Other trademarks and trade names may be used in this publication to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.
Introduction The switches in the Dell PowerConnect 7000 Series are stackable Layer 2 and 3 switches that extend the Dell PowerConnect LAN switching product range. These switches include the following features: • 1U form factor, rack-mountable chassis design. • Support for all data-communication requirements for a multi-layer switch, including layer 2 switching, IPv4 routing, IPv6 routing, IP multicast, quality of service, security, and system management features.
CTRL key. Additional Documentation The following documents for the PowerConnect 7000 Series switches are available at support.dell.com/manuals: • Getting Started Guide—provides information about the switch models in the series, including front and back panel features. It also describes the installation and initial configuration procedures.
Switch Features This section describes the switch user-configurable software features. NOTE: Before proceeding, read the release notes for this product. The release notes are part of the firmware download. The topics covered in this section include: • System Management • Spanning Tree Protocol Features &...
Multiple Management Options You can use any of the following methods to manage the switch: • Use a Web browser to access the Dell OpenManage Switch Administrator interface. The switch contains an embedded Web server that serves HTML pages. •...
Integrated DHCP Server PowerConnect 7000 Series switches include an integrated DHCP server that can deliver host-specific configuration information to hosts on the network. The switch DHCP server allows you to configure IP address pools (scopes), and when a host’s DHCP client requests an address, the switch DHCP server automatically assigns the host an address from the pool.
File Management You can upload and download files such as configuration files and system images by using HTTP (web only), TFTP, Secure FTP (SFTP), or Secure Copy (SCP). Configuration file uploads from the switch to a server are a good way to back up the switch configuration.
sFlow sFlow is the standard for monitoring high-speed switched and routed networks. sFlow technology is built into network equipment and gives complete visibility into network activity, enabling effective management and control of network resources. The PowerConnect 7000 Series switches support sFlow version 5. For information about configuring and managing sFlow settings, see "Monitoring Switch Traffic"...
Stacking Features For information about creating and maintaining a stack of switches, see "Managing a Switch Stack" on page 135. High Port Count You can stack PowerConnect 7000 Series switches up to 12 switches high, supporting up to 576 front-panel ports, if all units in the stack are 48-port models.
Master Failover with Transparent Transition The stacking feature supports a Standby or backup unit that assumes the Master unit role if the Master unit in the stack fails. As soon as a Master failure is detected in the stack, the Standby unit initializes the control plane and enables all other stack units with the current configuration.
Password-Protected Management Access Access to the Web, CLI, and SNMP management interfaces is password protected, and there are no default users on the system. For information about configuring local user accounts, see "Controlling Management Access" on page 169. Strong Password Enforcement The Strong Password feature enforces a baseline password strength for all locally administered users.
SSH/SSL The switch supports Secure Shell (SSH) for secure, remote connections to the CLI and Secure Sockets Layer (SSL) to increase security when accessing the Web-based management interface. For information about configuring SSH and SSL settings, see "Controlling Management Access" on page 169. Inbound Telnet Control You can configure the switch to prevent new Telnet sessions from being established with the switch.
Dot1x Authentication (IEEE 802.1X) Dot1x authentication enables the authentication of system users through a local internal server or an external server. Only authenticated and approved system users can transmit and receive data. Supplicants are authenticated using the Extensible Authentication Protocol (EAP). Also supported are PEAP, EAP-TTL, EAP-TTLS, and EAP-TLS.
Access Control Lists (ACL) Access Control Lists (ACLs) ensure that only authorized users have access to specific resources while blocking off any unwarranted attempts to reach network resources. ACLs are used to provide traffic flow control, restrict contents of routing updates, decide which types of traffic are forwarded or blocked, and above all provide security for the network.
DHCP Snooping DHCP Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server. It filters harmful DHCP messages and builds a bindings database of (MAC address, IP address, VLAN ID, port) tuples that are specified as authorized. DHCP snooping can be enabled globally and on specific VLANs.
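The filtering and bindings-database behavior described for DHCP Snooping, as an added Python model (it is not Dell firmware or CLI and is not part of the original manual). The trusted/untrusted port split, the source-MAC check, the message dictionary layout, and all port names and addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # message types only a DHCP server sends


@dataclass(frozen=True)
class Binding:
    """One bindings-database entry: the (MAC, IP, VLAN, port) tuple."""
    mac: str
    ip: str
    vlan: int
    port: str


class DhcpSnooper:
    """Simplified model; the trusted-port concept is an assumption here."""

    def __init__(self, trusted_ports, snooped_vlans):
        self.trusted = set(trusted_ports)
        self.vlans = set(snooped_vlans)
        self.bindings = {}  # (mac, vlan) -> Binding
        self.pending = {}   # (mac, vlan) -> port the client request arrived on
        self.drops = []     # (type, port, reason) for every filtered message

    def _drop(self, msg, reason):
        self.drops.append((msg["type"], msg["port"], reason))
        return False

    def process(self, msg):
        """Return True to forward the DHCP message, False to drop it."""
        if msg["vlan"] not in self.vlans:
            return True  # snooping is not enabled on this VLAN
        key = (msg["chaddr"], msg["vlan"])
        port, kind = msg["port"], msg["type"]

        if kind in SERVER_MSGS:
            if port not in self.trusted:
                return self._drop(msg, "server message on untrusted port")
            if kind == "ACK" and key in self.pending:
                # The lease is confirmed: record where the client really sits.
                self.bindings[key] = Binding(
                    msg["chaddr"], msg["yiaddr"], msg["vlan"], self.pending.pop(key))
            elif kind == "NAK":
                self.pending.pop(key, None)
                self.bindings.pop(key, None)
            return True

        if port in self.trusted:
            return True  # client traffic arriving over a trusted uplink is not checked
        if msg["src_mac"] != msg["chaddr"]:
            return self._drop(msg, "Ethernet source MAC differs from chaddr")
        if kind in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(key)
            if bound is None or bound.port != port:
                return self._drop(msg, "release/decline from a port without the binding")
            del self.bindings[key]
            return True
        self.pending[key] = port  # DISCOVER or REQUEST from an access port
        return True


def msg(kind, port, chaddr, src_mac=None, yiaddr=None, vlan=10):
    """Build one constructed DHCP message as seen at a switch port."""
    return {"type": kind, "port": port, "vlan": vlan, "chaddr": chaddr,
            "src_mac": src_mac or chaddr, "yiaddr": yiaddr}


def run_demo():
    """Replay a constructed trace; Gi1/0/24 is the only trusted port."""
    sn = DhcpSnooper(trusted_ports={"Gi1/0/24"}, snooped_vlans={10})
    a = "00:11:22:33:44:55"
    trace = [
        msg("DISCOVER", "Gi1/0/5", a),
        msg("OFFER", "Gi1/0/7", a, yiaddr="192.0.2.99"),    # unauthorized server
        msg("OFFER", "Gi1/0/24", a, yiaddr="192.0.2.50"),
        msg("REQUEST", "Gi1/0/5", a),
        msg("ACK", "Gi1/0/24", a, yiaddr="192.0.2.50"),     # binding is learned
        msg("RELEASE", "Gi1/0/9", a),                       # wrong port for binding
        msg("REQUEST", "Gi1/0/9", a, src_mac="66:77:88:99:aa:bb"),
        msg("OFFER", "Gi1/0/7", a, yiaddr="192.0.2.99", vlan=20),  # VLAN not snooped
    ]
    verdicts = [sn.process(m) for m in trace]
    return sn, verdicts


if __name__ == "__main__":
    snooper, verdicts = run_demo()
    print(verdicts)
    for drop in snooper.drops:
        print("dropped:", drop)
    print(list(snooper.bindings.values()))
```

The last trace entry is forwarded only because VLAN 20 is outside the snooped set, which is why a VLAN left out of the snooping configuration gets no protection from the feature.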
Green Technology Features For information about configuring Green Technology features, see "Configuring Port Characteristics" on page 483. Energy Detect Mode When the Energy Detect mode is enabled and the port link is down, the PHY automatically goes down for a short period of time and then wakes up to check link pulses.
PoE Plus Support The PowerConnect 7024P and 7048P switches implement the PoE Plus specification (IEEE 802.3AT). This allows power to be supplied to Class 4 PD devices that require power greater than 15.4 Watts. Each port is capable of delivering up to 30W of power. Real-time power supply status is also available on the switch as part of the PoE Plus implementation.
VLAN-Aware MAC-based Switching Packets arriving from an unknown source address are sent to the CPU and added to the Hardware Table. Future packets addressed to or from this address are more efficiently forwarded. Back Pressure Support On half-duplex links, a receiver may prevent buffer overflows by occupying the link so that it is unavailable for additional traffic.
Port Mirroring Port mirroring monitors and mirrors network traffic by forwarding copies of incoming and outgoing packets from up to four source ports to a monitoring port. The switch also supports flow-based mirroring, which allows you to copy certain types of traffic to a single destination port. This provides flexibility—instead of mirroring all ingress or egress traffic on a port the switch can mirror a subset of that traffic.
Connectivity Fault Management (IEEE 802.1ag) The Connectivity Fault Management (CFM) feature, also known as Dot1ag, supports Service Level Operations, Administration, and Management (OAM). CFM is the OAM Protocol provision for end-to-end service layer instance in carrier networks. The CFM feature provides mechanisms to help you perform connectivity checks, fault detection, fault verification and isolation, and fault notification per service in a network domain.
Virtual Local Area Network Supported Features For information about configuring VLAN features see "Configuring VLANs" on page 571. VLAN Support VLANs are collections of switching ports that comprise a single broadcast domain. Packets are classified as belonging to a VLAN based on either the VLAN tag or a combination of the ingress port and packet contents.
GARP and GVRP Support The switch supports the configuration of Generic Attribute Registration Protocol (GARP) timers. GARP VLAN Registration Protocol (GVRP) relies on the services provided by GARP to provide IEEE 802.1Q-compliant VLAN pruning and dynamic VLAN creation on 802.1Q trunk ports. When GVRP is enabled, the switch registers and propagates VLAN membership on all ports that are part of the active spanning tree protocol topology.
Spanning Tree Protocol Features For information about configuring Spanning Tree Protocol features, see "Configuring the Spanning Tree Protocol" on page 629. Spanning Tree Protocol (STP) Spanning Tree Protocol (IEEE 802.1D) is a standard requirement of Layer 2 switches that allows bridges to automatically prevent and resolve L2 forwarding loops.
Bridge Protocol Data Unit (BPDU) Guard Spanning Tree BPDU Guard is used to disable the port in case a new device tries to enter the already existing topology of STP. Thus devices, which were originally not a part of STP, are not allowed to influence the STP topology. BPDU Filtering When spanning tree is disabled on a port, the BPDU Filtering feature allows BPDU packets received on that port to be dropped.
Routing Features Address Resolution Protocol (ARP) Table Management You can create static ARP entries and manage many settings for the dynamic ARP table, such as age time for entries, retries, and cache size. For information about managing the ARP table, see "Configuring IP Routing" on page 883.
BOOTP/DHCP Relay Agent The switch BootP/DHCP Relay Agent feature relays BootP and DHCP messages between DHCP clients and DHCP servers that are located in different IP subnets. For information about configuring the BootP/DHCP Relay agent, see "Configuring L2 and L3 Relay Features" on page 907. IP Helper and UDP Relay The IP Helper and UDP Relay features provide the ability to relay various protocols to servers on a different subnet.
Virtual Router Redundancy Protocol (VRRP) VRRP provides hosts with redundant routers in the network topology without any need for the hosts to reconfigure or know that there are multiple routers. If the primary (master) router fails, a secondary router assumes control and continues to use the virtual router IP (VRIP) address.
IPv6 Routes Because IPv4 and IPv6 can coexist on a network, the router on such a network needs to forward both traffic types. Given this coexistence, each switch maintains a separate routing table for IPv6 routes. The switch can forward IPv4 and IPv6 traffic over the same set of interfaces.
Quality of Service (QoS) Features NOTE: Some features that can affect QoS, such as ACLs and Voice VLAN, are described in other sections within this chapter. Differentiated Services (DiffServ) The QoS Differentiated Services (DiffServ) feature allows traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors.
Internet Small Computer System Interface (iSCSI) Optimization The iSCSI Optimization feature helps give traffic between iSCSI initiator and target systems special QoS treatment in the switch. This is accomplished by monitoring, or snooping traffic to detect packets used by iSCSI stations in establishing iSCSI sessions and connections.
IGMP Snooping Querier When Protocol Independent Multicast (PIM) and IGMP are enabled in a network with IP multicast routing, the IP multicast router acts as the IGMP querier. However, if the IP-multicast traffic in a VLAN needs to be Layer 2 switched only, an IP-multicast router is not required.
Internet Group Management Protocol The Internet Group Management Protocol (IGMP) is used by IPv4 systems (hosts and routers) to report their IP multicast group memberships to any neighboring multicast routers. PowerConnect 7000 Series switches perform the “multicast router part” of the IGMP protocol, which means it collects the membership information needed by the active multicast router.
MLD/MLDv2 (RFC2710/RFC3810) MLD is used by IPv6 systems (listeners and routers) to report their IP multicast addresses memberships to any neighboring multicast routers. The implementation of MLD v2 is backward compatible with MLD v1. MLD protocol enables the IPv6 router to discover the presence of multicast listeners, the nodes that want to receive the multicast data packets, on its directly attached interfaces.
Hardware Overview This section provides an overview of the switch hardware. The topics covered in this section include: • PowerConnect 7000 Series Front Panel • PowerConnect 7000 Series Back Panel • LED Definitions PowerConnect 7000 Series Front Panel The PowerConnect 7000 Series front panel includes the following features: •...
Figure 3-2. PowerConnect 7024P with 24 10/100/1000Base-T PoE Plus Ports (callouts: 10/100/1000Base-T RJ-45 PoE Plus ports providing up to 30W per port; combo ports)
Figure 3-3. PowerConnect 7024F with 24 SFP Ports (callouts: SFP ports; combo ports)
Figure 3-4. PowerConnect 7048 with 48 10/100/1000Base-T Ports (callouts: 10/100/1000Base-T auto-sensing full duplex RJ-45 ports; combo ports)...
Figure 3-5. PowerConnect 7048P with 48 10/100/1000Base-T PoE Plus Ports (callouts: 10/100/1000Base-T RJ-45 PoE Plus ports providing up to 30W per port; combo ports)
Figure 3-6. PowerConnect 7048R with 48 10/100/1000Base-T Ports (callouts: 10/100/1000Base-T auto-sensing full duplex RJ-45 ports; combo ports)
The PowerConnect 7048, PowerConnect 7048P, and PowerConnect 7048R front panel provides 48 Gigabit Ethernet (10/100/1000Base-T) RJ-45 ports with four SFP combo ports. The PowerConnect 7048P switch ports are IEEE 802.3at-2009-compliant (PoE Plus) and can provide up to 30W of power per port.
The front-panel switch ports have the following characteristics: • The switch automatically detects the difference between crossed and straight-through cables on RJ-45 ports. • SFP ports support both SX and LX modules. • RJ-45 ports support half- and full-duplex mode 10/100/1000 Mbps. Console Port The console port is for management through a serial interface.
The front panel contains light emitting diodes (LEDs) that indicate the status of port links, power supplies, fans, stacking, and the overall system. Additionally, the PowerConnect 7024P and PowerConnect 7048P switches contain LEDs that provide information about Power over Ethernet Plus (PoE+) status and activity on the ports.
PowerConnect 7000 Series Back Panel The PowerConnect 7000 Series back panel has the following features: • Expansion Slots for Plug-in Modules • Power Supplies • Ventilation System • Locator LED The following images show the back panel of the PowerConnect 7000 Series switches.
Figure 3-10. PC7048R Back Panel (callouts: fan trays; two AC power receptacles; dual 10G slots for SFP+, 10GBase-T, or Stacking/10GbE modules)
Expansion Slots for Plug-in Modules Two expansion slots are located on the back of the switch and can support the following modules: •...
Figure 3-12. SFP+ Module
Figure 3-13. Stacking/10 GbE Module
Power Supplies PC7024 and PC7024F PowerConnect 7024 and PowerConnect 7024F switches have an internal 180-watt power supply. The additional external power supply (PowerConnect RPS720) provides 180 watts of power and gives full redundancy for the switch.
PC7048P PowerConnect 7048P switches have an internal 1000-watt power supply which can support up to 24 ports of PoE. The additional external power supply (PowerConnect MPS1000) allows all 48 ports of PoE, or 24 ports of PoE and full redundancy for the switch.
100/1000/10000Base-T Port LEDs (PC7024P and PC7048P) The 100/1000/10000Base-T ports on the PowerConnect 7024P and PowerConnect 7048P include Power over Ethernet Plus support, and each port is capable of delivering up to 30W of power to the connected PoE-powered device.
Table 3-2. 100/1000/10000Base-T Port LED Definitions (PC7024P and PC7048P) Color/Activity Definition Left Green The port is operating at 1000 Mbps. Yellow The port is operating at 10/100 Mbps. Solid A link is present. No link is present. Right Green blinking The port is active, and PoE Plus power is off.
Module LEDs The 10GBase-T module has two LEDs per port, the SFP+ module has one LED per port, and the Stacking/10 GbE module does not have any LEDs. 10 Gigabit Ethernet Port LEDs Table 3-4 contains LED definitions for 10 GbE ports on the plug-in module available for PowerConnect 7000 Series switches.
Console Port LEDs The console port is labeled with the |O|O| symbol and is for management through a serial interface. This port provides a direct connection to the switch and allows you to access the CLI from a console terminal connected to the port through the provided serial cable (RJ-45 to female DB-9 connectors).
System LEDs The system LEDs for the PowerConnect 7000 Series switches are located on the right side of the front panel. The system LEDs indicate whether the switch is the stack master and provide information about the status of system diagnostics, switch temperature and power.
Table 3-8. System LED Definitions (Continued) Color Definition Green solid Power Supply is operating normally. Green blinking Switch locator function activated (see "Using the Device View Switch Locator Feature" on page 102) Power is off or has failed. Green solid Redundant power supply is operating normally.
• Defining Fields About Dell OpenManage Switch Administrator Dell OpenManage Switch Administrator is a Web-based tool to help you manage and monitor a PowerConnect 7000 Series switch. Table 4-1 lists the Web browsers that are compatible with Dell OpenManage Switch Administrator.
Starting the Application To access the Dell OpenManage Switch Administrator and log on to the switch: 1 Open a web browser. 2 Enter the IP address of the switch in the address bar and press <Enter>. For information about assigning an IP address to a switch, see "Setting the IP Address and Other Basic Network Information"...
5 The Dell OpenManage Switch Administrator home page displays. The home page is the Device Information page, which contains a graphical representation of the front panel of the switch. For more information about the home page, see "Device Information" on page 240.
Save, Print, Refresh, Help Configuration and Status Options Command Button Using the Switch Administrator Buttons and Links Table 4-2 describes the buttons and links available from the Dell OpenManage Switch Administrator interface. Table 4-2. Button and Link Descriptions Button or Link...
Defining Fields User-defined fields can contain 1–159 characters, unless otherwise noted on the Dell OpenManage Switch Administrator Web page. All characters may be used except for the following: • • •...
LED is blinking. For more information about the locator LED, see "Locator LED" on page 90. NOTE: You can also issue the locate command from the CLI to enable the locator LED. Using Dell OpenManage Switch Administrator...
For more information about creating a serial connection, see the Getting Started Guide available at support.dell.com/manuals. 1 Connect the DB-9 connector of the supplied serial cable to a management station, and connect the RJ-45 connector to the switch console port.
2 Start the terminal emulator, such as Microsoft HyperTerminal, and select the appropriate serial port (for example, COM 1) to connect to the console. 3 Configure the management station serial port with the following settings: • Data rate — 9600 baud. •...
Understanding Command Modes The CLI groups commands into modes according to the command function. Each of the command modes supports specific software commands. The commands in one mode are not available until you switch to that particular mode, with the exception of the User EXEC mode commands. You can execute the User EXEC mode commands in the Privileged EXEC mode.
Table 5-1. Command Mode Overview
• Command Mode: User EXEC
  Access Method: The user is automatically in User EXEC mode unless the user is defined as a privileged user.
  Command Prompt: console>
  Exit or Access Previous Mode: logout
• Command Mode: Privileged EXEC
  Access Method: From User EXEC mode,...
  Command Prompt: console#
  Exit or Access Previous Mode: Use the exit...
Entering CLI Commands The switch CLI uses several techniques to help you enter commands. Using the Question Mark to Get Help Enter a question mark (?) at the command prompt to display the commands available in the current mode.
  console(config-vlan)#?
  exit    To exit from the mode.
You can also enter a question mark (?) after typing one or more characters of a word to list the available commands or parameters that begin with the letters, as shown in the following example:
  console#show po?
  policy-map  port  ports
Using Command Completion The CLI can complete partially entered commands when you press the <Tab>...
Understanding Error Messages If you enter a command and the system is unable to execute it, an error message appears. Table 5-2 describes the most common CLI error messages.
Table 5-2. CLI Error Messages
• Message Text: % Invalid input
  Description: Indicates that you entered an incorrect or unavailable command.
Table 5-3. History Buffer Navigation
• Keyword: Up-arrow key, <Ctrl>+<P>
  Source or Destination: Recalls commands in the history buffer, beginning with the most recent command. Repeats the key sequence to recall successively older commands.
• Keyword: Down-arrow key
  Source or Destination: Returns to more recent commands in the history buffer after recalling commands with the up-arrow key.
Default Settings This section describes the default settings for many of the software features on the PowerConnect 7000 Series switches.
Table 6-1. Default Settings (Feature: Default)
• IP address: None
• Subnet mask: None
• Default gateway: None
• DHCP client: Enabled on out-of-band (OOB) interface. Disabled on Management VLAN (inband management ports).
Table 6-1. Default Settings (Continued) (Feature: Default)
• Enabled (No servers configured)
• SNMP: Enabled (SNMPv1)
• SNMP Traps: Enabled
• Auto Configuration: Enabled
• Auto Save: Disabled
• Stacking: Enabled
• Nonstop Forwarding on the Stack: Enabled
• sFlow: Enabled
• ISDP: Enabled (Versions 1 and 2)
• RMON: Enabled
• TACACS+: Not configured...
Table 6-1. Default Settings (Continued) (Feature: Default)
• Head of Line Blocking Prevention: Disabled
• Maximum Frame Size: 1500 bytes
• Auto-MDI/MDIX Support: Enabled
• Auto Negotiation: Enabled
• Advertised Port Speed: Maximum Capacity
• Broadcast Storm Control: Disabled
• Port Mirroring: Disabled
• LLDP: Enabled
• LLDP-MED: Disabled
• MAC Table Address Aging: 300 seconds (Dynamic Addresses)
• Cisco Protocol Filtering (LLPF)...
Table 6-1. Default Settings (Continued) (Feature: Default)
• Link Aggregation: No LAGs configured
• LACP System Priority
• Routing Mode: Disabled
• OSPF Admin Mode: Enabled
• OSPF Router ID: 0.0.0.0
• IP Helper and UDP Relay: Enabled
• Enabled
• VRRP: Disabled
• Tunnel and Loopback Interfaces: None
• IPv6 Routing: Disabled
• DHCPv6...
Setting the IP Address and Other Basic Network Information This chapter describes how to configure basic network information for the switch, such as the IP address, subnet mask, and default gateway. The topics in this chapter include: • IP Address and Network Information Overview •...
IP addresses. Default Domain Name Identifies your network, such as dell.com. If you enter a hostname and do not include the domain name information, the default domain name is automatically appended to the hostname.
You must use a console-port connection to perform the initial switch configuration. When you boot the switch for the first time and the configuration file is empty, the Dell Easy Setup Wizard starts. The Dell Easy Setup Wizard is a CLI-based tool to help you perform the initial switch configuration.
Dell recommends that you use the OOB port for remote management. The following list highlights some advantages of using OOB management instead of in-band management: •...
notification, the switch will reduce the MSS. However, many firewalls block ICMP Destination Unreachable messages, which causes the destination to request the packet again until the connection times out. In order to resolve this issue, you can reduce the MSS setting to a more appropriate value on the local host or alternatively, you can set the MTU on the PowerConnect management port to a smaller value.
Configuring Basic Network Information (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring basic network information on the PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. Out-of-Band Interface Use the Out of Band Interface page to assign the Out of Band Interface IP address and subnet mask or to enable/disable the DHCP client for address...
IP Interface Configuration (Default VLAN IP Address) Use the IP Interface Configuration page to assign the Default VLAN IP address and Subnet Mask, the Default Gateway IP address, and to assign the boot protocol. To display the IP Interface Configuration page, click Routing → IP → IP Interface Configuration in the navigation panel.
4 If you select Manual for the configuration method, specify the IP Address and Subnet Mask in the appropriate fields. 5 Click Apply. NOTE: You do not need to configure any additional fields on the page. For information about VLAN routing interfaces, see "Configuring Routing Interfaces" on page 843.
Figure 7-4. Default Route Configuration (Default VLAN) 3 In the Next Hop IP Address field, enter the IP address of the default gateway. 4 Click Apply. For more information about configuring routes, see "Configuring IP Routing" on page 883. Setting Basic Network Information...
Domain Name Server Use the Domain Name Server page to configure the IP address of the DNS server. The switch uses the DNS server to translate hostnames into IP addresses. To display the Domain Name Server page, click System → IP Addressing → Domain Name Server in the navigation panel.
Default Domain Name Use the Default Domain Name page to configure the domain name the switch adds to a local (unqualified) hostname. To display the Default Domain Name page, click System → IP Addressing → Default Domain Name in the navigation panel. Figure 7-7.
Host Name Mapping Use the Host Name Mapping page to assign an IP address to a static host name. The Host Name Mapping page provides one IP address per host. To display the Host Name Mapping page, click System → IP Addressing → Host Name Mapping.
The switch learns hosts dynamically by using the configured DNS server to resolve a hostname. For example, if you ping www.dell.com from the CLI, the switch uses the DNS server to look up the IP address of dell.com and adds the entry to the Dynamic Host Name Mapping table.
Configuring Basic Network Information (CLI) This section provides information about the commands you use to configure basic network information on the PowerConnect 7000 Series switch. For more information about these commands, see the PowerConnect 7000 Series CLI Reference Guide. Enabling the DHCP Client on the OOB Port Beginning in Privileged EXEC mode, use the following commands to enable the DHCP client on the OOB port.
Managing DHCP Leases Beginning in Privileged EXEC mode, use the following commands to manage and troubleshoot DHCP leases on the switch. Command Purpose interface release dhcp Force the DHCPv4 client to release a leased address on the specified interface. interface renew dhcp Force the DHCP client to immediately renew an IPv4 address lease.
Configuring Static Network Information on the OOB Port Beginning in Privileged EXEC mode, use the following commands to configure a static IP address, subnet mask, and default gateway on the OOB port. Command Purpose configure Enter Global Configuration mode. interface out-of-band Enter Interface Configuration mode for the OOB port.
Configuring and Viewing Additional Network Information Beginning in Privileged EXEC mode, use the following commands to configure a DNS server, the default domain name, and a static host name-to- address entry. Use the show commands to verify configured information and to view dynamic host name mappings.
Basic Network Information Configuration Example In this example, an administrator at a Dell office in California decides not to use the Dell Easy Setup Wizard to perform the initial switch configuration. The administrator configures a PowerConnect 7000 Series switch to obtain its information from a DHCP server on the network and creates the administrative user with read/write access.
  Default Gateway.... 10.27.22.1
  Protocol Current.... DHCP
  Burned In MAC Address.... 001E.C9AA.AA08
5 View additional network information.
  console#show hosts
  Host name: Default domain: sunny.dell.com dell.com
  Name/address lookup is enabled
  Name servers (Preference order): 10.27.138.20, 10.27.138.21
  Configured host name-to-address mapping:
  Host Addresses...
Managing a Switch Stack
This chapter describes how to configure and manage a stack of switches. The topics covered in this chapter include:
• Stacking Overview
• Default Stacking Values
• Managing and Monitoring the Stack (Web)
• Managing the Stack (CLI)
•...
The running configuration and application state is synchronized between the Master and Standby during the normal stacking operation. In a stack of three or more switches, Dell strongly recommends connecting the stack in a ring topology so that each switch is connected to two other switches.
PowerConnect 7000 Series and M6348 Stacking Compatibility The stack can contain any combination of switch models in the PowerConnect 7000 Series as well as the PowerConnect M6348 switch, as long as all switches are running the same firmware version. For example, a single stack of six switches might include the following members: •...
• If the Management Unit function is disabled, the unit remains a non-Management Unit. If the entire stack is powered OFF and ON again, the unit that was the Management Unit before the reboot will remain the Management Unit after the stack resumes operation.
might trigger many other protocols. However, it is possible to intentionally pre-configure a unit. You can view the preconfigured/unassigned units by using the show switch CLI command. If a new switch is added to a stack of switches that are powered and running and already have an elected Management Unit, the newly added switch becomes a stack member rather than the Management Unit.
How is the Firmware Updated on the Stack? When you add a new switch to a stack, the Stack Firmware Synchronization feature automatically synchronizes the firmware version with the version running on the stack master. The synchronization operation may result in either upgrade or downgrade of firmware on the mismatched stack member.
Management Unit acts as the control plane. The management plane is application software running on the Management Unit that provides interfaces allowing a network administrator to configure the device. The Nonstop Forwarding (NSF) feature allows the forwarding plane of stack units to continue to forward packets while the control and management planes restart as a result of a power failure, hardware failure, or software fault on the stack Management Unit.
Checkpointing Switch applications (features) that build up a list of data such as neighbors or clients can significantly improve their restart behavior by remembering this data across a warm restart. This data can either be stored persistently, as DHCP server and DHCP snooping store their bindings database, or the Management Unit can checkpoint this data directly to the standby unit.
Table 8-1. Applications that Checkpoint Data
Application | Checkpointed Data
IGMP/MLD Snooping | Multicast groups, list of router ports, last query data for each VLAN
IPv6 NDP | Neighbor cache entries
iSCSI | Connections
LLDP | List of interfaces with MED devices attached
OSPFv2 | Neighbors and designated routers
OSPFv3 | Neighbors and designated routers
Route Table Manager...
If you move the master unit of stack to a different place in the network, make sure you power down the whole stack before you redeploy the master unit so that the stack members do not continue to use the MAC address of the redeployed switch.
Default Stacking Values Stacking is always enabled on PowerConnect 7000 Series switches. NSF is enabled by default. You can disable NSF in order to redirect the CPU resources consumed by data checkpointing. Checkpointing only occurs when a backup unit is elected, so there is no need to disable the NSF feature on a standalone switch.
Managing and Monitoring the Stack (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring stacking on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. NOTE: The changes you make to the Stacking configuration pages take effect only after the device is reset.
Changing the ID or Switch Type for a Stack Member To change the switch ID or type: 1 Open the Unit Configuration page. 2 Click Add to display the Add Unit page. Figure 8-3. Add Remote Log Server Settings 3 Specify the switch ID, and select the model number of the switch. 4 Click Apply.
Stack Summary Use the Stack Summary page to view a summary of switches participating in the stack. To display the Stack Summary page, click System → Stack Management → Stack Summary in the navigation panel. Figure 8-4. Stack Summary...
Stack Firmware Synchronization Use the Stack Firmware Synchronization page to control whether the firmware image on a new stack member can be automatically upgraded or downgraded to match the firmware image of the stack master. To display the Stack Firmware Synchronization page, click System → Stack Management →...
Supported Switches Use the Supported Switches page to view information regarding each type of supported switch for stacking, and information regarding the supported switches. To display the Supported Switches page, click System → Stack Management → Supported Switches in the navigation panel. Figure 8-6.
Stack Port Summary Use the Stack Port Summary page to configure the stack-port mode and to view information about the stackable ports. This screen displays the unit, the stackable interface, the configured mode of the interface, the running mode as well as the link status and link speed of the stackable port. To display the Stack Port Summary page, click System →...
Stack Port Counters Use the Stack Port Counters page to view the transmitted and received statistics, including data rate and error rate. To display the Stack Port Counters page, click System → Stack Management → Stack Point Counters in the navigation panel. Figure 8-8.
NSF Summary Use the NSF Summary page to change the administrative status of the NSF feature and to view NSF information. NOTE: The OSPF feature uses NSF to enable the hardware to continue forwarding IPv4 packets using OSPF routes while a backup unit takes over Management Unit responsibility.
Checkpoint Statistics Use the Checkpoint Statistics page to view information about checkpoint messages generated by the master unit. To display the Checkpoint Statistics page, click System → Stack Management → Checkpoint Statistics in the navigation panel. Figure 8-10. Checkpoint Statistics...
Managing the Stack (CLI) This section provides information about the commands you use to manage the stack and view information about the switch stack. For more information about these commands, see the PowerConnect 7000 Series CLI Reference Guide. Configuring Stack Member and NSF Settings Beginning in Privileged EXEC mode, use the following commands to configure stacking and NSF settings.
Command | Purpose
boot auto-copy-sw allow-downgrade | Allow the firmware version on the newly added stack member to be downgraded if the firmware version on manager is older.
exit | Exit to Privileged EXEC mode.
show auto-copy-sw | View the Stack Firmware Synchronization settings for the stack.
Command | Purpose
show checkpoint statistics | View information about checkpoint messages generated by the master unit.
clear checkpoint statistics | Reset the checkpoint statistics counters to zero.
Stacking and NSF Usage Scenarios
Only a few settings are available to control the stacking configuration, such as the designation of the standby unit or enabling/disabling NSF.
Basic Failover In this example, the stack has four members that are connected through a daisy-chain, as Figure 8-11 shows. Figure 8-11. Basic Stack Failover When all four units are up and running, the show switch CLI command gives the following output: console#show switch Management Standby...
At this point, if Unit 2 is powered off or rebooted due to an unexpected failure, show switch gives the following output: console#show switch Management Standby Preconfig Plugged- Switch Code Status Status Model ID in Model Status Version --- --------- ------- -------- ------------------- --------...
Preconfiguring a Stack Member To preconfigure a stack member before connecting the physical unit to the stack, use the show support switchtype command to obtain the SID of the unit to be added. The example in this section demonstrates pre-configuring a PowerConnect 7048P switch on a stand-alone PowerConnect 7048R switch.
3 Confirm the stack configuration. Some of the fields have been omitted from the following output due to space limitations. console#show switch SW Management Standby Preconfig Plugged-in Switch Code Status Status Model ID Model ID Status Version --- --------- ------- -------- --------- ---------- -------- Mgmt Sw PCT7048R PCT7048R...
NSF in the Data Center Figure 8-12 illustrates a data center scenario, where the stack of two PowerConnect switches acts as an access switch. The access switch is connected to two aggregation switches, AS1 and AS2. The stack has a link from two different units to each aggregation switch, with each pair of links grouped together in a LAG.
NSF and VoIP Figure 8-13 shows how NSF maintains existing voice calls during a Management Unit failure. Assume the top unit is the Management Unit. When the Management Unit fails, the call from phone A is immediately disconnected. The call from phone B continues. On the uplink, the forwarding plane removes the failed LAG member and continues using the remaining LAG member.
NSF and DHCP Snooping Figure 8-14 illustrates an L2 access switch running DHCP snooping. DHCP snooping only accepts DHCP server messages on ports configured as trusted ports. DHCP snooping listens to DHCP messages to build a bindings database that lists the IP address the DHCP server has assigned to each host. IP Source Guard (IPSG) uses the bindings database to filter data traffic in hardware based on source IP address and source MAC address.
If a host is in the middle of an exchange with the DHCP server when the failover occurs, the exchange is interrupted while the control plane restarts. When DHCP snooping is enabled, the hardware traps all DHCP packets to the CPU. The control plane drops these packets during the restart. The DHCP client and server retransmit their DHCP messages until the control plane has resumed operation and messages get through.
[Figure 8-15. NSF and a Storage Area Network. Labels: Disc Array (iSCSI Targets); Servers (iSCSI Initiators); addresses 10.1.1.2, 10.1.1.3, 10.1.1.1, 10.1.1.10, 10.1.1.11]
When the Management Unit fails, session A drops. The initiator at 10.1.1.10 detects a link down on its primary NIC and attempts to reestablish the session on its backup NIC to a different IP address on the disk array.
NSF and Routed Access Figure 8-16 shows a stack of three units serving as an access router for a set of hosts. Two LAGs connect the stack to two aggregation routers. Each LAG is a member of a VLAN routing interface. The stack has OSPF and PIM adjacencies with each of the aggregation routers.
JOIN messages upstream. The control plane updates the driver with checkpointed unicast routes. The forwarding plane reconciles L3 hardware tables. The OSPF graceful restart finishes, and the control plane deletes any stale unicast routes not relearned at this point. The forwarding plane reconciles L3 multicast hardware tables.
Controlling Management Access This chapter describes how to control access to the switch management interface through switch-based authentication or by using TACACS+ or RADIUS servers. It also includes information about controlling access through Telnet, SSH, HTTP, and HTTPS. The Denial of Service (DoS) protection feature is also described in this chapter.
Table 9-1. Management Security Features
Management Security Feature | Description
Management Access Control List (ACL) | Contains rules to apply to one or more in-band ports, LAGs, or VLANs to limit management access by method (for example, Telnet or HTTP) and/or source IP address. NOTE: Management ACLs cannot be applied to the OOB port.
What Are the Recommendations for Management Security? Selecting the authentication policy for a network is very important. In large deployments, many administrators prefer to use a RADIUS or TACACS+ server because it allows the authentication policy to be applied system wide with little administrative effort.
• Console—Authenticates access through the console port (CLI only).
• Telnet—Authenticates users accessing the CLI by using a Telnet or SSH client.
• Secure HTTP—Authenticates users accessing OpenManage Switch Administrator by using an HTTPS connection.
• HTTP—Authenticates users accessing OpenManage Switch Administrator by using an HTTP connection.
[Figure 9-1. Basic TACACS+ Topology. Labels: Backup TACACS+ Server, PowerConnect Switch, Primary TACACS+ Server, Management Network, Management Host]
You can configure the TACACS+ server list with one or more hosts defined via their network IP address. You can also assign each a priority to determine the order in which the TACACS+ client will contact them.
How Does RADIUS Control Management Access?
Many networks use a RADIUS server to maintain a centralized user database that contains per-user authentication information. RADIUS servers provide a centralized authentication method for:
• Telnet Access
• Web Access
• Console to Switch Access
•...
[Figure 9-2. RADIUS Topology. Labels: Backup RADIUS Server, PowerConnect Switch, Primary RADIUS Server, Management Network, Management Host]
The server can authenticate the user itself or make use of a back-end device to ascertain authenticity. In either case a response may or may not be forthcoming to the client.
enable Auth-Type := Local, User-Password == "pass5678"
    Service-Type = Administrative-User
The values for the Service-Type attribute are as follows:
• NAS-Prompt-User indicates the user should be provided a command prompt on the switch, which is acting as the Network Access Server (NAS), from which nonprivileged commands can be executed.
When multiple RADIUS servers are configured with different names, the servers are in different groups. The primary/secondary designation and priority applies to RADIUS servers only within the same group. Within a named group, the switch always attempts to contact the primary RADIUS server first.
What Other Features Use Authentication? In addition to controlling access to the management interface, the switch can use RADIUS, IAS, or the local user database to provide port-based access control. Port-based access control specifies whether devices that are connected to the switch ports are allowed access to the network. The IEEE 802.1X feature (also known as Dot1X) and Captive Portal feature use RADIUS or the local user database to control network access.
Table 9-2. Management Security Default Values (Continued)
Management Security Feature | Default
Authentication Profiles | The following three Authentication Profiles are configured by default:
• defaultList—Method is NONE, which means no authentication is required.
• networkList—Method is LOCAL, which means the user credentials are verified against the information in the local user database.
Controlling Management Access (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring management security on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. Access Profile Use the Access Profile page to define a profile and rules for accessing the switch.
Adding and Configuring an Access Profile To configure an access profile: 1 Open the Access Profile page. 2 Click Add Profile to display the Add an Access Profile page. 3 Enter a name for the Access Profile. 4 Specify a rule for management access, and then click Apply. In Figure 9-4, the Access Profile name is mgmt_ACL, and access is permitted on VLAN 1 from any host in the 10.27.65.0/24 subnet.
Figure 9-5 shows the configuration of an additional rule that allows management access to a host in the 10.27.65.0/24 subnet that is connected to Port 1. The rule priority is 2. This rule might be necessary if Port 1 is not a member of VLAN 1.
Figure 9-6. View Access Profile Information 8 Click Access Profile to return to the main page for the feature. 9 To activate the profile, select the Set Active Access Profile option, and then click Apply. NOTE: The switch enforces the profile rules only if the profile is active. If an access profile is not activated, the device can be accessed by any host and on any interface.
Authentication Profiles User authentication occurs locally and on an external server. Use the Authentication Profiles page to select the user authentication methods for the defaultList and networkList. These Authentication Profiles are created by default. To display the Authentication Profiles page, click System → Management Security →...
myList. The switch will contact the RADIUS server to authenticate the user. If that attempt fails, the switch queries the local user database for relevant authentication information. NOTE: To use the LINE or ENABLE method, you must first define passwords for these methods.
6 To view the existing Authentication Profiles and the order in which the login methods are used, click Show All. Figure 9-10. View Authentication Profile Table...
Select Authentication After authentication profiles are defined, you can apply them to management access methods. For example, console users can be authenticated by Authentication Profile List 1, while Telnet users are authenticated by Authentication Profile List 2. To display the Select Authentication page, click System → Management Security →...
Password Management Password management provides increased network security and improved password control. Passwords for SSH, Telnet, HTTP, HTTPS, and SNMP access are assigned security features, including: • Defining minimum password lengths (the minimum password length is 8 when password length-checking is enabled) •...
Figure 9-12. Password Management Adding Excluded Keywords To prevent keywords from being used in passwords: 1 Make sure Create is selected from the Password Exclude-keyword menu. 2 Specify the keyword to exclude. 3 Click Add Excluded Keyword....
Last Password Set Result Use the Last Password Set Result page to view information about the most recently configured password for a user in the Local User Database. To display the Last Password Set Result page, click System → Management Security →...
User Login Configuration Use the User Login Configuration page to select the list to use to authenticate attempts to login to the switch by users configured in the Local User Database. Each user in the database can have a different list applied. To display the User Login Configuration page, click System →...
Local User Database Use the Local User Database page to define passwords, access rights for users and reactivate users whose accounts have been suspended. This page also contains fields to allow you to configure SNMPv3 settings for users in the local database.
Adding a User to the Local Database To add local users: 1 Open the Local User Database page. 2 Click Add to display the Add a New User page. 3 Specify a login name, select the access level, and type/retype the password. Figure 9-16.
Line Password Use the Line Password page to define passwords that are used to access the CLI through the Console port, SSH, or Telnet. To display the Line Password page, click System → Management Security → Line Password in the navigation panel. Figure 9-17.
TACACS+ Settings TACACS+ provides centralized security for validation of users accessing the switch, while still retaining consistency with RADIUS and other authentication processes. TACACS+ provides the following services: • Authentication — Provides authentication during login and through user names and user-defined passwords. •...
Adding TACACS+ Host Information To add a TACACS+ host: 1 Open the TACACS+ Settings page. 2 Click Add to display the Add a TACACS+ Host page. 3 Specify the hostname or IP address of the TACACS+ server the switch will use to authenticate users.
Figure 9-21. View Local User Database Entries RADIUS Global Configuration Use the RADIUS Global Configuration page to configure settings that affect all RADIUS servers that are configured on the switch. To display the RADIUS Global Configuration page, click System → Management Security → RADIUS Global Configuration in the navigation panel.
RADIUS Server Configuration From the RADIUS Server Configuration page, you can add a new RADIUS server, configure settings for a new or existing RADIUS server, and view RADIUS server status information. The RADIUS client on the switch supports up to 32 named authentication and accounting servers. To access the RADIUS Server Configuration page, click System →...
4 Use the default RADIUS server name or enter up to 32 alphanumeric characters. Spaces, hyphens, and underscores are also permitted. You can use the same name for multiple RADIUS Authentication servers. RADIUS clients can use RADIUS servers with the same name as backups for each other.
Figure 9-25. Viewing the RADIUS Server Table RADIUS Accounting Server Configuration From the RADIUS Accounting Server Configuration page, you can add a new RADIUS accounting server, configure settings for a new or existing RADIUS accounting server, and view RADIUS accounting server status information.
Adding and Configuring RADIUS Accounting Server Information To add a RADIUS accounting server: 1 Open the RADIUS Accounting Server Configuration page. 2 Click Add to display the Add RADIUS Accounting Server page. 3 Specify the IP address of the RADIUS accounting server. 4 Use the default RADIUS server name or enter up to 32 alphanumeric characters.
Figure 9-28. Viewing the RADIUS Accounting Server Table RADIUS Accounting Server Statistics Use the RADIUS Accounting Server Statistics page to view statistical information for each RADIUS accounting server configured on the system. To access the RADIUS Accounting Server Statistics page, click System → Management Security →...
RADIUS Server Statistics Use the RADIUS Server Statistics page to view statistical information for each RADIUS server configured on the system. To access the RADIUS Server Statistics page, click System → Management Security → RADIUS Server Statistics in the navigation panel. Figure 9-30.
Authorization Network RADIUS In some networks, the RADIUS server is responsible for assigning traffic to a particular VLAN. From the Authorization Network RADIUS page, you can enable the switch to accept VLAN assignment by the RADIUS server. For more information about VLANs and RADIUS-assigned VLANs, see "Dynamic VLAN Creation"...
Telnet Server Use the Telnet Server page to enable or disable telnet service on the switch or to modify the telnet port. To display the Telnet Server page, click System → Management Security → Telnet Server. Figure 9-32. Telnet Server...
Denial of Service Denial of Service (DoS) refers to the exploitation of a variety of vulnerabilities which would interrupt the service of a host or make a network unstable. Use the Denial of Service page to configure settings to help prevent DoS attacks.
Secure HTTP Configuration Secure HTTP (HTTPS) increases the security of web-based management by encrypting communication between the administrative system and the switch. Use the Secure HTTP page to manage the HTTPS mode and certificate information that enables management of the switch through HTTPS. To display the Secure HTTP page, click System →...
Importing and Requesting Certificates Use the following steps to import or request a certificate by using SSH. 1 From the Secure HTTP page, click SSH Request. Figure 9-35. Secure HTTP - SSH Request 2 Select the certificate number. 3 Complete the fields that are relevant to the certificate. 4 To import the certificate, click Certificate Import.
Viewing Certificate Information To view the certificate request or to view the generated certificate, click Show All. Figure 9-36. View Certificate Requests...
Secure Shell Configuration Secure Shell (SSH) is similar to Telnet but increases the security of CLI-based management by creating a secure channel for communication between the administrative system and the switch. Use the Secure Shell page to manage the SSH mode and other information that enables management of the switch through SSH.
• Generate RSA Keys — Begin generating RSA host keys. Note that to generate SSH key files, SSH must be administratively disabled and there must be no active SSH sessions.
• Generate DSA Key — Begin generating DSA host keys. Note that to...
Configuring a Public Key Use the following steps to configure a public key for SSH. 1 From the Secure Public Key page, click Add. Figure 9-39. Secure Public Key — Add 2 Specify the algorithm to use of the public-key cryptography, either DSA or RSA.
Controlling Management Access (CLI) This section provides information about the commands you use to control access to the switch management interface. For more information about these commands, see the PowerConnect 7000 Series CLI Reference Guide. Configuring a Management Access List NOTE: Management ACLs can be applied only to in-band ports and cannot be applied to the OOB port.
Command Purpose interface-type permit { Permit access to the management interface from the interface-number specified port, VLAN, or LAG and meet the other optional service [service ] [priority criteria. priority-value service permit service Permit access to the management interface from the priority-value [priority specified service.
Adding Users to the Local Database Beginning in Privileged EXEC mode, use the following commands to add users to the local user database. Command Purpose configure Enter Global Configuration mode. name username Add a new user to the local users database. password password [level...
Configuring and Applying Authentication Profiles Beginning in Privileged EXEC mode, use the following commands to create an authentication list, configure the authentication methods for that list, and apply the list to an access method. Command Purpose configure Enter Global Configuration mode. aaa authentication login Configure the methods used to authenticate a user list-name...
Command | Purpose
line {console|ssh|telnet} | Enter Line configuration mode for the specified access method.
login authentication {default|list-name} | Specify the login authentication list to use for the line access. The list is applied to the current line mode (console, Telnet, or SSH).
enable authentication list-name... | Specify the enable authentication list to use for access to...
Command | Purpose
passwords lock-out attempts | Specify the number of times a user can enter an incorrect password before being denied access to the management interface. NOTE: Password lockout applies only to local users. Users authenticated by RADIUS and TACACS+ are subject to the policies defined by the RADIUS or TACACS+ server.
Command | Purpose
passwords strength exclude-keyword word | Specify up to three keywords to exclude in a password. The password does not accept the keyword in any form (in between the string, case-insensitive and reverse) as a substring.
passwords strength-check | Verify the strength of a password during configuration.
exit | Exit to Privileged EXEC mode.
Command Purpose key-string key [ Set the authentication and encryption key for all RADIUS communications between the switch and the RADIUS server. NOTE: You can also use the radius-server key [ key-string command in Global Configuration mode to set the same authentication and encryption key for all configured RADIUS servers.
Command Purpose show radius statistics View the RADIUS statistics for the switch. You can specify [[accounting | additional information to narrow the scope of the authentication] command output. ipaddress hostname • accounting | authentication — The type of server servername name (accounting or authentication).
Configuring Telnet and SSH Access
Beginning in Privileged EXEC mode, use the following commands to specify Telnet and SSH server settings on the switch.
Command | Purpose
configure | Enter Global Configuration mode.
ip telnet server disable | Disable the Telnet service on the switch.
ip ssh server | Allow access to the switch management interface by using SSH, which is disabled by default.
Command Purpose show crypto key pubkey- View SSH public keys stored on the switch. chain ssh [username username • — Specifies the remote SSH client username. username ] [fingerprint (Range: 1–48 characters) bubble-babble|hex] • bubble-babble — Fingerprints in Bubble Babble format. •...
Command | Purpose
<CTRL + Z> | Exit to Privileged EXEC mode.
crypto certificate number request | Generate and display a certificate request for HTTPS. This command takes you to Crypto Certificate Request mode. In this mode, you can use the following commands to specify certificate details: •...
Command | Purpose
show crypto certificate mycertificate | View the SSL certificates of your switch.
show ip http server secure status | Display the HTTPS server configuration.
show ip http server status | Display the HTTP server configuration.
Configuring DoS Information
Beginning in Privileged EXEC mode, use the following commands to specify settings to help prevent DoS attacks on the switch.
Command | Purpose
dos-control icmp [size] | Enable Maximum ICMP Packet Size Denial of Service protections, where size is the Maximum ICMP packet size. (Range: 0-16376). If ICMP Echo Request (PING) packets ingress having a size greater than the configured value, the packets are dropped.
Management Access Configuration Examples
This section contains the following examples:
• Configuring a Management Access List
• Configuring an Authentication Profile
• Configuring the Primary and Secondary RADIUS Servers
• Configuring Password Lockout
Configuring a Management Access List
The commands in this example create a management ACL that permits access to the switch through the in-band switch ports on VLAN 1 and on port 9 from hosts with an IP address in the 10.27.65.0 subnet.
The commands in this example configure primary and secondary RADIUS servers that the switch will use to authenticate access. The RADIUS servers belong to the same named server group (Dell-RADIUS) and use the same RADIUS secret (test1234). A third RADIUS server is configured as an accounting server, and RADIUS accounting is globally enabled.
Configuring an Authentication Profile The commands in this example create a new authenticating profile that uses the RADIUS server configured in the previous example to authenticate users who attempt to access the switch management interface by using SSH or Telnet. If the RADIUS authentication is unsuccessful, the switch uses the local user database to attempt to authenticate the users.
4 View the current authentication methods and profiles.
console#show authentication methods
Login Authentication Method Lists
---------------------------------
defaultList none
networkList local
myList radius local
Enable Authentication Method Lists
----------------------------------
enableList none
Line Login Method List Enable Method List
------- ----------------- ------------------
Console defaultList enableList...
The password lockout feature disables local access to the switch for a given user name if the user fails to supply the correct password within the configured number of attempts. Failed attempts to log on do not need to occur close together in time; consecutive login failures separated by extensive time periods can still cause a user to be locked out.
4 View information about the authentication profiles. By default, Console (serial) access uses the defaultList authentication. The defaultList does not require authentication, but the networkList requires authentication by verifying the user name and password against an entry in the local database.
Page 234
The following screen text shows an example session that results in the lockout of local user abc:

User:abc
Password:******** ! Enter invalid password
User:abc
Password:******** ! Enter invalid password
User:abc
Password:********
User: <188> FEB 04 19:44:52 10.27.22.46-1 USER_MGR[183162896]: user_mgr.c(1640) 695 %% User abc locked out on authentication failure
! Enter valid password
User:abc...
Monitoring and Logging System Information
This chapter provides information about the features you use to monitor the switch, including logging, cable tests, and email alerting. The topics covered in this chapter include:
• System Monitoring Overview
• Default Log Settings
•...
Why Is System Information Needed?
The information the switch provides can help you troubleshoot issues that might be affecting system performance. The cable diagnostics tests help you troubleshoot problems with the physical connections to the switch. Auditing access to the switch and the activities an administrator performed while managing the switch can help provide security and accountability.
What Are the Severity Levels?
For each local or remote log file, you can specify the severity of the messages to log. Each severity level is identified by a name and a number. Table 10-1 provides information about the severity levels.
Table 10-1.
The first part of the log message up to the first left bracket is fixed by the Syslog standard (RFC 3164). The second part up to the two percent signs is standardized for all Dell PowerConnect logs. The variable text of the log message follows. The log message is limited to 96 bytes.
Message — Contains the text of the log message.

What Factors Should Be Considered When Configuring Logging?
Dell recommends that network administrators deploy a syslog server in their network and configure all switches to log messages to the syslog server.
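On the syslog server, the fixed layout described above can be split into fields and searched for lockout events. The following Python sketch is an added example, not part of the Dell guide; the field names are labels chosen here, the first sample line is the lockout message shown earlier in this section, and the remaining sample lines are constructed.

```python
import re
from typing import Iterable, List, Optional

# Syslog severity numbers 0-7, named as this guide names them.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "informational", "debug"]

# Layout: <PRI> timestamp host-unit COMPONENT[thread]: file(line) seq %% text
# The group names are labels chosen for this example.
LOG_RE = re.compile(
    r"<(?P<pri>\d{1,3})>\s*"
    r"(?P<timestamp>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+?)-(?P<unit>\d+)\s+"
    r"(?P<component>[^\s\[]+)\[(?P<thread>\d+)\]:\s+"
    r"(?P<file>[^\s(]+)\((?P<line>\d+)\)\s+"
    r"(?P<seq>\d+)\s+%%\s?"
    r"(?P<text>.*)"
)
LOCKOUT_RE = re.compile(
    r"User (?P<user>\S+) locked out on authentication failure")

# The guide states a 96-byte limit; applying it to the variable text
# (rather than the whole line) is an assumption of this example.
MAX_TEXT_BYTES = 96


def parse_log_line(raw: str) -> Optional[dict]:
    """Split one switch log line into fields, or return None if it does not fit."""
    m = LOG_RE.search(raw)  # search() tolerates a console prompt before "<PRI>"
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # RFC 3164: facility 0-23, severity 0-7
        return None
    text = m["text"].rstrip()
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "severity_name": SEVERITIES[pri & 7],
        "timestamp": " ".join(m["timestamp"].split()),
        "host": m["host"],
        "unit": int(m["unit"]),
        "component": m["component"],
        "thread": int(m["thread"]),
        "file": m["file"],
        "line": int(m["line"]),
        "seq": int(m["seq"]),
        "text": text,
        # A message at the size limit may have lost its tail.
        "at_size_limit": len(text.encode("utf-8")) >= MAX_TEXT_BYTES,
    }


def find_lockouts(lines: Iterable[str]) -> List[dict]:
    """Return one record per USER_MGR lockout message found in the lines."""
    events = []
    for raw in lines:
        rec = parse_log_line(raw)
        if rec is None or rec["component"] != "USER_MGR":
            continue
        hit = LOCKOUT_RE.match(rec["text"])
        if hit:
            events.append({"user": hit["user"], "host": rec["host"],
                           "unit": rec["unit"], "timestamp": rec["timestamp"],
                           "seq": rec["seq"]})
    return events


SAMPLE_LINES = [
    # From the lockout session in this section (console prompt included).
    "User: <188> FEB 04 19:44:52 10.27.22.46-1 USER_MGR[183162896]: "
    "user_mgr.c(1640) 695 %% User abc locked out on authentication failure",
    # Constructed lines, for illustration only.
    "<189> FEB 04 19:45:03 10.27.22.46-1 TRAPMGR[216282624]: "
    "traputil.c(611) 696 %% Link Up: Gi1/0/9",
    "<188> FEB 04 20:02:17 10.27.22.47-2 USER_MGR[183162896]: "
    "user_mgr.c(1640) 112 %% User operator locked out on authentication failure",
    "not a switch log line",
]

if __name__ == "__main__":
    for event in find_lockouts(SAMPLE_LINES):
        print("lockout: user={user} switch={host} unit={unit} at {timestamp}"
              .format(**event))
```

Because failed attempts count toward lockout regardless of how far apart they are, a lockout record is worth alerting on even when no burst of failures precedes it.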
Device Information The Device Information page displays after you successfully log on to the switch by using the Dell OpenManage Switch Administrator. This page is a virtual representation of the switch front panel. Use the Device Information page to view information about the port status, system status, and the switch stack.
Page 241
Figure 10-2. Stack View For more information about the device view features, see "Understanding the Device View" on page 102.
System Health Use the Health page to view status information about the switch power and ventilation sources. To display the Health page, click System → General → Health in the navigation panel. Figure 10-3. Health
System Resources Use the System Resources page to view information about memory usage and task utilization. To display the System Resources page, click System → General → System Resources in the navigation panel. Figure 10-4. System Resources
Unit Power Usage History Use the Unit Power Usage History page to view information about switch power consumption. To display the Unit Power Usage History page, click System → General → Unit Power Usage History in the navigation panel. Figure 10-5. Unit Power Usage History
Integrated Cable Test for Copper Cables Use the Integrated Cable Test for Copper Cables page to perform tests on copper cables. Cable testing provides information about where errors occurred in the cable, the last time a cable test was performed, and the type of cable error which occurred.
To view a summary of all integrated cable tests performed, click the Show All link. Figure 10-7. Integrated Cable Test Summary Optical Transceiver Diagnostics Use the Optical Transceiver Diagnostics page to perform tests on Fiber Optic cables. To display the Optical Transceiver Diagnostics page, click System → Diagnostics →...
Page 247
Figure 10-8. Optical Transceiver Diagnostics To view a summary of all optical transceiver diagnostics tests performed, click the Show All link. Figure 10-9. Optical Transceiver Diagnostics Summary
Log Global Settings
Use the Global Settings page to enable logging globally and to enable other types of logging. You can also specify the severity of messages that are logged to the console, RAM log, and flash-based log file. The Severity table lists log messages from the highest severity (Emergency) to the lowest (Debug).
RAM Log Use the RAM Log page to view information about specific RAM (cache) log entries, including the time the log was entered, the log severity, and a description of the log. To display the RAM Log, click System → Logs → RAM Log in the navigation panel.
Log File The Log File contains information about specific log entries, including the time the log was entered, the log severity, and a description of the log. To display the Log File, click System → Logs → Log File in the navigation panel.
Page 251
Figure 10-13. Remote Log Server Adding a New Remote Log Server To add a log server: 1 Open the Remote Log Server page. 2 Click Add to display the Add Remote Log Server page. 3 Specify the IP address or hostname of the remote server. 4 Define the UDP Port and Description fields.
Page 252
Figure 10-14. Add Remote Log Server 5 Select the severity of the messages to send to the remote server. NOTE: When you select a severity level, all higher severity levels are automatically selected. 6 Click Apply. Click the Show All link to view or remove remote log servers configured on the system.
Figure 10-15. Show All Log Servers

Email Alert Global Configuration
Use the Email Alert Global Configuration page to enable the email alerting feature and configure global settings so that system log messages can be sent from the switch to one or more email accounts. To display the Email Alert Global Configuration page, click System →...
Email Alert Mail Server Configuration Use the Email Alert Mail Server Configuration page to configure information about the mail server the switch uses for sending email alert messages. To display the Email Alert Mail Server Configuration page, click System → Email Alerts →...
Page 255
Figure 10-18. Add Mail Server 4 Click Apply. 5 If desired, click Configuration to return to the Email Alert Mail Server Configuration page to specify port and security settings for the mail server. Click the Show All link to view or remove mail servers configured on the switch.
Email Alert Subject Configuration Use the Email Alert Subject Configuration page to configure the subject line for email alerts that are sent by the switch. You can customize the subject for the message severity and entry status. To display the Email Alert Subject Configuration page, click System → Email Alerts →...
Email Alert To Address Configuration Use the Email Alert To Address Configuration page to specify where the email alerts are sent. You can configure multiple recipients and associate different message severity levels with different recipient addresses. To display the Email Alert To Address Configuration page, click System → Email Alerts →...
Email Alert Statistics Use the Email Alert Statistics page to view the number of emails that were successfully and unsuccessfully sent, and when emails were sent. To display the Email Alert Statistics page, click System → Email Alerts → Email Alert Statistics in the navigation panel. Figure 10-24.
Monitoring System Information and Configuring Logging (CLI)
This section provides information about the commands you use to configure information you use to monitor the PowerConnect 7000 Series switch. For more information about these commands, see the PowerConnect 7000 Series CLI Reference Guide.

Viewing System Information and Enabling the Locator LED
Beginning in Privileged EXEC mode, use the following commands to view system health and resource information and to enable the switch locator...
Command: test copper-port tdr interface
Purpose: Perform the Time Domain Reflectometry (TDR) test to diagnose the quality and characteristics of a copper cable attached to the specified port.
CAUTION: Issuing the test copper-port tdr command will bring the interface down.
NOTE: To ensure accurate measurements, disable all Green Ethernet modes (EEE or energy-detect mode) on the port...
Page 261
Command: logging {buffered|console|file} severity
Purpose: Enable logging to the specified file. Optionally, you can define a logging discriminator to help filter log messages and set the severity of the messages to log.
• buffered — Enables logging to the RAM file (cache). If the switch resets, the buffered logs are cleared.
Configuring Remote Logging
Beginning in Privileged EXEC mode, use the following commands to define a remote server to which the switch sends log messages.
Command: configure
Purpose: Enter Global Configuration mode.
Command: logging {ip-address | hostname}
Purpose: Define a remote log server and enter the configuration mode for the specified log server.
Configuring Mail Server Settings Beginning in Privileged EXEC mode, use the following commands to configure information about the mail server (SMTP host) on the network that will initially receive the email alerts from the switch and relay them to the correct recipient. Command Purpose configure...
Configuring Email Alerts for Log Messages
Beginning in Privileged EXEC mode, use the following commands to configure email alerts so that log messages are sent to the specified address.
Command: configure
Purpose: Enter Global Configuration mode.
Command: logging email [severity]
Purpose: Enable email alerting and determine which non-critical log severity messages should be emailed.
Page 265
Command: logging email test message-type {urgent | non-urgent | both} body message-body
Purpose: Send a test email to the configured recipient to verify that the feature is properly configured.
Command: CTRL + Z
Purpose: Exit to Privileged EXEC mode.
Command: show logging email
Purpose: View the configured settings for email alerts.
Logging Configuration Examples
This section contains the following examples:
• Configuring Local and Remote Logging
• Configuring Email Alerting

Configuring Local and Remote Logging
This example shows how to enable switch auditing and CLI command logging. Log messages with a severity level of Notification (level 5) and above are sent to the RAM (buffered) log.
Page 267
4 Verify the remote log server configuration.

console#show syslog-servers

IP Address/Hostname       Port   Severity       Description
------------------------- ------ -------------- ----------
192.168.2.10                     debugging      Syslog Server

5 Verify the local logging configuration and view the log messages stored in the buffer (RAM log).

console#show logging

Logging is enabled
Console Logging: level debugging.
Configuring Email Alerting
The commands in this example define the SMTP server to use for sending email alerts. The mail server does not require authentication and uses the standard TCP port for SMTP, port 25, which are the default values. Only Emergency messages (severity level 0) will be sent immediately as individual emails, and messages with a severity of alert, critical, and error (levels 1-3) will be sent in a single email every 120 minutes.
5 Specify the address where email alerts should be sent.

console(config)#logging email message-type both to-addr administrator@dell.com

6 Specify the text that will appear in the email alert Subject line.

console(config)#logging email message-type urgent subject "LOG MESSAGES - EMERGENCY"...
Page 270
Email Alert Non Urgent Severity Level..3
Email Alert Trap Severity Level....6
Email Alert Notification Period....120 min

Email Alert To Address Table:
For Msg Type......1
Address1......administrator@dell.com
For Msg Type......2
Address1......administrator@dell.com

Email Alert Subject Table
For Msg Type 1, subject is....LOG MESSAGES - EMERGENCY
For Msg Type 2, subject is....LOG MESSAGE...
Managing General System Settings
This chapter describes how to set system information, such as the hostname, and time settings, and how to select the Switch Database Management (SDM) template to use on the switch. This chapter also describes how to configure the back-panel expansion slots with card information as well as how to configure the Power over Ethernet (PoE) settings for the PowerConnect 7024P and 7048P switches.
Table 11-1. System Information Feature Description SDM Template Determines the maximum resources a switch or router can use for various features. For more information, see "What Are SDM Templates?" on page 273 The switch can obtain the time from a Simple Network Time Protocol (SNTP) server, or you can set the time manually.
Telnet sessions open with several different switches, the system name can help you quickly identify the switch because the host name replaces console as the CLI command prompt. The Banner can provide information about the switch status. For example, if multiple users connect to the switch, the message of the day (MOTD) banner might alert everyone who connects to the switch about a scheduled switch image upgrade.
SDM Template Configuration Guidelines When you configure the switch to use an SDM template that is not currently in use, you must reload the switch for the configuration to take effect. NOTE: If you attach a unit to a stack and its template does not match the stack's template, then the new unit will automatically reboot using the template used by the management unit.
To increase security, you can require authentication between the configured SNTP server and the SNTP client on the switch. Authentication is provided by Message Digest 5 (MD5). MD5 verifies the integrity of the communication and authenticates the origin of the communication.

What Configuration Is Required for Plug-In Modules?
The switch supports several different plug-in modules (also known as cards) for the expansion slots located on the back of the switch.
Page 276
Table 11-4. PoE Plus Key Features (7024P and 7048P Only)
Feature: Per-Port Power Limit
Description: Configurable power limit for each PoE-Plus port.
Feature: Power Management Modes
Description: Supports two power-management modes:
• Static—Allows you to reserve a guaranteed amount of power for a PoE port. This is useful for powering up devices that draw variable amounts of power, giving them an assured power range to operate within.
Default General System Information By default, no system information or time information is configured, and the SNTP client is disabled. The default SDM Template applied to the switch is the Dual IPv4-IPv6 template. The following table shows the default PoE Plus settings for the PowerConnect 7024P and 7048P switches.
Configuring General System Settings (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring general system settings on the PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. System Information Use the System Information page to configure the system name, contact name, location, and asset tag.
Page 279
Initiating a Telnet Session from the Web Interface NOTE: The Telnet client feature does not work with Microsoft Windows Internet Explorer 7 and later versions. Initiating this feature from any browser running on a Linux operating system is not supported. To launch a Telnet session: 1 From the System →...
Page 280
Figure 11-3. Select Telnet Client The selected Telnet client launches and connects to the switch CLI. Figure 11-4. Telnet Session
CLI Banner Use the CLI Banner page to configure a message for the switch to display when a user connects to the switch by using the CLI. You can configure different banners for various CLI modes and access methods. To display the CLI Banner page, click System → General → CLI Banner in the navigation panel.
SDM Template Preference Use the SDM Template Preference page to view information about template resource settings and to select the template that the switch uses. If you select a new SDM template for the switch to use, you must reboot the switch before the template is applied.
Clock If you do not obtain the system time from an SNTP server, you can manually set the date and time on the switch on the Clock page. The Clock page also displays information about the time settings configured on the switch. To display the Clock page, click System →...
SNTP Global Settings Use the SNTP Global Settings page to enable or disable the SNTP client, configure whether and how often the client sends SNTP requests, and determine whether the switch can receive SNTP broadcasts. To display the SNTP Global Settings page, click System → Time Synchronization →...
SNTP Authentication Use the SNTP Authentication page to enable or disable SNTP authentication, to modify the authentication key for a selected encryption key ID, to designate the selected authentication key as a trusted key, and to remove the selected encryption key ID. NOTE: The SNTP server must be configured with the same authentication information to allow time synchronization to take place between the two devices.
Page 286
The Add Authentication Key page displays: Figure 11-10. Add Authentication Key 3 Enter a numerical encryption key ID and an authentication key in the appropriate fields. 4 If the key is to be used to authenticate a unicast SNTP server, select the Trusted Key check box.
Figure 11-11. Authentication Key Table SNTP Server Use the SNTP Server page to view and modify information about SNTP servers, and to add new SNTP servers that the switch can use for time synchronization. The switch can accept time information from both IPv4 and IPv6 SNTP servers.
Page 288
Figure 11-12. SNTP Servers Defining a New SNTP Server To add an SNTP server: 1 Open the SNTP Servers page. 2 Click Add. The Add SNTP Server page displays.
Page 289
Figure 11-13. Add SNTP Server 3 In the SNTP Server field, enter the IP address or host name for the new SNTP server. 4 Specify whether the information entered in the SNTP Server field is an IPv4 address, IPv6 address, or a hostname (DNS). 5 If you require authentication between the SNTP client on the switch and the SNTP server, select the Encryption Key ID check box, and then select the key ID to use.
Page 290
Figure 11-14. SNTP Servers Table
Summer Time Configuration Use the Summer Time Configuration page to configure summer time (daylight saving time) settings. To display the Summer Time Configuration page, click System → Time Synchronization → Summer Time Configuration in the navigation panel. Figure 11-15. Summer Time Configuration NOTE: The fields on the Summer Time Configuration page change when you select or clear the Recurring check box.
Time Zone Configuration
Use the Time Zone Configuration page to configure time zone information, including the amount of time the local time is offset from UTC and the acronym that represents the local time zone. To display the Time Zone Configuration page, click System → Time Synchronization →...
Card Configuration Use the Card Configuration page to control the administrative status of the rear-panel expansion slots (Slot 1 or Slot 2) and to configure the plug-in module to use in the slot. To display the Card Configuration page, click Switching → Slots → Card Configuration in the navigation panel.
Slot Summary Use the Slot Summary page to view information about the expansion slot status. To display the Slot Summary page, click Switching → Slots → Summary in the navigation panel. Figure 11-18. Slot Summary
Supported Cards Use the Supported Cards page to view information about the supported plug-in modules for the switch. To display the Supported Cards page, click Switching → Slots → Supported Cards in the navigation panel. Figure 11-19. Supported Cards
Power Over Ethernet Global Configuration (7024P/7048P Only) Use the PoE Global Configuration page to configure the PoE settings for the switch. To display the PoE Global Configuration page, click System → General → Power over Ethernet → Global Configuration in the navigation panel. Figure 11-20.
Power Over Ethernet Interface Configuration (7024P/7048P Only) Use the PoE Interface Configuration page to configure the per-port PoE settings. From this page, you can also access the PoE Counters table and PoE Port Table. The PoE Port table allows you to view and configure PoE settings for multiple ports on the same page.
Page 298
To view PoE statistics for each port, click Counters. Figure 11-22. PoE Counters Table To view the PoE Port Table, click Show All. Figure 11-23. PoE Port Table If you change any settings for one or more ports on the PoE Port Table page, click Apply to update the switch with the new settings.
Configuring System Settings (CLI)
This section provides information about the commands you use to configure system information and time settings on the PowerConnect 7000 Series switch. For more information about these commands, see the PowerConnect 7000 Series CLI Reference Guide.

Configuring System Information
Beginning in Privileged EXEC mode, use the following commands to configure system information.
Configuring the Banner
Beginning in Privileged EXEC mode, use the following commands to configure the MOTD, login, or User EXEC banner. The switch supports the following banner messages:
• MOTD—Displays when a user connects to the switch.
• Login—Displays after the MOTD banner and before the login prompt.
•...
Managing the SDM Template Beginning in Privileged EXEC mode, use the following commands to set the SDM template preference and to view information about the available SDM templates. Command Purpose configure Enter Global Configuration mode. sdm prefer {dual-ipv4- Select the SDM template to apply to the switch after the and-ipv6 default| ipv4- next boot.
Page 302
Command: sntp trusted-key key_id
Purpose: Specify the authentication key the SNTP server must include in SNTP packets that it sends to the switch. The key_id number must be an encryption key ID defined in the previous step.
Command: sntp authenticate
Purpose: Require authentication for communication with the SNTP server.
Setting the System Time and Date Manually Beginning in Privileged EXEC mode, use the following commands to configure the time and date, time zone, and summer time settings. Command Purpose mm/dd/yyyy clock set { Configure the time and date. You can enter the time first hh:mm:ss and then the date, or the date and then the time.
Command Purpose clock summer-time Use this command if the summer time does not start and date month date { end every year according to a recurring pattern. You can month date year enter the month and then the date, or the date and then the hh:mm date month month.
Configuring PoE Settings (7024P/7048P Only) Beginning in Privileged EXEC mode, use the following commands to configure PoE information. Command Purpose configure Enter Global Configuration mode. power inline usage- Specify the maximum usage for PoE power on the system. threshold threshold threshold variable (range: 12–99%) is a percentage of total system power.
Page 306
Command Purpose power inline high-power Configure the port high power mode for connected-device {legacy | dot3at} compatibility. • legacy—Use this mode if the device can power up (more than 12.95 Watts) with higher current and cannot identify itself as Class 4 device. •...
Page 307
Command: power inline reset
Purpose: (Optional) Reset the port. You might use this command if the port is stuck in an Error state.
Command: CTRL + Z
Purpose: Exit to Privileged EXEC mode.
Command: show power inline
Purpose: Display PoE information for the switch.
Command: show power inline
Purpose: Display PoE information for the specified interface.
3 Configure the message that displays when a user connects to the switch.

PC7048(config)#banner motd "This switch connects users in cubicles C121-C139."
PC7048(config)#exit

4 View system information to verify the configuration.

PC7048#show system

System Description: Dell Ethernet Switch
Page 309
System Up Time: 0 days, 19h:36m:36s
System Contact: Jane Doe
System Name: PC7048
System Location: RTP100
Burned In MAC Address: 001E.C9AA.AA07
System Object ID: 1.3.6.1.4.1.674.10895.3035
System Model ID: PCT7048
Machine Type: PowerConnect 7048

Temperature Sensors:
Unit Temperature (Celsius) Status
---- --------------------- ------

Power Supplies:...
Figure 11-24. Verify MOTD

Configuring SNTP
The commands in this example configure the switch to poll an SNTP server to synchronize the time. Additionally, the SNTP sessions between the client and server must be authenticated.
To configure the switch:
1 Configure the authentication information. The SNTP server must be configured with the same authentication key and ID.
Page 311
3 Verify the configuration.

console#show sntp configuration

Polling interval: 512 seconds
MD5 Authentication keys: 23456465
Authentication is required for synchronization.
Trusted keys: 23456465
Unicast clients: Enable

Unicast servers:
Server Polling Priority
------------ ----------- --------- --------
192.168.10.30 23456465 Enabled

4 View the SNTP status on the switch.

console#show sntp status

Client Mode: Unicast...
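How a configured key ID and key are checked on each SNTP reply, as an added Python example that is not part of the Dell guide. It assumes the switch follows the standard NTP symmetric-key format (RFC 5905: a 32-bit key ID followed by the MD5 digest of the key concatenated with the 48-byte header, no extension fields); only key ID 23456465 comes from the output above, while the key value and packet contents are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, Set

NTP_HEADER_LEN = 48          # fixed NTP/SNTP header
MAC_LEN = 4 + 16             # 32-bit key ID + 16-byte MD5 digest

KEY_ID = 23456465            # key ID shown in the example output above
KEY = b"constructed-key"     # placeholder; the real key is not on this page


def md5_digest(key: bytes, header: bytes) -> bytes:
    """Symmetric-key digest: MD5 over the key followed by the header."""
    return hashlib.md5(key + header).digest()


def make_packet(mode: int, key_id: int, key: bytes,
                transmit_ts: bytes = b"\x00" * 8) -> bytes:
    """Build a minimal authenticated packet (mode 3 = client, 4 = server)."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (0 << 6) | (4 << 3) | mode   # LI=0, VN=4, Mode
    header[40:48] = transmit_ts              # transmit timestamp field
    header = bytes(header)
    return header + struct.pack("!I", key_id) + md5_digest(key, header)


def verify_reply(packet: bytes, keys: Dict[int, bytes],
                 trusted: Set[int]) -> str:
    """Decide whether a reply may be used when authentication is required."""
    if len(packet) == NTP_HEADER_LEN:
        return "reject: no MAC"              # unauthenticated reply
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return "reject: bad length"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in keys:
        return "reject: unknown key ID"
    if key_id not in trusted:
        return "reject: key not trusted"     # defined, but not a trusted key
    expected = md5_digest(keys[key_id], header)
    if not hmac.compare_digest(expected, mac[4:]):   # constant-time compare
        return "reject: digest mismatch"
    return "accept"


if __name__ == "__main__":
    keys = {KEY_ID: KEY, 1: b"another-constructed-key"}
    trusted = {KEY_ID}
    good = make_packet(4, KEY_ID, KEY)
    tampered = bytearray(good)
    tampered[1] ^= 0x01                      # alter one header byte in transit
    cases = {
        "valid reply": good,
        "tampered header": bytes(tampered),
        "MAC stripped": good[:NTP_HEADER_LEN],
        "server has a different key": make_packet(4, KEY_ID, b"wrong"),
        "untrusted key ID": make_packet(4, 1, keys[1]),
    }
    for name, pkt in cases.items():
        print(f"{name}: {verify_reply(pkt, keys, trusted)}")
```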
Configuring the Time Manually
The commands in this example manually set the system time and date. The time zone is set to Eastern Standard Time (EST), which has an offset of -5 hours. Summer time is enabled and uses the preconfigured United States settings.
Configuring SNMP
The topics covered in this chapter include:
• SNMP Overview
• Default SNMP Values
• Configuring SNMP (Web)
• Configuring SNMP (CLI)
• SNMP Configuration Examples

SNMP Overview
Simple Network Management Protocol (SNMP) provides a method for managing network devices. The PowerConnect 7000 Series switches support SNMP version 1, SNMP version 2, and SNMP version 3.
The SNMP agent maintains a list of variables that are used to manage the switch. The variables are defined in the MIB. The MIB presents the variables controlled by the agent. The SNMP agent defines the MIB specification format, as well as the format used to access the information over the network. Access rights to the SNMP agent are controlled by access strings.
Why Is SNMP Needed?
Some network administrators prefer to use SNMP as the switch management interface. Settings that you view and configure by using the Web-based Dell OpenManage Switch Administrator and the CLI are also available by using SNMP.
Page 316
Table 12-1. SNMP Defaults
Parameter              Default Value
QoS traps              Enabled
Multicast traps        Disabled
Captive Portal traps   Disabled
OSPF traps             Disabled

Table 12-2 describes the two views that are defined by default.

Table 12-2. SNMP Default Views
View Name   OID Subtree   View Type
Default Included...
Configuring SNMP (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the SNMP agent on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. NOTE: For some features, the control to enable or disable traps is available from a configuration page for that feature and not from the Trap Manager pages that...
SNMP View Settings Use the SNMP View Settings page to create views that define which features of the device are accessible and which are blocked. You can create a view that includes or excludes OIDs corresponding to interfaces. To display the View Settings page, click System → SNMP → View Settings in the navigation panel.
Page 319
Figure 12-3. Add View 3 Specify a name for the view and a valid SNMP OID string. 4 Select the view type. 5 Click Apply. The SNMP view is added, and the device is updated. Click Show All to view information about configured SNMP Views.
Access Control Group
Use the Access Control Group page to view information for creating SNMP groups, and to assign SNMP access privileges. Groups allow network managers to assign access rights to specific device features or feature aspects. To display the Access Control Group page, click System → SNMP → Access Control in the navigation panel.
Figure 12-5. Add Access Control Group
3 Specify a name for the group.
4 Select a security model and level.
5 Define the context prefix and the operation.
6 Click Apply to update the switch.
Click Show All to view information about existing access control configurations.
Page 322
Figure 12-6. SNMPv3 User Security Model Adding Local SNMPv3 Users to a USM To add local users: 1 Open the User Security Model page. 2 Click Add Local User. The Add Local User page displays:
Page 323
Figure 12-7. Add Local Users 3 Define the relevant fields. 4 Click Apply to update the switch. Click Show All to view the User Security Model Table, which contains information about configured Local and Remote Users. Adding Remote SNMPv3 Users to a USM To add remote users: 1 Open the SNMPv3 User Security Model page.
Figure 12-8. Add Remote Users
3 Define the relevant fields.
4 Click Apply to update the switch.
Click Show All to view the User Security Model Table, which contains information about configured Local and Remote Users.

Communities
Access rights for SNMPv1 and SNMPv2 are managed by defining communities on the Communities page.
Page 325
Figure 12-9. SNMP Communities Adding SNMP Communities To add a community: 1 Open the Communities page. 2 Click Add. The Add SNMPv1,2 Community page displays:
Page 326
Figure 12-10. Add SNMPv1,2 Community 3 Specify the IP address of an SNMP management station and the community string to act as a password that will authenticate the management station to the SNMP agent on the switch. 4 Select the access mode. 5 Click Apply to update the switch.
Notification Filter
Use the Notification Filter page to filter traps based on OIDs. Each OID is linked to a device feature or a feature aspect. The Notification Filter page also allows you to filter notifications. To display the Notification Filter page, click System → SNMP → Notification Filters in the navigation panel.
Figure 12-12. Add Notification Filter
3 Specify the name of the filter and the OID for the filter.
4 Choose whether to send (include) traps or informs to the trap recipient or prevent the switch from sending (exclude) the traps or informs.
5 Click Apply to update the switch.
Page 329
Figure 12-13. SNMP Notification Recipient Adding a Notification Recipient To add a recipient: 1 Open the Notification Recipient page. 2 Click Add. The Add Recipient page displays:
Page 330
Figure 12-14. Add Notification Recipient
3 Specify the IP address or hostname of the host to receive notifications.
4 Select whether to send traps or informs to the specified recipient.
5 Define the relevant fields for the SNMP version you use.
6 Configure information about the port on the recipient.
Trap Flags The Trap Flags page is used to specify which traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log.
OSPFv2 Trap Flags The OSPFv2 Trap Flags page is used to specify which OSPFv2 traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log.
OSPFv3 Trap Flags The OSPFv3 Trap Flags page is used to specify which OSPFv3 traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log.
Trap Log The Trap Log page is used to view entries that have been written to the trap log. To access the Trap Log page, click Statistics/RMON → Trap Manager → Trap Log in the navigation panel. Figure 12-18. Trap Logs Click Clear to delete all entries from the trap log.
Configuring SNMP (CLI)
This section provides information about the commands you use to manage and view SNMP features on the switch. For more information about these commands, see the PowerConnect 7000 Series CLI Reference Guide.
Configuring the SNMPv3 Engine ID
To use SNMPv3, the switch must have an engine ID.
Command              Purpose
exit                 Exit to Privileged EXEC mode.
show snmp engineid   View the local SNMP engine ID.
Configuring SNMP Views, Groups, and Users
Beginning in Privileged EXEC mode, use the following commands to define SNMP views, SNMP groups, and local and remote SNMPv3 users.
Command              Purpose
configure...
Command Purpose snmp-server group Specify the identity string of the receiver and set the groupname {v1 | v2 | v3 receiver timeout value. {noauth | auth | priv} groupname • — Specifies the name of the group. (Range: view-name [notify 1-30 characters.) view-name [context...
Command: snmp-server user username groupname [remote engineid-string] [{auth-md5 password | auth-sha password...
Purpose: Configure a new SNMPv3 user.
• username — Specifies the name of the user on the host that connects to the agent. (Range: 1-30 characters.)
• groupname — Specifies the name of the group to which the user belongs.
Command                      Purpose
show snmp group group_name   View SNMP group configuration information.
show snmp user user_name     View SNMP user configuration information.
Configuring Communities
Beginning in Privileged EXEC mode, use the following commands to configure access rights for SNMPv1 and SNMPv2.
Command                      Purpose
configure                    Enter Global Configuration mode...
Command: snmp-server community-group community-string group-name [ipaddress ip-address]
Purpose: Map the internal security name for SNMP v1 and SNMP v2 security models to the group name.
• community-string — Community string that acts like a password and permits access to the SNMP protocol (Range: 1-20 characters)
• group-name —...
Configuring SNMP Notifications (Traps and Informs)
Beginning in Privileged EXEC mode, use the following commands to allow the switch to send SNMP traps and to configure which traps are sent.
Command                    Purpose
configure                  Enter Global Configuration mode
snmp-server enable traps   Specify the traps to enable.
Command: snmp-server host host-addr [informs [timeout seconds] [retries retries] | traps version {1 | 2}]]
Purpose: For SNMPv1 and SNMPv2, configure the system to receive SNMP traps or informs.
• host-addr — Specifies the IP address of the host (targeted recipient) or the name of the host.
Command: snmp-server v3-host {ip-address | hostname} username {traps | informs} [noauth | auth | priv] [timeout...
Purpose: For SNMPv3, configure the system to receive SNMP traps or informs.
• ip-address — Specifies the IP address of the host (targeted recipient).
• hostname...
SNMP Configuration Examples
This section contains the following examples:
• Configuring SNMPv1 and SNMPv2
• Configuring SNMPv3
Configuring SNMPv1 and SNMPv2
This example shows how to complete a basic SNMPv1/v2 configuration. The commands enable read-only access from any host to all objects on the switch using the community string public, and enable read-write access from any...
Community-String    Group Name       IP Address
-----------------   --------------   ------------
private             DefaultWrite
public              DefaultRead
Traps are enabled.
Authentication trap is enabled.
Version 1,2 notifications
Target Addr.   Type   Community   Version   UDP     Filter   Retries
                                            Port    Name
------------   ----   ---------   ----      -----   -----    -------
192.168.3.65   Trap   public
Version 3 notifications
Target Addr.
3 Create the user admin, assign the user to the group, and specify the authentication credentials.
console(config)#snmp-server user admin group_snmpv3 auth-md5 secretkey
4 Specify the IP address of the host where traps are to be sent. Packet authentication using MD5-SHA is enabled for the traps.
console(config)#snmp-server v3-host 192.168.3.35 admin traps auth
console(config)#exit...
console#show snmp views
Name                 OID Tree                   Type
------------------   ------------------------   ------------
Default                                         Included
Default              snmpVacmMIB                Excluded
Default              usmUser                    Excluded
Default              snmpCommunityTable         Excluded
view_snmpv3          internet                   Included
DefaultSuper                                    Included
console#show snmp group
Name           Context    Model    Security   Read       Views    Notify
               Prefix              Level                 Write
------------   --------   ------   --------   --------   ------   -------
DefaultRead    ""...
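The SNMPv1/v2 and SNMPv3 examples above leave settings in the configuration that are worth checking for on any saved config: the public and private community strings, communities with no management-station address, MD5 authentication, and a trap host below the priv level. The following audit script is an added example, not part of the Dell guide; the sample configuration is constructed, and the `snmp-server community <string> {ro|rw} [ipaddress <addr>]` line form is an assumption.

```python
# Added example: audit the snmp-server lines of a saved switch configuration.
WELL_KNOWN = {"public", "private"}   # community strings used in this page's example
LEVELS = ("noauth", "auth", "priv")  # SNMPv3 security levels listed on this page

# Constructed sample, not output from a real switch. The community line form
# is an assumption; the user and v3-host lines are the ones from the SNMPv3
# example on this page.
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server community n0c-Read-7731 ro ipaddress 192.168.3.65
snmp-server user admin group_snmpv3 auth-md5 secretkey
snmp-server v3-host 192.168.3.35 admin traps auth
"""


def audit_snmp(config_text):
    """Return a list of (line_number, code, detail) findings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind, args = tok[1], tok[2:]
        if kind == "community":
            name, opts = args[0], args[1:]
            if name.lower() in WELL_KNOWN:
                findings.append((lineno, "default-community", name))
            if "rw" in opts:
                findings.append((lineno, "write-community", name))
            if "ipaddress" not in opts:
                # No management-station address: any host may use the string.
                findings.append((lineno, "community-any-host", name))
        elif kind == "user":
            user, opts = args[0], args[2:]      # args[1] is the group name
            if any(o.startswith("auth-md5") for o in opts):
                findings.append((lineno, "v3-auth-md5", user))
            elif not any(o.startswith("auth-sha") for o in opts):
                findings.append((lineno, "v3-user-noauth", user))
        elif kind == "v3-host":
            host = args[0]
            # Skip host and username, then look for an explicit level keyword.
            level = next((a for a in args[2:] if a in LEVELS), None)
            if level != "priv":
                detail = f"{host} level={level or 'not stated'}"
                findings.append((lineno, "v3-host-not-priv", detail))
    return findings


def codes_by_line(findings):
    """Group finding codes by configuration line number."""
    grouped = {}
    for lineno, code, _ in findings:
        grouped.setdefault(lineno, []).append(code)
    return grouped


if __name__ == "__main__":
    for lineno, code, detail in audit_snmp(SAMPLE_CONFIG):
        print(f"line {lineno}: {code}: {detail}")
```
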
Managing Images and Files This chapter describes how to upload, download, and copy files, such as firmware images and configuration files, on the switch. The topics covered in this chapter include: • Image and File Management Overview • Managing Images and Files (Web) •...
Table 13-1. Files to Manage
File             Action                   Description
startup-config   Download, Upload, Copy   Contains the software configuration that loads during the boot process.
running-config   Download, Upload, Copy   Contains the current switch configuration.
backup-config    Download, Upload         An additional configuration file that serves as a backup.
Table 13-1. Files to Manage
File                    Action     Description
SSL certificate files   Download   Contains information to encrypt, authenticate, and validate HTTPS sessions. The switch supports the following files for SSL:
                                   • SSL Trusted Root Certificate File (PEM Encoded)
                                   • SSL Server Certificate File (PEM Encoded)
                                   •...
changes that take place after the boot process completes are written to the running-config file. The backup-config file does not exist until you explicitly create one by copying an existing configuration file to the backup-config file or downloading a backup-config file to the switch. You can also create configuration scripts, which are text files that contain CLI commands.
What Methods Are Supported for File Management? You can use any of the following protocols to download files from a remote system to the switch or to upload files from the switch to a remote system: • TFTP • SFTP •...
Editing and Downloading Configuration Files Each configuration file contains a list of executable CLI commands. The commands must be complete and in a logical order, as if you were entering them by using the switch CLI. When you download a startup-config or backup-config file to the switch, the new file replaces the previous version.
! Display information about direct connections
show serial
! End of the script file
Managing Files on a Stack
Image files downloaded to the master unit of a stack are automatically downloaded to all stack members. If you activate the backup image on the master, it is activated on all units as well so that when you reload the stack, all units use the same image.
Managing Images and Files (Web) This section provides information about the OpenManage Switch Administrator pages to use to manage images and files on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page.
Active Images Use the Active Images page to set the firmware image to use when the switch boots. If you change the boot image, it does not become the active image until you reset the switch. To display the Active Images page, click System → File Management → Active Images in the navigation panel.
USB Flash Drive Use the USB Flash Drive page to view information about a USB flash drive connected to the USB port on the front panel of the switch. The page also displays information about the files stored on the USB flash drive. To safely remove the USB flash drive from the USB port, click Unmount USB before removing the drive.
File Download
Use the File Download page to download image (binary) files, SSH and SSL certificates, IAS User files, and configuration (ASCII) files from a remote server to the switch. To display the File Download page, click System → File Management → File Download in the navigation panel.
If you select a transfer mode that requires authentication, additional fields appear in the Download section. If you select HTTP as the download method, some of the fields are hidden. NOTE: If you are using HTTPS to manage the switch, the download method will be HTTPS.
File Upload Use the File Upload to Server page to upload configuration (ASCII), image (binary), IAS user, operational log, and startup log files from the switch to a remote server. To display the File Upload to Server page, click System → File Management →...
NOTE: If you are using HTTPS to manage the switch, the download method will be HTTPS. 4 To upload by using HTTP, click Apply. A dialog box opens to allow you to open or save the file. Figure 13-7. File Upload 5 To upload by using any method other than HTTP, enter the IP address of the server and specify a name for the file.
Copy Files Use the Copy Files page to: • Copy the active firmware image to one or all members of a stack. • Copy the running, startup, or backup configuration file to the startup or backup configuration file. • Restore the running configuration to the factory default settings. To display the Copy Files page, click System →...
Managing Images and Files (CLI)
This section provides information about the commands you use to upload, download, and copy files to and from the PowerConnect 7000 Series switch. For more information about these commands, see the PowerConnect 7000 Series CLI Reference Guide.
Managing Files in Internal Flash
Beginning in Privileged EXEC mode, use the following commands to copy, rename, delete and list the files in the internal flash.
Command                                Purpose
dir                                    List the files in the flash file system.
copy flash://filename usb://filename   Copy a file from the internal flash to a USB flash drive. Use the dir command to see a list of the files that can be...
Managing Files on a USB Flash Device Beginning in Privileged EXEC mode, use the following commands to manage files that are on a USB device that is plugged into the USB flash port on the front panel of the switch. Command Purpose show usb device...
Managing Configuration Scripts (SFTP) Beginning in Privileged EXEC mode, use the following commands to download a configuration script from a remote system to the switch, validate the script, and activate it. NOTE: The startup-config and backup-config files are essentially configuration scripts and can be validated and applied by using the commands in this section.
File and Image Management Configuration Examples This section contains the following examples: • Upgrading the Firmware • Managing Configuration Scripts Upgrading the Firmware This example shows how to download a firmware image to the switch and activate it. The TFTP server in this example is PumpKIN, an open source TFTP server running on a Windows system.
Figure 13-9. Image Path
3 View information about the current image.
console#show bootvar
Image Descriptions
image1 :
image2 :
Images currently available on Flash
------- ------------ ------------ --------------- --------------
unit image1 image2 current-active next-active
------- ------------ ------------ --------------- --------------
2.23.11.17 image1 image1
4 Download the image to the switch.
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n)y
5 Activate the new image (image2) so that it becomes the active image after the switch resets.
console#boot system image2
Activating image image2 ..
6 View information about the current image.
Managing Configuration Scripts This example shows how to create a configuration script that adds three hostname-to-IP address mappings to the host table. To configure the switch: 1 Open a text editor on an administrative computer and type the commands as if you were entering them by using the CLI. Figure 13-10.
Management access will be blocked for the duration of the transfer
4 After you confirm the download information and the script successfully downloads, it is automatically validated for correct syntax.
Are you sure you want to start? (y/n) y
135 bytes transferred
Validating configuration script...
6 Verify that the script was successfully applied.
console#show hosts
Host name: test
Name/address lookup is enabled
Name servers (Preference order): 192.168.3.20
Configured host name-to-address mapping:
Host                       Addresses
------------------------   ------------------------
labpc1                     192.168.3.56
labpc2                     192.168.3.58
labpc3                     192.168.3.59
Managing Files by Using the USB Flash Drive
In this example, the administrator copies the backup image to a USB flash drive before overwriting the backup image on the switch with a new image.
Mode......unknown
Data Type......Config Script
Source Filename....temp-config.scr
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
4 Download the new image from the USB flash drive to the switch. The image overwrites the image that is not currently active.
Automatically Updating the Image and Configuration The topics covered in this chapter include: • Auto Configuration Overview • What Are the Dependencies for DHCP Auto Configuration? • Default Auto Configuration Values • Managing Auto Configuration (Web) • Managing Auto Configuration (CLI) •...
NOTE: Neither USB Configuration nor Auto Install is invoked if a valid configuration file is on the switch. What Is USB Auto Configuration? You can use the USB Auto Configuration feature to configure or upgrade one or more switches that have not been previously configured, such as when you deploy new switches.
How Does USB Auto Configuration Use the Files on the USB Device? The *.setup file can include the following information: • MAC address of the switch • Configuration file name • Image file name • IP address MAC Address Lookup The MAC address should be on the same line as the configuration file and/or image file name to allow a specific switch (identified by its MAC address) to be associated with a specific config file or image.
configured is added to the beginning of the line (if no MAC address was specified in the file) for lines using the IP address lookup method so that the MAC and IP address combinations are recorded within the *.setup file for future use bindings.
If the switches are to be assigned a static IP address included in a specified configuration file (.text) or by a DHCP server, the entries in the *.setup file that assign a specific configuration file and image to each switch have the following format: MAC_Address Config_File...
Option 125 and specify the Dell Enterprise Number, 674. Within the Dell section of option 125, sub option 5 must specify the path and name of a file on the TFTP server. This file is not the image file itself, but rather a text file that contains the path and name of the image file.
If the DHCP server does not specify a configuration file or download of the configuration file fails, the Auto Configuration process attempts to download a configuration file with the name dell-net.cfg. The switch unicasts or broadcasts TFTP requests for a network configuration file in the same manner as it attempts to download a host-specific configuration file.
If the default network configuration file does not contain the switch's IP address, the switch attempts a reverse DNS lookup to resolve its hostname. A sample dell-net.cfg file follows:
config
ip host switch1 192.168.1.10
ip host switch2 192.168.1.11...
Table 14-2 displays the determining factors for issuing unicast or broadcast TFTP requests. Table 14-2. TFTP Request Types TFTP Server Host-specific Switch TFTP Request Method Address Config Filename Available Available Issue a unicast request for the host-specific router config file to the TFTP server Issue a unicast request for a default network or router config file to the TFTP server Issue a broadcast request for the host-...
Stopping and Restarting the Auto Configuration Process You can terminate the Auto Configuration process at any time before the image or configuration file is downloaded. This is useful when the switch is disconnected from the network. Termination of the Auto Configuration process ends further periodic requests for a host-specific file.
• A DNS server must contain an IP address to hostname mapping for the switch if a <hostname>.cfg file is to be downloaded. • If a default gateway is needed to forward TFTP requests, an IP helper address for TFTP needs to be configured on the default gateway. Default Auto Configuration Values Table 14-3 describes the Auto Configuration defaults.
Managing Auto Configuration (Web) This section provides information about the OpenManage Switch Administrator pages to use to manage images and files on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. Auto-Install Configuration Use the Auto-Install Configuration page to allow the switch to obtain network information (such as the IP address and subnet mask) and...
Managing Auto Configuration (CLI)
This section provides information about the commands you use to manage the Auto-Install Configuration feature on the switch. For more information about these commands, see the PowerConnect 7000 Series CLI Reference Guide.
Managing Auto Configuration
Beginning in Privileged EXEC mode, use the following commands to manually activate the Auto Configuration process and download a configuration script from a remote system to the switch, validate the script, and activate it.
Auto Configuration Example A network administrator is deploying three PowerConnect switches and wants to quickly and automatically install the latest image and a common configuration file that configures basic settings such as VLAN creation and membership, RADIUS server settings, and 802.1X information. The configuration file also contains the command boot host autosave so that the downloaded configuration is automatically saved to the startup config.
4 Create a setup file named PowerConnect.setup. The setup file contains the following lines:
001E.C9AA.AC17 switchA.txt PC7000vR.5.4.1.stk
001E.C9AA.AC20 switchB.txt PC7000vR.5.4.1.stk
001E.C9AA.AC33 switchC.txt PC7000vR.5.4.1.stk
NOTE: This .setup file does not provide the switch with a static IP address. However, the switchA.txt, switchB.txt, and switchC.txt files can contain the commands required to configure a static IP address on...
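Because a new switch applies whatever configuration and image its line in the *.setup file names, it is worth checking the file before the USB drive is used. The following checker is an added example, not part of the Dell guide: it parses the MAC-address lookup lines shown above, resolves the files for one switch, and reports duplicate MAC addresses, lines that name no file, files missing from the drive, and more than one image version. Classifying a token as an image by its .stk suffix, the list of files on the drive, and the last two sample lines are assumptions made for the example.

```python
import ipaddress
import re

# MAC addresses in the page's example use the dotted form 001E.C9AA.AC17.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}$")

# Lines 1-3 are the PowerConnect.setup example from this page; lines 4-5 are
# constructed to trigger the checks below.
SAMPLE_SETUP = """\
001E.C9AA.AC17 switchA.txt PC7000vR.5.4.1.stk
001E.C9AA.AC20 switchB.txt PC7000vR.5.4.1.stk
001E.C9AA.AC33 switchC.txt PC7000vR.5.4.1.stk
001e.c9aa.ac17 switchD.txt PC7000vR.5.4.0.stk
001E.C9AA.AC44
"""

# Constructed list of the files actually present on the USB drive.
FILES_ON_DRIVE = {"switchA.txt", "switchB.txt", "switchC.txt",
                  "PC7000vR.5.4.1.stk"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_setup(text):
    """Split each line into MAC, IP addresses, config file and image file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        entry = {"line": lineno, "mac": None, "ips": [],
                 "config": None, "image": None}
        for tok in tokens:
            if MAC_RE.match(tok):
                entry["mac"] = tok.upper()
            elif _is_ip(tok):
                entry["ips"].append(tok)
            elif tok.lower().endswith(".stk"):  # assumption: images end in .stk
                entry["image"] = tok
            else:
                entry["config"] = tok
        entries.append(entry)
    return entries


def lookup(entries, mac):
    """Return (config, image) from the first line that carries this MAC."""
    mac = mac.upper()
    for entry in entries:
        if entry["mac"] == mac:
            return entry["config"], entry["image"]
    return None


def validate(entries, files_on_drive):
    """Return (line, code, detail) problems; line 0 means the whole file."""
    problems, seen = [], {}
    for entry in entries:
        mac = entry["mac"]
        if mac is not None and mac in seen:
            # Which duplicate the switch would honour is not stated on the page.
            problems.append((entry["line"], "duplicate-mac",
                             f"first seen on line {seen[mac]}"))
        elif mac is not None:
            seen[mac] = entry["line"]
        if not entry["config"] and not entry["image"]:
            problems.append((entry["line"], "no-file", mac or ""))
        for name in (entry["config"], entry["image"]):
            if name and name not in files_on_drive:
                problems.append((entry["line"], "missing-file", name))
    images = sorted({e["image"] for e in entries if e["image"]})
    if len(images) > 1:
        problems.append((0, "mixed-images", ", ".join(images)))
    return problems


if __name__ == "__main__":
    parsed = parse_setup(SAMPLE_SETUP)
    print(lookup(parsed, "001e.c9aa.ac20"))
    for problem in validate(parsed, FILES_ON_DRIVE):
        print(problem)
```
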
Enabling DHCP Auto Configuration and Auto Image Download If no USB device is connected to the USB port on the PowerConnect switch and no configuration file is found during the boot process, the Auto Configuration feature uses the DHCP Auto Configuration process to download the configuration file to the switch.
Monitoring Switch Traffic This chapter describes sFlow features, Remote Monitoring (RMON), and Port Mirroring features. The topics covered in this chapter include: • Traffic Monitoring Overview • Default Traffic Monitoring Values • Monitoring Switch Traffic (Web) • Monitoring Switch Traffic (CLI) •...
from monitored devices. sFlow datagrams forward sampled traffic statistics to the sFlow Collector for analysis. You can specify up to eight different sFlow receivers to which the switch sends sFlow datagrams.
Figure 15-1. sFlow Architecture (labels: sFlow Receiver; PowerConnect Switches (sFlow Agents); sFlow Datagrams)
The advantages of using sFlow are: •...
sFlow Sampling The sFlow Agent in the PowerConnect 7000 Series switch software uses two forms of sampling: • Statistical packet-based sampling of switched or routed Packet Flows • Time-based sampling of counters Packet Flow Sampling and Counter Sampling are performed by sFlow Instances associated with individual Data Sources within an sFlow Agent.
• When a sample is taken, the counter indicating how many packets to skip before taking the next sample is reset. The value of the counter is set to a random integer where the sequence of random integers used over time is the Sampling Rate.
• Specify the network management system IP address or permit management access from all IP addresses. For more information about configuring SNMP, see "Configuring SNMP" on page 313. The RMON agent in the switch supports the following groups: • Group 1—Statistics. Contains cumulative traffic and error statistics. •...
NOTE: You can create a DiffServ policy class definition that mirrors specific types of traffic to a destination port. For more information, see "Configuring Differentiated Services" on page 1085. The packet that is copied to the destination port is in the same format as the original packet on the wire.
Monitoring Switch Traffic (Web) This section provides information about the OpenManage Switch Administrator pages to use to monitor network traffic on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. sFlow Agent Summary Use the sFlow Agent Summary page to view information about sFlow MIB and the sFlow Agent IP address.
sFlow Receiver Configuration Use the sFlow Receiver Configuration page to configure settings for the sFlow receiver to which the switch sends sFlow datagrams. You can configure up to eight sFlow receivers that will receive datagrams. To display the Receiver Configuration page, click System → sFlow → Receiver Configuration in the navigation panel.
sFlow Sampler Configuration
Use the sFlow Sampler Configuration page to configure the sFlow sampling settings for switch ports. To display the Sampler Configuration page, click System → sFlow → Sampler Configuration in the navigation panel.
Figure 15-4. sFlow Sampler Configuration
Click Show All to view information about configured sampler data sources.
sFlow Poll Configuration
Use the sFlow Poll Configuration page to configure how often a port should collect counter samples. To display the Sampler Configuration page, click System → sFlow → Sampler Configuration in the navigation panel.
Figure 15-5. sFlow Poll Configuration
Click Show All to view information about the ports configured to collect counter samples.
Interface Statistics Use the Interface Statistics page to display statistics for both received and transmitted packets. The fields for both received and transmitted packets are identical. To display the page, click Statistics/RMON → Table Views → Interface Statistics in the navigation panel. Figure 15-6.
Etherlike Statistics
Use the Etherlike Statistics page to display interface statistics. To display the page, click Statistics/RMON → Table Views → Etherlike Statistics in the navigation panel.
Figure 15-7. Etherlike Statistics
GVRP Statistics
Use the GVRP Statistics page to display switch statistics for GVRP. To display the page, click Statistics/RMON → Table Views → GVRP Statistics in the navigation panel.
Figure 15-8. GVRP Statistics
EAP Statistics
Use the EAP Statistics page to display information about EAP packets received on a specific port. For more information about EAP, see "Dot1x Authentication" on page 350. To display the EAP Statistics page, click Statistics/RMON → Table Views → EAP Statistics in the navigation panel.
Figure 15-9.
Utilization Summary
Use the Utilization Summary page to display interface utilization statistics. To display the page, click Statistics/RMON → Table Views → Utilization Summary in the navigation panel.
Figure 15-10. Utilization Summary
Counter Summary
Use the Counter Summary page to display interface utilization statistics in numeric sums as opposed to percentages. To display the page, click Statistics/RMON → Table Views → Counter Summary in the navigation panel.
Figure 15-11. Counter Summary
Switchport Statistics
Use the Switchport Statistics page to display statistical summary information about switch traffic, address tables, and VLANs. To display the page, click Statistics/RMON → Table Views → Switchport Statistics in the navigation panel.
Figure 15-12. Switchport Statistics
RMON Statistics Use the RMON Statistics page to display details about switch use such as packet processing statistics and errors that have occurred on the switch. To display the page, click Statistics/RMON → RMON → Statistics in the navigation panel. Figure 15-13.
RMON History Control Statistics Use the RMON History Control page to maintain a history of statistics on each port. For each interface (either a physical port or a port-channel), you can define how many buckets exist, and the time interval between each bucket snapshot.
Figure 15-15. Add History Entry 3 Select the port or LAG on which you want to maintain a history of statistics. 4 Specify an owner, the number of historical buckets to keep, and the sampling interval. 5 Click Apply to add the entry to the RMON History Control Table. To view configured history entries, click the Show All tab.
RMON History Table Use the RMON History Table page to display interface-specific statistical network samplings. Each table entry represents all counter values compiled during a single sample. To display the RMON History Table page, click Statistics/RMON → RMON → History Table in the navigation panel. Figure 15-16.
RMON Event Control Use the RMON Events Control page to define RMON events. Events are used by RMON alarms to force some action when a threshold is crossed for a particular RMON counter. The event information can be stored in a log and/or sent as a trap to a trap receiver.
Figure 15-18. Add an Event Entry 3 If the event sends an SNMP trap, specify the SNMP community to receive the trap. 4 Optionally, provide a description of the event and the name of the event owner. 5 Select an event type. 6 Click Apply.
RMON Event Log
Use the RMON Event Log page to display a list of RMON events. To display the page, click Statistics/RMON → RMON → Events Log in the navigation panel.
Figure 15-19. RMON Event Log
RMON Alarms Use the RMON Alarms page to set network alarms. Alarms occur when certain thresholds are crossed for the configured RMON counters. The alarm triggers an event to occur. The events can be configured as part of the RMON Events group.
Adding an Alarm Table Entry To add an alarm: 1. Open the RMON Alarms page. 2. Click Add. The Add an Alarm Entry page displays. Figure 15-21. Add an Alarm Entry 3. Complete the fields on this page as needed. Use the help menu to learn more information about the data required for each field.
Port Statistics Use the Port Statistics page to chart port-related statistics on a graph. To display the page, click Statistics/RMON → Charts → Port Statistics in the navigation panel. Figure 15-22. Ports Statistics To chart port statistics, select the type of statistics to chart and (if desired) the refresh rate, then click Draw.
LAG Statistics Use the LAG Statistics page to chart LAG-related statistics on a graph. To display the page, click Statistics/RMON → Charts → LAG Statistics in the navigation panel. Figure 15-23. LAG Statistics To chart LAG statistics, select the type of statistics to chart and (if desired) the refresh rate, then click Draw.
Port Mirroring Use the Port Mirroring page to create a mirroring session in which all traffic that is sent or received (or both) on one or more source ports is mirrored to a destination port. To display the Port Mirroring page, click Switching → Ports → Traffic Mirroring →...
Figure 15-25. Add Source Port 5 Click Apply. 6 Repeat the previous steps to add additional source ports. 7 Click Port Mirroring to return to the Port Mirroring page. 8 Enable the administrative mode and specify the destination port. Figure 15-26. Configure Additional Port Mirroring Settings 9 Click Apply.
Monitoring Switch Traffic (CLI)
This section provides information about the commands you use to manage traffic monitoring features on the switch and to view information about switch traffic. For more information about these commands, see the PowerConnect 7000 Series CLI Reference Guide.
Configuring sFlow
Beginning in Privileged EXEC mode, use the following commands to configure the sFlow receiver and to configure the sampling and polling on...
Command: sflow rcvr-index polling if_type if_number poll-interval
Purpose: Enable a new sFlow poller instance on an interface range.
• rcvr-index — The sFlow Receiver associated with the poller (Range: 1–8).
• if_type if_number — The list of interfaces to poll. The interface type can be Gigabitethernet (gi) or Tengigabitethernet (te), for example gi1/0/3-5 enables polling on ports 3, 4, and 5.
Command                        Purpose
CTRL + Z                       Exit to Privileged Exec mode.
show sflow agent               View information about the switch sFlow agent.
show sflow index destination   View information about a configured sFlow receiver.
show sflow index polling       View information about the configured sFlow poller instances for the specified receiver.
Command Purpose number rmon alarm Add an alarm entry variable interval number • — The alarm index. (Range: 1–65535) {absolute |delta} rising- variable • — A fully qualified SNMP object identifier that value event- threshold resolves to a particular instance of an MIB object. number ] rising- value...
Command Purpose rmon collection history Enable an RMON MIB history statistics group on the index [owner interface. ownername ] [buckets NOTE: You must configure RMON alarms and events before bucket-number RMON collection history is able to display. seconds [interval index •...
Configuring Port Mirroring Use the following commands in Privileged EXEC mode to configure a port mirroring session. Command Purpose configure Enter Global Configuration mode monitor session Configure a source (monitored) port or CPU interface for session_number source a monitor session. interface {cpu | session_number •...
Traffic Monitoring Configuration Examples This section contains the following examples: • Configuring sFlow • Configuring RMON Configuring sFlow This example shows how to configure the switch so that ports 10-15 and port 23 send sFlow datagrams to an sFlow receiver at the IP address 192.168.20.34. The receiver owner is receiver1, and the timeout is 100000 seconds.
Port......6343
Datagram Version....5
Maximum Datagram Size..... 1400
console#show sflow 1 polling
Poller        Receiver   Poller
Data Source   Index      Interval
-----------   -------    -------
gi1/0/10
gi1/0/11
gi1/0/12
gi1/0/13
gi1/0/14
gi1/0/15
gi1/0/23
console#show sflow 1 sampling
Sampler       Receiver   Packet          Max Header
Data Source   Index      Sampling Rate   Size...
Configuring RMON
This example generates a trap and creates a log entry when the number of inbound packets that are undeliverable due to errors increases by 20 or more. First, an RMON event is created. Then, the alarm is created. The event (event 1) generates a trap and creates a log entry.
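How a delta alarm with a rising threshold of 20 decides when to fire is easier to see on sample data. The following simulation is an added example, not part of the Dell guide: it applies the RMON alarm-group rule from RFC 2819, under which a rising event is not repeated until the sampled value has dropped to the falling threshold, and it computes deltas modulo 2^32 so that a counter wrap does not register as a huge negative change. The counter readings, the falling threshold of 5, and the 32-bit counter width are assumptions for the example.

```python
COUNTER32 = 2 ** 32  # assumption: the monitored object is a 32-bit counter

# Constructed readings of an inbound-error counter, one per sampling interval.
# The last reading comes after the counter has wrapped past 2**32 - 1.
SAMPLE_READINGS = [4294967200, 4294967210, 4294967235, 4294967265,
                   4294967267, 4294967295, 25]


def deltas(readings, modulus=COUNTER32):
    """Change between consecutive readings, tolerant of one counter wrap."""
    return [(cur - prev) % modulus for prev, cur in zip(readings, readings[1:])]


def evaluate_alarm(readings, rising, falling, sample_type="delta"):
    """Return the (sample_index, 'rising' | 'falling', value) events.

    sample_type mirrors the {absolute | delta} keyword of rmon alarm:
    'delta' compares the change per interval with the thresholds,
    'absolute' compares the raw reading.
    """
    values = deltas(readings) if sample_type == "delta" else list(readings)
    events = []
    state = None  # last event generated; None until the first one fires
    for index, value in enumerate(values):
        if value >= rising and state != "rising":
            # Crossed the rising threshold and not already in alarm.
            state = "rising"
            events.append((index, "rising", value))
        elif value <= falling and state != "falling":
            # Dropped to the falling threshold: re-arms the rising alarm.
            state = "falling"
            events.append((index, "falling", value))
        # Values between the thresholds, or repeats on the same side,
        # generate nothing. This is what stops one sustained error burst
        # from producing a trap on every interval.
    return events


if __name__ == "__main__":
    print("deltas:", deltas(SAMPLE_READINGS))
    for event in evaluate_alarm(SAMPLE_READINGS, rising=20, falling=5):
        print(event)
```

In this sketch the first sample is eligible for either event; on the switch that is governed by the alarm's startup setting.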
Configuring iSCSI Optimization This chapter describes how to configure Internet Small Computer System Interface (iSCSI) optimization, which enables special quality of service (QoS) treatment for iSCSI traffic. The topics covered in this chapter include: • iSCSI Optimization Overview • Default iSCSI Optimization Values •...
When Should iSCSI Optimization Be Enabled? Use this feature in networks containing iSCSI initiators and targets where you want to protect this traffic from interruption by giving it preferential QoS treatment. The dynamically-generated classifier rules are used to direct the iSCSI data traffic to queues that can be given the desired preference characteristics over other data traveling through the switch.
The PowerConnect 7000 Series switch uses LLDP, a vendor-neutral protocol, to discover Dell EqualLogic devices on the network. LLDP is enabled by default. For more information about LLDP, see "Discovering Network Devices"...
If the iSCSI feature is disabled on the switch, iSCSI resources are released and the detection of Dell EqualLogic arrays by using LLDP is disabled. Disabling iSCSI does not remove the MTU, flow control, portfast or storm control configuration applied as a result of enabling iSCSI.
Default iSCSI Optimization Values Table 16-1 shows the default values for the iSCSI optimization feature. Table 16-1. iSCSI Optimization Defaults Parameter Default Value iSCSI Optimization Global Status Disabled iSCSI CoS mode Disabled Classification iSCSI packets are classified by VLAN instead of by DSCP values. VLAN Priority tag iSCSI flows are assigned by default the highest 802.1p VLAN priority tag mapped...
Configuring iSCSI Optimization (Web) This section provides information about the OpenManage Switch Administrator pages to use to configure the iSCSI features on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. iSCSI Global Configuration Use the Global Configuration page to allow the switch to snoop for iSCSI sessions/connections and to configure QoS treatment for packets where the...
iSCSI Targets Table Use the Targets Table page to view and configure iSCSI targets on the switch. To access the Targets Table page, click System → iSCSI → Targets in the navigation panel. Figure 16-2. iSCSI Targets Table To add an iSCSI Target, click Add at the top of the page and configure the relevant information about the iSCSI target.
iSCSI Sessions Table Use the Sessions Table page to view summary information about the iSCSI sessions that the switch has discovered. An iSCSI session occurs when an iSCSI initiator and iSCSI target communicate over one or more TCP connections. The maximum number of iSCSI sessions is 192. To access the Sessions Table page, click System →...
iSCSI Sessions Detailed Use the Sessions Detailed page to view detailed information about iSCSI sessions that the switch has discovered. To access the Sessions Detailed page, click System → iSCSI → Sessions Detailed in the navigation panel. Figure 16-5. iSCSI Sessions Detail
Configuring iSCSI Optimization (CLI) This section provides information about the commands you use to configure iSCSI settings on the switch. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide.
Command       Purpose
configure     Enter Global Configuration mode.
iscsi enable  Globally enable iSCSI optimization.
Command                Purpose
iscsi aging time time  Set aging time (range: 1–43,200 seconds) for iSCSI sessions.
exit                   Exit to Privilege Exec mode.
show iscsi             Display iSCSI settings.
show iscsi sessions    Display iSCSI session information.
iSCSI Optimization Configuration Examples This section contains an example of how to configure iSCSI optimization on a stack of switches that are between a disk array and servers. Configuring iSCSI Optimization Between Servers and a Disk Array Figure 16-6 illustrates a stack of three PowerConnect 7000 Series switches connecting two servers (iSCSI initiators) to a disk array (iSCSI targets).
The following commands show how to configure the iSCSI example depicted in Figure 16-6.
1 Enable iSCSI optimization on the switch.
console#config
console(config)#iscsi enable
2 Configure the switch to associate the DSCP priority 45 (and the queue that is mapped to it) with detected iSCSI session traffic. The remark keyword indicates that the switch should add this priority marking on packets as it forwards them.
Configuring a Captive Portal This chapter describes how to configure the Captive Portal feature. The topics covered in this chapter include: • Captive Portal Overview • Default Captive Portal Behavior and Settings • Configuring the Captive Portal (Web) • Configuring a Captive Portal (CLI) •...
Figure 17-1. Connecting to the Captive Portal Switch with Captive Portal RADIUS Server Captive (Optional) Portal User (Host) Default Captive Portal Welcome Screen (Displays in Captive Portal User’s Browser) The Captive Portal feature blocks hosts connected to the switch from accessing the network until user verification has been established.
also writes a message to the trap log when the event occurs. To enable the Captive Portal traps, see "Configuring SNMP Notifications (Traps and Informs)" on page 341. What Factors Should Be Considered When Designing and Configuring a Captive Portal? Before enabling the Captive Portal feature, decide what type (or types) of authentication to require.
Figure 17-2. Customized Captive Portal Welcome Screen How Does Captive Portal Work? When a port is enabled for Captive Portal, all the traffic coming onto the port from the unverified clients is dropped except for the ARP, DHCP, DNS and NETBIOS packets.
What Captive Portal Pages Can Be Customized? You can customize the following three Captive Portal pages: • Authentication Page —This page displays when a client attempts to connect to the network. You can customize the images, text, and colors that display on this page. •...
Default Captive Portal Behavior and Settings Captive Portal is disabled by default. If you enable Captive Portal, no interfaces are associated with the default Captive Portal. After you associate an interface with the Captive Portal and globally enable the Captive Portal feature, a user who connects to the switch through that interface is presented with the Captive Portal Welcome screen shown in Figure 17-3.
Table 17-1. Default Captive Portal Values Feature Value Authentication Timeout 300 seconds Configured Captive Portals Captive Portal Name Default Protocol Mode HTTP Verification Mode Guest URL Redirect Mode User Group 1-Default Session Timeout 86400 seconds Local Users None configured Interface associations None Interface status Not blocked...
Configuring the Captive Portal (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring Captive Portal settings on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. Captive Portal Global Configuration Use the Captive Portal Global Configuration page to control the administrative state of the Captive Portal feature and configure global...
Captive Portal Configuration Use the Captive Portal Configuration page to view summary information about captive portals on the system, add a captive portal, and configure existing captive portals. The switch supports 10 Captive Portal configurations. Captive Portal configuration 1 is created by default and cannot be deleted. Each captive portal configuration can have unique guest or group access modes and a customized acceptance use policy that displays when the client connects.
From the Captive Portal Configuration page, click Add to create a new Captive Portal instance. Figure 17-6. Add Captive Portal Configuration From the Captive Portal Configuration page, click Summary to view summary information about the Captive Portal instances configured on the switch.
2 Click Download Image to download one or more custom images to the switch. You can use a downloaded custom image for the branding logo (default: Dell logo) on the Authentication Page and Logout Success page, the account image (default: blue banner with keys) on the Authentication Page, and the background image (default: blank) on the Logout Success Page.
4 Browse to the directory where the image to be downloaded is located and select the image. 5 Click Apply to download the selected file to the switch. 6 To customize the Authentication Page, which is the page that a user sees upon attempting to connect to the network, click the Authentication Page link.
7 Select the branding image to use and customize other page components such as the font for all text the page displays, the page title, and the acceptance use policy. 8 Click Apply to save the settings to the running configuration or click Preview to view what the user will see.
Figure 17-11. Captive Portal Logout Success Page 13 Customize the look and feel of the Logout Page, such as the background image and successful logout message. 14 Click Apply to save the settings to the running configuration or click Preview to view what the user will see. To return to the default views, click Clear.
Figure 17-12 shows the Local User page after a user has been added. If no users have been added to the switch, many of the fields do not display on the screen. NOTE: Multiple user groups can be selected by holding the CTRL key down while clicking the desired groups.
Figure 17-13. Add Local User From the Local User page, click Show All to view summary information about the local users configured in the local database. Figure 17-14. Captive Portal Local User Summary To delete a configured user from the database, select the Remove check box associated with the user and click Apply.
Optional 0 session timeout is (seconds) reached (seconds). If the attribute is 0 or not present then use the value configured for the captive portal. Dell-Captive- 6231, A comma- String Optional None. The Portal-Groups delimited list of default group names that...
User Group You can assign Local Users to User Groups that you create. If the Verification Mode is Local or RADIUS, you assign a User Group to a Captive Portal Configuration. All users who belong to the group are permitted to access the network through this portal.
From the User Group page, click Add to configure a new user group. Figure 17-16. Add User Group From the User Group page, click Show All to view summary information about the user groups configured on the switch. Figure 17-17. Captive Portal User Group Summary To delete a configured group, select the Remove check box associated with the group and click Apply.
Interface Association From the Interface Association page, you can associate a configured captive portal with specific interfaces. The captive portal feature only runs on the interfaces that you specify. A captive portal can have multiple interfaces associated with it, but an interface can be associated to only one Captive Portal at a time.
Captive Portal Global Status The Captive Portal Global Status page contains a variety of information about the Captive Portal feature. From the Captive Portal Global Status page, you can access information about the Captive Portal activity and interfaces. To display the Global Status page, click System → Captive Portal → Status →...
Captive Portal Activation and Activity Status The Captive Portal Activation and Activity Status page provides information about each Captive Portal configured on the switch. The Captive Portal Activation and Activity Status page has a drop-down menu that contains all captive portals configured on the switch. When you select a captive portal, the activation and activity status for that portal displays.
Interface Activation Status The Interface Activation Status page shows information for every interface assigned to a captive portal instance. To display the Interface Activation Status page, click System → Captive Portal → Interface Status → Interface Activation Status. Figure 17-21. Interface Activation Status Configuring a Captive Portal...
Interface Capability Status The Interface Capability Status page contains information about interfaces that can have CPs associated with them. The page also contains status information for various capabilities. Specifically, this page indicates what services are provided through the Captive Portal to clients connected on this interface.
Client Summary Use the Client Summary page to view summary information about all authenticated clients that are connected through the captive portal. From this page, you can manually force the captive portal to disconnect one or more authenticated clients. The list of clients is sorted by client MAC address.
Client Detail The Client Detail page shows detailed information about each client connected to the network through a captive portal. To display the Client Detail page, click System → Captive Portal → Client Connection Status → Client Detail. Figure 17-24. Client Detail Configuring a Captive Portal...
Captive Portal Interface Client Status Use the Interface Client Status page to view clients that are authenticated to a specific interface. To display the Interface Client Status page, click System → Captive Portal → Client Connection Status → Interface Client Status. Figure 17-25.
Captive Portal Client Status Use the Client Status page to view clients that are authenticated to a specific Captive Portal configuration. To display the Client Status page, click System → Captive Portal → Client Connection Status → Client Status. Figure 17-26. Captive Portal - Client Status Configuring a Captive Portal...
Configuring a Captive Portal (CLI) This section provides information about the commands you use to create and configure Captive Portal settings. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide.
Configuring Global Captive Portal Settings Beginning in Privileged EXEC mode, use the following commands to configure global Captive Portal settings.
Command                       Purpose
CTRL + Z                      Exit to Privileged EXEC mode.
show captive-portal [status]  View the Captive Portal administrative and operational status. Use the status keyword to view additional global Captive Portal information and summary information about all configured Captive Portal instances.
Creating and Configuring a Captive Portal Beginning in Privileged EXEC mode, use the following commands to create a Captive Portal instance and configure its settings.
Command Purpose user-logout (Optional) Enable user logout mode to allow an authenticated client to deauthenticate from the network. If this option is clear or the user does not specifically request logout, the client connection status remains authenticated until the CP deauthenticates the user, for example by reaching the idle timeout or session timeout values.
Command Purpose block (Optional) Block all traffic for a Captive Portal configuration. If the Captive Portal is blocked, users cannot gain access to the network through the Captive Portal. Use this function to temporarily protect the network during unexpected events, such as denial of service attacks.
Configuring Captive Portal Groups and Users Beginning in Privileged EXEC mode, use the following commands to create a Captive Portal group. You can use the default group, or you can create a new group. Command Purpose configure Enter global configuration mode. captive-portal Enter Captive Portal mode.
Command                                       Purpose
user group group-id moveusers new-group-id  (Optional) Move all of the users in a group to a different group. This command removes the users from the group specified by group-id.
• group-id — Group ID (Range: 1–10).
• new-group-id —...
Captive Portal Configuration Example The manager of a resort and conference center needs to provide wired Internet access to each guest room at the resort and in each conference room. Due to legal reasons, visitors and guests must agree to the resort’s acceptable use policy to gain network access.
7. Customize the authentication, logout, and logout success web pages that a Captive Portal user will see. Dell recommends that you use Dell OpenManage Administrator to customize the Captive Portal authentication, logout, and logout success pages. A Preview button is available to allow you to see the pages that a Captive Portal user will see.
Detailed Configuration Procedures Use the following steps to perform the Captive Portal configuration:
1. Configure the RADIUS server information on the switch. In this example, the RADIUS server IP address is 192.168.2.188, and the RADIUS server name is luxury-radius.
console#configure
console(config)#radius-server host 192.168.12.182
console(Config-auth-radius)#name luxury-radius
console(Config-auth-radius)#exit...
1 group 2 Continue entering username and password combinations to populate the local database. 8. Add the User-Name, User-Password, Session-Timeout, and Dell-Captive-Portal-Groups attributes for each employee to the database on the RADIUS server. 9. Globally enable the Captive Portal.
Configuring Port Characteristics This chapter describes how to configure physical switch port characteristics, including settings such as administrative status and Green Ethernet settings. This chapter also describes the link dependency feature. The topics covered in this chapter include: • Port Overview •...
Table 18-1. Port Characteristics Feature Description Speed Specifies the transmission rate for frames. Duplex mode Specifies whether the interface supports transmission between the switch and the connected client in one direction at a time (half) or both directions simultaneously (both). Maximum frame size Indicates the maximum frame size that can be handled by the port.
You can create a maximum of 16 dependency groups. The ports participating in the Link Dependency can be across all the Stack Units (Manager/Member unit). Link Action The link action specifies the action that the group members will take when the dependent port is down.
Interfaces" on page 843. The PowerConnect 7000 Series includes two Power over Ethernet (PoE) Plus models: the PowerConnect 7024P and the PowerConnect 7048P. For information about configuring PoE Plus features for the ports, see "Managing General System Settings" on page 271.
To enter Interface Configuration mode for a physical switch port, the following information is required: • Type — For physical switch ports, the type is Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mbps Ethernet ports or 10-Gigabit Ethernet (tengigabitethernet or te) for 10,000 Mbps Ethernet ports. •...
To enter Interface Configuration mode for a range of interfaces, include the keyword range and specify the interfaces to configure. For example, to apply the same configuration to ports 1-10 on a standalone switch, use the following command: console(config)#interface range gigabitEthernet 1/0/1-10 To enter Interface Configuration mode for ports 3, 4, 5, 12, and 14 on a standalone switch, use the following command:...
Default Port Values Table 18-2 lists the default values for the port characteristics that this chapter describes.
Table 18-2. Default Port Values
Feature                Description
Administrative status  All ports are enabled
Description            None defined
Auto negotiation       Enabled
Speed                  Autonegotiate
Duplex mode            Autonegotiate
Flow control           Enabled...
Configuring Port Characteristics (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring port characteristics on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. Port Configuration Use the Port Configuration page to define port parameters.
Configuring Multiple Ports To configure port settings on multiple ports: 1 Open the Port Configuration page. 2 Click Show All to display the Port Configuration Table page. 3 In the Ports list, select the check box in the Edit column for the port to configure.
In the following example, Ports 3, 4, and 5 will be updated with the settings that are applied to Port 1. Figure 18-3. Copy Port Settings 8 Click Apply. Configuring Port Characteristics...
Link Dependency Configuration Use the Link Dependency Configuration page to create link dependency groups. You can create a maximum of 16 dependency groups. The page displays the groups whether they have been configured or not. To display the Link Dependency Configuration page, click Switching → Link Dependency →...
5 To add a port to the Ports Depended On column, click the port in the Available Ports column, and then click the > button to the right of the Available Ports column. In the following example, Group 1 is configured so that Port 3 is dependent on Port 4.
Link Dependency Summary Use the Link Dependency Summary page to view all link dependencies on the system and to access the Link Dependency Configuration page. You can create a maximum of 16 dependency groups. The page displays the groups whether they have been configured or not. To display the Link Dependency Summary page, click Switching →...
Port Green Ethernet Configuration Use the Green Ethernet Configuration page to enable or disable energy- saving modes on each port. To display the Green Ethernet Configuration page, click System → Green Ethernet → Green Ethernet Configuration in the navigation panel. Figure 18-7.
Port Green Ethernet Statistics Use the Green Ethernet Statistics page to view information about per-port energy savings. To display the Green Ethernet Statistics page, click System → Green Ethernet → Green Ethernet Statistics in the navigation panel. Figure 18-8. Green Ethernet Statistics Configuring Port Characteristics...
To view a summary of energy savings for the switch and all ports, click Summary. Figure 18-9. Green Ethernet Statistics Summary Configuring Port Characteristics...
Port Green Ethernet LPI History Use the Green Ethernet LPI History page to view data about the amount of time the switch has spent in low-power idle (LPI) mode. To display the Green Ethernet LPI History page, click System → Green Ethernet →...
Configuring Port Characteristics (CLI) This section provides information about the commands you use to configure port characteristics. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide.
Configuring Port Settings Beginning in Privileged EXEC mode, use the following commands to configure various port settings.
Command                           Purpose
show interfaces advertise         View a summary of the speeds that are advertised on each port.
show interfaces description       View configured descriptions for all ports.
show interfaces detail interface  View detailed information about the specified port.
Configuring Link Dependencies Beginning in Privileged EXEC mode, use the following commands to configure ports that are dependent on the state of other ports.
Command                                Purpose
CTRL + Z                               Exit to Privileged EXEC mode.
show link-dependency [group group_id]  View link dependency settings for all groups or for the specified group.
Configuring Green Features Beginning in Privileged EXEC mode, use the following commands to configure and monitor energy-saving features for the ports and the switch.
Command    Purpose
configure...
Port Configuration Examples This section contains the following examples: • Configuring Port Settings • Configuring Link Dependency Groups Configuring Port Settings The commands in this example specify the speed and duplex mode for port 1 (gigabitethernet 1/0/1) and change the MTU size for ports 10, 11, 12, 20, and To configure the switch: 1 Enter Interface Configuration mode for port 1.
Configuring Link Dependency Groups The commands in this example create two link dependency groups. Group 1 has port 3 as a member port that is dependent on port 4. The group uses the default link action, which is down. This means that if port 4 goes down, port 3 goes down.
Configuring 802.1X and Port-Based Security This chapter describes how to configure port-based security features including IEEE 802.1X authentication and port security. Port-based security can also be accomplished by using Access Control Lists (ACLs). For information about configuring ACLs, see "Configuring Access Control Lists" on page 539.
What is IEEE 802.1X? The IEEE 802.1X standard provides a means of preventing unauthorized access by supplicants (clients) to the services the switch offers, such as access to the LAN. The 802.1X network has three components: • Supplicant — The client connected to the authenticated port that requests access to the network.
What are the 802.1X Port States? The 802.1X port state determines whether to allow or prevent network traffic on the port. The 802.1X state of a port can be one of the following: • Authorized • Unauthorized • Automode • MAC-Based If the port is in the authorized state, the port sends and receives normal traffic without client port-based authentication.
If a port uses MAC-based 802.1X authentication, the option to use MAC Authentication Bypass (MAB) is available. MAB is a supplemental authentication mechanism that allows 802.1X unaware clients, such as printers and fax machines, to authenticate to the network using the client MAC address as an identifier.
What is the Role of 802.1X in VLAN Assignment? PowerConnect 7000 Series switches allow a port to be placed into a particular VLAN based on the result of the authentication or type of 802.1X authentication a client uses when it accesses the switch. The authentication server can provide information to the switch about which VLAN to assign the supplicant.
Dynamic VLAN Creation If RADIUS-assigned VLANs are enabled through the Authorization Network RADIUS configuration option, the RADIUS server is expected to include the VLAN ID in the 802.1X tunnel attributes of its response message to the switch. If dynamic VLAN creation is enabled on the switch and the RADIUS-assigned VLAN does not exist, then the assigned VLAN is dynamically created.
port. The port is assigned a Guest VLAN ID and is moved to the authorized status. Disabling the supplicant mode does not clear the ports that are already authorized and assigned Guest VLAN IDs. What is Monitor Mode? The monitor mode is a special mode that can be enabled in conjunction with 802.1X authentication.
What is the Internal Authentication Server? The Internal Authentication Server (IAS) is a dedicated database for local authentication of users for network access through 802.1X. In this database, the switch maintains a list of username and password combinations to use for 802.1X authentication.
Default Port-Based Security Values Table 19-2 lists the default values for the 802.1X features and for port security.
Table 19-2. Default Port-Based Security Values
Feature                       Description
Global 802.1X status          Disabled
802.1X authentication method  none
Per-port 802.1X status        Disabled
Port state                    automode
Periodic reauthentication     Disabled...
Configuring Port-Based Security (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IEEE 802.1X features and Port Security on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page.
Configuring 802.1X Settings on Multiple Ports To configure 802.1X authentication on multiple ports: 1 Open the Dot1x Authentication page. 2 Click Show All to display the Dot1x Authentication Table page. 3 In the Ports list, select the check box in the Edit column for the port to configure.
Re-Authenticating Multiple Ports in the Dot1x Authentication Table To reauthenticate multiple ports: 1 Open the Dot1x Authentication page. 2 Click Show All. The Dot1x Authentication Table displays. 3 Check Edit to select the Units/Ports to re-authenticate. 4 To re-authenticate on a periodic basis, set Periodic Re-Authentication to Enable, and specify a Re-Authentication Period for all desired ports.
Authenticated Users The Authenticated Users page is used to display lists of ports that have authenticated users. To display the Authenticated Users page, click Switching → Network Security → Authenticated Users in the navigation panel. Figure 19-4. Network Security Authenticated Users Port Access Control Configuration Use the Port Access Control Configuration page to globally enable or disable RADIUS-assigned VLANs and to enable Monitor Mode to help troubleshoot...
Figure 19-5. Port Access Control Configuration Port Access Control History Log Summary Use the Port Access Control History Log Summary page to view log messages about 802.1X client authentication attempts. The information on this page can help you troubleshoot 802.1X configuration issues. To display the Port Access Control History Log Summary page, click Switching →...
Port Security Use the Port Security page to enable MAC locking on a per-port basis. When a port is locked, you can limit the number of source MAC addresses that are allowed to transmit traffic on the port. To display the Port Security page, click Switching → Network Security → Port Security in the navigation panel.
Figure 19-8. Configure Port Security Settings 5 Click Apply. Configuring 802.1X and Port-Based Security...
Internal Authentication Server Users Configuration Use the Internal Authentication Server Users Configuration page to add users to the local IAS database and to view the database entries. To display the Internal Authentication Server Users Configuration page, click System → Management Security → Internal Authentication Server Users Configuration in the navigation panel.
Figure 19-10. Removing an IAS User 4 Click Apply. To view the Internal Authentication Server Users Table page, click Show All. Removing an IAS User To delete an IAS user: 1 Open the Internal Authentication Server Users Configuration page. 2 From the User menu, select the user to remove. 3 Select the Remove check box.
Configuring Port-Based Security (CLI) This section provides information about commands you use to configure 802.1X and Port Security settings. For additional information about the commands in this section, see the PowerConnect 7000 Series CLI Reference Guide.
Configuring Basic 802.1X Authentication Settings Beginning in Privileged EXEC mode, use the following commands to enable and configure 802.1X authentication on the switch.
Command                                                                        Purpose
dot1x port-control {force-authorized | force-unauthorized | auto | mac-based}  Specify the 802.1X mode for the port. NOTE: For standard 802.1X implementations in which one client is connected to one port, use the dot1x port-control auto command to enable 802.1X authentication on the port. •...
NOTE: To enable 802.1X Monitor Mode to help troubleshoot authentication issues, use the dot1x system-auth-control monitor command in Global Configuration mode. To view 802.1X authentication events and information, use the show dot1x authentication-history {<interface> | all} [failed-auth-only] [detail] command in Privileged EXEC mode.
Command                             Purpose
dot1x timeout supp-timeout seconds  Set the time that the switch waits for a response before retransmitting an Extensible Authentication Protocol (EAP)-request frame to the client.
dot1x max-req count                 Set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP)-request frame (assuming that no response is received) to the client before restarting the authentication process.
Configuring 802.1X Settings for RADIUS-Assigned VLANs Beginning in Privileged EXEC mode, use the following commands to configure 802.1X settings that affect the RADIUS-assigned VLAN.
Command                                   Purpose
configure                                 Enter Global Configuration mode.
aaa authorization network default radius  Allow the RADIUS server to assign VLAN IDs to clients.
aaa authorization                         If the RADIUS assigned VLAN does not exist on the...
Configuring Port Security Beginning in Privileged EXEC mode, use the following commands to enable port security on an interface to limit the number of source MAC addresses that can be learned.
Command              Purpose
configure            Enter Global Configuration mode.
interface interface  Enter interface configuration mode for the specified interface.
Configuring Internal Authentication Server Users Beginning in Privileged EXEC mode, use the following commands to add users to the IAS database and to use the database for 802.1X authentication.
Command                     Purpose
configure                   Enter Global Configuration mode.
aaa ias-user username user  Add a user to the IAS user database. This command also changes the mode to the AAA User Config mode.
Port-Based Security Configuration Examples This section contains the following examples: • Configuring 802.1X Authentication • Configuring MAC-Based Authentication Mode • Allowing RADIUS-Assigned VLANs and a Guest VLAN • Configuring Authentication Server Filter Assignments Configuring 802.1X Authentication The network in this example requires clients to use 802.1X authentication to access the network through the switch ports.
Page 532
Figure 19-12. 802.1X Example (figure labels: Physically Unsecured Devices; Physically Secured Devices; Authentication Server (RADIUS); PowerConnect Switch; Clients (Ports 1 and 3); LAN Uplink (Port 10); Server (Port 9); Printer (Port 7))
The following example shows how to configure the example shown in Figure 19-12.
Page 533
3 Enable 802.1X port-based access control on the switch.
console(config)#dot1x system-auth-control
4 Configure ports 9 and 24 to be in the Authorized state, which allows the devices to connect to these ports to access the switch services without authentication.
console(config)#interface range gi1/0/9-10
console(config-if)#dot1x port-control force-authorized
console(config-if)#exit...
Page 534
User Name........dflint
Supp MAC Address....... 0004.5A55.EFAD
Session Time........826
Filter Id........
VLAN Assigned........1 (Default)
Interface........Gi1/0/7
User Name........0006.6B33.06BA
Supp MAC Address....... 0006.6B33.06BA
Session Time........826
Filter Id........
VLAN Assigned........1 (Default)
8 View a summary of the port status.
console#show dot1x
Administrative Mode....
Configuring MAC-Based Authentication Mode
The PowerConnect 7000 Series switches support MAC-based 802.1X authentication. This feature allows multiple hosts to authenticate on a single port. The hosts are distinguished by their MAC addresses. When multiple hosts (for example, a PC, a printer, and a phone in the same office) are connected to the switch on the same port, each of the connected hosts authenticates separately with the RADIUS server.
Guest-vlan Timeout......90
Server Timeout (secs)......30
MAB mode (configured)......Disabled
MAB mode (operational)......Disabled
Allowing RADIUS-Assigned VLANs and a Guest VLAN
The following commands show how to configure the switch to accept RADIUS-assigned VLANs and Guest VLANs. The RADIUS server can place a port in a particular VLAN based on the result of the authentication.
Configuring Authentication Server Filter Assignments
To enable filter assignment by an external server, the following conditions must be true:
1 The port that the host is connected to must be enabled for MAC-based port access control by using the following command in Interface Config mode:
dot1x port-control mac-based
2 The RADIUS or 802.1X server must specify the policy to assign.
Page 538
Configuring 802.1X and Port-Based Security...
Configuring Access Control Lists
This chapter describes how to configure Access Control Lists (ACLs), including IPv4, IPv6, and MAC ACLs. This chapter also describes how to configure time ranges that can be applied to any of the ACL types. The topics covered in this chapter include:
•...
NOTE: Every ACL is terminated by an implicit deny all rule, which covers any packet not matching a preceding explicit rule. You can set up ACLs to control traffic at Layer 2, Layer 3, or Layer 4. MAC ACLs operate on Layer 2. IP ACLs operate on Layers 3 and 4. PowerConnect 7000 Series switches support both IPv4 and IPv6 ACLs.
What Are IP ACLs?
IP ACLs classify for Layers 3 and 4 on IPv4 or IPv6 traffic. Each ACL is a set of up to ten rules applied to inbound traffic. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network, and may apply to one or more of the following fields within a packet:
•...
Using ACLs to mirror traffic is considered to be flow-based mirroring since the traffic flow is defined by the ACL classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific interface is replicated on another interface.
What Is ACL Logging?
ACL Logging provides a means for counting the number of “hits”...
A named time range can contain up to 10 configured time ranges. Only one absolute time range can be configured per time range. During the ACL configuration, you can associate a configured time range with the ACL to provide additional control over permitting or denying a user access to network resources.
NOTE: Although the maximum number of ACLs is 100, and the maximum number of rules per ACL is 127, the system cannot support 100 ACLs that each have 127 rules. The maximum number of ACLs and rules supported depends on the resources consumed by other processes and configured features running on the switch.
Configuring ACLs (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring ACLs on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page.
IP ACL Configuration
Use the IP ACL Configuration page to add or remove IP-based ACLs.
Page 546
Figure 20-2. Add IP ACL
4 Click Apply.
Removing IPv4 ACLs
To delete an IPv4 ACL:
1 From the IP ACL Name menu on the IP ACL Configuration page, select the ACL to remove.
2 Select the Remove checkbox.
3 Click Apply.
Viewing IPv4 ACLs
To view configured ACLs, click Show All from the IP ACL Configuration page.
Figure 20-3. View IPv4 ACLs
IP ACL Rule Configuration
Use the IP ACL Rule Configuration page to define rules for IP-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. Additionally, you can specify to assign traffic to a particular queue, filter on some traffic, change VLAN tag, shut down a port, and/or redirect the traffic to a particular port.
Page 548
Figure 20-4. IP ACL - Rule Configuration
Removing an IP ACL Rule
To delete an IP ACL rule:
1 From the Rule ID menu, select the ID of the rule to delete.
2 Select the Remove option near the bottom of the page.
3 Click Apply to remove the selected rule.
MAC ACL Configuration
Use the MAC ACL Configuration page to define a MAC-based ACL. To display the MAC ACL Configuration page, click Switching → Network Security → Access Control Lists → MAC Access Control Lists → Configuration in the navigation panel.
Figure 20-5.
Page 550
Figure 20-6. Add MAC ACL
4 Click Apply.
Renaming or Removing MAC ACLs
To rename or delete a MAC ACL:
1 From the MAC ACL Name menu on the MAC ACL Configuration page, select the ACL to rename or remove.
2 To rename the ACL, select the Rename checkbox and enter a new name in the associated field.
MAC ACL Rule Configuration
Use the MAC ACL Rule Configuration page to define rules for MAC-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. A default deny all rule is the last rule of every list. To display the MAC ACL Rule Configuration page, click Switching →...
IPv6 ACL Configuration
Use the IPv6 ACL Configuration page to add or remove IP-based ACLs. To display the IP ACL Configuration page, click Switching → Network Security → Access Control Lists → IPv6 Access Control Lists → IPv6 ACL Configuration in the navigation panel.
Figure 20-8.
Figure 20-9. Add IPv6 ACL
4 Click Apply.
Removing IPv6 ACLs
To delete an IPv6 ACL:
1 From the IPv6 ACL Name menu on the IPv6 ACL Configuration page, select the ACL to remove.
2 Select the Remove checkbox.
3 Click Apply.
Viewing IPv6 ACLs
To view configured ACLs, click Show All from the IPv6 ACL Configuration page.
Page 554
To display the IPv6 ACL Rule Configuration page, click Switching → Network Security → Access Control Lists → IPv6 Access Control Lists → Rule Configuration in the navigation menu.
Figure 20-10. IPv6 ACL - Rule Configuration
Removing an IPv6 ACL Rule
To delete an IPv6 ACL rule:
1 From the Rule ID menu, select the ID of the rule to delete.
ACL Binding Configuration
When an ACL is bound to an interface, all the rules that have been defined are applied to the selected interface. Use the ACL Binding Configuration page to assign ACL lists to ACL Priorities and Interfaces. From the Web interface, you can configure the ACL rule in the ingress or egress direction so that the ACLs implement security rules for packets entering or exiting the port.
Time Range Entry Configuration
Use the Time Range Entry Configuration page to define time ranges to associate with ACL rules. To display the Time Range Entry Configuration page, click System → Time Synchronization → Time Range Configuration in the navigation panel. The following image shows the page after at least one time range has been added.
Page 557
Figure 20-13. Add a Time Range
3 Click Apply.
4 Click Configuration to return to the Time Range Entry Configuration page.
5 In the Time Range Name field, select the name of the time range to configure.
6 Specify an ID for the time range. You can configure up to 10 different time range entries to include in the named range.
Configuring ACLs (CLI)
This section provides information about the commands you use to create and configure ACLs. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide.
Configuring an IPv4 ACL
Beginning in Privileged EXEC mode, use the following commands to create an IPv4 ACL, configure rules for the ACL, and bind the ACL to an interface.
Page 559
Command: Purpose (continued)
• portvalue — The source layer 4 port match condition for the ACL rule is specified by the port value parameter (Range: 0–65535).
• portkey — Or you can specify the portkey, which can be one of the following keywords: domain, echo, ftp, ftpdata, http, smtp, snmp, telnet, tftp, and www.
Command: Purpose
CTRL + Z: Exit to Privileged EXEC mode.
show ip access-lists name: Display all IPv4 access lists and all of the rules that are defined for the IPv4 ACL. Use the optional name parameter to identify a specific IPv4 ACL to display.
Configuring a MAC ACL
Beginning in Privileged EXEC mode, use the following commands to create a MAC ACL, configure rules for the ACL, and bind the ACL to an interface.
Page 561
Command: Purpose (Continued)
• vlan eq — VLAN number. (Range 0-4095)
• cos — Class of service. (Range 0-7)
• log — Specifies that this rule is to be logged.
• time-range-name — Specifies the named time range to associate with the ACL rule.
•...
Command: Purpose
show mac access-lists name: Display all MAC access lists and all of the rules that are defined for the MAC ACL. Use the optional name parameter to identify a specific MAC ACL to display.
Configuring an IPv6 ACL
Beginning in Privileged EXEC mode, use the following commands to create an IPv6 ACL, configure rules for the ACL, and bind the ACL to an interface.
Page 563
Command: Purpose (Continued)
• destination ipv6 prefix — IPv6 prefix in IPv6 global address format.
• flow label value — The value to match in the Flow Label field of the IPv6 header (Range 0–1048575).
• dscp dscp — Specifies the TOS for an IPv6 ACL rule depending on a match of DSCP values using the parameter dscp.
Command: Purpose
CTRL + Z: Exit to Privileged EXEC mode.
show ipv6 access-lists name: Display all IPv6 access lists and all of the rules that are defined for the IPv6 ACL. Use the optional name parameter to identify a specific IPv6 ACL to display.
Configuring a Time Range
Beginning in Privileged EXEC mode, use the following commands to create a time range and configure time-based entries for the time range.
Page 565
Command: Purpose
periodic {days-of-the-week time} to {[days-of-the-week] time}: Configure a recurring time entry for the named time range.
• days-of-the-week —The first occurrence indicates the starting day(s) the ACL goes into effect. The second occurrence is the ending day(s) when the ACL rule is no longer in effect.
ACL Configuration Examples
This section contains the following examples:
• Configuring an IP ACL
• Configuring a MAC ACL
• Configuring a Time-Based ACL
Configuring an IP ACL
The commands in this example set up an IP ACL that permits hosts in the 192.168.77.0/24 subnet to send TCP and UDP traffic only to the host with an IP address of 192.168.77.50.
To configure the switch:
1 Create an ACL named list1 and configure a rule for the ACL that permits packets carrying TCP traffic that matches the specified Source IP address (192.168.77.0/24), and sends these packets to the specified Destination IP address (192.168.77.50).
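The effect of list1 together with the implicit deny all rule can be checked offline. The following Python model is an added example, not code from the guide or the switch: it evaluates rules in order (first match wins, then the implicit deny) and also flags rules that can never fire because an earlier rule already covers them. The Rule and Packet classes, the "ip" any-protocol keyword and the MISORDERED list are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

IMPLICIT_DENY = "implicit deny"   # marker for "no explicit rule matched"


@dataclass(frozen=True)
class Packet:
    protocol: str                    # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every protocol
    src: str                         # source prefix, e.g. "192.168.77.0/24"
    dst: str                         # destination prefix
    dst_port: Optional[int] = None   # None matches any layer 4 port

    def matches(self, pkt: Packet) -> bool:
        return (self.protocol in ("ip", pkt.protocol)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Union[int, str]]:
    """Return (action, rule number); rules are checked in order, first match wins."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, number
    # Every ACL ends with an implicit deny all rule.
    return "deny", IMPLICIT_DENY


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet matched by `later` is already matched by `earlier`."""
    return (earlier.protocol in ("ip", later.protocol)
            and (earlier.dst_port is None or earlier.dst_port == later.dst_port)
            and ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst)))


def shadowed_rules(acl: List[Rule]) -> List[Tuple[int, int]]:
    """Return (rule, first covering rule) pairs for rules that can never be reached."""
    found = []
    for j, later in enumerate(acl):
        for i in range(j):
            if covers(acl[i], later):
                found.append((j + 1, i + 1))
                break
    return found


# list1 as described in the text: TCP and UDP from the subnet to one host only.
LIST1 = [
    Rule("permit", "tcp", "192.168.77.0/24", "192.168.77.50/32"),
    Rule("permit", "udp", "192.168.77.0/24", "192.168.77.50/32"),
]

# Constructed counter-example: a broad deny placed first hides the permit.
MISORDERED = [
    Rule("deny", "ip", "192.168.77.0/24", "0.0.0.0/0"),
    Rule("permit", "tcp", "192.168.77.0/24", "192.168.77.50/32"),
]

if __name__ == "__main__":
    probes = [
        Packet("tcp", "192.168.77.10", "192.168.77.50", 80),
        Packet("udp", "192.168.77.10", "192.168.77.50", 53),
        Packet("icmp", "192.168.77.10", "192.168.77.50"),
        Packet("tcp", "192.168.77.10", "192.168.77.51", 80),
    ]
    for pkt in probes:
        print(pkt, "->", evaluate(LIST1, pkt))
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

Running the shadow check before binding an ACL catches ordering mistakes that otherwise surface only as unexplained drops.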
Page 568
console(config)#mac access-group mac1 in
console(config)#exit
5 View information about the configured ACL.
console#show mac access-lists
Current number of all ACLs: 1 Maximum number of all ACLs: 100
MAC ACL Name  Rules    Interface(s) Direction
------------- -------- ------------ ---------
mac1                   ch1-48,      Inbound
                       Gi1/0/1-
                       Gi1/0/48
console#show mac access-lists mac1...
Configuring a Time-Based ACL
The following example configures an ACL that denies HTTP traffic from 8:00 pm to 12:00 pm and 1:00 pm to 6:00 pm on weekdays and from 8:30 am to 12:30 pm on weekends. The ACL affects all hosts connected to ports that are members of VLAN 100.
Page 570
7 Verify the configuration.
console#show ip access-lists web-limit
IP ACL Name: web-limit
Inbound VLAN(s):
Rule Number: 1
Action......deny
Match All......FALSE
Protocol......6(tcp)
Source IP Address....any
Destination IP Address.... any
Destination L4 Port Keyword..80(www/http)ip
Time Range Name....work-hours
Rule Status.......
Configuring VLANs
This chapter describes how to configure VLANs, including port-based VLANs, protocol-based VLANs, double-tagged VLANs, subnet-based VLANs, and Voice VLANs. The topics covered in this chapter include:
• VLAN Overview
• Default VLAN Behavior
• Configuring VLANs (Web)
• Configuring VLANs (CLI)
•...
Page 572
priority over other traffic, such as data. Administrators also use VLANs to protect network resources. Traffic sent by authenticated clients might be assigned to one VLAN, while traffic sent from unauthenticated clients might be assigned to a different VLAN that allows limited network access. When one host in a VLAN sends a broadcast, the switch forwards traffic only to other members of that VLAN.
Page 573
Figure 21-1. Simple VLAN Topology (figure labels: Router; Switch; Engineering VLAN 100; Payroll VLAN 300; Tech Pubs VLAN 200)
In this example, each port is manually configured so that the end station attached to the port is a member of the VLAN configured for the port. The VLAN membership for this network is port-based or static.
Table 21-1 provides an overview of the types of VLANs you can use to logically divide the network.
Table 21-1. VLAN Assignment
VLAN Assignment: Description
Port-based (Static): This is the most common way to assign hosts to VLANs. The port where the traffic enters the switch determines the VLAN membership.
Table 21-2. Switchport Mode Behavior
Mode     VLAN Membership                     Frames Accepted     Frames Sent   Ingress Filtering
Access   One VLAN                            Untagged            Untagged      Always On
Trunk    All VLANs that exist in the system  Tagged              Tagged        Always On
General  As many as desired                  Tagged or Untagged  Tagged or...  On or Off
Configuring the PVID for an interface is useful when untagged and tagged packets will be sent and received on that port and a device connected to the interface does not support VLAN tagging.
GVRP
The GARP VLAN Registration Protocol (GVRP) helps to dynamically manage VLAN memberships on trunk ports.
802.1Q (0x8100) EtherType, it allows the traffic to have added security from misconfiguration while exiting the metro core. For example, if the edge device on the other side of the metro core is not stripping the second tag, the packet would never be classified as an 802.1Q tag, so the packet would be dropped rather than forwarded in the incorrect VLAN.
Page 578
The Voice VLAN feature can be enabled on a per-port basis. This feature supports a configurable voice VLAN DSCP value. This value is later retrieved by LLDP when the LLDPDU is transmitted, if LLDP has been enabled on the port and the required TLV is configured for the port.
Identifying Voice Traffic
Some VoIP phones contain full support for IEEE 802.1X.
• When a VLAN is associated with the Voice VLAN port, then the VLAN ID information is passed onto the VoIP phone using the LLDP-MED mechanism. By this method, the voice data coming from the VoIP phone is tagged with the exchanged VLAN ID. Untagged data arriving on the switch is given the default PVID of the port, and the voice traffic is received tagged with the pre-defined VLAN.
Default VLAN Behavior
One VLAN exists on the PowerConnect 7000 Series switches by default. The VLAN ID is 1, and all ports are included in the VLAN as access ports, which are untagged. This means when a device connects to any port on the switch, the port forwards the packets without inserting a VLAN tag.
Page 581
Table 21-4 shows the default values or maximum values for VLAN features.
Table 21-4. Additional VLAN Default and Maximum Values
Feature: Value
Default VLAN: VLAN 1
VLAN Name: No VLAN name is configured
VLAN Range: 2–4093
Switchport mode: Access
Double-VLAN tagging: Disabled. If double-VLAN tagging is enabled, the default EtherType value is 802.1Q...
Configuring VLANs (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VLANs on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page.
VLAN Membership
Use the VLAN Membership page to create VLANs and define VLAN groups stored in the VLAN membership table.
Page 583
Table 21-5. VLAN Port Membership Definitions
Port Control: Definition
Blank: Blank: the interface is not a VLAN member. Packets in this VLAN are not forwarded on this interface.
To perform additional port configuration, such as making the port a trunk port, use the Port Settings page.
Page 584
Adding a VLAN
To create a VLAN:
1 Open the VLAN Membership page.
2 Click Add to display the Add VLAN page.
3 Specify a VLAN ID and a VLAN name.
Figure 21-4. Add VLAN
4 Click Apply.
Configuring Ports as VLAN Members
To add member ports to a VLAN:
1 Open the VLAN Membership page.
Page 585
Figure 21-5. Add Ports to VLAN
4 Click Apply.
5 Verify that the ports have been added to the VLAN.
Page 586
In Figure 21-6, the presence of the letter U in the Current row indicates that the port is an untagged member of the VLAN.
Figure 21-6. Add Ports to VLAN
VLAN Port Settings
Use the VLAN Port Settings page to add ports to an existing VLAN and to configure settings for the port. If you select Trunk or Access as the Port VLAN Mode, some of the fields are not configurable because of the requirements for that mode.
Figure 21-8. VLAN Settings for All Ports
VLAN LAG Settings
Use the VLAN LAG Settings page to map a LAG to a VLAN and to configure specific VLAN settings for the LAG. To display the LAG Settings page, click Switching → VLAN → LAG Settings in the navigation panel.
Page 589
From the LAG Settings page, click Show All to see the current VLAN settings for all LAGs. You can change the settings for one or more LAGs by clicking the Edit option for a port and selecting or entering new values.
Figure 21-10.
Bind MAC to VLAN
Use the Bind MAC to VLAN page to map a MAC address to a VLAN. After the source MAC address and the VLAN ID are specified, the MAC to VLAN configurations are shared across all ports of the switch. The MAC to VLAN table supports up to 128 entries.
Figure 21-12. MAC-VLAN Bind Table
Bind IP Subnet to VLAN
Use the Bind IP Subnet to VLAN page to assign an IP Subnet to a VLAN. The IP Subnet to VLAN configurations are shared across all ports of the switch. There can be up to 64 entries configured in this table. To display the Bind IP Subnet to VLAN page, click Switching →...
Page 592
From the Bind IP Subnet to VLAN page, click Show All to see the IP subnets that are mapped to VLANs. From this page, you can change the settings for one or more entries or remove an entry.
Figure 21-14. Subnet-VLAN Bind Table
GVRP Parameters
Use the GVRP Parameters page to enable GVRP globally and configure the port settings. To display the GVRP Parameters page, click Switching → VLAN → GVRP Parameters in the navigation panel.
Figure 21-15. GVRP Parameters
From the GVRP Parameters page, click Show All to see the GVRP configuration for all ports.
Page 594
Figure 21-16. GVRP Port Parameters Table
Protocol Group
Use the Protocol Group page to configure which EtherTypes go to which VLANs, and then enable certain ports to use these settings. Protocol-based VLANs are most often used in situations where network segments contain hosts running multiple protocols. To display the Protocol Group page, click Switching →...
Adding a Protocol Group
To add a protocol group:
1 Open the Protocol Group page.
2 Click Add to display the Add Protocol Group page.
3 Create a name for the group and associate a VLAN with the group.
Figure 21-18. Add Protocol Group
4 Click Apply.
Page 597
Figure 21-19. Configure Protocol Group
8 Click Apply.
9 Click Show All to see the protocol-based VLANs and their members.
Figure 21-20. Protocol Group Table
Double VLAN Global Configuration
Use the Double VLAN Global Configuration page to specify the value of the EtherType field in the first EtherType/tag pair of the double-tagged frame. To display the Double VLAN Global Configuration page, click Switching → VLAN → Double VLAN → Global Configuration in the navigation panel.
Figure 21-21.
Double VLAN Interface Configuration
Use the Double VLAN Interface Configuration page to specify the value of the EtherType field in the first EtherType/tag pair of the double-tagged frame. To display the Double VLAN Interface Configuration page, click Switching → VLAN → Double VLAN → Interface Configuration in the navigation panel.
Voice VLAN
Use the Voice VLAN Configuration page to configure and view voice VLAN settings that apply to the entire system and to specific interfaces. To display the page, click Switching → VLAN → Voice VLAN → Configuration in the navigation panel.
Figure 21-24.
Configuring VLANs (CLI)
This section provides information about the commands you use to create and configure VLANs. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide.
Creating a VLAN
Beginning in Privileged EXEC mode, use the following commands to configure a VLAN and associate a name with the VLAN.
Configuring a Port in Access Mode
Beginning in Privileged EXEC mode, use the following commands to configure an untagged layer 2 VLAN interface and assign the interface to a VLAN. When a port is in access mode, it can only be a member of one untagged VLAN.
Configuring a Port in General Mode
Beginning in Privileged EXEC mode, use the following commands to configure an interface with full 802.1q support and configure the VLAN membership information for the interface.
Command: Purpose
configure: Enter global configuration mode.
interface interface: Enter interface configuration mode for the specified interface...
Command: Purpose
switchport general acceptable-frame-type tagged-only: (Optional) Specifies that the port will only accept tagged frames. Untagged frames are dropped at ingress.
switchport general ingress-filtering disable: (Optional) Turn off ingress filtering so that all received tagged frames are forwarded whether or not the port is a member of the VLAN in the tag.
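What these two general-mode options change at ingress can be modelled and audited offline. The following Python sketch is an added example, not PowerConnect code: it parses a constructed configuration listing, models the ingress decision of each general-mode port as this chapter describes it (untagged frames go to the PVID, tagged-only drops untagged frames, ingress filtering drops tags outside the port's membership), and reports ports that accept tags for VLANs they are not members of. The listing layout, the class and function names, and the use of `switchport mode general`, `switchport general pvid` and `switchport general allowed vlan add` (PowerConnect commands not shown in this excerpt) are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample listing (not captured from a real switch).
SAMPLE_CONFIG = """\
interface gi1/0/10
switchport mode general
switchport general pvid 1
switchport general allowed vlan add 25 tagged
exit
interface gi1/0/11
switchport mode general
switchport general allowed vlan add 200 tagged
switchport general acceptable-frame-type tagged-only
switchport general ingress-filtering disable
exit
"""


@dataclass
class GeneralPort:
    name: str
    pvid: int = 1                                         # VLAN for untagged frames
    member_vlans: Set[int] = field(default_factory=lambda: {1})  # default VLAN 1
    tagged_only: bool = False                             # acceptable-frame-type tagged-only
    ingress_filtering: bool = True                        # on unless explicitly disabled


def expand_vlan_list(text: str) -> Set[int]:
    """Expand a list such as '25' or '10,20-22' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in text.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_general_ports(config: str) -> Dict[str, GeneralPort]:
    """Collect the general-mode ports from single-interface stanzas."""
    ports: Dict[str, GeneralPort] = {}
    current: Optional[GeneralPort] = None
    for raw in config.splitlines():
        line = raw.strip()
        start = re.fullmatch(r"interface (\S+)", line)
        if start:
            current = GeneralPort(name=start.group(1))
            continue
        if line == "exit" or current is None:
            current = None
            continue
        if line == "switchport mode general":
            ports[current.name] = current
        elif line.startswith("switchport general pvid "):
            current.pvid = int(line.split()[-1])
        elif line == "switchport general acceptable-frame-type tagged-only":
            current.tagged_only = True
        elif line == "switchport general ingress-filtering disable":
            current.ingress_filtering = False
        else:
            add = re.fullmatch(
                r"switchport general allowed vlan add (\S+)(?: (?:tagged|untagged))?", line)
            if add:
                current.member_vlans |= expand_vlan_list(add.group(1))
    return ports


def classify_ingress(port: GeneralPort, tag: Optional[int]) -> Tuple[bool, Optional[int], str]:
    """Return (accepted, vlan, reason) for a frame arriving with `tag` (None = untagged)."""
    if tag is None:
        if port.tagged_only:
            return False, None, "untagged frame dropped (tagged-only)"
        return True, port.pvid, "untagged frame classified to the PVID"
    if port.ingress_filtering and tag not in port.member_vlans:
        return False, None, "tag outside port membership (ingress filtering)"
    return True, tag, "tagged frame accepted"


def audit(ports: Dict[str, GeneralPort], existing_vlans: Iterable[int]) -> List[Tuple[str, List[int]]]:
    """List ports that accept tagged frames for VLANs they are not members of."""
    findings = []
    for name in sorted(ports):
        port = ports[name]
        exposed = sorted(v for v in existing_vlans
                         if v not in port.member_vlans and classify_ingress(port, v)[0])
        if exposed:
            findings.append((name, exposed))
    return findings


if __name__ == "__main__":
    parsed = parse_general_ports(SAMPLE_CONFIG)
    for port_name, vlans in audit(parsed, {1, 25, 200, 400}):
        print(f"{port_name}: accepts tags for non-member VLANs {vlans}")
```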
Page 606
Command: Purpose
switchport trunk {allowed vlan vlan-list | native vlan vlan-id}: Set the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode.
• allowed vlan-list — Set the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode.
Configuring VLAN Settings for a LAG
The VLAN mode and memberships settings you configure for a port are also valid for a LAG (port channel). Beginning in Privileged EXEC mode, use the following commands to configure the VLAN mode for a LAG. Once you specify the switchport mode settings for a LAG, you can configure other VLAN memberships settings that are valid for the switchport mode.
Configuring Double VLAN Tagging
Beginning in Privileged EXEC mode, use the following commands to configure an interface to send and accept frames with double VLAN tagging.
Command: Purpose
configure: Enter global configuration mode.
interface interface: Enter interface configuration mode for the specified interface.
Configuring MAC-Based VLANs
Beginning in Privileged EXEC mode, use the following commands to associate a MAC address with a configured VLAN. The VLAN does not need to be configured on the system to associate a MAC address with it. You can create up to 256 VLAN to MAC address associations.
Configuring IP-Based VLANs
Beginning in Privileged EXEC mode, use the following commands to associate an IP subnet with a configured VLAN. The VLAN does not need to be configured on the system to associate an IP subnet with it. You can create up to 256 VLAN to MAC address associations.
Page 611
Command: Purpose
configure: Enter global configuration mode.
vlan protocol group name: Create a new protocol group.
exit: Exit to Privileged EXEC mode.
show port protocol all: Obtain the group ID for the newly configured group.
configure: Enter global configuration mode.
vlan protocol group add: Add any EtherType protocol to the protocol-based VLAN groupid...
Command: Purpose
protocol group groupid vlanid: Attach a VLAN ID to the protocol-based group identified by groupid. A group may only be associated with one VLAN at a time. However, the VLAN association can be changed.
• groupid — The protocol-based VLAN group ID, which is automatically generated when you create a protocol-based VLAN group with the vlan protocol group command.
Page 613
Command: Purpose
switchport forbidden vlan {add vlan-list | remove vlan-list}: (Optional) Forbids adding the specified VLANs to a port. To revert to allowing the addition of specific VLANs to the port, use the remove parameter of this command.
vlan-list — List of valid VLAN IDs to add to the forbidden list.
Configuring Voice VLANs
Beginning in Privileged EXEC mode, use the following commands to enable the Voice VLAN feature on the switch and on an interface.
Command: Purpose
configure: Enter global configuration mode.
voice vlan: Enable the voice vlan capability on the switch.
interface interface: Enter interface configuration mode for the specified...
VLAN Configuration Examples
This section contains the following examples:
• Configuring VLANs Using Dell OpenManage Administrator
• Configuring VLANs Using the CLI
• Configuring a Voice VLAN
A network administrator wants to create the VLANs in Table 21-6:
Table 21-6. Example VLANs...
Page 616
Figure 21-25. Network Topology for Port-Based VLAN Configuration (figure labels: LAN/WAN; Switch 1; Switch 2; VLAN 100 Engineering; VLAN 200 Marketing; VLAN 400 Payroll; Payroll Server; Shared File Server; Payroll Hosts; Marketing Hosts; Engineering Hosts)
The network in Figure 21-25 has the following characteristics:
•...
Page 617
Table 21-7 shows the port assignments on the switches.
Table 21-7. Switch Port Connections
Port/LAG: Function
Switch 1
Connects to Switch 2
2–15: Host ports for Payroll
16–20: Host ports for Marketing
LAG1 (ports 21–24): Connects to Payroll server
Switch 2
Connects to Switch 1
2–10: Host ports for Marketing...
Configuring VLANs Using Dell OpenManage Administrator
This example shows how to perform the configuration by using the Web-based interface.
Configure the VLANs and Ports on Switch 1
Use the following steps to configure the VLANs and ports on Switch 1. None of the hosts that connect to Switch 1 use the Engineering VLAN (VLAN 100), so it is not necessary to create it on that switch.
Page 619
In the Static row, click the space for ports 16–20 so the U (untagged) displays for each port.
Figure 21-27. VLAN Membership - VLAN 200
3 Click Apply.
4 Assign ports 2–15 and LAG1 to the Payroll VLAN.
From the Switching → VLAN → VLAN Membership page, select 400-Payroll from the Show VLAN field.
Page 620
From the Switching → VLAN → LAG Settings page, make sure Po1 is selected.
Configure the following settings:
• Port VLAN Mode — General
• PVID — 400
• Frame Type — AdmitAll
Click Apply.
Figure 21-28. LAG Settings
6 Configure port 1 as a trunk port.
From the Switching →...
Page 621
Figure 21-29. Trunk Port Configuration
7 From the Switching → VLAN → VLAN Membership page, verify that port 1 is marked as a tagged member (T) for each VLAN. Figure 21-30 shows VLAN 200, in which port 1 is a tagged member, and ports 16–20 are untagged members.
Figure 21-31. Trunk Port Configuration
Repeat steps b–d to add additional MAC address-to-VLAN information for the Sales department.
9 To save the configuration so that it persists across a system reset, use the following steps:
Go to the System → File Management → Copy Files page.
Select Copy Configuration and ensure that Running Config is the source and Startup Config is the destination.
From the Switching → VLAN → LAG Settings page, make sure Po1 is selected.
From the Port VLAN Mode field, select General.
Click Apply.
3. Configure port 1 as a trunk port.
4. Configure LAG2 as a trunk port.
5. Assign ports 1–10 to VLAN 200 as untagged (U) members.
6.
Page 624
console(config)#vlan 400
console(config-vlan400)#name Payroll
console(config-vlan400)#exit
2. Assign ports 16–20 to the Marketing VLAN.
console(config)#interface range gigabitEthernet 1/0/16-20
console(config-if)#switchport mode access
console(config-if)#switchport access vlan 200
console(config-if)#exit
3. Assign ports 2–15 to the Payroll VLAN
console(config)#interface range gigabitEthernet 1/0/2-15
console(config-if)#switchport mode access
console(config-if)#switchport access vlan 400
console(config-if)#exit
4.
Page 625
6. Configure the MAC-based VLAN information.
The following commands show how to associate a system with a MAC address of 00:1C:23:55:E9:8B with VLAN 300. Repeat the vlan association mac command to associate additional MAC addresses with VLAN 300.
console(config)#vlan database
console(config-vlan)#vlan association mac 00:1C:23:55:E9:8B 300
console(config-vlan)#exit...
Page 626
Port Gi1/0/1 is member in:
VLAN Name              Egress rule Type
---- ----------------- ----------- --------
     Marketing         Tagged      Static
     Sales             Tagged      Static
     Payroll           Tagged      Static
Configure the VLANs and Ports on Switch 2
Use the following steps to configure the VLANs and ports on Switch 2. Many of the procedures in this section are the same as procedures used to configure Switch 1.
Configuring a Voice VLAN
The commands in this example create a VLAN for voice traffic with a VLAN ID of 25. Port 10 is set to an 802.1Q VLAN. In this example, there are multiple devices connected to port 10, so the port must be in general mode in order to enable MAC-based 802.1X authentication.
Page 628
console(config-if-Gi1/0/10)#voice vlan 25
6 Disable authentication for the voice VLAN on the port. This step is required only if the voice phone does not support port-based authentication.
console(config-if-Gi1/0/10)#voice vlan auth disable
7 Exit to Privileged Exec mode.
console(config-if-Gi1/0/10)#<CTRL+Z>
8 View the voice VLAN settings for port 10.
console#show voice vlan interface gi1/0/10
Interface......
Configuring the Spanning Tree Protocol
This chapter describes how to configure the Spanning Tree Protocol (STP) settings on the switch. The topics covered in this chapter include:
• STP Overview
• Default STP Values
• Configuring Spanning Tree (Web)
• Configuring Spanning Tree (CLI)
•...
recognize full-duplex connectivity and ports which are connected to end stations, resulting in rapid transitioning of the port to the Forwarding state and the suppression of Topology Change Notifications. MSTP is compatible with both RSTP and STP. It behaves appropriately to STP and RSTP bridges.
How Does MSTP Operate in the Network?
In the following diagram of a small 802.1d bridged network, STP is necessary to create an environment with full connectivity and without loops.
Figure 22-1. Small Bridged Network (figure labels: Switch A; Port 1; Port 2; VLAN 10; VLAN 20; Port 1...)
Page 632
Figure 22-2 shows the logical single STP network topology.
Figure 22-2. Single STP Topology (figure labels: Switch A; Port 1; Port 2; VLAN 10; VLAN 20; Port 1; Port 1; Switch B; Switch C; VLAN 10; VLAN 20; VLAN 20)
For VLAN 10 this single STP topology is fine and presents no limitations or inefficiencies.
The logical representation of the MSTP environment for these three switches is shown in Figure 22-3. Figure 22-3. Logical MSTP Environment MSTI 1 Regional Root & CIST Regional Root Switch A MSTI 1 Port 1 Port 2 VLAN 10 Port 1 Port 1 Switch B Switch C...
In order for MSTP to correctly establish the different MSTIs as above, some additional changes are required. For example, the configuration would have to be the same on each and every bridge. That means that Switch B would have to add VLAN 10 to its list of supported VLANs (shown in Figure 22-3 with a *).
What are the Optional STP Features? The PowerConnect 7000 Series switches support the following optional STP features: • BPDU flooding • PortFast • BPDU filtering • Root guard • Loop guard • BPDU protection BPDU Flooding The BPDU flooding feature determines the behavior of the switch when it receives a BPDU on a port that is disabled for spanning tree.
Root Guard Enabling root guard on a port ensures that the port does not become a root port or a blocked port. When a switch is elected as the root bridge, all ports are designated ports unless two or more ports of the root bridge are connected together.
BPDU Protection When the switch is used as an access layer device, most ports function as edge ports that connect to a device such as a desktop computer or file server. The port has a single, direct connection and is configured as an edge port to implement the fast transition to a forwarding state.
Default STP Values
Spanning tree is globally enabled on the switch and on all ports and LAGs. Table 22-1 summarizes the default values for STP.
Table 22-1. STP Defaults
Parameter            Default Value
Enable state         Enabled (globally and on all ports)
Spanning-tree mode   RSTP (Classic STP and MSTP are disabled)
Switch priority...
Configuring Spanning Tree (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring STP settings on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. STP Global Settings The STP Global Settings page contains fields for enabling STP on the switch.
STP Port Settings Use the STP Port Settings page to assign STP properties to individual ports. To display the STP Port Settings page, click Switching → Spanning Tree → STP Port Settings in the navigation panel. Figure 22-5. STP Port Settings
Configuring STP Settings for Multiple Ports To configure STP settings for multiple ports: 1 Open the STP Port Settings page. 2 Click Show All to display the STP Port Table. Figure 22-6. Configure STP Port Settings 3 For each port to configure, select the check box in the Edit column in the row associated with the port.
STP LAG Settings Use the STP LAG Settings page to assign STP parameters to aggregating ports. To display the STP LAG Settings page, click Switching → Spanning Tree → STP LAG Settings in the navigation panel. Figure 22-7. STP LAG Settings Configuring STP Settings for Multiple LAGs To configure STP settings on multiple LAGs: 1 Open the STP LAG Settings page.
Figure 22-8. Configure STP LAG Settings 3 For each LAG to configure, select the check box in the Edit column in the row associated with the LAG. 4 Select the desired settings. 5 Click Apply. Rapid Spanning Tree Rapid Spanning Tree Protocol (RSTP) detects and uses network topologies that allow a faster convergence of the spanning tree without creating forwarding loops.
To view RSTP Settings for all interfaces, click the Show All link. The Rapid Spanning Tree Table displays. Figure 22-10. RSTP LAG Settings
MSTP Settings The Multiple Spanning Tree Protocol (MSTP) supports multiple instances of Spanning Tree to efficiently channel VLAN traffic over different interfaces. MSTP is compatible with both RSTP and STP; an MSTP bridge can be configured to behave entirely as an RSTP bridge or an STP bridge. To display the MSTP Settings page, click Switching →...
Viewing and Modifying the Instance ID for Multiple VLANs To configure MSTP settings for multiple VLANs: 1 Open the MSTP Settings page. 2 Click Show All to display the MSTP Settings Table. Figure 22-12. Configure MSTP Settings 3 For each Instance ID to modify, select the check box in the Edit column in the row associated with the VLAN.
MSTP Interface Settings Use the MSTP Interface Settings page to assign MSTP settings to specific interfaces. To display the MSTP Interface Settings page, click Switching → Spanning Tree → MSTP Interface Settings in the navigation panel. Figure 22-13. MSTP Interface Settings Configuring MSTP Settings for Multiple Interfaces To configure MSTP settings for multiple interfaces: 1 Open the MSTP Interface Settings page.
Figure 22-14. Configure MSTP Interface Settings 3 For each interface to configure, select the check box in the Edit column in the row associated with the interface. 4 Update the desired settings. 5 Click Apply.
Configuring Spanning Tree (CLI) This section provides information about the commands you use to configure STP settings on the switch. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide. Configuring Global STP Bridge Settings Beginning in Privileged EXEC mode, use the following commands to configure the global STP settings for the switch, such as the priority and timers.
Configuring Optional STP Features
Beginning in Privileged EXEC mode, use the following commands to configure the optional STP features on the switch or on specific interfaces.
Command                        Purpose
configure                      Enter global configuration mode.
spanning-tree bpdu flooding    Allow the flooding of BPDUs received on non-spanning-tree ports to all other non-spanning-tree ports.
Configuring STP Interface Settings
Beginning in Privileged EXEC mode, use the following commands to configure the STP settings for a specific interface.
Command                Purpose
configure              Enter global configuration mode.
interface interface    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3 or port-channel 4.
Configuring MSTP Switch Settings
Beginning in Privileged EXEC mode, use the following commands to configure MSTP settings for the switch.
Command                            Purpose
configure                          Enter global configuration mode.
spanning-tree mst configuration    Enable configuring an MST region by entering the multiple spanning-tree (MST) mode.
name string                        Define the MST configuration name...
Configuring MSTP Interface Settings
Beginning in Privileged EXEC mode, use the following commands to configure MSTP settings for the switch.
Command                Purpose
configure              Enter global configuration mode.
interface interface    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3 or port-channel 4.
STP Configuration Examples This section contains the following examples: • Configuring STP • Configuring MSTP Configuring STP This example shows a LAN with four switches. On each switch, ports 1, 2, and 3 connect to other switches, and ports 4–20 connect to hosts (in Figure 22-15, each PC represents 17 host systems).
Of the four switches in Figure 22-15, the administrator decides that Switch A is the most centrally located in the network and is the least likely to be moved or redeployed. For these reasons, the administrator selects it as the root bridge for the spanning tree.
Configuring MSTP This example shows how to configure IEEE 802.1s Multiple Spanning Tree (MST) protocol on the switches shown in Figure 22-16. Figure 22-16. MSTP Configuration Example Switch A Port 1 Port 2 VLAN 10 VLAN 20 Port 1 Port 1 Switch B Switch C Port 2...
5 Change the region name so that all the bridges that want to be part of the same region can form the region.
console(config-mst)#name dell
console(config-mst)#exit
6 (Switch A only) Configure Switch A to be the root bridge of the spanning tree (CIST Regional Root) by configuring a higher root bridge priority.
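The requirement that every bridge carry the same MST configuration before the region can form can be checked offline. The following Python sketch is an added example, not code from the Dell guide: it goes beyond the text by computing the IEEE 802.1Q MST configuration digest (HMAC-MD5 over the VLAN-to-instance table with the standard's fixed key) and grouping switches by region. The switch data, the revision level 0 and the VLAN-to-instance assignments are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Fixed, public signature key defined by IEEE 802.1Q for the MST
# configuration digest. It is not a secret: the digest only detects
# mismatched VLAN-to-instance tables, it does not authenticate BPDUs.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vlan_to_msti):
    """Return the hex HMAC-MD5 digest of a VLAN-to-MST-instance mapping.

    The table has 4096 two-byte big-endian entries indexed by VLAN ID.
    Entries 0 and 4095 are always 0; unmapped VLANs belong to the CIST (0).
    """
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID out of range: {vid}")
        if not 0 <= msti <= 4094:
            raise ValueError(f"MST instance ID out of range: {msti}")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest()


def region_identifier(cfg):
    """Bridges share a region only if name, revision and digest all match."""
    return (cfg["name"], cfg["revision"], mst_config_digest(cfg["vlan_to_msti"]))


def group_by_region(switches):
    """Map each distinct region identifier to the switches that advertise it."""
    regions = defaultdict(list)
    for switch, cfg in switches.items():
        regions[region_identifier(cfg)].append(switch)
    return dict(regions)


def explain_mismatch(reference, other):
    """List the settings that keep `other` out of `reference`'s region."""
    reasons = []
    if reference["name"] != other["name"]:
        # The configuration name is compared byte for byte (case-sensitive).
        reasons.append(f"region name: {reference['name']!r} vs {other['name']!r}")
    if reference["revision"] != other["revision"]:
        reasons.append(f"revision: {reference['revision']} vs {other['revision']}")
    ref_map, oth_map = reference["vlan_to_msti"], other["vlan_to_msti"]
    for vid in sorted(set(ref_map) | set(oth_map)):
        a, b = ref_map.get(vid, 0), oth_map.get(vid, 0)
        if a != b:
            reasons.append(f"VLAN {vid}: instance {a} vs {b}")
    return reasons


# Constructed sample data (assumption): three switches that are meant to
# share the region "dell". Switch B has not mapped VLAN 10, and Switch C
# has a capitalised region name.
SWITCHES = {
    "Switch A": {"name": "dell", "revision": 0, "vlan_to_msti": {10: 1, 20: 2}},
    "Switch B": {"name": "dell", "revision": 0, "vlan_to_msti": {20: 2}},
    "Switch C": {"name": "Dell", "revision": 0, "vlan_to_msti": {10: 1, 20: 2}},
}

if __name__ == "__main__":
    for (name, revision, digest), members in group_by_region(SWITCHES).items():
        print(f"region name={name!r} rev={revision} digest={digest}: {members}")
    for switch in ("Switch B", "Switch C"):
        print(switch, explain_mismatch(SWITCHES["Switch A"], SWITCHES[switch]))
```

Each group in the output is a separate MST region; switches outside the intended group interact with it only through the CIST, so per-instance load sharing across those links is lost until the listed settings match.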
Discovering Network Devices This chapter describes the Industry Standard Discovery Protocol (ISDP) feature and the Link Layer Discovery Protocol (LLDP) feature, including LLDP for Media Endpoint Devices (LLDP-MED). The topics covered in this chapter include: • Device Discovery Overview • Default ISDP and LLDP Values •...
LLDP is a one-way protocol; there are no request/response sequences. Information is advertised by stations implementing the transmit function, and is received and processed by stations implementing the receive function. The transmit and receive functions can be enabled/disabled separately on each switch port.
Default ISDP and LLDP Values ISDP and LLDP are globally enabled on the switch and enabled on all ports by default. By default, the switch transmits and receives LLDP information on all ports. LLDP-MED is disabled on all ports. Table 23-1 summarizes the default values for ISDP. Table 23-1.
Table 23-3 summarizes the default values for LLDP-MED.
Table 23-3. LLDP-MED Defaults
Parameter                   Default Value
LLDP-MED Mode               Disabled on all ports
Config Notification Mode    Disabled on all ports
Transmit TLVs               MED Capabilities, Network Policy
Configuring ISDP and LLDP (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring ISDP and LLDP/LLDP-MED on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. ISDP Global Configuration From the ISDP Global Configuration page, you can configure the ISDP settings for the switch, such as the administrative mode.
ISDP Cache Table From the ISDP Cache Table page, you can view information about other devices the switch has discovered through ISDP. To access the ISDP Cache Table page, click System → ISDP → Cache Table in the navigation panel. Figure 23-2.
ISDP Interface Configuration From the ISDP Interface Configuration page, you can configure the ISDP settings for each interface. If ISDP is enabled on an interface, it must also be enabled globally in order for the interface to transmit ISDP packets. If the ISDP mode on the ISDP Global Configuration page is disabled, the interface will not transmit ISDP packets, regardless of the mode configured on the interface.
To view the ISDP mode for multiple interfaces, click Show All. Figure 23-4. ISDP Interface Summary
ISDP Statistics From the ISDP Statistics page, you can view information about the ISDP packets sent and received by the switch. To access the ISDP Statistics page, click System → ISDP → Statistics in the navigation panel. Figure 23-5. ISDP Statistics
LLDP Configuration Use the LLDP Configuration page to specify LLDP parameters. Parameters that affect the entire system as well as those for a specific interface can be specified here. To display the LLDP Configuration page, click Switching → LLDP → Configuration in the navigation panel.
To view the LLDP Interface Settings Table, click Show All. From the LLDP Interface Settings Table page, you can view and edit information about the LLDP settings for multiple interfaces. Figure 23-7. LLDP Interface Settings Table
LLDP Statistics Use the LLDP Statistics page to view LLDP-related statistics. To display the LLDP Statistics page, click Switching → LLDP → Statistics in the navigation panel. Figure 23-8. LLDP Statistics
LLDP Connections Use the LLDP Connections page to view the list of ports with LLDP enabled. Basic connection details are displayed. To display the LLDP Connections page, click Switching → LLDP → Connections in the navigation panel. Figure 23-9. LLDP Connections
To view additional information about a device connected to a port that has been discovered through LLDP, click the port number in the Local Interface table (it is a hyperlink), or click Details and select the port with the connected device. Figure 23-10.
LLDP-MED Global Configuration Use the LLDP-MED Global Configuration page to change or view the LLDP-MED parameters that affect the entire system. To display the LLDP-MED Global Configuration page, click Switching → LLDP → LLDP-MED → Global Configuration in the navigation panel. Figure 23-11.
LLDP-MED Interface Configuration Use the LLDP-MED Interface Configuration page to specify LLDP-MED parameters that affect a specific interface. To display the LLDP-MED Interface Configuration page, click Switching → LLDP → LLDP-MED → Interface Configuration in the navigation panel. Figure 23-12. LLDP-MED Interface Configuration
To view the LLDP-MED Interface Summary table, click Show All. Figure 23-13. LLDP-MED Interface Summary
LLDP-MED Local Device Information Use the LLDP-MED Local Device Information page to view the advertised LLDP local data for each port. To display the LLDP-MED Local Device Information page, click Switching → LLDP → LLDP-MED → Local Device Information in the navigation panel. Figure 23-14.
LLDP-MED Remote Device Information Use the LLDP-MED Remote Device Information page to view the LLDP data advertised by remote devices. To display the LLDP-MED Remote Device Information page, click Switching → LLDP → LLDP-MED → Remote Device Information in the navigation panel. Figure 23-15.
Configuring ISDP and LLDP (CLI) This section provides information about the commands you use to manage and view the device discovery protocol features on the switch. For more information about these commands, see the PowerConnect 7000 Series CLI Reference Guide. Configuring Global ISDP Settings Beginning in Privileged EXEC mode, use the following commands to configure ISDP settings that affect the entire switch.
Enabling ISDP on a Port
Beginning in Privileged EXEC mode, use the following commands to enable ISDP on a port.
Command                Purpose
configure              Enter Global Configuration mode.
interface interface    Enter interface configuration mode for the specified interface.
isdp enable            Administratively enable ISDP on the switch.
exit                   Exit to Global Config mode.
Configuring Global LLDP Settings
Beginning in Privileged EXEC mode, use the following commands to configure LLDP settings that affect the entire switch.
Command                                Purpose
configure                              Enter Global Configuration mode.
lldp notification-interval interval    Specify how often, in seconds, the switch should send remote data change notifications.
Command                                                     Purpose
lldp notification                                           Enable remote data change notifications on the interface.
lldp transmit-tlv [sys-desc][sys-name][sys-cap][port-desc]  Specify which optional type-length-value settings (TLVs) in the 802.1AB basic management set will be transmitted in the LLDP PDUs.
                                                            • sys-name — Transmits the system name TLV
                                                            •...
Configuring LLDP-MED Settings
Beginning in Privileged EXEC mode, use the following commands to configure LLDP-MED settings that affect the entire switch.
Command                         Purpose
configure                       Enter Global Configuration mode.
lldp med faststartrepeatcount   Specifies the number of LLDP PDUs that will be transmitted when the protocol is enabled.
Viewing LLDP-MED Information
Beginning in Privileged EXEC mode, use the following commands to view information about the LLDP-MED Protocol Data Units (PDUs) that are sent and have been received.
Command                                        Purpose
show lldp med local-device detail interface    View LLDP information advertised by the specified port.
show lldp remote-device...
console(config-if-Gi1/0/3)# <CTRL + Z>
console#show isdp
Timer........45
Hold Time........60
Version 2 Advertisements....Enabled
Neighbors table time since last change...00 days 00:00:00
Device ID........none
Device ID format capability..Serial Number, Host Name
Device ID format....Serial Number
console#show isdp interface gi1/0/3
Interface Mode
--------------- ----------...
4 Specify the TLV information to be included in the LLDP PDUs transmitted from port 1/0/3.
console(config-if-Gi1/0/3)#lldp transmit-tlv sys-name sys-desc sys-cap port-desc
5 Set the port description to be transmitted in LLDP PDUs.
console(config-if-Gi1/0/3)#description "Test Lab Port"
6 Exit to Privileged EXEC mode.
console(config-if-Gi1/0/3)# <CTRL + Z>...
Chassis ID Subtype: MAC Address
Chassis ID: 00:1E:C9:AA:AA:07
Port ID Subtype: Interface Name
Port ID: gi 1/0/3
System Name: console
System Description: PowerConnect 7048, 3.16.22.30, VxWorks 6.5
Port Description: Test Lab Port
System Capabilities Supported: bridge, router
System Capabilities Enabled: bridge
Management Address:
Type: IPv4
Address: 192.168.2.1...
Configuring Port-Based Traffic Control This chapter describes how to configure features that provide traffic control through filtering the type of traffic or limiting the speed or amount of traffic on a per-port basis. The features this section describes include flow control, storm control, protected ports, and Link Local Protocol Filtering (LLPF), which is also known as Cisco Protocol Filtering.
What is Flow Control? IEEE 802.3x flow control allows nodes that transmit at slower speeds to communicate with higher speed switches by requesting that the higher speed switch refrains from sending packets. Transmissions are temporarily halted to prevent buffer overflows. Enabling the flow control feature allows PowerConnect 7000 Series switches to receive pause frames from connected devices.
What are Protected Ports? The switch supports up to three separate groups of protected ports. Traffic can flow between protected ports belonging to different groups, but not within the same group. A port can belong to only one protected port group. You must remove an interface from one group before adding it to another group.
If Industry Standard Discovery Protocol (ISDP) is enabled on an interface, and the LLPF feature on an interface is enabled and configured to drop ISDP PDUs, the ISDP configuration overrides the LLPF configuration, and the ISDP PDUs are allowed on the interface. Default Port-Based Traffic Control Values Table 24-2 lists the default values for the port-based traffic control features that this chapter describes.
Configuring Port-Based Traffic Control (Web) This section provides information about the OpenManage Switch Administrator pages to use to control port-based traffic on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. Flow Control (Global Port Parameters) Use the Global Parameters page for ports to enable or disable flow control support on the switch.
Storm Control Use the Storm Control page to enable and configure the storm control feature. To display the Storm Control interface, click Switching → Ports → Storm Control in the navigation menu. Figure 24-2. Storm Control Configuring Storm Control Settings on Multiple Ports To configure storm control on multiple ports: 1 Open the Storm Control page.
Protected Port Configuration Use the Protected Port Configuration page to prevent ports in the same protected ports group from being able to see each other’s traffic. To display the Protected Port Configuration page, click Switching → Ports → Protected Port Configuration in the navigation menu. Figure 24-4.
Figure 24-5. Add Protected Ports Group 5 Click Apply. 6 Click Protected Port Configuration to return to the main page. 7 Select the port to add to the group. 8 Select the protected port group ID. Figure 24-6. Add Protected Ports 9 Click Apply.
Figure 24-7. View Protected Port Information 11 To remove a port from a protected port group, select the Remove check box associated with the port and click Apply. LLPF Configuration Use the LLPF Interface Configuration page to filter out various proprietary protocol data units (PDUs) and/or ISDP if problems occur with these protocols running on standards-based switches.
Figure 24-8. LLPF Interface Configuration To view the protocol types that have been blocked for an interface, click Show All. Figure 24-9. LLPF Filtering Summary
Configuring Port-Based Traffic Control (CLI) This section provides information about the commands you use to configure port-based traffic control settings. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide. Configuring Flow Control and Storm Control Beginning in Privileged EXEC mode, use the following commands to configure the flow control and storm control features.
Command                                 Purpose
show interfaces detail interface        Display detailed information about the specified interface, including the flow control status.
show storm-control                      View whether 802.3x flow control is enabled on the switch.
show storm-control [interface | all]    View storm control settings for all interfaces or the specified interface.
Configuring LLPF
Beginning in Privileged EXEC mode, use the following commands to configure LLPF settings.
Command                Purpose
configure              Enter global configuration mode.
interface interface    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3. You can also specify a range of interfaces with the interface range command, for example, interface range gigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11,...
Port-Based Traffic Control Configuration Examples The commands in this example configure storm control, LLPF, and protected port settings for various interfaces on the switch. The storm control configuration in this example sets thresholds on the switch so that if broadcast traffic occupies more than 10% of the bandwidth on any physical port, the interface blocks the broadcast traffic until the measured amount of this traffic drops below the threshold.
Configuring L2 Multicast Features This chapter describes the layer 2 multicast features on the PowerConnect 7000 Series switches. The features this chapter describes include bridge multicast filtering, Internet Group Management Protocol (IGMP) snooping, Multicast Listener Discovery (MLD) snooping, and Multicast VLAN Registration (MVR).
discarded, depending on the switch configuration. If a match is found, then the packet is forwarded only to the ports that are members of that multicast group. You can create multicast bridging groups and specify the ports and LAGs that are members of each group.
What Is IGMP Snooping? IGMP Snooping is a layer 2 feature that allows the switch to dynamically add or remove ports from IP multicast groups by listening to IGMP join and leave requests. By "snooping" the IGMP packets transmitted between hosts and routers, the IGMP Snooping feature enables the switch to forward IP multicast traffic more intelligently and help conserve bandwidth.
MLD is a protocol used by IPv6 multicast routers to discover the presence of multicast listeners (nodes wishing to receive IPv6 multicast packets) on its directly-attached links and to discover which multicast packets are of interest to neighboring nodes. MLD is derived from IGMP; MLD version 1 (MLDv1) is equivalent to IGMPv2, and MLD version 2 (MLDv2) is equivalent to IGMPv3.
• In compatible mode, MVR does not learn multicast groups; the administrator must configure them, and the protocol does not forward joins from the hosts to the router. To work in this mode, the IGMP router must be configured to transmit the required multicast streams to the network with the MVR switch.
What Are GARP and GMRP? Generic Attribute Registration Protocol (GARP) is a general-purpose protocol that registers any network connectivity or membership-style information. GARP defines a set of switches interested in a given network attribute, such as VLAN ID or multicast address. PowerConnect 7000 Series switches can use GARP functionality for two applications: •...
Configuring L2 Multicast Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring L2 multicast features on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. Multicast Global Parameters Use the Multicast Global Parameters page to enable or disable bridge multicast filtering, IGMP Snooping, or MLD Snooping on the switch.
Bridge Multicast Group Use the Bridge Multicast Group page to create new multicast service groups or to modify ports and LAGs assigned to existing multicast service groups. Attached interfaces display in the Port and LAG tables and reflect the manner in which each is joined to the Multicast group.
• Unit and Ports — Displays and assigns multicast group membership to ports. To assign membership, click in Static for a specific port. Each click toggles between S, F, and blank. See Table 25-2 for definitions.
• LAGs — Displays and assigns multicast group membership to LAGs. To...
Figure 25-3. Add Bridge Multicast Group 2 Select the ID of the VLAN to add to the multicast group or to modify membership for an existing group. 3 For a new group, specify the multicast group IP or MAC address associated with the selected VLAN.
Removing a Bridge Multicast Group To delete a bridge multicast group: 1 Open the Bridge Multicast Group page. 2 Select the VLAN ID associated with the bridge multicast group to be removed from the drop-down menu. The Bridge Multicast Address and the assigned ports/LAGs display. 3 Check the Remove check box.
MRouter Status Use the MRouter Status page to display the status of dynamically learned multicast router interfaces. To access this page, click Switching → Multicast Support → MRouter Status in the navigation panel. Figure 25-5. MRouter Status
General IGMP Snooping Use the General IGMP snooping page to configure IGMP snooping settings on specific ports and LAGs. To display the General IGMP snooping page, click Switching → Multicast Support → IGMP Snooping → General in the navigation menu. Figure 25-6.
Figure 25-7. Edit IGMP Snooping Settings 3 Edit the IGMP Snooping fields as needed. 4 Click Apply. The IGMP Snooping settings are modified, and the device is updated. Copying IGMP Snooping Settings to Multiple Ports, LAGs, or VLANs To copy IGMP snooping settings: 1 From the General IGMP snooping page, click Show All.
4 Select the Copy To checkbox for the Unit/Ports, LAGs, or VLANs that these parameters will be copied to. In Figure 25-8, the settings for port 3 will be copied to ports 4 and 5 and LAGs 1 and 2. Figure 25-8.
Global Querier Configuration Use the Global Querier Configuration page to configure IGMP snooping querier settings, such as the IP address to use as the source in periodic IGMP queries when no source address has been configured on the VLAN. To display the Global Querier Configuration page, click Switching → Multicast Support →...
VLAN Querier Use the VLAN Querier page to specify the IGMP Snooping Querier settings for individual VLANs. To display the VLAN Querier page, click Switching → Multicast Support → IGMP Snooping → VLAN Querier in the navigation menu. Figure 25-10. VLAN Querier Adding a New VLAN and Configuring its VLAN Querier Settings To configure a VLAN querier: 1 From the VLAN Querier page, click Add.
Figure 25-11. Add VLAN Querier 2 Enter the VLAN ID and, if desired, an optional VLAN name. 3 Return to the VLAN Querier page and select the new VLAN from the VLAN ID menu. 4 Specify the VLAN querier settings. 5 Click Apply.
To view a summary of the IGMP snooping VLAN querier settings for all VLANs on the switch, click Show All. Figure 25-12. Add VLAN Querier
VLAN Querier Status Use the VLAN Querier Status page to view the IGMP Snooping Querier settings for individual VLANs. To display the VLAN Querier Status page, click Switching → Multicast Support → IGMP Snooping → VLAN Querier Status in the navigation menu.
MFDB IGMP Snooping Table Use the MFDB IGMP Snooping Table page to view the multicast forwarding database (MFDB) IGMP Snooping Table and Forbidden Ports settings for individual VLANs. To display the MFDB IGMP Snooping Table page, click Switching → Multicast Support → IGMP Snooping → MFDB IGMP Snooping Table in the navigation menu.
MLD Snooping General Use the MLD Snooping General page to add MLD members. To access this page, click Switching → Multicast Support → MLD Snooping → General in the navigation panel. Figure 25-15. MLD Snooping General Modifying MLD Snooping Settings for Multiple Ports, LAGs, or VLANs To configure MLD snooping: 1 From the General MLD snooping page, click Show All.
Figure 25-16. MLD Snooping Table 2 Select the Edit checkbox for each Port, LAG, or VLAN to modify. 3 Edit the MLD Snooping fields as needed. 4 Click Apply. The MLD Snooping settings are modified, and the device is updated. Copying MLD Snooping Settings to Multiple Ports, LAGs, or VLANs To copy MLD snooping settings:
1 From the General MLD snooping page, click Show All. The MLD Snooping Table displays. 2 Select the Copy Parameters From checkbox. 3 Select a Unit/Port, LAG, or VLAN to use as the source of the desired parameters. 4 Select the Copy To checkbox for the Unit/Ports, LAGs, or VLANs that these parameters will be copied to.
MLD Snooping VLAN Querier Use the MLD Snooping VLAN Querier page to specify the MLD Snooping Querier settings for individual VLANs. To display the MLD Snooping VLAN Querier page, click Switching → Multicast Support → MLD Snooping → VLAN Querier in the navigation menu.
Figure 25-19. Add MLD Snooping VLAN Querier 2 Enter the VLAN ID and, if desired, an optional VLAN name. 3 Return to the VLAN Querier page and select the new VLAN from the VLAN ID menu. 4 Specify the VLAN querier settings. 5 Click Apply.
MLD Snooping VLAN Querier Status Use the VLAN Querier Status page to view the MLD Snooping Querier settings for individual VLANs. To display the VLAN Querier Status page, click Switching → Multicast Support → MLD Snooping → VLAN Querier Status in the navigation menu.
MFDB MLD Snooping Table Use the MFDB MLD Snooping Table page to view the MFDB MLD Snooping Table settings for individual VLANs. To display the MFDB MLD Snooping Table page, click Switching → Multicast Support → MLD Snooping → MFDB MLD Snooping Table in the navigation menu.
MVR Global Configuration Use the MVR Global Configuration page to enable the MVR feature and configure global parameters. To display the MVR Global Configuration page, click Switching → MVR Configuration → Global Configuration in the navigation panel. Figure 25-23. MVR Global Configuration
MVR Members Use the MVR Members page to view and configure MVR group members. To display the MVR Members page, click Switching → MVR Configuration → MVR Members in the navigation panel. Figure 25-24. MVR Members Adding an MVR Membership Group To add an MVR membership group: 1 From the MVR Membership page, click Add.
Figure 25-25. MVR Member Group 2 Specify the MVR group IP multicast address. 3 Click Apply. MVR Interface Configuration Use the MVR Interface Configuration page to enable MVR on a port, configure its MVR settings, and add the port to an MVR group. To display the MVR Interface Configuration page, click Switching →...
Figure 25-26. MVR Interface Configuration To view a summary of the MVR interface configuration, click Show All. Figure 25-27. MVR Interface Summary Adding an Interface to an MVR Group To add an interface to an MVR group: 1 From the MVR Interface page, click Add.
Figure 25-28. MVR - Add to Group 2 Select the interface to add to the MVR group. 3 Specify the MVR group IP multicast address. 4 Click Apply. Removing an Interface from an MVR Group To remove an interface from an MVR group: 1 From the MVR Interface page, click Remove.
MVR Statistics Use the MVR Statistics page to view MVR statistics on the switch. To display the MVR Statistics page, click Switching → MVR Configuration → MVR Statistics in the navigation panel. Figure 25-30. MVR Statistics
GARP Timers The Timers page contains fields for setting the GARP timers used by GVRP and GMRP on the switch. To display the Timers page, click Switching → GARP → Timers in the navigation panel. Figure 25-31. GARP Timers Configuring GARP Timer Settings for Multiple Ports To configure GARP timers on multiple ports: 1 Open the Timers page.
Figure 25-32. Configure STP Port Settings 3 For each port or LAG to configure, select the check box in the Edit column in the row associated with the port. 4 Specify the desired timer values. 5 Click Apply.
Copying GARP Timer Settings From One Port to Others To copy GARP timer settings: 1 Select the Copy Parameters From check box, and select the port or LAG with the settings to apply to other ports or LAGs. 2 In the Ports or LAGs list, select the check box(es) in the Copy To column that will have the same settings as the port selected in the Copy Parameters From field.
Figure 25-34. GMRP Port Configuration Table 3 For each port or LAG to configure, select the check box in the Edit column in the row associated with the port. 4 Specify the desired timer values. 5 Click Apply.
Copying Settings From One Port or LAG to Others To copy GMRP settings: 1 Select the Copy Parameters From check box, and select the port or LAG with the settings to apply to other ports or LAGs. 2 In the Ports or LAGs list, select the check box(es) in the Copy To column that will have the same settings as the port selected in the Copy Parameters From field.
Configuring L2 Multicast Features (CLI) This section provides information about the commands you use to configure L2 multicast settings on the switch. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide. Configuring Bridge Multicasting Beginning in Privileged EXEC mode, use the following commands to configure MAC address table features.
Command: mac address-table multicast forbidden address vlan vlan-id mac-multicast-address ip-multicast-address {add | remove}
Purpose: Forbid adding a specific Multicast address to specific ports.
• mac-multicast-address — MAC multicast address in the format xxxx.xxxx.xxxx.
• ip-multicast-address — IP multicast address.
•...
Configuring IGMP Snooping
Beginning in Privileged EXEC mode, use the following commands to configure IGMP snooping settings on the switch, ports, and LAGs.
Command: configure
Purpose: Enter global configuration mode.
Command: ip igmp snooping
Purpose: Enable IGMP snooping on the switch.
Command: interface interface
Purpose: Enter interface configuration mode for the specified port...
Command: CTRL + Z
Purpose: Exit to Privileged EXEC mode.
Command: show ip igmp snooping
Purpose: View IGMP snooping settings configured on the switch.
Command: show ip igmp snooping interface interface
Purpose: View the IGMP snooping settings for a specific port or LAG.
Configuring IGMP Snooping on VLANs
Beginning in Privileged EXEC mode, use the following commands to configure IGMP snooping settings on VLANs.
Command: CTRL + Z
Purpose: Exit to Privileged EXEC mode.
Command: show ip igmp snooping vlan vlan-id
Purpose: View the IGMP snooping settings on the VLAN.
Configuring IGMP Snooping Querier
Beginning in Privileged EXEC mode, use the following commands to configure IGMP snooping querier settings on the switch and on VLANs.
Command: configure...
Command: ip igmp snooping querier election participate vlan-id
Purpose: Allow the IGMP snooping querier to participate in the querier election process when it discovers the presence of another querier in the VLAN. When this mode is enabled, if the snooping querier finds that the other querier source address is higher than the snooping querier address, it stops sending periodic queries.
Command: ipv6 mld snooping maxresponse seconds
Purpose: Specify the leave time-out value for an interface. If an MLD report for a multicast group is not received within the number of seconds specified by the leave-time-out period after an MLD leave was received from a specific interface, the current interface is deleted from the member list of that multicast group.
Command: ipv6 mld snooping maxresponse vlan-id seconds
Purpose: Specify the leave time-out value for the VLAN. If an MLD report for a multicast group is not received within the number of seconds configured with this command after an MLD leave was received from a specific interface, the current VLAN is deleted from the member list of that multicast group.
Command: ipv6 mld snooping querier election participate vlan-id
Purpose: Allow the MLD snooping querier to participate in the querier election process when it discovers the presence of another querier in the VLAN. When this mode is enabled, if the snooping querier finds that the other querier source address is higher than the snooping querier address, it stops sending periodic queries.
Command: mvr mode {compatible | dynamic}
Purpose: Specify the MVR mode of operation.
Command: mvr group mcast-address groups
Purpose: Add an MVR membership group.
• mcast-address —The group IP multicast address
• group —Specifies the number of contiguous groups
Command: interface interface
Purpose: Enter interface configuration mode for the specified port. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3.
Configuring GARP Timers and GMRP
Beginning in Privileged EXEC mode, use the following commands to configure the GARP timers and to control the administrative mode GMRP on the switch and per-interface.
Command: configure
Purpose: Enter global configuration mode.
Command: garp timer {join | leave | leaveall} timer_value
Purpose: Adjust the GARP application join, leave, and leaveall...
L2 Multicast Configuration Examples
This section contains the following examples:
• Configuring IGMP Snooping
• Configuring MVR
Configuring IGMP Snooping
This example configures IGMP snooping on the switch to limit multicast traffic and to allow L2 multicast forwarding on a single VLAN. The IP-multicast traffic in VLAN 100 needs to be Layer 2 switched only, so the IGMP snooping querier is enabled on the switch to perform the IGMP snooping functions on the VLAN, if necessary.
1 Enable IGMP snooping globally.
console(config)#ip igmp snooping
2 Enable the IGMP snooping querier on the switch. If there are no other IGMP snooping queriers, this switch will become the IGMP snooping querier for the local network. If an external querier is discovered, this switch will not be a querier.
console(config-if)#switchport access vlan 100
console(config-if)#exit
10 Configure port 24 as a trunk port that connects to the data center switch.
console(config)#interface gigabitethernet 1/0/24
console(config-if-Gi1/0/24)#ip igmp snooping
console(config-if-Gi1/0/24)#switchport mode trunk
console(config-if-Gi1/0/24)#exit
console(config)#exit
11 Verify the IGMP snooping configuration.
console#show ip igmp snooping
Admin Mode......Enable
IGMP Router-Alert check....Disabled
Multicast Control Frame Count..0...
console#show bridge multicast address-table
Vlan MAC Address       Type    Ports
---- ----------------- ------- ---------
     0100.5E01.0101    Dynamic Gi1/0/1
     0100.5E01.0102    Dynamic Gi1/0/2
Forbidden ports for multicast addresses:
Vlan MAC Address             Ports
---- ----------------------- ------------------
     0100.5E01.0101
     0100.5E01.0102
When the video server sends multicast data to group 225.1.1.1, Port 1 participates and receives multicast traffic, but Port 2 does not participate because it is a member of a different multicast group.
Figure 25-37. Switch with MVR
To configure the switch:
1 Create VLANs 10, 20, and 99.
console#configure
console(config)#vlan database
console(config-vlan)#vlan 10,20,99
console(config-vlan)#exit
2 Configure ports 1 and 2 as members of VLAN 10.
console(config-if-Gi1/0/24)#switchport trunk native vlan 99
console(config-if-Gi1/0/24)#exit
5 Enable MVR on the switch.
console(config)#mvr
6 Set VLAN 99 as the multicast VLAN.
console(config)#mvr vlan 99
7 Set the MVR mode to dynamic.
console(config)#mvr mode dynamic
8 Add the MVR multicast group.
console(config)#mvr group 224.1.1.1
9 Configure ports 1, 2, 8, and 9 as MVR receiver ports.
11 Verify the configuration.
console#show mvr
MVR Running....... TRUE
MVR multicast VLAN....99
MVR Max Multicast Groups..256
MVR Current multicast groups..1
MVR Global query response time..5 (tenths of sec)
MVR Mode......dynamic
When hosts connected to receiver ports send IGMP join messages, the receiver ports and source port are added to the MVR group and receive multicast data from the network.
Configuring Connectivity Fault Management This chapter describes how to configure the IEEE 802.1ag (also known as Dot1ag) protocol. Dot1ag (IEEE Standard for Local and Metropolitan Area Networks Virtual Bridged Local Area Networks Amendment 5: Connectivity Fault Management) enables the detection and isolation of connectivity faults at the service level for traffic that is bridged over a metropolitan Ethernet LAN.
How Does Dot1ag Work Across a Carrier Network? A typical metropolitan area network comprises operator, service provider, and customer networks. To suit this business model, CFM relies on a functional model of hierarchical maintenance domains (MDs). These domains are assigned a unique MD level. There is a maximum of 8 levels, which can be nested but cannot overlap.
never intersect. The operator transparently passes frames from the customer and provider, and the customer does not see the operator frames. Multiple levels within a domain (say, operator) are supported for flexibility. What Entities Make Up a Maintenance Domain? Dot1ag defines three primary entities that make up the maintenance domain: Maintenance End Points (MEPs), Maintenance Intermediate Points (MIPs), and Maintenance Associations (MAs).
Figure 26-2. Maintenance Endpoints and Intermediate Points Maintenance Associations An MA is a logical connection between one or more MEPs that enables monitoring a particular service instance. Each MA is associated with a unique SVLAN ID. An MA is identified by a maintenance association ID. All MEPs in the MA are assigned the maintenance identifier (MAID) for the association.
Figure 26-3. Provider View for Service Level OAM What is the Administrator’s Role? On the switch, the administrator configures the customer-level maintenance domains, associations, and endpoints used to participate in Dot1ag services with other switches connected through the provider network. The administrator can also use utilities to troubleshoot connectivity faults when reported via SNMP traps.
Troubleshooting Tasks In the event of a connectivity loss between MEPs, the administrator can perform path discovery, similar to traceroute, from one MEP to any MEP or MIP in a maintenance domain using Link Trace Messages (LTMs). The connectivity loss is narrowed down using path discovery and is verified using Loop-back Messages (LBMs), which are similar to ping operations in IP networks.
Configuring Dot1ag (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring Dot1ag features on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. Dot1ag Global Configuration Use the Global Configuration page to enable and disable the Dot1ag admin mode and to configure the time after which inactive RMEP messages are...
Figure 26-5. Dot1ag MD Configuration Dot1ag MA Configuration Use the MA Configuration page to associate a maintenance domain level with one or more VLAN ID, provide a name for each maintenance association (MA), and to set the interval between continuity check messages sent by MEPs for the MA.
To add an MA, click the Add link at the top of the page. Dot1ag MEP Configuration Use the MEP Configuration page to define switch ports as Maintenance End Points. MEPs are configured per domain and per VLAN. To display the page, click Switching → Dot1ag → MEP Configuration in the tree view.
To add a MEP, click the Add link at the top of the page. A VLAN must be associated with the selected domain before you configure a MEP to be used within an MA (see the MA Configuration page). Dot1ag MIP Configuration Use the MIP Configuration page to define a switch port as an intermediate bridge for a selected domain.
Dot1ag RMEP Summary Use the RMEP Summary page to view information on remote MEPs that the switch has learned through CFM PDU exchanges with MEPs on the switch. To display the page, click Switching → Dot1ag → RMEP Summary in the tree view.
Dot1ag L2 Ping Use the L2 Ping page to generate a loopback message from a specified MEP. The MEP can be identified by the MEP ID or by its MAC address. To display the page, click Switching → Dot1ag → L2 Ping in the tree view. Figure 26-10.
Figure 26-11. Dot1ag L2 Traceroute Dot1ag L2 Traceroute Cache Use the L2 Traceroute Cache page to view link traces retained in the link trace database. To display the page, click Switching → Dot1ag → L2 Traceroute Cache in the tree view. Figure 26-12.
Dot1ag Statistics Use the Statistics page to view Dot1ag information for a selected domain and VLAN ID. To display the page, click Switching → Dot1ag → Statistics in the tree view. Figure 26-13. Dot1ag Statistics
Configuring Dot1ag (CLI) This section provides information about the commands you use to configure Dot1ag settings on the switch. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide. Configuring Dot1ag Global Settings and Creating Domains Beginning in Privileged Exec mode, use the following commands to configure CFM settings and to view global status and domain information.
Configuring MEP Information
Beginning in Privileged Exec mode, use the following commands to configure the mode and view related settings.
CLI Command: configure
Description: Enter global configuration mode.
CLI Command: interface interface
Description: Enter Interface Config mode for the specified interface, where interface is replaced by gigabitethernet unit/slot/port...
Dot1ag Ping and Traceroute
Beginning in Privileged Exec mode, use the following commands to help identify and troubleshoot Ethernet CFM settings.
CLI Command: ping ethernet cfm mac mac-addr
Description: Generate a loopback message from the MEP with the specified MAC address.
CLI Command: ping ethernet cfm
Description: Generate a loopback message from the MEP with mep-id...
Dot1ag Configuration Example In the following example, the switch at the customer site is part of a Metro Ethernet network that is bridged to remote sites through a provider network. A service VLAN (SVID 200) identifies a particular set of customer traffic on the provider network.
2 Configure port 1/0/5 as an MEP for service VLAN 200 so that the port can exchange CFM PDUs with its counterpart MEPs on the customer network. The port is first configured as a MEP with MEP ID 20 on domain level 6 for VLAN 200.
Snooping and Inspecting Traffic This chapter describes Dynamic Host Configuration Protocol (DHCP) Snooping, IP Source Guard (IPSG), and Dynamic ARP Inspection (DAI), which are layer 2 security features that examine traffic to help prevent accidental and malicious attacks on the switch or network. The topics covered in this chapter include: •...
What Is DHCP Snooping?
Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server to accomplish the following tasks:
• Filter harmful DHCP messages
• Build a bindings database with entries that consist of the following information:
•...
How Is the DHCP Snooping Bindings Database Populated? The DHCP snooping application uses DHCP messages to build and maintain the bindings database. DHCP snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages. Tentative bindings tie a client to a port (the port where the DHCP client message was received). Tentative bindings are completed when DHCP snooping learns the client’s IP address from a DHCP ACK message on a trusted port.
DHCP Snooping and VLANs DHCP snooping forwards valid DHCP client messages received on non-routing VLANs. The message is forwarded on all trusted interfaces in the VLAN. DHCP snooping can be configured on switching VLANs and routing VLANs. When a DHCP packet is received on a routing VLAN, the DHCP snooping application applies its filtering rules and updates the bindings database.
What Is IP Source Guard? IPSG is a security feature that filters IP packets based on source ID. This feature helps protect the network from attacks that use IP address spoofing to compromise or overwhelm the network. The source ID may be either the source IP address or a {source IP address, source MAC address} pair.
What is Dynamic ARP Inspection? Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The malicious attacker sends ARP requests or responses mapping another station’s IP address to its own MAC address.
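The binding lifecycle described under "How Is the DHCP Snooping Bindings Database Populated?" and the DAI check described above, as an added Python model (not Dell's code and not switch output). It assumes that DHCP server messages arriving on untrusted ports are dropped and that DAI requires the ARP sender MAC, sender IP, VLAN and ingress port to match a completed binding; the class, port names, MAC addresses and 192.0.2.x addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

CLIENT_MSGS = {"DISCOVER", "REQUEST"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Binding:
    mac: str
    vlan: int
    port: str
    ip: Optional[str] = None  # None while the binding is still tentative


class SnoopingModel:
    """Simplified model: DHCP snooping builds the table that DAI consults."""

    def __init__(self, dhcp_trusted: Iterable[str], dai_trusted: Iterable[str] = ()):
        self.dhcp_trusted = set(dhcp_trusted)
        self.dai_trusted = set(dai_trusted)
        self.bindings: Dict[Tuple[str, int], Binding] = {}

    def dhcp(self, port: str, vlan: int, msg: str, client_mac: str,
             yiaddr: Optional[str] = None) -> str:
        key = (client_mac, vlan)
        if msg in CLIENT_MSGS:
            # Client message: tie the client to the port it was received on.
            current = self.bindings.get(key)
            if current is None or current.ip is None:
                self.bindings[key] = Binding(client_mac, vlan, port)
            return "forward"
        if msg in SERVER_MSGS:
            # Assumption: server messages are only accepted on trusted ports.
            if port not in self.dhcp_trusted:
                return "drop"
            pending = self.bindings.get(key)
            if msg == "ACK" and pending is not None:
                pending.ip = yiaddr  # tentative binding becomes complete
            return "forward"
        return "drop"

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        if port in self.dai_trusted:
            return "forward"  # trusted ports bypass inspection
        b = self.bindings.get((sender_mac, vlan))
        # Assumption: the ingress port must match as well as MAC, VLAN and IP.
        ok = b is not None and b.ip == sender_ip and b.port == port
        return "forward" if ok else "drop"


def run_scenario() -> Dict[str, object]:
    """Constructed traffic: two hosts on VLAN 100, uplink Po1 trusted."""
    host_a, host_b = "0011.2233.4455", "0011.2233.6677"
    sw = SnoopingModel(dhcp_trusted={"Po1"}, dai_trusted={"Po1"})
    r: Dict[str, object] = {}

    r["discover"] = sw.dhcp("Gi1/0/1", 100, "DISCOVER", host_a)
    # A tentative binding has no IP yet, so ARP from the client is rejected.
    r["arp_while_tentative"] = sw.arp("Gi1/0/1", 100, host_a, "192.0.2.10")
    # An ACK arriving on an untrusted access port must not complete the binding.
    r["ack_on_untrusted_port"] = sw.dhcp("Gi1/0/2", 100, "ACK", host_a, "192.0.2.66")
    r["still_tentative"] = sw.bindings[(host_a, 100)].ip is None

    sw.dhcp("Gi1/0/1", 100, "REQUEST", host_a)
    r["ack_on_trusted_port"] = sw.dhcp("Po1", 100, "ACK", host_a, "192.0.2.10")
    r["arp_valid"] = sw.arp("Gi1/0/1", 100, host_a, "192.0.2.10")

    sw.dhcp("Gi1/0/2", 100, "DISCOVER", host_b)
    sw.dhcp("Po1", 100, "ACK", host_b, "192.0.2.20")
    # Host B maps host A's IP address to its own MAC address.
    r["arp_claims_other_ip"] = sw.arp("Gi1/0/2", 100, host_b, "192.0.2.10")
    # Host A's MAC and IP, but seen on the wrong port.
    r["arp_wrong_port"] = sw.arp("Gi1/0/2", 100, host_a, "192.0.2.10")
    r["arp_from_uplink"] = sw.arp("Po1", 100, "0011.2233.9999", "192.0.2.1")
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24} {verdict}")
```
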
Why Is Traffic Snooping and Inspection Necessary? DHCP Snooping, IPSG, and DAI are security features that can help protect the switch and the network against various types of accidental or malicious attacks. It might be a good idea to enable these features on ports that provide network access to hosts that are in physically unsecured locations or if network users connect nonstandard hosts to the network.
Table 27-1. Traffic Snooping Defaults (Continued)
Parameter                      Default Value
Static IPSG bindings           None configured
DAI validate source MAC        Disabled
DAI validate destination MAC   Disabled
DAI validate IP                Disabled
DAI trust state                Disabled (untrusted)
DAI Rate limit                 15 packets per second
DAI Burst interval             1 second
DAI mode...
Configuring Traffic Snooping and Inspection (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring DHCP snooping, IPSG, and DAI features on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page.
DHCP Snooping Interface Configuration Use the DHCP Snooping Interface Configuration page to configure the DHCP Snooping settings on individual ports and LAGs. To access the DHCP Snooping Interface Configuration page, click Switching → DHCP Snooping → Interface Configuration in the navigation panel.
To view a summary of the DHCP snooping configuration for all interfaces, click Show All. Figure 27-4. DHCP Snooping Interface Configuration Summary
DHCP Snooping VLAN Configuration Use the DHCP Snooping VLAN Configuration page to control the DHCP snooping mode on each VLAN. To access the DHCP Snooping VLAN Configuration page, click Switching → DHCP Snooping → VLAN Configuration in the navigation panel. Figure 27-5.
To view a summary of the DHCP snooping status for all VLANs, click Show All. Figure 27-6. DHCP Snooping VLAN Configuration Summary
DHCP Snooping Persistent Configuration Use the DHCP Snooping Persistent Configuration page to configure the persistent location of the DHCP snooping database. The bindings database can be stored locally on the switch or on a remote system somewhere else in the network. The switch must be able to reach the IP address of the remote system to send bindings to a remote database.
DHCP Snooping Static Bindings Configuration Use the DHCP Snooping Static Bindings Configuration page to add static DHCP bindings to the binding database. To access the DHCP Snooping Static Bindings Configuration page, click Switching → DHCP Snooping → Static Bindings Configuration in the navigation panel.
To view a summary of the DHCP snooping status for all VLANs, click Show All. Figure 27-9. DHCP Snooping Static Bindings Summary To remove a static binding, select the Remove checkbox associated with the binding and click Apply.
IPSG Interface Configuration Use the IPSG Interface Configuration page to configure IPSG on an interface. To access the IPSG Interface Configuration page, click Switching → IP Source Guard → IPSG Interface Configuration in the navigation panel. Figure 27-12. IPSG Interface Configuration
IPSG Binding Summary The IPSG Binding Summary page displays the IPSG Static binding list and IPSG dynamic binding list (the static bindings configured in Binding configuration page). To access the IPSG Binding Summary page, click Switching → IP Source Guard → IPSG Binding Summary in the navigation panel. Figure 27-14.
DAI Global Configuration Use the DAI Configuration page to configure global DAI settings. To display the DAI Configuration page, click Switching → Dynamic ARP Inspection → Global Configuration in the navigation panel. Figure 27-15. Dynamic ARP Inspection Global Configuration
DAI Interface Configuration Use the DAI Interface Configuration page to select the DAI Interface for which information is to be displayed or configured. To display the DAI Interface Configuration page, click Switching → Dynamic ARP Inspection → Interface Configuration in the navigation panel.
Figure 27-17. DAI Interface Configuration Summary
DAI VLAN Configuration Use the DAI VLAN Configuration page to select the VLANs for which information is to be displayed or configured. To display the DAI VLAN Configuration page, click Switching → Dynamic ARP Inspection → VLAN Configuration in the navigation panel. Figure 27-18.
DAI ACL Configuration Use the DAI ACL Configuration page to add or remove ARP ACLs. To display the DAI ACL Configuration page, click Switching → Dynamic ARP Inspection → ACL Configuration in the navigation panel. Figure 27-20. Dynamic ARP Inspection ACL Configuration
To view a summary of the ARP ACLs that have been created, click Show All. Figure 27-21. Dynamic ARP Inspection ACL Summary To remove an ARP ACL, select the Remove checkbox associated with the ACL and click Apply. DAI ACL Rule Configuration Use the DAI ARP ACL Rule Configuration page to add or remove DAI ARP ACL Rules.
Figure 27-22. Dynamic ARP Inspection Rule Configuration To view a summary of the ARP ACL rules that have been created, click Show All. Figure 27-23. Dynamic ARP Inspection ACL Rule Summary To remove an ARP ACL rule, select the Remove checkbox associated with the rule and click Apply.
DAI Statistics Use the DAI Statistics page to display the statistics per VLAN. To display the DAI Statistics page, click Switching → Dynamic ARP Inspection → Statistics in the navigation panel. Figure 27-24. Dynamic ARP Inspection Statistics
Configuring Traffic Snooping and Inspection (CLI) This section provides information about the commands you use to configure DHCP snooping, IPSG, and DAI settings on the switch. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide. Configuring DHCP Snooping Beginning in Privileged EXEC mode, use the following commands to configure and view DHCP snooping settings.
Command: ip dhcp snooping limit {none | rate rate [burst interval seconds]}
Purpose: Configure the maximum rate of DHCP messages allowed on the switch at any given time.
• rate —The maximum number of packets per second allowed (Range: 0–300 pps).
• seconds —...
Configuring IP Source Guard
Beginning in Privileged EXEC mode, use the following commands to configure IPSG settings on the switch.
Command: configure
Purpose: Enter global configuration mode.
Command: interface interface
Purpose: Enter interface configuration mode for the specified port or LAG. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3.
Configuring Dynamic ARP Inspection
Beginning in Privileged EXEC mode, use the following commands to configure DAI settings on the switch.
Command: configure
Purpose: Enter global configuration mode.
Command: ip arp inspection vlan vlan-range [logging]
Purpose: Enable Dynamic ARP Inspection on a single VLAN or a range of VLANs.
Command: ip arp inspection filter acl-name vlan vlan-range [static]
Purpose: Configure the ARP ACL to be used for a single VLAN or a range of VLANs to filter invalid ARP packets. Use the static keyword to indicate that packets that do not match a permit statement are dropped without consulting the DHCP snooping bindings.
Traffic Snooping and Inspection Configuration Examples
This section contains the following examples:
• Configuring DHCP Snooping
• Configuring IPSG
Configuring DHCP Snooping
In this example, DHCP snooping is enabled on VLAN 100. Ports 1-20 connect end users to the network and are members of VLAN 100. These ports are configured to limit the maximum number of DHCP packets with a rate limit of 100 packets per second.
To configure the switch:
1 Enable DHCP snooping on VLAN 100.
console#config
console(config)#ip dhcp snooping vlan 100
2 Configure LAG 1, which includes ports 21-24, as a trusted port. All other interfaces are untrusted by default.
console(config)#interface port-channel 1
console(config-if-Po1)#ip dhcp snooping trust
console(config-if-Po1)#exit
3 Enter interface configuration mode for all untrusted interfaces (ports 1-20) and limit the number of DHCP packets that an interface can receive...
Configuring IPSG This example builds on the previous example and uses the same topology shown in Figure 27-25. In this configuration example, IP source guard is enabled on ports 1-20. DHCP snooping must also be enabled on these ports. Additionally, because the ports use IP source guard with source IP and MAC address filtering, port security must be enabled on the ports as well.
Configuring Link Aggregation This chapter describes how to create and configure link aggregation groups (LAGs), which are also known as port channels. The topics covered in this chapter include: • Link Aggregation Overview • Default Link Aggregation Values • Configuring Link Aggregation (Web) •...
Figure 28-1. LAG Configuration LAGs can be configured on stand-alone or stacked switches. In a stack of switches, the LAG can consist of ports on a single unit or across multiple stack members. When LAG members span different units across a stack, and a unit fails, the remaining LAG members on the functional units continue to handle traffic for the LAG.
more resilient LAG. Best practices suggest using dynamic link aggregation instead of static link aggregation. When a port is added to a LAG as a static member, it neither transmits nor receives LACP PDUs. What is LAG Hashing? PowerConnect 7000 Series switches support configuration of hashing algorithms for each LAG interface.
How Do LAGs Interact with Other Features? From a system perspective, a LAG is treated just like a physical port, with the same configuration parameters (administrative enable/disable, spanning tree port priority, and path cost) as any other physical port. VLAN When members are added to a LAG, they are removed from all existing VLAN membership.
LAG Configuration Guidelines Ports to be aggregated must be configured so that they are compatible with the link aggregation feature and with the partner switch to which they connect. Ports to be added to a LAG must meet the following requirements: •...
Configuring Link Aggregation (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring LAGs on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. LAG Configuration Use the LAG Configuration page to set the name and administrative status (up/down) of a LAG.
LACP Parameters Dynamic link aggregation is initiated and maintained by the periodic exchanges of LACP PDUs. Use the LACP Parameters page to configure LACP LAGs. To display the LACP Parameters page, click Switching → Link Aggregation → LACP Parameters in the navigation panel. Figure 28-3.
Figure 28-4. LACP Parameters Table 3 Select the Edit check box associated with each port to configure. 4 Specify the LACP port priority and LACP timeout for each port. 5 Click Apply.
LAG Membership Your switch supports 48 LAGs per system, and eight ports per LAG. Use the LAG Membership page to assign ports to static and dynamic LAGs. To display the LAG Membership page, click Switching → Link Aggregation → LAG Membership in the navigation panel. Figure 28-5.
Adding a LAG Port to a Dynamic LAG by Using LACP To add a dynamic LAG member: 1 Open the LAG Membership page. 2 Click in the LACP row to toggle the desired LAG port to L. NOTE: The port must be assigned to a LAG before it can be aggregated to an LACP.
LAG Hash Summary The LAG Hash Summary page lists the channels on the system and their assigned hash algorithm type. To display the LAG Hash Summary page, click Switching → Link Aggregation → LAG Hash Summary in the navigation panel. Figure 28-7.
Configuring Link Aggregation (CLI) This section provides information about the commands you use to configure link aggregation settings on the switch. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide. Configuring LAG Characteristics Beginning in Privileged EXEC mode, use the following commands to configure a few of the available LAG characteristics.
Configuring Link Aggregation Groups
Beginning in Privileged EXEC mode, use the following commands to add ports as LAG members and to configure the LAG hashing mode.
Command: configure
Purpose: Enter global configuration mode.
Command: interface interface
Purpose: Enter interface configuration mode for the specified port. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3.
Command: hashing-mode mode
Purpose: Set the hashing algorithm on the LAG. The mode value is a number from 1 to 7. The numbers correspond to the following algorithms:
• 1 — Source MAC, VLAN, EtherType, source module, and port ID
• 2 — Destination MAC, VLAN, EtherType, source module, and port ID
•...
Configuring LACP Parameters
Beginning in Privileged EXEC mode, use the following commands to configure system and per-port LACP parameters.
Command: configure
Purpose: Enter global configuration mode.
Command: lacp system-priority value
Purpose: Set the Link Aggregation Control Protocol priority for the switch. The priority value range is 1–65535.
Command: interface port-channel
Purpose: Enter interface configuration mode for the specified LAG.
Link Aggregation Configuration Examples This section contains the following examples: • Configuring Dynamic LAGs • Configuring Static LAGs NOTE: The examples in this section show the configuration of only one switch. Because LAGs involve physical links between two switches, the LAG settings and member ports must be configured on both switches.
Configuring Static LAGs The commands in this example show how to configure a static LAG on a switch. The LAG number is 2, and the member ports are 10, 11, 14, and 17. To configure the switch: 1 Enter interface configuration mode for the ports that are to be configured as LAG members.
Managing the MAC Address Table This chapter describes the L2 MAC address table the switch uses to forward data between ports. The topics covered in this chapter include: • MAC Address Table Overview • Default MAC Address Table Values • Managing the MAC Address Table (Web) •...
What Information Is in the MAC Address Table? Each entry in the address table, whether it is static or dynamic, includes the MAC address, the VLAN ID associated with the MAC address, and the interface on which the address was learned or configured. Each port can maintain multiple MAC addresses, and a MAC address can be associated with multiple VLANs.
Managing the MAC Address Table (Web) This section provides information about the OpenManage Switch Administrator pages to use to manage the MAC address table on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. Static Address Table Use the Static Address Table page to view MAC addresses that have been manually added to the MAC address table and to configure static MAC...
Figure 29-2. Adding Static MAC Address
3 Select the interface to associate with the static address.
4 Specify the MAC address and an associated VLAN ID.
5 Click Apply. The new static address is added to the Static MAC Address Table, and the device is updated.
Dynamic Address Table The Dynamic Address Table page contains fields for querying information in the dynamic address table, including the interface type, MAC addresses, VLAN, and table sorting key. Packets forwarded to an address stored in the address table are forwarded directly to those ports. The Dynamic Address Table also contains information about the aging time before a dynamic MAC address is removed from the table.
Managing the MAC Address Table (CLI)
This section provides information about the commands you use to manage the MAC address table on the switch. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide.
Managing the MAC Address Table
Beginning in Privileged EXEC mode, use the following commands to add a static MAC address to the table, control the aging time for dynamic addresses, and view entries in the MAC address table.
Configuring Routing Interfaces
This chapter describes the routing (layer 3) interfaces the PowerConnect 7000 Series switches support, which include VLAN routing interfaces, loopback interfaces, and tunnel interfaces. The topics covered in this chapter are:
• Routing Interface Overview
• Default Routing Interface Values
•...
For each VLAN routing interface you can assign a static IP address, or you can allow a network DHCP server to assign a dynamic IP address. When a port is enabled for bridging (L2 switching) rather than routing, which is the default, all normal bridge processing is performed for an inbound packet, which is then associated with a VLAN.
What Are Tunnel Interfaces?
Tunnels are a mechanism for transporting a packet across a network so that it can be evaluated at a remote location or tunnel endpoint. The tunnel, effectively, hides the packet from the network used to transport the packet to the endpoint.
In Figure 30-1 the PowerConnect switch is configured as an L3 device and performs the routing functions for hosts connected to the L2 switches. For Host A to communicate with Host B, no routing is necessary. These hosts are in the same VLAN. However, for Host A in VLAN 10 to communicate with Host C in VLAN 20, the PowerConnect switch must perform inter-VLAN routing.
Tunnel Interface
Tunnels can be used in networks that support both IPv6 and IPv4. The tunnel allows non-contiguous IPv6 networks to be connected over an IPv4 infrastructure.
Default Routing Interface Values
By default, no routing interfaces are configured. When you create a VLAN, no IP address is configured, and DHCP is disabled. After you configure an IP address, routing is automatically enabled on the interface, and the interface has the default configuration shown in Table 30-1.
Table 30-2. Tunnel Interface Defaults
Parameter | Default Value
Tunnel mode | 6-in-4 configured
Link Local Only Mode | Disabled
Source address | None
Destination address | 0.0.0.0
Configuring Routing Interfaces (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VLAN routing interfaces, loopback interfaces, and tunnels on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page.
DHCP Lease Parameters Use the DHCP Lease Parameters page to view information about the network information automatically assigned to an interface by the DHCP server. To display the page, click Routing → IP → DHCP Lease Parameters in the navigation panel. Figure 30-3.
Figure 30-4. VLAN Routing Summary
Tunnel Configuration
Use the Tunnels Configuration page to create, configure, or delete a tunnel. To display the page, click Routing → Tunnels → Configuration in the navigation panel.
Figure 30-5. Tunnel Configuration
Tunnels Summary
Use the Tunnels Summary page to display a summary of configured tunnels. To display the page, click Routing → Tunnels → Summary in the navigation panel.
Figure 30-6. Tunnels Summary
Loopbacks Configuration Use the Loopbacks Configuration page to create, configure, or remove loopback interfaces. You can also set up or delete a secondary address for a loopback. To display the page, click Routing → Loopbacks → Loopbacks Configuration in the navigation panel. Figure 30-7.
Loopbacks Summary
Use the Loopbacks Summary page to display a summary of configured loopback interfaces on the switch. To display the page, click Routing → Loopbacks → Loopbacks Summary in the navigation panel.
Figure 30-8. Loopbacks Summary
Configuring Routing Interfaces (CLI)
This section provides information about the commands you use to configure VLAN routing interfaces, loopbacks, and tunnels on the switch. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide.
Configuring VLAN Routing Interfaces (IPv4)
Beginning in Privileged EXEC mode, use the following commands to configure a VLAN as a routing interface and set the IP configuration parameters.
Command | Purpose
ip mtu size | Set the IP Maximum Transmission Unit (MTU) on a routing interface. The IP MTU is the size of the largest IP packet that can be transmitted on the interface without fragmentation. The range is 68–9198 bytes.
bandwidth size | Set the configured bandwidth on this interface to...
Configuring Loopback Interfaces
Beginning in Privileged EXEC mode, use the following commands to configure a loopback interface.
Command | Purpose
configure | Enter Global Configuration mode.
interface loopback loopback-id | Create the loopback interface and enter Interface Configuration mode for the specified loopback interface.
Configuring Tunnels
Beginning in Privileged EXEC mode, use the following commands to configure a tunnel interface.
NOTE: For information about configuring the IPv6 interface characteristics for a tunnel, see "Configuring IPv6 Routing" on page 1045.
Command | Purpose
configure | Enter Global Configuration mode.
interface tunnel tunnel-id | Create the tunnel interface and enter Interface...
Configuring DHCP Server Settings
This chapter describes how to configure the switch to dynamically assign network information to hosts by using the Dynamic Host Configuration Protocol (DHCP). The topics covered in this chapter include:
• DHCP Overview
• Default DHCP Server Values
•...
Figure 31-1. Message Exchange Between DHCP Client and Server
[Figure: messages exchanged between the DHCP Client and the DHCP Server (PowerConnect Switch), in order: DHCPDISCOVER (broadcast), DHCPOFFER (unicast), DHCPREQUEST (broadcast), DHCPACK (unicast)]
What Additional DHCP Features Does the Switch Support? The switch software includes a DHCP client that can request network information from a DHCP server on the network during the initial system configuration process. For information about enabling the DHCP client, see "Setting the IP Address and Other Basic Network Information"...
Configuring the DHCP Server (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the DHCP server on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. DHCP Server Network Properties Use the Network Properties page to define global DHCP server settings and to configure addresses that are not included in any address pools.
Adding Excluded Addresses
To exclude an address:
1 Open the Network Properties page.
2 Click Add Excluded Addresses to display the Add Excluded Addresses page.
3 In the From field, enter the first IP address to exclude from any configured address pool.
Deleting Excluded Addresses
To remove an excluded address:
1 Open the Network Properties page.
2 Click Delete Excluded Addresses to display the Delete Excluded Addresses page.
3 Select the check box next to the address or address range to delete.
Figure 31-4.
Figure 31-5. Address Pool
Adding a Network Pool
To create and configure a network pool:
1 Open the Address Pool page.
2 Click Add Network Pool to display the Add Network Pool page.
3 Assign a name to the pool and complete the desired fields.
In Figure 31-6, the network pool name is Engineering, and the address pool contains all IP addresses in the 192.168.5.0 subnet, which means a client that receives an address from the DHCP server might lease an...
Figure 31-6. Add Network Pool
The Engineering pool also configures clients to use 192.168.5.1 as the default gateway IP address and 192.168.1.5 and 192.168.2.5 as the primary and secondary DNS servers.
NOTE: The IP address 192.168.5.1 should be added to the global list of excluded addresses so that it is not leased to a client.
In Figure 31-7, the Static pool name is Lab, and the name of the client in the pool is LabHost1. The client’s MAC address is mapped to the IP address 192.168.11.54, the default gateway is 192.168.11.1, and the DNS servers the client will use have IP addresses of 192.168.5.100 and 192.168.2.5.
Address Pool Options Use the Address Pool Options page to view manually configured options. You can define options when you create an address pool, or you can add options to an existing address pool. To display the Address Pool Options page, click Routing → IP → DHCP Server →...
Figure 31-9. Add DHCP Option
5 Click Apply.
6 To verify that the option has been added to the address pool, open the Address Pool Options page.
Figure 31-10. View Address Pool Options DHCP Bindings Use the DHCP Bindings page to view information about the clients that have leased IP addresses from the DHCP server. To display the DHCP Bindings page, click Routing → IP → DHCP Server →...
DHCP Server Reset Configuration Use the Reset Configuration page to clear the client bindings for one or more clients. You can also reset bindings for clients that have leased an IP address that is already in use on the network. To display the Reset Configuration page, click Routing →...
DHCP Server Conflicts Information Use the Conflicts Information page to view information about clients that have leased an IP address that is already in use on the network. To display the Conflicts Information page, click Routing → IP → DHCP Server →...
DHCP Server Statistics Use the Server Statistics page to view general DHCP server statistics, messages received from DHCP clients, and messages sent to DHCP clients. To display the Server Statistics page, click Routing → IP → DHCP Server → Server Statistics in the navigation panel. Figure 31-14.
Configuring the DHCP Server (CLI)
This section provides information about the commands you use to configure and monitor the DHCP server and address pools. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide.
Configuring Global DHCP Server Settings
Beginning in Privileged EXEC mode, use the following commands to configure settings for the DHCP server.
Configuring a Dynamic Address Pool
Beginning in Privileged EXEC mode, use the following commands to create an address pool with network information that is dynamically assigned to hosts with DHCP clients that request the information.
Command | Purpose
configure | Enter Global Configuration mode.
ip dhcp pool name | Create a DHCP address pool and enter DHCP pool...
Configuring a Static Address Pool Beginning in Privileged EXEC mode, use the following commands to create a static address pool and specify the network information for the pool. The network information configured in the static address pool is assigned only to the host with the hardware address or client identifier that matches the information configured in the static pool.
Command | Purpose
default-router address1 address2..address8 | Specify the list of default gateway IP addresses to be assigned to the DHCP client.
dns-server address1 address2..address8 | Specify the list of DNS server IP addresses to be assigned to the DHCP client.
domain-name domain | Specify the domain name for a DHCP client.
5 Specify the domain name to be assigned to clients that lease an address from this pool.
console(config-dhcp-pool)#domain-name engineering.dell.com
console(config-dhcp-pool)#exit
6 In Global Configuration mode, add the addresses to exclude from the pool. Clients will not be assigned these IP addresses.
9 View information about all configured address pools.
console#show ip dhcp pool configuration all
Pool: Engineering
Pool Type...................... Network
Network........................ 192.168.5.0 255.255.255.0
Lease Time..................... 1 days 0 hrs 0 mins
DNS Servers.................... 192.168.5.11
Default Routers................ 192.168.5.1
Domain Name.................... engineering.dell.com
192.168.5.101
6 Specify the domain name to be assigned to clients that lease an address from this pool.
console(config-dhcp-pool)#domain-name executive.dell.com
7 Specify the option that configures the SMTP server IP address to the host.
console(config-dhcp-pool)#option 69 ip 192.168.1.33
console(config-dhcp-pool)#exit...
Pool: Tyler PC
Pool Type...................... Static
Client Name.................... TylerPC
Hardware Address............... 00:1c:23:55:e9:f3
Hardware Address Type.......... ethernet
Host........................... 192.168.2.10 255.255.255.0
Lease Time..................... 1 days 0 hrs 0 mins
DNS Servers.................... 192.168.2.101
Default Routers................ 192.168.2.1
Domain Name.................... executive.dell.com
Option......................... 69 ip 192.168.1.33
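The NOTE for the Engineering pool earlier in this chapter (exclude 192.168.5.1 so it is never leased) applies to every gateway or DNS address that sits inside a network pool. The following Python check is an added example, not part of the Dell manual: it reads text in the layout of show ip dhcp pool configuration all and reports such addresses that no excluded range covers. The excluded ranges, the function names and the sample text are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout of "show ip dhcp pool configuration all",
# using the Engineering and Tyler PC values shown in this chapter.
SAMPLE_OUTPUT = """\
Pool: Engineering
Pool Type...................... Network
Network........................ 192.168.5.0 255.255.255.0
Lease Time..................... 1 days 0 hrs 0 mins
DNS Servers.................... 192.168.5.11
Default Routers................ 192.168.5.1
Domain Name.................... engineering.dell.com

Pool: Tyler PC
Pool Type...................... Static
Client Name.................... TylerPC
Host........................... 192.168.2.10 255.255.255.0
DNS Servers.................... 192.168.2.101
Default Routers................ 192.168.2.1
"""

# Assumed exclusion list (constructed): only the gateway has been excluded.
EXCLUDED_RANGES = [("192.168.5.1", "192.168.5.1")]

# "Key......... value": the key ends at the first run of two or more dots.
FIELD = re.compile(r"^(?P<key>[^.]+)\.{2,}\s*(?P<value>.*)$")


def parse_pools(text):
    """Split the show output into one dict of fields per pool."""
    pools, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Pool:"):
            current = {"Pool": line.split(":", 1)[1].strip()}
            pools.append(current)
        elif current is not None:
            match = FIELD.match(line)
            if match:
                current[match.group("key").strip()] = match.group("value").strip()
    return pools


def is_excluded(ip, ranges):
    """True if ip falls inside any (low, high) excluded range."""
    return any(
        ipaddress.ip_address(low) <= ip <= ipaddress.ip_address(high)
        for low, high in ranges
    )


def unexcluded_infrastructure(pools, excluded):
    """List (pool, role, address) for gateways and DNS servers that a
    network pool could still lease to a client."""
    findings = []
    for pool in pools:
        # Static pools bind one host address, so only network pools matter.
        if pool.get("Pool Type") != "Network" or "Network" not in pool:
            continue
        address, mask = pool["Network"].split()
        network = ipaddress.ip_network(f"{address}/{mask}")
        for role in ("Default Routers", "DNS Servers"):
            for token in pool.get(role, "").replace(",", " ").split():
                ip = ipaddress.ip_address(token)
                if ip in network and not is_excluded(ip, excluded):
                    findings.append((pool["Pool"], role, str(ip)))
    return findings


if __name__ == "__main__":
    for finding in unexcluded_infrastructure(parse_pools(SAMPLE_OUTPUT), EXCLUDED_RANGES):
        print("leasable infrastructure address:", finding)
```

With only the gateway excluded, the DNS server 192.168.5.11 is reported, because it lies inside 192.168.5.0/24 and could be handed to a client.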
Configuring IP Routing
This chapter describes how to configure routing on the switch, including global routing settings, Address Resolution Protocol (ARP), router discovery, and static routes. The topics covered in this chapter include:
• IP Routing Overview
• Default IP Routing Values
•...
Table 32-1. IP Routing Features (Continued)
Feature | Description
ICMP Router Discovery Protocol (IRDP) | Hosts can use IRDP to identify operational routers on the subnet. Routers periodically advertise their IP addresses. Hosts listen for these advertisements and discover the IP addresses of neighboring routers.
Default IP Routing Values
Table 32-2 shows the default values for the IP routing features this chapter describes.
Table 32-2. IP Routing Defaults
Parameter | Default Value
Default Time to Live |
Routing Mode | Disabled globally and on each interface
ICMP Echo Replies | Enabled
ICMP Redirects | Enabled...
Table 32-2. IP Routing Defaults (Continued)
Parameter | Default Value
Route Preference Values | Preference values are as follows:
• Local—0
• Static—1
• OSPF Intra—110
• OSPF Inter—110
• OSPF External—110
• RIP—120
Configuring IP Routing Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring IPv4 routing features on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. IP Configuration Use the Configuration page to configure routing parameters for the switch as opposed to an interface.
IP Statistics
The IP statistics reported on the Statistics page are as specified in RFC 1213. To display the page, click Routing → IP → Statistics in the navigation panel.
Figure 32-2. IP Statistics
ARP Create
Use the Create page to add a static ARP entry to the Address Resolution Protocol table. To display the page, click Routing → ARP → Create in the navigation panel.
Figure 32-3. ARP Create
ARP Table Configuration Use the Table Configuration page to change the configuration parameters for the Address Resolution Protocol Table. You can also use this screen to display the contents of the table. To display the page, click Routing → ARP → Table Configuration in the navigation panel.
Router Discovery Configuration
Use the Configuration page to enter or change router discovery parameters. To display the page, click Routing → Router Discovery → Configuration in the navigation panel.
Figure 32-5. Router Discovery Configuration
Router Discovery Status
Use the Status page to display router discovery data for each interface. To display the page, click Routing → Router Discovery → Status in the navigation panel.
Figure 32-6. Router Discovery Status
Route Table
Use the Route Table page to display the contents of the routing table. To display the page, click Routing → Router → Route Table in the navigation panel.
Figure 32-7. Route Table
Best Routes Table
Use the Best Routes Table page to display the best routes from the routing table. To display the page, click Routing → Router → Best Routes Table in the navigation panel.
Figure 32-8. Best Routes Table
Route Entry Configuration
Use the Route Entry Configuration page to add new and configure router routes. To display the page, click Routing → Router → Route Entry Configuration in the navigation panel.
Figure 32-9. Route Entry Configuration
Adding a Route and Configuring Route Preference
To configure routing table entries:
1 Open the Route Entry Configuration page.
Figure 32-10. Router Route Entry and Preference Configuration
3 Next to Route Type, use the drop-down box to add a Default, Static, or Static Reject route. The fields to configure are different for each route type.
• Default — Enter the default gateway address in the Next Hop IP...
Configured Routes Use the Configured Routes page to display the routes that have been manually configured. NOTE: For a static reject route, the next hop interface value is Null0. Packets to the network address specified in static reject routes are intentionally dropped. To display the page, click Routing →...
Route Preferences Configuration Use the Route Preferences Configuration page to configure the default preference for each protocol (for example 60 for static routes). These values are arbitrary values that range from 1 to 255, and are independent of route metrics. Most routing protocols use a route metric to determine the shortest path known to the protocol, independent of any other protocol.
Configuring IP Routing Features (CLI)
This section provides information about the commands you use to configure IPv4 routing on the switch. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide.
Configuring Global IP Routing Settings
Beginning in Privileged EXEC mode, use the following commands to configure various global IP routing settings for the switch.
Adding Static ARP Entries and Configuring ARP Table Settings Beginning in Privileged EXEC mode, use the following commands to configure static ARP entries in the ARP cache and to specify the settings for the ARP cache. Command Purpose configure Enter global configuration mode. ip-address hardware- Create a static ARP entry in the ARP table.
Configuring Router Discovery (IRDP)
Beginning in Privileged EXEC mode, use the following commands to configure IRDP settings.
Command | Purpose
configure | Enter global configuration mode.
interface interface | Enter interface configuration mode for the specified VLAN routing interface. The interface variable includes the interface type (vlan) and number, for example vlan 100.
Configuring Route Table Entries and Route Preferences
Beginning in Privileged EXEC mode, use the following commands to configure route table entries and route preferences.
Command | Purpose
configure | Enter global configuration mode.
ip route default nextHopRtr preference | Configure the default route.
• nextHopRtr — IP address of the next hop router.
• preference...
Command Purpose ip-address show ip route [ View the routing table. mask prefix-length ip-address • — Specifies the network for which the route [longer-prefixes] | is to be displayed and displays the best matching best- protocol route for the address. mask •...
IP Routing Configuration Example In this example, the PowerConnect switches are L3 switches with VLAN routing interfaces. VLAN routing is configured on PowerConnect Switch A and PowerConnect Switch B. This allows the host in VLAN 10 to communicate with the server in VLAN 30. A static route to the VLAN 30 subnet is configured on Switch A.
Configuring PowerConnect Switch A
To configure Switch A:
1 Enable routing on the switch.
console#configure
console(config)#ip routing
2 Assign an IP address to VLAN 10. This command also enables IP routing on the VLAN.
console(config)#interface vlan 10
console(config-if-vlan10)#ip address 192.168.10.10 255.255.255.0
console(config-if-vlan10)#exit
3 Assign an IP address to VLAN 20.
Configuring PowerConnect Switch B
To configure Switch B:
1 Enable routing on the switch.
console#configure
console(config)#ip routing
2 Assign an IP address to VLAN 20. This command also enables IP routing on the VLAN.
console#configure
console(config)#interface vlan 20
console(config-if-vlan20)#ip address 192.168.20.25 255.255.255.0
console(config-if-vlan20)#exit
3 Assign an IP address to VLAN 30.
Configuring L2 and L3 Relay Features
This chapter describes how to configure the L2 DHCP Relay, L3 DHCP Relay, and IP Helper features on PowerConnect 7000 Series switches. The topics covered in this chapter include:
• L2 and L3 Relay Overview
•...
the DHCP request. If the number of hops is greater than the configured number, the agent discards the packet. If the giaddr field is zero, the agent must fill in this field with the IP address of the interface on which the request was received.
Enabling L2 Relay on VLANs You can enable L2 DHCP relay on a particular VLAN. The VLAN is identified by a service VLAN ID (S-VID), which a service provider uses to identify a customer’s traffic while traversing the provider network to multiple remote sites.
Table 33-1. Default Ports - UDP Port Numbers Implied By Wildcard
Protocol | UDP Port Number
IEN-116 Name Service |
NetBIOS Name Server |
NetBIOS Datagram Server |
TACACS Server |
Time Service |
DHCP |
Trivial File Transfer Protocol |
The system limits the number of relay entries to four times the maximum number of routing interfaces (512 relay entries).
configuration for the destination UDP port. If so, the relay agent unicasts the packet to the configured server IP addresses. Otherwise the packet is not relayed. NOTE: If the packet matches a discard relay entry on the ingress interface, the packet is not forwarded, regardless of the global configuration.
Table 33-2 shows the most common protocols and their UDP port numbers and names that are relayed.
Table 33-2. UDP Port Allocations
UDP Port Number | Acronym | Application
 | Echo | Echo
 | SysStat | Active User
 | NetStat | NetStat
 | Quote | Quote of the day
 | CHARGEN | Character Generator
 | FTP-data | FTP Data...
Default L2/L3 Relay Values
By default L2 DHCP relay is disabled. L3 relay (UDP) is enabled, but no UDP destination ports or server addresses are defined on the switch or on any interfaces.
Table 33-3. L2/L3 Relay Defaults
Parameter | Default Value
L2 DHCP Relay Admin Mode | Disabled globally and on all interfaces and...
Configuring L2 and L3 Relay Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring L2 and L3 relay features on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page.
DHCP Relay Interface Configuration Use this page to enable L2 DHCP relay on individual ports. NOTE: L2 DHCP relay must also be enabled globally on the switch. To access this page, click Switching → DHCP Relay → Interface Configuration in the navigation panel. Figure 33-2.
DHCP Relay Interface Statistics
Use this page to display statistics on DHCP Relay requests received on a selected port. To access this page, click Switching → DHCP Relay → Interface Statistics in the navigation panel.
Figure 33-4. DHCP Relay Interface Statistics
DHCP Relay VLAN Configuration Use this page to enable and configure DHCP Relay on specific VLANs. To access this page, click Switching → DHCP Relay → VLAN Configuration in the navigation panel. Figure 33-5. DHCP Relay VLAN Configuration To view a summary of the L2 DHCP relay configuration on all VLANs, click Show All.
DHCP Relay Agent Configuration
Use the Configuration page to configure and display a DHCP relay agent. To display the page, click Routing → DHCP Relay Agent → Configuration in the navigation panel.
Figure 33-7. DHCP Relay Agent Configuration
IP Helper Global Configuration
Use the Global Configuration page to add, show, or delete UDP Relay and Helper IP configuration. To display the page, click Routing → IP Helper → Global Configuration in the navigation panel.
Figure 33-8. IP Helper Global Configuration
Adding an IP Helper Entry
To configure an IP helper entry:
1.
Figure 33-9. Add Helper IP Address 3. Select a UDP Destination port name from the menu or enter the UDP Destination Port ID. Select the Default Set to configure for the relay entry for the default set of protocols. NOTE: If the DefaultSet option is specified, the device by default forwards UDP Broadcast packets for the following services: IEN-116 Name Service (port 42), DNS (port 53), NetBIOS Name Server (port 137), NetBIOS Datagram...
IP Helper Interface Configuration Use the Interface Configuration page to add, show, or delete UDP Relay and Helper IP configuration for a specific interface. To display the page, click Routing → IP Helper → Interface Configuration in the navigation panel. Figure 33-10.
Figure 33-11. Add Helper IP Address 3. Select the interface to use for the relay. 4. Select a UDP Destination port name from the menu or enter the UDP Destination Port ID. Select the Default Set to configure for the relay entry for the default set of protocols.
Figure 33-12. IP Helper Statistics
Configuring L2 and L3 Relay Features (CLI)
This section provides information about the commands you use to configure L2 and L3 relay features on the switch. For more information about the commands, see the PowerConnect 7000 Series CLI Reference Guide.
Configuring L2 DHCP Relay
Beginning in Privileged EXEC mode, use the following commands to configure switch and interface L2 DHCP relay settings.
Command Purpose exit Exit to Privileged EXEC mode. show dhcp l2relay all View L2 DHCP relay settings for all interfaces. show dhcp l2relay vlan View L2 DHCP relay settings for the specified VLAN vlan-range show dhcp l2relay stats View the number of DHCP packets processed and relayed interface interface [all | by the L2 relay agent.
Command | Purpose
ip helper-address {server-address | discard} [dest-udp-port | dhcp | domain | isakmp | mobile-ip | nameserver | netbios-... | Configure the relay of certain UDP broadcast packets received on the VLAN routing interface(s). This command takes precedence over an ip helper-address command given in global configuration mode. Specify the one of the protocols defined in the command...
Relay Agent Configuration Example
The example in this section shows how to configure the L3 relay agent (IP helper) to relay and discard various protocols.
Figure 33-13. L3 Relay Network Diagram
[Figure labels: DHCP Server 192.168.40.22; DNS Server 192.168.40.43; DHCP Server 192.168.40.35; SNMP Server 192.168.23.1; VLAN 30...]
2 Relay DNS packets received on VLAN 10 to 192.168.40.43
console(config-if-vlan10)#ip helper-address 192.168.40.43 domain
console(config-if-vlan10)#exit
3 Relay SNMP traps (port 162) received on VLAN 20 to 192.168.23.1
console(config)#interface vlan 20
console(config-if-vlan20)#ip helper-address 192.168.23.1 162
4 The clients on VLAN 20 have statically-configured network information, so the switch is configured to drop DHCP packets received on VLAN 20
console(config-if-vlan20)#ip helper-address discard dhcp...
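To check what a set of ip helper-address entries will actually do with a broadcast, the precedence rules stated in this chapter can be modelled offline. The following Python is an added example, not Dell code: it parses helper entries like those in steps 2 to 4 and applies the rules that an interface entry takes precedence over a global one and that a discard entry on the ingress interface wins regardless of the global configuration. The global DHCP entry, the function names and the config text are constructed for illustration; the dhcp and domain keywords are mapped to UDP ports 67 and 53.

```python
# Well-known UDP ports for the two protocol keywords used in this example.
PORTS = {"dhcp": 67, "domain": 53}

# Constructed config text. The interface entries follow steps 2 to 4 above;
# the global DHCP entry is an assumption added to show the precedence rule.
SAMPLE_CONFIG = """\
ip helper-address 192.168.40.22 dhcp
interface vlan 10
ip helper-address 192.168.40.43 domain
exit
interface vlan 20
ip helper-address 192.168.23.1 162
ip helper-address discard dhcp
exit
"""


def parse_helpers(config):
    """Return {scope: [(target, udp_port)]} where scope is 'global' or
    'vlan N' and target is a server address or the word 'discard'.
    Entries without a port argument are ignored here."""
    table, scope = {}, "global"
    for raw in config.splitlines():
        words = raw.split()
        if words[:2] == ["interface", "vlan"] and len(words) == 3:
            scope = "vlan " + words[2]
        elif words == ["exit"]:
            scope = "global"
        elif words[:2] == ["ip", "helper-address"] and len(words) == 4:
            target, port = words[2], words[3]
            udp = PORTS[port] if port in PORTS else int(port)
            table.setdefault(scope, []).append((target, udp))
    return table


def relay_decision(table, ingress, dst_port):
    """Decide what happens to a UDP broadcast received on `ingress`."""
    local = [t for t, p in table.get(ingress, []) if p == dst_port]
    if "discard" in local:
        # A discard entry on the ingress interface overrides everything.
        return ("drop", [])
    if local:
        # Interface entries take precedence over global entries.
        return ("relay", local)
    servers = [t for t, p in table.get("global", []) if p == dst_port]
    return ("relay", servers) if servers else ("not relayed", [])


def discards_overriding_global(table):
    """List (interface, port, global_servers) where an interface discard
    entry blocks traffic that the global configuration would relay."""
    hits = []
    for scope, entries in table.items():
        if scope == "global":
            continue
        for target, port in entries:
            if target != "discard":
                continue
            servers = [t for t, p in table.get("global", []) if p == port]
            if servers:
                hits.append((scope, port, servers))
    return hits


if __name__ == "__main__":
    table = parse_helpers(SAMPLE_CONFIG)
    for vlan, port in [("vlan 10", 67), ("vlan 10", 53), ("vlan 20", 67),
                       ("vlan 20", 162), ("vlan 20", 53)]:
        print(vlan, "udp", port, "->", relay_decision(table, vlan, port))
    print("discards overriding global:", discards_overriding_global(table))
```

DHCP from VLAN 20 is dropped even though a global DHCP helper exists, while the same traffic from VLAN 10 falls through to the global entry.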
Configuring OSPF and OSPFv3
This chapter describes how to configure Open Shortest Path First (OSPF) and OSPFv3. OSPF is a dynamic routing protocol for IPv4 networks, and OSPFv3 is used to route traffic in IPv6 networks. The protocols are configured separately within the software, but their functionality is largely similar for IPv4 and IPv6 networks.
OSPF Overview
OSPF is an Interior Gateway Protocol (IGP) that performs dynamic routing within a network. PowerConnect 7000 Series switches support two dynamic routing protocols: OSPF and Routing Information Protocol (RIP). Unlike RIP, OSPF is a link-state protocol. Larger networks typically use the OSPF protocol instead of RIP.
What Are OSPF Routers and LSAs? When a PowerConnect switch is configured to use OSPF for dynamic routing, it is considered to be an OSPF router. OSPF routers keep track of the state of the various links they send data to. Routers exchange OSPF link state advertisements (LSAs) with other routers.
Default OSPF Values OSPF is globally enabled by default. To make it operational on the router, you must configure a router ID and enable OSPF on at least one interface. Table 34-1 shows the global default values for OSPF and OSPFv3. Table 34-1.
Table 34-2. OSPF Per-Interface Defaults
Parameter | Default Value
Retransmit Interval | 5 seconds
Hello Interval | 10 seconds
Dead Interval | 40 seconds
LSA Ack Interval | 1 second
Interface Delay Interval | 1 second
MTU Ignore | Disabled
Passive Mode | Disabled
Network Type | Broadcast
Authentication Type | None (OSPFv2 only)
Metric Cost | Not configured...
Configuring OSPF Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring OSPF features on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. OSPF Configuration Use the Configuration page to enable OSPF on a router and to configure the related OSPF settings.
OSPF Area Configuration The Area Configuration page lets you create a Stub area configuration and NSSA once you’ve enabled OSPF on an interface through Routing → OSPF → Interface Configuration. At least one router must have OSPF enabled for this web page to display. To display the page, click Routing →...
Configuring an OSPF Stub Area
To configure the area as an OSPF stub area, click Create Stub Area. The page refreshes and displays additional fields that are specific to the stub area.
Figure 34-3. OSPF Stub Area Configuration
Use the Delete Stub Area button to remove the stub area.
Configuring an OSPF Not-So-Stubby Area
To configure the area as an OSPF not-so-stubby area (NSSA), click NSSA Create. The page refreshes and displays additional fields that are specific to the NSSA.
Figure 34-4. OSPF NSSA Configuration
Use the NSSA Delete button to remove the NSSA area.
OSPF Stub Area Summary
The Stub Area Summary page displays OSPF stub area detail. To display the page, click Routing → OSPF → Stub Area Summary in the navigation panel.
Figure 34-5. OSPF Stub Area Summary
OSPF Area Range Configuration
Use the Area Range Configuration page to configure and display an area range for a specified NSSA. To display the page, click Routing → OSPF → Area Range Configuration in the navigation panel.
Figure 34-6. OSPF Area Range Configuration
OSPF Interface Statistics
Use the Interface Statistics page to display statistics for the selected interface. The information is displayed only if OSPF is enabled. To display the page, click Routing → OSPF → Interface Statistics in the navigation panel.
Figure 34-7. OSPF Interface Statistics
OSPF Interface Configuration Use the Interface Configuration page to configure an OSPF interface. To display the page, click Routing → OSPF → Interface Configuration in the navigation panel. Figure 34-8. OSPF Interface Configuration
OSPF Neighbor Table Use the Neighbor Table page to display the OSPF neighbor table list. When a particular neighbor ID is specified, detailed information about a neighbor is given. The information below is only displayed if OSPF is enabled. To display the page, click Routing → OSPF → Neighbor Table in the navigation panel.
OSPF Neighbor Configuration Use the Neighbor Configuration page to display the OSPF neighbor configuration for a selected neighbor ID. When a particular neighbor ID is specified, detailed information about a neighbor is given. The information below is only displayed if OSPF is enabled and the interface has a neighbor. The IP address is the IP address of the neighbor.
OSPF Link State Database Use the Link State Database page to display OSPF link state, external LSDB table, and AS opaque LSDB table information. To display the page, click Routing → OSPF → Link State Database in the navigation panel. Figure 34-11.
Figure 34-12. OSPF Virtual Link Creation After you create a virtual link, additional fields display, as Figure 34-13 shows. Figure 34-13. OSPF Virtual Link Configuration
OSPF Virtual Link Summary Use the Virtual Link Summary page to display all of the configured virtual links. To display the page, click Routing → OSPF → Virtual Link Summary in the navigation panel. Figure 34-14. OSPF Virtual Link Summary
OSPF Route Redistribution Configuration Use the Route Redistribution Configuration page to configure redistribution in OSPF for routes learned through various protocols. You can choose to redistribute routes learned from all available protocols or from selected ones. To display the page, click Routing → OSPF → Route Redistribution Configuration in the navigation panel.
NSF OSPF Summary Use the NSF OSPF Summary page to configure the non-stop forwarding (NSF) support mode and to view NSF summary information for the OSPF feature. NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure. For information about NSF, see "What is Nonstop Forwarding?"...
Configuring OSPFv3 Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring OSPFv3 features on a PowerConnect 7000 Series switch. For details about the fields on a page, click at the top of the page. OSPFv3 Configuration Use the Configuration page to activate and configure OSPFv3 for a switch.
OSPFv3 Area Configuration Use the Area Configuration page to create and configure an OSPFv3 area. To display the page, click IPv6 → OSPFv3 → Area Configuration in the navigation panel. Figure 34-19. OSPFv3 Area Configuration
Configuring an OSPFv3 Stub Area To configure the area as an OSPFv3 stub area, click Create Stub Area. The page refreshes and displays additional fields that are specific to the stub area. Figure 34-20. OSPFv3 Stub Area Configuration Use the Delete Stub Area button to remove the stub area.
Configuring an OSPFv3 Not-So-Stubby Area To configure the area as an OSPFv3 not-so-stubby area (NSSA), click Create NSSA. The page refreshes and displays additional fields that are specific to the NSSA. Figure 34-21. OSPFv3 NSSA Configuration Use the Delete NSSA button to remove the NSSA area.
OSPFv3 Stub Area Summary Use the Stub Area Summary page to display OSPFv3 stub area detail. To display the page, click IPv6 → OSPFv3 → Stub Area Summary in the navigation panel. Figure 34-22. OSPFv3 Stub Area Summary
OSPFv3 Area Range Configuration Use the Area Range Configuration page to configure OSPFv3 area ranges. To display the page, click IPv6 → OSPFv3 → Area Range Configuration in the navigation panel. Figure 34-23. OSPFv3 Area Range Configuration
OSPFv3 Interface Configuration Use the Interface Configuration page to create and configure OSPFv3 interfaces. This page has been updated to include the Passive Mode field. To display the page, click IPv6 → OSPFv3 → Interface Configuration in the navigation panel. Figure 34-24.
OSPFv3 Interface Statistics Use the Interface Statistics page to display OSPFv3 interface statistics. Information is only displayed if OSPF is enabled. Several fields have been added to this page. To display the page, click IPv6 → OSPFv3 → Interface Statistics in the navigation panel.
OSPFv3 Neighbors Use the Neighbors page to display the OSPF neighbor configuration for a selected neighbor ID. When a particular neighbor ID is specified, detailed information about that neighbor is given. Neighbor information only displays if OSPF is enabled and the interface has a neighbor. The IP address is the IP address of the neighbor.
OSPFv3 Neighbor Table Use the Neighbor Table page to display the OSPF neighbor table list. When a particular neighbor ID is specified, detailed information about a neighbor is given. The neighbor table is only displayed if OSPF is enabled. To display the page, click IPv6 → OSPFv3 → Neighbor Table in the navigation panel.
OSPFv3 Link State Database Use the Link State Database page to display the link state and external LSA databases. The OSPFv3 Link State Database page has been updated to display external LSDB table information in addition to OSPFv3 link state information.
OSPFv3 Virtual Link Configuration Use the Virtual Link Configuration page to define a new or configure an existing virtual link. To display this page, a valid OSPFv3 area must be defined through the OSPFv3 Area Configuration page. To display the page, click IPv6 → OSPFv3 → Virtual Link Configuration in the navigation panel.
After you create a virtual link, additional fields display, as Figure 34-30 shows. Figure 34-30. OSPFv3 Virtual Link Configuration
OSPFv3 Virtual Link Summary Use the Virtual Link Summary page to display virtual link data by Area ID and Neighbor Router ID. To display the page, click IPv6 → OSPFv3 → Virtual Link Summary in the navigation panel. Figure 34-31. OSPFv3 Virtual Link Summary
OSPFv3 Route Redistribution Configuration Use the Route Redistribution Configuration page to configure route redistribution. To display the page, click IPv6 → OSPFv3 → Route Redistribution Configuration in the navigation panel. Figure 34-32. OSPFv3 Route Redistribution Configuration
OSPFv3 Route Redistribution Summary Use the Route Redistribution Summary page to display route redistribution settings by source. To display the page, click IPv6 → OSPFv3 → Route Redistribution Summary in the navigation panel. Figure 34-33. OSPFv3 Route Redistribution Summary
NSF OSPFv3 Configuration Use the NSF OSPFv3 Configuration page to configure the non-stop forwarding (NSF) support mode and to view NSF summary information for the OSPFv3 feature. NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure. For information about NSF, see "What is Nonstop Forwarding?"...
Configuring OSPF Features (CLI) This section provides information about the commands you use to configure and view OSPF settings on the switch. This section does not describe all available show commands. For more information about all available OSPF commands, see the PowerConnect 7000 Series CLI Reference Guide. Configuring Global OSPF Settings Beginning in Privileged EXEC mode, use the following commands to...
Command: default-information originate [always] [metric metric-value] [metric-type type-value]
Purpose: Control the advertisement of default routes. • always — Normally, OSPF originates a default route only if a default route is redistributed into OSPF (and default-information originate is configured). When the always option is configured, OSPF originates a default route, even if no default route is redistributed.
Command: passive-interface default
Purpose: Configure OSPF interfaces as passive by default. This command overrides any interface-level passive mode settings. OSPF does not form adjacencies on passive interfaces but does advertise attached networks as stub networks.
Command: timers spf delay-time hold-time
Purpose: Specify the SPF delay and hold time. • delay-time...
Command: ip ospf area area-id [secondaries none]
Purpose: Enables OSPFv2 on the interface and sets the area ID of an interface. This command supersedes the effects of the network area command. The area-id variable is the ID of the area (Range: IP address or decimal from 0–4294967295). Use the secondaries none keyword to prevent the interface from advertising its secondary addresses into the OSPFv2...
Command: ip ospf transmit-delay seconds
Purpose: Set the OSPF Transit Delay for the interface. The seconds variable sets the estimated number of seconds it takes to transmit a link state update packet over this interface. (Range: 1–3600 seconds)
Command: ip ospf mtu-ignore
Purpose: Disable OSPF MTU mismatch detection on the received database description.
Command: network ip-address wildcard-mask area area-id
Purpose: Enable OSPFv2 on interfaces whose primary IP address matches this command, and make the interface a member of the specified area. • ip-address — Base IPv4 address of the network area. • wildcard-mask —...
Command: area area-id nssa translator-role {always | candidate}
Purpose: Configure the translator role of the NSSA. • always — The router assumes the role of the translator when it becomes a border router. • candidate — The router can participate in the translator election process when it attains border router status.
Command: area area-id virtual-link router-id [authentication [message-digest | null]] [[authentication-key key- | [message-digest-key
Purpose: Create the OSPF virtual interface for the specified area-id and neighbor router. Use the optional parameters to configure authentication for the virtual link. If the area has not been previously created, it is created by this command.
Command: area area-id virtual-link neighbor-id transmit-delay seconds
Purpose: Set the OSPF Transit Delay for the interface. The seconds variable is the number of seconds to increment the age of the LSA before sending, based on the estimated time it takes to transmit from the interface.
Configuring OSPF Route Redistribution Settings
Beginning in Privileged EXEC mode, use the following commands to configure OSPF route redistribution settings.
Command: configure
Purpose: Enter global configuration mode.
Command: router ospf
Purpose: Enter OSPF configuration mode.
Command: distribute-list accesslistname out {rip |
Purpose: Specify the access list to filter routes received from the source protocol.
Command: exit
Purpose: Exit to Global Config mode.
Command: exit
Purpose: Exit to Privileged EXEC mode.
Command: show ip ospf
Purpose: View OSPF configuration and status information, including route distribution information.
Configuring NSF Settings for OSPF
Beginning in Privileged EXEC mode, use the following commands to configure the non-stop forwarding settings for OSPF.
Command: nsf [ietf] [planned-only]
Purpose: Enable a graceful restart of OSPF. • ietf — This keyword is used to distinguish the IETF standard implementation of graceful restart from other implementations. Since the IETF implementation is the only one supported, this keyword is optional. •...
Configuring OSPFv3 Features (CLI) This section provides information about the commands you use to configure OSPFv3 settings on the switch. For more information about the commands and about additional show commands, see the PowerConnect 7000 Series CLI Reference Guide. Configuring Global OSPFv3 Settings Beginning in Privileged EXEC mode, use the following commands to configure various global OSPFv3 settings for the switch.
Command: distance ospf {external | inter-area | intra-area} distance
Purpose: Set the preference values of OSPFv3 route types in the router. The range for the distance variable is 1–255. Lower route preference values are preferred when determining the best route.
Configuring OSPFv3 Interface Settings
Beginning in Privileged EXEC mode, use the following commands to configure per-interface OSPFv3 settings.
Command: configure
Purpose: Enter global configuration mode.
Command: interface vlan vlan-id
Purpose: Enter Interface Configuration mode for the specified VLAN.
Command: ipv6 ospf areaid area-id
Purpose: Enables OSPFv3 on the interface and sets the area ID of an interface.
Command: ipv6 ospf dead-interval seconds
Purpose: Set the OSPFv3 dead interval for the interface. The seconds variable indicates the number of seconds a router waits to see a neighbor router's Hello packets before declaring that the router is down (Range: 1–65535). This parameter must be the same for all routers attached to a network.
Command: show ipv6 ospf interface interface-type interface-number
Purpose: View summary information for all OSPFv3 interfaces configured on the switch or for the specified routing interface.
Command: show ipv6 ospf interface stats interface-type interface-number
Purpose: View per-interface OSPFv3 statistics.
Configuring Stub Areas and NSSAs
Beginning in Privileged EXEC mode, use the following commands to configure OSPFv3 stub areas and NSSAs.
Command: area area-id nssa [no-redistribution] [default-information-originate [metric metric-value [metric-type metric-type-...
Purpose: Create and configure an NSSA for the specified area ID. • metric-value —Specifies the metric of the default route advertised to the NSSA. (Range: 1–16777214) • metric-type-value —The metric type can be one of the following:...
Configuring Virtual Links
Beginning in Privileged EXEC mode, use the following commands to configure OSPFv3 Virtual Links.
Command: configure
Purpose: Enter global configuration mode.
Command: ipv6 router ospf
Purpose: Enter OSPFv3 configuration mode.
Command: area area-id virtual-link neighbor-id
Purpose: Create the OSPFv3 virtual interface for the specified area-id neighbor-id...
Configuring an OSPFv3 Area Range
Beginning in Privileged EXEC mode, use the following commands to configure an OSPFv3 area range.
Command: configure
Purpose: Enter global configuration mode.
Command: ipv6 router ospf
Purpose: Enter OSPFv3 configuration mode.
Command: area area-id range ipv6-prefix/prefix-length
Purpose: Configure a summary prefix for routes learned in a given area.
Configuring OSPFv3 Route Redistribution Settings
Beginning in Privileged EXEC mode, use the following commands to configure OSPFv3 route redistribution settings.
Command: configure
Purpose: Enter global configuration mode.
Command: ipv6 router ospf
Purpose: Enter OSPFv3 configuration mode.
Command: redistribute {static | connected} [metric
Purpose: Configure OSPFv3 to allow redistribution of routes from the specified source protocol/routers.
Configuring NSF Settings for OSPFv3
Beginning in Privileged EXEC mode, use the following commands to configure the non-stop forwarding settings for OSPFv3.
Command: configure
Purpose: Enter global configuration mode.
Command: ipv6 router ospf
Purpose: Enter OSPFv3 configuration mode.
Command: nsf [ietf] helper strict-lsa-checking
Purpose: Require that an OSPFv3 helpful neighbor exit helper mode whenever a topology change occurs.
OSPF Configuration Examples
This section contains the following examples:
• Configuring an OSPF Border Router and Setting Interface Costs
• Configuring Stub and NSSA Areas for OSPF and OSPFv3
• Configuring a Virtual Link for OSPF and OSPFv3
Configuring an OSPF Border Router and Setting Interface Costs
This example shows how to configure the PowerConnect switch as an OSPF border router.
To Configure Border Router A:
1 Enable routing on the switch.
console#configure
console(config)#ip routing
2 Create VLANs 70, 80, and 90.
console(config)#vlan 70,80,90
3 Assign IP addresses for VLANs 70, 80 and 90.
console(config)#interface vlan 70
console(config-if-vlan70)#ip address 192.150.2.2 255.255.255.0
console(config-if-vlan70)#exit
console(config)#interface vlan 80
console(config-if-vlan80)#ip address 192.150.3.1...
console(config-if-vlan70)#exit
console(config)#interface vlan 80
console(config-if-vlan80)#ip ospf area 0.0.0.2
console(config-if-vlan80)#ip ospf priority 255
console(config-if-vlan80)#ip ospf cost 64
console(config-if-vlan80)#exit
console(config)#interface vlan 90
console(config-if-vlan90)#ip ospf area 0.0.0.2
console(config-if-vlan90)#ip ospf priority 255
console(config-if-vlan90)#ip ospf cost 64
console(config-if-vlan90)#exit
Configuring Stub and NSSA Areas for OSPF and OSPFv3
In this example, Area 0 connects directly to two other areas: Area 1 is defined as a stub area and Area 2 is defined as an NSSA area.
Figure 34-36. OSPF Configuration—Stub Area and NSSA Area
console(config-if)#interface vlan 6
console(config-if-vlan6)#ip address 10.2.3.3 255.255.255.0
console(config-if-vlan6)#ipv6 address 3000:2:3::/64 eui64
4 Associate the interface with area 0.0.0.0 and enable OSPFv3.
console(config-if-vlan6)#ip ospf area 0.0.0.0
console(config-if-vlan6)#ipv6 ospf
console(config-if-vlan6)#exit
5 Configure IP and IPv6 addresses on VLAN routing interface 12.
console(config)#interface vlan 12
console(config-if-vlan12)#ip address 10.3.100.3 255.255.255.0...
console(config)#ipv6 route 3000:44:44::/64 3000:2:3::210:18ff:fe82:c14
console(config)#ip route 10.23.67.0 255.255.255.0 10.2.3.3
2 Create VLANs 5, 10, and 17.
console(config)#vlan 5,10,17
3 On VLANs 5, 10, and 17, configure IPv4 and IPv6 addresses and enable OSPFv3. For IPv6, associate VLAN 5 with Area 0, VLAN 10 with Area 1, and VLAN 17 with Area 2.
console(config-router)#area 0.0.0.1 stub
console(config-router)#area 0.0.0.2 nssa
5 For IPv4: Enable OSPF for IPv4 on VLANs 10, 5, and 17 by globally defining the range of IP addresses associated with each interface, and then associating those ranges with Areas 1, 0, and 2, respectively.
console(config-router)#network 10.1.2.0 0.0.0.255 area 0.0.0.1
console(config-router)#network 10.2.3.0 0.0.0.255...
Figure 34-37. OSPF Configuration—Virtual Link
Switch B is an ABR that directly connects Area 0 to Area 1.
console(config-rtr)#area 0.0.0.1 virtual-link 5.5.5.5
console(config-rtr)#exit
Switch C is an ABR that enables a virtual link from the remote Area 2 in the AS to Area 0. The following commands define a virtual link that traverses Area 1 to Switch B (2.2.2.2).
To configure Switch C:
1 For IPv4, assign the router ID, create the virtual link to Switch B, and associate the VLAN routing interfaces with the appropriate areas.
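The virtual link in the example above is created with none of the optional authentication parameters that the area virtual-link command table lists. The following audit sketch is an added example, not code from Dell or from the original guide; it reads console-style OSPFv2 configuration lines and reports virtual links that do not use message-digest authentication. The function names and the sample configuration are constructed for illustration, and treating a bare authentication keyword as simple password authentication is an assumption.

```python
import re

# Constructed sample in the style of this section's console examples.
# Areas, neighbor IDs and the key are placeholders, not values from a real device.
SAMPLE_CONFIG = """\
console#configure
console(config)#router ospf
console(config-rtr)#area 0.0.0.1 virtual-link 5.5.5.5
console(config-rtr)#area 0.0.0.3 virtual-link 6.6.6.6 authentication null
console(config-rtr)#area 0.0.0.4 virtual-link 7.7.7.7 authentication message-digest
console(config-rtr)#area 0.0.0.4 virtual-link 7.7.7.7 transmit-delay 5
console(config-rtr)#area 0.0.0.5 virtual-link 8.8.8.8 authentication authentication-key PLACEHOLDER
console(config-rtr)#exit
console(config)#ipv6 router ospf
console(config-rtr)#area 0.0.0.1 virtual-link 5.5.5.5
console(config-rtr)#exit
"""

PROMPT = re.compile(r"^\S*#\s*")  # strips a leading "console(config-rtr)#"


def virtual_link_auth(config_text):
    """Return {(area_id, neighbor_id): mode} for OSPFv2 virtual links."""
    links = {}
    in_ospfv2 = False
    for raw in config_text.splitlines():
        tokens = PROMPT.sub("", raw.strip()).split()
        if not tokens:
            continue
        if tokens[:2] == ["router", "ospf"]:
            in_ospfv2 = True
            continue
        # Leaving the mode or entering OSPFv3 ends the OSPFv2 block. Only the
        # OSPFv2 command table lists authentication options, so OSPFv3 is skipped.
        if tokens[0] == "exit" or tokens[:3] == ["ipv6", "router", "ospf"]:
            in_ospfv2 = False
            continue
        if not in_ospfv2 or len(tokens) < 4:
            continue
        if tokens[0] != "area" or tokens[2] != "virtual-link":
            continue
        key = (tokens[1], tokens[3])
        links.setdefault(key, "none")
        opts = tokens[4:]
        # A later line for the same link (for example transmit-delay) must not
        # reset a mode set earlier, so update only when the keyword is present.
        if "authentication" in opts:
            i = opts.index("authentication")
            nxt = opts[i + 1] if i + 1 < len(opts) else ""
            # Assumption: bare "authentication" means simple password mode.
            links[key] = nxt if nxt in ("message-digest", "null") else "simple"
    return links


def findings(config_text):
    """List (area, neighbor, mode) for links without message-digest auth."""
    return sorted((a, n, m) for (a, n), m in virtual_link_auth(config_text).items()
                  if m != "message-digest")


if __name__ == "__main__":
    for area, neighbor, mode in findings(SAMPLE_CONFIG):
        print(f"area {area} virtual-link {neighbor}: authentication={mode}")
```
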
Interconnecting an IPv4 Backbone and Local IPv6 Network In Figure 34-38, two PowerConnect L3 switches are connected as shown in the diagram. The VLAN 15 routing interface on both switches connects to an IPv4 backbone network where OSPF is used as the dynamic routing protocol to exchange IPv4 routes.