Dell 6200 SERIES manual



A good user manual

The rules should oblige the seller to give the purchaser an operating instruction for the Dell 6200 SERIES along with the item. The lack of an instruction, or false information given to the customer, constitutes grounds for a complaint on account of nonconformity of the goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately, graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction be unambiguous and legible.

What is an instruction?

The term originates from the Latin word "instructio", which means organizing. Therefore, in an instruction for the Dell 6200 SERIES one can find a process description. An instruction's purpose is to teach, to ease start-up and the use of an item, or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.

Unfortunately, only a few customers devote their time to reading the instruction for the Dell 6200 SERIES. A good user manual introduces us to a number of additional functions of the purchased item and also helps us avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the Dell 6200 SERIES should contain:
- information concerning the technical data of the Dell 6200 SERIES
- the name of the manufacturer and the year of construction of the Dell 6200 SERIES item
- rules of operation, control and maintenance of the Dell 6200 SERIES item
- safety signs and certification marks which confirm compliance with the appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and from uncertainty about the functions of purchased items. Unfortunately, networking and start-up of the Dell 6200 SERIES alone are not enough. An instruction contains a number of hints concerning the respective functions, safety rules, maintenance methods (which agents should be used), possible defects of the Dell 6200 SERIES, and methods of resolving problems. Eventually, when one still cannot find the answer to a problem, one will be directed to Dell service. Lately, animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material and will not skip the complicated, technical information about the Dell 6200 SERIES.

Why one should read the manuals?

It is mostly in the manuals that we find the details concerning the construction and capabilities of the Dell 6200 SERIES item, its use of the respective accessories, and information concerning all the functions and facilities.

After a successful purchase of an item, one should find a moment to get to know every part of the instruction. Currently, manuals are carefully prepared and translated so that they can be fully understood by their users. The manuals serve as an informational aid.

Table of contents for the manual

  • Page 1

    www.dell.com | support.dell.com Dell™ PowerConnect™ 6200 Series Configuration Guide Model: PC6224, PC6248, PC6224P, PC6248P, and PC6224F[...]

  • Page 2

    Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed. WARNING: A WARNING indicates a potential for property damage, personal injury, or deat[...]

  • Page 3

    3 Contents 1 About this Document . . . 9 Organization . . . 9 Additional Documentation . . . 10 2 System Configuration . . . 11 Trace[...]

  • Page 4

    4 3 Switching Configuration . . . 29 Virtual LANs . . . 29 VLAN Configuration Example . . . 30 CLI Examples . . . 31 Web Interface .[...]

  • Page 5

    5 sFlow . . . 67 Overview . . . 67 sFlow Agents . . . 68 CLI Examples . . . 69 4 Routing Configura[...]

  • Page 6

    6 5 Device Security . . . 105 802.1x Network Access Control . . . 106 802.1x Network Access Control Examples . . . 106 802.1X Authentication and VLANs . . . 109 Authenticated and[...]

  • Page 7

    7 6 IPv6 . . . 135 Overview . . . 135 Interface Configuration . . . 135 CLI Example . . . 136 7 Qual[...]

  • Page 8

    8 9 Utility . . . 161 Auto Config . . . 162 Overview . . . 162 Functional Description . . . 162 CLI Examp[...]

  • Page 9

    About this Document 9 1 About this Document This configuration guide provides examples of how to use the Dell™ PowerConnect™ 6200 Series switch in a typical network. It describes the advantages of specific functions the PowerConnect 6200 Series switch provides and includes information about configuring those functions using the comma[...]

  • Page 10

    10 About this Document Additional Documentation The following documentation provides additional information about PowerConnect 6200 Series software: • The CLI Command Reference for your Dell PowerConnect switch describes the commands available from the command-line interface (CLI) for managing, monitoring, and configuring the swi[...]

  • Page 11

    System Configuration 11 2 System Configuration This section provides configuration scenarios for the following features: • "Traceroute" on page 12 • "Configuration Scripting" on page 13 • "Outbound Telnet" on page 16 • "Simple Network Time Protocol (SNTP)" on page 17 • "[...]

  • Page 12

    12 System Configuration Traceroute Use Traceroute to discover the routes that packets take when traveling on a hop-by-hop basis to their destination through the network. • Maps network routes by sending packets with small Time-to-Live (TTL) values and watches the ICMP time-out announcements • Command displays all L3 device [...]

  • Page 13

    System Configuration 13 --More-- or (q)uit 20 64.233.174.99 250 ms 240 ms 250 ms Hop Count = 20 Last TTL = 30 Test attempt = 90 Test Success = 90 Configuration Scripting Configuration scripting allows you to generate a text-formatted script file that shows the current system configuration. You can generate multiple scripts and upload and [...]

  • Page 14

    14 System Configuration CLI Examples The following are examples of the commands used for configuration scripting. Example #1: Viewing the Script Options console#script ? apply Applies configuration script to the switch. delete Deletes a configuration script file from the switch. list Lists all configuration script files present on th[...]

  • Page 15

    System Configuration 15 Example #4: Copying the Active Configuration into a Script Use this command to capture the running configuration into a script. console#show running-config running-config.scr Config script created successfully. Example #5: Uploading a Configuration Script to the TFTP Server Use this command to upload a conf[...]

  • Page 16

    16 System Configuration exit configure logging web-session bridge aging-time 100 exit Configuration script validated. File transfer operation completed successfully. Example #7: Validating a Script console#script validate abc.scr ip address dhcp username "admin" password 16d7a4fca7442dda3ad93c9a726597e4 level 15 encrypted exit Con[...]

  • Page 17

    System Configuration 17 CLI Examples The following are examples of the commands used in the outbound telnet feature. Example #1: Connecting to Another System by Using Telnet console#telnet 192.168.77.151 Trying 192.168.77.151... console# User:admin Password: (Dell PC62XX Routing) >enable Password: console#show ip interface Management [...]

  • Page 18

    18 System Configuration CLI Examples The following are examples of the commands used in the SNTP feature. Example #1: Viewing SNTP Options (Dell PC62XX Routing)(Config) #sntp ? console(config)#sntp ? authenticate Require authentication for received Network Time Protocol (NTP) traffic from servers. authentication-key Define an authentica[...]

  • Page 19

    System Configuration 19 Example #3: Viewing SNTP Information console#show sntp ? configuration Show the configuration of the Simple Network Time Protocol (SNTP). status To show the status of the Simple Network Time Protocol (SNTP). console#show sntp configuration Polling interval: 64 seconds MD5 Authentication keys: Authentication is not r[...]

  • Page 20

    20 System Configuration Syslog Overview Syslog: • Allows you to store system messages and/or errors. • Can store to local files on the switch or a remote server running a syslog daemon. • Provides a method of collecting message logs from many systems. Interpreting Log Files Figure 2-1 describes the information that displ[...]

  • Page 21

    System Configuration 21 Web Session Logging : disabled SNMP Set Command Logging : disabled 0 Messages were not logged. Buffer Log: <189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 31 %% Instance 0 has elected a new STP root: 8000:00ff:f2a3:8888 <189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c([...]

  • Page 22

    22 System Configuration alert Immediate action needed critical Critical conditions debug Debugging messages emergency System is unusable error Error conditions info Informational messages notice Normal but significant conditions warning Warning conditions console(Config-logging)#level critical Port Description The Port Description fea[...]

  • Page 23

    System Configuration 23 Storm Control A traffic storm occurs when incoming packets flood the LAN, resulting in network performance degradation. The Storm Control feature protects against this condition. The switch software provides broadcast, multicast, and unicast storm recovery for individual interfaces. Unicast Storm Control protects ag[...]

  • Page 24

    24 System Configuration Example #1: Set Broadcast Storm Control for an Interface console#configure console(config)#interface ethernet 1/g17 console(config-if-1/g17)#storm-control broadcast ? <cr> Press enter to execute the command. level Configure storm-control thresholds. console(config-if-1/g17)#storm-control broadcast level ? <rate[...]

  • Page 25

    System Configuration 25 Cable Diagnostics This section describes: • "Copper Port Cable Test" on page 25 • "Fiber Port Cable Test" on page 27 NOTE: Cable Diagnostics is supported on SFP/XFP ports but not on the Stacking/CX-4/SFP+/10GbaseT ports. Copper Port Cable Test The cable test feature enables you to [...]

  • Page 26

    26 System Configuration Example #1: Cable Test for Copper Ports console#test copper-port tdr 1/g1 Cable Status................................... Short Cable Length................................... 5m console#show copper-ports tdr Port Result Length [meters] Date ------- ------ ---------------- -------------------- 1/g1 Short 9 Jan 0[...]

  • Page 27

    System Configuration 27 Example #3: Show Last Time Domain Reflectometry Tests Use the show copper-ports tdr command in Privileged EXEC mode to display the last Time Domain Reflectometry (TDR) tests on specified ports. The following example displays the last TDR tests on all ports. console#show copper-ports tdr Port Result Length [[...]

  • Page 28

    28 System Configuration[...]

  • Page 29

    Switching Configuration 29 3 Switching Configuration This section provides configuration scenarios for the following features: • "Virtual LANs" on page 29 • "Voice VLAN" on page 37 • "IGMP Snooping" on page 40 • "IGMP Snooping Querier" on page 43 • "Link Aggregation/Port Channels"[...]

  • Page 30

    30 Switching Configuration • The IP-subnet Based VLAN feature lets you map IP addresses to VLANs by specifying a source IP address, network mask, and the desired VLAN ID. • The MAC-based VLAN feature lets packets originating from end stations become part of a VLAN according to source MAC address. To configure the feature, you[...]

  • Page 31

    Switching Configuration 31 CLI Examples The following examples show how to create VLANs, assign ports to the VLANs, and assign a VLAN as the default VLAN to a port. Example #1: Create Two VLANs Use the following commands to create two VLANs and to assign the VLAN IDs while leaving the names bl[...]

  • Page 32

    32 Switching Configuration Example #3: Assign Ports to VLAN3 This example shows how to assign the ports that will belong to VLAN 3. Untagged frames will be accepted on ports 1/g19 and 1/g20. Note that port 1/g18 belongs to both VLANs and that port 1/g17 can never belong to VLAN 3. console(config)#interface ethernet 1/g18 ccon[...]

  • Page 33

    Switching Configuration 33 Example #6: View Information About VLAN 2 console#show ip interface vlan 2 Primary IP Address............................ 192.168.10.33/255.255.255.0 Routing Mode.................................. Enable Administrative Mode........................... Enable Forward Net Directed Broadcasts............... Disable Prox[...]

  • Page 34

    34 Switching Configuration IP Subnet and MAC-Based VLANs In addition to port-based VLANs, the switch also supports VLANs that are based on the IP address or MAC address of a host. With IP subnet and MAC-based VLANs, the VLAN membership is determined by the address of the host rather than the port to which the host is attached. CLI Exam[...]

  • Page 35

    Switching Configuration 35 Example #4: Viewing IP Subnet and MAC-Based VLAN Associations console#show vlan association mac MAC Address VLAN ID ----------------- ------- 00FF.F2A3.8886 10 console#show vlan association subnet IP Subnet IP Mask VLAN ID ---------------- ---------------- ------- 192.168.25.0 255.255.255.0 10 192.168.1.11 255.[...]

  • Page 36

    36 Switching Configuration CLI Example Example #1: Configuring a Protected Port The commands in this example name the protected port group 1 "PP_Test" and assign ports 1 and 2 to the group. console(config)#switchport protected 1 name PP_Test console(config)#interface ethernet 1/g17 console(config-if-1/g17)#switchport protec[...]

  • Page 37

    Switching Configuration 37 Voice VLAN Voice VLAN enables switch ports to carry voice traffic with a defined priority in order to enable the separation of voice and data traffic coming onto the port. A primary benefit of using Voice VLAN is to ensure that the sound quality of an IP phone is safeguarded from deteriorating when[...]

  • Page 38

    38 Switching Configuration • When a dot1p priority is associated with the Voice VLAN port instead of a VLAN ID, then the priority information is passed onto the VOIP phone using the LLDP-MED mechanism. By this method, the voice data coming from the VOIP phone is tagged with VLAN 0 and with the exchanged priorit[...]

  • Page 39

    Switching Configuration 39 Example #2: Configuring Voice VLAN on an Unauthenticated Port In some networks, multiple devices (for example, a PC, Printer, and phone) are connected to a single port on the switch. The PCs and printers are authenticated by 802.1X, but the phone might n[...]

  • Page 40

    40 Switching Configuration IGMP Snooping This section describes the Internet Group Management Protocol (IGMP) Snooping feature. IGMP Snooping enables the switch to monitor IGMP transactions between hosts and routers. It can help conserve bandwidth by allowing the switch to forward IP multicast traffic only to connected hosts that req[...]

  • Page 41

    Switching Configuration 41 1. Create VLAN 100. console#configure console(config)#vlan database console(config-vlan)#vlan 100 2. Enable IGMP snooping on the VLAN. console(config-vlan)#ip igmp snooping 100 console(config-vlan)#exit 3. Forbid the forwarding of unregistered multicast addresses on VLAN 100 to prevent multicast flooding to ports [...]

  • Page 42

    42 Switching Configuration 9. View information about the IGMP snooping configuration. console#show ip igmp snooping Admin Mode..................................... Enable Multicast Control Frame Count.................. 0 Interfaces Enabled for IGMP Snooping........... None Vlans enabled for IGMP snooping................ 100 In this example, [...]

  • Page 43

    Switching Configuration 43 Multicast Packets Received..................... 626494 Broadcast Packets Received..................... 0 console#show statistics ethernet 1/g10 ... Total Packets Received Without Errors.......... 12 Unicast Packets Received....................... 0 Multicast Packets Received..................... 12 Broadcast Packets Rec[...]

  • Page 44

    44 Switching Configuration Example #2: Configure IGMP Snooping Querier Properties The first command in this example sets the IGMP Querier Query Interval time to 100. This means that the switch waits 100 seconds before sending another general query. The second command sets the IGMP Querier timer expiration period to 100.[...]

  • Page 45

    Switching Configuration 45 Example #5: Show IGMP Snooping Querier Information for VLAN 10 console#show ip igmp snooping querier vlan 10 Vlan 10 : IGMP Snooping querier status ---------------------------------------------- IGMP Snooping Querier Vlan Mode................ Enable Querier Election Participate Mode.............. Enable Querier Vla[...]

  • Page 46

    46 Switching Configuration CLI Example The following shows an example of configuring the software to support Link Aggregation (LAG) to a server and to a Layer 3 switch. Figure 3-3 shows the example network. Figure 3-3. LAG/Port-channel Example Network Diagram Subnet 3 Port 1/0/8 LAG_20 Layer 2 Switch Port 1/0/9 LAG_20 Server Por[...]

  • Page 47

    Switching Configuration 47 Example 1: Create Names for Two Port-Channels console#configure console(config)#interface port-channel 1 console(config-if-ch1)#description lag_1 console(config-if-ch1)#exit console(config)#interface port-channel 2 console(config-if-ch2)#description lag_2 console(config-if-ch2)#exit Example 2: Add the Physica[...]

  • Page 48

    48 Switching Configuration ch2 No Configured Ports 3 ch3 No Configured Ports 3 ch4 No Configured Ports 3 ch5 No Configured Ports 3 ch6 No Configured Ports 3 ch7 No Configured Ports 3 ch8 No Configured Ports 3 ch9 No Configured Ports 3 ch10 No Configured Ports 3 ch11 No Configured Ports 3 ch12 No Configured Ports 3 ch13 No Configured Ports 3 ch1[...]

  • Page 49

    Switching Configuration 49 Port Mirroring This section describes the Port Mirroring feature, which can serve as a diagnostic tool, debugging tool, or means of fending off attacks. Overview Port mirroring selects network traffic from specific ports for analysis by a network analyzer, while allowing the same traffic to be switched t[...]

  • Page 50

    50 Switching Configuration Port Security This section describes the Port Security feature. Overview Port Security: • Allows for limiting the number of MAC addresses on a given port. • Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure packets) are restricted. • Enable[...]

  • Page 51

    Switching Configuration 51 CLI Examples The following are examples of the commands used in the Port Security feature. Example #1: Enable Port Security on an Interface console(config)#interface ethernet 1/g18 console(config-if-1/g18)#port security ? <cr> Press enter to execute the command. discard Discard frames with unlearned s[...]

  • Page 52

    52 Switching Configuration Link Layer Discovery Protocol The Link Layer Discovery Protocol (LLDP) feature allows individual interfaces on the switch to advertise major capabilities and physical descriptions. Network managers can view this information and identify system topology and detect bad configurations on the LAN. LLDP has separa[...]

  • Page 53

    Switching Configuration 53 Example #3: Show Global LLDP Parameters console#show lldp LLDP Global Configuration Transmit Interval............................ 30 seconds Transmit Hold Multiplier..................... 8 Reinit Delay................................. 5 seconds Notification Interval........................ 1000 seconds Example #4 Sh[...]

  • Page 54

    54 Switching Configuration Denial of Service Attack Protection This section describes the PowerConnect 6200 Series Denial of Service Protection feature. Overview Denial of Service: • Spans two categories: – Protection of the switch – Protection of the network • Protects against the exploitation of a numb[...]

  • Page 55

    Switching Configuration 55 Table 3-1 describes the dos-control keywords. Table 3-1. DoS Control CLI Examples The commands shown below show how to enable DoS protection and view its status. Example #1: Enabling all DOS Controls console#configure console(config)#dos-control sipdip console(config)#dos-control firstfrag console(con[...]

  • Page 56

    56 Switching Configuration Example #2: Viewing the DoS Configuration Information console#show dos-control SIPDIP Mode.................................... Enable First Fragment Mode............................ Enable Min TCP Hdr Size............................... 20 TCP Fragment Mode.............................. Enable TCP Flag Mode..........[...]

  • Page 57

    Switching Configuration 57 The hardware rate limits DHCP packets sent to the CPU from interfaces to 64 Kbps. The DHCP snooping application processes incoming DHCP messages. For DHCPRELEASE and DHCPDECLINE messages, the application compares the receive interface and VLAN with the client interface and VLAN in the bindings database.[...]

  • Page 58

    58 Switching Configuration Figure 3-4. DHCP Binding The DHCP snooping component does not forward server messages since they are forwarded in hardware. DHCP snooping forwards valid DHCP client messages received on un-trusted interfaces to all trusted interfaces within the VLAN. The binding's database includes the following info[...]

  • Page 59

    Switching Configuration 59 CLI Examples The commands below show examples of configuring DHCP Snooping for the switch and for individual interfaces. Example #1 Enable DHCP snooping for the switch console(config)#ip dhcp snooping console(config)#exit console# Example #2 Enable DHCP snooping on a VLAN console(config)#ip dhcp snooping vlan 1[...]

  • Page 60

    60 Switching Configuration console(config)# console(config)#exit Example #6 Configure DHCP snooping database Persistency interval console(config)#ip dhcp snooping database write-delay 500 console(config)# console(config)#exit Example #7 Configure an interface as DHCP snooping trusted console(config-if-1/g1)#ip dhcp snooping trus[...]

  • Page 61

    Switching Configuration 61 Example #10 Show DHCP Snooping configuration on VLANs and Ports show ip dhcp snooping binding DHCP snooping is Enabled DHCP snooping source MAC verification is enabled DHCP snooping is enabled on the following VLANs: 1 Interface Trusted Log Invalid Pkts ----------- ---------- ---------------- 1/g1 Yes Yes 1/g2 No N[...]

  • Page 62

    62 Switching Configuration ----------- ---------- ---------------- 1/g15 No No 1/g16 No No 1/g17 No No 1/g18 No No 1/g19 No No 1/g20 No No 1/g21 No No 1/g22 No No 1/g23 No No 1/g24 No No 1/xg3 No No 1/xg4 No No ch1 No No ch2 No No ch3 No No ch4 No No ch5 No No ch6 No No --More-- or (q)uit console#[...]

  • Page 63

    Switching Configuration 63 Example #12 Show DHCP Snooping database configurations console#show ip dhcp snooping database agent url: local write-delay: 500 console# Example #13 Show DHCP Snooping binding entries Total number of bindings: 2 MAC Address IP Address VLAN Interface Type Lease (Secs) ----------------- --------------- --[...]

  • Page 64

    64 Switching Configuration 1/g3 No 15 1 1/g4 No 15 1 1/g5 No 15 1 1/g6 No 15 1 1/g7 No 15 1 1/g8 No 15 1 1/g9 No 15 1 1/g10 No 15 1 1/g11 No 15 1 1/g12 No 15 1 1/g13 No 15 1 1/g14 No 15 1 1/g15 No 15 1 1/g16 No 15 1 1/g17 No 15 1 1/g18 No 15 1 --More-- or (q)uit 1/g19 No 15 1 1/g20 No 15 1 1/g21 No 15 1 1/g22 No 15 1 1/g23 No 15 1 1/g24 No 15 1[...]

  • Page 65

    Switching Configuration 65 ch3 No 15 1 ch4 No 15 1 ch5 No 15 1 ch6 No 15 1 ch7 No 15 1 ch8 No 15 1 ch9 No 15 1 ch10 No 15 1 --More-- or (q)uit console# Example #15 Show DHCP Snooping Per Port Statistics console#show ip dhcp snooping statistics Interface MAC Verify Client Ifc DHCP Server Failures Mismatch Msgs Rec'd ----------- ---------- --[...]

  • Page 66

    66 Switching Configuration 1/g11 0 0 0 1/g12 0 0 0 1/g13 0 0 0 1/g14 0 0 0 1/g15 0 0 0 1/g16 0 0 0 1/g17 0 0 0 1/g18 0 0 0 1/g19 0 0 0 1/g20 0 0 0 --More-- or (q)uit 1/g21 0 0 0 1/g22 0 0 0 1/g23 0 0 0 1/g24 0 0 0 1/xg3 0 0 0 1/xg4 0 0 0 ch1 0 0 0 ch2 0 0 0 ch3 0 0 0 ch4 0 0 0 ch5 0 0 0 ch6 0 0 0 ch7 0 0 0 ch8 0 0 0 ch9 0 0 0 ch10 0 0 0 ch11 0 [...]

  • Page 67

    Switching Configuration 67 ch13 0 0 0 ch14 0 0 0 ch15 0 0 0 ch16 0 0 0 ch17 0 0 0 --More-- or (q)uit sFlow This section describes the sFlow feature. sFlow is the industry standard for monitoring high-speed switched and routed networks. sFlow technology is built into network equipment and gives complete visibility into network act[...]

  • Page 68

    68 Switching Configuration The advantages of using sFlow are: • It is possible to monitor all ports of the switch continuously, with no impact on the distributed switching performance. • Minimal memory/CPU is required. Samples are not aggregated into a flow-table on the switch; they are forwarded immediately over the network [...]

  • Page 69

    Switching Configuration 69 The mechanism involves a counter that is decremented with each packet. When the counter reaches zero a sample is taken. 5. When a sample is taken, the counter indicating how many packets to skip before taking the next sample is reset. The value of the counter is set to a random integer where the sequence of[...]

  • Page 70

    70 Switching Configuration Example #4: Show the sFlow configuration for receiver index 1 console#show sflow 1 destination Receiver Index................................. 1 Owner String................................... site77 Time out....................................... 1529 IP Address:.................................... 30.30.30.1 Ad[...]

  • Page 71

    Switching Configuration 71 Example #6: Show sFlow polling for receiver index 1 console#show sflow 1 polling Poller Receiver Poller Data Source Index Interval ----------- ------- ------- 1/g1 1 200 1/g2 1 200 1/g3 1 200 1/g4 1 200 1/g5 1 200 1/g6 1 200 1/g7 1 200 1/g8 1 200 1/g9 1 200 1/g10 1 200 1/g15 1 400[...]

  • Page 72

    72 Switching Configuration[...]

  • Page 73

    Routing Configuration 73 4 Routing Configuration This section describes configuration scenarios and instructions for the following routing features: • "VLAN Routing" on page 74 • "Virtual Router Redundancy Protocol" on page 77 • "Proxy Address Resolution Protocol (ARP)" on page 80 • "OSPF &[...]

  • Page 74

    74 Routing Configuration VLAN Routing This section provides an example of how to configure PowerConnect 6200 Series software to support VLAN routing. NOTE: The management VLAN cannot be configured as a routing interface. The switch may also be managed via VLAN routing interfaces. CLI Examples The diagram in this section [...]

  • Page 75

    Routing Configuration 75 console(config-vlan)#vlan 10 console(config-vlan)#vlan 20 console(config-vlan)#exit Example 2: Configure the VLAN Members The following code sequence shows an example of adding ports to the VLANs and assigning the PVID for each port. The PVID determines the VLAN ID assigned to untagged frames received on the por[...]

  • Page 76

    76 Routing Configuration Example 3: Set Up VLAN Routing for the VLANs and Assign an IP Address The following code sequence shows how to enable routing for the VLANs and how to configure the IP addresses and subnet masks for the virtual router ports: console#configure console(config)#interface vlan 10 console(config-if-vlan10)#routing con[...]

  • Page 77

    Routing Configuration 77 Virtual Router Redundancy Protocol When an end station is statically configured with the address of the router that will handle its routed traffic, a single point of failure is introduced into the network. If the router goes down, the end station is unable to communicate. Since static configuration is a conveni[...]

  • Page 78

    78 Routing Configuration Configuring VRRP on the Switch as a Master Router 1 Enable routing for the switch. IP forwarding is then enabled by default. console#config console(config)#ip routing 2 Configure the IP addresses and subnet masks for the VLAN routing interface that will participate in the protocol: console(config)#interface v[...]

  • Page 79

    Routing Configuration 79 4 Assign virtual router ID to the interface that will participate in the protocol: console(config)#interface vlan 50 console(config-if-vlan50)#ip vrrp 20 5 Specify the IP address that the virtual router function will recognize. console(config-if-vlan50)#ip vrrp 20 ip 192.150.2.1 6 Set the priority for the interface. As[...]

  • Page 80

    80 Rout ing Configu ration Proxy Ad dress Resolution Protoc ol (ARP) This sectio n describes the P roxy Address Resolution P rotocol ( ARP) featur e. Overview • P roxy ARP allows a router to a nswer ARP requests where the target IP address is n ot t he router itself but a des tinatio n th at t he r outer can reac h. • If a ho st does not know t[...]

  • Page 81

    Rout ing Configu ration 81 Active State................................... Inactive Link Speed Data Rate........................... 10 Half MAC Address.................................... 00FF.F2A3.888A Encapsulation Type............................. Ethernet IP MTU......................................... 1500 OSPF Larger networks typi cally use t[...]

  • Page 82

    82 Rout ing Configu ration A virtual link can be used to connect an ar ea to Area 0 when a direct li nk is not possible. A virtua l link traverses an area between the remote area and Ar ea 0 (see F i gure 4-5). A stub ar ea is an ar ea that does not receive rout es that were learned from a protocol other than OSP F or were statically configur ed. T[...]

  • Page 83

    Rout ing Configu ration 83 External routes ar e those imported into OSPF from other routing pro tocol or processes. OSPF compute s the path cos t differently for external typ e 1 and external type 2 route s. The cos t of an external typ e 1 route is the cost advertis ed in the external LSA plus the path cost from the calculating rout er to the ASBR[...]

  • Page 84

    84 Rout ing Configu ration IPv4 (OSP Fv2) IPv6 (O SPFv3) • Enable routing for the switch : console#config ip routing exit console#config ipv6 unicast-routing exit Enable routing and a ssign IP for VLANs 70, 80 a nd 90. config interface vlan 70 routing ip address 192.150.2.2 255.255.255.0 exit interface vlan 80 routing ip address 192.130.3.1 255.2[...]

  • Page 85

    Rout ing Configu ration 85 Examp le 2: Confi guring Stub an d NSSA Areas In t his exam ple , A rea 0 c o nne cts di rect ly t o tw o o the r are as: Are a 1 i s d efin ed as a s tub area and Area 2 is defined as an NS SA area. NOTE: OSPF v2 and OS PFv3 can ope rate co ncurr ent ly on a ne twor k and on th e same in ter faces ( althou gh th ey do no[...]

  • Page 86

    86 Rout ing Configu ration Figur e 4-4. OSPF Co nfigu rati on—St ub Are a and N SSA Are a Configure Router A : Router A is a backbone router . It li nks to an ASBR (not define d her e) that routes traff ic outs ide the AS . • Globa lly enable IP v6 an d IPv4 rou ting: (console) #configure ipv6 unicast-routing ip routing • Config ure IP addr e[...]

  • Page 87

    Rout ing Configu ration 87 ipv6 address 3000:3:100::/64 eui64 ip ospf area 0.0.0.0 ipv6 ospf exit • Define an OS PF router: ipv6 router ospf router-id 3.3.3.3 exit router ospf router-id 3.3.3.3 exit exit Configure Router B: Rout er B is a ABR that c onnec ts Ar ea 0 t o Ar eas 1 and 2. • Configure IPv6 and IPv 4 routing. T he static rou tes are[...]

  • Page 88

    88 Rout ing Configu ration • F or IPv4: Defin e an OSPF ro uter . Define Ar ea 1 as a stub. En able OSPF for IPv4 on VLANs 10, 5, and 17 by globally d efining the ra nge of IP addresses associated with ea ch interface, an d then associating those ranges with A reas 1, 0, and 17, respectively . Th en, configure a met ric cost to associate wit h st[...]

  • Page 89

    Rout ing Configu ration 89 Exa mple 3: Conf iguring a V irtual Link In this e xample, Ar ea 0 connects dire ctly to Area 1. A virtual link is defined tha t traverses Area 1 and connects to Area 2. F igur e 4-5 illustrates this example OSPF configurati on. Figure 4 -5. OS PF Configura tion—Virt ual Link Configure Router A : Router A is a backbone [...]

  • Page 90

    90 Rout ing Configu ration router ospf router-id 3.3.3.3 network 10.2.3.0 0.0.0.255 area 0.0.0. 0 exit exit Configure Router B: Router B is a A BR that dire ctly connects Area 0 to Area 1. In addit ion to the configuration steps described in the prev ious example, we define a virtual link that trav erse s Area 1 to Router C (5.5.5.5). (console)#con[...]

  • Page 91

    Rout ing Configu ration 91 routing ip address 10.1.2.1 255.255.255.0 ipv6 address 3000:1:2::/64 eui64 ipv6 ospf ipv6 ospf areaid 1 exit interface vlan 11 routing ip address 10.1.101.1 255.255.255.0 ipv6 address 3000:1:101::/64 eui64 ipv6 ospf ipv6 ospf areaid 2 exit ipv6 router ospf router-id 5.5.5.5 area 0.0.0.1 virtual-link 4.4.4.4 exit router os[...]

  • Page 92

    92 Rout ing Configu ration Routing Inform ation Protocol Routing Information Pr otocol (RIP) is one of the proto cols which may be used by routers to ex change network topology informat ion. It is characterized as an “interior ” gateway protocol, and is typically used in small to medium-sized networks. RIP Configu ration A router running RIP se[...]

  • Page 93

    Rout ing Configu ration 93 CLI Examp les The configuration co mmands used in the following example enabl e RIP on ports vlan 2 and vlan 3 as shown in the network illustrated in F igur e 4-6. Figur e 4-6. Port Rou tin g Examp le Netw ork Di agra m Example #1: Enable Routing for the Switch The following sequence enables routi ng for the switch: conso[...]

  • Page 94

    94 Rout ing Configu ration Exam ple #3. Enab le RIP for the Switch The next sequence enables RIP for the swit ch. The route preference defaults to 15. console#config router rip enable exit exit Exam ple # 4. Enab le RI P fo r the VLA N Ro utin g I nterfa ces This command sequence enables RIP for VLAN 2 and VLAN 3. Authentication defaults to none, a[...]

  • Page 95

    Rout ing Configu ration 95 Route Preferenc es Y ou can use route preference assignment to control how the router chooses which routes to use when alternativ es exis t. This secti on describes thr ee uses of route prefer e nce assignme nt: • "Assigning Admin istrative P refer ences to Routing Pr otocols" on page 95 • "Using E qual[...]

  • Page 96

    96 Rout ing Configu ration Exam ple 1 : Co nfig ure Admini st rativ e Pr efere nce s The following commands configure the administrative pr eference for the RIP and OSPF : console#Config router rip distance rip 130 exit F or OSPF , an a dditional p arameter ident ifies the t ype of OSPF route t hat the preference value appli es to: router ospf dist[...]

  • Page 97

    Rout ing Configu ration 97 Using E qual Cost Multipath The equal cost multipath (ECMP) feat ure allows a ro uter to use mor e than one next hop to forward packets to a given destination prefix. I t can be used to promote a mor e optimal use of network r esources and bandwidth . A router that does not use ECM P forwards all packet s to a given desti[...]

  • Page 98

    98 Rout ing Configu ration Routing protocols can also be configur ed to compute ECMP routes. F or example, r eferring t o F igure 4-8, if OSPF were configur ed in on both links connecting Router A and Router B, and if Router B advertised its connectio n to 20.0.0.0/8 , then Ro uter A could comp ute an OSPF rout e to 20.0.0.0/8 with next hops of 10.[...]

  • Page 99
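
The route-selection behaviour described on pages 95 to 98, as an added worked example that is not part of the Dell manual: a small Python routing table that applies administrative preference across protocols (RIP raised to 130 with "distance rip 130", OSPF assumed at 110, RIP's default 15 kept for comparison), keeps equal-cost routes from the winning protocol as an ECMP set, and pins each flow to one next hop with a hash of the 5-tuple so packets of a flow are not reordered across the parallel paths. The prefix, metrics and next-hop addresses are constructed for the example.

```python
"""Route preference and ECMP next-hop selection.

Added illustration, not code from the Dell manual: a toy routing table that
chooses routes the way pages 95-98 describe. The lowest administrative
preference wins across protocols; equal-cost routes from the winning protocol
form an ECMP set; and a flow hash picks one member so every packet of a flow
takes the same path. Prefix, next-hop and metric values are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# RIP defaults to preference 15 on this platform (page 94) and is raised to
# 130 on page 96 with "distance rip 130". The value 110 for OSPF is assumed.
PREFERENCE_AFTER_PAGE_96: Dict[str, int] = {"rip": 130, "ospf": 110}
PREFERENCE_DEFAULT: Dict[str, int] = {"rip": 15, "ospf": 110}


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str
    metric: int
    next_hop: str


def select_best(routes: List[Route], prefs: Dict[str, int]) -> List[Route]:
    """All routes for one prefix that share the lowest (preference, metric).

    More than one result means the prefix has an ECMP set of next hops.
    """
    if not routes:
        return []

    def rank(r: Route):
        return (prefs[r.protocol], r.metric)

    best = min(rank(r) for r in routes)
    return sorted((r for r in routes if rank(r) == best), key=lambda r: r.next_hop)


def pick_next_hop(ecmp: List[Route], src: str, dst: str,
                  proto: int = 0, sport: int = 0, dport: int = 0) -> str:
    """Hash the 5-tuple so one flow is pinned to one next hop (no reordering)."""
    if not ecmp:
        raise ValueError("no route")
    flow = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
    idx = int.from_bytes(hashlib.sha256(flow).digest()[:4], "big") % len(ecmp)
    return ecmp[idx].next_hop


def demo_routes() -> List[Route]:
    # Constructed: Router A learns 20.0.0.0/8 from Router B over two parallel
    # links via OSPF (equal cost) and also hears it from a RIP neighbour.
    return [
        Route("20.0.0.0/8", "ospf", 20, "10.1.1.2"),
        Route("20.0.0.0/8", "ospf", 20, "10.1.2.2"),
        Route("20.0.0.0/8", "rip", 2, "10.1.3.2"),
    ]


if __name__ == "__main__":
    ecmp = select_best(demo_routes(), PREFERENCE_AFTER_PAGE_96)
    print([r.next_hop for r in ecmp])
    print(pick_next_hop(ecmp, "10.0.0.5", "20.1.2.3", 6, 40000, 443))
```

With the page-96 preferences the two OSPF routes win and form the ECMP set; with RIP left at its default of 15 the single RIP route wins despite OSPF's two paths, which is the point of raising RIP's distance before enabling both protocols on the same prefixes.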

Routing Configuration 99
Loopback Interfaces
PowerConnect 6200 Series software provides for the creation, deletion, and management of loopback interfaces. A loopback interface is a software-only interface that is not associated with a physical location; as such it is not dependent on the physical status of a particular router interfa[...]

100 Routing Configuration
  IP MTU......................................... 1500
  Bandwidth...................................... 100000 kbps
  Destination Unreachables....................... Enabled
  ICMP Redirects................................. Enabled
To delete a loopback interface, enter the following command from the Global Config mode:
  co[...]

Routing Configuration 101
Table 4-1. Default Ports - UDP Port Numbers Implied By Wildcard
The switch limits the number of relay entries to four times the maximum number of VLAN routing interfaces (512 relay entries). There is no limit to the number of relay entries on an individual interface, and no limit to the number of servers f[...]

102 Routing Configuration
The relay agent only relays packets that meet the following conditions:
• The destination MAC address must be the all-ones broadcast address (FF:FF:FF:FF:FF:FF).
• The destination IP address must be the limited broadcast address (255.255.255.255) or a directed broadcast address for the receive int[...]

Routing Configuration 103
Example 5: Enable IP Helper on a VLAN Routing Interface to a Server (DHCP and DNS)
To relay DHCP and DNS packets to 192.168.30.1, use the following commands:
  console(config-if-vlan100)#ip helper-address 192.168.30.1 dhcp
  console(config-if-vlan100)#ip helper-address 192.168.30.1 domain
Example 6: Enable IP [...]

104 Routing Configuration
Example 7: Show IP Helper Configurations
The following command shows IP Helper configurations:
  console#show ip helper-a
  IP helper is enabled
  Interface  UDP Port  Discard  Hit Count  Server Address
  ---------  --------  -------  ---------  --------------
  vlan 100   domain    No       0          192.168.30.1
  vlan 100   dhc[...]

Device Security 105
5 Device Security
This section describes configuration scenarios for the following features:
• "802.1x Network Access Control" on page 106
• "802.1X Authentication and VLANs" on page 109
• "Authentication Server Filter Assignment" on page 111
• "Access Control Li[...]

106 Device Security
802.1x Network Access Control
Port-based network access control allows the operation of a system's port(s) to be controlled to ensure that access to its services is permitted only by systems that are authorized to do so. Port Access Control provides a means of preventing unauthorized access by supplicants or users t[...]

Device Security 107
Figure 5-1. Switch with 802.1x Network Access Control
If a user, or supplicant, attempts to communicate via the switch on any interface except interface 1/g1, the system challenges the supplicant for login credentials. The switch relays the supplicant's credentials to the RADIUS server (the 802.1X EAP exchange is carried inside RADIUS; the switch does not itself encrypt it). If the R[...]

108 Device Security
Example #2: MAC-Based Authentication Mode
The PowerConnect 6200 Series switches support MAC-based 802.1X authentication. This feature allows multiple hosts to authenticate on a single port. The hosts are distinguished by their MAC addresses. When multiple hosts (for example, a PC, a printer, and a phone in the[...]

Device Security 109
802.1X Authentication and VLANs
The PowerConnect 6200 Series switches allow a port to be placed into a particular VLAN based on the result of the type of 802.1X authentication a client uses when it accesses the switch. The RADIUS server or IEEE 802.1X Authenticator can provide information to the switch about which VLAN to[...]

110 Device Security
...VLAN and the port is moved to the authorized state, allowing access to the client. However, if the port is in MAC-based 802.1X authentication mode, it will not move to the authorized state. MAC-based mode makes it possible for both authenticated and guest cli[...]

Device Security 111
Authentication Server Filter Assignment
The PowerConnect 6200 Series switches allow the external 802.1X Authenticator or RADIUS server to assign DiffServ policies to users that authenticate to the switch. When a host (supplicant) attempts to connect to the network through a port, the switch contacts the 802.1X [...]

112 Device Security
Ingress ACLs support Flow-based Mirroring and ACL Logging, which have the following characteristics:
• Flow-based mirroring is the ability to mirror traffic that matches a permit rule to a specific physical port or LAG. Flow-based mirroring is similar to the redirect function, except that in flow-based mirr[...]

Device Security 113
Egress ACL Limitations
Egress ACLs have some additional limitations. The following limitations apply to egress ACLs only:
• Egress ACLs support IP Protocol/Destination, IP Address Source/Destination, L4 Source/Destination port, IP DSCP, IP ToS, and IP precedence match conditions only.
• MAC ACLs are not s[...]

114 Device Security
IP ACLs
IP ACLs classify for Layers 3 and 4. Each ACL is a set of up to ten rules applied to inbound traffic. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network, and may apply to one or more of the following fields within a packet:
• Destination IP wit[...]

Device Security 115
IP ACL CLI Example
The script in this section shows you how to set up an IP ACL with two rules, one applicable to TCP traffic and one to UDP traffic. The content of the two rules is the same. TCP and UDP packets will only be accepted by the PowerConnect 6200 Series switch if the source and destination stations[...]

116 Device Security
Step 1: Create an ACL and Define an ACL Rule
This command creates an ACL named list1 and configures a rule for the ACL. After the mask has been applied, it permits packets carrying TCP traffic that matches the specified Source IP address, and sends these packets to the specified Destination IP address.
  console#conf[...]
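
The matching semantics behind the IP ACL on pages 114 to 116, as an added worked example that is not code from the Dell manual: a Python model of an inbound IP ACL in which rules are tested in order, the first match decides, a packet matching nothing is dropped by the implicit deny, wildcard masks select the bits that matter, and the ten-rule limit is enforced. The rule addresses (192.168.77.0 with wildcard 0.0.0.255 to host 192.168.77.3) and the test packets are constructed; they stand in for whatever list1 permits on the page.

```python
"""First-match evaluation of an inbound IP ACL with wildcard masks.

Added illustration, not code from the Dell manual: models how an IP ACL such
as list1 on pages 115-116 is applied to inbound packets. Rules are tested in
order and the first match decides; a packet that matches no rule is dropped
(implicit deny); a list holds at most ten rules (page 114). The rule
addresses below are constructed, not the manual's.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_RULES = 10  # per-ACL rule limit stated on page 114


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask semantics: a 1 bit means 'do not care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "ip" (any protocol)
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None  # None matches any L4 destination port

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ip" and pkt.get("proto") != self.proto:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wild):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wild):
            return False
        return self.dport is None or pkt.get("dport") == self.dport


class IpAcl:
    def __init__(self, name: str, rules: List[Rule]):
        if len(rules) > MAX_RULES:
            raise ValueError(f"{name}: more than {MAX_RULES} rules")
        self.name = name
        self.rules = list(rules)

    def evaluate(self, pkt: Dict) -> Tuple[str, int]:
        """Return (action, index of deciding rule); -1 marks the implicit deny."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, i
        return "deny", -1


def list1() -> IpAcl:
    """Constructed analogue of list1: one TCP and one UDP rule with the same
    source/destination contents, as the page describes; nothing else passes."""
    return IpAcl("list1", [
        Rule("permit", "tcp", "192.168.77.0", "0.0.0.255", "192.168.77.3", "0.0.0.0"),
        Rule("permit", "udp", "192.168.77.0", "0.0.0.255", "192.168.77.3", "0.0.0.0"),
    ])


if __name__ == "__main__":
    acl = list1()
    for pkt in (
        {"proto": "tcp", "src": "192.168.77.10", "dst": "192.168.77.3", "dport": 22},
        {"proto": "icmp", "src": "192.168.77.10", "dst": "192.168.77.3"},
    ):
        print(pkt, "->", acl.evaluate(pkt))
```

The ICMP case is the one operators tend to miss: because the two rules name TCP and UDP explicitly, ping and every other protocol between the same hosts fall through to the implicit deny, so a third rule is needed if that traffic is wanted.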

Device Security 117
Step 4: Viewing the MAC ACL Information
  console#show mac access-lists
  Current number of all ACLs: 2
  Maximum number of all ACLs: 100
  MAC ACL Name  Rules  Interface(s)  Direction
  ------------  -----  ------------  ---------
  mac1          1      1/g5          Inbound
  console#show mac access-lists mac1
  MAC ACL Name: mac1
  Rul[...]

118 Device Security
...attributes containing configuration information. If the server rejects the user, it returns a negative result. If the server rejects the client or the shared "secrets" differ, the server returns no result. If the server requires additional verification from the user, it returns a challenge, and the request pro[...]

Device Security 119
Figure 5-3. RADIUS Servers in a Network
When a user attempts to log in, the switch prompts for a username and password. The switch then attempts to communicate with the primary RADIUS server at 10.10.10.10. Upon successful connection with the server, the login credentials are sent with the password hidden using the shared secret; RADIUS does not otherwise encrypt the exchange. The se[...]
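
The role of the shared secret in the RADIUS exchange on pages 118 and 119, as an added worked example that is not code from the Dell manual: the RFC 2865 password-hiding transform the NAS applies to User-Password, and the Response Authenticator the server puts on its Access-Accept or Access-Reject. Both are MD5 constructions keyed by the shared secret, so a NAS configured with a different secret than the server cannot validate the reply and drops it, which is the "no result" outcome the page describes. The secret, password and Request Authenticator bytes are constructed.

```python
"""What the RADIUS shared secret does and does not protect (RFC 2865).

Added illustration, not code from the Dell manual: reproduces the two places
the shared secret enters the exchange described on pages 118-119. The NAS
hides User-Password as password XOR MD5(secret || Request Authenticator),
chained per 16-byte block, and the server signs its reply with a Response
Authenticator = MD5(Code || ID || Length || Request Authenticator ||
Attributes || secret). A NAS whose secret differs from the server's cannot
validate the reply and discards it. Nothing else in the packet is encrypted.
Secrets and passwords here are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of the same transform (trailing NUL padding removed)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_response(code: int, ident: int, req_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Server side: Accept/Reject/Challenge with its Response Authenticator."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the authenticator; False means drop the reply."""
    if len(packet) < HEADER_LEN:
        return False
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    _code, _ident, length = struct.unpack("!BBH", head)
    if length != len(packet):
        return False
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret, wrong = b"switch-radius-secret", b"typo"
    req_auth = bytes(range(16))  # constructed; a real NAS uses 16 random bytes
    hidden = hide_password(b"correct horse", secret, req_auth)
    print(unhide_password(hidden, secret, req_auth))
    reply = build_response(ACCESS_ACCEPT, 7, req_auth, bytes([18, 4]) + b"ok", secret)
    print(verify_response(reply, req_auth, secret), verify_response(reply, req_auth, wrong))
```

The practical consequences: the username and every other attribute travel in the clear, the password hiding is only as strong as the secret and the randomness of the Request Authenticator, and a mismatched secret shows up on the switch as a timeout rather than a rejection, so "no result" after a secret change usually means the two sides disagree on the secret, not that the server is down.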

120 Device Security
Example #2: Set the NAS-IP Address for the RADIUS Server
The NAS-IP-Address attribute identifies the IP address of the network access server (NAS) that is requesting authentication of the user. The address should be unique to the NAS within the scope of the RADIUS server. The NAS-IP-Address is only used in Ac[...]

Device Security 121
Figure 5-4. PowerConnect 6200 Series Switch with TACACS+
When a user attempts to log into the switch, the NAS or switch prompts for a username and password. The switch attempts to communicate with the highest priority configured TACACS+ server at 10.10.10.10. Upon successful connection with the server, the swi[...]

122 Device Security
802.1x MAC Authentication Bypass (MAB)
MAB is a supplemental authentication mechanism that allows 802.1x-unaware clients, such as printers and fax machines, to authenticate to the network using the client MAC address as an identifier. The known and allowable MAC address and corresponding access rights o[...]

Device Security 123
Figure 5-5. MAB Operation – Authentications Based on MAC Address in Database
CLI Examples
Example 1: Enable/Disable MAB
To enable/disable MAB on interface 1/g5, use the following commands:
  console(config-if-1/g5)#dot1x mac-auth-bypass
  console(config-if-1/g5)#no dot1x mac-auth-bypass
[...]

124 Device Security
Example 2: Show MAB Configuration
To show the MAB configuration for interface 1/g5, use the following command:
  console#show dot1x ethernet 1/g5
  Administrative Mode............... Enabled
  Port  Admin Mode  Oper Mode  Reauth Control  Reauth Period
  ----  ----------  ---------  --------------  -------------
  1/g5  mac-based   Aut[...]

Device Security 125
Captive Portal
Overview
The Captive Portal feature is a software implementation that allows client access only on user verification. Verification can be configured to allow access for guest and authenticated users. Users must be validated against a database of authorized captive portal users locally or through a RADIUS c[...]

126 Device Security
In the unknown state, the CP doesn't redirect HTTP/S traffic to the switch, but queries the switch to determine whether the client is authenticated or unauthenticated. In the Unauthenticated state, the CP directs the HTTP/S traffic to the switch to allow the client to authenticate with the switch. O[...]

Device Security 127
All new captive portal instances are also assigned to the "Default" group. The administrator can create new groups and modify the user/group association to only allow a subset of users access to a specific captive portal instance. Network access is granted upon successful verification of user credentials. A re[...]

128 Device Security
In response to the request, the authenticated user is removed from the connection status tables. If the client logout request feature is not enabled, or the user does not specifically request logout, the connection status remains authenticated until Captive Portal deauthenticates (session timeout, idle time, e[...]

Device Security 129
Captive Portal Statistics
Client session statistics are available for both guest and authenticated users. Client statistics are used to enforce the idle timeout and other limits configured for the user and captive portal instance. Client statistics may not be cleared by the administrator since this would aff[...]

130 Device Security
  console#show captive-portal
  Administrative Mode....................... Enabled
  Operational Status........................ Enabled
  Disable Reason............................ Administrator Disabled
  Captive Portal IP Address................. 1.2.3.4
Example 6: Show Captive Portal Instances
To show the status of all Captive [...]

Device Security 131
Example 7: Modify the Default Captive Portal Configuration (Change Verification Method to Local)
To change the verification method to local, use the following command:
  console(config-CP 1)#verification local
To view the configuration change, use the following command:
  console#show captive-portal configuration 1 status
  C[...]

132 Device Security
To create a local user, use the following command:
  console(Config-CP)#user 1 name user1
  console(config-CP)#user 1 password
  Enter password (8 to 64 characters): ********
  Re-enter password: ********
  console(Config-CP)#user 1 session-timeout 14400
To verify the creation of a local user, use the following command:
  console#show[...]

Device Security 133
  Interface  Interface Description                      Operational Status  Block Status
  ---------  -----------------------------------------  ------------------  ------------
  1/g18      Unit: 1 Slot: 0 Port: 18 Gigabit - Level   Disabled            Not Blocked
To view the status of a captive client (connected to 1/g18), use the following command:
  console#show captive-port[...]

IPv6 135
6 IPv6
This section includes the following subsections:
• "Overview" on page 135
• "Interface Configuration" on page 135
Overview
There are many conceptual similarities between IPv4 and IPv6 network operation. Addresses still have a network prefix portion (subnet) and a device interface specific portion (host[...]

136 IPv6
• Allocated from part of the IPv6 unicast address space
• Not visible off the local link
• Not globally unique
Next hop addresses computed by routing protocols are usually link-local. During a transition period, a global IPv6 Internet backbone may not be available. The solution to this is to tunnel IPv6 packets inside IP[...]

IPv6 137
  ip ospf area 0.0.0.0
  exit
  interface vlan 2
  routing
  ipv6 enable
  ipv6 address 2020:1::1/64
  ipv6 ospf
  ipv6 ospf network point-to-point
  exit
  interface tunnel 0
  ipv6 address 2001::1/64
  tunnel mode ipv6ip
  tunnel source 20.20.20.1
  tunnel destination 10.10.10.1
  ipv6 ospf
  ipv6 ospf network point-to-point
  exit
  interface loopback 0
  ip address 1.1.1.1[...]

138 IPv6
  ipv6 address 2020:2::2/64
  ipv6 ospf
  ipv6 ospf network point-to-point
  exit
  interface tunnel 0
  ipv6 address 2001::2/64
  tunnel mode ipv6ip
  tunnel source 10.10.10.1
  tunnel destination 20.20.20.1
  ipv6 ospf
  ipv6 ospf network point-to-point
  exit
  interface loopback 0
  ip address 2.2.2.2 255.255.255.0
  exit
  exit

Quality of Service 139
7 Quality of Service
This section includes the following subsections:
• "Class of Service Queuing" on page 139
• "Differentiated Services" on page 143
Class of Service Queuing
The Class of Service (CoS) feature lets you give preferential treatment to certain types of traffic over others. To [...]

140 Quality of Service
CoS Mapping Table for Trusted Ports
Mapping is from the designated field values on trusted ports' incoming packets to a traffic class priority (actually a CoS traffic queue). The trusted port field-to-traffic class configuration entries form the Mapping Table the switch uses to direct ingress packets from[...]

Quality of Service 141
Figure 7-1. CoS Mapping and Queue Configuration
Continuing this example, you configured the egress Port 1/g8 for strict priority on queue 6, and set a weighted scheduling scheme for queues 5-0. Assuming queue 5 has a higher weighting than queue 1 (relative weight values shown as a percentage, with 0% indicati[...]

142 Quality of Service
Figure 7-2. CoS Configuration Example System Diagram
You will configure the ingress interface uniquely for all cos-queue and VLAN parameters.
  console#config
  interface ethernet 1/g10
  classofservice trust dot1p
  classofservice dot1p-mapping 6 3
  vlan priority 2
  exit
  interface ethernet 1/g8
  cos-queue min-bandwidth 0 0[...]

Quality of Service 143
Differentiated Services
Differentiated Services (DiffServ) is one technique for implementing Quality of Service (QoS) policies. Using DiffServ in your network allows you to directly configure the relevant parameters on the switches and routers rather than using a resource reservation protocol. This section explains how[...]

144 Quality of Service
CLI Example
This example shows how a network administrator can provide equal access to the Internet (or other external network) to different departments within a company. Each of four departments has its own /24 subnet within 172.16.0.0/16 that is allocated 25% of the available bandwidth on the port accessing the Internet. Figure[...]

Quality of Service 145
  match srcip 172.16.20.0 255.255.255.0
  exit
  class-map match-all test_dept
  match srcip 172.16.30.0 255.255.255.0
  exit
  class-map match-all development_dept
  match srcip 172.16.40.0 255.255.255.0
  exit
Create a DiffServ policy for inbound traffic named internet_access, adding the previously created department classes as in[...]

146 Quality of Service
Set the CoS queue configuration for the (presumed) egress interface 1/g5 such that each of queues 1, 2, 3 and 4 gets a minimum guaranteed bandwidth of 25%. All queues for this interface use weighted round robin scheduling by default. The DiffServ inbound policy designates that these queues are to be used for the depar[...]

Quality of Service 147
Figure 7-4. DiffServ VoIP Example Network Diagram

148 Quality of Service
Example #2: Configuring DiffServ VoIP Support
Enter Global Config mode. Set queue 6 on all ports to use strict priority mode. This queue shall be used for all VoIP packets. Activate DiffServ for the switch.
  console#config
  cos-queue strict 6
  diffserv
Create a DiffServ classifier named class_voip and define a single [...]

Multicast 149
8 Multicast
This section provides configuration scenarios for the following features:
• "IGMP Configuration" on page 150
• "IGMP Proxy" on page 151
• "DVMRP" on page 152
• "PIM" on page 154
• "Multicast Routing and IGMP Snooping" on page 157 [...]

150 Multicast
When to Enable IP Multicast on the PowerConnect 6200 Series Switch
Use the IP multicast feature on the PowerConnect 6200 Series switch to route multicast traffic between VLANs on the switch. If all hosts connected to the switch are on the same subnet, there is no need to configure the IP multicast feature. If the switch[...]

Multicast 151
IGMP Proxy
IGMP proxy enables a multicast router to learn multicast group membership information and forward multicast packets based upon the group membership information. The IGMP Proxy is capable of functioning only in certain topologies that do not require Multicast Routing Protocols (i.e., DVMRP, PIM-DM, and PIM-SM[...]

152 Multicast
Example #2: View IGMP Proxy Configuration Data
You can use various commands from Privileged EXEC or User EXEC modes to show IGMP proxy configuration data.
• Use the following command to display a summary of the host interface status parameters. It displays the parameters only when IGMP Proxy is enabled.
  console#show [...]

Multicast 153
CLI Example
The following example configures two DVMRP interfaces. First, this example configures an OSPF router 1 and globally enables IP routing and IP multicast. IGMP is globally enabled so that this router can manage group membership information for its directly-connected hosts (IGMP may not be required when there are no [...]

154 Multicast
PIM
Protocol Independent Multicast (PIM) is a standard multicast routing protocol that provides scalable inter-domain multicast routing across the Internet, independent of the mechanisms provided by any particular unicast routing protocol. PIM has two types:
• PIM-Dense Mode (PIM-DM)
• PIM-Sparse Mode (PIM-SM)
PIM-S[...]

Multicast 155
Example: PIM-SM
The following example configures PIM-SM for IPv4 on a router. First, configure an OSPF 1 router and globally enable IP routing, multicast, IGMP, and PIM-SM. Next, configure a PIM-SM rendezvous point with an IP address and group range. The IP address will serve as an RP for the range of potential multicast [...]

To minimize the repeated flooding of datagrams and subsequent pruning associated with a particular source-group (S,G) pair, PIM-DM uses a State Refresh message. This message is sent by the router(s) directly connected to the source and is propagated throughout the network. When received by a router on its RPF interface, the State Refresh m[...]

Multicast 157
Multicast Routing and IGMP Snooping
In this example, ports 1/g5 and 1/g10 are members of VLAN 100, and port 1/g15 is a member of VLAN 200. Both VLANs are configured as VLAN routing interfaces and are in different subnets. IGMP snooping is configured on VLAN 100 so that a member port will receive multicast da[...]

158 Multicast
8 Globally enable IGMP snooping, IP multicast, IGMP, and PIM-DM on the switch.
  console(config)# ip igmp snooping
  console(config)# ip multicast
  console(config)# ip igmp
  console(config)# ip pimdm
NOTE: Only one multicast routing protocol (PIM-SM, PIM-DM, or DVMRP) can be enabled globally on the switch at a time.
9 Co[...]

Multicast 159
  console#show ip igmp
  IGMP Admin Mode................................ Enabled
  IGMP Router-Alert check........................ Disabled
  IGMP INTERFACE STATUS
  Interface  Interface-Mode  Operational-Status
  ---------  --------------  ------------------
  vlan 100   Enabled         Operational
  vlan 200   Enabled         Operational
The host connected to interface 1/[...]

Utility 161
9 Utility
This section describes the following features:
• "Auto Config" on page 162
• "Nonstop Forwarding on a Switch Stack" on page 168

162 Utility
Auto Config
Overview
Auto Config is a software feature that automatically configures a switch when the device is initialized and no configuration file is found on the switch. Auto Config is accomplished in three phases:
1 Assignment (configuration) of an IP address for the device
2 Assignment of a TFTP server
3 Obtaining a [...]

Utility 163
– The hostname of the TFTP server (option 66 or sname). Either the TFTP address or name is specified (not both) in most network configurations. If a TFTP hostname is given, a DNS server is required to translate the name to an IP address.
– The IP address of the TFTP server (option 150).
– The address of the TFTP serv[...]

164 Utility
Once a hostname has been determined, the switch then issues a TFTP request for a file named "<hostname>.cfg", where <hostname> is the first 32 characters of the switch's hostname. If the switch is unable to map its IP address to a hostname, Auto Config sends TFTP requests for the default configurati[...]
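
The DHCP inputs that drive Auto Config on pages 162 to 164, as an added worked example that is not code from the Dell manual: a Python parser for the option area of a DHCP reply that recovers the TFTP server by name (option 66, falling back to the fixed sname field) or by address (option 150) and the bootfile name (option 67), then derives the configuration file names the page says the switch will request, "<hostname>.cfg" with the hostname cut to 32 characters and then the default file. The sample packets, the host and server names, the default file name "default.cfg" and the choice to prefer option 150 over option 66 are all constructed for this example; the manual does not state that preference.

```python
"""Recover the Auto Config inputs from a DHCP reply (pages 162-164).

Added illustration, not code from the Dell manual: parses the DHCP option
area (RFC 2132 TLVs after the magic cookie) to find the TFTP server the
switch should use, by name (option 66, falling back to the sname field) or by
address (option 150), and the bootfile name (option 67); then lists the
configuration file names the page says the switch requests: "<hostname>.cfg"
with the hostname cut to 32 characters, then the default file. The packet
bytes, host names and default file name below are constructed; preferring
option 150 over 66 is an assumption of this example.
"""
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_TFTP_NAME, OPT_BOOTFILE, OPT_TFTP_ADDRS, OPT_END = 0, 53, 66, 67, 150, 255
SNAME = slice(44, 108)   # fixed 64-byte server host name field
OPTIONS_START = 240      # 236 bytes of fixed fields + 4-byte magic cookie


def parse_options(msg: bytes) -> Dict[int, bytes]:
    """Return {code: value} from a BOOTP/DHCP message that starts at 'op'."""
    if len(msg) < OPTIONS_START or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, OPTIONS_START
    while i < len(msg):
        code = msg[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(msg):
            raise ValueError("truncated option header")
        length = msg[i + 1]
        value = msg[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def tftp_server(msg: bytes) -> Optional[str]:
    """Server by address (option 150), else by name (option 66), else sname."""
    opts = parse_options(msg)
    addrs = opts.get(OPT_TFTP_ADDRS, b"")
    if len(addrs) >= 4:
        return ".".join(str(b) for b in addrs[:4])
    if OPT_TFTP_NAME in opts:
        return opts[OPT_TFTP_NAME].decode("ascii", "replace")
    sname = msg[SNAME].split(b"\x00", 1)[0]
    return sname.decode("ascii", "replace") or None


def config_file_candidates(hostname: Optional[str], default_name: str) -> List[str]:
    """Files requested in order: <hostname>.cfg (first 32 chars), then the default."""
    if not hostname:
        return [default_name]
    return [hostname[:32] + ".cfg", default_name]


def build_sample_reply(mode: str) -> bytes:
    """Constructed DHCPACK; 'mode' selects how the TFTP server is advertised."""
    def tlv(code: int, value: bytes) -> bytes:
        return bytes([code, len(value)]) + value

    fixed = bytearray(236)
    fixed[0] = 2                                   # op = BOOTREPLY
    if mode == "sname":
        name = b"tftp.lab"
        fixed[44:44 + len(name)] = name
    opts = tlv(OPT_MSG_TYPE, b"\x05")              # DHCP Message Type = ACK
    opts += tlv(OPT_BOOTFILE, b"switch01.cfg")
    if mode == "name":
        opts += tlv(OPT_TFTP_NAME, b"tftp.lab")
    elif mode == "addr":
        opts += tlv(OPT_TFTP_ADDRS, bytes([192, 0, 2, 10]))
    return bytes(fixed) + MAGIC_COOKIE + opts + bytes([OPT_PAD, OPT_END])


if __name__ == "__main__":
    for mode in ("addr", "name", "sname"):
        print(mode, "->", tftp_server(build_sample_reply(mode)))
    print(config_file_candidates("core-access-switch-building-7-floor-3", "default.cfg"))
```

Worth noting for anyone auditing a provisioning VLAN: everything this parser recovers arrives unauthenticated from whichever DHCP server answers first, and the file it names is then fetched over TFTP, so a rogue DHCP or TFTP responder on the segment can hand the switch its startup configuration.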

    Utility 165 Host-Sp ecific Config File Not Fo und If the A uto Config process fa ils to download a co nfiguration fil e, a message is logged. If a final configuration file is not downloaded , as described in T able 9-1, the A uto Config procedure continues to issue TFTP broadcast requests . The frequency of the broadcasts is once pe r 10 minute per[...]

  • Page 166

    166 Utility Depend ency U pon O ther N etwor k Ser vices The Auto Config process depends upon the following network services: • A DHCP or B OOTP serve r must be con figured on the network with appropriate services. • A configurat ion file for the switch mu st be availa ble from a TFTP serve r on the ne twor k. • The sw itch must be conn ected[...]

  • Page 167

    Utility 167 TFTP Clie nt The TFTP client downloads configur at ion files and sends TFTP requests to the broadc ast IP addr ess (255.255 .255.255). DNS C lient T h e DN S c l i en t re s ol ve s a n I P a d d r e s s t o a h os tn am e a n d re so lv e s a h o s t n am e t o a n I P a d d re ss ( re v e r s e I P addr ess to hostname mapp ing). BOOT[...]

  • Page 168

    168 Utility Nonstop Forwa rding on a Switch Stack Networking device s, such as the P owerCo nnect 6200 Series switches, are often described in terms of three semi-independent functions called the forwarding plane, the control plane, and the management plane. The forwarding plane forwards data pack ets and is implemented in hardware. The control pla[...]

  • Page 169

    Utility 169 NOTE: The sw itch ca nnot gu arantee th at a ba ckup un it has e xactly th e same data that the man agement unit has when it fails. For ex ample, the manag ement un it might fail be fore the c heckpoin t servic e gets data to th e backu p if an eve nt occurs sho rtly before a f ailover . T able 9-3 lists the appl icatio ns on the switc [...]

  • Page 170

    Switch Stack MAC Addressing and Stack Design Considerations The switch stack uses the MAC addresses¹ assigned to the management unit. If the backup unit assumes control due to a management unit failure or warm restart, the backup unit continues to use the original management unit's MAC addresses. This reduces the amount of di[...]

  • Page 171

    Configuration Examples The actual configuration of the feature is simple. NSF is either enabled or disabled. The examples in this section describe how the NSF feature acts in various environments and with various switch applications. Data Center Figure 9-1 illustrates a data center scenario, where the stack of two PowerConne[...]

  • Page 172

    VoIP Figure 9-2 shows how nonstop forwarding maintains existing voice calls during a management unit failure. Assume the top unit is the management unit. When the management unit fails, the call from phone A is immediately disconnected. The call from phone B continues. On the uplink, the forwarding plane removes the failed L[...]

  • Page 173

    Figure 9-3. NSF and DHCP Snooping If the management unit fails, all hosts connected to that unit lose network access until that unit reboots. The hardware on surviving units continues to enforce source filters (IPSG) installed prior to the failover. Valid hosts continue to communicate normally. During the failover, the hardwa[...]

  • Page 174

    Storage Access Network Scenario Figure 9-4 illustrates a stack of three PowerConnect 6200 Series switches connecting two servers (iSCSI initiators) to a disk array (iSCSI targets). There are two iSCSI connections as follows: Session A: 10.1.1.10 to 10.1.1.3; Session B: 10.1.1.11 to 10.1.1.1. An iSCSI application running on [...]

  • Page 175

    Routed Access Scenario Figure 9-5 shows a stack of three units serving as an access router for a set of hosts. Two LAGs connect the stack to two aggregation routers. Each LAG is a member of a VLAN routing interface. The stack has OSPF and PIM adjacencies with each of the aggregation routers. The top unit in the stack is [...]

  • Page 176
