User manual / product maintenance: POWERCONNECT 6200 SERIES by Dell
www.dell.com | support.dell.com Dell™ PowerConnect™ 6200 Series Configuration Guide Model: PC6224, PC6248, PC6224P, PC6248P, and PC6224F.
Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.
1 About this Document This configuration guide provides examples of how to use the Dell™ PowerConnect™ 6200 Series switch in a typical network.
Additional Documentation The following documentation provides additional information about PowerConnect 6200 Series software: • The CLI Command Reference for your D.
2 System Configuration This section provides configuration scenarios for the following features: • "Traceroute" on page 12 • "Configurat.
Traceroute Use Traceroute to discover the routes that packets take when traveling on a hop-by-hop basis to their destination through the network.
--More-- or (q)uit 20 64.233.174.99 250 ms 240 ms 250 ms Hop Count = 20 Last TTL = 30 Test attempt = 90 Test Success = 90 Configuration Scripting Configuration scripting allows you to generate a text-formatted script file that shows the current system configuration.
CLI Examples The following are examples of the commands used for configuration scripting. Example #1: Viewing the Script Options console#script ? apply Applies configuration script to the switch. delete Deletes a configuration script file from the switch.
Example #4: Copying the Active Configuration into a Script Use this command to capture the running configuration into a script.
exit configure logging web-session bridge aging-time 100 exit Configuration script validated. File transfer operation completed successfully.
CLI Examples The following are examples of the commands used in the outbound telnet feature. Example #1: Connecting to Another System by Using Telnet console#telnet 192.
CLI Examples The following are examples of the commands used in the SNTP feature. Example #1: Viewing SNTP Options (Dell PC62XX Routing) (Config) #sntp ? console(config)#sntp ? authenticate Require authentication for received Network Time Protocol (NTP) traffic from servers.
Example #3: Viewing SNTP Information console#show sntp ? configuration Show the configuration of the Simple Network Time Protocol (SNTP).
Syslog Overview Syslog: • Allows you to store system messages and/or errors. • Can store to local files on the switch or a remote server running a syslog daemon. • Provides a method of collecting message logs from many systems.
Web Session Logging : disabled SNMP Set Command Logging : disabled 0 Messages were not logged. Buffer Log: <189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 31 %% Instance 0 has elected a new STP root: 8000:00ff:f2a3:8888 <189> JAN 01 03:57:58 10.
alert Immediate action needed critical Critical conditions debug Debugging messages emergency System is unusable error Error conditions info Informational messages notice No.
Storm Control A traffic storm occurs when incoming packets flood the LAN resulting in network performance degradation. The Storm Control feature protects against this condition. The switch software provides broadcast, multicast, and unicast storm recovery for individual interfaces.
Example #1: Set Broadcast Storm Control for an Interface console#configure console(config)#interface ethernet 1/g17 console(config-if-1/g17)#storm-control broadcast ? <cr> Press enter to execute the command. level Configure storm-control thresholds.
Cable Diagnostics This section describes: • "Copper Port Cable Test" on page 25 • "Fiber Port Cable Test" on page 27 NOTE: Cable Diagnostics is supported on SFP/XFP ports but not on the Stacking/CX-4/SFP+/10GbaseT ports.
Example #1: Cable Test for Copper Ports console#test copper-port tdr 1/g1 Cable Status................................
Example #3: Show Last Time Domain Reflectometry Tests Use the show copper-ports tdr command in Privileged EXEC mode to display the last Time Domain Reflectometry (TDR) tests on specified ports. The following example displays the last TDR tests on all ports.
3 Switching Configuration This section provides configuration scenarios for the following features: • "Virtual LANs" on page 29 • "Voice VLAN".
• The IP-subnet Based VLAN feature lets you map IP addresses to VLANs by specifying a source IP address, network mask, and the desired VLAN ID. • The MAC-based VLAN feature lets packets originating from end stations become part of a VLAN according to source MAC address.
CLI Examples The following examples show how to create VLANs, assign ports to the VLANs, and assign a VLAN as the default VLAN to a port.
Example #3: Assign Ports to VLAN3 This example shows how to assign the ports that will belong to VLAN 3. Untagged frames will be accepted on ports 1/g19 and 1/g20. Note that port 1/g18 belongs to both VLANs and that port 1/g17 can never belong to VLAN 3.
Example #6: View Information About VLAN 2 console#show ip interface vlan 2 Primary IP Address............................ 192.168.10.33/255.255.255.0 Routing Mode.................................. Enable Administrative Mode.
IP Subnet and MAC-Based VLANs In addition to port-based VLANs, the switch also supports VLANs that are based on the IP address or MAC address of a host. With IP subnet and MAC-based VLANs, the VLAN membership is determined by the address of the host rather than the port to which the host is attached.
Example #4: Viewing IP Subnet and MAC-Based VLAN Associations console#show vlan association mac MAC Address VLAN ID ----------------- ------- 00FF.F2A3.8886 10 console#show vlan association subnet IP Subnet IP Mask VLAN ID ---------------- ---------------- ------- 192.
CLI Example Example #1: Configuring a Protected Port The commands in this example name the protected port group 1 “PP_Test” and assign ports 1 and 2 to the group.
Voice VLAN Voice VLAN enables switch ports to carry voice traffic with a defined priority in order to enable the separation of voice and data traffic coming onto the port.
• When a dot1p priority is associated with the Voice VLAN port instead of a VLAN ID, then the priority information is passed onto the VOIP phone using the LLDP-MED mechanism.
Example #2: Configuring Voice VLAN on an Unauthenticated Port In some networks, multiple devices (for example, a PC, Printer, and phone) are connected to a single port on the switch.
IGMP Snooping This section describes the Internet Group Management Protocol (IGMP) Snooping feature. IGMP Snooping enables the switch to monitor IGMP transactions between hosts and routers.
1. Create VLAN 100. console#configure console(config)#vlan database console(config-vlan)#vlan 100 2. Enable IGMP snooping on the VLAN.
9. View information about the IGMP snooping configuration. console#show ip igmp snooping Admin Mode..................................... Enable Multicast Control Frame Count.................. 0 Interfaces Enabled for IGMP Snooping.
Multicast Packets Received..................... 626494 Broadcast Packets Received..................... 0 console#show statistics ethernet 1/g10 ... Total Packets Received Without Errors.......... 12 Unicast Packets Received.
Example #2: Configure IGMP Snooping Querier Properties The first command in this example sets the IGMP Querier Query Interval time to 100. This means that the switch waits 100 seconds before sending another general query.
Example #5: Show IGMP Snooping Querier Information for VLAN 10 console#show ip igmp snooping querier vlan 10 Vlan 10 : IGMP Snooping querier status ---------------------------------------------- IGMP Snooping Querier Vlan Mode.
CLI Example The following shows an example of configuring the software to support Link Aggregation (LAG) to a server and to a Layer 3 switch.
Example 1: Create Names for Two Port-Channels console#configure console(config)#interface port-channel 1 console(config-if-ch1)#description lag_1 console(config-if-.
ch2 No Configured Ports 3 ch3 No Configured Ports 3 ch4 No Configured Ports 3 ch5 No Configured Ports 3 ch6 No Configured Ports 3 ch7 No Configured Ports 3 ch8 No Config.
Port Mirroring This section describes the Port Mirroring feature, which can serve as a diagnostic tool, debugging tool, or means of fending off attacks.
Port Security This section describes the Port Security feature. Overview Port Security: • Allows for limiting the number of MAC addresses on a given port. • Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure packets) are restricted.
CLI Examples The following are examples of the commands used in the Port Security feature. Example #1: Enable Port Security on an Interface console(config)#interface ethernet 1/g18 console(config-if-1/g18)#port security ? <cr> Press enter to execute the command.
Link Layer Discovery Protocol The Link Layer Discovery Protocol (LLDP) feature allows individual interfaces on the switch to advertise major capabilities and physical descriptions. Network managers can view this information and identify system topology and detect bad configurations on the LAN.
Example #3: Show Global LLDP Parameters console#show lldp LLDP Global Configuration Transmit Interval............................ 30 seconds Transmit Hold Multiplier..................... 8 Reinit Delay..............
Denial of Service Attack Protection This section describes the PowerConnect 6200 Series Denial of Service Protection feature.
Table 3-1 describes the dos-control keywords. Table 3-1. DoS Control CLI Examples The commands shown below show how to enable DoS protection and view its status.
Example #2: Viewing the DoS Configuration Information console#show dos-control SIPDIP Mode.................................... Enable First Fragment Mode............................ Enable Min TCP Hdr Size............
The hardware rate limits DHCP packets sent to the CPU from interfaces to 64 Kbps. The DHCP snooping application processes incoming DHCP messages.
Figure 3-4. DHCP Binding The DHCP snooping component does not forward server messages since they are forwarded in hardware. DHCP snooping forwards valid DHCP client messages received on un-trusted interfaces to all trusted interfaces within the VLAN.
CLI Examples The commands below show examples of configuring DHCP Snooping for the switch and for individual interfaces.
console(config)# console(config)#exit Example #6 Configure DHCP snooping database Persistency interval console(config)#ip dhcp snooping database write-delay 50.
Example #10 Show DHCP Snooping configuration on VLANs and Ports show ip dhcp snooping binding DHCP snooping is Enabled DHCP snooping source MAC verification is enab.
----------- ---------- ---------------- 1/g15 No No 1/g16 No No 1/g17 No No 1/g18 No No 1/g19 No No 1/g20 No No 1/g21 No No 1/g22 No No 1/g23 No No 1/g24 No No 1/xg3 No .
Example #12 Show DHCP Snooping database configurations console#show ip dhcp snooping database agent url: local write-delay: 500 console# Example #13 Show DHCP Sn.
1/g3 No 15 1 1/g4 No 15 1 1/g5 No 15 1 1/g6 No 15 1 1/g7 No 15 1 1/g8 No 15 1 1/g9 No 15 1 1/g10 No 15 1 1/g11 No 15 1 1/g12 No 15 1 1/g13 No 15 1 1/g14 No 15 1 1/g15 No.
ch3 No 15 1 ch4 No 15 1 ch5 No 15 1 ch6 No 15 1 ch7 No 15 1 ch8 No 15 1 ch9 No 15 1 ch10 No 15 1 --More-- or (q)uit console# Example #15 Show DHCP Snooping Per Port Stat.
1/g11 0 0 0 1/g12 0 0 0 1/g13 0 0 0 1/g14 0 0 0 1/g15 0 0 0 1/g16 0 0 0 1/g17 0 0 0 1/g18 0 0 0 1/g19 0 0 0 1/g20 0 0 0 --More-- or (q)uit 1/g21 0 0 0 1/g22 0 0 0 1/g23 .
ch13 0 0 0 ch14 0 0 0 ch15 0 0 0 ch16 0 0 0 ch17 0 0 0 --More-- or (q)uit sFlow This section describes the sFlow feature.
The advantages of using sFlow are: • It is possible to monitor all ports of the switch continuously, with no impact on the distributed switching performance.
The mechanism involves a counter that is decremented with each packet. When the counter reaches zero a sample is taken. 5. When a sample is taken, the counter indicating how many packets to skip before taking the next sample is reset.
Example #4: Show the sFlow configuration for receiver index 1 console#show sflow 1 destination Receiver Index................................. 1 Owner String................................... site77 Time out..
Example #6: Show sFlow polling for receiver index 1 console#show sflow 1 polling Poller Receiver Poller Data Source Index Interval ----------- ------- ------- 1/g1 1 200 .
4 Routing Configuration This section describes configuration scenarios and instructions for the following routing features: • "VLAN Routing" on page 74.
VLAN Routing This section provides an example of how to configure PowerConnect 6200 Series software to support VLAN routing. NOTE: The management VLAN cannot be configured as a routing interface. The switch may also be managed via VLAN routing interfaces.
console(config-vlan)#vlan 10 console(config-vlan)#vlan 20 console(config-vlan)#exit Example 2: Configure the VLAN Members The following code sequence shows an example of adding ports to the VLANs and assigning the PVID for each port.
Example 3: Set Up VLAN Routing for the VLANs and Assign an IP Address The following code sequence shows how to enable routing for the VLANs and how to configure the IP addresses and subnet masks for the virtual router ports.
Virtual Router Redundancy Protocol When an end station is statically configured with the address of the router that will handle its routed traffic, a single point of failure is introduced into the network. If the router goes down, the end station is unable to communicate.
Configuring VRRP on the Switch as a Master Router 1 Enable routing for the switch. IP forwarding is then enabled by default.
4 Assign virtual router ID to the interface that will participate in the protocol: console(config)#interface vlan 50 console(config-if-vlan50)#ip vrrp 20 5 Specify the IP address that the virtual router function will recognize.
Proxy Address Resolution Protocol (ARP) This section describes the Proxy Address Resolution Protocol (ARP) feature. Overview • Proxy ARP allows a router to answer ARP requests where the target IP address is not the router itself but a destination that the router can reach.
Active State................................... Inactive Link Speed Data Rate........................... 10 Half MAC Address.................................... 00FF.F2A3.888A Encapsulation Type............................
A virtual link can be used to connect an area to Area 0 when a direct link is not possible. A virtual link traverses an area between the remote area and Area 0 (see Figure 4-5). A stub area is an area that does not receive routes that were learned from a protocol other than OSPF or were statically configured.
External routes are those imported into OSPF from other routing protocol or processes. OSPF computes the path cost differently for external type 1 and external type 2 routes. The cost of an external type 1 route is the cost advertised in the external LSA plus the path cost from the calculating router to the ASBR.
IPv4 (OSPFv2) IPv6 (OSPFv3) • Enable routing for the switch: console#config ip routing exit console#config ipv6 unicast-routing exit Enable routing and assign IP for VLANs 70, 80 and 90. config interface vlan 70 routing ip address 192.
Example 2: Configuring Stub and NSSA Areas In this example, Area 0 connects directly to two other areas: Area 1 is defined as a stub area and Area 2 is defined as an NSSA area.
Figure 4-4. OSPF Configuration—Stub Area and NSSA Area Configure Router A: Router A is a backbone router. It links to an ASBR (not defined here) that routes traffic outside the AS.
ipv6 address 3000:3:100::/64 eui64 ip ospf area 0.0.0.0 ipv6 ospf exit • Define an OSPF router: ipv6 router ospf router-id 3.3.3.3 exit router ospf router-id 3.3.3.3 exit exit Configure Router B: Router B is an ABR that connects Area 0 to Areas 1 and 2.
• For IPv4: Define an OSPF router. Define Area 1 as a stub. Enable OSPF for IPv4 on VLANs 10, 5, and 17 by globally defining the range of IP addresses associated with each interface, and then associating those ranges with Areas 1, 0, and 17, respectively.
Example 3: Configuring a Virtual Link In this example, Area 0 connects directly to Area 1. A virtual link is defined that traverses Area 1 and connects to Area 2. Figure 4-5 illustrates this example OSPF configuration.
router ospf router-id 3.3.3.3 network 10.2.3.0 0.0.0.255 area 0.0.0.0 exit exit Configure Router B: Router B is an ABR that directly connects Area 0 to Area 1. In addition to the configuration steps described in the previous example, we define a virtual link that traverses Area 1 to Router C (5.
routing ip address 10.1.2.1 255.255.255.0 ipv6 address 3000:1:2::/64 eui64 ipv6 ospf ipv6 ospf areaid 1 exit interface vlan 11 routing ip address 10.1.101.1 255.255.255.0 ipv6 address 3000:1:101::/64 eui64 ipv6 ospf ipv6 ospf areaid 2 exit ipv6 router ospf router-id 5.
Routing Information Protocol Routing Information Protocol (RIP) is one of the protocols which may be used by routers to exchange network topology information. It is characterized as an “interior” gateway protocol, and is typically used in small to medium-sized networks.
CLI Examples The configuration commands used in the following example enable RIP on ports vlan 2 and vlan 3 as shown in the network illustrated in Figure 4-6.
Example #3. Enable RIP for the Switch The next sequence enables RIP for the switch. The route preference defaults to 15. console#config router rip enable exit exit Example #4. Enable RIP for the VLAN Routing Interfaces This command sequence enables RIP for VLAN 2 and VLAN 3.
Route Preferences You can use route preference assignment to control how the router chooses which routes to use when alternatives exist.
Example 1: Configure Administrative Preferences The following commands configure the administrative preference for the RIP and OSPF: console#Config router rip di.
Using Equal Cost Multipath The equal cost multipath (ECMP) feature allows a router to use more than one next hop to forward packets to a given destination prefix. It can be used to promote a more optimal use of network resources and bandwidth.
Routing protocols can also be configured to compute ECMP routes. For example, referring to Figure 4-8, if OSPF were configured on both links connecting Router A and Router B, and if Router B advertised its connection to 20.
Rou ting Configu ration 99 Loopback Interfaces P owerConnect 620 0 Series softwar e prov ides for th e creation, deletion, and management of loopback interfaces.
100 Rou ting Configu ration IP MTU............... .......................... 1500 Bandwidth............ .......................... 100000 kbps Destination Unreachab les.
Rou ting Configu ration 101 T able 4-1. Defau lt Ports - UD P Port Numbers Implied By W ildcard The sw itch li mits the number of r elay en tries t o four ti mes the maximum n umber of VLAN ro uting interfaces (512 relay entries).
102 Rou ting Configu ration The r elay agent only rela ys packet s that meet the following conditions: • The destinati on MAC addr ess must be the al l-ones broad cast addr ess (FF :FF : F F :FF :FF : F F). • The destina tion IP addr ess must be the limit e d broa dcast addr ess (255.
Rou ting Configu ration 103 Exam ple 5: Enabl e IP Help er on a V LAN Rou ting Inter face to a Se rver (D HCP an d DNS) T o relay DHCP and DNS pack ets t o 192.168.30.1 , use the follo wing commands: console(config-if-vlan100)#ip helper-address 192.1 68.
104 Rou ting Configu ration Exam ple 7 : Sh ow IP He lper Con fig uration s The following command shows IP Helper configurations: console#show ip helpe r-a IP helper is enabled Interface UDP Port Discard Hit Count Server Address -------------------- ----------- ---------- ---------- ------------------ vlan 100 domain No 0 192.
Devi ce S ecu rit y 105 5 Device S ecurity This sectio n describes co nfiguration scenarios for the following featur es: • "8 02.1x N etwork Access C ont rol" on page 106 • "802.
106 Devic e Security 802.1x Network Access Control P ort-b ased network access control allows the operation of a system’s port(s) to b e controlled to ensure that access to its services is permit ted only by systems that are authorized to do so .
Devi ce S ecu rit y 107 Figure 5-1. Switch wit h 802.1x Net work Acce ss Control If a us e r , or supplicant, attempts to communicat e via the switch o n any i nterface ex cept interface 1/g1, the system challenges t he supplica nt for login credentials.
108 Devic e Security Exam ple #2: MAC -Base d Aut henti cati on Mod e The P ow erConnect 62 00 Series switches s upport MAC-based 802.1X authenti cation. This feature allows multiple hos t s to a uthenticate on a single port. The hosts are disting uished by their MA C addr e sses.
Devi ce S ecu rit y 109 802.1X Authentication and VLANs The P owe rConnect 62 00 Series s witches allow a port to be placed into a part icular VLAN based on the r esult of type of 802.1X authentication a client uses when it accesses the switch. The R ADIUS server or IEEE 802.
110 Devic e Security VL A N a n d t h e p o r t i s m ov e d t o t h e a u t h o r iz e d s t a t e , al l o w i n g a c c e s s t o t h e c l i e nt . H o w e ve r , i f t h e p o r t i s in MAC-base d 802.1X a uthenti cation mode, i t will not mov e to the a uthorized state.
Devi ce S ecu rit y 111 Authentication Server Filter Assignment The P owerConnect 6 200 Series switches allow the external 802.1X Authenticator or RADIUS server to assign Diff Serv policies to users th at au thenticat e to the s witch. W hen a host (su pplican t) attem pts to connect to the networ k throug h a port, th e switch cont acts the 802.
112 Devic e Security Ingr ess ACL s support Flow-base d Mirroring and A CL L ogging, whi ch have the following characteristics: • Flow-ba sed mirrorin g is the abil ity to mirror tra ffic tha t match es a perm it rul e to a specific ph ysical port or LAG.
Devi ce S ecu rit y 113 Egress ACL Limitations Egr ess A CLs h ave some add itional limitat ions. T h e fo llowing limita tions app ly to eg ress A CLs only : • Egress A C Ls support IP Pro tocol/Destination, IP A ddres s S ource/Destination, L4 Source/Destination port, IP DSCP , IP T oS , and IP precedence match conditions only .
114 Devic e Security IP ACLs IP A CLs classify for Layers 3 a nd 4. Each ACL is a s et of up to te n rules a pplie d to inbo und traffic. Each ru le speci fies whe ther th e conten ts of a given field.
Devi ce S ecu rit y 115 IP ACL CLI Exampl e The script in this section shows you how to set up an IP ACL with tw o rules , one appl icable to TCP traffic an d one to UD P tra ffic.
116 Devic e Security Step 1: Creat e an ACL and Define an ACL Rul e This command creates a n ACL named list1 and configur es a rule for the ACL. Afte r the mask has been appl ied, it permits pack ets carrying TCP t raffic that matche s the specified So urce IP addr ess, and sends these pa ckets to the specifie d Dest ination IP addr e ss.
Devi ce S ecu rit y 117 Step 4: V iewing the MAC ACL Information console#show mac acce ss-lists Current number of all ACLs: 2 Maximum number of all ACLs: 100 MAC ACL Name Rules Interface(s) Direction .
118 Devic e Security attributes containing configuration in formation. If the server re jects the user , it r eturns a nega tive r esult. If the server rejects the client or the shared “secrets ” differ , the server returns no result.
Devi ce S ecu rit y 119 Figure 5-3. RADIUS Se rvers in a Net work When a user attempts to log in, the switch prompts for a userna m e and passwo rd. The switch then attempts to communicate with the p rimary R ADIUS server at 10.10.10.10. Upon successf u l connection with the server , the login credentials are ex changed over an encrypted cha nnel.
120 Devic e Security Example #2: Set the NAS-IP Ad dress for the RADIUS Ser ver The NAS-IP address attribute identifies the IP Address of the netwo rk authenticat ion server (NAS) that is requesting authe ntication of the us er . The address should be unique to the NAS withi n the scope of the R AD IUS server .
Devi ce S ecu rit y 121 Figure 5-4. PowerCo nnect 620 0 Series Switc h with T ACACS+ When a user attempts to log into the switch, the NAS or switch prompt s for a username and passwor d. The switch attempt s to communicate with the highes t priority configured T A CACS+ server at 10.
122 Devic e Security 802.1x MAC Authentication Bypass ( MAB) MAB is a s upplemental a uthenticati o n mechani sm that allows 8 02.1x unawar e clients, such as p rinters and fax mac hines, to auth entic ate to t he net work us ing th e cli ent MA C addr ess a s an id entifi er .
Devi ce S ecu rit y 123 Figure 5-5. MAB Op eration – A uthenticat ions Based on MAC Ad dress in Da tabase CLI Exa m ples Exam ple 1 : E nabl e/Dis abl e MAB T o enable/disable MAB on interface 1/5, .
124 Devic e Security Exam ple 2: S how MA B Con figu rat ion T o show the MAB configuration for inte rface 1/ 5, use the follow ing command: console#show dot1x ethernet 1/g5 Administrative Mode.
Devi ce S ecu rit y 125 Captive Portal Overview Captive P ortal feat ure is a softwar e implementati o n that allows client access only on user verification.
126 Devic e Security In th e unknown state, t he CP does n't r edire ct HTTP/S tra ffic to the switc h, but qu eries the switch t o determine whet her the client is authenticated or unauthenticated . In the Una uthenti cated sta te, the CP di rects the HT T P/S traff ic to th e swit ch to allo w the client to authent icat e with the swit ch.
Devi ce S ecu rit y 127 All new captive portal insta nces are also assigned to the "Default" group. The adminis trator can create new groups and m odify the user/group association to only allow a subset of users access to a specific captive por t al instance.
128 Devic e Security In response to the request, the authenti cated user is removed from the connection status tables. I f the client logout request featur e is not enabled, or the user does not s pec.
Devi ce S ecu rit y 129 Capt ive Port al S tat isti cs Client sess ion statistics are ava ilable for both g uest and authenticat ed users.Client s tatistics ar e used to enforce the idle timeout and other limits configured for the user and captive portal instance.
130 Devic e Security console#show captive-portal Administrative Mode....................... Enabled Operational Status........................ Enabled Disable Reason............................ Adminis trator Disabled Captive Portal IP Address........
Devi ce S ecu rit y 131 Example 7: Modify the Default Captive Portal Configuration (Change V erific ation Method to Local) T o change the verification method to local, use the following command: conso.
132 Devic e Security T o create a local user , use the following command: console(Config-CP)#user 1 name user1 console(config-CP)#user 1 password Enter password (8 to 64 characters): ******** Re-enter.
Device Security 133 Operational Block Interface Interface Description Status Status --------- ----------- ----------------------------- ------------ ----------- 1/g18 Unit: 1 Slot: 0 Port: 18 Gi.
IPv6 135 6 IPv6 This section includes the following subsections:
• "Overview" on page 135
• "Interface Configuration" on page 135
Overview There are many conceptual similarities between IPv4 and IPv6 network operation.
136 IPv6
• Allocated from part of the IPv6 unicast address space
• Not visible off the local link
• Not globally unique
Next hop addresses computed by routing protocols are usually link-local. During a transition period, a global IPv6 Internet backbone may not be available.
IPv6 137
ip ospf area 0.0.0.0
exit
interface vlan 2
routing
ipv6 enable
ipv6 address 2020:1::1/64
ipv6 ospf
ipv6 ospf network point-to-point
exit
interface tunnel 0
ipv6 address 2001::1/64
tunnel mode ipv6ip
tunnel source 20.20.20.1
tunnel destination 10.
138 IPv6
ipv6 address 2020:2::2/64
ipv6 ospf
ipv6 ospf network point-to-point
exit
interface tunnel 0
ipv6 address 2001::2/64
tunnel mode ipv6ip
tunnel source 10.10.10.1
tunnel destination 20.20.20.1
ipv6 ospf
ipv6 ospf network point-to-point
exit
interface loopback 0
ip address 2.
Quality of Service 139 7 Quality of Service This section includes the following subsections:
• "Class of Service Queuing" on page 139
• "Differentiated Services" on page 143
Class of Service Queuing The Class of Service (CoS) feature lets you give preferential treatment to certain types of traffic over others.
140 Quality of Service CoS Mapping Table for Trusted Ports Mapping is from the designated field values on trusted ports' incoming packets to a traffic class priority (actually a CoS traffic queue).
Quality of Service 141 Figure 7-1. CoS Mapping and Queue Configuration Continuing this example, you configured the egress Port 1/g8 for strict priority on queue 6, and set a weighted scheduling scheme for queues 5-0.
142 Quality of Service Figure 7-2. CoS1/g Configuration Example System Diagram You will configure the ingress interface uniquely for all cos-queue and VLAN parameters.
Quality of Service 143 Differentiated Services Differentiated Services (DiffServ) is one technique for implementing Quality of Service (QoS) policies. Using DiffServ in your network allows you to directly configure the relevant parameters on the switches and routers rather than using a resource reservation protocol.
144 Quality of Service CLI Example This example shows how a network administrator can provide equal access to the Internet (or other external network) to different departments within a company. Each of four departments has its own Class B subnet that is allocated 25% of the available bandwidth on the port accessing the Internet.
Quality of Service 145
match srcip 172.16.20.0 255.255.255.0
exit
class-map match-all test_dept
match srcip 172.16.30.0 255.255.255.0
exit
class-map match-all development_dept
match srcip 172.
146 Quality of Service Set the CoS queue configuration for the (presumed) egress interface 1/g5 such that each of queues 1, 2, 3 and 4 get a minimum guaranteed bandwidth of 25%. All queues for this interface use weighted round robin scheduling by default.
Quality of Service 147 Figure 7-4. DiffServ VoIP Example Network Diagram.
148 Quality of Service Example #2: Configuring DiffServ VoIP Support Enter Global Config mode. Set queue 6 on all ports to use strict priority mode.
Multicast 149 8 Multicast This section provides configuration scenarios for the following features:
• "IGMP Configuration" on page 150
• "IGMP Proxy" on page .
150 Multicast When to Enable IP Multicast on the PowerConnect 6200 Series Switch Use the IP multicast feature on the PowerConnect 6200 Series switch to route multicast traffic between VLANs on the switch. If all hosts connected to the switch are on the same subnet, there is no need to configure the IP multicast feature.
Multicast 151 IGMP Proxy IGMP proxy enables a multicast router to learn multicast group membership information and forward multicast packets based upon the group membership information. The IGMP Proxy is capable of functioning only in certain topologies that do not require Multicast Routing Protocols (i.
152 Multicast Example #2: View IGMP Proxy Configuration Data You can use various commands from Privileged EXEC or User EXEC modes to show IGMP proxy configuration data.
• Use the following command to display a summary of the host interface status parameters.
Multicast 153 CLI Example The following example configures two DVMRP interfaces. First, this example configures an OSPF router 1 and globally enables IP routing and IP multicast.
154 Multicast PIM Protocol Independent Multicast (PIM) is a standard multicast routing protocol that provides scalable inter-domain multicast routing across the Internet, independent of the mechanisms provided by any particular unicast routing protocol.
Multicast 155 Example: PIM-SM The following example configures PIM-SM for IPv4 on a router. First, configure an OSPF 1 router and globally enable IP routing, multicast, IGMP, and PIM-SM. Next, configure a PIM-SM rendezvous point with an IP address and group range.
To minimize the repeated flooding of datagrams and subsequent pruning associated with a particular source-group (S,G) pair, PIM-DM uses a State Refresh message. This message is sent by the router(s) directly connected to the source and is propagated throughout the network.
Multicast 157 Multicast Routing and IGMP Snooping In this example, ports 1/g5 and 1/g10 are members of VLAN 100, and port 1/g15 is a member of VLAN 200.
158 Multicast 8 Globally enable IGMP snooping, IP multicast, IGMP, and PIM-DM on the switch.
console(config)# ip igmp snooping
console(config)# ip multicast
console(config)# ip igmp
console(config)# ip pimdm
NOTE: Only one multicast routing protocol (PIM-SM, PIM-DM, or DVMRP) can be enabled globally on the switch at a time.
Multicast 159
console#show ip igmp
IGMP Admin Mode................................ Enabled
IGMP Router-Alert check........................ Disabled
IGMP INTERFACE STATUS
Interface Interface-Mode .
Utility 161 9 Utility This section describes the following features:
• "Auto Config" on page 162
• "Nonstop Forwarding on a Switch Stack" on page 168.
162 Utility Auto Config Overview Auto Config is a software feature that automatically configures a switch when the device is initialized and no configuration file is found on the switch.
Utility 163 – The hostname of the TFTP server (option 66 or sname). Either the TFTP address or name is specified (not both) in most network configurations. If a TFTP hostname is given, a DNS server is required to translate the name to an IP address.
164 Utility Once a hostname has been determined, the switch then issues a TFTP request for a file named "<hostname>.cfg", where <hostname> is the first 32 characters of the switch's hostname.
Utility 165 Host-Specific Config File Not Found If the Auto Config process fails to download a configuration file, a message is logged. If a final configuration file is not downloaded, as described in Table 9-1, the Auto Config procedure continues to issue TFTP broadcast requests.
166 Utility Dependency Upon Other Network Services The Auto Config process depends upon the following network services:
• A DHCP or BOOTP server must be configured on the network with appropriate services.
• A configuration file for the switch must be available from a TFTP server on the network.
Utility 167 TFTP Client The TFTP client downloads configuration files and sends TFTP requests to the broadcast IP address (255.255.255.255). DNS Client The DNS client resolves a.
168 Utility Nonstop Forwarding on a Switch Stack Networking devices, such as the PowerConnect 6200 Series switches, are often described in terms of three semi-independent functions called the forwarding plane, the control plane, and the management plane.
Utility 169 NOTE: The switch cannot guarantee that a backup unit has exactly the same data that the management unit has when it fails. For example, the management unit might fail before the checkpoint service gets data to the backup if an event occurs shortly before a failover.
170 Utility Switch Stack MAC Addressing and Stack Design Considerations The switch stack uses the MAC addresses assigned to the management unit. If the backup unit assumes control due to a management unit failure or warm restart, the backup unit continues to use the original management unit's MAC addresses.
Utility 171 Configuration Examples The actual configuration of the feature is simple. NSF is either enabled or disabled. The examples in this section describe how the NSF feature acts in various environments and with various switch applications.
172 Utility VoIP Figure 9-2 shows how nonstop forwarding maintains existing voice calls during a management unit failure. Assume the top unit is the management unit. When the management unit fails, the call from phone A is immediately disconnected.
Utility 173 Figure 9-3. NSF and DHCP Snooping If the management unit fails, all hosts connected to that unit lose network access until that unit reboots. The hardware on surviving units continues to enforce source filters IPSG installed prior to the failover.
174 Utility Storage Access Network Scenario Figure 9-4 illustrates a stack of three PowerConnect 6200 Series switches connecting two servers (iSCSI initiators) to a disk array (iSCSI targets). There are two iSCSI connections as follows: Session A: 10.
Utility 175 Routed Access Scenario Figure 9-5 shows a stack of three units serving as an access router for a set of hosts. Two LAGs connect the stack to two aggregation routers. Each LAG is a member of a VLAN routing interface. The stack has OSPF and PIM adjacencies with each of the aggregation routers.