Dell Networking N2000 Series Users Manual User's Guide

2015-01-05


Page Count: 1460

Dell Networking N2000, N3000, and N4000 Series Switches
User’s Configuration Guide
Regulatory Models: N2024, N2024P, N2038, N2048P, N3024, N3024F, N3024P, N3048, N3048P, N4032, N4032F, N4064, N4064F
Notes and Cautions
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.
____________
Information in this publication is subject to change without notice.
© 2014 Dell Inc. All rights reserved.
Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden.
Trademarks used in this text: Dell™, the DELL logo, EqualLogic™, and OpenManage™ are trademarks of Dell Inc. Microsoft®, Windows®, Windows Server®, MS-DOS®, and Windows Vista® are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. sFlow® is a registered trademark of InMon Corporation. Cisco® is a registered trademark of Cisco Systems. Mozilla® and Firefox® are registered trademarks of the Mozilla Foundation.
Other trademarks and trade names may be used in this publication to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.
Regulatory Models: N2024, N2024P, N2038, N2048P, N3024, N3024F, N3024P, N3048, N3048P, N4032, N4032F, N4064, N4064F
January 2014 Rev. A01
Contents 3
Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . 51
About This Document . . . . . . . . . . . . . . . . . . 51
Audience . . . . . . . . . . . . . . . . . . . . . . . . . 52
Document Conventions . . . . . . . . . . . . . . . . . 52
Additional Documentation. . . . . . . . . . . . . . . . 53
2 Switch Feature Overview . . . . . . . . . . . . 55
System Management Features . . . . . . . . . . . . . 56
Multiple Management Options . . . . . . . . . . . 56
System Time Management . . . . . . . . . . . . . 56
Log Messages . . . . . . . . . . . . . . . . . . . 57
Integrated DHCP Server . . . . . . . . . . . . . . 57
Management of Basic Network Information. . . . 57
IPv6 Management Features . . . . . . . . . . . . 58
Dual Software Images . . . . . . . . . . . . . . . 58
File Management . . . . . . . . . . . . . . . . . . 58
Switch Database Management Templates. . . . . 58
Automatic Installation of Firmware and Configuration . . . . . . . . . . . . . . . . . . . . 59
sFlow . . . . . . . . . . . . . . . . . . . . . . . . 59
SNMP Alarms and Trap Logs . . . . . . . . . . . . 60
CDP Interoperability through ISDP . . . . . . . . . 60
Remote Monitoring (RMON) . . . . . . . . . . . . 60
Stacking Features . . . . . . . . . . . . . . . . . . . . 61
High Stack Count . . . . . . . . . . . . . . . . . . 61
Single IP Management . . . . . . . . . . . . . . . 61
Master Failover with Transparent Transition . . . . 62
Nonstop Forwarding on the Stack . . . . . . . . . 62
Hot Add/Delete and Firmware Synchronization . . . . . . . . . . . . . . . . . . . 62
Security Features . . . . . . . . . . . . . . . . . . . . 63
Configurable Access and Authentication Profiles . . . . . . . . . . . . . . . . . . . . . . . 63
Password-Protected Management Access . . . . 63
Strong Password Enforcement . . . . . . . . . . . 63
TACACS+ Client . . . . . . . . . . . . . . . . . . . 63
RADIUS Support . . . . . . . . . . . . . . . . . . 64
SSH/SSL. . . . . . . . . . . . . . . . . . . . . . . 64
Inbound Telnet Control . . . . . . . . . . . . . . . 64
Denial of Service . . . . . . . . . . . . . . . . . . 64
Port Protection . . . . . . . . . . . . . . . . . . . 64
Captive Portal . . . . . . . . . . . . . . . . . . . . 65
Dot1x Authentication (IEEE 802.1X) . . . . . . . . . 66
MAC-Based 802.1X Authentication . . . . . . . . . 66
Dot1x Monitor Mode . . . . . . . . . . . . . . . . 66
MAC-Based Port Security . . . . . . . . . . . . . 66
Access Control Lists (ACL) . . . . . . . . . . . . . 67
Time-Based ACLs . . . . . . . . . . . . . . . . . . 67
IP Source Guard (IPSG). . . . . . . . . . . . . . . 67
DHCP Snooping . . . . . . . . . . . . . . . . . . . 68
Dynamic ARP Inspection . . . . . . . . . . . . . . 68
Protected Ports (Private VLAN Edge). . . . . . . . 68
Green Technology Features . . . . . . . . . . . . . . . 69
Energy Detect Mode . . . . . . . . . . . . . . . . 69
Energy Efficient Ethernet . . . . . . . . . . . . . . 69
Power Utilization Reporting. . . . . . . . . . . . . 69
Power over Ethernet (PoE) Plus Features . . . . . . . . 70
Power Over Ethernet (PoE) Plus Configuration . . . . . . . . . . . . . . . . . . . . 70
PoE Plus Support . . . . . . . . . . . . . . . . . . 70
Switching Features . . . . . . . . . . . . . . . . . . . 71
Flow Control Support (IEEE 802.3x) . . . . . . . . . 71
Head of Line Blocking Prevention . . . . . . . . . 71
Alternate Store and Forward (ASF). . . . . . . . . 71
Jumbo Frames Support . . . . . . . . . . . . . . . 71
Auto-MDI/MDIX Support . . . . . . . . . . . . . . 72
VLAN-Aware MAC-based Switching. . . . . . . . 72
Back Pressure Support . . . . . . . . . . . . . . . 72
Auto Negotiation . . . . . . . . . . . . . . . . . . 72
Broadcast Storm Control . . . . . . . . . . . . . . 73
Port Mirroring. . . . . . . . . . . . . . . . . . . . 73
Static and Dynamic MAC Address Tables . . . . . 73
Link Layer Discovery Protocol (LLDP) . . . . . . . 74
Link Layer Discovery Protocol (LLDP) for Media Endpoint Devices . . . . . . . . . . . . . . 74
Connectivity Fault Management (IEEE 802.1ag) . . . . . . . . . . . . . . . . . . . . 74
Priority-based Flow Control (PFC) . . . . . . . . . 74
Data Center Bridging Exchange (DCBx) Protocol . . . . . . . . . . . . . . . . . . . . . . . 75
Enhanced Transmission Selection . . . . . . . . . 75
Cisco Protocol Filtering. . . . . . . . . . . . . . . 76
DHCP Layer 2 Relay. . . . . . . . . . . . . . . . . 76
Virtual Local Area Network Supported Features . . . . 77
VLAN Support. . . . . . . . . . . . . . . . . . . . 77
Port-Based VLANs . . . . . . . . . . . . . . . . . 77
IP Subnet-based VLAN . . . . . . . . . . . . . . . 77
MAC-based VLAN . . . . . . . . . . . . . . . . . 77
IEEE 802.1v Protocol-Based VLANs . . . . . . . . 77
GARP and GVRP Support . . . . . . . . . . . . . . 78
Voice VLAN . . . . . . . . . . . . . . . . . . . . . 78
Guest VLAN . . . . . . . . . . . . . . . . . . . . . 78
Double VLANs. . . . . . . . . . . . . . . . . . . . 78
Spanning Tree Protocol Features . . . . . . . . . . . . 79
Spanning Tree Protocol (STP) . . . . . . . . . . . 79
Spanning Tree Port Settings . . . . . . . . . . . . 79
Rapid Spanning Tree . . . . . . . . . . . . . . . . 79
Multiple Spanning Tree . . . . . . . . . . . . . . . 79
Bridge Protocol Data Unit (BPDU) Guard. . . . . . 80
BPDU Filtering . . . . . . . . . . . . . . . . . . . 80
RSTP-PV and STP-PV . . . . . . . . . . . . . . . . 80
Link Aggregation Features. . . . . . . . . . . . . . . . 81
Link Aggregation . . . . . . . . . . . . . . . . . . 81
Link Aggregate Control Protocol (LACP) . . . . . . 81
Multi-Switch LAG (MLAG) . . . . . . . . . . . . . 81
Routing Features . . . . . . . . . . . . . . . . . . . . . 82
Address Resolution Protocol (ARP) Table Management . . . . . . . . . . . . . . . . . . . . 82
VLAN Routing . . . . . . . . . . . . . . . . . . . . 82
IP Configuration . . . . . . . . . . . . . . . . . . . 82
Open Shortest Path First (OSPF) . . . . . . . . . . 82
BOOTP/DHCP Relay Agent . . . . . . . . . . . . . 83
IP Helper and UDP Relay . . . . . . . . . . . . . . 83
Routing Information Protocol . . . . . . . . . . . . 83
Router Discovery . . . . . . . . . . . . . . . . . . 83
Routing Table . . . . . . . . . . . . . . . . . . . . 83
Virtual Router Redundancy Protocol (VRRP) . . . . 84
Tunnel and Loopback Interfaces . . . . . . . . . . 84
IPv6 Routing Features . . . . . . . . . . . . . . . . . . 85
IPv6 Configuration . . . . . . . . . . . . . . . . . 85
IPv6 Routes . . . . . . . . . . . . . . . . . . . . . 85
OSPFv3 . . . . . . . . . . . . . . . . . . . . . . . 85
DHCPv6 . . . . . . . . . . . . . . . . . . . . . . . 85
Quality of Service (QoS) Features . . . . . . . . . . . . 86
Differentiated Services (DiffServ) . . . . . . . . . 86
Class Of Service (CoS) . . . . . . . . . . . . . . . 86
Auto Voice over IP (VoIP). . . . . . . . . . . . . . 86
Internet Small Computer System Interface (iSCSI) Optimization. . . . . . . . . . . . . . . . . 87
Layer 2 Multicast Features . . . . . . . . . . . . . . . 87
MAC Multicast Support. . . . . . . . . . . . . . . 87
IGMP Snooping . . . . . . . . . . . . . . . . . . . 87
IGMP Snooping Querier . . . . . . . . . . . . . . 88
MLD Snooping . . . . . . . . . . . . . . . . . . . 88
Multicast VLAN Registration . . . . . . . . . . . . 88
Layer 3 Multicast Features . . . . . . . . . . . . . . . 89
Distance Vector Multicast Routing Protocol . . . . 89
Internet Group Management Protocol . . . . . . . 89
IGMP Proxy . . . . . . . . . . . . . . . . . . . . . 89
Protocol Independent Multicast—Dense Mode . . . . . . . . . . . . . . . . . . . . 89
Protocol Independent Multicast—Sparse Mode . . . . . . . . . . . . . . . . . . . . 90
Protocol Independent Multicast—Source Specific Multicast . . . . . . . . . . . . . 90
Protocol Independent Multicast IPv6 Support . . . 90
MLD/MLDv2 (RFC2710/RFC3810) . . . . . . . . . . 90
3 Hardware Overview. . . . . . . . . . . . . . . . . 91
Dell Networking N2000 Series Switch Hardware . . . 91
N2000 Series Front Panel . . . . . . . . . . . . . . 91
N2000 Series Back Panel . . . . . . . . . . . . . . 95
N2000 LED Definitions. . . . . . . . . . . . . . . . 97
Power Consumption for N2000 Series PoE Switches . . . . . . . . . . . . . . . . . . . . . 100
Dell Networking N3000 Series Switch Hardware. . . . . . . . . . . . . . . . . . . . . . . . 102
N3000 Series Front Panel . . . . . . . . . . . . . 102
N3000 Series Back Panel . . . . . . . . . . . . . 106
LED Definitions . . . . . . . . . . . . . . . . . . 109
Power Consumption for N3000 Series PoE Switches . . . . . . . . . . . . . . . . . . . . . 113
Dell Networking N4000 Series Switch Hardware. . . . . . . . . . . . . . . . . . . . . . . . 115
Front Panel . . . . . . . . . . . . . . . . . . . . 115
N4000 Back Panel. . . . . . . . . . . . . . . . . 119
LED Definitions . . . . . . . . . . . . . . . . . . 121
Switch MAC Addresses . . . . . . . . . . . . . . . . 125
4 Using Dell OpenManage Switch Administrator . . . . . . . . . . . . . . . . . . . . 127
About Dell OpenManage Switch Administrator. . . . 127
Starting the Application . . . . . . . . . . . . . . . . 128
Understanding the Interface . . . . . . . . . . . . . . 129
Using the Switch Administrator Buttons and Links . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Defining Fields . . . . . . . . . . . . . . . . . . . . . 132
Understanding the Device View . . . . . . . . . . . . 132
Using the Device View Port Features. . . . . . . 132
Using the Device View Switch Locator Feature . . . . . . . . . . . . . . . . . . . . . . . 133
5 Using the Command-Line Interface. . . . 135
Accessing the Switch Through the CLI . . . . . . . . . 135
Console Connection . . . . . . . . . . . . . . . . 135
Telnet Connection . . . . . . . . . . . . . . . . . 136
Understanding Command Modes . . . . . . . . . . . . 137
Entering CLI Commands . . . . . . . . . . . . . . . . . 139
Using the Question Mark to Get Help . . . . . . . 139
Using Command Completion . . . . . . . . . . . . 140
Entering Abbreviated Commands . . . . . . . . . 140
Negating Commands . . . . . . . . . . . . . . . . 140
Command Output Paging . . . . . . . . . . . . . . 141
Understanding Error Messages . . . . . . . . . . 141
Recalling Commands from the History Buffer . . . 141
6 Default Settings. . . . . . . . . . . . . . . . . . . 143
7 Setting the IP Address and Other Basic Network Information . . . . . . . . . . 147
IP Address and Network Information Overview . . . . 147
What Is the Basic Network Information? . . . . . 147
Why Is Basic Network Information Needed? . . . . . . . . . . . . . . . . . . . . . . 148
How Is Basic Network Information Configured? . . . . . . . . . . . . . . . . . . . . . 149
What Is Out-of-Band Management and In-Band Management? . . . . . . . . . . . . . . 149
Default Network Information . . . . . . . . . . . . . 151
Configuring Basic Network Information (Web) . . . . 152
Out-of-Band Interface . . . . . . . . . . . . . . 152
IP Interface Configuration (Default VLAN IP Address). . . . . . . . . . . . . . . . . . . . . . 153
Route Entry Configuration (Switch Default Gateway) . . . . . . . . . . . . . . . . . . . . . 155
Domain Name Server . . . . . . . . . . . . . . . 157
Default Domain Name . . . . . . . . . . . . . . 158
Host Name Mapping . . . . . . . . . . . . . . . 159
Dynamic Host Name Mapping . . . . . . . . . . 160
Configuring Basic Network Information (CLI). . . . . 161
Enabling the DHCP Client on the OOB Port . . . . 161
Enabling the DHCP Client on the Default VLAN . . . . . . . . . . . . . . . . . . . . . . . 161
Managing DHCP Leases . . . . . . . . . . . . . 162
Configuring Static Network Information on the OOB Port . . . . . . . . . . . . . . . . . . . 163
Configuring Static Network Information on the Default VLAN . . . . . . . . . . . . . . . . . 163
Configuring and Viewing Additional Network Information . . . . . . . . . . . . . . . . . . . . 164
Basic Network Information Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . 166
8 Managing QSFP Ports . . . . . . . . . . . . . . 169
9 Managing a Switch Stack . . . . . . . . . . . 171
Stacking Overview . . . . . . . . . . . . . . . . . . . 171
Dell Networking N2000, N3000, and N4000 Stacking Compatibility . . . . . . . . . . . . . . . 174
How is the Stack Master Selected? . . . . . . . . 175
Adding a Switch to the Stack. . . . . . . . . . . . 176
Removing a Switch from the Stack. . . . . . . . . 177
How is the Firmware Updated on the Stack? . . . 177
What is Stacking Standby? . . . . . . . . . . . . . 178
What is Nonstop Forwarding? . . . . . . . . . . . 178
Switch Stack MAC Addressing and Stack Design Considerations . . . . . . . . . . . . . . . 181
NSF Network Design Considerations . . . . . . . 181
Why is Stacking Needed? . . . . . . . . . . . . . 182
Default Stacking Values . . . . . . . . . . . . . . . . . 182
Managing and Monitoring the Stack (Web). . . . . . . 184
Unit Configuration . . . . . . . . . . . . . . . . . 184
Stack Summary . . . . . . . . . . . . . . . . . . . 185
Stack Firmware Synchronization . . . . . . . . . . 186
Supported Switches . . . . . . . . . . . . . . . . 187
Stack Port Summary . . . . . . . . . . . . . . . . 188
Stack Port Counters . . . . . . . . . . . . . . . . 189
Stack Port Diagnostics . . . . . . . . . . . . . . . 189
NSF Summary. . . . . . . . . . . . . . . . . . . . 190
Checkpoint Statistics . . . . . . . . . . . . . . . . 191
Managing the Stack (CLI) . . . . . . . . . . . . . . . 192
Configuring Stack Member, Stack Port, and NSF Settings . . . . . . . . . . . . . . . . . . . 192
Viewing and Clearing Stacking and NSF Information . . . . . . . . . . . . . . . . . . . . 194
Stacking and NSF Usage Scenarios . . . . . . . . . . 195
Basic Failover . . . . . . . . . . . . . . . . . . . 195
Preconfiguring a Stack Member . . . . . . . . . 197
NSF in the Data Center . . . . . . . . . . . . . . 199
NSF and VoIP . . . . . . . . . . . . . . . . . . . 200
NSF and DHCP Snooping . . . . . . . . . . . . . 201
NSF and the Storage Access Network . . . . . . 202
NSF and Routed Access . . . . . . . . . . . . . 204
10 Configuring Authentication, Authorization, and Accounting . . . . . . . 207
AAA Overview . . . . . . . . . . . . . . . . . . . . . 207
Methods. . . . . . . . . . . . . . . . . . . . . . 208
Access Lines . . . . . . . . . . . . . . . . . . . 209
Authentication . . . . . . . . . . . . . . . . . . . . . 211
Authentication Types . . . . . . . . . . . . . . . 211
Authorization . . . . . . . . . . . . . . . . . . . . . . 212
Exec Authorization Capabilities. . . . . . . . . . 212
Accounting . . . . . . . . . . . . . . . . . . . . . . . 214
Authentication Examples . . . . . . . . . . . . . . . 215
Local Authentication Example . . . . . . . . . . 215
TACACS+ Authentication Example . . . . . . . . 217
Public Key SSH Authentication Example . . . . . 218
RADIUS Authentication Example . . . . . . . . . 225
Authorization Examples . . . . . . . . . . . . . . . . . 227
Local Authorization Example—Direct Login to Privileged EXEC Mode. . . . . . . . . . . 227
TACACS+ Authorization Example—Direct Login to Privileged EXEC Mode. . . . . . . . . . . 227
TACACS+ Authorization Example—Administrative Profiles . . . . . . . . . . . . . . . 228
TACACS+ Authorization Example—Custom Administrative Profile. . . . . . . . . . . . . . . . 229
TACACS+ Authorization Example—Per-command Authorization . . . . . . . . . . . . 230
RADIUS Authorization Example—Direct Login to Privileged EXEC Mode. . . . . . . . . . . 231
RADIUS Authorization Example—Administrative Profiles . . . . . . . . . . . . . . . 232
Using RADIUS Servers to Control Management Access . . . . . . . . . . . . . . . . . . . . . . . . . . 232
How Does RADIUS Control Management Access?. . . . . . . . . . . . . . . . . . . . . . . 232
Which RADIUS Attributes Does the Switch Support? . . . . . . . . . . . . . . . . . . . . . . 234
How Are RADIUS Attributes Processed on the Switch? . . . . . . . . . . . . . . . . . . . . . 236
Using TACACS+ Servers to Control Management Access . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Which TACACS+ Attributes Does the Switch Support? . . . . . . . . . . . . . . . . . . . . . . 238
Default Configurations. . . . . . . . . . . . . . . . . . 239
Method Lists . . . . . . . . . . . . . . . . . . . . 239
Access Lines (AAA) . . . . . . . . . . . . . . . . 239
Access Lines (Non-AAA) . . . . . . . . . . . . . . 240
Administrative Profiles . . . . . . . . . . . . . . . 240
11 Monitoring and Logging System Information . . . . . . . . . . . . . . . . . . . . . . 243
System Monitoring Overview . . . . . . . . . . . . . 243
What System Information Is Monitored? . . . . . 243
Why Is System Information Needed?. . . . . . . 244
Where Are Log Messages Sent? . . . . . . . . . 244
What Are the Severity Levels? . . . . . . . . . . 245
What Are the System Startup and Operation Logs? . . . . . . . . . . . . . . . . . . . . . . . 245
What Is the Log Message Format? . . . . . . . . 246
What Factors Should Be Considered When Configuring Logging? . . . . . . . . . . . . . . . 247
Default Log Settings . . . . . . . . . . . . . . . . . . 248
Monitoring System Information and Configuring Logging (Web) . . . . . . . . . . . . . . . . . . . . . 249
Device Information . . . . . . . . . . . . . . . . 249
System Health. . . . . . . . . . . . . . . . . . . 251
System Resources . . . . . . . . . . . . . . . . 252
Unit Power Usage History . . . . . . . . . . . . 253
Integrated Cable Test for Copper Cables . . . . . 254
Optical Transceiver Diagnostics . . . . . . . . . 255
Log Global Settings . . . . . . . . . . . . . . . . 257
RAM Log . . . . . . . . . . . . . . . . . . . . . 258
Log File . . . . . . . . . . . . . . . . . . . . . . 259
Syslog Server . . . . . . . . . . . . . . . . . . . 259
Email Alert Global Configuration . . . . . . . . . 262
Email Alert Mail Server Configuration . . . . . . 262
Email Alert Subject Configuration . . . . . . . . 264
Email Alert To Address Configuration. . . . . . . 265
Email Alert Statistics . . . . . . . . . . . . . . . 266
Monitoring System Information and Configuring Logging (CLI) . . . . . . . . . . . . . . . . . . . . . . . 267
Viewing System Information and Enabling the Locator LED. . . . . . . . . . . . . . . . . . . 267
Running Cable Diagnostics . . . . . . . . . . . . . 268
Configuring Local Logging . . . . . . . . . . . . . 269
Configuring Remote Logging . . . . . . . . . . . . 270
Configuring Mail Server Settings. . . . . . . . . . 271
Configuring Email Alerts for Log Messages . . . . 272
Logging Configuration Examples . . . . . . . . . . . . 274
Configuring Local and Remote Logging . . . . . . 274
Configuring Email Alerting . . . . . . . . . . . . . 276
12 Managing General System Settings . . . 279
System Settings Overview. . . . . . . . . . . . . . . . 279
Why Does System Information Need to Be Configured? . . . . . . . . . . . . . . . . . . . 281
What Are SDM Templates?. . . . . . . . . . . . . 281
Why is the System Time Needed? . . . . . . . . . 283
How Does SNTP Work? . . . . . . . . . . . . . . 283
What Configuration Is Required for Plug-In Modules? . . . . . . . . . . . . . . . . . . . . . . 284
What Are the Key PoE Plus Features for the N2024P/N2048P and N3024P/N3048P Switches?. . . . . . . . . . . . . . . . . . . . . . 285
Default General System Information . . . . . . . . . . 286
Configuring General System Settings (Web) . . . . 287
System Information . . . . . . . . . . . . . . . . . 287
CLI Banner . . . . . . . . . . . . . . . . . . . . . 290
SDM Template Preference . . . . . . . . . . . . . 291
Clock . . . . . . . . . . . . . . . . . . . . . . . . 292
SNTP Global Settings . . . . . . . . . . . . . . . . 293
SNTP Authentication . . . . . . . . . . . . . . . 294
SNTP Server . . . . . . . . . . . . . . . . . . . 296
Summer Time Configuration . . . . . . . . . . . 299
Time Zone Configuration . . . . . . . . . . . . . 300
Card Configuration . . . . . . . . . . . . . . . . 301
Slot Summary . . . . . . . . . . . . . . . . . . . 302
Supported Cards . . . . . . . . . . . . . . . . . 303
Power Over Ethernet Global Configuration (N2024P/N2048P and N3024P/N3048P Only) . . . 304
Power Over Ethernet Interface Configuration (N2024P/N2048P and N3024P/N3048P Only) . . . 305
Configuring System Settings (CLI) . . . . . . . . . . . 307
Configuring System Information . . . . . . . . . 307
Configuring the Banner . . . . . . . . . . . . . . 308
Managing the SDM Template. . . . . . . . . . . 309
Configuring SNTP Authentication and an SNTP Server . . . . . . . . . . . . . . . . . . . . . 309
Setting the System Time and Date Manually . . . 311
Configuring the Expansion Slots (N3000 Series Only) . . . . . . . . . . . . . . . . . . . . 312
Viewing Slot Information (N4000 Series Only). . . . . . . . . . . . . . . . . . . . . . . . 313
Configuring PoE Settings (N2024P/N2048P and N3024P/N3048P Only) . . . . . . . . . . . . 313
General System Settings Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . 315
Configuring System and Banner Information. . . 315
Configuring SNTP . . . . . . . . . . . . . . . . . 319
Configuring the Time Manually . . . . . . . . . . 321
13 Configuring SNMP . . . . . . . . . . . . . . . . . 323
SNMP Overview . . . . . . . . . . . . . . . . . . . . 323
What Is SNMP? . . . . . . . . . . . . . . . . . . 323
What Are SNMP Traps? . . . . . . . . . . . . . . 324
Why Is SNMP Needed? . . . . . . . . . . . . . . 325
Default SNMP Values . . . . . . . . . . . . . . . . . . 325
Configuring SNMP (Web) . . . . . . . . . . . . . . . . 327
SNMP Global Parameters . . . . . . . . . . . . . 327
SNMP View Settings . . . . . . . . . . . . . . . . 328
Access Control Group . . . . . . . . . . . . . . . 330
SNMPv3 User Security Model (USM) . . . . . . . 332
Communities . . . . . . . . . . . . . . . . . . . . 335
Notification Filter . . . . . . . . . . . . . . . . . . 337
Notification Recipients . . . . . . . . . . . . . . . 338
Trap Flags . . . . . . . . . . . . . . . . . . . . . . 340
OSPFv2 Trap Flags . . . . . . . . . . . . . . . . . 341
OSPFv3 Trap Flags . . . . . . . . . . . . . . . . . 342
Trap Log . . . . . . . . . . . . . . . . . . . . . . . 343
Configuring SNMP (CLI) . . . . . . . . . . . . . . . . . 345
Configuring the SNMPv3 Engine ID . . . . . . . . 345
Configuring SNMP Views, Groups, and Users . . . 346
Configuring Communities. . . . . . . . . . . . . . 349
Configuring SNMP Notifications (Traps and Informs) . . . . . . . . . . . . . . . . . . . . . . . 351
SNMP Configuration Examples . . . . . . . . . . . . . 354
Configuring SNMPv1 and SNMPv2. . . . . . . . . 354
Configuring SNMPv3 . . . . . . . . . . . . . . . . 355
14 Managing Images and Files . . . . . . . . . 359
Image and File Management Overview . . . . . . . . . 359
What Files Can Be Managed? . . . . . . . . . . . 359
Why Is File Management Needed?. . . . . . . . . 361
What Methods Are Supported for File Management?. . . . . . . . . . . . . . . . . . . 363
What Factors Should Be Considered When Managing Files?. . . . . . . . . . . . . . . . . . 364
How Is the Running Configuration Saved? . . . . 366
Managing Images and Files (Web) . . . . . . . . . . 367
File System . . . . . . . . . . . . . . . . . . . . 367
Active Images. . . . . . . . . . . . . . . . . . . 368
USB Flash Drive . . . . . . . . . . . . . . . . . . 369
File Download . . . . . . . . . . . . . . . . . . . 370
File Upload . . . . . . . . . . . . . . . . . . . . 372
Copy Files . . . . . . . . . . . . . . . . . . . . . 374
Managing Images and Files (CLI) . . . . . . . . . . . 375
Downloading and Activating a New Image (TFTP) . . . . . . . . . . . . . . . . . . . . . . . 375
Managing Files in Internal Flash . . . . . . . . . 377
Managing Files on a USB Flash Device . . . . . 379
Uploading a Configuration File (SCP) . . . . . . . 379
Managing Configuration Scripts (SFTP) . . . . . 380
File and Image Management Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . 381
Upgrading the Firmware . . . . . . . . . . . . . 381
Managing Configuration Scripts . . . . . . . . . 384
Managing Files by Using the USB Flash Drive. . . . . . . . . . . . . . . . . . . . . . . . 386
15 Automatically Updating the Image and Configuration . . . . . . . . . . . . . . . . . 389
Auto Configuration Overview . . . . . . . . . . . . . 389
What Is USB Auto Configuration? . . . . . . . . 390
What Files Does USB Auto Configuration Use? . . . . . . . . . . . . . . . . . . . . . . . . 390
How Does USB Auto Configuration Use the Files on the USB Device?. . . . . . . . . . . . . . 391
What Is the Setup File Format?. . . . . . . . . . . 392
What Is the DHCP Auto Configuration Process? . . . . . . . . . . . . . . . . . . . . . . 393
Monitoring and Completing the DHCP Auto Configuration Process . . . . . . . . . . . . . . . 398
What Are the Dependencies for DHCP Auto Configuration? . . . . . . . . . . . . . . . . . . . 399
Default Auto Configuration Values . . . . . . . . . . . 400
Managing Auto Configuration (Web) . . . . . . . . . . 401
Auto-Install Configuration . . . . . . . . . . . . . 401
Managing Auto Configuration (CLI) . . . . . . . . . . . 402
Managing Auto Configuration . . . . . . . . . . . 402
Auto Configuration Example. . . . . . . . . . . . . . . 403
Enabling USB Auto Configuration and Auto Image Download . . . . . . . . . . . . . . . . . . 403
Enabling DHCP Auto Configuration and Auto Image Download . . . . . . . . . . . . . . . . . . 405
Easy Image Upgrade via USB . . . . . . . . . . . 406
16 Monitoring Switch Traffic . . . . . . . . . . . 407
Traffic Monitoring Overview . . . . . . . . . . . . . . 407
What is sFlow Technology?. . . . . . . . . . . . . 407
What is RMON?. . . . . . . . . . . . . . . . . . . 410
What is Port Mirroring?. . . . . . . . . . . . . . . 411
Port Mirroring Behaviors . . . . . . . . . . . . . . 412
Remote Capture. . . . . . . . . . . . . . . . . . . 413
Why is Traffic Monitoring Needed? . . . . . . . . 413
Default Traffic Monitoring Values . . . . . . . . . . . 414
Monitoring Switch Traffic (Web) . . . . . . . . . . . 414
sFlow Agent Summary . . . . . . . . . . . . . . 414
sFlow Receiver Configuration . . . . . . . . . . 416
sFlow Sampler Configuration . . . . . . . . . . . 417
sFlow Poll Configuration . . . . . . . . . . . . . 418
Interface Statistics . . . . . . . . . . . . . . . . 419
Etherlike Statistics . . . . . . . . . . . . . . . . 420
GVRP Statistics . . . . . . . . . . . . . . . . . . 421
EAP Statistics . . . . . . . . . . . . . . . . . . . 422
Utilization Summary. . . . . . . . . . . . . . . . 423
Counter Summary. . . . . . . . . . . . . . . . . 424
Switchport Statistics . . . . . . . . . . . . . . . 425
RMON Statistics . . . . . . . . . . . . . . . . . 426
RMON History Control Statistics . . . . . . . . . 427
RMON History Table . . . . . . . . . . . . . . . 429
RMON Event Control . . . . . . . . . . . . . . . 430
RMON Event Log . . . . . . . . . . . . . . . . . 432
RMON Alarms. . . . . . . . . . . . . . . . . . . 433
Port Statistics . . . . . . . . . . . . . . . . . . . 435
LAG Statistics . . . . . . . . . . . . . . . . . . . 436
Port Mirroring . . . . . . . . . . . . . . . . . . . 437
Monitoring Switch Traffic (CLI) . . . . . . . . . . . . 439
Configuring sFlow . . . . . . . . . . . . . . . . . 439
Configuring RMON . . . . . . . . . . . . . . . . 441
Viewing Statistics . . . . . . . . . . . . . . . . . 443
Configuring Port Mirroring . . . . . . . . . . . . 444
Configuring RSPAN . . . . . . . . . . . . . . . . 445
Traffic Monitoring Configuration Examples . . . . . . 447
Configuring sFlow . . . . . . . . . . . . . . . . . 447
Configuring RMON . . . . . . . . . . . . . . . . 449
Configuring Remote Capture . . . . . . . . . . . 450
Configuring RSPAN . . . . . . . . . . . . . . . . 455
17 Configuring iSCSI Optimization . . . . . . . 459
iSCSI Optimization Overview . . . . . . . . . . . . . . 459
What Does iSCSI Optimization Do?. . . . . . . . . 460
How Does the Switch Detect iSCSI Traffic Flows? . . . . . . . . . . . . . . . . . . . . 460
How Is Quality of Service Applied to iSCSI Traffic Flows? . . . . . . . . . . . . . . . . . . . . 460
How Does iSCSI Optimization Use ACLs? . . . . . 461
What Information Does the Switch Track in iSCSI Traffic Flows?. . . . . . . . . . . . . . . . . 462
How Does iSCSI Optimization Interact With Dell EqualLogic Arrays? . . . . . . . . . . . . . . 463
What Occurs When iSCSI Optimization Is Enabled or Disabled? . . . . . . . . . . . . . . . . 463
How Does iSCSI Optimization Interact with DCBx?. . . . . . . . . . . . . . . . . . . . . . . . 464
How Does iSCSI Optimization Interact with Dell Compellent Arrays? . . . . . . . . . . . . . . 464
iSCSI CoS and Priority Flow Control/Enhanced Transmission Selection Interactions . . . . . . . . 465
Default iSCSI Optimization Values . . . . . . . . . . . 466
Configuring iSCSI Optimization (Web) . . . . . . . . . 467
iSCSI Global Configuration . . . . . . . . . . . . . 467
iSCSI Targets Table . . . . . . . . . . . . . . . . . 468
iSCSI Sessions Table . . . . . . . . . . . . . . . . 469
iSCSI Sessions Detailed . . . . . . . . . . . . . . 470
Configuring iSCSI Optimization (CLI) . . . . . . . . . . 471
iSCSI Optimization Configuration Examples . . . . . . 473
Configuring iSCSI Optimization Between Servers and a Disk Array . . . . . . . . . . . . . . 473
18 Configuring Port Characteristics. . . . . . 477
Port Overview . . . . . . . . . . . . . . . . . . . . . 477
What Physical Port Characteristics Can Be Configured? . . . . . . . . . . . . . . . . . . 477
What is Link Dependency? . . . . . . . . . . . . 479
What Interface Types are Supported? . . . . . . 481
What is Interface Configuration Mode? . . . . . 481
What Are the Green Ethernet Features? . . . . . 483
Default Port Values. . . . . . . . . . . . . . . . . . . 485
Configuring Port Characteristics (Web) . . . . . . . . 486
Port Configuration. . . . . . . . . . . . . . . . . 486
Link Dependency Configuration . . . . . . . . . 489
Link Dependency Summary. . . . . . . . . . . . 491
Port Green Ethernet Configuration . . . . . . . . 492
Port Green Ethernet Statistics . . . . . . . . . . 493
Port Green Ethernet LPI History . . . . . . . . . 495
Configuring Port Characteristics (CLI). . . . . . . . . 496
Configuring Port Settings . . . . . . . . . . . . . 496
Configuring Link Dependencies . . . . . . . . . 497
Configuring Green Features . . . . . . . . . . . 498
Port Configuration Examples . . . . . . . . . . . . . 500
Configuring Port Settings . . . . . . . . . . . . . 500
Configuring Link Dependency Groups . . . . . 501
19 Configuring Port and System Security . . . . . . . . . . 503
Port-based Security—IEEE 802.1X and Port MAC Locking . . . . . . . . . . 503
IEEE 802.1X . . . . . . . . . . . . . . . . . . . . 504
Port Security (Port-MAC Locking) . . . . . . . . . 539
Captive Portal . . . . . . . . . . . . . . . . . . . . . . 543
Captive Portal Overview . . . . . . . . . . . . . . 543
Default Captive Portal Behavior and Settings . . . 548
Configuring the Captive Portal (Web) . . . . . . . 550
Configuring Captive Portal (CLI) . . . . . . . . . . 568
Captive Portal Configuration Example . . . . . . . 574
Authentication Manager. . . . . . . . . . . . . . . . . 578
Overview . . . . . . . . . . . . . . . . . . . . . . 578
Authentication Restart . . . . . . . . . . . . . . . 579
802.1X Interaction. . . . . . . . . . . . . . . . . . 579
Authentication Priority . . . . . . . . . . . . . . . 579
Configuration Example—802.1X and MAB . . . . . 580
Denial of Service . . . . . . . . . . . . . . . . . . . . 582
20 Configuring Access Control Lists . . . . . 583
ACL Overview . . . . . . . . . . . . . . . . . . . . . . 583
What Are MAC ACLs? . . . . . . . . . . . . . . . 584
What Are IP ACLs? . . . . . . . . . . . . . . . . . 585
What Is the ACL Redirect Function? . . . . . . . . 585
What Is the ACL Mirror Function? . . . . . . . . . 585
What Is ACL Logging? . . . . . . . . . . . . . . . 586
What Are Time-Based ACLs?. . . . . . . . . . . . 586
What Are the ACL Limitations? . . . . . . . . . . . 587
ACL Configuration Details . . . . . . . . . . . . . . . . 591
How Are ACLs Configured?. . . . . . . . . . . . . 591
Editing Access Lists . . . . . . . . . . . . . . . . 591
Preventing False ACL Matches. . . . . . . . . . . 591
Using IP and MAC Address Masks. . . . . . . . . 593
Policy Based Routing . . . . . . . . . . . . . . . . . 594
Overview . . . . . . . . . . . . . . . . . . . . . 594
Limitations. . . . . . . . . . . . . . . . . . . . . 596
Examples . . . . . . . . . . . . . . . . . . . . . 598
Configuring ACLs (Web) . . . . . . . . . . . . . . . . 599
IP ACL Configuration . . . . . . . . . . . . . . . 599
IP ACL Rule Configuration . . . . . . . . . . . . 601
MAC ACL Configuration. . . . . . . . . . . . . . 603
MAC ACL Rule Configuration . . . . . . . . . . . 605
IPv6 ACL Configuration . . . . . . . . . . . . . . 606
IPv6 ACL Rule Configuration . . . . . . . . . . . 607
ACL Binding Configuration . . . . . . . . . . . . 609
Time Range Entry Configuration . . . . . . . . . 610
Configuring ACLs (CLI) . . . . . . . . . . . . . . . . . 612
Configuring an IPv4 ACL . . . . . . . . . . . . . 612
Configuring a MAC ACL. . . . . . . . . . . . . . 618
Configuring an IPv6 ACL . . . . . . . . . . . . . 623
Configuring a Time Range. . . . . . . . . . . . . 626
ACL Configuration Examples. . . . . . . . . . . . . . 628
Basic Rules . . . . . . . . . . . . . . . . . . . . 628
Internal System ACLs . . . . . . . . . . . . . . . 629
Complete ACL Example . . . . . . . . . . . . . . 629
Advanced Examples . . . . . . . . . . . . . . . 633
Policy Based Routing Examples . . . . . . . . . 640
21 Configuring VLANs. . . . . . . . . . . . . . . . . 645
VLAN Overview . . . . . . . . . . . . . . . . . . . . 645
Switchport Modes . . . . . . . . . . . . . . . . 648
VLAN Tagging . . . . . . . . . . . . . . . . . . . 649
GVRP . . . . . . . . . . . . . . . . . . . . . . . 650
Double-VLAN Tagging . . . . . . . . . . . . . . . 651
Voice VLAN . . . . . . . . . . . . . . . . . . . . . 652
Private VLANs . . . . . . . . . . . . . . . . . . . 654
Additional VLAN Features . . . . . . . . . . . . . 660
Default VLAN Behavior . . . . . . . . . . . . . . . . . 661
Configuring VLANs (Web) . . . . . . . . . . . . . . . . 663
VLAN Membership . . . . . . . . . . . . . . . . . 663
VLAN Port Settings . . . . . . . . . . . . . . . . . 668
VLAN LAG Settings . . . . . . . . . . . . . . . . . 669
Bind MAC to VLAN . . . . . . . . . . . . . . . . . 671
Bind IP Subnet to VLAN . . . . . . . . . . . . . . 672
GVRP Parameters. . . . . . . . . . . . . . . . . . 673
Protocol Group . . . . . . . . . . . . . . . . . . . 675
Adding a Protocol Group . . . . . . . . . . . . . . 676
Double VLAN Global Configuration. . . . . . . . . 678
Double VLAN Interface Configuration . . . . . . . 679
Voice VLAN . . . . . . . . . . . . . . . . . . . . . 681
Configuring VLANs (CLI) . . . . . . . . . . . . . . . . . 682
Creating a VLAN . . . . . . . . . . . . . . . . . . 682
Configuring a Port in Access Mode . . . . . . . . 682
Configuring a Port in Trunk Mode . . . . . . . . . 683
Configuring a Port in General Mode . . . . . . . . 686
Configuring VLAN Settings for a LAG . . . . . . . 688
Configuring Double VLAN Tagging . . . . . . . . . 689
Configuring MAC-Based VLANs . . . . . . . . . . 691
Configuring IP-Based VLANs. . . . . . . . . . . . 692
Configuring a Protocol-Based VLAN . . . . . . . . 693
Configuring GVRP. . . . . . . . . . . . . . . . . . 695
Configuring Voice VLANs. . . . . . . . . . . . . . 697
VLAN Configuration Examples . . . . . . . . . . . . . 698
Configuring VLANs Using Dell OpenManage Administrator . . . . . . . . . . 701
Configure the VLANs and Ports on Switch 2 . . . 705
Configuring VLANs Using the CLI . . . . . . . . . 706
Configuring a Voice VLAN . . . . . . . . . . . . 710
22 Configuring the Spanning Tree Protocol . . . . . . . . . . 715
STP Overview . . . . . . . . . . . . . . . . . . . . . 715
What Are Classic STP, Multiple STP, and Rapid STP? . . . . . . . . . . 715
How Does STP Work?. . . . . . . . . . . . . . . 716
How Does MSTP Operate in the Network?. . . . 717
MSTP with Multiple Forwarding Paths . . . . . . 721
What are the Optional STP Features? . . . . . . 722
RSTP-PV . . . . . . . . . . . . . . . . . . . . . . . . 724
DirectLink Rapid Convergence . . . . . . . . . . 725
IndirectLink Rapid Convergence Feature. . . . . 727
Interoperability Between STP-PV and RSTP-PV Modes . . . . . . . . . . 729
Interoperability With IEEE Spanning Tree Protocols . . . . . . . . . . 729
Configuration Examples. . . . . . . . . . . . . . 734
Default STP Values. . . . . . . . . . . . . . . . . . . 735
Configuring Spanning Tree (Web) . . . . . . . . . . . 736
STP Global Settings. . . . . . . . . . . . . . . . 736
STP Port Settings . . . . . . . . . . . . . . . . . 738
STP LAG Settings . . . . . . . . . . . . . . . . . 740
Rapid Spanning Tree . . . . . . . . . . . . . . . 741
MSTP Settings . . . . . . . . . . . . . . . . . . 743
MSTP Interface Settings . . . . . . . . . . . . . 745
Configuring Spanning Tree (CLI). . . . . . . . . . . . . 746
Configuring Global STP Bridge Settings . . . . . . 746
Configuring Optional STP Features. . . . . . . . . 747
Configuring STP Interface Settings . . . . . . . . 748
Configuring MSTP Switch Settings. . . . . . . . . 749
Configuring MSTP Interface Settings . . . . . . . 750
STP Configuration Examples . . . . . . . . . . . . . . 751
STP Configuration Example. . . . . . . . . . . . . 751
MSTP Configuration Example . . . . . . . . . . . 753
RSTP-PV Access Switch Configuration Example . . . . . . . . . . 756
23 Discovering Network Devices. . . . . . . . 761
Device Discovery Overview . . . . . . . . . . . . . . . 761
What Is ISDP? . . . . . . . . . . . . . . . . . . . 761
What is LLDP? . . . . . . . . . . . . . . . . . . . 761
What is LLDP-MED? . . . . . . . . . . . . . . . . 762
Why are Device Discovery Protocols Needed? . . . . . . . . . . 762
Default ISDP and LLDP Values . . . . . . . . . . . . . 763
Configuring ISDP and LLDP (Web). . . . . . . . . . . . 765
ISDP Global Configuration . . . . . . . . . . . . . 765
ISDP Cache Table. . . . . . . . . . . . . . . . . . 766
ISDP Interface Configuration. . . . . . . . . . . . 767
ISDP Statistics . . . . . . . . . . . . . . . . . . . 768
LLDP Configuration . . . . . . . . . . . . . . . . . 769
LLDP Statistics . . . . . . . . . . . . . . . . . . . 771
LLDP Connections . . . . . . . . . . . . . . . . . 772
LLDP-MED Global Configuration . . . . . . . . . . 774
LLDP-MED Interface Configuration . . . . . . . . 775
LLDP-MED Local Device Information . . . . . . . 776
LLDP-MED Remote Device Information . . . . . 776
Configuring ISDP and LLDP (CLI) . . . . . . . . . . . 777
Configuring Global ISDP Settings. . . . . . . . . 777
Enabling ISDP on a Port . . . . . . . . . . . . . 778
Viewing and Clearing ISDP Information . . . . . 778
Configuring Global LLDP Settings. . . . . . . . . 779
Configuring Port-based LLDP Settings . . . . . . 779
Viewing and Clearing LLDP Information . . . . . 780
Configuring LLDP-MED Settings . . . . . . . . . 781
Viewing LLDP-MED Information . . . . . . . . . 782
Device Discovery Configuration Examples . . . . . . 782
Configuring ISDP . . . . . . . . . . . . . . . . . 782
Configuring LLDP . . . . . . . . . . . . . . . . . 783
24 Configuring Port-Based Traffic Control . . . . . . . . . . 787
Port-Based Traffic Control Overview . . . . . . . . . 787
What is Flow Control?. . . . . . . . . . . . . . . 788
What is Storm Control? . . . . . . . . . . . . . . 788
What are Protected Ports? . . . . . . . . . . . . 789
What is Link Local Protocol Filtering? . . . . . . 789
Default Port-Based Traffic Control Values . . . . . . 790
Configuring Port-Based Traffic Control (Web) . . . . 791
Flow Control (Global Port Parameters) . . . . . . 791
Storm Control . . . . . . . . . . . . . . . . . . . 792
Protected Port Configuration . . . . . . . . . . . 794
LLPF Configuration . . . . . . . . . . . . . . . . 796
Configuring Port-Based Traffic Control (CLI) . . . . . 798
Configuring Flow Control and Storm Control . . . 798
Configuring Protected Ports . . . . . . . . . . . . 799
Configuring LLPF . . . . . . . . . . . . . . . . . . 800
Port-Based Traffic Control Configuration Example . . . 801
25 Configuring L2 Multicast Features . . . . 803
L2 Multicast Overview. . . . . . . . . . . . . . . . . . 803
Multicast Flooding and Forwarding . . . . . . . . 803
What Are the Multicast Bridging Features? . . . . 804
What Is L2 Multicast Traffic? . . . . . . . . . . . . 804
What Is IGMP Snooping?. . . . . . . . . . . . . . 805
What Is MLD Snooping? . . . . . . . . . . . . . . 807
What Is Multicast VLAN Registration? . . . . . . . 808
When Are L3 Multicast Features Required? . . . . 809
What Are GARP and GMRP? . . . . . . . . . . . . 810
Snooping Switch Restrictions. . . . . . . . . . . . . . 812
Partial IGMPv3 and MLDv2 Support . . . . . . . . 812
MAC Address-Based Multicast Group . . . . . . . 812
IGMP/MLD Snooping in a Multicast Router . . . . 812
Topologies Where the Multicast Source Is Not Directly Connected to the Querier . . . . . . . . . . 813
Using Static Multicast MAC Configuration. . . . . 813
IGMP Snooping and GMRP. . . . . . . . . . . . . 813
Default L2 Multicast Values . . . . . . . . . . . . . . . 814
Configuring L2 Multicast Features (Web) . . . . . . . . 816
Multicast Global Parameters . . . . . . . . . . . . 816
Bridge Multicast Group. . . . . . . . . . . . . . . 817
MRouter Status . . . . . . . . . . . . . . . . . . . 820
General IGMP Snooping . . . . . . . . . . . . . . 821
Global Querier Configuration . . . . . . . . . . . . 824
VLAN Querier . . . . . . . . . . . . . . . . . . . . 825
VLAN Querier Status . . . . . . . . . . . . . . . 827
MFDB IGMP Snooping Table . . . . . . . . . . . 828
MLD Snooping General . . . . . . . . . . . . . . 829
MLD Snooping Global Querier Configuration. . . 831
MLD Snooping VLAN Querier. . . . . . . . . . . 832
MLD Snooping VLAN Querier Status . . . . . . . 834
MFDB MLD Snooping Table . . . . . . . . . . . 835
MVR Global Configuration . . . . . . . . . . . . 836
MVR Members . . . . . . . . . . . . . . . . . . 837
MVR Interface Configuration . . . . . . . . . . . 838
MVR Statistics . . . . . . . . . . . . . . . . . . 840
GARP Timers . . . . . . . . . . . . . . . . . . . 841
GMRP Parameters . . . . . . . . . . . . . . . . 843
MFDB GMRP Table . . . . . . . . . . . . . . . . 845
Configuring L2 Multicast Features (CLI) . . . . . . . . 846
Configuring Layer 2 Multicasting . . . . . . . . . 846
Configuring IGMP Snooping on VLANs. . . . . . 847
Configuring IGMP Snooping Querier . . . . . . . 848
Configuring MLD Snooping on VLANs . . . . . . 849
Configuring MLD Snooping Querier . . . . . . . 850
Configuring MVR . . . . . . . . . . . . . . . . . 851
Configuring GARP Timers and GMRP. . . . . . . 853
Case Study on a Real-World Network Topology . . . 854
Multicast Snooping Case Study . . . . . . . . . 854
26 Configuring Connectivity Fault Management . . . . . . . . . . 859
Dot1ag Overview . . . . . . . . . . . . . . . . . . . . 859
How Does Dot1ag Work Across a Carrier Network? . . . . . . . . . . 860
What Entities Make Up a Maintenance Domain? . . . . . . . . . . 861
What Is the Administrator's Role? . . . . . . . . . 863
Default Dot1ag Values . . . . . . . . . . . . . . . . . . 864
Configuring Dot1ag (Web) . . . . . . . . . . . . . . . . 865
Dot1ag Global Configuration . . . . . . . . . . . . 865
Dot1ag MD Configuration. . . . . . . . . . . . . . 865
Dot1ag MA Configuration. . . . . . . . . . . . . . 866
Dot1ag MEP Configuration . . . . . . . . . . . . . 867
Dot1ag MIP Configuration . . . . . . . . . . . . . 868
Dot1ag RMEP Summary . . . . . . . . . . . . . . 869
Dot1ag L2 Ping . . . . . . . . . . . . . . . . . . . 870
Dot1ag L2 Traceroute . . . . . . . . . . . . . . . . 870
Dot1ag L2 Traceroute Cache . . . . . . . . . . . . 871
Dot1ag Statistics . . . . . . . . . . . . . . . . . . 872
Configuring Dot1ag (CLI). . . . . . . . . . . . . . . . . 873
Configuring Dot1ag Global Settings and Creating Domains . . . . . . . . . . 873
Configuring MEP Information. . . . . . . . . . . . 874
Dot1ag Ping and Traceroute . . . . . . . . . . . . 875
Dot1ag Configuration Example . . . . . . . . . . . . . 876
27 Snooping and Inspecting Traffic . . . . . . 879
Traffic Snooping and Inspection Overview . . . . . . . 879
What Is DHCP Snooping?. . . . . . . . . . . . . . 880
How Is the DHCP Snooping Bindings Database Populated? . . . . . . . . . . 881
What Is IP Source Guard? . . . . . . . . . . . . . 883
What is Dynamic ARP Inspection? . . . . . . . . . 884
Why Is Traffic Snooping and Inspection Necessary? . . . . . . . . . . 885
Default Traffic Snooping and Inspection Values . . . 885
Configuring Traffic Snooping and Inspection (Web) . . . . . . . . . . 887
DHCP Snooping Configuration . . . . . . . . . . 887
DHCP Snooping Interface Configuration . . . . . 888
DHCP Snooping VLAN Configuration . . . . . . . 890
DHCP Snooping Persistent Configuration . . . . 891
DHCP Snooping Static Bindings Configuration . . . . . . . . . . 892
DHCP Snooping Dynamic Bindings Summary . . . . . . . . . . 893
DHCP Snooping Statistics . . . . . . . . . . . . 894
IPSG Interface Configuration . . . . . . . . . . . 895
IPSG Binding Configuration. . . . . . . . . . . . 895
IPSG Binding Summary . . . . . . . . . . . . . . 896
DAI Global Configuration . . . . . . . . . . . . . 897
DAI Interface Configuration . . . . . . . . . . . 898
DAI VLAN Configuration . . . . . . . . . . . . . 900
DAI ACL Configuration . . . . . . . . . . . . . . 901
DAI ACL Rule Configuration. . . . . . . . . . . . 901
DAI Statistics . . . . . . . . . . . . . . . . . . . 902
Configuring Traffic Snooping and Inspection (CLI) . . . . . . . . . . 904
Configuring DHCP Snooping . . . . . . . . . . . 904
Configuring IP Source Guard . . . . . . . . . . . 906
Configuring Dynamic ARP Inspection . . . . . . 907
Traffic Snooping and Inspection Configuration Examples . . . . . . . . . . 910
Configuring DHCP Snooping . . . . . . . . . . . 910
Configuring IPSG . . . . . . . . . . . . . . . . . 912
28 Configuring Link Aggregation . . . . . . . . 913
Link Aggregation. . . . . . . . . . . . . . . . . . . . . 913
Overview . . . . . . . . . . . . . . . . . . . . . . 913
Default Link Aggregation Values . . . . . . . . . . 917
Configuring Link Aggregation (Web) . . . . . . . . 918
Configuring Link Aggregation (CLI) . . . . . . . . . 925
Link Aggregation Configuration Examples . . . . . 929
Multi-Switch LAG (MLAG). . . . . . . . . . . . . . . . 932
Overview . . . . . . . . . . . . . . . . . . . . . . 932
Deployment Scenarios . . . . . . . . . . . . . . . 933
Definitions . . . . . . . . . . . . . . . . . . . . . 935
Configuration Consistency . . . . . . . . . . . . . 936
Operation in the Network. . . . . . . . . . . . . . 939
L2 Configuration Steps . . . . . . . . . . . . . . . 942
Switch Firmware Upgrade Procedure . . . . . . . 945
Static Routing on MLAG Interfaces . . . . . . . . 946
Caveats and Limitations . . . . . . . . . . . . . . 953
Basic Configuration Example. . . . . . . . . . . . 959
A Complete Example . . . . . . . . . . . . . . . . 966
29 Configuring Data Center Bridging Features . . . . . . . . . . 983
Data Center Bridging Technology Overview . . . . . . 983
Default DCB Values. . . . . . . . . . . . . . . . . 984
Priority Flow Control. . . . . . . . . . . . . . . . . . . 985
PFC Operation and Behavior . . . . . . . . . . . . 985
Configuring PFC Using the Web Interface . . . . . 986
Configuring PFC Using the CLI . . . . . . . . . . . 988
PFC Configuration Example. . . . . . . . . . . . . 990
DCB Capability Exchange . . . . . . . . . . . . . . . 992
Interoperability with IEEE DCBx . . . . . . . . . 993
DCBx and Port Roles . . . . . . . . . . . . . . . 993
Configuration Source Port Selection Process . . . . . . . . . . 995
Disabling DCBx . . . . . . . . . . . . . . . . . . 996
Configuring DCBx . . . . . . . . . . . . . . . . . 997
Enhanced Transmission Selection. . . . . . . . . . . 999
ETS Operation. . . . . . . . . . . . . . . . . . . 999
Commands . . . . . . . . . . . . . . . . . . . . 1002
ETS Configuration Example . . . . . . . . . . . . 1003
ETS Theory of Operation . . . . . . . . . . . . . 1009
30 Managing the MAC Address Table . . . 1015
MAC Address Table Overview . . . . . . . . . . . . . 1015
How Is the Address Table Populated? . . . . . . 1015
What Information Is in the MAC Address Table? . . . . . . . . . . 1016
How Is the MAC Address Table Maintained Across a Stack? . . . . . . . . . . 1016
Default MAC Address Table Values . . . . . . . . . . 1016
Managing the MAC Address Table (Web) . . . . . . . 1017
Static Address Table . . . . . . . . . . . . . . . 1017
Global Address Table . . . . . . . . . . . . . . . 1019
Managing the MAC Address Table (CLI). . . . . . . . 1020
Managing the MAC Address Table . . . . . . . . 1020
31 Configuring Routing Interfaces . . . . . . 1021
Routing Interface Overview . . . . . . . . . . . . . . 1021
What Are VLAN Routing Interfaces? . . . . . . . 1021
What Are Loopback Interfaces? . . . . . . . . . 1022
What Are Tunnel Interfaces?. . . . . . . . . . . 1023
Why Are Routing Interfaces Needed? . . . . . . 1024
Default Routing Interface Values . . . . . . . . . . . 1026
Configuring Routing Interfaces (Web). . . . . . . . . 1027
IP Interface Configuration . . . . . . . . . . . . 1027
DHCP Lease Parameters . . . . . . . . . . . . . 1028
VLAN Routing Summary . . . . . . . . . . . . . 1028
Tunnel Configuration . . . . . . . . . . . . . . . 1029
Tunnels Summary. . . . . . . . . . . . . . . . . 1030
Loopbacks Configuration . . . . . . . . . . . . . 1031
Loopbacks Summary . . . . . . . . . . . . . . . 1032
Configuring Routing Interfaces (CLI) . . . . . . . . . 1033
Configuring VLAN Routing Interfaces (IPv4) . . . 1033
Configuring Loopback Interfaces. . . . . . . . . 1035
Configuring Tunnels . . . . . . . . . . . . . . . 1036
32 Configuring DHCP Server and Relay Settings . . . . . . . . . . 1037
DHCP Overview . . . . . . . . . . . . . . . . . . . . 1037
How Does DHCP Work? . . . . . . . . . . . . . 1038
What are DHCP Options?. . . . . . . . . . . . . 1038
How is DHCP Option 82 Used? . . . . . . . . . . 1039
What Additional DHCP Features Does the Switch Support? . . . . . . . . . . 1041
Default DHCP Server Values . . . . . . . . . . . . . . 1042
Configuring the DHCP Server (Web) . . . . . . . . . . 1043
DHCP Server Network Properties . . . . . . . . 1043
Address Pool . . . . . . . . . . . . . . . . . . . 1045
Address Pool Options . . . . . . . . . . . . . . . 1049
DHCP Bindings . . . . . . . . . . . . . . . . . . 1051
DHCP Server Reset Configuration . . . . . . . . 1052
DHCP Server Conflicts Information . . . . . . . . 1052
DHCP Server Statistics . . . . . . . . . . . . . . 1053
Configuring the DHCP Server (CLI) . . . . . . . . . . 1054
Configuring Global DHCP Server Settings . . . . 1054
Configuring a Dynamic Address Pool. . . . . . . 1055
Configuring a Static Address Pool . . . . . . . . 1056
Monitoring DHCP Server Information . . . . . . 1057
DHCP Server Configuration Examples. . . . . . . . . 1058
Configuring a Dynamic Address Pool. . . . . . . 1058
Configuring a Static Address Pool . . . . . . . . 1060
33 Configuring IP Routing. . . . . . . . . . . . . 1063
IP Routing Overview . . . . . . . . . . . . . . . . . . 1063
Default IP Routing Values . . . . . . . . . . . . . . . 1065
ARP Table. . . . . . . . . . . . . . . . . . . . . . . . 1066
Configuring IP Routing Features (Web) . . . . . . . . 1067
IP Configuration . . . . . . . . . . . . . . . . . . 1067
IP Statistics . . . . . . . . . . . . . . . . . . . . 1068
ARP Create . . . . . . . . . . . . . . . . . . . . 1069
ARP Table Configuration . . . . . . . . . . . . . 1070
Router Discovery Configuration . . . . . . . . . 1071
Router Discovery Status . . . . . . . . . . . . . 1072
Route Table . . . . . . . . . . . . . . . . . . . . 1073
Best Routes Table . . . . . . . . . . . . . . . . 1074
Route Entry Configuration . . . . . . . . . . . . 1075
Configured Routes . . . . . . . . . . . . . . . . 1077
Route Preferences Configuration . . . . . . . . 1078
Configuring IP Routing Features (CLI) . . . . . . . . . 1079
Configuring Global IP Routing Settings. . . . . . 1079
Adding Static ARP Entries and Configuring ARP Table Settings . . . . . . . . . . 1080
Configuring Router Discovery (IRDP). . . . . . . 1081
Configuring Route Table Entries and Route Preferences . . . . . . . . . . 1082
IP Routing Configuration Example . . . . . . . . . . 1084
Configuring Dell Networking Switch A . . . . . . 1085
Configuring Dell Networking Switch B . . . . . . 1086
34 Configuring L2 and L3 Relay Features . . . . . . . . . . 1087
L2 and L3 Relay Overview . . . . . . . . . . . . . . . 1087
What Is L3 DHCP Relay? . . . . . . . . . . . . . 1087
What Is L2 DHCP Relay? . . . . . . . . . . . . . 1088
What Is the IP Helper Feature?. . . . . . . . . . 1089
Default L2/L3 Relay Values . . . . . . . . . . . . . . 1093
Configuring L2 and L3 Relay Features (Web) . . . . . 1094
DHCP Relay Global Configuration . . . . . . . . 1094
DHCP Relay Interface Configuration . . . . . . . 1095
DHCP Relay Interface Statistics . . . . . . . . . 1097
DHCP Relay VLAN Configuration . . . . . . . . . 1098
DHCP Relay Agent Configuration. . . . . . . . . 1098
IP Helper Global Configuration . . . . . . . . . . 1100
IP Helper Interface Configuration . . . . . . . . 1102
IP Helper Statistics . . . . . . . . . . . . . . . . 1104
Configuring L2 and L3 Relay Features (CLI) . . . . . . 1105
Configuring L2 DHCP Relay . . . . . . . . . . . . 1105
Configuring L3 Relay (IP Helper) Settings . . . . 1107
Relay Agent Configuration Example. . . . . . . . . . 1109
35 Configuring OSPF and OSPFv3. . . . . . . 1111
OSPF Overview. . . . . . . . . . . . . . . . . . . . . 1112
What Are OSPF Areas and Other OSPF Topology Features? . . . . . . . . . . 1112
What Are OSPF Routers and LSAs? . . . . . . . 1113
How Are Routes Selected? . . . . . . . . . . . . 1113
How Are OSPF and OSPFv3 Different? . . . . . . 1113
OSPF Feature Details. . . . . . . . . . . . . . . . . . 1114
Max Metric . . . . . . . . . . . . . . . . . . . . 1114
Static Area Range Cost . . . . . . . . . . . . . . 1116
LSA Pacing . . . . . . . . . . . . . . . . . . . . 1117
Flood Blocking . . . . . . . . . . . . . . . . . . 1118
Default OSPF Values . . . . . . . . . . . . . . . . . . 1120
Configuring OSPF Features (Web) . . . . . . . . . . . 1122
OSPF Configuration . . . . . . . . . . . . . . . . 1122
OSPF Area Configuration . . . . . . . . . . . . . 1123
OSPF Stub Area Summary . . . . . . . . . . . . 1126
OSPF Area Range Configuration . . . . . . . . . 1127
OSPF Interface Statistics . . . . . . . . . . . . . 1128
OSPF Interface Configuration. . . . . . . . . . . 1129
OSPF Neighbor Table . . . . . . . . . . . . . . . 1130
OSPF Neighbor Configuration . . . . . . . . . . 1131
OSPF Link State Database . . . . . . . . . . . . 1132
OSPF Virtual Link Configuration . . . . . . . . . 1132
OSPF Virtual Link Summary. . . . . . . . . . . . 1134
OSPF Route Redistribution Configuration . . . . 1135
OSPF Route Redistribution Summary. . . . . . . 1136
NSF OSPF Configuration . . . . . . . . . . . . . 1137
Configuring OSPFv3 Features (Web) . . . . . . . . . 1138
OSPFv3 Configuration . . . . . . . . . . . . . . 1138
OSPFv3 Area Configuration. . . . . . . . . . . . 1139
OSPFv3 Stub Area Summary . . . . . . . . . . . 1142
OSPFv3 Area Range Configuration . . . . . . . . 1143
OSPFv3 Interface Configuration . . . . . . . . . 1144
OSPFv3 Interface Statistics . . . . . . . . . . . 1145
OSPFv3 Neighbors . . . . . . . . . . . . . . . . 1146
OSPFv3 Neighbor Table. . . . . . . . . . . . . . 1147
OSPFv3 Link State Database . . . . . . . . . . . 1148
OSPFv3 Virtual Link Configuration . . . . . . . . 1149
OSPFv3 Virtual Link Summary . . . . . . . . . . 1151
OSPFv3 Route Redistribution Configuration . . . 1152
OSPFv3 Route Redistribution Summary . . . . . 1153
NSF OSPFv3 Configuration . . . . . . . . . . . . 1154
Configuring OSPF Features (CLI) . . . . . . . . . . . 1155
Configuring Global OSPF Settings . . . . . . . . 1155
Configuring OSPF Interface Settings. . . . . . . 1158
Configuring Stub Areas and NSSAs . . . . . . . 1160
Configuring Virtual Links . . . . . . . . . . . . . 1162
Configuring OSPF Area Range Settings . . . . . 1164
Configuring NSF Settings for OSPF. . . . . . . . 1166
Configuring OSPFv3 Features (CLI) . . . . . . . . . . 1167
Configuring Global OSPFv3 Settings . . . . . . . 1167
Configuring OSPFv3 Interface Settings . . . . . 1169
Configuring Stub Areas and NSSAs . . . . . . . 1171
Configuring Virtual Links . . . . . . . . . . . . . 1173
Configuring an OSPFv3 Area Range . . . . . . . 1174
Configuring OSPFv3 Route Redistribution Settings . . . . . . . . . . 1175
Configuring NSF Settings for OSPFv3. . . . . . . 1176
OSPF Configuration Examples . . . . . . . . . . . . . 1177
Configuring an OSPF Border Router and Setting Interface Costs . . . . . . . . . . 1177
Configuring Stub and NSSA Areas for OSPF and OSPFv3 . . . . . . . . . . 1180
Configuring a Virtual Link for OSPF and OSPFv3 . . . . . . . . . . 1184
Interconnecting an IPv4 Backbone and Local IPv6 Network . . . . . . . . . . 1187
Configuring the Static Area Range Cost . . . . . 1190
Configuring Flood Blocking . . . . . . . . . . . . 1195
36 Configuring RIP . . . . . . . . . . . . . . . . . . 1201
RIP Overview. . . . . . . . . . . . . . . . . . . . . . 1201
How Does RIP Determine Route Information? . . . . . . . . . . 1201
What Is Split Horizon? . . . . . . . . . . . . . . 1202
What RIP Versions Are Supported? . . . . . . . 1202
Default RIP Values . . . . . . . . . . . . . . . . . . . 1203
Configuring RIP Features (Web) . . . . . . . . . . . . 1204
RIP Configuration . . . . . . . . . . . . . . . . . 1204
RIP Interface Configuration. . . . . . . . . . . . 1205
RIP Interface Summary . . . . . . . . . . . . . . 1206
RIP Route Redistribution Configuration. . . . . . 1207
RIP Route Redistribution Summary . . . . . . . . 1208
Configuring RIP Features (CLI). . . . . . . . . . . . . 1209
Configuring Global RIP Settings . . . . . . . . . 1209
Configuring RIP Interface Settings . . . . . . . . 1210
Configuring Route Redistribution Settings . . . . 1211
RIP Configuration Example . . . . . . . . . . . . . . 1213
37 Configuring VRRP . . . . . . . . . . . . . . . . 1217
VRRP Overview . . . . . . . . . . . . . . . . . . . . 1217
How Does VRRP Work?. . . . . . . . . . . . . . 1217
What Is the VRRP Router Priority? . . . . . . . . 1218
What Is VRRP Preemption?. . . . . . . . . . . . 1218
What Is VRRP Accept Mode? . . . . . . . . . . 1219
What Are VRRP Route and Interface Tracking? . . . . . . . . . . 1219
Default VRRP Values. . . . . . . . . . . . . . . . . . 1221
Configuring VRRP Features (Web). . . . . . . . . . . 1222
VRRP Configuration. . . . . . . . . . . . . . . . 1222
VRRP Virtual Router Status . . . . . . . . . . . . 1223
VRRP Virtual Router Statistics . . . . . . . . . . 1224
VRRP Router Configuration . . . . . . . . . . . . 1225
VRRP Route Tracking Configuration . . . . . . . 1226
VRRP Interface Tracking Configuration . . . . . 1228
Configuring VRRP Features (CLI) . . . . . . . . . . . 1230
Configuring VRRP Settings . . . . . . . . . . . . 1230
VRRP Configuration Example . . . . . . . . . . . . . 1232
VRRP with Load Sharing . . . . . . . . . . . . . 1232
Troubleshooting VRRP . . . . . . . . . . . . . . 1235
VRRP with Route and Interface Tracking. . . . . 1236
38 Configuring IPv6 Routing . . . . . . . . . . . 1241
IPv6 Routing Overview . . . . . . . . . . . . . . . . . 1241
How Does IPv6 Compare with IPv4? . . . . . . . 1242
How Are IPv6 Interfaces Configured? . . . . . . 1242
Default IPv6 Routing Values . . . . . . . . . . . . . . 1243
Configuring IPv6 Routing Features (Web) . . . . . . . 1245
Global Configuration . . . . . . . . . . . . . . . 1245
Interface Configuration . . . . . . . . . . . . . . 1246
Interface Summary . . . . . . . . . . . . . . . . 1247
IPv6 Statistics . . . . . . . . . . . . . . . . . . . 1248
IPv6 Neighbor Table. . . . . . . . . . . . . . . . 1249
DHCPv6 Client Parameters . . . . . . . . . . . . 1250
DHCPv6 Client Statistics . . . . . . . . . . . . . 1251
IPv6 Router Entry Configuration . . . . . . . . . 1252
IPv6 Route Table . . . . . . . . . . . . . . . . . 1253
IPv6 Route Preferences. . . . . . . . . . . . . . 1254
Configured IPv6 Routes . . . . . . . . . . . . . . 1255
Configuring IPv6 Routing Features (CLI) . . . . . . . . 1256
Configuring Global IP Routing Settings . . . . . . 1256
Configuring IPv6 Interface Settings . . . . . . . 1257
Configuring IPv6 Neighbor Discovery . . . . . . 1258
Configuring IPv6 Route Table Entries and Route Preferences . . . . . . . . . . 1260
IPv6 Show Commands . . . . . . . . . . . . . . 1262
IPv6 Static Reject and Discard Routes . . . . . . . . 1263
39 Configuring DHCPv6 Server and Relay Settings . . . . . . . . . . 1265
DHCPv6 Overview . . . . . . . . . . . . . . . . . . . 1265
What Is a DHCPv6 Pool? . . . . . . . . . . . . . 1266
What Is a Stateless Server? . . . . . . . . . . . 1266
What Is the DHCPv6 Relay Agent Information Option? . . . . . . . 1266
What Is a Prefix Delegation? . . . . . . . . . . . 1266
Default DHCPv6 Server and Relay Values. . . . . . . 1267
Configuring the DHCPv6 Server and Relay (Web). . . 1268
DHCPv6 Global Configuration . . . . . . . . . . 1268
DHCPv6 Pool Configuration. . . . . . . . . . . . 1269
Prefix Delegation Configuration . . . . . . . . . 1271
DHCPv6 Pool Summary . . . . . . . . . . . . . . 1272
DHCPv6 Interface Configuration . . . . . . . . . 1273
DHCPv6 Server Bindings Summary . . . . . . . 1275
DHCPv6 Statistics. . . . . . . . . . . . . . . . . 1276
Configuring the DHCPv6 Server and Relay (CLI) . . . 1277
Configuring Global DHCP Server and Relay Agent Settings . . . . . 1277
Configuring a DHCPv6 Pool for Stateless Server Support . . . . . . 1277
Configuring a DHCPv6 Pool for Specific Hosts . . . . . . . . . . . 1278
Configuring DHCPv6 Interface Information . . . 1279
Monitoring DHCPv6 Information . . . . . . . . . 1280
DHCPv6 Configuration Examples . . . . . . . . . . . 1281
Configuring a DHCPv6 Stateless Server . . . . . 1281
Configuring the DHCPv6 Server for Prefix Delegation . . . . . . . 1282
Configuring an Interface as a DHCPv6 Relay Agent . . . . . . . . . 1283
40 Configuring Differentiated Services . . 1285
DiffServ Overview . . . . . . . . . . . . . . . . . . . 1285
How Does DiffServ Functionality Vary Based on the Role of the Switch? . 1286
What Are the Elements of DiffServ Configuration? . . . . . . . . . 1286
Default DiffServ Values . . . . . . . . . . . . . . . . 1287
Configuring DiffServ (Web) . . . . . . . . . . . . . . 1288
DiffServ Configuration . . . . . . . . . . . . . . 1288
Class Configuration . . . . . . . . . . . . . . . . 1289
Class Criteria . . . . . . . . . . . . . . . . . . . 1290
Policy Configuration . . . . . . . . . . . . . . . 1292
Policy Class Definition . . . . . . . . . . . . . . 1294
Service Configuration . . . . . . . . . . . . . . . 1297
Service Detailed Statistics . . . . . . . . . . . . 1298
Flow-Based Mirroring . . . . . . . . . . . . . . 1299
Configuring DiffServ (CLI) . . . . . . . . . . . . . . . 1300
DiffServ Configuration (Global) . . . . . . . . . . 1300
DiffServ Class Configuration for IPv4 . . . . . . . 1300
DiffServ Class Configuration for IPv6 . . . . . . . 1302
DiffServ Policy Creation. . . . . . . . . . . . . . 1303
DiffServ Policy Attributes Configuration . . . . . 1304
DiffServ Service Configuration . . . . . . . . . . 1306
DiffServ Configuration Examples . . . . . . . . . . . 1307
Providing Subnets Equal Access to External Network . . . . . . . . 1307
DiffServ for VoIP . . . . . . . . . . . . . . . . . 1310
41 Configuring Class-of-Service . . . . . . . 1313
CoS Overview . . . . . . . . . . . . . . . . . . . . . 1313
What Are Trusted and Untrusted Port Modes? . . . . . . . . . . . . 1314
How Is Traffic Shaping Used on Egress Traffic? . . . . . . . . . . 1314
How Are Traffic Queues Defined? . . . . . . . . . . . . . . . . . 1315
Which Queue Management Methods Are Supported? . . . . . . . . . . 1315
CoS Queue Usage . . . . . . . . . . . . . . . . 1316
Default CoS Values . . . . . . . . . . . . . . . . . . 1316
Configuring CoS (Web) . . . . . . . . . . . . . . . . 1318
Mapping Table Configuration. . . . . . . . . . . 1318
Interface Configuration. . . . . . . . . . . . . . 1320
Interface Queue Configuration . . . . . . . . . . 1321
Interface Queue Drop Precedence Configuration . . . . . . . . . . 1322
Configuring CoS (CLI) . . . . . . . . . . . . . . . . . 1324
Mapping Table Configuration. . . . . . . . . . . 1324
CoS Interface Configuration Commands . . . . . 1325
Interface Queue Configuration . . . . . . . . . . 1325
Configuring Interface Queue Drop Probability . . . . . . . . . . . 1327
CoS Configuration Example . . . . . . . . . . . . . . 1328
42 Configuring Auto VoIP . . . . . . . . . . . . . 1331
Auto VoIP Overview . . . . . . . . . . . . . . . . . . 1331
How Does Auto-VoIP Use ACLs? . . . . . . . . . 1332
Default Auto VoIP Values . . . . . . . . . . . . . . . 1332
Configuring Auto VoIP (Web) . . . . . . . . . . . . . 1333
Auto VoIP Global Configuration. . . . . . . . . . 1333
Auto VoIP Interface Configuration . . . . . . . . 1333
Configuring Auto VoIP (CLI) . . . . . . . . . . . . . . 1335
43 Managing IPv4 and IPv6 Multicast . . . 1337
L3 Multicast Overview . . . . . . . . . . . . . . . . . 1337
What Is IP Multicast Traffic? . . . . . . . . . . . 1338
What Multicast Protocols Does the Switch Support? . . . . . . . . 1339
What Are the Multicast Protocol Roles? . . . . . . . . . . . . . . 1339
When Is L3 Multicast Required on the Switch? . . . . . . . . . . . 1340
What Is the Multicast Routing Table? . . . . . . 1341
What Is IGMP? . . . . . . . . . . . . . . . . . . 1341
What Is MLD? . . . . . . . . . . . . . . . . . . . 1342
What Is PIM? . . . . . . . . . . . . . . . . . . . 1343
What Is DVMRP? . . . . . . . . . . . . . . . . . 1353
Default L3 Multicast Values . . . . . . . . . . . . . . 1355
Configuring General IPv4 Multicast Features (Web) . . . . . . . . . 1357
Multicast Global Configuration . . . . . . . . . . 1357
Multicast Interface Configuration . . . . . . . . 1358
Multicast Route Table . . . . . . . . . . . . . . 1359
Multicast Admin Boundary Configuration . . . . 1360
Multicast Admin Boundary Summary . . . . . . 1361
Multicast Static MRoute Configuration . . . . . 1361
Multicast Static MRoute Summary. . . . . . . . 1362
Configuring IPv6 Multicast Features (Web) . . . . . . 1363
IPv6 Multicast Route Table . . . . . . . . . . . . 1363
Configuring IGMP and IGMP Proxy (Web) . . . . . . 1364
IGMP Global Configuration . . . . . . . . . . . . 1364
IGMP Interface Configuration . . . . . . . . . . 1365
IGMP Interface Summary . . . . . . . . . . . . 1366
IGMP Cache Information . . . . . . . . . . . . . 1366
IGMP Interface Source List Information . . . . . 1368
IGMP Proxy Interface Configuration . . . . . . . 1369
IGMP Proxy Configuration Summary . . . . . . . 1370
IGMP Proxy Interface Membership Info . . . . . 1371
Detailed IGMP Proxy Interface Membership Information . . . . . . . 1372
Configuring MLD and MLD Proxy (Web) . . . . . . . 1373
MLD Global Configuration . . . . . . . . . . . . 1373
MLD Routing Interface Configuration . . . . . . 1374
MLD Routing Interface Summary. . . . . . . . . 1375
MLD Routing Interface Cache Information. . . . 1375
MLD Routing Interface Source List Information . 1376
MLD Traffic . . . . . . . . . . . . . . . . . . . . 1377
MLD Proxy Configuration . . . . . . . . . . . . . 1378
MLD Proxy Configuration Summary . . . . . . . 1379
MLD Proxy Interface Membership Information . . . . . . . . . . . . 1380
Detailed MLD Proxy Interface Membership Information . . . . . . . . 1381
Configuring PIM for IPv4 and IPv6 (Web) . . . . . . . 1382
PIM Global Configuration . . . . . . . . . . . . . 1382
PIM Global Status. . . . . . . . . . . . . . . . . 1383
PIM Interface Configuration . . . . . . . . . . . 1384
PIM Interface Summary . . . . . . . . . . . . . 1385
Candidate RP Configuration . . . . . . . . . . . 1386
Static RP Configuration . . . . . . . . . . . . . . 1388
SSM Range Configuration . . . . . . . . . . . . 1390
BSR Candidate Configuration. . . . . . . . . . . 1392
BSR Candidate Summary . . . . . . . . . . . . . 1393
Configuring DVMRP (Web). . . . . . . . . . . . . . . 1394
DVMRP Global Configuration . . . . . . . . . . . 1394
DVMRP Interface Configuration . . . . . . . . . 1395
DVMRP Configuration Summary . . . . . . . . . 1396
DVMRP Next Hop Summary . . . . . . . . . . . 1397
DVMRP Prune Summary . . . . . . . . . . . . . 1398
DVMRP Route Summary . . . . . . . . . . . . . 1398
Configuring L3 Multicast Features (CLI) . . . . . . . . 1399
Configuring and Viewing IPv4 Multicast Information . . . . . . . . 1399
Configuring and Viewing IPv6 Multicast Route Information . . . . . 1401
Configuring and Viewing IGMP . . . . . . . . . . 1402
Configuring and Viewing IGMP Proxy . . . . . . 1404
Configuring and Viewing MLD . . . . . . . . . . 1405
Configuring and Viewing MLD Proxy . . . . . . . 1406
Configuring and Viewing PIM-DM for IPv4 Multicast Routing . . . . . 1407
Configuring and Viewing PIM-DM for IPv6 Multicast Routing . . . . . 1408
Configuring and Viewing PIM-SM for IPv4 Multicast Routing . . . . . 1410
Configuring and Viewing PIM-SM for IPv6 Multicast Routing . . . . . 1412
Configuring and Viewing DVMRP Information . . . . . . . . . . . . 1416
L3 Multicast Configuration Examples . . . . . . . . . 1417
Configuring Multicast VLAN Routing With IGMP and PIM-SM . . . . . 1417
Configuring DVMRP . . . . . . . . . . . . . . . 1421
A Feature Limitations and Platform Constants . . . . . . . . . . . 1423
B System Process Definitions . . . . . . . . 1433
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1441
Introduction 51
1
Introduction
The switches in the Dell Networking N2000/N3000/N4000 series are stackable
Layer 2 and 3 switches that extend the Dell Networking LAN switching
product range. These switches include the following features:
•1U form factor, rack-mountable chassis design.
•Support for all data-communication requirements for a multi-layer switch,
including layer 2 switching, IPv4 routing, IPv6 routing, IP multicast,
quality of service, security, and system management features.
•High availability with hot swappable stack members.
The Dell Networking N2000/N3000/N4000 includes 13 switch models:
N2024, N2024P, N2038, N2048P, N3024, N3024F, N3024P, N3048, N3048P,
N4032, N4032F, N4064, N4064F.
About This Document
This guide describes how to configure, monitor, and maintain Dell
Networking N2000/N3000/N4000 switches by using the web-based Dell
OpenManage Switch Administrator utility or the command-line interface
(CLI).
NOTE: Switch administrators are strongly advised to maintain Dell Networking
switches on the latest version of the Dell Networking Operating System (DNOS).
Dell Networking continually improves the features and functions of DNOS based
on feedback from you, the customer. For critical infrastructure, prestaging of the
new release into a non-critical portion of the network is recommended to verify
network configuration and operation with any new version of DNOS switch
firmware.
Audience
This guide is for network administrators in charge of managing one or more
Dell Networking series switches. To obtain the greatest benefit from this
guide, you should have a basic understanding of Ethernet networks and local
area network (LAN) concepts.
Document Conventions
Table 1-1 describes the typographical conventions this document uses.
Table 1-1. Document Conventions
Convention     Description
Bold           Page names, field names, menu options, button names, and CLI commands and keywords.
courier font   Command-line text (CLI output) and file names.
[ ]            In a command line, square brackets indicate an optional entry.
{ }            In a command line, inclusive brackets indicate a selection of compulsory parameters separated by the | character. One option must be selected. For example: spanning-tree mode {stp|rstp|mstp} means that for the spanning-tree mode command you must enter either stp, rstp, or mstp.
Italic         In a command line, indicates a variable.
<Enter>        Any individual key on the keyboard.
CTRL + Z       A keyboard combination that involves pressing the Z key while holding the CTRL key.
Additional Documentation
The following documents for the Dell Networking series switches are
available at support.dell.com/manuals:
•Getting Started Guide—provides information about the switch models in
the series, including front and back panel features. It also describes the
installation and initial configuration procedures.
•CLI Reference Guide—provides information about the command-line
interface (CLI) commands used to configure and manage the switch. The
document provides in-depth CLI descriptions, syntax, default values, and
usage guidelines.
Switch Feature Overview 55
2
Switch Feature Overview
This section describes the switch user-configurable software features.
NOTE: Before proceeding, read the release notes for this product. The release
notes are part of the firmware download.
The topics covered in this section include:
•System Management Features
•Stacking Features
•Security Features
•Green Technology Features
•Power over Ethernet (PoE) Plus Features
•Switching Features
•Virtual Local Area Network Supported Features
•Spanning Tree Protocol Features
•Link Aggregation Features
•Routing Features
•IPv6 Routing Features
•Quality of Service (QoS) Features
•Layer 2 Multicast Features
•Layer 3 Multicast Features
System Management Features
Multiple Management Options
You can use any of the following methods to manage the switch:
•Use a web browser to access the Dell OpenManage Switch Administrator
interface. The switch contains an embedded Web server that serves
HTML pages.
•Use a Telnet client, SSH client, or a direct console connection to access
the CLI. The CLI syntax and semantics conform as much as possible to
common industry practice.
•Use a network management system (NMS), like the Dell OpenManage
Network Manager, to manage and monitor the system through SNMP. The
switch supports SNMP v1/v2c/v3 over the UDP/IP transport protocol.
Nearly all switch features support a preconfiguration capability, even when
the feature is not enabled or the required hardware is not present.
Preconfigured capabilities become active only when enabled (typically via an
admin mode control) or when the required hardware is present (or both). For
example, a port can be preconfigured with both trunk and access mode
information. The trunk mode information is applied only when the port is
placed into trunk mode and the access mode information is only applied
when the port is placed into access mode. Likewise, OSPF routing can be
configured in the switch without being enabled on any port. This capability is
present in all of the management options.
System Time Management
You can configure the switch to obtain the system time and date through a
remote Simple Network Time Protocol (SNTP) server, or you can set the time
and date locally on the switch. You can also configure the time zone and
information about time shifts that might occur during summer months. If
you use SNTP to obtain the time, you can require communications between
the switch and the SNTP server to be encrypted.
For information about configuring system time settings, see "Managing
General System Settings" on page 279.
Log Messages
The switch maintains in-memory log messages as well as persistent logs. You
can configure remote logging so that the switch sends log messages to a
remote SYSLOG server. You can also configure the switch to email log
messages to a configured SMTP server. This allows you to receive the log
message in an e-mail account of your choice. Switch auditing messages, CLI
command logging, Web logging, and SNMP logging can be enabled or
disabled.
For information about configuring system logging, see "Monitoring and
Logging System Information" on page 243.
Integrated DHCP Server
Dell Networking series switches include an integrated DHCP server that can
deliver host-specific configuration information to hosts on the network. The
switch DHCP server allows you to configure IPv4 address pools (scopes), and
when a host’s DHCP client requests an address, the switch DHCP server
automatically assigns the host an address from the pool.
For information about configuring the DHCP server settings, see
"Configuring DHCP Server and Relay Settings" on page 1037.
Management of Basic Network Information
The DHCP client on the switch allows the switch to acquire information such
as the IPv4 or IPv6 address and default gateway from a network DHCP server.
You can also disable the DHCP client and configure static network
information. Other configurable network information includes a Domain
Name Server (DNS), hostname to IP address mapping, and a default domain
name.
If the switch detects an IP address conflict on the management interface, it
generates a trap and sends a log message.
For information about configuring basic network information, see "Setting
the IP Address and Other Basic Network Information" on page 147.
IPv6 Management Features
Dell Networking series switches provide IPv6 support for many standard
management features including HTTP, HTTPS/SSL, Telnet, SSH, SNMP,
SNTP, TFTP, and traceroute on both the in-band and out-of-band
management ports.
Dual Software Images
Dell Networking series switches can store up to two software images. The dual
image feature allows you to upgrade the switch without deleting the older
software image. You designate one image as the active image and the other
image as the backup image.
For information about managing the switch image, see "Managing Images
and Files" on page 359.
File Management
You can upload and download files such as configuration files and system
images by using HTTP (web only), TFTP, Secure FTP (SFTP), or Secure
Copy (SCP). Configuration file uploads from the switch to a server are a good
way to back up the switch configuration. You can also download a
configuration file from a server to the switch to restore the switch to the
configuration in the downloaded file.
You can also copy files to and from a USB Flash drive that is plugged into the
USB port on the front panel of the switch or automatically upgrade a switch
by booting it with a newer firmware image on a USB drive plugged in to the
switch.
For information about uploading, downloading, and copying files, see
"Managing Images and Files" on page 359.
Switch Database Management Templates
Switch Database Management (SDM) templates enable you to reallocate
system resources to support a different mix of features based on your network
requirements. Dell Networking series switches support the following three
templates:
•Dual IPv4 and IPv6 (default)
•IPv4 Routing
•IPv4 Data Center
For information about setting the SDM template, see "Managing General
System Settings" on page 279.
Automatic Installation of Firmware and Configuration
The Auto Install feature allows the switch to upgrade or downgrade to a
different software image and update the configuration file automatically
during device initialization with limited administrative configuration on
the device. If a USB device is connected to the switch and contains a
firmware image and/or configuration file, the Auto Install feature installs
the image or configuration file from the USB device. Otherwise, the switch
can obtain the necessary information from a DHCP server on the network.
For information about Auto Install, see "Automatically Updating the Image
and Configuration" on page 389.
sFlow
sFlow is the standard for monitoring high-speed switched and routed
networks. sFlow technology is built into network equipment and gives
complete visibility into network activity, enabling effective management and
control of network resources. The Dell Networking series switches support
sFlow version 5.
For information about configuring and managing sFlow settings, see "Monitoring
Switch Traffic" on page 407.
NOTE: Automatic migration of the startup configuration to the next version of
firmware from the current and previous versions of firmware is supported; the
syntax is automatically updated when it is read into the running-config. Check
the release notes to determine if any parts of the configuration cannot be
migrated. Save the running-config to maintain the updated syntax. Migration of
configuration is not assured on a firmware downgrade. When upgrading or
downgrading firmware, check your configuration to ensure that it implements the
desired configuration. Meta-configuration data (stack-port and slot
configuration) is always reset to the defaults on a downgrade on each stack unit.
As an example, Ethernet ports configured as stacking ports default back to
Ethernet mode on a downgrade.
SNMP Alarms and Trap Logs
The system logs events with severity codes and timestamps. The events are
sent as SNMP traps to a trap recipient list.
For information about configuring SNMP traps and alarms, see "Configuring
SNMP" on page 323.
CDP Interoperability through ISDP
Industry Standard Discovery Protocol (ISDP) allows the Dell Networking
switch to interoperate with Cisco devices running the Cisco Discovery
Protocol (CDP). ISDP is a proprietary Layer 2 network protocol which
interoperates with Cisco network equipment and is used to share information
between neighboring devices (routers, bridges, access servers, and switches).
For information about configuring ISDP settings, see "Discovering Network
Devices" on page 761.
Remote Monitoring (RMON)
RMON is a standard Management Information Base (MIB) that defines
current and historical MAC-layer statistics and control objects, allowing real-
time information to be captured across the entire network.
For information about configuring and managing RMON settings, see
"Monitoring Switch Traffic" on page 407.
Stacking Features
For information about creating and maintaining a stack of switches, see
"Managing a Switch Stack" on page 171.
High Stack Count
The Dell Networking N2000, N3000, and N4000 series switches include a
stacking feature that allows up to 12 switches to operate as a single unit. The
N2000 and N3000 series switches have two fixed mini-SAS stacking
connectors at the rear. N2000 series switches will stack with other N2000
series switches and Dell Networking N3000 series switches stack with other
N3000 series switches.
Dell Networking N4000 series switches stack with other Dell Networking
N4000 series switches over front panel ports configured for stacking.
Single IP Management
When multiple switches are connected together through the stack ports, they
operate as a single unit with a larger port count. The stack operates and is
managed as a single entity. One switch acts as the master, and the entire stack
is managed through the management interface (Web, CLI, or SNMP) of the
stack master.
Master Failover with Transparent Transition
The stacking feature supports a standby or backup unit that assumes the
stack master role if the stack master fails. As soon as a stack master failure is
detected, the standby unit initializes the control plane and enables all other
stack units with the current configuration. The standby unit maintains a
synchronized copy of the running configuration for the stack.
Nonstop Forwarding on the Stack
The Nonstop Forwarding (NSF) feature allows the forwarding plane of stack
units to continue to forward packets while the control and management
planes restart as a result of a power failure, hardware failure, or software fault
on the stack master and allows the standby switch to quickly take over as
the master.
Hot Add/Delete and Firmware Synchronization
You can add and remove units to and from the stack without cycling the
power. When you add a unit, the Stack Firmware Synchronization feature, if
enabled, automatically synchronizes the firmware version with the version
running on the stack master. The synchronization operation may result in
either an upgrade or a downgrade of firmware on the mismatched stack
member. Once the firmware is synchronized on a member unit, the running-
config on the member is updated to match the master switch. The startup-
config on the standby and member switches is not automatically updated when
the configuration changes on the master switch. Saving the startup config
on the master switch also saves it to the startup config on all the other
stack members. The hardware configuration of every switch is updated to
match the master switch (unit number, slot configuration, stack member
number, etc.).
Security Features
Configurable Access and Authentication Profiles
You can configure rules to limit access to the switch management interface
based on criteria such as access type and source IP address of the
management host. You can also require the user to be authenticated locally or
by an external server, such as a RADIUS server.
For information about configuring access and authentication profiles, see
"Configuring Authentication, Authorization, and Accounting" on page 207.
Password-Protected Management Access
Access to the Web, CLI, and SNMP management interfaces is password
protected, and there are no default users on the system.
For information about configuring local user accounts, see "Configuring
Authentication, Authorization, and Accounting" on page 207.
Strong Password Enforcement
The Strong Password feature enforces a baseline password strength for all
locally administered users. Password strength is a measure of the effectiveness
of a password in resisting guessing and brute-force attacks. The strength of a
password is a function of length, complexity and randomness. Using strong
passwords lowers overall risk of a security breach.
For information about configuring password settings, see "Configuring
Authentication, Authorization, and Accounting" on page 207.
TACACS+ Client
The switch has a TACACS+ client. TACACS+ provides centralized security
for validation of users accessing the switch. TACACS+ provides a centralized
user management system while still retaining consistency with RADIUS and
other authentication processes.
For information about configuring TACACS+ client settings, see
"Configuring Authentication, Authorization, and Accounting" on page 207.
RADIUS Support
The switch has a Remote Authentication Dial In User Service (RADIUS)
client and can support up to 32 named authentication and accounting
RADIUS servers. The switch also supports RADIUS Attribute 4, which is the
configuration of a NAS-IP address. You can also configure the switch to
accept RADIUS-assigned VLANs.
For information about configuring RADIUS client settings, see "Configuring
Authentication, Authorization, and Accounting" on page 207.
SSH/SSL
The switch supports Secure Shell (SSH) for secure, remote connections to
the CLI and Secure Sockets Layer (SSL) to increase security when accessing
the web-based management interface. The SSH server can be enabled or
disabled using the ip ssh command.
For information about configuring SSH and SSL settings, see "Configuring
Authentication, Authorization, and Accounting" on page 207.
Inbound Telnet Control
By default, the switch allows access over Telnet. The administrator can enable
or disable the Telnet server using the ip telnet command. Additionally, the
Telnet port number is configurable using the same command.
For information about configuring inbound Telnet settings, see "Configuring
Authentication, Authorization, and Accounting" on page 207.
Denial of Service
The switch supports configurable Denial of Service (DoS) attack protection
for eight different types of attacks.
For information about configuring DoS settings, see "Configuring Port and
System Security" on page 503.
Port Protection
A port may be put into the diagnostically disabled state for any of the
following reasons:
•BPDU Storm Protection: By default, if Spanning Tree Protocol (STP)
bridge protocol data units (BPDUs) are received at a rate of 15 pps or
greater for three consecutive seconds on a port, the port will be
diagnostically disabled. The threshold is not configurable.
•DHCP Snooping: If DHCP packets are received on a port at a rate that
exceeds 15 pps, the port will be diagnostically disabled. The threshold is
configurable up to 300 pps for a burst of up to 15 s using the ip dhcp
snooping limit command. DHCP snooping is disabled by default. The default
protection limit is 15 pps.
•Dynamic ARP Inspection: By default, if Dynamic ARP Inspection packets
are received on a port at a rate that exceeds 15 pps for 1 second, the port
will be diagnostically disabled. The threshold is configurable up to 300 pps
and the burst is configurable up to 15 s using the ip arp inspection limit
command.
•Spanning tree: Spanning tree will diagnostically disable an interface when
it is unable to update the internal state of the interface for more than 90
seconds or when the internal message buffer for an interface overflows.
•SFP+ transceivers: SFP+ transceivers are not compatible with SFP slots
(N3024F front panel ports). To avoid damage to SFP+ transceivers
mistakenly inserted into SFP ports, the SFP port is diagnostically disabled
when an SFP+ transceiver is detected.
•ICMP storms: Ports on which ICMP storms are detected are diagnostically
disabled. The rate limit and burst sizes are configurable separately for IPv4
and IPv6.
A port that is diagnostically disabled may be returned to service using the no
shut command.
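The thresholds above combine a packet rate with a time window in two different ways: BPDU storm protection counts consecutive seconds at or above the rate, while the DHCP snooping and Dynamic ARP Inspection limits take a rate plus a burst interval. The following Python model is an added example, not Dell code and not a description of how DNOS implements the counters; it runs both decisions over constructed per-second counters and packet timestamps. The 15 pps, 300 pps and 15 s values come from the text above; treating a rate of R pps with a burst of B seconds as "more than R × B packets inside any B-second window" is an assumption, as is the lower bound of 1 in the validation helper.

```python
"""Added example (not Dell code): a model of the diagnostic-disable decisions
described in the Port Protection list, run over constructed input. The
sliding-window reading of "rate for burst seconds" is an assumption about
how such a limit is evaluated, not a statement about DNOS."""
from collections import deque
from typing import Iterable, Optional, Sequence


def bpdu_storm_triggers(per_second_counts: Sequence[int],
                        rate_pps: int = 15, consecutive_seconds: int = 3) -> bool:
    """BPDU storm protection: True once the per-second BPDU count has been at
    or above rate_pps for consecutive_seconds consecutive seconds."""
    run = 0
    for count in per_second_counts:
        run = run + 1 if count >= rate_pps else 0
        if run >= consecutive_seconds:
            return True
    return False


def check_limit(rate_pps: int, burst_seconds: int) -> None:
    """Reject values outside the documented maximums (300 pps, 15 s); the
    lower bound of 1 is an assumption."""
    if not 1 <= rate_pps <= 300:
        raise ValueError("rate must be between 1 and 300 pps")
    if not 1 <= burst_seconds <= 15:
        raise ValueError("burst interval must be between 1 and 15 seconds")


def rate_limit_triggers(timestamps_ms: Iterable[int],
                        rate_pps: int = 15, burst_seconds: int = 1) -> Optional[int]:
    """DHCP snooping / DAI style limit: the port is disabled when more than
    rate_pps * burst_seconds packets arrive inside any burst_seconds window.
    Returns the millisecond timestamp at which that happened, or None."""
    check_limit(rate_pps, burst_seconds)
    budget = rate_pps * burst_seconds
    window_ms = burst_seconds * 1000
    window: deque = deque()
    for t in sorted(timestamps_ms):
        window.append(t)
        while window[0] <= t - window_ms:   # expire packets outside (t - window, t]
            window.popleft()
        if len(window) > budget:
            return t
    return None


if __name__ == "__main__":
    # Constructed counters: two seconds above threshold, a dip, then three in a row.
    print(bpdu_storm_triggers([20, 30, 5, 16, 15, 40]))             # True
    # 16 DHCP packets in 150 ms exceed the default 15 pps in 1 s.
    print(rate_limit_triggers([i * 10 for i in range(16)]))         # 150
    # 40 ARP packets in one second stay within a 15 pps / 3 s budget of 45.
    print(rate_limit_triggers([i * 20 for i in range(40)], 15, 3))  # None
```

The third call shows why the burst interval matters operationally: a DAI limit of 15 pps with a 3 s burst tolerates a short spike of 40 ARP packets that a 1 s burst would have punished, so the burst setting is the knob to adjust when legitimate hosts (for example after a link flap) trip the default and end up diagnostically disabled.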
Captive Portal
The Captive Portal feature blocks clients from accessing the network until
user verification has been established. When a user attempts to connect to
the network through the switch, the user is presented with a customized Web
page that might contain username and password fields or the acceptable use
policy. You can require users to be authenticated by a local or remote RADIUS
database before access is granted.
For information about configuring the Captive Portal features, see "Captive
Portal" on page 543.
Dot1x Authentication (IEEE 802.1X)
Dot1x authentication enables the authentication of system users through a
local internal server or an external server. Only authenticated and approved
system users can transmit and receive frames over the port. Supplicants are
authenticated using the Extensible Authentication Protocol (EAP). PEAP,
EAP-TTL, EAP-TTLS, and EAP-TLS are supported for remote authentication
servers. Local (IAS) authentication supports EAP-MD5 only.
For information about configuring IEEE 802.1X settings, see "Configuring
Port and System Security" on page 503.
MAC-Based 802.1X Authentication
MAC-based authentication allows multiple supplicants connected to the
same port to each authenticate individually. For example, a system attached
to the port might be required to authenticate in order to gain access to the
network, while a VoIP phone might not need to authenticate in order to send
voice traffic through the port.
For information about configuring MAC-based 802.1X authentication, see
"Configuring Port and System Security" on page 503.
Dot1x Monitor Mode
Monitor mode can be enabled in conjunction with Dot1x authentication to
allow network access even when the user fails to authenticate. The switch logs
the results of the authentication process for diagnostic purposes. The main
purpose of this mode is to help troubleshoot the configuration of a Dot1x
authentication on the switch without affecting the network access to the
users of the switch.
For information about enabling the Dot1X Monitor mode, see "Configuring
Port and System Security" on page 503.
MAC-Based Port Security
The port security feature limits access on a port to users with specific MAC
addresses. These addresses are manually defined or learned on that port.
When a frame is seen on a locked port, and the frame source MAC address is
not tied to that port, the protection mechanism is invoked.
For information about configuring MAC-based port security, see "Configuring
Port and System Security" on page 503.
Access Control Lists (ACL)
Access Control Lists (ACLs) ensure that only authorized users have access to
specific resources while blocking off any unwarranted attempts to reach
network resources. ACLs are used to provide traffic flow control, restrict
contents of routing updates, decide which types of traffic are forwarded or
blocked, and above all provide security for the network. The switch supports
the following ACL types:
•IPv4 ACLs
•IPv6 ACLs
•MAC ACLs
For all ACL types, you can apply the ACL rule when the packet enters or exits
the physical port, LAG, or VLAN interface.
ACLs can be used to implement policy-based routing (PBR) to implement
packet routing according to specific organizational policies.
For information about configuring ACLs and PBR, see "Configuring Access
Control Lists" on page 583.
Time-Based ACLs
With the Time-based ACL feature, you can define when an ACL is in effect
and the amount of time it is in effect.
For information about configuring time-based ACLs, see "Configuring Access
Control Lists" on page 583.
IP Source Guard (IPSG)
IP source guard (IPSG) is a security feature that filters IP packets based on
the source ID. The source ID may be either the source IP address alone or the
(source IP address, source MAC address) pair as found in the local DHCP
snooping database. IPSG depends on DHCP Snooping to associate IP addresses
with MAC addresses.
For information about configuring IPSG, see "Snooping and Inspecting
Traffic" on page 879.
DHCP Snooping
DHCP Snooping is a security feature that monitors DHCP messages between
a DHCP client and DHCP server. It filters harmful DHCP messages and
builds a bindings database of (MAC address, IP address, VLAN ID, port)
tuples that are specified as authorized. DHCP snooping can be enabled
globally and on specific VLANs. Ports within the VLAN can be configured to
be trusted or untrusted. DHCP servers must be reached through trusted ports.
For information about configuring DHCP Snooping, see "Snooping and
Inspecting Traffic" on page 879.
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and
malicious ARP packets. The feature prevents a class of man-in-the-middle
attacks, where an unfriendly station intercepts traffic for other stations by
poisoning the ARP caches of its unsuspecting neighbors. The malicious
station sends ARP requests or responses mapping another station's IP address
to its own MAC address.
Dynamic ARP Inspection relies on DHCP Snooping.
For information about configuring DAI, see "Snooping and Inspecting Traffic"
on page 879.
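As an added illustration (not Dell's code and not the switch's actual implementation), the following Python models the bindings database that IPSG, DHCP Snooping and DAI share: the DHCP snooping filter that populates it, the DAI check on ARP sender pairs, and the IPSG check in IP-only and IP+MAC modes. Port names, MAC addresses and IP addresses are constructed sample values.

```python
# Added example (not Dell code): a minimal model of the DHCP snooping bindings
# database and of the DAI and IPSG checks that consult it. Port names and
# addresses used with it are constructed sample values.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # legitimate only on trusted ports


@dataclass(frozen=True)
class Binding:
    """One authorized (MAC address, IP address, VLAN ID, port) tuple."""
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingDatabase:
    def __init__(self, trusted_ports: Set[str]) -> None:
        self.trusted = set(trusted_ports)
        # Authorized bindings keyed by (client MAC, VLAN).
        self.bindings: Dict[Tuple[str, int], Binding] = {}
        # Client port remembered from DISCOVER/REQUEST until the ACK arrives.
        self.pending: Dict[Tuple[str, int], str] = {}

    def observe_dhcp(self, msg_type: str, port: str, vlan: int, src_mac: str,
                     chaddr: str, yiaddr: Optional[str] = None) -> str:
        """Filter one DHCP message and update the bindings database.

        Returns "DROP", "FORWARD", "LEARN" or "REMOVE" so the caller can see
        what the snooping logic decided for that message.
        """
        if port in self.trusted:
            # Server replies arrive here; an ACK completes a pending binding.
            if msg_type == "ACK" and (chaddr, vlan) in self.pending:
                client_port = self.pending.pop((chaddr, vlan))
                self.bindings[(chaddr, vlan)] = Binding(chaddr, yiaddr, vlan, client_port)
                return "LEARN"
            return "FORWARD"
        # Untrusted port: server messages are never accepted from it.
        if msg_type in SERVER_MESSAGES:
            return "DROP"
        # A client may only speak for its own MAC (frame source must equal chaddr).
        if src_mac != chaddr:
            return "DROP"
        if msg_type in ("DISCOVER", "REQUEST"):
            self.pending[(chaddr, vlan)] = port
            return "FORWARD"
        if msg_type == "RELEASE":
            # Only the bound host, on its bound port, may release the lease.
            b = self.bindings.get((chaddr, vlan))
            if b is None or b.port != port:
                return "DROP"
            del self.bindings[(chaddr, vlan)]
            return "REMOVE"
        return "FORWARD"

    def arp_check(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """Dynamic ARP Inspection: the ARP sender pair must match a binding on this port."""
        if port in self.trusted:
            return "PERMIT"
        b = self.bindings.get((sender_mac, vlan))
        if b is not None and b.ip == sender_ip and b.port == port:
            return "PERMIT"
        return "DROP"  # e.g. someone else's IP claimed for this MAC (cache poisoning)

    def ip_check(self, port: str, vlan: int, src_mac: str, src_ip: str,
                 verify_mac: bool = True) -> str:
        """IP Source Guard: filter by source IP, or by the (IP, MAC) pair when verify_mac."""
        if port in self.trusted:
            return "PERMIT"
        if src_ip == "0.0.0.0":
            return "PERMIT"  # DHCP client traffic must pass so a binding can be learned
        for b in self.bindings.values():
            if b.port == port and b.vlan == vlan and b.ip == src_ip:
                if not verify_mac or b.mac == src_mac:
                    return "PERMIT"
        return "DROP"
```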
Protected Ports (Private VLAN Edge)
Private VLAN Edge (PVE) ports are a Layer 2 security feature that provides
port-based security between ports that are members of the same VLAN. It is
an extension of the common VLAN. Traffic from protected ports is sent only
to the uplink ports and cannot be sent to other ports within the VLAN.
For information about configuring protected ports, see "Configuring Port-Based
Traffic Control" on page 787.
Green Technology Features
For information about configuring Green Technology features, see
"Configuring Port Characteristics" on page 477.
Energy Detect Mode
When the Energy Detect mode is enabled and the port link is down, the PHY
automatically goes down for a short period of time and then wakes up
periodically to check link pulses. This mode reduces power consumption on
the port when no link partner is present.
Energy Efficient Ethernet
The switch supports the IEEE 802.3az Energy Efficient Ethernet (EEE)
Lower Power Idle Mode, which enables both the send and receive sides of the
link to disable some functionality for power savings when the link is lightly
loaded.
EEE and energy detect are supported on the N2000 and N3000 1G copper
ports. EEE is supported on the N4000 10G copper ports and energy detect is
supported on the N4000 10G and 40G copper ports.
EEE and energy detect are disabled by default on the N2000 and N3000
copper ports. Energy detect is enabled by default on the N4000 switches. EEE
is disabled by default on the N4000 10G copper ports.
Power Utilization Reporting
The switch displays the current power consumption of the power supply (or
power supplies). This information is available from the management
interface.
Power over Ethernet (PoE) Plus Features
For information about configuring PoE Plus features, see "Managing General
System Settings" on page 279.
Power Over Ethernet (PoE) Plus Configuration
The Dell Networking N2024P/N2048P and N3024P/N3048P switches support
PoE Plus configuration for power threshold, power priority, SNMP traps, and
PoE legacy device support. PoE can be administratively enabled or disabled
on a per-port basis. Power can also be limited on a per-port basis.
PoE Plus Support
The Dell Networking N2024P/N2048P and N3024P/N3048P switches
implement the PoE Plus specification (IEEE 802.3at) in addition to the
IEEE 802.3af specification. This allows power to be supplied to Class 4 PD
devices that require power greater than 15.4 Watts. Each port is capable of
delivering up to 34.2W of power. Real-time power supply status is also
available on the switch as part of the PoE Plus implementation.
NOTE: The Dell Networking N2024P/N2048P and N3024P/N3048P switches
support PoE Plus. The PoE Plus features do not apply to the other models in the
Dell Networking N2000/N3000/N4000 series.
Switching Features
Flow Control Support (IEEE 802.3x)
Flow control enables lower speed switches to communicate with higher speed
switches by requesting that the higher speed switch refrain from sending
packets for a limited period of time. Transmissions are temporarily halted to
prevent buffer overflows.
For information about configuring flow control, see "Configuring Port-Based
Traffic Control" on page 787.
Head of Line Blocking Prevention
Head of Line (HOL) blocking prevention prevents traffic delays and frame
loss caused by traffic competing for the same egress port resources. HOL
blocking queues packets, and the packets at the head of the queue are
forwarded before packets at the end of the queue.
Alternate Store and Forward (ASF)
The Alternate Store and Forward (ASF) feature reduces latency for large
packets. When ASF is enabled, the memory management unit (MMU) can
forward a packet to the egress port before it has been entirely received on the
Cell Buffer Pool (CBP) memory.
ASF, which is also known as cut-through mode, is configurable through the
command-line interface. For information about how to configure the ASF
feature, see the CLI Reference Guide available at support.dell.com/manuals.
Jumbo Frames Support
Jumbo frames enable transporting data in fewer frames to ensure less
overhead, lower processing time, and fewer interrupts.
For information about configuring the switch MTU, see "Configuring Port
Characteristics" on page 477.
NOTE: This feature is available on the N4000 series switches only.
Auto-MDI/MDIX Support
Your switch supports auto-detection between crossed and straight-through
cables. Media-Dependent Interface (MDI) is the standard wiring for end
stations, and the standard wiring for hubs and switches is known as Media-
Dependent Interface with Crossover (MDIX). Auto-negotiation must be
enabled for MDIX to detect the wiring configuration.
VLAN-Aware MAC-based Switching
Packets arriving from an unknown source address are sent to the CPU and
added to the Hardware Table. Future packets addressed to or from this
address are more efficiently forwarded.
Back Pressure Support
On half-duplex links, a receiver may prevent buffer overflows by jamming the
link so that it is unavailable for additional traffic. On full-duplex links, a
receiver may send a PAUSE frame indicating that the transmitter should
cease transmission of frames for a specified period.
When flow control is enabled, the Dell Networking series switches will
observe received PAUSE frames or jamming signals, but will not issue them
when congested.
Auto Negotiation
Auto negotiation allows the switch to advertise modes of operation. The auto
negotiation function provides the means to exchange information between
two switches that share a point-to-point link segment, and to automatically
configure both switches to take maximum advantage of their transmission
capabilities.
Dell Networking series switches enhance auto negotiation by providing
configuration of port advertisement. Port advertisement allows the system
administrator to configure the port speeds that are advertised.
For information about configuring auto negotiation, see "Configuring Port
Characteristics" on page 477.
Broadcast Storm Control
When Layer 2 frames are forwarded, broadcast, unknown unicast, and
multicast frames are flooded to all ports on the relevant virtual local area
network (VLAN). The flooding occupies bandwidth, and loads all nodes
connected on all ports. Storm control limits the amount of broadcast,
unknown unicast, and multicast frames accepted and forwarded by the
switch.
For information about configuring Broadcast Storm Control settings, see
"Configuring Port-Based Traffic Control" on page 787.
Port Mirroring
Port mirroring monitors and mirrors network traffic by forwarding copies of
incoming and outgoing packets from multiple source ports to a monitoring
port. Source ports may be VLANs, physical interfaces, port-channels, or the
CPU port. The switch also supports flow-based mirroring, which allows you to
copy certain types of traffic to a single destination port. This provides
flexibility—instead of mirroring all ingress or egress traffic on a port the
switch can mirror a subset of that traffic. You can configure the switch to
mirror flows based on certain kinds of Layer 2, Layer 3, and Layer 4
information.
Dell Networking switches support RSPAN destinations where traffic can be
tunneled across the operational network. RSPAN does not support
configuration of the CPU port as a source.
For information about configuring port mirroring, see "Monitoring Switch
Traffic" on page 407.
Static and Dynamic MAC Address Tables
You can add static entries to the switch’s MAC address table and configure
the aging time for entries in the dynamic MAC address table. You can also
search for entries in the dynamic table based on several different criteria.
For information about viewing and managing the MAC address table, see
"Managing the MAC Address Table" on page 1015.
Link Layer Discovery Protocol (LLDP)
The IEEE 802.1AB defined standard, Link Layer Discovery Protocol (LLDP),
allows the switch to advertise major capabilities and physical descriptions.
This information can help you identify system topology and detect bad
configurations on the LAN.
For information about configuring LLDP settings, see "Discovering Network
Devices" on page 761.
Link Layer Discovery Protocol (LLDP) for Media Endpoint Devices
The Link Layer Discovery Protocol for Media Endpoint Devices (LLDP-
MED) provides an extension to the LLDP standard for network configuration
and policy, device location, Power over Ethernet management, and inventory
management.
For information about configuring LLDP-MED settings, see "Discovering
Network Devices" on page 761.
Connectivity Fault Management (IEEE 802.1ag)
The Connectivity Fault Management (CFM) feature, also known as Dot1ag,
supports Service Level Operations, Administration, and Management
(OAM). CFM is the OAM Protocol provision for end-to-end service layer
instance in carrier networks. The CFM feature provides mechanisms to help
you perform connectivity checks, fault detection, fault verification and
isolation, and fault notification per service in a network domain.
For information about configuring IEEE 802.1ag settings, see "Configuring
Connectivity Fault Management" on page 859.
Priority-based Flow Control (PFC)
The Priority-based Flow Control feature allows the switch to pause or inhibit
transmission of individual priorities within a single physical link. By
configuring PFC to pause a congested priority (priorities) independently,
protocols that are highly loss sensitive can share the same link with traffic that
has different loss tolerances. Priorities are differentiated by the priority field
of the 802.1Q VLAN header. The N4000 switches support lossless transport of
frames on up to two priority classes.
NOTE: This feature is available on the N4000 series switches only.
NOTE: This feature is available on the N4000 switches only.
For information about configuring the PFC feature, see "Configuring Data
Center Bridging Features" on page 983.
Data Center Bridging Exchange (DCBx) Protocol
The Data Center Bridging Exchange Protocol (DCBx) is used by DCB
devices to exchange configuration information with directly connected peers.
The protocol is also used to detect misconfiguration of the peer DCB devices
and, optionally, for configuration of peer DCB devices. For information about
configuring DCBx settings, see "Configuring Data Center Bridging Features"
on page 983. DCBx is a link-local protocol and operates only on individual
links.
Enhanced Transmission Selection
Enhanced Transmission Selection (ETS) allows the switch to allocate
bandwidth to traffic classes and share unused bandwidth with lower-priority
traffic classes while coexisting with strict-priority traffic classes. ETS is
supported on the Dell Networking N4000 series switches and can be
configured manually or automatically using the auto configuration feature.
For more information about ETS, see "Enhanced Transmission Selection" on
page 999.
NOTE: An interface that is configured for PFC is automatically disabled for 802.3x
flow control.
NOTE: This feature is available on the N4000 switches only.
NOTE: This feature is available on the N4000 switches only.
Cisco Protocol Filtering
The Cisco Protocol Filtering feature (also known as Link Local Protocol
Filtering) filters Cisco protocols that should not normally be relayed by a
bridge. The group addresses of these Cisco protocols do not fall within the
IEEE defined range of the 802.1D MAC Bridge Filtered MAC Group
Addresses (01-80-C2-00-00-00 to 01-80-C2-00-00-0F).
For information about configuring LLPF settings, see "Configuring Port-
Based Traffic Control" on page 787.
DHCP Layer 2 Relay
This feature permits Layer 3 Relay agent functionality in Layer 2 switched
networks. The switch supports L2 DHCP relay configuration on individual
ports, link aggregation groups (LAGs) and VLANs.
For information about configuring L2 DHCP Relay settings see "Configuring
L2 and L3 Relay Features" on page 1087.
Virtual Local Area Network Supported Features
For information about configuring VLAN features see "Configuring VLANs"
on page 645.
VLAN Support
VLANs are collections of switching ports that comprise a single broadcast
domain. Packets are classified as belonging to a VLAN based on either the
VLAN tag or a combination of the ingress port and packet contents. Packets
sharing common attributes can be grouped in the same VLAN. The Dell
Networking series switches are in full compliance with IEEE 802.1Q VLAN
tagging.
Port-Based VLANs
Port-based VLANs classify incoming packets to VLANs based on their ingress
port. When a port uses 802.1X port authentication, packets can be assigned
to a VLAN based on the result of the 802.1X authentication a client uses
when it accesses the switch. This feature is useful for assigning traffic to
Guest VLANs or Voice VLANs.
IP Subnet-based VLAN
This feature allows incoming untagged packets to be assigned to a VLAN and
traffic class based on the source IP address of the packet.
MAC-based VLAN
This feature allows incoming untagged packets to be assigned to a VLAN and
traffic class based on the source MAC address of the packet.
IEEE 802.1v Protocol-Based VLANs
VLAN classification rules are defined on data-link layer (Layer 2) protocol
identification. Protocol-based VLANs are used for isolating Layer 2 traffic for
differing Layer 3 protocols.
GARP and GVRP Support
The switch supports the Generic Attribute Registration Protocol (GARP).
GARP VLAN Registration Protocol (GVRP) relies on the services provided by
GARP to provide IEEE 802.1Q-compliant VLAN pruning and dynamic
VLAN creation on 802.1Q trunk ports. When GVRP is enabled, the switch
registers and propagates VLAN membership on all ports that are part of the
active spanning tree protocol topology.
For information about configuring GARP timers see "Configuring L2
Multicast Features" on page 803.
Voice VLAN
The Voice VLAN feature enables switch ports to carry voice traffic with
defined priority. The priority level enables the separation of voice and data
traffic coming onto the port. Voice VLAN is the preferred solution for
enterprises wishing to deploy voice services in their network.
Guest VLAN
The Guest VLAN feature allows a switch to provide a distinguished service to
unauthenticated users. This feature provides a mechanism to allow visitors
and contractors to have network access to reach the external network with no
ability to browse information on the internal LAN.
For information about configuring the Guest VLAN see "Configuring Port
and System Security" on page 503.
Double VLANs
The Double VLAN feature (IEEE 802.1QinQ) allows the use of a second tag
on network traffic. The additional tag helps differentiate between customers
in the Metropolitan Area Networks (MAN) while preserving individual
customer’s VLAN identification when they enter their own 802.1Q domain.
Spanning Tree Protocol Features
For information about configuring Spanning Tree Protocol features, see
"Configuring the Spanning Tree Protocol" on page 715.
Spanning Tree Protocol (STP)
Spanning Tree Protocol (IEEE 802.1D) is a standard requirement of Layer 2
switches that allows bridges to automatically prevent and resolve L2
forwarding loops.
Spanning Tree Port Settings
The STP feature supports a variety of per-port settings including path cost,
priority settings, Port Fast mode, STP Root Guard, Loop Guard, TCN Guard,
and Auto Edge. These settings are also configurable per-LAG.
Rapid Spanning Tree
Rapid Spanning Tree Protocol (RSTP) detects and uses network topologies to
enable faster spanning tree convergence after a topology change, without
creating forwarding loops. The port settings supported by STP are also
supported by RSTP.
Multiple Spanning Tree
Multiple Spanning Tree (MSTP) operation maps VLANs to spanning tree
instances. Packets assigned to various VLANs are transmitted along different
paths within MSTP Regions (MST Regions). Regions are one or more
interconnected MSTP bridges with identical MSTP settings. The MSTP
standard lets administrators assign VLAN traffic to unique paths.
The switch supports IEEE 802.1Q-2005, a version that corrects problems
associated with the previous version, provides for faster transition to
forwarding, and incorporates new per-port features (restricted role and
restricted TCN).
Bridge Protocol Data Unit (BPDU) Guard
Spanning Tree BPDU Guard is used to disable the port in case a new device
tries to enter the already existing topology of STP. Thus devices, which were
originally not a part of STP, are not allowed to influence the STP topology.
BPDU Filtering
When spanning tree is disabled on a port, the BPDU Filtering feature allows
BPDU packets received on that port to be dropped. Additionally, the BPDU
Filtering feature prevents a port in Port Fast mode from sending and receiving
BPDUs. A port in Port Fast mode is automatically placed in the forwarding
state when the link is up, which reduces convergence time.
RSTP-PV and STP-PV
Dell Networking switches support both Rapid Spanning Tree Per VLAN
(RSTP-PV) and Spanning Tree Per VLAN (STP-PV). RSTP-PV is the IEEE
802.1w (RSTP) standard implemented per VLAN. A single instance of rapid
spanning tree (RSTP) runs on each configured VLAN. Each RSTP instance
on a VLAN has a root switch. STP-PV is the IEEE 802.1s (STP) standard
implemented per VLAN.
Link Aggregation Features
For information about configuring link aggregation (port-channel) features,
see "Configuring Link Aggregation" on page 913.
Link Aggregation
Up to eight ports can combine to form a single Link Aggregation Group
(LAG). This enables fault tolerance protection from physical link disruption,
higher bandwidth connections and improved bandwidth granularity.
Per IEEE 802.1AX, only links with the same operational characteristics, such
as speed and duplex setting, may be aggregated. Dell Networking switches
aggregate links only if they have the same operational speed and duplex
setting, as opposed to the configured speed and duplex setting. This allows
operators to aggregate links that use auto negotiation to set values for speed
and duplex or to aggregate ports with SFP+ technology operating at a lower
speed, e.g., 1G. Dissimilar ports will not become active in the LAG if their
operational settings do not match those of the first member of the LAG.
Link Aggregate Control Protocol (LACP)
Link Aggregate Control Protocol (LACP) uses peer exchanges across links to
determine, on an ongoing basis, the aggregation capability of various links,
and continuously provides the maximum level of aggregation capability
achievable between a given pair of systems. LACP automatically determines,
configures, binds, and monitors the binding of ports to aggregators within the
system.
Multi-Switch LAG (MLAG)
Dell Networking switches support the MLAG feature to extend the LAG
bandwidth advantage across multiple Dell Networking switches connected to
a LAG partner device. The LAG partner device is oblivious to the fact that it
is connected over a LAG to two peer Dell Networking switches; instead, the
two switches appear as a single switch to the partner. When using MLAG, all
links can carry data traffic across a physically diverse topology and, in the case
of a link or switch failure, traffic can continue to flow with minimal
disruption.
Routing Features
Address Resolution Protocol (ARP) Table Management
You can create static ARP entries and manage many settings for the dynamic
ARP table, such as age time for entries, retries, and cache size.
For information about managing the ARP table, see "Configuring IP Routing"
on page 1063.
VLAN Routing
Dell Networking series switches support VLAN routing. You can also
configure the software to allow traffic on a VLAN to be treated as if the VLAN
were a router port.
For information about configuring VLAN routing interfaces, see "Configuring
Routing Interfaces" on page 1021.
IP Configuration
The switch IP configuration settings allow you to configure network
information for VLAN routing interfaces such as IP address and subnet mask,
and ICMP redirects. Global IP configuration settings for the switch allow you
to enable or disable the generation of several types of ICMP messages and
enable or disable the routing mode.
For information about managing global IP settings, see "Configuring IP
Routing" on page 1063.
Open Shortest Path First (OSPF)
Open Shortest Path First (OSPF) is a dynamic routing protocol commonly
used within medium-to-large enterprise networks. OSPF is an interior
gateway protocol (IGP) that operates within a single autonomous system.
For information about configuring OSPF, see "Configuring OSPF and
OSPFv3" on page 1111.
NOTE: This feature is not available on N2000 switches.
BOOTP/DHCP Relay Agent
The switch BootP/DHCP Relay Agent feature relays BootP and DHCP
messages between DHCP clients and DHCP servers that are located in
different IP subnets.
For information about configuring the BootP/DHCP Relay agent, see
"Configuring L2 and L3 Relay Features" on page 1087.
IP Helper and UDP Relay
The IP Helper and UDP Relay features provide the ability to relay various
protocols to servers on a different subnet.
For information about configuring the IP helper and UDP relay features, see
"Configuring L2 and L3 Relay Features" on page 1087.
Routing Information Protocol
Routing Information Protocol (RIP), like OSPF, is an IGP used within an
autonomous Internet system. RIP is an IGP that is designed to work with
moderate-size networks.
For information about configuring RIP, see "Configuring RIP" on page 1201.
Router Discovery
For each interface, you can configure the Router Discovery Protocol (RDP) to
transmit router advertisements. These advertisements inform hosts on the
local network about the presence of the router.
For information about configuring router discovery, see "Configuring IP
Routing" on page 1063.
Routing Table
The routing table displays information about the routes that have been
dynamically learned. You can configure static and default routes and route
preferences. A separate table shows the routes that have been manually
configured.
For information about viewing the routing table, see "Configuring IP
Routing" on page 1063.
Virtual Router Redundancy Protocol (VRRP)
VRRP provides hosts with redundant routers in the network topology without
any need for the hosts to reconfigure or know that there are multiple routers.
If the primary (master) router fails, a secondary router assumes control and
continues to use the virtual router IP (VRIP) address.
VRRP Route Interface Tracking extends the capability of VRRP to allow
tracking of specific route/interface IP states within the router that can alter
the priority level of a virtual router for a VRRP group.
For information about configuring VRRP settings, see "Configuring VRRP"
on page 1217.
Tunnel and Loopback Interfaces
Dell Networking series switches support the creation, deletion, and
management of tunnel and loopback interfaces. Tunnel interfaces facilitate
the transition of IPv4 networks to IPv6 networks. A loopback interface is
always expected to be up, so you can configure a stable IP address that other
network devices use to contact or identify the switch.
For information about configuring tunnel and loopback interfaces, see
"Configuring Routing Interfaces" on page 1021.
NOTE: This feature is not available on N2000 switches.
NOTE: This feature is not available on N2000 switches.
IPv6 Routing Features
IPv6 Configuration
The switch supports IPv6, the next generation of the Internet Protocol. You
can globally enable IPv6 on the switch and configure settings such as the IPv6
hop limit and ICMPv6 rate limit error interval. You can also control whether
IPv6 is enabled on a specific interface. The switch supports the configuration
of many per-interface IPv6 settings including the IPv6 prefix and prefix
length.
For information about configuring general IPv6 routing settings, see
"Configuring IPv6 Routing" on page 1241.
IPv6 Routes
Because IPv4 and IPv6 can coexist on a network, the router on such a network
needs to forward both traffic types. Given this coexistence, each switch
maintains a separate routing table for IPv6 routes. The switch can forward
IPv4 and IPv6 traffic over the same set of interfaces.
For information about configuring IPv6 routes, see "Configuring IPv6
Routing" on page 1241.
OSPFv3
OSPFv3 provides a routing protocol for IPv6 networking. OSPFv3 is a new
routing component based on the OSPF version 2 component. In dual stack
IPv6, you can configure and use both OSPF and OSPFv3 components.
For information about configuring OSPFv3, see "Configuring OSPF and
OSPFv3" on page 1111.
DHCPv6
DHCPv6 incorporates the notion of the “stateless” server, where DHCPv6 is
not used for IP address assignment to a client, rather it only provides other
networking information such as DNS, Network Time Protocol (NTP), and/or
Session Initiation Protocol (SIP) information.
NOTE: This feature is not available on N2000 switches.
For information about configuring DHCPv6 settings, see "Configuring
DHCPv6 Server and Relay Settings" on page 1265.
Quality of Service (QoS) Features
Differentiated Services (DiffServ)
The QoS Differentiated Services (DiffServ) feature allows traffic to be
classified into streams and given certain QoS treatment in accordance with
defined per-hop behaviors. Dell Networking series switches support both IPv4
and IPv6 packet classification.
For information about configuring DiffServ, see "Configuring Differentiated
Services" on page 1285.
Class Of Service (CoS)
The Class Of Service (CoS) queueing feature lets you directly configure
certain aspects of switch queuing. This provides the desired QoS behavior for
different types of network traffic when the complexities of DiffServ are not
required. CoS queue characteristics, such as minimum guaranteed
bandwidth and transmission rate shaping, are configurable at the queue (or
port) level.
For information about configuring CoS, see "Configuring Class-of-Service" on
page 1313.
Auto Voice over IP (VoIP)
This feature provides ease of use for the user in setting up VoIP for IP phones
on a switch. This is accomplished by enabling a VoIP profile that a user can
select on a per port basis.
For information about configuring Auto VoIP, see "Configuring Auto VoIP" on
page 1331.
NOTE: Some features that can affect QoS, such as ACLs and Voice VLAN, are
described in other sections within this chapter.
Internet Small Computer System Interface (iSCSI) Optimization
The iSCSI Optimization feature helps network administrators track iSCSI
traffic between iSCSI initiator and target systems. This is accomplished by
monitoring, or snooping traffic to detect packets used by iSCSI stations in
establishing iSCSI sessions and connections. Data from these exchanges may
optionally be used to create classification rules to assign the traffic between
the stations to a configured traffic class. This affects how the packets in the
flow are queued and scheduled for egress on the destination port.
For information about configuring iSCSI settings, see "Configuring iSCSI
Optimization" on page 459.
Layer 2 Multicast Features
For information about configuring L2 multicast features, see "Configuring L2
Multicast Features" on page 803.
MAC Multicast Support
Multicast service is a limited broadcast service that allows one-to-many and
many-to-many connections. In Layer 2 multicast services, a single frame
addressed to a specific multicast address is received, and copies of the frame
to be transmitted on each relevant port are created.
IGMP Snooping
Internet Group Management Protocol (IGMP) Snooping is a feature that
allows a switch to forward multicast traffic intelligently on the switch.
Multicast traffic is traffic that is destined to a host group. Host groups are
identified by the destination MAC address, i.e. the range 01:00:5e:00:00:00 to
01:00:5e:7f:ff:ff for IPv4 multicast traffic or 33:33:xx:xx:xx:xx for IPv6
multicast traffic. Based on the IGMP query and report messages, the switch
forwards traffic only to the ports that request the multicast traffic. This
prevents the switch from broadcasting the traffic to all ports and possibly
affecting network performance.
IGMP Snooping Querier
When Protocol Independent Multicast (PIM) and IGMP are enabled in a
network with IP multicast routing, the IP multicast router acts as the IGMP
querier. However, if it is desirable to keep the multicast network Layer 2
switched only, the IGMP Snooping Querier can perform the query functions
of a Layer 3 multicast router.
MLD Snooping
In IPv4, Layer 2 switches can use IGMP Snooping to limit the flooding of
multicast traffic by dynamically configuring Layer 2 interfaces so that
multicast traffic is forwarded only to those interfaces associated with an IP
multicast address.
In IPv6, MLD snooping performs a similar function. With MLD snooping,
IPv6 multicast data is selectively forwarded to a list of ports intended to
receive the data (instead of being flooded to all of the ports in a VLAN). This
list is constructed by snooping IPv6 multicast control packets.
Multicast VLAN Registration
The Multicast VLAN Registration (MVR) protocol, like IGMP Snooping,
allows a Layer 2 switch to listen to IGMP frames and forward the multicast
traffic only to the receivers that request it. Unlike IGMP Snooping, MVR
allows the switch to listen across different VLANs. MVR uses a dedicated
VLAN, which is called the multicast VLAN, to forward multicast traffic over
the Layer 2 network to the various VLANs that have multicast receivers as
members.
Layer 3 Multicast Features
For information about configuring L3 multicast features, see "Managing IPv4
and IPv6 Multicast" on page 1337.
Distance Vector Multicast Routing Protocol
Distance Vector Multicast Routing Protocol (DVMRP) exchanges probe
packets with all DVMRP-enabled routers, establishing two-way neighbor
relationships and building a neighbor table. It exchanges report packets and
creates a unicast topology table, which is used to build the multicast routing
table. This multicast route table is then used to route the multicast packets.
Internet Group Management Protocol
The Internet Group Management Protocol (IGMP) is used by IPv4 systems
(hosts and routers) to report their IP multicast group memberships to any
neighboring multicast routers. Dell Networking series switches perform the
“multicast router part” of the IGMP protocol, which means they collect the
membership information needed by the active multicast router.
IGMP Proxy
The IGMP Proxy feature allows the switch to act as a proxy for hosts by
sending IGMP host messages on behalf of the hosts that the switch
discovered through standard IGMP router interfaces.
Protocol Independent Multicast—Dense Mode
Protocol Independent Multicast (PIM) is a standard multicast routing
protocol that provides scalable inter-domain multicast routing across the
Internet, independent of the mechanisms provided by any particular unicast
routing protocol. The Protocol Independent Multicast-Dense Mode (PIM-
DM) protocol uses an existing Unicast routing table and a Join/Prune/Graft
mechanism to build a tree. PIM-DM creates source-based shortest-path
distribution trees, making use of reverse path forwarding (RPF).
NOTE: This feature is not available on N2000 switches.
Protocol Independent Multicast—Sparse Mode
Protocol Independent Multicast-Sparse Mode (PIM-SM) is used to efficiently
route multicast traffic to multicast groups that may span wide area networks,
and where bandwidth is a constraint. PIM-SM uses shared trees by default
and implements source-based trees for efficiency. A data threshold rate is
used to switch from the shared tree to a source-based tree.
Protocol Independent Multicast—Source Specific Multicast
Protocol Independent Multicast—Source Specific Multicast (PIM-SSM) is a
subset of PIM-SM and is used for one-to-many multicast routing
applications, such as audio or video broadcasts. PIM-SSM does not use shared
trees.
Protocol Independent Multicast IPv6 Support
PIM-DM and PIM-SM support IPv6 routes.
MLD/MLDv2 (RFC2710/RFC3810)
MLD is used by IPv6 systems (listeners and routers) to report their IP
multicast address memberships to any neighboring multicast routers. The
implementation of MLD v2 is backward compatible with MLD v1.
The MLD protocol enables the IPv6 router to discover the presence of multicast
listeners, the nodes that want to receive the multicast data packets, on its
directly attached interfaces. The protocol specifically discovers which
multicast addresses are of interest to its neighboring nodes and provides this
information to the multicast routing protocol that makes the decision on the
flow of the multicast data packets.
3 Hardware Overview
This section provides an overview of the switch hardware. It is organized by
product type:
Dell Networking N2000 Series Switch Hardware
Dell Networking N3000 Series Switch Hardware
Dell Networking N4000 Series Switch Hardware
Switch MAC Addresses
Dell Networking N2000 Series Switch Hardware
This section contains information about device characteristics and modular
hardware configurations for the N2000 series switches.
N2000 Series Front Panel
The N2000 series front panel includes the following features:
• Switch Ports
• Console Port
• USB Port
• Reset Button
• SFP+ Ports
• Port and System LEDs
• Stack Master LED and Stack Number Display
The following images show the front panels of the switch models in the
N2000 series.
Figure 3-1. N2048 Switch with 48 10/100/1000BASE-T Ports (Front Panel)
In addition to the switch ports, the front panel of each model in the N2000
series includes the following ports:
• Console port
• USB port
Figure 3-2. N2024 Close-up
The N2024 front panel, shown in Figure 3-2, has status LEDs for over-
temperature alarm, internal power, and status on the top row. The bottom
row of status LEDs displays stack master, redundant power supply (RPS)
status and fan alarm status.
(Figure 3-1 callouts: 48 10/100/1000BASE-T Ports, SFP+ Ports, Console Port, USB Port)
Figure 3-3. N2024P Close-up
The N2024P front panel, shown in Figure 3-3, has status LEDs for over-
temperature alarm, internal power and status on the top row. The bottom row
of status LEDs displays stack master, modular power supply (MPS) status and
fan alarm status.
Switch Ports
The N2024/N2024P front panel provides 24 Gigabit Ethernet
(10/100/1000BASE-T) RJ-45 ports that support auto-negotiation for speed,
flow control, and duplex. The N2024/N2024P models support two SFP+ 10G
ports. Dell-qualified SFP+ transceivers are sold separately.
The N2048/N2048P front panel provides 48 Gigabit Ethernet (10BASE-T,
100BASE-TX, 1000BASE-T) RJ-45 ports that support auto-negotiation for
speed, flow control, and duplex. The N2048/N2048P support two SFP+ 10G
ports. Dell-qualified SFP+ transceivers are sold separately.
The front-panel switch ports have the following characteristics:
• The switch automatically detects the difference between crossed and
straight-through cables on RJ-45 ports and automatically chooses the MDI
or MDIX configuration to match the other end.
• SFP+ ports support Dell-qualified transceivers. The default behavior is to
log a message and generate an SNMP trap on insertion or removal of an
optic that is not qualified by Dell. The message and trap can be suppressed
by using the service unsupported-transceiver command.
• RJ-45 ports support full-duplex mode 10/100/1000 Mbps speeds on
standard Category 5 UTP cable.
• SFP+ ports support SFP+ transceivers and SFP+ copper twin-ax
technology operating at 10G or 1G plus SFP transceivers operating at 1G.
• The N2024P/N2048P front panel ports support PoE (15.4W) and PoE+
(34.2W).
Console Port
The console port provides serial communication capabilities, which allow
communication using the RS-232 protocol. The serial port provides a direct
connection to the switch and allows access to the CLI from a console
terminal connected to the port through the provided serial cable (with RJ45
YOST to female DB-9 connectors).
The console port is separately configurable and can be run as an asynchronous
link from 1200 baud to 115,200 baud.
The Dell CLI only supports changing the speed. The defaults are 9600 baud
rate, 8 data bits, No Parity, 1 Stop Bit, No Flow Control.
USB Port
The Type-A, female USB port supports a USB 2.0-compliant flash memory
drive. The Dell Networking switch can read or write to a flash drive with a
single partition formatted as FAT-32. You can use a USB flash drive to copy
switch configuration files and images between the USB flash drive and the
switch. You can also use the USB flash drive to move and copy configuration
files and images from one switch to other switches in the network. The
system does not support the deletion of files on USB flash drives.
The USB port does not support any other type of USB device.
Reset Button
The reset button is accessed through the pinhole and allows you to perform a
hard reset on the switch. To use the reset button, insert an unbent paper clip
or similar tool into the pinhole. When the switch completes the boot process
after the reset, it resumes operation with the most recently saved
configuration. Any changes made to the running configuration that were not
saved to the startup configuration prior to the reset are lost.
Port and System LEDs
The front panel contains light emitting diodes (LEDs) that indicate the
status of port links, power supplies, fans, stacking, and the overall system
status. See "N2000 LED Definitions" on page 97 for more information.
Stack Master LED and Stack Number Display
When a switch within a stack is the master unit, the stack master LED, which
is labeled M, is solid green. If the M LED is off, the stack member is not the
master unit. The Stack No. panel displays the unit number for the stack
member. If a switch is not part of a stack (in other words, it is a stack of one
switch), the M LED is illuminated, and the unit number is displayed.
N2000 Series Back Panel
The following images show the back panels of the N2000 switches.
Figure 3-4. N2000 Back Panel
Figure 3-5. N2024P/N2048P Back Panel
The term mini-SAS refers to the stacking port cable connections shown in
Figure 3-6. See "Managing a Switch Stack" on page 171 for information on
using the mini-SAS ports to connect switches.
(Back panel figure callouts: Fan Vents, AC Power Receptacle)
Figure 3-6. N2048 Mini-SAS Stacking Ports and Fans
Power Supplies
N2024 and N2048
N2024 and N2048 series switches have an internal 100-watt power supply.
The additional redundant power supply (Dell Networking RPS720) provides
180 watts of power and gives full redundancy for the switch.
N2024P and N2048P
N2024P and N2048P switches have an internal 1000-watt power supply
feeding up to 24 PoE devices at full PoE+ power (850W). An additional
external power supply (MPS1000) provides 1000 watts and gives full power
coverage for all 48 PoE devices (1800W).
NOTE: PoE power is dynamically allocated. Not all ports will require the full PoE+
power.
CAUTION: Remove the power cable from the power supplies prior to removing
the power supply module itself. Power must not be connected prior to insertion in
the chassis.
Ventilation System
Two fans cool the N2000 switches.
Information Tag
The back panel includes a slide-out label panel that contains system
information, such as the Service Tag, MAC address, and so on.
(Figure 3-6 callout: Mini-SAS stacking ports)
N2000 LED Definitions
This section describes the LEDs on the front and back panels of the switch.
Port LEDs
Each port on an N2000 switch includes two LEDs. One LED is on the left
side of the port, and the second LED is on the right side of the port. This
section describes the LEDs on the switch ports.
100/1000/10000Base-T Port LEDs
Each 100/1000/10000Base-T port has two LEDs. Figure 3-7 illustrates the
100/1000/10000Base-T port LEDs.
Figure 3-7. 100/1000/10000Base-T Port LEDs
(Figure 3-7 callouts: Link/SPD, Activity)
Table 3-1 shows the 100/1000/10000Base-T port LED definitions.
Table 3-1. 100/1000/10000Base-T Port Definitions
LED                                  Color             Definition
Link/SPD LED                         Off               There is no link.
                                     Solid yellow      The port is operating at 10/100 Mbps.
                                     Solid green       The port is operating at 1000 Mbps.
Activity LED (on non-PoE switches)   Off               There is no current transmit/receive activity.
                                     Blinking green    The port is actively transmitting/receiving.
Activity/PoE LED (on PoE switches)   Off               There is no current transmit/receive activity and PoE power is off.
                                     Blinking green    The port is actively transmitting/receiving and PoE power is off.
                                     Blinking yellow   The port is actively transmitting/receiving and PoE power is on.
                                     Solid yellow      There is no current transmit/receive activity and PoE power is on.
Stacking Port LEDs
Table 3-2. Stacking Port LED Definitions
LED            Color             Definition
Link LED       Off               There is no link.
               Solid green       The port is actively transmitting/receiving.
Activity LED   Off               There is no current transmit/receive activity.
               Blinking green    The port is actively transmitting/receiving.
System LEDs
The system LEDs, located on the back panel, provide information about the
power supplies, thermal conditions, and diagnostics.
Table 3-3 shows the console port LED definitions and Table 3-4 shows the
System LED definitions for the N2000 series switches.
Table 3-3. Console Port LED Definitions
LED            Color          Definition
Link/SPD LED   Off            There is no link.
               Solid green    A link is present.
Table 3-4. System LED Definitions
LED                         Color            Definition
Status                      Solid green      Normal operation.
                            Blinking green   The switch is booting.
                            Solid red        A critical system error has occurred.
                            Blinking red     A noncritical system error occurred (fan or power supply failure).
Power                       Off              There is no power or the switch has experienced a power failure.
                            Solid green      Power to the switch is on.
                            Blinking green   The switch locator function is enabled.
RPS (on non-PoE switches)   Off              There is no redundant power supply (RPS).
                            Solid green      Power to the RPS is on.
                            Solid red        An RPS is detected but it is not receiving power.
EPS (on PoE switches)       Off              There is no external power supply (EPS).
                            Solid green      Power to the EPS is on.
                            Solid red        An EPS is detected but it is not receiving power.
Fan                         Solid green      The fan is powered and is operating at the expected RPM.
                            Solid red        A fan failure has occurred.
Stack master                Off              The switch is in stand-alone mode.
                            Solid green      The switch is master for the stack.
Temp                        Solid green      The switch is operating below the threshold temperature.
                            Solid red        The switch temperature exceeds the threshold of 75°C.
Stack No.                                    Switch ID within the stack.
Power Consumption for N2000 Series PoE Switches
Table 3-5 shows power consumption data for the PoE-enabled switches.
The PoE power budget for each interface is controlled by the switch firmware.
The administrator can limit the power supplied on a port or prioritize power
to some ports over others. Table 3-6 shows power budget data.
Table 3-5. Power Consumption
Model    Input Voltage   Power Supply Configuration   Max Steady Current Consumption (A)   Max Steady Power (W)
N2024P   100V            Main PSU+EPS PSU             8.9                                  890.0
         110V            Main PSU+EPS PSU             8.3                                  913.0
         120V            Main PSU+EPS PSU             7.6                                  912.0
         220V            Main PSU+EPS PSU             4.0                                  880.0
         240V            Main PSU+EPS PSU             3.6                                  873.6
N2048P   100V            Main PSU+EPS PSU             17.8                                 1780.0
         110V            Main PSU+EPS PSU             15.8                                 1740.2
         120V            Main PSU+EPS PSU             14.5                                 1740.0
         220V            Main PSU+EPS PSU             7.7                                  1687.4
         240V            Main PSU+EPS PSU             7.1                                  1704.0
Table 3-6. N2000 Series PoE Power Budget Limit
Model   System Power       One PSU Support                                            Two PSUs Support
Name    Max. Dissipation   Max. PSU         POE+ Power                                Max. PSUs        POE+ Power
                           Output Ability   Turn-on Limitation                        Output Ability   Turn-on Limitation
N2024P  90W                1000W            Power budget is 850W: the total POE       2000W            Power budget is 1700W: all PoE+
                                            supplied power must not exceed 850W.                       ports can supply maximum power.
N2048P  110W               1000W            Power budget is 850W: the total POE       2000W            Power budget is 1700W: all PoE+
                                            supplied power must not exceed 850W.                       ports can supply maximum power.
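The budget rule of Table 3-6, worked as an added example (Python; this is not Dell firmware code). It checks whether a port population fits the 850W one-PSU or 1700W two-PSU budget of the N2048P and walks through a priority-ordered allocation, since the guide says the administrator can prioritize power to some ports over others. The three-level priority scheme, the Gi1/0/N port names and the deny-rather-than-throttle behaviour are assumptions made for the illustration.

```python
# Added example, not Dell firmware code: an illustrative PoE power-budget
# check built from the Table 3-6 figures for the N2048P.  Priority levels,
# port names and the deny-rather-than-throttle rule are assumptions.
from dataclasses import dataclass

POE_W = 15.4       # per-port PoE power stated in the guide
POE_PLUS_W = 34.2  # per-port PoE+ power stated in the guide

# Table 3-6, N2048P: one PSU -> 850 W budget, two PSUs -> 1700 W budget
BUDGET_W = {1: 850.0, 2: 1700.0}


@dataclass
class PoePort:
    name: str
    requested_w: float   # power the attached powered device asks for
    priority: int = 2    # assumed scheme: 0 = critical, 1 = high, 2 = low


def allocate(ports, psu_count):
    """Grant requests in priority order (port order within a priority) until the
    budget is exhausted.  A port that does not fit is denied outright rather than
    under-powered.  Returns (granted_names, denied_names, watts_used)."""
    budget = BUDGET_W[psu_count]
    granted, denied, used = [], [], 0.0
    for p in sorted(ports, key=lambda p: p.priority):   # sorted() is stable
        if used + p.requested_w <= budget:
            granted.append(p.name)
            used += p.requested_w
        else:
            denied.append(p.name)
    return granted, denied, round(used, 1)


def all_ports_full_poe_plus(port_count, psu_count):
    """Can every port draw full PoE+ at once?  This is the Table 3-6 claim:
    true for 48 ports only with two PSUs."""
    return port_count * POE_PLUS_W <= BUDGET_W[psu_count]


def make_ports(count, watts, priority=2):
    """Constructed sample population: 'count' ports all requesting 'watts'."""
    return [PoePort(f"Gi1/0/{i}", watts, priority) for i in range(1, count + 1)]


if __name__ == "__main__":
    for psus in (1, 2):
        g, d, w = allocate(make_ports(48, POE_PLUS_W), psus)
        print(f"{psus} PSU(s): {len(g)} ports powered, {len(d)} denied, {w} W used")
```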
Dell Networking N3000 Series Switch Hardware
This section contains information about device characteristics and modular
hardware configurations for the N3000 series switches.
N3000 Series Front Panel
The N3000 series front panel includes the following features:
• Switch Ports
• Console Port
• Out-of-Band Management Port
• USB Port
• SFP+ Ports
• Reset Button
• Port and System LEDs
• Stack Master LED and Stack Number Display
The following images show the front panels of the switch models in the
N3000 series.
Figure 3-8. N3024F with 24 10/100/1000BASE-T Ports (Front Panel)
The N3000 series switch includes two combo ports. The combo ports are SFP
on the N3000 series and 1000BaseT on the N3024F switch.
(Figure 3-8 callouts: Combo Ports, 10/100/1000BASE-T Auto-sensing Full Duplex RJ-45 Ports, SFP+ Ports)
Figure 3-9. N3048 with 48 10/100/1000BASE-T Ports (Front Panel)
The additional ports are on the right side of the front panel, as shown in
Figure 3-9 and Figure 3-10 on page 103.
Figure 3-10. Additional N3000 Series Ports
The N3000 front panel above also contains a reset button (pinhole) and
several status LEDs. See Figure 3-10.
(Figure 3-9 and Figure 3-10 callouts: 10/100/1000BASE-T Auto-sensing Full Duplex RJ-45 Ports, Combo Ports, SFP+ Ports, Reset Button, USB Port, Console Port, Out-of-Band Management Port)
The N3000 front panel also displays status LEDs for over-temperature alarm,
internal power supply 1 and switch status on the top row. The bottom row of
status LEDs displays stack master, internal power supply 2 and fan alarm.
Switch Ports
The N3024/N3024P front panel provides 24 Gigabit Ethernet
(10/100/1000BASE-T) RJ-45 ports that support auto-negotiation for speed,
flow control, and duplex. The N3024P models support two SFP+ 10G ports.
Dell-qualified SFP+ transceivers are sold separately.
The N3024F front panel provides 24 Gigabit Ethernet 100BASE-
FX/1000BASE-X SFP ports plus 2 1000BASE-T combo ports. Dell-qualified
SFP transceivers are sold separately.
The N3048/N3048P front panel provides 48 Gigabit Ethernet (10BASE-T,
100BASE-TX, 1000BASE-T) RJ-45 ports that support auto-negotiation for
speed, flow control, and duplex. The N3048/N3048P support two SFP+ 10G
ports. Dell-qualified SFP+ transceivers are sold separately.
The front-panel switch ports have the following characteristics:
• The switch automatically detects the difference between crossed and
straight-through cables on RJ-45 ports and automatically chooses the MDI
or MDIX configuration to match the other end.
• SFP+ ports support Dell-qualified transceivers. The default behavior is to
log a message and generate an SNMP trap on insertion or removal of an
optic that is not qualified by Dell. The message and trap can be suppressed
by using the service unsupported-transceiver command.
• RJ-45 ports support full-duplex mode 10/100/1000 Mbps speeds on
standard Category 5 UTP cable.
• SFP+ ports support SFP+ transceivers and SFP+ copper twin-ax
technology operating at 10G/1G plus SFP transceivers operating at 1G.
• The N3024P/N3048P front panel ports support PoE (15.4W) and PoE+
(34.2W).
Console Port
The console port provides serial communication capabilities, which allow
communication using the RS-232 protocol. The serial port provides a direct
connection to the switch and allows access to the CLI from a console
terminal connected to the port through the provided serial cable (with RJ45
YOST to female DB-9 connectors).
The console port is separately configurable and can be run as an asynchronous
link from 1200 baud to 115,200 baud.
The Dell CLI only supports changing the speed. The defaults are 9600 baud
rate, 8 data bits, No Parity, 1 Stop Bit, No Flow Control.
Out-of-Band Management Port
The Out-of-Band (OOB) management port is a 10/100/1000BASE-T
Ethernet port dedicated to remote switch management. Traffic on this port is
segregated from operational network traffic on the switch ports and cannot be
switched or routed to or from the operational network.
USB Port
The Type-A, female USB port supports a USB 2.0-compliant flash memory
drive. The Dell Networking switch can read or write to a flash drive with a
single partition formatted as FAT-32. You can use a USB flash drive to copy
switch configuration files and images between the USB flash drive and the
switch. You can also use the USB flash drive to move and copy configuration
files and images from one switch to other switches in the network. The
system does not support the deletion of files on attached USB flash drives.
The USB port does not support any other type of USB device.
Reset Button
The reset button is accessed through the pinhole and allows you to perform a
hard reset on the switch. To use the reset button, insert an unbent paper clip
or similar tool into the pinhole. When the switch completes the boot process
after the reset, it resumes operation with the most recently saved
configuration. Any changes made to the running configuration that were not
saved to the startup configuration prior to the reset are lost.
Port and System LEDs
The front panel contains light emitting diodes (LEDs) that indicate the
status of port links, power supplies, fans, stacking, and the overall system
status.
For information about the status that the LEDs indicate, see the User’s
Configuration Guide.
Stack Master LED and Stack Number Display
When a switch within a stack is the master unit, the stack master LED, which
is labeled M, is solid green. If the M LED is off, the stack member is not the
master unit. The Stack No. panel displays the unit number for the stack
member. If a switch is not part of a stack (in other words, it is a stack of one
switch), the M LED is illuminated, and the unit number is displayed.
N3000 Series Back Panel
The following images show the back panels of the N3000 switches.
Figure 3-11. N3000 Back Panel
Figure 3-12. N3024P/N3048P Back Panel
(Figure 3-11 and Figure 3-12 callouts: Dual 10G Slots for SFP+ or 10GBASE-T Modules, AC Power Receptacle, Fan Vents)
Figure 3-13. N3048 Mini-SAS Stacking Ports Close-up
The term mini-SAS refers to the stacking port cable connections shown in
Figure 3-13. See "Managing a Switch Stack" on page 171 for information on
using the mini-SAS ports to connect switches.
Expansion Slots for Plug-in Modules
One expansion slot is located on the back of the N3000 models and can
support the following modules:
•10GBASE-T module
•SFP+ module
Each plug-in module has two ports. The plug-in modules include hot-swap
support, so you do not need to reboot the switch after you install a new
module.
Power Supplies
N3024, N3024F and N3048
N3024 series, N3024F and N3048 switches support two 200-watt Field
Replaceable Unit (FRU) power supplies, which give full power redundancy for
the switch. The N3024, N3024F, and N3048 switches offer the V-lock feature
for users who need to eliminate accidental power disconnection. The
V-lock receptacle on the Power Supply Unit (PSU) allows for the use of a
power cord that has the V-lock feature to create an integral secure locking
connection.
(Figure 3-13 callout: Mini-SAS stacking ports)
N3024P and N3048P
Dell Networking N3024P and N3048P switches support one or two 1100-watt
FRU power supplies. The N3024P switch is supplied with a single 715-watt
power supply (the default configuration) and supports an additional
1100-watt supply. For the N3048P switch, a single 1100-watt power supply is
supplied and another 1100 watt power supply can be added.
A single 1100-watt power supply can feed up to 24 PoE devices at full PoE+
power (950W). Dual-equipped switches will feed up to 48 PoE devices at full
PoE+ power (1800W), as well as provide power supply redundancy.
NOTE: PoE power is dynamically allocated by default. Not all ports will require the
full PoE+ power.
CAUTION: Remove the power cable from the power supplies prior to removing
the power supply module itself. Power must not be connected prior to insertion in
the chassis.
Ventilation System
Two fans cool the N3000 switches. The N3000 switches additionally have a
fan in each internal power supply. The N3000 fan is a FRU.
Information Tag
The back panel includes a slide-out label panel that contains system
information, such as the Service Tag, MAC address, and so on.
LED Definitions
This section describes the LEDs on the front and back panels of the switch.
Port LEDs
Each port on an N3000 series switch includes two LEDs. One LED is on the
left side of the port, and the second LED is on the right side of the port. This
section describes the LEDs on the switch ports.
100/1000/10000Base-T Port LEDs
Each 100/1000/10000Base-T port has two LEDs. Figure 3-14 illustrates the
100/1000/10000Base-T port LEDs.
Figure 3-14. 100/1000/10000Base-T Port LEDs
(Figure 3-14 callouts: Link/SPD, Activity)
Table 3-7 shows the 100/1000/10000Base-T port LED definitions.
Table 3-7. 100/1000/10000Base-T Port Definitions
LED                                  Color             Definition
Link/SPD LED                         Off               There is no link.
                                     Solid yellow      The port is operating at 10/100 Mbps.
                                     Solid green       The port is operating at 1000 Mbps.
Activity LED (on non-PoE switches)   Off               There is no current transmit/receive activity.
                                     Blinking green    The port is actively transmitting/receiving.
Activity/PoE LED (on PoE switches)   Off               There is no current transmit/receive activity and PoE power is off.
                                     Blinking green    The port is actively transmitting/receiving and PoE power is off.
                                     Blinking yellow   The port is actively transmitting/receiving and PoE power is on.
                                     Solid yellow      There is no current transmit/receive activity and PoE power is on.
Module Bay LEDs
The following tables describe the purpose of each of the module bay LEDs
when SFP+ and 10GBaseT modules are used.
Table 3-8. SFP+ Module LED Definitions
LED            Color             Definition
Link/SPD LED   Off               There is no link.
               Solid green       The port is operating at 10 Gbps.
               Solid amber       The port is operating at 1000 Mbps.
Activity LED   Off               There is no current transmit/receive activity.
               Blinking green    The port is actively transmitting/receiving.
Table 3-9. 10GBase-T Module LED Definitions
LED            Color             Definition
Link/SPD LED   Off               There is no link.
               Solid green       The port is operating at 10 Gbps.
               Solid amber       The port is operating at 100/1000 Mbps.
Activity LED   Off               There is no current transmit/receive activity.
               Blinking green    The port is actively transmitting/receiving.
Table 3-10. Stacking Port LED Definitions
LED            Color             Definition
Link LED       Off               There is no link.
               Solid green       The port is actively transmitting/receiving.
Activity LED   Off               There is no current transmit/receive activity.
               Blinking green    The port is actively transmitting/receiving.
Table 3-11. OOB Port LED Definitions
LED            Color             Definition
Link/SPD LED   Off               There is no link.
               Solid green       The port is actively transmitting/receiving at 1000 Mbps.
               Solid amber       The port is actively transmitting/receiving at 10/100 Mbps.
Activity LED   Off               There is no current transmit/receive activity.
               Blinking green    The port is actively transmitting/receiving.
System LEDs
The system LEDs, located on the back panel, provide information about the
power supplies, thermal conditions, and diagnostics.
Table 3-12 shows the console port LED definitions and Table 3-13 shows the
System LED definitions for the N3000 series switches.
Table 3-12. Console Port LED Definitions
LED            Color          Definition
Link/SPD LED   Off            There is no link.
               Solid green    A link is present.
Table 3-13. System LED Definitions
LED                Color            Definition
Status             Solid green      Normal operation.
                   Blinking green   The switch is booting.
                   Solid red        A critical system error has occurred.
                   Blinking red     A noncritical system error occurred (fan or power supply failure).
Power 1, Power 2   Off              There is no power or the switch has experienced a power failure.
                   Solid green      Power to the switch is on.
                   Blinking green   The switch locator function is enabled.
Fan                Solid green      The fan is powered and is operating at the expected RPM.
                   Solid red        A fan failure has occurred.
Stack master       Off              The switch is in stand-alone mode.
                   Solid green      The switch is master for the stack.
Temp               Solid green      The switch is operating below the threshold temperature.
                   Solid red        The switch temperature exceeds the threshold of 75°C.
Stack No.                           Switch ID within the stack.
Power Consumption for N3000 Series PoE Switches
Table 3-14 shows power consumption data for the PoE-enabled switches.
The PoE power budget for each interface is controlled by the switch firmware.
The administrator can limit the power supplied on a port or prioritize power
to some ports over others. Table 3-15 shows the power budget data.
Table 3-14. N3000 Series Power Consumption
Model    Input Voltage   Power Supply Configuration   Max Steady Current Consumption (A)   Max Steady Power (W)
N3024P   100V            PSU1+PSU2                    13.1                                 1310.0
         110V            PSU1+PSU2                    11.7                                 1287.0
         120V            PSU1+PSU2                    10.6                                 1272.0
         220V            PSU1+PSU2                    5.6                                  1232.0
         240V            PSU1+PSU2                    5.2                                  1240.8
N3048P   100V            PSU1+PSU2                    21.8                                 2180.0
         110V            PSU1+PSU2                    19.5                                 2145.0
         120V            PSU1+PSU2                    17.8                                 2136.0
         220V            PSU1+PSU2                    9.31                                 2048.2
         240V            PSU1+PSU2                    8.6                                  2064.0
Table 3-15. N3000 Series PoE Power Budget Limit
Model   System Power       One PSU Support                                            Two PSUs Support
Name    Max. Dissipation   Max. PSU         POE+ Power                                Max. PSUs        POE+ Power
                           Output Ability   Turn-on Limitation                        Output Ability   Turn-on Limitation
N3024P  110W               715W             Power budget is 550W: the total POE       715W             Power budget is 1100W: all PoE+
                                            supplied power must not exceed 550W.                       ports can supply maximum power.
N3048P  140W               1100W            Power budget is 950W: the total POE       2200W            Power budget is 1900W: all PoE+
                                            supplied power must not exceed 950W.                       ports can supply maximum power.
Dell Networking N4000 Series Switch Hardware
NOTE: PowerConnect 8100 has been renamed N4000. Both PowerConnect 8100
and N4000 can run firmware versions 6.1 and beyond. N4000 cannot run firmware
prior to version 6.1.
This section contains information about device characteristics and modular
hardware configurations for the N4000 series switches.
Front Panel
The N4000 series front panel includes the following features:
• Switch ports
• Module bay that supports the following modules:
  – 2 x 40 Gig QSFP (each QSFP may be configured as 4 x 10 Gig ports)
  – 4 x SFP+ module
  – 4 x 10GBaseT module
  See "Hot-Pluggable Interface Modules" on page 117 for more information.
• USB port
• Reset button
• Port and system LEDs
• Stack LED
The N4032 front panel provides 32 x 10GbE copper ports that support up to
100M of CAT-6A UTP cabling. The N4032F provides 32 SFP+ ports
supporting SFP+ and SFP transceivers.
Figure 3-15. N4024 Front Panel
Figure 3-16. N4024F Front Panel
N4032 and N4032F switches can be stacked with other N4000 switches using
10G or 40G SFP+ or QSFP modules in the module bay.
The N4064 front panel provides 64 x 10GbE copper ports and two fixed
QSFP ports, each supporting 4 x 10G or 1 x 40G connections. The N4064F
front panel provides 64 SFP+ ports supporting SFP+ and SFP transceivers
plus two fixed QSFP ports, each supporting 4 x 10G or 1 x 40G connections.
(Figure 3-15 and Figure 3-16 callouts: 10GbE Copper Ports, 10GbE Fiber Ports, Module bay, USB port)
Figure 3-17. N4064 Front Panel
Figure 3-18. N4064F Front Panel
The N4064 and N4064F switches can be stacked with other N4000 switches
using the 10G or 40G SFP+ or QSFP modules in the module bay or fixed
QSFP ports.
Hot-Pluggable Interface Modules
The N4032, N4032F, N4064, and N4064F switches support the following hot-
pluggable interface modules:
• N4000-QSFP — 2 x 40G QSFP port module - defaults to 2 x 40G
• N4000-SFP+ — 4 x SFP+ port module - defaults to 4 x 10G mode
• N4000-10GBT — 4 x 10GBase-T ports module - defaults to 4 x 10G mode
• Blank module — defaults to 10G mode
(Figure 3-17 and Figure 3-18 callouts: 10GbE Copper Ports, 10GbE Fiber Ports, USB port, Fixed QSFP ports, Module bay)
A reboot is necessary when a hot-pluggable module is replaced with a module
of different type. Specifically, changing from a 40G module to a 10G module
or from a 10G module to a 40G module requires a reboot. Plug-in modules
with any port configured as a stacking port are not hot-swappable. Remove
the stack-port configuration from a slot before plugging in a module.
You must execute a no slot or clear config command prior to inserting the
new module. Note that changing the role of a port from stacking to Ethernet
or vice-versa also requires a switch reboot.
If a no slot command is not issued prior to inserting a module, a message
such as the following will appear:
Card Mismatch: Unit:1 Slot:1 Inserted-Card: Dell 2
Port QSFP Expansion Card Config-Card: Dell 4 Port
10GBase-T Expansion Card
The following sections provide details on each module.
Quad-Port SFP (QSFP) Uplink Module
The QSFP module features four ports that support 10G SFP+
transceivers. The QSFP module supports the following features:
• Four 10G ports with a quad-breakout (QBO) cable, or one 40G port
• Front-panel port status LEDs
The QSFP interfaces can be used for stacking. Stacking is supported at
distances of up to 100M.
Quad-Port SFP+ Uplink Module
The N4000-SFP+ module features four SFP+ ports, each providing the
following features:
• SFP+ optical interfaces
• SFP+ copper twinax interface
• Front-panel port status LEDs
The SFP+ connections can be used for stacking. Stacking is supported at
distances of up to 100M.
10GBase-T Copper Uplink Module
The 10GBase-T copper module features four copper ports that can support
10GbE/1GbE/100MbE switching and provides the following features:
• Complies with IEEE 802.3z, IEEE 802.3, IEEE 802.3u, IEEE 802.3ab,
IEEE 802.3az, and IEEE 802.3an
• Four 10GBase-T/1GBase-T/100MBase-T copper ports
• Front-panel port status LEDs
USB Port
The Type-A, female USB port supports a USB 2.0-compliant flash memory
drive. The N4000 switch can read or write to a flash drive with a single
partition formatted as FAT-32. You can use a USB flash drive to copy switch
configuration files and images between the USB flash drive and the switch.
You can also use the USB flash drive to move and copy configuration files and
images from one switch to other switches in the network. Deletion of files on
the USB drive is not supported.
The USB port does not support any other type of USB device.
Port and System LEDs
The front panel contains light emitting diodes (LEDs) to indicate port status.
For information about the status that the LEDs indicate, see "LED
Definitions" on page 121.
SFP+ and QSFP+ Ports
SFP+ and QSFP+ ports support Dell-qualified transceivers. The default
behavior is to log a message and generate an SNMP trap on insertion or
removal of an optic that is not qualified by Dell. This message and trap can be
suppressed by using the service unsupported-transceiver command.
N4000 Back Panel
The N4000 series back panel has the following features:
• Console port
• Out-of-band management port
• Power supplies
• Ventilation system
The following image shows the back panel of the N4000 series switches.
Figure 3-19. N4000 Series Back Panel
Console Port
The console port is for management through a serial interface. This port
provides a direct connection to the switch and allows you to access the CLI
from a console terminal connected to the port through the provided serial
cable (RJ-45 to female DB-9 connectors).
The console port supports asynchronous data of eight data bits, one stop bit, no
parity bit, and no flow control. The default baud rate is 9600 bps.
Out-of-Band Management Port
The Out-of-Band (OOB) management port is a 10/100/1000BASE-T
Ethernet port dedicated to remote switch management. Traffic on this port is
segregated from operational network traffic on the switch ports and cannot be
switched or routed to or from the operational network.
Power Supplies
Each N4000 series switch has two power supplies for redundant or
loadsharing operation. Each power supply can support 300W.
[Figure 3-19 callouts: AC power (two supplies), OOB Ethernet port, RJ-45 serial console port, fans]
Ventilation System
The N4000 series switches have two fans. Each switch also has four thermal
sensors and a fan speed controller, which can be used to control fan speeds.
You can verify operation by observing the LEDs.
LED Definitions
This section describes the LEDs on the front and back panels of the switch.
Port LEDs
Each port on a N4000 series switch includes two LEDs. One LED is on the
left side of the port, and the second LED is on the right side of the port. This
section describes the LEDs on the switch ports.
100/1000/10000Base-T Port LEDs
Each 100/1000/10000Base-T port has two LEDs. Figure 3-20 illustrates the
100/1000/10000Base-T port LEDs.
Figure 3-20. 100/1000/10000Base-T Port LEDs
CAUTION: Remove the power cable from the modules prior to removing the
module itself. Power must not be connected prior to insertion in the chassis.
[Figure 3-20 callouts: Link, Activity]
Table 3-16 shows the 100/1000/10000Base-T port LED definitions.
Table 3-16. 100/1000/10000Base-T Port Definitions
LED            Color           Definition
Link LED       Off             There is no link.
               Solid green     The port is operating at 10 Gbps.
               Solid amber     The port is operating at 100/1000 Mbps.
Activity LED   Off             There is no current transmit/receive activity.
               Blinking green  The port is actively transmitting/receiving.
Module Bay LEDs
The following tables describe the purpose of each of the module bay LEDs
when SFP+, 10GBase-T, and QSFP modules are used.
Table 3-17. SFP+ Module LED Definitions
LED            Color           Definition
Link LED       Off             There is no link.
               Solid green     The port is operating at 10 Gbps.
               Solid amber     The port is operating at 100/1000 Mbps.
Activity LED   Off             There is no current transmit/receive activity.
               Blinking green  The port is actively transmitting/receiving.
Table 3-18. 10GBase-T Module LED Definitions
LED            Color           Definition
Link LED       Off             There is no link.
               Solid green     The port is operating at 10 Gbps.
               Solid amber     The port is operating at 100/1000 Mbps.
Activity LED   Off             There is no current transmit/receive activity.
               Blinking green  The port is actively transmitting/receiving.
Table 3-19. QSFP Module LED Definitions
LED            Color           Definition
Link LED       Off             There is no link.
               Solid green     The port is operating at 40 Gbps.
               Solid amber     The port is operating at other speeds.
Activity LED   Off             There is no current transmit/receive activity.
               Blinking green  The port is actively transmitting/receiving.
Out-of-Band Ethernet Management Port LEDs
Table 3-20 shows the LED definitions for the OOB Ethernet management
port.
Table 3-20. OOB Ethernet Management Port LED Definitions
LED            Color           Definition
Link LED       Off             There is no link.
               Solid green     The port is operating at 1000 Mbps.
               Solid amber     The port is operating at 10/100 Mbps.
Activity LED   Off             There is no current transmit/receive activity.
               Blinking green  The port is actively transmitting/receiving.
System LEDs
The system LEDs, located on the back panel, provide information about the
power supplies, thermal conditions, and diagnostics.
Table 3-21 shows the System LED definitions for the N4000 series switches.
Table 3-21. System LED Definitions—N4000 Series Switches
LED       Color           Definition
System    Blinking blue   The switch is booting.
          Solid red       A critical system error has occurred.
          Blinking red    A noncritical system error occurred (fan or power
                          supply failure).
Temp      Off             The switch is operating at normal temperature.
          Solid amber     The thermal sensor’s system temperature threshold of
                          75°C has been exceeded.
Diag      Off             The switch is operating normally.
          Blinking green  A diagnostic test is running.
Fan       Solid green     The fan is powered and is operating at the expected
                          RPM.
          Solid red       A fan failure has occurred.
Stack     Solid blue      The switch is in stacking master mode.
          Solid amber     The switch is in stacking slave mode.
          Off             The switch is in stand-alone mode.
Locator   Blinking green  The locator function is enabled.
          Solid green     The locator function is disabled.
Switch MAC Addresses
The switch allocates MAC addresses from the Vital Product Data information
stored locally in flash. MAC addresses are used as follows:
Table 3-22. MAC Address Use
Base       Switch address, Layer 2
Base + 1   Out-of-band port (not available on N20xx switches)
Base + 3   Layer 3
Shown below are three commands that display the MAC addresses used by
the switch:
console#show system
System Description: Dell Ethernet Switch
System Up Time: 0 days, 00h:05m:11s
System Contact:
System Name:
System Location:
Burned In MAC Address: 001E.C9F0.004D
System Object ID: 1.3.6.1.4.1.674.10895.3042
System Model ID: N4032
Machine Type: N4032
Temperature Sensors:
Unit Description Temperature Status
(Celsius)
---- ----------- ----------- ------
1 MAC 32 Good
1 CPU 31 Good
1 PHY (left side) 26 Good
1 PHY (right side) 29 Good
Fans:
Unit Description Status
---- ----------- ------
1 Fan 1 OK
1 Fan 2 OK
1 Fan 3 OK
1 Fan 4 OK
1 Fan 5 OK
1 Fan 6 No Power
Power Supplies:
Unit Description Status Average Current Since
Power Power Date/Time
(Watts) (Watts)
---- ----------- ----------- ---------- -------- -------------------
1 System OK 42.0 43.4
1 Main OK N/A N/A 04/06/2001 16:36:16
1 Secondary No Power N/A N/A 01/01/1970 00:00:00
USB Port Power Status:
----------------------
Device Not Present
console#show ip interface out-of-band
IP Address..................................... 10.27.21.29
Subnet Mask.................................... 255.255.252.0
Default Gateway................................ 10.27.20.1
Configured IPv4 Protocol....................... DHCP
Burned In MAC Address.......................... 001E.C9F0.004E
console#show ip interface vlan 1
Routing Interface Status....................... Down
Primary IP Address............................. 1.1.1.2/255.255.255.0
Method......................................... Manual
Routing Mode................................... Enable
Administrative Mode............................ Enable
Forward Net Directed Broadcasts................ Disable
Proxy ARP...................................... Enable
Local Proxy ARP................................ Disable
Active State................................... Inactive
MAC Address.................................... 001E.C9F0.0050
Encapsulation Type............................. Ethernet
IP MTU......................................... 1500
Bandwidth...................................... 10000 kbps
Destination Unreachables....................... Enabled
ICMP Redirects................................. Enabled
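The allocation in Table 3-22 can be checked mechanically against the three show commands above, which is useful when auditing an inventory or when an unexpected MAC address on a management or routing interface needs explaining. The following Python script is an added example, not code from this guide or from Dell; the function names are mine, and the sample show output embedded in it is constructed from the excerpts on this page.

```python
"""Derive the MAC addresses a Dell N-series switch allocates from its
burned-in base address and check them against show output.

Table 3-22 on this page gives the allocation: base = Layer 2 switch
address, base + 1 = out-of-band port, base + 3 = Layer 3 interfaces.
Added example, not code from the Dell guide; function names are mine and
the sample output is constructed from the excerpts shown above."""
import re

# Constructed samples: the relevant lines of the three show commands.
SHOW_SYSTEM = """console#show system
System Description: Dell Ethernet Switch
Burned In MAC Address: 001E.C9F0.004D
System Model ID: N4032
"""
SHOW_OOB = """console#show ip interface out-of-band
IP Address..................................... 10.27.21.29
Burned In MAC Address.......................... 001E.C9F0.004E
"""
SHOW_VLAN1 = """console#show ip interface vlan 1
Routing Interface Status....................... Down
MAC Address.................................... 001E.C9F0.0050
"""

# The switch prints MACs as three dot-separated groups of four hex digits,
# after a label that is either "MAC Address" or "Burned In MAC Address".
_MAC_LINE = re.compile(
    r"^(?:Burned In )?MAC Address[.:\s]*"
    r"([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s*$", re.MULTILINE)

# Table 3-22 as a mapping from role to offset from the base address.
ALLOCATION = {"layer2": 0, "oob": 1, "layer3": 3}


def mac_to_int(mac):
    """'001E.C9F0.004D' -> 0x001EC9F0004D."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def int_to_mac(value):
    """Format a 48-bit integer in the switch's dotted notation."""
    hexstr = f"{value & 0xFFFFFFFFFFFF:012X}"
    return ".".join(hexstr[i:i + 4] for i in range(0, 12, 4))


def derive(base_mac, offset):
    """Address at base + offset, carrying across the dotted groups."""
    return int_to_mac(mac_to_int(base_mac) + offset)


def extract_mac(show_output):
    """First MAC address reported on a 'MAC Address' line, or None."""
    match = _MAC_LINE.search(show_output)
    return match.group(1).upper() if match else None


def verify_allocation(show_system, show_oob=None, show_vlan=None):
    """Compare observed interface MACs with the ones Table 3-22 predicts.

    show_oob may be None on N20xx switches, which have no OOB port.
    Returns {'base': ..., 'checks': {role: (expected, observed, ok)}, 'ok': bool}.
    """
    base = extract_mac(show_system)
    if base is None:
        raise ValueError("no burned-in MAC address found in show system output")
    observed = {"oob": show_oob, "layer3": show_vlan}
    checks = {}
    for role, text in observed.items():
        if text is None:
            continue
        expected = derive(base, ALLOCATION[role])
        seen = extract_mac(text)
        checks[role] = (expected, seen, expected == seen)
    return {"base": base, "checks": checks,
            "ok": all(c[2] for c in checks.values())}


if __name__ == "__main__":
    print(verify_allocation(SHOW_SYSTEM, SHOW_OOB, SHOW_VLAN1))
```

A mismatch reported by verify_allocation does not by itself indicate a fault: a routing interface may carry a manually configured MAC address. It does mean the address did not come from the factory allocation and should be accounted for in the change record.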
4 Using Dell OpenManage Switch Administrator
This section describes how to use the Dell OpenManage Switch
Administrator application. The topics covered in this section include:
• About Dell OpenManage Switch Administrator
• Starting the Application
• Understanding the Interface
• Using the Switch Administrator Buttons and Links
• Defining Fields
About Dell OpenManage Switch Administrator
Dell OpenManage Switch Administrator is a web-based tool to help you
manage and monitor Dell Networking N2000, N3000, and N4000 series
switches. Table 4-1 lists the web browsers that are compatible with Dell
OpenManage Switch Administrator. The browsers have been tested on a PC
running the Microsoft Windows operating system.
Table 4-1. Compatible Browsers
Browser Version
Internet Explorer v9
Mozilla Firefox v14
Safari v5.0
Chrome v21
NOTE: Additional operating systems and browsers might be compatible but have
not been explicitly tested with Dell OpenManage Switch Administrator.
Starting the Application
To access the Dell OpenManage Switch Administrator and log on to the
switch:
1 Open a web browser.
2 Enter the IP address of the switch in the address bar and press <Enter>.
For information about assigning an IP address to a switch, see "Setting the
IP Address and Other Basic Network Information" on page 147.
3 When the Login window displays, enter a user name and password.
Passwords are both case sensitive and alpha-numeric.
Figure 4-1. Login Screen
4 Click Submit.
NOTE: The switch is not configured with a default user name or password.
You must connect to the CLI by using the console port to configure the initial
user name and password. For information about connecting to the console,
see "Console Connection" on page 135. For information about creating a user
and password, see "Configuring Authentication, Authorization, and
Accounting" on page 207.
5 The Dell OpenManage Switch Administrator home page displays.
The home page is the Device Information page, which contains a
graphical representation of the front panel of the switch. For more
information about the home page, see "Device Information" on page 249.
Understanding the Interface
The Dell OpenManage Switch Administrator interface contains the following
components:
• Navigation panel — Located on the left side of the page, the navigation
pane provides an expandable view of features and their components.
• Configuration and status options — The main panel contains the fields
you use to configure and monitor the switch.
• Page tabs — Some pages contain tabs that allow you to access additional
pages related to the feature.
• Command buttons — Command buttons are located at the bottom of the
page. Use the command buttons to submit changes, perform queries, or
clear lists.
• Save, Print, Refresh, and Help buttons — These buttons appear on the
top-right side of the main panel and are on every page.
• Support, About, and Logout links — These links appear at the top of every
page.
Figure 4-2. Switch Administrator Components
[Figure 4-2 callouts: navigation panel, page tabs, links, Save/Print/Refresh/Help buttons, configuration and status options, command button]
Using the Switch Administrator Buttons and Links
Table 4-2 describes the buttons and links available from the Dell
OpenManage Switch Administrator interface.
Table 4-2. Button and Link Descriptions
Button or Link Description
Support Opens the Dell Support page at support.dell.com
About Contains the version and build number and Dell copyright
information.
Log Out Logs out of the application and returns to the login screen.
Save Saves the running configuration to the startup configuration.
When you click Apply, changes are saved to the running
configuration. When the system boots, it loads the startup
configuration. Any changes to the running configuration that were
not saved to the startup configuration are lost across a power cycle.
Print Opens the printer dialog box that allows you to print the current
page. Only the main panel prints.
Refresh Refreshes the screen with the current information.
Help Online help that contains information to assist in configuring and
managing the switch. The online help pages are context sensitive.
For example, if the IP Addressing page is open, the help topic for
that page displays if you click Help.
Apply Updates the running configuration on the switch with the changes.
Configuration changes take effect immediately.
Clear Resets statistic counters and log files to the default configuration.
Query Queries tables.
Left arrow and right arrow Moves information between lists.
NOTE: A few pages contain a button that occurs only on that page. Page-specific
buttons are described in the sections that pertain to those pages.
Defining Fields
User-defined fields can contain 1159 characters, unless otherwise noted on
the Dell OpenManage Switch Administrator web page.
All characters may be used except for the following:
• \
• /
• :
• *
• ?
• <
• >
• |
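The two rules above (a length limit of 1159 characters and eight forbidden characters) are easy to enforce before a value is pasted into a web form or pushed by an automation script, and the same set of characters is rejected whether it arrives from a keyboard or from a configuration template. The following validator is an added example, not code from this guide or from Dell; the limit and the character set are the ones stated on this page, the function names are mine.

```python
"""Check a user-defined field value against the rules stated above for
Dell OpenManage Switch Administrator: at most 1159 characters, and none
of the characters \\ / : * ? < > |.  Added example, not code from the Dell
guide; the limit and character set come from the page, the function
names are mine."""

MAX_FIELD_LENGTH = 1159
FORBIDDEN_CHARS = frozenset("\\/:*?<>|")


def validate_field(value, max_length=MAX_FIELD_LENGTH):
    """Return a list of problems; an empty list means the value is acceptable."""
    problems = []
    if len(value) > max_length:
        problems.append(
            f"too long: {len(value)} characters (limit {max_length})")
    # Report each offending character once, in a stable order.
    bad = sorted({c for c in value if c in FORBIDDEN_CHARS})
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems


def is_valid_field(value):
    """True when validate_field() finds nothing to complain about."""
    return not validate_field(value)


def first_forbidden(value):
    """Index of the first forbidden character, or -1 if there is none."""
    for i, c in enumerate(value):
        if c in FORBIDDEN_CHARS:
            return i
    return -1


def mark_problem(value):
    """Render the value with a caret under the first forbidden character,
    in the style of the CLI's '^' marker; '' when nothing is wrong."""
    i = first_forbidden(value)
    if i < 0:
        return ""
    return value + "\n" + " " * i + "^"


if __name__ == "__main__":
    for sample in ("Rack 12, row B", "core/sw1", "C:\\temp<x>"):
        print(repr(sample), validate_field(sample))
        print(mark_problem(sample))
```

Client-side checks like this only improve the operator's experience; the switch still applies its own rules when the page is submitted, so a script that builds descriptions or names from external data should treat a non-empty result from validate_field as a reason to stop, not to strip characters silently.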
Understanding the Device View
The Device View shows various information about the switch. This graphic
appears on the OpenManage Switch Administrator Home page, which is the
page that displays after a successful login. The graphic provides information
about switch ports and system health.
Figure 4-3. Dell Networking N3048 Device View
Using the Device View Port Features
The switching-port coloring indicates if a port is currently active. Green
indicates that the port has a link, red indicates that an error has occurred on
the port, and blue indicates that the link is down. Each port image is a
hyperlink to the Port Configuration page for the specific port.
Using the Device View Switch Locator Feature
The Device View graphic includes a Locate button and a drop-down menu of
timer settings. When you click Locate, the switch locator LED on the back
panel of the switch blinks for the number of seconds selected from the timer
menu. The green, blinking LED on the back of the switch can help you or a
technician near the switch identify the physical location of the switch within
a room or rack full of switches. After you click the Locate button it turns
green and remains green while the LED is blinking.
NOTE: You can also issue the locate command from the CLI to enable the
locator LED.
5 Using the Command-Line Interface
This section describes how to use the Command-Line Interface (CLI) on
Dell Networking N2000, N3000, and N4000 series switches.
The topics covered in this section include:
• Accessing the Switch Through the CLI
• Understanding Command Modes
• Entering CLI Commands
Accessing the Switch Through the CLI
The CLI provides a text-based way to manage and monitor the Dell
Networking N2000, N3000, and N4000 series switches. You can access the
CLI by using a direct connection to the console port or by using a Telnet or
SSH client.
To access the switch by using Telnet or Secure Shell (SSH), the switch must
have an IP address, and the management station you use to access the device
must be able to ping the switch IP address.
For information about assigning an IP address to a switch, see "Setting the IP
Address and Other Basic Network Information" on page 147.
Console Connection
Use the following procedures to connect to the CLI by connecting to the
console port. For more information about creating a serial connection, see the
Getting Started Guide available at support.dell.com/manuals.
1 Connect the DB-9 connector of the supplied serial cable to a management
station, and connect the RJ-45 connector to the switch console port.
On N2000 and N3000 series switches, the console port is located on the
right side of the front panel and is labeled with the |O|O| symbol. On the
N4000 series switches, it is located on the back panel above the OOB
Ethernet port.
2 Start the terminal emulator, such as Microsoft HyperTerminal, and select
the appropriate serial port (for example, COM 1) to connect to the
console.
3 Configure the management station serial port with the following settings:
• Data rate — 9600 baud
• Data format — 8 data bits
• Parity — None
• Stop bits — 1
• Flow control — None
4 Power on the switch (or stack).
After the boot process completes, the console> prompt displays, and
you can enter commands.
Telnet Connection
Telnet is a terminal emulation TCP/IP protocol. ASCII terminals can be
virtually connected to the local device through a TCP/IP protocol network.
Telnet connections are enabled by default, and the Telnet port number is 23.
The switch supports up to four simultaneous Telnet sessions. All CLI
commands can be used over a Telnet session.
To connect to the switch using Telnet, the switch must have an IP address,
and the switch and management station must have network connectivity. You
can use any Telnet client on the management station to connect to the
switch.
NOTE: For a stack of switches, be sure to connect to the console port on the
Master switch. The Master LED (M) is illuminated on the stack Master.
NOTE: By default, no authentication is required for console access.
However, if an authentication method has been configured for console port
access, the User: login prompt displays.
NOTE: SSH, which is more secure than Telnet, is disabled by default.
You can also initiate a Telnet session from the OpenManage Switch
Administrator. For more information, see "Initiating a Telnet Session from the
Web Interface" on page 288.
Understanding Command Modes
The CLI groups commands into modes according to the command function.
Each of the command modes supports specific software commands. The
commands in one mode are not available until you switch to that particular
mode, with the exception of the User EXEC mode commands. You can
execute the User EXEC mode commands in the Privileged EXEC mode.
To display the commands available in the current mode, enter a question
mark (?) at the command prompt. In each mode, a specific command is used
to navigate from one command mode to another.
The main command modes include the following:
• User EXEC — Commands in this mode permit connecting to remote
devices, changing terminal settings on a temporary basis, performing basic
tests, and listing system information.
• Privileged EXEC — Commands in this mode permit you to view all switch
settings and to enter the global configuration mode.
• Global Configuration — Commands in this mode manage the device
configuration on a global level and apply to system features, rather than to
a specific protocol or interface.
• Interface Configuration — Commands in this mode configure the settings
for a specific interface or range of interfaces.
• VLAN Configuration — Commands in this mode create and remove
VLANs and configure IGMP/MLD Snooping parameters for VLANs.
The CLI includes several additional command modes. For more information
about the CLI command modes, including details about all modes, see the
CLI Reference Guide.
Table 5-1 describes how to navigate between CLI Command Mode and lists
the prompt that displays in each mode.
Table 5-1. Command Mode Overview
Command Mode: User EXEC
  Access Method: The user is automatically in User EXEC mode unless the
    user is defined as a privileged user.
  Command Prompt: console>
  Exit or Access Previous Mode: logout
Command Mode: Privileged EXEC
  Access Method: From User EXEC mode, enter the enable command.
  Command Prompt: console#
  Exit or Access Previous Mode: Use the exit command, or press Ctrl-Z to
    return to User EXEC mode.
Command Mode: Global Configuration
  Access Method: From Privileged EXEC mode, use the configure command.
  Command Prompt: console(config)#
  Exit or Access Previous Mode: Use the exit command, or press Ctrl-Z to
    return to Privileged EXEC mode.
Command Mode: Interface Configuration
  Access Method: From Global Configuration mode, use the interface
    command and specify the interface type and ID.
  Command Prompt: console(config-if)#
  Exit or Access Previous Mode: To exit to Global Configuration mode, use
    the exit command, or press Ctrl-Z to return to Privileged EXEC mode.
Entering CLI Commands
The switch CLI uses several techniques to help you enter commands.
Using the Question Mark to Get Help
Enter a question mark (?) at the command prompt to display the commands
available in the current mode.
console(config-vlan)#?
exit To exit from the mode.
help Display help for various special keys.
ip Configure IP parameters.
ipv6 Configure IPv6 parameters.
protocol Configure the Protocols associated with
particular Group Ids.
vlan Create a new VLAN or delete an existing
VLAN.
Enter a question mark (?) after each word you enter to display available
command keywords or parameters.
console(config)#vlan ?
<vlan-list> <1-4093> - separate non-consecutive IDs
with ',' and no spaces; Use '-' for
range.
protocol Configure Protocol Based VLAN
parameters.
If the help output shows a parameter in angle brackets, you must replace the
parameter with a value.
console#telnet ?
<ip-address|hostname> Enter the valid host IP
address or Host Name.
If there are no additional command keywords or parameters, or if additional
parameters are optional, the following message appears in the output:
<cr> Press enter to execute the command.
You can also enter a question mark (?) after typing one or more characters of a
word to list the available command or parameters that begin with the letters,
as shown in the following example:
console#show po?
policy-map port ports
Using Command Completion
The CLI can complete partially entered commands when you press the
<Tab> or <Space> key.
console#show run<Tab>
console#show running-config
If the characters you entered are not enough for the switch to identify a single
matching command, continue entering characters until the switch can
uniquely identify the command. Use the question mark (?) to display the
available commands matching the characters already entered.
Entering Abbreviated Commands
To execute a command, you need to enter enough characters so that the
switch can uniquely identify a command. For example, to enter Global
Configuration mode from Privileged EXEC mode, you can enter conf instead
of configure.
console#conf
console(config)#
Negating Commands
For many commands, the prefix keyword no is entered to cancel the effect of
a command or reset the configuration to the default value. Many
configuration commands have this capability.
Command Output Paging
Lines are printed on the screen up to the configured terminal length limit
(default 24). Use the space bar to show the next page of output or the carriage
return to show the next line of output. Setting the terminal length to zero
disables paging. Command output displays until no more output is available.
Understanding Error Messages
If you enter a command and the system is unable to execute it, an error
message appears. Table 5-2 describes the most common CLI error messages.
If you attempt to execute a command and receive an error message, use the
question mark (?) to help you determine the possible keywords or parameters
that are available.
Recalling Commands from the History Buffer
Every time a command is entered in the CLI, it is recorded in an internally
managed Command History buffer. By default, the history buffer is enabled
and stores the last 10 commands entered. These commands can be recalled,
reviewed, modified, and reissued. This buffer is not preserved after switch
resets.
Table 5-2. CLI Error Messages
Message Text                                Description
% Invalid input detected at '^' marker.     Indicates that you entered an incorrect or
                                            unavailable command. The caret (^) shows
                                            where the invalid text is detected. This
                                            message also appears if any of the
                                            parameters or values are not recognized.
Command not found / Incomplete command.     Indicates that you did not enter the
Use ? to list commands.                     required keywords or values.
Ambiguous command                           Indicates that you did not enter enough
                                            letters to uniquely identify the command.
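The three behaviours described in this chapter (abbreviations such as conf for configure, Tab completion, and the error messages in Table 5-2) all follow from one rule: a typed word is matched as a prefix against the keywords valid at that point, and the outcome depends on how many keywords match. The following Python model is an added example, not code from this guide or from Dell's CLI; the command tree it walks is constructed from the keywords shown in this chapter's help listings and is not the switch's real command tree.

```python
"""Model how the switch CLI resolves abbreviated keywords, as described
on this page: a prefix matching exactly one keyword is accepted
("conf" -> "configure"), a prefix matching several keywords is
"Ambiguous command", a word matching nothing produces the '^' marker
message, and a line that stops short of a complete command is reported
as incomplete (Table 5-2). Added example, not Dell code. The command
tree is constructed from this chapter's help listings, nothing more."""

# Constructed subset of Privileged EXEC mode. A leaf is an empty dict.
TREE = {
    "configure": {},
    "enable": {},
    "logout": {},
    "telnet": {},
    "show": {
        "policy-map": {},
        "port": {},
        "ports": {},
        "running-config": {},
        "system": {},
    },
}

INVALID_MSG = "% Invalid input detected at '^' marker."
INCOMPLETE_MSG = "Incomplete command. Use ? to list commands."
AMBIGUOUS_MSG = "Ambiguous command"


def resolve_keyword(word, keywords):
    """Return ("ok", keyword), ("ambiguous", candidates) or ("invalid", []).

    An exact match wins even when it is also a prefix of another keyword
    ("port" next to "ports"); that is the usual convention in Cisco-style
    CLIs and is an assumption here, not something the page states."""
    if word in keywords:
        return "ok", word
    candidates = sorted(k for k in keywords if k.startswith(word))
    if len(candidates) == 1:
        return "ok", candidates[0]
    if candidates:
        return "ambiguous", candidates
    return "invalid", []


def complete(word, keywords):
    """What <Tab> would expand a partial word to, or None if not unique."""
    status, result = resolve_keyword(word, keywords)
    return result if status == "ok" else None


def caret_message(line, column):
    """Echo the line with a caret under the offending word, then the message."""
    return line + "\n" + " " * column + "^\n" + INVALID_MSG


def expand_line(line, tree=TREE):
    """Expand every abbreviated word on a line.

    Returns (expanded_words, error). error is None when the line names a
    complete command, otherwise one of the Table 5-2 messages."""
    node = tree
    expanded = []
    column = 0
    for word in line.split():
        column = line.index(word, column)   # column of this word, for the caret
        status, result = resolve_keyword(word, list(node))
        if status == "ambiguous":
            return expanded, AMBIGUOUS_MSG
        if status == "invalid":
            return expanded, caret_message(line, column)
        expanded.append(result)
        node = node[result]
        column += len(word)
    if not expanded or node:            # nothing typed, or more keywords expected
        return expanded, INCOMPLETE_MSG
    return expanded, None


if __name__ == "__main__":
    for sample in ("conf", "sh run", "show po", "show", "show xyz"):
        print(repr(sample), "->", expand_line(sample))
```

The same prefix logic is why a script that drives the CLI over a session should send full keywords rather than abbreviations: an abbreviation that is unique in one firmware release can become ambiguous in the next when a keyword is added, and the resulting "Ambiguous command" error is easy to miss in unattended output.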
Table 5-3. History Buffer Navigation
Keyword                        Source or Destination
Up-arrow key or <Ctrl>+<P>     Recalls commands in the history buffer, beginning with
                               the most recent command. Repeat the key sequence to
                               recall successively older commands.
Down-arrow key or <Ctrl>+<N>   Returns to more recent commands in the history buffer
                               after recalling commands with the up-arrow key.
                               Repeating the key sequence recalls more recent commands
                               in succession.
6 Default Settings
This section describes the default settings for many of the software features
on the Dell Networking series switches.
Table 6-1. Default Settings
Feature Default
IP address None
Subnet mask None
Default gateway None
DHCP client Enabled on out-of-band (OOB) interface.
VLAN 1 Members All switch ports
SDM template Dual IPv4 and IPv6 routing
Users None
Minimum password length 8 characters
IPv6 management mode Enabled
SNTP client Disabled
Global logging Enabled
Switch auditing Disabled
CLI command logging Disabled
Web logging Disabled
SNMP logging Disabled
Console logging Enabled (Severity level: debug and above)
RAM logging Enabled (Severity level: debug and above)
Persistent (FLASH) logging Disabled
DNS Enabled (No servers configured)
SNMP Enabled (SNMPv1)
SNMP Traps Enabled
Auto Configuration Enabled
Auto Save Disabled
Stacking Enabled
Nonstop Forwarding on the Stack Enabled
sFlow Enabled
ISDP Enabled (Versions 1 and 2)
RMON Enabled
TACACS+ Not configured
RADIUS Not configured
SSH/SSL Disabled
Telnet Enabled
Denial of Service Protection Disabled
Captive Portal Disabled
Dot1x Authentication (IEEE 802.1X) Disabled
MAC-Based Port Security All ports are unlocked
Access Control Lists (ACL) None configured
IP Source Guard (IPSG) Disabled
DHCP Snooping Disabled
Dynamic ARP Inspection Disabled
Protected Ports (Private VLAN Edge) None
Energy Detect Mode Disabled
EEE Lower Power Mode Disabled
PoE Plus (POE switches) Auto
Flow Control Support (IEEE 802.3x) Enabled
Head of Line Blocking Prevention Disabled
Maximum Frame Size 1500 bytes
Auto-MDI/MDIX Support Enabled
Auto Negotiation Enabled
Advertised Port Speed Maximum Capacity
Broadcast Storm Control Disabled
Port Mirroring Disabled
LLDP Enabled
LLDP-MED Disabled
MAC Table Address Aging 300 seconds (Dynamic Addresses)
Cisco Protocol Filtering (LLPF) No protocols are blocked
DHCP Layer 2 Relay Disabled
Default VLAN ID 1
Default VLAN Name Default
GVRP Disabled
GARP Timers Leave: 60 centiseconds
Leave All: 1000 centiseconds
Join: 20 centiseconds
Voice VLAN Disabled
Guest VLAN Disabled
RADIUS-assigned VLANs Disabled
Double VLANs Disabled
Spanning Tree Protocol (STP) Enabled
STP Operation Mode IEEE 802.1w Rapid Spanning Tree
Optional STP Features Disabled
STP Bridge Priority 32768
Multiple Spanning Tree Disabled
Link Aggregation No LAGs configured
LACP System Priority 1
Routing Mode Disabled
OSPF Admin Mode Enabled
OSPF Router ID 0.0.0.0
IP Helper and UDP Relay Enabled
RIP Enabled
VRRP Disabled
Tunnel and Loopback Interfaces None
IPv6 Routing Disabled
DHCPv6 Disabled
OSPFv3 Enabled
DiffServ Enabled
Auto VoIP Disabled
Auto VoIP Traffic Class 6
PFC Disabled; no classifications configured.
DCBx version Auto detect
iSCSI Enabled
MLD Snooping Enabled
IGMP Snooping Enabled
IGMP Snooping Querier Disabled
GMRP Disabled
IPv4 Multicast Disabled
IPv6 Multicast Disabled
7 Setting the IP Address and Other Basic Network Information
This chapter describes how to configure basic network information for the
switch, such as the IP address, subnet mask, and default gateway. The topics
in this chapter include:
• IP Address and Network Information Overview
• Default Network Information
• Configuring Basic Network Information (Web)
• Configuring Basic Network Information (CLI)
• Basic Network Information Configuration Example
IP Address and Network Information Overview
What Is the Basic Network Information?
The basic network information includes settings that define the Dell
Networking N2000, N3000, and N4000 series switches in relation to the
network. Table 7-1 provides an overview of the settings this chapter describes.
Table 7-1. Basic Network Information
Feature                Description
IP Address             On an IPv4 network, a 32-bit number that uniquely
                       identifies a host on the network. The address is
                       expressed in dotted-decimal format, for example
                       192.168.10.1.
Subnet Mask            Determines which bits in the IP address identify the
                       network, and which bits identify the host. Subnet
                       masks are also expressed in dotted-decimal format, for
                       example 255.255.255.0.
Default Gateway        Typically a router interface that is directly connected to
                       the switch and is in the same subnet. The switch sends
                       IP packets to the default gateway when it does not
                       recognize the destination IP address in a packet.
DHCP Client            Requests network information from a DHCP server on
                       the network.
Domain Name System     Translates hostnames into IP addresses. The server
(DNS) Server           maintains a database of domain names and their
                       corresponding IP addresses.
Default Domain Name    Identifies your network, such as dell.com. If you enter a
                       hostname and do not include the domain name
                       information, the default domain name is automatically
                       appended to the hostname.
Host Name Mapping      Allows you to statically map an IP address to a
                       hostname.
Additionally, this chapter describes how to view host name-to-IP address
mappings that have been dynamically learned by the system.
Why Is Basic Network Information Needed?
Dell Networking series switches are layer 2/3 managed switches. To manage
the switch remotely by using a web browser or Telnet client, the switch must
have an IP address, subnet mask, and default gateway. You must also
configure a username and password to be able to log into the switch from a
remote host. For information about configuring users, see "Configuring
Authentication, Authorization, and Accounting" on page 207. If you manage
the switch only by using the console connection, configuring an IP address
and user is not required. In this case, disabling the Telnet server using the no
ip telnet command is recommended.
NOTE: The configuration example in this chapter includes commands to create
an administrative user with read/write access.
Configuring the DNS information, default domain name, and host name
mapping helps the switch identify and locate other devices on the network and
on the Internet. For example, to upgrade the switch software by using a TFTP
server on the network, you must identify the TFTP server. If you configure
the switch to use a DNS server to resolve hostnames into IP addresses, you
can enter the hostname of the TFTP server instead of the IP address. It is
often easier to remember a hostname than an IP address, and if the IP address
is dynamically assigned, it might change from time to time.
How Is Basic Network Information Configured?
You must use a console-port connection to perform the initial switch
configuration. When you boot the switch for the first time and the
configuration file is empty, the Dell Easy Setup Wizard starts. The Dell Easy
Setup Wizard is a CLI-based tool to help you perform the initial switch
configuration. If you do not respond to the Dell Easy Setup Wizard prompt
within 60 seconds, the console> prompt appears, and you enter User EXEC
mode.
For more information about performing the initial switch configuration by
using the wizard, see the Getting Started Guide at support.dell.com/manuals.
If you do not use the wizard to prompt you for the initial configuration
information, you can enable the DHCP client on the switch to obtain
network information from a DHCP server on your network, or you can
statically assign the network information.
After you configure the switch with an IP address and create a user account,
you can continue to use the console connection to configure basic network
information, or you can log on to the switch by using a Telnet client or a web
browser. You can change the IP address information and configure additional
network information from the remote system.
What Is Out-of-Band Management and In-Band Management?
The Dell Networking N3000 and N4000 series switches have an external port
intended solely for management of the switch. This port is the out-of-band
(OOB) management port. Traffic received on the OOB port is never switched
or routed to any in-band port and is not rate limited. Likewise, traffic received
on any in-band port is never forwarded or routed over the OOB port. The only
applications available on the OOB port are protocols required to manage the
switch, for example Telnet, SSH, DHCP client, and TFTP. If using the
out-of-band management port, it is strongly recommended that the port be
connected only to a physically isolated, secure management network. Because
OOB traffic is not rate limited, any host that can reach the OOB port can load
the switch CPU; the isolation of the management network, together with a
management ACL that restricts which hosts may reach the OOB port, is what
protects it.
Alternatively, network administrators may choose to manage their network via
the production network. This is in-band management. Because in-band
management traffic is mixed in with production network traffic, it is subject
to all of the filtering rules usually applied on a switched/routed port, such as
ACLs and VLAN tagging, and is rate limited to protect against DoS attacks.
You can assign IPv4 or IPv6 addresses to the OOB management port and to any
VLAN. By default, all ports are members of VLAN 1. If you assign an IP address
to VLAN 1, you can connect to the switch management interface by using any of
the front-panel switch ports. This is required to manage the N2000 switches
over an Ethernet port, because they have no OOB port.
Dell recommends that you use the OOB port for remote management. The
following list highlights some advantages of using OOB management instead
of in-band management:
• Traffic on the OOB port is passed directly to the switch CPU, bypassing
  the switching silicon. The OOB port is implemented as an independent
  NIC, which allows direct access to the switch CPU from the management
  network.
• If the production network is experiencing problems, you can still access
  the switch management interface and troubleshoot issues.
• Because the OOB port is intended to be physically isolated from the
  production network or deployed behind a firewall, configuration options
  are limited to just those protocols needed to manage the switch. Limiting
  the configuration options makes it difficult to accidentally cut off
  management access to the switch.
DHCP can be enabled on the OOB interface and VLAN interfaces
simultaneously, or you can configure static information. To configure static
address information on the default VLAN, set the IP address and subnet mask
on the VLAN interface and configure a global default gateway for the switch.
Adjusting the Management Interface MTU
When logging in to the Dell Networking switch using TCP, the switch
negotiates the TCP Maximum Segment Size (MSS) using the minimum of
the requested MSS or the MSS derived from the MTU setting of the port. TCP
packets are transmitted from the switch with the DF (Don't Fragment) bit set
in order to receive notification of fragmentation from any transit routers.
Upon receiving an ICMP Destination Unreachable, Fragmentation needed but DF
set notification, the switch reduces the MSS. However, many firewalls block
ICMP Destination Unreachable messages. In that case the oversized segments
are silently dropped on the path and the switch retransmits them at the same
size until the connection times out (a path MTU discovery black hole).
To resolve this issue, you can reduce the MSS setting to a more appropriate
value on the local host or, alternatively, set the system MTU to a smaller
value.
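The negotiation and the black-hole failure described above, worked through as an added Python model (example code written for this guide, not Dell switch software). It assumes IPv4 with a 20-byte IP header and a 20-byte TCP header and no options, so a segment carrying MSS bytes of data travels in a packet of MSS + 40 bytes; the page does not state these header sizes. The MTU and MSS values used in the sample runs are constructed inputs, with 1400 bytes standing in for a tunnel in the path.

```python
"""Added model of the TCP MSS negotiation and the path-MTU black hole
described in this section. Example code for this guide, not Dell firmware.
Assumption not stated on the page: IPv4 with a 20-byte IP header and a
20-byte TCP header and no options, so a segment carrying MSS bytes of data
is an MSS + 40 byte packet."""

IPV4_HEADER = 20
TCP_HEADER = 20
OVERHEAD = IPV4_HEADER + TCP_HEADER


def mss_for_mtu(mtu: int) -> int:
    """Largest MSS whose full segment still fits in one packet of size mtu."""
    return mtu - OVERHEAD


def negotiated_mss(local_mtu: int, peer_mss: int) -> int:
    """The switch uses the smaller of the peer's requested MSS and the MSS
    derived from its own port MTU."""
    return min(peer_mss, mss_for_mtu(local_mtu))


def send_full_segment(mss: int, path_mtu: int, icmp_reaches_sender: bool):
    """Fate of one full-size segment sent with DF set over a path whose
    narrowest link has path_mtu. Returns (outcome, mss_afterwards)."""
    if mss + OVERHEAD <= path_mtu:
        return "delivered", mss
    if icmp_reaches_sender:
        # ICMP Destination Unreachable / Fragmentation Needed came back:
        # the sender lowers its MSS to what the path can carry.
        return "mss_reduced", mss_for_mtu(path_mtu)
    # A firewall dropped the ICMP: the segment vanished and the sender
    # has no reason to change its size. This is the black hole.
    return "black_hole", mss


def simulate_connection(local_mtu, peer_mss, path_mtu, icmp_reaches_sender, max_tries=5):
    """Send a full segment, then retransmit until delivered or max_tries is
    exhausted. Returns the list of (outcome, mss) per attempt."""
    mss = negotiated_mss(local_mtu, peer_mss)
    history = []
    for _ in range(max_tries):
        outcome, mss = send_full_segment(mss, path_mtu, icmp_reaches_sender)
        history.append((outcome, mss))
        if outcome == "delivered":
            break
    return history


if __name__ == "__main__":
    # Constructed sample: 1500-byte switch port MTU, peer asks for 1460,
    # a 1400-byte link somewhere in the path.
    print(simulate_connection(1500, 1460, 1400, icmp_reaches_sender=True))
    print(simulate_connection(1500, 1460, 1400, icmp_reaches_sender=False))
    # The page's second remedy: lower the system MTU so every segment fits.
    print(simulate_connection(1400, 1460, 1400, icmp_reaches_sender=False))
    # The first remedy, on the host side, is the same number: clamp MSS to
    # the value the path can carry.
    print(mss_for_mtu(1400))
```

With ICMP passing, the first attempt is dropped, the MSS falls to 1360 and the retransmission is delivered; with ICMP filtered, every attempt is a black hole at 1460 bytes. Lowering the switch MTU to 1400 (or clamping the host MSS to 1360) makes the first attempt succeed, which is the remedy the section recommends.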
Default Network Information
NOTE: N2000 switches do not have an out-of-band interface.
By default, no network information is configured. The DHCP client is
enabled on the OOB interface by default on N3000 and N4000 switches.
The DHCP client is enabled on VLAN 1 by default on the N2000 switches.
DNS is enabled, but no DNS servers are configured. VLAN 1 does not have an
IP address, subnet mask, or default gateway configured on N3000 and N4000
switches.
Configuring Basic Network Information (Web)
This section provides information about the OpenManage Switch
Administrator pages for configuring and monitoring basic network
information on the Dell Networking N2000, N3000, and N4000 series
switches. For details about the fields on a page, click at the top of the
page.
Out-of-Band Interface
NOTE: N2000 switches do not have an out-of-band interface.
Use the Out of Band Interface page to assign the out-of-band interface IP
address and subnet mask or to enable/disable the DHCP client for address
information assignment. DHCP is enabled by default on the OOB interface.
The OOB interface must be configured on a subnet separate from the front-
panel port routing interfaces. The system default gateway must not share an
address range/subnet with the OOB interface.
The out-of-band interface may also be assigned an IPv6 address, either
statically or via DHCP. In addition, the out-of-band port may be assigned an
IPv6 address via the IPv6 auto-configuration process.
To display the Out of Band Interface page, click System > IP Addressing >
Out of Band Interface in the navigation panel.
Figure 7-1. Out of Band Interface
To enable the DHCP client and allow a DHCP server on your network to
automatically assign the network information to the OOB interface, select
DHCP from the Protocol menu. If you statically assign the network
information, make sure the Protocol menu is set to None.
IP Interface Configuration (Default VLAN IP Address)
Use the IP Interface Configuration page to assign the default VLAN IP
address and subnet mask, the default gateway IP address, and to assign the
boot protocol.
To display the IP Interface Configuration page, click Routing > IP >
IP Interface Configuration in the navigation panel.
Figure 7-2. IP Interface Configuration (Default VLAN)
Assigning Network Information to the Default VLAN
To assign an IP address and subnet mask to the default VLAN:
1. From the Interface menu, select VLAN 1.
2. From the Routing Mode field, select Enable.
3. From the IP Address Configuration Method field, specify whether to assign a
   static IP address (Manual) or use DHCP for automatic address assignment.
4. If you select Manual for the configuration method, specify the IP Address
   and Subnet Mask in the appropriate fields.
5. Click Apply.
Route Entry Configuration (Switch Default Gateway)
Use the Route Entry Configuration page to configure the default gateway for
the switch. The default VLAN uses the switch default gateway as its default
gateway. The switch default gateway must not be on the same subnet as the
OOB management port, as the OOB management port cannot route packets
received on the front-panel ports.
To display the Route Entry Configuration page, click Routing > Router >
Route Entry Configuration in the navigation panel.
Figure 7-3. Route Configuration (Default VLAN)
NOTE: You do not need to configure any additional fields on the page. For
information about VLAN routing interfaces, see "Configuring Routing Interfaces"
on page 1021.
Configuring a Default Gateway for the Switch
To configure the switch default gateway:
1. Open the Route Entry Configuration page.
2. From the Route Type field, select Default.
Figure 7-4. Default Route Configuration (Default VLAN)
3. In the Next Hop IP Address field, enter the IP address of the default
   gateway.
4. Click Apply.
For more information about configuring routes, see "Configuring IP Routing"
on page 1063.
Domain Name Server
Use the Domain Name Server page to configure the IP address of the DNS
server. The switch uses the DNS server to translate hostnames into IP
addresses.
To display the Domain Name Server page, click System > IP Addressing >
Domain Name Server in the navigation panel.
Figure 7-5. DNS Server
To configure DNS server information, click the Add link and enter the IP
address of the DNS server in the available field.
Figure 7-6. Add DNS Server
Default Domain Name
Use the Default Domain Name page to configure the domain name the
switch adds to a local (unqualified) hostname.
To display the Default Domain Name page, click System > IP Addressing >
Default Domain Name in the navigation panel.
Figure 7-7. Default Domain Name
Host Name Mapping
Use the Host Name Mapping page to assign an IP address to a static host
name. The Host Name Mapping page provides one IP address per host.
To display the Host Name Mapping page, click System > IP Addressing >
Host Name Mapping.
Figure 7-8. Host Name Mapping
To map a host name to an IP address, click the Add link, type the name of the
host and its IP address in the appropriate fields, and then click Apply.
Figure 7-9. Add Static Host Name Mapping
Use the Show All link to view all configured host name-to-IP address
mappings.
Dynamic Host Name Mapping
Use the Dynamic Host Name Mapping page to view dynamic host entries
the switch has learned. The switch learns hosts dynamically by using the
configured DNS server to resolve a hostname. For example, if you ping
www.dell.com from the CLI, the switch uses the DNS server to look up the IP
address of www.dell.com and adds the entry to the Dynamic Host Name Mapping
table.
To display the Dynamic Host Name Mapping page, click System > IP Addressing >
Dynamic Host Name Mapping in the navigation panel.
Figure 7-10. View Dynamic Host Name Mapping
Configuring Basic Network Information (CLI)
This section provides information about the commands you use to configure
basic network information on the Dell Networking N2000, N3000, and N4000
series switches. For more information about these commands, see the Dell
Networking N2000, N3000, and N4000 Series Switches CLI Reference Guide at
support.dell.com/manuals.
Enabling the DHCP Client on the OOB Port
NOTE: N2000 switches do not have an out-of-band interface.
Beginning in Privileged EXEC mode, use the following commands to enable
the DHCP client on the OOB port.
configure
    Enter Global Configuration mode.
interface out-of-band
    Enter Interface Configuration mode for the OOB port.
ip address dhcp
    Enable the DHCPv4 client.
ipv6 address {prefix/prefix-length | autoconfig | dhcp}
    Set the IPv6 address of the OOB interface, or enable IPv6
    auto-configuration or the DHCPv6 client.
ipv6 gateway ipv6-address
    Set the IPv6 default gateway address.
ipv6 enable
    Enable IPv6 functionality on the interface.
CTRL + Z
    Exit to Privileged EXEC mode.
show ip interface out-of-band
    Display network information for the OOB port.
show ipv6 interface out-of-band
    Show IPv6 settings for the OOB interface.
Enabling the DHCP Client on the Default VLAN
Beginning in Privileged EXEC mode, use the following commands to enable
the DHCP client on the default VLAN, which is VLAN 1. As a best practice,
use a dedicated VLAN, separate from any VLAN that carries client traffic, for
in-band management of the switch. Using VLAN 1, or any other VLAN carrying
client traffic, for in-band management exposes the switch management
interface to every host on that VLAN.
configure
    Enter Global Configuration mode.
interface vlan 1
    Enter Interface Configuration mode for VLAN 1.
ip address dhcp
    Enable the DHCPv4 client.
ipv6 address dhcp
    Enable the DHCPv6 client.
CTRL + Z
    Exit to Privileged EXEC mode.
show ip interface vlan 1
    Display network information for VLAN 1.
Managing DHCP Leases
Beginning in Privileged EXEC mode, use the following commands to manage
and troubleshoot DHCP leases on the switch.
show dhcp lease interface [interface]
    Display IPv4 addresses leased from a DHCP server.
show ipv6 dhcp interface vlan [interface]
    Display DHCPv6 information for all interfaces or for the specified
    interface.
debug dhcp packet
    Display debug information about DHCPv4 client activity and trace DHCPv4
    packets to and from the local DHCPv4 client.
debug ipv6 dhcp
    Display debug information about DHCPv6 client activity and trace DHCPv6
    packets to and from the local DHCPv6 client.
Setting Basic Network Information 163
Configuring Static Network Information on the OOB Port
NOTE: N2000 switches do not have an out-of-band interface.
Beginning in Privileged EXEC mode, use the following commands to
configure a static IP address, subnet mask, and default gateway on the OOB
port. If no default gateway is configured, the zero address (0.0.0.0) is
used. In this configuration, the OOB port can reach hosts in the local subnet
only, because it cannot issue ARP requests for a default gateway. Configuring
a default gateway address on the OOB port allows the OOB port to ARP for the
gateway and send traffic to hosts on other subnets. The OOB port subnet must
not overlap with any in-band VLAN subnet.
NOTE: The out-of-band port also supports IPv6 address assignment, including IPv6
auto-configuration and an IPv6 DHCP client.
configure
    Enter Global Configuration mode.
interface out-of-band
    Enter Interface Configuration mode for the OOB port.
ip address ip_address subnet_mask [gateway_ip]
    Configure a static IP address and subnet mask. Optionally, also configure
    a default gateway.
ipv6 address prefix/prefix-length
    Configure an IPv6 prefix for the OOB port.
ipv6 address enable
    Enable IPv6 addressing on the OOB port.
ipv6 address autoconfig
    Enable IPv6 auto-configuration for the OOB port.
ipv6 address dhcp
    Enable DHCPv6 address assignment for the OOB port.
CTRL + Z
    Exit to Privileged EXEC mode.
show ip interface out-of-band
    Verify the network information for the OOB port.
Configuring Static Network Information on the Default VLAN
Beginning in Privileged EXEC mode, use the following commands to
configure a static IP address, subnet mask, and default gateway on the default
VLAN. Alternatively, a DHCP server may be used to obtain a network address.
The switch also supports IPv6 address auto-configuration.
configure
    Enter Global Configuration mode.
interface vlan 1
    Enter Interface Configuration mode for VLAN 1.
ip address ip_address subnet_mask
    Enter the IP address and subnet mask.
ipv6 address prefix/prefix-length [eui64]
    Enter the IPv6 address and prefix.
ipv6 enable
    Enable IPv6 on the interface.
exit
    Exit to Global Configuration mode.
ip default-gateway ip_address
    Configure the default gateway.
ipv6 gateway ipv6_address
    Configure the default gateway for IPv6.
exit
    Exit to Privileged EXEC mode.
show ip interface vlan 1
    Verify the network information for VLAN 1.
show ipv6 interface vlan 1
    Verify IPv6 network information for VLAN 1.
Static IP subnets on in-band ports (configured on switch VLANs) must not
overlap with the OOB port subnet. If configuring management access on the
front-panel ports, it is recommended that:
• A VLAN other than the default VLAN be used, to avoid attack vectors
  enabled by incorrect cabling (every port is a member of VLAN 1 by default,
  so a mis-patched port would otherwise land on the management VLAN).
• Both ACLs and management ACLs be used to reduce the possibility of DoS
  attacks or intruders gaining access to the switch management console. The
  advantage of the management ACL is that it can also protect the OOB port,
  whereas ACLs can only protect access via an in-band port.
Configuring and Viewing Additional Network Information
Beginning in Privileged EXEC mode, use the following commands to
configure a DNS server, the default domain name, and a static host name-to-
address entry. Use the show commands to verify configured information and
to view dynamic host name mappings.
configure
    Enter Global Configuration mode.
ip domain-lookup
    Enable DNS-based host name-to-address translation.
ip name-server ip_address
    Enter the IP address of an available name server to use to resolve host
    names and IP addresses. You can specify up to six DNS servers. The first
    server you configure is the primary DNS server.
ip domain-name name
    Define a default domain name to complete unqualified host names.
ip host name ip_address
    Configure a static host name-to-address mapping in the host cache.
ip address-conflict-detect run
    Trigger the switch to run active address conflict detection by sending
    gratuitous ARP packets for the IPv4 addresses on the switch.
CTRL + Z
    Exit to Privileged EXEC mode.
show ip interface vlan 1
    Verify the network information for VLAN 1.
show hosts
    Verify the configured network information and view the dynamic host
    mappings.
show ip address-conflict
    View the status information corresponding to the last detected address
    conflict.
clear ip address-conflict-detect
    Clear the address conflict detection status in the switch.
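The addressing rules this chapter states for management access (the OOB subnet must not overlap any in-band VLAN subnet, the system default gateway must not lie in the OOB subnet, an OOB port without a gateway reaches only its local subnet, and in-band management should not use VLAN 1) can be checked before anything is typed into the switch. The following Python is an added example written for this guide, not Dell software; it uses only the standard library. The plan dictionary layout and the sample plans are constructed for the example (the addresses are borrowed from this chapter's configuration example), and the check that the OOB gateway lies inside the OOB subnet is derived from the page's statement that the OOB port must be able to ARP for its gateway rather than stated outright.

```python
"""Added pre-deployment check of the management addressing rules in this
chapter (example code for this guide, not Dell software). Standard library
only. The plan dictionary layout and the sample plans are constructed for
the example."""
import ipaddress


def check_management_plan(plan):
    """Return a list of findings for a planned configuration; [] means the
    plan satisfies every rule checked here.

    plan keys:
      oob_address      "addr/len" on the OOB port, or None (N2000, or OOB left on DHCP)
      oob_gateway      gateway given with 'ip address ... gateway_ip' on the OOB port, or None
      vlans            {vlan_id: "addr/len"} for every routed in-band VLAN
      default_gateway  system default gateway ('ip default-gateway'), or None
      mgmt_vlan        VLAN id used for in-band management, or None
    """
    findings = []
    vlan_nets = {vid: ipaddress.ip_interface(cidr).network
                 for vid, cidr in plan.get("vlans", {}).items()}

    oob_net = None
    if plan.get("oob_address") is not None:
        oob_net = ipaddress.ip_interface(plan["oob_address"]).network
        # Page rule: the OOB subnet must not overlap any in-band VLAN subnet.
        for vid, net in vlan_nets.items():
            if oob_net.overlaps(net):
                findings.append(f"OOB subnet {oob_net} overlaps VLAN {vid} subnet {net}")
        oob_gw = plan.get("oob_gateway")
        if oob_gw is None:
            # Page: with no gateway the OOB port reaches its local subnet only.
            findings.append("OOB port has no gateway; it can reach its local subnet only")
        elif ipaddress.ip_address(oob_gw) not in oob_net:
            # Derived from the page: the OOB port must be able to ARP for its
            # gateway, which requires the gateway to be on the OOB subnet.
            findings.append(f"OOB gateway {oob_gw} is not inside OOB subnet {oob_net}")

    dgw = plan.get("default_gateway")
    if dgw is not None:
        dgw_addr = ipaddress.ip_address(dgw)
        # Page rule: the system default gateway must not be on the OOB subnet,
        # because the OOB port cannot route packets received on front-panel ports.
        if oob_net is not None and dgw_addr in oob_net:
            findings.append(f"system default gateway {dgw} lies in the OOB subnet {oob_net}")
        # Table 7-1: the default gateway is normally on a directly connected subnet.
        if not any(dgw_addr in net for net in vlan_nets.values()):
            findings.append(f"system default gateway {dgw} is not on any routed VLAN subnet")

    if plan.get("mgmt_vlan") == 1:
        # Page recommendation: do not use the default VLAN for in-band management.
        findings.append("in-band management uses VLAN 1; use a dedicated management VLAN")
    return findings


# Constructed sample plans (addresses borrowed from this chapter's example).
BAD_PLAN = {
    "oob_address": "10.27.22.153/24",
    "oob_gateway": "10.27.22.1",
    "vlans": {1: "10.27.22.200/24", 10: "10.27.65.2/24"},
    "default_gateway": "10.27.22.1",
    "mgmt_vlan": 1,
}
GOOD_PLAN = {
    "oob_address": "10.27.22.153/24",
    "oob_gateway": "10.27.22.1",
    "vlans": {10: "10.27.65.2/24", 20: "10.27.66.2/24"},
    "default_gateway": "10.27.65.1",
    "mgmt_vlan": 10,
}

if __name__ == "__main__":
    for name, plan in (("BAD_PLAN", BAD_PLAN), ("GOOD_PLAN", GOOD_PLAN)):
        findings = check_management_plan(plan)
        print(name, "passes" if not findings else "")
        for f in findings:
            print("  -", f)
```

BAD_PLAN puts VLAN 1 on the same /24 as the OOB port, points the system default gateway into that subnet and manages in-band over VLAN 1, so it produces three findings; GOOD_PLAN moves management to VLAN 10 on a disjoint subnet and produces none. For an N2000, leave oob_address out and only the in-band checks run.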
Basic Network Information Configuration Example
In this example, an administrator at a Dell office in California decides not to
use the Dell Easy Setup Wizard to perform the initial switch configuration.
The administrator configures a Dell Networking N2000, N3000, or N4000
series switch to obtain its network information from a DHCP server on the
management network and creates an administrative user with read/write
access. The administrator also configures the following information:
• Primary DNS server: 10.27.138.20
• Secondary DNS server: 10.27.138.21
• Default domain name: sunny.dell.com
The administrator also maps the administrative laptop host name to its IP
address. The administrator uses the OOB port to manage the switch.
To configure the switch:
1. Connect the OOB port to the management network. DHCP is enabled on the
   switch OOB interface by default on N3000 and N4000 switches. DHCP is
   enabled on VLAN 1 by default on the N2000 switches. If the DHCP client on
   the switch has been disabled, use the following commands to enable the
   DHCP client on the OOB port.
console#configure
console(config)#interface out-of-band
console(config-if)#ip address dhcp
console(config-if)#exit
2. Configure the administrative user. Level 15 grants full read/write access;
   replace the illustrative password secret123 with a strong one.
console(config)#username admin password secret123 level 15
3. Configure the DNS servers, default domain name, and static host
   mapping.
console(config)#ip name-server 10.27.138.20 10.27.138.21
console(config)#ip domain-name sunny.dell.com
console(config)#ip host admin-laptop 10.27.65.103
console(config)#exit
4. View the network information that the DHCP server on the network
   dynamically assigned to the switch.
console#show ip interface out-of-band
IP Address........................ 10.27.22.153
Subnet Mask...................... 255.255.255.0
Default Gateway.................. 10.27.22.1
Protocol Current................. DHCP
Burned In MAC Address............ 001E.C9AA.AA08
5. View additional network information.
console#show hosts
Host name:
Default domain: sunny.dell.com dell.com
Name/address lookup is enabled
Name servers (Preference order): 10.27.138.20, 10.27.138.21
Configured host name-to-address mapping:
Host         Addresses
-----------  ------------------------------------
admin-laptop 10.27.65.103
cache: TTL (Hours)
Host      Total   Elapsed Type      Addresses
--------- ------- ------- --------- ---------
No hostname is mapped to an IP address
6. Verify that the static hostname is correctly mapped.
console#ping admin-laptop
Pinging admin-laptop with 0 bytes of data:
Reply From 10.27.65.103: icmp_seq = 0. time <10 msec.
Reply From 10.27.65.103: icmp_seq = 1. time <10 msec.
8
Managing QSFP Ports
QSFP ports available on N4000 series switches can operate in 1 x 40G mode
or in 4 x 10G mode. Appropriate cables must be used that match the selected
mode. When changing from one mode to another, a switch reboot is required.
The QSFP ports also support stacking over the interfaces in either 1 x 40G or
4 x 10G mode. Changing from Ethernet mode to stacking mode and vice-
versa requires a reboot as well.
The ports on a QSFP plugin module are named Fo1/1/1-2 in 40-gigabit mode
and Te1/1/1-8 in 10-gigabit mode. On the N4064, the fixed QSFP ports are
named Fo1/0/1-2 in 40-gigabit mode and Te1/0/49-56 in 10-gigabit mode. All
of the possible populated or configured interfaces will show in the show
interfaces status command regardless of the port mode, i.e. 40-gigabit or
10-gigabit. Unpopulated or unconfigured interfaces for plug in modules do
not show in the show interfaces status command.
The default setting for a 40-gigabit Ethernet interface is nonstacking,
40-gigabit Ethernet (1 x 40G).
The commands to change 1 x 40G and 4 x 10G modes are always entered on
the 40-gigabit interfaces.
The commands to change the Ethernet/stack mode are entered on the
appropriate interface (tengigabitethernet or fortygigabitethernet). It is
possible to configure some of the 10G ports in a 40G interface as stacking and
not others.
To reconfigure a QSFP port, select the 40-gigabit port to change in Interface
Config mode and enter the hardware profile portmode command with the
selected mode. For example, to change a 1 x 40G port to 4 x 10G mode, enter
the following commands on the forty-gigabit interface:
console(config)#interface fo1/1/1
console(config-if-Fo1/1/1)#hardware profile portmode 4x10g
This command will not take effect until the switch is rebooted.
console(config-if-Fo1/1/1)#do reload
Are you sure you want to reload the stack? (y/n)
To change a 4 x 10G port to 1 x 40G mode, enter the following commands on
the 40-gigabit interface:
console(config)#interface Fo2/1/1
console(config-if-Fo2/1/1)#hardware profile portmode 1x40g
This command will not take effect until the switch is rebooted.
console(config-if-Fo2/1/1)#do reload
Are you sure you want to reload the stack? (y/n)
Attempting to change the port mode on the tengigabit interface gives the
error "An invalid interface has been used for this function."
9
Managing a Switch Stack
This chapter describes how to configure and manage a stack of switches.
The topics covered in this chapter include:
Stacking Overview
Default Stacking Values
Managing and Monitoring the Stack (Web)
Managing the Stack (CLI)
Stacking and NSF Usage Scenarios
Stacking Overview
The Dell Networking N2000, N3000, and N4000 series switches include a
stacking feature that allows up to 12 switches to operate as a single unit. The
N2000 and N3000 series switches have two fixed mini-SAS stacking
connectors at the rear. N2000 series switches stack only with other N2000
series switches, and N3000 series switches stack only with other N3000
series switches.
Dell Networking N4000 series switches stack with other Dell Networking N4000
series switches over front panel ports configured for stacking.
A stack of twelve 48-port N2000 or N3000 switches has an aggregate
throughput capacity of 576 Gbps. Dell Networking N2000/N3000 stacking
links operate at 21 Gbps, or 4.3% of the total aggregate throughput capacity of
a full stack; therefore, it is recommended that operators provision large
stacking topologies such that it is unlikely that a significant portion of the
stack capacity will transit stacking links. One technique for achieving this is
to distribute uplinks evenly across the stack rather than connecting all uplinks
to a single stack unit or to adjacent stacking units.
Dell Networking N4000 series switches support high performance stacking
over front panel ports, allowing increased capacity to be added as needed,
without affecting network performance and providing a single point of
management. Up to twelve Dell Networking N4000 series switches can be
stacked using any port as long as the link bandwidth for parallel stacking links
is the same. In other words, all the port types on the N4000 series switches
can be used for stacking. Additional stacking connections can be made
between adjacent switch units to increase the stacking bandwidth, provided
that all redundant stacking links have the same port speed. It is strongly
recommended that the stacking bandwidth be kept equal across all stacking
connections; that is, avoid mixing single and double stacking connections
within a stack. Up to eight redundant stacking links operating at the same
speed can be configured on an N4000 stack unit (four in each direction).
A stack of twelve N4000 series switches has an aggregate front panel capacity
of 5.760 terabits (not including the 40G ports). Provisioning for 5% inter-
stack capacity requires 280 gigabits of bandwidth dedicated to stacking or all
four 40G ports plus another twelve 10G ports. Therefore, it is recommended
that operators provision large stacking topologies such that it is unlikely that a
significant portion of the stack capacity will transit stacking links. One
technique for achieving this is to distribute downlinks and transit links evenly
across the stack vs. connecting all downlinks/transit links to a single stack unit
or to adjacent stacking units.
If Priority Flow Control (PFC) is enabled on any port in an N4000 series
stack, stacking is supported at distances up to 100 meters on the stacking
ports. If PFC is not enabled, stacking is supported up to the maximum
distance supported by the transceiver on the stack links. Note that PFC
cannot be enabled on stacking ports — the system handles the buffering and
flow control automatically.
A single switch in the stack manages all the units in the stack (the stack
master), and you manage the stack by using a single IP address. The IP
address of the stack does not change, even if the stack master changes.
A stack is created by daisy-chaining stacking links on adjacent units. If
available, up to eight links per stack unit can be used for stacking (four in
each direction). A stack of units is manageable as a single entity when the
units are connected together. If a unit cannot detect a stacking partner on any
port enabled for stacking, the unit automatically operates as a standalone
unit. If a stacking partner is detected, the switch always operates in stacking
mode. One unit in the stack is designated as the stack master. The master
manages all the units in the stack. The stack master runs the user interface
and switch software, and propagates changes to the member units. To manage
a stack using the serial interface, you must connect to the stack master via the
connect command or by physically connecting the cable to the stack master.
A second switch is designated as the standby unit, which becomes the master
if the stack master is unavailable. You can manually configure which unit is
selected as the standby, or the system can select the standby automatically.
When units are in a stack, the following activities occur:
• All units are checked for software version consistency.
• The switch Control Plane is active only on the master. The Control Plane
  is a software layer that manages system and hardware configuration and
  runs the network control protocols to set system configuration and state.
• The switch Data Plane is active on all units in the stack, including the
  master. The Data Plane is the set of hardware components that forward
  data packets without intervention from a control CPU.
• The running configuration is propagated to all units and the application
  state is synchronized between the master and standby during normal
  stacking operation. The startup configuration and backup configuration
  on the stack members are not overwritten with the master switch
  configuration.
Dell strongly recommends connecting the stack in a ring topology so that
each switch is connected to two other switches.
Connecting switches in a ring topology allows the stack to utilize the
redundant communication path to each switch. If a switch in a ring topology
fails, the stack can automatically establish a new communications path to the
other switches. Switches not stacked in a ring topology may split into multiple
independent stacks upon the failure of a single switch or stacking link.
Additional stacking connections can be made between adjacent switch units
to increase the stacking bandwidth, provided that all redundant stacking links
have the same bandwidth. It is strongly recommended that the stacking
bandwidth be kept equal across of all stacking connections; that is, avoid
mixing single and double stacking connections within a stack. Up to eight
redundant stacking links can be configured on a stacking unit (four in each
direction).
Figure 9-1 shows a stack with three switches as stack members connected in a
ring topology.
Figure 9-1. Connecting a Stack of Switches
The stack in Figure 9-1 has the following physical connections between the
switches:
• The lower stacking port on Unit 1 is connected to the upper stacking port
  on Unit 2.
• The lower stacking port on Unit 2 is connected to the upper stacking port
  on Unit 3.
• The lower stacking port on Unit 3 is connected to the upper stacking port
  on Unit 1.
Dell Networking N2000, N3000, and N4000 Stacking Compatibility
Dell Networking N2000, N3000, and N4000 series switches do not stack with
other Dell Networking series switches or with Dell PowerConnect series
switches. Dell Networking N2000 series switches stack only with other N2000
series switches. Likewise, Dell Networking N3000 series switches stack only
with other Dell N3000 series switches, and Dell Networking N4000 series
switches stack only with other Dell Networking N4000 series switches.
How is the Stack Master Selected?
A stack master is elected or re-elected based on the following considerations,
in order:
1. The switch is currently the stack master.
2. The switch has the higher MAC address.
3. A unit is selected as standby by the administrator, and a failover action is
manually initiated or occurs due to stack master failure.
In most cases, a switch that is added to an existing stack will become a stack
member, and not the stack master. When you add a switch to the stack, one
of the following scenarios takes place regarding the management status of the
new switch:
If the switch has the stack master function enabled but another stack
master is already active, then the switch changes its configured stack
master value to disabled.
If the stack master function is unassigned and there is another stack
master in the system then the switch changes its configured stack master
value to disabled.
If the stack master function is enabled or unassigned and there is no other
stack master in the system, then the switch becomes stack master.
If the stack master function is disabled, the unit remains a non-stack
master.
If the entire stack is powered OFF and ON again, the unit that was the stack
master before the reboot will remain the stack master after the stack resumes
operation.
You can manually set the unit number for the switch. To avoid unit-number
conflicts, one of the following scenarios takes place when you add a new
member to the stack:
If the switch has a unit number that is already in use, then the unit that
you add to the stack changes its configured unit number to the lowest
unassigned unit number.
If the switch you add does not have an assigned unit number, then the
switch sets its configured unit number to the lowest unassigned unit
number.
If the unit number is configured and there are no other devices using the
unit number, then the switch starts using the configured unit number.
If the switch detects that the maximum number of units already exist in
the stack, making it unable to assign a unit number, then the switch sets its
unit number to unassigned and does not participate in the stack.
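The join rules above (management status first, then unit numbering) and the election order can be exercised as a small model. The following Python is an added example, not Dell code: the Stack and Unit classes are hypothetical, MAC addresses are compared as integers, the stack is assumed to hold at most 10 units (the valid range of the switch ... renumber command on this page), the configured standby is identified by its unit number, and a unit whose stack master function is disabled is assumed to still be eligible when no master and no standby exist (the page does not say).

```python
"""Model of the stack-join and election rules described on this page.

Added example, not Dell code. Assumptions: integer MAC comparison, MAX_UNITS
taken from the 'switch ... renumber' valid range (1-10), standby identified by
unit number, and disabled units still eligible for election when nothing else
is (the page does not state this case).
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_UNITS = 10  # assumption: valid unit numbers are 1-10 on this page


@dataclass
class Unit:
    mac: int
    master_mode: str = "unassigned"      # 'enabled' | 'disabled' | 'unassigned'
    unit_number: Optional[int] = None    # None means 'unassigned'
    is_master: bool = False


@dataclass
class Stack:
    members: List[Unit] = field(default_factory=list)
    standby: Optional[int] = None        # unit number chosen with 'standby <unit>'

    def master(self) -> Optional[Unit]:
        return next((u for u in self.members if u.is_master), None)

    def _assign_unit_number(self, unit: Unit) -> bool:
        """Keep a free configured number; otherwise take the lowest free one."""
        in_use = {u.unit_number for u in self.members}
        if unit.unit_number is not None and unit.unit_number not in in_use:
            return True
        free = [n for n in range(1, MAX_UNITS + 1) if n not in in_use]
        if not free:
            unit.unit_number = None      # stack full: 'unassigned', does not join
            return False
        unit.unit_number = free[0]
        return True

    def add(self, unit: Unit) -> bool:
        """Apply the join rules; returns True if the unit participates in the stack."""
        if not self._assign_unit_number(unit):
            return False
        if self.master() is not None:
            # a master is already active: enabled/unassigned flips to disabled
            if unit.master_mode in ("enabled", "unassigned"):
                unit.master_mode = "disabled"
            unit.is_master = False
        elif unit.master_mode in ("enabled", "unassigned"):
            unit.is_master = True        # no other master: this unit becomes master
        self.members.append(unit)
        return True

    def elect(self) -> Optional[Unit]:
        """Election order: the current master stays, else the highest MAC wins."""
        incumbent = self.master()
        if incumbent is not None:
            return incumbent
        if not self.members:
            return None
        winner = max(self.members, key=lambda u: u.mac)
        winner.is_master = True
        return winner

    def fail_master(self) -> Optional[Unit]:
        """Master failure: a configured standby takes over, else the stack re-elects."""
        old = self.master()
        if old is None:
            return None
        self.members.remove(old)
        old.is_master = False
        standby = next((u for u in self.members if u.unit_number == self.standby), None)
        if standby is not None:
            standby.is_master = True
            return standby
        return self.elect()
```

A failed master that later rejoins goes through add() again, so it comes back as a member with its stack master value set to disabled, which is the behaviour the "What is Stacking Standby?" section describes.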
Adding a Switch to the Stack
When adding a new member to a stack, make sure that only the stack cables,
and no network cables, are connected before powering up the new unit. Stack
port configuration is stored on the member units. If stacking over Ethernet
ports (N4000 only), configure the ports on the unit to be added to the stack as
stacking ports and power the unit off prior to connecting the stacking cables.
Make sure the links are not already connected to any ports of that unit. This is
important because if STP is enabled and any links are UP, the STP
reconvergence will take place as soon as the link is detected.
After the stack cables on the new member are connected to the stack, you can
power up the new units, beginning with the unit directly attached to the
currently powered-up unit. Always power up new stack units closest to an
existing powered unit first. Do not connect a new member to the stack after it
is powered up. Also, do not connect two functional, powered-up stacks
together. Hot insertion of units into a stack is not supported.
If a new switch is added to a stack of switches that are powered and running
and already have an elected stack master, the newly added switch becomes a
stack member rather than the stack master. Use the boot auto-copy-sw
command on the stack master to enable automatic firmware upgrade of newly
added switches. If a firmware mismatch is detected, the newly added switch
does not fully join the stack and holds until it is upgraded to the same
firmware version as the master switch. After firmware synchronization
finishes, the running configuration of the newly added unit is overwritten
with the stack master configuration. Stack port configuration is always stored
on the local unit and may be updated with preconfiguration information from
the stack master when the unit joins the stack.
You can preconfigure information about a stack member and its ports before
you add it to the stack. The preconfiguration takes place on the stack master.
If there is saved configuration information on the stack master for the newly
added unit, the stack master applies the configuration to the new unit;
otherwise, the stack master applies the default configuration to the new unit.
Removing a Switch from the Stack
Prior to removing a member from a stack, check that other members of the
stack will not become isolated from the stack due to the removal. Check the
stack-port error counters to ensure that a stack configured in a ring topology
can establish a communication path around the member to be removed.
The main point to remember when you remove a unit from the stack is to
disconnect all the links on the stack member to be removed. Also, be sure to
take the following actions:
Remove all STP-participating ports and wait for STP to stabilize.
Remove all the member ports of any Port-Channels (LAGs) so there will
not be any control traffic destined to those ports connected to this member.
Statically re-route any traffic going through this unit.
When a unit in the stack fails, the stack master removes the failed unit from
the stack. The failed unit reboots with its original running-config. If the stack
is configured in a ring topology, then the stack automatically routes around
the failed unit. If the stack is not configured in a ring topology, then the stack
may split, and the isolated members will reboot and re-elect a new stack
master. No changes or configuration are applied to the other stack members;
however, the dynamic protocols will try to reconverge as the topology could
change because of the failed unit.
If you remove a unit and plan to renumber the stack, issue a no member unit
command in Stack Configuration mode to delete the removed switch from
the configured stack member information.
How is the Firmware Updated on the Stack?
When you add a new switch to a stack, the Stack Firmware Synchronization
feature automatically synchronizes the firmware version with the version
running on the stack master, per the configuration on the master switch. The
synchronization operation may result in either an upgrade or a downgrade of
firmware on the mismatched stack member. Because a downgrade rolls the new
member back to whatever the master is running, keep the master's firmware
current and confirm with show switch that every unit reports the same Code
Version after the join.
Upgrading the firmware on a stack of switches is the same as upgrading the
firmware on a single switch. After you download a new image by using the File
Download page or copy command, the downloaded image is distributed to all
the connected units of the stack. For more information about downloading
and installing images, see "Managing Images and Files" on page 359.
What is Stacking Standby?
A standby unit is preconfigured in the stack. If the current stack master fails,
the standby unit becomes the stack master. If no switch is pre-configured as
the standby unit, the software automatically selects a standby unit from the
existing stack units.
When the failed master resumes normal operation, it joins the stack as a
member (not a master) if the new stack master has already been elected.
The stack master copies its running configuration to the standby unit
whenever it changes (subject to some restrictions to reduce overhead). This
enables the standby unit to take over the stack operation with minimal
interruption if the stack master becomes unavailable.
Operational state synchronization also occurs:
when you save the running configuration to the startup configuration on
the stack master.
when the backup unit changes.
What is Nonstop Forwarding?
Networking devices, such as the Dell Networking series switches, are often
described in terms of three semi-independent functions called the forwarding
plane, the control plane, and the management plane. The forwarding plane
forwards data packets and is implemented in hardware. The control plane is
the set of protocols that determine how the forwarding plane should forward
packets, deciding which data packets are allowed to be forwarded and where
they should go. Application software on the stack master acts as the control
plane. The management plane is application software running on the stack
master that provides interfaces allowing a network administrator to configure
the device.
The Nonstop Forwarding (NSF) feature allows the forwarding plane of stack
units to continue to forward packets while the control and management
planes restart as a result of a power failure, hardware failure, or software fault
on the stack master. This type of operation is called nonstop forwarding.
When the stack master fails, only the switch ASICs on the stack master need
to be restarted.
To prevent adjacent networking devices from rerouting traffic around the
restarting device, the NSF feature uses the following three techniques:
1. A protocol can distribute a part of its control plane to stack units so that
the protocol can give the appearance that it is still functional during the
restart.
2. A protocol may enlist the cooperation of its neighbors through a technique
known as graceful restart.
3. A protocol may simply restart after the failover if neighbors react slowly
enough that they will not normally detect the outage.
The NSF feature enables the stack master unit to synchronize the running-
config within 60 seconds after a configuration change has been made.
However, if a lot of configuration changes happen concurrently, NSF uses a
back-off mechanism to reduce the load on the switch. The show nsf
command output includes information about when the next running-config
synchronization will occur.
Initiating a Failover
The NSF feature allows you to initiate a failover using the initiate failover
command, which causes the former stack master to reboot (cold start), and
the new master to perform a warm restart.
Initiating a failover reloads the stack master, triggering the backup unit to
take over. Before the failover, the stack master pushes application data and
other important information to the backup unit. Although the handoff is
controlled and causes minimal network disruption, some application state is
lost, such as pending timers and other pending internal events.
Checkpointing
Switch applications (features) that build up a list of data such as neighbors or
clients can significantly improve their restart behavior by remembering this
data across a warm restart. This data can either be stored persistently, as
DHCP server and DHCP snooping store their bindings database, or the stack
master can checkpoint this data directly to the standby unit. Persistent
storage allows an application on a standalone unit to retain its data across a
restart, but since the amount of storage is limited, persistent storage is not
always practical.
The NSF checkpoint service allows the stack master to communicate certain
data to the backup unit in the stack. When the stack selects a backup unit,
the checkpoint service notifies applications to start a complete checkpoint.
After the initial checkpoint is done, applications checkpoint changes to their
data.
Table 9-1 lists the applications on the switch that checkpoint data and
describes the type of data that is checkpointed.
NOTE: The switch cannot guarantee that a backup unit has exactly the same data
that the stack master has when it fails. For example, the stack master might fail
before the checkpoint service gets data to the backup if an event occurs shortly
before a failover.
Table 9-1. Applications that Checkpoint Data
Application          Checkpointed Data
-------------------  ----------------------------------------------------------
ARP                  Dynamic ARP entries
Auto VOIP            Calls in progress
Captive Portal       Authenticated clients
DHCP server          Address bindings (persistent)
DHCP snooping        DHCP bindings database
DOT1Q                Internal VLAN assignments
DOT1S                Spanning tree port roles, port states, root bridge, etc.
DOT1X                Authenticated clients
DOT3ad               Port states
IGMP/MLD Snooping    Multicast groups, list of router ports, last query data
                     for each VLAN
IPv6 NDP             Neighbor cache entries
iSCSI                Connections
LLDP                 List of interfaces with MED devices attached
OSPFv2               Neighbors and designated routers
OSPFv3               Neighbors and designated routers
Route Table Manager  IPv4 and IPv6 dynamic routes
SIM                  The system's MAC addresses. System up time. IP address,
                     network mask, default gateway on each management
                     interface, DHCPv6 acquired IPv6 address.
Voice VLAN           VoIP phones identified by CDP or DHCP (not LLDP)
NOTE: Each switch is assigned four consecutive MAC addresses. A stack of
switches uses the MAC addresses assigned to the stack master.
Switch Stack MAC Addressing and Stack Design Considerations
The switch stack uses the MAC addresses assigned to the stack master.
If the backup unit assumes control due to a stack master failure or warm
restart, the backup unit continues to use the original stack master's MAC
addresses. This reduces the amount of disruption to the network because
ARP and other L2 entries in neighbor tables remain valid after the failover to
the backup unit.
Stack units should always be connected with a ring topology (or other
biconnected topology), so that the loss of a single stack link does not divide
the stack into multiple stacks. If a stack is partitioned such that some units
lose all connectivity to other units, then both parts of the stack start using the
same MAC addresses. This can cause severe problems in the network.
If you move the stack master to a different place in the network, make sure
you power down the whole stack before you redeploy the stack master so that
the stack members do not continue to use the MAC address of the redeployed
switch.
NSF Network Design Considerations
You can design your network to take maximum advantage of NSF. For
example, by distributing a LAG's member ports across multiple units, the
stack can quickly switch traffic from a port on a failed unit to a port on a
surviving unit. When a unit fails, the forwarding plane of surviving units
removes LAG members on the failed unit so that it only forwards traffic onto
LAG members that remain up. If a LAG is left with no active members, the
LAG goes down. To prevent a LAG from going down, configure LAGs with
members on multiple units within the stack, when possible. If a stack unit
fails, the system can continue to forward on the remaining members of the
stack.
If your switch stack performs VLAN routing, another way to take advantage of
NSF is to configure multiple “best paths” to the same destination on
different stack members. If a unit fails, the forwarding plane removes Equal
Cost Multipath (ECMP) next hops on the failed unit from all unicast
forwarding table entries. If the cleanup leaves a route without any next hops,
the route is deleted. The forwarding plane only selects ECMP next hops on
surviving units. For this reason, try to distribute links providing ECMP paths
across multiple stack units.
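A design check for the LAG and ECMP guidance in this section, written as an added example in Python (not Dell code). The LAG names Po1 and Po2, the unit/slot/port strings, the addresses and the assignment of each ECMP next hop to the physical port through which it is reached are all constructed for the example. after_unit_failure applies the cleanup rules the text states (LAG members and next hops on the failed unit are removed, a LAG with no members goes down, a route with no next hops is deleted) so that, before any failure, you can see which LAGs and routes a single unit loss would take out.

```python
"""Stack design check for NSF: which LAGs and ECMP routes survive a unit failure.

Added example, not Dell code. Input is a constructed description of LAG
membership and ECMP next hops using the CLI's unit/slot/port notation; the
'port' of a next hop is the physical port through which that next hop is
reached (an assumption of this model).
"""
from typing import Dict, List


def unit_of(port: str) -> int:
    """'2/0/5' -> 2 (unit/slot/port notation)."""
    return int(port.split("/")[0])


def single_unit_lags(lags: Dict[str, List[str]]) -> Dict[str, int]:
    """LAG name -> the single unit carrying every member (these go down with it)."""
    return {name: unit_of(ports[0]) for name, ports in lags.items()
            if ports and len({unit_of(p) for p in ports}) == 1}


def after_unit_failure(lags: Dict[str, List[str]],
                       routes: Dict[str, List[dict]], failed_unit: int) -> dict:
    """Apply the forwarding-plane cleanup the page describes for one failed unit.

    Members on the failed unit are removed from each LAG; a LAG with nothing
    left is down. Next hops on the failed unit are removed from each route; a
    route with nothing left is deleted.
    """
    lag_state = {}
    for name, ports in lags.items():
        remaining = [p for p in ports if unit_of(p) != failed_unit]
        lag_state[name] = {"up": bool(remaining), "members": remaining}
    route_state = {}
    for prefix, hops in routes.items():
        remaining = [h for h in hops if unit_of(h["port"]) != failed_unit]
        route_state[prefix] = {"present": bool(remaining), "next_hops": remaining}
    return {"lags": lag_state, "routes": route_state}


def worst_case(lags: Dict[str, List[str]], routes: Dict[str, List[dict]]) -> dict:
    """For every unit referenced, list what is lost if that unit fails."""
    units = {unit_of(p) for ports in lags.values() for p in ports}
    units |= {unit_of(h["port"]) for hops in routes.values() for h in hops}
    report = {}
    for u in sorted(units):
        st = after_unit_failure(lags, routes, u)
        report[u] = {
            "lags_down": sorted(n for n, s in st["lags"].items() if not s["up"]),
            "routes_lost": sorted(p for p, s in st["routes"].items() if not s["present"]),
        }
    return report


# Constructed sample: three-unit stack, Po1 spread over units 1 and 2, Po2 all on unit 3.
SAMPLE_LAGS = {
    "Po1": ["1/0/49", "2/0/49"],
    "Po2": ["3/0/49", "3/0/50"],
}
SAMPLE_ROUTES = {
    "10.0.0.0/8": [{"via": "192.0.2.1", "port": "1/0/1"},
                   {"via": "192.0.2.5", "port": "2/0/1"}],
    "172.16.0.0/12": [{"via": "198.51.100.1", "port": "3/0/1"}],
}

if __name__ == "__main__":
    for unit, loss in worst_case(SAMPLE_LAGS, SAMPLE_ROUTES).items():
        print(f"unit {unit} fails -> LAGs down {loss['lags_down']}, "
              f"routes lost {loss['routes_lost']}")
```

Run it against your own LAG and next-hop inventory: any LAG reported by single_unit_lags, or any route that appears under routes_lost for some unit, is a spot where NSF cannot help and a second member or path on another unit is needed.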
Why is Stacking Needed?
Stacking increases port count without requiring additional configuration. If
you have multiple Dell Networking switches, stacking them helps make
management of the switches easier because you configure the stack as a single
unit and do not need to configure individual switches.
Default Stacking Values
Stacking is always enabled on Dell Networking series switches.
On the N4000 switches, by default, the 10G SFP+ ports are in Ethernet
mode and must be configured to be used as stacking ports. Ports that are
configured in stacking mode show as “detached” in the output of the show
interfaces status command.
Configuring an Ethernet port as a stacking port changes the default
configuration of the port. The port stacking configuration does not show in
the running-config. To determine the stacking configuration of a port, use the
show switch stack-ports command. On the N2000/N3000 switches, there are
two fixed stacking ports in the rear of the switch. Stacking on Ethernet ports
is not supported. The fixed stacking ports show as TwentygigabitStacking and
are abbreviated Tw.
NSF is enabled by default. You can disable NSF to redirect the CPU resources
consumed by data checkpointing. Checkpointing only occurs when a backup
unit is elected, so there is no need to disable the NSF feature on a standalone
switch. When a new unit is added to the stack, the new unit takes the
configuration of the stack, including the NSF setting. OSPF implements a
separate graceful restart control that enables NSF for OSPF. OSPF graceful
restart is not enabled by default.
Managing and Monitoring the Stack (Web)
This section provides information about the OpenManage Switch
Administrator pages for configuring and monitoring stacking on a Dell
Networking N2000, N3000, and N4000 series switches. For details about the
fields on a page, click at the top of the page.
Unit Configuration
Use the Unit Configuration page to change the unit number and unit type
(Management, Member, or Standby).
To display the Unit Configuration page, click System → Stack Management →
Unit Configuration in the navigation panel.
Figure 9-2. Stack Unit Configuration
NOTE: The changes you make to the Stacking configuration pages take effect only
after the device is reset.
Changing the ID or Switch Type for a Stack Member
To change the switch ID or type:
1. Open the Unit Configuration page.
2. Click Add to display the Add Unit page.
Figure 9-3. Add Unit
3. Specify the switch ID, and select the model number of the switch.
4. Click Apply.
Stack Summary
Use the Stack Summary page to view a summary of switches participating in
the stack.
To display the Stack Summary page, click System → Stack Management →
Stack Summary in the navigation panel.
Figure 9-4. Stack Summary
Stack Firmware Synchronization
Use the Stack Firmware Synchronization page to control whether the
firmware image on a new stack member can be automatically upgraded or
downgraded to match the firmware image of the stack master.
To display the Stack Firmware Synchronization page, click System → Stack
Management → Stack Firmware Synchronization in the navigation panel.
Figure 9-5. Stack Firmware Synchronization
Supported Switches
Use the Supported Switches page to view information regarding each type of
supported switch for stacking, and information regarding the supported
switches.
To display the Supported Switches page, click System → Stack Management →
Supported Switches in the navigation panel.
Figure 9-6. Supported Switches
Stack Port Summary
Use the Stack Port Summary page to configure the stack-port mode and to
view information about the stackable ports. This screen displays the unit, the
stackable interface, the configured mode of the interface, the running mode
as well as the link status and link speed of the stackable port.
To display the Stack Port Summary page, click System → Stack Management →
Stack Port Summary in the navigation panel.
Figure 9-7. Stack Port Summary
NOTE: By default the ports are configured to operate as Ethernet ports. To
configure a port as a stack port, you must change the Configured Stack Mode
setting from Ethernet to Stack.
Stack Port Counters
Use the Stack Port Counters page to view the transmitted and received
statistics, including data rate and error rate.
To display the Stack Port Counters page, click System → Stack Management →
Stack Port Counters in the navigation panel.
Figure 9-8. Stack Port Counters
Stack Port Diagnostics
The Stack Port Diagnostics page is intended for Field Application Engineers
(FAEs) and developers only.
NSF Summary
Use the NSF Summary page to change the administrative status of the NSF
feature and to view NSF information.
To display the NSF Summary page, click System Stack Management
NSF Summary in the navigation panel.
Figure 9-9. NSF Summary
To cause the master unit to fail over to the standby unit, click Initiate
Failover. Initiating a failover reloads the stack master (a cold start of the
former master) and triggers the backup unit to take over with a warm restart.
NOTE: The OSPF feature uses NSF to enable the hardware to continue forwarding
IPv4 packets using OSPF routes while a backup unit takes over stack master
responsibility. To configure NSF on a stack that uses OSPF or OSPFv3, see "NSF
OSPF Configuration" on page 1137 and "NSF OSPFv3 Configuration" on page 1154.
Checkpoint Statistics
Use the Checkpoint Statistics page to view information about checkpoint
messages generated by the stack master.
To display the Checkpoint Statistics page, click System Stack
Management Checkpoint Statistics in the navigation panel.
Figure 9-10. Checkpoint Statistics
Managing the Stack (CLI)
This section provides information about the commands you use to manage
the stack and view information about the switch stack. For more information
about these commands, see the
Dell Networking N2000, N3000, and N4000
Series Switches CLI Reference Guide
at support.dell.com/manuals.
Configuring Stack Member, Stack Port, and NSF Settings
Beginning in Privileged EXEC mode, use the following commands to
configure stacking and NSF settings.
Command                              Purpose
configure                            Enter Global Configuration mode.
switch current_ID renumber new_ID    Change the switch ID number. The valid range is 1-10.
                                     NOTE: Changing the ID number causes all switches in
                                     the stack to be reset to perform stack master
                                     renumbering. The running configuration is cleared
                                     when the units reset.
stack                                Enter Global Stack Configuration mode.
initiate failover                    Move the management switch functionality from the
                                     master switch to the standby switch.
standby unit                         Specify the stack member that will come up as the
                                     master if a stack failover occurs.
set description unit                 Configure a description for the specified stack
                                     member.
member unit SID                      Add a switch to the stack and specify the model of
                                     the new stack member.
                                     unit - The switch unit ID
                                     SID - The index into the database of the supported
                                     switch types, indicating the type of the switch being
                                     preconfigured.
                                     Note: Member configuration displayed in the running
                                     config may be learned from the physical stack. Member
                                     configuration is not automatically saved in the
                                     startup-config. Save the configuration to retain the
                                     current member settings.
                                     To view the SID associated with the supported switch
                                     types, use the show supported switchtype command in
                                     Privileged EXEC mode.
stack-port tengigabitethernet        Set the mode of the port to either Ethernet or
unit/slot/port {ethernet | stack}    stacking (N4000 only).
nsf                                  Enable nonstop forwarding on the stack.
exit                                 Exit to Global Config mode.
boot auto-copy-sw                    Enable the Stack Firmware Synchronization feature.
boot auto-copy-sw allow-downgrade    Allow the firmware version on the newly added stack
                                     member to be downgraded if the firmware version on
                                     the manager is older. Config migration is not assured
                                     for firmware downgrade.
exit                                 Exit to Privileged EXEC mode.
show auto-copy-sw                    View the Stack Firmware Synchronization settings for
                                     the stack.
reload unit                          If necessary, reload the specified stack member.
NOTE: The OSPF feature uses NSF to enable the hardware to continue forwarding
IPv4 packets using OSPF routes while a backup unit takes over stack master
responsibility. Additional NSF commands are available in OSPF and OSPFv3
command modes. For more information, see "NSF OSPF Configuration" on
page 1137 and "NSF OSPFv3 Configuration" on page 1154.
Viewing and Clearing Stacking and NSF Information
Beginning in Privileged EXEC mode, use the following commands to view
stacking information and to clear NSF statistics.
Command                              Purpose
show switch [stack-member-number]    View information about all stack members or the
                                     specified member.
show switch stack-standby            View the ID of the switch that will assume the role
                                     of the stack master if it goes down.
show switch stack-ports              View information about the stacking ports.
show switch stack-ports counters     View the statistics about the data the stacking
                                     ports have transmitted and received.
show switch stack-ports stack-path   View the path that packets take from one stack
                                     member to another.
show supported switchtype            View the Dell Networking models that are supported
                                     in the stack and the switch index (SID) associated
                                     with each model.
show nsf                             View summary information about the NSF feature.
show checkpoint statistics           View information about checkpoint messages
                                     generated by the stack master.
clear checkpoint statistics          Reset the checkpoint statistics counters to zero.
Stacking and NSF Usage Scenarios
Only a few settings are available to control the stacking configuration, such as
the designation of the standby unit or enabling/disabling NSF. The examples
in this section describe how the stacking and NSF feature act in various
environments.
This section contains the following examples:
Basic Failover
Preconfiguring a Stack Member
NSF in the Data Center
NSF and VoIP
NSF and DHCP Snooping
NSF and the Storage Access Network
NSF and Routed Access
Basic Failover
In this example, the stack has four members that are connected in a ring
topology, as Figure 9-11 shows.
Figure 9-11. Basic Stack Failover
When all four units are up and running, the show switch CLI command gives
the following output:
console#show switch

SW  Management Status  Standby Status  Preconfig Model ID  Plugged-in Model ID  Switch Status  Code Version
--  -----------------  --------------  ------------------  -------------------  -------------  ------------
1   Stack Member                       N3048               N3048                OK             6.0.0.0
2   Stack Member                       N3048               N3048                OK             6.0.0.0
3   Mgmt Switch                        N3048               N3048                OK             6.0.0.0
4   Stack Member                       N3048               N3048                OK             6.0.0.0

At this point, if Unit 2 is powered off or rebooted due to an unexpected
failure, show switch gives the following output:
console#show switch

SW  Management Status  Standby Status  Preconfig Model ID  Plugged-in Model ID  Switch Status  Code Version
--  -----------------  --------------  ------------------  -------------------  -------------  ------------
1   Stack Member                       N3048               N3048                OK             6.0.0.0
2   Unassigned                         N3048               Not Present                         0.0.0.0
3   Mgmt Switch                        N3048               N3048                OK             6.0.0.0
4   Stack Member                       N3048               N3048                OK             6.0.0.0

When the failed unit resumes normal operation, the previous configuration
that exists for that unit is reapplied by the stack master.
To permanently remove the unit from the stack, enter into Stack Config
Mode and use the member command, as the following example shows.
console#configure
console(config)#stack
console(config-stack)#no member 2
console(config-stack)#exit
console(config)#exit
console#show switch

SW  Management Status  Standby Status  Preconfig Model ID  Plugged-in Model ID  Switch Status  Code Version
--  -----------------  --------------  ------------------  -------------------  -------------  ------------
1   Stack Member                       N3048               N3048                OK             6.0.0.0
3   Mgmt Switch                        N3048               N3048                OK             6.0.0.0
4   Stack Member                       N3048               N3048                OK             6.0.0.0

Preconfiguring a Stack Member
To preconfigure a stack member before connecting the physical unit to the
stack, use the show supported switchtype command to obtain the SID of the
unit to be added.
The example in this section demonstrates pre-configuring a Dell Networking
switch on a stand-alone Dell Networking switch.
To configure the switch:
1. View the list of SIDs to determine which SID identifies the switch to
preconfigure. The following is the output on N3000 and N2000 series
switches.
console#show supported switchtype
SID Switch Model ID
--- --------------------------------
1   N3024
2   N3024F
3   N3024P
4   N3048
5   N3048P
6   N2024
7   N2024P
8   N2048
9   N2048P
NOTE: N2000 and N3000 switches cannot be stacked together.
2. Preconfigure the switch (SID = 2) as member number 2 in the stack.
console#configure
console(config)#stack
console(config-stack)#member 2 2
console(config-stack)#exit
console(config)#exit
3. Confirm the stack configuration. Some of the fields have been omitted
from the following output due to space limitations.
console#show switch

    Management  Standby  Preconfig  Plugged-in  Switch  Code
SW  Status      Status   Model ID   Model ID    Status  Version
--- ----------  -------  ---------  ----------  ------  -------
1   Mgmt Sw              N3048      N3048       OK      6.0.0.0
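The show switch output in the Basic Failover and Preconfiguring examples above is the quickest place to catch a degraded or inconsistent stack (a unit that is Not Present, more than one unit claiming to be the management switch, a preconfigured model that does not match what is plugged in, or a member whose code version differs from the master's after a join). The following parser and audit is an added example in Python, not Dell code. Column positions are taken from the dashed separator line and each value is assigned to the nearest column start, so a blank Standby Status cell is handled; the row tokens are the ones the page shows (Stack Member, Mgmt Switch, Mgmt Sw, Unassigned, Not Present). The three sample captures are constructed: the first two reproduce the page's healthy and unit-2-failed states, the third adds a member running a different code version.

```python
"""Parse and audit 'show switch' output in the layout shown on this page.

Added example, not Dell code. Column starts are read from the dashed separator
line; each value on a data row is mapped to the nearest column start, which
tolerates blank cells (for example an empty Standby Status column). The sample
captures below are constructed to match the page's outputs.
"""
import re
from typing import Dict, List

FIELDS = ["sw", "mgmt_status", "standby_status", "preconfig_model",
          "plugged_in_model", "switch_status", "code_version"]
SEPARATOR = re.compile(r"^\s*-+(?:\s+-+){6}\s*$")   # seven dashed column markers
TOKEN = re.compile(r"\S+(?: \S+)*")                 # 'Stack Member' keeps its one space


def parse_show_switch(text: str) -> List[Dict[str, str]]:
    """Return one dict per unit row, keyed by FIELDS; blank cells are ''."""
    starts = None
    units = []
    for line in text.splitlines():
        if starts is None:                      # skip headers until the dashed line
            if SEPARATOR.match(line):
                starts = [m.start() for m in re.finditer(r"-+", line)]
            continue
        if not line.strip():
            continue
        cells = [""] * len(FIELDS)
        for m in TOKEN.finditer(line):
            col = min(range(len(starts)), key=lambda c: abs(starts[c] - m.start()))
            cells[col] = m.group()
        if cells[0].isdigit():
            units.append(dict(zip(FIELDS, cells)))
    if starts is None:
        raise ValueError("no column separator line found")
    return units


def audit_stack(text: str) -> List[str]:
    """Human-readable findings; an empty list means the stack looks healthy."""
    units = parse_show_switch(text)
    findings = []
    masters = [u for u in units if u["mgmt_status"].startswith("Mgmt")]
    if len(masters) != 1:
        findings.append(f"expected one Mgmt Switch, found {len(masters)}")
    for u in units:
        if u["plugged_in_model"] == "Not Present":
            findings.append(f"unit {u['sw']}: preconfigured {u['preconfig_model']} but Not Present")
        elif u["preconfig_model"] and u["preconfig_model"] != u["plugged_in_model"]:
            findings.append(f"unit {u['sw']}: preconfigured {u['preconfig_model']}, "
                            f"{u['plugged_in_model']} plugged in")
        elif u["switch_status"] != "OK":
            findings.append(f"unit {u['sw']}: status {u['switch_status'] or 'blank'}")
    # Every present unit must run the master's code; a mismatch means Stack
    # Firmware Synchronization has not completed, or is disabled.
    for m in masters[:1]:
        for u in units:
            if u["plugged_in_model"] != "Not Present" and u["code_version"] != m["code_version"]:
                findings.append(f"unit {u['sw']}: code {u['code_version']} != master {m['code_version']}")
    return findings


# Constructed captures in the page's column layout.
HEADER = (
    "SW  Management Status  Standby Status  Preconfig Model ID  Plugged-in Model ID  Switch Status  Code Version\n"
    "--  -----------------  --------------  ------------------  -------------------  -------------  ------------\n"
)
HEALTHY = HEADER + (
    "1   Stack Member                       N3048               N3048                OK             6.0.0.0\n"
    "2   Stack Member                       N3048               N3048                OK             6.0.0.0\n"
    "3   Mgmt Switch                        N3048               N3048                OK             6.0.0.0\n"
    "4   Stack Member                       N3048               N3048                OK             6.0.0.0\n"
)
DEGRADED = HEADER + (
    "1   Stack Member                       N3048               N3048                OK             6.0.0.0\n"
    "2   Unassigned                         N3048               Not Present                         0.0.0.0\n"
    "3   Mgmt Switch                        N3048               N3048                OK             6.0.0.0\n"
    "4   Stack Member                       N3048               N3048                OK             6.0.0.0\n"
)
MIXED_CODE = HEADER + (
    "1   Stack Member                       N3048               N3048                OK             6.0.0.0\n"
    "2   Stack Member                       N3048               N3048                OK             6.0.0.0\n"
    "3   Mgmt Switch                        N3048               N3048                OK             6.0.0.0\n"
    "4   Stack Member                       N3048               N3048                OK             6.0.1.0\n"
)

if __name__ == "__main__":
    for name, capture in (("healthy", HEALTHY), ("degraded", DEGRADED), ("mixed", MIXED_CODE)):
        print(name, audit_stack(capture) or ["no findings"])
```

The standby unit is not visible in this output when the column is blank, so pair the audit with show switch stack-standby; and because a Not Present unit on one side of a broken ring may be a running stack on the other side (with the same MAC addresses), treat that finding as urgent rather than cosmetic.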
NSF in the Data Center
Figure 9-12 illustrates a data center scenario, where the stack of two Dell
Networking switches acts as an access switch. The access switch is connected
to two aggregation switches, AS1 and AS2. The stack has a link from two
different units to each aggregation switch, with each pair of links grouped
together in a LAG. The two LAGs and link between AS1 and AS2 are
members of the same VLAN. Spanning tree is enabled on the VLAN. Assume
spanning tree selects AS1 as the root bridge. Assume the LAG to AS1 is the
root port on the stack and the LAG to AS2 is discarding. Unit 1 is the stack
master. If unit 1 fails, the stack removes the Unit 1 link to AS1 from its LAG.
The stack forwards outgoing packets through the Unit 2 link to AS1 during
the failover. During the failover, the stack continues to send BPDUs and LAG
PDUs on its links on Unit 2. The LAGs stay up (with one remaining link in
each), and spanning tree on the aggregation switches does not see a topology
change.
Figure 9-12. Data Center Stack Topology
NSF and VoIP
Figure 9-13 shows how NSF maintains existing voice calls during a stack
master failure. Assume the top unit is the stack master. When the stack
master fails, the call from phone A is immediately disconnected. The call
from phone B continues. On the uplink, the forwarding plane removes the
failed LAG member and continues using the remaining LAG member. If
phone B has learned VLAN or priority parameters through LLDP-MED, it
continues to use those parameters. The stack resumes sending LLDPDUs
with MED TLVs once the control plane restarts. Phone B may miss an
LLDPDU from the stack, but should not miss enough PDUs to revert its
VLAN or priority, assuming the administrator has not reduced the LLDPDU
interval or hold count. If phone B is receiving quality of service from policies
installed in the hardware, those policies are retained across the stack master
restart.
Figure 9-13. NSF and VoIP
NSF and DHCP Snooping
Figure 9-14 illustrates an L2 access switch running DHCP snooping. DHCP
snooping only accepts DHCP server messages on ports configured as trusted
ports. DHCP snooping listens to DHCP messages to build a bindings
database that lists the IP address the DHCP server has assigned to each host.
IP Source Guard (IPSG) uses the bindings database to filter data traffic in
hardware based on source IP address and source MAC address. Dynamic ARP
Inspection (DAI) uses the bindings database to verify that ARP messages
contain a valid sender IP address and sender MAC address. DHCP snooping
checkpoints its bindings database.
Figure 9-14. NSF and DHCP Snooping
If the stack master fails, all hosts connected to that unit lose network access
until that unit reboots. The hardware on surviving units continues to enforce
the source filters that IPSG installed prior to the failover. Valid hosts continue
to communicate normally. During the failover, the hardware continues to drop
data packets from unauthorized hosts, so security is not compromised.
If a host is in the middle of an exchange with the DHCP server when the
failover occurs, the exchange is interrupted while the control plane restarts.
When DHCP snooping is enabled, the hardware traps all DHCP packets to
the CPU. The control plane drops these packets during the restart. The
DHCP client and server retransmit their DHCP messages until the control
plane has resumed operation and messages get through. Thus, DHCP
snooping does not miss any new bindings during a failover.
As DHCP snooping applies its checkpointed DHCP bindings, IPSG confirms
the existence of the bindings with the hardware by reinstalling its source IP
address filters.
If Dynamic ARP Inspection is enabled on the access switch, the hardware
traps ARP packets to the CPU on untrusted ports. During a restart, the
control plane drops ARP packets. Thus, new traffic sessions may be briefly
delayed until after the control plane restarts.
If IPSG is enabled and a DHCP binding is not checkpointed to the backup
unit before the failover, that host will not be able to send data packets until it
renews its IP address lease with the DHCP server.
NSF and the Storage Access Network
Figure 9-15 illustrates a stack of three Dell Networking switches connecting
two servers (iSCSI initiators) to a disk array (iSCSI targets). There are two
iSCSI connections as follows:
Session A: 10.1.1.10 to 10.1.1.3
Session B: 10.1.1.11 to 10.1.1.1
An iSCSI application running on the stack master (the top unit in the
diagram) has installed priority filters to ensure that iSCSI traffic that is part
of these two sessions receives priority treatment when forwarded in hardware.
Figure 9-15. NSF and a Storage Area Network
When the stack master fails, session A drops. The initiator at 10.1.1.10
detects a link down on its primary NIC and attempts to reestablish the
session on its backup NIC to a different IP address on the disk array. The
hardware forwards the packets to establish this new session, but assuming the
session is established before the control plane is restarted on the backup unit,
the new session receives no priority treatment in the hardware.
Session B remains established and fully functional throughout the restart and
continues to receive priority treatment in the hardware.
NSF and Routed Access
Figure 9-16 shows a stack of three units serving as an access router for a set of
hosts. Two LAGs connect the stack to two aggregation routers. Each LAG is a
member of a VLAN routing interface. The stack has OSPF and PIM
adjacencies with each of the aggregation routers. The top unit in the stack is
the stack master.
Figure 9-16. NSF and Routed Access
If the stack master fails, its link to the aggregation router is removed from the
LAG. When the control plane restarts, both routing interfaces come back up
by virtue of the LAGs coming up. OSPF sends grace LSAs to inform its OSPF
neighbors (the aggregation routers) that it is going through a graceful restart.
The grace LSAs reach the neighbors before they drop their adjacencies with
the access router. PIM starts sending hello messages to its neighbors on the
aggregation routers using a new generation ID to prompt the neighbors to
quickly resend multicast routing information. PIM neighbors recognize the
new generation ID and immediately relay the group state back to the
restarting router. IGMP sends queries to relearn the hosts' interest in
multicast groups. IGMP tells PIM the group membership, and PIM sends
JOIN messages upstream. The control plane updates the driver with
checkpointed unicast routes. The forwarding plane reconciles L3 hardware
tables.
NOTE: The graceful restart feature for OSPF is disabled by default. For information
about the web pages and commands to configure NSF for OSPF or OSPFv3, see
"Configuring OSPF and OSPFv3" on page 1111.
The OSPF graceful restart finishes, and the control plane deletes any stale
unicast routes not relearned at this point. The forwarding plane reconciles L3
multicast hardware tables. Throughout the process, the hosts continue to
receive their multicast streams, possibly with a short interruption as the top
aggregation router learns that one of its LAG members is down. The hosts see
no more than a 50 ms interruption in unicast connectivity.
10 Configuring Authentication, Authorization, and Accounting
This chapter describes how to control access to the switch management
interface using authentication and authorization. It also describes how to
record this access using accounting. Together the three services are referred to
by the acronym AAA.
The topics covered in this chapter include:
AAA Overview
• Authentication
• Authorization
• Accounting
Authentication Examples
Authorization Examples
Using RADIUS Servers to Control Management Access
Using TACACS+ Servers to Control Management Access
Default Configurations
AAA Overview
AAA is a framework for configuring management security in a consistent way.
Three services make up AAA:
Authentication—Validates the user identity. Authentication takes place
before the user is allowed access to switch services.
Authorization—Determines which services the user is allowed to access.
Accounting—Collects and sends security information about users and
commands.
Each service is configured using method lists. The method lists define how
each service is to be performed by specifying the methods available to
perform a service. The first method in a list is tried first. If the first method
returns an error, the next method in the list is tried. This continues until all
methods in the list have been attempted. If no method can perform the
service, then the service fails. A method may return an error due to lack of
network access, misconfiguration of a server, and other reasons. If there is no
error, the method returns success if the user is allowed access to the service
and failure if the user is not.
AAA gives the user flexibility in configuration by allowing different method
lists to be assigned to different access lines. In this way, it is possible to
configure different security requirements for the serial console than for
Telnet, for example.
Methods
A method performs the configured service. Not every method is available for
every service. Some methods require a username and password and other
methods only require a password. Table 10-1 summarizes the various
methods:
Table 10-1. AAA Methods
Method   Username?   Password?   Can Return an Error?
enable   no          yes         yes
ias      yes         yes         no
line     no          yes         yes
local    yes         yes         yes
none     no          no          no
radius   yes         yes         yes
tacacs   yes         yes         yes
Methods that never return an error cannot be followed by any other methods
in a method list.
• The enable method uses the enable password. If there is no enable
password defined, then the enable method will return an error.
• The ias method is a special method that is only used for 802.1X. It uses an
internal database (separate from the local user database) that acts like an
802.1X authentication server. This method never returns an error. It will
always pass or deny a user.
• The line method uses the password for the access line on which the user is
accessing the switch. If there is no line password defined for the access
line, then the line method will return an error.
• The local method uses the local user database. If the user password does
not match, then access is denied. This method returns an error if the user
name is not present in the local user database.
• The none method does not perform any service, but instead always returns
a result as if the service had succeeded. This method never returns an error.
If none is configured as a method, the user will always be authenticated
and allowed to access the switch.
• The radius and tacacs methods communicate with servers running the
RADIUS and TACACS+ protocols, respectively. These methods can
return an error if the switch is unable to contact the server.
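A small evaluator for the method-list semantics just described, added here as an example and not Dell's code: each method returns success, failure or error, only an error advances the walk, an exhausted list fails, and a method that never errors may only appear last. The local users, enable password and RADIUS server state are constructed for the example.

```python
"""Evaluator for AAA method lists as the chapter describes them.

A method returns one of three outcomes: success (access allowed), failure
(access denied) or error (the method could not perform the service, for
example because a server is unreachable).  Only an error advances to the
next method in the list; a list exhausted by errors fails the service.
All user and server data below is constructed for this example."""
from enum import Enum


class Result(Enum):
    SUCCESS = "success"
    FAILURE = "failure"
    ERROR = "error"


# Methods that can never return an error (Table 10-1); nothing may follow them.
NEVER_ERRORS = {"ias", "none"}


def validate_method_list(methods):
    """Reject a list that places a never-erroring method before another method."""
    for pos, name in enumerate(methods):
        if name in NEVER_ERRORS and pos != len(methods) - 1:
            raise ValueError(f"method '{name}' never returns an error; "
                             "no method may follow it")


def build_methods(local_users, line_password, enable_password,
                  radius_reachable, radius_users):
    """Return a table of method name -> callable(user, password) -> Result."""

    def enable(_user, password):
        if enable_password is None:          # no enable password configured
            return Result.ERROR
        return Result.SUCCESS if password == enable_password else Result.FAILURE

    def line(_user, password):
        if line_password is None:            # no line password configured
            return Result.ERROR
        return Result.SUCCESS if password == line_password else Result.FAILURE

    def local(user, password):
        if user not in local_users:          # unknown user name is an error
            return Result.ERROR
        return Result.SUCCESS if local_users[user] == password else Result.FAILURE

    def none(_user, _password):
        return Result.SUCCESS                # always reports success

    def radius(user, password):
        if not radius_reachable:             # server cannot be contacted
            return Result.ERROR
        return Result.SUCCESS if radius_users.get(user) == password else Result.FAILURE

    return {"enable": enable, "line": line, "local": local,
            "none": none, "radius": radius}


def run_method_list(methods, table, user, password):
    """Walk the list: the first non-error result decides; all errors -> failure."""
    validate_method_list(methods)
    for name in methods:
        result = table[name](user, password)
        if result is not Result.ERROR:
            return result
    return Result.FAILURE


# Constructed data mirroring the local users from the chapter's example.
LOCAL_USERS = {"guest": "password", "admin": "paSS1&word2"}
RADIUS_USERS = {"admin": "radius-only-secret"}      # constructed

# Same switch, two network conditions: RADIUS server reachable and not.
RADIUS_UP = build_methods(LOCAL_USERS, None, "PaSSW0rd", True, RADIUS_USERS)
RADIUS_DOWN = build_methods(LOCAL_USERS, None, "PaSSW0rd", False, RADIUS_USERS)


if __name__ == "__main__":
    # RADIUS unreachable: the error falls through to the local database.
    print(run_method_list(["radius", "local"], RADIUS_DOWN, "admin", "paSS1&word2"))
    # RADIUS reachable but rejects the password: failure stops the walk,
    # so the local database is never consulted.
    print(run_method_list(["radius", "local"], RADIUS_UP, "admin", "paSS1&word2"))
    # A trailing "none" only opens the switch when every earlier method errors.
    print(run_method_list(["radius", "none"], RADIUS_DOWN, "nobody", "x"))
```

The third case is the one to watch in a real deployment: a list ending in none admits anyone as soon as the server is unreachable.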
Access Lines
There are five access lines: console, Telnet, SSH, HTTP, and HTTPS. HTTP
and HTTPS are not configured using AAA method lists. Instead, the
authentication list for HTTP and HTTPS is configured directly
(authorization and accounting are not supported). The default method lists
for both the HTTP and HTTPS access lines consist of only the local method.
Each of the other access lines may be assigned method lists independently for
the AAA services.
The SSH line has built-in authentication beyond that configured by the
administrator.
In the SSH protocol itself, there are multiple methods for authentication.
These are not the authentication methods configured in AAA, but are
internal to SSH itself. When an SSH connection is attempted, the challenge-
response method is specified in the connection request.
The methods available for authentication are: host-based authentication,
public key authentication, challenge-response authentication, and password
authentication. Authentication methods are tried in the order specified
above, although SSH-2 has a configuration option to change the default
order.
Host-based authentication operates as follows:
If the host from which the user logs in is listed in a specific file
(/etc/hosts.equiv or /etc/ssh/shosts.equiv) on the remote host, and the user
names are the same on both hosts, or if the files ~/.rhosts or ~/.shosts exist in
the user's home directory on the remote host and contain a line containing
the name of the client machine and the name of the user on that machine,
the user is considered for login. Additionally, the server must be able to verify
the client's host key for login to be permitted. This authentication method
closes security holes due to IP spoofing, DNS spoofing, and routing spoofing.
This authentication method is not implemented by DNOS.
Public key authentication operates as follows:
The administrator first generates a pair of encryption keys, the "public" key
and the "private" key. Messages encrypted with the private key can only be
decrypted by the public key, and vice-versa. The administrator keeps the
private key on his/her local machine, and loads the public key on to the
switch. When the administrator attempts to log into the switch, the protocol
sends a brief message, encrypted with the public key. If the client can decrypt
the message (and can send back some proof that it has done so), then the
response proves that the client must possess the private key, and the user is
authenticated without giving a username/password.
This method is implemented in DNOS. If the user does not present a
certificate, it is not considered an error, and authentication will continue with
challenge-response authentication.
Challenge-response authentication works as follows:
The switch sends an arbitrary "challenge" text and prompts for a response.
SSH-2 allows multiple challenges and responses; SSH-1 is restricted to one
challenge/response only. Examples of challenge-response authentication
include BSD Authentication.
Finally, if all other authentication methods fail, SSH prompts the user for a
password.
Authentication
Authentication is the process of validating a user's identity. During the
authentication process, only identity validation is done. There is no
determination made of which switch services the user is allowed to access.
This is true even when RADIUS is used for authentication; RADIUS cannot
perform separate transactions for authentication and authorization. However,
the RADIUS server can provide attributes during the authentication process
that are used in the authorization process.
Authentication Types
There are three types of authentication:
• Login—Login authentication grants access to the switch if the user
credentials are validated. Access is granted only at privilege level one.
• Enable—Enable authentication grants access to a higher privilege level if
the user credentials are validated for the higher privilege level. When
RADIUS is used for enable authentication, the username for this request is
always $enab15$. The username used to log into the switch is not used for
RADIUS enable authentication.
• Dot1x—Dot1x authentication is used to grant an 802.1X supplicant access
to the network. For more information about 802.1X, see "Configuring Port
and System Security" on page 503.
Table 10-2 shows the valid methods for each type of authentication:
Table 10-2. Valid Methods for Authentication Types
Method   Login   Enable   Dot1x
enable   yes     yes      no
ias      no      no       yes
line     yes     yes      no
local    yes     no       no
none     yes     yes      yes
radius   yes     yes      yes
tacacs   yes     yes      no
Authorization
Authorization is used to determine which services the user is allowed to
access. For example, the authorization process may assign a user’s privilege
level, which determines the set of commands the user can execute. There are
three kinds of authorization: commands, exec, and network.
• Commands: Command authorization determines which CLI commands
the user is authorized to execute.
• Exec: Exec authorization determines what the user is authorized to do on
the switch; that is, the user’s privilege level and an administrative profile.
• Network: Network authorization enables a RADIUS server to assign a
particular 802.1X supplicant to a VLAN. For more information about
802.1X, see "Configuring Port and System Security" on page 503.
Table 10-3 shows the valid methods for each type of authorization:
Table 10-3. Authorization Methods
Method   Commands   Exec   Network
local    no         yes    no
none     yes        yes    no
radius   no         yes    yes
tacacs   yes        yes    no
Exec Authorization Capabilities
Dell Networking switches support two types of service configuration with
exec authorization: privilege level and administrative profiles.
Privilege Level
By setting the privilege level during exec authorization, a user can be placed
directly into Privileged EXEC mode when they log into the command line
interface.
Administrative Profiles
The Administrative Profiles feature allows the network administrator to
define a list of rules that control the CLI commands available to a user. These
rules are collected in a “profile.” The rules in a profile can define the set of
commands, or a command mode, to which a user is permitted or denied
access.
Within a profile, rule numbers determine the order in which the rules are
applied. When a user enters a CLI command, rules within the first profile
assigned to the user are applied in descending order until there is a rule that
matches the input. If no rule permitting the command is found, then the
other profiles assigned to the user (if any) are searched for rules permitting
the command. Rules may use regular expressions for command matching. All
profiles have an implicit “deny all” rule, such that any command that does
not match any rule in the profile is considered to have been denied by that
profile.
A user can be assigned to more than one profile. If there are conflicting rules
in profiles, the “permit” rule always takes precedence over the “deny” rule.
That is, if any profile assigned to a user permits a command, then the user is
permitted access to that command. A user may be assigned up to 16 profiles.
A number of profiles are provided by default. These profiles cannot be altered
by the switch administrator. See "Administrative Profiles" on page 240 for the
list of default profiles.
If the successful authorization method does not provide an administrative
profile for a user, then the user is permitted access based upon the user's
privilege level. This means that, if a user successfully passes enable
authentication or if exec authorization assigns a privilege level, the user is
permitted access to all commands. This is also true if none of the
administrative profiles provided are configured on the switch. If some, but
not all, of the profiles provided in the authentication are configured on the
switch, then the user is assigned the profiles that exist, and a message is
logged that indicates which profiles could not be assigned.
Accounting
Accounting is used to record security events, such as a user logging in or
executing a command. Accounting records may be sent upon completion of
an event (stop-only) or at both the beginning and end of an event (start-
stop). There are three types of accounting: commands, Dot1x, and exec.
• Commands—Sends accounting records for command execution.
• Dot1x—Sends accounting records for network access.
• Exec—Sends accounting records for management access (logins).
For more information about the data sent in accounting records, see "Which
RADIUS Attributes Does the Switch Support?" on page 234 and "Using
TACACS+ Servers to Control Management Access" on page 237.
Table 10-4 shows the valid methods for each type of accounting:
Table 10-4. Accounting Methods
Method Commands Dot1x Exec
radius no yes yes
tacacs yes no yes
Authentication Examples
It is important to understand that during authentication, all that happens is
that the user is validated. If any attributes are returned from the server, they
are not processed during authentication. In the examples below, it is assumed
that the default configuration of authorization—that is, no authorization—is
used.
Local Authentication Example
Use the following configuration to require local authentication when logging
in over a Telnet connection:
aaa authentication login “loc” local
line telnet
login authentication loc
exit
enable password PaSSW0rd
username guest password password
passwords strength minimum numeric-characters 2
passwords strength minimum character-classes 4
passwords strength-check
username admin password paSS1&word2 privilege 15
passwords lock-out 3
The following describes each line of this code:
• The aaa authentication login “loc” local command creates a login
authentication list called “loc” that contains the method local.
• The line telnet command enters the configuration mode for the Telnet
line.
• The login authentication loc command assigns the loc login
authentication list to be used for users accessing the switch via Telnet.
The enable password allows Telnet and SSH users access to privileged exec
mode. It is required that an enable password be configured to allow local
access users to elevate to privileged exec level.
• The username guest password password command creates a user with the
name “guest” and password “password”. A simple password can be
configured here, since strength-checking has not yet been enabled.
• The passwords strength minimum numeric-characters 2 command sets
the minimum number of numeric characters required when password
strength checking is enabled. This parameter is enabled only if the
passwords strength minimum character-classes parameter is set to
something greater than its default value of 0.
• The passwords strength minimum character-classes 4 command sets the
minimum number of character classes that must be present in the
password. The possible character classes are: upper-case, lower-case,
numeric and special.
• The passwords strength-check command enables password strength
checking.
• The username admin password paSS1&word2 privilege 15 command
creates a user with the name “admin” and password “paSS1&word2”. This
user is enabled for privilege level 15. Note that, because password strength
checking was enabled, the password was required to have at least two
numeric characters, one uppercase character, one lowercase character, and
one special character.
• The passwords lock-out 3 command locks out a local user after three
failed login attempts.
This configuration allows either user to log into the switch. Both users will
have privilege level 1. If no enable password was configured, neither user
would be able to successfully execute the enable command, which grants
access to Privileged EXEC mode, because there is no enable password set by
default (the default method list for Telnet enable authentication is only the
“enable” method).
NOTE: It is recommended that the password strength checking and password
lockout features be enabled when configuring local users.
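The password-strength and lock-out rules from the configuration above, replayed as an added model that is not DNOS code: guest is created before strength checking is enabled, admin afterwards under the four-class, two-digit policy, and three failed logins lock an account. Which characters count as "special", and that a locked account stays locked until an administrator clears it, are assumptions of the example.

```python
"""Model of the local-user policy configured in the example above:
passwords strength-check with minimum character-classes 4 and minimum
numeric-characters 2, plus passwords lock-out 3.  The definition of a
"special" character and the permanence of a lock-out are assumptions."""
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    strength_check: bool = False      # until "passwords strength-check" is given
    min_character_classes: int = 0    # default 0 per the text
    min_numeric_characters: int = 0
    lockout_attempts: int = 0         # 0: no lock-out configured (assumption)


def character_classes(password):
    """Count the classes present: upper-case, lower-case, numeric, special."""
    tests = (str.isupper, str.islower, str.isdigit,
             lambda c: c in string.punctuation)      # "special" (assumption)
    return sum(any(test(c) for c in password) for test in tests)


def password_accepted(password, policy):
    """Return (accepted, reason) for a candidate password under the policy."""
    if not policy.strength_check:
        return True, "strength checking disabled"
    if character_classes(password) < policy.min_character_classes:
        return False, f"needs {policy.min_character_classes} character classes"
    # The numeric minimum is only enforced once character-classes is above 0.
    digits = sum(c.isdigit() for c in password)
    if policy.min_character_classes > 0 and digits < policy.min_numeric_characters:
        return False, f"needs {policy.min_numeric_characters} numeric characters"
    return True, "ok"


class LocalUserDb:
    """Local user database with strength checks at creation and login lock-out."""

    def __init__(self, policy):
        self.policy = policy
        self.users = {}        # name -> (password, privilege level)
        self.failures = {}     # name -> consecutive failed attempts
        self.locked = set()

    def add_user(self, name, password, privilege=1):
        accepted, reason = password_accepted(password, self.policy)
        if not accepted:
            raise ValueError(f"password for {name!r} rejected: {reason}")
        self.users[name] = (password, privilege)

    def login(self, name, password):
        """Return 'success', 'failure' or 'locked'."""
        if name in self.locked:
            return "locked"
        stored = self.users.get(name)
        if stored is not None and stored[0] == password:
            self.failures[name] = 0
            return "success"
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.policy.lockout_attempts and \
                self.failures[name] >= self.policy.lockout_attempts:
            self.locked.add(name)
        return "failure"


def configure_example():
    """Replay the chapter's local-authentication configuration in order."""
    policy = PasswordPolicy()
    db = LocalUserDb(policy)
    db.add_user("guest", "password")             # accepted: checking not yet on
    policy.min_numeric_characters = 2
    policy.min_character_classes = 4
    policy.strength_check = True
    db.add_user("admin", "paSS1&word2", privilege=15)
    policy.lockout_attempts = 3
    return db
```

Note that guest keeps its weak password after strength checking is enabled; the check applies only when a password is set, which is one reason the NOTE above recommends enabling it before creating users.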
TACACS+ Authentication Example
Use the following configuration to require TACACS+ authentication when
logging in over a Telnet connection:
aaa authentication login “tacplus” tacacs
aaa authentication enable “tacp” tacacs
tacacs-server host 1.2.3.4
key “secret”
exit
line telnet
login authentication tacplus
enable authentication tacp
exit
The following describes each line in the above configuration:
• The aaa authentication login “tacplus” tacacs command creates a login
authentication list called “tacplus” that contains the method tacacs. If this
method returns an error, the user will fail to log in.
• The aaa authentication enable “tacp” tacacs command creates an enable
authentication list called “tacp” that contains the method tacacs. If this
method fails, then the user will fail to execute the enable command.
• The tacacs-server host 1.2.3.4 command is the first step in defining a
TACACS+ server at IP address 1.2.3.4. The result of this command is to
place the user in tacacs-server mode to allow further configuration of the
server.
• The key “secret” command defines the shared secret. This must be the
same as the shared secret defined on the TACACS+ server.
• The line telnet command enters the configuration mode for the Telnet
line.
• The login authentication tacplus command assigns the tacplus login
authentication method list to be used for users accessing the switch via
Telnet.
• The enable authentication tacp command assigns the tacp enable
authentication method list to be used for users executing the enable
command when accessing the switch via Telnet.
Public Key SSH Authentication Example
The following is an example of a public key configuration for SSH login.
Using a tool such as PuTTY and a private/public key infrastructure, one can
enable secure login to the Dell Networking switch without a password.
Instead, a public key is used with a private key kept locally on the
administrator's computer. The public key can be placed on multiple devices,
allowing the administrator secure access without needing to remember
multiple passwords. It is strongly recommended that the private key be
protected with a password.
This configuration requires entering a public key, which can be generated by a
tool such as PuTTYgen. Be sure to generate the correct type of key. In this
case, we use an RSA key with the SSH-2 version of the protocol.
Switch Configuration
username "admin" password f4d77eb781360c5711ecf3700a7af623 privilege 15 encrypted
aaa authentication login "NOAUTH" line
aaa authentication enable "NOAUTH" line
crypto key generate rsa
crypto key pubkey-chain ssh user-key "admin" rsa
key-string row AAAAB3NzaC1yc2EAAAABJQAAAIBor6DPjYDpSy8Qcji68xrS/4Lf8c9Jq4xXKIZ5
Pvv20AkRFE0ifVI9EH4jyZagR3wzH5Xl9dyjA6bTuqMgN15C1xJC1l59FU88JaY7
ywGdRppmoaJrNRPM7RZtQPaDVIunzm3eMr9PywwQ0umsHWGNexUrDYHFWRIAmJp6
89AAxw==
exit
line ssh
login authentication defaultList
exit
ip ssh server
ip ssh pubkey-auth
ip ssh protocol 2
The following describes each line of the above configuration:
The username command creates a switch administrator.
The aaa authentication lines set the login and enable methods for line to
NOAUTH.
The crypto key generate command generates an internal RSA key. This step is
not required if an internal RSA key has been generated before on this switch.
NOTE: A user logging in with this configuration would be placed in User EXEC
mode with privilege level 1. To access Privileged EXEC mode with privilege level 15,
use the enable command.
The crypto key pubkey-chain ssh command sets SSH to use a public key for
the specified administrator login. The user login is specified by the username
command, not the ias-user command.
The key-string command enters the public key obtained from a key authority
or from a tool such as PuTTYgen. This command is entered as a single line,
not as four lines as it appears in the text above.
The line ssh command sets the line method to SSH.
The login authentication command configures the authentication method to
the defaultList. The defaultList contains a single method — none — which is
equivalent to no authentication. Since the authentication is provided by the
public key, a second layer of authentication is not required.
The last three lines enable the SSH server, configure it to use public key
authentication, and specify use of the SSH-2 protocol.
The following shows the configured authentication methods:
console(config)#show authentication methods
Login Authentication Method Lists
---------------------------------
defaultList : none
networkList : local
NOAUTH : line
Enable Authentication Method Lists
----------------------------------
enableList : enable none
enableNetList : enable
NOAUTH : line
Line Login Method List Enable Method List
------- ----------------- ------------------
Console defaultList enableList
Telnet networkList enableList
SSH defaultList enableList
HTTPS :local
HTTP :local
DOT1X :
PuTTY Configuration
Main Screen
On the following screen, the IP address of the switch is configured and SSH is
selected as the secure login protocol.
On the next screen, PuTTY is configured to use SSH-2 only. This is an
optional step that accelerates the login process.
The following screen is the key to the configuration. It is set to display the
authentication banner, disable authentication with Pageant, disable keyboard-
interactive authentication (unless desired), disable attempted changes of user
name, and select the private key file used to authenticate with the switch.
The following screen configures the user name to be sent to the switch. A user
name is always required. Alternatively, leave Auto-login name blank and the
system will prompt for a user name.
After configuring PuTTY, be sure to save the configuration. The following
screen shows the result of the login process. The user name is entered
automatically and the switch confirms that public key authentication occurs.
Authenticating Without a Public Key
When authenticating without the public key, the switch prompts for the user
name and password. This is an SSH function, not a switch function. If the user
knows the administrator login and password, then they are able to
authenticate in this manner.
RADIUS Authentication Example
Use the following configuration to require RADIUS authentication to log in
over a Telnet connection:
aaa authentication login “rad” radius
aaa authentication enable “raden” radius
radius-server host 1.2.3.4
key “secret”
exit
line telnet
login authentication rad
enable authentication raden
exit
The following describes each line in the above configuration:
• The aaa authentication login “rad” radius command creates a login
authentication list called “rad” that contains the method radius. If this
method returns an error, the user will fail to log in.
• The aaa authentication enable “raden” radius command creates an
enable authentication list called “raden” that contains the method radius.
If this method fails, then the user will fail to execute the enable command.
• The radius-server host 1.2.3.4 command is the first step in defining a
RADIUS server at IP address 1.2.3.4. The result of this command is to
place the user in radius-server mode to allow further configuration of the
server.
• The key “secret” command defines the shared secret. This must be the
same as the shared secret defined on the RADIUS server.
• The line telnet command enters the configuration mode for the Telnet
line.
• The login authentication rad command assigns the rad login
authentication method list to be used for users accessing the switch via
Telnet.
• The enable authentication raden command assigns the raden enable
authentication method list to be used for users executing the enable
command when accessing the switch via Telnet.
Authorization Examples
Authorization allows the administrator to control which services a user is
allowed to access. Some of the things that can be controlled with
authorization include the user's initial privilege level and which commands
the user is allowed to execute. When authorization fails, the user is denied
access to the switch, even though the user has passed authentication.
The following examples assume that the configuration used in the previous
examples has already been applied.
Local Authorization Example—Direct Login to Privileged EXEC Mode
Apply the following configuration to use the local user database for
authorization, such that a user can enter privileged EXEC mode directly:
aaa authorization exec “locex” local
line telnet
authorization exec locex
exit
With the users that were previously configured, the guest user will still log
into user EXEC mode, since the guest user only has privilege level 1 (the
default). The admin user will be able to log in directly to privileged EXEC
mode since his privilege level was configured as 15.
TACACS+ Authorization Example—Direct Login to Privileged EXEC
Mode
Apply the following configuration to use TACACS+ for authorization, such
that a user can enter privileged EXEC mode directly:
aaa authorization exec “tacex” tacacs
line telnet
authorization exec tacex
exit
Configure the TACACS+ server so that the shell service is enabled and the
priv-lvl attribute is sent when user authorization is performed. For example:
shell:priv-lvl=15
The following describes each line in the above configuration:
• The aaa authorization exec “tacex” tacacs command creates an exec
authorization method list called tacex which contains the method tacacs.
• The authorization exec tacex command assigns the tacex exec
authorization method list to be used for users accessing the switch via
Telnet.
Notes:
• If the privilege level is zero (that is, blocked), then authorization will fail
and the user will be denied access to the switch.
• If the privilege level is higher than one, the user will be placed directly in
Privileged EXEC mode. Note that all commands in Privileged EXEC mode
require privilege level 15, so assigning a user a lower privilege level will be
of no value.
• A privilege level greater than 15 is invalid and treated as if privilege level
zero had been supplied.
• The shell service must be enabled on the TACACS+ server. If this service
is not enabled, authorization will fail and the user will be denied access to
the switch.
TACACS+ Authorization Example—Administrative Profiles
The switch should use the same configuration as for the previous
authorization example.
The TACACS+ server should be configured such that it will send the “roles”
attribute. For example:
shell:roles=router-admin
The above example attribute will give the user access to the commands
permitted by the router-admin profile.
NOTE: If the priv-lvl attribute is also supplied, the user can also be placed directly
into privileged EXEC mode.
TACACS+ Authorization Example—Custom Administrative Profile
This example creates a custom profile that allows the user to control user
access to the switch by configuring an administrative profile that only allows
access to AAA related commands. Use the following commands to create the
administrative profile:
admin-profile aaa
rule 99 permit command “^show aaa .*”
rule 98 permit command “^show authentication .*”
rule 97 permit command "^show authorization .*”
rule 96 permit command “^show accounting .*”
rule 95 permit command “^show tacacs .*”
rule 94 permit command “^aaa .*”
rule 93 permit command “^line .*”
rule 92 permit command “^login .*”
rule 91 permit command “^authorization .*”
rule 90 permit command “^accounting .*”
rule 89 permit command “^configure .*”
rule 88 permit command “^password .*”
rule 87 permit command “^username .*”
rule 86 permit command “^show user.*"
rule 85 permit command “^radius-server .*”
rule 84 permit command “^tacacs-server .*”
rule 83 permit mode radius-auth-config
rule 82 permit mode radius-acct-config
rule 81 permit mode tacacs-config
exit
The following describes each line in the above configuration:
•The admin-profile aaa command creates an administrative profile called aaa and places the user in admin-profile-config mode.
•Each rule <number> permit command <regex> command allows any command that matches the regular expression.
•Each rule <number> permit mode <mode-name> command allows all commands in the named mode.
The command rules use regular expressions as implemented by Henry Spencer's regex library (the POSIX 1003.2 compliant version). In the regular expressions used in this example, the caret (^) matches the null string at the beginning of a line, the period (.) matches any single character, and the asterisk (*) repeats the previous match zero or more times.
To assign this profile to a user, configure the TACACS+ server so that it
sends the following “roles” attribute for the user:
shell:roles=aaa
If it is desired to also permit the user access to network-operator
commands (basically, all the command in User EXEC mode), then the
“roles” attribute would be configured as follows:
shell:roles=aaa,network-operator
TACACS+ Authorization Example—Per-command Authorization
An alternative method for command authorization is to use the TACACS+
feature of per-command authorization. With this feature, every time the user
enters a command, a request is sent to the TACACS+ server to ask if the user
is permitted to execute that command. Exec authorization does not need to
be configured to use per-command authorization.
Apply the following configuration to use TACACS+ to authorize commands:
aaa authorization commands “taccmd” tacacs
line telnet
authorization commands taccmd
exit
The following describes each line in the above configuration:
•The aaa authorization commands “taccmd” tacacs command creates a command authorization method list called taccmd that includes the method tacacs.
•The authorization commands taccmd command assigns the taccmd command authorization method list to be used for users accessing the switch via Telnet.
The TACACS+ server must be configured with the commands that the user is allowed to execute. If the server is configured for command authorization as “None”, then no commands will be authorized. If both administrative profiles and per-command authorization are configured for a user, any command must be permitted by both the administrative profiles and by per-command authorization.
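The following Python script is an added example, not part of the Dell guide: it parses the custom aaa profile from the earlier example, evaluates its command and mode rules against sample command lines, parses the shell:roles attribute, and applies the rule just stated that a command must be permitted by both the administrative profile and per-command authorization. Python's re module stands in for the switch's POSIX regex engine; the network-operator profile rules and the server-side allowlist are constructed stand-ins, not the switch's or a TACACS+ server's real configuration.

```python
import re

# Constructed copy of the "aaa" admin-profile block shown on the page.
AAA_PROFILE_TEXT = """
admin-profile aaa
rule 99 permit command "^show aaa .*"
rule 98 permit command "^show authentication .*"
rule 97 permit command "^show authorization .*"
rule 96 permit command "^show accounting .*"
rule 95 permit command "^show tacacs .*"
rule 94 permit command "^aaa .*"
rule 93 permit command "^line .*"
rule 92 permit command "^login .*"
rule 91 permit command "^authorization .*"
rule 90 permit command "^accounting .*"
rule 89 permit command "^configure .*"
rule 88 permit command "^password .*"
rule 87 permit command "^username .*"
rule 86 permit command "^show user.*"
rule 85 permit command "^radius-server .*"
rule 84 permit command "^tacacs-server .*"
rule 83 permit mode radius-auth-config
rule 82 permit mode radius-acct-config
rule 81 permit mode tacacs-config
exit
"""

RULE_RE = re.compile(r'^rule\s+(\d+)\s+permit\s+(command|mode)\s+"?([^"]+?)"?$')


def parse_profile(text):
    """Return (profile_name, [(rule_number, kind, value), ...]) from an admin-profile block."""
    name, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("admin-profile "):
            name = line.split(None, 1)[1]
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return name, rules


def profile_permits(rules, command, mode=None):
    """A command rule permits when its regex matches the command line (Python re is used
    here as a stand-in for the switch's POSIX regex engine); a mode rule permits every
    command entered in that mode. All rules on the page are permits, so order is irrelevant."""
    for _, kind, value in rules:
        if kind == "command" and re.search(value, command):
            return True
        if kind == "mode" and mode == value:
            return True
    return False


def parse_roles(av_pair):
    """'shell:roles=aaa,network-operator' -> ['aaa', 'network-operator']"""
    key, _, value = av_pair.partition("=")
    if key.strip() != "shell:roles":
        raise ValueError("not a shell:roles attribute: %r" % av_pair)
    return [r.strip() for r in value.split(",") if r.strip()]


# Constructed stand-in for the built-in network-operator profile (its real rules are not
# listed on the page); it only needs to permit "show" commands for this demonstration.
PROFILES = {
    "aaa": parse_profile(AAA_PROFILE_TEXT)[1],
    "network-operator": [(1, "command", "^show .*")],
}


def authorize(command, roles, profiles=PROFILES, server_allowlist=None, mode=None):
    """Combined decision: at least one assigned profile must permit the command, AND, when
    per-command authorization is configured, the TACACS+ server must permit it too. The
    server decision is modelled as a constructed list of regexes, not a real TACACS+ exchange."""
    known = [profiles[r] for r in roles if r in profiles]
    if not any(profile_permits(rules, command, mode) for rules in known):
        return False, "denied by administrative profile"
    if server_allowlist is not None and not any(re.search(p, command) for p in server_allowlist):
        return False, "denied by per-command authorization"
    return True, "permitted"


if __name__ == "__main__":
    roles = parse_roles("shell:roles=aaa")
    for cmd in ("show aaa servers", "username ops password x", "show running-config"):
        print(cmd, "->", authorize(cmd, roles))
```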
RADIUS Authorization Example—Direct Login to Privileged EXEC Mode
Apply the following configuration to use RADIUS for authorization, such that
a user can enter privileged exec mode directly:
aaa authorization exec “rad” radius
line telnet
authorization exec rad
exit
Configure the RADIUS server so that the RADIUS attribute Service Type (6)
is sent with value Administrative. Any value other than Administrative is
interpreted as privilege level 1.
The following describes each line in the above configuration:
•The aaa authorization exec “rad” radius command creates an exec authorization method list called “rad” that contains the method radius.
•The authorization exec rad command assigns the rad exec authorization method list to be used for users accessing the switch via Telnet.
Notes:
If the privilege level is zero (that is, blocked), then authorization will fail
and the user will be denied access to the switch.
If the privilege level is higher than one, the user will be placed directly in
Privileged EXEC mode. Note that all commands in Privileged EXEC mode
require privilege level 15, so assigning a user a lower privilege level will be
of no value.
A privilege level greater than 15 is invalid and treated as if privilege level
zero had been supplied.
RADIUS Authorization Example—Administrative Profiles
The switch should use the same configuration as in the previous
authorization example.
The RADIUS server should be configured such that it will send the Cisco AV
Pair attribute with the “roles” value. For example:
shell:roles=router-admin
The above example attribute gives the user access to the commands
permitted by the router-admin profile.
Using RADIUS Servers to Control Management Access
The RADIUS client on the switch supports multiple RADIUS servers. When multiple authentication servers are configured, they can help provide redundancy. One server can be designated as the primary and the other(s) will function as backup server(s). The switch attempts to use the primary server first. If the primary server does not respond, the switch attempts to use the backup servers. A priority value can be configured to determine the order in which the backup servers are contacted.
How Does RADIUS Control Management Access?
Many networks use a RADIUS server to maintain a centralized user database
that contains per-user authentication information. RADIUS servers provide a
centralized authentication method for:
•Telnet Access
•Web Access
•Console to Switch Access
•Access Control Port (802.1X)
Like TACACS+, RADIUS access control utilizes a database of user
information on a remote server. Making use of a single database of accessible
information—as in an Authentication Server—can greatly simplify the
authentication and management of users in a large network. One such type of
Authentication Server supports the Remote Authentication Dial In User
Service (RADIUS) protocol as defined by RFC 2865.
For authenticating users prior to access, the RADIUS standard has become
the protocol of choice by administrators of large accessible networks. To
accomplish the authentication in a secure manner, the RADIUS client and
RADIUS server must both be configured with the same shared password or
“secret”. This “secret” is used to generate one-way encrypted authenticators
that are present in all RADIUS packets. The “secret” is never transmitted over
the network.
RADIUS conforms to a secure communications client/server model using
UDP as a transport protocol. It is extremely flexible, supporting a variety of
methods to authenticate and statistically track users. RADIUS is also
extensible, allowing for new methods of authentication to be added without
disrupting existing functionality.
As a user attempts to connect to the switch management interface, the switch
first detects the contact and prompts the user for a name and password. The
switch encrypts the supplied information, and a RADIUS client transports
the request to a pre-configured RADIUS server.
Figure 10-1. RADIUS Topology
(Figure 10-1 labels: Management Host, Primary RADIUS Server, Backup RADIUS Server, Management Network, Dell Networking Switch)
The server can authenticate the user itself or make use of a back-end device to ascertain authenticity. In either case a response may or may not be forthcoming to the client. If the server accepts the user, it returns a positive result with attributes containing configuration information. If the server rejects the user, it returns a negative result. If the server rejects the client or the shared secrets differ, the server returns no result. If the server requires additional verification from the user, it returns a challenge, and the request process begins again.
If you use a RADIUS server to authenticate users, you must configure user
attributes in the user database on the RADIUS server. The user attributes
include the user name, password, and privilege level.
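As an added illustration (not from the Dell guide) of how the shared secret produces the authenticators described above without itself being transmitted, the following Python script simulates both the switch's RADIUS client and a RADIUS server in one process, using the RFC 2865 User-Password hiding and Response Authenticator computations. The secret, the user store and the NAS address are constructed values; the Service-Type handling follows the earlier RADIUS authorization example.

```python
import hashlib
import hmac
import os
import struct

# Constructed values (not from the page): the shared secret and a server-side user store.
SECRET = b"constructed-shared-secret"
USER_DB = {b"netadmin": b"constructed-password"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
ADMINISTRATIVE = 6  # Service-Type value that the page maps to privileged EXEC access


def attr(atype, value):
    """One RADIUS attribute in Type-Length-Value form (RFC 2865 section 5)."""
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of section 5.2; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def verify_response(packet, request_auth, ident, secret):
    """Client check: recompute the Response Authenticator with the local secret and compare in
    constant time. A response built with a different secret fails here and is dropped."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet) or packet[1] != ident:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def server_handle(request, server_secret):
    """Simulated RADIUS server: recover the password, look it up, answer with Service-Type."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), server_secret, request_auth)
    if code == ACCESS_REQUEST and USER_DB.get(attrs.get(USER_NAME)) == password:
        rcode, rattrs = ACCESS_ACCEPT, [attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE))]
    else:
        rcode, rattrs = ACCESS_REJECT, []
    return build_packet(rcode, ident, response_authenticator(rcode, ident, request_auth, rattrs, server_secret), rattrs)


def client_login(username, password, client_secret, server_secret, ident=1):
    """Simulated switch-side RADIUS client; both ends run in-process so the example is offline."""
    request_auth = os.urandom(16)  # fresh, unpredictable Request Authenticator per request
    attrs = [attr(USER_NAME, username),
             attr(USER_PASSWORD, hide_password(password, client_secret, request_auth)),
             attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]  # constructed NAS address
    response = server_handle(build_packet(ACCESS_REQUEST, ident, request_auth, attrs), server_secret)
    if not verify_response(response, request_auth, ident, client_secret):
        return "no result"  # authenticator mismatch: the shared secrets differ
    if response[0] != ACCESS_ACCEPT:
        return "reject"
    service = struct.unpack("!I", parse_attrs(response[20:]).get(SERVICE_TYPE, b"\0\0\0\0"))[0]
    return "accept: privileged EXEC" if service == ADMINISTRATIVE else "accept: privilege level 1"
```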
Which RADIUS Attributes Does the Switch Support?
Table 10-5 lists the RADIUS attributes that the switch supports and indicates
whether the 802.1X feature, user management feature, or Captive Portal
feature supports the attribute. You can configure these attributes on the
RADIUS server(s) when utilizing the switch RADIUS service.
NOTE: To set the privilege level, it is recommended to use the Service-Type
attribute instead of the Cisco AV pair priv-lvl attribute.
Table 10-5. Supported RADIUS Attributes
Type  RADIUS Attribute Name    802.1X                               User Manager  Captive Portal
1     USER-NAME                Yes                                  Yes           No
2     USER-PASSWORD            Yes                                  Yes           No
4     NAS-IP-ADDRESS           Yes                                  No            No
5     NAS-PORT                 Yes                                  Yes           No
6     SERVICE-TYPE             No                                   Yes           No
11    FILTER-ID                Yes                                  No            No
12    FRAMED-MTU               Yes                                  No            No
15    LOGIN-SERVICE            No                                   Yes
18    REPLY-MESSAGE            Yes                                  Yes           No
24    STATE                    Yes                                  Yes           No
25    CLASS                    Yes                                  No            No
26    VENDOR-SPECIFIC          No                                   Yes           Yes
27    SESSION-TIMEOUT          Yes                                  No            Yes
28    IDLE-TIMEOUT             No                                   No            Yes
29    TERMINATION-ACTION       Yes                                  No            No
30    CALLED-STATION-ID        Yes                                  No            No
31    CALLING-STATION-ID       Yes                                  No            No
32    NAS-IDENTIFIER           Yes                                  Yes           No
40    ACCT-STATUS-TYPE         Set by RADIUS client for Accounting  Yes           No
42    ACCT-INPUT-OCTETS        Yes                                  No            No
43    ACCT-OUTPUT-OCTETS       Yes                                  No            No
44    ACCT-SESSION-ID          Set by RADIUS client for Accounting  Yes           No
46    ACCT-SESSION-TIME        Yes                                  Yes           No
49    ACCT-TERMINATE-CAUSE     Yes                                  No            No
52    ACCT-INPUT-GIGAWORDS     Yes                                  No            No
53    ACCT-OUTPUT-GIGAWORDS    Yes                                  No            No
61    NAS-PORT-TYPE            Yes                                  No            No
64    TUNNEL-TYPE              Yes                                  No            No
65    TUNNEL-MEDIUM-TYPE       Yes                                  No            No
79    EAP-MESSAGE              Yes                                  No            No
80    MESSAGE-AUTHENTICATOR    Set by RADIUS client for Accounting  Yes           No
81    TUNNEL-PRIVATE-GROUP-ID  Yes                                  No            No
How Are RADIUS Attributes Processed on the Switch?
The following attributes are processed in the RADIUS Access-Accept message received from a RADIUS server:
•NAS-PORT—ifIndex of the port to be authenticated.
•REPLY-MESSAGE—Trigger to respond to the Access-Accept message with an EAP notification.
•STATE—RADIUS server state. Transmitted in Access-Request and Accounting-Request messages.
•SESSION-TIMEOUT—Session timeout value for the session (in seconds). Used by both 802.1X and Captive Portal.
•TERMINATION-ACTION—Indication as to the action taken when the service is completed.
•EAP-MESSAGE—Contains an EAP message to be sent to the user. This is typically used for MAB clients.
•VENDOR-SPECIFIC—The following Cisco AV Pairs are supported:
– shell:priv-lvl
– shell:roles
•FILTER-ID—Name of the filter list for this user.
•TUNNEL-TYPE—Used to indicate that a VLAN is to be assigned to the user when set to tunnel type VLAN (13).
•TUNNEL-MEDIUM-TYPE—Used to indicate the tunnel medium type. Must be set to medium type 802 (6) to enable VLAN assignment.
•TUNNEL-PRIVATE-GROUP-ID—Used to indicate the VLAN to be assigned to the user. May be a string which matches a preconfigured VLAN name or a VLAN id. If a VLAN id is given, the string must only contain decimal digits.
Using TACACS+ Servers to Control Management Access
TACACS+ (Terminal Access Controller Access Control System) provides
access control for networked devices via one or more centralized servers.
TACACS+ simplifies authentication by making use of a single database that
can be shared by many clients on a large network. TACACS+ uses TCP to
ensure reliable delivery and a shared key configured on the client and daemon
server to encrypt all messages.
If you configure TACACS+ as the authentication method for user login and a
user attempts to access the user interface on the switch, the switch prompts
for the user login credentials and requests services from the TACACS+
client. The client then uses the configured list of servers for authentication,
and provides results back to the switch.
Figure 10-2 shows an example of access management using TACACS+.
Figure 10-2. Basic TACACS+ Topology
(Figure 10-2 labels: Management Host, Primary TACACS+ Server, Backup TACACS+ Server, Management Network, Dell Networking Switch)
You can configure the TACACS+ server list with one or more hosts defined via their network IP address. You can also assign each a priority to determine the order in which the TACACS+ client will contact them. TACACS+ contacts the server when a connection attempt fails or times out for a higher priority server.
You can configure each server host with a specific connection type, port,
timeout, and shared key, or you can use global configuration for the key and
timeout.
The TACACS+ server can do the authentication itself, or redirect the request
to another back-end device. All sensitive information is encrypted and the
shared secret is never passed over the network; it is used only to encrypt the
data.
Which TACACS+ Attributes Does the Switch Support?
Table 10-6 lists the TACACS+ attributes that the switch supports and
indicates whether the authorization or accounting service supports sending or
receiving the attribute. The authentication service does not use attributes.
You can configure these attributes on the TACACS+ server(s) when utilizing
the switch TACACS+ service.
Table 10-6. Supported TACACS+ Attributes
Attribute Name   Exec Authorization   Command Authorization   Accounting
cmd both (optional) sent sent
cmd-arg sent
elapsed-time sent
priv-lvl received
protocol sent
roles both (optional)
service=shell both sent sent
start-time sent
stop-time sent
Default Configurations
Method Lists
The method lists shown in Table 10-7 are defined by default. They cannot be deleted, but they can be modified. Using the “no” command on these lists will return them to their default configuration.
Table 10-7. Default Method Lists
AAA Service (type)        List Name         List Methods
Authentication (login)    defaultList       none
Authentication (login)    networkList       local
Authentication (enable)   enableList        enable none
Authentication (enable)   enableNetList     enable
Authorization (exec)      dfltExecAuthList  none
Authorization (commands)  dfltCmdAuthList   none
Accounting (exec)         dfltExecList      tacacs (start-stop)
Accounting (commands)     dfltCmdList       tacacs (stop-only)
Access Lines (AAA)
Table 10-8 shows the method lists assigned to the various access lines by default.
Table 10-8. Default AAA Methods
AAA Service (type)        Console           Telnet            SSH
Authentication (login)    defaultList       networkList       networkList
Authentication (enable)   enableList        enableNetList     enableNetList
Authorization (exec)      dfltExecAuthList  dfltExecAuthList  dfltExecAuthList
Authorization (commands)  dfltCmdAuthList   dfltCmdAuthList   dfltCmdAuthList
Accounting (exec)         none              none              none
Accounting (commands)     none              none              none
Access Lines (Non-AAA)
Table 10-9 shows the default configuration of the access lines that do not use method lists.
Table 10-9. Default Configuration for Non-AAA Access Lines
Access Line  Authentication  Authorization
HTTP         local           n/a
HTTPS        local           n/a
802.1X       none            none
Administrative Profiles
The administrative profiles shown in Table 10-10 are system-defined and may not be deleted or altered. To see the rules in a profile, use the show admin-profiles name <profile name> command.
Table 10-10. Default Administrative Profiles
Name              Description
network-admin     Allows access to all commands.
network-security  Allows access to network security features such as 802.1X, Voice VLAN, Dynamic ARP Inspection and IP Source Guard.
router-admin      Allows access to Layer 3 features such as IPv4 Routing, IPv6 Routing, OSPF, RIP, etc.
multicast-admin   Allows access to multicast features at all layers; this includes L2, IPv4 and IPv6 multicast, IGMP, IGMP Snooping, etc.
dhcp-admin        Allows access to DHCP related features such as DHCP Server and DHCP Snooping.
CP-admin          Allows access to the Captive Portal feature.
network-operator  Allows access to all User EXEC mode commands and show commands.
Monitoring and Logging System Information 243
11 Monitoring and Logging System Information
This chapter provides information about the features you use to monitor the switch, including logging, cable tests, and email alerting. The topics covered in this chapter include:
•System Monitoring Overview
•Default Log Settings
•Monitoring System Information and Configuring Logging (Web)
•Monitoring System Information and Configuring Logging (CLI)
•Logging Configuration Examples
System Monitoring Overview
What System Information Is Monitored?
The CLI and web-based interfaces provide information about physical
aspects of the switch, such as system health and cable diagnostics, as well as
information about system events, such as management login history. The
switch also reports system resource usage.
The system logging utility can monitor a variety of events, including the
following:
•System events — System state changes and errors that range in severity from Emergency to Debug
•Audit events — Attempts to login or logout from the switch and attempts to perform any operations with files on the flash drive
•CLI commands — Commands executed from the CLI
•Web page visits — Pages viewed by using OpenManage Switch Administrator
•SNMP events — SNMP set operations
Why Is System Information Needed?
The information the switch provides can help you troubleshoot issues that
might be affecting system performance. The cable diagnostics tests help you
troubleshoot problems with the physical connections to the switch. Auditing
access to the switch and the activities an administrator performed while
managing the switch can help provide security and accountability.
Where Are Log Messages Sent?
The messages the switch generates in response to events, faults, errors, and
configuration changes can be recorded in several locations. By default, these
messages are stored locally on the switch in the RAM (cache). This collection
of log files is called the RAM log or buffered log. When the RAM log file
reaches the configured maximum size, the oldest message is deleted from the
RAM when a new message is added. If the system restarts, all messages are
cleared.
In addition to the RAM log, you can specify that log files are sent to the
following sources:
•Console — If you are connected to the switch CLI through the console port, messages display to the screen as they are generated. Use the terminal monitor command to control logging of messages to the console when connected via Telnet or SSH.
•Log file — Messages sent to the log file are saved in the flash memory and are not cleared when the system restarts.
•Remote server — Messages can be sent to a remote log server for viewing and storage.
•Email — Messages can be sent to one or more email addresses. You must configure information about the network Simple Mail Transport Protocol (SMTP) server for email to be successfully sent from the switch.
What Are the Severity Levels?
For each local or remote log file, you can specify the severity of the messages
to log. Each severity level is identified by a name and a number. Table 11-1
provides information about the severity levels.
When you specify the severity level, messages with that severity level and
higher are sent to the log file. For example, if you specify the severity level as
critical, messages with a severity level of alert and emergency are also logged.
When you specify the severity level in a CLI command, you can use the
keyword or the numerical level.
What Are the System Startup and Operation Logs?
Two types of log files exist in flash (persistent) memory:
•The first log type is the system startup log. The system startup log stores the first 32 messages received after system reboot. The log file stops when it is full.
•The second log type is the system operation log. The system operation log stores the last 1000 messages received during system operation. The oldest messages are overwritten when the file is full.
A message is only logged in one file. On system startup, if the Log file is
enabled, the startup log stores messages up to its limit. Then the operation
log begins to store the messages.
Table 11-1. Log Message Severity
Severity Keyword Severity Level Description
emergencies 0 The switch is unusable.
alerts 1 Action must be taken immediately.
critical 2 The switch is experiencing critical conditions.
errors 3 The switch is experiencing error conditions.
warnings 4 The switch is experiencing warning conditions.
notification 5 The switch is experiencing normal but significant
conditions.
informational 6 The switch is providing non-critical information.
debugging 7 The switch is providing debug-level information.
To view the log messages in the system startup and operational log files, you
must download the log files to an administrative host. The startup log files are
named slogX.txt and the operation log files are named ologX.txt. When
enabled, the system stores the startup and operation log files for the last three
switch boots. The current log files have a zero (0) in the file name (replacing
the X in the name as shown above), the prior log files contain a one (1) in the
name, and the oldest log files contain a two (2) in the name. For more
information about downloading files, see "Managing Images and Files" on
page 359.
What Is the Log Message Format?
The first part of the log message up to the first left bracket is fixed by the
Syslog standard (RFC 3164). The second part up to the two percent signs is
standardized for all Dell Networking logs. The variable text of the log message
follows. The log message is limited to 96 bytes.
Each log message uses the following format:
•PRI—This consists of the facility code (see RFC 3164) multiplied by 8 and added to the severity. The log messages use the local7 facility code (23). This implies that a message of severity 0 will have a priority of 184 and a message of severity 7 will have a priority of 191.
•Timestamp—This is the system up time. For systems that use SNTP, this is UTC. When time zones are enabled, local time will be used.
•Host IP address—This is the IP address of the local system.
•Stack ID—This is the assigned stack ID. For the Dell Networking N2000, N3000, and N4000 series switches, the stack ID number is always 1. The number 1 is used for systems without stacking ability. The top of stack is used to collect messages for the entire stack.
•Component name—The component name for the logging component. Component “UNKN” is substituted for components that do not identify themselves to the logging component.
•Thread ID—The thread ID of the logging component.
•File name—The name of the file containing the invoking macro.
•Line number—The line number which contains the invoking macro.
•Sequence number—The message sequence number for this stack component. Sequence numbers may be skipped because of filtering but are always monotonically increasing on a per-stack member basis.
•Message—Contains the text of the log message.
What Factors Should Be Considered When Configuring Logging?
Dell recommends that network administrators deploy a syslog server in their
network and configure all switches to log messages to the syslog server. Switch
administrators should also consider enabling persistent logging on the switch.
When managing logs on a stack of switches, the RAM log and persistent log
files exist only on the top of stack platform. Other platforms in the stack
forward their messages to the top of stack log.
Default Log Settings
System logging is enabled, and messages are sent to the console (severity
level: warning and above), and RAM log (severity level: informational and
above). Switch auditing, CLI command logging, Web logging, and SNMP
logging are disabled. By default, no messages are sent to the log file that is
stored in flash, and no remote log servers are defined.
Email alerting is disabled, and no recipient email address is configured.
Additionally, no mail server is defined. If you add a mail server, by default, no
authentication or security protocols are configured, and the switch uses TCP
port 25 for SMTP.
After you enable email alerting and configure the mail server and recipient
email address, log messages with a severity level of emergency and alert are
sent immediately with each log message in a separate mail. The email subject
is “Urgent Log Messages.” Log messages with a severity level of critical, error,
and warning are sent periodically in a single email. The email subject is “Non
Urgent Log Messages.” Messages with a severity level of notice and below are
not sent in an email.
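An added Python example (not from the Dell guide) that applies the rules above on the collector side: it decodes a syslog PRI value into facility and severity, checks each message against the default console and RAM log thresholds, and assigns the default email routing. The sample lines are constructed and follow only the <PRI> prefix scheme; the rest of the switch's message layout is not modelled.

```python
import re

# Severity keywords and numbers from Table 11-1.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notification": 5, "informational": 6, "debugging": 7}
KEYWORD = {v: k for k, v in SEVERITY.items()}
LOCAL7 = 23  # facility the switch uses for its messages


def encode_pri(severity, facility=LOCAL7):
    """PRI = facility * 8 + severity, so local7 gives 184 (severity 0) through 191 (severity 7)."""
    return facility * 8 + severity


def decode_pri(pri):
    """Inverse of encode_pri: returns (facility, severity)."""
    return divmod(pri, 8)


def split_syslog(line):
    """Return (facility, severity, rest) for an RFC 3164 line beginning with <PRI>."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI: %r" % line[:12])
    facility, severity = decode_pri(int(m.group(1)))
    return facility, severity, m.group(2)


def level_number(level):
    """Accept either the keyword or the number, as the CLI does."""
    return SEVERITY[level] if isinstance(level, str) else int(level)


def passes_threshold(severity, configured):
    """A destination configured at a level logs that level and everything more severe,
    i.e. everything with a numerically lower or equal severity."""
    return severity <= level_number(configured)


def email_route(severity):
    """Default email alerting: emergency/alert go out at once, critical/error/warning are
    batched, notice and below are never mailed."""
    if severity <= SEVERITY["alerts"]:
        return "immediate: Urgent Log Messages"
    if severity <= SEVERITY["warnings"]:
        return "batched: Non Urgent Log Messages"
    return None


def triage(lines, console_level="warnings", ram_level="informational"):
    """Classify syslog lines against the page's default destinations. Defaults match the
    page: console at warning and above, RAM log at informational and above."""
    out = []
    for line in lines:
        facility, severity, text = split_syslog(line)
        out.append({"severity": KEYWORD[severity], "facility": facility,
                    "console": passes_threshold(severity, console_level),
                    "ram_log": passes_threshold(severity, ram_level),
                    "email": email_route(severity), "text": text.strip()})
    return out


# Constructed sample lines: only the <PRI> prefix follows the switch's documented scheme.
SAMPLE_LINES = [
    "<184>constructed: emergency-level message",
    "<188>constructed: warning-level message",
    "<190>constructed: informational message",
    "<191>constructed: debugging message",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```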
Monitoring System Information and Configuring
Logging (Web)
This section provides information about the OpenManage Switch
Administrator pages to use to monitor system information and configure
logging on the Dell Networking N2000, N3000, and N4000 series switches.
For details about the fields on a page, click at the top of the page.
Device Information
The Device Information page displays after you successfully log on to the
switch by using the Dell OpenManage Switch Administrator. This page is a
virtual representation of the switch front panel. Use the Device Information
page to view information about the port status, or system status, and the
switch stack. Click on a port to access the Port Configuration page for the
selected port.
To display the Device Information page, click Home in the navigation panel.
Figure 11-1. Device Information
Click the Stack View link to view front panel representations for all units in
the stack.
Figure 11-2. Stack View
For more information about the device view features, see "Understanding the
Device View" on page 132.
System Health
Use the Health page to view status information about the switch power and
ventilation sources.
To display the Health page, click System → General → Health in the navigation panel.
Figure 11-3. Health
System Resources
Use the System Resources page to view information about memory usage and
task utilization.
To display the System Resources page, click System → General → System Resources in the navigation panel.
Figure 11-4. System Resources
Unit Power Usage History
Use the Unit Power Usage History page to view information about switch
power consumption.
To display the Unit Power Usage History page, click System → General → Unit Power Usage History in the navigation panel.
Figure 11-5. Unit Power Usage History
Integrated Cable Test for Copper Cables
Use the Integrated Cable Test for Copper Cables page to perform tests on
copper cables. Cable testing provides information about where errors
occurred in the cable, the last time a cable test was performed, and the type of
cable error which occurred. The tests use Time Domain Reflectometry
(TDR) technology to test the quality and characteristics of a copper cable
attached to a port. Cables up to 120 meters long can be tested. Cables are
tested when the ports are in the down state, with the exception of the
Approximated Cable Length test. SFP, SFP+, and QSFP cables with passive
copper assemblies are not capable of performing TDR tests.
To display the Integrated Cable Test for Copper Cables page, click System → Diagnostics → Integrated Cable Test in the navigation panel.
Figure 11-6. Integrated Cable Test for Copper Cables
NOTE: Cable diagnostics may give misleading results if any green Ethernet
modes are enabled on the port. Disable EEE or energy-detect mode prior to
running any cable diagnostics.
To view a summary of all integrated cable tests performed, click the Show All
link.
Figure 11-7. Integrated Cable Test Summary
Optical Transceiver Diagnostics
Use the Transceiver Diagnostics page to perform tests on Fiber Optic cables.
To display the Transceiver Diagnostics page, click System → Diagnostics → Transceiver Diagnostics in the navigation panel.
NOTE: Optical transceiver diagnostics can be performed only when the link is
present.
Figure 11-8. Transceiver Diagnostics
To view a summary of all optical transceiver diagnostics tests performed, click
the Show All link.
Figure 11-9. Transceiver Diagnostics Summary
Log Global Settings
Use the Global Settings page to enable logging globally, to enable other types
of logging. You can also specify the severity of messages that are logged to the
console, RAM log, and flash-based log file.
The Severity table lists log messages from the highest severity (Emergency) to
the lowest (Debug). When you select a severity level, all higher levels are
automatically selected. To prevent log messages from being sent to the
console, RAM log, or flash log file, clear all check boxes in the Severity
column.
To display the Global Settings page, click System → Logs → Global Settings in the navigation panel.
Figure 11-10. Global Settings
RAM Log
Use the RAM Log page to view information about specific RAM (cache) log
entries, including the time the log was entered, the log severity, and a
description of the log.
To display the RAM Log, click System → Logs → RAM Log in the navigation panel.
Figure 11-11. RAM Log Table
Log File
The Log File contains information about specific log entries, including the
time the log was entered, the log severity, and a description of the log.
To display the Log File, click System → Logs → Log File in the navigation panel.
Figure 11-12. Log File
Syslog Server
Use the Remote Log Server page to view and configure the available syslog
servers, to define new syslog servers, and to set the severity of the log events
sent to the syslog server.
To display the Remote Log Server page, click System → Logs → Remote Log Server.
Figure 11-13. Remote Log Server
Adding a New Remote Log Server
To add a syslog server:
1. Open the Remote Log Server page.
2. Click Add to display the Add Remote Log Server page.
3. Specify the IP address or hostname of the remote server.
4. Define the UDP Port and Description fields.
Figure 11-14. Add Remote Log Server
5. Select the severity of the messages to send to the remote server.
6. Click Apply.
Click the Show All link to view or remove remote log servers configured on
the system.
Figure 11-15. Show All Log Servers
NOTE: When you select a severity level, all higher (numerically lower)
severity levels are automatically selected.
Email Alert Global Configuration
Use the Email Alert Global Configuration page to enable the email alerting feature and configure global settings so that system log messages can be sent from the switch to one or more email accounts.
To display the Email Alert Global Configuration page, click System → Email Alerts → Email Alert Global Configuration in the navigation panel.
Figure 11-16. Email Alert Global Configuration
Email Alert Mail Server Configuration
Use the Email Alert Mail Server Configuration page to configure
information about the mail server the switch uses for sending email alert
messages.
To display the Email Alert Mail Server Configuration page, click System >
Email Alerts > Email Alert Mail Server Configuration in the navigation
panel.
Figure 11-17. Email Alert Mail Server Configuration
Adding a Mail Server
To add a mail server:
1. Open the Email Alert Mail Server Configuration page.
2. Click Add to display the Email Alert Mail Server Add page.
3. Specify the hostname of the mail server.
Figure 11-18. Add Mail Server
4. Click Apply.
5. If desired, click Configuration to return to the Email Alert Mail Server
Configuration page to specify port and security settings for the mail server.
Click the Show All link to view or remove mail servers configured on the
switch.
Figure 11-19. Show All Mail Servers
Email Alert Subject Configuration
Use the Email Alert Subject Configuration page to configure the subject line
for email alerts that are sent by the switch. You can customize the subject for
the message severity and entry status.
To display the Email Alert Subject Configuration page, click System > Email
Alerts > Email Alert Subject Configuration in the navigation panel.
Figure 11-20. Email Alert Subject Configuration
To view all configured email alert subjects, click the Show All link.
Figure 11-21. View Email Alert Subjects
Email Alert To Address Configuration
Use the Email Alert To Address Configuration page to specify where the
email alerts are sent. You can configure multiple recipients and associate
different message severity levels with different recipient addresses.
To display the Email Alert To Address Configuration page, click System >
Email Alerts > Email Alert To Address Configuration in the navigation
panel.
Figure 11-22. Email Alert To Address Configuration
To view configured recipients, click the Show All link.
Figure 11-23. View Email Alert To Address Configuration
Email Alert Statistics
Use the Email Alert Statistics page to view the number of emails that were
successfully and unsuccessfully sent, and when emails were sent.
To display the Email Alert Statistics page, click System > Email Alerts >
Email Alert Statistics in the navigation panel.
Figure 11-24. Email Alert Statistics
Monitoring System Information and Configuring Logging (CLI)
This section describes the commands you use to configure logging and to
monitor the Dell Networking N2000, N3000, and N4000 series switches. For
more information about these commands, see the Dell Networking N2000,
N3000, and N4000 Series Switches CLI Reference Guide at
support.dell.com/manuals.
Viewing System Information and Enabling the Locator LED
Beginning in Privileged EXEC mode, use the following commands to view
system health and resource information and to enable the switch locator
LED.
Command Purpose
show system Display various system information.
show system power Displays the power supply status.
show system temperature Displays the system temperature and fan status.
show memory cpu Displays the total and available RAM space on the switch.
show process cpu Displays the CPU utilization for each process currently
running on the switch.
locate [switch unit] [time time] Enable the switch locator LED located on the
back panel of the switch. Optionally, you can specify the unit to identify
within a switch stack and the length of time that the LED blinks.
Running Cable Diagnostics
Beginning in Privileged EXEC mode, use the following commands to run the
cable diagnostic tests.
NOTE: Cable diagnostics may give misleading results if green mode is enabled
on the port. Disable green mode prior to running any cable diagnostics.
Command Purpose
test copper-port tdr interface Perform the Time Domain Reflectometry (TDR)
test to diagnose the quality and characteristics of a copper cable attached
to the specified port. SFP, SFP+, and QSFP cables with passive copper
assemblies are not capable of performing TDR tests.
CAUTION: Issuing the test copper-port tdr command will bring the interface
down.
NOTE: To ensure accurate measurements, disable all Green Ethernet modes (EEE
or energy-detect mode) on the port before running the test.
The interface is specified in unit/slot/port format. For example, 1/0/3 is
GbE interface 3 on unit 1 of the stack.
show copper-ports tdr [interface] Display the diagnostic information
collected by the test copper-port tdr command for all copper interfaces or a
specific interface.
show fiber-ports optical-transceiver [interface] Display the optical
transceiver diagnostics for all fiber ports. Include the interface option to
show information for the specified port.
Configuring Local Logging
Beginning in Privileged EXEC mode, use the following commands to
configure the type of messages that are logged and where the messages are
logged locally.
Command Purpose
configure Enter Global Configuration mode.
logging on Globally enables logging.
logging audit Enable switch auditing.
logging cli-command Enable CLI command logging.
logging web-sessions Enable logging of the switch management Web page visits.
logging snmp Enable logging of SNMP set commands.
terminal monitor Enable display of system messages on the console for
Telnet/SSH sessions.
logging {buffered|console|file} [severity] Enable logging to the specified
destination. Optionally, you can define a logging discriminator to help
filter log messages and set the severity of the messages to log.
• buffered — Enables logging to the RAM file (cache). If the switch resets,
the buffered logs are cleared.
• console — Enables logging to the screen when you are connected to the CLI
through the console port.
• file — Enables logging to the startup and operational log files on the
flash.
• discriminator disc-name — (Optional) Include a message discriminator to
help filter log messages. The disc-name can contain up to eight alphanumeric
characters. Spaces are not permitted.
• severity — (Optional) Enter the number or name of the desired severity
level. For information about severity levels, see Table 11-1.
logging facility facility-type Set the facility for logging messages.
Permitted facility-type values are local0, local1, local2, local3, local4,
local5, local6, and local7.
CTRL + Z Exit to Privileged EXEC mode.
show logging Displays the state of logging and the syslog messages stored in
the internal buffer.
show logging file View information about the flash (persistent) log file.
clear logging Use to clear messages from the logging buffer.
Configuring Remote Logging
Beginning in Privileged EXEC mode, use the following commands to define a
remote server to which the switch sends log messages.
Command Purpose
configure Enter Global Configuration mode.
logging {ip-address | hostname} Define a remote log server and enter the
configuration mode for the specified log server.
description description Describe the log server. Use up to 64 characters. If
the description includes spaces, surround it with quotation marks.
level severity Specify the severity level of the logs that should be sent to
the remote log server. For information about severity levels, see Table 11-1.
port udp-port Specify the UDP port to use for sending log messages. The range
is 1 to 65535, and the default is 514.
CTRL + Z Exit to Privileged EXEC mode.
show syslog-servers Verify the remote log server configuration.
Configuring Mail Server Settings
Beginning in Privileged EXEC mode, use the following commands to
configure information about the mail server (SMTP host) on the network
that will initially receive the email alerts from the switch and relay them to
the correct recipient.
Command Purpose
configure Enter Global Configuration mode.
mail-server ip-address Specify the IP address of the SMTP server on the
network and enter the configuration mode for the mail server.
security {tlsv1|none} (Optional) Specify the security protocol to use with
the mail server.
port {25|465} Configure the TCP port to use for SMTP, which can be 25 (SMTP)
or 465 (SMTP over SSL).
username username If the SMTP server requires authentication, specify the
username to use for the switch. The same username and password settings must
be configured on the SMTP host.
password password If the SMTP server requires authentication from clients,
specify the password to associate with the switch username.
CTRL + Z Exit to Privileged EXEC mode.
show mail-server all config View mail server configuration information for
all configured mail servers.
Configuring Email Alerts for Log Messages
Beginning in Privileged EXEC mode, use the following commands to
configure email alerts so that log messages are sent to the specified address.
Command Purpose
configure Enter Global Configuration mode.
logging email [severity] Enable email alerting and determine which
non-critical log messages should be emailed. Including the severity value
sets the lowest severity for which log messages are emailed. These messages
are collected and sent in a single email at the configured log duration.
• severity — (Optional) Enter the number or name of the severity level for
non-critical messages. Log messages at or above this severity level are
emailed. For information about severity levels, see Table 11-1. Log messages
below the specified level are not emailed.
logging email urgent {severity | none} Determine which log messages are
critical and should be sent in a single email as soon as they are generated.
• severity — (Optional) Enter the number or name of the severity level for
critical messages. For information about severity levels, see Table 11-1.
logging email logtime minutes Specify how often to send the non-critical
email alerts that have been collected. The valid range is 30 - 1440 minutes.
logging email message-type {urgent | non-urgent | both} to-addr
email-address Specify the email address of the recipient for log messages.
logging email from-addr email-address Specify the email address of the
sender, which is the switch.
logging email message-type {urgent | non-urgent | both} subject subject
Specify the text that will appear in the subject line of email alerts sent by
the switch.
logging email test message-type {urgent | non-urgent | both} message-body
body Send a test email to the configured recipient to verify that the feature
is properly configured.
CTRL + Z Exit to Privileged EXEC mode.
show logging email config View the configured settings for email alerts.
show logging email statistics View information about the number of emails
sent and the time they were sent.
clear logging email statistics Clear the email alerting statistics.
Logging Configuration Examples
This section contains the following examples:
• Configuring Local and Remote Logging
• Configuring Email Alerting
Configuring Local and Remote Logging
This example shows how to enable switch auditing and CLI command
logging. Log messages with a severity level of Notification (level 5) and above
are sent to the RAM (buffered) log. Emergency, Critical, and Alert (level 2)
log messages are written to the log file on the flash drive. All log messages are
displayed on the console and sent to a remote syslog server.
To configure the switch:
1. Enable switch auditing and CLI command logging.
console#configure
console(config)#logging audit
console(config)#logging cli-command
2. Specify where the logs are sent locally and what severity level of message
is to be logged. You can specify the severity as the level number, as shown
in the first two commands, or as the keyword, shown in the third command.
console(config)#logging buffered 5
console(config)#logging file 2
console(config)#logging console debugging
3. Define the remote log server.
console(config)#logging 192.168.2.10
console(Config-logging)#description "Syslog Server"
console(Config-logging)#level debug
console(Config-logging)#exit
console(config)#exit
4. Verify the remote log server configuration.
console#show syslog-servers
IP Address/Hostname Port Severity Description
------------------------- ------ -------------- ----------
192.168.2.10 514 debugging Syslog Server
5. Verify the local logging configuration and view the log messages stored in
the buffer (RAM log).
console#show logging
Logging is enabled
Console Logging: level debugging. Console Messages: 748 Dropped.
Buffer Logging: level notifications. Buffer Messages: 79 Logged,
File Logging: level critical. File Messages: 973 Dropped.
CLI Command Logging : enabled
Switch Auditing : enabled
Web Session Logging : disabled
SNMP Set Command Logging : disabled
Syslog server 192.168.2.10 logging: debug. Messages: 0 dropped
412 Messages dropped due to lack of resources.
Buffer Log:
<186> FEB 02 05:53:03 0.0.0.0-1 UNKN[1073741088]: bootos.c(232) 1 %% Event(0xaaaaaaaa)
<189> FEB 02 05:53:03 0.0.0.0-1 UNKN[1073741088]: bootos.c(248) 2 %% Starting code... BSP initialization complete, starting application.
--More-- or (q)uit
Configuring Email Alerting
The commands in this example define the SMTP server to use for sending
email alerts. The mail server does not require authentication and uses the
standard TCP port for SMTP, port 25, which are the default values. Only
Emergency messages (severity level 0) will be sent immediately as individual
emails, and messages with a severity of alert, critical, and error (levels 1-3) will
be sent in a single email every 120 minutes. Warning, notice, info, and debug
messages are not sent in an email.
The email the administrator will see in the inbox has a format similar to
the following:
Figure 11-25. Email Alert Message Format
For emergency-level messages, the subject is LOG MESSAGE -
EMERGENCY. For messages with a severity level of alert, critical, and error,
the subject is LOG MESSAGE.
To configure the switch:
1. Specify the mail server to use for sending messages.
console#configure
console(config)#mail-server ip-address 192.168.2.34
2. Configure the username and password that the switch must use to
authenticate with the mail server.
console(Mail-Server)#username switchN3048
console(Mail-Server)#password passwordN3048
console(Mail-Server)#exit
3. Configure emergencies and alerts to be sent immediately, and all other
messages to be sent in a single email every 120 minutes.
console(config)#logging email error
console(config)#logging email urgent emergency
console(config)#logging email logtime 120
4. Specify the email address of the sender (the switch).
console(config)#logging email from-addr N3048_noreply@dell.com
5. Specify the address where email alerts should be sent.
console(config)#logging email message-type both to-addr administrator@dell.com
6. Specify the text that will appear in the email alert Subject line.
console(config)#logging email message-type urgent subject "LOG MESSAGES - EMERGENCY"
console(config)#logging email message-type non-urgent subject "LOG MESSAGES"
7. Verify the configuration.
console#show mail-server all config
Mail Servers Configuration:
No of mail servers configured.................. 1
Email Alert Mail Server Address................ 192.168.2.34
Email Alert Mail Server Port................... 25
Email Alert SecurityProtocol................... none
Email Alert Username........................... switchN3048
Email Alert Password........................... passwordN3048
console#show logging email config
Email Alert Logging............................ enabled
Email Alert From Address....................... N3048_noreply@dell.com
Email Alert Urgent Severity Level.............. 0
Email Alert Non Urgent Severity Level.......... 3
Email Alert Trap Severity Level................ 6
Email Alert Notification Period................ 120 min
Email Alert To Address Table:
For Msg Type..........................1
Address1..............................administrator@dell.com
For Msg Type..........................2
Address1..............................administrator@dell.com
Email Alert Subject Table :
For Msg Type 1, subject is............LOG MESSAGES - EMERGENCY
For Msg Type 2, subject is............LOG MESSAGE
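The two configuration examples above share one rule: a sink or email class receives a message when the message's severity number is at or below the configured level (a "higher" severity has a lower number). The following added example, which is not part of the guide or of the switch firmware, parses the <PRI> prefix of the buffer-log lines shown in the show logging output, accepts severity as a number or keyword the way the CLI does, and works out which local sinks, syslog server and email class each message reaches under the thresholds from both examples (buffered 5, file 2, console debugging, server level debug, email urgent emergency, email error). The two lines beginning <184> and <191> are constructed, as is the configuration table itself.

```python
import re
from dataclasses import dataclass

# Severity numbers 0-7 as Table 11-1 numbers them. The CLI accepts a number or a
# keyword ("debugging", "debug", "error", "emergency", "notifications", ...), so
# keywords are matched on their first four letters.
SEVERITY_KEYS = ["emer", "aler", "crit", "erro", "warn", "noti", "info", "debu"]

# Syslog facility codes 16-23 are the local0-local7 values the logging facility row lists.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}

PRI_RE = re.compile(r"^<(\d{1,3})>\s*(.*)$", re.DOTALL)


def parse_severity(value: str) -> int:
    """Accept a level number ("5") or keyword ("debugging") and return 0-7."""
    value = value.strip().lower()
    if value.isdigit() and 0 <= int(value) <= 7:
        return int(value)
    for level, key in enumerate(SEVERITY_KEYS):
        if value.startswith(key):
            return level
    raise ValueError(f"unknown severity: {value!r}")


@dataclass(frozen=True)
class LogMessage:
    facility: int
    severity: int
    text: str


def parse_message(line: str) -> LogMessage:
    """Split the <PRI> prefix of a buffer-log line into facility and severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> prefix: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # PRI = facility * 8 + severity, facilities 0-23
        raise ValueError(f"PRI out of range: {pri}")
    return LogMessage(facility=pri // 8, severity=pri % 8, text=m.group(2))


# Constructed configuration mirroring the two CLI examples; it is not read from a switch.
LOCAL_SINKS = {
    "buffered": parse_severity("5"),         # logging buffered 5
    "file": parse_severity("2"),             # logging file 2
    "console": parse_severity("debugging"),  # logging console debugging
}
SYSLOG_SERVERS = {"192.168.2.10": parse_severity("debug")}  # level debug
EMAIL_URGENT = parse_severity("emergency")      # logging email urgent emergency
EMAIL_NON_URGENT = parse_severity("error")      # logging email error


def route(msg: LogMessage):
    """Return (sinks, email_class): the sinks that accept the message, and whether it is
    emailed at once ("urgent"), batched every logtime minutes ("non-urgent") or not at all."""
    sinks = [name for name, level in LOCAL_SINKS.items() if msg.severity <= level]
    sinks += [f"syslog:{host}" for host, level in SYSLOG_SERVERS.items()
              if msg.severity <= level]
    if msg.severity <= EMAIL_URGENT:
        email = "urgent"
    elif msg.severity <= EMAIL_NON_URGENT:
        email = "non-urgent"
    else:
        email = None
    return sorted(sinks), email


# The first two lines are the buffer-log entries from the example output; the last two
# are constructed to exercise the emergency and debug ends of the scale.
SAMPLE_LINES = [
    "<186> FEB 02 05:53:03 0.0.0.0-1 UNKN[1073741088]: bootos.c(232) 1 %% Event(0xaaaaaaaa)",
    "<189> FEB 02 05:53:03 0.0.0.0-1 UNKN[1073741088]: bootos.c(248) 2 %% Starting code... "
    "BSP initialization complete, starting application.",
    "<184> FEB 02 05:54:10 0.0.0.0-1 UNKN[1073741088]: sample.c(1) 3 %% constructed emergency",
    "<191> FEB 02 05:54:11 0.0.0.0-1 UNKN[1073741088]: sample.c(2) 4 %% constructed debug",
]


def routing_table(lines=SAMPLE_LINES):
    """One (facility name, severity, sinks, email class) row per input line."""
    rows = []
    for line in lines:
        msg = parse_message(line)
        sinks, email = route(msg)
        rows.append((FACILITY_NAMES.get(msg.facility, str(msg.facility)),
                     msg.severity, sinks, email))
    return rows


if __name__ == "__main__":
    for facility, severity, sinks, email in routing_table():
        print(f"{facility} sev={severity} -> {', '.join(sinks)}; email={email}")
```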
12 Managing General System Settings
This chapter describes how to set system information, such as the hostname,
and time settings, and how to select the Switch Database Management
(SDM) template to use on the switch.
For the N2000 and N3000 series switches, this chapter also describes how to
configure the Power over Ethernet (PoE) settings.
For the N3000 series switches, this chapter also describes how to view back-
panel expansion slot information.
The topics covered in this chapter include:
• System Settings Overview
• Default General System Information
• Configuring General System Settings (Web)
• Configuring System Settings (CLI)
• General System Settings Configuration Examples
System Settings Overview
The system settings include the information described in Table 12-1. This
information helps identify the switch.
Table 12-1. System Information
Feature Description
System Name The switch name (host name). If you change the system name,
the CLI prompt changes from console to the system name.
System contact Identifies the person to contact for information regarding the
switch.
System location Identifies the physical location of the switch.
Asset tag Uniquely identifies the switch. Some organizations use asset tags
to identify, control, and track each piece of equipment.
CLI Banner Displays a message upon connecting to the switch or logging on
to the switch by using the CLI.
SDM Template Determines the maximum resources a switch or router can use
for various features. For more information, see "What Are SDM
Templates?" on page 281
The switch can obtain the time from a Simple Network Time Protocol
(SNTP) server, or you can set the time manually. Table 12-2 describes the
settings that help the switch keep track of time.
Table 12-2. Time Settings
Feature Description
SNTP Controls whether the switch obtains its system time from an SNTP
server and whether communication with the SNTP server requires
authentication and encryption. You can configure information for up to
eight SNTP servers. The SNTP client on the switch can accept updates from
both IPv4 and IPv6 SNTP servers.
Real time clock (RTC) If SNTP is disabled, you can manually enter the system
time and date.
Time Zone Allows you to specify the offset from Coordinated Universal Time
(UTC), which is also known as Greenwich Mean Time (GMT).
Summer Time In some regions, the time shifts by one hour in the fall and
spring. In the United States, this is called daylight saving time.
The Dell Networking N2024P/N2048P and N3024P/N3048P switch ports are
IEEE 802.3at-2009-compliant (PoE Plus) and can provide up to 34.2W of
power per port. For more information about PoE Plus support, see "What Are
the Key PoE Plus Features for the N2024P/N2048P and N3024P/N3048P
Switches?" on page 285
Why Does System Information Need to Be Configured?
Configuring system information is optional. However, it can be helpful in
providing administrative information about the switch. For example, if you
manage several standalone Dell Networking series switches and have Telnet
sessions open with several different switches, the system name can help you
quickly identify the switch because the host name replaces console as the
CLI command prompt.
The Banner can provide information about the switch status. For example, if
multiple users connect to the switch, the message of the day (MOTD) banner
might alert everyone who connects to the switch about a scheduled switch
image upgrade.
What Are SDM Templates?
An SDM template is a description of the maximum resources a switch or
router can use for various features. Different SDM templates allow different
combinations of scaling factors, enabling different allocations of resources
depending on how the device is used. In other words, SDM templates enable
you to reallocate system resources to support a different mix of features based
on your network requirements.
Dell Networking series switches support the following three templates:
• Dual IPv4 and IPv6 (default)
• IPv4 Routing
• IPv4 Data Center
Table 12-3 describes the parameters that are scaled for each template and the
per-template maximum value of the parameter.
Table 12-3. SDM Template Parameters and Values
Parameter              Series  Dual IPv4/IPv6  Dual IPv4/IPv6 Data Center  IPv4 Only  IPv4 Data Center
ARP entries            N2000   1024            0                           1024       0
                       N3000   4096            4096                        6144       0
                       N4000   4096            4096                        6144       4096
IPv4 unicast routes    N2000   256             0                           512        0
                       N3000   8160            8160                        12288      0
                       N4000   8160            8160                        12288      8160
IPv6 Neighbor          N2000   512             0                           0          0
Discovery Protocol     N3000   2560            2560                        0          0
(NDP) entries          N4000   1024            1024                        0          0
IPv6 unicast routes    N2000   128             0                           0          0
                       N3000   4096            4096                        0          0
                       N4000   4096            4096                        0          0
ECMP next hops         N2000   1               0                           1          0
                       N3000   4               16                          16         0
                       N4000   4               4                           16         16
IPv4 multicast routes  N2000   0               0                           0          0
                       N3000   1536            1536                        2048       0
                       N4000   512             512                         1024       2048
IPv6 multicast routes  N2000   0               0                           0          0
                       N3000   512             512                         0          0
                       N4000   256             256                         0          0
SDM Template Configuration Guidelines
When you configure the switch to use an SDM template that is not currently
in use, you must reload the switch for the configuration to take effect.
If the IPv4 Routing or IPv4 Data Center template is currently in use and you
attempt to configure IPv6 routing features without first selecting the Dual
IPv4-IPv6 Routing template, the IPv6 commands do not take effect. IPv6
features are not available when an IPv4-only template is active.
NOTE: If you attach a unit to a stack and its template does not match the stack's
template, then the new unit will automatically reboot using the template used by
the management unit. To avoid the automatic reboot, you may first set the
template to the template used by the management unit. Then power off the new
unit, attach it to the stack, and power it on.
Why is the System Time Needed?
The switch uses the system clock to provide time stamps on log messages.
Additionally, some show commands include the time in the command
output. For example, the show users login-history command includes a Login
Time field. The system clock provides the information for the Login Time
field.
How Does SNTP Work?
SNTP assures accurate switch clock time synchronization. Time
synchronization is performed by a network SNTP server.
Time sources are established by Stratums. Stratums define the accuracy of
the reference clock. The higher the stratum (where zero is the highest), the
more accurate the clock. The switch is at a stratum that is one lower than its
time source. For example, if the SNTP server in an internal network is a
Stratum 3 device, the switch is a Stratum 4 device.
You can configure the switch to request the time from an SNTP server on the
network, or you can allow the switch to receive SNTP broadcasts.
Requesting the time from a unicast SNTP server is more secure. Use this
method if you know the IP address of the SNTP server on your network. If you
allow the switch to receive SNTP broadcasts, any clock synchronization
information is accepted, even if it has not been requested by the device. This
method is less secure than polling a specified SNTP server.
To increase security, you can require authentication between the configured
SNTP server and the SNTP client on the switch. Authentication is provided
by Message Digest 5 (MD5). MD5 verifies the integrity of the
communication and authenticates the origin of the communication.
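The following added example, not taken from the guide or from the switch firmware, shows what the MD5 authentication and trusted-key checks described above amount to on the wire: an SNTP reply carries a 4-byte key ID and a 16-byte MD5 digest computed over the shared key followed by the 48-byte header (the RFC 5905 authenticator), and a client accepts the reply only when the key ID is trusted, the digest matches, and the packet is a solicited server reply rather than a broadcast. The key, key ID and stratum values are constructed; the packet builder fills in only the mode and stratum fields.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MODE_SERVER = 4        # reply to a unicast client request
MODE_BROADCAST = 5     # unsolicited broadcast, accepted only if broadcast mode is enabled
MD5_MAC_LEN = 4 + 16   # key ID + MD5 digest (RFC 5905 Appendix A)


def ntp_md5_mac(key: bytes, header: bytes) -> bytes:
    """RFC 5905 MD5 authenticator: MD5 over the shared key followed by the 48-byte header."""
    return hashlib.md5(key + header).digest()


def build_reply(stratum: int, mode: int = MODE_SERVER, version: int = 4) -> bytes:
    """Constructed server packet; only the LI/VN/mode byte and the stratum are populated."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (version << 3) | mode
    header[1] = stratum
    return bytes(header)


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the key ID and MD5 authenticator the way an authenticating server does."""
    return header + struct.pack("!I", key_id) + ntp_md5_mac(key, header)


def verify_reply(packet: bytes, trusted_keys: dict, expect_mode: int = MODE_SERVER) -> int:
    """Accept an authenticated reply and return the server's stratum; raise on anything else."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("short packet")
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if (header[0] & 0x07) != expect_mode:
        raise ValueError("unexpected mode (unsolicited broadcast or not a server reply)")
    if len(trailer) != MD5_MAC_LEN:
        raise ValueError("missing or malformed MD5 authenticator")
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = trusted_keys.get(key_id)           # only keys marked trusted may authenticate
    if key is None:
        raise ValueError(f"key ID {key_id} is not a trusted key")
    if not hmac.compare_digest(ntp_md5_mac(key, header), trailer[4:]):
        raise ValueError("MD5 authenticator mismatch: packet altered or wrong key")
    stratum = header[1]
    if not 1 <= stratum <= 15:               # 0 is unspecified/kiss-o'-death, 16 unsynchronized
        raise ValueError(f"unusable stratum {stratum}")
    return stratum


def client_stratum(server_stratum: int) -> int:
    """The switch sits one stratum below its source: a stratum 3 server gives a stratum 4 switch."""
    return server_stratum + 1


if __name__ == "__main__":
    trusted = {1: b"constructed-shared-secret"}   # key ID 1 marked trusted on the client
    reply = sign(build_reply(stratum=3), key_id=1, key=trusted[1])
    server = verify_reply(reply, trusted)
    print(f"server stratum {server} -> switch stratum {client_stratum(server)}")
```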
What Configuration Is Required for Plug-In Modules?
The N3000/N4000 series switches support several different plug-in modules
(also known as cards) for the expansion slots located on the back of the
switch. For information about the slots and the supported modules, see
"Hardware Overview" on page 91. You can preconfigure the card type prior to
inserting it into the switch.
Hot-swap is supported on the N3000/N4000 switch modules. However, the
switch must be rebooted for the new module to be recognized after it is
inserted.
Before inserting a new module into the expansion slot that was previously
occupied by a different type of module, issue a no slot command from the
CLI so that the switch can recognize the new module.
Once a module has been recognized by the switch, its configuration is stored
locally on the switch as the switch default. The module configuration appears
in the running-config for informational purposes.
What Are the Key PoE Plus Features for the N2024P/N2048P and
N3024P/N3048P Switches?
Table 12-4 describes some of the key PoE Plus features the switches support.
Table 12-4. PoE Plus Key Features
Feature Description
Global Usage Threshold Provides the ability to specify a power limit as a
percentage of the maximum power available to PoE ports. Setting a limit
prevents the PoE switch from reaching an overload condition.
Per-Port Power Prioritization Provides the ability to assign a priority to
each PoE port. When the power budget of the PoE switch has been exhausted,
the higher-priority ports are given preference over the lower-priority
ports. Lower priority ports are automatically stopped from supplying power
in order to provide power to higher-priority ports.
Per-Port Power Limit Configurable power limit for each PoE-Plus port.
Power Management Modes Supports two power-management modes:
Static—Allows you to reserve a guaranteed amount of power for a PoE port.
This is useful for powering up devices which draw a variable amount of power
and provide them an assured power range to operate within.
Dynamic—Power is not reserved for a given port at any point of time. The
power available with the PoE switch is calculated by subtracting the
instantaneous power drawn by all the ports from the maximum available power.
Thus more ports can be powered at the same time. This feature is useful to
efficiently power up more devices when the available power with the PoE
switch is limited.
Power Detection Mode Allows you to set the mode to legacy or 4-point 802.3af
detection. Enabling an additional high-power setting will allow the
detection of 802.3at devices.
Powered Device (PD) Disconnection Detection Mode Configurable setting to set
the method that determines when a PD has disconnected from a port:
AC Disconnect—Assumes that when a valid PD is connected to a port, the AC
impedance measured on its terminals is significantly lower than in the case
of an open port (disconnected PD).
DC Disconnect—Measures current consumption to determine when a PD stops
consuming current.
Default General System Information
By default, no system information or time information is configured, and the
SNTP client is disabled. The default SDM Template applied to the switch is
the Dual IPv4-IPv6 template.
The following table shows the default PoE Plus settings for the Dell
Networking N2024P/N2048P and N3024P/N3048P switches.
Table 12-5. PoE Plus Key Features (N2024P, N2048P, N3024P, N3048P Only)
Feature Description
Global Usage Threshold 0%
Per-Port Admin Status Auto
Per-Port Power Prioritization Enabled (globally, per-port priority is Low)
Per-Port Power Limit None
Power Management Mode Dynamic
Power Detection Mode 802.3af Only
Powered Device (PD) Disconnection Detection Mode AC
Power Pairs alternative-a
Configuring General System Settings (Web)
This section provides information about the OpenManage Switch
Administrator pages for configuring and monitoring general system settings
on the Dell Networking N2000, N3000, and N4000 series switches. For details
about the fields on a page, click at the top of the page.
System Information
Use the System Information page to configure the system name, contact
name, location, and asset tag.
To display the System Information page, click System > General > System
Information in the navigation panel.
Figure 12-1. System Information
NOTE: From the System Information page, you can also initiate a Telnet session
to the switch.
Initiating a Telnet Session from the Web Interface
To launch a Telnet session:
1. From the System > General > System Information page, click the Telnet
link.
2. Click the Telnet button.
Figure 12-2. Telnet
3. Select the Telnet client, and click OK.
Figure 12-3. Select Telnet Client
NOTE: The Telnet client feature does not work with Microsoft Windows Internet
Explorer 7 and later versions. Initiating this feature from any browser running on
a Linux operating system is not supported.
The selected Telnet client launches and connects to the switch CLI.
Figure 12-4. Telnet Session
CLI Banner
Use the CLI Banner page to configure a message for the switch to display
when a user connects to the switch by using the CLI. You can configure
different banners for various CLI modes and access methods.
To display the CLI Banner page, click System > General > CLI Banner in
the navigation panel.
Figure 12-5. CLI Banner
SDM Template Preference
Use the SDM Template Preference page to view information about template
resource settings and to select the template that the switch uses. If you select
a new SDM template for the switch to use, you must reboot the switch before
the template is applied.
To display the SDM Template Preference page, click System > General > SDM
Template Preference in the navigation panel.
Figure 12-6. SDM Template Preference
Clock
If you do not obtain the system time from an SNTP server, you can manually
set the date and time on the switch on the Clock page. The Clock page also
displays information about the time settings configured on the switch.
To display the Clock page, click System > Time Synchronization > Clock in
the navigation panel.
Figure 12-7. Clock
NOTE: The system time cannot be set manually if the SNTP client is enabled. Use
the SNTP Global Settings page to enable or disable the SNTP client.
SNTP Global Settings
Use the SNTP Global Settings page to enable or disable the SNTP client,
configure whether and how often the client sends SNTP requests, and
determine whether the switch can receive SNTP broadcasts.
To display the SNTP Global Settings page, click System > Time
Synchronization > SNTP Global Settings in the navigation panel.
Figure 12-8. SNTP Global Settings
SNTP Authentication
Use the SNTP Authentication page to enable or disable SNTP
authentication, to modify the authentication key for a selected encryption key
ID, to designate the selected authentication key as a trusted key, and to
remove the selected encryption key ID.
Click System > Time Synchronization > SNTP Authentication in the
navigation panel to display the SNTP Authentication page.
Figure 12-9. SNTP Authentication
Adding an SNTP Authentication Key
To configure SNTP authentication:
1. Open the SNTP Authentication page.
2. Click the Add link. The Add Authentication Key page displays:
NOTE: The SNTP server must be configured with the same authentication information to allow time synchronization to take place between the two devices.
Figure 12-10. Add Authentication Key
3. Enter a numerical encryption key ID and an authentication key in the appropriate fields.
4. If the key is to be used to authenticate a unicast SNTP server, select the Trusted Key check box. If the check box is clear, the key is untrusted and cannot be used for authentication.
5. Click Apply.
The SNTP authentication key is added, and the device is updated.
To view all configured authentication keys, click the Show All link. The Authentication Key Table displays. You can also use the Authentication Key Table to remove or edit existing keys.
Figure 12-11. Authentication Key Table
SNTP Server
Use the SNTP Server page to view and modify information about SNTP servers, and to add new SNTP servers that the switch can use for time synchronization. The switch can accept time information from both IPv4 and IPv6 SNTP servers.
To display the SNTP Server page, click System > Time Synchronization > SNTP Server in the navigation panel. If no servers have been configured, the fields in the following image are not displayed.
Figure 12-12. SNTP Servers
Defining a New SNTP Server
To add an SNTP server:
1. Open the SNTP Servers page.
2. Click Add. The Add SNTP Server page displays.
Figure 12-13. Add SNTP Server
3. In the SNTP Server field, enter the IP address or host name for the new SNTP server.
4. Specify whether the information entered in the SNTP Server field is an IPv4 address, IPv6 address, or a hostname (DNS).
5. If you require authentication between the SNTP client on the switch and the SNTP server, select the Encryption Key ID check box, and then select the key ID to use.
To define a new encryption key, see "Adding an SNTP Authentication Key" on page 294.
NOTE: The SNTP server must be configured with the same authentication information to allow time synchronization to take place between the two devices.
To view all configured SNTP servers, click the Show All link. The SNTP Server Table displays. You can also use the SNTP Server Table page to remove or edit existing SNTP servers.
Figure 12-14. SNTP Servers Table
Summer Time Configuration
Use the Summer Time Configuration page to configure summer time
(daylight saving time) settings.
To display the Summer Time Configuration page, click System > Time Synchronization > Summer Time Configuration in the navigation panel.
Figure 12-15. Summer Time Configuration
To use the preconfigured summer time settings for the United States or
European Union, select the Recurring check box and specify USA or EU from
the Location menu.
NOTE: The fields on the Summer Time Configuration page change when you
select or clear the Recurring check box.
Time Zone Configuration
Use the Time Zone Configuration page to configure time zone information, including the amount of time by which the local time is offset from UTC and the acronym that represents the local time zone.
To display the Time Zone Configuration page, click System > Time Synchronization > Time Zone Configuration in the navigation panel.
Figure 12-16. Time Zone Configuration
Card Configuration
Use the Card Configuration page to control the administrative status of the rear-panel expansion slots (Slot 1 or Slot 2) and to configure the plug-in module to use in the slot.
To display the Card Configuration page, click Switching > Slots > Card Configuration in the navigation panel.
Figure 12-17. Card Configuration
Slot Summary
Use the Slot Summary page to view information about the expansion slot status.
To display the Slot Summary page, click Switching > Slots > Summary in the navigation panel.
Figure 12-18. Slot Summary
Supported Cards
Use the Supported Cards page to view information about the supported plug-in modules for the switch.
To display the Supported Cards page, click Switching > Slots > Supported Cards in the navigation panel.
Figure 12-19. Supported Cards
Power Over Ethernet Global Configuration (N2024P/N2048P and N3024P/N3048P Only)
Use the PoE Global Configuration page to configure the PoE settings for the switch.
To display the PoE Global Configuration page, click System > General > Power over Ethernet > Global Configuration in the navigation panel.
Figure 12-20. PoE Global Configuration
Power Over Ethernet Interface Configuration (N2024P/N2048P and N3024P/N3048P Only)
Use the PoE Interface Configuration page to configure the per-port PoE settings. From this page, you can also access the PoE Counters table and PoE Port Table. The PoE Port table allows you to view and configure PoE settings for multiple ports on the same page.
To display the PoE Interface Configuration page, click System > General > Power over Ethernet > Interface Configuration in the navigation panel.
Figure 12-21. PoE Interface Configuration
To view PoE statistics for each port, click Counters.
Figure 12-22. PoE Counters Table
To view the PoE Port Table, click Show All.
Figure 12-23. PoE Port Table
If you change any settings for one or more ports on the PoE Port Table page,
click Apply to update the switch with the new settings.
Configuring System Settings (CLI)
This section provides information about the commands you use to configure system information and time settings on the Dell Networking N2000, N3000, and N4000 series switches. For more information about these commands, see the Dell Networking N2000, N3000, and N4000 Series Switches CLI Reference Guide at support.dell.com/manuals.
Configuring System Information
Beginning in Privileged EXEC mode, use the following commands to
configure system information.
Command Purpose
configure: Enter Global Configuration mode.
hostname name: Configure the system name. The CLI prompt changes to the host name after you execute the command.
snmp-server contact name: Configure the name of the switch administrator. If the name contains a space, use quotation marks around the name.
snmp-server location location: Configure the switch location.
asset-tag [unit unit_id] tag: Configure the asset tag for the switch. Use the unit keyword to configure the asset tag for each unit in a stack of switches.
CTRL + Z: Exit to Privileged EXEC mode.
show system [id]: Display system information. Include the id keyword to display additional system information.
Configuring the Banner
Beginning in Privileged EXEC mode, use the following commands to
configure the MOTD, login, or User EXEC banner. The switch supports the
following banner messages:
MOTD—Displays when a user connects to the switch.
Login—Displays after the MOTD banner and before the login prompt.
Exec—Displays immediately after the user logs on to the switch.
Command Purpose
configure: Enter Global Configuration mode.
banner {motd|login|exec} text: Configure the banner message that displays when you connect to the switch (motd and login) or enter User EXEC mode (exec). Use quotation marks around a message if it includes spaces.
line {telnet|ssh|console}: Enter the terminal line configuration mode for Telnet, SSH, or the console.
motd-banner: Specify that the configured MOTD banner displays. To prevent the banner from displaying, enter no motd-banner.
exec-banner: Specify that the configured exec banner displays. To prevent the banner from displaying, enter no exec-banner.
login-banner: Specify that the configured login banner displays. To prevent the banner from displaying, enter no login-banner.
CTRL + Z: Exit to Privileged EXEC mode.
show banner: Display the banner status on all line terminals.
Managing the SDM Template
Beginning in Privileged EXEC mode, use the following commands to set the SDM template preference and to view information about the available SDM templates.
Command Purpose
configure: Enter Global Configuration mode.
sdm prefer {dual-ipv4-and-ipv6 default | ipv4-routing {data-center | default}}: Select the SDM template to apply to the switch after the next boot.
CTRL + Z: Exit to Privileged EXEC mode.
show sdm prefer [template]: View information about the SDM template the switch is currently using. Use the template variable to view the parameters for the specified template.
Configuring SNTP Authentication and an SNTP Server
Beginning in Privileged EXEC mode, use the following commands to require the SNTP client to use authentication when communicating with the SNTP server. The commands also show how to configure an SNTP server.
Requiring authentication is optional. However, if you configure authentication on the switch SNTP client, the SNTP server must be configured with the same authentication information to allow time synchronization to take place between the two devices.
Command Purpose
configure: Enter Global Configuration mode.
sntp authentication-key key_id md5 key_word: Define an authentication key for SNTP. The variables are:
  key_id — The encryption key ID, which is a number from 1–4294967295.
  key_word — The authentication key, which is a string of up to eight characters.
sntp trusted-key key_id: Specify the authentication key the SNTP server must include in SNTP packets that it sends to the switch. The key_id number must be an encryption key ID defined in the previous step.
sntp authenticate: Require authentication for communication with the SNTP server. A trusted key must be configured before this command is executed.
sntp server {ip_address | hostname} [priority priority] [key key_id]: Define the SNTP server.
  ip_address — The IP address (or host name) of the SNTP server to poll. The IP address can be an IPv4 or IPv6 address.
  priority — (Optional) If multiple SNTP servers are defined, this number determines which server the switch polls first. The priority is 1–8, where 1 is the highest priority. If you do not specify a priority, the servers are polled in the order that they are entered.
  key_id — (Optional) Enter an authentication key to use. The key must be previously defined by the sntp authentication-key command.
sntp {unicast|broadcast} client enable: This command enables the SNTP client and allows the switch to poll configured unicast SNTP servers for updates or receive broadcasts from any SNTP server.
sntp client poll timer seconds: Specify how often the SNTP client requests SNTP packets from the configured server(s).
  seconds — The poll interval can be 64, 128, 256, 512, or 1024 seconds.
CTRL + Z: Exit to Privileged EXEC mode.
show sntp configuration: Verify the SNTP configuration.
show sntp status: View information about the SNTP updates.
Setting the System Time and Date Manually
Beginning in Privileged EXEC mode, use the following commands to
configure the time and date, time zone, and summer time settings.
Command Purpose
clock set {mm/dd/yyyy hh:mm:ss} | {hh:mm:ss mm/dd/yyyy}: Configure the time and date. You can enter the time first and then the date, or the date and then the time.
  hh:mm:ss — Time in hours (24-hour format, from 01-24), minutes (00-59), and seconds (00-59).
  mm/dd/yyyy — Two-digit month (1-12), two-digit date of the month (01-31), and four-digit year.
clock timezone hours-offset [minutes minutes-offset] [zone acronym]: Configure the time zone settings.
  hours-offset — Hours difference from UTC. (Range: –12 to +13)
  minutes-offset — Minutes difference from UTC. (Range: 0–59)
  acronym — The acronym for the time zone. (Range: Up to four characters)
clock summer-time recurring {usa | eu | {week day month hh:mm week day month hh:mm}} [offset offset] [zone acronym]: Use this command if the summer time starts and ends every year based on a set pattern. For switches located in the United States or European Union, use the usa or eu keywords to use the preconfigured values. Otherwise, configure the start and end times by using the following values:
  week — Week of the month. (Range: 1–5, first, last)
  day — Day of the week. (The first three letters by name)
  month — Month. (The first three letters by name; jan, for example.)
  hh:mm — Time in 24-hour format in hours and minutes. (Range: hh: 0–23, mm: 0–59)
  offset — Number of minutes to add during the summertime. (Range: 1–1440)
  acronym — The acronym for the time zone to be displayed when summertime is in effect. (Up to four characters)
clock summer-time date {date month | month date} year hh:mm {date month | month date} year hh:mm [offset offset] [zone acronym]: Use this command if the summer time does not start and end every year according to a recurring pattern. You can enter the month and then the date, or the date and then the month.
  date — Day of the month. (Range: 1-31.)
  month — Month. (Range: The first three letters by name)
  hh:mm — Time in 24-hour format in hours and minutes. (Range: hh: 0–23, mm: 0–59)
  offset — Number of minutes to add during the summertime. (Range: 1–1440)
  acronym — The acronym for the time zone to be displayed when summertime is in effect. (Range: Up to four characters)
CTRL + Z: Exit to Privileged EXEC mode.
show clock [detail]: View information about the time. Include the detail keyword to view information about the time zone and summer time.
Configuring the Expansion Slots (N3000 Series Only)
Beginning in Privileged EXEC mode, use the following commands to configure and view information about the expansion slots and plug-in modules (cards).
Command Purpose
configure: Enter Global Configuration mode.
slot unit/slot cardindex: Configure the specified slot (1–2) to use the plug-in module identified by the cardindex number (CID). To view the CID associated with each plug-in module, use the show supported cardtype command.
CTRL + Z: Exit to Privileged EXEC mode.
show slot: Display status information about the expansion slots.
show supported cardtype: Display information about the plug-in modules the switch supports.
Viewing Slot Information (N4000 Series Only)
Use the following commands to view information about Slot 0 and its support.
Command Purpose
show slot: Display status information about the expansion slots.
show supported cardtype: Display information about the modules the switch supports.
Configuring PoE Settings (N2024P/N2048P and N3024P/N3048P Only)
Beginning in Privileged EXEC mode, use the following commands to configure PoE information.
Command Purpose
configure: Enter Global Configuration mode.
power inline usage-threshold threshold: Specify the maximum usage for PoE power on the system. The threshold variable (range: 1–99%) is a percentage of total system power.
power inline management {class | static | dynamic}: Set the power-management mode for the switch.
power inline detection {dot3af | dot3af+legacy}: Set the powered-device detection mode for the switch.
  802.3af-only — IEEE 802.3af detection scheme is used.
  802.3af+legacy — IEEE 802.3af 4-point detection scheme is used, and when it fails to detect a connected PD, legacy capacitive detection is used.
interface interface: Enter interface configuration mode for the specified port. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3.
power inline {auto | never}: Set the PoE device discovery admin mode.
  auto — Enables the device discovery protocol and, if found, supplies power to the device.
  never — Disables the device discovery protocol and stops supplying power to the device.
power inline priority {critical | high | low}: Configure the port priority level for the delivery of power to an attached device.
power inline high-power: Configure the port high power mode for connected-device compatibility.
power inline limit user-defined limit: Set the per-port power limit.
  user-defined limit — Allows the port to draw up to the user-defined configured value. The range of limit is 3000–32000 milliwatts.
power inline powered-device type: Provide a description to represent the type of device connected to the port.
power inline reset: (Optional) Reset the port. You might use this command if the port is stuck in an Error state.
CTRL + Z: Exit to Privileged EXEC mode.
show power inline: Display PoE information for the switch.
show power inline interface: Display PoE information for the specified interface.
General System Settings Configuration Examples
This section contains the following examples:
• Configuring System and Banner Information
• Configuring SNTP
• Configuring the Time Manually
Configuring System and Banner Information
In this example, an administrator configures the following system
information:
System name: N2048
System contact: Jane Doe
System location: RTP100
Asset tag: 006429
The administrator then configures the MOTD banner to alert other switch
administrators of the connected topology.
To configure the switch:
1. Configure the host name.
console#configure
console(config)#hostname N2048
2. Configure the contact, location, and asset tag. Notice that the prompt changed to the host name.
N2048(config)#snmp-server contact "Jane Doe"
N2048(config)#snmp-server location RTP100
N2048(config)#asset-tag 006429
3. Configure the message that displays when a user connects to the switch.
N2048(config)#banner motd "This switch connects users in cubicles C121-C139."
N2048(config)#exit
4. View system information to verify the configuration.
N2048#show system
System Description: Dell Ethernet Switch
System Up Time: 0 days, 19h:36m:36s
System Contact: Jane Doe
System Name: N2048
System Location: RTP100
Burned In MAC Address: 001E.C9AA.AA07
System Object ID: 1.3.6.1.4.1.674.10895.3035
System Model ID: N2048
Machine Type: Dell Networking N2048
Temperature Sensors:
Unit Temperature (Celsius) Status
---- --------------------- ------
1 43 OK
Power Supplies:
Unit Description Status Source
---- ----------- ----------- ------
1 Main OK AC
1 Secondary Error DC
Temperature Sensors:
Unit Description Temperature Status
(Celsius)
---- ----------- ----------- ------
1 CPU 33 Good
1 MAC 39 Good
1 Left PHY 32 Good
1 Right PHY 33 Good
Fans:
Unit Description Status
---- ----------- ------
1 Fan 1 OK
1 Fan 2 OK
1 Fan 3 OK
Power Supplies:
Unit Description Status Average Current Since
Power Power Date/Time
(Watts) (Watts)
---- ---------- -------- ---------- -------- ------------
1 System OK 5.0 97.8
1 Main Failure
1 Secondary OK 97.6 97.8 01/10/2031
15:59:05
5. View additional information about the system.
N2048#show system id
Service Tag:
Chassis Service Tag: N/A
Serial Number: 7048NX1011
Asset Tag: unit-1
Unit Service tag Chassis Serv tag Serial number Asset tag
---- ----------- ---------------- ------------- ---------
1 N/A 70498NX1011 unit-1
Service Tag: 0000000
Chassis Service Tag:
Serial Number: TW282987BK0002
Asset Tag: 111222
Unit Service tag Chassis Serv tag Serial number Asset tag
---- ------------ ---------------- ------------- ----------
1 0000000 TW282987BK0002 111222
6. Initiate a new Telnet session to verify the MOTD.
Figure 12-24. Verify MOTD
Configuring SNTP
The commands in this example configure the switch to poll an SNTP server
to synchronize the time. Additionally, the SNTP sessions between the client
and server must be authenticated.
To configure the switch:
1. Configure the authentication information. The SNTP server must be configured with the same authentication key and ID.
console#configure
console(config)#sntp authentication-key 23456465 md5 sntpkey
console(config)#sntp trusted-key 23456465
console(config)#sntp authenticate
2. Specify the IP address of the SNTP server to poll and include the authentication key. This command automatically enables polling and sets the priority to 1.
console(config)#sntp server 192.168.10.30 key 23456465
console(config)#sntp unicast client enable
3. Verify the configuration.
console#show sntp configuration
Polling interval: 512 seconds
MD5 Authentication keys: 23456465
Authentication is required for synchronization.
Trusted keys: 23456465
Unicast clients: Enable
Unicast servers:
Server Key Polling Priority
------------ ----------- --------- --------
192.168.10.30 23456465 Enabled 1
4. View the SNTP status on the switch.
console#show sntp status
Client Mode: Unicast
Last Update Time: MAR 01 09:12:43 2010
Unicast servers:
Server Status Last response
--------------- ------------ ---------------------
192.168.10.30 Other 09:12:43 Mar 1 2011
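The MD5 authentication that the SNTP Authentication page and the sntp authentication-key / sntp trusted-key commands above configure is the symmetric-key MAC of RFC 5905. The following is an added example, not code from the Dell guide, that builds that MAC on an SNTP packet and checks it the way the receiving side must (key known, key trusted, digest matches); the key ID and key word are the ones used in the example above, the packet contents are constructed.

```python
"""Added example, not code from the Dell guide: the symmetric-key MD5 MAC that
the switch's 'sntp authentication-key <key_id> md5 <key_word>' and
'sntp trusted-key <key_id>' settings refer to, built and checked on an SNTP
packet. Per RFC 5905 section 7.3 the MAC appended to the 48-byte NTP header is
    key ID (4 bytes, big-endian) || MD5(key_word || header)
The switch and the SNTP server must hold the same key word under the same ID,
and only IDs marked trusted may authenticate a response."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
KEY_ID_MAX = 4294967295  # key ID range stated in the guide: 1-4294967295
KEY_WORD_MAX = 8         # key word length limit stated in the guide


def build_sntp_request() -> bytes:
    """Constructed minimal SNTPv4 client request: first byte LI=0, VN=4,
    Mode=3 (0x23); the remaining header fields may be zero in a request."""
    return bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)


def append_mac(header: bytes, key_id: int, key_word: str) -> bytes:
    """Return header || key ID || MD5(key || header), as the sender builds it."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("MAC is computed over the 48-byte NTP header")
    if not 1 <= key_id <= KEY_ID_MAX:
        raise ValueError("key ID out of range")
    key = key_word.encode("ascii")
    if not 1 <= len(key) <= KEY_WORD_MAX:
        raise ValueError("key word must be 1 to 8 characters")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_mac(packet: bytes, keys: dict, trusted: set):
    """Receiver-side check. `keys` maps key ID -> key word (the switch's
    authentication-key table); `trusted` holds the IDs enabled with
    'sntp trusted-key'. Returns the authenticating key ID, or None when the
    packet must be discarded (bad length, unknown/untrusted ID, bad digest)."""
    if len(packet) != NTP_HEADER_LEN + 4 + 16:
        return None
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    received = packet[NTP_HEADER_LEN + 4:]
    if key_id not in keys or key_id not in trusted:
        return None  # a key that is defined but not trusted cannot authenticate
    expected = hashlib.md5(keys[key_id].encode("ascii") + header).digest()
    if not hmac.compare_digest(expected, received):  # constant-time compare
        return None
    return key_id


if __name__ == "__main__":
    # Values from the guide's SNTP example: key ID 23456465, key word sntpkey.
    keys = {23456465: "sntpkey"}
    pkt = append_mac(build_sntp_request(), 23456465, "sntpkey")
    print("trusted  :", verify_mac(pkt, keys, {23456465}))   # 23456465
    print("untrusted:", verify_mac(pkt, keys, set()))        # None
    forged = bytearray(pkt)
    forged[40] ^= 0x01  # flip a bit in the transmit timestamp
    print("tampered :", verify_mac(bytes(forged), keys, {23456465}))  # None
```

Because the MAC is an unkeyed hash over key and packet, the key word is the only secret; treat it like a password and share it with the SNTP server over a protected channel.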
Configuring the Time Manually
The commands in this example manually set the system time and date. The
time zone is set to Eastern Standard Time (EST), which has an offset of -5
hours. Summer time is enabled and uses the preconfigured United States
settings.
To configure the switch:
1. Configure the time zone offset and acronym.
console#configure
console(config)#clock timezone -5 zone EST
2. Configure the summer time (daylight saving time) to use the preconfigured settings for the United States.
console(config)#clock summer-time recurring usa
3. Set the local time and date.
console(config)#clock set 16:13:06 03/01/2010
4. Verify the time settings.
console#show clock detail
00:27:19 EST(UTC-5:00) Feb 3 2039
No time source
Time zone:
Acronym is EST
Offset is UTC-5:00
Summertime:
Acronym not configured
Recurring every year (USA)
Begins on second Sunday of Mar at 02:00
Ends on first Sunday of Nov at 02:00
Offset is +60 minutes
13 Configuring SNMP
The topics covered in this chapter include:
• SNMP Overview
• Default SNMP Values
• Configuring SNMP (Web)
• Configuring SNMP (CLI)
• SNMP Configuration Examples
SNMP Overview
Simple Network Management Protocol (SNMP) provides a method for managing network devices. The Dell Networking series switches support SNMP version 1, SNMP version 2, and SNMP version 3.
What Is SNMP?
SNMP is a standard protocol that enables remote monitoring and
management of a device through communication between an SNMP
manager and an SNMP agent on the remote device. The SNMP manager is
typically part of a Network Management System (NMS) that runs on an
administrative host. The switch software includes Management Information Base (MIB) objects that the SNMP agent queries and modifies. The switch uses standard public MIBs and private MIBs.
A MIB acts as a structured road map for managed objects. A managed object
is any feature or setting that can be configured or monitored on the switch.
An Object Identifier (OID) is the unique number assigned to an object
defined in a MIB. An OID is written as a sequence of subidentifiers in
decimal notation.
The SNMP agent maintains a list of variables that are used to manage the
switch. The variables are defined in the MIB. The MIB presents the variables
controlled by the agent. The SNMP agent defines the MIB specification
format, as well as the format used to access the information over the network.
Access rights to the SNMP agent are controlled by access strings.
SNMPv3 also applies access control and a new traps mechanism to SNMPv1 and SNMPv2 PDUs. In addition, the User Security Model (USM) is defined for SNMPv3 and includes:
• Authentication — Provides data integrity and data origin authentication.
• Privacy — Protects against disclosure of message content. Cipher Block Chaining (CBC) is used for encryption. Either authentication alone is enabled on an SNMP message, or both authentication and privacy are enabled on an SNMP message. However, privacy cannot be enabled without authentication.
• Timeliness — Protects against message delay or message replay. The SNMP agent compares each incoming message against the message time information.
• Key Management — Defines key generation, key updates, and key use. Authentication and privacy keys are modified in the SNMPv3 User Security Model (USM).
What Are SNMP Traps?
SNMP is frequently used to monitor systems for fault conditions such as
temperature violations, link failures, and so on. Management applications can
monitor for these conditions by polling the appropriate OIDs with the get
command and analyzing the returned data. This method has its drawbacks. If
it is done frequently, significant amounts of network bandwidth can be
consumed. If it is done infrequently, the response to the fault condition may
not occur in a timely fashion. SNMP traps avoid these limitations of the
polling method.
An SNMP trap is an asynchronous event indicating that something significant has occurred. This is analogous to a pager receiving an important message, except that the SNMP trap frequently contains all the information needed to diagnose a fault.
You can configure various features on the switch to generate SNMP traps that
inform the NMS about events or problems that occur on the switch. Traps
generated by the switch can also be viewed locally by using the web-based
interface or CLI.
Why Is SNMP Needed?
Some network administrators prefer to use SNMP as the switch management
interface. Settings that you view and configure by using the web-based Dell
OpenManage Switch Administrator and the CLI are also available by using
SNMP.
If you do not use NMS software to manage or monitor other devices on your
network, it might not be necessary to configure SNMP on the switch.
Default SNMP Values
By default, SNMPv2 is automatically enabled on the device. SNMPv1 and SNMPv3 are disabled. To enable SNMPv3, you must define a local engine ID for the device. The local engine ID is by default set to the switch MAC address; however, when the switch operates in stacking mode, it is important to manually configure the local engine ID for the stack. This local engine ID must be defined so that it is unique within the network. It is important to do this because the default engine ID in a stack is the MAC address of the master unit, which may change if the master unit fails and another unit takes over the stack.
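The USM key-management point above and the engine ID warning are two sides of the same mechanism: SNMPv3 user keys are localized to the agent's engine ID. The following is an added example, not code from the Dell guide, implementing the RFC 3414 password-to-key and key-localization steps and showing that the same user password yields a different key on each engine ID; the MAC-based engine ID format follows RFC 3411, and the second MAC address and the enterprise number in it are constructed placeholders.

```python
"""Added example, not code from the Dell guide: RFC 3414 (USM) password-to-key
conversion and key localization. An SNMPv3 user's authentication and privacy
keys are derived from the password and then bound to the agent's engine ID,
which is why the guide requires a unique, manually set engine ID on a stack:
if the engine ID silently changes (new master unit, new MAC-derived ID), every
localized key changes and existing managers stop authenticating."""
import hashlib

EXPAND_LEN = 1048576  # RFC 3414 A.2.1: the password is repeated to 1 MiB


def password_to_key(password: str, algo: str = "md5") -> bytes:
    """Ku = H(password repeated/truncated to exactly 1,048,576 bytes)."""
    pw = password.encode("ascii")
    if not pw:
        raise ValueError("USM password must not be empty")
    expanded = (pw * (EXPAND_LEN // len(pw) + 1))[:EXPAND_LEN]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key the agent actually stores and
    uses on the wire; it differs for every engine ID."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_user_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """Full derivation: password -> Ku -> Kul for one engine ID."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


def mac_based_engine_id(mac: bytes, enterprise: int = 0) -> bytes:
    """RFC 3411 SnmpEngineID in MAC-address format: 4-byte enterprise number
    with the high bit set, format octet 3, then the 6 MAC bytes. The
    enterprise number here is a placeholder; a real agent uses its own."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    head = bytes([0x80 | ((enterprise >> 24) & 0x7F), (enterprise >> 16) & 0xFF,
                  (enterprise >> 8) & 0xFF, enterprise & 0xFF, 3])
    return head + mac


if __name__ == "__main__":
    # First MAC is the burned-in address shown in the guide's show system
    # output; the second is a constructed address for a hypothetical second
    # stack member that could become master after a failover.
    master_a = mac_based_engine_id(bytes.fromhex("001ec9aaaa07"))
    master_b = mac_based_engine_id(bytes.fromhex("001ec9bbbb08"))
    k_a = usm_user_key("maplesyrup", master_a, "sha1")
    k_b = usm_user_key("maplesyrup", master_b, "sha1")
    print("engine ID A key:", k_a.hex())
    print("engine ID B key:", k_b.hex())
    print("keys differ after failover:", k_a != k_b)  # True
```

The RFC 3414 appendix vectors (password "maplesyrup", engine ID 00..00 02) reproduce with these functions, which is a quick way to validate any USM implementation before trusting it.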
Table 13-1 summarizes the default values for SNMP.
Table 13-1. SNMP Defaults
Parameter             Default Value
SNMPv1                Disabled
SNMPv2                Enabled
SNMPv3                Disabled
SNMP traps            Enabled
SNMP trap receiver    None configured
Switch traps          Enabled
QoS traps             Enabled
Multicast traps       Disabled
Captive Portal traps  Disabled
OSPF traps            Disabled
Table 13-2 describes the two views that are defined by default.
Table 13-2. SNMP Default Views
View Name     OID Subtree          View Type
Default       iso                  Included
Default       snmpVacmMIB          Excluded
Default       usmUser              Excluded
Default       snmpCommunityTable   Excluded
DefaultSuper  iso                  Included
By default, three groups are defined. Table 13-3 describes the groups. The Read, Write, and Notify values define the preconfigured views that are associated with the groups.
Table 13-3. SNMP Default Groups
Group Name    Security Level   Read          Write         Notify
DefaultRead   No Auth No Priv  Default       (none)        Default
DefaultWrite  No Auth No Priv  Default       Default       Default
DefaultSuper  No Auth No Priv  DefaultSuper  DefaultSuper  DefaultSuper
Configuring SNMP (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the SNMP agent on the Dell Networking N2000, N3000, and N4000 series switches. For details about the fields on a page, click the help link at the top of the page.
SNMP Global Parameters
Use the Global Parameters page to enable SNMP and Authentication notifications.
To display the Global Parameters page, click System > SNMP > Global Parameters in the navigation panel.
Figure 13-1. SNMP Global Parameters
NOTE: For some features, the control to enable or disable traps is available from
a configuration page for that feature and not from the Trap Manager pages that
this chapter describes.
SNMP View Settings
Use the SNMP View Settings page to create views that define which features
of the device are accessible and which are blocked. You can create a view that
includes or excludes OIDs corresponding to interfaces.
To display the View Settings page, click System > SNMP > View Settings in the navigation panel.
Figure 13-2. SNMP View Settings
Adding an SNMP View
To add a view:
1. Open the View Settings page.
2. Click Add. The Add View page displays:
Figure 13-3. Add View
3. Specify a name for the view and a valid SNMP OID string.
4. Select the view type.
5. Click Apply.
The SNMP view is added, and the device is updated.
Click Show All to view information about configured SNMP Views.
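A view is a list of OID subtrees marked included or excluded, and the agent decides access by the most specific matching subtree. The following is an added example, not code from the Dell guide, that applies that VACM rule (RFC 3415) to the switch's default views from Table 13-2 and shows why the Default view hides the USM user and community tables while DefaultSuper exposes them; the numeric OIDs for the named subtrees come from the standard IETF MIBs, not from the guide, and view masks are not modelled.

```python
"""Added example, not code from the Dell guide: evaluating an SNMP view the way
a VACM agent does (RFC 3415 vacmViewTreeFamilyTable), using the switch's
default views from Table 13-2. An OID is visible only if the longest matching
subtree entry is 'included'. The numeric OIDs for the named subtrees are taken
from the standard IETF MIBs (they are not given in the guide): iso = 1,
snmpVacmMIB = 1.3.6.1.6.3.16, usmUser = 1.3.6.1.6.3.15.1.2,
snmpCommunityTable = 1.3.6.1.6.3.18.1.1. View masks are not modelled."""
from typing import Dict, List, Optional, Tuple

Oid = Tuple[int, ...]


def parse_oid(text: str) -> Oid:
    """Dotted-decimal OID string -> tuple of sub-identifiers."""
    return tuple(int(x) for x in text.strip(".").split("."))


SUBTREE: Dict[str, Oid] = {
    "iso": parse_oid("1"),
    "snmpVacmMIB": parse_oid("1.3.6.1.6.3.16"),
    "usmUser": parse_oid("1.3.6.1.6.3.15.1.2"),
    "snmpCommunityTable": parse_oid("1.3.6.1.6.3.18.1.1"),
}

# Table 13-2 of the guide, as (subtree name, view type) entries per view.
DEFAULT_VIEWS: Dict[str, List[Tuple[str, str]]] = {
    "Default": [
        ("iso", "included"),
        ("snmpVacmMIB", "excluded"),
        ("usmUser", "excluded"),
        ("snmpCommunityTable", "excluded"),
    ],
    "DefaultSuper": [("iso", "included")],
}


def oid_in_view(view_name: str, oid_text: str,
                views: Dict[str, List[Tuple[str, str]]] = DEFAULT_VIEWS) -> bool:
    """True if the OID is accessible through the named view; False if the
    view does not exist, no subtree matches, or the best match is excluded."""
    oid = parse_oid(oid_text)
    best: Optional[Tuple[Oid, str]] = None  # (subtree, type) of best match
    for name, vtype in views.get(view_name, []):
        subtree = SUBTREE[name]
        if oid[:len(subtree)] != subtree:
            continue
        # RFC 3415: the longest matching subtree wins; on a tie the
        # lexicographically greater subtree value wins.
        if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
            best = (subtree, vtype)
    return best is not None and best[1] == "included"


if __name__ == "__main__":
    # sysDescr.0 and one column of usmUserTable (standard OIDs, not in the guide)
    for view in ("Default", "DefaultSuper"):
        print(view, "sysDescr.0      :", oid_in_view(view, "1.3.6.1.2.1.1.1.0"))
        print(view, "usmUser object  :", oid_in_view(view, "1.3.6.1.6.3.15.1.2.2.1.3"))
        print(view, "community object:", oid_in_view(view, "1.3.6.1.6.3.18.1.1.1.2"))
```

A community or group bound to DefaultSuper can read the community strings and USM user entries themselves, so reserve that view for fully trusted, authenticated managers.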
Access Control Group
Use the Access Control Group page to view information for creating SNMP groups, and to assign SNMP access privileges. Groups allow network managers to assign access rights to specific device features or feature aspects.
To display the Access Control Group page, click System > SNMP > Access Control in the navigation panel.
Figure 13-4. SNMP Access Control Group
Adding an SNMP Group
To add a group:
1. Open the Access Control Configuration page.
2. Click Add. The Add an Access Control Configuration page displays:
Figure 13-5. Add Access Control Group
3. Specify a name for the group.
4. Select a security model and level.
5. Define the context prefix and the operation.
6. Click Apply to update the switch.
Click Show All to view information about existing access control configurations.
SNMPv3 User Security Model (USM)
Use the User Security Model page to assign system users to SNMP groups
and to define the user authentication method.
To display the User Security Model page, click System > SNMP > User Security Model in the navigation panel.
Figure 13-6. SNMPv3 User Security Model
Adding Local SNMPv3 Users to a USM
To add local users:
1. Open the User Security Model page.
2. Click Add Local User. The Add Local User page displays:
NOTE: You can also use the Local User Database page under Management Security to configure SNMPv3 settings for users. For more information, see "Configuring Authentication, Authorization, and Accounting" on page 207.
Figure 13-7. Add Local Users
3. Define the relevant fields.
4. Click Apply to update the switch.
Click Show All to view the User Security Model Table, which contains information about configured Local and Remote Users.
Adding Remote SNMPv3 Users to a USM
To add remote users:
1. Open the SNMPv3 User Security Model page.
2. Click Add Remote User. The Add Remote User page displays:
Figure 13-8. Add Remote Users
3. Define the relevant fields.
4. Click Apply to update the switch.
Click Show All to view the User Security Model Table, which contains information about configured Local and Remote Users.
Communities
Access rights for SNMPv1 and SNMPv2 are managed by defining communities on the Communities page. When the community names are changed, access rights are also changed. SNMP communities are defined only for SNMPv1 and SNMPv2.
To display the Communities page, click System > SNMP > Communities in the navigation panel.
Figure 13-9. SNMP Communities
Adding SNMP Communities
To add a community:
1. Open the Communities page.
2. Click Add. The Add SNMPv1,2 Community page displays:
Figure 13-10. Add SNMPv1,2 Community
3. Specify the IP address of an SNMP management station and the community string to act as a password that will authenticate the management station to the SNMP agent on the switch.
4. Select the access mode.
5. Click Apply to update the switch.
Click Show All to view the communities that have already been configured.
Notification Filter
Use the Notification Filter page to define filters that include or exclude
traps and informs based on OIDs. Each OID is linked to a device feature or a
feature aspect. A filter takes effect when it is attached to a notification
recipient.
To display the Notification Filter page, click System > SNMP > Notification
Filters in the navigation panel.
Figure 13-11. SNMP Notification Filter
Adding a Notification Filter
To add a filter:
1 Open the Notification Filter page.
2 Click Add.
The Add Filter page displays:
Figure 13-12. Add Notification Filter
3 Specify the name of the filter and the OID for the filter.
4 Choose whether to send (include) traps or informs to the trap recipient or
prevent the switch from sending (exclude) the traps or informs.
5 Click Apply to update the switch.
Click Show All to view information about the filters that have already been
configured.
Notification Recipients
Use the Notification Recipients page to define the hosts that receive SNMP
notifications, the notification type (trap or inform) sent to each host, and
the filter applied to it. Notification recipients and filters together
provide the following services:
• Identifying management trap targets
• Trap filtering
• Selecting trap generation parameters
• Providing access control checks
To display the Notification Recipients page, click System > SNMP >
Notification Recipient in the navigation panel.
Figure 13-13. SNMP Notification Recipient
Adding a Notification Recipient
To add a recipient:
1 Open the Notification Recipient page.
2 Click Add.
The Add Recipient page displays:
Figure 13-14. Add Notification Recipient
3 Specify the IP address or hostname of the host to receive notifications.
4 Select whether to send traps or informs to the specified recipient.
5 Define the relevant fields for the SNMP version you use.
6 Configure information about the port on the recipient.
7 Click Apply to update the switch.
Click Show All to view information about the recipients that have already
been configured.
Trap Flags
The Trap Flags page is used to specify which traps you want to enable or
disable. When the condition identified by an active trap is encountered by
the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a
message is written to the trap log.
To access the Trap Flags page, click Statistics/RMON > Trap Manager > Trap
Flags in the navigation panel.
Figure 13-15. Trap Flags
OSPFv2 Trap Flags
The OSPFv2 Trap Flags page is used to specify which OSPFv2 traps you want
to enable or disable. When the condition identified by an active trap is
encountered by the switch, a trap message is sent to any enabled SNMP Trap
Receivers, and a message is written to the trap log.
To access the OSPFv2 Trap Flags page, click Statistics/RMON > Trap Manager >
OSPFv2 Trap Flags in the navigation panel.
Figure 13-16. OSPFv2 Trap Flags
OSPFv3 Trap Flags
The OSPFv3 Trap Flags page is used to specify which OSPFv3 traps you want
to enable or disable. When the condition identified by an active trap is
encountered by the switch, a trap message is sent to any enabled SNMP Trap
Receivers, and a message is written to the trap log.
To access the OSPFv3 Trap Flags page, click Statistics/RMON > Trap Manager >
OSPFv3 Trap Flags in the navigation panel.
Figure 13-17. OSPFv3 Trap Flags
Trap Log
The Trap Log page is used to view entries that have been written to the trap
log.
To access the Trap Log page, click Statistics/RMON > Trap Manager > Trap Log
in the navigation panel.
Figure 13-18. Trap Logs
Click Clear to delete all entries from the trap log.
Configuring SNMP (CLI)
This section provides information about the commands you use to manage
and view SNMP features on the switch. For more information about these
commands, see the Dell Networking N2000, N3000, and N4000 Series Switches
CLI Reference Guide at support.dell.com/manuals.
Configuring the SNMPv3 Engine ID
To use SNMPv3, the switch must have an engine ID. You can specify your own
ID or use the default string, which is generated from the MAC address of the
switch. If the SNMPv3 engine ID is deleted, or if the configuration file is
erased, SNMPv3 cannot be used until an engine ID exists again. Because the
engine ID must be unique within an administrative domain, the following
guidelines are recommended:
• For standalone switches, use the default keyword to configure the engine
ID; a MAC-derived value is unique by construction.
• For a stack of switches, configure your own engine ID and verify that it
is unique within your administrative domain.
Changing the value of the SNMP engine ID has an important side effect. A
user's password (entered on the command line) is converted to an MD5 or SHA
security digest, and that digest is derived from both the password and the
local engine ID. The command-line password is then discarded, as required
by RFC 2274 (the original USM specification, now RFC 3414). Because the
password is not kept, if the local engine ID changes, the stored digests of
all SNMPv3 users become invalid and the users must be reconfigured.
Beginning in Privileged EXEC mode, use the following commands to
configure an engine ID for SNMP.

Command Purpose

configure
    Enter Global Configuration mode.

snmp-server engineID local {engineid-string | default}
    Configure the SNMPv3 engine ID.
    engineid-string — The character string that identifies the engine ID.
    The engine ID is a concatenated hexadecimal string. Each byte in the
    hexadecimal character string is two hexadecimal digits. Each byte can be
    separated by a period or colon. (Range: 6-32 characters)
    default — The engine ID is created automatically, based on the device
    MAC address.

exit
    Exit to Privileged EXEC mode.

show snmp engineid
    View the local SNMP engine ID.

Configuring SNMP Views, Groups, and Users
Beginning in Privileged EXEC mode, use the following commands to define
SNMP views, SNMP groups, and local and remote SNMPv3 users.

Command Purpose

configure
    Enter Global Configuration mode.
snmp-server view view-name oid-tree {included | excluded}
    Configure the SNMP view. When you configure groups, users, and
    communities, you can specify a view to associate with the group, user,
    or community.
    view-name — Specifies the name of the view. (Range: 1-30 characters.)
    oid-tree — Specifies the object identifier of the ASN.1 subtree to be
    included in or excluded from the view. To identify the subtree, specify
    a text string consisting of numbers, such as 1.3.6.2.4, or a word, such
    as system. Replace a single subidentifier with the asterisk (*) wildcard
    to specify a subtree family; for example, 1.3.*.4.
    included — Indicates that the view type is included.
    excluded — Indicates that the view type is excluded.
snmp-server group groupname {v1 | v2 | v3 {noauth | auth | priv} [notify view-name]} [context view-name] [read view-name] [write view-name]
    Configure an SNMP group: the security model, the minimum security level
    its members must use, and the views that bound their access.
    groupname — Specifies the name of the group. (Range: 1-30 characters.)
    v1 — Indicates the SNMP Version 1 security model.
    v2 — Indicates the SNMP Version 2 security model.
    v3 — Indicates the SNMP Version 3 security model.
    noauth — Indicates no authentication of a packet. Applicable only to the
    SNMP Version 3 security model.
    auth — Indicates authentication of a packet without encrypting it.
    Applicable only to the SNMP Version 3 security model.
    priv — Indicates authentication of a packet with encryption. Applicable
    only to the SNMP Version 3 security model. This is the only level at
    which the SNMP payload is not readable on the wire.
    view-name — Specifies the view (defined in the previous step) to use for
    the context, notification, read, and write privileges for the group.
snmp-server user username groupname [remote engineid-string] [{auth-md5 password | auth-sha password | auth-md5-key md5-key | auth-sha-key sha-key} [priv-des password | priv-des-key des-key]]
    Configure a new SNMPv3 user.
    username — Specifies the name of the user on the host that connects to
    the agent. (Range: 1-30 characters.)
    groupname — Specifies the name of the group to which the user belongs.
    (Range: 1-30 characters.)
    engineid-string — Specifies the engine ID of the remote SNMP entity to
    which the user belongs. The engine ID is a concatenated hexadecimal
    string. Each byte in the hexadecimal character string is two hexadecimal
    digits. The remote engine ID designates the remote management station,
    and should be defined to enable the device to receive acknowledgements
    to informs. (Range: 5-32 characters.)
    auth-md5 — The HMAC-MD5-96 authentication level.
    auth-sha — The HMAC-SHA-96 authentication level.
    password — A password. (Range: 1 to 32 characters.)
    auth-md5-key — The HMAC-MD5-96 authentication level. Enter a
    pregenerated MD5 key.
    auth-sha-key — The HMAC-SHA-96 authentication level. Enter a
    pregenerated SHA key.
    md5-key — Character string of 32 hexadecimal characters.
    sha-key — Character string of 48 characters.
    priv-des — The CBC-DES symmetric encryption privacy level. Enter a
    password.
    priv-des-key — The CBC-DES symmetric encryption privacy level. Enter a
    pregenerated MD5 or SHA key, depending on the authentication level
    selected.
    des-key — The pregenerated DES encryption key. The length is determined
    by the authentication method selected: 32 hexadecimal characters if MD5
    authentication is selected, 48 hexadecimal characters if SHA
    authentication is selected.
    Without one of the priv options the user is authenticated but its
    requests and responses travel in the clear; CBC-DES is the only privacy
    protocol this command offers.

exit
    Exit to Privileged EXEC mode.

show snmp views
    View SNMP view configuration information.
show snmp group [group_name]
    View SNMP group configuration information.

show snmp user [user_name]
    View SNMP user configuration information.

Configuring Communities
Beginning in Privileged EXEC mode, use the following commands to
configure access rights for SNMPv1 and SNMPv2.

Command Purpose

configure
    Enter Global Configuration mode.
snmp-server community community-string [ro | rw | su] [view view-name] [ipaddress ip_address]
    Configure the community string and specify access criteria for the
    community.
    community-string — Acts as a password and is used to authenticate the
    SNMP management station to the switch. The string must also be defined
    on the NMS in order for the NMS to access the SNMP agent on the switch.
    (Range: 1-20 characters)
    ro — Indicates read-only access.
    rw — Indicates read-write access.
    su — Indicates super-user access (compare the DefaultSuper group and
    view in the show snmp group output later in this chapter).
    view-name — Specifies the name of a previously defined MIB view.
    ip_address — Specifies the IP address of the management station. If no
    IP address is specified, all management stations are permitted, so the
    community string alone is enough to reach the agent from any host that
    can route to the switch.
snmp-server community-group community-string group-name [ipaddress ip-address]
    Map the internal security name for the SNMP v1 and SNMP v2 security
    models to the group name.
    community-string — Community string that acts like a password and
    permits access to the SNMP protocol. (Range: 1-20 characters)
    group-name — Name of a previously defined group. The group defines the
    objects available to the community. (Range: 1-30 characters)
    ip-address — Management station IP address. Default is all IP
    addresses.

exit
    Exit to Privileged EXEC mode.

show snmp
    View SNMP settings and verify the configuration.
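The show snmp output is the quickest place to verify what the commands above actually granted. The following Python is an added example and not Dell's code: it parses the Community-String table that show snmp prints (SAMPLE_SHOW_SNMP is a constructed copy of the table from the SNMPv1/v2 example later in this chapter) and reports the three things a review checks first: well-known strings, communities with more than read-only access, and communities without an ipaddress restriction. The regular expression assumes the column layout shown in this chapter; other access-mode labels are accepted but still flagged as not read-only.

```python
"""Audit the community table printed by "show snmp" on a Dell N-series switch.

Added example, not Dell's code. SAMPLE_SHOW_SNMP is a constructed copy of
the table the chapter's SNMPv1/v2 example prints; the column layout the
regex expects is taken from that output.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_SHOW_SNMP = """\
Community-String     Community-Access View Name IP Address
-------------------- ---------------- --------- -------
private              Read/Write       Default   All
public               Read Only        Default   All
"""

# Default strings every scanner and every attacker tries first.
WELL_KNOWN = {"public", "private"}

# name, access mode (the two labels seen on this switch, or any one/two-word label), view, IP
ROW = re.compile(r"^(\S+)\s+(Read/Write|Read Only|\S+(?: \S+)?)\s+(\S+)\s+(\S+)\s*$")


def parse_communities(output: str) -> List[Dict[str, str]]:
    """Rows of the Community-String table as dicts; header, rule and other lines are ignored."""
    rows = []
    for line in output.splitlines():
        if line.startswith(("Community-String", "---")):
            continue
        match = ROW.match(line)
        if match:
            rows.append(dict(zip(("name", "access", "view", "ip"), match.groups())))
    return rows


def audit_communities(output: str) -> List[Tuple[str, str]]:
    """Return (community, finding) pairs, one per weak setting found."""
    findings = []
    for row in parse_communities(output):
        name = row["name"]
        if name.lower() in WELL_KNOWN:
            findings.append((name, "well-known community string"))
        if row["access"] != "Read Only":
            findings.append((name, f"{row['access']} access over SNMPv1/v2; "
                                   "prefer ro, or an SNMPv3 user at the priv level"))
        if row["ip"] == "All":
            findings.append((name, "no ipaddress restriction; the string alone "
                                   "grants access from any host"))
    return findings


if __name__ == "__main__":
    for community, finding in audit_communities(SAMPLE_SHOW_SNMP):
        print(f"{community}: {finding}")
```

A community that survives the audit looks like `snmp-server community <unguessable> ro view Default ipaddress <nms-address>`: read-only, limited to a view that excludes the USM and community tables, and usable only from the named management station. Anything that needs write access is better served by an SNMPv3 user in a priv-level group.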
Configuring SNMP Notifications (Traps and Informs)
Beginning in Privileged EXEC mode, use the following commands to allow
the switch to send SNMP traps and to configure which traps are sent.

Command Purpose

configure
    Enter Global Configuration mode.

snmp-server enable traps [acl | all | auto-copy-sw | captive-portal cp-type | dot1q | dvmrp | link | maclock | multiple-users | ospf ospftype | ospfv3 ospfv3type | pim | poe | snmp authentication | spanning-tree | stack | vrrp]
    Specify the traps to enable. The captive portal, OSPF and OSPFv3 traps
    include several different traps that can be enabled. For more
    information, use the CLI command help or see the CLI Command Reference.
snmp-server filter filter-name oid-tree {included | excluded}
    Configure a filter for SNMP traps and informs based on OIDs. Each OID is
    linked to a device feature or a feature aspect.
    filter-name — Specifies the label for the filter record that is being
    updated or created. The name is used to reference the record. (Range:
    1-30 characters.)
    oid-tree — Specifies the object identifier of the ASN.1 subtree to be
    included in or excluded from the filter. To identify the subtree,
    specify a text string consisting of numbers, such as 1.3.6.2.4, or a
    word, such as system. Replace a single subidentifier with the asterisk
    (*) wildcard to specify a subtree family; for example, 1.3.*.4.
    included — Indicates that the filter type is included.
    excluded — Indicates that the filter type is excluded.
snmp-server host host-addr [informs [timeout seconds] [retries retries] | traps version {1 | 2}] community-string [udp-port port] [filter filtername]
    For SNMPv1 and SNMPv2, configure a host that receives SNMP traps or
    informs from the switch.
    host-addr — Specifies the IP address of the host (targeted recipient)
    or the name of the host. (Range: 1-158 characters.)
    informs — Indicates that SNMPv2 informs are sent to this host.
    timeout seconds — Number of seconds to wait for an acknowledgment
    before resending informs. The default is 15 seconds. (Range: 1-300
    seconds.)
    retries — Maximum number of times to resend an inform request. The
    default is 3 attempts.
    traps — Indicates that SNMP traps are sent to this host.
    version 1 — Indicates that SNMPv1 traps will be used.
    version 2 — Indicates that SNMPv2 traps will be used.
    community-string — Specifies a password-like community string sent
    with the notification operation. Like every v1/v2 community string it is
    carried in cleartext, so do not reuse a read-write string here. (Range:
    1-20 characters)
    port — UDP port of the host to use. The default is 162. (Range:
    1-65535.)
    filtername — A string that is the name of the filter that defines the
    filter for this host. If unspecified, nothing is filtered. (Range: 1-30
    characters.)
snmp-server v3-host {ip-address | hostname} username {traps | informs} [noauth | auth | priv] [timeout seconds] [retries retries] [udpport port] [filter filtername]
    For SNMPv3, configure a host that receives SNMP traps or informs from
    the switch.
    ip-address — Specifies the IP address of the host (targeted recipient).
    hostname — Specifies the name of the host. (Range: 1-158 characters.)
    username — Specifies the user name used to generate the notification.
    (Range: 1-25 characters.)
    traps — Indicates that SNMP traps are sent to this host.
    informs — Indicates that SNMPv2 informs are sent to this host.
    noauth — Specifies sending of a packet without authentication.
    auth — Specifies authentication of a packet without encrypting it.
    priv — Specifies authentication and encryption of a packet.
    seconds — Number of seconds to wait for an acknowledgment before
    resending informs. This is not allowed for hosts configured to send
    traps. The default is 15 seconds. (Range: 1-300 seconds.)
    retries — Maximum number of times to resend an inform request. This is
    not allowed for hosts configured to send traps. The default is 3
    attempts. (Range: 0-255 retries.)
    port — UDP port of the host to use. The default is 162. (Range:
    1-65535.)
    filter-name — Specifies the optional filter (defined with the
    snmp-server filter command) to use for the host. (Range: 1-30
    characters.)

exit
    Exit to Privileged EXEC mode.

show trapflags
    View the status of the configurable SNMP traps.
SNMP Configuration Examples
This section contains the following examples:
• Configuring SNMPv1 and SNMPv2
• Configuring SNMPv3

Configuring SNMPv1 and SNMPv2
This example shows how to complete a basic SNMPv1/v2 configuration. The
commands enable read-only access from any host to all objects on the switch
using the community string public, and enable read-write access from any
host to all objects on the switch using the community string private. Both
strings are the well-known SNMP defaults and are used here only to keep the
example short; in a deployment choose unguessable strings and add the
ipaddress option so that each community is usable only from the intended
management station.
This example also shows how to allow the switch to generate traps for all
features that produce traps. The traps are sent to the host with an IP address
of 192.168.3.65 using the community string public.
To configure the switch:
1 Configure the public community string.
console#configure
console(config)#snmp-server community public ro
2 Configure the private community string.
console(config)#snmp-server community private rw
3 Enable all traps and specify the IP address of the host where the traps
should be sent.
console(config)#snmp-server enable traps all
console(config)#snmp-server host 192.168.3.65 public
console(config)#exit
4 View the current SNMP configuration on the switch.
console#show snmp

Community-String     Community-Access View Name IP Address
-------------------- ---------------- --------- -------
private              Read/Write       Default   All
public               Read Only        Default   All

Community-String  Group Name     IP Address
----------------- -------------- ------------
private           DefaultWrite   All
public            DefaultRead    All

Traps are enabled.
Authentication trap is enabled.

Version 1,2 notifications
Target Addr.  Type  Community  Version  UDP Port  Filter Name  TO Sec  Retries
------------  ----  ---------  -------  --------  -----------  ------  -------
192.168.3.65  Trap  public     1        162

Version 3 notifications
Target Addr.  Type  Username  Security Level  UDP Port  Filter Name  TO Sec  Retries
------------  ----  --------  --------------  --------  -----------  ------  -------

System Contact:
System Location:

Configuring SNMPv3
This example shows how to complete a basic SNMPv3 configuration. The
commands create a view that includes objects from the internet MIB subtree
(OID 1.3.6.1), which includes all objects on the switch. Note that, unlike
the built-in Default view shown in the show snmp views output at the end of
this example, this view excludes nothing, so it also covers the USM user,
VACM, and community tables.
The user named admin has read-write privileges to all objects within the view
(in other words, all objects on the switch) after supplying the appropriate
authentication credentials (secretkey, a placeholder to be replaced with a
strong password).
To configure the switch:
1 Configure the view view_snmpv3 and specify the objects to include.
console#configure
console(config)#snmp-server view view_snmpv3 internet included
2 Create the group group_snmpv3 and allow read-write access to the view
configured in the previous step.
console(config)#snmp-server group group_snmpv3 v3 auth read view_snmpv3 write view_snmpv3
3 Create the user admin, assign the user to the group, and specify the
authentication credentials.
console(config)#snmp-server user admin group_snmpv3 auth-md5 secretkey
4 Specify the IP address of the host where traps are to be sent. Packet
authentication using HMAC-MD5 (the auth-md5 method configured for the admin
user) is enabled for the traps; no priv option is given, so the traps are
authenticated but not encrypted.
console(config)#snmp-server v3-host 192.168.3.35 admin traps auth
console(config)#exit
5 View the current SNMP configuration on the switch. The output includes
the SNMPv1/2 configuration from the previous example.
console#show snmp

Community-String     Community-Access View Name IP Address
-------------------- ---------------- --------- -------
private              Read/Write       Default   All
public               Read Only        Default   All

Community-String  Group Name     IP Address
----------------- -------------- ------------
private           DefaultWrite   All
public            DefaultRead    All

Traps are enabled.
Authentication trap is enabled.

Version 1,2 notifications
Target Addr.  Type  Community  Version  UDP Port  Filter Name  TO Sec  Retries
------------  ----  ---------  -------  --------  -----------  ------  -------
192.168.3.65  Trap  public     1        162

Version 3 notifications
Target Addr.  Type  Username  Security Level  UDP Port  Filter Name  TO Sec  Retries
------------  ----  --------  --------------  --------  -----------  ------  -------
192.168.3.35  Trap  admin     Auth-NoPriv     162                    15      3

System Contact:
System Location:
console#show snmp views

Name               OID Tree                 Type
------------------ ------------------------ ------------
Default            iso                      Included
Default            snmpVacmMIB              Excluded
Default            usmUser                  Excluded
Default            snmpCommunityTable       Excluded
view_snmpv3        internet                 Included
DefaultSuper       iso                      Included

console#show snmp group

Name          Context Prefix  Model  Security Level  Read Views     Write          Notify
------------  --------------  -----  --------------  -------------  -------------  -------------
DefaultRead   ""              V1     NoAuth-NoPriv   Default        ""             Default
DefaultRead   ""              V2     NoAuth-NoPriv   Default        ""             Default
DefaultSuper  ""              V1     NoAuth-NoPriv   DefaultSuper   DefaultSuper   DefaultSuper
DefaultSuper  ""              V2     NoAuth-NoPriv   DefaultSuper   DefaultSuper   DefaultSuper
DefaultWrite  ""              V1     NoAuth-NoPriv   Default        Default        Default
DefaultWrite  ""              V2     NoAuth-NoPriv   Default        Default        Default
group_snmpv3  ""              V3     Auth-NoPriv     view_snmpv3    view_snmpv3    ""

console#show snmp user

Name       Group Name     Auth Meth  Priv Meth  Remote Engine ID
---------  -------------  ---------  ---------  ----------------------
admin      group_snmpv3   MD5                   800002a203001ec9aaaa07
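The show snmp views output above makes the difference between the two views concrete: Default includes iso but then excludes the VACM, USM user, and community tables, while view_snmpv3 includes internet with no exclusions. The following Python is an added example and not Dell's code; it applies the matching rule that VACM views (RFC 3415) and notification filters (RFC 3413) share, so the same function answers "can this community or user see this OID?" for the snmp-server view command and "will this trap be sent?" for the snmp-server filter command. OID_NAMES is a constructed lookup for the symbolic names the switch prints; the value it ranks a `*` wildcard at for tie-breaking is an assumption, since the page does not say what the switch stores for it.

```python
"""Membership test for SNMP MIB views and notification filters.

Added example, not Dell's code. Rule (RFC 3415 / RFC 3413): every entry whose
subtree, with '*' as a wildcard sub-identifier, is a prefix of the OID matches;
the longest matching subtree decides included/excluded; an OID that no entry
matches is excluded. OID_NAMES is a constructed lookup for the symbolic names
that appear in this chapter's "show snmp views" output.
"""
from typing import List, Optional, Tuple

OID_NAMES = {
    "iso": "1",
    "internet": "1.3.6.1",
    "system": "1.3.6.1.2.1.1",
    "snmpVacmMIB": "1.3.6.1.6.3.16",             # RFC 3415 access-control tables
    "usmUser": "1.3.6.1.6.3.15.1.2",             # RFC 3414; usmUserTable is .2 below it
    "snmpCommunityTable": "1.3.6.1.6.3.18.1.1",  # RFC 3584 community table
}

Entry = Tuple[str, str]  # (oid-tree, "included" | "excluded")


def parse_oid(text: str) -> List[Optional[int]]:
    """'1.3.*.4' -> [1, 3, None, 4]; symbolic names are resolved first."""
    text = OID_NAMES.get(text, text)
    return [None if part == "*" else int(part) for part in text.split(".")]


def in_view(entries: List[Entry], oid: str) -> bool:
    """True if `oid` is visible through the view (or passes the filter)."""
    target = parse_oid(oid)
    best_key = None
    best_type = "excluded"  # no matching entry means excluded
    for subtree, vtype in entries:
        sub = parse_oid(subtree)
        if len(sub) > len(target):
            continue
        if any(s is not None and s != t for s, t in zip(sub, target)):
            continue
        # Longest subtree wins; equal lengths tie-break on the lexicographically
        # greatest subtree. Wildcards rank as 0 here (assumption, see lead-in).
        key = (len(sub), [0 if s is None else s for s in sub])
        if best_key is None or key > best_key:
            best_key, best_type = key, vtype
    return best_type == "included"


# The two views from this chapter, as printed by "show snmp views".
DEFAULT_VIEW: List[Entry] = [
    ("iso", "included"),
    ("snmpVacmMIB", "excluded"),
    ("usmUser", "excluded"),
    ("snmpCommunityTable", "excluded"),
]
VIEW_SNMPV3: List[Entry] = [("internet", "included")]


def compare_views(oid: str) -> dict:
    """Report which of the two views exposes `oid`."""
    return {"Default": in_view(DEFAULT_VIEW, oid),
            "view_snmpv3": in_view(VIEW_SNMPV3, oid)}


if __name__ == "__main__":
    for label, oid in [("sysDescr.0", "1.3.6.1.2.1.1.1.0"),
                       ("usmUserTable", "1.3.6.1.6.3.15.1.2.2"),
                       ("snmpCommunityName", "1.3.6.1.6.3.18.1.1.1.2")]:
        print(f"{label:18} {compare_views(oid)}")
```

Run against the two views, sysDescr is visible through both, while the USM user table and the community table are visible only through view_snmpv3. Since group_snmpv3 has view_snmpv3 as its write view as well, a view built as `internet included` plus the same three `excluded` entries the Default view uses is the tighter choice unless the SNMPv3 user is meant to administer SNMP itself.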
Managing Images and Files 359
14 Managing Images and Files
This chapter describes how to upload, download, and copy files, such as
firmware images and configuration files, on the switch. The topics covered in
this chapter include:
• Image and File Management Overview
• Managing Images and Files (Web)
• Managing Images and Files (CLI)
• File and Image Management Configuration Examples
Image and File Management Overview
What Files Can Be Managed?
Dell Networking series switches maintain several different types of files on
the flash file system. Table 14-1 describes the files that you can manage. The
table also lists the type of action you can take on the file, which is one or more
of the following:
• Download the file to the switch from a remote system (or USB flash drive).
• Upload the file from the switch to a remote system (or USB flash drive).
• Copy the file from one location on the file system to another location.
NOTE: For information about the Auto Configuration feature that enables the
switch to automatically upgrade the image or load a new configuration file during
the boot process, see Automatically Updating the Image and Configuration.
Table 14-1. Files to Manage

File                   Action                   Description
image                  Download, Upload, Copy   Firmware for the switch. The switch can maintain two images: the active image and the backup image.
startup-config         Download, Upload, Copy   Contains the software configuration that loads during the boot process.
running-config         Download, Upload, Copy   Contains the current switch configuration.
backup-config          Download, Upload, Copy   An additional configuration file that serves as a backup.
Configuration script   Download, Upload         Text file with CLI commands. When you activate a script on the switch, the commands are executed and added to the running-config.
Log files              Upload                   Provides various information about events that occur on the switch. For more information, see Monitoring and Logging System Information.
SSH key files          Download                 Contains information to authenticate SSH sessions. The switch supports the following files for SSH: SSH-1 RSA Key File; SSH-2 RSA Key File (PEM Encoded); SSH-2 Digital Signature Algorithm (DSA) Key File (PEM Encoded).
SSL certificate files  Download                 Contains information to encrypt, authenticate, and validate HTTPS sessions. The switch supports the following files for SSL: SSL Trusted Root Certificate File (PEM Encoded); SSL Server Certificate File (PEM Encoded); SSL Diffie-Hellman Weak Encryption Parameter File (PEM Encoded); SSL Diffie-Hellman Strong Encryption Parameter File (PEM Encoded).
IAS Users              Download                 List of Internal Authentication Server (IAS) users for IEEE 802.1X authentication. For more information, see What is the Internal Authentication Server?

Why Is File Management Needed?
This section provides some reasons why you might choose to manage various
files.

Image Files
The switch can store two firmware images, but only one is active. The other
image file is a backup image. By default, the switch has only one image. You
might copy an image or download an image to the switch for the following
reasons:
• To create a backup image
• To upgrade the firmware as new images become available
The Dell Networking series switch image files are named as follows:
<Switch name>v<version number>.stk
Where the switch name is:
• N4000 — Dell Networking 4000 series switch firmware for: N4032, N4032F,
N4064, N4064F
• N3000_N2000 — Dell Networking 2000/3000 series switch firmware for:
N2024, N2048, N2024P, N2048P, N3024, N3024P, N3024F, N3048, N3048P
And the version number is:

Version number   Description
6.0.0.1          Four-part version number, read from left to right as follows:
6                Denotes a major release of the firmware.
0                Denotes a minor release of the firmware.
0                Denotes a scheduled maintenance release of the firmware.
1                Denotes the build number.

Version Numbering Convention
• Major release numbers start at 6.
• Minor release numbers start at 0.
• Maintenance release numbers start at 0.
• Build numbers start at 1.
Examples:
• N3000_N2000v6.0.1.3.stk — N3000/N2000 series switch firmware version
6.0.1.3. This is the third build for the first maintenance release for the
6.0 major release.
• N4000v6.1.0.1.stk — N4000 series switch firmware version 6.1.0.1. This is
the first build for the first minor release after the 6.0 major release,
i.e., release 6.1.

Configuration Files
Configuration files contain the CLI commands that change the switch from
its default configuration. The switch can maintain three separate
configuration files: startup-config, running-config, and backup-config. The
switch loads the startup-config file when the switch boots. Any configuration
changes that take place after the boot process completes are written to the
running-config file. The backup-config file does not exist until you explicitly
create one by copying an existing configuration file to the backup-config file
or downloading a backup-config file to the switch.
You can also create configuration scripts, which are text files that contains
CLI commands.
When you apply (run) a configuration script on the switch, the commands in
the script are executed in the order in which they are written as if you were
typing them into the CLI. The commands that are executed in the
configuration script are added to the running-config file.
You might upload a configuration file from the switch to a remote server for
the following reasons:
• To create a backup copy
• To use the configuration file on another switch
• To manually edit the file
You might download a configuration file from a remote server to the switch
for the following reasons:
• To restore a previous configuration
• To load the configuration copied from another switch
• To load the same configuration file on multiple switches
Use a text editor to open a configuration file and view or change its contents.
SSH/SSL Files
If you use OpenManage Switch Administrator to manage the switch over an
HTTPS connection, you must copy the appropriate certificate files to the
switch. If you use the CLI to manage the switch over an SSH connection, you
must copy the appropriate key files to the switch.
What Methods Are Supported for File Management?
You can use any of the following protocols to download files from a remote
system to the switch or to upload files from the switch to a remote system:
• TFTP
• SFTP
• SCP
• FTP
• HTTP (Web only)
• HTTPS (Web only)
TFTP, FTP, and HTTP carry the file, and any credentials it contains, in
cleartext; prefer SFTP, SCP, or HTTPS for configuration files and images.
You can also copy files between the file system on the internal flash and a
USB flash drive that is connected to the external USB port.
NOTE: You must use the CLI to manage configuration scripts. The configuration
scripting feature is not available from the web interface.
What Factors Should Be Considered When Managing Files?
Uploading and Downloading Files
To use TFTP, SFTP, SCP, or FTP for file management, you must provide the
IP address of the remote system that is running the appropriate server (TFTP,
SFTP, SCP or FTP). Make sure there is a route from the switch to the remote
system. You can use the ping command from the CLI to verify that a route
exists between the switch and the remote system.
If you are downloading a file from the remote system to the switch, be sure to
provide the correct path to the file and the correct file name.
Managing Images
When you download a new image to the switch, it overwrites the backup
image, if it exists. To use the new image, you must activate it and reload the
switch. The image that was previously the active image becomes the backup
image after the switch reloads. If you upgrade to a newer image and find that
it is not compatible with your network, you can revert to the original image.
If you activate a new image and reload the switch, and the switch is unable to
complete the boot process due to a corrupt image or other problem, you can
use the boot menu to activate the backup image. You must be connected to
the switch through the console port to access the boot menu. The image files
may contain firmware for the PHY processors on the switch. The PHY
firmware may be updated to the firmware version supported by the switch
firmware during the boot process or, in the case of switches that support the
hot swap of cards, when the card is inserted into the switch.
Editing and Downloading Configuration Files
Each configuration file contains a list of executable CLI commands. The
commands must be complete and in a logical order, as if you were entering
them by using the switch CLI.
When you download a startup-config or backup-config file to the switch, the
new file replaces the previous version. To change the running-config file, you
execute CLI commands either by typing them into the CLI or by applying a
configuration script with the script apply command. The startup-config and
backup-config files can also be applied to the running-config by using the
script apply command.
Creating and Applying Configuration Scripts
When you use configuration scripting, keep the following considerations and
rules in mind:
• The application of scripts is partial if the script fails. For example, if
the script executes four of ten commands and the script fails, the script
stops at four, and the final six commands are not executed.
• Scripts cannot be modified or deleted while being applied.
• Validation of scripts checks for syntax errors only. It does not validate
that the script will run.
• The file extension must be .scr.
• A maximum of seven scripts are allowed on the switch.
• The combined size of all script files on the switch cannot exceed 2 MB.
• The maximum number of configuration file command lines is 2000.
You can type single-line annotations in the configuration file to improve
script readability. The exclamation point (!) character flags the beginning of a
comment. The comment flag character can begin anywhere within a single
line, and all input following this character to the end of the line is ignored.
Any line in the file that begins with the “!” character is recognized as a
comment line and ignored by the parser.
The following example shows annotations within a file (the commands are
show telnet and show serial; everything after a ! is a comment):
! Script file for displaying management access
show telnet !Displays the information about remote connections
! Display information about direct connections
show serial
! End of the script file
Managing Files on a Stack
Image files downloaded to the master unit of a stack are automatically
downloaded to all stack members. If you activate the backup image on the
master, it is activated on all units as well so that when you reload the stack, all
units use the same image.
The running-config, startup-config, and backup-config files, as well as all keys
and certificates are synchronized across the stack when the running-config
file is saved to the startup-config file.
Configuration scripts are not distributed across the stack and only exist on
the unit that is the master unit at the time of the file download.
Uploading Configuration Files by Using SNMP
When you use SNMP to upload a configuration file to a TFTP server, the
agentTransferUploadFileName object must be set to the local filename,
which is either startup-config or backup-config.
How Is the Running Configuration Saved?
Changes you make to the switch configuration while the switch is operating
are written to the running-config. These changes are not automatically
written to the startup-config. When you reload the switch, the startup-config
file is loaded. If you reload the switch (or if the switch resets unexpectedly),
any settings in the running-config that were not explicitly saved to the
startup-config are lost. You must save the running-config to the startup-
config to ensure that the settings you configure on the switch are saved across
a switch reset.
To save the running-config to the startup-config by using the web-based
interface, click (the save icon), which is available at the top of each page.
To save the running-config to the startup-config from the CLI, use the write
command.
Managing Images and Files (Web)
This section provides information about the OpenManage Switch
Administrator pages to use to manage images and files on a Dell Networking
N2000, N3000, and N4000 series switches. For details about the fields on a
page, click at the top of the page.
File System
Use the File System page to view a list of the files on the device and to modify
the image file descriptions.
To display the File System page, click System > File Management > File System in the navigation panel.
Figure 14-1. File System
Active Images
Use the Active Images page to set the firmware image to use when the switch boots. If you change the boot image, it does not become the active image until you reset the switch.
NOTE: On the N4000 series switches, the images are named active and backup.
To display the Active Images page, click System > File Management > Active Images in the navigation panel.
Figure 14-2. Active Images
USB Flash Drive
Use the USB Flash Drive page to view information about a USB flash drive
connected to the USB port on the front panel of the switch. The page also
displays information about the files stored on the USB flash drive.
A USB flash drive must be un-mounted by the operator before removing it
from the switch. If a new USB flash drive is installed without un-mounting
the previous drive, the new flash drive may not be recognized. If a USB flash
drive is removed without un-mounting it, un-mount the flash drive (i.e., use
the command unmount usb) and remove and reinstall the USB flash drive in
the switch.
To display the USB Flash Drive page, click System > File Management > USB Flash Drive in the navigation panel.
Figure 14-3. USB Flash Drive
File Download
Use the File Download page to download image (binary) files, SSH and SSL certificates, IAS User files, and configuration (ASCII) files from a remote server to the switch.
To display the File Download page, click System > File Management > File Download in the navigation panel.
Figure 14-4. File Download
Downloading Files
To download a file to the switch:
1. Open the File Download page.
2. Select the type of file to download to the switch.
3. Select the transfer mode.
   If you select a transfer mode that requires authentication, additional fields appear in the Download section. If you select HTTP as the download method, some of the fields are hidden.
4. To download using HTTP, click Browse and select the file to download, then click Apply.
5. To download using any method other than HTTP, enter the IP address of the server that contains the file to download, the name of the file and the path on the server where it is located. For SFTP and SCP, provide the user name and password.
6. Click Apply to begin the download.
Figure 14-5. File Download in Progress
7. The file is downloaded to the switch.
NOTE: If you are using HTTPS to manage the switch, the download method will be HTTPS.
NOTE: After you start a file download, the page refreshes and a transfer status field appears to indicate the number of bytes transferred. The web interface is blocked until the file download is complete.
File Upload
Use the File Upload to Server page to upload configuration (ASCII), image
(binary), IAS user, operational log, and startup log files from the switch to a
remote server.
To display the File Upload to Server page, click System > File Management > File Upload in the navigation panel.
Figure 14-6. File Upload
Uploading Files
To upload a file from the switch to a remote system:
1. Open the File Upload page.
2. Select the type of file to upload to the remote server.
3. Select the transfer mode.
   If you select a transfer mode that requires authentication, additional fields appear in the Upload section. If you select HTTP as the upload method, some of the fields are hidden.
4. To upload by using HTTP, click Apply. A dialog box opens to allow you to open or save the file.
Figure 14-7. File Upload
5. To upload by using any method other than HTTP, enter the IP address of the server and specify a name for the file. For SFTP and SCP, provide the user name and password.
6. Click Apply to begin the upload.
7. The file is uploaded to the specified location on the remote server.
NOTE: If you are using HTTPS to manage the switch, the upload method will be HTTPS.
NOTE: For some file uploads and methods, the page refreshes and a transfer status field appears to indicate the number of bytes transferred. The web interface is blocked until the file upload is complete.
Copy Files
Use the Copy Files page to:
• Copy the active firmware image on the switch to one or all members of a stack.
• Copy the running, startup, or backup configuration file to the startup or backup configuration file.
• Restore the running configuration to the factory default settings.
To display the Copy Files page, click System > File Management > Copy Files in the navigation panel.
Figure 14-8. Copy Files
Managing Images and Files (CLI)
This section provides information about the commands you use to upload, download, and copy files to and from the Dell Networking N2000, N3000, and N4000 series switches. For more information about these commands, see the Dell Networking N2000, N3000, and N4000 Series Switches CLI Reference Guide at support.dell.com/manuals. It also describes the commands that control the Auto Configuration feature.
Downloading and Activating a New Image (TFTP)
Beginning in Privileged EXEC mode, use the following commands to
download a new firmware image to the switch and to make it the active
image. This example shows how to use TFTP to download the image.
NOTE: Upload, download, and copy functions use the copy command. The basic syntax for the command is copy source destination. This section shows several different ways to use the copy command.
Command Purpose
copy tftp://{ip-address | hostname}/path/file-name image
    Use TFTP to download the firmware image at the specified source to the non-active image.
    If the image file is in the TFTP file system root (download path), you do not need to specify the path in the command.
    On N4000 series switches, use the following command:
    copy tftp://{ip-address | hostname}/path/file-name {active | backup}
show version
    View information about the currently active image.
filedescr {image1 | image2} description
    Add a description to the image files.
    On N4000 series switches, use the following command:
    filedescr {active | backup} description
boot system {image1 | image2}
    Set the image to use as the boot (active) image after the switch resets. Images on the N4032/N4064 are named active and backup.
    For N4000 series switches, use the following command:
    boot system {active | backup}
reload
    Reboot the switch to make the new image the active image.
    You are prompted to verify that you want to continue.
Managing Files in Internal Flash
Beginning in Privileged EXEC mode, use the following commands to copy,
rename, delete and list the files in the internal flash.
Command Purpose
dir
    List the files in the flash file system.
copy flash://filename usb://filename
    Copy a file from the internal flash to a USB flash drive. Use the dir command to see a list of the files that can be copied from the internal flash. Make sure a flash drive has been inserted in the USB port on the front panel before executing the command.
rename current_name new_name
    Rename a file in flash.
delete filename
    Remove the specified file.
erase {startup-config | backup-image | backup-config}
    Erase the startup configuration, the backup configuration or the backup image.
copy startup-config backup-config
    Save the startup configuration to the backup configuration file.
copy running-config startup-config
    Copy the current configuration to the startup configuration. This saves the current configuration to NVRAM.
show startup-config
    View the contents of the startup-config file.
show running-config
    View the contents of the running-config file.
Managing Files on a USB Flash Device
Beginning in Privileged EXEC mode, use the following commands to manage files that are on a USB device that is plugged into the USB flash port on the front panel of the switch.
Command Purpose
show usb device
    Display USB flash device details.
dir usb
    Display USB device contents and memory statistics.
copy usb://filename {backup-config | image | running-config | script filename | startup-config | filename}
    Copy the specified file from the USB flash device to the specified file in internal flash.
unmount usb
    Make the USB flash device inactive.
Uploading a Configuration File (SCP)
Beginning in Privileged EXEC mode, use the following commands to upload a configuration file from the switch to a remote system by using SCP.
Command Purpose
copy file scp://user@{ip-address | hostname}/path/file-name
    Uploads the specified file from the switch to the remote server. The file can be one of the following:
    • backup-config
    • image
    • operational-log
    • running-config
    • script file-name
    • startup-config
    • startup-log
Password entry
    After you enter the copy command, the CLI prompts you for the password associated with the username.
Managing Configuration Scripts (SFTP)
Beginning in Privileged EXEC mode, use the following commands to
download a configuration script from a remote system to the switch, validate
the script, and activate it.
NOTE: The startup-config and backup-config files are essentially configuration
scripts and can be validated and applied by using the commands in this section.
Command Purpose
copy sftp://user@{ip-address | hostname}/path/file-name script dest-name
    Downloads the specified script from the remote server to the switch.
Password entry
    After you enter the copy command, the CLI prompts you for the password associated with the username.
script validate script-name
    Checks the specified script for syntax errors. The script is automatically validated when you download it to the switch. You can validate again with this command.
script list
    View the list of available scripts.
script activate script-name
    Executes the commands within the script in order. The configuration changes in the script are applied to the running configuration.
script show script-name
    View the contents of the specified script.
File and Image Management Configuration Examples
This section contains the following examples:
• Upgrading the Firmware
• Managing Configuration Scripts
Upgrading the Firmware
This example for an N4032 shows how to download a firmware image to the switch and activate it. The TFTP server in this example is PumpKIN, an open source TFTP server running on a Windows system.
• TFTP server IP address: 10.27.65.103
• File path: \image
• File name: dell_0308.stk
Use the following steps to prepare the download, and then download and upgrade the switch image.
1. Check the connectivity between the switch and the TFTP server.
console#ping 10.27.65.103
Pinging 10.27.65.103 with 0 bytes of data:
Reply From 10.27.65.103: icmp_seq = 0. time <10 msec.
Reply From 10.27.65.103: icmp_seq = 1. time <10 msec.
Reply From 10.27.65.103: icmp_seq = 2. time <10 msec.
Reply From 10.27.65.103: icmp_seq = 3. time <10 msec.
----10.27.65.103 PING statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (msec) min/avg/max = <10/<10/<10
2. Copy the image file to the appropriate directory on the TFTP server. In this example, the TFTP root directory is C:\My Documents\Other\Downloads\TFTP, so the file path is images.
Figure 14-9. Image Path
3. View information about the current image.
console#show version
Image Descriptions
image1 :default image
image2 :
Images currently available on Flash
------- ------------ ------------ --------------- --------------
unit image1 image2 current-active next-active
------- ------------ ------------ --------------- --------------
1 4.1.0.7 5.0.0.8 image1 image1
4. Download the image to the switch. After you execute the copy command, you must verify that you want to start the download.
The downloaded image replaces the currently inactive image, which may be image1 or image2. Use either the active or backup keyword to have the image replace the specified image type (which takes effect only after a reboot). In the following example, the active image is replaced.
console#copy tftp://10.27.65.103/images/dell_0308.stk imageactive
Mode........................................... TFTP
Set TFTP Server IP............................. 10.27.65.103
TFTP Path...................................... images/
TFTP Filename.................................. dell_0308.stk
Data Type...................................... Code
Destination Filename........................... image
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n)y
5. Activate the new image (image2) so that it becomes the active image after the switch resets. Use either the active or backup keyword, depending on which file type you selected for replacement in step 4.
console#boot system activeimage2
Activating image activeimage2..
6. View information about the current image.
console#show bootvar
Image Descriptions
image1 :
image2 :
Images currently available on Flash
------- ------------ ------------ --------------- --------------
unit image1 image2 current-active next-active
------- ------------ ------------ --------------- --------------
1 4.1.0.7 5.0.0.8 image1 image2
7. Copy the running configuration to the startup configuration to save the current configuration to NVRAM.
console#copy running-config startup-config
This operation may take a few minutes.
Management interfaces will not be available during this time.
Are you sure you want to save? (y/n)y
Configuration Saved!
8. Reset the switch to boot the system with the new image.
console#reload
Are you sure you want to continue? (y/n)y
Reloading all switches...
Managing Configuration Scripts
This example shows how to create a configuration script that adds three
hostname-to-IP address mappings to the host table.
To configure the switch:
1. Open a text editor on an administrative computer and type the commands as if you were entering them by using the CLI.
Figure 14-10. Create Config Script
2. Save the file with an *.scr extension and copy it to the appropriate directory on your TFTP server.
3. Download the file from the TFTP server to the switch.
console#copy tftp://10.27.65.103/labhost.scr script labhost.scr
Mode........................................... TFTP
Set TFTP Server IP............................. 10.27.65.103
TFTP Path...................................... ./
TFTP Filename.................................. labhost.scr
Data Type...................................... Config Script
Destination Filename........................... labhost.scr
Management access will be blocked for the duration of the transfer
4. After you confirm the download information and the script successfully downloads, it is automatically validated for correct syntax.
Are you sure you want to start? (y/n) y
135 bytes transferred
Validating configuration script...
configure
exit
configure
ip host labpc1 192.168.3.56
ip host labpc2 192.168.3.58
ip host labpc3 192.168.3.59
Configuration script validated.
File transfer operation completed successfully.
5. Run the script to execute the commands.
console#script apply labhost.scr
Are you sure you want to apply the configuration script? (y/n)y
configure
exit
configure
ip host labpc1 192.168.3.56
ip host labpc2 192.168.3.58
ip host labpc3 192.168.3.59
Configuration script 'labhost.scr' applied.
6. Verify that the script was successfully applied.
console#show hosts
Host name: test
Name/address lookup is enabled
Name servers (Preference order): 192.168.3.20
Configured host name-to-address mapping:
Host Addresses
------------------------ ------------------------
labpc1 192.168.3.56
labpc2 192.168.3.58
labpc3 192.168.3.59
Managing Files by Using the USB Flash Drive
In this example, the administrator copies the backup image to a USB flash
drive before overwriting the backup image on the switch with a new image.
The administrator also makes a backup copy of the running-config by
uploading it to a USB flash drive. After the backups are performed, the
administrator downloads a new image from the USB flash drive to the switch
to prepare for the upgrade.
This example assumes the new image is named new_img.stk and has already
been copied from an administrative host onto the USB flash drive.
To configure the switch:
1. Insert the USB flash drive into the USB port on the front panel of the switch. The USB flash drive is automatically mounted.
2. Copy the backup image from the switch to the USB flash drive.
console#copy image usb://img_backup.stk
Mode................................... unknown
Data Type.............................. Code
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
3. Copy the running-config to the USB flash drive.
console#copy running-config usb://rc_backup.scr
Mode............................. unknown
Data Type........................ Config Script
Source Filename.................. temp-config.scr
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
4. Download the new image from the USB flash drive to the switch. The image overwrites the image that is not currently active.
console#copy usb://new_image.stk image
Mode................................... unknown
Data Type.............................. Code
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
5. To activate the new image after it has been successfully downloaded to the switch, follow the procedures described in Upgrading the Firmware, starting with step 5.
15 Automatically Updating the Image and Configuration
The topics covered in this chapter include:
• Auto Configuration Overview
• What Are the Dependencies for DHCP Auto Configuration?
• Default Auto Configuration Values
• Managing Auto Configuration (Web)
• Managing Auto Configuration (CLI)
• Auto Configuration Example
Auto Configuration Overview
The Auto Configuration feature can automatically update the firmware
image and obtain configuration information when the switch boots. Auto
Configuration begins the automatic download and installation process when
the switch or stack master is initialized and no configuration file (startup-
config) is found, or when the switch boots and loads a saved configuration
that has Auto Configuration enabled. Auto Configuration is enabled by
default. Allow downgrade is also enabled by default.
The Auto Configuration feature includes two components:
• USB Auto Configuration
• DHCP Auto Install
If no configuration file is found and the Auto Configuration feature is
enabled (which it is by default), the Auto Configuration process begins. If a
USB device is connected to the Dell Networking switch USB port and
contains the appropriate file, the switch uses the USB Auto Configuration
feature to update the configuration or image. If the USB Auto Configuration
fails - either because it is disabled, no USB storage device is present, or no
configuration or images files are present on the USB storage device, the
switch uses the DHCP Auto Install process.
What Is USB Auto Configuration?
You can use the USB Auto Configuration feature to configure or upgrade one
or more switches that have not been previously configured, such as when you
deploy new switches. Before you deploy the switch, you perform the following
steps:
1. Create a text file that contains IP addresses (and/or MAC addresses) and file names that are parsed and used by this feature. The optional MAC address used to identify the switch is the base MAC address of the switch, although the feature will accept any of the switch MAC addresses (see "Switch MAC Addresses" on page 125 for further information). The IP address is a required field in the configuration file. Refer to the example below for an explanation of the file format.
2. Copy the file onto a USB device, along with any desired switch firmware and configuration files.
3. Insert the USB device into the front-panel USB port on the Dell Networking switch.
When the Auto Configuration process starts and no startup-config file is
present on the switch, the feature automatically searches a plugged-in USB
device for information.
What Files Does USB Auto Configuration Use?
The USB Auto Configuration feature uses the following file types:
• *.setup file for initial switch configuration
• *.text file for configuration information
• *.stk file for software image installation
The Auto Configuration feature searches the USB device for a file with a *.setup extension. If only one .setup file is present, the switch uses the file. When multiple *.setup files are present, the switch uses only the dellswitch.setup file. If no dellswitch.setup file is available, the switch checks for a *.text configuration file and a *.stk image file. If multiple .text files exist, the switch uses the dellswitch.text file. If multiple *.stk files are present, the switch uses the image with the highest (most recent) version. Finally, if no *.setup, *.text, or *.stk files are found, the switch proceeds to the DHCP Auto Configuration process.
NOTE: Neither USB Configuration nor Auto Install is invoked if a valid configuration file is on the switch.
How Does USB Auto Configuration Use the Files on the USB Device?
The *.setup file can include the following information:
• MAC address of the switch (optional)
• Configuration file name (optional)
• Image file name (optional)
• IP address (mandatory)
MAC Address Lookup
The MAC address should be on the same line as the configuration file and/or
image file name to allow a specific switch (identified by its MAC address) to
be associated with a specific config file or image. If an IP address also exists
on the line, this indicates a previous binding and requires this IP address to be
configured for the management IP address.
IP Address Lookup
If the switch MAC address is not found within the .setup text file, the first
line that contains an IP address and no MAC address and is not marked in-use
will be used by the switch to assign the management IP address/netmask. The
IP address line should include the configuration filename and/or image
filename for the switch. This method allows a group of IP addresses to be
handed out without regard to the specific switch identified by the MAC
address. A switch will mark a line as invalid if it is read and failed to properly
parse if, for example, it contains an invalid configuration, a duplicate IP
address or an image file name that is not available. Once a switch selects an IP
address from the file, it adds its MAC address to the line, marks the line as in-
use, and updates the file on the USB device.
If the *.setup file contains IP addresses but no file names, the management IP
address will be assigned, and then the feature will search the USB device for
files with the .text and .stk extensions, which indicates that all switches will
be using the same configuration file and/or image on the USB device. This
method allows different IP addresses to be assigned, but the same
configuration file or image is downloaded to multiple switches.
After the current switch has been configured and/or upgraded and the
completion message is displayed on the switch, the current line in the *.setup
text file will be marked as used. This allows you to use the *.setup file for
additional switches without manually changing the file. You can then remove
the USB device and insert it into the next switch to begin the process again.
Also, the switch MAC address of the switch that has been automatically
configured is added to the beginning of the line (if no MAC address was
specified in the file) for lines using the IP address lookup method so that the
MAC and IP address combinations are recorded within the *.setup file for
future use bindings.
At the start of the next USB auto download, if all lines in the *.setup file are
marked as already “in-use” or “invalid,” and there is no MAC address match
for a switch, the process will halt, and a message similar to the following is
displayed on the console:
<###> APR 22 08:32:43 Error: Auto Configuration has
terminated due to there being no more lines available
for use within the USB file “XXXXX.setup”.
Configuration File
The *.text configuration file identified in the *.setup file contains the
running-config to be loaded on to the switch. The configuration file specified
in the *.setup file should exist on the USB device. For information about the
format and contents of the *.text file, see Editing and Downloading
Configuration Files.
Image File
If the Auto Configuration process includes a switch image upgrade, the name
of the image file should be included in the *.setup file. The specified image
file should exist on the USB device.
What Is the Setup File Format?
The setup file must have a *.setup extension or this part of the feature will
never begin. If there are multiple .setup files located on the USB device, the
dellswitch.setup file will take precedence.
The general format of the configuration file lines is as follows. The IP address
and subnet mask are required. The MAC address, configuration file, and
image file name entries are optional.
MAC_address IP_Address Subnet_Mask Config_File Image_File
The following example shows a *.setup example for two switches:
2180.c200.0010 192.168.0.10 255.255.255.0 switch-A.text N2000vR.5.4.1.stk
3380.c200.0011 192.168.0.11 255.255.255.0 switch-B.text N2000vR.5.4.1.stk
After a line has been read and implemented by the Auto Configuration
feature, it automatically adds “in-use” to the end of the line to ensure that the
information is not used for the next switch. To replicate the entire USB auto
configuration process, the “in-use” statements from the .setup file need to be
removed. Then, if the process is restarted, the MAC address/IP address
combinations will be ensured for any switch that has previously attempted
upgrade and all other switch upgrades can take place as if for the first time.
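As an added example, not Dell's own implementation, the following Python simulates the line selection described under "How Does USB Auto Configuration Use the Files on the USB Device?" (MAC lookup, then IP lookup) and the in-use and invalid marking of the setup file format above; SAMPLE_SETUP and the MAC addresses are constructed, and the switch's real parser may differ in details such as how it treats a line it has already marked invalid.

```python
"""Simulation of how a switch selects and marks a line in a USB Auto
Configuration *.setup file, following the MAC lookup, IP lookup and
"in-use"/"invalid" rules described in this guide. Added example, not
Dell's code; the switch's own parser may differ in details."""
import re

MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")
STATES = ("in-use", "invalid")

# Constructed sample, modelled on the two-line example in the guide.
SAMPLE_SETUP = [
    "2180.c200.0010 192.168.0.10 255.255.255.0 switch-A.text N2000vR.5.4.1.stk",
    "192.168.0.20 255.255.255.0 pool.text N2000vR.5.4.1.stk",
    "192.168.0.21 255.255.255.0 pool.text N2000vR.5.4.1.stk",
    "this line cannot be parsed",
]


def parse_setup_line(line):
    """Split one line into mac (optional), ip, mask, files and state.
    Returns None for a blank line; ok is False when the mandatory
    IP address / subnet mask pair is missing or malformed."""
    tokens = line.split()
    if not tokens:
        return None
    state = tokens.pop() if tokens[-1] in STATES else None
    mac = tokens.pop(0).lower() if tokens and MAC_RE.match(tokens[0]) else None
    ok = len(tokens) >= 2 and all(IPV4_RE.match(t) for t in tokens[:2])
    return {"mac": mac, "ip": tokens[0] if ok else None,
            "mask": tokens[1] if ok else None, "files": tokens[2:] if ok else [],
            "state": state, "ok": ok}


def select_setup_line(lines, switch_mac):
    """Return (index, updated_lines) for the line a switch with switch_mac
    would use; index is None when the process must halt. Lines that cannot
    be parsed or repeat an IP address are marked invalid on the way."""
    switch_mac = switch_mac.lower()
    updated = list(lines)
    parsed = [parse_setup_line(line) for line in updated]
    seen_ips = set()
    for i, entry in enumerate(parsed):
        if entry is None:
            continue
        duplicate = entry["ok"] and entry["ip"] in seen_ips
        if entry["ok"]:
            seen_ips.add(entry["ip"])
        if (not entry["ok"] or duplicate) and entry["state"] is None:
            updated[i] = updated[i].rstrip() + " invalid"
            entry["state"] = "invalid"
    # MAC lookup first: a line already bound to this switch wins, even if in use.
    chosen = next((i for i, e in enumerate(parsed) if e and e["ok"]
                   and e["state"] != "invalid" and e["mac"] == switch_mac), None)
    if chosen is None:
        # IP lookup: first unbound line (no MAC) that is not yet in use.
        chosen = next((i for i, e in enumerate(parsed) if e and e["ok"]
                       and e["mac"] is None and e["state"] is None), None)
        if chosen is None:
            return None, updated
        # Record the binding by prepending the switch MAC to the line.
        updated[chosen] = switch_mac + " " + updated[chosen].strip()
    if parsed[chosen]["state"] != "in-use":
        updated[chosen] = updated[chosen].rstrip() + " in-use"
    return chosen, updated


def reset_setup_file(lines):
    """Remove the trailing in-use marks so the file can be replayed; the
    MAC/IP bindings recorded on the lines are kept, as the guide describes."""
    cleaned = []
    for line in lines:
        tokens = line.split()
        if tokens and tokens[-1] == "in-use":
            tokens.pop()
        cleaned.append(" ".join(tokens))
    return cleaned


def walk_switches(macs, lines=SAMPLE_SETUP):
    """Plug the same USB device into several switches in turn and report
    which line each one took."""
    picks = []
    for mac in macs:
        index, lines = select_setup_line(lines, mac)
        picks.append(index)
    return picks, lines
```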
What Is the DHCP Auto Configuration Process?
If the USB Auto Configuration fails or is not used, the switch can use a
DHCP server to obtain configuration information from a TFTP server.
DHCP Auto Configuration is accomplished in three phases:
1. Assignment or configuration of an IP address for the switch
2. Assignment of a TFTP server
3. Obtaining a configuration file for the switch from the TFTP server
Auto Configuration is successful when an image or configuration file is
downloaded to the switch or stack master from a TFTP server.
NOTE: The downloaded configuration file is not automatically saved to startup-
config. You must explicitly issue a save request (copy running-config startup-
config) in order to save the configuration.
Obtaining IP Address Information
DHCP is enabled by default on the Out-of-Band (OOB) interface on N3000
and N4000 switches. DHCP is enabled by default on VLAN 1 on the N2000
switches. If an IP address has not been assigned, the switch issues requests for
an IP address assignment.
A network DHCP server returns the following information:
• IP address and subnet mask to be assigned to the interface
• IP address of a default gateway, if needed for IP communication
After an IP address is assigned to the switch, if a hostname is not already
assigned, Auto Configuration issues a DNS request for the corresponding
hostname. This hostname is also displayed as the CLI prompt (as in response
to the hostname command).
Obtaining Other Dynamic Information
The following information is also processed and may be returned by a BOOTP or DHCP server:
• Name of configuration file (the file field in the DHCP header or option 67) to be downloaded from the TFTP server.
• Identification of the TFTP server providing the file. The TFTP server can be identified by name or by IP address as follows:
  hostname: DHCP option 66 or the sname field in the DHCP header
  IP address: DHCP option 150 or the siaddr field in the DHCP header
When a DHCP OFFER identifies the TFTP server more than once, the DHCP client selects one of the options in the following order: sname, option 66, option 150, siaddr. If the TFTP server is identified by hostname, a DNS server is required to translate the name to an IP address.
The DHCP client on the switch also processes the name of the text file (option 125, the V-I vendor-specific Information option) which contains the path to the image file.
Obtaining the Image
Auto Configuration attempts to download an image file from a TFTP server only if no configuration file was found in the internal flash or on a USB drive, or if the saved configuration file has Auto Configuration enabled.
The network DHCP server may return a DHCP OFFER message with option 125. When configuring the network DHCP server for image downloads, you must include Option 125 and specify the Dell Enterprise Number, 674. Within the Dell section of option 125, sub-option 5 must specify the path and name of a file on the TFTP server. This file is not the image file itself, but rather a text file that contains the path and name of the image file. Upon receipt of option 125, the switch downloads the text file from the TFTP server, reads the name of the image file, and downloads the image file from the TFTP server.
After the switch successfully downloads and installs the new image, it automatically reboots. The download or installation might fail for one of the following reasons:
• The path or filename of the image on the TFTP server does not match the information specified in DHCP option 125.
• The downloaded image is the same as the current image.
• A validation check, such as the CRC checksum, fails.
If the download or installation was unsuccessful, a message is logged.
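The following added example (not Dell code and not part of this guide) shows what the option 125 payload described above looks like on the wire and how a receiver can parse it defensively. It assumes the Vendor-Identifying Vendor-Specific Information layout of RFC 3925 (4-byte enterprise number, 1-byte length, then 1-byte code / 1-byte length sub-options); the enterprise number 674 and sub-option 5 come from the text, the sample file path is constructed.

```python
"""Encode and decode the DHCP option 125 payload used for Auto Image
download: a Dell enterprise section (674) whose sub-option 5 names the
TFTP text file that in turn names the image.  Added example, not Dell code;
the RFC 3925 encoding is assumed."""
import struct

DELL_ENTERPRISE = 674          # Dell Enterprise Number given in the manual
IMAGE_TEXTFILE_SUBOPT = 5      # sub-option 5 of the Dell section (from the manual)


def encode_option125(sections):
    """sections: {enterprise_number: {subopt_code: bytes}} -> option data
    (the bytes that follow the option code and overall length)."""
    out = bytearray()
    for enterprise, subopts in sections.items():
        body = bytearray()
        for code, data in subopts.items():
            if not 0 <= code <= 255 or len(data) > 255:
                raise ValueError("sub-option code/length out of range")
            body += struct.pack("!BB", code, len(data)) + data
        if len(body) > 255:
            raise ValueError("enterprise section too long")
        out += struct.pack("!IB", enterprise, len(body)) + body
    return bytes(out)


def decode_option125(data):
    """Parse option data into {enterprise: {code: bytes}}.  Length fields
    that run past the end of the option raise ValueError instead of being
    read as garbage, which is what a DHCP client should do with a
    malformed OFFER."""
    sections = {}
    i = 0
    while i < len(data):
        if i + 5 > len(data):
            raise ValueError("truncated enterprise header")
        enterprise, length = struct.unpack_from("!IB", data, i)
        i += 5
        end = i + length
        if end > len(data):
            raise ValueError("enterprise section length exceeds option data")
        subopts = {}
        while i < end:
            if i + 2 > end:
                raise ValueError("truncated sub-option header")
            code, slen = data[i], data[i + 1]
            i += 2
            if i + slen > end:
                raise ValueError("sub-option length exceeds enterprise section")
            subopts[code] = data[i:i + slen]
            i += slen
        sections[enterprise] = subopts
    return sections


def dell_image_textfile(option_data):
    """Return the path of the text file naming the image, or None when the
    OFFER has no Dell section or no sub-option 5."""
    subopts = decode_option125(option_data).get(DELL_ENTERPRISE, {})
    path = subopts.get(IMAGE_TEXTFILE_SUBOPT)
    return path.decode("ascii") if path is not None else None


if __name__ == "__main__":
    # constructed sample path; the real value is whatever you place on the TFTP server
    payload = encode_option125({DELL_ENTERPRISE: {IMAGE_TEXTFILE_SUBOPT: b"images/n2000-image.txt"}})
    print(payload.hex(), "->", dell_image_textfile(payload))
```

Because the switch fetches whatever path this option names and then whatever image that text file names, the DHCP and TFTP servers on the management segment are part of the switch's trust base; restricting who can answer DHCP on that segment (DHCP snooping on upstream switches) is the usual control.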
Obtaining the Configuration File
If the DHCP OFFER identifies a configuration file, either as option 67 or in the file field of the DHCP header, the switch attempts to download the configuration file.
NOTE: In a stack of switches, the downloaded image is pushed to all members attached to the stack at the time of download. For members that join the stack after the download, the Stack Firmware Synchronization feature will push the latest image to all members.
NOTE: The configuration file is required to have a file type of *.cfg.
The TFTP client makes three unicast requests. If the unicast attempts fail, or
if the DHCP OFFER did not specify a TFTP server address, the TFTP client
makes three broadcast requests.
If the DHCP server does not specify a configuration file or download of the
configuration file fails, the Auto Configuration process attempts to download
a configuration file with the name dell-net.cfg. The switch unicasts or
broadcasts TFTP requests for a network configuration file in the same
manner as it attempts to download a host-specific configuration file.
The default network configuration file consists of a set of IP address-to-hostname mappings, using the command ip host hostname address. The switch finds its own IP address, as learned from the DHCP server, in the configuration file and extracts its hostname from the matching command. If the default network configuration file does not contain the switch's IP address, the switch attempts a reverse DNS lookup to resolve its hostname.
A sample dell-net.cfg file follows:
config
...
ip host switch1 192.168.1.10
ip host switch2 192.168.1.11
... <other hostname definitions>
exit
Once a hostname has been determined, the switch issues a TFTP request for a file named hostname.cfg, where hostname is the first thirty-two characters of the switch's hostname.
If the switch is unable to map its IP address to a hostname, Auto Configuration sends TFTP requests for the default configuration file host.cfg.
Table 15-1 summarizes the config files that may be downloaded and the order in which they are sought. Table 15-2 displays the determining factors for issuing unicast or broadcast TFTP requests.
Table 15-1. Configuration File Possibilities
Order Sought | File Name    | Description                                                 | Final File Sought
-------------|--------------|-------------------------------------------------------------|------------------
1            | bootfile.cfg | Host-specific config file, ending in a *.cfg file extension | Yes
2            | dell-net.cfg | Default network config file                                 | No
3            | hostname.cfg | Host-specific config file, associated with hostname         | Yes
4            | host.cfg     | Default config file                                         | Yes
Table 15-2. TFTP Request Types
TFTP Server Address Available | Host-specific Switch Config Filename Available | TFTP Request Method
------------------------------|------------------------------------------------|--------------------
Yes | Yes | Issue a unicast request for the host-specific router config file to the TFTP server
Yes | No  | Issue a unicast request for a default network or router config file to the TFTP server
No  | Yes | Issue a broadcast request for the host-specific router config file to any available TFTP server
No  | No  | Issue a broadcast request for the default network or router config file to any available TFTP server
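The following added example (not Dell code) models the search order of Table 15-1 and the request method of Table 15-2 as described in the preceding paragraphs: the hostname lookup in dell-net.cfg, the 32-character truncation, the fallback to host.cfg, and the three unicast attempts followed by three broadcast attempts. The reverse-DNS step is passed in as a callable so the logic runs offline; the sample dell-net.cfg text is constructed from the manual's example.

```python
"""Model of the Auto Configuration config-file search order and the
unicast/broadcast TFTP request plan.  Added example that follows the
manual's description; it is not switch code."""
import re

RETRY_COUNT = 3          # manual default for boot host retry-count
HOSTNAME_MAX = 32        # first thirty-two characters of the hostname

# 'ip host <name> <addr>' lines as found in dell-net.cfg
IP_HOST_RE = re.compile(r"^\s*ip host\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def hostname_from_dell_net(cfg_text, switch_ip):
    """Return <name> from the 'ip host <name> <addr>' line whose address is
    the switch's own DHCP-learned address, or None if absent."""
    for line in cfg_text.splitlines():
        m = IP_HOST_RE.match(line)
        if m and m.group(2) == switch_ip:
            return m.group(1)
    return None


def config_file_search_order(bootfile, dell_net_cfg, switch_ip, reverse_dns):
    """Return [(file name, is_final), ...] in the order the switch requests
    them; it stops at the first final file that downloads successfully,
    and dell-net.cfg is only consulted to learn the hostname.
    bootfile: name from option 67 / the file field, or None.
    dell_net_cfg: text of dell-net.cfg if it was fetched, else None.
    reverse_dns: callable ip -> hostname or None (assumed interface)."""
    order = []
    if bootfile:
        if not bootfile.lower().endswith(".cfg"):
            raise ValueError("configuration file is required to have a .cfg file type")
        order.append((bootfile, True))
    order.append(("dell-net.cfg", False))
    hostname = None
    if dell_net_cfg is not None:
        hostname = hostname_from_dell_net(dell_net_cfg, switch_ip)
    if hostname is None:
        hostname = reverse_dns(switch_ip)
    if hostname:
        order.append((hostname[:HOSTNAME_MAX] + ".cfg", True))
    else:
        order.append(("host.cfg", True))
    return order


def tftp_request_plan(server_known, retries=RETRY_COUNT):
    """Unicast attempts first when the OFFER named a TFTP server, then
    broadcast attempts; broadcast only when no server was named."""
    plan = ["unicast"] * retries if server_known else []
    return plan + ["broadcast"] * retries


# constructed sample, mirroring the dell-net.cfg shown in the manual
DELL_NET_SAMPLE = """config
ip host switch1 192.168.1.10
ip host switch2 192.168.1.11
exit
"""

if __name__ == "__main__":
    for step in config_file_search_order(None, DELL_NET_SAMPLE, "192.168.1.10", lambda ip: None):
        print(step)
    print(tftp_request_plan(server_known=False))
```

The broadcast fallback is worth noting from a defender's stance: when no TFTP server address was offered, any host on the segment that answers the broadcast can supply host.cfg, so the management segment should not carry untrusted hosts while switches are being auto-configured.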
Monitoring and Completing the DHCP Auto Configuration Process
When the switch boots and triggers an Auto Configuration, a message
displays on the console screen to indicate that the process is starting. After
the process completes, the Auto Configuration process writes a log message.
When Auto Configuration has successfully completed, you can execute a show running-config command to validate the contents of the configuration.
Saving a Configuration
The Auto Configuration feature includes an AutoSave capability that allows
the downloaded configuration to be automatically saved; however, AutoSave
is disabled by default. If AutoSave has not been enabled, you must explicitly
save the downloaded configuration in nonvolatile memory on the stack
master. This makes the configuration available for the next reboot. In the CLI, this is performed by issuing a write command or a copy running-config startup-config command, and should be done after validating the contents of the saved configuration.
Stopping and Restarting the Auto Configuration Process
You can terminate the Auto Configuration process at any time before the
image or configuration file is downloaded. This is useful when the switch is
disconnected from the network. Termination of the Auto Configuration
process ends further periodic requests for a host-specific file.
The Auto Configuration process automatically starts after a reboot if the
configuration file is not found on the switch. The configuration file will not
be found if it has never been saved on the switch, or if you issue a command
to erase the configuration file (clear config or erase startup-config).
Managing Downloaded Config Files
The configuration files downloaded by Auto Configuration are stored in the
nonvolatile memory as .scr files. The files may be managed (viewed or
deleted) along with files downloaded by the configuration scripting utility.
A file is not automatically deleted after it is downloaded. The file does not
take effect upon a reboot unless you explicitly save the configuration (the
saved configuration takes effect upon reboot). If you do not save the
configuration downloaded by the Auto Configuration feature, the Auto
Configuration process occurs again on a subsequent reboot. This may result
in one of the previously downloaded files being overwritten.
What Are the Dependencies for DHCP Auto Configuration?
The Auto Configuration process from TFTP servers depends upon the following network services:
• A DHCP server must be configured on the network with appropriate services.
• An image file and a text file containing the image file name for the switch must be available from a TFTP server if DHCP image download is desired.
• A configuration file (identified either by the bootfile field or by option 67) for the switch must be available from a TFTP server.
• The switch must be connected to the network and have a Layer 3 interface that is in an UP state.
• A DNS server must contain an IP address to hostname mapping for the TFTP server if the DHCP server response identifies the TFTP server by name.
• A DNS server must contain an IP address to hostname mapping for the switch if a <hostname>.cfg file is to be downloaded.
• If a default gateway is needed to forward TFTP requests, an IP helper address for TFTP needs to be configured on the default gateway.
Default Auto Configuration Values
Table 15-3 describes the Auto Configuration defaults.
Table 15-3. Auto Configuration Defaults
Feature | Default | Description
--------|---------|------------
Auto Install Mode | Enabled | When the switch boots and no saved configuration is found, the Auto Configuration automatically begins.
Retry Count | 3 | When the DHCP or BootP server returns information about the TFTP server and bootfile, the switch makes three unicast TFTP requests for the specified bootfile. If the unicast attempts fail or if a TFTP server address was not provided, the switch makes three broadcast requests to any available TFTP server for the specified bootfile.
AutoSave | Disabled | If the switch is successfully auto-configured, the running configuration is not saved to the startup configuration.
AutoReboot | Enabled | After an image is successfully downloaded during the Auto Configuration process, the switch automatically reboots and makes the downloaded image the active image.
Managing Auto Configuration (Web)
This section provides information about the OpenManage Switch Administrator pages to use to manage images and files on Dell Networking N2000, N3000, and N4000 series switches. For details about the fields on a page, click at the top of the page.
Auto-Install Configuration
Use the Auto-Install Configuration page to allow the switch to obtain network information (such as the IP address and subnet mask) and automatically download a host-specific or network configuration file during the boot process if no startup-config file is found.
To display the Auto Configuration page, click System → General → Auto-Install Configuration in the navigation panel.
Figure 15-1. Auto-Install Configuration
Managing Auto Configuration (CLI)
This section provides information about the commands you use to manage the Auto-Install Configuration feature on the switch. For more information about these commands, see the Dell Networking N2000, N3000, and N4000 Series Switches CLI Reference Guide at support.dell.com/manuals.
Managing Auto Configuration
Beginning in Privileged EXEC mode, use the following commands to
manually activate the Auto Configuration process and download a
configuration script from a remote system to the switch, validate the script,
and activate it.
NOTE: The Auto Configuration feature begins automatically when the switch is
booted and no startup-config file is found or if the system boots and finds the
boot host dhcp command in the startup-config file.
Command | Purpose
--------|--------
configure | Enter Global Configuration mode.
boot host dhcp | Enable Auto Configuration for the next reboot cycle. The command does not change the current behavior of Auto Configuration, but it does save the command to NVRAM.
boot host auto-save | Allow the switch to automatically save the configuration file downloaded to the switch by the Auto Configuration feature.
boot host retry-count retries | Specify the number of attempts to download the file (by sending unicast TFTP requests, and if unsuccessful, broadcast TFTP requests) specified in the response from the DHCP server. The range for retries is 1–3.
boot host auto-reboot | Allow the switch to automatically reboot when the image is successfully downloaded through the Auto Configuration feature.
exit | Exit to Privileged EXEC mode.
show boot | Display the current status of the Auto Configuration process.
Auto Configuration Example
A network administrator is deploying three Dell Networking switches and
wants to quickly and automatically install the latest image and a common
configuration file that configures basic settings such as VLAN creation and
membership, RADIUS server settings, and 802.1X information. The
configuration file also contains the command boot host autosave so that the
downloaded configuration is automatically saved to the startup config.
This section describes two ways to enable automatic configuration file download:
• Enabling USB Auto Configuration and Auto Image Download
• Enabling DHCP Auto Configuration and Auto Image Download
Enabling USB Auto Configuration and Auto Image Download
This example describes how to deploy three switches and automatically install a custom configuration file on the switch and upgrade each switch with the latest software image by using the USB Auto Configuration feature. The switches have the following MAC addresses:
• Switch A: 001E.C9AA.AC17
• Switch B: 001E.C9AA.AC20
• Switch C: 001E.C9AA.AC33
To configure each switch with a static IP address, you can include the IP address in the .setup file or in the configuration file (.text) for the switch. Otherwise, the switch can obtain an IP address from a DHCP server on the network.
To use USB auto configuration:
1. Create a default config file for each switch. The configuration files are named switchA.txt, switchB.txt, and switchC.txt. For information about creating configuration files, see Managing Images and Files.
2. Copy the configuration files to a USB device.
3. Copy the image file to the device. In this example, the image file that each switch will download is named N2000vR.5.4.1.stk.
4. Create a setup file named dellswitch.setup. The setup file contains the following lines:
001E.C9AA.AC17 switchA.txt N2000vR.5.4.1.stk
001E.C9AA.AC20 switchB.txt N2000vR.5.4.1.stk
001E.C9AA.AC33 switchC.txt N2000vR.5.4.1.stk
5. Copy the dellswitch.setup file to the USB device.
6. Connect the USB device to Switch A.
7. Connect Switch A to the network. Make sure that a port (OOB port for out-of-band management or any switch port for in-band management) is connected to the network and that a DHCP server is accessible on the network.
8. Insert the USB device into the USB port on the front panel of Switch A.
9. Power on Switch A. If no startup-config file is found, the Easy Startup wizard will begin. Press N to skip the Easy Startup wizard and the USB Auto Configuration process will begin. If necessary, delete the startup-config file and reboot the switch.
The configuration in the switchA.txt file is downloaded to the switch, and the management interface acquires network information. After the process completes, a message displays to indicate the status. The dellswitch.setup file is updated to add the term in-use to the end of the line. The N2000vR.5.4.1.stk image is also downloaded to the switch.
10. Remove the USB device from Switch A and insert it into Switch B.
11. Repeat the process to connect a port to the network. Power on the switch to begin the USB Auto Configuration process on Switch B.
12. Remove the USB device from Switch B after the process completes, and repeat the steps to perform the USB Auto Configuration process on Switch C.
NOTE: This .setup file does not provide the switch with a static IP address. However, the switchA.txt, switchB.txt, and switchC.txt files can contain the commands required to configure a static IP address on each switch. Otherwise, the switch will use DHCP to attempt to acquire an IP address.
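The following added example (not Dell code) parses the dellswitch.setup format used in the procedure above, selects the line for a given switch MAC address, and appends the in-use marker the way the text says the switch does after a successful run. The sample file contents are constructed from the manual's three lines; the tokenizing rules (whitespace-separated fields, in-use as a fourth field) are an assumption about the format.

```python
"""Reader/updater for the USB Auto Configuration setup file:
one line per switch, '<MAC> <config file> <image file>', with 'in-use'
appended once that switch has consumed the line.  Added example, not Dell
code; exact tokenizing rules of the switch are assumed."""

# constructed sample: the manual's file after Switch B has already run
SETUP_SAMPLE = """001E.C9AA.AC17 switchA.txt N2000vR.5.4.1.stk
001E.C9AA.AC20 switchB.txt N2000vR.5.4.1.stk in-use
001E.C9AA.AC33 switchC.txt N2000vR.5.4.1.stk
"""


def normalize_mac(mac):
    """Accept 001E.C9AA.AC17, 00:1e:c9:aa:ac:17 or 00-1E-C9-AA-AC-17 and
    return the dotted upper-case form used in the setup file."""
    hexdigits = "".join(c for c in mac if c.isalnum()).upper()
    if len(hexdigits) != 12 or any(c not in "0123456789ABCDEF" for c in hexdigits):
        raise ValueError("bad MAC address: %r" % mac)
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def parse_setup(text):
    """Return a list of dicts with keys mac, config, image, in_use."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("line %d: expected '<MAC> <config> <image>'" % lineno)
        entries.append({
            "mac": normalize_mac(fields[0]),
            "config": fields[1],
            "image": fields[2],
            "in_use": len(fields) > 3 and fields[3] == "in-use",
        })
    return entries


def lookup(entries, mac):
    """The not-yet-consumed entry for this switch, or None."""
    want = normalize_mac(mac)
    for e in entries:
        if e["mac"] == want and not e["in_use"]:
            return e
    return None


def mark_in_use(text, mac):
    """Return the setup file text with 'in-use' appended to the line for
    mac, as the switch does after a successful run."""
    want = normalize_mac(mac)
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if fields and normalize_mac(fields[0]) == want and "in-use" not in fields:
            raw = raw.rstrip() + " in-use"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    entries = parse_setup(SETUP_SAMPLE)
    print(lookup(entries, "00:1e:c9:aa:ac:33"))
    print(mark_in_use(SETUP_SAMPLE, "001E.C9AA.AC17"))
```

Checking the in-use marker before acting on a line is the behaviour to preserve: a USB device that is passed between switches must not re-provision a switch whose line was already consumed.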
Enabling DHCP Auto Configuration and Auto Image Download
If no USB device is connected to the USB port on the Dell Networking switch
and no configuration file is found during the boot process, the Auto
Configuration feature uses the DHCP Auto Configuration process to
download the configuration file to the switch. This example describes the
procedures to complete the configuration.
To use DHCP auto configuration:
1. Create a default config file for the switches named host.cfg. For information about creating configuration files, see Managing Images and Files.
2. Upload the host.cfg file to the TFTP server.
3. Upload the image file to the TFTP server.
4. Configure an address pool on the DHCP server that contains the following information:
   a. The IP address (yiaddr) and subnet mask (option 1) to be assigned to the interface
   b. The IP address of a default gateway (option 3)
   c. DNS server address (option 6)
   d. Name of config file for each host
   e. Identification of the TFTP server by hostname (DHCP option 66 or the sname field in the DHCP header) or IP address (DHCP option 150 or the siaddr field in the DHCP header)
   f. Name of the text file (option 125, the V-I Vendor-Specific Information option) that contains the path to the image file.
5. Connect a port (OOB port for out-of-band management or any switch port for in-band management) on each switch to the network.
6. Boot the switches.
Easy Image Upgrade via USB
If a USB device is detected during bootup and there is an image on the USB
device, and the switch has no startup config file, then the image version is
checked against the active image version. If a newer image version is found on
the USB device, the image is copied to the switch and the switch reloads
using the new image.
1. Copy the startup-config file to the backup-config; e.g., copy startup-config backup-config.
2. Delete the startup-config file; e.g., del startup-config.
3. Put the new image on a cleanly formatted USB stick and insert the USB stick into the stack master.
4. Reboot the stack master and skip the Easy Startup configuration wizard by pressing N when prompted.
5. After the upgrade completes, copy the backup-config to the startup-config, remove the USB stick, and reload the stack. The startup configuration is migrated to the new syntax when loaded into the running-config. Check the running-config, make any necessary adjustments, and then save the running-config into the startup-config.
16 Monitoring Switch Traffic
This chapter describes sFlow features, Remote Monitoring (RMON), and
Port Mirroring features.
The topics covered in this chapter include:
• Traffic Monitoring Overview
• Default Traffic Monitoring Values
• Monitoring Switch Traffic (Web)
• Monitoring Switch Traffic (CLI)
• Traffic Monitoring Configuration Examples
Traffic Monitoring Overview
The switch maintains statistics about network traffic that it handles. It also
has embedded technology that collects and sends information about traffic to
other devices. Dell Networking series switches include support for flow-based
monitoring through sFlow and Remote Network Monitoring (RMON)
agents.
What is sFlow Technology?
sFlow is an industry standard technology for monitoring high-speed switched
and routed networks. Dell Networking N2000, N3000, and N4000 series
switches software has a built-in sFlow agent that can monitor network traffic
on each port and generate sFlow data to an sFlow receiver (also known as a
collector). sFlow helps to provide visibility into network activity, which
enables effective management and control of network resources. sFlow is an
alternative to the NetFlow network protocol, which was developed by Cisco
Systems. The switch supports sFlow version 5.
As illustrated in Figure 16-1, the sFlow monitoring system consists of sFlow
Agents (such as Dell Networking series switches) and a central sFlow receiver.
sFlow Agents use sampling technology to capture traffic statistics from
monitored devices. sFlow datagrams forward sampled traffic statistics to the
sFlow Collector for analysis. You can specify up to eight different sFlow
receivers to which the switch sends sFlow datagrams.
Figure 16-1. sFlow Architecture
The advantages of using sFlow are:
• It is possible to monitor all ports of the switch continuously, with no impact on the distributed switching performance.
• Minimal memory/CPU is required. Samples are not aggregated into a flow table on the switch; they are forwarded immediately over the network to the sFlow receiver.
• The sFlow system is tolerant to packet loss in the network because statistical modeling means the loss is equivalent to a slight change in the sampling rate.
• An sFlow receiver can receive data from multiple switches, providing a real-time synchronized view of the whole network.
• The receiver can analyze traffic patterns based on protocols found in the headers (e.g., TCP/IP, IPX, Ethernet, AppleTalk…). This alleviates the need for a layer 2 switch to decode and understand all protocols.
sFlow Sampling
The sFlow Agent in the Dell Networking software uses two forms of sampling:
Statistical packet-based sampling of switched or routed Packet Flows
Time-based sampling of counters
Packet Flow Sampling and Counter Sampling are performed by sFlow
Instances associated with individual Data Sources within an sFlow Agent.
Both types of samples are combined in sFlow datagrams. Packet Flow
Sampling creates a steady, but random, stream of sFlow datagrams that are
sent to the sFlow Collector. Counter samples may be taken opportunistically
to fill these datagrams.
To perform Packet Flow Sampling, an sFlow Sampler Instance is configured
with a Sampling Rate. Packet Flow sampling results in the generation of
Packet Flow Records. To perform Counter Sampling, an sFlow Poller Instance
is configured with a Polling Interval. Counter Sampling results in the
generation of Counter Records. sFlow Agents collect Counter Records and
Packet Flow Records and send them as sFlow datagrams to sFlow Collectors.
Packet Flow Sampling
Packet Flow Sampling, carried out by each sFlow instance, ensures that any
packet observed at a Data Source has an equal chance of being sampled,
irrespective of the Packet Flow(s) to which it belongs.
Packet Flow Sampling is accomplished as follows:
• A packet arrives on an interface.
• The Network Device makes a filtering decision to determine whether the packet should be dropped.
• If the packet is not filtered (dropped), a destination interface is assigned by the switching/routing function.
• A decision is made on whether or not to sample the packet. The mechanism involves a counter that is decremented with each packet. When the counter reaches zero, a sample is taken.
• When a sample is taken, the counter indicating how many packets to skip before taking the next sample is reset. The value of the counter is set to a random integer, where the mean of the sequence of random integers used over time is the Sampling Rate.
Counter Sampling
The primary objective of Counter Sampling is to efficiently, periodically
export counters associated with Data Sources. A maximum Sampling Interval
is assigned to each sFlow instance associated with a Data Source.
Counter Sampling is accomplished as follows:
• sFlow Agents keep a list of counter sources being sampled.
• When a Packet Flow Sample is generated, the sFlow Agent examines the list and adds counters to the sample datagram, least recently sampled first. Counters are only added to the datagram if the sources are within a short period, 5 seconds say, of failing to meet the required Sampling Interval.
• Periodically, say every second, the sFlow Agent examines the list of counter sources and sends any counters that must be sent to meet the sampling interval requirement.
The set of counters is a fixed set.
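The following added example (not the Dell sFlow agent, and not part of this guide) simulates the two mechanisms described in the Packet Flow Sampling and Counter Sampling sections above: the skip counter that is reloaded with a random integer whose mean is the Sampling Rate, and the counter sources that ride along in flow-sample datagrams when close to their deadline and are otherwise sent by a periodic tick. The uniform distribution of the skip count and the 5-second slack are assumptions chosen to match the text; a seed parameter makes the simulation repeatable.

```python
"""Simulation of sFlow Packet Flow Sampling and Counter Sampling as
described in the manual.  Added example of the documented algorithm, not
the Dell sFlow agent; the skip-count distribution is an assumption."""
import random


class PacketFlowSampler:
    """Decrement a skip counter per packet; at zero take a sample and reload
    the counter with a random integer whose mean is the Sampling Rate
    (uniform on [1, 2*rate-1], an assumed distribution)."""

    def __init__(self, sampling_rate, seed=None):
        if sampling_rate < 1:
            raise ValueError("sampling rate must be >= 1")
        self.rate = sampling_rate
        self.rng = random.Random(seed)
        self.total = 0        # packets observed (the sample pool)
        self.samples = 0      # samples taken
        self.skip = self._next_skip()

    def _next_skip(self):
        return self.rng.randint(1, 2 * self.rate - 1)

    def observe(self):
        """Account for one forwarded packet; return True if it is sampled."""
        self.total += 1
        self.skip -= 1
        if self.skip > 0:
            return False
        self.samples += 1
        self.skip = self._next_skip()
        return True


class CounterPoller:
    """Counter sources with a polling interval.  Counters are added to a
    flow-sample datagram when within `slack` seconds of their deadline
    (least recently sent first); the periodic tick sends whatever is due."""

    def __init__(self, slack=5.0):
        self.slack = slack
        self.sources = {}     # name -> [interval, time last sent]

    def add_source(self, name, interval, now=0.0):
        self.sources[name] = [float(interval), float(now)]

    def _due_within(self, now, slack):
        due = [n for n, (iv, last) in self.sources.items() if now + slack >= last + iv]
        return sorted(due, key=lambda n: self.sources[n][1])   # least recently sent first

    def on_flow_sample(self, now):
        """Called when a flow-sample datagram is being built; returns the
        counter sources piggybacked on it."""
        names = self._due_within(now, self.slack)
        for n in names:
            self.sources[n][1] = now
        return names

    def tick(self, now):
        """Called periodically (say every second); returns sources that must
        be sent now to meet their interval."""
        names = self._due_within(now, 0.0)
        for n in names:
            self.sources[n][1] = now
        return names


if __name__ == "__main__":
    s = PacketFlowSampler(sampling_rate=4, seed=1)
    for _ in range(40000):
        s.observe()
    print("packets", s.total, "samples", s.samples)   # roughly total/rate
    p = CounterPoller()
    p.add_source("Gi1/0/1", interval=30, now=0.0)
    print(p.on_flow_sample(26.0), p.tick(40.0))
```

Because the sampler's skip count is random rather than every Nth packet, a sender cannot time traffic to fall between samples; the random reload is the property that makes sampled counts a fair estimate of the traffic a collector did not see.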
What is RMON?
Like sFlow, RMON is a technology that enables the collection and analysis of a variety of data about network traffic. Dell Networking N2000, N3000, and N4000 series switches software includes an RMON probe (also known as an RMON agent) that collects information and analyzes packets. The data that is collected is defined in the RMON MIB, RFC 2819.
RMON is defined in an Internet Engineering Task Force (IETF) specification
and is an extension of the SNMP MIB. You can view the RMON information
locally on the switch or by using a generic RMON console on a network
management station (NMS). SNMP does not need to be configured on the
switch to view the RMON data locally. However, if you use a management
station to view the RMON data that the switch collects and analyzes, you
must configure the following SNMP settings:
• Set up the SNMP community string to be used by the SNMP manager at a given IP address.
• Specify the network management system IP address or permit management access from all IP addresses.
For more information about configuring SNMP, see "Configuring SNMP" on
page 323.
The RMON agent in the switch supports the following groups:
• Group 1—Statistics. Contains cumulative traffic and error statistics.
• Group 2—History. Generates reports from periodic traffic sampling that are useful for analyzing trends.
• Group 3—Alarm. Enables the definition and setting of thresholds for various counters. Thresholds can be passed in either a rising or falling direction on existing MIB objects, primarily those in the Statistics group. An alarm is triggered when a threshold is crossed and the alarm is passed to the Event group. The Alarm group requires the Event group.
• Group 9—Event. Controls the actions that are taken when an event occurs. RMON events occur when:
  - A threshold (alarm) is exceeded
  - There is a match on certain filters.
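The following added example (not the switch's RMON agent) evaluates a rising/falling threshold pair over polled counter values, the way the Alarm group hands crossings to the Event group. It follows the RFC 2819 alarmTable semantics: after a rising event no further rising event is generated until the value has fallen to the falling threshold, and vice versa, so a counter hovering around one threshold does not flood the event log. Delta sampling and 32-bit counter wrap handling are included; the polled error-counter values are constructed.

```python
"""Rising/falling threshold evaluation in the style of the RMON alarm
group (RFC 2819 alarmTable).  Added example, not the switch's RMON agent;
the 32-bit counter width used for delta wrap handling is an assumption."""


class RmonAlarm:
    """One alarm entry: thresholds with hysteresis over absolute or delta samples."""

    def __init__(self, rising, falling, sample_type="absolute", counter_bits=32):
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        self.rising, self.falling = rising, falling
        self.sample_type = sample_type
        self.wrap = 1 << counter_bits   # assumed counter width
        self.last_raw = None
        self.last_event = None          # 'rising', 'falling' or None

    def sample(self, raw):
        """Feed one polled value; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw
                return None             # a delta needs two raw samples
            value = raw - self.last_raw
            if value < 0:
                value += self.wrap      # counter wrapped between polls
            self.last_raw = raw
        else:
            value = raw
        if value >= self.rising and self.last_event != "rising":
            self.last_event = "rising"
            return "rising"
        if value <= self.falling and self.last_event != "falling":
            self.last_event = "falling"
            return "falling"
        return None


def evaluate(alarm, samples):
    """Run polled values through an alarm; return the (sample index, event)
    pairs the Event group would act on (log entry, trap, or both)."""
    events = []
    for i, v in enumerate(samples):
        ev = alarm.sample(v)
        if ev:
            events.append((i, ev))
    return events


# constructed sample: an input-error style counter polled every interval,
# alarmed on the delta with rising threshold 100 and falling threshold 10
ERROR_COUNTER_POLLS = [0, 50, 200, 260, 265, 268, 400]

if __name__ == "__main__":
    alarm = RmonAlarm(rising=100, falling=10, sample_type="delta")
    print(evaluate(alarm, ERROR_COUNTER_POLLS))
```

The hysteresis is the part worth copying into any home-grown threshold monitor: without the falling threshold, a counter sitting just above the rising threshold would generate an event on every poll.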
What is Port Mirroring?
Port mirroring is used to monitor the network traffic that a port sends and
receives. The Port Mirroring feature creates a copy of the traffic that the
source port handles and sends it to a destination port. The source port is the
port that is being monitored. The destination port is where you would
connect a network protocol analyzer to learn more about the traffic that is
handled by the source port. Dell Networking switches support RSPAN
destinations where traffic can be tunneled across the operational network.
A port monitoring session includes one or more source ports that mirror
traffic to a single destination port. Sources can include VLANs, physical
interfaces, port-channels, the internal CPU port, or IP or MAC ACL flows.
Certain sources are not supported, for example physical members of a port-channel and VLANs that contain a LAG member. Destination ports, once configured,
no longer participate in spanning tree, IGMP/MLD snooping, or GVRP; do
not learn MAC addresses (learned MAC addresses are purged); do not
participate in routing (route entries are purged); and do not utilize any static
filter configuration. Configuration of a destination port is restored when the
port is no longer configured as a destination port.
NOTE: The switch supports RMON1.
For each source port, you can specify whether to mirror ingress traffic (traffic
the port receives, or RX), egress traffic (traffic the port sends, or TX), or both
ingress and egress traffic.
The packet that is copied to the destination port is in the same format as the
original packet on the wire. This means that if the mirror port is copying a
received packet, the copied packet is VLAN tagged or untagged as it was
received on the source port. If the mirror is copying a transmitted packet, the
copied packet is VLAN tagged or untagged as it is being transmitted on the
source port. Destinations include physical interfaces and RSPAN VLANs.
After you configure the port mirroring session, you can enable or disable the
administrative mode of the session to start or stop the probe port from
receiving mirrored traffic.
Port Mirroring Behaviors
The following behaviors are applicable to monitor ports:
• The destination port loses its VLAN configuration when port mirroring is enabled. The VLAN configuration is restored when the port is no longer configured for a monitor session. The mirrored source and the transit ports retain their VLAN configuration. Transit ports must be members of the RSPAN VLAN.
• When port mirroring is enabled, all MAC address entries associated with destination ports are purged. This prevents transmitting packets out of the port that are not seen on the mirrored port. If spanning tree is enabled, this is treated as a topology change.
• The spanning tree protocol is disabled on destination ports such that frames are always received from or transmitted out of the port as soon as the port is up (spanning tree status is forwarding and role is disabled). This is analogous to always setting the spanning tree state of the port to forwarding. When a port is no longer configured to be the destination port, spanning tree is re-enabled for that port, if configured. Note that the disabling of spanning tree on a destination port means that administrators must only connect the destination port to directly attached probes to avoid the possibility of a network loop.
• GVRP is disabled on destination ports such that GVRP PDUs are never received from or transmitted to the port. Dynamic registrations are not allowed on a destination port. The GVRP configuration at the port is maintained and is reapplied when the port is no longer part of the SPAN.
• All static filters, both source and destination, are disabled on destination ports.
• If routing is enabled on a destination port or an RSPAN VLAN, all route entries associated with that port are purged. From a routing perspective, the interface is marked as down.
• Generally, the configuration of the source port is undisturbed so that its behavior remains the same as if it was not mirrored.
• Packets locally generated by the switch and transmitted over a source port are not copied in a mirroring session.
• The internal CPU port is allowed as a source port for local monitoring sessions only (not allowed for RSPAN). If the internal CPU port is mirrored, packets received and generated by the CPU for all ports are mirrored.
NOTE: You can create a DiffServ policy class definition or an ACL that mirrors specific types of traffic to a destination port. For more information, see "Configuring Differentiated Services" on page 1285 or "Configuring Access Control Lists" on page 583.
Remote Capture
The Remote Capture feature enables mirroring packets transmitted and received by the switch CPU to a remote client for packet analysis using the Wireshark tool. This feature can be used to help diagnose switch behavior or monitor traffic sent to the switch CPU. The capture feature can also be configured to capture to a local file or to an in-memory buffer.
Why is Traffic Monitoring Needed?
Monitoring the traffic that the switch handles, as well as monitoring all traffic
in the network, can help provide information about network performance and
utilization. This information can be useful in network planning and resource
allocation. Information about traffic flows can also help troubleshoot
problems in the network.
Default Traffic Monitoring Values
The sFlow agent is enabled by default, but sampling and polling are disabled
on all ports. Additionally, no sFlow receivers (collectors) are configured.
Table 16-1 contains additional default values for the sFlow feature.
RMON is enabled by default, but no RMON alarms, events, or history
statistic groups are configured.
Port mirroring is disabled, and no ports are configured as source or destination
ports. After you configure a port mirroring session, the administrative mode is
disabled until you explicitly enable it.
Monitoring Switch Traffic (Web)
This section provides information about the OpenManage Switch Administrator pages to use to monitor network traffic on Dell Networking N2000, N3000, and N4000 series switches. For details about the fields on a page, click at the top of the page.
sFlow Agent Summary
Use the sFlow Agent Summary page to view information about sFlow MIB
and the sFlow Agent IP address.
To display the Agent Summary page, click System → sFlow → Agent Summary in the navigation panel.
Table 16-1. sFlow Defaults
Parameter | Default Value
----------|--------------
Receiver timeout for sampling | 0
Receiver port | 6343
Receiver Maximum Datagram Size | 1400 bytes
Maximum header size | 128 bytes
Figure 16-2. sFlow Agent Summary
sFlow Receiver Configuration
Use the sFlow Receiver Configuration page to configure settings for the
sFlow receiver to which the switch sends sFlow datagrams. You can configure
up to eight sFlow receivers that will receive datagrams.
To display the Receiver Configuration page, click System → sFlow → Receiver Configuration in the navigation panel.
Figure 16-3. sFlow Receiver Configuration
Click Show All to view information about configured sFlow receivers.
sFlow Sampler Configuration
Use the sFlow Sampler Configuration page to configure the sFlow sampling settings for switch ports.
To display the Sampler Configuration page, click System → sFlow → Sampler Configuration in the navigation panel.
Figure 16-4. sFlow Sampler Configuration
Click Show All to view information about configured sampler data sources.
sFlow Poll Configuration
Use the sFlow Poll Configuration page to configure how often a port should collect counter samples.
To display the Sampler Configuration page, click System → sFlow → Sampler Configuration in the navigation panel.
Figure 16-5. sFlow Poll Configuration
Click Show All to view information about the ports configured to collect
counter samples.
Interface Statistics
Use the Interface Statistics page to display statistics for both received and transmitted packets. The fields for both received and transmitted packets are identical.
To display the page, click Statistics/RMON → Table Views → Interface Statistics in the navigation panel.
Figure 16-6. Interface Statistics
Etherlike Statistics
Use the Etherlike Statistics page to display interface statistics.
To display the page, click Statistics/RMON > Table Views > Etherlike Statistics in the navigation panel.
Figure 16-7. Etherlike Statistics
GVRP Statistics
Use the GVRP Statistics page to display switch statistics for GVRP.
To display the page, click Statistics/RMON > Table Views > GVRP Statistics in the navigation panel.
Figure 16-8. GVRP Statistics
EAP Statistics
Use the EAP Statistics page to display information about EAP packets
received on a specific port. For more information about EAP, see "Configuring
Port and System Security" on page 503.
To display the EAP Statistics page, click Statistics/RMON > Table Views > EAP Statistics in the navigation panel.
Figure 16-9. EAP Statistics
Utilization Summary
Use the Utilization Summary page to display interface utilization statistics.
To display the page, click Statistics/RMON > Table Views > Utilization Summary in the navigation panel.
Figure 16-10. Utilization Summary
Counter Summary
Use the Counter Summary page to display interface utilization statistics in numeric sums as opposed to percentages.
To display the page, click Statistics/RMON > Table Views > Counter Summary in the navigation panel.
Figure 16-11. Counter Summary
Switchport Statistics
Use the Switchport Statistics page to display statistical summary information about switch traffic, address tables, and VLANs.
To display the page, click Statistics/RMON > Table Views > Switchport Statistics in the navigation panel.
Figure 16-12. Switchport Statistics
RMON Statistics
Use the RMON Statistics page to display details about switch use such as
packet processing statistics and errors that have occurred on the switch.
To display the page, click Statistics/RMON > RMON > Statistics in the navigation panel.
Figure 16-13. RMON Statistics
RMON History Control Statistics
Use the RMON History Control page to maintain a history of statistics on
each port. For each interface (either a physical port or a port-channel), you
can define how many buckets exist, and the time interval between each
bucket snapshot.
To display the page, click Statistics/RMON > RMON > History Control in the navigation panel.
Figure 16-14. RMON History Control
Adding a History Control Entry
To add an entry:
1. Open the RMON History Control page.
2. Click Add. The Add History Entry page displays.
Figure 16-15. Add History Entry
3. Select the port or LAG on which you want to maintain a history of statistics.
4. Specify an owner, the number of historical buckets to keep, and the sampling interval.
5. Click Apply to add the entry to the RMON History Control Table.
To view configured history entries, click the Show All tab. The RMON History Control Table displays. From this page, you can remove configured history entries.
RMON History Table
Use the RMON History Table page to display interface-specific statistical
network samplings. Each table entry represents all counter values compiled
during a single sample.
To display the RMON History Table page, click Statistics/RMON > RMON > History Table in the navigation panel.
Figure 16-16. RMON History Table
RMON Event Control
Use the RMON Events Control page to define RMON events. Events are
used by RMON alarms to force some action when a threshold is crossed for a
particular RMON counter. The event information can be stored in a log
and/or sent as a trap to a trap receiver.
To display the page, click Statistics/RMON > RMON > Event Control in the navigation panel.
Figure 16-17. RMON Event Control
Adding an RMON Event
To add an event:
1. Open the RMON Event Control page.
2. Click Add. The Add an Event Entry page displays.
Figure 16-18. Add an Event Entry
3. If the event sends an SNMP trap, specify the SNMP community to receive the trap.
4. Optionally, provide a description of the event and the name of the event owner.
5. Select an event type.
6. Click Apply. The event is added to the RMON Event Table, and the device is updated.
Viewing, Modifying, or Removing an RMON Event
To manage an event:
1. Open the RMON Event Control page.
2. Click Show All to display the Event Control Table page.
3. To edit an entry:
a. Select the Edit check box for the event entry to change.
b. Modify the fields on the page as needed.
4. To remove an entry, select the Remove check box for the event entry to remove.
5. Click Apply.
RMON Event Log
Use the RMON Event Log page to display a list of RMON events.
To display the page, click Statistics/RMON > RMON > Events Log in the navigation panel.
Figure 16-19. RMON Event Log
RMON Alarms
Use the RMON Alarms page to set network alarms. Alarms occur when
certain thresholds are crossed for the configured RMON counters. The alarm
triggers an event to occur. The events can be configured as part of the RMON
Events group. For more information about events, see "RMON Event Log" on
page 432.
To display the page, click Statistics/RMON > RMON > Alarms in the navigation panel.
Figure 16-20. RMON Alarms
Adding an Alarm Table Entry
To add an alarm:
1. Open the RMON Alarms page.
2. Click Add. The Add an Alarm Entry page displays.
Figure 16-21. Add an Alarm Entry
3. Complete the fields on this page as needed. Use the help menu to learn more about the data required for each field.
4. Click Apply. The RMON alarm is added, and the device is updated.
To view configured alarm entries, click the Show All tab. The Alarms Table displays. From this page, you can remove configured alarms.
Port Statistics
Use the Port Statistics page to chart port-related statistics on a graph.
To display the page, click Statistics/RMON > Charts > Port Statistics in the navigation panel.
Figure 16-22. Ports Statistics
To chart port statistics, select the type of statistics to chart and (if desired)
the refresh rate, then click Draw.
LAG Statistics
Use the LAG Statistics page to chart LAG-related statistics on a graph.
To display the page, click Statistics/RMON > Charts > LAG Statistics in the navigation panel.
Figure 16-23. LAG Statistics
To chart LAG statistics, select the type of statistics to chart and (if desired)
the refresh rate, then click Draw.
Port Mirroring
Use the Port Mirroring page to create a mirroring session in which all traffic
that is sent or received (or both) on one or more source ports is mirrored to a
destination port.
To display the Port Mirroring page, click Switching > Ports > Traffic Mirroring > Port Mirroring in the navigation panel.
Figure 16-24. Port Mirroring
Configuring a Port Mirror Session
To configure port mirroring:
1. Open the Port Mirroring page.
2. Click Add. The Add Source Port page displays.
3. Select the port to be mirrored.
4. Select the traffic to be mirrored.
Figure 16-25. Add Source Port
5. Click Apply.
6. Repeat the previous steps to add additional source ports.
7. Click Port Mirroring to return to the Port Mirroring page.
8. Enable the administrative mode and specify the destination port.
Figure 16-26. Configure Additional Port Mirroring Settings
9. Click Apply.
Monitoring Switch Traffic (CLI)
This section provides information about the commands you use to manage
traffic monitoring features on the switch and to view information about
switch traffic. For more information about these commands, see the Dell Networking N2000, N3000, and N4000 Series Switches CLI Reference Guide at support.dell.com/manuals.
Configuring sFlow
Beginning in Privileged EXEC mode, use the following commands to
configure the sFlow receiver and to configure the sampling and polling on
switch interfaces.
Command Purpose
configure
    Enter Global Configuration mode
sflow rcvr_index destination ip-address [port]
    Configure the address of the sFlow receiver and (optionally) the destination UDP port for sFlow datagrams.
    rcvr_index — The index of this sFlow receiver (Range: 1–8).
    ip-address — The sFlow receiver IP address.
    port — The destination Layer 4 UDP port for sFlow datagrams (Range: 1–65535).
sflow rcvr_index destination owner owner_string timeout timeout
    Specify the identity string of the receiver and set the receiver timeout value.
    timeout — The number of seconds the configuration will be valid before it is automatically cleared. A value of 0 essentially means the receiver is not configured.
sflow rcvr_index maxdatagram size
    Specify the maximum number of data bytes that can be sent in a single sample datagram. The receiver should also be set to this value to avoid fragmentation of the sFlow datagrams (Range: 200–9116 bytes).
sflow rcvr-index polling if_type if_number poll-interval
    Enable a new sFlow poller instance on an interface range.
    rcvr-index — The sFlow receiver associated with the poller (Range: 1–8).
    if_type if_number — The list of interfaces to poll. The interface type can be Gigabitethernet (gi) or Tengigabitethernet (te); for example, te1/0/3-5 enables polling on ports 3, 4, and 5.
    poll-interval — The sFlow instance polling interval. A value of n means a counter sample is generated once every n seconds (Range: 0–86400).
sflow rcvr-index sampling if_type if_number sampling-rate [size]
    Enable a new sFlow sampler instance for the specified interface range.
    rcvr-index — The sFlow receiver to which flow samples from this sampler are sent.
    if_type if_number — The list of interfaces to sample. The interface type can be Gigabitethernet (gi) or Tengigabitethernet (te); for example, te1/0/3-5 enables sampling on ports 3, 4, and 5.
    sampling-rate — The statistical sampling rate for packet sampling from this source. A sampling rate of 1 counts all packets. A value of n means that out of n incoming packets, 1 packet will be sampled (Range: 1024–65536).
    size — The maximum number of bytes that should be copied from the sampled packet (Range: 20–256 bytes).
interface interface
    Enter Interface Configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3 or te1/0/3. You can also specify a range of interfaces with the interface range command; for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
sflow rcvr-index polling poll-interval
    Enable a new sFlow poller instance for the interface.
sflow rcvr-index sampling sampling-rate [size]
    Enable a new sFlow sampler instance for the interface.
CTRL + Z
    Exit to Privileged EXEC mode.
show sflow agent
    View information about the switch sFlow agent.
show sflow index destination
    View information about the configured sFlow receivers.
show sflow index polling
    View information about the configured sFlow poller instances for the specified receiver.
show sflow index sampling
    View information about the configured sFlow sampler instances for the specified receiver.
Configuring RMON
Beginning in Privileged EXEC mode, use the following commands to configure RMON alarms, collection history, and events. The table also lists the commands you use to view information collected by the RMON probe.
Command Purpose
configure
    Enter Global Configuration mode
rmon event number [log] [trap community] [description string] [owner string]
    Configure an RMON event.
    number — The event index (Range: 1–65535).
    log — Specify that an entry is made in the log table for each event.
    trap community — If the event is an SNMP trap to be sent, it is sent to the SNMP community specified by this octet string (Range: 0–127 characters).
    description string — A comment describing this event (Range: 0–127 characters).
    owner string — Enter a name that specifies who configured this event. If unspecified, the name is an empty string.
rmon alarm number variable interval {absolute | delta} rising-threshold value [event-number] falling-threshold value [event-number] [startup direction] [owner string]
    Add an alarm entry.
    number — The alarm index (Range: 1–65535).
    variable — A fully qualified SNMP object identifier that resolves to a particular instance of a MIB object.
    interval — The interval in seconds over which the data is sampled and compared with the rising and falling thresholds (Range: 1–4294967295).
    rising-threshold value — Rising threshold value (Range: 0–4294967295).
    falling-threshold value — Falling threshold value (Range: 0–4294967295).
    event-number — The index of the event that is used when a rising or falling threshold is crossed (Range: 1–65535).
    delta — The sampling method for the selected variable and for calculating the value to be compared against the thresholds. If the method is delta, the selected variable value at the last sample is subtracted from the current value, and the difference is compared with the thresholds.
    absolute — The sampling method for the selected variable and for calculating the value to be compared against the thresholds. If the method is absolute, the value of the selected variable is compared directly with the thresholds at the end of the sampling interval.
    startup direction — The type of startup alarm, which can be rising, falling, or rising-falling.
    owner string — Enter a name that specifies who configured this alarm.
interface interface
    Enter Interface Configuration mode for the specified port or LAG.
rmon collection history index [owner ownername] [buckets bucket-number] [interval seconds]
    Enable an RMON MIB history statistics group on the interface.
    NOTE: You must configure RMON alarms and events before RMON collection history is able to display.
    index — The requested statistics index group (Range: 1–65535).
    ownername — Records the RMON statistics group owner name. If unspecified, the name is an empty string.
    bucket-number — The number of buckets for the RMON collection history group of statistics. If unspecified, defaults to 50 (Range: 1–65535).
    seconds — The number of seconds in each polling cycle. If unspecified, defaults to 1800 (Range: 1–3600).
CTRL + Z
    Exit to Privileged EXEC mode.
show rmon {alarms | collection history | events | history | log | statistics}
    View information collected by the RMON probe.
Viewing Statistics
Use the following commands in Privileged EXEC mode to view statistics about the traffic handled by the switch.
Command Purpose
show interfaces counters [errors] [{interface | port-channel}]
    Display the error counters or number of octets and packets handled by all interfaces or the specified interface.
show statistics {switchport | interface}
    Display detailed statistics for a specific port or LAG, or for the entire switch. The interface variable includes the interface type and number.
Configuring Port Mirroring
Use the following commands in Privileged EXEC mode to configure a port
mirroring session.
Command Purpose
configure
    Enter Global Configuration mode
monitor session session_number source interface {interface} [rx | tx | both]
    Configure a source (monitored) port or CPU interface for a monitor session.
    session_number — The monitoring session ID, which is always 1.
    interface — The interface to be monitored.
    rx | tx — Monitor ingress (rx) or egress (tx) traffic. If no parameter is given, both ingress and egress traffic are monitored.
monitor session session_number destination interface interface
    Configure a destination (probe) port for a monitor session.
    session_number — The monitoring session ID, which is always 1.
    interface — The Ethernet interface to which the monitored source traffic is copied.
monitor session session_number mode
    Enable the administrative mode for the configured port mirroring session to start sending the traffic from the source port to the destination (probe) port.
exit
    Exit to Privileged EXEC mode.
show monitor session 1
    View information about the configured port mirroring session.
Configuring RSPAN
RSPAN is an extension of port mirroring that operates across multiple
switches. Use the following commands in Privileged EXEC mode to configure
RSPAN. Remember to assign VLANs to physical interfaces (steps not shown).
Configuring RSPAN (Source Switch)
Command Purpose
configure
    Enter Global Configuration mode.
vlan vlan-id
    Configure an RSPAN VLAN.
remote-span
    Configure the VLAN as a spanning VLAN.
exit
    Exit to Global Configuration mode.
interface te1/0/1
    Enter Interface Configuration mode.
switchport mode trunk
    Set the egress span interface to trunk mode.
switchport trunk allowed vlan vlan-id
    Restrict the trunk to the spanning VLAN (optional).
exit
    Exit to Global Configuration mode.
monitor session session_number source interface interface [{rx | tx | both}]
    Configure a source (monitored) port for a monitor session.
    session_number — The monitoring session ID, which is always 1.
    interface — The interface to be monitored. The internal CPU port may not be configured as an RSPAN source.
    rx | tx | both — Monitor ingress (rx) or egress (tx) traffic. If no parameter is given, both ingress and egress traffic are monitored.
monitor session session_number destination remote vlan vlan_id reflector-port interface_id
    Configure a local RSPAN reflector port on the source switch. The reflector port should be configured as a trunk port.
monitor session session_number mode
    Enable the administrative mode for the configured port mirroring session to start sending the traffic from the source port to the destination (probe) port.
exit
    Exit to Privileged EXEC mode.
Configuring RSPAN (Transit Switch)
Command Purpose
configure
    Enter Global Configuration mode.
vlan vlan-id
    Create an RSPAN VLAN.
remote-span
    Configure the VLAN as a spanning VLAN.
exit
    Exit to Global Configuration mode.
interface range te1/0/1-2
    Configure the span interfaces.
switchport mode trunk
    Configure the interface to be in trunking mode.
switchport trunk allowed vlan vlan-id
    Restrict the trunk to the spanning VLAN (optional).
exit
    Exit to Global Configuration mode.
Configuring RSPAN (Destination Switch)
Command Purpose
configure
    Enter Global Configuration mode.
vlan vlan-id
    Create an RSPAN VLAN.
remote-span
    Configure the VLAN as a spanning VLAN.
exit
    Exit to Global Configuration mode.
monitor session session_id source remote vlan vlan_id
    Configure a source RSPAN VLAN on the destination switch.
monitor session session_id destination interface interface
    Configure the destination port on the RSPAN destination switch.
monitor session session_id mode
    Enable the monitor session.
Traffic Monitoring Configuration Examples
This section contains the following examples:
Configuring sFlow
Configuring RMON
Configuring Remote Capture
Configuring RSPAN
Configuring sFlow
This example shows how to configure the switch so that ports 10-15 and port
23 send sFlow datagrams to an sFlow receiver at the IP address 192.168.20.34.
The receiver owner is receiver1, and the timeout is 100000 seconds. A counter
sample is generated on the ports every 60 seconds (polling interval), and 1 out
of every 8192 packets is sampled. Note that sFlow monitoring is not enabled
until a receiver owner string is configured.
To configure the switch:
1. Configure information about the sFlow receiver.
console#configure
console(config)#sflow 1 destination 192.168.30.34
console(config)#sflow 1 destination owner receiver1 timeout 100000
2. Configure the polling and sampling information for Tengigabit Ethernet ports 10-20.
console(config)#sflow 1 polling te1/0/10-15 60
console(config)#sflow 1 sampling te1/0/10-15 8192
3. Configure the polling and sampling information for Tengigabit Ethernet port 23.
console(config)#interface te1/0/23
console(config-if-Te1/0/23)#sflow 1 polling 60
console(config-if-Te1/0/23)#sflow 1 sampling 8192
4. Verify the configured information.
console#show sflow 1 destination
Receiver Index.................... 1
Owner String...................... receiver1
Time out.......................... 99994
IP Address:....................... 192.168.30.34
Address Type...................... 1
Port.............................. 6343
Datagram Version.................. 5
Maximum Datagram Size............. 1400
console#show sflow 1 polling
Poller Receiver Poller
Data Source Index Interval
----------- ------- -------
Te1/0/10 1 60
Te1/0/11 1 60
Te1/0/12 1 60
Te1/0/13 1 60
Te1/0/14 1 60
Te1/0/15 1 60
Te1/0/23 1 60
console#show sflow 1 sampling
Sampler Receiver Packet Max Header
Data Source Index Sampling Rate Size
----------- ------- ------------- ----------
Te1/0/10 1 8192 128
Te1/0/11 1 8192 128
Te1/0/12 1 8192 128
Te1/0/13 1 8192 128
Te1/0/14 1 8192 128
Te1/0/15 1 8192 128
Te1/0/23 1 8192 128
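The receiver side of the configuration above, as an added example that is not part of Dell's documentation or software: it constructs one sFlow v5 datagram of the kind the switch sends to UDP port 6343 (the agent address 192.0.2.1, interface index 10 and the 60-byte packet header are constructed values) and decodes it, checking the version, address type and datagram size a collector should validate before trusting the numbers. The field layout follows the sFlow v5 specification.

```python
"""sFlow v5 datagram encoder/decoder (added example, not Dell code).

Constructs one datagram of the kind the switch configured above sends to
UDP port 6343 (datagram version 5, 1400-byte maximum size, 128-byte
maximum sampled header, 1-in-8192 packet sampling) and decodes it.
Field layout follows the sFlow v5 specification; the agent address,
interface index and packet header are constructed values.
"""
import socket
import struct

SFLOW_VERSION = 5
ADDR_IPV4 = 1              # agent address type
FLOW_SAMPLE = 1            # sample format 1, enterprise 0
RAW_PACKET_HEADER = 1      # flow record format 1, enterprise 0
HEADER_PROTO_ETHERNET = 1
MAX_DATAGRAM = 1400        # switch default from Table 16-1
MAX_HEADER = 128           # switch default from Table 16-1


def _pad4(data: bytes) -> bytes:
    """XDR pads opaque data to a multiple of 4 bytes."""
    return data + b"\x00" * (-len(data) % 4)


def build_flow_sample(seq, if_index, sampling_rate, sample_pool, frame_len, header):
    """Encode one flow sample carrying a single raw packet header record."""
    header = header[:MAX_HEADER]          # the switch never copies more than this
    record_body = struct.pack("!IIII", HEADER_PROTO_ETHERNET, frame_len,
                              0, len(header)) + _pad4(header)
    record = struct.pack("!II", RAW_PACKET_HEADER, len(record_body)) + record_body
    # sequence, source_id (type 0 = ifIndex), rate, pool, drops, input, output, records
    body = struct.pack("!IIIIIIII", seq, if_index, sampling_rate, sample_pool,
                       0, if_index, 0, 1) + record
    return struct.pack("!II", FLOW_SAMPLE, len(body)) + body


def build_datagram(agent_ip, seq, uptime_ms, samples):
    """Encode the datagram header followed by the given samples."""
    hdr = struct.pack("!II4sIII", SFLOW_VERSION, ADDR_IPV4,
                      socket.inet_aton(agent_ip), 0, seq, uptime_ms)
    datagram = hdr + struct.pack("!I", len(samples)) + b"".join(samples)
    if len(datagram) > MAX_DATAGRAM:
        raise ValueError("datagram exceeds the configured maximum size")
    return datagram


def parse_datagram(data):
    """Decode the header and every flow sample; reject anything that is not v5/IPv4."""
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != SFLOW_VERSION or addr_type != ADDR_IPV4:
        raise ValueError("unsupported sFlow version or agent address type")
    agent = socket.inet_ntoa(data[8:12])
    _sub_agent, seq, uptime, nsamples = struct.unpack_from("!IIII", data, 12)
    off, samples = 28, []
    for _ in range(nsamples):
        stype, slen = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + slen]
        off += 8 + slen
        if stype != FLOW_SAMPLE:
            continue            # counter samples are not decoded in this example
        sseq, src, rate, pool, _drops, inp, _outp, nrec = struct.unpack_from("!IIIIIIII", body, 0)
        roff, headers = 32, []
        for _ in range(nrec):
            rtype, rlen = struct.unpack_from("!II", body, roff)
            rbody = body[roff + 8:roff + 8 + rlen]
            roff += 8 + rlen
            if rtype == RAW_PACKET_HEADER:
                _proto, frame_len, _stripped, hlen = struct.unpack_from("!IIII", rbody, 0)
                headers.append((frame_len, rbody[16:16 + hlen]))
        samples.append({"seq": sseq, "if_index": src & 0xFFFFFF, "sampling_rate": rate,
                        "sample_pool": pool, "input": inp, "headers": headers})
    return {"agent": agent, "seq": seq, "uptime_ms": uptime, "samples": samples}


def estimate_bytes(parsed):
    """Scale each sampled frame by its sampling rate to estimate bytes seen on the wire."""
    return sum(frame_len * s["sampling_rate"]
               for s in parsed["samples"] for frame_len, _ in s["headers"])


# Constructed input: the first 60 bytes (Ethernet + IPv4 headers) of a 1514-byte
# frame sampled on ifIndex 10 at 1 in 8192, sent by a switch at 192.0.2.1.
SAMPLE_HEADER = bytes.fromhex("ffffffffffff001122334455080045") + b"\x00" * 45
EXAMPLE_DATAGRAM = build_datagram("192.0.2.1", 1, 60_000, [
    build_flow_sample(1, 10, 8192, 8192, 1514, SAMPLE_HEADER)])

if __name__ == "__main__":
    parsed = parse_datagram(EXAMPLE_DATAGRAM)
    print(parsed["agent"], parsed["samples"][0]["sampling_rate"], estimate_bytes(parsed))
```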
Configuring RMON
This example generates a trap and creates a log entry when the number of
inbound packets that are undeliverable due to errors increases by 20 or more.
First, an RMON event is created. Then, the alarm is created. The event
(event 1) generates a trap and creates a log entry. The alarm is configured for
the MIB object ifInErrors (OID: 1.3.6.1.2.1.2.2.1.14.1). The OID is the
variable. The alarm checks the variable every 30 seconds to compare the MIB
counter to the configured rising and falling thresholds. If the rise is equal to
or greater than 20, event 1 goes into effect.
To configure the switch:
1. Create the event. The trap is sent to the private SNMP community.
console#configure
console(config)#rmon event 1 description "emergency event" log trap private
2. Create the alarm.
console(config)#rmon alarm 1 1.3.6.1.2.1.2.2.1.14.1 30 delta rising-threshold 20 1 falling-threshold 1
3. Verify the configuration.
console#show rmon events
Index Description Type Community Owner Last time sent
-------------------------------------------------------------
1 emergency log-trap private 0 days 0h:0m:0s
event
console#show rmon alarms
Index OID Owner
----------------------------------------------
1 1.3.6.1.2.1.2.2.1.14.1
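The threshold logic of the alarm above, as an added example that is not Dell's code or output: it models the delta alarm on ifInErrors with rising-threshold 20 bound to event 1 and falling-threshold 1 with no event, over a constructed series of counter readings, and shows why the falling threshold matters for suppressing one trap per sample during a sustained error burst. The re-arm rule is taken from the RMON MIB (RFC 2819), which the page does not cite.

```python
"""RMON alarm evaluation (added example, not Dell code).

Models the alarm from the configuration above: the ifInErrors counter is
sampled every 30 seconds with the delta method, rising-threshold 20 is bound
to event 1 and falling-threshold 1 has no event. The re-arm rule follows the
RMON MIB (RFC 2819): once a rising event fires, another one fires only after
the compared value has dropped to the falling threshold, so a sustained burst
of errors yields one trap per episode rather than one per sample.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    variable: str                        # OID of the monitored MIB instance
    interval: int                        # seconds between samples
    sample_type: str                     # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    rising_event: Optional[int] = None   # event index, None = no event bound
    falling_event: Optional[int] = None
    startup: str = "rising-falling"      # which crossing may fire on the first sample
    _last_raw: Optional[int] = field(default=None, init=False, repr=False)
    _last_crossing: Optional[str] = field(default=None, init=False, repr=False)

    def sample(self, raw_value: int) -> Tuple[Optional[int], Optional[int]]:
        """Feed one counter reading; return (compared value, event index fired)."""
        if self.sample_type == "delta":
            if self._last_raw is None:       # delta needs a previous sample
                self._last_raw = raw_value
                return None, None
            value = raw_value - self._last_raw
            self._last_raw = raw_value
        else:
            value = raw_value
        first = self._last_crossing is None
        fired = None
        if value >= self.rising_threshold and self._last_crossing != "rising":
            if not first or self.startup in ("rising", "rising-falling"):
                fired = self.rising_event
            self._last_crossing = "rising"
        elif value <= self.falling_threshold and self._last_crossing != "falling":
            if not first or self.startup in ("falling", "rising-falling"):
                fired = self.falling_event
            self._last_crossing = "falling"
        return value, fired


def run_alarm(alarm: RmonAlarm, readings: List[int]) -> List[Optional[int]]:
    """Evaluate a series of counter readings; one entry per reading, the event fired or None."""
    return [alarm.sample(r)[1] for r in readings]


# Constructed ifInErrors readings, one per 30-second interval: an error burst
# (deltas 25 and 30), a quiet period (deltas 1 and 0), then a second burst (29).
EXAMPLE_READINGS = [100, 105, 130, 160, 161, 161, 190]

if __name__ == "__main__":
    alarm = RmonAlarm("1.3.6.1.2.1.2.2.1.14.1", 30, "delta", 20, 1, rising_event=1)
    print(run_alarm(alarm, EXAMPLE_READINGS))   # [None, None, 1, None, None, None, 1]
```

The second burst fires event 1 again only because the delta dropped to the falling threshold in between; without that crossing the alarm stays armed and stays silent.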
Configuring Remote Capture
This example configures the switch to mirror packets transmitted and
received by the switch CPU to a Wireshark client. This is useful to diagnose
switch behavior and to determine if an attached device is sending properly
formatted packets with correct information to the switch, or just to monitor
traffic sent to the switch CPU. The capture feature can also be configured to
capture to a local file in pcap format or to capture to an in-memory buffer
(text format).
1. Configure capture for Wireshark remote access on port 2002.
console(config)#monitor capture remote
console(config)#exit
2. Start the capture, enabling capture of both transmitted and received packets.
console# monitor capture start all
3. Configure Wireshark for remote capture by selecting Capture > Interfaces from the top tab. (The screens shown in this example are from Wireshark 1.10.1.)
4. On the Capture Interfaces dialog, click Options.
5. On the Capture Options dialog, click Manage Interfaces.
6. Add a new interface by giving the switch IP address and the default remote port (2002). First, select the Remote Interfaces tab and click Add.
7. Enter the switch IP address and port (2002). Choose Null authentication (default).
8. Click OK to accept the entry.
9. On the Add new interfaces dialog, click Apply and then click Close.
10. From the Wireshark: Capture Options dialog, select the remote switch and click Start.
Remote Capture Caveats
Remote capture over an in-band port also captures the capture packets themselves as they are transmitted to the Wireshark client. Therefore, when using remote capture over an in-band port, it is best to configure remote capture to capture only received packets, to configure remote capture to operate over the out-of-band port, or to configure local capture to capture to the in-memory buffer or a local pcap file.
Configuring RSPAN
RSPAN supports the transport of mirrored packets across the network to a
remote switch. Ports may be configured as source ports, intermediate ports, or
destination ports.
RSPAN Source Switch
This example mirrors interface gi1/0/3 to VLAN 723. VLAN 723 is the selected transit VLAN. Administrators should reserve a VLAN as the RSPAN VLAN when designing their network. The source switch requires a reflector port to carry packets to the transit switch. The reflector port must be configured as a trunk port. Untagged packets on the source port are transmitted on the RSPAN VLAN tagged with the RSPAN VLAN. Tagged packets on the source port are transmitted over the RSPAN VLAN double-tagged, with the outer tag containing the RSPAN VLAN.
The last line in this configuration enables the monitor session. It is
recommended that configuration proceed with the destination switch first,
followed by the intermediate switches, and then by the source switch.
1. Configure RSPAN on VLAN 723:
console#configure
console(config)#vlan 723
console(config-vlan723)#remote-span
console(config-vlan723)#exit
2. Configure interface te1/0/1 as the reflector port in trunk mode:
console(config)#interface te1/0/1
console(config-if-Te1/0/1)#switchport mode trunk
console(config-if-Te1/0/1)#switchport trunk allowed vlan 723
console(config-if-Te1/0/1)#exit
3. Configure a mirroring session with source port gi1/0/3, destination VLAN 723, and reflector port te1/0/1:
console(config)# monitor session 1 source interface gi1/0/3
console(config)# monitor session 1 destination remote vlan 723 reflector-port te1/0/1
4. Enable the monitor session:
console(config)#monitor session 1 mode
RSPAN cannot use the CPU as a mirror source. Instead, configure remote
capture to view packets sent to or from the switch CPU.
RSPAN Transit Switch
The following is an example of an RSPAN transit switch configuration. The
RSPAN VLAN should be configured as a remote-span in order to disable
MAC learning on the VLAN. In this case, the transit switch ports are
configured as trunk ports (members of all VLANs) and may be used by other
traffic. Packets on the transit switch (in this example) are received and
transmitted tagged.
1. Configure remote span on a VLAN:
console#configure
console(config)#vlan 723
console(config-vlan723)#remote-span
console(config-vlan723)#exit
2. Configure the transit switch ports in trunk mode:
console(config)#interface te1/0/1
console(config-if-Te1/0/1)#switchport mode trunk
console(config-if-Te1/0/1)#interface te1/0/2
console(config-if-Te1/0/2)#switchport mode trunk
RSPAN Destination Switch
The following example shows the configuration of the RSPAN destination
switch. The RSPAN mirrored packets are transmitted over the destination
port untagged.
1. Configure remote span on VLAN 723:
console#configure
console(config)#vlan 723
console(config-vlan723)#remote-span
console(config-vlan723)#exit
2. Configure interface te1/0/1 as the destination port.
console(config)#interface te1/0/1
console(config-if-Te1/0/1)#switchport mode trunk
console(config-if-Te1/0/1)#switchport trunk allowed vlan 723
console(config-if-Te1/0/1)#exit
3. Configure a mirroring session with the remote VLAN 723 as the source and interface gi1/0/1 as the destination port:
console(config)#monitor session 1 source remote vlan 723
console(config)#monitor session 1 destination interface gi1/0/1
4. Enable the mirroring session:
console(config)#monitor session 1 mode
Configuring iSCSI Optimization 459
17 Configuring iSCSI Optimization
NOTE: This feature is not available on N2000 switches.
This chapter describes how to configure Internet Small Computer System
Interface (iSCSI) optimization, which enables special quality of service
(QoS) treatment for iSCSI traffic.
The topics covered in this chapter include:
iSCSI Optimization Overview
Default iSCSI Optimization Values
Configuring iSCSI Optimization (Web)
Configuring iSCSI Optimization (CLI)
iSCSI Optimization Configuration Examples
iSCSI Optimization Overview
iSCSI optimization provides a means of monitoring iSCSI sessions and iSCSI
traffic on the switch. This is accomplished by monitoring, or “snooping,”
traffic to detect packets used by iSCSI stations to establish iSCSI sessions
and connections. Data from these exchanges may optionally be used to create
classification rules to assign traffic between the stations to a configured traffic
class. The traffic classification affects how the packets in the flow are queued
and scheduled for egress on the destination port.
What Does iSCSI Optimization Do?
In networks containing iSCSI initiators and targets, iSCSI Optimization
helps to monitor iSCSI sessions or give iSCSI traffic preferential QoS
treatment. Dynamically-generated classifier rules generated by snooping
iSCSI traffic are used to direct iSCSI data traffic to queues that can be given
the desired preference characteristics over other data traveling through the
switch. This may help to avoid session interruptions during times of
congestion that would otherwise cause iSCSI packets to be dropped.
However, in systems where a large proportion of traffic is iSCSI, it may also
interfere with other network control-plane traffic, such as ARP or LACP.
The preferential treatment of iSCSI traffic needs to be balanced against the
needs of other critical data in the network.
How Does the Switch Detect iSCSI Traffic Flows?
The switch snoops iSCSI session establishment (target login) and
termination (target logout) packets by installing classifier rules that trap
iSCSI protocol packets to the CPU for examination. Devices that initiate
iSCSI sessions generally use well-known TCP ports 3260 or 860 to contact
targets. When iSCSI optimization is enabled, by default the switch identifies
IP packets to or from these ports as iSCSI session traffic. In addition, the
switch separately tracks connections associated with a login session (ISID)
(dynamically allocated source/destination TCP port numbers). You can
configure the switch to monitor traffic for additional port numbers or port
number-target IP address combinations, and you can remove the well-known
port numbers from monitoring. You can also associate a target name with a
configured target TCP port entry.
How Is Quality of Service Applied to iSCSI Traffic Flows?
The iSCSI CoS mode is configurable and controls whether CoS queue
assignment and/or packet marking is performed on iSCSI traffic. When the
iSCSI CoS mode is enabled, the CoS policy is applied to packets in detected
iSCSI sessions. In addition, if DCBX is enabled (on N4000 switches only), the
iSCSI application priority TLV is generated by the switch. When the iSCSI
CoS mode is disabled, iSCSI sessions and connections are detected and
shown in the status tables, but no CoS policy is applied to packets.
On N4000 switches, when the iSCSI CoS mode is disabled, the DCBX iSCSI
Application Priority TLV is not generated by the switch. In either case, if
DCBX is enabled and ports are configured as auto-up or auto-down, the
Application Priority TLVs received from the configuration source are proxied
to the other ports and, on the N4000 series switches, the CoS policy for iSCSI
received via DCBX is applied to iSCSI packets.
When iSCSI CoS mode is enabled, iSCSI login sessions up to the switch
limits are tracked, and data packets for those sessions are given the configured
CoS treatment. iSCSI sessions in excess of the switch limits are not given the
configured CoS treatment; therefore, it is not advisable to exceed the iSCSI
session limit. Multiple connections within a session are counted against the
session limit, even though they show in the session table as a single session.
In the switch, iSCSI connections are aged out using the session aging timer. If
the connection has no detected data packets during the timeout period, the
connection is deleted from the switch internal session table. When all
connections associated with a session age out or disconnect, the session is
deleted.
You can configure whether the iSCSI optimization feature uses the VLAN
priority or IP DSCP mapping to determine the traffic class queue. By default,
iSCSI flows are assigned to the highest VLAN priority tag or DSCP value
mapped to the highest queue not used for stack management or voice VLAN.
Use the classofservice dot1p-mapping command or the Quality of Service
Class of Service Mapping Table Configuration page to configure the
relevant Class of Service parameters for the queue in order to complete the
setting.
You can configure whether iSCSI frames are remarked to contain the
configured VLAN priority tag or IP DSCP when forwarded through the
switch.
How Does iSCSI Optimization Use ACLs?
iSCSI Optimization borrows ACL lists from the global system pool. ACL lists
allocated by iSCSI Optimization reduce the total number of ACLs available
for use by the network operator. Enabling iSCSI Optimization uses one ACL
list to monitor for iSCSI sessions. Each monitored iSCSI session utilizes two
rules from additional ACL lists up to a maximum of two ACL lists. This
means that the maximum number of ACL lists allocated by iSCSI is three.
What Information Does the Switch Track in iSCSI Traffic Flows?
Packets are examined to find the following data, which is used in tracking the
session and creating the classifier entries that enable QoS treatment:
• Initiator's IP Address
• Target's IP Address
• ISID (Initiator defined session identifier)
• Initiator's IQN (iSCSI Qualified Name)
• Target's IQN
• Initiator's TCP Port
• Target's TCP Port
If no iSCSI traffic is detected for a session for a configurable aging period, the
session data is cleared.
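To make the snooping described in these sections concrete, the following added example (not Dell's firmware or any Dell code) parses an iSCSI Login Request PDU as RFC 7143 defines it, records the fields listed above in a session table keyed by ISID, counts every TCP connection against the 192-session limit, and ages connections out after the 10-minute default; the IP addresses, IQNs and ISID it uses are constructed sample values.

```python
from dataclasses import dataclass, field

ISCSI_WELL_KNOWN_PORTS = {3260, 860}   # ports the switch monitors by default
DEFAULT_AGING_SECONDS = 600            # Table 17-1: session aging time 10 minutes
DEFAULT_SESSION_LIMIT = 192            # maximum tracked sessions stated on the page
OPCODE_LOGIN_REQUEST = 0x03            # RFC 7143 Login Request opcode


def parse_login_request(pdu):
    """Return (isid_hex, initiator_iqn, target_iqn) from an iSCSI Login Request,
    or None if the bytes are not one. Only the fields the switch tracks are read."""
    if len(pdu) < 48:                           # Basic Header Segment is 48 bytes
        return None
    if pdu[0] & 0x3F != OPCODE_LOGIN_REQUEST:   # bit 6 of byte 0 is the Immediate flag
        return None
    data_len = int.from_bytes(pdu[5:8], "big")  # 24-bit DataSegmentLength
    isid = pdu[8:14].hex()                      # 6-byte Initiator Session ID
    keys = {}
    for item in pdu[48:48 + data_len].split(b"\x00"):
        if b"=" in item:                        # login text keys are NUL-terminated key=value
            k, v = item.split(b"=", 1)
            keys[k.decode("ascii", "replace")] = v.decode("ascii", "replace")
    return isid, keys.get("InitiatorName"), keys.get("TargetName")


def build_login_request(isid, initiator_iqn, target_iqn):
    """Constructed sample Login Request (BHS plus text keys) for testing."""
    text = f"InitiatorName={initiator_iqn}\x00TargetName={target_iqn}\x00".encode()
    bhs = bytearray(48)
    bhs[0] = 0x40 | OPCODE_LOGIN_REQUEST   # Immediate flag is set on login requests
    bhs[1] = 0x87                          # T=1, CSG=1 (operational), NSG=3 (full feature)
    bhs[5:8] = len(text).to_bytes(3, "big")
    bhs[8:14] = isid
    return bytes(bhs) + text


@dataclass
class Session:
    isid: str
    initiator_iqn: str
    target_iqn: str
    connections: dict = field(default_factory=dict)  # forward 4-tuple -> last_seen


class IscsiSnooper:
    """Session table keyed by ISID: one session per login, several TCP connections
    per session, and every connection counted against the session limit."""

    def __init__(self, aging=DEFAULT_AGING_SECONDS, limit=DEFAULT_SESSION_LIMIT,
                 target_ports=ISCSI_WELL_KNOWN_PORTS):
        self.aging = aging
        self.limit = limit
        self.target_ports = set(target_ports)
        self.sessions = {}          # isid -> Session
        self.conn_index = {}        # both directions of a 4-tuple -> (isid, forward 4-tuple)
        self.over_limit_logins = 0  # logins left untracked (and so without CoS treatment)

    def observe(self, src_ip, sport, dst_ip, dport, payload, now):
        """Classify one packet: 'data' refreshes a tracked connection, 'login' adds one,
        'over-limit' leaves a login untracked, 'ignored' is anything else."""
        key = (src_ip, sport, dst_ip, dport)
        hit = self.conn_index.get(key)
        if hit is not None:
            isid, fwd = hit
            self.sessions[isid].connections[fwd] = now
            return "data"
        if sport not in self.target_ports and dport not in self.target_ports:
            return "ignored"       # only traffic to/from monitored target ports is examined
        parsed = parse_login_request(payload)
        if parsed is None:
            return "ignored"
        isid, initiator_iqn, target_iqn = parsed
        if len(self.conn_index) // 2 >= self.limit:   # two index entries per connection
            self.over_limit_logins += 1
            return "over-limit"
        sess = self.sessions.setdefault(isid, Session(isid, initiator_iqn, target_iqn))
        sess.connections[key] = now
        self.conn_index[key] = (isid, key)
        self.conn_index[(dst_ip, dport, src_ip, sport)] = (isid, key)
        return "login"

    def age_out(self, now):
        """Drop connections idle longer than the aging time; a session whose last
        connection ages out is deleted, as the text describes."""
        for isid, sess in list(self.sessions.items()):
            for fwd, last_seen in list(sess.connections.items()):
                if now - last_seen > self.aging:
                    del sess.connections[fwd]
                    src_ip, sport, dst_ip, dport = fwd
                    del self.conn_index[fwd]
                    del self.conn_index[(dst_ip, dport, src_ip, sport)]
            if not sess.connections:
                del self.sessions[isid]
```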
How Does iSCSI Optimization Interact With Dell EqualLogic Arrays?
The iSCSI feature includes auto-provisioning support with the ability to
detect directly connected Dell EqualLogic (EQL) SAN storage arrays and
automatically reconfigure the switch to enhance storage traffic flows.
The Dell Networking series switches use LLDP, a vendor-neutral protocol, to
discover Dell EQL devices on the network. LLDP is enabled by default. For
more information about LLDP, see "Discovering Network Devices" on
page 761.
When the switch detects a Dell EQL array, the following actions occur:
• An MTU of 9216 is enabled on the system, if it is not already enabled.
• Spanning tree portfast is enabled on the EQL-connected interface
identified by LLDP.
• Unicast storm control is disabled on the EQL-connected interface
identified by LLDP.
It is advisable to enable spanning tree portfast and disable unicast storm
control on ports connected to the initiators as well.
If the iSCSI CoS policy feature is enabled on the switch and an EQL array is
detected, the switch applies additional iSCSI CoS policies to the EQL inter-
array traffic on TCP ports 9876 and 25555. If the iSCSI CoS policy is disabled
and EQL arrays are present, the additional CoS policy is removed globally.
What Occurs When iSCSI Optimization Is Enabled or Disabled?
When iSCSI is enabled on the switch, the following actions occur:
• Flow control is globally enabled, if it is not already enabled.
• iSCSI session snooping is enabled.
• iSCSI LLDP monitoring starts to automatically detect Dell EqualLogic
arrays.
If the iSCSI feature is disabled on the switch, iSCSI resources are released
and the detection of Dell EqualLogic arrays by using LLDP is disabled.
Disabling iSCSI does not remove the MTU, flow control, portfast or storm
control configuration applied as a result of enabling iSCSI. iSCSI
Optimization is enabled by default.
How Does iSCSI Optimization Interact with DCBx?
The Data Center Bridging Exchange (DCBx) component supports the
reception, decoding, and transmission of the Application Priority TLV. In
general, if the Application Priority TLV has been received from the
configuration source, it will be transmitted to the other auto configuration
ports. The DCBx component contains a control to generate the Application
Priority TLV for iSCSI if it is not already present in the DCBX information.
DCBx generates an Application Priority TLV whenever the following
conditions are met:
• An EqualLogic array has been detected on the port
• iSCSI CoS is enabled using a VPT value
The generated Application Priority TLV will contain the following values (in
addition to any other information contained in the TLV):
• AE Selector=14
• AE Protocol=3260
• AE Priority=priority configured for iSCSI PFC by the iscsi cos vpt
command (default priority is 4)
The existing application priority entries being transmitted, if any, will not be
disturbed.
How Does iSCSI Optimization Interact with Dell Compellent Arrays?
Dell Networking switches support a macro that may be used to configure a
port connected to a Dell Compellent storage array. The name of the macro is
profile-compellent-nas. The macro takes a single argument: the
interface identifier to which the Dell Compellent array is connected. The
macro disables unicast storm control and sets the spanning tree configuration
on the port to portfast. For an example of how to execute the macro, see
"Configuring iSCSI Optimization Between Servers and a Disk Array" on
page 473.
NOTE: The DCBx feature is available on the N4000 switches only.
NOTE: If it is desired to utilize DCBX to configure lossless transport of iSCSI using
PFC, the operator MUST configure a non-default VLAN end-to-end in order to
transport the VLAN priority tag and ensure proper COS treatment on every network
enabled device, including CNAs and the EQL arrays.
iSCSI CoS and Priority Flow Control/Enhanced Transmission Selection Interactions
When manually or automatically enabling the classification of iSCSI flows on
N4000 series switches, enabling iSCSI CoS is not recommended unless
required as follows.
When using manual configuration of the switch or auto-configuration via
DCBX, the iSCSI packets are classified based on the user priority present in
the VLAN tag and, in this case, enabling iSCSI CoS classification via the
iSCSI command set provides no benefit. The only case for enabling iSCSI
CoS prioritization is when using N4000 series switches to originate iSCSI
configuration information via DCBX. In this case, enabling iSCSI CoS
classification configures the N4000 switch to generate the iSCSI TLV via
DCBX in support of configuring directly connected storage and initiator
devices. N4000 series switches support both ETS and DCBx and support
DCB configuration in conjunction with EQL devices.
NOTE: The ETS feature is available on the N4000 switches only.
Default iSCSI Optimization Values
Table 17-1 shows the default values for the iSCSI optimization feature.
Table 17-1. iSCSI Optimization Defaults
Parameter Default Value
iSCSI optimization global status Enabled
iSCSI CoS mode Disabled
Jumbo frames Disabled
Spanning tree portfast Disabled
Unicast storm control Disabled
Classification iSCSI packets are classified by VLAN
instead of by DSCP values.
VLAN priority tag iSCSI flows are assigned by default the
highest 802.1p VLAN priority tag mapped
to the highest queue not used for stack
management or the voice VLAN.
DSCP When DSCP is selected as the
classification, iSCSI flows are assigned by
default the highest DSCP tag mapped to
the highest queue not used for stack
management or the voice VLAN.
Remark Not enabled
iSCSI session aging time 10 minutes
iSCSI optimization target ports iSCSI well-known ports 3260 and 860 are
configured as default (with no IP address or
name) but can be removed as any other
configured target.
Configuring iSCSI Optimization (Web)
This section provides information about the OpenManage Switch
Administrator pages used to configure the iSCSI features on Dell Networking
N2000, N3000, and N4000 series switches. For details about the fields on a
page, click at the top of the page.
iSCSI Global Configuration
Use the Global Configuration page to allow the switch to snoop for iSCSI
sessions/connections and to configure QoS treatment for packets where the
iSCSI protocol is detected.
To access the iSCSI Global Configuration page, click System iSCSI
Global Configuration in the navigation panel.
Figure 17-1. iSCSI Global Configuration
iSCSI Targets Table
Use the Targets Table page to view and configure iSCSI targets on the switch.
To access the Targets Table page, click System iSCSI Targets in the
navigation panel.
Figure 17-2. iSCSI Targets Table
To add an iSCSI Target, click Add at the top of the page and configure the
relevant information about the iSCSI target.
Figure 17-3. Add iSCSI Targets
iSCSI Sessions Table
Use the Sessions Table page to view summary information about the iSCSI
sessions that the switch has discovered. An iSCSI session occurs when an
iSCSI initiator and iSCSI target communicate over one or more TCP
connections. The maximum number of iSCSI sessions is 192. Redundant
(MPIO paths) may not be accounted for in the iSCSI sessions table if a
separate iSCSI login is not issued during establishment of the session.
To access the Sessions Table page, click System iSCSI Sessions Table in
the navigation panel.
Figure 17-4. iSCSI Sessions Table
iSCSI Sessions Detailed
Use the Sessions Detailed page to view detailed information about an iSCSI
session that the switch has discovered.
To access the Sessions Detailed page, click System iSCSI Sessions
Detailed in the navigation panel.
Figure 17-5. iSCSI Sessions Detail
Configuring iSCSI Optimization (CLI)
This section provides information about the commands you use to configure
iSCSI settings on the switch. For more information about the commands, see
the Dell Networking N2000, N3000, and N4000 Series Switches CLI
Reference Guide at support.dell.com/manuals.
Command Purpose
configure
    Enter Global Configuration mode. iSCSI optimization is enabled by default.
iscsi target port tcp-port-1 [tcp-port-2...tcp-port-16] [address ip-address] [name targetname]
    Configure an iSCSI target port and, optionally, address and name.
    tcp-port-n—TCP port number or list of TCP port numbers on which the
    iSCSI target listens to requests. Up to 16 TCP ports can be defined in the
    system in one command or by using multiple commands.
    ip-address—IP address of the iSCSI target. When the no form of this
    command is used, and the tcp port to be deleted is one bound to a specific
    IP address, the address field must be present.
    targetname—iSCSI name of the iSCSI target. The name can be statically
    configured; however, it can be obtained from iSNS or from sendTargets
    response. The initiator must present both its iSCSI Initiator Name and the
    iSCSI Target Name to which it wishes to connect in the first login request
    of a new session or connection.
iscsi cos {enable | disable | vpt vpt | dscp dscp [remark]}
    Optionally set the quality of service profile that will be applied to
    iSCSI flows.
    enable—Enables application of preferential QoS treatment to iSCSI frames.
    On switches that support DCBX, this also enables the generation of the
    Application Priority TLV for iSCSI.
    disable—Disables application of preferential QoS treatment to iSCSI
    frames.
    vpt/dscp—The VLAN Priority Tag or DSCP value to assign received iSCSI
    session packets.
    remark—Mark the iSCSI frames with the configured DSCP value when egressing
    the switch.
iscsi aging time time
    Optionally set aging time (range: 1–43,200 seconds) for iSCSI connections.
    When all connections associated with a session are aged out, the session
    is deleted.
exit
    Exit to Privileged Exec mode.
show iscsi
    Display iSCSI settings.
show iscsi sessions
    Display iSCSI session information. Redundant (MPIO paths) may not be
    accounted for in the iSCSI sessions table if a separate iSCSI login is not
    issued during establishment of the session.
iSCSI Optimization Configuration Examples
iSCSI optimization is enabled by default with the appropriate settings to
operate properly in almost all configurations. However, if you find it
necessary to alter those settings, the following procedure illustrates the
configuration steps required.
Configuring iSCSI Optimization Between Servers and a Disk Array
Figure 17-6 illustrates a stack of three Dell Networking series switches
connecting two servers (iSCSI initiators) to a disk array (iSCSI targets).
An iSCSI application running on the management unit (the top unit in the
diagram) has installed priority filters to ensure that iSCSI traffic that is part
of these two sessions receives priority treatment when forwarded in hardware.
Figure 17-6. iSCSI Optimization
The following commands show how to configure the iSCSI example depicted
in Figure 17-6. Remember that iSCSI optimization is enabled by default.
1. Set the system MTU to 9216 to enable the use of jumbo frames.
console#config
console(config)#system jumbo mtu 9216
2. Optionally configure the switch to associate CoS queue 5 with detected
iSCSI session traffic.
console(config)#iscsi cos enable
console(config)#exit
The default target port and IP address criteria are used to determine which
packets are snooped for iSCSI session data (ports 860 and 3260; any IP
address).
3. If the array is a Compellent storage array, execute the Compellent macro
on the ports attached to the array:
console#config
console(config)#macro global apply profile-compellent-nas $interface_name te1/0/21
console(config)#macro global apply profile-compellent-nas $interface_name te1/0/22
console(config)#macro global apply profile-compellent-nas $interface_name te1/0/23
To configure an N4000 switch in a lossless DCBX environment where another
switch connected to storage arrays supplies the DCBX configuration, perform
the following steps starting with a default configuration:
1. Enter global configuration mode and configure the system MTU on the
switch.
console#configure
console(config)#system jumbo mtu 9216
2. Create VLAN 100. This command also enters the VLAN configuration
mode for VLAN 100.
console(config)#vlan 100
console(config-vlan100)#exit
3. Enable VLAN tagging to allow the CNA ports 1-4 to carry 802.1p priority
values through the network.
console(config)#interface range te1/0/1-4
console(config-if)#switchport mode trunk
4. Configure the DCBx port role as auto-downstream. This step
automatically enables PFC and ETS on the ports using the configuration
received from the other switch.
console(config-if)#lldp dcbx port-role auto-down
console(config-if)#exit
5. Enter interface configuration mode for the switch-facing ports and
configure the DCBx port role as auto-up. This step automatically enables
PFC and ETS on the ports using the configuration received from the other
switch.
console(config)#interface range te1/0/16-17
console(config-if)#lldp dcbx port-role auto-up
6. Add the ports to port-channel 1:
console(config-if)#channel-group 1 mode active
console(config-if)#exit
7. Configure the port-channel to be in trunk mode:
console(config)#interface po1
console(config-if)#switchport mode trunk
console(config-if)#exit
To configure an N4000 switch in a lossless DCBX environment where the
switch is directly connected to storage arrays and the CNAs (no other switch
is present), perform the following steps starting from a default configuration:
1. Enter global configuration mode and configure the system MTU on the
switch.
console#configure
console(config)#system jumbo mtu 9216
2. Create VLAN 100. This command also enters the VLAN configuration
mode for VLAN 100.
console(config)#vlan 100
console(config-vlan100)#exit
3. Enable iSCSI CoS. This enables generation of the iSCSI Application
Priority TLV required by the CNAs.
console(config)#iscsi cos enable
4. Map VLAN priority 4 onto traffic class 4.
console(config)#classofservice dot1p-mapping 4 4
5. Enter Interface Configuration mode for CNA connected ports 1-4 and
array connected ports 16-17.
console(config)#interface range te1/0/1-4,te1/0/16-17
6. Enable VLAN tagging to allow the CNA connected ports to carry 802.1p
priority values through the network.
console(config-if)#switchport mode trunk
7. Enter datacenter bridging mode to enable PFC on the ports.
console(config-if)#datacenter-bridging
8. Enable PFC and configure traffic marked with 802.1p priority 4 to be
paused rather than dropped when congestion occurs.
console(config-if-dcb)#priority-flow-control mode on
console(config-if-dcb)#priority-flow-control priority 4 no-drop
console(config-if-dcb)#exit
9. Configure ETS by mapping the lossless traffic onto TC 1 and sharing
bandwidth equally between the lossless and lossy traffic classes.
console(config-if)#classofservice traffic-class-group 0 0
console(config-if)#classofservice traffic-class-group 1 0
console(config-if)#classofservice traffic-class-group 2 0
console(config-if)#classofservice traffic-class-group 3 0
console(config-if)#classofservice traffic-class-group 4 1
console(config-if)#classofservice weight 50 50 0
10. Exit interface configuration mode for the range of interfaces.
console(config-if)#exit
Configuring Port Characteristics 477
18
Configuring Port Characteristics
This chapter describes how to configure physical switch port characteristics,
including settings such as administrative status, maximum frame size, and
Green Ethernet settings. This chapter also describes the link dependency
feature.
The topics covered in this chapter include:
• Port Overview
• Default Port Values
• Configuring Port Characteristics (Web)
• Configuring Port Characteristics (CLI)
• Port Configuration Examples
Port Overview
A port is a physical interface. Cables physically connect ports on devices such
as PCs or servers to ports on the switch to provide access to the network. The
number and type of physical ports available on your Dell Networking N2000,
N3000, and N4000 series switches depends on the model.
What Physical Port Characteristics Can Be Configured?
Table 18-1 provides a summary of the physical characteristics that can be
configured on the switch ports.
Table 18-1. Port Characteristics
Feature Description
Administrative status Controls whether the port is administratively
enabled or disabled.
Description Provides a text-based description of the port.
Auto negotiation Enables a port to advertise its transmission rate,
duplex mode and flow control abilities to its
partner.
Speed Specifies the transmission rate for frames.
Duplex mode Specifies whether the interface supports
transmission between the switch and the
connected client in one direction at a time (half)
or both directions simultaneously (both).
Maximum frame size Indicates the maximum frame size that can be
handled by the port.
Green Ethernet features Green Ethernet features include:
• Energy detect mode
• Energy Efficient Ethernet (EEE), which enables the low-power idle mode
Flow control This is a global setting that affects all ports. For
more information about this feature, see
"Configuring Port-Based Traffic Control" on
page 787.
Storm control For more information about this feature, see
"Configuring Port-Based Traffic Control" on
page 787.
Port security For more information about this feature, see
"Configuring Port and System Security" on
page 503.
Protected port For more information about this feature, see
"Configuring Port-Based Traffic Control" on
page 787.
What is Link Dependency?
The link dependency feature provides the ability to enable or disable one or
more ports based on the link state of one or more different ports. With link
dependency enabled on a port, the link state of that port is dependent on the
link state of another port. For example, if port A is dependent on port B and
the switch detects a link loss on port B, the switch automatically brings down
the link on port A. When the link is restored to port B, the switch
automatically restores the link to port A.
You can create a maximum of 72 dependency groups. The ports
participating in the Link Dependency can be across all the Stack Units
(Manager/Member unit).
Link Action
The link action specifies the action that the group members will take when
the dependent port is down. The group members can transition to the same
state as the dependent port, or they can transition to the opposite state. In
other words, if the link action is down and the dependent port goes down, the
member ports will go down as well. Conversely, when the link action is up
and the dependent link goes down, the group member ports are enabled
(brought up).
Creating a link dependency group with the up link action essentially creates a
backup link for the dependent link and alleviates the need to implement STP
to handle the fail-over.
Link Dependency Scenarios
The Link Dependency feature supports the scenarios in the following list.
Port dependent on port — If a port loses the link, the switch brings
up/down the link on another port.
Port dependent on LAG — If all ports in a channel-group lose the link, the
switch brings up/down the link on another port.
LAG dependent on port — If a port loses the link, the switch brings
up/down all links in a channel-group.
Multiple port command — If a group of ports lose their link, the switch
brings up/down the link on another group of ports.
Overlapping ports — Overlapping ports on different groups will be
brought up/down only if both dependent ports lose the link.
NOTE: Whether the member ports or LAGs are brought up or down depends on
the link action.
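As an added illustration (not Dell's implementation), the following Python model evaluates the scenarios above for a constructed set of groups; it assumes a group triggers when every interface it depends on is down, and that a member listed in several groups is acted on only once all of those groups have triggered.

```python
from dataclasses import dataclass


@dataclass
class DependencyGroup:
    group_id: int
    members: frozenset     # ports or LAGs whose link is controlled
    depends_on: frozenset  # ports or LAGs whose link state is watched
    action: str = "down"   # "down": members follow the dependent link; "up": backup link


def interface_up(name, link_state, lags):
    """A physical port is up when its link is up; a LAG (port-channel) counts as
    down only when all of its member ports have lost link, as the page states."""
    if name in lags:
        return any(link_state.get(p, False) for p in lags[name])
    return link_state.get(name, False)


def evaluate(groups, link_state, lags):
    """Return {member: True if it should be brought up, False if brought down}.

    Assumptions (not spelled out on the page): a group triggers when every
    interface it depends on is down, and a member appearing in several groups
    is acted on only when all of them have triggered (overlapping-ports rule).
    """
    triggered_by_member = {}
    action_by_member = {}
    for g in groups:
        triggered = not any(interface_up(d, link_state, lags) for d in g.depends_on)
        for m in g.members:
            triggered_by_member.setdefault(m, []).append(triggered)
            action_by_member.setdefault(m, g.action)
    desired = {}
    for m, flags in triggered_by_member.items():
        all_triggered = all(flags)
        if action_by_member[m] == "up":
            desired[m] = all_triggered      # backup link: up only when the dependent link is lost
        else:
            desired[m] = not all_triggered  # follow: down when the dependent link is lost
    return desired


# Constructed topology: Group 1 mirrors the Web example later in the chapter (port 3
# dependent on port 4); Group 2 makes te1/0/10 a backup for port-channel 1
# (te1/0/16-17) using the up action; Group 3 overlaps Group 1 on te1/0/3.
LAGS = {"po1": ["te1/0/16", "te1/0/17"]}
GROUPS = [
    DependencyGroup(1, frozenset({"te1/0/3"}), frozenset({"te1/0/4"}), "down"),
    DependencyGroup(2, frozenset({"te1/0/10"}), frozenset({"po1"}), "up"),
    DependencyGroup(3, frozenset({"te1/0/3"}), frozenset({"te1/0/5"}), "down"),
]


def scenario(down_ports):
    """Evaluate GROUPS with the given set of physical ports down and all others up."""
    all_ports = {"te1/0/3", "te1/0/4", "te1/0/5", "te1/0/10", "te1/0/16", "te1/0/17"}
    link_state = {p: p not in down_ports for p in all_ports}
    return evaluate(GROUPS, link_state, LAGS)
```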
What Interface Types are Supported?
The physical ports on the switch include the out-of-band (OOB) interface
(N3000 and N4000 only) and Ethernet switch ports. The OOB interface
supports a limited set of features and is for switch management only. The
Ethernet switch ports support many logical features that are often supported
by logical interfaces. The switch supports the following types of logical
interfaces:
• Port-based VLANs — For more information, see "Configuring VLANs" on
page 645.
• VLAN routing interfaces — For more information, see "Configuring
Routing Interfaces" on page 1021.
• Link Aggregation Groups (LAGs), which are also called port-channels —
For more information, see "Configuring Link Aggregation" on page 913.
• Tunnels — For more information, see "Configuring Routing Interfaces"
on page 1021.
• Loopback interfaces — For more information, see "Configuring Routing
Interfaces" on page 1021.
The Dell Networking switches include the following Power over Ethernet
(PoE) Plus models: the N2024P, N2048P, N3024P, N3048P. For information
about configuring PoE plus features for the ports, see "Managing General
System Settings" on page 279.
N3000 and N4000 switches have a single expansion slot and can support the
following module types:
• 10GBaseT module
• SFP+ module
• QSFP+ module (N4000 only)
What is Interface Configuration Mode?
When you use the CLI to configure physical or logical characteristics for an
interface, you must enter Interface Configuration Mode for that interface. To
enter the mode, type the keyword interface followed by the interface type and
additional information to identify the interface, such as the interface number.
To enter Interface Configuration mode for a physical switch port, the
following information is required:
• Type — For physical switch ports, the type is Gigabit Ethernet
(gigabitethernet or gi) for 10/100/1000 Mbps Ethernet ports or 10-Gigabit
Ethernet (tengigabitethernet or te) for 10,000 Mbps Ethernet ports.
• Stack member number — The unit number within the stack. The range is
1–12. The default unit number for a switch that has not been in a stack is
1. To view the member number assigned to each switch in a stack, use the
show switch command.
• Module (slot) number — For the N4000, the slot number is always 0. The
expansion module slot number is 1 for a module inserted in the left slot or
2 when it is in the right slot (when viewing the back panel of the switch).
For front-panel ports, the slot number is 0.
• Port number — The number assigned to the port. For front-panel ports the
port number is written above or below each port. Odd-numbered ports are
on the top row, and even-numbered ports are on the bottom row. The port
numbers increase from left to right. For ports on the optional modules, the
left port is 1, and the right port is 2.
For example, to enter Interface Configuration mode for Gigabit Ethernet
port 10 on a switch that is not part of a stack, use the following command:
console(config)#interface gigabitEthernet 1/0/10
For example, to enter Interface Configuration mode for 10-Gigabit Ethernet
port 10, use the following command:
console(config)#interface tengigabitEthernet 1/0/10
To enter Interface Configuration mode for Gigabit Ethernet port 6 on stack
member 3, use the following command:
console(config)#interface gigabitEthernet 3/0/6
To enter Interface Configuration mode for port 1 on a 10-Gigabit Ethernet
module in the left slot, use the following command:
console(config)#interface tengigabitEthernet 1/1/1
NOTE: When you enter Interface Configuration mode, the command prompt
changes and identifies the interface. In the previous example, the command
prompt becomes console(config-if-Te1/0/10)#.
For many features, you can configure a range of interfaces. When you enter
Interface Configuration mode for multiple interfaces, the commands you
execute apply to all interfaces specified in the range.
To enter Interface Configuration mode for a range of interfaces, include the
keyword range and specify the interfaces to configure. For example, to apply
the same configuration to ports 1-10 on a standalone switch, use the
following command:
console(config)#interface range tengigabitEthernet 1/0/1-10
To enter Interface Configuration mode for ports 3, 4, 5, 12, and 14 on a
standalone switch, use the following command:
console(config)#interface range tengigabitEthernet 1/0/3-5,1/0/12,1/0/14
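An added example (not from Dell) that parses and validates interface identifiers and range expressions in the format explained above, so that scripts generating or auditing port configuration can reject bad unit, slot or port numbers before they are pushed to the switch; the unit range of 1–12 and the two ports per module are taken from the text, and the short prompt form (Te1/0/10) from the NOTE below.

```python
import re

# Interface type keywords and the short form the config-if prompt uses.
TYPE_ALIASES = {
    "gigabitethernet": "Gi", "gi": "Gi",
    "tengigabitethernet": "Te", "te": "Te",
}
MAX_STACK_UNITS = 12   # stack member number range 1-12 from the page
MODULE_PORTS = 2       # an optional module exposes ports 1 (left) and 2 (right)

_IFACE_RE = re.compile(r"\s*([A-Za-z]+)\s*(\d+)/(\d+)/(\d+)\s*")
_ITEM_RE = re.compile(r"(\d+)/(\d+)/(\d+)(?:-(\d+))?")


def parse_interface(text):
    """Parse 'tengigabitEthernet 1/0/10' or 'te1/1/1' into (type, unit, slot, port),
    validating unit, slot and module port numbers as the page describes."""
    m = _IFACE_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not an interface identifier: {text!r}")
    kind = TYPE_ALIASES.get(m.group(1).lower())
    if kind is None:
        raise ValueError(f"unknown interface type: {m.group(1)!r}")
    unit, slot, port = (int(x) for x in m.group(2, 3, 4))
    if not 1 <= unit <= MAX_STACK_UNITS:
        raise ValueError(f"stack member {unit} outside 1-{MAX_STACK_UNITS}")
    if slot not in (0, 1, 2):
        raise ValueError(f"slot {slot} is not 0 (front panel), 1 (left) or 2 (right)")
    if port < 1 or (slot != 0 and port > MODULE_PORTS):
        raise ValueError(f"port {port} is not valid for slot {slot}")
    return kind, unit, slot, port


def is_valid_interface(text):
    """True when text parses under the rules above, False otherwise."""
    try:
        parse_interface(text)
        return True
    except ValueError:
        return False


def expand_range(text):
    """Expand an 'interface range' argument such as
    'tengigabitEthernet 1/0/3-5,1/0/12,1/0/14' into prompt-style names ('Te1/0/3').
    Every generated port is validated with parse_interface."""
    m = re.fullmatch(r"\s*([A-Za-z]+)\s*([\d/,\-\s]+)", text)
    if not m:
        raise ValueError(f"not an interface range: {text!r}")
    kind_word = m.group(1)
    names = []
    for item in m.group(2).replace(" ", "").split(","):
        im = _ITEM_RE.fullmatch(item)
        if not im:
            raise ValueError(f"bad range item: {item!r}")
        first = int(im.group(3))
        last = int(im.group(4)) if im.group(4) else first
        if last < first:
            raise ValueError(f"descending range: {item!r}")
        for port in range(first, last + 1):
            k, u, s, p = parse_interface(f"{kind_word}{im.group(1)}/{im.group(2)}/{port}")
            names.append(f"{k}{u}/{s}/{p}")
    return names
```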
What Are the Green Ethernet Features?
The Green Ethernet feature supports two per-port power-saving modes:
• Energy-detect Mode
• EEE
All integrated 1G and module-based 10G copper ports on Dell Networking
series switches are capable of utilizing the Energy Detect and EEE modes for
reduced power consumption.
When the Energy Detect mode is enabled and the port link is down, the PHY
automatically goes down for a short period of time and then wakes up to check
link pulses. This mode reduces power consumption on the port when no link
partner is present.
EEE enables ports to enter a low-power mode to reduce power consumption
during periods of low link utilization. EEE is defined by IEEE 802.3az. EEE
enables both the send and receive sides of the link to disable some
functionality for power savings when the link is lightly loaded.
NOTE: You can switch to another interface or range of interfaces by entering the
interface command while in Interface Configuration mode. It is not necessary to
exit Interface Configuration mode to select a different interface.
NOTE: Cable diagnostics may give misleading results if green mode is enabled
on the port. Disable green mode prior to running any cable diagnostics.
Default Port Values
Table 18-3 lists the default values for the port characteristics that
this chapter describes.
Table 18-3. Default Port Values
Feature Description
Administrative status All ports are enabled
Description None defined
Auto negotiation Enabled
Speed Auto-negotiate
Duplex mode Auto-negotiate
Flow control Enabled
Maximum frame size 1518
Energy Detect mode Disabled
EEE mode Disabled
Link Dependency None configured
Configuring Port Characteristics (Web)
This section provides information about the OpenManage Switch
Administrator pages for configuring and monitoring port characteristics on
Dell Networking N2000, N3000, and N4000 series switches. For details about
the fields on a page, click at the top of the page.
Port Configuration
Use the Port Configuration page to define port parameters.
To display the Port Configuration page, click Switching > Ports > Port
Configuration in the navigation panel.
Figure 18-1. Port Configuration
Configuring Multiple Ports
To configure port settings on multiple ports:
1. Open the Port Configuration page.
2. Click Show All to display the Port Configuration Table page.
3. In the Ports list, select the check box in the Edit column for the port to
configure.
4. Select the desired settings.
5. Click Apply.
Figure 18-2. Configure Port Settings
6. Select the Copy Parameters From check box, and select the port with the
settings to apply to other ports.
7. In the Ports list, select the check box(es) in the Copy To column that will
have the same settings as the port selected in the Copy Parameters From
field.
In the following example, Ports 3, 4, and 5 will be updated with the
settings that are applied to Port 1.
Figure 18-3. Copy Port Settings
8. Click Apply.
Link Dependency Configuration
Use the Link Dependency Configuration page to create link dependency
groups. You can create a maximum of 16 dependency groups. The page
displays the groups whether they have been configured or not.
To display the Link Dependency Configuration page, click Switching >
Link Dependency > Configuration in the navigation panel.
Figure 18-4. Link Dependency Configuration
Creating a Link Dependency Group
To create link dependencies:
1. Open the Link Dependency Configuration page.
2. In the Group ID field, select the ID of the group to configure.
3. Specify the link action.
4. To add a port to the Member Ports column, click the port in the Available
Ports column, and then click the < button to the left of the Available Ports
column. Ctrl + click to select multiple ports.
5. To add a port to the Ports Depended On column, click the port in the
Available Ports column, and then click the > button to the right of the
Available Ports column.
490 Configuring Port Characteristics
In the following example, Group 1 is configured so that Port 3 is
dependent on Port 4.
Figure 18-5. Link Dependency Group Configuration
6
Click
Apply
.
The Link Dependency settings for the group are modified, and the device
is updated.
Configuring Port Characteristics 491
Link Dependency Summary
Use the Link Dependency Summary page to view all link dependencies on
the system and to access the Link Dependency Configuration page. You can
create a maximum of 16 dependency groups. The page displays the groups
whether they have been configured or not.
To display the Link Dependency Summary page, click Switching > Link Dependency > Link Dependency Summary in the navigation panel.
Figure 18-6. Link Dependency Summary
To configure a group, click the Modify link associated with the ID of the group to configure. Clicking the Modify link takes you to the Link Dependency Configuration page. The Group ID is automatically selected based on the link that was clicked.
Port Green Ethernet Configuration
Use the Green Ethernet Configuration page to enable or disable energy-saving modes on each port.
To display the Green Ethernet Configuration page, click System > Green Ethernet > Green Ethernet Configuration in the navigation panel.
Figure 18-7. Green Ethernet Configuration
Port Green Ethernet Statistics
Use the Green Ethernet Statistics page to view information about per-port
energy savings.
To display the Green Ethernet Statistics page, click System > Green Ethernet > Green Ethernet Statistics in the navigation panel.
Figure 18-8. Green Ethernet Statistics
To view a summary of energy savings for the switch and all ports, click
Summary.
Figure 18-9. Green Ethernet Statistics Summary
To view a chart that shows the estimated per-port energy savings, click Chart.
Figure 18-10. Green Ethernet Statistics Chart
Port Green Ethernet LPI History
Use the Green Ethernet LPI History page to view data about the amount of
time the switch has spent in low-power idle (LPI) mode.
To display the Green Ethernet LPI History page, click System > Green Ethernet > Green Ethernet LPI History in the navigation panel.
Figure 18-11. Green Ethernet LPI History
Configuring Port Characteristics (CLI)
This section provides information about the commands you use to configure port characteristics. For more information about the commands, see the Dell Networking N2000, N3000, and N4000 Series Switches CLI Reference Guide at support.dell.com/manuals.
Configuring Port Settings
Beginning in Privileged EXEC mode, use the following commands to configure various port settings. Each command is listed with its purpose.

configure
    Enter Global Configuration mode.
interface interface
    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
    You can also specify a range of interfaces with the interface range command; for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
description string
    Add a description to the port. The text string can be from 1-64 characters.
shutdown
    Administratively disable the interface.
speed {10|100|1000|10000|auto [100|1000|10000]}
    Configure the speed of a given Ethernet interface or allow the interface to automatically detect the speed.
    If you use the 100, 1000, or 10000 keywords with the auto keyword, the port auto-negotiates only at the specified speeds. Setting the speed without the auto keyword forces the speed to the selected value and disables auto-negotiation. It is possible to configure a fiber port for a speed not supported by the transceiver; in this case, the port will not link up.
    On combo ports, it is possible to configure auto-negotiation even if only the fiber interface is active. The auto-negotiation settings will be used when the copper port is active. Auto-negotiation settings are ignored for the fiber ports, as fiber ports always operate in full-duplex fixed-speed mode.
system jumbo mtu size
    Enable jumbo frames on the switch by adjusting the maximum size of a packet.
CTRL + Z
    Exit to Privileged EXEC mode.
show interfaces status
    Show summary information about all interfaces.
show interfaces configuration
    View a summary of the configuration for all ports.
show interfaces advertise
    View a summary of the speeds that are advertised on each port.
show interfaces description
    View configured descriptions for all ports.
show interfaces detail interface
    View detailed information about the specified port.

Configuring Link Dependencies
Beginning in Privileged EXEC mode, use the following commands to configure ports that are dependent on the state of other ports.

configure
    Enter Global Configuration mode.
link-dependency group group_id
    Enter the link-dependency mode to configure a link-dependency group.
add interface
    Add member ports to the group. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. You can also add port-channels (LAGs) as members by using the keyword port-channel followed by an ID.
    You can also specify a range of interfaces. For example, tengigabitethernet 1/0/8-10,1/0/20 specifies interfaces 8, 9, 10 and 20.
depends-on interface
    Specify the port(s) upon which the member ports are dependent. For information about the interface variable, see the previous command description.
action {down|up}
    Specify the action the member ports take when the dependent link goes down.
    down — When the dependent link is down, the group members are down (the members are up otherwise).
    up — When the dependent link goes down, the group members are brought up (the members are down otherwise).
CTRL + Z
    Exit to Privileged EXEC mode.
show link-dependency [group group_id]
    View link dependency settings for all groups or for the specified group, along with the group state.

Configuring Green Features
Beginning in Privileged EXEC mode, use the following commands to configure and monitor energy-saving features for the ports and the switch.

configure
    Enter Global Configuration mode.
interface interface
    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3.
    You can also specify a range of interfaces with the interface range command; for example, interface range gigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
green-mode energy-detect
    Enable energy-detect mode on the interface.
green-mode eee
    Enable EEE low power idle mode on the interface.
exit
    Exit to Global Configuration mode.
green-mode eee-lpi-history {sampling-interval seconds | max-samples max}
    Configure the global EEE LPI history collection interval and buffer size.
exit
    Exit to Privileged EXEC mode.
show green-mode interface
    View green mode settings for the specified port.
show green-mode eee-lpi-history interface interface
    View the EEE LPI history statistics for the specified port.
Port Configuration Examples
This section contains the following examples:
• Configuring Port Settings
• Configuring Link Dependency Groups
Configuring Port Settings
The commands in this example specify the speed and duplex mode for port 1
(gigabitEthernet 1/0/1) and change the system MTU size.
To configure the switch:
1. Enter Interface Configuration mode for port 1.
console#configure
console(config)#interface gigabitEthernet 1/0/1
2. Change the speed and duplex settings for the port.
console(config-if-Gi1/0/1)#speed 100
console(config-if-Gi1/0/1)#exit
3. Enable jumbo frame support on the interfaces.
console(config)#system jumbo mtu 9216
console(config)#CTRL + Z
4. View summary information about the ports.
console#show interfaces configuration
Port Type Duplex Speed Neg Admin St.
--------- ------------- ------ ------- ---- -----
Gi1/0/1 Gigabit - Level Full 100 Off Up
Gi1/0/2 Gigabit - Level N/A Unknown Auto Up
Gi1/0/3 Gigabit - Level N/A Unknown Auto Up
Gi1/0/4 Gigabit - Level N/A Unknown Auto Up
Gi1/0/5 Gigabit - Level N/A Unknown Auto Up
Te1/0/1 10G - Level N/A Unknown Auto Up
Te1/0/2 10G - Level N/A Unknown Auto Up
Te1/0/3 10G - Level N/A Unknown Auto Up
Te1/0/4 10G - Level N/A Unknown Auto Up
Te1/0/5 10G - Level N/A Unknown Auto Up
--More-- or (q)uit
Configuring Link Dependency Groups
The commands in this example create two link dependency groups. Group 1 has port 3 as a member port that is dependent on port 4. The group uses the default link action, which is down. This means that if port 4 goes down, port 3 goes down. When port 4 returns to the up state, port 3 is brought back up. In Group 2, port 6 is dependent on port-channel (LAG) 1, and the link action is up. If port-channel 1 goes down, port 6 is brought up. This also means that when port-channel 1 is up, port 6 is down.
To configure the switch:
1. Enter the configuration mode for Group 1.
console#configure
console(config)#link-dependency group 1
2. Configure the member and dependency information for the group.
console(config-linkDep-group-1)#add tengigabitethernet 1/0/3
console(config-linkDep-group-1)#depends-on tengigabitethernet 1/0/4
console(config-linkDep-group-1)#exit
3. Enter the configuration mode for Group 2 and configure it.
console(config)#link-dependency group 2
console(config-linkDep-group-2)#add tengigabitethernet 1/0/6
console(config-linkDep-group-2)#depends-on port-channel 1
console(config-linkDep-group-2)#action up
console(config-linkDep-group-2)#CTRL + Z
4. View the configured link dependency groups.
console#show link-dependency
GroupId Member Ports Ports Depended On Link Action
------- ------------- ----------------- ----------
1 Te1/0/3 te/0/4 Link Down
2 te/0/6 ch1 Link Up
19 Configuring Port and System Security
This chapter describes how to configure port-based and system security
features, which control access to the network through the switch ports, and
the denial of service (DoS) feature.
The topics covered in this chapter include:
• Port-based Security—IEEE 802.1X and Port MAC Locking
• Captive Portal
• Authentication Manager
• Denial of Service
Port-based Security—IEEE 802.1X and Port MAC Locking
Port-based security includes IEEE 802.1X authentication and port MAC locking.
• IEEE 802.1X provides an authentication mechanism for devices connected to the switch. Network access is permitted only to authorized devices (clients).
• Port MAC locking is used to enable security on a per-port basis. When a port is locked, only packets with allowable source MAC addresses can be forwarded. All other packets are discarded. Port MAC locking allows a configurable limit to the number of source MAC addresses that can be learned on a port.
NOTE: Port-based security can also be accomplished by using Access Control
Lists (ACLs). For information about configuring ACLs, see "Configuring Access
Control Lists" on page 583.
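As an added example (not code from the Dell guide), the Python below models the port MAC locking behaviour described above: a locked port forwards only frames whose source MAC is statically allowed or can still be learned under the configured limit (the Table 19-2 default is 100 learned addresses when locked), and discards everything else. The class, function and field names and the constructed frame sequence are this example's own; the trace shows why a low limit blunts a MAC-flooding attempt on a locked port while the hosts that were learned first keep forwarding.

```python
"""Port MAC locking modelled as a per-port forwarding decision.

Added example, not Dell code.  A locked port forwards frames only from
source MACs that are statically allowed or were dynamically learned before
the configured limit was reached (Table 19-2: 100 when locked); everything
else is discarded and recorded as a violation.  Class, function and field
names are this example's own; the frame sequences at the bottom are
constructed for the demonstration."""

from collections import OrderedDict


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class PortMacLock:
    """MAC locking state for one switch port."""

    def __init__(self, locked: bool = False, max_learned: int = 100,
                 static_allowed=()):
        self.locked = locked
        self.max_learned = max_learned
        self.static = {normalize_mac(m) for m in static_allowed}
        self.learned = OrderedDict()   # dynamically learned sources, oldest first
        self.violations = []           # discarded source MACs (one trap each, if enabled)

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if discarded."""
        src_mac = normalize_mac(src_mac)
        if not self.locked:
            return True                            # unlocked: no enforcement
        if src_mac in self.static or src_mac in self.learned:
            return True                            # already an allowable source
        if len(self.learned) < self.max_learned:
            self.learned[src_mac] = True           # learn until the limit is reached
            return True
        self.violations.append(src_mac)            # over the limit: discard
        return False


def run_trace(port: PortMacLock, frames):
    """Feed a sequence of source MACs through the port; return those forwarded."""
    return [mac for mac in frames if port.ingress(mac)]


# Constructed scenario: two legitimate hosts, then a burst of spoofed sources
# of the kind used to exhaust a switch's MAC table, then the hosts again.
LEGIT = ["00:11:22:33:44:01", "00:11:22:33:44:02"]
FLOOD = [f"de:ad:be:ef:00:{i:02x}" for i in range(5)]


def demo(limit: int = 2):
    """Locked port with a small limit: returns (forwarded, discarded)."""
    port = PortMacLock(locked=True, max_learned=limit)
    forwarded = run_trace(port, LEGIT + FLOOD + LEGIT)
    return forwarded, list(port.violations)


if __name__ == "__main__":
    fwd, dropped = demo()
    print("forwarded:", fwd)
    print("discarded:", dropped)
```

The limit is only as useful as its value: with the default of 100, a single attacker can still install 100 bogus entries before the port starts discarding, so on access ports that serve one host a limit of a handful of addresses is the setting that actually stops table exhaustion.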
IEEE 802.1X
What is IEEE 802.1X?
The IEEE 802.1X standard provides a means of preventing unauthorized
access by supplicants (clients) to the services the switch offers, such as access
to the LAN.
The 802.1X network has three components:
• Supplicant — The client connected to the authenticated port that requests access to the network.
• Authenticator — The network device that prevents network access prior to authentication.
• Authentication Server — The network server (such as a RADIUS server) that performs the authentication on behalf of the authenticator, and indicates whether the user is authorized to access system services.
Figure 19-1 shows the 802.1X network components.
Figure 19-1. IEEE 802.1X Network (components shown: Supplicant, Authenticator, Authentication Server, LAN)
As shown in Figure 19-1, the Dell Networking N2000, N3000, or N4000 series switch is the authenticator and requires the supplicant (a PC) attached to an 802.1X-controlled port to be authenticated by an authentication server (a RADIUS server). The result of the authentication process determines whether the supplicant is authorized to access services on that controlled port. Dell Networking switches support authentication using remote RADIUS or TACACS servers and also support authentication using a local authentication service.
Supported security methods for communication with remote servers include
MD5, PEAP, EAP-TTL, EAP-TTLS, and EAP-TLS. Only EAP-MD5 is
supported when using the local authentication server (IAS).
For a list of RADIUS attributes that the switch supports, see "Using RADIUS
Servers to Control Management Access" on page 232.
What are the 802.1X Port States?
The 802.1X port state determines whether to allow or prevent network traffic on the port. A port can be configured to be in one of the following 802.1X control modes:
• Auto (default)
• MAC-based
• Force-authorized
• Force-unauthorized
These modes control the behavior of the port. The port state is either Authorized or Unauthorized.
If the port is in the authorized state, the port sends and receives normal traffic without client port-based authentication. When a port is in an unauthorized state, it ignores supplicant authentication attempts and does not provide authentication services to the client. By default, when 802.1X is globally enabled on the switch, all ports are in Auto, which means the port will be unauthorized until a successful authentication exchange has taken place.
In addition to authorized, unauthorized, and automode, the 802.1X mode of a port can be MAC-based, as the following section describes.
NOTE: Only MAC-Based and Automode actually use 802.1X to authenticate. Authorized and Unauthorized modes are manual overrides.
What is MAC-Based 802.1X Authentication?
MAC-based authentication allows multiple supplicants connected to the
same port to each authenticate individually. For example, a 5-port hub might
be connected to a single port on the switch. Each host connected to the hub
must authenticate separately in order to gain access to the network.
The hosts are distinguished by their MAC addresses.
When multiple hosts (for example, a PC, a printer, and a phone in the same
office) are connected to the switch on the same port, each of the connected
hosts authenticates separately with the RADIUS server.
If a port uses MAC-based 802.1X authentication, the option to use MAC
Authentication Bypass (MAB) is available. MAB is a supplemental
authentication mechanism that allows 802.1X unaware clients – such as
printers, fax machines, and some IP phones — to authenticate to the network
using the client MAC address as an identifier.
The known and allowable MAC address and corresponding access rights of
the client must be pre-populated in the authentication server.
When a port configured for MAB receives traffic from an unauthenticated client, the switch (authenticator):
• Sends an EAP Request packet to the unauthenticated client.
• Waits a pre-determined period of time for a response.
• Retries, resending the EAP Request packet up to three times.
• Considers the client to be an 802.1X-unaware client if it does not receive an EAP response packet from that client.
The authenticator then sends a request to the authentication server with the MAC address of the client in hexadecimal format as the username and the MD5 hash of the MAC address as the password. The authentication server checks its database for the authorized MAC addresses and returns an Access-Accept or an Access-Reject response, depending on whether the MAC address is found in the database. MAB also allows 802.1X-unaware clients to be placed in a RADIUS-assigned VLAN or to apply a specific Filter ID to the client traffic.
NOTE: By default, all ports are in VLAN Access mode. A port that uses MAC-based authentication should be configured to be in General mode.
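Added example, not from the Dell guide: the MAB credential exchange in Python, with the authenticator deriving the RADIUS username (the client MAC address in hexadecimal) and password (the MD5 hash of that address) and the server answering from a pre-populated table of authorized addresses with their VLAN and Filter-Id. The exact string the switch hashes (assumed here to be 12 lowercase hex digits without separators), the function names and the authorized-MAC table are this example's assumptions. The derivation makes the caveat visible: the password is computable from the username, so MAB provides no secret beyond the MAC address itself, and a client that spoofs an authorized MAC produces identical credentials.

```python
"""MAC Authentication Bypass credentials as described in the text: the
authenticator sends the client's MAC address in hexadecimal as the RADIUS
User-Name and the MD5 hash of that address as the password; the server
looks the address up in a pre-populated table.

Added example, not Dell code.  The exact string that is hashed (12 lowercase
hex digits, no separators), the table layout and the function names are
assumptions; the authorized-MAC table is constructed for the demo."""

import hashlib


def mac_to_username(mac: str) -> str:
    """Canonical MAB User-Name: 12 lowercase hex digits (assumed format)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mab_credentials(mac: str):
    """(User-Name, User-Password) the authenticator sends for this client."""
    username = mac_to_username(mac)
    password = hashlib.md5(username.encode("ascii")).hexdigest()
    return username, password


# Constructed authorization table: User-Name -> attributes the server returns
# in Access-Accept (a RADIUS-assigned VLAN and a Filter-Id).
AUTHORIZED_MACS = {
    "001122334401": {"vlan": 20, "filter_id": "printers"},
    "001122334402": {"vlan": 30, "filter_id": "voice"},
}


def mab_authorize(table, username: str, password: str):
    """Server-side decision: Access-Accept with attributes, or Access-Reject."""
    if username not in table:
        return "Access-Reject", None
    # The server can only check that the password is the MD5 of the username;
    # there is no per-device secret, so this is a lookup, not a proof.
    expected = hashlib.md5(username.encode("ascii")).hexdigest()
    if password != expected:
        return "Access-Reject", None
    return "Access-Accept", dict(table[username])


def mab_round_trip(mac: str, table=AUTHORIZED_MACS):
    """Authenticator builds the credentials, server answers."""
    return mab_authorize(table, *mab_credentials(mac))


if __name__ == "__main__":
    print(mab_round_trip("00:11:22:33:44:01"))   # Access-Accept with VLAN 20
    print(mab_round_trip("00:11:22:33:44:99"))   # Access-Reject: not in table
    # A spoofed address yields exactly the credentials the real device would:
    print(mab_credentials("00-11-22-33-44-01") == mab_credentials("0011.2233.4401"))
```

Because of this, the protection MAB gives rests on the RADIUS shared secret (which keeps an outsider from forging the Access-Accept) and on physical control of the port, not on the password. Pair MAB with port MAC locking, a tightly scoped RADIUS-assigned VLAN and a Filter-Id rather than treating an Access-Accept as proof of device identity.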
What is the Role of 802.1X in VLAN Assignment?
Dell Networking series switches allow a port to be placed into a particular
VLAN based on the result of the authentication or type of 802.1X
authentication a client uses when it accesses the switch. The authentication
server can provide information to the switch about which VLAN to assign the
supplicant.
When a host connects to a switch that uses an authentication server to authenticate, the host authentication can typically have one of three outcomes:
• The host is authenticated.
• The host attempts to authenticate but fails because it lacks certain security credentials.
• The host is a guest and does not try to authenticate at all (802.1X unaware).
You can create three separate VLANs on the switch to handle a host depending on whether the host authenticates, fails the authentication, or is a guest. The RADIUS server informs the switch of the selected VLAN as part of the authentication.
Authenticated and Unauthenticated VLANs
Hosts that authenticate normally use a VLAN that includes access to network resources. Hosts that fail the authentication might be denied access to the network or placed on a quarantine VLAN with limited network access.
Much of the configuration to assign authenticated hosts to a particular VLAN takes place on the 802.1X authentication server (for example, a RADIUS server). If you use an external RADIUS server to manage VLANs, you configure the server to use Tunnel attributes in Access-Accept messages in order to inform the switch about the selected VLAN. These attributes are defined in RFC 2868, and their use for dynamic VLAN assignment is specified in RFC 3580.
The VLAN attributes defined in RFC 3580 are as follows:
• Tunnel-Type=VLAN (13)
• Tunnel-Medium-Type=IEEE-802 (6)
• Tunnel-Private-Group-ID=VLANID
VLANID is 12 bits and has a value between 1 and 4093.
NOTE: MAB initiates only after the dot1x guest VLAN period times out. If the client responds to any of the EAPOL identity requests, MAB does not initiate for that client.
Dynamic VLAN Creation
If RADIUS-assigned VLANs are enabled through the Authorization Network RADIUS configuration option, the RADIUS server is expected to include the VLAN ID in the 802.1X tunnel attributes of its response message to the switch. If dynamic VLAN creation is enabled on the switch and the RADIUS-assigned VLAN does not exist, then the assigned VLAN is dynamically created. This implies that the client can connect from any port and is assigned to the appropriate VLAN, which gives clients the flexibility to move around the network without much additional configuration.
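Added example, not from the Dell guide: encoding the RFC 2868 tunnel attributes a RADIUS server sends for a dynamic VLAN, and validating them the way the switch must before acting on them, including the checks that make an assignment invalid (wrong Tunnel-Type or Tunnel-Medium-Type, a non-numeric or out-of-range VLAN ID, a malformed attribute) and the resulting port outcome with and without 802.1X monitor mode as Table 19-1 lists it. The attribute numbers and the tag-plus-3-octet layout are from RFC 2868; the function names and the choice to leave the port on its PVID when an Access-Accept carries no VLAN are this example's assumptions.

```python
"""RFC 2868 tunnel attributes used for RFC 3580 dynamic VLAN assignment,
encoded as the RADIUS server sends them and validated as the switch must
before acting on them, with the port outcome computed with and without
802.1X monitor mode.

Added example, not Dell code.  Attribute numbers and the tag + 3-octet
integer layout are from RFC 2868; the 1..4093 VLAN range and the
Permit/Deny outcomes follow this chapter (Table 19-1).  Function names, and
the choice to leave the port on its PVID when an Access-Accept carries no
VLAN, are this example's assumptions."""

TUNNEL_TYPE = 64               # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VLAN = 13                      # Tunnel-Type value for VLAN
IEEE_802 = 6                   # Tunnel-Medium-Type value for IEEE-802
VLAN_MIN, VLAN_MAX = 1, 4093   # range the switch accepts


def _avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: 1-octet type, 1-octet total length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def _tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: tag octet (0..31) followed by a 3-octet value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_assignment(vlan_id: int, tag: int = 1) -> bytes:
    """Serialize the three attributes a server puts in Access-Accept."""
    return (_avp(TUNNEL_TYPE, _tagged_int(tag, VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, IEEE_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


def parse_avps(data: bytes):
    """Split a RADIUS attribute list into (type, raw value) pairs."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")    # the 'Bad RADIUS packet' case
        avps.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return avps


def _split_tag(raw: bytes):
    """RFC 2868: a first octet above 0x1F means the attribute is untagged."""
    return (raw[0], raw[1:]) if raw and raw[0] <= 0x1F else (0, raw)


def extract_vlan(avps):
    """VLAN ID from the tunnel triple, None if absent, ValueError if invalid."""
    groups = {}                     # tag -> {attribute type: value}
    for attr_type, raw in avps:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, value = _split_tag(raw)
            groups.setdefault(tag, {})[attr_type] = value
    for tag in sorted(groups):
        g = groups[tag]
        if TUNNEL_PRIVATE_GROUP_ID not in g:
            continue
        if (int.from_bytes(g.get(TUNNEL_TYPE, b""), "big") != VLAN
                or int.from_bytes(g.get(TUNNEL_MEDIUM_TYPE, b""), "big") != IEEE_802):
            raise ValueError("tunnel attributes do not describe an 802 VLAN")
        try:
            vlan_id = int(g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            raise ValueError("Tunnel-Private-Group-ID is not a numeric VLAN ID")
        if not VLAN_MIN <= vlan_id <= VLAN_MAX:
            raise ValueError(f"VLAN {vlan_id} outside {VLAN_MIN}..{VLAN_MAX}")
        return vlan_id
    return None


def port_outcome(access_accept: bool, attrs: bytes, monitor_mode: bool,
                 pvid: int, unauth_vlan=None):
    """(port state, VLAN) for the RADIUS rows of Table 19-1."""
    fallback = ("Permit", pvid) if monitor_mode else ("Deny", None)
    if not access_accept:                               # RADIUS/IAS Failure
        return ("Permit", unauth_vlan) if unauth_vlan else fallback
    try:
        vlan = extract_vlan(parse_avps(attrs))
    except ValueError:                                  # invalid assignment / bad packet
        return fallback
    return ("Permit", pvid if vlan is None else vlan)   # success


if __name__ == "__main__":
    print(port_outcome(True, vlan_assignment(100), False, pvid=1))    # ('Permit', 100)
    print(port_outcome(True, vlan_assignment(4094), False, pvid=1))   # ('Deny', None)
    print(port_outcome(True, vlan_assignment(4094), True, pvid=1))    # ('Permit', 1)
```

The switch-side parser is the security-relevant half: a server that sends VLAN 4094, or a Tunnel-Type that is not VLAN, must be refused rather than mapped onto some default VLAN, and the table shows that in monitor mode the same refusal becomes a permit onto the port PVID, which is why monitor mode belongs only in troubleshooting.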
Guest VLAN
The Guest VLAN feature allows a switch to provide a distinguished service to
unauthenticated users. This feature provides a mechanism to allow users
access to hosts on the guest VLAN. For example, a company might provide a
guest VLAN to visitors and contractors to permit network access that allows
visitors to connect to external network resources, such as the Internet, with
no ability to browse information on the internal LAN.
In port-based 802.1X mode, when a client that does not support 802.1X is
connected to an unauthorized port that is 802.1X-enabled, the client does not
respond to the 802.1X requests from the switch. Therefore, the port remains
in the unauthorized state, and the client is not granted access to the network.
If a guest VLAN is configured for that port, then the port is placed in the
configured guest VLAN and the port is moved to the authorized state,
allowing access to the client. However, if the port is in MAC-based 802.1X
authentication mode, it will not move to the authorized state. MAC-based
mode makes it possible for both authenticated and guest clients to use the
same port at the same time.
Client devices that are 802.1X-supplicant-enabled authenticate with the switch when they are plugged into the 802.1X-enabled switch port. The switch verifies the credentials of the client by communicating with an authentication server. If the credentials are verified, the authentication server informs the switch to unblock the switch port and allows the client unrestricted access to the network; i.e., the client is a member of an internal VLAN.
NOTE: MAB and the guest VLAN feature are mutually exclusive on a port.
Guest VLAN mode can be configured on a per-port basis. If a client does not
attempt authentication on a port, and the port is configured for the guest
VLAN, the client is assigned to the guest VLAN configured on that port. The
port is assigned a guest VLAN ID and is moved to the authorized status.
When the guest VLAN is disabled, users authorized by the guest VLAN are
removed.
What is Monitor Mode?
Monitor mode is a special mode that can be enabled in conjunction with 802.1X authentication. Monitor mode provides a way for network administrators to identify possible issues with the 802.1X configuration on the switch without affecting network access for the users of the switch. It allows network access even in cases where authentication fails, but logs the results of the authentication process for diagnostic purposes. Because it permits access that would otherwise be denied, enable it only while troubleshooting and confirm that it is disabled again afterwards (disabled is the default; see Table 19-2).
The monitor mode can be configured globally on a switch. If the switch fails
to authenticate a user for any reason (for example, RADIUS access reject
from RADIUS server, RADIUS timeout, or the client itself is dot1x-unaware),
the client is authenticated and is undisturbed by the failure condition(s). The
reasons for failure are logged for tracking purposes.
Table 19-1 provides a summary of the 802.1X Monitor Mode behavior.
Table 19-1. IEEE 802.1X Monitor Mode Behavior
(Each cell gives the resulting port state, followed by the VLAN and filter applied where the source specifies them.)

Sub-case                     Regular Dot1x                               Dot1x Monitor Mode
RADIUS/IAS Success
  Success                    Permit; VLAN: Assigned; Filter: Assigned    Permit; VLAN: Assigned; Filter: Assigned
  Incorrect NAS Port         Deny                                        Permit; VLAN: Default PVID of the port
  Invalid VLAN Assignment    Deny                                        Permit; VLAN: Default PVID of the port
  Invalid Filter-id          Deny                                        Permit; VLAN: Default PVID of the port
  Bad RADIUS packet          Deny                                        Permit; VLAN: Default PVID of the port
RADIUS/IAS Failure
  Default behavior           Deny                                        Permit; VLAN: Default PVID of the port
  Unauth VLAN enabled        Permit; VLAN: Unauth                        Permit; VLAN: Unauth
RADIUS Timeout
  Default behavior           Deny                                        Permit; VLAN: Default PVID of the port
  Unauth VLAN enabled        Deny                                        Permit; VLAN: Unauth
EAPOL Timeout
  Default behavior           Deny                                        Permit
3 × EAPOL Timeout (Guest VLAN timer expiry or MAB timer expiry)
  Guest VLAN enabled         Permit; VLAN: Guest                         Permit; VLAN: Guest
  MAB Success Case           Permit; VLAN: Assigned; Filter: Assigned    Permit; VLAN: Assigned; Filter: Assigned
  MAB Fail Case              Deny                                        Permit; VLAN: Default PVID of the port
Supplicant Timeout
  (no sub-case)              Deny                                        Deny
Port/Client Authenticated on Guest VLAN
  Delete Guest VLAN ID       Deny                                        Permit; VLAN: Default PVID of the port
  through Dot1Q

How Does the Authentication Server Assign DiffServ Filters?
The Dell Networking series switches allow the external 802.1X authentication server or RADIUS server to assign DiffServ policies to users that authenticate to the switch. When a host (supplicant) attempts to connect to the network through a port, the switch contacts the 802.1X authentication server or RADIUS server, which then provides information to the switch about which DiffServ policy to assign to the host (supplicant). The policy is applied to the host after the authentication process has completed.
For additional guidelines about using an authentication server to assign DiffServ policies, see "Configuring Authentication Server DiffServ Filter Assignments" on page 535.
What is the Internal Authentication Server?
The Internal Authentication Server (IAS) is a dedicated database for localized authentication of users for network access through 802.1X. In this database, the switch maintains a list of username and password combinations to use for 802.1X authentication. You can manually create entries in the database, or you can upload the IAS information to the switch.
If the authentication method for 802.1X is IAS, the switch uses the locally stored list of usernames and passwords to provide port-based authentication to users instead of using an external authentication server. Authentication using the IAS supports the EAP-MD5 method only.
NOTE: The IAS database does not handle VLAN assignments or DiffServ policy assignments.
Default 802.1X Values
Table 19-2 lists the default values for the 802.1X features.
Table 19-2. Default Port-Based Security Values

Feature                                                                   Default
Global 802.1X status                                                      Disabled
802.1X authentication method                                              none
Per-port 802.1X status                                                    Disabled
Port state                                                                automode
Periodic reauthentication                                                 Disabled
Seconds between reauthentication attempts                                 3600
Authentication server timeout                                             30 seconds
Resending EAP identity Request                                            30 seconds
Quiet period                                                              60 seconds
Supplicant timeout                                                        30 seconds
Max EAP request                                                           2 times
Maximum number of supplicants per port for MAC-based authentication mode  16
Guest VLAN                                                                Disabled
Unauthenticated VLAN                                                      Disabled
Dynamic VLAN creation                                                     Disabled
RADIUS-assigned VLANs                                                     Disabled
IAS users                                                                 none configured
Port security                                                             Unlocked
Port security traps                                                       Disabled
Maximum learned MAC addresses                                             100 (when locked)
Monitor mode                                                              Disabled

Configuring IEEE 802.1X (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IEEE 802.1X features and Port Security on Dell Networking N2000, N3000, and N4000 series switches. For details about the fields on a page, click the help icon at the top of the page.
Dot1x Authentication
Use the Dot1x Authentication page to configure the 802.1X administrative mode on the switch and to configure general 802.1X parameters for a port.
To display the Dot1x Authentication page, click Switching > Network Security > Dot1x Authentication > Authentication in the navigation panel.
Figure 19-2. Dot1x Authentication
To configure 802.1X authentication on multiple ports:
1. Open the Dot1x Authentication page.
2. Click Show All to display the Dot1x Authentication Table page.
3. In the Ports list, select the check box in the Edit column for the port to configure.
4. Select the desired settings to change for all ports that are selected for editing.
Figure 19-3. Configure Dot1x Settings
5. Click Apply.
To reauthenticate a port:
1. Open the Dot1x Authentication page.
2. Click Show All. The Dot1x Authentication Table displays.
3. Check Edit to select the Unit/Port to re-authenticate.
4. Check Reauthenticate Now.
5. Click Apply.
The authentication process is restarted on the specified port.
To reauthenticate multiple ports:
1. Open the Dot1x Authentication page.
2. Click Show All. The Dot1x Authentication Table displays.
3. Check Edit to select the Units/Ports to re-authenticate.
4. To re-authenticate on a periodic basis, set Periodic Re-Authentication to Enable, and specify a Re-Authentication Period for all desired ports.
5. To re-authenticate immediately, check Reauthenticate Now for all ports to be re-authenticated.
6. Click Apply.
The authentication process is restarted on the specified ports (either immediately or periodically).
To change the administrative port control:
1. Open the Dot1x Authentication page.
2. Click Show All. The Dot1x Authentication Table displays.
3. Scroll to the right side of the table and select the Edit check box for each port to configure. Change Admin Port Control to Authorized, Unauthorized, or Automode as needed for the chosen ports. Only MAC-Based and Automode actually use 802.1X to authenticate. Authorized and Unauthorized are manual overrides.
4. Click Apply.
Admin Port Control is updated for the specified ports, and the device is updated.
Authenticated Users
The Authenticated Users page is used to display lists of ports that have
authenticated users.
To display the Authenticated Users page, click Switching > Network Security > Authenticated Users in the navigation panel.
Figure 19-4. Network Security Authenticated Users
Port Access Control Configuration
Use the Port Access Control Configuration page to globally enable or disable
RADIUS-assigned VLANs and to enable Monitor Mode to help troubleshoot
802.1X configuration issues.
To display the Port Access Control Configuration page, click Switching > Network Security > Dot1x Authentication > Monitor Mode > Port Access Control Configuration in the navigation panel.
Figure 19-5. Port Access Control Configuration
NOTE: The VLAN Assignment Mode field is the same as the Admin Mode field on the System > Management Security > Authorization Network RADIUS page.
Port Access Control History Log Summary
Use the Port Access Control History Log Summary page to view log messages
about 802.1X client authentication attempts. The information on this page
can help you troubleshoot 802.1X configuration issues.
To display the Port Access Control History Log Summary page, click Switching > Network Security > Dot1x Authentication > Monitor Mode > Port Access Control History Log Summary in the navigation panel.
Figure 19-6. Port Access Control History Log Summary
Internal Authentication Server Users Configuration
Use the Internal Authentication Server Users Configuration page to add
users to the local IAS database and to view the database entries.
To display the Internal Authentication Server Users Configuration page, click System > Management Security > Internal Authentication Server > Users Configuration in the navigation panel.
Figure 19-7. Internal Authentication Server Users Configuration
To add IAS users:
1. Open the Internal Authentication Server Users Configuration page.
2. Click Add to display the Internal Authentication Server Users Add page.
3. Specify a username and password in the appropriate fields.
Figure 19-8. Adding an IAS User
4. Click Apply.
To view the Internal Authentication Server Users Table page, click Show All.
NOTE: If no users exist in the IAS database, the IAS Users Configuration page does not display the fields shown in the image.
To delete an IAS user:
1. Open the Internal Authentication Server Users Configuration page.
2. From the User menu, select the user to remove.
3. Select the Remove check box.
Figure 19-9. Removing an IAS User
4. Click Apply.
Configuring IEEE 802.1X (CLI)
This section provides information about commands you use to configure 802.1X and Port Security settings. For additional information about the commands in this section, see the Dell Networking N2000, N3000, and N4000 Series Switches CLI Reference Guide at support.dell.com/manuals.
Configuring Basic 802.1X Authentication Settings
Beginning in Privileged EXEC mode, use the following commands to enable
and configure 802.1X authentication on the switch.
Command  Purpose
configure
    Enter Global Configuration mode.
aaa accounting dot1x default
    Set 802.1X accounting to the default operational mode.
aaa authentication dot1x default method1
    Specify the authentication method to use to authenticate 802.1X clients that connect to the switch.
    method1 — The method keyword can be radius, none, or ias.
dot1x system-auth-control
    Globally enable 802.1X authentication on the switch.
interface interface
    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
    You can also specify a range of interfaces with the interface range command, for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
dot1x port-control {force-authorized | force-unauthorized | auto | mac-based}
    Specify the 802.1X mode for the port.
    NOTE: For standard 802.1X implementations in which one client is connected to one port, use the dot1x port-control auto command to enable 802.1X authentication on the port.
    auto — Enables 802.1X authentication on the interface and causes the port to transition to the authorized or unauthorized state based on the 802.1X authentication exchange between the switch and the client.
    force-authorized — Disables 802.1X authentication on the interface and causes the port to transition to the authorized state without any authentication exchange required. The port sends and receives normal traffic without 802.1X-based authentication of the client.
    force-unauthorized — Denies all access through this interface by forcing the port to transition to the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.
    mac-based — Enables 802.1X authentication on the interface and allows multiple hosts to authenticate on a single port. The hosts are distinguished by their MAC addresses.
dot1x mac-auth-bypass
    If the 802.1X mode on the interface is mac-based, you can optionally use this command to enable MAB on the interface.
CTRL + Z
    Exit to Privileged EXEC mode.
show dot1x
    View the current 802.1X configuration.
show dot1x clients {all | interface}
    View information about 802.1X clients that have successfully authenticated and are connected to the switch. The interface variable includes the interface type and number.
show dot1x users [username username]
    View the 802.1X authenticated users for the switch.
Configuring Additional 802.1X Interface Settings
Beginning in Privileged EXEC mode, use the following commands to
configure 802.1X interface settings such as the reauthentication period and
switch-to-client retransmission time.
NOTE: To enable 802.1X Monitor Mode to help troubleshoot authentication issues, use the dot1x system-auth-control monitor command in Global Configuration mode. To view 802.1X authentication events and information, use the show dot1x authentication-history {<interface> | all} [failed-auth-only] [detail] command in Privileged EXEC mode. To clear the history, use the clear dot1x authentication-history command.
Command  Purpose
configure
    Enter Global Configuration mode.
interface interface
    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
    You can also specify a range of interfaces with the interface range command, for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
dot1x reauthentication
    Enable periodic re-authentication of the client.
dot1x timeout re-authperiod seconds
    Set the number of seconds between re-authentication attempts.
dot1x timeout server-timeout seconds
    Set the time that the switch waits for a response from the authentication server.
dot1x timeout tx-period seconds
    Set the number of seconds that the switch waits for a response to an Extensible Authentication Protocol (EAP)-request/identity frame from the client before resending the request.
dot1x timeout quiet-period seconds
    Set the number of seconds that the switch remains in the quiet state following a failed authentication exchange (for example, the client provided an invalid password).
dot1x timeout supp-timeout seconds
    Set the time that the switch waits for a response before retransmitting an Extensible Authentication Protocol (EAP)-request frame to the client.
dot1x max-req count
    Set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP)-request frame (assuming that no response is received) to the client before restarting the authentication process.
dot1x max-users users
    Set the maximum number of clients supported on the port when MAC-based 802.1X authentication is enabled on the port.
CTRL + Z
    Exit to Privileged EXEC mode.
dot1x re-authenticate [interface]
    Manually initiate the re-authentication of all 802.1X-enabled ports or of the specified 802.1X-enabled port. The interface variable includes the interface type and number.
dot1x initialize [interface]
    Start the initialization sequence on all ports or on the specified port.
    NOTE: This command is valid only if the port-control mode for the specified port is auto or MAC-based.
show dot1x [interface interface]
    View 802.1X settings for the switch or for the specified interface.
show dot1x interface interface statistics
    View 802.1X statistics for the specified interface.
Configuring 802.1X Settings for RADIUS-Assigned VLANs
Beginning in Privileged EXEC mode, use the following commands to configure 802.1X settings that affect the RADIUS-assigned VLAN.
Command  Purpose
configure
    Enter Global Configuration mode.
aaa authorization network default radius
    Allow the RADIUS server to assign VLAN IDs to clients.
dot1x dynamic-vlan enable
    If the RADIUS-assigned VLAN does not exist on the switch, allow the switch to dynamically create the assigned VLAN.
interface interface
    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
    You can also specify a range of interfaces with the interface range command, for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
dot1x guest-vlan vlan-id
    Specify the guest VLAN.
dot1x unauth-vlan vlan-id
    Specify the unauthenticated VLAN. The VLAN must already have been created.
CTRL + Z
    Exit to Privileged EXEC mode.
show dot1x advanced interface
    View the current 802.1X configuration.
NOTE: When dynamically creating VLANs, the uplink port should be in trunk mode so that it automatically participates in all dynamically created VLANs. Otherwise, the supplicant may be placed in a VLAN that does not extend beyond the switch because no other ports are participating in it.
Configuring Internal Authentication Server Users
Beginning in Privileged EXEC mode, use the following commands to add users to the IAS database and to use the database for 802.1X authentication.
Command  Purpose
configure
    Enter Global Configuration mode.
aaa ias-user username user
    Add a user to the IAS user database. This command also changes the mode to the AAA User Config mode.
password password [encrypted]
    Configure the password associated with the user.
CTRL + Z
    Exit to Privileged EXEC mode.
show aaa ias-users
    View all configured IAS users.
clear aaa ias-users
    Delete all IAS users from the database.
IEEE 802.1X Configuration Examples
This section contains the following examples:
Configuring 802.1X Authentication
Controlling Authentication-Based VLAN Assignment
Allowing Dynamic VLAN Creation of RADIUS-Assigned VLANs
Configuring Authentication Server DiffServ Filter Assignments
Configuring 802.1X Authentication
The network in this example requires clients to use 802.1X authentication to access the network through the switch ports. The administrator must configure the following settings on systems other than the switch before configuring the switch:
1. Add the users to the client database on the Authentication Server, such as a RADIUS server with Cisco® Secure Access Control Server (ACS) software.
2. Configure the settings on the client, such as a PC running Microsoft® Windows, to require 802.1X authentication.
The switch uses an authentication server with an IP address of 10.10.10.10 to
authenticate clients. Port 7 is connected to a printer in the unsecured area.
The printer is an 802.1X unaware client, so Port 7 is configured to use MAC-
based authentication with MAB.
An IP phone is directly connected to Port 8, and a PC is connected to the IP
phone. Both devices are authenticated through MAC-based authentication,
which allows multiple hosts to authenticate on a single port. The hosts are
distinguished by their MAC addresses, and hosts authenticate separately with
the RADIUS server.
Port 9 is connected to a server in a part of the network that has secure physical
access (i.e. the doors to the wiring closet and data center are locked), so this
port is set to the Authorized state, meaning that the device connected to this
port does not need to authenticate using 802.1X. Port 24 is the uplink to a
router and is also in the Authorized state.
NOTE: The printer requires an entry in the client database that uses the printer
MAC address as the username.
Figure 19-10. 802.1X Example (diagram labels: Authentication Server (RADIUS); LAN; Dell Networking Switch; Server (Port 9); Clients (Ports 1 and 3); Printer (Port 7); LAN Uplink (Port 24); Clients (Port 8); Physically Unsecured Devices / Physically Secured Devices)
The following example shows how to configure the example shown in
Figure 19-10.
1. Configure the RADIUS server IP address and shared secret (secret).
console#configure
console(config)#radius-server host 10.10.10.10
console(Config-radius)#exit
console(config)#radius-server key secret
console(config)#exit
2. Enable 802.1X port-based access control on the switch.
console(config)#dot1x system-auth-control
3. Configure ports 9 and 24 to be in the Authorized state, which allows the devices connected to these ports to access the switch services without authentication.
console(config)#interface range Gi1/0/9,Gi1/0/24
console(config-if)#dot1x port-control force-authorized
console(config-if)#exit
4. Configure Port 7 to require MAC-based authentication with MAB.
console(config)#interface gi1/0/7
console(config-if-Gi1/0/7)#dot1x port-control mac-based
console(config-if-Gi1/0/7)#dot1x mac-auth-bypass
5. Set the port to an 802.1Q VLAN. The port must be in general mode in order to enable MAC-based 802.1X authentication.
console(config-if-Gi1/0/7)#switchport mode general
console(config-if-Gi1/0/7)#exit
6. Enable MAC-based authentication on port 8 and limit the number of devices that can authenticate on that port to 2.
console(config)#interface gi1/0/8
console(config-if-Gi1/0/8)#dot1x port-control mac-based
console(config-if-Gi1/0/8)#dot1x max-users 2
7. Set Port 8 to switchport mode general. The port must be in general mode in order to enable MAC-based 802.1X authentication.
console(config-if-Gi1/0/8)#switchport mode general
console(config-if-Gi1/0/8)#exit
console(config)#exit
8. View the client connection status.
When the clients (supplicants) on Ports 1, 3, and 7 attempt to communicate via the switch, the switch challenges the supplicants for 802.1X credentials. The switch encrypts the provided information and transmits it to the RADIUS server. If the RADIUS server grants access, the system sets the 802.1X port state of the interface to authorized and the supplicants are able to access network resources.
console#show dot1x clients all
Interface...................................... Gi1/0/1
User Name...................................... aoversmit
Supp MAC Address............................... 0012.1753.031A
Session Time................................... 756
Filter Id......................................
VLAN Assigned.................................. 1 (Default)
Interface...................................... Gi1/0/3
User Name...................................... dflint
Supp MAC Address............................... 0004.5A55.EFAD
Session Time................................... 826
Filter Id......................................
VLAN Assigned.................................. 1 (Default)
Interface...................................... Gi1/0/7
User Name...................................... 0006.6B33.06BA
Supp MAC Address............................... 0006.6B33.06BA
Session Time................................... 826
Filter Id......................................
VLAN Assigned.................................. 1 (Default)
9. View a summary of the port status.
console#show dot1x
Administrative Mode............... Enabled
Port      Admin             Oper          Reauth    Reauth
          Mode              Mode          Control   Period
-------   ----------------  ------------  --------  ----------
Gi1/0/1   auto              Authorized    FALSE     3600
Gi1/0/2   auto              N/A           FALSE     3600
Gi1/0/3   auto              Authorized    FALSE     3600
Gi1/0/4   auto              N/A           FALSE     3600
Gi1/0/5   auto              N/A           FALSE     3600
Gi1/0/6   auto              N/A           FALSE     3600
Gi1/0/7   mac-based         Authorized    FALSE     3600
Gi1/0/8   mac-based         N/A           FALSE     3600
Gi1/0/9   force-authorized  Authorized    FALSE     3600
Gi1/0/10  force-authorized  Authorized    FALSE     3600
Gi1/0/11  auto              N/A           FALSE     3600
--More-- or (q)uit
10. View 802.1X information about Port 8.
console#show dot1x interface Gi1/0/8
Administrative Mode............... Enabled
Dynamic VLAN Creation Mode........ Enabled
Monitor Mode...................... Disabled
Port      Admin             Oper          Reauth    Reauth
          Mode              Mode          Control   Period
-------   ----------------  ------------  --------  ----------
Gi1/0/8   mac-based         Authorized    FALSE     3600
Quiet Period................................... 60
Transmit Period................................ 30
Maximum Requests............................... 2
Max Users...................................... 2
VLAN Assigned.................................. 1 (Default)
Supplicant Timeout............................. 30
Guest-vlan Timeout............................. 90
Server Timeout (secs).......................... 30
MAB mode (configured).......................... Disabled
MAB mode (operational)......................... Disabled
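As an added illustration that is not part of the Dell guide, the following Python script parses output in the format of the show dot1x clients all and show dot1x listings above and flags what a reviewer of this configuration would check: sessions admitted by MAC authentication bypass (the user name is the MAC address, as for the printer on Port 7), force-authorized ports, and authenticating ports with periodic re-authentication disabled. The sample output embedded in it is constructed in the format shown above, and the audit rules are this example's own, not the switch's.

```python
import re
from typing import Dict, List

# Constructed sample output in the format of the "show dot1x clients all"
# listing above. Names, MAC addresses and timers are illustrative only.
SHOW_DOT1X_CLIENTS = """\
Interface...................................... Gi1/0/1
User Name...................................... aoversmit
Supp MAC Address............................... 0012.1753.031A
Session Time................................... 756
Filter Id......................................
VLAN Assigned.................................. 1 (Default)
Interface...................................... Gi1/0/7
User Name...................................... 0006.6B33.06BA
Supp MAC Address............................... 0006.6B33.06BA
Session Time................................... 826
Filter Id...................................... con-pol
VLAN Assigned.................................. 100
"""

# Constructed sample output in the format of the "show dot1x" summary above.
SHOW_DOT1X = """\
Administrative Mode............... Enabled
Port     Admin            Oper         Reauth   Reauth
         Mode             Mode         Control  Period
-------  ---------------- ------------ -------- ----------
Gi1/0/1  auto             Authorized   FALSE    3600
Gi1/0/7  mac-based        Authorized   FALSE    3600
Gi1/0/9  force-authorized Authorized   FALSE    3600
Gi1/0/24 force-authorized Authorized   TRUE     300
"""

# "Key.......... value" lines; the value may be empty (Filter Id above).
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\.{2,}\s*(?P<value>.*)$")
# One data row of the port summary table; header and rule lines do not match
# because their fourth column is not TRUE/FALSE.
PORT_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<admin>\S+)\s+(?P<oper>\S+)\s+"
    r"(?P<reauth>TRUE|FALSE)\s+(?P<period>\d+)$"
)


def parse_clients(text: str) -> List[Dict[str, str]]:
    """Split the dotted key/value listing into one dict per Interface block."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.rstrip())
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Interface":          # every client block starts with its interface
            current = {}
            records.append(current)
        current[key] = value
    return records


def parse_port_summary(text: str) -> List[Dict[str, object]]:
    """Turn the tabular "show dot1x" rows into dicts with typed fields."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "port": m.group("port"),
            "admin_mode": m.group("admin"),
            "oper_mode": m.group("oper"),
            "reauth": m.group("reauth") == "TRUE",
            "period": int(m.group("period")),
        })
    return rows


def normalize_mac(value: str) -> str:
    """Compare MACs regardless of 0012.1753.031A / 00:12:17:53:03:1a spelling."""
    return re.sub(r"[.:-]", "", value).upper()


def audit(clients: List[Dict[str, str]], ports: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Flag sessions and ports that deserve a second look in an 802.1X review.

    mab_clients: user name equals the supplicant MAC, i.e. the host was admitted
      by MAC authentication bypass rather than by EAP credentials.
    force_authorized_ports: ports that skip authentication altogether.
    no_reauth_ports: authenticating ports with periodic re-authentication off,
      so a revoked account keeps its session until the link drops.
    """
    mab = [c["Interface"] for c in clients
           if c.get("User Name")
           and normalize_mac(c["User Name"]) == normalize_mac(c.get("Supp MAC Address", ""))]
    forced = [p["port"] for p in ports if p["admin_mode"] == "force-authorized"]
    no_reauth = [p["port"] for p in ports
                 if p["admin_mode"] in ("auto", "mac-based") and not p["reauth"]]
    return {"mab_clients": mab, "force_authorized_ports": forced,
            "no_reauth_ports": no_reauth}


if __name__ == "__main__":
    report = audit(parse_clients(SHOW_DOT1X_CLIENTS), parse_port_summary(SHOW_DOT1X))
    for key, items in report.items():
        print(f"{key}: {', '.join(items) or 'none'}")
```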
Controlling Authentication-Based VLAN Assignment
The network in this example uses three VLANs to control access to network
resources. When a client connects to the network, it is assigned to a particular
VLAN based on one of the following events:
It attempts to contact the 802.1X server and is authenticated.
It attempts to contact the 802.1X server and fails to authenticate.
It does not attempt to contact the 802.1X server.
The following table describes the three VLANs:
VLAN ID  VLAN Name     VLAN Purpose
100      Authorized    Data from authorized clients
200      Unauthorized  Data traffic from clients that fail the authentication with the RADIUS server
300      Guest         Data traffic from clients that do not attempt to authenticate with the RADIUS server
The commands in this example show how to configure the switch to control
VLAN assignment for the example network. This example also contains
commands to configure the uplink, or trunk, port (a port connected to a
router or the internal network), and to configure the downlink, or access,
ports (ports connected to one or more hosts). Ports 1–23 are downstream
ports. Port 24 is an uplink port. An external RADIUS server handles the
VLAN assignment.
NOTE: Dynamic VLAN creation applies only to authorized ports. The VLANs for
unauthorized and guest users must be configured on the switch and cannot be
dynamically created based on RADIUS-based VLAN assignment.
NOTE: The configuration to control the VLAN assignment for authorized users is
done on the external RADIUS server.
To configure the switch:
1. Create the VLANs and configure the VLAN names.
console(config)#vlan 100
console(config-vlan100)#name Authorized
console(config-vlan100)#exit
console(config)#vlan 200
console(config-vlan200)#name Unauthorized
console(config-vlan200)#exit
console(config)#vlan 300
console(config-vlan300)#name Guest
console(config-vlan300)#exit
2. Configure information about the external RADIUS server the switch uses to authenticate clients. The RADIUS server IP address is 10.10.10.10, and the shared secret is qwerty123.
console(config)#radius-server key qwerty123
console(config)#radius-server host 10.10.10.10
console(Config-auth-radius)#exit
3. Enable 802.1X on the switch.
console(config)#dot1x system-auth-control
4. Create a default authentication login list and use the RADIUS server for port-based authentication for connected clients.
console(config)#aaa authentication dot1x default radius
5. Allow the switch to accept VLAN assignments by the RADIUS server.
console(config)#aaa authorization network default radius
6. Enter interface configuration mode for the downlink ports.
console(config)#interface range Gi1/0/1-23
7. Set the downlink ports to the access mode because each downlink port connects to a single host that belongs to a single VLAN.
console(config-if)#switchport mode access
8. Enable periodic reauthentication of the client on the ports and set the number of seconds to wait between reauthentication attempts to 300 seconds. Reauthentication is enabled to increase security. If the client information is removed from the RADIUS server after it has been authenticated, the client will be denied access when it attempts to reauthenticate.
console(config-if)#dot1x reauthentication
console(config-if)#dot1x timeout re-authperiod 300
9. Set the unauthenticated VLAN on the ports to VLAN 200 so that any client that connects to one of the ports and fails the 802.1X authentication is placed in VLAN 200.
console(config-if)#dot1x unauth-vlan 200
10. Set the guest VLAN on the ports to VLAN 300. This command automatically enables the Guest VLAN Mode on the downlink ports. Any client that connects to the port and does not attempt to authenticate is placed on the guest VLAN.
console(config-if)#dot1x guest-vlan 300
console(config-if)#exit
11. Enter Interface Configuration mode for port 24, the uplink (trunk) port.
console(config)#interface Gi1/0/24
12. Disable 802.1X authentication on the interface. This causes the port to transition to the authorized state without any authentication exchange required. This port does not connect to any end-users, so there is no need for 802.1X-based authentication.
console(config-if-Gi1/0/24)#dot1x port-control force-authorized
13. Set the uplink port to trunk mode so that it accepts tagged traffic and transmits it to the connected device (another switch or router).
console(config-if-Gi1/0/24)#switchport mode trunk
Allowing Dynamic VLAN Creation of RADIUS-Assigned VLANs
The network in this example uses a RADIUS server to provide VLAN
assignments to hosts that connect to the switch. In this example, the VLANs
are not configured on the switch. Instead, the switch is configured to allow
the dynamic creation of VLANs when a RADIUS-assigned VLAN does not
already exist on the switch.
In this example, Ports 1–23 are configured as downlink, or access, ports, and
Port 24 is the trunk port. As a trunk port, Port 24 is automatically added as a
member to all VLANs that are statically or dynamically configured on the
switch. However, the network administrator in this example has determined
that traffic in VLANs 1000–2000 should not be forwarded on the trunk port,
even if the RADIUS server assigns a connected host to a VLAN in this range,
and the switch dynamically creates the VLAN.
To configure the switch:
1. Configure information about the external RADIUS server the switch uses to authenticate clients. The RADIUS server IP address is 10.10.10.10, and the shared secret is qwerty123.
console(config)#radius-server key qwerty123
console(config)#radius-server host 10.10.10.10
console(Config-auth-radius)#exit
2. Enable 802.1X on the switch.
console(config)#dot1x system-auth-control
3. Create a default authentication login list and use the RADIUS server for port-based authentication for connected clients.
console(config)#aaa authentication dot1x default radius
4. Allow the switch to accept VLAN assignments by the RADIUS server.
console(config)#aaa authorization network default radius
NOTE: The configuration to control the VLAN assignment for hosts is done on the external RADIUS server.
5. Allow the switch to dynamically create VLANs when a RADIUS-assigned VLAN does not exist on the switch.
console(config)#dot1x dynamic-vlan enable
6. Enter interface configuration mode for the downlink ports.
console(config)#interface range Gi1/0/1-23
7. Set the downlink ports to the access mode because each downlink port connects to a single host that belongs to a single VLAN.
console(config-if)#switchport mode access
console(config-if)#exit
8. Enter Interface Configuration mode for port 24, the uplink (trunk) port.
console(config)#interface Gi1/0/24
9. Disable 802.1X authentication on the interface. This causes the port to transition to the authorized state without any authentication exchange required. This port does not connect to any end-users, so there is no need for 802.1X-based authentication.
console(config-if-Gi1/0/24)#dot1x port-control force-authorized
10. Set the uplink port to trunk mode so that it accepts tagged traffic and transmits it to the connected device (another switch or router).
console(config-if-Gi1/0/24)#switchport mode trunk
11. Forbid the trunk from forwarding traffic that has VLAN tags for any VLAN from 1000–2000, inclusive.
console(config-if-Gi1/0/24)#switchport trunk allowed vlan remove 1000-2000
console(config-if-Gi1/0/24)#exit
Configuring Authentication Server DiffServ Filter Assignments
To enable DiffServ filter assignment by an external server, the following conditions must be true:
The port that the host is connected to must be enabled for MAC-based port access control by using the following command in Interface Config mode:
dot1x port-control mac-based
The RADIUS or 802.1X server must specify the policy to assign.
For example, if the DiffServ policy to assign is named internet_access, include the following attribute in the RADIUS or 802.1X server configuration:
Filter-id = “internet_access”
The DiffServ policy specified in the attribute must already be configured on the switch, and the policy names must be identical.
For information about configuring a DiffServ policy, see "DiffServ Configuration Examples" on page 1307. The example "Providing Subnets Equal Access to External Network" on page 1307 describes how to configure a policy named internet_access.
If you use an authentication server to assign DiffServ policies to an authenticated user, note the following guidelines:
If the policy specified within the server attribute does not exist on the switch, authentication will fail.
Do not delete policies used as the filter ID in the RADIUS server while 802.1X is enabled.
Do not use the DiffServ service-policy command to apply the filter to an interface if you configure the RADIUS server or 802.1X authenticator to assign the DiffServ filter.
In the following example, Company XYZ uses IEEE 802.1X to authenticate all users. Contractors and temporary employees at Company XYZ are not permitted to have access to SSH ports, and data rates for Web traffic are limited. When a contractor is authenticated by the RADIUS server, the server assigns a DiffServ policy to control the traffic restrictions.
The network administrator configures two DiffServ classes: cl-ssh and cl-http. The class cl-ssh matches all incoming SSH packets. The class cl-http matches all incoming HTTP packets. Then, the administrator configures a traffic policy called con-pol and adds the cl-ssh and cl-http classes to it. The policy is configured so that SSH packets are dropped, and HTTP data rates are limited to 1 MB with a burst size of 64 Kbps. HTTP traffic that exceeds the limit is dropped.
The host ports, ports 1–23, are configured to use MAC-based dot1x authentication to allow the DiffServ policy to be applied. Finally, the administrator configures the RADIUS server with the attribute Filter-id = “con-pol”.
To configure the switch:
1. Configure the DiffServ traffic class that matches SSH traffic.
console#configure
console(config)#class-map match-all cl-ssh
console(config-classmap)#match srcl4port 23
console(config-classmap)#exit
2. Configure the DiffServ traffic class that matches HTTP traffic.
console(config)#class-map match-all cl-http
console(config-classmap)#match srcl4port 80
console(config-classmap)#exit
3. Configure the DiffServ policy.
console(config)#policy-map con-pol in
console(config-policy-map)#class cl-ssh
console(config-policy-classmap)#drop
console(config-policy-classmap)#exit
console(config-policy-map)#class cl-http
console(config-policy-classmap)#police-simple 1000000 64 conform-action transmit violate-action drop
console(config-policy-classmap)#exit
console(config-policy-map)#exit
4. Enable DiffServ on the switch.
console(config)#diffserv
5. Configure information about the external RADIUS server the switch uses to authenticate clients. The RADIUS server IP address is 10.10.10.10, and the shared secret is qwerty123.
console(config)#radius-server key qwerty123
console(config)#radius-server host 10.10.10.10
console(Config-auth-radius)#exit
6. Enable 802.1X on the switch.
console(config)#dot1x system-auth-control
7. Create a default authentication login list and use the RADIUS server for port-based authentication for connected clients.
console(config)#aaa authentication dot1x default radius
8. Enter Interface Configuration mode for ports 1–23 and enable MAC-based authentication.
console(config)#interface range Gi1/0/1-23
console(config-if)#dot1x port-control mac-based
9. Set the ports to an 802.1Q VLAN. The ports must be in general mode in order to enable MAC-based 802.1X authentication.
console(config-if)#switchport mode general
console(config-if)#exit
console(config)#exit
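The following Python check is an added example, not from the Dell guide, and serves the three examples above (RADIUS-assigned VLANs, dynamic VLAN creation with a pruned trunk, and Filter-Id policy assignment): given a hypothetical model of the relevant switch settings, it predicts whether a RADIUS authorization would be ignored, place the host in a VLAN the uplink does not carry, or fail because the named policy-map or the required mac-based port mode is missing. SwitchConfig, RadiusAuthz and the finding codes are this example's own names; the configuration values mirror the examples above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Human-readable meaning of each finding code returned by the checks below.
REASONS = {
    "no-network-authz": "RADIUS VLAN assignment is ignored without "
                        "'aaa authorization network default radius'",
    "vlan-missing": "assigned VLAN does not exist and 'dot1x dynamic-vlan enable' "
                    "is off, so the client cannot be placed in it",
    "vlan-pruned": "assigned VLAN is removed from the uplink trunk; the host "
                   "would be isolated on this switch",
    "guest-vlan-missing": "guest VLAN must be created statically; it is never "
                          "created dynamically",
    "unauth-vlan-missing": "unauthenticated VLAN must be created statically",
    "port-not-mac-based": "Filter-Id is only applied on ports in "
                          "'dot1x port-control mac-based'",
    "policy-missing": "Filter-Id names no policy-map on the switch; "
                      "authentication will fail",
}


@dataclass
class SwitchConfig:
    """Subset of switch settings the checks depend on (hypothetical model)."""
    vlans: Set[int]                          # vlan <id> statements
    port_modes: Dict[str, str]               # port -> dot1x port-control mode
    policy_maps: Set[str] = field(default_factory=set)   # policy-map names
    network_authz_radius: bool = False       # aaa authorization network default radius
    dynamic_vlan: bool = False               # dot1x dynamic-vlan enable
    trunk_removed: Set[int] = field(default_factory=set)  # trunk allowed vlan remove
    guest_vlan: Optional[int] = None         # dot1x guest-vlan
    unauth_vlan: Optional[int] = None        # dot1x unauth-vlan


@dataclass
class RadiusAuthz:
    """What the RADIUS server would return for one authenticated client."""
    port: str
    vlan: Optional[int] = None        # VLAN assignment
    filter_id: Optional[str] = None   # Filter-Id attribute


def check_static_vlans(cfg: SwitchConfig) -> List[str]:
    """Guest and unauthenticated VLANs must pre-exist (see the NOTE above)."""
    findings = []
    if cfg.guest_vlan is not None and cfg.guest_vlan not in cfg.vlans:
        findings.append("guest-vlan-missing")
    if cfg.unauth_vlan is not None and cfg.unauth_vlan not in cfg.vlans:
        findings.append("unauth-vlan-missing")
    return findings


def check_assignment(cfg: SwitchConfig, authz: RadiusAuthz) -> List[str]:
    """Predict whether one RADIUS authorization takes effect as intended."""
    findings = []
    if authz.vlan is not None:
        if not cfg.network_authz_radius:
            findings.append("no-network-authz")
        else:
            # A missing VLAN is only a problem when it cannot be created on demand.
            if authz.vlan not in cfg.vlans and not cfg.dynamic_vlan:
                findings.append("vlan-missing")
            # Even a dynamically created VLAN is useless if the trunk prunes it.
            if authz.vlan in cfg.trunk_removed:
                findings.append("vlan-pruned")
    if authz.filter_id is not None:
        if cfg.port_modes.get(authz.port) != "mac-based":
            findings.append("port-not-mac-based")
        if authz.filter_id not in cfg.policy_maps:
            findings.append("policy-missing")
    return findings


# Constructed configuration mirroring the three examples above.
EXAMPLE_CFG = SwitchConfig(
    vlans={100, 200, 300},
    port_modes={**{f"Gi1/0/{n}": "mac-based" for n in range(1, 24)},
                "Gi1/0/24": "force-authorized"},
    policy_maps={"con-pol"},
    network_authz_radius=True,
    dynamic_vlan=True,
    trunk_removed=set(range(1000, 2001)),
    guest_vlan=300,
    unauth_vlan=200,
)

if __name__ == "__main__":
    for a in (RadiusAuthz("Gi1/0/5", vlan=100, filter_id="con-pol"),
              RadiusAuthz("Gi1/0/5", vlan=1500),
              RadiusAuthz("Gi1/0/5", filter_id="internet_access")):
        print(a, [REASONS[c] for c in check_assignment(EXAMPLE_CFG, a)])
```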
Port Security (Port-MAC Locking)
The Port Security feature allows you to limit the number of source MAC
addresses that can be learned on a port. If a port reaches the configured limit,
any other addresses beyond that limit are not learned and the frames are
discarded. Frames with a source MAC address that has already been learned
will be forwarded.
The purpose of this feature, which is also known as port-MAC locking, is to
help secure the network by preventing unknown devices from forwarding
packets into the network. For example, to ensure that only a single device can
be active on a port, you can set the number of allowable dynamic addresses to
one. After the MAC address of the first device is learned, no other devices will
be allowed to forward frames into the network.
When the link goes down on a port, all of the dynamically locked addresses are
cleared from the source MAC address table the feature maintains. When the
link is restored, that port can once again learn addresses up to the specified
limit.
The port can learn MAC addresses dynamically, and you can manually specify
a list of static MAC addresses for a port.
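The following Python model is an added example, not code from the Dell guide or the switch: it simulates the port security rules described above (a limit on dynamically learned addresses, frames from unknown sources beyond the limit discarded, rate-limited traps, and the dynamic list cleared on link down) over a constructed sequence of frames. LockedPort and run_scenario are this example's own names, and the assumption that static addresses do not count against the maximum is the example's, not the guide's.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def normalize_mac(value: str) -> str:
    """Accept 0012.1753.031A, 00:12:17:53:03:1a or 00-12-... spellings."""
    return value.replace(":", "").replace("-", "").replace(".", "").upper()


@dataclass
class LockedPort:
    """One port with 'port security' enabled (hypothetical model for this example)."""
    max_addr: int = 100                    # 'port security max' default when locked
    trap_interval: Optional[int] = None    # 'port security trap <seconds>'; None = no traps
    static: Set[str] = field(default_factory=set)   # manually configured MACs
    learned: Set[str] = field(default_factory=set)  # dynamically locked MACs
    traps: List[int] = field(default_factory=list)  # times at which a trap was sent

    def __post_init__(self) -> None:
        self.static = {normalize_mac(m) for m in self.static}

    def ingress(self, src_mac: str, now: int) -> str:
        """Return 'forward' or 'discard' for a frame with this source MAC."""
        mac = normalize_mac(src_mac)
        if mac in self.static or mac in self.learned:
            return "forward"                  # already known: always forwarded
        if len(self.learned) < self.max_addr:
            self.learned.add(mac)             # room left: learn it and forward
            return "forward"
        self._trap(now)                       # over the limit: default action is discard
        return "discard"

    def link_down(self) -> None:
        """Link loss clears every dynamically locked address, not the static list."""
        self.learned.clear()

    def _trap(self, now: int) -> None:
        # Traps are rate-limited: at least trap_interval seconds between two traps.
        if self.trap_interval is None:
            return
        if not self.traps or now - self.traps[-1] >= self.trap_interval:
            self.traps.append(now)


def run_scenario() -> Dict[str, List[int]]:
    """Constructed timeline: one allowed dynamic address, a second device arriving,
    a link flap, and the second device being learned first after the flap."""
    port = LockedPort(max_addr=1, trap_interval=10)
    decisions = [
        port.ingress("00:12:17:53:03:1A", now=0),   # first device learned
        port.ingress("00:04:5A:55:EF:AD", now=1),   # second device discarded, trap at t=1
        port.ingress("00:04:5A:55:EF:AD", now=5),   # still discarded, trap suppressed
        port.ingress("00:04:5A:55:EF:AD", now=11),  # discarded, second trap at t=11
    ]
    port.link_down()                                # dynamic lock cleared
    decisions.append(port.ingress("00:04:5A:55:EF:AD", now=20))  # now learned instead
    decisions.append(port.ingress("00:12:17:53:03:1A", now=21))  # first device discarded
    return {"decisions": decisions, "traps": port.traps}


if __name__ == "__main__":
    print(run_scenario())
```

A static entry for a device that must stay reachable across link flaps avoids the relearning race the scenario shows.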
Default Port Security Values
Table 19-3 lists the default values for the Port Security feature.
Table 19-3. Default Port Security Values
Feature                        Default
Port security                  Unlocked
Port security traps            Disabled
Maximum learned MAC addresses  100 (when locked)
Monitor mode                   Disabled
Configuring Port Security (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring Port Security on Dell Networking N2000, N3000, and N4000 series switches. For details about the fields on a page, click the help icon at the top of the page.
Port Security
Use the Port Security page to enable MAC locking on a per-port basis. When
a port is locked, you can limit the number of source MAC addresses that are
allowed to transmit traffic on the port.
To display the Port Security page, click Switching > Network Security > Port Security in the navigation panel.
Figure 19-11. Network Security Port Security
Configuring Port Security Settings on Multiple Ports
To configure port security on multiple ports:
1. Open the Port Security page.
2. Click Show All to display the Port Security Table page.
3. In the Ports list, select the check box in the Edit column for each port to configure.
4. Select the desired settings for all ports that are selected for editing.
Figure 19-12. Configure Port Security Settings
5. Click Apply.
Configuring Port Security (CLI)
Beginning in Privileged EXEC mode, use the following commands to enable
port security on an interface to limit the number of source MAC addresses
that can be learned.
Command  Purpose
configure
    Enter Global Configuration mode.
interface interface
    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
    You can also specify a range of interfaces with the interface range command, for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
port security [discard] [trap seconds]
    Enable port security on the port. This prevents the switch from learning new addresses on this port after the maximum number of addresses has been learned.
    discard — Discards frames with unlearned source addresses. This is the default if no option is indicated.
    trap seconds — Sends SNMP traps and defines the minimal amount of time in seconds between two consecutive traps. (Range: 1–1000000)
port security max max-addr
    Set the maximum number of MAC addresses that can be learned on the port while port security is enabled.
CTRL + Z
    Exit to Privileged EXEC mode.
show ports security [interface]
    View port security settings on all interfaces or the specified interface.
show ports security addresses [interface]
    View the current MAC addresses that have been learned on all ports or the specified port.
Captive Portal
This section describes how to configure the Captive Portal feature.
The topics covered in this section include:
Captive Portal Overview
Default Captive Portal Behavior and Settings
Configuring the Captive Portal (Web)
Configuring Captive Portal (CLI)
IEEE 802.1X Configuration Examples
Captive Portal Overview
A Captive Portal helps manage or restrict network access. Captive Portals are
often used in locations that provide wired Internet access to customers, such
as business centers and hotels. For example, a hotel might provide an
Ethernet port in each room so that guests can connect to the Internet during
their stay. The hotel might charge for Internet use, or the hotel might allow
guests to connect only after they indicate that they have read and agree to the
acceptable use policy.
What Does Captive Portal Do?
The Captive Portal feature allows you to require a user to enter login
information on a custom Web page before gaining access to the network.
When the user connects to the port and opens a browser, the user is
presented with a welcome screen. To gain network access, the user must enter
a username (for guest access) or a username and password (for authenticated
access) and accept the terms of use. You can also configure the Captive Portal
feature to redirect the user to another web page after successful
authentication, for example your company home page.
Figure 19-13. Connecting to the Captive Portal
The Captive Portal feature blocks hosts connected to the switch from
accessing the network until user verification has been established. You can
configure Captive Portal verification to allow access for both guest and
authenticated users. Authenticated users must be validated against a
database of authorized Captive Portal users before access is granted. The
database can be stored locally on the switch or on a RADIUS server.
Is the Captive Portal Feature Dependent on Any Other Feature?
If you require RADIUS authentication, you must configure the RADIUS
server information on the switch (see "Using RADIUS Servers to Control
Management Access" on page 232). You must also configure the RADIUS
attributes for Captive Portal users on the RADIUS server. For information
about the RADIUS attributes to configure, see Table 19-5.
For a list of RADIUS attributes that the switch supports, see "Which
RADIUS Attributes Does the Switch Support?" on page 234.
[Figure 19-13 shows a Captive Portal user (host) connected to a switch running Captive Portal, an optional RADIUS server, and the default Captive Portal welcome screen as displayed in the user's browser.]
You can configure the switch to send SNMP trap messages to any enabled
SNMP Trap Receivers for several Captive Portal events, such as when a
Captive Portal user has an authentication failure or when a Captive Portal
user successfully connects to the network. If you enable the traps, the switch
also writes a message to the trap log when the event occurs. To enable the
Captive Portal traps, see "Configuring SNMP Notifications (Traps and
Informs)" on page 351.
What Factors Should Be Considered When Designing and Configuring a Captive Portal?
Before enabling the Captive Portal feature, decide what type (or types) of
authentication to require. Since the Dell Networking series switches support
up to 10 different Captive Portal instances, you can configure one Captive
Portal that requires a username and password and another that only requires
the username. For each Captive Portal, you can customize the welcome
screen, including the colors and logo.
If you require authentication, consider the number of users that must exist in
the user database. The local user database supports up to 128 users. If you
need to support more than 128 authenticated users, you must use a remote
RADIUS server for authentication.
You can specify whether the captive portal uses HTTP or HTTPS as the protocol during the user verification process. HTTP does not use encryption during verification, so any username and password the user types cross the network in the clear. HTTPS uses the Secure Sockets Layer (SSL), which requires a certificate on the switch to provide encryption. The switch presents this certificate to the user's browser at connection time, so if the certificate is self-signed or not issued by an authority the client trusts, the browser shows a certificate warning before the login page. Prefer HTTPS for the Local and RADIUS verification modes, which carry credentials.
The initial Web page that a user sees when he or she connects to the Captive
Portal can be customized. You can change the logo, color schemes, welcome
messages, and all text on the page, including the field and button labels. The
welcome page the user sees after a successful verification or authentication
can also be customized.
Figure 19-14. Customized Captive Portal Welcome Screen
How Does Captive Portal Work?
When a port is enabled for Captive Portal, all traffic coming onto the port from unverified clients is dropped except for ARP, DHCP, DNS and NetBIOS packets. These packets are forwarded by the switch so that unverified clients can obtain an IP address and resolve host or domain names. Data traffic from verified clients goes through as expected. If an unverified client opens a web browser and tries to connect to the network, the Captive Portal redirects all HTTP/HTTPS traffic from the unverified client to the authenticating server on the switch, which sends a Captive Portal web page back to the client. If the verification mode for the Captive Portal associated with the port is Guest, the client can be verified without providing authentication information. If the verification mode is Local or RADIUS, the client must provide credentials that are compared against the information in the Local or RADIUS client database. After the user successfully provides the required information, the Captive Portal feature grants access to the network.
Note that the pre-verification exceptions are described by protocol, not by destination: an unverified client can still exchange DNS and NetBIOS name-service traffic with whatever it can reach. If the unverified state must be a real boundary, restrict those protocols upstream of the switch (for example, to the site's own resolvers).
What Captive Portal Pages Can Be Customized?
You can customize the following three Captive Portal pages:
Authentication Page — This page displays when a client attempts to connect to the network. You can customize the images, text, and colors that display on this page.
Logout Page — If the user logout mode is enabled, this page displays in a
pop-up window after the user successfully authenticates. This window
contains the logout button.
Logout Success Page — If the user logout mode is enabled, this page
displays after a user clicks the logout button and successfully
deauthenticates.
Understanding User Logout Mode
The User Logout Mode feature allows a user who successfully authenticates
to the network through the captive portal to explicitly deauthenticate from
the network. When User Logout Mode is disabled or the user does not
specifically request logout, the connection status will remain authenticated
until the Captive Portal deauthenticates the user based on the configured
session timeout value. In order for the user logout feature to function
properly, the client browser must have JavaScript enabled and must allow
popup windows.
Localizing Captive Portal Pages
The Captive Portal localization feature allows you to create up to five
language-specific web pages for each captive portal as long as all pages use the
same verification type; either guest or authorized user web pages. This allows
you to create pages in a variety of languages to accommodate a diverse group
of users.
To customize the pages that the user sees, click the language tab. By default,
the English tab is available. The settings for the Authentication Page display.
Default Captive Portal Behavior and Settings
Captive Portal is disabled by default. If you enable Captive Portal, no
interfaces are associated with the default Captive Portal. After you associate
an interface with the Captive Portal and globally enable the Captive Portal
feature, a user who connects to the switch through that interface is presented
with the Captive Portal Welcome screen shown in Figure 19-15.
Figure 19-15. Default Captive Portal Welcome Screen
The user types a name in the Username field, selects the Acceptance Use
Policy check box, and clicks Connect to gain network access. By default, the
user does not need to be defined in a database or enter a password to access
the network because the default verification mode is Guest. Note that
duplicate Username entries can exist in this mode because the client IP and
MAC addresses are obtained for identification.
Table 19-4 shows the default values for the Captive Portal feature.

Table 19-4. Default Captive Portal Values

Feature                                    Value
Global Captive Portal Operational Status   Disabled
Additional HTTP or HTTPS Ports             Disabled. Captive Portal can be configured to use an additional HTTP and/or HTTPS port (in support of proxy networks).
Authentication Timeout                     300 seconds
Configured Captive Portals                 1
Captive Portal Name                        Default
Protocol Mode                              HTTP
Verification Mode                          Guest
URL Redirect Mode                          Off
User Group                                 1-Default
Session Timeout                            86400 seconds
Local Users                                None configured
Interface associations                     None
Interface status                           Not blocked. If the Captive Portal is blocked, users cannot gain access to the network through the Captive Portal. Use this function to temporarily protect the network during unexpected events, such as denial of service attacks.
Supported Captive Portal users             1024
Supported local users                      128
Supported Captive Portals                  10
Configuring the Captive Portal (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring Captive Portal settings on Dell Networking N2000, N3000, and N4000 series switches. For details about the fields on a page, click the help icon at the top of the page.
Captive Portal Global Configuration
Use the Captive Portal Global Configuration page to control the
administrative state of the Captive Portal feature and configure global
settings that affect all captive portals configured on the switch.
To display the Captive Portal Global Configuration page, click System → Captive Portal → Global Configuration.
Figure 19-16. Captive Portal Global Configuration
Captive Portal Configuration
Use the Captive Portal Configuration page to view summary information
about captive portals on the system, add a captive portal, and configure
existing captive portals.
The switch supports 10 Captive Portal configurations. Captive Portal
configuration 1 is created by default and cannot be deleted. Each captive
portal configuration can have unique guest or group access modes and a
customized acceptance use policy that displays when the client connects.
To display the Captive Portal Configuration page, click System → Captive Portal → Configuration.
Figure 19-17. Captive Portal Configuration
From the Captive Portal Configuration page, click Add to create a new
Captive Portal instance.
Figure 19-18. Add Captive Portal Configuration
From the Captive Portal Configuration page, click Summary to view
summary information about the Captive Portal instances configured on the
switch.
Figure 19-19. Captive Portal Summary
Customizing a Captive Portal
The procedures in this section customize the pages that the user sees when he
or she attempts to connect to (and log off of) a network through the captive
portal. These procedures configure the English version of the Default captive
portal.
To configure the switch:
1. From the Captive Portal Configuration page, click the (English) tab. The settings for the Authentication Page display, and the links to the Captive Portal customization appear.
2. Click Download Image to download one or more custom images to the switch. You can use a downloaded custom image for the branding logo (default: Dell logo) on the Authentication Page and Logout Success page, the account image (default: blue banner with keys) on the Authentication Page, and the background image (default: blank) on the Logout Success Page.
NOTE: The image to download must be accessible from your local system. The image should be 5 KB max, 200x200 pixels, GIF or JPG format.
Figure 19-20. Captive Portal Download Image Page
3. Make sure Download is selected in the Available Images menu, and click Browse.
4. Browse to the directory where the image to be downloaded is located and select the image.
5. Click Apply to download the selected file to the switch.
6. To customize the Authentication Page, which is the page that a user sees upon attempting to connect to the network, click the Authentication Page link.
Figure 19-21. Captive Portal Authentication Page
7. Select the branding image to use and customize other page components such as the font for all text the page displays, the page title, and the acceptance use policy.
8. Click Apply to save the settings to the running configuration, or click Preview to view what the user will see. To return to the default views, click Clear.
9. Click the Logout Page link to configure the page that contains the logout window.
Figure 19-22. Captive Portal Logout Page
10. Customize the look and feel of the Logout Page, such as the page title and logout instructions.
11. Click Apply to save the settings to the running configuration, or click Preview to view what the user will see. To return to the default views, click Clear.
12. Click the Logout Success Page link to configure the page that the user sees after a successful logout. A user is required to log out only if the User Logout Mode is selected on the Configuration page.
Figure 19-23. Captive Portal Logout Success Page
NOTE: You can configure the Logout Page settings only if the User Logout Mode is selected on the Configuration page. The User Logout Mode allows an authenticated client to deauthenticate from the network.
13. Customize the look and feel of the Logout Success Page, such as the background image and successful logout message.
14. Click Apply to save the settings to the running configuration, or click Preview to view what the user will see. To return to the default views, click Clear.
Local User
You can configure a portal to accommodate guest users and authorized users.
Guest users do not have assigned user names and passwords. Authorized users
provide a valid user name and password that must first be validated against a
local database or RADIUS server. Authorized users can gain network access
once the switch confirms the user’s credentials.
By default, each Captive Portal instance contains the default group. The
default group can be renamed, or a different group can be created and
assigned to each Captive Portal instance. A Captive Portal instance can be
associated to one user group only. A user, however, can be assigned to multiple
groups.
The Local User page allows you to add authorized users to the local database,
which can contain up to 128 user entries. You can also add and delete users
from the local database from the Local User page.
To display the Local User page, click System → Captive Portal → Local User.
Figure 19-24 shows the Local User page after a user has been added. If no
users have been added to the switch, many of the fields do not display on the
screen.
NOTE: Multiple user groups can be selected by holding the CTRL key down while
clicking the desired groups.
Figure 19-24. Local User Configuration
From the Local User page, click Add to add a new user to the local database.
Figure 19-25. Add Local User
From the Local User page, click Show All to view summary information
about the local users configured in the local database.
Figure 19-26. Captive Portal Local User Summary
To delete a configured user from the database, select the Remove check box
associated with the user and click Apply.
Configuring Users in a Remote RADIUS Server
You can use a remote RADIUS server for client authorization. You must add all users to the RADIUS server. The local database does not share any information with the remote RADIUS database.
Table 19-5 lists the RADIUS attributes you use to configure authorized captive portal clients. The table includes both standard RADIUS attributes and vendor-specific attributes (VSAs). A VSA is identified by its vendor ID and attribute ID, written as (vendor ID, attribute ID).

Table 19-5. Captive Portal User RADIUS Attributes

User-Name (attribute 1)
    Description: User name to be authorized. Range: 1–32 characters. Usage: Required. Default: None.
User-Password (attribute 2)
    Description: User password. Range: 8–64 characters. Usage: Required. Default: None.
Session-Timeout (attribute 27)
    Description: Log the user out once the session timeout is reached (seconds). If the attribute is 0 or not present, the value configured for the captive portal is used. Range: Integer (seconds). Usage: Optional. Default: 0.
Dell-Captive-Portal-Groups (VSA: vendor ID 6231, attribute ID 127)
    Description: A comma-delimited list of group names that correspond to the configured CP instance configurations. Range: String. Usage: Optional. Default: None; the default group is used if no group is given here.

User Group
You can assign Local Users to User Groups that you create. If the Verification Mode is Local or RADIUS, you assign a User Group to a Captive Portal Configuration. All users who belong to the group are permitted to access the network through this portal. The User Group list is the same for all Captive Portal configurations on the switch.
To display the User Group page, click System → Captive Portal → User Group.
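The following is an added example, not part of the manual or of Dell's own documentation, showing the RADIUS server side of Table 19-5 as FreeRADIUS dictionary and users file entries. The vendor name Dell-Networking, the file layout, and the user names, passwords and group names are assumptions chosen for illustration; the numeric identifiers (vendor 6231, attribute 127, Session-Timeout 27) are the ones Table 19-5 gives.

```text
# Added example (not from the manual): FreeRADIUS "dictionary" entries for the VSA in
# Table 19-5. The vendor name is a local choice; the numbers are the table's.
VENDOR          Dell-Networking                         6231
BEGIN-VENDOR    Dell-Networking
ATTRIBUTE       Dell-Networking-Captive-Portal-Groups   127     string
END-VENDOR      Dell-Networking

# Added example: FreeRADIUS "users" entries for two captive portal accounts.
# Passwords and group names are placeholders. Group names must match the names
# given to the groups on the switch (user group <id> name <name>).

# An employee limited to the Employee portal's group, logged out after 8 hours
# regardless of the portal's own session-timeout setting.
alice   Cleartext-Password := "Ab3-example-password"
        Session-Timeout = 28800,
        Dell-Networking-Captive-Portal-Groups = "Employee"

# A user allowed on either the Employee or the Conference portal. Session-Timeout is
# omitted, so the switch applies the timeout configured for whichever portal is used.
bob     Cleartext-Password := "Xy9-another-password"
        Dell-Networking-Captive-Portal-Groups = "Employee,Conference"
```

The password must satisfy the 8–64 character range in Table 19-5 or the switch rejects the account. Because the local database and the RADIUS database are separate, a user who must be able to log in through both a Local and a RADIUS portal has to be defined in both places.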
Figure 19-27. User Group
From the User Group page, click Add to configure a new user group.
Figure 19-28. Add User Group
From the User Group page, click Show All to view summary information
about the user groups configured on the switch.
Figure 19-29. Captive Portal User Group Summary
To delete a configured group, select the Remove check box associated with
the group and click Apply.
Interface Association
From the Interface Association page, you can associate a configured captive
portal with specific interfaces. The captive portal feature only runs on the
interfaces that you specify. A captive portal can have multiple interfaces
associated with it, but an interface can be associated to only one Captive
Portal at a time.
To display the Interface Association page, click System → Captive Portal → Interface Association.
Figure 19-30. Captive Portal Interface Association
NOTE: After you associate an interface with a Captive Portal, that interface is shown as unavailable (disabled) in the Interface List so that it cannot be selected again. Each interface can be associated with only one Captive Portal at a time.
Captive Portal Global Status
The Captive Portal Global Status page contains a variety of information
about the Captive Portal feature. From the Captive Portal Global Status
page, you can access information about the Captive Portal activity and
interfaces.
To display the Global Status page, click System → Captive Portal → Status → Global Status.
Figure 19-31. Captive Portal Global Status
Captive Portal Activation and Activity Status
The Captive Portal Activation and Activity Status page provides information
about each Captive Portal configured on the switch.
The Captive Portal Activation and Activity Status page has a drop-down
menu that contains all captive portals configured on the switch. When you
select a captive portal, the activation and activity status for that portal
displays.
To display the Activation and Activity Status page, click System → Captive Portal → Status → Activation and Activity Status.
Figure 19-32. Captive Portal Activation and Activity Status
Interface Activation Status
The Interface Activation Status page shows information for every interface
assigned to a captive portal instance.
To display the Interface Activation Status page, click System → Captive Portal → Interface Status → Interface Activation Status.
NOTE: Use the Block and Unblock buttons to control the blocked status. If the
Captive Portal is blocked, users cannot gain access to the network through the
Captive Portal. Use this function to temporarily protect the network during
unexpected events, such as denial of service attacks.
Figure 19-33. Interface Activation Status
Interface Capability Status
The Interface Capability Status page contains information about interfaces
that can have CPs associated with them. The page also contains status
information for various capabilities. Specifically, this page indicates what
services are provided through the Captive Portal to clients connected on this
interface. The list of services is determined by the interface capabilities.
To display the Interface Capability Status page, click System → Captive Portal → Interface Status → Interface Capability Status.
Figure 19-34. Interface Capability Status
Client Summary
Use the Client Summary page to view summary information about all
authenticated clients that are connected through the captive portal. From
this page, you can manually force the captive portal to disconnect one or
more authenticated clients. The list of clients is sorted by client MAC
address.
To display the Client Summary page, click System → Captive Portal → Client Connection Status → Client Summary.
Figure 19-35. Client Summary
To force the captive portal to disconnect an authenticated client, select the
Remove check box next to the client MAC address and click Apply. To
disconnect all clients from all captive portals, click Delete All.
Client Detail
The Client Detail page shows detailed information about each client
connected to the network through a captive portal.
To display the Client Detail page, click System → Captive Portal → Client Connection Status → Client Detail.
Figure 19-36. Client Detail
Captive Portal Interface Client Status
Use the Interface Client Status page to view clients that are authenticated to
a specific interface.
To display the Interface Client Status page, click System → Captive Portal → Client Connection Status → Interface Client Status.
Figure 19-37. Interface - Client Status
Captive Portal Client Status
Use the Client Status page to view clients that are authenticated to a specific
Captive Portal configuration.
To display the Client Status page, click System → Captive Portal → Client Connection Status → Client Status.
Figure 19-38. Captive Portal - Client Status
Configuring Captive Portal (CLI)
This section provides information about the commands you use to create and configure Captive Portal settings. For more information about the commands, see the Dell Networking N2000, N3000, and N4000 Series Switches CLI Reference Guide at support.dell.com/manuals.
Configuring Global Captive Portal Settings
Beginning in Privileged EXEC mode, use the following commands to configure global Captive Portal settings.

configure
    Enter global configuration mode.
captive-portal
    Enter Captive Portal mode.
http port port-num
    (Optional) Configure an additional HTTP port for Captive Portal to monitor. Use this command on networks that use an HTTP proxy server.
    port-num — The port number to monitor (Range: 1–65535, excluding ports 80, 443, and the configured switch management port).
https port port-num
    (Optional) Configure an additional HTTPS port for Captive Portal to monitor. Use this command on networks that use an HTTPS proxy server.
    port-num — The port number to monitor (Range: 1–65535, excluding ports 80, 443, and the configured switch management port).
authentication timeout timeout
    (Optional) Configure the number of seconds the user has to enter valid credentials into the verification page. If the user exceeds the configured timeout, the verification page needs to be served again in order for the client to gain access to the network.
    timeout — The authentication timeout (Range: 60–600 seconds).
enable
    Globally enable the Captive Portal feature.
CTRL + Z
    Exit to Privileged EXEC mode.
show captive-portal [status]
    View the Captive Portal administrative and operational status. Use the status keyword to view additional global Captive Portal information and summary information about all configured Captive Portal instances.

Creating and Configuring a Captive Portal
Beginning in Privileged EXEC mode, use the following commands to create a Captive Portal instance and configure its settings.

configure
    Enter global configuration mode.
captive-portal
    Enter Captive Portal mode.
configuration cp-id
    Enter the Captive Portal instance mode.
    cp-id — The Captive Portal instance (Range: 1–10). The Captive Portal configuration identified by CP ID 1 is the default CP configuration.
name string
    Add a name to the Captive Portal instance.
    string — CP configuration name (Range: 1–32 characters).
protocol {http | https}
    Specify whether to use HTTP or HTTPS during the Captive Portal user verification process.
verification {guest | local | radius}
    Specify how to process the credentials the user enters on the verification page.
    guest — Allows access for unauthenticated users (users that do not have assigned user names and passwords).
    local — Authenticates users against a local user database.
    radius — Authenticates users against a remote RADIUS database.
radius-auth-server name
    Specify the name of the RADIUS server to use for RADIUS verification. Use the commands described in "Using RADIUS Servers to Control Management Access" on page 232 to configure RADIUS server settings for the switch.
user-logout
    (Optional) Enable user logout mode to allow an authenticated client to deauthenticate from the network. If this option is not set or the user does not specifically request logout, the client connection status remains authenticated until the CP deauthenticates the user, for example by reaching the idle timeout or session timeout values.
redirect
    (Optional) Enable the redirect mode for a Captive Portal configuration so that the user is redirected to a specific Web page after the verification or authentication process. When the redirect mode is not enabled, the user sees the Captive Portal welcome page after the verification or authentication process.
redirect-url url
    (Optional) Specify the web page that the user sees after successful verification or authentication through the Captive Portal.
    url — The URL for redirection (Range: 1–512 characters).
group group-number
    (For Local and RADIUS verification) Configure the group number associated with this Captive Portal configuration. By default, only the default group exists. To assign a different user group to the Captive Portal instance, you must first configure the group.
    group-number — The number of the group to associate with this configuration (Range: 1–10).
session-timeout timeout
    (Optional) Enter the number of seconds to wait before terminating a session. A user is logged out once the session timeout is reached. You can also set the session timeout for each user if the Captive Portal requires authentication.
    timeout — Session timeout. 0 indicates timeout not enforced (Range: 0–86400 seconds).
interface interface
    Associate an interface with this Captive Portal. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
enable
    Enable the Captive Portal instance.
block
    (Optional) Block all traffic for a Captive Portal configuration. If the Captive Portal is blocked, users cannot gain access to the network through the Captive Portal. Use this function to temporarily protect the network during unexpected events, such as denial of service attacks.
CTRL + Z
    Exit to Privileged EXEC mode.
show captive-portal configuration cp-id [status | interface]
    View summary information about a Captive Portal instance.
    cp-id — The Captive Portal instance (Range: 1–10).
    status — View additional information about the Captive Portal instance.
    interface — View information about the interface(s) associated with the specified Captive Portal.
show captive-portal interface configuration cp-id status
    View information about the interfaces associated with the specified Captive Portal instance.
    cp-id — The Captive Portal instance (Range: 1–10).

NOTE: To return the default Captive Portal instance to its default values, use the clear command in the Captive Portal Instance mode. You must also use the no interface interface command to remove any associated interfaces from the instance.

Configuring Captive Portal Groups and Users
Beginning in Privileged EXEC mode, use the following commands to create a Captive Portal group and its users. You can use the default group, or you can create a new group.

configure
    Enter global configuration mode.
captive-portal
    Enter Captive Portal mode.
user group group-id [name name]
    Configure a group. Each Captive Portal that requires authentication has a group associated with it. Only the users who are members of that group can be authenticated if they connect to the Captive Portal.
    group-id — Group ID (Range: 1–10).
    name — Group name (Range: 1–32 characters).
user user-id name name
    Create a new user for the local user authentication database.
    user-id — User ID (Range: 1–128).
    name — User name (Range: 1–32 characters).
user user-id password password
    Configure the password for the specified user.
    user-id — User ID (Range: 1–128).
    password — User password (Range: 8–64 characters).
user user-id group group-id
    Associate a group with a Captive Portal user. A user can be associated with more than one group.
    user-id — User ID (Range: 1–128).
    group-id — Group ID (Range: 1–10).
user user-id session-timeout timeout
    Enter the number of seconds to wait before terminating a session for the specified user. The user is logged out once the session timeout is reached.
    user-id — User ID (Range: 1–128).
    timeout — Session timeout. 0 indicates timeout not enforced (Range: 0–86400 seconds).
user group group-id moveusers new-group-id
    (Optional) Move all of the users in a group to a different group. This command removes the users from the group specified by group-id.
    group-id — Group ID (Range: 1–10).
    new-group-id — Group ID (Range: 1–10).
CTRL + Z
    Exit to Privileged EXEC mode.
show captive-portal user [user-id]
    View summary information about all users configured in the local database. Specify the user ID to view additional information about a user.
    user-id — User ID (Range: 1–128).
clear captive-portal users
    (Optional) Delete all captive portal user entries from the local database.

Managing Captive Portal Clients
The commands in this section are all executed in Privileged EXEC mode. Use the following commands to view and manage clients that are connected to a Captive Portal.

show captive-portal configuration [cp-id] client status
    Display information about the clients authenticated to all Captive Portal configurations or to a specific configuration.
    cp-id — The Captive Portal instance (Range: 1–10).
show captive-portal interface interface client status
    Display information about clients authenticated on all interfaces or on a specific interface.
    interface — Specific Ethernet interface, such as gi1/0/8.
show captive-portal client [macaddr] status
    Display client connection details or a connection summary for connected Captive Portal users.
    macaddr — The MAC address of the client.
captive-portal client deauthenticate macaddr
    Deauthenticate a specific captive portal client.
    macaddr — The MAC address of the client.
Captive Portal Configuration Example
The manager of a resort and conference center needs to provide wired Internet access to each guest room at the resort and in each conference room. For legal reasons, visitors and guests must agree to the resort's acceptable use policy to gain network access. Additionally, network access from the conference rooms must be authenticated. The person who rents the conference room space receives a list of username and password combinations upon arrival. Hotel employees have their own Captive Portal.
The network administrator for the resort and conference center decides to configure the three Captive Portals that Table 19-6 describes.
Configuration Overview
The following steps provide an overview of the process you use to configure
the Captive Portal feature.
To configure the switch:
1. If you plan to use a RADIUS server for authentication, configure the
   RADIUS server settings on the switch.
2. If authentication is required, configure the user groups to associate with
   each Captive Portal.
3. Create (add) the Captive Portals.
4. Configure the Captive Portal settings for each Captive Portal, such as the
   verification mode.
5. Associate interfaces with the Captive Portal instances.
6. Download the branding images, such as the company logo, to the switch.
   The images you download must be accessible from the switch, either on
   the system you use to manage the switch or on a server that is on the same
   network as the switch.
7. Customize the authentication, logout, and logout success web pages that a
   Captive Portal user will see.
   Dell recommends that you use Dell OpenManage Administrator to
   customize the Captive Portal authentication, logout, and logout success
   pages. A Preview button is available to allow you to see the pages that a
   Captive Portal user will see.
8. If you use the local database for user authentication, configure the users on
   the switch.
9. If you use a RADIUS server for authentication, add the users to the
   database on the RADIUS server.
10. Associate interfaces with the Captive Portal instances.
11. Globally enable Captive Portal.
Table 19-6. Captive Portal Instances
Captive Portal Name   Description
Guest                 Free Internet access is provided in each guest room, but
                      guests must enter a name and agree to the acceptable use
                      policy before they can gain access. The manager wants guests
                      to be redirected to the resort’s home web page upon
                      successful verification. No logout is required.
Conference            Because physical access to the conference rooms is less secure
                      than access to each guest room, the manager wants to ensure
                      that people who connect to the network through a port in a
                      conference room are authenticated. The Conference Captive
                      Portal uses the local database for authentication.
Employee              To gain network access, resort employees must enter a
                      username and password that is stored on a RADIUS server.
Detailed Configuration Procedures
Use the following steps to perform the Captive Portal configuration:
1. Configure the RADIUS server information on the switch.
   In this example, the RADIUS server IP address is 192.168.2.188, and the
   RADIUS server name is luxury-radius.
   console#configure
   console(config)#radius-server host 192.168.12.182
   console(Config-auth-radius)#name luxury-radius
   console(Config-auth-radius)#exit
2. Configure the Captive Portal groups.
   console(config)#captive-portal
   console(config-CP)#user group 2 name Conference
   console(config-CP)#user group 3 name Employee
   console(config-CP)#exit
3. Configure the Guest Captive Portal.
   console(config)#captive-portal
   console(config-CP)#configuration 2
   console(config-CP 2)#name Guest
   console(config-CP 2)#redirect
   console(config-CP 2)#redirect-url http://www.luxuryresorturl.com
   console(config-CP 2)#interface te1/0/1
   console(config-CP 2)#interface te1/0/2
   ...
   console(config-CP 2)#interface te1/0/4
   console(config-CP 2)#exit
4. Configure the Conference Captive Portal.
   console(config-CP)#configuration 3
   console(config-CP 3)#name Conference
   console(config-CP 3)#verification local
   console(config-CP 3)#group 2
   console(config-CP 3)#interface te1/0/825
   ...
   console(config-CP 3)#interface te1/0/1533
   console(config-CP 3)#exit
5. Configure the Employee Captive Portal.
   console(config-CP)#configuration 4
   console(config-CP 4)#name Employee
   console(config-CP 4)#verification radius
   console(config-CP 4)#group 3
   console(config-CP 4)#interface te1/0/1834
   ...
   console(config-CP 4)#interface te1/0/2240
   console(config-CP 4)#exit
6. Use the web interface to customize the Captive Portal pages that are
   presented to users when they attempt to connect to the network.
   NOTE: You must use the web interface to download images.
7. Add the Conference users to the local database.
   console(config-CP)#user 1 name EaglesNest1
   console(config-CP)#user 1 password
   Enter password (8 to 64 characters): *********
   Re-enter password: *********
   console(config-CP)#user 1 group 2
   Continue entering username and password combinations to populate the
   local database.
8. Add the User-Name, User-Password, Session-Timeout, and
   Dell-Captive-Portal-Groups attributes for each employee to the database on
   the RADIUS server.
9. Globally enable the Captive Portal.
   console(config-CP)#enable
NOTE: Captive Portal page customization is supported only through the Web
interface. For information about customizing the Captive Portal pages, see
"Customizing a Captive Portal" on page 552.
Authentication Manager
Overview
The Authentication Manager supports the hierarchical configuration of host
authentication methods on an interface. Dell switches support the following
host authentication methods:
• IEEE 802.1x
• MAC Authentication Bypass
• Captive portal
Using the Authentication Manager, the administrator can configure an
authentication method list on a per-port basis. Authentication can be enabled
or disabled. If authentication is disabled, then no authentication method is
applied and the port is provided with open access. The default behavior is
that authentication is disabled for all ports.
The configured authentication methods are attempted in the configured
order. If an authentication method times out, then the next configured
method is attempted. If an authentication method fails, then the next
method is not attempted and authentication begins again from the first
method. If all the methods fail, then the Authentication Manager starts a
timer for reauthentication. Failure in this context means that host
authentication was attempted and the host was unable to successfully
authenticate. At the expiry of the timer, the Authentication Manager starts
the authentication process again from the first method in the list.
The Authentication Manager supports configuring a priority for each
authentication method on a port. The authentication priority allows a higher
priority method (not currently running) to interrupt an authentication in
progress with a lower-priority method. If a client is already authenticated, an
interrupt from a higher-priority method can cause a client previously
authenticated using a lower priority method to reauthenticate.
By default, Dell switches are configured with a method list that contains the
methods (in order) Dot1x, MAB, and captive portal (web-auth) as the default
methods for all the ports. Dell switches restrict the configuration such that no
method is allowed to follow the captive portal method, if configured.
When a client is connected to a port, the switch tries to authenticate the
user/client using the methods in configuration order. If any authentication
method times out (an error), then the next authentication method is tried. If
all authentication methods configured for the port error out, the switch starts
a timer whose value is equal to the authentication restart timer. At the expiry
of the timer, the switch restarts the authentication process from the first
method. This timer starts only when all of the authentication methods error
out.
The authentication manager controls only the order in which the
authentication methods are executed. The switch administrator is responsible
for implementing the required configuration for the respective methods to
authenticate successfully.
Authentication Restart
Authentication restarts from the first configured method on any of the
following events:
• Link flap
• Authentication fails for all configured methods
• Authentication priority (802.1X packet received when a lower priority
  method is active)
802.1X Interaction
By default, 802.1X drops all traffic prior to successful 802.1X (or MAB)
authentication. If captive portal is configured as a method, authentication
allows certain traffic types, such as DHCP or DNS, access to the network
during the captive portal method invocation.
Authentication Priority
The default authentication priority of a method is equivalent to its position
in the order of the authentication list. If authentication method priorities are
not configured, then the relative priorities (first is highest) are in the same
order as that of the per-port based authentication list.
Authentication priority allows a higher-priority method (not currently
running) to interrupt an authentication in progress with a lower-priority
method. Alternatively, if the client is already authenticated, an interrupt from
a higher-priority method can cause a client, which was previously
authenticated using a lower-priority method, to reauthenticate.
For example, if a client is already authenticated using a method other than
802.1X (MAB or captive portal) and 802.1X has higher priority than the
authenticated method, and if an 802.1X frame is received, then the existing
authenticated client is removed and the authentication process begins again
from the first method in the order. If 802.1X has a lower priority than the
authenticated method, then the client is not removed and the 802.1X frames
are ignored.
If the administrator changes the priority of the methods, then all the users who
are authenticated using a lower-priority method are forced to reauthenticate.
If an authentication session is in progress and the administrator changes the
order of the authentication methods, then the configuration takes effect
from the next session onwards.
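The order, timeout-versus-failure and priority rules described in this section, modelled as an added Python example; this is not Dell's firmware, which is not shown on the page. Method names follow the default list (dot1x, mab, web-auth); the Outcome values and the function names are assumptions made for the illustration.

```python
"""Model of the Authentication Manager ordering and priority rules.
Added illustration, not Dell switch code.  Method names follow the default
list in the text; Outcome values and function names are assumptions."""
from enum import Enum


class Outcome(Enum):
    SUCCESS = "success"   # host authenticated by this method
    TIMEOUT = "timeout"   # method errored out, e.g. no supplicant or server reply
    FAIL = "fail"         # host was tried and rejected by this method


def validate_order(order):
    """The switch rejects a list in which any method follows captive portal."""
    if "web-auth" in order and order.index("web-auth") != len(order) - 1:
        return False
    return True


def run_method_list(order, outcomes):
    """Walk the per-port method list once, as the text describes.

    outcomes is a constructed mapping method -> Outcome for this attempt.
    Returns (state, method): ("authorized", m) when method m succeeded, or
    ("restart-timer", m) when m failed (m is None if every method timed out).
    """
    for method in order:
        outcome = outcomes[method]
        if outcome is Outcome.SUCCESS:
            return ("authorized", method)
        if outcome is Outcome.FAIL:
            # A failure stops the walk: later methods are not attempted and the
            # reauthentication timer restarts the list from the first method.
            return ("restart-timer", method)
        # TIMEOUT: try the next configured method.
    # Every method errored out: the authentication restart timer is started.
    return ("restart-timer", None)


def effective_priority(order, explicit=None):
    """Priority defaults to list position (a smaller number is higher);
    explicit holds administrator-configured overrides per method."""
    explicit = explicit or {}
    return {m: explicit.get(m, i) for i, m in enumerate(order)}


def dot1x_frame_interrupts(authenticated_by, priorities):
    """An 802.1X frame on a port already authenticated by another method
    removes the client (and restarts from the first method) only when 802.1X
    outranks the method that authenticated the client; otherwise it is ignored."""
    if authenticated_by == "dot1x":
        return False   # 802.1X already owns the session; nothing to interrupt
    return priorities["dot1x"] < priorities[authenticated_by]


if __name__ == "__main__":
    order = ["dot1x", "mab", "web-auth"]   # the default method list
    print(run_method_list(order, {"dot1x": Outcome.TIMEOUT,
                                  "mab": Outcome.SUCCESS,
                                  "web-auth": Outcome.TIMEOUT}))
    print(dot1x_frame_interrupts("mab", effective_priority(order)))
```

The distinction the model makes explicit is that a timeout advances to the next method while a failure ends the walk; confusing the two is the usual reason a port that "should" have fallen back to MAB sits in the restart timer instead.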
Configuration Example—802.1X and MAB
In this scenario, the authentication manager selects the first authentication
method, 802.1X. If authentication using 802.1X is successful, then the client
is allowed network access. If authentication using 802.1X errors out, then
authentication manager selects the next authentication method: MAB. If
authentication using MAB returns an error, then the port is unauthorized.
The authentication manager will start a timer to re-authenticate the client.
At the expiry of the timer, the authentication manager restarts authentication
by selecting the 802.1X method.
console#configure
console(config)#radius-server host 10.10.10.10
console(Config-radius)#name BigRadius
console(Config-radius)#primary
console(Config-radius)#usage 802.1x
console(Config-radius)#exit
console(config)#radius-server key thatsyoursecret-keepit-keepit
console(config)#authentication enable
console(config)#aaa authentication dot1x default radius
console(config)#dot1x system-auth-control
console(config)#interface te1/0/4
console(config-if-Te1/0/4)#authentication order dot1x mab
console(config-if-Te1/0/4)#dot1x reauthentication
console(config-if-Te1/0/4)#dot1x port-control mac-based
console(config-if-Te1/0/4)#dot1x mac-auth-bypass
console(config-if-Te1/0/4)#exit
Denial of Service
Denial of Service (DoS) refers to the exploitation of a variety of
vulnerabilities which would interrupt the service of a host or make a network
unstable. Use the Denial of Service page to configure settings to help prevent
DoS attacks.
DoS protection is disabled by default.
To display the Denial of Service page, click System → Management Security →
Denial of Service in the navigation panel.
Figure 19-39. Denial of Service
Configuring Access Control Lists 583
20 Configuring Access Control Lists
This chapter describes how to configure Access Control Lists (ACLs),
including IPv4, IPv6, and MAC ACLs. This chapter also describes how to
configure time ranges that can be applied to any of the ACL types.
The topics covered in this chapter include:
• ACL Overview
• ACL Configuration Details
• Policy Based Routing
• Configuring ACLs (Web)
• Configuring ACLs (CLI)
• ACL Configuration Examples
ACL Overview
Access Control Lists (ACLs) are a collection of rules that provide security by
blocking selected packets from ingressing the switch. ACLs are implemented
in hardware and processed at line rate for the front-panel ports. A reduced
functionality set of ACLs is implemented in firmware for the OOB port.
ACLs can also provide traffic rate limiting and decide which types of traffic
are forwarded or blocked. ACLs can reside in a firewall router, a router
connecting two internal networks, or a Layer 3 switch, such as a Dell
Networking N2000, N3000, and N4000 series switch.
You can also create an ACL that limits access to the management interfaces
based on the connection method (for example, Telnet or HTTP) and/or the
source IP address.
The Dell Networking series switches support ACL configuration in both the
ingress and egress direction. Egress ACLs provide the capability to implement
security rules on the egress flows (traffic leaving a port) rather than the
ingress flows (traffic entering a port). Ingress and egress ACLs can be applied
to any physical port, port-channel (LAG), or VLAN routing port.
Depending on whether an ingress or egress ACL is applied to a port, when the
traffic enters (ingress) or leaves (egress) a port, the ACL compares the criteria
configured in its rules, in list order, to the fields in a packet or frame to check
for matching conditions. The ACL processes the traffic based on the actions
contained in the rules.
ACL rules are processed in list order, from the first to the last rule in the list.
If a matching rule is found, the rule action is taken and no subsequent rules in
the list are processed for that packet. Frequently matched rules should be
placed near or at the front of the list. A list must have at least one permit
entry or all traffic is denied (dropped).
Egress ACLs filter switched traffic only. Packets generated by the switch are
sent regardless of any egress ACL deny rules.
You can set up ACLs to control traffic at Layer 2, Layer 3, or Layer 4. MAC
ACLs operate on Layer 2. IP ACLs operate on Layers 3 and 4. Dell
Networking series switches support both IPv4 and IPv6 ACLs.
What Are MAC ACLs?
MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the
following fields of a packet:
• Source MAC address
• Source MAC mask
• Destination MAC address
• Destination MAC mask
• VLAN ID
• Class of Service (CoS) (802.1p)
• EtherType
L2 ACLs can apply to one or more interfaces.
Multiple access lists can be applied to a single interface; sequence number
determines the order of execution.
NOTE: The last access group configured is terminated by an implicit deny all
rule, which drops any packet not matching a preceding rule.
MAC access list actions include CoS queue assignment, mirroring,
redirection to another port, and logging, as well as the usual permit and deny
actions.
What Are IP ACLs?
IP ACLs classify for Layers 3 and 4 on IPv4 or IPv6 traffic.
Each ACL is a set of up to 100 rules applied to inbound or outbound traffic.
IP ACLs support logging, redirect, mirroring, and drop. The following fields
may be specified in the permit or deny rules.
• Destination IP with wildcard mask
• Destination L4 port
• Every protocol or a specific protocol
• IP DSCP
• IP precedence
• IP TOS
• TCP flags
• Source IP with wildcard mask
• Source L4 port, with eq, ne, gt, and lt operators and ranges (IP/TCP/UDP
  packets only)
• Destination layer 4 port, with eq, ne, gt, and lt operators and ranges
  (IP/TCP/UDP packets only)
What Is the ACL Redirect Function?
The redirect function allows traffic that matches a permit rule to be
redirected to a specific physical port or LAG instead of processed on the
original port. A packet that is redirected does not go through the normal
forwarding process. It is sent to the redirect target port. The redirect function
and mirror function are mutually exclusive. In other words, you cannot
configure a given ACL rule with both mirror and redirect attributes.
What Is the ACL Mirror Function?
ACL mirroring provides the ability to mirror traffic that matches a permit
rule to a specific physical port or LAG. Mirroring is similar to the redirect
function, except that in flow-based mirroring a copy of the permitted traffic is
delivered to the mirror interface while the packet itself is forwarded normally
through the device. You cannot configure a given ACL rule with both mirror
and redirect attributes.
Using ACLs to mirror traffic is considered to be flow-based mirroring since
the traffic flow is defined by the ACL classification rules. This is in contrast to
port mirroring, where all traffic encountered on a specific interface is
replicated on another interface.
What Is ACL Logging?
ACL Logging provides a means for counting the number of “hits” against an
ACL rule. When you configure ACL Logging, you augment the ACL deny
rule specification with a "log" parameter that enables hardware hit count
collection and reporting. The switch uses a fixed five minute logging interval,
at which time trap log entries are written for each ACL logging rule that
accumulated a non-zero hit count during that interval. You cannot configure
the logging interval.
What Are Time-Based ACLs?
The time-based ACL feature allows the switch to dynamically apply an
explicit ACL rule within an ACL for a predefined time interval by specifying a
time range on a per-rule basis within an ACL, so that the time restrictions are
imposed on the ACL rule.
With a time-based ACL, you can define when and for how long an individual
rule of an ACL is in effect. To apply a time to an ACL, first you define a
specific time interval and then apply it to an individual ACL rule so that it is
operational only during the specified time range, for example, during a
specified time period or on specified days of the week.
A time range can be absolute (specific time) or periodic (recurring). If an
absolute and periodic time range entry are defined within the same time
range, the periodic timer is active only when the absolute timer is active.
NOTE: Adding a conflicting periodic time range to an absolute time range will
cause the time range to become inactive. For example, consider an absolute time
range from 8:00 AM Tuesday March 1st 2011 to 10 PM Tuesday March 1st 2011.
Adding a periodic entry using the 'weekend' keyword will cause the time-range
to become inactive because Tuesdays are not on the weekend.
A named time range can contain up to 10 configured time ranges. Only one
absolute time range can be configured per time range. During the ACL
configuration, you can associate a configured time range with the ACL to
provide additional control over permitting or denying a user access to network
resources.
Benefits of using time-based ACLs include:
• Providing more control over permitting or denying a user access to
  resources, such as an application (identified by an IP address/mask pair and
  a port number).
• Providing control of logging messages. Individual ACL rules defined within
  an ACL can be set to log traffic only at certain times of the day so you can
  simply deny access without needing to analyze many logs generated during
  peak hours.
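The absolute/periodic interaction described above, including the NOTE's Tuesday-versus-weekend case, modelled as an added Python example; this is not Dell switch code. The 10-entry and single-absolute-entry limits are the ones the text states; the TimeRange class, its method names and the treatment of a range with no entries as inactive are assumptions made for this illustration.

```python
"""Time-range activity rules for time-based ACL rules.  Added illustration,
not Dell switch code; class/method names and the empty-range behaviour are
assumptions, the entry limits come from the text."""
from datetime import datetime, time

# Python weekday(): Monday = 0 ... Sunday = 6
WEEKDAYS = {0, 1, 2, 3, 4}
WEEKEND = {5, 6}
DAILY = WEEKDAYS | WEEKEND


class TimeRange:
    MAX_ENTRIES = 10          # a named time range holds up to 10 entries

    def __init__(self, name):
        self.name = name
        self.absolute = None  # (start, end) datetimes; at most one per named range
        self.periodic = []    # list of (days, start_time, end_time)

    def _entries(self):
        return len(self.periodic) + (1 if self.absolute else 0)

    def add_absolute(self, start, end):
        if self.absolute is not None:
            raise ValueError("only one absolute entry is allowed per time range")
        if self._entries() >= self.MAX_ENTRIES:
            raise ValueError("time range already holds 10 entries")
        self.absolute = (start, end)

    def add_periodic(self, days, start, end):
        if self._entries() >= self.MAX_ENTRIES:
            raise ValueError("time range already holds 10 entries")
        self.periodic.append((set(days), start, end))

    def absolute_active(self, now):
        if self.absolute is None:
            return True       # no absolute bound: the periodic entries alone decide
        start, end = self.absolute
        return start <= now <= end

    def periodic_active(self, now):
        return any(now.weekday() in days and start <= now.time() <= end
                   for days, start, end in self.periodic)

    def is_active(self, now):
        """Periodic entries count only while the absolute entry is active.
        A range with no entries is treated as inactive (an assumption)."""
        if self._entries() == 0:
            return False
        if not self.absolute_active(now):
            return False
        if not self.periodic:
            return True
        return self.periodic_active(now)


def rule_in_effect(time_range, now):
    """An ACL rule without a time range is always in effect; with one, it is
    in effect only while that range is active."""
    return True if time_range is None else time_range.is_active(now)


if __name__ == "__main__":
    # The NOTE's example: Tuesday 1 March 2011, 8:00 AM to 10 PM (constructed)
    tr = TimeRange("conference-day")
    tr.add_absolute(datetime(2011, 3, 1, 8, 0), datetime(2011, 3, 1, 22, 0))
    print(tr.is_active(datetime(2011, 3, 1, 12, 0)))   # active
    tr.add_periodic(WEEKEND, time(0, 0), time(23, 59))
    print(tr.is_active(datetime(2011, 3, 1, 12, 0)))   # inactive: Tuesday is not on the weekend
```

The second print shows the conflict the NOTE warns about: the absolute window is still active, but once a periodic entry exists it must also match, and a weekend entry never matches a Tuesday, so the rule silently stops applying.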
What Are the ACL Limitations?
There are two hardware matching engines visible to the Dell switch
administrator: the ingress processor and the egress processor. Each of these
processors has different limits and actions. The ingress matching engine
processes packets on ingress to the switch and can apply actions such as
applying CoS processing, diverting to a different port, etc. The egress
matching engine processes packets after they are switched and queued for
egress and supports policies such as rewriting the DSCP or CoS values, as well
as the normal permit (forward) and deny (drop) actions.
ACLs operate by matching on specific fields within packets. Various match
conditions (operators) are supported (e.g., equal, less than, not equal, etc.),
along with masks that support selection of all or a portion of a field. Each field
to be matched is assigned to a matching engine (slice). A slice is defined by
an offset into the packet that is compared against a set of matching values
and masks along with an associated action (ACEs). Each Dell Networking
switch series supports a fixed number of slices and each slice supports a fixed
number of matching criteria (values and masks). Slices operate in parallel to
perform the configured matching operations. An ACL with a different offset
requires the use of a new hardware slice but multiple matching values can be
specified for a single slice (e.g., an IPv4 destination address with a 32-bit mask
is 192.168.21.1 or 192.168.12.3). Slices can also be joined together to match
widths larger than 32 bits or they can be concatenated to provide a larger
number of matching values with a single offset. In general, ACLs that match
on less than 32 bits will be expanded internally to match on 32 bits with a
variable mask. This allows other ACLs using the same offset to utilize the
same slice with potentially different masks and match values.
The user interface limits for ACLs are 1023 rules per access list and 100 access
lists. The switch automatically combines slices to operate in parallel over
greater field widths (e.g., IPv6 source address) or combines slices to supply
more match conditions (IPv4 destination address equal to multiple ranges of
addresses). In the case of a match condition specifying a 128-bit IPv6 address,
additional slices are assigned to operate in parallel on specific portions of the
address. This reduces the overall number of slices available to match on other
key fields. The switch attempts to assign slices to match conditions in an
optimal manner; however, combinations of match conditions can reduce the
maximum number of ACLs that can be configured to fewer than the
published limits. As an example, the smallest IPv6 QoS match will take 6
slices from the switch.
The N4000 switches support the following hardware limits:
• 2047 ingress rules and 1023 egress rules, for a total of 3072 rules.
• The hardware has 10 ingress slices and 4 egress slices, with 4 ingress slices
  having a depth of 128 rules, and 6 ingress slices having a depth of 256 rules.
  The egress slices have a depth of 256 rules.
The N3000 switches support the following hardware limits:
• 3072 ingress rules and 1024 egress rules, for a total of 4096 rules.
• The hardware has 14 ingress slices and 4 egress slices, with the 14 ingress
  slices having a depth of 256 rules. The egress slices have a depth of 256
  rules.
The N2000 switches support the following hardware limits:
• 1024 ingress rules and 512 egress rules, for a total of 1536 rules.
• The hardware has 14 ingress slices and 4 egress slices, with the 14 ingress
  slices having a depth of 256 rules. The egress slices have a depth of 256
  rules.
The software limits are shown in Table 20-1:
Table 20-1. ACL Software Limits
Limitation                                               N2000              N3000              N4000
Maximum Number of ACLs (any type)                        100                100                100
Maximum Number Configurable Rules per List               1023               1023               1023
Maximum ACL Rules per Interface and Direction (IPv4/L2)  1024 ing/512 egr   3072 ing/1024 egr  2047 ing/1023 egr
Maximum ACL Rules per Interface and Direction (IPv6)     512 ing/256 egr    1021 ing/512 egr   1021 ing/512 egr
Maximum ACL Rules (system-wide)                          2048               4096               3072
Maximum VLAN interfaces with ACLs applied                24                 24                 24
Maximum ACL Logging Rules (system-wide)                  128                128                128
Please note the following additional limitations on ingress and egress ACLs:
• You can configure mirror or redirect attributes for a given ACL rule, but
  not both.
• The Dell Networking series switches support a limited number of counter
  resources, so it may not be possible to log every ACL rule. You can define
  an ACL with any number of logging rules, but the number of rules that are
  actually logged cannot be determined until the ACL is applied to an
  interface. Furthermore, hardware counters that become available after an
  ACL is applied are not retroactively assigned to rules that were unable to
  be logged (the ACL must be disassociated from the interface and then
  re-associated). Rules that are unable to be logged are still active in the ACL
  for purposes of permitting or denying a matching packet. If console logging
  is enabled and the severity is set to a numerically lower severity than the
  console severity setting, a log entry may appear on the screen.
• The order of the rules is important: when a packet matches multiple rules,
  the first rule takes precedence. Once a packet has matched a rule, the
  corresponding action is taken and no further attempts to match the packet
  are made. Also, once you define an ACL for a given port, all traffic not
  specifically permitted by the ACL is denied access.
• Egress (out) ACLs only affect switched/routed traffic. They have no effect
  on packets generated locally by the switch, e.g., LACPDUs or spanning
  tree BPDUs.
• Ingress ACLs filter packets before they are processed by the switching
  fabric. Egress ACLs filter packets after they have been processed by the
  switching fabric.
• User-defined ingress ACLs are prioritized before system ACLs. User-defined
  ingress ACLs that match control plane packets such as BPDUs interfere
  with switch operation.
• Port ranges are not supported for egress ACLs for either IPv4 or IPv6 ACLs.
• The fragments and routing keywords are not supported for egress IPv6
  ACLs. The fragments keyword is not supported on IPv4 egress ACLs.
• On the N4000 switches, the IPv6 ACL routing keyword is not supported
  when any IPv6 address is specified. The routing keyword is not supported for
  IPv4 ACLs.
• On the N4000 switches, the IPv6 ACL fragment keyword matches only on
  the first two IPv6 extension headers for the fragment header (next header
  code 44). If the fragment header appears in the third or subsequent header,
  it is not matched.
• On the N2000 and N3000 switches, the IPv6 ACL fragment keyword
  matches only on the first IPv6 extension header (next header code 44). If
  the fragment header appears in the second or subsequent header, it is not
  matched.
• The IPv6 ACL routing keyword matches only on the first IPv6 extension
  header (next header code 43). If the fragment header appears in the
  second or subsequent header, it is not matched.
NOTE: The actual number of ACLs and rules supported depends on the
resources consumed by other processes and configured features running on the
switch.
ACL Configuration Details
How Are ACLs Configured?
To configure ACLs, follow these steps:
1. Create a MAC ACL by specifying a name.
2. Create an IP ACL by specifying a number.
3. Add new rules to the ACL.
4. Configure the match criteria for the rules.
5. Apply the ACL to one or more interfaces.
Editing Access Lists
When editing access lists, new entries are added to the end of the list. There
is an implicit deny all statement at the end of every access-group that is not
shown and is not editable. To insert a rule in the middle of an ACL, you must
delete the list, and then add the rules again, in order, with the newly included
entry. One way to manage this process is to show the running config, copy the
access list to an editor, edit the list offline, delete the access list on the switch,
and then paste the updated access list back into the switch console.
Preventing False ACL Matches
Be sure to specify ACL access-list, permit, and deny rule criteria as fully as
possible to avoid false matches. This is especially important in networks with
protocols that have different frame or EtherType values. For example, L3
ACL rules that specify a TCP or UDP port value should also specify the TCP
or UDP protocol. MAC ACL rules that specify an EtherType value for the
frame should also specify a source or destination MAC address wherever
possible.
NOTE: When configuring access lists, complete checks are made only when the
access list is applied to an active interface. It is recommended that you configure
and test an access list on an active (up) interface prior to deploying it on links in
the production network. If an ACL is configured on an interface that is not up,
error messages regarding ACL resource allocation may be logged when the
interface is brought up.
In general, any rule that specifies matching on an upper-layer protocol field
should also include matching constraints on as many of the lower-layer fields
as possible. For example, a rule to match packets directed to the well-known
UDP port number 22 (SSH) should also include matching constraints on the
IP protocol field (protocol=0x11 or UDP) and the source or destination IP
address. Table 20-2 lists commonly-used EtherType numbers, and Table 20-3
lists commonly-used IP protocol numbers.
Table 20-2. Common EtherType Numbers
EtherType Protocol
0x0800 Internet Protocol version 4 (IPv4)
0x0806 Address Resolution Protocol (ARP)
0x0842 Wake-on LAN Packet
0x8035 Reverse Address Resolution Protocol (RARP)
0x8100 VLAN tagged frame (IEEE 802.1Q)
0x86DD Internet Protocol version 6 (IPv6)
0x8808 MAC Control
0x8809 Slow Protocols (IEEE 802.3)
0x8870 Jumbo frames
0x888E EAP over LAN (EAPOL – 802.1x)
0x88CC Link Layer Discovery Protocol
0x8906 Fibre Channel over Ethernet
0x9100 Q in Q
Table 20-3. Common IP Protocol Numbers
IP Protocol Number   Protocol
0x00                 IPv6 Hop-by-hop option
0x01                 ICMP
0x02                 IGMP
0x06                 TCP
0x08                 EGP
0x09                 IGP
0x11                 UDP
Using IP and MAC Address Masks
Masks are used with IP and MAC addresses to specify what should be
considered in the address for a match. Masks are expanded internally into a
bit mask and are applied bit-wise in the hardware even though they are
entered in decimal or hexadecimal format. Masks need not have contiguous 0
or 1 bits. A 0 bit value in the mask indicates that the address field in the
packet being compared must match the address bit exactly. A 1 value in the
mask indicates a wildcard or don't care value, i.e. the address bits are not
compared and match any possible value. For example, an IP address of 3.3.3.3
with a mask of 0.0.0.0 indicates that the ACL matches on all four bytes of the
IP address. Likewise, a MAC address of 68:94:23:AD:F3:18 with a mask of
00:00:00:00:00:ff indicates that the first five bytes must match (e.g.,
68:94:23:AD:F3) and the last byte may take on any value from 0x00 to 0xff
(0–255) and still be considered a match.
The following ACL equivalents are noted:
Address        Mask                 Equivalent Address
0.0.0.0        255.255.255.255      any
x.x.x.x        0.0.0.0              host x.x.x.x
0:0:0:0:0:0    ff:ff:ff:ff:ff:ff    any
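A worked example of the mask semantics just described, of the first-match evaluation with the implicit deny covered in the ACL Overview, and of the advice in Preventing False ACL Matches to name the protocol alongside an L4 port. This is an added Python illustration, not switch firmware or Dell code; the rule dictionary layout, the sample ACL and the sample packets are constructed for the example.

```python
"""ACL matching with IP wildcard masks and MAC masks, plus first-match rule
evaluation ending in the implicit deny.  Added illustration, not Dell switch
code; rule field names, sample rules and sample packets are constructed."""
import ipaddress

IPV4_ALL = 0xFFFFFFFF
MAC_ALL = 0xFFFFFFFFFFFF


def ip_matches(addr, rule_addr, wildcard):
    """Wildcard mask: a 0 bit means the packet bit must equal the rule bit, a
    1 bit is don't-care.  0.0.0.0 therefore means 'host', 255.255.255.255 'any'.
    Masks need not be contiguous; the comparison is purely bit-wise."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & IPV4_ALL
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(rule_addr)) & care)


def _mac_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_matches(mac, rule_mac, wildcard):
    """Same convention for 48-bit MAC addresses: ff bytes are don't-care."""
    care = ~_mac_int(wildcard) & MAC_ALL
    return (_mac_int(mac) & care) == (_mac_int(rule_mac) & care)


def rule_matches(rule, pkt):
    """Every criterion present in the rule must match; absent criteria mean 'any'.
    Address criteria are (address, wildcard) pairs, as entered on the CLI."""
    if "src" in rule and not ip_matches(pkt["src"], *rule["src"]):
        return False
    if "dst" in rule and not ip_matches(pkt["dst"], *rule["dst"]):
        return False
    if "src_mac" in rule and not mac_matches(pkt["src_mac"], *rule["src_mac"]):
        return False
    if "proto" in rule and pkt.get("proto") != rule["proto"]:
        return False
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    return True


def evaluate(acl, pkt):
    """Rules are checked in list order; the first match decides and later rules
    are skipped.  A packet matching no rule hits the implicit deny (index None)."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule["action"], index
    return "deny", None


# Constructed sample ACL (IP protocol numbers from Table 20-3: 0x06 TCP, 0x11 UDP)
SAMPLE_ACL = [
    # permit SSH from the 192.168.21.0/24 management subnet; the protocol is
    # given with the port so that a UDP datagram to port 22 cannot match here
    {"action": "permit", "proto": 0x06, "dport": 22,
     "src": ("192.168.21.0", "0.0.0.255")},
    # deny everything else from one specific host (mask 0.0.0.0 == 'host')
    {"action": "deny", "src": ("192.168.21.77", "0.0.0.0")},
    # permit any source (0.0.0.0 with mask 255.255.255.255 == 'any') to a server
    {"action": "permit", "src": ("0.0.0.0", "255.255.255.255"),
     "dst": ("10.0.0.5", "0.0.0.0")},
]


if __name__ == "__main__":
    ssh = {"src": "192.168.21.10", "dst": "10.0.0.5", "proto": 0x06, "dport": 22}
    print(evaluate(SAMPLE_ACL, ssh))                      # ('permit', 0)
    print(evaluate(SAMPLE_ACL, {"src": "172.16.0.9", "dst": "10.0.0.6"}))  # ('deny', None)
```

Note that the third rule is reached only by packets the first two did not decide, so the host 192.168.21.77 can still reach 10.0.0.5 over SSH (rule 0 matches first) but nothing else; reordering rules 0 and 1 would silently change that.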
Policy Based Routing
Overview
In contemporary inter-networks, network administrators often need to
implement packet routing according to specific organizational policies. Policy
Based Routing (PBR) exactly fits this purpose. PBR provides a flexible
mechanism to implement solutions where organizational constraints dictate
that traffic be routed through specific network paths. PBR does not affect
route redistribution that occurs via routing protocols.
PBR is a true routing solution. The packet TTL is decremented in PBR-
routed packets. The destination MAC is rewritten in PBR routed packets.
ARP lookups are sent when required for unresolved next hop addresses. PBR
routed packets are routed via routing table lookups. Routes must exist in the
routing table for PBR next-hop and default next-hop rules.
Configuring PBR consists of installing a route-map with match and set
commands, and then applying the corresponding route-map to the interface.
IP routing must be enabled on the interfaces and globally.
PBR is applied to inbound traffic on IP routing interfaces. Enabling the
feature causes the router to analyze packets entering the interface using a
route-map. A VLAN can only have one associated route-map, but the
administrator can configure multiple route-map entries in the route-map
with different sequence numbers. Packets entering the interface are filtered
by a user-selected ACL. Packets that are allowed by the ACL are evaluated in
order of increasing sequence number until a viable routing destination is
found. Other actions may also be specified. If no action is executed, packets
are routed via normal routing table lookup.
ACLs present in a route-map’s match clauses inherit the ordering of the
containing route-map sequence number. Therefore, it is recommended that
ACLs used in route-map match clauses be independent of ACLs used in
access-groups in order to preserve access-group ordering.
A route-map rule may be configured as a permit or deny rule. If the rule is
marked as deny, traditional destination-based routing is performed on the
packet meeting the ACL match criteria. If the rule is marked as permit, and if
the packet meets the ACL match criteria, then the action specified by the set
commands in the route-map statement are evaluated. If no active route is
found in the route-map, the packet is forwarded using traditional
destination-based routing. If the network administrator instead wants to drop a packet
that does not match the specified criteria, a set statement must be configured
to route the packet to interface null0 as the last entry in the route-map.
Deny route-maps forward packets with matching ACL criteria using normal
route table lookups. If an associated ACL rule is marked as deny, traditional
destination-based routing is performed on the packet meeting the match
criteria. A set clause is required in a deny route map for it to be processed.
Route-maps may specify multiple packet attributes in match statements.
These attributes can be matched through a “match” clause based on the
length of the packet or a “match” clause linked with an ACL.
The following packet attributes are supported to classify L3 routed traffic for
PBR:
• MAC access list (match mac-list)
  – Source MAC address
  – 802.1p priority
• IP access list (match ip address)
  – Source or destination IP address
  – Source or destination TCP/UDP port
• L3 packet length in the IP header (match length)
The Policy Based Routing feature overrides the normal routing decisions
taken by the router and attempts to route the packet using the criteria in the
set clause:
• List of next hop IP addresses — The set ip next-hop command checks for
  the next-hop address in the routing table, and if the next-hop address is
  present and active in the routing table, then the policy routes the ACL
  matching packets to the next hop. If the next hop is not present in the
  routing table, the command uses the normal routing table to route the
  packet. Non-matching packets are routed using the normal routing table.
  The IP address must specify an adjacent next-hop router in the path
  toward the destination to which the packets should be routed. The first
  available IP address associated with a currently active routing entry is used
  to route the packets. This type of rule takes priority over explicit routing
  entries in the routing table, but not default routing entries.
• List of default next hop IP addresses — The set ip default next-hop
  command checks the list of destination IP addresses in the routing table
  and, if there is no explicit route for the packet's destination address in the
  routing table, the next-hop destinations in the rule are evaluated, and
  packets are routed to the first available next hop. Packets that do not
  match are routed using the routing table default. A default route in the
  routing table is not considered an explicit route for an unknown
  destination address. This type of rule takes priority over default entries in
  the routing table but is processed after explicit routing table entries.
• IP precedence — Packets matching the criteria have their IP precedence
  rewritten. The IP precedence value is the four ToS bits in the IP packet
  header.
Limitations
Set Clause Required
Route-map deny/permit statements without “set” clauses are ignored.
No Implicit “deny all” Rule
When an access-group is applied to an interface, an implicit rule of “deny all”
is applied after the last access-group on the interface. When match rules in an
ACL associated with a permit route-map are successful, the packets are
considered as candidates to be routed according to the set clauses specified in
the route-map. If none of the permit rules match, then the packet is routed
by the standard L3 routing process. The implicit “deny all” rule is not
applicable to ACLs associated with “permit” route-maps.
Black Holes Possible
If the next hop specified by a policy based rule is not reachable, packets
matching the rule are routed using the routing table. If the routing table does
not supply a route to the destination, then the packets are lost. If a set
interface Null0 clause is present in the policy map, the packets are dropped.
The set interface null0 command can also be used to drop undesirable or
unwanted traffic, i.e., to create a black hole route.
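The decision order described in the set-clause list and in the limitations above (next hop used only when present and active, default next hop only when no explicit route exists, null0 as an explicit black hole, statements without a set clause ignored, no implicit deny) worked through as an added Python simulation. This is not code from the guide or from the switch software; the routes, packets and next-hop addresses are constructed, and the acl() helper is a hypothetical stand-in for a match ip address ACL.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List

@dataclass
class Route:
    prefix: str                     # "0.0.0.0/0" is the default route
    next_hop: str
    active: bool = True

@dataclass
class Entry:
    """One route-map statement: permit/deny, its ACL match and its set clauses."""
    seq: int
    action: str                                                 # "permit" or "deny"
    acl: Callable[[dict], bool]                                 # stands in for: match ip address <acl>
    next_hops: List[str] = field(default_factory=list)          # set ip next-hop ...
    default_next_hops: List[str] = field(default_factory=list)  # set ip default next-hop ...
    null0: bool = False                                         # set interface null0

    def has_set_clause(self) -> bool:
        return bool(self.next_hops or self.default_next_hops or self.null0)

def acl(src=None, dst=None) -> Callable[[dict], bool]:
    """Hypothetical ACL: permits when the packet's source/destination fall in the prefixes."""
    s = ipaddress.ip_network(src) if src else None
    d = ipaddress.ip_network(dst) if dst else None
    return lambda pkt: ((s is None or ipaddress.ip_address(pkt["src"]) in s) and
                        (d is None or ipaddress.ip_address(pkt["dst"]) in d))

class Router:
    def __init__(self, routes: List[Route]):
        self.routes = routes

    def _covering(self, addr, allow_default):
        """Longest-prefix match over active routes; the default route only if allowed."""
        ip, best, best_len = ipaddress.ip_address(addr), None, -1
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if not r.active or ip not in net or (net.prefixlen == 0 and not allow_default):
                continue
            if net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best

    def table_lookup(self, dst):
        """Traditional destination-based routing; with no route at all the packet is lost."""
        r = self._covering(dst, allow_default=True)
        return ("route", r.next_hop) if r else ("drop", None)

    def usable_next_hop(self, nh):
        # The guide requires the next hop to be present and active in the routing table;
        # modelled here as "an active explicit (non-default) route covers the address".
        return self._covering(nh, allow_default=False) is not None

    def policy_route(self, pkt, route_map):
        """Entries are evaluated in increasing sequence number; the first viable action wins."""
        for e in sorted(route_map, key=lambda x: x.seq):
            if not e.has_set_clause() or not e.acl(pkt):
                continue            # no set clause: statement ignored; no match: no implicit deny
            if e.action == "deny":
                return self.table_lookup(pkt["dst"])    # deny: traditional routing
            if e.null0:
                return ("drop", "null0")                # explicit black hole
            for nh in e.next_hops:                      # first available next hop is used
                if self.usable_next_hop(nh):
                    return ("policy", nh)
            if e.default_next_hops and self._covering(pkt["dst"], allow_default=False) is None:
                for nh in e.default_next_hops:          # only when no explicit route exists
                    if self.usable_next_hop(nh):
                        return ("policy-default", nh)
            return self.table_lookup(pkt["dst"])        # matched, but no reachable next hop
        return self.table_lookup(pkt["dst"])            # nothing matched: normal routing

# Constructed routing table and route-map (addresses are illustrative).
ROUTES = [
    Route("10.0.0.0/24", "192.168.1.1"),
    Route("172.16.9.0/24", "192.168.1.9"),
    Route("192.168.2.0/24", "connected"),
    Route("192.168.3.0/24", "connected", active=False),     # link down
    Route("0.0.0.0/0", "192.168.1.254"),                    # default route
]
ROUTE_MAP = [
    Entry(5, "permit", acl()),                                              # no set clause: ignored
    Entry(10, "permit", acl(src="10.1.1.0/24"), next_hops=["192.168.3.1", "192.168.2.1"]),
    Entry(20, "permit", acl(dst="172.16.0.0/16"), default_next_hops=["192.168.2.1"]),
    Entry(30, "deny", acl(src="10.2.2.0/24"), null0=True),   # deny still needs a set clause
    Entry(40, "permit", acl(src="10.9.9.0/24"), null0=True), # black-hole this source block
]

def decide(src, dst, routes=ROUTES, route_map=ROUTE_MAP):
    return Router(routes).policy_route({"src": src, "dst": dst}, route_map)

if __name__ == "__main__":
    for s, d in [("10.1.1.7", "8.8.8.8"), ("10.5.5.5", "172.16.5.5"), ("10.5.5.5", "172.16.9.1"),
                 ("10.2.2.4", "10.0.0.9"), ("10.9.9.9", "10.0.0.9"), ("10.8.8.8", "1.2.3.4")]:
        print(s, "->", d, decide(s, d))
```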
Resource-Sharing Between ACLs and PBR
ACLs associated with a route-map and general ACLs share the same hardware
resources. If PBR consumes the maximum number of HW resources on an
interface or system-wide, general purpose ACLs cannot be configured and
vice versa. Hardware allocation is performed on a first-come, first-serve basis.
Counter Support for Route-map ACL
A counter is associated with each ACL rule associated with a route-map. The
counter indicates how many packets were policy routed. There is no provision
to nondestructively clear these counters from the UI. Counters associated
with a route-map statement are cleared when the route-map is removed from
the VLAN. The hardware does not support both a counter and a rate-limit.
Therefore, the system does not support configuring ACLs with a rate-limit
being used for PBR.
Priority of ACL/PBR Rules When Applied to Hardware
Each ACL normally is associated with a sequence number that indicates the
order in which an ACL needs to be applied when multiple ACLs are applied
on a single VLAN. The sequence number or priority indicates the order in
which ACLs (and corresponding rules associated with ACLs) are applied.
When an ACL is used in a route-map's “match” clause, it is applied to
hardware with the same priority as if it were an independent ACL, but with
the exception of the implicit “deny all” rule. A route-map may have multiple
statements with different sequence numbers associated with each ACL entry.
In this case, the ACL inherits the sequence number of the route-map entry.
Therefore, it is advisable to segregate ACLs used in route-maps from ACLs
applied directly to interfaces.
ACL Resource Usage
When a route-map defines a “match” rule associated with an ACL, except for
the implicit routing behavior mentioned above, the resource consumption is
the same as if a normal ACL is applied on an interface. Rules consumed by an
ACL corresponding to a route-map “match” clause share hardware resources
with the ACL component. Certain resources cannot be shared. For example,
the rate-limit clause cannot be utilized in a PBR ACL, as the hardware cannot
support both a counter (allocated by every PBR route-map) and a rate limit.
Resources are not consumed until the route-map is associated with an
interface. Changes to an existing route-map associated with an interface (or
to the associated ACLs) do not take effect until the route-map is reapplied to
the interface.
ACL Resource Sharing
An ACL rule contains match and action attributes. For example, an ACL rule
may have a match clause on the source IP address and action attributes
independent of PBR, such as queue assignment, as shown below:
ip access-list example-1
permit ip 1.1.1.1 0.0.0.255 any assign-queue 2
permit every
exit
Actions specified in the “set” clauses of a route-map utilize the hardware
entries of the corresponding ACL. This sharing does not consume additional
hardware resources, as DNOS supports multiple actions in an ACL rule.
However, if conflicting actions are specified, an error is thrown.
Locally Generated Packets
Policy Based Routing does not affect locally generated packets, i.e. packets
generated by protocols running on the switch.
Route-Map Changes Require Reapply
Once a route-map has been applied to an interface (e.g., using the ip policy
route-map command), changes to the ACL or route-map do not take effect
on the interface until one of the following activities is completed:
• The route-map is removed from the interface and reapplied.
• The router is reloaded.
Examples
See "Policy Based Routing Examples" on page 640.
Configuring ACLs (Web)
This section provides information about the OpenManage Switch
Administrator pages for configuring and monitoring ACLs on Dell
Networking N2000, N3000, and N4000 series switches. For details about the
fields on a page, click at the top of the page.
IP ACL Configuration
Use the IP ACL Configuration page to add or remove IP-based ACLs.
To display the IP ACL Configuration page, click Switching → Network
Security → Access Control Lists → IP Access Control Lists → Configuration
in the navigation panel.
Figure 20-1. IP ACL Configuration
Adding an IPv4 ACL
To add an IPv4 ACL:
1. Open the IP ACL Configuration page.
2. Click Add to display the Add IP ACL page.
3. Specify an ACL name.
Figure 20-2. Add IP ACL
4. Click Apply.
Removing IPv4 ACLs
To delete an IPv4 ACL:
1. From the IP ACL Name menu on the IP ACL Configuration page, select
   the ACL to remove.
2. Select the Remove checkbox.
3. Click Apply.
Viewing IPv4 ACLs
To view configured ACLs, click Show All from the IP ACL Configuration
page.
Figure 20-3. View IPv4 ACLs
IP ACL Rule Configuration
Use the IP ACL Rule Configuration page to define rules for IP-based ACLs.
The access list definition includes rules that specify whether traffic matching
the criteria is forwarded normally or discarded. Additionally, you can specify
to assign traffic to a particular queue, filter on some traffic, change VLAN tag,
shut down a port, and/or redirect the traffic to a particular port.
To display the IP ACL Rule Configuration page, click Switching → Network
Security → Access Control Lists → IP Access Control Lists → Rule
Configuration in the navigation panel.
NOTE: There is an implicit deny all rule at the end of an ACL list. This means that
if an ACL is applied to a packet and if none of the explicit rules match, then the
final implicit "deny all" rule applies and the packet is dropped.
Figure 20-4. IP ACL - Rule Configuration
Removing an IP ACL Rule
To delete an IP ACL rule:
1. From the Rule ID menu, select the ID of the rule to delete.
2. Select the Remove option near the bottom of the page.
3. Click Apply to remove the selected rule.
MAC ACL Configuration
Use the MAC ACL Configuration page to define a MAC-based ACL.
To display the MAC ACL Configuration page, click Switching → Network
Security → Access Control Lists → MAC Access Control Lists → Configuration
in the navigation panel.
Figure 20-5. MAC ACL Configuration
Adding a MAC ACL
To add a MAC ACL:
1. Open the MAC ACL Configuration page.
2. Click Add to display the Add MAC ACL page.
3. Specify an ACL name.
Figure 20-6. Add MAC ACL
4. Click Apply.
Renaming or Removing MAC ACLs
To rename or delete a MAC ACL:
1. From the MAC ACL Name menu on the MAC ACL Configuration page, select
   the ACL to rename or remove.
2. To rename the ACL, select the Rename checkbox and enter a new name in
   the associated field.
3. To remove the ACL, select the Remove checkbox.
4. Click Apply.
Viewing MAC ACLs
To view configured ACLs, click Show All from the MAC ACL Configuration
page.
MAC ACL Rule Configuration
Use the MAC ACL Rule Configuration page to define rules for MAC-based
ACLs. The access list definition includes rules that specify whether traffic
matching the criteria is forwarded normally or discarded. A default deny all
rule is the last rule of every list.
To display the MAC ACL Rule Configuration page, click Switching → Network
Security → Access Control Lists → MAC Access Control Lists → Rule
Configuration in the navigation panel.
Figure 20-7. MAC ACL Rule Configuration
Removing a MAC ACL Rule
To delete a MAC ACL rule:
1. From the Rule ID menu, select the ID of the rule to delete.
2. Select the Remove option near the bottom of the page.
3. Click Apply to remove the selected rule.
IPv6 ACL Configuration
Use the IPv6 ACL Configuration page to add or remove IPv6-based ACLs. To
display the IPv6 ACL Configuration page, click Switching → Network
Security → Access Control Lists → IPv6 Access Control Lists → IPv6 ACL
Configuration in the navigation panel.
Figure 20-8. IPv6 ACL Configuration
Adding an IPv6 ACL
To add an IPv6 ACL:
1. Open the IPv6 ACL Configuration page.
2. Click Add to display the Add IPv6 ACL page.
3. Specify an ACL name.
Figure 20-9. Add IPv6 ACL
4. Click Apply.
Removing IPv6 ACLs
To delete an IPv6 ACL:
1. From the IPv6 ACL Name menu on the IPv6 ACL Configuration page,
   select the ACL to remove.
2. Select the Remove checkbox.
3. Click Apply.
Viewing IPv6 ACLs
To view configured ACLs, click Show All from the IPv6 ACL Configuration
page. The IPv6 ACL Table page displays.
IPv6 ACL Rule Configuration
Use the IPv6 ACL Rule Configuration page to define rules for IPv6-based
ACLs. The access list definition includes rules that specify whether traffic
matching the criteria is forwarded normally or discarded. Additionally, you
can specify to assign traffic to a particular queue, filter on some traffic,
change VLAN tag, shut down a port, and/or redirect the traffic to a particular
port. By default, no specific value is in effect for any of the IPv6 ACL rules.
There is an implicit deny all rule at the end of an ACL list. This means that if
an ACL is applied to a packet and if none of the explicit rules match, then the
final implicit deny all rule applies and the packet is dropped.
To display the IPv6 ACL Rule Configuration page, click Switching → Network
Security → Access Control Lists → IPv6 Access Control Lists → Rule
Configuration in the navigation menu.
Figure 20-10. IPv6 ACL - Rule Configuration
Removing an IPv6 ACL Rule
To delete an IPv6 ACL rule:
1. From the Rule ID menu, select the ID of the rule to delete.
2. Select the Remove option near the bottom of the page.
3. Click Apply to remove the selected rule.
ACL Binding Configuration
When an ACL is bound to an interface, all the rules that have been defined
are applied to the selected interface. Use the ACL Binding Configuration
page to assign ACL lists to ACL Priorities and Interfaces.
From the web interface, you can configure the ACL rule in the ingress or
egress direction so that the ACLs implement security rules for packets
entering or exiting the port. You can apply ACLs to any physical (including 10
Gb) interface, LAG, or routing port.
To display the ACL Binding Configuration page, click Switching → Network
Security → Access Control Lists → Binding Configuration in the navigation
panel.
Figure 20-11. ACL Binding Configuration
Time Range Entry Configuration
Use the Time Range Entry Configuration page to define time ranges to
associate with ACL rules.
To display the Time Range Entry Configuration page, click System → Time
Synchronization → Time Range Configuration in the navigation panel. The
following image shows the page after at least one time range has been added.
Otherwise, the page indicates that no time ranges are configured, and the
time range configuration fields are not displayed.
Figure 20-12. Time Range Configuration
NOTE: A time-range parameter in an ACL that is referred to by a route-map
statement is active only during the time range specified. When the ACL is not active
(outside the time range), the route-map simply treats the ACL as a “no match”.
Adding a Time Range
To configure a time range:
1. From the Time Range Entry Configuration page, click Add.
2. Specify a name to identify the time range.
Figure 20-13. Add a Time Range
3. Click Apply.
4. Click Configuration to return to the Time Range Entry Configuration
   page.
5. In the Time Range Name field, select the name of the time range to
   configure.
6. Specify an ID for the time range. You can configure up to 10 different time
   range entries to include in the named range. However, only one absolute
   time entry is allowed per time range.
7. Configure the values for the time range entry.
8. Click Apply.
9. To add additional entries to the named time range, repeat step 5 through
   step 8.
Configuring ACLs (CLI)
This section provides information about the commands you use to create and
configure ACLs. For more information about the commands, see the Dell
Networking N2000, N3000, and N4000 Series Switches CLI Reference Guide
at support.dell.com/manuals.
Configuring an IPv4 ACL
Beginning in Privileged EXEC mode, use the following commands to create
an IPv4 ACL, configure rules for the ACL, and bind the ACL to an interface.
NOTE: The ip access-group command can be issued in Global Configuration
mode or Interface configuration mode. If it is applied in Global Configuration
mode, the ACL binding is applied to all interfaces. If it is applied in Interface
Configuration mode, it is applied only to the specified interfaces within the mode.
Command Purpose
configure Enter global configuration mode.
access-list name Create an extended ACL and enter IPv4 access-list
configuration mode.
{deny | permit} {every | {{ipv4-protocol | 0-255 | every}
{srcip srcmask | any | host srcip}
[{range {portkey | startport} {portkey | endport} |
{eq | neq | lt | gt} {portkey | 0-65535}}]
{dstip dstmask | any | host dstip}
[{range {portkey | startport} {portkey | endport} |
{eq | neq | lt | gt} {portkey | 0-65535}}]
[flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh]
[+ack | -ack] [+urg | -urg] [established]]
[icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message]
[igmp-type igmp-type] [fragments]
[precedence precedence | tos tos [tosmask] | dscp dscp]}}
[time-range time-range-name] [log] [assign-queue queue-id]
[{mirror | redirect} unit/slot/port] [rate-limit rate burst-size]
Enter the permit and deny conditions for the extended ACL.
• {deny | permit} — Specifies whether the IP ACL rule permits or denies the
  matching traffic.
• {ipv4-protocol | number | every} — Specifies the protocol to match for the
  IP ACL rule.
  – IPv4 protocols: eigrp, gre, icmp, igmp, ip, ipinip, ospf, tcp, udp, pim
  – every: Match any protocol (don’t care)
• srcip srcmask | any | host srcip — Specifies a source IP address and
  netmask to match for the IP ACL rule. Specifying “any” implies specifying
  srcip as “0.0.0.0” and srcmask as “255.255.255.255” for IPv4. Specifying
  “host A.B.C.D” implies srcip as “A.B.C.D” and srcmask as “0.0.0.0”.
• [{{eq | neq | lt | gt} {portkey | number} | range startport endport}] —
  Specifies the layer 4 destination port match condition for the IP ACL rule.
  A destination port number, which ranges from 0-65535, can be entered, or a
  portkey, which can be one of the following keywords: domain, echo, ftp,
  ftp-data, http, smtp, snmp, telnet, tftp, and www. Each of these keywords
  translates into its equivalent destination port number.
  – When “range” is specified, the IP ACL rule matches only if the layer 4
    port number falls within the specified port range. The startport and
    endport parameters identify the first and last ports that are part of the
    port range. They have values from 0 to 65535. The ending port must have
    a value equal to or greater than the starting port. The starting port,
    ending port, and all ports in between will be part of the layer 4 port
    range.
  – When “eq” is specified, the IP ACL rule matches only if the layer 4 port
    number is equal to the specified port number or portkey.
  – When “lt” is specified, the IP ACL rule matches if the layer 4 destination
    port number is less than the specified port number or portkey. It is
    equivalent to specifying the range as 0 to <specified port number – 1>.
  – When “gt” is specified, the IP ACL rule matches if the layer 4 destination
    port number is greater than the specified port number or portkey. It is
    equivalent to specifying the range as <specified port number + 1> to
    65535.
  – When “neq” is specified, the IP ACL rule matches only if the layer 4
    destination port number is not equal to the specified port number or
    portkey.
  – IPv4 TCP port names: bgp, domain, echo, ftp, ftp-data, http, smtp,
    telnet, www, pop2, pop3
  – IPv4 UDP port names: domain, echo, ntp, rip, snmp, tftp, time, who
• dstip dstmask | any | host dstip — Specifies a destination IP address and
  netmask for the match condition of the IP ACL rule. Specifying “any”
  implies specifying dstip as “0.0.0.0” and dstmask as “255.255.255.255”.
  Specifying “host A.B.C.D” implies dstip as “A.B.C.D” and dstmask as
  “0.0.0.0”.
• [precedence precedence | tos tos [tosmask] | dscp dscp] — Specifies the
  TOS for an IP/TCP/UDP ACL rule depending on a match of precedence or DSCP
  values using the parameters dscp, precedence, or tos tosmask.
• flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack]
  [+urg | -urg] [established] — Specifies that the IP/TCP/UDP ACL rule
  matches on the TCP flags.
  – Ack – Acknowledgement bit
  – Fin – Finished bit
  – Psh – Push bit
  – Rst – Reset bit
  – Syn – Synchronize bit
  – Urg – Urgent bit
  – When “+<tcpflagname>” is specified, a match occurs if the specified
    <tcpflagname> flag is set in the TCP header.
  – When “-<tcpflagname>” is specified, a match occurs if the specified
    <tcpflagname> flag is *NOT* set in the TCP header.
  – When “established” is specified, a match occurs if either the RST or ACK
    bit is set in the TCP header.
  This option is visible only if the protocol is “tcp”.
• [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] —
  Specifies a match condition for ICMP packets.
  – When icmp-type is specified, the IP ACL rule matches on the specified
    ICMP message type, a number from 0 to 255.
  – When icmp-code is specified, the IP ACL rule matches on the specified
    ICMP message code, a number from 0 to 255.
  – Specifying icmp-message implies both icmp-type and icmp-code are
    specified. The ICMP message is decoded into the corresponding ICMP type
    and ICMP code within that ICMP type. This option is visible only if the
    protocol is “icmp”.
  – IPv4 ICMP message types: echo, echo-reply, host-redirect,
    mobile-redirect, net-redirect, net-unreachable, redirect, packet-too-big,
    port-unreachable, source-quench, router-solicitation,
    router-advertisement, time-exceeded, ttl-exceeded, unreachable
• igmp-type igmp-type — When igmp-type is specified, the IP ACL rule matches
  on the specified IGMP message type (i.e., a number from 0 to 255).
• fragments — Specifies that the rule matches packets that are non-initial
  fragments (fragment bit asserted). Not valid for rules that match L4
  information such as TCP port number since that information is carried in
  the initial packet. This keyword is visible only if the protocol is IP, TCP,
  or UDP.
• log — Specifies that this rule is to be logged.
• time-range time-range-name — Allows imposing a time limitation on the ACL
  rule as defined by the parameter time-range-name. If a time range with the
  specified name does not exist and the ACL containing this ACL rule is
  applied to an interface or bound to a VLAN, then the ACL rule is applied
  immediately. If a time range with the specified name exists and the ACL
  containing this ACL rule is applied to an interface or bound to a VLAN,
  then the ACL rule is applied when the time-range with the specified name
  becomes active. The ACL rule is removed when the time-range with the
  specified name becomes inactive.
• assign-queue queue-id — Specifies the assign-queue, which is the queue
  identifier to which packets matching this rule are assigned.
• {mirror | redirect} unit/slot/port — Specifies the mirror or redirect
  interface, which is the unit/slot/port to which packets matching this rule
  are copied or forwarded, respectively.
• rate-limit rate burst-size — Specifies the allowed rate of traffic as per
  the configured rate in kbps, and burst-size in kbytes.
  – Rate – the committed rate in kilobits per second
  – Burst-size – the committed burst size in kilobytes
interface interface    (Optional) Enter interface configuration mode for the
  specified interface. The interface variable includes the interface type and
  number, for example tengigabitethernet 1/0/3.
  You can also specify a range of interfaces with the interface range
  command, for example, interface range tengigabitethernet 1/0/8-12
  configures interfaces 8, 9, 10, 11, and 12.
ip access-group name direction seqnum    Bind the specified ACL to an
  interface.
  NOTE: To apply this ACL to all interfaces, issue the command in Global
  Configuration mode.
  • name — Access list name. (Range: Valid IP access-list name up to 31
    characters in length)
  • direction — Direction of the ACL. (Range: In or out. Default is in.)
  • seqnum — Precedence for this interface and direction. A lower sequence
    number has higher precedence. Range: 1 – 4294967295. Default is 1.
CTRL + Z    Exit to Privileged EXEC mode.
show ip access-lists [name]    Display all IPv4 access lists and all of the
  rules that are defined for the IPv4 ACL. Use the optional name parameter
  to identify a specific IPv4 ACL to display.
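An added Python evaluator (not code from this guide or from the switch software) for the rule semantics in the IPv4 table above and the mask convention explained at the start of this section: wildcard-style masks for IP and MAC addresses (0.0.0.0 means exact host, 255.255.255.255 means any), the eq/neq/lt/gt/range port operators, established, and the implicit deny all at the end of a list. The rule set and packets are constructed; the port numbers behind the portkey keywords are assumed from their well-known IANA assignments.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# portkey keywords from the guide mapped to their well-known port numbers (assumed, IANA)
PORTKEYS = {"domain": 53, "echo": 7, "ftp": 21, "ftp-data": 20, "http": 80,
            "smtp": 25, "snmp": 161, "telnet": 23, "tftp": 69, "www": 80}

def _octets(addr, sep):
    """Parse "1.2.3.4" (decimal) or "68:94:23:AD:F3:18" (hex) into a list of ints."""
    return [int(p, 16 if sep == ":" else 10) for p in addr.split(sep)]

def masked_match(addr, mask, candidate, sep="."):
    """Mask bits set to 1 are 'don't care'; 0 bits must match exactly, which is the
    convention the guide describes for both IP and MAC masks."""
    a, m, c = (_octets(x, sep) for x in (addr, mask, candidate))
    return all((x & ~mm & 0xFF) == (y & ~mm & 0xFF) for x, mm, y in zip(a, m, c))

def port_match(op, arg, port):
    """op is eq, neq, lt, gt or range; arg is a portkey, a number or a (start, end) pair."""
    if op == "range":
        lo, hi = (PORTKEYS.get(v, v) for v in arg)
        return lo <= port <= hi                 # both ends are part of the range
    n = PORTKEYS.get(arg, arg)
    return {"eq": port == n, "neq": port != n,
            "lt": 0 <= port <= n - 1,           # lt n == range 0 .. n-1
            "gt": n + 1 <= port <= 65535}[op]   # gt n == range n+1 .. 65535

ANY = ("0.0.0.0", "255.255.255.255")            # "any" == address 0.0.0.0, mask all ones

def host(addr):                                 # "host A.B.C.D" == A.B.C.D, mask 0.0.0.0
    return (addr, "0.0.0.0")

@dataclass
class Rule:
    action: str                                 # "permit" or "deny"
    proto: str = "every"                        # ip protocol name or "every"
    src: Tuple[str, str] = ANY
    dst: Tuple[str, str] = ANY
    dport: Optional[tuple] = None               # e.g. ("eq", "http") or ("range", (1, 1023))
    established: bool = False                   # tcp only: match if RST or ACK is set

    def matches(self, pkt) -> bool:
        if self.proto not in ("every", pkt["proto"]):
            return False
        if not masked_match(*self.src, pkt["src"]) or not masked_match(*self.dst, pkt["dst"]):
            return False
        if self.dport and not port_match(self.dport[0], self.dport[1], pkt.get("dport", -1)):
            return False
        if self.established and not (pkt.get("flags", set()) & {"rst", "ack"}):
            return False
        return True

def evaluate(acl, pkt):
    """First matching rule decides; with no match the implicit deny all applies."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None                         # implicit "deny all" at the end of the list

# Constructed ACL: permit established TCP from 10.1.1.0/24, permit DNS to one
# server, deny other low TCP ports; anything else falls to the implicit deny.
ACL = [
    Rule("permit", "tcp", src=("10.1.1.0", "0.0.0.255"), established=True),
    Rule("permit", "udp", dst=host("10.1.1.53"), dport=("eq", "domain")),
    Rule("deny", "tcp", dport=("range", (1, 1023))),
]

if __name__ == "__main__":
    pkt = {"proto": "tcp", "src": "10.1.1.5", "dst": "203.0.113.9", "dport": 443, "flags": {"ack"}}
    print(evaluate(ACL, pkt))                   # ('permit', 0)
```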
Configuring a MAC ACL
Beginning in Privileged EXEC mode, use the following commands to create
an MAC ACL, configure rules for the ACL, and bind the ACL to an interface.
Command Purpose
configure Enter global configuration mode.
mac access-list extended name    Create a named MAC ACL. This command also
  enters MAC Access List Configuration mode. If a MAC ACL with this name
  already exists, this command enters the mode to update the existing ACL.
{deny | permit} {srcmac srcmacmask | any} {dstmac dstmacmask | any | bpdu}
[{ethertypekey | 0x0600-0xFFFF}] [vlan eq 0-4093] [cos 0-7]
[secondary-vlan eq 0-4093] [secondary-cos 0-7] [log]
[time-range time-range-name] [assign-queue queue-id]
[{mirror | redirect} interface]
Specify the rules (match conditions) for the MAC access list.
• srcmac — Valid source MAC address in format xxxx.xxxx.xxxx.
• srcmacmask — Valid MAC address bitmask for the source MAC address in
  format xxxx.xxxx.xxxx.
• any — Packets sent to or received from any MAC address.
• dstmac — Valid destination MAC address in format xxxx.xxxx.xxxx.
• dstmacmask — Valid MAC address bitmask for the destination MAC address in
  format xxxx.xxxx.xxxx.
• bpdu — Bridge protocol data unit.
• ethertypekey — Either a keyword or valid four-digit hexadecimal number.
  (Range: Supported values are appletalk, arp, ibmsna, ipv4, ipv6, ipx,
  mplsmcast, mplsucast, Netbios, novell, pppoe, rarp.)
• 0x0600-0xFFFF — Specify a custom EtherType value (hexadecimal range
  0x0600-0xFFFF).
• vlan eq — VLAN number. (Range 0-4093)
• cos — Class of service. (Range 0-7)
• log — Specifies that this rule is to be logged.
• time-range-name — Specifies the named time range to associate with the
  ACL rule.
  – When “gt” is specified, the IPv6 ACL rule matches if the layer 4
    destination port number is greater than the specified port number or
    portkey. It is equivalent to specifying the range as <specified port
    number + 1> to 65535.
  – When “neq” is specified, the IPv6 ACL rule matches only if the layer 4
    destination port number is not equal to the specified port number or
    portkey.
  – IPv6 TCP port names: bgp, domain, echo, ftp, ftp-data, http, smtp,
    telnet, www, pop2, pop3
  – IPv6 UDP port names: domain, echo, ntp, rip, snmp, time, who
• destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address
  — Specifies a destination IP address and netmask for the match condition
  of the IP ACL rule. For IPv6 ACLs, “any” implies 0::/128 prefix and a mask
  of all ones. Specifying host implies prefix length as “/128” and a mask of
  0::/128.
• [precedence precedence | tos tos [tosmask] | dscp dscp] — Specifies the
  TOS for an IP/TCP/UDP ACL rule depending on a match of precedence or DSCP
  values using the parameters dscp, precedence, or tos tosmask.
• flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack]
  [+urg | -urg] [established] — Specifies that the IP/TCP/UDP ACL rule
  matches on the TCP flags.
  – When “+<tcpflagname>” is specified, a match occurs if the specified
    <tcpflagname> flag is set in the TCP header.
  – When “-<tcpflagname>” is specified, a match occurs if the specified
    <tcpflagname> flag is *NOT* set in the TCP header.
  – When “established” is specified, a match occurs if either the RST or ACK
    bit is set in the TCP header.
  This option is visible only if the protocol is tcp.
  – Ack – Acknowledgement bit
  – Fin – Finished bit
  – Psh – Push bit
  – Rst – Reset bit
  – Syn – Synchronize bit
  – Urg – Urgent bit
• [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] —
  Specifies a match condition for ICMP packets.
  – When icmp-type is specified, the IP ACL rule matches on the specified
    ICMP message type, a number from 0 to 255.
  – When icmp-code is specified, the IP ACL rule matches on the specified
    ICMP message code, a number from 0 to 255.
  – Specifying icmp-message implies both icmp-type and icmp-code are
    specified. The ICMP message is decoded into the corresponding ICMP type
    and ICMP code within that ICMP type. This option is visible only if the
    protocol is “icmpv6”.
  – ICMPv6 message types: destination-unreachable, echo-reply, echo-request,
    header, hop-limit, mld-query, mld-reduction, mld-report, nd-na, nd-ns,
    next-header, no-admin, no-route, packet-too-big, port-unreachable,
    router-solicitation, router-advertisement, router-renumbering,
    time-exceeded, unreachable. The icmpv6 message types are available only
    if the protocol is icmpv6.
• fragments — Specifies that the rule matches packets that are non-initial
  fragments (fragment bit asserted). Not valid for rules that match L4
  information such as TCP port number since that information is carried in
  the initial packet. IPv6 fragments contain an IPv6 Fragment extension
  header.
• routing — Specifies that the IP ACL rule matches on routed packets. Routed
  packets contain an IPv6 “routing” extension header.
• log — Specifies that this rule is to be logged.
• time-range time-range-name — Allows imposing a time limitation on the ACL
  rule as defined by the parameter time-range-name. If a time range with the
  specified name does not exist and the ACL containing this ACL rule is
  applied to an interface or bound to a VLAN, then the ACL rule is applied
  immediately. If a time range with the specified name exists and the ACL
  containing this ACL rule is applied to an interface or bound to a VLAN,
  then the ACL rule is applied when the time-range with the specified name
  becomes active. The ACL rule is removed when the time-range with the
  specified name becomes inactive.
• assign-queue queue-id — Specifies the assign-queue, which is the queue
  identifier to which packets matching this rule are assigned.
• {mirror | redirect} unit/slot/port — Specifies the mirror or redirect
  interface, which is the unit/slot/port to which packets matching this rule
  are copied or forwarded, respectively.
• rate-limit rate burst-size — Specifies the allowed rate of traffic as per
  the configured rate in kbps, and burst-size in kbytes.
  – Rate – the committed rate in kilobits per second
  – Burst-size – the committed burst size in kilobytes
interface interface    (Optional) Enter interface configuration mode for the
  specified interface. The interface variable includes the interface type and
  number, for example tengigabitethernet 1/0/3.
  You can also specify a range of interfaces with the interface range
  command, for example, interface range tengigabitethernet 1/0/8-12
  configures interfaces 8, 9, 10, 11, and 12.
mac access-group name direction seqnum
Bind the specified MAC ACL to an interface.
NOTE: To apply this ACL to all interfaces, issue the command in Global Configuration mode.
•name — Access list name. (Range: Valid MAC access-list name up to 31 characters in length)
•direction — Direction of the ACL. (Range: In or out. Default is in.)
•seqnum — Precedence for this interface and direction. A lower sequence number has higher precedence. Range: 1 – 4294967295. Default is 1.
CTRL + Z Exit to Privileged EXEC mode.
show mac access-lists [name]
Display all MAC access lists and all of the rules that are defined for the MAC ACL. Use the optional name parameter to identify a specific MAC ACL to display.
Configuring an IPv6 ACL
Beginning in Privileged EXEC mode, use the following commands to create
an IPv6 ACL, configure rules for the ACL, and bind the ACL to an interface.
Command Purpose
configure Enter global configuration mode.
ipv6 traffic-filter name
Create an extended IPv6 ACL. This command also enters IPv6 Access List Configuration mode. If an IPv6 ACL with this name already exists, this command enters the mode to update the existing ACL.
{deny | permit} {ipv6-protocol | number | every} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}}] [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]] [flow-label value] [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] [routing] [fragments] [dscp dscp] [log] [assign-queue queue-id] [{mirror | redirect} unit/slot/port] [rate-limit rate burst-size]
•{deny | permit}—Specifies whether the IP ACL rule permits or denies the matching traffic.
•{ipv6-protocol | number | every}—Specifies the protocol to match for the IP ACL rule.
IPv6 protocols: icmpv6, ipv6, tcp and udp
every: Match any protocol (don’t care)
•source-ipv6-prefix/prefix-length | any | host src-ipv6-address—Specifies a source IP address and netmask to match for the IP ACL rule.
For IPv6 ACLs, “any” implies a 0::/128 prefix and a mask of all ones.
Specifying “host X::X” implies a prefix length of “/128” and a mask of 0::/128.
•[{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}}]—Specifies the layer 4 destination port match condition for the IP/TCP/UDP ACL rule. A destination port number, which ranges from 0-65535, can be entered, or a portkey, which can be one of the following keywords: bgp, domain, echo, ftp, ftp-data, http, ntp, pop2, pop3, rip, smtp, snmp, telnet, tftp, time, who and www. Each of these keywords translates into its equivalent destination port number.
When “range” is specified, the IPv6 ACL rule matches only if the layer 4 port number falls within the specified port range. The startport and endport parameters identify the first and last ports that are part of the port range. They have values from 0 to 65535. The ending port must have a value equal to or greater than the starting port. The starting port, ending port, and all ports in between will be part of the layer 4 port range.
When “eq” is specified, the IPv6 ACL rule matches only if the layer 4 port number is equal to the specified port number or portkey.
When “lt” is specified, the IPv6 ACL rule matches if the layer 4 destination port number is less than the specified port number or portkey. It is equivalent to specifying the range as 0 to <specified port number – 1>.
•destination-ipv6-prefix — IPv6 prefix in IPv6 global address format.
•flow-label value — The value to match in the Flow Label field of the IPv6 header (Range 0–1048575).
•dscp dscp — Specifies the TOS for an IPv6 ACL rule depending on a match of DSCP values using the parameter dscp.
•log — Specifies that this rule is to be logged.
•time-range time-range-name — Specifies the named time range to associate with the ACL rule.
•assign-queue queue-id — Specifies a particular hardware queue for handling traffic that matches the rule.
•mirror interface — Allows the traffic matching this rule to be copied to the specified interface.
•redirect interface — This parameter allows the traffic matching this rule to be forwarded to the specified interface.
interface interface
(Optional) Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
You can also specify a range of interfaces with the interface range command; for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
ipv6 traffic-filter name direction [sequence seq-num]
Bind the specified IPv6 ACL to an interface.
NOTE: To apply this ACL to all interfaces, issue the command in Global Configuration mode.
•name — Access list name. (Range: Valid IPv6 access-list name up to 31 characters in length)
•direction — Direction of the ACL. (Range: In or out. Default is in.)
•seq-num — Precedence for this interface and direction. A lower sequence number has higher precedence. Range: 1 – 4294967295. Default is 1.
CTRL + Z Exit to Privileged EXEC mode.
show ipv6 access-lists [name]
Display all IPv6 access lists and all of the rules that are defined for the IPv6 ACL. Use the optional name parameter to identify a specific IPv6 ACL to display.
Configuring a Time Range
Beginning in Privileged EXEC mode, use the following commands to create a time range and configure time-based entries for the time range.
Command Purpose
configure Enter global configuration mode.
time-range name
Create a named time range and enter the Time-Range Configuration mode for the range.
absolute {[start time date] [end time date]}
Configure a nonrecurring time entry for the named time range.
•start time date — Time and date the ACL rule starts going into effect. The time is expressed in a 24-hour clock, in the form of hours:minutes. For example, 8:00 is 8:00 am and 20:00 is 8:00 pm. The date is expressed in the format day month year. If no start time and date are specified, the configuration statement is in effect immediately.
•end time date — Time and date the ACL rule is no longer in effect.
periodic {days-of-the-week time} to {[days-of-the-week] time}
Configure a recurring time entry for the named time range.
•days-of-the-week—The first occurrence indicates the starting day(s) the ACL goes into effect. The second occurrence is the ending day(s) when the ACL rule is no longer in effect. If the end days-of-the-week are the same as the start, they can be omitted.
This variable can be any single day or combination of days: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday. Other possible values are:
daily -- Monday through Sunday
weekdays -- Monday through Friday
weekend -- Saturday and Sunday
•time — Time the ACL rule starts going into effect (first occurrence) or ends (second occurrence). The time is expressed in a 24-hour clock, in the form of hours:minutes.
CTRL + Z Exit to Privileged EXEC mode.
show time-range [name]
View information about all configured time ranges, including the absolute/periodic time entries that are defined for each time range. Use the name variable to view information about the specified time range.
ACL Configuration Examples
This section contains the following examples:
•"Basic Rules" on page 628
•"Internal System ACLs" on page 629
•"Complete ACL Example" on page 629
•"Advanced Examples" on page 633
•"Policy Based Routing Examples" on page 640
Basic Rules
Inbound rule allowing all packets:
permit every
Administrators should be cautious when using the permit every rule in an access list, especially when using multiple access lists. All packets match a permit every rule and no further processing is done on the packet. This means that a permit every match in an access list will skip processing subsequent rules in the current or subsequent access-lists and allow all packets not previously denied by a prior rule.
Inbound rule to drop all packets:
deny every
As the last rule in a list, this rule is redundant, as an implicit "deny every" is added after the end of the last access-group configured on an interface.
Administrators should be cautious when using the deny every rule in an access list, especially when using multiple access lists. When a packet matches a rule, no further processing is done on the packet. This means that a deny every match in an access list will skip processing subsequent rules in the current or subsequent access-lists and drop all packets not previously allowed by a prior rule.
Inbound rule allowing access FROM hosts with IP addresses ranging from 10.0.46.0 to 10.0.47.254:
permit ip 10.0.46.0 0.0.1.255 any
NOTE: None of these ACL rules are applicable to the OOB interface.
Inbound rule allowing access TO hosts with IP addresses ranging from
10.0.48.0 to 10.0.49.254:
permit ip any 10.0.48.0 0.0.1.255
As the last rule in an administrator-defined list, the narrower scope of this
inbound rule has no effect other than to possibly interfere with switch
operations. The system installs an implicit deny every rule after the end of
the last access group bound to an interface:
deny ip any any
Internal System ACLs
The switch installs a number of internal ACLs to trap packets to the CPU for processing. Examples of these types of packets are spanning tree BPDUs, IEEE 802.1x EAPOL packets, iSCSI packets, IP source guard packets, LLPF packets, LLDP packets, IEEE 802.1AD packets, etc. These internal ACLs are generally configured at the lowest priority (higher numerically) so that the switch administrator, through the use of ACLs, can override the default switch behavior. Some of the system rules are installed when the administrator enables specific protocols; other rules are always present and may have their behaviors altered by enabling or disabling protocols. For example, spanning tree BPDUs, LLDP packets, and IEEE 802.1X packets are never forwarded by the switch.
Complete ACL Example
The following example is a complete inbound ACL that allows access for
hosts connected to gi1/0/1 with IP address in 10.1.1.x range to send IP packets
to 192.168.0.X hosts on gi1/0/2. IP packets not from 10.1.1.x addresses or not
addressed to 192.168.0.x hosts are dropped. Packets with protocols other than
IP, DNS, ARP, or ICMP are dropped. Allowing ICMP supports the 10.1.1.x
hosts in reliably receiving and initiating TCP connections and pinging
through the switch. This example also allows ARP and DNS packets to any
destination and is suitable for an L2 switch.
mac access-list extended Allow-ARP
permit any any arp
exit
ip access-list Allow-10-1-1-x
permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit icmp 10.1.1.0 0.0.0.255 any
permit ip 0.0.0.0 255.255.255.255 any
permit udp any any eq domain
exit
interface gi1/0/1
mac access-group Allow-ARP in 10
ip access-group Allow-10-1-1-x in 20
exit
Another list on the 192.168.0.x network attached port (gi1/0/2) is configured
for this example. Because the two access lists are complementary/end-to-end,
it is necessary to allow ICMP packets to travel between the attached hosts.
ip access-list Allow-192-168-0-x
permit ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
permit icmp 192.168.0.0 0.0.0.255 any
permit udp any any eq domain
exit
interface gi1/0/2
mac access-group Allow-ARP in 10
ip access-group Allow-192-168-0-x in 20
exit
Consider the following inbound rules that allow Telnet connections and UDP
traffic from the 192.168.0.x network to host 10.1.1.23:
ip access-list Host10-1-1-23
! Permit Telnet traffic from 192.168.0.X network to host 10.1.1.23
permit tcp 192.168.0.0 0.0.0.255 host 10.1.1.23 eq telnet
! Permit TCP traffic from 192.168.0.X network to host 10.1.1.23
permit tcp 192.168.0.0 0.0.0.255 host 10.1.1.23
! Permit UDP traffic from 192.168.0.X network to host 10.1.1.23
permit udp 192.168.0.0 0.0.0.255 host 10.1.1.23
! Permit IP traffic from 192.168.0.X network to 10.1.1.x network
permit ip 192.168.0.0 0.0.0.255 10.1.1.23 0.0.0.255
In the above list, the fourth rule allows all IP packets between the network and host. The narrower scope of the first three rules is redundant, as all IP traffic, including TCP and UDP, is permitted by the fourth rule. The following list has corrected rules that allow Telnet and UDP packets only and rely on the implicit "deny all" after the end of the last access group to deny other traffic.
ip access-list Host10-1-1-23
! Permit Telnet traffic from 192.168.0.X network to host 10.1.1.23
permit tcp 192.168.0.0 0.0.0.255 host 10.1.1.23 eq telnet
! Permit UDP traffic from 192.168.0.X network to host 10.1.1.23
permit udp 192.168.0.0 0.0.0.255 host 10.1.1.23
ACLs support TCP and UDP port matching using the operators eq, neq, lt, gt, and range. The range operator is inclusive of the specified port parameters.
ACLs support TCP flags. If multiple flags are set (+flag) in a single rule, only
packets with the all the same flags asserted are matched (logical AND).
Likewise, if multiple flags are cleared (–flag) in a single rule, only packets with
the same flags cleared are matched. The established keyword matches TCP
packets with either the RST or ACK bits set (logical OR). Flags that are
neither set nor cleared in the rule are not checked in the ACL (don't care or
wildcard).
The same mechanism expresses a rule that matches TCP packets with the PUSH flag asserted AND the RESET flag cleared: the rule carries the qualifiers +psh and -rst, and the other flag bits are "don't care".
ACLs may also contain a number of shorthand qualifiers for protocols and IP, TCP, and UDP port numbers (the portkey keywords listed with the ACL rule syntax above). Note that not all of these qualifiers make sense in the context of any given port number; e.g., ftp and ftp-data only make sense in the context of the IP or UDP protocols, while an HTTP port number only makes sense in terms of the TCP or IP protocols. Refer to RFC 1700 or iana.org/protocols for a list of protocol numbers.
To bind an access-list to an interface, use the access-group command. The in
parameter specifies that the ACL is applied to ingress packets. The out
parameter specifies that the ACL is applied to egress packets not generated by
the switch/router. If no in/out parameter is specified, the access list default is
to apply the ACL to ingress packets.
Multiple access lists can be configured on an interface. The processing order is determined by the last parameter on the access-group command: the access list with the lowest sequence number is processed first, followed by the next higher sequence number, etc. For example, if access list Host10-1-1-21 is bound with a lower sequence number than Host10-1-1-23, Host10-1-1-21 is processed first, followed by Host10-1-1-23.
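The first-match semantics described in this section (wildcard masks, the +flag/-flag/established TCP flag qualifiers, access groups processed in sequence-number order, and the implicit deny after the last group) modelled in Python as an added example; this is not code from this guide or from Dell. The rule strings, the test packets, the seqnum-10 binding and the portkey table are constructed here, and the parser covers only the subset of the rule syntax that the examples above use.

```python
"""Toy first-match ACL evaluator for the semantics described in this chapter.
Constructed example, not Dell code: wildcard masks, TCP flag qualifiers
(+flag / -flag / established), seqnum-ordered access groups, implicit deny."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Subset of the portkey keywords from the rule syntax (IANA port numbers)
PORTKEYS = {"telnet": 23, "http": 80, "www": 80, "domain": 53, "ftp": 21,
            "ftp-data": 20, "snmp": 161, "tftp": 69, "smtp": 25}
ANY = ("0.0.0.0", "255.255.255.255")   # address + all-ones wildcard: match anything

@dataclass
class Packet:
    proto: str                        # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None
    flags: frozenset = frozenset()    # TCP flag names that are asserted

@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "every" matches any protocol
    src: tuple = ANY                  # (address, wildcard mask)
    dst: tuple = ANY
    dport: Optional[int] = None
    set_flags: frozenset = frozenset()    # +flag: all must be asserted
    clear_flags: frozenset = frozenset()  # -flag: all must be cleared
    established: bool = False             # RST or ACK asserted

def addr_matches(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard mask: a 0 bit must match the network, a 1 bit is don't care."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)

def parse_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))

def parse_rule(text: str) -> Rule:
    """Parse the subset of the rule syntax used by this chapter's examples."""
    tokens = text.split()
    rule = Rule(action=tokens.pop(0), proto=tokens.pop(0))
    if rule.proto == "every":
        return rule
    rule.src = parse_addr(tokens)
    rule.dst = parse_addr(tokens)
    while tokens:
        tok = tokens.pop(0)
        if tok == "eq":
            port = tokens.pop(0)
            rule.dport = PORTKEYS.get(port) or int(port)
        elif tok == "flag":
            while tokens and (tokens[0][0] in "+-" or tokens[0] == "established"):
                flag = tokens.pop(0)
                if flag == "established":
                    rule.established = True
                elif flag[0] == "+":
                    rule.set_flags |= {flag[1:]}
                else:
                    rule.clear_flags |= {flag[1:]}
        else:
            raise ValueError(f"unsupported qualifier: {tok}")
    return rule

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto == "every":
        return True
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (addr_matches(pkt.src, *rule.src) and addr_matches(pkt.dst, *rule.dst)):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if not rule.set_flags <= pkt.flags:            # logical AND of +flags
        return False
    if rule.clear_flags & pkt.flags:               # logical AND of -flags
        return False
    if rule.established and not (pkt.flags & {"rst", "ack"}):  # logical OR
        return False
    return True                                    # unlisted flags: don't care

def evaluate(access_groups: dict, pkt: Packet) -> str:
    """access_groups maps seqnum -> rules. Lowest seqnum first, the first
    matching rule decides, and an implicit 'deny every' follows the last group."""
    for seqnum in sorted(access_groups):
        for rule in access_groups[seqnum]:
            if rule_matches(rule, pkt):
                return rule.action
    return "deny"

# Constructed binding: an established-connection rule at seqnum 10 and the
# corrected Host10-1-1-23 list from this chapter at seqnum 20.
GROUPS = {
    10: [parse_rule("permit tcp any any flag established")],
    20: [parse_rule("permit tcp 192.168.0.0 0.0.0.255 host 10.1.1.23 eq telnet"),
         parse_rule("permit udp 192.168.0.0 0.0.0.255 host 10.1.1.23")],
}
```

A new Telnet connection (SYN only) from outside 192.168.0.x falls through both groups to the implicit deny, while the same packet with ACK set is accepted by the seqnum-10 established rule before the Host10-1-1-23 list is consulted.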
Advanced Examples
Configuring a Time-Based ACL
The following example configures an ACL that denies HTTP traffic from 8:00 am to 12:00 pm and 1:00 pm to 6:00 pm on weekdays and from 8:30 am to 12:30 pm on weekends. The ACL affects all hosts connected to ports that are members of VLAN 100. The ACL permits VLAN 100 members to browse the Internet only during lunch and after hours.
To configure the switch:
1 Create a time range called work-hours.
console#config
console(config)#time-range work-hours
2 Configure an entry for the time range that applies to the morning shift Monday through Friday.
console(config-time-range)#periodic weekdays 8:00 to 12:00
3 Configure an entry for the time range that applies to the afternoon shift Monday through Friday.
console(config-time-range)#periodic weekdays 13:00 to 18:00
4 Configure an entry for the time range that applies to Saturday and Sunday.
console(config-time-range)#periodic weekend 8:30 to 12:30
console(config-time-range)#exit
5 Create an ACL named web-limit that denies HTTP traffic during the work-hours time range.
console(config)#ip access-list web-limit
console(config-ip-acl)#deny tcp any any eq http time-range work-hours
console(config-ip-acl)#permit every
console(config-ip-acl)#exit
6 Enter interface configuration mode for VLAN 100 and apply the ACL to ingress traffic.
console(config)#interface vlan 100
console(config-if-vlan100)#ip access-group web-limit in
console(config-if-vlan100)#exit
console(config)#exit
7 Verify the configuration.
console#show ip access-lists web-limit
IP ACL Name: web-limit
Rule Number: 1
Action......................................... deny
Match All...................................... FALSE
Protocol....................................... 6(tcp)
Source IP Address.............................. any
Destination IP Address......................... any
Destination Layer 4 Operator................... Equal To
Destination L4 Port Keyword.................... 80(www/http)
Rule Number: 2
Action......................................... permit
Match All...................................... TRUE
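The time-range semantics from the periodic command table and the web-limit example above, modelled in Python as an added example (not code from this guide or from Dell): it parses periodic entries, including an overnight entry whose end day differs from its start day, and reports whether the deny rule is in effect at a given instant. The entries, the dates and the web_limit_action function are constructed for illustration.

```python
"""Toy model of the periodic time-range entries described in this chapter.
Constructed example, not Dell code: it decides whether a time range such as
work-hours is active at a given instant, which is when an ACL rule carrying
time-range work-hours is in effect."""
from datetime import datetime, time

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday",
             "saturday", "sunday"]
DAY_KEYWORDS = {"daily": set(range(7)),        # Monday through Sunday
                "weekdays": set(range(5)),     # Monday through Friday
                "weekend": {5, 6}}             # Saturday and Sunday
WEEK = 7 * 1440                                # minutes in a week

def parse_days(token: str) -> set:
    token = token.lower()
    return set(DAY_KEYWORDS[token]) if token in DAY_KEYWORDS else {DAY_NAMES.index(token)}

def parse_time(token: str) -> time:
    return time.fromisoformat(token.zfill(5))   # "8:00" -> "08:00"

def parse_periodic(entry: str) -> dict:
    """Parse 'periodic <days> HH:MM to [<days>] HH:MM'. When the end days are
    omitted the entry ends on the same day(s) it starts."""
    tokens = entry.split()
    if tokens[0] != "periodic" or "to" not in tokens:
        raise ValueError(f"not a periodic entry: {entry}")
    to_idx = tokens.index("to")
    tail = tokens[to_idx + 1:]
    return {
        "start_days": parse_days(tokens[1]),
        "start_time": parse_time(tokens[2]),
        "end_days": parse_days(tail[0]) if len(tail) == 2 else parse_days(tokens[1]),
        "end_time": parse_time(tail[-1]),
    }

def minute_of_week(day: int, t: time) -> int:
    return day * 1440 + t.hour * 60 + t.minute

def intervals(entry: dict) -> list:
    """Expand an entry into [start, end) minute-of-week intervals. Each start
    day ends at the first end day/time at or after it, wrapping past Sunday."""
    out = []
    ends = [minute_of_week(e, entry["end_time"]) for e in entry["end_days"]]
    for d in entry["start_days"]:
        start = minute_of_week(d, entry["start_time"])
        end = min(e if e >= start else e + WEEK for e in ends)
        out.append((start, end))
    return out

def is_active(entries: list, when: datetime) -> bool:
    now = minute_of_week(when.weekday(), when.time())
    return any(start <= now < end or start <= now + WEEK < end
               for entry in entries for start, end in intervals(entry))

# The work-hours time range from the example above (constructed copy).
WORK_HOURS = [parse_periodic(e) for e in (
    "periodic weekdays 8:00 to 12:00",
    "periodic weekdays 13:00 to 18:00",
    "periodic weekend 8:30 to 12:30",
)]

def web_limit_action(when: datetime, proto: str, dport: int) -> str:
    """The web-limit ACL: 'deny tcp any any eq http time-range work-hours'
    followed by 'permit every'. The deny rule is present only while the range is active."""
    if proto == "tcp" and dport == 80 and is_active(WORK_HOURS, when):
        return "deny"
    return "permit"
```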
Denying FTP Traffic
This example drops incoming FTP setup and data traffic on interfaces gi1/0/24 to 48. This example is suitable for configuration on a switch or a router:
ip access-list deny-ftp
!
deny tcp any any eq ftp
deny tcp any any eq ftp-data
permit every
exit
interface range gi1/0/24-48
ip access-group deny-ftp in
exit
Allow FTP Traffic Only to an FTP Server
This ACL limits traffic from a router to a directly connected FTP server
(172.16.0.5) on gi1/0/11. Notice that this is an “out” ACL. Traffic to the
router from the FTP server is not affected by this rule. Traffic from the router
to the FTP server is limited to ICMP and packets destined to the FTP ports.
There is no need to add permit rules for all the protocols the router can send
to the host (e.g., ARP, ICMP, LLDP, etc.), as internally generated packets are
not limited by ACLs. Routing must be enabled to process ARPs or they must
be allowed by an explicit rule. We allow ICMP from remote hosts so that the
FTP server can receive ICMP feedback from clients utilizing the FTP service.
A better implementation would narrow the scope of the ICMP to eliminate
ICMP messages not required for the FTP service, e.g., echo, echo-reply,
redirect, timestamp, etc.
ip access-list allow-ftp-server
permit tcp any host 172.16.0.5 eq ftp-data flag established
permit tcp any host 172.16.0.5 eq ftp
permit icmp any any
exit
interface gi1/0/11
ip access-group allow-ftp-server out
exit
Block Incoming Pings
ip access-list no-ping
deny icmp any any icmp-message echo
permit every
exit
interface gi1/0/1
ip access-group no-ping in
exit
Block Incoming Pings and Responses
This example configures an ACL that blocks incoming pings and ping
responses. Since packets generated by the CPU are not affected by ACLs, to
block pinging from the switch we add a rule to block the ping responses.
ip access-list no-ping
deny icmp any any icmp-message echo
deny icmp any any icmp-message echo-reply
permit every
exit
interface gi1/0/1
ip access-group no-ping in
exit
Block RFC 1918 Addresses
This ACL may be useful on connections to ISPs to block traffic from non-
routable addresses.
ip access-list no-private-internet
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
permit every
exit
interface port-channel 1
ip access-group no-private-internet in
exit
Assign Packets to a CoS Queue
Assign a range of source or destination TCP ports to CoS queue 3 to provide
elevated service. Two rules are necessary to handle packets that have source or
destination ports outside the range.
ip access-list elevated-cos
permit tcp any range 49152 65535 any assign-queue 3
permit tcp any any range 49152 65535 assign-queue 3
permit every
exit
ip access-group elevated-cos in 25
Schedule Forwarding of Packets to a Different Port
This ACL L2 forwards matching packets to a different port based on a time
schedule. This is not equivalent to Policy-Based Forwarding, as the TTL in
the packet is not decremented, nor is a new destination MAC address written
into the packet.
time-range work-hours
periodic weekdays 07:30 to 18:00
exit
ip access-list redirect-traffic
permit ip any 172.16.1.0 0.0.0.255 redirect te1/0/1 time-range work-hours
permit every
exit
ip access-group redirect-traffic in 30
Rate Limit WWW Traffic (Diffserv)
This ACL creates a Diffserv policy to rate-limit WWW packets. Limit and
burst values require tuning for local traffic patterns and link speeds. Compare
this to the next example.
class-map match-all rate-limit-control ipv4
match protocol tcp
match srcl4port www
exit
policy-map rate-limit-policy in
class rate-limit-control
police-simple 9216 128 conform-action transmit violate-action drop
exit
exit
interface te1/0/1
service-policy in rate-limit-policy
exit
Rate limit WWW traffic (ACL)
This example creates an ACL to rate-limit WWW traffic ingressing the
switch on te1/0/1. Initial and established values require tuning for local traffic
patterns and link speeds. Note that this ACL applies to traffic sent to the
switch IP address as well as traffic forwarded by the switch (in rule). Permit
rules with a rate-limit parameter do not require a following deny rule as
matching packets exceeding the rate limit are discarded. Compare this with
the example above.
ip access-list rate-limit-www
permit tcp any any eq www flag established rate-limit 9216 128
permit tcp any any eq www rate-limit 1024 64
permit every
exit
interface te1/0/1
ip access-group rate-limit-www in
exit
Rate Limit In-Band Management Traffic
The following is an example of rate limiting in-band management traffic on an L2 switch. The first two rules rate limit Telnet and SSH (22) traffic for established connections. The third and fourth rules set specific limits for inbound Telnet and SSH connection requests. Setting the control plane mode on the access group limits the requests to those packets transferred to the CPU and does not affect packets transiting the switching silicon. Likewise, because this is internally an egress ACL, it rate limits packets egressing the silicon to the CPU and does not affect packets that are routed in software due to L3 table lookup failures, nor does it affect packets sent to the CPU via the system rules, as they are applied on ingress. The established connection rate limit parameters are 1024 Kbits/second and a burst of 128 Kbytes. The non-established rate limits are 12 Kbytes/second with a 2 Kbyte burst.
ip access-list rate-limit-inband-mgmt
permit tcp any any eq telnet flag established rate-limit 1024 128
permit tcp any any eq 22 flag established rate-limit 1024 128
permit tcp any any eq telnet rate-limit 12 2
permit tcp any any eq 22 rate-limit 12 2
permit every
exit
ip access-group rate-limit-inband-mgmt control-plane
!
! Block fragmented traffic from being sent to the CPU.
!
ip access-list no-frag-inband-mgmt
deny tcp any any fragments
deny udp any any fragments
deny ip any any fragments
permit every
exit
ip access-group no-frag-inband-mgmt control-plane
A Consolidated DoS Example
This example includes some ACL rules to consider to reduce DoS attacks on
the switch. It does not represent a complete DoS suite. A firewall with deep
packet inspection capabilities should be used for true DoS protection.
ip access-list reduce-dos-attacks
!
! Rate limit echo requests
!
permit icmp any any icmp-message echo rate-limit 32 64
!
! Deny telnet and rate-limit SSH to the CPU
!
deny tcp any any eq telnet flag established
permit tcp any any eq 22 flag established rate-limit 1024 128
deny tcp any any eq telnet
permit tcp any any eq 22 rate-limit 12 2
!
! Rate limit TCP opens
!
permit tcp any any flag +syn rate-limit 8 2
!
! Rate limit TCP closes
!
permit tcp any any flag +fin rate-limit 8 2
!
! Block TCP/UDP/IP frag attacks
!
deny ip any any fragments
!
! Limit SNMP (should set source address to management stations)
! Must be tuned for SNMP walks. May need to adjust the SNMP client
! retry count or timeout.
!
permit udp any any eq snmp rate-limit 1024 128
!
! Allow other traffic types to come to CPU
!
permit every
exit
ip access-group reduce-dos-attacks control-plane
!
NOTE: The rate limits in this example should be adjusted to match the expected rates of traffic coming to the CPU.
!
! Further limit inbound traffic on in-band management ports.
! Allow only VLAN 99 SSH and TFTP, no telnet, HTTP, HTTPS, or SNMP.
! The management access list actions are performed by the switch
! firmware in addition to the access list actions performed by
! the switching silicon, e.g. reduce-dos-attacks. Note that
! the switch forces TFTP accesses to use the well-known TFTP port
! number 69.
!
management access-list mgmt-blocks
permit vlan 99 service ssh
permit vlan 99 service tftp
deny vlan 99
permit service any
exit
! Create an in-band Management VLAN (99), assign it to two ports (gi1/0/47
! and gi1/0/48), and add both ACLs and Management ACLs to ALL ports
! in global config mode.
vlan 99
exit
interface vlan 99
ip address dhcp
exit
interface range gi1/0/47-48
switchport access vlan 99
exit
management access-class mgmt-blocks
line ssh
login authentication default
exit
crypto key generate rsa
crypto key generate dsa
ip ssh server
Policy Based Routing Examples
ACL That Matches All IP Packets
ip access-list match-all
permit ip any any
exit
Route-Map with Scheduled Redirection of RFC 1918 Addresses to a Different Next-Hop
time-range work-hours
periodic weekdays 07:30 to 18:00
exit
ip access-list subnet-172-16
permit ip any 172.16.0.0 0.15.255.255 time-range work-hours
exit
ip access-list subnet-192-168
permit ip any 192.168.0.0 0.0.255.255 time-range work-hours
exit
ip access-list subnet-10-0
permit ip any 10.0.0.0 0.255.255.255 time-range work-hours
exit
route-map redirect-vlan12 permit 32
match ip address subnet-172-16 subnet-192-168 subnet-10-0
set ip next-hop 12.1.13.1
set ip next-hop 12.1.14.1
exit
Complete Example of Policy Based Routing on VLAN Routing Interfaces
In this example, an L3 router with four VLAN routing interfaces (VLAN 10,
VLAN 20, VLAN 30 and VLAN 40) is configured. Each of these interfaces is
connected to L2 switches.
Traffic sent to host 2.2.2.2 from host 1.1.1.2 on VLAN interface 10 is normally
routed over VLAN interface 20. The steps to override the normal routing
decision and policy route traffic from VLAN interface 10 to VLAN interface
30 are described following the figure.
Figure 20-14. Policy Based Routing on VLAN Interfaces Example
[Figure: a Layer 3 switch with four VLAN routing interfaces, each connected to an L2 switch: physical port 1/0/2 carries VLAN interface 10 (1.1.1.1/24), port 1/0/4 carries VLAN interface 20 (2.2.2.1/24), port 1/0/22 carries VLAN interface 30 (3.3.3.1/24), and port 1/0/24 carries VLAN interface 40 (4.4.4.3/24).]
Create VLANs 10, 20, 30 and 40
vlan 10,20,30,40
exit
Add VLAN Membership to Physical Ports
Also, configure the native VLAN on the corresponding interfaces:
interface gi1/0/2
switchport mode trunk
switchport trunk allowed vlan remove 1
switchport trunk native vlan 10
exit
interface gi1/0/4
switchport mode trunk
switchport trunk allowed vlan remove 1
switchport trunk native vlan 20
exit
interface gi1/0/22
switchport mode trunk
switchport trunk allowed vlan remove 1
switchport trunk native vlan 30
exit
interface gi1/0/24
switchport mode trunk
switchport trunk native vlan 40
switchport trunk allowed vlan remove 1
exit
Enable Routing on Each VLAN Interface
interface vlan 10
ip address 1.1.1.1 255.255.255.0
exit
interface vlan 20
ip address 2.2.2.1 255.255.255.0
exit
interface vlan 30
ip address 3.3.3.1 255.255.255.0
exit
interface vlan 40
ip address 4.4.4.3 255.255.255.0
exit
Enable IP Routing (Global Configuration)
ip routing
In this configuration, traffic from host 1.1.1.2 to host 2.2.2.2 is routed from
VLAN routing interface 10 to VLAN routing interface 20 using the directly
connected subnets as they appear in the routing table.
Configure Policy Routing
To policy-route such traffic to VLAN routing interface 30, the following
additional steps should be performed:
1 Create an access-list matching all incoming IP traffic from host 1.1.1.2 destined to host 2.2.2.2:
ip access-list Match-ip-1_1_1_2-to-2_2_2_2
permit ip host 1.1.1.2 host 2.2.2.2
exit
There is no need to add a 'permit every' rule, as would be configured in a normal access list, as this ACL will only be used for PBR. The default for PBR is to route non-matching traffic, or traffic which is addressed to a non-connected interface, normally.
2 Create a route-map and add match/set rules to the route-map:
route-map Redirect_to_3_3_3_3 permit 100
match ip address Match-ip-1_1_1_2-to-2_2_2_2
set ip next-hop 3.3.3.3
exit
3 Assign the route-map to VLAN routing interface 10:
interface vlan 10
ip policy route-map Redirect_to_3_3_3_3
exit
Traffic matching ACL Match-ip-1_1_1_2-to-2_2_2_2 is now policy-routed to
VLAN interface 30 when an interface in VLAN 30 is connected via policy
Redirect_to_3_3_3_3. Counters are incremented in the “show route-map”
command indicating that traffic is being policy routed.
console(config)#show route-map Redirect_to_3_3_3_3
route-map "Redirect_to_3_3_3_3" permit 10
Match clauses:
ip address (access-lists) : match-subnet-1_1_1_X
Set clauses:
ip next-hop 3.3.3.3
Policy routing matches: 19922869 packets, 1275063872 bytes
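As an added example (not from this guide and not Dell's software), the following Python model reproduces the decision just described: the ACL Match-ip-1_1_1_2-to-2_2_2_2 and route-map Redirect_to_3_3_3_3 are applied to traffic entering VLAN interface 10, a matching packet is sent toward next hop 3.3.3.3 (on the VLAN 30 subnet), and everything else, including a matching packet whose next hop is not on a connected subnet, falls back to the normal routing table. The routing-table, ACL and route-map representations and the forward() function are assumptions of the model; the addresses and names come from the example above.

```python
"""Model of the policy-based routing example above (added example, not Dell code)."""
import ipaddress

# Directly connected subnets as they appear in the example's routing table,
# keyed by VLAN routing interface (constructed from the VLAN interface addresses).
CONNECTED = {
    10: ipaddress.ip_network("1.1.1.0/24"),
    20: ipaddress.ip_network("2.2.2.0/24"),
    30: ipaddress.ip_network("3.3.3.0/24"),
    40: ipaddress.ip_network("4.4.4.0/24"),
}


def normal_route(dst):
    """Longest-prefix lookup among the connected subnets; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for vlan, net in CONNECTED.items():
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (vlan, net)
    return best[0] if best else None


def acl_matches(acl, src, dst):
    """Evaluate an IP ACL given as ordered (action, src_net, dst_net) entries.
    First matching entry decides; there is no implicit 'permit every', exactly
    as the text says for an ACL used only by PBR."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


# ip access-list Match-ip-1_1_1_2-to-2_2_2_2 / permit ip host 1.1.1.2 host 2.2.2.2
ACL_MATCH_1_1_1_2_TO_2_2_2_2 = [
    ("permit", ipaddress.ip_network("1.1.1.2/32"), ipaddress.ip_network("2.2.2.2/32")),
]

# route-map Redirect_to_3_3_3_3 permit 100: (sequence, action, match ACL, set next-hop)
ROUTE_MAP_REDIRECT = [
    (100, "permit", ACL_MATCH_1_1_1_2_TO_2_2_2_2, "3.3.3.3"),
]

# interface vlan 10 / ip policy route-map Redirect_to_3_3_3_3
POLICY = {10: ROUTE_MAP_REDIRECT}


def forward(ingress_vlan, src, dst, counters=None):
    """Return the egress VLAN interface for a packet, applying PBR first.
    counters (optional dict) mirrors the 'Policy routing matches' counter."""
    route_map = POLICY.get(ingress_vlan)
    if route_map:
        for _seq, action, acl, next_hop in route_map:
            if action == "permit" and acl_matches(acl, src, dst):
                via = normal_route(next_hop)
                if via is not None:            # next hop is on a connected subnet
                    if counters is not None:
                        counters["matches"] = counters.get("matches", 0) + 1
                    return via
                break                          # next hop unreachable: route normally
    return normal_route(dst)


if __name__ == "__main__":
    stats = {}
    print("1.1.1.2 -> 2.2.2.2 leaves via VLAN", forward(10, "1.1.1.2", "2.2.2.2", stats))
    print("1.1.1.3 -> 2.2.2.2 leaves via VLAN", forward(10, "1.1.1.3", "2.2.2.2", stats))
    print("policy routing matches:", stats.get("matches", 0))
```

Only traffic entering VLAN interface 10 is evaluated against the route-map, which is why the reverse direction (2.2.2.2 to 1.1.1.2 entering VLAN 20) is routed normally in the model, as it is on the switch.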
21 Configuring VLANs
This chapter describes how to configure VLANs, including port-based
VLANs, protocol-based VLANs, double-tagged VLANs, subnet-based VLANs,
and Voice VLANs.
The topics covered in this chapter include:
• VLAN Overview
• Default VLAN Behavior
• Configuring VLANs (Web)
• Configuring VLANs (CLI)
• VLAN Configuration Examples
VLAN Overview
By default, all switchports on Dell Networking N2000, N3000, and N4000
series switches are in the same broadcast domain. This means when one host
connected to the switch broadcasts traffic, every device connected to the
switch receives that broadcast. All ports in a broadcast domain also forward
multicast and unknown unicast traffic to the connected host. Large broadcast
domains can result in network congestion, and end users might complain that
the network is slow. In addition to latency, large broadcast domains are a
greater security risk since all hosts receive all broadcasts.
Virtual Local Area Networks (VLANs) allow you to divide a broadcast domain
into smaller, logical networks. Like a bridge, a VLAN switch forwards traffic
based on the Layer 2 header, which is fast, and like a router, it partitions the
network into logical segments, which provides better administration, security,
and management of multicast traffic.
Network administrators have many reasons for creating logical divisions, such
as department or project membership. Because VLANs enable logical
groupings, members do not need to be physically connected to the same
switch or network segment. Some network administrators use VLANs to
segregate traffic by type so that the time-sensitive traffic, like voice traffic, has
priority over other traffic, such as data. Administrators also use VLANs to
protect network resources. Traffic sent by authenticated clients might be
assigned to one VLAN, while traffic sent from unauthenticated clients might
be assigned to a different VLAN that allows limited network access.
When one host in a VLAN sends a broadcast, the switch forwards traffic only
to other members of that VLAN. For traffic to go from a host in one VLAN to
a host in a different VLAN, the traffic must be forwarded by a layer 3 device,
such as a router. VLANs work across multiple switches and switch stacks, so
there is no requirement for the hosts to be located near each other to
participate in the same VLAN.
Each VLAN has a unique number, called the VLAN ID. The Dell Networking
series switches support a configurable VLAN ID range of 1–4093. A VLAN
with VLAN ID 1 is configured on the switch by default. VLAN 1 is named
default, which cannot be changed. However, you can associate names with
any other VLANs that you create.
In a tagged frame, the VLAN is identified by the VLAN ID in the tag. In an
untagged frame, the VLAN identifier is the Port VLAN ID (PVID) specified
for the port that received the frame. For information about tagged and
untagged frames, see "VLAN Tagging" on page 649.
The Dell Networking series switches support adding individual ports and Link
Aggregation Groups (LAGs) as VLAN members.
Figure 21-1 shows an example of a network with three VLANs that are
department-based. The file server and end stations for the department are all
members of the same VLAN.
NOTE: Dell Networking series switches support VLAN routing. When you
configure VLAN routing, the switch acts as a layer 3 device and can forward traffic
between VLANs. For more information, see "What Are VLAN Routing Interfaces?"
on page 1021.
Figure 21-1. Simple VLAN Topology
In this example, each port is manually configured so that the end station
attached to the port is a member of the VLAN configured for the port. The
VLAN membership for this network is port-based or static.
Dell Networking series switches also support VLAN assignment based on any
of the following criteria:
• MAC address of the end station
• IP subnet of the end station
• Protocol of the packet transmitted by the end station
[Figure 21-1 labels: Payroll VLAN 300, Engineering VLAN 100, Tech Pubs VLAN 200, Router, Switch]
Table 21-1 provides an overview of the types of VLANs you can use to
logically divide the network.
Table 21-1. VLAN Assignment
VLAN Assignment      Description
Port-based (Static)  This is the most common way to assign hosts to VLANs.
                     The port where the traffic enters the switch determines the
                     VLAN membership.
IP Subnet            Hosts are assigned to a VLAN based on their IP address. All
                     hosts in the same subnet are members of the same VLAN.
MAC-Based            The MAC address of the device determines the VLAN
                     assignment. This type of VLAN is useful when a host
                     might not always connect to the network through the same
                     port but needs to be on the same VLAN.
Protocol             Protocol-based VLANs were developed to separate traffic
                     based on the protocol type before IP traffic became the de
                     facto standard in the LAN. Use a protocol-based VLAN on
                     networks where you might have a group of hosts that use
                     IPX or another legacy protocol. With protocol-based
                     VLANs, you can segregate traffic based on the EtherType
                     value in the frame.
Switchport Modes
You can configure each port on a Dell Networking N2000, N3000, or N4000
series switch to be in one of the following modes:
• Access — Access ports are intended to connect end-stations to the system,
especially when the end-stations are incapable of generating VLAN tags.
Access ports support a single VLAN (the PVID). Packets received untagged
are processed as if they are tagged with the access port PVID. Packets
received that are tagged with the PVID are also processed. Packets received
that are tagged with a VLAN other than the PVID are dropped. If the
VLAN associated with an access port is deleted, the PVID of the access
port is set to VLAN 1. VLAN 1 may not be deleted.
• Trunk — Trunk-mode ports are intended for switch-to-switch links. Trunk
ports can receive both tagged and untagged packets. Tagged packets
received on a trunk port are forwarded on the VLAN contained in the tag if
the trunk port is a member of the VLAN. Untagged packets received on a
trunk port are forwarded on the native VLAN. Packets received on another
interface belonging to the native VLAN are transmitted untagged on a
trunk port.
• General — General ports can act like access or trunk ports or a hybrid of
both.
VLAN membership rules that apply to a port are based on the switchport
mode configured for the port. Table 21-2 shows the behavior of the three
switchport modes.
When a port is in General mode, all VLAN features are configurable. When
ingress filtering is on, the frame is dropped if the port is not a member of the
VLAN identified by the VLAN ID in the tag. If ingress filtering is off, all
tagged frames are forwarded. The port decides whether to forward or drop the
frame when the port receives the frame.
Table 21-2. Switchport Mode Behavior
Mode     VLAN Membership               Frames Accepted     Frames Sent          Ingress Filtering
Access   One VLAN                      Untagged/Tagged     Untagged             Always On
Trunk    All VLANs that exist in the   Untagged/Tagged     Tagged and Untagged  Always On
         system (default)
General  As many as desired            Tagged or Untagged  Tagged or Untagged   On or Off
VLAN Tagging
Dell Networking series switches support IEEE 802.1Q tagging. Ethernet
frames on a tagged VLAN have a 4-byte VLAN tag in the header. VLAN
tagging is required when a VLAN spans multiple switches, which is why trunk
ports transmit and receive only tagged frames.
NOTE: A stack of switches behaves as a single switch, so VLAN tagging is not
required for packets traversing different stack members.
Tagging may be required when a single port supports multiple devices that are
members of different VLANs. For example, a single port might be connected
to an IP phone, a PC, and a printer (the PC and printer are connected via
ports on the IP phone). IP phones are typically configured to use a tagged
VLAN for voice traffic, while the PC and printers typically use the untagged
VLAN.
Trunk ports can receive tagged and untagged traffic. Untagged traffic is
tagged internally with the native VLAN. Native VLAN traffic received
untagged is transmitted untagged on a trunk port.
By default, trunk ports are members of all existing VLANs and will
automatically participate in any newly created VLANs. The administrator can
restrict the VLAN membership of a trunk port. VLAN membership for tagged
frames received on a trunk port is configured separately from the membership
of the native VLAN. To configure a trunk port to accept frames only for a
single VLAN, both the native VLAN and the tagged VLAN membership
settings must be configured. If the native VLAN for a trunk port is deleted,
the trunk port drops untagged packets.
Access ports accept untagged traffic and traffic tagged with the access port
PVID. Untagged ingress traffic is considered to belong to the VLAN
identified by the PVID. If the PVID for an access port is deleted, the PVID is
set to VLAN 1.
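The tag format and the per-mode rules above can be checked with the following Python model, an added example that is not code from this guide or from Dell: parse_frame() reads the 4-byte 802.1Q tag (EtherType 0x8100 followed by a 3-bit priority and a 12-bit VLAN ID), and Port.classify() applies the access, trunk and general ingress rules of Table 21-2, including the fallbacks for a deleted access VLAN and a deleted native VLAN. It goes slightly beyond the text by treating a priority-tagged frame (VLAN ID 0) as untagged, which is the standard 802.1Q behaviour; the frame bytes, the Port class and its parameter names are constructed for the example.

```python
"""802.1Q tag parsing and switchport ingress classification (added example, not Dell code)."""
import struct

TPID_8021Q = 0x8100   # EtherType that introduces the 4-byte 802.1Q tag


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build a minimal Ethernet frame; insert an 802.1Q tag when vid is given."""
    frame = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)       # PCP(3) | DEI(1)=0 | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, pcp, ethertype, payload); vid and pcp are None when untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, tci >> 13, inner_type, frame[18:]


class Port:
    """Switchport with the membership rules of Table 21-2 (hypothetical class).

    mode:    'access', 'trunk' or 'general'
    pvid:    access VLAN, trunk native VLAN, or general-mode PVID
    members: VLAN IDs carried tagged; None means every VLAN that exists in
             the system (the trunk default)
    """

    def __init__(self, mode, pvid=1, members=None, ingress_filtering=True):
        self.mode = mode
        self.pvid = pvid
        self.members = None if members is None else set(members)
        # Access and trunk ports always filter; only general mode is configurable.
        self.ingress_filtering = ingress_filtering if mode == "general" else True

    def is_member(self, vid, existing):
        return vid in existing and (self.members is None or vid in self.members)

    def classify(self, frame, existing):
        """Return (vlan_id, 'forward') or (None, 'drop: <reason>') for an ingress
        frame, given the set of VLAN IDs that currently exist on the switch."""
        _, _, vid, _, _, _ = parse_frame(frame)
        if vid is None or vid == 0:              # untagged, or priority-tagged (VID 0)
            if self.mode == "access" and self.pvid not in existing:
                return 1, "forward"              # deleted access VLAN: PVID becomes 1
            if self.mode == "trunk" and self.pvid not in existing:
                return None, "drop: native VLAN deleted"
            return self.pvid, "forward"
        if self.mode == "access":
            pvid = self.pvid if self.pvid in existing else 1
            return (vid, "forward") if vid == pvid else (None, "drop: tag is not the PVID")
        if self.mode == "trunk":
            if self.is_member(vid, existing):
                return vid, "forward"
            return None, "drop: not a member of the tagged VLAN"
        # general mode: ingress filtering decides the fate of non-member tags
        if self.ingress_filtering and not self.is_member(vid, existing):
            return None, "drop: ingress filtering"
        return vid, "forward"
```

A quick way to use it: build an untagged frame and one tagged with VLAN 20, then call classify() on a Port("access", pvid=10), a Port("trunk", pvid=10) and a Port("general", members={20}, ingress_filtering=False) with existing={1, 10, 20, 30}; the access port drops the tagged frame, the trunk forwards it on VLAN 20, and the general port forwards it whether or not 20 is a member only when ingress filtering is off.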
GVRP
The GARP VLAN Registration Protocol (GVRP) helps to dynamically
manage VLAN memberships on trunk ports. When GARP is enabled,
switches can dynamically register (and de-register) VLAN membership
information with other switches attached to the same segment.
Information about the active VLANs is propagated across all networking
switches in the bridged LAN that support GVRP. You can configure ports to
forbid dynamic VLAN assignment through GVRP.
The operation of GVRP relies upon the services provided by the Generic
Attribute Registration Protocol (GARP). GVRP can create up to 1024 VLANs.
For information about GARP timers, see "What Are GARP and GMRP?" on
page 810.
Double-VLAN Tagging
For trunk ports, which are ports that connect one switch to another switch,
the Dell Networking series switches support double-VLAN tagging. This
feature allows service providers to create Virtual Metropolitan Area Networks
(VMANs). With double-VLAN tagging, service providers can pass VLAN
traffic from one customer domain to another through a metro core in a
simple and cost-effective manner. By using an additional tag on the traffic,
the switch can differentiate between customers in the MAN while preserving
an individual customer’s VLAN identification when the traffic enters the
customer’s 802.1Q domain.
With the introduction of this second tag, customers are no longer required to
divide the 4-byte VLAN ID space to send traffic on an Ethernet-based MAN.
In short, every frame that is transmitted from an interface has a double-VLAN
tag attached, while every packet that is received from an interface has a tag
removed (if one or more tags are present).
In Figure 21-2, two customers share the same metro core. The service
provider assigns each customer a unique ID so that the provider can
distinguish between the two customers and apply different rules to each.
When the configurable EtherType is assigned to something different than the
802.1Q (0x8100) EtherType, it allows the traffic to have added security from
misconfiguration while exiting the metro core. For example, if the edge
device on the other side of the metro core is not stripping the second tag, the
packet would never be classified as a 802.1Q tag, so the packet would be
dropped rather than forwarded in the incorrect VLAN.
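To make the EtherType point concrete, here is an added Python example (not from this guide and not Dell's implementation): push_outer_tag() and pop_outer_tag() add and strip a provider tag with a configurable EtherType, and transit() reports which VLAN the customer's 802.1Q domain classifies the frame into when the far edge strips the outer tag and when it fails to. The EtherType 0x9100 and the provider ID 7 are hypothetical values chosen for the example; 0x8100 is the default per Table 21-7, and the customer frame is constructed.

```python
"""Double-VLAN (provider) tag push/pop with a configurable EtherType (added example)."""
import struct

TPID_8021Q = 0x8100          # customer (inner) tag EtherType
DEFAULT_DVLAN_TPID = 0x8100  # default double-VLAN EtherType (Table 21-7)
PROVIDER_TPID = 0x9100       # hypothetical non-default EtherType configured for the metro core


def push_outer_tag(frame, provider_vid, tpid=PROVIDER_TPID):
    """Insert the service-provider tag right after the MAC addresses, leaving
    the customer's own 802.1Q tag (if any) intact behind it."""
    tag = struct.pack("!HH", tpid, provider_vid & 0x0FFF)
    return frame[:12] + tag + frame[12:]


def pop_outer_tag(frame, tpid=PROVIDER_TPID):
    """Strip the outer tag on egress from the metro core.
    Returns (provider_vid, frame); provider_vid is None when no outer tag with
    the configured EtherType is present."""
    (et,) = struct.unpack("!H", frame[12:14])
    if et != tpid:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def customer_domain_vid(frame):
    """What the customer's 802.1Q domain makes of the frame: the VID of an
    802.1Q tag at offset 12, or None when the EtherType there is not 0x8100.
    In the None case the frame is not classified as tagged and, as the text
    above says, is dropped rather than forwarded into the wrong VLAN."""
    (et,) = struct.unpack("!H", frame[12:14])
    if et != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def transit(customer_frame, provider_vid, tpid, far_edge_strips=True):
    """Carry a customer frame across the metro core and return the VID the
    receiving customer domain classifies it into."""
    in_core = push_outer_tag(customer_frame, provider_vid, tpid)
    if far_edge_strips:
        _, delivered = pop_outer_tag(in_core, tpid)
    else:
        delivered = in_core          # misconfigured far edge: outer tag left on
    return customer_domain_vid(delivered)


# Constructed customer frame: broadcast destination, VLAN 100, IPv4 EtherType, one payload byte.
CUSTOMER_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                  + struct.pack("!HH", TPID_8021Q, 100)
                  + struct.pack("!H", 0x0800) + b"\x45")

if __name__ == "__main__":
    for tpid in (DEFAULT_DVLAN_TPID, PROVIDER_TPID):
        print(hex(tpid), "stripped:", transit(CUSTOMER_FRAME, 7, tpid),
              "not stripped:", transit(CUSTOMER_FRAME, 7, tpid, far_edge_strips=False))
```

With the default EtherType a missed strip delivers the frame into provider VLAN 7 of the customer's domain; with 0x9100 the same mistake yields a frame the customer switch does not recognise as 802.1Q, so it is dropped instead.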
Figure 21-2. Double VLAN Tagging Network Example
Voice VLAN
The Voice VLAN feature enables switch ports to carry voice traffic with
defined priority. When multiple devices, such as a PC and an IP phone, are
connected to the same port, you can configure the port to use one VLAN for
voice traffic and another VLAN for data traffic.
Voice over IP (VoIP) traffic is inherently time-sensitive: for a network to
provide acceptable service, the transmission rate is vital. The priority level
enables the separation of voice and data traffic coming onto the port.
A primary benefit of using Voice VLAN is to ensure that the sound quality of
an IP phone is safeguarded from deteriorating when the data traffic on the
port is high. The switch uses the source MAC address of the traffic traveling
through the port to identify the IP phone data flow.
The Voice VLAN feature can be enabled on a per-port basis. This feature
supports a configurable voice VLAN DSCP value. This value is later retrieved
by LLDP when the LLDPDU is transmitted, if LLDP has been enabled on
the port and the required TLV is configured for the port.
Identifying Voice Traffic
Some VoIP phones contain full support for IEEE 802.1X. When these phones
are connected to a port that uses 802.1X port-based authentication, these
phones authenticate and receive their VLAN information from LLDP-MED.
However, if a VoIP phone has limited support for 802.1X authentication it
might try to authenticate and fail. A phone with no 802.1X support would not
attempt to authenticate at all. Instead of placing these phones on an
unauthenticated or guest VLAN, the switch can automatically direct the VoIP
traffic to the Voice VLAN without manual configuration.
The switch identifies the device as a VoIP phone by one of the following
protocols:
• Cisco Discovery Protocol (CDP) or Industry Standard Discovery Protocol
(ISDP) for Cisco VoIP phones
• DHCP vendor-specific options for Avaya VoIP phones
• LLDP-MED for most VoIP phones
After the VoIP phone receives its VLAN information, all traffic is tagged with
the VLAN ID of the Voice VLAN. The phone is considered to be authorized
to send traffic but not necessarily authenticated.
Segregating Traffic with the Voice VLAN
You can configure the switch to support Voice VLAN on a port that is
connecting the VoIP phone. Both of the following methods segregate the
voice traffic and the data traffic in order to provide better service to the voice
traffic.
• When a VLAN is associated with the Voice VLAN port, then the VLAN ID
information is passed onto the VoIP phone using either the LLDP-MED or
the CDP mechanism, depending on how the phone is identified: if it is
identified via CDP, then the VLAN assignment is via CDP and if it is
identified via LLDP-MED, then the VLAN assignment is via LLDP-MED.
By this method, the voice data coming from the VoIP phone is tagged with
the exchanged VLAN ID. Untagged data arriving on the switch is given the
default PVID of the port, and the voice traffic is received tagged with the
predefined VLAN. As a result, both kinds of traffic are segregated in order
to provide better service to the voice traffic.
• When a dot1p priority is associated with the Voice VLAN port instead of a
VLAN ID, then the priority information is passed onto the VoIP phone
using the LLDP-MED or CDP mechanism. By this method, the voice data
coming from the VoIP phone is tagged with VLAN 0 and with the
exchanged priority; thus regular data arriving on the switch is given the
default priority of the port (default 0), and the voice traffic is received with
a higher priority.
NOTE: By default, ISDP is enabled globally and per-interface on the switch.
LLDP-MED is disabled on each interface by default. Port-based authentication
using 802.1X is also disabled on each port by default.
You can configure the switch to override the data traffic CoS. This feature can
override the 802.1 priority of the data traffic packets arriving at the port
enabled for Voice VLAN. Therefore, any rogue client that is also connected to
the Voice VLAN port does not deteriorate the voice traffic.
Voice VLAN and LLDP-MED
The interactions with LLDP-MED are important for Voice VLAN:
• LLDP-MED notifies the Voice VLAN component of the presence and
absence of a VoIP phone on the network.
• The Voice VLAN component interacts with LLDP-MED for applying
VLAN ID, priority, and tag information to the VoIP phone traffic.
Private VLANs
Private VLANs partition a standard VLAN domain into two or more
subdomains. Each subdomain is defined by a primary VLAN and a secondary
VLAN. The primary VLAN ID is the same for all subdomains that belong to a
particular private VLAN instance. The secondary VLAN ID differentiates the
subdomains from each other and provides layer 2 isolation between ports on
the same private VLAN.
The following types of VLANs can be configured in a private VLAN:
• Primary VLAN — Forwards the traffic from the promiscuous ports to
isolated ports, community ports and other promiscuous ports in the same
private VLAN. Only one primary VLAN can be configured per private
VLAN. All ports within a private VLAN share the same primary VLAN.
• Isolated VLAN — A secondary VLAN. It carries traffic from isolated ports
to promiscuous ports. Only one isolated VLAN can be configured per
private VLAN.
• Community VLAN — A secondary VLAN. It forwards traffic between ports
which belong to the same community and to the promiscuous ports. There
can be multiple community VLANs per private VLAN.
A port may be designated as one of the following types in a private VLAN:
• Promiscuous port — A port associated with a primary VLAN that is able to
communicate with all interfaces in the private VLAN, including other
promiscuous ports, community ports and isolated ports.
• Host port — A port associated with a secondary VLAN that can either
communicate with the promiscuous ports in the VLAN and with other
ports in the same community (if the secondary VLAN is a community
VLAN) or can communicate only with the promiscuous ports (if the
secondary VLAN is an isolated VLAN).
Private VLANs may be configured across a stack and on physical and port-
channel interfaces.
Private VLAN Usage Scenarios
Private VLANs are typically implemented in a DMZ for security reasons.
Servers in a DMZ are generally not allowed to communicate with each other
but they must communicate to a router, through which they are connected to
the users. Such servers are connected to host ports, and the routers are
attached to promiscuous ports. Then, if one of the servers is compromised,
the intruder cannot use it to attack another server in the same network
segment.
The same traffic isolation can be achieved by assigning each port with a
different VLAN, allocating an IP subnet for each VLAN, and enabling layer 3
routing between them. In a private VLAN domain, on the other hand, all
members can share the common address space of a single subnet, which is
associated with a primary VLAN. So, the advantage of the private VLANs
feature is that it reduces the number of consumed VLANs, improves IP
addressing space utilization, and helps to avoid layer 3 routing.
Figure 21-3 shows an example Private VLAN scenario, in which five hosts (H-
A through H-E) are connected to a stack of switches (SW1, SW2). The
switch stack is connected to router R1. Port references shown are with
reference to the stack.
Figure 21-3. Private VLAN Domain
Promiscuous Ports
An endpoint connected to a promiscuous port is allowed to communicate
with any endpoint within the private VLAN. Multiple promiscuous ports can
be defined for a single private VLAN domain.
In the configuration shown in Figure 21-3, the port connected from SW1 to
R1 (TE1/1/1) is configured as a promiscuous port. It is possible to configure a
port-channel as a promiscuous port in order to provide a level of redundancy
on the private VLAN uplink.
[Figure 21-3 labels: router R1 attached to TE1/1/1; SW1 ports Gi1/0/10, Gi1/0/11, Gi1/0/12; SW2 ports Gi2/0/10, Gi2/0/11; hosts H-A, H-B, H-C, H-D, H-E]
Isolated Ports
An endpoint connected to an isolated port is allowed to communicate with
endpoints connected to promiscuous ports only. Endpoints connected to
adjacent isolated ports cannot communicate with each other.
Community Ports
An endpoint connected to a community port is allowed to communicate with
the endpoints within a community and can also communicate with any
configured promiscuous port. The endpoints that belong to one community
cannot communicate with endpoints that belong to a different community, or
with endpoints connected to isolated ports.
Private VLAN Operation in the Switch Stack and Inter-switch Environment
The Private VLAN feature is supported in a stacked switch environment. The
stack links are transparent to the configured VLANs; thus, there is no need for
special private VLAN configuration beyond what would be configured for a
single switch. Any private VLAN port can reside on any stack member.
To enable private VLAN operation across multiple switches that are not
stacked, trunk ports must be configured between the switches to transport
the private VLANs. The trunk ports must be configured with the
promiscuous, isolated, and community VLANs. Trunk ports must also be
configured on all devices separating the switches.
In regular VLANs, ports in the same VLAN switch traffic at L2. However, for a
private VLAN, the promiscuous port forwards received traffic to secondary
ports in the VLAN (isolated and community). Community ports forward
received traffic to the promiscuous ports and other community ports using
the same secondary VLAN. Isolated ports transmit received traffic to the
promiscuous ports only.
The ports to which the broadcast traffic is forwarded depend on the type of
port on which the traffic was received. If the received port is a host port,
traffic is broadcast to all promiscuous and trunk ports. If the received port is a
community port, the broadcast traffic is forwarded to all promiscuous, trunk,
and community ports in the same secondary VLAN. A promiscuous port
broadcasts traffic to other promiscuous ports, isolated ports, and community
ports.
Table 21-3. Forwarding Rules for Traffic in Primary VLAN
                 To
From             promiscuous  community 1  community 2  isolated  stack (trunk)
promiscuous      allow        allow        allow        allow     allow
community 1      N/A          N/A          N/A          N/A       N/A
community 2      N/A          N/A          N/A          N/A       N/A
isolated         N/A          N/A          N/A          N/A       N/A
stack (trunk)    allow        allow        allow        allow     allow
Table 21-4. Forwarding Rules for Traffic in Community 1 VLAN
                 To
From             promiscuous  community 1  community 2  isolated  stack (trunk)
promiscuous      N/A          N/A          N/A          N/A       N/A
community 1      allow        allow        deny         deny      allow
community 2      N/A          N/A          N/A          N/A       N/A
isolated         N/A          N/A          N/A          N/A       N/A
stack (trunk)    allow        allow        deny         deny      allow
Table 21-5. Forwarding Rules for Traffic in Isolated VLAN
                 To
From             promiscuous  community 1  community 2  isolated  stack (trunk)
promiscuous      N/A          N/A          N/A          N/A       N/A
community 1      N/A          N/A          N/A          N/A       N/A
community 2      N/A          N/A          N/A          N/A       N/A
isolated         allow        deny         deny         deny      allow
stack (trunk)    allow        deny         deny         deny      allow
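The three tables collapse into one decision function. The following added Python example (not from this guide and not Dell's code) implements the rules in pvlan_forward(), regenerates the tables with forwarding_table() so they can be compared against the ones above, and applies them to a topology modelled on Figure 21-3. The guide states only that TE1/1/1 (to R1) is promiscuous; the roles assigned to the host ports of H-A through H-E are assumptions for the example.

```python
"""Private VLAN forwarding rules of Tables 21-3 to 21-5 (added example, not Dell code)."""

PROMISCUOUS, ISOLATED, TRUNK = "promiscuous", "isolated", "stack (trunk)"


def community(n):
    """Role of a host port in community VLAN n."""
    return ("community", n)


def traffic_vlan(role):
    """Private VLAN that traffic received on a port of this role belongs to:
    the primary VLAN for promiscuous ports, the port's secondary VLAN otherwise."""
    return "primary" if role == PROMISCUOUS else role


def pvlan_forward(vlan, dst_role):
    """Forwarding decision for traffic in `vlan` ('primary', ISOLATED or
    community(n)) toward a port of role `dst_role`. `vlan` comes from the
    receiving port's role, or from the tag when received on a stack/trunk port."""
    if dst_role in (PROMISCUOUS, TRUNK):
        return True              # every subdomain reaches promiscuous and trunk ports
    if vlan == "primary":
        return True              # primary VLAN traffic reaches all host ports
    if vlan == ISOLATED:
        return False             # isolated traffic never reaches another host port
    return dst_role == vlan      # community traffic stays inside its community


def forwarding_table(vlan, roles):
    """Rebuild one of the page's tables: table[from_role][to_role] is 'allow',
    'deny', or 'N/A' when a port of from_role cannot receive traffic in `vlan`."""
    table = {}
    for src in roles:
        can_receive = src == TRUNK or traffic_vlan(src) == vlan
        table[src] = {}
        for dst in roles:
            if not can_receive:
                table[src][dst] = "N/A"
            else:
                table[src][dst] = "allow" if pvlan_forward(vlan, dst) else "deny"
    return table


# Topology modelled on Figure 21-3. Only the TE1/1/1 role is stated on the page;
# the host port roles are assumptions for this example.
PORTS = {
    "R1":  (PROMISCUOUS, "TE1/1/1"),
    "H-A": (community(1), "Gi1/0/10"),
    "H-B": (community(1), "Gi1/0/11"),
    "H-C": (community(2), "Gi1/0/12"),
    "H-D": (ISOLATED, "Gi2/0/10"),
    "H-E": (ISOLATED, "Gi2/0/11"),
}


def reachable(src, dst):
    """Can an endpoint on port `src` send a frame to the endpoint on `dst`?
    Stack links are transparent, so SW1 and SW2 ports are treated as one switch."""
    if src == dst:
        return False
    return pvlan_forward(traffic_vlan(PORTS[src][0]), PORTS[dst][0])


if __name__ == "__main__":
    names = list(PORTS)
    for a in names:
        print(a, "->", [b for b in names if reachable(a, b)])
```

Running the block prints the reachability of each endpoint: R1 reaches every host, H-A and H-B reach each other and R1, H-C reaches only R1, and the isolated hosts H-D and H-E reach only R1, which is the DMZ behaviour described above.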
Limitations and Recommendations
• Only a single isolated VLAN can be associated with a primary VLAN.
Multiple community VLANs can be associated with a primary VLAN.
• Trunk and general modes are not supported on private VLAN ports.
• Do not configure access ports using the VLANs participating in any of the
private VLANs.
• Multiple primary VLANs may be configured. Each primary VLAN must be
unique and each defines a separate private VLAN domain. The operator
must take care to use only the secondary VLANs associated with the
primary VLAN of a domain.
• Private VLANs cannot be enabled on a preconfigured interface. The
interface must physically exist in the switch.
• Secondary (community and isolated) VLANs are associated to the same
multiple spanning tree instance as the primary VLAN.
• GVRP/MVRP cannot be enabled after the private VLAN is configured.
The administrator will need to disable both before configuring the private
VLAN.
• DHCP snooping can be configured on the primary VLAN. If it is enabled
for a secondary VLAN, the configuration does not take effect if a primary
VLAN is already configured.
• If IP source guard is enabled on private VLAN ports, then DHCP snooping
must be enabled on the primary VLAN.
• Do not configure private VLAN ports on interfaces configured for voice
VLAN.
• If static MAC addresses are added for the host port, the same static MAC
address entry must be added to the associated primary VLAN. This does
not need to be replicated for dynamic MAC addresses.
• A private VLAN cannot be enabled on a management VLAN.
• A private VLAN cannot be enabled on the default VLAN.
• VLAN routing can be enabled on private VLANs. It is not very useful to
enable routing on secondary VLANs, as the access to them is restricted.
However, primary VLANs can be enabled for routing.
• It is recommended that the private VLAN IDs be removed from the trunk
ports connected to devices that do not participate in the private VLAN
traffic.
Private VLAN Configuration Example
See "Configuring a Private VLAN" on page 711.
Additional VLAN Features
The Dell Networking series switches also support the following VLANs and
VLAN-related features:
• VLAN routing interfaces — See "Configuring Routing Interfaces" on
page 1021.
• Guest VLAN — See "Configuring Port and System Security" on page 503.
Default VLAN Behavior
One VLAN is configured on the Dell Networking series switches by default.
The VLAN ID is 1, and all ports are included in the VLAN as access ports,
which are untagged. This means when a device connects to any port on the
switch, the port forwards the packets without inserting a VLAN tag. If a
device sends a tagged frame to a port with a VLAN ID other than 1, the frame
is dropped. Since all ports are members of this VLAN, all ports are in the same
broadcast domain and receive all broadcast and multicast traffic received on
any port.
When you create a new VLAN, all trunk ports are members of the VLAN by
default. The configurable VLAN range is 2–4093. VLANs 4094 and 4095 are
reserved for internal system use.
Ports in trunk and access mode have the default behavior shown in Table 21-2
and cannot be configured with different tagging or ingress filtering values.
When you add a VLAN to a port in general mode, the VLAN has the behavior
shown in Table 21-6.
Table 21-6. General mode Default Settings
Feature Default Value
Frames accepted Untagged
Incoming untagged frames are classified into the VLAN
whose VLAN ID is the currently configured PVID.
Frames sent Untagged
Ingress Filtering On
PVID 1
Table 21-7 shows the default values or maximum values for VLAN features.
Table 21-7. Additional VLAN Default and Maximum Values
Feature                                Value
Default VLAN                           VLAN 1
VLAN Name                              No VLAN name is configured except for VLAN 1,
                                       whose name “default” cannot be changed.
VLAN Range                             2–4093
Switchport mode                        Access
Double-VLAN tagging                    Disabled
                                       If double-VLAN tagging is enabled, the default
                                       EtherType value is 802.1Q
Maximum number of configurable         128
MAC-to-VLAN bindings
Maximum number of configurable         64
IP Subnet-to-VLAN bindings
GVRP                                   Disabled
                                       If GVRP is enabled, the default per-port parameters
                                       are:
                                       • GVRP State: Disabled
                                       • Dynamic VLAN Creation: Enabled
                                       • GVRP Registration: Enabled
Number of dynamic VLANs that can be    1024
assigned through GVRP
Voice VLAN                             Disabled
Voice VLAN DSCP value                  46
Voice VLAN authentication mode         Enabled
Configuring VLANs (Web)
This section provides information about the OpenManage Switch
Administrator pages for configuring and monitoring VLANs on Dell
Networking N2000, N3000, and N4000 series switches. For details about the
fields on a page, click at the top of the page.
VLAN Membership
Use the VLAN Membership page to create VLANs and define VLAN groups
stored in the VLAN membership table.
To display the VLAN Membership page, click Switching → VLAN → VLAN
Membership in the navigation panel.
The VLAN Membership tables display which Ports and LAGs are members of
the VLAN, and whether they’re tagged (T), untagged (U), or forbidden (F).
The tables have two rows: Static and Current. Only the Static row is
configurable. The Current row is updated either dynamically through GVRP
or when the Static row is changed and Apply is clicked.
There are two tables on the page:
• Ports — Displays and assigns VLAN membership to ports. To assign
membership, click in Static for a specific port. Each click toggles between
U, T, and blank. See Table 21-8 for definitions.
• LAGs — Displays and assigns VLAN membership to LAGs. To assign
membership, click in Static for a specific LAG. Each click toggles between
U, T, and blank. See Table 21-8 for definitions.
Table 21-8. VLAN Port Membership Definitions
Port Control  Definition
T             Tagged: the interface is a member of a VLAN. All packets forwarded by
              the interface in this VLAN are tagged. The packets contain VLAN
              information.
U             Untagged: the interface is a VLAN member. Packets forwarded by the
              interface in this VLAN are untagged.
F             Forbidden: indicates that the interface is forbidden from becoming a
              member of the VLAN. This setting is primarily for GVRP, which
              enables dynamic VLAN assignment.
Blank         Blank: the interface is not a VLAN member. Packets in this VLAN are
              not forwarded on this interface.
To perform additional port configuration, such as making the port a trunk
port, use the Port Settings page.
Figure 21-4. VLAN Membership
Adding a VLAN
To create a VLAN:
1. Open the VLAN Membership page.
2. Click Add to display the Add VLAN page.
3. Specify a VLAN ID and a VLAN name.
Figure 21-5. Add VLAN
4. Click Apply.
Configuring Ports as VLAN Members
To add member ports to a VLAN:
1. Open the VLAN Membership page.
2. From the Show VLAN menu, select the VLAN to which you want to assign
ports.
3. In the Static row of the VLAN Membership table, click the blank field to
assign the port as an untagged member.
Figure 21-6 shows 10-Gigabit Ethernet ports 8–10 being added to VLAN
300.
Figure 21-6. Add Ports to VLAN
4. Click Apply.
5. Verify that the ports have been added to the VLAN.
In Figure 21-7, the presence of the letter U in the Current row indicates
that the port is an untagged member of the VLAN.
Figure 21-7. Add Ports to VLAN
VLAN Port Settings
Use the VLAN Port Settings page to add ports to an existing VLAN and to
configure settings for the port. If you select Trunk or Access as the Port VLAN
Mode, some of the fields are not configurable because of the requirements for
that mode.
To display the Port Settings page, click Switching → VLAN → Port Settings
in the navigation panel.
Figure 21-8. VLAN Port Settings
From the Port Settings page, click Show All to see the current VLAN settings
for all ports. You can change the settings for one or more ports by clicking the
Edit option for a port and selecting or entering new values.
NOTE: You can add ports to a VLAN through the table on the VLAN Membership
page or through the PVID field on the Port Settings page. The PVID is the VLAN
that untagged received packets are assigned to. To include a general-mode port
in multiple VLANs, use the VLAN Membership page.
Figure 21-9. VLAN Settings for All Ports
VLAN LAG Settings
Use the VLAN LAG Settings page to map a LAG to a VLAN and to configure
specific VLAN settings for the LAG.
To display the LAG Settings page, click Switching → VLAN → LAG Settings
in the navigation panel.
Figure 21-10. VLAN LAG Settings
From the LAG Settings page, click Show All to see the current VLAN settings
for all LAGs. You can change the settings for one or more LAGs by clicking
the Edit option for a port and selecting or entering new values.
Figure 21-11. VLAN LAG Table
Configuring VLANs 671
Bind MAC to VLAN
Use the Bind MAC to VLAN page to map a MAC address to a VLAN. After
the source MAC address and the VLAN ID are specified, the MAC to VLAN
configurations are shared across all ports of the switch. The MAC to VLAN
table supports up to 128 entries.
To display the Bind MAC to VLAN page, click Switching → VLAN → Bind MAC to VLAN in the navigation panel.
Figure 21-12. Bind MAC to VLAN
From the Bind MAC to VLAN page, click Show All to see the MAC
addresses that are mapped to VLANs. From this page, you can change the
settings for one or more entries or remove an entry.
Figure 21-13. MAC-VLAN Bind Table
Bind IP Subnet to VLAN
Use the Bind IP Subnet to VLAN page to assign an IP Subnet to a VLAN.
The IP Subnet to VLAN configurations are shared across all ports of the
switch. There can be up to 64 entries configured in this table.
To display the Bind IP Subnet to VLAN page, click Switching → VLAN → Bind IP Subnet to VLAN in the navigation panel.
Figure 21-14. Bind IP Subnet to VLAN
From the Bind IP Subnet to VLAN page, click Show All to see the IP subnets
that are mapped to VLANs. From this page, you can change the settings for
one or more entries or remove an entry.
Figure 21-15. Subnet-VLAN Bind Table
GVRP Parameters
Use the GVRP Parameters page to enable GVRP globally and configure the
port settings.
To display the GVRP Parameters page, click Switching → VLAN → GVRP Parameters in the navigation panel.
Figure 21-16. GVRP Parameters
From the GVRP Parameters page, click Show All to see the GVRP
configuration for all ports. From this page, you can change the settings for
one or more entries.
NOTE: Per-port and per-LAG GVRP Statistics are available from the
Statistics/RMON page. For more information, see "Monitoring Switch Traffic" on
page 407.
Figure 21-17. GVRP Port Parameters Table
Protocol Group
Use the Protocol Group page to configure which EtherTypes go to which
VLANs, and then enable certain ports to use these settings. Protocol-based
VLANs are most often used in situations where network segments contain
hosts running multiple protocols.
To display the Protocol Group page, click Switching → VLAN → Protocol Group in the navigation panel.
Figure 21-18. Protocol Group
Adding a Protocol Group
To add a protocol group:
1. Open the Protocol Group page.
2. Click Add to display the Add Protocol Group page.
3. Create a name for the group and associate a VLAN with the group.
Figure 21-19. Add Protocol Group
4. Click Apply.
5. Click Protocol Group to return to the main Protocol Group page.
6. From the Group ID field, select the group to configure.
7. In the Protocol Settings table, select the protocol and interfaces to associate with the protocol-based VLAN.
In Figure 21-20, Protocol Group 1 (named IPX) is associated with the IPX protocol and ports 14–16. Ports 20–22 are selected in the Available Ports list. After clicking the right arrow, they will be added to the Selected Ports list.
Figure 21-20. Configure Protocol Group
8. Click Apply.
9. Click Show All to see the protocol-based VLANs and their members.
Figure 21-21. Protocol Group Table
Double VLAN Global Configuration
Use the Double VLAN Global Configuration page to specify the value of the
EtherType field in the first EtherType/tag pair of the double-tagged frame.
To display the Double VLAN Global Configuration page, click Switching → VLAN → Double VLAN → Global Configuration in the navigation panel.
Figure 21-22. Double VLAN Global Configuration
Double VLAN Interface Configuration
Use the Double VLAN Interface Configuration page to specify the value of
the EtherType field in the first EtherType/tag pair of the double-tagged
frame.
To display the Double VLAN Interface Configuration page, click Switching → VLAN → Double VLAN → Interface Configuration in the navigation panel.
Figure 21-23. Double VLAN Interface Configuration
To view a summary of the double VLAN configuration for all interfaces and to
edit settings for one or more interfaces, click Show All.
Figure 21-24. Double VLAN Port Parameter Table
Voice VLAN
Use the Voice VLAN Configuration page to configure and view voice VLAN settings that apply to the entire system and to specific interfaces.
To display the page, click Switching → VLAN → Voice VLAN → Configuration in the navigation panel.
Figure 21-25. Voice VLAN Configuration
NOTE: IEEE 802.1X must be enabled on the switch before you disable voice
VLAN authentication. Voice VLAN authentication can be disabled in order to
allow VoIP phones that do not support authentication to send and receive
unauthenticated traffic on the Voice VLAN.
Configuring VLANs (CLI)
This section provides information about the commands you use to create and
configure VLANs. For more information about the commands, see the Dell Networking N2000, N3000, and N4000 Series Switches CLI Reference Guide at support.dell.com/manuals.
Creating a VLAN
Beginning in Privileged EXEC mode, use the following commands to
configure a VLAN and associate a name with the VLAN.
Command Purpose
configure
  Enter global configuration mode.
vlan {vlan-id | vlan-range}
  Create a new VLAN or a range of VLANs and enter the interface configuration mode for the specified VLAN or VLAN range.
  vlan-id — A valid VLAN ID (Range: 2–4093).
  vlan-range — A list of valid VLAN IDs to be added. List separate, non-consecutive VLAN IDs separated by commas (without spaces); use a hyphen to designate a range of IDs. (Range: 2–4093)
name string
  Add a name to the specified VLAN.
  string — Comment or description to help identify a specific VLAN (Range: 1–32 characters).
CTRL + Z
  Exit to Privileged EXEC mode.
show vlan [id vlan-id | name vlan-name]
  Display VLAN information.
  vlan-id — A valid VLAN ID. (Range: 1–4093)
  vlan-name — A valid VLAN name string. (Range: 1–32 characters)
Configuring a Port in Access Mode
Beginning in Privileged EXEC mode, use the following commands to configure an access mode VLAN interface and, optionally, assign the interface to a VLAN. When a port is in access mode, it can only be a member of one VLAN and will accept tagged packets with the access VLAN ID or untagged packets. Untagged packets are treated as belonging to the access VLAN. Packets received with a VLAN ID other than the access VLAN ID are discarded. When you configure an interface as an access mode port, the interface is automatically made a member of VLAN 1 and removed from all other VLAN memberships. You can configure each interface separately, or you can configure a range of interfaces with the same settings.
Command Purpose
configure
  Enter global configuration mode.
interface interface
  Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
  You can also specify a range of interfaces with the interface range command, for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
switchport mode access
  Configure the interface as an access mode VLAN interface. Access mode VLANs accept tagged or untagged packets for the access VLAN only.
switchport access vlan vlan-id
  Configure the interface as a member of the specified VLAN. By default, access mode ports are members of VLAN 1.
  vlan-id — A valid VLAN ID of the VLAN to which the port is configured. (Range: 1–4093)
CTRL + Z
  Exit to Privileged EXEC mode.
show interfaces switchport interface
  Display information about the VLAN settings configured for the specified interface.
Configuring a Port in Trunk Mode
Beginning in Privileged EXEC mode, use the following commands to configure an interface as a layer 2 trunking interface, which connects two switches. Trunk mode ports support traffic tagged with different VLAN IDs. Untagged received traffic is switched in the native VLAN. A trunk port is automatically configured as a member of all VLANs. You can remove it from membership in specific VLANs. By default, the native VLAN for a trunk port is VLAN 1.
Command Purpose
configure
  Enter global configuration mode.
interface interface
  Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
  You can also specify a range of interfaces with the interface range command, for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
switchport mode trunk
  Configure the interface as a tagged layer 2 VLAN interface.
switchport trunk {allowed vlan vlan-list | native vlan vlan-id}
  Set the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode.
  allowed vlan-list — Set the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode. Separate non-consecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.
  The vlan-list format is all | [add | remove | except] vlan-atom [vlan-atom ...] where:
    all — Specifies all VLANs from 1 to 4093. This keyword is not allowed on commands that do not permit all VLANs in the list to be set at the same time.
    add — Adds the list of VLANs to the allowed set.
    remove — Removes the list of VLANs from the allowed set. Removing the native VLAN from a trunk port forces the port to allow tagged packets only.
    except — Allows all VLANs other than those in the list.
    vlan-atom — Either a single VLAN number from 1 to 4093 or a continuous range of VLANs described by two VLAN numbers, the lesser one first, separated by a hyphen.
  native vlan-id — The untagged VLAN. Untagged packets received on this interface are switched in the native VLAN. Transmitted packets in this VLAN are sent untagged.
CTRL + Z
  Exit to Privileged EXEC mode.
show interfaces switchport interface
  Display information about the VLAN settings configured for the specified interface. The interface variable includes the interface type and number.
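The vlan-list grammar of the switchport trunk allowed vlan command, as an added example that is not code from this guide or from the switch: a Python parser that expands vlan-atom lists and applies the all, add, remove and except keywords to a trunk port's allowed set, starting from the trunk default of all VLANs 1–4093. The function names are my own.

```python
"""Parse the vlan-list grammar of `switchport trunk allowed vlan` and apply
it to a trunk port's current allowed-VLAN set.

Added example, not code from the Dell guide; function names are my own.
Grammar assumed exactly as the command table states it:
    all | [add | remove | except] vlan-atom[,vlan-atom ...]
where a vlan-atom is one ID (1-4093) or "lo-hi" with the lesser ID first,
and atoms are separated by commas with no spaces.
"""
from __future__ import annotations

VLAN_MIN, VLAN_MAX = 1, 4093
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))


def parse_vlan_atoms(text: str) -> set[int]:
    """Expand "10,20-22" into {10, 20, 21, 22}; raise ValueError on bad input."""
    if not text or " " in text:
        raise ValueError("VLAN IDs must be separated by commas with no spaces")
    vlans: set[int] = set()
    for atom in text.split(","):
        lo, sep, hi = atom.partition("-")
        first = int(lo)
        last = int(hi) if sep else first
        # A range must list the lesser number first and stay within 1-4093.
        if not VLAN_MIN <= first <= last <= VLAN_MAX:
            raise ValueError(f"invalid vlan-atom {atom!r}")
        vlans.update(range(first, last + 1))
    return vlans


def apply_allowed_vlan(current: set[int], spec: str) -> set[int]:
    """Return the allowed set after `switchport trunk allowed vlan <spec>`."""
    words = spec.split()
    if words == ["all"]:
        return set(ALL_VLANS)
    if len(words) == 1:                # no keyword: the list replaces the set
        return parse_vlan_atoms(words[0])
    if len(words) != 2:
        raise ValueError(f"bad vlan-list {spec!r}")
    keyword, atoms = words
    listed = parse_vlan_atoms(atoms)
    if keyword == "add":
        return current | listed
    if keyword == "remove":
        return current - listed
    if keyword == "except":
        return set(ALL_VLANS) - listed
    raise ValueError(f"unknown keyword {keyword!r}")


def accepts_untagged(allowed: set[int], native_vlan: int) -> bool:
    """A trunk whose native VLAN was removed from the allowed set forwards
    tagged frames only, so untagged frames are no longer accepted."""
    return native_vlan in allowed


if __name__ == "__main__":
    allowed = set(ALL_VLANS)           # trunk default: member of all VLANs
    for cmd in ("remove 1", "add 1", "except 100,200-299", "100,300"):
        allowed = apply_allowed_vlan(allowed, cmd)
        print(f"{cmd:22} -> {len(allowed)} VLANs, untagged accepted:"
              f" {accepts_untagged(allowed, 1)}")
```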
Configuring a Port in General Mode
Beginning in Privileged EXEC mode, use the following commands to
configure an interface with full 802.1q support and configure the VLAN
membership information for the interface. Except when noted as required
(for example, when configuring MAB, Voice VLAN, or 802.1x), it is
recommended that operators use either trunk or access mode.
Command Purpose
configure
  Enter global configuration mode.
interface interface
  Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
  You can also specify a range of interfaces with the interface range command, for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
switchport mode general
  Configure the interface as a tagged and an untagged layer 2 VLAN interface.
switchport general allowed vlan [add|remove] vlan-list {tagged|untagged}
  Configure the VLAN membership for the port. You can also use this command to change the egress tagging for packets without changing the VLAN assignment.
  add vlan-list — List of VLAN IDs to add. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs. (Range: 1–4093)
  remove vlan-list — List of VLAN IDs to remove. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.
  tagged — Sets the port to transmit tagged packets for the VLANs. If the port is added to a VLAN without specifying tagged or untagged, the default is untagged.
  untagged — Sets the port to transmit untagged packets for the VLANs.
switchport general pvid vlan-id
  (Optional) Set the port VLAN ID. Untagged traffic that enters the switch through this port is tagged with the PVID.
  vlan-id — PVID. The selected PVID assignment must be to an existing VLAN. (Range: 1–4093). Entering a PVID value does not remove the previous PVID value from the list of allowed VLANs.
switchport general acceptable-frame-type tagged-only
  (Optional) Specifies that the port will only accept tagged frames. Untagged frames are dropped at ingress.
switchport general ingress-filtering disable
  (Optional) Turn off ingress filtering so that all received tagged frames are forwarded whether or not the port is a member of the VLAN in the tag.
CTRL + Z
  Exit to Privileged EXEC mode.
show interfaces switchport interface
  Display information about the VLAN settings configured for the specified interface. The interface variable includes the interface type and number.
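The access, trunk and general port modes described in the three sections above, modelled as an added Python example (not code from this guide): for each mode it decides whether a received tagged or untagged frame is accepted and into which VLAN it is switched, and whether the port transmits a given VLAN tagged or untagged. The Port class, its field names and the two functions are assumptions of this example; the sample ports reproduce the Switch 1 Payroll configuration used later in this chapter.

```python
"""Model of how a port in access, trunk or general mode classifies a
received frame (ingress) and tags a transmitted frame (egress).

Added example, not code from the Dell guide; the Port class, its field
names and the two functions are my own.  Rules are taken from the three
command tables above: access ports accept untagged frames or frames tagged
with the access VLAN only; trunk ports switch untagged frames into the
native VLAN unless the native VLAN was removed from the allowed list; general
ports apply the PVID, acceptable-frame-type and ingress-filtering settings.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    mode: str                                   # "access", "trunk" or "general"
    access_vlan: int = 1                        # switchport access vlan
    native_vlan: int = 1                        # switchport trunk native vlan
    allowed: set[int] = field(                  # trunk default: all VLANs
        default_factory=lambda: set(range(1, 4094)))
    pvid: int = 1                               # switchport general pvid
    members: dict[int, str] = field(            # general: vlan -> egress tagging
        default_factory=dict)
    tagged_only: bool = False                   # acceptable-frame-type tagged-only
    ingress_filtering: bool = True              # "ingress-filtering disable" -> False


def classify_ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """Return the VLAN a received frame is switched in, or None if the
    frame is discarded.  `tag` is the VLAN ID from the 802.1Q header, or
    None for an untagged frame."""
    if port.mode == "access":
        if tag is None or tag == port.access_vlan:
            return port.access_vlan
        return None                             # any other VLAN ID is discarded
    if port.mode == "trunk":
        if tag is None:
            # Removing the native VLAN from the allowed list leaves the
            # trunk accepting tagged frames only.
            return port.native_vlan if port.native_vlan in port.allowed else None
        return tag if tag in port.allowed else None
    if port.mode == "general":
        if tag is None:
            return None if port.tagged_only else port.pvid
        if port.ingress_filtering and tag not in port.members:
            return None                         # not a member of the tagged VLAN
        return tag                              # filtering off: forwarded anyway
    raise ValueError(f"unknown switchport mode {port.mode!r}")


def egress_tagging(port: Port, vlan: int) -> Optional[str]:
    """Return "tagged" or "untagged" for frames the port sends in `vlan`,
    or None when the port is not a member and does not forward them."""
    if port.mode == "access":
        return "untagged" if vlan == port.access_vlan else None
    if port.mode == "trunk":
        if vlan not in port.allowed:
            return None
        return "untagged" if vlan == port.native_vlan else "tagged"
    if port.mode == "general":
        return port.members.get(vlan)
    raise ValueError(f"unknown switchport mode {port.mode!r}")


if __name__ == "__main__":
    # Switch 1 from the configuration example later in this chapter: a
    # Payroll access port and the LAG to the Payroll server as a trunk
    # whose native VLAN is 400.
    payroll_port = Port(mode="access", access_vlan=400)
    lag1 = Port(mode="trunk", native_vlan=400)
    for port, name in ((payroll_port, "Te1/0/2"), (lag1, "Po1")):
        for tag in (None, 400, 200):
            print(name, "tag", tag, "->", classify_ingress(port, tag))
```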
Configuring VLAN Settings for a LAG
The VLAN mode and membership settings you configure for a port are also valid for a LAG (port-channel). Beginning in Privileged EXEC mode, use the following commands to configure the VLAN mode for a LAG. Once you specify the switchport mode settings for a LAG, you can configure the other VLAN membership settings that are valid for that switchport mode.
Command Purpose
configure
  Enter global configuration mode.
interface port-channel channel-id
  Enter interface configuration mode for the specified interface.
  channel-id — Specific port-channel. (Range 1–48). You can also specify a range of LAGs with the interface range port-channel command, for example, interface range port-channel 4-8.
switchport mode [access|general|trunk]
  Configure the VLAN mode (access, general, or trunk) of the LAG interface.
CTRL + Z
  Exit to Privileged EXEC mode.
show interfaces switchport port-channel channel-id
  Display information about the VLAN settings configured for the specified LAG.
Configuring Double VLAN Tagging
Beginning in Privileged EXEC mode, use the following commands to
configure an interface to send and accept frames with double VLAN tagging.
DVLAN uplink interfaces must be configured for tagging (trunk mode) for
double tags to be observed on frames egressing the interface. DVLAN uplink
interfaces should be configured to accept tagged frames for the DVLAN or
outer VLAN. Ensure that the native VLAN on the uplink port is set to the
DVLAN ID. MAC address learning on DVLAN enabled ports occurs on the
DVLAN uplink port's native VLAN.
Enabling DVLAN tunneling configures all ports in the system as access ports except those configured as uplink ports. Access ports must be configured with the uplink port's native VLAN as their PVID.
Command Purpose
configure
  Enter global configuration mode.
vlan 100
  Configure the DVLAN (outer) VLAN.
exit
  Exit VLAN configuration mode.
interface interface
  Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
  You can also specify a range of interfaces with the interface range command, for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
switchport mode trunk
  Configure the interface for tagging (trunk mode).
switchport trunk native vlan 100
  Set the native VLAN to the DVLAN so that MAC learning occurs in the DVLAN VLAN.
mode dvlan-tunnel
  Enable Double VLAN Tunneling on the uplink (service provider) interface.
exit
  Exit to global configuration mode.
dvlan-tunnel ethertype {802.1Q | vman | custom <0-65535>} [primary-tpid]
  Configure the EtherType to use for uplink or access interfaces.
  802.1Q — Configures the EtherType as 0x8100 (default).
  vman — Configures the EtherType as 0x88A8.
  custom — Custom configures the EtherType for the DVLAN tunnel. The value must be 0-65535.
  primary-tpid — Configure the primary (outer) TPID. If this parameter is not present, the inner TPID is configured. Only a single outer TPID may be configured for a switch. The inner VLAN TPID can be configured on all interfaces or on individual interfaces.
CTRL + Z
  Exit to Privileged EXEC mode.
show dvlan-tunnel
  Display all interfaces enabled for Double VLAN Tunneling.
show dvlan-tunnel interface {interface | all}
  Display detailed information about Double VLAN Tunneling for the specified interface or all interfaces.
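Added example, not code from this guide: building and parsing double-tagged frames with the TPID values the dvlan-tunnel ethertype command selects (0x8100 for 802.1Q, 0x88A8 for vman, or a custom value), showing what an uplink sees when the primary (outer) and inner TPIDs are both the 0x8100 default and when vman is used for the outer tag. The function names, sample MAC addresses and payload are constructed for the example.

```python
"""Build and parse double-tagged (Q-in-Q) Ethernet frames using the TPID
values selectable with `dvlan-tunnel ethertype`.

Added example, not code from the Dell guide; function names are my own.
Assumptions: a tag is TPID (2 bytes) followed by TCI (PCP 3 bits, DEI 1
bit, VID 12 bits); the outer tag carries the primary TPID and the inner
tag the per-interface (inner) TPID.  MACs and payload are constructed.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100        # "802.1Q" keyword, the default
TPID_VMAN = 0x88A8         # "vman" keyword
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload (not from any real capture).
DST = bytes.fromhex("001c2355e98b")
SRC = bytes.fromhex("001c2355e98c")
PAYLOAD = bytes(range(46))


def build_tag(tpid: int, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Encode one EtherType/tag pair; `tpid` may be any custom 0-65535 value."""
    if not 0 <= tpid <= 0xFFFF:
        raise ValueError("custom EtherType must be 0-65535")
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("bad TCI field")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)


def build_frame(outer: Optional[tuple] = None, inner: Optional[tuple] = None,
                ethertype: int = ETHERTYPE_IPV4, payload: bytes = PAYLOAD) -> bytes:
    """Assemble dst + src + [outer tag] + [inner tag] + ethertype + payload.
    `outer` and `inner` are (tpid, vid) tuples, or None when that tag is absent."""
    tags = b"".join(build_tag(*t) for t in (outer, inner) if t is not None)
    return DST + SRC + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes, primary_tpid: int = TPID_8021Q,
               inner_tpid: int = TPID_8021Q) -> dict:
    """Classify a received frame the way a DVLAN uplink would: the first
    tag counts as the outer (service) tag only if its TPID equals the
    primary TPID, the following one as the inner (customer) tag only if it
    equals the inner TPID.  Whatever follows is the payload EtherType.
    With both TPIDs left at 0x8100 a single customer tag is therefore read
    as the outer tag, which is why the uplink's native VLAN must be the
    DVLAN and access ports must carry the DVLAN as PVID."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    pos = 12                                    # skip destination and source MAC
    outer = inner = None
    if struct.unpack_from("!H", frame, pos)[0] == primary_tpid:
        outer = struct.unpack_from("!H", frame, pos + 2)[0] & 0x0FFF
        pos += 4
    if struct.unpack_from("!H", frame, pos)[0] == inner_tpid:
        inner = struct.unpack_from("!H", frame, pos + 2)[0] & 0x0FFF
        pos += 4
    return {"outer": outer, "inner": inner,
            "ethertype": struct.unpack_from("!H", frame, pos)[0],
            "payload": frame[pos + 2:]}


if __name__ == "__main__":
    customer = build_frame(inner=(TPID_8021Q, 200))          # single-tagged
    tunnelled = build_frame(outer=(TPID_VMAN, 100), inner=(TPID_8021Q, 200))
    print("default TPIDs, customer frame:", parse_tags(customer))
    print("vman outer, customer frame:   ", parse_tags(customer, TPID_VMAN))
    print("vman outer, tunnelled frame:  ", parse_tags(tunnelled, TPID_VMAN))
```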
Configuring MAC-Based VLANs
Beginning in Privileged EXEC mode, use the following commands to
associate a MAC address with a configured VLAN. The VLAN does not need
to be configured on the system to associate a MAC address with it. You can
create up to 256 VLAN to MAC address associations.
Command Purpose
configure
  Enter global configuration mode.
vlan 10
  Enter VLAN 10 configuration mode.
vlan association mac mac-address
  Associate a MAC address with a VLAN.
  mac-address — MAC address to associate. (Range: Any MAC address in the format xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx)
CTRL + Z
  Exit to Privileged EXEC mode.
show vlan association mac [mac-address]
  Display the VLAN associated with a specific configured MAC address. If no MAC address is specified, the VLAN associations of all the configured MAC addresses are displayed.
Configuring IP-Based VLANs
Beginning in Privileged EXEC mode, use the following commands to
associate an IP subnet with a configured VLAN. The VLAN does not need to
be configured on the system to associate an IP subnet with it. You can create
up to 256 VLAN to MAC address associations.
Command Purpose
configure
  Enter global configuration mode.
vlan 10
  Enter VLAN 10 configuration mode.
vlan association subnet ip-address subnet-mask vlanid
  Associate an IP subnet with a VLAN.
  ip-address — Source IP address. (Range: Any valid IP address)
  subnet-mask — Subnet mask. (Range: Any valid subnet mask)
  vlanid — VLAN to associate with the subnet. (Range: 1–4093)
CTRL + Z
  Exit to Privileged EXEC mode.
show vlan association subnet [ip-address ip-mask]
  Display the VLAN associated with a specific configured IP address and netmask. If no IP address and netmask are specified, the VLAN associations of all the configured IP subnets are displayed.
Configuring a Protocol-Based VLAN
Beginning in Privileged EXEC mode, use the following commands to create
and name a protocol group, and associate VLANs with the protocol group.
When you create a protocol group, the switch automatically assigns it a
unique group ID number. The group ID is used for both configuration and
script generation to identify the group in subsequent commands.
A protocol group may have more than one interface associated with it, but
each interface and protocol combination can be associated with one group
only. If adding an interface to a group causes any conflicts with protocols
currently associated with the group, adding the interface(s) to the group fails
and no interfaces are added to the group. Ensure that the referenced VLAN is
created prior to the creation of the protocol-based group except when GVRP
is expected to create the VLAN.
Command Purpose
configure
  Enter global configuration mode.
vlan protocol group name
  Create a new protocol group.
exit
  Exit to Privileged EXEC mode.
show port protocol all
  Obtain the group ID for the newly configured group.
configure
  Enter global configuration mode.
vlan protocol group add protocol groupid ethertype value
  Add any EtherType protocol to the protocol-based VLAN group identified by groupid. A group may have more than one protocol associated with it. Each interface and protocol combination can be associated with one group only. If adding a protocol to a group causes any conflicts with interfaces currently associated with the group, this command fails and the protocol is not added to the group.
  groupid — The protocol-based VLAN group ID.
  protocol — The protocol you want to add. The ethertype can be any valid number in the range 0x0600-0xffff.
protocol vlan group all groupid
  (Optional) Add all physical interfaces to the protocol-based group identified by groupid. You can add individual interfaces to the protocol-based group as shown in the next two commands.
  groupid — The protocol-based VLAN group ID.
interface interface
  Enter interface configuration mode for the specified interface.
  interface — Specific interface type and number, such as gi1/0/8.
protocol vlan group groupid
  Add the physical unit/port interface to the protocol-based group identified by groupid.
  groupid — The protocol-based VLAN group ID.
exit
  Exit to global configuration mode.
vlan 5
  Enter VLAN 5 configuration mode.
protocol group groupid vlanid
  Attach a VLAN ID to the protocol-based group identified by groupid. A group may only be associated with one VLAN at a time. However, the VLAN association can be changed.
  groupid — The protocol-based VLAN group ID, which is automatically generated when you create a protocol-based VLAN group with the vlan protocol group command. To see the group ID associated with the name of a protocol group, use the show port protocol all command.
  vlanid — A valid VLAN ID.
CTRL + Z
  Exit to Privileged EXEC mode.
show port protocol [all|groupid]
  Display the Protocol-Based VLAN information for either the entire system or for the indicated group.
Configuring GVRP
Beginning in Privileged EXEC mode, use the following commands to enable
GVRP on the switch and on an interface, and to configure various GVRP
settings.
Command Purpose
configure
  Enter global configuration mode.
gvrp enable
  Enable GVRP on the switch.
interface interface
  Enter interface configuration mode for the specified port or LAG. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3 or port-channel 3.
  You can also specify a range of interfaces with the interface range command, for example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
gvrp enable
  Enable GVRP on the interface.
switchport general forbidden vlan {add vlan-list | remove vlan-list}
—and—
switchport trunk allowed vlan {add vlan-list | remove vlan-list}
  (Optional) Forbids dynamically adding the VLANs specified by the remove parameter to a port. To revert to allowing the addition of specific VLANs to the port, use the add parameter of this command.
  add vlan-list — List of valid VLAN IDs to remove from the forbidden list. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.
  remove vlan-list — List of valid VLAN IDs to add to the forbidden list. Separate nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.
gvrp registration-forbid
  (Optional) Deregister all VLANs on a port and prevent any dynamic registration on the port.
gvrp vlan-creation-forbid
  (Optional) Disable dynamic VLAN creation.
exit
  Exit to global configuration mode.
vlan makestatic vlan-id
  (Optional) Change a dynamically created VLAN (one that is created by GVRP registration) to a static VLAN (one that is permanently configured and defined).
  vlan-id — Valid VLAN ID. Range is 2–4093.
CTRL + Z
  Exit to Privileged EXEC mode.
show gvrp configuration
  Display GVRP configuration information. Timer values are displayed. Other data shows whether GVRP is enabled and which ports are running GVRP.
show vlan
  Display the VLAN configuration, including the VLAN configuration type and the associated ports.
Configuring Voice VLANs
Beginning in Privileged EXEC mode, use the following commands to enable
the Voice VLAN feature on the switch and on an interface.
Command Purpose
configure
  Enter global configuration mode.
voice vlan
  Enable the voice VLAN capability on the switch.
interface interface
  Enter interface configuration mode for the specified interface.
  interface — Specific interface, such as gi1/0/8. You can also specify a range of interfaces with the interface range command, for example, interface range gi1/0/8-12 enters Interface Configuration mode for ports 8–12.
voice vlan {vlanid | dot1p priority | none | untagged | data priority {trust | untrust} | auth {enable | disable} | dscp value}
  Enable the voice VLAN capability on the interface.
  vlanid — The voice VLAN ID.
  priority — The Dot1p priority for the voice VLAN on the port.
  trust — Trust the dot1p priority or DSCP values contained in packets arriving on the voice VLAN port.
  untrust — Do not trust the dot1p priority or DSCP values contained in packets arriving on the voice VLAN port.
  auth {enable | disable} — Use enable to allow voice traffic on an unauthorized voice VLAN port. Use disable to prevent voice traffic on an unauthorized voice VLAN port.
  dscp value — The DSCP value (Range: 0–64).
CTRL + Z
  Exit to Privileged EXEC mode.
show voice vlan [interface {interface | all}]
  Display voice VLAN configuration information for the switch, for the specified interface, or for all interfaces.
VLAN Configuration Examples
This section contains the following examples:
• Configuring VLANs Using Dell OpenManage Administrator
• Configuring VLANs Using the CLI
• Configuring a Voice VLAN
This example assumes that the network administrator wants to create the VLANs in Table 21-9:
NOTE: For an example that shows how to use a RADIUS server to provide VLAN
information, see "Controlling Authentication-Based VLAN Assignment" on
page 530. For an example that shows how to allow the switch to dynamically
create RADIUS-assigned VLANS, see "Allowing Dynamic VLAN Creation of
RADIUS-Assigned VLANs" on page 534.
Table 21-9. Example VLANs
VLAN ID  VLAN Name    VLAN Type   Purpose
100      Engineering  Port-based  All employees in the Engineering department use this VLAN. Confining this department’s traffic to a single VLAN helps reduce the amount of traffic in the broadcast domain, which increases bandwidth.
200      Marketing    Port-based  All employees in the Marketing department use this VLAN.
300      Sales        MAC-based   The sales staff works remotely but occasionally comes to the office. Since these employees do not have assigned work areas, they typically plug their laptops into a network port in an available cubicle, office, or conference room.
400      Payroll      Port-based  The payroll department has sensitive traffic and needs its own VLAN to help keep that traffic private.
Figure 21-26 shows the network topology for this example. As the figure
shows, there are two switches, two file servers, and many hosts. One switch
has an uplink port that connects it to a layer 3 device and the rest of the
corporate network.
Figure 21-26. Network Topology for Port-Based VLAN Configuration
The network in Figure 21-26 has the following characteristics:
• Each connection to a host represents multiple ports and hosts.
• The Payroll and File servers are connected to the switches through a LAG.
• Some of the Marketing hosts connect to Switch 1, and some connect to Switch 2.
• The Engineering and Marketing departments share the same file server.
• Because security is a concern for the Payroll VLAN, the ports and LAG that are members of this VLAN will accept and transmit only traffic tagged with VLAN 400.
• The Sales staff might connect to a port on Switch 1 or Switch 2.
Table 21-10 shows the port assignments on the switches.
Table 21-10. Switch Port Connections
Port/LAG Function
Switch 1
1 Connects to Switch 2
2–15 Host ports for Payroll
16–20 Host ports for Marketing
LAG1 (ports 21–24) Connects to Payroll server
Switch 2
1 Connects to Switch 1
2–10 Host ports for Marketing
11–30 Host ports for Engineering
LAG1 (ports 35–39) Connects to file server
LAG2 (ports 40–44) Uplink to router.
Configuring VLANs Using Dell OpenManage Administrator
This example shows how to perform the configuration by using the web-
based interface.
Configure the VLANs and Ports on Switch 1
Use the following steps to configure the VLANs and ports on Switch 1. None
of the hosts that connect to Switch 1 use the Engineering VLAN (VLAN
100), so it is not necessary to create it on that switch.
To configure Switch 1:
1. Create the Marketing, Sales, and Payroll VLANs.
a. From the Switching → VLAN → VLAN Membership page, click Add.
b. In the VLAN ID field, enter 200.
c. In the VLAN Name field, enter Marketing.
d. Click Apply.
Figure 21-27. Add VLANs
e. Repeat steps b–d to create VLANs 300 (Sales) and 400 (Payroll).
2. Assign ports 16–20 to the Marketing VLAN.
a. From the Switching → VLAN → VLAN Membership page, select 200-Marketing from the Show VLAN field.
b. In the Static row, click the space for ports 13–16 so the U (untagged) displays for each port.
Figure 21-28. VLAN Membership - VLAN 200
3. Click Apply.
4. Assign ports 2–15 and LAG1 to the Payroll VLAN.
a. From the Switching → VLAN → VLAN Membership page, select 400-Payroll from the Show VLAN field.
b. In the Static row, click the space for ports 2–15 and LAG 1 so the U (untagged) displays for each port, and then click Apply.
5. Configure LAG 1 to be in general mode and specify that the LAG will accept tagged or untagged frames, but that untagged frames will be transmitted tagged with PVID 400.
a. From the Switching → VLAN → LAG Settings page, make sure Po1 is selected.
b. Configure the following settings:
• Port VLAN Mode — General
• PVID 400
• Frame Type — AdmitAll
c. Click Apply.
Figure 21-29. LAG Settings
6. Configure port 1 as a trunk port.
a. From the Switching → VLAN → Port Settings page, make sure port Gi1/0/1 is selected.
b. From the Port VLAN Mode field, select Trunk.
c. Click Apply.
Figure 21-30. Trunk Port Configuration
7. From the Switching → VLAN → VLAN Membership page, verify that port 1 is marked as a tagged member (T) for each VLAN.
Figure 21-31 shows VLAN 200, in which port 1 is a tagged member, and ports 13–16 are untagged members.
Figure 21-31. Trunk Port Configuration
8. Configure the MAC-based VLAN information.
a. Go to the Switching → VLAN → Bind MAC to VLAN page.
b. In the MAC Address field, enter a valid MAC address, for example 00:1C:23:55:E9:8B.
c. In the Bind to VLAN field, enter 300, which is the Sales VLAN ID.
d. Click Apply.
Figure 21-32. Trunk Port Configuration
e. Repeat steps b–d to add additional MAC address-to-VLAN information for the Sales department.
9. To save the configuration so that it persists across a system reset, use the following steps:
a. Go to the System → File Management → Copy Files page.
b. Select Copy Configuration and ensure that Running Config is the source and Startup Config is the destination.
c. Click Apply.
Configure the VLANs and Ports on Switch 2
Use the following steps to configure the VLANs and ports on Switch 2. Many
of the procedures in this section are the same as procedures used to configure
Switch 1. For more information about specific procedures, see the details and
figures in the previous section.
To configure Switch 2:
1. Create the Engineering, Marketing, Sales, and Payroll VLANs.
Although the Payroll hosts do not connect to this switch, traffic from the Payroll department must use Switch 2 to reach the rest of the network and Internet through the uplink port. For that reason, Switch 2 must be aware of VLAN 400 so that traffic is not rejected by the trunk port.
2. Configure LAG 1 as a general port so that it can be a member of multiple VLANs.
a. From the Switching → VLAN → LAG Settings page, make sure Po1 is selected.
b. From the Port VLAN Mode field, select General.
c. Click Apply.
3. Configure port 1 as a trunk port.
4. Configure LAG2 as a trunk port.
5. Assign ports 1–10 to VLAN 200 as untagged (U) members.
6. Assign ports 11–30 to VLAN 100 as untagged (U) members.
7. Assign LAG1 to VLAN 100 and 200 as a tagged (T) member.
8. Assign port 1 and LAG2 to VLAN 100, VLAN 200, VLAN 300, and VLAN 400 as a tagged (T) member.
9. Configure the MAC-based VLAN information.
10. If desired, copy the running configuration to the startup configuration.
Configuring VLANs Using the CLI
This example shows how to perform the same configuration by using CLI
commands.
Configure the VLANs and Ports on Switch 1
Use the following steps to configure the VLANs and ports on Switch 1. None
of the hosts that connect to Switch 1 use the Engineering VLAN (VLAN
100), so it is not necessary to create it on that switch.
To configure Switch 1:
1. Create VLANs 200 (Marketing), 300 (Sales), and 400 (Payroll), and
associate the VLAN ID with the appropriate name.
console#configure
console(config)#vlan 200,300,400
console(config)#vlan 200
console(config-vlan200)#name Marketing
console(config-vlan200)#exit
console(config)#vlan 300
console(config-vlan300)#name Sales
console(config-vlan300)#exit
console(config)#vlan 400
console(config-vlan400)#name Payroll
console(config-vlan400)#exit
2. Assign ports 16–20 to the Marketing VLAN.
console(config)#interface range tengigabitEthernet 1/0/16-20
console(config-if)#switchport mode access
console(config-if)#switchport access vlan 200
console(config-if)#exit
3. Assign ports 2–15 to the Payroll VLAN.
console(config)#interface range tengigabitEthernet 1/0/2-15
console(config-if)#switchport mode access
console(config-if)#switchport access vlan 400
console(config-if)#exit
4. Assign LAG1 to the Payroll VLAN and specify that frames will always be
transmitted tagged with a VLAN ID of 400. By default, all VLANs are
members of a trunk port.
console(config)#interface port-channel 1
console(config-if-Po1)#switchport mode trunk
console(config-if-Po1)#switchport trunk native vlan 400
console(config-if-Po1)#exit
5. Configure port 1 as a trunk port and add VLAN 200, VLAN 300, and
VLAN 400 as members. All VLANs are added to trunk ports by default,
including those created after the trunk port has been created.
console(config)#interface tengigabitEthernet 1/0/1
console(config-if-Te1/0/1)#switchport mode trunk
console(config-if-Te1/0/1)#exit
6. Configure the MAC-based VLAN information.
The following commands show how to associate a system with a MAC
address of 00:1C:23:55:E9:8B with VLAN 300. Repeat the vlan association
mac command to associate additional MAC addresses with VLAN 300.
console(config)#vlan 10
console(config-vlan10)#vlan association mac 00:1C:23:55:E9:8B 300
console(config-vlan10)#exit
console(config)#exit
7. To save the configuration so that it persists across a system reset, use the
following command:
console#copy running-config startup-config
8. View the VLAN settings.
console#show vlan
9. View the VLAN membership information for a port.
console#show interfaces switchport te1/0/1
Port: Te1/0/1
VLAN Membership mode:Trunk Mode
Operating parameters:
PVID: 1
Ingress Filtering: Enabled
Acceptable Frame Type: VLAN Only
Default Priority: 0
GVRP status:Disabled
Protected:Disabled
Port Te1/0/1 is member in:
VLAN  Name               Egress rule  Type
----  -----------------  -----------  --------
200   Marketing          Tagged       Static
300   Sales              Tagged       Static
400   Payroll            Tagged       Static
VLAN   Name       Ports          Type      Authorization
-----  ---------  -------------  --------  -------------
1      Default    Po1-1248,      Default   Required
                  Te1/0/2-15,
                  Te1/0/21-24,
                  Te1/1/1-2
200    Marketing  Te1/0/1,       Static    Required
                  Te1/0/16-20
300    Sales      Te1/0/1        Static    Required
400    Payroll    Te1/0/1-15     Static    Required
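Added example, not from the guide: a Python audit that parses the show interfaces switchport output shown above and checks a trunk port against an allow-list of VLANs. Because every VLAN, including ones created later, joins a trunk port by default, this is the check that catches a trunk quietly carrying a VLAN it was never meant to; the sample output is the per-port membership table printed above, embedded as a constant (the show vlan summary that follows it is not parsed).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the per-port output printed on this page.
SAMPLE_OUTPUT = """\
Port: Te1/0/1
VLAN Membership mode:Trunk Mode
Operating parameters:
PVID: 1
Ingress Filtering: Enabled
Acceptable Frame Type: VLAN Only
Default Priority: 0
GVRP status:Disabled
Protected:Disabled
Port Te1/0/1 is member in:
VLAN  Name               Egress rule  Type
----  -----------------  -----------  --------
200   Marketing          Tagged       Static
300   Sales              Tagged       Static
400   Payroll            Tagged       Static
"""


@dataclass
class SwitchportInfo:
    port: str
    mode: str
    pvid: int
    ingress_filtering: bool
    members: dict = field(default_factory=dict)  # vlan id -> (name, egress rule, type)


def parse_switchport(text):
    """Parse 'show interfaces switchport <port>' output into a SwitchportInfo."""
    info = SwitchportInfo(port="", mode="", pvid=0, ingress_filtering=False)
    in_table = False
    row = re.compile(r"^(\d+)\s+(\S+)\s+(Tagged|Untagged)\s+(\S+)$")
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if in_table:
            # skip the column header and the dashed separator, keep data rows
            if line.startswith("VLAN") or line.startswith("----"):
                continue
            m = row.match(line)
            if m:
                info.members[int(m.group(1))] = (m.group(2), m.group(3), m.group(4))
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Port":
            info.port = value
        elif key == "VLAN Membership mode":
            info.mode = value
        elif key == "PVID":
            info.pvid = int(value)
        elif key == "Ingress Filtering":
            info.ingress_filtering = value == "Enabled"
        elif line.endswith("is member in:"):
            in_table = True
    return info


def audit_trunk(info, allowed_vlans, require_ingress_filtering=True):
    """Return a list of findings for a trunk port; an empty list means clean."""
    findings = []
    if "Trunk" not in info.mode:
        findings.append(f"{info.port}: expected trunk mode, found {info.mode!r}")
    for vid in sorted(set(info.members) - set(allowed_vlans)):
        name = info.members[vid][0]
        findings.append(f"{info.port}: carries VLAN {vid} ({name}) not in allow-list")
    for vid in sorted(set(allowed_vlans) - set(info.members)):
        findings.append(f"{info.port}: allow-listed VLAN {vid} is not a member")
    for vid, (_, egress, _) in info.members.items():
        if vid != info.pvid and egress != "Tagged":
            findings.append(f"{info.port}: VLAN {vid} egresses untagged but is not the PVID")
    if require_ingress_filtering and not info.ingress_filtering:
        findings.append(f"{info.port}: ingress filtering is disabled")
    return findings


if __name__ == "__main__":
    parsed = parse_switchport(SAMPLE_OUTPUT)
    for finding in audit_trunk(parsed, [200, 300]):
        print(finding)
```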
Configure the VLANs and Ports on Switch 2
Use the following steps to configure the VLANs and ports on Switch 2. Many
of the procedures in this section are the same as procedures used to configure
Switch 1. For more information about specific procedures, see the details and
figures in the previous section.
To configure Switch 2:
1. Create the Engineering, Marketing, Sales, and Payroll VLANs.
Although the Payroll hosts do not connect to this switch, traffic from the
Payroll department must use Switch 2 to reach the rest of the network and
Internet through the uplink port. For that reason, Switch 2 must be aware
of VLAN 400 so that traffic is not rejected by the trunk port.
2. Configure ports 2–10 as access ports and add VLAN 200 to the ports.
3. Configure ports 11–30 as access ports and add VLAN 100 to the ports.
4. Configure LAG 1 as a general port so that it can be a member of multiple
untagged VLANs and add VLAN 100 and VLAN 200 to the LAG.
5. Configure port 1 and LAG 2 as trunk ports and add VLAN 100, VLAN 200,
VLAN 300, and VLAN 400 to the port and LAG.
6. Configure the MAC-based VLAN information.
7. If desired, copy the running configuration to the startup configuration.
8. View VLAN information for the switch and ports.
Configuring a Voice VLAN
The commands in this example create a VLAN for voice traffic with a VLAN
ID of 25. Port 10 is set to an 802.1Q VLAN. In this example, there are
multiple devices connected to port 10, so the port must be in general mode in
order to enable MAC-based 802.1X authentication. Next, Voice VLAN is
enabled on the port with the Voice VLAN ID set to 25. Finally, Voice VLAN
authentication is disabled on port 10 because the phone connected to that
port does not support 802.1X authentication. All other devices are required to
use 802.1X authentication for network access. For more information about
802.1X authentication, see "Configuring Port and System Security" on
page 503.
To configure the switch:
1. Create the voice VLAN.
console#configure
console(config)#vlan 25
console(config-vlan25)#exit
2. Enable the Voice VLAN feature on the switch.
console(config)#voice vlan
3. Configure port 10 to be in general mode.
console(config)#interface gi1/0/10
console(config-if-Gi1/0/10)#switchport mode general
4. Enable MAC-based 802.1X authentication on the port. This step is required
only if there are multiple devices that use port-based authentication
connected to the port.
console(config-if-Gi1/0/10)#dot1x port-control mac-based
5. Enable the voice VLAN feature on the interface.
console(config-if-Gi1/0/10)#voice vlan 25
NOTE: In an environment where the IP phone uses LLDP-MED to obtain
configuration information, an additional step to enable LLDP-MED on the
interface would be required by issuing the lldp med command in Interface
Configuration mode.
6. Disable authentication for the voice VLAN on the port. This step is
required only if the voice phone does not support port-based
authentication.
console(config-if-Gi1/0/10)#voice vlan auth disable
7. Exit to Privileged Exec mode.
console(config-if-Gi1/0/10)#<CTRL+Z>
8. View the voice VLAN settings for port 10.
console#show voice vlan interface gi1/0/10
Interface............................. Gi1/0/10
Voice VLAN Interface Mode............. Enabled
Voice VLAN ID......................... 25
Voice VLAN COS Override............... False
Voice VLAN DSCP Value................. 46
Voice VLAN Port Status................ Disabled
Voice VLAN Authentication............. Disabled
Configuring a Private VLAN
1. Configure the VLANs and their roles:
This example configures VLAN 100 as the primary VLAN, secondary
VLAN 101 as the community VLAN and secondary VLANs 102 and 103 as
the isolated VLANs:
switch# configure
switch(config)# vlan 100
switch(config-vlan-100)# private-vlan primary
switch(config-vlan-100)# exit
switch(config)# vlan 101
switch(config-vlan-101)# private-vlan community
switch(config-vlan-101)# exit
switch(config)# vlan 102
switch(config-vlan-102)# private-vlan isolated
switch(config-vlan-102)# exit
switch(config)# vlan 103
switch(config-vlan-103)# private-vlan isolated
switch(config-vlan-103)# exit
2. Associate the community and isolated VLANs with the primary VLAN.
switch(config)# vlan 100
switch(config-vlan-100)# private-vlan association 101-102
switch(config-vlan-100)# exit
This completes the configuration of the private VLAN. The only
remaining step is to assign the ports to the private VLAN.
3. Assign the router connected port to the primary VLAN:
console(config)#interface te1/1/1
console(config-if-Te1/1/1)#switchport mode private-vlan promiscuous
console(config-if-Te1/1/1)#switchport private-vlan mapping 100 101-102
console(config-if-Te1/1/1)#exit
4. Assign the community VLAN ports:
console(config)#interface gi1/0/11
console(config-if-Gi1/0/11)#switchport mode private-vlan host
console(config-if-Gi1/0/11)#switchport private-vlan host-association 100 101
console(config-if-Gi1/0/11)#interface gi1/0/12
console(config-if-Gi1/0/12)#switchport mode private-vlan host
console(config-if-Gi1/0/12)#switchport private-vlan host-association 100 101
5. Assign the isolated VLAN ports:
console(config)#interface gi1/0/10
console(config-if-Gi1/0/10)#switchport mode private-vlan host
console(config-if-Gi1/0/10)#switchport private-vlan host-association 100 102
console(config-if-Gi1/0/10)#interface gi2/0/10
console(config-if-Gi2/0/10)#switchport mode private-vlan host
console(config-if-Gi2/0/10)#switchport private-vlan host-association 100 102
console(config-if-Gi2/0/10)#interface gi2/0/11
console(config-if-Gi2/0/11)#switchport mode private-vlan host
console(config-if-Gi2/0/11)#switchport private-vlan host-association 100 102
6. Show the configuration:
console(config)#show vlan private-vlan type
VLAN  Type
----  -----------------------
100   primary
101   community
102   isolated
103   isolated
console#show vlan private-vlan
Primary VLAN  Secondary VLAN  Community
------------  --------------  -------------------
100           102             101
console(config)#show vlan
VLAN   Name         Ports          Type
-----  -----------  -------------  -------------
1      default      Po1-128,       Default
                    Te1/1/1,
                    Gi1/0/1-10,
                    Gi1/0/13-24
100    VLAN0100     Te1/1/1,       Static
                    Gi1/0/11-12
101    VLAN0101     Gi1/0/11       Static
102    VLAN0102     Gi1/0/12       Static
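Added example, not from the guide: a Python model of the private VLAN built in steps 1 to 5, using the standard private VLAN forwarding rules (assumed here, since this page does not restate them) to compute which ports can reach which. It also shows what happens to VLAN 103, declared isolated in step 1 but never associated in step 2: in this model a host port placed in it has no path to anything, not even the promiscuous port.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str                        # "promiscuous" or "host"
    primary: int
    secondary: Optional[int] = None  # host ports only: their host-association secondary


# Step 1 of the example: secondary VLAN roles.
SECONDARY_TYPES = {101: "community", 102: "isolated", 103: "isolated"}
# Step 2 of the example: primary VLAN -> secondaries actually associated with it.
ASSOCIATIONS = {100: {101, 102}}

# Steps 3 to 5 of the example.
PORTS = {
    "te1/1/1": PvlanPort("te1/1/1", "promiscuous", 100),
    "gi1/0/11": PvlanPort("gi1/0/11", "host", 100, 101),
    "gi1/0/12": PvlanPort("gi1/0/12", "host", 100, 101),
    "gi1/0/10": PvlanPort("gi1/0/10", "host", 100, 102),
    "gi2/0/10": PvlanPort("gi2/0/10", "host", 100, 102),
    "gi2/0/11": PvlanPort("gi2/0/11", "host", 100, 102),
}


def _active(port, associations):
    """A host port only carries traffic if its secondary is associated with its primary."""
    if port.mode == "promiscuous":
        return True
    return port.secondary in associations.get(port.primary, set())


def can_forward(src, dst, secondary_types=SECONDARY_TYPES, associations=ASSOCIATIONS):
    """Standard private VLAN forwarding rules (assumed here):
    promiscuous <-> any active host port of the same primary VLAN;
    community ports additionally reach the other ports of their community;
    isolated ports reach nothing except promiscuous ports."""
    if src.name == dst.name or src.primary != dst.primary:
        return False
    if not (_active(src, associations) and _active(dst, associations)):
        return False
    if "promiscuous" in (src.mode, dst.mode):
        return True
    if src.secondary != dst.secondary:
        return False
    return secondary_types.get(src.secondary) == "community"


def reachability(ports=PORTS, **rules):
    """Directed reachability matrix {(src, dst): bool} over all port pairs."""
    return {(a, b): can_forward(ports[a], ports[b], **rules)
            for a in ports for b in ports if a != b}


def isolation_report(ports=PORTS, **rules):
    """Host-to-host pairs that can still talk. Only community pairs belong here;
    any pair involving an isolated port would be a policy violation."""
    pairs = [(a, b) for (a, b), ok in reachability(ports, **rules).items()
             if ok and ports[a].mode == "host" and ports[b].mode == "host"]
    return sorted(pairs)


if __name__ == "__main__":
    for src, dst in isolation_report():
        print(f"host ports that can communicate: {src} -> {dst}")
```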
Configuring the Spanning Tree Protocol 715
22 Configuring the Spanning Tree Protocol
This chapter describes how to configure the Spanning Tree Protocol (STP)
settings on the switch.
The topics covered in this chapter include:
• STP Overview
• RSTP-PV
• Default STP Values
• Configuring Spanning Tree (Web)
• Configuring Spanning Tree (CLI)
• STP Configuration Examples
STP Overview
STP is a layer 2 protocol that provides a tree topology for switches on a
bridged LAN. STP allows a network to have redundant paths without the risk
of network loops. STP uses the spanning tree algorithm to provide a single
path between end stations on a network.
Dell Networking series switches support Classic STP, Multiple STP, and Rapid
STP.
What Are Classic STP, Multiple STP, and Rapid STP?
Classic STP provides a single path between end stations, avoiding and
eliminating loops.
Multiple Spanning Tree Protocol (MSTP) supports multiple instances of
Spanning Tree to efficiently channel VLAN traffic over different interfaces.
Each instance of the Spanning Tree behaves in the manner specified in IEEE
802.1w, Rapid Spanning Tree (RSTP), with slight modifications in the
working but not the end effect (chief among the effects is the rapid
transitioning of the port to Forwarding). The difference between the RSTP
and the traditional STP (IEEE 802.1d) is the ability to configure and
recognize full-duplex connectivity and ports which are connected to end
stations, resulting in rapid transitioning of the port to the Forwarding state
and the suppression of Topology Change Notifications.
MSTP is compatible with both RSTP and STP. It behaves appropriately when
connected to STP and RSTP bridges. A MSTP bridge can be configured to
behave entirely as a RSTP bridge or a STP bridge.
How Does STP Work?
The switches (bridges) that participate in the spanning tree elect a switch to
be the root bridge for the spanning tree. The root bridge is the switch with the
lowest bridge ID, which is computed from the unique identifier of the bridge
and its configurable priority number. When two switches have an equal
bridge ID value, the switch with the lowest MAC address is the root bridge.
After the root bridge is elected, each switch finds the lowest-cost path to the
root bridge. The port that connects the switch to the lowest-cost path is the
root port on the switch. The switches in the spanning tree also determine
which ports have the lowest-path cost for each segment. These ports are the
designated ports. Only the root ports and designated ports are placed in a
forwarding state to send and receive traffic. All other ports are put into a
blocked state to prevent redundant paths that might cause loops. Both
internal and external path costs can be configured. For STP, RSTP, and the
MSTP CIST, only the external path costs are utilized in the lowest path cost
calculation. The internal path cost is used by the MST instances.
To determine the root path costs and maintain topology information,
switches that participate in the spanning tree use Bridge Protocol Data Units
(BPDUs) to exchange information.
How Does MSTP Operate in the Network?
In the following diagram of a small 802.1d bridged network, STP is necessary
to create an environment with full connectivity and without loops.
Figure 22-1. Small Bridged Network
Assume that Switch A is elected to be the Root Bridge, and Port 1 on Switch
B and Switch C are calculated to be the root ports for those bridges, Port 2 on
Switch B and Switch C would be placed into the Blocking state. This creates a
loop-free topology. End stations in VLAN 10 can talk to other devices in
VLAN 10, and end stations in VLAN 20 have a single path to communicate
with other VLAN 20 devices.
Figure 22-2 shows the logical single STP network topology.
Figure 22-2. Single STP Topology
For VLAN 10 this single STP topology is fine and presents no limitations or
inefficiencies. On the other hand, VLAN 20's traffic pattern is inefficient. All
frames from Switch B will have to traverse a path through Switch A before
arriving at Switch C. If the Port 2 on Switch B and Switch C could be used,
these inefficiencies could be eliminated. MSTP does just that, by allowing the
configuration of MSTIs based upon a VLAN or groups of VLANs. In this
simple case, VLAN 10 could be associated with Multiple Spanning Tree
Instance (MSTI)1 with an active topology similar to Figure 22-2 and VLAN
20 could be associated with MSTI 2 where Port 1 on both Switch A and
Switch B begin discarding and all others forwarding. This simple modification
creates an active topology with a better distribution of network traffic and an
increase in available bandwidth.
The logical representation of the MSTP environment for these three switches
is shown in Figure 22-3.
Figure 22-3. Logical MSTP Environment
In order for MSTP to correctly establish the different MSTIs as above, some
additional changes are required. For example, the configuration would have
to be the same on each and every bridge. That means that Switch B would
have to add VLAN 10 to its list of supported VLANs (shown in Figure 22-3
with a *). This is necessary with MSTP to allow the formation of Regions
made up of all switches that exchange the same MST Configuration
Identifier. It is within only these MST Regions that multiple instances can
exist. It will also allow the election of Regional Root Bridges for each instance.
One common and internal spanning tree (CIST) Regional Root for the CIST
and an MSTI Regional Root Bridge per instance will enable the possibility of
alternate paths through each Region. Above Switch A is elected as both the
MSTI 1 Regional Root and the CIST Regional Root Bridge, and after
adjusting the Bridge Priority on Switch C in MSTI 2, it would be elected as
the MSTI 2 Regional Root.
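Added example, not from the guide: a Python implementation of the election and role assignment described above (bridge ID from priority, instance number and MAC, lowest wins; then lowest root path cost with the bridge ID as tie-breaker), run over a constructed three-switch triangle modelled on Figure 22-1. The MACs and link costs are constructed; lowering Switch C's priority in instance 2 makes it the MSTI 2 regional root, as the text describes.

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                # constructed sample MACs, not real devices
    priority: int = 32768   # 802.1D default; must be a multiple of 4096


def bridge_id(bridge, instance=0, priority=None):
    """802.1s bridge identifier: 4-bit priority, 12-bit system ID extension
    (the MSTI number; 0 for the CIST), then the 48-bit MAC. Lower value wins."""
    pr = bridge.priority if priority is None else priority
    if pr % 4096 or not 0 <= pr <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    mac = int(bridge.mac.replace(":", "").replace(".", ""), 16)
    return ((pr + instance) << 48) | mac


def bid_table(bridges, instance=0, priorities=None):
    """Bridge IDs for one instance; 'priorities' overrides per-bridge priority."""
    priorities = priorities or {}
    return {b.name: bridge_id(b, instance, priorities.get(b.name)) for b in bridges}


def root_path_costs(links, root, bids):
    """Dijkstra over link costs, ties broken by the upstream bridge ID as STP does.
    Returns {bridge: (root path cost, neighbour reached through the root port)}."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best = {root: (0, None)}
    heap = [(0, bids[root], root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nbr, c in adj[node]:
            if nbr == root:
                continue
            cand = (cost + c, bids[node])
            cur = best.get(nbr)
            if cur is None or cand < (cur[0], bids[cur[1]]):
                best[nbr] = (cost + c, node)
                heapq.heappush(heap, (cost + c, bids[node], nbr))
    return best


def port_roles(bridges, links, instance=0, priorities=None):
    """Elect the root for one instance and assign root / designated / alternate
    roles to every (bridge, neighbour) port. Returns (root name, roles dict)."""
    bids = bid_table(bridges, instance, priorities)
    root = min(bids, key=bids.get)
    costs = root_path_costs(links, root, bids)
    roles = {}
    for a, b in links:
        for x, y in ((a, b), (b, a)):
            if costs[x][1] == y:
                roles[(x, y)] = "root"
        # Designated port on a segment: lower (root path cost, bridge ID).
        # The non-root port on the other side is alternate, i.e. blocked.
        des = min((a, b), key=lambda n: (costs[n][0], bids[n]))
        other = b if des == a else a
        roles.setdefault((des, other), "designated")
        roles.setdefault((other, des), "alternate")
    return root, roles


# Constructed triangle after Figure 22-1: A-B, A-C and B-C links, all 1 Gb/s
# (802.1t path cost 20000). Switch A has the lowest MAC, so it wins every
# election unless a priority is lowered for some instance.
BRIDGES = [Bridge("A", "00:10:00:00:00:0a"),
           Bridge("B", "00:10:00:00:00:0b"),
           Bridge("C", "00:10:00:00:00:0c")]
LINKS = {("A", "B"): 20000, ("A", "C"): 20000, ("B", "C"): 20000}


if __name__ == "__main__":
    for inst, prio in ((1, None), (2, {"C": 4096})):
        root, roles = port_roles(BRIDGES, LINKS, inst, prio)
        print(f"MSTI {inst}: regional root {root}")
        for (x, y), role in sorted(roles.items()):
            print(f"  {x} port toward {y}: {role}")
```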
To further illustrate the full connectivity in an MSTP active topology, the
following rules apply:
1. Each Bridge or LAN is in only one Region.
2. Every frame is associated with only one VID.
3. Frames are allocated either to the IST or MSTI within any given Region.
4. The internal spanning tree (IST) and each MSTI provides full and simple
connectivity between all LANs and Bridges in a Region.
5. All Bridges within a Region reach a consistent agreement as to which ports
interconnect that Region to a different Region and label those as Boundary
Ports.
6. At the Boundary Ports, frames allocated to the CIST or MSTIs are
forwarded or not forwarded alike.
7. The CIST provides full and simple connectivity between all LANs and
Bridges in the network.
MSTP with Multiple Forwarding Paths
Consider the physical topology shown in Figure 22-4. It might be assumed
that MSTI 2 and MSTI 3 would follow the most direct path for VLANs 20
and 30. However, using the default path costs, this is not the case. MSTI
operates without considering the VLAN membership of the ports. This results
in unexpected behavior if the active topology of an MSTI depends on a port
that is not a member of the VLAN assigned to the MSTI and the port is
selected as root port. In this configuration, port TE 1/0/11 is selected as the
root port and ports TE1/0/12 and TE1/0/13 are blocked. To resolve the issue,
set the port path cost of the directly connected links to allow the MSTIs to
connect directly.
Figure 22-4. MSTP with Multiple Forwarding Paths
What are the Optional STP Features?
The Dell Networking series switches support the following optional STP
features:
• BPDU flooding
• PortFast
• BPDU filtering
• Root guard
• Loop guard
• BPDU protection
BPDU Flooding
The BPDU flooding feature determines the behavior of the switch when it
receives a BPDU on a port that is disabled for spanning tree. If BPDU
flooding is configured, the switch will flood the received BPDU to all the
ports on the switch which are similarly disabled for spanning tree.
Port Fast
The PortFast feature reduces the STP convergence time by allowing edge
ports that are connected to end devices (such as a desktop computer, printer,
or file server) to transition to the forwarding state without going through the
listening and learning states.
BPDU Filtering
Ports that have the PortFast feature enabled continue to transmit BPDUs.
The BPDU filtering feature prevents PortFast-enabled ports from sending
BPDUs.
If BPDU filtering is configured globally on the switch, the feature is
automatically enabled on all operational PortFast-enabled ports. These ports
are typically connected to hosts that drop BPDUs. However, if an operational
edge port receives a BPDU, the BPDU filtering feature disables PortFast and
allows the port to participate in the spanning tree calculation.
Enabling BPDU filtering on a specific port prevents the port from sending
BPDUs and allows the port to drop any BPDUs it receives.
Root Guard
Root guard is another way of controlling the spanning-tree topology other
than setting the bridge priority or path costs. Root guard ensures that a port
does not become a root port or a blocked port. When a switch is elected as
the root bridge, all ports are assigned roles as designated ports unless two or
more ports of the root bridge are connected in a loop. If the switch receives a
superior STP BPDU on a root-guard enabled port, the root guard feature
moves the port to a root-inconsistent spanning-tree state. No traffic is
forwarded across the port, but it continues to receive BPDUs, discards
received traffic, and is included in the active topology. Essentially, this is
equivalent to the IEEE 802.1D listening state. By not transitioning the port
on which the superior BPDU has been received to the forwarding state
(designated role), root guard helps maintain the existing spanning-tree
topology.
When the STP mode is configured as MSTP, the port may be a designated
port in one MSTI and an alternate port in the CIST, etc. Root guard is a per
port (not a per port instance command) configuration, so all the MSTP
instances this port participates in should not be expected to take on a root
role.
Loop Guard
Loop guard protects a network from forwarding loops induced by BPDU
packet loss. The reasons for failing to receive packets are numerous, including
heavy traffic, software problems, incorrect configuration, and unidirectional
link failure. When a non-designated port no longer receives BPDUs, the
spanning tree algorithm considers the link to be loop free and transitions the
link from blocking to forwarding. Once in the forwarding state, the link may
create a loop in the network.
Enabling loop guard prevents such accidental loops. When a port is no longer
receiving BPDUs and the max age timer expires, the port is moved to a
loop-inconsistent blocking state. In the loop-inconsistent blocking state, traffic is
not forwarded so the port behaves as if it is in the blocking state; that is, it
discards received traffic, does not learn MAC addresses, and is not part of the
active topology. The port will remain in this state until it receives a BPDU. It
will then transition through the normal spanning tree states based on the
information in the received BPDU.
BPDU Protection
When the switch is used as an access layer device, most ports function as edge
ports that connect to a device such as a desktop computer or file server. The
port has a single, direct connection and is configured as an edge port to
implement the fast transition to a forwarding state. When the port receives a
BPDU packet, the system sets it to non-edge port and recalculates the
spanning tree, which causes network topology flapping. In normal cases, these
ports do not receive any BPDU packets. However, someone may forge BPDU
to maliciously attack the switch and cause network flapping.
BPDU protection can be enabled in RSTP to prevent such attacks. When
BPDU protection is enabled, the switch disables an edge port that has
received BPDU and notifies the network manager about it.
RSTP-PV
Dell Networking switches support both Rapid Spanning Tree Per VLAN
(RSTP-PV) and Spanning Tree Per VLAN (STP-PV) with a high degree of
interoperability with other vendor implementations, such as Cisco's PVST+
and RPVST+. RSTP-PV is the IEEE 802.1w (RSTP) standard implemented
per VLAN. A single instance of rapid spanning tree (RSTP) runs on each
configured VLAN. Each RSTP instance on a VLAN has a root switch. The
RSTP-PV protocol state machine, port roles, port states, and timers are
similar to those defined for RSTP. RSTP-PV embeds the DRC and
IndirectLink Fast Rapid Convergence (IRC) features, which cannot be
disabled.
STP-PV is the IEEE 802.1s (STP) standard implemented per VLAN. The
STP-PV-related state machine, roles, and timers are similar to those defined
for STP. STP-PV does not have the DirectLink Rapid Convergence (DRC) or
IndirectLink Rapid Convergence (IRC) features enabled by default. These
features can be enabled by the switch administrator.
NOTE: Loop Guard should be configured only on non-designated ports. These
include ports in alternate or backup roles. Root ports and designated ports
should not have loop guard enabled so that they can forward traffic.
The switch spanning tree configuration is global in nature. Enabling RSTP-
PV disables other spanning tree modes on the switch. The switch cannot
operate with some ports configured to operate in standard spanning tree
mode and others to operate in RSTP-PV mode. However, RSTP-PV has
fallback modes for compatibility with standards-based versions of spanning
tree.
Access Ports—For an access port, normal IEEE BPDUs will be received and
sent, though STP-PV or RSTP-PV is enabled on the switch. BPDUs received
on the access port will be associated with the CST instance.
Trunk Ports—If the native VLAN on an IEEE 802.1Q trunk is VLAN 1:
• VLAN 1 STP BPDUs are sent to the IEEE STP MAC address
(0180.c200.0000), untagged.
• VLAN 1 STP BPDUs are also sent to the SSTP MAC address, untagged.
• Non-VLAN 1 STP BPDUs are sent to the SSTP MAC address (also called
the Shared Spanning Tree Protocol [SSTP] MAC address, 0100.0ccc.cccd),
tagged with a corresponding IEEE 802.1Q VLAN tag.
If the native VLAN on an IEEE 802.1Q trunk is not VLAN 1:
• VLAN 1 STP BPDUs are sent to the SSTP MAC address, tagged with a
corresponding IEEE 802.1Q VLAN tag.
• VLAN 1 STP BPDUs are also sent to the IEEE STP MAC address on the
Native VLAN of the IEEE 802.1Q trunk, untagged.
• Non-VLAN 1 STP BPDUs are sent to the SSTP MAC address, tagged with
a corresponding IEEE 802.1Q VLAN tag.
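Added example, not from the guide: a Python classifier for the two BPDU address and tag conventions listed above (IEEE STP MAC 0180.c200.0000 versus SSTP MAC 0100.0ccc.cccd, untagged versus 802.1Q-tagged), combined with the defender-side handling described under BPDU Protection earlier in this chapter, where an edge port that receives any BPDU is disabled and reported. The frame layout, the LLC check and the per-port-role actions are assumptions of this example, and the sample frames are constructed inline.

```python
import struct
from dataclasses import dataclass

# Destination addresses named on this page.
IEEE_STP_MAC = bytes.fromhex("0180c2000000")   # 0180.c200.0000
SSTP_MAC = bytes.fromhex("01000ccccccd")       # 0100.0ccc.cccd


@dataclass(frozen=True)
class Bpdu:
    kind: str      # "ieee" (standard STP/RSTP/MSTP) or "sstp" (per-VLAN)
    vlan: int      # spanning tree instance (VLAN) the BPDU belongs to
    tagged: bool


def build_frame(dst, src, llc_payload, vlan=None):
    """Constructed 802.3 frame: optional 802.1Q tag, length field, LLC payload."""
    tag = struct.pack("!HH", 0x8100, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", len(llc_payload)) + llc_payload


def parse_bpdu(frame):
    """Classify a raw frame. Untagged BPDUs of either kind belong to the VLAN 1
    instance (the common spanning tree); tagged SSTP BPDUs carry their VLAN
    in the 802.1Q tag, exactly as the trunk-port rules above describe."""
    if len(frame) < 17:
        return None
    dst, off, vid = frame[:6], 12, None
    if frame[off:off + 2] == b"\x81\x00":
        vid = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    llc = frame[off + 2:off + 5]          # skip the 802.3 length field
    if dst == IEEE_STP_MAC:
        if llc != b"\x42\x42\x03":        # IEEE BPDUs: LLC DSAP/SSAP 0x42, UI control
            return None
        return Bpdu("ieee", vid if vid is not None else 1, vid is not None)
    if dst == SSTP_MAC:
        return Bpdu("sstp", vid if vid is not None else 1, vid is not None)
    return None


def evaluate(port_role, frame):
    """Defender-side decision for a received frame, following the page's text:
    edge ports never legitimately see BPDUs (BPDU protection disables the port
    and notifies the network manager), access ports map BPDUs to the CST, and
    trunk ports map them to the per-VLAN instance the frame identifies."""
    bpdu = parse_bpdu(frame)
    if bpdu is None:
        return ("forward", None)
    if port_role == "edge":
        return ("disable-port+notify", bpdu)
    if port_role == "access":
        return ("cst", bpdu)
    return (f"vlan-{bpdu.vlan}", bpdu)


# Constructed sample frames; the source MAC is the one used earlier in this chapter.
SRC = bytes.fromhex("001c2355e98b")
IEEE_UNTAGGED = build_frame(IEEE_STP_MAC, SRC, b"\x42\x42\x03" + bytes(35))
SSTP_VLAN300 = build_frame(SSTP_MAC, SRC, b"\xaa\xaa\x03" + bytes(40), vlan=300)
SSTP_UNTAGGED = build_frame(SSTP_MAC, SRC, b"\xaa\xaa\x03" + bytes(40))
BROADCAST_DATA = build_frame(b"\xff" * 6, SRC, bytes(28))


if __name__ == "__main__":
    for role in ("edge", "access", "trunk"):
        for name, frame in (("ieee untagged", IEEE_UNTAGGED), ("sstp vlan 300", SSTP_VLAN300)):
            print(f"{role:6} {name:14} -> {evaluate(role, frame)[0]}")
```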
DirectLink Rapid Convergence
The DirectLink Rapid Convergence (DRC) feature is designed for an access-
layer switch that has redundant blocked uplinks. It operates on ports blocked
by spanning tree. DRC can be configured for the entire switch; it cannot be
enabled for individual VLANs.
The DRC feature is based on the concept of an uplink group. An uplink group
consists of all the ports that provide a path to the root bridge (the root port
and any blocked ports). If the root port fails, the blocked port with next
lowest cost from the uplink group is selected and immediately put in the
forwarding state without going through the standard spanning tree listening
and learning states.
To accelerate convergence time once DRC has switched over to a new root
port, STP-PV transmits dummy packets out the new root port, with the
source MAC addresses taken from its forwarding table. The destination
address is an SSTP MAC address that ensures that the packet is flooded on
the whole network. The packets update the forwarding tables on the other
upstream switches. The rate at which the dummy multicasts are sent can be
configured by the administrator. RSTP-PV has a different mechanism
adopted from IEEE 802.1w that handles the update of the forwarding
database and the fast transition to a new uplink. DRC can be enabled on
RSTP-PV enabled switches but has no effect.
DRC is disabled when the administrator modifies the spanning-tree priority
of a VLAN and is re-enabled only when the default priority is restored.
DRC and Link Up Events
In the event of failure of the primary uplink, a replacement uplink is
immediately selected from the uplink group and put into the forwarding
state. If another port is enabled that, in accordance with STP rules, should
become the primary uplink (root port), the switch delays migrating to the
new port for twice the forwarding delay. The purpose of this delay is two-fold:
• Stability—If the primary uplink is flapping, reenabling the link
immediately can introduce additional instability into the network.
• Reduced Traffic Loss—DRC moves a port into the forwarding state as
soon as it is up, but the connected port obeys the usual STP rules; i.e. it
goes through the listening and learning stages, which take 15 seconds each
by default. Delaying the switchover allows the connected port to go
through the listening and learning states while the switch is still
transmitting packets on the original uplink.
The optimal behavior is to keep the current uplink active and hold the new
port in the blocked state for twice the forwarding delay.
IndirectLink Rapid Convergence Feature
To handle indirect link failure, the STP standard requires that a switch
passively wait for “max_age” seconds once a topology change has been
detected. IndirectLink Rapid Convergence (IRC) handles these failures in
two phases:
• Rapid detection of an indirect link failure. Tracking the inferior BPDUs
that a designated bridge detects when it transmits a direct link failure
indicates that a failure has occurred elsewhere in the network.
• Performing an immediate check if the BPDU information stored on a port
is still valid. This is implemented with a new protocol data unit (PDU) and
the Root Link Query message (RLQ).
Receiving an inferior BPDU on a port from the designated bridge indicates
that one of the following has occurred on the designated bridge:
• The path to the root has been lost and the switch starts to advertise a root
with a numerically higher bridge ID (worse root) than the local switch.
• The path cost to the root has increased above the path cost of the local
switch.
IEEE 802.1s behavior is to ignore inferior BPDUs. IRC retains the inferior
BPDUs sent by the designated bridge and processes them to determine if a
failure has occurred on the path to the root. In this case, it must age-out at
least one port. This process occurs only in the case that a bridge in the
network detects a direct link failure.
The switch tracks inferior BPDUs sent by the designated bridge only, since
this is the BPDU that is stored for the port. If, for instance, a newly inserted
bridge starts to send inferior BPDUs, it does not start the IRC feature.
Similar to DRC, the IEEE 802.1w standard incorporated the IRC feature.
RSTP-PV enabled switches allow IRC to be enabled or disabled, but ignore
the setting as the RSTP-PV state machines already implement IRC.
Reacting to Indirect Link Failures
When an inferior BPDU is received on a non-designated port, phase 2 of IRC
processing starts. An RLQ PDU is transmitted on all non-designated ports
except the port where the inferior BPDU was received and self-looped ports.
This action is intended to verify that the switch can still receive from the root
on ports that should have a path to the root. The port where the switch
received the inferior BPDU is excluded because it already failed; self-looped
and designated ports are eliminated as they do not have a path to the root.
Figure 22-5. IRC Flow
Upon receiving a negative RLQ response on a port, the port has lost
connection to the root and the switch ages-out its BPDU. If all other non-
designated ports received a negative answer, the switch has lost the root and
restarts the STP calculation.
If the response confirms the switch can still access the root bridge via a
particular port, it immediately ages-out the port on which the inferior BPDU
was received.
If the switch only received responses with a root different from the original
root, it has lost the root port and restarts the STP calculation immediately.
[Figure 22-5 flowchart text: an inferior BPDU is received; if no other non-self-looped non-designated ports exist, connectivity to the root is lost and the spanning tree is recomputed; otherwise an RLQ query is sent on the non-designated ports and the switch waits for responses. A negative response means the root is lost on that port and its BPDU is aged out; if every response is negative, the spanning tree is recomputed; if the root is still reachable on some port, the port with the inferior BPDU is aged out.]
Interoperability Between STP-PV and RSTP-PV Modes
STP-PV is derived from 802.1D and RSTP-PV is derived from 802.1w. The
fallback mechanism is the same as between a standard 802.1D switch and a
standard 802.1w switch. When a lower protocol version BPDU is received on
a switch that runs a higher protocol version, the latter falls back to the lower
version after its migration delay timer expires.
For example, an RSTP-PV switch, when connected to STP-PV switch, falls
back to the STP-PV protocol after the migration delay timer expires.
Interoperability With IEEE Spanning Tree Protocols
When a switch configured with RSTP-PV receives IEEE standard RSTP
BPDUs on a port, it responds with two versions of BPDUs on the port: SSTP
formatted BPDUs and IEEE standard STP BPDUs. The IEEE standard
BPDUs are processed by the peer switch running MSTP/RSTP, and the SSTP
format BPDUs are flooded across the MSTP/RSTP domain.
Figure 22-6. RSTP-PV and IEEE Spanning Tree Interoperability
Common Spanning Tree
There are differences between the ways that MSTP and RSTP-PV map
spanning tree instances to VLANs: RSTP-PV creates a spanning tree instance
for each VLAN, and MSTP maps one or more VLANs to each MST instance.
Where an RSTP-PV region is connected to an MSTP region, the set of RSTP-
PV instances does not generally match the set of MST instances. Therefore,
the RSTP-PV region and the MSTP region communicate with each other on a
single common spanning tree instance.
For the MSTP region, the MSTP instance communicates to the RSTP-PV
region using the CIST. For the RSTP-PV region, switches use the VLAN 1
RSTP-PV instance as the common spanning tree. On the link between the
RSTP-PV region and the MSTP region, the RSTP-PV switch sends VLAN1
BPDUs in IEEE standard format, so they can be interpreted by the MSTP
peers. Similarly, the RSTP-PV switch processes incoming MSTP BPDUs as
though they were BPDUs for the VLAN 1 RSTP-PV instance.
If the RSTP-PV switch ports connected to the MSTP switches are configured
with a native VLAN, the RSTP-PV switches are able to detect IEEE standard
format BPDUs arriving from peer switches, incorporate them into the
common spanning tree that operates in the native VLAN (VLAN 1), and
transmit untagged STP or RSTP packets to the STP/RSTP peers, in addition
to the SSTP format BPDUs.
SSTP BPDUs Flooding Across MST (CST) Regions
In addition to the IEEE standard RSTP or STP BPDUs that the RSTP-PV
switch sends to the MSTP (or RSTP or STP) region, the switch sends SSTP
format BPDUs for VLAN 1 untagged. The MSTP switch does not interpret
the SSTP BPDUs as standard BPDUs because they do not use the standard
destination MAC address, so it makes no spanning tree decisions based on
them. Instead, it floods the SSTP BPDUs over all ports in the corresponding
VLAN. These SSTP BPDUs may be multicast over the MSTP region to other
RSTP-PV switches, which use them to maintain the VLAN 1 spanning tree
topology across the MSTP (non-RSTP-PV) switches.
The RSTP-PV switches also send SSTP format BPDUs for the other (non-
VLAN 1) RSTP-PV instances into the MSTP region, tagged with the VID of
their associated VLANs. These SSTP packets are also multicast by the
switches in the MSTP region, and will reach any other RSTP-PV regions
connected to the MSTP region. The switches in the remote RSTP-PV regions
receive and process them as normal RSTP-PV BPDUs. Thus, RSTP-PV
instances are transparently expanded across the MSTP region and their
spanning trees span the MSTP region. For RSTP-PV, the MSTP region is
treated as a single hub.
Interoperability with RSTP
In Figure 22-7:
SW1 and SW2 are Dell Networking switches running RSTP-PV with
default bridge priority 32768.
SW3 is a Dell Networking switch running RSTP with default bridge
priority 32768.
Figure 22-7. RSTP-PV and RSTP Interoperability
SW3 sends IEEE STP BPDUs to the IEEE multicast MAC address as
untagged frames. These BPDUs are processed by the VLAN 1 STP instance
on the RSTP-PV switch as part of the VLAN 1 STP instance.
The RSTP-PV side sends IEEE STP BPDUs corresponding to the VLAN 1
STP to the IEEE MAC address as untagged frames across the link. At the
same time, SSTP BPDUs are sent as untagged frames. IEEE switches simply
flood the SSTP BPDUs throughout VLAN 1. This facilitates RSTP-PV
connectivity in case there are other RSTP-PV switches connected to the IEEE
STP domain.
For non-native VLANs (VLANs 2–4093), the RSTP-PV switch sends SSTP
BPDUs, tagged with their VLAN number. The VLAN STP instances are
multicast across the RSTP region, as if it were a hub switch.
[Figure 22-7 topology: SW1 and SW2 (RSTP-PV) and SW3 (RSTP) interconnected on ports 1/0/1 through 1/0/4 carrying VLAN1, VLAN2 and VLAN3; SW3 is root for VLAN1, SW1 is root for VLAN2 and 3.]
The VLAN 1 STP instances of SW1 and SW2 are joined with the STP
instance running in SW3. VLANs 2 and 3 consider the path across SW3 as
another segment linking SW1 and SW2, and their SSTP information is
multicast across SW3.
The bridge priority of SW1 and SW2 for the VLAN 1 instance is 32769 (bridge
priority + VLAN identifier).
The bridge priority of SW3 is 32768, per the IEEE 802.1w standard.
SW3 is selected as Root Bridge for the VLAN 1 instance, which is the CST, and SW1
is selected as Root Bridge for VLAN 2 and VLAN 3 (based on the lower MAC
address of SW1).
Interoperability with MSTP
RSTP-PV runs an individual RSTP instance for each VLAN. MSTP maps
VLANs to MSTIs, so one-to-one mapping between VLAN and STP instance
is not possible.
MSTP runs multiple MSTIs inside a region and maps them to the CIST on
the border ports. The interoperability model must ensure that internal MSTIs
are aware of changes to any of the RSTP-PV trees. Therefore, the simplest way
to ensure the correct behavior is to join ALL RSTP-PV trees to the CST.
Connecting RSTP-PV trees to the CST ensures that changes in any of the
RSTP-PV STP instances will affect the CST and all MSTIs. This approach
ensures that no changes go unnoticed and no black holes occur in a single
VLAN. As with IEEE STP, every tree in the RSTP-PV domain views the
MSTP regions as virtual bridges with multiple boundary ports. A topology
change in any of the RSTP-PV trees will affect the CST and propagate through
every MSTI instance in all MSTP regions. This behavior, consequently, makes
the MSTP topology less stable.
The MSTP implementation simulates RSTP-PV by replicating CIST BPDUs
on the link facing the RSTP-PV domain and sending those BPDUs on ALL
VLANs active on the trunk. The MSTP switch processes IEEE STP VLAN 1
BPDUs received from the RSTP-PV domain using the CIST instance. The
RSTP-PV domain interprets the MSTP domain as an RSTP-PV bridge with
all per-VLAN instances claiming the CIST Root as the root of their individual
spanning tree. For the common STP Root elected between MSTP and RSTP-
PV, two options are possible:
The MSTP domain contains the root bridge for ALL VLANs. This implies
that the CIST Root Bridge ID is configured to be better than any RSTP-
PV STP root Bridge ID. If there is only one MSTP region connected to the
RSTP-PV domain, then all boundary ports on the virtual-bridge will be
unblocked and used by RSTP-PV. This is the only supported topology, as
the administrator can manipulate uplink costs on the RSTP-PV side and
obtain optimal traffic engineering results. In Figure 22-8, VLANs 2 and 3
have their STP costs configured to select different uplinks connected to
the MSTP region's boundary ports. Since the CIST Root is inside the
MSTP region, both boundary ports are non-blocking designated and the
load balancing scheme operates as expected.
Figure 22-8. MSTP and RSTP-PV Interoperability
[Figure: an MSTP Region holding the CIST Root, connected through Boundary Port 1 and Boundary Port 2 to a PVST+ Bridge; VLAN 2 STP and VLAN 3 STP each select a different uplink, with the unused link marked ×.]
The alternative is that the RSTP-PV domain contains the root bridges for
ALL VLANs. This is only true if all RSTP-PV root bridges’ Bridge IDs for
all VLANs are better than the MSTP CIST Root Bridge ID. This is not a
supported topology, because all MSTIs map to CIST on the border link,
and it is not possible to load-balance the MSTIs as they enter the RSTP-
PV domain.
The Dell Networking RSTP-PV implementation does not support the second
option. The MSTP domain must contain the bridge with the best Bridge ID
to ensure that the CIST Root is also the root for all RSTP-PV trees. In any
other case, the MSTP border switch will place the ports that receive superior
BPDUs from the RSTP-PV region in the root-inconsistent state. To resolve
this issue, ensure that the RSTP-PV domain does not have any bridges with
Bridge IDs better than the CIST Root Bridge ID.
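The per-VLAN root election used in Figure 22-7 (bridge priority plus VLAN identifier, then MAC address) and the root-ordering rule for the MSTP boundary described above, as an added example in Python; this is not Dell code, and the bridge names and MAC addresses are constructed:

```python
"""Per-VLAN root election for RSTP-PV / IEEE spanning tree interoperability.
Added example (not Dell code); bridge names and MAC addresses are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str               # constructed sample value, e.g. "00:00:00:00:00:01"
    priority: int = 32768  # default switch priority (Table 22-1)
    per_vlan: bool = True  # True: RSTP-PV bridge; False: IEEE RSTP/MSTP bridge

def bridge_id(bridge: Bridge, vlan: int) -> tuple:
    """Comparable Bridge ID (priority, MAC) for one VLAN instance; lower wins.
    RSTP-PV adds the VLAN id to the priority (32768 + 1 = 32769 for VLAN 1);
    an IEEE bridge runs a single CST instance with the plain priority."""
    prio = bridge.priority + vlan if bridge.per_vlan else bridge.priority
    return (prio, int(bridge.mac.replace(":", ""), 16))

def elect_root(bridges, vlan: int) -> Bridge:
    """Root for one VLAN. IEEE bridges take part only in VLAN 1 (the CST);
    the other RSTP-PV instances are flooded through them as tagged SSTP
    BPDUs, so for those VLANs the IEEE switch is just a hub."""
    candidates = [b for b in bridges if b.per_vlan or vlan == 1]
    return min(candidates, key=lambda b: bridge_id(b, vlan))

def mstp_boundary_check(cist_root: Bridge, pv_bridges, vlans) -> list:
    """VLANs whose RSTP-PV root Bridge ID beats the CIST Root Bridge ID.
    The MSTP region claims the CIST Root on every VLAN facing the RSTP-PV
    domain, so any VLAN returned here is the unsupported topology: the MSTP
    border port would see superior BPDUs and go root-inconsistent."""
    cist_id = bridge_id(cist_root, 1)
    return [v for v in vlans if bridge_id(elect_root(pv_bridges, v), v) < cist_id]

if __name__ == "__main__":
    # Figure 22-7: SW1 and SW2 run RSTP-PV, SW3 runs IEEE RSTP, all at priority 32768.
    sw1 = Bridge("SW1", "00:00:00:00:00:01")
    sw2 = Bridge("SW2", "00:00:00:00:00:02")
    sw3 = Bridge("SW3", "00:00:00:00:00:03", per_vlan=False)
    for vlan in (1, 2, 3):   # SW3 wins VLAN 1 (32768 < 32769); SW1 wins 2 and 3 by lower MAC
        print(f"VLAN {vlan} root: {elect_root([sw1, sw2, sw3], vlan).name}")
    # MSTP case: the CIST Root must hold the best Bridge ID (4096 passes, 61440 fails).
    for prio in (4096, 61440):
        cist = Bridge("MSTP-CIST", "00:00:00:00:00:aa", priority=prio, per_vlan=False)
        print(f"CIST priority {prio}: root-inconsistent VLANs {mstp_boundary_check(cist, [sw1, sw2], [1, 2, 3])}")
```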
Native VLAN Inconsistent State
This occurs if a trunk port receives an untagged SSTP BPDU with a VLAN
type, length, value (TLV) that does not match the VLAN where the BPDU
was received. In this case, the port transitions to the blocked state.
Configuration Examples
See "RSTP-PV Access Switch Configuration Example" on page 756.
Default STP Values
Spanning tree is globally enabled on the switch and on all ports and LAGs.
Table 22-1 summarizes the default values for STP.
Table 22-1. STP Defaults
Parameter                           Default Value
Enable state                        Enabled (globally and on all ports)
Spanning tree mode                  RSTP (Classic STP, STP-PV, RSTP-PV, and MSTP are disabled)
Switch priority                     32768
BPDU flooding                       Disabled
PortFast mode                       Disabled
PortFast BPDU filter                Disabled
Loop guard                          Disabled
BPDU protection                     Disabled
Spanning tree port priority         128
Maximum-aging time                  20 seconds
Forward-delay time                  15 seconds
Maximum hops                        20
Spanning tree transmit hold count   6
MSTP region name                    MAC address of switch
MSTP included VLANs                 1
Configuring Spanning Tree (Web)
This section provides information about the OpenManage Switch
Administrator pages for configuring and monitoring STP settings on Dell
Networking N2000, N3000, and N4000 series switches. For details about the
fields on a page, click at the top of the page.
STP Global Settings
The STP Global Settings page contains fields for enabling STP on the
switch.
To display the STP Global Settings page, click Switching > Spanning Tree > Global Settings in the navigation panel.
Figure 22-9. Spanning Tree Global Settings
STP Port Settings
Use the STP Port Settings page to assign STP properties to individual ports.
To display the STP Port Settings page, click Switching > Spanning Tree > STP Port Settings in the navigation panel.
Figure 22-10. STP Port Settings
Configuring STP Settings for Multiple Ports
To configure STP settings for multiple ports:
1. Open the STP Port Settings page.
2. Click Show All to display the STP Port Table.
Figure 22-11. Configure STP Port Settings
3. For each port to configure, select the check box in the Edit column in the row associated with the port.
4. Select the desired settings.
5. Click Apply.
STP LAG Settings
Use the STP LAG Settings page to assign STP parameters to link aggregation groups (LAGs).
To display the STP LAG Settings page, click Switching > Spanning Tree > STP LAG Settings in the navigation panel.
Figure 22-12. STP LAG Settings
Configuring STP Settings for Multiple LAGs
To configure STP settings on multiple LAGs:
1. Open the STP LAG Settings page.
2. Click Show All to display the STP LAG Table.
Figure 22-13. Configure STP LAG Settings
3. For each LAG to configure, select the check box in the Edit column in the row associated with the LAG.
4. Select the desired settings.
5. Click Apply.
Rapid Spanning Tree
Rapid Spanning Tree Protocol (RSTP) detects and uses network topologies
that allow a faster convergence of the spanning tree without creating
forwarding loops.
To display the Rapid Spanning Tree page, click Switching > Spanning Tree > Rapid Spanning Tree in the navigation panel.
Figure 22-14. Rapid Spanning Tree
To view RSTP Settings for all interfaces, click the Show All link. The Rapid
Spanning Tree Table displays.
Figure 22-15. RSTP Settings
MSTP Settings
The Multiple Spanning Tree Protocol (MSTP) supports multiple instances of
Spanning Tree to efficiently channel VLAN traffic over different interfaces.
MSTP is compatible with both RSTP and STP; an MSTP bridge can be
configured to behave entirely as an RSTP bridge or an STP bridge.
To display the MSTP Settings page, click Switching > Spanning Tree > MSTP Settings in the navigation panel.
Figure 22-16. MSTP Settings
Viewing and Modifying the Instance ID for Multiple VLANs
To configure MSTP settings for multiple VLANs:
1. Open the MSTP Settings page.
2. Click Show All to display the MSTP Settings Table.
Figure 22-17. Configure MSTP Settings
3. For each Instance ID to modify, select the check box in the Edit column in the row associated with the VLAN.
4. Update the Instance ID settings for the selected VLANs.
5. Click Apply.
MSTP Interface Settings
Use the MSTP Interface Settings page to assign MSTP settings to specific
interfaces.
To display the MSTP Interface Settings page, click Switching > Spanning Tree > MSTP Interface Settings in the navigation panel.
Figure 22-18. MSTP Interface Settings
Configuring MSTP Settings for Multiple Interfaces
To configure MSTP settings for multiple interfaces:
1. Open the MSTP Interface Settings page.
2. Click Show All to display the MSTP Interface Table.
3. For each interface to configure, select the check box in the Edit column in the row associated with the interface.
4. Update the desired settings.
5. Click Apply.
Configuring Spanning Tree (CLI)
This section provides information about the commands you use to configure
STP settings on the switch. For more information about the commands, see
the Dell Networking N2000, N3000, and N4000 Series Switches CLI
Reference Guide at support.dell.com/manuals.
Configuring Global STP Bridge Settings
Beginning in Privileged EXEC mode, use the following commands to
configure the global STP settings for the switch, such as the priority and
timers.
Command and purpose:
configure
    Enter global configuration mode.
spanning-tree
    Enable spanning tree on the switch.
spanning-tree mode {stp | rstp | mst}
    Specify which spanning tree mode to use on the switch.
spanning-tree priority priority
    Specify the priority of the bridge (Range: 0–61440). The switch with
    the lowest priority value is elected as the root switch.
spanning-tree max-age seconds
    Specify the switch maximum age time, which indicates the amount of
    time in seconds a bridge waits before implementing a topological
    change. Valid values are 6 to 40 seconds.
spanning-tree forward-time seconds
    Specify the switch forward delay time, which indicates the amount of
    time in seconds a bridge remains in the listening and learning states
    before forwarding packets. Valid values are 4 to 30 seconds.
spanning-tree max-hops hops
    Configure the maximum number of hops for the spanning tree. Valid
    values are 6 to 40.
spanning-tree transmit hold-count [value]
    Set the maximum number of BPDUs that a bridge is allowed to s