Dell 6200 SERIES User Manual (Dell PowerConnect 6200 Series Configuration Guide)
- 176 pages
- 2.07 MB
The correct user manual
The regulations oblige the seller to hand over the user manual for the Dell 6200 SERIES to the buyer together with the goods. A missing manual, or incorrect information passed on to the consumer, constitutes grounds for a complaint on the basis of non-conformity of the device with the contract. The law permits the manual to be supplied in a form other than paper, which has recently been used very often by adding a graphical or electronic manual for the Dell 6200 SERIES, as well as instructional videos for users. The condition is that its form is legible and understandable.
What is a user manual?
The word comes from the Latin "instructio", i.e. to arrange. Accordingly, in the manual for the Dell 6200 SERIES you can find a description of the stages of the procedures. The purpose of the manual is instruction, simplifying the start-up and use of the device, or the execution of specific tasks. The manual is a collection of information about an object or service, a guide.
Unfortunately, not many users devote their time to the user manual for the Dell 6200 SERIES. A good user manual not only lets you get to know a number of additional functions of the purchased device, but also helps to avoid many errors.
So what should an ideal user manual contain?
The user manual for the Dell 6200 SERIES should above all contain:
- Information about the technical data of the Dell 6200 SERIES device
- The name of the manufacturer and the year of manufacture of the Dell 6200 SERIES device
- Principles of operation, adjustment and maintenance of the Dell 6200 SERIES device
- Safety marks and certificates confirming compliance with the relevant standards
Why don't we read user manuals?
The reason is a lack of time and confidence about the specific functions of the purchased devices. Unfortunately, just connecting and starting the Dell 6200 SERIES is not enough. A manual contains a number of notes on specific functions, safety principles, maintenance methods (even which agents to use), possible faults of the Dell 6200 SERIES and ways of solving problems that may occur during use. After all, the manual also contains the contact number for Dell service if the suggested solutions are not effective. Currently, manuals in the form of interesting animations or video instructions are gaining popularity, as they appeal to the user better than a brochure. This type of manual guarantees that the user watches the whole video without skipping the detailed and complicated technical descriptions of the Dell 6200 SERIES, as happens with the paper form.
Why should you read user manuals?
In the user manual we find above all the answers about the construction and the capabilities of the Dell 6200 SERIES device, about the use of specific accessories, and a range of information that allows you to use all functions and conveniences.
After a successful purchase of the device, you should devote some time to getting to know every part of the manual for the Dell 6200 SERIES. Currently they are carefully prepared or translated so that they are not only understandable for users, but also fulfil their basic auxiliary information function.
Contents of the user manual (page previews)
- Page 1: www.dell.com | support.dell.com Dell™ PowerConnect™ 6200 Series Configuration Guide. Model: PC6224, PC6248, PC6224P, PC6248P, and PC6224F[...]
- Page 2: Notes, Cautions, and Warnings. NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed. WARNING: A WARNING indicates a potential for property damage, personal injury, or deat[...]
- Page 3: Contents. 1 About this Document (9); Organization (9); Additional Documentation (10); 2 System Configuration (11); Trace[...]
- Page 4: 3 Switching Configuration (29); Virtual LANs (29); VLAN Configuration Example (30); CLI Examples (31); Web Interface[...]
- Page 5: sFlow (67); Overview (67); sFlow Agents (68); CLI Examples (69); 4 Routing Configura[...]
- Page 6: 5 Device Security (105); 802.1x Network Access Control (106); 802.1x Network Access Control Examples (106); 802.1X Authentication and VLANs (109); Authenticated and[...]
- Page 7: 6 IPv6 (135); Overview (135); Interface Configuration (135); CLI Example (136); 7 Qual[...]
- Page 8: 9 Utility (161); Auto Config (162); Overview (162); Functional Description (162); CLI Examp[...]
- Page 9: 1 About this Document. This configuration guide provides examples of how to use the Dell™ PowerConnect™ 6200 Series switch in a typical network. It describes the advantages of specific functions the PowerConnect 6200 Series switch provides and includes information about configuring those functions using the comma[...]
- Page 10: Additional Documentation. The following documentation provides additional information about PowerConnect 6200 Series software: • The CLI Command Reference for your Dell PowerConnect switch describes the commands available from the command-line interface (CLI) for managing, monitoring, and configuring the swi[...]
- Page 11: 2 System Configuration. This section provides configuration scenarios for the following features: • "Traceroute" on page 12 • "Configuration Scripting" on page 13 • "Outbound Telnet" on page 16 • "Simple Network Time Protocol (SNTP)" on page 17 • "[...]
- Page 12: Traceroute. Use Traceroute to discover the routes that packets take when traveling on a hop-by-hop basis to their destination through the network. • Maps network routes by sending packets with small Time-to-Live (TTL) values and watches the ICMP time-out announcements • Command displays all L3 device[...]
- Page 13: --More-- or (q)uit 20 64.233.174.99 250 ms 240 ms 250 ms Hop Count = 20 Last TTL = 30 Test attempt = 90 Test Success = 90. Configuration Scripting. Configuration scripting allows you to generate a text-formatted script file that shows the current system configuration. You can generate multiple scripts and upload and [...]
- Page 14: CLI Examples. The following are examples of the commands used for configuration scripting. Example #1: Viewing the Script Options. console#script ? apply Applies configuration script to the switch. delete Deletes a configuration script file from the switch. list Lists all configuration script files present on th[...]
- Page 15: Example #4: Copying the Active Configuration into a Script. Use this command to capture the running configuration into a script. console#show running-config running-config.scr Config script created successfully. Example #5: Uploading a Configuration Script to the TFTP Server. Use this command to upload a conf[...]
- Page 16: exit configure logging web-session bridge aging-time 100 exit Configuration script validated. File transfer operation completed successfully. Example #7: Validating a Script. console#script validate abc.scr ip address dhcp username "admin" password 16d7a4fca7442dda3ad93c9a726597e4 level 15 encrypted exit Con[...]
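Added example (not from the Dell guide or from this listing): the script-validation output on page 16 shows a user record stored as username "admin" password <32 hex digits> level 15 encrypted, and Example #4 on page 15 exports the running configuration to a .scr file that is then uploaded to a TFTP server. The Python script below, written for this page, scans such a script for username lines and reports which credentials are stored in the clear and which as a digest. The sample script is constructed; only the "admin" line is taken from the page, the other user lines, the severity ratings and the regular expression are this example's own assumptions about the script format.

```python
import re

# Constructed sample of a PowerConnect-style configuration script (.scr).
# The "admin" line is the one shown in the script-validation output on
# page 16 of the guide; the other lines are made up for this example.
SAMPLE_SCRIPT = """\
configure
ip address dhcp
username "admin" password 16d7a4fca7442dda3ad93c9a726597e4 level 15 encrypted
username "guest" password Summer2024 level 1
username "noc" password 0a1b2c3d4e5f60718293a4b5c6d7e8f9 level 15 encrypted
logging web-session
bridge aging-time 100
exit
"""

# Assumed line shape: username "<name>" password <secret> [level <n>] [encrypted]
USERNAME_RE = re.compile(
    r'^\s*username\s+"?(?P<user>[^"\s]+)"?\s+password\s+(?P<secret>\S+)'
    r'(?:\s+level\s+(?P<level>\d+))?(?P<enc>\s+encrypted)?\s*$'
)


def audit_script(text):
    """Return one finding per username line of a configuration script.

    A username line without the trailing 'encrypted' keyword carries the
    password in the clear, so whoever can read the script (TFTP server,
    backup share, ticket attachment) holds a working credential.  The
    'encrypted' form on the page is a 32-hex-digit value; the guide does not
    name the algorithm, so it is reported only as a digest with its length.
    An exported digest is still a target for offline guessing, so a
    privileged (level 15) one is rated medium rather than low.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USERNAME_RE.match(line)
        if not m:
            continue
        secret = m.group("secret")
        level = int(m.group("level") or 1)
        encrypted = m.group("enc") is not None
        if not encrypted:
            severity = "high"
        elif level >= 15:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "line": lineno,
            "user": m.group("user"),
            "level": level,
            "storage": "digest" if encrypted else "plaintext",
            "secret_len": len(secret),
            "severity": severity,
        })
    return findings


def plaintext_users(text):
    """Usernames whose password is stored in the clear."""
    return [f["user"] for f in audit_script(text) if f["storage"] == "plaintext"]


if __name__ == "__main__":
    for finding in audit_script(SAMPLE_SCRIPT):
        print(finding)
```

Run it against a real export by reading the .scr file into `audit_script`; anything it reports as plaintext should be re-entered on the switch so that the stored form is the encrypted one, and the exported file itself should be treated as a secret wherever it is kept.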
- Page 17: CLI Examples. The following are examples of the commands used in the outbound telnet feature. Example #1: Connecting to Another System by Using Telnet. console#telnet 192.168.77.151 Trying 192.168.77.151... console# User:admin Password: (Dell PC62XX Routing) >enable Password: console#show ip interface Management[...]
- Page 18: CLI Examples. The following are examples of the commands used in the SNTP feature. Example #1: Viewing SNTP Options. (Dell PC62XX Routing)(Config)#sntp ? console(config)#sntp ? authenticate Require authentication for received Network Time Protocol (NTP) traffic from servers. authentication-key Define an authentica[...]
- Page 19: Example #3: Viewing SNTP Information. console#show sntp ? configuration Show the configuration of the Simple Network Time Protocol (SNTP). status To show the status of the Simple Network Time Protocol (SNTP). console#show sntp configuration Polling interval: 64 seconds MD5 Authentication keys: Authentication is not r[...]
- Page 20: Syslog. Overview. Syslog: • Allows you to store system messages and/or errors. • Can store to local files on the switch or a remote server running a syslog daemon. • Provides a method of collecting message logs from many systems. Interpreting Log Files. Figure 2-1 describes the information that displ[...]
- Page 21: Web Session Logging: disabled. SNMP Set Command Logging: disabled. 0 Messages were not logged. Buffer Log: <189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 31 %% Instance 0 has elected a new STP root: 8000:00ff:f2a3:8888 <189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c([...]
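Added example (not from the Dell guide or from this listing): the buffer log on page 21 shows the line format the switch writes, a <PRI> value, timestamp, host, component and task ID, source file and line, a sequence number and the message, and the page-22 listing gives the eight severity names. The Python code below, written for this page, parses lines of that shape, decodes PRI into facility and severity, and raises an alert whenever an "elected a new STP root" message names a bridge other than the one expected, which is the event a defender wants to catch because a new root bridge appearing on the LAN can mean a misplaced switch or deliberate BPDU injection. Only the first log line is taken from the page; the other two sample lines, the expected root MAC and the regular expressions are constructed for this example.

```python
import re

# Constructed buffer-log sample.  The first line is the one printed on
# page 21 of the guide; the other two are made up in the same format.
SAMPLE_BUFFER_LOG = """\
<189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 31 %% Instance 0 has elected a new STP root: 8000:00ff:f2a3:8888
<189> JAN 01 03:58:02 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 32 %% Link Up: 1/g17
<189> JAN 01 04:12:40 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 33 %% Instance 0 has elected a new STP root: 1000:0011:2233:4455
"""

# <PRI> MON DD hh:mm:ss host-unit COMPONENT[task]: file(line) seq %% message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s+(?P<ts>[A-Z]{3} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<comp>\w+)\[(?P<task>\d+)\]:\s+"
    r"(?P<src>\S+)\s+(?P<seq>\d+)\s+%%\s+(?P<msg>.*)$"
)
ROOT_RE = re.compile(
    r"elected a new STP root:\s+(?P<bid>[0-9a-fA-F]{4}(?::[0-9a-fA-F]{4}){3})"
)
# Severity codes 0-7 as listed on page 22 of the guide
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]


def parse_syslog_line(line):
    """Split one buffer-log line; PRI = facility * 8 + severity (RFC 3164)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    pri = int(rec["pri"])
    rec["pri"] = pri
    rec["facility"] = pri // 8
    rec["severity"] = SEVERITY_NAMES[pri % 8]
    rec["seq"] = int(rec["seq"])
    return rec


def parse_bridge_id(bid):
    """Decode '8000:00ff:f2a3:8888' into priority, system-ID extension and MAC.

    The first 16-bit word is the bridge priority (upper 4 bits, a multiple
    of 4096) plus the 12-bit system-ID extension; the remaining 48 bits are
    the bridge MAC address.
    """
    words = bid.lower().split(":")
    prio_word = int(words[0], 16)
    mac = ":".join(w[i:i + 2] for w in words[1:] for i in (0, 2))
    return {"priority": prio_word & 0xF000,
            "sysid_ext": prio_word & 0x0FFF,
            "mac": mac}


def detect_root_changes(text, expected_root_mac):
    """Flag every root-election message whose new root is not the expected bridge."""
    expected = expected_root_mac.lower()
    alerts = []
    for line in text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        r = ROOT_RE.search(rec["msg"])
        if r is None:
            continue
        bid = parse_bridge_id(r.group("bid"))
        alerts.append({
            "ts": rec["ts"],
            "host": rec["host"],
            "severity": rec["severity"],
            "root_mac": bid["mac"],
            "priority": bid["priority"],
            "status": "expected" if bid["mac"] == expected else "UNEXPECTED",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_root_changes(SAMPLE_BUFFER_LOG, "00:ff:f2:a3:88:88"):
        print(alert)
```

PRI 189 decodes to facility 23 (local7) and severity 5 (notice), so a collector filtering on "warning and above" would drop this message; the root-election check has to key on the message text, not the severity.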
- Page 22: alert Immediate action needed; critical Critical conditions; debug Debugging messages; emergency System is unusable; error Error conditions; info Informational messages; notice Normal but significant conditions; warning Warning conditions. console(Config-logging)#level critical. Port Description. The Port Description fea[...]
- Page 23: Storm Control. A traffic storm occurs when incoming packets flood the LAN, resulting in network performance degradation. The Storm Control feature protects against this condition. The switch software provides broadcast, multicast, and unicast storm recovery for individual interfaces. Unicast Storm Control protects ag[...]
- Page 24: Example #1: Set Broadcast Storm Control for an Interface. console#configure console(config)#interface ethernet 1/g17 console(config-if-1/g17)#storm-control broadcast ? <cr> Press enter to execute the command. level Configure storm-control thresholds. console(config-if-1/g17)#storm-control broadcast level ? <rate[...]
- Page 25: Cable Diagnostics. This section describes: • "Copper Port Cable Test" on page 25 • "Fiber Port Cable Test" on page 27. NOTE: Cable Diagnostics is supported on SFP/XFP ports but not on the Stacking/CX-4/SFP+/10GBaseT ports. Copper Port Cable Test. The cable test feature enables you to [...]
- Page 26: Example #1: Cable Test for Copper Ports. console#test copper-port tdr 1/g1 Cable Status: Short. Cable Length: 5m. console#show copper-ports tdr Port / Result / Length [meters] / Date: 1/g1 Short 9 Jan 0[...]
- Page 27: Example #3: Show Last Time Domain Reflectometry Tests. Use the show copper-ports tdr command in Privileged EXEC mode to display the last Time Domain Reflectometry (TDR) tests on specified ports. The following example displays the last TDR tests on all ports. console#show copper-ports tdr Port Result Length [[...]
- Page 28: [...]
- Page 29: 3 Switching Configuration. This section provides configuration scenarios for the following features: • "Virtual LANs" on page 29 • "Voice VLAN" on page 37 • "IGMP Snooping" on page 40 • "IGMP Snooping Querier" on page 43 • "Link Aggregation/Port Channels"[...]
- Page 30: • The IP-subnet Based VLAN feature lets you map IP addresses to VLANs by specifying a source IP address, network mask, and the desired VLAN ID. • The MAC-based VLAN feature lets packets originating from end stations become part of a VLAN according to source MAC address. To configure the feature, you[...]
- Page 31: CLI Examples. The following examples show how to create VLANs, assign ports to the VLANs, and assign a VLAN as the default VLAN to a port. Example #1: Create Two VLANs. Use the following commands to create two VLANs and to assign the VLAN IDs while leaving the names bl[...]
- Page 32: Example #3: Assign Ports to VLAN3. This example shows how to assign the ports that will belong to VLAN 3. Untagged frames will be accepted on ports 1/g19 and 1/g20. Note that port 1/g18 belongs to both VLANs and that port 1/g17 can never belong to VLAN 3. console(config)#interface ethernet 1/g18 con[...]
- Page 33: Example #6: View Information About VLAN 2. console#show ip interface vlan 2 Primary IP Address: 192.168.10.33/255.255.255.0. Routing Mode: Enable. Administrative Mode: Enable. Forward Net Directed Broadcasts: Disable. Prox[...]
- Page 34: IP Subnet and MAC-Based VLANs. In addition to port-based VLANs, the switch also supports VLANs that are based on the IP address or MAC address of a host. With IP subnet and MAC-based VLANs, the VLAN membership is determined by the address of the host rather than the port to which the host is attached. CLI Exam[...]
- Page 35: Example #4: Viewing IP Subnet and MAC-Based VLAN Associations. console#show vlan association mac (MAC Address / VLAN ID): 00FF.F2A3.8886 10. console#show vlan association subnet (IP Subnet / IP Mask / VLAN ID): 192.168.25.0 255.255.255.0 10; 192.168.1.11 255.[...]
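Added example (not from the Dell guide or from this listing): pages 30, 34 and 35 describe VLAN membership chosen by the source MAC address or source IP subnet of a host instead of by the port, and page 35 prints the two association tables. The Python code below, written for this page, performs that classification for an untagged frame: MAC association first, then longest-prefix subnet association, then the port's PVID. The guide does not state the precedence between the rules, so that order is an assumption of this example; the MAC entry and the first subnet entry are taken from page 35, the second subnet row is cut off on the page and its mask and VLAN are constructed. The point worth seeing in code is that both address-based rules key on fields the sending host controls, so a host that spoofs a listed MAC or IP is placed in that VLAN.

```python
import ipaddress

# Association tables as printed by "show vlan association mac" and
# "show vlan association subnet" on page 35 of the guide.  The second subnet
# row is cut off on the page, so its mask and VLAN are constructed here.
MAC_ASSOC = {"00ff.f2a3.8886": 10}
SUBNET_ASSOC = [
    ("192.168.25.0", "255.255.255.0", 10),
    ("192.168.1.11", "255.255.255.255", 20),   # constructed completion
]


def norm_mac(mac):
    """Canonical dotted-hex form (aabb.ccdd.eeff) for any common MAC notation."""
    hexdigits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def build_subnet_table(rows):
    """(network, vlan) pairs sorted longest prefix first for a first-match lookup."""
    table = [(ipaddress.ip_network(f"{net}/{mask}"), vid) for net, mask, vid in rows]
    return sorted(table, key=lambda t: t[0].prefixlen, reverse=True)


def classify_untagged(frame, port_pvid, mac_assoc=MAC_ASSOC, subnet_table=None):
    """Pick the VLAN for an untagged frame and say which rule chose it.

    Precedence assumed by this example (the guide does not state it):
    MAC association, then IP-subnet association, then the port PVID.
    """
    if subnet_table is None:
        subnet_table = build_subnet_table(SUBNET_ASSOC)
    mac = norm_mac(frame["src_mac"])
    if mac in mac_assoc:
        return mac_assoc[mac], f"mac-based ({mac})"
    if frame.get("src_ip"):
        ip = ipaddress.ip_address(frame["src_ip"])
        for net, vid in subnet_table:
            if ip in net:
                return vid, f"subnet-based ({net})"
    return port_pvid, "port-based (PVID)"


if __name__ == "__main__":
    # Constructed frames arriving on a port whose PVID is 1.  The first one
    # carries the MAC listed on page 35 and is classified into VLAN 10
    # regardless of where it was plugged in or what IP it uses.
    for f in ({"src_mac": "00:FF:F2:A3:88:86", "src_ip": "10.0.0.9"},
              {"src_mac": "00:11:22:33:44:55", "src_ip": "192.168.25.77"},
              {"src_mac": "00:11:22:33:44:55", "src_ip": "192.168.1.11"},
              {"src_mac": "00:11:22:33:44:55", "src_ip": "10.0.0.5"}):
        print(f, "->", classify_untagged(f, 1))
```

Because of that spoofing property, address-based VLAN assignment is a convenience for moving known hosts between ports, not an access control; separation that has to hold against a hostile host needs 802.1X or port-based membership with port security.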
- Page 36: CLI Example. Example #1: Configuring a Protected Port. The commands in this example name the protected port group 1 "PP_Test" and assign ports 1 and 2 to the group. console(config)#switchport protected 1 name PP_Test console(config)#interface ethernet 1/g17 console(config-if-1/g17)#switchport protec[...]
- Page 37: Voice VLAN. Voice VLAN enables switch ports to carry voice traffic with a defined priority in order to enable the separation of voice and data traffic coming onto the port. A primary benefit of using Voice VLAN is to ensure that the sound quality of an IP phone is safeguarded from deteriorating when[...]
- Page 38: • When a dot1p priority is associated with the Voice VLAN port instead of a VLAN ID, then the priority information is passed onto the VoIP phone using the LLDP-MED mechanism. By this method, the voice data coming from the VoIP phone is tagged with VLAN 0 and with the exchanged priorit[...]
- Page 39: Example #2: Configuring Voice VLAN on an Unauthenticated Port. In some networks, multiple devices (for example, a PC, printer, and phone) are connected to a single port on the switch. The PCs and printers are authenticated by 802.1X, but the phone might n[...]
- Page 40: IGMP Snooping. This section describes the Internet Group Management Protocol (IGMP) Snooping feature. IGMP Snooping enables the switch to monitor IGMP transactions between hosts and routers. It can help conserve bandwidth by allowing the switch to forward IP multicast traffic only to connected hosts that req[...]
- Page 41: 1. Create VLAN 100. console#configure console(config)#vlan database console(config-vlan)#vlan 100 2. Enable IGMP snooping on the VLAN. console(config-vlan)#ip igmp snooping 100 console(config-vlan)#exit 3. Forbid the forwarding of unregistered multicast addresses on VLAN 100 to prevent multicast flooding to ports [...]
- Page 42: 9. View information about the IGMP snooping configuration. console#show ip igmp snooping Admin Mode: Enable. Multicast Control Frame Count: 0. Interfaces Enabled for IGMP Snooping: None. VLANs enabled for IGMP snooping: 100. In this example, [...]
- Page 43: Multicast Packets Received: 626494. Broadcast Packets Received: 0. console#show statistics ethernet 1/g10 ... Total Packets Received Without Errors: 12. Unicast Packets Received: 0. Multicast Packets Received: 12. Broadcast Packets Rec[...]
- Page 44: Example #2: Configure IGMP Snooping Querier Properties. The first command in this example sets the IGMP Querier Query Interval time to 100. This means that the switch waits 100 seconds before sending another general query. The second command sets the IGMP Querier timer expiration period to 100.[...]
- Page 45: Example #5: Show IGMP Snooping Querier Information for VLAN 10. console#show ip igmp snooping querier vlan 10 Vlan 10: IGMP Snooping querier status. IGMP Snooping Querier Vlan Mode: Enable. Querier Election Participate Mode: Enable. Querier Vla[...]
- Page 46: CLI Example. The following shows an example of configuring the software to support Link Aggregation (LAG) to a server and to a Layer 3 switch. Figure 3-3 shows the example network. Figure 3-3. LAG/Port-channel Example Network Diagram (labels: Subnet 3, Port 1/0/8 LAG_20, Layer 2 Switch, Port 1/0/9 LAG_20, Server, Por[...]
- Page 47: Example 1: Create Names for Two Port-Channels. console#configure console(config)#interface port-channel 1 console(config-if-ch1)#description lag_1 console(config-if-ch1)#exit console(config)#interface port-channel 2 console(config-if-ch2)#description lag_2 console(config-if-ch2)#exit Example 2: Add the Physica[...]
- Page 48: (continuation of a port-channel table) ch2 through ch13 each read "No Configured Ports 3"; ch1[...]
- Page 49: Port Mirroring. This section describes the Port Mirroring feature, which can serve as a diagnostic tool, debugging tool, or means of fending off attacks. Overview. Port mirroring selects network traffic from specific ports for analysis by a network analyzer, while allowing the same traffic to be switched t[...]
- Page 50: Port Security. This section describes the Port Security feature. Overview. Port Security: • Allows for limiting the number of MAC addresses on a given port. • Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure packets) are restricted. • Enable[...]
- Page 51: CLI Examples. The following are examples of the commands used in the Port Security feature. Example #1: Enable Port Security on an Interface. console(config)#interface ethernet 1/g18 console(config-if-1/g18)#port security ? <cr> Press enter to execute the command. discard Discard frames with unlearned s[...]
- Page 52: Link Layer Discovery Protocol. The Link Layer Discovery Protocol (LLDP) feature allows individual interfaces on the switch to advertise major capabilities and physical descriptions. Network managers can view this information and identify system topology and detect bad configurations on the LAN. LLDP has separa[...]
- Page 53: Example #3: Show Global LLDP Parameters. console#show lldp LLDP Global Configuration. Transmit Interval: 30 seconds. Transmit Hold Multiplier: 8. Reinit Delay: 5 seconds. Notification Interval: 1000 seconds. Example #4 Sh[...]
- Page 54: Denial of Service Attack Protection. This section describes the PowerConnect 6200 Series Denial of Service Protection feature. Overview. Denial of Service: • Spans two categories: – Protection of the switch – Protection of the network • Protects against the exploitation of a numb[...]
- Page 55: Table 3-1 describes the dos-control keywords. Table 3-1. DoS Control. CLI Examples. The commands shown below show how to enable DoS protection and view its status. Example #1: Enabling all DoS Controls. console#configure console(config)#dos-control sipdip console(config)#dos-control firstfrag console(con[...]
- Page 56: Example #2: Viewing the DoS Configuration Information. console#show dos-control SIPDIP Mode: Enable. First Fragment Mode: Enable. Min TCP Hdr Size: 20. TCP Fragment Mode: Enable. TCP Flag Mode: [...]
- Page 57: The hardware rate limits DHCP packets sent to the CPU from interfaces to 64 Kbps. The DHCP snooping application processes incoming DHCP messages. For DHCPRELEASE and DHCPDECLINE messages, the application compares the receive interface and VLAN with the client interface and VLAN in the bindings database.[...]
- Page 58: Figure 3-4. DHCP Binding. The DHCP snooping component does not forward server messages since they are forwarded in hardware. DHCP snooping forwards valid DHCP client messages received on untrusted interfaces to all trusted interfaces within the VLAN. The bindings database includes the following info[...]
- Page 59: CLI Examples. The commands below show examples of configuring DHCP Snooping for the switch and for individual interfaces. Example #1 Enable DHCP snooping for the switch. console(config)#ip dhcp snooping console(config)#exit console# Example #2 Enable DHCP snooping on a VLAN. console(config)#ip dhcp snooping vlan 1[...]
- Page 60: console(config)# console(config)#exit Example #6 Configure DHCP snooping database persistency interval. console(config)#ip dhcp snooping database write-delay 500 console(config)# console(config)#exit Example #7 Configure an interface as DHCP snooping trusted. console(config-if-1/g1)#ip dhcp snooping trus[...]
- Page 61: Example #10 Show DHCP Snooping configuration on VLANs and Ports. show ip dhcp snooping binding DHCP snooping is Enabled. DHCP snooping source MAC verification is enabled. DHCP snooping is enabled on the following VLANs: 1. Interface / Trusted / Log Invalid Pkts: 1/g1 Yes Yes; 1/g2 No N[...]
- Page 62: (continuation of the interface table) 1/g15 through 1/g24, 1/xg3, 1/xg4 and ch1 through ch6 each read "No No"; --More-- or (q)uit; console#[...]
- Page 63: Example #12 Show DHCP Snooping database configurations. console#show ip dhcp snooping database agent url: local write-delay: 500 console# Example #13 Show DHCP Snooping binding entries. Total number of bindings: 2. MAC Address / IP Address / VLAN / Interface / Type / Lease (Secs)[...]
- Page 64: (continuation of a per-interface table) 1/g3 through 1/g24 each read "No 15 1", with a --More-- or (q)uit prompt after 1/g18[...]
- Page 65: (continuation) ch3 through ch10 each read "No 15 1"; --More-- or (q)uit; console# Example #15 Show DHCP Snooping Per Port Statistics. console#show ip dhcp snooping statistics Interface / MAC Verify Failures / Client Ifc Mismatch / DHCP Server Msgs Rec'd[...]
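Added example (not from the Dell guide or from this listing): pages 57 and 58 describe the DHCP snooping decision, server messages are accepted only on trusted interfaces, client messages from untrusted interfaces are forwarded to the trusted ones, DHCPRELEASE and DHCPDECLINE are checked against the interface and VLAN recorded in the bindings database, and page 61 shows source MAC verification enabled. Page 65 names the three per-port counters that record the failures. The Python model below, written for this page, implements that decision for one message at a time and keeps those three counters, so a practitioner can see exactly which check a rogue DHCP server, a spoofed chaddr or a forged RELEASE trips. The trust table (only 1/g1 trusted, VLAN 1 snooped) is taken from page 61; the binding entry, the sample messages and the handling of a RELEASE with no binding at all are constructed assumptions of this example.

```python
from collections import Counter

# Trust state modelled on the "show ip dhcp snooping" table on page 61
# (1/g1 trusted, everything else untrusted, VLAN 1 snooped).  The binding
# rows on page 63 are cut off, so this binding entry is constructed.
TRUSTED_IFACES = {"1/g1"}
SNOOPED_VLANS = {1}
BINDINGS = {                       # (client MAC, VLAN) -> (IP, interface)
    ("00aa.bb00.0001", 1): ("192.168.1.50", "1/g2"),
}
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

# Column names from "show ip dhcp snooping statistics" on page 65
MAC_VERIFY = "MAC Verify Failures"
IFC_MISMATCH = "Client Ifc Mismatch"
SERVER_RECVD = "DHCP Server Msgs Rec'd"


class SnoopingFilter:
    """Forward/drop decision for one DHCP message, following pages 57-58."""

    def __init__(self, trusted, vlans, bindings, mac_verify=True):
        self.trusted = set(trusted)
        self.vlans = set(vlans)
        self.bindings = dict(bindings)
        self.mac_verify = mac_verify
        self.stats = Counter()          # (interface, column) -> count

    def decide(self, msg):
        iface, vlan, mtype = msg["iface"], msg["vlan"], msg["type"]
        if vlan not in self.vlans:
            return "forward", "VLAN not snooped"
        if iface in self.trusted:
            return "forward", "trusted interface"
        # Untrusted interface from here on.
        if mtype in SERVER_MSGS:
            self.stats[(iface, SERVER_RECVD)] += 1
            return "drop", "server message on untrusted interface"
        if self.mac_verify and msg["src_mac"] != msg["chaddr"]:
            self.stats[(iface, MAC_VERIFY)] += 1
            return "drop", "frame source MAC differs from chaddr"
        if mtype in ("DHCPRELEASE", "DHCPDECLINE"):
            binding = self.bindings.get((msg["chaddr"], vlan))
            # Assumption of this example: no binding at all is also a mismatch.
            if binding is None or binding[1] != iface:
                self.stats[(iface, IFC_MISMATCH)] += 1
                return "drop", "binding interface/VLAN mismatch"
        return "forward", "client message forwarded to trusted interfaces"

    def statistics(self, iface):
        """Per-port row in the shape of the page-65 statistics table."""
        return {col: self.stats[(iface, col)]
                for col in (MAC_VERIFY, IFC_MISMATCH, SERVER_RECVD)}


# Constructed traffic: a rogue DHCP server on 1/g2, a normal client on 1/g2,
# a spoofed chaddr on 1/g3, a RELEASE for 1/g2's lease sent from 1/g3, the
# same RELEASE from the right port, and a real server reply on trusted 1/g1.
SAMPLE_MESSAGES = [
    {"iface": "1/g2", "vlan": 1, "type": "DHCPOFFER", "src_mac": "00aa.bb00.00ff", "chaddr": "00aa.bb00.0002"},
    {"iface": "1/g2", "vlan": 1, "type": "DHCPDISCOVER", "src_mac": "00aa.bb00.0002", "chaddr": "00aa.bb00.0002"},
    {"iface": "1/g3", "vlan": 1, "type": "DHCPREQUEST", "src_mac": "00aa.bb00.0003", "chaddr": "00aa.bb00.0001"},
    {"iface": "1/g3", "vlan": 1, "type": "DHCPRELEASE", "src_mac": "00aa.bb00.0001", "chaddr": "00aa.bb00.0001"},
    {"iface": "1/g2", "vlan": 1, "type": "DHCPRELEASE", "src_mac": "00aa.bb00.0001", "chaddr": "00aa.bb00.0001"},
    {"iface": "1/g1", "vlan": 1, "type": "DHCPOFFER", "src_mac": "00aa.bb00.0100", "chaddr": "00aa.bb00.0002"},
]


def run_sample():
    """Push the constructed messages through a filter; return (actions, filter)."""
    snoop = SnoopingFilter(TRUSTED_IFACES, SNOOPED_VLANS, BINDINGS)
    actions = [snoop.decide(m)[0] for m in SAMPLE_MESSAGES]
    return actions, snoop


if __name__ == "__main__":
    actions, snoop = run_sample()
    for m, a in zip(SAMPLE_MESSAGES, actions):
        print(m["iface"], m["type"], "->", a)
    print("1/g2", snoop.statistics("1/g2"))
    print("1/g3", snoop.statistics("1/g3"))
```

The two RELEASE messages show why the bindings database matters: the same client MAC releasing its own lease is accepted from the port it was learned on and dropped from any other port, which is what stops a neighbour from releasing someone else's address.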
- Page 66: (continuation of the statistics table) 1/g11 through 1/g24, 1/xg3, 1/xg4 and ch1 through ch10 each read "0 0 0", with a --More-- or (q)uit prompt after 1/g20; ch11 0[...]
- Page 67: (continuation) ch13 through ch17 each read "0 0 0"; --More-- or (q)uit. sFlow. This section describes the sFlow feature. sFlow is the industry standard for monitoring high-speed switched and routed networks. sFlow technology is built into network equipment and gives complete visibility into network act[...]
- Page 68: The advantages of using sFlow are: • It is possible to monitor all ports of the switch continuously, with no impact on the distributed switching performance. • Minimal memory/CPU is required. Samples are not aggregated into a flow table on the switch; they are forwarded immediately over the network [...]
- Page 69: The mechanism involves a counter that is decremented with each packet. When the counter reaches zero a sample is taken. 5. When a sample is taken, the counter indicating how many packets to skip before taking the next sample is reset. The value of the counter is set to a random integer where the sequence of[...]
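Added example (not from the Dell guide or from this listing): page 69 describes the sFlow packet sampler, a skip counter decremented per packet, a sample taken when it reaches zero, and the counter reset to a random integer. The Python code below, written for this page, implements that sampler and adds the number a security engineer needs alongside it: the probability that a short flow (a port scan, a single exfiltration burst) produces no sample at all. The sFlow specification (RFC 3176) requires the random skips to average the configured sampling rate; drawing them uniformly from 1 to 2*rate-1 satisfies that and is a choice of this example, not something the guide states. The packets fed through the sampler are constructed dummies.

```python
import random


class SFlowSampler:
    """Packet sampler as described on page 69 of the guide.

    A skip counter is decremented for every packet seen; when it reaches
    zero the packet is sampled and the counter is reset to a random integer.
    RFC 3176 requires the random skips to average the configured sampling
    rate; this example draws them uniformly from [1, 2*rate - 1], whose mean
    is exactly rate (a choice of this example, not stated by the guide).
    """

    HEADER_BYTES = 128          # sFlow exports only the leading bytes of the packet

    def __init__(self, rate, seed=None):
        if rate < 1:
            raise ValueError("sampling rate must be >= 1")
        self.rate = rate
        self._rng = random.Random(seed)
        self.total = 0          # packets observed (the sFlow "sample pool")
        self.sampled = 0
        self._skip = self._next_skip()

    def _next_skip(self):
        return self._rng.randint(1, 2 * self.rate - 1)

    def observe(self, packet):
        """Return a sample record for this packet, or None if it was skipped."""
        self.total += 1
        self._skip -= 1
        if self._skip > 0:
            return None
        self._skip = self._next_skip()
        self.sampled += 1
        return {"seq": self.sampled, "sample_pool": self.total,
                "header": bytes(packet[:self.HEADER_BYTES])}

    def estimated_total(self):
        """What a collector infers from the sample count alone."""
        return self.sampled * self.rate


def p_flow_unsampled(packets, rate):
    """Probability that a flow of `packets` packets yields no sample at all,
    treating each packet as sampled independently with probability 1/rate.
    A 1-in-100 sampler misses a 20-packet port scan about 82% of the time."""
    return (1 - 1 / rate) ** packets


def run_sampler(n_packets, rate, seed=1):
    """Feed n constructed packets through a sampler; return (samples, sampler)."""
    sampler = SFlowSampler(rate, seed)
    samples = []
    for i in range(n_packets):
        pkt = i.to_bytes(4, "big") + b"\x00" * 60   # constructed dummy frame
        rec = sampler.observe(pkt)
        if rec is not None:
            samples.append(rec)
    return samples, sampler


if __name__ == "__main__":
    samples, s = run_sampler(10_000, 100)
    print(len(samples), "samples, estimated total", s.estimated_total(), "of", s.total)
    print("P(20-packet flow unsampled at 1:100) =", round(p_flow_unsampled(20, 100), 3))
```

The sample_pool field is what lets a collector scale counts back up; the miss probability is the reason sFlow is a capacity and trend tool rather than a substitute for a mirror port or flow records when the question is "did this host ever talk to that one".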
-
Seite 70
70 Switch ing C onfigu rati on Examp le #4: Show the sFlo w config uration f or receive r index 1 console#show sflow 1 destination Receiver Index................................. 1 Owner String................................... site77 Time out....................................... 1529 IP Address:.................................... 30.30.30.1 Ad[...]
-
Seite 71
Switch ing Confi guration 71 Example #6: Show sFlow polling for receiver index 1 console#show sflow 1 polling Poller Receiver Poller Data Source Index Interval ----------- ------- ------- 1/g1 1 200 1/g2 1 200 1/g3 1 200 1/g4 1 200 1/g5 1 200 1/g6 1 200 1/g7 1 200 1/g8 1 200 1/g9 1 200 1/g10 1 200 1/g15 1 400[...]
-
Seite 72
72 Switch ing C onfigu rati on[...]
-
Seite 73
Rout ing Configu ration 73 4 Routing Co nfiguration This section de scribes configurat ion scenari os and instructions for the following routing features: • "V LAN Routing" o n page 74 • "Virtu al Router Redundancy P rotocol" on page 77 • "P roxy Addr ess Resolution P rotocol (ARP)" on page 80 •" O S P F &[...]
-
Seite 74
74 Rout ing Configu ration VLAN Routing This section prov ides an exampl e of how to config ure P owerConnect 6200 Series so ftware to support VLA N ro u ting . NOTE: The mana gemen t VLAN cannot be config ured as a r outin g inter face. The swi tch may als o be mana ged vi a VLAN r out ing in ter faces . CLI Examp les The diagram in t his section [...]
-
Seite 75
Rout ing Configu ration 75 console(config-vlan)#vlan 10 console(config-vlan)#vlan 20 console(config-vlan)#exit Exam ple 2 : Co nfig ure the VLAN Mem bers The following co de sequence shows an example of adding ports to the V LANs and assignin g the PVID for each port. The PVID determines t he VLAN ID assigned to untag ged frames received on the por[...]
-
Seite 76
76 Rout ing Configu ration Exa mple 3: Set Up VLAN Routin g for the VLAN s and Assi gn an IP Addre ss The following co de sequence shows how to enable routing for the VLANs and how to configure the IP addr esses and subnet masks for the virtual route r ports.: console#configure console(config)#interface vlan 10 console(config-if-vlan10)#routing con[...]
-
Seite 77
Rout ing Configu ration 77 V irtual Rout er Redundancy Pr otocol When an end station is statically configured with the addr ess of the rou ter that will handle its routed traffic, a s ingle point of failur e is introduced into th e network. If the rou ter goes down, the en d station is unable to communicate. Since static confi guration is a conveni[...]
-
Seite 78
78 Rout ing Configu ration Configuring VRRP on the Switch as a Master Router 1 Enable routin g for the s witch. IP forw arding is then ena bled by def ault. console#config console(config)#ip routing 2 Configur e the IP addr esses and subnet masks f or th e VLAN routing in terface t hat wi ll particip ate in the protocol: console(config)#interface v[...]
-
Seite 79
Rout ing Configu ration 79 4 Assign virtual router ID to the interfac e that will pa rticipate in the prot ocol: console(config)#interface vlan 50 console(config-if-vlan50)#ip vrrp 20 5 Specify the IP address that the virtual router function will recognize. console(config-if-vlan50)#ip vrrp 20 ip 192.150.2.1 6 Set the priority for the interface. As[...]
-
Seite 80
80 Routing Configuration Proxy Address Resolution Protocol (ARP) This section describes the Proxy Address Resolution Protocol (ARP) feature. Overview • Proxy ARP allows a router to answer ARP requests where the target IP address is not the router itself but a destination that the router can reach. • If a host does not know t[...]
Routing Configuration 81 Active State................................... Inactive Link Speed Data Rate........................... 10 Half MAC Address.................................... 00FF.F2A3.888A Encapsulation Type............................. Ethernet IP MTU......................................... 1500 OSPF Larger networks typically use t[...]
82 Routing Configuration A virtual link can be used to connect an area to Area 0 when a direct link is not possible. A virtual link traverses an area between the remote area and Area 0 (see Figure 4-5). A stub area is an area that does not receive routes that were learned from a protocol other than OSPF or were statically configured. T[...]
Routing Configuration 83 External routes are those imported into OSPF from other routing protocols or processes. OSPF computes the path cost differently for external type 1 and external type 2 routes. The cost of an external type 1 route is the cost advertised in the external LSA plus the path cost from the calculating router to the ASBR[...]
84 Routing Configuration IPv4 (OSPFv2) IPv6 (OSPFv3) • Enable routing for the switch: console#config ip routing exit console#config ipv6 unicast-routing exit Enable routing and assign IP for VLANs 70, 80 and 90. config interface vlan 70 routing ip address 192.150.2.2 255.255.255.0 exit interface vlan 80 routing ip address 192.130.3.1 255.2[...]
Routing Configuration 85 Example 2: Configuring Stub and NSSA Areas In this example, Area 0 connects directly to two other areas: Area 1 is defined as a stub area and Area 2 is defined as an NSSA area. NOTE: OSPFv2 and OSPFv3 can operate concurrently on a network and on the same interfaces (although they do no[...]
86 Routing Configuration Figure 4-4. OSPF Configuration—Stub Area and NSSA Area Configure Router A: Router A is a backbone router. It links to an ASBR (not defined here) that routes traffic outside the AS. • Globally enable IPv6 and IPv4 routing: (console)#configure ipv6 unicast-routing ip routing • Configure IP addre[...]
Routing Configuration 87 ipv6 address 3000:3:100::/64 eui64 ip ospf area 0.0.0.0 ipv6 ospf exit • Define an OSPF router: ipv6 router ospf router-id 3.3.3.3 exit router ospf router-id 3.3.3.3 exit exit Configure Router B: Router B is an ABR that connects Area 0 to Areas 1 and 2. • Configure IPv6 and IPv4 routing. The static routes are[...]
88 Routing Configuration • For IPv4: Define an OSPF router. Define Area 1 as a stub. Enable OSPF for IPv4 on VLANs 10, 5, and 17 by globally defining the range of IP addresses associated with each interface, and then associating those ranges with Areas 1, 0, and 17, respectively. Then, configure a metric cost to associate with st[...]
Routing Configuration 89 Example 3: Configuring a Virtual Link In this example, Area 0 connects directly to Area 1. A virtual link is defined that traverses Area 1 and connects to Area 2. Figure 4-5 illustrates this example OSPF configuration. Figure 4-5. OSPF Configuration—Virtual Link Configure Router A: Router A is a backbone [...]
90 Routing Configuration router ospf router-id 3.3.3.3 network 10.2.3.0 0.0.0.255 area 0.0.0.0 exit exit Configure Router B: Router B is an ABR that directly connects Area 0 to Area 1. In addition to the configuration steps described in the previous example, we define a virtual link that traverses Area 1 to Router C (5.5.5.5). (console)#con[...]
Routing Configuration 91 routing ip address 10.1.2.1 255.255.255.0 ipv6 address 3000:1:2::/64 eui64 ipv6 ospf ipv6 ospf areaid 1 exit interface vlan 11 routing ip address 10.1.101.1 255.255.255.0 ipv6 address 3000:1:101::/64 eui64 ipv6 ospf ipv6 ospf areaid 2 exit ipv6 router ospf router-id 5.5.5.5 area 0.0.0.1 virtual-link 4.4.4.4 exit router os[...]
92 Routing Configuration Routing Information Protocol Routing Information Protocol (RIP) is one of the protocols which may be used by routers to exchange network topology information. It is characterized as an "interior" gateway protocol, and is typically used in small to medium-sized networks. RIP Configuration A router running RIP se[...]
Routing Configuration 93 CLI Examples The configuration commands used in the following example enable RIP on ports vlan 2 and vlan 3 as shown in the network illustrated in Figure 4-6. Figure 4-6. Port Routing Example Network Diagram Example #1: Enable Routing for the Switch The following sequence enables routing for the switch: conso[...]
94 Routing Configuration Example #3. Enable RIP for the Switch The next sequence enables RIP for the switch. The route preference defaults to 15. console#config router rip enable exit exit Example #4. Enable RIP for the VLAN Routing Interfaces This command sequence enables RIP for VLAN 2 and VLAN 3. Authentication defaults to none, a[...]
Routing Configuration 95 Route Preferences You can use route preference assignment to control how the router chooses which routes to use when alternatives exist. This section describes three uses of route preference assignment: • "Assigning Administrative Preferences to Routing Protocols" on page 95 • "Using Equal[...]
96 Routing Configuration Example 1: Configure Administrative Preferences The following commands configure the administrative preference for the RIP and OSPF: console#Config router rip distance rip 130 exit For OSPF, an additional parameter identifies the type of OSPF route that the preference value applies to: router ospf dist[...]
Routing Configuration 97 Using Equal Cost Multipath The equal cost multipath (ECMP) feature allows a router to use more than one next hop to forward packets to a given destination prefix. It can be used to promote a more optimal use of network resources and bandwidth. A router that does not use ECMP forwards all packets to a given desti[...]
98 Routing Configuration Routing protocols can also be configured to compute ECMP routes. For example, referring to Figure 4-8, if OSPF were configured on both links connecting Router A and Router B, and if Router B advertised its connection to 20.0.0.0/8, then Router A could compute an OSPF route to 20.0.0.0/8 with next hops of 10.[...]
Routing Configuration 99 Loopback Interfaces PowerConnect 6200 Series software provides for the creation, deletion, and management of loopback interfaces. A loopback interface is a software-only interface that is not associated with a physical location; as such it is not dependent on the physical status of a particular router interfa[...]
100 Routing Configuration IP MTU.......................................... 1500 Bandwidth....................................... 100000 kbps Destination Unreachables........................ Enabled ICMP Redirects................................. Enabled To delete a loopback interface, enter the following command from the Global Config mode: co[...]
Routing Configuration 101 Table 4-1. Default Ports - UDP Port Numbers Implied By Wildcard The switch limits the number of relay entries to four times the maximum number of VLAN routing interfaces (512 relay entries). There is no limit to the number of relay entries on an individual interface, and no limit to the number of servers f[...]
102 Routing Configuration The relay agent only relays packets that meet the following conditions: • The destination MAC address must be the all-ones broadcast address (FF:FF:FF:FF:FF:FF). • The destination IP address must be the limited broadcast address (255.255.255.255) or a directed broadcast address for the receive int[...]
Routing Configuration 103 Example 5: Enable IP Helper on a VLAN Routing Interface to a Server (DHCP and DNS) To relay DHCP and DNS packets to 192.168.30.1, use the following commands: console(config-if-vlan100)#ip helper-address 192.168.30.1 dhcp console(config-if-vlan100)#ip helper-address 192.168.30.1 domain Example 6: Enable IP [...]
104 Routing Configuration Example 7: Show IP Helper Configurations The following command shows IP Helper configurations: console#show ip helper-a IP helper is enabled Interface UDP Port Discard Hit Count Server Address -------------------- ----------- ----- ----- ---------- ------------------ vlan 100 domain No 0 192.168.30.1 vlan 100 dhc[...]
Device Security 105 5 Device Security This section describes configuration scenarios for the following features: • "802.1x Network Access Control" on page 106 • "802.1X Authentication and VLANs" on page 109 • "Authentication Server Filter Assignment" on page 111 • "Access Control Li[...]
106 Device Security 802.1x Network Access Control Port-based network access control allows the operation of a system's port(s) to be controlled to ensure that access to its services is permitted only by systems that are authorized to do so. Port Access Control provides a means of preventing unauthorized access by supplicants or users t[...]
Device Security 107 Figure 5-1. Switch with 802.1x Network Access Control If a user, or supplicant, attempts to communicate via the switch on any interface except interface 1/g1, the system challenges the supplicant for login credentials. The system encrypts the provided information and transmits it to the RADIUS server. If the R[...]
108 Device Security Example #2: MAC-Based Authentication Mode The PowerConnect 6200 Series switches support MAC-based 802.1X authentication. This feature allows multiple hosts to authenticate on a single port. The hosts are distinguished by their MAC addresses. When multiple hosts (for example, a PC, a printer, and a phone in the[...]
Device Security 109 802.1X Authentication and VLANs The PowerConnect 6200 Series switches allow a port to be placed into a particular VLAN based on the result or type of 802.1X authentication a client uses when it accesses the switch. The RADIUS server or IEEE 802.1X Authenticator can provide information to the switch about which VLAN to[...]
110 Device Security VLAN and the port is moved to the authorized state, allowing access to the client. However, if the port is in MAC-based 802.1X authentication mode, it will not move to the authorized state. MAC-based mode makes it possible for both authenticated and guest cli[...]
Device Security 111 Authentication Server Filter Assignment The PowerConnect 6200 Series switches allow the external 802.1X Authenticator or RADIUS server to assign DiffServ policies to users that authenticate to the switch. When a host (supplicant) attempts to connect to the network through a port, the switch contacts the 802.1X [...]
112 Device Security Ingress ACLs support Flow-based Mirroring and ACL Logging, which have the following characteristics: • Flow-based mirroring is the ability to mirror traffic that matches a permit rule to a specific physical port or LAG. Flow-based mirroring is similar to the redirect function, except that in flow-based mirr[...]
Device Security 113 Egress ACL Limitations Egress ACLs have some additional limitations. The following limitations apply to egress ACLs only: • Egress ACLs support IP Protocol/Destination, IP Address Source/Destination, L4 Source/Destination port, IP DSCP, IP ToS, and IP precedence match conditions only. • MAC ACLs are not s[...]
114 Device Security IP ACLs IP ACLs classify for Layers 3 and 4. Each ACL is a set of up to ten rules applied to inbound traffic. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network, and may apply to one or more of the following fields within a packet: • Destination IP wit[...]
Device Security 115 IP ACL CLI Example The script in this section shows you how to set up an IP ACL with two rules, one applicable to TCP traffic and one to UDP traffic. The content of the two rules is the same. TCP and UDP packets will only be accepted by the PowerConnect 6200 Series switch if the source and destination stations[...]
116 Device Security Step 1: Create an ACL and Define an ACL Rule This command creates an ACL named list1 and configures a rule for the ACL. After the mask has been applied, it permits packets carrying TCP traffic that matches the specified Source IP address, and sends these packets to the specified Destination IP address. console#conf[...]
Device Security 117 Step 4: Viewing the MAC ACL Information console#show mac access-lists Current number of all ACLs: 2 Maximum number of all ACLs: 100 MAC ACL Name Rules Interface(s) Direction ------------------------------- ----- ------------------------- --------- mac1 1 1/g5 Inbound console#show mac access-lists mac1 MAC ACL Name: mac1 Rul[...]
118 Device Security attributes containing configuration information. If the server rejects the user, it returns a negative result. If the server rejects the client or the shared "secrets" differ, the server returns no result. If the server requires additional verification from the user, it returns a challenge, and the request pro[...]
Device Security 119 Figure 5-3. RADIUS Servers in a Network When a user attempts to log in, the switch prompts for a username and password. The switch then attempts to communicate with the primary RADIUS server at 10.10.10.10. Upon successful connection with the server, the login credentials are exchanged over an encrypted channel. The se[...]
120 Device Security Example #2: Set the NAS-IP Address for the RADIUS Server The NAS-IP address attribute identifies the IP Address of the network authentication server (NAS) that is requesting authentication of the user. The address should be unique to the NAS within the scope of the RADIUS server. The NAS-IP-Address is only used in Ac[...]
Device Security 121 Figure 5-4. PowerConnect 6200 Series Switch with TACACS+ When a user attempts to log into the switch, the NAS or switch prompts for a username and password. The switch attempts to communicate with the highest priority configured TACACS+ server at 10.10.10.10. Upon successful connection with the server, the swi[...]
122 Device Security 802.1x MAC Authentication Bypass (MAB) MAB is a supplemental authentication mechanism that allows 802.1x unaware clients, such as printers and fax machines, to authenticate to the network using the client MAC address as an identifier. The known and allowable MAC address and corresponding access rights o[...]
Device Security 123 Figure 5-5. MAB Operation – Authentications Based on MAC Address in Database CLI Examples Example 1: Enable/Disable MAB To enable/disable MAB on interface 1/5, use the following commands: console(config-if-1/g5)#dot1x mac-auth-bypass console(config-if-1/g5)#no dot1x mac-auth-bypass Client DOT1x/MAB RADIUS Tr[...]
124 Device Security Example 2: Show MAB Configuration To show the MAB configuration for interface 1/5, use the following command: console#show dot1x ethernet 1/g5 Administrative Mode............... Enabled Port Admin Oper Reauth Reauth Mode Mode Control Period ------- ------------------ ------------ -------- ---------- 1/g5 mac-based Aut[...]
Device Security 125 Captive Portal Overview The Captive Portal feature is a software implementation that allows client access only on user verification. Verification can be configured to allow access for guest and authenticated users. Users must be validated against a database of authorized captive portal users locally or through a radius c[...]
126 Device Security In the unknown state, the CP doesn't redirect HTTP/S traffic to the switch, but queries the switch to determine whether the client is authenticated or unauthenticated. In the Unauthenticated state, the CP directs the HTTP/S traffic to the switch to allow the client to authenticate with the switch. O[...]
Device Security 127 All new captive portal instances are also assigned to the "Default" group. The administrator can create new groups and modify the user/group association to only allow a subset of users access to a specific captive portal instance. Network access is granted upon successful verification of user credentials. A re[...]
128 Device Security In response to the request, the authenticated user is removed from the connection status tables. If the client logout request feature is not enabled, or the user does not specifically request logout, the connection status remains authenticated until Captive Portal deauthenticates (session timeout, idle time, e[...]
Device Security 129 Captive Portal Statistics Client session statistics are available for both guest and authenticated users. Client statistics are used to enforce the idle timeout and other limits configured for the user and captive portal instance. Client statistics may not be cleared by the administrator since this would aff[...]
130 Device Security console#show captive-portal Administrative Mode....................... Enabled Operational Status........................ Enabled Disable Reason............................ Administrator Disabled Captive Portal IP Address................. 1.2.3.4 Example 6: Show Captive Portal Instances To show the status of all Captive [...]
Device Security 131 Example 7: Modify the Default Captive Portal Configuration (Change Verification Method to Local) To change the verification method to local, use the following command: console(config-CP 1)#verification local To view the configuration change, use the following command: console#show captive-portal configuration 1 status C[...]
132 Device Security To create a local user, use the following command: console(Config-CP)#user 1 name user1 console(config-CP)#user 1 password Enter password (8 to 64 characters): ******** Re-enter password: ******** console(Config-CP)#user 1 session-timeout 14400 To verify the creation of a local user, use the following command: console#show[...]
Device Security 133 Operational Block Interface Interface Description Status Status --------- ---------------------------- ------------ ------------ ----------- 1/g18 Unit: 1 Slot: 0 Port: 18 Gigabit - Level Disabled Not Blocked To view the status of a captive client (connected to 1/g18), use the following command: console#show captive-port[...]
134 Device Security[...]
IPv6 135 6 IPv6 This section includes the following subsections: • "Overview" on page 135 • "Interface Configuration" on page 135 Overview There are many conceptual similarities between IPv4 and IPv6 network operation. Addresses still have a network prefix portion (subnet) and a device interface specific portion (host[...]
136 IPv6 • Allocated from part of the IPv6 unicast address space • Not visible off the local link • Not globally unique Next hop addresses computed by routing protocols are usually link-local. During a transition period, a global IPv6 Internet backbone may not be available. The solution to this is to tunnel IPv6 packets inside IP[...]
IPv6 137 ip ospf area 0.0.0.0 exit interface vlan 2 routing ipv6 enable ipv6 address 2020:1::1/64 ipv6 ospf ipv6 ospf network point-to-point exit interface tunnel 0 ipv6 address 2001::1/64 tunnel mode ipv6ip tunnel source 20.20.20.1 tunnel destination 10.10.10.1 ipv6 ospf ipv6 ospf network point-to-point exit interface loopback 0 ip address 1.1.1.1[...]
138 IPv6 ipv6 address 2020:2::2/64 ipv6 ospf ipv6 ospf network point-to-point exit interface tunnel 0 ipv6 address 2001::2/64 tunnel mode ipv6ip tunnel source 10.10.10.1 tunnel destination 20.20.20.1 ipv6 ospf ipv6 ospf network point-to-point exit interface loopback 0 ip address 2.2.2.2 255.255.255.0 exit exit[...]
Quality of Service 139 7 Quality of Service This section includes the following subsections: • "Class of Service Queuing" on page 139 • "Differentiated Services" on page 143 Class of Service Queuing The Class of Service (CoS) feature lets you give preferential treatment to certain types of traffic over others. To [...]
140 Quality of Service CoS Mapping Table for Trusted Ports Mapping is from the designated field values on trusted ports' incoming packets to a traffic class priority (actually a CoS traffic queue). The trusted port field-to-traffic class configuration entries form the Mapping Table the switch uses to direct ingress packets from[...]
Quality of Service 141 Figure 7-1. CoS Mapping and Queue Configuration Continuing this example, you configured the egress Port 1/g8 for strict priority on queue 6, and set a weighted scheduling scheme for queues 5-0. Assuming queue 5 has a higher weighting than queue 1 (relative weight values shown as a percentage, with 0% indicati[...]
142 Quality of Service Figure 7-2. CoS1/g Configuration Example System Diagram You will configure the ingress interface uniquely for all cos-queue and VLAN parameters. console#config interface ethernet 1/g10 classofservice trust dot1p classofservice dot1p-mapping 6 3 vlan priority 2 exit interface ethernet 1/g8 cos-queue min-bandwidth 0 0[...]
Quality of Service 143 Differentiated Services Differentiated Services (DiffServ) is one technique for implementing Quality of Service (QoS) policies. Using DiffServ in your network allows you to directly configure the relevant parameters on the switches and routers rather than using a resource reservation protocol. This section explains how[...]
144 Quality of Service CLI Example This example shows how a network administrator can provide equal access to the Internet (or other external network) to different departments within a company. Each of four departments has its own Class B subnet that is allocated 25% of the available bandwidth on the port accessing the Internet. Figure[...]
Quality of Service 145 match srcip 172.16.20.0 255.255.255.0 exit class-map match-all test_dept match srcip 172.16.30.0 255.255.255.0 exit class-map match-all development_dept match srcip 172.16.40.0 255.255.255.0 exit Create a DiffServ policy for inbound traffic named internet_access, adding the previously created department classes as in[...]
146 Quality of Service Set the CoS queue configuration for the (presumed) egress interface 1/g5 such that each of queues 1, 2, 3 and 4 get a minimum guaranteed bandwidth of 25%. All queues for this interface use weighted round robin scheduling by default. The DiffServ inbound policy designates that these queues are to be used for the depar[...]
Quality of Service 147 Figure 7-4. DiffServ VoIP Example Network Diagram[...]
148 Quality of Service Example #2: Configuring DiffServ VoIP Support Enter Global Config mode. Set queue 6 on all ports to use strict priority mode. This queue shall be used for all VoIP packets. Activate DiffServ for the switch. console#config cos-queue strict 6 diffserv Create a DiffServ classifier named class_voip and define a single [...]
Multicast 149 8 Multicast This section provides configuration scenarios for the following features: • "IGMP Configuration" on page 150 • "IGMP Proxy" on page 151 • "DVMRP" on page 152 • "PIM" on page 154 • "Multicast Routing and IGMP Snooping" on page 157 [...]
150 Multicast When to Enable IP Multicast on the PowerConnect 6200 Series Switch Use the IP multicast feature on the PowerConnect 6200 Series switch to route multicast traffic between VLANs on the switch. If all hosts connected to the switch are on the same subnet, there is no need to configure the IP multicast feature. If the switch[...]
Multicast 151 IGMP Proxy IGMP proxy enables a multicast router to learn multicast group membership information and forward multicast packets based upon the group membership information. The IGMP Proxy is capable of functioning only in certain topologies that do not require Multicast Routing Protocols (i.e., DVMRP, PIM-DM, and PIM-SM[...]
152 Multicast Example #2: View IGMP Proxy Configuration Data You can use various commands from Privileged EXEC or User EXEC modes to show IGMP proxy configuration data. • Use the following command to display a summary of the host interface status parameters. It displays the parameters only when IGMP Proxy is enabled. console#show [...]
Multicast 153 CLI Example The following example configures two DVMRP interfaces. First, this example configures an OSPF router 1 and globally enables IP routing and IP multicast. IGMP is globally enabled so that this router can manage group membership information for its directly-connected hosts (IGMP may not be required when there are no [...]
154 Multicast PIM Protocol Independent Multicast (PIM) is a standard multicast routing protocol that provides scalable inter-domain multicast routing across the Internet, independent of the mechanisms provided by any particular unicast routing protocol. PIM has two types: • PIM-Dense Mode (PIM-DM) • PIM-Sparse Mode (PIM-SM) PIM-S[...]
Multicast 155 Example: PIM-SM The following example configures PIM-SM for IPv4 on a router. First, configure an OSPF 1 router and globally enable IP routing, multicast, IGMP, and PIM-SM. Next, configure a PIM-SM rendezvous point with an IP address and group range. The IP address will serve as an RP for the range of potential multicast [...]
To minimize the repeated flooding of datagrams and subsequent pruning associated with a particular source-group (S,G) pair, PIM-DM uses a State Refresh message. This message is sent by the router(s) directly connected to the source and is propagated throughout the network. When received by a router on its RPF interface, the State Refresh m[...]
Multicast 157 Multicast Routing and IGMP Snooping In this example, ports 1/g5 and 1/g10 are members of VLAN 100, and port 1/g15 is a member of VLAN 200. Both VLANs are configured as VLAN routing interfaces and are in different subnets. IGMP snooping is configured on VLAN 100 so that a member port will receive multicast da[...]
158 Multicast 8 Globally enable IGMP snooping, IP multicast, IGMP, and PIM-DM on the switch. console(config)# ip igmp snooping console(config)# ip multicast console(config)# ip igmp console(config)# ip pimdm NOTE: Only one multicast routing protocol (PIM-SM, PIM-DM, or DVMRP) can be enabled globally on the switch at a time. 9 Co[...]
Multicast 159 console#show ip igmp IGMP Admin Mode................................ Enabled IGMP Router-Alert check........................ Disabled IGMP INTERFACE STATUS Interface Interface-Mode Operational-Status --------- -------------- ---------------- vlan 100 Enabled Operational vlan 200 Enabled Operational The host connected to interface 1/[...]
160 Multicast[...]
Utility 161 9 Utility This section describes the following features: • "Auto Config" on page 162 • "Nonstop Forwarding on a Switch Stack" on page 168[...]
162 Utility Auto Config Overview Auto Config is a software feature that automatically configures a switch when the device is initialized and no configuration file is found on the switch. Auto Config is accomplished in three phases: 1 Assignment (configuration) of an IP address for the device 2 Assignment of a TFTP server 3 Obtaining a [...]
Utility 163 – The hostname of the TFTP server (option 66 or sname). Either the TFTP address or name is specified (not both) in most network configurations. If a TFTP hostname is given, a DNS server is required to translate the name to an IP address. – The IP address of the TFTP server (option 150). – The address of the TFTP serv[...]
164 Utility Once a hostname has been determined, the switch then issues a TFTP request for a file named "<hostname>.cfg", where <hostname> is the first 32 characters of the switch's hostname. If the switch is unable to map its IP address to a hostname, Auto Config sends TFTP requests for the default configurati[...]
Utility 165 Host-Specific Config File Not Found If the Auto Config process fails to download a configuration file, a message is logged. If a final configuration file is not downloaded, as described in Table 9-1, the Auto Config procedure continues to issue TFTP broadcast requests. The frequency of the broadcasts is once per 10 minute per[...]
166 Utility Dependency Upon Other Network Services The Auto Config process depends upon the following network services: • A DHCP or BOOTP server must be configured on the network with appropriate services. • A configuration file for the switch must be available from a TFTP server on the network. • The switch must be connected[...]
Utility 167 TFTP Client The TFTP client downloads configuration files and sends TFTP requests to the broadcast IP address (255.255.255.255). DNS Client The DNS client resolves an IP address to a hostname and resolves a hostname to an IP address (reverse IP address to hostname mapping). BOOT[...]
168 Utility Nonstop Forwarding on a Switch Stack Networking devices, such as the PowerConnect 6200 Series switches, are often described in terms of three semi-independent functions called the forwarding plane, the control plane, and the management plane. The forwarding plane forwards data packets and is implemented in hardware. The control pla[...]
Utility 169 NOTE: The switch cannot guarantee that a backup unit has exactly the same data that the management unit has when it fails. For example, the management unit might fail before the checkpoint service gets data to the backup if an event occurs shortly before a failover. Table 9-3 lists the applications on the switc[...]
170 Utility Switch Stack MAC Addressing and Stack Design Considerations The switch stack uses the MAC addresses 1 assigned to the management unit. If the backup unit assumes control due to a management unit failure or warm restart, the backup unit continues to use the original management unit's MAC addresses. This reduces the amount of di[...]
Utility 171 Configuration Examples The actual configuration of the feature is simple. NSF is either enabled or disabled. The examples in this section describe how the NSF feature acts in various environments and with various switch applications. Data Center Figure 9-1 illustrates a data center scenario, where the stack of two PowerConne[...]
172 Utility VoIP Figure 9-2 shows how nonstop forwarding maintains existing voice calls during a management unit failure. Assume the top unit is the management unit. When the management unit fails, the call from phone A is immediately disconnected. The call from phone B continues. On the uplink, the forwarding plane removes the failed L[...]
Utility 173 Figure 9-3. NSF and DHCP Snooping If the management unit fails, all hosts connected to that unit lose network access until that unit reboots. The hardware on surviving units continues to enforce source filters IPSG installed prior to the failover. Valid hosts continue to communicate normally. During the failover, the hardwa[...]
174 Utility Storage Access Network Scenario Figure 9-4 illustrates a stack of three PowerConnect 6200 Series switches connecting two servers (iSCSI initiators) to a disk array (iSCSI targets). There are two iSCSI connections as follows: Session A: 10.1.1.10 to 10.1.1.3 Session B: 10.1.1.11 to 10.1.1.1 An iSCSI application running on [...]
Utility 175 Routed Access Scenario Figure 9-5 shows a stack of three units serving as an access router for a set of hosts. Two LAGs connect the stack to two aggregation routers. Each LAG is a member of a VLAN routing interface. The stack has OSPF and PIM adjacencies with each of the aggregation routers. The top unit in the stack is [...]
176 Utility[...]