Dell POWERCONNECT 6200 SERIES manual



A good user manual

The rules require the retailer to provide the buyer with the manual for the Dell POWERCONNECT 6200 SERIES product. The absence of a manual, or incorrect information supplied to the consumer, is grounds for a complaint that the product does not conform to the contract. Under the law, the manual may be supplied in a form other than paper, which is frequently done by attaching a graphical form or an electronic Dell POWERCONNECT 6200 SERIES manual, or instructional videos for users. The condition is that it be legible and understandable.

What is a manual?

The word comes from the Latin "instructio", to instruct. So in the Dell POWERCONNECT 6200 SERIES manual you will find a description of the stages of a process. The purpose of the manual is to instruct: to make it easier to start up and use the equipment or to carry out certain tasks. The manual is a collection of information about the object or service, a guide.

Unfortunately, few users take the time to read the Dell POWERCONNECT 6200 SERIES manual, yet a good manual not only introduces a number of additional features of the device but also prevents most failures.

So what should the perfect manual contain?

First, the Dell POWERCONNECT 6200 SERIES manual should contain:
- technical data of the Dell POWERCONNECT 6200 SERIES device
- the manufacturer's name and the year of manufacture of the Dell POWERCONNECT 6200 SERIES device
- instructions for use, adjustment and maintenance of the Dell POWERCONNECT 6200 SERIES device
- safety signs and certificates confirming compliance with the relevant standards

Why don't you read manuals?

Usually this is due to a lack of time and to confidence about the specific functionality of the purchased device. Unfortunately, simply connecting and starting up the Dell POWERCONNECT 6200 SERIES is not enough. The manual contains a range of guidance on specific features, safety, maintenance methods (including which products should be used), possible Dell POWERCONNECT 6200 SERIES defects, and ways to resolve common problems during use. Finally, the manual gives the contact details for Dell service in case the proposed solutions do not work. Today, manuals in the form of engaging animations and instructional videos, which speak to the user better than a leaflet, are highly appreciated. This kind of manual gives the user a chance to go through the whole instructional video without skipping the complicated Dell POWERCONNECT 6200 SERIES specifications and technical descriptions, as happens with the paper version.

Why read manuals?

First of all, they contain the answers about the construction and capabilities of the Dell POWERCONNECT 6200 SERIES device, the use of individual accessories, and a range of information for making full use of all its features and conveniences.

After the successful purchase of a piece of equipment or device, it is worth taking a moment to get familiar with every part of the Dell POWERCONNECT 6200 SERIES manual. Today these are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic informational function.

Manual index

  • Página 1

    www .dell.com | support.dell.com Dell™ PowerConnect™ 6200 Series Configuration Guide Model: PC6224, PC6248, P C6224P , PC6248P , and PC6224F[...]

  • Página 2

    Notes, Cautions, and W arnings NOTE: A NOT E indic ates impor tant i nforma tio n that he lps you make bet ter us e of you r comput er . CAUTION: A CAUTION indicates p otential damage to hardware or loss of data if in structions are not f ollowed. WA RN IN G : A WARNING indica tes a po tent ia l for pro pert y dama ge, pe rson al in jury, or death [...]

  • Página 3

    3 Contents 1 About this Document . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Orga nization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Additio nal Documentatio n . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2 System Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 T rac e[...]

  • Página 4

    4 3 Switching Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 29 Vi rt u a l L A N s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 VLA N Config uration Example . . . . . . . . . . . . . . . . . . . . . . . . 30 CLI Exa mples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 W e b Int erfac[...]

  • Página 5

    5 sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Overv iew . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 sFlow Agent s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 CLI Exa mples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 4 Routing Configur[...]

  • Página 6

    6 5 Device Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 802.1x Network Acce ss Control . . . . . . . . . . . . . . . . . . . . . . . . 106 802. 1x Network Acces s Control Exa mples . . . . . . . . . . . . . . . . 106 802.1 X Authentic ation and VLANs . . . . . . . . . . . . . . . . . . . . . . . 109 Authe nti cate d and [...]

  • Página 7

    7 6I P v 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Overv iew . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Interfac e Configu ration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 CLI Exa mple . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 7 Qual[...]

  • Página 8

    8 9 Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 Auto Co nfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2 Overv iew . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Functi onal Descr ipti on . . . . . . . . . . . . . . . . . . . . . . . . . . 162 CLI Exa mp[...]

  • Página 9

    About th is Document 9 1 About this Document This configuration guide provides examples of how to use the Dell™P owerConnect™ 6200 Series switch in a typical network. It describes the adv a ntages of specific functi ons the P owerConnect 6200 Series swit ch provides and includes informat ion ab ou t configuring those functions using the command[...]

  • Página 10

    10 About this Docume nt Additional Do cumentation The following do cum entation pro vides additional informat ion about P owerConnect 6200 Serie s sof tware: •T h e CLI Comman d Reference for your Dell P owerConnect swi tch describes th e commands av ailable from the comm and-line in terface (CLI) for m ana gin g, mon itoring, and configu ring th[...]

  • Página 11

    System Configur ation 11 2 System Configuratio n This section prov ides configuration scenarios for the following featur es: •" T r a c e r o u t e " o n p a g e 1 2 • "C onfigura tion Scrip ting" on page 13 • "Outb ound T el net" on pag e 16 • "Simple Network Time P rotocol (SNTP)" on p age 17 • &q[...]

  • Página 12

    12 System C onfi gurat ion T rac eroute Use T ra cerout e to discove r the route s that packets take when tr aveling on a hop-by-ho p basi s to their destination through the network . • Maps network rout es by sending pack ets with small T ime-to-Live (TTL) values and watches t he ICMP time -out a nnouncemen ts • Command di splays a ll L3 devi [...]

  • Página 13

    System Configur ation 13 --More-- or (q)uit 20 64.233.174.99 250 ms 240 ms 250 ms Hop Count = 20 Last T TL = 30 Test attempt = 90 Test Success = 90 Configuration Scripting Configuration scripting allows y ou to generate a te xt-f ormatted scrip t file that show s the curr e nt s y stem configuration. Y ou can generate mu ltiple scrip t s and upl o [...]

  • Página 14

    14 System C onfi gurat ion CLI Exa m ples The following are e xamples of the comma nds used for configurations scripting. Exam ple # 1: Viewin g the Scri pt O ptio ns console#script ? apply Applies configuration script to the switch. delete Deletes a configuratio n script file from the switch. list Lists all configuratio n script files present on t[...]

  • Página 15

    System Configur ation 15 Example #4: Copying the Active Configuration into a Sc ript Use this command to captur e the running configuration into a script . console#show running- config running-config.scr Config script created successfully. Exam ple # 5: Upload in g a Conf igura tion Scri pt t o th e T FTP Ser ver Use this command to upload a confi [...]

  • Página 16

    16 System C onfi gurat ion exit configure logging web-session bridge aging-time 100 exit Configuration script validated. File transfer operati on completed successfully. Exam ple #7: Validatin g a Scr ipt console#script valida te abc.scr ip address dhcp username "admin" pass word 16d7a4fca7442dda3ad93c9a726597e4 level 15 encrypted exit Co[...]

  • Página 17

    System Configur ation 17 CLI Exa m ples The following are e xamples of the commands used in the out bound telnet feature. Exam ple #1: Conne ctin g to Anot her System by Usin g T eln et console#telnet 192.16 8.77.151 Trying 192.168.77.151 ... console# User:admin Password: (Dell PC62XX Routing) >enable Password: console#show ip inter face Managem[...]

  • Página 18

    18 System C onfi gurat ion CLI Exa m ples The following are e xamples of the commands used in the SN TP feature. Exam ple #1: Viewin g SNTP Option s (Dell PC62XX Routing) (Config) #sntp ? console(config)#sntp ? authenticate Require authentication for received Network Time Protocol (NTP) traffic from servers. authentication-key Defi ne an authentica[...]

  • Página 19

    System Configur ation 19 Exam ple #3: Viewin g SNTP I nform ation console#show sntp ? configuration Show the configuration of the Simple Network Time Protocol (SNTP). status To show the status of the Simple Network Time Protocol (SNTP). console#show sntp con figuration Polling interval: 64 seconds MD5 Authentication ke ys: Authentication is not req[...]

  • Página 20

    20 System C onfi gurat ion Syslog Overview Syslog: • A llow s y ou to sto re sy ste m m es sag es a nd /o r err or s. • Can store to local files on the switch or a remote server running a syslog daemon. • P rovides a meth od of collecting mess age logs from many systems . Interpreting Lo g Files F igur e 2-1 describ e s the i nformation that [...]

  • Página 21

    System Configur ation 21 Web Session Logging : disabled SNMP Set Command Logg ing : disabled 0 Messages were not l ogged. Buffer Log: <189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c(908) 31 %% Instance 0 has electe d a new STP root: 8000:00ff:f2a3:8888 <189> JAN 01 03:57:58 10.27.65.86-1 TRAPMGR[216282304]: traputil.c[...]

  • Página 22

    22 System C onfi gurat ion alert Immediate action needed critical Critical conditions debug Debugging messages emergency System is unusable error Error conditions info Informational messages notice Normal but significant conditions warning Warning conditions console(Config-loggin g)#level critical Port D escrip tion The P ort D escription feature l[...]

  • Página 23

    System Configur ation 23 Storm Control A traffic storm occurs when incoming pack ets flood the LAN result ing in network performance degradation. The St orm Control featur e protects against this condition. The switch so ftware p rovides broadcast, multicast, and unicast storm r ecovery for individual interfaces. Unicast St o rm Control pro tects a[...]

  • Página 24

    24 System C onfi gurat ion Example #1: Set Broadcast Storm Control for an Interface console#configure console(config)#inter face ethernet 1/g17 console(config-if-1/g17)#storm-control broadcast ? <cr> Press enter to execute the command. level Configure storm-control thresholds. console(config-if-1/g17)#storm-control broadcast level ? <rate&[...]

  • Página 25

    System Configur ation 25 Cable Diagno stics This sectio n describes: • "Copper P ort Cable T est" on page 2 5 • "F iber P ort Cable T est" on page 27 NOTE: Cab le Diag nost ics is support ed on SFP/XFP ports but not on the Sta ckin g/CX- 4/SFP +/10Gb aseT po rts. Copper Port Cabl e T est The cable test feature enables you to[...]

  • Página 26

    26 System C onfi gurat ion Exam ple #1: Cabl e T est for Co pper Ports console#test copper-p ort tdr 1/g1 Cable Status......... .......................... Short Cable Length......... .......................... 5m console#show copper-p orts tdr Port Result Le ngth [meters] Date ------- ------ -- ------------- --------------------- 1/g1 Short 9 Jan 0[...]

  • Página 27

    System Configur ation 27 Exa mple #3 : Show La st T im e Doma in Refle ctometry T ests Use the show copper-ports tdr comm and in P rivileged EXEC mode to display the last Time Domai n Refle ctometry (TDR) tests o n specifi ed ports . The following examp le displays the last TDR tests on a ll ports. console#show copper-ports tdr Port Result Length [[...]

  • Página 28

    28 System C onfi gurat ion[...]

  • Página 29

    Switch ing Confi guratio n 29 3 Switching Configuration This section prov ides configuration scenarios for the following featur es: • "Virtual LANs " on page 29 • "V oice VLAN" on page 3 7 • "IGMP Snooping" on page 40 • "IGMP Snooping Q uerier" on page 43 • "Link Aggr egatio n/P ort Channels &q[...]

  • Página 30

    30 Switch ing C onfigu rat ion • The IP -subnet Ba sed VLAN featur e lets you map IP addr esses to VLANs by specifyi ng a source IP addr ess, net work mask, and the desir ed VLAN ID. • The MAC-based VL AN feature let packets originating fr om end stat ions become p art of a VLAN accor ding to so urce MAC addr ess. T o confi gur e the fe ature, [...]

  • Página 31

    Switch ing Confi guratio n 31 CLI Exa m ples T h e f o l l o w i n g e x a m p l e s s h o w h o w t o c r e a te V L A N s , a s s i g n p o r t s t o t h e V L A N s, a n d a s s i g n a V L A N a s t h e default VLAN to a port. Exam ple #1: Crea te T wo VLAN s Use the following commands to create two VLANs and to assign the V LAN IDs while leavi[...]

  • Página 32

    32 Switch ing C onfigu rat ion Example #3: Assign Ports to VLAN3 This e xample shows how to assign the ports t hat will belong to VLAN 3. Unta gg ed frames will be acce pted on ports 1/g19 a nd 1/ g20. Note tha t port 1/g1 8 bel ongs to b oth VL ANs and t hat port 1/g1 7 can neve r belo ng to VLA N 3. console(config)#interface ethernet 1/g18 cconso[...]

  • Página 33

    Switch ing Confi guratio n 33 Exa mple #6 : View Infor mation About VL AN 2 console#show ip interface vlan 2 Primary IP Address............................ 192.168.10.33/255.255.255.0 Routing Mode.................................. Ena ble Administrative Mode........................... Ena ble Forward Net Directed Broadcasts............... Dis able [...]

  • Página 34

    34 Switch ing C onfigu rat ion IP Subne t and MAC-Based VLANs In additio n to port-based VLANs, the sw itch also support s VLANs that are bas ed on the IP addr ess or MA C address of a host. W ith IP subnet and MA C-based VL ANs, the VLAN member ship is determined by the address of the ho st rather tha n the port to which the host i s attached. CLI[...]

  • Página 35

    Switch ing Confi guratio n 35 Exam ple # 4: Viewing IP S ubn et a nd MA C-Ba sed V LAN Ass ociat ions console#show vlan association mac MAC Address VLAN ID ----------------- ------- 00FF.F2A3.8886 10 console#show vlan association subnet IP Subnet IP Mask VLAN ID ---------------- ---------------- ------- 192.168.25.0 255.255.255.0 10 192.168.1.11 25[...]

  • Página 36

    36 Switch ing C onfigu rat ion CLI Exa m ple Exam ple #1: Con figur ing a P rotec ted Po rt The comm ands in t his exampl e name the protected p ort gro up 1 “PP_ T e st” and a ssign po rts 1 and 2 to the grou p. console(config)#switchport protected 1 name PP_Tes t console(config)#interface ethernet 1/g17 console(config-if-1/g17)#switchport pro[...]

  • Página 37

    Switch ing Confi guratio n 37 Vo i c e V L A N V o ice VLAN enable s switch ports to carry voice tra ffic with a de fined priority in order to en able th e separati on of voice a nd data traffic com ing onto the por t. A prima ry benefi t of using V oice VLAN is to ensure that t he sound quality of an IP p hone is safe guarded from det eriorating w[...]

  • Página 38

    38 Switch ing C onfigu rat ion • Wh en a dot1p prio rity is assoc iate d w ith th e V oice V LAN por t instea d of a VL AN I D, th en th e prio rit y inform ation is p assed onto th e VOIP phone usin g the LLD P - MED mechan ism. B y this m ethod, th e voic e data coming from the V OIP ph one is tagge d with VLAN 0 and with t he ex chang e d pr i[...]

  • Página 39

    Switch ing Confi guratio n 39 Exam ple #2: Conf iguri ng Voice VLAN on an Unau then tica ted Po rt I n s o m e n e t w o r k s , m u lt i p l e d e v i c e s ( f o r ex a m p l e, a P C , Pr i n t e r , a n d p h o n e ) a re c o n n e c t e d t o a si n g l e p o r t on t he switch . The PCs and pr inters are a uthenti cated b y 802.1X , but th e [...]

  • Página 40

    40 Switch ing C onfigu rat ion IGMP Snoopin g This sect ion describes the Inte rnet Group Manage ment P rotocol (IGMP) Snooping feature. IGMP Snooping enables the s witch to moni tor IGMP tr ansa ctions between ho sts and routers. It can help conserve bandwidth by allowing the switch to forwar d IP mult icast traffic only to connected hosts that re[...]

  • Página 41

    Switch ing Confi guratio n 41 1. Create VLAN 1 00. console#configure console(config)#vlan database console(config-vlan)#vlan 100 2. Enable IGMP snooping on the VLAN. console(config-vlan)#ip igmp snooping 100 console(config-vlan)#exit 3. F orbid the forw ard i ng of unregistered multicast a d dresses on VLAN 100 to prevent multicast floodin g to por[...]

  • Página 42

    42 Switch ing C onfigu rat ion 9. View information about the IGM P snoop ing configu ration. console#show ip igmp snooping Admin Mode..................................... Ena ble Multicast Control Frame Count.................. 0 Interfaces Enabled for IGMP Snooping........... Non e Vlans enabled for IGMP snooping................ 100 In this e xampl[...]

  • Página 43

    Switch ing Confi guratio n 43 Multicast Packets Received..................... 62 6494 Broadcast Packets Received..................... 0 console#show statistics ethernet 1/g10 ... Total Packets Received Without Errors.......... 12 Unicast Packets Received....................... 0 Multicast Packets Received..................... 12 Broadcast Packets R[...]

  • Página 44

    44 Switch ing C onfigu rat ion Exa m ple #2: Conf igure I GMP Snoo ping Que rier Prop erties The firs t com man d in this e x ampl e sets the IGMP Quer ier Qu ery Inte rval time to 1 00. Th is me ans that the swit ch waits 100 s econds befor e sending another general query . The second command sets the IGMP Querier ti me r e xpiration period to 100[...]

  • Página 45

    Switch ing Confi guratio n 45 Exa mple #5: Show IGMP S nooping Qu erier Inf ormati on for VLAN 10 console#show ip igmp snooping querier vlan 10 Vlan 10 : IGMP Snooping querier status ---------------------------------------------- IGMP Snooping Querier Vlan Mode................ En able Querier Election Participate Mode.............. En able Querier [...]

  • Página 46

    46 Switch ing C onfigu rat ion CLI Exa m ple The following shows an e xample of configuring the softwar e to suppor t Link Aggr egation (L AG) to a server and t o a Layer 3 switch. F igur e 3-3 shows the exampl e network. Figur e 3-3. LA G/Port- chan nel Exa mple Net work D iagra m Subnet 3 Port 1/0/8 LAG_20 Lay er 2 Switch Port 1/0/9 LAG_20 Serve [...]

  • Página 47

    Switch ing Confi guratio n 47 Exa m ple 1: Creat e Names f or T wo Port-Chan nels console#configure console(config)#interface port-channel 1 console(config-if-ch1)#description lag_1 console(config-if-ch1)#exit console(config)#interface port-channel 2 console(config-if-ch2)#description lag_2 console(config-if-ch2)#exit Exam ple 2 : A dd th e Ph ysi [...]

  • Página 48

    48 Switch ing C onfigu rat ion ch2 No Configured Ports 3 ch3 No Configured Ports 3 ch4 No Configured Ports 3 ch5 No Configured Ports 3 ch6 No Configured Ports 3 ch7 No Configured Ports 3 ch8 No Configured Ports 3 ch9 No Configured Ports 3 ch10 No Configured Ports 3 ch11 No Configured Ports 3 ch12 No Configured Ports 3 ch13 No Configured Ports 3 ch1[...]

  • Página 49

    Switch ing Confi guratio n 49 Port Mirrorin g This section describes the P ort Mirroring feature, whic h can serve as a diag nostic tool, debugging to o l, or mea ns of fe ndin g off at tacks. Overview P ort mirroring selects network traffic from specific po rt s for analysis by a networ k analyzer , while allowing the same t raffic to be sw itched[...]

  • Página 50

    50 Switch ing C onfigu rat ion Port Security This sectio n describes the P ort Security fe ature. Overview P ort Security : • Allow s for lim iting the num ber o f MAC ad dresses on a giv en po rt. • P ackets that have a mat ching MAC ad dress (secur e packe ts) ar e forwar ded; all other pack ets (uns ecure packets) ar e restricted. • Enable[...]

  • Página 51

    Switch ing Confi guratio n 51 CLI Exa m ples The following are e xamples of the commands used in the P ort Security feature. Exam ple #1: Enab le P ort Secu rity on a n I nter fac e console(config)#interface ethernet 1/g18 console(config-if-1/g18)#port security ? <cr> Press enter to execute th e command. discard Discard frames with unlea rned[...]

  • Página 52

    52 Switch ing C onfigu rat ion Link Layer D iscovery Pr otocol The Link Layer D iscovery Pr o tocol (LLDP) fea ture allows individual interfaces on the switch to advertis e major capabil ities and p hysical de scription s. Networ k managers can view this information and identify system topology and detect ba d configurations on the LAN. LLDP has s [...]

  • Página 53

    Switch ing Confi guratio n 53 Exa m ple # 3: Show Glob al LLDP Param eters console#show lldp LLDP Global Configuration Transmit Interval............................ 30 s econds Transmit Hold Multiplier..................... 8 Reinit Delay................................. 5 se conds Notification Interval........................ 1000 seconds Exam ple [...]

  • Página 54

    54 Switch ing C onfigu rat ion Deni al of Service Attac k Protec tion This sectio n describes the P o werConnect 62 00 Se ries Denial of Service P rotection feature. Overview Denial of Servic e: •S p a n s t w o c a t e g o r i e s : – P rotect ion of the swi tch – P rotect ion of the ne twork • Pr otects agains t the expl oitation of a num[...]

  • Página 55

    Switch ing Confi guratio n 55 T able 3- 1 describes t he dos-control key w ord s . T abl e 3-1. DoS Contr ol CLI Exa m ples The commands shown be low show how to enab le DoS protection and vi ew its status. Exam ple # 1: Enab ling all DOS Con trol s console#configure console(config)#dos-control sipdip console(config)#dos-control firstfrag console(c[...]

  • Página 56

    56 Switch ing C onfigu rat ion Example #2: V iewing the DoS Configuration Information console#show dos-control SIPDIP Mode.................................... En able First Fragment Mode............................ En able Min TCP Hdr Size............................... 20 TCP Fragment Mode.............................. En able TCP Flag Mode.......[...]

  • Página 57

    Switch ing Confi guratio n 57 The har dware rate limits DHCP pack ets sent to the CP U from interfaces to 64 Kbps. The DHCP sno o ping appli cation processes incoming DHCP messag e s. F o r DHCPRELEASE and DHCPDEC LINE messages, the a pplication comp ares the r eceive i nterface and V LAN with the client interfa ce and VLAN in the bi ndings datab a[...]

  • Página 58

    58 Switch ing C onfigu rat ion Figure 3-4. DHCP Bind ing The DHCP snoo ping co mponent does not forward server messages since they are forwarded in hardware. DHCP snooping forwar ds valid DHCP client messages r ecei ved on un-truste d interfac es to all trusted interfac es within the V LAN. The binding's data base includes the followi ng infor[...]

  • Página 59

    Switch ing Confi guratio n 59 CLI Exa m ples The commands below show exa mples of configuring DHCP Snooping for the switch and for individual interfaces. Exa mple #1 Enab le DHCP snoo ping for the sw itch console(config)#ip dhcp snooping console(config)#exit console# Exa mple #2 Enab le DHCP snoo ping on a VLAN console(config)#ip dhcp snooping vlan[...]

  • Página 60

    60 Switch ing C onfigu rat ion console(config)# console(config)#exit Exa m ple #6 Conf igure D HCP snoo ping dat abase Pe rsiste ncy inte rval console(config)#ip dhcp snooping database write-de lay 500 console(config)# console(config)#exit Exam ple #7 C onfi gure an inter fac e as DHC P snoo ping trust ed console(config-if-1/g1)#ip dhcp snooping tr[...]

  • Página 61

    Switch ing Confi guratio n 61 Exa mple #10 Sho w DHCP Sno oping confi guratio n on VLANs and Por ts show ip dhcp snooping binding DHCP snooping is Enabled DHCP snooping source MAC verification is enabled DHCP snooping is enabled on the following VLANs: 1 Interface Trusted Log Invalid Pkts ----------- ---------- ---------------- 1/g1 Yes Yes 1/g2 No[...]

  • Página 62

    62 Switch ing C onfigu rat ion ----------- ---------- ---------------- 1/g15 No No 1/g16 No No 1/g17 No No 1/g18 No No 1/g19 No No 1/g20 No No 1/g21 No No 1/g22 No No 1/g23 No No 1/g24 No No 1/xg3 No No 1/xg4 No No ch1 No No ch2 No No ch3 No No ch4 No No ch5 No No ch6 No No --More-- or (q)uit console#[...]

  • Página 63

    Switch ing Confi guratio n 63 Exa mple #12 Sho w DHCP Sno oping datab ase confi guratio ns console#show ip dhcp snooping database agent url: local write-delay: 500 console# Exam ple # 13 Show DHC P Sn oop ing b ind ing e ntri es Total number of bindi ngs: 2 MAC Address IP Address VLAN Interface Type Lease (Secs) ----------------- -- ------------- -[...]

  • Página 64

    64 Switch ing C onfigu rat ion 1/g3 No 15 1 1/g4 No 15 1 1/g5 No 15 1 1/g6 No 15 1 1/g7 No 15 1 1/g8 No 15 1 1/g9 No 15 1 1/g10 No 15 1 1/g11 No 15 1 1/g12 No 15 1 1/g13 No 15 1 1/g14 No 15 1 1/g15 No 15 1 1/g16 No 15 1 1/g17 No 15 1 1/g18 No 15 1 --More-- or (q)uit 1/g19 No 15 1 1/g20 No 15 1 1/g21 No 15 1 1/g22 No 15 1 1/g23 No 15 1 1/g24 No 15 1[...]

  • Página 65

    Switch ing Confi guratio n 65 ch3 No 15 1 ch4 No 15 1 ch5 No 15 1 ch6 No 15 1 ch7 No 15 1 ch8 No 15 1 ch9 No 15 1 ch10 No 15 1 --More-- or (q)uit console# Example #15 Show D HCP Snooping Per Port Statistics console#show ip dhcp snooping statistics Interface MAC Verify Client Ifc DHCP Serve r Failures Mismatch Msgs Rec'd ----------- ---------- [...]

  • Página 66

    66 Switch ing C onfigu rat ion 1/g11 0 0 0 1/g12 0 0 0 1/g13 0 0 0 1/g14 0 0 0 1/g15 0 0 0 1/g16 0 0 0 1/g17 0 0 0 1/g18 0 0 0 1/g19 0 0 0 1/g20 0 0 0 --More-- or (q)uit 1/g21 0 0 0 1/g22 0 0 0 1/g23 0 0 0 1/g24 0 0 0 1/xg3 0 0 0 1/xg4 0 0 0 ch1 0 0 0 ch2 0 0 0 ch3 0 0 0 ch4 0 0 0 ch5 0 0 0 ch6 0 0 0 ch7 0 0 0 ch8 0 0 0 ch9 0 0 0 ch10 0 0 0 ch11 0 [...]

  • Página 67

    Switch ing Confi guratio n 67 ch13 0 0 0 ch14 0 0 0 ch15 0 0 0 ch16 0 0 0 ch17 0 0 0 --More-- or (q)uit sFlow This sectio n describes the sFlow feature. s Flow is the industry standard fo r monitoring high-spee d switch ed and route d networ ks. sFlow te chnology is built i nto netw ork equip ment and giv es compl ete visibi lity i nto netwo rk act[...]

  • Página 68

    68 Switch ing C onfigu rat ion The advantages of using sFlow ar e: • It is possibl e to monitor al l ports of th e switch conti nuously , with no i mpact on the dist ributed switching perf ormance. • Minim al memory /CPU is r equ ir e d. Samples are not aggregated into a flow-table on th e switch; they a r e forwarded immediately over the netwo[...]

  • Página 69

    Switch ing Confi guratio n 69 The mech anism involv es a counter t hat is decr emen ted w ith each pack et. When th e counter r eaches zero a sample is taken. 5. When a sam ple is taken, the counter ind icating how many packets to skip before t a king the next sample is reset. The value of th e counter is set to a ran dom integer wh er e th e seque[...]

  • Página 70

    70 Switch ing C onfigu rat ion Exa m ple # 4: Show the s F low co nfigur ation for rec eiver ind ex 1 console#show sflow 1 destination Receiver Index................................. 1 Owner String................................... si te77 Time out....................................... 15 29 IP Address:.................................... 30 .30.[...]

  • Página 71

    Switch ing Confi guratio n 71 Example #6: Show sFlow polling for receiver index 1 console#show sflow 1 polling Poller Receiver Poller Data Source Index Interval ----------- ------- ------- 1/g1 1 200 1/g2 1 200 1/g3 1 200 1/g4 1 200 1/g5 1 200 1/g6 1 200 1/g7 1 200 1/g8 1 200 1/g9 1 200 1/g10 1 200 1/g15 1 400[...]

  • Página 72

    72 Switch ing C onfigu rat ion[...]

  • Página 73

    Rou ting Configu ration 73 4 Routing Co nfiguration This sectio n describes configurat ion scenari o s and instr uct ions for the following routing featur es: • "V LAN Rout ing" on page 74 • "Virtual Router Redun dancy P rotocol" on page 77 • "Proxy Addr ess Resolution P rotocol (ARP) " on page 80 •" O S P[...]

  • Página 74

    74 Rou ting Configu ration VLAN Routing This section prov ides an exampl e of how to config ure P owerConnect 6200 Series s oftware to support VLA N r ou tin g. NOTE: The managemen t VLAN cannot be conf igure d as a routin g int erfac e. The swi tch may also be mana ged vi a VLAN rout ing in ter fac es. CLI Exa m ples The diagram in t his section s[...]

  • Página 75

    Rou ting Configu ration 75 console(config-vlan)#vlan 10 console(config-vlan)#vlan 20 console(config-vlan)#exit Exam ple 2 : Co nfig ure th e VLAN Me mbers The following code sequence shows an example o f adding po rts to the VLANs and a ssigning the P VID for each port. The PVID determine s the VLAN ID assigned to unt agged frames received on the p[...]

  • Página 76

    76 Rou ting Configu ration Exa mple 3: Set Up VLA N Rout ing for th e VLANs and As sign an IP Add ress The following co de seque nce shows how to enab le routing for the VLANs and how to configure the IP addr esses and subnet mas k s for t he virtual r outer ports.: console#configure console(config)#interface vlan 10 console(config-if-vlan10)#routi[...]

  • Página 77

    Rou ting Configu ration 77 V irtual Rou ter Redundan cy Protocol When an end station is statically configured with the addr ess of the rou ter that will handle its routed traffic, a s ingle point of failur e is introduced int o th e network. If the rou ter goes down, the en d station is unable to communicate. Since static confi g uration is a conve[...]

  • Página 78

    78 Rou ting Configu ration Configuring VRRP on the Switch as a Master Rou te r 1 Enable rou ting for th e switch. IP forw arding is then ena bled by def ault. console#config console(config)#ip routing 2 Configur e the IP addr esses and subnet masks f or th e VLAN routin g interface t hat wi ll particip ate in the protocol: console(config)#interface[...]

  • Página 79

    Rou ting Configu ration 79 4 Assign virtual router ID to the interfac e that will participate in th e protocol: console(config)#interface vlan 50 console(config-if-vlan50)#ip vrrp 20 5 Specify the IP ad dress that the virt ual router function w ill recognize. console(config-if-vlan50)#ip vrrp 20 ip 192.150.2.1 6 Set the priority for the interface. [...]

  • Page 80

    Proxy Address Resolution Protocol (ARP) This section describes the Proxy Address Resolution Protocol (ARP) feature. Overview • Proxy ARP allows a router to answer ARP requests where the target IP address is not the router itself but a destination that the router can reach. • If a host does not know t[...]

  • Page 81

    Active State................................... Inactive Link Speed Data Rate........................... 10 Half MAC Address.................................... 00FF.F2A3.888A Encapsulation Type............................. Ethernet IP MTU......................................... 1500 OSPF Larger networks typically u[...]

  • Page 82

    A virtual link can be used to connect an area to Area 0 when a direct link is not possible. A virtual link traverses an area between the remote area and Area 0 (see Figure 4-5). A stub area is an area that does not receive routes that were learned from a protocol other than OSPF or were statically configured. [...]

  • Page 83

    External routes are those imported into OSPF from other routing protocols or processes. OSPF computes the path cost differently for external type 1 and external type 2 routes. The cost of an external type 1 route is the cost advertised in the external LSA plus the path cost from the calculating router to the ASBR.[...]

  • Page 84

    IPv4 (OSPFv2) IPv6 (OSPFv3) • Enable routing for the switch: console#config ip routing exit console#config ipv6 unicast-routing exit Enable routing and assign IP for VLANs 70, 80 and 90. config interface vlan 70 routing ip address 192.150.2.2 255.255.255.0 exit interface vlan 80 routing ip address 192.130.3.1 2[...]

  • Page 85

    Example 2: Configuring Stub and NSSA Areas In this example, Area 0 connects directly to two other areas: Area 1 is defined as a stub area and Area 2 is defined as an NSSA area. NOTE: OSPFv2 and OSPFv3 can operate concurrently on a network and on the same interfaces (although they do n[...]

  • Page 86

    Figure 4-4. OSPF Configuration—Stub Area and NSSA Area Configure Router A: Router A is a backbone router. It links to an ASBR (not defined here) that routes traffic outside the AS. • Globally enable IPv6 and IPv4 routing: (console)#configure ipv6 unicast-routing ip routing • Configure IP a[...]

  • Page 87

    ipv6 address 3000:3:100::/64 eui64 ip ospf area 0.0.0.0 ipv6 ospf exit • Define an OSPF router: ipv6 router ospf router-id 3.3.3.3 exit router ospf router-id 3.3.3.3 exit exit Configure Router B: Router B is an ABR that connects Area 0 to Areas 1 and 2. • Configure IPv6 and IPv4 routing. The static routes ar[...]

  • Page 88

    • For IPv4: Define an OSPF router. Define Area 1 as a stub. Enable OSPF for IPv4 on VLANs 10, 5, and 17 by globally defining the range of IP addresses associated with each interface, and then associating those ranges with Areas 1, 0, and 17, respectively. Then, configure a metric cost to associate with s[...]

  • Page 89

    Example 3: Configuring a Virtual Link In this example, Area 0 connects directly to Area 1. A virtual link is defined that traverses Area 1 and connects to Area 2. Figure 4-5 illustrates this example OSPF configuration. Figure 4-5. OSPF Configuration—Virtual Link Configure Router A: Router A is a ba[...]

  • Page 90

    router ospf router-id 3.3.3.3 network 10.2.3.0 0.0.0.255 area 0.0.0.0 exit exit Configure Router B: Router B is an ABR that directly connects Area 0 to Area 1. In addition to the configuration steps described in the previous example, we define a virtual link that traverses Area 1 to Router C (5.5.5.5). (console)#c[...]

  • Page 91

    routing ip address 10.1.2.1 255.255.255.0 ipv6 address 3000:1:2::/64 eui64 ipv6 ospf ipv6 ospf areaid 1 exit interface vlan 11 routing ip address 10.1.101.1 255.255.255.0 ipv6 address 3000:1:101::/64 eui64 ipv6 ospf ipv6 ospf areaid 2 exit ipv6 router ospf router-id 5.5.5.5 area 0.0.0.1 virtual-link 4.4.4.4 exit router[...]

  • Page 92

    Routing Information Protocol Routing Information Protocol (RIP) is one of the protocols which may be used by routers to exchange network topology information. It is characterized as an “interior” gateway protocol, and is typically used in small to medium-sized networks. RIP Configuration A router running RIP [...]

  • Page 93

    CLI Examples The configuration commands used in the following example enable RIP on ports vlan 2 and vlan 3 as shown in the network illustrated in Figure 4-6. Figure 4-6. Port Routing Example Network Diagram Example #1: Enable Routing for the Switch The following sequence enables routing for the switch: [...]

  • Page 94

    Example #3. Enable RIP for the Switch The next sequence enables RIP for the switch. The route preference defaults to 15. console#config router rip enable exit exit Example #4. Enable RIP for the VLAN Routing Interfaces This command sequence enables RIP for VLAN 2 and VLAN 3. Authentication defaults to none[...]

  • Page 95

    Route Preferences You can use route preference assignment to control how the router chooses which routes to use when alternatives exist. This section describes three uses of route preference assignment: • "Assigning Administrative Preferences to Routing Protocols" on page 95 • "Using Eq[...]

  • Page 96

    Example 1: Configure Administrative Preferences The following commands configure the administrative preference for the RIP and OSPF: console#Config router rip distance rip 130 exit For OSPF, an additional parameter identifies the type of OSPF route that the preference value applies to: router ospf dis[...]

  • Page 97

    Using Equal Cost Multipath The equal cost multipath (ECMP) feature allows a router to use more than one next hop to forward packets to a given destination prefix. It can be used to promote a more optimal use of network resources and bandwidth. A router that does not use ECMP forwards all packets to a given dest[...]

  • Page 98

    Routing protocols can also be configured to compute ECMP routes. For example, referring to Figure 4-8, if OSPF were configured on both links connecting Router A and Router B, and if Router B advertised its connection to 20.0.0.0/8, then Router A could compute an OSPF route to 20.0.0.0/8 with next hops of 10.1[...]

  • Page 99

    Loopback Interfaces PowerConnect 6200 Series software provides for the creation, deletion, and management of loopback interfaces. A loopback interface is a software-only interface that is not associated with a physical location; as such it is not dependent on the physical status of a particular router inter[...]

  • Page 100

    IP MTU......................................... 1500 Bandwidth...................................... 100000 kbps Destination Unreachables....................... Enabled ICMP Redirects................................. Enabled To delete a loopback interface, enter the following command from the Global Config mode: c[...]

  • Page 101

    Table 4-1. Default Ports - UDP Port Numbers Implied By Wildcard The switch limits the number of relay entries to four times the maximum number of VLAN routing interfaces (512 relay entries). There is no limit to the number of relay entries on an individual interface, and no limit to the number of servers for[...]

  • Page 102

    The relay agent only relays packets that meet the following conditions: • The destination MAC address must be the all-ones broadcast address (FF:FF:FF:FF:FF:FF). • The destination IP address must be the limited broadcast address (255.255.255.255) or a directed broadcast address for the recei[...]

  • Page 103

    Example 5: Enable IP Helper on a VLAN Routing Interface to a Server (DHCP and DNS) To relay DHCP and DNS packets to 192.168.30.1, use the following commands: console(config-if-vlan100)#ip helper-address 192.168.30.1 dhcp console(config-if-vlan100)#ip helper-address 192.168.30.1 domain Example 6: Enable IP[...]

  • Page 104

    Example 7: Show IP Helper Configurations The following command shows IP Helper configurations: console#show ip helper-a IP helper is enabled Interface UDP Port Discard Hit Count Server Address -------------------- ----------- ---------- ---------- ------------------ vlan 100 domain No 0 192.168.30.1 vlan 100 dhcp[...]

  • Page 105

    Device Security 105 5 Device Security This section describes configuration scenarios for the following features: • "802.1x Network Access Control" on page 106 • "802.1X Authentication and VLANs" on page 109 • "Authentication Server Filter Assignment" on page 111 • "Access Control [...]

  • Page 106

    802.1x Network Access Control Port-based network access control allows the operation of a system’s port(s) to be controlled to ensure that access to its services is permitted only by systems that are authorized to do so. Port Access Control provides a means of preventing unauthorized access by supplicants or users to [...]

  • Page 107

    Figure 5-1. Switch with 802.1x Network Access Control If a user, or supplicant, attempts to communicate via the switch on any interface except interface 1/g1, the system challenges the supplicant for login credentials. The system encrypts the provided information and transmits it to the RADIUS server. If th[...]

  • Page 108

    Example #2: MAC-Based Authentication Mode The PowerConnect 6200 Series switches support MAC-based 802.1X authentication. This feature allows multiple hosts to authenticate on a single port. The hosts are distinguished by their MAC addresses. When multiple hosts (for example, a PC, a printer, and a phone in t[...]

  • Page 109

    802.1X Authentication and VLANs The PowerConnect 6200 Series switches allow a port to be placed into a particular VLAN based on the result or type of 802.1X authentication a client uses when it accesses the switch. The RADIUS server or IEEE 802.1X Authenticator can provide information to the switch about which VLAN [...]

  • Page 110

    VLAN and the port is moved to the authorized state, allowing access to the client. However, if the port is in MAC-based 802.1X authentication mode, it will not move to the authorized state. MAC-based mode makes it possible for both authenticated and guest c[...]

  • Page 111

    Authentication Server Filter Assignment The PowerConnect 6200 Series switches allow the external 802.1X Authenticator or RADIUS server to assign DiffServ policies to users that authenticate to the switch. When a host (supplicant) attempts to connect to the network through a port, the switch contacts the 802.1[...]

  • Page 112

    Ingress ACLs support Flow-based Mirroring and ACL Logging, which have the following characteristics: • Flow-based mirroring is the ability to mirror traffic that matches a permit rule to a specific physical port or LAG. Flow-based mirroring is similar to the redirect function, except that in flow-based mi[...]

  • Page 113

    Egress ACL Limitations Egress ACLs have some additional limitations. The following limitations apply to egress ACLs only: • Egress ACLs support IP Protocol/Destination, IP Address Source/Destination, L4 Source/Destination port, IP DSCP, IP ToS, and IP precedence match conditions only. • MAC ACLs ar[...]

  • Page 114

    IP ACLs IP ACLs classify for Layers 3 and 4. Each ACL is a set of up to ten rules applied to inbound traffic. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network, and may apply to one or more of the following fields within a packet: • Destination IP[...]

  • Page 115

    IP ACL CLI Example The script in this section shows you how to set up an IP ACL with two rules, one applicable to TCP traffic and one to UDP traffic. The content of the two rules is the same. TCP and UDP packets will only be accepted by the PowerConnect 6200 Series switch if the source and destination stations [...]

  • Page 116

    Step 1: Create an ACL and Define an ACL Rule This command creates an ACL named list1 and configures a rule for the ACL. After the mask has been applied, it permits packets carrying TCP traffic that matches the specified Source IP address, and sends these packets to the specified Destination IP address. console#c[...]

  • Page 117

    Step 4: Viewing the MAC ACL Information console#show mac access-lists Current number of all ACLs: 2 Maximum number of all ACLs: 100 MAC ACL Name Rules Interface(s) Direction --------------------- ---------- ----- ------------------------- --------- mac1 1 1/g5 Inbound console#show mac access-lists mac1 MAC ACL Name: mac1 [...]

  • Page 118

    attributes containing configuration information. If the server rejects the user, it returns a negative result. If the server rejects the client or the shared “secrets” differ, the server returns no result. If the server requires additional verification from the user, it returns a challenge, and the request pro[...]

  • Page 119

    Figure 5-3. RADIUS Servers in a Network When a user attempts to log in, the switch prompts for a username and password. The switch then attempts to communicate with the primary RADIUS server at 10.10.10.10. Upon successful connection with the server, the login credentials are exchanged over an encrypted channel. [...]

  • Page 120

    Example #2: Set the NAS-IP Address for the RADIUS Server The NAS-IP address attribute identifies the IP Address of the network authentication server (NAS) that is requesting authentication of the user. The address should be unique to the NAS within the scope of the RADIUS server. The NAS-IP-Address is only used in[...]

  • Page 121

    Figure 5-4. PowerConnect 6200 Series Switch with TACACS+ When a user attempts to log into the switch, the NAS or switch prompts for a username and password. The switch attempts to communicate with the highest priority configured TACACS+ server at 10.10.10.10. Upon successful connection with the server, the swit[...]

  • Page 122

    802.1x MAC Authentication Bypass (MAB) MAB is a supplemental authentication mechanism that allows 802.1x unaware clients, such as printers and fax machines, to authenticate to the network using the client MAC address as an identifier. The known and allowable MAC address and corresponding access right[...]

  • Page 123

    Figure 5-5. MAB Operation – Authentications Based on MAC Address in Database CLI Examples Example 1: Enable/Disable MAB To enable/disable MAB on interface 1/5, use the following commands: console(config-if-1/g5)#dot1x mac-auth-bypass console(config-if-1/g5)#no dot1x mac-auth-bypass Client DOT1x/MAB RADIUS T[...]

  • Page 124

    Example 2: Show MAB Configuration To show the MAB configuration for interface 1/5, use the following command: console#show dot1x ethernet 1/g5 Administrative Mode............... Enabled Port Admin Oper Reauth Reauth Mode Mode Control Period ------- ------------------ ------------ ------- - ---------- 1/g5 mac-based Au[...]

  • Page 125

    Captive Portal Overview The Captive Portal feature is a software implementation that allows client access only on user verification. Verification can be configured to allow access for guest and authenticated users. Users must be validated against a database of authorized captive portal users locally or through a rad[...]

  • Page 126

    In the unknown state, the CP doesn't redirect HTTP/S traffic to the switch, but queries the switch to determine whether the client is authenticated or unauthenticated. In the Unauthenticated state, the CP directs the HTTP/S traffic to the switch to allow the client to authenticate with the switch. O[...]

  • Page 127

    All new captive portal instances are also assigned to the "Default" group. The administrator can create new groups and modify the user/group association to only allow a subset of users access to a specific captive portal instance. Network access is granted upon successful verification of user credentials. A [...]

  • Page 128

    In response to the request, the authenticated user is removed from the connection status tables. If the client logout request feature is not enabled, or the user does not specifically request logout, the connection status remains authenticated until Captive Portal deauthenticates (session timeout, idle time, et[...]

  • Page 129

    Captive Portal Statistics Client session statistics are available for both guest and authenticated users. Client statistics are used to enforce the idle timeout and other limits configured for the user and captive portal instance. Client statistics may not be cleared by the administrator since this would affec[...]

  • Page 130

    console#show captive-portal Administrative Mode....................... Enabled Operational Status........................ Enabled Disable Reason............................ Administrator Disabled Captive Portal IP Address................. 1.2.3.4 Example 6: Show Captive Portal Instances To show the status of all Captive[...]

  • Page 131

    Example 7: Modify the Default Captive Portal Configuration (Change Verification Method to Local) To change the verification method to local, use the following command: console(config-CP 1)#verification local To view the configuration change, use the following command: console#show captive-portal configuration 1 status C[...]

  • Page 132

    To create a local user, use the following command: console(Config-CP)#user 1 name user1 console(config-CP)#user 1 password Enter password (8 to 64 characters): ******** Re-enter password: ******** console(Config-CP)#user 1 session-timeout 14400 To verify the creation of a local user, use the following command: console#show[...]

  • Page 133

    Operational Block Interface Interface Description Status Status --------- ----------- ----------------------------- ------------ ----------- 1/g18 Unit: 1 Slot: 0 Port: 18 Gigabit - Level Disabled Not Blocked To view the status of a captive client (connected to 1/g18), use the following command: console#show captive-por[...]

  • Page 134

    134 Device Security[...]

  • Page 135

    IPv6 135 6 IPv6 This section includes the following subsections: • "Overview" on page 135 • "Interface Configuration" on page 135 Overview There are many conceptual similarities between IPv4 and IPv6 network operation. Addresses still have a network prefix portion (subnet) and a device interface specific portion [...]

  • Page 136

    • Allocated from part of the IPv6 unicast address space • Not visible off the local link • Not globally unique Next hop addresses computed by routing protocols are usually link-local. During a transition period, a global IPv6 Internet backbone may not be available. The solution to this is to tunnel IPv6 packets inside IP[...]

  • Page 137

    ip ospf area 0.0.0.0 exit interface vlan 2 routing ipv6 enable ipv6 address 2020:1::1/64 ipv6 ospf ipv6 ospf network point-to-point exit interface tunnel 0 ipv6 address 2001::1/64 tunnel mode ipv6ip tunnel source 20.20.20.1 tunnel destination 10.10.10.1 ipv6 ospf ipv6 ospf network point-to-point exit interface loopback 0 ip address 1.1[...]

  • Page 138

    ipv6 address 2020:2::2/64 ipv6 ospf ipv6 ospf network point-to-point exit interface tunnel 0 ipv6 address 2001::2/64 tunnel mode ipv6ip tunnel source 10.10.10.1 tunnel destination 20.20.20.1 ipv6 ospf ipv6 ospf network point-to-point exit interface loopback 0 ip address 2.2.2.2 255.255.255.0 exit exit[...]

  • Page 139

    Quality of Service 139 7 Quality of Service This section includes the following subsections: • "Class of Service Queuing" on page 139 • "Differentiated Services" on page 143 Class of Service Queuing The Class of Service (CoS) feature lets you give preferential treatment to certain types of traffic over others. To s[...]

  • Page 140

    CoS Mapping Table for Trusted Ports Mapping is from the designated field values on trusted ports’ incoming packets to a traffic class priority (actually a CoS traffic queue). The trusted port field-to-traffic class configuration entries form the Mapping Table the switch uses to direct ingress packets f[...]

  • Page 141

    Figure 7-1. CoS Mapping and Queue Configuration Continuing this example, you configured the egress Port 1/g8 for strict priority on queue 6, and set a weighted scheduling scheme for queues 5-0. Assuming queue 5 has a higher weighting than queue 1 (relative weight values shown as a percentage, with 0% indic[...]

  • Page 142

    Figure 7-2. CoS1/g Configuration Example System Diagram You will configure the ingress interface uniquely for all cos-queue and VLAN parameters. console#config interface ethernet 1/g10 classofservice trust dot1p classofservice dot1p-mapping 6 3 vlan priority 2 exit interface ethernet 1/g8 cos-queue min-bandwidth [...]

  • Page 143

    Differentiated Services Differentiated Services (DiffServ) is one technique for implementing Quality of Service (QoS) policies. Using DiffServ in your network allows you to directly configure the relevant parameters on the switches and routers rather than using a resource reservation protocol. This section explains how[...]

  • Page 144

    CLI Example This example shows how a network administrator can provide equal access to the Internet (or other external network) to different departments within a company. Each of four departments has its own Class B subnet that is allocated 25% of the available bandwidth on the port accessing the Internet. Fig[...]

  • Page 145

    match srcip 172.16.20.0 255.255.255.0 exit class-map match-all test_dept match srcip 172.16.30.0 255.255.255.0 exit class-map match-all development_dept match srcip 172.16.40.0 255.255.255.0 exit Create a DiffServ policy for inbound traffic named internet_access, adding the previously created department classe[...]

  • Page 146

    Set the CoS queue configuration for the (presumed) egress interface 1/g5 such that each of queues 1, 2, 3 and 4 get a minimum guaranteed bandwidth of 25%. All queues for this interface use weighted round robin scheduling by default. The DiffServ inbound policy designates that these queues are to be used for the dep[...]

  • Page 147

    Figure 7-4. DiffServ VoIP Example Network Diagram[...]

  • Page 148

    Example #2: Configuring DiffServ VoIP Support Enter Global Config mode. Set queue 6 on all ports to use strict priority mode. This queue shall be used for all VoIP packets. Activate DiffServ for the switch. console#config cos-queue strict 6 diffserv Create a DiffServ classifier named class_voip and define a sing[...]

  • Page 149

    Multicast 149 8 Multicast This section provides configuration scenarios for the following features: • "IGMP Configuration" on page 150 • "IGMP Proxy" on page 151 • "DVMRP" on page 152 • "PIM" on page 154 • "Multicast Routing and IGMP Snooping" on page 157[...]

  • Page 150

    When to Enable IP Multicast on the PowerConnect 6200 Series Switch Use the IP multicast feature on the PowerConnect 6200 Series switch to route multicast traffic between VLANs on the switch. If all hosts connected to the switch are on the same subnet, there is no need to configure the IP multicast feature. If the swit[...]

  • Page 151

    IGMP Proxy IGMP proxy enables a multicast router to learn multicast group membership information and forward multicast packets based upon the group membership information. The IGMP Proxy is capable of functioning only in certain topologies that do not require Multicast Routing Protocols (i.e., DVMRP, PIM-DM, and PI[...]

  • Page 152

    Example #2: View IGMP Proxy Configuration Data You can use various commands from Privileged EXEC or User EXEC modes to show IGMP proxy configuration data. • Use the following command to display a summary of the host interface status parameters. It displays the parameters only when IGMP Proxy is enabled. console[...]

  • Page 153

    CLI Example The following example configures two DVMRP interfaces. First, this example configures an OSPF router 1 and globally enables IP routing and IP multicast. IGMP is globally enabled so that this router can manage group membership information for its directly-connected hosts (IGMP may not be required when there[...]

  • Page 154

    PIM Protocol Independent Multicast (PIM) is a standard multicast routing protocol that provides scalable inter-domain multicast routing across the Internet, independent of the mechanisms provided by any particular unicast routing protocol. PIM has two types: • PIM-Dense Mode (PIM-DM) • PIM-Sparse Mode (PIM-SM) PI[...]

  • Page 155

    Example: PIM-SM The following example configures PIM-SM for IPv4 on a router. First, configure an OSPF 1 router and globally enable IP routing, multicast, IGMP, and PIM-SM. Next, configure a PIM-SM rendezvous point with an IP address and group range. The IP address will serve as an RP for the range of potential multicast[...]

  • Page 156

    To minimize the repeated flooding of datagrams and subsequent pruning associated with a particular source-group (S,G) pair, PIM-DM uses a State Refresh message. This message is sent by the router(s) directly connected to the source and is propagated throughout the network. When received by a router on its RPF interface, the State Refresh mes[...]

  • Page 157

    Multicast Routing and IGMP Snooping In this example, ports 1/g5 and 1/g10 are members of VLAN 100, and port 1/g15 is a member of VLAN 200. Both VLANs are configured as VLAN routing interfaces and are in different subnets. IGMP snooping is configured on VLAN 100 so that a member port will receive multicast d[...]

  • Page 158

    8 Globally enable IGMP snooping, IP multicast, IGMP, and PIM-DM on the switch. console(config)# ip igmp snooping console(config)# ip multicast console(config)# ip igmp console(config)# ip pimdm NOTE: Only one multicast routing protocol (PIM-SM, PIM-DM, or DVMRP) can be enabled globally on the switch at a time. [...]

  • Page 159

    console#show ip igmp IGMP Admin Mode................................ Enabled IGMP Router-Alert check........................ Disabled IGMP INTERFACE STATUS Interface Interface-Mode Operational-Status --------- -------------- ---------------- vlan 100 Enabled Operational vlan 200 Enabled Operational The host connected to interface[...]

  • Page 160

    160 Multicast[...]

  • Page 161

    Utility 161 9 Utility This section describes the following features: • "Auto Config" on page 162 • "Nonstop Forwarding on a Switch Stack" on page 168[...]

  • Page 162

    Auto Config Overview Auto Config is a software feature that automatically configures a switch when the device is initialized and no configuration file is found on the switch. Auto Config is accomplished in three phases: 1 Assignment (configuration) of an IP address for the device 2 Assignment of a TFTP server 3 Obtaining[...]

  • Page 163

    – The hostname of the TFTP server (option 66 or sname). Either the TFTP address or name is specified (not both) in most network configurations. If a TFTP hostname is given, a DNS server is required to translate the name to an IP address. – The IP address of the TFTP server (option 150). – The address of the TFTP serv[...]

  • Page 164

    Once a hostname has been determined, the switch then issues a TFTP request for a file named "<hostname>.cfg", where <hostname> is the first 32 characters of the switch's hostname. If the switch is unable to map its IP address to a hostname, Auto Config sends TFTP requests for the default configurati[...]

  • Page 165

    Host-Specific Config File Not Found If the Auto Config process fails to download a configuration file, a message is logged. If a final configuration file is not downloaded, as described in Table 9-1, the Auto Config procedure continues to issue TFTP broadcast requests. The frequency of the broadcasts is once per 10 minute per[...]

  • Page 166

    Dependency Upon Other Network Services The Auto Config process depends upon the following network services: • A DHCP or BOOTP server must be configured on the network with appropriate services. • A configuration file for the switch must be available from a TFTP server on the network. • The switch must be connecte[...]

  • Page 167

    TFTP Client The TFTP client downloads configuration files and sends TFTP requests to the broadcast IP address (255.255.255.255). DNS Client The DNS client resolves an IP address to a hostname and resolves a hostname to an IP address (reverse IP address to hostname mapp[...]

  • Page 168

    Nonstop Forwarding on a Switch Stack Networking devices, such as the PowerConnect 6200 Series switches, are often described in terms of three semi-independent functions called the forwarding plane, the control plane, and the management plane. The forwarding plane forwards data packets and is implemented in hardware. The contr[...]

  • Page 169

    NOTE: The switch cannot guarantee that a backup unit has exactly the same data that the management unit has when it fails. For example, the management unit might fail before the checkpoint service gets data to the backup if an event occurs shortly before a failover. Table 9-3 lists the applications on the swi[...]

  • Page 170

    Switch Stack MAC Addressing and Stack Design Considerations
    The switch stack uses the MAC addresses¹ assigned to the management unit. If the backup unit assumes control due to a management unit failure or warm restart, the backup unit continues to use the original management unit's MAC addresses. This reduces the amount of[...]

  • Page 171

    Configuration Examples
    The actual configuration of the feature is simple. NSF is either enabled or disabled. The examples in this section describe how the NSF feature acts in various environments and with various switch applications.
    Data Center
    Figure 9-1 illustrates a data center scenario, where the stack of two PowerCo[...]

  • Page 172

    VoIP
    Figure 9-2 shows how nonstop forwarding maintains existing voice calls during a management unit failure. Assume the top unit is the management unit. When the management unit fails, the call from phone A is immediately disconnected. The call from phone B continues. On the uplink, the forwarding plane removes the faile[...]

  • Page 173

    Figure 9-3. NSF and DHCP Snooping
    If the management unit fails, all hosts connected to that unit lose network access until that unit reboots. The hardware on surviving units continues to enforce the IPSG (IP Source Guard) source filters installed prior to the failover. Valid hosts continue to communicate normally. During the failover, the hardw[...]

  • Page 174

    Storage Access Network Scenario
    Figure 9-4 illustrates a stack of three PowerConnect 6200 Series switches connecting two servers (iSCSI initiators) to a disk array (iSCSI targets). There are two iSCSI connections as follows: Session A: 10.1.1.10 to 10.1.1.3; Session B: 10.1.1.11 to 10.1.1.1. An iSCSI application running on[...]

  • Page 175

    Routed Access Scenario
    Figure 9-5 shows a stack of three units serving as an access router for a set of hosts. Two LAGs connect the stack to two aggregation routers. Each LAG is a member of a VLAN routing interface. The stack has OSPF and PIM adjacencies with each of the aggregation routers. The top unit in the stack is [...]
