Page 1 Dell PowerConnect M6220, M6348, M8024, and M8024-k Switch User’s Configuration Guide Regulatory Models: PCM6220, PCM6348, PCM8024, and PCM8024-k...
Page 2: Notes And Cautions
Other trademarks and trade names may be used in this publication to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.
Page 3: Table Of Contents
Contents Introduction ..... . . About This Document ....Audience .
Page 4: Table Of Contents
Stacking Features (PCM6220 and PCM6348 Only) ..High Port Count ....Single IP Management ....Automatic Firmware Upgrade for New Stack Members .
Page 5: Table Of Contents
Switching Features ....Flow Control Support (IEEE 802.3x) ..Head of Line Blocking Prevention .
Page 6: Table Of Contents
Rapid Spanning Tree ....Multiple Spanning Tree ....Bridge Protocol Data Unit (BPDU) Guard .
Page 7: Table Of Contents
Priority-based Flow Control (PFC) ..Internet Small Computer System Interface (iSCSI) Optimization ....Layer 2 Multicast Features .
Page 8: Table Of Contents
Using Dell OpenManage Switch Administrator ..... About Dell OpenManage Switch Administrator ..Starting the Application ....
Page 9: Table Of Contents
Recalling Commands from the History Buffer . . . Specifying Physical Ports ... . . Default Settings ....Setting the IP Address and Other Basic Network Information .
Page 10: Table Of Contents
Configuring Static Network Information on the OOB Port ....Configuring Static Network Information on the Default VLAN ....Configuring and Viewing Additional Network Information .
Page 11: Table Of Contents
Stack Port Summary ....Stack Port Counters ....Stack Port Diagnostics .
Page 12: Table Of Contents
Default Management Security Values ..Controlling Management Access (Web) ..Access Profile ....Authentication Profiles .
Page 13: Table Of Contents
Configuring HTTP and HTTPS Access ..Configuring DoS Information ... . Management Access Configuration Examples ..Configuring a Management Access List .
Page 14: Table Of Contents
Log File ..... . Remote Log Server ....Email Alert Global Configuration .
Page 15: Table Of Contents
Default General System Information ..Default Port Aggregator Configurations ..Configuring General System Settings (Web) ..System Information ....CLI Banner .
Page 16: Table Of Contents
General System Settings Configuration Examples ......Configuring System and Banner Information . . . Configuring SNTP ....Configuring the Time Manually .
Page 17: Table Of Contents
SNMP Configuration Examples ... . . Configuring SNMPv1 and SNMPv2 ..Configuring SNMPv3 ....13 Managing Images and Files .
Page 18: Table Of Contents
14 Automatically Updating the Image and Configuration ... . Auto Configuration Overview ... . . What Is the DHCP Auto Configuration Process? .
Page 19: Table Of Contents
sFlow Sampler Configuration ... . sFlow Poll Configuration ....Interface Statistics ....Etherlike Statistics .
Page 20: Table Of Contents
....How Does iSCSI Optimization Interact With Dell EqualLogic Arrays? ... What Occurs When iSCSI is Enabled or Disabled? .
Page 21: Table Of Contents
Default Captive Portal Behavior and Settings ..Configuring the Captive Portal (Web) ..Captive Portal Global Configuration ..Captive Portal Configuration .
Page 22: Table Of Contents
Default Port Values ....Configuring Port Characteristics (Web) ..Port Configuration ....Link Dependency Configuration .
Page 23: Table Of Contents
Port Access Control Configuration ..Port Access Control History Log Summary ..Port Security ....Internal Authentication Server Users Configuration .
Page 24: Table Of Contents
What Are the ACL Limitations? ..How Are ACLs Configured? ... . Configuring ACLs (Web) ....IP ACL Configuration .
Page 25: Table Of Contents
....VLAN Configuration Examples ... . . Configuring VLANs Using Dell OpenManage Administrator ... .
Page 26: Table Of Contents
22 Configuring the Spanning Tree Protocol ......STP Overview ..... What Are Classic STP, Multiple STP, and Rapid STP? .
Page 27: Table Of Contents
What is LLDP? ....What is LLDP-MED? ....Why are Device Discovery Protocols Needed? .
Page 28: Table Of Contents
24 Configuring Port-Based Traffic Control ......Port-Based Traffic Control Overview ..What is Flow Control? .
Page 29: Table Of Contents
25 Configuring L2 Multicast Features ..L2 Multicast Overview ....What Are the Multicast Bridging Features? ..What Is IP Multicast Traffic? .
Page 30: Table Of Contents
Configuring L2 Multicast Features (CLI) ..Configuring Bridge Multicasting ..Configuring IGMP Snooping ... Configuring IGMP Snooping on VLANs .
Page 31: Table Of Contents
Dot1ag L2 Ping ....Dot1ag L2 Traceroute ....Dot1ag L2 Traceroute Cache .
Page 32: Table Of Contents
IPSG Interface Configuration ... IPSG Binding Configuration ... . IPSG Binding Summary ....DAI Global Configuration .
Page 33: Table Of Contents
Configuring Link Aggregation (Web) ..LAG Configuration ....LACP Parameters ....LAG Membership .
Page 34: Table Of Contents
30 Configuring Routing Interfaces ..Routing Interface Overview ....What Are VLAN Routing Interfaces? ..What Are Loopback Interfaces? .
Page 35: Table Of Contents
Configuring the DHCP Server (Web) ... DHCP Server Network Properties ..Address Pool ....Address Pool Options .
Page 36: Table Of Contents
Route Entry Configuration ... . . Configured Routes ....Route Preferences Configuration ..Configuring IP Routing Features (CLI) .
Page 37: Table Of Contents
Configuring L2 and L3 Relay Features (CLI) ..Configuring L2 DHCP Relay ... . . Configuring L3 Relay (IP Helper) Settings ..Relay Agent Configuration Example .
Page 38: Table Of Contents
Configuring OSPFv3 Features (Web) ..OSPFv3 Configuration ....OSPFv3 Area Configuration ... . OSPFv3 Stub Area Summary .
Page 39: Table Of Contents
OSPF Configuration Examples 1003 ... . . Configuring an OSPF Border Router and Setting Interface Costs 1003 ....Configuring Stub and NSSA Areas for OSPF and OSPFv3 1005...
Page 40: Table Of Contents
36 Configuring VRRP 1033 ....VRRP Overview 1033 ..... How Does VRRP Work? 1033 .
Page 41: Table Of Contents
Configuring IPv6 Routing Features (Web) 1061 ..Global Configuration 1061 ....Interface Configuration 1062 ....Interface Summary 1063 .
Page 42: Table Of Contents
DHCPv6 Pool Summary 1084 ....DHCPv6 Interface Configuration 1085 ..DHCPv6 Server Bindings Summary 1087 ..DHCPv6 Statistics 1088 .
Page 43: Table Of Contents
Class Criteria 1102 ....Policy Configuration 1104 ....Policy Class Definition 1106 .
Page 44: Table Of Contents
Interface Queue Configuration 1134 ..Interface Queue Drop Precedence Configuration 1135 ....Configuring CoS (CLI) 1137 .
Page 45: Table Of Contents
What Is IGMP? 1153 ....What Is MLD? 1154 ....What Is PIM? 1155 .
Page 46: Table Of Contents
MLD Routing Interface Source List Information 1182 ....MLD Traffic 1183 ....MLD Proxy Configuration 1184 .
Page 47: Table Of Contents
Configuring and Viewing MLD Proxy 1214 ..Configuring and Viewing PIM-DM for IPv4 Multicast Routing 1215 ....Configuring and Viewing PIM-DM for IPv6 Multicast Routing 1216 .
Page 48 Contents...
Page 49: Introduction
Introduction The Dell PowerConnect M6220, M6348, M8024, and M8024-k switches are Layer 3, blade switches that operate in the Dell PowerEdge M1000e system. The M1000e system can support up to 16 server blades and six PowerConnect M6220, M6348, M8024, and M8024-k blade switches.
Page 50: About This Document, Audience, Document Conventions
About This Document This guide describes how to configure, monitor, and maintain a Dell PowerConnect M6220, M6348, M8024, and M8024-k switch by using Web- based Dell OpenManage Switch Administrator utility or the command-line interface (CLI). Audience This guide is for network administrators in charge of managing one or more PowerConnect M6220, M6348, M8024, and M8024-k switches.
Page 51: Additional Documentation
Additional Documentation The following documents for the PowerConnect M6220, M6348, M8024, and M8024-k switches are available at support.dell.com/manuals: Getting Started Guide— provides information about the switch models in • the series, including front and back panel features. It also describes the installation and initial configuration procedures.
Page 52 Introduction...
Page 53: Switch Features
Switch Features This section describes the switch user-configurable software features. NOTE: Before proceeding, read the release notes for this product. The release notes are part of the firmware download. The topics covered in this section include: • System Management • Link Aggregation Features Features &...
Page 54: System Management Features, Multiple Management Options, Simple Mode
Multiple Management Options You can use any of the following methods to manage the switch: • Use a Web browser to access the Dell OpenManage Switch Administrator interface. The switch contains an embedded Web server that serves HTML pages. •...
Page 55: Port Aggregator, System Time Management, Log Messages
Port Aggregator The Port Aggregator feature minimizes the administration required for managing the PowerConnect M6220/M6348/M8024/M8024-k switch. When the switch is operating in simple mode, the administrator can map internal ports to external ports without having to know anything about STP, VLANs, Link Aggregation or other L2/L3 protocols.
Page 56: Integrated Dhcp Server, Management Of Basic Network Information, Ipv6 Management Features, Dual Software Images
Integrated DHCP Server PowerConnect M6220, M6348, M8024, and M8024-k switches include an integrated DHCP server that can deliver host-specific configuration information to hosts on the network. The switch DHCP server allows you to configure IP address pools (scopes), and when a host’s DHCP client requests an address, the switch DHCP server automatically assigns the host an address from the pool.
Page 57: File Management, Switch Database Management Templates, Automatic Installation Of Firmware And Configuration
File Management You can upload and download files such as configuration files and system images by using HTTP (web only), TFTP , Secure FTP (SFTP), or Secure Copy (SCP). Configuration file uploads from the switch to a server are a good way to back up the switch configuration.
Page 58: Sflow, Snmp Alarms And Trap Logs, Cdp Interoperability Through Isdp, Remote Monitoring (rmon)
sFlow sFlow is the standard for monitoring high-speed switched and routed networks. sFlow technology is built into network equipment and gives complete visibility into network activity, enabling effective management and control of network resources. The PowerConnect M6220, M6348, M8024, and M8024-k switches support sFlow version 5. For information about configuring managing sFlow settings, see "Monitoring Switch Traffic"...
Page 59: Stacking Features (pcm6220 And Pcm6348 Only), High Port Count, Single Ip Management, Members
Stacking Features (PCM6220 and PCM6348 Only) NOTE: PowerConnect M6220 switches can be stacked only with other PowerConnect M6220 switches. PCM6220 and PCM6348 switches cannot be combined within the same stack. For information about creating and maintaining a stack of switches, see "Managing a Switch Stack"...
Page 60: Master Failover With Transparent Transition, Nonstop Forwarding On The Stack, Synchronization, Security Features
Master Failover with Transparent Transition Standby The stacking feature supports a or backup unit that assumes the Master unit role if the Master unit in the stack fails. As soon as a Master failure is detected in the stack, the Standby unit initializes the control plane and enables all other stack units with the current configuration.
Page 61: Password-protected Management Access, Strong Password Enforcement, Tacacs+ Client, Radius Support
Password-Protected Management Access Access to the Web, CLI, and SNMP management interfaces is password protected, and there are no default users on the system. For information about configuring local user accounts, see "Controlling Management Access" on page 171. Strong Password Enforcement The Strong Password feature enforces a baseline password strength for all locally administered users.
Page 62: Ssh/ssl, Inbound Telnet Control, Denial Of Service, Captive Portal
SSH/SSL The switch supports Secure Shell (SSH) for secure, remote connections to the CLI and Secure Sockets Layer (SSL) to increase security when accessing the Web-based management interface. For information about configuring SSH and SSL settings, see "Controlling Management Access" on page 171. Inbound Telnet Control You can configure the switch to prevent new Telnet sessions from being established with the switch.
Page 63: Dot1x Authentication (ieee 802.1x), Mac-based 802.1x Authentication, Dot1x Monitor Mode, Mac-based Port Security
Dot1x Authentication (IEEE 802.1X) Dot1x authentication enables the authentication of system users through a local internal server or an external server. Only authenticated and approved system users can transmit and receive data. Supplicants are authenticated using the Extensible Authentication Protocol (EAP). Also supported are PEAP , EAP-TTL, EAP-TTLS, and EAP-TLS.
Page 64: Access Control Lists (acl), Time-based Acls, Ip Source Guard (ipsg)
Access Control Lists (ACL) Access Control Lists (ACLs) ensure that only authorized users have access to specific resources while blocking off any unwarranted attempts to reach network resources. ACLs are used to provide traffic flow control, restrict contents of routing updates, decide which types of traffic are forwarded or blocked, and above all provide security for the network.
Page 65: Dhcp Snooping, Dynamic Arp Inspection, Protected Ports (private Vlan Edge)
DHCP Snooping DHCP Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server. It filters harmful DHCP messages and builds a bindings database of (MAC address, IP address, VLAN ID, port) tuples that are specified as authorized. DHCP snooping can be enabled globally and on specific VLANs.
Page 66: Switching Features, Flow Control Support (ieee 802.3x), Head Of Line Blocking Prevention
For information about how to configure the AFS CLI Reference Guide feature, see the available at support.dell.com/manuals. Jumbo Frames Support Jumbo frames enable transporting data in fewer frames to ensure less overhead, lower processing time, and fewer interrupts.
Page 67: Vlan-aware Mac-based Switching, Back Pressure Support, Auto Negotiation, Broadcast Storm Control
VLAN-Aware MAC-based Switching Packets arriving from an unknown source address are sent to the CPU and added to the Hardware Table. Future packets addressed to or from this address are more efficiently forwarded. Back Pressure Support On half-duplex links, a receiver may prevent buffer overflows by occupying the link so that it is unavailable for additional traffic.
Page 68: Port Mirroring, Static And Dynamic Mac Address Tables, Link Layer Discovery Protocol (lldp)
Port Mirroring Port mirroring monitors and mirrors network traffic by forwarding copies of incoming and outgoing packets from up to four source ports to a monitoring port. The switch also supports flow-based mirroring, which allows you to copy certain types of traffic to a single destination port. This provides flexibility— instead of mirroring all ingress or egress traffic on a port the switch can mirror a subset of that traffic.
Page 69: Cisco Protocol Filtering, Dhcp Layer 2 Relay
Connectivity Fault Management (IEEE 802.1ag) NOTE: The Connectivity Fault Management feature is available only on the PowerConnect M6348. The Connectivity Fault Management (CFM) feature, also known as Dot1ag, supports Service Level Operations, Administration, and Management (OAM). CFM is the OAM Protocol provision for end-to-end service layer instance in carrier networks.
Page 70: Virtual Local Area Network Supported Features, Vlan Support, Port-based Vlans, Ip Subnet-based Vlan, Mac-based Vlan
Virtual Local Area Network Supported Features For information about configuring VLAN features see "Configuring VLANs" on page 575. VLAN Support VLANs are collections of switching ports that comprise a single broadcast domain. Packets are classified as belonging to a VLAN based on either the VLAN tag or a combination of the ingress port and packet contents.
Page 71: Garp And Gvrp Support, Voice Vlan, Guest Vlan, Double Vlans
GARP and GVRP Support The switch supports the configuration of Generic Attribute Registration Protocol (GARP) timers GARP VLAN Registration Protocol (GVRP) relies on the services provided by GARP to provide IEEE 802.1Q-compliant VLAN pruning and dynamic VLAN creation on 802.1Q trunk ports. When GVRP is enabled, the switch registers and propagates VLAN membership on all ports that are part of the active spanning tree protocol topology.
Page 72: Spanning Tree Protocol Features, Spanning Tree Protocol (stp), Spanning Tree Port Settings, Rapid Spanning Tree
Spanning Tree Protocol Features For information about configuring Spanning Tree Protocol features, see "Configuring the Spanning Tree Protocol" on page 633. Spanning Tree Protocol (STP) Spanning Tree Protocol (IEEE 802.1D) is a standard requirement of Layer 2 switches that allows bridges to automatically prevent and resolve L2 forwarding loops.
Page 73: Bridge Protocol Data Unit (bpdu) Guard, Bpdu Filtering, Link Aggregation Features, Link Aggregation
Bridge Protocol Data Unit (BPDU) Guard Spanning Tree BPDU Guard is used to disable the port in case a new device tries to enter the already existing topology of STP. Thus devices, which were originally not a part of STP, are not allowed to influence the STP topology. BPDU Filtering When spanning tree is disabled on a port, the BPDU Filtering feature allows BPDU packets received on that port to be dropped.
Page 74: Routing Features, Management, Vlan Routing, Ip Configuration, Open Shortest Path First (ospf)
Routing Features Address Resolution Protocol (ARP) Table Management You can create static ARP entries and manage many settings for the dynamic ARP table, such as age time for entries, retries, and cache size. For information about managing the ARP table, see "Configuring IP Routing" on page 895.
Page 75: Bootp/dhcp Relay Agent, Ip Helper And Udp Relay, Routing Information Protocol, Router Discovery, Routing Table
BOOTP/DHCP Relay Agent The switch BootP/DHCP Relay Agent feature relays BootP and DHCP messages between DHCP clients and DHCP servers that are located in different IP subnets. For information about configuring the BootP/DHCP Relay agent, see "Configuring L2 and L3 Relay Features" on page 919. IP Helper and UDP Relay The IP Helper and UDP Relay features provide the ability to relay various protocols to servers on a different subnet.
Page 76: Virtual Router Redundancy Protocol (vrrp), Tunnel And Loopback Interfaces, Ipv6 Routing Features, Ipv6 Configuration
Virtual Router Redundancy Protocol (VRRP) VRRP provides hosts with redundant routers in the network topology without any need for the hosts to reconfigure or know that there are multiple routers. If the primary (master) router fails, a secondary router assumes control and continues to use the virtual router IP (VRIP) address.
Page 77: Ipv6 Routes, Ospfv3, Dhcpv6
IPv6 Routes Because IPv4 and IPv6 can coexist on a network, the router on such a network needs to forward both traffic types. Given this coexistence, each switch maintains a separate routing table for IPv6 routes. The switch can forward IPv4 and IPv6 traffic over the same set of interfaces.
Page 78: Quality Of Service (qos) Features, Differentiated Services (diffserv), Class Of Service (cos)
Quality of Service (QoS) Features NOTE: Some features that can affect QoS, such as ACLs and Voice VLAN, are described in other sections within this chapter. Differentiated Services (DiffServ) The QoS Differentiated Services (DiffServ) feature allows traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors.
Page 79: Priority-based Flow Control (pfc), Internet Small Computer System Interface Iscsi) Optimization
Priority-based Flow Control (PFC) NOTE: PFC is supported only on the PCM8024-k. The PCM6220, PCM6348, and PCM8024 switches do not support PFC. The Priority-based Flow Control feature allows the user to pause or inhibit transmission of individual priorities within a single physical link. By configuring PFC to pause a congested priority (priorities) independently, protocols that are highly loss sensitive can share the same link with traffic that has different loss tolerances.
Page 80: Layer 2 Multicast Features, Mac Multicast Support, Igmp Snooping, Igmp Snooping Querier, Mld Snooping
Layer 2 Multicast Features For information about configuring L2 multicast features, see "Configuring L2 Multicast Features" on page 713. MAC Multicast Support Multicast service is a limited broadcast service that allows one-to-many and many-to-many connections. In Layer 2 multicast services, a single frame addressed to a specific multicast address is received, and copies of the frame to be transmitted on each relevant port are created.
Page 81: Multicast Vlan Registration, Layer 3 Multicast Features, Distance Vector Multicast Routing Protocol
Multicast VLAN Registration NOTE: MVR is not supported on the PowerConnect M6220. The Multicast VLAN Registration (MVR) protocol, like IGMP Snooping, allows a Layer 2 switch to listen to IGMP frames and forward the multicast traffic only to the receivers that request it. Unlike IGMP Snooping, MVR allows the switch to listen across different VLANs.
Page 82: Protocol Independent Multicast—dense Mode, Protocol Independent Multicast—sparse Mode, Protocol Independent Multicast—source Specific Multicast
Protocol Independent Multicast—Dense Mode Protocol Independent Multicast (PIM) is a standard multicast routing protocol that provides scalable inter-domain multicast routing across the Internet, independent of the mechanisms provided by any particular unicast routing protocol. The Protocol Independent Multicast-Dense Mode (PIM- DM) protocol uses an existing Unicast routing table and a Join/Prune/Graft mechanism to build a tree.
Page 83: Hardware Overview, Powerconnect M6220, M6348, M8024, And M8024-k Front Panel, Powerconnect M6220 Front Panel
Hardware Overview This section provides an overview of the switch hardware. The topics covered in this section include: • PowerConnect M6220, M6348, M8024, and M8024-k Front Panel • Console (RS-232) Port • Out-of-Band Management Port • LED Definitions PowerConnect M6220, M6348, M8024, and M8024-k Front Panel The images in this section show the front panels of the PowerConnect M6220, M6348, M8024, and M8024-k switches.
Page 84 Figure 3-1. PowerConnect M6220 Stacking Module or 10 Gb Module 10 Gb Module 10/100/100Base-T Auto-sensing Full-Duplex RJ-45 Ports Console Port • The switch automatically detects crossed and straight-through cables on RJ-45 ports. • The 10/100/100Base-T Auto-sensing RJ-45 ports support half- and full- duplex mode.
Page 85: Powerconnect M6348 Front Panel
PowerConnect M6348 Front Panel The PowerConnect M6348 front panel provides 16 10/100/1000Base-T ports. There are also 32 internal 1 gigabit ports that connect to each of the server blades. Figure 3-2. PowerConnect M6348 10/100/100Base-T Auto-sensing Full-Duplex RJ-45 Ports 10 Gb SFP+ Ports 10 Gb CX4 Ports Console Port Hardware Overview...
Page 86: Powerconnect M8024 Front Panel
PowerConnect M8024 Front Panel The PowerConnect M8024 front panel supports up to eight 10-gigabit ports. It has two 10-gigabit bays that can support SFP+, CX-4, or 10GBase-T modules. The SFP+ Module supports four ports, the CX-4 module supports three ports, and the 10GBase-T module supports two ports. The modules can be used in any combination and are sold separately.
Page 87: Powerconnect M8024-k Front Panel, Console (rs-232) Port
PowerConnect M8024-k Front Panel The PowerConnect M8024-k front panel includes four SFP+ ports an expansion slot for 10-Gigabit modules. The expansion slot can support SFP+, CX-4, or 10GBase-T modules. The SFP+ Module supports four ports, the CX-4 module supports three ports, and the 10GBase-T module supports two ports.
Page 88: Console Redirect, Out-of-band Management Port
CLI. Console Redirect The Dell M1000e Server Chassis includes a console redirect feature that allows you to manage each PCM6220, PCM6348, PCM8024, and PCM8024-k module from a single serial connection to the chassis. For more...
Page 89: Led Definitions, Port Leds
LED Definitions This section describes the light emitting diodes (LEDs) on the front panel of the switch and on the optional modules that plug into the back panel. Port LEDs The integrated external 10/100/1000Base-T switch ports on the PowerConnect M6220 and M6348 switches include two LEDs. The integrated SFP+ switch ports on the PowerConnect M8024-k include one LED.
Page 90 SFP+ Port LEDs (PowerConnect M6348 and M8024-k) Each integrated SFP port on the PowerConnect M6348 switch includes two LEDs. Table 3-3 contains SFP port LED definitions for the PowerConnect M6348. Table 3-2. PowerConnect M6348 SFP+ Port LEDs Definitions Color/Activity Definition Green solid The port is linked.
Page 91: Module Leds
Module LEDs The 10GBase-T module has two or three LEDs per port, the SFP+ module has one LED per port, and the Stacking/10 GbE module does not have any LEDs. 10GBase-T Module LEDs Each 10GBase-T Module has three LEDs. Table 3-4 contains 10GBase-T port LED definitions for the PowerConnect M6220 and M8024.
Page 92 SFP+ Port LEDs Table 3-5 contains LED definitions for SFP+ port on the plug-in module available for PowerConnect M6220, M6348, M8024, and M8024-k switches. Table 3-5. SFP+ Port LEDs Definitions Color/Activity Definition LNK/ACT Green solid The port is linked. Green blinking The port is sending and/or receiving network traffic.
Page 93: System Leds
System LEDs The system LEDs for the PowerConnect M6220, M6348, M8024, and M8024-k switches are located on the right side of the front panel next to the console port. Figure 3-6. System LEDs System Status LED System Power LED Table 3-7 contains the status LED definitions for the PowerConnect M6220 and M6348 switches.
Page 94 Table 3-8 contains the status LED definitions for the PowerConnect M8024 and M8024-k switches. Table 3-8. PCM8024 and PCM8024-k Power and Status LED Definitions Color Definition Green Power is being supplied to the switch. The switch does not have power. Blue The switch is operating normally.
Page 95: Administrator, About Dell Openmanage Switch Administrator
Dell OpenManage Switch Administrator is a Web-based tool to help you manage and monitor a PowerConnect M6220/M6348/M8024/M8024-k switch. Table 4-1 lists the Web browsers that are compatible with Dell OpenManage Switch Administrator. The browsers have been tested on a PC running the Microsoft Windows operating system.
Page 96: Starting The Application
Starting the Application To access the Dell OpenManage Switch Administrator and log on to the switch: 1 Open a web browser. 2 Enter the IP address of the switch in the address bar and press <Enter>. For information about assigning an IP address to a switch, see "Setting the IP Address and Other Basic Network Information"...
Page 97: Understanding The Interface
5 The Dell OpenManage Switch Administrator home page displays. The home page is the Device Information page, which contains a graphical representation of the front panel of the switch. For more information about the home page, see "Device Information" on page 244.
Page 98 Save, Print, Refresh, Help Configuration and Status Options Command Button Using the Switch Administrator Buttons and Links Table 4-2 describes the buttons and links available from the Dell OpenManage Switch Administrator interface. Table 4-2. Button and Link Descriptions Button or Link Description...
Page 99: Defining Fields
Defining Fields User-defined fields can contain 1 159 characters, unless otherwise noted on – the Dell OpenManage Switch Administrator Web page. All characters may be used except for the following: • • •...
Page 100: Understanding The Device View, Using The Device View Port Features
Each port image is a hyperlink to the Port Configuration page for the specific port. Using Dell OpenManage Switch Administrator...
Page 101: Using The Command-line Interface, Accessing The Switch Through The Cli, Console Connection
For more information about creating a serial connection, see the Getting Started Guide available at support.dell.com/manuals. 1 Connect the DB-9 connector of the supplied serial cable to a management station, and connect the USB type-A connector to the switch console port.
Page 102: Telnet Connection
2 Start the terminal emulator, such as Microsoft HyperTerminal, and select the appropriate serial port (for example, COM 1) to connect to the console. 3 Configure the management station serial port with the following settings: • Data rate — 9600 baud. •...
Page 103: Understanding Command Modes
Understanding Command Modes The CLI groups commands into modes according to the command function. Each of the command modes supports specific software commands. The commands in one mode are not available until you switch to that particular mode, with the exception of the User EXEC mode commands. You can execute the User EXEC mode commands in the Privileged EXEC mode.
Page 104 Table 5-1. Command Mode Overview Command Mode Access Method Command Prompt Exit or Access Previous Mode User EXEC The user is logout console> automatically in User EXEC mode unless the user is defined as a privileged user. Privileged EXEC From User Use the exit console# EXEC mode,...
Page 105: Entering Cli Commands, Using The Question Mark To Get Help
Entering CLI Commands The switch CLI uses several techniques to help you enter commands. Using the Question Mark to Get Help Enter a question mark (?) at the command prompt to display the commands available in the current mode. console(config-vlan)#? exit To exit from the mode.
Page 106: Using Command Completion, Entering Abbreviated Commands, Negating Commands
You can also enter a question mark (?) after typing one or more characters of a word to list the available command or parameters that begin with the letters, as shown in the following example: console#show po? policy-map port ports Using Command Completion The CLI can complete partially entered commands when you press the <Tab>...
Page 107: Understanding Error Messages, Recalling Commands From The History Buffer
Understanding Error Messages If you enter a command and the system is unable to execute it, an error message appears. Table 5-2 describes the most common CLI error messages. Table 5-2. CLI Error Messages Message Text Description Indicates that you entered an incorrect or % Invalid input unavailable command.
Page 108: Specifying Physical Ports
Table 5-3. History Buffer Navigation Keyword Source or Destination Up-arrow key Recalls commands in the history buffer, beginning with the most recent command. Repeats the key sequence to recall successively <Ctrl>+<P> older commands. Down-arrow key Returns to more recent commands in the history buffer after recalling commands with the up-arrow key.
Page 109 Unit, Slot, and Port Numbers The unit, slot, and port numbers are separated by forward slashes and follow the port type. For switches that do not support stacking (PCM8024 and PCM8024-k), the unit number is always 1. For stackable switches (PCM6220 and PCM6348), the unit number can be 1–12.
Page 110 Using the Command-Line Interface...
Page 111: Default Settings
Default Settings This section describes the default settings for many of the software features on the PowerConnect M6220, M6348, M8024, and M8024-k switches. Table 6-1. Default Settings Feature Default IP address None Subnet mask None Default gateway None DHCP client Enabled on out-of-band (OOB) interface.
Page 112 Table 6-1. Default Settings (Continued) Feature Default SNMP logging Disabled Console logging Enabled (Severity level: debug and above) RAM logging Enabled (Severity level: debug and above) Persistent (FLASH) logging Disabled Enabled (No servers configured) SNMP Enabled (SNMPv1) SNMP Traps Enabled Auto Configuration Enabled Auto Save...
Page 113 Table 6-1. Default Settings (Continued) Feature Default Protected Ports (Private VLAN Edge) None Flow Control Support (IEEE 802.3x) Enabled Head of Line Blocking Prevention Disabled Maximum Frame Size 1500 bytes Auto-MDI/MDIX Support Enabled Auto Negotiation Enabled Advertised Port Speed Maximum Capacity Broadcast Storm Control Disabled Port Mirroring...
Page 114 Table 6-1. Default Settings (Continued) Feature Default STP Bridge Priority 32768 Multiple Spanning Tree Disabled Link Aggregation No LAGs configured LACP System Priority Routing Mode Disabled OSPF Admin Mode Enabled OSPF Router ID 0.0.0.0 IP Helper and UDP Relay Enabled Enabled VRRP Disabled...
Page 115: Basic Network Information, Ip Address And Network Information Overview, What Is The Basic Network Information
Setting the IP Address and Other Basic Network Information This chapter describes how to configure basic network information for the switch, such as the IP address, subnet mask, and default gateway. The topics in this chapter include: • IP Address and Network Information Overview •...
Page 116: Why Is Basic Network Information Needed
IP addresses. Default Domain Name Identifies your network, such as dell.com. If you enter a hostname and do not include the domain name information, the default domain name is automatically appended to the hostname.
Page 117: How Is Basic Network Information Configured, What Is Out-of-band Management And In-band Management
You must use a console-port connection to perform the initial switch configuration. When you boot the switch for the first time and the configuration file is empty, the Dell Easy Setup Wizard starts. The Dell Easy Setup Wizard is a CLI-based tool to help you perform the initial switch configuration.
Page 118 Dell recommends that you use the OOB port for remote management. The following list highlights some advantages of using OOB management instead of in-band management: •...
Page 119: Default Network Information
Destination Unreachable, Fragmentation needed but DF set an ICMP notification, the switch will reduce the MSS. However, many firewalls block ICMP Destination Unreachable messages, which causes the destination to request the packet again until the connection times out. In order to resolve this issue, you can reduce the MSS setting to a more appropriate value on the local host or alternatively, you can set the MTU on the PowerConnect management port to a smaller value.
Page 120: Configuring Basic Network Information (web), Out-of-band Interface
Configuring Basic Network Information (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring basic network information on the PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. Out-of-Band Interface Use the Out of Band Interface page to assign the Out of Band Interface IP address and subnet mask or to enable/disable the DHCP client for address...
Page 121: Ip Interface Configuration (default Vlan Ip Address)
IP Interface Configuration (Default VLAN IP Address) Use the IP Interface Configuration page to assign the Default VLAN IP address and Subnet Mask, the Default Gateway IP address, and to assign the boot protocol. To display the IP Interface Configuration page, click Routing → IP → IP Interface Configuration in the navigation panel.
Page 122 4 If you select Manual for the configuration method, specify the IP Address and Subnet Mask in the appropriate fields. 5 Click Apply. NOTE: You do not need to configure any additional fields on the page. For information about VLAN routing interfaces, see "Configuring Routing Interfaces" on page 855.
Page 123 Configuring a Default Gateway for the Switch: To configure the switch default gateway: 1 Open the Route Entry Configuration page. 2 From the Route Type field, select Default. Figure 7-4. Default Route Configuration (Default VLAN) 3 In the Next Hop IP Address field, enter the IP address of the default gateway.
Page 124: Domain Name Server
Domain Name Server Use the Domain Name Server page to configure the IP address of the DNS server. The switch uses the DNS server to translate hostnames into IP addresses. To display the Domain Name Server page, click System → IP Addressing → Domain Name Server in the navigation panel.
Page 125: Default Domain Name
Default Domain Name Use the Default Domain Name page to configure the domain name the switch adds to a local (unqualified) hostname. To display the Default Domain Name page, click System → IP Addressing → Default Domain Name in the navigation panel. Figure 7-7.
Page 126: Host Name Mapping
Host Name Mapping Use the Host Name Mapping page to assign an IP address to a static host name. The Host Name Mapping page provides one IP address per host. To display the Host Name Mapping page, click System → IP Addressing → Host Name Mapping.
Page 127: Dynamic Host Name Mapping
The switch learns hosts dynamically by using the configured DNS server to resolve a hostname. For example, if you ping www.dell.com from the CLI, the switch uses the DNS server to lookup the IP address of dell.com and adds the entry to the Dynamic Host Name Mapping table.
Page 128: Configuring Basic Network Information (cli), Enabling The Dhcp Client On The Oob Port, Vlan
M6220/M6348/M8024/M8024-k switch. For more information about these PowerConnect M6220/M6348/M8024/M8024-k CLI commands, see the Reference Guide at support.dell.com/manuals. Enabling the DHCP Client on the OOB Port Beginning in Privileged EXEC mode, use the following commands to enable the DHCP client on the OOB port.
Page 129: Managing Dhcp Leases
Managing DHCP Leases Beginning in Privileged EXEC mode, use the following commands to manage and troubleshoot DHCP leases on the switch. Command Purpose interface release dhcp Force the DHCPv4 client to release a leased address on the specified interface. interface renew dhcp Force the DHCP client to immediately renew an IPv4 address lease.
Page 130: The Oob Port, Configuring Static Network Information On The Default Vlan
Configuring Static Network Information on the OOB Port Beginning in Privileged EXEC mode, use the following commands to configure a static IP address, subnet mask, and default gateway on the OOB port. Command Purpose configure Enter Global Configuration mode. interface out-of-band Enter Interface Configuration mode for the OOB port.
Page 131: Configuring And Viewing Additional Network Information
Configuring and Viewing Additional Network Information Beginning in Privileged EXEC mode, use the following commands to configure a DNS server, the default domain name, and a static host name-to- address entry. Use the show commands to verify configured information and to view dynamic host name mappings.
Page 132: Basic Network Information Configuration Example
Basic Network Information Configuration Example In this example, an administrator at a Dell office in California decides not to use the Dell Easy Setup Wizard to perform the initial switch configuration. The administrator configures a PowerConnect M6220/M6348/M8024/M8024-k switch to obtain its information from a DHCP server on the network and creates the administrative user with read/write access.
Page 133 Default Gateway....10.27.22.1 Protocol Current....DHCP Burned In MAC Address.... 001E.C9AA.AA08 5 View additional network information. console#show hosts Host name: Default domain: sunny.dell.com dell.com Name/address lookup is enabled Name servers (Preference order): 10.27.138.20, 10.27.138.21 Configured host name-to-address mapping: Host Addresses...
Page 134 Setting Basic Network Information...
Page 135: Managing A Switch Stack, Stacking Overview
Managing a Switch Stack This chapter describes how to configure and manage a stack of switches. NOTE: Stacking is supported on the PowerConnect M6220 and PowerConnect M6348 switches. The PowerConnect M8024 and PowerConnect M8024-k switches do not support stacking. The topics covered in this chapter include: •...
Page 136: Creating A Powerconnect M6220 Stack
The running configuration and application state is synchronized between the Master and Standby during the normal stacking operation. In a stack of three or more switches, Dell strongly recommends connecting the stack in a ring topology so that each switch is connected to two other switches.
Page 137: Creating A Powerconnect M6348 Stack
Figure 8-1. Connecting a Stack of PowerConnect M6220 Switches M6220 Switches Stacking Cables The stack in Figure 8-1 has six M6220 switches connected through the stacking ports. The first stacking port on each switch is physically connected to the second stacking port on the next switch by using a stacking cable. The first stacking port on switch six is connected to the second stacking port on switch one.
Page 138 NOTE: The PowerConnect M6348 and M6220 can not be stacked together. 1 For each switch in the stack, connect one of the short stacking cables from stacking port one on the switch to stacking port two on the next switch. 2 If necessary, use a separately purchased, long (3 meter) stacking cable to connect the switches.
Page 139: Powerconnect 7000 Series And M6348 Stacking Compatibility, How Is The Management Unit Selected
PowerConnect 7000 Series and M6348 Stacking Compatibility The stack can contain any combination of switch models in the PowerConnect 7000 Series as well as the PowerConnect M6348 switch, as long as all switches are running the same firmware version. For example, a single stack of six switches might include the following members: •...
Page 140: Adding A Switch To The Stack
• If the Management Unit function is disabled, the unit remains a non- Management Unit. If the entire stack is powered OFF and ON again, the unit that was the Management Unit before the reboot will remain the Management Unit after the stack resumes operation.
Page 141: Removing A Switch From The Stack
might trigger many other protocols. However, it is possible to intentionally pre-configure a unit. You can view the preconfigured/unassigned units by using the show switch CLI command. If a new switch is added to a stack of switches that are powered and running and already have an elected Management Unit, the newly added switch becomes a stack member rather than the Management Unit.
Page 142: How Is The Firmware Updated On The Stack, What Is Stacking Standby
How is the Firmware Updated on the Stack? When you add a new switch to a stack, the Stack Firmware Synchronization feature automatically synchronizes the firmware version with the version running on the stack master. The synchronization operation may result in either upgrade or downgrade of firmware on the mismatched stack member.
Page 143 management plane is application software running on the Management Unit that provides interfaces allowing a network administrator to configure the device. The Nonstop Forwarding (NSF) feature allows the forwarding plane of stack units to continue to forward packets while the control and management planes restart as a result of a power failure, hardware failure, or software fault on the stack Management Unit.
Page 144 Checkpointing Switch applications (features) that build up a list of data such as neighbors or clients can significantly improve their restart behavior by remembering this data across a warm restart. This data can either be stored persistently, as DHCP server and DHCP snooping store their bindings database, or the Management Unit can checkpoint this data directly to the standby unit.
Page 145: Switch Stack Mac Addressing And Stack Design Considerations
Table 8-1. Applications that Checkpoint Data Application Checkpointed Data IGMP/MLD Snooping Multicast groups, list of router ports, last query data for each VLAN IPv6 NDP Neighbor cache entries iSCSI Connections LLDP List of interfaces with MED devices attached OSPFv2 Neighbors and designated routers OSPFv3 Neighbors and designated routers Route Table Manager...
Page 146: Nsf Network Design Considerations, Why Is Stacking Needed
If you move the master unit of stack to a different place in the network, make sure you power down the whole stack before you redeploy the master unit so that the stack members do not continue to use the MAC address of the redeployed switch.
Page 147: Default Stacking Values
Default Stacking Values Stacking is always enabled. NSF is enabled by default. You can disable NSF in order to redirect the CPU resources consumed by data checkpointing. Checkpointing only occurs when a backup unit is elected, so there is no need to disable the NSF feature on a standalone switch.
Page 148: Managing And Monitoring The Stack (web), Unit Configuration
Managing and Monitoring the Stack (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring stacking on a PowerConnect M6220 or PowerConnect M6348 switch. For details about the fields on a page, click at the top of the page. NOTE: The changes you make to the Stacking configuration pages take effect only after the device is reset.
Page 149 Changing the ID or Switch Type for a Stack Member To change the switch ID or type: 1 Open the Unit Configuration page. 2 Click Add to display the Add Unit page. Figure 8-4. Add Remote Log Server Settings 3 Specify the switch ID, and select the model number of the switch. 4 Click Apply.
Page 150: Stack Summary
Stack Summary Use the Stack Summary page to view a summary of switches participating in the stack. To display the Stack Summary page, click System → Stack Management → Stack Summary in the navigation panel. Figure 8-5. Stack Summary Managing a Switch Stack...
Page 151: Stack Firmware Synchronization
Stack Firmware Synchronization Use the Stack Firmware Synchronization page to control whether the firmware image on a new stack member can be automatically upgraded or downgraded to match the firmware image of the stack master. To display the Stack Firmware Synchronization page, click System → Stack Management →...
Page 152: Supported Switches
Supported Switches Use the Supported Switches page to view information regarding each type of supported switch for stacking, and information regarding the supported switches. To display the Supported Switches page, click System → Stack Management → Supported Switches in the navigation panel. Figure 8-7.
Page 153: Stack Port Summary
Stack Port Summary Use the Stack Port Summary page to configure the stack-port mode and to view information about the stackable ports. This screen displays the unit, the stackable interface, the configured mode of the interface, the running mode as well as the link status and link speed of the stackable port. To display the Stack Port Summary page, click System →...
Page 154: Stack Port Counters, Stack Port Diagnostics
Stack Port Counters Use the Stack Port Counters page to view the transmitted and received statistics, including data rate and error rate. To display the Stack Port Counters page, click System → Stack Management → Stack Point Counters in the navigation panel. Figure 8-9.
Page 155: Nsf Summary
NSF Summary Use the NSF Summary page to change the administrative status of the NSF feature and to view NSF information. NOTE: The OSPF feature uses NSF to enable the hardware to continue forwarding IPv4 packets using OSPF routes while a backup unit takes over Management Unit responsibility.
Page 156: Checkpoint Statistics
Checkpoint Statistics Use the Checkpoint Statistics page to view information about checkpoint messages generated by the master unit. To display the Checkpoint Statistics page, click System → Stack Management → Checkpoint Statistics in the navigation panel. Figure 8-11. Checkpoint Statistics Managing a Switch Stack...
Page 157: Managing The Stack (cli), Configuring Stack Member And Nsf Settings
For more information PowerConnect M6220/M6348/M8024/M8024-k about these commands, see the CLI Reference Guide at support.dell.com/manuals. Configuring Stack Member and NSF Settings Beginning in Privileged EXEC mode, use the following commands to configure stacking and NSF settings.
Page 158: Information
Command Purpose boot auto-copy-sw allow- Allow the firmware version on the newly added stack downgrade member to be downgraded if the firmware version on manager is older. exit Exit to Privileged EXEC mode. show auto-copy-sw View the Stack Firmware Synchronization settings for the stack.
Page 159: Stacking And Nsf Usage Scenarios
Command Purpose show checkpoint View information about checkpoint messages generated by statistics the master unit. clear checkpoint Reset the checkpoint statistics counters to zero. statistics Stacking and NSF Usage Scenarios Only a few settings are available to control the stacking configuration, such as the designation of the standby unit or enabling/disabling NSF.
Page 160: Basic Failover
Basic Failover In this example, the stack has four members that are connected through a daisy-chain, as Figure 8-12 shows. Figure 8-12. Basic Stack Failover When all four units are up and running, the show switch CLI command gives the following output: console#show switch Management Standby...
Page 161 At this point, if Unit 2 is powered off or rebooted due to an unexpected failure, show switch gives the following output: console#show switch Management Standby Preconfig Plugged- Switch Code Status Status Model ID in Model Status Version --- --------- ------- -------- ------------------- --------...
Page 162: Preconfiguring A Stack Member
Preconfiguring a Stack Member To preconfigure a stack member before connecting the physical unit to the stack, use the show support switchtype command to obtain the SID of the unit to be added. The example in this section demonstrates pre-configuring a PowerConnect 7048P switch on a stand-alone PowerConnect 7048R switch.
Page 163 3 Confirm the stack configuration. Some of the fields have been omitted from the following output due to space limitations. console#show switch SW Management Standby Preconfig Plugged-in Switch Code Status Status Model ID Model ID Status Version --- --------- ------- -------- --------- ---------- -------- Mgmt Sw PCT7048R PCT7048R...
Page 164: Nsf In The Data Center
NSF in the Data Center Figure 8-13 illustrates a data center scenario, where the stack of two PowerConnect switches acts as an access switch. The access switch is connected to two aggregation switches, AS1 and AS2. The stack has a link from two different units to each aggregation switch, with each pair of links grouped together in a LAG.
Page 165: Nsf And Voip
NSF and VoIP Figure 8-14 shows how NSF maintains existing voice calls during a Management Unit failure. Assume the top unit is the Management Unit. When the Management Unit fails, the call from phone A is immediately disconnected. The call from phone B continues. On the uplink, the forwarding plane removes the failed LAG member and continues using the remaining LAG member.
Page 166: Nsf And Dhcp Snooping
NSF and DHCP Snooping Figure 8-15 illustrates an L2 access switch running DHCP snooping. DHCP trusted snooping only accepts DHCP server messages on ports configured as ports. DHCP snooping listens to DHCP messages to build a bindings database that lists the IP address the DHCP server has assigned to each host. IP Source Guard (IPSG) uses the bindings database to filter data traffic in hardware based on source IP address and source MAC address.
Page 167: Nsf And The Storage Access Network
If a host is in the middle of an exchange with the DHCP server when the failover occurs, the exchange is interrupted while the control plane restarts. When DHCP snooping is enabled, the hardware traps all DHCP packets to the CPU. The control plane drops these packets during the restart. The DHCP client and server retransmit their DHCP messages until the control plane has resumed operation and messages get through.
Page 168 Figure 8-16. NSF and a Storage Area Network Disc Array (iSCSI Targets) Servers (iSCSI Initiators) 10.1.1.2 10.1.1.3 10.1.1.1 10.1.1.10 10.1.1.11 When the Management Unit fails, session A drops. The initiator at 10.1.1.10 detects a link down on its primary NIC and attempts to reestablish the session on its backup NIC to a different IP address on the disk array.
Page 169: Nsf And Routed Access
NSF and Routed Access Figure 8-17 shows a stack of three units serving as an access router for a set of hosts. Two LAGs connect the stack to two aggregation routers. Each LAG is a member of a VLAN routing interface. The stack has OSPF and PIM adjacencies with each of the aggregation routers.
Page 170 JOIN messages upstream. The control plane updates the driver with checkpointed unicast routes. The forwarding plane reconciles L3 hardware tables. The OSPF graceful restart finishes, and the control plane deletes any stale unicast routes not relearned at this point. The forwarding plane reconciles L3 multicast hardware tables.
Page 171: Controlling Management Access, Management Access Control Overview
Controlling Management Access This chapter describes how to control access to the switch management interface through switch-based authentication or by using TACACS+ or RADIUS servers. It also includes information about controlling access through Telnet, SSH, HTTP, and HTTPs. The Denial of Service (DoS) protection feature is also described in this chapter.
Page 172 Table 9-1. Management Security Features Management Security Description Feature Management Access Contains rules to apply to one or more in-band ports, LAGs, Control List (ACL) or VLANs to limit management access by method (for example, Telnet or HTTP) and/or source IP address. NOTE: Management ACLs cannot be applied to the OOB port.
Page 173: What Are The Recommendations For Management Security, What Is An Authentication Profile
What Are the Recommendations for Management Security? Selecting the authentication policy for a network is very important. In large deployments, many administrators prefer to use a RADIUS or TACACS+ server because it allows the authentication policy to be applied system wide with little administrative effort.
Page 174: Access
• Console—Authenticates access through the console port (CLI only). • Telnet—Authenticates users accessing the CLI by using a Telnet or SSH client. • Secure HTTP—Authenticates users accessing OpenManage Switch Administrator by using an HTTPS connection. • HTTP—Authenticates users accessing OpenManage Switch Administrator by using an HTTP connection.
Page 175 Figure 9-1. Basic TACACS+ Topology Backup TACACS+ Server PowerConnect Switch Primary TACACS+ Server Management Network Management Host You can configure the TACACS+ server list with one or more hosts defined via their network IP address. You can also assign each a priority to determine the order in which the TACACS+ client will contact them.
Page 176 How Does RADIUS Control Management Access? Many networks use a RADIUS server to maintain a centralized user database that contains per-user authentication information. RADIUS servers provide a centralized authentication method for: • Telnet Access • Web Access • Console to Switch Access •...
Page 177 Figure 9-2. RADIUS Topology Backup RADIUS Server PowerConnect Switch Primary RADIUS Server Management Network Management Host The server can authenticate the user itself or make use of a back-end device to ascertain authenticity. In either case a response may or may not be forthcoming to the client.
Page 178: What Are Radius Server Groups, How Does The Switch Determine Which Radius Server To Contact
enable Auth-Type := Local, User-Password == "pass5678" Service-Type = Administrative-User The values for the Service-Type attribute are as follows: • NAS-Prompt-User indicates the user should be provided a command prompt on the switch, which is acting as the Network Access Server (NAS), from which nonprivileged commands can be executed.
Page 179 When multiple RADIUS servers are configured with different names, the servers are in different groups. The primary/secondary designation and priority applies to RADIUS servers only within the same group. Within a named group, the switch always attempts to contact the primary RADIUS server first.
Page 180: What Other Features Use Authentication, Default Management Security Values
What Other Features Use Authentication? In addition to controlling access to the management interface, the switch can use RADIUS, IAS, or the local user database to provide port-based access control. Port-based access control specifies whether devices that are connected to the switch ports are allowed access to the network. The IEEE 802.1X feature (also known as Dot1X) and Captive Portal feature use RADIUS or the local user database to control network access.
Page 181 Table 9-2. Management Security Default Values (Continued) Management Security Default Feature Authentication The following three Authentication Profiles are configured Profiles by default: • defaultList—Method is NONE, which means no authentication is required. • networkList—Method is LOCAL, which means the user credentials are verified against the information in the local user database.
Page 182: Controlling Management Access (web), Access Profile
Controlling Management Access (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring management security on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. Access Profile Use the Access Profile page to define a profile and rules for accessing the switch.
Page 183 Adding and Configuring an Access Profile To configure an access profile: 1 Open the Access Profile page. 2 Click Add Profile to display the Add an Access Profile page. 3 Enter a name for the Access Profile. 4 Specify a rule for management access, and then click Apply. In Figure 9-4, the Access Profile name is mgmt_ACL, and access is permitted on VLAN 1 from any host in the 10.27.65.0/24 subnet.
Page 184 Figure 9-5 shows the configuration of an additional rule that allows management access to a host in the 10.27.65.0/24 subnet that is connected to Port 1. The rule priority is 2. This rule might be necessary if Port 1 is not a member of VLAN 1.
Page 185 Figure 9-6. View Access Profile Information 8 Click Access Profile to return to the main page for the feature. 9 To activate the profile, select the Set Active Access Profile option, and then click Apply. NOTE: The switch enforces the profile rules only if the profile is active. If an access profile is not activated, the device can be accessed by any host and on any interface.
Page 186: Authentication Profiles
Figure 9-7. Activate the Access Profile Authentication Profiles User authentication occurs locally and on an external server. Use the Authentication Profiles page to select the user authentication methods for the defaultList and networkList. These Authentication Profiles are created by default. To display the Authentication Profiles page, click System →...
Page 187 Figure 9-8. Authentication Profiles Adding and Configuring an Authentication Profile To configure an authentication profile: 1 Open the Authentication Profiles page. 2 Click Add to display the Add Authentication Profiles page. 3 Enter a name for the Authentication Profile. 4 Select the authentication methods to use for the profile. The order in which you select the methods is the order the switch will use to attempt to authentication the user.
Page 188 Figure 9-9. Configure Authentication Profile 5 Click Apply. A profile is created. You can apply the newly created authentication profile to an access method by using the System → Management Security → Select Authentication page. For example, you can select myList as the login authentication for anyone who connects to the switch by using Telnet.
Page 189 6 To view the existing Authentication Profiles and the order in which the login methods are used, click Show All. Figure 9-10. View Authentication Profile Table Controlling Management Access...
Page 190: Select Authentication
Select Authentication After authentication profiles are defined, you can apply them to management access methods. For example, console users can be authenticated by Authentication Profile List 1, while Telnet users are authenticated by Authentication Profile List 2. To display the Select Authentication page, click System → Management Security →...
Page 191: Password Management
Password Management Password management provides increased network security and improved password control. Passwords for SSH, Telnet, HTTP , HTTPS, and SNMP access are assigned security features, including: • Defining minimum password lengths (the minimum password length is 8 when password length-checking is enabled) •...
Page 192 Figure 9-12. Password Management Adding Excluded Keywords To prevent keywords from being used in passwords: 1 Make sure Create is selected from the Password Exclude-keyword menu. 2 Specify the keyword to exclude. 3 Click Add Excluded Keyword. Controlling Management Access...
Page 193: Last Password Set Result
Last Password Set Result Use the Last Password Set Result page to view information about the most recently configured password for a user in the Local User Database. To display the Last Password Set Result page, click System → Management Security →...
Page 194: User Login Configuration
User Login Configuration Use the User Login Configuration page to select the list to use to authenticate attempts to login to the switch by users configured in the Local User Database. Each user in the database can have a different list applied. To display the User Login Configuration page, click System →...
Page 195: Local User Database
Local User Database Use the Local User Database page to define passwords, access rights for users and reactivate users whose accounts have been suspended. This page also contains fields to allow you to configure SNMPv3 settings for users in the local database.
Page 196 Adding a User to the Local Database To add local users: 1 Open the Local User Database page. 2 Click Add to display the Add a New User page. 3 Specify a login name, select the access level, and type/retype the password. Figure 9-16.
Page 197: Line Password, Enable Password
Line Password Use the Line Password page to define passwords that are used to access the CLI through the Console port, SSH, or Telnet. To display the Line Password page, click System → Management Security → Line Password in the navigation panel. Figure 9-17.
Page 198: Tacacs+ Settings
TACACS+ Settings TACACS+ provides centralized security for validation of users accessing the switch, while still retaining consistency with RADIUS and other authentication processes. TACACS+ provides the following services: • Authentication — Provides authentication during login and through user names and user-defined passwords. •...
Page 199 Adding TACACS+ Host Information To add a TACACS+ host: 1 Open the TACACS+ Settings page. 2 Click Add to display the Add a TACACS+ Host page. 3 Specify a the hostname or IP address of the TACACS+ the switch will use to authenticate users.
Page 200: Radius Global Configuration
Figure 9-21. View Local User Database Entries RADIUS Global Configuration Use the RADIUS Global Configuration page to configure that affect all RADIUS servers that are configured on the switch. To display the RADIUS Global Configuration page, click System → Management Security → RADIUS Global Configuration in the navigation panel.
Page 201: Radius Server Configuration
RADIUS Server Configuration From the RADIUS Server Configuration page, you can add a new RADIUS server, configure settings for a new or existing RADIUS server, and view RADIUS server status information. The RADIUS client on the switch supports up to 32 named authentication and accounting servers. To access the RADIUS Server Configuration page, click System →...
Page 202 4 Use the default RADIUS server name or enter up to 32 alphanumeric characters. Spaces, hyphens, and underscores are also permitted. You can use the same name for multiple RADIUS Authentication servers. RADIUS clients can use RADIUS servers with the same name as backups for each other.
Page 203: Radius Accounting Server Configuration
Figure 9-25. Viewing the RADIUS Server Table RADIUS Accounting Server Configuration From the RADIUS Accounting Server Configuration page, you can add a new RADIUS accounting server, configure settings for a new or existing RADIUS accounting server, and view RADIUS accounting server status information.
Page 204 Adding and Configuring RADIUS Accounting Server Information To add a RADIUS accounting server: 1 Open the RADIUS Accounting Server Configuration page. 2 Click Add to display the Add RADIUS Accounting Server page. 3 Specify the IP address of the RADIUS accounting server. 4 Use the default RADIUS server name or enter up to 32 alphanumeric characters.
Page 205: Radius Accounting Server Statistics
Figure 9-28. Viewing the RADIUS Accounting Server Table RADIUS Accounting Server Statistics Use the RADIUS Accounting Server Statistics page to view statistical information for each RADIUS accounting server configured on the system. To access the RADIUS Accounting Server Statistics page, click System → Management Security →...
Page 206: Radius Server Statistics
RADIUS Server Statistics Use the RADIUS Server Statistics page to view statistical information for each RADIUS server configured on the system. To access the RADIUS Server Statistics page, click System → Management Security → RADIUS Server Statistics in the navigation panel. Figure 9-30.
Page 207: Authorization Network Radius
Authorization Network RADIUS In some networks, the RADIUS server is responsible for assigning traffic to a particular VLAN. From the Authorization Network RADIUS page, you can enable the switch to accept VLAN assignment by the RADIUS server. For more information about VLANs and RADIUS-assigned VLANs, see "Dynamic VLAN Creation"...
Page 208: Telnet Server
Telnet Server Use the Telnet Server page to enable or disable telnet service on the switch or to modify the telnet port. To display the Telnet Server page, click System → Management Security → Telnet Server. Figure 9-32. Telnet Server Controlling Management Access...
Page 209: Denial Of Service
Denial of Service Denial of Service (DoS) refers to the exploitation of a variety of vulnerabilities which would interrupt the service of a host or make a network unstable. Use the Denial of Service page to configure settings to help prevent DoS attacks.
Page 210: Secure Http Configuration
Secure HTTP Configuration Secure HTTP (HTTPS) increases the security of web-based management by encrypting communication between the administrative system and the switch. Use the Secure HTTP page to manage the HTTPS mode and certificate information that enables management of the switch through HTTPS. To display the Secure HTTP page, click System →...
Page 211 Importing and Requesting Certificates Use the following steps to import or request a certificate by using SSH. 1 From the Secure HTTP page, click SSH Request. Figure 9-35. Secure HTTP - SSH Request 2 Select the certificate number. 3 Complete the fields that are relevant to the certificate. 4 To import the certificate, click Certificate Import.
Page 212 Viewing Certificate Information To view the certificate request or to view the generated certificate, click Show All. Figure 9-36. View Certificate Requests Controlling Management Access...
Page 213: Secure Shell Configuration
Secure Shell Configuration Secure Shell (SSH) is similar to Telnet but increases the security of CLI- based management by creating a secure channel for communication between the administrative system and the switch. Use the Secure Shell page to manage the SSH mode and other information that enables management of the switch through SSH.
Page 214: Secure Public Key Configuration
Generate RSA Keys — Begin generating RSA host keys. Note that to • generate SSH key files, SSH must be administratively disabled and there must be no active SSH sessions. Generate DSA Key — Begin generating DSA host keys. Note that to •...
Page 215 Configuring a Public Key Use the following steps to configure a public key for SSH. 1 From the Secure Public Key page, click Add. Figure 9-39. Secure Public Key — Add 2 Specify the algorithm to use of the public-key cryptography, either DSA or RSA.
Page 216: Controlling Management Access (cli), Configuring A Management Access List
For more information about PowerConnect M6220/M6348/M8024/M8024-k CLI these commands, see the Reference Guide at support.dell.com/manuals. Configuring a Management Access List NOTE: Management ACLs can be applied only to in-band ports and cannot be applied to the OOB port.
Page 217 Command Purpose permit ip-source Allow access to the management interface from hosts that address mask [mask meet the specified IP address value and other optional prefix-length interface- criteria. type interface-number interface-type interface-number • — A valid port, LAG, or service [service ] [priority VLAN interface, for example gi1/0/13, port-channel 3, or...
Page 218: Adding Users To The Local Database
Adding Users to the Local Database Beginning in Privileged EXEC mode, use the following commands to add users to the local user database. Command Purpose configure Enter Global Configuration mode. name username Add a new user to the local users database. password password [level...
Page 219: Configuring And Applying Authentication Profiles
Configuring and Applying Authentication Profiles Beginning in Privileged EXEC mode, use the following commands to create an authentication list, configure the authentication methods for that list, and apply the list to an access method. Command Purpose configure Enter Global Configuration mode. aaa authentication login Configure the methods used to authenticate a user list-name...
Page 220: Managing Passwords
Command Purpose line {console|ssh Enter Line configuration mode for the specified access |telnet} method. login authentication Specify the login authentication list to use for the line list-name {default| access. The list is applied to the current line mode (console, Telnet, or SSH). enable authentication Specify the enable authentication list to use for access to list-name...
Page 221 Command Purpose passwords lock-out Specify the number of times a user can enter an incorrect attempts password before being denied access to the management interface. NOTE: Password lockout applies only to local users. Users authenticated by RADIUS and TACACS+ are subject to the policies defined by the RADIUS or TACACS+ server.
Page 222: Configuring Radius Server Information
Command Purpose passwords strength Specify up to three keywords to exclude in a password. The word exclude-keyword password does not accept the keyword in any form (in between the string, case in-sensitive and reverse) as a substring. passwords strength- Verify the strength of a password during configuration. check exit Exit to Privileged EXEC mode.
Page 223 Command Purpose key-string key [ Set the authentication and encryption key for all RADIUS communications between the switch and the RADIUS server. NOTE: You can also use the radius-server key [ key-string command in Global Configuration mode to set the same authentication and encryption key for all configured RADIUS servers.
Page 224: Configuring Tacacs+ Server Information
Command Purpose show radius statistics View the RADIUS statistics for the switch. You can specify [[accounting | additional information to narrow the scope of the authentication] command output. ipaddress hostname • accounting | authentication — The type of server servername name (accounting or authentication).
Page 225: Configuring Telnet And Ssh Access
Configuring Telnet and SSH Access Beginning in Privileged EXEC mode, use the following commands to specify Telnet and SSH server settings on the switch. Command Purpose configure Enter Global Configuration mode. ip telnet server disable Disable the Telnet service on the switch ip ssh server Allow access to the switch management interface by using SSH, which is disabled by default.
Page 226: Configuring Http And Https Access
Command Purpose show crypto key pubkey- View SSH public keys stored on the switch. chain ssh [username username • — Specifies the remote SSH client username. username ] [fingerprint (Range: 1–48 characters) bubble-babble|hex] • bubble-babble — Fingerprints in Bubble Babble format. •...
Page 227 Command Purpose <CTRL + Z> Exit to Privileged EXEC mode. crypto certificate Generate and display a certificate request for HTTPS. This number request command takes you to Crypto Certificate Request mode. In this mode, you can use the following commands to specify certificate details: •...
Page 228: Configuring Dos Information
Command Purpose show crypto certificate View the SSL certificates of your switch. mycertificate show ip http server Display the HTTPS server configuration. secure status show ip http server Display the HTTP server configuration. status Configuring DoS Information Beginning in Privileged EXEC mode, use the following commands to specify settings to help prevent DoS attacks on the switch.
Page 229 Command Purpose size dos-control icmp [ Enable Maximum ICMP Packet Size Denial of Service size protections, where is the Maximum ICMP packet size. (Range: 0-16376). If ICMP Echo Request (PING) packets ingress having a size greater than the configured value, the packets are dropped.
Page 230: Management Access Configuration Examples, Configuring A Management Access List
Management Access Configuration Examples This section contains the following examples: • Configuring a Management Access List • Configuring an Authentication Profile • Configuring the Primary and Secondary RADIUS Servers • Configuring Password Lockout Configuring a Management Access List The commands in this example create a management ACL that permits access to the switch through the in-band switch ports on VLAN 1 and on port 9 from hosts with an IP address in the 10.27.65.0 subnet.
Page 231: Configuring The Primary And Secondary Radius Servers
The commands in this example configure primary and secondary RADIUS servers that the switch will use to authenticate access. The RADIUS servers belong to the same named server group (Dell-RADIUS) and use the same RADIUS secret (test1234). A third RADIUS server is configured as an accounting server, and RADIUS accounting is globally enabled.
Page 232 2 Configure the secondary RADIUS server. console(config)#radius-server host auth 10.27.65.104 console(Config-auth-radius)#name Dell-RADIUS console(Config-auth-radius)#key test1234 console(Config-auth-radius)#exit 3 Configure the RADIUS accounting server. console(config)#radius-server host acct 10.27.65.114 console(Config-acct-radius)#key test1234 console(Config-acct-radius)#name Dell-RADIUS- Accounting console(Config-acct-radius)#exit 4 Activate RADIUS accounting. console(config)#aaa accounting network default start-stop group radius console(config)#exit 5 View the configured RADIUS servers.
Page 233: Configuring An Authentication Profile
Configuring an Authentication Profile The commands in this example create a new authenticating profile that uses the RADIUS server configured in the previous example to authenticate users who attempt to access the switch management interface by using SSH or Telnet. If the RADIUS authentication is unsuccessful, the switch uses the local user database to attempt to authenticate the users.
Page 234: Configuring Password Lockout
4 View the current authentication methods and profiles. console#show authentication methods Login Authentication Method Lists --------------------------------- defaultList none networkList local myList radius local Enable Authentication Method Lists ---------------------------------- enableList none Line Login Method List Enable Method List ------- ----------------- ------------------ Console defaultList enableList...