Other trademarks and trade names may be used in this publication to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.
Contents Introduction ..... . . About This Document ....Audience .
Page 4
Stacking Features (PCM6220 and PCM6348 Only) ..High Port Count ....Single IP Management ....Automatic Firmware Upgrade for New Stack Members .
Page 5
Switching Features ....Flow Control Support (IEEE 802.3x) ..Head of Line Blocking Prevention .
Page 6
Rapid Spanning Tree ....Multiple Spanning Tree ....Bridge Protocol Data Unit (BPDU) Guard .
Page 7
Priority-based Flow Control (PFC) ..Internet Small Computer System Interface (iSCSI) Optimization ....Layer 2 Multicast Features .
Page 8
Using Dell OpenManage Switch Administrator ..... About Dell OpenManage Switch Administrator ..Starting the Application ....
Page 9
Recalling Commands from the History Buffer . . . Specifying Physical Ports ... . . Default Settings ....Setting the IP Address and Other Basic Network Information .
Page 10
Configuring Static Network Information on the OOB Port ....Configuring Static Network Information on the Default VLAN ....Configuring and Viewing Additional Network Information .
Page 11
Stack Port Summary ....Stack Port Counters ....Stack Port Diagnostics .
Page 13
Configuring HTTP and HTTPS Access ..Configuring DoS Information ... . Management Access Configuration Examples ..Configuring a Management Access List .
Page 14
Log File ..... . Remote Log Server ....Email Alert Global Configuration .
Page 15
Default General System Information ..Default Port Aggregator Configurations ..Configuring General System Settings (Web) ..System Information ....CLI Banner .
Page 16
General System Settings Configuration Examples ......Configuring System and Banner Information . . . Configuring SNTP ....Configuring the Time Manually .
Page 17
SNMP Configuration Examples ... . . Configuring SNMPv1 and SNMPv2 ..Configuring SNMPv3 ....13 Managing Images and Files .
Page 18
14 Automatically Updating the Image and Configuration ... . Auto Configuration Overview ... . . What Is the DHCP Auto Configuration Process? .
Page 20
....How Does iSCSI Optimization Interact With Dell EqualLogic Arrays? ... What Occurs When iSCSI is Enabled or Disabled? .
Page 21
Default Captive Portal Behavior and Settings ..Configuring the Captive Portal (Web) ..Captive Portal Global Configuration ..Captive Portal Configuration .
Page 22
Default Port Values ....Configuring Port Characteristics (Web) ..Port Configuration ....Link Dependency Configuration .
Page 23
Port Access Control Configuration ..Port Access Control History Log Summary ..Port Security ....Internal Authentication Server Users Configuration .
Page 24
What Are the ACL Limitations? ..How Are ACLs Configured? ... . Configuring ACLs (Web) ....IP ACL Configuration .
Page 34
30 Configuring Routing Interfaces ..Routing Interface Overview ....What Are VLAN Routing Interfaces? ..What Are Loopback Interfaces? .
Page 35
Configuring the DHCP Server (Web) ... DHCP Server Network Properties ..Address Pool ....Address Pool Options .
Page 36
Route Entry Configuration ... . . Configured Routes ....Route Preferences Configuration ..Configuring IP Routing Features (CLI) .
Page 37
Configuring L2 and L3 Relay Features (CLI) ..Configuring L2 DHCP Relay ... . . Configuring L3 Relay (IP Helper) Settings ..Relay Agent Configuration Example .
Page 38
Configuring OSPFv3 Features (Web) ..OSPFv3 Configuration ....OSPFv3 Area Configuration ... . OSPFv3 Stub Area Summary .
Page 39
OSPF Configuration Examples 1003 ... . . Configuring an OSPF Border Router and Setting Interface Costs 1003 ....Configuring Stub and NSSA Areas for OSPF and OSPFv3 1005...
Page 40
36 Configuring VRRP 1033 ....VRRP Overview 1033 ..... How Does VRRP Work? 1033 .
Introduction The Dell PowerConnect M6220, M6348, M8024, and M8024-k switches are Layer 3, blade switches that operate in the Dell PowerEdge M1000e system. The M1000e system can support up to 16 server blades and six PowerConnect M6220, M6348, M8024, and M8024-k blade switches.
About This Document This guide describes how to configure, monitor, and maintain a Dell PowerConnect M6220, M6348, M8024, and M8024-k switch by using Web- based Dell OpenManage Switch Administrator utility or the command-line interface (CLI). Audience This guide is for network administrators in charge of managing one or more PowerConnect M6220, M6348, M8024, and M8024-k switches.
Additional Documentation The following documents for the PowerConnect M6220, M6348, M8024, and M8024-k switches are available at support.dell.com/manuals: Getting Started Guide— provides information about the switch models in • the series, including front and back panel features. It also describes the installation and initial configuration procedures.
Switch Features This section describes the switch user-configurable software features. NOTE: Before proceeding, read the release notes for this product. The release notes are part of the firmware download. The topics covered in this section include: • System Management • Link Aggregation Features Features &...
Multiple Management Options You can use any of the following methods to manage the switch: • Use a Web browser to access the Dell OpenManage Switch Administrator interface. The switch contains an embedded Web server that serves HTML pages. •...
Port Aggregator The Port Aggregator feature minimizes the administration required for managing the PowerConnect M6220/M6348/M8024/M8024-k switch. When the switch is operating in simple mode, the administrator can map internal ports to external ports without having to know anything about STP, VLANs, Link Aggregation or other L2/L3 protocols.
Integrated DHCP Server PowerConnect M6220, M6348, M8024, and M8024-k switches include an integrated DHCP server that can deliver host-specific configuration information to hosts on the network. The switch DHCP server allows you to configure IP address pools (scopes), and when a host’s DHCP client requests an address, the switch DHCP server automatically assigns the host an address from the pool.
File Management You can upload and download files such as configuration files and system images by using HTTP (web only), TFTP , Secure FTP (SFTP), or Secure Copy (SCP). Configuration file uploads from the switch to a server are a good way to back up the switch configuration.
sFlow sFlow is the standard for monitoring high-speed switched and routed networks. sFlow technology is built into network equipment and gives complete visibility into network activity, enabling effective management and control of network resources. The PowerConnect M6220, M6348, M8024, and M8024-k switches support sFlow version 5. For information about configuring managing sFlow settings, see "Monitoring Switch Traffic"...
Stacking Features (PCM6220 and PCM6348 Only) NOTE: PowerConnect M6220 switches can be stacked only with other PowerConnect M6220 switches. PCM6220 and PCM6348 switches cannot be combined within the same stack. For information about creating and maintaining a stack of switches, see "Managing a Switch Stack"...
Master Failover with Transparent Transition Standby The stacking feature supports a or backup unit that assumes the Master unit role if the Master unit in the stack fails. As soon as a Master failure is detected in the stack, the Standby unit initializes the control plane and enables all other stack units with the current configuration.
Password-Protected Management Access Access to the Web, CLI, and SNMP management interfaces is password protected, and there are no default users on the system. For information about configuring local user accounts, see "Controlling Management Access" on page 171. Strong Password Enforcement The Strong Password feature enforces a baseline password strength for all locally administered users.
SSH/SSL The switch supports Secure Shell (SSH) for secure, remote connections to the CLI and Secure Sockets Layer (SSL) to increase security when accessing the Web-based management interface. For information about configuring SSH and SSL settings, see "Controlling Management Access" on page 171. Inbound Telnet Control You can configure the switch to prevent new Telnet sessions from being established with the switch.
Dot1x Authentication (IEEE 802.1X) Dot1x authentication enables the authentication of system users through a local internal server or an external server. Only authenticated and approved system users can transmit and receive data. Supplicants are authenticated using the Extensible Authentication Protocol (EAP). Also supported are PEAP , EAP-TTL, EAP-TTLS, and EAP-TLS.
Access Control Lists (ACL) Access Control Lists (ACLs) ensure that only authorized users have access to specific resources while blocking off any unwarranted attempts to reach network resources. ACLs are used to provide traffic flow control, restrict contents of routing updates, decide which types of traffic are forwarded or blocked, and above all provide security for the network.
DHCP Snooping DHCP Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server. It filters harmful DHCP messages and builds a bindings database of (MAC address, IP address, VLAN ID, port) tuples that are specified as authorized. DHCP snooping can be enabled globally and on specific VLANs.
For information about how to configure the AFS CLI Reference Guide feature, see the available at support.dell.com/manuals. Jumbo Frames Support Jumbo frames enable transporting data in fewer frames to ensure less overhead, lower processing time, and fewer interrupts.
VLAN-Aware MAC-based Switching Packets arriving from an unknown source address are sent to the CPU and added to the Hardware Table. Future packets addressed to or from this address are more efficiently forwarded. Back Pressure Support On half-duplex links, a receiver may prevent buffer overflows by occupying the link so that it is unavailable for additional traffic.
Port Mirroring Port mirroring monitors and mirrors network traffic by forwarding copies of incoming and outgoing packets from up to four source ports to a monitoring port. The switch also supports flow-based mirroring, which allows you to copy certain types of traffic to a single destination port. This provides flexibility— instead of mirroring all ingress or egress traffic on a port the switch can mirror a subset of that traffic.
Connectivity Fault Management (IEEE 802.1ag) NOTE: The Connectivity Fault Management feature is available only on the PowerConnect M6348. The Connectivity Fault Management (CFM) feature, also known as Dot1ag, supports Service Level Operations, Administration, and Management (OAM). CFM is the OAM Protocol provision for end-to-end service layer instance in carrier networks.
Virtual Local Area Network Supported Features For information about configuring VLAN features see "Configuring VLANs" on page 575. VLAN Support VLANs are collections of switching ports that comprise a single broadcast domain. Packets are classified as belonging to a VLAN based on either the VLAN tag or a combination of the ingress port and packet contents.
GARP and GVRP Support The switch supports the configuration of Generic Attribute Registration Protocol (GARP) timers GARP VLAN Registration Protocol (GVRP) relies on the services provided by GARP to provide IEEE 802.1Q-compliant VLAN pruning and dynamic VLAN creation on 802.1Q trunk ports. When GVRP is enabled, the switch registers and propagates VLAN membership on all ports that are part of the active spanning tree protocol topology.
Spanning Tree Protocol Features For information about configuring Spanning Tree Protocol features, see "Configuring the Spanning Tree Protocol" on page 633. Spanning Tree Protocol (STP) Spanning Tree Protocol (IEEE 802.1D) is a standard requirement of Layer 2 switches that allows bridges to automatically prevent and resolve L2 forwarding loops.
Bridge Protocol Data Unit (BPDU) Guard Spanning Tree BPDU Guard is used to disable the port in case a new device tries to enter the already existing topology of STP. Thus devices, which were originally not a part of STP, are not allowed to influence the STP topology. BPDU Filtering When spanning tree is disabled on a port, the BPDU Filtering feature allows BPDU packets received on that port to be dropped.
Routing Features Address Resolution Protocol (ARP) Table Management You can create static ARP entries and manage many settings for the dynamic ARP table, such as age time for entries, retries, and cache size. For information about managing the ARP table, see "Configuring IP Routing" on page 895.
BOOTP/DHCP Relay Agent The switch BootP/DHCP Relay Agent feature relays BootP and DHCP messages between DHCP clients and DHCP servers that are located in different IP subnets. For information about configuring the BootP/DHCP Relay agent, see "Configuring L2 and L3 Relay Features" on page 919. IP Helper and UDP Relay The IP Helper and UDP Relay features provide the ability to relay various protocols to servers on a different subnet.
Virtual Router Redundancy Protocol (VRRP) VRRP provides hosts with redundant routers in the network topology without any need for the hosts to reconfigure or know that there are multiple routers. If the primary (master) router fails, a secondary router assumes control and continues to use the virtual router IP (VRIP) address.
IPv6 Routes Because IPv4 and IPv6 can coexist on a network, the router on such a network needs to forward both traffic types. Given this coexistence, each switch maintains a separate routing table for IPv6 routes. The switch can forward IPv4 and IPv6 traffic over the same set of interfaces.
Quality of Service (QoS) Features NOTE: Some features that can affect QoS, such as ACLs and Voice VLAN, are described in other sections within this chapter. Differentiated Services (DiffServ) The QoS Differentiated Services (DiffServ) feature allows traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors.
Priority-based Flow Control (PFC) NOTE: PFC is supported only on the PCM8024-k. The PCM6220, PCM6348, and PCM8024 switches do not support PFC. The Priority-based Flow Control feature allows the user to pause or inhibit transmission of individual priorities within a single physical link. By configuring PFC to pause a congested priority (priorities) independently, protocols that are highly loss sensitive can share the same link with traffic that has different loss tolerances.
Layer 2 Multicast Features For information about configuring L2 multicast features, see "Configuring L2 Multicast Features" on page 713. MAC Multicast Support Multicast service is a limited broadcast service that allows one-to-many and many-to-many connections. In Layer 2 multicast services, a single frame addressed to a specific multicast address is received, and copies of the frame to be transmitted on each relevant port are created.
Multicast VLAN Registration NOTE: MVR is not supported on the PowerConnect M6220. The Multicast VLAN Registration (MVR) protocol, like IGMP Snooping, allows a Layer 2 switch to listen to IGMP frames and forward the multicast traffic only to the receivers that request it. Unlike IGMP Snooping, MVR allows the switch to listen across different VLANs.
Protocol Independent Multicast—Dense Mode Protocol Independent Multicast (PIM) is a standard multicast routing protocol that provides scalable inter-domain multicast routing across the Internet, independent of the mechanisms provided by any particular unicast routing protocol. The Protocol Independent Multicast-Dense Mode (PIM- DM) protocol uses an existing Unicast routing table and a Join/Prune/Graft mechanism to build a tree.
Hardware Overview This section provides an overview of the switch hardware. The topics covered in this section include: • PowerConnect M6220, M6348, M8024, and M8024-k Front Panel • Console (RS-232) Port • Out-of-Band Management Port • LED Definitions PowerConnect M6220, M6348, M8024, and M8024-k Front Panel The images in this section show the front panels of the PowerConnect M6220, M6348, M8024, and M8024-k switches.
Page 84
Figure 3-1. PowerConnect M6220 Stacking Module or 10 Gb Module 10 Gb Module 10/100/100Base-T Auto-sensing Full-Duplex RJ-45 Ports Console Port • The switch automatically detects crossed and straight-through cables on RJ-45 ports. • The 10/100/100Base-T Auto-sensing RJ-45 ports support half- and full- duplex mode.
PowerConnect M6348 Front Panel The PowerConnect M6348 front panel provides 16 10/100/1000Base-T ports. There are also 32 internal 1 gigabit ports that connect to each of the server blades. Figure 3-2. PowerConnect M6348 10/100/100Base-T Auto-sensing Full-Duplex RJ-45 Ports 10 Gb SFP+ Ports 10 Gb CX4 Ports Console Port Hardware Overview...
PowerConnect M8024 Front Panel The PowerConnect M8024 front panel supports up to eight 10-gigabit ports. It has two 10-gigabit bays that can support SFP+, CX-4, or 10GBase-T modules. The SFP+ Module supports four ports, the CX-4 module supports three ports, and the 10GBase-T module supports two ports. The modules can be used in any combination and are sold separately.
PowerConnect M8024-k Front Panel The PowerConnect M8024-k front panel includes four SFP+ ports an expansion slot for 10-Gigabit modules. The expansion slot can support SFP+, CX-4, or 10GBase-T modules. The SFP+ Module supports four ports, the CX-4 module supports three ports, and the 10GBase-T module supports two ports.
CLI. Console Redirect The Dell M1000e Server Chassis includes a console redirect feature that allows you to manage each PCM6220, PCM6348, PCM8024, and PCM8024-k module from a single serial connection to the chassis. For more...
LED Definitions This section describes the light emitting diodes (LEDs) on the front panel of the switch and on the optional modules that plug into the back panel. Port LEDs The integrated external 10/100/1000Base-T switch ports on the PowerConnect M6220 and M6348 switches include two LEDs. The integrated SFP+ switch ports on the PowerConnect M8024-k include one LED.
Page 90
SFP+ Port LEDs (PowerConnect M6348 and M8024-k) Each integrated SFP port on the PowerConnect M6348 switch includes two LEDs. Table 3-3 contains SFP port LED definitions for the PowerConnect M6348. Table 3-2. PowerConnect M6348 SFP+ Port LEDs Definitions Color/Activity Definition Green solid The port is linked.
Module LEDs The 10GBase-T module has two or three LEDs per port, the SFP+ module has one LED per port, and the Stacking/10 GbE module does not have any LEDs. 10GBase-T Module LEDs Each 10GBase-T Module has three LEDs. Table 3-4 contains 10GBase-T port LED definitions for the PowerConnect M6220 and M8024.
Page 92
SFP+ Port LEDs Table 3-5 contains LED definitions for SFP+ port on the plug-in module available for PowerConnect M6220, M6348, M8024, and M8024-k switches. Table 3-5. SFP+ Port LEDs Definitions Color/Activity Definition LNK/ACT Green solid The port is linked. Green blinking The port is sending and/or receiving network traffic.
System LEDs The system LEDs for the PowerConnect M6220, M6348, M8024, and M8024-k switches are located on the right side of the front panel next to the console port. Figure 3-6. System LEDs System Status LED System Power LED Table 3-7 contains the status LED definitions for the PowerConnect M6220 and M6348 switches.
Page 94
Table 3-8 contains the status LED definitions for the PowerConnect M8024 and M8024-k switches. Table 3-8. PCM8024 and PCM8024-k Power and Status LED Definitions Color Definition Green Power is being supplied to the switch. The switch does not have power. Blue The switch is operating normally.
Dell OpenManage Switch Administrator is a Web-based tool to help you manage and monitor a PowerConnect M6220/M6348/M8024/M8024-k switch. Table 4-1 lists the Web browsers that are compatible with Dell OpenManage Switch Administrator. The browsers have been tested on a PC running the Microsoft Windows operating system.
Starting the Application To access the Dell OpenManage Switch Administrator and log on to the switch: 1 Open a web browser. 2 Enter the IP address of the switch in the address bar and press <Enter>. For information about assigning an IP address to a switch, see "Setting the IP Address and Other Basic Network Information"...
5 The Dell OpenManage Switch Administrator home page displays. The home page is the Device Information page, which contains a graphical representation of the front panel of the switch. For more information about the home page, see "Device Information" on page 244.
Page 98
Save, Print, Refresh, Help Configuration and Status Options Command Button Using the Switch Administrator Buttons and Links Table 4-2 describes the buttons and links available from the Dell OpenManage Switch Administrator interface. Table 4-2. Button and Link Descriptions Button or Link Description...
Defining Fields User-defined fields can contain 1 159 characters, unless otherwise noted on – the Dell OpenManage Switch Administrator Web page. All characters may be used except for the following: • • •...
For more information about creating a serial connection, see the Getting Started Guide available at support.dell.com/manuals. 1 Connect the DB-9 connector of the supplied serial cable to a management station, and connect the USB type-A connector to the switch console port.
2 Start the terminal emulator, such as Microsoft HyperTerminal, and select the appropriate serial port (for example, COM 1) to connect to the console. 3 Configure the management station serial port with the following settings: • Data rate — 9600 baud. •...
Understanding Command Modes The CLI groups commands into modes according to the command function. Each of the command modes supports specific software commands. The commands in one mode are not available until you switch to that particular mode, with the exception of the User EXEC mode commands. You can execute the User EXEC mode commands in the Privileged EXEC mode.
Page 104
Table 5-1. Command Mode Overview Command Mode Access Method Command Prompt Exit or Access Previous Mode User EXEC The user is logout console> automatically in User EXEC mode unless the user is defined as a privileged user. Privileged EXEC From User Use the exit console# EXEC mode,...
Entering CLI Commands The switch CLI uses several techniques to help you enter commands. Using the Question Mark to Get Help Enter a question mark (?) at the command prompt to display the commands available in the current mode. console(config-vlan)#? exit To exit from the mode.
You can also enter a question mark (?) after typing one or more characters of a word to list the available command or parameters that begin with the letters, as shown in the following example: console#show po? policy-map port ports Using Command Completion The CLI can complete partially entered commands when you press the <Tab>...
Understanding Error Messages If you enter a command and the system is unable to execute it, an error message appears. Table 5-2 describes the most common CLI error messages. Table 5-2. CLI Error Messages Message Text Description Indicates that you entered an incorrect or % Invalid input unavailable command.
Table 5-3. History Buffer Navigation Keyword Source or Destination Up-arrow key Recalls commands in the history buffer, beginning with the most recent command. Repeats the key sequence to recall successively <Ctrl>+<P> older commands. Down-arrow key Returns to more recent commands in the history buffer after recalling commands with the up-arrow key.
Page 109
Unit, Slot, and Port Numbers The unit, slot, and port numbers are separated by forward slashes and follow the port type. For switches that do not support stacking (PCM8024 and PCM8024-k), the unit number is always 1. For stackable switches (PCM6220 and PCM6348), the unit number can be 1–12.
Default Settings This section describes the default settings for many of the software features on the PowerConnect M6220, M6348, M8024, and M8024-k switches. Table 6-1. Default Settings Feature Default IP address None Subnet mask None Default gateway None DHCP client Enabled on out-of-band (OOB) interface.
Page 112
Table 6-1. Default Settings (Continued) Feature Default SNMP logging Disabled Console logging Enabled (Severity level: debug and above) RAM logging Enabled (Severity level: debug and above) Persistent (FLASH) logging Disabled Enabled (No servers configured) SNMP Enabled (SNMPv1) SNMP Traps Enabled Auto Configuration Enabled Auto Save...
Page 113
Table 6-1. Default Settings (Continued) Feature Default Protected Ports (Private VLAN Edge) None Flow Control Support (IEEE 802.3x) Enabled Head of Line Blocking Prevention Disabled Maximum Frame Size 1500 bytes Auto-MDI/MDIX Support Enabled Auto Negotiation Enabled Advertised Port Speed Maximum Capacity Broadcast Storm Control Disabled Port Mirroring...
Page 114
Table 6-1. Default Settings (Continued) Feature Default STP Bridge Priority 32768 Multiple Spanning Tree Disabled Link Aggregation No LAGs configured LACP System Priority Routing Mode Disabled OSPF Admin Mode Enabled OSPF Router ID 0.0.0.0 IP Helper and UDP Relay Enabled Enabled VRRP Disabled...
Setting the IP Address and Other Basic Network Information This chapter describes how to configure basic network information for the switch, such as the IP address, subnet mask, and default gateway. The topics in this chapter include: • IP Address and Network Information Overview •...
IP addresses. Default Domain Name Identifies your network, such as dell.com. If you enter a hostname and do not include the domain name information, the default domain name is automatically appended to the hostname.
You must use a console-port connection to perform the initial switch configuration. When you boot the switch for the first time and the configuration file is empty, the Dell Easy Setup Wizard starts. The Dell Easy Setup Wizard is a CLI-based tool to help you perform the initial switch configuration.
Page 118
Dell recommends that you use the OOB port for remote management. The following list highlights some advantages of using OOB management instead of in-band management: •...
Destination Unreachable, Fragmentation needed but DF set an ICMP notification, the switch will reduce the MSS. However, many firewalls block ICMP Destination Unreachable messages, which causes the destination to request the packet again until the connection times out. In order to resolve this issue, you can reduce the MSS setting to a more appropriate value on the local host or alternatively, you can set the MTU on the PowerConnect management port to a smaller value.
Configuring Basic Network Information (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring basic network information on the PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. Out-of-Band Interface Use the Out of Band Interface page to assign the Out of Band Interface IP address and subnet mask or to enable/disable the DHCP client for address...
IP Interface Configuration (Default VLAN IP Address) Use the IP Interface Configuration page to assign the Default VLAN IP address and Subnet Mask, the Default Gateway IP address, and to assign the boot protocol. To display the IP Interface Configuration page, click Routing → IP → IP Interface Configuration in the navigation panel.
4 If you select Manual for the configuration method, specify the IP Address and Subnet Mask in the appropriate fields. 5 Click Apply. NOTE: You do not need to configure any additional fields on the page. For information about VLAN routing interfaces, see "Configuring Routing Interfaces" on page 855.
Page 123
Configuring a Default Gateway for the Switch: To configure the switch default gateway: 1 Open the Route Entry Configuration page. 2 From the Route Type field, select Default. Figure 7-4. Default Route Configuration (Default VLAN) 3 In the Next Hop IP Address field, enter the IP address of the default gateway.
Domain Name Server Use the Domain Name Server page to configure the IP address of the DNS server. The switch uses the DNS server to translate hostnames into IP addresses. To display the Domain Name Server page, click System → IP Addressing → Domain Name Server in the navigation panel.
Default Domain Name Use the Default Domain Name page to configure the domain name the switch adds to a local (unqualified) hostname. To display the Default Domain Name page, click System → IP Addressing → Default Domain Name in the navigation panel. Figure 7-7.
Host Name Mapping Use the Host Name Mapping page to assign an IP address to a static host name. The Host Name Mapping page provides one IP address per host. To display the Host Name Mapping page, click System → IP Addressing → Host Name Mapping.
The switch learns hosts dynamically by using the configured DNS server to resolve a hostname. For example, if you ping www.dell.com from the CLI, the switch uses the DNS server to lookup the IP address of dell.com and adds the entry to the Dynamic Host Name Mapping table.
M6220/M6348/M8024/M8024-k switch. For more information about these PowerConnect M6220/M6348/M8024/M8024-k CLI commands, see the Reference Guide at support.dell.com/manuals. Enabling the DHCP Client on the OOB Port Beginning in Privileged EXEC mode, use the following commands to enable the DHCP client on the OOB port.
Managing DHCP Leases Beginning in Privileged EXEC mode, use the following commands to manage and troubleshoot DHCP leases on the switch. Command Purpose interface release dhcp Force the DHCPv4 client to release a leased address on the specified interface. interface renew dhcp Force the DHCP client to immediately renew an IPv4 address lease.
Configuring Static Network Information on the OOB Port Beginning in Privileged EXEC mode, use the following commands to configure a static IP address, subnet mask, and default gateway on the OOB port. Command Purpose configure Enter Global Configuration mode. interface out-of-band Enter Interface Configuration mode for the OOB port.
Configuring and Viewing Additional Network Information Beginning in Privileged EXEC mode, use the following commands to configure a DNS server, the default domain name, and a static host name-to- address entry. Use the show commands to verify configured information and to view dynamic host name mappings.
Basic Network Information Configuration Example In this example, an administrator at a Dell office in California decides not to use the Dell Easy Setup Wizard to perform the initial switch configuration. The administrator configures a PowerConnect M6220/M6348/M8024/M8024-k switch to obtain its information from a DHCP server on the network and creates the administrative user with read/write access.
Page 133
Default Gateway....10.27.22.1 Protocol Current....DHCP Burned In MAC Address.... 001E.C9AA.AA08 5 View additional network information. console#show hosts Host name: Default domain: sunny.dell.com dell.com Name/address lookup is enabled Name servers (Preference order): 10.27.138.20, 10.27.138.21 Configured host name-to-address mapping: Host Addresses...
Managing a Switch Stack This chapter describes how to configure and manage a stack of switches. NOTE: Stacking is supported on the PowerConnect M6220 and PowerConnect M6348 switches. The PowerConnect M8024 and PowerConnect M8024-k switches do not support stacking. The topics covered in this chapter include: •...
The running configuration and application state is synchronized between the Master and Standby during the normal stacking operation. In a stack of three or more switches, Dell strongly recommends connecting the stack in a ring topology so that each switch is connected to two other switches.
Figure 8-1. Connecting a Stack of PowerConnect M6220 Switches M6220 Switches Stacking Cables The stack in Figure 8-1 has six M6220 switches connected through the stacking ports. The first stacking port on each switch is physically connected to the second stacking port on the next switch by using a stacking cable. The first stacking port on switch six is connected to the second stacking port on switch one.
Page 138
NOTE: The PowerConnect M6348 and M6220 can not be stacked together. 1 For each switch in the stack, connect one of the short stacking cables from stacking port one on the switch to stacking port two on the next switch. 2 If necessary, use a separately purchased, long (3 meter) stacking cable to connect the switches.
PowerConnect 7000 Series and M6348 Stacking Compatibility The stack can contain any combination of switch models in the PowerConnect 7000 Series as well as the PowerConnect M6348 switch, as long as all switches are running the same firmware version. For example, a single stack of six switches might include the following members: •...
• If the Management Unit function is disabled, the unit remains a non- Management Unit. If the entire stack is powered OFF and ON again, the unit that was the Management Unit before the reboot will remain the Management Unit after the stack resumes operation.
might trigger many other protocols. However, it is possible to intentionally pre-configure a unit. You can view the preconfigured/unassigned units by using the show switch CLI command. If a new switch is added to a stack of switches that are powered and running and already have an elected Management Unit, the newly added switch becomes a stack member rather than the Management Unit.
How is the Firmware Updated on the Stack? When you add a new switch to a stack, the Stack Firmware Synchronization feature automatically synchronizes the firmware version with the version running on the stack master. The synchronization operation may result in either upgrade or downgrade of firmware on the mismatched stack member.
Page 143
management plane is application software running on the Management Unit that provides interfaces allowing a network administrator to configure the device. The Nonstop Forwarding (NSF) feature allows the forwarding plane of stack units to continue to forward packets while the control and management planes restart as a result of a power failure, hardware failure, or software fault on the stack Management Unit.
Page 144
Checkpointing Switch applications (features) that build up a list of data such as neighbors or clients can significantly improve their restart behavior by remembering this data across a warm restart. This data can either be stored persistently, as DHCP server and DHCP snooping store their bindings database, or the Management Unit can checkpoint this data directly to the standby unit.
Table 8-1. Applications that Checkpoint Data Application Checkpointed Data IGMP/MLD Snooping Multicast groups, list of router ports, last query data for each VLAN IPv6 NDP Neighbor cache entries iSCSI Connections LLDP List of interfaces with MED devices attached OSPFv2 Neighbors and designated routers OSPFv3 Neighbors and designated routers Route Table Manager...
If you move the master unit of stack to a different place in the network, make sure you power down the whole stack before you redeploy the master unit so that the stack members do not continue to use the MAC address of the redeployed switch.
Default Stacking Values Stacking is always enabled. NSF is enabled by default. You can disable NSF in order to redirect the CPU resources consumed by data checkpointing. Checkpointing only occurs when a backup unit is elected, so there is no need to disable the NSF feature on a standalone switch.
Managing and Monitoring the Stack (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring stacking on a PowerConnect M6220 or PowerConnect M6348 switch. For details about the fields on a page, click at the top of the page. NOTE: The changes you make to the Stacking configuration pages take effect only after the device is reset.
Page 149
Changing the ID or Switch Type for a Stack Member To change the switch ID or type: 1 Open the Unit Configuration page. 2 Click Add to display the Add Unit page. Figure 8-4. Add Remote Log Server Settings 3 Specify the switch ID, and select the model number of the switch. 4 Click Apply.
Stack Summary Use the Stack Summary page to view a summary of switches participating in the stack. To display the Stack Summary page, click System → Stack Management → Stack Summary in the navigation panel. Figure 8-5. Stack Summary Managing a Switch Stack...
Stack Firmware Synchronization Use the Stack Firmware Synchronization page to control whether the firmware image on a new stack member can be automatically upgraded or downgraded to match the firmware image of the stack master. To display the Stack Firmware Synchronization page, click System → Stack Management →...
Supported Switches Use the Supported Switches page to view information regarding each type of supported switch for stacking, and information regarding the supported switches. To display the Supported Switches page, click System → Stack Management → Supported Switches in the navigation panel. Figure 8-7.
Stack Port Summary Use the Stack Port Summary page to configure the stack-port mode and to view information about the stackable ports. This screen displays the unit, the stackable interface, the configured mode of the interface, the running mode as well as the link status and link speed of the stackable port. To display the Stack Port Summary page, click System →...
Stack Port Counters Use the Stack Port Counters page to view the transmitted and received statistics, including data rate and error rate. To display the Stack Port Counters page, click System → Stack Management → Stack Point Counters in the navigation panel. Figure 8-9.
NSF Summary Use the NSF Summary page to change the administrative status of the NSF feature and to view NSF information. NOTE: The OSPF feature uses NSF to enable the hardware to continue forwarding IPv4 packets using OSPF routes while a backup unit takes over Management Unit responsibility.
Checkpoint Statistics Use the Checkpoint Statistics page to view information about checkpoint messages generated by the master unit. To display the Checkpoint Statistics page, click System → Stack Management → Checkpoint Statistics in the navigation panel. Figure 8-11. Checkpoint Statistics Managing a Switch Stack...
For more information PowerConnect M6220/M6348/M8024/M8024-k about these commands, see the CLI Reference Guide at support.dell.com/manuals. Configuring Stack Member and NSF Settings Beginning in Privileged EXEC mode, use the following commands to configure stacking and NSF settings.
Command Purpose boot auto-copy-sw allow- Allow the firmware version on the newly added stack downgrade member to be downgraded if the firmware version on manager is older. exit Exit to Privileged EXEC mode. show auto-copy-sw View the Stack Firmware Synchronization settings for the stack.
Command Purpose show checkpoint View information about checkpoint messages generated by statistics the master unit. clear checkpoint Reset the checkpoint statistics counters to zero. statistics Stacking and NSF Usage Scenarios Only a few settings are available to control the stacking configuration, such as the designation of the standby unit or enabling/disabling NSF.
Basic Failover In this example, the stack has four members that are connected through a daisy-chain, as Figure 8-12 shows. Figure 8-12. Basic Stack Failover When all four units are up and running, the show switch CLI command gives the following output: console#show switch Management Standby...
Page 161
At this point, if Unit 2 is powered off or rebooted due to an unexpected failure, show switch gives the following output: console#show switch Management Standby Preconfig Plugged- Switch Code Status Status Model ID in Model Status Version --- --------- ------- -------- ------------------- --------...
Preconfiguring a Stack Member To preconfigure a stack member before connecting the physical unit to the stack, use the show support switchtype command to obtain the SID of the unit to be added. The example in this section demonstrates pre-configuring a PowerConnect 7048P switch on a stand-alone PowerConnect 7048R switch.
Page 163
3 Confirm the stack configuration. Some of the fields have been omitted from the following output due to space limitations. console#show switch SW Management Standby Preconfig Plugged-in Switch Code Status Status Model ID Model ID Status Version --- --------- ------- -------- --------- ---------- -------- Mgmt Sw PCT7048R PCT7048R...
NSF in the Data Center Figure 8-13 illustrates a data center scenario, where the stack of two PowerConnect switches acts as an access switch. The access switch is connected to two aggregation switches, AS1 and AS2. The stack has a link from two different units to each aggregation switch, with each pair of links grouped together in a LAG.
NSF and VoIP Figure 8-14 shows how NSF maintains existing voice calls during a Management Unit failure. Assume the top unit is the Management Unit. When the Management Unit fails, the call from phone A is immediately disconnected. The call from phone B continues. On the uplink, the forwarding plane removes the failed LAG member and continues using the remaining LAG member.
NSF and DHCP Snooping Figure 8-15 illustrates an L2 access switch running DHCP snooping. DHCP trusted snooping only accepts DHCP server messages on ports configured as ports. DHCP snooping listens to DHCP messages to build a bindings database that lists the IP address the DHCP server has assigned to each host. IP Source Guard (IPSG) uses the bindings database to filter data traffic in hardware based on source IP address and source MAC address.
If a host is in the middle of an exchange with the DHCP server when the failover occurs, the exchange is interrupted while the control plane restarts. When DHCP snooping is enabled, the hardware traps all DHCP packets to the CPU. The control plane drops these packets during the restart. The DHCP client and server retransmit their DHCP messages until the control plane has resumed operation and messages get through.
Page 168
Figure 8-16. NSF and a Storage Area Network Disc Array (iSCSI Targets) Servers (iSCSI Initiators) 10.1.1.2 10.1.1.3 10.1.1.1 10.1.1.10 10.1.1.11 When the Management Unit fails, session A drops. The initiator at 10.1.1.10 detects a link down on its primary NIC and attempts to reestablish the session on its backup NIC to a different IP address on the disk array.
NSF and Routed Access Figure 8-17 shows a stack of three units serving as an access router for a set of hosts. Two LAGs connect the stack to two aggregation routers. Each LAG is a member of a VLAN routing interface. The stack has OSPF and PIM adjacencies with each of the aggregation routers.
Page 170
JOIN messages upstream. The control plane updates the driver with checkpointed unicast routes. The forwarding plane reconciles L3 hardware tables. The OSPF graceful restart finishes, and the control plane deletes any stale unicast routes not relearned at this point. The forwarding plane reconciles L3 multicast hardware tables.
Controlling Management Access This chapter describes how to control access to the switch management interface through switch-based authentication or by using TACACS+ or RADIUS servers. It also includes information about controlling access through Telnet, SSH, HTTP, and HTTPs. The Denial of Service (DoS) protection feature is also described in this chapter.
Page 172
Table 9-1. Management Security Features Management Security Description Feature Management Access Contains rules to apply to one or more in-band ports, LAGs, Control List (ACL) or VLANs to limit management access by method (for example, Telnet or HTTP) and/or source IP address. NOTE: Management ACLs cannot be applied to the OOB port.
What Are the Recommendations for Management Security? Selecting the authentication policy for a network is very important. In large deployments, many administrators prefer to use a RADIUS or TACACS+ server because it allows the authentication policy to be applied system wide with little administrative effort.
• Console—Authenticates access through the console port (CLI only). • Telnet—Authenticates users accessing the CLI by using a Telnet or SSH client. • Secure HTTP—Authenticates users accessing OpenManage Switch Administrator by using an HTTPS connection. • HTTP—Authenticates users accessing OpenManage Switch Administrator by using an HTTP connection.
Page 175
Figure 9-1. Basic TACACS+ Topology Backup TACACS+ Server PowerConnect Switch Primary TACACS+ Server Management Network Management Host You can configure the TACACS+ server list with one or more hosts defined via their network IP address. You can also assign each a priority to determine the order in which the TACACS+ client will contact them.
How Does RADIUS Control Management Access? Many networks use a RADIUS server to maintain a centralized user database that contains per-user authentication information. RADIUS servers provide a centralized authentication method for: • Telnet Access • Web Access • Console to Switch Access •...
Page 177
Figure 9-2. RADIUS Topology Backup RADIUS Server PowerConnect Switch Primary RADIUS Server Management Network Management Host The server can authenticate the user itself or make use of a back-end device to ascertain authenticity. In either case a response may or may not be forthcoming to the client.
enable Auth-Type := Local, User-Password == "pass5678" Service-Type = Administrative-User The values for the Service-Type attribute are as follows: • NAS-Prompt-User indicates the user should be provided a command prompt on the switch, which is acting as the Network Access Server (NAS), from which nonprivileged commands can be executed.
Page 179
When multiple RADIUS servers are configured with different names, the servers are in different groups. The primary/secondary designation and priority applies to RADIUS servers only within the same group. Within a named group, the switch always attempts to contact the primary RADIUS server first.
What Other Features Use Authentication? In addition to controlling access to the management interface, the switch can use RADIUS, IAS, or the local user database to provide port-based access control. Port-based access control specifies whether devices that are connected to the switch ports are allowed access to the network. The IEEE 802.1X feature (also known as Dot1X) and Captive Portal feature use RADIUS or the local user database to control network access.
Page 181
Table 9-2. Management Security Default Values (Continued) Management Security Default Feature Authentication The following three Authentication Profiles are configured Profiles by default: • defaultList—Method is NONE, which means no authentication is required. • networkList—Method is LOCAL, which means the user credentials are verified against the information in the local user database.
Controlling Management Access (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring management security on a PowerConnect M6220/M6348/M8024/M8024-k switch. For details about the fields on a page, click at the top of the page. Access Profile Use the Access Profile page to define a profile and rules for accessing the switch.
Page 183
Adding and Configuring an Access Profile To configure an access profile: 1 Open the Access Profile page. 2 Click Add Profile to display the Add an Access Profile page. 3 Enter a name for the Access Profile. 4 Specify a rule for management access, and then click Apply. In Figure 9-4, the Access Profile name is mgmt_ACL, and access is permitted on VLAN 1 from any host in the 10.27.65.0/24 subnet.
Page 184
Figure 9-5 shows the configuration of an additional rule that allows management access to a host in the 10.27.65.0/24 subnet that is connected to Port 1. The rule priority is 2. This rule might be necessary if Port 1 is not a member of VLAN 1.
Page 185
Figure 9-6. View Access Profile Information 8 Click Access Profile to return to the main page for the feature. 9 To activate the profile, select the Set Active Access Profile option, and then click Apply. NOTE: The switch enforces the profile rules only if the profile is active. If an access profile is not activated, the device can be accessed by any host and on any interface.
Figure 9-7. Activate the Access Profile Authentication Profiles User authentication occurs locally and on an external server. Use the Authentication Profiles page to select the user authentication methods for the defaultList and networkList. These Authentication Profiles are created by default. To display the Authentication Profiles page, click System →...
Page 187
Figure 9-8. Authentication Profiles Adding and Configuring an Authentication Profile To configure an authentication profile: 1 Open the Authentication Profiles page. 2 Click Add to display the Add Authentication Profiles page. 3 Enter a name for the Authentication Profile. 4 Select the authentication methods to use for the profile. The order in which you select the methods is the order the switch will use to attempt to authentication the user.
Page 188
Figure 9-9. Configure Authentication Profile 5 Click Apply. A profile is created. You can apply the newly created authentication profile to an access method by using the System → Management Security → Select Authentication page. For example, you can select myList as the login authentication for anyone who connects to the switch by using Telnet.
Page 189
6 To view the existing Authentication Profiles and the order in which the login methods are used, click Show All. Figure 9-10. View Authentication Profile Table Controlling Management Access...
Select Authentication After authentication profiles are defined, you can apply them to management access methods. For example, console users can be authenticated by Authentication Profile List 1, while Telnet users are authenticated by Authentication Profile List 2. To display the Select Authentication page, click System → Management Security →...
Password Management Password management provides increased network security and improved password control. Passwords for SSH, Telnet, HTTP , HTTPS, and SNMP access are assigned security features, including: • Defining minimum password lengths (the minimum password length is 8 when password length-checking is enabled) •...
Page 192
Figure 9-12. Password Management Adding Excluded Keywords To prevent keywords from being used in passwords: 1 Make sure Create is selected from the Password Exclude-keyword menu. 2 Specify the keyword to exclude. 3 Click Add Excluded Keyword. Controlling Management Access...
Last Password Set Result Use the Last Password Set Result page to view information about the most recently configured password for a user in the Local User Database. To display the Last Password Set Result page, click System → Management Security →...
User Login Configuration Use the User Login Configuration page to select the list to use to authenticate attempts to login to the switch by users configured in the Local User Database. Each user in the database can have a different list applied. To display the User Login Configuration page, click System →...
Local User Database Use the Local User Database page to define passwords, access rights for users and reactivate users whose accounts have been suspended. This page also contains fields to allow you to configure SNMPv3 settings for users in the local database.
Page 196
Adding a User to the Local Database To add local users: 1 Open the Local User Database page. 2 Click Add to display the Add a New User page. 3 Specify a login name, select the access level, and type/retype the password. Figure 9-16.
Line Password Use the Line Password page to define passwords that are used to access the CLI through the Console port, SSH, or Telnet. To display the Line Password page, click System → Management Security → Line Password in the navigation panel. Figure 9-17.
TACACS+ Settings TACACS+ provides centralized security for validation of users accessing the switch, while still retaining consistency with RADIUS and other authentication processes. TACACS+ provides the following services: • Authentication — Provides authentication during login and through user names and user-defined passwords. •...
Page 199
Adding TACACS+ Host Information To add a TACACS+ host: 1 Open the TACACS+ Settings page. 2 Click Add to display the Add a TACACS+ Host page. 3 Specify a the hostname or IP address of the TACACS+ the switch will use to authenticate users.
Figure 9-21. View Local User Database Entries RADIUS Global Configuration Use the RADIUS Global Configuration page to configure that affect all RADIUS servers that are configured on the switch. To display the RADIUS Global Configuration page, click System → Management Security → RADIUS Global Configuration in the navigation panel.
RADIUS Server Configuration From the RADIUS Server Configuration page, you can add a new RADIUS server, configure settings for a new or existing RADIUS server, and view RADIUS server status information. The RADIUS client on the switch supports up to 32 named authentication and accounting servers. To access the RADIUS Server Configuration page, click System →...
Page 202
4 Use the default RADIUS server name or enter up to 32 alphanumeric characters. Spaces, hyphens, and underscores are also permitted. You can use the same name for multiple RADIUS Authentication servers. RADIUS clients can use RADIUS servers with the same name as backups for each other.
Figure 9-25. Viewing the RADIUS Server Table RADIUS Accounting Server Configuration From the RADIUS Accounting Server Configuration page, you can add a new RADIUS accounting server, configure settings for a new or existing RADIUS accounting server, and view RADIUS accounting server status information.
Page 204
Adding and Configuring RADIUS Accounting Server Information To add a RADIUS accounting server: 1 Open the RADIUS Accounting Server Configuration page. 2 Click Add to display the Add RADIUS Accounting Server page. 3 Specify the IP address of the RADIUS accounting server. 4 Use the default RADIUS server name or enter up to 32 alphanumeric characters.
Figure 9-28. Viewing the RADIUS Accounting Server Table RADIUS Accounting Server Statistics Use the RADIUS Accounting Server Statistics page to view statistical information for each RADIUS accounting server configured on the system. To access the RADIUS Accounting Server Statistics page, click System → Management Security →...
RADIUS Server Statistics Use the RADIUS Server Statistics page to view statistical information for each RADIUS server configured on the system. To access the RADIUS Server Statistics page, click System → Management Security → RADIUS Server Statistics in the navigation panel. Figure 9-30.
Authorization Network RADIUS In some networks, the RADIUS server is responsible for assigning traffic to a particular VLAN. From the Authorization Network RADIUS page, you can enable the switch to accept VLAN assignment by the RADIUS server. For more information about VLANs and RADIUS-assigned VLANs, see "Dynamic VLAN Creation"...
Telnet Server Use the Telnet Server page to enable or disable telnet service on the switch or to modify the telnet port. To display the Telnet Server page, click System → Management Security → Telnet Server. Figure 9-32. Telnet Server Controlling Management Access...
Denial of Service Denial of Service (DoS) refers to the exploitation of a variety of vulnerabilities which would interrupt the service of a host or make a network unstable. Use the Denial of Service page to configure settings to help prevent DoS attacks.
Secure HTTP Configuration Secure HTTP (HTTPS) increases the security of web-based management by encrypting communication between the administrative system and the switch. Use the Secure HTTP page to manage the HTTPS mode and certificate information that enables management of the switch through HTTPS. To display the Secure HTTP page, click System →...
Page 211
Importing and Requesting Certificates Use the following steps to import or request a certificate by using SSH. 1 From the Secure HTTP page, click SSH Request. Figure 9-35. Secure HTTP - SSH Request 2 Select the certificate number. 3 Complete the fields that are relevant to the certificate. 4 To import the certificate, click Certificate Import.
Page 212
Viewing Certificate Information To view the certificate request or to view the generated certificate, click Show All. Figure 9-36. View Certificate Requests Controlling Management Access...
Secure Shell Configuration Secure Shell (SSH) is similar to Telnet but increases the security of CLI- based management by creating a secure channel for communication between the administrative system and the switch. Use the Secure Shell page to manage the SSH mode and other information that enables management of the switch through SSH.
Generate RSA Keys — Begin generating RSA host keys. Note that to • generate SSH key files, SSH must be administratively disabled and there must be no active SSH sessions. Generate DSA Key — Begin generating DSA host keys. Note that to •...
Page 215
Configuring a Public Key Use the following steps to configure a public key for SSH. 1 From the Secure Public Key page, click Add. Figure 9-39. Secure Public Key — Add 2 Specify the algorithm to use of the public-key cryptography, either DSA or RSA.