Dell Networking Configuration Guide for the Z9500 Switch 9.7(0.0) March 2015 Rev.
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Copyright © 2015 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents
● Chapter 1: About this Guide
● Audience
● Conventions
● Allowing Access to the Following Modes
● Applying a Privilege Level to a Username
● Applying a Privilege Level to a Terminal Line
● Configuring Logging
● IP Access Control Lists (ACLs)
● CAM Usage
● Implementing ACLs
● Configure BFD for VRRP
● Configuring Protocol Liveness
● Chapter 9: Border Gateway Protocol IPv4 (BGPv4)
● Autonomous Systems (AS)
● Filtering BGP Routes Using AS-PATH Information
● Configuring BGP Route Reflectors
● Aggregating Routes
● Configuring BGP Confederations
● Configuring PFC and ETS in a DCB Map
● Configuring Priority-Based Flow Control
● Configuring Lossless Queues
● Displaying Dataplane Statistics
● Displaying Line-Card Counters
● Accessing Application Core Dumps
● Mini Core Dumps
● Ensure Robustness in a Converged Ethernet Network
● FIP Snooping on Ethernet Bridges
● Using FIP Snooping
● FIP Snooping Prerequisites
● Configure GVRP
● Enabling GVRP Globally
● Enabling GVRP on a Layer 2 Interface
● Null Interfaces
● Port Channel Interfaces
● Port Channel Definition and Standards
● Assigning IP Addresses to an Interface
● Configuring Static Routes
● Configure Static Routes for the Management Interface
● Enabling Directed Broadcast
● Configuring Telnet with IPv6
● SNMP over IPv6
● Displaying IPv6 Information
● Introduction to Dynamic LAGs and LACP
● Important Points to Remember
● LACP Modes
● Configuring LACP Commands
● Enabling LLDP on Management Ports
● Disabling and Undoing LLDP on Management Ports
● Advertising TLVs
● Viewing the LLDP Configuration
● Configure Multiple Spanning Tree Protocol
● Related Configuration Tasks
● Enable Multiple Spanning Tree Globally
● Adding and Removing Interfaces
● Redistributing Routes
● Configuring a Default Route
● OSPFv3 Authentication Using IPsec
● Troubleshooting OSPFv3
● Chapter 41: Private VLANs (PVLAN)
● Private VLAN Concepts
● Using the Private VLAN Commands
● Configuration Task List
● ECN Packet Classification
● Example: Color-marking non-ECN Packets in One Traffic Class
● Example: Color-marking non-ECN Packets in Different Traffic Classes
● Using A Configurable Weight for WRED and ECN
● Display Information About User Roles
● AAA Accounting
● Configuration Task List for AAA Accounting
● AAA Authentication
● Setting Rate-Limit BPDUs
● Debugging Layer 2 Protocol Tunneling
● Provider Backbone Bridging
● Chapter 49: sFlow
● Assigning a VLAN Alias
● Displaying the Ports in a VLAN
● Add Tagged and Untagged Ports to a VLAN
● Managing Overload on Startup
● Setting Daylight Saving Time Once
● Setting Recurring Daylight Saving Time
● Chapter 54: Tunneling
● Configuring a Tunnel
● Configuring a Static Route
● Sample VRF Configuration
● Route Leaking VRFs
● VRRP Benefits
● VRRP Implementation
● VRRP Configuration
1 About this Guide This guide describes the protocols and features that the Dell Networking Operating Software (OS) supports on the Z9500 system and provides configuration instructions and examples for implementing them. Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Networking systems.
2 Configuration Fundamentals The Dell Networking OS command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. After you enter a command, the command is added to the running configuration file.
● EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
Table 1.
Interface                IP-Address   OK?  Method  Status  Protocol
TenGigabitEthernet 0/0   unassigned   NO   Manual  up      down
TenGigabitEthernet 0/1   unassigned   NO   Manual  up      down
TenGigabitEthernet 0/2   unassigned   NO   Manual  up      down
TenGigabitEthernet 0/3   unassigned   NO   Manual  up      down
TenGigabitEthernet 0/4   unassigned   YES  Manual  up      up
TenGigabitEthernet 0/5   unassigned   YES  Manual  up      up
TenGigabitEthernet 0/6   unassigned   YES  Manual  up      up
TenGigabitEthernet 0/7   unassigned   YES  Manual  up      up
TenGigabitEthernet 0/8   unassigned   YES  Manual  up      up
TenGigabitEthernet 0/9   unassigned   YES  Manual  up      up
Obtaining Help
Obtain a list of keywords and a brief functional description of those keywords in any CLI mode using the ? or help command:
● To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
● Entering ? after a command prompt lists all of the available keywords. The output of this command is the same as that of the help command.
Short-Cut Key Combination and Action
● CNTL-N: Return to more recent commands in the history buffer after recalling commands with CNTL-P or the UP arrow key.
● CNTL-P: Recalls commands, beginning with the last command.
● CNTL-R: Re-enters the previous command.
● CNTL-U: Deletes the line.
● CNTL-W: Deletes the previous word.
● CNTL-X: Deletes the line.
● CNTL-Z: Ends continuous scrolling of command outputs.
● Esc B: Moves the cursor back one word.
● Esc F: Moves the cursor forward one word.
PID   Runtime(ms)  Invoked  uSecs  5Sec
538   43770        4377     10000  6.50%
535   51140        5114     10000  3.54%
614   300          30       10000  0.59%
557   190          19       10000  0.20%
615   130          13       10000  0.00%
508   290          29       10000  0.00%
720   330          33       10000  0.00%
19    410          41       10000  0.00%
30    60           6        10000  0.00%
25    1720         172      10000  0.00%
22    0            0        0      0.00%
533   0            0        0      0.00%
12    0            0        0      0.00%
2     10           1        10000  0.00%
1     0            0        0      0.00%
529   0            0        0      0.00%
523   10           1        10000  0.00%
646   0            0        0      0.00%
445   0            0        0      0.00%
579   5670         567      10000  0.00%
329   0            0        0      0.00%
655   270          27       10000
244   30           3        10000
74    30           3        10000
Multiple Users in Configuration Mode The Z9500 operating system notifies all users when there are multiple users logged in to CONFIGURATION mode. A warning message indicates the username, type of connection (console or VTY), and in the case of a VTY connection, the IP address of the terminal on which the connection was established.
3 Getting Started This chapter describes how you start configuring your Z9500 operating software. When you power up the chassis, the system performs a power-on self test (POST) and loads the Dell Networking operating software. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LED remains online (green) and the console monitor displays the EXEC mode prompt.
Serial Console
The RJ-45/RS-232 console port is labeled on the I/O side (upper right-hand) of the Z9500 chassis.
Figure 1. RJ-45 Console Port
Accessing the Console Port
To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the Z9500 console port to a terminal server.
2.
Table 2.
CONFIGURATION mode
interface ManagementEthernet 0/0
● The slot number is 0.
● The port number is 0.
2. Assign an IP address to the interface.
INTERFACE mode
ip address ip-address/mask
● ip-address: an address in dotted-decimal format (A.B.C.D).
● mask: a subnet mask in /prefix-length format (/xx).
3. Enable the interface.
INTERFACE mode
no shutdown
Configure a Management Route
Define a path from the Z9500 to the network from which you are accessing the system remotely.
CONFIGURATION mode
enable [password | secret] [level level] [encryption-type] password
○ level: the privilege level; 15 by default and not required.
○ encryption-type: specifies how you are inputting the password; 0 by default and not required.
■ 0 is for inputting the password in clear text.
■ 7 is for inputting a password that is already encrypted using a DES hash. Obtain the encrypted password from the configuration file of another Dell Networking system.
Table 3.
● Save the running-configuration to an FTP server.
EXEC Privilege mode
copy running-config ftp://username:password@{hostip | hostname}/filepath/filename
● Save the running-configuration to a TFTP server.
EXEC Privilege mode
copy running-config tftp://{hostip | hostname}/filepath/filename
● Save the running-configuration to an SCP server.
14 -rw- 27674906 Jul 06 2007 19:52:22 boot-image
15 -rw- 27674906 Jul 06 2007 02:23:22 boot-flash
--More--
Changes in Configuration Files
Configuration files have three commented lines at the beginning of the file, as shown in the following example, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startup-configuration.
If the VRF feature is identified as supported in the Feature Configuration file, the configuration command feature vrf becomes available. This command is stored in the running-configuration and precedes all other VRF-related configuration. NOTE: The MXL and Z9000 platforms currently do not support VRF. These platforms support only the management and default VRFs, which are available by default. As a result, the feature vrf command is not available on these platforms.
3. Run the verify {md5 | sha256} [flash://]img-file [hash-value] command. For example: verify sha256 flash://FTOSSE-9.5.0.0.bin
4. Compare the generated hash value to the expected hash value published on the iSupport page.
To validate the software image on the flash drive after the image has been transferred to the system, but before the image has been installed, use the verify {md5 | sha256} [flash://]img-file [hash-value] command in EXEC mode.
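The check in steps 3 and 4 can also be performed off the switch, on the workstation that downloaded the image, before the file is copied to flash. The following Python script is an added example and not Dell tooling: it hashes the image in chunks with MD5 or SHA-256, normalises the published value (support pages print hex in either case), and compares the two with a constant-time comparison. The bytes it writes in main() are a constructed stand-in for a real image file; the name FTOSSE-9.5.0.0.bin appears only as a label.

```python
"""Verify a Dell Networking OS image against a published MD5 or SHA-256 hash.

Added example, not Dell's own tooling: it performs off-box the check that
`verify {md5 | sha256} flash://img-file [hash-value]` performs on the switch.
The sample image bytes written by main() are constructed; a real check reads
the downloaded .bin and takes the expected hash from the iSupport page.
"""
import hashlib
import hmac
import io

SUPPORTED = {"md5": hashlib.md5, "sha256": hashlib.sha256}


def digest_stream(stream, algorithm="sha256", chunk_size=1 << 20):
    """Hash a binary stream in chunks so an image of tens of MB never sits in memory at once."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    h = SUPPORTED[algorithm]()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_stream(stream, expected_hash, algorithm="sha256"):
    """True only if the computed digest equals the published one.

    The published value is normalised (case, surrounding whitespace) because
    support pages print hex in either case; hmac.compare_digest avoids the
    early-exit timing difference of == at no cost.
    """
    actual = digest_stream(stream, algorithm)
    expected = expected_hash.strip().lower()
    if len(expected) != len(actual):
        return False  # wrong algorithm or a mangled copy-paste can never match
    return hmac.compare_digest(actual, expected)


def verify_bytes(data, expected_hash, algorithm="sha256"):
    """Convenience wrapper for in-memory data."""
    return verify_stream(io.BytesIO(data), expected_hash, algorithm)


def verify_file(path, expected_hash, algorithm="sha256"):
    with open(path, "rb") as f:
        return verify_stream(f, expected_hash, algorithm)


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed stand-in for an image file such as FTOSSE-9.5.0.0.bin.
    image = b"FTOS-IMAGE-SAMPLE\x00" * 65536
    published = hashlib.sha256(image).hexdigest()
    with tempfile.NamedTemporaryFile(delete=False, suffix=".bin") as tmp:
        tmp.write(image)
    try:
        print("intact image :", verify_file(tmp.name, published))
        print("tampered hash:", verify_file(tmp.name, "00" * 32))
        print("md5 vs sha256:", verify_file(tmp.name, published, "md5"))
    finally:
        os.unlink(tmp.name)
```

The length check before the comparison is deliberate: when the published value is an MD5 and the operator runs the SHA-256 path (or the reverse), the mismatch is reported as a failed verification rather than silently passing or raising.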
4 Switch Management This chapter describes the switch management tasks supported on the Z9500.
Removing a Command from EXEC Mode To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.
privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
● Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
CONFIGURATION mode
privilege {configure | interface | line | route-map | router} level level {command ||...
Applying a Privilege Level to a Username
To set the user privilege level, use the following command.
● Configure a privilege level for a user.
CONFIGURATION mode
username username privilege level
Applying a Privilege Level to a Terminal Line
To set a privilege level for a terminal line, use the following command.
● Configure a privilege level for a terminal line.
Enabling Audit and Security Logs You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode. This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control. Audit Logs The audit log contains configuration events and information.
May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98)
For information about the logging extended command, see Enabling Audit and Security Logs.
Example of the show logging Command for Security
Dell#show logging
Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )
Clearing Audit Logs
To clear audit logs, use the clear logging auditlog command in EXEC mode.
Setting Up a Secure Connection to a Syslog Server
You can use reverse tunneling with port forwarding to securely connect to a syslog server.
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server.
Dell(conf)#ip ssh server enable
2.
Log Messages in the Internal Buffer All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
Configuring a UNIX System as a Syslog Server
To configure a UNIX system as a syslog server, use the following command.
● Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file.
○ Add this line on a 4.1 BSD UNIX system: local7.debugging /var/log/ftos.log
○ Add this line on a 5.7 SunOS UNIX system: local7.debugging /var/adm/ftos.
To specify the system logging settings, use the following commands.
● Specify the minimum severity level for logging to the logging buffer.
CONFIGURATION mode
logging buffered level
● Specify the minimum severity level for logging to the console.
CONFIGURATION mode
logging console level
● Specify the minimum severity level for logging to terminal lines.
CONFIGURATION mode
logging monitor level
● Specify the minimum severity level for logging to a syslog server.
○ mail (for mail system messages)
○ news (for USENET news messages)
○ sys9 (system use)
○ sys10 (system use)
○ sys11 (system use)
○ sys12 (system use)
○ sys13 (system use)
○ sys14 (system use)
○ syslog (for syslog messages)
○ user (for user programs)
○ uucp (UNIX to UNIX copy protocol)
To view non-default settings, use the show running-config logging command in EXEC mode.
● Add a timestamp to syslog messages.
CONFIGURATION mode
service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime]
Specify the following optional parameters:
○ datetime: you can add the keywords localtime, msec, and show-timezone. If you do not add the keyword localtime, the time is UTC.
○ uptime: the time since the last boot. If you do not specify a parameter, the system configures uptime.
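The pieces in this section fit together: the switch emits records tagged %FACILITY-SEVERITY-MNEMONIC (the %CLI-6 audit record and the %SEC-5-LOGIN_SUCCESS security record shown under Audit Logs), the logging buffered, console and monitor levels keep only messages at least as severe as the configured level, and a UNIX collector files them under the local7 facility named in /etc/syslog.conf. The following Python script is an added example, not part of the guide: it parses lines of that shape, applies the level filter the way the logging commands do, computes the syslog PRI value (facility * 8 + severity) that a local7 selector matches on, and flags successful VTY logins from outside a management network. The four sample lines are constructed from the two records on this page; the severity keywords are the ones the logging commands accept.

```python
"""Parse Dell Networking OS audit and security log lines and filter them by severity.

Added example, not part of the guide. The line layout follows the two records
shown in this chapter (a %CLI-6-... audit record and a %SEC-5-LOGIN_SUCCESS
security record); the sample lines are constructed from that layout. Level
names are the `logging buffered <level>` keywords; the PRI arithmetic
(facility * 8 + severity) is the syslog encoding a UNIX collector applies when
it matches a selector such as local7.debugging.
"""
import ipaddress
import re

SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
LOCAL7 = 23  # syslog facility number for local7, the facility the switch sends to

# "<Mon dd hh:mm:ss>: <origin> %FACILITY-SEVERITY-MNEMONIC[:] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"(?P<origin>.*?)%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[^:\s]+):?\s*(?P<msg>.*)$"
)
# Terminal address as printed on VTY records: "( 10.14.1.91 )" or "(10.14.1.98)".
ADDR_RE = re.compile(r"\(\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\)")

SAMPLE_LINES = [  # constructed, following the guide's two examples
    "May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98)",
    "Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )",
    "Jun 10 04:25:07: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty1 ( 198.51.100.7 )",
    "Jun 10 04:26:00: Dell#: %CLI-6-ip access-list standard mgmt by admin from vty1 (198.51.100.7)",
]


def parse_log_line(line):
    """Return a dict of fields, or None for a line without a %FAC-SEV-MNEMONIC tag."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["origin"] = rec["origin"].strip()
    a = ADDR_RE.search(rec["msg"])
    rec["addr"] = a.group(1) if a else None
    return rec


def parse_samples():
    return [r for r in map(parse_log_line, SAMPLE_LINES) if r]


def filter_by_level(records, level):
    """Keep records at least as severe as `level`, as `logging buffered <level>` does (lower number = more severe)."""
    ceiling = SEVERITY[level]
    return [r for r in records if r["sev"] <= ceiling]


def syslog_pri(facility, severity):
    """Syslog PRI value: a local7 message at severity 5 (notifications) is 23 * 8 + 5 = 189."""
    return facility * 8 + severity


def logins_outside(records, management_net):
    """Source addresses of successful VTY logins that did not come from the management network."""
    net = ipaddress.ip_network(management_net)
    return [r["addr"] for r in records
            if r["fac"] == "SEC" and r["mnem"] == "LOGIN_SUCCESS"
            and r["addr"] and ipaddress.ip_address(r["addr"]) not in net]


if __name__ == "__main__":
    recs = parse_samples()
    for r in recs:
        print(f'{r["ts"]}  {r["fac"]}-{r["sev"]}  {r["mnem"]:14} addr={r["addr"]}')
    print("kept at logging buffered notifications:", len(filter_by_level(recs, "notifications")))
    print("PRI for a local7 severity-5 message:", syslog_pri(LOCAL7, 5))
    print("logins outside 10.14.1.0/24:", logins_outside(recs, "10.14.1.0/24"))
```

The origin field is matched lazily so that a stack-unit prefix such as %STKUNIT0-M:CP, which also begins with a percent sign, is not mistaken for the facility tag. Because the audit record puts the first word of the executed command where other records put a mnemonic, the parser treats that word as the mnemonic and keeps the rest of the command in the message field.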
Configuring FTP Server Parameters
After you enable the FTP server on the system, you can configure different parameters. To specify the FTP server settings, use the following commands.
● Specify the directory for users using FTP to reach the system.
CONFIGURATION mode
ftp-server topdir dir
The default is the internal flash directory.
● Specify a user name for all FTP users and configure either a plain text or encrypted password.
Denying and Permitting Access to a Terminal Line
Dell Networking recommends applying only standard access control lists (ACLs) to deny and permit access to VTY lines.
● Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny traffic.
● You cannot use the show ip accounting access-list command to display the contents of an ACL that is applied only to a VTY line.
To apply an IP ACL to a line, use the following command.
Dell(conf)#aaa authentication login myvtymethodlist line
Dell(conf)#line vty 0 2
Dell(config-line-vty)#login authentication myvtymethodlist
Dell(config-line-vty)#password myvtypassword
Dell(config-line-vty)#show config
line vty 0
 password myvtypassword
 login authentication myvtymethodlist
line vty 1
 password myvtypassword
 login authentication myvtymethodlist
line vty 2
 password myvtypassword
 login authentication myvtymethodlist
Dell(config-line-vty)#
Setting Time Out of EXEC Privilege Mode
EXEC time-out is
Exit character is '^]'.
Login:
Login: admin
Password:
Dell>exit
Dell#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
Dell#
Lock CONFIGURATION Mode
The system allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2).
Recovering from a Forgotten Password on the Z9500
If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter. If you forget your password, follow these steps:
1. Log onto the system using the console.
2. Power-cycle the chassis by disconnecting and then reconnecting the power cord.
3. During bootup, press Esc when prompted to abort the boot process.
BOOT_USER mode
BOOT_USER# boot change primary
You are prompted to enter a valid boot device (for example, ftp or tftp) and a path or filename for the Dell Networking OS image that you want to use.
4. (Optional) Set the secondary and default boot locations by entering the following commands:
BOOT_USER mode
BOOT_USER# boot change secondary
BOOT_USER# boot change default
5. Reboot the chassis.
● If the primary boot line is A: and the A: partition contains a valid image, the primary boot line is set to A:, the secondary boot line is set to B: (if B: also contains a valid image), and default boot line is set to a Null String. ● If the primary boot line is B: and the B: partition contains a valid image, the primary boot line is set to B:, the secondary boot line is set to A: (if A: also contains a valid image), and default boot line is set to a Null string.
default-gateway gateway_ip_address
For example, 10.16.150.254.
6. The environment variables are saved automatically.
7. Reload the system.
5 802.1X 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 3. EAP Frames Encapsulated in Ethernet and RADIUS
The authentication process involves three devices:
● The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
● The device with which the supplicant communicates is the authenticator. The authenticator is the gatekeeper of the network.
The Port-Authentication Process
The authentication process begins when the authenticator senses that a link status has changed from down to up:
1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
2. The supplicant responds with its identity in an EAP Response Identity frame.
3.
Figure 5. EAP Over RADIUS
RADIUS Attributes for 802.1X Support
Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
● Attribute 31 Calling-Station-Id: relays the supplicant MAC address to the authentication server.
● Attribute 41 NAS-Port-Type: the physical port type of the NAS port. 15 indicates Ethernet.
● Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Enabling 802.1X
Enable 802.1X globally.
Figure 6. 802.1X Enabled
1. Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3. Enable 802.1X on the supplicant interface only.
INTERFACE mode
dot1x authentication
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. The bold lines show that 802.1X is enabled.
 no ip address
 dot1x authentication
 no shutdown
!
Dell#
View 802.1X configuration information for an interface using the show dot1x interface command. The bold lines show that 802.1X is enabled on all ports, which are unauthorized by default.
Dell#show dot1x interface TenGigabitEthernet 2/1
802.
Configuring a Quiet Period after a Failed Authentication If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default, but you can configure this period. NOTE: The quiet period (dot1x quiet-period) is a transmit interval for after a failed authentication; the Request Identity Re-transmit interval (dot1x tx-period) is for an unresponsive supplicant. To configure a quiet period, use the following command.
dot1x port-control {force-authorized | force-unauthorized | auto}
The default state is auto. The example shows configuration information for a port that has been force-authorized. The bold line shows the new port-control state.
Dell(conf-if-Te-0/0)#dot1x port-control force-authorized
Dell(conf-if-Te-0/0)#show dot1x interface TenGigabitEthernet 0/0
802.
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Configuring Timeouts
If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default.
Configuring Dynamic VLAN Assignment with Port Authentication
On the Z9500, 802.1X authentication supports dynamic VLAN assignment. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure:
1. The host sends a dot1x packet to the Dell Networking system.
2. The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number.
3.
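Attributes 31, 41 and 61 listed under RADIUS Attributes for 802.1X Support, and attribute 81 used here for dynamic VLAN assignment, are ordinary RADIUS Type/Length/Value fields. The following Python is an added example, not Dell code: it encodes the attribute list an authenticator places in an Access-Request, decodes an attribute list while refusing malformed lengths, and extracts the Tunnel-Private-Group-ID from an Access-Accept. The MAC address, port number and VLAN 200 are constructed values; the wire format is RFC 2865, and the optional leading tag byte of attribute 81 (a first byte of 0x00 to 0x1F) follows RFC 2868, a detail this excerpt does not describe.

```python
"""Encode and decode the RADIUS attributes this chapter names for 802.1X.

Added example, not Dell code. It builds the attributes an authenticator puts
in every 802.1X-triggered Access-Request (31 Calling-Station-Id, 41
NAS-Port-Type with value 15 for Ethernet, 61 NAS-Port) and reads attribute
81 Tunnel-Private-Group-ID, which carries the dynamically assigned VLAN, out
of an Access-Accept. Wire layout is the RFC 2865 Type/Length/Value format;
the leading tag byte of attribute 81 follows RFC 2868. MAC address, port and
VLAN values below are constructed.
"""
import struct

CALLING_STATION_ID = 31
NAS_PORT_TYPE = 41
NAS_PORT = 61
TUNNEL_PRIVATE_GROUP_ID = 81
NAS_PORT_TYPE_ETHERNET = 15


def encode_attr(attr_type, value):
    """One attribute: 1-byte type, 1-byte length (header included), value of 1..253 bytes."""
    if isinstance(value, int):
        value = struct.pack("!I", value)  # RADIUS integers are 32-bit big-endian
    elif isinstance(value, str):
        value = value.encode("ascii")
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def decode_attrs(payload):
    """Walk a concatenated attribute list, refusing lengths that overrun or underrun the buffer."""
    attrs, i = [], 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs.append((attr_type, bytes(payload[i + 2:i + length])))
        i += length
    return attrs


def is_well_formed(payload):
    try:
        decode_attrs(payload)
        return True
    except ValueError:
        return False


def access_request_attrs(supplicant_mac, port_number):
    """Attribute list the authenticator includes in an 802.1X Access-Request."""
    return (encode_attr(CALLING_STATION_ID, supplicant_mac)
            + encode_attr(NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET)
            + encode_attr(NAS_PORT, port_number))


def tunnel_private_group_id(value):
    """Split attribute 81 into (tag, group). A first byte of 0x00..0x1F is a tag; anything else is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return None, value.decode("ascii")


def vlan_from_accept(payload):
    """The group ID (the VLAN, as the server sent it) from an Access-Accept attribute list, or None."""
    for attr_type, value in decode_attrs(payload):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            return tunnel_private_group_id(value)[1]
    return None


if __name__ == "__main__":
    req = access_request_attrs("00:11:22:33:44:55", 3)
    print("Access-Request attributes:", req.hex())
    for t, v in decode_attrs(req):
        print(f"  type {t:2d} len {len(v) + 2:2d} value {v!r}")
    # Constructed Access-Accept carrying a tagged Tunnel-Private-Group-ID of "200".
    accept = encode_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"200")
    print("dynamic VLAN from Access-Accept:", vlan_from_accept(accept))
```

The decoder checks every length byte against the remaining buffer before slicing. A server response (or a forged one) whose length field overruns the packet is rejected instead of being parsed into a partial attribute, which is the behaviour a port-authentication component should have when the VLAN it assigns depends on that field.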
Guest and Authentication-Fail VLANs Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data. NOTE: Ports cannot be dynamically assigned to the default VLAN.
 switchport
 dot1x authentication
 dot1x guest-vlan 200
 no shutdown
Dell(conf-if-Te-2/1)#
Dell(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5
Dell(conf-if-Te-2/1)#show config
!
interface TenGigabitEthernet 2/1
 switchport
 dot1x authentication
 dot1x guest-vlan 200
 dot1x auth-fail-vlan 100 max-attempts 5
 no shutdown
Dell(conf-if-Te-2/1)#
View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN, or using the show dot1x interface command
6 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, ACLs, prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists, and route-maps. For MAC ACLs, refer to Layer 2.
• IP Prefix Lists
• ACL Resequencing
• Route Maps
• Important Points to Remember

IP Access Control Lists (ACLs)
You can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address.
To determine whether sufficient ACL CAM space is available to enable a service-policy, use this command. To verify the actual CAM space required, create a class map with all the required ACL rules, then execute the test cam-usage command in Privilege mode. The following example shows the output when executing this command. The status column indicates whether you can enable the policy.
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules. The order can range from 0 to 254. The system writes to the CAM ACL rules with lower-order numbers (order numbers closer to 0) before rules with higher-order numbers so that packets are matched as you intended. By default, all ACL rules have an order of 254.
Example of Denying Second and Subsequent Fragments
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)

Layer 4 ACL Rules Examples
The following examples show the ACL commands for Layer 4 packet filtering.
Permit an ACL line with L3 information only, and the fragments keyword is present: If a packet's L3 information matches the L3 information in the ACL line, the packet's FO is checked.
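The matching behaviour of the fragments keyword, as an added example (Python written for this guide, not Dell Networking OS code): rules are tried in sequence order, a rule carrying fragments matches only non-initial fragments (fragment offset FO greater than 0), and an unmatched packet falls to the implicit deny. The ABC list is the one shown above. The handling of rules that carry Layer 4 information is the usual convention for fragments that have no L4 header (a permit with ports matches them on L3 alone, a deny with ports lets them fall through); that part is an assumption of the example, not a statement from the guide.

```python
"""Evaluate an IPv4 ACL against packets, honouring the 'fragments' keyword.

Added example, not Dell Networking OS code. Rules are matched in sequence
order; the first match decides, and an unmatched packet hits the implicit
deny at the end. A rule carrying 'fragments' matches only non-initial
fragments (FO > 0), which is what lets 'deny ip any 10.1.1.1/32 fragments'
followed by 'permit ip any 10.1.1.1/32' drop the second and subsequent
fragments while still permitting whole packets and initial fragments.
Layer 4 rules follow the usual convention (an assumption of this example):
a non-initial fragment carries no L4 header, so a permit rule with ports
matches it on L3 alone, while a deny rule with ports does not match it.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "ip", "tcp", "udp", "icmp"
    frag_offset: int = 0  # FO: 0 is the first/only fragment, >0 a non-initial one
    dport: Optional[int] = None


@dataclass
class Rule:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: str              # CIDR or "any"
    dst: str
    fragments: bool = False
    dport: Optional[int] = None   # Layer 4 information, if any

    def l3_matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and ip_address(have) not in ip_network(want, strict=False):
                return False
        return True

    def matches(self, pkt):
        if not self.l3_matches(pkt):
            return False
        if self.fragments:
            return pkt.frag_offset > 0      # only non-initial fragments
        if self.dport is None:
            return True                      # L3-only rule: any FO
        if pkt.frag_offset > 0:
            # no L4 header to inspect (assumed convention, see module docstring)
            return self.action == "permit"
        return pkt.dport == self.dport


@dataclass
class AccessList:
    name: str
    rules: list = field(default_factory=list)

    def add(self, rule):
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)

    def evaluate(self, pkt):
        """Return (action, seq) of the first matching rule; ("deny", None) if none."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.seq
        return "deny", None


def acl_abc():
    """The guide's ABC list: deny non-initial fragments to 10.1.1.1, permit the rest."""
    acl = AccessList("ABC")
    acl.add(Rule(5, "deny", "ip", "any", "10.1.1.1/32", fragments=True))
    acl.add(Rule(10, "permit", "ip", "any", "10.1.1.1/32"))
    return acl


if __name__ == "__main__":
    acl = acl_abc()
    print(acl.evaluate(Packet("192.0.2.5", "10.1.1.1", "tcp", 0, 80)))   # ('permit', 10)
    print(acl.evaluate(Packet("192.0.2.5", "10.1.1.1", "tcp", 185)))     # ('deny', 5)
```

Run against the ABC list, a whole packet or an initial fragment to 10.1.1.1 is permitted by seq 10, a non-initial fragment is denied by seq 5, and traffic to any other host hits the implicit deny.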
Configure a Standard IP ACL
To configure an ACL, use commands in IP ACCESS LIST mode and INTERFACE mode. For a complete list of all the commands related to IP ACLs, refer to the Dell Networking OS Command Line Interface Reference Guide. To set up extended ACLs, refer to Configure an Extended IP ACL. A standard IP ACL uses the source IP address as its match criterion.
1. Enter IP ACCESS LIST mode by naming a standard IP access list.
CONFIGURATION mode
ip access-list standard access-list-name
2.
CONFIG-STD-NACL mode
{deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments]
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets' details.
The following example shows a standard IP ACL in which the system assigns the sequence numbers.
Configure Filters, TCP Packets
To create a filter for TCP packets with a specified sequence number, use the following commands.
1. Create an extended IP ACL and assign it a unique name.
CONFIGURATION mode
ip access-list extended access-list-name
2. Configure an extended IP ACL filter for TCP packets.
{deny | permit} udp {source mask | any | host ip-address} [count [byte]] [order] [fragments]
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets' details.
The following example shows an extended IP ACL in which the sequence numbers were assigned by the software.
Using ACL VLAN Groups Use an ACL VLAN group to optimize ACL CAM usage by minimizing the number of CAM entries when you apply an egress IP ACL on the member interfaces of specified VLANs. When you apply an ACL on individual VLANs, the amount of CAM space required increases greatly because the ACL rules are saved for each VLAN ID.
ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode
description description
3. Apply an egress IP ACL.
ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode
ip access-group access-list-name out implicit-permit
4. Specify the VLAN members in the ACL VLAN group.
ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode
member vlan vlan-range
5. Verify the currently configured ACL VLAN groups on the switch.
Applying an IP ACL to an Interface To pass traffic through a configured IP ACL, assign that ACL to a physical interface, a port channel interface, or a VLAN. The IP ACL is applied to all traffic entering a physical or port channel interface and the traffic is either forwarded or dropped depending on the criteria and actions specified in the ACL. The same ACL may be applied to different interfaces and that changes its functionality.
no ip address
ip access-group abcd in
no shutdown
Dell(conf-if-gige0/0)#end
Dell#configure terminal
Dell(conf)#ip access-list extended abcd
Dell(config-ext-nacl)#permit tcp any any
Dell(config-ext-nacl)#deny icmp any any
Dell(config-ext-nacl)#permit 1.1.1.2
Dell(config-ext-nacl)#end
Dell#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.
1. Apply Egress ACLs to IPv4 system traffic.
CONFIGURATION mode
ip control-plane [egress filter]
2. Apply Egress ACLs to IPv6 system traffic.
CONFIGURATION mode
ipv6 control-plane [egress filter]
3. Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.
Implementation Information Prefix lists are used in processing routes for routing protocols (for example, router information protocol [RIP], open shortest path first [OSPF], and border gateway protocol [BGP]). NOTE: It is important to know which protocol your system supports prior to implementing prefix-lists. Configuration Task List for Prefix Lists To configure a prefix list, use commands in PREFIX LIST, ROUTER RIP, ROUTER OSPF, and ROUTER BGP modes.
If you are creating a standard prefix list with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. The system assigns filters in multiples of five.

Creating a Prefix List Without a Sequence Number
To create a filter without a specified sequence number, use the following commands.
1. Create a prefix list and assign it a unique name.
CONFIGURATION mode
ip prefix-list prefix-name
2.
The following example shows the show ip prefix-list summary command.
Dell>
Dell>show ip prefix summary
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
Dell>

Applying a Prefix List for Route Redistribution
To pass traffic through a configured prefix list, use the prefix list in a route redistribution command.
To view the configuration, use the show config command in ROUTER OSPF mode, or the show running-config ospf command in EXEC mode.
Dell(conf-router_ospf)#show config
!
router ospf 34
network 10.2.1.1 255.255.255.255 area 0.0.0.1
distribute-list prefix awe in
Dell(conf-router_ospf)#

ACL Resequencing
ACL resequencing allows you to re-number the rules and remarks in an access or prefix list. The placement of rules within the list is critical because packets are matched against rules in sequential order.
The following example shows resequencing ACLs when the remarks and rules have the same number.
Dell(config-ext-nacl)# show config
!
ip access-list extended test
remark 4 XYZ
remark 5 this remark corresponds to permit any host 1.1.1.1
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.
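What resequencing does to a list like the one above, as an added example (Python written for this guide, not Dell Networking OS code): every distinct original number, with a remark and the rule that shares its number counted once, is mapped to start, start + step, and so on, so remarks stay attached to the rules they describe and relative order is preserved. The entries are the guide's test list reproduced as data; the last host address is constructed because the guide's entry is cut off.

```python
"""Resequence the rules and remarks of an access list.

Added example, not Dell Networking OS code. Entries keep their relative
order; each distinct original number (a remark and the rule it annotates
share one) is mapped to start, start+step, ... so a remark stays attached
to the rule it describes. guide_list() is the guide's 'test' list as data,
except for the last host address, which is constructed.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    kind: str     # "remark" or "seq"
    number: int
    text: str

    def render(self):
        return f"{self.kind} {self.number} {self.text}"


def resequence(entries, start=10, step=10):
    """Return new entries renumbered from start in increments of step."""
    if start < 1 or step < 1:
        raise ValueError("start and step must be positive")
    ordered = sorted(entries, key=lambda e: e.number)   # stable: remark stays before its rule
    mapping = {}
    next_number = start
    for entry in ordered:                                # one new number per original number
        if entry.number not in mapping:
            mapping[entry.number] = next_number
            next_number += step
    return [Entry(e.kind, mapping[e.number], e.text) for e in ordered]


def guide_list():
    return [
        Entry("remark", 4, "XYZ"),
        Entry("remark", 5, "this remark corresponds to permit any host 1.1.1.1"),
        Entry("seq", 5, "permit ip any host 1.1.1.1"),
        Entry("remark", 9, "ABC"),
        Entry("remark", 10, "this remark corresponds to permit ip any host 1.1.1.2"),
        Entry("seq", 10, "permit ip any host 1.1.1.2"),
        Entry("seq", 15, "permit ip any host 1.1.1.3"),
        Entry("seq", 20, "permit ip any host 192.0.2.4"),   # constructed: the guide's entry is cut off
    ]


if __name__ == "__main__":
    for entry in resequence(guide_list(), 2, 2):
        print(entry.render())
```

With start 2 and step 2 the numbers become 2, 4, 4, 6, 8, 8, 10, 12: remark 4 moves to 2, remark 5 and seq 5 both move to 4, and so on.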
Implementation Information
The implementation of route maps allows route maps with no match or no set commands. When there is no match command, all traffic matches the route map and the set command applies.

Important Points to Remember
● For route-maps with more than one match clause:
○ When two or more match clauses within the same route-map sequence use the same match command (with different values), matching a packet against these clauses is a logical OR operation.
applied to a command, such as redistribute, traffic passes through all instances of that route map until a match is found. The following is an example with two instances of a route map.
Dell#show route-map
route-map zakho, permit, sequence 10
Match clauses:
Set clauses:
route-map zakho, permit, sequence 20
Match clauses:
interface TengigabitEthernet 0/1
Set clauses:
tag 35
level stub-area
Dell#
To delete all instances of that route map, use the no route-map map-name command.
Also, if there are different instances of the same route-map, then it's sufficient if a permit match happens in any instance of that route-map.
Example of the match Command to Match All Specified Values
Dell(conf)#route-map force permit 10
Dell(config-route-map)#match tag 1000
Dell(config-route-map)#match metric 2000
In the following example, instance 10 permits the route having a tag value of 1000 and instances 20 and 30 deny the route having a tag value of 1000.
CONFIG-ROUTE-MAP mode
match ip route-source {access-list-name | prefix-list prefix-list-name}
● Match source routes specified in a prefix list (IPv6).
CONFIG-ROUTE-MAP mode
match ipv6 route-source {access-list-name | prefix-list prefix-list-name}
● Match routes with a specific metric value.
CONFIG-ROUTE-MAP mode
match metric metric-value
● Match BGP routes based on the ORIGIN attribute.
CONFIG-ROUTE-MAP mode
set origin {egp | igp | incomplete}
● Specify a tag for the redistributed routes.
CONFIG-ROUTE-MAP mode
set tag tag-value
● Specify a value as the route's weight.
CONFIG-ROUTE-MAP mode
set weight value

To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low. Set commands do not require a corresponding match command.
!
set tag 34

Continue Clause
Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found. The following example shows a continue clause at the end of a route-map module. In this example, if a match is found in the route-map "test" module 10, module 30 is processed.
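How the match, set and continue rules above combine when a route is evaluated, as an added example (Python written for this guide, not Dell Networking OS code): within one sequence, match clauses of the same kind are OR-ed and clauses of different kinds are AND-ed, a sequence without match clauses matches everything, the first matching sequence decides and applies its set clauses, and a continue carries evaluation on to the next or a named later sequence. The route attributes, the sample route maps and the convention that a matching deny sequence ends evaluation are constructed for the example; the "test" map mirrors the module 10 to module 30 continue described above.

```python
"""Evaluate a route against a route map with match, set and continue clauses.

Added example, not Dell Networking OS code. Semantics modelled: within a
sequence, match clauses of the same kind are OR-ed and different kinds are
AND-ed; a sequence with no match clause matches everything; the first
matching sequence decides permit/deny and applies its set clauses; a
'continue' (to the next sequence, or to a named later one) resumes
evaluation after a permit match. A matching deny ends evaluation (assumed
convention). Routes and route maps here are constructed for the example.
"""
from collections import defaultdict


class Sequence:
    def __init__(self, number, action="permit", continue_to=None):
        self.number = number
        self.action = action                 # "permit" or "deny"
        self.matches = defaultdict(set)      # attribute -> acceptable values (OR)
        self.sets = {}
        self.continue_to = continue_to       # None, True (next sequence) or a sequence number

    def match_clause(self, attr, value):
        self.matches[attr].add(value)
        return self

    def set_clause(self, attr, value):
        self.sets[attr] = value
        return self

    def applies(self, route):
        # each attribute must match one of its values (AND across attributes)
        return all(route.get(attr) in values for attr, values in self.matches.items())


class RouteMap:
    def __init__(self, name):
        self.name = name
        self.sequences = {}

    def add(self, seq):
        self.sequences[seq.number] = seq
        return seq

    def evaluate(self, route):
        """Return (decision, route after set clauses, sequence numbers examined)."""
        route = dict(route)
        numbers = sorted(self.sequences)
        examined = []
        decision = "deny"                    # implicit deny when nothing matches
        i = 0
        while i < len(numbers):
            seq = self.sequences[numbers[i]]
            examined.append(seq.number)
            if not seq.applies(route):
                i += 1
                continue
            decision = seq.action
            if seq.action == "deny" or seq.continue_to is None:
                break
            route.update(seq.sets)
            if seq.continue_to is True:
                i += 1
            else:
                if seq.continue_to not in self.sequences or seq.continue_to <= seq.number:
                    raise ValueError("continue target must be a later sequence")
                i = numbers.index(seq.continue_to)
        else:
            return decision, route, examined
        if decision == "permit":
            route.update(seq.sets)
        return decision, route, examined


def guide_style_map():
    """Constructed 'test' map: module 10 continues to module 30, 20 sits between."""
    rm = RouteMap("test")
    rm.add(Sequence(10, continue_to=30)).match_clause("tag", 1000).set_clause("metric", 50)
    rm.add(Sequence(20)).match_clause("tag", 2000).set_clause("metric", 70)
    rm.add(Sequence(30)).set_clause("tag", 34)
    return rm


if __name__ == "__main__":
    print(guide_style_map().evaluate({"tag": 1000, "metric": 10}))
    # ('permit', {'tag': 34, 'metric': 50}, [10, 30])
```

A route tagged 1000 matches sequence 10, has its metric set to 50, skips sequence 20 because of the continue target, and then picks up tag 34 from sequence 30, which has no match clause and therefore matches everything.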
7 Bare Metal Provisioning (BMP) Starting with Dell Networking OS Release 9.2(1.0), BMP is supported on the Z9500 switch. This chapter describes the latest Bare Metal Provisioning (BMP) enhancements that apply to the Z9500. For details about supported BMP commands and configuration procedures, refer to the Dell Networking Open Automation Guide.
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 8. BFD in IPv4 Packet Format

Field: Description
Diagnostic Code: The reason that the last session failed.
State: The current local session state. Refer to BFD Sessions.
Flag: A bit that indicates packet function.
Field: Description
Your Discriminator: A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Desired Min TX Interval: The minimum rate at which the local system would like to send control packets to the remote system.
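The control packet whose fields the table describes, as an added example (Python written for this guide, not Dell Networking OS code) that builds and parses the 24-byte mandatory section in the RFC 5880 layout: version and diagnostic code share the first byte, state and the P/F/C/A/D/M flags the second, then detect multiplier, length, both discriminators and the three intervals in microseconds. The parser applies the receive-side checks RFC 5880 requires before a packet may influence a session, and detection_time_us shows how the detection time follows from the remote multiplier and the negotiated interval. The sample packet is constructed, not captured.

```python
"""Encode and decode the BFD control packet (RFC 5880 mandatory section).

Added example, not Dell Networking OS code. Layout: byte 0 = version (3
bits) | diagnostic (5 bits); byte 1 = state (2 bits) | P F C A D M flags;
byte 2 = detect multiplier; byte 3 = length; then My Discriminator, Your
Discriminator, Desired Min TX, Required Min RX and Required Min Echo RX,
each 32 bits, intervals in microseconds. The sample packet is constructed.
"""
import struct

HEADER = struct.Struct("!BBBBIIIII")   # 24 bytes
STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
DIAGS = {0: "No Diagnostic", 1: "Control Detection Time Expired",
         2: "Echo Function Failed", 3: "Neighbor Signaled Session Down",
         4: "Forwarding Plane Reset", 5: "Path Down", 6: "Concatenated Path Down",
         7: "Administratively Down", 8: "Reverse Concatenated Path Down"}
FLAG_BITS = {"P": 0x20, "F": 0x10, "C": 0x08, "A": 0x04, "D": 0x02, "M": 0x01}


def build(state, my_disc, your_disc, desired_min_tx, required_min_rx,
          detect_mult=3, diag=0, flags=(), required_min_echo_rx=0):
    """Serialize a control packet; raises on out-of-range field values."""
    if not 0 <= state <= 3 or not 0 <= diag <= 31 or not 1 <= detect_mult <= 255:
        raise ValueError("invalid field value")
    flag_byte = (state << 6) | sum(FLAG_BITS[f] for f in flags)
    return HEADER.pack((1 << 5) | diag, flag_byte, detect_mult, HEADER.size,
                       my_disc, your_disc, desired_min_tx, required_min_rx,
                       required_min_echo_rx)


def parse(data):
    """Decode a control packet, applying the RFC 5880 section 6.8.6 sanity checks."""
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than the mandatory section")
    vd, sf, mult, length, my_disc, your_disc, tx, rx, echo = HEADER.unpack_from(data)
    version, diag = vd >> 5, vd & 0x1F
    if version != 1:
        raise ValueError("unsupported BFD version")
    if length < HEADER.size or length > len(data):
        raise ValueError("bad length field")
    if mult == 0 or my_disc == 0:
        raise ValueError("Detect Mult and My Discriminator must be non-zero")
    state = sf >> 6
    flags = {name: bool(sf & bit) for name, bit in FLAG_BITS.items()}
    if flags["M"]:
        raise ValueError("Multipoint bit must be zero")
    if your_disc == 0 and state not in (0, 1):
        raise ValueError("Your Discriminator may be zero only in AdminDown or Down")
    return {"version": version, "diag": DIAGS.get(diag, diag), "state": STATES[state],
            "flags": flags, "detect_mult": mult, "my_disc": my_disc,
            "your_disc": your_disc, "desired_min_tx_us": tx,
            "required_min_rx_us": rx, "required_min_echo_rx_us": echo}


def detection_time_us(local_required_min_rx, remote_desired_min_tx, remote_detect_mult):
    """Asynchronous-mode detection time: the remote multiplier times the
    negotiated interval, which is the larger of the two values (RFC 5880 6.8.4)."""
    return remote_detect_mult * max(local_required_min_rx, remote_desired_min_tx)


if __name__ == "__main__":
    pkt = build(3, 0x1234, 0x5678, 100000, 100000)
    print(parse(pkt)["state"], detection_time_us(100000, 100000, 3))   # Up 300000
```

With both sides at the guide's 100 ms intervals and a multiplier of 3, the detection time is 300000 microseconds; a packet that claims state Up with Your Discriminator zero is rejected before it can change anything.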
Up: Both systems are exchanging control packets.
The session is declared down if:
● A control packet is not received within the detection time.
● Sufficient echo packets are lost.
● Demand mode is active and a control packet is not received in response to a poll packet.

BFD Three-Way Handshake
A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 10.
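The state changes just described and the three-way handshake before them, as an added example (Python written for this guide, not Dell Networking OS code): the transitions are the RFC 5880 ones, so a Down session that receives Down moves to Init as the text says, Init moves to Up on Init or Up, an AdminDown notification or a detection timeout drops a session to Down, and two in-process peers exchange states until both are Up. No packets are sent; the peer names are constructed.

```python
"""A BFD session state machine and the three-way handshake between two peers.

Added example, not Dell Networking OS code. Transitions follow RFC 5880
section 6.8.6: Down + received Down -> Init; Down + received Init -> Up;
Init + received Init or Up -> Up; Up + received Down -> Down; a received
AdminDown drops any session to Down; a detection timeout drops it to Down.
The two peers are simulated in-process, with constructed names.
"""
ADMIN_DOWN, DOWN, INIT, UP = "AdminDown", "Down", "Init", "Up"


class BfdSession:
    def __init__(self, name):
        self.name = name
        self.state = DOWN
        self.history = [DOWN]

    def _go(self, new_state):
        if new_state != self.state:
            self.state = new_state
            self.history.append(new_state)

    def receive(self, remote_state):
        """Update the local state on a control packet carrying remote_state."""
        if self.state == ADMIN_DOWN:
            return self.state                # stays down until re-enabled by the administrator
        if remote_state == ADMIN_DOWN:
            self._go(DOWN)
        elif self.state == DOWN:
            if remote_state == DOWN:
                self._go(INIT)
            elif remote_state == INIT:
                self._go(UP)
        elif self.state == INIT:
            if remote_state in (INIT, UP):
                self._go(UP)
        elif self.state == UP:
            if remote_state == DOWN:
                self._go(DOWN)
        return self.state

    def detection_timeout(self):
        """No control packet within the detection time: declare the session down."""
        if self.state != ADMIN_DOWN:
            self._go(DOWN)
        return self.state

    def admin_down(self):
        self._go(ADMIN_DOWN)
        return self.state


def three_way_handshake(a, b):
    """Alternate control packets until both peers are Up; returns the packet trace
    as (sender, sent state, receiver, receiver state before, receiver state after)."""
    trace = []
    sender, receiver = a, b
    while not (a.state == UP and b.state == UP):
        before = receiver.state
        after = receiver.receive(sender.state)
        trace.append((sender.name, sender.state, receiver.name, before, after))
        sender, receiver = receiver, sender
        if len(trace) > 6:
            raise RuntimeError("handshake did not converge")
    return trace


if __name__ == "__main__":
    r1, r2 = BfdSession("R1"), BfdSession("R2")
    for step in three_way_handshake(r1, r2):
        print(step)
    # ('R1', 'Down', 'R2', 'Down', 'Init')
    # ('R2', 'Init', 'R1', 'Down', 'Up')
    # ('R1', 'Up', 'R2', 'Init', 'Up')
```

Three packets bring both sides to Up, which is the handshake the previous section describes; afterwards a detection timeout on either side takes that side to Down, and the Down it then advertises pulls the neighbour down as well.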
Configure BFD for Static Routes
Configuring BFD for static routes is supported on the Z9500 switch. BFD offers systems a link state detection mechanism for static routes. With BFD, systems are notified to remove static routes from the routing table as soon as the link state change occurs, rather than waiting until packets fail to reach their next hop.
Configuring BFD for static routes is a three-step process:
1. Enable BFD globally.
2.
To view detailed session information, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information. Changing Static Route Session Parameters BFD sessions are configured with default intervals and a default role. The parameters you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all static routes.
● Disabling BFD for OSPF

Establishing Sessions with OSPF Neighbors
BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.
Figure 12. Establishing Sessions with OSPF Neighbors
To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands.
● Establish sessions with all OSPF neighbors.
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2  2.2.2.1     Te 2/1     Up     100     100     3     O
* 2.2.3.1  2.2.3.2     Te 2/2     Up     100     100     3     O

Changing OSPFv3 Session Parameters
Configure BFD sessions with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role.
Related Configuration Tasks
● Changing OSPFv3 Session Parameters
● Disabling BFD for OSPFv3

Changing OSPFv3 Session Parameters
Configure BFD sessions with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPFv3 sessions or all OSPFv3 sessions on a particular interface. If you change a parameter globally, the change affects all OSPFv3 neighbor sessions.
Configure BFD for IS-IS When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager. BFD sessions are then established with all neighboring interfaces participating in IS-IS. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the IS-IS protocol that a link state change occurred. Configuring BFD for IS-IS is a two-step process: 1. Enable BFD globally. 2. Establish sessions for all or particular IS-IS neighbors.
● Establish sessions with IS-IS neighbors on a single interface.
INTERFACE mode
isis bfd all-neighbors
To view the established sessions, use the show bfd neighbors command. The bold line shows that IS-IS BFD sessions are enabled.
R2(conf-router_isis)#bfd all-neighbors
R2(conf-router_isis)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2  2.2.2.
Configure BFD for BGP In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces. BFD for BGP does not support IPv6 and the BGP multihop feature. Prerequisites Before configuring BFD for BGP, you must first configure the following settings: 1.
BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays. Incoming BFD control packets received from the BGP neighbor are assigned to the highest priority queue within the control plane policing (COPP) framework to avoid BFD packet drops due to queue congestion. BFD notifies BGP of any failure conditions that it detects on the link. Recovery actions are initiated by BGP.
ROUTER BGP mode
no neighbor {ip-address | peer-group-name} bfd disable

Use BFD in a BGP Peer Group
You can establish a BFD session for the members of a peer group (the neighbor peer-group-name bfd command in ROUTER BGP configuration mode).
The following example shows viewing all BGP neighbors.
R2# show bfd neighbors
* - Active session role
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
M - MPLS
V - VRRP
LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 1.1.1.3  1.1.1.2     Te 6/0     Up     100     100     3     B
* 2.2.2.3  2.2.2.2     Te 6/1     Up     100     100     3     B
* 3.3.3.3  3.3.3.2     Te 6/2     Up     100     100     3     B
The following example shows viewing BFD neighbor detail.
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4
The following example shows viewing the configured BFD counters.
Last read 00:00:30, last write 00:00:30
Hold time is 180, keepalive interval is 60 seconds
Received 8 messages, 0 in queue
1 opens, 0 notifications, 0 updates
7 keepalives, 0 route refresh requests
Sent 9 messages, 0 in queue
2 opens, 0 notifications, 0 updates
7 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_R
Related Configuration Tasks
● Changing VRRP Session Parameters.
● Establishing Sessions with OSPF Neighbors.

Establishing Sessions with All VRRP Neighbors
BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor.
Figure 15. Establishing Sessions with All VRRP Neighbors
To establish sessions with all VRRP neighbors, use the following command.
● Establish sessions with all VRRP neighbors.
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
V - VRRP
LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.5.1  2.2.5.2     Te 4/25    Down   1000    1000    3     V
To view session state information, use the show vrrp command. The following example shows viewing VRRP session state information. The bold line shows the VRRP BFD session.
R1(conf-if-te-4/25)#do show vrrp
-----------------
TenGigabitEthernet 4/1, VRID: 1, Net: 2.2.5.
bfd disable
● Disable a particular VRRP session on an interface.
INTERFACE mode
no vrrp bfd neighbor ip-address

Configuring Protocol Liveness
Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled. When you disable a client, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state.
To enable protocol liveness, use the following command.
● Enable Protocol Liveness.
9 Border Gateway Protocol IPv4 (BGPv4) This chapter provides a general description of BGPv4 as it is supported in the Dell Networking OS. BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of the BGP is to exchange network reachability information with other BGP systems.
Figure 16. Interior BGP
BGP version 4 (BGPv4) supports classless interdomain routing, aggregate routes, and AS paths. BGP is a path vector protocol: each update carries the path (the sequence of ASs) that the routing information has traversed as it diffuses through the network. Updates traveling through the network and returning to the same node are therefore easily detected and discarded.
Figure 17. BGP Routers in Full Mesh
The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible.

Sessions and Peers
When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.

Establish a Session
Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies.
State: Description
Idle: BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer.
Connect: In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active: The router resets the ConnectRetry timer to zero and returns to the Connect state.
Figure 18. BGP Router Rules
1. Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D.
2. Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
3.
order in which they were received from the neighbors because MED may or may not get compared between the adjacent paths. In deterministic mode, the system compares MED between the adjacent paths within an AS group because all paths in the AS group are from the same AS. The following illustration shows the decisions BGP goes through to select the best path. The list following the illustration details the path selection criteria.
Figure 19. BGP Best Path Selection
Best Path Selection Details
1.
9. The system deems the paths equal and does not perform steps 9 through 11 if the following criteria are met:
a. IBGP multipath or EBGP multipath is configured (the maximum-path command).
b. The paths being compared were received from the same AS with the same number of ASs in the AS Path but with different NextHops.
c. The paths were received from IBGP or EBGP neighbors respectively.
10. If the bgp bestpath router-id ignore command is enabled and:
a.
Figure 20. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 21. Multi-Exit Discriminators

Origin
The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
Origin Type: Description
IGP: Indicates the prefix originated from information learned through an interior gateway protocol.
EGP: Indicates the prefix originated from information learned from an EGP protocol, which BGP replaced.
INCOMPLETE: Indicates that the prefix originated from an unknown source.
Address    Hash  Refcount  Metric  Path
0x4014154  0     3         18508   701 3549 19421 i
0x4013914  0     3         18508   701 7018 14990 i
0x5166d6c  0     3         18508   209 4637 1221 9249 9249 i
0x5e62df4  0     2         18508   701 17302 i
0x3a1814c  0     26        18508   209 22291 i
0x567ea9c  0     75        18508   209 3356 2529 i
0x6cc1294  0     2         18508   209 1239 19265 i
0x6cc18d4  0     1         18508   701 2914 4713 17935 i
0x5982e44  0     162       18508   209 i
0x67d4a14  0     2         18508   701 19878 ?
0x559972c  0     31        18508   209 18756 i
0x59cd3b4  0     2         18508
0x7128114  0     10        18508
0x536a914  0     3         18508
0x2ffe884  0     1         18508
Advertise IGP Cost as MED for Redistributed Routes When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as MED value. Use the set metric-type internal command in a route-map to advertise the IGP cost as the MED to outbound EBGP peers when redistributing routes.
Traditional Format  DOT Format
100000              1.34464
4294967295          65535.65535
When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte identified routers. You cannot mix them. Configure 4-byte AS numbers with the four-octet-support command.

AS4 Number Representation
Multiple representations of 4-byte AS numbers (asplain, asdot+, and asdot) are supported.
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature.
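The three representations named above, as an added example (Python written for this guide, not Dell Networking OS code): asplain is the plain decimal, asdot+ always writes high.low with high the number divided by 65536 and low the remainder, and asdot writes plain decimal below 65536 and high.low above, which is why the table shows 100000 as 1.34464 and 4294967295 as 65535.65535 (the notation of RFC 5396). The parser accepts any of the three forms and rejects values outside the 4-byte range.

```python
"""Convert BGP AS numbers between asplain, asdot and asdot+ notation.

Added example, not Dell Networking OS code. asplain: decimal; asdot+:
always high.low where high = asn // 65536 and low = asn % 65536; asdot:
plain decimal for numbers below 65536, high.low above (RFC 5396).
"""
AS_MAX = 0xFFFFFFFF


def _check(asn):
    if not isinstance(asn, int) or not 0 <= asn <= AS_MAX:
        raise ValueError(f"AS number out of range: {asn!r}")
    return asn


def to_asplain(asn):
    return str(_check(asn))


def to_asdotplus(asn):
    high, low = divmod(_check(asn), 65536)
    return f"{high}.{low}"


def to_asdot(asn):
    return to_asplain(asn) if _check(asn) < 65536 else to_asdotplus(asn)


def parse_as(text):
    """Accept any of the three notations and return the integer AS number.
    Dotted halves must each be 0..65535; anything non-numeric is rejected."""
    text = text.strip()
    if "." in text:
        high_s, low_s = text.split(".", 1)
        if not (high_s.isdigit() and low_s.isdigit()):
            raise ValueError(f"malformed AS number: {text!r}")
        high, low = int(high_s), int(low_s)
        if high > 65535 or low > 65535:
            raise ValueError(f"dotted part out of range: {text!r}")
        return high * 65536 + low
    if not text.isdigit():
        raise ValueError(f"malformed AS number: {text!r}")
    return _check(int(text))


def needs_four_octet_support(asn):
    """True when the number does not fit in two bytes, i.e. it requires
    the 4-byte AS feature on every router in the confederation."""
    return _check(asn) > 65535


if __name__ == "__main__":
    for asn in (100000, 4294967295, 65526, 65546):
        print(asn, to_asplain(asn), to_asdot(asn), to_asdotplus(asn))
    # 100000 100000 1.34464 1.34464
    # 4294967295 4294967295 65535.65535 65535.65535
    # 65526 65526 65526 0.65526
    # 65546 65546 1.10 1.10
```

Note that the same dotted string can be read back only because asdot and asdot+ agree above 65535; a configuration that mixes representations within one AS is rejected by the switch, and the parser above is deliberately tolerant of both on input only.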
bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057
Figure 22. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
Important Points to Remember
● Because eBGP packets are not controlled by the ACL, packets from BGP neighbors cannot be blocked using the deny ip command.
● The f10BgpM2AsPathTableEntry table, f10BgpM2AsPathSegmentIndex, and f10BgpM2AsPathElementIndex are used to retrieve a particular ASN from the AS path. These indices are assigned to the AS segments and individual ASN in each segment starting from 0.
● deterministic multi-exit discriminator (MED) (default)
● a path with a missing MED is treated as the worst path and assigned a MED value of 0xffffffff
● the community format follows RFC 1998
● delayed configuration (the software at system boot reads the entire configuration file prior to sending messages to start BGP peer sessions)
The following are not yet supported:
● auto-summarization (the default is no auto-summary)
● synchronization (the default is no synchronization)

BGP Configuration
To enable t
In BGP, routers with an established TCP connection are called neighbors or peers. After a connection is established, the neighbors exchange full BGP routing tables with incremental updates afterward. In addition, neighbors exchange KEEPALIVE messages to maintain the connection. In BGP, neighbor routers or peers can be classified as internal or external.
number displayed (in bold); the second example shows the summary with a 4-byte AS number using the show ip bgp summary command (the 4-byte AS number is displayed in bold).
R2#show ip bgp summary
BGP router identifier 192.168.10.
For address family: IPv4 Unicast
BGP table version 216613, neighbor version 201190
130195 accepted prefixes consume 520780 bytes
Prefix advertised 49304, rejected 0, withdrawn 36143
Connections established 1; dropped 0
Last reset never
Local host: 10.114.8.39, Local port: 1037
Foreign host: 10.114.8.60, Foreign port: 179

BGP neighbor is 10.1.1.1, remote AS 65535, internal link
Administratively shut down
BGP version 4, remote router ID 10.0.0.
Term Description method (asdot+). For example, the AS number 65526 appears as 65526 and the AS number 65546 appears as 1.10.
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If you do not implement 4-Byte AS numbers, only ASPLAIN representation is supported.
Only one form of AS number representation is supported at a time. You cannot combine the types of representations within an AS.
To configure AS4 number representations, use the following commands.
neighbor 172.30.1.250 no shutdown
5332332 9911991 65057 18508 12182 7018 46164 i

Configuring Peer Groups
To configure multiple BGP neighbors at one time, create and populate a BGP peer group. An advantage of peer groups is that members of a peer group inherit the configuration properties of the group and share the same update policy. A maximum of 256 peer groups are allowed on the system. Create a peer group by assigning it a name, then adding members to the peer group.
● neighbor route-reflector-client
● neighbor send-community
A neighbor may keep its configuration after it was added to a peer group if the neighbor's configuration is more specific than the peer group's and if the neighbor's configuration does not affect outgoing updates.
NOTE: When you configure a new set of BGP policies for a peer group, always reset the peer group by entering the clear ip bgp peer-group peer-group-name command in EXEC Privilege mode.
10.68.171.1
10.68.172.1
10.68.173.1
10.68.174.1
10.68.175.1
10.68.176.1
10.68.177.1
10.68.178.1
10.68.179.1
10.68.180.1
10.68.181.1
10.68.182.1
10.68.183.1
10.68.184.1
10.68.185.1
Dell>

Configuring BGP Fast Fail-Over
By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fail-over feature reduces the convergence time while maintaining stability.
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 52, neighbor version 52
4 accepted prefixes consume 16 bytes
Prefix advertised 0, denied 0, withdrawn 0
Connections established 6; dropped 5
Last reset 00:19:37, due to Reset by peer
Notification History
'Connection Reset' Sent : 5 Recv: 0
Local host: 200.200.200.200, Local port: 65519
Foreign host: 100.100.100.
neighbor peer-group-name subnet subnet-number mask
The peer group responds to OPEN messages sent on this subnet.
3. Enable the peer group.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name no shutdown
4. Create and specify a remote peer for BGP neighbor.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name remote-as as-number
Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED.
Allowing an AS Number to Appear in its Own AS Path This command allows you to set the number of times a particular AS number can occur in the AS path. The allow-as feature permits a BGP speaker to allow the ASN to be present for a specified number of times in the update received from the peer, even if that ASN matches its own. The AS-PATH loop is detected if the local ASN is present more than the specified number of times in the command.
neighbor {ip-address | peer-group-name} graceful-restart [restart-time time-in-seconds]
The default is 120 seconds.
● Local router supports graceful restart for this neighbor or peer-group as a receiver only.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} graceful-restart [role receiver-only]
● Set the maximum time to retain the restarting neighbor's or peer-group's stale paths.
Address    Hash  Refcount  Metric  Path
0x67d4a14  0     2         18508   701 19878 ?
0x559972c  0     31        18508   209 18756 i
0x59cd3b4  0     2         18508   209 7018 15227 i
0x7128114  0     10        18508   209 3356 13845 i
0x536a914  0     3         18508   209 701 6347 7781 i
0x2ffe884  0     1         18508   701 3561 9116 21350 i
0x2ff7284  0     99        18508   701 1239 577 855 ?
0x2ff7ec4  0     4         18508   209 3561 4755 17426 i
0x2ff8544  0     3         18508   701 5743 2648 i
0x736c144  0     1         18508   701 209 568 721 1494 i
0x3b8d224  0     10        18508   209 701 2019 i
0x5eb1e44  0     1         18508   701 8584 16158 i
0x5cd891c  0     9         18508   209 6453 4759 i
--More--
Regul
neighbor AAA peer-group
neighbor AAA no shutdown
neighbor 10.155.15.2 remote-as 32
neighbor 10.155.15.2 shutdown
Dell(conf-router_bgp)#neigh 10.155.15.2 filter-list 1 in
Dell(conf-router_bgp)#ex
Dell(conf)#ip as-path access-list Eagle
Dell(config-as-path)#deny 32$
Dell(config-as-path)#ex
Dell(conf)#router bgp 99
Dell(conf-router_bgp)#neighbor AAA filter-list Eagle in
Dell(conf-router_bgp)#show conf
!
router bgp 99
neighbor AAA peer-group
neighbor AAA filter-list Eagle in
neighbor AAA no shutdown
neighbor 10.
○ map-name: name of a configured route map. Enabling Additional Paths The add-path feature is disabled by default. NOTE: Dell Networking recommends not using multipath and add path simultaneously in a route reflector. To allow multiple paths sent to peers, use the following commands. 1. Allow the advertisement of multiple paths for the same address prefix without the new paths replacing any previous ones.
To view the configuration, use the show config command in CONFIGURATION COMMUNITY-LIST or CONFIGURATION EXTCOMMUNITY LIST mode or the show ip {community-lists | extcommunity-list} command in EXEC Privilege mode.
deny 701:667
deny 702:667
deny 703:667
deny 704:666
deny 705:666
deny 14551:666
Dell#
Filtering Routes with Community Lists
To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group.
1. Enter the ROUTE-MAP mode and assign a name to a route map.
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
2.
2. Configure a set filter to delete all COMMUNITY numbers in the IP community list. CONFIG-ROUTE-MAP mode set comm-list community-list-name delete OR set community {community-number | local-as | no-advertise | no-export | none} Configure a community list by denying or permitting specific community numbers or types of community. ● community-number: use AA:NN format where AA is the AS number (2 or 4 Bytes) and NN is a value specific to that autonomous system.
Changing MED Attributes By default, the system uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the same AS. To change how the MED attribute is used, enter any or all of the following commands. ● Enable MED comparison in the paths from neighbors with different ASs. CONFIG-ROUTER-BGP mode bgp always-compare-med By default, this comparison is not performed. ● Change the bestpath MED selection.
Changing the NEXT_HOP Attribute You can change how the NEXT_HOP attribute is used. To change how the NEXT_HOP attribute is used, enter the first command. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to specify the next hop address.
Filtering BGP Routes Filtering routes allows you to implement BGP policies. You can use either IP prefix lists, route maps, AS-PATH ACLs or IP community lists (using a route map) to control which routes the BGP neighbor or peer group accepts and advertises. Prefix lists filter routes based on route and prefix length, while AS-Path ACLs filter routes based on the ASN. Route maps can filter and set conditions, change attributes, and assign update policies.
● After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route. To view the BGP configuration, use the show config command in ROUTER BGP mode. To view a prefix list configuration, use the show ip prefix-list detail or show ip prefix-list summary commands in EXEC Privilege mode. Filtering BGP Routes Using Route Maps To filter routes using a route map, use these commands. 1. Create a route map and assign it a name.
neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out}
Configure the following parameters:
● ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name.
● as-path-name: enter the name of a configured AS-PATH ACL.
● in: apply the AS-PATH ACL to inbound routes.
● out: apply the AS-PATH ACL to outbound routes.
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network            Next Hop       Metric  LocPrf  Weight  Path
*>  7.0.0.0/29         10.114.8.33    0               0       18508 ?
*>  7.0.0.0/30         10.114.8.33    0               0       18508 ?
*>a 9.0.0.0/8          192.0.0.0                      32768   18508 701 {7018 2686 3786} ?
*>  9.2.0.0/16         10.114.8.33                    0       18508 701 i
*>  9.141.128.0/24     10.114.8.33                    0       18508 701 7018 2686 ?
Dell#
Configuring BGP Confederations
Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations.
To configure route flap dampening parameters, set dampening parameters using a route map, clear information on route dampening and return suppressed routes to active state, view statistics on route flapping, or change the path selection from the default mode (deterministic) to non-deterministic, use the following commands. ● Enable route dampening.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. The following example shows how to configure values to reuse or restart a route. In the following example, default = 15 is the set time before the value decrements, bgp dampening 2 ? is the set re-advertise value, bgp dampening 2 2000 ? is the suppress value, and bgp dampening 2 2000 3000 ? is the time to suppress a route. Default values are also shown.
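The dampening arithmetic behind the half-life, reuse, suppress and maximum-suppress parameters named above, as an added example (illustration code, not Dell Networking OS code). The model is the usual exponential-decay penalty scheme: each flap adds a fixed penalty, the penalty halves every half-life, a route is suppressed once the penalty exceeds the suppress threshold and released once it decays below the reuse threshold, and the penalty is capped so that a suppressed route is always released within the maximum suppress time. The per-flap penalty of 1000, the 4-minute maximum suppress time and the flap timeline in the sample run are assumptions of this example; the other values (half-life 2, reuse 2000, suppress 3000) are the ones typed in the text's example.

```python
"""Route-flap dampening penalty model.

Added illustration, not Dell Networking OS code.  Assumptions: 1000 penalty
points per flap, time measured in minutes, and the sample parameters below.
"""

FLAP_PENALTY = 1000.0   # assumed penalty added per announce/withdraw flap


class Dampener:
    """Dampening state for one prefix learned from one peer."""

    def __init__(self, half_life_min, reuse, suppress, max_suppress_min):
        self.half_life = half_life_min
        self.reuse = reuse
        self.suppress = suppress
        # Penalty ceiling: from here the penalty decays to `reuse` in exactly
        # max_suppress_min minutes, which bounds how long a route stays suppressed.
        self.ceiling = reuse * 2 ** (max_suppress_min / half_life_min)
        self.penalty = 0.0
        self.suppressed = False
        self.last_update = 0.0

    def _decay_to(self, t):
        """Apply exponential decay for the time elapsed since the last update."""
        elapsed = t - self.last_update
        self.penalty *= 0.5 ** (elapsed / self.half_life)
        self.last_update = t

    def flap(self, t):
        """Record a flap at minute t; return whether the route is suppressed afterwards."""
        self._decay_to(t)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.ceiling)
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.suppressed

    def state_at(self, t):
        """(penalty, suppressed) at minute t assuming no flaps since the last event."""
        self._decay_to(t)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False      # decayed below the reuse threshold: re-advertise
        return self.penalty, self.suppressed


def simulate(dampener, flap_times, probe_times):
    """Apply flaps, then probe the state; times are minutes in ascending order."""
    events = [(t, "flap", dampener.flap(t)) for t in flap_times]
    for t in probe_times:
        penalty, suppressed = dampener.state_at(t)
        events.append((t, f"penalty={penalty:.0f}", suppressed))
    return events


if __name__ == "__main__":
    # half-life 2 min, reuse 2000, suppress 3000, max suppress 4 min (assumed)
    d = Dampener(2, 2000, 3000, 4)
    for event in simulate(d, [0.0, 0.5, 1.0, 1.5], [2.5, 3.0]):
        print(event)
```

Four flaps 30 seconds apart push the penalty just past 3000, so the fourth flap suppresses the route; with nothing further happening it drops below 2000 roughly 80 seconds later and is reused. Raising the suppress threshold or shortening the half-life makes a prefix harder to suppress; lengthening the maximum suppress time raises the ceiling and lets a badly flapping prefix stay suppressed longer.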
timers bgp keepalive holdtime ○ keepalive: the range is from 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. The default is 60 seconds. ○ holdtime: the range is from 3 to 65536. Time interval, in seconds, between the last keepalive message and declaring the router dead. The default is 180 seconds. To view non-default values, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
Route Map Continue The BGP route map continue feature, continue [sequence-number], (in ROUTE-MAP mode) allows movement from one route-map entry to a specific route-map entry (the sequence number). If you do not specify a sequence number, the continue feature moves to the next sequence number (also known as an “implied continue”). If a match clause exists, the continue feature executes only after a successful match occurs. If there are no successful matches, continue is ignored.
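A small model of the route-map semantics described here and in the filtering sections above (AS-PATH ACLs applied with filter-list, community-list matching and set comm-list delete), added as an example; it is illustration code, not Dell Networking OS code. Entries are evaluated in sequence order; a matching entry applies its set clauses and ends evaluation unless it carries a continue, which jumps to the named sequence number or, for an implied continue, to the next entry; an entry that does not match is skipped and its continue is ignored; if nothing matches, the route is denied. Treating a matched deny entry as terminal, stopping on a continue that names a sequence number the map does not contain, and the `_` boundary shorthand in AS-path regular expressions are assumptions of this model; the routes, the ACL and the map are constructed.

```python
"""Route-map evaluation with continue, AS-path ACL and community matching.

Added illustration, not Dell Networking OS code.  All routes, ACLs and maps
below are constructed sample data.
"""
from __future__ import annotations

import copy
import re
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str
    as_path: list[int]
    communities: set[str] = field(default_factory=set)
    local_pref: int = 100

    def path_text(self) -> str:
        return " ".join(str(asn) for asn in self.as_path)


def as_path_regex(pattern: str) -> re.Pattern[str]:
    """Compile an AS-path regex; `_` stands for a path boundary (start, end, space)."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}])"))


def as_path_acl(rules: list[tuple[str, str]], route: Route) -> bool:
    """AS-PATH ACL: ordered (action, regex) rules, first match wins, implicit deny."""
    for action, pattern in rules:
        if as_path_regex(pattern).search(route.path_text()):
            return action == "permit"
    return False


@dataclass
class Entry:
    seq: int
    action: str                              # "permit" or "deny"
    match_as_path: str | None = None         # regex, like a one-line AS-PATH ACL
    match_community: set[str] | None = None  # matches if any listed community is present
    set_local_pref: int | None = None
    set_comm_delete: set[str] | None = None  # like "set comm-list <name> delete"
    continue_to: int | str | None = None     # None, "next" (implied continue) or a sequence number

    def matches(self, route: Route) -> bool:
        if self.match_as_path and not as_path_regex(self.match_as_path).search(route.path_text()):
            return False
        if self.match_community is not None and not (self.match_community & route.communities):
            return False
        return True                          # an entry with no match clauses matches everything

    def apply(self, route: Route) -> None:
        if self.set_local_pref is not None:
            route.local_pref = self.set_local_pref
        if self.set_comm_delete:
            route.communities -= self.set_comm_delete


def evaluate(route_map: list[Entry], route: Route) -> tuple[bool, Route]:
    """Return (permitted, route after set clauses); the input route is not modified."""
    entries = sorted(route_map, key=lambda e: e.seq)
    index_of = {e.seq: i for i, e in enumerate(entries)}
    out = copy.deepcopy(route)
    permitted = False                        # implicit deny if no entry ever matches
    i = 0
    while i < len(entries):
        entry = entries[i]
        if not entry.matches(out):
            i += 1                           # no match: continue is ignored, try the next entry
            continue
        if entry.action == "deny":
            return False, route              # assumption: a matched deny ends evaluation
        entry.apply(out)
        permitted = True
        if entry.continue_to is None:
            break
        if entry.continue_to == "next":
            i += 1
        elif entry.continue_to in index_of:
            i = index_of[entry.continue_to]
        else:
            break                            # assumption: unknown target sequence ends evaluation
    return permitted, out


# Constructed AS-PATH ACL in the spirit of the "deny 32$" example: drop routes originated by AS 32.
EAGLE_ACL = [("deny", "_32$"), ("permit", ".*")]

# Constructed inbound route map exercising deny, explicit continue, and set clauses.
IMPORT_MAP = [
    Entry(5, "deny", match_as_path="_32$"),
    Entry(10, "permit", match_as_path="^18508", set_local_pref=200, continue_to=30),
    Entry(20, "permit", match_community={"14551:666"}, set_local_pref=50),
    Entry(30, "permit", match_community={"701:667"}, set_comm_delete={"701:667"}),
    Entry(40, "permit"),
]

SAMPLE_ROUTES = [
    Route("7.0.0.0/29", [18508, 701], {"701:667"}),
    Route("9.2.0.0/16", [18508, 209], {"14551:666"}),
    Route("192.0.2.0/24", [701, 32]),
    Route("198.51.100.0/24", [65000], {"14551:666"}),
]


def run_import_policy():
    """Evaluate every sample route; map prefix -> (permitted, local_pref, communities)."""
    results = {}
    for route in SAMPLE_ROUTES:
        ok, out = evaluate(IMPORT_MAP, route)
        results[route.prefix] = (ok, out.local_pref, sorted(out.communities))
    return results


if __name__ == "__main__":
    for prefix, result in run_import_policy().items():
        print(prefix, result)
```

The second sample route shows the explicit jump: entry 10 matches and continues to 30, so entry 20 is never consulted even though its community clause would have matched; entry 30 does not match, so evaluation falls through to entry 40. The third route is stopped by the deny at entry 5 and by the AS-PATH ACL alike, which is the intended overlap: a filter-list and a route map applied to the same neighbor both have to admit a route.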
address family ipv4 multicast
● Enable IPv4 multicast support on a BGP neighbor/peer group.
CONFIG-ROUTER-BGP-AF (Address Family) mode
neighbor [ip-address | peer-group-name] activate
BGP Regular Expression Optimization
The system optimizes processing time when using regular expressions by caching and re-using evaluated regular expression results, at the expense of some memory in the RP1 processor.
Storing Last and Bad PDUs
The system stores the last notification sent/received and the last bad protocol data unit (PDU) received on a per peer basis. The last bad PDU is the one that causes a notification to be issued. In the following example, the last seven lines shown in bold are the last PDUs.
Example of the show ip bgp neighbor Command to View Last and Bad PDUs
Dell(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2
BGP neighbor is 1.1.1.2, remote AS 2, external link
BGP version 4, remote router ID 2.
● BGP is disabled.
● A neighbor is unconfigured.
● The clear ip bgp command is issued.
● New PDUs are captured and there is no more space to store them.
● The max buffer size is reduced. (This may cause PDUs to be cleared depending on the buffer space consumed and the new limit.)
To change the maximum buffer size, use the capture bgp-pdu max-buffer-size command. To view the captured PDUs, use the show capture bgp-pdu neighbor command.
Dell#show capture bgp-pdu neighbor 20.20.20.
PDU Counters Additional counters for various types of PDUs that are sent and received from neighbors are also supported. These are seen in the output of the show ip bgp neighbor command. Sample Configurations The following example configurations show how to enable BGP and set up some peer groups. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations.
R1(conf-if-te-1/21)#show config
!
interface TenGigabitEthernet 1/21
ip address 10.0.1.21/24
no shutdown
R1(conf-if-te-1/21)#int tengig 1/31
R1(conf-if-te-1/31)#ip address 10.0.3.31/24
R1(conf-if-te-1/31)#no shutdown
R1(conf-if-te-1/31)#show config
!
interface TenGigabitEthernet 1/31
ip address 10.0.3.31/24
no shutdown
R1(conf-if-te-1/31)#router bgp 99
R1(conf-router_bgp)#network 192.168.128.0/24
R1(conf-router_bgp)#neighbor 192.168.128.2 remote 99
R1(conf-router_bgp)#neighbor 192.168.128.
interface TenGigabitEthernet 2/31
ip address 10.0.2.2/24
no shutdown
R2(conf-if-te-2/31)#
R2(conf-if-te-2/31)#router bgp 99
R2(conf-router_bgp)#network 192.168.128.0/24
R2(conf-router_bgp)#neighbor 192.168.128.1 remote 99
R2(conf-router_bgp)#neighbor 192.168.128.1 no shut
R2(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0
R2(conf-router_bgp)#neighbor 192.168.128.3 remote 100
R2(conf-router_bgp)#neighbor 192.168.128.3 no shut
R2(conf-router_bgp)#neighbor 192.168.128.
R3(conf-router_bgp)#show config
!
router bgp 100
R3(conf-router_bgp)#network 192.168.128.0/24
R3(conf-router_bgp)#neighbor 192.168.128.1 remote 99
R3(conf-router_bgp)#neighbor 192.168.128.1 no shut
R3(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0
R3(conf-router_bgp)#neighbor 192.168.128.2 remote 99
R3(conf-router_bgp)#neighbor 192.168.128.2 no shut
R3(conf-router_bgp)#neighbor 192.168.128.2 update loop 0
R3(conf-router_bgp)#show config
!
router bgp 100
network 192.168.128.0/24
neighbor 192.
Neighbor        AS    MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.2   99    23       24       1       0    (0)   00:00:17  1
192.168.128.3   100   30       29       1       0    (0)   00:00:14  1
!
R1#show ip bgp neighbors
BGP neighbor is 192.168.128.2, remote AS 99, internal link
Member of peer-group AAA for session parameters
BGP version 4, remote router ID 192.168.128.
Connections established 4; dropped 3
Last reset 00:00:54, due to user reset
R1#
Example of Enabling Peer Groups (Router 2)
R2#conf
R2(conf)#router bgp 99
R2(conf-router_bgp)# neighbor CCC peer-group
R2(conf-router_bgp)# neighbor CC no shutdown
R2(conf-router_bgp)# neighbor BBB peer-group
R2(conf-router_bgp)# neighbor BBB no shutdown
R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.
R3(conf-router_bgp)#
R3(conf-router_bgp)# neighbor CCC peer-group
R3(conf-router_bgp)# neighbor CCC no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.2 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.1 no shutdown
R3(conf-router_bgp)#end
R3#show ip bgp summary
BGP router identifier 192.168.128.
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer
Connections established 6; dropped 5
Last reset 00:12:01, due to Closed by neighbor
Notification History
'HOLD error/Timer expired' Sent : 1 Recv: 0
'Connection Reset' Sent : 2 Recv: 2
Last notification (len 21) received 00:12:01 ago
ffffffff ffffffff ffffffff ffffffff 00150306 00000000
Local host: 192.168.128.2, Local port: 65464
Foreign host: 192.168.128.
10 Content Addressable Memory (CAM) CAM is a type of memory that stores information in the form of a lookup table. On the Z9500, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies. On a line card, there are one or two CAM (Dual-CAM) modules per port-pipe.
Current Settings(in block sizes)
1 block = 256 entries
L2Acl        : 6
Ipv4Acl      : 4
Ipv6Acl      : 0
Ipv4Qos      : 2
L2Qos        : 1
L2PT         : 0
IpMacAcl     : 0
VmanQos      : 0
EcfmAcl      : 0
nlbclusteracl: 0
Openflow     : 0
-- linecard 2 --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl        : 6
Ipv4Acl      : 4
Ipv6Acl      : 0
Ipv4Qos      : 2
L2Qos        : 1
L2PT         : 0
IpMacAcl     : 0
VmanQos      : 0
EcfmAcl      : 0
nlbclusteracl: 0
Openflow     : 0
The ipv6acl and vman-dual-qos allocations must be entered as a factor of 2 (2, 4, 6, 8, 10).
Example of the test cam-usage Command
Dell# test cam-usage service-policy input pcam linecard all
linecard | Portpipe | CAM Partition | Available CAM | Estimated CAM per Port | Status
-----------------------------------------------------------------------------------------
0        | 0        | IPv4Flow      | 408           | 1                      | Allowed (408)
0        | 1        | IPv4Flow      | 408           | 1                      | Allowed (408)
0        | 2        | IPv4Flow      | 408           | 1                      | Allowed (408)
1        | 0        | IPv4Flow      | 408           | 1                      | Allowed (408)
1        | 1        | IPv4Flow      | 408           | 1                      | Allowed (408)
1        | 2        | IPv4Flow      | 408           |
Ipv4Acl      : 4
Ipv6Acl      : 0
Ipv4Qos      : 2
L2Qos        : 1
L2PT         : 0
IpMacAcl     : 0
VmanQos      : 0
EcfmAcl      : 0
Openflow     : 0
-- linecard 2 --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl        : 6
Ipv4Acl      : 4
Ipv6Acl      : 0
Ipv4Qos      : 2
L2Qos        : 1
L2PT         : 0
IpMacAcl     : 0
VmanQos      : 0
EcfmAcl      : 0
Openflow     : 0
View CAM Usage
View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL subpartitions) using the show cam-usage command from EXEC Privilege mode.
Example of the cam-profile default Command
Dell(conf)#cam-profile ?
default           Enable default CAM profile
eg-default        Enable eg-default CAM profile
ipv4-320k         Enable 320K CAM profile
ipv4-egacl-16k    Enable CAM profile with 16K IPv4 egress ACL
ipv6-extacl       Enable CAM profile with extended ACL
l2-ipv4-inacl     Enable CAM profile with 32K L2 and 28K IPv4 ingress ACL
unified-default   Enable default unified CAM profile
Dell(conf)#cam-profile default microcode ?
default           Enable default microcode
lag-hash-align    Enable microco
Unified Forwarding Table (UFT) Modes Unified Forwarding Table (UFT) consolidates the resources of several search tables (Layer 2, Layer 3 Hosts, and Layer 3 Route [Longest Prefix Match — LPM]) into a single flexible resource. Dell Networking OS supports several UFT modes to extract the forwarding tables, as required. By default, Dell Networking OS initializes the table sizes to UFT mode 2 profile, since it provides a reasonable shared memory for all the tables.
11 Control Plane Policing (CoPP)
Control plane policing (CoPP) protects the Z9500 routing, control, and line-card processors from undesired or malicious traffic and Denial of Service (DoS) attacks by filtering control-plane flows. CoPP uses a dedicated control-plane service policy that consists of ACLs and QoS policies, which provide filtering and rate-limiting capabilities for control-plane packets.
CPU Queue   Protocols Mapped to Control Processor Queues                         Rate Limit (in kbps)
0           TTL0, IP options, L3 Broadcast MAC destination address               1000
1           L3 MTU Fail                                                          200
2           ARP request, NS, RS                                                  1800
3           ARP reply, NA, RA                                                    1800
4           FTP, Telnet, SSH, Local terminated, NTP, VLT IPM PDU, VLT ARPM       2800
5           ICMPv6                                                               300
6           ICMP                                                                 300
7           DHCP, LLDP, FEFD, 8021x                                              3200

CPU Queue   Protocols Mapped to Route Processor Queues                           Rate Limit (in kbps)
8           Unknown L3, L3 with Broadcast MAC destination address                400
9           PIM DR, M
Figure 24. Control Plane Policing
NOTE: On the Z9500, CoPP does not convert the input rate of control-plane traffic from kilobits per second (kbps) to packets per second (pps) as on other Dell Networking switches. On other switches, CoPP converts the input kilobit-per-second rate to a packet-per-second rate, assuming 64 bytes as the average packet size. CoPP then applies the packet-per-second rate to the appropriate queue. On these switches, 1 kbps is approximately equal to 2 pps.
Configure Control Plane Policing You can create a CoPP service policy on a per-protocol and/or a per-queue basis that serves as the system-wide configuration for filtering and rate limiting control-plane traffic. Configuring CoPP for Protocols This section describes how to create a protocol-based CoPP service policy and apply it to control plane traffic. To create a protocol-based CoPP service policy, you must first create a Layer 2, Layer 3, and/or an IPv6 ACL rule for specified protocol traffic.
Dell(conf-ip-acl-cpuqos)#permit bgp
Dell(conf-ip-acl-cpuqos)#exit
Dell(conf)#mac access-list extended lacp cpu-qos
Dell(conf-mac-acl-cpuqos)#permit lacp
Dell(conf-mac-acl-cpuqos)#exit
Dell(conf)#ipv6 access-list ipv6-icmp cpu-qos
Dell(conf-ipv6-acl-cpuqos)#permit icmp
Dell(conf-ipv6-acl-cpuqos)#exit
Dell(conf)#ipv6 access-list ipv6-vrrp cpu-qos
Dell(conf-ipv6-acl-cpuqos)#permit vrrp
Dell(conf-ipv6-acl-cpuqos)#exit
Example of Creating a QoS Rate-Limiting Input Policy
Dell(conf)#qos-policy-in rate_limit_200k
To create a queue-based CoPP service policy, you must create a QoS input policy with rate limiting, associate it with a control-plane queue in a QoS policy map, and apply the complete queue-based rate-limiting configuration to control-plane traffic.
1. Create a QoS input policy and configure a rate limit.
CONFIGURATION mode
qos-policy-input name cpu-qos
rate-police [rate-kbps] [burst-kbytes] peak [rate-kbps] [burst-kbytes]
2.
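What a rate-police action on a CPU queue does to a stream of control-plane packets, shown as an added example with a token-bucket policer; this is illustration code, not Dell Networking OS code. The bucket refills at the configured rate-kbps and holds at most burst-kbytes, and a packet that arrives when fewer tokens than its length remain is dropped. Treating 1 kbyte as 1000 bytes, dropping (rather than queueing) non-conforming packets, the 200 kbps / 1 kbyte setting and the constructed 64-byte packet streams are assumptions of this example; the kbps-to-pps helper reproduces the 64-byte-average conversion the note above describes for other Dell switches.

```python
"""Token-bucket model of a CoPP rate-police action on a CPU queue.

Added illustration, not Dell Networking OS code.  Assumes 1 kbyte = 1000 bytes
and that non-conforming packets are dropped; the traffic below is constructed.
"""


class RatePolicer:
    """Single-rate, single-bucket policer: rate in kbps, burst in kbytes."""

    def __init__(self, rate_kbps, burst_kbytes):
        self.refill_bytes_per_s = rate_kbps * 1000 / 8   # kilobits per second -> bytes per second
        self.depth = burst_kbytes * 1000                  # bucket depth in bytes (assumed 1 kB = 1000 B)
        self.tokens = float(self.depth)                   # a fresh bucket starts full
        self.last_t = 0.0
        self.conformed = 0
        self.dropped = 0

    def offer(self, t, length):
        """Offer a packet of `length` bytes at time t (seconds); True if it conforms."""
        elapsed = t - self.last_t
        self.tokens = min(self.depth, self.tokens + elapsed * self.refill_bytes_per_s)
        self.last_t = t
        if length <= self.tokens:
            self.tokens -= length
            self.conformed += 1
            return True
        self.dropped += 1                                 # excess control-plane traffic never reaches the CPU
        return False


def kbps_to_pps(rate_kbps, avg_packet_bytes=64):
    """Packets-per-second equivalent of a kbps rate for a fixed average packet size."""
    return rate_kbps * 1000 / (avg_packet_bytes * 8)


def police(rate_kbps, burst_kbytes, packets):
    """Run (time_s, length_bytes) packets through one policer; return (conformed, dropped)."""
    policer = RatePolicer(rate_kbps, burst_kbytes)
    for t, length in packets:
        policer.offer(t, length)
    return policer.conformed, policer.dropped


# Constructed traffic: 40 ARP-sized (64-byte) packets, once as an instantaneous burst
# and once paced 10 ms apart.
BURST = [(0.0, 64)] * 40
PACED = [(i * 0.01, 64) for i in range(40)]


if __name__ == "__main__":
    print("200 kbps, 1 kbyte burst, 40-packet burst :", police(200, 1, BURST))
    print("200 kbps, 1 kbyte burst, paced 10 ms    :", police(200, 1, PACED))
    print("1 kbps at 64-byte packets ~", kbps_to_pps(1), "pps")
```

At 200 kbps the bucket refills at 25 kbytes per second, so the paced stream (6.4 kbytes per second) conforms entirely, while the instantaneous burst is cut off once the 1 kbyte of tokens is spent: 15 packets pass and 25 are dropped. The burst size is therefore what bounds how many packets a sudden flood can push toward the CPU before the rate takes over.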
Displaying CoPP Configuration
The CLI provides show commands to display the protocol traffic assigned to each control-plane queue and the current rate limit applied to each queue. Other show commands display statistical information for troubleshooting CoPP operation.
Viewing Queue Rates
To view the rates that are currently applied on each control-plane queue, use the show cpu-queue rate [all | queueid id | range from-queue to-queue] command.
--------------
TCP (BGP)      any/179   179/any   _   Q15   RP   2500
UDP (DHCP)     67/68     68/67     _   Q7    CP   1200
UDP (DHCP-R)   67        67        _   Q7    CP   1200
TCP (FTP)      any       21        _   Q4    CP   400
ICMP           any       any       _   Q6    CP   300
IGMP           any       any       _   Q14   RP   300
TCP (MSDP)     any/639   639/any   _   Q14   RP   100
UDP (NTP)      any       123       _   Q4    CP   200
OSPF           any       any       _   Q15   RP   2500
PIM            any       any       _   Q14   RP   300
UDP (RIP)      any       520       _   Q15   RP   200
TCP (SSH)      any       22        _   Q4    CP   400
TCP (TELNET)   any       23        _   Q4    CP   400
VRRP           any       any       _   Q15   RP   400
Viewing IPv6 Protocol-Queue Mapp
v6 VRRP MLD v6 MULTICAST CATCH ALL v6 ICMP NA v6 ICMP RA v6 ICMP NS v6 ICMP RS v6 ICMP BGP OSPF RIP VRRP ICMP IGMP PIM MSDP BFD 802.
NOTE: You must manually enable the collection of CPU traffic statistics with the debug cpu-traffic-stats command before the statistics appear in show cpu-traffic-stats output. It is recommended that when you finish CoPP troubleshooting, you disable the collection of CPU traffic statistics by entering the no debug cpu-traffic-stats command.
Viewing CPU Traffic Statistics
To view the statistics collected on CPU traffic, use the show cpu-traffic-stats [cp | rp | linecard {0–2} | all] command.
Stage InPorts DATA=0x0000000000000000000000000000000000000000000000000000222222222222 MASK=0x0000000000000000000000000000000000000000000000000000222222222223 DstMac Offset: 88 Width: 48 DATA=0x00000180 c200000e MASK=0x0000ffff ffffffff action={act=DropPrecedence, param0=1(0x1), param1=0(0), param2=0(0), param3=0(0)} action={act=Drop, param0=0(0), param1=0(0), param2=0(0), param3=0(0)} action={act=CosQCpuNew, param0=1(0x1), param1=0(0), param2=0(0), param3=0(0)} action={act=CopyToCpu, param0=1(0x1), param1=2
######################## FP Entry
OSPF 0 v6 OSPF 0 RIP 0 VRRP 0 v6 VRRP 0 IGMP 0 PIM 0 NTP 0 MULTICAST CATCH ALL 0 v6 MULTICAST CATCH ALL 0 DHCP RELAY/DHCP 0 v6 ICMP NA/v6 ICMP RA 0 v6 ICMP NS/v6 ICMP RS 0 v6 ICMP/ICMP 0 MLD 0 MSDP 0 FTP/TELNET/SSH/L3 LOCAL TERMINATED 0 L3 UNKNOWN/UNRESOLVED ARP 0 iSCSI 0 FCoE 0 SFLOW 0 VLT CTRL/VLT IPM PDU 0 HYPERPULL 0 OPENFLOW 0 L2 DST HIT/BROADCAST 0 VLT TTL1/TRACEFLOW/TTL0/ 0 STATION MOVE/TTL1/IP OPTION/L3 MTU FAIL/SOURCE MISS 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
VLT TTL1                       0        0        0
HYPERPULL                      0        0        0
OPENFLOW                       0        0        0
FEFD                           0        0        0
TRACEFLOW                      0        0        0
FCoE                           0        0        0
SFLOW                          0        0        0
L3 LOCAL TERMINATED            0        0        0
L3 UNKNOWN/UNRESOLVED ARP      0        0        0
L2 DST HIT/BROADCAST           0        0        0
MULTICAST CATCH ALL            0        0        0
v6 MULTICAST CATCH ALL         12600    12600    0
L3 HEADER ERROR/TTL0           0        0        0
IP OPTION/TTL1                 0        0        0
L3 MTU FAIL                    0        0        0
SOURCE MISS                    0        0        0
STATION MOVE                   0        0        0
TX ENTRY                       887040   887040   0
DROP ENTRY                     0        0        0
To clear the per-protocol counters of rate-limited control-plane traffic at the aggregated (switch) or line card and po
Q13   0         0         0
Q14   1160300   1160300   0
Q15   8515864   8515864   0
Q16   0         0         0
Q17   0         0         0
Q18   0         0         0
Q19   0         0         0
Q20   0         0         0
Q21   0         0         0
Q22   1157004   1157004   0
Q23   0         0         0
To clear the per-queue counters of rate-limited traffic at the aggregated (switch) or individual queue level, use the clear control-traffic queue {all | queue-id queue-number} counters command; for example:
Dell#clear control-traffic queue queue-id 2 counters
Dell#
12 Data Center Bridging (DCB) NOTE: Data center bridging (DCB) is enabled in Z9500 switch.
LAN traffic LAN traffic consists of many flows that are insensitive to latency requirements, while certain applications, such as streaming video, are more sensitive to latency. Ethernet functions as a best-effort network that may drop packets in the case of network congestion.
In the Dell Networking OS, PFC is implemented as follows: ● PFC supports buffering to receive data that continues to arrive on an interface while the remote system reacts to the PFC operation. ● PFC uses DCB MIB IEEE 802.1azd2.5 and PFC MIB IEEE 802.1bb-d2.2. ● PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface.
Table 9. ETS Traffic Groupings (continued) Traffic Groupings Description Group bandwidth Percentage of available bandwidth allocated to a priority group. Group transmission selection algorithm (TSA) Type of queue scheduling a priority group uses. In Dell Networking OS, ETS is implemented as follows: ● ETS supports groups of 802.1p priorities that have: ○ PFC enabled or disabled ○ No bandwidth limit or no ETS processing ● ETS uses the DCB MIB IEEE 802.1azd2.5.
Enabling Data Center Bridging
DCB is automatically configured when you configure FCoE or iSCSI optimization.
Data center bridging supports converged enhanced Ethernet (CEE) in a data center network. DCB is disabled by default. It must be enabled to support CEE.
● Priority-based flow control
● Enhanced transmission selection
● Data center bridging exchange protocol
● FCoE initialization protocol (FIP) snooping
DCB processes virtual local area network (VLAN)-tagged packets and dot1p priority values.
dot1p Value in the Incoming Frame   Egress Queue Assignment
7                                   7
SNMP Support for PFC and Buffer Statistics Tracking
The Buffer Statistics Tracking (BST) feature provides a mechanism to aid in resource monitoring and tuning of buffer allocation. The support for Max Use Count mode in Buffer Statistics is introduced in Dell Networking OS 9.3(0.). Max Use Count mode provides the maximum value of the counters accumulated over a period of time.
Afterwards, you can configure either the peak rates or the committed rates. The bandwidth allocated to other priority groups is made available and allocated according to the specified percentages. If a priority group does not use its allocated bandwidth, the unused bandwidth is made available to other priority groups. ● Repeat the above procedure to configure PFC and ETS traffic handling for each priority group ● Specify the dot1p priority-to-priority group mapping for each priority.
Configuring PFC without a DCB Map In a network topology that uses the default ETS bandwidth allocation (assigns equal bandwidth to each priority), you can also enable PFC for specific dot1p-priorities on individual interfaces without using a DCB map. This type of DCB configuration is useful on interfaces that require PFC for lossless traffic, but do not transmit converged Ethernet traffic. Step Task Command Command Mode 1 Enter interface configuration mode on an Ethernet port.
Step   Task                                                                                  Command                          Command Mode
4      Return to interface configuration mode.                                               exit                             DCB MAP
5      Apply the DCB map, created to disable the PFC operation, on the interface.            dcb-map {name | default}         INTERFACE
6      Configure the port queues that still function as no-drop queues for lossless          pfc no-drop queues queue-range   INTERFACE
       traffic. For the dot1p-queue assignments, refer to the dot1p Priority-Queue
       Assignment table.
The maximum number of lossless queues globally supported on a port is 2.
When traffic congestion occurs, PFC sends a pause frame to a peer device with the CoS priority values of the traffic that needs to be stopped. DCBx provides the link-level exchange of PFC parameters between peer devices. PFC allows network administrators to create zero-loss links for SAN traffic that requires no-drop service, while at the same time retaining packet-drop congestion management for LAN traffic. On a Z9500 switch, PFC is enabled by default on Ethernet ports (pfc mode on command).
ETS Configuration Notes
ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs. Using ETS, you can create groups within an 802.1p priority class to configure different treatment for traffic with different bandwidth, latency, and best-effort needs.
● The maximum number of priority groups supported in a DCB map on an interface is equal to the number of data queues (4) on the port. Each priority group can support more than one data queue. ● You can enable PFC on a maximum of two priority queues on an interface. ● If you configure more than one priority group as strict priority, the higher numbered priority queue is given preference when scheduling data traffic.
Lossless traffic egresses out the no-drop queues. Ingress dot1p traffic from PFC-enabled interfaces is automatically mapped to the no-drop egress queues. 1. Enter INTERFACE Configuration mode. CONFIGURATION mode interface type slot/port 2. Configure the port queues that will still function as no-drop queues for lossless traffic. INTERFACE mode pfc no-drop queues queue-range For the dot1p-queue assignments, refer to the dot1p Priority-Queue Assignment table.
dcb-map dcb-map-name The dcb-map-name variable can have a maximum of 32 characters. 2. Create an ETS priority group. CONFIGURATION mode priority-group group-num {bandwidth bandwidth | strict-priority} pfc off The range for priority group is from 0 to 7. Set the bandwidth in percentage. The percentage range is from 1 to 100% in units of 1%. Committed and peak bandwidth is in megabits per second. The range is from 0 to 40000. Committed and peak burst size is in kilobytes. Default is 50.
○ The CIN version supports two types of strict-priority scheduling:
■ Group strict priority: Use this to increase its bandwidth usage to the bandwidth total of the priority group and allow a single priority flow in a priority group. A single flow in a group can use all the bandwidth allocated to the group.
■ Link strict priority: Use this to increase to the maximum link bandwidth and allow a flow in any priority group.
CIN supports only the dot1p priority-queue assignment in a priority group.
Applying DCB Policies on SFM Ports
To apply DCB configuration on SFM ports, follow these steps.
Configure DCB-MAP on backplane ports in both leaf and spine.
CONFIGURATION Mode
dcb-map sfm all backplane all dcb-map-name
The default is none.
If you apply a DCB Map with PFC disabled (no pfc mode on):
● You can enable link-level flow control on the interface (refer to Using Ethernet Pause Frames). To delete the input policy, first disable link-level flow control.
overwrites its local configuration with the new parameter values. When an auto-upstream port (besides the configuration source) receives and overwrites its configuration with internally propagated information, one of the following actions is taken: ● If the peer configuration received is compatible with the internally propagated port configuration, the link with the DCBx peer is enabled.
port, the auto-upstream and auto-downstream ports use the internally propagated PFC priorities to match against the received application priority. Otherwise, these ports use their locally configured PFC priorities in application priority TLVs. ○ If no configuration source is configured, auto-upstream and auto-downstream ports check to see that the locally configured PFC priorities match the priorities in a received application priority TLV.
NOTE: DCB configurations internally propagated from a configuration source do not overwrite the configuration on a DCBx port in a manual role. When a configuration source is elected, all auto-upstream ports other than the configuration source are marked as willing disabled. The internally propagated DCB configuration is refreshed on all auto-configuration ports and each port may begin configuration negotiation with a DCBx peer again.
Expected PFC Priority   1   2
To configure the aforementioned DSCP and PFC priority values, perform the following tasks:
1. Create class-maps to group the DSCP subsets.
class-map match-any dscp-pfc-1
match ip dscp 0-5,10-15
!
class-map match-any dscp-pfc-2
match ip dscp 20-25,30-35
2. Associate the above class-maps to queues. Queue assignment is based on the table below (this internal table has been modified for the Z9500 platform).
Table 10.
Figure 28. DCBx Sample Topology DCBx Prerequisites and Restrictions The following prerequisites and restrictions apply when you configure DCBx operation on a port: ● For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
The default is Auto.
4. Configure the DCBx port role the interface uses to exchange DCB information.
PROTOCOL LLDP mode
[no] DCBx port-role {config-source | auto-downstream | auto-upstream | manual}
● auto-upstream: configures the port to receive a peer configuration. The configuration source is elected from auto-upstream ports.
● auto-downstream: configures the port to accept the internally propagated DCB configuration from a configuration source.
● auto: configures all ports to operate using the DCBx version received from a peer.
● cee: configures a port to use CEE (Intel 1.01).
● cin: configures a port to use Cisco-Intel-Nuova (DCBx 1.0).
● ieee-v2.5: configures a port to use IEEE 802.1Qaz (Draft 2.5).
The default is Auto.
NOTE: To configure the DCBx port role the interfaces use to exchange DCB information, use the DCBx port-role command in INTERFACE Configuration mode (Step 3).
4.
DCBx Error Messages The following syslog messages appear when an error in DCBx operation occurs. LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface. LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface. DSM_DCBx_PEER_VERSION_CONFLICT: A local port expected to receive the IEEE, CIN, or CEE version in a DCBx TLV from a remote peer but received a different, conflicting DCBx version.
Table 11. Displaying DCB Configurations (continued)
Command                                                        Output
show dcb [linecard {all | unit-number}] [sfm {all | unit-number}]   Displays the data center bridging status, number of PFC-enabled ports, and number of PFC-enabled queues. You can optionally specify the linecard or SFM number. The range for line card is from 0 to 3 and for SFM is from 0 to 5.
show qos priority-groups                                       Displays the ETS priority groups configured on the switch, including the 802.1p priority classes and ID of each group.
State :Complete PfcMode:ON
-------------------
PG:0 TSA:ETS BW:50 PFC:OFF
Priorities:0 1 2 5 6 7
PG:1 TSA:ETS BW:50 PFC:ON
Priorities:3 4
The following example shows the show interfaces pfc summary command.
Table 12. show interface pfc summary Command Description (continued)
Fields
    Description
Remote is enabled; Priority list
    Operational status (enabled or disabled) of peer device for DCBx exchange of PFC configuration with a list of the configured PFC priorities.
Remote Willing Status is enabled
    Willing status of peer device for DCBx exchange (Willing bit received in PFC TLV): enabled or disabled.
0 1 2 3 4 5 6 7
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
The following example shows the show interface ets summary command.
4          0%   ETS
5          0%   ETS
6          0%   ETS
7          0%   ETS
Priority#  Bandwidth  TSA
0          13%  ETS
1          13%  ETS
2          13%  ETS
3          13%  ETS
4          12%  ETS
5          12%  ETS
6          12%  ETS
7          12%  ETS
Remote Parameters:
------------------
Remote is disabled
Local Parameters :
-----------------
Local is enabled
TC-grp  Priority#         Bandwidth  TSA
0       0,1,2,3,4,5,6,7   100%       ETS
1                         0%         ETS
2                         0%         ETS
3                         0%         ETS
4                         0%         ETS
5                         0%         ETS
6                         0%         ETS
7                         0%         ETS
Priority#  Bandwidth  TSA
0          13%  ETS
1          13%  ETS
2          13%  ETS
3          13%  ETS
4          12%  ETS
5          12%  ETS
6          12%  ETS
7          12%  ETS
Oper status is init
Conf TLV Tx Status
Local is enabled
PG-grp  Priority#        BW-%  BW-COMMITTED            BW-PEAK                 TSA
                         %     Rate(Mbps)  Burst(KB)   Rate(Mpbs)  Burst(KB)
--------------------------------------------------------------------------------
0       0,1,2,4,5,6,7    50    400         100         4000        400         ETS
1       3                50    -           -                                   ETS
2                        -     -           -
3                        -     -           -
4                        -     -           -
5                        -     -           -
6                        -     -           -
7                        -     -           -
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic
Table 13. show interface ets detail Command Description (continued)
Field
    Description
ETS TLV Statistic: Input Conf TLV pkts
    Number of ETS Configuration TLVs received.
ETS TLV Statistic: Output Conf TLV pkts
    Number of ETS Configuration TLVs transmitted.
ETS TLV Statistic: Error Conf TLV pkts
    Number of ETS Error Configuration TLVs received.
The following example shows the show linecard 2 port-set 0 backplane all pfc details command.
2 3 4 5 6 7 - -
The following example shows the show interface DCBx detail command (IEEE).
Total DCBx Frame errors 0
Total DCBx Frames unrecognized 0
The following table describes the show interface DCBx detail command fields.
Table 14. show interface DCBx detail Command Description
Field
    Description
Interface
    Interface type with chassis slot and port number.
Port-Role
    Configured DCBx port role: auto-upstream, auto-downstream, config-source, or manual.
Generation of PFC for a Priority for Untagged Packets
To generate PFC for a particular priority for untagged packets, configure PFC for that priority, find the queue number associated with the priority in the following priority-to-queue mapping table, and associate a DCB map that forwards the matched DSCP packets to that queue. PFC frames are generated with the PFC priority associated with the queue when that queue becomes congested.
Table 15. Priority to Queue Mapping
Internal priority   0  1  2  3  4  5  6  7
Queue               2  0  1  3  4  5  6  7
Default dot1p to queue configuration is as follows:
Table 16. Dot1p to Queue Mapping
Packet Dot1p        0  1  2  3  4  5  6  7
Queue               2  0  1  3  4  5  6  7

PFC and ETS Configuration Examples
This section contains examples of how to configure and apply DCB policies on an interface.
Figure 29. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic
QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
The following describes the priority group-bandwidth assignment.
Priority Group   Bandwidth Assignment
IPC              5%
SAN              50%
LAN              45%

PFC and ETS Configuration Command Examples
The following examples show PFC and ETS configuration commands to manage your data center traffic.
● If priority group 1 or 2 has free bandwidth, (20 + 30)% of the free bandwidth is distributed to priority group 3. Priority groups 1 and 2 retain whatever free bandwidth remains up to the (20 + 30)%.
Strict-priority groups: If two priority groups have strict-priority scheduling, traffic assigned from the priority group with the higher priority-queue number is scheduled first.
By default, the total buffer available for PFC is 6.6 MB; when you configure dynamic ingress buffering, a minimum of 52 KB per queue is used when all ports are congested. By default, the system enables a maximum of 1 lossless queue on the Z9500 platform. This default behavior changes if you modify the total buffer available for PFC or assign static buffer configurations to the individual PFC queues.
CONFIGURATION mode
dcb pfc-shared-buffer-size buffer-size sfm all
12. Configure the global shared buffer size on line cards.
CONFIGURATION mode
dcb pfc-shared-buffer-size buffer-size linecard {linecard-number | all} [port-set {portpipe | all}]

Sample Configurations
Figure 30.
 Description Link to RoCE Adapter in Blade Server
 no ip address
 mtu 12000
 portmode hybrid
 switchport
 no spanning-tree
 !
 protocol lldp
  dcbx port-role auto-downstream
 no shutdown
!
interface fortyGigE 0/33
 Description "To S4810s"
 no ip address
 mtu 12000
 !
 port-channel-protocol LACP
  port-channel 1 mode active
 !
 protocol lldp
  no advertise dcbx-tlv ets-reco
  dcbx port-role auto-upstream
 no shutdown

S4810 1 and S4810 2, VLT, RoCE, and iSCSI
!
dcb enable
iscsi enable
!
dcb-map converged
 Description DCB map for S4810
 mtu 12000
 channel-member fortyGigE 0/56
 no shutdown
interface fortyGigE 0/56
 no ip address
 mtu 12000
 dcb-map Converged
 protocol lldp
 no shutdown

S4810 2
vlt domain 2
 peer-link port-channel 128
 back-up destination
interface Port-channel 128
 no ip address
 mtu 12000
 channel-member fortyGigE 0/56
 no shutdown
interface fortyGigE 0/56
 no ip address
 mtu 12000
 dcb-map Converged
 protocol lldp
 no shutdown
 Description From MXL-B1
 no ip address
 mtu 12000
 dcb-map RoCE
 !
 port-channel-protocol LACP
  por
 Description SOFS- iSCSI
 no ip address
 mtu 12000
 portmode hybrid
 switchport
 spanning-tree rstp edge-port
 spanning-tree 0 portfast
 dcb-map iSCSI
 !
 protocol lldp
 no shutdown
13 Debugging and Diagnostics
This chapter describes the debugging and diagnostics tasks you can perform on the switch.
Topics:
• Offline Diagnostics
• TRACE Logs
• Last Restart Reason
• show hardware Commands
• Environmental Monitoring
• Troubleshooting Packet Loss
• Accessing Application Core Dumps
• Mini Core Dumps
• Full Kernel Core Dumps
• Enabling TCP Dumps

Offline Diagnostics
The offline diagnostics test suite is useful for isolating faults and debugging hardware.
issued.
Proceed with Offline [confirm yes/no]:
2. Verify the offline status of the switch.
EXEC Privilege mode
show system brief
3. Start diagnostics on the switch.
diag system unit
When the tests complete, the system displays a syslog message:
00:13:17 : Diagnostic test results are stored on file: flash:/TestReport-LP-0.txt
00:13:19 : Diagnostic test results are stored on file: flash:/TestReport-LP-1.txt
00:13:20 : Diagnostic test results are stored on file: flash:/TestReport-LP-2.
00:10:30: %SYSTEM:CP %IFMGR-1-DEL_PORT: Removed port: Fo 0/0-44,
00:10:30: %SYSTEM:CP %CHMGR-2-UNIT_DOWN: linecard 1 down - linecard offline
00:10:30: %SYSTEM:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 1/0
00:10:30: %SYSTEM:CP %IFMGR-1-DEL_PORT: Removed port: Fo 1/0-44,
00:10:30: %SYSTEM:CP %CHMGR-2-UNIT_DOWN: linecard 2 down - linecard offline
00:10:30: %SYSTEM:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 2/0
00:10:30: %SYSTEM:CP %IFMGR-1-DEL_PORT: Remov
Dell# dir
Directory of flash:
[directory listing: 24 entries with permissions, size and date columns]
fabricIdTest ................................................ PASS
fabricPllStatusTest ......................................... PASS
Starting test: fanTest ......
+Fan tray[0] Sanity test PASS
+Fan tray[1] Sanity test PASS
+Fan tray[2] Sanity test PASS
+Fan tray[3] Sanity test PASS
+Fan tray[4] Sanity test PASS
fanTest ..................................................... PASS
Starting test: fpgaTest ......
PSU[3] sensor[1] temperature 30.0 C
PSU[3] sensor[2] temperature 21.0 C
Ethernet MAC temperature 48.0 C
temperatureTest ............................................. PASS
Starting test: triumphAccessTest ......
+ Access Test for unit 6 : PASSED
triumphAccessTest ........................................... PASS
triumphPllStatusTest ........................................ PASS
Starting test: usbTest ......
-USB "/dev/rsd0d" is not plugged/mounted/formatted; test SKIPPED
usbTest ..............................
Total        : 26
Passed       : 25
Failed       : 1
Elapsed time : 00H:05M:21S
Stop reason  : after completion
------ Failed tests (level, times) ------
psuTest (0, 1)

Sample Test Log for Line-Card CPU: TestReport-LP-0.txt
Example of a Test Log for Line-Card CPU 0: TestReport-LP-0.txt
Dell#show file flash://TestReport-LP-0.txt
DELL DIAGNOSTICS-Z9500-CP00
        PPID  PPID Rev  Service Tag  Part Number  Part Number Revision  SW Version
-------
[0]     NA    NA        NA           NA           NA                    9.2(1.
Starting test: portcardXELinkStatusTest ......
+ XE Link Status Test for unit 0 (Portcard 0): PASSED
+ XE Link Status Test for unit 1 (Portcard 1): PASSED
ERROR: Unit 2 (Portcard 2): XE 11 is DOWN
+ XE Link Status Test for unit 2 (Portcard 2): FAILED
portcardXELinkStatusTest ....................................
qsfpOpticsTest ..............................................
qsfpPhyTest .................................................
qsfpPresenceTest ............................................
rtcTest .....
Port card[0]: Average temperature 38.3 C, maximum 41.1 C
Port card[1]: Average temperature 40.5 C, maximum 43.3 C
Port card[2]: Average temperature 42.8 C, maximum 44.9 C
Ethernet MAC temperature 45.0 C
temperatureTest ............................................. PASS
LEVEL 1 DIAGNOSTIC
eepromTest ..................................................
i2cTest .....................................................
macPhyRegTest ...............................................
Starting test: partyLinkStatusTest ..
Last Restart Reason If a switch restarted for some reason (automatically or manually), the show system command output includes the reason for the restart. The following table shows the reasons displayed in the output and their corresponding causes.
show hardware linecard {0-2} unit {0-3} counters
● Display the details of the FP devices and HiGig ports on a port-pipe unit on a line card.
show hardware linecard {0-2} unit {0-3} details
● Execute a specified bShell command from the CLI without going into the bShell.
show hardware linecard {0-2} unit {0-3} execute-shell-cmd {command}
● Display the Multicast IPMC replication table from the bShell.
-- Power Supplies --
Unit  Bay  Status  Type  FanStatus  FanSpeed(rpm)  Power Usage (W)
----------------------------------------------------------------------------
0     0    down    AC    up         1376           0.0
0     1    up      AC    up         18848          666.0
0     2    down    AC    up         1312           0.0
0     3    up      AC    up         18880          643.0
When an under-voltage condition occurs on a power supply (for example, a power cable is removed):
● A Syslog message is displayed to inform you that the power supply is down.
Display Transceiver Type To monitor the types of transceivers installed in switch ports, use the show inventory media command.
[show inventory media output: 14 QSFP entries]
Length(SFM) Km = 0x0a
Length(OM3) 2m = 0x00
Length(OM2) 1m = 0x00
Length(OM1) 1m = 0x00
Length(Copper) 1m = 0x00
Vendor Rev = X
Laser Wavelength = 1301.
S3   50   45   50   45   N/A
S4   40   35   40   35   N/A
S5   50   45   50   45   N/A
S6   67   62   67   62   N/A
S7   68   63   68   63   N/A
S8   66   61   66   61   N/A
S9   66   61   66   61   N/A
-- Switching Core --
-- Temperature Limits (deg C) --
---------------------------------------------------------------------------
     Minor  Minor Off  Major  Major Off  Shutdown
S0   93     86         100    95         105
S1   93     86         100    95         105
S2   93     86         100    95         105
S3   93     86         100    95         105
S4   93     86         100    95         105
S5   93     86         100    95         105
-- Port Modules --
-- Temperature Limits (deg C) --
-----------------------------------------
The following examples display over-temperature event messages. Note that although the minimum speed for system fans is 40% of full speed, the corresponding power-supply fan speed is 60% of full speed.
● clear hardware cp cpu {data-plane | i2c | sata-interface} statistics
● clear hardware rp cpu {data-plane | i2c | sata-interface} statistics
● clear hardware sfm sfm-unit-num counters
● clear hardware cp-switch counters

Displaying Drop Counters
To display drop counters, use the show hardware linecard drops commands.
● Identify the line card, port pipe, and port that is experiencing internal drops.
show hardware linecard {0–2} drops [unit {0–3} [port {1–104}]]
● Display drop counters.
[show hardware linecard drops output: Internal drop counters for ports 53 through 61, all 0]

Displaying Dataplane Statistics
The show hardware linecard {0–2} cpu data-plane statistics command provides information about the packet types entering a line-card CPU.
Oversize frames recvd = 0
Fragments = 0
Jabber = 0
Dropped Frames = 0
Under/oversized frames = 0
FLR frames = 0
RCDE frames = 0
RCSE frames = 0
Dell#show hardware party-bus port 0 statistics
Party Bus Transmit Counters for port 0:
Tx Octets = 350320163
Tx Drop Packets = 0
tx_q0_pkts = 597876
tx_q1_pkts = 0
tx_q2_pkts = 0
tx_q3_pkts = 0
tx_q4_pkts = 0
tx_q5_pkts = 0
tx_broad_pkts = 114500
tx_multi_pkts = 7422
tx_uni_pkts = 475954
tx_pause_pkts = 0
tx_cols = 0
tx_single_cols = 0
tx_multi_cols = 0
tx_late_cols
PERQ_BYTE(0).cpu0
PERQ_BYTE(41).cpu0
PERQ_DROP_PKT(0).cpu0
PERQ_DROP_PKT(41).cpu0
PERQ_DROP_BYTE(0).cpu0
PERQ_DROP_BYTE(41).cpu0
QUEUE_PEAK(0).cpu0
QUEUE_PEAK(41).cpu0
RUC.xe0
RDBGC0.xe0
RDBGC5.xe0
ING_NIV_RX_FRAMES.xe0
TDBGC3.xe0
TDBGC6.xe0
TDBGC10.xe0
R127.xe0
RPKT.
timestamp is a text string in the format: yyyyddmmhhmmss (YearDayMonthHourMinuteSecond). The panic string contains key information regarding the crash. Several panic string types exist, and are displayed in normal English text to enable easier understanding of the crash cause.
14 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network endstations (hosts) based on configuration policies determined by network administrators.
Option               Number and Description
Subnet Mask          Option 1. Specifies the client's subnet mask.
Router               Option 3. Specifies the router IP addresses that may serve as the client's default gateway.
Domain Name Server   Option 6. Specifies the domain name servers (DNSs) that are available to the client.
Domain Name          Option 15. Specifies the domain name that clients should use when resolving hostnames via DNS.
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters. Multiple servers might respond to a single DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer.
3. The client broadcasts a DHCPREQUEST message in response to the offer, requesting the offered values.
4.
pools can be configured. The maximum subnet that can be configured for a single pool is /17. The system displays an error message for configurations that exceed the allocated memory.
● The Z9500 switch supports 4K DHCP Snooping entries.
● All platforms support Dynamic ARP Inspection on 16 VLANs per system. For more information, refer to Dynamic ARP Inspection.
The prefix-length range is from 17 to 31.
4. Display the current pool configuration.
DHCP mode
show config
After an IP address is leased to a client, only that client may release the address. The system performs an IP + MAC source address validation to ensure that no client can release another client's address. This validation is a default behavior and is separate from the IP+MAC source address validation (SAV) feature.
Configure a Method of Hostname Resolution
Dell Networking systems are capable of providing DHCP clients with parameters for two methods of hostname resolution: using DNS or NetBIOS WINS.

Using DNS for Address Resolution
A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses.
1. Create a domain.
DHCP mode
domain-name name
2. Specify in order of preference the DNS servers that are available to a DHCP client.
Debugging the DHCP Server
To debug the DHCP server, use the following command.
● Display debug information for the DHCP server.
EXEC Privilege mode
debug ip dhcp server [events | packets]

Using DHCP Clear Commands
To clear DHCP binding entries, address conflicts, and server counters, use the following commands.
● Clear DHCP binding entries for the entire binding table.
EXEC Privilege mode
clear ip dhcp binding
● Clear a DHCP binding entry for an individual IP address.
EXEC Privilege mode
Figure 33. Configuring a Relay Agent
To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC Privilege mode.
Example of the show ip interface Command
R1_E600#show ip int gig 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1
                  192.168.0.
Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: ● The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (OS version and a configuration file). BMP is enabled as a factory-default setting on a switch.
DHCP Snooping
A DHCP client can run on a switch simultaneously with the DHCP snooping feature as follows:
● If you enable DHCP snooping globally on a switch and you enable a DHCP client on an interface, the trust port, source MAC address, and snooping table validations are not performed on the interface by DHCP snooping for packets destined to the DHCP client daemon. The following criteria determine packets destined for the DHCP client:
○ DHCP is enabled on the interface.
The server echoes the option back to the relay agent in its response, and the relay agent can use the information in the option to forward a reply out the interface on which the request was received rather than flooding it on the entire VLAN. The relay agent strips Option 82 from DHCP responses before forwarding them to the client. To insert Option 82 into DHCP packets, follow this step.
● Insert Option 82 into DHCP packets.
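The relay-agent behaviour just described, as an added example that is not part of the Dell guide: a minimal parser and builder for the DHCP options field that inserts Option 82 (RFC 3046 Agent Circuit ID and Agent Remote ID sub-options) into a client request and strips it from the server reply before it is forwarded to the client. The option bytes, circuit ID and remote ID are constructed sample values; the helper names are this example's own.

```python
# Added example (not Dell's code): DHCP Option 82 handling as a relay agent
# would perform it. All sample bytes below are constructed.
OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82
OPT_END = 255
SUB_CIRCUIT_ID = 1   # RFC 3046 Agent Circuit ID sub-option
SUB_REMOTE_ID = 2    # RFC 3046 Agent Remote ID sub-option


def parse_tlvs(data: bytes, allow_end: bool) -> list:
    """Parse code/length/value records. The outer options field is terminated
    by END and may contain PAD bytes; Option 82 sub-options have neither.
    A truncated record raises, so a malformed packet is rejected, not trusted."""
    out, i = [], 0
    while i < len(data):
        code = data[i]
        if allow_end and code == OPT_END:
            return out
        if allow_end and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, %d present" % (code, length, len(value)))
        out.append((code, value))
        i += 2 + length
    if allow_end:
        raise ValueError("options field has no END marker")
    return out


def serialize(tlvs: list, with_end: bool) -> bytes:
    """Inverse of parse_tlvs; enforces the one-byte length limit."""
    buf = bytearray()
    for code, value in tlvs:
        if len(value) > 255:
            raise ValueError("option %d value too long" % code)
        buf += bytes([code, len(value)]) + value
    if with_end:
        buf.append(OPT_END)
    return bytes(buf)


def insert_option_82(options: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Relay side, toward the server: record the receiving interface (circuit ID)
    and the relay's identity (remote ID). A client-supplied Option 82 is replaced
    here rather than trusted; dropping such packets instead is an equally valid policy."""
    tlvs = [t for t in parse_tlvs(options, True) if t[0] != OPT_RELAY_AGENT_INFO]
    sub = serialize([(SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)], False)
    tlvs.append((OPT_RELAY_AGENT_INFO, sub))
    return serialize(tlvs, True)


def strip_option_82(options: bytes) -> bytes:
    """Relay side, toward the client: remove Option 82 from the server reply."""
    return serialize([t for t in parse_tlvs(options, True)
                      if t[0] != OPT_RELAY_AGENT_INFO], True)


def relay_agent_info(options: bytes) -> dict:
    """Server side: read the sub-options the relay inserted (empty if none)."""
    for code, value in parse_tlvs(options, True):
        if code == OPT_RELAY_AGENT_INFO:
            return dict(parse_tlvs(value, False))
    return {}


# Constructed client DHCPDISCOVER options: message type 1, then END.
CLIENT_REQUEST = bytes([OPT_MSG_TYPE, 1, 1, OPT_END])
CIRCUIT_ID = b"Vlan100:Te1/1"                # constructed interface label
REMOTE_ID = bytes.fromhex("02aabbccddee")    # constructed relay identifier

if __name__ == "__main__":
    to_server = insert_option_82(CLIENT_REQUEST, CIRCUIT_ID, REMOTE_ID)
    print("relayed:", to_server.hex(), relay_agent_info(to_server))
    print("to client:", strip_option_82(to_server).hex())
```

The server-side view (relay_agent_info) is what lets a server or a log pipeline tie a lease to the port it was requested on, which is the forwarding and auditing benefit the text attributes to Option 82.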
Enabling IPv6 DHCP Snooping
To enable IPv6 DHCP snooping, use the following commands.
1. Enable IPv6 DHCP snooping globally.
CONFIGURATION mode
ipv6 dhcp snooping
2. Specify ports connected to IPv6 DHCP servers as trusted.
INTERFACE mode
ipv6 dhcp snooping trust
3. Enable IPv6 DHCP snooping on a VLAN or range of VLANs.
CONFIGURATION mode
ipv6 dhcp snooping vlan vlan-id

Adding a Static Entry in the Binding Table
To add a static entry in the binding table, use the following command.
● Display the contents of the binding table.
EXEC Privilege mode
show ip dhcp snooping
View the DHCP snooping statistics with the show ip dhcp snooping command.
Dell#show ip dhcp snooping
IP DHCP Snooping                    : Enabled.
IP DHCP Snooping Mac Verification   : Disabled.
IP DHCP Relay Information-option    : Disabled.
IP DHCP Relay Trust Downstream      : Disabled.
CONFIGURATION mode
ipv6 dhcp snooping verify mac-address

Drop DHCP Packets on Snooped VLANs Only
Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE. Line cards maintain a list of snooped VLANs. When the binding table fills, DHCP packets are dropped only on snooped VLANs, while such packets are forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made.
nine for DAI. L2Protocol can have a maximum of 100 entries; you must expand this region to capacity before you can increase the size of L2SystemFlow. This is relevant when you are enabling DAI on VLANs. If, for example, you want to enable DAI on 16 VLANs, you need seven more entries; in this case, reconfigure the SystemFlow region for 122 entries using the layer-2 eg-acl value fib value frrp value ing-acl value learn value l2pt value qos value system-flow 122 command.
Source Address Validation
Using the DHCP binding table, the system can perform three types of source address validation (SAV).
Table 18. Three Types of Source Address Validation
Source Address Validation
    Description
IP Source Address Validation
    Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
DHCP MAC Source Address Validation
    Verifies that a DHCP packet's source hardware address matches the client hardware address field (CHADDR) in the payload.
CONFIGURATION mode
cam-acl l2acl
2. Save the running-config to the startup-config.
EXEC Privilege mode
copy running-config startup-config
3. Reload the system.
EXEC Privilege mode
reload
4. Enable IP+MAC SAV.
INTERFACE mode
ip dhcp source-address-validation ipmac
The system creates an ACL entry for each IP+MAC address pair in the binding table and applies it to the interface.
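The three SAV checks in Table 18, plus the lease-release check described earlier in the DHCP server section, modelled in software as an added example (this is not Dell's implementation, and the switch performs these checks in hardware ACLs). Bindings, MAC addresses, ports and frames are constructed sample data; keying the binding lookup on port and VLAN in addition to IP and MAC, and the Frame/Binding field names, are this example's assumptions.

```python
# Added example (not Dell's code): a software model of the three source
# address validation (SAV) checks evaluated against a DHCP snooping binding
# table. All bindings, MACs and frames below are constructed sample data;
# the field names and the port/VLAN keying are assumptions of this example.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the lease a client obtained on a port."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class Frame:
    """The parts of a received frame that SAV looks at."""
    src_mac: str
    src_ip: str
    vlan: int
    port: str
    is_dhcp: bool = False
    chaddr: Optional[str] = None   # CHADDR field of a DHCP payload, if any
    dhcp_release: bool = False


def _mac(m: str) -> str:
    return m.lower()


def ip_sav(frame: Frame, table: list) -> bool:
    """IP SAV: forward only if the source IP was leased on this port and VLAN."""
    return any(b.ip == frame.src_ip and b.vlan == frame.vlan and b.port == frame.port
               for b in table)


def dhcp_mac_sav(frame: Frame) -> bool:
    """DHCP MAC SAV: a DHCP packet's Ethernet source MAC must equal its CHADDR.
    Frames that are not DHCP are not subject to this check."""
    if not frame.is_dhcp:
        return True
    return frame.chaddr is not None and _mac(frame.src_mac) == _mac(frame.chaddr)


def ipmac_sav(frame: Frame, table: list) -> bool:
    """IP+MAC SAV: the (source IP, source MAC) pair must be one binding on this
    port and VLAN. On the switch this is one ACL entry per binding pair."""
    return any(b.ip == frame.src_ip and _mac(b.mac) == _mac(frame.src_mac)
               and b.vlan == frame.vlan and b.port == frame.port
               for b in table)


def release_allowed(frame: Frame, table: list) -> bool:
    """Only the client holding a lease may release it: honour a DHCPRELEASE only
    when its sender passes the IP+MAC check for that lease."""
    return frame.is_dhcp and frame.dhcp_release and ipmac_sav(frame, table)


def evaluate(frame: Frame, table: list) -> dict:
    """Run every check and report which ones the frame passes."""
    return {
        "ip_sav": ip_sav(frame, table),
        "dhcp_mac_sav": dhcp_mac_sav(frame),
        "ipmac_sav": ipmac_sav(frame, table),
    }


# Constructed binding table, as DHCP snooping would have learned it.
TABLE = [
    Binding("10.1.1.10", "00:11:22:33:44:55", 100, "Te 1/1"),
    Binding("10.1.1.11", "00:11:22:33:44:66", 100, "Te 1/2"),
]

# Constructed frames: legitimate; a neighbour's IP; a neighbour's MAC; and a
# DHCP packet whose CHADDR disagrees with its Ethernet source MAC.
LEGIT = Frame("00:11:22:33:44:55", "10.1.1.10", 100, "Te 1/1")
WRONG_IP = Frame("00:11:22:33:44:55", "10.1.1.11", 100, "Te 1/1")
WRONG_MAC = Frame("00:11:22:33:44:66", "10.1.1.10", 100, "Te 1/1")
BAD_CHADDR = Frame("00:11:22:33:44:55", "0.0.0.0", 100, "Te 1/1",
                   is_dhcp=True, chaddr="00:11:22:33:44:66")

if __name__ == "__main__":
    for name, f in [("legit", LEGIT), ("wrong_ip", WRONG_IP),
                    ("wrong_mac", WRONG_MAC), ("bad_chaddr", BAD_CHADDR)]:
        print(name, evaluate(f, TABLE))
```

The WRONG_MAC frame is the case that separates the modes: it passes IP SAV (the IP really was leased on that port) but fails IP+MAC SAV, which is why the page treats IP+MAC as the stricter option that needs its own CAM region.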
15 Equal Cost Multi-Path (ECMP)
Equal cost multi-path (ECMP) supports multiple paths in next-hop packet forwarding to a destination device.
Topics:
• ECMP for Flow-Based Affinity
• Link Bundle Monitoring
• ECMP Support in L3 Host and LPM Tables

ECMP for Flow-Based Affinity
ECMP for flow-based affinity includes link bundle monitoring.

Enabling Deterministic ECMP Next Hop
Deterministic ECMP next hop arranges all ECMPs in order before writing them into the content addressable memory (CAM).
To configure the hash algorithm seed, use the following command.
● Specify the hash algorithm seed.
CONFIGURATION mode
hash-algorithm seed value [linecard slot-id] [port-set number]
The range is from 0 to 4095.

Link Bundle Monitoring
Link bundle monitoring allows the system to monitor the use of multiple links for an uneven distribution.
1. Create a user-defined ECMP group bundle.
CONFIGURATION mode
ecmp-group ecmp-group-id
The range is from 1 to 64.
2. Add interfaces to the ECMP group bundle.
CONFIGURATION ECMP-GROUP mode
interface interface
interface tengigabitethernet 0/0
interface port-channel 100
3. Enable the monitoring for the bundle.
CONFIGURATION ECMP-GROUP mode
link-bundle-monitor enable

Modifying the ECMP Group Threshold
You can customize the threshold percentage for monitoring ECMP group bundles.
Use the ipv4 unicast-host-route or ipv6 unicast-host-route commands to program IPv4 /32 or IPv6 /128 route prefixes to be stored in the L3 host table. A warning message states that the change takes effect only when IPv4 or IPv6 route prefixes are cleared from the routing table (RTM) using the clear ip route * command. The IPv6 /128 and IPv4 /32 route-prefix entries that you move to the host table receive ECMP handling.
16 FCoE Transit The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge. NOTE: FIP snooping is not supported on Fibre Channel interfaces or in a Z9500 switch.
Table 19. FIP Functions
FIP Function
    Description
FIP VLAN discovery
    FCoE devices (ENodes) discover the FCoE VLANs on which to transmit and receive FIP and FCoE traffic.
FIP discovery
    FCoE end-devices and FCFs are automatically discovered.
Initialization
    FCoE devices learn ENodes from the FLOGI and FDISC to allow immediate login and create a virtual link with an FCoE switch.
Maintenance
    A valid virtual link between an FCoE device and an FCoE switch is maintained and the LOGO functions properly.
Port-based ACLs: These ACLs are applied on all three port modes: on ports directly connected to an FCF, server-facing ENode ports, and bridge-to-bridge links. Port-based ACLs take precedence over global ACLs.
FCoE-generated ACLs: These take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames.
The following illustration shows a switch used as a FIP snooping bridge in a converged Ethernet network.
● To ensure that they are operationally active, check FIP snooping-enabled VLANs.
● Process FIP VLAN discovery requests and responses, advertisements, solicitations, FLOGI/FDISC requests and responses, FLOGO requests and responses, keep-alive packets, and clear virtual-link messages.

Using FIP Snooping
There are four steps to configure FCoE transit.
1. Enable the FCoE transit feature on a switch.
2.
3.
4.
NOTE: Manually add the CAM-ACL space to the FCoE region, as it is not allocated by default. To support FIP snooping and set CAM-ACL in the Z9500 switch, use the cam-acl l2acl 4 ipv4acl 4 ipv6acl 0 ipv4qos 2 l2qos 1 l2pt 0 ipmacacl 0 vman-qos 0 ecfmacl 0 fcoeacl 2 iscsioptacl 0 command.
Configure the FC-MAP Value You can configure the FC-MAP value to be applied globally by the switch on all or individual FCoE VLANs to authorize FCoE traffic. The configured FC-MAP value is used to check the FC-MAP value for the MAC address assigned to ENodes in incoming FCoE frames. If the FC-MAP value does not match, FCoE frames are dropped. A session between an ENode and an FCF is established by the switch-bridge only when the FC-MAP value on the FCF matches the FC-MAP value on the FIP snooping bridge.
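The FC-MAP check described above, as an added example that is not Dell's code: an FCoE fabric-provided MAC address (FPMA) is the 24-bit FC-MAP followed by the 24-bit FC-ID assigned to the VN_Port, so a FIP snooping bridge can compare the upper 24 bits of an FCoE frame's source MAC with the FC-MAP configured globally or for that VLAN. The default FC-MAP 0x0EFC00 and the FC-ID 62:00:11 come from this chapter's show fip-snooping output; the per-VLAN dictionary, function names and the rejected sample frames are this example's own constructions.

```python
# Added example (not Dell's code): verify an FCoE frame's source FPMA against
# the FC-MAP configured for its VLAN, falling back to the global FC-MAP.
# Sample values are constructed around the FC-MAP and FC-ID shown in this
# chapter; the per-VLAN map structure is an assumption of this example.
DEFAULT_FC_MAP = 0x0EFC00   # default FC-MAP value shown in this chapter


def parse_mac(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff into an integer; reject anything else."""
    parts = mac.split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError("malformed MAC address: %r" % mac)
    return int("".join(parts), 16)


def format_mac(value: int) -> str:
    if not 0 <= value < 1 << 48:
        raise ValueError("MAC value out of range")
    h = "%012x" % value
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def fc_map_of(fpma: str) -> int:
    """Upper 24 bits of an FPMA: the FC-MAP the fabric stamped on it."""
    return parse_mac(fpma) >> 24


def fc_id_of(fpma: str) -> int:
    """Lower 24 bits of an FPMA: the FC-ID of the VN_Port."""
    return parse_mac(fpma) & 0xFFFFFF


def format_fc_id(fc_id: int) -> str:
    h = "%06x" % fc_id
    return ":".join(h[i:i + 2] for i in range(0, 6, 2))


def build_fpma(fc_map: int, fc_id: int) -> str:
    """Compose the FPMA an FCF would assign: FC-MAP || FC-ID."""
    if not 0 <= fc_map < 1 << 24 or not 0 <= fc_id < 1 << 24:
        raise ValueError("FC-MAP and FC-ID are 24-bit values")
    return format_mac((fc_map << 24) | fc_id)


def effective_fc_map(vlan: int, per_vlan: dict, global_map: int) -> int:
    """A VLAN-specific FC-MAP wins over the global one when configured."""
    return per_vlan.get(vlan, global_map)


def fcoe_frame_permitted(src_mac: str, vlan: int, per_vlan: dict, global_map: int) -> bool:
    """The check the text describes: drop FCoE frames whose FPMA does not carry
    the FC-MAP configured for the VLAN they arrived on. A source address that is
    not even a well-formed MAC is dropped as well."""
    try:
        return fc_map_of(src_mac) == effective_fc_map(vlan, per_vlan, global_map)
    except ValueError:
        return False


if __name__ == "__main__":
    fpma = build_fpma(DEFAULT_FC_MAP, 0x620011)           # -> 0e:fc:00:62:00:11
    print(fpma, format_fc_id(fc_id_of(fpma)))
    print(fcoe_frame_permitted(fpma, 100, {}, DEFAULT_FC_MAP))
    print(fcoe_frame_permitted("0e:fc:01:62:00:11", 100, {}, DEFAULT_FC_MAP))
```

Because the FC-MAP is a fabric-wide constant and the FC-ID is only assigned after a successful FLOGI/FDISC, a frame carrying a different prefix cannot belong to any session the bridge has snooped, which is why the text has the switch drop it rather than forward it.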
● The maximum number of FIP snooping sessions supported per ENode server is 32. To increase the maximum number of sessions to 64, use the fip-snooping max-sessions-per-enodemac command.
● The maximum number of FCFs supported per FIP snooping-enabled VLAN is twelve.

Configuring FIP Snooping
You can enable FIP snooping globally on all FCoE VLANs on a switch or on an individual FCoE VLAN. By default, FIP snooping is disabled.
FCoE Transit Configuration Example
The following illustration shows a switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway.
Figure 36. Configuration Example: FIP Snooping on a Switch
In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
Example of Configuring the ENode Server-Facing Port
Dell(conf)# interface tengigabitethernet 1/1
Dell(conf-if-te-1/1)# portmode hybrid
Dell(conf-if-te-1/1)# switchport
Dell(conf-if-te-1/1)# protocol lldp
Dell(conf-if-te-1/1-lldp)# dcbx port-role auto-downstream
NOTE: A port is enabled by default for bridge-ENode links.
Table 21. Displaying FIP Snooping Information (continued)
Command
    Output
clear fip-snooping database interface vlan vlan-id {fcoe-mac-address | enode-mac-address | fcf-mac-address}
    Clears FIP snooping information on a VLAN for a specified FCoE MAC address, ENode MAC address, or FCF MAC address, and removes the corresponding ACLs generated by FIP snooping.
Global FC-MAP Value: 0X0EFC00
FIP Snooping enabled VLANs
VLAN  Enabled  FC-MAP
----  -------  --------
100   TRUE     0X0EFC00
The following example shows the show fip-snooping enode command.
Dell# show fip-snooping enode
Enode MAC          Enode Interface  FCF MAC            VLAN  FC-ID
-----------------  ---------------  -----------------  ----  --------
d4:ae:52:1b:e3:cd  Te 1/11          54:7f:ee:37:34:40  100   62:00:11
The following table describes the show fip-snooping enode command fields.
Table 23.
Number of VN Port Keep Alive                        :3349
Number of Multicast Discovery Advertisement         :4437
Number of Unicast Discovery Advertisement           :2
Number of FLOGI Accepts                             :2
Number of FLOGI Rejects                             :0
Number of FDISC Accepts                             :16
Number of FDISC Rejects                             :0
Number of FLOGO Accepts                             :0
Number of FLOGO Rejects                             :0
Number of CVL                                       :0
Number of FCF Discovery Timeouts                    :0
Number of VN Port Session Timeouts                  :0
Number of Session failures due to Hardware Config   :0
Dell(conf)#
Dell# show fip-snooping statistics int tengigabitethernet 1/1
Table 25. show fip-snooping statistics Command Descriptions (continued)
Field
    Description
Number of VLAN Notifications
    Number of FIP-snooped VLAN notification frames received on the interface.
Number of Multicast Discovery Solicits
    Number of FIP-snooped multicast discovery solicit frames received on the interface.
Number of Unicast Discovery Solicits
    Number of FIP-snooped unicast discovery solicit frames received on the interface.
The following example shows the show fip-snooping vlan command.
17 Enabling FIPS Cryptography
Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module.
Enabling FIPS Mode
To enable or disable FIPS mode, use the console port. Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied. When you enable FIPS mode, the following actions are taken:
● If enabled, the SSH server is disabled.
● All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
Reload Type : normal-reload [Next boot : normal-reload]
-- Unit 0 --
Unit Type       : Management Unit
Status          : online
Next Boot       : online
Required Type   : S4810 - 52-port GE/TE/FG (SE)
Current Type    : S4810 - 52-port GE/TE/FG (SE)
Master priority : 0
Hardware Rev    : 3.0
Num Ports       : 64
Up Time         : 7 hr, 3 min
FTOS Version    : 4810-8-3-7-1061
Jumbo Capable   : yes
POE Capable     : no
FIPS Mode       : enabled
Burned In MAC   : 00:01:e8:8a:ff:0c
No Of MACs      : 3
...

Disabling FIPS Mode
The following describes disabling FIPS mode.
18 Flex Hash
This chapter describes the Flex Hash enhancements.
Topics:
• Flex Hash Capability Overview
• Configuring the Flex Hash Mechanism
• RDMA Over Converged Ethernet (RoCE) Overview
• Preserving 802.1Q VLAN Tag Value for Lite Subinterfaces

Flex Hash Capability Overview
This functionality is supported on the platform. The flex hash functionality enables you to configure a packet search key and match packets based on that search key.
2. Use the load-balance flexhash command to specify whether IPv4 or IPv6 packets must be subjected to the flex hash functionality, a unique protocol number, the offset of hash fields from the start of the L4 header to be used for hash calculation, and a meaningful description to associate the protocol number with the name.
If a VLAN is split into multiple, different sub-VLANs, each VLAN is denoted by a unique 802.1Q tag so that the nodes receiving the traffic frames can determine the VLAN for which the frames are destined. Typically, a Layer 3 physical interface processes only untagged or priority-tagged packets. Tagged packets that are received on Layer 3 physical interfaces are dropped.
19 Force10 Resilient Ring Protocol (FRRP)
Force10 resilient ring protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP); however, STP can take up to 50 seconds to converge and, even with optimizations, may require 4 to 5 seconds to reconverge (depending on the size of the network and the node that fails).
Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
Important FRRP Points

FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring.
● The Master node transmits ring status check frames at specified intervals.
● You can run multiple physical rings on the same switch.
● One Master node per ring — all other nodes are Transit.
Concept: Ring HealthCheck Frame (RHF)
Explanation: The Master node generates two types of RHFs. RHFs never loop the ring because they terminate at the Master node’s secondary port.
● Hello RHF (HRHF) — These frames are processed only on the Master node’s Secondary port. The Transit nodes pass the HRHF through without processing it. An HRHF is sent at every Hello interval.
● Topology Change RHF (TCRHF) — These frames contain ring status, keepalive, and the control and member VLAN hash.
Configuring the Control VLAN

Control and member VLANS are configured normally for Layer 2. Their status as control or member is determined at the FRRP group commands. For more information about configuring VLANS in Layer 2 mode, refer to Layer 2. Be sure to follow these guidelines:
● All VLANS must be in Layer 2 mode.
● You can only add ring nodes to the VLAN.
● A control VLAN can belong to one FRRP group only.
● Tag control VLAN ports.
Configuring and Adding the Member VLANs

Control and member VLANS are configured normally for Layer 2. Their status as Control or Member is determined at the FRRP group commands. For more information about configuring VLANS in Layer 2 mode, refer to the Layer 2 chapter. Be sure to follow these guidelines:
● All VLANS must be in Layer 2 mode.
● Tag control VLAN ports. Member VLAN ports, except the Primary/Secondary interface, can be tagged or untagged.
timer {hello-interval|dead-interval} milliseconds
○ Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500).
○ Dead-Interval: the range is from 50 to 6000, in increments of 50 (default is 1500).

Clearing the FRRP Counters

To clear the FRRP counters, use one of the following commands.
● Clear the counters associated with this Ring ID.
  EXEC Privilege mode
  clear frrp ring-id
  Ring ID: the range is from 1 to 255.
● Clear the counters associated with all FRRP groups.
○ When the interface ceases to be a part of any FRRP process, if you enable Spanning Tree globally, also enable it explicitly for the interface. ● The maximum number of rings allowed on a chassis is 255. Sample Configuration and Topology The following example shows a basic FRRP topology.
Example of R3 TRANSIT

interface TengigabitEthernet 3/14
 no ip address
 switchport
 no shutdown
!
interface TengigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged TengigabitEthernet 3/14,21
 no shutdown
!
interface Vlan 201
 no ip address
 tagged TengigabitEthernet 3/14,21
 no shutdown
!
protocol frrp 101
 interface primary TengigabitEthernet 3/21 secondary TengigabitEthernet 3/14
 control-vlan 101 member-vlan 201
 mode transit
 no disable
20 GARP VLAN Registration Protocol (GVRP) GARP VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN.
Configure GVRP

To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports.

Figure 37. Global GVRP Configuration Example

Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2.
gvrp enable

Dell(conf)#protocol gvrp
Dell(config-gvrp)#no disable
Dell(config-gvrp)#show config
!
protocol gvrp
 no disable
Dell(config-gvrp)#

To inspect the global configuration, use the show gvrp brief command.

Enabling GVRP on a Layer 2 Interface

To enable GVRP on a Layer 2 interface, use the following command.
● Enable GVRP on a Layer 2 interface.
 gvrp registration fixed 34-35
 gvrp registration forbidden 45-46
 no shutdown
Dell(conf-if-te-1/21)#

Configure a GARP Timer

Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings.
● Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The default is 200ms.
21 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 38. IGMP Messages in IP Packets Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. Responding to an IGMP Query The following describes how a host can join a multicast group. 1. One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet. 2.
IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences. ● Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers. ● To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Joining and Filtering Groups and Sources

The following illustration shows how multicast routers maintain the group and source information from unsolicited reports.
1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1. Include messages prevent traffic from all other sources in the group from reaching the subnet.
Leaving and Staying in Groups

The following illustration shows how multicast routers track and refresh state changes in response to group-specific and general queries.
1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the include filters for 10.11.1.1 and 10.11.1.2 are no longer necessary.
2.
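The group and source state that the two illustrations above describe (join the whole group, narrow it to an include list, then leave) can be followed in code. The model below is an added example written for this guide, not Dell Networking OS code; it keeps one filter record per host and group, treats INCLUDE with an empty source list as a leave, and adds an intermediate report for sources 10.11.1.1 and 10.11.1.2 (assumed here, since the leave step above refers to include filters for both sources). The walkthrough runs the numbered steps from the two sections and records the forwarding decision a router would make after each.

```python
INCLUDE, EXCLUDE = "INCLUDE", "EXCLUDE"


class IgmpV3GroupTable:
    """Simplified per-subnet group/source state a router keeps from IGMPv3 reports."""

    def __init__(self):
        # group -> {host: (filter_mode, frozenset(sources))}
        self.groups = {}

    def report(self, host, group, mode, sources=()):
        """Record a current-state report from `host` for `group`."""
        if mode not in (INCLUDE, EXCLUDE):
            raise ValueError("filter mode must be INCLUDE or EXCLUDE")
        sources = frozenset(sources)
        if mode == INCLUDE and not sources:
            # INCLUDE {} means the host wants no sources at all: it has left the group.
            members = self.groups.get(group, {})
            members.pop(host, None)
            if not members:
                self.groups.pop(group, None)
            return
        self.groups.setdefault(group, {})[host] = (mode, sources)

    def wants(self, group, source):
        """Should traffic from `source` to `group` be forwarded onto this subnet?"""
        for mode, sources in self.groups.get(group, {}).values():
            if mode == INCLUDE and source in sources:
                return True
            if mode == EXCLUDE and source not in sources:
                return True
        return False

    def active_groups(self):
        return sorted(self.groups)


def walkthrough():
    """Replay the steps above; return the decision for sources 10.11.1.1 / 10.11.1.2 after each."""
    table = IgmpV3GroupTable()
    group = "224.1.1.1"
    decisions = {}
    # 1. First unsolicited report: the host wants the whole group (EXCLUDE with no sources).
    table.report("host1", group, EXCLUDE)
    decisions["join_group"] = (table.wants(group, "10.11.1.1"), table.wants(group, "10.11.1.2"))
    # 2. Second report: only source 10.11.1.1 is wanted (INCLUDE {10.11.1.1}).
    table.report("host1", group, INCLUDE, ["10.11.1.1"])
    decisions["include_one"] = (table.wants(group, "10.11.1.1"), table.wants(group, "10.11.1.2"))
    # Assumed intermediate step: the include list grows to both sources.
    table.report("host1", group, INCLUDE, ["10.11.1.1", "10.11.1.2"])
    decisions["include_two"] = (table.wants(group, "10.11.1.1"), table.wants(group, "10.11.1.2"))
    # 3. Leave: INCLUDE {} drops the include filters and the group membership.
    table.report("host1", group, INCLUDE, [])
    decisions["leave"] = (table.wants(group, "10.11.1.1"), table.wants(group, "10.11.1.2"))
    decisions["groups_after_leave"] = table.active_groups()
    return decisions


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step:20} {result}")
```

Because the table is keyed by host, a second receiver that still wants the group keeps traffic flowing after the first host leaves; that is the state a querier confirms with the group-specific query mentioned in step 2 of the leave sequence.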
● Adjusting Timers
● Configuring a Static IGMP Group
● Preventing a Host from Joining a Group
● Enabling IGMP Immediate-Leave
● IGMP Snooping
● Fast Convergence after MSTP Topology Changes
● Designating a Multicast Router Interface

Viewing IGMP Enabled Interfaces

Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command.
● View IGMP-enabled interfaces.
Viewing IGMP Groups

To view both learned and statically configured IGMP groups, use the following command.
● View both learned and statically configured IGMP groups.
  EXEC Privilege mode
  show ip igmp groups

Dell(conf-if-te-1/0)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address   Interface             Uptime    Expires   Last Reporter
224.1.1.1       GigabitEthernet 1/0   00:00:03  Never     CLI
224.1.2.1       GigabitEthernet 1/0   00:56:55  00:01:22  1.1.1.
Adjusting the IGMP Querier Timeout Value If there is more than one multicast router on a subnet, only one is elected to be the querier, which is the router that sends queries to the subnet. 1. Routers send queries to the all multicast systems address, 224.0.0.1. Initially, all routers send queries. 2. When a router receives a query, it compares the IP address of the interface on which it was received with the source IP address given in the query.
IGMP Snooping IGMP snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers. Multicast packets are addressed with multicast MAC addresses, which represent a group of devices, rather than one unique device.
INTERFACE VLAN mode
show config

Dell(conf-if-vl-100)#show config
!
interface Vlan 100
 no ip address
 ip igmp snooping fast-leave
 shutdown
Dell(conf-if-vl-100)#

Disabling Multicast Flooding

If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. When you configure the no ip igmp snooping flood command, the system drops the packets immediately.
Adjusting the Last Member Query Interval To adjust the last member query interval, use the following command. When the querier receives a Leave message from a receiver, it sends a group-specific query out of the ports specified in the forwarding table. If no response is received, it sends another. The amount of time that the querier waits to receive a response to the initial query before sending a second one is the last member query interval (LMQI).
22 Interfaces This chapter describes interface types, both physical and logical, and how to configure them on the Z9500 switch. ● 10-Gigabit Ethernet and 40-Gigabit Ethernet interfaces are supported on the Z9500.
• Monitoring HiGig Link Bundles
• Fanning out 40G Ports
• Dynamically Splitting QSFP Ports to SFP+ Ports
• Link Dampening
• Using Ethernet Pause Frames for Flow Control
• Configure the MTU Size on an Interface
• Auto-Negotiation on Ethernet Interfaces
• View Advanced Interface Information
• Dynamic Counters

Port Numbering Convention

On the switch, all ports operate by default in 40GbE mode. If you use a breakout cable, each port can operate in 4x10GbE mode.
View Basic Interface Information To view basic interface information, use the following command. You have several options for viewing interface status and configuration parameters. ● Lists all configurable interfaces on the chassis. EXEC mode show interfaces This command has options to display the interface status, IP and MAC addresses, and multiple counters for the amount and type of traffic passing through the interface.
TengigabitEthernet 1/6   unassigned   NO   Manual   administratively down   down
TengigabitEthernet 1/7   unassigned   NO   Manual   administratively down   down
TengigabitEthernet 1/8   unassigned   NO   Manual   administratively down   down

To view only configured interfaces, use the show interfaces configured command in the EXEC Privilege mode. In the previous example, TengigabitEthernet interface 1/5 is in Layer 3 mode because an IP address has been assigned to it and the interface’s status is operationally up.
Port Pipes A port pipe is a Dell Networking-specific term for the hardware packet-processing elements that handle network traffic to and from a set of front-end I/O ports. The physical, front-end I/O ports are referred to as a port set. In the command-line interface, a Z9500 port pipe is entered as portset port-pipe-number. A line card is a Dell Networking-specific term that describes the subsystem for a logical grouping of one or more port pipes.
Type of Interface   Possible Modes   Requires Creation                  Default State
VLAN                Layer 2          Yes, except for the default VLAN.  No shutdown (active for Layer 2)
                    Layer 3                                             Shutdown (disabled for Layer 3)

Configuring Layer 2 (Data Link) Mode

Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode. To set Layer 2 data transmissions through an individual interface, use the following command.
If an interface is in the incorrect layer mode for a given command, an error message is displayed (shown in bold). In the following example, the ip address command triggered an error message because the interface is in Layer 2 mode and the ip address command is a Layer 3 command only.

Dell(conf-if)#show config
!
interface TengigabitEthernet 1/2
 no ip address
 switchport
 no shutdown
Dell(conf-if)#ip address 10.10.1.1 /24
% Error: Port is in Layer 2 mode Te 1/2.
Important Points to Remember ● Deleting a management route removes the route from both the EIS routing table and the default routing table. ● If the management port is down or route lookup fails in the management EIS routing table, the outgoing interface is selected based on route lookup from the default routing table. ● If a route in the EIS table conflicts with a front-end port route, the front-end port route has precedence.
The following rules apply to having two IPv6 addresses on a management interface: ● IPv6 addresses on a single management interface cannot be in the same subnet. ● IPv6 secondary addresses on management interfaces: ○ across a platform must be in the same subnet. ○ must not match the virtual IP address and must not be in the same subnet as the virtual IP.
To display the configuration for a given port, use the show interface command in EXEC Privilege mode, as shown in the following example. To display the routing table, use the show ip route command in EXEC Privilege mode.

Dell#show int fortyGigE 2/12
fortyGigE 2/12 is up, line protocol is up
Hardware is DellForce10Eth, address is 74:86:7a:ff:6f:48
    Current address is 74:86:7a:ff:6f:48
Pluggable media present, QSFP type is 40GBASE-CR4-1M
Interface index is 154288642
Internet address is 6.1.1.
interface Vlan 10
 ip address 1.1.1.2/24
 tagged TenGigabitEthernet 2/2-13
 tagged TenGigabitEthernet 5/0
 ip ospf authentication-key force10
 ip ospf cost 1
 ip ospf dead-interval 60
 ip ospf hello-interval 15
 no shutdown
!

Loopback Interfaces

A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Because this interface is not a physical interface, you can configure routing protocols on this interface to provide protocol stability.
Port Channel Definition and Standards Link aggregation is defined by IEEE 802.3ad as a method of grouping multiple physical interfaces into a single logical interface— a link aggregation group (LAG) or port channel. A LAG is “a group of links that appear to a MAC client as if they were a single link” according to IEEE 802.3ad. In the Dell Networking OS, a LAG is referred to as a port channel interface. A port channel provides redundancy by aggregating physical interfaces into one logical interface.
first interface specified (TenGig 0/1) is up. After it is up, the common speed of the port channel is 10 Gb/s. The system disables those interfaces configured with speed 40 Gb/s or whose speed is 40 Gb/s as a result of auto-negotiation. In this example, you can change the common speed of the port channel by changing its configuration so the first enabled interface referenced in the configuration is a 10 Gb/s speed interface.
To view the interface’s configuration, enter INTERFACE mode for that interface and use the show config command or, from EXEC Privilege mode, use the show running-config interface interface command. When an interface is added to a port channel, the system recalculates the hash algorithm. To add a physical interface to a port channel, use the following commands.
1. Add the interface to a port channel.
interface that is part of that port channel. In the following example, interface TengigabitEthernet 1/6 is part of port channel 5, which is in Layer 2 mode, and an error message appeared when an IP address was configured.

Dell(conf-if-portch)#show config
!
interface Port-channel 5
 no ip address
 switchport
 channel-member TengigabitEthernet 1/6
Dell(conf-if-portch)#int te 1/6
Dell(conf-if)#ip address 10.56.4.4 /24
% Error: Port is part of a LAG Te 1/6.
The default is 1.

Dell#config t
Dell(conf)#int po 1
Dell(conf-if-po-1)#minimum-links 5
Dell(conf-if-po-1)#

Adding or Removing a Port Channel from a VLAN

As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command). To add or remove a VLAN port channel and to view VLAN port channel members, use the following commands.
● Add the port channel to the VLAN as a tagged interface.
When you disable a port channel, all interfaces within the port channel are operationally down also.

Load Balancing Through Port Channels

The system uses hash algorithms for distributing traffic evenly over channel members in a port channel (LAG). The hash algorithm distributes traffic among equal-cost multipath (ECMP) paths and LAG members. The distribution is based on a flow, except for packet-based hashing. A flow is identified by the hash and is assigned to one link.
● Change to another algorithm.
  CONFIGURATION mode
  hash-algorithm ecmp {crc-upper} | {dest-ip} | {lsb}

Dell(conf)#hash-algorithm ecmp xor1 lag crc16
Dell(conf)#

The hash-algorithm command is specific to the ECMP group. The default ECMP hash configuration is crc-lower. This command takes the lower 32 bits of the hash key to compute the egress port. Other options for ECMP hash-algorithms are:
● crc-upper — uses the upper 32 bits of the hash key to compute the egress port.
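The two passages above (flow-based distribution over LAG members, and the crc-lower, crc-upper and lsb ways of reducing the hash key to an egress choice) can be seen working on constructed flows. The model below is an added example written for this guide, not Dell Networking OS code: the 64-bit hash key is derived from the packed 5-tuple with BLAKE2b as an illustrative stand-in, since this page does not describe how the switch builds its key, and the three option names only select which bits of that key pick the member link. What carries over is the behaviour: every packet of a flow lands on the same link, and an option that uses one bit of the key can only ever spread traffic over two links.

```python
import hashlib
import ipaddress
import struct
from collections import Counter


def hash_key(src_ip, dst_ip, protocol, src_port, dst_port):
    """Derive a 64-bit hash key from the flow's L3/L4 fields.

    Illustrative stand-in for the switch's key construction (assumption): BLAKE2b of the
    packed 5-tuple, truncated to 8 bytes. Any good mixing function gives the same lesson."""
    packed = (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BHH", protocol, src_port, dst_port))
    return int.from_bytes(hashlib.blake2b(packed, digest_size=8).digest(), "big")


def select_member(flow, member_count, algorithm="crc-lower"):
    """Pick the member link (0..member_count-1) for a flow under the named option."""
    if member_count < 1:
        raise ValueError("a LAG or ECMP group needs at least one member")
    key = hash_key(*flow)
    if algorithm == "crc-lower":
        value = key & 0xFFFFFFFF      # lower 32 bits of the key
    elif algorithm == "crc-upper":
        value = key >> 32             # upper 32 bits of the key
    elif algorithm == "lsb":
        value = key & 1               # least significant bit only
    else:
        raise ValueError(f"unknown hash algorithm {algorithm!r}")
    return value % member_count


def distribution(flows, member_count, algorithm="crc-lower"):
    """Count how many of the given flows land on each member link."""
    counts = Counter(select_member(f, member_count, algorithm) for f in flows)
    return dict(sorted(counts.items()))


def sample_flows(n=1000):
    """Constructed flows: many clients on 10.0.0.0/22 talking to one server on TCP 443."""
    return [("10.0.%d.%d" % (i // 256, i % 256), "192.0.2.10", 6, 40000 + i, 443)
            for i in range(n)]


if __name__ == "__main__":
    flows = sample_flows()
    for algorithm in ("crc-lower", "crc-upper", "lsb"):
        print(f"{algorithm:10} over 4 links: {distribution(flows, 4, algorithm)}")
```

The per-flow pinning is what makes a single elephant flow unable to use more than one member link, and the lsb figure shows why a one-bit selector is a poor fit for bundles wider than two links.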
Example of the interface range Command (Single Range)

Dell(config)# interface range tengigabitethernet 0/1 - 23
Dell(config-if-range-te-0/1-23)# no shutdown
Dell(config-if-range-te-0/1-23)#

Create a Multiple-Range

The following is an example of a multiple range.
Add Ranges The following example shows how to use commas to add VLAN and port-channel interfaces to the range.
Monitoring and Maintaining Interfaces Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, and so on. To view the interface’s statistics, use the following command. ● View the interface’s statistics. EXEC Privilege mode Enter the type of interface and slot/port information: ○ For the Management interface, enter the keyword ManagementEthernet then the slot/port information.
Displaying Traffic Statistics on HiGig Ports You can verify the buffer usage and queue counters for high-Gigabit Ethernet (HiGig) ports and link bundles (port channels). The buffer counters supported for front-end ports are extended to HiGig backplane ports. You can display the queue statistics and buffer counters for backplane line-card (leaf) and switch fabric module (SFM - spine) NPU port queues on a Z9500 switch using the show commands described in this section.
● A line-card (leaf) NPU supports 12 front-end I/O ports and 12 backplane HiGig ports. The 12 backplane links are members of a single HiGig link bundle that connects the line-card NPU to each SFM (spine) NPU. Two HiGig links in the bundle are used to connect to each SFM NPU. You can enable the capability to detect uneven traffic distribution in the member links of a HiGig link bundle on a line-card or SFM NPU. You can also enable a notification to be sent using alarms and SNMP traps.
The difference in utilization percentage between the high-used link and low-used link determines the alarm condition. Alarm reporting for link-bundle monitoring is based on the same algorithm used for LAG/ECMP. An alarm condition occurs when the unevenness in link-bundle utilization exceeds 10% of the configured threshold and remains active until traffic on member links falls below the trigger threshold. If unevenness is recorded for three consecutive measurements, an alarm event is generated.
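The alarm logic just described (difference between the most and least used member link, an alarm after three consecutive uneven measurements, clearing once the bundle evens out again) is compact enough to model directly. The class below is an added example written for this guide, not Dell Networking OS code. It compares the unevenness against the configured threshold expressed as a percentage; that reading of the "10% of the configured threshold" wording above is an assumption, and the comparison is a single line to adjust if the hardware scales it differently.

```python
class LinkBundleMonitor:
    """Detect uneven traffic distribution across the member links of a HiGig link bundle.

    Model of the behaviour described above (assumed; not the switch's own implementation):
      * unevenness = highest member utilization % minus lowest member utilization %
      * the alarm condition holds while unevenness exceeds the trigger threshold
      * the ALARM event fires after `consecutive` (default 3) measurements in a row in
        the alarm condition; CLEAR fires when unevenness drops back below the threshold
    """

    def __init__(self, threshold_pct, consecutive=3):
        if not 0 < threshold_pct <= 100:
            raise ValueError("threshold must be a percentage in (0, 100]")
        self.threshold = threshold_pct
        self.consecutive = consecutive
        self.streak = 0          # consecutive uneven measurements seen so far
        self.alarm = False       # alarm currently raised?
        self.events = []         # history of ALARM / CLEAR events

    @staticmethod
    def unevenness(utilizations):
        if len(utilizations) < 2:
            raise ValueError("a link bundle needs at least two member links")
        if any(not 0 <= u <= 100 for u in utilizations):
            raise ValueError("utilization values are percentages")
        return max(utilizations) - min(utilizations)

    def measure(self, utilizations):
        """Feed one measurement (per-link utilization %); return the event raised, if any."""
        event = None
        if self.unevenness(utilizations) > self.threshold:
            self.streak += 1
            if self.streak >= self.consecutive and not self.alarm:
                self.alarm = True
                event = "ALARM"
        else:
            self.streak = 0
            if self.alarm:
                self.alarm = False
                event = "CLEAR"
        if event:
            self.events.append(event)
        return event


def run_sample():
    """Constructed measurement series for a two-link bundle with a 10% threshold."""
    monitor = LinkBundleMonitor(threshold_pct=10)
    series = [[50, 45], [80, 20], [80, 20], [80, 20], [80, 20], [50, 48], [80, 20]]
    return [monitor.measure(sample) for sample in series]


if __name__ == "__main__":
    print(run_sample())
```

Requiring three consecutive measurements is what keeps a single bursty interval from raising a trap; the streak counter resets on any even measurement, so an intermittent imbalance never accumulates into an alarm.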
Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port You can convert a QSFP or QSFP+ port to an SFP or SFP+ port using the Quad to Small Form Factor Pluggable Adapter (QSA). QSA provides smooth connectivity between devices that use Quad Lane Ports (such as the 40 Gigabit Ethernet adapters) and 10 Gigabit hardware that uses SFP+ based cabling. Using this adapter, you can effectively use a QSFP or QSFP+ module to connect to a lower-end switch or server that uses an SFP or SFP+ based module.
● QSFP port 0 is connected to a QSA with SFP+ optical cables plugged in. ● QSFP port 4 is connected to a QSA with SFP optical cables plugged in. ● QSFP port 8 in fanned-out mode is plugged in with QSFP optical cables. ● QSFP port 12 in 40 G mode is plugged in with QSFP optical cables.
SFP 0 Voltage High Alarm threshold = 0.000V
SFP 0 Bias High Alarm threshold    = 0.000mA

NOTE: In the following show interfaces tengigabitethernet transceiver commands, ports 5, 6, and 7 are inactive and no physical SFP or SFP+ connection actually exists on these ports. However, Dell Networking OS still perceives these ports as valid and the output shows that pluggable media (optical cables) is inserted into these ports. This is a software limitation for this release.
Dell#show interfaces tengigabitethernet 0/0
tengigabitethernet 0/0 is up, line protocol is up
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
    Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP+ type is 10GBASE-SX
Interface index is 35012865
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :90b11cf49afa
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit
Dell#show interfaces tengigabitethernet
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
    Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, QSFP type is 4x10GBASE-CR1-3M
...
LineSpeed 10000 Mbit

The show inventory command shows the following output:

NOTE: In the following show inventory media command output, ports 1, 2, 3, 5, 6, and 7 are actually inactive. However, Dell Networking OS still shows that optical cables are inserted into these ports. This is a software limitation for this release.
 dampening
R1(conf-if-te-1/1)#show config
!
interface TengigabitEthernet 1/1
 ip address 10.10.19.1/24
 dampening 1 2 3 4
 no shutdown
R1(conf-if-te-1/1)#exit

To view the link dampening configuration on an interface, use the show config command. To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
The following table lists the range for each transmission media.

Transmission Media   MTU Range (in bytes)
Ethernet             594-9216 = link MTU

The IP MTU is configured automatically.

Using Ethernet Pause Frames for Flow Control

Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it.
○ tx on: enter the keywords tx on to send control frames from this port to the connected device when a higher rate of traffic is received. ○ tx off: enter the keywords tx off so that flow control frames are not sent from this port to the connected device when a higher rate of traffic is received. ○ threshold: when you configure tx on, you can set the threshold values for: ■ Number of flow-control packet pointers: the range is from 1 to 2047 (default = 75).
The local interface and the directly connected remote interface must have the same setting, and auto-negotiation is the easiest way to accomplish that, as long as the remote interface is capable of auto-negotiation. NOTE: As a best practice, Dell Networking recommends keeping auto-negotiation enabled. Only disable auto-negotiation on switch ports that attach to devices not capable of supporting negotiation or where connectivity issues arise from interoperability issues.
In EXEC mode, the show interfaces switchport command displays only interfaces in Layer 2 mode and their relevant configuration information. The show interfaces switchport command displays the interface, whether it supports IEEE 802.1Q tagging or not, and the VLANs to which the interface belongs.

Dell#show interfaces switchport
Name: TengigabitEthernet 13/0
802.1QTagged: True
Vlan membership:
Vlan 2

Name: TengigabitEthernet 13/1
802.1QTagged: True
Vlan membership:
Vlan 2

Name: TengigabitEthernet 13/2
802.
Dell(conf-if-te-10/0)#rate-interval 100
Dell#show interfaces
TenGigabitEthernet 10/0 is down, line protocol is down
Hardware is Force10Eth, address is 00:01:e8:01:9e:d9
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 1d23h45m
Queueing strategy: fifo
     0 packets input, 0 bytes
     Input 0 IP Packets, 0 Vlans 0 MPLS
     0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over
○ For a Port Channel interface, enter the keywords port-channel then a number. ○ For the management interface, enter the keyword ManagementEthernet 0/0. The slot number is 0; the port number is 0. ○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. ○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. ○ For a VLAN, enter the keyword vlan then a number.
23 Internet Protocol Security (IPSec) Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel. ● Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
 encrypt
 session-key outbound esp 257 auth encrypt
 match 0 tcp a::1 /128 0 a::2 /128 23
 match 1 tcp a::1 /128 23 a::2 /128 0
 match 2 tcp a::1 /128 0 a::2 /128 21
 match 3 tcp a::1 /128 21 a::2 /128 0
 match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
 match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
 match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
 match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
3. Apply the crypto policy to management traffic.
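Before applying a crypto policy to management traffic, it is worth confirming which flows its match entries actually cover: the eight entries above protect Telnet (port 23) and FTP control (port 21) in both directions between a::1/a::2 and 1.1.1.1/1.1.1.2, and nothing else. The parser and matcher below are an added example written for this guide, not Dell Networking OS code; they read the match lines exactly as printed above (port 0 meaning any port, prefix length written as a separate token) and report the first entry a constructed flow hits, or None when the flow would travel unprotected.

```python
import ipaddress
from dataclasses import dataclass

# The match entries from the crypto policy above, copied verbatim.
POLICY_TEXT = """
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
"""


@dataclass(frozen=True)
class MatchEntry:
    seq: int
    protocol: str
    src: object      # ipaddress.IPv4Network or IPv6Network
    sport: int       # 0 = any port
    dst: object
    dport: int       # 0 = any port


def parse_policy(text):
    """Parse 'match <seq> <proto> <src> /<len> <sport> <dst> /<len> <dport>' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "match":
            continue                       # skip blank lines and non-match statements
        if len(parts) != 9:
            raise ValueError(f"malformed match entry: {line!r}")
        entries.append(MatchEntry(
            seq=int(parts[1]), protocol=parts[2].lower(),
            src=ipaddress.ip_network(parts[3] + parts[4], strict=False), sport=int(parts[5]),
            dst=ipaddress.ip_network(parts[6] + parts[7], strict=False), dport=int(parts[8])))
    return sorted(entries, key=lambda e: e.seq)


def lookup(entries, protocol, src_ip, src_port, dst_ip, dst_port):
    """Return the sequence number of the first entry the flow matches, or None (sent in clear)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.protocol != protocol.lower() or src.version != e.src.version:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.sport not in (0, src_port) or e.dport not in (0, dst_port):
            continue
        return e.seq
    return None


if __name__ == "__main__":
    entries = parse_policy(POLICY_TEXT)
    # Constructed flows: an IPv6 Telnet session and its reply, IPv4 FTP control, and SSH.
    for flow in [("tcp", "a::1", 40000, "a::2", 23), ("tcp", "a::1", 23, "a::2", 5000),
                 ("tcp", "1.1.1.1", 40001, "1.1.1.2", 21), ("tcp", "1.1.1.1", 40002, "1.1.1.2", 22)]:
        print(flow, "->", lookup(entries, *flow))
```

A flow such as SSH on port 22 between the same addresses falls through every entry, which is the kind of gap to spot before relying on the policy for all management sessions.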
24 IPv4 Routing IPv4 routing and various IP addressing features are supported. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
IP Addresses The Dell Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which increases the number of subnets, is also supported. To subnet, you add a mask to the IP address to separate the network and host portions of the IP address.
● ip-address mask: the IP address must be in dotted decimal format (A.B.C.D). The mask must be in slash prefix-length format (/24).
● secondary: add the keyword secondary if the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses.
To view the configuration, use the show config command in INTERFACE mode or use the show ip interface command in EXEC privilege mode, as shown in the second example.
S    6.1.2.7/32     via 6.1.20.2,
S    6.1.2.8/32     via 6.1.20.2,
S    6.1.2.9/32     via 6.1.20.2,
S    6.1.2.10/32    via 6.1.20.2,
S    6.1.2.11/32    via 6.1.20.2,
S    6.1.2.12/32    via 6.1.20.2,
S    6.1.2.13/32    via 6.1.20.2,
S    6.1.2.14/32    via 6.1.20.2,
S    6.1.2.15/32    via 6.1.20.2,
S    6.1.2.16/32    via 6.1.20.2,
S    6.1.2.17/32    via 6.1.20.2,
S    11.1.1.0/24    Direct, Lo 0
 --More--
Resolution of Host Names Domain name service (DNS) maps host names to IP addresses. This feature simplifies such commands as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless you enable the feature, the system resolves only host names entered into the host table with the ip host command. The following sections describe DNS and the resolution of host names.
● Enter up to 63 characters to configure names to complete unqualified host names. CONFIGURATION mode ip domain-list name Configure this command up to six times to specify a list of possible domain names. The system searches the domain names in the order they were configured until a match is found or the list is exhausted. Configuring DNS with Traceroute To configure your switch to perform DNS with traceroute, use the following commands. ● Enable dynamic resolution of host names.
Configuration Tasks for ARP For a complete listing of all ARP-related commands, refer to the Dell Networking OS Command Line Reference Guide.
● Clear the ARP caches for all interfaces or for a specific interface by entering the following information. EXEC privilege clear arp-cache [interface | ip ip-address] [no-refresh] ○ ip ip-address (OPTIONAL): enter the keyword ip then the IP address of the ARP entry you wish to clear. ○ no-refresh (OPTIONAL): enter the keywords no-refresh to delete the ARP entry from CAM. Or to specify which dynamic ARP entries you want to delete, use this option with interface or ip ip-address.
Figure 44. ARP Learning via ARP Request When you enable ARP learning via gratuitous ARP, the system installs a new ARP entry, or updates an existing entry for all received ARP requests. Figure 45. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP. It only updates the ARP entry for the Layer 3 interface with the source IP of the request.
show arp retries ICMP For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet. These messages are sent only on unicast traffic. Configuration Tasks for ICMP The following lists the configuration tasks for ICMP.
○ UDP broadcast traffic with port number 67 or 68 is unicast to the dynamic host configuration protocol (DHCP) server per the ip helper-address configuration, whether or not the UDP port list contains those ports.
○ If the UDP port list contains ports 67 or 68, UDP broadcast traffic is forwarded on those ports.

Enabling UDP Helper

To enable UDP helper, use the following command.
● Enable UDP helper.
  ip udp-helper udp-ports
The following example shows how to enable UDP helper.
0 packets, 0 bytes Time since last interface status change: 00:07:44 Configurations Using UDP Helper When you enable UDP helper and the destination IP address of an incoming packet is a broadcast address, the system suppresses the destination address of the packet. The following sections describe various configurations that employ UDP helper to direct broadcasts.
UDP Helper with Subnet Broadcast Addresses

When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to the matching interface. In the following illustration, Packet 1 has the destination IP address 1.1.1.255, which matches the subnet broadcast address of VLAN 101.
UDP Helper with No Configured Broadcast Addresses

The following describes UDP helper with no broadcast addresses configured.
● If the incoming packet has a broadcast destination IP address, the unaltered packet is routed to all Layer 3 interfaces.
● If the incoming packet has a destination IP address that matches the subnet broadcast address of any interface, the unaltered packet is routed to the matching interfaces.
25 IPv6 Routing

Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses from dynamic host configuration protocol (DHCP) servers via stateful auto-configuration.

NOTE: The system provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS). By default, RA response messages are sent when an RS message is received. The manipulation of IPv6 stateless autoconfiguration supports the router side only.
IPv6 Header Fields

The 40 bytes of the IPv6 header are ordered as shown in the following illustration.

Figure 49. IPv6 Header Fields

Version (4 bits)
The Version field always contains the number 6, referring to the packet's IP version.

Traffic Class (8 bits)
The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Value   Description
0       Hop-by-Hop option header
4       IPv4
6       TCP
8       Exterior Gateway Protocol (EGP)
41      IPv6
43      Routing header
44      Fragmentation header
50      Encrypted Security
51      Authentication header
59      No Next Header
60      Destinations option header

NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) web page.
Hop-by-Hop Options Header

The Hop-by-Hop options header contains information that is examined by every router along the packet's path. It follows the IPv6 header and is designated by the Next Header value 0 (zero). When a Hop-by-Hop Options header is not included, the router knows that it does not have to process any router-specific information and immediately processes the packet to its final destination.
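Added example, not code from the Dell guide: a Python parser for the 40-byte header and the Next Header chain described above. It walks Hop-by-Hop, Routing, Destination Options, Fragment and Authentication headers to reach the upper-layer protocol, which a filter that reads only the fixed header's Next Header field would report as 0 (Hop-by-Hop) instead of TCP. The sample packet is constructed here; it reuses the addresses shown in this chapter's show output and the extension-header length rules of RFC 8200 and RFC 4302, which the page does not state.

```python
import ipaddress
import struct

# Next Header values as listed in the page's table (partial; IANA holds the full list).
NEXT_HEADER = {
    0: "Hop-by-Hop option header", 4: "IPv4", 6: "TCP",
    8: "Exterior Gateway Protocol (EGP)", 41: "IPv6", 43: "Routing header",
    44: "Fragmentation header", 50: "Encrypted Security",
    51: "Authentication header", 59: "No Next Header",
    60: "Destinations option header",
}

# Extension headers whose first two octets are (Next Header, Hdr Ext Len);
# Hdr Ext Len counts 8-octet units beyond the first 8 octets (RFC 8200).
VARIABLE_LENGTH_EXT = {0, 43, 60}
FRAGMENT_HEADER = 44  # fixed 8 octets, Next Header in its first octet
AUTH_HEADER = 51      # length field counts 4-octet units, minus 2 (RFC 4302)


def parse_ipv6_header(pkt: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header into its fields."""
    if len(pkt) < 40:
        raise ValueError("an IPv6 header is 40 bytes")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = word0 >> 28
    if version != 6:
        raise ValueError(f"Version field is {version}, expected 6")
    return {
        "version": version,
        "traffic_class": (word0 >> 20) & 0xFF,
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
    }


def upper_layer_protocol(pkt: bytes) -> tuple[int, list[int]]:
    """Follow the extension-header chain after the fixed header.

    Returns the upper-layer Next Header value (6 for TCP) and the list of
    extension headers skipped on the way, so an ACL decision can be made on
    the protocol the packet really carries.
    """
    nh = parse_ipv6_header(pkt)["next_header"]
    off = 40
    seen: list[int] = []
    while nh in VARIABLE_LENGTH_EXT or nh in (FRAGMENT_HEADER, AUTH_HEADER):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        seen.append(nh)
        nxt, ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT_HEADER:
            off += 8
        elif nh == AUTH_HEADER:
            off += (ext_len + 2) * 4
        else:
            off += (ext_len + 1) * 8
        nh = nxt
    return nh, seen


def build_sample_packet() -> bytes:
    """Constructed sample: IPv6 + Hop-by-Hop header (PadN option) + 20-byte TCP header."""
    hop_by_hop = bytes([6, 0]) + b"\x01\x04\x00\x00\x00\x00"  # next=TCP, len=0 -> 8 octets
    tcp = struct.pack("!HHIIBBHHH", 40000, 3260, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    payload = hop_by_hop + tcp
    src = ipaddress.IPv6Address("fe80::201:e8ff:fe8b:7570").packed  # link-local from the page
    dst = ipaddress.IPv6Address("1212::12").packed                  # global unicast from the page
    word0 = (6 << 28) | (0 << 20) | 0  # version 6, traffic class 0, flow label 0
    fixed = struct.pack("!IHBB", word0, len(payload), 0, 64) + src + dst
    return fixed + payload


SAMPLE_PACKET = build_sample_packet()
```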
Link-local Addresses

Link-local addresses, starting with fe80:, are assigned only in the local link area. The addresses are usually generated automatically by the operating system's IP layer for each network interface. This provides instant automatic network connectivity for any IPv6 host and means that if several hosts connect to a common hub or switch, they have an instant communication path via their link-local IPv6 address. Link-local addresses cannot be routed to the public Internet.
Feature and Functionality                    Dell Networking OS Release Introduction   Documentation and Chapter Location
Z9000
IPv6 BGP MD5 Authentication                  8.3.11                                    IPv6 BGP in the Dell Networking OS Command Line Reference Guide.
IS-IS for IPv6                               8.3.11                                    Intermediate System to Intermediate System IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide.
IS-IS for IPv6 support for redistribution    8.3.11                                    Intermediate System to Intermediate System IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide.
partition. The valid values are 1024, 2048 or 3072 prefixes. You must save the configuration and reload the switch for the change to take effect.
● The number of entries in Partition II is reduced as the number of entries in Partition I increases.
● To disable LPM CAM partitioning and return the number of the IPv6 /65-/128 route prefixes stored in Partition 1 to 0, enter the no cam-ipv6 extended-prefix command.
IPv6 Neighbor Discovery

The IPv6 neighbor discovery protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In place of address resolution protocol (ARP), NDP uses "Neighbor Solicitation" and "Neighbor Advertisement" ICMPv6 messages for determining relationships between neighboring nodes. Using these messages, an IPv6 device learns the link-layer addresses for neighbors known to reside on attached links, quickly purging cached values that become invalid.
● link local addresses
● loopback addresses
● prefix addresses
● multicast addresses
● invalid host addresses

If you specify this information in the IPv6 RDNSS configuration, a DNS error is displayed.

Example for Configuring an IPv6 Recursive DNS Server

The following example configures an RDNSS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
IPV6 is enabled
Link Local address: fe80::201:e8ff:fe8b:7570
Global Unicast address(es):
  1212::12, subnet is 1212::/64 (MANUAL)
  Remaining lifetime: infinite
Global Anycast address(es):
Joined Group address(es):
  ff02::1
  ff02::2
  ff02::1:ff00:12
  ff02::1:ff8b:7570
ND MTU is 0
ICMP redirects are not sent
DAD is enabled, number of DAD attempts: 3
ND reachable time is 20120 milliseconds
ND base reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is
Adjusting Your CAM Profile

Although adjusting your CAM profile is not a mandatory step, if you plan to implement IPv6 ACLs, Dell Networking recommends that you adjust your CAM settings. The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. There are 16 FP blocks, but the System Flow requires three blocks that cannot be reallocated. You must enter the ipv6acl allocation as a multiple of 2 (2, 4, 6, 8, 10).
Assigning a Static IPv6 Route

To configure IPv6 static routes, use the ipv6 route command.

NOTE: After you configure a static IPv6 route (the ipv6 route command) and configure the forwarding router's address (specified in the ipv6 route command) on a neighbor's interface, the IPv6 neighbor does not display in the show ipv6 route command output.

● Set up IPv6 static routes.
Displaying IPv6 Information

To view a specified IPv6 configuration, use the show ipv6 command.
● List the IPv6 show options.
DAD is enabled, number of DAD attempts: 3
ND reachable time is 32000 milliseconds
ND base reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND hop limit is 64

Displaying IPv6 Routes

To view the global IPv6 routing information, use the following command.
● Display IPv6 routing information for the specified route type.
EXEC mode
show ipv6 route type
The following keywords are available:
○ To display information about a network, enter ipv6 address (X:X:X:X::X).
L  fe80::/10 [0/0]
     Direct, Nu 0, 00:34:42
Dell#show ipv6 route static
Destination                 Dist/Metric, Gateway, Last Change
----------------------------------------------------
S  8888:9999:5555:6666:1111:2222::/96 [1/0]
     via 2222:2222:3333:3333::1, Te 9/1, 00:03:16
S  9999:9999:9999:9999::/64 [1/0]
     via 8888:9999:5555:6666:1111:2222:3333:4444, 00:03:16

Displaying the Running Configuration for an Interface

To view the configuration for any interface, use the following command.
26 iSCSI Optimization

This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
switch. Preferential treatment helps to avoid session interruptions during times of congestion that would otherwise cause dropped iSCSI packets.
● iSCSI DCBx TLVs are supported.

The following illustration shows iSCSI optimization between servers and a storage array in which a stack of three switches connects installed servers (iSCSI initiators) to a storage array (iSCSI targets) in a SAN network.
Table 27. iSCSI Optimization Defaults (continued)

Parameter                          Default Value
VLAN priority tag                  iSCSI flows are assigned by default to dot1p priority 4 without the remark setting.
DSCP                               None: user-configurable.
Remark                             Not configured.
iSCSI session aging time           10 minutes
iSCSI optimization target ports    iSCSI well-known ports 3260 and 860 are configured as default (with no IP address or name) but can be removed as any other configured target.
iSCSI session monitoring           Disabled.
5. Reload the switch.
EXEC Privilege mode
reload
After the switch is reloaded, DCB/DCBx and iSCSI monitoring are enabled.
6. (Optional) Configure the iSCSI target ports and optionally the IP addresses on which iSCSI communication is monitored.
CONFIGURATION mode
[no] iscsi target port tcp-port-1 [tcp-port-2...tcp-port-16] [ip-address address]
● tcp-port-n is the TCP port number or a list of TCP port numbers on which the iSCSI target listens to requests.
11. (Optional) Configure the auto-detection of Compellent arrays on a port.
INTERFACE mode
[no] iscsi profile-compellent
The default is: Compellent disk arrays are not detected.

Displaying iSCSI Optimization Information

To display information on iSCSI optimization, use the following show commands.
● Display the currently configured iSCSI settings.
show iscsi
● Display information on active iSCSI sessions on the switch.
  IP Address       TCP Port    IP Address       TCPPort   ID
  10.10.0.44       33345       10.10.0.101      3260      0
VLT PEER2
Session 0:
------------------------------------------------------------
Target:iqn.2010-11.com.ixia:ixload:iscsi-TG1
Initiator:iqn.2010-11.com.ixia.ixload:initiator-iscsi-2c
Up Time:00:00:01:28(DD:HH:MM:SS)
Time for aging out:00:00:09:34(DD:HH:MM:SS)
ISID:806978696102
  Initiator        Initiator   Target           Target    Connection
  IP Address       TCP Port    IP Address       TCPPort   ID
  10.10.0.53       33432       10.10.0.
Monitoring iSCSI Traffic Flows

The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that trap iSCSI protocol packets to the CPU for examination. Devices that initiate iSCSI sessions usually use well-known TCP ports 3260 or 860 to contact targets. When you enable iSCSI optimization, by default the switch identifies IP packets to or from these ports as iSCSI traffic.
The following message displays the first time a Dell EqualLogic array is detected and describes the configuration changes that are automatically performed:

%SYSTEM:CP %IFMGR-5-IFM_ISCSI_AUTO_CONFIG: This switch is being configured for optimal conditions to support iSCSI traffic which will cause some automatic configuration to occur including jumbo frames and flow-control on all ports; no storm control and spanning-tree port fast to be enabled on the port of detection.
You can configure whether iSCSI frames are re-marked to contain the configured VLAN priority tag or IP DSCP when forwarded through the switch.

NOTE: On a switch in which a large proportion of traffic is iSCSI, CoS queue assignments may interfere with other network control-plane traffic, such as ARP or LACP. Balance preferential treatment of iSCSI traffic against the needs of other critical data in the network.
27 Intermediate System to Intermediate System

The intermediate system to intermediate system (IS-IS) protocol uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter.
The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.0001) are the area address. The system portion is 000c.000a.4321 and the last byte is always 0.

Figure 53. ISO Address Format

Multi-Topology IS-IS

Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases.
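Added example, not code from the Dell guide: a Python parser for the ISO address format in the figure above (variable-length area address starting with the AFI byte, 6-byte system ID, NSEL always 00). The check that all NETs configured on one router share a system ID and differ only in area is a standard IS-IS rule assumed here, not stated on this page; the show running-config isis output later in this chapter, with two NETs on the same router, is used as the sample input.

```python
import re


def _dotted(hexs: str, lead: int) -> str:
    """Re-group hex digits the way the CLI prints them: `lead` digits, then groups of 4."""
    head, rest = hexs[:lead], hexs[lead:]
    groups = [rest[i:i + 4] for i in range(0, len(rest), 4)]
    return ".".join([head] + groups) if groups else head


def parse_net(net: str) -> dict:
    """Split an IS-IS NET such as 47.0005.0001.000c.000a.4321.00 into its parts.

    Layout (from the page's ISO address figure): a variable-length area address
    whose first byte is the AFI, a fixed 6-byte system ID, and a final NSEL
    byte that is always 00 for a NET. The whole NSAP is 8 to 20 bytes long.
    """
    hexs = net.replace(".", "").lower()
    if not re.fullmatch(r"[0-9a-f]+", hexs) or len(hexs) % 2:
        raise ValueError(f"{net!r}: not a dotted hex string of whole bytes")
    nbytes = len(hexs) // 2
    if not 8 <= nbytes <= 20:
        raise ValueError(f"{net!r}: NET must be 8 to 20 bytes, got {nbytes}")
    nsel, sysid, area = hexs[-2:], hexs[-14:-2], hexs[:-14]
    if nsel != "00":
        raise ValueError(f"{net!r}: NSEL must be 00 for a NET, got {nsel}")
    return {
        "afi": area[:2],
        "area": _dotted(area, lead=2),
        "area_bytes": len(area) // 2,
        "system_id": _dotted(sysid, lead=4),
        "nsel": nsel,
    }


def check_router_nets(nets: list[str]) -> list[str]:
    """Return the problems found in one router's NET list (empty list = consistent).

    Assumed rule: every NET on a router must carry the same system ID; only
    the area address may differ, and no area may be listed twice.
    """
    parsed = [parse_net(n) for n in nets]
    problems: list[str] = []
    sysids = {p["system_id"] for p in parsed}
    if len(sysids) > 1:
        problems.append(f"system IDs differ across NETs: {sorted(sysids)}")
    areas = [p["area"] for p in parsed]
    if len(areas) != len(set(areas)):
        problems.append("duplicate area address in NET list")
    return problems


# Constructed sample: the two NETs from this chapter's show running-config isis output.
ROUTER_NETS = ["47.0005.0001.000C.000A.4321.00", "51.0005.0001.000C.000A.4321.00"]
```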
Interface Support

MT IS-IS is supported on physical Ethernet interfaces, physical synchronous optical network technologies (SONET) interfaces, port-channel interfaces (static and dynamic using LACP), and virtual local area network (VLAN) interfaces.

Adjacencies

Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions.
Multi-topology IS-IS adds TLVs:
● MT TLV — contains one or more Multi-Topology IDs in which the router participates. This TLV is included in IIH and the first fragment of an LSP.
● MT Intermediate Systems TLV — appears for every topology a node supports. An MT ID is added to the extended IS reachability TLV type 22.
● MT Reachable IPv4 Prefixes TLV — appears for each IPv4 prefix an IS announces for a given MT ID. Its structure is aligned with the extended IS Reachability TLV Type 236 and it adds an MT ID.
● Configuring the IS-IS Metric Style
● Configuring IS-IS Cost
● Changing the IS-Type
● Controlling Routing Updates
● Configuring Authentication Passwords
● Setting the Overload Bit
● Debugging IS-IS

Enabling IS-IS

By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address. To exchange protocol information with neighbors, enable IS-IS on an interface, instead of on a network as with other routing protocols.
● mask: The prefix length is from 0 to 128.
The IPv6 address must be on the same subnet as other IS-IS neighbors, but the IP address does not need to relate to the NET address.
6. Enable IS-IS on the IPv4 interface.
ROUTER ISIS mode
ip router isis [tag]
If you configure a tag variable, it must be the same as the tag variable assigned in step 1.
7. Enable IS-IS on the IPv6 interface.
● A Level 2 router becomes a neighbor with another Level 2 router regardless of the area address configured. However, if the area addresses are different, the link between the Level 2 routers is only at Level 2.

Configuring Multi-Topology IS-IS (MT IS-IS)

To configure multi-topology IS-IS (MT IS-IS), use the following commands.
1. Enable multi-topology IS-IS for IPv6.
graceful-restart t1 {interval seconds | retry-times value}
○ interval: wait time (the range is from 5 to 120. The default is 5.)
○ retry-times: number of times an unacknowledged restart request is sent before the restarting router gives up the graceful restart engagement with the neighbor. (The range is from 1 to 10 attempts. The default is 1.)
● Configure the time for the graceful restart timer T2 that a restarting router uses as the wait time for each database to synchronize.
To view all interfaces configured with IS-IS routing along with the defaults, use the show isis interface command in EXEC Privilege mode.

Dell#show isis interface G1/34
GigabitEthernet 2/10 is up, line protocol is up
  MTU 1497, Encapsulation SAP
  Routing Protocol: IS-IS
    Circuit Type: Level-1-2
    Interface Index 0x62cc03a, Local circuit ID 1
    Level-1 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.
Dell#show running-config isis
!
router isis
 lsp-refresh-interval 902
 net 47.0005.0001.000C.000A.4321.00
 net 51.0005.0001.000C.000A.4321.00
Dell#

Configuring the IS-IS Metric Style

All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63.
  Loopback 0
Redistributing:
Distance: 115
Generate narrow metrics: level-1-2
Accept narrow metrics: level-1-2
Generate wide metrics: none
Accept wide metrics: none
Dell#

Configuring the IS-IS Cost

When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands.
● Assign an IS-IS metric.
Changing the IS-Type

You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands.
● Configure the IS-IS operating level for a router.
ROUTER ISIS mode
is-type {level-1 | level-1-2 | level-2-only}
The default is level-1-2.
● Change the IS-type for the IS-IS process.
Distribute Routes

Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes, and routes must meet the conditions of the prefix lists or the system does not install the route in the routing table. The prefix lists are globally applied on all interfaces running IS-IS. Configure the prefix list in PREFIX LIST mode prior to assigning it to the IS-IS process.
○ For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383.
○ For a port channel, enter the keywords port-channel then a number.
○ For a SONET interface, enter the keyword sonet then the slot/port information.
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
○ For a VLAN, enter the keyword vlan then a number from 1 to 4094.
● Apply a configured prefix list to all outgoing IPv6 IS-IS routes.
○ metric-type: external or internal.
○ map-name: enter the name of a configured route map.

Redistributing IPv6 Routes

To add routes from other routing instances or protocols, use the following commands.

NOTE: These commands apply to IPv6 IS-IS only. To apply prefix lists to IPv4 routes, use the ROUTER ISIS mode previously shown.

● Include BGP, directly connected, RIP, or user-configured (static) routes in IS-IS.
domain-password [encryption-type | hmac-md5] password

FTOS supports both DES and HMAC-MD5 authentication methods. This password is inserted in Level 2 LSPs, Complete SNPs, and Partial SNPs.

To view the passwords, use the show config command in ROUTER ISIS mode or the show running-config isis command in EXEC Privilege mode.

To remove a password, use either the no area-password or the no domain-password command in ROUTER ISIS mode.
EXEC Privilege mode
debug isis local-updates [interface]
To view specific information, enter the following optional parameter:
○ interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
● View IS-IS SNP packets, including CSNPs and PSNPs.
Metric Style        Correct Value Range for the isis metric Command
wide transition     0 to 16777215
narrow transition   0 to 63
transition          0 to 63

Maximum Values in the Routing Table

IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000.

Change the IS-IS Metric Style in One Level Only

By default, the IS-IS metric style is narrow.
Table 30. Metric Value When the Metric Style Changes (continued)

Beginning Metric Style   Final Metric Style   Resulting IS-IS Metric Value
wide transition          wide                 original value
wide transition          narrow               default value (10) if the original value is greater than 63. A message is sent to the console.
wide transition          narrow transition    default value (10) if the original value is greater than 63. A message is sent to the console.
Table 32.
Figure 54. IPv6 IS-IS Sample Topology

The following is a sample configuration for enabling IPv6 IS-IS.

IS-IS Sample Configuration — Congruent Topology

Dell(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ip address 24.3.1.1/24
 ipv6 address 24:3::1/76
 ip router isis
 ipv6 router isis
 no shutdown
Dell(conf-if-te-3/17)#
Dell(conf-router_isis)#show config
!
router isis
 metric-style wide level-1
 metric-style wide level-2
 net 34.0000.0000.AAAA.
IS-IS Sample Configuration — Multi-topology Transition

Dell(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
Dell(conf-if-te-3/17)#
Dell(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
28 Link Aggregation Control Protocol (LACP)

A link aggregation group (LAG), referred to as a port channel by the Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic.

Topics:
• Introduction to Dynamic LAGs and LACP
• LACP Configuration Tasks
• Shared LAG State Tracking
• LACP Basic Configuration Example

Introduction to Dynamic LAGs and LACP

The Dell Networking OS uses LACP to create dynamic LAGs.
● You can configure a maximum of 128 port-channels with up to 16 members per channel.

LACP Modes

Three LACP configuration modes are supported — Off, Active, and Passive.
● Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state.
● Active — In this state, the interface is said to be in the "active negotiating state." LACP runs on any link that is configured to be in this state.
● Monitoring and Debugging LACP
● Configuring Shared LAG State Tracking

Creating a LAG

To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces.
● Create a dynamic port channel (LAG).
CONFIGURATION mode
interface port-channel
● Create a dynamic port channel (LAG).
CONFIGURATION mode
switchport

The following example shows configuring a LAG interface.
Setting the LACP Long Timeout

PDUs are exchanged between port channel (LAG) interfaces to maintain LACP sessions. PDUs are transmitted at either a slow or fast transmission rate, depending upon the LACP timeout value. The timeout value is the amount of time that a LAG interface waits for a PDU from the remote system before bringing the LACP session down. The default timeout value is 1 second. You can configure the default timeout value to be 30 seconds.
Figure 55. Shared LAG State Tracking

To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). The system has the ability to bring LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group.

Configuring Shared LAG State Tracking

To configure shared LAG state tracking, you configure a failover group.
Figure 56. Configuring Shared LAG State Tracking

The following are shared LAG state tracking console messages:
● 2d1h45m: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 1
● 2d1h45m: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2

To view the status of a failover group member, use the show interface port-channel command.
LACP Basic Configuration Example

The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names.

Figure 57. LACP Basic Configuration Example

Configure a LAG on ALPHA

The following example creates a LAG on ALPHA.
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics
     136 packets, 16718 bytes, 0 underruns
     0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     136 Multicasts, 0 Broadcasts, 0 Unicasts
     0 Vlans, 0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec, 0 packets/sec, 0.
Figure 59.
Figure 60.
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int tengig 3/21
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-te-3/21)#port-channel-protocol lacp
Bravo(conf-if-te-3/21-lacp)#port-channel 10 mode active
Bravo(conf-if-te-3/21-lacp)#no shut
Bravo(conf-if-te-3/21)#end
!
interface TengigabitEthernet 3/21
 no ip address
!
 port-ch
Figure 61.
Figure 62.
Figure 63. Inspecting the LAG Status Using the show lacp command

The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
29 Layer 2

This chapter describes the Layer 2 features supported on the Z9500.

Topics:
• Manage the MAC Address Table
• MAC Learning Limit
• NIC Teaming
• Configure Redundant Pairs
• Far-End Failure Detection

Manage the MAC Address Table

You can perform the following management tasks on the MAC address table.
Configuring a Static MAC Address

A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command.
● Create a static MAC address entry in the MAC address table.
CONFIGURATION mode
mac-address-table static

Displaying the MAC Address Table

To display the MAC address table, use the following command.
● Display the contents of the MAC address table.
INTERFACE mode
mac learning-limit address_limit

Three options are available with the mac learning-limit command:
○ dynamic
○ no-station-move
○ station-move

NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations.

mac learning-limit Dynamic

The MAC address table is stored on the Layer 2 forwarding information base (FIB) region of the CAM.
To display a list of all interfaces with a MAC learning limit, use the following command.
● Display a list of all interfaces with a MAC learning limit.
EXEC Privilege mode
show mac learning-limit

Dell Networking OS Behavior: The systems do not generate a station-move violation log entry for physical interfaces or port-channels when you configure mac learning-limit or when you configure mac learning-limit station-move violation log.
Recovering from Learning Limit and Station Move Violations

After a learning-limit or station-move violation shuts down an interface, you must manually reset it. To reset the learning limit, use the following commands.

NOTE: Alternatively, you can reset the interface by shutting it down using the shutdown command and then re-enabling it using the no shutdown command.

● Reset interfaces in the ERR_Disabled state caused by a learning limit violation or station move violation.
Figure 65. Configuring the mac-address-table station-move refresh-arp Command

Configure Redundant Pairs

Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 66. Configuring Redundant Layer 2 Pairs without Spanning Tree

You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
As shown in the previous illustration, interface 3/41 is a backup interface for 3/42, and 3/42 is in the Down state. If 3/41 fails, 3/42 transitions to the Up state, which makes the backup link active. A message similar to the following message appears whenever you configure a backup port.
Dell(conf-if-po-1)#switchport backup interface tengigabitethernet 0/2
Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Te 0/2
Dell(conf-if-po-1)#

Far-End Failure Detection

Far-end failure detection (FEFD) is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis.
2. After you enable FEFD on an interface, it transitions to the Unknown state and sends an FEFD packet to the remote end of the link.
3. When the local interface receives the echoed packet from the remote end, the local interface transitions to the Bi-directional state.
4. If the FEFD-enabled system is configured to use FEFD in Normal mode and neighboring echoes are not received after three intervals (you can set each interval between 3 and 300 seconds), the state changes to Unknown.
5.
fefd {interval | mode}

To display information about the state of each interface, use the show fefd command in EXEC Privilege mode.

Dell#show fefd
FEFD is globally 'ON', interval is 3 seconds, mode is 'Normal'.
Debugging FEFD

To debug FEFD, use the first command. To provide output for each packet transmission over the FEFD-enabled connection, use the second command.
● Display output whenever events occur that initiate or disrupt an FEFD-enabled connection.
EXEC Privilege mode
debug fefd events
● Provide output for each packet transmission over the FEFD-enabled connection.
EXEC Privilege mode
debug fefd packets

The following example shows the debug fefd events command.
30 Link Layer Discovery Protocol (LLDP)

This chapter describes how to configure and use the link layer discovery protocol (LLDP) on the Z9500 switch.

Topics:
• 802.
TLVs are encapsulated in a frame called an LLDP data unit (LLDPDU) (shown in the following table), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements. There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs.
Figure 70. Organizationally Specific TLV

IEEE Organizationally Specific TLVs

Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs.

Table 35. Optional TLV Types

Type   TLV                Description
4      Port description   A user-defined alphanumeric string that describes the port. The Dell Networking OS does not currently support this TLV.
Table 35. Optional TLV Types (continued)

Type   TLV                Description
                          and mandatory (non-configurable) in the LLDP-MED implementation.
127    Power via MDI      Dell Networking supports the LLDP-MED protocol, which recommends that the Power via MDI TLV not be implemented, and therefore Dell Networking implements the Extended Power via MDI TLV only.
127    Link Aggregation   Indicates whether the link is capable of being aggregated, whether it is currently in a LAG, and the port identification of the LAG.
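Added example, not code from the Dell guide: a Python parser for the LLDPDU structure described earlier in this chapter (a sequence of TLVs ending in the End of LLDPDU TLV, with type 127 carrying an OUI and subtype as in Figure 70), plus a structural check that a received LLDPDU starts with the mandatory Chassis ID, Port ID and TTL TLVs. The 7-bit type / 9-bit length TLV header and the Chassis ID, Port ID and 802.1 subtype values are taken from IEEE 802.1AB, not from this page; the sample LLDPDU is constructed inline.

```python
import struct

# TLV type names from IEEE 802.1AB; type 4 (Port description) and 127 are in Table 35 above.
TLV_NAMES = {
    0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
    4: "Port description", 5: "System name", 6: "System description",
    7: "System capabilities", 8: "Management address", 127: "Organizationally specific",
}
IEEE_8021_OUI = bytes.fromhex("0080c2")  # the IEEE OUI 00-80-C2 quoted on the page


def parse_lldpdu(data: bytes) -> list[dict]:
    """Split an LLDPDU into TLV dicts; a type 127 TLV also gets its OUI and subtype."""
    tlvs: list[dict] = []
    off = 0
    while off + 2 <= len(data):
        header = struct.unpack("!H", data[off:off + 2])[0]
        ttype, length = header >> 9, header & 0x1FF  # 7-bit type, 9-bit length
        value = data[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {ttype} at offset {off} is truncated")
        off += 2 + length
        tlv = {"type": ttype, "name": TLV_NAMES.get(ttype, "reserved"),
               "length": length, "value": value}
        if ttype == 127:
            if length < 4:
                raise ValueError("organizationally specific TLV needs OUI and subtype")
            tlv["oui"], tlv["subtype"], tlv["value"] = value[:3], value[3], value[4:]
        tlvs.append(tlv)
        if ttype == 0:  # End of LLDPDU terminates parsing; trailing bytes are padding
            break
    return tlvs


def validate_lldpdu(tlvs: list[dict]) -> list[str]:
    """Structural checks: Chassis ID, Port ID, TTL first and in order; End TLV last."""
    problems: list[str] = []
    types = [t["type"] for t in tlvs]
    if types[:3] != [1, 2, 3]:
        problems.append("mandatory TLVs (Chassis ID, Port ID, TTL) missing or out of order")
    if not types or types[-1] != 0:
        problems.append("End of LLDPDU TLV missing")
    if len(tlvs) > 2 and tlvs[2]["type"] == 3 and tlvs[2]["length"] != 2:
        problems.append("TTL TLV must carry a 2-octet value")
    return problems


def ttl_seconds(tlvs: list[dict]) -> int:
    """Return the advertised TTL, after which the neighbor entry must be aged out."""
    ttl = next(t for t in tlvs if t["type"] == 3)
    return struct.unpack("!H", ttl["value"])[0]


def tlv(ttype: int, value: bytes) -> bytes:
    """Encode one TLV (used only to build the constructed sample below)."""
    return struct.pack("!H", (ttype << 9) | len(value)) + value


# Constructed sample LLDPDU: MAC chassis ID (subtype 4), interface-name port ID
# (subtype 5), TTL 120 s, a port description, and an IEEE 802.1 Port VLAN ID
# TLV (OUI 00-80-C2, subtype 1) carrying VLAN 101.
SAMPLE_LLDPDU = (
    tlv(1, b"\x04" + bytes.fromhex("0001e88b7570"))
    + tlv(2, b"\x05" + b"Te 1/31")
    + tlv(3, struct.pack("!H", 120))
    + tlv(4, b"uplink to R1")
    + tlv(127, IEEE_8021_OUI + b"\x01" + struct.pack("!H", 101))
    + tlv(0, b"")
)
```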
Table 36. TIA-1057 (LLDP-MED) Organizationally Specific TLVs (continued)

Type   SubType   TLV                       Description
127    2         Network Policy            Indicates the application type, VLAN ID, Layer 2 Priority, and DSCP value.
127    3         Location Identification   Indicates the physical location of the device, expressed in one of three possible formats:
                                           ● Coordinate Based LCI
                                           ● Civic Address LCI
                                           ● Emergency Call Services ELIN
127    4         Location Identification   Indicates power requirements, priority, and power status.
Figure 71. LLDP-MED Capabilities TLV

Table 37. LLDP-MED Capabilities

Bit Position   TLV                          Supported?
0              LLDP-MED Capabilities        Yes
1              Network Policy               Yes
2              Location Identification      Yes
3              Extended Power via MDI-PSE   Yes
4              Extended Power via MDI-PD    No
5              Inventory                    No
6–15           reserved                     No

Table 38.
Table 39. Network Policy Applications (continued)

Type   Application       Description
1      Voice             Specify this application type for dedicated IP telephony handsets and other appliances supporting interactive voice services.
2      Voice Signaling   Specify this application type only if voice control packets use a separate network policy than voice data.
Figure 73. Extended Power via MDI TLV

Configure LLDP
Configuring LLDP is a two-step process.
1. Enable LLDP globally.
2. Advertise TLVs out of an interface.

Related Configuration Tasks
● Viewing the LLDP Configuration
● Viewing Information Advertised by Adjacent LLDP Agents
● Configuring LLDPDU Intervals
● Configuring Transmit and Receive Mode
● Configuring a Time to Live
● Debugging LLDP

Important Points to Remember
● LLDP is enabled by default.
  mode        LLDP mode configuration (default = rx and tx)
  multiplier  LLDP multiplier configuration
  no          Negate a command or set its defaults
  show        Show LLDP configuration
R1(conf-lldp)#exit
R1(conf)#interface tengigabitethernet 1/31
R1(conf-if-te-1/31)#protocol lldp
R1(conf-if-te-1/31-lldp)#?
  advertise   Advertise TLVs
  disable     Disable LLDP protocol on this interface
  end         Exit from configuration mode
  exit        Exit from LLDP configuration mode
  hello       LLDP hello configuration
  mode        LLDP mode configuration (default = rx and tx)
Disabling and Undoing LLDP on Management Ports
To disable or undo LLDP on management ports, use the following commands.
1. Enter Protocol LLDP mode.
   CONFIGURATION mode
   protocol lldp
2. Enter LLDP management-interface mode.
   LLDP-MANAGEMENT-INTERFACE mode
   management-interface
3. Enter the disable command.
   LLDP-MANAGEMENT-INTERFACE mode
   disable
To undo an LLDP management port configuration, precede the relevant command with the keyword no.
Figure 74. Configuring LLDP

Viewing the LLDP Configuration
To view the LLDP configuration, use the following command.
● Display the LLDP configuration.
   CONFIGURATION or INTERFACE mode
   show config
The following example shows viewing an LLDP global configuration.
● Display brief information about adjacent devices.
   show lldp neighbors
● Display all of the information that neighbors are advertising.
   show lldp neighbors detail
The following example shows viewing brief information advertised by neighbors.
  advertise dot3-tlv max-frame-size
  advertise management-tlv system-capabilities system-description
  no disable
R1(conf-lldp)#mode ?
  rx   Rx only
  tx   Tx only
R1(conf-lldp)#mode tx
R1(conf-lldp)#show config
!
protocol lldp
  advertise dot1-tlv port-protocol-vlan-id port-vlan-id
  advertise dot3-tlv max-frame-size
  advertise management-tlv system-capabilities system-description
  mode tx
  no disable
R1(conf-lldp)#no mode
R1(conf-lldp)#show config
!
protocol lldp
  advertise dot1-tlv port-protocol-vlan-id port-vlan-id
  advertise dot3-tlv max-frame-size
  advertise management-tlv system-capabilities system-description
  no disable
R1(conf-lldp)#

Configuring a Time to Live
The information received from a neighbor expires after a specific amount of time (measured in seconds) called a time to live (TTL). The TTL is the product of the LLDPDU transmit interval (hello) and an integer called a multiplier. The default multiplier is 4, which results in a default TTL of 120 seconds.
● Adjust the TTL value.
Figure 75. The debug lldp detail Command — LLDPDU Packet Dissection

Relevant Management Objects
The system supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with:
● received and transmitted TLVs
● the LLDP configuration on the local agent
● IEEE 802.1AB Organizationally Specific TLVs
● received and transmitted LLDP-MED TLVs

Table 40.
Table 40. LLDP Configuration MIB Objects (continued)
MIB Object Category | LLDP Variable | LLDP MIB Object | Description
(continued) | mibMgmtAddrInstanceTxEnable | lldpManAddrPortsTxEnable | The management addresses defined for the system and the ports through which they are enabled for transmission.
LLDP Statistics | statsAgeoutsTotal | lldpStatsRxPortAgeoutsTotal | Total number of times that a neighbor's information is deleted on the local system due to an rxInfoTTL timer expiration.
31 Microsoft Network Load Balancing
Network Load Balancing (NLB) is a clustering functionality implemented by Microsoft on the Windows 2000 Server and Windows Server 2003 operating systems. Microsoft NLB clustering allows multiple servers running Microsoft Windows to be represented by one MAC address and one IP address to provide transparent failover and load balancing.
NLB Multicast Mode Example
Consider a sample topology in which four servers, S1 through S4, are configured as a cluster or farm. This set of servers is connected to a Layer 3 switch, which in turn is connected to the end clients. The servers share a single multicast MAC address (MAC-Cluster: 03-00-5E-11-11-11). In multicast NLB mode, a static ARP configuration command associates the cluster IP address with the multicast cluster MAC address.
● To verify that NLB VLAN flooding is enabled, enter the show running-config command. The command output displays the ip vlan-flooding CLI configuration, if it is enabled.

Configuring NLB on a Switch
You can enable NLB functionality to operate in unicast or multicast mode on a switch.
To enable NLB unicast mode:
● Enter the ip vlan-flooding command to enable Layer 3 unicast data traffic routed through a VLAN port to be flooded on all member ports of the VLAN connected to a server cluster.
32 Multicast Source Discovery Protocol (MSDP)
This chapter describes how to configure and use the Multicast Source Discovery Protocol (MSDP) on the Z9500 switch.

Protocol Overview
MSDP is a Layer 3 protocol that connects IPv4 Protocol Independent Multicast Sparse Mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as Border Gateway Protocol (BGP).
Implementation Information
The Dell Networking OS implementation of MSDP is in accordance with RFC 3618, and Anycast RP is in accordance with RFC 3446.

Configure Multicast Source Discovery Protocol
Configuring MSDP is a four-step process.
1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures; the MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 81. Configuring MSDP

Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1. Enable MSDP.
   CONFIGURATION mode
   ip multicast-msdp
2. Peer PIM systems in different administrative domains.
   CONFIGURATION mode
   ip msdp peer connect-source
R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
R3#show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.
Clearing the Source-Active Cache
To clear the source-active cache, use the following command.
● Clear the SA cache of all, local, or rejected entries, or entries for a specific group.
   CONFIGURATION mode
   clear ip msdp sa-cache [group-address | local | rejected-sa]

Enabling the Rejected Source-Active Cache
To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error.
Figure 85. MSDP Default Peer, Scenario 4

Specifying Source-Active Messages
To specify messages, use the following command.
● Specify the forwarding peer and originating RP from which all active sources are accepted without regard for the RPF check.
   CONFIGURATION mode
   ip msdp default-peer ip-address list
If you do not specify an access list, the peer accepts all sources that the peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
Dell(conf)#ip msdp peer 10.0.50.
Dell#ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime    GroupAddr    SourceAddr  RPAddr      LearnedFrom  Reason
00:33:18  229.0.50.64  24.0.50.64  200.0.1.50  10.0.50.2    Rpf-Fail
00:33:18  229.0.50.65  24.0.50.65  200.0.1.50  10.0.50.2    Rpf-Fail
00:33:18  229.0.50.66  24.0.50.66  200.0.1.50  10.0.50.2    Rpf-Fail

Limiting the Source-Active Messages from a Peer
To limit the source-active messages from a peer, use the following commands.
1.
Preventing MSDP from Caching a Remote Source
To prevent MSDP from caching a remote source, use the following commands.
1. OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
   CONFIGURATION mode
   ip msdp cache-rejected-sa
2. Prevent the system from caching remote sources learned from a specific peer based on source and group.
   CONFIGURATION mode
   ip msdp sa-filter list out peer list ext-acl
As shown in the following example, R1 is advertising source 10.11.4.2.
R1(conf)#do show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr  SourceAddr  RPAddr       LearnedFrom
239.0.0.1  10.11.4.2   192.168.0.1  local
R1(conf)#do show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr  SourceAddr  RPAddr       LearnedFrom
239.0.0.1  10.11.4.2   192.168.0.1  192.168.0.
Clearing Peer Statistics
To clear the peer statistics, use the following command.
● Reset the TCP connection to the peer and clear all peer statistics.
   CONFIGURATION mode
   clear ip msdp peer peer-address
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.
RPs by strategically mapping groups to RPs, but this technique is less effective as traffic increases because preemptive load balancing requires prior knowledge of traffic distributions.
● Lack of scalable register decapsulation: With only a single RP per group, all joins are sent to that RP regardless of the topological distance between the RP, sources, and receivers, and data is transmitted to the RP until the SPT switch threshold is reached.
   CONFIGURATION mode
   ip pim rp-address
3. In each routing domain that has multiple RPs serving a group, create another Loopback interface on each RP serving the group with a unique IP address.
   CONFIGURATION mode
   interface loopback
4. Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source.
   CONFIGURATION mode
   ip msdp peer
5. Advertise the network of each of the unique Loopback addresses throughout the network.
 ip address 192.168.0.11/32
 no shutdown
!
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 10.11.3.0/24 area 0
 network 192.168.0.11/32 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 1
ip msdp peer 192.168.0.22 connect-source Loopback 1
ip msdp mesh-group AS100 192.168.0.22
ip msdp originator-id Loopback 1
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
ip multicast-routing
!
interface TenGigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.
 ip pim sparse-mode
 ip address 10.11.0.32/24
 no shutdown
interface TenGigabitEthernet 0/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.22 remote-as 100
 neighbor 192.168.0.22 ebgp-multihop 255
 neighbor 192.168.0.
 network 192.168.0.1/32 area 0
 network 10.11.3.0/24 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 0
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4

MSDP Sample Configuration: R2 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface TenGigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.2 remote-as 100
 neighbor 192.168.0.2 ebgp-multihop 255
 neighbor 192.168.0.2 update-source Loopback 0
 neighbor 192.168.0.2 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.1 connect-source Loopback 0
!
ip route 192.168.0.2/32 10.11.0.
33 Multiple Spanning Tree Protocol (MSTP)
Multiple Spanning Tree Protocol (MSTP), specified in IEEE 802.1Q-2003, is a Rapid Spanning Tree Protocol (RSTP)-based spanning tree variation that improves on Per-VLAN Spanning Tree Plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.

Protocol Overview
In contrast, PVST+ allows a spanning tree instance for each VLAN.
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations

Spanning Tree Variations
The Dell Networking OS supports four variations of spanning tree, as shown in the following table.

Table 44. Spanning Tree Variations
Dell Networking Term | IEEE Specification
Spanning Tree Protocol (STP) | 802.1d
Rapid Spanning Tree Protocol (RSTP) | 802.1w
Multiple Spanning Tree Protocol (MSTP) | 802.
Enable Multiple Spanning Tree Globally
MSTP is not enabled by default. To enable MSTP globally, use the following commands.
When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of MSTI 0.
● Within an MSTI, only one path from any bridge to any other bridge is enabled.
● Bridges block a redundant path by disabling one of the link ports.
1. Enter PROTOCOL MSTP mode.
   CONFIGURATION mode
   protocol spanning-tree mstp
2. Enable MSTP.
All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
Dell(conf-mstp)#name my-mstp-region
Dell(conf-mstp)#exit
Dell(conf)#do show spanning-tree mst config
MST region name: my-mstp-region
Revision: 0
MSTI  VID
 1    100
 2    200-300
To view the forwarding/discarding state of the ports participating in an MSTI, use the show spanning-tree msti command from EXEC Privilege mode.
Bridge ID: 0:0001.e809.c24a
Old Root: 32768:0001.e806.953e
New Root: 0:0001.e809.c24a
R3(conf-mstp)#show config
!
protocol spanning-tree mstp
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
 MSTI 2 bridge-priority 0

Interoperate with Non-Dell Bridges
The Dell Networking OS supports only one MSTP region. A region is a combination of three unique qualities:
● Name is a mnemonic string you assign to the region. The default region name is null.
● Revision is a 2-byte number. The default revision number is 0.
NOTE: Dell Networking recommends that only experienced network administrators change MSTP parameters. Poorly planned modification of MSTP parameters can negatively affect network performance.
To change the MSTP parameters, use the following commands on the root bridge.
1. Change the forward-delay parameter.
   PROTOCOL MSTP mode
   forward-delay seconds
   The range is from 4 to 30. The default is 15 seconds.
2. Change the hello-time parameter.
Table 45. Default Values for Port Costs by Interface
Port Cost | Default Value
100-Mb/s Ethernet interfaces | 200000
1-Gigabit Ethernet interfaces | 20000
10-Gigabit Ethernet interfaces | 2000
Port Channel with 100 Mb/s Ethernet interfaces | 180000
Port Channel with 1-Gigabit Ethernet interfaces | 18000
Port Channel with 10-Gigabit Ethernet interfaces | 1800
To change the port cost or priority of an interface, use the following commands.
1. Change the port cost of an interface.
■ Disable spanning tree on the interface (using the no spanning-tree command in INTERFACE mode).
■ Disable global spanning tree (using the no spanning-tree command in CONFIGURATION mode).
To verify that EdgePort is enabled, use the show config command from INTERFACE mode.
2. Assign Layer 2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 2/11,31
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 2/11,31
 no shutdown

Router 3 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer 2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
spanning-tree configuration revision 123
spanning-tree MSTi instance 1
spanning-tree MSTi vlan 1 100
spanning-tree MSTi instance 2
spanning-tree MSTi vlan 2 200
spanning-tree MSTi vlan 2 300
(Step 2)
interface 1/0/31
 no shutdown
 spanning-tree port mode enable
 switchport protected 0
 exit
interface 1/0/32
 no shutdown
 spanning-tree port mode enable
 switchport protected 0
 exit
(Step 3)
interface vlan 100
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 200
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 300
 ta
● MSTP Instances.
  ○ To verify the VLAN-to-MSTP-instance mapping, use the show commands.
  ○ Are there "extra" MSTP instances in the Sending or Received logs? This may mean that an additional MSTP instance was configured on one router but not the others.
The following example shows viewing an MSTP configuration.
34 Multicast Features
The Dell Networking OS supports the following multicast protocols:
● PIM Sparse-Mode (PIM-SM)
● Internet Group Management Protocol (IGMP)
● Multicast Source Discovery Protocol (MSDP)
Topics:
• Enabling IP Multicast
• Multicast with ECMP
• Implementation Information
• First Packet Forwarding for Lossless Multicast
• Multicast Policies

Enabling IP Multicast
Before enabling any multicast protocols, you must enable IP multicast routing.
● Enable multicast routing.
Figure 89. Multicast with ECMP

Implementation Information
Because protocol control traffic is redirected using the MAC address, and multicast control traffic and multicast data traffic might map to the same MAC address, the system might forward data traffic with certain MAC addresses to the CPU in addition to control traffic. Because the upper 5 bits of an IP multicast address are dropped in the translation, 32 different multicast group IDs all map to the same Ethernet address. For example, 224.0.0.
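As an added illustration of the aliasing described above (this is not code from the Dell guide), the following Python computes the standard IPv4-multicast-to-Ethernet mapping (01-00-5E plus the low 23 bits of the group, per RFC 1112) and enumerates the 32 groups that collide with a given one; the sample group 224.0.0.5 (OSPF AllSPFRouters) and the small list of well-known control groups are constructed for the demonstration.

```python
import ipaddress

MAC_PREFIX = 0x01005E000000   # IANA OUI 01-00-5E used for IPv4 multicast frames
LOW_BITS_MASK = 0x7FFFFF      # only the low 23 bits of the group address survive

# Sample of well-known link-local control groups (constructed list for this
# example): all-hosts, all-routers, OSPF AllSPFRouters/AllDRouters, RIPv2, PIM.
CONTROL_GROUPS = ("224.0.0.1", "224.0.0.2", "224.0.0.5",
                  "224.0.0.6", "224.0.0.9", "224.0.0.13")


def multicast_mac(group):
    """Return the Ethernet destination MAC for an IPv4 multicast group.

    The 4-bit 1110 class prefix and the 5 bits below it are discarded, so
    only 23 of the 28 variable bits reach the MAC layer.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = MAC_PREFIX | (int(addr) & LOW_BITS_MASK)
    return "-".join(f"{(mac >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))


def aliased_groups(group):
    """All 32 IPv4 multicast groups that map to the same MAC as `group`.

    The five discarded bits occupy bits 23..27 of the address; walking them
    through every value 0..31 enumerates the colliding groups.
    """
    low_bits = int(ipaddress.IPv4Address(group)) & LOW_BITS_MASK
    base = 0xE0000000  # 224.0.0.0
    return [str(ipaddress.IPv4Address(base | (hi << 23) | low_bits))
            for hi in range(32)]


def control_groups_sharing_mac(group):
    """Well-known control groups whose MAC a data group collides with.

    A non-empty result means frames sent to `group` are indistinguishable
    from that control traffic at the MAC layer, which is the condition under
    which the text says data traffic may be punted to the CPU.
    """
    mac = multicast_mac(group)
    return [c for c in CONTROL_GROUPS if multicast_mac(c) == mac]


if __name__ == "__main__":
    for g in ("224.0.0.5", "239.128.0.5", "239.1.1.1"):
        print(g, multicast_mac(g), control_groups_sharing_mac(g))
    print(aliased_groups("224.0.0.5"))
```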
First Packet Forwarding for Lossless Multicast
All initial multicast packets are forwarded to receivers to achieve lossless multicast. When the Dell Networking system is the RP and has receivers for a group G, it forwards all initial multicast packets for the group based on the (*,G) entry rather than discarding them until the (S,G) entry is created, making Dell Networking systems suitable for applications sensitive to multicast packet loss.
The default is 15000.
NOTE: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit may be superseded by this hardware space limitation. The opposite is also true: the CAM partition might not be exhausted when the system-wide route limit set by the ip multicast-limit command is reached.
Figure 90. Preventing a Host from Joining a Group

Table 46. Preventing a Host from Joining a Group — Description
Location | Description
1/21 | Interface GigabitEthernet 1/21; ip pim sparse-mode; ip address 10.11.12.1/24; no shutdown
1/31 | Interface GigabitEthernet 1/31; ip pim sparse-mode; ip address 10.11.13.1/24; no shutdown
2/1 | Interface GigabitEthernet 2/1; ip pim sparse-mode; ip address 10.11.1.
Table 46. Preventing a Host from Joining a Group — Description (continued)
Location | Description
2/11 | Interface GigabitEthernet 2/11; ip pim sparse-mode; ip address 10.11.12.2/24; no shutdown
2/31 | Interface GigabitEthernet 2/31; ip pim sparse-mode; ip address 10.11.23.1/24; no shutdown
3/1 | Interface GigabitEthernet 3/1; ip pim sparse-mode; ip address 10.11.5.1/24; no shutdown
3/11 | Interface GigabitEthernet 3/11; ip pim sparse-mode; ip address 10.11.13.
Preventing a PIM Router from Forming an Adjacency
To prevent a router from participating in PIM (for example, to configure stub multicast routing), use the following command.
● Prevent a router from participating in Protocol Independent Multicast (PIM).
   INTERFACE mode
   ip pim neighbor-filter

Preventing a Source from Registering with the RP
To prevent the PIM source DR from sending register packets to the RP for the specified multicast source and group, use the following command.
Figure 91. Preventing a Source from Transmitting to a Group

Table 47. Preventing a Source from Transmitting to a Group — Description
Location | Description
1/21 | Interface GigabitEthernet 1/21; ip pim sparse-mode; ip address 10.11.12.1/24; no shutdown
1/31 | Interface GigabitEthernet 1/31; ip pim sparse-mode; ip address 10.11.13.1/24; no shutdown
2/1 | Interface GigabitEthernet 2/1; ip pim sparse-mode; ip address 10.11.1.
Table 47. Preventing a Source from Transmitting to a Group — Description (continued)
Location | Description
2/11 | Interface GigabitEthernet 2/11; ip pim sparse-mode; ip address 10.11.12.2/24; no shutdown
2/31 | Interface GigabitEthernet 2/31; ip pim sparse-mode; ip address 10.11.23.1/24; no shutdown
3/1 | Interface GigabitEthernet 3/1; ip pim sparse-mode; ip address 10.11.5.1/24; no shutdown
3/11 | Interface GigabitEthernet 3/11; ip pim sparse-mode; ip address 10.11.13.
35 Open Shortest Path First (OSPFv2 and OSPFv3)
This chapter describes how to configure and use Open Shortest Path First (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) on the Z9500.
NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3. This chapter identifies and clarifies the differences between the two versions of OSPF.
Figure 92. Autonomous System Areas

Area Types
The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a non-backbone area and function as if they were direct links.
Networks and Neighbors
As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keepalive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Backbone Router (BR)
A backbone router (BR) is part of the OSPF backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR but are only part of Area 0, such as Router I in the previous example.

Area Border Router (ABR)
Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link-state database.
● Type 3: Summary LSA (OSPFv2), Inter-Area-Prefix LSA (OSPFv3) — An ABR takes information it has learned on one of its attached areas and can summarize it before sending it out to the other areas it is connected to. The link-state ID of the Type 3 LSA is the destination network number.
● Type 4: AS Border Router Summary LSA (OSPFv2), Inter-Area-Router LSA (OSPFv3) — In some cases, Type 5 External LSAs are flooded to areas where the detailed next-hop information may not be available.
Router Priority and Cost
Router priority and cost is the method the system uses to "rate" the routers. For example, if a DR is not assigned, the system selects the router with the highest priority as the DR. The router with the second highest priority is the BDR.
● Priority is a numbered rating from 0 to 255. The higher the number, the higher the priority.
● Cost is a numbered rating from 1 to 65535. The higher the number, the greater the cost. The cost assigned reflects the cost should the router fail.
● Opaque Link-Local (type 9)
● Grace LSA, OSPFv3 only (type 11)

Fast Convergence (OSPFv2, IPv4 Only)
Fast convergence allows you to define the speeds at which LSAs are originated and accepted, reducing OSPFv2 end-to-end convergence time. The system allows you to accept and originate LSAs as soon as they are available to speed up route information propagation.
NOTE: The faster the convergence, the more frequent the route calculations and updates.
The following example shows no change in the updated packets (shown in bold). "Acks 2" (shown in bold) is printed only for ACK packets.
00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2 aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 1000
  LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.0 seq:0x8000000c
  LSType:Type-5 AS External id:160.1.2.0 adv:6.1.0.0 seq:0x8000000c
00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.
In the following example, the dead interval is set at 4x the hello interval (shown in bold).
Dell (conf-if-te-2/2)#ip ospf dead-interval 20
Dell (conf-if-te-2/2)#do show ip os int te 1/3
TengigabitEthernet 2/2 is up, line protocol is up
  Internet Address 20.0.0.1/24, Area 0
  Process ID 10, Router ID 1.1.1.2, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 1.1.1.2, Interface address 30.0.0.1
  Backup Designated Router (ID) 1.1.1.1, Interface address 30.0.0.
Enabling OSPFv2
To enable Layer 3 routing, assign an IP address to an interface (physical or Loopback). By default, OSPF, like all routing protocols, is disabled. You must configure at least one interface for Layer 3 before enabling OSPFv2 globally. If implementing multi-process OSPF, create an equal number of Layer 3 enabled interfaces and OSPF process IDs. For example, if you create four OSPFv2 process IDs, you must have four interfaces with Layer 3 enabled.
1. Assign an IP address to an interface.
  Supports only single TOS (TOS0) routes
  SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
  Number of area in this router is 0, normal 0 stub 0 nssa 0
Dell#

Enabling Multi-Process OSPF (OSPFv2, IPv4 Only)
Multi-process OSPF allows multiple OSPFv2 processes on a single router. For more information, refer to Multi-Process OSPF (OSPFv2, IPv4 Only).
When configuring a single OSPF process, follow the same steps previously described. Repeat them as often as necessary for the desired number of processes.
Enable OSPFv2 on Interfaces
Enable and configure OSPFv2 on each interface (configured for a Layer 3 protocol and not shut down). You can also assign OSPFv2 to a Loopback interface as a virtual interface. OSPF functions and features, such as MD5 Authentication, Grace Period, and Authentication Wait Time, are assigned on a per-interface basis.
NOTE: If using features like MD5 Authentication, ensure all the neighboring routers are also configured for MD5.
Example of Viewing OSPF Status on a Loopback Interface
Dell#show ip ospf 1 int
TengigabitEthernet 13/23 is up, line protocol is up
  Internet Address 10.168.0.1/24, Area 0.0.0.1
  Process ID 1, Router ID 10.168.253.2, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 10.168.253.5, Interface address 10.168.0.4
  Backup Designated Router (ID) 192.168.253.3, Interface address 10.168.0.
Configuring LSA Throttling Timers
Configured link-state advertisement (LSA) timers replace the standard transmit and acceptance times for LSAs. The LSA throttling timers are configured in milliseconds. The interval time increases exponentially until a maximum time is reached. If the maximum time is reached, the system continues to transmit at the maximum interval. If the system is stable for twice the maximum interval time, it reverts to the start-interval timer. The cycle repeats.
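To make the backoff concrete, here is an added Python model (not the Dell OS implementation) of the throttling behaviour just described: a start interval for the first origination, a hold interval that doubles after each origination up to the maximum, and a reset to the start interval once the LSA has been stable for twice the maximum. The parameter names, the folding of changes into an already scheduled origination, and the millisecond values are constructed for illustration.

```python
class LsaThrottle:
    """Model of exponential LSA origination throttling.

    start_ms: delay before the first origination after a quiet period
    hold_ms:  minimum gap between the first and second origination; it
              doubles after every origination until max_ms is reached
    max_ms:   ceiling on the gap; once reached, originations continue at
              this interval for as long as the LSA keeps changing
    The gap falls back to start_ms when nothing has been originated for
    2 * max_ms (the "stable" condition in the text).
    """

    def __init__(self, start_ms, hold_ms, max_ms):
        if start_ms < 0 or hold_ms <= 0 or max_ms < hold_ms:
            raise ValueError("require start >= 0 and 0 < hold <= max")
        self.start = start_ms
        self.hold = hold_ms
        self.max = max_ms
        self.last_tx = None     # time of the most recent origination
        self.pending_tx = None  # origination scheduled but not yet sent
        self.gap = None         # gap enforced before the next origination

    def change(self, now_ms):
        """Register an LSA change at now_ms; return its origination time."""
        # A change that arrives while an origination is already scheduled
        # is folded into that origination (assumption of this model).
        if self.pending_tx is not None and now_ms < self.pending_tx:
            return self.pending_tx
        if self.last_tx is None or now_ms - self.last_tx >= 2 * self.max:
            # First change, or stable for 2 * max: use the start interval.
            tx = now_ms + self.start
            self.gap = self.hold
        else:
            # Enforce the current gap since the last origination, then
            # double it, capped at the maximum.
            tx = max(now_ms, self.last_tx + self.gap)
            self.gap = min(self.gap * 2, self.max)
        self.last_tx = tx
        self.pending_tx = tx
        return tx


def origination_schedule(change_times_ms, start_ms, hold_ms, max_ms):
    """Origination time for each change in change_times_ms (ascending)."""
    throttle = LsaThrottle(start_ms, hold_ms, max_ms)
    return [throttle.change(t) for t in change_times_ms]


if __name__ == "__main__":
    # Constructed sample: a flapping prefix, then a long quiet period.
    changes = [0, 50, 150, 300, 600, 1600, 5000]
    print(origination_schedule(changes, start_ms=10, hold_ms=100, max_ms=1000))
```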
  Internet Address 10.1.3.100/24, Area 2.2.2.2
  Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.1.2.100, Interface address 10.1.3.100
  Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.0
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  No Hellos (Passive interface)
  Neighbor Count is 0, Adjacent neighbor count is 0
Loopback 45 is up, line protocol is up
  Internet Address 10.1.1.
Changing OSPFv2 Parameters on Interfaces
You can modify the OSPF configuration on switch interfaces. Some interface parameter values must be consistent across all interfaces to avoid routing errors. For example, set the same hello interval on all routers in the OSPF network to prevent misconfiguration of OSPF neighbors.
To change OSPFv2 parameters on the interfaces, use any or all of the following commands.
● Change the cost associated with OSPF traffic on the interface.
To view interface configurations, use the show config command in CONFIGURATION INTERFACE mode. To view interface status in the OSPF process, use the show ip ospf interface command in EXEC mode. The bold lines in the example show the change on the interface. The change is reflected in the OSPF configuration.
Dell(conf-if)#ip ospf cost 45
Dell(conf-if)#show config
!
interface TengigabitEthernet 0/0
 ip address 10.1.2.100 255.255.255.
   CONFIG-ROUTER-OSPF-id mode
   area area-id virtual-link router-id [hello-interval seconds | retransmit-interval seconds | transmit-delay seconds | dead-interval seconds | authentication-key key | message-digest-key keyid md5 key]
   ○ area ID: assigned earlier (the range is from 0 to 65535 or A.B.C.D).
   ○ router ID: IP address associated with the virtual link neighbor.
   ○ hello interval seconds: the range is from 1 to 8192 (the default is 10).
   distribute-list prefix-list-name in [interface]
● Assign a configured prefix list to outgoing OSPF routes.
   CONFIG-ROUTER-OSPF-id mode
   distribute-list prefix-list-name out [connected | isis | rip | static]

Redistributing Routes
You can add routes from other routing instances or protocols to the OSPF process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process.
● show routes
To help troubleshoot OSPFv2, use the following commands.
● View the summary of all OSPF process IDs enabled on the router.
   EXEC Privilege mode
   show running-config ospf
● View the summary information of the IP routes.
   EXEC Privilege mode
   show ip route summary
● View the summary information for the OSPF database.
   EXEC Privilege mode
   show ip ospf database
● View the configuration of OSPF neighbors connected to the local router.
Sample Configurations for OSPFv2
The following configurations are examples for enabling OSPFv2. These examples are not comprehensive directions; they are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure to make the necessary changes.

Basic OSPFv2 Router Topology
The following illustration is a sample basic OSPFv2 topology.
Figure 95.
interface Loopback 30
 ip address 192.168.100.100/24
 no shutdown
!
interface TengigabitEthernet 3/1
 ip address 10.1.13.3/24
 no shutdown
!
interface TengigabitEthernet 3/2
 ip address 10.2.13.3/24
 no shutdown

OSPF Area 0 — Te 2/1 and 2/2
router ospf 22222
 network 192.168.100.0/24 area 0
 network 10.2.21.0/24 area 0
 network 10.2.22.0/24 area 0
!
interface Loopback 20
 ip address 192.168.100.20/24
 no shutdown
!
interface TengigabitEthernet 2/1
 ip address 10.2.21.
   ipv6 unicast routing

Assigning IPv6 Addresses on an Interface
To assign IPv6 addresses to an interface, use the following commands.
1. Assign an IPv6 address to the interface.
   CONF-INT-type slot/port mode
   ipv6 address ipv6-address
   IPv6 addresses are normally written as eight groups of four hexadecimal digits, with each group separated by a colon (:). The format is A:B:C::F/128.
2. Bring up the interface.
EXEC Privilege mode
clear ipv6 ospf process

Configuring Stub Areas
To configure IPv6 stub areas, use the following command.
● Configure the area as a stub area.
CONF-IPV6-ROUTER-OSPF mode
area area-id stub [no-summary]
○ no-summary: use this keyword to prevent transmission into the area of summary ASBR LSAs.
○ metric-type metric-type: enter 1 for OSPFv3 external route type 1 or 2 for OSPFv3 external route type 2.
○ route-map map-name: enter the name of a configured route map.
○ tag tag-value: the range is from 0 to 4294967295.

Configuring a Default Route
To generate a default external route into the OSPFv3 routing domain, configure the following parameters. To specify the information for the default route, use the following command.
● Specify the information for the default route.
OSPFv3 Authentication Using IPsec: Configuration Notes
OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552.
● To use IPsec, configure an authentication (using AH) or encryption (using ESP) security policy on an interface or in an OSPFv3 area. Each security policy consists of a security policy index (SPI) and the key used to validate OSPFv3 packets. After IPsec is configured for OSPFv3, IPsec operation is invisible to the user.
○ key-encryption-type: (optional) specifies whether the key is encrypted. The valid values are 0 (key is not encrypted) or 7 (key is encrypted).
○ key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share the same key to exchange information. For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted). For SHA-1 authentication, the key must be 40 hex digits (non-encrypted) or 80 hex digits (encrypted).
show crypto ipsec sa ipv6

Configuring IPsec Authentication for an OSPFv3 Area
To configure, remove, or display IPsec authentication for an OSPFv3 area, use the following commands.
Prerequisite: Before you enable IPsec authentication on an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)). The security policy index (SPI) value must be unique to one IPsec security policy (authentication or encryption) on the router.
○ spi number: is the security policy index (SPI) value. The range is from 256 to 4294967295.
○ esp encryption-algorithm: specifies the encryption algorithm used with ESP. The valid values are 3DES, DES, AES-CBC, and NULL. For AES-CBC, only the AES-128 and AES-192 ciphers are supported.
○ key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information.
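The parameter descriptions above (for both the AH authentication policy and the ESP encryption policy) amount to a small set of checks that are worth running on a configuration before it is pushed, because a wrong key length or a reused SPI on one router silently breaks the adjacency with every neighbor. The following is an added example, not Dell Networking OS code: it lints a set of OSPFv3 IPsec policies against the stated SPI range, SPI uniqueness, AH key lengths per algorithm and key-encryption-type, and the ESP algorithm allow-list. The plaintext ESP key lengths in `ESP_KEY_HEX_DIGITS` are an assumption taken from the cipher key sizes (the page states none); the sample AH key is the 64-hex-digit encrypted MD5 key shown in the `show crypto ipsec sa ipv6` output below.

```python
"""Pre-flight checks for OSPFv3 IPsec security policies (added example, not Dell code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SPI_MIN, SPI_MAX = 256, 4294967295
# Hex digits of a plaintext (type 0) AH key; a type 7 (encrypted) key is twice as long.
AH_KEY_HEX_DIGITS = {"md5": 32, "sha1": 40}
# Assumption: plaintext ESP key lengths derived from cipher key sizes, in hex digits
# (DES 64-bit, 3DES 192-bit, AES-CBC 128- or 192-bit; AES-256 is not supported).
ESP_KEY_HEX_DIGITS = {"3des": (48,), "des": (16,), "aes-cbc": (32, 48), "null": (0,)}
HEX_RE = re.compile(r"[0-9a-fA-F]*")

# Encrypted (type 7) MD5 AH key as displayed on this page: 64 hex digits.
PAGE_AH_KEY = "bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e"


@dataclass(frozen=True)
class IpsecPolicy:
    spi: int
    mode: str                      # "ah" (authentication) or "esp" (encryption)
    key: str                       # hex text string shared by all neighbouring routers
    auth_algorithm: str = "md5"    # md5 or sha1 (AH policies)
    key_encryption_type: int = 0   # 0 = key not encrypted, 7 = key encrypted
    esp_algorithm: Optional[str] = None


def validate_policy(policy: IpsecPolicy, existing_spis: Set[int]) -> List[str]:
    """Return the list of problems found; an empty list means the policy is acceptable."""
    errors: List[str] = []
    if not SPI_MIN <= policy.spi <= SPI_MAX:
        errors.append(f"SPI {policy.spi} is outside {SPI_MIN}..{SPI_MAX}")
    if policy.spi in existing_spis:
        errors.append(f"SPI {policy.spi} is already used by another IPsec policy on this router")
    if policy.key_encryption_type not in (0, 7):
        errors.append(f"key-encryption-type must be 0 or 7, got {policy.key_encryption_type}")
    if not HEX_RE.fullmatch(policy.key):
        errors.append("key must contain only hexadecimal digits")
    multiplier = 2 if policy.key_encryption_type == 7 else 1   # encrypted keys are twice as long
    if policy.mode == "ah":
        base = AH_KEY_HEX_DIGITS.get(policy.auth_algorithm.lower())
        if base is None:
            errors.append(f"unsupported AH authentication algorithm {policy.auth_algorithm!r}")
        elif len(policy.key) != base * multiplier:
            errors.append(f"{policy.auth_algorithm} key must be {base * multiplier} hex digits, "
                          f"got {len(policy.key)}")
    elif policy.mode == "esp":
        alg = (policy.esp_algorithm or "").lower()
        allowed = ESP_KEY_HEX_DIGITS.get(alg)
        if allowed is None:
            errors.append(f"unsupported ESP encryption algorithm {policy.esp_algorithm!r}")
        elif len(policy.key) not in tuple(n * multiplier for n in allowed):
            errors.append(f"{alg} key of {len(policy.key)} hex digits is not a supported length")
    else:
        errors.append(f"mode must be 'ah' or 'esp', got {policy.mode!r}")
    return errors


def check_policy_set(policies: List[IpsecPolicy]) -> List[Tuple[int, List[str]]]:
    """Validate every policy, enforcing SPI uniqueness across the whole set."""
    seen: Set[int] = set()
    report = []
    for p in policies:
        report.append((p.spi, validate_policy(p, seen)))
        seen.add(p.spi)
    return report


if __name__ == "__main__":
    sample = [
        IpsecPolicy(500, "ah", PAGE_AH_KEY, "md5", 7),
        IpsecPolicy(500, "esp", "0" * 32, esp_algorithm="aes-cbc"),   # reuses SPI 500
    ]
    for spi, errs in check_policy_set(sample):
        print(spi, "OK" if not errs else errs)
```

The same function can be run over the output of `show crypto ipsec policy` once it is parsed into `IpsecPolicy` records, which turns the uniqueness requirement stated in the prerequisite into an automated check rather than a convention.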
Policy refcount      : 2
Inbound AH SPI       : 500 (0x1F4)
Outbound AH SPI      : 500 (0x1F4)
Inbound AH Key       : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Outbound AH Key      : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Transform set        : ah-md5-hmac

Crypto IPSec client security policy data
Policy name          : OSPFv3-0-501
Policy refcount      : 1
Inbound ESP SPI      : 501 (0x1F5)
Outbound ESP SPI     : 501 (0x1F5)
Inbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb
Troubleshooting OSPFv3
The system provides several tools to troubleshoot OSPFv3 operation on the switch. This section describes typical OSPFv3 troubleshooting scenarios.
NOTE: The following troubleshooting section is not meant to be a comprehensive list, but only to provide examples of typical troubleshooting checks.
36 Pay As You Grow The Pay As You Grow (PAYG) software feature allows you to purchase a Z9500 switch with 36 40G ports (144 10G ports) and upgrade to a larger number of ports as your networking needs grow. A Z9500 switch with a 36 40G-port license has only the ports on line card 0 enabled. See the Port Numbering figure in this section for exact port location.
of licensed (usable) ports on the switch; Next Boot displays the number of licensed ports on the switch after the next reload.
Dell# show license
LICENSE INFORMATION
Vendor              : Dell
Product             :
System Service Tag  : RtHvKsJ
License Service Tag :
Current State       : HW-Port-License 36 Ports (Fo 0/0 - Fo 0/140)
Next Boot           : HW-Port-License 36 Ports (Fo 0/0 - Fo 0/140)
2. Locate the license file you want to use and verify that the port license is valid for the switch.
install is successful To verify the installation of a new license before you reload the switch, enter the show license command. The following example shows the currently installed 36-port license and the newly installed 132-port license before reloading the switch.
Display of a 132 40G-Port License
Dell# show license
LICENSE INFORMATION
Vendor              : Dell
Product             : Dell Force10 Z9500
System Service Tag  : RtHvKsJ
License Service Tag : RTHVKSJ
Current State       : HW-Port-License 132 Ports (Fo 0/0 - Fo 2/188)
Next Boot           : HW-Port-License 132 Ports (Fo 0/0 - Fo 2/188)
You can also display information on the currently installed Z9500 license by entering the show system brief command.
37 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop.
2. The last-hop DR sends a PIM Join message to the RP. All routers along the way, including the RP, create an (*,G) entry in their multicast routing table, and the interface on which the message was received becomes the outgoing interface associated with the (*,G) entry. This process constructs an RPT branch to the RP. 3. If a host on the same subnet as another multicast receiver sends an IGMP report for the same multicast group, the gateway takes no action.
CONFIGURATION mode
ip multicast-routing

Related Configuration Tasks
The following are related PIM-SM configuration tasks.
● Configuring S,G Expiry Timers
● Configuring a Static Rendezvous Point
● Configuring a Designated Router
● Creating Multicast Boundaries and Domains

Enable PIM-SM
You must enable PIM-SM on each participating interface.
1. Enable multicast routing on the system.
CONFIGURATION mode
ip multicast-routing
2. Enable PIM-Sparse mode.
(10.87.31.5, 192.1.2.1), uptime 00:01:24, expires 00:02:26, flags: FT
  Incoming interface: TenGigabitEthernet 1/11, RPF neighbor 0.0.0.0
  Outgoing interface list:
    TenGigabitEthernet 0/11
    TenGigabitEthernet 0/12
    TenGigabitEthernet 1/13
--More--

Configuring S,G Expiry Timers
By default, S,G entries expire in 210 seconds. You can configure a global expiry time (for all [S,G] entries) or configure an expiry time for a particular entry.
Configuring a Static Rendezvous Point
The rendezvous point (RP) is a PIM-enabled interface on a router that acts as the root of a group-specific tree; every group must have an RP.
● Identify an RP by the IP address of a PIM-enabled or Loopback interface.
ip pim rp-address
Dell#sh run int loop0
!
interface Loopback 0
 ip address 1.1.1.1/32
 ip pim sparse-mode
 no shutdown
Dell#sh run pim
!
ip pim rp-address 1.1.1.1 group-address 224.0.0.
● Display the current value of these parameters.
EXEC Privilege mode
show ip pim interface

Creating Multicast Boundaries and Domains
A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet. Create multicast boundaries and domains by filtering inbound and outbound bootstrap router (BSR) messages per interface.
38 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Related Configuration Tasks
● Use PIM-SSM with IGMP Version 2 Hosts

Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1. Create an ACL that uses permit rules to specify what range of addresses should use SSM.
CONFIGURATION mode
ip access-list standard name
2. Enter the ip pim ssm-range command and specify the ACL you created.
CONFIGURATION mode
ip pim ssm-range acl-name
To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.
Configuring PIM-SSM with IGMPv2
R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4
ip pim ssm-range ssm
R1(conf)#do show run acl
!
ip access-list standard map
 seq 5 permit host 239.0.0.2
!
ip access-list standard ssm
 seq 5 permit host 239.0.0.2
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address    Interface    Mode    Uptime    Expires
239.0.0.
39 Policy-based Routing (PBR) Policy-based Routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
To enable PBR, you create a redirect list. Redirect lists are defined by rules, or routing policies.
Implementing Policy-based Routing with Dell Networking OS
● Non-contiguous bitmasks for PBR
● Hot-Lock PBR

Non-contiguous bitmasks for PBR
Non-contiguous bitmasks for PBR allow more granular and flexible control over routing policies. Network addresses that are in the middle of a subnet can be included or excluded. Specific bitmasks can be entered using the dotted decimal format.
Non-contiguous bitmask example
Dell#show ip redirect-list
IP redirect-list rcl0:
Defined as:
seq 5 permit ip 200.200.200.
CONF-REDIRECT-LIST mode
seq number redirect {ip-address | tunnel tunnel-id} [track object-id] {ip-protocol-number | protocol-type [bit]} {source mask | any | host ip-address} {destination mask | any | host ip-address}
Configure a rule for the redirect list.
number is the number in sequence to initiate this rule.
ip-address is the forwarding router's address.
tunnel is used to configure the tunnel settings.
tunnel-id is used to redirect the traffic.
track is used to track the object-id.
Multiple rules can be applied to a single redirect-list. The rules are applied in ascending order, starting with the rule that has the lowest sequence number in the redirect-list. The following example displays the correct method for applying multiple rules to one list.
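The ordering rule just stated, together with the non-contiguous masks from the previous section, is easiest to see by running a packet through a redirect list. The following is an added example, not Dell Networking OS code: it parses rules in the same textual form as the `show ip redirect-list` output on this page and returns the first matching rule in ascending sequence order. The sample list is constructed from the rcl0 and GOLD lists shown here, with the truncated destination of seq 10 completed (an assumption). Two further assumptions: the dotted-decimal mask is a match mask (a 1 bit means that address bit must match), which is what lets a mask such as 200.200.200.200 select scattered addresses, and a packet that matches a permit rule or no rule at all is routed by the normal routing table, so no next hop comes from the list.

```python
"""First-match evaluation of a PBR redirect list (added example, not Dell code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, deliberately listed out of sequence order.
SAMPLE_REDIRECT_LIST = """
seq 30 permit ip any any
seq 5 permit ip 200.200.200.200 200.200.200.200 199.199.199.199 199.199.199.199
seq 20 redirect 10.99.99.254 ip 192.168.1.0/24 any
seq 10 redirect 1.1.1.2 tcp 234.224.234.234 255.234.234.234 222.222.222.222 255.222.222.222
"""


@dataclass(frozen=True)
class AddrMatch:
    base: int   # address bits already ANDed with the mask
    mask: int   # assumption: 1 bits must match, 0 bits are ignored (may be non-contiguous)

    def matches(self, addr: str) -> bool:
        return (int(ipaddress.IPv4Address(addr)) & self.mask) == self.base


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                 # "permit" (normal routing) or "redirect"
    next_hop: Optional[str]     # forwarding router or "tunnel <id>" for redirect rules
    protocol: str               # "ip" matches every IP protocol; otherwise tcp, udp, ...
    src: AddrMatch
    dst: AddrMatch


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str


def _make(addr: str, mask: str) -> AddrMatch:
    m = int(ipaddress.IPv4Address(mask))
    return AddrMatch(int(ipaddress.IPv4Address(addr)) & m, m)


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Parse 'any', 'host A', 'A/len' or 'A M' starting at tokens[i]; return match and next index."""
    tok = tokens[i]
    if tok == "any":
        return AddrMatch(0, 0), i + 1
    if tok == "host":
        return _make(tokens[i + 1], "255.255.255.255"), i + 2
    if "/" in tok:
        net = ipaddress.IPv4Network(tok, strict=False)
        return AddrMatch(int(net.network_address), int(net.netmask)), i + 1
    return _make(tok, tokens[i + 1]), i + 2


def parse_rule(line: str) -> Rule:
    t = line.split()
    if t[0] != "seq":
        raise ValueError(f"rule must start with 'seq': {line!r}")
    seq, action, i, next_hop = int(t[1]), t[2], 3, None
    if action == "redirect":
        if t[3] == "tunnel":
            next_hop, i = f"tunnel {t[4]}", 5
        else:
            next_hop, i = t[3], 4
    elif action != "permit":
        raise ValueError(f"unknown action {action!r} in {line!r}")
    protocol, i = t[i], i + 1
    src, i = _parse_addr(t, i)
    dst, i = _parse_addr(t, i)
    return Rule(seq, action, next_hop, protocol, src, dst)


def parse_redirect_list(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.strip().splitlines() if line.strip()]


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Rules are tried from the lowest sequence number upward; the first hit decides."""
    for rule in sorted(rules, key=lambda r: r.seq):
        proto_ok = rule.protocol == "ip" or rule.protocol == pkt.protocol
        if proto_ok and rule.src.matches(pkt.src) and rule.dst.matches(pkt.dst):
            return rule
    return None


def next_hop(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Next hop imposed by the list, or None when the packet follows the routing table."""
    rule = first_match(rules, pkt)
    return rule.next_hop if rule is not None and rule.action == "redirect" else None


if __name__ == "__main__":
    rules = parse_redirect_list(SAMPLE_REDIRECT_LIST)
    for pkt in (Packet("201.200.200.200", "199.199.199.199", "tcp"),
                Packet("234.245.234.234", "222.222.222.222", "tcp"),
                Packet("192.168.1.77", "8.8.8.8", "udp")):
        hit = first_match(rules, pkt)
        print(pkt, "-> seq", hit.seq if hit else None, "next hop", next_hop(rules, pkt))
```

Note that 201.200.200.200 is caught by the seq 5 permit rule even though it is not in any contiguous subnet of 200.200.200.200: the mask 200.200.200.200 (11001000 per octet) only compares the bits that are set, which is exactly the effect the non-contiguous bitmask feature exists for.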
FORMAT: up to 16 characters Delete the redirect list from this interface with the [no] ip redirect-gr In this example, the list “xyz” is applied to the tenGigabitEthernet 4/0 interface.
, Track 200 [up], Next-hop reachable (via Te 2/19)
Use the show ip redirect-list command (without the list name) to display all the redirect-lists configured on the device.
Dell#show ip redirect-list
IP redirect-list rcl0:
Defined as:
seq 5 permit ip 200.200.200.200 200.200.200.200 199.199.199.199 199.199.199.199
seq 10 redirect 1.1.1.2 tcp 234.224.234.234 255.234.234.234 222.222.222.
Create the Redirect-List GOLD
EDGE_ROUTER(conf-if-Te-2/23)#ip redirect-list GOLD
EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD.
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.1.0/24 any
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any
EDGE_ROUTER(conf-redirect-list)#seq 15 permit ip any any
EDGE_ROUTER(conf-redirect-list)#show config
!
ip redirect-list GOLD
 description Route GOLD traffic to ISP_GOLD.
 seq 5 redirect 10.99.99.254 ip 192.
View Redirect-List GOLD
EDGE_ROUTER#show ip redirect-list
IP redirect-list GOLD:
Defined as:
seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23)
seq 10 redirect 10.99.99.254 ip 192.168.2.
40 Port Monitoring Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. The Dell Networking OS supports the following mirroring techniques: ● Port monitoring — Monitors network traffic by forwarding a copy of incoming and outgoing packets from a source port to a destination port on the same network router.
2       Te 0/0    Te 0/2        both   Port   N/A        N/A
3       Te 0/0    Te 0/3        both   Port   N/A        N/A
4       Te 0/0    Te 0/4        both   Port   N/A        N/A
5       Te 0/0    Te 0/5        both   Port   N/A        N/A
Dell(conf-mon-sess-5)#

Dell(conf)#mon ses 300
Dell(conf-mon-sess-300)#source tengig 0/17 destination tengig 0/4 direction tx
%Unable to create MTP entry for MD tenG 0/17 MG tenG 0/4 in stack-unit 0 port-pipe 0.
Configuring Port Monitoring
To configure port monitoring, use the following commands.
1. Verify that the intended monitoring port has no configuration other than no shutdown, as shown in the following example.
EXEC Privilege mode
show interface
2. Create a monitoring session, as shown in the following example.
CONFIGURATION mode
monitor session
3. Specify the source and destination port and direction of traffic, as shown in the following example.
Remote Port Mirroring While local port monitoring allows you to monitor traffic from one or more source ports by directing it to a destination port on the same switch/router, remote port mirroring allows you to monitor Layer 2 and Layer 3 ingress and/or egress traffic on multiple source ports on different switches and forward the mirrored traffic to multiple destination ports on different switches.
Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
● By default, ingress traffic on a destination port is dropped.

Restrictions
When you configure remote port mirroring, the following restrictions apply:
● You can configure the same source port to be used in multiple source sessions.
● You cannot configure a source port channel or source VLAN in a source session if the port channel or VLAN has a member port that is configured as a destination port in a remote-port mirroring session.
Step   Command                                                                         Description
1      configure terminal                                                              Enter global configuration mode.
2      monitor session id type rpm                                                     Specify a unique session ID number and RPM as the session type, and enter Monitoring-Session configuration mode.
3      source {interface | range} destination interface direction {rx | tx | both}    Enter a source port or a range of source port interfaces to be monitored. Enter the destination port interface. Specify ingress (rx), egress (tx), or both ingress and egress traffic to be monitored.
SessID  Source   Destination     Dir   Mode   Source IP   Dest IP
------  ------   -----------     ---   ----   ---------   -------
1       Te 0/5   remote-vlan 10  rx    Port   N/A         N/A
2       Vl 100   remote-vlan 20  rx    Port   N/A         N/A
3       Po 10    remote-vlan 30  both  Port   N/A         N/A
Dell#

Dell(conf)#interface te 0/0
Dell(conf-if-te-0/0)#switchport
Dell(conf-if-te-0/0)#no shutdown
Dell(conf-if-te-0/0)#exit
Dell(conf)#interface te 0/1
Dell(conf-if-te-0/1)#switchport
Dell(conf-if-te-0/1)#no shutdown
Dell(conf-if-te-0/1)#exit
Dell(conf)#interface te 0/2
Dell(conf-if-te-0/
2. Create an extended MAC access list and add a deny rule for (0x0180c2xxxxxx) packets using the following commands:
mac access-list extended mac2
 seq 5 deny any 01:80:c2:00:00:00 00:00:00:ff:ff:ff count
3. Apply the extended MAC ACL on the RPM VLAN (VLAN 10 in the following example).
Dell#show running-config interface vlan 10
!
interface Vlan 10
 no ip address
 mode remote-port-mirroring
 tagged Port-channel 2
 mac access-group mac2 out
 no shutdown
4.
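The deny rule in step 2 works because the second address is a wildcard mask: an ff byte means "ignore this byte", so 01:80:c2:00:00:00 with 00:00:00:ff:ff:ff covers the whole 0x0180c2xxxxxx block of Layer 2 control-protocol destinations (STP BPDUs at 01:80:c2:00:00:00, LACP at 01:80:c2:00:00:02, LLDP at 01:80:c2:00:00:0e and so on), which keeps mirrored control frames from being acted on along the RPM VLAN. The following is an added example, not Dell Networking OS code, that evaluates such an ACL against a few constructed frames. The wildcard reading of the mask is implied by the page's "0x0180c2xxxxxx" description; the trailing `seq 10 permit any any` in the sample and the implicit deny at the end of the list are assumptions, included because without a final permit an ACL made only of deny rules would drop all the mirrored traffic too.

```python
"""Wildcard-mask matching for an extended MAC ACL (added example, not Dell code)."""
from dataclasses import dataclass
from typing import List, Tuple

# The ACL from step 2 plus an assumed final permit so that ordinary frames still pass.
SAMPLE_MAC_ACL = """
mac access-list extended mac2
 seq 5 deny any 01:80:c2:00:00:00 00:00:00:ff:ff:ff count
 seq 10 permit any any
"""

ANY = (0, 0xFFFFFFFFFFFF)   # address 0 with every bit ignored


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)


@dataclass(frozen=True)
class MacRule:
    seq: int
    action: str                 # "permit" or "deny"
    src: Tuple[int, int]        # (address, wildcard); wildcard 1 bits are ignored
    dst: Tuple[int, int]


def _parse_mac_spec(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host MAC' or 'MAC WILDCARD' at tokens[i]; return spec and next index."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (mac_to_int(tokens[i + 1]), 0), i + 2
    return (mac_to_int(tokens[i]), mac_to_int(tokens[i + 1])), i + 2


def parse_mac_acl(text: str) -> List[MacRule]:
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "seq":          # skip the 'mac access-list' header line
            continue
        seq, action, i = int(t[1]), t[2], 3
        src, i = _parse_mac_spec(t, i)
        dst, i = _parse_mac_spec(t, i)      # trailing keywords such as 'count' are ignored
        rules.append(MacRule(seq, action, src, dst))
    return rules


def _match(spec: Tuple[int, int], mac: int) -> bool:
    addr, wildcard = spec
    return (mac & ~wildcard) == (addr & ~wildcard)


def acl_action(rules: List[MacRule], src_mac: str, dst_mac: str) -> str:
    """First matching rule wins; assumption: an unmatched frame hits the implicit deny."""
    s, d = mac_to_int(src_mac), mac_to_int(dst_mac)
    for rule in sorted(rules, key=lambda r: r.seq):
        if _match(rule.src, s) and _match(rule.dst, d):
            return rule.action
    return "deny"


if __name__ == "__main__":
    rules = parse_mac_acl(SAMPLE_MAC_ACL)
    for dst in ("01:80:c2:00:00:00", "01:80:c2:00:00:02", "01:80:c2:00:00:0e",
                "01:80:c3:00:00:00", "ff:ff:ff:ff:ff:ff"):
        print(dst, "->", acl_action(rules, "00:11:22:33:44:55", dst))
```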
To configure an ERPM session:
Step   Command                                                  Description
1      configure terminal                                       Enter global configuration mode.
2      monitor session id type erpm                             Specify a session ID and ERPM as the type of monitoring session, and enter Monitoring-Session configuration mode. The session number needs to be unique and not already defined.
3      source {interface | range} direction {rx | tx | both}    Specify the source port or range of ports.
41 Private VLANs (PVLAN)
Private VLANs (PVLANs) extend the Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN). A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports or trunk ports.
PVLAN port types include:
● Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports.
● Host port — in the context of a private VLAN, a port in a secondary VLAN:
○ The port must first be assigned that role in INTERFACE mode.
○ A port assigned the host role cannot be added to a regular VLAN.
● Isolated port — a port that, in Layer 2, can only communicate with promiscuous ports that are in the same PVLAN.
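The port types above define a small forwarding matrix, and it is the matrix, not the VLAN numbers, that delivers the isolation. The following is an added example, not Dell Networking OS code, that encodes the Layer 2 forwarding decision between two PVLAN ports and lists what each port can reach. The sample ports are constructed from the Figure 98 description later in this chapter (promiscuous Te 0/0 and Te 0/23, PVLAN trunk Te 0/25, isolated Te 0/24 and Te 0/47 in VLAN 4003) plus two assumed community ports in VLAN 4001. One assumption: for this single-switch decision the PVLAN trunk port is treated like a promiscuous port, since it is the path host traffic takes towards the other switch.

```python
"""Layer 2 forwarding decision between private VLAN ports (added example, not Dell code)."""
from dataclasses import dataclass
from typing import List, Optional

PROMISCUOUS, TRUNK, ISOLATED, COMMUNITY = "promiscuous", "trunk", "isolated", "community"
OPEN_ROLES = {PROMISCUOUS, TRUNK}   # ports that every host port may talk to (trunk: assumption)


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str
    primary_vlan: int
    secondary_vlan: Optional[int] = None   # only host (isolated/community) ports carry one


def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """True if a frame received on src may be sent out of dst."""
    if src.name == dst.name or src.primary_vlan != dst.primary_vlan:
        return False                      # never back out the same port or across PVLANs
    if src.role in OPEN_ROLES:
        return True                       # promiscuous/trunk ports reach every port in the PVLAN
    if dst.role in OPEN_ROLES:
        return True                       # every host port may reach promiscuous/trunk ports
    if src.role == ISOLATED:
        return False                      # isolated ports never reach another host port
    # community -> community only inside the same community VLAN
    return (src.role == COMMUNITY and dst.role == COMMUNITY
            and src.secondary_vlan == dst.secondary_vlan)


def reachable_from(ports: List[PvlanPort], src_name: str) -> List[str]:
    src = next(p for p in ports if p.name == src_name)
    return [p.name for p in ports if can_forward(src, p)]


# Constructed from the Figure 98 description; the two community ports are assumed.
SAMPLE_PORTS = [
    PvlanPort("Te 0/0", PROMISCUOUS, 4000),
    PvlanPort("Te 0/23", PROMISCUOUS, 4000),
    PvlanPort("Te 0/25", TRUNK, 4000),
    PvlanPort("Te 0/24", ISOLATED, 4000, 4003),
    PvlanPort("Te 0/47", ISOLATED, 4000, 4003),
    PvlanPort("Te 0/1", COMMUNITY, 4000, 4001),
    PvlanPort("Te 0/2", COMMUNITY, 4000, 4001),
]

if __name__ == "__main__":
    for port in SAMPLE_PORTS:
        print(f"{port.name:8} ({port.role:11}) -> {reachable_from(SAMPLE_PORTS, port.name)}")
```

Running it shows the property that matters when a PVLAN is used as a security control: a host on Te 0/24 cannot reach Te 0/47 even though both sit in VLAN 4003, and a community port cannot reach any isolated port, so two compromised hosts in different secondary VLANs can only meet through a promiscuous port, where a Layer 3 device can filter them.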
NOTE: For more information about PVLAN commands, refer to the Dell Networking OS Command Line Reference Guide.

Configuration Task List
The following sections contain the procedures that configure a private VLAN.
● Creating PVLAN Ports
● Creating a Primary VLAN
● Creating a Community VLAN
● Creating an Isolated VLAN

Creating PVLAN Ports
PVLAN ports are those that will be assigned to the PVLAN.
1. Access INTERFACE mode for the port that you want to assign to a PVLAN.
Creating a Primary VLAN
A primary VLAN is a port-based VLAN that is specifically enabled as a primary VLAN to contain the promiscuous ports and PVLAN trunk ports for the private VLAN. A primary VLAN also contains a mapping to secondary VLANs, which are comprised of community VLANs and isolated VLANs.
1. Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces.
CONFIGURATION mode
interface vlan vlan-id
2. Enable the VLAN.
INTERFACE VLAN mode
no shutdown
3.
INTERFACE VLAN mode
private-vlan mode community
4. Add one or more host ports to the VLAN.
INTERFACE VLAN mode
tagged interface or untagged interface
You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add host (isolated) ports to the VLAN.

Creating an Isolated VLAN
An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN.
1.
Private VLAN Configuration Example
The following example shows a private VLAN topology.
Figure 98. Sample Private VLAN Topology
The following configuration is based on the example diagram for the C300-1:
● Te 0/0 and Te 23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000.
● Te 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
● Te 0/24 and Te 0/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
The result is that: ● The S50V ports would have the same intra-switch communication characteristics as described for the C300. ● For transmission between switches, tagged packets originating from host PVLAN ports in one secondary VLAN and destined for host PVLAN ports in the other switch travel through the promiscuous ports in the local VLAN 4000 and then through the trunk ports (0/25 in each switch).
Isolated  : 4003
Community : 4001
NOTE: In the following example, notice the addition of the PVLAN codes (P, I, and C) in the left column. The following example shows the VLAN status.
42 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Figure 99. Per-VLAN Spanning Tree
The Dell Networking OS supports three other versions of spanning tree, as shown in the following table.
Table 48. Spanning Tree Versions Supported
Dell Networking Term                      IEEE Specification
Spanning Tree Protocol (STP)              802.1d
Rapid Spanning Tree Protocol (RSTP)       802.1w
Multiple Spanning Tree Protocol (MSTP)    802.
4. Optionally, for load balancing, select a nondefault bridge-priority for a VLAN.
Figure 100. Load Balancing with PVST+
The bridge with the lowest value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign bridges a low non-default value for bridge priority. To assign a bridge priority, use the following command.
● Assign a bridge priority.
BPDU sent 1159, received 632
The port is not in the Edge port mode
Port 385 (TengigabitEthernet 1/32) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.385
Designated root has priority 4096, address 0001.e80d.b6:d6
Designated bridge has priority 4096, address 0001.e80d.b6:d6
Designated port id is 128.
Table 49. Default Values for Port Cost (continued)
Port Cost                                           Default Value
1-Gigabit Ethernet interfaces                       20000
10-Gigabit Ethernet interfaces                      2000
Port Channel with 100 Mb/s Ethernet interfaces      180000
Port Channel with 1-Gigabit Ethernet interfaces     18000
Port Channel with 10-Gigabit Ethernet interfaces    1800
NOTE: The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs. Other implementations use IEEE 802.1w costs as the default costs.
● When you remove a physical port from a port channel in an Error Disable state, the Error Disabled state is cleared on this physical port (the physical port is enabled in the hardware).
● The reset linecard command does not clear the Error Disabled state of the port or the hardware Disabled state. The interface continues to be disabled in the hardware.
● You can clear the Error Disabled state with any of the following methods:
○ Perform a shutdown command on the interface.
extend system-id
Dell(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
Executing IEEE compatible Spanning Tree Protocol
  Root ID    Priority 32773, Address 0001.e832.73f7
  Root Bridge hello time 2, max age 20, forward delay 15
  Bridge ID  Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
 no ip address
 tagged TengigabitEthernet 2/12,32
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TengigabitEthernet 2/12,32
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 200 bridge-priority 4096

Example of PVST+ Configuration (R3)
interface TengigabitEthernet 3/12
 no ip address
 switchport
 no shutdown
!
interface TengigabitEthernet 3/22
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged TengigabitEthernet 3/12,22
 no shutdown
!
interface Vlan 200
 no ip address
 tag
43 Quality of Service (QoS) This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Figure 102.
Implementation Information
The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication. It also implements these Internet Engineering Task Force (IETF) documents:
● RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 Headers
● RFC 2475, An Architecture for Differentiated Services
● RFC 2597, Assured Forwarding PHB Group
● RFC 2598, An Expedited Forwarding PHB
You cannot configure port-based and policy-based QoS on the same interface.
Honoring dot1p Priorities on Ingress Traffic By default, the system does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries.
Traffic Monitor 3: normal    NA    peak    NA
  Out of profile yellow 0    red 0
Traffic Monitor 4: normal    NA    peak    NA
  Out of profile yellow 0    red 0

Configuring Port-Based Rate Shaping
Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted. If any stream exceeds the configured bandwidth on a continuous basis, it can consume all of the buffer space that is allocated to the port.
● Apply rate shaping to outgoing traffic on a port.
Policy-Based QoS Configurations
Policy-based QoS configurations consist of the components shown in the following example.
Figure 103. Constructing Policy-Based QoS Configurations

Classify Traffic
Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, the system matches packets against match criteria in the order that you configure them.
class-map match-any class-map-name
2. Create a match-all class map.
CONFIGURATION mode
class-map match-all class-map-name
3. Specify your match criteria.
CLASS MAP mode
match {ip | ipv6 | ip-any}
After you create a class-map, you are placed in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL.
4. Link the class-map to a queue.
POLICY MAP mode
service-queue
Dell(conf)#ip access-list standard acl1
Dell(config-std-nacl)#permit 20.0.0.
match mac
After you create a class-map, you are placed in CLASS MAP mode. Match-any class maps allow up to five access-lists. Match-all class-maps allow only one. You can match against only one VLAN ID.
4. Link the class-map to a queue.
POLICY MAP mode
service-queue

Applying Layer 2 Match Criteria on a Layer 3 Interface
To process Layer 3 packets that contain a dot1p (IEEE 802.
Dell(conf)#qos-policy-input pp_qospolicy
5. Configure the DSCP value to be set on matched packets.
QOS-POLICY-IN mode
Dell(conf-qos-policy-in)#set ip-dscp 5
6. Create an input policy map.
CONFIGURATION mode
Dell(conf)#policy-map-input pp_policmap
7. Create a service queue to associate the class map and QoS policy map.
!
ip access-list extended AF1-FB1
 seq 5 permit ip host 23.64.0.2 any
 seq 10 deny ip any any
!
ip access-list extended AF1-FB2
 seq 5 permit ip host 23.64.0.3 any
 seq 10 deny ip any any
!
ip access-list extended AF2
 seq 5 permit ip host 23.64.0.5 any
 seq 10 deny ip any any
Dell# show cam layer3-qos interface tengigabitethernet 2/49
Cam    Port  Dscp  Proto  Tcp   Src   Dst   SrcIp   DstIp   DSCP     Queue
Index        Flag                Port  Port                  Marking
-----------------------------------------------------------------------
20416  1     18    IP     0x0   0     0     23.
Creating an Input QoS Policy
To create an input QoS policy, use the following steps.
1. Create a Layer 3 input QoS policy.
CONFIGURATION mode
qos-policy-input
Create a Layer 2 input QoS policy by specifying the keyword layer2 after the qos-policy-input command.
2.
qos-policy-output
2. After you configure an output QoS policy, do one or more of the following:
● Strict-Priority Queuing
● Configuring Policy-Based Rate Shaping
● Allocating Bandwidth to Queue
● Specifying WRED Drop Precedence

Strict-Priority Queuing
You can configure strict-priority queueing in an output QoS policy. Strict-priority means that the system de-queues all packets from the assigned queue before servicing any other queues. Strict-priority queueing is performed using the Scheduler Strict feature.
Table 51. Default Bandwidth Weights (continued)
Queue   Default Bandwidth Percentage for 4-Queue System   Default Bandwidth Percentage for 8-Queue System
6       —                                                  25%
7       —                                                  50%
When you assign a percentage to one queue, note that this change also affects the amount of bandwidth that is allocated to other queues. Therefore, whenever you are allocating bandwidth to one queue, Dell Networking recommends evaluating your bandwidth requirements for all other queues as well.
● Allocate bandwidth to queues.
Applying an Input QoS Policy to an Input Policy Map To apply an input QoS policy to an input policy map, use the following command. ● Apply an input QoS policy to an input policy map. POLICY-MAP-IN mode policy-aggregate Honoring DSCP Values on Ingress Packets You can configure the ability to honor DSCP values on ingress packets by using the Trust DSCP feature. The following table lists the standard DSCP definitions and indicates how DSCP values are mapped to queues.
The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN.
● Enable the trust dot1p feature.
POLICY-MAP-IN mode
trust dot1p

Mapping dot1p Values to Service Queues
All traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Honoring dot1p Values on Ingress Packets.
● Applying an Output QoS Policy to a Queue
● Specifying an Aggregate QoS Policy
● Applying an Output Policy Map to an Interface
3. Apply the policy map to an interface.

Applying an Output QoS Policy to a Queue
To apply an output QoS policy to a queue, use the following command.
● Apply an output QoS policy to queues.
INTERFACE mode
service-queue

Specifying an Aggregate QoS Policy
To specify an aggregate QoS policy, use the following command.
● Specify an aggregate QoS policy.
● A DSCP value cannot be in both the yellow and red lists. Setting the red or yellow list with any DSCP value that is already in the other list results in an error and no update to that DSCP list is made. ● Each color map can only have one list of DSCP values for each color; any DSCP values previously listed for that color that are not in the new DSCP list are colored green.
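The two rules above describe an update that is rejected as a whole and an update that silently recolors values, and both are easy to get wrong when a color policy is generated by tooling. The following is an added example, not Dell Networking OS code: a small model of a DSCP color map that rejects a yellow or red list overlapping the other color and leaves the map untouched, and that reverts values dropped from a replaced list to green. The 0..63 range comes from the 6-bit DSCP field, not from this page.

```python
"""Model of a DSCP color map and its update rules (added example, not Dell code)."""
from typing import Dict, Iterable, List

GREEN, YELLOW, RED = "green", "yellow", "red"


class DscpColorMap:
    def __init__(self, name: str) -> None:
        self.name = name
        self._color: Dict[int, str] = {d: GREEN for d in range(64)}   # every DSCP starts green

    def set_list(self, color: str, values: Iterable[int]) -> None:
        """Replace the yellow or red list; raise ValueError (with no change) on conflict."""
        new = set(values)
        if color not in (YELLOW, RED):
            raise ValueError(f"only {YELLOW} and {RED} lists can be set, got {color!r}")
        out_of_range = sorted(v for v in new if not 0 <= v <= 63)
        if out_of_range:
            raise ValueError(f"DSCP values must be 0..63: {out_of_range}")
        other = RED if color == YELLOW else YELLOW
        conflicts = sorted(v for v in new if self._color[v] == other)
        if conflicts:
            # Error and no update: the existing lists stay exactly as they were.
            raise ValueError(f"DSCP {conflicts} already in the {other} list of {self.name}")
        for dscp, current in self._color.items():
            if current == color and dscp not in new:
                self._color[dscp] = GREEN      # dropped from the replaced list: back to green
        for v in new:
            self._color[v] = color

    def try_set_list(self, color: str, values: Iterable[int]) -> bool:
        """Same as set_list but report rejection as False instead of raising."""
        try:
            self.set_list(color, values)
            return True
        except ValueError:
            return False

    def color_of(self, dscp: int) -> str:
        return self._color[dscp]

    def dscp_list(self, color: str) -> List[int]:
        return sorted(d for d, c in self._color.items() if c == color)


if __name__ == "__main__":
    cmap = DscpColorMap("edge-in")
    cmap.set_list(YELLOW, [8, 10])
    cmap.set_list(RED, [12])
    print("red <- [10, 14] accepted:", cmap.try_set_list(RED, [10, 14]))   # 10 is yellow
    cmap.set_list(YELLOW, [10, 14])                                        # 8 reverts to green
    print("yellow:", cmap.dscp_list(YELLOW), "red:", cmap.dscp_list(RED), "8:", cmap.color_of(8))
```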
Displaying a DSCP Color Policy Configuration
To display the DSCP color policy configuration for one or all interfaces, use the show qos dscp-color-policy {summary [interface] | detail {interface}} command in EXEC mode.
summary: Displays summary information about a color policy on one or more interfaces.
detail: Displays detailed color policy information on an interface.
interface: Enter the name of the interface that has the color policy configured.
Enabling Strict-Priority Queueing
In strict-priority queuing, the system de-queues all packets from the assigned queue before servicing any other queues. You can assign strict-priority to one unicast queue, using the strict-priority command.
● Policy-based per-queue rate shaping is not supported on the queue configured for strict-priority queuing. To use queue-based rate-shaping as well as strict-priority queuing at the same time on a queue, use the Scheduler Strict feature as described in Scheduler Strict.
You can create a custom WRED profile or use one of the five pre-defined profiles.
Table 54. Pre-Defined WRED Profiles
Default Profile Name   Minimum Threshold   Maximum Threshold   Maximum Drop Rate
wred_drop              0                   0                   100
wred_teng_y            594                 5941                100
wred_teng_g            594                 5941                50
wred_fortyg_y          594                 5941                50
wred_fortyg_g          594                 5941                25

Creating WRED Profiles
To create WRED profiles, use the following commands.
1. Create a WRED profile.
CONFIGURATION mode
wred
2.
Displaying WRED Drop Statistics To display WRED drop statistics, use the following command. ● Display the number of packets that the WRED profile drops.
● match ip precedence
● match ip vlan
By default, all packets are marked for green handling if the rate-police and trust-diffserv commands are not used in an ingress policy map. All packets marked for red handling or “violate” are dropped. In the class map, in addition to color-marking matching packets for yellow handling, you can also configure a DSCP value for matching packets.
 match ip access-group dscp_40_non_ecn set-color yellow
 match ip access-group dscp_40
class-map match-any class_dscp_50
 match ip access-group dscp_50_non_ecn set-color yellow
 match ip access-group dscp_50
policy-map-input pmap_dscp_40_50
 service-queue 2 class-map class_dscp_40
 service-queue 3 class-map class_dscp_50
The second example shows how to achieve the desired configuration by specifying ECN match criteria to classify ECN-capable packets:
ip access-list standard dscp_50_ecn
 seq 5 permit any dscp 50 ec
size; the average queue size is used to determine when to drop packets with WRED and when to mark packets with ECN when WRED thresholds are exceeded. The user-configurable weight in WRED and ECN provides better control in how the switch responds to congestion before a queue overflows and packets are dropped or delayed. Using a configurable weight for WRED and ECN allows you to customize network performance and throughput.
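The following is an added example, not code from the Dell guide, that works through the WRED/ECN behaviour described above and in Table 54: the average queue size is an exponentially weighted moving average of the instantaneous queue depth, the drop probability ramps linearly from 0 at the minimum threshold to the profile's maximum drop rate at the maximum threshold, and when ECN is enabled an ECN-capable packet that would have been dropped is marked instead. The EWMA form, the linear ramp and the mark-instead-of-drop rule are the standard WRED/ECN algorithm; the weight of 1/16 and the queue-depth samples are constructed values, and the random draw is passed in explicitly so the decision is deterministic.

```python
"""Added example (not Dell's code): the WRED/ECN decision described in the
text, using the pre-defined profile thresholds from Table 54 and an EWMA
average queue size.  The EWMA update, the linear drop-probability ramp
between the minimum and maximum thresholds and the 'ECN-capable packets are
marked instead of dropped' rule are the standard WRED/ECN algorithm; the
weight of 1/16 and the queue-depth samples below are constructed values."""

# Table 54: name -> (minimum threshold, maximum threshold, maximum drop rate %)
PROFILES = {
    "wred_drop":     (0,   0,    100),
    "wred_teng_y":   (594, 5941, 100),
    "wred_teng_g":   (594, 5941, 50),
    "wred_fortyg_y": (594, 5941, 50),
    "wred_fortyg_g": (594, 5941, 25),
}


def update_average(avg, queue_len, weight):
    """One EWMA step: avg <- (1 - w) * avg + w * q.  A small weight smooths
    bursts so a short spike does not trigger drops; a large weight tracks the
    instantaneous queue closely."""
    return (1.0 - weight) * avg + weight * queue_len


def smoothed_averages(queue_depths, weight, avg=0.0):
    """Run the EWMA over a series of instantaneous queue depths."""
    out = []
    for q in queue_depths:
        avg = update_average(avg, q, weight)
        out.append(avg)
    return out


def drop_probability(profile, avg):
    """Probability that a packet is dropped (or ECN-marked) at this average
    queue size: 0 below the minimum threshold, the profile's maximum drop
    rate at the maximum threshold, linear in between, 1.0 at or above the
    maximum threshold (tail drop)."""
    lo, hi, max_pct = PROFILES[profile]
    if avg >= hi:          # also covers wred_drop, where lo == hi == 0
        return 1.0
    if avg < lo:
        return 0.0
    return (max_pct / 100.0) * (avg - lo) / (hi - lo)


def decide(profile, avg, draw, ecn_capable, ecn_enabled):
    """Per-packet decision.  `draw` is a uniform random number in [0, 1)
    passed in explicitly so the function is deterministic and testable.
    Returns 'forward', 'mark' (ECN CE set instead of dropping) or 'drop'."""
    p = drop_probability(profile, avg)
    if draw >= p:
        return "forward"
    if ecn_enabled and ecn_capable:
        return "mark"
    return "drop"


if __name__ == "__main__":
    # A one-sample burst to 6000 packets with weight 1/16 moves the average
    # only to 375, below the 594 minimum threshold: no drops yet.
    print(smoothed_averages([6000, 6000, 6000, 6000], 1 / 16))
    print(drop_probability("wred_teng_g", 3267.5))          # 0.25
    print(decide("wred_teng_g", 3267.5, 0.1, True, True))   # mark
    print(decide("wred_teng_g", 3267.5, 0.1, True, False))  # drop
```

The burst case is the point of the configurable weight: with a small weight a single interval of a full queue never reaches the minimum threshold, so the profile tolerates it, while a sustained queue build-up does raise the average into the drop or ECN-mark range.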
Table 55. Scenarios for WRED and ECN Configuration (continued) Queue Configuration Service-Pool Configuration WRED Threshold Relationship Expected Functionality Q threshold = Q-T Service-pool threshold = SP-T Disabled Disabled N/A N/A N/A WRED/ECN not applicable Enabled Disabled Disabled N/A N/A Queue-based WRED; Enabled N/A Q-T < SP-T SP-T < Q-T No ECN marking Service-pool-based WRED; No ECN marking Enabled Enabled Disabled N/A N/A Queue-based ECN marking above queue threshold.
CONFIGURATION mode Dell(conf)#service-class wred ecn 0, 3-5, 7 backplane Pre-Calculating Available QoS CAM Space Pre-calculating available QoS CAM space allows you to measure the number of CAM entries a policy-map consumes. This feature allows you to avoid applying a policy-map on an interface that requires more CAM entries than are available and receive a CAM full error message (shown in the following example). The partial policy-map configuration might cause unintentional system behavior.
SNMP Support for Buffer Statistics Tracking SNMP support for buffer statistics tracking (BST) counters is implemented in the F10-FPSTATS MIB. BST counters allow you to better monitor system resources and allocate buffer memory. BST counters include the Max Use Count statistic, which provides the maximum counter value over a period of time. In the F10-FPSTATS MIB, the following tables display BST counters: ● fpEgrQBuffSnapshotTable: Retrieves BST statistics from the egress port used in a buffer.
44 Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm. RIP protocol standards are listed in the Standards Compliance chapter.
Topics:
• Protocol Overview
• Implementation Information
• Configuration Information
Protocol Overview
RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2).
Table 56. RIP Defaults

Feature                   Default
Interfaces running RIP    ● Listen to RIPv1 and RIPv2
                          ● Transmit RIPv1
RIP timers                ● update timer = 30 seconds
                          ● invalid timer = 180 seconds
                          ● holddown timer = 180 seconds
                          ● flush timer = 240 seconds
Auto summarization        Enabled
ECMP paths supported      16

Configuration Information
By default, RIP is disabled on the switch. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
To view the global RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
Dell(conf-router_rip)#show config
!
router rip
 network 10.0.0.0
Dell(conf-router_rip)#
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
Dell#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16    [120/1] via 29.10.10.12, 00:00:26, Fa 0/0
160.160.0.0/16    auto-summary
2.0.0.
● Define a specific router to exchange RIP information between it and the Dell Networking system. ROUTER RIP mode neighbor ip-address You can use this command multiple times to exchange RIP information with as many RIP networks as you want. ● Disable a specific interface from sending or receiving RIP routing information.
Setting the Send and Receive Version
To change the RIP version globally or on an interface, use the following commands. To specify the RIP version globally, use the version command in ROUTER RIP mode; only one RIP version can be set globally on the system. To set an interface to send or receive only one version, use the ip rip send version or the ip rip receive version commands in INTERFACE mode; the interface setting overrides the global version for that interface.
Default redistribution metric is 1
Default version control: receive version 2, send version 2
  Interface           Recv   Send
  FastEthernet 0/0    2 1    2
Routing for Networks:
  10.0.0.0
Routing Information Sources:
  Gateway    Distance    Last Update
Distance: (default is 120)
Dell#
Generating a Default Route
Traffic is forwarded to the default route when the traffic's network is not explicitly listed in the routing table. Default routes are not enabled in RIP unless specified.
ROUTER RIP mode distance weight [ip-address mask [access-list-name]] Configure the following parameters: ○ weight: the range is from 1 to 255. The default is 120. ○ ip-address mask: the IP address in dotted decimal format (A.B.C.D), and the mask in slash format (/x). ○ access-list-name: the name of a configured IP ACL. ● Apply an additional number to the incoming or outgoing route metrics.
Figure 105. RIP Topology Example
RIP Configuration on Core2
The following example shows how to configure RIPv2 on a host named Core2.
Core2(conf-if-te-2/31)#
Core2(conf-if-te-2/31)#router rip
Core2(conf-router_rip)#ver 2
Core2(conf-router_rip)#network 10.200.10.0
Core2(conf-router_rip)#network 10.300.10.0
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.0
Core2(conf-router_rip)#show config
!
router rip
 network 10.0.0.
Codes: C - connected, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change ----------- ------- ----------- -
 network 192.168.1.0
 network 192.168.2.0
 version 2
Core3(conf-router_rip)#
Core 3 RIP Output
The examples in this section show the Core 3 RIP output.
● To display the Core 3 RIP database, use the show ip rip database command.
● To display the Core 3 routing table, including the RIP-learned routes, use the show ip route command.
● To display Core 3 RIP activity, use the show ip protocols command.
To view learned RIP routes on Core 3, use the show ip rip database command.
Core3#show ip rip database
Total number of routes in RIP database: 7
10.11.10.
  Interface                  Recv   Send
  TenGigabitEthernet 3/21    2      2
  TenGigabitEthernet 3/11    2      2
  TenGigabitEthernet 3/44    2      2
  TenGigabitEthernet 3/43    2      2
Routing for Networks:
  10.11.20.0
  10.11.30.0
  192.168.2.0
  192.168.1.0
Routing Information Sources:
  Gateway       Distance    Last Update
  10.11.20.2    120         00:00:22
Distance: (default is 120)
Core3#
RIP Configuration Summary
The following example shows viewing the RIP configuration on Core 2.
!
interface TengigabitEthernet
 ip address 10.11.10.
 version 2
 network 10.11.20.0
 network 10.11.30.0
 network 192.168.1.0
 network 192.168.2.
45 Remote Monitoring (RMON) Remote monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
[no] rmon alarm number variable interval {delta | absolute} rising-threshold [value event-number] falling-threshold value event-number [owner string] OR [no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string] Configure the alarm using the following optional parameters: ○ number: alarm number, an integer from 1 to 65,535, the value must be unique in the RMON Alarm Table.
In the following example, the configuration creates RMON event number 1, with the description “High ifOutErrors”, and generates a log entry when an alarm triggers the event. The user nms1 owns the row that is created in the event table by this command. This configuration also generates an SNMP trap when the event is triggered using the SNMP community string “eventtrap”.
The following command example enables an RMON MIB collection history group of statistics with an ID number of 20 and an owner of john, both the sampling interval and the number of buckets use their respective defaults.
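The following is an added example, not code from the Dell guide, that models the alarm logic behind the rmon alarm and rmon hc-alarm commands shown above (hc-alarm differs only in sampling a 64-bit counter). It follows the RMON alarm group defined in RFC 2819: the variable is sampled every interval, compared with the thresholds as a delta or as an absolute value, and a rising event is generated once when the rising threshold is reached and not again until the falling threshold has been reached (and vice versa). That hysteresis is why a counter hovering around a threshold does not generate an event, and therefore a log entry or trap, every interval. The ifOutErrors counter values are constructed.

```python
"""Added example (not Dell's code): the alarm state machine behind
`rmon alarm ... {delta | absolute} rising-threshold ... falling-threshold ...`
as defined for the RMON alarm group in RFC 2819.  Every interval the variable
is sampled; in delta mode the difference from the previous sample is compared
with the thresholds, in absolute mode the sample itself.  Crossing the rising
threshold generates the rising event once and re-arms only after the falling
threshold is crossed (and vice versa).  The ifOutErrors counter values below
are constructed; counter wrap is not handled, to keep the example short."""


class RmonAlarm:
    def __init__(self, rising, falling, mode="delta",
                 rising_event=1, falling_event=2):
        if mode not in ("delta", "absolute"):
            raise ValueError("mode must be 'delta' or 'absolute'")
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising, self.falling, self.mode = rising, falling, mode
        self.rising_event, self.falling_event = rising_event, falling_event
        self.last_sample = None
        # Which event may fire next.  RFC 2819 alarmStartupAlarm default:
        # either a rising or a falling alarm may be the first one generated.
        self.armed = {"rising", "falling"}

    def sample(self, raw):
        """Feed one sampled value; return (kind, value, event_number) when an
        event is generated, otherwise None."""
        if self.mode == "delta":
            if self.last_sample is None:      # no delta yet for the first sample
                self.last_sample = raw
                return None
            value, self.last_sample = raw - self.last_sample, raw
        else:
            value = raw
        if value >= self.rising and "rising" in self.armed:
            self.armed = {"falling"}          # stay quiet until we fall back
            return ("rising", value, self.rising_event)
        if value <= self.falling and "falling" in self.armed:
            self.armed = {"rising"}
            return ("falling", value, self.falling_event)
        return None

    def run(self, samples):
        """Return the list of events generated for a sequence of samples."""
        return [ev for ev in map(self.sample, samples) if ev is not None]


if __name__ == "__main__":
    # Delta alarm on ifOutErrors: event 1 (log + trap) when errors per interval
    # reach 10, event 2 when they drop back to 2 or fewer.  Constructed counter
    # values sampled once per interval.
    counters = [1000, 1005, 1020, 1035, 1036, 1037, 1050]
    alarm = RmonAlarm(rising=10, falling=2, mode="delta")
    for ev in alarm.run(counters):
        print(ev)
    # -> ('rising', 15, 1)  ('falling', 1, 2)  ('rising', 13, 1)
```

Note that the second interval with 15 errors produces no event: the rising alarm is already disarmed until the error rate drops to the falling threshold. A falling threshold too close to the rising one defeats this and turns a noisy counter into a stream of traps.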
46 Rapid Spanning Tree Protocol (RSTP)
The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol, specified by IEEE 802.1w, that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP).
● Flush MAC Addresses after a Topology Change
Important Points to Remember
● RSTP is disabled by default on the switch.
● The system supports only one Rapid Spanning Tree (RST) instance.
● All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology.
● Adding a group of ports to a range of VLANs sends multiple messages to the RSTP task; avoid using the range command.
switchport no shutdown Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. ● Only one path from any bridge to any other bridge is enabled. ● Bridges block a redundant path by disabling one of the link ports. To enable RSTP globally for all Layer 2 interfaces, use the following commands. 1.
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
Dell#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
Bridge Identifier has priority 32768, Address 0001.e801.
Te 3/4   Altr 128.684 128 20000 BLK 20000 P2P No
R3#
Adding and Removing Interfaces
To add and remove interfaces, use the following commands. To add an interface to the Rapid Spanning Tree topology, configure it for Layer 2 and it is automatically added. If you previously disabled RSTP on the interface using the no spanning-tree 0 command, re-enable it using the spanning-tree 0 command.
● Remove an interface from the Rapid Spanning Tree topology.
The range is from 1 to 10. The default is 2 seconds. ● Change the max-age parameter. PROTOCOL SPANNING TREE RSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode. Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps, use the following command. ● Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
A console message appears when a new root bridge has been assigned. The following example shows the console message after the bridge-priority command is used to make R2 the root bridge.
Dell(conf-rstp)#bridge-priority 4096
04:27:59: %SYSTEM-P:RP2 %SPANMGR-5-STP_ROOT_CHANGE: RSTP root changed. My Bridge ID: 4096:0001.e80b.88bd Old Root: 32768:0001.e801.cbb4 New Root: 4096:0001.e80b.
Configuring Fast Hellos for Link State Detection Use RSTP fast hellos to achieve sub-second link-down detection so that convergence is triggered faster. The standard RSTP link-state detection mechanism does not offer the same low link-state detection speed. RSTP fast hellos decrease the hello interval to the order of milliseconds and all timers derived from the hello timer are adjusted accordingly. This feature does not inter-operate with other vendors, and is available only for RSTP.
47 Security This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
A constrained RBAC model provides for separation of duty and, as a result, provides greater security than the hierarchical RBAC model. Essentially, a constrained model puts some limitations around each role's permissions so that you can partition tasks between roles. However, some inheritance is possible. Default command permissions are based on CLI mode (such as configure, interface, router), any specific command settings, and the permissions allowed by the privilege and role commands.
 login authentication test
 authorization exec test
 exec-timeout 0 0
line vty 0
 login authentication test
 authorization exec test
line vty 1
 login authentication test
 authorization exec test
To enable role-based only AAA authorization:
Dell(conf)#aaa authorization role-only
System-Defined RBAC User Roles
By default, the Dell Networking OS provides 4 system defined user roles. You can create up to 8 additional user roles.
NOTE: You cannot delete any system defined roles.
NOTE: You can change user role permissions on system pre-defined user roles or user-defined user roles. Important Points to Remember Consider the following when creating a user role: ● Only the system administrator and user-defined roles inherited from the system administrator can create roles and user names. Only the system administrator, security administrator, and roles inherited from these can use the "role" command to modify command permissions.
The following output displays the modes available for the role command.
Dell(conf)#role ?
configure     Global configuration mode
exec          Exec Mode
interface     Interface configuration mode
line          Line Configuration mode
route-map     Route map configuration mode
router        Router configuration mode
Examples: Deny Network Administrator from Using the show users Command.
configure     Global configuration mode
exec          Exec Mode
interface     Interface configuration mode
line          Line Configuration mode
route-map     Route map configuration mode
router        Router configuration mode
Dell(conf)#do show role mode configure line
Role access:sysadmin
Example: Grant and Remove Security Administrator Access to Configure Protocols
By default, the system defined role, secadmin, is not allowed to configure protocols.
Configure AAA Authentication for Roles Authentication services verify the user ID and password combination. Users with defined roles and users with privileges are authenticated with the same mechanism. There are six methods available for authentication: radius, tacacs+, local, enable, line, and none. When role-based only AAA authorization is enabled, the enable, line, and none methods are not available.
 exec-timeout 0 0
line vty 0
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 1
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 2
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 3
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 4
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
In the following example, you create an AV pair for a system-defined role, sysadmin.
Force10-avpair= "shell:role=sysadmin"
In the following example, you create an AV pair for a user-defined role. You must also define a role, using the userrole myrole inherit command on the switch, to associate it with this AV pair.
Force10-avpair= "shell:role=myrole"
The string "myrole" is associated with a TACACS+ user group. The user IDs are associated with the user group.
service=shell
Active accounted actions on tty3, User admin Priv 15 Role sysadmin
Task ID 2, EXEC Accounting record, 00:00:26 Elapsed, service=shell
Display Information About User Roles
This section describes how to display information about user roles.
Displaying Information About Users Logged into the Switch
To display information on all users logged into the switch, use the show users command in EXEC Privilege mode. The output displays the privilege level and/or user role. The mode is displayed at the start of the output, and both the privilege and the role of every user are displayed. If the role is not defined, the system displays "unassigned".
○ wait-start: ensures that the TACACS+ security server acknowledges the start notice before granting the user's process request. ○ stop-only: use for minimal accounting; instructs the TACACS+ server to send a stop record accounting notice at the end of the requested user process. ○ tacacs+: designate the security service. The system supports only TACACS+.
CONFIGURATION mode or EXEC Privilege mode
show accounting
Dell#show accounting
Active accounted actions on tty2, User admin Priv 1
Task ID 1, EXEC Accounting record, 00:00:39 Elapsed, service=shell
Active accounted actions on tty3, User admin Priv 1
Task ID 2, EXEC Accounting record, 00:00:26 Elapsed, service=shell
Dell#
AAA Authentication
The system supports a distributed client/server system implemented through authentication, authorization, and accounting (AAA) to help secure networks against unauthoriz
The default method-list is applied to all terminal lines. Possible methods are: ● enable: use the password you defined using the enable secret or enable password command in CONFIGURATION mode. ● line: use the password you defined using the password command in LINE mode. ● local: use the username/password database defined in the local configuration. ● none: no authentication. ● radius: use the RADIUS servers configured with the radius-server host command.
To get enable authentication from the RADIUS server and use TACACS+ as a backup, issue the following commands. The RADIUS and TACACS+ servers have to be properly set up for this to work.
Dell(config)# aaa authentication enable default radius tacacs
Dell(config)# radius-server host x.x.x.x key
Dell(config)# tacacs-server host x.x.x.x key
To use local authentication for enable secret on the console, while using remote authentication on VTY lines, issue the following commands.
Privilege Levels Overview Limiting access to the system is one method of protecting the system and your network. However, at times, you might need to allow others access to the router and you can limit that access to a subset of commands. You can configure a privilege level for users who need limited access to the system. Every command in the Dell Networking OS is assigned a privilege level of 0, 1, or 15. You can configure up to 16 privilege levels.
To view usernames, use the show users command in EXEC Privilege mode. Configuring the Enable Password Command To configure the Dell Networking OS, use the enable command to enter EXEC Privilege level 15. After entering the command, the system requests that you enter a password. Privilege levels are not assigned to passwords, rather passwords are assigned to a privilege level. You can always change a password for any privilege level.
● encryption-type: enter 0 for plain text or 7 for encrypted text. Type 7 stores the password in a reversible form that only keeps it out of plain view in the configuration; where a hashed credential is required, use enable secret instead.
● password: enter a string up to 25 characters long.
To change only the password for the enable command, configure only the password parameter.
3. Configure level and commands for a mode or reset a command's level.
traceroute     Trace route to destination
Dell#confi
Dell(conf)#?
end            Exit from Configuration mode
exit           Exit from Configuration mode
no             Reset a command
snmp-server    Modify SNMP parameters
Dell(conf)#
Specifying LINE Mode Password and Privilege
You can specify a password authentication of all users on different terminal lines. The user's privilege level is the same as the privilege level assigned to the terminal line, unless a more specific privilege level is assigned to the user.
RADIUS Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol. This protocol transmits authentication, authorization, and configuration information between a central RADIUS server and a RADIUS client (the Dell Networking system). The system sends user information to the RADIUS server and requests authentication of the user and password. The RADIUS server returns one of the following responses: ● Access-Accept — the RADIUS server authenticates the user.
Auto-Command You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. The auto-command command is executed when the user is authenticated and before the prompt appears to the user. ● Automatically execute a command. auto-command Privilege Levels Through the RADIUS server, you can configure a privilege level for the user to enter into when they connect to a session. This value is configured on the client system. ● Set a privilege level.
Applying the Method List to Terminal Lines To enable RADIUS AAA login authentication for a method list, apply it to a terminal line. To configure a terminal line for RADIUS authentication and authorization, use the following commands. ● Enter LINE mode. CONFIGURATION mode line {aux 0 | console 0 | vty number [end-number]} ● Enable AAA login authentication for the specified RADIUS method list.
CONFIGURATION mode radius-server deadtime seconds ○ seconds: the range is from 0 to 2147483647. The default is 0 seconds. ● Configure a key for all RADIUS communications between the system and RADIUS server hosts. CONFIGURATION mode radius-server key [encryption-type] key ○ encryption-type: enter 7 to encrypt the password. Enter 0 to keep the password as plain text. ○ key: enter a string. The key can be up to 42 characters long. You cannot use spaces in the key.
To select TACACS+ as the login authentication method, use the following commands.
1. Configure a TACACS+ server host.
CONFIGURATION mode
tacacs-server host {ip-address | host}
Enter the IP address or host name of the TACACS+ server. Use this command multiple times to configure multiple TACACS+ server hosts.
2. Enter a text string (up to 16 characters long) as the name of the method list you wish to use with the TACACS+ authentication method.
Monitoring TACACS+ To view information on TACACS+ transactions, use the following command. ● View TACACS+ transactions to troubleshoot problems. EXEC Privilege mode debug tacacs+ TACACS+ Remote Authentication and Authorization The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet sizes.
To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command.
freebsd2# telnet 2200:2200:2200:2200:2200::2202
Trying 2200:2200:2200:2200:2200::2202...
Connected to 2200:2200:2200:2200:2200::2202.
Escape character is '^]'.
Login: admin
Password:
Dell#
Command Authorization
The AAA command authorization feature configures the system to send each configuration command to a TACACS+ server for authorization before it is added to the running configuration.
CONFIGURATION mode
ip ssh server version {1|2}
● Display SSH connection information.
EXEC Privilege mode
show ip ssh
The following example shows using the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting. SSH protocol version 1 has known cryptographic weaknesses and should not be offered; restrict the server to version 2. Note that the server itself is still disabled in this output; enabling it is a separate step (ip ssh server enable).
Dell(conf)#ip ssh server version 2
Dell(conf)#do show ip ssh
SSH server                : disabled.
SSH server version        : v2.
Password Authentication   : enabled.
Hostbased Authentication  : disabled.
RSA Authentication        : disabled.
Dell#copy scp: flash:
Address or name of remote host []: 10.10.10.1
Port number of the server [22]: 99
Source file name []: test.cfg
User name to login remote host: admin
Password to login remote host:
Removing the RSA Host Keys and Zeroizing Storage
Use the crypto key zeroize rsa command to delete the host key pairs, both the public and private key information, for RSA 1 and/or RSA 2 types. Note that when FIPS mode is enabled there is no RSA 1 key pair.
● aes192-ctr
● aes256-ctr
The default cipher list is 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
Example of Configuring a Cipher List
The following example shows you how to configure a cipher list. The list in this example still offers 3des-cbc; 3DES and the CBC-mode ciphers are legacy algorithms, so a list restricted to the -ctr ciphers (aes128-ctr aes192-ctr aes256-ctr) is the hardened choice when all clients support it.
Dell(conf)#ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr
Configuring the HMAC Algorithm for the SSH Server
To configure the HMAC algorithm for the SSH server, use the ip ssh server mac hmac-algorithm command in CONFIGURATION mode.
Secure Shell Authentication
Secure Shell (SSH) is disabled by default. Enable SSH using the ip ssh server enable command.
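The following is an added example, not code from the Dell guide, that audits a running-config excerpt offline for the access-security settings this chapter covers: the SSH protocol version (ip ssh server version), CBC-mode entries in the SSH cipher list (3des-cbc and the aes*-cbc ciphers from the supported list above), AAA method lists that end in the none method (no authentication), RADIUS/TACACS+ keys and passwords stored with encryption-type 0 (plain text), and enable password where enable secret is available. Both configuration texts are constructed to exercise the checks and are not captured from a device; the command forms follow those shown in this chapter, and the hashed enable secret value is a placeholder.

```python
"""Added example (not Dell's code): an offline audit of a running-config
excerpt for the access-security settings covered in this chapter.  It flags
SSH protocol version 1, CBC-mode SSH ciphers (3des-cbc and the aes*-cbc
entries from the supported list), AAA method lists that fall back to 'none',
credentials stored with encryption-type 0 (plain text), and 'enable password'
where 'enable secret' is available.  Both configuration texts are constructed
to exercise the checks and are not captured from a device; the command
syntax follows the forms shown in this chapter."""

import re

# CBC ciphers from the page's supported cipher list; the -ctr entries are the
# ones a restricted list should keep.
WEAK_SSH_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}

SAMPLE_CONFIG = """\
! constructed running-config excerpt (weak settings)
ip ssh server version 1
ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr
ip ssh server enable
aaa authentication login default radius none
aaa authentication enable default radius tacacs+
radius-server key 0 sharedsecret
tacacs-server host 10.10.10.2
enable password 0 letmein
line vty 0
 login authentication default
"""

HARDENED_CONFIG = """\
! constructed running-config excerpt (corrected settings; hash is a placeholder)
ip ssh server version 2
ip ssh server cipher aes128-ctr aes192-ctr aes256-ctr
ip ssh server enable
aaa authentication login default radius local
aaa authentication enable default radius tacacs+
radius-server key 7 0123456789abcdef
tacacs-server host 10.10.10.2
enable secret 5 $1$constructed$hashvalue
line vty 0
 login authentication default
"""


def audit_config(text):
    """Return a list of (line_number, check_id, message) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue

        m = re.match(r"ip ssh server version (\d)$", line)
        if m and m.group(1) == "1":
            findings.append((lineno, "ssh-v1",
                             "SSH protocol version 1 enabled; use 'ip ssh server version 2'"))

        m = re.match(r"ip ssh server cipher (.+)$", line)
        if m:
            weak = sorted(set(m.group(1).split()) & WEAK_SSH_CIPHERS)
            if weak:
                findings.append((lineno, "ssh-weak-cipher",
                                 "CBC-mode ciphers in SSH cipher list: " + ", ".join(weak)))

        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)$", line)
        if m and "none" in m.group(3).split():
            findings.append((lineno, "aaa-none",
                             f"{m.group(1)} method list '{m.group(2)}' falls back to 'none' (no authentication)"))

        # encryption-type 0 on a key or password leaves the secret readable
        # by anyone who can view or copy the configuration
        if re.search(r"\b(key|password) 0 \S+", line):
            findings.append((lineno, "plaintext-secret",
                             "credential stored with encryption-type 0 (plain text in the configuration)"))

        if line.startswith("enable password"):
            findings.append((lineno, "enable-password",
                             "'enable password' is stored reversibly; prefer 'enable secret'"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("line %2d  %-17s %s" % f)
    print("hardened findings:", audit_config(HARDENED_CONFIG))   # []
```

Run against a saved show running-config, the script gives a repeatable pre-change check; the aaa-none finding deserves a look rather than an automatic fix, because none as the last method is sometimes kept deliberately on the console line to avoid lockout when every AAA server is unreachable, but it should never be the fallback on VTY lines.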
CONFIGURATION mode
no ip ssh password-authentication enable
4. Enable RSA authentication.
EXEC Privilege mode
ip ssh rsa-authentication enable
5. Bind the public keys to RSA authentication by specifying the file on the switch that holds the authorized client public keys.
EXEC Privilege mode
ip ssh rsa-authentication my-authorized-keys flash://public_key
admin@Unix_client#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
/home/admin/.ssh/id_rsa already exists.
id_rsa id_rsa.pub shosts admin@Unix_client# cat shosts 10.16.127.201, ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8K7jLZRVfjgHJzUOmXxuIbZx/AyW hVgJDQh39k8v3e8eQvLnHBIsqIL8jVy1QHhUeb7GaDlJVEDAMz30myqQbJgXBBRTWgBpLWwL/ doyUXFufjiL9YmoVTkbKcFmxJEMkE3JyHanEi7hg34LChjk9hL1by8cYZP2kYS2lnSyQWk= The following example shows creating rhosts. admin@Unix_client# ls id_rsa id_rsa.pub rhosts shosts admin@Unix_client# cat rhosts 10.16.127.
VTY Line and Access-Class Configuration Various methods are available to restrict VTY access in the Dell Networking OS. These depend on which authentication scheme you use — line, local, or remote. Table 59.
VTY Line Remote Authentication and Authorization The system retrieves the access class from the VTY line. The Dell Networking OS takes the access class from the VTY line and applies it to ALL users. The system does not need to know the identity of the incoming user and can immediately apply the access class. If the authentication method is RADIUS, TACACS +, or line, and you have configured an access class for the VTY line, the system immediately applies it.
48 Service Provider Bridging
Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell Networking OS.
Topics:
• VLAN Stacking
• VLAN Stacking Packet Drop Precedence
• Dynamic Mode CoS for VLAN Stacking
• Layer 2 Protocol Tunneling
• Provider Backbone Bridging
VLAN Stacking
Virtual local area network (VLAN) stacking is supported on the platform. VLAN stacking, also called Q-in-Q, is defined in IEEE 802.
Figure 107. VLAN Stacking in a Service Provider Network Important Points to Remember ● Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-stack-enabled VLAN. ● Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-stack VLAN.
Related Configuration Tasks
● Configuring the Protocol Type Value for the Outer VLAN Tag
● Configuring Options for Trunk Ports
● Debugging VLAN Stacking
● VLAN Stacking in Multi-Vendor Networks
Creating Access and Trunk Ports
To create access and trunk ports, use the following commands.
● Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
    NUM   Status     Q Ports
*   1     Active     U Te 1/0-5,18
    2     Inactive
    3     Inactive
    4     Inactive
    5     Inactive
    6     Active     M Po1(Te 1/14-15)
                     M Te 1/13
Dell#
Configuring the Protocol Type Value for the Outer VLAN Tag
The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command.
● Select a value for the S-Tag TPID.
CONFIGURATION mode
vlan-stack protocol-type
The default is 9100.
Dell(conf-if-vl-103-stack)#member tengigabitethernet 0/1
Dell(conf-if-vl-103-stack)#do show vlan
Codes: * - Default VLAN, G - GVRP VLANs
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   G - GVRP tagged, M - Vlan-stack
NUM * 1 100 101 103 Status Inactive Inactive Inactive Inactive Description Q Ports U Te 0/1 T Te 0/1 M Te 0/1
Debugging VLAN Stacking
To debug VLAN stacking, use the following command.
● Debug the internal state and membership of a VLAN and its ports.
For example, if you configure TPID 0x9100, the system treats 0x8100 and untagged traffic the same and maps both types to the default VLAN, as shown by the frame originating from Building C. For the same traffic types, if you configure TPID 0x8100, the system is able to differentiate between 0x8100 and untagged traffic and maps each to the appropriate VLAN, as shown by the packet originating from Building A.
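The following is an added example, not code from the Dell guide, that parses a VLAN-stacked frame the way a provider trunk port classifies it, to make the TPID-mismatch behaviour above concrete. A tag is recognized as the S-Tag only when its TPID equals the configured vlan-stack protocol-type value, and an 0x8100 tag is the customer C-Tag. With S-TPID 0x9100 configured, a frame carrying only an 0x8100 tag has no recognizable S-Tag and is classified into the default VLAN exactly like an untagged frame; with S-TPID 0x8100 the same frame is classified by its tag. The DEI bit of the S-Tag (the CFI bit position of a C-Tag) is extracted as well. The MAC addresses, VLAN IDs and payload are constructed.

```python
"""Added example (not Dell's code): parsing a VLAN-stacked (Q-in-Q) Ethernet
frame the way a provider trunk port classifies it.  A tag is recognized as
the S-Tag only when its TPID equals the configured `vlan-stack protocol-type`
value; an 0x8100 tag is the customer C-Tag.  Frames whose outer TPID does not
match the configured value land in the default VLAN, like untagged frames.
The MAC addresses, VLAN IDs and payload below are constructed."""

import struct

ETH_P_CTAG = 0x8100      # customer tag TPID
DEFAULT_VLAN = 1


def _u16(frame, off):
    if off + 2 > len(frame):
        raise ValueError("truncated frame at offset %d" % off)
    return struct.unpack_from("!H", frame, off)[0]


def _tci(tci):
    # TCI layout: 3 bits PCP | 1 bit DEI (CFI in a C-Tag) | 12 bits VID
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def parse_frame(frame, s_tpid):
    """Return dst/src, the S-Tag (if its TPID matches s_tpid), the C-Tag (if an
    0x8100 tag follows) and the remaining EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    parsed = {"dst": frame[0:6], "src": frame[6:12], "s_tag": None, "c_tag": None}
    off = 12
    tpid = _u16(frame, off)
    if tpid == s_tpid:                    # outer tag recognized as the S-Tag
        parsed["s_tag"] = _tci(_u16(frame, off + 2))
        off += 4
        tpid = _u16(frame, off)
    if tpid == ETH_P_CTAG:                # customer tag
        parsed["c_tag"] = _tci(_u16(frame, off + 2))
        off += 4
        tpid = _u16(frame, off)
    parsed["ethertype"] = tpid
    parsed["payload"] = frame[off + 2:]
    return parsed


def provider_vlan(parsed):
    """The service-provider VLAN a trunk port forwards this frame on: the
    S-Tag VID when one was recognized, otherwise the default VLAN (the
    'treated the same as untagged' case from the text)."""
    return parsed["s_tag"]["vid"] if parsed["s_tag"] else DEFAULT_VLAN


def build_frame(dst, src, tags, ethertype, payload):
    """tags: list of (tpid, pcp, dei, vid) from outermost to innermost."""
    out = bytearray(dst + src)
    for tpid, pcp, dei, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


# Constructed frames
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
IPV4 = 0x0800
DOUBLE_TAGGED = build_frame(DST, SRC, [(0x9100, 5, 1, 103), (0x8100, 0, 0, 20)], IPV4, b"ip")
SINGLE_TAGGED = build_frame(DST, SRC, [(0x8100, 0, 0, 20)], IPV4, b"ip")

if __name__ == "__main__":
    p = parse_frame(DOUBLE_TAGGED, s_tpid=0x9100)
    print(p["s_tag"], p["c_tag"], hex(p["ethertype"]), provider_vlan(p))
    # The same frame on a switch configured with S-TPID 0x88a8 (mismatch):
    print(provider_vlan(parse_frame(DOUBLE_TAGGED, s_tpid=0x88A8)))   # 1
    # Single 0x8100-tagged frame: default VLAN with S-TPID 0x9100, VLAN 20 with 0x8100
    print(provider_vlan(parse_frame(SINGLE_TAGGED, s_tpid=0x9100)),
          provider_vlan(parse_frame(SINGLE_TAGGED, s_tpid=0x8100)))
```

The mismatch case is worth checking whenever two vendors meet on a trunk: a frame double-tagged with 0x9100 arriving at a port configured for 0x88a8 is not seen as tagged at all, so its customer VLAN is lost and it is forwarded in the provider's default VLAN.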
Figure 109.
Figure 110. Single and Double-Tag TPID Mismatch VLAN Stacking Packet Drop Precedence VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested. Enabling Drop Eligibility Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
Table 60. Drop Eligibility Behavior (continued)

Ingress       Egress       DEI Disabled              DEI Enabled
Trunk Port    Trunk Port   Retain inner tag CFI.     Retain inner tag CFI.
                           Retain outer tag CFI.     Set outer tag CFI to 0.
Access Port   Trunk Port   Retain inner tag CFI.     Retain inner tag CFI.
                           Set outer tag CFI to 0.   Set outer tag CFI to 0.

To enable drop eligibility globally, use the following command.
● Make packets eligible for dropping based on their DEI value.
To display the DEI-marking configuration, use the show interface dei-mark [interface slot/port | linecard number port-set number] command in EXEC Privilege mode.
Dell#show interface dei-mark
Default CFI/DEI Marking: 0
Interface    Drop precedence    CFI/DEI
---------------------------------------
Te 0/1       Green              0
Te 0/1       Yellow             1
Te 1/9       Yellow             0
Te 1/40      Yellow             0
Dynamic Mode CoS for VLAN Stacking
One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.
Examples of QoS Interface Configuration and Rate Policing
policy-map-input in layer2
 service-queue 3 class-map a qos-policy 3
!
class-map match-any a layer2
 match mac access-group a
!
mac access-list standard a
 seq 5 permit any
!
qos-policy-input 3 layer2
 rate-police 40
Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3.
Layer 2 Protocol Tunneling Spanning tree bridge protocol data units (BPDUs) use a reserved destination MAC address called the bridge group address, which is 01-80-C2-00-00-00. Only spanning-tree bridges on the local area network (LAN) recognize this address and process the BPDU.
Figure 113. VLAN Stacking with L2PT Implementation Information ● L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. ● No protocol packets are tunneled when you enable VLAN stacking. ● L2PT requires the default CAM profile. Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT. EXEC Privilege mode show cam-profile 2.
INTERFACE VLAN mode protocol-tunnel stp Specifying a Destination MAC Address for BPDUs By default, the system uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command. ● Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
originally specified in 802.1Q. Only bridges in the service provider network use this destination MAC address so these bridges treat BPDUs originating from the customer network as normal data frames, rather than consuming them. The same is true for GARP VLAN registration protocol (GVRP). 802.
49 sFlow

sFlow is a standards-based sampling technology embedded within switches and routers that is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
Important Points to Remember ● The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset. ● By default, sFlow collection is supported only on data ports. If you want to enable sFlow collection through management ports, use the management egress-interface-selection and application sflow-collector commands in Configuration and EIS modes respectively. ● Dell Networking OS exports all sFlow packets to the collector. A small sampling rate can equate to many exported packets.
● View the maximum header size of a packet.
  show running-config sflow

Example of the show sflow command when the sflow max-header-size extended is configured globally

Dell(conf-if-te-1/10)#show sflow
sFlow services are enabled
Egress Management Interface sFlow services are disabled
Global default sampling rate: 32768
Global default counter polling interval: 86400
Global default extended maximum header size: 256 bytes
Global extended information enabled: none
1 collectors configured
Collector IP addr: 100.1.
The first bold line indicates that sFlow is globally enabled. The following bold lines indicate that sFlow is enabled on linecards Te 1/16 and Te 1/17.

Dell#show sflow
sFlow services are enabled
Global default sampling rate: 32768
Global default counter polling interval: 20
1 collectors configured
Collector IP addr: 133.33.33.53, Agent IP addr: 133.33.33.
UDP packets exported via RP :
UDP packets dropped :77

Configuring Specify Collectors
The sflow collector command allows identification of sFlow collectors to which sFlow datagrams are forwarded. You can specify up to two sFlow collectors. If you specify two collectors, the samples are sent to both.
● Identify sFlow collectors to which sFlow datagrams are forwarded.
sFlow on LAG ports
When a physical port becomes a member of a LAG, it inherits the sFlow configuration from the LAG port.

Enabling Extended sFlow
Extended sFlow packs additional information in the sFlow datagram depending on the type of sampled packet. You can enable the following options:
● extended-switch — 802.1Q VLAN ID and 802.1p priority information.
● extended-router — Next-hop and source and destination mask length.
● extended-gateway — Source and destination AS number and the BGP next-hop.
Table 61. Extended Gateway Summary

IP SA                 | IP DA                 | srcAS and srcPeerAS | dstAS and dstPeerAS | Description
----------------------|-----------------------|---------------------|---------------------|------------
static/connected/IGP  | static/connected/IGP  | —                   | —                   | Extended gateway data is not exported because there is no AS information.
static/connected/IGP  | BGP                   | 0                   | Exported            | src_as and src_peer_as are zero because there is no AS information for IGP.
50 Simple Network Management Protocol (SNMP)

The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention.
NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
Configuration Task List for SNMP
Configuring SNMP version 1 or version 2 requires a single step.
NOTE: The configurations in this chapter use a UNIX environment with net-snmp version 5.4. This environment is only one of many RFC-compliant SNMP utilities you can use to manage your Dell Networking system using SNMP. Also, these configurations use SNMP version 2c.
● Creating a Community
Configuring SNMP version 3 requires configuring SNMP users in one of three methods.
The system enables SNMP automatically when you create an SNMP community and displays the following message. You must specify whether members of the community may only retrieve values (read), or retrieve and alter values (read-write).

22:31:23: %SYSTEM-P:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.

To choose a name for the community you create, use the following command.
● Choose a name for the community.
  snmp-server group group-name {oid-tree} priv read name write name
● Configure the user with a secure authorization password and privacy password.
  CONFIGURATION mode
  snmp-server user name group-name {oid-tree} auth md5 auth-password priv des56 priv password
● Configure an SNMPv3 view.
  CONFIGURATION mode
  snmp-server view view-name oid-tree {included | excluded}

Dell(conf)#snmp-server host 1.1.1.
Writing Managed Object Values
You may only alter (write) a managed object value if your management station is a member of the same community as the SNMP agent, and the object is writable. Use the following command to write or write-over the value of a managed object.
● To write or write-over the value of a managed object.
  snmpset -v version -c community agent-ip {identifier.instance | descriptor.instance} syntax value

> snmpset -v 2c -c mycommunity 10.11.131.161 sysName.0 s "R5"
SNMPv2-MIB::sysName.
Subscribing to Managed Object Value Updates using SNMP
By default, the system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system. The following sets of traps are supported:
● RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighborLoss.
CARD_MISMATCH: Mismatch: line card %d is type %s - type %s required.
TASK SUSPENDED: SUSPENDED - svce:%d - inst:%d - task:%s
SYSTEM-P:CP %CHMGR-2-CARD_PARITY_ERR
ABNORMAL_TASK_TERMINATION: CRASH - task:%s %s
CPU_THRESHOLD: Cpu %s usage above threshold. Cpu5SecUsage (%d)
CPU_THRESHOLD_CLR: Cpu %s usage drops below threshold. Cpu5SecUsage (%d)
MEM_THRESHOLD: Memory %s usage above threshold. MemUsage (%d)
MEM_THRESHOLD_CLR: Memory %s usage drops below threshold.
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 6
Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1489568) 4:08:15.68, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.
Table 62. MIB Objects for Copying Configuration Files via SNMP (continued)

3 = startup-config

MIB Object: copyDestFileLocation
OID: .1.3.6.1.4.1.6027.3.5.1.1.1.1.6
Object Values: 1 = flash
Description: Specifies the location of the destination file.
● If copySourceFileType is running-config or startup-config, the default copyDestFileLocation is flash.
● If copyDestFileType is a binary, you must specify copyDestFileLocation and copyDestFileName.
● index must be unique to all previously executed snmpset commands. If an index value has been used previously, a message like the following appears. In this case, increment the index value and enter the command again.

Error in packet.
Reason: notWritable (that object does not support modification)
Failed object: FTOS-COPY-CONFIG-MIB::copySrcFileType.101

● To complete the command, use as many MIB objects in the command as required by the MIB object descriptions shown in the previous table.
The following example shows copying configuration files from a UNIX machine using the object name.

> snmpset -c public -v 2c -m ./f10-copy-config.mib 10.11.131.162 copySrcFileType.7 i 3 copyDestFileType.7 i 2
FTOS-COPY-CONFIG-MIB::copySrcFileType.7 = INTEGER: runningConfig(3)
FTOS-COPY-CONFIG-MIB::copyDestFileType.7 = INTEGER: startupConfig(2)

The following example shows copying configuration files from a UNIX machine using the OID.

> snmpset -c public -v 2c 10.11.131.162 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.
Copy a Binary File to the Startup-Configuration
To copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP, use the following command.
● Copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP.
  snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.index i 4 copySrcFileName.index s filepath/filename copyDestFileType.index i 3 copyServerAddress.
index: the index value used in the snmpset command used to complete the copy operation.
NOTE: You can use the entire OID rather than the object name. Use the form: OID.index.
The following examples show the snmpget command to obtain a MIB object value. These examples assume that:
● the server OS is UNIX
● you are using SNMP version 2c
● the community name is public
● the file f10-copy-config.mib is in the current directory
NOTE: In UNIX, enter the snmpset command for help using this command.
MIB Support to Display the Software Core Files Generated by the System
Dell Networking provides MIB objects to display the software core files generated by the system. The chSysSwCoresTable contains the list of software core files generated by the system. The following table lists the related MIB objects.

Table 65. MIB Objects for Displaying the Software Core Files Generated by the System

MIB Object         | OID                        | Description
-------------------|----------------------------|------------
chSysSwCoresTable  | 1.3.6.1.4.1.6027.3.25.1.2. |
Manage VLANs using SNMP
The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allow you to use SNMP to manage VLANs.

Creating a VLAN
To create a VLAN, use the dot1qVlanStaticRowStatus object. The snmpset operation shown in the following example creates VLAN 10 by specifying a value of 4 for instance 10 of the dot1qVlanStaticRowStatus object.

> snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4
SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.
To set the time to wait, set 1.3.6.1.4.1.6027.3.18.1.2 and 1.3.6.1.4.1.6027.3.18.1.5 respectively. To set the time to wait until the BGP sessions are up, set 1.3.6.1.4.1.6027.3.18.1.3 and 1.3.6.1.4.1.6027.3.18.1.6.

Enabling and Disabling a Port using SNMP
To enable and disable a port using SNMP, use the following commands.
1. Create an SNMP community on the Dell system.
   CONFIGURATION mode
   snmp-server community
2.
For example, the decimal equivalent of E8 is 232, so the instance number for MAC address 00:01:e8:06:95:ac is .0.1.232.6.149.172. The value of dot1dTpFdbPort is the port number of the port on which the system learns the MAC address. In this case, for TenGigabitEthernet 1/21, the manager returns the integer 118.
Starting from the least significant bit (LSB) in the preceding figure:
● The first 14 bits represent the card type of a physical interface or the interface number of a logical interface.
● The next 4 bits represent the interface type.
● The next 12 bits represent the slot and port numbers.
● The next bit is 0 for a physical interface and 1 for a logical interface.
● The last bit is unused.
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.5.1 = Hex-STRING: 00 00
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.5.2 = Hex-STRING: 00 00
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.6.1 = STRING: "Te 5/84 "   << Channel member for Po1
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.6.2 = STRING: "Te 5/85 "   << Channel member for Po2
dot3aCommonAggFdbIndex
SNMPv2-SMI::enterprises.6027.3.2.1.1.6.1.1.1107755009.1 = INTEGER: 1107755009
dot3aCommonAggFdbVlanId
SNMPv2-SMI::enterprises.6027.3.2.1.1.6.1.2.1107755009.
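An added example (not from the Dell guide) that decodes the interface-index bit layout listed above and builds the dot1dTpFdbTable instance suffix for a MAC address, as used in the dot1dTpFdbPort lookup. The dataclass, field names and helper names are mine; the interface-type codes and the internal split of the 12-bit slot/port field are not stated on the page, so those fields are returned as raw values.

```python
"""Added example (not from the Dell guide): decode the Dell Networking
interface-index bit layout described above and build the OID instance
suffix SNMP uses for a MAC address in dot1dTpFdbTable.

Bit layout, counted from the least significant bit (as stated above):
  bits  0-13 : card type (physical) or interface number (logical)
  bits 14-17 : interface type
  bits 18-29 : slot and port numbers
  bit  30    : 0 = physical interface, 1 = logical interface
  bit  31    : unused
The page does not say how slot and port share the 12-bit field or which
numeric codes the interface-type field uses, so both are returned raw.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IfIndexFields:
    number_or_card: int  # bits 0-13
    if_type: int         # bits 14-17 (raw code, meaning not on the page)
    slot_port: int       # bits 18-29 (raw value, split not on the page)
    logical: bool        # bit 30


def decode_ifindex(ifindex: int) -> IfIndexFields:
    """Split a 32-bit Dell ifIndex into the fields listed above."""
    if not 0 <= ifindex <= 0xFFFFFFFF:
        raise ValueError("ifIndex must be an unsigned 32-bit value")
    return IfIndexFields(
        number_or_card=ifindex & 0x3FFF,
        if_type=(ifindex >> 14) & 0xF,
        slot_port=(ifindex >> 18) & 0xFFF,
        logical=bool((ifindex >> 30) & 0x1),
    )


def mac_to_oid_instance(mac: str) -> str:
    """Return the dotted-decimal instance suffix for a MAC address: each
    of the six octets written as a decimal number, so 00:01:e8:06:95:ac
    (the page's own example) becomes .0.1.232.6.149.172."""
    parts = mac.strip().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    try:
        octets = [int(p, 16) for p in parts]
    except ValueError:
        raise ValueError(f"non-hex octet in MAC address: {mac!r}") from None
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"octet out of range in MAC address: {mac!r}")
    return "." + ".".join(str(o) for o in octets)


# BRIDGE-MIB dot1dTpFdbPort: the bridge port that learned the MAC address.
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"


def fdb_port_oid(mac: str) -> str:
    """Full OID to query with snmpget for the port that learned `mac`."""
    return DOT1D_TP_FDB_PORT + mac_to_oid_instance(mac)


if __name__ == "__main__":
    print(fdb_port_oid("00:01:e8:06:95:ac"))
    # 1107755009 is the dot3aCommonAggFdbIndex value in the walk output above.
    print(decode_ifindex(1107755009))
```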
● When you query an icmpStatsInErrors object in the icmpStats table by using the snmpget or snmpwalk command, the output for IPv4 addresses may be incorrectly displayed. To correctly display this information under IP and ICMP statistics, use the show ip traffic command. ● When you query an IPv4 icmpMsgStatsInPkts object in the ICMP table by using the snmpwalk command, the echo response output may not be displayed. To correctly display ICMP statistics, such as echo response, use the show ip traffic command.
51 Storm Control

Storm control allows you to control unknown-unicast and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell Networking OS Behavior: The switch supports broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic.
Topics:
• Configure Storm Control

Configure Storm Control
Storm control is supported in INTERFACE mode and CONFIGURATION mode.

Configuring Storm Control from INTERFACE Mode
To configure storm control, use the following command.
52 Spanning Tree Protocol (STP)

The spanning tree protocol (STP) is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network.
● Modifying Interface STP Parameters
● Enabling PortFast
● Prevent Network Disruptions with BPDU Guard
● STP Root Guard
● Enabling SNMP Traps for Root Elections and Topology Changes

Important Points to Remember
● STP is disabled by default.
● The Dell Networking OS supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+). You may only enable one flavor of spanning tree at any one time.
Configuring Interfaces for Layer 2 Mode
All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled.

Figure 114. Example of Configuring Interfaces for Layer 2 Mode

To configure and enable the interfaces for Layer 2, use the following commands.
1. If the interface has been assigned an IP address, remove it.
   INTERFACE mode
   no ip address
2. Place the interface in Layer 2 mode.
   INTERFACE mode
   switchport
3. Enable the interface.
   no shutdown
Dell(conf-if-te-1/1)#

Enabling Spanning Tree Protocol Globally
Enable the spanning tree protocol globally; it is not enabled by default. When you enable STP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the Spanning Tree topology.
● Only one path from any bridge to any other bridge participating in STP is enabled.
● Bridges block a redundant path by disabling one of the link ports.

Figure 115.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.

R2#show spanning-tree 0
Executing IEEE compatible Spanning Tree Protocol
Bridge Identifier has priority 32768, address 0001.e826.ddb7
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32768, address 0001.e80d.
Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP. NOTE: Dell Networking recommends that only experienced network administrators change the spanning tree parameters. Poorly planned modification of the spanning tree parameters can negatively affect network performance. The following table displays the default values for STP. Table 68.
Modifying Interface STP Parameters You can set the port cost and port priority values of interfaces in Layer 2 mode. ● Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port. ● Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost. The default values are listed in Modifying Global Parameters.
Preventing Network Disruptions with BPDU Guard
Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/Edgeport (edgeports) do not expect to receive BPDUs. If an edgeport does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
Figure 116. Enabling BPDU Guard

Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features.
BPDU guard:
● is used on edgeports and blocks all traffic on the edgeport if it receives a BPDU.
● drops the BPDU after it reaches the Route Processor and generates a console message.
Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command. ● Assign a number as the bridge priority or designate it as the root or secondary root.
Figure 117. STP Root Guard Prevents Bridging Loops

Configuring Root Guard
Enable STP root guard on a per-port or per-port-channel basis.
Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard:
● Root guard is supported on any STP-enabled port or port-channel interface.
To disable STP root guard on a port or port-channel interface, use the no spanning-tree 0 rootguard command in an interface configuration mode. To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in a global configuration mode. Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps individually or collectively, use the following commands.
Figure 118. STP Loop Guard Prevents Forwarding Loops

Configuring Loop Guard
Enable STP loop guard on a per-port or per-port-channel basis. The following conditions apply to a port enabled with loop guard:
● Loop guard is supported on any STP-enabled port or port-channel interface.
○ If no BPDU is received from a remote device, loop guard places the port in a Loop-Inconsistent Blocking state and no traffic is forwarded on the port. ● When used in a PVST+ network, STP loop guard is performed per-port or per-port channel at a VLAN level. If no BPDUs are received on a VLAN interface, the port or port-channel transitions to a Loop-Inconsistent (Blocking) state only for this VLAN. To enable a loop guard on an STP-enabled port or port-channel interface, use the following command.
53 System Time and Date

System time and date settings are user-configurable and maintained through the network time protocol (NTP). System times and dates are also set in hardware settings using the Dell Networking OS CLI.
Topics:
• Network Time Protocol
• Time and Date

Network Time Protocol
The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients. The protocol also coordinates time distribution in a large, diverse network with various interfaces.
Protocol Overview
An NTP client sends messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode.

R6(conf)#do show ntp status
Clock is synchronized, stratum 2, reference is 192.168.1.1
frequency is -369.623 ppm, stability is 53.319 ppm, precision is 4294967279
reference time is CD63BCC2.0CBBD000 (16:54:26.049 UTC Thu Mar 12 2009)
clock offset is 997.529984 msec, root delay is 0.00098 sec
root dispersion is 10.04271 sec, peer dispersion is 10032.
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. ○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. ○ For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. To view the configuration, use the show running-config ntp command in EXEC privilege mode (refer to the example in Configuring NTP Authentication).
ntp master
To configure the switch as an NTP server, use the ntp master command. The stratum number identifies the NTP server's hierarchy. The following example shows configuring an NTP server.

R6_E300(conf)#1w6d23h : NTP: xmit packet to 192.168.1.1:
leap 0, mode 3, version 3, stratum 2, ppoll 1024
rtdel 0219 (8.193970), rtdsp AF928 (10973.266602), refid C0A80101 (192.168.1.1)
ref CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009)
org CD7F4F63.68000000 (14:51:15.
● Receive Timestamp — the arrival time on the client of the last NTP message from the server. If the server becomes unreachable, the value is set to zero. ● Transmit Timestamp — the departure time on the server of the current NTP message from the sender. ● Filter dispersion — the error in calculating the minimum delay from a set of sample data from a peer. To view the NTP configuration, use the show running-config ntp command in EXEC privilege mode.
Setting the Timezone Universal time coordinated (UTC) is the time standard based on the International Atomic Time standard, commonly known as Greenwich Mean time. When determining system time, include the differentiator between UTC and your local timezone. For example, San Jose, CA is the Pacific Timezone with a UTC offset of -8. To set the clock timezone, use the following command. ● Set the clock to the appropriate timezone.
from "none" to "Summer time starts 00:00:00 Pacific Sat Mar 14 2009;Summer time ends 00:00:00 pacific Sat Nov 7 2009"

Setting Recurring Daylight Saving Time
Set a date (and time zone) on which to convert the switch to daylight saving time on a specific day every year. If you have already set daylight saving for a one-time setting, you can set that date and time as the recurring setting with the clock summer-time time-zone recurring command.
last    Week number to start

Dell(conf)#clock summer-time pacific recurring
Dell(conf)#02:10:57: %SYSTEM-P:CP %CLOCK-6-TIME CHANGE: Summertime configuration changed from "Summer time starts 00:00:00 Pacific Sat Mar 14 2009 ; Summer time ends 00:00:00 pacific Sat Nov 7 2009" to "Summer time starts 02:00:00 Pacific Sun Mar 8 2009;Summer time ends 02:00:00 pacific Sun Nov 1 2009"
54 Tunneling

Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported.
 tunnel source 60.1.1.1
 tunnel mode ipv6ip
 no shutdown

The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic):

Dell(conf)#interface tunnel 3
Dell(conf-if-tu-3)#tunnel source 5::5
Dell(conf-if-tu-3)#tunnel destination 8::9
Dell(conf-if-tu-3)#tunnel mode ipv6
Dell(conf-if-tu-3)#ip address 3.1.1.1/24
Dell(conf-if-tu-3)#ipv6 address 3::1/64
Dell(conf-if-tu-3)#no shutdown
Dell(conf-if-tu-3)#show config
!
interface Tunnel 3
 ip address 3.1.1.
The following sample configuration shows how to use the tunnel interface configuration commands.

Dell(conf-if-te-0/0)#show config
!
interface TenGigabitEthernet 0/0
 ip address 20.1.1.1/24
 ipv6 address 20:1::1/64
 no shutdown
Dell(conf)#interface tunnel 1
Dell(conf-if-tu-1)#ip unnumbered tengigabitethernet 0/0
Dell(conf-if-tu-1)#ipv6 unnumbered tengigabitethernet 0/0
Dell(conf-if-tu-1)#tunnel source 40.1.1.
Dell(conf-if-tu-1)#no shutdown
Dell(conf-if-tu-1)#show config
!
interface Tunnel 1
 ip address 1.1.1.1/24
 ipv6 address 1abd::1/64
 tunnel source anylocal
 tunnel allow-remote 40.1.1.2
 tunnel mode ipip decapsulate-any
 no shutdown

Multipoint Receive-Only Tunnels
A multipoint receive-only IP tunnel decapsulates packets from remote end-points and never forwards packets on the tunnel.
55 Upgrade Procedures

For detailed upgrade procedures, refer to the Dell Networking OS Release Notes for your switch. The release notes describe the requirements and steps to follow to upgrade to a desired OS version.

Upgrade Overview
To upgrade system software on the switch, follow these general steps:
1. Identify the boot and system images currently stored on the Z9500 (Control Processor, Route Processor, and line-card CPUs) using the show boot system all command.
2.
56 Uplink Failure Detection (UFD)

Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link.
Figure 120. Uplink Failure Detection

How Uplink Failure Detection Works
UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 121. Uplink Failure Detection Example

If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. This number is configurable and is calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
● If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with a UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
4. (Optional) Enable auto-recovery so that UFD-disabled downstream ports in the uplink-state group come up when a disabled upstream port in the group comes back up.
   UPLINK-STATE-GROUP mode
   downstream auto-recover
   By default, auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command.
5. (Optional) Enter a text description of the uplink-state group.
Uplink State Group: 16 Status: Disabled, Up

Dell# show uplink-state-group 16
Uplink State Group: 16 Status: Disabled, Up

Dell#show uplink-state-group detail
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled
Uplink State Group : 1 Status: Enabled, Up
Upstream Interfaces :
Downstream Interfaces :
Uplink State Group : 3 Status: Enabled, Up
Upstream Interfaces : Te 0/46(Up) Te 0/47(Up)
Downstream Interfaces : Te 1/0(Up) Te 1/1(Up) Te 1/3(Up) Te 1/5(Up) Te 1/6(Up)
Uplink State Group : 5 Status
 upstream TengigabitEthernet 0/48, 52
 upstream PortChannel 1
!
uplink state track 2
 downstream TengigabitEthernet 0/1, 3, 5, 7-10
 upstream TengigabitEthernet 0/56, 60

Dell(conf-uplink-state-group-16)# show configuration
!
uplink-state-group 16
 no enable
 description test
 downstream disable links all
 downstream TengigabitEthernet 0/40
 upstream TengigabitEthernet 0/41
 upstream Port-channel 8

Sample Configuration: Uplink Failure Detection
The following example shows a sample configuration of UFD on a switch/rou
Uplink State Group: 3 Status: Enabled, Up

Dell# show uplink-state-group detail
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled
Uplink State Group : 3 Status: Enabled, Up
Upstream Interfaces : Te 0/3(Up) Te 0/4(Dwn)
Downstream Interfaces : Te 0/1(Dis) Te 0/2(Dwn) Te 0/5(Dwn) Te 0/9(Dwn) Te 0/11(Dwn) Te 0/12(Dwn)
57 Virtual LANs (VLANs)

Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN. ● Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN.
The tag header contains some key information that the system uses: ● The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes). ● Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved. NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes as specified in the IEEE 802.3 standard.
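An added example (not from the Dell guide) that parses and builds 802.1Q-tagged Ethernet frames using the tag header layout just described, and shows the 4-byte growth the note refers to. The Frame dataclass, the helper names and the sample MAC addresses are mine; frame lengths are counted without the 4-byte FCS.

```python
"""Added example (not from the Dell guide): parse and build IEEE 802.1Q
tagged Ethernet frames using the tag header layout described above.

Tag header (4 bytes, inserted between the source MAC and the EtherType):
  TPID  2 bytes  0x8100 marks the frame as 802.1Q tagged
  TCI   2 bytes  PCP (3 bits) | DEI/CFI (1 bit) | VLAN ID (12 bits)
Of the 4096 VLAN ID values, 0 (priority-tagged, no VLAN) and 4095 are
reserved. Lengths below exclude the 4-byte FCS, so a maximum-size
untagged frame is 1514 bytes here and the same frame tagged is 1518.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100
MAX_VID = 4094          # 4095 is reserved and must never appear on the wire


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    ethertype: int                  # inner EtherType (after the tag, if any)
    payload: bytes
    vlan_id: Optional[int] = None   # None = untagged; 0 = priority-tagged
    pcp: int = 0
    dei: int = 0

    @property
    def tagged(self) -> bool:
        return self.vlan_id is not None


def parse_frame(raw: bytes) -> Frame:
    """Decode an Ethernet frame, extracting the 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("802.1Q TPID present but tag header is truncated")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    vid = tci & 0x0FFF
    if vid > MAX_VID:
        raise ValueError(f"reserved VLAN ID {vid} in 802.1Q tag")
    return Frame(dst, src, inner_type, raw[18:],
                 vlan_id=vid, pcp=tci >> 13, dei=(tci >> 12) & 1)


def build_frame(frame: Frame) -> bytes:
    """Serialise a Frame; inserts the 4-byte tag when vlan_id is set."""
    if len(frame.dst) != 6 or len(frame.src) != 6:
        raise ValueError("MAC addresses must be exactly 6 bytes")
    out = frame.dst + frame.src
    if frame.tagged:
        if not 0 <= frame.vlan_id <= MAX_VID or not 0 <= frame.pcp <= 7:
            raise ValueError("VLAN ID must be 0..4094 and PCP 0..7")
        tci = (frame.pcp << 13) | ((frame.dei & 1) << 12) | frame.vlan_id
        out += struct.pack("!HH", TPID_8021Q, tci)
    return out + struct.pack("!H", frame.ethertype) + frame.payload


def ingress_vlan(raw: bytes, port_untagged_vlan: int) -> int:
    """VLAN a switch port assigns to an incoming frame: the tag's VLAN ID
    when the frame carries one, otherwise the port's untagged VLAN (the
    Default VLAN for an interface that has not been moved elsewhere)."""
    frame = parse_frame(raw)
    if frame.tagged and frame.vlan_id != 0:
        return frame.vlan_id
    return port_untagged_vlan


if __name__ == "__main__":
    # Constructed sample addresses and a maximum-size 1500-byte payload.
    dst, src = bytes.fromhex("0001e80695ac"), bytes.fromhex("0001e8000001")
    untagged = build_frame(Frame(dst, src, 0x0800, bytes(1500)))
    tagged = build_frame(Frame(dst, src, 0x0800, bytes(1500), vlan_id=10, pcp=5))
    print(len(untagged), len(tagged))        # the tag adds exactly 4 bytes
    print(parse_frame(tagged).vlan_id, ingress_vlan(untagged, 1))
```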
Assigning Interfaces to a VLAN You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command. You can further designate these Layer 2 interfaces as tagged or untagged. For more information, refer to the Interfaces chapter and Configuring Layer 2 (Data Link) Mode.
4    Active        T Po1(Te 0/0-1)
Dell#

When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN. If the tagged interface is removed from the only VLAN to which it belongs, the interface is placed in the Default VLAN as an untagged interface.

Moving Untagged Interfaces
To move untagged interfaces from the Default VLAN to another VLAN, use the following commands.
1.
Assigning an IP Address to a VLAN VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces. The shutdown command in INTERFACE mode does not affect Layer 2 traffic on the interface; the shutdown command only prevents Layer 3 traffic from traversing over the interface. NOTE: You cannot assign an IP address to the Default VLAN (VLAN 1).
Enabling Null VLAN as the Default VLAN In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured. This presents a vulnerability because both interfaces are initially placed in the native VLAN, VLAN 1, and for that period customers are able to access each other's networks.
58 Virtual Routing and Forwarding (VRF)

Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time.
Figure 123. VRF Network Example
VRF Configuration Notes
Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
Table 69. Feature/Capability Support Status for Default VRF and Non-default VRF
Feature/Capability                                           Default VRF   Non-default VRF
Configuration rollback for commands introduced or modified   Yes           No
LLDP protocol on the port                                    Yes           No
802. Basic                                                   Yes           No
OSPFv3                                                       Yes           Yes
IS-IS                                                        Yes           Yes
BGP                                                          Yes           Yes
ACL                                                          Yes           No
Multicast                                                    Yes           No
NDP                                                          Yes           Yes
RAD                                                          Yes           Yes
Ingress/Egress Storm-Control (per-interface/global)          Yes           No
DHCP: DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance.
VRF Configuration
The VRF configuration tasks are:
1.
Assigning an Interface to a VRF You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface. NOTE: You can configure an IP address or subnet on a physical or VLAN interface that overlaps the same IP address or subnet configured on another interface only if the interfaces are assigned to different VRFs. If two interfaces are assigned to the same VRF, you cannot configure overlapping IP subnets or the same IP address on them.
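Both rules in this note (ip vrf forwarding before the address, and overlapping subnets only across different VRFs) are checkable offline. The following Python script is an added example for this page, not code from the Dell guide; its configuration text is constructed to resemble the Router 1 example later in this chapter, and it assumes addresses are written in prefix form (a.b.c.d/n). It reports an interface whose address precedes its VRF assignment and any pair of interfaces in the same VRF whose subnets overlap, while leaving identical addresses in different VRFs alone.

```python
import ipaddress
import re
from itertools import combinations
from typing import Dict, List, Optional

# Constructed configuration (not from the guide). Te 1/2 repeats Te 1/1's address in
# another VRF (allowed); Vlan 128 overlaps Te 1/1 inside VRF blue (not allowed);
# Vlan 192 sets its address before 'ip vrf forwarding' (wrong order).
SAMPLE_CONFIG = """\
interface TenGigabitEthernet 1/1
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet 1/2
 ip vrf forwarding orange
 ip address 10.0.0.1/24
 no shutdown
!
interface Vlan 128
 ip vrf forwarding blue
 ip address 10.0.0.129/25
 no shutdown
!
interface Vlan 192
 ip address 2.0.0.1/24
 ip vrf forwarding orange
 no shutdown
!
"""


def parse_interfaces(config: str) -> List[Dict]:
    """One record per interface block: name, VRF ('default' when no
    'ip vrf forwarding' is present), ip_interface, and whether the address
    was configured before the VRF assignment."""
    records: List[Dict] = []
    cur: Optional[Dict] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            cur = None
            continue
        m = re.match(r"interface\s+(.+)$", line)
        if m:
            cur = {"name": m.group(1), "vrf": "default", "address": None, "addr_before_vrf": False}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"ip vrf forwarding\s+(\S+)$", line)
        if m:
            cur["vrf"] = m.group(1)
            cur["addr_before_vrf"] = cur["address"] is not None
            continue
        m = re.match(r"ip address\s+(\S+)$", line)
        if m:
            cur["address"] = ipaddress.ip_interface(m.group(1))
    return records


def find_problems(config: str) -> List[str]:
    """Apply the two rules: VRF assignment precedes addressing, and subnets
    may overlap only when the interfaces sit in different VRFs."""
    ifaces = parse_interfaces(config)
    problems: List[str] = []
    for i in ifaces:
        if i["addr_before_vrf"]:
            problems.append(f"{i['name']}: ip address configured before ip vrf forwarding {i['vrf']}")
    addressed = [i for i in ifaces if i["address"] is not None]
    for a, b in combinations(addressed, 2):
        if a["vrf"] == b["vrf"] and a["address"].network.overlaps(b["address"].network):
            problems.append(
                f"{a['name']} ({a['address']}) and {b['name']} ({b['address']}) overlap in VRF {a['vrf']}"
            )
    return problems


if __name__ == "__main__":
    for p in find_problems(SAMPLE_CONFIG):
        print("PROBLEM:", p)
```

On the constructed input the script reports two problems: the ordering error on Vlan 192 and the 10.0.0.0/24 versus 10.0.0.128/25 overlap between TenGigabitEthernet 1/1 and Vlan 128 in VRF blue. The duplicate 10.0.0.1/24 on TenGigabitEthernet 1/2 is not reported because that interface is in VRF orange.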
Assign an OSPF process to a VRF instance. Return to CONFIGURATION mode to enable the OSPF process. The OSPF Process ID is the identifying number assigned to the OSPF process, and the Router ID is the IP address associated with the OSPF process.
Task | Command Syntax | Command Mode
Enable the OSPFv2 process globally for a VRF instance. Enter the VRF keyword and instance name to tie the OSPF instance to the VRF. All network commands under this OSPF instance are subsequently tied to the VRF instance.
Configuring Management VRF
You can assign a management interface to a management VRF.
Task                                            Command Syntax        Command Mode
Create a management VRF.                        ip vrf management     CONFIGURATION
Assign a management port to a management VRF.   interface management  VRF MODE
Configuring a Static Route
To configure a static route, perform the following steps:
Task                                            Command Syntax        Command Mode
Configure a static route that points to a management interface.
Figure 124.
Figure 125. Setup VRF Interfaces
The following example relates to the configuration shown in Figure 1 and Figure 2.
Router 1
ip vrf blue 1
!
ip vrf orange 2
!
ip vrf green 3
!
interface TenGigabitEthernet
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding orange
 ip address 20.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding green
 ip address 30.0.0.
 ip vrf forwarding blue
 ip address 1.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.1
 network 1.0.0.0/24 area 0
 network 10.0.0.0/24 area 0
!
router ospf 2 vrf orange
 router-id 2.0.0.1
 network 2.0.0.0/24 area 0
 network 20.0.0.
 ip address 3.0.0.2/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.2
 network 11.0.0.0/24 area 0
 network 1.0.0.0/24 area 0
 passive-interface TenGigabitEthernet 2/1
!
router ospf 2 vrf orange
 router-id 2.0.0.2
 network 21.0.0.0/24 area 0
 network 2.0.0.0/24 area 0
 passive-interface TenGigabitEthernet 2/2
!
ip route vrf green 30.0.0.0/24 3.0.0.
L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route
Gateway of last resort is not set
  Destination        Gateway              Dist/Metric   Change
  -----------        -------              -----------   ------
C 2.0.0.0/24         Direct, Vl 192
C 20.0.0.0/24        Direct, Te 1/2
O 21.0.0.0/24        via 2.0.0.                         00:10:41
  Destination        Gateway              Dist/Metric   Change
  -----------        -------              -----------   ------
C 1.0.0.0/24         Direct, Vl 128                     00:27:21
O 10.0.0.0/24        via 1.0.0.                         00:14:24
C 11.0.0.0/24
ip route vrf VRF1 20.0.0.0/16 140.0.0.2 vrf VRF2
ip route vrf VRF2 40.0.0.0/16 120.0.0.2 vrf VRF1
Dynamic Route Leaking
Route Leaking is a powerful feature that enables communication between isolated (virtual) routing domains by segregating and sharing a set of services such as VOIP, Video, and so on that are available on one routing domain with other virtual domains. Inter-VRF Route Leaking enables a VRF to leak or export routes that are present in its RTM to one or more VRFs.
8. Configure the export target in VRF-blue.
   ip route-export 3:3
9. Configure VRF-green.
   ip vrf vrf-green
   interface tengigabitethernet 1/13
   ip vrf forwarding vrf-green
   ip address x.x.x.x 255.x.x.x
   A non-default VRF named VRF-green is created and the interface 1/13 is assigned to it.
10. Configure the import target in the source VRF VRF-Shared for reverse communication with VRF-red and VRF-blue.
O  33.3.3.3/32      via 133.3.3.3               110/0   00:00:11
C  133.3.3.0/24     Direct, Te 1/13             0/0     22:39:61
Dell# show ip route vrf VRF-Shared
O  11.1.1.1/32      via VRF-Red:111.1.1.1       110/0
C  111.1.1.0/24     Direct, VRF-Red:Te 1/11     0/0
O  22.2.2.2/32      via VRF-Blue:122.2.2.2      110/0
C  122.2.2.0/24     Direct, VRF-Blue:Te 1/22    0/0
O  44.4.4.4/32      via 144.4.4.4               110/0   00:00:11
C  144.4.4.
2. Define a route-map export_ospfbgp_protocol.
   Dell(config)#route-map export_ospfbgp_protocol permit 10
3. Define the matching criteria for the exported routes.
   Dell(config-route-map)#match source-protocol ospf
   Dell(config-route-map)#match source-protocol bgp
   This action specifies that the route-map contains OSPF and BGP as the matching criteria for exporting routes from vrf-red.
4. Configure the export target in the source VRF with route-map export_ospfbgp_protocol.
   ip route-export 1:1 export_ospfbgp_protocol
5.
59 Virtual Link Trunking (VLT)
Virtual link trunking (VLT) allows physical links between two chassis to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR).
The following example shows how VLT is deployed. The switches appear as a single virtual switch from the point of view of the switch or server supporting link aggregation control protocol (LACP).
Figure 126. Example of VLT Deployment
VLT on Core Switches
You can also deploy VLT on core switches. Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing.
Figure 127. Enhanced VLT
VLT Terminology
The following are key VLT terms.
● Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches.
● VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches.
● VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches. Both ends must be on 10G or 40G interfaces.
● Dell Networking strongly recommends that the VLTi (VLT interconnect) be a static LAG and that you disable LACP on the VLTi. ● Ensure that the spanning tree root bridge is at the Aggregation layer. If you enable RSTP on the VLT device, refer to RSTP and VLT for guidelines to avoid traffic loss. ● If you reboot both VLT peers in BMP mode and the VLT LAGs are static, the DHCP server reply to the DHCP discover offer may not be forwarded by the ToR to the correct node.
are mismatch errors, then use the show vlt brief command on each VLT peer to view the VLT version on the peer switch. If the VLT version is more than one release different from the current version in use, the VLTi does not activate. ○ The chassis members in a VLT domain support connection to orphan hosts and switches that are not connected to both switches in the VLT core. ● VLT interconnect (VLTi) ○ The VLT interconnect must consist of either 10G or 40G ports.
○ The discovery protocol running between VLT peers automatically generates the ID number of the port channel that connects an access device and a VLT switch. The discovery protocol uses LACP properties to identify connectivity to a common client device and automatically generates a VLT number for port channels on VLT peers that connects to the device. The discovery protocol requires that an attached device always runs LACP over the port-channel interface.
○ On a link failover, when a VLT port channel fails, the traffic destined for that VLT port channel is redirected to the VLTi to avoid flooding. ○ When a VLT switch determines that a VLT port channel has failed (and that no other local port channels are available), the peer with the failed port channel notifies the remote peer that it no longer has an active port channel for a link.
VLT Bandwidth Monitoring
When bandwidth usage of the VLTi (ICL) exceeds 80%, a syslog error message (shown in the following message) and an SNMP trap are generated.
%STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 )
When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (shown in the following message) and an SNMP trap.
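A single threshold crossing is expected under load; repeated crossings in a short window on the same VLTi are what an operator wants to see on a dashboard, because traffic is being offloaded onto the interconnect (for instance after a VLT port-channel failure, as the troubleshooting table later in this chapter notes). The following Python detector is an added example for this page, not code from the Dell guide or the Dell OS. It matches the %VLTMGR-6-VLT-LAG-ICL message shown above; the timestamp prefix, the repeated occurrences and the five-minute/three-event window are constructed assumptions, and the message for dropping back below the threshold is not modelled because its text is not reproduced here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Message body as quoted above; the groups capture the LAG and the usage figure.
ICL_RE = re.compile(
    r"%VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG "
    r"\((?P<lag>[^)]+)\) crosses threshold\. Bandwidth usage \((?P<usage>\d+)\s*%?\)"
)
# Assumption: the collector prefixes each line with 'YYYY-MM-DD HH:MM:SS '.
STAMP_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

# Constructed log excerpt (timestamps and repetitions invented; message text from the guide).
SAMPLE_LOG = """\
2015-03-01 10:00:00 %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 )
2015-03-01 10:01:30 %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 )
2015-03-01 10:02:45 %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 )
2015-03-01 10:03:00 %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 26) crosses threshold. Bandwidth usage (80 )
2015-03-01 10:03:10 %STKUNIT0-M:CP %EXAMPLE-6-UNRELATED: constructed filler line that must be ignored
"""


def parse_icl_events(log: str) -> List[Tuple[datetime, str, int]]:
    """Extract (timestamp, lag, usage) for every ICL threshold-crossing line."""
    events = []
    for line in log.splitlines():
        ts = STAMP_RE.match(line)
        body = ICL_RE.search(line)
        if ts and body:
            events.append((datetime.strptime(ts.group("ts"), "%Y-%m-%d %H:%M:%S"),
                           body.group("lag"), int(body.group("usage"))))
    return events


def saturated_icls(log: str, window: timedelta = timedelta(minutes=5),
                   min_events: int = 3) -> Dict[str, int]:
    """Return {lag: crossings} for every VLT-ICL-LAG that crossed the threshold
    at least min_events times inside some sliding window of the given length."""
    by_lag: Dict[str, List[datetime]] = defaultdict(list)
    for ts, lag, _usage in parse_icl_events(log):
        by_lag[lag].append(ts)
    flagged: Dict[str, int] = {}
    for lag, stamps in by_lag.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_events:
            flagged[lag] = best
    return flagged


if __name__ == "__main__":
    for lag, n in saturated_icls(SAMPLE_LOG).items():
        print(f"ALERT: {lag} crossed the VLTi bandwidth threshold {n} times within 5 minutes")
```

With the constructed input only portchannel 25 is flagged (three crossings in under three minutes); portchannel 26 crossed once and stays below the alerting count.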
PIM-Sparse Mode Support on VLT The designated router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources. Figure 128.
Each VLT peer runs its own PIM protocol independently of other VLT peers. To ensure the PIM protocol states or multicast routing information base (MRIB) on the VLT peers are synced, if the incoming interface (IIF) and outgoing interface (OIF) are Spanned, the multicast route table is synced between the VLT peers. To verify the PIM neighbors on the VLT VLAN and on the multicast port, use the show ip pim neighbor, show ip igmp snooping mrouter, and show running config commands.
2. Enable peer-routing.
   VLT DOMAIN mode
   peer-routing
3. Configure the peer-routing timeout.
   VLT DOMAIN mode
   peer-routing-timeout value
   value: Specify a value (in seconds) from 1 to 65535.
VLT Multicast Routing
VLT Multicast Routing provides resiliency to multicast routed traffic during the multicast routing protocol convergence period after a VLT link or VLT peer fails, using the least intrusive method (PIM), and does not alter current protocol behavior.
4. Configure a PIM-SM compatible VLT node as a designated router (DR). For more information, refer to Configuring a Designated Router. 5. Configure a PIM-enabled external neighboring router as a rendezvous point (RP). For more information, refer to Configuring a Static Rendezvous Point. 6. Configure the VLT VLAN routing metrics to prefer VLT VLAN interfaces over non-VLT VLAN interfaces. For more information, refer to Classify Traffic. 7.
VLT interconnect. Only the primary VLT switch determines the RSTP roles and states on VLT ports and ensures that the VLT interconnect link is never blocked. In the case of a primary VLT switch failure, the secondary switch starts sending BPDUs with its own bridge ID and inherits all the port states from the last synchronization with the primary switch. An access device never detects the change in primary/secondary roles and does not see it as a topology change.
● 1-Gigabit Ethernet: Enter gigabitethernet slot/port. ● 10-Gigabit Ethernet: Enter tengigabitethernet slot/port. ● 40-Gigabit Ethernet: Enter fortyGigE slot/port. 4. Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown 5. Repeat Steps 1 to 4 on the VLT peer switch to configure the VLT interconnect. Enabling VLT and Creating a VLT Domain To enable VLT and create a VLT domain, use the following steps. 1.
MANAGEMENT INTERFACE mode no shutdown 4. Repeat Steps 1 to 3 on the VLT peer switch. To set an amount of time, in seconds, to delay the system from restoring the VLT port, use the delay-restore command at any time. For more information, refer to VLT Port Delayed Restoration. Configuring a VLT Port Delay Period To configure a VLT port delay period, use the following commands. 1. Enter VLT-domain configuration mode for a specified VLT domain.
Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots. Connecting a VLT Domain to an Attached Access Device (Switch or Server) To connect a VLT domain to an attached access device, use the following commands. On a VLT peer switch: To connect to an attached device, configure the same port channel ID number on each peer switch in the VLT domain. 1.
The range is from 1 to 128. 3. Enter the VLAN ID number of the VLAN where the VLT forwards packets received on the VLTi from an adjacent peer that is down. VLT DOMAIN CONFIGURATION mode peer-down-vlan vlan interface number The range is from 1 to 4094. Configuring Enhanced VLT (eVLT) (Optional) To configure enhanced VLT (eVLT) between two VLT domains on your network, use the following procedure. For a sample configuration, refer to eVLT Configuration Example.
To explicitly configure the default values on each peer switch, use the unit-id command. Configure a different unit ID (0 or 1) on each peer switch. Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots. 8. Configure enhanced VLT. Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
4. Configure the peer-link port-channel in the VLT domains of each peer unit.
   INTERFACE PORT-CHANNEL mode
   channel-member
5. Configure the backup link between the VLT peer units (shown in the following example).
6. Configure the peer 2 management IP/interface IP for which connectivity is present in VLT peer 1.
   EXEC Privilege mode
   show running-config vlt
7. Configure the peer 1 management IP/interface IP for which connectivity is present in VLT peer 1.
 peer-link port-channel 1
 back-up destination 10.11.206.58
Dell-2# show interfaces managementethernet 0/0
Internet address is 10.11.206.43/16
Dell-4#show running-config vlt
!
vlt domain 5
 peer-link port-channel 1
 back-up destination 10.11.206.43
Dell-4#show running-config interface managementethernet 0/0
 ip address 10.11.206.58/16
 no shutdown
Configure the VLT links between VLT peer 1 and VLT peer 2 to the Top of Rack unit.
 no ip address
 switchport
 no shutdown
Dell-1#show interfaces port-channel 100 brief
Codes: L - LACP Port-channel
   LAG  Mode  Status  Uptime    Ports
L  100  L2    up      03:33:48  Te 0/48 (Up)
                                Te 0/50 (Up)
Verify VLT is up. Verify that the VLTi (ICL) link, backup link connectivity (heartbeat status), and VLT peer link (peer chassis) are all up.
Configure PVST+ on VLT Peers to Prevent Forwarding Loops (VLT Peer 1)
Dell_VLTpeer1(conf)#protocol spanning-tree pvst
Dell_VLTpeer1(conf-pvst)#no disable
Dell_VLTpeer1(conf-pvst)#vlan 1000 bridge-priority 0
Configure PVST+ on VLT Peers to Prevent Forwarding Loops (VLT Peer 2)
Dell_VLTpeer2(conf)#protocol spanning-tree pvst
Dell_VLTpeer2(conf-pvst)#no disable
Dell_VLTpeer2(conf-pvst)#vlan 1000 bridge-priority 4096
Configure both ends of the VLT interconnect trunk with identical PVST+ configurations.
Figure 129. eVLT Configuration Example
eVLT Configuration Step Examples
In Domain 1, configure the VLT domain and VLTi on Peer 1.
Domain_1_Peer1#configure
Domain_1_Peer1(conf)#interface port-channel 1
Domain_1_Peer1(conf-if-po-1)# channel-member TenGigabitEthernet 0/8-9
Domain_1_Peer1(conf)#vlt domain 1000
Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1
Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.
Configure eVLT on Peer 2.
Domain_1_Peer2(conf)#interface port-channel 100
Domain_1_Peer2(conf-if-po-100)# switchport
Domain_1_Peer2(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_1_Peer2(conf-if-po-100)# no shutdown
Add links to the eVLT port-channel on Peer 2.
Domain_2_Peer4(conf-if-range-te-0/16-17)# port-channel 100 mode active
Domain_2_Peer4(conf-if-range-te-0/16-17)# no shutdown
PIM-Sparse Mode Configuration Example
The following sample configuration shows how to configure the PIM Sparse mode designated router functionality on the VLT domain with two VLT port-channels that are members of VLAN 4001. For more information, refer to PIM-Sparse Mode Support on VLT.
Example of Configuring PIM-Sparse Mode
Enable PIM Multicast Routing on the VLT node globally.
  EXEC mode
  show vlt detail
● Display the VLT peer status, role of the local VLT switch, VLT system MAC address and system priority, and the MAC address and priority of the locally-attached VLT device.
  EXEC mode
  show vlt role
● Display the current configuration of all VLT domains or a specified group on the switch.
  EXEC mode
  show running-config vlt
● Display statistics on VLT operation.
VLT Peer Status:                Up
Local Unit Id:                  0
Version:                        5(1)
Local System MAC address:       00:01:e8:8a:e9:70
Remote System MAC address:      00:01:e8:8a:e7:e7
Configured System MAC address:  00:0a:0a:01:01:0a
Remote system version:          5(1)
Delay-Restore timer:            90 seconds
Dell_VLTpeer2# show vlt brief
VLT Domain Brief
-----------------
Domain ID:
Role:
Role Priority:
ICL Link Status:
HeartBeat Status:
VLT Peer Status:
Local Unit Id:
Version:
Local System MAC address:
Remote System MAC address:
Configured System MAC address:
Remot
Dell_VLTpeer2# show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.20
The following example shows the show vlt statistics command.
Additional VLT Sample Configurations
To configure VLT, configure a backup link and interconnect trunk, create a VLT domain, and connect the peer switches in a VLT domain to an attached access device (switch or server). Review the following examples of VLT configurations.
Configuring Virtual Link Trunking (VLT Peer 1)
Enable VLT and create a VLT domain with a backup-link and interconnect trunk (VLTi).
Dell_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.23
Dell_VLTpeer2(conf-vlt-domain)#exit
Configure the backup link.
Dell_VLTpeer2(conf)#interface ManagementEthernet 0/0
Dell_VLTpeer2(conf-if-ma-0/0)#ip address 10.11.206.35/
Dell_VLTpeer2(conf-if-ma-0/0)#no shutdown
Dell_VLTpeer2(conf-if-ma-0/0)#exit
Configure the VLT interconnect (VLTi).
Table 70. Troubleshooting VLT
Description          | Behavior at Peer Up | Behavior During Run Time | Action to Take
Bandwidth monitoring | A syslog error message and an SNMP trap is generated when the VLTi bandwidth usage goes above the 80% threshold and when it drops below 80%. | A syslog error message and an SNMP trap is generated when the VLTi bandwidth usage goes above its threshold. | Depending on the traffic that is received, the traffic can be offloaded in VLTi.
Domain ID mismatch   | The VLT peer does not boot up.
Reconfiguring Stacked Switches as VLT To convert switches that have been stacked to VLT peers, use the following procedure. 1. Remove the current configuration from the switches. You will need to split the configuration up for each switch. 2. Copy the files to the flash memory of the appropriate switch. 3. Copy the files on the flash drive to the startup-config. 4. Reset the stacking ports to user ports for both switches. 5. Reload the stack and confirm the new configurations have been applied. 6.
Association of VLTi as a Member of a PVLAN If a VLAN is configured as a non-VLT VLAN on both the peers, the VLTi link is made a member of that VLAN if the VLTi link is configured as a PVLAN or normal VLAN on both the peers. If a PVLAN is configured as a VLT VLAN on one peer and a non-VLT VLAN on another peer, the VLTi is added as a member of that VLAN by verifying the PVLAN parity on both the peers.
● Layer 3 communication between secondary VLANs in a private VLAN is enabled by using the ip local-proxy-arp command in INTERFACE VLAN configuration mode.
● The ARP request is not received on the ICL.
Under such conditions, the IP stack performs the following operations:
● The ARP reply is sent with the MAC address of the primary VLAN.
● The ARP request packet originates on the primary VLAN for the intended destination IP address.
Table 71.
● 40-Gigabit Ethernet: Enter fortyGigE slot/port.
4. Ensure that the port channel is active.
   INTERFACE PORT-CHANNEL mode
   no shutdown
5. To configure the VLT interconnect, repeat Steps 1–4 on the VLT peer switch.
6. Enter VLT-domain configuration mode for a specified VLT domain.
   CONFIGURATION mode
   vlt domain domain-id
   The range of domain IDs is from 1 to 1000.
7. Enter the port-channel number that acts as the interconnect trunk.
private-vlan mapping secondary-vlan vlan-list
The list of secondary VLANs can be:
● Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
● Specified with this command even before they have been created.
● Amended by specifying the new secondary VLAN to be added to the list.
Proxy ARP Capability on VLT Peer Nodes
The proxy ARP functionality is supported on VLT peer nodes. A proxy ARP-enabled device answers the ARP requests that are destined for another host or router.
Proxy ARP is enabled only if peer routing is enabled on both the VLT peers. If you disable peer routing by using the no peer-routing command in VLT DOMAIN mode, a notification is sent to the VLT peer to disable the proxy ARP. If peer routing is disabled while the ICL link is down, no notification is sent to the VLT peer; in that case, the VLT peer does not disable the proxy ARP operation.
   INTERFACE VLAN mode
   member port-channel port-channel-id
4. Verify the VLAN-stack configurations.
   EXEC Privilege
   show running-config
Sample configuration of VLAN-stack over VLT (Peer 1)
Configure VLT domain
Dell(conf)#vlt domain 1
Dell(conf-vlt-domain)#peer-link port-channel 1
Dell(conf-vlt-domain)#back-up destination 10.16.151.
Dell#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdown
Dell#
Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN
Dell#show vlan id 50
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
       O - Openflow
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   o - OpenFlow untagged, O - OpenFlow tagged
   G - GVRP tagged, M - Vlan-stack
   i - Inte
!
interface Port-channel 20
 no ip address
 switchport
 vlan-stack trunk
 vlt-peer-lag port-channel 20
 no shutdown
Dell#
Configure the VLAN as VLAN-Stack VLAN and add the VLT LAG as members to the VLAN
Dell(conf)#interface vlan 50
Dell(conf-if-vl-50)#vlan-stack compatible
Dell(conf-if-vl-50-stack)#member port-channel 10
Dell(conf-if-vl-50-stack)#member port-channel 20
Dell(conf-if-vl-50-stack)#
Dell#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdow
60 VLT Proxy Gateway
You can configure a proxy gateway in VLT domains. A proxy gateway enables you to locally route the packets that are destined to a L3 endpoint in another VLT domain.
Topics:
• Proxy Gateway in VLT Domains
• Configuring an LLDP VLT Proxy Gateway
Proxy Gateway in VLT Domains
Using a proxy gateway, the VLT peers in a domain can route the L3 packets destined for VLT peers in another domain as long as they have L3 reachability of these IP destinations.
When the routing table across DCs is not symmetrical, there is a possibility of a routing miss by a DC that does not have the route for the L3 traffic. Because routing protocols are enabled and both DCs are in the same subnet, route asymmetry does not arise dynamically. But if a static route is configured on one DC and not on the other, the result is asymmetry. Proxy routing can still be achieved locally by configuring a static route or default gateway.
● There are only a couple of MACs for each unit to be transmitted, so all currently active MACs can be carried on the newly defined TLV.
● This TLV is recognizable only by FTOS devices with support for this feature. Other devices ignore this field and should still be able to process the other standard TLVs.
The LLDP organizational TLV passes local DA information to peer VLT domain devices so they can act as a proxy gateway.
2. Trace route across VLT domains may show extra hops.
3. IP route symmetry must be maintained across the VLT domains. Assume the route to a destination is not available at C2: although the packet hits the MY_STATION_TCAM and routing is enabled for that VLAN, if there is no entry for that prefix in the routing table the packet is dropped to the CPU. By default, all route-miss packets are given to the CPU. To avoid this, configure a static entry.
4.
1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
   CONFIGURATION mode
   Dell(conf)#vlt domain domain-id
2. Configure the LLDP proxy gateway.
   VLT DOMAIN mode
   Dell(conf-vlt-domain)#proxy-gateway lldp
3. You can configure the port channel interface for an LLDP proxy gateway and exclude a VLAN or a range of VLANs from proxy routing. This parameter is for an LLDP proxy gateway configuration.
61 Virtual Router Redundancy Protocol (VRRP)
Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network.
Topics:
• VRRP Overview
• VRRP Benefits
• VRRP Implementation
• VRRP Configuration
• Sample Configurations
VRRP Overview
VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 130. Basic VRRP Configuration
VRRP Benefits
With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables.
VRRP Implementation
Within a single VRRP group, up to 12 virtual IP addresses are supported.
Table 72. Recommended VRRP Advertise Intervals on the Z9500
Total VRRP Groups        Recommended Advertise Interval   Groups/Interface
Less than 250            1 second                         12
Between 250 and 450      2–3 seconds                      24
Between 450 and 600      3–4 seconds                      36
Between 600 and 800      4 seconds                        48
Between 800 and 1000     5 seconds                        84
Between 1000 and 1200    7 seconds                        100
Between 1200 and 1500    8 seconds                        120
VRRP Configuration
By default, VRRP is not configured.
The following example shows configuring a VRRP configuration.
Dell(conf)#int te 1/1
Dell(conf-if-te-1/1)#vrrp-group 111
Dell(conf-if-te-1/1-vrid-111)#
The following example shows verifying a VRRP configuration.
Dell(conf-if-te-1/1)#show conf
!
interface TenGigabitEthernet 1/1
 ip address 10.10.10.
3. Set the backup switches to version 3.
   Dell_backup_switch1(conf-if-te-0/1-vrid-100)#version 3
   Dell_backup_switch2(conf-if-te-0/2-vrid-100)#version 3
Assign Virtual IP addresses
Virtual routers contain virtual IP addresses configured for that VRRP group (VRID). A VRRP group does not transmit VRRP packets until you assign the Virtual IP address to the VRRP group. For more information, refer to VRRP Implementation.
  priority 255
  virtual-address 10.10.10.1
  virtual-address 10.10.10.2
  virtual-address 10.10.10.3
 !
 vrrp-group 222
 no shutdown
Dell(conf-if-te-1/1)#
The following example shows the same VRRP group (VRID 111) configured on multiple interfaces on different subnets.
Dell#show vrrp
-----------------
TenGigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.
00:00:5e:00:01:6f
Virtual IP address:
 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
-----------------
TenGigabitEthernet 1/2, VRID: 111, Net: 10.10.2.1
State: Master, Priority: 125, Master: 10.10.2.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 601, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address:
 10.10.2.2 10.10.2.
● Prevent any BACKUP router with a higher priority from becoming the MASTER router.
  INTERFACE-VRID mode
  no preempt
Re-enable preempt by entering the preempt command. When you enable preempt, it does not display in the show commands, because it is a default setting. To disable preempt, use the no preempt command.
Dell(conf-if-te-1/1)#vrrp-group 111
Dell(conf-if-te-1/1-vrid-111)#no preempt
Dell(conf-if-te-1/1-vrid-111)#
To verify the preempt status, use the show config command.
The following example shows the advertise-interval command configured in seconds.
Dell(conf-if-te-1/1)#vrrp-group 111
Dell(conf-if-te-1/1-vrid-111)#advertise-interval 10
Dell(conf-if-te-1/1-vrid-111)#
The following example shows the advertise-interval command configured in 1000 centisecs.
Tracking an Interface
To track an interface, use the following commands.
NOTE: The sum of all the costs for all tracked interfaces must be less than the configured priority of the VRRP group.
● Monitor an interface and, optionally, set a value to be subtracted from the interface's VRRP group priority.
  INTERFACE-VRID mode
  track interface [priority-cost cost]
  The cost range is from 1 to 254. The default is 10.
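Three facts from this chapter lend themselves to an automated check: the virtual MAC in the show vrrp output above is derived from the VRID (00:00:5e:00:01:6f for VRID 111, and 00:00:5e:00:02:0a for the IPv6 VRID 10 shown later), Table 72 ties the advertise interval to the total number of VRRP groups, and the note just above requires the tracked-interface costs to sum to less than the group priority. The following Python script is an added example written for this page, not code from the Dell guide. It encodes those three rules and audits a show vrrp capture; the first block of the capture is the output quoted above, the second block is constructed with a wrong virtual MAC and a non-zero bad-packet counter so that the checks have something to report, and treating Table 72's band boundaries as inclusive is an assumption.

```python
import re
from typing import List, Tuple


def vrrp_virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """Virtual MAC a VRRP group advertises: 00:00:5e:00:01:<VRID> for IPv4 and
    00:00:5e:00:02:<VRID> for IPv6 (VRRPv3), as in the show vrrp output above."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5e:00:{'02' if ipv6 else '01'}:{vrid:02x}"


# Table 72 rows: (upper bound on total VRRP groups, interval in seconds as (min, max), groups per interface)
ADVERTISE_TABLE = [
    (250, (1, 1), 12),
    (450, (2, 3), 24),
    (600, (3, 4), 36),
    (800, (4, 4), 48),
    (1000, (5, 5), 84),
    (1200, (7, 7), 100),
    (1500, (8, 8), 120),
]


def recommended_advertise(total_groups: int) -> Tuple[Tuple[int, int], int]:
    """Look up Table 72. 'Less than 250' is exclusive; the other bands are treated
    as inclusive of their upper bound (assumption: the table does not say)."""
    upper, interval, per_if = ADVERTISE_TABLE[0]
    if total_groups < upper:
        return interval, per_if
    for upper, interval, per_if in ADVERTISE_TABLE[1:]:
        if total_groups <= upper:
            return interval, per_if
    raise ValueError("Table 72 gives no recommendation above 1500 groups")


def tracking_ok(priority: int, costs: List[int]) -> bool:
    """The sum of all tracked-interface costs must stay below the group priority."""
    return sum(costs) < priority


# First block: the show vrrp output quoted in this chapter. Second block: constructed,
# with a virtual MAC that does not match VRID 111 and a non-zero bad-packet count.
SHOW_VRRP = """\
-----------------
TenGigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 601, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3
Authentication: (none)
-----------------
TenGigabitEthernet 1/2, VRID: 111, Net: 10.10.2.1
State: Master, Priority: 125, Master: 10.10.2.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 7, Adv sent: 601, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:70
Virtual IP address: 10.10.2.2
Authentication: (none)
"""

HEADER_RE = re.compile(r"^(?P<iface>\S+ \S+), (?P<v6>IPv6 )?VRID: (?P<vrid>\d+)")


def audit_show_vrrp(text: str) -> List[str]:
    """Walk show vrrp blocks and report groups whose virtual MAC does not match
    their VRID, or that have counted bad (malformed/unexpected) VRRP packets."""
    findings: List[str] = []
    for block in text.split("-----------------"):
        head = HEADER_RE.search(block.strip())
        if not head:
            continue
        iface, vrid = head.group("iface"), int(head.group("vrid"))
        expected = vrrp_virtual_mac(vrid, ipv6=bool(head.group("v6")))
        mac = re.search(r"Virtual MAC address: (\S+)", block)
        bad = re.search(r"Bad pkts rcvd: (\d+)", block)
        if mac and mac.group(1).lower() != expected:
            findings.append(f"{iface} VRID {vrid}: virtual MAC {mac.group(1)} != expected {expected}")
        if bad and int(bad.group(1)) > 0:
            findings.append(f"{iface} VRID {vrid}: {bad.group(1)} bad VRRP packets received")
    return findings


if __name__ == "__main__":
    for f in audit_show_vrrp(SHOW_VRRP):
        print("FINDING:", f)
```

A mismatched virtual MAC or a climbing bad-packet counter is worth a look on any segment where another device could be speaking VRRP for the same VRID; the advertise-interval helper lets a config generator pick the Table 72 value from the group count instead of leaving the 1-second default on a large deployment.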
Tracked by: VRRP TenGigabitEthernet 2/30 IPv6 VRID 1 The following example shows verifying the VRRP status.
This time is the gap between system boot up completion and VRRP enabling. The seconds range is from 0 to 900. The default is 0. Sample Configurations Before you set up VRRP, review the following sample configurations. VRRP for an IPv4 Configuration The following configuration shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI.
Example of Configuring VRRP for IPv4
Router 2
R2(conf)#int te 2/31
R2(conf-if-te-2/31)#ip address 10.1.1.1/24
R2(conf-if-te-2/31)#vrrp-group 99
R2(conf-if-te-2/31-vrid-99)#priority 200
R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-te-2/31-vrid-99)#no shut
R2(conf-if-te-2/31)#show conf
!
interface TenGigabitEthernet 2/31
 ip address 10.1.1.1/24
 !
 vrrp-group 99
  priority 200
  virtual-address 10.1.1.
Figure 132. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. Example of Configuring VRRP for IPv6 Router 2 and Router 3 Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
 vrrp-group 10
  priority 100
  virtual-address fe80::10
  virtual-address 1::10
 no shutdown
R2(conf-if-te-0/0)#end
R2#show vrrp
-----------------
TenGigabitEthernet 0/0, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f
VRF: 0 default-vrf
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP a
groups on each VRF instance in order that there is one MASTER and one backup router for each VRF. In VRF-1 and VRF-2, Switch-2 serves as owner-master of the VRRP group and Switch-1 serves as the backup. On VRF-3, Switch-1 is the owner-master and Switch-2 is the backup. In VRF-1 and VRF-2 on Switch-2, the virtual IP and node IP address, subnet, and VRRP group are the same.
S1(conf-if-te-12/2)#no shutdown
!
S1(conf)#interface TenGigabitEthernet 2/3
S1(conf-if-te-2/3)#ip vrf forwarding VRF-3
S1(conf-if-te-2/3)#ip address 20.1.1.5/24
S1(conf-if-te-2/3)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S1(conf-if-te-2/3-vrid-105)#priority 255
S1(conf-if-te-2/3-vrid-105)#virtual-address 20.1.1.
!
S1(conf)#interface TenGigabitEthernet 2/4
S1(conf-if-te-2/4)#no ip address
S1(conf-if-te-2/4)#switchport
S1(conf-if-te-2/4)#no shutdown
!
S1(conf-if-te-2/4)#interface vlan 100
S1(conf-if-vl-100)#ip vrf forwarding VRF-1
S1(conf-if-vl-100)#ip address 10.10.1.5/24
S1(conf-if-vl-100)#tagged tengigabitethernet 12/4
S1(conf-if-vl-100)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S1(conf-if-vl-100-vrid-101)#priority 100
S1(conf-if-vl-100-vrid-101)#virtual-address 10.10.1.
S2(conf-if-vl-300)#ip address 20.1.1.6/24
S2(conf-if-vl-300)#tagged tengigabitethernet 12/4
S2(conf-if-vl-300)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S2(conf-if-vl-300-vrid-101)#priority 100
S2(conf-if-vl-300-vrid-101)#virtual-address 20.1.1.5
S2(conf-if-vl-300)#no shutdown

Displaying VRRP in a VRF Configuration

To display information on a VRRP group that is configured on an interface that belongs to a VRF instance, use the following commands.
62 Standards Compliance

This chapter describes standards compliance for Dell Networking products.

NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance

The system supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of the Dell Networking OS first supports the standard.

General Internet Protocols

The following table lists the Dell Networking OS support per platform for general internet protocols.

Table 73.
Border Gateway Protocol (BGP)

The following table lists the Dell Networking OS support per platform for BGP protocols.

Table 74. Border Gateway Protocol (BGP)

RFC# | Full Name | S-Series/Z-Series
1997 | BGP Communities Attribute | 7.8.1
2385 | Protection of BGP Sessions via the TCP MD5 Signature Option | 7.8.1
2439 | BGP Route Flap Damping | 7.8.1
2545 | Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing |
2796 | BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP) | 7.8.
Table 75. General IPv4 Protocols (continued)

RFC# | Full Name | S-Series/Z-Series | C-Series | E-Series TeraScale | E-Series ExaScale
1191 | Path MTU Discovery | 7.6.1 | 7.5.1 | √ | 8.1.1
1305 | Network Time Protocol (Version 3) Specification, Implementation and Analysis | 7.6.1 | 7.5.1 | √ | 8.1.1
1519 | Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy | 7.6.1 | 7.5.1 | √ | 8.1.1
1542 | Clarifications and Extensions for the Bootstrap Protocol | 7.6.1 | 7.5.1 | √ | 8.1.
Table 76. General IPv6 Protocols (continued)

RFC# | Full Name | S-Series/Z-Series | C-Series | E-Series TeraScale | E-Series ExaScale
2464 | Transmission of IPv6 Packets over Ethernet Networks | 7.8.1 | 7.8.1 | √ | 8.2.1
2675 | IPv6 Jumbograms | 7.8.1 | 7.8.1 | √ | 8.2.1
2711 | IPv6 Router Alert Option | 8.3.12.0 | | |
3587 | IPv6 Global Unicast Address Format | 7.8.1 | 7.8.1 | √ | 8.2.1
4007 | IPv6 Scoped Address Architecture | 8.3.12.0 | | |
4291 | Internet Protocol Version 6 (IPv6) Addressing Architecture | 7.8.1 | 7.8.1 | √ | 8.2.
Table 77. Intermediate System to Intermediate System (IS-IS) (continued)

RFC# | Full Name | S-Series | C-Series | E-Series TeraScale | E-Series ExaScale
3567 | IS-IS Cryptographic Authentication | | | √ | 8.1.1
3784 | Intermediate System to Intermediate System (IS-IS) Extensions in Support of Generalized Multi-Protocol Label Switching (GMPLS) | | | √ | 8.1.1
5120 | MT-ISIS: Multi Topology (MT) Routing in Intermediate System to Intermediate Systems (IS-ISs) | 7.8.1 | | | 8.2.1
5306 | Restart Signaling for ISIS | 8.3.1 | | | 8.3.
Table 78. Network Management (continued)

RFC# | Full Name | S4810
1901 | Introduction to Community-based SNMPv2 | 7.6.1
2011 | SNMPv2 Management Information Base for the Internet Protocol using SMIv2 | 7.6.1
2012 | SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2 | 7.6.1
2013 | SNMPv2 Management Information Base for the User Datagram Protocol using SMIv2 | 7.6.1
2024 | Definitions of Managed Objects for Data Link Switching using SMIv2 | 7.6.1
2096 | IP Forwarding Table MIB | 7.6.
Table 78. Network Management (continued)

RFC# | Full Name | S4810 | S4820T | Z-Series
2618 | RADIUS Authentication Client MIB, except the following four counters: radiusAuthClientInvalidServerAddresses, radiusAuthClientMalformedAccessResponses, radiusAuthClientUnknownTypes, radiusAuthClientPacketsDropped | 7.6.1 | 9.5.(0.0) | 9.5.(0.0)
2698 | A Two Rate Three Color Marker | 9.5.(0.0) | |
3635 | Definitions of Managed Objects for the Ethernet-like Interface Types | | |
2674 | Definitions of Managed Objects | 7.6.
Table 78. Network Management (continued)

RFC# | Full Name | S4810 | S4820T | Z-Series
3815 | Definitions of Managed Objects for the Multiprotocol Label Switching (MPLS), Label Distribution Protocol (LDP) | | |
4001 | Textual Conventions for Internet Network Addresses | 8.3.12 | |
4292 | IP Forwarding Table MIB | 9.5.(0.0) | 9.5.(0.0) | 9.5.(0.0)
4750 | OSPF Version 2 Management Information Base | 9.5.(0.0) | 9.5.(0.0) | 9.5.(0.0)
5060 | Protocol Independent Multicast MIB | 7.8.
Table 78. Network Management (continued)

RFC# | Full Name | S4810 | S4820T | Z-Series
| DOT1 MIB and LLDP DOT3 MIB) | 9.2.(0.0) | 9.2.(0.0) |
ruzin-mstp-mib-02 (Traps) | Definitions of Managed Objects for Bridges with Multiple Spanning Tree Protocol | 7.6.1 | |
sFlow.org | sFlow Version 5 | 7.7.1 | |
sFlow.org | sFlow Version 5 MIB | 7.7.1 | |
FORCE10-BGP4-V2MIB | Force10 BGP MIB (draft-ietf-idr-bgp4-mibv2-05) | 7.8.1 | |
f10-bmp-mib | Force10 Bare Metal Provisioning | 9.2(0.
Multicast

The following table lists the Dell Networking OS support per platform for Multicast protocol.

Table 79. Multicast

RFC# | Full Name | S-Series | C-Series | E-Series TeraScale | E-Series ExaScale
1112 | Host Extensions for IP Multicasting | 7.8.1 | 7.7.1 | √ | 8.1.1
2236 | Internet Group Management Protocol, Version 2 | 7.8.1 | 7.7.1 | √ | 8.1.1
2710 | Multicast Listener Discovery (MLD) for IPv6 | | | √ | 8.2.1
3376 | Internet Group Management Protocol, Version 3 | 7.8.1 | | √ | 8.1.
Table 80. Open Shortest Path First (OSPF) (continued)

RFC# | Full Name | S-Series/Z-Series
2328 | OSPF Version 2 | 7.6.1
2370 | The OSPF Opaque LSA Option | 7.6.1
2740 | OSPF for IPv6 | 9.1(0.0)
3623 | Graceful OSPF Restart | 7.8.1
4222 | Prioritized Treatment of Specific OSPF Version 2 Packets and Congestion Avoidance | 7.6.1

Routing Information Protocol (RIP)

The following table lists the Dell Networking OS support per platform for RIP protocol.

Table 81.