Dell Networking Configuration Guide for the C9010 Series Version 9.11(2.
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2016 Dell Inc. or its subsidiaries. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents
1 About this Guide
Audience
Conventions
Creating a Custom Privilege Level
Removing a Command from EXEC Mode
Moving a Command from EXEC Privilege Mode to EXEC Mode
Allowing Access to CONFIGURATION Mode Commands
Ignoring the Startup Configuration and Booting from the Factory-Default Configuration
Recovering from a Failed Start
Restoring Factory-Default Settings
Important Point to Remember
User-Configurable CAM Allocation
Allocating CAM for Ingress ACLs on the Port Extender
Allocating CAM for Egress ACLs on the Port Extender
Implementing ACLs
Configure BFD
Configure BFD for Physical Ports
Configure BFD for Static Routes
Redistributing Routes
Enabling Additional Paths
Configuring IP Community Lists
Queue-based Control Plane Policing
CoPP Example
Configure Control Plane Policing
Configuration Source Election
Propagation of DCB Information
Auto-Detection and Manual Configuration of the DCBx Version
Behavior of Tagged Packets
13 Dynamic Host Configuration Protocol (DHCP)
DHCP Packet Format and Options
Assign an IP Address using DHCP
Implementation Information
Ensure Robustness in a Converged Ethernet Network
FIP Snooping on Ethernet Bridges
FIP Snooping in a Switch Stack
Using FIP Snooping
Configuring the Control VLAN
Configuring and Adding the Member VLANs
Setting the FRRP Timers
Clearing the FRRP Counters
IGMP Implementation Information
IGMP Protocol Overview
IGMP Version 2
Null Interfaces
Port Channel Interfaces
Port Channel Definition and Standards
Configuring the Traffic Sampling Size Globally
Dynamic Counters
Clearing Interface Counters
IPv6 Neighbor Discovery
IPv6 Neighbor Discovery of MTU Packets
Configuring the IPv6 Recursive DNS Server
Secure Shell (SSH) Over an IPv6 Transport
27 iSCSI Optimization
iSCSI Optimization Overview
Default iSCSI Optimization Values
Disabling MAC Address Learning on the System
NIC Teaming
Configure Redundant Pairs
Enabling the Rejected Source-Active Cache
Accept Source-Active Messages that Fail the RFP Check
Specifying Source-Active Messages
Limiting the Source-Active Messages from a Peer
Printing Multicast Traceroute (mtrace) Paths
Supported Error Codes
mtrace Scenarios
Assigning Area ID on an Interface
Assigning OSPFv3 Process ID and Router ID Globally
Assigning OSPFv3 Process ID and Router ID to a VRF
Configuring the Cost of OSPFv3 Routes
Related Configuration Tasks
Enabling PIM-SSM
Use PIM-SSM with IGMP Version 2 Hosts
Stack Management Roles
Stack Master Election
Important Points to Remember
Advertising Extended Power Through dot3-TLVs
Detecting Legacy Devices and Allocating Power
Deploying Voice Over IP (VoIP)
Displaying Default and Configured WRED Profiles
Displaying WRED Drop Statistics
Displaying egress-queue Statistics
Explicit Congestion Notification
Configuring Fast Hellos for Link State Detection
49 Security
Role-Based Access Control
Overview of RBAC
50 Service Provider Bridging
VLAN Stacking
Important Points to Remember
Related Configuration Tasks
Important Points to Remember
Set up SNMP
Configure Storm Control
Configuring Storm Control from INTERFACE Mode
Configuring Storm Control from CONFIGURATION Mode
54 Spanning Tree Protocol (STP)
Setting the Timezone
Set Daylight Saving Time
Setting Daylight Saving Time Once
Sample Configurations for LLDP VLT Proxy Gateway
Sample Configurations for Static VLT Proxy Gateway
Sample Scenario for VLT Proxy Gateway
Configuring a Static VLT Proxy Gateway
RSTP Configuration
Preventing Forwarding Loops in a VLT Domain
Sample RSTP Configuration
Configuring VLT
65 Standards Compliance
IEEE Compliance
RFC and I-D Compliance
1 About this Guide
This configuration guide describes how to use and configure the software features supported in the Dell Networking operating system (OS). You work from the C9010 console to configure a C9010 switch and its C1048P, N20xx, and N30xx port extenders. The C9010 switch is also referred to as the network director or control bridge; the port extenders are also referred to as rapid access nodes. Though this guide contains information on protocols, it is not intended to be a complete reference.
2 Configuration Fundamentals
The Dell Networking OS command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. After you enter a command, the command is added to the running configuration file.
You can set user access rights to commands and command modes using privilege levels. For more information about privilege levels and security options, refer to the Privilege Levels Overview section in the Security chapter. The Dell Networking OS CLI is divided into three major mode levels:
• EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level.
• LLDP
• LLDP MANAGEMENT INTERFACE
• MONITOR SESSION
• MULTIPLE SPANNING TREE
• OPENFLOW INSTANCE
• PVST
• PORT-CHANNEL FAILOVER-GROUP
• PREFIX-LIST
• PRIORITY-GROUP
• PROTOCOL GVRP
• QOS POLICY
• RSTP
• ROUTE-MAP
• ROUTER BGP
• BGP ADDRESS-FAMILY
• ROUTER ISIS
• ISIS ADDRESS-FAMILY
• ROUTER OSPF
• ROUTER OSPFV3
• ROUTER RIP
• SPANNING TREE
• TRACE-LIST
• VLT DOMAIN
• VRRP
• UPLINK STATE GROUP
• GRUB
Navigating CLI Modes
The Dell Networking OS prompt changes to indicate the CLI mode.

CLI Command Mode | Prompt | Access Command
Configuration Terminal Batch | Dell(conf-b)# | config terminal batch
DOT1X PROFILE | Dell(conf-dot1x-profile)# | dot1x
AS-PATH ACL | Dell(config-as-path)# | ip as-path access-list
10 Gigabit Ethernet Interface | Dell(conf-if-te-0/0)# | interface (INTERFACE modes)
40 Gigabit Ethernet Interface | Dell(conf-if-fo-0/0)# | interface (INTERFACE modes)
Interface Range | Dell(conf-if-range)# | interface (INTERFACE modes)
Loopback Interface | Dell(conf-if-lo-0)# | interface (INTERFACE modes)
...
BGP ADDRESS-FAMILY | Dell(conf-router_bgpv6_af)# (for IPv6) | address-family ipv6 unicast (ROUTER BGP mode)
ROUTER ISIS | Dell(conf-router_isis)# | router isis
ISIS ADDRESS-FAMILY | Dell(conf-router_isis-af_ipv6)# | address-family ipv6 unicast (ROUTER ISIS mode)
ROUTER OSPF | Dell(conf-router_ospf)# | router ospf
ROUTER OSPFV3 | Dell(conf-ipv6router_ospf)# | ipv6 router ospf
ROUTER RIP | Dell(conf-router_rip)# | router rip
SPANNING TREE | Dell(config-span)# | protocol spanning-tree 0
TRACE-LIST | Dell(conf-trace-acl)# | ip trace-list
CLASS-MAP | Dell(con
...
UPLINK STATE GROUP | Dell(conf-uplink-state-group<group-id>)# | uplink-state-group

The following example shows how to change the command mode from CONFIGURATION mode to PROTOCOL SPANNING TREE.
Example of Changing Command Modes
Dell(conf)#protocol spanning-tree 0
Dell(config-span)#
The do Command
Use the do command to enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on) without having to return to EXEC mode.
Undoing Commands When you enter a command, the command line is added to the running configuration file (running-config). To disable a command and remove it from the running-config, enter the no command, then the original command. For example, to delete an IP address configured on an interface, use the no ip address ip-address command. NOTE: Use the help or ? command as described in Obtaining Help.
• You can enter partial CLI keywords. Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can enter clo, however, as a partial keyword because only one command begins with those three letters.
• The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command.
The grep command accepts an ignore-case sub-option that makes the search case-insensitive. For example:
• show run | grep Ethernet returns a search result with instances containing a capitalized “Ethernet,” such as interface TengigabitEthernet 0/0.
• show run | grep ethernet does not return that search result because it only searches for instances containing a non-capitalized “ethernet.”
• show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and “ethernet.”
3 Getting Started This chapter describes how you start configuring your operating software. When you power up the chassis, the system performs a power-on self test (POST) and loads the Dell Networking operating software. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LED remains online (green) and the console monitor displays the EXEC mode prompt.
Serial Console
The RJ-45 network management port is located on the left side of the RPM as you face the chassis. Use a supported RJ-45 cable for a network connection.
Figure 1. RJ-45 Console Port
Accessing the Console Port
For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter. To access the console port, follow these steps:
1 Install an RJ-45 copper cable into the console port.
Console Port (Signal, RJ-45 Pinout) | RJ-45 to RJ-45 Rollover Cable (RJ-45 Pinout) | RJ-45 to DB-9 Adapter (DB-9 Pin) | Terminal Server Device (Signal)
TxD 3 | 6 | 2 | RxD
GND 4 | 5 | 5 | GND
GND 5 | 4 | 5 | GND
RxD 6 | 3 | 3 | TxD
NC 7 | 2 | 4 | DTR
CTS 8 | 1 | 7 | RTS

Mounting an NFS File System
This feature enables you to quickly access data on an NFS mounted file system. You can perform file operations on an NFS mounted file system using supported file commands.
Example of Copying a File to the Current File System
Dell#copy tftp://10.16.127.35/username/dv-maa-C9010-test nfsmount://
Destination file name [dv-maa-sC9010-test]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!
44250499 bytes successfully copied
Dell#
Dell#copy ftp://10.16.127.35 nfsmount:
Source file name []: test.
Example of the hostname Command
Dell(conf)#hostname R1
R1(conf)#
Accessing the System Remotely
You can configure the system for remote access over Telnet or SSH. Telnet carries credentials and the whole session in cleartext, so prefer SSH for remote management.
• The switch has a dedicated management port and a management routing table that is separate from the IP routing table.
• You can also manage all Dell Networking products in-band via the front-end data ports through interfaces assigned an IP address.
management route ip-address/mask gateway
• ip-address: the network address in dotted-decimal format (A.B.C.D).
• mask: a subnet mask in /prefix-length format (/xx).
• gateway: the next hop for network traffic originating from the management port.
Configuring a Username and Password
To access the system remotely, you must configure a system username and password.
• Configure a username and password to access the system remotely.
File Storage The Dell Networking OS can use the internal Flash, external Flash, or remote devices to store files. The system stores files on the internal Flash by default, but can be configured to store files elsewhere. To view file system information, use the following command. • View information about each file system.
For a remote file location:
Location | source-file-url Syntax | destination-file-url Syntax
SCP server | copy scp://{hostip | hostname}/filepath/filename | scp://{hostip | hostname}/filepath/filename
Important Points to Remember
• You may not copy a file from one remote system to another.
• You may not copy a file from one location to the same location.
• When copying to a server, you can only use a hostname if a domain name server (DNS) server is configured.
NOTE: When you load the startup configuration or a configuration file from a network server such as TFTP into the running configuration, the loaded configuration is merged into the running configuration; it does not replace the existing running configuration. Where the two conflict, commands in the loaded file take precedence over commands already in the running configuration.
Changes in Configuration Files Configuration files have three commented lines at the beginning of the file, as shown in the following example, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startup-configuration.
4 Switch Management
This chapter describes the switch management tasks supported on the switch.
Configuring Privilege Levels
Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1.
Level | Description
Level 0 | Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
Allowing Access to CONFIGURATION Mode Commands
To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode. A user who enters CONFIGURATION mode remains at the same privilege level and has access to only two commands, end and exit. You must individually specify each CONFIGURATION mode command you want to allow access to using the privilege configure level level command.
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
Dell(conf)#do telnet 10.11.80.201
[telnet output omitted]
Dell#show priv
Current privilege level is 3.
CONFIGURATION mode
username username privilege level
Applying a Privilege Level to a Terminal Line
To set a privilege level for a terminal line, use the following command.
• Configure privilege level for a terminal line.
LINE mode
privilege level level
NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is hostname#, rather than hostname>.
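Before handing out a custom level, it helps to enumerate exactly which commands it exposes. The following Python model is an added example, not Dell OS code: it loads privilege lines in the form shown in the example above and answers whether a user at a given level may run a command line in EXEC or CONFIGURATION mode. Two behaviours are assumptions of the model rather than documented rules: granting a multi-word command also makes its shorter prefixes usable at that level (the example configuration lists capture and capture bgp-pdu alongside capture bgp-pdu max-buffer-size, which is consistent with that), and a command with no rule is treated as requiring level 15. The always-available commands (enable, disable, exit at level 0; end and exit inside CONFIGURATION mode) come from the text above.

```python
"""Privilege-level authorization model (added example, not Dell OS code).

Loads lines of the form
    privilege exec level 3 capture bgp-pdu max-buffer-size
    privilege configure level 3 interface
and answers whether a user at a given level may run a command line in
EXEC or CONFIGURATION mode. Assumptions of the model (not documented rules):
granting a multi-word command also grants its shorter prefixes at that level,
and a command with no rule requires level 15.
"""
import re

PRIV_MAX = 15
RULE_RE = re.compile(
    r"^privilege (?P<mode>exec|configure) level (?P<level>\d{1,2}) (?P<cmd>.+)$"
)

# Commands reachable at every level regardless of the table: the guide gives
# enable, disable and exit for level 0, and end/exit inside CONFIGURATION mode.
ALWAYS = {
    "exec": {("enable",), ("disable",), ("exit",)},
    "configure": {("end",), ("exit",)},
}


class PrivilegeTable:
    def __init__(self):
        self.rules = {"exec": {}, "configure": {}}

    def grant(self, mode, level, command):
        """Record 'privilege <mode> level <level> <command>'."""
        if mode not in self.rules or not 0 <= level <= PRIV_MAX:
            raise ValueError(f"bad rule: {mode} {level} {command}")
        words = tuple(command.split())
        table = self.rules[mode]
        for n in range(1, len(words) + 1):
            prefix = words[:n]
            # A prefix keeps the lowest level ever granted to it, so that
            # "capture bgp-pdu" at 3 also makes "capture" usable at 3.
            table[prefix] = min(level, table.get(prefix, PRIV_MAX))

    def load(self, config_text):
        """Parse privilege lines from running-config text; returns rule count."""
        count = 0
        for line in config_text.splitlines():
            m = RULE_RE.match(line.strip())
            if m:
                self.grant(m["mode"], int(m["level"]), m["cmd"])
                count += 1
        return count

    def required_level(self, mode, command):
        """Level needed for a command line; the longest granted prefix decides."""
        words = tuple(command.split())
        if words[:1] in ALWAYS.get(mode, set()):
            return 0
        table = self.rules.get(mode, {})
        for n in range(len(words), 0, -1):
            if words[:n] in table:
                return table[words[:n]]
        return PRIV_MAX

    def allowed(self, user_level, mode, command):
        return user_level >= self.required_level(mode, command)

    def reachable(self, mode, user_level):
        """Granted commands a user at user_level may run in mode (sorted)."""
        return sorted(
            " ".join(c) for c, lvl in self.rules[mode].items() if lvl <= user_level
        )


# The privilege lines from the example configuration above.
EXAMPLE_CONFIG = """
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
"""

if __name__ == "__main__":
    table = PrivilegeTable()
    table.load(EXAMPLE_CONFIG)
    for level in (1, 3, 4):
        print(f"level {level} EXEC commands:", table.reachable("exec", level))
    print("level 3 may run 'resequence'?", table.allowed(3, "exec", "resequence access-list"))
```

Running it against the example configuration shows that a level 3 user reaches capture, capture bgp-pdu, capture bgp-pdu max-buffer-size and configure in EXEC mode, can enter interface and line configuration, but cannot run resequence (level 4) or any CONFIGURATION command that was not explicitly granted. Feed it the privilege lines from a real running-config to review a custom level before assigning it to a user.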
Enabling Audit and Security Logs You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode. This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control. Audit Logs The audit log contains configuration events and information.
Example of the show logging auditlog Command
For information about the logging extended command, see Enabling Audit and Security Logs.
Dell#show logging auditlog
May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.
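Audit-log lines in the shape shown above can be reviewed mechanically once they reach a syslog server. The following Python script is an added example, not part of the Dell guide or Dell software: it parses lines of the form %CLI-<severity>-<command> by <user> from <line> (<ip>), flags commands issued from outside an assumed management network (10.14.0.0/16 here), and flags commands that change authentication, privilege or logging settings. The first two sample lines are the guide's own example output; the remaining lines, the network range and the list of sensitive keywords are constructed for the example.

```python
"""Review of Dell OS audit-log lines (added example, not from the guide).

Lines from `show logging auditlog` have the shape
    <Mon dd hh:mm:ss>: <prompt>: %CLI-<sev>-<command> by <user> from <line> (<ip>)
This script parses them and flags commands issued from outside an expected
management network and commands that change authentication, privilege or
logging settings.
"""
import ipaddress
import re
from collections import Counter

AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"(?P<host>\S+): %CLI-(?P<sev>\d)-(?P<cmd>.*?) "
    r"by (?P<user>\S+) from (?P<line>\S+) \((?P<ip>[^)]+)\)$"
)

# Keywords that open a command touching who can log in, what they may run,
# or whether actions are recorded. This list is an assumption of the example;
# tune it to the platform features you use.
SENSITIVE_PREFIXES = ("username", "privilege", "logging", "ip ssh", "aaa", "enable", "line")


def parse_audit_line(line):
    """Return the fields of one audit-log line, or None if it does not match."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def is_sensitive(cmd):
    """True if the command, ignoring a leading 'no ', starts with a sensitive keyword."""
    bare = cmd[3:] if cmd.startswith("no ") else cmd
    return any(bare == p or bare.startswith(p + " ") for p in SENSITIVE_PREFIXES)


def review(lines, allowed_networks):
    """Parse all lines and return events, lines that did not parse, and findings."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    events, unparsed, findings = [], [], []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        events.append(rec)
        try:
            inside = any(ipaddress.ip_address(rec["ip"]) in n for n in nets)
        except ValueError:  # source field is not an IP address
            inside = False
        if not inside:
            findings.append({"reason": "outside-management-network", **rec})
        if is_sensitive(rec["cmd"]):
            findings.append({"reason": "sensitive-command", **rec})
    return {"events": events, "unparsed": unparsed, "findings": findings}


def summarize(result):
    """Counts per finding reason and per (user, source IP) pair."""
    by_reason = Counter(f["reason"] for f in result["findings"])
    by_actor = Counter((e["user"], e["ip"]) for e in result["events"])
    return by_reason, by_actor


# Constructed sample log: the first two lines copy the guide's example output,
# the rest are invented to exercise the checks.
SAMPLE_LOG = [
    "May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)",
    "May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)",
    "May 12 12:21:03: Dell#: %CLI-6-username backup privilege 15 by admin from vty0 (10.14.1.98)",
    "May 12 12:25:17: Dell#: %CLI-6-configure terminal by svc_auto from vty1 (192.0.2.77)",
    "May 12 12:25:20: Dell#: %CLI-6-no logging extended by svc_auto from vty1 (192.0.2.77)",
    "May 12 12:25:31: Dell#: %CLI-6-exit by svc_auto from vty1 (192.0.2.77)",
    "-- more --",
]
ALLOWED_MGMT = ["10.14.0.0/16"]  # assumed management network for the example

if __name__ == "__main__":
    result = review(SAMPLE_LOG, ALLOWED_MGMT)
    for f in result["findings"]:
        print(f"{f['reason']:27} {f['ts']} {f['user']}@{f['ip']}: {f['cmd']}")
    print(summarize(result))
```

On the sample, the three svc_auto lines are flagged because 192.0.2.77 is outside the management range, and three commands (two logging changes and one username change) are flagged as sensitive; the no logging extended line matches both checks, which is the case worth an alert, since it turns off the very record being reviewed. Lines that do not parse are returned separately rather than silently dropped.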
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1 On the switch, enable the SSH server:
Dell(conf)#ip ssh server enable
2 On the syslog server, create a reverse SSH tunnel from the syslog server to the switch. With OpenSSH, -R takes port:host:hostport, so the command has the form:
ssh -R <port-on-switch>:<syslog-server-ip>:<syslog-port> user@<switch-ip> -nNf
The SSH server on the switch then listens on <port-on-switch>, and any connection the switch makes to that local port is carried through the encrypted tunnel to the syslog daemon listening on <syslog-port> at the syslog server. The -n, -N and -f options keep the tunnel open in the background without opening a remote shell. Use a dedicated switch account with the lowest privilege level that can log in for this tunnel. In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.
Track Login Activity Dell Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events. When you log in using the console or VTY line, the system displays the last successful login details of the current user and the number of unsuccessful login attempts since your last successful login to the system, and whether the current user’s permissions have changed since the last login.
-----------------------------------------------------------------
User: admin
Last login time: 12:52:01 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.
The following is sample output of the show login statistics unsuccessful-attempts command.
Dell# show login statistics unsuccessful-attempts
There were 3 unsuccessful login attempt(s) for user admin in last 30 day(s).
The following is sample output of the show login statistics unsuccessful-attempts time-period days command.
Dell# show login statistics unsuccessful-attempts time-period 15
There were 0 unsuccessful login attempt(s) for user admin in last 15 day(s).
Enabling the System to Clear Existing Sessions
To enable the system to clear existing login sessions, follow this procedure:
• Use the following command.
CONFIGURATION mode
login concurrent-session clear-line enable
Example of Enabling the System to Clear Existing Sessions
The following example enables you to clear your existing login sessions.
If you do not want to enter the secured mode, do not save the running-configuration. Once saved, to disable the secured CLI mode, you need to manually edit the startup-configuration file and reboot the system.
Log Messages in the Internal Buffer
All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
• Specify the server to which you want to send system messages. You can configure up to eight syslog servers.
CONFIGURATION mode
logging {ip-address | ipv6-address | hostname} {{udp {port}} | {tcp {port}}}
Configuring a UNIX System as a Syslog Server
To configure a UNIX system as a syslog server, use the following command.
• Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file.
• Add line on a 4.
Changing System Logging Settings
You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged. To specify the system logging settings, use the following commands.
• Specify the minimum severity level for logging to the logging buffer.
logging facility [facility-type]
• auth (for authorization messages)
• cron (for system scheduler messages)
• daemon (for system daemons)
• kern (for kernel messages)
• local0 (for local use)
• local1 (for local use)
• local2 (for local use)
• local3 (for local use)
• local4 (for local use)
• local5 (for local use)
• local6 (for local use)
• local7 (for local use)
• lpr (for line printer system messages)
• mail (for mail system messages)
• news (for USENET news messages)
• sys
Configure the following parameters for the virtual terminal lines:
• number: the range is from zero (0) to 8.
• end-number: the range is from 1 to 8.
You can configure multiple virtual terminals at one time by entering a number and an end-number.
2 Configure a level and set the maximum number of messages to print.
LINE mode
logging synchronous [level severity-level | all] [limit]
Configure the following optional parameters:
• level severity-level: the range is from 0 to 7. The default is 2.
• Configure FTP Server Parameters (optional)
• Configure FTP Client Parameters (optional)
Enabling the FTP Server To enable the system as an FTP server, use the following command. To view FTP configuration, use the show running-config ftp command in EXEC privilege mode. • Enable FTP on the system.
Enter the following keywords and slot/port or number information:
• For a loopback interface, enter the keyword loopback then a number between 0 and 16383.
• For a port channel interface, enter the keywords port-channel then a number from 1 to 255.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Configuring Login Authentication for Terminal Lines You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, the system prompts for the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are: enable Prompt for the enable password.
• Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the time-out period to 0. LINE mode exec-timeout minutes [seconds] • Return to the default time-out values. LINE mode no exec-timeout Example of Setting the Time Out Period for EXEC Privilege Mode The following example shows how to set the time-out period and how to view the configuration using the show config command from LINE mode.
Lock CONFIGURATION Mode The system allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). You can set two types of locks: auto and manual.
• Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access.
the text would be “CPU Clock signal has degraded below acceptable threshold on Line card with service tag . Please contact Technical Support". This syslog continues to be emitted every 30 minutes. An SNMP trap with this information will also be generated once every hour.
Recovering from a Forgotten Password If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter. If you forget your password, follow these steps: 1 Log onto the system using the console. 2 Power-cycle the chassis by disconnecting and then reconnecting the power cord. 3 During bootup, press Esc when prompted to abort the boot process. You enter Boot-Line Interface (BLI) mode at the BOOT_USER# prompt.
Recovering from a Failed Start A switch that does not start correctly might be trying to boot from a corrupted Dell Networking OS image or from a mis-specified location. In this case, you can restart the system and interrupt the boot process to point the system to another boot location. 1 Power-cycle the chassis (pull the power cord and reinsert it). 2 During bootup, press the ESC key when this message appears: Press Esc to stop autoboot...
Power-cycling the unit(s). .... Restoring Factory-Default Boot Environment Variables The Boot line determines the location of the image that is used to boot up the switch after restoring factory-default settings. Ideally, these locations contain valid images, which the switch uses to boot up. When you restore factory-default settings, you can either use a flash boot procedure or a network boot procedure to boot the switch.
file name BOOT_USER # : systemb To boot from the network: BOOT_USER # boot change primary boot device : file name : Server IP address : BOOT_USER # 4 tftp FTOS-SI-9-5-0-169.bin 10.16.127.35 Assign an IP address and network mask to the Management Ethernet interface. BOOT_USER # interface management ethernet ip address ip_address_with_mask For example, 10.16.150.106/16. 5 Assign an IP address as the default gateway for the system. default-gateway gateway_ip_address For example, 10.16.150.254.
• hash-value: (Optional). Specify the relevant hash published on i-Support. • img-file: Enter the name of the Dell Networking software image file to validate Examples: Without Entering the Hash Value for Verification MD5 Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin MD5 hash for FTOS-SE-9.5.0.0.bin: 275ceb73a4f3118e1d6bcf7d75753459 SHA256 Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin SHA256 hash for FTOS-SE-9.5.0.0.
[Boot status output: linecard 1 through linecard 11 are listed, each reporting either its boot source (FLASH BOOT) or "not present"; seven slots report not present. The column layout of this output did not survive extraction.]
Logging in to the Virtual Console of a C9010 Component You must log in to the virtual console of a C9010 component in order to re-configure its boot variables. By default, you log in to a C9010 console port, which is identified as RPM0 CP or RPM1 CP. • To log in to the RPM RP: Hold down the Ctrl key and type geo. Then release the Ctrl key and type r. • To log in to the RPM LP: Hold down the Ctrl key and type geo. Then release the Ctrl key and type l.
***** Welcome to Dell Networking OS Boot Interface ***** PRIMARY OPERATING SYSTEM BOOT PARAMETERS: ======================================== boot device : ftp file name : force10/rd/tgtimg/runtime/LP.bin Management Etherenet IP address : 127.10.10.113 Mask : 255.240.0.0 Server IP address : 127.10.10.10 Default Gateway IP address : 127.10.10.
5 802.1X 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 3. EAP Frames Encapsulated in Ethernet and RADIUS The authentication process involves three devices: • The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. • The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
• Re-Authenticating a Port • Configuring Dynamic VLAN Assignment with Port Authentication • Guest and Authentication-Fail VLANs • Multi-Host Authentication • Multi-Supplicant Authentication • MAC Authentication Bypass • Dynamic CoS with 802.
Figure 4. EAP Port-Authentication EAP over RADIUS 802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as an attribute in Type, Length, Value (TLV) format. The Type value of the EAP-Message attribute is 79. Because one attribute carries at most 253 bytes of value, a longer EAP message is split across consecutive EAP-Message attributes, and RFC 3579 requires every RADIUS packet that carries EAP-Message to also carry a Message-Authenticator attribute (Type 80) so that the server can discard forged or altered requests. Figure 5. EAP Over RADIUS
RADIUS Attributes for 802.1X Support Dell Networking systems include the following RADIUS attributes (numbered as in RFC 2865) in all 802.1X-triggered Access-Request messages: Attribute 31 Calling-Station-Id: relays the supplicant MAC address to the authentication server. Attribute 61 NAS-Port-Type: the physical type of the NAS port; the value 15 indicates Ethernet. Attribute 5 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
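An added example, not from the guide or from Dell's code: Python that builds and checks the Access-Request an authenticator sends, with the three attributes listed above, the EAP-Message (79) attribute split as RFC 3579 requires and the Message-Authenticator (80) that must accompany it. The shared secret, identifier, MAC address, port number and EAP identity are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
CODE_ACCESS_REQUEST = 1
ATTR_NAS_PORT = 5
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_ETHERNET = 15
MAX_ATTR_VALUE = 253      # the one-byte attribute Length includes the 2-byte header


def encode_attr(atype, value):
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def encode_eap_message(eap):
    """An EAP packet longer than 253 bytes is carried in several consecutive
    EAP-Message attributes; the server concatenates them in order (RFC 3579 3.1)."""
    return b"".join(encode_attr(ATTR_EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap), MAX_ATTR_VALUE))


def eap_response_identity(eap_id, identity):
    """EAP Response (code 2) of type Identity (1); the length covers the whole packet."""
    body = b"\x01" + identity
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def build_access_request(identifier, secret, eap, supplicant_mac, nas_port,
                         request_authenticator=None):
    """Wrap one EAP packet in an Access-Request the way the authenticator does."""
    req_auth = request_authenticator or os.urandom(16)   # fresh random value per request
    attrs = (encode_attr(ATTR_CALLING_STATION_ID, supplicant_mac.encode())
             + encode_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + encode_attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + encode_eap_message(eap)
             # RFC 3579 3.2: a packet carrying EAP-Message MUST also carry
             # Message-Authenticator, computed with its own value set to zeros.
             + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    packet = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac          # Message-Authenticator is the last attribute


def iter_attrs(packet):
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen


def verify_message_authenticator(packet, secret):
    """Server-side check. A request with EAP-Message but no Message-Authenticator
    must be silently discarded (RFC 3579 3.2), so a missing attribute fails."""
    for pos, atype, value in iter_attrs(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def extract_eap(packet):
    """Reassemble the EAP packet from the EAP-Message attributes, in order."""
    return b"".join(v for _, t, v in iter_attrs(packet) if t == ATTR_EAP_MESSAGE)


def decode_attrs(packet):
    out = {}
    for _, t, v in iter_attrs(packet):
        if t == ATTR_CALLING_STATION_ID:
            out["calling_station_id"] = v.decode()
        elif t == ATTR_NAS_PORT_TYPE:
            out["nas_port_type"] = struct.unpack("!I", v)[0]
        elif t == ATTR_NAS_PORT:
            out["nas_port"] = struct.unpack("!I", v)[0]
    return out
```

The Message-Authenticator is what stops an attacker on the path between switch and RADIUS server from substituting their own EAP payload: the Request Authenticator alone is random and unsigned, so a server that accepts EAP without checking attribute 80 is trusting the transport.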
Enabling 802.1X Enable 802.1X globally. Figure 6. 802.1X Enabled 1 Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2 Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3 Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication NOTE: You must enable dot1x authentication both globally and in INTERFACE mode on the interface to which the supplicant is connected.
Examples of Verifying that 802.1X is Enabled Globally or on an Interface Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. The dot1x authentication lines show that 802.1X has been enabled. By default, ports are not authorized.
Dell#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface TenGigabitEthernet 2/1
 no ip address
 dot1x authentication
 no shutdown
!
Dell#
View 802.
Hardware is DellEth, address is 34:17:eb:00:aa:12 Current address is 34:17:eb:00:aa:12 Pluggable media not present Interface index is 804258823 Internet address is not set Mode of IPv4 Address Assignment : NONE DHCP Client-ID :3417eb00aa12 MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 1000 Mbit, Mode auto Auto-mdix enabled, ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 20:06:07 Queueing strategy: fifo Input Statistics: 10760802379 packets, 688691353132 bytes 10760802177 64-by
mac-address — Enter the keyword mac and type up to the 48-bit MAC addresses using the nn:nn:nn:nn:nn:nn format. A maximum of 6 MAC addresses are allowed. Example of Configuring a List of MAC Addresses for a dot1x Profile The following example configures 2 MAC addresses and then displays these addresses.
Auth Type: SINGLE_HOST
Auth PAE State: Authenticated
Backend State: Idle
Configuring Critical VLAN By default, no critical VLAN is configured. If authentication fails because the authentication server is not reachable, the user session is placed in the critical VLAN. Because the critical VLAN admits devices that were never authenticated, give it only the access needed for degraded operation until the server is reachable again. To configure a critical VLAN for users or devices when the authentication server is not reachable, use the following command.
NOTE: There are several reasons why the supplicant might fail to respond; for example, the supplicant might have been booting when the request arrived or there might be a physical-layer failure. To configure re-transmissions, use the following commands. • Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame. INTERFACE mode dot1x tx-period number The range is from 1 to 65535 seconds. The default is 30 seconds.
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Forcibly Authorizing or Unauthorizing a Port IEEE 802.
Re-Authenticating a Port You can configure the authenticator for periodic re-authentication. After the supplicant has been authenticated, and the port has been authorized, you can configure the authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds, but you can configure this interval. You can configure a maximum number of re-authentications as well.
1 The host sends a dot1x packet to the Dell Networking system. 2 The system forwards a RADIUS Access-Request containing the host MAC address and ingress port number. 3 The RADIUS server authenticates the request and returns a RADIUS Access-Accept message with the VLAN assignment carried in the Tunnel-Private-Group-ID attribute (together with Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802, as RFC 3580 specifies). The illustration shows the configuration before connecting the end-user device in black and blue text, and after connecting the device in red text.
If the supplicant fails to authenticate for a specified number of times, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves.
Configuring an Authentication-Fail VLAN If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time. NOTE: For more information about authenticator re-attempts, refer to Configuring a Quiet Period after a Failed Authentication. You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
Example of Viewing Configured Authentication 802.
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Figure 9. Multi-Host Authentication Mode When you configure multi-host mode authentication, the first client to respond to an identity request is authenticated and subsequent responses are still ignored. However, because the authenticator expects the possibility of multiple responses, no system log is generated. After the first supplicant is authenticated, all end users connected to the authorized port are allowed to access the network.
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Critical VLAN: Disable
Critical VLAN id: NONE
Mac-Auth-Bypass: Disable
Mac-Auth-Bypass Only: Disable
Static-MAB: Disable
Static-MAB Profile: NONE
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max:
Supplicant Timeout:
Server Timeout:
Re-Auth Interval:
Max-EAP-Req:
Host Mode:
Auth PAE State:
Backend State:
feature is different from multi-host authentication in which multiple devices connected to a single authenticator port can access the network after only the one device is authenticated, and all hosts are placed in the same VLAN as the authenticated device. Multi-supplicant authentication is needed, for example, in the case of a workstation at which a VoIP phone and PC are connected to a single authenticator port.
Restricting Multi-Supplicant Authentication To restrict the number of devices that 802.1X can authenticate on a port in multi-supplicant (multi-auth) mode, enter the dot1x max-supplicants number command in INTERFACE mode. By default, the maximum number of multi-supplicant devices is 128.
MAB in Multi-Supplicant Authentication Mode Multi-supplicant authentication (multi-auth) mode is similar to other 802.1X modes in that the switch first attempts to authenticate a supplicant using 802.1X. 802.1X times out if the supplicant does not respond to the Request Identity frame. Then, if MAB authentication is enabled, the switch tries to authenticate every MAC it learns on the port, up to 128 MACs, which is the maximum number of supplicants that 802.
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Critical VLAN: Disable
Critical VLAN id: NONE
Mac-Auth-Bypass: Enable
Mac-Auth-Bypass Only: Disable
Static-MAB: Disable
Static-MAB Profile: NONE
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Authenticated
Backend State: Idle
Dynamic CoS with 802.
The priority of untagged packets is assigned according to the remapped value of priority 0 traffic in the RADIUS-based table. For example, in the following remapping table, untagged packets are tagged with priority 2:
Dell#show dot1x cos-mapping interface TenGigabitethernet 2/3
802.1Xp CoS remap table on Te 2/3:
----------------------------
Dot1p   Remapped Dot1p
0       2
1       6
2       5
3       4
4       3
5       2
6       1
7       0
• After being re-tagged by dynamic CoS for 802.
6 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. • Access control lists (ACLs), Ingress IP and MAC ACLs, and Egress IP and MAC ACLs are supported on the system. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
• Source TCP port number • Destination TCP port number • Source UDP port number • Destination UDP port number For more information about ACL options, refer to the Dell Networking OS Command Reference Guide. For extended ACL, TCP, and UDP filters, you can match criteria on specific or ranges of TCP or UDP ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions. When creating an access list, the sequence of the filters is important.
To determine whether sufficient ACL CAM space is available to enable a service-policy, use this command. To verify the actual CAM space required, create a class map with all the required ACL rules, then run the test cam-usage command in EXEC and EXEC Privilege mode. The following example shows the output when running this command. The status column indicates whether you can enable the policy.
The default CAM allocation settings for ingress ACL and QoS regions are the following:
L2Acl         : 5
Ipv4Acl       : 4
Ipv6Acl       : 0
Ipv4Qos       : 2
L2Qos         : 1
L2PT          : 0
IpMacAcl      : 0
VmanQos       : 0
EcfmAcl       : 0
FcoeAcl       : 0
iscsiOptAcl   : 0
ipv4pbr       : 0
vrfv4Acl      : 0
Openflow      : 0
fedgovacl     : 0
nlbclusteracl : 0
Select the CAM allocation for Layer 2, IPv4, and IPv6 ACLs, Layer 2 and Layer 3 (IPv4) QoS, Layer 2 Protocol Tunneling (L2PT), IP and MAC source address validation for DHCP, and Policy-based Routing (PBR).
Dell(conf)#cam-acl-pe ? default Reset PE CAM ACL entries to default setting l2acl Set L2-ACL entries Dell(conf)#cam-acl-pe l2acl 3 ipv4acl 2 ipv6acl 2 ipv4qos 2 l2qos 1 ipmacacl 2 Allocating CAM for Egress ACLs on the Port Extender To allocate Content Addressable Memory (CAM) for egress ACLs on the port extender. You can re-allocate memory space for egress ACLs on the port extender by using the cam-acl-egress-pe command in CONFIGURATION mode.
Ipv6Acl : 2 Dell(conf)#cam-acl-egress-pe l2acl 2 ipv4acl 2 ipv6acl 0 The following example displays the running configuration for the configured CAM ACLs. Dell(conf)#do show running-config | grep cam-acl cam-acl l2acl 3 ipv4acl 4 ipv6acl 0 ipv4qos 2 l2qos 1 l2pt 0 ipmacacl 0 vman-qos 0 ecfmacl 0 ipv4pbr 2 cam-acl-pe l2acl 3 ipv4acl 2 ipv6acl 2 ipv4qos 2 l2qos 1 ipmacacl 2 cam-acl-egress-pe l2acl 2 ipv4acl 2 ipv6acl 0 Implementing ACLs You can assign one IP ACL per physical or VLAN interface.
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules. The order can range from 0 to 254. The system writes ACL rules with lower order numbers (order numbers closer to 0) to the CAM before rules with higher order numbers, so that packets are matched as you intended. By default, all ACL rules have an order of 254.
Example of Denying Second and Subsequent Fragments To deny the second/subsequent fragments, use the same rules in a different order. These ACLs deny all second and subsequent fragments with destination IP 10.1.1.1 but permit the first fragment and non-fragmented packets with destination IP 10.1.1.1. Dell(conf)#ip access-list extended ABC Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments Dell(conf-ext-nacl)#permit ip any 10.1.1.
• FO > 0 means it is dealing with the fragments of the original packet. Configure a Standard IP ACL To configure an ACL, use commands in IP ACCESS LIST mode and INTERFACE mode. For a complete list of all the commands related to IP ACLs, refer to the Dell Networking OS Command Line Interface Reference Guide. To set up extended ACLs, refer to Configure an Extended IP ACL. A standard IP ACL uses the source IP address as its match criterion. 1 Enter IP ACCESS LIST mode by naming a standard IP access list.
Configuring a Standard IP ACL Filter If you are creating a standard ACL with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. The software assigns filters in multiples of five. 1 Configure a standard IP ACL and assign it a unique name. CONFIGURATION mode ip access-list standard access-list-name 2 Configure a drop or forward IP ACL filter.
Configuring Filters with a Sequence Number To configure filters with a sequence number, use the following commands. 1 Enter IP ACCESS LIST mode by creating an extended IP ACL. CONFIGURATION mode ip access-list extended access-list-name 2 Configure a drop or forward filter.
NOTE: When assigning sequence numbers to filters, you may have to insert a new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or another number. The example below shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 15 was configured before filter 5, but the show config command displays the filters in the correct order. Dell(config-ext-nacl)#seq 15 deny ip host 112.45.0.
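The two orderings in the ABC example above, together with the auto-assigned sequence numbers described under Configuring a Standard IP ACL Filter, are modelled in this added Python. It is not Dell OS code and says nothing about how the CAM is programmed; it reproduces the first-match, implicit-deny evaluation and the meaning of the fragments keyword (only packets with fragment offset FO > 0). Source addresses other than those in the guide are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


def parse_addr(spec):
    """'any', 'host 10.1.1.1' or '10.1.1.0/24', as typed in IP ACCESS LIST mode."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec[5:] + "/32")
    return ipaddress.ip_network(spec, strict=False)


def fmt(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return "host %s" % net.network_address
    return str(net)


@dataclass
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    fragments: bool = False      # True: match only packets whose fragment offset > 0


@dataclass
class ExtendedAcl:
    name: str
    rules: list = field(default_factory=list)

    def add(self, action, src, dst, fragments=False, seq=None):
        if seq is None:          # like the CLI: auto-assign in multiples of five
            seq = (max((r.seq for r in self.rules), default=0) // 5 + 1) * 5
        if not 0 <= seq <= 65535 or any(r.seq == seq for r in self.rules):
            raise ValueError("sequence number invalid or already used: %d" % seq)
        self.rules.append(Rule(seq, action, parse_addr(src), parse_addr(dst), fragments))
        self.rules.sort(key=lambda r: r.seq)

    def evaluate(self, src_ip, dst_ip, frag_offset=0):
        """First matching rule wins; no match falls through to the implicit deny.
        A rule without 'fragments' matches FO == 0 and FO > 0 packets alike;
        a rule with 'fragments' matches only FO > 0 (second and later fragments)."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self.rules:
            if r.fragments and frag_offset == 0:
                continue
            if src in r.src and dst in r.dst:
                return r.action, r.seq
        return "deny", None

    def show_config(self):
        lines = ["ip access-list extended %s" % self.name]
        for r in self.rules:
            lines.append(" seq %d %s ip %s %s%s" % (
                r.seq, r.action, fmt(r.src), fmt(r.dst), " fragments" if r.fragments else ""))
        return "\n".join(lines)


def deny_later_fragments():
    """The ordering from the guide's ABC example: deny FO > 0 first, then permit."""
    acl = ExtendedAcl("ABC")
    acl.add("deny", "any", "10.1.1.1/32", fragments=True)   # gets seq 5
    acl.add("permit", "any", "10.1.1.1/32")                  # gets seq 10
    return acl


def permit_all_fragments():
    """Same two rules in the opposite order: the permit now shadows the deny."""
    acl = ExtendedAcl("ABC")
    acl.add("permit", "any", "10.1.1.1/32")
    acl.add("deny", "any", "10.1.1.1/32", fragments=True)
    return acl
```

The second function is the mistake to look for in a review: a permit that precedes the fragments deny makes the deny unreachable, and non-initial fragments (which carry no TCP/UDP header for a port-based rule to inspect) sail through.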
• When the system routes the packets, only the L3 ACL governs them because they are not filtered against an L2 ACL. • When the system switches the packets, first the L3 ACL filters them, then the L2 ACL filters them. • When the system switches the packets, the egress L3 ACL filters the packet.
• The maximum number of VLAN groups that you can configure also depends on the hardware specifications of the switch. Each VLAN group is mapped to a unique ID in the hardware. The maximum number of ACL VLAN groups supported is 31. Only a maximum of two components (iSCSI counters, Open Flow, ACL optimization) can be allocated virtual flow processing slices at a time. • Port ACL optimization is applicable only for ACLs that are applied without the VLAN range.
100,200,300 Group Name : CustomerNumberIdentificationEleven Egress IP Acl : AnyEmployeeCustomerElevenGrantedAccess Vlan Members : 2-10,99 Group Name : HostGroup Egress IP Acl : Group5 Vlan Members : 1,1000 Dell# Allocating ACL VLAN CAM CAM optimization for ACL VLAN groups is not enabled by default. You must allocate blocks of ACL VLAN CAM to enable ACL CAM optimization by using the cam-acl-vlan command.
3 Apply an IP ACL to traffic entering or exiting an interface. INTERFACE mode ip access-group access-list-name {in} [implicit-permit] [vlan vlan-range] NOTE: The number of entries allowed per ACL is hardware-dependent. For detailed specification about entries allowed per ACL, refer to your line card documentation. 4 Apply rules to the new ACL.
Applying Egress ACLs Egress ACLs are supported on interfaces and affect the traffic leaving the system. Configuring egress ACLs onto physical interfaces protects the system infrastructure from attack — malicious and incidental — by explicitly allowing only authorized traffic. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieves the same results. By localizing target traffic, it is a simpler implementation. To restrict egress traffic, use an egress ACL.
CONFIG-NACL mode permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address} count Dell Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group management protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU traffic. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface MAC address instead of VRRP virtual MAC address.
NOTE: It is important to know which protocol your system supports prior to implementing prefix-lists. Configuration Task List for Prefix Lists To configure a prefix list, use commands in PREFIX LIST, ROUTER RIP, ROUTER OSPF, and ROUTER BGP modes. Create the prefix list in PREFIX LIST mode and assign that list to commands in ROUTER RIP, ROUTER OSPF and ROUTER BGP modes. The following list includes the configuration tasks for prefix lists, as described in the following sections.
If you are creating a standard prefix list with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. The system assigns filters in multiples of five. Creating a Prefix List Without a Sequence Number To create a filter without a specified sequence number, use the following commands. 1 Create a prefix list and assign it a unique name.
seq 5 deny 1.102.0.0/16 le 32 (hit count: 0) seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0) seq 10 permit 0.0.0.0/0 le 32 (hit count: 0) ip prefix-list filter_ospf: count: 4, range entries: 1, sequences: 5 - 10 seq 5 deny 100.100.1.0/24 (hit count: 0) seq 6 deny 200.200.1.0/24 (hit count: 0) seq 7 deny 200.200.2.0/24 (hit count: 0) seq 10 permit 0.0.0.0/0 le 32 (hit count: 0) The following example shows the show ip prefix-list summary command.
• Enter OSPF mode. CONFIGURATION mode router ospf • Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded. CONFIG-ROUTER-OSPF mode distribute-list prefix-list-name in [interface] • Apply a configured prefix list to incoming routes. You can specify which type of routes are affected. If you enter the name of a non-existent prefix list, all routes are forwarded.
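An added example (not from the guide): Python that evaluates the ip prefix-list entries shown in the show ip prefix-list detail output above, including the ge/le length bounds, the implicit deny at the end of every list, and the distribute-list rule that a name which refers to no configured list forwards all routes. The sample routes are constructed.

```python
import ipaddress


class PrefixList:
    """One 'ip prefix-list NAME' with seq-ordered entries and an implicit deny."""

    def __init__(self, name):
        self.name = name
        self.entries = []     # [seq, action, network, min_len, max_len, hits, text]

    def add(self, action, prefix, ge=None, le=None, seq=None):
        net = ipaddress.ip_network(prefix)
        # No ge/le: only that exact prefix matches. 'le N': any covered prefix
        # up to length N. 'ge N': any covered prefix of length N or longer.
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else (net.max_prefixlen if ge is not None else net.prefixlen)
        if not net.prefixlen <= lo <= hi <= net.max_prefixlen:
            raise ValueError("need prefixlen <= ge <= le <= %d" % net.max_prefixlen)
        if seq is None:       # auto-assign in multiples of five, like the CLI
            seq = (max((e[0] for e in self.entries), default=0) // 5 + 1) * 5
        text = "%s %s" % (action, net)
        if ge is not None:
            text += " ge %d" % ge
        if le is not None:
            text += " le %d" % le
        self.entries.append([seq, action, net, lo, hi, 0, text])
        self.entries.sort(key=lambda e: e[0])

    def match(self, route):
        """Return (action, seq) of the first matching entry, or ('deny', None)."""
        route = ipaddress.ip_network(route)
        for e in self.entries:
            seq, action, net, lo, hi = e[:5]
            if route.subnet_of(net) and lo <= route.prefixlen <= hi:
                e[5] += 1
                return action, seq
        return "deny", None

    def show(self):
        lines = ["ip prefix-list %s:" % self.name]
        for seq, _, _, _, _, hits, text in self.entries:
            lines.append("  seq %d %s (hit count: %d)" % (seq, text, hits))
        return "\n".join(lines)


def distribute_list_in(routes, prefix_lists, name):
    """'distribute-list NAME in': accept the routes the list permits.
    A name that refers to no configured list lets every route through,
    which is why a typo in the name silently removes the filter."""
    plist = prefix_lists.get(name)
    if plist is None:
        return list(routes)
    return [r for r in routes if plist.match(r)[0] == "permit"]


def guide_filter_list():
    """The 'filter' list from the show ip prefix-list detail output."""
    f = PrefixList("filter")
    f.add("deny", "1.102.0.0/16", le=32, seq=5)
    f.add("deny", "2.1.0.0/16", ge=23, seq=6)
    f.add("permit", "0.0.0.0/0", le=32, seq=10)
    return f
```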
Rules Resequencing seq 20 permit any host 1.1.1.4 Resequencing an ACL or Prefix List Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the following commands. You must specify the list name, starting number, and increment when using these commands.
remark 10 this remark corresponds to permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.2 seq 15 permit ip any host 1.1.1.3 seq 20 permit ip any host 1.1.1.4 Dell# end Dell# resequence access-list ipv4 test 2 2 Dell# show running-config acl ! ip access-list extended test remark 2 XYZ remark 4 this remark corresponds to permit any host 1.1.1.1 seq 4 permit ip any host 1.1.1.1 remark 6 this remark has no corresponding rule remark 8 this remark corresponds to permit ip any host 1.1.1.
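An added Python reconstruction (not Dell code) of what resequence access-list ipv4 test 2 2 does to the list above. The starting numbers 3, 5, 7, 10, 15 and 20 are assumed, because the page shows only the tail of the list before resequencing and the head after; the point demonstrated is that rules and remarks are renumbered together, so a remark that shares a rule's number stays attached to that rule.

```python
def resequence(entries, start, increment):
    """Renumber an ACL (or prefix list) the way 'resequence access-list' does:
    every distinct old number, whether it belongs to a rule or a remark, gets
    the next value in start, start+increment, ...; a remark numbered like a
    rule keeps that rule's new number, so the pairing survives."""
    if start < 0 or increment < 1:
        raise ValueError("start must be >= 0 and increment >= 1")
    new_for = {old: start + i * increment
               for i, old in enumerate(sorted({seq for seq, _, _ in entries}))}
    if max(new_for.values(), default=0) > 65535:
        raise ValueError("resequencing would exceed the 65535 sequence limit")
    # keep old order; for equal numbers a remark is printed ahead of its rule
    ordered = sorted(entries, key=lambda e: (e[0], 0 if e[1] == "remark" else 1))
    return [(new_for[seq], kind, text) for seq, kind, text in ordered]


def render(name, entries):
    """Print the list the way 'show running-config acl' does."""
    lines = ["ip access-list extended %s" % name]
    for seq, kind, text in entries:
        lines.append((" remark %d %s" if kind == "remark" else " seq %d %s") % (seq, text))
    return "\n".join(lines)


# Constructed starting state; the guide shows only the end of this list.
BEFORE = [
    (3, "remark", "XYZ"),
    (5, "remark", "this remark corresponds to permit any host 1.1.1.1"),
    (5, "rule", "permit ip any host 1.1.1.1"),
    (7, "remark", "this remark has no corresponding rule"),
    (10, "remark", "this remark corresponds to permit ip any host 1.1.1.2"),
    (10, "rule", "permit ip any host 1.1.1.2"),
    (15, "rule", "permit ip any host 1.1.1.3"),
    (20, "rule", "permit ip any host 1.1.1.4"),
]
```

Resequencing changes only the numbers, never the relative order, so it cannot alter which rule a packet hits; it is safe to run on a production list, but any change-control diff will show every line as modified.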
• Configure a route map for route tagging (optional) Creating a Route Map Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters match certain routes and set or specify values. To create a route map, use the following command. • Create a route map and assign it a unique name. The optional permit and deny keywords are the action of the route map.
The following example shows a route map with multiple instances. The show config command displays only the configuration of the current route map instance. To view all instances of a specific route map, use the show route-map command.
Configuring Match Routes To configure match criterion for a route map, use the following commands. • Match routes with the same AS-PATH numbers. CONFIG-ROUTE-MAP mode match as-path as-path-name • Match routes with COMMUNITY list attributes in their path. CONFIG-ROUTE-MAP mode match community community-list-name [exact] • Match routes whose next hop is a specific interface.
• Match BGP routes based on the ORIGIN attribute. CONFIG-ROUTE-MAP mode match origin {egp | igp | incomplete}
• Match routes specified as internal or external to OSPF, ISIS level-1, ISIS level-2, or locally generated. CONFIG-ROUTE-MAP mode match route-type {external [type-1 | type-2] | internal | level-1 | level-2 | local}
• Match routes with a specific tag. CONFIG-ROUTE-MAP mode match tag tag-value
To create route map instances, use these commands.
set origin {egp | igp | incomplete}
• Specify a tag for the redistributed routes. CONFIG-ROUTE-MAP mode set tag tag-value
• Specify a value as the route’s weight. CONFIG-ROUTE-MAP mode set weight value
To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low. Set commands do not require a corresponding match command.
! route-map torip permit 10 match route-type internal set tag 34 ! Continue Clause Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found. The following example shows a continue clause at the end of a route-map module.
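An added Python model, not the guide's own continue example (which is not reproduced on this page), of how a route map with permit and deny instances, match and set clauses, and a continue clause evaluates a route. The torip instance is the one shown above; the chained map and the route attributes (route_type, next_hop, local_pref) are constructed. Two behaviours are assumed rather than stated by the guide: a route already permitted stays permitted when no later instance matches after a continue, and continuing into a matching deny instance drops the route.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Instance:
    seq: int
    action: str = "permit"                       # "permit" or "deny"
    match: dict = field(default_factory=dict)    # attribute -> required value; empty matches every route
    set: dict = field(default_factory=dict)      # attribute -> new value
    cont: Optional[int] = None                   # None: stop here; 0: plain "continue"; n: "continue n"


def matches(inst, route):
    return all(route.get(k) == v for k, v in inst.match.items())


def apply_route_map(instances, route):
    """Return the (possibly modified) route if the map permits it, else None.
    Instances are tried in sequence order; the first match normally ends
    processing, but 'continue' carries on to the next (or the named) instance."""
    insts = sorted(instances, key=lambda i: i.seq)
    route = dict(route)
    permitted = False
    i = 0
    while i < len(insts):
        inst = insts[i]
        if not matches(inst, route):
            i += 1
            continue
        if inst.action == "deny":
            return None
        route.update(inst.set)
        permitted = True
        if inst.cont is None:
            break
        if inst.cont == 0:
            i += 1
        else:
            if inst.cont <= inst.seq:
                raise ValueError("continue must point to a higher sequence number")
            i = next((k for k, x in enumerate(insts) if x.seq == inst.cont), len(insts))
    return route if permitted else None          # nothing matched: implicit deny


# From the guide: route-map torip permit 10 / match route-type internal / set tag 34
TORIP = [Instance(10, "permit", {"route_type": "internal"}, {"tag": 34})]

# Constructed: instance 10 tags internal routes and continues, so instance 20
# can also raise local-preference for the ones learned from 192.0.2.1, and
# instance 30 still drops anything from 198.51.100.9.
CHAINED = [
    Instance(10, "permit", {"route_type": "internal"}, {"tag": 34}, cont=0),
    Instance(20, "permit", {"next_hop": "192.0.2.1"}, {"local_pref": 200}),
    Instance(30, "deny", {"next_hop": "198.51.100.9"}),
]
```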
udf-tcam name seq number Dell(conf)#udf-tcam ipnip seq 1 5 Configure a UDF ID to parse packet headers using the specified number of offset and required bytes. CONFIGURATION-UDF TCAM mode key description udf-id id packetbase PacketBase offset bytes length bytes Dell(conf-udf-tcam)#key innerL3header udf-id 6 packetbase innerL3Header offset 0 length 2 6 View the UDF TCAM configuration.
CONFIGURATION-UDF TCAM mode show config Dell(config-ext-nacl)#show config ! ip access-list extended aa seq 5 permit ip any any udf-pkt-format ipnip udf-qualifier-value ipnip_val1 Dell(config-ext-nacl)# Hot-Lock Behavior Dell Networking OS hot-lock features allow you to append and delete their corresponding content addressable memory (CAM) entries dynamically without disrupting traffic. Existing entries are simply shuffled to accommodate new entries.
7 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 10. BFD in IPv4 Packet Format Field Description Diagnostic Code The reason that the last session failed. State The current local session state. Refer to BFD Sessions. Flag A bit that indicates packet function.
Field Description Detection Multiplier The number of packets that must be missed in order to declare a session down. Length The entire length of the BFD packet. My Discriminator A random number generated by the local system to identify the session. Your Discriminator A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Demand mode If one system requests Demand mode, the other system stops sending periodic control packets; it only sends a response to status inquiries from the Demand mode initiator. Either system (but not both) can request Demand mode at any time. NOTE: The Dell Networking OS supports Asynchronous mode only. A session can have four states: Administratively Down, Down, Init, and Up. Administratively Down The local system does not participate in a particular session.
Figure 11.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 12.
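An added Python example (not Dell code) of the control packet described under BFD Packet Format and the state transitions of this section: it builds and parses the 24-byte control packet, applies the receive-side discard checks of RFC 5880, runs the three-way handshake between two constructed sessions, and computes the asynchronous-mode detection time (remote multiplier times the slower of the two intervals). Discriminators and intervals are constructed values.

```python
import struct

ADMIN_DOWN, DOWN, INIT, UP = 0, 1, 2, 3
STATE_NAME = {ADMIN_DOWN: "AdminDown", DOWN: "Down", INIT: "Init", UP: "Up"}
DIAG_NONE, DIAG_DETECT_EXPIRED, DIAG_NEIGHBOR_DOWN = 0, 1, 3
BFD_VERSION = 1
# Control packet (RFC 5880 section 4.1): vers/diag, state/flags, detect mult,
# length, my disc, your disc, desired min tx, required min rx, required min echo rx
CTRL = struct.Struct("!BBBBIIIII")


def build_control(state, diag, mult, my_disc, your_disc, tx_us, rx_us):
    return CTRL.pack((BFD_VERSION << 5) | diag, state << 6, mult, CTRL.size,
                     my_disc, your_disc, tx_us, rx_us, 0)


def parse_control(data):
    """Decode a control packet and apply the receive checks of RFC 5880 6.8.6."""
    if len(data) < CTRL.size:
        raise ValueError("short packet")
    vd, sf, mult, length, my, your, tx, rx, _echo = CTRL.unpack(data[:CTRL.size])
    if vd >> 5 != BFD_VERSION:
        raise ValueError("unsupported version")
    if length != len(data) or mult == 0 or my == 0:
        raise ValueError("discard: bad length, zero multiplier or zero My Discriminator")
    return {"state": sf >> 6, "diag": vd & 0x1F, "mult": mult,
            "my_disc": my, "your_disc": your, "tx_us": tx, "rx_us": rx}


class Session:
    """One asynchronous-mode BFD session (the only mode the guide supports)."""

    def __init__(self, local_disc, tx_us, rx_us, mult):
        self.local_disc, self.tx_us, self.rx_us, self.mult = local_disc, tx_us, rx_us, mult
        self.state, self.diag = DOWN, DIAG_NONE
        self.remote_disc, self.remote_tx_us, self.remote_mult = 0, 0, 1

    def next_packet(self):
        return build_control(self.state, self.diag, self.mult, self.local_disc,
                             self.remote_disc, self.tx_us, self.rx_us)

    def receive(self, data):
        pkt = parse_control(data)
        # Your Discriminator must be 0 (peer has not learned ours yet) or ours;
        # anything else belongs to another session and is ignored.
        if pkt["your_disc"] not in (0, self.local_disc):
            return self.state
        self.remote_disc, self.remote_tx_us, self.remote_mult = pkt["my_disc"], pkt["tx_us"], pkt["mult"]
        rs = pkt["state"]
        if self.state == ADMIN_DOWN:
            return self.state
        if rs == ADMIN_DOWN:
            if self.state != DOWN:
                self.state, self.diag = DOWN, DIAG_NEIGHBOR_DOWN
        elif self.state == DOWN:
            if rs == DOWN:
                self.state = INIT
            elif rs == INIT:
                self.state = UP
        elif self.state == INIT:
            if rs in (INIT, UP):
                self.state = UP
        elif rs == DOWN:                    # local Up, remote reports Down
            self.state, self.diag = DOWN, DIAG_NEIGHBOR_DOWN
        return self.state

    def detection_time_us(self):
        """Asynchronous mode: remote multiplier x the slower of the two intervals."""
        return self.remote_mult * max(self.rx_us, self.remote_tx_us)

    def detection_timer_expired(self):
        self.state, self.diag = DOWN, DIAG_DETECT_EXPIRED
        return self.state


def three_way_handshake(a, b):
    """Drive the Down -> Init -> Up exchange; returns the states observed on b, a, b."""
    seq = [b.receive(a.next_packet())]       # a says Down, Your Disc 0: b goes Init
    seq.append(a.receive(b.next_packet()))   # b says Init with a's disc: a goes Up
    seq.append(b.receive(a.next_packet()))   # a says Up: b goes Up
    return seq
```

With the interval 100 min_rx 100 multiplier 4 values used later in this chapter the detection time is 400 ms; a peer that falls silent for that long is declared Down with diagnostic 1, and the routing protocol bound to the session reacts without waiting for its own hello timers.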
• Configure BFD for OSPF • Configure BFD for OSPFv3 • Configure BFD for IS-IS • Configure BFD for BGP • Configure BFD for VRRP • Configuring Protocol Liveness Configure BFD for Physical Ports Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol.
Example of Viewing Session Parameters

R1(conf-if-te-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive
R1(conf-if-te-4/24)#do show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.
Configuring BFD for static routes is a three-step process:
1 Enable BFD globally.
2 Configure static routes on both routers on the system (either local or remote).
3 Configure an IP route to connect BFD on the static routes using the ip route bfd command.

Related Configuration Tasks
• Changing Static Route Session Parameters
• Disabling BFD for Static Routes

Establishing Sessions for Static Routes

Sessions are established for all neighbors that are the next hop of a static route.

Figure 13.
Establishing Static Route Sessions on Specific Neighbors

You can selectively enable BFD sessions on specific neighbors based on a destination prefix-list. When you establish a BFD session using the ip route bfd command, all the next-hop neighbors in the static route become part of the BFD session. Starting with Dell Networking OS release 9.11.0.0, you can enable BFD sessions on specific next-hop neighbors. You can specify the next-hop neighbors to be part of a BFD session by including them in a prefix-list.
CONFIGURATION mode
ip route bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive]

To view session parameters, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information.

Disabling BFD for Static Routes

If you disable BFD, all static route BFD sessions are torn down. A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state.
parameter globally, the change affects all OSPF neighbor sessions. If you change a parameter at the interface level, the change affects all OSPF sessions on that interface. To change parameters for all OSPF sessions or for OSPF sessions on a single interface, use the following commands.
• Change parameters for all OSPF sessions.
  ROUTER-OSPF mode
  bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
• Change parameters for all OSPF sessions on an interface.
Establishing Sessions with OSPF Neighbors

BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.

Figure 14. Establishing Sessions with OSPF Neighbors

To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands.
• Establish sessions with all OSPF neighbors.
The bold line shows the OSPF BFD sessions.

R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
*     - Active session role
Ad Dn - Admin Down
C     - CLI
I     - ISIS
O     - OSPF
R     - Static Route (RTM)

  LocalAddr    RemoteAddr   Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2      2.2.2.1      Te 2/1     Up     200     200     3     O
* 2.2.3.1      2.2.3.2      Te 2/2     Up     200     200     3     O

Establishing Sessions with OSPF Neighbors for nondefault VRFs

To configure BFD in a nondefault VRF, follow this procedure:
• Enable BFD globally.
  LocalAddr    RemoteAddr   Interface  State  Rx-int  Tx-int  Mult  Clients
* 10.1.3.2     10.1.3.1     vlan 10    Up     300     250     3     C

show bfd vrf VRF_blue neighbors
*     - Active session role
Ad Dn - Admin Down
B     - BGP
C     - CLI
I     - ISIS
O     - OSPF
O3    - OSPFv3
R     - Static Route (RTM)
M     - MPLS
V     - VRRP
VT    - Vxlan Tunnel

  LocalAddr    RemoteAddr   Interface  State  Rx-int  Tx-int  Mult  VRF  Clients
* 5.1.1.1      5.1.1.2      Po 30      Up     200     200     3     255  O
* 6.1.1.1      6.1.1.
Uptime: 00:00:15
Statistics:
  Number of packets received from neighbor: 78
  Number of packets sent to neighbor: 78
  Number of state changes: 1
  Number of messages from IFA about port state change: 0
  Number of messages communicated b/w Manager and Agent: 4
Session Discriminator: 7
Neighbor Discriminator: 2
Local Addr: 6.1.1.1
Local MAC Addr: 00:a0:c9:00:00:02
Remote Addr: 6.1.1.
Related Configuration Tasks
• Changing OSPFv3 Session Parameters
• Disabling BFD for OSPFv3

Changing OSPFv3 Session Parameters

BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPFv3 sessions or for all OSPFv3 sessions on a particular interface. If you change a parameter globally, the change affects all OSPFv3 neighbor sessions.
The following example shows the configuration to establish sessions with all OSPFv3 neighbors in a specific VRF:

ipv6 router ospf 20 vrf vrf1
 bfd all-neighbors
!

The following example shows the configuration to establish sessions with all OSPFv3 neighbors on a single interface in a specific VRF:

interface vlan 102
 ip vrf forwarding vrf vrf1
 ipv6 ospf bfd all-neighbors

The following example shows the show bfd vrf neighbors command output for a nondefault VRF:

Dell#show bfd vrf vr
* Ad Dn B C I O O3 R M V VT -
• Disable BFD sessions with OSPFv3 neighbors on a single interface.
  INTERFACE mode
  ipv6 ospf bfd all-neighbors disable

Establishing Sessions with OSPFv3 Neighbors

You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPFv3 adjacency is in the Full state. To establish BFD with all OSPFv3 neighbors or with OSPFv3 neighbors on a single interface, use the following commands.
Establishing Sessions with IS-IS Neighbors

BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface.

Figure 15. Establishing Sessions with IS-IS Neighbors

To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.
• Establish sessions with all IS-IS neighbors.
  ROUTER-ISIS mode
  bfd all-neighbors
• Establish sessions with IS-IS neighbors on a single interface.
Ad Dn - Admin Down
C     - CLI
I     - ISIS
O     - OSPF
R     - Static Route (RTM)

  LocalAddr    RemoteAddr   Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2      2.2.2.1      Te 2/1     Up     200     200     3     I

Changing IS-IS Session Parameters

BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface.
Configure BFD for BGP

In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces. BFD for BGP does not support IPv6 and the BGP multihop feature.
• By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command).
• By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command).

BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
Disabling BFD for BGP

You can disable BFD for BGP. To disable a BFD for BGP session with a specified neighbor, use the first command. To remove the disabled state of a BFD for BGP session with a specified neighbor, use the second command. The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.
• Disable a BFD for BGP session with a specified neighbor.
• show bfd neighbors [interface] [detail]
Check to see if BFD is enabled for BGP connections.
EXEC Privilege mode
• show ip bgp summary
Displays routing information exchanged with BGP neighbors, including BFD for BGP sessions.
EXEC Privilege mode
• show ip bgp neighbors [ip-address]

Examples of the BFD show Commands

The following example shows verifying a BGP configuration.

R2# show running-config bgp
!
router bgp 2
 neighbor 1.1.1.2 remote-as 1
 neighbor 1.1.1.2 no shutdown
 neighbor 2.2.2.
Client Registered: BGP
Uptime: 00:07:55
Statistics:
  Number of packets received from neighbor: 4762
  Number of packets sent to neighbor: 4490
  Number of state changes: 2
  Number of messages from IFA about port state change: 0
  Number of messages communicated b/w Manager and Agent: 5
Session Discriminator: 10
Neighbor Discriminator: 11
Local Addr: 2.2.2.3
Local MAC Addr: 00:01:e8:66:da:34
Remote Addr: 2.2.2.
  Down        : 0
  Admin Down  : 2

The following example shows viewing BFD summary information. The bold line shows the message displayed when you enable BFD for BGP connections.

R2# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 2
BGP table version is 0, main routing table version 0
BFD is enabled, Interval 200 Min_rx 200 Multiplier 3 Role Active
3 neighbor(s) using 24168 bytes of memory

Neighbor  AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State/Pfx
1.1.1.2
2.2.2.2
3.3.3.
R2# show ip bgp neighbors 2.2.2.3
BGP neighbor is 2.2.2.3, remote AS 1, external link
  Member of peer-group pg1 for session parameters
  BGP version 4, remote router ID 12.0.0.4
  BGP state ESTABLISHED, in this state for 00:05:33
...
  Neighbor is using BGP neighbor mode BFD configuration
  Peer active in peer-group outbound optimization
...
R2# show ip bgp neighbors 2.2.2.4
BGP neighbor is 2.2.2.4, remote AS 1, external link
  Member of peer-group pg1 for session parameters
  BGP version 4, remote router ID 12.0.0.
Establishing Sessions with All VRRP Neighbors

BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor.

Figure 17. Establishing Sessions with All VRRP Neighbors

To establish sessions with all VRRP neighbors, use the following command.
• Establish sessions with all VRRP neighbors.
*     - Active session role
Ad Dn - Admin Down
C     - CLI
I     - ISIS
O     - OSPF
R     - Static Route (RTM)
V     - VRRP

  LocalAddr    RemoteAddr   Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.5.1      2.2.5.2      Te 4/25    Down   1000    1000    3     V

To view session state information, use the show vrrp command. The following example shows viewing VRRP session state information. The bold line shows the VRRP BFD session.

R1(conf-if-te-4/25)#do show vrrp
-----------------
TenGigabitEthernet 4/1, VRID: 1, Net: 2.2.5.
• Disable all VRRP sessions on an interface.
  INTERFACE mode
  no vrrp bfd all-neighbors
• Disable all VRRP sessions in a VRRP group.
  VRRP mode
  bfd disable
• Disable a particular VRRP session on an interface.
  INTERFACE mode
  no vrrp bfd neighbor ip-address

Configuring Protocol Liveness

Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled. When you disable a client, all BFD sessions for that protocol are torn down.
8 Border Gateway Protocol IPv4 (BGPv4)

This chapter provides a general description of BGPv4 as it is supported in the Dell Networking OS. BGP protocol standards are listed in the Standards Compliance chapter.

BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of BGP is to exchange network reachability information with other BGP systems.
IBGP provides routers inside the AS with the knowledge to reach routers external to the AS. EBGP routers exchange information with other EBGP routers as well as IBGP routers to maintain connectivity and accessibility.

Figure 18. Interior BGP

BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol — a computer network in which BGP maintains the path that updated information takes as it diffuses through the network.
Figure 19. BGP Routers in Full Mesh

The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible.

Sessions and Peers

When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.

Establish a Session

Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies.
State    Description
Idle     BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer.
Connect  In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active   The router resets the ConnectRetry timer to zero and returns to the Connect state.
Figure 20. BGP Router Rules

1 Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D.
2 Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
preferences. BGP sees that the Weight criteria results in two potential “best paths” and moves to local preference to reduce the options. If more than one best path is determined, these selection criteria are applied to each group's best path to determine the ultimate best path. In non-deterministic mode (the bgp non-deterministic-med command is applied), paths are compared in the order in which they arrive.
6 Prefer the path with the lowest multi-exit discriminator (MED) attribute. The following criteria apply:
  a This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs are compared only if the first AS in the AS_SEQUENCE is the same for both paths.
  b If you entered the bgp always-compare-med command, MEDs are compared for all paths.
  c Paths with no MED are treated as “worst” and assigned a MED of 4294967295.
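The MED step written out as a small selection routine, added here as an example; it is not code from the guide or the Dell Networking OS. It applies items a, b and c above: paths are grouped by the first AS in the AS_SEQUENCE (the per-group comparison that the deterministic mode described just before this list implies), a missing MED counts as 4294967295, and bgp always-compare-med makes every path compete. The path objects are constructed; their AS paths are borrowed from the show ip bgp paths output later in this chapter.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MED_MISSING = 4294967295  # a path that carries no MED is treated as "worst"


@dataclass
class BgpPath:
    name: str
    as_path: List[int]          # AS_SEQUENCE; element 0 is the neighboring AS
    med: Optional[int] = None   # None when the UPDATE carried no MED attribute

    @property
    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None

    @property
    def effective_med(self) -> int:
        return MED_MISSING if self.med is None else self.med


def _lowest_med(paths: List[BgpPath]) -> List[BgpPath]:
    """Keep every path tied at the lowest MED; ties go on to the next step."""
    best = min(p.effective_med for p in paths)
    return [p for p in paths if p.effective_med == best]


def med_step(paths: List[BgpPath], always_compare_med: bool = False) -> List[BgpPath]:
    """Apply the MED comparison to the paths still in contention and return
    the survivors in their original (arrival) order.

    Default: MEDs are only comparable between paths that enter through the same
    neighboring AS, so each neighboring-AS group keeps its lowest-MED path(s)
    and the groups themselves are not ranked here.
    With 'bgp always-compare-med': one comparison across all paths.
    """
    if not paths:
        return []
    if always_compare_med:
        return _lowest_med(paths)
    groups: Dict[Optional[int], List[BgpPath]] = {}
    for p in paths:
        groups.setdefault(p.neighbor_as, []).append(p)
    survivors: List[BgpPath] = []
    for group in groups.values():
        survivors.extend(_lowest_med(group))
    return [p for p in paths if p in survivors]


# Constructed candidates (AS paths taken from the guide's show ip bgp paths example).
SAMPLE_PATHS = [
    BgpPath("via-701-a", [701, 3549, 19421], med=50),
    BgpPath("via-701-b", [701, 7018, 14990]),            # no MED -> 4294967295
    BgpPath("via-209-a", [209, 4637, 1221, 9249, 9249], med=10),
    BgpPath("via-209-b", [209, 22291], med=10),          # ties with via-209-a
]

if __name__ == "__main__":
    print([p.name for p in med_step(SAMPLE_PATHS)])
    print([p.name for p in med_step(SAMPLE_PATHS, always_compare_med=True)])
```

In the default mode the AS 701 group drops the MED-less path but the AS 209 tie survives intact, so three candidates reach the next selection step; with always-compare-med only the two MED 10 paths remain. Reviewing which mode a router runs in matters when auditing why a particular exit was chosen.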
Figure 22. BGP Local Preference

Multi-Exit Discriminators (MEDs)

If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 23. Multi-Exit Discriminators

Origin

The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.

Origin Type  Description
IGP          Indicates the prefix originated from information learned through an interior gateway protocol.
EGP          Indicates the prefix originated from information learned from an EGP protocol, which BGP replaced.
INCOMPLETE   Indicates that the prefix originated from an unknown source.
Example of Viewing AS Paths

Dell#show ip bgp paths
Total 30655 Paths
Address    Hash  Refcount  Metric  Path
0x4014154  0     3         18508   701 3549 19421 i
0x4013914  0     3         18508   701 7018 14990 i
0x5166d6c  0     3         18508   209 4637 1221 9249 9249 i
0x5e62df4  0     2         18508   701 17302 i
0x3a1814c  0     26        18508   209 22291 i
0x567ea9c  0     75        18508   209 3356 2529 i
0x6cc1294  0     2         18508   20
0x6cc18d4  0     1         18508
0x5982e44  0     162       18508
0x67d4a14  0     2         18508
0x559972c  0     31        18508
0x59cd3b4  0     2         18508
0x7128114  0     10        18508
0x536a914  0     3         18508
0x2ffe884  0     1         18508
Advertise IGP Cost as MED for Redistributed Routes

When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as the MED value. Use the set metric-type internal command in a route-map to advertise the IGP cost as the MED to outbound EBGP peers when redistributing routes.
Traditional Format  DOT Format
65001               0.65501
65536               1.0
100000              1.34464
4294967295          65535.65535

When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte identified routers. You cannot mix them. Configure 4-byte AS numbers with the four-octet-support command.

AS4 Number Representation

Multiple representations of 4-byte AS numbers (asplain, asdot+, and asdot) are supported.
ASDOT+

Dell(conf-router_bgp)#bgp asnotation asdot+
Dell(conf-router_bgp)#show conf
!
router bgp 100
 bgp asnotation asdot+
 bgp four-octet-as-support
 neighbor 172.30.1.250 local-as 65057
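Conversion between the three notations, added here as an example rather than anything taken from the Dell Networking OS. The function names are hypothetical; the arithmetic follows the dot-format table above (high 16 bits, a dot, low 16 bits), asdot keeps the plain decimal form for values that fit in two bytes, and the parser accepts any of the three forms so that a configuration audit can compare AS numbers regardless of which bgp asnotation a router was set to.

```python
import re

AS_MAX = 4294967295  # largest 4-byte AS number


def _check(asn: int) -> int:
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"AS number out of range: {asn}")
    return asn


def to_asplain(asn: int) -> str:
    """asplain: the full decimal value, e.g. 100000."""
    return str(_check(asn))


def to_asdot_plus(asn: int) -> str:
    """asdot+: always <high 16 bits>.<low 16 bits>, e.g. 65536 -> 1.0, 18508 -> 0.18508."""
    high, low = divmod(_check(asn), 65536)
    return f"{high}.{low}"


def to_asdot(asn: int) -> str:
    """asdot: plain decimal while the value fits in 2 bytes, dotted above that."""
    return str(asn) if _check(asn) < 65536 else to_asdot_plus(asn)


def render(asn: int, notation: str) -> str:
    """Render an AS number the way 'bgp asnotation <notation>' would display it."""
    renderers = {"asplain": to_asplain, "asdot": to_asdot, "asdot+": to_asdot_plus}
    if notation not in renderers:
        raise ValueError(f"unknown asnotation: {notation}")
    return renderers[notation](asn)


def parse_asn(text: str) -> int:
    """Accept asplain, asdot or asdot+ text and return the integer AS number."""
    text = text.strip()
    m = re.fullmatch(r"(\d+)\.(\d+)", text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > 65535 or low > 65535:
            raise ValueError(f"dotted AS component out of range: {text}")
        return _check(high * 65536 + low)
    if re.fullmatch(r"\d+", text):
        return _check(int(text))
    raise ValueError(f"not an AS number: {text!r}")


def is_four_byte(asn: int) -> bool:
    """True when the value cannot be carried without 4-byte ASN support
    (the four-octet-support / four-octet-as-support capability)."""
    return _check(asn) > 65535


if __name__ == "__main__":
    for value in (65536, 100000, AS_MAX, 18508):
        print(value, to_asdot(value), to_asdot_plus(value), is_four_byte(value))
```

Because asdot and asplain render 2-byte values identically, only the asdot+ form is unambiguous at a glance; normalizing everything through parse_asn before comparing configurations avoids false mismatches between routers set to different notations.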
Figure 24. Before and After AS Number Migration with Local-AS Enabled

When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
BGP4 Management Information Base (MIB)

The FORCE10-BGP4-V2-MIB enhances support for the BGP management information base (MIB) with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website.

NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
• Carrying MPLS labels in BGP is not supported. The f10BgpM2NlriOpaqueType and f10BgpM2NlriOpaquePointer fields are set to zero.
• 4-byte ASN is supported. The f10BgpM2AsPath4byteEntry table contains 4-byte ASN-related parameters based on the configuration.

Traps (notifications) specified in the BGP4 MIB draft are not supported. Such traps (bgpM2Established and bgpM2BackwardTransition) are supported as part of RFC 1657.
Item      Default
          internal distance = 200
          local distance = 200
Timers    keepalive = 60 seconds
          holdtime = 180 seconds
Add-path  Disabled

Enabling BGP

By default, BGP is not enabled on the system. The Dell Networking OS supports one autonomous system (AS) and assigns the AS number (ASN). To establish BGP sessions and route traffic, configure at least one BGP neighbor or peer. In BGP, routers with an established TCP connection are called neighbors or peers.
  b Enable IPv4 multicast or IPv6 mode.
    CONFIG-ROUTER-BGP mode
    address-family {ipv4 | ipv6}
    Use this command to enter BGP for IPv6 mode (CONF-ROUTER_BGPv6_AF).
2 Add a neighbor as a remote AS.
  CONFIG-ROUTER-BGP mode
  neighbor {ip-address | peer-group name} remote-as as-number
  • peer-group name: 16 characters
  • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format)
  Formats:
  IP Address A.B.C.
Neighbor       AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State/Pfx
10.10.21.1     65123  0        0        0       0    0     never    Active
10.10.32.3     65123  0        0        0       0    0     never    Active
100.10.92.9    65192  0        0        0       0    0     never    Active
192.168.10.1   65123  0        0        0       0    0     never    Active
192.168.12.2   65123  0        0        0       0    0     never    Active
R2#

For the router’s identifier, the system uses the highest IP address of the Loopback interfaces configured. Because Loopback interfaces are virtual, they cannot go down, thus preventing changes in the router ID.
The following example shows verifying the BGP configuration.

R2#show running-config bgp
!
router bgp 65123
 bgp router-id 192.168.10.2
 network 10.10.21.0/24
 network 10.10.32.0/24
 network 100.10.92.0/24
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.1 remote-as 65123
 neighbor 10.10.21.1 filter-list ISP1 in
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.9 remote-as 65192
 neighbor 100.10.92.9 no shutdown
 neighbor 192.
bgp asnotation asdot+

Examples of the bgp asnotation Commands

The following example shows the bgp asnotation asplain command.

Dell(conf-router_bgp)#bgp asnotation asplain
Dell(conf-router_bgp)#sho conf
!
router bgp 100
 bgp four-octet-as-support
 neighbor 172.30.1.250 remote-as 18508
 neighbor 172.30.1.250 local-as 65057
 neighbor 172.30.1.250 route-map rmap1 in
 neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
 neighbor 172.30.1.
  neighbor peer-group-name peer-group
2 Enable the peer group.
  CONFIG-ROUTER-BGP mode
  neighbor peer-group-name no shutdown
  By default, all peer groups are disabled.
3 Create a BGP neighbor.
  CONFIG-ROUTER-BGP mode
  neighbor ip-address remote-as as-number
4 Enable the neighbor.
  CONFIG-ROUTER-BGP mode
  neighbor ip-address no shutdown
5 Add an enabled neighbor to the peer group.
  CONFIG-ROUTER-BGP mode
  neighbor ip-address peer-group peer-group-name
6 Add a neighbor as a remote AS.
NOTE: When you configure a new set of BGP policies for a peer group, always reset the peer group by entering the clear ip bgp peer-group peer-group-name command in EXEC Privilege mode. To view the configuration, use the show config command in CONFIGURATION ROUTER BGP mode. When you create a peer group, it is disabled (shutdown). The following example shows the creation of a peer group (zanzibar) (in bold).
10.68.173.1
10.68.174.1
10.68.175.1
10.68.176.1
10.68.177.1
10.68.178.1
10.68.179.1
10.68.180.1
10.68.181.1
10.68.182.1
10.68.183.1
10.68.184.1
10.68.185.1
Dell>

Configuring BGP Fast Fail-Over

By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fail-over feature reduces the convergence time while maintaining stability.
    MULTIPROTO_EXT(1)
    ROUTE_REFRESH(2)
    CISCO_ROUTE_REFRESH(128)
  fail-over enabled
  Update source set to Loopback 0
  Peer active in peer-group outbound optimization

For address family: IPv4 Unicast
BGP table version 52, neighbor version 52
4 accepted prefixes consume 16 bytes
Prefix advertised 0, denied 0, withdrawn 0
Connections established 6; dropped 5
Last reset 00:19:37, due to Reset by peer
Notification History
  'Connection Reset' Sent : 5 Recv: 0
Local host: 200.200.200.
You can constrain the number of passive sessions accepted by the neighbor. The limit keyword allows you to set the total number of sessions the neighbor will accept, between 2 and 265. The default is 256 sessions.
1 Configure a peer group that does not initiate TCP connections with other peers.
  CONFIG-ROUTER-BGP mode
  neighbor peer-group-name peer-group passive limit
  Enter the limit keyword to restrict the number of sessions accepted.
2 Assign a subnet to the peer group.
 bgp router-id 192.168.10.2
 network 10.10.21.0/24
 network 10.10.32.0/24
 network 100.10.92.0/24
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.1 remote-as 65123
 neighbor 10.10.21.1 filter-list Laura in
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.9 remote-as 65192
 neighbor 100.10.92.9 local-as 6500
 neighbor 100.10.92.9 no shutdown
 neighbor 192.168.10.1 remote-as 65123
 neighbor 192.168.10.
 neighbor 192.168.10.1 update-source Loopback 0
 neighbor 192.168.10.1 no shutdown
 neighbor 192.168.12.2 remote-as 65123
 neighbor 192.168.12.2 allowas-in 9
 neighbor 192.168.12.2 update-source Loopback 0
 neighbor 192.168.12.2 no shutdown
R2(conf-router_bgp)#

Enabling Neighbor Graceful Restart

BGP graceful restart is active only when the neighbor becomes established. Otherwise, it is disabled. Graceful-restart applies to all neighbors with established adjacency.
  ip as-path access-list as-path-name
2 Enter the parameter to match BGP AS-PATH for filtering.
  CONFIG-AS-PATH mode
  {deny | permit} filter parameter
  This is the filter that is used to match the AS-path. The entries can be any format: letters, numbers, or regular expressions. You can enter this command multiple times if multiple filters are desired. For accepted expressions, refer to Regular Expressions as Filters.
3 Return to CONFIGURATION mode.
  AS-PATH ACL mode
  exit
4 Enter ROUTER BGP mode.
Regular Expressions as Filters Regular expressions are used to filter AS paths or community lists. A regular expression is a special character used to define a pattern that is then compared with an input string. For an AS-path access list, as shown in the previous commands, if the AS path matches the regular expression in the access list, the route matches the access list. The following lists the regular expressions accepted in the Dell Networking OS.
Dell(config-as-path)#ex
Dell(conf)#router bgp 99
Dell(conf-router_bgp)#neighbor AAA filter-list Eagle in
Dell(conf-router_bgp)#show conf
!
router bgp 99
 neighbor AAA peer-group
 neighbor AAA filter-list Eagle in
 neighbor AAA no shutdown
 neighbor 10.155.15.2 remote-as 32
 neighbor 10.155.15.2 filter-list 1 in
 neighbor 10.155.15.
Enabling Additional Paths

The add-path feature is disabled by default.

NOTE: Dell Networking recommends not using multipath and add-path simultaneously in a route reflector.

To allow multiple paths to be sent to peers, use the following commands.
1 Allow the advertisement of multiple paths for the same address prefix without the new paths replacing any previous ones.
  CONFIG-ROUTER-BGP mode
  bgp add-path {send | both} path-count count
  bgp add-path receive
  The range is from 2 to 64.
• local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED.
• no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE.
• no-export: routes with the COMMUNITY attribute of NO_EXPORT.
• quote-regexp: then any number of regular expressions. The software applies all regular expressions in the list.
• regexp: then a regular expression.
  deny  701:20
  deny  702:20
  deny  703:20
  deny  704:20
  deny  705:20
  deny  14551:20
  deny  701:112
  deny  702:112
  deny  703:112
  deny  704:112
  deny  705:112
  deny  14551:112
  deny  701:667
  deny  702:667
  deny  703:667
  deny  704:666
  deny  705:666
  deny  14551:666
Dell#

Filtering Routes with Community Lists

To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group.
Manipulating the COMMUNITY Attribute

In addition to permitting or denying routes based on the values of the COMMUNITY attributes, you can manipulate the COMMUNITY attribute value and send the COMMUNITY attribute with the route information. By default, the system does not send the COMMUNITY attribute. To send the COMMUNITY attribute to BGP neighbors, use the following command.
• Enable the software to send the router’s COMMUNITY attribute to the BGP neighbor or peer group specified.
Example of the show ip bgp community Command

To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode. To view BGP routes matching a certain community number or a pre-defined BGP community, use the show ip bgp community command in EXEC Privilege mode.

Dell>show ip bgp community
BGP table version is 3762622, local router ID is 10.114.8.
• Change the LOCAL_PREF value.
  CONFIG-ROUTER-BGP mode
  bgp default local-preference value
  • value: the range is from 0 to 4294967295. The default is 100.

To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.

A more flexible method for manipulating the LOCAL_PREF attribute value is to use a route map.
1 Enter the ROUTE-MAP mode and assign a name to a route map.
• If you do not use the all keyword, the next hop of only eBGP-learned routes is updated by the route reflector. If you use the all keyword, the next hop of both eBGP- and iBGP-learned routes is updated by the route reflector.
• Set the next hop address.
  CONFIG-ROUTE-MAP mode
  set next-hop ip-address
  If the set next-hop command is applied on the out-bound interface using a route map, it takes precedence over the neighbor next-hop-self command.
NOTE: The system supports up to 255 characters in a set community statement inside a route map. NOTE: You can create inbound and outbound policies. Each of the commands used for filtering has in and out parameters that you must apply. The order of preference varies depending on whether the attributes are applied for inbound updates or outbound updates.
• If none of the routes match any of the filters in the prefix list, the route is denied. This action is called an implicit deny. (If you want to forward all routes that do not match the prefix list criteria, you must configure a prefix list filter to permit all routes. For example, you could have the following filter as the last filter in your prefix list: permit 0.0.0.0/0 le 32.)
• After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route.
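Prefix-list evaluation as described above, added here as an example (this is not code from the Dell Networking OS): entries are tried in order, the first match decides, anything unmatched hits the implicit deny, and the ge/le keywords widen the prefix-length window that an entry accepts (with neither keyword only an exact-length match counts). The entry list and the routes are constructed; the catch-all permit 0.0.0.0/0 le 32 is the one the text suggests for forwarding everything else.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixListEntry:
    action: str               # "permit" or "deny"
    prefix: str               # e.g. "10.10.0.0/16"
    ge: Optional[int] = None  # minimum prefix length that matches
    le: Optional[int] = None  # maximum prefix length that matches

    def matches(self, route: str) -> bool:
        net = ipaddress.ip_network(self.prefix, strict=False)
        r = ipaddress.ip_network(route, strict=False)
        if r.version != net.version:
            return False
        # The route must lie inside the listed prefix...
        if r.prefixlen < net.prefixlen or r.network_address not in net:
            return False
        # ...and its length must fall inside the ge/le window. With neither
        # keyword only an exact-length match counts; ge alone runs up to /32.
        low = self.ge if self.ge is not None else net.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = r.max_prefixlen
        else:
            high = net.prefixlen
        return low <= r.prefixlen <= high


def evaluate_prefix_list(entries: List[PrefixListEntry], route: str) -> str:
    """Return the action of the first matching entry; no match is an implicit deny."""
    for entry in entries:
        if entry.matches(route):
            return entry.action
    return "deny"


# Constructed sample list: refuse anything inside 192.168/16, accept only /24s
# carved from 10.10/16, and end with the catch-all the guide describes so that
# every other route is forwarded instead of falling into the implicit deny.
SAMPLE_LIST = [
    PrefixListEntry("deny", "192.168.0.0/16", le=32),
    PrefixListEntry("permit", "10.10.0.0/16", ge=24, le=24),
    PrefixListEntry("permit", "0.0.0.0/0", le=32),
]

if __name__ == "__main__":
    for route in ("192.168.5.0/24", "10.10.21.0/24", "10.10.0.0/16", "172.16.0.0/12"):
        print(route, evaluate_prefix_list(SAMPLE_LIST, route),
              evaluate_prefix_list(SAMPLE_LIST[:2], route))
```

The same routes evaluated against the list without its catch-all show why the implicit deny bites: 10.10.0.0/16 and 172.16.0.0/12 are dropped, which is the usual cause of a "missing" prefix after a filter change.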
  ip as-path access-list as-path-name
2 Create an AS-PATH ACL filter with a deny or permit action.
  AS-PATH ACL mode
  {deny | permit} as-regular-expression
3 Return to CONFIGURATION mode.
  AS-PATH ACL mode
  exit
4 Enter ROUTER BGP mode.
  CONFIGURATION mode
  router bgp as-number
5 Filter routes based on the criteria in the configured route map.
To view a route reflector configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp in EXEC Privilege mode. Aggregating Routes The system provides multiple ways to aggregate routes in the BGP routing table. At least one specific route of the aggregate must be in the routing table for the configured aggregate to become active. To aggregate routes, use the following command.
To view the configuration, use the show config command in CONFIGURATION ROUTER BGP mode.

Enabling Route Flap Dampening

When EBGP routes become unavailable, they “flap” and the router issues both WITHDRAWN and UPDATE notices. A flap is when a route:
• is withdrawn
• is readvertised after being withdrawn
• has an attribute change
The constant router reaction to the WITHDRAWN and UPDATE notices causes instability in the BGP process.
• reuse: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is less than the reuse value, the flapping route is once again advertised (or no longer suppressed). The default is 750.
• suppress: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is greater than the suppress value, the flapping route is no longer advertised (that is, it is suppressed). The default is 2000.
BGP table version is 855562, main routing table version 780266
122836 network entrie(s) and 221664 paths using 29697640 bytes of memory
34298 BGP path attribute entrie(s) using 1920688 bytes of memory
29577 BGP AS-PATH entrie(s) using 1384403 bytes of memory
184 BGP community entrie(s) using 7616 bytes of memory
Dampening enabled. 0 history paths, 0 dampened paths, 0 penalized paths

Neighbor     AS     MsgRcvd  MsgSent  TblVer
10.114.8.34  18508  82883    79977    780266
10.114.8.
To reset a BGP connection using BGP soft reconfiguration, use the clear ip bgp command in EXEC Privilege mode at the system prompt. When you enable soft-reconfiguration for a neighbor and you execute the clear ip bgp soft in command, the update database stored in the router is replayed and updates are reevaluated. With this command, the replay and update process is triggered only if a route-refresh request is not negotiated with the peer.
2 In ROUTER BGP mode, enter the following command:
  ROUTER BGP mode
  shutdown all
You can use the no shutdown all command in ROUTER BGP mode to re-enable all the BGP interfaces. You can also enable or disable BGP neighbors corresponding to the IPv4 unicast or multicast groups and the IPv6 unicast groups.
NOTE: This behavior applies to all BGP neighbors. That is, BGP neighbors that were explicitly disabled before the global shutdown also remain in the disabled state. Enable these neighbors individually using the no shutdown command.

Route Map Continue

The BGP route map continue feature, continue [sequence-number], (in ROUTE-MAP mode) allows movement from one route-map entry to a specific route-map entry (the sequence number).
• Exchange of IPv4 multicast route information occurs through the use of two new attributes called MP_REACH_NLRI and MP_UNREACH_NLRI, for feasible and withdrawn routes, respectively.
• If the peer has not been activated in any AFI/SAFI, the peer remains in Idle state.

Most BGP IPv4 unicast commands are extended to support the IPv4 multicast RIB using extra options to the command. For a detailed description of the MBGP commands, refer to the Dell Networking OS Command Line Interface Reference Guide.
• debug ip bgp dampening [in | out]
View information about local BGP state changes and other BGP events.
EXEC Privilege mode
• debug ip bgp [ip-address | peer-group peer-group-name] events [in | out]
View information about BGP KEEPALIVE messages.
EXEC Privilege mode
• debug ip bgp [ip-address | peer-group peer-group-name] keepalive [in | out]
View information about BGP notifications received from or sent to neighbors.
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128)
For address family: IPv4 Unicast
BGP table version 1395, neighbor version 1394
Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by peer
Prefixes advertised 0, rejected 0, 0 withdrawn from peer
Connections established 3; droppe
PDU[2] : len 19, captured 00:34:51 ago
  ffffffff ffffffff ffffffff ffffffff 00130400
PDU[3] : len 19, captured 00:34:51 ago
  ffffffff ffffffff ffffffff ffffffff 00130400
PDU[4] : len 19, captured 00:34:22 ago
  ffffffff ffffffff ffffffff ffffffff 00130400
[. . .]
Outgoing packet capture enabled for BGP neighbor 20.20.20.
Figure 25. Sample Configurations

Example of Enabling BGP (Router 1)
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.1/24
 no shutdown
R1(conf-if-lo-0)#int tengig 1/21
R1(conf-if-te-1/21)#ip address 10.0.1.21/24
R1(conf-if-te-1/21)#no shutdown
R1(conf-if-te-1/21)#show config
!
interface TenGigabitEthernet 1/21
 ip address 10.0.1.
R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0
R1(conf-router_bgp)#neighbor 192.168.128.3 remote 100
R1(conf-router_bgp)#neighbor 192.168.128.3 no shut
R1(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0
R1(conf-router_bgp)#show config
!
router bgp 99
 network 192.168.128.0/24
 neighbor 192.168.128.2 remote-as 99
 neighbor 192.168.128.2 update-source Loopback 0
 neighbor 192.168.128.2 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.
router bgp 99
 bgp router-id 192.168.128.2
 network 192.168.128.0/24
 bgp graceful-restart
 neighbor 192.168.128.1 remote-as 99
 neighbor 192.168.128.1 update-source Loopback 0
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.3 update-source Loopback 0
 neighbor 192.168.128.3 no shutdown
R2(conf-router_bgp)#end
R2#show ip bgp summary
BGP router identifier 192.168.128.
!
router bgp 100
 network 192.168.128.0/24
 neighbor 192.168.128.1 remote-as 99
 neighbor 192.168.128.1 update-source Loopback 0
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.2 remote-as 99
 neighbor 192.168.128.2 update-source Loopback 0
 neighbor 192.168.128.2 no shutdown
R3(conf)#end
R3#show ip bgp summary
BGP router identifier 192.168.128.
Member of peer-group AAA for session parameters
BGP version 4, remote router ID 192.168.128.
Example of Enabling Peer Groups (Router 2)
R2#conf
R2(conf)#router bgp 99
R2(conf-router_bgp)# neighbor CCC peer-group
R2(conf-router_bgp)# neighbor CC no shutdown
R2(conf-router_bgp)# neighbor BBB peer-group
R2(conf-router_bgp)# neighbor BBB no shutdown
R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
R2(conf-router_bgp)# neighbor 192.168.128.
R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.1 no shutdown
R3(conf-router_bgp)#
R3(conf-router_bgp)#end
R3#show ip bgp summary
BGP router identifier 192.168.128.
BGP table version 2, neighbor version 2
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer
Connections established 6; dropped 5
Last reset 00:12:01, due to Closed by neighbor
Notification History
  'HOLD error/Timer expired' Sent : 1 Recv: 0
  'Connection Reset' Sent : 2 Recv: 2
Last notification (len 21) received 00:12:01 ago
  ffffffff ffffffff ffffffff ffffffff 00150306 00000000
Local host: 192.168.128.2, Local port: 65464
Foreign host: 192.168.
9 Content Addressable Memory (CAM)

CAM is a type of memory that stores information in the form of a lookup table. On the switch, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies. On a line card, there are one or two CAM (Dual-CAM) modules per port-pipe.
IpMacAcl : 0
VmanQos  : 0
EcfmAcl  : 0
Openflow : 0
-- linecard 1 --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl    : 5
Ipv4Acl  : 4
Ipv6Acl  : 0
Ipv4Qos  : 2
L2Qos    : 1
L2PT     : 0
IpMacAcl : 0
VmanQos  : 0
EcfmAcl  : 0
Openflow : 0
-- linecard 2 --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl    : 5
Ipv4Acl  : 4
Ipv6Acl  : 0
Ipv4Qos  : 2
L2Qos    : 1
L2PT     : 0
IpMacAcl : 0
VmanQos  : 0
EcfmAcl  : 0
Openflow : 0
The ipv6acl and vman-dual-qos allocations must be entered as a factor of 2 (2, 4, 6, 8, 1
Test CAM Usage The test cam-usage command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs. Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy. Create a Class Map with all required ACL rules, then execute the test cam-usage command in Privilege mode to verify the actual CAM space required. The Status column in the command output indicates whether or not the policy can be enabled.
Ipv4Acl  : 4
Ipv6Acl  : 0
Ipv4Qos  : 2
L2Qos    : 1
L2PT     : 0
IpMacAcl : 0
VmanQos  : 0
EcfmAcl  : 0
Openflow : 0
-- linecard 2 --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl    : 6
Ipv4Acl  : 4
Ipv6Acl  : 0
Ipv4Qos  : 2
L2Qos    : 1
L2PT     : 0
IpMacAcl : 0
VmanQos  : 0
EcfmAcl  : 0
Openflow : 0

View CAM Usage
View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions) using the show cam-usage command from EXEC Privilege mode.
ipv4-320k        Enable 320K CAM profile
ipv4-egacl-16k   Enable CAM profile with 16K IPv4 egress ACL
ipv6-extacl      Enable CAM profile with extended ACL
l2-ipv4-inacl    Enable CAM profile with 32K L2 and 28K IPv4 ingress ACL
unified-default  Enable default unified CAM profile
Dell(conf)#cam-profile default microcode ?
default          Enable default microcode
lag-hash-align   Enable microcode with LAG hash align
lag-hash-mpls    Enable microcode with LAG hash MPLS
Dell(conf)#cam-profile default microcode default
Dell(conf)#cam-ipv4flo
Table 10.
10 Control Plane Policing (CoPP)

Control plane policing (CoPP) protects the switch's routing, control, and line-card processors from undesired or malicious traffic and Denial of Service (DoS) attacks by filtering control-plane flows. CoPP uses a dedicated control-plane service policy that consists of ACLs and QoS policies, which provide filtering and rate-limiting capabilities for control-plane packets.
• Queues 14 to 20 process packets destined to the line-card CPU.
15  LP/LM  —                                      1     100
16  LP/LM  Trace Flow, Station Move, Source Miss  1200  100
17  LP/LM  BFD, ACL LOGGING                       1200  1000
18  LP/LM  —                                      7000  1000
19  LP/LM  FRRP, Hyperpull                        800   7000
20  LP/LM  SFLOW                                  5000  1000
NOTE: In the line-card CPU, some queues have no protocol traffic mapped to them. These rows appear blank in the preceding table.

CoPP Example
The illustrations in this section show the benefit of using CoPP compared to not using CoPP on a switch.
Figure 27. CoPP Versus Non-CoPP Operation

Configure Control Plane Policing
You can create a CoPP service policy on a per-protocol and/or a per-queue basis that serves as the system-wide configuration for filtering and rate limiting control-plane traffic.

Configuring CoPP for Protocols
This section describes how to create a protocol-based CoPP service policy and apply it to control plane traffic.
  mac access-list extended name cpu-qos
  permit {arp | frrp | gvrp | isis | lacp | lldp | stp}
2 Create a Layer 3 extended ACL for specified protocol traffic.
  CONFIGURATION mode
  ip access-list extended name cpu-qos
  permit {bgp | dhcp | dhcp-relay | ftp | icmp | igmp | msdp | ntp | ospf | pim | rip | ssh | telnet | vrrp}
3 Create an IPv6 ACL for specified protocol traffic.
Dell(conf-ipv6-acl-cpuqos)#exit
Dell(conf)#ipv6 access-list ipv6-vrrp cpu-qos
Dell(conf-ipv6-acl-cpuqos)#permit vrrp
Dell(conf-ipv6-acl-cpuqos)#exit

Example of Creating a QoS Rate-Limiting Input Policy
Dell(conf)#qos-policy-in rate_limit_200k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 200 40 peak 500 40
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_400k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 400 50 peak 600 50
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#q
  rate-police [rate-kbps] [burst-kbytes] peak [rate-kbps] [burst-kbytes]
2 Create an input policy-map to assign the QoS rate-limit policy to a control-plane queue.
  CONFIGURATION mode
  policy-map-input name cpu-qos
  service-queue queue-number qos-policy name
  On the switch, the range of queue-number values is from 0 to 20.
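The following Python model is an added example, not code from this guide or from Dell Networking OS; it shows how the four rate-police arguments (committed rate in kbps, committed burst in kbytes, peak rate in kbps, peak burst in kbytes) shape which control-plane packets pass a queue policer. It assumes the policer behaves like a two-rate, three-colour token bucket (RFC 2698 style); how closely the switch hardware matches that model is an assumption, and the traffic streams are constructed for illustration.

```python
"""Two-rate token-bucket model of a CoPP queue policer configured with
    rate-police <rate-kbps> <burst-kbytes> peak <rate-kbps> <burst-kbytes>

Added example, not Dell Networking OS code. Assumption: packets within the
committed rate/burst are "green", packets above it but within the peak
rate/burst are "yellow", and packets above the peak are "red" (dropped).
"""
from dataclasses import dataclass


@dataclass
class RatePolicer:
    cir_kbps: int     # first rate-kbps: committed information rate
    cbs_kbytes: int   # first burst-kbytes: committed burst size
    pir_kbps: int     # peak rate-kbps
    pbs_kbytes: int   # peak burst-kbytes

    def __post_init__(self):
        # Both buckets are sized in bytes and start full.
        self.c_tokens = float(self.cbs_kbytes * 1000)
        self.p_tokens = float(self.pbs_kbytes * 1000)
        self.last_ms = 0

    def _refill(self, now_ms):
        # kbps / 8 gives bytes per millisecond of credit.
        dt = now_ms - self.last_ms
        self.last_ms = now_ms
        self.c_tokens = min(self.cbs_kbytes * 1000,
                            self.c_tokens + dt * self.cir_kbps / 8)
        self.p_tokens = min(self.pbs_kbytes * 1000,
                            self.p_tokens + dt * self.pir_kbps / 8)

    def police(self, now_ms, size_bytes):
        """Colour one packet of size_bytes arriving at now_ms."""
        self._refill(now_ms)
        if size_bytes > self.p_tokens:
            return "red"            # above peak: dropped
        if size_bytes > self.c_tokens:
            self.p_tokens -= size_bytes
            return "yellow"         # above committed, within peak
        self.p_tokens -= size_bytes
        self.c_tokens -= size_bytes
        return "green"


def from_cli(rate_kbps, burst_kbytes, peak_kbps, peak_burst_kbytes):
    """Mirror the argument order of: rate-police R B peak PR PB."""
    return RatePolicer(rate_kbps, burst_kbytes, peak_kbps, peak_burst_kbytes)


def police_stream(policer, packets):
    """Run (time_ms, size_bytes) packets through the policer in time order
    and return how many were coloured green, yellow and red."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    for t, size in sorted(packets):
        counts[policer.police(t, size)] += 1
    return counts


def burst_stream(count, size_bytes):
    # Constructed: `count` packets arriving in the same instant, e.g. a
    # flood of control-plane frames hitting one queue at once.
    return [(0, size_bytes) for _ in range(count)]


def sustained_stream(count, interval_ms, size_bytes):
    # Constructed: one packet every interval_ms, a steady offered load.
    return [(i * interval_ms, size_bytes) for i in range(count)]


if __name__ == "__main__":
    # rate_limit_200k from the guide's example: rate-police 200 40 peak 500 40
    pol = from_cli(200, 40, 500, 40)
    # 100 x 1500-byte packets at once: only the 40 kB committed burst passes.
    print("burst    :", police_stream(pol, burst_stream(100, 1500)))
    # 1000-byte packets every 10 ms (800 kbps offered) for one second.
    pol = from_cli(200, 40, 500, 40)
    print("sustained:", police_stream(pol, sustained_stream(100, 10, 1000)))
```

The burst case drains the committed and peak buckets together, so once the 40 kB burst is spent every further packet is red; the sustained case shows the committed rate (200 kbps) admitting one packet in four after the burst credit is used, with the rest riding the peak allowance as yellow.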
Displaying CoPP Configuration
The CLI provides show commands to display the protocol traffic assigned to each control-plane queue and the current rate limit applied to each queue. Other show commands display statistical information for troubleshooting CoPP operation.

Viewing Queue Rates
To view the rates that are currently applied on each control-plane queue, use the show cpu-queue rate [all | queue-id id | range from-queue to-queue] command.
Dell#
Dell#show mac protocol-queue-mapping
Protocol  Destination Mac         EtherType  Queue          EgPort  Rate (kbps)
--------  ----------------------  ---------  -------------  ------  -----------
ARP       any                     0x0806     Q1/Q8/Q2/Q9    CP/RP   100
FRRP      01:01:e8:00:00:10/11    any        Q19            LP      300
LACP      01:80:c2:00:00:02       0x8809     Q13            RP      500
LLDP      any                     0x88cc     Q6             CP      500
GVRP      01:80:c2:00:00:21       any        Q12            RP      200
STP       01:80:c2:00:00:00       any        Q13            RP      150
ISIS      01:80:c2:00:00:14/15    any        Q13            RP      500
          09:00:2b:00:00:04/05    any        Q13            RP      500

Viewing IPv4 Protocol-Queue Mapping
To view the queues to wh
FTP                       Q3      CP     400   400   3000  3000
TELNET                    Q3      CP     400   400   2000  2000
SSH                       Q3      CP     400   400   2000  2000
VLT GARP                  Q3/Q10  CP/RP  500   500   3000  3000
VLT CTRL - CP CPU         Q3      CP     2000  2000  3000  3000
VLT CTRL - CP & RP CPU    Q3/Q10  CP/RP  2000  2000  3000  3000
VLT IPM PDU               Q3/Q10  CP/RP  500   500   3000  3000
L3 LOCAL TERMINATED       Q3      CP     400   400   5000  5000
Dell#

Viewing Complete Protocol-Queue Mapping
To view the queues to which all protocol traffic is assigned, use the show protocol-queue-mapping command.
FEFD                          Q6     CP     150   150   1000
TRACEFLOW                     Q16    LP     200   200   500
FCoE                          Q12    RP     300   300   2000
L3 LOCAL TERMINATED           Q3     CP     400   400   5000
L3 UNKNOWN/UNRESOLVED ARP     Q7     RP     200   200   300
L2 DST HIT/BROADCAST          Q1/Q8  CP/RP  200   200
MULTICAST CATCH ALL           Q7     RP     200   200
ACL LOGGING                   Q17    LP     200   200
L3 HEADER ERROR/TTL0          Q0     CP     200   200
IP OPTION/TTL1                Q0     CP     100   100
VLAN L3 MTU FAIL              Q0     CP     200   200
Physical L3 MTU FAIL          Q0     CP     200   200
SOURCE MISS                   Q16    LP     200   200
STATION MOVE                  Q16    LP     200   200
SFLOW_EGRESS                  Q20    LP     5000  5000
SFLOW_INGRESS                 Q20    LP     5000  5000
NOTE: When you finish troubleshooting CoPP operation, disable the collection of CPU traffic statistics by entering the no debug cpu-traffic-stats command.

Troubleshooting CPU Packet Loss
To troubleshoot the reason for CPU packet loss, you can display statistics about system flows on the central switch (aggregated CoPP) or on a specified set of switch ports by entering the show hardware system-flow [cp-switch | linecard slot-id portset port-pipe] command.
policer= statistics={stat id 3 slice = 9 idx=1 entries=1}{Packets}
--More--
################# FP Entry for redirecting GVRP traffic to RSM ###########
EID 0x000002fc: gid=0xa,
  slice=9, slice_idx=0x4, part =0 prio=0x2fc, flags=0x10202, Installed, Enabled
  tcam: color_indep=0,
  Stage
  InPorts
    DATA=0x0000000000000000000000000000000000000000000000000000222222222222
    MASK=0x0000000000000000000000000000000000000000000000000000222222222223
  DstMac
    Offset: 88 Width: 48
    DATA=0x00000180 c2000021
    MASK=0x0000ffff ffffffff
  ac
v6 ICMP/ICMP MLD                                         0  0  0
MSDP                                                     0  0  0
FTP/TELNET/SSH/L3 LOCAL TERMINATED                       0  0  0
L3 UNKNOWN/UNRESOLVED ARP                                0  0  0
iSCSI                                                    0  0  0
FCoE                                                     0  0  0
SFLOW                                                    0  0  0
HYPERPULL                                                0  0  0
OPENFLOW                                                 0  0  0
L2 DST HIT/BROADCAST                                     0  0  0
VLT                                                      0  0  0
TTL1/TRACEFLOW/TTL0/STATION MOVE/TTL1
 /IP OPTION/L3 MTU FAIL/SOURCE MISS                      0  0  0
v6 ICMP NS                                               0  0  0

Dell#show control-traffic protocol pe 0 stack-unit 0 portset 0 counters
Protocol                                         RxBytes  TxBytes
-----------------------------------------------  -------  -------
STP/ARP/ICMP(v4/v6)/IGMP/MLD/NTP/FTP/TELNET/SSH  0        0
PE CSP/PE-CB LLDP                                26157    26157
LL
v6 MULTICAST CATCH ALL
IPv6 DHCP
v6 RAGUARD
v6 ICMP NA
v6 ICMP RA
v6 ICMP NS
v6 ICMP RS
v6 ICMP
BGP
OSPF
RIP
VRRP
ICMP
IGMP
PIM
MSDP
BFD ON PHYSICAL PORTS
BFD ON LOGICAL PORTS
802.
Viewing Per-Queue CoPP Counters
To view per-queue counters of CoPP rate-limited traffic, use the show control-traffic queue {all | queue-id queue-number} counters command. The range of queue-number values is from 0 to 20. The twenty-one control-plane queues are divided into groups of seven queues for the Route Processor, Control Processor, and line-card CPUs as follows:
• Queues 0 to 6 process packets destined to the Control Processor CPU.
11 Data Center Bridging (DCB)

Topics:
• Enabling Data Center Bridging
• Ethernet Enhancements in Data Center Bridging
• QoS dot1p Traffic Classification and Queue Assignment
• SNMP Support for PFC and Buffer Statistics Tracking
• DCB Maps and its Attributes
• Data Center Bridging: Default Configuration
• Configuration Notes: PFC and ETS in a DCB Map
• Configuring Priority-Based Flow Control
• Configuring Enhanced Transmission Selection
• Configure a DCBx Operation
• Verifying the DCB Configuratio
  dcb-map linecard 0 backplane all
  dcb-map linecard all backplane all
NOTE: Dell Networking OS Behavior: DCB is not supported if you enable link-level flow control on one or more interfaces. For more information, refer to Ethernet Pause Frames.

Ethernet Enhancements in Data Center Bridging
The following section describes DCB.
• Data Center Bridging Exchange (DCBx) protocol
NOTE: Dell Networking OS supports only the PFC, ETS, and DCBx features in data center bridging.

Priority-Based Flow Control
In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion. When PFC detects congestion on a queue for a specified priority, it sends a pause frame for the 802.
• PFC uses DCB MIB IEEE 802.1azd2.5 and PFC MIB IEEE 802.1bb-d2.2.
• A dynamic threshold handles intermittent traffic bursts and varies based on the number of PFC priorities contending for buffers, while a static threshold places an upper limit on the transmit time of a queue after receiving a message to pause a specified priority. PFC traffic is paused only after surpassing both static and dynamic thresholds for the priority specified for the port.
• By default, PFC is enabled when you enable DCB.
• PFC enabled or disabled
• No bandwidth limit or no ETS processing
ETS uses the DCB MIB IEEE 802.1azd2.5.

Data Center Bridging Exchange Protocol (DCBx)
By default, the data center bridging exchange (DCBx) protocol is disabled; ETS is also disabled. DCBx allows a switch to automatically discover DCB-enabled peers and exchange configuration information. PFC and ETS use DCBx to exchange and negotiate parameters with peer devices.
QoS dot1p Traffic Classification and Queue Assignment
The following section describes QoS dot1p traffic classification and assignments. DCB supports PFC, ETS, and DCBx to handle converged Ethernet traffic that is assigned to an egress queue according to the following QoS methods:

Honor dot1p
You can honor dot1p priorities in ingress traffic at the port or global switch level (refer to Default dot1p to Queue Mapping) using the service-class dynamic dot1p command in INTERFACE configuration mode.
SNMP support is provided for monitoring PFC and buffer statistics tracking (BST) counters and statistics. The enhancement adds tables to the F10-FPSTATS MIB to display the PFC and BST counters and statistics. The following new tables are supported in the F10-FPSTATS MIB:
• fpEgrQBuffSnapshotTable
• fpIngPgBuffSnapshotTable
• fpStatsPerPgTable
• pfcPerPrioTable

fpEgrQBuffSnapshot
This table fetches the BST statistics at the egress port with respect to the buffer used.
Important Points to Remember
• If you remove a dot1p priority-to-priority group mapping from a DCB map (no priority pgid command), the PFC and ETS parameters revert to their default values on the interfaces on which the DCB map is applied. By default, PFC is not applied on specific 802.1p priorities; ETS assigns equal bandwidth to each 802.1p priority. As a result, PFC and lossless port queues are disabled on 802.
You cannot apply a DCB map on an interface that has already been configured for PFC using the pfc priority command or that is already configured for lossless queues (pfc no-drop queues command).

Configuring PFC without a DCB Map
In a network topology that uses the default ETS bandwidth allocation (which assigns equal bandwidth to each priority), you can also enable PFC for specific dot1p priorities on individual interfaces without using a DCB map.
• A limit of 4 lossless queues is supported on a port. If the number of lossless queues configured exceeds the maximum supported limit per port (two), an error message is displayed. You must re-configure the value to a smaller number of queues.
• If you configure lossless queues on an interface that already has a DCB map with PFC enabled (pfc on), an error message is displayed.

Table 17. Configuring Lossless Queues
Step  Task                               Command  Command Mode
1     Enter INTERFACE Configuration mode.
Applying a DCB Map on a Line Card On the C9010, DCB is supported per-line card. If the traffic handled by a DCB map is transmitted on ports on different line cards, you must manually configure the DCB map on the backplane ports of the C9010 line cards on which the ports reside. • Apply a DCB map with PFC and ETS settings on the backplane ports of C9010 line cards.
Configuration Notes: PFC and ETS in a DCB Map
The switch supports the use of a DCB map in which you configure priority-based flow control (PFC) and enhanced transmission selection (ETS) settings. To configure PFC and ETS parameters, you must apply a DCB map on the interface.

PFC Configuration Notes
PFC provides flow control based on the 802.1p priorities in converged Ethernet traffic that is received on an interface, and is enabled when you enable DCB.
ETS Configuration Notes
ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs. Using ETS, you can create groups within an 802.1p priority class to configure different treatment for traffic with different bandwidth, latency, and best-effort needs.
Priority-Group Configuration Notes
When you configure priority groups in a DCB map:
• A priority group consists of 802.1p priority values that are grouped together for similar bandwidth allocation and scheduling, and that share the same latency and loss requirements. All 802.1p priorities mapped to the same queue must be in the same priority group.
• In a DCB map, each 802.1p priority must map to a priority group.
Dell Networking OS Behavior: As soon as you apply a DCB policy with PFC enabled on an interface, DCBx starts exchanging information with PFC-enabled peers. The IEEE 802.1Qbb, CEE, and CIN versions of the PFC Type, Length, Value (TLV) are supported. DCBx also validates PFC configurations that are received in TLVs from peer devices.
NOTE: You cannot enable PFC and link-level flow control at the same time on an interface. Dell Networking OS does not support MACsec Bypass Capability (MBC).
For example, storage traffic is sensitive to frame loss; interprocess communication (IPC) traffic is latency-sensitive. ETS allows different traffic types to coexist without interruption in the same converged link by:
• Allocating a guaranteed share of bandwidth to each priority group.
• Allowing each group to exceed its minimum guaranteed bandwidth if another group is not fully using its allotted bandwidth.

Creating an ETS Priority Group
An ETS priority group specifies the range of 802.
ETS Operation with DCBx
The following section describes DCBx negotiation with peer ETS devices. In DCBx negotiation with peer ETS devices, ETS configuration is handled as follows:
• ETS TLVs are supported in DCBx versions CIN, CEE, and IEEE2.5.
• The DCBx port-role configurations determine the ETS operational parameters (refer to Configure a DCBx Operation).
• ETS configurations received from TLVs from a peer are validated.
• Accepts the DCB configuration from a peer if a DCBx port is in "willing" mode to accept a peer's DCB settings and then internally propagates the received DCB configuration to its peer ports.

DCBx Port Roles
To enable the auto-configuration of DCBx-enabled ports and propagate DCB configurations learned from peer DCBx devices internally to other switch ports, use the following DCBx port roles.
source. If you enable DCBx, ports in Manual mode advertise their configurations to peer devices but do not accept or propagate internal or external configurations. Unlike other user-configured ports, the configuration of DCBx ports in Manual mode is saved in the running configuration. On a DCBx port in a manual role, all PFC, application priority, ETS recommend, and ETS configuration TLVs are enabled.
• The port role is auto-upstream.
• The port is enabled with link up and DCBx enabled.
• The port has performed a DCBx exchange with a DCBx peer.
• The switch is capable of supporting the received DCB configuration values through either a symmetric or asymmetric parameter exchange.
A newly elected configuration source propagates configuration changes received from a peer to the other auto-configuration ports.
Behavior of Tagged Packets
The following is an example of enabling PFC for priority 2 on tagged packets. Priority (packet dot1p) 2 is mapped to PG6 in the PRIO2PG setting. All other priorities for which PFC is not enabled are mapped to the default PG, PG7. Classification rules on ingress (the ingress FP CAM region) match the incoming packet dot1p and assign an internal priority (to select the queue as per Table 1 and Table 2).
a Enable DCB globally.
  Dell(conf)#dcb enable
b Apply the PFC priority configuration. Configure the priorities on which PFC is enabled.

DCBx Example
The following figure shows how to use DCBx. The device is connected to third-party, top-of-rack (ToR) switches through 40GbE or 10GbE uplinks. The ToR switches are part of a Fibre Channel storage network. The ports connected to the server with a CNA are configured as auto-downstream ports.
Figure 31.
DCBx Prerequisites and Restrictions The following prerequisites and restrictions apply when you configure DCBx operation on a port: • For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
• manual: configures the port to operate only on administrator-configured DCB parameters. The port does not accept a DCB configuration received from a peer or a local configuration source. The default is Manual.
5 On manual ports only: Configure the PFC and ETS TLVs advertised to DCBx peers.
  PROTOCOL LLDP mode
  [no] advertise DCBx-tlv {ets-conf | ets-reco | pfc} [ets-conf | ets-reco | pfc] [ets-conf | ets-reco | pfc]
• ets-conf: enables the advertisement of ETS Configuration TLVs.
• auto: configures all ports to operate using the DCBx version received from a peer.
• cee: configures a port to use CEE (Intel 1.01).
• cin: configures a port to use Cisco-Intel-Nuova (DCBx 1.0).
• ieee-v2.5: configures a port to use IEEE 802.1Qaz (Draft 2.5).
The default is Auto.
NOTE: To configure the DCBx port role the interfaces use to exchange DCB information, use the DCBx port-role command in INTERFACE Configuration mode (Step 3).
DCBx Error Messages
The following syslog messages appear when an error in DCBx operation occurs.
LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface.
LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface.
DSM_DCBx_PEER_VERSION_CONFLICT: A local port expected to receive the IEEE, CIN, or CEE version in a DCBx TLV from a remote peer but received a different, conflicting DCBx version.
Command  Output
To clear PFC TLV counters, use the clear pfc counters interface port-type slot/port command.
show interface port-type slot/port pfc statistics  Displays counters for the PFC frames received and transmitted (by dot1p priority class) on an interface. You can use the show interface pfc statistics command even without enabling DCB on the system.
Local is enabled
Oper status is Recommended
PFC DCBx Oper status is Up
State Machine Type is Feature
TLV Tx Status is enabled
PFC Link Delay 45556 pause quantams
Application Priority TLV Parameters :
--------------------------------------
FCOE TLV Tx Status is disabled
ISCSI TLV Tx Status is disabled
Local FCOE PriorityMap is 0x8
Local ISCSI PriorityMap is 0x10
Remote FCOE PriorityMap is 0x8
Remote ISCSI PriorityMap is 0x8
Dell# show interfaces tengigabitethernet 1/4 pfc detail
Interface TenGigabitEthernet 1/
Field  Description
  • Init: Local PFC configuration parameters were exchanged with peer.
  • Recommend: Remote PFC configuration parameters were received from peer.
  • Internally propagated: PFC configuration parameters were received from configuration source.
PFC DCBx Oper status  Operational status for exchange of PFC configuration on local port: match (up) or mismatch (down).
The following example shows the show interface ets summary command.
  0          13%        ETS
  1          13%        ETS
  2          13%        ETS
  3          13%        ETS
  4          12%        ETS
  5          12%        ETS
  6          12%        ETS
  7          12%        ETS
Remote Parameters:
------------------
Remote is disabled
Local Parameters :
------------------
Local is enabled
TC-grp  Priority#         Bandwidth  TSA
  0     0,1,2,3,4,5,6,7   100%       ETS
  1                       0%         ETS
  2                       0%         ETS
  3                       0%         ETS
  4                       0%         ETS
  5                       0%         ETS
  6                       0%         ETS
  7                       0%         ETS
Priority#  Bandwidth  TSA
  0          13%        ETS
  1          13%        ETS
  2          13%        ETS
  3          13%        ETS
  4          12%        ETS
  5          12%        ETS
  6          12%        ETS
  7          12%        ETS
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input
------------------
Remote is disabled
Local Parameters :
------------------
Local is enabled
TC-grp  Priority#         Bandwidth  TSA
  0     0,1,2,3,4,5,6,7   100%       ETS
  1                       0%         ETS
  2                       0%         ETS
  3                       0%         ETS
  4                       0%         ETS
  5                       0%         ETS
  6                       0%         ETS
  7                       0%         ETS
Priority#  Bandwidth  TSA
  0          13%        ETS
  1          13%        ETS
  2          13%        ETS
  3          13%        ETS
  4          12%        ETS
  5          12%        ETS
  6          12%        ETS
  7          12%        ETS
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error C
0 Input Traffic Class TLV Pkts, 0 Output Pkts
  5  -  -  -  -
  6  -  -  -  -
  7  -  -  -  -
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts

The following table describes the show interface ets detail command fields.
Table 21. show interface ets detail Command Description
Field      Description
Interface  Interface type with stack-unit, linecard, and port number.
Field                                 Description
ETS TLV Statistic: Error Conf TLV pkts  Number of ETS Error Configuration TLVs received.

The following example shows the show linecard 2 port-set 0 backplane all pfc details command.
I - Application priority for iSCSI enabled
i - Application Priority for iSCSI disabled
------------------------------------------------------------------------------------
Interface TenGigabitEthernet 1/14
Remote Mac Address 00:01:e8:8a:df:a0
Port Role is Auto-Upstream
DCBx Operational Status is Enabled
Is Configuration Source? FALSE
Local DCBx Compatibility mode is CEE
Local DCBx Configured mode is CEE
Peer Operating version is CEE
Local DCBx TLVs Transmitted: ErPFi
Local DCBx Status
-----------------
DCBx Operat
Field                                        Description
Local DCBx Status: DCBx Max Version Supported  Highest DCBx version supported in Control TLVs.
Local DCBx Status: Sequence Number             Sequence number transmitted in Control TLVs.
Local DCBx Status: Acknowledgment Number       Acknowledgement number transmitted in Control TLVs.
Local DCBx Status: Protocol State              Current operational state of DCBx protocol: ACK or IN-SYNC.
Peer DCBx Status: DCBx Operational Version     DCBx version advertised in Control TLVs received from peer device.
Using PFC and ETS to Manage Data Center Traffic
The following shows examples of using PFC and ETS to manage your data center traffic. In the following example:
• Incoming SAN traffic is configured for priority-based flow control.
• Outbound LAN, IPC, and SAN traffic is mapped into three ETS priority groups and configured for enhanced transmission selection (bandwidth allocation and scheduling).
• One lossless queue is used.
Figure 32.
dot1p Value in the Incoming Frame  Priority Group Assignment
0                                  LAN
1                                  LAN
2                                  LAN
3                                  SAN
4                                  IPC
5                                  LAN
6                                  LAN
7                                  LAN
The following describes the priority group-bandwidth assignment.

PFC and ETS Configuration Command Examples
The following examples show PFC and ETS configuration commands to manage your data center traffic.
Hierarchical Scheduling in ETS Output Policies
ETS supports up to three levels of hierarchical scheduling. For example, you can apply ETS output policies with the following configurations:
Priority group 1  Assigns traffic to one priority queue with 20% of the link bandwidth and strict-priority scheduling.
Priority group 2  Assigns traffic to one priority queue with 30% of the link bandwidth.
Dynamic ingress buffering enables the sending of pause frames at different thresholds based on the number of ports that experience congestion at a time. This behavior impacts the total buffer size used by a particular lossless priority on an interface. The pause and resume thresholds can also be configured dynamically.
The number of ports that can be supported depends on the number of lossless queues configured and on the available buffer. The default number of PFC queues in the system is two. For each priority, you can specify the shared buffer threshold limit, the ingress buffer size, the buffer limit for pausing the acceptance of packets, and the buffer offset limit for resuming the acceptance of received packets.
12 Debugging and Diagnostics This chapter describes the debugging and diagnostics tasks you can perform on the switch.
Specify the port extender ID and stack unit ID.
• where pe-id is a port-extender group ID number from 0 to 255
• stack-unit unit-number is a PE stack-unit number from 0 to 7
  Dell#diag pe 0 stack-unit 0
A warning is displayed with a CLI prompt asking you to answer yes or no.
Dell#diag pe 0 stack-unit 0 level0 ?
Warning - PE-Unit 0 at PEID 0 will go offline to run the diagnostics.
Offline of system will bring down all the protocols and the system will be operationally down, except for running Diagnostics.
PE unit will be automatically reloaded once the diagnostics tests are completed.
Warning - The diagnostic execution will cause multiple link flaps on the peer side - advisable to shut directly connected ports
Proceed with PE diag [confirm yes/no]:yes
Dell#
Jul 30 12:59:39: %RPM0-P:CP %BRM-5-PE_UNIT_DOWN: PE:255 Unit:2 Unit MAC:f8:b1:56:00:02:d1 is operationally down.
boardRevision ............................................... PASS
cpldAccess .................................................. PASS
cpuType ..................................................... PASS
Starting test: fanControllerSpeedGet ......
000 - FAN Controller Get Speed Test ................................ PASS
001 - FAN Controller Get Speed Test ................................ PASS
fanControllerSpeedGet ....................................... PASS
fanStatusMonitor ...................................
029 - One Gig PHY Access Test ...................................... PASS
030 - One Gig PHY Access Test ...................................... PASS
031 - One Gig PHY Access Test ...................................... PASS
032 - One Gig PHY Access Test ...................................... PASS
033 - One Gig PHY Access Test ...................................... PASS
034 - One Gig PHY Access Test ...................................... PASS
035 - One Gig PHY Access Test ......................................
poeManagerVolt .............................................. PASS
poeUARTStress ............................................... PASS
powerRailStatus ............................................. PASS
psuEepromAccess ............................................. PASS
psuEpsPresence .............................................. PASS
psuEpsStatusMonitor ......................................... PASS
psuFanAirFlowType ........................................... PASS
psuFanStatus ..............................
020 - One Gig PHY Link Test ........................................ PASS
021 - One Gig PHY Link Test ........................................ PASS
022 - One Gig PHY Link Test ........................................ PASS
023 - One Gig PHY Link Test ........................................ PASS
!!!!!! LEVEL 2 DIAGNOSTIC
snakeOneGMac ................................................
snakeOneGPhy ................................................
snakeSfpPlusMac .............................................
Running Offline Diagnostics on a Standalone Switch
To run offline diagnostics on a standalone switch:
1 Shut down the directly connected port extender ports before you run offline diagnostics.
2 Place the entire system or a particular linecard in the offline state.
EXEC Privilege mode
offline system
offline linecard linecard_number
The following message displays.
Warning - offline of system will bring down all the protocols and the system will be operationally down, except for running Diagnostics.
Auto Save on Reload, Crash, or Rollover
Exception information for the switch is stored in the flash:/TRACE_LOG_DIR directory. This directory contains files that save trace information when there has been a task crash or timeout, and trace information from the Route Processor and Control Processor CPUs. You can access the TRACE_LOG_DIR files by FTP or by using the show file command from the flash://TRACE_LOG_DIR directory.
show hardware Commands
Use the show hardware commands to troubleshoot error conditions by displaying information about a hardware subcomponent and details from hardware-based feature tables.
NOTE: Use the show hardware commands only under the guidance of the Dell Networking Technical Assistance Center (TAC).
• Display the internal interface status of the line-card CPU port which connects to the external management interface.
• Display the internal statistics for each port-pipe (unit) on a per-port basis.
show hardware linecard slot-id unit unit-number port-stats [detail]
• Display the line-card internal registers for each port-pipe.
show hardware linecard slot-id unit unit-number register
• Display the tables from the bShell through the CLI without going into the bShell.
show hardware linecard slot-id unit unit-number table-dump {table-name}
• Display hardware statistics from the specified port extender and stack-unit.
Environmental Monitoring
The system components use environmental monitoring hardware to detect transmit power readings, receive power readings, and temperature updates. To receive periodic power updates, use the enable optic-info-update interval command. The output in the following example displays the environment status of the RPM.
----------------------------------------------------------------------------
0 0 down AC up 1376 0.0
0 1 up AC up 18848 666.0
0 2 down AC up 1312 0.0
0 3 up AC up 18880 643.0
When an under-voltage condition occurs on a power supply (for example, a power cable is removed):
• A Syslog message is displayed to inform you that the power supply is down.
When you configure a 40GbE QSFP+ port to operate in quad (4x10GbE) mode as four 10GbE SFP+ ports, a Syslog message is displayed for each 10GbE port.
Troubleshoot an Over-Temperature Condition
To troubleshoot an over-temperature condition, determine the sensor(s) that triggered the over-temperature alarm by displaying the current temperature levels and the historical logs of the temperature threshold-crossing events. The RPM has CP and LP cards whose sensor temperatures are monitored. Similarly, the line card's sensor is monitored as well. The show alarm threshold command provides the temperature threshold values for line cards and the RPM.
PEid100/Stack0 60 65 72 75 105
To display the current temperature of line sensors, use the show environment thermal-sensors command. Minor threshold crossings do not cause alarms, but are used to trigger increases in the speed of the system fans as needed to keep the component temperature within the desired range.
When the system experiences a high temperature on any temperature sensor that exceeds the Critical threshold, a shutdown log event is generated; for example:
Dell#Jun 18 01:57:03: %RPM1-P:CP %CHMGR-2-TEMP_SHUTDOWN_WARN: WARNING! linecard 11 temperature is 110C; approaching shutdown threshold of 110C)
Dell#Jun 18 01:57:04: %RPM1-P:CP %CHMGR-0-TEMP_SHUTDOWN_WARN: linecard 11 temperature exceeded or equal to shutdown temperature 110C; Unit will shutdown now.Power cycle the unit to power it on.
show hardware linecard {0–2} drops unit {0–3}
Dell#show hardware linecard 2 drops
UNIT No: 0
Total Ingress Drops : 41694
Total IngMac Drops : 0
Total Mmu Drops : 0
Total EgMac Drops : 0
Total Egress Drops : 0
Dell#show hardware linecard 2 drops unit 0
UserPort PortNumber
0 1
4 5
8 9
12 13
16 17
17 18
18 19
19 20
20 21
21 22
22 23
23 24
24 25
28 29
32 33
36 37
40 41
44 45
Internal 50
Internal 51
Internal 52
Internal 53
Internal 54
Internal 55
Internal 56
Internal 57
Internal 58
TR MGV Frames = 0
Bytes Transmitted = 0
Frames Transmitted = 125183
Mcast Frames Transmitted = 0
Bcast Frames Transmitted = 4
Pause Frames Transmitted = 0
Deferred Transmits = 0
Excessive Deferred Transmits = 0
TX single collisions = 0
TX multiple collisions = 0
TX late collisions = 0
TX Excessive collisions = 0
TX total collisions = 0
TX Drops = 0
TX Jabber = 0
TX FCS errors = 0
TX Control frames = 0
TX oversize frames = 0
TX undersize frames = 0
TX fragments = 0
Bytes received = 0
Frames received = 2868 B
Rx 128to255octets Packets = 441
Rx 256to511octets Packets = 3816
Rx 512to1023octets Packets = 3247
Rx 1024toMaxoctets Packets = 150599
Rx Jabbers = 0
Rx align errors = 0
Rx fcs errors = 0
Rx good octets = 251640594
Rx Drop pkts = 0
Rx Unicast Packets = 333370
Rx Multicast Packets = 193621
Rx Broadcast Packets = 45
Rx Source Address Changes = 3
Rx Fragments = 0
Rx Jumbo Packets = 0
Rx Symbol Errros = 0
Rx In Range Errors = 0
Rx OutofRange Errors = 0
Displaying Line-Card Counters
The show hardware linecard
f10Ch_lp__.acore.gz
• An application core dump generated from LM: f10Ch_lp__.acore.
0035d60c :
00274f8c :
0024e2b0 :
0024dee8 :
0024d9c4 :
002522b0 :
0026a8d0 :
0026a00c :
------------------------STACK TRACE END------------------------
------------------FREE MEMORY--------------
uvmexp.free = 0x2312
Full Kernel Core Dumps
The system supports full core dumps for kernel crashes. The kernel core dump applies to all switch CPUs and is not enabled by default.
tcpdump {cp | rp} [capture-duration time | filter expression | max-file-count value | packetcount value | snap-length value | write-to path]
Accessing Port Extender Core and Mini Core Dumps
For port extenders (PE), the application core dump and the mini core dump of the port extenders are uploaded to the controller bridge's flash inside the directory /flash/CORE_DUMP_DIR. The format of a PE application core uploaded to the CB is as follows:
f10pe___Stk.acore.
13 Dynamic Host Configuration Protocol (DHCP)
DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option, Number and Description
Subnet Mask, Option 1: Specifies the client's subnet mask.
Router, Option 3: Specifies the router IP addresses that may serve as the client's default gateway.
Domain Name Server, Option 6: Specifies the domain name servers (DNSs) that are available to the client.
Domain Name, Option 15: Specifies the domain name that clients should use when resolving hostnames via DNS.
End, Option 255: Signals the last option in the DHCP packet.
Assign an IP Address using DHCP
The following section describes DHCP and the client in a network. When a client joins a network:
1 The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters.
Implementation Information
The following describes the DHCP implementation.
• Dell Networking implements DHCP based on RFC 2131 and RFC 3046.
• IP source address validation is a sub-feature of DHCP Snooping; the Dell Networking OS uses access control lists (ACLs) internally to implement this feature and, as such, you cannot apply ACLs to an interface which has IP source address validation.
Configuring the Server for Automatic Address Allocation
Automatic address allocation is an address assignment method by which the DHCP server leases an IP address to a client from a pool of available addresses. An address pool is a range of IP addresses that the DHCP server may assign. The subnet number indexes the address pools. To create an address pool, follow these steps.
1 Access the DHCP server CLI context.
CONFIGURATION mode
ip dhcp server
2 Create an address pool and give it a name.
To exclude an address, follow this step.
• Exclude an address range from DHCP assignment. The exclusion applies to all configured pools.
DHCP mode
excluded-address
Specifying an Address Lease Time
To specify an address lease time, use the following command.
• Specify an address lease time for the addresses in a pool.
DHCP mode
lease {days [hours] [minutes] | infinite}
The default is 24 hours.
Using NetBIOS WINS for Address Resolution
Windows internet naming service (WINS) is a name resolution service that Microsoft DHCP clients use to correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid.
1 Specify the NetBIOS WINS name servers, in order of preference, that are available to Microsoft Dynamic Host Configuration Protocol (DHCP) clients.
Using DHCP Clear Commands
To clear DHCP binding entries, address conflicts, and server counters, use the following commands.
• Clear DHCP binding entries for the entire binding table.
EXEC Privilege mode
clear ip dhcp binding
• Clear a DHCP binding entry for an individual IP address.
EXEC Privilege mode
clear ip dhcp binding ip address
Configure the System to be a Relay Agent
DHCP clients and servers request and offer configuration information via broadcast DHCP messages.
Figure 35. Configuring a Relay Agent
To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC Privilege mode.
Example of the show ip interface Command
R1_E600#show ip int gig 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1
192.168.0.
Configure the System to be a DHCP Client
A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows:
• The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (OS version and a configuration file). BMP is enabled as a factory-default setting on a switch.
VLAN and Port Channels DHCP client configuration and behavior are the same on Virtual LAN (VLAN) and port-channel (LAG) interfaces as on a physical interface.
The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server. The server can use this information to:
• track the number of address requests per relay agent. Restricting the number of addresses available per relay agent can harden a server against address exhaustion attacks.
• associate client MAC addresses with a relay agent to prevent offering an IP address to a client spoofing the same MAC address on a different relay agent.
• assign IP addresses according to the relay agent.
• Source address validation is not supported for VPLAG interfaces on VLT.
• Port Extender does not support DHCP server.
Prerequisites for DHCP Snooping
• DHCP Snooping should be enabled globally on both VLT peers.
• The same Remote ID string and Remote ID host name should be configured on both VLT peers.
• To enable the DHCP Secondary subnet feature in VLT, ensure that the secondary IP address subnet is the same on both VLT peers.
Displaying the Contents of the Binding Table
To display the contents of the binding table, use the following command.
• Display the contents of the binding table.
EXEC Privilege mode
show ip dhcp snooping
Example of the show ip dhcp snooping Command
View the DHCP snooping statistics with the show ip dhcp snooping command.
Dell#show ip dhcp snooping
IP DHCP Snooping : Enabled.
IP DHCP Snooping Mac Verification : Disabled.
IP DHCP Relay Information-option : Disabled.
IP DHCP Relay Trust Downstream :
Dynamic ARP Inspection
Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and replies from any device. ARP replies are accepted even when no request was sent.
Configuring Dynamic ARP Inspection
To enable dynamic ARP inspection, use the following commands.
1 Enable DHCP snooping.
2 Validate ARP frames against the DHCP snooping binding table.
INTERFACE VLAN mode
arp inspection
Examples of Viewing the ARP Information
To view entries in the ARP database, use the show arp inspection database command.
Source Address Validation
Using the DHCP binding table, Dell Networking OS can perform three types of source address validation (SAV).
Table 26. Three Types of Source Address Validation
Source Address Validation: Description
IP Source Address Validation: Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
DHCP MAC Source Address Validation
DHCP MAC source address validation (SAV) validates a DHCP packet's source hardware address against the client hardware address field (CHADDR) in the payload. The system ensures that the packet's source MAC address is checked against the CHADDR field in the DHCP header only for packets from snooped VLANs.
• Enable DHCP MAC SAV.
deny count (0 packets)
deny access-list on TenGigabitEthernet 0/1 Total cam count 2
deny vlan 10 count (0 packets)
deny vlan 20 count (0 packets)
The following output of the show ip dhcp snooping source-address-validation discard-counters interface interface command displays the number of SAV dropped packets on a particular interface.
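The relay-agent Option 82 insertion, the snooping binding table, dynamic ARP inspection and the two SAV checks described above, as an added example that is not part of this guide or of the Dell Networking OS. It works on a constructed DHCPACK built from the RFC 2131 header layout; the client MAC, addresses and relay identifiers are constructed sample values.

```python
import struct
import ipaddress
from dataclasses import dataclass

# Option codes from the option table above, plus RFC 3046 Option 82 and message type 53
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_DOMAIN = 0, 1, 3, 6, 15
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
DHCPACK, BOOTREPLY = 5, 2
MAGIC_COOKIE = bytes([99, 130, 83, 99])
# 236-byte BOOTP header: op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HEADER_FMT = "!4BI2H4s4s4s4s16s64s128s"
CLIENT_MAC = bytes.fromhex("020000aabb01")  # constructed, locally administered MAC

def parse_options(raw):
    """Return {code: value} from a DHCP options field, honouring PAD and END."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def build_options(opts):
    """Serialise options in insertion order and terminate with END (Option 255)."""
    out = bytearray()
    for code, value in opts.items():
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)

def parse_dhcp(packet):
    """Split a DHCP message into the header fields snooping needs plus its options."""
    f = struct.unpack(HEADER_FMT, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    return {"op": f[0], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:f[2]], "options": parse_options(packet[240:])}

def make_ack(chaddr, yiaddr, relay_ip="0.0.0.0"):
    """Constructed sample DHCPACK carrying options 1, 3, 6 and 15 (not a capture)."""
    hdr = struct.pack(HEADER_FMT, BOOTREPLY, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                      ipaddress.IPv4Address(yiaddr).packed, bytes(4),
                      ipaddress.IPv4Address(relay_ip).packed,
                      chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    opts = {OPT_MSG_TYPE: bytes([DHCPACK]), OPT_SUBNET_MASK: bytes([255, 255, 255, 0]),
            OPT_ROUTER: ipaddress.IPv4Address("10.11.0.1").packed,
            OPT_DNS: ipaddress.IPv4Address("192.168.0.1").packed, OPT_DOMAIN: b"example.test"}
    return hdr + MAGIC_COOKIE + build_options(opts)

def insert_option82(packet, circuit_id, remote_id):
    """Relay-agent step from the text: add Option 82 (sub-option 1 circuit ID,
    sub-option 2 remote ID) before forwarding, keeping END as the last option."""
    opts = parse_options(packet[240:])
    opts[OPT_RELAY_AGENT] = (bytes([1, len(circuit_id)]) + circuit_id +
                             bytes([2, len(remote_id)]) + remote_id)
    return packet[:240] + build_options(opts)

@dataclass(frozen=True)
class Binding:
    mac: bytes
    ip: str
    vlan: int
    port: str

class SnoopingTable:
    """DHCP snooping binding table keyed by (client MAC, VLAN)."""
    def __init__(self):
        self.entries = {}

    def learn(self, packet, vlan, port):
        """Only a server DHCPACK seen on this VLAN/port creates a binding."""
        msg = parse_dhcp(packet)
        if msg["op"] != BOOTREPLY or msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPACK]):
            return None
        binding = Binding(msg["chaddr"], msg["yiaddr"], vlan, port)
        self.entries[(binding.mac, vlan)] = binding
        return binding

    def validate_ip_source(self, src_mac, src_ip, vlan, port):
        """IP SAV: forward only if MAC, IP, VLAN and ingress port all match a binding."""
        b = self.entries.get((src_mac, vlan))
        return b is not None and b.ip == src_ip and b.port == port

    def inspect_arp(self, sender_mac, sender_ip, vlan):
        """Dynamic ARP inspection: the ARP sender MAC/IP pair must match a binding."""
        b = self.entries.get((sender_mac, vlan))
        return b is not None and b.ip == sender_ip

def dhcp_mac_sav(frame_src_mac, packet):
    """DHCP MAC SAV: the frame's source MAC must equal CHADDR in the DHCP payload."""
    return parse_dhcp(packet)["chaddr"] == frame_src_mac
```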
14 Equal Cost Multi-Path (ECMP)
Equal cost multi-path (ECMP) supports multiple paths in next-hop packet forwarding to a destination device.
ECMP for Flow-Based Affinity
ECMP for flow-based affinity includes link bundle monitoring.
Enabling Deterministic ECMP Next Hop
Deterministic ECMP next hop arranges all ECMPs in order before writing them into the content addressable memory (CAM). For example, suppose the RTM learns eight ECMPs in the order that the protocols and interfaces came up.
• Specify the hash algorithm seed.
CONFIGURATION mode
hash-algorithm seed value [linecard slot-id] [port-set number]
The range is from 0 to 4095.
Link Bundle Monitoring
Link bundle monitoring allows the system to monitor the use of multiple links for an uneven distribution. A global default threshold of 60% is the usage percentage for the bundle; when the system reaches this threshold, it begins monitoring the configured ECMP groups for uneven distribution.
Creating an ECMP Group Bundle
Within each ECMP group, you can specify an interface. If you enable monitoring for the ECMP group, the utilization calculation is performed when the average utilization of the link bundle (as opposed to a single link within the bundle) exceeds 60%.
1 Create a user-defined ECMP group bundle.
CONFIGURATION mode
ecmp-group ecmp-group-id
The range is from 1 to 64.
2 Add interfaces to the ECMP group bundle.
BGP Multipath Operation with Link Bandwidth
BGP Link Bandwidth (LB) is a way to tell BGP to load-share in an unequal or weighted fashion. LB is an optional, non-transitive Extended Community that indicates the cost of the (external) link in bytes per second. LB is similar to the MED attribute and cannot extend beyond the neighboring AS. The following network diagram depicts a scenario where a 10Gbps link connects the routers R2 and R4 and a 40Gbps link connects the routers R3 and R5:
Figure 36.
bgp dmzlink-bw
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 no shutdown
neighbor 4.4.4.2 remote-as 2
neighbor 4.4.4.2 dmzlink-bw
neighbor 4.4.4.2 no shutdown
neighbor 5.5.5.2 remote-as 2
neighbor 5.5.5.2 dmzlink-bw
neighbor 5.5.5.2 no shutdown
R3#
interface tengigbitethernet 1/1
ip address 1.1.1.3/24
no shutdown
interface fortyGigE 1/48
ip address 3.3.3.1/24
no shut
router bgp 1
maximum-paths ebgp 2
bgp dmzlink-bw
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 no shutdown
neighbor 3.3.3.
Weighted ECMP for Static Routes
Dell Networking OS also supports Weighted ECMP for static routes. You can configure weights corresponding to the paths for a static destination. If all configured paths have weights, traffic distribution is performed using the Weighted ECMP method, with the RTM passing these weights to the FIB. If not all configured paths have weights, regular ECMP is used to determine traffic paths.
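The path-selection rules of this chapter (deterministic ordering of next hops, a seeded per-flow hash, bandwidth-proportional weights as in the link-bandwidth scenario, the fall-back to regular ECMP when any path lacks a weight, and the 60% link bundle monitoring threshold) as an added example that is not part of this guide or of the Dell Networking OS. The two next hops, their interfaces and bandwidths, the sample flows and the 10-point unevenness tolerance are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NextHop:
    address: str
    interface: str
    weight: Optional[int] = None   # None means "no weight configured"

def order_next_hops(hops):
    """Deterministic ECMP: sort the set before programming it so that the CAM
    order no longer depends on the order in which protocols or links came up."""
    return sorted(hops, key=lambda h: (h.address, h.interface))

def weights_from_bandwidth(hops, bandwidth_bps):
    """Weights proportional to link bandwidth, as BGP link bandwidth implies:
    a 10Gbps and a 40Gbps path share traffic 1:4."""
    unit = min(bandwidth_bps[h.interface] for h in hops)
    return [NextHop(h.address, h.interface, bandwidth_bps[h.interface] // unit) for h in hops]

def flow_hash(src_ip, dst_ip, src_port, dst_port, proto, seed=0):
    """Per-flow hash over the 5-tuple plus the hash-algorithm seed (0 to 4095)."""
    key = f"{seed}|{src_ip}|{dst_ip}|{src_port}|{dst_port}|{proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")

def select_next_hop(hops, flow, seed=0):
    """Weighted ECMP when every path has a weight, regular ECMP otherwise."""
    hops = order_next_hops(hops)
    weighted = all(h.weight is not None for h in hops)
    buckets = []
    for h in hops:
        buckets.extend([h] * (h.weight if weighted else 1))
    return buckets[flow_hash(*flow, seed=seed) % len(buckets)]

def distribution(hops, flows, seed=0):
    """Count how many of the given flows land on each interface."""
    counts = {h.interface: 0 for h in hops}
    for flow in flows:
        counts[select_next_hop(hops, flow, seed).interface] += 1
    return counts

def link_bundle_report(link_bytes, link_capacity, threshold=60, tolerance=10):
    """Link bundle monitoring: only once the bundle's average utilisation passes
    the threshold (60% default) are individual links compared with the average.
    `tolerance` (percentage points) is an assumed value, not one from the guide."""
    util = {link: 100 * link_bytes[link] / link_capacity[link] for link in link_bytes}
    average = sum(util.values()) / len(util)
    if average <= threshold:
        return {"monitoring": False, "average": average, "uneven": []}
    uneven = sorted(link for link, u in util.items() if abs(u - average) > tolerance)
    return {"monitoring": True, "average": average, "uneven": uneven}

# Constructed topology in the spirit of Figure 36: one 10Gbps and one 40Gbps path
PATHS = [NextHop("4.4.4.2", "tengigabitethernet 1/1"), NextHop("5.5.5.2", "fortyGigE 1/48")]
BANDWIDTH = {"tengigabitethernet 1/1": 10_000_000_000, "fortyGigE 1/48": 40_000_000_000}
SAMPLE_FLOWS = [(f"10.0.{i // 256}.{i % 256}", "192.168.1.10", 1024 + i, 443, 6) for i in range(1000)]
```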
15 FCoE Transit
The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.
NOTE: FIP snooping is not supported on Fibre Channel interfaces.
FIP enables FCoE devices to discover one another, initialize and maintain virtual links over an Ethernet network, and access storage devices in a storage area network (SAN). FIP satisfies the Fibre Channel requirement for point-to-point connections by creating a unique virtual link for each connection between an FCoE end-device and an FCF via a transit switch. FIP provides functionality for discovering and logging into an FCF.
Figure 37. FIP Discovery and Login Between an ENode and an FCF
FIP Snooping on Ethernet Bridges
In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is called a FIP snooping bridge (FSB).
Figure 38. FIP Snooping on a Core Switch
The following sections describe how to configure the FIP snooping feature on a switch that functions as a FIP snooping bridge so that it can perform the following functions:
• Allocate CAM resources for FCoE.
• Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis.
FIP Snooping in a Switch Stack
FIP snooping supports switch stacking as follows:
• A switch stack configuration is synchronized with the standby stack unit.
• Dynamic population of the FCoE database (ENode, Session, and FCF tables) is synchronized with the standby stack unit. The FCoE database is maintained by snooping FIP keep-alive messages.
• In case of a failover, the new master switch starts the required timers for the FCoE database tables. Timers run only on the master stack unit.
• To allow FIP frames to pass through the switch on all VLANs, enable FIP snooping globally on a switch.
• A switch can support a maximum of eight FIP snooping VLANs. Configure at least one FCF/bridge-to-bridge port mode interface for any FIP snooping-enabled VLAN.
• You can configure multiple FCF-trusted interfaces in a VLAN.
• When you disable FIP snooping:
  • ACLs are not installed, FIP and FCoE traffic is not blocked, and FIP packets are not processed.
Configure a Port for a Bridge-to-Bridge Link
If a switch port is connected to another FIP snooping bridge, configure the FCoE-Trusted Port mode for bridge-to-bridge links. Initially, all FCoE traffic is blocked. Only FIP frames with the ALL_FCF_MAC and ALL_ENODE_MAC values in their headers are allowed to pass. After the switch learns the MAC address of a connected FCF, it allows FIP frames destined to or received from the FCF MAC address.
• The maximum number of FIP snooping sessions supported per ENode server is 32 by default, and the maximum number of sessions you can configure is 64. To increase the maximum number of sessions to 64, use the fip-snooping max-sessions-per-enodemac command.
• The maximum number of FCFs supported per FIP snooping-enabled VLAN is twelve.
• The maximum number of FCoE VLANs supported on the switch is eight.
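The ACL behaviour of a FIP snooping bridge as the preceding sections describe it (only FIP frames to ALL_FCF_MAC and ALL_ENODE_MAC pass at first, FIP to or from a learned FCF passes afterwards, FCoE passes only for a logged-in session, with the 32-session and twelve-FCF limits), as an added example that is not code from this guide or from the Dell Networking OS. The well-known multicast MACs and EtherTypes are the FC-BB-5 values; the ENode and FCF MACs and FC-IDs used in testing are constructed.

```python
from dataclasses import dataclass

# Well-known FIP multicast MACs and EtherTypes from FC-BB-5; FC-MAP default from this guide
ALL_ENODE_MAC, ALL_FCF_MAC = "01:10:18:01:00:01", "01:10:18:01:00:02"
ETH_FIP, ETH_FCOE = 0x8914, 0x8906
DEFAULT_FC_MAP = 0x0EFC00
MAX_FCF_PER_VLAN = 12
DEFAULT_MAX_SESSIONS = 32   # per ENode; the guide allows raising this to 64

@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int
    vlan: int

def fpma(fc_map, fc_id):
    """Fabric-provided MAC: the 3-byte FC-MAP followed by the 3-byte FC-ID."""
    value = (fc_map << 24) | fc_id
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))

class FipSnoopingBridge:
    """Models the ACL state a FIP snooping bridge keeps per FCoE VLAN."""
    def __init__(self, fc_map=DEFAULT_FC_MAP, max_sessions=DEFAULT_MAX_SESSIONS):
        self.fc_map, self.max_sessions = fc_map, max_sessions
        self.fcfs = {}       # vlan -> FCF MACs learned on FCF-trusted ports
        self.fcoe_macs = {}  # vlan -> FPMAs with an open session
        self.sessions = {}   # (vlan, enode_mac) -> set of FPMAs

    def learn_fcf(self, vlan, fcf_mac):
        """FCF learned from a FIP advertisement on an FCF-trusted port (max 12 per VLAN)."""
        fcfs = self.fcfs.setdefault(vlan, set())
        if fcf_mac not in fcfs and len(fcfs) >= MAX_FCF_PER_VLAN:
            return False
        fcfs.add(fcf_mac)
        return True

    def flogi_accept(self, vlan, enode_mac, fcf_mac, fc_id):
        """A FIP FLOGI/FDISC accept from a known FCF opens a session for the FPMA."""
        if fcf_mac not in self.fcfs.get(vlan, ()):
            return None
        sessions = self.sessions.setdefault((vlan, enode_mac), set())
        if len(sessions) >= self.max_sessions:
            return None
        mac = fpma(self.fc_map, fc_id)
        sessions.add(mac)
        self.fcoe_macs.setdefault(vlan, set()).add(mac)
        return mac

    def logout(self, vlan, enode_mac, fcoe_mac):
        """A FLOGO accept or a clear virtual link tears the session ACL down."""
        self.sessions.get((vlan, enode_mac), set()).discard(fcoe_mac)
        self.fcoe_macs.get(vlan, set()).discard(fcoe_mac)

    def permit(self, frame):
        """Forwarding decision for one frame on a FIP snooping VLAN."""
        fcfs = self.fcfs.get(frame.vlan, set())
        if frame.ethertype == ETH_FIP:
            # Initially only the well-known multicast destinations pass; once an
            # FCF is learned, FIP to or from that FCF MAC is allowed as well.
            return frame.dst in (ALL_FCF_MAC, ALL_ENODE_MAC) or frame.dst in fcfs or frame.src in fcfs
        if frame.ethertype == ETH_FCOE:
            # FCoE passes only between a logged-in FPMA and a learned FCF
            macs = self.fcoe_macs.get(frame.vlan, set())
            return (frame.src in macs and frame.dst in fcfs) or (frame.src in fcfs and frame.dst in macs)
        return True   # non-FCoE traffic is not subject to the FIP snooping ACLs
```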
Displaying FIP Snooping Information
Use the following show commands to display information on FIP snooping.
Table 29. Displaying FIP Snooping Information
Command: show fip-snooping sessions [interface vlan vlan-id]
Output: Displays information on FIP-snooped sessions on all VLANs or a specified VLAN, including the ENode interface and MAC address, the FCF interface and MAC address, VLAN ID, FCoE MAC address and FCoE session ID number (FC-ID), worldwide node name (WWNN) and the worldwide port name (WWPN).
Table 30. show fip-snooping sessions Command Description
Field: Description
ENode MAC: MAC address of the ENode.
ENode Interface: Slot/port number of the interface connected to the ENode.
FCF MAC: MAC address of the FCF.
FCF Interface: Slot/port number of the interface to which the FCF is connected.
VLAN: VLAN ID number used by the session.
FCoE MAC: MAC address of the FCoE session assigned by the FCF.
FC-ID: Fibre Channel ID assigned by the FCF.
Port WWPN: Worldwide port name of the CNA port.
Table 32. show fip-snooping fcf Command Description
Field: Description
FCF MAC: MAC address of the FCF.
FCF Interface: Slot/port number of the interface to which the FCF is connected.
VLAN: VLAN ID number used by the session.
FC-MAP: FC-Map value advertised by the FCF.
ENode Interface: Slot/number of the interface connected to the ENode.
FKA_ADV_PERIOD: Period of time (in milliseconds) during which FIP keep-alive advertisements are transmitted.
No of ENodes: Number of ENodes connected to the FCF.
The following example shows the show fip-snooping statistics port-channel command.
Field  Description
Number of FDISC Accepts  Number of FIP FDISC accept frames received on the interface.
Number of FDISC Rejects  Number of FIP FDISC reject frames received on the interface.
Number of FLOGO Accepts  Number of FIP FLOGO accept frames received on the interface.
Number of FLOGO Rejects  Number of FIP FLOGO reject frames received on the interface.
Number of CVLs  Number of FIP clear virtual link frames received on the interface.
FCoE Transit Configuration Example
The following illustration shows a core switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway.
Figure 39. Configuration Example: FIP Snooping on a Core Switch
In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
Example of Enabling an FC-MAP Value on a VLAN
Dell(conf-if-vl-10)# fip-snooping fc-map 0x0EFC01
NOTE: Configuring an FC-MAP value is only required if you do not use the default FC-MAP value (0x0EFC00).
16 FIPS Cryptography Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms.
Enabling FIPS Mode
To enable or disable FIPS mode, use the console port. Secure the host attached to the console port against unauthorized access. Any attempt to enable or disable FIPS mode from a virtual terminal session is denied. When you enable FIPS mode, the following actions are taken:
• If enabled, the SSH server is disabled.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
System MAC       : 00:01:e8:8a:ff:0c
Reload Type      : normal-reload [Next boot : normal-reload]

-- Unit 0 --
Unit Type        : Management Unit
Status           : online
Next Boot        : online
Required Type    : C9010 - 48-port GE/TE/FG (SE)
Current Type     : C9010 - 48-port GE/TE/FG (SE)
Master priority  : 0
Hardware Rev     : 3.
Num Ports        :
Up Time          :
Dell Version     :
Jumbo Capable    :
POE Capable      :
FIPS Mode        :
Burned In MAC    :
No Of MACs       :
...
17 Flex Hash and Optimized Boot-Up This chapter describes the Flex Hash and fast-boot enhancements. Topics: • Flex Hash Capability Overview • Configuring the Flex Hash Mechanism • LACP Fast Switchover • Configuring LACP Fast Switchover • LACP • RDMA Over Converged Ethernet (RoCE) Overview • Sample Configurations • Preserving 802.
When load balancing RRoCE packets using flex hash is enabled, the show ip flow command is disabled. Similarly, when the show ip flow command is in use (ingress port-based load balancing is disabled), the hashing of RRoCE packets is disabled. Flex hash APIs do not mask out unwanted byte values after extraction of the data from the Layer 4 headers for the offset value.
RRoCE packets are received and transmitted on specific interfaces called lite-subinterfaces. These interfaces are similar to the normal Layer 3 physical interfaces except for the extra provisioning that they offer to enable the VLAN ID for encapsulation. You can configure a physical interface or a Layer 3 Port Channel interface as a lite subinterface. When you configure a lite subinterface, only tagged IP packets with VLAN encapsulation are processed and routed. All other data packets are discarded.
Sample Configurations Figure 40.
 description Link to RoCE Adapter
 no ip address
 mtu 9216
 portmode hybrid
 switchport
 no spanning-tree
 !
 protocol lldp
  dcbx port-role auto-downstream
 no shutdown
!
interface fortyGigE 0/33
 description "To C9010s"
 no ip address
 mtu 9216
 !
 port-channel-protocol LACP
  port-channel 1 mode active
 !
 protocol lldp
  no advertise dcbx-tlv ets-reco
  dcbx port-role auto-upstream
 no shutdown

C9010 1 and C9010 2, VLT, RoCE, and iSCSI
!
dcb-map converged
 description DCB map for C9010 interlinks
 priority-group 0 bandwidth 30 pf

interface fortyGigE 1/4
 no ip address
 mtu 9216
 dcb-map Converged
 protocol lldp
 no shutdown

C9010 2
vlt domain 2
 peer-link port-channel 128
 back-up destination
interface Port-channel 128
 no ip address
 mtu 9216
 channel-member fortyGigE 1/4
 no shutdown
interface fortyGigE 1/4
 no ip address
 mtu 9216
 dcb-map Converged
 protocol lldp
 no shutdown

 description from MXL B1 Switch
 no ip address
 mtu 9216
 dcb-map RoCE
 !
 port-channel-protocol LACP
  port-channel 50 mode active
 !
 protocol lldp
 no shutdown

 description SOFS- iSCSI
 no ip address
 mtu 9216
 portmode hybrid
 switchport
 spanning-tree rstp edge-port
 spanning-tree 0 portfast
 dcb-map iSCSI
 !
 protocol lldp
 no shutdown

Preserving 802.1Q VLAN Tag Value for Lite Subinterfaces
All the frames in a Layer 2 VLAN are identified using a tag defined in the IEEE 802.1Q standard, which determines the VLAN with which the frames are associated. Such frames are encapsulated with the 802.1Q tags.
18 Force10 Resilient Ring Protocol (FRRP)
Force10 resilient ring protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP serves the same purpose as the spanning tree protocol (STP) in such a topology but converges much faster: STP can take up to 50 seconds to converge (depending on the size of the network and which node fails), and even with optimizations it may still require 4 to 5 seconds to reconverge.
The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node. Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring.
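The two mechanisms just described, ring checking (the Master sends a ring health frame out its primary port on the Control VLAN and expects it back on its secondary port) and ring failure notification (a node whose ring port drops tells the Master at once), as an added simulation. This is example code written for this page, not Dell Networking OS code; the dead interval of three missed hellos, the numbering of nodes and links, and the four-node scenario are assumptions of the model. It shows why the Control VLAN must never be blocked while member VLANs are blocked on the Master's secondary port: that is what keeps the ring loop-free yet fully reachable.

```python
from dataclasses import dataclass, field

# Assumed for this model: the Master declares the ring broken after three
# consecutive hello intervals without its RHF returning on the secondary port.
MISSED_HELLOS_BEFORE_DEAD = 3


@dataclass
class FrrpRing:
    """Ring of `size` switches. Node 0 is the Master; link i joins node i and
    node (i + 1) % size. The Master's primary port faces link 0 and its
    secondary port faces link size-1 (constructed numbering)."""
    size: int
    links_up: list = field(default_factory=list)
    secondary_blocking: bool = True   # member VLANs blocked on the Master's secondary port
    missed: int = 0
    rhf_sent: int = 0
    rhf_received: int = 0
    flushes: int = 0                  # MAC-table flushes on each topology change

    def __post_init__(self):
        if self.size < 2:
            raise ValueError("a ring needs at least two nodes")
        if not self.links_up:
            self.links_up = [True] * self.size

    def _send_rhf(self) -> bool:
        """The RHF goes out the primary port on the Control VLAN, which every node
        forwards (the Control VLAN is never blocked); it comes back on the
        secondary port only if every link around the ring is up."""
        self.rhf_sent += 1
        if all(self.links_up):
            self.rhf_received += 1
            return True
        return False

    def _open_ring(self) -> None:
        self.secondary_blocking = False   # unblock member VLANs so traffic has a path
        self.flushes += 1

    def tick(self) -> str:
        """One hello interval of ring checking at the Master."""
        if self._send_rhf():
            self.missed = 0
            if not self.secondary_blocking:
                self.secondary_blocking = True   # ring healed: block again so no loop forms
                self.flushes += 1
        else:
            self.missed += 1
            if self.missed >= MISSED_HELLOS_BEFORE_DEAD and self.secondary_blocking:
                self._open_ring()
        return self.state()

    def link_failure(self, link: int) -> str:
        """Ring failure notification: the node that sees its ring port go down
        tells the Master immediately, so it does not wait for the dead interval."""
        self.links_up[link] = False
        if self.secondary_blocking:
            self._open_ring()
        return self.state()

    def link_restore(self, link: int) -> None:
        self.links_up[link] = True

    def state(self) -> str:
        return "intact/secondary-blocking" if self.secondary_blocking else "broken/secondary-forwarding"

    def has_loop(self) -> bool:
        """True when member-VLAN frames could circulate: every link up and nothing blocked."""
        return all(self.links_up) and not self.secondary_blocking

    def member_path_exists(self, a: int, b: int) -> bool:
        """Can member-VLAN traffic get from node a to node b either way round the ring?"""
        n = self.size
        usable = [up and not (self.secondary_blocking and i == n - 1)
                  for i, up in enumerate(self.links_up)]
        clockwise = all(usable[(a + k) % n] for k in range((b - a) % n))
        counter = all(usable[(b + k) % n] for k in range((a - b) % n))
        return clockwise or counter


def demo() -> list:
    """Constructed scenario: four-node ring, a silent link failure caught by ring
    checking, recovery, then a failure reported by notification."""
    ring = FrrpRing(size=4)
    events = [ring.tick()]                              # healthy: secondary blocks member VLANs
    events.append(ring.member_path_exists(1, 3))        # reachable clockwise over links 1 and 2
    ring.links_up[2] = False                            # link 2 dies without any notification
    events += [ring.tick(), ring.tick(), ring.tick()]   # declared broken only on the third miss
    events.append(ring.member_path_exists(1, 3))        # still reachable, now through the Master
    ring.link_restore(2)
    events.append(ring.has_loop())                      # loop-capable until the Master re-blocks
    events.append(ring.tick())                          # RHF returns: secondary blocked again
    events.append(ring.link_failure(0))                 # notification: opened at once
    return events
```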
Member VLAN Spanning Two Rings Connected by One Switch A member VLAN can span two rings interconnected by a common switch, in a figure-eight style topology. A switch can act as a Master node for one FRRP group and a Transit for another FRRP group, or it can be a Transit node for both rings. In the following example, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups.
Important FRRP Concepts
The following table lists some important FRRP concepts.
Concept  Explanation
Ring ID  Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202, as shown in the illustration in Member VLAN Spanning Two Rings Connected by One Switch).
Control VLAN  Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHFs and cannot be used for any other purpose.
FRRP Configuration
These are the tasks to configure FRRP.
• Creating the FRRP Group
• Configuring the Control VLAN
• Configuring and Adding the Member VLANs
• Configuring Primary and Secondary Ports
Other FRRP-related commands are:
• Clearing the FRRP Counters
• Viewing the FRRP Configuration
• Viewing the FRRP Information
Creating the FRRP Group
Create the FRRP group on each switch in the ring. To create the FRRP group, use the protocol frrp ring-id command.
VLAN ID: from 1 to 4094.
2 Tag the specified interface or range of interfaces to this VLAN. CONFIG-INT-VLAN mode.
tagged interface slot/port {range}
Interface:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Slot/Port, Range: Slot and Port ID for the interface. Range is entered Slot/Port-Port.
interface vlan vlan-id
VLAN ID: the range is from 1 to 4094.
2 Tag the specified interface or range of interfaces to this VLAN. CONFIG-INT-VLAN mode.
tagged interface slot/port {range}
Interface:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Slot/Port, range: Slot and Port ID for the interface. The range is entered Slot/Port-Port.
Clearing the FRRP Counters
To clear the FRRP counters, use one of the following commands.
• Clear the counters associated with this Ring ID. EXEC Privilege mode.
  clear frrp ring-id
  Ring ID: the range is from 1 to 255.
• Clear the counters associated with all FRRP groups. EXEC Privilege mode.
  clear frrp
Viewing the FRRP Configuration
To view the configuration for the FRRP group, use the following command.
• Show the configuration for this FRRP group. CONFIG-FRRP mode.
• There can be only one Master node for any FRRP group.
• You can configure FRRP on Layer 2 interfaces only.
• Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
• When the interface ceases to be a part of any FRRP process, if you enable Spanning Tree globally, also enable it explicitly for the interface.
• The maximum number of rings allowed on a chassis is 255.
Example of R3 TRANSIT
interface TengigabitEthernet 3/14
 no ip address
 switchport
 no shutdown
!
interface TengigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged TengigabitEthernet 3/14,21
 no shutdown
!
interface Vlan 201
 no ip address
 tagged TengigabitEthernet 3/14,21
 no shutdown
!
protocol frrp 101
 interface primary TengigabitEthernet 3/21 secondary TengigabitEthernet 3/14
 control-vlan 101
 member-vlan 201
 mode transit
 no disable

FRRP Support on VLT
Using FRRP
This active-active FRRP configuration blocks the FRRP ring on a per-VLAN or VLAN-group basis, enabling the configuration to span different sets of VLANs. An FRRP configuration in which VLTi nodes act as the primary or secondary interfaces ensures that all the optics used to connect VLT domains across data centers are fully utilized.
Figure 42. FRRP Ring using VLTi links
Important Points to Remember
• A VLTi can be configured only as the primary interface of an FRRP ring.
• Only RSTP and PVST are supported in the VLT environment. Enabling either RSTP or PVST affects FRRP functionality even though these features are disabled on FRRP-enabled interfaces.
• Dell Networking OS does not support coexistence of xSTP and FRRP configurations.
19 GARP VLAN Registration Protocol (GVRP) GARP VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN.
Configure GVRP To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports. Figure 43.
Enabling GVRP Globally
To configure GVRP globally, use the following command.
• Enable GVRP for the entire switch. CONFIGURATION mode
  gvrp enable
Example of Configuring GVRP
Dell(conf)#protocol gvrp
Dell(config-gvrp)#no disable
Dell(config-gvrp)#show config
!
protocol gvrp
  no disable
Dell(config-gvrp)#
To inspect the global configuration, use the show gvrp brief command.
Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
Based on the configuration in the following example, the interface 1/21 is not removed from VLAN 34 or VLAN 35 despite receiving a GVRP Leave message. Additionally, the interface is not dynamically added to VLAN 45 or VLAN 46, even if a GVRP Join message is received.
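The behaviour just described for interface 1/21, as an added model of a port's GVRP registrar; this is example code written for this page, not Dell Networking OS code. The three registration modes it uses (normal: Join adds and Leave removes a dynamic membership; fixed: the VLAN stays on the port whatever GVRP says; forbidden: the port is never added to the VLAN through GVRP) and the VLAN 100 used alongside the text's 34, 35, 45 and 46 are assumptions of the model. The security point is the forbidden mode: without it, any host on the port could add the port to a VLAN simply by sending a GVRP Join.

```python
NORMAL, FIXED, FORBIDDEN = "normal", "fixed", "forbidden"


class GvrpPort:
    """Per-VLAN GVRP registrar for one Layer 2 port (added model, not Dell code)."""

    def __init__(self, name: str, gvrp_enabled: bool = True):
        self.name = name
        self.gvrp_enabled = gvrp_enabled
        self.mode = {}          # vlan -> registration mode; unlisted VLANs are NORMAL
        self.static = set()     # VLANs configured on the port by the administrator
        self.dynamic = set()    # VLANs the port joined through GVRP
        self.log = []

    def configure_vlan(self, vlan: int) -> None:
        self.static.add(vlan)

    def registration(self, mode: str, vlans) -> None:
        """Assumed equivalent of a per-interface registration-mode setting."""
        if mode not in (NORMAL, FIXED, FORBIDDEN):
            raise ValueError(f"unknown registration mode {mode!r}")
        for v in vlans:
            self.mode[v] = mode
            if mode == FORBIDDEN:
                self.dynamic.discard(v)   # a forbidden VLAN cannot stay dynamically registered

    def members(self) -> set:
        return self.static | self.dynamic

    def receive(self, pdu: str, vlan: int) -> bool:
        """Apply one GVRP Join or Leave for `vlan`; return True if membership changed."""
        if pdu not in ("Join", "Leave"):
            raise ValueError(f"unknown GVRP message {pdu!r}")
        if not self.gvrp_enabled:
            self.log.append(f"{self.name}: GVRP disabled, {pdu} VLAN {vlan} ignored")
            return False
        mode = self.mode.get(vlan, NORMAL)
        if pdu == "Join":
            if mode == FORBIDDEN:
                self.log.append(f"{self.name}: Join VLAN {vlan} refused (forbidden)")
                return False
            if vlan in self.members():
                return False
            self.dynamic.add(vlan)
            self.log.append(f"{self.name}: joined VLAN {vlan}")
            return True
        # Leave
        if mode == FIXED:
            self.log.append(f"{self.name}: Leave VLAN {vlan} ignored (fixed)")
            return False
        if vlan not in self.dynamic:
            return False              # static memberships are never removed by GVRP
        self.dynamic.discard(vlan)
        self.log.append(f"{self.name}: left VLAN {vlan}")
        return True


def demo() -> dict:
    """Scenario from the text: port 1/21 keeps VLANs 34 and 35 despite Leaves and
    is never added to 45 or 46 by Joins; a normal-mode VLAN 100 comes and goes."""
    port = GvrpPort("1/21")
    for v in (34, 35):
        port.configure_vlan(v)
    port.registration(FIXED, (34, 35))
    port.registration(FORBIDDEN, (45, 46))
    changes = [port.receive(p, v) for p, v in
               (("Join", 45), ("Join", 46), ("Join", 100),
                ("Leave", 34), ("Leave", 35), ("Leave", 100))]
    return {"changes": changes, "members": sorted(port.members())}
```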
20 High Availability (HA) High availability (HA) is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions.
Online Insertion and Removal You can add, replace, or remove chassis components (RPMs, line cards, fan modules, power supplies) while the switch is operating. C9010 RPMs and line cards are hot-swappable. Use the information in this section when inserting an RPM or line card in the C9010 chassis. For more information about how to install an RPM or line card in the C9010, see the C9010 Getting Started Guide or C9010 Installation Guide.
Dell# show linecard 3
-- Linecard 3 --
Status        : not present
Required Type : C9000LC2410G - 24-port TE/GE
Replacing a Line Card
To replace a line card with a line card of the same type, you can remove the old card and insert a new card without any additional configuration. To replace a line card with a different card type, remove the card and then remove the existing line-card configuration for the slot using the command no linecard slot-id provision.
The following protocols are hitless: • 802.1X (802.
Core Dumps
A core dump is the contents of the RAM a program uses at the time of a software exception; it identifies the cause of the exception. There are two types of core dumps: application and kernel.
• Kernel core dump — the kernel is the central component of an OS; it manages system processors and memory allocation and makes these facilities available to applications. A kernel core dump is the contents of the memory the kernel uses at the time of an exception.
To display the reason for the last control-plane failover on the chassis, enter the show redundancy command in EXEC Privilege mode.
NOTE: You can also force the port extender to fail over from the RPM, using the redundancy force-failover pe pe-id command in EXEC Privilege mode.
Example of the redundancy force-failover rpm Command
Dell#redundancy force-failover rpm
Dell#redundancy force-failover pe pe-id
Specifying an Auto-Failover Limit
When a non-recoverable fatal error is detected, an automatic failover occurs. However, the Dell Networking OS is configured to auto-failover only three times within any 60-minute period.
21 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 44. IGMP Messages in IP Packets Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. Responding to an IGMP Query The following describes how a host can join a multicast group. 1 One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences. • Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers. • To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Figure 46. IGMP Version 3–Capable Multicast Routers Address Structure Joining and Filtering Groups and Sources The following illustration shows how multicast routers maintain the group and source information from unsolicited reports. 1 The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1. 2 The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 47. Membership Reports: Joining and Filtering
Leaving and Staying in Groups
The following illustration shows how multicast routers track and refresh state changes in response to group-and-source-specific and general queries.
1 Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the include filter for 10.11.1.1 and 10.11.1.2 is no longer necessary.
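The group and source state a multicast router keeps from the reports in the two illustrations above, as an added worked model; this is example code written for this page, not Dell Networking OS code. It follows the RFC 3376 record types (IS_IN, IS_EX, TO_IN, TO_EX, ALLOW, BLOCK) with one stated simplification: a single reporter per group and no source timers, so a source removed by TO_IN or BLOCK disappears as soon as the group-and-source-specific query it triggers goes unanswered. The IGMPv2 mapping (a v2 Report is IS_EX with no sources, a v2 Leave is TO_IN with no sources) and the addresses in the demo other than 224.1.1.1, 10.11.1.1 and 10.11.1.2 are assumptions.

```python
from dataclasses import dataclass, field

INCLUDE, EXCLUDE = "INCLUDE", "EXCLUDE"
# IGMPv3 group-record types (RFC 3376): current state, filter-mode change, source-list change
IS_IN, IS_EX, TO_IN, TO_EX, ALLOW, BLOCK = "IS_IN", "IS_EX", "TO_IN", "TO_EX", "ALLOW", "BLOCK"


@dataclass
class GroupState:
    mode: str
    sources: set    # INCLUDE: sources wanted; EXCLUDE: sources blocked


@dataclass
class Igmpv3Router:
    """Per-interface group/source state of a multicast router (added model, not Dell code)."""
    groups: dict = field(default_factory=dict)   # group -> GroupState
    queries: list = field(default_factory=list)  # (group, sources) queries the router would send

    def _set_include(self, group: str, sources: set) -> None:
        if sources:
            self.groups[group] = GroupState(INCLUDE, set(sources))
        else:
            self.groups.pop(group, None)   # INCLUDE({}) means no receiver is left

    def report(self, group: str, rtype: str, sources=()) -> None:
        b = set(sources)
        st = self.groups.get(group)
        if st is None:                                   # first report for this group
            if rtype in (IS_IN, ALLOW, TO_IN):
                self._set_include(group, b)
            elif rtype in (IS_EX, TO_EX):
                self.groups[group] = GroupState(EXCLUDE, b)
            return                                       # BLOCK with no state: nothing to do
        if st.mode == INCLUDE:
            a = st.sources
            if rtype in (IS_IN, ALLOW):
                a |= b
            elif rtype in (IS_EX, TO_EX):
                self.groups[group] = GroupState(EXCLUDE, b - a)
            elif rtype == TO_IN:
                self.queries.append((group, a - b))      # ask whether anyone still wants A-B
                self._set_include(group, b)
            elif rtype == BLOCK:
                self.queries.append((group, a & b))
                self._set_include(group, a - b)
        else:
            y = st.sources
            if rtype in (IS_IN, ALLOW):
                y -= b                                   # allowed sources are unblocked
            elif rtype in (IS_EX, TO_EX):
                st.sources = b
            elif rtype == TO_IN:
                self.queries.append((group, set()))      # group-specific query: anyone else?
                self._set_include(group, b)
            elif rtype == BLOCK:
                y |= b

    # Assumed IGMPv2 mapping: a v2 Report is IS_EX({}) (any source), a v2 Leave is TO_IN({}).
    def v2_report(self, group: str) -> None:
        self.report(group, IS_EX, ())

    def v2_leave(self, group: str) -> None:
        self.report(group, TO_IN, ())

    def forward(self, group: str, source: str) -> bool:
        """Would traffic from `source` to `group` be forwarded onto this interface?"""
        st = self.groups.get(group)
        if st is None:
            return False
        return source in st.sources if st.mode == INCLUDE else source not in st.sources


def demo():
    """The sequence from the two illustrations: join 224.1.1.1 from any source,
    narrow to 10.11.1.1, allow 10.11.1.2 as well, then leave."""
    r = Igmpv3Router()
    g = "224.1.1.1"
    decisions = []
    r.report(g, IS_EX, [])                         # unsolicited report: any source
    decisions.append(r.forward(g, "10.11.1.1"))    # True
    r.report(g, TO_IN, ["10.11.1.1"])              # only this source from now on
    decisions.append(r.forward(g, "10.11.1.1"))    # True
    decisions.append(r.forward(g, "10.11.1.2"))    # False
    r.report(g, ALLOW, ["10.11.1.2"])
    decisions.append(r.forward(g, "10.11.1.2"))    # True
    r.report(g, TO_IN, [])                         # leave: include filter no longer needed
    decisions.append(r.forward(g, "10.11.1.1"))    # False
    return decisions, r.queries
```

The queries list is where the last member query interval comes in: each entry is a group-specific or group-and-source-specific query the router sends before it removes state, and the interval it waits for an answer is the LMQI described later in this chapter.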
Figure 48. Membership Queries: Leaving and Staying Configure IGMP Configuring IGMP is a two-step process. 1 Enable multicast routing using the ip multicast-routing command. 2 Enable a multicast routing protocol.
Viewing IGMP Enabled Interfaces
Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command.
• View IGMP-enabled interfaces. EXEC Privilege mode
  show ip igmp interface
Example of the show ip igmp interface Command
Dell(conf-if-te-1/0)#show ip igmp interface tengigabitethernet 1/0
TenGigabitEthernet 1/0
  Inbound IGMP access group is not set
  Internet address is 1.1.1.
• View both learned and statically configured IGMP groups. EXEC Privilege mode
  show ip igmp groups
Example of the show ip igmp groups Command
Dell#show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address  Interface               Mode           Uptime    Expires   Last Reporter
225.1.1.1      TenGigabitEthernet 1/0  IGMPv2-Compat  00:00:06  00:02:03  1.1.1.2
225.1.1.2      TenGigabitEthernet 1/0  IGMPv2-Compat  00:00:06  00:02:03  1.1.1.
• Enable IGMP snooping on a switch. CONFIGURATION mode
  ip igmp snooping enable
• View the configuration. CONFIGURATION mode
  show running-config
• Disable snooping on a VLAN.
Disabling Multicast Flooding If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. When you configure the no ip igmp snooping flood command, the system drops the packets immediately. The system does not forward the frames on mrouter ports, even if they are present. Disable Layer 3 multicast (no ip multicast-routing) in order to disable multicast flooding.
Adjusting the Last Member Query Interval To adjust the last member query interval, use the following command. When the querier receives a Leave message from a receiver, it sends a group-specific query out of the ports specified in the forwarding table. If no response is received, it sends another. The amount of time that the querier waits to receive a response to the initial query before sending a second one is the last member query interval (LMQI).
22 Interfaces This chapter describes interface types, both physical and logical, and how to configure them on the switch. • 1-Gigabit Ethernet, 10-Gigabit Ethernet and 40-Gigabit Ethernet interfaces are supported on the C9010 switch and 1-Gigabit Ethernet C1048P port extender.
• Management Interfaces • Port Extender Interfaces • VLAN Interfaces • Loopback Interfaces • Null Interfaces • Port Channel Interfaces • Bulk Configuration • Defining Interface Range Macros • Monitoring and Maintaining Interfaces • Displaying Traffic Statistics on HiGig Ports • Link Bundle Monitoring • Monitoring HiGig Link Bundles • Non Dell-Qualified Transceivers • Splitting QSFP Ports to SFP+ Ports • Configuring wavelength for 10–Gigabit SFP+ optics • Link Dampening • Usi
Figure 49. C9010 Slot Numbering
To configure a C9010 port, specify the interface with the command syntax: interface {TenGigabitEthernet | fortyGigE} slot/port-number
• The slot is a chassis slot number from 0 to 11.
• port-number is a line-card port number from 0 to 23 or an RPM port number from 0 to 3.
NOTE: For slots 10 and 11, the port number is from 0 to 3 only. On the C9010, port interface numbers are written above the ports.
NOTE: To locate a 4x10G port, enter the system location-led interface {fortyGigE | tengigabitethernet} slot/port on command. The 4x10G port LED turns solid blue. Figure 51. 1/10GbE SFP+ Port Numbering On the 1/10GbE SFP+ line card, ports are numbered from 0 to 23 and operate in 1/10G mode. Figure 52. 1/10GbE RJ-45 Port Numbering On the 1/10GbE RJ-45 line card, ports are numbered from 0 to 23 and operate in 1/10G mode. Figure 53.
interface peGigE pe-id/pe-stack-unit-id/port-number
• pe-id is a port-extender ID number from 0 to 255.
• pe-stack-unit-id is a PE stack-unit number from 0 to 7.
• port-number is a port number from 1 to 48.
NOTE: PE configuration commands are only available after you enable the extended-bridge feature. See Enabling the Port Extender Feature.
NOTE: To locate a C1048P, enter the location-led pe pe-id stack-unit unit-number command in EXEC Privilege mode to toggle the location LED for the PE on and off.
NOTE: To end output from the system, such as the output from the show interfaces command, enter CTRL+C. The system returns you to the command prompt. NOTE: The CLI output may be incorrectly displayed as 0 (zero) for the Rx/Tx power values. To obtain the correct power information, perform a simple network management protocol (SNMP) query. Examples of Using the Show Commands The following example shows the configuration and status information for one interface.
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     0 Multicasts, 0 Broadcasts, 0 Unicasts
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics:
     0 packets, 0 bytes, 0 underruns
     0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     0 Multicasts, 0 Broadcasts, 0 Unicasts
     0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.
Te 6/2 through Te 6/23
Fo 9/0, Fo 9/4, Fo 9/8, Fo 9/12, Fo 9/16, Fo 9/20
Te 10/0 through Te 10/3
Te 11/0 through Te 11/3
PeGi 255/1/1 through PeGi 255/1/48
PeGi 255/2/1 ...
PeGi 255/3/7 through PeGi 255/3/39 ...
(interface list continues; only the interface names of this output survived)
 no ip address
 shutdown
!
interface TengigabitEthernet 9/7
 no ip address
 shutdown
!
interface TengigabitEthernet 9/8
 no ip address
 shutdown
!
interface TengigabitEthernet 9/9
 no ip address
 shutdown
Resetting an Interface to its Factory Default State
You can reset any configuration applied on an interface to its factory default state. To reset the configuration, perform the following steps:
1 View the configuration applied on an interface.
CONFIGURATION mode
interface interface
• For the Management interface, enter the keyword ManagementEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• For a port extender (PE) Gigabit Ethernet interface, enter the keyword peGigE then the pe-id/stack-unit/port-id information.
2 Enable the interface.
4 Access the port. CONFIGURATION mode
  interface interface-type
5 Set the local port speed. INTERFACE mode
  speed {10 | 100 | 1000 | 10000 | auto}
  NOTE: If you use an active optical cable (AOC), you can convert the QSFP+ port to a 10 Gigabit SFP+ port or 1 Gigabit SFP port. You can use the speed command to enable the required speed.
6 Disable auto-negotiation on the port. INTERFACE mode
  no negotiation auto
  If the speed was set to 1000, do not disable auto-negotiation.
7 Verify configuration changes.
Type of Interface  Possible Modes    Requires Creation                  Default State
Null interface     N/A               No                                 Enabled
Port Channel       Layer 2, Layer 3  Yes                                Shutdown (disabled)
VLAN               Layer 2, Layer 3  Yes, except for the default VLAN.  No shutdown (active for Layer 2); Shutdown (disabled for Layer 3)
Configuring Layer 2 (Data Link) Mode
Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode.
through the interface. Layer 2 traffic is unaffected by the shutdown command. One of the interfaces in the system must be in Layer 3 mode before you configure or enter a Layer 3 protocol mode (for example, OSPF).
• Enable Layer 3 on an individual interface. INTERFACE mode
  ip address
• Enable the interface.
  MTU is 1554 bytes
  Inbound access list is not set
  Proxy ARP is enabled
  Split Horizon is enabled
  Poison Reverse is disabled
  ICMP redirects are not sent
  ICMP unreachables are not sent
  IP unicast RPF check is not supported
Egress Interface Selection (EIS)
EIS allows you to isolate the management and front-end port domains by preventing switch-initiated traffic from being routed between the two domains. This feature provides additional security by preventing flooding attacks on front-end ports.
Management Interfaces The switch supports the Management Ethernet interface as well as the standard interface on any port. You can use either method to connect to the system. Configuring a Dedicated Management Interface The dedicated Management interface provides management access to the system. You can configure this interface using the CLI, but the configuration options on this interface are limited.
Input 791 packets, 62913 bytes, 775 multicast Received 0 errors, 0 discarded Output 21 packets, 3300 bytes, 20 multicast Output 0 errors, 0 invalid protocol Time since last interface status change: 00:06:03 Unless you configure the management route command, you can only access the Management interface from the local LAN. To access the Management interface from another LAN, configure the management route command to point to the Management interface.
       B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated,
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2,
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area,
       * - candidate default, > - non-active route, + - summary route
Gateway of last resort is not set
    Destination
    -----------
C   6.1.1.0/24
C   10.1.1.0/24
*S  0.0.0.
NOTE: You cannot assign an IP address to the default VLAN, which is VLAN 1 (by default). To assign another VLAN ID to the default VLAN, use the default vlan-id vlan-id command. To assign an IP address to an interface, use the following command. • Configure an IP address and mask on the interface. INTERFACE mode ip address ip-address mask [secondary] • ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24).
The only configurable command in INTERFACE mode of the Null interface is the ip unreachable command. Port Channel Interfaces Port channel interfaces support link aggregation, as described in IEEE Standard 802.3ad. This section covers the following topics: • Port Channel Definition and Standards • Port Channel Benefits • Port Channel Implementation • Configuration Tasks for Port Channel Interfaces Port Channel Definition and Standards Link aggregation is defined by IEEE 802.
Port channels can contain a mix of 10 or 40 Gigabit Ethernet interfaces. The interface speed (10 or 40 Gbps) the port channel uses is determined by the first port channel member that is physically up. The system disables the interfaces that do not match the interface speed set by that first channel member. That first interface may be the first interface that is physically brought up, or the one that was physically operating when interfaces were added to the port channel.
You can configure a port channel as you would a physical interface by enabling or configuring protocols or assigning access control lists. Adding a Physical Interface to a Port Channel The physical interfaces in a port channel can be on any line card in the chassis, but must be the same physical type. You can add any physical interface to a port channel if the interface configuration is minimal.
I - Internally Lagged

LAG  Mode  Status  Uptime    Ports
1    L2    up      00:15:36  Te 0/0   (Up)
                             Te 0/1   (Up)
                             Te 1/12  (Up)
                             Te 1/13  (Up)
The following example is for a L2 port channel with port extender interfaces.
Reassigning an Interface to a New Port Channel An interface can be a member of only one port channel. If the interface is a member of a port channel, remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, the system recalculates the hash algorithm for the port channel. To reassign an interface to a new port channel, use the following commands. 1 Remove the interface from the first port channel.
Dell(conf-if-po-1)#minimum-links 5 Dell(conf-if-po-1)# Adding or Removing a Port Channel from a VLAN As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command). To add or remove a VLAN port channel and to view VLAN port channel members, use the following commands. • Add the port channel to the VLAN as a tagged interface.
no interface portchannel channel-number
• Disable a port channel.
  shutdown
When you disable a port channel, all interfaces within the port channel are operationally down also.
Load Balancing Through Port Channels
The system uses hash algorithms for distributing traffic evenly over channel members in a port channel (LAG). The hash algorithm distributes traffic among equal-cost multipath (ECMP) paths and LAG members. The distribution is based on a flow, except for packet-based hashing.
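The port channel rules from the preceding pages (the first member that is physically up fixes the LAG speed and mismatched members are disabled; the LAG stays up only while it has at least minimum-links active members; traffic is hashed per flow across the active members and re-hashed whenever the member set changes), as one added model; this is example code written for this page, not Dell Networking OS code. The hash function, the 5-tuple flow key, the member names and the constructed flows are assumptions of the model; the ASIC's actual hash is not described on the page.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    speed_gbps: int
    link_up: bool = True
    speed_mismatch: bool = False   # set by the LAG when the member's speed differs from the LAG speed


class PortChannel:
    """Model of a LAG as the section describes it (added example, not Dell code)."""

    def __init__(self, number: int, minimum_links: int = 1):
        self.number = number
        self.minimum_links = minimum_links
        self.members = []
        self.speed_gbps = None

    def add(self, member: Member) -> None:
        self.members.append(member)
        self.reconcile()

    def set_link(self, name: str, up: bool) -> None:
        for m in self.members:
            if m.name == name:
                m.link_up = up
        self.reconcile()

    def reconcile(self) -> None:
        """The first physically-up member fixes the LAG speed; others must match it."""
        if self.speed_gbps is None:
            first_up = next((m for m in self.members if m.link_up), None)
            if first_up is not None:
                self.speed_gbps = first_up.speed_gbps
        for m in self.members:
            m.speed_mismatch = self.speed_gbps is not None and m.speed_gbps != self.speed_gbps

    def active_members(self) -> list:
        return [m for m in self.members if m.link_up and not m.speed_mismatch]

    def is_up(self) -> bool:
        return len(self.active_members()) >= self.minimum_links

    def select_member(self, flow: tuple):
        """Flow-based hashing: the same 5-tuple always lands on the same member,
        so a flow's packets stay in order. The member list is re-evaluated on
        every call, which is why flows move when a link leaves or joins."""
        active = self.active_members()
        if not active:
            return None
        key = "|".join(str(x) for x in flow).encode()
        digest = hashlib.sha256(key).digest()      # any stable hash will do for the model
        return active[int.from_bytes(digest[:4], "big") % len(active)].name


def demo() -> dict:
    po = PortChannel(1, minimum_links=3)
    for name in ("Te 0/0", "Te 0/1", "Te 1/12", "Te 1/13"):
        po.add(Member(name, 10))
    po.add(Member("Fo 9/0", 40))        # 40G member on a 10G LAG: disabled, carries nothing
    # Constructed flows: one client to many servers, distinct source ports.
    flows = [("10.0.0.1", f"10.0.1.{i % 200}", 6, 40000 + i, 443) for i in range(1000)]
    before = {fl: po.select_member(fl) for fl in flows}
    counts = {}
    for member in before.values():
        counts[member] = counts.get(member, 0) + 1
    flow_stable = all(po.select_member(flows[7]) == before[flows[7]] for _ in range(5))
    po.set_link("Te 1/13", False)       # one link lost: LAG still up (3 >= minimum-links)
    moved = sum(1 for fl in flows if po.select_member(fl) != before[fl])
    up_after_one = po.is_up()
    po.set_link("Te 1/12", False)       # second link lost: below minimum-links
    return {
        "lag_speed": po.speed_gbps,
        "disabled": [m.name for m in po.members if m.speed_mismatch],
        "counts": counts,
        "flow_stable": flow_stable,
        "moved": moved,
        "te13_flows": counts.get("Te 1/13", 0),
        "up_after_one_down": up_after_one,
        "up_after_two_down": po.is_up(),
    }
```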
Bulk Configuration Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces. Interface Range An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range. Bulk configuration excludes from configuration any non-existing interfaces from an interface range.
Create a Multiple-Range
The following is an example of a multiple range.
Dell(conf)#interface range tengigabitethernet 0/5 - 10 , tengigabitethernet 0/1 , vlan 1
Dell(conf-if-range-te-0/5-10,te-0/1,vl-1)#
Exclude Duplicate Entries
The following is an example showing how duplicate entries are omitted from the interface-range prompt.
Interface Range Enhancements
Inserting a space between comma-separated interfaces and interface ranges in interface range command syntax is no longer required. For example, you can enter the following valid interface range: interface range fo 2/0-16,te 1/0,te 0/0-3,fo 0/4. Also, you can associate a static multicast MAC address with one or more VLANs and port interfaces by using the mac-address-table static multicast-mac-address vlan vlan-id output-range interface command.
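A parser for the interface range syntax described in this section and the one before it, as an added example; this is example code written for this page, not Dell Networking OS code. It accepts the spaced and unspaced forms, expands slot/port-port and VLAN ranges, drops duplicate entries so the first occurrence wins, validates slot and port numbers against the C9010 numbering given earlier in this chapter (slots 0-11, line-card ports 0-23, RPM slots 10 and 11 with ports 0-3 only, VLAN IDs 1-4094), and rebuilds the collapsed prompt the CLI shows. Only TenGigabitEthernet, fortyGigE and VLAN are handled; the tolerance for an en dash pasted in place of a hyphen is an addition of the example.

```python
import re

# Keyword spellings accepted on the command line and their prompt abbreviations.
TYPES = {"tengigabitethernet": "te", "te": "te",
         "fortygige": "fo", "fo": "fo",
         "vlan": "vl", "vl": "vl"}
ITEM = re.compile(r"^\s*([A-Za-z]+)\s*(\d+)(?:/(\d+))?(?:\s*-\s*(\d+))?\s*$")


def _check_physical(slot: int, port: int) -> None:
    """Slot 0-11; line-card ports 0-23; slots 10 and 11 are RPM slots with ports 0-3 only."""
    if not 0 <= slot <= 11:
        raise ValueError(f"slot {slot}: chassis slots are 0-11")
    last = 3 if slot >= 10 else 23
    if not 0 <= port <= last:
        raise ValueError(f"port {slot}/{port}: ports on slot {slot} are 0-{last}")


def parse_interface_range(spec: str) -> list:
    """Expand an interface-range expression into ordered, de-duplicated
    (type, identifier) pairs such as ("te", "0/5") or ("vl", "1")."""
    result, seen = [], set()
    for item in spec.replace("\u2013", "-").split(","):   # tolerate an en dash pasted for '-'
        m = ITEM.match(item)
        if not m:
            raise ValueError(f"cannot parse interface {item.strip()!r}")
        keyword, first, port, last = m.groups()
        itype = TYPES.get(keyword.lower())
        if itype is None:
            raise ValueError(f"unknown interface type {keyword!r}")
        if itype == "vl":
            if port is not None:
                raise ValueError("a VLAN is identified by ID, not slot/port")
            lo, hi = int(first), int(last) if last else int(first)
            if not 1 <= lo <= hi <= 4094:
                raise ValueError(f"VLAN range {lo}-{hi}: IDs are 1-4094")
            ids = [str(v) for v in range(lo, hi + 1)]
        else:
            if port is None:
                raise ValueError(f"{keyword} needs slot/port")
            slot, lo = int(first), int(port)
            hi = int(last) if last else lo
            if hi < lo:
                raise ValueError(f"range {slot}/{lo}-{hi} runs backwards")
            for p in range(lo, hi + 1):
                _check_physical(slot, p)
            ids = [f"{slot}/{p}" for p in range(lo, hi + 1)]
        for ident in ids:
            key = (itype, ident)
            if key not in seen:          # duplicates are dropped; first occurrence wins
                seen.add(key)
                result.append(key)
    return result


def range_prompt(spec: str) -> str:
    """Rebuild the collapsed prompt shown by the CLI: runs of consecutive ports
    of one type and slot become slot/first-last."""
    runs = []
    for itype, ident in parse_interface_range(spec):
        prefix, _, num = ident.rpartition("/")
        num = int(num)
        if runs and runs[-1][0] == itype and runs[-1][1] == prefix and runs[-1][3] + 1 == num:
            runs[-1][3] = num
        else:
            runs.append([itype, prefix, num, num])
    parts = []
    for itype, prefix, lo, hi in runs:
        text = f"{itype}-{prefix}/{lo}" if prefix else f"{itype}-{lo}"
        parts.append(text if lo == hi else f"{text}-{hi}")
    return "conf-if-range-" + ",".join(parts)
```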
Enter the type of interface and slot/port information:
• For the Management interface, enter the keyword ManagementEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• For a port extender (PE) Gigabit Ethernet interface, enter the keyword peGigE then the pe-id/pe-stack-unit-id/port-number information.
TDR is useful for troubleshooting an interface that is not establishing a link; that is, when the link is flapping or not coming up. TDR is not intended to be used on an interface that is passing traffic. When a TDR test is run on a physical cable, it is important to shut down the port on the far end of the cable. Otherwise, it may lead to incorrect test results. NOTE: TDR is an intrusive test. Do not run TDR on a link that is up and passing traffic.
• View all LAG link bundles being monitored.
show running-config ecmp-group
Link bundle monitoring can also be enabled on port channels; the following shows how it is configured:
interface Port-channel 111
 no ip address
 switchport
 no shutdown
 link-bundle-monitor enable
To view the links that are being monitored, use the show link-bundle-distribution command.
• %STKUNIT0-M:CP %SWMGR-5-HG-BUNDLE_UNEVEN_DISTRIBUTION: Found uneven distribution in hg-port-channel 0/5/0
• %STKUNIT0-M:CP %SWMGR-5-HG-BUNDLE_UNEVEN_DISTRIBUTION_ALARM_CLEAR: Uneven distribution in hg-portchannel 0/5/0 got cleared

Guidelines for Monitoring HiGig Link-Bundles
When configuring HiGig link-bundle monitoring on the backplane, follow these guidelines:
• By default, the capability to monitor the traffic distribution in a HiGig link bundle on a line-card or SFM NPU is disabled.
3 Specify the interval (in seconds) when HiGig link-bundle monitoring is performed.
CONFIGURATION mode
Dell(conf)#hg-link-bundle-monitor rate-interval seconds
4 Enable SNMP trap generation for HiGig link-bundle monitoring.
CONFIGURATION mode
Dell(conf)#snmp-server enable traps hg-lbm
5 Display the traffic utilization of member links in a HiGig link bundle (port channel).
No power
Interface index is 2103813
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :3417ebf225c6
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 40000 Mbit

Splitting QSFP Ports to SFP+ Ports
The switch supports splitting a single 40G QSFP port into four 10G SFP+ ports using a supported breakout cable. (For the link to a list of supported cables, refer to the C9000 Installation Guide or the C9000 Release Notes).
NOTE: You can use the QSA adaptor to establish connectivity between a high-density 100 Gigabit platform and a relatively lower-end 1 Gigabit switch or a server. The QSA acts as an interface between the QSFP28 ports (that support 100 Gigabit speeds) and SFP optics with a maximum speed of 1 Gigabit per second. Depending on the type of optics you plug into the QSA connected to a 100 Gigabit port, the system automatically detects the supported speed of the optics and sets the interface speed accordingly.
Link Dampening
Interface state changes occur when interfaces are administratively brought up or down or if an interface state changes. Every time an interface changes state or flaps, routing protocols are notified of the status of the routes that are affected by the change in state. These protocols go through the momentous task of re-converging. Flapping therefore puts the status of the entire network at risk of transient loops and black holes.
To view link dampening on a port extender interface:
Dell(conf-if-range-pegi-255/1/36-37)#do show interface
Interface        Supp State   Flaps   Penalty   Half-Life   Reuse   Suppress   Max-Sup
PeGi 255/1/36    Up           0       0         200         800     100        20
PeGi 255/1/37    Up           0       0         200         800     100        20
To view a dampening summary for the entire system, use the show interfaces dampening summary command from EXEC Privilege mode.
Dell# show interfaces dampening summary
20 interfaces are configured with dampening.
3 interfaces are currently suppressed.
Transmission Media   MTU Range (in bytes)
Ethernet             The MTU range is from 594 to 9216, with a default of 1554. The IP MTU automatically configures.

Using Ethernet Pause Frames for Flow Control
Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it. The destination sends a PAUSE frame back to the source, stopping the sender's transmission for a period of time.
• Flow-control discard threshold in KB: from 1-2013 (default= 75KB) The pause is started when either the packet pointer or the buffer threshold is met (whichever is met first). When the discard threshold is met, packets are dropped. The pause ends when both the packet pointer and the buffer threshold fall below 50% of the threshold settings. The discard threshold defines when the interface starts dropping the packet on the interface.
The following table lists the various Layer 2 overheads in the Dell Networking OS and the number of bytes.
Table 37. Layer 2 Overhead
Layer 2 Overhead                           Difference Between Link MTU and IP MTU
Ethernet (untagged)                        18 bytes
VLAN Tag                                   22 bytes
Untagged Packet with VLAN-Stack Header     22 bytes
Tagged Packet with VLAN-Stack Header       26 bytes
Link MTU and IP MTU considerations for port channels and VLANs are as follows.
Port Channels:
• All members must have the same link MTU value and the same IP MTU value.
Set Auto-Negotiation Options The negotiation auto command provides a mode option for configuring an individual port to forced master/ forced slave once autonegotiation is enabled. CAUTION: Ensure that only one end of the node is configured as forced-master and the other is configured as forced-slave. If both are configured the same (that is, both as forced-master or both as forced-slave), the show interface command flaps between an auto-neg-error and forced-master/slave states.
Fiber     Cannot be configured.     Cannot be configured.
When an SFP is inserted in a copper-provisioned combo port, the system displays a syslog message.
NOTE: When the port is provisioned as fiber and a copper cable is inserted, it is not detected by the device and hence no syslog message is displayed.
If an SFP is present when the port is being provisioned as copper, the system displays a syslog message.
Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG. The following example shows how to configure rate interval when changing the default value.
Rate info (interval 100 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Time since last interface status change: 1d23h42m

Configuring the Traffic Sampling Size Globally
You can configure the traffic sampling size for an interface in the global configuration mode. All LAG members inherit the rate interval configuration from the LAG.
Dell#show int po 20
Port-channel 20 is up, line protocol is up
Hardware address is 4c:76:25:f4:ab:02, Current address is 4c:76:25:f4:ab:02
Interface index is 1258301440
Minimum number of links to bring Port-channel up is 1
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :4c7625f4ab02
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 80000 Mbit
Members in this channel: Fo 1/1/7/1(U) Fo 1/1/8/1(U)
ARP type: ARPA, ARP Timeout 04:00:00
Queueing strategy: fifo
Input Statistics:
     13932
• Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces or selected ones. Without an interface specified, the command clears all interface counters.
EXEC Privilege mode
clear counters [interface] [vrrp [vrid] | learning-limit]
(OPTIONAL) Enter the following interface keywords and slot/port or number information:
• For a loopback interface, enter the keyword loopback then a number from 0 to 16383.
23 Internet Protocol Security (IPSec)
Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel.
• Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
CONFIGURATION mode
crypto ipsec policy myCryptoPolicy 10 ipsec-manual
 transform-set myXform-set
 session-key inbound esp 256 auth encrypt
 session-key outbound esp 257 auth encrypt
 match 0 tcp a::1 /128 0 a::2 /128 23
 match 1 tcp a::1 /128 23 a::2 /128 0
 match 2 tcp a::1 /128 0 a::2 /128 21
 match 3 tcp a::1 /128 21 a::2 /128 0
 match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
 match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
 match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
 match 7 tcp 1.1.1.1 /32 21 1.1.1.
24 IPv4 Routing IPv4 routing and various IP addressing features are supported. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
NOTE: 31-bit subnet masks (/31, or 255.255.255.254), as defined by RFC 3021, are supported. This feature allows you to save two more IP addresses on point-to-point links than 30-bit masks. The system also supports RFC 3021 with ARP. Configuration Tasks for IP Addresses The following describes the tasks associated with IP address configuration.
 ip address 10.11.1.1/24
 no shutdown
!
Dell(conf-if)#
Dell(conf-if)#show conf
!
interface TengigabitEthernet 0/0
 ip address 10.11.1.1/24
 no shutdown
!
Dell(conf-if)#

Configuring Static Routes
A static route is an IP address that you manually configure and that the routing protocol does not learn, such as open shortest path first (OSPF). Often, static routes are used as backup routes in case other dynamically learned routes are unreachable. You can enter as many static IP addresses as necessary.
Direct, Lo 0
The system installs a next hop that is on the directly connected subnet of the current IP address on the interface (for example, if interface gig 0/0 is on the 172.31.5.0 subnet, the system installs the static route). The system also installs a next hop that is not on the directly connected subnet but which recursively resolves to a next hop on the interface's configured subnet. For example, if gig 0/0 has an ip address on subnet 2.2.2.0 and if 172.31.5.43 recursively resolves to 2.2.2.
Resolution of Host Names Domain name service (DNS) maps host names to IP addresses. This feature simplifies commands such as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless you enable the feature, the system resolves only host names entered into the host table with the ip host command.
• Enter up to 63 characters to configure one domain name. CONFIGURATION mode ip domain-name name • Enter up to 63 characters to configure names to complete unqualified host names. CONFIGURATION mode ip domain-list name Configure this command up to six times to specify a list of possible domain names. The system searches the domain names in the order they were configured until a match is found or the list is exhausted.
ARP The system uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network. Over time, the system creates a forwarding table mapping the MAC addresses to their corresponding IP address. This table is called the ARP Cache and dynamically learned addresses are removed after a defined period of time.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Enabling Proxy ARP
By default, Proxy ARP is enabled. To disable Proxy ARP, use the no ip proxy-arp command in the interface mode. To re-enable Proxy ARP, use the following command.
• Re-enable Proxy ARP.
INTERFACE mode
ip proxy-arp
To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output.
Enabling ARP Learning via Gratuitous ARP
To enable ARP learning via gratuitous ARP, use the following command.
• Enable ARP learning via gratuitous ARP.
CONFIGURATION mode
arp learn-enable

ARP Learning via ARP Request
The system learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped.
Configuring ARP Retries
The number of ARP retries is user-configurable. The default backoff interval remains at 20 seconds. To set and display ARP retries, use the following commands.
• Set the number of ARP retries.
CONFIGURATION mode
arp retries number
The default is 5. The range is from 1 to 20.
• Set the exponential timer for resending unresolved ARPs.
CONFIGURATION mode
arp backoff-time
The default is 30. The range is from 1 to 3600.
no ip unreachable
• Set the system to create and send ICMP unreachable messages on the interface.
INTERFACE mode
ip unreachable
To view if ICMP unreachable messages are sent on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output.
25 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
Extended Address Space The address format is extended from 32 bits to 128 bits. This not only provides room for all anticipated needs, it allows for the use of a hierarchical address space structure to optimize global addressing. Stateless Autoconfiguration When a booting device comes up in IPv6 and asks for its network prefix, the device can get the prefix (or prefixes) from an IPv6 router on its link.
• Flow Label (20 bits)
• Payload Length (16 bits)
• Next Header (8 bits)
• Hop Limit (8 bits)
• Source Address (128 bits)
• Destination Address (128 bits)
IPv6 provides for extension headers. Extension headers are used only if necessary. There can be no extension headers, one extension header or more than one extension header in an IPv6 packet. Extension headers are defined in the Next Header field of the preceding IPv6 header.
Payload Length (16 bits) The Payload Length field specifies the packet payload. This is the length of the data following the IPv6 header. IPv6 Payload Length only includes the data following the header, not the header itself. The Payload Length limit of 2 bytes requires that the maximum packet payload be 64 KB. However, the Jumbogram option type Extension header supports larger packet sizes when required. Next Header (8 bits) The Next Header field identifies the next header’s type.
Source Address (128 bits)
The Source Address field contains the IPv6 address for the packet originator.
Destination Address (128 bits)
The Destination Address field contains the intended recipient's IPv6 address. This can be either the ultimate destination or the address of the next hop router.
Extension Header Fields
Extension headers are used only when necessary. Due to the streamlined nature of the IPv6 header, adding extension headers does not severely impact performance.
10 Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet's Source IP Address identifying the unknown option type.
11 Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet's Source IP Address only if the Destination IP Address is not a multicast address.
The second byte contains the Option Data Length. The third byte specifies whether the information can change en route to the destination.
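As an added example (not Dell code), the following Python parses the fixed IPv6 header fields listed above, follows the Next Header chain through the extension headers, and decodes Hop-by-Hop/Destination options, including the action a node takes on an unrecognised option type. The packet bytes and the unknown option type 0x9E are constructed here for illustration; the change-en-route flag is taken from bit 5 of the Option Type as RFC 8200 defines it.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv6Address

IPV6_HEADER_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 60, 59
PAD1, PADN = 0, 1


@dataclass
class Option:
    type: int
    data: bytes

    @property
    def action(self) -> int:
        return self.type >> 6            # two high-order bits: 00 skip, 01 discard, 10/11 discard + ICMP

    @property
    def changes_en_route(self) -> bool:
        return bool(self.type & 0x20)    # third high-order bit (bit 5) of the Option Type, RFC 8200


@dataclass
class IPv6Packet:
    version: int
    flow_label: int
    payload_length: int
    next_header: int
    hop_limit: int
    src: IPv6Address
    dst: IPv6Address
    ext_headers: list      # Next Header values of the extension headers, in order
    options: list          # Option objects from Hop-by-Hop / Destination Options headers
    upper_protocol: int    # Next Header value following the last extension header


def parse_options(data: bytes) -> list:
    """Decode TLV options: Pad1 is a single zero byte, everything else is type, length, value."""
    options, i = [], 0
    while i < len(data):
        if data[i] == PAD1:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option header truncated")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option data runs past the end of the header")
        options.append(Option(data[i], value))
        i += 2 + length
    return options


def parse_ipv6(raw: bytes) -> IPv6Packet:
    if len(raw) < IPV6_HEADER_LEN:
        raise ValueError("shorter than the 40-byte IPv6 header")
    first_word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", raw[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version {version})")
    src, dst = IPv6Address(raw[8:24]), IPv6Address(raw[24:40])
    # Payload Length counts everything after the fixed header, extension headers included.
    end = IPV6_HEADER_LEN + payload_length
    if len(raw) < end:
        raise ValueError("packet shorter than its Payload Length claims")
    ext_headers, options, offset, current = [], [], IPV6_HEADER_LEN, next_header
    while current in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 2 > end:
            raise ValueError("extension header truncated")
        # Fragment is fixed at 8 octets; the others carry Hdr Ext Len in 8-octet
        # units, not counting the first 8 octets.
        hdr_len = 8 if current == FRAGMENT else (raw[offset + 1] + 1) * 8
        if offset + hdr_len > end:
            raise ValueError("extension header runs past Payload Length")
        ext_headers.append(current)
        if current in (HOP_BY_HOP, DEST_OPTS):
            options.extend(parse_options(raw[offset + 2:offset + hdr_len]))
        current, offset = raw[offset], offset + hdr_len   # chain via Next Header
    return IPv6Packet(version, first_word & 0xFFFFF, payload_length, next_header,
                      hop_limit, src, dst, ext_headers, options, current)


def unknown_option_disposition(opt: Option, dst: IPv6Address) -> tuple:
    """(discard_packet, send_icmp_parameter_problem) for an option type the node does not recognise."""
    discard = opt.action != 0b00
    send_icmp = opt.action == 0b10 or (opt.action == 0b11 and not dst.is_multicast)
    return (discard, send_icmp)


def build_sample_packet() -> bytes:
    """Constructed sample: IPv6 header + one Hop-by-Hop header carrying three options."""
    hop_by_hop = bytes([NO_NEXT_HEADER, 1]) + bytes([   # Hdr Ext Len 1 -> 16 octets total
        5, 2, 0, 0,               # Router Alert (type 5): action bits 00
        0x9E, 1, 0xAA,            # constructed unknown type 0x9E: action bits 10
        PADN, 5, 0, 0, 0, 0, 0,   # PadN fills the header to a multiple of 8 octets
    ])
    fixed = struct.pack("!IHBB", (6 << 28) | 0x12345,   # version 6, flow label 0x12345
                        len(hop_by_hop), HOP_BY_HOP, 64)
    fixed += IPv6Address("2001:db8::1").packed + IPv6Address("ff02::1").packed
    return fixed + hop_by_hop
```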
the same IPv6 address to a particular computer, and never to assign that IP address to another computer. This allows static IPv6 addresses to be configured in one place, without having to specifically configure each computer on the network in a different way. In IPv6, every interface, whether using static or dynamic address assignments, also receives a link-local address automatically in the fe80::/64 subnet.
Feature and Functionality                    Dell Networking OS Release Introduction   Documentation and Chapter Location
OSPF for IPv6 (OSPFv3)                       8.3.11                                    OSPFv3 in the Dell Networking OS Command Line Reference Guide.
Equal Cost Multipath for IPv6                8.3.11
IPv6 Services and Management
Telnet client over IPv6 (outbound Telnet)    8.3.11                                    Configuring Telnet with IPv6 Control and Monitoring in the Dell Networking OS Command Line Reference Guide.
Telnet server over IPv6 (inbound Telnet)     8.3.
• Informational messages provide diagnostic functions and additional host functions, such as Neighbor Discovery and Multicast Listener Discovery. These messages also include Echo Request and Echo Reply messages. The ping and traceroute commands extend to support IPv6 addresses. These commands use ICMPv6 Type-2 messages.
Figure 58. NDP Router Redirect IPv6 Neighbor Discovery of MTU Packets You can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is set with the mtu command.
Dell(conf-if-te-0/1)#ipv6 nd dns-server 1000::1 ?
<0-4294967295>   Max lifetime (sec) which RDNSS address may be used for name resolution
infinite         Infinite lifetime (sec) which RDNSS address may be used for name resolution
Dell(conf-if-te-0/1)#ipv6 nd dns-server 1000::1 1

Debugging IPv6 RDNSS Information Sent to the Host
To verify that you configured the IPv6 RDNSS information sent to the host correctly, use the debug ipv6 nd command in EXEC Privilege mode.
ND dns-server address is 2000::1 with lifetime of 0 seconds
IP unicast RPF check is not supported
To display IPv6 RDNSS information, use the show configuration command in INTERFACE CONFIG mode. The following example uses the show configuration command to display IPv6 RDNSS information.
Dell(conf-if-te-1/1)#show configuration
To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start) then reload the system for the new settings. • Allocate space for IPV6 ACLs. Enter the CAM profile name then the allocated amount. CONFIGURATION mode cam-acl { ipv6acl } When not selecting the default option, enter all of the profiles listed and a range for each. The total space allocated must equal 13. The ipv6acl range must be a factor of 2. • Show the current CAM settings.
Assigning a Static IPv6 Route To configure IPv6 static routes, use the ipv6 route command. NOTE: After you configure a static IPv6 route (the ipv6 route command) and configure the forwarding router’s address (specified in the ipv6 route command) on a neighbor’s interface, the IPv6 neighbor does not display in the show ipv6 route command output. • Set up IPv6 static routes.
• snmp-server user ipv6
• snmp-server community ipv6
• snmp-server community access-list-name ipv6
• snmp-server group ipv6
• snmp-server group access-list-name ipv6

Displaying IPv6 Information
To view a specified IPv6 configuration, use the show ipv6 command.
• List the IPv6 show options.
IPV6 is enabled
Stateless address autoconfiguration is enabled
Link Local address: fe80::201:e8ff:fe8b:386e
Global Unicast address(es):
  Actual address is 400::201:e8ff:fe8b:386e, subnet is 400::/64
  Actual address is 412::201:e8ff:fe8b:386e, subnet is 412::/64
Virtual-IP IPv6 address is not set
Received Prefix(es):
  400::/64 onlink autoconfig
    Valid lifetime: 2592000, Preferred lifetime: 604800
    Advertised by: fe80::201:e8ff:fe8b:3166
  412::/64 onlink autoconfig
    Valid lifetime: 2592000, Preferred lifetime: 60480
static      0    0
Total       5    0
Dell#show ipv6 route
Codes: C - connected, L - local, S - static, R - RIP,
       B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated,
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
       E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1,
       L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default,
Gateway of last resort is not set
  Destination    Dist/Metric, Gateway, Last Change
  ------------------
• Clear (refresh) all or a specific route from the IPv6 routing table.
EXEC mode
clear ipv6 route {* | ipv6 address prefix-length}
• *: all routes.
• ipv6 address: the format is x:x:x:x::x.
• mask: the prefix length is from 0 to 128.
NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing.
Use the keyword router to set the device role as router.
5 Set the hop count limit.
POLICY LIST CONFIGURATION mode
hop-limit {maximum | minimum limit}
The hop limit range is from 0 to 254.
6 Set the managed address configuration flag.
POLICY LIST CONFIGURATION mode
managed-config-flag {on | off}
7 Enable verification of the sender IPv6 address in inspected messages from the authorized device source access list.
show config NOTE: IPv6 RA Guard is not supported on Port Extender.
debug ipv6 nd ra-guard [interface slot/port | count value] The count range is from 1 to 65534. The default is infinity. For a complete listing of all commands related to IPv6 RA Guard, see the Dell Networking OS Command Line Reference Guide.
26 Intermediate System to Intermediate System
The intermediate system to intermediate system (IS-IS) protocol is a link-state routing protocol that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter.
The NET length is variable, with a maximum of 20 bytes and a minimum of 8 bytes. It is composed of the following:
• area address — within your routing domain or area, each area must have a unique area value. The first byte is called the authority and format indicator (AFI).
• system address — the router's MAC address.
• N-selector — this is always 0.
The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.
Interface Support MT IS-IS is supported on physical Ethernet interfaces, physical synchronous optical network technologies (SONET) interfaces, portchannel interfaces (static and dynamic using LACP), and virtual local area network (VLAN) interfaces. Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions.
IPv6 Reachability and IPv6 Interface Address. A new IPv6 protocol identifier has also been included in the supported TLVs. The new TLVs use the extended metrics and up/down bit semantics. Multi-topology IS-IS adds TLVs:
• MT TLV — contains one or more Multi-Topology IDs in which the router participates. This TLV is included in IIH and the first fragment of an LSP.
• MT Intermediate Systems TLV — appears for every topology a node supports.
Configuration Tasks for IS-IS
The following describes the configuration tasks for IS-IS.
• Enabling IS-IS
• Configure Multi-Topology IS-IS (MT IS-IS)
• Configuring IS-IS Graceful Restart
• Changing LSP Attributes
• Configuring the IS-IS Metric Style
• Configuring IS-IS Cost
• Changing the IS-Type
• Controlling Routing Updates
• Configuring Authentication Passwords
• Setting the Overload Bit
• Debugging IS-IS

Enabling IS-IS
By default, IS-IS is not enabled.
4
• For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383.
• For a port channel, enter the keywords port-channel then a number.
• For a SONET interface, enter the keyword sonet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a VLAN, enter the keyword vlan then a number from 1 to 4094.
Enter an IPv4 Address.
Accept wide metrics: none
Dell#
To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
4 Implement a wide metric-style globally.
ROUTER ISIS AF IPV6 mode
isis ipv6 metric metric-value [level-1 | level-2 | level-1-2]
To configure wide or wide transition metric style, the cost can be between 0 and 16,777,215.

Configuring IS-IS Graceful Restart
To enable IS-IS graceful restart globally, use the following commands. Also, you can implement optional commands to enable the graceful restart settings.
• Enable graceful restart on ISIS processes.
• adjacency: the restarting router receives the remaining time value from its peer and adjusts its T3 value accordingly, if you have configured this option.
• manual: allows you to specify a fixed value that the restarting router should use. The range is from 50 to 120 seconds. The default is 30 seconds.
Example of the show isis graceful-restart detail and show isis interface Commands
NOTE: If this timer expires before the synchronization has completed, the restarting router sends the overload bit in the LSP.
Restart Capable Neighbors: 2, In Start: 0, In Restart: 0
Dell#

Changing LSP Attributes
IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary. To change the defaults, use any or all of the following commands.
• Set the interval between LSP generation.
Configuring the IS-IS Metric Style All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
Distance: 115
Generate narrow metrics: level-1-2
Accept narrow metrics: level-1-2
Generate wide metrics: none
Accept wide metrics: none
Dell#

Configuring the IS-IS Cost
When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands.
• Assign an IS-IS metric.
Changing the IS-Type
You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands.
• Configure the IS-IS operating level for a router.
ROUTER ISIS mode
is-type {level-1 | level-1-2 | level-2-only}
The default is level-1-2.
• Change the IS-type for the IS-IS process.
• For a SONET interface, enter the keyword sonet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a VLAN, enter the keyword vlan then a number from 1 to 4094.

Distribute Routes
Another method of controlling routing information is to filter the information through a prefix list.
Applying IPv6 Routes To apply prefix lists to incoming or outgoing IPv6 routes, use the following commands. NOTE: These commands apply to IPv6 IS-IS only. To apply prefix lists to IPv4 routes, use ROUTER ISIS mode, previously shown. • Apply a configured prefix list to all incoming IPv6 IS-IS routes.
redistribute {bgp as-number | connected | rip | static} [level-1 level-1-2 | level-2] [metric metric-value] [metric-type {external | internal}] [route-map map-name]
Configure the following parameters:
• level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
• metric-value: the range is from 0 to 16777215. The default is 0.
• metric-type: choose either external or internal. The default is internal.
• map-name: enter the name of a configured route map.
• match external: the range is 1 or 2.
• match internal
• metric-type: external or internal.
• map-name: name of a configured route map.
To view the IS-IS configuration globally (including both IPv4 and IPv6 settings), use the show running-config isis command in EXEC Privilege mode. To view the current IPv4 IS-IS configuration, use the show config command in ROUTER ISIS mode. To view the current IPv6 IS-IS configuration, use the show config command in ROUTER ISIS-ADDRESS FAMILY IPV6 mode.
no set-overload-bit
Example of Viewing the Overload Bit Setting
When the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2.
Dell#show isis database
IS-IS Level-1 Link State Database
LSPID             LSP Seq Num   LSP Checksum
B233.00-00        0x00000003    0x07BF
eljefe.00-00    * 0x0000000A    0xF963
eljefe.01-00    * 0x00000001    0x68DF
eljefe.02-00    * 0x00000001    0x2E7F
Force10.
EXEC Privilege mode
debug isis update-packets [interface]
To view specific information, enter the following optional parameter:
• interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
The system displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode. To disable a specific debug command, enter the keyword no then the debug command.
Maximum Values in the Routing Table IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000. Change the IS-IS Metric Style in One Level Only By default, the IS-IS metric style is narrow. When you change from one IS-IS metric style to another, the IS-IS metric value (configured with the isis metric command) could be affected.
Beginning Metric Style   Final Metric Style   Resulting IS-IS Metric Value
narrow transition        transition           original value
wide transition          wide                 original value
wide transition          narrow               default value (10) if the original value is greater than 63. A message is sent to the console.
wide transition          narrow transition    default value (10) if the original value is greater than 63. A message is sent to the console.
wide transition          transition           truncated value (the truncated value appears in the LSP only).

Level-1 Metric Style   Level-2 Metric Style   Resulting Metric Value
wide                   transition             truncated value
narrow transition      wide                   original value
narrow transition      narrow                 original value
narrow transition      wide transition        original value
narrow transition      transition             original value
transition             wide                   original value
transition             narrow                 original value
transition             wide transition        original value
transition             narrow transition      original value
wide transition        wide                   original value
wide transition        narrow
Figure 60. IPv6 IS-IS Sample Topography
IS-IS Sample Configuration — Congruent Topology
IS-IS Sample Configuration — Multi-topology
IS-IS Sample Configuration — Multi-topology Transition
The following is a sample configuration for enabling IPv6 IS-IS.
Dell(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ip address 24.3.1.
exit-address-family
Dell(conf-router_isis)#
Dell(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
Dell(conf-if-te-3/17)#
Dell(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
27 iSCSI Optimization This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
• Auto-detection of EqualLogic storage arrays — the switch detects any active EqualLogic array directly attached to its ports. • Manual configuration to detect Compellent storage arrays where auto-detection is not supported. • Automatic configuration of switch ports after detection of storage arrays. • If you configure flow-control, iSCSI uses the current configuration.
Figure 61. iSCSI Optimization Example
Default iSCSI Optimization Values The following table lists the default values for the iSCSI optimization feature.
Table 45. iSCSI Optimization Defaults
Parameter | Default Value
iSCSI Optimization global setting | Disabled.
iSCSI CoS mode (802.1p priority queue mapping) | dot1p priority 4 without the remark setting when you enable iSCSI. If you do not enable iSCSI, this feature is disabled.
Remark | Not configured.
iSCSI session aging time | 10 minutes
iSCSI optimization target ports | iSCSI well-known ports 3260 and 860 are configured as default (with no IP address or name) but can be removed as any other configured target.
iSCSI session monitoring | Disabled. The CAM allocation for iSCSI is set to zero (0).
iSCSI Optimization Prerequisites The following are iSCSI optimization prerequisites.
• iSCSI optimization requires LLDP on the switch.
• tcp-port-n is the TCP port number or a list of TCP port numbers on which the iSCSI target listens to requests. You can configure up to 16 target TCP ports on the switch in one command or multiple commands. The default is 860, 3260. Separate port numbers with a comma. If multiple IP addresses are mapped to a single TCP port, use the no iscsi target port tcp-port-n command to remove all IP addresses assigned to the TCP number.
The default is: Compellent disk arrays are not detected. NOTE: The [no] iscsi profile-compellent command is not supported on cascade interfaces or extended ports.
Displaying iSCSI Optimization Information To display information on iSCSI optimization, use the following show commands.
• Display the currently configured iSCSI settings. show iscsi
• Display information on active iSCSI sessions on the switch. show iscsi session
• Display detailed information on active iSCSI sessions on the switch.
iqn.1991-05.com.microsoft:win-x9l8v27yajg ISID: 400001370000 The following example shows the show iscsi session detailed command. VLT PEER1 Dell# show iscsi session detailed Session 0: -------------------------------------------------------Target:iqn.2010-11.com.ixia:ixload:iscsi-TG1 Initiator:iqn.2010-11.com.ixia.
Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer The following behavior occurs during synchronization of iSCSI sessions. • If the iSCSI login request packet is received on a port belonging to a VLT lag, the information is synced to the VLT peer and the connection is associated with this interface. • Additional updates to connections (including aging updates) that are learnt on VLT lag members are synced to the peer.
Only sessions the switch observes are learned; sessions flowing through an adjacent switch are not learned. Session monitoring learns sessions that actually flow through the switch, it does not learn all sessions in the entire topology. After a switch is reloaded, any information exchanged during the initial handshake is not available. If the switch picks up the communication after reloading, it would detect a session was in progress but could not obtain complete information for it.
Enter the iscsi profile-compellent command in INTERFACE Configuration mode; for example: Dell(conf-if-te-o/50)# iscsi profile-compellent Application of Quality of Service to iSCSI Traffic Flows You can configure iSCSI CoS mode. This mode controls whether CoS (dot1p priority) queue assignment and/or packet marking is performed on iSCSI traffic. When you enable iSCSI CoS mode, the CoS policy is applied to iSCSI traffic.
28 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. Introduction to Dynamic LAGs and LACP The Dell Networking OS uses LACP to create dynamic LAGs. LACP provides a standardized means of exchanging information between two systems (also called Partner Systems) and automatically establishes the LAG between the systems.
LACP Modes Three LACP configuration modes are supported — Off, Active, and Passive. • Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state. • Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state. A port in Active state also automatically initiates negotiations with other ports by initiating LACP packets.
The default is 32768. LACP Configuration Tasks The following configuration tasks apply to LACP. • Creating a LAG • Configuring the LAG Interfaces as Dynamic • Setting the LACP Long Timeout • Monitoring and Debugging LACP • Configuring Shared LAG State Tracking Creating a LAG To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces. • Create a dynamic port channel (LAG).
Dell(conf-if-te-3/16-lacp)#port-channel 32 mode active
...
Dell(conf)#interface Tengigabitethernet 4/15
Dell(conf-if-te-4/15)#no shutdown
Dell(conf-if-te-4/15)#port-channel-protocol lacp
Dell(conf-if-te-4/15-lacp)#port-channel 32 mode active
...
• Debug LACP, including configuration and events. EXEC mode [no] debug lacp [config | events | pdu [in | out | [interface [in | out]]]] Shared LAG State Tracking Shared LAG state tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG.
Examples of Configuring and Viewing LAGs In the following example, LAGs 1 and 2 have been placed into the same failover group.
R2#config
R2(conf)#port-channel failover-group
R2(conf-po-failover-grp)#group 1 port-channel 1 port-channel 2
To view the failover group configuration, use the show running-configuration po-failover-group command.
Important Points about Shared LAG State Tracking The following is more information about shared LAG state tracking.
• This feature is available for static and dynamic LAGs.
• Only a LAG can be a member of a failover group.
• You can configure shared LAG state tracking on one side of a link or on both sides.
• If a LAG that is part of a failover group is deleted, the failover group is deleted.
• If a LAG moves to the Down state due to this feature, its members may still be in the Up state.
Port is part of Port-channel 10 Hardware is Dell Force10Eth, address is 00:01:e8:06:95:c0 Current address is 00:01:e8:06:95:c0 Interface Index is 109101113 Port will not be disabled on partial SFM failure Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 1000 Mbit, Mode full duplex, Slave Flowcontrol rx on tx on ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 00:02:11 Queueing strategy: fifo Input statistics: 132 packets, 163668 bytes 0 Vlans 0 64-byte p
Figure 66.
Figure 67.
Summary of the LAG Configuration on Bravo
Bravo(conf-if-te-3/21)#int port-channel 10
Bravo(conf-if-po-10)#no ip add
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int tengig 3/21
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-te-3/21)#port-channel-protocol lacp
Bravo(conf-if-te-3/21-lacp)#port-channel 10 mode active
Bravo(
Figure 68. Inspecting a LAG Port on BRAVO Using the show interface Command The following figure illustrates inspecting LAG 10 Using the show interfaces port-channel Command.
Figure 69. Inspecting LAG 10 Using the show interfaces port-channel Command The following figure illustrates inspecting the LAG Status Using the show lacp command.
Figure 70. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
29 Layer 2 This chapter describes the Layer 2 features supported on the switch. Manage the MAC Address Table You can perform the following management tasks in the MAC address table. • Clearing the MAC Address Table • Setting the Aging Time for Dynamic Entries • Configuring a Static MAC Address • Displaying the MAC Address Table Clearing the MAC Address Table You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. • Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command. • Display the contents of the MAC address table.
In this case, the configuration is still present in the running-config and show output. Remove the configuration before re-applying a MAC learning limit with a lower value. Also, ensure that you can view the Syslog messages on your session. Setting the MAC Learning Limit To set a MAC learning limit on an interface, use the following command. • Specify the number of MAC addresses that the system can learn off a Layer 2 interface.
mac learning-limit station-move The mac learning-limit station-move command allows a MAC address already in the table to be learned from another interface. For example, if you disconnect a network device from one interface and reconnect it to another interface, the MAC address is learned on the new interface. When the system detects this “station move,” the system clears the entry learned on the original interface and installs a new entry on the new interface.
• Shut down the second port to learn the MAC address. INTERFACE mode station-move-violation shutdown-offending • Shut down both the first and second port to learn the MAC address. INTERFACE mode station-move-violation shutdown-both • Display a list of all of the interfaces configured with MAC learning limit or station move violation.
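The learning-limit and station-move behaviour described above, as an added example that is not Dell Networking OS code: a small model of the MAC address table with a per-interface learning limit, optional station-move, and the two shutdown violation actions. The interface names, the MAC addresses (00:00:5e:00:53:xx), and the log message wording are constructed; the guide does not state which interface's configuration governs a station move, so the model judges the move against the interface that currently owns the entry and treats "log only" as the default action (both are assumptions).

```python
"""Added example (not Dell Networking OS code): a model of per-interface MAC learning
limits and station-move handling, to show how the table reacts to a flood of new
source MACs and to a host that reappears on another port.

Assumptions (not stated by the guide): the limit counts entries learned on the
interface; a station move is judged against the interface that owns the entry;
the violation action applies when that owner has a limit but no station-move;
an interface without a configured action only logs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class PortPolicy:
    limit: Optional[int] = None     # mac learning-limit <n>; None = unlimited
    station_move: bool = False      # mac learning-limit station-move
    violation: str = "log"          # station-move-violation: log | shutdown-offending | shutdown-both


class MacTable:
    def __init__(self) -> None:
        self.table: Dict[str, str] = {}          # MAC -> interface it was learned on
        self.policy: Dict[str, PortPolicy] = {}
        self.down: Set[str] = set()              # interfaces shut down by a violation
        self.syslog: List[str] = []

    def configure(self, iface: str, **kwargs) -> None:
        self.policy[iface] = PortPolicy(**kwargs)

    def learned_on(self, iface: str) -> int:
        return sum(1 for i in self.table.values() if i == iface)

    def learn(self, mac: str, iface: str) -> str:
        """Process a source MAC seen on iface; return what the switch did."""
        if iface in self.down:
            return "dropped: interface shut down"
        pol = self.policy.get(iface, PortPolicy())
        owner = self.table.get(mac)
        if owner == iface:
            return "refreshed"
        if owner is not None:
            owner_pol = self.policy.get(owner, PortPolicy())
            if owner_pol.limit is not None and not owner_pol.station_move:
                return self._violation(mac, owner, iface, owner_pol)
        if pol.limit is not None and self.learned_on(iface) >= pol.limit:
            self.syslog.append("MAC learning limit %d reached on %s, not learning %s"
                               % (pol.limit, iface, mac))
            return "denied: learning limit reached"
        if owner is not None:
            del self.table[mac]     # station move allowed: clear the old entry ...
        self.table[mac] = iface     # ... and install the new one
        return "learned"

    def _violation(self, mac: str, owner: str, offender: str, pol: PortPolicy) -> str:
        self.syslog.append("station-move violation: %s owned by %s seen on %s (%s)"
                           % (mac, owner, offender, pol.violation))
        if pol.violation == "shutdown-offending":
            self.down.add(offender)
        elif pol.violation == "shutdown-both":
            self.down.update({owner, offender})
        return "violation: " + pol.violation


def demo():
    """Constructed scenario: three ports with limits, one allowing station moves."""
    t = MacTable()
    t.configure("Te 3/1", limit=2)                                  # limit, no station-move
    t.configure("Te 3/2", limit=2, station_move=True)               # limit, moves allowed
    t.configure("Te 3/3", limit=2, violation="shutdown-offending")  # limit, shut the offender
    results = [
        t.learn("00:00:5e:00:53:01", "Te 3/1"),   # learned
        t.learn("00:00:5e:00:53:02", "Te 3/1"),   # learned (at limit now)
        t.learn("00:00:5e:00:53:03", "Te 3/1"),   # denied: third MAC exceeds the limit
        t.learn("00:00:5e:00:53:01", "Te 3/2"),   # violation: Te 3/1 forbids the move
        t.learn("00:00:5e:00:53:10", "Te 3/2"),   # learned
        t.learn("00:00:5e:00:53:10", "Te 3/4"),   # learned: Te 3/2 allows the move
        t.learn("00:00:5e:00:53:20", "Te 3/3"),   # learned
        t.learn("00:00:5e:00:53:20", "Te 3/4"),   # violation: Te 3/4 is shut down
        t.learn("00:00:5e:00:53:30", "Te 3/4"),   # dropped: port is down
    ]
    return t, results


if __name__ == "__main__":
    table, outcome = demo()
    print("\n".join(outcome))
    print(table.table, table.down, table.syslog, sep="\n")
```

The first three steps show why the limit matters against a flood of spoofed source MACs, and the last three show that shutting the offending port is the action that stops the flood rather than only logging it.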
If you don’t use any option, the mac-address-table disable-learning command disables source MAC address learning from both LACP and LLDP BPDUs. NIC Teaming NIC teaming is a feature that allows multiple network interface cards in a server to be represented by one MAC address and one IP address in order to provide transparent redundancy, balancing, and to fully utilize network adapter resources. The following illustration shows a topology where two NICs have been teamed together.
Figure 72. Configuring the mac-address-table station-move refresh-arp Command Configure Redundant Pairs Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 73. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
Important Points about Configuring Redundant Pairs
• You may not configure any interface to be a backup for more than one interface, no interface can have more than one backup, and a backup interface may not have a backup interface.
• The active or backup interface may not be a member of a LAG.
• The active and standby do not have to be of the same type (1G, 10G, and so on).
• You may not enable any Layer 2 protocol on any interface of a redundant pair or to ports connected to them.
and Po 2
Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2
Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-STATE_ACT_STBY: Changed interface state to standby: Po 2
Dell(conf-if-po-1)#
Dell#
Dell#show interfaces switchport backup
Interface        Status    Paired Interface   Status
Port-channel 1   Active    Port-channel 2     Standby
Port-channel 2   Standby   Port-channel 1     Active
Dell#
Dell(conf-if-po-1)#switchport backup interface tengigabitethernet 0/2
Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-
FEFD State Changes FEFD has two operational modes: Normal and Aggressive. When a far-end failure is detected on an FEFD-enabled interface: • If the interface is in normal FEFD mode, no user intervention is required to reset the interface; it automatically resets to an FEFD operational state. • If the interface is in aggressive FEFD mode, manual intervention is required to reset the interface.
Configuring FEFD You can configure FEFD on all interfaces from CONFIGURATION mode or on individual interfaces from INTERFACE mode. To enable FEFD globally on all interfaces, use the following command. • CONFIGURATION mode fefd-global To report interval frequency and mode adjustments, use the following commands. 1 Configure two or more connected interfaces for Layer 2 or Layer 3 traffic. INTERFACE mode switchport ip address ip address 2 Activate the ports.
• Disable FEFD protocol on one interface. INTERFACE mode fefd disable Disabling an interface shuts down all protocols working on that interface’s connected line. It does not delete your previous FEFD configuration, which you can enable again at any time. To set up and activate two or more connected interfaces, use the following commands. 1 Set up two or more connected interfaces for Layer 2 or Layer 3. INTERFACE mode ip address ip address, switchport 2 Activate the necessary ports administratively.
2w1d22h: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 4/0 2w1d22h: %SYSTEM-P:CP %IFMGR-5-INACTIVE: Changed Vlan interface state to inactive: Vl 1 2w1d22h : FEFD state on Te 4/0 changed from Bi-directional to Unknown The following example shows the debug fefd packets command.
30 Link Layer Discovery Protocol (LLDP) This chapter describes how to configure and use the link layer discovery protocol (LLDP). 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 47. Type, Length, Value (TLV) Types
Type | TLV | Description
0 | End of LLDPDU | Marks the end of an LLDPDU.
1 | Chassis ID | An administratively assigned name that identifies the LLDP agent.
2 | Port ID | An administratively assigned name that identifies a port through which TLVs are sent and received.
3 | Time to Live | An administratively assigned name that identifies a port through which TLVs are sent and received.
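The TLV layout the tables above describe, as an added example that is not Dell Networking OS code: a parser that walks an LLDPDU, checks the length field of every TLV against the octets that actually remain (the check a switch or a monitoring tool must make before trusting a neighbour's frame), enforces the mandatory Chassis ID, Port ID and Time to Live ordering, and splits an organizationally specific TLV into OUI, subtype and payload. The sample frame is constructed here; the chassis MAC and port name are values taken from elsewhere in this guide, and the IEEE OUI 00-80-C2 is the one the text names.

```python
"""Added example (not Dell Networking OS code): parse the TLV stream of an LLDPDU.

Each TLV carries a 7-bit type and a 9-bit length in a 2-octet header, followed by
the value. The first three TLVs must be Chassis ID (1), Port ID (2) and Time to
Live (3), and the stream ends with an End of LLDPDU TLV (0). Organizationally
specific TLVs (127) begin with a 3-octet OUI and a 1-octet subtype.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

TLV_NAMES = {
    0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time to Live",
    4: "Port description", 5: "System name", 6: "System description",
    7: "System capabilities", 8: "Management address",
    127: "Organizationally specific",
}
IEEE_8021_OUI = bytes([0x00, 0x80, 0xC2])


@dataclass
class TLV:
    tlv_type: int
    value: bytes
    oui: Optional[bytes] = None     # set only for type 127
    subtype: Optional[int] = None   # set only for type 127

    @property
    def name(self) -> str:
        return TLV_NAMES.get(self.tlv_type, "Reserved (%d)" % self.tlv_type)


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value octets."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data: bytes) -> List[TLV]:
    """Decode TLVs until End of LLDPDU; raise ValueError on any malformed input."""
    tlvs: List[TLV] = []
    offset = 0
    while True:
        if offset + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % offset)
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):   # never trust the length field blindly
            raise ValueError("TLV type %d claims %d octets, only %d remain"
                             % (tlv_type, length, len(data) - offset))
        value = data[offset:offset + length]
        offset += length
        tlv = TLV(tlv_type, value)
        if tlv_type == 127:
            if length < 4:
                raise ValueError("organizationally specific TLV shorter than OUI + subtype")
            tlv.oui, tlv.subtype, tlv.value = value[:3], value[3], value[4:]
        tlvs.append(tlv)
        if tlv_type == 0:
            if length != 0:
                raise ValueError("End of LLDPDU TLV must have zero length")
            break
    if [t.tlv_type for t in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("Chassis ID, Port ID and Time to Live must come first, in that order")
    if len(tlvs[2].value) != 2:
        raise ValueError("Time to Live TLV must be exactly 2 octets")
    return tlvs


def ttl_seconds(tlvs: List[TLV]) -> int:
    """Advertised TTL in seconds, from the mandatory third TLV."""
    return struct.unpack("!H", tlvs[2].value)[0]


def is_well_formed(data: bytes) -> bool:
    try:
        parse_lldpdu(data)
        return True
    except ValueError:
        return False


# Constructed sample LLDPDU (not captured from a real device).
SAMPLE_LLDPDU = (
    build_tlv(1, b"\x04" + bytes.fromhex("0001e80695c0"))   # Chassis ID, subtype 4 = MAC address
    + build_tlv(2, b"\x05Te 3/21")                          # Port ID, subtype 5 = interface name
    + build_tlv(3, struct.pack("!H", 120))                  # Time to Live = 120 s
    + build_tlv(4, b"uplink to core")                       # Port description
    + build_tlv(127, IEEE_8021_OUI + b"\x01" + struct.pack("!H", 100))  # 802.1 Port VLAN ID = 100
    + build_tlv(0, b"")                                     # End of LLDPDU
)
# The same frame cut short inside the last TLV: its length field now overruns the buffer.
TRUNCATED_LLDPDU = SAMPLE_LLDPDU[:-7]

if __name__ == "__main__":
    for t in parse_lldpdu(SAMPLE_LLDPDU):
        print(t.tlv_type, t.name, t.value)
    print("truncated frame well formed:", is_well_formed(TRUNCATED_LLDPDU))
```

The truncated frame is rejected at the length check rather than being read past the end of the buffer, which is the failure mode a receiver on an untrusted port has to guard against; the ordering check catches frames that omit the mandatory TLVs.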
Figure 77. Organizationally Specific TLV
IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs.
Table 48. Optional TLV Types
Type | TLV | Description
4 | Port description | A user-defined alphanumeric string that describes the port. The Dell Networking OS does not currently support this TLV.
Type | TLV | Description
(continued) | | LLDP, but is available and mandatory (nonconfigurable) in the LLDP-MED implementation.
127 | Power via MDI | Dell Networking supports the LLDP-MED protocol, which recommends that the Power via MDI TLV not be implemented; therefore Dell Networking implements the Extended Power via MDI TLV only.
127 | Link Aggregation | Indicates whether the link is capable of being aggregated, whether it is currently in a LAG, and the port identification of the LAG.
Type | SubType | TLV | Description
(continued) | | | • whether the transmitting device supports LLDP-MED • what LLDP-MED TLVs it supports • LLDP device class
127 | 2 | Network Policy | Indicates the application type, VLAN ID, Layer 2 Priority, and DSCP value.
127 | 3 | Location Identification | Indicates the physical location of the device, expressed in one of three possible formats (not listed here).
127 | 4 | Inventory Management TLVs | Implementation of this set of TLVs is optional in LLDP-MED devices. None or all TLVs must be supported.
LLDP-MED Capabilities TLV The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV. • The value of the LLDP-MED capabilities field in the TLV is a 2-octet bitmap; each bit represents an LLDP-MED capability (as shown in the following table). • The possible values of the LLDP-MED device type are shown in the following.
• VLAN ID • VLAN tagged or untagged status • Layer 2 priority • DSCP value An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED network policy TLV is generated for each application type that you specify with the CLI (Advertising TLVs).
Extended Power via MDI TLV The extended power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices. Advertise the extended power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device. • Power Type — there are two possible power types: power source entity (PSE) or power device (PD). The Dell Networking system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification.
LLDP Compatibility • Spanning tree and force10 ring protocol “blocked” ports allow LLDPDUs. • 802.1X controlled ports do not allow LLDPDUs until the connected device is authenticated. CONFIGURATION versus INTERFACE Configurations All LLDP configuration commands are available in PROTOCOL LLDP mode, which is a sub-mode of the CONFIGURATION mode and INTERFACE mode. • Configurations made at the CONFIGURATION level are global; that is, they affect all interfaces on the system.
Enabling LLDP LLDP is disabled by default. Enable and disable LLDP globally or per interface. If you enable LLDP globally, all UP interfaces send periodic LLDPDUs. To enable LLDP, use the following command. 1 Enter Protocol LLDP mode. CONFIGURATION or INTERFACE mode protocol lldp 2 Enable LLDP. PROTOCOL LLDP mode no disable Disabling and Undoing LLDP To disable or undo LLDP, use the following command. • Disable LLDP globally or for an interface.
LLDP-MANAGEMENT-INTERFACE mode. To undo an LLDP management port configuration, precede the relevant command with the keyword no. Advertising TLVs You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces. • If you configure the system globally, all interfaces send LLDPDUs with the specified TLVs. • If you configure an interface, only the interface sends LLDPDUs with the specified TLVs.
Figure 81. Configuring LLDP Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration. CONFIGURATION or INTERFACE mode show config Examples of Viewing LLDP Configurations The following example shows viewing an LLDP global configuration.
Viewing Information Advertised by Adjacent LLDP Agents To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands. • Display brief information about adjacent devices. show lldp neighbors • Display all of the information that neighbors are advertising.
Configuring LLDPDU Intervals LLDPDUs are transmitted periodically; the default interval is 30 seconds. To configure LLDPDU intervals, use the following command. • Configure a non-default transmit interval.
Example of Configuring a Single Mode R1(conf)#protocol lldp R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)#mode ? rx Rx only tx Tx only R1(conf-lldp)#mode tx R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-
R1(conf-lldp)#no multiplier R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)# Debugging LLDP You can view the TLVs that your system is sending and receiving. To view the TLVs, use the following commands. • View a readable version of the TLVs.
• received and transmitted TLVs • the LLDP configuration on the local agent • IEEE 802.1AB Organizationally Specific TLVs • received and transmitted LLDP-MED TLVs
Table 53. LLDP Configuration MIB Objects
MIB Object Category | LLDP Variable | LLDP MIB Object | Description
LLDP Configuration | adminStatus | lldpPortConfigAdminStatus | Whether you enable the local LLDP agent for transmit, receive, or both.
LLDP Configuration | msgTxHold | lldpMessageTxHoldMultiplier | Multiplier value.
TLV Type | TLV Name | TLV Variable | System | LLDP MIB Object
2 | Port ID | port subtype | Local | lldpLocPortIdSubtype
2 | Port ID | port subtype | Remote | lldpRemPortIdSubtype
Local lldpLocPortId / Remote lldpRemPortId
Local lldpLocPortDesc / Remote lldpRemPortDesc
Local lldpLocSysName / Remote lldpRemSysName
Local lldpLocSysDesc / Remote lldpRemSysDesc
Local lldpLocSysCapSupported / Remote lldpRemSysCapSupported
Local lldpLocSysCapEnabled / Remote lldpRemSysCapEnabled
Local lldpLocManAddrLen / Remote lldpRemManAddrLen
Local
TLV Type | TLV Name | TLV Variable | System | LLDP MIB Object
port and protocol VLAN enabled: Remote lldpXdot1RemProtoVlanSupported; Local lldpXdot1LocProtoVlanEnabled / Remote lldpXdot1RemProtoVlanEnabled
PPVID: Local lldpXdot1LocProtoVlanId / Remote lldpXdot1RemProtoVlanId
127 | VLAN Name | VID: Local lldpXdot1LocVlanId / Remote lldpXdot1RemVlanId
127 | VLAN Name | VLAN name length: Local lldpXdot1LocVlanName / Remote lldpXdot1RemVlanName
127 | VLAN Name | VLAN name: Local lldpXdot1LocVlanName / Remote lldpXdot1RemVlanName
Table 56
TLV Sub-Type | TLV Name | TLV Variable | System | LLDP-MED MIB Object
VLAN ID: Local lldpXMedLocMediaPolicyVlanID / Remote lldpXMedRemMediaPolicyVlanID
Local lldpXMedLocMediaPolicyPriority / Remote lldpXMedRemMediaPolicyPriority
Local lldpXMedLocMediaPolicyDscp / Remote lldpXMedRemMediaPolicyDscp
Local lldpXMedLocLocationSubtype / Remote lldpXMedRemLocationSubtype
Local lldpXMedLocLocationInfo / Remote lldpXMedRemLocationInfo
Local lldpXMedLocXPoEDeviceType / Remote lldpXMedRemXPoEDeviceTy
TLV Sub-Type | TLV Name | TLV Variable | System | LLDP-MED MIB Object
lldpXMedLocXPoEPDPowerReq
Remote lldpXMedRemXPoEPSEPowerAv
lldpXMedRemXPoEPDPowerReq
31 Multicast Source Discovery Protocol (MSDP) This chapter describes how to configure and use the multicast source discovery protocol (MSDP). Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
RPs advertise each (S,G) in their domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 84.
With Anycast RP, all the RPs are configured to be MSDP peers of each other. When a source registers with one RP, an SA message is sent to the other RPs informing them that there is an active source for a particular multicast group. The result is that each RP is aware of the active sources in the area of the other RPs. If any of the RPs fail, IP routing converges and one of the RPs becomes the active RP in more than one area. New sources register with the backup RP.
Figure 85.
Figure 86.
Figure 87.
Figure 88. Configuring MSDP Enable MSDP Enable MSDP by peering RPs in different administrative domains. 1 Enable MSDP. CONFIGURATION mode ip multicast-msdp 2 Peer PIM systems in different administrative domains. CONFIGURATION mode ip msdp peer connect-source Example of Configuring and Viewing MSDP R3(conf)#ip multicast-msdp R3(conf)#ip msdp peer 192.168.0.
R3(conf)#do show ip msdp summary
Peer Addr    Description    Local Addr    State    Source    SA    Up/Down
To view details about a peer, use the show ip msdp peer command in EXEC privilege mode. Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
R3#show ip msdp peer
Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
show ip msdp sa-limit If the total number of active sources is already larger than the limit when limiting is applied, the sources that are already in the OS are not discarded. To enforce the limit in such a situation, use the clear ip msdp sa-cache command to clear all existing entries. Clearing the Source-Active Cache To clear the source-active cache, use the following command. • Clear the SA cache of all, local, or rejected entries, or entries for a specific group.
Figure 89.
Figure 90.
Figure 91.
Figure 92. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
GroupAddr     SourceAddr   RPAddr       LearnedFrom   Expire   UpTime
229.0.50.2    24.0.50.2    200.0.0.50   10.0.50.2     73       00:13:49
229.0.50.3    24.0.50.3    200.0.0.50   10.0.50.2     73       00:13:49
229.0.50.4    24.0.50.4    200.0.0.50   10.0.50.2     73       00:13:49
Dell#ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime     GroupAddr     SourceAddr    RPAddr       LearnedFrom
00:33:18   229.0.50.64   24.0.50.64    200.0.1.50   10.0.50.2
00:33:18   229.0.50.65   24.0.50.65    200.0.1.50   10.
00:33:18   229.0.50.66   24.0.50.66    200.0.1.50
R1_E600(conf)#do show ip msdp sa-cache R1_E600(conf)#do show ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 1 rejected SAs received, cache-size 1000 UpTime GroupAddr SourceAddr RPAddr LearnedFrom 00:02:20 239.0.0.1 10.11.4.2 192.168.0.1 local Reason Redistribute Preventing MSDP from Caching a Remote Source To prevent MSDP from caching a remote source, use the following commands. 1 OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
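The SA-cache rules stated in this section (the sa-limit that does not discard entries already cached, clearing the cache to enforce it, the rejected SA cache fed by an SA filter, and the default peer whose sources bypass the RPF check unless its ACL denies the originating RP), as an added example that is not Dell Networking OS code. The group, source, RP and peer addresses reuse the ones shown in the output above; peer 10.0.50.9 and RP 200.0.2.50 are made up, the RPF check is reduced to a constructed table of which peer each RP's SAs are expected from, and ACLs are lists of (action, network...) entries with first match wins and an implicit deny.

```python
"""Added example (not Dell Networking OS code): a model of the MSDP source-active (SA)
cache showing, in order, the inbound SA filter, the default-peer bypass of the RPF
check, the sa-limit, and the effect of clearing the cache.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SA:
    group: str
    source: str
    rp: str      # originating RP


def acl_permits(acl: list, *addrs: str) -> bool:
    """Constructed ACL model: first matching entry wins, implicit deny at the end."""
    for action, *nets in acl:
        if all(ipaddress.ip_address(a) in ipaddress.ip_network(n) for a, n in zip(addrs, nets)):
            return action == "permit"
    return False


class MsdpSaCache:
    def __init__(self, rpf_peer_for_rp: Dict[str, str]) -> None:
        self.rpf_peer_for_rp = rpf_peer_for_rp   # stands in for the real RPF lookup (assumption)
        self.sa_filter_in: Dict[str, list] = {}  # peer -> extended ACL on (group, source)
        self.default_peer: Optional[Tuple[str, Optional[list]]] = None   # (peer, ACL on RP or None)
        self.sa_limit: Optional[int] = None
        self.cache: Dict[Tuple[str, str], Tuple[SA, str]] = {}   # (group, source) -> (SA, learned from)
        self.rejected: List[Tuple[SA, str, str]] = []             # (SA, peer, reason)

    def set_sa_limit(self, limit: int) -> None:
        self.sa_limit = limit        # entries already cached are kept, as the guide states

    def clear_sa_cache(self) -> None:
        self.cache.clear()

    def _rpf_ok(self, sa: SA, peer: str) -> bool:
        if self.default_peer is not None:
            dp, dp_acl = self.default_peer
            if peer == dp and (dp_acl is None or acl_permits(dp_acl, sa.rp)):
                return True          # accepted without regard for the RPF check
        return self.rpf_peer_for_rp.get(sa.rp) == peer   # RPs the ACL denies get the normal check

    def _reject(self, sa: SA, peer: str, reason: str) -> str:
        self.rejected.append((sa, peer, reason))
        return "rejected: " + reason

    def receive(self, sa: SA, peer: str) -> str:
        acl = self.sa_filter_in.get(peer)
        if acl is not None and not acl_permits(acl, sa.group, sa.source):
            return self._reject(sa, peer, "Input filter")
        if not self._rpf_ok(sa, peer):
            return self._reject(sa, peer, "RPF failure")
        key = (sa.group, sa.source)
        if self.sa_limit is not None and key not in self.cache and len(self.cache) >= self.sa_limit:
            return self._reject(sa, peer, "SA limit")
        self.cache[key] = (sa, peer)
        return "cached"


def demo():
    """Constructed scenario built from the addresses shown in this section."""
    c = MsdpSaCache({"200.0.0.50": "10.0.50.2"})
    c.default_peer = ("10.0.50.9", [("permit", "200.0.1.0/24")])   # ip msdp default-peer ... list
    c.sa_filter_in["10.0.50.2"] = [("deny", "239.0.0.1/32", "10.11.4.2/32"),
                                   ("permit", "224.0.0.0/4", "0.0.0.0/0")]
    results = [
        c.receive(SA("229.0.50.2", "24.0.50.2", "200.0.0.50"), "10.0.50.2"),     # cached
        c.receive(SA("229.0.50.3", "24.0.50.3", "200.0.0.50"), "10.0.50.2"),     # cached
        c.receive(SA("239.0.0.1", "10.11.4.2", "200.0.0.50"), "10.0.50.2"),      # input filter
        c.receive(SA("229.0.50.64", "24.0.50.64", "200.0.1.50"), "10.0.50.9"),   # default peer, RP permitted
        c.receive(SA("229.0.50.70", "24.0.50.70", "200.0.2.50"), "10.0.50.9"),   # RP denied -> RPF check fails
    ]
    c.set_sa_limit(2)                       # three entries are cached; none is discarded
    results.append(c.receive(SA("229.0.50.4", "24.0.50.4", "200.0.0.50"), "10.0.50.2"))  # SA limit
    cached_before_clear = len(c.cache)
    c.clear_sa_cache()                      # clear ip msdp sa-cache enforces the limit from here on
    results.append(c.receive(SA("229.0.50.4", "24.0.50.4", "200.0.0.50"), "10.0.50.2"))  # cached
    return c, results, cached_before_clear


if __name__ == "__main__":
    cache, outcome, before = demo()
    print(outcome, before, len(cache.cache), [r[2] for r in cache.rejected], sep="\n")
```

The order of the checks is the point: the inbound filter and the RPF check decide whether an SA is trusted at all, and only then does the limit bound how much state a peer can make the RP hold.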
Example of Verifying the System is not Advertising Local Sources In the following example, R1 stops advertising source 10.11.4.2. Because it is already in the SA cache of R3, the entry remains there until it expires.
[Router 1]
R1(conf)#do show run msdp
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 0
ip msdp sa-filter out 192.168.0.3 list mylocalfilter
R1(conf)#do show run acl
!
ip access-list extended mylocalfilter
 seq 5 deny ip host 239.0.0.1 host 10.11.4.
Output (S,G) filter: none
[Router 1]
R1(conf)#do show ip msdp peer
Peer Addr: 192.168.0.3 Local Addr: 0.0.0.0(0) Connect Source: Lo 0
State: Inactive Up/Down Time: 00:00:03
Timers: KeepAlive 30 sec, Hold time 75 sec
SourceActive packet count (in/out): 0/0
SAs learned from this peer: 0
SA Filtering:
Clearing Peer Statistics To clear the peer statistics, use the following command. • Reset the TCP connection to the peer and clear all peer statistics.
Input (S,G) filter: none
Output (S,G) filter: none
03:17:10 : MSDP-0: Peer 192.168.0.3, rcvd Keepalive msg
03:17:27 : MSDP-0: Peer 192.168.0.3, sent Source Active msg
MSDP with Anycast RP Anycast RP uses MSDP with PIM-SM to allow more than one active group to use RP mapping.
Figure 93. MSDP with Anycast RP Configuring Anycast RP To configure anycast RP: 1 In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2 Make this address the RP for the group. CONFIGURATION mode ip pim rp-address 3 In each routing domain that has multiple RPs serving a group, create another Loopback interface on each RP serving the group with a unique IP address.
4 Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source. CONFIGURATION mode ip msdp peer 5 Advertise the network of each of the unique Loopback addresses throughout the network. ROUTER OSPF mode network Reducing Source-Active Message Flooding RPs flood source-active messages to all of their peers away from the RP.
no shutdown ! router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 10.11.3.0/24 area 0 network 192.168.0.11/32 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 1 ip msdp peer 192.168.0.22 connect-source Loopback 1 ip msdp mesh-group AS100 192.168.0.22 ip msdp originator-id Loopback 1! ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4 The following shows an R2 configuration for MSDP with Anycast RP.
The following shows an R3 configuration for MSDP with Anycast RP. ip multicast-routing ! interface TenGigabitEthernet 0/21 ip pim sparse-mode ip address 10.11.0.32/24 no shutdown interface TenGigabitEthernet 0/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.
! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 192.168.0.1/32 area 0 network 10.11.3.0/24 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 0 ! ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4 MSDP Sample Configuration: R2 Running-Config ip multicast-routing ! interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.
ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface ManagementEthernet 0/0 ip address 10.11.80.3/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.3/32 area 0 redistribute static redistribute connected redistribute bgp 200 ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.2 remote-as 100 neighbor 192.168.0.2 ebgp-multihop 255 neighbor 192.168.0.
! interface TenGigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.21/24 no shutdown ! interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.0.23/24 no shutdown ! interface Loopback 0 ip address 192.168.0.2/32 no shutdown ! router ospf 1 network 10.11.1.0/24 area 0 network 10.11.4.0/24 area 0 network 192.168.0.2/32 area 0 redistribute static redistribute connected redistribute bgp 100 ! router bgp 100 redistribute ospf 1 neighbor 192.168.0.3 remote-as 200 neighbor 192.168.0.
 neighbor 192.168.0.2 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.1 connect-source Loopback 0
!
ip route 192.168.0.2/32 10.11.0.23

MSDP Sample Configuration: R4 Running-Config

ip multicast-routing
!
interface TenGigabitEthernet 0/21
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
!
interface TenGigabitEthernet 0/22
 ip address 10.10.42.1/24
 no shutdown
!
interface TenGigabitEthernet 0/31
 ip pim sparse-mode
 ip address 10.11.6.43/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.
32 Multiple Spanning Tree Protocol (MSTP)

Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.

Protocol Overview

In contrast, PVST+ allows a spanning tree instance for each VLAN.
• Influencing MSTP Root Selection
• Interoperate with Non-Dell Bridges
• Changing the Region Name or Revision
• Modifying Global Parameters
• Modifying the Interface Parameters
• Configuring an EdgePort
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations

Spanning Tree Variations

The Dell Networking OS supports four variations of spanning tree, as shown in the following table.

Table 57.
• Interoperate with Non-Dell Networking OS Bridges
• Changing the Region Name or Revision
• Modifying Global Parameters
• Modifying the Interface Parameters
• Configuring an EdgePort
• Flush MAC Addresses after a Topology Change
• Debugging and Verifying MSTP Configurations
• Prevent Network Disruptions with BPDU Guard
• Enabling SNMP Traps for Root Elections and Topology Changes

Enable Multiple Spanning Tree Globally

MSTP is not enabled by default.
msti
Specify the keyword vlan then the VLANs that you want to participate in the MSTI.

Examples of Creating and Viewing MSTP Instances

The following example shows using the msti command.

Dell(conf)#protocol spanning-tree mstp
Dell(conf-mstp)#msti 1 vlan 100
Dell(conf-mstp)#msti 2 vlan 200-300
Dell(conf-mstp)#show config
!
protocol spanning-tree mstp
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200-300

All bridges in the MSTP region must have the same VLAN-to-instance mapping.
• Assign a number as the bridge priority.
PROTOCOL MSTP mode
msti instance bridge-priority priority
A lower number increases the probability that the bridge becomes the root bridge. The range is from 0 to 61440, in increments of 4096. The default is 32768.

Example of Assigning and Verifying the Root Bridge Priority

By default, the simple configuration shown previously yields the same forwarding path for both MSTIs.
Example of the name Command

To view the current region name and revision, use the show spanning-tree mst configuration command from EXEC Privilege mode.

Dell(conf-mstp)#name my-mstp-region
Dell(conf-mstp)#exit
Dell(conf)#do show spanning-tree mst config
MST region name: my-mstp-region
Revision: 0
MSTI  VID
1     100
2     200-300

Modifying Global Parameters

The root bridge sets the values for forward-delay, hello-time, max-age, and max-hops and overwrites the values set on other MSTP bridges.
PROTOCOL MSTP mode
max-hops number
The range is from 1 to 40. The default is 20.

Example of the forward-delay Parameter

To view the current values for MSTP parameters, use the show running-config spanning-tree mstp command from EXEC Privilege mode.
spanning-tree msti number priority priority
The range is from 0 to 240, in increments of 16. The default is 128.
To view the current values for these interface parameters, use the show config command from INTERFACE mode.

Configuring an EdgePort

The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner.
Flush MAC Addresses after a Topology Change

The system has an optimized MAC address flush mechanism for RSTP, MSTP, and PVST+ that flushes addresses only when necessary, which allows for faster convergence during topology changes. However, you may activate the flushing mechanism defined by 802.1Q-2003 using the tc-flush-standard command, which flushes MAC addresses after every topology change notification.
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 1/31
 no ip address
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown

Router 2 Running-Configuration

This example uses the following steps:
1 Enable MSTP globally and set the region name and revision map MSTP instance
 tagged TenGigabitEthernet 2/11,31
 no shutdown

Router 3 Running-Configuration

This example uses the following steps:
1 Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2 Assign Layer-2 interfaces to the MSTP topology.
3 Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
spanning-tree MSTi vlan 2 300
(Step 2)
interface 1/0/31
 no shutdown
 spanning-tree port mode enable
 switchport protected 0
 exit
interface 1/0/32
 no shutdown
 spanning-tree port mode enable
 switchport protected 0
 exit
(Step 3)
interface vlan 100
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 200
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 300
 tagged 1/0/31
 tagged 1/0/32
 exit

Debugging and Verifying MSTP Configurations

To debug and verify MSTP configuration, use the following commands.
• Display BPDUs.
• Is the Region name blank? That may mean that a name was configured on one router but was not configured, or was configured differently, on another router (spelling and capitalization count).
• MSTP Instances. To verify the VLAN to MSTP instance mapping, use the show commands.
• Are there “extra” MSTP instances in the Sending or Received logs? This may mean that an additional MSTP instance was configured on one router but not the others.

The following example shows viewing an MSTP configuration.
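The checks in the list above (region name spelled and capitalized identically, same revision, same VLAN-to-instance mapping, no extra MSTIs) can be run mechanically against the output of show spanning-tree mst configuration collected from every bridge. The following is an added example, not code from the Dell guide: it parses outputs laid out like the guide's sample (region name, Revision, then an MSTI/VID table) and reports each bridge that disagrees with the first one. The three sample outputs are constructed; the hypothetical bridge sw3 has a differently capitalized region name and an extra MSTI.

```python
"""Cross-check MSTP region settings collected from several bridges.

Added example, not from the Dell guide. Parses 'show spanning-tree mst
configuration' output from each bridge and reports mismatches in region name
(case-sensitive), revision, and MSTI-to-VLAN mapping. Sample outputs below
are constructed.
"""
import re

# Constructed sample outputs: sw3 will not join sw1's region.
SAMPLES = {
    "sw1": "MST region name: my-mstp-region\nRevision: 0\nMSTI VID\n1 100\n2 200-300\n",
    "sw2": "MST region name: my-mstp-region\nRevision: 0\nMSTI VID\n1 100\n2 200-300\n",
    "sw3": "MST region name: My-MSTP-Region\nRevision: 0\nMSTI VID\n1 100\n2 200-300\n3 400\n",
}


def expand_vlans(spec):
    """Expand a VLAN list such as '100,200-300' into a frozenset of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            vlans.update(range(low, high + 1))
        else:
            vlans.add(int(part))
    return frozenset(vlans)


def parse_mst_config(text):
    """Return {'name': str, 'revision': int|None, 'msti': {instance: vlans}}."""
    cfg = {"name": "", "revision": None, "msti": {}}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"MST region name:\s*(.*)$", line)
        if m:
            cfg["name"] = m.group(1).strip()
            continue
        m = re.match(r"Revision:\s*(\d+)$", line)
        if m:
            cfg["revision"] = int(m.group(1))
            continue
        if line.startswith("MSTI"):
            in_table = True  # header row of the MSTI/VID table
            continue
        m = re.match(r"(\d+)\s+([\d,\-\s]+)$", line)
        if in_table and m:
            cfg["msti"][int(m.group(1))] = expand_vlans(m.group(2).replace(" ", ""))
    return cfg


def find_mismatches(outputs):
    """Compare every bridge against the first one; return [(bridge, problem), ...]."""
    names = list(outputs)
    parsed = {n: parse_mst_config(outputs[n]) for n in names}
    ref_name, ref = names[0], parsed[names[0]]
    problems = []
    for n in names[1:]:
        cur = parsed[n]
        if not cur["name"]:
            problems.append((n, "region name is blank"))
        elif cur["name"] != ref["name"]:  # exact, case-sensitive comparison
            problems.append((n, "region name %r differs from %r on %s"
                             % (cur["name"], ref["name"], ref_name)))
        if cur["revision"] != ref["revision"]:
            problems.append((n, "revision %r differs from %r on %s"
                             % (cur["revision"], ref["revision"], ref_name)))
        for inst in sorted(set(cur["msti"]) - set(ref["msti"])):
            problems.append((n, "extra MSTI %d not configured on %s" % (inst, ref_name)))
        for inst in sorted(set(ref["msti"]) - set(cur["msti"])):
            problems.append((n, "MSTI %d from %s is missing" % (inst, ref_name)))
        for inst in sorted(set(cur["msti"]) & set(ref["msti"])):
            if cur["msti"][inst] != ref["msti"][inst]:
                problems.append((n, "MSTI %d maps different VLANs than on %s" % (inst, ref_name)))
    return problems


if __name__ == "__main__":
    for bridge, problem in find_mismatches(SAMPLES):
        print("%s: %s" % (bridge, problem))
```

The comparison of the region name is deliberately case-sensitive, because the guide notes that capitalization counts; a bridge whose name differs only in case forms its own region and the topology splits exactly as if the name were misspelled.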
33 Multicast Features

The Dell Networking OS supports the following multicast protocols:
• PIM Sparse-Mode (PIM-SM)
• Internet Group Management Protocol (IGMP)
• Multicast Source Discovery Protocol (MSDP)

Topics:
• Enabling IP Multicast
• Implementation Information
• First Packet Forwarding for Lossless Multicast
• Multicast Policies
• Understanding Multicast Traceroute (mtrace)
• Printing Multicast Traceroute (mtrace) Paths
• Supported Error Codes
• mtrace Scenarios

Enabling IP Multic
Protocol  Ethernet Address
NTP       01:00:5e:00:01:01
VRRP      01:00:5e:00:00:12
PIM-SM    01:00:5e:00:00:0d

• The Dell Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm.
• Multicast is not supported on secondary IP addresses.
• Egress L3 ACL is not applied to multicast data traffic if you enable multicast routing.

First Packet Forwarding for Lossless Multicast

All initial multicast packets are forwarded to receivers to achieve lossless multicast.
When the multicast route limit is reached, Dell Networking OS displays the following:

3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB limit reached. No new routes will be learnt until TIB level falls below low watermark.
3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB below low watermark. Route learning will begin.

To limit the number of multicast routes, use the following command.
• Limit the total number of multicast routes on the system.
Figure 96. Preventing a Host from Joining a Group

Table 59. Preventing a Host from Joining a Group — Description

Location  Description
1/21      Interface GigabitEthernet 1/21
          ip pim sparse-mode
          ip address 10.11.12.1/24
          no shutdown
1/31      Interface GigabitEthernet 1/31
          ip pim sparse-mode
          ip address 10.11.13.
Location  Description
          ip pim sparse-mode
          ip address 10.11.1.1/24
          no shutdown
2/11      Interface GigabitEthernet 2/11
          ip pim sparse-mode
          ip address 10.11.12.2/24
          no shutdown
2/31      Interface GigabitEthernet 2/31
          ip pim sparse-mode
          ip address 10.11.23.1/24
          no shutdown
3/1       Interface GigabitEthernet 3/1
          ip pim sparse-mode
          ip address 10.11.5.1/24
          no shutdown
3/11      Interface GigabitEthernet 3/11
          ip pim sparse-mode
          ip address 10.11.13.
• Limit the rate at which new groups can be joined.
INTERFACE mode
ip igmp group-join-limit
To view the enable status of this feature, use the show ip igmp interface command from EXEC Privilege mode.

Preventing a PIM Router from Forming an Adjacency

To prevent a router from participating in PIM (for example, to configure stub multicast routing), use the following command.
• Prevent a router from participating in protocol independent multicast (PIM).
Figure 97. Preventing a Source from Transmitting to a Group

Table 60. Preventing a Source from Transmitting to a Group — Description

Location  Description
1/21      Interface GigabitEthernet 1/21
          ip pim sparse-mode
          ip address 10.11.12.1/24
          no shutdown
1/31      Interface GigabitEthernet 1/31
          ip pim sparse-mode
          ip address 10.11.13.
Location  Description
          ip pim sparse-mode
          ip address 10.11.1.1/24
          no shutdown
2/11      Interface GigabitEthernet 2/11
          ip pim sparse-mode
          ip address 10.11.12.2/24
          no shutdown
2/31      Interface GigabitEthernet 2/31
          ip pim sparse-mode
          ip address 10.11.23.1/24
          no shutdown
3/1       Interface GigabitEthernet 3/1
          ip pim sparse-mode
          ip address 10.11.5.1/24
          no shutdown
3/11      Interface GigabitEthernet 3/11
          ip pim sparse-mode
          ip address 10.11.13.
Preventing a PIM Router from Processing a Join

To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command.
NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
Important Points to Remember

• Destination address of the mtrace query message can be either a unicast or a multicast address.
NOTE: When you use mtrace to trace a specific multicast group, the query is sent with the group's address as the destination. Retries of the query use the unicast address of the receiver.
• When you issue an mtrace without specifying a group address (weak mtrace), the destination address is considered as the unicast address of the receiver.
• Source Network/Mask — source mask

Example of the mtrace Command to View the Network Path

The following is an example of tracing a multicast route.

R1>mtrace 103.103.103.3 1.1.1.1 226.0.0.3
Type Ctrl-C to abort.
Querying reverse path for source 103.103.103.3 to destination 1.1.1.1 via group 226.0.0.
The response data block filled in by the last-hop router contains a Forwarding code field. Forwarding code can be added at any node and is not restricted to the last hop router. This field is used to record error codes before forwarding the response to the next neighbor in the path towards the source. In a response data packet, the following error codes are supported: Table 62.
Scenario  Output
-4 103.103.103.3 --> Source
-----------------------------------------------------------------

You can issue the mtrace command specifying the source multicast tree and multicast group without specifying the destination. Mtrace traces the complete path traversing through the multicast group to reach the source. The output displays the destination and the first hop (-1) as 0 to indicate any PIM enabled interface on the node.

R1>mtrace 103.103.103.3 1.1.1.1 226.0.0.3
Type Ctrl-C to abort.
103.103.103.0/24
-3 2.2.2.1 PIM 103.103.103.0/24
-4 103.103.103.3 --> Source
-----------------------------------------------------------------

You can issue the mtrace command by providing the source and multicast information. However, if the multicast group is a shared group (*,G), then mtrace traces the path of the shared tree until it reaches the RP. The source mask field reflects the shared tree that is being used to trace the path.
-3 10.10.10.1 PIM No route default
-----------------------------------------------------------------

If a multicast tree is not formed due to a configuration issue (for example, PIM is not enabled on one of the interfaces on the path), you can invoke a weak mtrace to identify the location in the network where the error has originated.

R1>mtrace 6.6.6.6 4.4.4.5
Type Ctrl-C to abort.
-3 2.2.2.1 PIM 99.99.0.0/16
-4 * * * *
-----------------------------------------------------------------

If there is no response for mtrace even after switching to expanded hop search, the command displays an error message.

R1>mtrace 99.99.99.99 1.1.1.1
Type Ctrl-C to abort.

While traversing the path from source to destination, if the mtrace packet exhausts the maximum buffer size of the packet, then NO SPACE error is displayed in the output.
scenario, a corresponding error message is displayed.

---------------------------------------------------------------
|Hop| OIF IP |Proto| Forwarding Code |Source Network/ Mask|
---------------------------------------------------------------
0   4.4.4.5     --> Destination
-1  4.4.4.4     PIM                     6.6.6.0/24
-2  20.20.20.2  PIM                     6.6.6.0/24
-3  10.10.10.1  PIM   Wrong interface   6.6.6.0/24
---------------------------------------------------------------
R1>mtrace 6.6.6.6 4.4.4.5
Type Ctrl-C to abort.
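The scenarios above all come down to reading the Forwarding Code column and finding the first hop, counted back from the destination, that either reports an error (such as Wrong interface or No route) or never answers at all (the "* * * *" row). The following is an added example, not code from the Dell guide: it parses the hop table mtrace prints and returns that hop, so the output of many traces can be triaged without reading each one. The two sample outputs are constructed from the rows shown in the scenarios.

```python
"""Locate the failing hop in Dell Networking OS mtrace output.

Added example, not from the Dell guide. Parses the hop table (Hop, OIF IP,
Proto, Forwarding Code, Source Network/Mask) and reports the first hop whose
Forwarding Code is set, or that never answered ('* * * *'). The sample
outputs are constructed from the rows shown in the guide's scenarios.
"""

# Constructed sample modelled on the 'Wrong interface' scenario.
SAMPLE_WRONG_INTERFACE = """\
R1>mtrace 6.6.6.6 4.4.4.5
Type Ctrl-C to abort.
---------------------------------------------------------------
|Hop| OIF IP |Proto| Forwarding Code |Source Network/ Mask|
---------------------------------------------------------------
0   4.4.4.5     --> Destination
-1  4.4.4.4     PIM                     6.6.6.0/24
-2  20.20.20.2  PIM                     6.6.6.0/24
-3  10.10.10.1  PIM   Wrong interface   6.6.6.0/24
---------------------------------------------------------------
"""

# Constructed sample for a hop that never answered the query.
SAMPLE_NO_RESPONSE = """\
0   1.1.1.1  --> Destination
-1  1.1.1.2  PIM  99.99.0.0/16
-2  2.2.2.2  PIM  99.99.0.0/16
-3  2.2.2.1  PIM  99.99.0.0/16
-4  * * * *
"""


def parse_mtrace(text):
    """Return a list of hop dicts in the order printed (destination first)."""
    hops = []
    for raw in text.splitlines():
        tokens = raw.split()
        # Hop rows start with 0 or a negative hop count; prompts, rules and
        # the header row do not, so they are skipped.
        if not tokens or not tokens[0].lstrip("-").isdigit():
            continue
        hop = {"hop": int(tokens[0]), "oif": tokens[1], "proto": None,
               "code": "", "source": None, "endpoint": None}
        if tokens[1] == "*":
            hop["oif"] = None
            hop["code"] = "No response"           # the '* * * *' row
        elif len(tokens) >= 4 and tokens[2] == "-->":
            hop["endpoint"] = tokens[3]           # 'Destination' or 'Source'
        elif len(tokens) >= 4:
            hop["proto"] = tokens[2]
            hop["source"] = tokens[-1]            # network/mask or 'default'
            hop["code"] = " ".join(tokens[3:-1])  # multi-word code, may be empty
        hops.append(hop)
    return hops


def first_problem_hop(hops):
    """Return the first hop, walking back from the destination, that carries a
    forwarding code or gave no response; None when the trace is clean."""
    for hop in hops:
        if hop["code"]:
            return hop
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_WRONG_INTERFACE, SAMPLE_NO_RESPONSE):
        bad = first_problem_hop(parse_mtrace(sample))
        print("hop %d at %s: %s" % (bad["hop"], bad["oif"], bad["code"]))
```

Because mtrace walks the reverse path, the first flagged hop is the router closest to the receiver that could not continue the trace; the configuration problem (a missing ip pim sparse-mode, for instance) is on that router or its upstream interface, which is where the guide's weak-mtrace scenario sends you to look.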
34 Object Tracking

IPv4 or IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking operating system (OS) client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes.
Figure 98. Object Tracking Example

When you configure a tracked object, such as an IPv4 or IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
• UP and DOWN thresholds used to report changes in a route metric.
• A time delay before changes in a tracked object’s state are reported to a client.

Track Layer 2 Interfaces

You can create an object to track the line-protocol state of a Layer 2 interface.
Track IPv4 and IPv6 Routes

You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4 or IPv6 address and prefix-length. Optionally specify a tracked route by a virtual routing and forwarding (VRF) instance name if the tracked route is part of a VRF. The next-hop address is not part of the definition of the tracked object.
• 2 ISIS routes - 1 to 1000. The default is 1.
• OSPF routes - 1 to 1592. The default is 1.
Configure object tracking on the metric of an IPv4 or IPv6 route.
CONFIGURATION mode
track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} metric threshold [vrf vrf-name]
Valid object IDs are from 1 to 65535. Enter an IPv4 address in dotted decimal format. Valid IPv4 prefix lengths are from /0 to /32. Enter an IPv6 address in X:X:X:X::X format.
The following example configures object tracking on the metric threshold of an IPv6 route.

Dell(conf)#track 8 ipv6 route 2::/64 metric threshold
Dell(conf-track-8)#threshold metric up 30
Dell(conf-track-8)#threshold metric down 40

Track Route Reachability

If you configure the reachability of an IP route entry as a tracked object, the UP/DOWN state of the route is determined by the entry of the next-hop address in the ARP cache.
Examples of IPv4 and IPv6 Tracking Route Reachability

The following example configures object tracking on the reachability of an IPv4 route.

Dell(conf)#track 104 ip route 10.0.0.0/8 reachability
Dell(conf-track-104)#delay up 20 down 10
Dell(conf-track-104)#end
Dell#show track 104
Track 104
 IP route 10.0.0.0/8 reachability
 Reachability is Down (route not in route table)
 2 changes, last change 00:02:49
 Tracked by:
Dell#configure
Dell(conf)#track 4 ip route 3.1.1.
Object Tracking Configuration

You can configure three types of object tracking for a client.
• Track Layer 2 Interfaces
• Track Layer 3 Interfaces
• Track IPv4 and IPv6 Routes
For a complete listing of all commands related to object tracking, refer to the Dell Networking OS Command Line Interface Reference Guide.

Tracking a Layer 2 Interface

You can create an object that tracks the line-protocol state of a Layer 2 interface and monitors its operational status (UP or DOWN).
Example of Configuring Object Tracking

Dell(conf)#track 100 interface tengigabitethernet 7/1/1 line-protocol
Dell(conf-track-100)#delay up 20
Dell(conf-track-100)#description San Jose data center
Dell(conf-track-100)#end
Dell#show track 100
Track 100
 Interface TenGigabitEthernet 7/1/1 line-protocol
 Description: San Jose data center

Tracking a Layer 3 Interface

You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface.
The text string can be up to 80 characters.
4 (Optional) Display the tracking configuration and the tracked object’s status.
EXEC Privilege mode
show track object-id

Examples of Configuring Object Tracking for an IPv4 or IPv6 Interface

Example of configuring object tracking for an IPv4 interface.
Track 3
 IPv6 route 2050::/64 reachability
 Reachability is Up (STATIC)
 5 changes, last change 00:02:16
 First-hop interface is GigabitEthernet 13/2
 Tracked by:
  VRRP GigabitEthernet 7/30 IPv6 VRID 1
Track 4
 Interface GigabitEthernet 13/4 ip routing
 IP routing is Up
 3 changes, last change 00:03:30
 Tracked by:

Example of the show track brief command.

Router# show track brief
ResId  Resource               Parameter     State  LastChange
1      IP route reachability  10.16.0.0/16

Example of the show track resolution command.
35 Open Shortest Path First (OSPFv2 and OSPFv3)

This chapter describes how to configure and use Open Shortest Path First (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6).
NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3. This chapter identifies and clarifies the differences between the two versions of OSPF. Except where identified, the information in this chapter applies to both protocol versions.
Figure 99. Autonomous System Areas

Area Types

The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers. The backbone is the only area with a default area number.
Networks and Neighbors

As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Figure 100. OSPF Routing Examples

Backbone Router (BR)

A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example.

Area Border Router (ABR)

Within an AS, an area border router (ABR) connects one or more areas to the backbone.
An ABR can connect to many areas in an AS, and is considered a member of each area it connects to.

Autonomous System Border Router (ASBR)

The autonomous system border area router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a non-interior gateway protocol (IGP) such as BGP or uses static routes.
• Type 7: External LSA — Routers in an NSSA do not receive external LSAs from ABRs, but are allowed to send external routing information for redistribution. They use Type 7 LSAs to tell the ABRs about these external routes, which the ABR then translates to Type 5 external LSAs and floods as normal to the rest of the OSPF network.
• Type 8: Link LSA (OSPFv3) — This LSA carries the IPv6 address information of the local links.
• Priority is a numbered rating 0 to 255. The higher the number, the higher the priority.
• Cost is a numbered rating 1 to 65535. The higher the number, the greater the cost. The cost assigned reflects the cost should the router fail. When a router fails and the cost is assessed, a new priority number results.

Figure 101. Priority and Cost Examples

OSPF Implementation

The Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2.
• Grace LSA, OSPFv3 only (type 11)

Fast Convergence (OSPFv2, IPv4 Only)

Fast convergence allows you to define the speeds at which LSAs are originated and accepted, and reduce OSPFv2 end-to-end convergence time. The system allows you to accept and originate LSAs as soon as they are available to speed up route information propagation.
NOTE: The faster the convergence, the more frequent the route calculations and updates. This impacts CPU utilization and may impact adjacency stability in larger topologies.
Examples of OSPF Flooding Behavior

To confirm RFC 2328 flooding behavior, use the debug ip ospf packet command. The following example shows no change in the updated packets (shown in bold). Acks 2 (shown in bold) is printed only for ACK packets.

00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2
 aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 1000
 LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.0 seq:0x8000000c
 LSType:Type-5 AS External id:160.1.2.0 adv:6.1.0.
Examples of Setting and Viewing a Dead Interval

In the following example, the dead interval is set at 4x the hello interval (shown in bold).

Dell(conf)#int te 2/2
Dell(conf-if-te-2/2)#ip ospf hello-interval 20
Dell(conf-if-te-2/2)#ip ospf dead-interval 80
Dell(conf-if-te-2/2)#

In the following example, the dead interval is set at 4x the hello interval (shown in bold).
• Troubleshooting OSPFv2

1 Configure a physical interface. Assign an IP address, physical or Loopback, to the interface to enable Layer 3 routing.
2 Enable OSPF globally. Assign network area and neighbors.
3 Add interfaces or configure other attributes.

For a complete list of the OSPF commands, refer to the OSPF section in the Dell Networking OS Command Line Reference Guide document.

Enabling OSPFv2

To enable Layer 3 routing, assign an IP address to an interface (physical or Loopback).
CONFIG-ROUTER-OSPF-id mode
router-id ip address
• Disable OSPF.
CONFIGURATION mode
no router ospf process-id
• Reset the OSPFv2 process.
EXEC Privilege mode
clear ip ospf process-id
• View the current OSPFv2 status.
EXEC mode
show ip ospf process-id

Example of Viewing the Current OSPFv2 Status

Dell#show ip ospf 55555
Routing Process ospf 55555 with ID 10.10.10.
If you try to enable more OSPF processes than available Layer 3 interfaces, the following message displays:

Dell(conf)#router ospf 1
% Error: No router ID available.

Assigning an OSPFv2 Area

After you enable OSPFv2, assign the interface to an OSPF area. Set up OSPF areas and enable OSPFv2 on an interface with the network command. You must have at least one AS area: Area 0. This is the backbone area. If your OSPF network contains more than one area, configure a backbone area (Area ID 0.0.0.0).
Dell Networking recommends using the interface IP addresses for the OSPFv2 router ID for easier management and troubleshooting. To view the configuration, use the show config command in CONFIGURATION ROUTER OSPF mode. OSPF, by default, sends hello packets out to all physical interfaces assigned an IP address that is a subset of a network on which OSPF is enabled. To view currently active interfaces and the areas assigned to them, use the show ip ospf interface command.
To ensure connectivity in your OSPFv2 network, never configure the backbone area as a stub area. To configure a stub area, use the following commands.
1 Review all areas after they were configured to determine which areas are NOT receiving type 5 LSAs.
EXEC Privilege mode
show ip ospf process-id [vrf] database database-summary
2 Enter CONFIGURATION mode.
EXEC Privilege mode
configure
3 Enter ROUTER OSPF mode.
2 Specify the interval for LSA acceptance.
CONFIG-ROUTER-OSPF-id mode
timers throttle lsa all arrival-time

Enabling Passive Interfaces

A passive interface is one that does not send or receive routing information. Enabling passive interface suppresses routing updates on an interface. Although the passive interface does not send or receive routing updates, the network on that interface is still included in OSPF updates sent via other interfaces.
Enabling Fast-Convergence

The fast-convergence CLI sets the minimum origination and arrival LSA parameters to zero (0), allowing rapid route calculation. When you disable fast-convergence, origination and arrival LSA parameters are set to 5 seconds and 1 second, respectively. Setting the convergence parameter (from 1 to 4) indicates the actual convergence level.
Changing OSPFv2 Parameters on Interfaces

You can modify the OSPF configuration on switch interfaces. Some interface parameter values must be consistent across all interfaces to avoid routing errors. For example, set the same time interval for the hello packets on all routers in the OSPF network to prevent misconfiguration of OSPF neighbors. To change OSPFv2 parameters on the interfaces, use any or all of the following commands.
• Change the cost associated with OSPF traffic on the interface.
• seconds: the range is from 1 to 65535 (the default is 5 seconds). The retransmit interval must be the same on all routers in the OSPF network.
• Change the wait period between link state update packets sent out the interface.
CONFIG-INTERFACE mode
ip ospf transmit-delay seconds
• seconds: the range is from 1 to 65535 (the default is 1 second). The transmit delay must be the same on all routers in the OSPF network.
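The requirement that hello, dead, retransmit and transmit-delay timers match on every router in the OSPF network is easy to state and easy to break on one interface out of many, and a mismatch shows up as an adjacency that will not form or that flaps. The following is an added example, not code from the Dell guide: it reads the ip ospf timer commands from each interface block of several running-configs, fills in defaults for timers that are not set (assumed here as hello 10 s and dead 40 s, with retransmit 5 s and transmit delay 1 s as stated above), flags a dead interval that is not 4x the hello interval as the guide's example sets it, and flags any timer value that differs from the value the other routers use. The running-config snippets are constructed.

```python
"""Audit OSPFv2 interface timers across several routers' running-configs.

Added example, not from the Dell guide. Defaults assumed for unset timers:
hello 10 s, dead 40 s, retransmit 5 s, transmit delay 1 s. Findings: a dead
interval that is not 4x hello, and any timer differing between routers.
The config snippets are constructed.
"""
import re

DEFAULTS = {"hello-interval": 10, "dead-interval": 40,
            "retransmit-interval": 5, "transmit-delay": 1}

# Constructed snippets: R1 and R2 agree; R3 left hello at its default but
# copied the dead interval, so its timers no longer line up with its peers.
CONFIGS = {
    "R1": "interface TenGigabitEthernet 2/2\n ip address 10.1.1.1/24\n"
          " ip ospf hello-interval 20\n ip ospf dead-interval 80\n no shutdown\n!\n",
    "R2": "interface TenGigabitEthernet 3/1\n ip address 10.1.1.2/24\n"
          " ip ospf hello-interval 20\n ip ospf dead-interval 80\n no shutdown\n!\n",
    "R3": "interface TenGigabitEthernet 1/1\n ip address 10.1.1.3/24\n"
          " ip ospf dead-interval 80\n no shutdown\n!\n",
}

TIMER_RE = re.compile(
    r"^\s+ip ospf (hello-interval|dead-interval|retransmit-interval|transmit-delay)\s+(\d+)")


def parse_ospf_timers(config):
    """Return {interface_name: {timer: seconds}} with defaults applied."""
    result = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(.+?)\s*$", line)
        if m:
            current = m.group(1)
            result[current] = dict(DEFAULTS)
            continue
        m = TIMER_RE.match(line)
        if m and current:
            result[current][m.group(1)] = int(m.group(2))
        elif line.startswith("!"):
            current = None  # end of the interface block
    return result


def audit_timers(configs):
    """Return a list of findings as (router, interface, message)."""
    findings = []
    seen = {t: {} for t in DEFAULTS}   # timer -> {value: [(router, iface), ...]}
    for router, config in configs.items():
        for iface, timers in parse_ospf_timers(config).items():
            if timers["dead-interval"] != 4 * timers["hello-interval"]:
                findings.append((router, iface, "dead-interval %d is not 4x hello-interval %d"
                                 % (timers["dead-interval"], timers["hello-interval"])))
            for timer, value in timers.items():
                seen[timer].setdefault(value, []).append((router, iface))
    # A timer with more than one distinct value is a mismatch; report the
    # minority value(s) against the value most interfaces use.
    for timer, by_value in seen.items():
        if len(by_value) > 1:
            majority = max(by_value, key=lambda v: len(by_value[v]))
            for value, where in by_value.items():
                if value != majority:
                    for router, iface in where:
                        findings.append((router, iface, "%s %d differs from %d used elsewhere"
                                         % (timer, value, majority)))
    return findings


if __name__ == "__main__":
    for router, iface, message in audit_timers(CONFIGS):
        print("%s %s: %s" % (router, iface, message))
```

The audit treats every interface in the input as belonging to the same OSPF network, which matches the guide's wording; for a deployment with deliberately different timers per segment, group the configs by segment before calling audit_timers.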
The default is 0 seconds.

Creating Filter Routes

To filter routes, use prefix lists. OSPF applies prefix lists to incoming or outgoing routes. Incoming routes must meet the conditions of the prefix lists. If they do not, OSPF does not add the route to the routing table. Configure the prefix list in CONFIGURATION PREFIX LIST mode prior to assigning it to the OSPF process.
• Create a prefix list and assign it a unique name.
CONFIGURATION mode
ip prefix-list prefix-name
• You are in PREFIX LIST mode.
• bgp, connected, isis, rip, static: enter one of the keywords to redistribute those routes.
• metric metric-value: the range is from 0 to 4294967295.
• metric-type metric-type: 1 for OSPF external route type 1. 2 for OSPF external route type 2.
• route-map map-name: enter a name of a configured route map.
• tag tag-value: the range is from 0 to 4294967295.
• View the configuration of OSPF neighbors connected to the local router.
EXEC Privilege mode
show ip ospf neighbor
• View the LSAs currently in the queue.
EXEC Privilege mode
show ip ospf timers rate-limit
• View debug messages.
EXEC Privilege mode
debug ip ospf process-id [event | packet | spf | database-timers rate-limit]
To view debug messages for a specific OSPF process ID, use the debug ip ospf process-id command. If you do not enter a process ID, the command applies to the first OSPF process.
Figure 102. Basic Topology and CLI Commands for OSPFv2

OSPF Area 0 — Te 1/1 and 1/2
router ospf 11111
 network 10.0.11.0/24 area 0
 network 10.0.12.0/24 area 0
 network 192.168.100.0/24 area 0
!
interface TengigabitEthernet 1/1
 ip address 10.1.11.1/24
 no shutdown
!
interface TengigabitEthernet 1/2
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown

OSPF Area 0 — Te 3/1 and 3/2
router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.
OSPF Area 0 — Te 2/1 and 2/2
router ospf 22222
 network 192.168.100.0/24 area 0
 network 10.2.21.0/24 area 0
 network 10.2.22.0/24 area 0
!
interface Loopback 20
 ip address 192.168.100.20/24
 no shutdown
!
interface TengigabitEthernet 2/1
 ip address 10.2.21.2/24
 no shutdown
!
interface TengigabitEthernet 2/2
 ip address 10.2.22.2/24
 no shutdown

Configuration Task List for OSPFv3 (OSPF for IPv6)

This section describes the configuration tasks for Open Shortest Path First version 3 (OSPF for IPv6) on the switch.
 timers spf 2 5 msec
Dell(conf-ipv6-router_ospf)#
Dell(conf-ipv6-router_ospf)#end
Dell#

Enabling IPv6 Unicast Routing

To enable IPv6 unicast routing, use the following command.
• Enable IPv6 unicast routing globally.
CONFIGURATION mode
ipv6 unicast routing

Assigning IPv6 Addresses on an Interface

To assign IPv6 addresses to an interface, use the following commands.
1 Assign an IPv6 address to the interface.
Assigning OSPFv3 Process ID and Router ID Globally

To assign, disable, or reset OSPFv3 globally, use the following commands.
• Enable the OSPFv3 process globally and enter OSPFv3 mode.
CONFIGURATION mode
ipv6 router ospf {process ID}
The range is from 0 to 65535.
• Assign the router ID for this OSPFv3 process.
CONF-IPV6-ROUTER-OSPF mode
router-id {number}
number: the IPv4 address. The format is A.B.C.D.
NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address.
• Disable OSPF.
CONFIGURATION mode
no ipv6 router ospf process-id
• Reset the OSPFv3 process.
EXEC Privilege mode
clear ipv6 ospf process

Configuring the Cost of OSPFv3 Routes

Change in bandwidth directly affects the cost of OSPF routes.
• Explicitly specify the cost of sending a packet on an interface.
INTERFACE mode
ipv6 ospf interface-cost
• interface-cost: The range is from 1 to 65535. Default cost is based on the bandwidth.
• For a port channel, enter the keywords port-channel then a number from 1 to 255 (for example, passive-interface po 100).
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information (for example, passive-interface ten 2/3).
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information (for example, passive-interface ten 2/4).
OSPFv3 Authentication Using IPsec

OSPFv3 uses OSPFv3 authentication using IP security (IPsec) to provide authentication for OSPFv3 packets. IPsec authentication ensures security in the transmission of OSPFv3 packets between IPsec-enabled routers. IPsec is a set of protocols developed by the internet engineering task force (IETF) to support secure exchange of packets at the IP layer. IPsec supports two encryption modes: transport and tunnel.
• Manual key configuration is supported in an authentication or encryption policy (dynamic key configuration using the internet key exchange [IKE] protocol is not supported).
• In an OSPFv3 authentication policy:
  • AH is used to authenticate OSPFv3 headers and certain fields in IPv6 headers and extension headers.
  • MD5 and SHA1 authentication types are supported; encrypted and unencrypted keys are supported.
• In an OSPFv3 encryption policy:
  • Both encryption and authentication are used.
show crypto ipsec policy
• Display the security associations set up for OSPFv3 interfaces in authentication policies.
show crypto ipsec sa ipv6

Configuring IPsec Encryption on an Interface

To configure, remove, or display IPsec encryption on an interface, use the following commands.
If you have enabled IPSec encryption in an OSPFv3 area using the area encryption command, you cannot use the area authentication command in the area at the same time. The configuration of IPSec authentication on an interface-level takes precedence over an area-level configuration. If you remove an interface configuration, an area authentication policy that has been configured is applied to the interface. • Enable IPSec authentication for OSPFv3 packets in an area.
• key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information. The required lengths of a non-encrypted or encrypted key are: 3DES - 48 or 96 hex digits; DES - 16 or 32 hex digits; AES-CBC - 32 or 64 hex digits for AES-128 and 48 or 96 hex digits for AES-192.
• key-encryption-type: (optional) specifies if the key is encrypted. Valid values: 0 (key is not encrypted) or 7 (key is encrypted).
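A configuration pre-check for the key rules above, added here as an example; it is not Dell Networking OS code and does not talk to a switch. The algorithm names used as dictionary keys, the reading of each "X or Y" length pair as (key-encryption-type 0 length, key-encryption-type 7 length), and the sample keys are assumptions of the example. The second function checks the rule that every neighboring router must carry the same key.

```python
import re

# Required key lengths in hex digits for the OSPFv3 IPsec encryption policy, as
# listed in the guide. Pairing the shorter length with key-encryption-type 0 and
# the longer one with key-encryption-type 7 is this example's assumption.
REQUIRED_HEX_DIGITS = {
    "3des":        (48, 96),
    "des":         (16, 32),
    "aes-cbc-128": (32, 64),
    "aes-cbc-192": (48, 96),
}

HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")


def validate_ipsec_key(algorithm, key, key_encryption_type=0):
    """Check one key before it is typed into the area/interface encryption command.

    Returns (ok, reason). key_encryption_type follows the guide:
    0 = key is not encrypted, 7 = key is encrypted.
    """
    alg = algorithm.lower()
    if alg not in REQUIRED_HEX_DIGITS:
        return False, "unknown encryption algorithm %r" % algorithm
    if key_encryption_type not in (0, 7):
        return False, "key-encryption-type must be 0 or 7"
    if not HEX_ONLY.match(key):
        return False, "key must contain hex digits only"
    plain_len, enc_len = REQUIRED_HEX_DIGITS[alg]
    expected = plain_len if key_encryption_type == 0 else enc_len
    if len(key) != expected:
        return False, "%s with key-encryption-type %d needs %d hex digits, got %d" % (
            algorithm, key_encryption_type, expected, len(key))
    return True, "ok"


def key_mismatches(neighbor_keys):
    """All neighboring OSPFv3 routers must share the same key.

    neighbor_keys maps router name -> configured key. Returns the names of the
    routers whose key differs from the majority key (empty when all agree).
    """
    if not neighbor_keys:
        return []
    counts = {}
    for k in neighbor_keys.values():
        counts[k] = counts.get(k, 0) + 1
    majority = max(counts, key=counts.get)
    return sorted(name for name, k in neighbor_keys.items() if k != majority)


if __name__ == "__main__":
    # Constructed sample keys for illustration only; not taken from any device.
    print(validate_ipsec_key("des", "0123456789abcdef"))
    print(validate_ipsec_key("aes-cbc-128", "ab" * 16, key_encryption_type=7))
    print(key_mismatches({"r1": "ab" * 16, "r2": "ab" * 16, "r3": "cd" * 16}))
```

Run the check on every router's intended key before the change window; a length or hex mistake on one router shows up as a silent neighbor loss on the wire, which is harder to diagnose than a rejected string at the prompt.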
Policy refcount      : 2
Inbound AH SPI       : 500 (0x1F4)
Outbound AH SPI      : 500 (0x1F4)
Inbound AH Key       : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Outbound AH Key      : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Transform set        : ah-md5-hmac
Crypto IPSec client security policy data
Policy name          : OSPFv3-0-501
Policy refcount      : 1
Inbound ESP SPI      : 501 (0x1F5)
Outbound ESP SPI     : 501 (0x1F5)
Inbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb
Troubleshooting OSPFv3
The system provides several tools to troubleshoot OSPFv3 operation on the switch. This section describes typical OSPFv3 troubleshooting scenarios.
NOTE: The following troubleshooting section is not meant to be a comprehensive list, but only to provide examples of typical troubleshooting checks.
• For a 40-Gigabit Ethernet interface, enter the keyword FortyGigabitEthernet then the slot/port information (for example, passive-interface fo 2/3).
• For a VLAN, enter the keyword vlan then a number from 1 to 4094 (for example, passive-interface vlan 2222). The system supports up to 4094 VLANs.
36 Per-VLAN Spanning Tree Plus (PVST+)
Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Protocol Overview
A sample PVST+ topology is shown below. For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter.
Figure 103.
Table 64. Spanning Tree Versions Supported
Dell Networking Term                       IEEE Specification
Spanning Tree Protocol (STP)               802.1d
Rapid Spanning Tree Protocol (RSTP)        802.1w
Multiple Spanning Tree Protocol (MSTP)     802.1s
Per-VLAN Spanning Tree Plus (PVST+)        Third Party
Implementation Information
• The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w.
• The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table).
Disabling PVST+
To disable PVST+ globally or on an interface, use the following commands.
• Disable PVST+ globally.
  PROTOCOL PVST mode
  disable
• Disable PVST+ on an interface, or remove a PVST+ parameter configuration.
  INTERFACE mode
  no spanning-tree pvst
Example of Viewing PVST+ Configuration
To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Figure 104. Load Balancing with PVST+
The bridge with the lowest value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign it a low, non-default value for bridge priority. To assign a bridge priority, use the following command.
• Assign a bridge priority.
Number of topology changes 5, last change occurred 00:34:37 ago on Te 1/32
Port 375 (TengigabitEthernet 1/22) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.375
Designated root has priority 4096, address 0001.e80d.b6:d6
Designated bridge has priority 4096, address 0001.e80d.b6:d6
Designated port id is 128.
Modifying Interface PVST+ Parameters
You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port.
• Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority — influences the likelihood that a port is selected to be a forwarding port when several ports have the same port cost.
This feature is the same as PortFast mode in spanning tree.
CAUTION: Configure EdgePort only on links connecting to an end station. EdgePort can cause loops if you enable it on an interface connected to a network.
To enable EdgePort on an interface, use the following command.
• Enable EdgePort on an interface.
Figure 105. PVST+ with Extend System ID
• Augment the bridge ID with the VLAN ID.
  PROTOCOL PVST mode
  extend system-id
Example of Viewing the Extend System ID in a PVST+ Configuration
Dell(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32773, Address 0001.e832.73f7
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
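The root election rules from the Load Balancing section (lowest bridge priority wins, lowest MAC breaks ties) and the extend system-id arithmetic visible in the output above (32768 + 5 = 32773), worked through as an added Python example. This is not code from the guide or from Dell Networking OS; the bridge names, priorities and MAC addresses are constructed.

```python
# Added example: PVST+ root election and extend system-id arithmetic.
# Not Dell Networking OS code; the bridges used below are constructed.

DEFAULT_PRIORITY = 32768


def mac_to_int(mac):
    """Accept Dell dotted (0001.e832.73f7) or colon (00:01:e8:32:73:f7) notation."""
    digits = mac.replace(".", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("bad MAC address: %r" % mac)
    return int(digits, 16)


def effective_priority(configured_priority, vlan_id, extend_system_id=True):
    """Priority carried in the bridge ID of one VLAN's PVST+ instance.

    With extend system-id the VLAN ID is added to the configured value,
    which is how the guide's output arrives at 32773 for VLAN 5.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    return configured_priority + vlan_id if extend_system_id else configured_priority


def elect_root(bridges, vlan_id, extend_system_id=True):
    """bridges: list of (name, configured_priority, mac).

    Lowest effective priority wins; equal priorities are broken by the lowest MAC.
    Returns (root_name, root_effective_priority).
    """
    if not bridges:
        raise ValueError("no bridges")
    ranked = sorted(
        bridges,
        key=lambda b: (effective_priority(b[1], vlan_id, extend_system_id), mac_to_int(b[2])),
    )
    name, prio, _mac = ranked[0]
    return name, effective_priority(prio, vlan_id, extend_system_id)


if __name__ == "__main__":
    bridges = [
        ("R1", 4096, "0001.e832.73f7"),             # bridge-priority 4096 configured
        ("R2", DEFAULT_PRIORITY, "0001.e80d.b6d6"),  # default priority
        ("R3", DEFAULT_PRIORITY, "0001.e8aa.0001"),  # default priority
    ]
    print(elect_root(bridges, 100))                         # R1 wins on priority
    print(elect_root([b for b in bridges if b[0] != "R1"], 5))  # R2 wins on lowest MAC
```

Because the default priority is identical everywhere, a root chosen purely by MAC address is effectively random from an operator's point of view; the function makes that visible before the change, so a deliberate low priority can be assigned to the bridge that should carry the VLAN's traffic.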
interface Vlan 200
 no ip address
 tagged TengigabitEthernet 1/22,32
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TengigabitEthernet 1/22,32
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096
Example of PVST+ Configuration (R2)
interface TengigabitEthernet 2/12
 no ip address
 switchport
 no shutdown
!
interface TengigabitEthernet 2/32
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged TengigabitEthernet 2/12,32
 no shutdown
!
interface Vlan 200
!
protocol spanning-tree pvst
 no disable
 vlan 300 bridge-priority 4096
37 PIM Sparse-Mode (PIM-SM)
Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message. This behavior is the opposite of PIM dense mode, which forwards multicast traffic to all subnets until it receives a request to stop.
1 After receiving an IGMP Join message, the receiver gateway router (last-hop DR) creates a (*,G) entry in its multicast routing table for the requested group. The interface on which the join message was received becomes the outgoing interface associated with the (*,G) entry.
2 The last-hop DR sends a PIM Join message to the RP.
Configuring PIM-SM
Configuring PIM-SM is a three-step process.
1 Enable multicast routing (refer to the following step).
2 Select a rendezvous point.
3 Enable PIM-SM on an interface.
Enable multicast routing.
CONFIGURATION mode
ip multicast-routing
Related Configuration Tasks
The following are related PIM-SM configuration tasks.
127.87.50.5   Te 1/13   00:03:08/00:01:37   v2   1 / S
Dell#
To display the PIM routing table, use the show ip pim tib command from EXEC privilege mode.
Dell#show ip pim tib
PIM Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned,
       R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT,
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.
Dell#sh run pim
!
ip pim rp-address 1.1.1.1 group-address 224.0.0.0/4
Overriding Bootstrap Router Updates
PIM-SM routers must know the address of the RP for each group for which they have a (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group.
Create multicast boundaries and domains by filtering inbound and outbound bootstrap router (BSR) messages per interface. The following command is applied to subsequent inbound and outbound updates. Timeout removes existing BSR advertisements.
• Create multicast boundaries and domains by filtering inbound and outbound BSR messages per interface.
  ip pim bsr-border
• Remove candidate RP advertisements.
38 PIM Source-Specific Mode (PIM-SSM)
PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Configure PIM-SSM
Configuring PIM-SSM is a two-step process.
1 Configure PIM-SM.
2 Enable PIM-SSM for a range of addresses.
Related Configuration Tasks
• Use PIM-SSM with IGMP Version 2 Hosts
Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1 Create an ACL that uses permit rules to specify what range of addresses should use SSM.
  CONFIGURATION mode
  ip access-list standard name
2 Enter the ip pim ssm-range command and specify the ACL you created.
To display the source to which a group is mapped, use the show ip igmp ssm-map [group] command. If you use the group option, the command displays the group-to-source mapping even if the group is not currently in the IGMP group table. If you do not specify the group option, the display is a list of the groups currently in the IGMP group table that have a group-to-source mapping. To display the list of sources mapped to a group currently in the IGMP group table, use the show ip igmp groups group detail command.
Electing an RP using the BSR Mechanism
Every PIM router within a domain must map a particular multicast group address to the same RP. The group-to-RP mapping may be statically or dynamically configured. RFC 5059 specifies a dynamic, self-configuring method called the Bootstrap Router (BSR) mechanism, by which an RP is elected from a pool of RP candidates (C-RPs). Some routers within the domain are configured to be C-RPs.
ip pim [vrf vrf-name] rp-candidate interface [priority] [acl-name]
The specified acl-name is associated with the rp-candidate.
NOTE: You can create the ACL list of multicast prefixes using the ip access-list standard command.
39 Policy-based Routing (PBR)
Policy-based Routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
To enable PBR, you create a redirect list. Redirect lists are defined by rules, or routing policies.
Interfaces in this case).
Create a Rule for a Redirect-list
The following example creates a redirect list by the name of “xyz.”
Dell(conf)#ip redirect-list ?
WORD    Redirect-list name (max 16 chars)
Dell(conf)#ip redirect-list xyz
Use the following command in CONFIGURATION REDIRECT-LIST mode to set the rules for the redirect list. You can enter the command multiple times and create a sequence of redirect rules. Use the seq nn redirect version of the command to organize your rules.
Table 67.
• urg = urgent field
operators — For TCP and UDP parameters only. Enter one of the following logical operands:
  • eq = equal to
  • neq = not equal to
  • gt = greater than
  • lt = less than
  • range = inclusive range of ports (you must specify two ports for the port command parameter.)
source ip-address or any or host ip-address (Optional) — Source IP address or host from which the packets were sent.
mask (Optional) — network mask in /prefix format (/x).
Creating a Rule Example:
The following is a step-by-step example of how to create a rule for a redirect list by configuring:
• IP address of the next-hop router in the forwarding route
• IP protocol number
• Source address with mask information
• Destination address with mask information
Dell(conf-redirect-list)#redirect ?
A.B.C.D    Forwarding router's address
Dell(conf-redirect-list)#redirect 3.3.3.
A recursive route is a route for which the immediate next-hop address is learned dynamically through a routing protocol and acquired through a route lookup in the routing table. You can configure multiple recursive routes in a redirect list by entering multiple seq redirect statements with the same source and destination address but a different next-hop IP address in each. In this way, the recursive routes are used as different forwarding routes for dynamic failover.
interface TenGigabitEthernet 1/1/1
 no ip address
 ip redirect-group test
 ip redirect-group xyz
 shutdown
Dell(conf-if-te-1/1/1)#
In addition to supporting multiple redirect-lists in a redirect-group, multiple redirect-groups are supported on a single interface. Dell Networking OS has the capability to support multiple groups on an interface for backup purposes.
Show Redirect List Configuration
To view the redirect list configuration, use the following command in EXEC mode:
Table 69.
Applied interfaces: Te 2/2/1
NOTE: If the redirect-list is applied to an interface, the output of the show ip redirect-list redirect-list-name command displays the reachability status for the specified next-hop.
In addition to supporting multiple redirect-lists in a redirect-group, multiple redirect-groups are supported on a single interface. Dell Networking OS has the capability to support multiple groups on an interface for backup purposes.
Show Redirect List Configuration
To view the redirect list configuration, use the following commands.
1 View the redirect list configuration and the associated interfaces.
Create the Redirect-List GOLD
EDGE_ROUTER(conf-if-Te-2/23/1)#ip redirect-list GOLD
EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD.
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.1.0/24 any
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any
EDGE_ROUTER(conf-redirect-list)#seq 15 permit ip any any
EDGE_ROUTER(conf-redirect-list)#show config
!
ip redirect-list GOLD
 description Route GOLD traffic to ISP_GOLD.
 seq 5 redirect 10.99.99.
View Redirect-List GOLD
EDGE_ROUTER#show ip redirect-list
IP redirect-list GOLD:
Defined as:
seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23/1), ARP resolved
seq 10 redirect 10.99.99.254 ip 192.168.2.
seq 15 redirect 42.1.1.2 track 3 udp 155.55.0.0/16 host 144.144.144.144, Track 3 [up], Nexthop reachable (via Vl 20)
seq 20 redirect 42.1.1.2 track 3 udp any host 144.144.144.144, Track 3 [up], Next-hop reachable (via Vl 20)
seq 25 redirect 43.1.1.2 track 4 ip host 7.7.7.7 host 144.144.144.
Apply the Redirect Rule to an Interface:
Dell#configure terminal
Dell(conf)#interface TenGigabitEthernet 2/28
Dell(conf-if-te-2/28)#ip redirect-group explicit_tunnel
Dell(conf-if-te-2/28)#exit
Dell(conf)#end
Verify the Applied Redirect Rules:
Dell#show ip redirect-list explicit_tunnel
IP redirect-list explicit_tunnel:
Defined as:
seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.
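An added parser for the show ip redirect-list output format shown in the examples above; this is example code, not part of the guide or of Dell Networking OS. It turns each seq line into fields and reports the rules whose next-hop is not reachable or whose track object is not up, which is the check the NOTE about reachability status suggests an operator should make after applying a list. The sample output is constructed to follow the format above; the "[down]" and "Next-hop unreachable" wordings for failed rules are assumptions, because the guide only shows healthy rules.

```python
import re

# Constructed sample modelled on the show ip redirect-list output in the guide.
# The "[down]" and "Next-hop unreachable" lines are assumed wordings.
SAMPLE_OUTPUT = """\
IP redirect-list GOLD:
Defined as:
seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23/1), ARP resolved
seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any, Next-hop reachable (via Te 3/23/1), ARP resolved
seq 15 redirect 42.1.1.2 track 3 udp 155.55.0.0/16 host 144.144.144.144, Track 3 [up], Nexthop reachable (via Vl 20)
seq 20 redirect 43.1.1.2 track 4 ip host 7.7.7.7 host 144.144.144.144, Track 4 [down], Next-hop reachable (via Vl 30)
seq 25 redirect 10.99.99.253 ip any any, Next-hop unreachable
seq 30 redirect tunnel 1 track 1 tcp 155.55.2.0/24 any, Track 1 [up], Next-hop reachable (via Te 2/28)
Applied interfaces: Te 2/23/1
"""

LIST_RE = re.compile(r"^IP redirect-list (?P<name>\S+):")
RULE_RE = re.compile(
    r"^seq (?P<seq>\d+) redirect (?P<nexthop>tunnel \d+|\S+)"
    r"(?: track (?P<track>\d+))? (?P<proto>\S+) (?P<match>.*?), (?P<status>.*)$"
)


def parse_redirect_list(text):
    """Return {"name": list name, "rules": [rule dicts]} for one list's output."""
    name = None
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = LIST_RE.match(line)
        if m:
            name = m.group("name")
            continue
        m = RULE_RE.match(line)
        if not m:
            continue              # "Defined as:", "Applied interfaces:", blank lines
        rules.append({
            "seq": int(m.group("seq")),
            "nexthop": m.group("nexthop"),
            "track": int(m.group("track")) if m.group("track") else None,
            "proto": m.group("proto"),
            "match": m.group("match"),
            "status": m.group("status"),
        })
    return {"name": name, "rules": rules}


def rule_is_usable(rule):
    """A rule forwards traffic only if its track (when present) is up and the
    next-hop is reported reachable."""
    status = rule["status"].lower()
    track_ok = rule["track"] is None or "[up]" in status
    reachable = "reachable" in status and "unreachable" not in status
    return track_ok and reachable


def unusable_rules(text):
    """Sequence numbers of rules that currently cannot redirect traffic."""
    parsed = parse_redirect_list(text)
    return [r["seq"] for r in parsed["rules"] if not rule_is_usable(r)]


if __name__ == "__main__":
    for r in parse_redirect_list(SAMPLE_OUTPUT)["rules"]:
        print(r["seq"], r["nexthop"], "track", r["track"], "usable" if rule_is_usable(r) else "NOT usable")
    print("unusable:", unusable_rules(SAMPLE_OUTPUT))
```

A rule that is unusable is not an error on the switch: traffic that matches it simply falls through to the next rule or to normal routing, which is exactly the silent path change a change-control review wants to catch. Feeding this parser the output captured after each change and alerting on a non-empty result is a cheap way to do that.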
40 Port Extenders (PEs)
The C9010 switch supports the IEEE 802.1BR fabric protocol to expand the port density of the chassis, using C1048P, N20xx and N30xx port extenders. In this deployment, the C9010 operates as a controlling bridge for the port extenders. The C1048P, N20xx or N30xx function as a remote line card that is physically connected to, and provisioned by, a C9010 over 10GbE links according to the IEEE 802.1BR standard.
IEEE 802.1BR
The IEEE 802.
802.1BR Terms and Definitions
The 802.1BR protocol uses the following terms to describe the operation of a controlling bridge and attached port extenders.
802.1BR Term          Definition
Cascade port          A port on a controlling bridge or bridge port extender that connects to an upstream port. In the case of the connection between two bridge port extenders, the cascade port is the port closest to the controlling bridge.
Controlling bridge    A bridge that supports one or more bridge port extenders.
• pe-id is a port-extender ID number from 0 to 255. You must enter a pe-id value; there is no default.
After you provision a PE, you can manage the PE by entering the pe pe-id command; for example:
Dell(conf)# pe 0
Dell(conf-pe-0)# show config
NOTE: Dell Networking OS recommends that before you configure the cascade ports on the parent controlling bridge, you ensure that the cascade ports have a default port configuration with no L2 or L3 configuration.
Dell(conf)# pe provision 10
Dell(conf-pe-10)# cascade interface tengigabitethernet 1/0,12
Dell(conf-pe-10)# show config
pe provision 10
 cascade interface TenGigabitEthernet 1/0,12
 stack-unit 0 type C1048P
NOTE: If the status of a port extender is not online, communication with the attached C9010 was unsuccessful, possibly due to a software version mismatch (SVM) or another communication error. Wait five minutes for an auto-upgrade of the port extender to be performed.
provisioned for PE 10; port 1/12 is provisioned for PE 20. As a result, only PE 10 comes online. PE 20 remains offline and its configured cascade port is placed in an error state.
Dell#show pe errors
PE-id: Not Assigned
PE MAC: 00:01:02:03:22:02
Interface Errors:
TenGigabitEthernet 1/8 - Error State
• You may connect a PE to a parent C9010 using both uplink ports but provision the PE with only the cascade port attached to one of the uplink ports. In this case, the auto-LAG is created with only the provisioned cascade port when the PE comes online. In the following example, PE 10 is provisioned to connect only to cascade port 1/12.
EXEC Privilege
• pe-id is a port-extender ID number from 0 to 255.
Dell# connect pe 254
Login: peadmin
Password: calvin
Displaying PE Status
To verify the operational status of a port extender attached to a C9010, enter any of the show commands in this section. In the command output, online indicates that a port extender is up; offline indicates that a port extender is down.
5   Member   not present
6   Member   not present
7   Member   not present
-- Power Supplies --
Unit  Bay  Status  Type  FanStatus  FanSpeed(rpm)
------------------------------------------------------------------------
0     0    up      AC    NA         NA
0     1    absent  NA    NA
-- Fan Status --
Unit  Bay  TrayStatus  Fan0  Speed  Fan1  Speed
------------------------------------------------------------------------------------
0     0    up          up    8888   up    9056
Speed in RPM
For more information about verifying the PE configuration, see Displaying PE Stack Information.
NOTE: Dell Networking OS recommends that you use the command because xSTP protocols are not supported on PEs.
2 If a station move for a MAC address is detected above the configured threshold and within the specified time, a syslog message is triggered with the port information. All ports on which the station move was detected are shut down, except the old interface.
• If there is a match, the kernel notifies L2Mgr about the loop detection; L2Mgr in turn brings down the appropriate PE interface and logs a syslog message so that the user can correct the loop.
Loop caused by mis-cabling in an unmanaged L2 switch
• An unmanaged Layer 2 switch is connected to a PE.
• There is some mis-cabling in the L2 switch. This can result in loops.
This loop is broken based on the data traffic or control PDUs received at the PE. If there is data traffic at the PE and continuous station moves between the PE and LM interfaces, the PE interface is brought down. If there is no data traffic on the LAN, the control PDUs received at the PE are used to break the loop.
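The station-move rule from step 2 above (more than a threshold of moves for one MAC inside a time window triggers a syslog message and shuts every port on which the move was seen, except the old interface) implemented as an added example. It is not Dell Networking OS code and does not model the kernel/L2Mgr split; the MAC addresses, port names and event times are constructed, and reading "above the threshold" as strictly more than threshold moves is an assumption of the example.

```python
from collections import defaultdict, deque


class StationMoveDetector:
    """Track MAC learning events and flag MACs that flap between ports.

    Added example, not Dell Networking OS code. A MAC that moves more than
    `threshold` times within `window` seconds produces an action: a syslog-style
    message naming the ports, and the list of ports to shut down, which is every
    port the move was seen on except the interface the MAC was first learned on.
    """

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self.learned_on = {}             # mac -> old (original) interface, kept up
        self.current = {}                # mac -> interface the MAC was last seen on
        self.moves = defaultdict(deque)  # mac -> deque of (time, new_port)

    def observe(self, mac, port, now):
        """Feed one MAC-learning event. Returns None or an action dict."""
        mac = mac.lower()
        if mac not in self.current:
            self.learned_on[mac] = port
            self.current[mac] = port
            return None
        if self.current[mac] == port:
            return None                  # re-learned on the same port: not a move
        self.current[mac] = port
        q = self.moves[mac]
        q.append((now, port))
        while q and now - q[0][0] > self.window:
            q.popleft()                  # drop moves that fell out of the window
        if len(q) <= self.threshold:     # "above the threshold" read as strictly greater
            return None
        ports_seen = {p for _, p in q}
        old = self.learned_on[mac]
        return {
            "mac": mac,
            "moves_in_window": len(q),
            "syslog": "station move for %s detected on %s"
                      % (mac, ", ".join(sorted(ports_seen))),
            "shutdown": sorted(ports_seen - {old}),
            "keep_up": old,
        }


if __name__ == "__main__":
    # Constructed event stream: one host flapping between a chassis port and a PE port.
    det = StationMoveDetector(threshold=3, window=10)
    events = [("Te 1/1", 0), ("Pe 1/0/1", 1), ("Te 1/1", 2), ("Pe 1/0/1", 3), ("Te 1/1", 4)]
    for port, t in events:
        action = det.observe("aa:aa:aa:aa:aa:01", port, t)
        if action:
            print(action["syslog"], "-> shutdown", action["shutdown"], "keep", action["keep_up"])
```

Keeping the old interface up is what makes the response safe: the host keeps its original path while the ports that created the loop are isolated, so the operator loses no more connectivity than the loop already cost.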
• upgrade system-image pe {0-255} stack-unit {0-7} upgrades a standalone PE.
• upgrade system-image pe {0-255} stack-unit all upgrades all the units in a PE stack. The PE ID (0–255) specifies the stack master unit.
• upgrade system-image pe all upgrades all PEs discovered by the controlling bridge.
• rpmA: or rpmB: specifies the flash partition (A: or B:) on the controlling bridge where the OS version to use for the PE upgrade is stored.
linecard   6   CPLD          2.1
linecard   6   IAP           3.2
RPM        0   FPGA 1        2.14
RPM        0   CPLD          2.6
RPM        0   FPGA 2        2.0
RPM        0   Backup FPGA   2.0
RPM        0   IAP           3.2
RPM        1   FPGA 1        2.14
RPM        1   CPLD          2.6
RPM        1   FPGA 2        2.0
RPM        1   Backup FPGA   2.0
RPM        1   IAP           3.2
PE RELEASE IMAGE INFORMATION :
--------------------------------------------------------------------
Platform          Version    Size    ReleaseTime
C-Series:C1048P   9.9(0.
exit                     Exit from the EXEC
format                   Format a filesystem
hostname                 Set system's network name
no                       Reset a command
offline                  Take a PE stack unit offline
online                   Bring a PE stack unit online
power-cycle              Power-cycle the unit(s)
pwd                      Display current working directory
reload                   PE Halt and perform a cold restart
rename                   Rename a file
reset                    Reset selected PE
show                     PE Show running system information
telnet-peer-stack-unit   Open a telnet connection to the peer stack-unit
upgrade                  Upgrade subcommands
Supported Features
• Because PE
Dual Homing
Dual homing provides support to manage and control the PEs from both the primary and the secondary chassis in a VLT setup. The C9010 switch supports dual homing using port extenders. You can also stack the port extenders in a dual homing setup. The following figure shows PE dual homing, where the port extenders are dual-homed to a pair of C9010 switches.
Figure 107.
Setting up Dual Homing
You can set up dual homing when:
1 There are two systems (CBs) and both have PEs connected to them. You can physically connect the CBs and then configure them as VLT peers to convert the system into a dual homing setup. Refer to Systems with Port Extender.
2 There is a CB connected to a PE and a standalone CB. You can physically connect the CBs and then configure them as VLT peers. Then physically connect the uplink ports of the PE to each of the VLT peers.
4 Configure the default MAC address for the domain by entering a new MAC address.
  VLT DOMAIN CONFIGURATION mode
  system-mac mac-address mac-address
  The mac-address format is nn:nn:nn:nn:nn:nn.
5 Configure a unique unit ID (0 or 1) on each peer switch.
  VLT DOMAIN CONFIGURATION mode
  unit-id {0 | 1}
  Configure a different unit ID (0 or 1) on each peer switch.
NOTE: The system MAC and unit ID are mandatory configurations; without them dual homing does not function properly.
Example of Configuring PE Dual Homing
Dell#configure terminal batch
Dell(conf-b)#pe provision 1
Dell(conf-b-pe-1)#cascade interface TenGigabitEthernet 0/0
Dell(conf-b-pe-1)#cascade interface TenGigabitEthernet 1/4 peer
Dell(conf-b)#commit
Dell(conf-b)#end
Dell#
Aug 11 22:54:36: %RPM0-P:CP %CLIBATCH-6-CLI_BATCH_CONFIG_COMPLETE_TRAP: Batch configuration commit is success
Dell#show pe 1
Codes: A - Active, I - Inactive
Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch
        SVM - Software Version Mismatch, UE
Standalone System
You can connect a standalone system to a system that already has a PE to make it dual homed. In the following illustration, PE 1 is connected to System A and System B is a standalone.
Figure 110. Standalone System and System with PE — Before setting up Dual Homing
To convert the above system into a dual homing setup, perform the following:
1 Repeat steps 2 to 7 from Systems with Port Extender.
Figure 111. Standalone System and System with PE — After setting up Dual Homing
You can configure PE 1 from both System A and System B.
Systems without Port Extender
You can connect two standalone systems in a VLT domain and then connect a PE to the systems to set up a dual homed environment. In the following illustration, System A and System B are standalone systems.
Figure 112.
4 Configure the cascade interface of System B through the batch mode of System A and commit the configuration.
  PE CONFIGURATION (BATCH mode)
  cascade interface interface slot/port peer
  Dell# cascade interface TenGigabitEthernet 1/4 peer
Once the cascade interfaces are configured, the PE starts functioning in a dual homing setup as shown in the following diagram:
Figure 113. Systems without Port Extender — After setting up Dual Homing
You can configure PE 1 from both System A and System B.
16G bytes of boot flash memory. 2 Route Processor Module. 1 24-port TE/GE 2 4-port TE/GE 32 Ten GigabitEthernet/IEEE 802.
Linecard10   Boot Flash   3.3.1.16   3.3.1.18
Linecard11   Boot Flash   3.3.1.16   3.3.1.18
PE (0/0)     Boot Flash   3.3.1.7    3.3.1.7
PE (0/1)     Boot Flash   3.3.1.7    3.3.1.7
***********************************************************************
* Warning - Upgrading boot flash is inherently risky and should only  *
* be attempted when necessary. A failure at this upgrade may cause    *
* a board RMA.
SW and CAM ACL Validation error state.
52 ports)
Apr 3 00:41:01: %PE200-C1048P:2 %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 60 % of the full speed
Apr 3 00:41:01: %PE200-C1048P:2 %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 75 % of the full speed
Apr 3 00:41:01: %PE200-UNIT2-M:CP %RAM-5-STACKUNIT_STATE: Stack-unit 2 is in Active State.
Upgrading from OS 9.10(0.0)
To upgrade a dual homing setup running Dell Networking OS 9.10(0.0) to a later version, perform the following steps. In the following example, C9010-1 is the primary system and C9010-2 is secondary. The VLT peers and the PEs in the setup are upgraded from Dell Networking OS 9.10(0.1) to 9.11(0.0). After the upgrade is completed, the VLT peers exchange roles: C9010-2 becomes the primary VLT peer and C9010-1 takes up the secondary role.
5 Upgrade the boot partition in the primary VLT peer with the new software image.
C9010-1#upgrade system-image all tftp://10.11.8.184/users/dellnetworking/FTOSC9000-9.11.0.0.bin B:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!............................................
.....!
146025615 bytes successfully copied
Image upgraded to CP.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!
PE (0) Image upgraded successfully.
PE (1) Image upgraded successfully.
8 The PEs reboot with the new software image, and traffic is affected until the PEs come up. The PEs reload with the new software image and come online with the new primary system. Traffic flow resumes once the PEs come up.
9 The peer system comes up and takes up the secondary role.
C9010-1#show version
Dell Real Time Operating System Software
Dell Operating System Version: 2.0
Dell Application Software Version: 9.11(0.0)
Copyright (c) 1999-2016 by Dell Inc. All Rights Reserved.
• upgrade system-image pe pe-id stack-unit unit-number {rpmA:|rpmB:}
• upgrade poe-controller pe pe-id stack-unit unit-number
• upload trace-log pe pe-id stack-unit unit-number [sw-trace | hw-trace]
• show link-bundle-distribution port-channel port-number
• show logging kernellog pe-id stack-unit unit-number
• show processes {cpu|memory} pe pe-id summary
• show qos statistics
41 Port Extender (PE) Stacking
You can stack up to eight port extenders using the mini-SAS stack ports on the back panel. The C1048P supports stacking only with other C1048P port extenders. The N20xx series devices support stacking only with other N20xx series port extenders. The N30xx series devices support stacking only with other N30xx series port extenders. Stacking is not supported on C9010 switches.
Stack Master Election
When a PE stack reloads and all stack units come up, all units participate in the stack master election. The master and standby units are chosen based on the priority or MAC address. The stack takes the MAC address of the master unit.
• Unit priority — The range is from 1 to 14. The unit with the highest priority is elected the master management unit; the unit with the second highest priority is elected the standby unit. The default is 0.
PE Stack Configuration
You can perform the following configuration tasks for PE stacking.
NOTE: The recommended mode for PE dual homed stack configuration is Configuration Terminal Batch mode.
Configuring a PE Stack
Before you start, ensure that the PE stack units are cabled in a ring topology, powered on, and that one or more stack units are attached to a 10GbE port on the parent C9010.
Dell(conf-pe-2)# cascade interface tengigabitethernet 0/0-1
Dell(conf-pe-2)# exit
Dell(conf)# interface range tengigabitethernet 0/0-1
Dell(conf-if-range-te-0/0-1)# no shutdown
Dell(conf-if-range-te-0/0-1)# end
Dell# show pe 2
Codes: A - Active, I - Inactive
Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch
        SVM - Software Version Mismatch, UE - Unknown Error
Offline Reason: UNP - Unit Not Present, ICE - IPC CP Error, IRE - IPC RP Error
                ISE - IPC Setup Error, CVE - CHM Validation Error
PE-ID assigned:
Status: online
System Mac: a0:68:00:3f:92:bc
PE Up Time: 14:06:37
PE Discovery Status: Provisioned PE
User Configured Cascade Ports: Te 1/4(A)
Cascade LAG: Po 258, Local Status: Up, Remote Status: Up
PE Configuration: Local Status: Present, Remote Status: Present
--------------------------------------------------------------
Stack-id   Status   Reason   Type   UnitMac   No.
Prioritizing Stack Units
In a PE stack, by default, the stack unit with the highest MAC address is elected master; the stack unit with the second highest MAC address is elected standby. To change the default master and standby assignment, you can assign stack-unit priorities. If multiple units tie for the highest priority, the unit with the highest MAC address is elected master.
NOTE: You can configure a stack-unit priority only when the unit is online.
1 Enter Port-Extender Configuration mode.
pe-id — Port-extender identifier of the master stack unit. The range is from 0 to 255.
The following example shows the show redundancy pe command.
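The master and standby election rules from the Stack Master Election and Prioritizing Stack Units sections (highest priority wins, a tie goes to the highest MAC, the stack takes the master's MAC, priority 0 is the unconfigured default) as an added Python example. This is not code from the guide or from Dell Networking OS; the unit numbers, priorities and MAC addresses are constructed.

```python
def elect_stack_roles(units):
    """units: list of (unit_number, priority, mac) for the online PE stack members.

    Returns (master_unit, standby_unit, stack_mac). Highest priority wins and a
    tie is broken by the highest MAC address; the stack takes the master's MAC.
    Priority 0 is the guide's default (unconfigured); 1 to 14 are configurable.
    Added example, not Dell Networking OS code.
    """
    if not units:
        raise ValueError("no stack units")
    for num, prio, _mac in units:
        if not 0 <= prio <= 14:
            raise ValueError("priority %d on unit %d is outside 0-14" % (prio, num))
    ranked = sorted(
        units,
        key=lambda u: (u[1], int(u[2].replace(":", ""), 16)),
        reverse=True,
    )
    master = ranked[0]
    standby = ranked[1][0] if len(ranked) > 1 else None
    return master[0], standby, master[2]


def units_that_would_preempt(units, wanted_master):
    """Units whose (priority, MAC) outranks the unit you intend to be master.

    Useful before setting priorities: an empty list means wanted_master wins.
    """
    wanted = next(u for u in units if u[0] == wanted_master)
    wanted_key = (wanted[1], int(wanted[2].replace(":", ""), 16))
    return sorted(u[0] for u in units
                  if u[0] != wanted_master
                  and (u[1], int(u[2].replace(":", ""), 16)) > wanted_key)


if __name__ == "__main__":
    # Constructed stack: all priorities left at the default of 0.
    stack = [
        (0, 0, "62:74:00:41:54:01"),
        (1, 0, "6c:c0:00:43:11:11"),
        (2, 0, "a0:68:00:3f:92:bc"),
    ]
    print(elect_stack_roles(stack))             # unit 2 wins on highest MAC
    print(units_that_would_preempt(stack, 0))   # units 1 and 2 outrank unit 0
    stack[0] = (0, 14, "62:74:00:41:54:01")     # give unit 0 the top priority
    print(elect_stack_roles(stack))             # unit 0 is now master
```

With every priority at the default, the master is whichever unit happened to receive the highest MAC at manufacture, so a replacement unit can take over the stack on its next reload. Setting explicit priorities on the units meant to be master and standby removes that surprise.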
6   Member   not present
7   Member   not present
The following example displays the status of stack-unit 1 after it is removed from the PE stack.
6   online   C1048P   62:74:00:41:54:01   52
7   online   C1048P   6c:c0:00:43:11:11   52
• Display summary information about the PE stack units attached to the master PE. Enter the PE ID of the master unit.
Service Tag    : CL73Z01
Expr Svc Code  : 274 031 203 69
Auto Reboot    : enabled
Burned In MAC  : f8:b1:56:00:02:d1
No Of MACs     : 66
-- Power Supplies --
Unit  Bay  Status  Type  FanStatus  FanSpeed(rpm)
-------------------------------------------------------------
2     0    up      AC    NA         NA
2     1    up      DC    NA         NA
-- Fan Status --
Unit  Bay  TrayStatus  Fan0  Speed  Fan1  Speed
-----------------------------------------------------------
2     0    up          up    9056   up    9056
Speed in RPM
• Display the type of stack topology (ring or daisy chain) with a list of a
Troubleshooting a PE Stack
To troubleshoot the operation of a PE stack, use the following tasks.
Diagnosing an Error Condition
For debugging purposes, you can prevent the stack master from rebooting after a failover to allow you to gather information on stack operation.
CONFIGURATION mode
redundancy disable-auto-reboot pe pe-id stack-unit unit-number
• pe-id — port-extender identifier of the master unit. The range is 0 through 255.
42 Port Monitoring
Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. The Dell Networking OS supports the following mirroring techniques:
• Port monitoring — Monitors network traffic by forwarding a copy of incoming and outgoing packets from a source port to a destination port on the same network router.
Figure 114. Port Monitoring Configurations
Dell Networking OS Behavior: All monitored frames are tagged if the configured monitoring direction is egress (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs. If the MD port is a Layer 3 port, the frames are tagged with VLAN ID 4095.
10    Te 0/14   Te 0/2    rx   interface   Port-based
20    Te 0/15   Te 0/3    rx   interface   Port-based
30    Te 0/16   Te 0/37   rx   interface   Port-based
300   Te 0/17   Te 0/1    tx   interface   Port-based
Dell(conf-mon-sess-300)#
Example of Configuring Another Monitoring Session with a Previously Used Destination Port
Dell(conf)#mon ses 300
Dell(conf-mon-sess-300)#source tengig 0/17 destination tengig 0/4 direction tx
%Unable to create MTP entry for MD tenG 0/17 MG tenG 0/4 in stack-unit 0 port-pipe 0.
Enter one of the following keywords and the slot/port information:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet, then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE, then the slot/port information.
• For a port extender (PE) Gigabit Ethernet interface, enter the keyword peGigE then the PEID/Unit/Port/ information.
• For a VLAN interface, enter the keyword VLAN then a vlan-id number. The range is from 1 to 4094.
Figure 115. Port Monitoring Example Remote Port Mirroring Local port monitoring allows you to monitor traffic from one or more source ports by directing it to a destination port on the same switch/ router. Remote port mirroring allows you to monitor Layer 2 and Layer 3 ingress and/or egress traffic on multiple source ports on different switches and forward the mirrored traffic to multiple destination ports on different switches.
Remote Port Mirroring Example Remote port mirroring uses the analyzers shown in the aggregation network in Site A. The VLAN traffic on monitored links from the access network is tagged and assigned to a dedicated L2 VLAN. Monitored links are configured in two source sessions shown with orange and green circles. Each source session uses a separate reserved VLAN to transmit mirrored packets (mirrored source-session traffic is shown with an orange or green circle with a blue border).
• You can configure any switch in the network with source ports and destination ports, and allow it to function in an intermediate transport session for a reserved VLAN at the same time for multiple remote-port mirroring sessions. You can enable and disable individual mirroring sessions.
• BPDU monitoring is not required to use remote port mirroring.
• You can configure the same source port to be used in multiple source sessions.
• You cannot configure a source port channel or source VLAN in a source session if the port channel or VLAN has a member port that is configured as a destination port in a remote-port mirroring session.
• A destination port for remote port mirroring cannot be used as a source port, including the session in which the port functions as the destination port.
• A destination port cannot be used in any spanning tree instance.
Table 70. Configuring Remote Port Monitoring Session
Step  Command                                                                    Description
1     configure terminal                                                         Enter global configuration mode.
2     monitor session id type rpm                                                Specify a unique session ID number and RPM as the session type, and enter Monitoring-Session configuration mode.
3     source {interface | range} destination interface direction {rx | tx | both}  Enter a source port or a range of source port interfaces to be monitored. Enter the destination port interface.
Dell(conf-mon-sess-3)#exit
Dell(conf)#end
Dell#
Dell#show monitor session
SessID  Source   Destination     Dir   Mode  Source IP  Dest IP
------  -------  --------------  ----  ----  ---------  -------
1       Te 0/5   remote-vlan 10  rx    Port  N/A        N/A
2       Vl 100   remote-vlan 20  rx    Port  N/A        N/A
3       Po 10    remote-vlan 30  both  Port  N/A        N/A
Dell#
Dell(conf)#interface te 0/0
Dell(conf-if-te-0/0)#switchport
Dell(conf-if-te-0/0)#no shutdown
Dell(conf-if-te-0/0)#exit
Dell(conf)#interface te 0/1
Dell(conf-if-te-0/1)#switchport
Dell(conf-if-te-0/1)#no shutdown
1 Enable the MAC control-plane egress ACL.
2 Create an extended MAC access list and add a deny rule for (0x0180c2xxxxxx) packets using the following commands:
mac control-plane egress-acl
mac access-list extended mac2
seq 5 deny any 01:80:c2:00:00:00 00:00:00:ff:ff:ff count
3 Apply the extended MAC ACL on the RPM VLAN (VLAN 10 in the following example).
Table 71. Configuring ERPM Sessions
Step  Command                                                Description
1     configure terminal                                     Enter global configuration mode.
2     monitor session id type erpm                           Specify a session ID and ERPM as the type of monitoring session, and enter Monitoring-Session configuration mode. The session number needs to be unique and not already defined.
3     source {interface | range} direction {rx | tx | both}  Specify the source port or range of ports.
tagged TenGigabitEthernet 0/1-3
mac access-group flow in
shutdown
Dell#
The following example shows you how to configure a source as a physical interface only for ERPM.
Dell(conf)#monitor session 3 type erpm
Dell(conf-mon-sess-3)#source vlan 100 dir rx
Dell(conf-mon-sess-3)# erpm source-ip 1.1.1.1 dest-ip 100.1.1.2
Dell(conf-mon-sess-3)# flow-based enable
Dell(conf-mon-sess-3)# no disable
The following example configures the port extender ports so that they are tagged and untagged members of VLAN 100.
VLTi link is added as an implicit member of the RPM VLAN. As a result, the mirrored traffic also reaches the peer VLT device, affecting the VLTi link's bandwidth usage. To mitigate this issue, the L2 VLT egress mask drops the duplicate packets that egress out of the VLT port. If the LAG status of the peer VLT device is OPER-UP, the other VLT peer blocks the transmission of packets received through VLTi to its port or LAG.
Scenario: Mirroring Orphan Ports across VLT Devices — In this scenario, an orphan port on the primary VLT device is mirrored to another orphan port on the secondary VLT device through the ICL LAG. The port analyzer is connected to the secondary VLT device.
RPM Restriction: No restrictions apply to the RPM session.
Recommended Solution: The following example shows the configuration on the primary VLT device: source orphan port destination remote vlan direction rx/tx/both.
43 Power over Ethernet (PoE) The PoE feature supports electrical power and transmission of data on Ethernet cabling. A single cable can provide both a data connection and electrical power to attached devices such as wireless access points or IP cameras. The PoE feature is supported on a C1048P, N2024P, N2048P, N3024P, or N3048P port-extender (PE); PoE is not supported on the C9010 switches. PoE, as described by IEEE 802.3af, specifies that a maximum of 15.
• Configuring PoE or PoE+
• Manage Ports using Power Priority and the Power Budget
• Setting the Threshold Limit for the PoE Power Budget
• Advertising the Extended Power through MDI
• Advertising Extended Power Through dot3-TLVs
• Detecting Legacy Devices and Allocating Power
• Deploying Voice Over IP (VoIP)
• Managing PoE on the Port Extender
Configuring PoE or PoE+
Configuring PoE or PoE+ is a two-step process:
1 Connect the IEEE 802.3af/802.
For a complete listing of all PoE commands, see the Dell Networking OS Command Line Reference Guide. Manage Ports using Power Priority and the Power Budget The allocation and return of power-on ports depends on the total inline power available in the system and the power priority calculation.
Managing Power Priorities
PoE or PoE+ enabled port extender ports have power access priorities based first on the configured priority and then on their port number. By default, priority follows the port number: lower port numbers have higher priority than higher port numbers. You can augment the default prioritization using the [no] power inline {[max_milliwatts] | priority {critical | high | low}} command, where critical is the highest priority and low is the lowest priority.
Example: Configuring Power Management Static Mode on the Port Extender
The following example configures the power management to Static mode on port extender 0 on stack unit 0.
Dell(conf)#power inline mode pe 0 stack-unit 0 static
Example: Displaying PoE Power Allocation on a Port Extender
The following example displays the PoE power allocation on a specified port extender, using the show power inline {pe pe-id stack-unit unit-number | interface interface} command in EXEC and EXEC Privilege mode.
NOTE: When you use the power inline max_milliwatts command, avoid allocating more power than necessary to a port, because allocated power is made unavailable to other ports regardless of whether it is consumed. Typical IP phones use 3 to 10 Watts.
The power inline command has the following parameters:
• max_milliwatts — (OPTIONAL) Specify the maximum inline power that is allocated to a powered device connected to the interface. The range is from 440 to 30000 mW.
Interface     Inline Power Max / Alloc (Watts)  Inline Power Consumed (Watts)  Class  Device Type  PoE Port Priority  LLDP Support
------------  --------------------------------  -----------------------------  -----  -----------  -----------------  ------------
PeGi 255/0/1  30.00/21.40                       21.50                          4      2            low                0
Example of Configuring Port Extender Interfaces with a Maximum Power of 15000 and 5000 mW
The following example sets the maximum allocated power to 15000 mW on interface peGigE 0/0/1 and 5000 mW on interface peGigE 0/0/2; interface peGigE 0/0/3 is not configured.
Example of Setting the Global Threshold Limit for the PoE Power Budget The following example sets the global threshold limit for the PoE power budget to 99 percent on port extender 0 on stack unit 0.
3 Priority — Dell Networking OS uses priority for priority calculation.
4 PD requested power value — Dell Networking OS uses this value for power allocation.
5 PSE allocated power value — Dell Networking OS uses this value to check whether the PD is in sync with the PSE.
To enable the system or interface to advertise the IEEE 802.3 power-via-mdi TLV, which advertises its power negotiation capabilities to powered devices using LLDP, use the advertise dot3-tlv power-via-mdi command.
Deploying Voice Over IP (VoIP)
For a complete list of all PoE commands, see the Dell Networking OS Command Line Reference Guide.
Current VoIP phones follow the same basic boot and operations process:
1 Wait for an LLDP from the Ethernet switch.
2 Obtain an IP address from a dynamic host configuration protocol (DHCP) server.
3 Send an LLDP-MED frame to the switch.
4 Wait for an LLDP-MED frame from the switch and read the Network Policy TLV to get the VLAN ID, Layer 2 priority, and DSCP value.
description "Voice VLAN"
no ip address
tagged PeGigGE 0/6/10-11,22-23,46-47
shutdown
!
interface Vlan 300
description "Voice Signaling VLAN"
no ip address
tagged PeGigGE 0/6/10-11,22-23,46-47
shutdown
Configuring LLDP-MED for an Office VoIP Deployment
VoIP deployments may optionally use LLDP-MED. LLDP-MED advertises VLAN, dot1P, and DSCP configurations on the switch so that you do not need to manually configure every phone with this information.
service-queue 5 qos-policy VoIP_Q
Dell#show run qos-policy-output
!
qos-policy-output VoIP_Q
scheduler strict
Honoring the Incoming dot1p Value
If you know that traffic originating from the phone is tagged with a dot1p value of 5, you can make the associated queue a strict-priority queue, as shown in the following example.
To classify VoIP traffic and apply QoS policies for an office VoIP deployment, use the following commands:
1 Create three standard or extended access-lists, one each for voice, voice signaling, and PC data, and place each in its own match-any class-map.
CONFIGURATION mode or CLASS-MAP mode
ip access-list or class-map match-any
2 Create an input policy-map containing all three class-maps and assign each class-map a different service queue.
bandwidth-weight 8
!
qos-policy-output signalling
bandwidth-weight 64
Dell#sh run policy-map-output
!
policy-map-output BW
service-queue 1 qos-policy data
service-queue 2 qos-policy signalling
Dell#sh run | grep strict-p
strict-priority unicast 3
Dell#sh run int gi 0/6/10
!
interface GigabitEthernet 0/6/10
description "IP Phone X"
no ip address
portmode hybrid
switchport
service-policy input phone-pc
power inline
no shutdown
Dell#sh run int gi 0/6/2
!
interface GigabitEthernet 0/6/2
description "Uplink to C
Suspending Power Delivery on the Port Extender
You can temporarily disable and then restore power on the port extender. For information about how to restore power to the port extender, see Restoring Power Delivery on the PE.
To disable inline power on the port extender, use the following command. When you use this command, inline power to all the ports on the port extender is disabled.
• Disable inline power on the port extender.
Remaining inline power Available: 841W
Power Management Mode: Static
Interface   Inline Power Max / Alloc (Watts)  Inline Power Consumed (Watts)  Class  Device Type  PoE Port Priority  LLDP Support
----------  --------------------------------  -----------------------------  -----  -----------  -----------------  ------------
PeGi 0/0/0  30.00/0.00                        0.00                                  NO_PD        critical           0
Monitor the Power Budget
The power budget is the amount of power available from the installed PSUs minus the power required to operate the port extender.
Table 75.
Global inline power Threshold : 90%
Power Reserved for inline Power: 1530W
Total Inline Power Consumed: 15W
Remaining inline power Available: 1515W
Power Management Mode: Static
Interface   Inline Power Max / Alloc (Watts)  Inline Power Consumed (Watts)  Class  Device Type  PoE Port Priority  LLDP Support
----------  --------------------------------  -----------------------------  -----  -----------  -----------------  ------------
PeGi 2/1/2  30.00 / 15.00                     15.00                          4      2            Low                PowViaMDI
Table 76.
show power detail {pe pe-id stack-unit unit-number}
• pe pe-id — Enter the keyword pe and the port extender ID. The range is from 0 to 255.
• stack-unit unit-number — Enter the keyword stack-unit and the stack unit number. The range is from 0 to 7.
44 Private VLANs (PVLAN) Private VLANs (PVLANs) extend Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN). A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports or trunk ports.
• A switch can have one or more primary VLANs, or none.
• A primary VLAN has one or more secondary VLANs.
• A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch.
• A primary VLAN has one or more promiscuous ports.
• A primary VLAN might have one or more trunk ports, or none.
Secondary VLAN — a subdomain of the primary VLAN.
• There are two types of secondary VLAN — community VLAN and isolated VLAN.
show vlan private-vlan [community | interface | isolated | primary | primary_vlan | interface interface]
• Display primary-secondary VLAN mapping.
EXEC mode or EXEC Privilege mode
show vlan private-vlan mapping
• Set the PVLAN mode of the selected port.
INTERFACE
switchport mode private-vlan {host | promiscuous | trunk}
NOTE: Secondary VLANs are Layer 2 VLANs, so even if they are operationally down while primary VLANs are operationally up, Layer 3 traffic is still transmitted across secondary VLANs.
NOTE: You cannot add interfaces that are configured as PVLAN ports to regular VLANs. Conversely, you cannot add “regular” ports (ports not configured as PVLAN ports) to PVLANs. The example below shows the switchport mode private-vlan command on a port and on a port channel.
You can only add promiscuous ports or PVLAN trunk ports to the PVLAN (no host or regular ports).
6 (OPTIONAL) Assign an IP address to the VLAN.
INTERFACE VLAN mode
ip address ip address
7 (OPTIONAL) Enable/disable Layer 3 communication between secondary VLANs.
INTERFACE VLAN mode
ip local-proxy-arp
NOTE: If a promiscuous or host port is untagged in a VLAN and it receives a tagged packet in the same VLAN, the packet is NOT dropped.
no shutdown
3 Set the PVLAN mode of the selected VLAN to isolated.
INTERFACE VLAN mode
private-vlan mode isolated
4 Add one or more host ports to the VLAN.
INTERFACE VLAN mode
tagged interface or untagged interface
You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add ports defined as host to the VLAN.
Private VLAN Configuration Example
The following example shows a private VLAN topology.
Figure 120. Sample Private VLAN Topology
The following configuration is based on the example diagram:
• Te 0/0 and Te 23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000.
• Te 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
• Te 0/24 and Te 0/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
In parallel, on S50-1:
• Te 0/3 is a promiscuous port and Te 0/25 is a PVLAN trunk port, assigned to the primary VLAN 4000.
• Te 0/4-6 are host ports. Te 0/4 and Te 0/5 are assigned to the community VLAN 4001, while Te 0/6 is assigned to the isolated VLAN 4003.
The result is that:
• The S50V ports would have the same intra-switch communication characteristics as described for the C300.
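As an added illustration (not code from the guide or from Dell Networking OS), the following Python model applies the PVLAN forwarding rules stated at the start of this chapter to the S50-1 ports listed above: isolated host ports accept traffic only from promiscuous ports, a host port's traffic reaches only promiscuous and trunk ports, and community hosts also reach each other. PvlanPort, PrivateVlan and the tag argument are names chosen for this example; treating a frame that arrives on a PVLAN trunk as carrying the VLAN tag of its origin is an assumption taken from standard PVLAN trunk behaviour, not something the guide spells out.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class PortMode(Enum):
    PROMISCUOUS = "promiscuous"
    TRUNK = "trunk"
    HOST = "host"


class SecondaryType(Enum):
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: PortMode
    secondary_vlan: Optional[int] = None  # host ports only; others sit in the primary VLAN


class PrivateVlan:
    """One primary VLAN with its community/isolated secondary VLANs and member ports."""

    def __init__(self, primary: int, secondaries: Dict[int, SecondaryType]) -> None:
        self.primary = primary
        self.secondaries = secondaries
        self.ports: Dict[str, PvlanPort] = {}

    def add_port(self, port: PvlanPort) -> None:
        if port.mode is PortMode.HOST:
            if port.secondary_vlan not in self.secondaries:
                raise ValueError(f"{port.name}: host port must belong to a secondary VLAN of {self.primary}")
        elif port.secondary_vlan is not None:
            raise ValueError(f"{port.name}: promiscuous/trunk ports belong to the primary VLAN only")
        self.ports[port.name] = port

    def _origin(self, src: PvlanPort, tag: Optional[int]):
        """Classify where a frame entering on `src` originated: (mode, secondary VLAN).
        Assumption: a frame on a PVLAN trunk carries the VLAN tag of its origin, so a
        primary-VLAN tag means 'from a promiscuous port' and a secondary tag means
        'from a host in that secondary VLAN'."""
        if src.mode is not PortMode.TRUNK:
            return src.mode, src.secondary_vlan
        if tag is None or tag == self.primary:
            return PortMode.PROMISCUOUS, None
        if tag not in self.secondaries:
            raise ValueError(f"tag {tag} is not a VLAN of this PVLAN")
        return PortMode.HOST, tag

    def can_forward(self, src_name: str, dst_name: str, tag: Optional[int] = None) -> bool:
        src, dst = self.ports[src_name], self.ports[dst_name]
        if src is dst:
            return False
        # Promiscuous and trunk ports receive traffic from every port in the primary VLAN.
        if dst.mode in (PortMode.PROMISCUOUS, PortMode.TRUNK):
            return True
        origin_mode, origin_vlan = self._origin(src, tag)
        if self.secondaries[dst.secondary_vlan] is SecondaryType.ISOLATED:
            # Isolated ports accept only traffic that came from a promiscuous port.
            return origin_mode is PortMode.PROMISCUOUS
        # Community host: promiscuous traffic plus hosts of the same community VLAN.
        return origin_mode is PortMode.PROMISCUOUS or origin_vlan == dst.secondary_vlan

    def reachable_from(self, src_name: str, tag: Optional[int] = None) -> Set[str]:
        return {n for n in self.ports if self.can_forward(src_name, n, tag)}


def sample_topology() -> PrivateVlan:
    """Constructed from the S50-1 side of the example above (not captured from a device)."""
    pv = PrivateVlan(4000, {4001: SecondaryType.COMMUNITY, 4003: SecondaryType.ISOLATED})
    pv.add_port(PvlanPort("Te 0/3", PortMode.PROMISCUOUS))
    pv.add_port(PvlanPort("Te 0/25", PortMode.TRUNK))
    pv.add_port(PvlanPort("Te 0/4", PortMode.HOST, 4001))
    pv.add_port(PvlanPort("Te 0/5", PortMode.HOST, 4001))
    pv.add_port(PvlanPort("Te 0/6", PortMode.HOST, 4003))
    return pv


if __name__ == "__main__":
    pv = sample_topology()
    for name in pv.ports:
        print(f"{name:8} -> {sorted(pv.reachable_from(name))}")
```

Running the block prints, for each S50-1 port, the set of ports its frames can reach; the isolated host Te 0/6 reaches only the promiscuous port and the trunk, while Te 0/4 and Te 0/5 additionally reach each other.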
The following example shows viewing a private VLAN for a S50V system.
Dell#show vlan private-vlan
Primary  Secondary  Type       Active  Ports
-------  ---------  ---------  ------  -----------
4000                Primary    Yes     Te 0/3,25
         4001       Community  Yes     Te 0/4-5
         4003       Isolated   Yes     Te 0/6
The following example shows the show vlan private-vlan mapping command.
private-vlan mapping secondary-vlan 4001-4003
no ip address
tagged TengigabitEthernet 0/3,25
no shutdown
!
interface Vlan 4001
private-vlan mode community
45 Quality of Service (QoS) This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Figure 121.
• Using A Configurable Weight for WRED and ECN
• Pre-Calculating Available QoS CAM Space
• SNMP Support for Buffer Statistics Tracking
Implementation Information
The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Dell(conf)#interface tengigabitethernet 1/2
Dell(conf-if)#switchport
Dell(conf-if)#dot1p-priority 1
Dell(conf-if)#end
Dell#
Honoring dot1p Priorities on Ingress Traffic
By default, the system does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces.
Example of Configuring and Viewing Rate Policing
The following example shows configuring rate policing.
Dell#config t
Dell(conf)#interface tengigabitethernet 1/2
Dell(conf-if)#rate police 100 40 peak 150 50
Dell(conf-if)#end
Dell#
Configuring Port-Based Rate Shaping
Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 122. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, the system matches packets against match criteria in the order that you configure them.
Use step 1 or step 2 to start creating a Layer 3 class map.
1 Create a match-any class map.
CONFIGURATION mode
class-map match-any class-map-name
2 Create a match-all class map.
CONFIGURATION mode
class-map match-all class-map-name
3 Specify your match criteria.
CLASS MAP mode
match {ip | ipv6 | ip-any}
After you create a class-map, you are placed in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL.
4 Link the class-map to a queue.
Use Step 1 or Step 2 to start creating a Layer 2 class map.
1 Create a match-any class map.
CONFIGURATION mode
class-map match-any
2 Create a match-all class map.
CONFIGURATION mode
class-map match-all
3 Specify your match criteria.
CLASS MAP mode
match mac
After you create a class-map, you are placed in CLASS MAP mode. Match-any class maps allow up to five access-lists. Match-all class-maps allow only one. You can match against only one VLAN ID.
4 Link the class-map to a queue.
Applying DSCP and VLAN Match Criteria on a Service Queue You can configure Layer 3 class maps which contain both a Layer 3 Differentiated Services Code Point (DSCP) and IP VLAN IDs as match criteria to filter incoming packets on a service queue on the switch. To configure a Layer 3 class map to classify traffic according to both an IP VLAN ID and DSCP value, use the match ip vlan vlan-id command in class-map input configuration mode.
When class-maps with overlapping ACL rules are applied to different queues, use the keyword order to process ACL rules in the desired order. ACL rules with lower order numbers (order numbers closer to 0) are applied before rules with higher order numbers so that packets are matched as you intended.
• Specify the order in which you want to apply ACL rules using the keyword order.
order
The order can range from 0 to 254. By default, all ACL rules have an order of 254.
Create a QoS Policy
There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values.
• Layer 3 — QoS input policies allow you to rate police and set a DSCP or dot1p value. In addition, you can configure a drop precedence for incoming packets based on their DSCP value by using a DSCP color map. For more information, see DSCP Color Maps.
Example of Setting a DSCP Value for Egress Packets
Dell#config
Dell(conf)#qos-policy-input my-input-qos-policy
Dell(conf-qos-policy-in)#set ip-dscp 34
% Info: To set the specified DSCP value 34 (100-010 b) the QoS policy must be mapped to queue 4 (100 b).
Dell(conf-qos-policy-in)#show config
!
qos-policy-input my-input-qos-policy
set ip-dscp 34
Dell(conf-qos-policy-in)#end
Dell#
Setting a dot1p Value for Egress Packets
To set a dot1p value for egress packets, use the following command.
rate-shape {kbps | pps} peak-rate {burst-kbps | burst-packets} [committed {kbps | pps} committed-rate {burst-kbps | burst-packets}]
In a QoS output policy, you can configure rate-shaping on egress traffic:
• In either kilobits per second (kbps) or packets per second (pps)
• By specifying the peak rate and the peak burst, and (optionally) the committed rate and committed burst size
You must configure the peak rate and peak burst size using the same unit: kilobits or packets per second.
QOS-POLICY-OUT mode
wred
For more information, refer to Applying a WRED Profile to Traffic.
Create Policy Maps
There are two types of policy maps: input and output.
Creating Input Policy Maps
There are two types of input policy-maps: Layer 3 and Layer 2.
1 Create a Layer 3 input policy map.
CONFIGURATION mode
policy-map-input
Create a Layer 2 input policy map by entering the policy-map-input layer2 command.
Honoring DSCP Values on Ingress Packets
You can configure the ability to honor DSCP values on ingress packets by using the Trust DSCP feature. The following table lists the standard DSCP definitions and indicates how DSCP values are mapped to queues. When you configure trust DSCP, the matched packets and matched bytes counters in the show qos statistics output are not incremented.
Table 80.
trust dot1p
Mapping dot1p Values to Service Queues
All traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Honoring dot1p Values on Ingress Packets. You may apply this queuing strategy globally by entering the following command from CONFIGURATION mode.
• All dot1p traffic is mapped to Queue 0 unless you enable service-class dynamic dot1p on an interface or globally.
Applying an Output Policy Map to an Interface
3 Apply the policy map to an interface.
Applying an Output QoS Policy to a Queue
To apply an output QoS policy to a queue, use the following command.
• Apply an output QoS policy to queues.
INTERFACE mode
service-queue
Specifying an Aggregate QoS Policy
To specify an aggregate QoS policy, use the following command.
• Specify an aggregate QoS policy.
• All DSCP values that are not specified as yellow or red are colored green (low drop precedence).
• A DSCP value cannot be in both the yellow and red lists. Setting the red or yellow list with any DSCP value that is already in the other list results in an error and no update to that DSCP list is made.
• Each color map can only have one list of DSCP values for each color; any DSCP values previously listed for that color that are not in the new DSCP list are colored green.
Display a specific DSCP color map.
Dell# show qos dscp-color-map mapTWO
Dscp-color-map mapTWO
  yellow 16,55
Displaying a DSCP Color Policy Configuration
To display the DSCP color policy configuration for one or all interfaces, use the show qos dscp-color-policy {summary [interface] | detail {interface}} command in EXEC mode.
summary: Displays summary information about a color policy on one or more interfaces.
• Include a specified number of bytes of packet overhead in rate limiting, policing, and shaping calculations.
CONFIGURATION mode
qos-rate-adjust overhead-bytes
For example, to include the Preamble and SFD, enter qos-rate-adjust 8. For variable-length overhead fields, know the number of bytes you want to include. The default is disabled. The range is from 1 to 31.
Figure 123. Packet Drop Rate for WRED You can create a custom WRED profile or use one of the five pre-defined profiles. Table 82.
Applying a WRED Profile to Traffic
After you create a WRED profile, you must specify on which traffic the system applies the profile. The system assigns a color-coded drop precedence — red, yellow, or green — to each packet based on the fourth bit of the 6-bit DSCP field in the packet header before queuing it.
• If the fourth DSCP bit is 0, the packet is marked as green.
• If the fourth DSCP bit is 1, the packet is marked as yellow (except for DSCP 63, which is marked as red).
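To make the DSCP color map rules in the DSCP Color Maps section and the default fourth-bit coloring above concrete, here is an added Python model; it is not code from the guide or from Dell Networking OS. DscpColorMap, set_list, color_of, try_set and default_color are names chosen for this example, and reading "fourth bit" as the fourth most significant bit of the 6-bit DSCP field (bit value 4) is an assumption, since the guide does not say which end it counts from.

```python
from typing import Dict, Iterable, List

GREEN, YELLOW, RED = "green", "yellow", "red"


def default_color(dscp: int) -> str:
    """Drop precedence the system assigns when no color map is applied.
    Assumption: 'fourth bit' is the fourth most significant bit of the 6-bit
    field (value 4), so e.g. DSCP 12 and 14 are yellow while DSCP 10 is green."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be in 0..63")
    if dscp == 63:
        return RED
    return YELLOW if dscp & 0b000100 else GREEN


class DscpColorMap:
    """A named map of DSCP values to yellow or red; anything unlisted is green."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.lists: Dict[str, List[int]] = {YELLOW: [], RED: []}

    def set_list(self, color: str, values: Iterable[int]) -> None:
        """Replace the list for `color`. A value already in the other color's list
        is an error and the list is left unchanged; values dropped from the old
        list revert to green because each color has exactly one list."""
        if color not in self.lists:
            raise ValueError("color must be 'yellow' or 'red'")
        new = sorted(set(values))
        bad = [v for v in new if not 0 <= v <= 63]
        if bad:
            raise ValueError(f"DSCP values out of range: {bad}")
        other = RED if color == YELLOW else YELLOW
        clash = sorted(set(new) & set(self.lists[other]))
        if clash:
            raise ValueError(f"DSCP {clash} already in the {other} list; {color} list not updated")
        self.lists[color] = new

    def color_of(self, dscp: int) -> str:
        if dscp in self.lists[RED]:
            return RED
        if dscp in self.lists[YELLOW]:
            return YELLOW
        return GREEN

    def show(self) -> str:
        """Text in the layout of the 'show qos dscp-color-map' output in this chapter."""
        lines = [f"Dscp-color-map {self.name}"]
        for color in (YELLOW, RED):
            if self.lists[color]:
                lines.append(f"  {color} " + ",".join(str(v) for v in self.lists[color]))
        return "\n".join(lines)


def try_set(cmap: DscpColorMap, color: str, values: Iterable[int]) -> bool:
    """Apply a list the way the CLI would: report success, leave the map untouched on error."""
    try:
        cmap.set_list(color, values)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    m = DscpColorMap("mapTWO")          # constructed, mirroring the mapTWO example above
    m.set_list(YELLOW, [16, 55])
    print(m.show())
    print("red [55] accepted:", try_set(m, RED, [55]))
    for d in (10, 12, 14, 63):
        print(d, default_color(d))
```

The map only overrides the yellow and red lists; packets whose DSCP is in neither list fall back to green, which is why replacing the yellow list with a shorter one silently returns the removed code points to the lowest drop precedence.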
Green  Yellow  Out of Profile
51624  51300   0
The following shows the show qos statistics output on the port extender.
• If queued packets fall below the minimum threshold, they are transmitted.
• If queued packets exceed the maximum threshold, they are dropped.
ECN Packet Classification
When ECN for WRED is enabled on an interface, non-ECN-capable packets are marked as green-profiled traffic and are subject to early WRED drops. For example, TCP-acks, OAM, and ICMP ping packets are non-ECN-capable. However, it is not desirable for these packets to be WRED-dropped.
policy-map-input ecn_0_pmap
service-queue 0 class-map ecn_0_cmap
Applying the policy map "ecn_0_pmap" marks all incoming packets with the ECN field set to 0 for "yellow" handling on queue 0 (default queue).
Example: Color-marking non-ECN Packets in Different Traffic Classes
The following examples both show how to mark non-ECN packets for "yellow" handling when packets with DSCP 40 egress on queue 2 and packets with DSCP 50 egress on queue 3.
service-queue 2 class-map class_dscp_40
service-queue 3 class-map class_dscp_50
Using A Configurable Weight for WRED and ECN
The switch supports a user-configurable weight that determines the average queue size used in WRED and Explicit Congestion Notification (ECN) operation on front-end I/O and backplane interfaces.
Global Service-Pools for WRED with ECN You can enable WRED with ECN to work with global service-pools. Global service pools that function as shared buffers are accessed by multiple queues when the minimum guaranteed buffers for a queue are consumed. The switch supports four global service-pools in the egress direction. Two types of service-pools are used: one for lossy queues and the other for lossless (priority-based flow control (PFC)) queues.
Configuring a Weight for WRED and ECN Operation
You can configure a WRED weight to customize WRED and ECN operation on a front-end or backplane interface. In the configuration procedure, you must also configure the global service-pools of shared buffer memory that can be accessed by multiple queues when the minimum guaranteed buffers for a queue are consumed.
1 Configure the weight factor for computation of average-queue size. This weight value applies to front-end and backplane ports.
Use the test cam-usage command to verify that there are enough available CAM entries before applying a policy-map to an interface so that you avoid exceeding the QoS CAM space and partial configurations. This command measures the size of the specified policy-map and compares it to the available CAM space in a partition for a specified port-pipe.
group. The table returns a value of 0 if the allocation mode is static and a value of 1 if the allocation mode is dynamic. This table is indexed by stack-unit number, port number and priority-group number.
46 Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm. RIP protocol standards are listed in the Standards Compliance chapter.
Topics:
• Protocol Overview
• Implementation Information
• Configuration Information
Protocol Overview
RIP is the oldest interior gateway protocol.
Implementation Information The Dell Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on interfaces or both versions on the interfaces. The following table lists the default values for RIP parameters on the switch. Table 84.
Enabling RIP Globally
By default, RIP is disabled on the switch. To enable RIP globally, use the following commands.
1 Enter ROUTER RIP mode and enable the RIP process.
CONFIGURATION mode
router rip
2 Assign an IP network address as a RIP network to exchange routing information.
192.161.1.0/24 auto-summary
192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0
192.162.3.0/24 auto-summary
To disable RIP globally, use the no router rip command in CONFIGURATION mode.
Configure RIP on Interfaces
When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes. By default, interfaces that you enable and configure with an IP address in the same subnet as the RIP network address receive RIPv1 and RIPv2 routes and send RIPv1 routes.
Adding RIP Routes from Other Instances
In addition to filtering routes, you can add routes from other routing instances or protocols to the RIP process. With the redistribute command, you can include open shortest path first (OSPF), static, or directly connected routes in the RIP process. To add routes from other routing instances or protocols, use the following commands.
• Include directly connected or user-configured (static) routes in RIP.
The following example shows the RIP configuration after the ROUTER RIP mode version command is set to RIPv2. When you set the ROUTER RIP mode version command, the interface (TengigabitEthernet 0/0) participating in the RIP process is also set to send and receive RIPv2 (shown in bold).
• Specify the generation of a default route in RIP.
ROUTER RIP mode
default-information originate [always] [metric value] [route-map route-map-name]
• always: Enter the keyword always to always generate a default route.
• value: The range is from 1 to 16.
• route-map-name: The name of a configured route map.
To confirm that the default route configuration is completed, use the show config command in ROUTER RIP mode.
• prefix-list-name: the name of an established prefix list to determine which incoming routes are modified.
• offset: the range is from 0 to 16.
• interface: the type, slot, and number of an interface.
To view the configuration changes, use the show config command in ROUTER RIP mode.
Debugging RIP
The debug ip rip command enables RIP debugging. When you enable debugging, you can view information on RIP protocol changes or RIP routes. To enable RIP debugging, use the following command.
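The following Python model is an added example, not part of the guide or of Dell Networking OS, of the distance-vector update behind the [120/metric] entries shown in this chapter: a received route costs one hop more than the neighbour advertised, an inbound offset-list value (0 to 16) is added on top, and a metric of 16 means unreachable, so a route whose current next hop advertises 16 is withdrawn. RipTable and its methods are names chosen here, the neighbour addresses and advertised metrics are constructed, and applying the offset per receiving interface is an assumption about the offset-list in interface form described above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

RIP_INFINITY = 16          # metric 16 means "unreachable"
RIP_ADMIN_DISTANCE = 120   # the 120 in [120/1] in the show output above


@dataclass
class Route:
    prefix: str
    next_hop: str      # "Direct" for connected routes
    interface: str
    metric: int
    distance: int = RIP_ADMIN_DISTANCE


class RipTable:
    """Minimal distance-vector table: a learned route costs one hop more than the
    neighbour advertised, plus any inbound offset configured for the interface."""

    def __init__(self, offset_in: Optional[Dict[str, int]] = None) -> None:
        self.routes: Dict[str, Route] = {}
        # interface -> offset-list value; assumed to model "offset-list ... in <interface>"
        self.offset_in = offset_in or {}

    def add_connected(self, prefix: str, interface: str) -> None:
        self.routes[prefix] = Route(prefix, "Direct", interface, 0, distance=0)

    def receive_update(self, neighbor: str, interface: str, advertised: Dict[str, int]) -> List[str]:
        """Process one RIP response from `neighbor` heard on `interface`; returns a change log."""
        log: List[str] = []
        offset = self.offset_in.get(interface, 0)
        for prefix, adv_metric in advertised.items():
            metric = min(adv_metric + 1 + offset, RIP_INFINITY)
            cur = self.routes.get(prefix)
            if cur is not None and cur.distance < RIP_ADMIN_DISTANCE:
                continue  # a connected route always beats a RIP-learned one
            if metric >= RIP_INFINITY:
                # Unreachable only matters when it comes from the next hop in use
                if cur is not None and cur.next_hop == neighbor:
                    del self.routes[prefix]
                    log.append(f"withdraw {prefix} via {neighbor}")
                continue
            better = cur is None or metric < cur.metric
            same_hop_changed = cur is not None and cur.next_hop == neighbor and cur.metric != metric
            if better or same_hop_changed:
                self.routes[prefix] = Route(prefix, neighbor, interface, metric)
                log.append(f"install {prefix} via {neighbor} [{RIP_ADMIN_DISTANCE}/{metric}]")
        return log

    def metric_of(self, prefix: str) -> Optional[int]:
        r = self.routes.get(prefix)
        return None if r is None else r.metric

    def next_hop_of(self, prefix: str) -> Optional[str]:
        r = self.routes.get(prefix)
        return None if r is None else r.next_hop

    def show_ip_route(self) -> List[str]:
        """Lines in the spirit of the show ip route output in this chapter (layout constructed)."""
        lines = []
        for prefix in sorted(self.routes):
            r = self.routes[prefix]
            code = "C" if r.next_hop == "Direct" else "R"
            via = "Direct" if code == "C" else f"via {r.next_hop}"
            lines.append(f"{code} {prefix:16} {via}, {r.interface} [{r.distance}/{r.metric}]")
        return lines


if __name__ == "__main__":
    t = RipTable(offset_in={"Te 2/11": 2})   # constructed: offset 2 on routes heard on Te 2/11
    t.add_connected("10.11.20.0/24", "Te 2/31")
    t.add_connected("10.11.10.0/24", "Te 2/11")
    # Constructed updates, not captured from Core2
    t.receive_update("10.11.20.1", "Te 2/31", {"10.11.30.0/24": 0, "192.168.1.0/24": 0, "10.11.20.0/24": 0})
    t.receive_update("10.11.10.2", "Te 2/11", {"192.168.1.0/24": 3})
    print("\n".join(t.show_ip_route()))
```

Note that the neighbour on Te 2/31 also advertises 10.11.20.0/24, the subnet Core2 is directly connected to; the connected route (distance 0) keeps precedence over the RIP-learned copy, which is why the C entries in the show ip route output never flip to R.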
RIP Configuration on Core2
The following example shows how to configure RIPv2 on a host named Core2.
Example of Configuring RIPv2 on Core 2
Core2(conf-if-te-2/31)#
Core2(conf-if-te-2/31)#router rip
Core2(conf-router_rip)#ver 2
Core2(conf-router_rip)#network 10.200.10.0
Core2(conf-router_rip)#network 10.300.10.0
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.0
Core2(conf-router_rip)#show config
!
router rip
network 10.0.0.
Destination       Gateway                  Dist/Metric  Last Change
-----------       -------                  -----------  -----------
C 10.11.10.0/24   Direct, Te 2/11
C 10.11.20.0/24   Direct, Te 2/31
R 10.11.30.0/24   via 10.11.20.1, Te 2/31
C 10.200.10.0/24  Direct, Te 2/41
C 10.300.10.0/24  Direct, Te 2/42
R 192.168.1.0/24  via 10.11.20.1, Te 2/31
R 192.168.2.0/24  via 10.11.20.1, Te 2/31
Core2#
R 192.168.1.0/24  via 10.11.20.1, Te 2/31
R 192.168.2.0/24  via 10.11.20.
Core 3 RIP Output
The examples in this section show the Core 3 RIP output.
• To display the Core 3 RIP database, use the show ip rip database command.
• To display the Core 3 RIP setup, use the show ip route command.
• To display Core 3 RIP activity, use the show ip protocols command.

Examples of the show ip Command with Core 3 Output
To view learned RIP routes on Core 3, use the show ip rip database command.
  Core3#show ip rip database
  Total number of routes in RIP database: 7
  10.11.10.0/24 [120/1] via 10.11.
  Default version control: receive version 2, send version 2
  Interface                 Recv  Send
  TenGigabitEthernet 3/21   2     2
  TenGigabitEthernet 3/11   2     2
  TenGigabitEthernet 3/44   2     2
  TenGigabitEthernet 3/43   2     2
  Routing for Networks:
  10.11.20.0
  10.11.30.0
  192.168.2.0
  192.168.1.0
  Routing Information Sources:
  Gateway      Distance  Last Update
  10.11.20.
  ip address 192.168.2.1/24
  no shutdown
  !
  router rip
  version 2
  network 10.11.20.0
  network 10.11.30.0
  network 192.168.1.0
  network 192.168.2.
47 Remote Monitoring (RMON)
Remote monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facilities and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
Setting the RMON Alarm
To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode.
• Set an alarm on any MIB object.
Configuring an RMON Event
To add an event to the RMON event table, use the rmon event command in GLOBAL CONFIGURATION mode.
• Add an event to the RMON event table.
  CONFIGURATION mode
  [no] rmon event number [log] [trap community] [description string] [owner string]
  • number: assigned event number, which is identical to the eventIndex in the eventTable in the RMON MIB. The value must be an integer from 1 to 65,535 and be unique in the RMON Event Table.
Configuring the RMON Collection History
To enable the RMON MIB history group of statistics collection on an interface, use the rmon collection history command in INTERFACE CONFIGURATION mode.
• Configure the RMON MIB history group of statistics collection.
  CONFIGURATION INTERFACE (config-if) mode
  [no] rmon collection history {controlEntry integer} [owner ownername] [buckets bucket-number] [interval seconds]
  • controlEntry: specifies the RMON group of statistics using a value.
48 Rapid Spanning Tree Protocol (RSTP)
The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP).

Protocol Overview
The Dell Networking OS supports three other versions of spanning tree, as shown in the following table.
Table 85.
• Adding a group of ports to a range of VLANs sends multiple messages to the RSTP task; avoid using the range command. When using the range command, Dell Networking recommends limiting the range to five ports and 40 VLANs.

RSTP and VLT
Virtual link trunking (VLT) provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures.
Enabling Rapid Spanning Tree Protocol Globally
Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology.
• Only one path from any bridge to any other bridge is enabled.
• Bridges block a redundant path by disabling one of the link ports.
To enable RSTP globally for all Layer 2 interfaces, use the following commands.
Figure 125. Rapid Spanning Tree Enabled Globally
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
  Dell#show spanning-tree rstp
  Root Identifier has priority 32768, Address 0001.e801.cbb4
  Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
  Bridge Identifier has priority 32768, Address 0001.e801.
  Designated bridge has priority 32768, address 0001.e801.cbb4
  Designated port id is 128.379, designated path cost 0
  Number of transitions to forwarding state 1
  BPDU : sent 121, received 5
  The port is not in the Edge port mode
  Port 380 (TengigabitEthernet 2/4) is designated Forwarding
  Port path cost 20000, Port priority 128, Port Identifier 128.380
  Designated root has priority 32768, address 0001.e801.cbb4
  Designated bridge has priority 32768, address 0001.e801.cbb4
  Designated port id is 128.
The following table displays the default values for RSTP.

Table 86. RSTP Default Values
  RSTP Parameter                                               Default Value
  Forward Delay                                                15 seconds
  Hello Time                                                   2 seconds
  Max Age                                                      20 seconds
  Port Cost: 10-Gigabit Ethernet interfaces                    2000
  Port Cost: Port Channel with 10-Gigabit Ethernet interfaces  1800
  Port Priority                                                128

To change these parameters, use the following commands.
• Change the forward-delay parameter.
  PROTOCOL SPANNING TREE RSTP mode
  forward-delay seconds
  The range is from 4 to 30.
  snmp-server enable traps xstp

Modifying Interface Parameters
On interfaces in Layer 2 mode, you can set the port cost and port priority values.
• Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority — influences the likelihood that a port is selected to be a forwarding port in case several ports have the same port cost.
Configuring an EdgePort
The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states. The bpduguard shutdown-on-violation option causes the interface hardware to be shut down when it receives a BPDU.
• Configure a hello time on the order of milliseconds.
  PROTOCOL RSTP mode
  hello-time milli-second interval
  The range is from 50 to 950 milliseconds.

Example of Verifying the Hello-Time Interval
  Dell(conf-rstp)#do show spanning-tree rstp brief
  Executing IEEE compatible Spanning Tree Protocol
  Root ID Priority 0, Address 0001.e811.2233
  Root Bridge hello time 50 ms, max age 20, forward delay 15
  Bridge ID Priority 0, Address 0001.e811.
49 Security
This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
The Dell Networking OS supports the constrained RBAC model. With a constrained RBAC model, you can inherit permissions when you create a new user role, restrict or add commands a user can enter and the actions the user can perform. This allows for greater flexibility in assigning permissions for each command to each role and as a result, it is easier and much more efficient to administer user rights.
NOTE: The authentication method list should be in the same order as the authorization method list. For example, if you configure the authentication method list in the order (TACACS+, local), Dell Networking recommends that the authorization method list be configured in the same order (TACACS+, local).
4 Specify the authorization method list (RADIUS, TACACS+, or Local). You must at least specify local authorization.
  Role      Modes
  netadmin  Exec, Config, Interface, Router, IP, Route-map, Protocol, MAC
  secadmin  Exec, Config, Line
  sysadmin  Exec, Config, Interface, Line, Router, IP, Route-map, Protocol, MAC

User Roles
This section describes how to create a new user role and configure command permissions and contains the following topics.
Verify that the user role, myrole, has inherited the security administrator permissions. The output highlighted in bold indicates that the user role has successfully inherited the security administrator permissions.
The following example allows the security administrator (secadmin) to access Interface mode.
In the following example, the Protocol mode command permissions are reset to their original setting for one or more of the system-defined roles and any roles that inherited permissions from them.
  Dell(conf)#role configure reset protocol

Adding and Deleting Users from a Role
To create a user name that is authenticated based on a user role, use the username name password encryption-type password role role-name command in CONFIGURATION mode.
Configure AAA Authorization for Roles
Authorization services determine whether the user has permission to use a command in the CLI. Users with only privilege levels can use commands in privilege-or-role mode (the default) provided their privilege level is the same as or greater than the privilege level of those commands. Users with defined roles can use commands provided their role is permitted to use those commands. Role inheritance is also used to determine authorization.
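The authorization rules above, with the role table, the inherit/grant/reset steps from the preceding examples, modelled as an added example (not Dell Networking OS code); the user records and per-command privilege levels are constructed:

```python
"""Model of the privilege-or-role authorization check described in this chapter.

Added example; this is not Dell Networking OS code. The three system-defined
roles and the CLI modes each may enter are taken from the role table earlier
in the chapter; the user records and per-command privilege levels below are
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional

# Modes each system-defined role may enter (from the chapter's role table).
SYSTEM_ROLE_MODES = {
    "netadmin": {"Exec", "Config", "Interface", "Router", "IP",
                 "Route-map", "Protocol", "MAC"},
    "secadmin": {"Exec", "Config", "Line"},
    "sysadmin": {"Exec", "Config", "Interface", "Line", "Router", "IP",
                 "Route-map", "Protocol", "MAC"},
}


@dataclass
class User:
    name: str
    privilege: int = 1          # 0..15; level 15 includes all levels
    role: Optional[str] = None  # set with "username ... role <role-name>"


class RoleTable:
    """Roles, their inheritance chain and per-mode grants."""

    def __init__(self):
        self.parent = {name: None for name in SYSTEM_ROLE_MODES}
        self.grants = {name: set() for name in SYSTEM_ROLE_MODES}

    def create_role(self, name, inherit):
        # "role <name> inherit <parent>": the new role starts with exactly
        # the parent's permissions.
        if inherit not in self.parent:
            raise ValueError(f"unknown parent role {inherit!r}")
        self.parent[name] = inherit
        self.grants[name] = set()

    def grant(self, role, mode):
        # "role configure ...": let this role (and roles inheriting from it)
        # enter one more mode.
        self.grants[role].add(mode)

    def reset(self, mode):
        # "role configure reset <mode>": remove every grant of this mode, so
        # system-defined roles and roles inheriting from them return to their
        # original permissions for that mode.
        for role_grants in self.grants.values():
            role_grants.discard(mode)

    def effective_modes(self, role):
        """Union of the role's grants and those of every ancestor."""
        modes, current = set(), role
        while current is not None:
            modes |= self.grants[current]
            modes |= SYSTEM_ROLE_MODES.get(current, set())
            current = self.parent[current]
        return modes

    def authorize(self, user, mode, command_level):
        """Privilege-or-role mode: roles decide by mode, otherwise by level."""
        if user.role is not None:
            return mode in self.effective_modes(user.role)
        return user.privilege >= command_level


def demo():
    """Replays the chapter's steps (inherit, grant, reset) and returns the verdicts."""
    table = RoleTable()
    table.create_role("myrole", inherit="secadmin")   # myrole inherits secadmin
    alice = User("alice", role="myrole")
    results = {"myrole_line": table.authorize(alice, "Line", 15),
               "myrole_interface_before": table.authorize(alice, "Interface", 15)}
    table.grant("secadmin", "Interface")   # allow secadmin to enter Interface mode
    results["myrole_interface_after"] = table.authorize(alice, "Interface", 15)
    table.reset("Interface")               # role configure reset for that mode
    results["myrole_interface_reset"] = table.authorize(alice, "Interface", 15)
    bob = User("bob", privilege=8)         # no role: plain privilege level 8
    results["bob_level1_command"] = table.authorize(bob, "Exec", 1)
    results["bob_level15_command"] = table.authorize(bob, "Config", 15)
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'permitted' if allowed else 'denied'}")
```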
  login authentication ucraaa
  authorization exec ucraaa
  accounting commands role netadmin
  line vty 5
  login authentication ucraaa
  authorization exec ucraaa
  accounting commands role netadmin
  line vty 6
  login authentication ucraaa
  authorization exec ucraaa
  accounting commands role netadmin
  line vty 7
  login authentication ucraaa
  authorization exec ucraaa
  accounting commands role netadmin
  line vty 8
  login authentication ucraaa
  authorization exec ucraaa
  accounting commands role netadmin
  line vty 9
  login authenticat
Role Accounting
This section describes how to configure role accounting and how to display active sessions for roles. This section consists of the following topics:
• Configuring AAA Accounting for Roles
• Applying an Accounting Method to a Role
• Displaying Active Accounting Sessions for Roles

Configuring AAA Accounting for Roles
To configure AAA accounting for roles, use the aaa accounting command in CONFIGURATION mode.
Display Information About User Roles
This section describes how to display information about user roles. This section consists of the following topics:
• Displaying User Roles
• Displaying Information About Roles Logged into the Switch
• Displaying Active Accounting Sessions for Roles

Displaying User Roles
To display user roles, use the show userroles and show users commands in EXEC Privilege mode.
Displaying Information About Users Logged into the Switch
To display information on all users logged into the switch, use the show users command in EXEC Privilege mode. The output displays the privilege level and/or user role. The mode is displayed at the start of the output, and both the privilege and roles for all users are also displayed. If a role is not defined, the system displays "unassigned".
• exec: sends accounting information when a user has logged in to EXEC mode.
• command level: sends accounting of commands executed at the specified privilege level.
• default | name: enter the name of a list of accounting methods.
• start-stop: use for more accounting information, to send a start-accounting notice at the beginning of the requested event and a stop-accounting notice at the end.
  accounting commands 15 com15
  accounting exec execAcct

Example of Enabling AAA Accounting with a Named Method List
  Dell(config-line-vty)# accounting commands 15 com15
  Dell(config-line-vty)# accounting exec execAcct

Monitoring AAA Accounting
The system does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting.
Configure Login Authentication for Terminal Lines
You can assign up to five authentication methods to a method list. The system evaluates the methods in the order in which you enter them in each list. If the first method does not respond or returns an error, the system applies the next method until the user either passes or fails the authentication. If the user fails a method, the system does not apply the next method.
Enabling AAA Authentication
To enable AAA authentication, use the following command.
• Enable AAA authentication.
  CONFIGURATION mode
  aaa authentication enable {method-list-name | default} method1 [... method4]
  • default: uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
  • method-list-name: character string used to name the list of enable authentication methods activated when a user logs in.
  • method1 [...
Server-Side Configuration
Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or RADIUS server.
• TACACS+ — When using TACACS+, the switch sends an initial packet with service type SVC_ENABLE, and then sends a second packet with just the password. The TACACS server must have an entry for username $enable$.
AAA Authorization
The system enables AAA new-model by default. You can set authorization to be either local or remote. Different combinations of authentication and authorization yield different results. By default, the system sets both to local.

Privilege Levels Overview
Limiting access to the system is one method of protecting the system and your network. However, at times, you might need to allow others access to the router, and you can limit that access to a subset of commands.
Configuring a Username and Password
In the Dell Networking OS, you can assign a specific username to limit user access to the system. To configure a username and password, use the following command.
• Assign a user name and password.
  CONFIGURATION mode
  username name [access-class access-list-name] [nopassword | password [encryption-type] password] [privilege level]
  Configure the optional and required parameters:
  • name: Enter a text string up to 63 characters long.
router authentication strings, VRRP authentication by obscuring this information. Passwords and keys are stored encrypted in the configuration file and by default are displayed in the encrypted form when the configuration is displayed. Enabling the service obscure-passwords command displays asterisks instead of the encrypted passwords and keys. This command prevents a user from reading these passwords and keys by obscuring this information with asterisks.
• level level: specify a level from 0 to 15. Level 15 includes all levels.
• encryption-type: enter 0 for plain text or 7 for encrypted text.
• password: enter a string up to 25 characters long.
To change only the password for the enable command, configure only the password parameter.
3 Configure the level and commands for a mode, or reset a command's level.
  Current privilege level is 8
  Dell#?
  configure   Configuring from terminal
  disable     Turn off privileged commands
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  no          Negate a command
  show        Show running system information
  terminal    Set terminal line parameters
  traceroute  Trace route to destination
  Dell#confi
  Dell(conf)#?
  end          Exit from Configuration mode
  exit         Exit from Configuration mode
  no           Reset a command
  snmp-server  Modify SNMP parameters
  Dell(conf)#

Specifying LINE Mode Password and Privilege
You can s
• level-number: The level-number you wish to set. If you enter disable without a level-number, your security level is 1.

Resetting a Password
To reset a password on the switch, follow the procedure in Recovering from a Forgotten Password on the switch.

RADIUS
Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol.
• The administrator changes the idle-time of the line on which the user has logged in.
• The idle-time is lower than the RADIUS-returned idle-time.

ACL Configuration Information
The RADIUS server can specify an ACL. If an ACL is configured on the RADIUS server, and if that ACL is present, the user may be allowed access based on that ACL. If the ACL is absent, authorization fails, and a message is logged indicating this.
To view the configuration, use the show config command in LINE mode or the show running-config command in EXEC Privilege mode.

Defining a AAA Method List to be Used for RADIUS
To configure RADIUS to authenticate or authorize users on the system, create a AAA method list. Default method lists do not need to be explicitly applied to the line, so they are not mandatory. To create a method list, use the following commands.
• auth-port port-number: the range is from 0 to 65335. Enter a UDP port number. The default is 1812.
• retransmit retries: the range is from 0 to 100. The default is 3.
• timeout seconds: the range is from 0 to 1000. The default is 5 seconds.
• key [encryption-type] key: enter 0 for plain text or 7 for encrypted text, and a string for the key. The key can be up to 42 characters long. This key must match the key configured on the RADIUS server host.
Monitoring RADIUS
To view information on RADIUS transactions, use the following command.
• View RADIUS transactions to troubleshoot problems.
  EXEC Privilege mode
  debug radius

Microsoft Challenge-Handshake Authentication Protocol Support for RADIUS Authentication
Dell Networking OS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAPv2) with RADIUS authentication. RADIUS is used to authenticate Telnet, SSH, console, REST, and OMI access to the switch based on the AAA configuration.
TACACS+
The system supports the terminal access controller access control system (TACACS+) client, including support for login authentication.

Configuration Task List for TACACS+
The following list includes the configuration tasks for TACACS+ functions.
If authentication fails using the primary method, the system employs the second method (or third method, if necessary) automatically. For example, if the TACACS+ server is reachable but the server key is invalid, the system proceeds to the next authentication method. In the following example, the TACACS+ server key is incorrect, but the user is still authenticated by the secondary method. First bold line: server key purposely changed to an incorrect value. Second bold line: user authenticated using the secondary method.
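The method-list rules given under Configure Login Authentication for Terminal Lines (error or no response moves to the next method, an explicit failure is final) and the wrong-key TACACS+ case just described, simulated as an added example that is not Dell Networking OS code; the TACACS+ server stand-in, the local user database and every credential are constructed:

```python
"""Simulation of how a login authentication method list is evaluated.

Added example; this is not Dell Networking OS code. It applies the rules
stated in this chapter: up to five methods per list, tried in the configured
order; a method that does not respond or returns an error (for instance a
reachable TACACS+ server whose shared key does not match) hands over to the
next method, while a method that rejects the user ends the evaluation. The
TACACS+ server stand-in, the local user database and all credentials are
constructed.
"""
from enum import Enum

MAX_METHODS = 5


class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method rejected the credentials
    ERROR = "error"  # no response, or the reply could not be validated


def local_method(user_db):
    """Method backed by local "username ... password" entries (constructed)."""
    def method(user, password):
        if user not in user_db:
            return Result.FAIL
        return Result.PASS if user_db[user] == password else Result.FAIL
    return method


def tacacs_method(server, configured_key):
    """Stand-in for a TACACS+ exchange; `server` is a constructed dict."""
    def method(user, password):
        if not server["reachable"]:
            return Result.ERROR
        if server["key"] != configured_key:
            # Wrong shared secret: the reply cannot be decrypted, so the
            # client sees an error rather than a verdict and falls through.
            return Result.ERROR
        if server["users"].get(user) == password:
            return Result.PASS
        return Result.FAIL
    return method


def authenticate(method_list, user, password):
    """Return (authenticated, index of the method that decided)."""
    if not 1 <= len(method_list) <= MAX_METHODS:
        raise ValueError("a method list holds between 1 and 5 methods")
    for index, method in enumerate(method_list):
        outcome = method(user, password)
        if outcome is Result.PASS:
            return True, index
        if outcome is Result.FAIL:
            return False, index   # a failed method is final: no fallthrough
        # Result.ERROR: continue with the next method in the list
    # Every method errored; treated as not authenticated here (assumption).
    return False, len(method_list) - 1


def demo():
    """Replays the chapter's scenario (list order: TACACS+, then local)."""
    server = {"reachable": True, "key": "Force10",
              "users": {"admin": "t@c@cs-pw"}}
    local = local_method({"admin": "l0cal-pw"})
    wrong_key = [tacacs_method(server, "WrongKey"), local]
    right_key = [tacacs_method(server, "Force10"), local]
    return {
        # key mismatch -> error -> local method authenticates the user
        "bad_key_local_ok": authenticate(wrong_key, "admin", "l0cal-pw"),
        # key mismatch -> error -> local method rejects: final
        "bad_key_local_bad": authenticate(wrong_key, "admin", "guess"),
        # TACACS+ answers: its verdict stands, local is never consulted
        "good_key_tacacs_ok": authenticate(right_key, "admin", "t@c@cs-pw"),
        "good_key_tacacs_bad": authenticate(right_key, "admin", "l0cal-pw"),
    }


if __name__ == "__main__":
    for case, (ok, idx) in demo().items():
        print(f"{case}: {'authenticated' if ok else 'rejected'} by method {idx}")
```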
user is found to be coming from the 10.0.0.0 subnet, the system also immediately closes the Telnet connection. Note that no matter where the user is coming from, they see the login prompt. When configuring a TACACS+ server host, you can set different communication parameters, such as the key password.

Example of Specifying a TACACS+ Server Host
  Dell#
  Dell(conf)#
  Dell(conf)#ip access-list standard deny10
  Dell(conf-std-nacl)#permit 10.0.0.
Command Authorization
The AAA command authorization feature configures the system to send each configuration command to a TACACS server for authorization before it is added to the running configuration. By default, the AAA authorization commands configure the system to check both EXEC mode and CONFIGURATION mode commands. Use the no aaa authorization config-commands command to enable only EXEC mode command checking.
Specifying an SSH Version
The following example shows using the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting.
  Dell(conf)#ip ssh server version 2
  Dell(conf)#do show ip ssh
  SSH server : enabled.
  SSH server version : v1 and v2.
  SSH server vrf : default.
  SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
  SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
• ip ssh rsa-authentication: add keys for RSA authentication.
• show crypto: display the public part of the SSH host keys.
• show ip ssh client-pub-keys: display the client public keys used in host-based authentication.
• show ip ssh rsa-authentication: display the authorized keys for RSA authentication.
The following example shows the use of SCP and SSH to copy a software image from one switch running an SSH server on UDP port 99 to the local switch.
cipher-list: Enter a space-delimited list of ciphers the SSH server will support. The following ciphers are available.
• 3des-cbc
• aes128-cbc
• aes192-cbc
• aes256-cbc
• aes128-ctr
• aes192-ctr
• aes256-ctr
The default cipher list is aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc.
Configuring the HMAC Algorithm for the SSH Client
To configure the HMAC algorithm for the SSH client, use the ip ssh mac hmac-algorithm command in CONFIGURATION mode.
hmac-algorithm: Enter a space-delimited list of keyed-hash message authentication code (HMAC) algorithms supported by the SSH server.
Example of Configuring a Cipher List
The following example shows you how to configure a cipher list.
  Dell(conf)#ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr

Configuring the SSH Client Cipher List
To configure the cipher list supported by the SSH client, use the ip ssh cipher cipher-list command in CONFIGURATION mode.
cipher-list: Enter a space-delimited list of ciphers the SSH client supports. The following ciphers are available.
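An audit of the show ip ssh output format shown under Specifying an SSH Version, combined with the ip ssh server cipher command above, as an added example that is not Dell Networking OS code; the sample output is a constructed copy of the chapter's example, and which algorithms count as weak is this example's own policy:

```python
"""Audit of the algorithm lists reported by `show ip ssh`.

Added example; this is not Dell Networking OS code. It parses output in the
format shown in the example above, reports whether SSHv1 is still accepted,
flags the CBC-mode and 3DES ciphers and the MD5 and truncated (-96) MACs that
the default lists still offer, and assembles the `ip ssh server cipher` command
from this chapter with only the CTR ciphers kept. The sample output is a
constructed copy of the example above, and the weak-algorithm classification
is this example's own policy rather than a setting of the OS.
"""
import re

SAMPLE_SHOW_IP_SSH = """\
SSH server : enabled.
SSH server version : v1 and v2.
SSH server vrf : default.
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
"""

# "SSH server <field> : <value>." ; the first line has no field name.
LINE_RE = re.compile(r"^SSH server(?: (\w+))?\s*:\s*(.*?)\.?\s*$")


def parse_show_ip_ssh(text):
    """Map each output line to field -> value (lists for ciphers and macs)."""
    fields = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        key, value = match.group(1) or "state", match.group(2)
        if key in ("ciphers", "macs"):
            value = [item.strip() for item in value.split(",") if item.strip()]
        fields[key] = value
    return fields


def is_weak_cipher(name):
    # CBC mode and 3DES: the CTR ciphers in the same list are preferable.
    return name.endswith("-cbc") or name.startswith("3des")


def is_weak_mac(name):
    # MD5-based MACs and the 96-bit truncated variants.
    return "md5" in name or name.endswith("-96")


def audit_ssh_server(show_output):
    """Return findings plus the remediation commands this chapter documents."""
    fields = parse_show_ip_ssh(show_output)
    ciphers = fields.get("ciphers", [])
    macs = fields.get("macs", [])
    strong_ciphers = [c for c in ciphers if not is_weak_cipher(c)]
    v1_accepted = "v1" in fields.get("version", "").split()
    return {
        "enabled": fields.get("state") == "enabled",
        "v1_accepted": v1_accepted,
        "weak_ciphers": [c for c in ciphers if is_weak_cipher(c)],
        "weak_macs": [m for m in macs if is_weak_mac(m)],
        # `ip ssh server cipher <list>` as documented above, CTR ciphers only.
        "cipher_command": ("ip ssh server cipher " + " ".join(strong_ciphers)
                           if strong_ciphers else None),
        # `ip ssh server version 2` as documented above, if v1 is still on.
        "version_command": "ip ssh server version 2" if v1_accepted else None,
    }


if __name__ == "__main__":
    for key, value in audit_ssh_server(SAMPLE_SHOW_IP_SSH).items():
        print(f"{key}: {value}")
```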
Enabling SSH Authentication by Password
Authenticate an SSH client by prompting for a password when it attempts to connect to the Dell Networking system. This setup is the simplest method of authentication and uses SSH version 1. To enable SSH password authentication, use the following command.
• Enable SSH password authentication.
Configuring Host-Based SSH Authentication
Authenticate a particular host. This method uses SSH version 2. To configure host-based authentication, use the following commands.
1 Configure RSA authentication. Refer to Using RSA Authentication of SSH.
2 Create shosts by copying the public RSA key to the file shosts in the directory .ssh, and write the IP address of the host to the file.
  cp /etc/ssh/ssh_host_rsa_key.pub /.ssh/shosts
  Refer to the first example.
Using Client-Based SSH Authentication
To SSH from the chassis to the SSH client, use the following command. This method uses SSH version 1 or version 2. If the SSH port is a non-default value, use the ip ssh server port number command to change the default port number. You may only change the port number when SSH is disabled. Then use the -p option with the ssh command.
• SSH from the chassis to the SSH client.
  ssh ip_address

Example of Client-Based SSH Authentication
  Dell#ssh 10.16.127.
The system provides several ways to configure access classes for VTY lines, including:
• VTY Line Local Authentication and Authorization
• VTY Line Remote Authentication and Authorization

VTY Line Local Authentication and Authorization
The system retrieves the access class from the local database. To use this feature:
1 Create a username.
2 Enter a password.
3 Assign an access class.
4 Enter a privilege level.
  Dell(conf)#
  Dell(conf)#aaa authentication login tacacsmethod tacacs+
  Dell(conf)#tacacs-server host 256.1.1.2 key Force10
  Dell(conf)#
  Dell(conf)#line vty 0 9
  Dell(config-line-vty)#login authentication tacacsmethod
  Dell(config-line-vty)#
  Dell(config-line-vty)#access-class deny10
  Dell(config-line-vty)#end
  (same applies for radius and line authentication)

VTY MAC-SA Filter Support
The system supports MAC access lists which permit or deny users based on their source MAC address.
• Access-Reject—NAS validates the OTP and, if the OTP is invalid, the RADIUS server does not authenticate the user and sends an Access-Reject response to NAS.

Configuring Challenge Response Authentication for SSHv2
To configure challenge response authentication for SSHv2, perform the following steps:
1 Enable challenge response authentication for SSHv2.
  CONFIGURATION mode
  ip ssh challenge-response-authentication enable
2 View the configuration.
You can configure the Dell Networking OS to suppress the following ICMPv4 and ICMPv6 message types:
Table 88.
NOTE: The Dell Networking OS does not suppress the following ICMPv6 message types:
• Packet too big (2)
• Echo request (128)
• Multicast listener query (130)
• Multicast listener report (131)
• Multicast listener done (132)
• Router solicitation (133)
• Router advertisement (134)
• Neighbor solicitation (135)
• Neighbor advertisement (136)
• Redirect (137)
• Router renumbering (138)
• MLD v2 listener report (143)
• Duplicate Address Request (157)
• Duplicate Address Confirmation (
50 Service Provider Bridging
Service provider bridging provides the ability to add a second VLAN ID tag to an Ethernet frame and is referred to as VLAN stacking in the Dell Networking OS.

VLAN Stacking
VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 126. VLAN Stacking in a Service Provider Network

Important Points to Remember
• Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-stack-enabled VLAN.
• Dell Networking cautions against using the same MAC address on different customer VLANs on the same VLAN-stack VLAN.
Configure VLAN Stacking
Configuring VLAN-Stacking is a three-step process.
1 Create access and trunk ports.
2 Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports).
3 Enable VLAN-Stacking for a VLAN.
  switchport vlan-stack trunk
  no shutdown

Enable VLAN-Stacking for a VLAN
To enable VLAN-Stacking for a VLAN, use the following command.
• Enable VLAN-Stacking for the VLAN.
  INTERFACE VLAN mode
  vlan-stack compatible

Example of Viewing VLAN Stack Member Status
To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.
NOTE: You can add a trunk port to an 802.1Q VLAN as well as a Stacking VLAN only when the TPID is 0x8100.
2 Add the port to an 802.1Q VLAN as tagged or untagged.
  INTERFACE VLAN mode
  [tagged | untagged]

Example of Configuring a Trunk Port as a Hybrid Port and Adding it to Stacked VLANs
In the following example, the TenGigabitEthernet 0/1 interface is a trunk port that is configured as a hybrid port and then added to VLAN 100 as untagged, VLAN 101 as tagged, and VLAN 103, which is a stacking VLAN.
  Dell#debug member port tengigabitethernet 1/47
  vlan id : 603 (MT), 100(T), 101(NU)

VLAN Stacking in Multi-Vendor Networks
The first field in the VLAN tag is the tag protocol identifier (TPID), which is 2 bytes. In a VLAN-stacking network, after the frame is double tagged, the outer tag TPID must match the TPID of the next-hop system. While 802.1Q requires that the inner tag TPID is 0x8100, it does not require a specific value for the outer tag TPID. Systems may use any 2-byte value.
Figure 127.
Figure 128.
Figure 129. Single and Double-Tag TPID Mismatch

VLAN Stacking Packet Drop Precedence
VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested.

Enabling Drop Eligibility
Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
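The double-tag header described under VLAN Stacking in Multi-Vendor Networks, with the outer-TPID mismatch of Figure 129 and the S-Tag DEI bit, built and parsed as an added example that is not Dell Networking OS code; the MAC addresses, VLAN IDs, the vendor TPID 0x9100 and the payload are constructed, while 0x88A8 is the S-Tag TPID that IEEE 802.1ad defines:

```python
"""Double-tagged (Q-in-Q) frame construction and TPID matching.

Added example; this is not Dell Networking OS code. It builds the S-Tag and
C-Tag header described above (inner TPID fixed at 0x8100, outer TPID any
2-byte value), sets the DEI bit in the S-Tag, and shows what a receiver sees
when its expected outer TPID matches and when it does not, the mismatch case
of the figure above. 0x88A8 is the S-Tag TPID defined by IEEE 802.1ad; the
MAC addresses, VLAN IDs, vendor TPID 0x9100 and payload are constructed.
"""
import struct

C_TAG_TPID = 0x8100   # 802.1Q requires this for the inner (customer) tag
S_TAG_TPID = 0x88A8   # 802.1ad service tag TPID; other systems use other values
ETH_HDR_LEN = 12      # destination + source MAC


def vlan_tag(tpid, vid, pcp=0, dei=0):
    """Encode one 4-byte tag: TPID then TCI (PCP:3 bits, DEI/CFI:1, VID:12)."""
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VLAN ID must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return struct.pack("!HH", tpid, tci)


def build_frame(dst, src, payload, ethertype=0x0800, c_vid=None,
                s_vid=None, outer_tpid=S_TAG_TPID, s_dei=0):
    """Ethernet frame with an optional S-Tag (outer) and C-Tag (inner)."""
    header = dst + src
    if s_vid is not None:
        header += vlan_tag(outer_tpid, s_vid, dei=s_dei)  # service provider tag
    if c_vid is not None:
        header += vlan_tag(C_TAG_TPID, c_vid)             # customer tag
    return header + struct.pack("!H", ethertype) + payload


def parse_tags(frame, known_tpids):
    """Peel every leading tag whose TPID the receiver recognises.

    Returns (tags, ethertype_seen, payload_offset). A tag with an unknown
    TPID is not recognised as a tag at all: its TPID is read as the frame's
    EtherType and everything after it is taken to be payload.
    """
    tags, offset = [], ETH_HDR_LEN
    while True:
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in known_tpids:
            return tags, tpid, offset + 2
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": tpid, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0xFFF})
        offset += 4


def demo():
    """One frame, two receivers with different outer-TPID expectations."""
    dst = bytes.fromhex("020000000002")   # constructed locally administered MACs
    src = bytes.fromhex("020000000001")
    frame = build_frame(dst, src, b"\x45" + b"\x00" * 19, c_vid=100, s_vid=603,
                        outer_tpid=0x9100, s_dei=1)   # vendor TPID 0x9100
    # Next hop configured for the same outer TPID: both tags are recognised.
    matching = parse_tags(frame, {C_TAG_TPID, 0x9100})
    # Next hop expecting 0x88A8: the S-Tag is taken for an EtherType and the
    # C-Tag and payload are misread, which is the mismatch in the figure.
    mismatched = parse_tags(frame, {C_TAG_TPID, S_TAG_TPID})
    return {"frame": frame, "matching": matching, "mismatched": mismatched}


if __name__ == "__main__":
    result = demo()
    print("frame:", result["frame"].hex())
    print("matching TPID :", result["matching"])
    print("mismatched TPID:", result["mismatched"])
```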
Table 90. Drop Eligibility Behavior
  Ingress      Egress       DEI Disabled             DEI Enabled
  Normal Port  Normal Port  Retain CFI               Set CFI to 0
  Trunk Port   Trunk Port   Retain inner tag CFI;    Retain inner tag CFI;
                            retain outer tag CFI     set outer tag CFI to 0
  Access Port  Trunk Port   Retain inner tag CFI;    Retain inner tag CFI;
                            set outer tag CFI to 0   set outer tag CFI to 0

To enable drop eligibility globally, use the following command.
• Make packets eligible for dropping based on their DEI value.
Marking Egress Packets with a DEI Value
On egress, you can set the DEI value according to a different mapping than ingress. For ingress information, refer to Honoring the Incoming DEI Value. To mark egress packets, use the following command.
• Set the DEI value on egress according to the color currently assigned to the packet.
NOTE: The ability to map incoming C-Tag dot1p to any S-Tag dot1p requires installing up to eight entries in the Layer 2 QoS and Layer 2 ACL table for each configured customer VLAN. The scalability of this feature is limited by the impact of the 1:8 expansion in these content addressable memory (CAM) tables.
• vman-qos-dual-fp: mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p. This method requires twice as many CAM entries as vman-qos and FP blocks in multiples of 2.
The default is 0 FP blocks for vman-qos and vman-qos-dual-fp.
2 The new CAM configuration is stored in NVRAM and takes effect only after a save and reload.
  EXEC Privilege mode
  copy running-config startup-config
  reload
3 Map C-Tag dot1p values to an S-Tag dot1p value.
Figure 131. VLAN Stacking without L2PT
You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 132. VLAN Stacking with L2PT

Implementation Information
• L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
• No protocol packets are tunneled when you enable VLAN stacking.
• L2PT requires the default CAM profile.

Enabling Layer 2 Protocol Tunneling
To enable Layer 2 protocol tunneling, use the following commands.
1 Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
  show cam-profile
2 Enable protocol tunneling globally on the system.
  CONFIGURATION mode
  protocol-tunnel enable
3 Tunnel BPDUs on the VLAN.
  INTERFACE VLAN mode
  protocol-tunnel stp

Specifying a Destination MAC Address for BPDUs
By default, the system uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
Debugging Layer 2 Protocol Tunneling
To debug Layer 2 protocol tunneling, use the following command.
• Display debugging information for L2PT.
  EXEC Privilege mode
  debug protocol-tunnel

Provider Backbone Bridging
IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. 802.
51 sFlow
sFlow is a standards-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
To avoid the back-off, either increase the global sampling rate or configure all the line card ports with the desired sampling rate, even if some ports have no sFlow configured.

Important Points to Remember
• The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset.
• Dell Networking recommends that the sFlow collector be connected to the Dell Networking chassis through a line card port rather than the management Ethernet port.
• Only egress sampling is supported.
Displaying Show sFlow Global
To view sFlow statistics, use the following command.
• Display sFlow configuration information and statistics.
  EXEC mode
  show sflow

Example of Viewing sFlow Configuration (Global)
The first bold line indicates that sFlow is globally enabled. The second set of bold lines indicates that sFlow is enabled on interfaces Te 1/16 and Te 1/17.
Displaying Show sFlow on a Line Card
To view sFlow statistics on a specified line card, use the following command.
• Display sFlow configuration information and statistics on the specified interface.
Back-Off Mechanism If the sampling rate for an interface is set to a very low value, the CPU can become overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism is triggered, which doubles the sampling rate (halving the number of samples per second) for all interfaces, not only the interface whose low rate caused the overload. The back-off mechanism continues to double the sampling rate until the CPU condition clears. This behavior follows the sFlow version 5 specification.
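The following Python model, added here and not part of the guide or Dell Networking OS, works through the back-off arithmetic: every sampled port contributes packets-per-second divided by its 1-in-N rate to the CPU, and when the total exceeds the CPU budget the rate of every interface is doubled until it does not. The port names, traffic rates and the CPU budget are constructed values; the last function shows the remedy the guide recommends (raise the global rate yourself rather than let back-off pick one).

```python
"""Model of the sFlow binary back-off (added example, not Dell Networking OS code)."""


def expected_samples_per_second(ports: dict, rates: dict) -> float:
    """ports: name -> packets/s of traffic; rates: name -> 1-in-N sampling rate."""
    return sum(ports[name] / rates[name] for name in ports)


def apply_backoff(ports: dict, rates: dict, cpu_budget: float, max_doublings: int = 32):
    """Return (effective_rates, doublings) once the back-off has settled.

    The doubling is applied to all interfaces at once, so a single port with an
    aggressive rate also coarsens sampling on ports that were configured sensibly."""
    effective = dict(rates)
    doublings = 0
    while expected_samples_per_second(ports, effective) > cpu_budget:
        if doublings >= max_doublings:
            raise RuntimeError("sampling rate cannot be increased further")
        effective = {name: rate * 2 for name, rate in effective.items()}
        doublings += 1
    return effective, doublings


def rate_to_avoid_backoff(ports: dict, cpu_budget: float) -> int:
    """Smallest power-of-two 1-in-N rate that keeps the whole line card within
    budget when applied globally, i.e. the rate to configure up front."""
    total_pps = sum(ports.values())
    rate = 1
    while total_pps / rate > cpu_budget:
        rate *= 2
    return rate


if __name__ == "__main__":
    # Constructed traffic: a busy port sampled 1-in-512 and a quiet one at 1-in-4096.
    traffic = {"Te 1/16": 10_000_000, "Te 1/17": 1_000_000}
    configured = {"Te 1/16": 512, "Te 1/17": 4096}
    rates, n = apply_backoff(traffic, configured, cpu_budget=5000)
    print("back-off doubled %d time(s); effective rates: %s" % (n, rates))
    print("global rate that would have avoided it: 1-in-%d" % rate_to_avoid_backoff(traffic, 5000))
```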
Global extended information enabled: none 0 collectors configured 0 UDP packets exported 0 UDP packets dropped 0 sFlow samples collected 0 sFlow samples dropped due to sub-sampling Important Points to Remember • If the IP source address is learned via IGP, srcAS and srcPeerAS are zero. • The srcAS and srcPeerAS might be zero even though the IP source address is learned via BGP.
52 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
MIBs are hierarchically structured and use object identifiers to address managed objects, but managed objects also have a textual name called an object descriptor. Implementation Information The following describes SNMP implementation information. • The Dell Networking OS supports SNMP version 1 as defined by RFC 1155, 1157, and 1212, SNMP version 2c as defined by RFC 1901, and SNMP version 3 as defined by RFC 2571. • The system supports up to 16 trap receivers.
SNMP version 3 (SNMPv3) is a user-based security model that provides password authentication for user security and encryption for data security and privacy. Three sets of configurations are available for SNMP read/write operations: no password or privacy, password privileges, and password and privacy privileges. You can configure a maximum of 32 users even if they are in different groups. Creating a Community For SNMPv1 and SNMPv2, create a community to enable community-based security on the switch. An SNMPv1 or SNMPv2c community string is sent in cleartext in every request and is the only credential required, so treat it as a password: use a non-default value, grant it read-only access where possible, and prefer SNMPv3 with authentication and privacy for any write access.
snmp-server view view-name oid-tree {included | excluded} NOTE: To give a user read and write view privileges, repeat this step for each privilege type. • Configure the user with an authentication password (password privileges only). CONFIGURATION mode snmp-server user name group-name 3 noauth auth md5 auth-password • Configure an SNMP group (password privileges only). CONFIGURATION mode snmp-server group groupname {oid-tree} auth read name write name • Configure an SNMPv3 view.
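What the agent does with the auth-password given to snmp-server user is defined by the SNMPv3 User-based Security Model (RFC 3414): the password is stretched into a key, and that key is then localized with the agent's own snmpEngineID, so the same password produces a different key on every device and a localized key copied from one device's configuration cannot be replayed against another. The Python below is an added example, not Dell Networking OS code or part of the guide; the only values not constructed here are the RFC 3414 Appendix A test vectors (password "maplesyrup", engine ID 00..02), which it reproduces.

```python
"""SNMPv3 USM key derivation (RFC 3414): password -> Ku -> localized Kul, plus the
HMAC-96 msgAuthenticationParameters. Added example, not Dell Networking OS code."""
import hashlib
import hmac

ONE_MEGABYTE = 1024 * 1024
# usmHMACMD5AuthProtocol and usmHMACSHAAuthProtocol, the two the CLI offers as md5 | sha.
USM_ALGORITHMS = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: str, algorithm: str) -> bytes:
    """Ku: hash the password repeated cyclically to exactly 1,048,576 octets."""
    digest_name = USM_ALGORITHMS[algorithm]
    pw = password.encode("utf-8")
    if len(pw) < 8:
        # RFC 3414 calls for passwords of at least 8 octets; shorter ones are brute-forced offline.
        raise ValueError("USM passwords must be at least 8 characters")
    repeats, remainder = divmod(ONE_MEGABYTE, len(pw))
    return hashlib.new(digest_name, pw * repeats + pw[:remainder]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one agent."""
    return hashlib.new(USM_ALGORITHMS[algorithm], ku + engine_id + ku).digest()


def derive_localized_key(password: str, engine_id: bytes, algorithm: str) -> bytes:
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


def auth_parameters(kul: bytes, whole_message: bytes, algorithm: str) -> bytes:
    """msgAuthenticationParameters: HMAC-MD5-96 / HMAC-SHA-96, the first 12 octets of the HMAC."""
    return hmac.new(kul, whole_message, USM_ALGORITHMS[algorithm]).digest()[:12]


def verify_auth_parameters(kul: bytes, whole_message: bytes, received: bytes, algorithm: str) -> bool:
    return hmac.compare_digest(auth_parameters(kul, whole_message, algorithm), received)


if __name__ == "__main__":
    engine_a = bytes.fromhex("000000000000000000000002")    # RFC 3414 Appendix A engine ID
    engine_b = bytes.fromhex("80001F8880E9BD0F5E3F6A4B")    # constructed second engine ID
    for algo in ("md5", "sha"):
        kul_a = derive_localized_key("maplesyrup", engine_a, algo)
        kul_b = derive_localized_key("maplesyrup", engine_b, algo)
        print(algo, "engine A:", kul_a.hex())
        print(algo, "engine B:", kul_b.hex(), "(same password, different localized key)")
```

Because the agent stores only the localized key, an `encrypted` key string lifted from one switch's running-config is bound to that switch's engine ID; the password itself, however, still unlocks every agent it was used on, which is why it must not be shared across devices of different trust levels.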
Examples of Reading Managed Object Values In the following example, the value “4” displays in the OID before the IP address for IPv4. For an IPv6 IP address, a value of “16” displays. > snmpget -v 2c -c mycommunity 10.11.131.161 sysUpTime.0 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (32852616) 3 days, 19:15:26.16 > snmpget -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1.3.0 The following example shows reading the value of the next managed object. > snmpgetnext -v 2c -c mycommunity 10.11.131.161 .1.
• (From a Dell Networking system) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1). CONFIGURATION mode snmp-server location text You may use up to 55 characters. • The default is None. (From a management station) Identify the system manager along with this person’s contact information (for example, an email address or phone number). CONFIGURATION mode snmpset -v version -c community agent-ip sysContact.
• all — Enter the keyword all to configure the CPU utilization time on all switch CPUs: Control Processor, Route Processor, PE, and line cards. • {{high | low} cpu-utilization-threshold-percentage} — Enter a percentage value to configure the high or low threshold level for the time in which a switch CPU can be used. The percentage of CPU use ranges from 0 to 100.
Parameters • cp — Enter the keyword cp to configure the memory utilization threshold for the Control Processor CPU. • rp — Enter the keyword rp to configure the memory utilization threshold time for the Route Processor CPU. • lp — Enter the keyword lp to configure the line-card processor memory utilization threshold time. The range of switch slot IDs is from 0 to 2. • pe — Enter the keyword pe to configure the memory utilization time for all PEs that are configured in the system.
Subscribing to Managed Object Value Updates using SNMP By default, the system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system. The following sets of traps are supported: • RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighborLoss.
• Enable a subset of SNMP traps. snmp-server enable traps NOTE: The envmon option enables all environment traps including those traps that are enabled with the envmon supply, envmon temperature, and envmon fan options. The following traps are available.
FAN_TRAY_BAD: Major alarm: fantray %d is missing or down FAN_TRAY_OK: Major alarm cleared: fan tray %d present FAN_BAD: Minor alarm: some fans in fan tray %d are down FAN_OK: Minor alarm cleared: all fans in fan tray %d are good vlt Enable VLT traps. vrrp Enable VRRP state change traps xstp %SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority 32768, Address 0001.e801.fc35. %SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port TenGigabitEthernet 11/38 transitioned from Forwarding to Blocking state.
alarm from SNMP OID Copy config traps FILEMGR_COPY_CONFIG_TRAP: Copy-config from running-config to startup-config succeeded RMON traps %SYSTEM-P:CP %SNMP-4-RMON_RISING_THRESHOLD: RMON rising threshold alarm from SNMP OID %SYSTEM-P:CP %SNMP-4-RMON_FALLING_THRESHOLD: RMON falling threshold alarm from SNMP OID %SYSTEM-P:CP %SNMP-4-RMON_HC_RISING_THRESHOLD: RMON high-capacity rising threshold alarm from SNMP OID Enabling an SNMP Agent to Notify Syslog Server Failure You can configure a network device to s
Following is the sample audit log message that other syslog servers that are reachable receive: Oct 21 05:26:04: dv-fedgov-s4810-6: %EVL-6-REACHABLE:Syslog server 10.11.226.121 (port: 9140) is reachable Copy Configuration Files Using SNMP To do the following, use SNMP from a remote client.
MIB Object, OID, Object Values, Description (continued: copyDestFileLocation and copyDestFileName). copyDestFileLocation (.1.3.6.1.4.1.6027.3.5.1.1.1.1.6): 1 = flash, 2 = slot0, 3 = tftp, 4 = ftp, 5 = scp. Specifies the location of the destination file. If copyDestFileLocation is FTP or SCP, you must also specify copyServerAddress, copyUserName, and copyUserPassword. copyDestFileName (.1.3.6.1.4.1.6027.3.5.1.1.1.1.7): path (if the file is not in the default directory) and filename. Specifies the name of the destination file. Note that copyUserPassword travels inside the snmpset request itself: with SNMPv1 or SNMPv2c the server credentials, the community string and the configuration being copied all cross the network in cleartext, so run copy operations over SNMPv3 with privacy where both sides support it, and prefer the scp location over ftp and tftp.
• To complete the command, use as many MIB objects in the command as required by the MIB object descriptions shown in the previous table. NOTE: You can use the entire OID rather than the object name. Use the form: OID.index i object-value. The following snmpset options are used in the examples. • -c: the community string (for example, public or private). • -m: the MIB file(s) to load so that object names can be used instead of numeric OIDs. • -r: the number of retries. • -t: the timeout, in seconds.
Examples of Copying Configuration Files from a UNIX Machine The following example shows copying configuration files from a UNIX machine using the object name. > snmpset -c public -v 2c -m ./f10-copy-config.mib 10.11.131.162 copySrcFileType.7 i 3 copyDestFileType.7 i 2 FTOS-COPY-CONFIG-MIB::copySrcFileType.7 = INTEGER: runningConfig(3) FTOS-COPY-CONFIG-MIB::copyDestFileType.7 = INTEGER: startupConfig(2) The following example shows copying configuration files from a UNIX machine using the OID.
Copy a Binary File to the Startup-Configuration To copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP, use the following command. • Copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.index i 4 copySrcFileName.index s filepath/ filename copyDestFileType.index i 3 copyServerAddress.
MIB Object OID Values Description copy. The state is set to active when the copy is completed. Obtaining a Value for MIB Objects To obtain a value for any of the MIB objects, use the following command. • Get a copy-config MIB object value. snmpget -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address [OID.index | mibobject.index] index: the index value used in the snmpset command that started the copy operation. NOTE: You can use the entire OID rather than the object name.
MIB Object OID Description dellNetFlashPartitionUsed 1.3.6.1.4.1.6027.3.26.1.4.8.1.4 Contains the amount of space used by the files on the partition. dellNetFlashPartitionFree 1.3.6.1.4.1.6027.3.26.1.4.8.1.5 Contains the amount of free space available on the partition. dellNetFlashPartitionMountPoint 1.3.6.1.4.1.6027.3.26.1.4.8.1.6 Symbolic or Alias name for the partition.
MIB Support to Display Egress Queue Statistics Dell Networking OS provides MIB objects to display the information of the packets transmitted or dropped per unicast or multicast egress queue. The following table lists the related MIB objects: Table 96. MIB Objects to display egress queue statistics MIB Object OID Description dellNetFpEgrQTxPacketsRate 1.3.6.1.4.1.6027.3.27.1.20.1.6 Rate of Packets transmitted per Unicast/ Multicast Egress queue. dellNetFpEgrQTxBytesRate 1.3.6.1.4.1.6027.3.27.1.20.1.
INTEGER: 1275078656 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.30.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.70.70.70.0.24.0.0.0.0 = INTEGER: 2097157 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.70.70.70.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.70.70.70.2.32.1.4.70.70.70.2.1.4.70.70.70.2 = INTEGER: 2097157 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.80.80.80.0.24.1.4.10.1.1.1.1.4.10.1.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.0.24.0.0.0.0 = STRING: "CP" SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.1.32.1.4.30.1.1.1.1.4.30.1.1.1 = STRING: "Po 20" SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = STRING: "CP" SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.70.70.70.0.24.0.0.0.0 = STRING: "CP" SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.70.70.70.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = STRING: "CP" SNMPv2-SMI::enterprises.6027.3.
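Rows in the walk output above are indexed by InetAddress-typed fields (RFC 4001 textual conventions): an InetAddressType (1 = IPv4, 2 = IPv6, 0 = unknown/empty), then the address length, which is the 4 or 16 the SNMP section notes before every IP address, then the address octets. The decoder below is an added example, not part of the guide or of Dell's MIBs; the row layout it assumes for this table (a leading integer, a destination, a prefix length and two further addresses) is inferred from the sample output, not taken from the MIB definition, and is labelled as such.

```python
"""Decode InetAddress-typed OID index components (added example, not from the guide)."""
import ipaddress

INET_ADDRESS_TYPE = {0: "unknown", 1: "ipv4", 2: "ipv6", 3: "ipv4z", 4: "ipv6z", 16: "dns"}

# ASSUMED layout for the 6027.3.9.1.5.1.<column>.<index> rows shown above, inferred
# from the sample output: integer, destination, prefix length, two more addresses.
ROUTE_ROW_LAYOUT = ("int", "inet", "int", "inet", "inet")


def decode_inet_address(sub_ids, pos):
    """Return ((type_name, address_or_None), next_pos) for the pair starting at pos."""
    atype, length = sub_ids[pos], sub_ids[pos + 1]
    chunk = sub_ids[pos + 2:pos + 2 + length]
    if len(chunk) != length:
        raise ValueError("truncated InetAddress at sub-identifier %d" % pos)
    raw = bytes(chunk)                                # raises if a sub-id exceeds 255
    if atype == 1 and length == 4:
        addr = str(ipaddress.IPv4Address(raw))
    elif atype == 2 and length == 16:
        addr = str(ipaddress.IPv6Address(raw))
    elif atype == 0 and length == 0:
        addr = None                                   # unknown(0): an empty slot
    else:
        addr = raw.hex()                              # zoned/DNS forms: leave undecoded
    return (INET_ADDRESS_TYPE.get(atype, str(atype)), addr), pos + 2 + length


def encode_inet_address(address: str) -> str:
    """Inverse: '10.11.131.161' -> '1.4.10.11.131.161'; IPv6 -> '2.16.<16 octets>'."""
    ip = ipaddress.ip_address(address)
    atype = 1 if ip.version == 4 else 2
    return ".".join(str(x) for x in (atype, len(ip.packed), *ip.packed))


def decode_index(suffix: str, layout):
    """layout: sequence of 'inet' or 'int' describing the index fields in order."""
    sub_ids = [int(x) for x in suffix.strip(".").split(".")]
    pos, fields = 0, []
    for kind in layout:
        if kind == "inet":
            value, pos = decode_inet_address(sub_ids, pos)
        elif kind == "int":
            value, pos = sub_ids[pos], pos + 1
        else:
            raise ValueError("unknown field kind %r" % kind)
        fields.append(value)
    if pos != len(sub_ids):
        raise ValueError("%d trailing sub-identifiers not covered by layout" % (len(sub_ids) - pos))
    return fields


def split_oid(full_oid: str, entry_prefix: str):
    """Split a walked OID into (column, index_suffix) given the table-entry prefix."""
    if not full_oid.startswith(entry_prefix + "."):
        raise ValueError("OID is not under the expected table entry")
    column, _, suffix = full_oid[len(entry_prefix) + 1:].partition(".")
    return int(column), suffix


if __name__ == "__main__":
    entry = "1.3.6.1.4.1.6027.3.9.1.5.1"
    for oid in ("1.3.6.1.4.1.6027.3.9.1.5.1.10.1.1.4.30.1.1.0.24.0.0.0.0",
                "1.3.6.1.4.1.6027.3.9.1.5.1.8.1.1.4.70.70.70.2.32.1.4.70.70.70.2.1.4.70.70.70.2"):
        column, suffix = split_oid(oid, entry)
        print("column", column, "->", decode_index(suffix, ROUTE_ROW_LAYOUT))
```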
MIB Support for entAliasMappingTable Dell Networking provides a method to map the physical interface to its corresponding ifindex value. The entAliasMappingTable table contains zero or more rows, representing the logical entity mapping and physical component to external MIB identifiers. The following table lists the related MIB objects: Table 98. MIB Objects for entAliasMappingTable MIB Object OID Description entAliasMappingTable 1.3.6.1.2.1.47.1.3.2 Contains information about entAliasMapping table.
SNMP Walk Example Output snmpwalk -v 2c -c public 10.16.151.246 1.3.6.1.4.1.6027.3.27.1.3 | grep 2107012 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.1.2107012 = Counter64: 0 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.2.2107012 = Counter64: 0 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.3.2107012 = Counter64: 0 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.4.2107012 = Counter64: 0 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.5.2107012 = Counter64: 0 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.6.
MIB Object OID Description dot3adAggMACAddress 1.2.840.10006.300.43.1.1.1.1.1 Contains a six octet read–only value carrying the individual MAC address assigned to the Aggregator. dot3adAggActorSystemPriority 1.2.840.10006.300.43.1.1.1.1.2 Contains a two octet read–write value indicating the priority value associated with the Actor’s system ID. dot3adAggActorSystemID 1.2.840.10006.300.43.1.1.1.1.
snmpbulkget -v 2c -c LagMIB 10.16.148.157 1.2.840.10006.300.43.1.1.1.1.1 iso.2.840.10006.300.43.1.1.1.1.1.1258356224 iso.2.840.10006.300.43.1.1.1.1.1.1258356736 iso.2.840.10006.300.43.1.1.1.1.2.1258356224 iso.2.840.10006.300.43.1.1.1.1.2.1258356736 iso.2.840.10006.300.43.1.1.1.1.3.1258356224 iso.2.840.10006.300.43.1.1.1.1.3.1258356736 iso.2.840.10006.300.43.1.1.1.1.4.1258356224 iso.2.840.10006.300.43.1.1.1.1.4.1258356736 iso.2.840.10006.300.43.1.1.1.1.5.1258356224 iso.2.840.10006.300.43.1.1.1.1.5.
Displaying the Ports in a VLAN The system identifies VLAN interfaces using an interface index number that is displayed in the output of the show interface vlan command. Add Tagged and Untagged Ports to a VLAN The value dot1qVlanStaticEgressPorts object is an array of all VLAN members. The dot1qVlanStaticUntaggedPorts object is an array of only untagged VLAN members. All VLAN members that are not in dot1qVlanStaticUntaggedPorts are tagged.
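dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts are Q-BRIDGE-MIB PortList octet strings (RFC 4363): octet 1 covers bridge ports 1 to 8, octet 2 ports 9 to 16, and so on, with the most significant bit of each octet standing for the lowest-numbered port; the bit positions are dot1dBasePort numbers, not ifIndex values. The Python below, an added example that is not part of the guide, decodes and encodes these arrays and derives the tagged set exactly as the text describes (egress members minus untagged members). The sample octet strings are constructed.

```python
"""Q-BRIDGE-MIB PortList handling for VLAN membership (added example, not from the guide)."""


def portlist_to_ports(octets: bytes) -> set:
    """Decode a PortList into the set of bridge port numbers it marks."""
    ports = set()
    for octet_index, value in enumerate(octets):
        for bit in range(8):
            if value & (0x80 >> bit):
                ports.add(octet_index * 8 + bit + 1)
    return ports


def ports_to_portlist(ports, min_octets: int = 0) -> bytes:
    """Encode port numbers into a PortList, padded to at least min_octets."""
    ports = set(ports)
    if any(p < 1 for p in ports):
        raise ValueError("bridge port numbers start at 1")
    size = max(min_octets, (max(ports) + 7) // 8 if ports else 0)
    buf = bytearray(size)
    for p in ports:
        buf[(p - 1) // 8] |= 0x80 >> ((p - 1) % 8)
    return bytes(buf)


def vlan_membership(egress: bytes, untagged: bytes) -> dict:
    """Tagged members are those in the egress set but not in the untagged set."""
    members, untagged_set = portlist_to_ports(egress), portlist_to_ports(untagged)
    if not untagged_set <= members:
        raise ValueError("untagged ports %s are not egress members" % sorted(untagged_set - members))
    return {"tagged": sorted(members - untagged_set), "untagged": sorted(untagged_set)}


def add_members(egress: bytes, untagged: bytes, tagged=(), untagged_new=()):
    """Return the (egress, untagged) PortLists after adding ports. Both strings are
    produced together so the untagged set never exceeds the egress set; a port
    added as tagged is removed from the untagged set if it was there."""
    members = portlist_to_ports(egress) | set(tagged) | set(untagged_new)
    untagged_set = (portlist_to_ports(untagged) | set(untagged_new)) - set(tagged)
    width = max(len(egress), len(untagged))
    return ports_to_portlist(members, width), ports_to_portlist(untagged_set, width)


def snmpset_hex(octets: bytes) -> str:
    """Format for net-snmp's 'x' (hex string) value type, e.g. snmpset ... x 'C0 40'."""
    return " ".join("%02X" % b for b in octets)


if __name__ == "__main__":
    egress, untagged = bytes.fromhex("C040"), bytes.fromhex("4000")   # constructed
    print("current membership:", vlan_membership(egress, untagged))
    egress, untagged = add_members(egress, untagged, tagged=(3,), untagged_new=(12,))
    print("set dot1qVlanStaticEgressPorts   x '%s'" % snmpset_hex(egress))
    print("set dot1qVlanStaticUntaggedPorts x '%s'" % snmpset_hex(untagged))
```

Write the two objects in one snmpset so the agent never sees an untagged set that is not a subset of the egress set.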
Managing Overload on Startup If you are running IS-IS, you can set a specific amount of time to prevent ingress traffic from being received after a reload and allow the routing protocol upgrade process to complete. To prevent ingress traffic on a router while the IS-IS reload is implemented, use the following command. • Set the amount of time after an IS-IS reload is performed before ingress traffic is allowed at startup.
Fetch Dynamic MAC Entries using SNMP Dell Networking supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs. NOTE: The 802.1q Q-BRIDGE MIB defines VLANs with respect to 802.1d, as 802.1d itself does not define them. As a switchport must belong to a VLAN (the default VLAN or a configured VLAN), all MAC addresses learned on a switchport are associated with a VLAN. For this reason, the Q-Bridge MIB is used for MAC address queries.
Example of Fetching MAC Addresses Learned on a Port-Channel Using SNMP Use dot3aCurAggFdbTable to fetch the learned MAC address of a port-channel. The instance number is the decimal conversion of the MAC address concatenated with the port-channel number.
For example, the interface index 51528196 for the FortyGigE 0/4 port is 0000 0011 0001 0010 0100 0010 0000 0100 in binary format, as shown in the following figure. Figure 134. Interface Index Number Assigned to FortyGigE 0/4 Port In this example, if you start from the least significant bit on the right: • The first 14 bits (00001000000100) identify a line card. • The next 4 bits (1001) identify a 40-Gigabit Ethernet interface. • The next 12 bits (000011000100) identify slot 0 and port 4.
dot3aCurAggStatus SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.1 = INTEGER: 1 << Status active, 2 – status inactive Example of Viewing Changed Interface State for Monitored Ports Layer 3 LAG does not include this support. SNMP trap works for the Layer 2 / Layer 3 / default mode LAG. SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500842) 23:36:48.42 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown IF-MIB::ifIndex.33865785 = INTEGER: 33865785 SNMPv2-SMI::enterprises.6027.3.1.1.4.1.
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.7.2106373 = STRING: "0.0" SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.8.2106373 = STRING: "-2.273117" Table 102. SNMP OIDs for Transceiver Monitoring Field (OID) Description SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.1 Device Name SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.2 Port SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.3 Optics Type SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.4 Vendor Name SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.
53 Storm Control Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces. Dell Networking Operating System (OS) Behavior: Dell Networking OS supports unknown-unicast, multicast, and broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic. To view the storm control configuration, use the show storm-control {broadcast | multicast | unknown-unicast | pfc-llfc} [interface] command.
• Configure the packets per second of broadcast traffic allowed on an interface (ingress only). INTERFACE mode storm-control broadcast packets_per_second in • Configure the packets per second of multicast traffic allowed on an interface (ingress only). INTERFACE mode storm-control multicast packets_per_second in • Shut down the port if it receives PFC/LLFC packets at more than the configured rate.
54 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network.
• Enabling Spanning Tree Protocol Globally Related Configuration Tasks • Adding an Interface to the Spanning Tree Group • Modifying Global Parameters • Modifying Interface STP Parameters • Enabling PortFast • Prevent Network Disruptions with BPDU Guard • STP Root Guard • Enabling SNMP Traps for Root Elections and Topology Changes Important Points to Remember • STP is disabled by default. • The Dell Networking OS supports only one spanning tree instance (0).
Configuring Interfaces for Layer 2 Mode All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled. Figure 135. Example of Configuring Interfaces for Layer 2 Mode To configure and enable the interfaces for Layer 2, use the following commands. 1 If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2 Place the interface in Layer 2 mode. INTERFACE mode switchport 3 Enable the interface.
Example of the show config Command To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. Dell(conf-if-te-1/1)#show config ! interface TenGigabitEthernet 1/1 no ip address switchport no shutdown Dell(conf-if-te-1/1)# Enabling Spanning Tree Protocol Globally Enable the spanning tree protocol globally; it is not enabled by default.
no disable Examples of Verifying and Viewing Spanning Tree To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Adding an Interface to the Spanning Tree Group To add a Layer 2 interface to the spanning tree topology, use the following command. • Enable spanning tree on a Layer 2 interface. INTERFACE mode spanning-tree 0 To remove a Layer 2 interface from the spanning tree topology, enter the no spanning-tree 0 command. Modifying Global Parameters You can modify the spanning tree parameters.
• the default is 2 seconds. Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology). PROTOCOL SPANNING TREE mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally.
To enable PortFast on an interface, use the following command. • Enable PortFast on an interface. INTERFACE mode spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] Example of Verifying PortFast is Enabled on an Interface To verify that PortFast is enabled on a port, use the show spanning-tree command from EXEC Privilege mode or the show config command from INTERFACE mode. Dell Networking recommends using the show config command.
Figure 137. Enabling BPDU Guard Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features. BPDU guard: • is used on edgeports and blocks all traffic on edgeport if it receives a BPDU. • drops the BPDU after it reaches the Route Processor and generates a console message.
Dell(conf-if-te-0/7)#do show ip int br te 0/7 Interface IP-Address OK Method Status Protocol TenGigabitEthernet 0/7 unassigned YES Manual up up Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command.
the port on Switch C transitions from a forwarding to a root-inconsistent state (shown by the green X icon). As a result, Switch A becomes the root bridge. Figure 138. STP Root Guard Prevents Bridging Loops Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: • Root guard is supported on any STP-enabled port or port-channel interface.
spanning-tree {0 | mstp | rstp | pvst} rootguard • 0: enables root guard on an STP-enabled port assigned to instance 0. • mstp: enables root guard on an MSTP-enabled port. • rstp: enables root guard on an RSTP-enabled port. • pvst: enables root guard on a PVST-enabled port. To disable STP root guard on a port or port-channel interface, use the no spanning-tree 0 rootguard command in an interface configuration mode.
Figure 139. STP Loop Guard Prevents Forwarding Loops Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis. The following conditions apply to a port enabled with loop guard: • Loop guard is supported on any STP-enabled port or port-channel interface.
• • Enabling Portfast BPDU guard and loop guard at the same time on a port results in a port that remains in a blocking state and prevents traffic from flowing through it. For example, when Portfast BPDU guard and loop guard are both configured: • If a BPDU is received from a remote device, BPDU guard places the port in an Err-Disabled Blocking state and no traffic is forwarded on the port.
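The decisions BPDU guard and root guard make can be followed on the wire format. An 802.1D configuration BPDU is 35 octets, and a bridge ID is the 2-byte priority followed by the 6-byte MAC (the "Priority 32768, Address 0001.e801.fc35" shown in the xstp trap text above), so a numerically lower root ID is a superior root claim; root guard blocks a port that hears a root superior to the expected one, while BPDU guard disables an edge port that hears any BPDU at all. The Python below is an added example, not Dell Networking OS code or part of the guide; the bridge identifiers and BPDUs it builds are constructed.

```python
"""802.1D configuration BPDU parsing with BPDU guard / root guard decisions
(added example, not Dell Networking OS code)."""
import struct
from dataclasses import dataclass

CONFIG_BPDU_FMT = "!HBBBQIQHHHHH"   # protocol id, version, type, flags, root id, cost,
CONFIG_BPDU_LEN = struct.calcsize(CONFIG_BPDU_FMT)  # bridge id, port id, four timers = 35


def bridge_id(priority: int, mac: str) -> int:
    """Compose 'Priority 32768, Address 0001.e801.fc35' into the 64-bit bridge ID."""
    mac_int = int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)
    if not 0 <= priority <= 0xFFFF or mac_int >> 48:
        raise ValueError("priority must fit in 16 bits and the MAC in 48 bits")
    return (priority << 48) | mac_int


@dataclass
class ConfigBPDU:
    flags: int
    root_id: int
    root_path_cost: int
    bridge_id: int
    port_id: int
    message_age: int      # timers are in 1/256 s units on the wire
    max_age: int
    hello_time: int
    forward_delay: int

    def pack(self) -> bytes:
        return struct.pack(CONFIG_BPDU_FMT, 0x0000, 0x00, 0x00, self.flags, self.root_id,
                           self.root_path_cost, self.bridge_id, self.port_id, self.message_age,
                           self.max_age, self.hello_time, self.forward_delay)


def parse_config_bpdu(data: bytes) -> ConfigBPDU:
    if len(data) < CONFIG_BPDU_LEN:
        raise ValueError("BPDU too short: %d octets" % len(data))
    proto, version, bpdu_type, *rest = struct.unpack(CONFIG_BPDU_FMT, data[:CONFIG_BPDU_LEN])
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError("not an 802.1D configuration BPDU (type 0x%02x)" % bpdu_type)
    return ConfigBPDU(*rest)


def port_decision(bpdu: ConfigBPDU, expected_root: int, bpdu_guard: bool, root_guard: bool) -> str:
    """What the guards do with a BPDU heard on this port."""
    if bpdu_guard:
        return "err-disabled"          # an edge port should never hear a BPDU at all
    if root_guard and bpdu.root_id < expected_root:
        return "root-inconsistent"     # superior root claim arriving from the wrong side
    return "normal"                    # hand the BPDU to ordinary spanning-tree processing


if __name__ == "__main__":
    our_root = bridge_id(32768, "0001.e801.fc35")
    rogue = ConfigBPDU(0, bridge_id(4096, "0000.0c00.0001"), 0, bridge_id(4096, "0000.0c00.0001"),
                       0x8001, 0, 20 * 256, 2 * 256, 15 * 256)          # constructed superior claim
    heard = parse_config_bpdu(rogue.pack())
    print("root-guard port:", port_decision(heard, our_root, bpdu_guard=False, root_guard=True))
    print("portfast bpduguard port:", port_decision(heard, our_root, bpdu_guard=True, root_guard=False))
```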
55 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell Networking device. For more information on SmartScripts, see Dell Networking Open Automation guide. Figure 140.
• Configuring SupportAssist Company • Configuring SupportAssist Person • Configuring SupportAssist Server • Viewing SupportAssist Configuration Configuring SupportAssist Using a Configuration Wizard You are guided through a series of queries to configure SupportAssist. The generated commands are added to the running configuration, including the DNS resolve commands, if configured. This command starts the configuration wizard for the SupportAssist. At any time, you can exit by entering Ctrl-C.
services from Dell. You further agree to allow Dell to transmit and store the Collected Data from SupportAssist in accordance with these terms. You agree that the provision of SupportAssist may involve international transfers of data from you to Dell and/or to Dell's affiliates, subcontractors or business partners. When making such transfers, Dell shall ensure appropriate protection is in place to safeguard the Collected Data being transferred in connection with SupportAssist.
enable all Dell(conf)#support-assist Dell(conf-supportassist)#enable all 7 Trigger an activity event immediately. EXEC Privilege mode support-assist activity {full-transfer | core-transfer} start now Dell#support-assist activity full-transfer start now Dell#support-assist activity core-transfer start now Configuring SupportAssist Activity SupportAssist Activity mode allows you to configure and view the action-manifest file for a specific activity.
action-manifest show {all} Dell(conf-supportassist-act-full-transfer)#action-manifest show all custom_file1.json Dell(conf-supportassist-act-full-transfer)# Dell(conf-supportassist-act-event-transfer)#action-manifest show all custom_event_file1.json [installed] Dell(conf-supportassist-act-event-transfer)# 5 Remove the action-manifest file for an activity. SUPPORTASSIST ACTIVITY mode action-manifest remove Dell(conf-supportassist-act-full-transfer)#action-manifest remove custom_file1.
[no] street-address {address1}[address2]…[address8] Dell(conf-supportassist-cmpy-test)#street-address 123 Main Street Dell(conf-supportassist-cmpy-test)# 4 Configure the territory and set the coverage for the company site.
Configuring SupportAssist Server SupportAssist Server mode allows you to configure the server name and the means of reaching the server. By default, a SupportAssist server URL is configured on the device. Configuring a URL to reach the SupportAssist remote server should be done only under the direction of Dell Support. To configure the SupportAssist server, use the following commands. 1 Configure the name of the remote SupportAssist Server and move to SupportAssist Server mode.
Service status: Enabled
Activity         State     Last Start                  Last Success
---------------  --------  --------------------------  --------------------------
core-transfer    Success   Feb 15 2016 09:43:41 IST    Feb 15 2016 09:43:56 IST
event-transfer   Success   Feb 15 2016 09:47:43 IST    Feb 15 2016 09:48:21 IST
full-transfer    Success   Feb 15 2016 09:36:12 IST    Feb 15 2016 09:38:27 IST
Dell#
2 Display the current configuration and changes from the default values.
enable the performance of all of the various functions of SupportAssist during your entitlement to receive related repair services from Dell. You further agree to allow Dell to transmit and store the Collected Data from SupportAssist in accordance with these terms. You agree that the provision of SupportAssist may involve international transfers of data from you to Dell and/or to Dell's affiliates, subcontractors or business partners.
56 System Time and Date System time and date settings are user-configurable and maintained through the network time protocol (NTP). System times and dates are also set in hardware settings using the Dell Networking OS CLI. Topics: • • Network Time Protocol Time and Date Network Time Protocol The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients. The protocol also coordinates time distribution in a large, diverse network with various interfaces.
serve as a client to the NTP host. As soon as a host-client relationship is established, the networking device propagates the time information throughout its local network. Protocol Overview The client sends NTP messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately.
Enabling NTP NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes. To specify multiple servers, enter the command multiple times. You may specify an unlimited number of servers at the expense of CPU resources. • Specify the NTP server to which the Dell Networking system synchronizes.
To view whether NTP is configured on the interface, use the show config command in INTERFACE mode. If ntp disable is not listed in the show config command output, NTP is enabled. (The show config command displays only non-default configuration information.) Configuring a Source IP Address for NTP Packets By default, the source address of NTP packets is the IP address of the interface used to reach the network. You can configure one interface’s IP address to be included in all NTP packets.
• key: enter a text string. This text string is encrypted. 3 Define a trusted key. CONFIGURATION mode ntp trusted-key number Configure a number from 1 to 4294967295. The number must be the same as the number used in the ntp authentication-key command. 4 Configure an NTP server.
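The key number shared by ntp authentication-key and ntp trusted-key is the 32-bit key identifier that NTP puts on the wire (hence the 1 to 4294967295 range): the MAC appended to an NTP packet is that identifier followed by MD5 computed over the key and the NTP header (RFC 5905, legacy MD5 authentication), and a receiver accepts the packet only if the identifier is one of its trusted keys and the recomputed digest matches. The Python below is an added example, not Dell Networking OS code or part of the guide; the key, key identifiers and timestamps are constructed.

```python
"""NTP symmetric-key authentication (RFC 5905 legacy MD5 MAC).
Added example, not Dell Networking OS code."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
MD5_LEN = 16


def ntp_md5_mac(key: bytes, message: bytes) -> bytes:
    """Legacy NTP MAC: MD5 over the key followed by the message (not an HMAC)."""
    return hashlib.md5(key + message).digest()


def build_client_request(transmit_ts: int) -> bytes:
    """48-byte NTPv4 client packet: LI=0, VN=4, Mode=3, only the transmit timestamp set."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (0 << 6) | (4 << 3) | 3
    struct.pack_into("!Q", header, 40, transmit_ts)
    return bytes(header)


def authenticate(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append key identifier and digest; the digest covers everything before the MAC."""
    if not 1 <= key_id <= 0xFFFFFFFF:
        raise ValueError("key identifier must be a non-zero 32-bit number")
    return packet + struct.pack("!I", key_id) + ntp_md5_mac(key, packet)


def verify(packet: bytes, trusted_keys: dict) -> tuple:
    """Return (accepted, reason). trusted_keys maps key_id -> key, i.e. the keys from
    ntp authentication-key that are also listed with ntp trusted-key."""
    mac_len = KEY_ID_LEN + MD5_LEN
    if len(packet) < NTP_HEADER_LEN + mac_len:
        return False, "no MAC present"
    body, key_id_bytes, digest = packet[:-mac_len], packet[-mac_len:-MD5_LEN], packet[-MD5_LEN:]
    key_id = struct.unpack("!I", key_id_bytes)[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "key id %d is not a trusted key" % key_id
    if not hmac.compare_digest(ntp_md5_mac(key, body), digest):
        return False, "digest mismatch"
    return True, "authenticated with key id %d" % key_id


if __name__ == "__main__":
    trusted = {1: b"constructed-shared-secret"}          # constructed key material
    request = authenticate(build_client_request(0xE3B1D2A000000000), 1, trusted[1])
    print(verify(request, trusted))
    forged = bytes([request[0] ^ 0x01]) + request[1:]     # one flipped header bit
    print(verify(forged, trusted))
    print(verify(authenticate(build_client_request(1), 2, trusted[1]), trusted))   # untrusted id
```

This scheme authenticates the server to the client but does not encrypt anything and provides no replay protection beyond NTP's own timestamp checks; it stops a spoofed server from stepping the clock, which matters for log correlation and certificate validity, but the key must be distributed out of band.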
version - NTP version 3 leap NOTE: • Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
• Setting Recurring Daylight Saving Time Setting the Time and Date for the Switch Software Clock You can change the order of the month and day parameters to enter the time and date as time day month year. You cannot delete the software clock. The software clock runs only when the software is up. The clock restarts, based on the hardware clock, when the switch reboots. To set the software clock, use the following command. • Set the system software clock to the current time and date.
Set Daylight Saving Time The system supports setting the system to daylight saving time once or on a recurring basis every year. Setting Daylight Saving Time Once Set a date (and time zone) on which to convert the switch to daylight saving time on a one-time basis. To set the clock for daylight savings time once, use the following command. • Set the clock to the appropriate timezone and daylight saving time.
• time-zone: Enter the three-letter name for the time zone. This name displays in the show clock output. • start-week: (OPTIONAL) Enter one of the following as the week that daylight saving begins and then enter values for startday through end-time: • week-number: Enter a number from 1 to 4 as the number of the week in the month to start daylight saving time. • first: Enter the keyword first to start daylight saving time in the first week of the month.
Configuring a Custom-defined Period for NTP time Synchronization You can configure the system to send an audit log message to a syslog server if the time difference from the NTP server is greater than a threshold value (offset-threshold). However, time synchronization still occurs. To configure the offset-threshold, follow this procedure. • Specify the threshold time interval before which the system generates an NTP audit log message if the system time deviates from the NTP server.
57 Tunneling Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, path MTU transmission, and fragmented packets are not supported.
interface Tunnel 2
 no ip address
 ipv6 address 2::1/64
 tunnel destination 90.1.1.1
 tunnel source 60.1.1.1
 tunnel mode ipv6ip
 no shutdown
The following sample configuration shows a tunnel configured in IPv6 mode (an IPv6 tunnel that carries IPv4 and IPv6 traffic):
Dell(conf)#interface tunnel 3
Dell(conf-if-tu-3)#tunnel source 5::5
Dell(conf-if-tu-3)#tunnel destination 8::9
Dell(conf-if-tu-3)#tunnel mode ipv6
Dell(conf-if-tu-3)#ip address 3.1.1.
Configuring Tunnel allow-remote Decapsulation You can configure an IPv4 or IPv6 address or prefix whose tunneled packets are accepted for decapsulation. • If no allow-remote entries are configured, tunneled packets from any remote peer address are accepted, which means any host that can reach the tunnel source address can inject traffic through the tunnel; configure allow-remote entries on receive-only tunnels that terminate traffic from networks you do not control. • Up to eight allow-remote entries can be configured on any particular multipoint receive-only tunnel. The following sample configuration shows how to configure a tunnel allow-remote address.
Guidelines for Configuring Multipoint Receive-Only Tunnels • You can configure up to eight remote end-points for a multipoint receive-only tunnel. The maximum number of remote end-points supported for all multipoint receive-only tunnels on the switch depends on the hardware table size to setup termination. • The IP MTU configured on the physical interface determines how multiple nested encapsulated packets are handled in a multipoint receive-only tunnel.
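The following Python is an added example, not Dell Networking OS code or part of the guide, that works through the receive-only tunnel behaviour described in the two sections above: it parses the outer IPv4 header of an IP-in-IP (protocol 4) or IPv6-in-IPv4 (protocol 41) packet addressed to the tunnel source, applies the allow-remote check (an empty list accepts any peer, as the guide states; at most eight entries), and hands back the inner packet. The tunnel addresses reuse the guide's tunnel 2 example; the packets and the rogue peer address are constructed.

```python
"""Receive-only tunnel decapsulation gated by allow-remote (added example, not Dell code)."""
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_IPV6 = 4, 41
MAX_ALLOW_REMOTE = 8          # the guide's limit per multipoint receive-only tunnel


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 for a header whose checksum field is already right."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum (used to construct test packets)."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


class ReceiveOnlyTunnel:
    def __init__(self, source: str, allow_remote=()):
        if len(allow_remote) > MAX_ALLOW_REMOTE:
            raise ValueError("at most %d allow-remote entries per tunnel" % MAX_ALLOW_REMOTE)
        self.source = ipaddress.ip_address(source)         # 'tunnel source': our decapsulation address
        self.allow_remote = [ipaddress.ip_network(p, strict=False) for p in allow_remote]

    def remote_allowed(self, peer) -> bool:
        """No entries: accept anyone (the guide's default). Otherwise the peer must match a prefix."""
        peer = ipaddress.ip_address(peer)
        if not self.allow_remote:
            return True
        return any(peer in net for net in self.allow_remote if net.version == peer.version)

    def decapsulate(self, outer: bytes):
        """Return (inner_packet, reason); inner_packet is None when the packet is dropped."""
        if len(outer) < 20 or outer[0] >> 4 != 4:
            return None, "not IPv4"
        ihl = (outer[0] & 0x0F) * 4
        total_len, = struct.unpack("!H", outer[2:4])
        if ihl < 20 or total_len > len(outer) or total_len < ihl:
            return None, "bad lengths"
        if ipv4_checksum(outer[:ihl]) != 0:
            return None, "bad header checksum"
        proto = outer[9]
        src, dst = ipaddress.IPv4Address(outer[12:16]), ipaddress.IPv4Address(outer[16:20])
        if dst != self.source:
            return None, "not addressed to tunnel source"
        if proto not in (IPPROTO_IPIP, IPPROTO_IPV6):
            return None, "protocol %d is not a tunnel payload" % proto
        if not self.remote_allowed(src):
            return None, "dropped: %s not in allow-remote" % src
        family = "IPv4" if proto == IPPROTO_IPIP else "IPv6"
        return outer[ihl:total_len], "decapsulated %s from %s" % (family, src)


if __name__ == "__main__":
    inner = build_ipv4_header("10.0.0.1", "10.0.0.2", 17, 4) + b"data"        # constructed payload
    tunnel = ReceiveOnlyTunnel("60.1.1.1", allow_remote=["90.1.1.0/24"])
    for peer in ("90.1.1.1", "203.0.113.9"):                                   # second one is a rogue peer
        outer = build_ipv4_header(peer, "60.1.1.1", IPPROTO_IPIP, len(inner)) + inner
        print(peer, "->", tunnel.decapsulate(outer)[1])
    print("no allow-remote ->", ReceiveOnlyTunnel("60.1.1.1").decapsulate(outer)[1])
```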
58 Upgrade Procedures For detailed upgrade procedures, refer to the Dell Networking OS Release Notes for your switch. The release notes describe the requirements and steps to follow to upgrade to a desired OS version. Upgrade Overview To upgrade system software on the switch, follow these general steps: 1 Identify the boot and system images currently stored on the switch (Control Processor, Route Processor, and line-card CPUs) using the show boot system all command.
59 Uplink Failure Detection (UFD) Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. Feature Description A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 142. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 143. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. This number is configurable and is calculated as the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with a UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
To revert to the default setting, use the no downstream disable links command. 4 (Optional) Enable auto-recovery so that UFD-disabled downstream ports in the uplink-state group come up when a disabled upstream port in the group comes back up. UPLINK-STATE-GROUP mode downstream auto-recover By default, auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command. 5 (Optional) Enter a text description of the uplink-state group.
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/4
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/8
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/12
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN:
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN:
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN:
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN:
02:37:29: %SYSTEM-P:CP %IFMGR-5-ASTATE_DN:
02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN:
02:37:29 : UFD: Group:3, UplinkState: DOWN
02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN:
02:37:29: %SYSTEM-P:CP %IF
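The following Python script is an added example, not part of the Dell guide, showing how a monitoring system could parse the UFD and interface-state syslog lines above to confirm which ports changed state with each uplink-state group transition and which groups have not recovered. The log lines embedded in it are constructed to match the message formats shown above; the %IFMGR-5-OSTATE_UP message used for the recovery case, the second group, and the port numbers are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample log in the format the guide shows for a UFD event. The
# OSTATE_UP recovery messages, group 5 and the port numbers are assumed, not
# taken from the guide.
SAMPLE_LOG = """\
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/4
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/8
02:37:29: %SYSTEM-P:CP %IFMGR-5-ASTATE_DN: 1/1
02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/1
02:37:29 : UFD: Group:3, UplinkState: DOWN
02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/12
02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/16
02:40:02: %SYSTEM-P:CP %IFMGR-5-OSTATE_UP: 1/1
02:40:02 : UFD: Group:3, UplinkState: UP
02:40:02: %SYSTEM-P:CP %IFMGR-5-OSTATE_UP: 1/12
02:40:02: %SYSTEM-P:CP %IFMGR-5-OSTATE_UP: 1/16
02:41:10: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/2
02:41:10 : UFD: Group:5, UplinkState: DOWN
02:41:10: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/20
"""


@dataclass
class UfdEvent:
    timestamp: str
    group: int
    state: str  # "UP" or "DOWN"
    # Ports whose operational state changed in the same direction in the same
    # second: the upstream port that triggered the group plus the downstream
    # ports UFD disabled or re-enabled (the log alone does not label which is which).
    interfaces: List[str] = field(default_factory=list)


# "02:37:29 : UFD: Group:3, UplinkState: DOWN"
_UFD_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\s*:\s*UFD: Group:(?P<group>\d+), UplinkState: (?P<state>UP|DOWN)\s*$"
)
# "02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/4"  (A = admin state, O = operational state)
_IF_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d):\s+%\S+\s+%IFMGR-5-(?P<kind>[AO])STATE_(?P<dir>DN|UP):\s*(?P<iface>\S+)\s*$"
)


def parse_ufd_events(log: str) -> List[UfdEvent]:
    """Return every uplink-state group transition with the ports that moved with it."""
    per_second: Dict[str, List[Tuple[str, str]]] = {}
    events: List[UfdEvent] = []
    for line in log.splitlines():
        m = _UFD_RE.match(line)
        if m:
            events.append(UfdEvent(m["ts"], int(m["group"]), m["state"]))
            continue
        m = _IF_RE.match(line)
        # Only operational-state messages matter; ASTATE lines are admin changes.
        if m and m["kind"] == "O":
            per_second.setdefault(m["ts"], []).append((m["dir"], m["iface"]))
    for ev in events:
        wanted = "DN" if ev.state == "DOWN" else "UP"
        ev.interfaces = [iface for d, iface in per_second.get(ev.timestamp, []) if d == wanted]
    return events


def unrecovered_groups(events: List[UfdEvent]) -> List[int]:
    """Groups whose most recent transition is DOWN, i.e. auto-recovery has not fired yet."""
    last_state: Dict[int, str] = {}
    for ev in events:
        last_state[ev.group] = ev.state
    return sorted(g for g, s in last_state.items() if s == "DOWN")


if __name__ == "__main__":
    for ev in parse_ufd_events(SAMPLE_LOG):
        print(f"{ev.timestamp} group {ev.group} {ev.state}: {', '.join(ev.interfaces)}")
    print("still down:", unrecovered_groups(parse_ufd_events(SAMPLE_LOG)))
```

Grouping by the one-second timestamp is what makes the correlation possible on this log format; a group that stays in the unrecovered list after the configured auto-recovery behaviour should have fired is the condition worth alerting on.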
(For UPLINK-STATE-GROUP mode) show configuration • group-id: The values are from 1 to 16. Examples of Viewing Uplink State Group Status The following example shows viewing the uplink state group status for an S50 system.
0 packets, 0 bytes, 0 underruns 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 throttles, 0 discarded, 0 collisions Rate info (interval 299 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.
Dell(conf-uplink-state-group-3)#exit
Dell(conf)#exit
Dell#
00:13:06: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console by console
Dell# show running-config uplink-state-group
!
uplink-state-group 3
 description Testing UFD feature
 downstream disable links 2
 downstream TengigabitEthernet 0/1-2,5,9,11-12
 upstream TengigabitEthernet 0/3-4
Dell# show uplink-state-group 3
Uplink State Group: 3 Status: Enabled, Up
Dell# show uplink-state-group detail
(Up): Interface up (Dwn): Interface down (Dis): Interface
60 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
By default, VLAN 1 is the Default VLAN. To change that designation, use the default vlan-id command in CONFIGURATION mode. You cannot delete the Default VLAN. NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN. • Untagged interfaces must be part of a VLAN.
Figure 144. Tagged Frame Format The tag header contains some key information that the system uses: • The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes). • Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved. NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes as specified in the IEEE 802.3 standard.
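As an added example that is not part of the Dell guide, the following Python code parses the tag header described above out of a raw Ethernet frame and applies the checks a receiver would want before trusting the VLAN ID: the two reserved VLAN ID values are flagged, stacked tags are reported, and the growth of the maximum frame size beyond 1,518 bytes is computed. The 0x88A8 outer TPID used for the stacked case, the MAC addresses and the payloads are assumptions and constructed test data.

```python
import struct
from dataclasses import dataclass
from typing import List

TPID_8021Q = 0x8100        # VLAN protocol identifier of the 802.1Q tag header
TPID_8021AD = 0x88A8       # outer (service) tag of stacked frames; assumed for the QinQ case
RESERVED_VIDS = {0, 4095}  # the two reserved values out of the 4,096 possible VLAN IDs
MAX_UNTAGGED_FRAME = 1518  # IEEE 802.3 maximum before a 4-byte tag header is inserted


@dataclass(frozen=True)
class VlanTag:
    tpid: int
    pcp: int  # priority code point, 3 bits of the TCI
    dei: int  # drop eligible indicator, 1 bit of the TCI
    vid: int  # VLAN identifier, 12 bits of the TCI


@dataclass
class ParsedFrame:
    dst: str
    src: str
    tags: List[VlanTag]  # outermost first
    ethertype: int
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk the Ethernet header and peel off every 802.1Q/802.1ad tag header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    tags: List[VlanTag] = []
    off = 12  # position of the first EtherType/TPID field after the two MAC addresses
    while True:
        if len(frame) < off + 2:
            raise ValueError("frame truncated before EtherType")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < off + 4:
            raise ValueError("frame truncated inside a VLAN tag header")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append(VlanTag(tpid=etype, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF))
        off += 4
    return ParsedFrame(_mac(frame[:6]), _mac(frame[6:12]), tags, etype, frame[off + 2:])


def tag_problems(parsed: ParsedFrame) -> List[str]:
    """Checks applied before acting on the VLAN ID carried in the tag header."""
    problems: List[str] = []
    for i, tag in enumerate(parsed.tags):
        if tag.vid == 0:
            problems.append(f"tag {i}: VID 0 is priority-tagged, not a VLAN membership")
        elif tag.vid == 4095:
            problems.append(f"tag {i}: VID 4095 is reserved")
    if len(parsed.tags) > 1:
        problems.append(f"{len(parsed.tags)} stacked tags: accept only on ports configured for VLAN stacking")
    return problems


def max_frame_size(parsed: ParsedFrame) -> int:
    """Each inserted tag header grows the 802.3 maximum by 4 bytes (1,518 -> 1,522 for one tag)."""
    return MAX_UNTAGGED_FRAME + 4 * len(parsed.tags)


def build_frame(dst: str, src: str, payload: bytes, vids=(), pcp: int = 0,
                outer_tpid: int = TPID_8021Q, ethertype: int = 0x0800) -> bytes:
    """Constructs a test frame; tags are emitted outermost first."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for i, vid in enumerate(vids):
        tpid = outer_tpid if (i == 0 and len(vids) > 1) else TPID_8021Q
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:01:e8:8a:d6:56", b"\x00" * 46, vids=(100,), pcp=5)
    p = parse_frame(f)
    print(p.tags, hex(p.ethertype), max_frame_size(p), tag_problems(p))
```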
NOTE: You cannot assign an IP address to the Default VLAN (VLAN 1). To assign another VLAN ID to the Default VLAN, use the default vlan-id vlan-id command. You can place VLANs and other logical interfaces in Layer 3 mode to receive and send routed traffic. For more information, refer to Bulk Configuration. To assign an IP address, use the following command. • Configure an IP address and mask on the interface.
Creating a Port-Based VLAN To configure a port-based VLAN, create the VLAN and then add physical interfaces or port channel (LAG) interfaces to the VLAN. NOTE: The Default VLAN (VLAN 1) is part of the system startup configuration and does not require configuration. A VLAN is active only if the VLAN contains interfaces and those interfaces are operationally up. As shown in the following example, VLAN 1 is inactive because it does not contain any interfaces.
To tag frames leaving an interface in Layer 2 mode, assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use the following commands. 1 Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface. CONFIGURATION mode interface vlan vlan-id 2 Enable an interface to include the IEEE 802.1Q tag header.
Moving Untagged Interfaces To move untagged interfaces from the Default VLAN to another VLAN, use the following commands. 1 Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface. CONFIGURATION mode interface vlan vlan-id 2 Configure an interface as untagged. INTERFACE mode untagged interface This command is available only in VLAN interfaces.
61 VLT Proxy Gateway The Virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a L3 end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration.
Figure 145. VLT Proxy Gateway — Topology 1 Guidelines for Enabling the VLT Proxy Gateway Keep the following points in mind when you enable this functionality: 1 The proxy gateway is supported only for VLT; for example, across VLT domains.
8 If the port-channel specified in the proxy-gateway command is not a VLT LAG, the configuration is rejected by the CLI. The VLT LAG cannot be configured as a legacy LAG when it is part of a proxy-gateway.
9 You cannot change the LLDP port channel interface to a legacy LAG when you enable the proxy gateway.
10 Dell recommends using the vlt-peer-mac transmit command only for square VLTs without diagonal links.
11 VRRP and IPv6 routing are not supported.
12 Private VLANs (PVLANs) are not supported.
The LLDP organizational TLV passes local destination MAC address information to peer VLT domain devices so they can act as the proxy gateway.
Sample Scenario for VLT Proxy Gateway Figure 146. VLT Proxy Gateway — Topology 2 1 The above figure (Topology 2) shows a sample VLT Proxy gateway scenario. There are no diagonal links in the square VLT connection between the C and D in VLT domain 1 and C1 and D1 in the VLT domain 2. This undergoes sub-optimal routing with the VLT Proxy Gateway LLDP method.
4 You can disable the VLT Proxy Gateway for a particular VLAN using an "Exclude-VLAN" configuration. The configuration has to be done in both the VLT domains [C and D in VLT domain 1 and C1 and D1 in VLT domain 2].
3 You can configure the port channel interface for an LLDP proxy gateway and exclude a VLAN or a range of VLANs from proxy routing. This parameter is for an LLDP proxy gateway configuration. VLT DOMAIN PROXY GW LLDP mode Dell(conf-vlt-domain-proxy-gw-lldp)#peer-domain-link port-channel interface exclude-vlan vlan-range 4 Display the VLT proxy gateway configuration.
62 Virtual Routing and Forwarding (VRF) Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time. VRF Overview VRF improves functionality by allowing network paths to be segmented without using multiple devices.
Figure 147. VRF Network Example VRF Configuration Notes Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
NOTE: To configure a router ID in a non-default VRF, configure at least one IP address in both the default as well as the non-default VRF.
Table 105. Features Supported in VRF
Feature/Capability | Support Status for Default VRF | Support Status for Non-default VRF
Configuration rollback for commands introduced or modified | Yes | No
LLDP protocol on the port | Yes | No
802.
Feature/Capability | Support Status for Default VRF | Support Status for Non-default VRF
Layer 2 ACLs on VLANs | Yes | No
FEED | Yes | No
Layer 2 QoS | Yes | Yes
Support for storm-control (broadcast and unknown-unicast) | Yes | No
sFlow | Yes | No
VRRP on physical and logical interfaces | Yes | Yes
Secondary IP Addresses | Yes | No
Following IPv6 capabilities No
  Basic | Yes | No
  OSPFv3 | Yes | No
  ISIS | Yes | No
  BGP | Yes | No
  ACL | Yes | Yes
  Multicast | Yes | No
  NDP | Yes | No
  RAD | Yes | No
Ingress/Egress Storm-Control
Table 106. Load VRF CAM
Step | Task | Command Syntax | Command Mode
1 | Load CAM memory for the VRF feature. | feature vrf | CONFIGURATION
After you load VRF CAM, CLI parameters that allow you to configure non-default VRFs are made available on the system.
Creating a Non-Default VRF Instance VRF is enabled by default on the switch and supports up to 512 VRF instances: 1 to 512 and the default VRF (0).
Table 107.
Task | Command Syntax | Command Mode
Assign an IPv4 address to the interface. | ip address 10.1.1.1/24 | INTERFACE CONFIGURATION
Assign an IPv6 address to the interface. | ipv6 address 1::1 | INTERFACE CONFIGURATION
NOTE: You can assign either an IPv4 or an IPv6 address but not both.
NOTE: You can also auto configure an IPv6 address using the ipv6 address autoconfig command.
View VRF Instance Information To display information about VRF configuration, enter the show ip vrf command.
Table 110.
Table 112. VRRP on VRF Task Command Syntax Command Mode Create VRF ip vrf vrf1 CONFIGURATION Assign the VRF to an interface ip vrf forwarding vrf1 Assign an IP address to the interface VRF CONFIGURATION ip address 10.1.1.1 /24 no shutdown Configure the VRRP group and vrrp-group 10 virtual-address 10.1.1.100 virtual IP address show config ----------------------------! interface TenGigabitEthernet 0/13 ip vrf forwarding vrf1 ip address 10.1.1.1/24 ! vrrp-group 10 virtual-address 10.1.1.
• ipv6 nd max-ra-interval — Set IPv6 Max Router Advertisement Interval
• ipv6 nd mtu — Configure MTU advertisements in RA packets
• ipv6 nd other-config-flag — Hosts should use DHCP for non-address config
• ipv6 nd prefix — Configure IPv6 Routing Prefix Advertisement
• ipv6 nd ra-guard — Configure IPv6 ra-guard
• ipv6 nd ra-lifetime — Set IPv6 Router Advertisement Lifetime
• ipv6 nd reachable-time — Set advertised reachability time
• ipv6 nd retrans-timer — Set NS retransmit interval used and
This command indicates that packets that are destined to x.x.x.x/s.s.s.s are reachable through nh.nh.nh.nh in the default VRF table. That is, the routes to x.x.x.x/s.s.s.s are leaked from the default VRF routing table into the non-default VRF routing table. The following example illustrates how route leaking between two VRFs can be performed:
interface TenGigabitEthernet 0/9
 ip vrf forwarding VRF1
 ip address 120.0.0.1/24
interface TenGigabitEthernet 0/10
 ip vrf forwarding VRF2
 ip address 140.0.0.
Figure 149. Setup VRF Interfaces The following example relates to the configuration shown in the above illustrations. Router 1 Router 2 The following shows the output of the show commands on Router 1. Router 1 The following shows the output of the show commands on Router 2.
Previous FTOS releases support static route leaking, which enables route leaking through static commands. Dynamic Route Leaking, introduced in the 9.7(0.0) release, enables a source VRF to share both its connected routes as well as dynamically learnt routes from various protocols, such as ISIS, OSPF, BGP, and so on, with other default or non-default VRFs. You can also leak global routes to be made available to VRFs.
4 Configure the export target in the source VRF with route-map export_ospfbgp_protocol.
ip route-export 1:1 export_ospfbgp_protocol
5 Configure VRF-blue.
ip vrf vrf-blue
interface-type slot/port
ip vrf forwarding VRF-blue
ip address ip-address mask
A non-default VRF named VRF-blue is created and the interface 1/22 is assigned to it.
6 Define the route-map import_ospf_protocol.
Dell(config)route-map import_ospf_protocol permit 10
7 Define the matching criteria for importing routes into VRF-blue.
you use) to various other VRFs. The destinations or target VRFs then import these IPv4 or IPv6 routes using the ip route-import tag or the ipv6 route-import tag command respectively. NOTE: In Dell Networking OS, you can configure at most one route-export per VRF as only one set of routes can be exposed for leaking. However, you can configure multiple route-import targets because a VRF can accept routes from multiple VRFs.
ip route-import ip route-import 2:2 3:3
Show routing tables of all the VRFs (without any route-export and route-import tags being configured).
Show routing tables of VRFs (after route-export and route-import tags are configured).
Important Points to Remember
• If the target VRF contains the same prefix as either a sourced or leaked route from some other VRF, then route leaking for that particular prefix fails and the following error log is thrown.
63 Virtual Link Trunking (VLT) Virtual link trunking (VLT) is supported on Dell Networking OS. Overview In a traditional switched topology as shown below, spanning tree protocols (STPs) are used to block one or more links to prevent loops in the network. Although loops are prevented, bandwidth of all links is not effectively utilized by the connected devices. Figure 150. Traditional switched topology VLT not only overcomes this caveat, but also provides a multipath to the connected devices.
Figure 151. VLT providing multipath VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches and supporting a loop-free topology. To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol. After VLT is established, you may use rapid spanning tree protocol (RSTP) to prevent loops from forming with new links that are incorrectly connected and outside the VLT domain.
Figure 152. Example of VLT Deployment VLT offers the following benefits:
• Allows a single device to use a LAG across two upstream devices.
• Eliminates STP-blocked ports.
• Provides a loop-free topology.
• Uses all available uplink bandwidth.
• Provides fast convergence if either the link or a device fails.
• Optimized forwarding with virtual router redundancy protocol (VRRP).
• Provides link-level resiliency.
• Assures high availability.
• Active-Active load sharing with VRRP.
VLT on Core Switches You can also deploy VLT on core switches. Uplinks from servers to the access layer and from the access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This setup requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and from access to aggregation are in Active-Active Load Sharing mode.
• If the DHCP server is located on the ToR and the VLTi (ICL) is down due to a failed link when a VLT node is rebooted in BMP mode, the node is not able to reach the DHCP server, resulting in BMP failure.
• If the source is connected to an orphan (non-spanned, non-VLT) port in a VLT peer, the receiver is connected to a VLT (spanned) port-channel, and the VLT port-channel link between the VLT peer connected to the source and the ToR is down, traffic is duplicated due to route inconsistency between peers.
• Unknown, multicast, and broadcast traffic can be flooded across the VLT interconnect. • MAC addresses for VLANs configured across VLT peer chassis are synchronized over the VLT interconnect on an egress port such as a VLT LAG. MAC addresses are the same on both VLT peer nodes. • ARP entries configured across the VLTi are the same on both VLT peer nodes.
• Software features supported on VLT port-channels
• In a VLT domain, the following software features are supported on VLT port-channels: 802.1p, ingress and egress ACLs, BGP, DHCP relay, IS-IS, OSPF, active-active PIM-SM, PIM-SSM, VRRP, Layer 3 VLANs, LLDP, flow control, port monitoring, jumbo frames, IGMP snooping, sFlow, and Layer 2 control protocols (RSTP only). NOTE: PVST+ passthrough is supported in a VLT domain. PVST+ BPDUs do not result in an interface shutdown.
• If the primary chassis fails, the secondary chassis takes on the operational role of the primary.
• The SNMP MIB reports VLT statistics.
Primary and Secondary VLT Peers Primary and secondary VLT peers are supported to prevent issues when connectivity between peers is lost on the switch. You can elect or configure the Primary Peer. By default, the peer with the lowest MAC address is selected as the Primary Peer. You can configure another peer as the Primary Peer using the VLT primary-priority command.
VLT and High Availability High availability (HA) support on VLT ensures seamless and uninterrupted flow of VLT features during RPM failure (failover). When RPM failover happens, the new active RPM triggers a new VLT registration to its VLT peer. It ensures that the VLT node with new active RPM receives all the VLT information from its VLT peer.
This delay in bringing up the VLT ports also applies when the VLTi link recovers from a failure that caused the VLT ports on the secondary VLT peer node to be disabled. PIM-Sparse Mode Support on VLT The designated router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources. Figure 153.
On a VLT-enabled PIM router, if any PIM neighbor is reachable through a Spanned Layer 3 (L3) VLAN interface, this must be the only PIM-enabled interface to reach that neighbor. A Spanned L3 VLAN is any L3 VLAN configured on both peers in a VLT domain. This does not apply to server-side L2 VLT ports because they do not connect to any PIM routers. These VLT ports can be members of multiple PIM-enabled L3 VLANs for compatibility with IGMP.
VLT unicast, VLAN configuration must be symmetrical on both peers. You cannot configure the same VLAN as Layer 2 on one node and as Layer 3 on the other node. Configuration mismatches are logged in the syslog and displayed in the show vlt mismatch command output. If you enable VLT unicast routing, the following actions occur:
• L3 routing is enabled on any new IP or IPv6 address configured for a VLAN interface that is up.
• L3 routing is enabled on any VLAN with an admin state of up.
• You can only use one spanned VLAN from a PIM-enabled VLT node to an external neighboring PIM router. If you connect multiple spanned VLANs to a PIM neighbor, or if both spanned and non-spanned VLANs can access the PIM neighbor, ECMP can cause the PIM protocol running on each VLT peer node to choose a different VLAN or IP route to reach the PIM neighbor. This can result in issues with multicast route syncing between peers.
BPDUs use the MAC address of the primary VLT peer as the RSTP bridge ID in the designated bridge ID field. The primary VLT peer sends these BPDUs on VLT interfaces connected to access devices. The MAC address for a VLT domain is automatically selected on the peer switches when you create the domain (refer to Enabling VLT and Creating a VLT Domain). Configure both ends of the VLT interconnect trunk with identical RSTP configurations.
Configuring VLT VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches. To configure VLT, use the following procedure. Prerequisites: Before you begin, make sure that both VLT peer switches are running the same Dell Networking OS version and are configured for RSTP as described in RSTP Configuration.
Enabling VLT and Creating a VLT Domain To enable VLT and create a VLT domain: 1 Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode. CONFIGURATION mode vlt domain domain-id The domain ID range is from 1 to 1000. Configure the same domain ID on the peer switch to allow for common peering. VLT uses the domain ID to automatically create a VLT MAC address for the domain.
Configuring a VLT Backup Link To configure a VLT backup link, use the following command. 1 Specify the management interface to be used for the backup link through an out-of-band management network. CONFIGURATION mode interface managementethernet slot/port Enter the slot (0-1) and the port (0). 2 Configure an IPv4 address (A.B.C.D) or IPv6 address (X:X:X:X::X) and mask (/x) on the interface.
Reconfiguring the Default VLT Settings (Optional) To reconfigure the default VLT settings, use the following commands. 1 Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 2 (Optional) When you create a VLT domain on a switch, the system automatically creates a VLT-system MAC address used for internal system operations.
3 Place the interface in Layer 2 mode. INTERFACE PORT-CHANNEL mode switchport
4 Add one or more port interfaces to the port channel. INTERFACE PORT-CHANNEL mode channel-member interface
interface: specify one of the following interface types:
• 1-Gigabit Ethernet: enter gigabitethernet slot/port.
• 10-Gigabit Ethernet: enter tengigabitethernet slot/port.
• 40-Gigabit Ethernet: enter fortyGigE slot/port.
5 Ensure that the port channel is active.
The range is from 1 to 4094. Configuring Enhanced VLT (eVLT) (Optional) To configure enhanced VLT (eVLT) between two VLT domains on your network, use the following procedure. For a sample configuration, refer to eVLT Configuration Example. To set up the VLT domain, use the following commands. 1 Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
Use this command to minimize the time required for the VLT system to synchronize the default MAC address of the VLT domain on both peer switches when one peer switch reboots. 7 When you create a VLT domain on a switch, the system automatically assigns a unique unit ID (0 or 1) to each peer switch. VLT DOMAIN CONFIGURATION mode unit-id {0 | 1} The unit IDs are used for internal system operations. To explicitly configure the default values on each peer switch, use the unit-id command.
17 Repeat steps 1 through 15 for the first VLT node in Domain 2. 18 Repeat steps 1 through 15 for the VLT peer node in Domain 2. To verify the configuration of a VLT domain, use any of the show commands described in Verifying a VLT Configuration. VLT Sample Configuration To review a sample VLT configuration setup, study these steps. 1 Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2. VLT DOMAIN mode vlt domain domain-id 2 Configure the VLTi between VLT peer 1 and VLT peer 2.
EXEC mode or EXEC Privilege mode show interfaces interface Example of Configuring VLT In the following sample VLT configuration steps, VLT peer 1 is Dell-2, VLT peer 2 is Dell-4, and the ToR is S60-1. NOTE: If you use a third-party ToR unit, Dell Networking recommends using static LAGs with VLT peers to avoid potential problems if you reboot the VLT peers. Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2.
 port-channel 2 mode active
 no shutdown
Dell-2#show running-config interface port-channel 2
!
interface Port-channel 2
 no ip address
 switchport
 vlt-peer-lag port-channel 2
 no shutdown
Dell-2#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
L 2    L2L3  up      03:33:14  Te 0/40 (Up)
In the ToR unit, configure LACP on the physical ports.
Verify that the VLT LAG is up in both VLT peer units.
Dell-2#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
L 2    L2L3  up      03:43:24  Te 0/40 (Up)
Dell-4#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
L 2    L2L3  up      03:33:31  Te 0/18 (Up)
eVLT Configuration Example The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network. In this example, you are configuring two domains.
Configure eVLT on Peer 1.
Domain_1_Peer1(conf)#interface port-channel 100
Domain_1_Peer1(conf-if-po-100)# switchport
Domain_1_Peer1(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_1_Peer1(conf-if-po-100)# no shutdown
Add links to the eVLT port-channel on Peer 1.
Next, configure the VLT domain and VLTi on Peer 4.
Domain_2_Peer4#configure
Domain_2_Peer4(conf)#interface port-channel 1
Domain_2_Peer4(conf-if-po-1)# channel-member TenGigabitEthernet 0/8-9
Domain_2_Peer4(conf-if-po-1)# no shutdown
Domain_2_Peer4(conf)#vlt domain 200
Domain_2_Peer4(conf-vlt-domain)# peer-link port-channel 1
Domain_2_Peer4(conf-vlt-domain)# back-up destination 10.18.130.
VLT_Peer2(conf-if-vl-4001)#exit
VLT_Peer2(conf)#end
Verifying a VLT Configuration To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches.
• Display information on backup link operation. EXEC mode show vlt backup-link
• Display general status information about VLT domains currently configured on the switch.
Destination: 10.11.200.18
Peer HeartBeat status: Up
HeartBeat Timer Interval: 1
HeartBeat Timeout: 3
UDP Port: 34998
HeartBeat Messages Sent: 1026
HeartBeat Messages Received: 1025
Dell_VLTpeer2# show vlt backup-link
VLT Backup Link
----------------
Destination: 10.11.200.20
Peer HeartBeat status: Up
HeartBeat Timer Interval: 1
HeartBeat Timeout: 3
UDP Port: 34998
HeartBeat Messages Sent: 1030
HeartBeat Messages Received: 1014
The following example shows the show vlt brief command.
2 100 127 100 UP UP UP UP 20, 30 10, 20, 30 The following example shows the show vlt role command.
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 4096, Address 0001.e88a.d656
Configured hello time 2, max age 20, forward delay 15
Interface                                       Designated
Name    PortID   Prio  Cost    Sts        Cost  Bridge ID            PortID
------- -------- ----- ------- ---------- ----- -------------------- -------
Po 1    128.2    128   200000  DIS        800   4096 0001.e88a.d656  128.2
Po 3    128.4    128   200000  DIS        800   4096 0001.e88a.d656  128.4
Po 4    128.5    128   200000  DIS        800   4096 0001.e88a.d656  128.5
Po 100  128.101  128   800     FWD(VLTi)  800   0    0001.e88a.
Configure the port channel to an attached device.
Dell_VLTpeer1(conf)#interface port-channel 110
Dell_VLTpeer1(conf-if-po-110)#no ip address
Dell_VLTpeer1(conf-if-po-110)#switchport
Dell_VLTpeer1(conf-if-po-110)#channel-member fortyGigE 0/52
Dell_VLTpeer1(conf-if-po-110)#no shutdown
Dell_VLTpeer1(conf-if-po-110)#vlt-peer-lag port-channel 110
Dell_VLTpeer1(conf-if-po-110)#end
Verify that the port channels used in the VLT domain are assigned to the same VLAN.
10 Active U Po110(Fo 0/48) T Po100(Fo 0/46,50)
Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch) On an access device, verify the port-channel connection to a VLT domain.
Dell_TORswitch(conf)# show running-config interface port-channel 11
!
interface Port-channel 11
 no ip address
 switchport
 channel-member fortyGigE 1/18,22
 no shutdown
Troubleshooting VLT To help troubleshoot different VLT issues that may occur, use the following information.
Description | Behavior at Peer Up | Behavior During Run Time | Action to Take
System MAC mismatch | A syslog error message and an SNMP trap are generated. | A syslog error message and an SNMP trap are generated. | Verify that the unit ID of VLT peers is not the same on both units and that the MAC address is the same on both units.
Unit ID mismatch | The VLT peer does not boot up. The VLTi is forced to a down state. | The VLT peer does not boot up. The VLTi is forced to a down state. |
The association of PVLAN with the VLT LAG must also be identical. After the VLT LAG is configured to be a member of either the primary or secondary PVLAN (which is associated with the primary), ICL becomes an automatic member of that PVLAN on both switches. This association helps the PVLAN data flow received on one VLT peer for a VLT LAG to be transmitted on that VLT LAG from the peer. You can associate either a VLT VLAN or a VLT LAG to a PVLAN.
The PVLAN mode of VLT LAGs on one peer is validated against the PVLAN mode of VLT LAGs on the other peer. MAC addresses that are learned on that VLT LAG are synchronized between the peers only if the PVLAN mode on both the peers is identical. For example, if the MAC address is learned on a VLT LAG and the VLAN is a primary VLT VLAN on one peer and not a primary VLT VLAN on the other peer, MAC synchronization does not occur.
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN The following table illustrates the association of the VLTi link and PVLANs, and the MAC synchronization of VLT nodes in a PVLAN (for various modes of operations of the VLT peers): Table 116.
VLT LAG Mode Peer1 PVLAN Mode of VLT VLAN Peer2 Access Access ICL VLAN Membership Mac Synchronization Peer1 Peer2 - Primary VLAN X - Primary VLAN Y No No Secondary (Community) Secondary (Community) No No - Primary VLAN Y - Primary VLAN X No No Promiscuous Access Primary Secondary No No Trunk Access Primary/Normal Secondary No No Configuring a VLT VLAN or LAG in a PVLAN You can configure the VLT peers or nodes in a private VLAN (PVLAN).
6 Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 7 Enter the port-channel number that acts as the interconnect trunk. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number The range is from 1 to 128. 8 (Optional) To configure a VLT LAG, enter the VLAN ID number of the VLAN where the VLT forwards packets received on the VLTi from an adjacent peer that is down.
INTERFACE VLAN mode
private-vlan mode primary
8 Map secondary VLANs to the selected primary VLAN.
INTERFACE VLAN mode
private-vlan mapping secondary-vlan vlan-list
The list of secondary VLANs can be:
• Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
• Specified with this command even before they have been created.
• Amended by specifying the new secondary VLAN to be added to the list.
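The VLAN-list syntax accepted by private-vlan mapping secondary-vlan, as an added Python example that is not part of this guide or of Dell Networking OS: it parses comma-delimited and hyphenated-range lists, rejects malformed or reversed entries, models the "amended" behaviour described above (a later command adds to the mapping), and compacts a list back into the same syntax. The 1-4094 VLAN ID bound is an assumption taken from IEEE 802.1Q; the guide does not state the range the command enforces.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094  # assumption: IEEE 802.1Q VLAN ID range, not stated by the guide
_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")  # VLAN-ID or VLAN-ID-VLAN-ID


def parse_vlan_list(text):
    """Parse 'VLAN-ID,VLAN-ID' / 'VLAN-ID-VLAN-ID' syntax into a sorted list of ints.

    Raises ValueError on a malformed token, a reversed range (22-20) or an
    out-of-range ID; duplicates are collapsed.
    """
    vlans = set()
    for raw in text.split(","):
        token = raw.strip()
        match = _TOKEN.match(token)
        if not match:
            raise ValueError(f"malformed VLAN token: {token!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError(f"reversed range: {token!r}")
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"VLAN ID outside {VLAN_MIN}-{VLAN_MAX}: {token!r}")
        vlans.update(range(low, high + 1))
    return sorted(vlans)


def is_valid_vlan_list(text):
    """True when the whole list parses; handy for validating input before pushing config."""
    try:
        parse_vlan_list(text)
        return True
    except ValueError:
        return False


def amend_mapping(existing, new_text):
    """Model the amend rule: a further mapping command adds VLANs instead of replacing the list."""
    return sorted(set(existing) | set(parse_vlan_list(new_text)))


def format_vlan_list(vlans):
    """Compact a list back into comma/hyphen form, e.g. [10, 11, 12, 20] -> '10-12,20'."""
    vlans = sorted(set(vlans))
    parts, i = [], 0
    while i < len(vlans):
        j = i
        while j + 1 < len(vlans) and vlans[j + 1] == vlans[j] + 1:
            j += 1  # extend the run of consecutive IDs
        parts.append(str(vlans[i]) if i == j else f"{vlans[i]}-{vlans[j]}")
        i = j + 1
    return ",".join(parts)


if __name__ == "__main__":
    mapping = parse_vlan_list("10,20-22,30")      # constructed sample input
    mapping = amend_mapping(mapping, "23")
    print(format_vlan_list(mapping))
```

Round-tripping a list through parse_vlan_list and format_vlan_list gives a canonical form, which is useful when comparing the mapping on two VLT peers for the "identical PVLAN association" requirement above.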
link or peer is down, and the ARP request for a private VLAN IP address reaches the wrong peer, then the wrong peer responds to the ARP request with the peer MAC address. The IP address of the VLT node VLAN interface is synchronized with the VLT peer over ICL when the VLT peers are up. Whenever an IP address is added or deleted, this updated information is synchronized with the VLT peer. IP address synchronization occurs regardless of the VLAN administrative state.
outgoing interface (OIF) maps after a peer node failure, use the timeout value that you configured through the multicast peer-routing-timeout value command. You can configure an optimal time for a VLT node to retain synced multicast routes or synced multicast outgoing interface (OIF) entries after a VLT peer node failure, through the multicast peer-routing-timeout command in VLT DOMAIN mode.
no ip address
switchport
vlan-stack access
vlt-peer-lag port-channel 10
no shutdown
Dell#
Dell(conf)#interface port-channel 20
Dell(conf-if-po-20)#switchport
Dell(conf-if-po-20)#vlt-peer-lag port-channel 20
Dell(conf-if-po-20)#vlan-stack trunk
Dell(conf-if-po-20)#no shutdown
Dell#show running-config interface port-channel 20
!
interface Port-channel 20
no ip address
switchport
vlan-stack trunk
vlt-peer-lag port-channel 20
no shutdown
Dell#
Configure the VLAN as VLAN-Stack VLAN and add the VLT LAG as members to the VLAN
Dell(conf)#interface vlan 50
Dell(conf-if-vl-50)#vlan-stack
64 Virtual Router Redundancy Protocol (VRRP)
Virtual router redundancy protocol (VRRP) is supported on Dell Networking OS.
VRRP Overview
VRRP is designed to eliminate a single point of failure in a statically routed network. Authentication is not supported on VRRPv3. VRRP is supported on “all types” of interfaces, including physical, VLAN, port-channel, and port extender interfaces. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 155. Basic VRRP Configuration
VRRP Benefits
With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) convergence or routing table updates.
VRRP Implementation
Within a single VRRP group, up to 12 virtual IP addresses are supported.
Table 117. Recommended VRRP Advertise Intervals on the Switch
Total VRRP Groups | Recommended Advertise Interval | Groups/Interface
Less than 250 | 1 second | 12
Between 250 and 450 | 2–3 seconds | 24
Between 450 and 600 | 3–4 seconds | 36
Between 600 and 800 | 4 seconds | 48
Between 800 and 1000 | 5 seconds | 84
Between 1000 and 1200 | 7 seconds | 100
Between 1200 and 1500 | 8 seconds | 120
VRRP Configuration
By default, VRRP is not configured.
NOTE: The interface must already have a primary IP address defined and be enabled, as shown in the second example.
• Delete a VRRP group.
INTERFACE mode
no vrrp-group vrid
Examples of Configuring and Verifying a VRRP Configuration
The following example shows configuring a VRRP group.
Dell(conf)#int te 1/1
Dell(conf-if-te-1/1)#vrrp-group 111
Dell(conf-if-te-1/1-vrid-111)#
The following example shows verifying a VRRP configuration.
2 Set the master switch to VRRP protocol version 3.
3 Set the backup switches to version 3.
Assign Virtual IP addresses
Virtual routers contain virtual IP addresses configured for that VRRP group (VRID). A VRRP group does not transmit VRRP packets until you assign the Virtual IP address to the VRRP group. For more information, refer to VRRP Implementation.
interface TenGigabitEthernet 1/1/1
ip address 10.10.10.1/24
!
vrrp-group 111
priority 255
virtual-address 10.10.10.1
virtual-address 10.10.10.2
virtual-address 10.10.10.3
!
vrrp-group 222
no shutdown
The following example shows the same VRRP group (VRID 111) configured on multiple interfaces on different subnets.
Dell#show vrrp
-----------------
TenGigabitEthernet 1/1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.
To verify the VRRP group priority, use the show vrrp command.
Dell#show vrrp
-----------------
TenGigabitEthernet 1/1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 2343, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
-----------------
TenGigabitEthernet 1/2/1, VRID: 111, Net: 10.10.
Disabling Preempt
The preempt command is enabled by default. The command forces the system to change the MASTER router if another router with a higher priority comes online. Prevent the BACKUP router with the higher priority from becoming the MASTER router by disabling preempt.
NOTE: You must configure all virtual routers in the VRRP group the same: you must configure all with preempt enabled or configure all with preempt disabled.
• Change the advertisement interval setting.
INTERFACE-VRID mode
advertise-interval seconds
The range is from 1 to 255 seconds. The default is 1 second.
• For VRRPv3, change the advertisement centisecs interval setting.
INTERFACE-VRID mode
advertise-interval centisecs centisecs
The range is from 25 to 4075 centisecs in units of 25 centisecs. The default is 100 centisecs.
• Set the delay time for VRRP initialization on an individual interface.
INTERFACE mode
vrrp delay minimum seconds
This time is the gap between an interface coming up and being operational, and VRRP enabling. The seconds range is from 0 to 900. The default is 0.
• Set the delay time for VRRP initialization on all the interfaces in the system configured for VRRP.
INTERFACE mode
vrrp delay reload seconds
This time is the gap between system boot up completion and VRRP enabling.
Tracking an Interface
To track an interface, use the following commands.
NOTE: The sum of all the costs for all tracked interfaces must be less than the configured priority of the VRRP group.
• Monitor an interface and, optionally, set a value to be subtracted from the interface’s VRRP group priority.
INTERFACE-VRID mode
track interface [priority-cost cost]
The cost range is from 1 to 254. The default is 10.
• (Optional) Display the configuration.
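The priority, preempt and interface-tracking rules from the sections above, modelled as an added Python example that is not part of this guide or of Dell Networking OS: validate() enforces the NOTE that tracked costs must sum to less than the group priority, effective_priority() subtracts the cost of each tracked interface that is down, and elect_master() applies the preempt rule (a sitting MASTER is displaced only by a strictly higher priority with preempt enabled; equal priority never displaces it, as the NOTE in the IPv6 sample configuration states). Router names, addresses and the cost values are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Tracked:
    """An interface tracked by a VRRP group (guide: cost range 1-254, default 10)."""
    name: str
    cost: int = 10
    up: bool = True


@dataclass
class VrrpRouter:
    """One router's view of a VRID. Names and addresses are constructed."""
    name: str
    ip: str                 # interface address, used only for the tie-break
    priority: int           # 1-254 as configured; 255 marks the address owner
    preempt: bool = True    # guide: preempt is enabled by default
    tracked: list = field(default_factory=list)

    def validate(self):
        """Return a list of configuration problems (empty means consistent)."""
        problems = []
        if not 1 <= self.priority <= 255:
            problems.append(f"{self.name}: priority {self.priority} is outside 1-255")
        for t in self.tracked:
            if not 1 <= t.cost <= 254:
                problems.append(f"{self.name}: cost {t.cost} on {t.name} is outside 1-254")
        total = sum(t.cost for t in self.tracked)
        # Guide NOTE: the sum of all tracked costs must be LESS than the group priority;
        # otherwise losing every tracked interface drives the priority to zero or below.
        if total >= self.priority:
            problems.append(f"{self.name}: tracked costs sum to {total}, not below priority {self.priority}")
        return problems

    def effective_priority(self):
        """Configured priority minus the cost of every tracked interface that is down."""
        return self.priority - sum(t.cost for t in self.tracked if not t.up)


def elect_master(routers, current_master=None):
    """Decide which router is MASTER for one VRID.

    With no sitting master, the highest effective priority wins and a tie goes to the
    higher interface IP.  A sitting master keeps the role unless a router with a STRICTLY
    higher effective priority and preempt enabled is present; equal priority never
    displaces it.
    """
    if not routers:
        return None
    best = max(routers, key=lambda r: (r.effective_priority(), int(ip_address(r.ip))))
    sitting = None
    if current_master is not None:
        sitting = next((r for r in routers if r.name == current_master.name), None)
    if sitting is None:
        return best
    if best.preempt and best.effective_priority() > sitting.effective_priority():
        return best
    return sitting


def walk_scenario(preempt=True):
    """Constructed scenario: R1 (priority 200, tracks its uplink at cost 150) and R2
    (priority 100).  Returns the MASTER's name after each event.
    preempt=True  -> ['R1', 'R2', 'R1']: R2 takes over while R1's uplink is down, R1 returns.
    preempt=False -> ['R1', 'R1', 'R1']: the higher-priority BACKUP never displaces R1."""
    uplink = Tracked("TenGigabitEthernet 1/1/1", cost=150)
    r1 = VrrpRouter("R1", "10.1.1.1", 200, preempt=preempt, tracked=[uplink])
    r2 = VrrpRouter("R2", "10.1.1.2", 100, preempt=preempt)  # same preempt setting on all, per the NOTE
    for problem in r1.validate() + r2.validate():
        raise ValueError(problem)
    history = []
    master = elect_master([r1, r2])
    history.append(master.name)
    uplink.up = False                        # R1's effective priority drops to 50
    master = elect_master([r1, r2], master)
    history.append(master.name)
    uplink.up = True                         # R1 is back at 200
    master = elect_master([r1, r2], master)
    history.append(master.name)
    return history


if __name__ == "__main__":
    print("preempt enabled :", walk_scenario(True))
    print("preempt disabled:", walk_scenario(False))
```

Running validate() against a planned configuration before pushing it catches the tracked-cost mistake that otherwise only shows up when several tracked interfaces fail at once.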
IPv6 route 2050::/64 reachability
Reachability is Up (STATIC)
5 changes, last change 00:02:16
First-hop interface is GigabitEthernet 1/3
Tracked by:
VRRP GigabitEthernet 1/8 IPv6 VRID 1
The following example shows verifying the VRRP status.
ON the MASTER
==========
Dell#show vrrp
-----------------
TenGigabitEthernet 0/1, IPv4 VRID: 1, Version: 2, Net: 1.1.1.1
VRF: 0 default
State: Master, Priority: 100, Master: 1.1.1.
Sample Configurations
Before you set up VRRP, review the following sample configurations.
VRRP for an IPv4 Configuration
The following configuration shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
R2(conf-if-te-2/31)#vrrp-group 99
R2(conf-if-te-2/31-vrid-99)#priority 200
R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-te-2/31-vrid-99)#no shut
R2(conf-if-te-2/31)#show conf
!
interface TenGigabitEthernet 2/31
ip address 10.1.1.1/24
!
vrrp-group 99
priority 200
virtual-address 10.1.1.3
no shutdown
R2(conf-if-te-2/31)#end
R2#show vrrp
-----------------
TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
State: Master, Priority: 200, Master: 10.1.1.
Figure 157. VRRP for an IPv6 Configuration
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.
Example of Configuring VRRP for IPv6 Router 2 and Router 3
Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
R2(conf-if-te-0/0-vrid-10)#virtual-address 1::10
R2(conf-if-te-0/0-vrid-10)#no shutdown
R2(conf-if-te-0/0)#show config
interface TenGigabitEthernet 0/0
ipv6 address 1::1/64
vrrp-group 10
priority 100
virtual-address fe80::10
virtual-address 1::10
no shutdown
R2(conf-if-te-0/0)#end
ON MASTER
==========
Dell#show vrrp
-----------------
TenGigabitEthernet 0/1, IPv4 VRID: 1, Version: 2, Net: 1.1.1.1
VRF: 0 default
State: Master, Priority: 100, Master: 1.1.1.
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 11, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:0a
VRRP in a VRF Configuration
The following example shows how to enable VRRP operation in a VRF virtualized network for the following scenarios.
• Multiple VRFs on physical interfaces running VRRP.
• Multiple VRFs on VLAN interfaces running VRRP.
To view a VRRP in a VRF configuration, use the show commands described in Displaying VRRP in a VRF Configuration.
Figure 158. VRRP in a VRF: Non-VLAN Example
Example of Configuring VRRP in a VRF on Switch-1 (Non-VLAN)
Switch-1
S1(conf)#ip vrf default-vrf 0
!
S1(conf)#ip vrf VRF-1 1
!
S1(conf)#ip vrf VRF-2 2
!
S1(conf)#ip vrf VRF-3 3
!
S1(conf)#interface TenGigabitEthernet 2/1
S1(conf-if-te-2/1)#ip vrf forwarding VRF-1
S1(conf-if-te-2/1)#ip address 10.10.1.5/24
S1(conf-if-te-2/1)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S1(conf-if-te-2/3-vrid-105)#priority 255
S1(conf-if-te-2/3-vrid-105)#virtual-address 20.1.1.5
S1(conf-if-te-2/3)#no shutdown
Example of Configuring VRRP in a VRF on Switch-2 (Non-VLAN Configuration)
Switch-2
S2(conf)#ip vrf default-vrf 0
!
S2(conf)#ip vrf VRF-1 1
!
S2(conf)#ip vrf VRF-2 2
!
S2(conf)#ip vrf VRF-3 3
!
S2(conf)#interface TenGigabitEthernet 2/1
S2(conf-if-te-2/1)#ip vrf forwarding VRF-1
S2(conf-if-te-2/1)#ip address 10.10.1.
S1(conf-if-te-2/4)#no shutdown
!
S1(conf-if-te-2/4)#interface vlan 100
S1(conf-if-vl-100)#ip vrf forwarding VRF-1
S1(conf-if-vl-100)#ip address 10.10.1.5/24
S1(conf-if-vl-100)#tagged tengigabitethernet 2/4
S1(conf-if-vl-100)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S1(conf-if-vl-100-vrid-101)#priority 100
S1(conf-if-vl-100-vrid-101)#virtual-address 10.10.1.
S2(conf-if-vl-300)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S2(conf-if-vl-300-vrid-101)#priority 100
S2(conf-if-vl-300-vrid-101)#virtual-address 20.1.1.5
S2(conf-if-vl-300)#no shutdown
Displaying VRRP in a VRF Configuration
To display information on a VRRP group that is configured on an interface that belongs to a VRF instance, use the following commands.
• Display information on a VRRP group that is configured on an interface that belongs to a VRF instance.
65 Standards Compliance
This chapter describes standards compliance for Dell Networking products.
NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
SFF-8431 | SFP+ Direct Attach Cable (10GSFP+Cu)
MTU | 9,252 bytes
RFC and I-D Compliance
The C9000 series supports the following standards. The standards are grouped by related protocol.
General Internet Protocols
The following table lists the Dell Networking OS support on the C9000 Series for the general internet protocols.
Table 118.
RFC# | Full Name
2439 | BGP Route Flap Damping
2545 | Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
2796 | BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP)
2842 | Capabilities Advertisement with BGP-4
2858 | Multiprotocol Extensions for BGP-4
2918 | Route Refresh Capability for BGP-4
3065 | Autonomous System Confederations for BGP
4360 | BGP Extended Communities Attribute
4893 | BGP Support for Four-octet AS Number Space
5396 | Textual Representation of Autonomous S
General IPv6 Protocols
The following table lists the Dell Networking OS support on the C9000 series for general IPv6 protocols.
Table 121.
RFC# | Full Name
5306 | Restart Signaling for IS-IS
5308 | Routing IPv6 with IS-IS
draft-ietf-isis-igp-p2p-over-lan-06 | Point-to-point operation over LAN in link-state routing protocols
draft-kaplan-isis-ext-eth-02 | Extended Ethernet Frame Size Support
Network Management
The following table lists the Dell Networking OS support on the C9000 Series for network management protocols.
Table 123.
RFC# | Full Name
2618 | RADIUS Authentication Client MIB, except the following four counters: radiusAuthClientInvalidServerAddresses, radiusAuthClientMalformedAccessResponses, radiusAuthClientUnknownTypes, radiusAuthClientPacketsDropped
2698 | A Two Rate Three Color Marker
3635 | Definitions of Managed Objects for the Ethernet-like Interface Types
2674 | Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions
2787 | Definitions of Managed Objects for the V
RFC# | Full Name
draft-ietf-netmod-interfaces-cfg-03 | Defines a YANG data model for the configuration of network interfaces. Used in the Programmatic Interface RESTAPI feature.
IEEE 802.1AB | Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components.
IEEE 802.1AB | The LLDP Management Information Base extension module for IEEE 802.1 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB)
IEEE 802.
Multicast
The following table lists the Dell Networking OS support per platform for Multicast protocols.
Table 124. Multicast
RFC# | Full Name | S-Series | C-Series | E-Series TeraScale | E-Series ExaScale
1112 | Host Extensions for IP Multicasting | 7.8.1 | 7.7.1 | √ | 8.1.1
2236 | Internet Group Management Protocol, Version 2 | 7.8.1 | 7.7.1 | √ | 8.1.1
2710 | Multicast Listener Discovery (MLD) for IPv6 | | | √ | 8.2.1
3376 | Internet Group Management Protocol, Version 3 | 7.8.1 | 7.7.1 | √ | 8.1.
Open Shortest Path First (OSPF)
The following table lists the Dell Networking OS support on the C9000 Series for the OSPF protocol.
Table 125.
66 X.509v3
Dell Networking OS supports X.509v3 standards.
Topics:
• Introduction to X.509v3 certification
• X.509v3 support in Dell Networking OS
• Information about installing CA certificates
• Information about Creating Certificate Signing Requests (CSR)
• Information about installing trusted certificates
• Transport layer security (TLS)
• Online certificate status protocol (OCSP)
• Verifying certificates
• Event logging
Introduction to X.509v3 certification
X.
1 An entity or organization that wants a digital certificate requests one through a CSR.
2 To request a digital certificate through a CSR, a key pair is generated and the CSR is signed using the secret private key. The CSR contains information identifying the applicant and the applicant's public key. This public key is used to verify the signature of the CSR and the Distinguished Name (DN).
3 This CSR is sent to a Certificate Authority (CA).
The Root CA generates a private key and a self-signed CA certificate. The Intermediate CA generates a private key and a Certificate Signing Request (CSR). Using its private key, the root CA signs the intermediate CA’s CSR generating a CA certificate for the Intermediate CA. This intermediate CA can then sign certificates for hosts in the network and also for further intermediate CAs.
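The CSR flow and the Root CA / Intermediate CA / host hierarchy described above, as an added Python example that is not part of this guide or of Dell Networking OS. It assumes the third-party cryptography package is installed; all names (Example Root CA, switch1.example.test) are constructed. verify_chain() walks a presented certificate back to a trusted root the way a TLS peer does before the OCSP revocation check: each link's signature must verify under its issuer's key, each certificate must be inside its validity window, and each issuer must be marked as a CA.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding

UTC = datetime.timezone.utc
DAY = datetime.timedelta(days=1)


def make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_name(common_name, org="Example Org (constructed)"):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_csr(key, common_name):
    # Steps 1-2: the requester signs a CSR carrying its DN and public key with its private key.
    return x509.CertificateSigningRequestBuilder().subject_name(make_name(common_name)).sign(key, hashes.SHA256())


def make_root_ca(common_name="Example Root CA"):
    # Root CA: a self-signed certificate over its own key, marked as a CA.
    key, name = make_key(), make_name(common_name)
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def sign_csr(csr, issuer_cert, issuer_key, is_ca, days):
    # The CA first checks the CSR's own signature (proof of private-key possession), then issues.
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify against its public key")
    now = datetime.datetime.now(UTC)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(issuer_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + days * DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def _validity(cert):
    # cryptography >= 42 exposes aware datetimes; older releases return naive UTC values.
    not_before = getattr(cert, "not_valid_before_utc", None)
    if not_before is not None:
        return not_before, cert.not_valid_after_utc
    return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)


def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def verify_chain(leaf, intermediates, trusted_roots, now=None):
    """Walk leaf -> intermediates -> trusted root and return the anchoring root.
    Raises on a bad signature, an expired certificate, a missing issuer or a non-CA issuer.
    Revocation (OCSP) is a separate check and is not modelled here."""
    now = now or datetime.datetime.now(UTC)

    def der(c):
        return c.public_bytes(serialization.Encoding.DER)

    trusted = {der(r) for r in trusted_roots}
    by_subject = {c.subject.public_bytes(): c for c in list(intermediates) + list(trusted_roots)}
    cert = leaf
    for _ in range(len(intermediates) + 2):
        not_before, not_after = _validity(cert)
        if not (not_before <= now <= not_after):
            raise ValueError(f"{cert.subject.rfc4514_string()} is outside its validity period")
        if der(cert) in trusted:
            issuer = cert  # reached a self-signed trust anchor: check its own signature
        else:
            issuer = by_subject.get(cert.issuer.public_bytes())
            if issuer is None or not _is_ca(issuer):
                raise ValueError(f"no CA certificate found for issuer {cert.issuer.rfc4514_string()}")
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        if issuer is cert:
            return cert
        cert = issuer
    raise ValueError("chain does not terminate at a trusted root")


def chain_is_trusted(leaf, intermediates, trusted_roots):
    """Boolean wrapper around verify_chain for callers that only need accept/reject."""
    try:
        verify_chain(leaf, intermediates, trusted_roots)
        return True
    except Exception:
        return False


def build_demo_hierarchy():
    """Root -> Intermediate (via CSR) -> host (via CSR), the flow described in the text."""
    root_key, root_cert = make_root_ca()
    inter_key = make_key()
    inter_cert = sign_csr(make_csr(inter_key, "Example Intermediate CA"), root_cert, root_key, is_ca=True, days=1825)
    host_key = make_key()
    host_cert = sign_csr(make_csr(host_key, "switch1.example.test"), inter_cert, inter_key, is_ca=False, days=365)
    return root_cert, inter_cert, host_cert, host_key


if __name__ == "__main__":
    root, inter, host, _ = build_demo_hierarchy()
    print("chain anchored at", verify_chain(host, [inter], [root]).subject.rfc4514_string())
```

The BasicConstraints check is the part most often skipped in hand-rolled verifiers: without it, any host certificate issued by the intermediate could itself act as a CA, which is exactly what the hierarchy above is meant to prevent.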
During the initial TLS protocol negotiation, both participating parties also check whether the other’s certificate has been revoked by the CA. To do this check, the devices query the CA’s designated OCSP responder on the network. The OCSP responder information is included in the presented certificate (the Intermediate CA inserts it upon signing), or it may be statically configured on the host.
Information about installing CA certificates
Dell Networking OS enables you to download and install X.
crypto ca-cert install {path}
Information about Creating Certificate Signing Requests (CSR)
A Certificate Signing Request (CSR) enables a device to get an X.509v3 certificate from a CA. In order for a device to get an X.509v3 certificate, the device first requests a certificate from a CA through a Certificate Signing Request (CSR). While creating a CSR, you need to provide the information about the certificate and the private key details.
• Organization Name
• Organization Unit Name
• Common Name
• Email address
• Validity
• Length
• Alternate Name
NOTE: The command contains multiple options with the Common Name being a required field and blanks being filled in for unspecified fields.
Information about installing trusted certificates
Dell Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS.
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
When not operating in FIPS mode, the system may support TLS 1.0 up to 1.
Configuring OCSP setting on CA
You can configure the CA to contact multiple OCSP servers. To configure an OCSP server for a CA, perform the following step:
In the certificate mode, enter the following command:
ocsp-server URL [nonce] [sign-requests]
NOTE: If you have an IPv6 address in the URL, enclose the address in square brackets. For example, http://[1100::203]:6514.
NOTE: A CA certificate can also be revoked.
Verifying Server certificates
Verifying server certificates is mandatory in the TLS protocol. As a result, all TLS-enabled applications require certificate verification, including Syslog servers. The system checks the Server certificates against installed CA certificates.
Verifying client certificates
Verifying client certificates is optional in the TLS protocol and is not explicitly required by Common Criteria.