Dell EMC Networking Configuration Guide for the C9010 Series Version 9.14.2.8 September 2020 Rev.
Notes, Cautions, and Warnings

NOTE: A NOTE indicates important information that helps you make better use of your computer.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents

Chapter 1: About this Guide
  Audience
  Conventions
  Applying a Privilege Level to a Username
  Applying a Privilege Level to a Terminal Line
  Configuring Logging
  Audit and Security Logs
  The Port-Authentication Process
  EAP over RADIUS
  Configuring 802.1X
  Applying Egress ACLs
  Applying Layer 3 Egress ACLs on Control-Plane Traffic
  Counting ACL Hits
  IP Prefix Lists
  Origin
  AS Path
  Next Hop
  Storing Last and Bad PDUs
  Capturing PDUs
  PDU Counters
  DCB Configuration Exchange
  Configuration Source Election
  Propagation of DCB Information
  Configuring the Server for Automatic Address Allocation
  Specifying a Default Gateway
  Configure a Method of Hostname Resolution
  Using DNS for Address Resolution
  FIP Snooping in a Switch Stack
  Using FIP Snooping
  FIP Snooping Prerequisites
  Sample Configuration and Topology
  FRRP Support on VLT
Chapter 19: GARP VLAN Registration Protocol (GVRP)
  Configure GVRP
  Interface Types
  View Basic Interface Information
  Resetting an Interface to its Factory Default State
  Non Dell-Qualified Transceivers
  Splitting QSFP Ports to SFP+ Ports
  Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port
  Configuring wavelength for 10-Gigabit SFP+ optics
Chapter 25: IPv6 Routing
  Protocol Overview
  Extended Address Space
  Stateless Autoconfiguration
  Configuring Authentication Passwords
  Setting the Overload Bit
  Debugging IS-IS
  IS-IS Metric Styles
  mac learning-limit mac-address-sticky
  mac learning-limit station-move
  mac learning-limit no-station-move
  Learning Limit Violation Actions
  Limiting the Source-Active Cache
  Clearing the Source-Active Cache
  Enabling the Rejected Source-Active Cache
  MLD timers
  Reducing Host Response Burstiness
  Configuring MLD Version
  OSPF ACK Packing
  Setting OSPF Adjacency with Cisco Routers
  Configuration Information
  Electing an RP using the BSR Mechanism
  Creating Multicast Boundaries and Domains
  Enabling PIM-SM Graceful Restart
  Important Points to Remember
  PE Stack Configuration
  Configuring a PE Stack
  Upgrading the PoE Controller
  Suspending Power Delivery on the Port Extender
  Restoring Power Delivery on the Port Extender
  Monitor the Power Budget
  Configuring a Weight for WRED and ECN Operation
  Pre-Calculating Available QoS CAM Space
  SNMP Support for Buffer Statistics Tracking
Chapter 47: Routing Information Protocol (RIP)
  Privilege Levels Overview
  Configuration Task List for Privilege Levels
  RADIUS
  Marking Egress Packets with a DEI Value
  Dynamic Mode CoS for VLAN Stacking
  Mapping C-Tag to S-Tag dot1p Values
  Layer 2 Protocol Tunneling
  Copying the Startup-Config Files to the Server via TFTP
  Copy a Binary File to the Startup-Configuration
  Additional MIB Objects to View Copy Statistics
  Obtaining a Value for MIB Objects
  Enabling Spanning Tree Protocol Globally
  Adding an Interface to the Spanning Tree Group
  Modifying Global Parameters
  Modifying Interface STP Parameters
  Configuring Tunnel source anylocal Decapsulation
  Multipoint Receive-Only Tunnels
  Guidelines for Configuring Multipoint Receive-Only Tunnels
Chapter 59: Upgrade Procedures
  Dynamic Route Leaking
  Configuring Route Leaking with Filtering
  Configuring Route Leaking without Filtering Criteria
Chapter 64: Virtual Link Trunking (VLT)
  Sample BFD configuration in VLT domain
Chapter 65: Virtual Router Redundancy Protocol (VRRP)
  VRRP Overview
  VRRP Benefits
1 About this Guide

This configuration guide provides information about how to use and configure the software features supported in the Dell Networking operating system (OS) on a C9010 console to configure a C9010 switch and C1048P, N20xx, and N30xx port extenders. The C9010 switch is also referred to as the network director or control bridge. The port extenders are also referred to as rapid access nodes. Though this guide contains information on protocols, it is not intended to be a complete reference.
2 Configuration Fundamentals

The Dell Networking OS command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. After you enter a command, the command is added to the running configuration file.
The Dell Networking OS CLI is divided into three major mode levels:
● EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
● EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted.
GRUB
PROTOCOL GVRP
QOS POLICY
RSTP
ROUTE-MAP
ROUTER BGP
BGP ADDRESS-FAMILY
ROUTER ISIS
ISIS ADDRESS-FAMILY
ROUTER OSPF
ROUTER OSPFV3
ROUTER RIP
SPANNING TREE
TRACE-LIST
VLT DOMAIN
VRRP
UPLINK STATE GROUP

Navigating CLI Modes

The Dell Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode.
Table 1.
Interface                 IP-Address   OK   Method   Status                  Protocol
TenGigabitEthernet 0/0    unassigned   NO   Manual   administratively down
TenGigabitEthernet 0/1    unassigned   NO   Manual   administratively down
TenGigabitEthernet 0/2    unassigned   NO   Manual   administratively down
TenGigabitEthernet 0/3    unassigned   NO   Manual   administratively down
TenGigabitEthernet 0/4    unassigned   NO   Manual   administratively down
TenGigabitEthernet 0/5    unassigned   NO   Manual   administratively down
TenGigabitEthernet 0/6    unassigned   NO   Manual   administratively down
Layer 2 protocols are disabled by default. To enable a Layer 2 protocol, use the no disable command in that protocol's mode. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.

Obtaining Help

Obtain a list of keywords and a brief functional description of those keywords in any CLI mode using the ? or help command:
● To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
● Entering ? after a partially typed command lists all of the keywords that can follow it.
Short-Cut Key Combination   Action
CNTL-I                      Completes a keyword.
CNTL-K                      Deletes all characters from the cursor to the end of the command line.
CNTL-L                      Re-enters the previous command.
CNTL-N                      Returns to more recent commands in the history buffer after recalling commands with CNTL-P or the UP arrow key.
CNTL-P                      Recalls commands, beginning with the last command.
CNTL-R                      Re-enters the previous command.
CNTL-U                      Deletes the line.
CNTL-W                      Deletes the previous word.
CNTL-X                      Deletes the line.
Example of the except Keyword

Dell#show processes cpu cp | except system
CPU utilization for five seconds: 28%/1%; one minute: 28%; five minutes: 28%
PID   Runtime(ms)   Invoked   uSecs   5Sec    1Min    5Min    TTY   Process
538   43770         4377      10000   6.50%   7.59%   8.68%   0     sys
535   51140         5114      10000   3.54%   3.53%   3.83%   0     sysdlp
614   300           30        10000   0.59%   0.06%   0.07%   0     ssMgr
557   190           19        10000   0.20%   0.00%   0.03%   0     ipm
615   130           13        10000   0.00%   0.02%   0.03%   0     ipSecMgr
508   290           29        10000   0.00%   0.02%   0.04%   0     confdMgr
720   330           33        10000   0.00%   0.13%   0.
NOTE: You can filter a single command output multiple times by chaining filters. The save option must be the last option entered. For example: Dell# command | grep regular-expression | except regular-expression | grep other-regular-expression | find regular-expression | save.

Multiple Users in Configuration Mode

The switch operating system notifies all users when there are multiple users logged in to CONFIGURATION mode.
3 Getting Started This chapter describes how you start configuring your operating software. When you power up the chassis, the system performs a power-on self test (POST) and loads the Dell Networking operating software. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LED remains online (green) and the console monitor displays the EXEC mode prompt.
Accessing the Console Port

To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the switch console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.
3.
The foreign file system remains mounted as long as the device is up and does not reboot. You can run the file system commands without having to mount or un-mount the file system each time you run a command. When you save the configuration using the write command, the mount command is saved to the startup configuration. As a result, each time the device re-boots, the NFS file system is mounted during start up. Table 4.
225 bytes successfully copied
Dell#

Default Configuration

Although a version of the Dell Networking OS is pre-loaded on the switch, the system is not configured when you power up the first time (except for the default hostname, which is Dell). You must configure the system using the CLI.

Configuring a Host Name

The host name appears in the prompt. The default host name is Dell.
● Host names must start with a letter and end with a letter or digit.
● ip-address: an address in dotted-decimal format (A.B.C.D).
● mask: a subnet mask in /prefix-length format (/xx).
3. Enable the interface.
   INTERFACE mode
   no shutdown

Configure a Management Route

Define a path from the switch to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the switch through the management port.
● Configure a management route to the network from which you are accessing the system.
NOTE: The dynamic-salt option is shown only with the secret and password options. With dynamic-salt configured, a type 5 secret is 32 characters longer and a type 7 password is 16 characters longer than the same secret or password stored without dynamic-salt. An error message appears if the username command reaches its maximum length, which is 256 characters. Dynamic-salt support for user configuration is also available through the REST API.
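Why a per-user (dynamic) salt matters, as an added illustration that is not Dell's code and does not reproduce the algorithm behind the guide's type 5 secrets or type 7 passwords (the guide does not specify it). The example uses PBKDF2-HMAC-SHA256 from the Python standard library with an illustrative iteration count: with one salt shared by every account, two users who pick the same password get the same stored hash, so a single precomputed table or one cracked hash reveals both; with a random salt per account, equal passwords produce unrelated hashes, at the cost of storing the salt next to the digest (here as extra hex characters, which is the same kind of growth the note describes).

```python
import hashlib
import hmac
import secrets

# Illustrative parameters only; not the switch's algorithm or work factor.
ITERATIONS = 100_000
SALT_BYTES = 16                       # 16 bytes -> 32 hex characters in the stored string
STATIC_SALT = b"\x00" * SALT_BYTES    # what "no dynamic salt" amounts to: one salt for everyone


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_static(password: str) -> str:
    """Weak form: every account shares STATIC_SALT, so equal passwords give equal digests."""
    return derive(password, STATIC_SALT).hex()


def store_dynamic(password: str) -> str:
    """Per-account random salt, stored with the digest as '<salt-hex>$<digest-hex>'."""
    salt = secrets.token_bytes(SALT_BYTES)
    return salt.hex() + "$" + derive(password, salt).hex()


def verify_dynamic(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _, digest_hex = stored.partition("$")
    candidate = derive(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def collides(store) -> bool:
    """True if two accounts with the same password end up with identical stored strings."""
    return store("Summer2020!") == store("Summer2020!")


def extra_length(password: str) -> int:
    """Characters the dynamic-salt form adds over the static form (salt hex plus separator)."""
    return len(store_dynamic(password)) - len(store_static(password))


if __name__ == "__main__":
    print("static salt, same password twice, same hash:", collides(store_static))
    print("dynamic salt, same password twice, same hash:", collides(store_dynamic))
    print("stored string grows by", extra_length("Summer2020!"), "characters")
```

The practical consequence on a switch is the same as in the model: keep dynamic-salt on for every secret and password, and when you copy a configuration between devices expect the longer strings, since the username line limit of 256 characters quoted in the note counts them.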
The output of the show file-systems command in the following example shows the total capacity, amount of free memory, file structure, media type, read/write privileges for each storage device in use.
Example of Importing a File to the Local System

core1#$//copy ftp://myusername:mypassword@10.10.10.10//Dell/Dell-EF-8.2.1.0.bin flash://
Destination file name [Dell-EF-8.2.1.0.bin.bin]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
26292881 bytes successfully copied

A user name and password given inside an ftp:// URL are typed and echoed in the clear on the terminal line, so use an account with no more than the read access the copy needs.

Save the Running-Configuration

The running-configuration contains the current system configuration. Dell Networking recommends copying your running-configuration to the startup-configuration.
EXEC Privilege mode
dir usbflash:
● View the running-configuration.
  EXEC Privilege mode
  show running-config
● View the startup-configuration.
  EXEC Privilege mode
  show startup-config
The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
Viewing Command History The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer. The system generates a trace message for each executed command. No password information is saved to the file. NOTE: The timestamps display format of the show command history output changes based on the service timestamps log datetime configuration. The time format can be in uptime, local time zone time or UTC time.
[1d0h25m]: CMD-(CLI):[no shutdown]by default from console
[1d0h25m]: CMD-(CLI):[end]by default from console
[1d0h25m]: CMD-(CLI):[write memory]by default from console
Repeated 1 time.
4 Switch Management This chapter describes the switch management tasks supported on the switch.
● restricting access to an EXEC mode command
● moving commands from EXEC Privilege to EXEC mode
● restricting access
A user can access all commands at his privilege level and below.

Removing a Command from EXEC Mode

To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode.
● Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
  CONFIGURATION mode
  privilege {configure | interface | line | route-map | router} level level {command ||...|| command}
The configuration in the following example creates privilege level 3.

Dell(config-line-vty)#?
exit    Exit from line configuration mode
Dell(config-line-vty)#

Applying a Privilege Level to a Username

To set the user privilege level, use the following command.
● Configure a privilege level for a user.
  CONFIGURATION mode
  username username privilege level

Applying a Privilege Level to a Terminal Line

To set a privilege level for a terminal line, use the following command.
● Configure a privilege level for a terminal line.
● Displaying Audit and Security Logs ● Clearing Audit Logs Enabling Audit and Security Logs You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode. This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control.
Example of the show logging auditlog Command

Dell#show logging auditlog
May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.
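Audit-log review logic, as an added example that is not part of the guide: a parser for lines in the shape shown above (timestamp, host prompt, %CLI-<severity>-<command> by <user> from <line> (<address>)) followed by a check that flags the commands a reviewer wants to see first and a per-source tally. The sample lines are constructed, not collected from a switch, and the list of sensitive command patterns is my assumption of what to watch for, not a list from the guide.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed lines in the shape of 'show logging auditlog' output; not from a real switch.
SAMPLE_AUDITLOG = """\
May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:21:03: Dell#: %CLI-6-username svc-backup privilege 15 by admin from vty0 (10.14.1.98)
May 12 12:21:30: Dell#: %CLI-6-no logging 10.10.10.4 by ops from vty1 (10.14.1.77)
May 12 12:22:05: Dell#: %CLI-6-show running-config by ops from vty1 (10.14.1.77)
"""

# One audit entry: '<Mon dd hh:mm:ss>: <prompt>: %CLI-<sev>-<command> by <user> from <line> (<addr>)'
LINE_RX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d): "
    r"(?P<host>[^:]+): %CLI-(?P<sev>\d)-(?P<cmd>.+?) "
    r"by (?P<user>\S+) from (?P<line>\S+) \((?P<src>[^)]+)\)$"
)

# Assumed watch list: anything that weakens logging or changes who can do what.
SENSITIVE = [
    (r"^no logging\b", "logging removed or reduced"),
    (r"^username \S+ .*privilege 15\b", "level-15 account created or changed"),
    (r"^privilege (exec|configure|interface|line|route-map|router)\b", "command privilege remapped"),
    (r"^no ip ssh server\b", "SSH server disabled"),
    (r"^enable (secret|password)\b", "enable credential changed"),
]
SENSITIVE_RX = [(re.compile(p), why) for p, why in SENSITIVE]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one audit line into its fields, or None if it is not an audit entry."""
    m = LINE_RX.match(line.strip())
    return m.groupdict() if m else None


def parse_auditlog(text: str) -> List[Dict[str, str]]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def find_sensitive(text: str) -> List[Dict[str, str]]:
    """Entries whose command matches the watch list, each with the reason attached."""
    findings = []
    for entry in parse_auditlog(text):
        for rx, why in SENSITIVE_RX:
            if rx.search(entry["cmd"]):
                findings.append({**entry, "why": why})
                break
    return findings


def changes_by_source(text: str) -> Counter:
    """Commands per (user, source address): an unfamiliar pair is worth a question."""
    return Counter((e["user"], e["src"]) for e in parse_auditlog(text))


if __name__ == "__main__":
    for f in find_sensitive(SAMPLE_AUDITLOG):
        print(f"{f['ts']} {f['user']}@{f['src']}: {f['cmd']}  <- {f['why']}")
    print(changes_by_source(SAMPLE_AUDITLOG))
```

Run against a log exported to the syslog server rather than only on the switch: the no logging entry in the sample is exactly the kind of command that, once executed, stops later entries from ever leaving the device.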
Pre-requisites

To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server.
   Dell(conf)#ip ssh server enable
2. On the syslog server, create a reverse SSH tunnel from the syslog server to the switch, using the following syntax:
   ssh -R <remote_port>:<local_host>:<local_port> user@remote_host -nNf
   The -R option makes the switch listen on <remote_port> and forward connections to that port back through the tunnel to <local_host>:<local_port> on the syslog server; -n detaches stdin, -N runs no remote command, and -f puts the session in the background.
In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.
Track Login Activity Dell Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events. When you log in using the console or VTY line, the system displays the last successful login details of the current user and the number of unsuccessful login attempts since your last successful login to the system, and whether the current user’s permissions have changed since the last login.
Example of the show login statistics all command

The show login statistics all command displays the successful and failed login details of all users in the last 30 days or the custom defined time period.

Dell#show login statistics all
-----------------------------------------------------------------
User: admin
Last login time: 08:54:28 UTC Wed Mar 23 2016
Last login location: Line vty0 ( 10.16.127.

The following is sample output of the show login statistics unsuccessful-attempts user login-id command.

Dell# show login statistics unsuccessful-attempts user admin
There were 3 unsuccessful login attempt(s) for user admin in last 12 day(s).

The following is sample output of the show login statistics successful-attempts command.

Dell#show login statistics successful-attempts
There were 4 successful login attempt(s) for user admin in last 30 day(s).

Connected to 10.11.178.14.
Escape character is '^]'.
Login: admin
Password:
Current sessions for user admin:
Line      Location
2 vty 0   10.14.1.97
3 vty 1   10.14.1.97
Clear existing session? [line number/Enter to cancel]:

When you try to create more than the permitted number of sessions, the following message appears, prompting you to close one of the existing sessions. If you close any of the existing sessions, you are allowed to log in.

$ telnet 10.11.178.17
Trying 10.11.178.17...
Connected to 10.11.178.17.
● Configuring Logging Format
● Secure Connection to a Syslog Server

Disabling System Logging

By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers. To disable system logging, use the following commands.
● Disable all logging except on the console.
  CONFIGURATION mode
  no logging on
● Disable logging to the logging buffer.
  CONFIGURATION mode
  no logging buffer
● Disable logging to terminal lines.
Display the Logging Buffer and the Logging Configuration To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and system administrator can view the security logs.
  CONFIGURATION mode
  logging trap level
● Specify the minimum severity level for logging to the syslog history table.
  CONFIGURATION mode
  logging history level
● Specify the size of the logging buffer.
  CONFIGURATION mode
  logging buffered size
  NOTE: When you decrease the buffer size, the operating system deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer.
● Specify the number of messages that the operating system saves to its logging history table.
To view non-default settings, use the show running-config logging command in EXEC mode.

Dell#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.4
Dell#

Synchronizing Log Messages

You can configure the Dell Networking OS to filter and consolidate the system messages for a specific line by synchronizing the message output.
○ utc: Enter the keyword utc to view timestamp in UTC time that excludes the local time zone. If you do not specify a parameter, Dell EMC Networking OS configures datetime as localtime by default. To view the configuration, use the show running-config logging command in EXEC privilege mode. To disable time stamping on syslog messages, use the no service timestamps [log | debug] command.
File Transfer Services

You can configure the system to transfer files over the network using the file transfer protocol (FTP). You can use the FTP application to copy system image files over an interface on to the system. However, FTP is not supported on virtual local area network (VLAN) interfaces. For more information about FTP, refer to RFC 959, File Transfer Protocol. Note that FTP carries the user name, password, and file contents in cleartext, so restrict it to a management network you trust.

NOTE: To transmit large files, Dell Networking recommends configuring the switch as an FTP server.
Configuring FTP Client Parameters

To configure FTP client parameters, use the following commands.
● Specify an FTP interface source.
  CONFIGURATION mode
  ip ftp source-interface interface
  Enter the following keywords and slot/port or number information:
  ○ For a loopback interface, enter the keyword loopback then a number between 0 and 16383.
  ○ For a port channel interface, enter the keywords port-channel then a number from 1 to 255.
Configuring Login Authentication for Terminal Lines

You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, the system prompts for the next method, and so on until all methods are exhausted, at which point the connection is terminated. Because the switch moves on after a failure and not only when a method is unavailable, every method in the list gets its own chance to admit the user; order the list so that the methods you trust least come last, and leave out any method you would not accept on its own. The available authentication methods are:
enable    Prompt for the enable password.
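The method-list behaviour described above, as an added simulation that is not part of the guide: methods are tried in order, a failure hands the user to the next method, the first acceptance wins, and exhausting the list ends the connection. The guide lists only enable here; the local, radius and none method names in the example, the behaviour of an unreachable RADIUS server, and the user database are my assumptions for the demonstration.

```python
from typing import Callable, Dict, List, Optional, Tuple

# A method takes the user name and the password typed at its prompt and
# answers True (accepted) or False (rejected).
Method = Callable[[str, str], bool]


def local_method(users: Dict[str, str]) -> Method:
    """Check against a local user database (constructed for the example)."""
    return lambda user, pw: users.get(user) == pw


def enable_method(enable_secret: str) -> Method:
    """Assumption: the enable method compares only the enable password."""
    return lambda _user, pw: pw == enable_secret


def unreachable_radius(_user: str, _pw: str) -> bool:
    """Assumption: a server that never answers behaves like a failed method,
    so the switch moves on to the next entry in the list."""
    return False


def none_method(_user: str, _pw: str) -> bool:
    """Accepts everyone; present only to show what it does to a list."""
    return True


def authenticate(method_list: List[Tuple[str, Method]], user: str, password: str) -> Optional[str]:
    """Walk the list in order, as the guide describes. Returns the name of the
    method that accepted the user, or None when every method failed and the
    connection would be terminated. The same password is typed at each prompt."""
    for name, method in method_list:
        if method(user, password):
            return name
    return None


def weakest_link(method_list: List[Tuple[str, Method]]) -> Optional[str]:
    """Because each method gets a turn, an always-accept entry anywhere in the
    list admits anyone the earlier methods rejected."""
    for name, _ in method_list:
        if name == "none":
            return name
    return None


USERS = {"admin": "correct horse"}                       # constructed local database
SAFE_LIST = [("radius", unreachable_radius), ("local", local_method(USERS))]
RISKY_LIST = SAFE_LIST + [("none", none_method)]

if __name__ == "__main__":
    print("RADIUS down, good local password:", authenticate(SAFE_LIST, "admin", "correct horse"))
    print("RADIUS down, bad local password:", authenticate(SAFE_LIST, "admin", "wrong"))
    print("list ending in none, unknown user:", authenticate(RISKY_LIST, "nobody", "anything"))
    print("weakest entry in RISKY_LIST:", weakest_link(RISKY_LIST))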
LINE mode
no exec-timeout

The following example shows how to set the time-out period and how to view the configuration using the show config command from LINE mode. An exec-timeout of 0 disables the idle timeout: a console session left unattended stays logged in until someone ends it, so use a non-zero value on production devices.

Dell(conf)#line console 0
Dell(config-line-console)#exec-timeout 0
Dell(config-line-console)#show config
line console 0
 exec-timeout 0 0
Dell(config-line-console)#

Using Telnet to Access Another Network Device

To Telnet to another device, use the following commands.
NOTE: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is unconfigured. Viewing the Configuration Lock Status If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which user has control of CONFIGURATION mode using the show configuration lock command from EXEC Privilege mode. You can then send any user a message using the send command from EXEC Privilege mode.
Command History Usage Information This guide is platform-specific. For command information about other platforms, see the relevant Dell Networking OS Command Line Reference Guide. Version Description 9.11(2.0) Introduced on the C9010, S3048–ON, S6100–ON and Z9100–ON. Enables Intel CPU LPC (Low Pin Count) clock-failure monitoring and issues a warning syslog to the user to take appropriate action if signal degradation is seen.
Ignoring the Startup Configuration and Booting from the Factory-Default Configuration If you do not want to boot up with your current startup configuration and do not want to delete it, you can interrupt the boot process and boot up with the C9000 series factory-default configuration. To boot up with the factory-default configuration: 1. Log onto the system using the console. 2. Power-cycle the chassis by disconnecting and then reconnecting the power cord. 3.
Important Point to Remember
● After the restore is complete, a switch reloads immediately.
The following example shows how the restore factory-defaults command restores a switch to its factory default settings.
Dell# restore factory-defaults chassis nvram
***********************************************************************
* Warning - Restoring factory defaults will delete the existing       *
* persistent settings (stacking, fanout, etc.)                        *
* After restoration the unit(s) will be powercycled immediately.
You are placed in the boot-line interface (BLI) at the BOOT_USER # prompt. Press any key 3. Assign the new location of the image to be used when the system reloads.
2. Go on to the Dell Networking system and copy the software image to the flash drive, using the copy command. 3. Run the verify {md5 | sha256} [ flash://]img-file [hash-value] command. For example, verify sha256 flash://FTOSSE-9.5.0.0.bin 4. Compare the generated hash value to the expected hash value published on the iSupport page.
○ RPM1 line-card processor: linecard 11 ● The rows linecard 0 through linecard 9 list the system images for each line card installed in chassis slots 0 to 9.
You are prompted to enter boot variables by specifying a path (for example, using FTP or TFTP) or system filename for the Dell Networking OS image that you want to load. Enter the component’s boot parameters displayed in the show bootvar output. 4. Reload the C9010 component by entering the reload command at the BOOT_USER# prompt. 5. Log out of the virtual console of the C9010 component and log back in to the RPM CP (C9010 console) as described in Logging in to the Virtual Console of a C9010 Component.
username password : f10agent : imagereq
BOOT_USER# show bootvar RPM (LP10)
***** Welcome to Dell Networking OS Boot Interface *****
PRIMARY OPERATING SYSTEM BOOT PARAMETERS:
========================================
boot device : ftp
file name : force10/rd/tgtimg/runtime/LP.bin
Management Etherenet IP address : 127.10.10.113
Mask : 255.240.0.0
Server IP address : 127.10.10.10
Default Gateway IP address : 127.10.10.
5 802.1X 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 3. EAP Frames Encapsulated in Ethernet and RADIUS The authentication process involves three devices: ● The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. ● The device with which the supplicant communicates is the authenticator. The authenticator is the gatekeeper of the network.
• Dynamic CoS with 802.1X The Port-Authentication Process The authentication process begins when the authenticator senses that a link status has changed from down to up: 1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame. 2. The supplicant responds with its identity in an EAP Response Identity frame. 3.
EAP over RADIUS 802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79. Figure 5. EAP Over RADIUS RADIUS Attributes for 802.1 Support Dell Networking systems include the following RADIUS attributes in all 802.
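The following is an added example, not code from the guide or from Dell Networking OS, showing how an authenticator packages an EAP frame into RADIUS EAP-Message attributes (type 79) as RFC 3579 describes, and how the receiving side reassembles and validates it. Because a single RADIUS attribute value is limited to 253 bytes, longer EAP packets are split across several EAP-Message attributes that must be concatenated in order. RFC 3579 also requires a Message-Authenticator attribute (type 80, HMAC-MD5 over the packet keyed with the shared secret) on any packet that carries EAP-Message, so the example computes and checks it. The shared secret, identities and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed example, not Dell OS or RADIUS-server code. RFC 3579 carries EAP
# inside RADIUS as EAP-Message attributes (type 79) and requires a
# Message-Authenticator attribute (type 80) on every packet that contains one.
ACCESS_REQUEST = 1
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253          # attribute Length is one byte and counts the 2-byte header
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def tlv(attr_type, value):
    """One RADIUS attribute in Type, Length, Value form."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def eap_packet(code, identifier, payload):
    """EAP header (Code, Identifier, Length) followed by the payload."""
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def encode_eap_message(eap):
    """Split an EAP packet across as many EAP-Message attributes as needed."""
    return b"".join(tlv(EAP_MESSAGE, eap[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap), MAX_ATTR_VALUE))


def parse_attributes(blob):
    """Return [(type, value), ...], rejecting truncated or undersized TLVs."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("bad attribute length at offset %d" % i)
        attrs.append((attr_type, blob[i + 2:i + ln]))
        i += ln
    return attrs


def decode_eap_message(attrs):
    """Concatenate EAP-Message values in order and check the EAP Length field."""
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) < 4:
        raise ValueError("no EAP payload")
    code, identifier, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP Length does not match reassembled data")
    return code, identifier, eap[4:]


def build_access_request(identifier, request_authenticator, eap, secret):
    """Access-Request carrying EAP plus an HMAC-MD5 Message-Authenticator."""
    attrs = encode_eap_message(eap) + tlv(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    pkt = header + request_authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()   # computed with MA zeroed
    return pkt[:-16] + mac                              # MA is the last attribute


def verify_message_authenticator(pkt, secret):
    """True only if the Message-Authenticator HMAC matches the shared secret."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    i = 20
    while i + 2 <= len(pkt):
        attr_type, ln = pkt[i], pkt[i + 1]
        if ln < 2 or i + ln > len(pkt):
            return False
        if attr_type == MESSAGE_AUTHENTICATOR and ln == 18:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += ln
    return False   # RFC 3579: a packet with EAP-Message but no MA must be rejected


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # sample value
    identity = eap_packet(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + b"alice")
    req = build_access_request(1, os.urandom(16), identity, secret)
    print(verify_message_authenticator(req, secret))
    print(decode_eap_message(parse_attributes(req[20:])))
```

The Message-Authenticator check is what stops a forged Access-Request (or a tampered EAP payload) from being accepted on the authentication server; a packet with a valid layout but the wrong secret fails verification.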
● All platforms support only RADIUS as the authentication server. ● If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured. ● 802.1X is not supported on port-channels or port-channel members. ● 802.1X is not supported on a port when you configure the port as cascaded. ● The NAS-Port-Type attribute indicates the type of the physical port of the NAS which is authenticating the user. It is used in Access-Request packets.
NOTE: You must enable dot1x authentication globally as well as in INTERFACE mode on the port to which the supplicant is connected. Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. The bold text shows that 802.1X has been enabled. By default, ports are not authorized.
Pluggable media not present
Interface index is 804258823
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :3417eb00aa12
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 1000 Mbit, Mode auto
Auto-mdix enabled, ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 20:06:07
Queueing strategy: fifo
Input Statistics:
     10760802379 packets, 688691353132 bytes
     10760802177 64-byte pkts, 203 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-b
The following example configures 2 MAC addresses and then displays these addresses.
Dell(conf-dot1x-profile)#mac 00:50:56:AA:01:10 00:50:56:AA:01:11
Dell(conf-dot1x-profile)#show config
dot1x profile sample
 mac 00:50:56:aa:01:10
 mac 00:50:56:aa:01:11
Dell(conf-dot1x-profile)#
Dell(conf-dot1x-profile)#exit
Dell(conf)#
Configuring the Static MAB and MAB Profile
Enable MAB (mac-auth-bypass) before using the dot1x static-mab command to enable static MAB.
Configuring Critical VLAN By default, a critical VLAN is not configured. If authentication fails because the authentication server is not reachable, the user session is placed in the critical VLAN. To configure a critical VLAN for users or devices when the authentication server is not reachable, use the following command. ● Enable the critical VLAN for users or devices. INTERFACE mode dot1x critical-vlan [{vlan-id}] Specify a VLAN interface identifier to be configured as a critical VLAN. The VLAN ID range is 1–4094.
The range is from 1 to 65535 (1 year). The default is 30. ● Configure the maximum number of times the authenticator re-transmits a Request Identity frame. INTERFACE mode dot1x max-eap-req number The range is from 1 to 10. The default is 2. The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits a maximum of 10 times.
Forcibly Authorizing or Unauthorizing a Port IEEE 802.1X requires that a port can be manually placed into any of three states: ● ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port. ● ForceUnauthorized — an unauthorized state.
INTERFACE mode
dot1x reauth-max number
The range is from 1 to 10. The default is 2.
The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period.
Dell(conf-if-Te-0/0)#dot1x reauthentication
Dell(conf-if-Te-0/0)#dot1x reauthentication interval 7200
Dell(conf-if-Te-0/0)#dot1x reauth-max 10
Dell(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0
802.
Figure 7. Dynamic VLAN Assignment 1. Configure 802.1X globally (refer to Enabling 802.1X) along with the relevant RADIUS server configuration (refer to the illustration in Dynamic VLAN Assignment with Port Authentication). 2. Make the interface a switchport so that it can be assigned to a VLAN. 3. Create the VLAN to which the interface will be assigned. 4. Connect the supplicant to the port configured for 802.1X. 5.
● If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins. Configuring a Guest VLAN If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN. NOTE: For more information about configuring timeouts, see Configuring Timeouts.
Example of Configuring Maximum Authentication Attempts
Dell(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5
Dell(conf-if-Te-2/1)#show config
!
interface TenGigabitEthernet 2/1
 switchport
 dot1x authentication
 dot1x guest-vlan 200
 dot1x auth-fail-vlan 100 max-attempts 5
 no shutdown
Dell(conf-if-Te-2/1)#
Dell#show int TenGigabitEthernet 2/1
TenGigabitEthernet 2/1 is up, line protocol is down(802.
Auth PAE State: Initialize
Backend State: Initialize
Configuring Timeouts If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. You can configure the amount of time the authenticator waits for a response. To terminate the authentication process, use the following commands. ● Terminate the authentication process due to an unresponsive supplicant.
Figure 8. Single-Host Authentication Mode When multiple end users are connected to a single authenticator port, single-host mode authentication does not authenticate all end users, and all but one are denied access to the network. For these cases, the Dell Networking OS supports multi-host mode authentication. Figure 9.
If you change the host mode on a port that is already authenticated: ● From single-host to multi-host — All devices connected to the port that were previously blocked may access the network; the supplicant does not re-authenticate. ● From multi-host to single-host — The port restarts the authentication process. The first end user to respond is authenticated and allowed access.
Mac-Auth-Bypass Only: Disable
Static-MAB: Disable
Static-MAB Profile: NONE
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Connecting
Backend State: Idle
Multi-Supplicant Authentication 802.1X multi-supplicant authentication enables multiple devices on a single authenticator port to access the network by authenticating each device.
Port status and State info for Supplicant: 7a:d9:d9:7d:00:00
Port Auth Status: AUTHORIZED
Untagged VLAN id: 400
Auth PAE State: Authenticated
Backend State: Idle
Port status and State info for Supplicant: 7a:d9:d9:7d:00:01
Port Auth Status: AUTHORIZED
Untagged VLAN id: 400
Auth PAE State: Authenticated
Backend State: Idle
Restricting Multi-Supplicant Authentication To restrict the number of devices that 802.
NOTE: If the switch is in multi-host mode, a MAC address that was MAB-authenticated but later was disabled from MAB authentication, is not denied access but moved to the guest VLAN. If the switch is in single-host mode, the MAC address is disallowed access. MAB in Multi-Supplicant Authentication Mode Multi-supplicant authentication (multi-auth) mode is similar to other 802.1X modes in that the switch first attempts to authenticate a supplicant using 802.1X. 802.
Critical VLAN id: NONE
Mac-Auth-Bypass: Enable
Mac-Auth-Bypass Only: Disable
Static-MAB: Disable
Static-MAB Profile: NONE
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Authenticated
Backend State: Idle
Dynamic CoS with 802.
Dot1p  Remapped Dot1p
0      2
1      6
2      5
3      4
4      3
5      2
6      1
7      0
● After being re-tagged by dynamic CoS for 802.1X, packets are forwarded in the switch according to their new CoS priority.
● When a supplicant logs off from an 802.1X authentication session, the dynamic CoS table is deleted or reset. When an 802.1X session is re-authenticated, the previously assigned CoS table is retained through the re-authentication process. If the re-authentication fails, the CoS table is deleted.
6 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. ● Access control lists (ACLs), Ingress IP and MAC ACLs, and Egress IP and MAC ACLs are supported on the system. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
When creating an access list, the sequence of the filters is important. You have a choice of assigning sequence numbers to the filters as you enter them, or the system assigns numbers in the order the filters are created. The sequence numbers are listed in the display output of the show config and show ip accounting access-list commands. Ingress and egress Hot Lock ACLs allow you to append or delete new rules into an existing ACL (already written into CAM) without disrupting traffic flow.
Example of the test cam-usage Command
DELL#test cam-usage service-policy input L3 linecard 0 port-set 0
Linecard|Portpipe|CAM Partition|Available CAM|Estimated CAM per Port|Status
--------------------------------------------------------------------------
0 | 0 |L3QOS | 488 | 0 Allowed
DELL#test cam-usage service-policy input L3 pe-unit 0 stack-unit 0 port-set 0
PE Unit|Stack-unit|Portpipe|CAM Partition|Available CAM|Estimated CAM per Port|Status
---------------------------------------------------------------
1. Enter a CAM allocation action to perform on ingress ACLs. Enter the number of FP blocks for each region. Separate each keyword and number with a blank space. The total CAM space allocated must equal 12. When configuring space for ipv6acl, the total number of blocks must be a multiple of 2. CONFIGURATION mode cam-acl-pe [default| l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number ipmacacl number ipv4pbr number] NOTE: Selecting default resets the CAM entries to the default settings.
CONFIGURATION mode cam-acl-pe [default| l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number ipmacacl number ipv4pbr number] NOTE: Selecting default resets the CAM entries to the default settings. Select l2acl to re-allocate memory space for the egress ACL and QoS regions. 2. Verify the details of the CAM ACL egress profiles configured globally on the PE. The command does not display CAM ACL egress profiles for each PE. The new settings are written to CAM on the next reload.
Processor (RP) is unaffected. This option is typically useful when debugging some problem related to control traffic. We have used this option numerous times in the field and have not encountered problems so far. ACL Optimization If an access list contains duplicate entries, the system deletes one entry to conserve CAM space. Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM entries whether it is identified as a standard or extended ACL.
● PIM VLT
● Filtering noninitial fragments of a datagram
If your ACL rules contain the following keywords, the system accepts the configuration, shows a message stating that these features are not supported, and ignores the configuration.
● ttl
● fragments
● no-drop
● dscp
● ecn
Optimizing ACLs for a Larger Number of IPv4 ACL Rules To optimize ACLs for a larger number of IPv4 ACL rules, follow these steps: 1. Carve the vlanaclopt CAM region.
IP Fragments ACL Examples The following examples show how you can use ACL commands with the fragment keyword to filter fragmented packets. The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule does not get hit at all.
Example of Permitting All Packets on an Interface
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)#deny ip any 10.1.1.1.
Example of Logging Denied Packets
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp any any fragment
Dell(conf-ext-nacl)#permit udp any any fragment
Dell(conf-ext-nacl)#deny ip any any log
Dell(conf-ext-nacl)
When configuring ACLs with the fragments keyword, be aware of the following. When an ACL filters packets, it looks at the fragment offset (FO) to determine whether it is a fragment.
● FO = 0 means it is either the first fragment or the packet is a non-fragment.
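To make the effect of rule order and the fragment keyword visible, the following added example (not code from the guide or from Dell Networking OS) simulates first-match ACL evaluation with per-rule hit counters, similar in spirit to the accounting the switch shows with show ip accounting access-list. The fragment-matching semantics it uses are an assumption: a rule carrying the fragment keyword matches only non-initial fragments (FO > 0), while a rule without it matches any packet regardless of FO. The sample rules and packets are constructed; the shadowed-rule ACL mirrors the situation described above in which a broad permit placed first means the second rule is never hit.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example, not Dell OS code. It simulates first-match ACL evaluation
# with the 'fragment' keyword so the effect of rule order on fragments is visible.


@dataclass
class Rule:
    seq: int
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any IP protocol; else "tcp", "udp", "icmp"
    src: str                # "any" or a prefix such as "10.1.1.1/32"
    dst: str
    fragment: bool = False  # the 'fragment' keyword is present on the rule
    log: bool = False
    hits: int = 0           # counter, like the switch's per-rule accounting


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    frag_offset: int = 0    # FO field: 0 = first fragment or unfragmented packet


def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not addr_matches(rule.src, pkt.src) or not addr_matches(rule.dst, pkt.dst):
        return False
    # Assumption: 'fragment' matches only non-initial fragments (FO > 0);
    # a rule without the keyword matches any packet, fragmented or not.
    if rule.fragment and pkt.frag_offset == 0:
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, seq, log) of the first matching rule, else the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            rule.hits += 1
            return rule.action, rule.seq, rule.log
    return "deny", None, False


def hit_counts(acl, packets):
    """Run packets through the ACL and report hits per sequence number."""
    for pkt in packets:
        evaluate(acl, pkt)
    return {rule.seq: rule.hits for rule in acl}


# Constructed sample traffic toward 10.1.1.1: unfragmented TCP, a non-initial
# TCP fragment, a non-initial UDP fragment, and an unfragmented ICMP packet.
SAMPLE = [
    Packet("tcp", "192.0.2.10", "10.1.1.1", 0),
    Packet("tcp", "192.0.2.10", "10.1.1.1", 185),
    Packet("udp", "192.0.2.11", "10.1.1.1", 370),
    Packet("icmp", "192.0.2.12", "10.1.1.1", 0),
]


def shadowed_acl():
    """A broad permit first: the fragment-specific deny after it is never hit."""
    return [Rule(5, "permit", "ip", "any", "10.1.1.1/32"),
            Rule(10, "deny", "ip", "any", "10.1.1.1/32", fragment=True)]


def fragment_logging_acl():
    """Permit TCP/UDP non-initial fragments, deny and log everything else."""
    return [Rule(5, "permit", "tcp", "any", "any", fragment=True),
            Rule(10, "permit", "udp", "any", "any", fragment=True),
            Rule(15, "deny", "ip", "any", "any", log=True)]


if __name__ == "__main__":
    print(hit_counts(shadowed_acl(), SAMPLE))           # {5: 4, 10: 0}
    acl = fragment_logging_acl()
    for pkt in SAMPLE:
        print(pkt.proto, pkt.frag_offset, evaluate(acl, pkt))
```

Reordering the shadowed ACL so the fragment-specific deny precedes the broad permit changes the result for non-initial fragments only, which is the behaviour to check before relying on a fragment rule placed after a general permit.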
seq 25 deny ip host 10.5.0.0 any log Dell(config-std-nacl)# To delete a filter, use the no seq sequence-number command in IP ACCESS LIST mode. Configuring a Standard IP ACL Filter If you are creating a standard ACL with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. The software assigns filters in multiples of five. 1. Configure a standard IP ACL and assign it a unique name.
Configuring Filters with a Sequence Number To configure filters with a sequence number, use the following commands. 1. Enter IP ACCESS LIST mode by creating an extended IP ACL. CONFIGURATION mode ip access-list extended access-list-name 2. Configure a drop or forward filter.
Configuring Filters Without a Sequence Number If you are creating an extended ACL with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. Filters are assigned in multiples of five. To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the following commands: ● Configure a deny or permit filter to examine IP packets.
Table 6. L2 and L3 Filtering on Switched Packets (continued)
L2 ACL Behavior  L3 ACL Behavior  Decision on Targeted Traffic
Permit           Deny             L3 ACL denies.
Permit           Permit           L3 ACL permits.
NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets. The L3 ACL applied to such a port does not affect traffic. That is, existing rules for other features (such as trace-list, policy-based routing [PBR], and QoS) are applied to the permitted traffic.
NOTE: Port-based CAM Optimization is supported only on LM/LP front panel interfaces and is not available on PeGigE interfaces. Configuring an ACL VLAN Group Configure an ACL VLAN group to optimize ACL CAM use. NOTE: After you configure an ACL VLAN group, you must allocate CAM memory for ACL VLAN services to enable CAM optimization. See Allocating ACL VLAN CAM for more information. 1. Create an ACL VLAN group CONFIGURATION mode acl-vlan-group group-name 2. Add a description.
To display the number of FP blocks currently allocated to different ACL VLAN services, enter the show cam-acl-vlan command. To display the amount of CAM space currently used and available for Layer 2 and Layer 3 ACLs on the switch, enter the show cam-usage command. Applying an IP ACL To apply an IP ACL (standard or extended) to a physical or port channel interface, use the following commands. 1. Enter the interface number. CONFIGURATION mode interface interface slot/port 2.
Dell(config-ext-nacl)#permit tcp any any
Dell(config-ext-nacl)#deny icmp any any
Dell(config-ext-nacl)#permit 1.1.1.2
Dell(config-ext-nacl)#end
Dell#show ip accounting access-list
!
Extended Ingress IP access list abcd on pegigE 1/0/0
 seq 5 permit tcp any any
 seq 10 deny icmp any any
 seq 15 permit 1.1.1.2
Applying Egress ACLs Egress ACLs are supported on interfaces and affect the traffic leaving the system.
ipv6 control-plane [egress filter] 3. Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic. CONFIG-NACL mode permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address} count Dell Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group management protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU traffic.
Configuration Task List for Prefix Lists To configure a prefix list, use commands in PREFIX LIST, ROUTER RIP, ROUTER OSPF, and ROUTER BGP modes. Create the prefix list in PREFIX LIST mode and assign that list to commands in ROUTER RIP, ROUTER OSPF and ROUTER BGP modes. The following list includes the configuration tasks for prefix lists, as described in the following sections.
CONFIGURATION mode ip prefix-list prefix-name 2. Create a prefix list filter with a deny or permit action. CONFIG-NPREFIXL mode {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length] The optional parameters are: ● ge min-prefix-length: is the minimum prefix length to be matched (0 to 32). ● le max-prefix-length: is the maximum prefix length to be matched (0 to 32). The example shows a prefix list in which the sequence numbers were assigned by the software.
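As an added illustration of the ge/le length bounds described above (not code from the guide or from Dell Networking OS), the following evaluates routes against an ordered prefix list: first match wins, and a route that matches no entry is denied. Besides checking that the route's address falls within the entry's prefix, the entry matches only if the route's prefix length lies within the bounds. The default bounds when ge or le is omitted (exact length with neither; ge through the maximum length with ge alone; the entry's own length through le with le alone) are assumed common router behaviour, as is automatic sequence numbering in steps of five. The entry and route values are constructed.

```python
import ipaddress

# Constructed example, not Dell OS code. It evaluates prefix-list entries with
# ge/le prefix-length bounds; first match wins and unmatched routes are denied.


class PrefixList:
    def __init__(self, name):
        self.name = name
        self.entries = []   # (seq, action, network, low_len, high_len)

    def add(self, action, prefix, ge=None, le=None, seq=None):
        net = ipaddress.ip_network(prefix)
        maxlen = net.max_prefixlen        # 32 for IPv4, 128 for IPv6
        # Bound defaults (assumption, common router behaviour):
        #   neither ge nor le -> only the exact prefix length matches
        #   ge only           -> ge .. maxlen
        #   le only           -> net.prefixlen .. le
        low = net.prefixlen if ge is None else ge
        high = le if le is not None else (maxlen if ge is not None else net.prefixlen)
        if not net.prefixlen <= low <= high <= maxlen:
            raise ValueError("need prefix-length <= ge <= le <= %d" % maxlen)
        if seq is None:   # software-assigned numbers in multiples of five
            seq = 5 if not self.entries else (max(e[0] for e in self.entries) // 5 + 1) * 5
        self.entries.append((seq, action, net, low, high))
        self.entries.sort(key=lambda e: e[0])
        return seq

    def match(self, route):
        """Return (action, seq) of the first matching entry, or the implicit deny."""
        r = ipaddress.ip_network(route)
        for seq, action, net, low, high in self.entries:
            if r.version != net.version:
                continue
            # subnet_of() is False when the route is shorter than or outside the entry
            if r.subnet_of(net) and low <= r.prefixlen <= high:
                return action, seq
        return "deny", None

    def show(self):
        lines = ["ip prefix-list %s" % self.name]
        for seq, action, net, low, high in self.entries:
            bounds = ""
            if (low, high) != (net.prefixlen, net.prefixlen):
                bounds = " ge %d le %d" % (low, high)
            lines.append(" seq %d %s %s%s" % (seq, action, net, bounds))
        return lines


if __name__ == "__main__":
    pl = PrefixList("p4_le")                         # constructed entries
    pl.add("permit", "10.0.0.0/8", le=16)
    pl.add("deny", "10.0.0.0/8", ge=24)
    pl.add("permit", "192.168.0.0/16", ge=24, le=28)
    print("\n".join(pl.show()))
    for route in ("10.1.0.0/16", "10.1.2.0/24", "10.1.0.0/20", "192.168.5.0/26"):
        print(route, pl.match(route))
```

The bounds check in add() is the place where a misordered ge/le pair is rejected, which is the same class of mistake that on the switch silently produces an entry that can never match.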
count: 4, range entries: 1, sequences: 5 - 10 Dell> Applying a Prefix List for Route Redistribution To pass traffic through a configured prefix list, use the prefix list in a route redistribution command. Apply the prefix list to all traffic redistributed into the routing process. The traffic is either forwarded or dropped, depending on the criteria and actions specified in the prefix list. To apply a filter to routes in RIP, use the following commands. ● Enter RIP mode.
distribute-list prefix awe in Dell(conf-router_ospf)# ACL Remarks While defining ACL rules, you can optionally include a remark to make the ACLs more descriptive. You can include a remark with a maximum of 80 characters in length. The remark command is available in each ACL mode. You can configure up to 4294967291 remarks for a given IP ACL and 65536 remarks for a given MAC ACL. You can include a remark with or without a remark number.
The following is an example of removing a remark.
resequence prefix-list {ipv4 | ipv6} {prefix-list-name StartingSeqNum Step-to-Increment} The example shows the resequencing of an IPv4 access list beginning with the number 2 and incrementing by 2. Remarks and rules that originally have the same sequence number keep a shared sequence number after you apply the resequence command. The following example shows resequencing ACLs when the remarks and rules have the same number.
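The following added example (not code from the guide or from Dell Networking OS) models the sequence-number behaviour described for IP ACLs: software-assigned numbers in multiples of five when no seq is given, explicit seq values that insert a filter into position, deletion by seq, and resequence from a starting number with a step. The edge case it takes care of is the one stated above: a remark and a rule that share an original number still share a number after resequencing, so the remark stays attached to its rule. The 32-bit sequence limit and the sample rule text are assumptions.

```python
# Constructed example, not Dell OS code. It models ACL sequence numbers as the
# guide describes them: auto-assigned in multiples of five, explicit 'seq n'
# inserts into position, 'no seq n' deletes, and 'resequence' renumbers while
# keeping a remark and the rule that share a number together.

MAX_SEQ = 4294967295   # assumption: 32-bit sequence space


class AccessList:
    def __init__(self, name):
        self.name = name
        self.entries = []   # (seq, kind, text), kept sorted; kind is "remark" or "rule"

    def _next_seq(self):
        """Next multiple of five above the highest number in use (5 when empty)."""
        seqs = [s for s, _, _ in self.entries]
        return 5 if not seqs else (max(seqs) // 5 + 1) * 5

    def add(self, text, seq=None, remark=False):
        if seq is None:
            seq = self._next_seq()
        if not 1 <= seq <= MAX_SEQ:
            raise ValueError("sequence number out of range")
        kind = "remark" if remark else "rule"
        if any(s == seq and k == kind for s, k, _ in self.entries):
            raise ValueError("sequence %d already holds a %s" % (seq, kind))
        self.entries.append((seq, kind, text))
        # a remark sorts ahead of the rule that shares its number
        self.entries.sort(key=lambda e: (e[0], e[1] != "remark"))
        return seq

    def delete(self, seq, remark=False):
        """'no seq n' (or 'no remark n'); returns how many entries were removed."""
        kind = "remark" if remark else "rule"
        before = len(self.entries)
        self.entries = [e for e in self.entries if not (e[0] == seq and e[1] == kind)]
        return before - len(self.entries)

    def resequence(self, start, step):
        """Renumber from start in increments of step; shared numbers stay shared."""
        new_seq, nxt = {}, start
        for seq, _, _ in self.entries:
            if seq not in new_seq:
                new_seq[seq] = nxt
                nxt += step
        if new_seq and max(new_seq.values()) > MAX_SEQ:
            raise ValueError("resequence would exceed the maximum sequence number")
        self.entries = [(new_seq[s], k, t) for s, k, t in self.entries]
        return [s for s, _, _ in self.entries]

    def show(self):
        """Render roughly as 'show config' would list the entries."""
        lines = ["ip access-list extended %s" % self.name]
        for seq, kind, text in self.entries:
            prefix = "remark " if kind == "remark" else ""
            lines.append(" seq %d %s%s" % (seq, prefix, text))
        return lines


if __name__ == "__main__":
    acl = AccessList("abcd")                       # constructed sample entries
    acl.add("permit tcp any any")
    acl.add("deny icmp any any")
    acl.add("permit ip 1.1.1.2/32 any")
    acl.add("Block ICMP", seq=10, remark=True)     # remark shares number 10
    acl.add("permit udp any any", seq=7)           # explicit insert between 5 and 10
    print("\n".join(acl.show()))
    acl.resequence(2, 2)
    print("\n".join(acl.show()))
```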
Route Maps Although route maps are similar to ACLs and prefix lists in that they consist of a series of commands that contain a matching criterion and an action, route maps can modify parameters in matching packets. ACLs and prefix lists can only drop or forward the packet or traffic. Route maps process routes for route redistribution. For example, a route map can be called to filter only specific routes and to add a metric. Route maps also have an “implicit deny.
The default action is permit and the default sequence number starts at 10. When you use the keyword deny in configuring a route map, routes that meet the match filters are not redistributed. To view the configuration, use the show config command in ROUTE-MAP mode. The following example shows viewing a configured route-map.
When there are multiple match commands with the same parameter under one instance of route-map, the system does a match between all of those match commands. If there are multiple match commands with different parameters, the system does a match ONLY if there is a match among ALL the match commands. In the following example, there is a match if a route has any of the tag values specified in the match commands.
match ip address prefix-list-name ● Match destination routes specified in a prefix list (IPv6). CONFIG-ROUTE-MAP mode match ipv6 address prefix-list-name ● Match next-hop routes specified in a prefix list (IPv4). CONFIG-ROUTE-MAP mode match ip next-hop {access-list-name | prefix-list prefix-list-name} ● Match next-hop routes specified in a prefix list (IPv6). CONFIG-ROUTE-MAP mode match ipv6 next-hop {access-list-name | prefix-list prefix-list-name} ● Match source routes specified in a prefix list (IPv4).
set metric {+ | - | metric-value} ● Specify an OSPF or ISIS type for redistributed routes. CONFIG-ROUTE-MAP mode set metric-type {external | internal | type-1 | type-2} ● Assign an IP address as the route’s next hop. CONFIG-ROUTE-MAP mode set next-hop ip-address ● Assign an IPv6 address as the route’s next hop. CONFIG-ROUTE-MAP mode set ipv6 next-hop ip-address ● Assign an ORIGIN attribute. CONFIG-ROUTE-MAP mode set origin {egp | igp | incomplete} ● Specify a tag for the redistributed routes.
Configure a Route Map for Route Tagging One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol. As the route enters a different routing domain, it is tagged. The tag is passed along with the route as it passes through different routing protocols. You can use this tag when the route leaves a routing domain to redistribute those routes again.
EXEC mode EXEC Privilege mode show cam-acl 4. Create a UDF packet format in the UDF TCAM table. CONFIGURATION mode udf-tcam name seq number Dell(conf)#udf-tcam ipnip seq 1 5. Configure a UDF ID to parse packet headers using the specified number of offset and required bytes. CONFIGURATION-UDF TCAM mode key description udf-id id packetbase PacketBase offset bytes length bytes Dell(conf-udf-tcam)#key innerL3header udf-id 6 packetbase innerL3Header offset 0 length 2 6. View the UDF TCAM configuration.
CONFIGURATION-EXTENDED-ACCESS-LIST mode permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address} udf-pkt-format name udf-qualifier-value name Dell(config-ext-nacl)#permit ip any any udf-pkt-format ipinip udf-qualifier-value ipnip_val1 12. View the UDF TCAM configuration.
7 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 10. BFD in IPv4 Packet Format
Field             Description
Diagnostic Code   The reason that the last session failed.
State             The current local session state. Refer to BFD Sessions.
Flag              A bit that indicates packet function.
Field                   Description
Your Discriminator      A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Desired Min TX Interval The minimum rate at which the local system would like to send control packets to the remote system.
Up Both systems are exchanging control packets. The session is declared down if: ● A control packet is not received within the detection time. ● Sufficient echo packets are lost. ● Demand mode is active and a control packet is not received in response to a poll packet. BFD Three-Way Handshake A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 12.
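The packet layout in Figure 10 and the state changes described here (including the three-way handshake above) are both illustrated by the following added example, which is not code from the guide or from Dell Networking OS. It encodes and validates the 24-byte mandatory section of a BFD control packet as RFC 5880 defines it (version, diagnostic, state, flags, detect multiplier, length, discriminators and intervals), then drives two sessions through Down, Init and Up by exchanging those packets. It also computes the detection time from the peer's multiplier and the negotiated interval, which is how the 200 ms / 200 ms / multiplier 3 values in the show bfd neighbors output later in this chapter translate into a 600 ms failure detection window. Discriminators and intervals are constructed sample values.

```python
import struct

# Constructed example, not Dell OS code. It follows RFC 5880 for the control
# packet layout and for the session state transitions.
BFD_STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
BFD_STATE_CODE = {name: code for code, name in BFD_STATES.items()}
DIAG_DETECT_EXPIRED = 1     # Control Detection Time Expired
DIAG_NEIGHBOR_DOWN = 3      # Neighbor Signaled Session Down
HEADER = struct.Struct("!BBBBIIIII")   # 24-byte mandatory section


def build_bfd_control(state, my_disc, your_disc, tx_us, rx_us, mult, diag=0, flags=0):
    """Encode a version-1 BFD control packet without an authentication section."""
    b0 = (1 << 5) | (diag & 0x1F)                  # Vers(3) | Diag(5)
    b1 = (BFD_STATE_CODE[state] << 6) | (flags & 0x3F)   # Sta(2) | P F C A D M
    return HEADER.pack(b0, b1, mult, HEADER.size, my_disc, your_disc, tx_us, rx_us, 0)


def parse_bfd_control(data):
    """Decode the mandatory section and apply the RFC 5880 6.8.6 reception checks."""
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than the BFD header")
    b0, b1, mult, length, my_disc, your_disc, tx, rx, echo = HEADER.unpack(data[:HEADER.size])
    if b0 >> 5 != 1:
        raise ValueError("unsupported BFD version")
    flags = {name: bool(b1 & bit) for name, bit in
             (("P", 0x20), ("F", 0x10), ("C", 0x08), ("A", 0x04), ("D", 0x02), ("M", 0x01))}
    if length != len(data) or (flags["A"] and length < 26):
        raise ValueError("Length field does not match the packet")
    if mult == 0 or my_disc == 0:
        raise ValueError("Detect Mult and My Discriminator must be nonzero")
    return {"diag": b0 & 0x1F, "state": BFD_STATES[b1 >> 6], "flags": flags,
            "detect_mult": mult, "my_disc": my_disc, "your_disc": your_disc,
            "desired_min_tx": tx, "required_min_rx": rx, "required_min_echo_rx": echo}


class BfdSession:
    """Local side of one BFD session, tracking the handshake state machine."""

    def __init__(self, local_disc, desired_min_tx_us, required_min_rx_us, detect_mult):
        self.local_disc = local_disc
        self.desired_min_tx = desired_min_tx_us
        self.required_min_rx = required_min_rx_us
        self.detect_mult = detect_mult
        self.state, self.diag = "Down", 0
        self.remote_disc, self.remote_state = 0, "Down"
        self.remote_desired_min_tx, self.remote_detect_mult = 0, 0

    def outgoing(self):
        return build_bfd_control(self.state, self.local_disc, self.remote_disc,
                                 self.desired_min_tx, self.required_min_rx,
                                 self.detect_mult, self.diag)

    def receive(self, data):
        """Apply a received packet; returns the new state or None if discarded."""
        pkt = parse_bfd_control(data)
        if pkt["your_disc"] not in (0, self.local_disc):
            return None          # addressed to some other session
        if pkt["your_disc"] == 0 and pkt["state"] not in ("Down", "AdminDown"):
            return None          # only Down/AdminDown may carry Your Discriminator 0
        if self.state == "AdminDown":
            return None
        self.remote_disc, self.remote_state = pkt["my_disc"], pkt["state"]
        self.remote_desired_min_tx = pkt["desired_min_tx"]
        self.remote_detect_mult = pkt["detect_mult"]
        rs = pkt["state"]
        if rs == "AdminDown":
            if self.state != "Down":
                self.state, self.diag = "Down", DIAG_NEIGHBOR_DOWN
        elif self.state == "Down":
            if rs == "Down":
                self.state = "Init"
            elif rs == "Init":
                self.state = "Up"
        elif self.state == "Init":
            if rs in ("Init", "Up"):
                self.state = "Up"
        elif rs == "Down":       # self.state == "Up"
            self.state, self.diag = "Down", DIAG_NEIGHBOR_DOWN
        return self.state

    def detection_time_us(self):
        """RFC 5880 6.8.4: remote Detect Mult * max(local Required Min RX, remote Desired Min TX)."""
        return self.remote_detect_mult * max(self.required_min_rx, self.remote_desired_min_tx)

    def detection_timer_expired(self):
        """No control packet within the detection time: declare the session down."""
        self.state, self.diag = "Down", DIAG_DETECT_EXPIRED
        return self.state


def three_way_handshake(a, b):
    """Exchange packets until both sides reach Up; returns both states."""
    b.receive(a.outgoing())      # A sends Down  -> B moves to Init
    a.receive(b.outgoing())      # B sends Init  -> A moves to Up
    b.receive(a.outgoing())      # A sends Up    -> B moves to Up
    return a.state, b.state


if __name__ == "__main__":
    a, b = BfdSession(1, 200000, 200000, 3), BfdSession(2, 200000, 200000, 3)
    print(three_way_handshake(a, b), a.detection_time_us(), "us")
```

The discriminator checks in receive() are what keep a stray or replayed control packet from altering the wrong session: a packet whose Your Discriminator names another session is ignored, and only a packet in the Down or AdminDown state may arrive with a zero Your Discriminator.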
Configure BFD for Physical Ports Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. When you enable BFD, the local system removes the route as soon as it stops receiving periodic control packets from the remote system.
Actual parameters: TX: 100ms, RX: 100ms, Multiplier: 4
Role: Passive
Delete session on Down: False
Client Registered: CLI
Uptime: 00:09:06
Statistics:
Number of packets received from neighbor: 4092
Number of packets sent to neighbor: 4093
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 7
Disabling and Re-Enabling BFD BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configur
Establishing Sessions for Static Routes Sessions are established for all neighbors that are the next hop of a static route.
Figure 13. Establishing Sessions for Static Routes
To establish a BFD session, use the following command.
● Establish BFD sessions for all neighbors that are the next hop of a static route. CONFIGURATION mode ip route bfd
To verify that sessions have been created for static routes, use the show bfd neighbors command.
R1(conf)#ip route 2.2.3.0/24 2.2.2.
Example Configuration and Verification The following example contains static routes for both default and nondefault VRFs.
Dell#sh run | grep bfd
bfd enable
ip route bfd prefix-list p4_le
ip route bfd vrf vrf1
ip route bfd vrf vrf2
ip route bfd vrf vrf1 prefix-list p4_le
The following example shows that sessions are created for static routes for the default VRF. The following example shows that sessions are created for static routes for the nondefault VRFs.
Changing Static Route Session Parameters BFD sessions are configured with default intervals and a default role. The parameters you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all static routes. If you change a parameter, the change affects all sessions for static routes. To change parameters for static route sessions, use the following command. ● Change parameters for all static route sessions.
Establishing Sessions for IPv6 Static Routes for Nondefault VRF You can also create nondefault VRFs and establish sessions for all neighbors that are the next hop of a static route. To establish a BFD session for nondefault VRFs, use the following command. ● Establish BFD sessions for all IPv6 neighbors that are the next hop of a static route.
Configuring BFD for OSPF is a two-step process: 1. Enable BFD globally. 2. Establish sessions with OSPF neighbors. Related Configuration Tasks ● Changing OSPF Session Parameters ● Disabling BFD for OSPF Changing OSPF Session Parameters Configure BFD sessions with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role.
Establishing Sessions with OSPF Neighbors

BFD sessions can be established with all OSPF neighbors at once, or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.

Figure 14. Establishing Sessions with OSPF Neighbors

To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands.
● Establish sessions with all OSPF neighbors.
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.2   2.2.2.1      Te 2/1      Up      200      200      3      O
* 2.2.3.1   2.2.3.2      Te 2/2      Up      200      200      3      O

Establishing Sessions with OSPF Neighbors for nondefault VRFs

To configure BFD in a nondefault VRF, follow this procedure:
● Enable BFD globally.
  CONFIGURATION mode
  bfd enable
● Establish sessions with all OSPF neighbors in a specific VRF.
R - Static Route (RTM)
M - MPLS
V - VRRP
VT - Vxlan Tunnel
LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   VRF   Clients
* 5.1.1.1   5.1.1.2      Po 30       Up      200      200      3      255   O
* 6.1.1.1   6.1.1.2      Vl 30       Up      200      200      3      255   O
Dell# show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 10.1.3.2
Local MAC Addr: 00:01:e8:02:15:0e
Remote Addr: 10.1.3.
Int: Vlan 30
State: Up
Configured parameters: TX: 200ms, RX: 200ms, Multiplier: 3
Neighbor parameters: TX: 200ms, RX: 200ms, Multiplier: 3
Actual parameters: TX: 200ms, RX: 200ms, Multiplier: 3
Role: Active
Delete session on Down: True
VRF: VRF_blue
Client Registered: OSPF
Uptime: 00:00:15
Statistics:
  Number of packets received from neighbor: 78
  Number of packets sent to neighbor: 78
  Number of state changes: 1
  Number of messages from IFA about port state change: 0
  Number of messages communicated b/w Manager
To view session parameters, use the show bfd neighbors detail command, as shown in the example in Displaying BFD for BGP Information.
● Change parameters for all OSPFv3 sessions.
  ROUTER-OSPFv3 mode
  bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
● Change parameters for OSPFv3 sessions on a single interface.
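The interval, min_rx and multiplier values configured with the commands above are only one side's wishes; the "Actual parameters" line in the show bfd neighbors detail output is the result of negotiating them with the neighbor's values. The following added example (not code from the Dell guide) parses the Configured and Neighbor lines as the detail output prints them, derives the actual timers and the detection time using the RFC 5880 asynchronous-mode rules, and checks that the Actual line agrees; SAMPLE_DETAIL is constructed from the values in the output above.

```python
import re
from dataclasses import dataclass

# Matches the parameter lines exactly as "show bfd neighbors detail" prints them.
PARAM_RE = re.compile(
    r"(Configured|Neighbor|Actual) parameters: TX: (\d+)ms, RX: (\d+)ms, Multiplier: (\d+)"
)


@dataclass(frozen=True)
class BfdParams:
    tx: int          # Desired Min TX Interval, ms
    rx: int          # Required Min RX Interval, ms
    multiplier: int  # Detection Multiplier


def parse_detail(text: str) -> dict:
    """Return the Configured, Neighbor and (if present) Actual parameter sets of one session."""
    found = {m.group(1): BfdParams(int(m.group(2)), int(m.group(3)), int(m.group(4)))
             for m in PARAM_RE.finditer(text)}
    missing = {"Configured", "Neighbor"} - set(found)
    if missing:
        raise ValueError(f"detail output lacks {sorted(missing)} parameters")
    return found


def negotiate(local: BfdParams, neighbor: BfdParams) -> BfdParams:
    """Timers the local system actually runs with (RFC 5880 section 6.8.4, asynchronous mode):
    it must not send faster than the neighbor is willing to receive, and it cannot expect
    packets faster than the neighbor is willing to send. The multiplier stays the local one."""
    return BfdParams(tx=max(local.tx, neighbor.rx),
                     rx=max(local.rx, neighbor.tx),
                     multiplier=local.multiplier)


def detection_time_ms(local: BfdParams, neighbor: BfdParams) -> int:
    """Silence, in ms, after which the local side declares the session Down: the neighbor's
    multiplier times the neighbor's effective transmit interval (RFC 5880 section 6.8.4)."""
    return neighbor.multiplier * max(local.rx, neighbor.tx)


def check_actual(text: str) -> bool:
    """True when the 'Actual parameters' line in the output equals what negotiation predicts."""
    p = parse_detail(text)
    return "Actual" in p and p["Actual"] == negotiate(p["Configured"], p["Neighbor"])


# Constructed sample, built from the values in the detail output above.
SAMPLE_DETAIL = """Session Discriminator: 1
Neighbor Discriminator: 1
Int: Vlan 30
State: Up
Configured parameters: TX: 200ms, RX: 200ms, Multiplier: 3
Neighbor parameters: TX: 200ms, RX: 200ms, Multiplier: 3
Actual parameters: TX: 200ms, RX: 200ms, Multiplier: 3
Role: Active
"""

if __name__ == "__main__":
    params = parse_detail(SAMPLE_DETAIL)
    print("negotiated:", negotiate(params["Configured"], params["Neighbor"]))
    print("detection time (ms):", detection_time_ms(params["Configured"], params["Neighbor"]))
    print("Actual line consistent:", check_actual(SAMPLE_DETAIL))
```

With symmetric 200 ms timers and a multiplier of 3, a failed next hop is detected after 600 ms; raising only the local multiplier does not lengthen the local detection time, because the neighbor's multiplier governs it.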
* 11.1.1.1   11.1.1.2   Vl 101   Up   150   150   3   511   O
* 12.1.1.1   12.1.1.2   Vl 102   Up   150   150   3   511   O
* 13.1.1.1   3 511 O 13.1.1.
1. Enable BFD globally.
2. Establish sessions for all or particular IS-IS neighbors.

Related Configuration Tasks
● Changing IS-IS Session Parameters
● Disabling BFD for IS-IS

Establishing Sessions with IS-IS Neighbors

BFD sessions can be established for all IS-IS neighbors at once, or sessions can be established for all neighbors out of a specific interface.

Figure 15.
The bold line shows that IS-IS BFD sessions are enabled.
R2(conf-router_isis)#bfd all-neighbors
R2(conf-router_isis)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.2   2.2.2.1      Te 2/1      Up      200      200      3      I

Changing IS-IS Session Parameters

BFD sessions are configured with default intervals and a default role.
Prerequisites

Before configuring BFD for BGP, you must first configure the following settings:
1. Configure BGP on the routers that you want to interconnect, as described in Border Gateway Protocol IPv4 (BGPv4).
2. Enable fast fall-over for BGP neighbors to reduce convergence time (the neighbor fall-over command), as described in BGP Fast Fall-Over.

Establishing Sessions with BGP Neighbors

Before configuring BFD for BGP, you must first configure BGP on the routers that you want to interconnect.
within the detection interval, the router informs any clients of the BFD session (other routing protocols) about the failure. Each routing protocol that uses the BGP link then determines its own response to the failure condition. The typical response is to terminate the peering session for the routing protocol and reconverge by bypassing the failed neighboring router. A log message is generated whenever BFD detects a failure condition.
1. Enable BFD globally.
6. Add an IPv6 BGP neighbor or peer group in a remote AS.
   CONFIG-ROUTERBGP_ADDRESSFAMILY mode
   neighbor {ipv6-address | peer-group name} remote-as as-number
7. Enable the BGP neighbor.
   CONFIG-ROUTERBGP_ADDRESSFAMILY mode
   neighbor {ipv6-address | peer-group-name} no shutdown
8. Specify the address family as IPv6.
   CONFIG-ROUTERBGP_ADDRESSFAMILY mode
   address-family ipv6 unicast vrf vrf-name
   NOTE: Before performing this step, create the required VRF.
9. Activate the neighbor in the IPv6 address family.
ROUTER BGP mode
no neighbor {ip-address | peer-group-name} bfd disable

Displaying BFD for BGP Information

You can display related information for BFD for BGP. To display information about BFD for BGP sessions on a router, use the following commands and refer to the following examples.
● Verify a BFD for BGP configuration.
  EXEC Privilege mode
  show running-config bgp
● Verify that a BFD for BGP session has been successfully established with a BGP neighbor.
● Message displayed when you enable a BFD session with a BGP neighbor that inherits the global BFD session settings configured with the global bfd all-neighbors command.
● Message displayed when you enable a BFD session with a BGP neighbor using the neighbor ip-address bfd command.
● Message displayed when you enable a BGP neighbor in a peer group for which you enabled a BFD session using the neighbor peer-group-name bfd command.
R2# show ip bgp neighbors 2.2.2.2
BGP neighbor is 2.2.2.
Configure BFD for VRRP

When using BFD with VRRP, the VRRP protocol registers with the BFD manager. BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred.

Configuring BFD for VRRP is a three-step process:
1. Enable BFD globally.
2. Establish VRRP BFD sessions with all VRRP-participating neighbors.
3.
Establishing VRRP Sessions on VRRP Neighbors

The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. VRRP BFD sessions on the backup router cannot change to the UP state. Configure the master router to establish an individual VRRP session with the backup router. To establish a session with a particular VRRP neighbor, use the following command.
● Establish a session with a particular VRRP neighbor.
To view session parameters, use the show bfd neighbors detail command, as shown in the show bfd neighbors example under Verifying BFD Sessions with BGP Neighbors in Displaying BFD for BGP Information.

Disabling BFD for VRRP

If you disable any or all VRRP sessions, the sessions are torn down. A final Admin Down control packet is sent to all neighbors, and sessions on the remote system change to the Down state.
8 Border Gateway Protocol IPv4 (BGPv4)

This chapter provides a general description of BGPv4 as it is supported in the Dell Networking OS. BGP protocol standards are listed in the Standards Compliance chapter.

BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of BGP is to exchange network reachability information with other BGP systems.
Figure 18. Interior BGP

BGP version 4 (BGPv4) supports classless interdomain routing, aggregate routes, and AS paths. BGP is a path vector protocol: BGP records the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are therefore easily detected and discarded.
Figure 19. BGP Routers in Full Mesh

The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible.

Sessions and Peers

When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.

Establish a Session

Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies.
State     Description
Idle      BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer.
Connect   In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active    The router resets the ConnectRetry timer to zero and returns to the Connect state.
Figure 20. BGP Router Rules

1. Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D.
2. Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
3.
order in which they were received from the neighbors, because MED may or may not get compared between the adjacent paths. In deterministic mode, the system compares MED between the adjacent paths within an AS group because all paths in the AS group are from the same AS.

The following illustration shows the decisions BGP goes through to select the best path. The list following the illustration details the path selection criteria.

Figure 21. BGP Best Path Selection

Best Path Selection Details
1.
9. The system deems the paths equal and does not perform steps 9 through 11 if all of the following criteria are met:
   a. IBGP multipath or EBGP multipath is configured (the maximum-path command).
   b. The paths being compared were received from the same AS, with the same number of ASs in the AS Path but with different NextHops.
   c. The paths were received from IBGP or EBGP neighbors, respectively.
10. If the bgp bestpath router-id ignore command is enabled and:
   a.
Figure 22. BGP Local Preference

Multi-Exit Discriminators (MEDs)

If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 23. Multi-Exit Discriminators

Origin

The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.

Origin Type   Description
IGP           Indicates the prefix originated from information learned through an interior gateway protocol.
EGP           Indicates the prefix originated from information learned from an EGP protocol, which BGP replaced.
INCOMPLETE    Indicates that the prefix originated from an unknown source.
Advertise IGP Cost as MED for Redistributed Routes When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as MED value. Use the set metric-type internal command in a route-map to advertise the IGP cost as the MED to outbound EBGP peers when redistributing routes.
Traditional Format   DOT Format
100000               1.34464
4294967295           65535.65535

When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte identified routers. You cannot mix them. Configure 4-byte AS numbers with the four-octet-support command.

AS4 Number Representation

Multiple representations of 4-byte AS numbers (asplain, asdot+, and asdot) are supported.
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature.
bgp four-octet-as-support
neighbor 172.30.1.250 local-as 65057
Figure 24. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
Important Points to Remember
● Because eBGP packets are not controlled by the ACL, packets from BGP neighbors cannot be blocked using the deny ip command.
● The f10BgpM2AsPathTableEntry table, f10BgpM2AsPathSegmentIndex, and f10BgpM2AsPathElementIndex are used to retrieve a particular ASN from the AS path. These indices are assigned to the AS segments and individual ASN in each segment starting from 0.
● deterministic multi-exit discriminator (MED) (default)
● a path with a missing MED is treated as worst path and assigned an MED value of (0xffffffff)
● the community format follows RFC 1998
● delayed configuration (the software at system boot reads the entire configuration file prior to sending messages to start BGP peer sessions)

The following are not yet supported:
● auto-summarization (the default is no auto-summary)
● synchronization (the default is no synchronization)

BGP Configuration

To enable t
In BGP, routers with an established TCP connection are called neighbors or peers. After a connection is established, the neighbors exchange full BGP routing tables with incremental updates afterward. In addition, neighbors exchange KEEPALIVE messages to maintain the connection. In BGP, neighbor routers or peers can be classified as internal or external.
number displayed (in bold); the second example shows the summary with a 4-byte AS number using the show ip bgp summary command (the 4-byte AS number is displayed in bold).
R2#show ip bgp summary
BGP router identifier 192.168.10.
For address family: IPv4 Unicast
BGP table version 216613, neighbor version 201190
130195 accepted prefixes consume 520780 bytes
Prefix advertised 49304, rejected 0, withdrawn 36143
Connections established 1; dropped 0
Last reset never
Local host: 10.114.8.39, Local port: 1037
Foreign host: 10.114.8.60, Foreign port: 179
BGP neighbor is 10.1.1.1, remote AS 65535, internal link
Administratively shut down
BGP version 4, remote router ID 10.0.0.
Term    Description
ASDOT   A representation that combines the ASPLAIN and ASDOT+ representations. AS numbers less than 65536 appear in integer format (asplain); AS numbers equal to or greater than 65536 appear using the decimal method (asdot+). For example, the AS number 65526 appears as 65526 and the AS number 65546 appears as 1.10.
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature.
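The three representations of one AS number (asplain, asdot+ and asdot) as an added worked example that is not from the Dell guide: it converts between them using the guide's own values (100000 is 1.34464, 4294967295 is 65535.65535, 65546 is 1.10 in asdot but 0.65546 in asdot+) and rejects values outside the 4-byte range, so an operator can check what a peer's asdot-printed AS number really is before configuring remote-as.

```python
AS_MAX = 4294967295  # largest 4-byte AS number (65535.65535 in dotted form)


def _check(asn: int) -> None:
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"AS number {asn} is outside 0..{AS_MAX}")


def to_asplain(asn: int) -> str:
    """Plain decimal integer, the only form usable without 4-byte AS support for values above 65535."""
    _check(asn)
    return str(asn)


def to_asdot_plus(asn: int) -> str:
    """ASDOT+: always <high 16 bits>.<low 16 bits>, so 65526 becomes 0.65526."""
    _check(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def to_asdot(asn: int) -> str:
    """ASDOT: asplain below 65536, asdot+ from 65536 upward (the mixed form the table above describes)."""
    _check(asn)
    return str(asn) if asn < 65536 else to_asdot_plus(asn)


def parse_asn(text: str) -> int:
    """Accept any of the three representations and return the integer AS number."""
    text = text.strip()
    if "." in text:
        high, low = text.split(".")          # more than one dot raises ValueError from unpacking
        hi, lo = int(high), int(low)
        if not (0 <= hi <= 65535 and 0 <= lo <= 65535):
            raise ValueError(f"dotted AS number {text} has a part outside 0..65535")
        return (hi << 16) | lo
    asn = int(text)
    _check(asn)
    return asn


def needs_four_octet_support(asn: int) -> bool:
    """True when the number does not fit a 2-byte AS field, i.e. the bgp four-octet-as-support
    feature is required before this value can be used as a local or remote AS."""
    _check(asn)
    return asn > 65535


if __name__ == "__main__":
    for value in (65057, 65526, 65546, 100000, AS_MAX):
        print(f"{to_asplain(value):>10}  asdot={to_asdot(value):<12} asdot+={to_asdot_plus(value)}")
```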
neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
neighbor 172.30.1.250 no shutdown
5332332 9911991 65057 18508 12182 7018 46164 i

Configuring Peer Groups

To configure multiple BGP neighbors at one time, create and populate a BGP peer group. An advantage of peer groups is that members of a peer group inherit the configuration properties of the group and share the same update policy. A maximum of 256 peer groups are allowed on the system.
● neighbor route-map out
● neighbor route-reflector-client
● neighbor send-community

A neighbor may keep its configuration after it was added to a peer group if the neighbor's configuration is more specific than the peer group's and if the neighbor's configuration does not affect outgoing updates.
NOTE: When you configure a new set of BGP policies for a peer group, always reset the peer group by entering the clear ip bgp peer-group peer-group-name command in EXEC Privilege mode.
Dell>

Configuring BGP Fast Fail-Over

By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fail-over feature reduces the convergence time while maintaining stability.
fail-over enabled
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 52, neighbor version 52
4 accepted prefixes consume 16 bytes
Prefix advertised 0, denied 0, withdrawn 0
Connections established 6; dropped 5
Last reset 00:19:37, due to Reset by peer
Notification History
  'Connection Reset' Sent : 5 Recv: 0
Local host: 200.200.200.200, Local port: 65519
Foreign host: 100.100.100.
   CONFIG-ROUTER-BGP mode
   neighbor peer-group-name subnet subnet-number mask
   The peer group responds to OPEN messages sent on this subnet.
3. Enable the peer group.
   CONFIG-ROUTER-BGP mode
   neighbor peer-group-name no shutdown
4. Create and specify a remote peer for the BGP neighbor.
   CONFIG-ROUTER-BGP mode
   neighbor peer-group-name remote-as as-number
Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED.
Allowing an AS Number to Appear in its Own AS Path

This command allows you to set the number of times a particular AS number can occur in the AS path. The allow-as feature permits a BGP speaker to accept an update from a peer in which its own ASN is present up to the specified number of times. An AS-PATH loop is detected if the local ASN is present more times than the number specified in the command.
   {deny | permit} filter parameter
   This is the filter that is used to match the AS-path. The entries can be any format: letters, numbers, or regular expressions. You can enter this command multiple times if multiple filters are desired. For accepted expressions, refer to Regular Expressions as Filters.
3. Return to CONFIGURATION mode.
   AS-PATH ACL mode
   exit
4. Enter ROUTER BGP mode.
   CONFIGURATION mode
   router bgp as-number
5. Use a configured AS-PATH ACL for route filtering and manipulation.
Regular Expression   Definition
* (asterisk)         Matches 0 or more sequences of the immediately previous character or pattern.
+ (plus)             Matches 1 or more sequences of the immediately previous character or pattern.
? (question)         Matches 0 or 1 sequence of the immediately previous character or pattern.
Redistributing Routes

In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP process. With the redistribute command, you can include ISIS, OSPF, static, or directly connected routes in the BGP process. To add routes from other routing instances or protocols, use any of the following commands in ROUTER BGP mode.
● Include directly connected or user-configured (static) routes in BGP.
Configuring IP Community Lists

Multiple methods of manipulating routing attributes are supported in the Dell Networking OS. One attribute you can manipulate is the COMMUNITY attribute. This attribute is an optional attribute that is defined for a group of destinations. You can assign a COMMUNITY attribute to BGP routers by using an IP community list. After you create an IP community list, you can apply routing decisions to all routers meeting the criteria in the IP community list.
Configuring an IP Extended Community List

To configure an IP extended community list, use these commands.
1. Create an extended community list and enter the EXTCOMMUNITY-LIST mode.
   CONFIGURATION mode
   ip extcommunity-list extcommunity-list-name
2. Two types of extended communities are supported.
   exit
4. Enter ROUTER BGP mode.
   CONFIGURATION mode
   router bgp as-number
   AS-number: 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.65535 (Dotted format)
5. Apply the route map to the neighbor or peer group's incoming or outgoing routes.
   CONFIG-ROUTER-BGP mode
   neighbor {ip-address | peer-group-name} route-map map-name {in | out}
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
To view a route map configuration, use the show route-map command in EXEC Privilege mode. To view BGP routes matching a certain community number or a pre-defined BGP community, use the show ip bgp community command in EXEC Privilege mode.
Dell>show ip bgp community
BGP table version is 3762622, local router ID is 10.114.8.
   bgp default local-preference value
   ○ value: the range is from 0 to 4294967295. The default is 100.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.

A more flexible method for manipulating the LOCAL_PREF attribute value is to use a route map.
1. Enter the ROUTE-MAP mode and assign a name to a route map.
   CONFIGURATION mode
   route-map map-name [permit | deny] [sequence-number]
2.
Changing the WEIGHT Attribute

To change how the WEIGHT attribute is used, enter the first command. You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to specify the next hop address.
● Assign a weight to the neighbor connection.
  CONFIG-ROUTER-BGP mode
  neighbor {ip-address | peer-group-name} weight weight
  ○ weight: the range is from 0 to 65535. The default is 0.
● Set the weight for the route.
To filter routes using prefix lists, use the following commands.
1. Create a prefix list and assign it a name.
   CONFIGURATION mode
   ip prefix-list prefix-name
2. Create multiple prefix list filters with a deny or permit action.
   CONFIG-PREFIX LIST mode
   seq sequence-number {deny | permit} {any | ip-prefix [ge | le] }
   ● ge: minimum prefix length to be matched.
   ● le: maximum prefix length to be matched.
   For information about configuring prefix lists, refer to Access Control Lists (ACLs).
3.
   router bgp as-number
5. Filter routes based on the criteria in the configured route map.
   CONFIG-ROUTER-BGP mode
   neighbor {ip-address | peer-group-name} route-map map-name {in | out}
   Configure the following parameters:
   ● ip-address or peer-group-name: enter the neighbor's IP address or the peer group's name.
   ● map-name: enter the name of a configured route map.
   ● in: apply the route map to inbound routes.
   ● out: apply the route map to outbound routes.
● Assign an ID to a route reflector cluster.
  CONFIG-ROUTER-BGP mode
  bgp cluster-id cluster-id
  You can have multiple clusters in an AS.
● Configure the local router as a route reflector; the neighbor or peer group identified is the route reflector client.
  CONFIG-ROUTER-BGP mode
  neighbor {ip-address | peer-group-name} route-reflector-client
  When you enable a route reflector, the system automatically enables route reflection to all clients.
● Specify which confederation sub-ASs are peers.
  CONFIG-ROUTER-BGP mode
  bgp confederation peers as-number [... as-number]
  ○ as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte).
  All Confederation routers must be either 4 Byte or 2 Byte. You cannot have a mix of router ASN support.
To view the configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
  ○ reuse: the range is from 1 to 20000. This number is compared to the flapping route's Penalty value. If the Penalty value is less than the reuse value, the flapping route is once again advertised (or no longer suppressed). The default is 750.
  ○ suppress: the range is from 1 to 20000. This number is compared to the flapping route's Penalty value. If the Penalty value is greater than the suppress value, the flapping route is no longer advertised (that is, it is suppressed). The default is 2000.
Neighbor      AS      MsgRcvd   MsgSent   TblVer   InQ   OutQ   Up/Down    State/PfxRcd
10.114.8.34   18508   82883     79977     780266   0     2      00:38:51   118904
10.114.8.33   18508   117265    25069     780266   0     20     00:38:50   102759
Dell>
To view which routes are dampened (non-active), use the show ip bgp dampened-routes command in EXEC Privilege mode.

Changing BGP Timers

To configure BGP timers, use either or both of the following commands.
  CONFIG-ROUTER-BGP mode
  timers bgp extended idle holdtime
  idle-holdtime: the range is from 1 to 32767. Time interval, in seconds, during which the peer remains in idle state. The default is 15 seconds.

Enabling BGP Neighbor Soft-Reconfiguration

BGP soft-reconfiguration allows for faster and easier route changing. Changing routing policies typically requires a reset of BGP sessions (the TCP connection) for the policies to take effect.
Enabling or disabling BGP neighbors

You can enable or disable all the configured BGP neighbors using the shutdown all command in ROUTER BGP mode.
To disable all the configured BGP neighbors:
1. Enter ROUTER BGP mode using the following command:
   CONFIGURATION Mode
   router bgp as-number
2. In ROUTER BGP mode, enter the following command:
   ROUTER BGP Mode
   shutdown all
You can use the no shutdown all command in ROUTER BGP mode to re-enable all the BGP neighbors.
address-family-ipv6-unicast commands. Irrespective of whether the BGP neighbors were disabled earlier, the shutdown all command brings down all the configured BGP neighbors. When you issue the no shutdown all command, all the BGP neighbors are enabled. However, when you re-enable all the BGP neighbors in global configuration mode, only the neighbors that were not in the disabled state before the global shutdown come up.
● Send a capability advertisement to the peer in the BGP Open message specifying IPv4 multicast as a supported AFI/SAFI (Subsequent Address Family Identifier).
● If the corresponding capability is received in the peer's Open message, BGP marks the peer as supporting the AFI/SAFI.
● When exchanging updates with the peer, BGP sends and receives IPv4 multicast routes if the peer is marked as supporting that AFI/SAFI.
  debug ip bgp dampening [in | out]
● View information about local BGP state changes and other BGP events.
  EXEC Privilege mode
  debug ip bgp [ip-address | peer-group peer-group-name] events [in | out]
● View information about BGP KEEPALIVE messages.
  EXEC Privilege mode
  debug ip bgp [ip-address | peer-group peer-group-name] keepalive [in | out]
● View information about BGP notifications received from or sent to neighbors.
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
For address family: IPv4 Unicast
BGP table version 1395, neighbor version 1394
Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by peer
Prefixes advertised 0, rejected 0, 0 withdrawn from peer
Connections established 3; dropped 2
Last reset 00:00:12, due to Missing well known attribute
Notification History
  'UPDATE error/Missing well-known attr' Sent : 1 Recv: 0
  'Connection Reset' Sent : 1 Recv: 0
Last notification (len 21) sent 00:26:02 ago
  ffffffff ffffffff fffff
PDU[1] : len 41, captured 00:34:52 ago
  ffffffff ffffffff ffffffff ffffffff 00290104 000100b4 14141401 0c020a01 04000100 01020080 00000000
PDU[2] : len 19, captured 00:34:51 ago
  ffffffff ffffffff ffffffff ffffffff 00130400
PDU[3] : len 19, captured 00:34:50 ago
  ffffffff ffffffff ffffffff ffffffff 00130400
PDU[4] : len 19, captured 00:34:20 ago
  ffffffff ffffffff ffffffff ffffffff 00130400
[. . .]
With a full internet feed (205K) captured, approximately 11.8MB is required to store all of the PDUs.
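The captured PDUs above are raw BGP messages: a 16-byte all-ones marker, a 2-byte length, a 1-byte type, then the body. The following added example (not code from the Dell guide) decodes them so the capture can be checked against what show ip bgp neighbors reports: PDU[1] is an OPEN from AS 1 with hold time 180, router ID 20.20.20.1 and the capabilities MULTIPROTO_EXT(1) for IPv4 unicast, ROUTE_REFRESH(2) and CISCO_ROUTE_REFRESH(128); PDU[2] is a KEEPALIVE. PDU_1 and PDU_2 are copied from the output above; the 000000 tail beyond the 41-byte length is dump padding, which the parser discards, and a truncated or malformed dump raises ValueError rather than producing a partial decode.

```python
import ipaddress
import struct

MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}
# Capability codes named the way the show ip bgp neighbors output names them.
CAP_NAMES = {1: "MULTIPROTO_EXT", 2: "ROUTE_REFRESH", 128: "CISCO_ROUTE_REFRESH"}

# The two captured PDUs from the debug output above (hex as printed, in 4-byte groups).
PDU_1 = ("ffffffff ffffffff ffffffff ffffffff 00290104 000100b4 14141401 "
         "0c020a01 04000100 01020080 00000000")
PDU_2 = "ffffffff ffffffff ffffffff ffffffff 00130400"


def _tlv(buf: bytes, what: str):
    """Yield (type, value) pairs from 1-byte-type/1-byte-length data, refusing truncated items."""
    while buf:
        if len(buf) < 2 or 2 + buf[1] > len(buf):
            raise ValueError(f"truncated {what}")
        yield buf[0], buf[2:2 + buf[1]]
        buf = buf[2 + buf[1]:]


def parse_open(body: bytes) -> dict:
    """Decode an OPEN body (RFC 4271 section 4.2) and its Capabilities parameter (RFC 5492)."""
    if len(body) < 10:
        raise ValueError("OPEN body shorter than 10 bytes")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHH4sB", body[:10])
    if len(body) != 10 + opt_len:
        raise ValueError("optional parameters length disagrees with message length")
    caps = []
    for ptype, pval in _tlv(body[10:], "optional parameter"):
        if ptype != 2:          # only Capabilities parameters (type 2) are decoded
            continue
        for code, cval in _tlv(pval, "capability"):
            cap = {"code": code, "name": CAP_NAMES.get(code, f"code {code}")}
            if code == 1 and len(cval) == 4:   # Multiprotocol: AFI(2) reserved(1) SAFI(1)
                cap["afi"], _, cap["safi"] = struct.unpack("!HBB", cval)
            caps.append(cap)
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_id": str(ipaddress.IPv4Address(bgp_id)), "capabilities": caps}


def parse_pdu(hexdump: str) -> dict:
    """Decode one captured PDU; raises ValueError on anything a BGP speaker would reject."""
    data = bytes.fromhex(hexdump.replace(" ", ""))   # odd-length (cut-off) hex raises here
    if len(data) < 19:
        raise ValueError("shorter than the 19-byte BGP header")
    if data[:16] != b"\xff" * 16:
        raise ValueError("marker is not all ones")
    length, msg_type = struct.unpack("!HB", data[16:19])
    if not 19 <= length <= 4096 or length > len(data):
        raise ValueError(f"invalid length {length}")
    body = data[19:length]                           # bytes past 'length' are dump padding
    info = {"length": length, "type": MSG_TYPES.get(msg_type, f"UNKNOWN({msg_type})")}
    if msg_type == 1:
        info.update(parse_open(body))
    elif msg_type == 4 and body:
        raise ValueError("KEEPALIVE must be exactly 19 bytes")
    return info


def is_valid_pdu(hexdump: str) -> bool:
    """Convenience wrapper for scanning a capture: True only for a well-formed PDU."""
    try:
        parse_pdu(hexdump)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for pdu in (PDU_1, PDU_2):
        print(parse_pdu(pdu))
```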
Figure 25. Sample Configurations

Example of Enabling BGP (Router 1)
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.1/24
 no shutdown
R1(conf-if-lo-0)#int tengig 1/21
R1(conf-if-te-1/21)#ip address 10.0.1.21/24
R1(conf-if-te-1/21)#no shutdown
R1(conf-if-te-1/21)#show config
!
interface TenGigabitEthernet 1/21
 ip address 10.0.1.
R1(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0
R1(conf-router_bgp)#show config
!
router bgp 99
 network 192.168.128.0/24
 neighbor 192.168.128.2 remote-as 99
 neighbor 192.168.128.2 update-source Loopback 0
 neighbor 192.168.128.2 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.3 update-source Loopback 0
 neighbor 192.168.128.3 no shutdown
R1(conf-router_bgp)#end
R1#
R1#show ip bgp summary
BGP router identifier 192.168.128.
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.3 update-source Loopback 0
 neighbor 192.168.128.3 no shutdown
R2(conf-router_bgp)#end
R2#show ip bgp summary
BGP router identifier 192.168.128.
R3(conf)#end
R3#show ip bgp summary
BGP router identifier 192.168.128.3, local AS number 100
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory
Neighbor   AS   MsgRcvd   MsgSent   TblVer   InQ   OutQ   Up/Down   State/Pfx
192.168.128.
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes adverti
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor BBB peer-group
 neighbor BBB no shutdown
 neighbor 192.168.128.1 remote-as 99
 neighbor 192.168.128.1 peer-group CCC
 neighbor 192.168.128.1 update-source Loopback 0
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.3 peer-group BBB
 neighbor 192.168.128.3 update-source Loopback 0
 neighbor 192.168.128.3 no shutdown
R2(conf-router_bgp)#end
R2#
R2#show ip bgp summary
BGP router identifier 192.168.128.
192.168.128.1   99   93    99    1   0   (0)   00:00:15   1
192.168.128.2   99   122   120   1   0   (0)   00:00:11   1
R3#show ip bgp neighbor
BGP neighbor is 192.168.128.1, remote AS 99, external link
  Member of peer-group BBB for session parameters
  BGP version 4, remote router ID 192.168.128.
Received 138 messages, 0 in queue
  7 opens, 2 notifications, 7 updates
  122 keepalives, 0 route refresh requests
Sent 140 messages, 0 in queue
  7 opens, 4 notifications, 7 updates
  122 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities advertised to neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
Capabilities received from neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128
9 Content Addressable Memory (CAM)

CAM is a type of memory that stores information in the form of a lookup table. On the switch, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies. On a line card, there are one or two CAM (Dual-CAM) modules per port-pipe.
 1 block = 256 entries
 L2Acl    : 5
 Ipv4Acl  : 4
 Ipv6Acl  : 0
 Ipv4Qos  : 2
 L2Qos    : 1
 L2PT     : 0
 IpMacAcl : 0
 VmanQos  : 0
 EcfmAcl  : 0
 Openflow : 0
-- linecard 2 --
Current Settings(in block sizes)
 1 block = 256 entries
 L2Acl    : 5
 Ipv4Acl  : 4
 Ipv6Acl  : 0
 Ipv4Qos  : 2
 L2Qos    : 1
 L2PT     : 0
 IpMacAcl : 0
 VmanQos  : 0
 EcfmAcl  : 0
 Openflow : 0
The ipv6acl and vman-dual-qos allocations must be entered as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
Example of the test cam-usage Command

View CAM-ACL Settings
View the current cam-acl settings using the show cam-acl command.
View CAM Usage
View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL subpartitions) using the show cam-usage command from EXEC Privilege mode.
cam-threshold threshold {default | threshold-percent} silence-period {default | silence-period-value}
The range of the silence period is from 0 to 65535. The default is 0 seconds.
NOTE: If you delete an FP entry in a CAM region that has a threshold assigned, a syslog warning appears even during the silence period.
  lag-hash-mpls   Enable microcode with LAG hash MPLS
Dell(conf)#cam-profile default microcode default
Dell(conf)#cam-ipv4flow ?
  default         Reset IPv4flow CAM entries to default setting
  multicast-fib   Set multicast FIB entries
Dell(conf)#cam-l2acl ?
  default         Reset L2-ACL CAM entries to default setting
  system-flow     Set system flow entries

CAM Optimization
The cam-optimization command allows you to optimize CAM utilization for QoS entries by minimizing the amount of required policy-map CAM space.
Table 11. UFT Modes — Table Size (continued)

UFT Mode          L2 MAC Table Size   L3 Host Table Size   L3 LPM Table Size
Scaled-l3-routes  32K                 16K                  128K

NOTE: On the C9010, OpenFlow supports only the scaled-l3-hosts hardware forwarding-table mode (UFT mode 3), providing a unified forwarding table (UFT) of:
● L2 MAC entries: 160K
● L3 host entries: 144K
● L3 route entries: 16K
OpenFlow does not support the scaled-l3-routes forwarding-table mode (UFT mode 4) on the C9010.
10 Control Plane Policing (CoPP)

Control plane policing (CoPP) protects the switch's routing, control, and line-card processors from undesired or malicious traffic and Denial of Service (DoS) attacks by filtering control-plane flows. CoPP uses a dedicated control-plane service policy that consists of ACLs and QoS policies, which provide filtering and rate-limiting capabilities for control-plane packets.
Table 12. Default Rate Limit for CPU queues

CPU Queue  Protocols Mapped to Control Processor Queues                     Rate Limit (in kbps)
0          TTL0, IP options, L3 Broadcast MAC destination address           1000
1          L3 MTU Fail                                                      200
2          ARP request, NS, RS                                              1800
3          ARP reply, NA, RA                                                1800
4          FTP, Telnet, SSH, Local terminated, NTP, VLT IPM PDU, VLT ARPM   2800
5          ICMPv6                                                           300
6          ICMP                                                             300
7          DHCP, LLDP, FEFD, 8021x                                          3200

Table 13.
CoPP Example
The illustrations in this section show the benefit of using CoPP compared to not using CoPP on a switch. The following illustration shows how CoPP rate limits protocol traffic destined to the control-plane CPU.
Figure 26. Control Plane Policing
NOTE: On the system, CoPP does not convert the input rate of control-plane traffic from kilobits per second (kbps) to packets per second (pps) as on other Dell Networking switches.
Figure 27. CoPP Versus Non-CoPP Operation

Configure Control Plane Policing
You can create a CoPP service policy on a per-protocol and/or a per-queue basis that serves as the system-wide configuration for filtering and rate limiting control-plane traffic.

Configuring CoPP for Protocols
This section describes how to create a protocol-based CoPP service policy and apply it to control plane traffic.
2. Create a Layer 3 extended ACL for specified protocol traffic.
   CONFIGURATION mode
   ip access-list extended name cpu-qos
   permit {bgp | dhcp | dhcp-relay | ftp | icmp | igmp | msdp | ntp | ospf | pim | rip | ssh | telnet | vrrp}
3. Create an IPv6 ACL for specified protocol traffic.
   CONFIGURATION mode
   ipv6 access-list name cpu-qos
   permit {bgp | icmp | icmp-nd-na | icmp-nd-ns | icmp-rd-ra | icmp-rd-rs | ospf | vrrp}
4. Create a QoS input policy to rate limit input traffic.
Dell(conf-ipv6-acl-cpuqos)#permit vrrp
Dell(conf-ipv6-acl-cpuqos)#exit

Example of Creating a QoS Rate-Limiting Input Policy
Dell(conf)#qos-policy-in rate_limit_200k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 200 40 peak 500 40
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_400k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 400 50 peak 600 50
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_500k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-poli
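The rate-police policies above pair a committed rate and burst with a peak rate and burst. The following two-rate token-bucket model, an added example rather than code from the guide or from Dell OS, shows what such a policy does to a control-plane flood: packets that exceed the peak bucket are dropped, packets between the committed and peak rates are marked yellow, and the rest pass green. The unit interpretation (rates in kbps, bursts in kilobytes, matching policy names such as rate_limit_200k) and the rule that green and yellow packets reach the CPU queue while red ones are dropped are assumptions of the model, not documented CLI semantics; policer_from_cli, TwoRatePolicer and flood_summary are names introduced here.

```python
"""Two-rate token-bucket model of a CoPP 'rate-police' input policy (added example)."""
from fractions import Fraction


class TwoRatePolicer:
    """Committed and peak token buckets, refilled continuously with exact arithmetic.

    Assumption: rates are in kbps and bursts in kilobytes; red packets are dropped,
    green and yellow packets are delivered to the control-plane queue.
    """

    def __init__(self, cir_kbps: int, cbs_kb: int, pir_kbps: int, pbs_kb: int):
        self.cir = Fraction(cir_kbps * 1000, 8)  # committed rate, bytes per second
        self.pir = Fraction(pir_kbps * 1000, 8)  # peak rate, bytes per second
        self.cbs = cbs_kb * 1000                 # committed burst, bytes
        self.pbs = pbs_kb * 1000                 # peak burst, bytes
        self.tc = Fraction(self.cbs)             # committed bucket starts full
        self.tp = Fraction(self.pbs)             # peak bucket starts full
        self.last = Fraction(0)                  # time of the previous refill

    def _refill(self, now: Fraction) -> None:
        elapsed = now - self.last
        self.last = now
        self.tc = min(Fraction(self.cbs), self.tc + self.cir * elapsed)
        self.tp = min(Fraction(self.pbs), self.tp + self.pir * elapsed)

    def police(self, now: Fraction, size: int) -> str:
        """Classify one packet of `size` bytes arriving at `now` seconds (RFC 2698 style)."""
        self._refill(now)
        if size > self.tp:            # exceeds the peak bucket: dropped
            return "red"
        self.tp -= size
        if size > self.tc:            # fits peak but not committed: exceed action
            return "yellow"
        self.tc -= size
        return "green"


def policer_from_cli(line: str) -> TwoRatePolicer:
    """Build a policer from 'rate-police <cir> <cbs> [peak <pir> <pbs>]'."""
    tok = line.split()
    if not tok or tok[0] != "rate-police" or len(tok) not in (3, 6):
        raise ValueError(f"unsupported rate-police syntax: {line!r}")
    cir, cbs = int(tok[1]), int(tok[2])
    if len(tok) == 6:
        if tok[3] != "peak":
            raise ValueError(f"expected 'peak' keyword in {line!r}")
        pir, pbs = int(tok[4]), int(tok[5])
    else:
        pir, pbs = cir, cbs           # single-rate policy: peak equals committed
    return TwoRatePolicer(cir, cbs, pir, pbs)


def flood_summary(cli_line: str, pkt_bytes: int = 1000,
                  interval_ms: int = 1, count: int = 2000) -> dict:
    """Offer `count` packets of `pkt_bytes` every `interval_ms` ms; return colour counts."""
    policer = policer_from_cli(cli_line)
    result = {"green": 0, "yellow": 0, "red": 0}
    for k in range(count):
        result[policer.police(Fraction(interval_ms * k, 1000), pkt_bytes)] += 1
    return result


if __name__ == "__main__":
    # 1000-byte packets every millisecond is 8 Mbps offered against a 200 kbps policy:
    # after the 40 KB bursts drain, only the committed and peak rates get through.
    print(flood_summary("rate-police 200 40 peak 500 40"))
```

With the page's rate_limit_200k policy the flood drains both 40 KB bursts within the first 50 ms; after that the policer admits one packet per 16 ms (the 500 kbps peak rate) and only two of every five of those fit the 200 kbps committed rate, so the steady-state split is the 2:3 green-to-yellow ratio that the burst sizes and rates dictate.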
policy-map-input name cpu-qos
service-queue queue-number qos-policy name
On the switch, the range of queue-number values is from 0 to 20. The twenty-four control-plane queues are divided into groups of seven queues for the Route Processor, Control Processor, and line-card CPUs as follows:
● Queues 0 to 6 process packets destined to the Control Processor CPU.
● Queues 7 to 13 process packets destined to the Route Processor CPU.
● Queues 14 to 20 process packets destined to the line-card CPU.
Service-Queue  Rate (kbps)  Burst (kb)
Q3             2000         5000
Q4             300          2000
Q5             300          2000
Q6             1200         3000
Q7             800          1000
Q8             600          1000
Q9             600          1000
Q10            3200         1000
Q11            2600         6000
Q12            2300         3000
Q13            1800         3000
Q14            1            4000
Q15            1            100
Q16            1200         100
Q17            1200         1000
Q18            7000         1000
Q19            800          7000
Q20            5000         1000

Dell#show cpu-queue rate queue-id 8
Service-Queue  Rate (kbps)  Burst (kb)
--------------------------------------
Q8             600          1000

Dell#show cpu-queue rate range 8 12
Service-Queue  Rate (kbps)  Burst (kb)
--------------------------------------
Q8             600          1000
Q9             600          1000
Q10            3200         100
Q11            2600
Q12            2300
Protocol      Src-Port   Dst-Port   TcpFlag   Queue   EgPort   Rate (kbps)
ICMP          any        any        _         Q5      CP       300
IGMP          any        any        _         Q12     RP       300
TCP (MSDP)    any/639    639/any    _         Q12     RP       100
UDP (NTP)     any        123        _         Q3      CP       200
OSPF          any        any        _         Q13     RP       2500
PIM           any        any        _         Q12     RP       300
UDP (RIP)     any        520        _         Q13     RP       200
TCP (SSH)     any        22         _         Q3      CP       400
TCP (TELNET)  any        23         _         Q3      CP       400
VRRP          any        any        _         Q13     RP       400

Viewing IPv6 Protocol-Queue Mapping
To view the queues to which IPv6 protocol traffic is assigned, use the show ipv6 protocol-queue-mapping command.
L2PT                      Q13
v6 BGP                    Q13
v6 OSPF                   Q13
v6 VRRP                   Q13
MLD                       Q12
v6 MULTICAST CATCH ALL    Q7
IPv6 DHCP                 Q6
v6 RAGUARD                Q16
v6 ICMP NA                Q2/Q9
v6 ICMP RA                Q2/Q9
v6 ICMP NS                Q1/Q8
v6 ICMP RS                Q1/Q8
v6 ICMP                   Q4
BGP                       Q13
OSPF                      Q13
RIP                       Q13
VRRP                      Q13
ICMP                      Q5
IGMP                      Q12
PIM                       Q12
MSDP                      Q12
BFD                       Q11/Q17
802.
The following message is displayed when the collection of CPU traffic statistics is enabled. Use the show cpu-traffic-stats command to view the statistics.
Excessive traffic is received by CPU and traffic will be rate controlled.
NOTE: You must manually enable the collection of CPU traffic statistics with the debug cpu-traffic-stats command before the statistics display in show cpu-traffic-stats output.
################ FP Entry for redirecting LLDP BPDU to RSM ################
EID 0x000002ff: gid=0xa,
slice=9, slice_idx=0x2, part =0 prio=0x2ff, flags=0x10202, Installed, Enabled
tcam: color_indep=0,
Stage InPorts
  DATA=0x0000000000000000000000000000000000000000000000000000222222222222
  MASK=0x0000000000000000000000000000000000000000000000000000222222222223
DstMac Offset: 88 Width: 48
  DATA=0x00000180 c200000e
  MASK=0x0000ffff ffffffff
action={act=DropPrecedence, param0=1(0x1), param1=0(0), param2=0(0), param3=
In the show output, Rx Counters displays the number of bytes of control-plane traffic received, on which protocol-based rate limiting is applied. Tx Counters displays the number of bytes transmitted to a control-plane CPU after protocol-based rate limiting is applied. Drop Counters displays the number of bytes of control-plane traffic that have been dropped as a result of protocol-based rate limiting.
Queue-ID  RxBytes  TxBytes
Q6        21673    21673
Q7        0        0
Q8        0        0
Q9        0        0
Q10       0        0
Q11       0        0
Q12       0        0
Q13       0        0
Q14       0        0
Q15       0        0
Q16       0        0
Q17       0        0
Q18       0        0
Q19       0        0
Q20       0

Dell#show control-traffic protocol cp-switch counters
Protocol                  RxBytes   TxBytes   Drops
---------------------------------------------------
STP                       0         0         0
LLDP                      13835     13835     0
PVST                      0         0         0
LACP                      0         0         0
ARP REQ                   0         0         0
ARP RESP                  0         0         0
GVRP                      0         0         0
FRRP                      0         0         0
ECFM                      0         0         0
ISIS                      0         0         0
L2PT                      0         0         0
v6 BGP                    0         0         0
v6 OSPF                   0         0         0
v6 VRRP                   0         0         0
MLD                       0         0         0
v6 MULTICAST CATCH ALL    0         0         0
IPv6 DHCP                 0         0         0
v6 RAGUARD                0         0         0
v6 ICMP NA                0         0         0
v6 ICMP RA                0         0         0
v6 ICMP
VRRP                      0
ICMP                      0
IGMP                      0
PIM                       0
MSDP                      0
BFD ON PHYSICAL PORTS     0
BFD ON LOGICAL PORTS      0
802.
0
Physical L3 MTU FAIL      0
SOURCE MISS               0
STATION MOVE              0
TX UNICAST ENTRY          0
TX MULTICAST ENTRY        0
TX INTER SPINE ENTRY      0
DROP ENTRY                0
CP bound IPC              0
RP bound IPC              0
ECP bound IPC             0
SFLOW_EGRESS              0
SFLOW_INGRESS             0
0 0 0 0 0 0 0 0 0 0 0 0 0 847344 847344 9180 9180 34484 34484 0 0 0 0 0

To clear the per-protocol counters of rate-limited control-plane traffic at the aggregated (switch) or line card and port set level, use the clear control-traffic protocol [cp-switch | linecard {0-2} portset
Q9        0        0        0
Q10       0        0        0
Q11       0        0        0
Q12       0        0        0
Q13       0        0        0
Q14       0        0        0
Q15       0        0        0
Q16       0        0        0
Q17       0        0        0
Q18       0        0        0
Q19       0        0        0
Q20       0        0        0

To clear the per-queue counters of rate-limited traffic at the aggregated (switch) or individual queue level, use the clear control-traffic queue {all | queue-id queue-number} counters command; for example:

Dell#show control-traffic queue queue-id 6 counters
Queue-ID  RxBytes  TxBytes  Drops
---------------------------------
Q6        24016    24016    0
Dell#clear control-traffic queue queue-id 6 counters
Dell#
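The Rx, Tx and Drop byte counters described above are the evidence that a protocol is being policed. The following Python, added here as an example and not part of the guide or of Dell OS, parses the Protocol/RxBytes/TxBytes/Drops rows of show control-traffic protocol cp-switch counters and flags any protocol whose dropped bytes exceed a chosen ratio of its received bytes, which is the signal that a flood of that protocol is being rate-limited away from the CPU rather than served. The sample output is constructed (the ARP REQ drop figures are invented for the example); parse_control_traffic and flag_rate_limited are names introduced here.

```python
"""Parse 'show control-traffic protocol ... counters' output and flag policed protocols (added example)."""
import re
from dataclasses import dataclass

# One row per protocol: a name that may contain spaces, then RxBytes, TxBytes, Drops.
_ROW = re.compile(r"^\s*(?P<proto>\S.*?)\s+(?P<rx>\d+)\s+(?P<tx>\d+)\s+(?P<drops>\d+)\s*$")


@dataclass(frozen=True)
class ProtocolCounters:
    protocol: str
    rx_bytes: int      # control-plane bytes received before policing
    tx_bytes: int      # bytes delivered to the control-plane CPU after policing
    drop_bytes: int    # bytes dropped by protocol-based rate limiting

    @property
    def drop_ratio(self) -> float:
        """Fraction of received bytes that were dropped (0.0 when nothing was received)."""
        return self.drop_bytes / self.rx_bytes if self.rx_bytes else 0.0


def parse_control_traffic(output: str) -> list:
    """Extract the per-protocol counter rows, skipping prompt, header and separator lines."""
    rows = []
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Dell#") or stripped.startswith("Protocol"):
            continue
        if set(stripped) <= {"-"}:
            continue
        m = _ROW.match(line)
        if m is None:
            continue
        rows.append(ProtocolCounters(m["proto"], int(m["rx"]), int(m["tx"]), int(m["drops"])))
    return rows


def flag_rate_limited(rows, min_drop_bytes: int = 1, min_ratio: float = 0.10) -> list:
    """Return the protocols whose drops are both non-trivial in bytes and in share of Rx."""
    return [r for r in rows if r.drop_bytes >= min_drop_bytes and r.drop_ratio >= min_ratio]


# Constructed sample output in the format shown in the guide; the ARP REQ figures are
# invented to show what a policed flood looks like.
SAMPLE_OUTPUT = """\
Dell#show control-traffic protocol cp-switch counters
Protocol                  RxBytes   TxBytes   Drops
---------------------------------------------------
STP                       0         0         0
LLDP                      13835     13835     0
ARP REQ                   512000    128000    384000
ARP RESP                  4096      4096      0
v6 MULTICAST CATCH ALL    20480     20480     0
ICMP                      9000      9000      0
BFD ON PHYSICAL PORTS     0         0         0
"""

if __name__ == "__main__":
    for r in flag_rate_limited(parse_control_traffic(SAMPLE_OUTPUT)):
        print(f"{r.protocol}: {r.drop_bytes} of {r.rx_bytes} bytes dropped ({r.drop_ratio:.0%})")
```

Feeding the parser the output collected periodically (before a clear control-traffic protocol command resets the counters) gives a simple per-protocol alarm; the ratio threshold keeps the occasional dropped packet of a healthy protocol from firing it.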
11 Data Center Bridging (DCB)

Topics:
• Enabling Data Center Bridging
• Ethernet Enhancements in Data Center Bridging
• QoS dot1p Traffic Classification and Queue Assignment
• SNMP Support for PFC and Buffer Statistics Tracking
• DCB Maps and its Attributes
• Data Center Bridging: Default Configuration
• Configuration Notes: PFC and ETS in a DCB Map
• Configuring Priority-Based Flow Control
• Configuring Enhanced Transmission Selection
• Configure a DCBx Operation
• Verifying the DCB Configuratio
Ethernet Enhancements in Data Center Bridging
The following section describes DCB. The device supports the following DCB features:
● Data center bridging exchange protocol (DCBx)
● Priority-based flow control (PFC)
● Enhanced transmission selection (ETS)
NOTE: DCB is not supported on the Port Extender ports and Cascade ports.
pauses traffic on a link according to the 802.1p priority set on a traffic type. You can create lossless flows for storage and server traffic while allowing for loss in case of LAN traffic congestion on the same physical interface. The following illustration shows how PFC handles traffic congestion by pausing the transmission of incoming traffic with dot1p priority 4.
Figure 28. Illustration of Traffic Congestion
The system supports loading two DCB_Config files:
● FCoE converged traffic with priority 3.
Figure 29. Enhanced Transmission Selection
The following table lists the traffic groupings ETS uses to select multiprotocol traffic for transmission.

Table 15. ETS Traffic Groupings

Traffic Groupings   Description
Group ID            A 4-bit identifier assigned to each priority group. The range is from 0 to 7 configurable; 8 - 14 reservation and 15.0 - 15.7 is strict priority group.
Group bandwidth     Percentage of available bandwidth allocated to a priority group.
Data Center Bridging in a Traffic Flow
The following figure shows how DCB handles a traffic flow on an interface.
Figure 30. DCB PFC and ETS Traffic Handling

QoS dot1p Traffic Classification and Queue Assignment
The following section describes QoS dot1P traffic classification and assignments.
dot1p Value in the Incoming Frame   Egress Queue Assignment
1                                   0
2                                   2
3                                   3
4                                   4
5                                   5
6                                   6
7                                   7

Dell#show qos dot1p-queue-mapping
Dot1p Priority : 0 1 2 3 4 5 6 7
         Queue : 1 0 2 3 4 5 6 7

SNMP Support for PFC and Buffer Statistics Tracking
The Buffer Statistics Tracking (BST) feature provides a mechanism to aid in resource monitoring and tuning of buffer allocation. Max Use Count mode in Buffer Statistics is supported.
DCB Maps and its Attributes
This topic contains the following sections that describe how to configure a DCB map, apply the configured DCB map to a port, configure PFC without a DCB map, and configure lossless queues.

DCB Map: Configuration Procedure
A DCB map consists of PFC and ETS parameters. By default, PFC is not enabled on any 802.1p priority and ETS allocates equal bandwidth to each priority. To configure user-defined PFC and ETS settings, you must create a DCB map.
Table 16. Applying a DCB map to an Ethernet port

Step   Task                                                        Command   Command Mode
1      Enter interface configuration mode on an Ethernet port.
Table 17. Configuring PFC without a DCB Map (continued)

Step   Task                                        Command   Command Mode
       lossless queues (pfc nodrop queues command).

Configuring Lossless Queues
DCB also supports the manual configuration of lossless queues on an interface after you disable PFC mode in a DCB map and apply the map on the interface. The configuration of no-drop queues provides flexibility for ports on which PFC is not needed, but lossless traffic should egress from the interface.
Table 18. Configuring Lossless Queues (continued)

Step   Task                                                                                                   Command   Command Mode
       on which a DCB map with PFC enabled has been applied, or which is already configured for PFC using the pfc priority command.
       Range: 0-3. Separate queue values with a comma; specify a priority range with a dash; for example: pfc no-drop queues 1,3 or pfc no-drop queues 2-3
       Default: No lossless queues are configured.

Applying a DCB Map on a Line Card
On the C9010, DCB is supported per-line card.
To configure PFC and ETS parameters on an interface, you must specify the PFC mode, the ETS bandwidth allocation for a priority group, and the 802.1p priority-to-priority group mapping in a DCB map. No default PFC and ETS settings are applied to Ethernet interfaces.

Configuration Notes: PFC and ETS in a DCB Map
The switch supports the use of a DCB map in which you configure priority-based flow control (PFC) and enhanced transmission selection (ETS) settings.
ETS Configuration Notes
ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs. Using ETS, you can create groups within an 802.1p priority class to configure different treatment for traffic with different bandwidth, latency, and best-effort needs.
● If you configure more than one priority group as strict priority, the higher numbered priority queue is given preference when scheduling data traffic.

Configuring Priority-Based Flow Control
Priority-Based Flow Control (PFC) provides a flow control mechanism based on the 802.1p priorities in converged Ethernet traffic received on an interface and is enabled by default when you enable DCB.
Lossless traffic egresses out the no-drop queues. Ingress dot1p traffic from PFC-enabled interfaces is automatically mapped to the no-drop egress queues.
1. Enter INTERFACE Configuration mode.
   CONFIGURATION mode
   interface type slot/port
2. Configure the port queues that will still function as no-drop queues for lossless traffic.
   INTERFACE mode
   pfc no-drop queues queue-range
   For the dot1p-queue assignments, refer to the dot1p Priority-Queue Assignment table.
priority-pgid dot1p0_group_num dot1p1_group_num ...dot1p7_group_num
Priority group range is from 0 to 7. All priorities that map to the same queue must be in the same priority group. Leave a space between each priority group number. For example: priority-pgid 0 0 0 1 2 4 4 4 in which priority group 0 maps to dot1p priorities 0, 1, and 2; priority group 1 maps to dot1p priority 3; priority group 2 maps to dot1p priority 4; priority group 4 maps to dot1p priorities 5, 6, and 7.
DCBx is not supported on PE ports and C9010 cascade ports (member ports in the C9010 LAG created to connect to an attached C1048P).
Prerequisite: For DCBx, enable LLDP on all DCB devices.

DCBx Operation
DCBx performs the following operations:
● Discovers DCB configuration (such as PFC and ETS) in a peer device.
● Detects DCB mis-configuration in a peer device; that is, when DCB features are not compatibly configured on a peer device and the local switch.
Configuration source The port is configured to serve as a source of configuration information on the switch. Peer DCB configurations received on the port are propagated to other DCBx auto-configured ports. If the peer configuration is compatible with a port configuration, DCBx is enabled on the port. On a configuration-source port, the link with a DCBx peer is enabled when the port receives a DCB configuration that can be internally propagated to other auto-configured ports.
is not compatible, a warning message is logged and the DCBx frame error counter is incremented. Although DCBx is operationally disabled, the port keeps the peer link up and continues to exchange DCBx packets. If a compatible peer configuration is later received, DCBx is enabled on the port.
● If there is no configuration source, a port may elect itself as the configuration source.
Behavior of Tagged Packets
The following is an example of enabling PFC for priority 2 on tagged packets. Priority (packet dot1p) 2 is mapped to PG6 in the PRIO2PG setting. All other priorities for which PFC is not enabled are mapped to the default PG, PG7. Classification rules on ingress (Ingress FP CAM region) match the incoming packet dot1p and assign an internal priority (to select the queue as per Table 1 and Table 2).
4. Interface Configurations on server connected ports.
   a. Enable DCB globally.
      DellEMC(conf)#dcb enable
   b. Apply PFC Priority configuration. Configure priorities on which PFC is enabled.

DCBx Example
The following figure shows how to use DCBx. The device is connected to third-party, top-of-rack (ToR) switches through 40GbE or 10GbE uplinks. The ToR switches are part of a Fibre Channel storage network. The ports connected to the server with CNA are configured as auto-downstream ports.
Figure 31.
● For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
NOTE: You can configure the transmission of more than one TLV type at a time; for example, advertise DCBx-tlv ets-conf ets-reco. You can enable ETS recommend TLVs (ets-reco) only if you enable ETS configuration TLVs (ets-conf). To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-tlv pfc ets-reco.
6. On manual ports only: Configure the Application Priority TLVs advertised on the interface to DCBx peers.
   PROTOCOL LLDP mode
   [no] advertise DCBx-appln-tlv {fcoe | iscsi}
   ● fcoe: enables the advertisement of FCoE in Application Priority TLVs.
   ● iscsi: enables the advertisement of iSCSI in Application Priority TLVs.
   The default is Application Priority TLVs are enabled and advertise FCoE and iSCSI.
   NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-appln-tlv iscsi.
6. Configure the FCoE priority advertised for the FCoE protocol in Application Priority TLVs.
   ○ all: enables all DCBx debugging operations.
   ○ auto-detect-timer: enables traces for DCBx auto-detect timers.
   ○ config-exchng: enables traces for DCBx configuration exchanges.
   ○ fail: enables traces for DCBx failures.
   ○ mgmt: enables traces for DCBx management frames.
   ○ resource: enables traces for DCBx system resource frames.
   ○ sem: enables traces for the DCBx state machine.
   ○ tlv: enables traces for DCBx TLVs.
The following example shows the show dcb command.

Dell#show dcb linecard 2 port-set 0
DCB Status: Enabled, PFC Queue Count: 2

linecard  PP  Total Buffer  PFC Total Buffer  PFC Shared Buffer  PFC Available Buffer
              (KB)          (KB)              (KB)               (KB)
-------------------------------------------------------------------------------------
2         0   11210         7488              2496               4992

The following example shows the output of the show qos dcb-map test command.
The following table describes the show interface pfc summary command fields.

Table 21. show interface pfc summary Command Description

Fields                                Description
Interface                             Interface type with stack-unit, linecard, and port number.
Admin mode is on; Admin is enabled    PFC Admin mode is on or off with a list of the configured PFC priorities. When PFC admin mode is on, PFC advertisements are enabled to be sent and received from peers; received PFC configuration takes effect.
Table 21. show interface pfc summary Command Description (continued)

Fields                                Description
PFC TLV Statistics: Error pkts        Number of PFC error packets received.
PFC TLV Statistics: Pause Tx pkts     Number of PFC pause frames transmitted.
PFC TLV Statistics: Pause Rx pkts     Number of PFC pause frames received.

The following example shows the show interface pfc statistics command.
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled
0 Input Conf TLV Pkts, 1955 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Reco TLV Pkts, 1955 Output Reco TLV Pkts, 0 Error Reco TLV Pkts

Dell(conf)# show interfaces tengigabitethernet 1/1/1 ets detail
Interface TenGigabitEthernet 1/1
Max Supported TC Groups is 3
Number of Traffic Classes is 8
Admin mode is on
Admin Parameters :
------------------
Admin is enabled
TC-grp   Priority#          Bandwidth   TSA
0        0,1,2,3,4,5,6,7
TC-grp   Priority#          Bandwidth   TSA
0        0,1,2,3,4,5,6,7    100%        ETS
1                           0%          ETS
2                           0%          ETS
3                           0%          ETS
4                           0%          ETS
5                           0%          ETS
6                           0%          ETS
7                           0%          ETS

Priority#   Bandwidth   TSA
0           13%         ETS
1           13%         ETS
2           13%         ETS
3           13%         ETS
4           12%         ETS
5           12%         ETS
6           12%         ETS
7           12%         ETS

Remote Parameters:
------------------
Remote is disabled

Local Parameters :
------------------
Local is enabled
TC-grp   Priority#          Bandwidth   TSA
0        0,1,2,3,4,5,6,7    100%        ETS
1                           0%          ETS
2                           0%          ETS
3                           0%          ETS
4                           0%          ETS
5                           0%          ETS
6                           0%          ETS
7                           0%          ETS

Priority#   Bandwidth   TSA
0           13%         ETS
1           13%         ETS
2           13%         ETS
3           13%         ETS
4           12
7        -                -     -           -             -           -

Remote Parameters :
------------------
Remote is disabled

Local Parameters :
------------------
Local is enabled
PG-grp   Priority#        BW-%  BW-COMMITTED              BW-PEAK                   TSA
                          %     Rate(Mbps)  Burst(KB)     Rate(Mpbs)  Burst(KB)
----------------------------------------------------------------------------------
0        0,1,2,4,5,6,7    50    400         100           4000        400           ETS
1        3                50    -           -                                       ETS
2        -                -     -           -
3        -                -     -           -
4        -                -     -           -
5        -                -     -           -
6        -                -     -           -
7        -                -     -           -

Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output
Table 22. show interface ets detail Command Description (continued)

Field                                        Description
State Machine Type                           Type of state machine used for DCBx exchanges of ETS parameters:
                                             ● Feature: for legacy DCBx versions
                                             ● Asymmetric: for an IEEE version
Conf TLV Tx Status                           Status of ETS Configuration TLV advertisements: enabled or disabled.
ETS TLV Statistic: Input Conf TLV pkts       Number of ETS Configuration TLVs received.
ETS TLV Statistic: Output Conf TLV pkts      Number of ETS Configuration TLVs transmitted.
1 Input PFC TLV pkts, 2 Output PFC TLV pkts, 0 Error PFC pkts
0 PFC Pause Tx pkts, 0 Pause Rx pkts
1 Input ETS Conf TLV Pkts, 1 Output ETS Conf TLV Pkts, 0 Error ETS Conf TLV Pkts
1 Input ETS Reco TLV pkts, 1 Output ETS Reco TLV pkts, 0 Error ETS Reco TLV Pkts

The following example shows the show interface DCBx detail command (legacy CEE).
Table 23. show interface DCBx detail Command Description (continued)

Field                                              Description
Peer Operating version                             DCBx version that the peer uses to exchange DCB parameters.
Local DCBx TLVs Transmitted                        Transmission status (enabled or disabled) of advertised DCB TLVs (see TLV code at the top of the show command output).
Local DCBx Status: DCBx Operational Version        DCBx version advertised in Control TLVs.
Local DCBx Status: DCBx Max Version Supported      Highest DCBx version supported in Control TLVs.
Packet is assigned an internal priority on the ingress pipeline based on the queue to which it is destined. This Internal-priority to Queue mapping has been modified and enhanced as follows for the device:

PFC and ETS Configuration Examples
This section contains examples of how to configure and apply DCB policies on an interface.

Using PFC and ETS to Manage Data Center Traffic
The following shows examples of using PFC and ETS to manage your data center traffic.
QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
Hierarchical Scheduling in ETS Output Policies
ETS supports up to three levels of hierarchical scheduling. For example, you can apply ETS output policies with the following configurations:
Priority group 1   Assigns traffic to one priority queue with 20% of the link bandwidth and strict-priority scheduling.
Priority group 2   Assigns traffic to one priority queue with 30% of the link bandwidth.
Buffer Sizes for Lossless or PFC Packets You can configure up to a maximum of 4 lossless (PFC) queues. By configuring 4 lossless queues, you can configure 4 different priorities and assign a particular priority to each application that your network is used to process. For example, you can assign a higher priority for time-sensitive applications and a lower priority for other services, such as file transfers.
7. Assign the DCB policy to the DCB buffer threshold profile on interfaces. This setting takes precedence over the default buffer-threshold setting.
   INTERFACE mode (conf-if-te)
   dcb-policy buffer-threshold buffer-threshold
8. Configure the global total buffer size on line cards.
   CONFIGURATION mode
   dcb pfc-total-buffer-size buffer-size linecard {linecard-number | all}
   Line card number range is from 0 to 2.
9. Configure the global shared buffer size on line cards.
12 Debugging and Diagnostics This chapter describes the debugging and diagnostics tasks you can perform on the switch.
A warning is displayed with a CLI prompt asking you to answer Yes or No.

Dell#diag pe 0 stack-unit 0 level0 ?
Warning - PE-Unit 0 at PEID 0 will go offline to run the diagnostics.
Offline of system will bring down all the protocols and the system will be operationally down, except for running Diagnostics.
PE unit will be automatically reloaded once the diagnostics tests are completed.
Jul 30 12:59:38: %PE255-UNIT1-S:CP %IFMGR-1-DEL_PORT: Removed port: !!!!! Jul 30 13:11:06: Jul 30 13:11:07: 2 is down Jul 30 13:11:07: the full speed Jul 30 13:11:07: 2/1 Jul 30 13:11:54: the full speed Jul 30 13:11:54: state changed to %PE255-UNIT3-M:CP %CHMGR-0-PS_UP: Power supply 0 in unit 2 is up %PE255-UNIT3-M:CP %CHMGR-0-PS_DOWN: Major alarm: Power supply 1 in unit %PE255-C1048P:2 %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 60 % of %PE255-UNIT3-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to
001 - One Gig PHY Access Test ...................................... PASS
002 - One Gig PHY Access Test ...................................... PASS
003 - One Gig PHY Access Test ...................................... PASS
004 - One Gig PHY Access Test ...................................... PASS
005 - One Gig PHY Access Test ...................................... PASS
006 - One Gig PHY Access Test ...................................... PASS
007 - One Gig PHY Access Test ......................................
038 - One Gig PHY Access Test ...................................... PASS
039 - One Gig PHY Access Test ...................................... PASS
040 - One Gig PHY Access Test ...................................... PASS
041 - One Gig PHY Access Test ...................................... PASS
042 - One Gig PHY Access Test ...................................... PASS
043 - One Gig PHY Access Test ...................................... PASS
044 - One Gig PHY Access Test ......................................
usbAccess ................................................... FAIL
usbPowerEnable .............................................. PASS
usbStatus ................................................... PASS
LEVEL 1 DIAGNOSTIC
flashRW ..................................................... PASS
Starting test: oneGPhyExtLink ......
001 - One Gig PHY Link Test ........................................ PASS
002 - One Gig PHY Link Test ........................................ PASS
003 - One Gig PHY Link Test ............
Passed       : 49
Failed       : 4
Aborted      : 0
Elapsed time : 00H:09M:18S
Stop reason  : after completion
------ Failed tests (level, times) ------
usbAccess (0, 1)
sfpPlusPhyExtLink (1, 1)
sfpPlusPhyExtSpeed (1, 1)
usbRW (1, 1)

The following example shows how to run offline diagnostics for PE in Debug mode.
NOTE: Dell Networking highly recommends reloading the system after running the offline diagnostics in Debug mode on the switch.
3. Confirm offline status.
   EXEC Privilege mode
   show chassis brief
4. Start diagnostics on the unit or particular linecard.
   EXEC Privilege Mode
   diag system
   diag linecard linecard_number
   A warning is displayed with a CLI prompt asking you to answer Yes or No.

   Dell#diag system
   Warning - diagnostic execution will cause multiple link flaps on the peer side advisable to shut directly connected ports
   Proceed with Diags [confirm yes/no]:
5. View the results of the diagnostic tests.
7 8 9 10 11 Linecard Linecard Linecard Linecard Linecard not present not present not present card problem C9000-RPM-2.56T C9000-RPM-2.
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 drwx d--drwx drwx drwx drwx -r-x drwx drwx drwx drwx -rwx -rwx -rwx -rwx drwx -rwx -rwx -rwx -rwx -rwx -rwx -rwx -rwx -rwx -rwx drwx -rwx -rwx -rwx 2280 4096 12288 4096 4096 4096 0 8192 4096 4096 4096 570957 333841 2185 3448 4096 570957 3160 484734 569421 265208 569421 262890 569677 251098 11518 4096 52186974 10918 17134 Apr Aug Aug Sep Aug Sep Nov Sep Sep Dec Sep Jan Dec Feb Apr Mar Feb Apr Feb Feb Feb Feb Feb Feb Feb Apr
Starting test: hgLinkStatusTest ......
ERROR: Unit 0 hg port 30 is DOWN
ERROR: Unit 0 hg port 31 is DOWN
ERROR: Unit 0 hg port 32 is DOWN
hgLinkStatusTest ............................................ FAIL
Starting test: i2cTest ......
opticPhyTest ................................................
rtcTest .....................................................
sataSsdTest .................................................
Starting test: ssdFlashFileSystemStressTest ......
Iteration 35 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
Iteration 36 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
Iteration 37 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
Iteration 38 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
Iteration 39 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
Iteration 40 - File System Check passed
/dev/rwd0k: 3 files, 20398
RPM CPLD               -- 33
RPM extended CPLD      -- 32
SW Version             -- 1-0(0-4854)
Available free memory: 1,357,742,080 bytes
LEVEL 0 DIAGNOSTIC
biosVerGetTest .............................................. PASS
boardRevisionTest ........................................... PASS
Starting test: cpldAccessTest ......CPLD Major Ver 3 Minor Ver 3
cpldAccessTest .............................................. PASS
Starting test: cpuGELinkStatusTest ......
PSU[0] Fan Speed Test FAIL
PSU[1] Fan Speed Test FAIL
PSU[2] Fan Speed Test FAIL
psuFanSpeedTest ............................................. FAIL
Starting test: psuFanStatusTest ......
PSU[0] Fan Status Test FAIL
PSU[1] Fan Status Test FAIL
PSU[2] Fan Status Test FAIL
psuFanStatusTest ............................................ FAIL
psuPresenceTest ............................................. FAIL
Starting test: psuShowTempTest ......
ERROR: Fan speed variation failed for tray[1]
FAN TRAY[1] FAN 0 Controller Speed Test FAIL
ERROR: Tray[1] fan[1] speed 57% is out of expected range [80-100%]
ERROR: Fan speed variation failed for tray[1]
FAN TRAY[1] FAN 1 Controller Speed Test FAIL
ERROR: Tray[1] fan[2] speed 56% is out of expected range [80-100%]
ERROR: Fan speed variation failed for tray[1]
FAN TRAY[1] FAN 2 Controller Speed Test FAIL
ERROR: Tray[1] fan[3] speed 57% is out of expected range [80-100%]
ERROR: Fan speed variation failed for
/dev/rwd0k: 3 files, 20398
Iteration 14 - File System
/dev/rwd0k: 3 files, 20398
Iteration 15 - File System
/dev/rwd0k: 3 files, 20398
Iteration 16 - File System
/dev/rwd0k: 3 files, 20398
Iteration 17 - File System
/dev/rwd0k: 3 files, 20398
Iteration 18 - File System
/dev/rwd0k: 3 files, 20398
Iteration 19 - File System
/dev/rwd0k: 3 files, 20398
Iteration 20 - File System
/dev/rwd0k: 3 files, 20398
Iteration 21 - File System
/dev/rwd0k: 3 files, 20398
Iteration 22 - File System
/dev/rwd0k: 3 files, 20398
Iteration 50 - File System Check passed Completed 50 iterations No issues found in SD Flash (/dev/wd0k) SD Flash File System Stress Test is Passed ssdFlashFileSystemStressTest ................................ PASS Starting test: udfLinkStatusTest ......
DELL DIAGNOSTICS-C9000-CP00 CpuType PPID PPID Rev Service Tag Part Number Part Number Revision LM CPLD LM extended CPLD SW Version ---------- [0] LM CN0CYFF2779314A60021 X00 15YQG02 0CYFF2 X00 31 30 1-0(0-4854) Available free memory: 1,664,086,016 bytes LEVEL 0 DIAGNOSTIC Starting test: bcm56854AccessTest ...... + Access Test for unit 0 : PASSED bcm56854AccessTest .......................................... PASS biosVerGetTest .............................................. PASS boardRevisionTest ......
+Board First Thermal Monitor Sensor[2] is 36.0 C +Board First Thermal Monitor Sensor[3] is 37.0 C CPU Temp 31 c DDR Temperature 35 c showTemperature ............................................. PASS slotInfoTest ................................................ PASS Starting test: spiFlashAccessTest ......temperature monitor 0: current= 49.8, peak= 86.1 temperature monitor 1: current= 50.9, peak= 86.1 temperature monitor 2: current= 51.4, peak= 87.8 temperature monitor 3: current= 52.0, peak= 87.
/dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 18 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 19 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 20 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 21 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 22 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 23 - Fil
ipcTrafficTest ..............................................
cpuSdramPresenceTest ........................................ PASS cpuSdramSizeTest ............................................ PASS eepromTest .................................................. PASS Starting test: extendedCPLDAccessTest ......extended CPLD Major Ver 2 Minor Ver 3 extendedCPLDAccessTest ...................................... PASS fanAirFlowDirection ......................................... PASS fanPresenceTest ............................................. PASS fpgaAccessTest .............
Starting test: psuVoltageTest ...... PSU[0] Voltage Test FAIL PSU[1] Voltage Test FAIL PSU[2] Voltage Test FAIL psuVoltageTest .............................................. FAIL rtcTest ..................................................... PASS sataSsdTest ................................................. PASS Starting test: showTemperature ...... +Board First Thermal Monitor Sensor[0] is 38.0 C +Board First Thermal Monitor Sensor[1] is 33.0 C +Board First Thermal Monitor Sensor[2] is 31.
ERROR: Tray[2] fan[3] speed 56% is out of expected range [80-100%] ERROR: Fan speed variation failed for tray[2] FAN TRAY[2] FAN 3 Controller Speed Test FAIL fanCntrlSpeedTest ........................................... FAIL fanTrayEepromAccessTest ..................................... PASS Starting test: i2cTest ......
/dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 24 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 25 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 26 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 27 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 28 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 29 - Fil
LEVEL 2 DIAGNOSTIC ipcPingTrafficTest ..........................................
● pe pe-id — Enter the keyword pe and a port extender ID. The range is from 0 to 255.
● stack-unit number — Enter the keyword stack-unit and a stack unit number. The stack unit range is from 0 to 7.
● Upload a trace-log file from a switch CPU.
show hardware linecard slot-id buffer unit unit-number total-buffer
● Display the forwarding plane statistics containing the packet buffer usage per port per line card.
show hardware linecard slot-id buffer unit unit-number port {port-number | all} bufferinfo
● Display the forwarding plane statistics containing the packet buffer statistics per CoS per port.
show hardware system-flow pe pe-id stack-unit unit-number port-set number { counters | }
NOTE: You can also clear the system-flow statistics from the specified port extender hardware component by using the clear hardware system-flow pe pe-id stack-unit unit-number port-set number { counters | } command.
● Display the operational status of the internal ports that are dynamically mapped to a backplane link or control-plane trunk group that is down.
Displaying Port Extender Environment Information
To display environment details for each port extender, use the show environment pe pe-id command.
Dell#show environment pe pe-id
To display information about the hardware components of the control bridge only, use the show environment all command.
Dell#show environment all
Display Power Supply Status
To monitor the operational status of a power supply, use the show environment pem command. Use the command output to verify the operation of the installed power supplies.
Display Fan Status
To monitor the status of fan operation, use the show environment fan command. The command output displays the operational status of each fan, including the tray status and the speed of each fan.
Wavelength is 850nm
QSFP receive power reading is 0.3145dBm
Interface index is 155337218
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 40000 Mbit
Flowcontrol rx off tx off
To display more diagnostic data when troubleshooting a transceiver, use the show interfaces transceiver command. Additional information about QSFP temperature, voltage, and current alarm thresholds is displayed.
Recognize an Over-Temperature Condition
An alarm message is generated and displayed when an over-temperature condition occurs on a system component. Either a minor or a major alarm is triggered.
● When the minor temperature alarm condition is met on the linecard or RPM, the fan speed is increased from 70% to 80%.
● When the major temperature alarm condition is met on the linecard or RPM, the fan speed is increased from 90% to 100%.
Over-temperature alarms are logged.
When the system experiences a high temperature on any temperature sensor that exceeds the Critical threshold, a shutdown log event is generated, as shown in the following examples:
Dell#Jun 18 01:57:03: %RPM1-P:CP %CHMGR-2-TEMP_SHUTDOWN_WARN: WARNING! linecard 11 temperature is 110C; approaching shutdown threshold of 110C)
Dell#Jun 18 01:57:04: %RPM1-P:CP %CHMGR-0-TEMP_SHUTDOWN_WARN: linecard 11 temperature exceeded or equal to shutdown temperature 110C; Unit will shutdown now.
When a temperature threshold is crossed (either below or above the pre-configured value), the system logs an event that contains information about the time when the event occurred, the type of event (minor, major, or shutdown), the current temperature of the sensor, and the identity of the sensor. The system also logs events when the fan speeds change (increase or decrease) as a result of changes in sensor temperature. To display the event log, use the show logging command.
● clear hardware rp cpu {data-plane | i2c | sata-interface} statistics
● clear hardware sfm sfm-unit-num counters
● clear hardware cp-switch counters
Displaying Drop Counters
To display drop counters, use the show hardware linecard drops commands.
● Identify the line card, port pipe, and port that is experiencing internal drops.
show hardware linecard {0–2} drops [unit {0–3} [port {1–104}]]
● Display drop counters.
Displaying Dataplane Statistics
The show hardware linecard {0–2} cpu data-plane statistics command provides information about the packet types entering a line-card CPU.
Mini Core Dumps
Dell Networking OS supports mini core dumps for kernel crashes. The mini core dump applies to Master units. Kernel mini core dumps are always enabled. The mini core dumps contain the stack space and some other very minimal information that can be used to debug a crash. These files are small and are written to flash until space is exhausted. When the flash is full, the write process stops. A mini core dump contains critical information in the event of a crash.
● Kernel full core dump from RP application: f10Ch_rpm<0/1>_rp_.kcore.gz
● Kernel full core dump from LP application: f10Ch_lp_.kcore.gz
Enabling TCP Dumps
A TCP dump captures CPU-bound control-plane traffic to improve troubleshooting and system manageability. You can perform a TCP dump on the Control Processor (CP) and Route Processor (RP) CPUs. When you enable TCP dumps, a dump captures all the packets on the local CPU, as specified in the CLI.
13 Dynamic Host Configuration Protocol (DHCP)
DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network endstations (hosts) based on configuration policies determined by network administrators.
Option               Number   Description
Subnet Mask          1        Specifies the client's subnet mask.
Router               3        Specifies the router IP addresses that may serve as the client's default gateway.
Domain Name Server   6        Specifies the domain name servers (DNSs) that are available to the client.
Domain Name          15       Specifies the domain name that clients should use when resolving hostnames via DNS.
1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters.
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters. Multiple servers might respond to a single DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer.
● The system provides 40K DHCP binding entries that can be divided between leased addresses and excluded addresses. By extension, the maximum number of pools you can configure depends on the subnet mask that you give to each pool. For example, if all pools were configured for a /24 mask, the total would be 40000/253 (approximately 158). If the subnet is increased, more pools can be configured. The maximum subnet that can be configured for a single pool is /17.
DHCP mode
network network/prefix-length
● network: the subnet address.
● prefix-length: specifies the number of bits used for the network portion of the address you specify. The prefix-length range is from 17 to 31.
4. Display the current pool configuration.
default-router address
Configure a Method of Hostname Resolution
Dell Networking systems are capable of providing DHCP clients with parameters for two methods of hostname resolution: using DNS or NetBIOS WINS.
Using DNS for Address Resolution
A domain is a group of networks. DHCP clients query DNS servers when they need to correlate host names to IP addresses.
1. Create a domain.
DHCP mode
domain-name name
2. Specify, in order of preference, the DNS servers that are available to a DHCP client.
● type: the protocol of the hardware platform. The default protocol is Ethernet.
Debugging the DHCP Server
To debug the DHCP server, use the following command.
● Display debug information for the DHCP server.
EXEC Privilege mode
debug ip dhcp server [events | packets]
Using DHCP Clear Commands
To clear DHCP binding entries, address conflicts, and server counters, use the following commands.
● Clear DHCP binding entries for the entire binding table.
EXEC Privilege mode.
Figure 35. Configuring a Relay Agent
To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC Privilege mode.
Example of the show ip interface Command
R1_E600#show ip int gig 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1 192.168.0.
Configure the System to be a DHCP Client
A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows:
● The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (OS version and a configuration file). BMP is enabled as a factory-default setting on a switch.
DHCP Snooping
A DHCP client can run on a switch simultaneously with the DHCP snooping feature as follows:
● If you enable DHCP snooping globally on a switch and you enable a DHCP client on an interface, DHCP snooping does not perform the trust port, source MAC address, and snooping table validations on that interface for packets destined to the DHCP client daemon. The following criteria determine packets destined for the DHCP client:
○ DHCP is enabled on the interface.
!
ip vrf VRF_2
ip route-import 2:2
ip route-export 1:1
!
route-map rmap1 permit 10
match source-protocol connected
!
route-map map2 permit 20
match source-protocol connected
Route Leaking for Complete Routing Table
!
ip vrf VRF_1
ip route-import 1:1
ip route-export 2:2
!
ip vrf VRF_2
ip route-import 2:2
ip route-export 1:1
Route Leaking for Selective Routes
!
ip vrf VRF_1
ip route-import 1:1 map1
ip route-export 2:2 map2
!
ip vrf VRF_2
ip route-import 2:2
ip route-export 1:1
!
!
route-map map1 permit 10 m
INTERFACE mode
ipv6 helper-address [vrf vrf-name] ipv6-address
Configuring DHCP relay source interface
The following section explains how to configure a global or interface-level DHCP relay source (IPv4 or IPv6) so that all DHCP packets from the DHCP client are forwarded to the DHCP server through the configured source interface. This feature applies only to L3 interfaces with relay configuration and to L3 DHCP-snooping-enabled VLANs.
1. Configuring an L3 interface with an IPv4 or IPv6 address.
Following are the steps to configure an L3 interface (loopback) with IPv4 and IPv6 addresses in INTERFACE mode.
Dell(conf)# interface loopback 2
Dell(conf-if-lo-2)# ip vrf forwarding vrf1
Dell(conf-if-lo-2)# ip address 2.2.2.2/32
Dell(conf-if-lo-2)# ipv6 address 2::2/128
Dell(conf-if-lo-2)# no shutdown
Dell(conf)# interface loopback 3
Dell(conf-if-lo-3)# ip vrf forwarding vrf2
Dell(conf-if-lo-3)# ip address 3.3.3.
Option 82 (DHCPv4 relay options)
RFC 3046 (the relay agent information option, or Option 82) is used for class-based IP address assignment. The code for the relay agent information option is 82, and it includes two suboptions: circuit ID and remote ID.
Circuit ID: This is the interface on which the client-originated message is received.
Remote ID: This identifies the host from which the message is received. The value of this suboption is the MAC address of the relay agent that adds Option 82.
● The default Agent Interface ID is constructed in the format VLANID:LagID:SlotID:PortStr. When the port is fanned out, the PortStr is represented as mainPort:subPort (all in ASCII format).
● The default Agent Remote ID is the system MAC address of the relay agent that adds Option 37 (in binary format).
DHCP Snooping
DHCP snooping is a feature that protects networks from spoofing. It acts as a firewall between the DHCP server and DHCP clients. DHCP snooping places ports in either trusted or untrusted mode.
Enabling DHCP Snooping
To enable DHCP snooping, use the following commands.
1. Enable DHCP snooping globally.
CONFIGURATION mode
ip dhcp snooping
2. Specify ports connected to DHCP servers as trusted.
INTERFACE mode
ip dhcp snooping trust
3. Enable DHCP snooping on a VLAN.
CONFIGURATION mode
ip dhcp snooping vlan name
Adding a Static Entry in the Binding Table
To add a static entry in the binding table, use the following command.
● Add a static entry in the binding table.
IP Address   MAC Address         Expires(Sec)   Type   VLAN     Interface
10.1.1.10    00:00:a0:00:00:00   39735          S      Vl 200   Po 10
10.1.1.11    00:00:a0:00:00:00   39736          S      Vl 200   Po 10
10.1.1.25    00:00:a0:00:00:00   162            D      Vl 200   Po 10
The following example shows sample output of the show ip dhcp snooping binding command for a device connected to only one of the VLT peers (orphaned). The physical interface is the one that is directly connected to the VLT peer.
Broadcast: An attacker can broadcast an ARP reply that specifies FF:FF:FF:FF:FF:FF as the gateway's MAC address, resulting in all clients broadcasting all internet-bound packets.
MAC flooding: An attacker can send fraudulent ARP messages to the gateway until the ARP cache is exhausted, after which traffic from the gateway is broadcast.
Bypassing the ARP Inspection
You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multi-switch environments. ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default.
To bypass the ARP inspection, use the following command.
● Specify an interface as trusted so that ARPs are not validated against the binding table.
INTERFACE mode
arp inspection-trust
DAI is supported on Layer 2 and Layer 3.
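The validation that dynamic ARP inspection performs on an untrusted port, written out in Python as an added illustration that is not part of this guide: the binding rows are the ones from the sample show ip dhcp snooping binding output above, and the inspector class, frame builder, port names and drop-reason labels are constructed for the example.

```python
import struct
from collections import Counter

# Constructed sample shaped like the show ip dhcp snooping binding rows above.
SAMPLE_BINDING_TABLE = """
10.1.1.10 00:00:a0:00:00:00 39735 S Vl 200 Po 10
10.1.1.11 00:00:a0:00:00:00 39736 S Vl 200 Po 10
10.1.1.25 00:00:a0:00:00:00 162   D Vl 200 Po 10
"""


def parse_binding_table(text):
    """Map (vlan, ip) -> mac from rows shaped like the binding table output."""
    table = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 8:            # IP MAC Expires Type "Vl" VLAN "Po"/"Te" port
            continue
        ip, mac, _expires, _type, _vl, vlan = parts[:6]
        table[(int(vlan), ip)] = mac.lower()
    return table


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


class ArpInspector:
    """DAI: on untrusted ports, the ARP sender MAC/IP pair must match a binding
    table entry for the VLAN; trusted ports (arp inspection-trust) bypass the check."""

    def __init__(self, bindings, trusted_ports=()):
        self.bindings = bindings
        self.trusted = set(trusted_ports)
        self.drops = Counter()        # drop reason -> count (constructed labels)

    def inspect(self, port, vlan, frame):
        """Return True if the frame may be forwarded, False if DAI drops it."""
        if port in self.trusted:
            return True
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            return True               # not ARP: DAI does not apply
        arp = frame[14:42]
        htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
            return self._drop("malformed")
        sender_mac = mac_str(arp[8:14])
        sender_ip = ".".join(str(b) for b in arp[14:18])
        if arp[8:14] != frame[6:12]:
            return self._drop("sender-mac-mismatch")   # ARP sender MAC vs Ethernet source
        if self.bindings.get((vlan, sender_ip)) != sender_mac:
            return self._drop("no-binding")            # pair not learned by DHCP snooping
        return True

    def _drop(self, reason):
        self.drops[reason] += 1
        return False


def build_arp(src_mac, sender_mac, sender_ip, target_ip, oper=2):
    """Constructed broadcast Ethernet/ARP frame (reply by default)."""
    spa = bytes(int(x) for x in sender_ip.split("."))
    tpa = bytes(int(x) for x in target_ip.split("."))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sender_mac + spa + b"\x00" * 6 + tpa
    return b"\xff" * 6 + src_mac + b"\x08\x06" + arp
```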
NOTE: Before enabling SAV with the VLAN option, allocate at least one FP block to the ipmacacl CAM region.
DHCP MAC Source Address Validation
DHCP MAC source address validation (SAV) validates a DHCP packet's source hardware address against the client hardware address field (CHADDR) in the payload. The system checks the packet's source MAC address against the CHADDR field in the DHCP header only for packets from snooped VLANs.
● Enable DHCP MAC SAV.
The following output of the show ip dhcp snooping source-address-validation discard-counters interface interface command displays the number of SAV dropped packets on a particular interface.
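The SAV check described above, with a per-interface discard counter, and the Option 82 parsing from the relay-options section earlier, as one added Python example that is not part of this guide. The frame builder, parser, class and interface names are constructed for the example; it assumes SAV applies only to client-originated BOOTREQUEST packets (server replies carry the client's CHADDR, not the sender's MAC).

```python
import struct
from collections import Counter

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
BOOTREQUEST = 1
DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_dhcp_frame(src_mac, chaddr, vlan=None, op=BOOTREQUEST,
                     circuit_id=None, remote_id=None):
    """Constructed Ethernet [+802.1Q] / IPv4 / UDP / BOOTP-DHCP frame (DHCPDISCOVER)."""
    options = b"\x35\x01\x01"                            # option 53: message type DISCOVER
    if circuit_id is not None and remote_id is not None:
        subs = (b"\x01" + bytes([len(circuit_id)]) + circuit_id   # suboption 1: circuit ID
                + b"\x02" + bytes([len(remote_id)]) + remote_id)  # suboption 2: remote ID
        options += b"\x52" + bytes([len(subs)]) + subs            # option 82
    options += b"\xff"                                   # END
    dhcp = (struct.pack("!BBBB", op, 1, 6, 0)            # op, htype=Ethernet, hlen=6, hops
            + b"\x00" * 24                               # xid, secs, flags, ciaddr..giaddr
            + chaddr.ljust(16, b"\x00")                  # CHADDR (16 bytes, 6 used)
            + b"\x00" * 192                              # sname + file
            + DHCP_MAGIC + options)
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00" * 4, b"\xff" * 4) + udp
    eth = b"\xff" * 6 + src_mac
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)  # TCI with PCP/DEI 0, VID = vlan
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip


def parse_frame(frame):
    """Return (source MAC, VLAN ID or None, DHCP payload or None)."""
    src = frame[6:12]
    ethertype, off, vlan = struct.unpack("!H", frame[12:14])[0], 14, None
    if ethertype == ETHERTYPE_VLAN:
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETHERTYPE_IPV4 or frame[off + 9] != 17:   # not IPv4 over UDP
        return src, vlan, None
    udp = frame[off + (frame[off] & 0x0F) * 4:]
    if not {67, 68} & set(struct.unpack("!HH", udp[:4])):      # not BOOTP/DHCP ports
        return src, vlan, None
    return src, vlan, udp[8:]


def dhcp_options(dhcp):
    """Yield (code, value) pairs from the options field after the magic cookie."""
    opts, i = dhcp[240:], 0
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:                                 # PAD
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        yield code, opts[i + 2:i + 2 + length]
        i += 2 + length


def relay_agent_info(dhcp):
    """Return (circuit ID, remote ID) from Option 82, or None if the option is absent."""
    for code, value in dhcp_options(dhcp):
        if code == 82:
            subs, i = {}, 0
            while i + 2 <= len(value):
                sub, length = value[i], value[i + 1]
                subs[sub] = value[i + 2:i + 2 + length]
                i += 2 + length
            return subs.get(1), subs.get(2)
    return None


class DhcpMacSav:
    """Source MAC vs CHADDR check for client DHCP packets on snooped VLANs."""

    def __init__(self, snooped_vlans):
        self.snooped_vlans = set(snooped_vlans)
        self.discards = Counter()      # per-interface SAV discard counter

    def check(self, interface, frame):
        """Return True to forward the frame, False if SAV discards it."""
        src, vlan, dhcp = parse_frame(frame)
        if dhcp is None or vlan not in self.snooped_vlans:
            return True                # SAV applies only to DHCP on snooped VLANs
        if len(dhcp) < 240:
            return self._discard(interface)   # truncated header: cannot validate
        if dhcp[0] != BOOTREQUEST:
            return True                # assumption: only client packets are validated
        htype, hlen = dhcp[1], dhcp[2]
        if htype != 1 or hlen != 6 or dhcp[28:28 + hlen] != src:
            return self._discard(interface)
        return True

    def _discard(self, interface):
        self.discards[interface] += 1
        return False
```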
14 Equal Cost Multi-Path (ECMP)
Equal cost multi-path (ECMP) supports multiple paths in next-hop packet forwarding to a destination device.
NOTE: You cannot separate LAG and ECMP, but you can use different algorithms across the chassis with the same seed. If LAG member ports span multiple port-pipes and line cards, set the seed to the same value on each port-pipe to achieve deterministic behavior.
NOTE: If you remove the hash algorithm configuration, the hash seed does not return to the original factory default setting.
To configure the hash algorithm seed, use the following command.
● Specify the hash algorithm seed.
CONFIGURATION mode.
Creating an ECMP Group Bundle
Within each ECMP group, you can specify an interface. If you enable monitoring for the ECMP group, the utilization calculation is performed when the average utilization of the link bundle (as opposed to a single link within the bundle) exceeds 60%.
1. Create a user-defined ECMP group bundle.
CONFIGURATION mode
ecmp-group ecmp-group-id
The range is from 1 to 64.
2. Add interfaces to the ECMP group bundle.
The following network diagram depicts a scenario where a 10Gbps link connects the routers R2 and R4 and a 40Gbps link connects the routers R3 and R5:
Figure 36. Sample BGP Link Bandwidth Configuration
In this scenario, there is an additional 40Gbps link that is sometimes activated between the routers R2 and R5.
ip address 3.3.3.1/24
no shut
router bgp 1
maximum-paths ebgp 2
bgp dmzlink-bw
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 no shutdown
neighbor 3.3.3.2 remote-as 2
neighbor 3.3.3.2 dmzlink-bw
neighbor 3.3.3.2 no shutdown
R4#
interface tengigabitethernet 1/1
ip address 4.4.4.2/24
no shut
router bgp 2
maximum-paths ebgp 2
bgp dmzlink-bw
neighbor 4.4.4.1 remote-as 1
neighbor 4.4.4.1 dmzlink-bw
neighbor 4.4.4.1 no shutdown
R5#
interface tengigabitethernet 1/1
ip address 5.5.5.
The following example shows weighted ECMP configuration for static routes:
Dell(conf)#ip route 1.1.1.0/24 4.4.4.2 weight 100
Dell(conf)#ip route 1.1.1.0/24 6.6.6.2 weight 200
Dell#show running-config | grep route
ip route 1.1.1.0/24 4.4.4.2 weight 100
ip route 1.1.1.0/24 6.6.6.2 weight 200
Dell(conf)#ip route vrf test 1.1.1.0/24 4.4.4.2 weight 100
Dell(conf)#ip route vrf test 1.1.1.0/24 6.6.6.2 weight 200
Dell(conf)#
Dell(conf)#
Dell#show running-config | grep route
ip route vrf test 1.1.1.0/24 4.4.4.
15 FCoE Transit
The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.
NOTE: FIP snooping is not supported on Fibre Channel interfaces.
FIP provides functionality for discovering and logging into an FCF. After discovering and logging in, FIP allows FCoE traffic to be sent and received between FCoE end-devices (ENodes) and the FCF. FIP uses its own EtherType and frame format. The following illustration shows the communication that occurs between an ENode server and an FCoE switch (FCF). The following table lists the FIP functions. Table 29.
FIP Snooping on Ethernet Bridges In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is called a FIP snooping bridge (FSB). On a FIP snooping bridge, ACLs are created dynamically as FIP login frames are processed.
Figure 38. FIP Snooping on a Core Switch
The following sections describe how to configure the FIP snooping feature on a switch that functions as a FIP snooping bridge so that it can perform the following functions:
● Allocate CAM resources for FCoE.
● Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis.
● A switch stack configuration is synchronized with the standby stack unit.
● Dynamic population of the FCoE database (ENode, Session, and FCF tables) is synchronized with the standby stack unit. The FCoE database is maintained by snooping FIP keep-alive messages.
● In case of a failover, the new master switch starts the required timers for the FCoE database tables. Timers run only on the master stack unit.
Using FIP Snooping
There are four steps to configure FCoE transit.
● You must apply the CAM-ACL space for the FCoE region before enabling the FIP snooping feature. If you do not apply CAM-ACL space, the following error message is displayed:
Dell(conf)#feature fip-snooping
% Error: Cannot enable fip snooping. CAM Region not allocated for Fcoe.
Dell(conf)#
NOTE: You must manually add the CAM-ACL space to the FCoE region, as it is not applied by default.
Enabling the FCoE Transit Feature
The following sections describe how to enable FCoE transit.
Configure a Port for a Bridge-to-FCF Link If a port is directly connected to an FCF, configure the port mode as FCF. Initially, all FCoE traffic is blocked; only FIP frames are allowed to pass. FCoE traffic is allowed on the port only after a successful fabric login (FLOGI) request/response and confirmed use of the configured FC-MAP value for the VLAN. FLOGI and fabric discovery (FDISC) request/response packets are trapped to the CPU. They are forwarded after the necessary ACLs are installed.
1. Configure FCoE. To configure FCoE transit, refer to the FCoE Transit Configuration Example.
NOTE: DCB/DCBx is enabled when either of these configurations is applied.
2. Save the configuration on the switch.
EXEC Privilege mode.
write memory
3. Reload the switch to enable the configuration.
EXEC Privilege mode.
reload
After the switch is reloaded, DCB/DCBx is enabled.
4. Enable the FCoE transit feature on a switch.
CONFIGURATION mode.
feature fip-snooping
5.
Table 31. Displaying FIP Snooping Information (continued)
Command: clear fip-snooping statistics [interface vlan vlan-id | interface port-type port/slot | interface port-channel port-channel-number]
Output: Clears the statistics on the FIP packets snooped on all VLANs, a specified VLAN, or a specified port interface.
The following example shows the show fip-snooping enode command.
Dell# show fip-snooping enode
Enode MAC           Enode Interface   FCF MAC             VLAN   FC-ID
-----------------   ---------------   -----------------   ----   --------
d4:ae:52:1b:e3:cd   Te 0/11           54:7f:ee:37:34:40   100    62:00:11
The following table describes the show fip-snooping enode command fields.
Table 33. show fip-snooping enode Command Description
Field             Description
ENode MAC         MAC address of the ENode.
ENode Interface   Slot/port number of the interface connected to the ENode.
Number of FLOGO Accepts                             :0
Number of FLOGO Rejects                             :0
Number of CVL                                       :0
Number of FCF Discovery Timeouts                    :0
Number of VN Port Session Timeouts                  :0
Number of Session failures due to Hardware Config   :0
Dell(conf)#
Dell# show fip-snooping statistics int tengigabitethernet 0/11
Number of Vlan Requests                  :1
Number of Vlan Notifications             :0
Number of Multicast Discovery Solicits   :1
Number of Unicast Discovery Solicits     :0
Number of FLOGI                          :1
Number of FDISC                          :16
Number of FLOGO                          :0
Number of Enode Keep Alive               :4416
Numbe
Table 35. show fip-snooping statistics Command Descriptions (continued)
Field                                  Description
Number of Unicast Discovery Solicits   Number of FIP-snooped unicast discovery solicit frames received on the interface.
Number of FLOGI                        Number of FIP-snooped FLOGI request frames received on the interface.
Number of FDISC                        Number of FIP-snooped FDISC request frames received on the interface.
Number of FLOGO                        Number of FIP-snooped FLOGO frames received on the interface.
FCoE Transit Configuration Example
The following illustration shows a core switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway.
Figure 39. Configuration Example: FIP Snooping on a Core Switch
In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
Example of Enabling FIP Snooping on the FCoE VLAN
Dell(conf)# interface vlan 10
Dell(conf-if-vl-10)# fip-snooping enable
Example of Enabling an FC-MAP Value on a VLAN
Dell(conf-if-vl-10)# fip-snooping fc-map 0x0EFC01
NOTE: Configuring an FC-MAP value is only required if you do not use the default FC-MAP value (0x0EFC00).
16 FIPS Cryptography
Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS 140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms.
Enabling FIPS Mode
To enable or disable FIPS mode, use the console port. Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied.
When you enable FIPS mode, the following actions are taken:
● If enabled, the SSH server is disabled.
● All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
-- Unit 0 --
Unit Type         : Management Unit
Status            : online
Next Boot         : online
Required Type     : C9010 - 48-port GE/TE/FG (SE)
Current Type      : C9010 - 48-port GE/TE/FG (SE)
Master priority   : 0
Hardware Rev      : 3.0
Num Ports         : 64
Up Time           : 7 hr, 3 min
Dell Version      : C9010-8-3-7-1061
Jumbo Capable     : yes
POE Capable       : no
FIPS Mode         : enabled
Burned In MAC     : 00:01:e8:8a:ff:0c
No Of MACs        : 3
...
Disabling FIPS Mode
The following describes disabling FIPS mode.
17 Flex Hash and Optimized Boot-Up
This chapter describes the Flex Hash and fast-boot enhancements.
Topics:
• Flex Hash Capability Overview
• Configuring the Flex Hash Mechanism
• LACP Fast Switchover
• Configuring LACP Fast Switchover
• LACP
• RDMA Over Converged Ethernet (RoCE) Overview
• Sample Configurations
• Preserving 802.
Flex hash APIs do not mask out unwanted byte values after extraction of the data from the Layer 4 headers for the offset value.
2. Use the load-balance flexhash command to specify whether IPv4 or IPv6 packets must be subjected to the flex hash functionality, a unique protocol number, the offset of hash fields from the start of the L4 header to be used for hash calculation, and a meaningful description to associate the protocol number with the name.
RRoCE packets are received and transmitted on specific interfaces called lite-subinterfaces. These interfaces are similar to the normal Layer 3 physical interfaces except for the extra provisioning that they offer to enable the VLAN ID for encapsulation. You can configure a physical interface or a Layer 3 Port Channel interface as a lite subinterface. When you configure a lite subinterface, only tagged IP packets with VLAN encapsulation are processed and routed. All other data packets are discarded.
Sample Configurations Figure 40.
no shutdown
!
interface fortyGigE 0/33
Description “To C9010s”
no ip address
mtu 9216
!
port-channel-protocol LACP
port-channel 1 mode active
!
protocol lldp
no advertise dcbx-tlv ets-reco
dcbx port-role auto-upstream
no shutdown
C9010 1 and C9010 2, VLT, RoCE, and iSCSI
!
dcb-map converged
Description DCB map for C9010 interlinks
priority-group 0 bandwidth 30 pfc off
priority-group 1 bandwidth 40 pfc on
priority-group 2 bandwidth 30 pfc on
priority-pgid 0 0 0 1 2 0 0 0
!
dcb-map RoCE
Description DCB map fo
vlt domain 2
peer-link port-channel 128
back-up destination
interface Port-channel 128
no ip address
mtu 9216
channel-member fortyGigE 1/4
no shutdown
interface fortyGigE 1/4
no ip address
mtu 9216
dcb-map Converged
protocol lldp
no shutdown
Description from MXL B1 Switch
no ip address
mtu 9216
dcb-map RoCE
!
port-channel-protocol LACP
port-channel 50 mode active
!
protocol lldp
no shutdown
!
interface TenGigabitEthernet 0/28
Description EQL Array - iSCSI
no ip address
mtu 9216
portmode
protocol lldp
no shutdown
Preserving 802.1Q VLAN Tag Value for Lite Subinterfaces
All the frames in a Layer 2 VLAN are identified using a tag defined in the IEEE 802.1Q standard to determine the VLAN to which the frames or traffic belong. Such frames are encapsulated with the 802.1Q tags. If a single VLAN is configured in a network topology, all the traffic packets contain the same dot1q tag, which is the tag value of the 802.1Q header.
18 Force10 Resilient Ring Protocol (FRRP)
Force10 resilient ring protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of the network and the node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
Important FRRP Points

FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring.
● The Master node transmits ring status check frames at specified intervals.
● You can run multiple physical rings on the same switch.
● One Master node per ring — all other nodes are Transit.
Concept: Explanation
● Pre-Forwarding State — A transition state before moving to the Forward state. Control traffic is forwarded but data traffic is blocked. The Master node Secondary port transitions through this state during ring bring-up. All ports transition through this state when a port comes up.
● Disabled State — When the port is disabled or down, or is not on the VLAN.
Configuring the Control VLAN

Control and member VLANs are configured normally for Layer 2. Their status as control or member is determined by the FRRP group commands. For more information about configuring VLANs in Layer 2 mode, refer to Layer 2. Be sure to follow these guidelines:
● All VLANs must be in Layer 2 mode.
● You can only add ring nodes to the VLAN.
● A control VLAN can belong to one FRRP group only.
● Tag control VLAN ports.
Configuring and Adding the Member VLANs

Control and member VLANs are configured normally for Layer 2. Their status as Control or Member is determined by the FRRP group commands. For more information about configuring VLANs in Layer 2 mode, refer to the Layer 2 chapter. Be sure to follow these guidelines:
● All VLANs must be in Layer 2 mode.
● Tag control VLAN ports. Member VLAN ports, except the Primary/Secondary interface, can be tagged or untagged.
timer {hello-interval|dead-interval} milliseconds
○ Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500).
○ Dead-Interval: the range is from 50 to 6000, in increments of 50 (default is 1500).

Clearing the FRRP Counters

To clear the FRRP counters, use one of the following commands.
● Clear the counters associated with this Ring ID.
EXEC Privilege mode
clear frrp ring-id
Ring ID: the range is from 1 to 255.
● Clear the counters associated with all FRRP groups.
○ When the interface ceases to be a part of any FRRP process, if you enable Spanning Tree globally, also enable it explicitly for the interface.
● The maximum number of rings allowed on a chassis is 255.

Sample Configuration and Topology

The following example shows a basic FRRP topology.
Example of R3 TRANSIT
interface TengigabitEthernet 3/14
 no ip address
 switchport
 no shutdown
!
interface TengigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged TengigabitEthernet 3/14,21
 no shutdown
!
interface Vlan 201
 no ip address
 tagged TengigabitEthernet 3/14,21
 no shutdown
!
protocol frrp 101
 interface primary TengigabitEthernet 3/21 secondary TengigabitEthernet 3/14
 control-vlan 101 member-vlan 201
 mode transit
 no disable

FRRP Support on VLT

Using FRRP
This active-active FRRP configuration blocks the FRRP ring on a per-VLAN or per-VLAN-group basis, which lets the configuration span different sets of VLANs. An FRRP configuration in which the VLTi nodes act as the primary or secondary interfaces ensures that all the optics used to connect VLT domains across data centers are fully utilized.
Figure 42. FRRP Ring using VLTi links

Important Points to Remember
● VLTi can be configured only as the primary interface for the primary interface of any FRRP ring.
● Only RSTP and PVST are supported in the VLT environment. Enabling either RSTP or PVST affects FRRP functionality even though these features are disabled on FRRP-enabled interfaces.
● Dell Networking OS does not support coexistence of xSTP and FRRP configurations.
19 GARP VLAN Registration Protocol (GVRP)

GARP VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN.
Configure GVRP

To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports.

Figure 43. Global GVRP Configuration Example

Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2.
gvrp enable
Dell(conf)#protocol gvrp
Dell(config-gvrp)#no disable
Dell(config-gvrp)#show config
!
protocol gvrp
 no disable
Dell(config-gvrp)#

To inspect the global configuration, use the show gvrp brief command.

Enabling GVRP on a Layer 2 Interface

To enable GVRP on a Layer 2 interface, use the following command.
● Enable GVRP on a Layer 2 interface.
 no shutdown
Dell(conf-if-te-1/21)#

Configure a GARP Timer

Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings.
● Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The default is 200ms.
20 High Availability (HA)

High availability (HA) is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions.
RPM Online Insertion

Dell Networking systems can function with only one RPM. If you insert a second RPM, it comes online as the standby RPM. To display the status of installed RPMs, enter the show rpm all command.
Replacing a Line Card

To replace a line card with a line card of the same type, you can remove the old card and insert a new card without any additional configuration. To replace a line card with a different card type, remove the card and then remove the existing line-card configuration for the slot using the command no linecard slot-id provision.
Graceful Restart

Graceful restart (also known as non-stop forwarding) is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change.
System Log

Event messages provide system administrators diagnostics and auditing information. The Dell Networking OS sends event messages to the internal buffer, all terminal lines, the console, and optionally to a syslog server. For more information about event messages and configurable options, see Switch Management.

Control Plane Redundancy

The switch eliminates single points of failure by providing dedicated or load-balanced redundancy for various components.
Failover Type:           Hot Failover
Auto reboot RPM:         Enabled
Auto failover limit:     3 times in 60 minutes
-- Control Plane Failover Record ------------------------------------------------
Failover Count:          0
Last failover timestamp: None
Last failover Reason:    None
Last failover type:      None
-- Last Data Block Sync Record: ------------------------------------------------
linecard Config:         succeeded Jun 26 2015
Start-up Config:         succeeded Jun 26 2015
Runtime Event Log:       succeeded Jun 26 2015
Running Config:          succeeded Jun 26 2
Disabling Auto-Reboot

To disable auto-reboot, use the following command.
● Prevent a failed stack unit from rebooting after a failover.
21 Internet Group Management Protocol (IGMP)

Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 44. IGMP Messages in IP Packets

Join a Multicast Group

There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier.

Responding to an IGMP Query

The following describes how a host can join a multicast group.
1. One router on a subnet is elected as the querier. The querier periodically multicasts (to the all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
2.
IGMP Version 3

Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences.
● Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers.
● To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Joining and Filtering Groups and Sources

The following illustration shows how multicast routers maintain the group and source information from unsolicited reports.
1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2. The host's second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1. The Include message prevents traffic from all other sources in the group from reaching the subnet.
Leaving and Staying in Groups

The following illustration shows how multicast routers track and refresh state changes in response to group-and-source-specific and general queries.
1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the include filter for 10.11.1.1 and 10.11.1.2 is no longer necessary.
2.
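The join, narrow-to-source and leave sequence described in the two walk-throughs above, worked as an added example (this is not Dell code and not the switch's IGMP implementation): it builds IGMPv3 Membership Reports in the RFC 3376 wire format, parses them with checksum and length checks, and keeps the per-subnet include/exclude state a querier would derive from them. Group 224.1.1.1 and sources 10.11.1.1 and 10.11.1.2 come from the guide; the report bytes are constructed inline.

```python
"""IGMPv3 membership reports and per-subnet group/source state (added example)."""
import ipaddress
import struct

IGMPV3_REPORT = 0x22
MODE_IS_INCLUDE, MODE_IS_EXCLUDE = 1, 2
CHANGE_TO_INCLUDE, CHANGE_TO_EXCLUDE = 3, 4
ALLOW_NEW_SOURCES, BLOCK_OLD_SOURCES = 5, 6


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_report(records):
    """Build a Membership Report from (record_type, group, [sources]) tuples."""
    body = b""
    for rtype, group, sources in records:
        body += struct.pack("!BBH4s", rtype, 0, len(sources),
                            ipaddress.IPv4Address(group).packed)
        for src in sources:
            body += ipaddress.IPv4Address(src).packed
    msg = struct.pack("!BBHHH", IGMPV3_REPORT, 0, 0, 0, len(records)) + body
    return msg[:2] + struct.pack("!H", internet_checksum(msg)) + msg[4:]


def parse_report(msg: bytes):
    """Parse a report; raise ValueError on wrong type, bad checksum or truncation."""
    if len(msg) < 8 or msg[0] != IGMPV3_REPORT:
        raise ValueError("not an IGMPv3 membership report")
    if internet_checksum(msg) != 0:
        raise ValueError("bad IGMP checksum")
    (nrec,) = struct.unpack("!H", msg[6:8])
    off, records = 8, []
    for _ in range(nrec):
        if off + 8 > len(msg):
            raise ValueError("truncated group record")
        rtype, auxlen, nsrc, grp = struct.unpack("!BBH4s", msg[off:off + 8])
        off += 8
        need = 4 * nsrc + 4 * auxlen          # aux data length is in 32-bit words
        if off + need > len(msg):
            raise ValueError("truncated source list")
        sources = [str(ipaddress.IPv4Address(msg[off + 4 * i:off + 4 * i + 4]))
                   for i in range(nsrc)]
        off += need
        records.append((rtype, str(ipaddress.IPv4Address(grp)), sources))
    return records


class SubnetGroupState:
    """group -> (mode, source set) as a querier would keep it (timers omitted)."""

    def __init__(self):
        self.groups = {}

    def apply(self, msg: bytes):
        for rtype, group, sources in parse_report(msg):
            mode, cur = self.groups.get(group, ("INCLUDE", set()))
            srcs = set(sources)
            if rtype in (MODE_IS_INCLUDE, CHANGE_TO_INCLUDE):
                mode, cur = "INCLUDE", srcs
            elif rtype in (MODE_IS_EXCLUDE, CHANGE_TO_EXCLUDE):
                mode, cur = "EXCLUDE", srcs
            elif rtype == ALLOW_NEW_SOURCES:
                cur = cur | srcs if mode == "INCLUDE" else cur - srcs
            elif rtype == BLOCK_OLD_SOURCES:
                cur = cur - srcs if mode == "INCLUDE" else cur | srcs
            if mode == "INCLUDE" and not cur:   # INCLUDE {} means "leave"
                self.groups.pop(group, None)
            else:
                self.groups[group] = (mode, cur)
        return dict(self.groups)

    def forwards(self, group, source):
        """Would traffic from `source` to `group` be forwarded onto this subnet?"""
        if group not in self.groups:
            return False
        mode, srcs = self.groups[group]
        return source in srcs if mode == "INCLUDE" else source not in srcs


def walkthrough():
    state = SubnetGroupState()
    # 1. Unsolicited report: join 224.1.1.1 from any source (EXCLUDE {}).
    state.apply(build_report([(CHANGE_TO_EXCLUDE, "224.1.1.1", [])]))
    # 2. Second report: only source 10.11.1.1 is wanted.
    state.apply(build_report([(CHANGE_TO_INCLUDE, "224.1.1.1", ["10.11.1.1"])]))
    narrowed = (state.forwards("224.1.1.1", "10.11.1.1"),
                state.forwards("224.1.1.1", "10.11.1.2"))
    # 3. Leave: INCLUDE with an empty source list drops the group state.
    state.apply(build_report([(CHANGE_TO_INCLUDE, "224.1.1.1", [])]))
    return narrowed, dict(state.groups)
```

The parser refuses a report whose checksum does not verify or whose group records run past the end of the buffer, which is the check a snooping switch or a monitoring tool must make before trusting the source list it carries.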
● Adjusting Timers
● Configuring a Static IGMP Group
● Preventing a Host from Joining a Group
● Enabling IGMP Immediate-Leave
● IGMP Snooping
● Fast Convergence after MSTP Topology Changes
● Designating a Multicast Router Interface

Viewing IGMP Enabled Interfaces

Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command.
● View IGMP-enabled interfaces.
Viewing IGMP Groups

To view both learned and statically configured IGMP groups, use the following command.
● View both learned and statically configured IGMP groups.
EXEC Privilege mode
show ip igmp groups

Dell#show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address   Interface                Mode            Uptime     Expires    Last Reporter
225.1.1.1       TenGigabitEthernet 1/0   IGMPv2-Compat   00:00:06   00:02:03   1.1.1.2
225.1.1.2       TenGigabitEthernet 1/0   IGMPv2-Compat   00:00:06   00:02:03   1.1.1.
Configuring IGMP Snooping

Configuring IGMP snooping is a one-step process. To enable, view, or disable IGMP snooping, use the following commands. There is no specific configuration needed for IGMP snooping with virtual link trunking (VLT). For information about VLT configurations, refer to Virtual Link Trunking (VLT).
● Enable IGMP snooping on a switch.
CONFIGURATION mode
ip igmp snooping enable
● View the configuration.
CONFIGURATION mode
show running-config
● Disable snooping on a VLAN.
no ip igmp snooping flood

Specifying a Port as Connected to a Multicast Router

To statically specify or view a port in a VLAN, use the following commands.
● Statically specify a port in a VLAN as connected to a multicast router.
INTERFACE VLAN mode
ip igmp snooping mrouter interface interface
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Fast Convergence after MSTP Topology Changes

When a port transitions to the Forwarding state as a result of an STP or MSTP topology change, the system sends a general query out of all ports except the multicast router ports. The host sends a response to the general query and the forwarding database is updated without having to wait for the query interval to expire.
22 Interfaces

This chapter describes interface types, both physical and logical, and how to configure them on the switch.
● 1-Gigabit Ethernet, 10-Gigabit Ethernet and 40-Gigabit Ethernet interfaces are supported on the C9010 switch and 1-Gigabit Ethernet C1048P port extender.
• Defining Interface Range Macros
• Monitoring and Maintaining Interfaces
• Displaying Traffic Statistics on HiGig Ports
• Link Bundle Monitoring
• Monitoring HiGig Link Bundles
• Non Dell-Qualified Transceivers
• Splitting QSFP Ports to SFP+ Ports
• Configuring wavelength for 10-Gigabit SFP+ optics
• Link Dampening
• Using Ethernet Pause Frames for Flow Control
• Configure the MTU Size on an Interface
• Auto-Negotiation on Ethernet Interfaces
• Provisioning Combo Ports
• View Advanced Interface Inform
On the C9010, port interface numbers are written above the ports. The following examples show port numbering on C9010 line cards (40GbE QSFP+, 1/10GbE SFP+, and 1/10GbE RJ-45).

Figure 50. 40GbE QSFP+ Port Numbering

On the 6-Port 40GbE QSFP+ line card, ports are numbered from 0 to 5 and operate by default in 40GbE mode. If you use a breakout cable, each port can operate in 10G mode. 40GbE ports are numbered in multiples of four, starting with zero; for example, 0, 4, 8, 12, and so on.
Figure 53. C1048P Port Numbering

On a C1048P port extender, 10/100/1000BASE-T ports on the front panel are numbered from 1 to 48.
● Odd-numbered ports 1-47 are on top; even-numbered ports 2-48 are on the bottom.
● A yellow PE port number indicates that the port is PoE-enabled.
● The two 10GbE SFP+ ports, which are used only for uplinks to an attached C9010, are numbered 1 and 2.
Table 37. Types of Interfaces (continued)
Columns: Interface Type | Modes Possible | Default Mode | Requires Creation | Default State
(row fragment) ... VLAN 4093 are reserved VLANs. You cannot configure these VLANs. | Default State: L3 - No Shutdown (enabled)

View Basic Interface Information

To view basic interface information, use the following command. You have several options for viewing interface status and configuration parameters.
● Lists all configurable interfaces on the chassis.
The following example shows information about port extender interfaces. For more information about the show port extender commands, see Displaying Information About PE Stacks.
Te 2/10  Te 2/11  Te 2/12  Te 2/13  Te 2/14  Te 2/15  Te 2/16  Te 2/17
Te 2/18  Te 2/19  Te 2/20  Te 2/21  Te 2/22  Te 2/23
Fo 5/0   Fo 5/4   Fo 5/8   Fo 5/12  Fo 5/16  Fo 5/20
Te 6/0   Te 6/1   Te 6/2   Te 6/3   Te 6/4   Te 6/5   Te 6/6   Te 6/7
Te 6/8   Te 6/9   Te 6/10  Te 6/11  Te 6/12  Te 6/13  Te 6/14  Te 6/15
Te 6/16  Te 6/17  Te 6/18  Te 6/19  Te 6/20  Te 6/21  Te 6/22  Te 6/23
Fo 9/0   Fo 9/4   Fo 9/8   Fo 9/12  Fo 9/16  Fo 9/20
Te 10/0  Te 10/1  Te 10/2  Te 10/3
Te 11/0  Te 11/1  Te 11/2  Te 11/3
PeGi 255/1/1   PeGi 255/1/2   PeGi 255/1/3   PeGi 255/1/4   PeGi 255/1/5
(listing continues through the port-extender interfaces; the recoverable entries are)
PeGi 255/1/16  PeGi 255/1/17  PeGi 255/1/18  PeGi 255/1/19  PeGi 255/1/20
PeGi 255/1/21  PeGi 255/1/22  PeGi 255/1/23  PeGi 255/1/24  PeGi 255/1/25
PeGi 255/1/26  PeGi 255/1/27  PeGi 255/1/28  PeGi 255/1/29  PeGi 255/1/30
PeGi 255/1/31  PeGi 25
PeGi 255/2/41  PeGi 255/2/42  PeGi 255/2/43  PeGi 255/2/44  PeGi 255/2/45
PeGi 255/2/46  PeGi 255/2/47  PeGi 255/2/48
PeGi 255/3/1   PeGi 255/3/2   PeGi 255/3/3   PeGi 255/3/4   PeGi 255/3/5
PeGi 255/3/6   PeGi 255/3/7   PeGi 255/3/8   PeGi 255/3/9   PeGi 255/3/10
PeGi 255/3/11  PeGi 255/3/12  PeGi 255/3/13  PeGi 255/3/14  PeGi 255/3/15
PeGi 255/3/16  PeGi 255/3/17  PeGi 255/3/18  PeGi 255/3/
To view only configured interfaces, use the show interfaces configured command in the EXEC Privilege mode. To determine which physical interfaces are available, use the show running-config command in EXEC mode. This command displays all physical interfaces available on the line cards.

Dell#show running
Current Configuration ...
All the applied configurations are removed and the interface is set to the factory default state.

Enabling a Physical Interface

After determining the type of physical interfaces available, to enable and configure the interfaces, enter INTERFACE mode by using the interface interface {slot/port | pe-id/stack-unit/port} command.
1. Enter the keyword interface then the type of interface and slot/port information.
EXEC mode or EXEC Privilege mode
[Use the command on the remote system that is equivalent to the first command.]
3. Access CONFIGURATION mode.
EXEC Privilege mode
config
4. Access the port.
CONFIGURATION mode
interface interface-type
5. Set the local port speed.
INTERFACE mode
speed {10 | 100 | 1000 | 10000 | auto}
NOTE: If you use an active optical cable (AOC), you can convert the QSFP+ port to a 10 Gigabit SFP+ port or 1 Gigabit SFP port. You can use the speed command to enable the required speed.
6.
Table 38. Layer Modes (continued)
Type of Interface   Possible Modes      Requires Creation                    Default State
(previous row)      Layer 3
VLAN                Layer 2, Layer 3    Yes, except for the default VLAN.    No shutdown (active for Layer 2); Shutdown (disabled for Layer 3)

Configuring Layer 2 (Data Link) Mode

Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode.
 no shutdown

If an interface is in the incorrect layer mode for a given command, an error message is displayed (shown in bold). In the following example, the ip address command triggered an error message because the interface is in Layer 2 mode and the ip address command is a Layer 3 command only.

Dell(conf-if)#show config
!
interface TengigabitEthernet 1/2
 no ip address
 switchport
 no shutdown
Dell(conf-if)#ip address 10.10.1.1 /24
% Error: Port is in Layer 2 mode Te 1/2.
When you enable this feature, all management routes (connected, static, and default) are copied to the management EIS routing table. Use the management route command to add new management routes to the default and EIS routing tables. Use the show ip management-eis-route command to view the EIS routes.

Important Points to Remember
● Deleting a management route removes the route from both the EIS routing table and the default routing table.
You can configure two global IPv6 addresses on the switch in EXEC Privilege mode. To view the addresses, use the show interface managementethernet command, as shown in the following example. If you try to configure a third IPv6 address, an error message displays. If you enable auto-configuration, all IPv6 addresses on that management interface are auto-configured. The first IPv6 address that you configure on the management interface is the primary address.
INTERFACE mode
no shutdown
● The interface is the management interface.
INTERFACE mode
description

To display the configuration for a given port, use the show interface command in EXEC Privilege mode, as shown in the following example. To display the routing table, use the show ip route command in EXEC Privilege mode.
● port-id is from 25 to 28 or 49 to 52 depending on the PE.

Dell(conf)#interface peGigE ?
PE-ID/UNIT/PORT    PE Gigabit Ethernet interface number
Dell(conf)#interface peGigE 2/0/1
Dell(conf)#interface peTenGigE ?
PE-ID/UNIT/PORT    PE TenGigabit Ethernet interface number
Dell(conf)#interface peTenGigE 21/0/49

For more information on how to configure and use port extenders with C9000 Series switches, see Port Extenders (PEs) and Port Extender (PE) Stacking.
Loopback Interfaces

A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Because this interface is not a physical interface, you can configure routing protocols on this interface to provide protocol stability. You can place Loopback interfaces in default Layer 3 mode. To configure, view, or delete a Loopback interface, use the following commands.
● Enter a number as the Loopback interface.
● With line cards, the port-delay-restore timer kicks in for each individual line card separately as it boots up.

Port Channel Interfaces

Port channel interfaces support link aggregation, as described in IEEE Standard 802.3ad. This section covers the following topics:
● Port Channel Definition and Standards
● Port Channel Benefits
● Port Channel Implementation
● Configuration Tasks for Port Channel Interfaces

Port Channel Definition and Standards

Link aggregation is defined by IEEE 802.
10/40 Gbps Interfaces in Port Channels

When 10 GigE and 40 GigE interfaces are added to a port channel, the interfaces must share a common speed. When interfaces have a configured speed different from the port channel speed, the software disables those interfaces. The common speed is determined when the port channel is first enabled. At that time, the software checks the first interface listed in the port channel configuration.
NOTE: The switch supports jumbo frames by default (the default maximum transmission unit (MTU) is 9216 bytes). To configure the MTU, use the mtu command from INTERFACE mode.

To view the interface's configuration, enter INTERFACE mode for that interface and use the show config command, or from EXEC Privilege mode use the show running-config interface interface command. When an interface is added to a port channel, the system recalculates the hash algorithm.
     119637 Multicasts, 0 Broadcasts, 729549906 Unicasts
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics:
     126213191 packets, 100268791824 bytes, 0 underruns
     3933 64-byte pkts, 5197951 over 64-byte pkts, 11205314 over 127-byte pkts
     22179400 over 255-byte pkts, 44378893 over 511-byte pkts, 43247700 over 1023-byte pkts
     114254 Multicasts, 0 Broadcasts, 126098937 Unicasts
     0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
     Input 135.
Dell(conf-if-portch)#channel te 1/8
Dell(conf-if-portch)#show conf
!
interface Port-channel 5
 no ip address
 channel-member TengigabitEthernet 1/8
 shutdown
Dell(conf-if-portch)#

Configuring the Minimum Oper Up Links in a Port Channel

You can configure the minimum links in a port channel (LAG) that must be in "oper up" status to consider the port channel to be in "oper up" status. To set the "oper up" status of your links, use the following command.
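The two rules stated above, that 10/40 GigE members must share the speed fixed from the first listed member when the port channel is first enabled and that the LAG is "oper up" only when at least the configured minimum number of members is oper up, as an added example in Python (this is not Dell OS code). It parses a constructed port-channel block in the style of the show conf output above and a constructed interface-status table; the minimum-links keyword and all interface names and speeds are assumptions made for the example.

```python
"""Port-channel member speed check and minimum oper-up links (added example)."""
import re

# Constructed running-config excerpt (format modelled on the show conf output).
SAMPLE_CONFIG = """\
interface Port-channel 5
 no ip address
 minimum-links 2
 channel-member TengigabitEthernet 1/8
 channel-member TengigabitEthernet 1/9
 channel-member fortyGigE 2/0
 no shutdown
"""

# Constructed interface status: name -> (speed in Gbps, link up?).
SAMPLE_STATUS = {
    "TengigabitEthernet 1/8": (10, True),
    "TengigabitEthernet 1/9": (10, True),
    "fortyGigE 2/0": (40, True),
}


def parse_port_channel(config: str):
    """Return (channel number, [members in listed order], minimum links)."""
    number, members, min_links = None, [], 1
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"interface Port-channel (\d+)$", line)
        if m:
            number = int(m.group(1))
        elif line.startswith("channel-member "):
            members.append(line[len("channel-member "):])
        elif line.startswith("minimum-links "):
            min_links = int(line.split()[1])
    if number is None or not members:
        raise ValueError("no port-channel with members found")
    if min_links < 1 or min_links > len(members):
        raise ValueError("minimum-links must be between 1 and the member count")
    return number, members, min_links


def evaluate_lag(config: str, status: dict):
    """Apply the speed rule, then decide the LAG's oper state.

    Returns (common speed, disabled members, oper-up members, lag oper up?).
    """
    _, members, min_links = parse_port_channel(config)
    common_speed = status[members[0]][0]          # taken from the first listed member
    disabled = [m for m in members if status[m][0] != common_speed]
    oper_up = [m for m in members
               if m not in disabled and status[m][1]]
    return common_speed, disabled, oper_up, len(oper_up) >= min_links


def demo():
    before = evaluate_lag(SAMPLE_CONFIG, SAMPLE_STATUS)
    # Take one 10 GigE member down: only one oper-up member remains, below minimum-links 2.
    degraded = dict(SAMPLE_STATUS, **{"TengigabitEthernet 1/9": (10, False)})
    after = evaluate_lag(SAMPLE_CONFIG, degraded)
    return before, after
```

A script like this run against the real running-config is a cheap pre-change check: a 40 GigE member listed after 10 GigE members will be silently disabled by the speed rule, and a minimum-links value larger than the number of usable members means the LAG can never come up.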
INTERFACE mode
ip address ip-address mask [secondary]
○ ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24).
○ secondary: the IP address is the interface's backup IP address. You can configure up to eight secondary IP addresses.

Deleting or Disabling a Port Channel

To delete or disable a port channel, use the following commands.
● Delete a port channel.
CONFIGURATION mode
no interface portchannel channel-number
● Disable a port channel.
hash-algorithm ecmp {crc-upper} | {dest-ip} | {lsb}

Dell(conf)#hash-algorithm ecmp xor1 lag crc16
Dell(conf)#

The hash-algorithm command is specific to the ECMP group. The default ECMP hash configuration is crc-lower. This command takes the lower 32 bits of the hash key to compute the egress port. Other options for ECMP hash-algorithms are:
● crc-upper — uses the upper 32 bits of the hash key to compute the egress port.
● dest-ip — uses destination IP address as part of the hash key.
The following is an example of a single range on PE ports.

Dell(config)#interface range peGigE 1/0/4-47
Dell(conf-if-range-pegi-1/0/4-47)# no shut
Dell(conf-if-range-pegi-1/0/4-47)#

Create a Multiple-Range

The following is an example of a multiple range.
Interface Range Enhancements

Inserting a space between comma-separated interfaces and interface ranges in interface range command syntax is no longer required. For example, you can enter the following valid interface range: interface range fo 2/0-16,te 1/0,te 0/0-3,fo 0/4. Also, you can associate a static multicast MAC address with one or more VLANs and port interfaces by using the mac-address-table static multicast-mac-address vlan vlan-id output-range interface command.
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
○ For a port extender (PE) Gigabit Ethernet interface, enter the keyword peGigE then the pe-id/pe-stack-unit-id/port-number information.
○ For a port extender 10-Gigabit Ethernet interface, enter the keyword peTenGigE then the pe-id/stack-unit/port-id information.
NOTE: TDR is an intrusive test. Do not run TDR on a link that is up and passing traffic.

To test and display TDR results, use the following commands.
1. Test for cable faults on the TenGigabitEthernet interface.
EXEC Privilege mode
tdr-cable-test tengigabitethernet slot/port
Between two ports, do not start the test on both ends of the cable. Enable the interface before starting the test. Enable the port to run the test or the test prints an error message.
2. Display TDR test results.
 no shutdown
 link-bundle-monitor enable

To view the links that are being monitored, use the show link-bundle-distribution command.
● Each line-card NPU uses two HiGig link bundles for its backplane links to connect to each SFM (spine) NPU. The convention used to identify a HiGig link-bundle interface is hg-port-channel slot/npu-id/0, where slot specifies the line-card slot number (0–11), npu-id specifies the NPU ID number (0), and the final field is the HiGig port-channel ID, which is in the range 0-2 for a line-card NPU.
● Each SFM NPU uses a separate HiGig link bundle to connect to each line-card (leaf) NPU.
Non Dell-Qualified Transceivers

The system supports Dell-qualified transceivers and only some of the non Dell-qualified transceivers. The system supports the following cables and adapters:
● DAC cables
● AOC cables
● AOC fan-out cables
● DAC fan-out cables
● 40G fiber breakout cables
● 10G AOC and DAC cables
● 1G optics
● QSA
If you use any of the cables or adapters in the preceding list that is not Dell-qualified, the Dell Networking OS detects it and makes it operational.
● Split a single 40G port into 4-10G ports.
CONFIGURATION mode
linecard {0–11} port {0–20} portmode quad
○ The range of switch line-card numbers is 0 to 11.
○ The range of port numbers on a 40G port to be split is 0 to 20.
To verify port splitting, use the show system linecard {0–11} fanout {count | configure} command.
● The quad port must be in a default configuration before you can split it into 4x10G ports.
● QSFP port 0 is connected to a QSA with SFP+ optical cables plugged in.
● QSFP port 4 is connected to a QSA with SFP optical cables plugged in.
● QSFP port 8 in fanned-out mode is plugged in with QSFP optical cables.
● QSFP port 12 in 40 G mode is plugged in with QSFP optical cables.
Enabling Link Dampening

To enable link dampening, use the following command.
● Enable link dampening.
INTERFACE mode
dampening

R1(conf-if-te-1/1)#show config
!
interface TengigabitEthernet 1/1
 ip address 10.10.19.1/24
 dampening 1 2 3 4
 no shutdown
R1(conf-if-te-1/1)#exit

To view the link dampening configuration on an interface, use the show config command. To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
Port Pipes

A port pipe is a Dell Networking-specific term for the hardware packet-processing elements that handle network traffic to and from a set of front-end I/O ports. The physical, front-end I/O ports are referred to as a port set. The system has 10 switch cards, and each card has only one port pipe and 48 ports.
● For ports connected through the port extender, you can have a maximum of 4 sessions per system.
Changes in the flow-control values may not be reflected automatically in show interface output. To display the change, apply the new flow-control setting, perform a shutdown followed by a no shutdown on the interface, and then re-display the show interface output for the port.

Threshold Settings

When the transmission pause is set (tx on), you can set three thresholds to define the controls more closely.
Configure the MTU Size on an Interface

If a packet includes a Layer 2 header, the difference in bytes between the link MTU and IP MTU must be enough to include the Layer 2 header. For example, for VLAN packets, if the IP MTU is 1400, the Link MTU must be no less than 1422:
1400-byte IP MTU + 22-byte VLAN Tag = 1422-byte link MTU
The MTU range is from 594 to 9216, with a default of 1554. The IP MTU is configured automatically.
Set Auto-Negotiation Options

The negotiation auto command provides a mode option for configuring an individual port to forced master/forced slave once auto-negotiation is enabled.

CAUTION: Ensure that only one end of the node is configured as forced-master and the other is configured as forced-slave. If both are configured the same (that is, both as forced-master or both as forced-slave), the show interface command flaps between an auto-neg-error and forced-master/slave states.
NOTE: When the port is provisioned as fiber and a copper cable is inserted, the device does not detect it and hence no syslog message is displayed. If an SFP is present when the port is being provisioned as copper, the system displays a syslog message.
● Configure the number of seconds of traffic statistics to display in the show interfaces output.
INTERFACE mode
rate-interval
The bold lines show the default value of 299 seconds, the change-rate interval of 100, and the new rate interval set to 100.
● Configure the number of seconds of traffic statistics to display in the show interfaces output.
CONFIGURATION mode
rate-interval
The bold lines show the default value of 299 seconds, the change-rate interval of 100, and the new rate interval set to 100.
     13727 Multicasts, 5 Broadcasts, 176 Unicasts
     0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 150 seconds):
     Input 300.00 Mbits/sec, 1534517 packets/sec, 30.00% of line-rate
     Output 100.00 Mbits/sec, 4636111 packets/sec, 10.00% of line-rate
Time since last interface status change: 21:00:43

Dynamic Counters

By default, counting is enabled for IPFLOW, IPACL, L2ACL, L2FIB.
○ (OPTIONAL) To clear statistics for all VRRP groups configured, enter the keyword vrrp. Enter a number from 1 to 255 as the vrid.
○ (OPTIONAL) To clear unknown source address (SA) drop counters when you configure the MAC learning limit on the interface, enter the keywords learning-limit.
When you enter this command, confirm that you want Dell EMC Networking OS to clear the interface counters for that interface.
23 Internet Protocol Security (IPSec)

Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel.
● Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
 encrypt session-key
 outbound esp 257 auth encrypt
 match 0 tcp a::1 /128 0 a::2 /128 23
 match 1 tcp a::1 /128 23 a::2 /128 0
 match 2 tcp a::1 /128 0 a::2 /128 21
 match 3 tcp a::1 /128 21 a::2 /128 0
 match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
 match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
 match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
 match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
3. Apply the crypto policy to management traffic.
24 IPv4 Routing IPv4 routing and various IP addressing features are supported. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
Configuration Tasks for IP Addresses
The following describes the tasks associated with IP address configuration. Configuration tasks for IP addresses include:
● Assigning IP Addresses to an Interface (mandatory)
● Configuring Static Routes (optional)
● Configure Static Routes for the Management Interface (optional)
For a complete listing of all commands related to IP addressing, refer to the Dell Networking OS Command Line Reference Guide.
 ip address 10.11.1.1/24
 no shutdown
!
Dell(conf-if)#

Configuring Static Routes
A static route is an IP address that you manually configure and that a routing protocol, such as open shortest path first (OSPF), does not learn. Often, static routes are used as backup routes in case other dynamically learned routes are unreachable. You can enter as many static IP addresses as necessary. To configure a static route, use the following command.
● Configure a static IP address.
The system also installs a next hop that is not on the directly connected subnet but which recursively resolves to a next hop on the interface's configured subnet. For example, if gig 0/0 has an IP address on subnet 2.2.2.0 and 172.31.5.43 recursively resolves to 2.2.2.0, the system installs the static route.
● When the interface goes down, the system withdraws the route.
● When the interface comes up, the system re-installs the route.
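The recursive resolution described above, as an added example that is not code from the Dell guide: a static route is installed when its next hop lies on a directly connected subnet or resolves, through other table entries, to one, and it is withdrawn while that interface is down. The route table, interface names, addresses and the depth bound are assumptions constructed for illustration.

```python
"""Recursive next-hop resolution for static routes (added example, not the Dell OS code)."""
import ipaddress

# Constructed table entries: (prefix, next hop or None when directly connected, interface)
ROUTES = [
    (ipaddress.ip_network("2.2.2.0/24"), None, "gig 0/0"),                           # connected subnet
    (ipaddress.ip_network("172.31.5.0/24"), ipaddress.ip_address("2.2.2.5"), None),  # reachable via 2.2.2.5
]


def resolve_next_hop(next_hop, routes, interfaces_up, max_depth=8):
    """Return the egress interface for next_hop, or None if it cannot be resolved.

    Each iteration does a longest-prefix match on the current hop. A match with
    no next hop is a connected subnet, so its interface is the answer; otherwise
    the matched route's own next hop is looked up again. max_depth bounds the
    recursion so a looping table cannot hang the lookup.
    """
    hop = ipaddress.ip_address(next_hop)
    for _ in range(max_depth):
        best = None
        for prefix, via, ifname in routes:
            if hop in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, via, ifname)
        if best is None:
            return None                     # no route covers this hop
        _, via, ifname = best
        if via is None:
            # Directly connected: installable only while the interface is up.
            return ifname if interfaces_up.get(ifname, False) else None
        hop = via                           # recurse through the intermediate next hop
    return None                             # depth exceeded: treat as unresolvable


def install_static_route(dest, next_hop, routes, interfaces_up):
    """Return the FIB entry (dest, next_hop, interface) or None when not installable."""
    ifname = resolve_next_hop(next_hop, routes, interfaces_up)
    if ifname is None:
        return None
    return (str(ipaddress.ip_network(dest)), str(ipaddress.ip_address(next_hop)), ifname)


if __name__ == "__main__":
    print(install_static_route("10.0.0.0/8", "172.31.5.43", ROUTES, {"gig 0/0": True}))  # resolves via gig 0/0
    print(install_static_route("10.0.0.0/8", "172.31.5.43", ROUTES, {"gig 0/0": False}))  # withdrawn: None
```

The longest-prefix match and the depth bound are what keep the lookup well defined when the table contains overlapping or mutually dependent entries.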
To view the configured static routes for the management port, use the show ip management-route command in EXEC privilege mode.
Dell#show ip management-route
Destination        Gateway                   State       Route Source
-----------        -------                   -----       ------------
10.11.0.0/16       ManagementEthernet 0/0    Connected   Connected
172.16.1.0/24      10.11.198.4               Active      Static

Enabling Directed Broadcast
By default, the system drops directed broadcast packets destined for an interface.
gxr        (perm, OK)  -  IP  192.71.18.2
f00-3      (perm, OK)  -  IP  192.71.23.1
Dell>
To view the current configuration, use the show running-config resolve command.

Specifying the Local System Domain and a List of Domains
If you enter a partial domain, the system can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. The system searches the host table first to resolve the partial domain.
 2  gwegress-sjc-02.force10networks.com (10.11.30.126)  005.000 ms  001.000 ms  001.000 ms
 3  fw-sjc-01.force10networks.com (10.11.127.254)       000.000 ms  000.000 ms  000.000 ms
 4  www.dell.com (10.11.84.18)                          000.000 ms  000.000 ms  000.000 ms
Dell#

ARP
The system uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network.
■ For a port extender (PE) Gigabit Ethernet interface, enter the keyword peGigE then the pe-id/stack-unit/port-id information. The pe-id is a port-extender ID number from 0 to 255; the stack-unit unit-number is from 0 to 7; and the port-id range is from 1 to 48.
■ For a port extender 10-Gigabit Ethernet interface, enter the keyword peTenGigE then the pe-id/stack-unit/port-id information.
To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output. Clearing ARP Cache To clear the ARP cache of dynamically learnt ARP information, use the following command. ● Clear the ARP caches for all interfaces or for a specific interface by entering the following information.
Figure 54. ARP Learning via ARP Request
When you enable ARP learning via gratuitous ARP, the system installs a new ARP entry, or updates an existing entry for all received ARP requests.
Figure 55. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled
Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP. It only updates the ARP entry for the Layer 3 interface with the source IP of the request.
EXEC Privilege mode
show arp retries

ICMP
For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet. These messages are sent only on unicast traffic.

Configuration Tasks for ICMP
The following lists the configuration tasks for ICMP.
Figure 56. ICMP Redirect Host H is connected to the same Ethernet segment as SW1 and SW2. SW1 and SW2 are multi-layer switches which can route packets. The default gateway of Host H is configured as SW1. Although the best route to the remote branch office host may be through SW2, Host H sends a packet destined for Host R to its default gateway — SW1.
25 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses using the dynamic host control protocol (DHCP) servers via stateful auto-configuration. NOTE: The system provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS). By default, RA response messages are sent when an RS message is received. The manipulation of IPv6 stateless autoconfiguration supports the router side only.
IPv6 Header Fields
The 40 bytes of the IPv6 header are ordered, as shown in the following illustration.
Figure 57. IPv6 Header Fields
Version (4 bits): The Version field always contains the number 6, referring to the packet’s IP version.
Traffic Class (8 bits): The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Value   Description
0       Hop-by-Hop option header
4       IPv4
6       TCP
8       Exterior Gateway Protocol (EGP)
41      IPv6
43      Routing header
44      Fragmentation header
50      Encrypted Security
51      Authentication header
59      No Next Header
60      Destinations option header
NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) web page.
Hop-by-Hop Options Header The Hop-by-Hop options header contains information that is examined by every router along the packet’s path. It follows the IPv6 header and is designated by the Next Header value 0 (zero). When a Hop-by-Hop Options header is not included, the router knows that it does not have to process any router specific information and immediately processes the packet to its final destination.
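The header layout and Next Header chain described above, as an added example that is not code from the Dell guide: the parser decodes the 40-byte fixed header (Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, addresses) and then walks the extension headers listed in the table (Hop-by-Hop 0, Routing 43, Fragment 44, Destination options 60) until it reaches an upper-layer protocol. The sample packet is constructed inline; the bound on the number of extension headers and the error handling are assumptions made here so that a malformed chain cannot make the parser read past the packet.

```python
"""Decode an IPv6 fixed header and walk its extension-header chain (added example)."""
import ipaddress
import struct

# Next Header values from the table above.
NEXT_HEADER_NAMES = {
    0: "Hop-by-Hop option header", 4: "IPv4", 6: "TCP",
    8: "Exterior Gateway Protocol (EGP)", 41: "IPv6", 43: "Routing header",
    44: "Fragmentation header", 50: "Encrypted Security",
    51: "Authentication header", 59: "No Next Header", 60: "Destinations option header",
}
VARIABLE_LEN_EXT = {0, 43, 60}   # length field counts 8-byte units, not including the first 8
FRAGMENT = 44                    # fragment header is always 8 bytes
MAX_EXT_HEADERS = 8              # assumed bound: stop walking an unreasonably long chain


def parse_ipv6(packet: bytes) -> dict:
    """Return the fixed header fields, the extension headers seen, and the payload offset."""
    if len(packet) < 40:
        raise ValueError("short packet")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version {version})")
    if payload_len != len(packet) - 40:
        raise ValueError("payload length does not match packet size")
    hdr = {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,   # 8 bits after the version
        "flow_label": first_word & 0xFFFFF,           # low 20 bits
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "ext_headers": [],
    }
    off, nh = 40, next_hdr
    while nh in VARIABLE_LEN_EXT or nh == FRAGMENT:
        if len(hdr["ext_headers"]) >= MAX_EXT_HEADERS:
            raise ValueError("too many extension headers")
        if off + 2 > len(packet):
            raise ValueError("truncated extension header")
        ext_len = 8 if nh == FRAGMENT else (packet[off + 1] + 1) * 8
        if off + ext_len > len(packet):
            raise ValueError("extension header runs past end of packet")
        hdr["ext_headers"].append(NEXT_HEADER_NAMES[nh])
        nh = packet[off]          # each extension header names the one after it
        off += ext_len
    hdr["upper_layer"] = NEXT_HEADER_NAMES.get(nh, f"unknown ({nh})")
    hdr["payload_offset"] = off
    return hdr


def build_sample() -> bytes:
    """Constructed packet: IPv6 header + one Hop-by-Hop header (PadN option) + 4-byte TCP stub."""
    src = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    hbh = bytes([6, 0]) + bytes([1, 4, 0, 0, 0, 0])   # next=TCP, len=0 (8 bytes total), PadN(4)
    tcp_stub = b"\x00\x17\x00\x50"
    payload = hbh + tcp_stub
    first_word = (6 << 28) | (0x20 << 20) | 0x12345    # version 6, traffic class 0x20, flow label
    fixed = struct.pack("!IHBB", first_word, len(payload), 0, 64) + src + dst
    return fixed + payload


if __name__ == "__main__":
    print(parse_ipv6(build_sample()))
```

A router that does not recognise a Next Header value stops at that point, which is why the parser reports the first unknown value as the upper layer instead of guessing further.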
Link-local Addresses Link-local addresses, starting with fe80:, are assigned only in the local link area. The addresses are generated usually automatically by the operating system's IP layer for each network interface. This provides instant automatic network connectivity for any IPv6 host and means that if several hosts connect to a common hub or switch, they have an instant communication path via their link-local IPv6 address. Link-local addresses cannot be routed to the public Internet.
Table 41. Dell Networking OS versions and platforms with IPv6 support (continued)
Feature and Functionality                    Dell Networking OS Release Introduction   Documentation and Chapter Location
IPv6 BGP MD5 Authentication                  8.3.11                                    IPv6 BGP in the Dell Networking OS Command Line Reference Guide.
IS-IS for IPv6                               8.3.11                                    Intermediate System to Intermediate System; IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide.
IS-IS for IPv6 support for redistribution    8.3.
partition. The valid values are 1024, 2048 or 3072 prefixes. You must save the configuration and reload the switch for the change to take effect. ● The number of entries in Partition II is reduced as the number of entries in Partition I increases. ● To disable LPM CAM partitioning and return the number of the IPv6 /65-/128 route prefixes stored in Partition 1 to 0, enter the no cam-ipv6 extended-prefix command.
IPv6 Neighbor Discovery The IPv6 neighbor discovery protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In place of address resolution protocol (ARP), NDP uses “Neighbor Solicitation” and “Neighbor Advertisement” ICMPv6 messages for determining relationships between neighboring nodes. Using these messages, an IPv6 device learns the link-layer addresses for neighbors known to reside on attached links, quickly purging cached values that become invalid.
● link local addresses
● loopback addresses
● prefix addresses
● multicast addresses
● invalid host addresses
If you specify this information in the IPv6 RDNSS configuration, a DNS error is displayed.

Example for Configuring an IPv6 Recursive DNS Server
The following example configures an RDNSS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
Joined Group address(es): ff02::1 ff02::2 ff02::1:ff00:12 ff02::1:ff8b:7570
ND MTU is 0
ICMP redirects are not sent
DAD is enabled, number of DAD attempts: 3
ND reachable time is 20120 milliseconds
ND base reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 198 to 600 seconds
ND router advertisements live for 1800 seconds
ND advertised hop limit is 64
IPv6 hop limit for originated pack
Adjusting Your CAM Profile Although adjusting your CAM profile is not a mandatory step, if you plan to implement IPv6 ACLs, Dell Networking recommends that you adjust your CAM settings. The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. There are 16 FP blocks, but the System Flow requires three blocks that cannot be reallocated. You must enter the ipv6acl allocation as a factor of 2 (2, 4, 6, 8, 10).
Assigning a Static IPv6 Route To configure IPv6 static routes, use the ipv6 route command. NOTE: After you configure a static IPv6 route (the ipv6 route command) and configure the forwarding router’s address (specified in the ipv6 route command) on a neighbor’s interface, the IPv6 neighbor does not display in the show ipv6 route command output. ● Set up IPv6 static routes.
Displaying IPv6 Information
To view a specified IPv6 configuration, use the show ipv6 command.
● List the IPv6 show options.
Joined Group address(es): ff02::1 ff02::1:ff8b:386e
ND MTU is 0
ICMP redirects are not sent
DAD is enabled, number of DAD attempts: 3
ND reachable time is 32000 milliseconds
ND base reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND hop limit is 64

Displaying IPv6 Routes
To view the global IPv6 routing information, use the following command.
● Display IPv6 routing information for the specified route type.
                                          Direct, Lo 2, 00:02:33
IA  999::1/128 [110/2]                    via fe80::201:e8ff:fe8b:3166, Te 0/24, 00:01:30
    fe80::/10 [0/0]                       Direct, Nu 0, 00:34:42
O L
Dell#show ipv6 route static
Destination                                    Dist/Metric, Gateway, Last Change
-----------------------------------------------------
S   8888:9999:5555:6666:1111:2222::/96 [1/0]   via 2222:2222:3333:3333::1, Te 9/1, 00:03:16
S   9999:9999:9999:9999::/64 [1/0]             via 8888:9999:5555:6666:1111:2222:3333:4444, 00:03:16

Displaying the Running Configuration for an Interface
To view the config
INTERFACE
ipv6 nd disable-reachable-timer
● To reenable the ND timer, use the no form of the command:
INTERFACE
no ipv6 nd disable-reachable-timer
The following example shows how to disable the ND timer.
Dell(conf-if-fo-1/1/1)#ipv6 nd disable-reachable-timer

Configuring IPv6 RA Guard
The IPv6 Router Advertisement (RA) guard allows you to block or reject unwanted router advertisement messages that arrive at the network device platform.
The router lifetime range is from 0 to 9,000 seconds.
11. Apply the policy to trusted ports.
    POLICY LIST CONFIGURATION mode
    trusted-port
12. Set the maximum transmission unit (MTU) value.
    POLICY LIST CONFIGURATION mode
    mtu value
13. Set the advertised reachability time.
    POLICY LIST CONFIGURATION mode
    reachable-time value
    The reachability time range is from 0 to 3,600,000 milliseconds.
14. Set the advertised retransmission time.
 device-role router
 hop-limit maximum 1
 match ra ipv6-access-list access
 other-config-flag on
 router-preference maximum medium
 trusted-port
Interfaces : Te 1/1
Dell#

Monitoring IPv6 RA Guard
To debug IPv6 RA guard, use the following command.
EXEC Privilege mode
debug ipv6 nd ra-guard [interface slot/port | count value]
The count range is from 1 to 65534. The default is infinity.
For a complete listing of all commands related to IPv6 RA Guard, see the Dell Networking OS Command Line Reference Guide.
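The policy checks shown in the output above (device-role, hop-limit maximum, router-preference maximum, other-config-flag, trusted-port) and the router lifetime range from the configuration steps, as an added example that is not code from the Dell guide. It decodes the fixed part of an ICMPv6 Router Advertisement (RFC 4861 layout, RFC 4191 preference bits) and returns a permit or drop decision for the port the RA arrived on. The policy dictionary, the way each field is interpreted (a trusted port bypasses inspection, a host-role port accepts no RA, a lifetime above the configured maximum is rejected), the port names and the sample packets are assumptions made here for illustration.

```python
"""Evaluate an RA guard policy against Router Advertisements (added example, not the Dell OS code)."""
import struct

RA_TYPE = 134                                                               # ICMPv6 Router Advertisement
PREF_NAME = {0b00: "medium", 0b01: "high", 0b11: "low", 0b10: "medium"}    # 0b10 is reserved, read as medium
PREF_RANK = {"low": 0, "medium": 1, "high": 2}


def parse_ra(icmp: bytes) -> dict:
    """Decode type/code, current hop limit, flags and timers from the fixed 16-byte RA header."""
    if len(icmp) < 16:
        raise ValueError("truncated RA")
    typ, code, _csum, cur_hop, flags, lifetime, reach, retrans = struct.unpack("!BBHBBHII", icmp[:16])
    if typ != RA_TYPE or code != 0:
        raise ValueError("not a router advertisement")
    return {
        "cur_hop_limit": cur_hop,
        "managed": bool(flags & 0x80),                       # M flag
        "other_config": bool(flags & 0x40),                  # O flag
        "router_preference": PREF_NAME[(flags >> 3) & 0b11], # Prf bits
        "router_lifetime": lifetime,
        "reachable_time": reach,
        "retrans_timer": retrans,
    }


def ra_guard_decision(port: str, icmp: bytes, policy: dict) -> tuple:
    """Return ("permit" | "drop", reason) for an RA that arrived on `port` (modelled semantics)."""
    if port in policy.get("trusted_ports", set()):
        return "permit", "trusted-port"
    if policy.get("device_role", "router") == "host":
        return "drop", "device-role host: router advertisements are not accepted"
    ra = parse_ra(icmp)
    if ra["cur_hop_limit"] > policy["hop_limit_max"]:
        return "drop", f"advertised hop limit {ra['cur_hop_limit']} exceeds maximum {policy['hop_limit_max']}"
    if PREF_RANK[ra["router_preference"]] > PREF_RANK[policy["router_pref_max"]]:
        return "drop", f"router preference {ra['router_preference']} exceeds maximum {policy['router_pref_max']}"
    if not 0 <= ra["router_lifetime"] <= policy["router_lifetime_max"]:
        return "drop", f"router lifetime {ra['router_lifetime']} outside 0..{policy['router_lifetime_max']}"
    if "other_config_flag" in policy and ra["other_config"] != (policy["other_config_flag"] == "on"):
        return "drop", "other-config flag does not match policy"
    return "permit", "all policy checks passed"


def build_ra(cur_hop_limit: int, flags: int, router_lifetime: int) -> bytes:
    """Constructed RA with a zero checksum and no options, enough for the checks above."""
    return struct.pack("!BBHBBHII", RA_TYPE, 0, 0, cur_hop_limit, flags, router_lifetime, 30000, 1000)


# Constructed policy mirroring the fields in the show output above; the hop-limit maximum is
# set to 64 here so that an ordinary advertisement passes (the page's example uses 1).
POLICY = {
    "device_role": "router",
    "hop_limit_max": 64,
    "router_pref_max": "medium",
    "router_lifetime_max": 9000,
    "other_config_flag": "on",
    "trusted_ports": {"Te 1/1"},
}

if __name__ == "__main__":
    print(ra_guard_decision("Te 1/2", build_ra(64, 0x40, 1800), POLICY))   # permit
    print(ra_guard_decision("Te 1/2", build_ra(64, 0x48, 1800), POLICY))   # drop: preference high
```

Flag byte values used above: 0x40 sets only the O flag (preference medium), 0x48 adds Prf=01 (high), 0x58 adds Prf=11 (low).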
26 Intermediate System to Intermediate System
The intermediate system to intermediate system (IS-IS) protocol is a routing protocol that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter.
The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.0001) are the area address. The system portion is 000c.000a.4321 and the last byte is always 0. Figure 60. ISO Address Format Multi-Topology IS-IS Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases.
Interface Support MT IS-IS is supported on physical Ethernet interfaces, physical synchronous optical network technologies (SONET) interfaces, port-channel interfaces (static and dynamic using LACP), and virtual local area network (VLAN) interfaces. Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions.
Multi-topology IS-IS adds TLVs:
● MT TLV — contains one or more Multi-Topology IDs in which the router participates. This TLV is included in IIH and the first fragment of an LSP.
● MT Intermediate Systems TLV — appears for every topology a node supports. An MT ID is added to the extended IS reachability TLV type 22.
● MT Reachable IPv4 Prefixes TLV — appears for each IPv4 prefix an IS announces for a given MT ID. Its structure is aligned with the extended IS Reachability TLV Type 236 and it adds an MT ID.
● Configuring the IS-IS Metric Style
● Configuring IS-IS Cost
● Changing the IS-Type
● Controlling Routing Updates
● Configuring Authentication Passwords
● Setting the Overload Bit
● Debugging IS-IS

Enabling IS-IS
By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address. To exchange protocol information with neighbors, enable IS-IS on an interface, instead of on a network as with other routing protocols.
● mask: The prefix length is from 0 to 128. The IPv6 address must be on the same subnet as other IS-IS neighbors, but the IP address does not need to relate to the NET address. 6. Enable IS-IS on the IPv4 interface. ROUTER ISIS mode ip router isis [tag] If you configure a tag variable, it must be the same as the tag variable assigned in step 1. 7. Enable IS-IS on the IPv6 interface.
● A Level 2 router becomes a neighbor with another Level 2 router regardless of the area address configured. However, if the area addresses are different, the link between the Level 2 routers is only at Level 2. Configuring Multi-Topology IS-IS (MT IS-IS) To configure multi-topology IS-IS (MT IS-IS), use the following commands. 1. Enable multi-topology IS-IS for IPv6.
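The ISO address format from the earlier illustration (area address, 6-byte system ID, NSEL byte that is always 0) and the adjacency rule in the bullet above (Level 1 needs a common area address, Level 2 does not), as an added example that is not code from the Dell guide. parse_net validates a NET and splits it into its parts; adjacency_levels reports at which levels two routers can become neighbors. The dotted-hex formatting helper and the IS-type strings are assumptions made here; the NETs in the tests are the ones shown in this chapter.

```python
"""Parse an IS-IS NET and derive adjacency levels (added example, not the Dell OS code)."""
import re

NET_RE = re.compile(r"^[0-9a-fA-F]+(\.[0-9a-fA-F]+)*$")
LEVEL1_TYPES = {"level-1", "level-1-2"}
LEVEL2_TYPES = {"level-2-only", "level-1-2"}


def _dotted(raw: bytes, first: int = 0) -> str:
    """Hex-format bytes with dots: an optional leading group of `first` bytes, then 2-byte groups."""
    parts = []
    if first:
        parts.append(raw[:first].hex())
        raw = raw[first:]
    parts += [raw[i:i + 2].hex() for i in range(0, len(raw), 2)]
    return ".".join(parts)


def parse_net(net: str) -> dict:
    """Return {'area', 'system_id', 'nsel'} for a NET; raise ValueError when it is malformed."""
    if not NET_RE.match(net):
        raise ValueError("NET may contain only hex digits separated by dots")
    hexstr = net.replace(".", "")
    if len(hexstr) % 2:
        raise ValueError("NET must be a whole number of bytes")
    raw = bytes.fromhex(hexstr)
    # System ID (6 bytes) and NSEL (1 byte) are fixed; the area is everything before them.
    if not 8 <= len(raw) <= 20:
        raise ValueError("NET must be 8 to 20 bytes long")
    area, system_id, nsel = raw[:-7], raw[-7:-1], raw[-1]
    if nsel != 0:
        raise ValueError("the last byte (NSEL) of a NET must be 00")
    return {
        "area": _dotted(area, first=1),     # AFI byte first, e.g. 47.0005.0001
        "system_id": _dotted(system_id),    # e.g. 000c.000a.4321
        "nsel": f"{nsel:02x}",
    }


def adjacency_levels(net_a: str, net_b: str, is_type_a: str = "level-1-2", is_type_b: str = "level-1-2") -> set:
    """Levels at which two routers can form an adjacency.

    Level 1 requires both routers to run Level 1 and to share an area address;
    Level 2 requires both to run Level 2, regardless of area.
    """
    same_area = parse_net(net_a)["area"] == parse_net(net_b)["area"]
    levels = set()
    if is_type_a in LEVEL1_TYPES and is_type_b in LEVEL1_TYPES and same_area:
        levels.add(1)
    if is_type_a in LEVEL2_TYPES and is_type_b in LEVEL2_TYPES:
        levels.add(2)
    return levels


if __name__ == "__main__":
    print(parse_net("47.0005.0001.000c.000a.4321.00"))
    print(adjacency_levels("47.0005.0001.000c.000a.4321.00", "51.0005.0001.000c.000a.4321.00"))  # {2}
```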
graceful-restart t1 {interval seconds | retry-times value} ○ interval: wait time (the range is from 5 to 120. The default is 5.) ○ retry-times: number of times an unacknowledged restart request is sent before the restarting router gives up the graceful restart engagement with the neighbor. (The range is from 1 to 10 attempts. The default is 1.) ● Configure the time for the graceful restart timer T2 that a restarting router uses as the wait time for each database to synchronize.
To view all interfaces configured with IS-IS routing along with the defaults, use the show isis interface command in EXEC Privilege mode.
Dell#show isis interface G1/34
GigabitEthernet 2/10 is up, line protocol is up
  MTU 1497, Encapsulation SAP
  Routing Protocol: IS-IS
    Circuit Type: Level-1-2
    Interface Index 0x62cc03a, Local circuit ID 1
    Level-1 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.
To view the configuration, use the show config command in ROUTER ISIS mode or the show running-config isis command in EXEC Privilege mode.
Dell#show running-config isis
!
router isis
 lsp-refresh-interval 902
 net 47.0005.0001.000C.000A.4321.00
 net 51.0005.0001.000C.000A.4321.00
Dell#

Configuring the IS-IS Metric Style
All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported.
    Vlan 2
    GigabitEthernet 4/22
    Loopback 0
  Redistributing:
  Distance: 115
  Generate narrow metrics: level-1-2
  Accept narrow metrics: level-1-2
  Generate wide metrics: none
  Accept wide metrics: none
Dell#

Configuring the IS-IS Cost
When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands.
Changing the IS-Type
You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands.
● Configure the IS-IS operating level for a router.
ROUTER ISIS mode
is-type {level-1 | level-1-2 | level-2-only}
The default is level-1-2.
● Change the IS-type for the IS-IS process.
Configure the prefix list in PREFIX LIST mode prior to assigning it to the IS-IS process. For configuration information on prefix lists, refer to Access Control Lists (ACLs). Applying IPv4 Routes To apply prefix lists to incoming or outgoing IPv4 routes, use the following commands. NOTE: These commands apply to IPv4 IS-IS only. To apply prefix lists to IPv6 routes, use ADDRESS-FAMILY IPV6 mode, shown later. ● Apply a configured prefix list to all incoming IPv4 IS-IS routes.
● Apply a configured prefix list to all outgoing IPv6 IS-IS routes. ROUTER ISIS-AF IPV6 mode distribute-list prefix-list-name out [bgp as-number | connected | ospf process-id | rip | static] You can configure one of the optional parameters: ○ connected: for directly connected routes. ○ ospf process-id: for OSPF routes only. ○ rip: for RIP routes only. ○ static: for user-configured routes. ○ bgp: for BGP routes only. ● Deny RTM download for pre-existing redistributed IPv6 routes.
Redistributing IPv6 Routes To add routes from other routing instances or protocols, use the following commands. NOTE: These commands apply to IPv6 IS-IS only. To apply prefix lists to IPv4 routes, use the ROUTER ISIS mode previously shown. ● Include BGP, directly connected, RIP, or user-configured (static) routes in IS-IS.
To view the passwords, use the show config command in ROUTER ISIS mode or the show running-config isis command in EXEC Privilege mode. To remove a password, use either the no area-password or no domain-password commands in ROUTER ISIS mode. Setting the Overload Bit Another use for the overload bit is to prevent other routers from using this router as an intermediate hop in their shortest path first (SPF) calculations.
○ interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only. ● View IS-IS SNP packets, include CSNPs and PSNPs. EXEC Privilege mode debug isis snp-packets [interface] To view specific information, enter the following optional parameter: ○ interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only. ● View the events that triggered IS-IS shortest path first (SPF) events for debugging purposes.
Maximum Values in the Routing Table IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000. Change the IS-IS Metric Style in One Level Only By default, the IS-IS metric style is narrow. When you change from one IS-IS metric style to another, the IS-IS metric value (configured with the isis metric command) could be affected.
Table 44. Metric Value When the Metric Style Changes (continued)
Beginning Metric Style   Final Metric Style   Resulting IS-IS Metric Value
wide transition          narrow transition    default value (10) if the original value is greater than 63. A message is sent to the console.
wide transition          transition           truncated value (the truncated value appears in the LSP only).
Table 46.
Figure 61. IPv6 IS-IS Sample Topography
The following is a sample configuration for enabling IPv6 IS-IS.

IS-IS Sample Configuration — Congruent Topology
Dell(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ip address 24.3.1.1/24
 ipv6 address 24:3::1/76
 ip router isis
 ipv6 router isis
 no shutdown
Dell(conf-if-te-3/17)#
Dell(conf-router_isis)#show config
!
router isis
 metric-style wide level-1
 metric-style wide level-2
 net 34.0000.0000.AAAA.
IS-IS Sample Configuration — Multi-topology Transition
Dell(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
Dell(conf-if-te-3/17)#
Dell(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
27 iSCSI Optimization This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables qualityof-service (QoS) treatment for iSCSI traffic.
● iSCSI DCBx TLVs are supported. NOTE: After a switch is reloaded, powercycled, or upgraded, any information exchanged during the initial handshake is not available. If the switch establishes communication after reloading, it detects that a session was in progress but could not obtain complete information for it. Any incomplete information is not available in the show commands.
Default iSCSI Optimization Values The following table lists the default values for the iSCSI optimization feature. Table 47. iSCSI Optimization Defaults Parameter Default Value iSCSI Optimization global setting Disabled. iSCSI CoS mode (802.1p priority queue mapping) dot1p priority 4 without the remark setting when you enable iSCSI. If you do not enable iSCSI, this feature is disabled.
4. Save the configuration on the switch. EXEC Privilege mode write memory 5. Reload the switch. EXEC Privilege mode reload After the switch is reloaded, DCB/ DCBx and iSCSI monitoring are enabled. 6. (Optional) Configure the iSCSI target ports and optionally the IP addresses on which iSCSI communication is monitored. CONFIGURATION mode [no] iscsi target port tcp-port-1 [tcp-port-2...
LLDP CONFIGURATION mode
[no] iscsi priority-bits
The default is 4 (0x10 in the bitmap).
11. (Optional) Configure the auto-detection of Compellent arrays on a port.
INTERFACE mode
[no] iscsi profile-compellent
The default is: Compellent disk arrays are not detected.
NOTE: The [no] iscsi profile-compellent command is not supported on cascade interfaces or extended ports.

Displaying iSCSI Optimization Information
To display information on iSCSI optimization, use the following show commands.
        iqn.1991-05.com.microsoft:win-x9l8v27yajg
        ISID: 400001370000
VLT PEER2
Session 0:
----------------------------------------------------------------------------
Target: iqn.2001-05.com.equallogic:0-8a0906-0f60c2002-0360018428d48c94-iom011
        iqn.1991-05.com.microsoft:win-x9l8v27yajg
        ISID: 400001370000
The following example shows the show iscsi session detailed command.
VLT PEER1
Dell# show iscsi session detailed
Session 0:
-------------------------------------------------------
Target:iqn.2010-11.com.
NOTE: By default, CAM allocation for iSCSI is set to 0. This disables session monitoring. Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer The following behavior occurs during synchronization of iSCSI sessions. ● If the iSCSI login request packet is received on a port belonging to a VLT lag, the information is synced to the VLT peer and the connection is associated with this interface.
After a switch is reloaded, any information exchanged during the initial handshake is not available. If the switch picks up the communication after reloading, it would detect a session was in progress but could not obtain complete information for it. Any incomplete information of this type would not be available in the show commands.
Application of Quality of Service to iSCSI Traffic Flows You can configure iSCSI CoS mode. This mode controls whether CoS (dot1p priority) queue assignment and/or packet marking is performed on iSCSI traffic. When you enable iSCSI CoS mode, the CoS policy is applied to iSCSI traffic. When you disable iSCSI CoS mode, iSCSI sessions and connections are still detected and displayed in the status tables, but no CoS policy is applied to iSCSI traffic.
28 Link Aggregation Control Protocol (LACP)
A link aggregation group (LAG), referred to as a port channel by the Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic.
Topics:
• Introduction to Dynamic LAGs and LACP
• LACP Configuration Tasks
• Shared LAG State Tracking
• LACP Basic Configuration Example

Introduction to Dynamic LAGs and LACP
The Dell Networking OS uses LACP to create dynamic LAGs.
LACP Modes Three LACP configuration modes are supported — Off, Active, and Passive. ● Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state. ● Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state. A port in Active state also automatically initiates negotiations with other ports by initiating LACP packets.
Creating a LAG To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces. ● Create a dynamic port channel (LAG). CONFIGURATION mode interface port-channel ● Create a dynamic port channel (LAG). CONFIGURATION mode switchport The following example shows configuring a LAG interface. Dell(conf)#interface port-channel 32 Dell(conf-if-po-32)#no shutdown Dell(conf-if-po-32)#switchport The LAG is in the default VLAN.
might prevent the LAG from flapping if the remote system is up but temporarily unable to transmit PDUs due to a system interruption. NOTE: The 30-second timeout is available for dynamic LAG interfaces only. You can enter the lacp long-timeout command for static LAGs, but it has no effect. To configure LACP long timeout, use the following command. ● Set the LACP timeout value to 30 seconds.
Figure 63. Shared LAG State Tracking
To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). The system has the ability to bring LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group.

Configuring Shared LAG State Tracking
To configure shared LAG state tracking, you configure a failover group.
Figure 64. Configuring Shared LAG State Tracking
The following are shared LAG state tracking console messages:
● 2d1h45m: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 1
● 2d1h45m: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2
To view the status of a failover group member, use the show interface port-channel command.
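The console message format shown above, as an added example that is not code from the Dell guide: a parser for the timestamp, unit, facility-severity-mnemonic and text fields, followed by a summary that reports port channels that went down in the same message burst (the signature of a failover group being taken down), interfaces that went standby, and L2BKUP_WARN lines. The sample lines are the two shared LAG state tracking messages above plus the redundant-pair messages that appear later in the Layer 2 chapter; the summary structure and the way events are grouped by timestamp are assumptions made here.

```python
"""Parse Dell Networking OS console messages and flag LAG failover events (added example)."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>.+?): %(?P<unit>\S+) %(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
STATE_RE = re.compile(r"Changed interface state to (?P<state>\w+): (?P<iface>.+)$")
L2BKUP_RE = re.compile(r"on (?P<a>.+?) and (?P<b>.+)$")

# Sample lines taken from this guide (shared LAG state tracking and redundant-pair messages).
SAMPLE_LOG = [
    "2d1h45m: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 1",
    "2d1h45m: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2",
    "Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-STATE_ACT_STBY: Changed interface state to standby: Po 2",
    "Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Te 0/2",
]


def parse_line(line: str):
    """Split one console line into its fields; return None for a line in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec


def summarize(lines):
    """Group parsed messages into the events an operator would look for after a LAG failure."""
    down_by_ts = {}   # timestamp -> interfaces reported down in that burst
    standby, warnings, unparsed = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        if rec["mnemonic"] in ("OSTATE_DN", "STATE_ACT_STBY"):
            sm = STATE_RE.search(rec["text"])
            if sm and sm["state"] == "down":
                down_by_ts.setdefault(rec["ts"], []).append(sm["iface"])
            elif sm and sm["state"] == "standby":
                standby.append(sm["iface"])
        elif rec["mnemonic"] == "L2BKUP_WARN":
            wm = L2BKUP_RE.search(rec["text"])
            if wm:
                warnings.append((wm["a"], wm["b"]))
    # More than one port channel down at a single timestamp is what shared LAG state
    # tracking produces when it takes a whole failover group down.
    failover_groups = [(ts, ifs) for ts, ifs in down_by_ts.items() if len(ifs) > 1]
    return {
        "down": [i for ifs in down_by_ts.values() for i in ifs],
        "failover_groups": failover_groups,
        "standby": standby,
        "l2_backup_warnings": warnings,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Lines that do not match the format are kept in `unparsed` rather than dropped, so a monitoring job can tell the difference between a quiet period and a format change.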
LACP Basic Configuration Example The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names. Figure 65. LACP Basic Configuration Example Configure a LAG on ALPHA The following example creates a LAG on ALPHA.
Example of Configuring a LAG
Alpha(conf)#interface port-channel 10
Alpha(conf-if-po-10)#no ip address
Alpha(conf-if-po-10)#switchport
Alpha(conf-if-po-10)#no shutdown
Alpha(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Alpha(conf-if-po-10)#

Example of Viewing a LAG Port Configuration
The following example inspects a LAG port configuration on ALPHA.
Figure 66.
Figure 67.
Figure 68.
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int tengig 3/21
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-te-3/21)#port-channel-protocol lacp
Bravo(conf-if-te-3/21-lacp)#port-channel 10 mode active
Bravo(conf-if-te-3/21-lacp)#no shut
Bravo(conf-if-te-3/21)#end
!
interface TengigabitEthernet 3/21
 no ip address
!
 port-ch
Figure 69. Inspecting a LAG Port on BRAVO Using the show interface Command The following figure illustrates inspecting LAG 10 Using the show interfaces port-channel Command.
Figure 70. Inspecting LAG 10 Using the show interfaces port-channel Command The following figure illustrates inspecting the LAG Status Using the show lacp command.
Figure 71. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
29 Layer 2
This chapter describes the Layer 2 features supported on the switch.
Topics:
• Manage the MAC Address Table
• MAC Learning Limit
• NIC Teaming
• Configure Redundant Pairs
• Far-End Failure Detection

Manage the MAC Address Table
You can perform the following management tasks in the MAC address table.
Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. ● Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command. ● Display the contents of the MAC address table.
INTERFACE mode mac learning-limit address_limit Three options are available with the mac learning-limit command: ○ dynamic ○ no-station-move ○ station-move NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations. mac learning-limit Dynamic The MAC address table is stored on the Layer 2 forwarding information base (FIB) region of the CAM.
To display a list of all interfaces with a MAC learning limit, use the following command. Display a list of all interfaces with a MAC learning limit. EXEC Privilege mode show mac learning-limit Learning Limit Violation Actions Learning limit violation actions are user-configurable. To configure the system to take an action when the MAC learning limit is reached on an interface and a new address is received using one the following options with the mac learning-limit command, use the following commands.
● Reset interfaces in the ERR_Disabled state caused by a learning limit violation.
EXEC Privilege mode
mac learning-limit reset learn-limit-violation [interface | all]
● Reset interfaces in the ERR_Disabled state caused by a station move violation.
EXEC Privilege mode
mac learning-limit reset station-move-violation [interface | all]
Disabling MAC Address Learning on the System
You can configure the system to not learn MAC addresses from LACP and LLDP BPDUs.
Figure 72. Redundant NICs with NIC Teaming
When you use NIC teaming, consider that the server MAC address is originally learned on Port 0/1 of the switch (shown in the following) and Port 0/5 is the failover port. When the NIC fails, the system automatically sends an ARP request for the gateway or host NIC to resolve the ARP and refresh the egress interface.
NOTE: For more information about STP, refer to Spanning Tree Protocol (STP).
Assign a backup interface to an interface using the switchport backup command. The backup interface remains in a Down state until the primary fails, at which point it transitions to the Up state. If the primary interface fails, and later comes up, it becomes the backup interface for the redundant pair. The system supports 10 Gigabit and 40-Gigabit interfaces as backup interfaces.
Important Points about Configuring Redundant Pairs
● You may not configure any interface to be a backup for more than one interface, no interface can have more than one backup, and a backup interface may not have a backup interface.
● The active or backup interface may not be a member of a LAG.
● The active and standby do not have to be of the same type (1G, 10G, and so on).
● You may not enable any Layer 2 protocol on any interface of a redundant pair or to ports connected to them.
Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-STATE_ACT_STBY: Changed interface state to standby: Po 2
Dell(conf-if-po-1)#
Dell#
Dell#show interfaces switchport backup
Interface        Status   Paired Interface   Status
Port-channel 1   Active   Port-channel 2     Standby
Port-channel 2   Standby  Port-channel 1     Active
Dell#
Dell(conf-if-po-1)#switchport backup interface tengigabitethernet 0/2
Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Te 0/2
Dell(conf-if-po-1)#
Far-End Failure Detection
FEFD State Changes
FEFD has two operational modes: Normal and Aggressive. When a far-end failure is detected on an FEFD-enabled interface:
● If the interface is in normal FEFD mode, no user intervention is required to reset the interface; it automatically resets to an FEFD operational state.
● If the interface is in aggressive FEFD mode, manual intervention is required to reset the interface.
fefd-global
To report interval frequency and mode adjustments, use the following commands.
1. Configure two or more connected interfaces for Layer 2 or Layer 3 traffic.
INTERFACE mode
switchport
ip address ip address
2. Activate the ports.
INTERFACE mode
no shutdown
3. Enable FEFD globally on the switch.
CONFIGURATION mode
fefd-global {interval | mode}
To display information about the state of each interface, use the show fefd command in EXEC privilege mode.
3. INTERFACE mode
fefd {disable | interval | mode}
Dell(conf-if-te-1/0)#show config
!
interface TengigabitEthernet 1/0
 no ip address
 switchport
 fefd mode normal
 no shutdown
Dell(conf-if-te-1/0)#do show fefd | grep 1/0
Te 1/0 Normal 3 Unknown
Debugging FEFD
To debug FEFD, use the first command. To provide output for each packet transmission over the FEFD enabled connection, use the second command.
● Display output whenever events occur that initiate or disrupt an FEFD enabled connection.
30 Link Layer Discovery Protocol (LLDP)
This chapter describes how to configure and use the link layer discovery protocol (LLDP).
Topics:
• 802.
Figure 76. Type, Length, Value (TLV) Segment
TLVs are encapsulated in a frame called an LLDP data unit (LLDPDU) (shown in the following table), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements. There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs.
Optional TLVs
The Dell Networking OS supports these optional TLVs: management TLVs, IEEE 802.1 and 802.3 organizationally specific TLVs, and TIA-1057 organizationally specific TLVs.
Management TLVs
A management TLV is an optional TLV sub-type. This kind of TLV contains essential management information about the sender.
Organizationally Specific TLVs
A professional organization or a vendor can define organizationally specific TLVs.
Table 50. Optional TLV Types (continued)
Type | TLV | Description
(continued from previous row) belongs (and the untagged VLAN to which a port belongs if the port is in Hybrid mode).
127 | Protocol Identity | Indicates the protocols that the port can process. The Dell Networking OS does not currently support this TLV.
127 | MAC/PHY Configuration/Status | Indicates the capability and current setting of the duplex status and bit rate, and whether the current settings are the result of auto-negotiation.
● transmitting an LLDP-MED capability TLV to endpoint devices
● storing the information that endpoint devices advertise
The following table describes the five types of TIA-1057 Organizationally Specific TLVs.
Table 51.
LLDP-MED Capabilities TLV
The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
● The value of the LLDP-MED capabilities field in the TLV is a 2–octet bitmap, each bit represents an LLDP-MED capability (as shown in the following table).
● The possible values of the LLDP-MED device type are shown in the following.
NOTE: As shown in the following table, signaling is a series of control packets that are exchanged between an endpoint device and a network connectivity device to establish and maintain a connection. These signal packets might require a different network policy than the media packets for which a connection is made. In this case, configure the signaling application.
Table 54.
● Power Value — Dell Networking advertises the maximum amount of power that can be supplied on the port. By default the power is 15.4W, which corresponds to a power value of 130, based on the TIA-1057 specification. You can advertise a different power value using the max-milliwatts option with the power inline command. Dell Networking also honors the power value (power requirement) the powered device sends when the PE is configured with power inline mode class.
Figure 81.
Example of the protocol lldp Command (CONFIGURATION Level)
R1(conf)#protocol lldp
R1(conf-lldp)#?
advertise    Advertise TLVs
disable      Disable LLDP protocol globally
end          Exit from configuration mode
exit         Exit from LLDP configuration mode
hello        LLDP hello configuration
mode         LLDP mode configuration (default = rx and tx)
multiplier   LLDP multiplier configuration
no           Negate a command or set its defaults
show         Show LLDP configuration
R1(conf-lldp)#exit
R1(conf)#interface tengigabitethernet 1/31
R1(conf-if-te-1/31)#prot
Enabling LLDP on Management Ports
LLDP on management ports is enabled by default. To enable LLDP on management ports, use the following command.
1. Enter Protocol LLDP mode.
CONFIGURATION mode
protocol lldp
2. Enable LLDP.
PROTOCOL LLDP mode
no disable
Disabling and Undoing LLDP on Management Ports
To disable or undo LLDP on management ports, use the following command.
1. Enter Protocol LLDP mode.
CONFIGURATION mode
protocol lldp
2. Enter LLDP management-interface mode.
LLDP-MANAGEMENT-INTERFACE mode
○ streaming-video
○ video-conferencing
○ video-signaling
○ voice
○ voice-signaling
In the following example, LLDP is enabled globally. R1 and R2 are transmitting periodic LLDPDUs that contain management, 802.1, and 802.3 TLVs.
Figure 82. Configuring LLDP
Storing and Viewing Unrecognized LLDP TLVs
Dell EMC Networking OS provides support to store unrecognized (reserved and organizational specific) LLDP TLVs. Also, support is extended to retrieve the stored unrecognized TLVs using SNMP.
The system increments the TLV discard counter and does not store unrecognized LLDP TLV information in the following scenarios:
● If multiple TLVs with the same information are received
● If DCBX is down on the receiving interface
The organizational specific TLV list is limited to 256 entries per neighbor. If more than 256 TLV entries are received, the oldest entry (of that neighbor) in the list is replaced.
Viewing Information Advertised by Adjacent LLDP Neighbors
To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands.
● Display brief information about adjacent devices.
show lldp neighbors
● Display all of the information that neighbors are advertising.
● Configure a non-default transmit interval.
mode rx
● Return to the default setting.
multiplier 5
no disable
R1(conf-lldp)#no multiplier
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#
Debugging LLDP
You can view the TLVs that your system is sending and receiving. To view the TLVs, use the following commands.
● View a readable version of the TLVs.
Dec 4 22:38:27 : 88 cc 02 07 02 01 2c fe 00 00 00 00 04 00 a0 05 aa bb 00 00 00 c9 cc 00 00 00 01 04 61 fa c6 0f ba 04 02 05 54 06 01 40 00 00 00 27
Dec 4 22:38:28 : TLV: Chassis ID, Len: 7, Subtype: Mac address (4) Value: 00:a0:c9:00:00:01
Dec 4 22:38:29 : TLV: Port ID, Len: 2, Subtype: Interface name (5) Value: T
Dec 4 22:38:29 : TLV: TTL, Len: 2, Value: 300
Dec 4 22:38:29 : TLV: UNKNOWN TLV, ORG_SP
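The TLV layout from Figure 76, the Chassis ID / Port ID / TTL decode in the debug output above, and the rules for unrecognized TLVs (duplicates increment a discard counter and are not stored; at most 256 entries per neighbor, with the oldest replaced) can be followed in code. The parser below is an added example and is not Dell EMC Networking OS code: the frame it parses and the OUI aa:bb:cc are constructed here, every type-127 TLV is treated as unrecognized (a simplification; the guide says the OS does recognize the 802.1, 802.3 and TIA-1057 organizationally specific TLVs), and the DCBX-down condition is not modeled. A TLV whose length runs past the end of the frame is rejected instead of being read as if it were valid.

```python
"""LLDPDU TLV parser with per-neighbor unrecognized-TLV bookkeeping.

Added example, not Dell EMC Networking OS code. The sample frame and the
OUI aa:bb:cc are constructed for the demonstration.
"""
import struct
from collections import deque

LLDP_ETHERTYPE = 0x88CC
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_ORG_SPECIFIC = 127
# Basic TLV types 0-8 are decoded; reserved types 9-126 and (simplification)
# all type-127 organizationally specific TLVs count as "unrecognized".
KNOWN_TYPES = set(range(0, 9))
MAX_UNRECOGNIZED_PER_NEIGHBOR = 256   # per-neighbor limit stated in the guide


def parse_tlvs(payload: bytes):
    """Split an LLDPDU into (type, value) pairs.

    The 16-bit header holds a 7-bit type and a 9-bit length. A length that
    runs past the end of the frame is malformed; so is a missing End TLV.
    """
    tlvs, off = [], 0
    while off + 2 <= len(payload):
        hdr = struct.unpack_from("!H", payload, off)[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(payload):
            raise ValueError(f"TLV type {tlv_type}: length {length} exceeds frame")
        tlvs.append((tlv_type, payload[off:off + length]))
        off += length
        if tlv_type == TLV_END:
            return tlvs
    raise ValueError("LLDPDU has no End of LLDPDU TLV")


def decode_mandatory(tlvs):
    """Decode the three mandatory leading TLVs (IEEE 802.1AB fixes their order)."""
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("LLDPDU does not start with Chassis ID, Port ID, TTL")
    chassis, port, ttl = (v for _, v in tlvs[:3])
    if not chassis or not port or len(ttl) != 2:
        raise ValueError("mandatory TLV has an invalid length")
    if chassis[0] == 4 and len(chassis) == 7:           # subtype 4: MAC address
        chassis_id = ":".join(f"{b:02x}" for b in chassis[1:])
    else:
        chassis_id = chassis[1:].hex()
    if port[0] == 5:                                    # subtype 5: interface name
        port_id = port[1:].decode("ascii", "replace")
    else:
        port_id = port[1:].hex()
    return {"chassis_id": chassis_id, "port_id": port_id,
            "ttl": struct.unpack("!H", ttl)[0]}


class NeighborTlvStore:
    """Unrecognized TLVs per neighbor: a duplicate bumps the discard counter
    instead of being stored; past 256 entries the oldest one is replaced."""

    def __init__(self):
        self.stored = {}          # neighbor key -> deque of (type, value)
        self.discard_counter = 0

    def learn(self, neighbor_key, tlvs):
        dq = self.stored.setdefault(
            neighbor_key, deque(maxlen=MAX_UNRECOGNIZED_PER_NEIGHBOR))
        for tlv_type, value in tlvs:
            if tlv_type in KNOWN_TYPES:
                continue
            entry = (tlv_type, bytes(value))
            if entry in dq:       # same information received again
                self.discard_counter += 1
                continue
            dq.append(entry)      # deque(maxlen) drops the oldest entry when full
        return len(dq)


def process_frame(frame: bytes, store: NeighborTlvStore):
    """Decode one Ethernet frame carrying LLDP and update the store."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    tlvs = parse_tlvs(frame[14:])
    neighbor = decode_mandatory(tlvs)
    neighbor["org_specific"] = [(v[:3].hex(), v[3]) for t, v in tlvs
                                if t == TLV_ORG_SPECIFIC and len(v) >= 4]
    key = (neighbor["chassis_id"], neighbor["port_id"])
    neighbor["unrecognized_stored"] = store.learn(key, tlvs)
    return neighbor


# Constructed sample frame (not a device capture): LLDP multicast destination,
# made-up source MAC, EtherType 0x88cc, then the TLVs noted on each line.
SAMPLE_FRAME = bytes.fromhex(
    "0180c200000e" "00a0c9000001" "88cc"
    "0207" "04" "00a0c9000001"   # Chassis ID, len 7, subtype 4 (MAC)
    "0402" "05" "54"             # Port ID, len 2, subtype 5 (interface name) "T"
    "0602" "012c"                # TTL, len 2, value 300
    "fe06" "0080c2" "01" "0064"  # Org-specific, IEEE 802.1 OUI, Port VLAN ID 100
    "fe05" "aabbcc" "00" "2a"    # Org-specific, made-up OUI (unrecognized)
    "1401" "ff"                  # Reserved type 10 (unrecognized)
    "0000"                       # End of LLDPDU
)

if __name__ == "__main__":
    store = NeighborTlvStore()
    print(process_frame(SAMPLE_FRAME, store))
    process_frame(SAMPLE_FRAME, store)   # same LLDPDU again: nothing new to store
    print("TLVs discarded as duplicates:", store.discard_counter)
```

Feeding the same LLDPDU twice shows the discard counter rising by one per unrecognized TLV while the stored count stays put, which is the behaviour to expect when reading the lldpStatsRxPortTLVsUnrecognizedTotal counter on a stable link.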
Table 55. LLDP Configuration MIB Objects (continued)
MIB Object Category | LLDP Variable | LLDP MIB Object | Description
(continued) | statsTLVsUnrecognizedTotal | lldpStatsRxPortTLVsUnrecognizedTotal | Total number of all TLVs the local agent does not recognize.
Table 56.
Table 57. LLDP 802.
Table 58.
31 Multicast Source Discovery Protocol (MSDP)
This chapter describes how to configure and use the multicast source discovery protocol (MSDP).
Protocol Overview
MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Implementation Information
The Dell Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446.
Configure Multicast Source Discovery Protocol
Configuring MSDP is a four-step process.
1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures. The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 89. Configuring MSDP
Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1. Enable MSDP.
CONFIGURATION mode
ip multicast-msdp
2. Peer PIM systems in different administrative domains.
CONFIGURATION mode
ip msdp peer connect-source
R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
R3#show ip msdp peer
Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
Clearing the Source-Active Cache
To clear the source-active cache, use the following command.
● Clear the SA cache of all, local, or rejected entries, or entries for a specific group.
CONFIGURATION mode
clear ip msdp sa-cache [group-address | local | rejected-sa]
Enabling the Rejected Source-Active Cache
To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error.
Figure 93. MSDP Default Peer, Scenario 4
Specifying Source-Active Messages
To specify messages, use the following command.
● Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check.
CONFIGURATION mode
ip msdp default-peer ip-address list
If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
Dell(conf)#ip msdp peer 10.0.50.
Dell#ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime    GroupAddr    SourceAddr   RPAddr      LearnedFrom  Reason
00:33:18  229.0.50.64  24.0.50.64   200.0.1.50  10.0.50.2    Rpf-Fail
00:33:18  229.0.50.65  24.0.50.65   200.0.1.50  10.0.50.2    Rpf-Fail
00:33:18  229.0.50.66  24.0.50.66   200.0.1.50  10.0.50.2    Rpf-Fail
Limiting the Source-Active Messages from a Peer
To limit the source-active messages from a peer, use the following commands.
1.
Preventing MSDP from Caching a Remote Source
To prevent MSDP from caching a remote source, use the following commands.
1. OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
CONFIGURATION mode
ip msdp cache-rejected-sa
2. Prevent the system from caching remote sources learned from a specific peer based on source and group.
CONFIGURATION mode
ip msdp sa-filter list out peer list ext-acl
As shown in the following example, R1 is advertising source 10.11.4.2.
MSDP Source-Active Cache - 1 entries
GroupAddr  SourceAddr  RPAddr       LearnedFrom  Expire  UpTime
239.0.0.1  10.11.4.2   192.168.0.1  local        70      00:27:20
R1(conf)#do show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr  SourceAddr  RPAddr       LearnedFrom  Expire  UpTime
239.0.0.1  10.11.4.2   192.168.0.1  192.168.0.1  1       00:10:29
[Router 3]
R3(conf)#do show ip msdp sa-cache
R3(conf)#
To display the configured SA filters for a peer, use the show ip msdp peer command from EXEC Privilege mode.
CONFIGURATION mode
clear ip msdp peer peer-address
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1 Local Addr: 192.168.0.3(639) Connect Source: Lo 0
State: Established Up/Down Time: 00:04:26
Timers: KeepAlive 30 sec, Hold time 75 sec
SourceActive packet count (in/out): 5/0
SAs learned from this peer: 0
SA Filtering:
Input (S,G) filter: myremotefilter
Output (S,G) filter: none
R3(conf)#do clear ip msdp peer 192.168.0.1
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1 Local Addr: 0.0.0.
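The rejection reasons listed for the rejected-SA cache (RPF check failed, SA limit reached), the default-peer bypass with its optional RP access list, the per-peer SA limit and the input (S,G) filter shown in the show ip msdp peer output above fit together as one acceptance decision. The Python below is an added example and not Dell EMC Networking OS code: the RPF decision is simplified to a configured table of originating RP to the peer its SAs are expected from (a router derives this from its unicast and MBGP routing tables), the reason strings other than Rpf-Fail are chosen here, and the addresses and the "myremotefilter" (S,G) filter reuse the guide's own examples.

```python
"""Model of an MSDP RP's Source-Active acceptance decision.

Added example, not Dell EMC Networking OS code. The RPF check is reduced to
a configured table (originating RP -> peer the RP's SAs are expected from);
reason strings other than Rpf-Fail are chosen for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SA:
    group: str
    source: str
    rp: str            # originating RP carried in the SA message


@dataclass
class Peer:
    address: str
    sa_limit: Optional[int] = None                    # ip msdp sa-limit
    in_filter: Optional[Callable[[SA], bool]] = None  # input (S,G) filter; True = permit
    learned: int = 0                                  # "SAs learned from this peer"


@dataclass
class MsdpRp:
    rpf_peer_for_rp: Dict[str, str]                   # simplified RPF table
    peers: Dict[str, Peer] = field(default_factory=dict)
    default_peer: Optional[str] = None                # ip msdp default-peer
    default_peer_rps: Optional[List[str]] = None      # optional RP prefix list (the ACL)
    cache_rejected_sa: bool = False                   # ip msdp cache-rejected-sa
    sa_cache: Dict[Tuple[str, str], Tuple[str, str]] = field(default_factory=dict)
    rejected: List[Tuple[SA, str, str]] = field(default_factory=list)

    def _reject(self, sa: SA, peer: Peer, reason: str) -> str:
        # Rejected SAs are only recorded when cache-rejected-sa is enabled.
        if self.cache_rejected_sa:
            self.rejected.append((sa, peer.address, reason))
        return reason

    def _passes_rpf(self, sa: SA, peer: Peer) -> bool:
        if peer.address == self.default_peer:
            if self.default_peer_rps is None:
                return True       # no ACL: accept every source this peer advertises
            if any(ip_address(sa.rp) in ip_network(p) for p in self.default_peer_rps):
                return True
            # RP denied by the ACL: fall through to the normal RPF check
        return self.rpf_peer_for_rp.get(sa.rp) == peer.address

    def receive(self, peer_addr: str, sa: SA) -> str:
        """Apply sa-limit, input filter and RPF check; cache the SA if all pass."""
        peer = self.peers[peer_addr]
        if peer.sa_limit is not None and peer.learned >= peer.sa_limit:
            return self._reject(sa, peer, "Sa-Limit")
        if peer.in_filter is not None and not peer.in_filter(sa):
            return self._reject(sa, peer, "Sa-Filter")
        if not self._passes_rpf(sa, peer):
            return self._reject(sa, peer, "Rpf-Fail")
        key = (sa.group, sa.source)
        if key not in self.sa_cache:
            peer.learned += 1
        self.sa_cache[key] = (sa.rp, peer_addr)
        return "Accepted"


def demo():
    """Replays the guide's examples: R3 filtering (10.11.4.2, 239.0.0.1) from R1,
    and SAs from 10.0.50.2 for RP 200.0.1.50 failing RPF until that peer is
    made the default peer (and then hitting its sa-limit of 2)."""
    rp = MsdpRp(rpf_peer_for_rp={"192.168.0.1": "192.168.0.1",
                                 "200.0.1.50": "10.0.50.1"},
                cache_rejected_sa=True)
    rp.peers["192.168.0.1"] = Peer("192.168.0.1", in_filter=lambda sa: not (
        sa.source == "10.11.4.2" and sa.group == "239.0.0.1"))   # "myremotefilter"
    rp.peers["10.0.50.2"] = Peer("10.0.50.2", sa_limit=2)
    outcomes = [
        rp.receive("192.168.0.1", SA("239.0.0.1", "10.11.4.2", "192.168.0.1")),
        rp.receive("192.168.0.1", SA("239.0.0.2", "10.11.4.3", "192.168.0.1")),
        rp.receive("10.0.50.2", SA("229.0.50.64", "24.0.50.64", "200.0.1.50")),
    ]
    rp.default_peer = "10.0.50.2"     # SAs from this peer now skip the RPF check
    for n in (65, 66, 67):
        outcomes.append(rp.receive("10.0.50.2",
                                   SA(f"229.0.50.{n}", f"24.0.50.{n}", "200.0.1.50")))
    return rp, outcomes


if __name__ == "__main__":
    rp, outcomes = demo()
    print(outcomes)
    for sa, learned_from, reason in rp.rejected:   # the rejected-SA cache view
        print(f"{sa.group:<14}{sa.source:<14}{sa.rp:<14}{learned_from:<14}{reason}")
```

The order of the checks matters for what ends up in the rejected-SA cache: an SA denied by the input filter never reaches the RPF check, so a peer whose advertisements are all filtered shows up with a filter reason rather than Rpf-Fail, which is the distinction to look for when a show ip msdp sa-cache rejected-sa listing is unexpectedly empty or full.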
Anycast RP relieves these limitations by allowing multiple RPs per group, which can be distributed in a topologically significant manner according to the locations of the sources and receivers.
1. All the RPs serving a given group are configured with an identical anycast address.
2. Sources then register with the topologically closest RP.
3. RPs use MSDP to peer with each other using a unique address.
Figure 94. MSDP with Anycast RP
Configuring Anycast RP
To configure anycast RP:
1.
4. Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source.
CONFIGURATION mode
ip msdp peer
5. Advertise the network of each of the unique Loopback addresses throughout the network.
ROUTER OSPF mode
network
Reducing Source-Active Message Flooding
RPs flood source-active messages to all of their peers away from the RP.
ip msdp peer 192.168.0.3 connect-source Loopback 1
ip msdp peer 192.168.0.22 connect-source Loopback 1
ip msdp mesh-group AS100 192.168.0.22
ip msdp originator-id Loopback 1
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
The following shows an R2 configuration for MSDP with Anycast RP.
ip multicast-routing
!
interface TenGigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.22 remote-as 100
 neighbor 192.168.0.22 ebgp-multihop 255
 neighbor 192.168.0.22 update-source Loopback 0
 neighbor 192.168.0.22 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.11 connect-source Loopback 0
ip msdp peer 192.168.0.
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
MSDP Sample Configuration: R2 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface TenGigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.2 remote-as 100
 neighbor 192.168.0.2 ebgp-multihop 255
 neighbor 192.168.0.2 update-source Loopback 0
 neighbor 192.168.0.2 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.1 connect-source Loopback 0
!
ip route 192.168.0.2/32 10.11.0.23
MSDP Sample Configuration: R4 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 0/21
 ip pim sparse-mode
 ip address 10.11.5.
 redistribute connected
 redistribute bgp 100
!
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.3 remote-as 200
 neighbor 192.168.0.3 ebgp-multihop 255
 neighbor 192.168.0.3 update-source Loopback 0
 neighbor 192.168.0.3 no shutdown
!
ip route 192.168.0.3/32 10.11.0.32
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
MSDP Sample Configuration: R3 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 0/21
 ip pim sparse-mode
 ip address 10.11.0.
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.4/32
 no shutdown
!
router ospf 1
 network 10.11.5.0/24 area 0
 network 10.11.6.0/24 area 0
 network 192.168.0.4/32 area 0
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.
32 Multiple Spanning Tree Protocol (MSTP)
Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.
Protocol Overview
In contrast, PVST+ allows a spanning tree instance for each VLAN.
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations
Spanning Tree Variations
The Dell Networking OS supports four variations of spanning tree, as shown in the following table.
Table 59. Spanning Tree Variations
Dell Networking Term | IEEE Specification
Spanning Tree Protocol (STP) | 802.1d
Rapid Spanning Tree Protocol (RSTP) | 802.1w
Multiple Spanning Tree Protocol (MSTP) | 802.
Enable Multiple Spanning Tree Globally
MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0.
● Within an MSTI, only one path from any bridge to any other bridge is enabled.
● Bridges block a redundant path by disabling one of the link ports.
1. Enter PROTOCOL MSTP mode.
CONFIGURATION mode
protocol spanning-tree mstp
2. Enable MSTP.
All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
Dell(conf-mstp)#name my-mstp-region
Dell(conf-mstp)#exit
Dell(conf)#do show spanning-tree mst config
MST region name: my-mstp-region
Revision: 0
MSTI  VID
 1    100
 2    200-300
To view the forwarding/discarding state of the ports participating in an MSTI, use the show spanning-tree msti command from EXEC Privilege mode.
R3(conf-mstp)#show config
!
protocol spanning-tree mstp
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
 MSTI 2 bridge-priority 0
Interoperate with Non-Dell Bridges
The Dell Networking OS supports only one MSTP region. A region is a combination of three unique qualities:
● Name is a mnemonic string you assign to the region. The default region name is null.
● Revision is a 2-byte number. The default revision number is 0.
● VLAN-to-instance mapping is the placement of a VLAN in an MSTI.
NOTE: Dell Networking recommends that only experienced network administrators change MSTP parameters. Poorly planned modification of MSTP parameters can negatively affect network performance.
To change the MSTP parameters, use the following commands on the root bridge.
1. Change the forward-delay parameter.
PROTOCOL MSTP mode
forward-delay seconds
The range is from 4 to 30. The default is 15 seconds.
2. Change the hello-time parameter.
Table 60. Default Values for Port Costs by Interface
Port Cost | Default Value
100-Mb/s Ethernet interfaces | 200000
1-Gigabit Ethernet interfaces | 20000
10-Gigabit Ethernet interfaces | 2000
Port Channel with 100 Mb/s Ethernet interfaces | 180000
Port Channel with 1-Gigabit Ethernet interfaces | 18000
Port Channel with 10-Gigabit Ethernet interfaces | 1800
To change the port cost or priority of an interface, use the following commands.
1. Change the port cost of an interface.
■ Disable spanning tree on the interface (using the no spanning-tree command in INTERFACE mode).
■ Disable global spanning tree (using the no spanning-tree command in CONFIGURATION mode).
To verify that EdgePort is enabled, use the show config command from INTERFACE mode.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 2/11,31
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 2/11,31
 no shutdown
Router 3 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
spanning-tree configuration revision 123
spanning-tree MSTi instance 1
spanning-tree MSTi vlan 1 100
spanning-tree MSTi instance 2
spanning-tree MSTi vlan 2 200
spanning-tree MSTi vlan 2 300
(Step 2)
interface 1/0/31
 no shutdown
 spanning-tree port mode enable
 switchport protected 0
 exit
interface 1/0/32
 no shutdown
 spanning-tree port mode enable
 switchport protected 0
 exit
(Step 3)
interface vlan 100
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 200
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 300
 ta
● MSTP Instances.
○ To verify the VLAN to MSTP instance mapping, use the show commands.
○ Are there “extra” MSTP instances in the Sending or Received logs? This may mean that an additional MSTP instance was configured on one router but not the others.
The following example shows viewing an MSTP configuration.
33 Multicast Features
The Dell Networking OS supports the following multicast protocols:
● PIM Sparse-Mode (PIM-SM)
● Internet Group Management Protocol (IGMP)
● Multicast Source Discovery Protocol (MSDP)
Topics:
• Enabling IP Multicast
• Implementation Information
• First Packet Forwarding for Lossless Multicast
• Multicast Policies
• Understanding Multicast Traceroute (mtrace)
• Printing Multicast Traceroute (mtrace) Paths
• Supported Error Codes
• mtrace Scenarios
Enabling IP Multicast
Before enabling
● Multicast is not supported on secondary IP addresses.
● If you enable multicast routing, egress Layer 3 ACL is not applied to multicast data traffic.
● Multicast traffic can be forwarded to a maximum of 15 VLANs with the same outgoing interface.
Dell EMC Networking OS does not support multicast routing in the following VLT scenarios:
● In a VLT enabled PIM router, multicast routing is not supported when there are multiple PIM spanned paths to reach source or RP.
When the multicast route limit is reached, Dell Networking OS displays the following:
3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB limit reached. No new routes will be learnt until TIB level falls below low watermark.
3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB below low watermark. Route learning will begin.
To limit the number of multicast routes, use the following command.
● Limit the total number of multicast routes on the system.
Figure 97. Preventing a Host from Joining a Group
Table 61. Preventing a Host from Joining a Group — Description
Location | Description
1/21 |
● Interface GigabitEthernet 1/21
● ip pim sparse-mode
● ip address 10.11.12.1/24
● no shutdown
1/31 |
● Interface GigabitEthernet 1/31
● ip pim sparse-mode
● ip address 10.11.13.1/24
● no shutdown
2/1 |
● Interface GigabitEthernet 2/1
● ip pim sparse-mode
● ip address 10.11.1.
Table 61. Preventing a Host from Joining a Group — Description (continued)
Location | Description
2/11 |
● Interface GigabitEthernet 2/11
● ip pim sparse-mode
● ip address 10.11.12.2/24
● no shutdown
2/31 |
● Interface GigabitEthernet 2/31
● ip pim sparse-mode
● ip address 10.11.23.1/24
● no shutdown
3/1 |
● Interface GigabitEthernet 3/1
● ip pim sparse-mode
● ip address 10.11.5.1/24
● no shutdown
3/11 |
● Interface GigabitEthernet 3/11
● ip pim sparse-mode
● ip address 10.11.13.
Preventing a PIM Router from Forming an Adjacency
To prevent a router from participating in PIM (for example, to configure stub multicast routing), use the following command.
● Prevent a router from participating in protocol independent multicast (PIM).
INTERFACE mode
ip pim neighbor-filter
Preventing a Source from Registering with the RP
To prevent the PIM source DR from sending register packets to the RP for the specified multicast source and group, use the following command.
Figure 98. Preventing a Source from Transmitting to a Group
Table 62. Preventing a Source from Transmitting to a Group — Description
Location | Description
1/21 |
● Interface GigabitEthernet 1/21
● ip pim sparse-mode
● ip address 10.11.12.1/24
● no shutdown
1/31 |
● Interface GigabitEthernet 1/31
● ip pim sparse-mode
● ip address 10.11.13.1/24
● no shutdown
2/1 |
● Interface GigabitEthernet 2/1
● ip pim sparse-mode
● ip address 10.11.1.
Table 62. Preventing a Source from Transmitting to a Group — Description (continued)
Location | Description
2/11 |
● Interface GigabitEthernet 2/11
● ip pim sparse-mode
● ip address 10.11.12.2/24
● no shutdown
2/31 |
● Interface GigabitEthernet 2/31
● ip pim sparse-mode
● ip address 10.11.23.1/24
● no shutdown
3/1 |
● Interface GigabitEthernet 3/1
● ip pim sparse-mode
● ip address 10.11.5.1/24
● no shutdown
3/11 |
● Interface GigabitEthernet 3/11
● ip pim sparse-mode
● ip address 10.11.13.
Understanding Multicast Traceroute (mtrace)
Multicast Traceroute (mtrace) is a multicast diagnostic facility used for tracing multicast paths. Mtrace enables you to trace the path that a multicast packet takes from its source to the destination. When you initiate mtrace from a source to a destination, an mtrace Query packet with IGMP type 0x1F is sent to the last-hop multicast router for the given destination. The mtrace query packet is forwarded hop-by-hop until it reaches the last-hop router.
● MTRACE Transit — when a Dell Networking system is an intermediate router between the source and destination in an MTRACE query, Dell Networking OS computes the RPF neighbor for the source, fills in the request, and forwards the request to the RPF neighbor. When a Dell Networking system is the last hop to the destination, Dell Networking OS sends a response to the query.
To print the network path, use the following command.
Table 63. mtrace Command Output — Explained (continued)
Command Output | Description
From source (?) to destination (?) | If the provided source or destination IP can be resolved to a hostname, the corresponding name is displayed. If the IP cannot be resolved, it is displayed as (?).
0 1.1.1.1 --> Destination | The first row in the table corresponds to the destination provided by the user.
-1 1.1.1.1 PIM Reached RP/Core 103.103.103.
Table 64. Supported Error Codes (continued)
Error Code | Error Name | Description
0x81 | NO_SPACE | There is not enough room to insert another response data block in the packet.
mtrace Scenarios
This section describes the scenarios that can result when the mtrace command is issued, as summarized in the following table.
Table 65.
Table 65. Mtrace Scenarios (continued)
Scenario | Output
You invoke a weak mtrace request by specifying only the source without specifying the multicast tree or multicast group information for the source. Mtrace traces a path towards the source by using the RPF neighbor at each node.
R1>mtrace 103.103.103.3
Type Ctrl-C to abort.
Querying reverse path for source 103.103.103.
Table 65. Mtrace Scenarios (continued)
Scenario
When you issue the mtrace command with the source and multicast group information, if a multicast route is not present on a particular node, the NO ROUTE error code is displayed for that node. In this scenario, the Source Network/Mask column for that node displays the value as default.
Table 65. Mtrace Scenarios (continued)
Scenario | Output
-----------------------------------------------------------------
If the destination provided in the command is not a valid receiver for the multicast group, the last hop router for the destination provides the WRONG LAST HOP error code. If the last-hop router contains a path to the source, the path is traced irrespective of the incorrect destination.
Table 65. Mtrace Scenarios (continued)
Scenario | Output
0 1.1.1.1 --> Destination
-1 * * * *
----------------------------------------------------------------
Timed out receiving responses
Perhaps no local router has a route for source, the receiver is not a member of the multicast group or the multicast ttl is too low.
While traversing the path from source to destination, if the mtrace packet exhausts the maximum buffer size of the packet, then NO SPACE error is displayed in the output.
Table 65. Mtrace Scenarios (continued)
Scenario | Output
Querying reverse path for source 6.6.6.6 to destination 4.4.4.5 via RPF
From source (?) to destination (?)
----------------------------------------------------------------
|Hop| OIF IP     |Proto| Forwarding Code | Source Network/Mask |
----------------------------------------------------------------
 0   4.4.4.5      --> Destination
-1   4.4.4.4      PIM                      6.6.6.0/24
-2   20.20.20.2   PIM                      6.6.6.0/24
-3   10.10.10.1   PIM   RPF Interface      6.6.6.
34 Multicast Listener Discovery Protocol
Dell Networking OS supports the Multicast Listener Discovery (MLD) protocol. Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
Joining a Multicast Group The Querier periodically sends a General Query to the all-nodes multicast address FF02::1. A host that wants to join a multicast group responds to the general query with a report that contains the group address; the report is also addressed to the group (in the IPv6 Destination Address field). To avoid duplicate reporting, any host that hears a report from another host for the same group in which it itself is interested cancels its report for that group.
[Packet format diagram: Source Address [1] through Source Address [N] fields]
Version 2 multicast listener reports are sent by IP nodes to report (to neighboring routers) the current multicast listening state, or changes in the multicast listening state, of their interfaces.
[Packet format diagram: Source Address [1] through Source Address [N] fields, followed by Auxiliary Data]
report when the timer expires. Increasing this value spreads host responses over a greater period of time, and so reduces response burstiness. To adjust the query response time, use the following command:
INTERFACE mode
ipv6 mld query-max-resp-time
Configuring MLD Version
To configure the MLD version on the system, follow this procedure:
Select the MLD version.
INTERFACE mode
ipv6 mld version {1 | 2}
If you do not configure the MLD version, the system defaults to version 2.
retransmissions. Lowering the Last Listener Query Interval reduces the time to detect that there are no remaining receivers for a group, and so can reduce the amount of unnecessarily forwarded traffic. To adjust the last-member query interval, use the following command:
INTERFACE mode
ipv6 mld last-member-query-interval
Displaying the MLD Groups Table
Display MLD groups. Group information can be filtered.
ipv6 mld snooping enable
Disable MLD Snooping
When MLD is enabled globally, it is by default enabled on all VLANs. To disable MLD snooping on a VLAN, use the following command:
INTERFACE VLAN mode
no ipv6 mld snooping
NOTE: Under the default configuration, there is no need to configure ipv6 mld snooping for any VLAN.
Configure the Switch as a Querier
Hosts that do not support unsolicited reporting wait for a general query before sending a membership report.
Display the MLD Snooping Table
1. To display the MLD snooping table, use the following command:
EXEC Privilege mode
show ipv6 mroute snooping vlan 2.
35 Object Tracking IPv4 or IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking operating system (OS) client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes.
Figure 99. Object Tracking Example
When you configure a tracked object, such as an IPv4 or IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
● UP and DOWN thresholds used to report changes in a route metric.
● A time delay before changes in a tracked object’s state are reported to a client.
Track Layer 2 Interfaces
You can create an object to track the line-protocol state of a Layer 2 interface.
Track IPv4 and IPv6 Routes You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4 or IPv6 address and prefix-length. Optionally specify a tracked route by a virtual routing and forwarding (VRF) instance name if the tracked route is part of a VRF. The next-hop address is not part of the definition of the tracked object.
2. Configure object tracking on the metric of an IPv4 or IPv6 route.
CONFIGURATION mode
track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} metric threshold [vrf vrf-name]
Valid object IDs are from 1 to 65535. Enter an IPv4 address in dotted decimal format. Valid IPv4 prefix lengths are from /0 to /32. Enter an IPv6 address in X:X:X:X::X format. Valid IPv6 prefix lengths are from /0 to /128. (Optional) E-Series only: For an IPv4 route, you can enter a VRF name.
3.
Tracking Route Reachability
Use the following commands to configure object tracking on the reachability of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command.
1. Configure object tracking on the reachability of an IPv4 or IPv6 route.
CONFIGURATION mode
track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} reachability [vrf vrf-name]
Valid object IDs are from 1 to 65535.
Configuring the Track Reachability Refresh Interval
If there is no entry in the ARP table, or if the next-hop address in the ARP cache ages out for a route that is tracked for reachability, the system waits a refresh interval and then checks whether the next-hop address has appeared in the ARP cache before considering the route DOWN. You can change the refresh interval at which the next-hop address is checked. The default refresh interval is 60 seconds.
For a complete listing of all commands related to object tracking, refer to the Dell Networking OS Command Line Interface Reference Guide.
Tracking a Layer 2 Interface
You can create an object that tracks the line-protocol state of a Layer 2 interface and monitors its operational status (UP or DOWN). You can track the status of any of the following Layer 2 interfaces:
● 1 Gigabit Ethernet: Enter gigabitethernet slot/port in the track interface interface command (see Step 1).
● For a port channel interface, enter the keywords port-channel then a number.
● For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
For an IPv4 interface, a routing object only tracks the UP/DOWN status of the specified IPv4 interface (the track interface ip-routing command).
● The status of an IPv4 interface is UP only if the Layer 2 status of the interface is UP and the interface has a valid IP address.
IPv6 route 2050::/64 reachability
Reachability is Up (STATIC)
5 changes, last change 00:02:16
First-hop interface is GigabitEthernet 13/2
Tracked by:
VRRP GigabitEthernet 7/30 IPv6 VRID 1
Track 4
Interface GigabitEthernet 13/4 ip routing
IP routing is Up
3 changes, last change 00:03:30
Tracked by:
Example of the show track brief command.
Router# show track brief
ResId Resource Parameter State LastChange
1 IP route reachability 10.16.0.0/16
Example of the show track resolution command.
36 Open Shortest Path First (OSPFv2 and OSPFv3) This chapter describes how to configure and use Open Shortest Path First (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3. This chapter identifies and clarifies the differences between the two versions of OSPF. Except where identified, the information in this chapter applies to both protocol versions.
Figure 100. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers. The backbone is the only area with a default area number.
Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keepalive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
● Type 3: Summary LSA (OSPFv2), Inter-Area-Prefix LSA (OSPFv3) — An ABR takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to. The link-state ID of the Type 3 LSA is the destination network number. ● Type 4: AS Border Router Summary LSA (OSPFv2), Inter-Area-Router LSA (OSPFv3) — In some cases, Type 5 External LSAs are flooded to areas where the detailed next-hop information may not be available.
Router Priority and Cost
Router priority and cost are the methods the system uses to “rate” the routers. For example, if not assigned, the system selects the router with the highest priority as the DR. The router with the second-highest priority is the BDR.
● Priority is a numbered rating from 0 to 255. The higher the number, the higher the priority.
● Cost is a numbered rating from 1 to 65535. The higher the number, the greater the cost. The cost assigned reflects the cost should the router fail.
Fast Convergence (OSPFv2, IPv4 Only) Fast convergence allows you to define the speeds at which LSAs are originated and accepted, and reduce OSPFv2 end-to-end convergence time. The system allows you to accept and originate LSAs as soon as they are available to speed up route information propagation. NOTE: The faster the convergence, the more frequent the route calculations and updates. This impacts CPU utilization and may impact adjacency stability in larger topologies.
00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2 aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 100
LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.0 seq:0x8000000c
LSType:Type-5 AS External id:160.1.2.0 adv:6.1.0.0 seq:0x8000000c
00:10:41 : OSPF(1000:00): Rcv. v:2 t:4(LSUpd) l:100 rid:6.1.0.0 aid:0 chk:0xccbd aut:0 auk: keyid:0 from:Te 10/21
Number of LSA:2
LSType:Type-5 AS External(5) Age:1 Seq:0x8000000c id:170.1.1.0 Adv:6.1.0.0 Netmask:255.255.255.0 fwd:0.0.0.
Hello due in 00:00:04
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 1.1.1.1 (Backup Designated Router)
Dell(conf-if-te-2/2)#
Configuration Information
The interfaces must be in Layer 3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode.
If you are using a Loopback interface, refer to Loopback Interfaces.
2. Enable the interface.
CONFIG-INTERFACE mode
no shutdown
3. Return to CONFIGURATION mode to enable the OSPFv2 process globally.
CONFIGURATION mode
router ospf process-id [vrf {vrf name}]
● vrf name: enter the keyword VRF and the instance name to tie the OSPF instance to the VRF. All network commands under this OSPF instance are later tied to the VRF instance.
The range is from 0 to 65535.
CONFIG-INTERFACE mode
ip address ip-address mask
Format: A.B.C.D/M. If you are using a Loopback interface, refer to Loopback Interfaces.
2. Enable the interface.
CONFIG-INTERFACE mode
no shutdown
3. Return to CONFIGURATION mode to enable the OSPFv2 process globally.
CONFIGURATION mode
router ospf process-id [vrf]
The range is from 0 to 65535. After the OSPF process and the VRF are tied together, the OSPF process ID cannot be used again in the system.
Example of Enabling OSPFv2 and Assigning an Area to an Interface
Dell#(conf)#int te 4/44
Dell(conf-if-te-4/44)#ip address 10.10.10.10/24
Dell(conf-if-te-4/44)#no shutdown
Dell(conf-if-te-4/44)#ex
Dell(conf)#router ospf 1
Dell(conf-router_ospf-1)#network 1.2.3.4/24 area 0
Dell(conf-router_ospf-1)#network 10.10.10.10/24 area 1
Dell(conf-router_ospf-1)#network 20.20.20.
Loopback interface is treated as a stub Host.
Dell#
Configuring Stub Areas
OSPF supports different types of LSAs to help reduce the amount of router processing within the areas. Type 5 LSAs are not flooded into stub areas; the ABR advertises a default route into the stub area to which it is attached. Stub area routers use the default route to reach external destinations. To ensure connectivity in your OSPFv2 network, never configure the backbone area as a stub area.
2. Specify the interval for LSA acceptance.
CONFIG-ROUTER-OSPF-id mode
timers throttle lsa all arrivaltime
Enabling Passive Interfaces
A passive interface is one that does not send or receive routing information. Enabling a passive interface suppresses routing updates on that interface. Although the passive interface does not send or receive routing updates, the network on that interface is still included in OSPF updates sent via other interfaces.
Enabling Fast-Convergence The fast-convergence CLI sets the minimum origination and arrival LSA parameters to zero (0), allowing rapid route calculation. When you disable fast-convergence, origination and arrival LSA parameters are set to 5 seconds and 1 second, respectively. Setting the convergence parameter (from 1 to 4) indicates the actual convergence level.
○ cost: The range is from 1 to 65535 (the default depends on the interface speed).
● Change the time interval the router waits before declaring a neighbor dead.
CONFIG-INTERFACE mode
ip ospf dead-interval seconds
○ seconds: the range is from 1 to 65535 (the default is 40 seconds). The dead interval must be four times the hello interval. The dead interval must be the same on all routers in the OSPF network.
● Change the time interval between hello-packet transmission.
Dell(conf-if)#end
Dell#show ip ospf 34 interface
TengigabitEthernet 0/0 is up, line protocol is up
Internet Address 10.1.2.100/24, Area 2.2.2.2
Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 45
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 10.1.2.100, Interface address 10.1.2.100
Backup Designated Router (ID) 10.1.2.100, Interface address 0.0.0.
CONFIG-ROUTEROSPF-id mode
distribute-list prefix-list-name in [interface]
● Assign a configured prefix list to outgoing OSPF routes.
CONFIG-ROUTEROSPF-id mode
distribute-list prefix-list-name out [connected | isis | rip | static]
Redistributing Routes
You can add routes from other routing instances or protocols to the OSPF process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process.
To help troubleshoot OSPFv2, use the following commands.
● View the summary of all OSPF process IDs enabled on the router.
EXEC Privilege mode
show running-config ospf
● View the summary information of the IP routes.
EXEC Privilege mode
show ip route summary
● View the summary information for the OSPF database.
EXEC Privilege mode
show ip ospf database
● View the configuration of OSPF neighbors connected to the local router.
EXEC Privilege mode
show ip ospf neighbor
● View the LSAs currently in the queue.
Basic OSPFv2 Router Topology
The following illustration is a sample basic OSPFv2 topology.
Figure 103. Basic Topology and CLI Commands for OSPFv2
OSPF Area 0 — Te 1/1 and 1/2
router ospf 11111
network 10.0.11.0/24 area 0
network 10.0.12.0/24 area 0
network 192.168.100.0/24 area 0
!
interface TengigabitEthernet 1/1
ip address 10.1.11.1/24
no shutdown
!
interface TengigabitEthernet 1/2
ip address 10.2.12.2/24
no shutdown
!
interface Loopback 10
ip address 192.168.100.
ip address 10.2.13.3/24
no shutdown
OSPF Area 0 — Te 2/1 and 2/2
router ospf 22222
network 192.168.100.0/24 area 0
network 10.2.21.0/24 area 0
network 10.2.22.0/24 area 0
!
interface Loopback 20
ip address 192.168.100.20/24
no shutdown
!
interface TengigabitEthernet 2/1
ip address 10.2.21.2/24
no shutdown
!
interface TengigabitEthernet 2/2
ip address 10.2.22.
NOTE: The OSPFv2 network area command enables OSPF on multiple interfaces with the single command. Use the OSPFv3 ipv6 ospf area command on each interface that runs OSPFv3. All IPv6 addresses on an interface are included in the OSPFv3 process that is created on the interface. Enable OSPFv3 for IPv6 by specifying an OSPF process ID and an area in INTERFACE mode. If you have not created an OSPFv3 process, it is created automatically.
NOTE: The OSPFv2 network area command enables OSPFv2 on multiple interfaces with the single command. Use the OSPFv3 ipv6 ospf area command on each interface that runs OSPFv3.
● Assign the OSPFv3 process and an OSPFv3 area to this interface.
CONF-INT-type slot/port mode
ipv6 ospf process-id area area-id
○ process-id: the process ID number assigned.
○ area-id: the area ID for this interface.
CONFIGURATION mode
no ipv6 router ospf process-id
● Reset the OSPFv3 process.
EXEC Privilege mode
clear ipv6 ospf process
Configuring the Cost of OSPFv3 Routes
A change in bandwidth directly affects the cost of OSPF routes.
● Explicitly specify the cost of sending a packet on an interface.
INTERFACE mode
ipv6 ospf interface-cost
○ interface-cost: The range is from 1 to 65535. The default cost is based on the bandwidth.
● Specify how the OSPF interface cost is calculated based on the reference bandwidth method.
To enable both receiving and sending routing updates, use the no passive-interface interface command. When you configure a passive interface, the show ipv6 ospf interface command output adds the words passive interface to indicate that hello packets are not transmitted on that interface.
Redistributing Routes
You can add routes from other routing instances or protocols to the OSPFv3 process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process.
To ensure integrity, data origin authentication, detection and rejection of replays, and confidentiality of the packet, RFC 4302 and RFC 4303 propose using two security protocols — authentication header (AH) and encapsulating security payload (ESP). For OSPFv3, these two IPsec protocols provide interoperable, high-quality cryptographically-based security.
○ Configuring IPsec Encryption for an OSPFv3 Area
○ Displaying OSPFv3 IPsec Security Policies
Configuring IPsec Authentication on an Interface
To configure, remove, or display IPsec authentication on an interface, use the following commands.
○ key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information. Required lengths of a non-encrypted or encrypted key are: 3DES - 48 or 96 hex digits; DES - 16 or 32 hex digits; AES-CBC - 32 or 64 hex digits for AES-128 and 48 or 96 hex digits for AES-192.
○ key-encryption-type: (optional) specifies if the key is encrypted. The valid values are 0 (key is not encrypted) or 7 (key is encrypted).
Configuring IPsec Encryption for an OSPFv3 Area To configure, remove, or display IPsec encryption in an OSPFv3 area, use the following commands. Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)). The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router.
To display information on the SAs used on a specific interface, enter interface interface, where interface is one of the following values:
○ For a 10-Gigabit Ethernet interface, enter TenGigabitEthernet slot/port.
○ For a Port Channel interface, enter port-channel number.
○ For a 40-Gigabit Ethernet interface, enter FortyGigabitEthernet slot/port.
○ For a VLAN interface, enter vlan vlan-id. The valid VLAN IDs are from 1 to 4094.
In the first example, the keys are not encrypted (shown in bold).
replay detection support : N
STATUS : ACTIVE
inbound esp sas
outbound esp sas
Interface: TenGigabitEthernet 0/1
Link Local address: fe80::201:e8ff:fe40:4d11
IPSecv6 policy name: OSPFv3-1-600
inbound ah sas
outbound ah sas
inbound esp sas
spi : 600 (0x258)
transform : esp-des esp-sha1-hmac
in use settings : {Transport, }
replay detection support : N
STATUS : ACTIVE
outbound esp sas
spi : 600 (0x258)
transform : esp-des esp-sha1-hmac
in use settings : {Transport, }
replay detection support : N
STATUS : ACTIVE
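The key-length rule for each algorithm and the rule that an SPI belongs to only one IPsec policy on the router, as stated above, lend themselves to an offline check before the policies are typed in. The following is an added example in Python, not Dell code; the algorithm labels, the IpsecPolicy fields and the sample policies are constructed for the example.

```python
"""Offline checks for OSPFv3 IPsec policy parameters.

Added example, not Dell code: it encodes the key-length rules and the
SPI-uniqueness rule from this section so a planned set of policies can be
linted before it is typed into INTERFACE or CONFIGURATION mode. The algorithm
labels and the sample policies below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Accepted key lengths in hex digits per algorithm, as listed in the guide:
# (length of a non-encrypted key, length of the same key once it is stored
# in encrypted form, i.e. key-encryption-type 7).
KEY_HEX_LENGTHS = {
    "3des": (48, 96),
    "des": (16, 32),
    "aes-cbc-128": (32, 64),
    "aes-cbc-192": (48, 96),
}


@dataclass(frozen=True)
class IpsecPolicy:
    scope: str                    # interface or area the policy applies to
    spi: int                      # security parameter index
    algorithm: str                # one of KEY_HEX_LENGTHS
    key: str                      # hex string as it would be typed
    key_encryption_type: int = 0  # 0 = key not encrypted, 7 = key encrypted


def check_key(algorithm, key, key_encryption_type=0):
    """Return the problems with one key; an empty list means it is acceptable."""
    if algorithm not in KEY_HEX_LENGTHS:
        return [f"unknown algorithm {algorithm!r}"]
    problems = []
    if key_encryption_type not in (0, 7):
        problems.append(
            f"key-encryption-type must be 0 or 7, got {key_encryption_type}")
    if not re.fullmatch(r"[0-9A-Fa-f]+", key or ""):
        problems.append("key must be a non-empty string of hex digits")
        return problems
    plain_len, encrypted_len = KEY_HEX_LENGTHS[algorithm]
    expected = encrypted_len if key_encryption_type == 7 else plain_len
    if len(key) != expected:
        problems.append(
            f"{algorithm} key with key-encryption-type {key_encryption_type} "
            f"needs {expected} hex digits, got {len(key)}")
    return problems


def check_policies(policies):
    """Validate each key and enforce that an SPI is used by only one policy.

    Returns {scope: [problem, ...]} containing only scopes that have problems.
    """
    findings = {}
    spi_owner = {}
    for policy in policies:
        problems = check_key(policy.algorithm, policy.key,
                             policy.key_encryption_type)
        if policy.spi in spi_owner:
            problems.append(
                f"SPI {policy.spi} is already used by {spi_owner[policy.spi]}")
        else:
            spi_owner[policy.spi] = policy.scope
        if problems:
            findings.setdefault(policy.scope, []).extend(problems)
    return findings


# Constructed sample policies (not taken from a real device).
SAMPLE_POLICIES = [
    IpsecPolicy("TenGigabitEthernet 0/1", 600, "des", "0123456789abcdef"),
    IpsecPolicy("area 1", 601, "aes-cbc-128", "ab" * 16),
    # reuses SPI 600 and the 3DES key has 40 digits instead of 48
    IpsecPolicy("TenGigabitEthernet 0/2", 600, "3des", "ab" * 20),
    # an encrypted (type 7) DES key must have 32 digits, not 16
    IpsecPolicy("area 2", 602, "des", "ab" * 8, key_encryption_type=7),
]

if __name__ == "__main__":
    for scope, problems in check_policies(SAMPLE_POLICIES).items():
        for problem in problems:
            print(f"{scope}: {problem}")
```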
● View the configuration of OSPFv3 neighbors.
EXEC Privilege mode
show ipv6 ospf neighbor
● View debug messages for all OSPFv3 interfaces.
EXEC Privilege mode
debug ipv6 ospf [event | packet] {type slot/port}
○ event: View OSPF event messages.
○ packet: View OSPF packets.
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information (for example, passive-interface te 2/1).
○ For a port channel, enter the keywords port-channel then a number from 1 to 255.
SNMPv2-SMI::mib-2.191.1.1.5.0 = INTEGER: 2
SNMPv2-SMI::mib-2.191.1.1.6.0 = Gauge32: 0
SNMPv2-SMI::mib-2.191.1.1.7.0 = Gauge32: 0
SNMPv2-SMI::mib-2.191.1.1.8.0 = Counter32: 10088
SNMPv2-SMI::mib-2.191.1.1.9.0 = Counter32: 10076
SNMPv2-SMI::mib-2.191.1.1.10.0 = Gauge32: 7
SNMPv2-SMI::mib-2.191.1.1.11.0 = INTEGER: -1
SNMPv2-SMI::mib-2.191.1.1.12.0 = Gauge32: 0
SNMPv2-SMI::mib-2.191.1.1.13.0 = INTEGER: 2
SNMPv2-SMI::mib-2.191.1.1.14.0 = Gauge32: 100000
SNMPv2-SMI::mib-2.191.1.1.15.
37 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Figure 104. Per-VLAN Spanning Tree
The Dell Networking OS supports three other versions of spanning tree, as shown in the following table.
Table 67. Spanning Tree Versions Supported
Dell Networking Term | IEEE Specification
Spanning Tree Protocol (STP) | 802.1d
Rapid Spanning Tree Protocol (RSTP) | 802.1w
Multiple Spanning Tree Protocol (MSTP) | 802.
4. Optionally, for load balancing, select a nondefault bridge-priority for a VLAN.
Figure 105. Load Balancing with PVST+
The bridge with the lowest value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign bridges a low non-default value for bridge priority. To assign a bridge priority, use the following command.
● Assign a bridge priority.
The port is not in the Edge port mode
Port 385 (TengigabitEthernet 1/32) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.385
Designated root has priority 4096, address 0001.e80d.b6:d6
Designated bridge has priority 4096, address 0001.e80d.b6:d6
Designated port id is 128.385 , designated path cost 0
Modifying Global PVST+ Parameters
The root bridge sets the values for forward-delay and hello-time, and overwrites the values set on other PVST+ bridges.
Table 68. Default Values for Port Cost (continued)
Port Cost | Default Value
1-Gigabit Ethernet interfaces | 20000
10-Gigabit Ethernet interfaces | 2000
Port Channel with 100 Mb/s Ethernet interfaces | 180000
Port Channel with 1-Gigabit Ethernet interfaces | 18000
Port Channel with 10-Gigabit Ethernet interfaces | 1800
NOTE: The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs. Other implementations use IEEE 802.1w costs as the default costs.
● The reset linecard command does not clear the Error Disabled state of the port or the hardware Disabled state. The interface continues to be disabled in the hardware.
● You can clear the Error Disabled state with any of the following methods:
○ Perform a shutdown command on the interface.
○ Disable the shutdown-on-violation command on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command).
extend system-id
Dell(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32773, Address 0001.e832.73f7
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
no ip address
tagged TengigabitEthernet 2/12,32
no shutdown
!
interface Vlan 300
no ip address
tagged TengigabitEthernet 2/12,32
no shutdown
!
protocol spanning-tree pvst
no disable
vlan 200 bridge-priority 4096
Example of PVST+ Configuration (R3)
interface TengigabitEthernet 3/12
no ip address
switchport
no shutdown
!
interface TengigabitEthernet 3/22
no ip address
switchport
no shutdown
!
interface Vlan 100
no ip address
tagged TengigabitEthernet 3/12,22
no shutdown
!
interface Vlan 200
no ip address
tag
38 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message. This behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop.
2. The last-hop DR sends a PIM Join message to the RP. All routers along the way, including the RP, create an (*,G) entry in their multicast routing table, and the interface on which the message was received becomes the outgoing interface associated with the (*,G) entry. This process constructs an RPT branch to the RP. 3. If a host on the same subnet as another multicast receiver sends an IGMP report for the same multicast group, the gateway takes no action.
CONFIGURATION mode
ip multicast-routing
Related Configuration Tasks
The following are related PIM-SM configuration tasks.
● Configuring S,G Expiry Timers
● Configuring a Static Rendezvous Point
● Configuring a Designated Router
● Creating Multicast Boundaries and Domains
Enable PIM-SM
You must enable PIM-SM on each participating interface.
1. Enable multicast routing on the system.
CONFIGURATION mode
ip multicast-routing
2. Enable PIM-Sparse mode.
(10.87.31.5, 192.1.2.1), uptime 00:01:24, expires 00:02:26, flags: FT
Incoming interface: TenGigabitEthernet 1/11, RPF neighbor 0.0.0.0
Outgoing interface list:
TenGigabitEthernet 0/11
TenGigabitEthernet 0/12
TenGigabitEthernet 1/13
--More--
Configuring S,G Expiry Timers
By default, S,G entries expire in 210 seconds. You can configure a global expiry time (for all [S,G]). When you create, delete, or update an expiry time, the changes are applied when the keepalive timer refreshes.
225.0.1.40 165.87.50.5
226.1.1.1 165.87.50.5
To display the assigned RP for a group range (group-to-RP mapping), use the show ip pim rp mapping command in EXEC privilege mode.
Dell#show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static
RP: 165.87.50.5, v2
Configuring a Designated Router
Multiple PIM-SM routers might be connected to a single local area network (LAN) segment. One of these routers is elected to act on behalf of directly connected hosts.
To enable BSR election for IPv4 or IPv6, perform the following steps:
1. Enter the following IPv4 or IPv6 command to make a PIM router a BSR candidate:
CONFIGURATION
ip pim bsr-candidate
ipv6 pim bsr-candidate
2. Enter the following IPv4 or IPv6 command to make a PIM router an RP candidate:
CONFIGURATION
ip pim rp-candidate
ipv6 pim rp-candidate
3. Display IPv4 or IPv6 Bootstrap Router information.
Enabling PIM-SM Graceful Restart
To enable PIM-SM graceful restart, use the following commands.
● Enable PIM-SM graceful restart (non-stop forwarding capability).
CONFIGURATION mode
ip pim graceful-restart nsf
○ (option) restart-time: the time the Dell Networking system requires to restart. The default value is 180 seconds.
○ (option) stale-entry-time: the maximum amount of time that the Dell Networking system preserves entries from a restarting neighbor. The default value is 60 seconds.
39 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Related Configuration Tasks
● Use PIM-SSM with IGMP Version 2 Hosts
Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1. Create an ACL that uses permit rules to specify what range of addresses should use SSM.
CONFIGURATION mode
ip access-list standard name
2. Enter the ip pim ssm-range command and specify the ACL you created.
CONFIGURATION mode
ip pim ssm-range acl-name
To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.
Configuring PIM-SSM with IGMPv2
R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4
ip pim ssm-range ssm
R1(conf)#do show run acl
!
ip access-list standard map
seq 5 permit host 239.0.0.2
!
ip access-list standard ssm
seq 5 permit host 239.0.0.2
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address Interface Mode Uptime Expires
239.0.0.
1. C-BSRs flood their candidacy throughout the domain in a BSM. Each message contains a BSR priority value, and the C-BSR with the highest priority value becomes the BSR.
2. Each C-RP unicasts periodic Candidate-RP-Advertisements to the BSR. Each message contains an RP priority value and the group ranges for which it is a C-RP.
3. The BSR collects the most efficient group-to-RP mappings and periodically updates them to all PIM routers in the network.
4.
Enabling an RP to Serve Specific Multicast Groups
When you configure an RP candidate, its advertisement is sent for the entire multicast address range and the group-to-RP mapping is advertised for the entire range of multicast addresses. Starting with Dell Networking OS 9.11.0.0, you can configure an RP candidate for a specified range of multicast group addresses. The configured multicast group ranges are used by the BSR protocol to advertise the candidate RPs in the bootstrap messages.
40 Policy-based Routing (PBR) Policy-based Routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
To enable a PBR, you create a redirect list. Redirect lists are defined by rules, or routing policies.
Implementing Policy-based Routing with Dell Networking OS
● Non-contiguous bitmasks for PBR
● Hot-Lock PBR
Non-contiguous bitmasks for PBR
Non-contiguous bitmasks for PBR allow more granular and flexible control over routing policies. Network addresses that are in the middle of a subnet can be included or excluded. Specific bitmasks can be entered using the dotted decimal format.
Non-contiguous bitmask example
Dell#show ip redirect-list
IP redirect-list rcl0:
Defined as:
seq 5 permit ip 200.200.200.
To apply a redirect list to an interface, use the following command. You can apply multiple redirect lists to a redirect group. It is also possible to create two or more redirect groups on one interface for backup purposes.
Apply a redirect list (policy-based routing) to an interface.
INTERFACE mode
ip redirect-group redirect-list-name test l2-switch
● redirect-list-name is the name of a redirect list to apply to this interface.
● description Route Gold traffic to the DS3.
● seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any “Redirect to next-hop router IP 10.99.99.254 any traffic originating in 192.168.1.0/24”
● seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any “Redirect to next-hop router IP 10.99.99.254 any traffic originating in 192.168.2.
EDGE_ROUTER(conf-if-Te-2/11/1)#end
EDGE_ROUTER(conf-redirect-list)#end
EDGE_ROUTER#
View Redirect-List GOLD
EDGE_ROUTER#show ip redirect-list
IP redirect-list GOLD:
Defined as:
seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23/1), ARP resolved
seq 10 redirect 10.99.99.254 ip 192.168.2.
seq 5 redirect 42.1.1.2 track 3 tcp 155.55.2.0/24 222.22.2.0/24, Track 3 [up], Nexthop reachable (via Vl 20) seq 10 redirect 42.1.1.2 track 3 tcp any any, Track 3 [up], Next-hop reachable (via Vl 20) seq 15 redirect 42.1.1.2 track 3 udp 155.55.0.0/16 host 144.144.144.144, Track 3 [up], Next-hop reachable (via Vl 20) seq 20 redirect 42.1.1.2 track 3 udp any host 144.144.144.144, Track 3 [up], Next-hop reachable (via Vl 20) seq 25 redirect 43.1.1.2 track 4 ip host 7.7.7.7 host 144.144.144.
Apply the Redirect Rule to an Interface: Dell#configure terminal Dell(conf)#interface TenGigabitEthernet 2/28 Dell(conf-if-te-2/28)#ip redirect-group explicit_tunnel Dell(conf-if-te-2/28)#exit Dell(conf)#end Verify the Applied Redirect Rules: Dell#show ip redirect-list explicit_tunnel IP redirect-list explicit_tunnel: Defined as: seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.
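As an added example (not code from the guide), a Python evaluator for a redirect list in the show ip redirect-list form used above: it parses seq/permit/redirect rules, including dotted-decimal non-contiguous masks, and returns the first matching rule for a packet. The sample list is constructed; the mask convention (bits set to 1 are compared) and the reading of permit as "route normally" are assumptions.

```python
"""Evaluate a PBR redirect list in the style of show ip redirect-list (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK_ALL = 0xFFFFFFFF

def ip_to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 text to a 32-bit integer; rejects malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def is_contiguous(mask: int) -> bool:
    """True for a prefix mask (ones then zeros), False for a non-contiguous bitmask."""
    inverted = (~mask) & MASK_ALL          # ones-then-zeros becomes zeros-then-ones
    return inverted & (inverted + 1) == 0  # zeros-then-ones has the form 2**k - 1

@dataclass(frozen=True)
class Match:
    """Address/mask pair; only the bits set in mask are compared (assumed: 1 = compare)."""
    addr: int
    mask: int

    def hit(self, ip: int) -> bool:
        return (ip & self.mask) == (self.addr & self.mask)

def take_match(tokens: List[str], i: int) -> Tuple[Match, int]:
    """Parse one address operand at tokens[i]: 'any', 'host A.B.C.D', 'A.B.C.D/len' or
    'A.B.C.D M.M.M.M', where the dotted mask may be non-contiguous."""
    if i >= len(tokens):
        raise ValueError("missing address operand")
    tok = tokens[i]
    if tok == "any":
        return Match(0, 0), i + 1
    if "/" in tok:
        addr, length = tok.split("/")
        if not 0 <= int(length) <= 32:
            raise ValueError(f"bad prefix length in {tok!r}")
        return Match(ip_to_int(addr), (MASK_ALL << (32 - int(length))) & MASK_ALL), i + 1
    if i + 1 >= len(tokens):
        raise ValueError(f"missing operand after {tok!r}")
    if tok == "host":
        return Match(ip_to_int(tokens[i + 1]), MASK_ALL), i + 2
    return Match(ip_to_int(tok), ip_to_int(tokens[i + 1])), i + 2

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str              # "permit" (route normally) or "redirect"
    next_hop: Optional[str]  # redirect rules only
    proto: str               # "ip", "tcp" or "udp"
    src: Match
    dst: Match

def parse_rule(line: str) -> Rule:
    """Parse one 'seq N permit|redirect ...' rule line."""
    t = line.split()
    if len(t) < 6 or t[0] != "seq":
        raise ValueError(f"not a redirect-list rule: {line!r}")
    seq, action, i, next_hop = int(t[1]), t[2], 3, None
    if action == "redirect":
        next_hop, i = t[3], 4
        ip_to_int(next_hop)          # validate the next-hop address
    elif action != "permit":
        raise ValueError(f"unknown action {action!r}")
    proto = t[i]
    if proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    src, i = take_match(t, i + 1)
    dst, _ = take_match(t, i)
    return Rule(seq, action, next_hop, proto, src, dst)

def parse_redirect_list(text: str) -> List[Rule]:
    """Parse every rule line and order by sequence number, the order the list is evaluated in."""
    rules = [parse_rule(ln) for ln in text.splitlines() if ln.strip().startswith("seq ")]
    return sorted(rules, key=lambda r: r.seq)

def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str) -> Optional[Rule]:
    """First rule matching the packet, or None when no rule applies (normal routing)."""
    s, d = ip_to_int(src_ip), ip_to_int(dst_ip)
    for rule in rules:
        if rule.proto != "ip" and rule.proto != proto:
            continue                 # an "ip" rule covers every protocol
        if rule.src.hit(s) and rule.dst.hit(d):
            return rule
    return None

# Constructed sample list (not from the guide). seq 5 uses a non-contiguous mask so the .1
# host of every 192.168.x.0/24 keeps normal routing while the rest of 192.168/16 is redirected.
SAMPLE_LIST = """
seq 5 permit ip 192.168.0.1 255.255.0.255 any
seq 10 redirect 10.99.99.254 ip 192.168.0.0/16 any
seq 15 redirect 42.1.1.2 tcp 155.55.2.0/24 222.22.2.0/24
"""
```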
41 Port Extenders (PEs) The C9010 switch supports the IEEE 802.1BR fabric protocol to expand the port density of the chassis, using C1048P, N20xx and N30xx port extenders. In this deployment, the C9010 operates as a controlling bridge for the port extenders. The C1048P, N20xx or N30xx function as a remote line card that is physically connected to, and provisioned by, a C9010 over 10GbE links according to the IEEE 802.1BR standard. Topics: ● IEEE 802.1BR ● 802.
Figure 107. Controlling Bridge with Port Extenders
1. Controlling Bridge (C9010)
2. Cascade ports on controlling bridge
3. 10GbE uplink ports on PEs
4. Standalone PE
5. PE stack
6. Cable connections in a ring topology
802.1BR Terms and Definitions The 802.1BR protocol uses the following terms to describe the operation of a controlling bridge and attached port extenders. 802.1BR Term Definition Cascade port A port on a controlling bridge or bridge port extender that connects to an upstream port.
Enabling the Port Extender Feature To use and configure a PE attached to a controlling bridge, such as the C9010, you must first enable the port-extender feature by entering the feature extended-bridge command. You only need to enter this command once to enable PE support on a controlling bridge. Before you enable the PE feature, ensure that LLDP is enabled on the controlling bridge. LLDP is enabled by default.
Dell(conf-pe-0)# cascade interface interface-type slot/port-range ● interface interface-type specifies a C9010 10-Gigabit Ethernet interface. The only supported value is TenGigabitEthernet slot/port-range. ● slot/port-range specifies a C9010 10GbE port, including slot number and either a single port number, a port range, or a combination of both for auto-LAG configuration. ○ The range of slot numbers is from 0 to 11.
NOTE: In the User-Configured Cascade Ports field, A (active) indicates that a C9010 port is up (no shutdown) and configured as a cascade port; I (inactive) indicates that a port is down and configured as a cascade port.
Dell# show interface port-channel brief
Codes: L - LACP Port-channel
       O - OpenFlow Controller Port-channel
       A - Auto Port-channel
    LAG  Mode  Status  Uptime    Ports
A   258  N/A   up      14:45:26  Te 0/1,2 (up)
Port Extender Limit You can connect a maximum of 80 PE units to the C9010 control bridge.
PE Selection Logic After you provision port extenders and power them on, the PEs come online according to the selection logic in the scenarios described in this section. ● You may provision cascade ports for different PEs but connect the cascade ports to the same PE. In this case, only the PE with lowest PE ID comes online. In the following example, both cascade ports 1/0 and 1/12 are cabled to the same PE. However, port 1/0 is provisioned for PE 10; port 1/12 is provisioned for PE 20.
PE Discovery Status: Provisioned PE User Configured Cascade Ports: Te 1/0(A),Te 1/8(I),Te 1/12(A) Cascade LAG: Po 268(Up) --------------------------------------------------------------------Stack-id Status Reason Type UnitMac No.
Managing a Port Extender Manage the PEs connected to a parent C9010 through a Telnet session. You can display PE operational status and current stack configuration or reset the PE. Starting a Telnet Session To manage a standalone port extender or a PE stack, start a Telnet session with the PE or the master unit in the stack using the connect pe command. ● connect pe pe-id EXEC Privilege ○ pe-id is a port-extender ID number from 0 to 255.
PE-ID: 0 PE-CSP Tx Message: 0 PE-CSP Rx Message: 0 ECP Tx: 0 ECP Rx Ack: 0 ECP Dropped: 0 ECP Rx: 0 ECP Tx Ack: 0 PE-ID: 1 PE-CSP Tx Message: 10 PE-CSP Rx Message: 5 ECP Tx: 11 ECP Rx Ack: 11 ECP Dropped: 0 ECP Rx: 6 ECP Tx Ack: 6 PE-ID: 255 PE-CSP Tx Message: 9 PE-CSP Rx Message: 5 ECP Tx: 10 ECP Rx Ack: 10 ECP Dropped: 0 ECP Rx: 6 ECP Tx Ack: 6 Dell#show pe 10 system brief Stack MAC : a0:68:00:3f:92:bc -- Stack Info -Unit UnitType Status ReqTyp CurTyp Version Ports --------------------------------------
○ pe-stack-unit-id is a PE stack-unit ID number from 0 to 7. Dell# reset pe 0 stack-unit 1 Preventing Loops on Port Extender Ports The loop detection module's existing behavior is a simple Layer 2 mechanism that detects loops between PE interfaces and breaks the loop. It relies purely on data traffic sent toward PE interfaces causing continuous MAC moves between those PE interfaces.
This section covers the enhancements to this feature in Dell Networking OS 9.11.2.0, based on the following scenarios: Loop caused by mis-cabling across PEs or within a PE ● Two PE interfaces, PEX1 and PEX2, are wrongly looped back due to mis-cabling. ● Both interfaces are assigned to a VLAN that has an IP address. A simple ping to an IP address in the subnet results in a continuous loop that is not detected.
The first recommendation is to enable xSTP on the unmanaged switch. The uplink port connected to the PE must be configured as an edge port on the L2 switch. This ensures that the L2 switch cuts the local loop itself, without any PE interface having to be brought down. Bringing down the PE interface would leave the loop active in the switch, which affects all the hosts connected to the L2 switch.
EXEC Privilege mode upgrade system-image pe [{0-255} stack-unit [{0-7} | all] [rpmA: | rpmB:]] | [all [rpmA: | rpmB:]] Where: ● upgrade system-image pe {0-255} stack-unit {0-7} upgrades a standalone PE. ● upgrade system-image pe {0-255} stack-unit all upgrades all the units in a PE stack. The PE ID (0–255) specifies the stack master unit. ● upgrade system-image pe all upgrades all PEs discovered by the controlling bridge.
linecard linecard linecard linecard linecard RPM RPM RPM RPM RPM RPM RPM RPM RPM RPM 5 5 6 6 6 0 0 0 0 0 1 1 1 1 1 CPLD IAP FPGA CPLD IAP FPGA 1 CPLD FPGA 2 Backup FPGA IAP FPGA 1 CPLD FPGA 2 Backup FPGA IAP 3.2 2.5 2.1 3.2 2.14 2.6 2.0 2.0 3.2 2.14 2.6 2.0 2.0 3.2 PE RELEASE IMAGE INFORMATION : --------------------------------------------------------------------Platform Version Size ReleaseTime C-Series:C1048P 9.9(0.
Whenever the controlling bridge (CB) is upgraded to a new version of Dell Networking OS, the CB reloads and boots up with the new version. The CB checks the version compatibility of the checked-in PEs; if the CB detects a version mismatch, it automatically upgrades the PEs to the version that the CB is currently running. This behavior may cause traffic disruption if a large number of PEs are found to have a version mismatch.
Supported Features
● Because PE interfaces only support Layer 2 mode, you cannot configure IP addresses or Layer 3 protocol features. NOTE: The only Layer 3 feature supported on PE ports is L3 VLANs.
● A port extender supports the following L2 protocols on PE ports:
● A 802.
System A is the primary controlling bridge and System B is the secondary. When the primary system goes down, the secondary system acts as primary and controls the PEs. The common PE configurations are synchronized between the systems when configured using the Configuration Terminal Batch mode. NOTE: When multiple PEs are connected in a dual homing setup, ensure that each PE has a unique ID so that the IDs do not overlap during the configuration.
Systems with Port Extender The following diagram illustrates PE 1 connected to System A and PE 2 connected to System B. Figure 109. Systems with Port Extender — Before setting up Dual Homing You can connect System A and System B and configure them as VLT peers as follows: 1. Ensure that PE IDs of PE 1 and PE 2 are different. The IDs should be unique and cannot overlap during the configuration. 2. Ensure that System A and System B are upgraded to OS 9.10(0.) or later. 3.
Dell#import peer-config 10. The secondary PE comes online once the peer configurations are imported. Once configured, the system starts functioning as a dual homing setup as shown in the following diagram: Figure 110. Systems with Port Extender — After setting up Dual Homing You can configure PE 1 and PE 2 from both the systems.
SVC - Software Version Compatible Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch SVM - Software Version Mismatch, UE - Unknown Error Offline Reason: UNP - Unit Not Present, PVE - Port Validation Error ICE - IPC CP Error, IRE - IPC RP Error ISE - IPC Setup Error, CVE - Card Validation Error PE-ID assigned: 1 Status: online System Mac: f8:b1:56:6e:20:07 PE Up Time: 00:17:15 PE Discovery Status: Provisioned PE User Configured Cascade Ports: Te 1/4(A) Cascade LAG: Po 258, Local Status: Up, Remote Stat
Dell(conf-b-pe-1)# cascade interface TenGigabitEthernet 1/4 peer Once the cascade interfaces are configured, the PE starts functioning in a dual homing setup as shown in the following diagram: Figure 112. Standalone System and System with PE — After setting up Dual Homing You can configure PE 1 from both System A and System B. Systems without Port Extender You can connect two standalone systems in a VLT domain and then connect a PE to the systems to set up a dual homed environment.
PE CONFIGURATION (BATCH mode) cascade interface interface slot/port peer Dell# cascade interface TenGigabitEthernet 1/4 peer Once the cascade interfaces are configured, the PE starts functioning in a dual homing setup as shown in the following diagram: Figure 114. Systems without Port Extender — After setting up Dual Homing You can configure PE 1 from both System A and System B. Upgrading to OS 9.10(0.0) To upgrade the Dell Networking OS 9.9(0.0) to OS 9.10(0.
Dell#show running-config pe ! feature extended-bridge ! pe provision 200 cascade interface TenGigabitEthernet 0/22-23 stack-unit 2 type C1048P Dell#show pe brief -- Port Extenders Information ----------------------------------------------------------PE-id Status Stack-size Type System-MAC ---------------------------------------------------------200 online 1 C1048P f8:b1:56:00:02:8a Dell#show pe 200 Codes: A - Active, I - Inactive SVC - Software Version Compatible Reason: CTM - Card Type Mismatch, CAM - CAM
!!!!!!Sep 7 19:20:23: %RPM0-P:CP %DOWNLOAD-6-UPGRADE: PE 0 manual upgrade result upgrade success. !!!!! Bootflash image upgrade for all cards completed successfully. Warning: Kindly save the system configuration before reloading. Dell# 2. Use the upgrade system-image all command to upgrade the image in both the CB and the PE. Dell#upgrade system-image all ftp: B: Address or name of remote host []: 10.16.127.141 Source file name []: $w/Releases/E9.9.0/E9.9.0.0/FTOS-C9000-9.9.0.0.
PE-ID assigned: 200 Status: offline System Mac: f8:b1:56:00:02:8a PE Up Time: 00:00:00 PE Discovery Status: Provisioned PE User Configured Cascade Ports: Te 0/22(A),Te 0/23(A) Cascade LAG: Po 458(Up) -----------------------------------------------------------------------Stack-id Status Reason Type UnitMac No.
Apr 3 00:41:02: %PE200-UNIT2-M:CP %CHMGR-0-PS_UP: Power supply 0 in unit 2 is up Apr 3 00:41:02: %PE200-UNIT2-M:CP %CHMGR-5-PEM_REMOVED: Power entry module 1 of unit 2 is absent Apr 3 00:41:02: %PE200-UNIT2-M:CP %CHMGR-5-FANTRAY_INSERTED: Fan tray 0 of Unit 2 is inserted Apr 3 00:41:02: %PE200-UNIT2-M:CP %CHMGR-2-SYSTEM_READY: System ready Apr 3 00:41:02: %PE200-UNIT2-M:CP %CHMGR-4-TEMP_STATUS_CHANGE: Unit 2 temperature state changed to 1 (Current temperature 36C).
146025615 bytes successfully copied Image upgraded to CP. !!!!!!!!!!!!!!!!!!!!!!!! Image upgraded to RP and Standby RPM. C9010-2# C9010-2#upgrade system-image linecard all rpmB: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Image upgraded to all linecards C9010-2# 2. Change the boot parameters to boot from the upgraded partition. Save and reload the secondary VLT peer.
Image upgraded to RP, Standby RPM and all linecards. C9010-1# 6. Change boot parameters to boot from upgraded partition. Save and reload the primary system along with the PEs. C9010-1#configure terminal C9010-1(conf)#boot system rpm0 primary system: B: C9010-1(conf)#boot system rpm1 primary system: B: C9010-1(conf)#end C9010-1#reload pe System configuration has been modified.
10. Both the VLT peers along with the PEs are online with the new software image. Supported Features on Dual Homing In a dual homing setup, the following configurations are supported: ● 802.
42 Port Extender (PE) Stacking You can stack up to eight port extenders using the mini-SAS stack ports on the back panel. The C1048P supports stacking only with other C1048P port extenders. The N20xx series devices support stacking only with other N20xx series port extenders. The N30xx series devices support stacking only with other N30xx series port extenders. Stacking is not supported on C9010 switches.
● You disconnect the master switch from the stack. NOTE: If a stack unit does not boot up at the same time as the other units, it does not participate in the election process, because the master and standby have already been elected. A unit that boots up late (even if it has a higher priority configured) joins as a member. To display the PE stack master, enter the show pe pe-id system brief command.
2. Enter Port-Extender Configuration mode to provision a PE stack by using the PE ID. A cascade LAG (port channel) is automatically created once the PE is provisioned. CONFIGURATION mode pe provision pe-id ● pe-id is a port-extender ID number from 0 to 255. 3. Configure the cascade ports on the C9010 that are attached to the PE stack units. The cascade ports must be operationally up (the no shutdown command) and have a default port configuration with no L2 or L3 configuration.
Example of Dual Homed PE Stack Dell(conf-b)#pe provision 2 Dell(conf-b-pe-2)#cascade interface TenGigabitEthernet 0/0 Dell(conf-b-pe-2)#cascade interface TenGigabitEthernet 1/4 peer Dell(conf-b)#commit Dell(conf-b)#end Dell# show pe 2 Codes: A - Active, I - Inactive SVC - Software Version Compatible Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch SVM - Software Version Mismatch, UE - Unknown Error Offline Reason: UNP - Unit Not Present, PVE - Port Validation Error ICE - IPC CP Error, IRE - IPC RP E
Renumbering a Stack Unit By default, the number of a PE stack unit is 0. After you create and power on a PE stack, the units automatically number from 0 to 7, starting at 0. To change the default or automatically assigned stack unit number, use the pe renumber command. NOTE: You can renumber a unit only when it is online and if no unit with the new stack-unit number is online. ● Configure a stack-unit number.
pe-id — port extender identifier. The range is 0 through 255. The following example shows the redundancy force-failover pe command. Dell#redundancy force-failover pe 3 A new standby is elected. When the former stack master comes back online, it becomes a member unit. ● Reset redundancy counters on a PE. EXEC Privilege mode redundancy reset-counter pe pe-id ○ pe-id — port extender identifier. The range is from 0 to 255. The following example shows the redundancy reset-counter pe command.
Removing a Unit from a PE Stack In a PE stack, the parent C9010 synchronizes the software configuration on all stack units. A stack member that is disconnected from the stack maintains this configuration. To remove a stack member from the stack, disconnect the stacking cables from the unit. You may disconnect the cable at any time, whether the unit is powered or unpowered, online or offline. The following example shows the status of stack-unit 1 before it is removed from the PE stack.
SVC - Software Version Compatible Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch SVM - Software Version Mismatch, UE - Unknown Error Offline Reason: UNP - Unit Not Present, PVE - Port Validation Error ICE - IPC CP Error, IRE - IPC RP Error ISE - IPC Setup Error, CVE - Card Validation Error PE-ID assigned: 10 Status: online System Mac: 00:01:02:03:11:01 PE Up Time: 00:02:14 PE Discovery Status: Provisioned PE User Configured Cascade Ports: Te 1/0(A),Te 1/8(I),Te 1/12(A) Cascade LAG: Po 268(Up) ----
Required Type : C1048P - 48-port GE Current Type : C1048P - 48-port GE Master priority : 0 Hardware Rev : 5.0 Num Ports : 52 Up Time : 1 hr, 36 min Dell Networking OS Version : 9-9(0-8) Jumbo Capable : yes POE Capable : yes FIPS Mode : disabled Boot Flash : 3.3.1.
Configuring the Unused PE Uplink Ports as Front-End Ports In a stacked PE setup, you can configure an unused uplink port as a front-end (access) port. If there are unused uplink ports in the stacked PE setup, they can be converted to access ports. This configuration is done using the following command: stack-unit unit-id access-ports port-range CAUTION: Use caution when configuring an uplink port as an access port. Converting the uplink port that is connected to the CB disconnects the PE.
Table 69.
The following example shows the show configuration output: Dell(conf-pe-2)# show config ! pe provision 2 stack-unit 1 type C1048P stack-unit 1 access-ports 1 stack-unit 3 type N2024P-PE cascade interface TenGigabitEthernet 1/2 The following example shows the show interfaces petenGigE 2/1/49 output: DellEMC#show interfaces petenGigE 2/1/49 peTenGigE 2/1/49 is down, line protocol is down Hardware is DellEMCEth, address is 00:00:00:00:00:00 Current address is 00:00:00:00:00:00 Pluggable media not present No tr
The following example turns on the green blinking light on the main PSU LED on port extender 0 stack unit 5. Dell#location-led pe 0 stack-unit 5 on The following example disables the location-led feature on the PE stack-unit 5 Dell#location-led pe 0 stack-unit 5 off Troubleshooting a PE Stack To troubleshoot the operation of a PE stack, use the following tasks.
43 Port Monitoring Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. The Dell Networking OS supports the following mirroring techniques: ● Port monitoring — Monitors network traffic by forwarding a copy of incoming and outgoing packets from a source port to a destination port on the same network router.
Figure 116. Port Monitoring Configurations Dell Networking OS Behavior: All monitored frames are tagged if the configured monitoring direction is egress (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs. If the MD port is a Layer 3 port, the frames are tagged with VLAN ID 4095.
300 Te 0/17 Te 0/1 Dell(conf-mon-sess-300)# tx interface Port-based Example of Configuring Another Monitoring Session with a Previously Used Destination Port Dell(conf)#mon ses 300 Dell(conf-mon-sess-300)#source tengig 0/17 destination tengig 0/4 direction tx %Unable to create MTP entry for MD tenG 0/17 MG tenG 0/4 in stack-unit 0 port-pipe 0.
NOTE: VLAN 4092 and VLAN 4093 are reserved VLANs. You cannot configure these VLANs. ● For a port channel interface, enter the keyword port-channel then the port-channel ID. destination — Enter the keyword destination to specify the destination interface. To monitor ingress, egress, or both ingress and egress packets on the specified port, enter the keyword direction then one of the packet direction indicators. ● rx: to monitor received packets only. ● tx: to monitor transmitted packets only.
Figure 117. Port Monitoring Example Remote Port Mirroring Local port monitoring allows you to monitor traffic from one or more source ports by directing it to a destination port on the same switch/router. Remote port mirroring allows you to monitor Layer 2 and Layer 3 ingress and/or egress traffic on multiple source ports on different switches and forward the mirrored traffic to multiple destination ports on different switches.
The reserved VLANs transport the mirrored traffic in sessions (blue pipes) to the destination analyzers in the local network. Two destination sessions are shown: one for the reserved VLAN that transports orange-circle traffic; one for the reserved VLAN that transports green-circle traffic. Figure 118.
● To associate with a destination session, the reserved VLAN can have multiple member ports. ● The reserved VLAN cannot have untagged ports. In the reserved L2 VLAN used for remote port mirroring: ● MAC address learning in the reserved VLAN is automatically disabled. ● The reserved VLAN for remote port mirroring can be automatically configured in intermediate switches by using GVRP. ● There is no restriction on the VLAN IDs used for the reserved remote-mirroring VLAN. Valid VLAN IDs are from 2 to 4094.
To display the currently configured source and destination sessions for remote port mirroring on a switch, enter the show monitor session command in EXEC Privilege mode.
Following is a sample configuration of RPM on a destination switch. Encapsulated Remote Port Monitoring Encapsulated Remote Port Monitoring (ERPM) copies traffic from source ports/port-channels or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination IP address specified in the session. NOTE: When configuring ERPM, follow these guidelines: ● The Dell EMC Networking OS supports ERPM source sessions only.
Port Monitoring on VLT Devices on which VLT is configured are seen as a single device in the network. You can apply the port monitoring function to the VLT devices in the network. Port monitoring enables ingress or egress traffic traversing a port to be sent to another port so that the traffic can be analyzed. The port to which traffic is sent for analysis is called the mirroring port. This port is connected to a port analyzer, which performs the traffic analysis function.
Table 71. RPM over VLT Scenarios (continued)
Columns: Scenario; RPM Restriction; Recommended Solution
Scenario: Mirroring an ICL LAG to Orphan Port. RPM Restriction: No restrictions apply. Recommended Solution: In this scenario, the ICL LAG is mirrored to any orphan port on the same VLT device. The packet analyzer is connected to the local VLT device through the orphan port. If the packet analyzer is directly connected to the VLT device, use a local port mirroring session instead of RPM.
Scenario: Mirroring an ICL LAG to the VLT LAG. RPM Restriction: No restrictions apply.
Row continued from the previous page: VLT LAG on the same VLT device. The packet analyzer is connected to the TOR switch. RPM Restriction: mirrored traffic if max rate limit value is configured in the RPM mirror session.
Scenario: Mirroring with a VLAN as source and destination. RPM Restriction: If the members of the source and destination VLANs are the same in a single monitoring session, no restrictions apply. Recommended Solution: None.
44 Power over Ethernet (PoE) The PoE feature supports electrical power and transmission of data on Ethernet cabling. A single cable can provide both a data connection and electrical power to attached devices such as wireless access points or IP cameras. The PoE feature is supported on a C1048P, N2024P, N2048P, N3024P, or N3048P port extender (PE); PoE is not supported on the C9010 switches. PoE, as described by IEEE 802.3af, specifies that a maximum of 15.
Configuring PoE or PoE+ Configuring PoE or PoE+ is a two-step process: 1. Connect the IEEE 802.3af/802.3at-compliant powered device directly to a port. 2. Enable PoE or PoE+ on the port extender. Enabling PoE or PoE+ on a Port By default, PoE or PoE+ is disabled. Configuration tasks for PoE include: ● Enabling PoE and managing the inline power supplied to the port extender ports using the power inline mode command. To manage inline power in a port extender, configure Class or Static mode.
1. Power-inline mode: Class or Static
NOTE: Static ports have a higher weight than Class mode ports, so all static ports always stay on top of all class ports, regardless of the other three parameters.
2. Power inline priority configuration
3. Link layer discovery protocol-media endpoint discovery (LLDP-MED) priority the power device (PD) sends in the Extended Power-via-medium dependent interface (MDI) type, length, value (TLV), or the priority the PD sends in the IEEE 802.3at power-via-MDI TLV
4.
Configuring Power Management on the PE — Class and Static Mode By default, PoE or PoE+ is disabled. To manage the inline power supplied to the port extender ports, use the power inline mode command in Configuration mode. The mode configuration applies to all the ports on the port extender. To manage the inline power in a port extender, you can configure Class or Static mode. This command has the following parameters.
Allocate PoE Power to Powered Devices to a Connected PE Interface To enable inline power and configure the maximum power allocation and priority for the powered device connected to a port extender interface, use the power inline {[max_milliwatts] | priority {critical | high | low}} command in Interface mode. By default, power inline is disabled. Port Prioritization To specify the priority on a particular interface on the port extender, use the power inline priority command.
Dell(conf-if-pegi-255/0/1)#power inline ? <440-30000> Max milliwatts (default = 30000) priority Configure poe priority Dell(conf-if-pegi-0/0/1)#power inline 30000 Example of Setting the Priority to Critical The following example sets the priority on interface peGigE 255/0/1 to critical.
Figure 120.
Advertising the Extended Power through MDI The power device sends the following information in the LLDP-MED extended power-via-MDI TLV. 1. Power Requirement: Dell Networking OS uses it for power allocation 2. Power Priority — Critical, High, or Low: Dell Networking OS uses it for power priority calculation. 3. External Power Source: Dell Networking OS does not use this information. IEEE 802.3at power-via-mdi TLV To configure the system or an interface to advertise IEEE 802.
● Configure the system or an interface to advertise the IEEE 802.3 power-via-mdi TLV, which advertises its power negotiation capabilities to the powered devices using LLDP. LLDP CONFIGURATION or INTERFACE LLDP CONFIGURATION mode advertise dot3-tlv power-via-mdi Example of Advertising in LLDP Configuration Mode The following example configures all the interfaces to advertise extended power through dot3-TLVs in configuration mode.
Figure 121. PoE VoIP Creating VLANs for an Office VoIP Deployment The phone in the previous figure requires one tagged VLAN for VoIP service and one untagged VLAN for PC data, as shown in the following example. You can configure voice signaling on the voice VLAN but some implementations may need an extra tagged VLAN for this traffic.
no disable
Dell#show lldp neighbors
Loc PortID   Rem Chassis Id   Rem Port Id
-------------------------------------
Gi 0/6/10    0.0.0.0          001B0CDBA109:P1
Gi 0/6/11    0.0.0.0          001AA2197992:P1
Gi 0/6/22    0.0.0.0          08:00:0f:22:7f:83
Gi 0/6/23    0.0.0.0          08:00:0f:23:de:a9
Configuring QoS for an Office VoIP Deployment There are several ways you can use quality of service (QoS) to map ingress phone and PC traffic to give them each a different quality of service.
Classifying VoIP Traffic and Applying QoS Policies You can avoid congestion and give precedence to voice and signaling traffic by classifying traffic based on the subnet and using strict priority and bandwidth weights on egress, as outlined in the following steps. The following figure depicts the topology and configuration for a C9000 system. Figure 122. PoE VoIP Traffic To classify VoIP traffic and apply QoS policies for an office VoIP deployment, use the following commands: 1.
Example of the sh run acl command. Dell#sh run acl ! ip access-list extended pc-subnet seq 5 permit ip 201.1.1.0/24 any ! ip access-list extended phone-signalling seq 5 permit ip 192.1.1.0/24 host 192.1.1.1 ! ip access-list extended phone-subnet seq 5 permit ip 192.1.1.
Upgrading the PoE Controller To upgrade the PoE controller firmware on a port extender, use the following command. You can upgrade the PoE controller firmware using the firmware packaged with the Dell Networking OS. After the upgrade is successful, the port extender reloads automatically. NOTE: You cannot upgrade the PoE controller when any other upgrade is in progress. Upgrading the PoE controller may take a few minutes to complete. Also, the CLI is blocked until the upgrade is complete. 1.
● Restore inline power on the port extender. EXEC privilege mode power inline restore pe pe-id stack-unit unit-number ○ pe pe-id — Specify the port extender ID. The range is from 0 to 255. ○ stack-unit unit-number — Specify the stack unit number of the port extender. The range is from 0 to 7. Example of Restoring Power Delivery on the Port Extender The following example disables power delivery on the port extender.
Table 73. Power Budgeting for the PE (continued)
PoE or PoE+ Power Budget Limit
Columns: Model Name; Maximum PSU Output Ability (1 PSU); Maximum PSUs Output Ability (2 PSUs); System Power Consumed; Redundancy Power Consumed; Threshold; Max In-line Power Available
Row continued from the previous page: Maximum PSU Output Ability (1 PSU): by default. Supports up to two 1100 W PSUs. Maximum PSUs Output Ability (2 PSUs): Up to 2200 W. System Power Consumed: 150 W. Redundancy Power Consumed: 150 W. Threshold: 99%. Max In-line Power Available: 1881 W.
N3048P: Maximum PSU Output Ability (1 PSU): 1100 W FRU power supplies by default. Supports up to two 1100 W PSUs.
Displaying Power Allocated to Power Devices To display PoE allocation to power devices by the port extender or port extender interface, use the following command. For more information on PoE power allocation, see Allocating PoE Power on an Interface. ● Display PoE allocation on a port extender or port extender interface. Exec and EXEC Privilege mode show power inline {pe pe-id stack-unit unit-number | {interface interface} ● pe pe-id — Enter the keyword pe and the port extender ID.
Table 75. show power inline Field Description (continued) Field Description NOTE: You can configure priority or it is received via 802.3 Power via MDI. The user-configured priority always takes precedence. See the power inline priority command in the Power Over Ethernet (PoE) chapter of the Dell Networking OS Command Reference Guide. LLDP Support Displays whether the power requested is via LLDP-MED extended power-via-mdi TLV (displays as “LLDP-MED”) or IEEE 802.
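As an added example (not code from the guide), the Table 73 budget arithmetic and the power-up ordering of PE ports from the numbered list above, in Python. The budget relation is inferred from the table row with 2200 W, 150 W, 150 W, 99% and 1881 W; the fourth ordering parameter (cut off above) is not modelled; the allocation policy and the sample ports are assumptions.

```python
"""PoE budget arithmetic and port power-up ordering for a Dell port extender (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}   # configured and LLDP priorities, best first
MIN_PORT_MW, MAX_PORT_MW = 440, 30000                    # power inline <440-30000> range on the page

def inline_power_budget_w(psus_output_w: float, system_w: float,
                          redundancy_w: float, threshold_pct: float) -> float:
    """Max in-line power available to powered devices.

    Assumed relation, inferred from one row of Table 73: subtract the system and
    redundancy power from the PSU output, then apply the threshold percentage.
    (2200 - 150 - 150) * 99% reproduces the table's 1881 W.
    """
    usable = psus_output_w - system_w - redundancy_w
    if usable < 0:
        raise ValueError("system and redundancy power exceed PSU output")
    return usable * threshold_pct / 100.0

@dataclass(frozen=True)
class PoePort:
    name: str
    mode: str                       # power inline mode: "static" or "class"
    priority: str                   # configured power inline priority
    lldp_priority: Optional[str]    # priority the PD sent in its power-via-MDI TLV, if any
    requested_mw: int               # power the PD asks for, in milliwatts

    def __post_init__(self) -> None:
        if self.mode not in ("static", "class"):
            raise ValueError(f"{self.name}: mode must be static or class")
        if self.priority not in PRIORITY_RANK:
            raise ValueError(f"{self.name}: bad priority {self.priority!r}")
        if not MIN_PORT_MW <= self.requested_mw <= MAX_PORT_MW:
            raise ValueError(f"{self.name}: request outside {MIN_PORT_MW}-{MAX_PORT_MW} mW")

def power_weight(port: PoePort) -> Tuple[int, int, int]:
    """Sort key in the page's order: static before class, then the configured priority,
    then the LLDP-MED/802.3at priority. The configured priority always takes precedence
    over the LLDP one, so it is compared first; PDs that sent no priority rank last."""
    mode_rank = 0 if port.mode == "static" else 1
    lldp_rank = PRIORITY_RANK.get(port.lldp_priority, len(PRIORITY_RANK))
    return (mode_rank, PRIORITY_RANK[port.priority], lldp_rank)

def allocate(ports: List[PoePort], budget_w: float) -> Tuple[List[str], List[str]]:
    """Grant power in weight order until the budget is used up.

    Assumed policy: a port whose request does not fit in the remaining budget is denied
    and allocation continues with lower-weight ports. Returns (powered, denied) names.
    """
    remaining_mw = int(budget_w * 1000)
    powered, denied = [], []
    for port in sorted(ports, key=power_weight):   # stable sort keeps ties in input order
        if port.requested_mw <= remaining_mw:
            powered.append(port.name)
            remaining_mw -= port.requested_mw
        else:
            denied.append(port.name)
    return powered, denied

# Constructed sample ports (not from the guide), named in the page's peGigE pe/unit/port style.
SAMPLE_PORTS = [
    PoePort("peGigE 0/0/1", "class", "low", "critical", 15400),   # LLDP says critical, config says low
    PoePort("peGigE 0/0/2", "class", "critical", None, 30000),    # no LLDP-MED TLV received
    PoePort("peGigE 0/0/3", "static", "low", None, 25500),        # static always ranks above class
    PoePort("peGigE 0/0/4", "class", "high", "low", 7000),
    PoePort("peGigE 0/0/5", "class", "low", "high", 4000),
]
```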
45 Private VLANs (PVLAN) Private VLANs (PVLANs) extend Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN). A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports or trunk ports.
PVLAN port types include: ● Host port — in the context of a private VLAN, is a port in a secondary VLAN. The port must first be assigned that role in INTERFACE mode. ○ Host port that belongs to a community VLAN is allowed to communicate with other ports in the same community VLAN and with promiscuous ports & Trunk Port in Same PVLAN ○ Host port can be part of either community VLAN or isolated VLAN. The bhavior of host port will change with respect to its presence in community and isolated VLAN.
Configuration Task List
The following sections contain the procedures that configure a private VLAN.
● Creating PVLAN Ports
● Creating a Primary VLAN
● Creating a Community VLAN
● Creating an Isolated VLAN
Creating PVLAN ports
PVLAN ports are those that will be assigned to the PVLAN.
1. Access INTERFACE mode for the port that you want to assign to a PVLAN.
CONFIGURATION mode
interface interface
2. Enable the port.
INTERFACE mode
no shutdown
3. Set the port in Layer 2 mode.
INTERFACE mode
switchport
4.
1. Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces.
CONFIGURATION mode
interface vlan vlan-id
2. Enable the VLAN.
INTERFACE VLAN mode
no shutdown
3. Set the PVLAN mode of the selected VLAN to primary.
INTERFACE VLAN mode
private-vlan mode primary
4. Map secondary VLANs to the selected primary VLAN.
You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add host (isolated) ports to the VLAN.
Creating an Isolated VLAN
An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN.
1. Access INTERFACE VLAN mode for the VLAN that you want to make an isolated VLAN.
CONFIGURATION mode
interface vlan vlan-id
2. Enable the VLAN.
Private VLAN Configuration Example
The following example shows a private VLAN topology.
Figure 123. Sample Private VLAN Topology
The following configuration is based on the example diagram:
● Te 0/0 and Te 23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000.
● Te 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
● Te 0/24 and Te 0/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
● The S50V ports would have the same intra-switch communication characteristics as described for the C300.
● For transmission between switches, tagged packets originating from host PVLAN ports in one secondary VLAN and destined for host PVLAN ports in the other switch travel through the promiscuous ports in the local VLAN 4000 and then through the trunk ports (0/25 in each switch).
Inspecting the Private VLAN Configuration
The standard methods of inspecting configurations also apply in PVLANs.
NOTE: In the following example, notice the addition of the PVLAN codes – P, I, and C – in the left column. The following example shows the VLAN status.
46 Quality of Service (QoS) This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Figure 124.
Implementation Information The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Honoring dot1p Priorities on Ingress Traffic By default, the system does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries.
rate shape
● Apply rate shaping to a queue.
QoS Policy mode
rate shape
Dell#config
Dell(conf)#interface tengigabitethernet 1/2
Dell(conf-if)#rate shape 500 50
Dell(conf-if)#end
Dell#
Policy-Based QoS Configurations
Policy-based QoS configurations consist of the components shown in the following example.
Figure 125. Constructing Policy-Based QoS Configurations
Classify Traffic
Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic.
Creating a Layer 3 Class Map
A Layer 3 class map differentiates ingress packets based on the DSCP value, IP precedence, VLANs, or characteristics defined in an IP ACL. You can also use VLAN IDs and VRF IDs to classify the traffic using Layer 3 class maps. You can specify more than one DSCP and IP precedence value, but only one value needs to match to trigger a positive match for the class map.
NOTE: IPv6 and IP-any class maps cannot match on ACLs or VLANs.
Creating a Layer 2 Class Map
All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command. A Layer 2 class map differentiates traffic according to 802.1p value and/or characteristics defined in a MAC ACL. Use Step 1 or Step 2 to start creating a Layer 2 class map.
1. Create a match-any class map.
CONFIGURATION mode
class-map match-any
2. Create a match-all class map.
CONFIGURATION mode
class-map match-all
3.
To configure IP VLAN and DSCP match criteria in a Layer 3 class map, and apply the class and policy maps to a service queue:
1. Create a match-any or a match-all Layer 3 class map, depending on whether you want the packets to meet all or any of the match criteria. By default, a Layer 3 class map is created if you do not enter the layer2 option with the class-map command. When you create a class map, you enter the class-map configuration mode.
CONFIGURATION mode
Dell(conf)#class-map match-all pp_classmap
2.
The following example shows incorrect traffic classifications.
2. After you create an input QoS policy, do one or more of the following:
● Configuring Policy-Based Rate Policing
● Setting a DSCP Value for Egress Packets
● Setting a dot1p Value for Egress Packets
Configuring Policy-Based Rate Policing
To configure policy-based rate policing, use the following command.
● Configure rate police ingress traffic.
Strict-Priority Queuing
You can configure strict-priority queueing in an output QoS policy. Strict-priority means that the system de-queues all packets from the assigned queue before servicing any other queues. Strict-priority queueing is performed using the Scheduler Strict feature. When scheduler strict is applied to multiple queues, the higher queue number takes precedence. For more information, see Enabling Strict-Priority Queueing.
NOTE: Strict priority on a global level is not supported.
● Allocate bandwidth to queues.
bandwidth-percentage
Assign each queue a bandwidth percentage ranging from 1 to 100%, in increments of 1%.
Specifying WRED Drop Precedence
You can configure the WRED drop precedence in an output QoS policy.
● Apply a WRED profile to yellow and/or green traffic.
QOS-POLICY-OUT mode
wred
For more information, refer to Applying a WRED Profile to Traffic.
Create Policy Maps
There are two types of policy maps: input and output.
Honoring DSCP Values on Ingress Packets You can configure the ability to honor DSCP values on ingress packets by using the Trust DSCP feature. The following table lists the standard DSCP definitions and indicates how DSCP values are mapped to queues. When you configure trust DSCP, the matched packets and matched bytes counters are not incremented in the show qos statistics. Table 79.
Mapping dot1p Values to Service Queues
All traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Honoring dot1p Values on Ingress Packets. You may apply this queuing strategy globally by entering the following command from CONFIGURATION mode.
● All dot1p traffic is mapped to Queue 0 unless you enable service-class dynamic dot1p on an interface or globally.
Applying an Output QoS Policy to a Queue
To apply an output QoS policy to a queue, use the following command.
● Apply an output QoS policy to queues.
INTERFACE mode
service-queue
Specifying an Aggregate QoS Policy
To specify an aggregate QoS policy, use the following command.
● Specify an aggregate QoS policy.
POLICY-MAP-OUT mode
policy-aggregate
Applying an Output Policy Map to an Interface
To apply an output policy map to an interface, use the following command.
To create a DSCP color map:
1. Create the color-aware map QoS DSCP color map.
CONFIGURATION mode
qos dscp-color-map color-map-name
2. Create the color aware map profile.
DSCP-COLOR-MAP mode
dscp {yellow | red} {list-dscp-values}
3. Apply the map profile to the interface.
CONFIG-INTERFACE mode
qos dscp-color-policy color-map-name
Example: Create a DSCP Color Map
The following example creates a DSCP color map profile and color-awareness policy, and applies it to interface te 0/11.
Display summary information about a color policy for one or more interfaces.
Dell# show qos dscp-color-policy summary
Interface dscp-color-map
TE 0/10 mapONE
TE0/11 mapTWO
Display summary information about a color policy for a specific interface.
NOTE: Assigning strict priority scheduling to a unicast queue on all ports using a global command is not supported. However, you can configure both the unicast and the multicast queue belonging to a dot1p to use strict priority scheduling using policy maps and then associate the policy map with the egress interface.
Weighted Random Early Detection
Weighted random early detection (WRED) is a congestion avoidance mechanism that drops packets to prevent buffering resources from being consumed.
Table 81. Pre-Defined WRED Profiles (continued)
Wred-profile-name | min-threshold | max-threshold | max-drop-rate
wred_fortyg_g | 594 | 5941 | 25
wred_oneg_y_pe | 154 | 1538 | 100
wred_oneg_g_pe | 154 | 1538 | 50
wred_teng_y_pe | 154 | 1538 | 50
wred_teng_g_pe | 154 | 1538 | 25
Creating WRED Profiles
To create WRED profiles, use the following commands.
1. Create a WRED profile.
CONFIGURATION mode
wred
2. Specify the minimum and maximum threshold values.
Displaying WRED Drop Statistics
To display WRED drop statistics, use the following command.
● Display the number of packets that the WRED profile drops.
EXEC Privilege mode
show qos statistics
The following shows the show qos statistics output.
Dell# show qos statistics wred-profile
Interface Te 0/49
Drop-statistic Green Yellow Out of Profile
Dropped Pkts 51624 51300 0
The following shows the show qos statistics output on the port extender.
● If the WRED drop precedence determines that the packet should be dropped but the ECN field in the packet header indicates that the endpoints are ECN-capable, the packet is marked with a congestion-experienced (CE) bit and transmitted. ● If the ECN field indicates that both endpoints are not ECN-capable, the packet can be dropped according to the configured WRED drop precedence.
class-map match-any ecn_0_cmap
match ip access-group ecn_0 set-color yellow
policy-map-input ecn_0_pmap
service-queue 0 class-map ecn_0_cmap
Applying the policy map “ecn_0_pmap” marks all incoming packets with the ECN field set to 0 for “yellow” handling on queue 0 (default queue).
match ip access-group dscp_50_ecn
policy-map-input pmap_dscp_40_50
service-queue 2 class-map class_dscp_40
service-queue 3 class-map class_dscp_50
Using A Configurable Weight for WRED and ECN
The switch supports a user-configurable weight that determines the average queue size used in WRED and Explicit Congestion Notification (ECN) operation on front-end I/O and backplane interfaces.
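The WRED drop decision, the ECN marking rule from the previous section, and the effect of the configurable weight, as an added Python example (not Dell Networking OS code). The thresholds are the guide's pre-defined wred_teng_g_pe profile; the average-queue formula (an exponential moving average with a 2^-weight gain, as in standard RED) and the queue-depth samples are assumptions, since the guide exposes the weight but not the formula.

```python
"""WRED drop decision with ECN marking and a configurable averaging weight.

Added example, not Dell Networking OS code. Profile values are the guide's
wred_teng_g_pe (min 154, max 1538, max-drop-rate 25). The RED-style moving
average with a 2^-weight gain and the queue depths below are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
import random

# ECN codepoints in the IP header (RFC 3168)
NOT_ECT, ECT1, ECT0, CE = 0b00, 0b01, 0b10, 0b11


@dataclass(frozen=True)
class WredProfile:
    name: str
    min_threshold: int
    max_threshold: int
    max_drop_rate: int  # percent, reached at max_threshold

    def drop_probability(self, avg_queue: float) -> float:
        """Linear WRED curve: 0 below min, max_drop_rate at max, tail-drop above."""
        if avg_queue < self.min_threshold:
            return 0.0
        if avg_queue >= self.max_threshold:
            return 1.0
        span = self.max_threshold - self.min_threshold
        return (avg_queue - self.min_threshold) / span * (self.max_drop_rate / 100.0)


WRED_TENG_G_PE = WredProfile("wred_teng_g_pe", 154, 1538, 25)


class WredEcnQueue:
    """One egress queue with a WRED profile, an averaging weight and optional ECN."""

    def __init__(self, profile: WredProfile, weight: int, ecn: bool,
                 rng: random.Random | None = None) -> None:
        self.profile, self.weight, self.ecn = profile, weight, ecn
        self.avg = 0.0
        self.rng = rng or random.Random(1)  # seeded so a run is reproducible
        self.stats = {"forward": 0, "mark": 0, "drop": 0}

    def update_average(self, current_depth: int) -> float:
        # A larger weight smooths the average and slows the reaction to bursts.
        self.avg += (2.0 ** -self.weight) * (current_depth - self.avg)
        return self.avg

    def admit(self, ecn_field: int, current_depth: int) -> tuple[str, int]:
        """Decide for one arriving packet; return (action, outgoing ECN field)."""
        p = self.profile.drop_probability(self.update_average(current_depth))
        if self.rng.random() >= p:
            action, out = "forward", ecn_field
        elif self.ecn and ecn_field in (ECT0, ECT1):
            # WRED chose to drop, but both endpoints are ECN-capable:
            # set the CE codepoint and transmit instead of dropping.
            action, out = "mark", CE
        else:
            # Not ECN-capable (or ECN disabled): drop per the WRED precedence.
            action, out = "drop", ecn_field
        self.stats[action] += 1
        return action, out


def run_burst(queue: WredEcnQueue, depths: list[int], ecn_field: int) -> dict[str, int]:
    """Push one packet per queue-depth sample and return the action tallies."""
    for depth in depths:
        queue.admit(ecn_field, depth)
    return dict(queue.stats)


if __name__ == "__main__":
    burst = [100] * 20 + [800] * 40 + [1600] * 20 + [200] * 20   # constructed depths
    for ecn in (False, True):
        q = WredEcnQueue(WRED_TENG_G_PE, weight=3, ecn=ecn)
        print(f"ecn={ecn}: {run_burst(q, burst, ECT0)}")
```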
Global Service-Pools for WRED with ECN You can enable WRED with ECN to work with global service-pools. Global service pools that function as shared buffers are accessed by multiple queues when the minimum guaranteed buffers for a queue are consumed. The switch supports four global service-pools in the egress direction. Two types of service-pools are used: one for lossy queues and the other for lossless (priority-based flow control (PFC)) queues.
Table 82. Scenarios for WRED and ECN Configuration (continued)
Queue Configuration | Service-Pool Configuration | WRED Threshold Relationship | Expected Functionality
Q threshold = Q-T | Service-pool threshold = SP-T | SP-T < Q-T | Same as above but ECN marking starts above SP-T.
Configuring a Weight for WRED and ECN Operation
You can configure a WRED weight to customize WRED and ECN operation on a front-end or backplane interface.
Pre-Calculating Available QoS CAM Space Pre-calculating available QoS CAM space allows you to measure the number of CAM entries a policy-map consumes. This feature allows you to avoid applying a policy-map on an interface that requires more CAM entries than are available and receive a CAM full error message (shown in the following example). The partial policy-map configuration might cause unintentional system behavior.
● fpEgrQBuffSnapshotTable: Retrieves BST statistics from the egress port used in a buffer. This table displays a snapshot of the buffer cells used by unicast and multicast data and control queues. ● fpIngPgBuffSnapshotTable: Retrieves BST statistics from the ingress port for the shared and headroom cells used in a priority group. The snapshot of the ingress shared cells and the ingress headroom cells used for each priority group are displayed in this table when PFC is enabled.
47 Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm. RIP protocol standards are listed in the Standards Compliance chapter.
Topics:
• Protocol Overview
• Implementation Information
• Configuration Information
Protocol Overview
RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2).
Table 83. RIP Defaults
Feature | Default
Interfaces running RIP | ● Listen to RIPv1 and RIPv2 ● Transmit RIPv1
RIP timers | ● update timer = 30 seconds ● invalid timer = 180 seconds ● holddown timer = 180 seconds ● flush timer = 240 seconds
Auto summarization | Enabled
ECMP paths supported | 16
Configuration Information
By default, RIP is disabled on the switch. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
To view the global RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
Dell(conf-router_rip)#show config
!
router rip
network 10.0.0.0
Dell(conf-router_rip)#
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
Dell#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 0/0
160.160.0.0/16 auto-summary
2.0.0.
● Define a specific router to exchange RIP information between it and the Dell Networking system. ROUTER RIP mode neighbor ip-address You can use this command multiple times to exchange RIP information with as many RIP networks as you want. ● Disable a specific interface from sending or receiving RIP routing information.
Setting the Send and Receive Version
To change the RIP version globally or on an interface, use the following command. To specify the RIP version, use the version command in ROUTER RIP mode. To set an interface to receive only one or the other version, use the ip rip send version or the ip rip receive version commands in INTERFACE mode. You can set one RIP version globally on the system using the version command.
Default redistribution metric is 1
Default version control: receive version 2, send version 2
Interface Recv Send
FastEthernet 0/0 2 1 2
Routing for Networks:
10.0.0.0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 120)
Dell#
Generating a Default Route
Traffic is forwarded to the default route when the traffic’s network is not explicitly listed in the routing table. Default routes are not enabled in RIP unless specified.
ROUTER RIP mode
distance weight [ip-address mask [access-list-name]]
Configure the following parameters:
○ weight: the range is from 1 to 255. The default is 120.
○ ip-address mask: the IP address in dotted decimal format (A.B.C.D), and the mask in slash format (/x).
○ access-list-name: the name of a configured IP ACL.
● Apply an additional number to the incoming or outgoing route metrics.
Figure 127. RIP Topology Example
RIP Configuration on Core2
The following example shows how to configure RIPv2 on a host named Core2.
Core2(conf-if-te-2/31)#
Core2(conf-if-te-2/31)#router rip
Core2(conf-router_rip)#ver 2
Core2(conf-router_rip)#network 10.200.10.0
Core2(conf-router_rip)#network 10.300.10.0
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.0
Core2(conf-router_rip)#show config
!
router rip
network 10.0.0.
B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated,
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2,
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area,
* - candidate default, > - non-active route, + - summary route
Gateway of last resort is not set
Destination Gateway Dist/Metric Last Change
----------- ------- ----------- -----------
C 10.11.10.
version 2
Core3(conf-router_rip)#
Core 3 RIP Output
The examples in this section show the Core 3 RIP output.
● To display the Core 3 RIP database, use the show ip rip database command.
● To display the Core 3 RIP setup, use the show ip route command.
● To display the Core 3 RIP activity, use the show ip protocols command.
To view learned RIP routes on Core 3, use the show ip rip database command.
Core3#show ip rip database
Total number of routes in RIP database: 7
10.11.10.0/24 [120/1] via 10.11.20.
TenGigabitEthernet 3/11 2 2
TenGigabitEthernet 3/44 2 2
TenGigabitEthernet 3/43 2 2
Routing for Networks:
10.11.20.0
10.11.30.0
192.168.2.0
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
10.11.20.2 120 00:00:22
Distance: (default is 120)
Core3#
RIP Configuration Summary
The following example shows viewing the RIP configuration on Core 2.
!
interface TengigabitEthernet
ip address 10.11.10.1/24
no shutdown
!
interface TengigabitEthernet
ip address 10.11.20.
network 10.11.30.0
network 192.168.1.0
network 192.168.2.
48 Remote Monitoring (RMON) Remote monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
[no] rmon alarm number variable interval {delta | absolute} rising-threshold [value event-number] falling-threshold value event-number [owner string]
OR
[no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string]
Configure the alarm using the following optional parameters:
○ number: alarm number, an integer from 1 to 65,535; the value must be unique in the RMON Alarm Table.
In the following example, the configuration creates RMON event number 1, with the description “High ifOutErrors”, and generates a log entry when an alarm triggers the event. The user nms1 owns the row that is created in the event table by this command. This configuration also generates an SNMP trap when the event is triggered using the SNMP community string “eventtrap”.
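An added Python model (not Dell Networking OS code) of how the alarm and event entries above work together: delta or absolute sampling, rising and falling thresholds with the RFC 2819 hysteresis (after a rising event no further rising event fires until the falling threshold is reached), and event 1 producing a log entry plus a trap as described. Event 2, the thresholds and the ifOutErrors counter readings are constructed.

```python
"""RMON alarm and event evaluation behind rmon alarm / rmon event.

Added example, not Dell Networking OS code. Event 1 ("High ifOutErrors",
log plus trap with community "eventtrap", owner nms1) is the guide's; event 2,
the thresholds and the counter samples are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class RmonEvent:
    number: int
    description: str
    log: bool = True            # write an entry to the RMON log table
    trap_community: str = ""    # send an SNMP trap with this community when set
    owner: str = ""

    def fire(self, alarm_number: int, value: int) -> str:
        """Return the log line the event produces (trap delivery is not modelled)."""
        action = "log" + ("+trap" if self.trap_community else "")
        return f"event {self.number} [{action}] alarm {alarm_number}: {self.description} (value {value})"


@dataclass
class RmonAlarm:
    number: int
    variable: str               # sampled MIB variable, e.g. ifOutErrors.1
    interval: int               # sampling interval in seconds
    sample_type: str            # "absolute" or "delta"
    rising_threshold: int
    rising_event: int
    falling_threshold: int
    falling_event: int
    owner: str = ""
    _last_raw: int | None = field(default=None, repr=False)
    _armed: str = field(default="both", repr=False)   # which crossing may fire next

    def sample(self, raw_value: int) -> tuple[int, int | None]:
        """Feed one sample; return (compared value, triggered event number or None)."""
        if self.sample_type == "delta":
            if self._last_raw is None:          # a delta needs two samples
                self._last_raw = raw_value
                return 0, None
            value, self._last_raw = raw_value - self._last_raw, raw_value
        else:
            value = raw_value
        if value >= self.rising_threshold and self._armed in ("both", "rising"):
            self._armed = "falling"             # re-arm only after a falling crossing
            return value, self.rising_event
        if value <= self.falling_threshold and self._armed in ("both", "falling"):
            self._armed = "rising"
            return value, self.falling_event
        return value, None


def run_alarm(alarm: RmonAlarm, events: dict[int, RmonEvent], samples: list[int]) -> list[str]:
    """Replay counter samples through the alarm and collect the event log lines."""
    log: list[str] = []
    for raw in samples:
        value, ev = alarm.sample(raw)
        if ev is not None:
            log.append(events[ev].fire(alarm.number, value))
    return log


EVENTS = {
    1: RmonEvent(1, "High ifOutErrors", log=True, trap_community="eventtrap", owner="nms1"),
    2: RmonEvent(2, "ifOutErrors back to normal", log=True, owner="nms1"),   # constructed
}

# Constructed ifOutErrors counter readings, one per sampling interval.
SAMPLES = [0, 5, 60, 130, 135, 136, 200]


def demo() -> list[str]:
    alarm = RmonAlarm(number=1, variable="ifOutErrors.1", interval=30, sample_type="delta",
                      rising_threshold=50, rising_event=1, falling_threshold=10, falling_event=2,
                      owner="nms1")
    return run_alarm(alarm, EVENTS, SAMPLES)


if __name__ == "__main__":
    for line in demo():
        print(line)
```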
The following command example enables an RMON MIB collection history group of statistics with an ID number of 20 and an owner of john; both the sampling interval and the number of buckets use their respective defaults.
49 Rapid Spanning Tree Protocol (RSTP)
The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP).
● Flush MAC Addresses after a Topology Change
Important Points to Remember
● RSTP is disabled by default on the switch.
● The system supports only one Rapid Spanning Tree (RST) instance.
● All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology.
● Adding a group of ports to a range of VLANs sends multiple messages to the RSTP task; avoid using the range command.
switchport
no shutdown
Enabling Rapid Spanning Tree Protocol Globally
Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology.
● Only one path from any bridge to any other bridge is enabled.
● Bridges block a redundant path by disabling one of the link ports.
To enable RSTP globally for all Layer 2 interfaces, use the following commands.
1.
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
Dell#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
Bridge Identifier has priority 32768, Address 0001.e801.
Te 3/4 Altr 128.684 128 20000 BLK 20000 P2P No
R3#
Adding and Removing Interfaces
To add and remove interfaces, use the following commands. To add an interface to the Rapid Spanning Tree topology, configure it for Layer 2 and it is automatically added. If you previously disabled RSTP on the interface using the no spanning-tree 0 command, re-enable it using the spanning-tree 0 command.
● Remove an interface from the Rapid Spanning Tree topology.
The range is from 1 to 10. The default is 2 seconds.
● Change the max-age parameter.
PROTOCOL SPANNING TREE RSTP mode
max-age seconds
The range is from 6 to 40. The default is 20 seconds.
To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode.
Enabling SNMP Traps for Root Elections and Topology Changes
To enable SNMP traps, use the following command.
● Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
A console message appears when a new root bridge has been assigned. The following example shows the console message after the bridge-priority command is used to make R2 the root bridge (shown in bold).
Dell(conf-rstp)#bridge-priority 4096
04:27:59: %SYSTEM-P:RP2 %SPANMGR-5-STP_ROOT_CHANGE: RSTP root changed. My Bridge ID: 4096:0001.e80b.88bd Old Root: 32768:0001.e801.cbb4 New Root: 4096:0001.e80b.
Configuring Fast Hellos for Link State Detection Use RSTP fast hellos to achieve sub-second link-down detection so that convergence is triggered faster. The standard RSTP link-state detection mechanism does not offer the same low link-state detection speed. RSTP fast hellos decrease the hello interval to the order of milliseconds and all timers derived from the hello timer are adjusted accordingly. This feature does not inter-operate with other vendors, and is available only for RSTP.
50 Security This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
to administer user rights. If a user’s role matches one of the allowed user roles for that command, then command authorization is granted. A constrained RBAC model provides for separation of duty and, as a result, provides greater security than the hierarchical RBAC model. Essentially, a constrained model puts some limitations around each role’s permissions to allow you to partition tasks. However, some inheritance is possible.
5. Verify the configuration has been applied to the console or VTY line.
Dell (conf)#do show running-config line
!
line console 0
login authentication test
authorization exec test
exec-timeout 0 0
line vty 0
login authentication test
authorization exec test
line vty 1
login authentication test
authorization exec test
To enable role-based only AAA authorization:
Dell(conf)#aaa authorization role-only
System-Defined RBAC User Roles
By default, the Dell Networking OS provides 4 system defined user roles.
Creating a New User Role Instead of using the system defined user roles, you can create a new user role that best matches your organization. When you create a new user role, you can first inherit permissions from one of the system defined roles. Otherwise you would have to create a user role’s command permissions from scratch. You then restrict commands or add commands to that role. For more information about this topic, see Modifying Command Permissions for Roles.
If you add or delete command permissions using the role command, those changes only apply to the specific user role. They do not apply to other roles that have inheritance from that role. Authorization and accounting only apply to the roles specified in that configuration. When you modify a command for a role, you specify the role, the mode, and whether you want to restrict access using the deleterole keyword or grant access using the addrole keyword, followed by the command to which you are controlling access.
The following example removes the secadmin access to LINE mode and then verifies that the security administrator can no longer access LINE mode, using the show role mode configure line command in EXEC Privilege mode.
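An added Python example (not Dell Networking OS code) of the inherit-at-creation rule and the LINE mode example above: a custom role copied from secadmin keeps its LINE mode access after secadmin loses it, and only the roles that still hold a command are authorized for it. The resulting role table matches the guide's show role mode configure output; the initial secadmin access to LINE mode and the custom role auditor are assumptions.

```python
"""Role-based command authorization with inherit-at-creation semantics.

Added example, not Dell Networking OS code. The role table after the change
matches the guide's show role mode configure output; the initial secadmin
LINE mode access and the custom role "auditor" are constructed.
"""
from __future__ import annotations
import copy


class RoleTable:
    def __init__(self) -> None:
        # role -> mode -> set of commands the role may enter in that mode
        self.perms: dict[str, dict[str, set[str]]] = {}
        self.inherited_from: dict[str, str] = {}

    def define_system_role(self, role: str, perms: dict[str, set[str]]) -> None:
        self.perms[role] = {mode: set(cmds) for mode, cmds in perms.items()}

    def create_role(self, role: str, inherit: str) -> None:
        """Inheriting from a system-defined role copies its permissions once.

        Later addrole/deleterole changes to either role do not affect the other.
        """
        if role in self.perms:
            raise ValueError(f"role {role!r} already exists")
        self.perms[role] = copy.deepcopy(self.perms[inherit])
        self.inherited_from[role] = inherit

    def addrole(self, mode: str, command: str, role: str) -> None:
        self.perms[role].setdefault(mode, set()).add(command)

    def deleterole(self, mode: str, command: str, role: str) -> None:
        self.perms[role].get(mode, set()).discard(command)

    def roles_for(self, mode: str, command: str) -> set[str]:
        """Equivalent of show role mode <mode> <command>: roles allowed to run it."""
        return {r for r, modes in self.perms.items() if command in modes.get(mode, set())}

    def authorize(self, user_roles: set[str], mode: str, command: str) -> bool:
        # Command authorization is granted if any role of the user is allowed.
        return bool(user_roles & self.roles_for(mode, command))


def system_roles() -> RoleTable:
    t = RoleTable()
    # CONFIGURATION-mode commands per system-defined role (constructed starting
    # point; secadmin's LINE mode access is what the guide's example removes).
    t.define_system_role("sysadmin", {"configure": {"username", "password-attributes", "interface", "line"}})
    t.define_system_role("secadmin", {"configure": {"password-attributes", "line"}})
    t.define_system_role("netadmin", {"configure": {"interface", "line"}})
    return t


def demo() -> RoleTable:
    t = system_roles()
    t.create_role("auditor", inherit="secadmin")    # constructed custom role
    # The guide's example: remove secadmin access to LINE mode. Only secadmin
    # changes; auditor keeps the copy it received at creation.
    t.deleterole("configure", "line", "secadmin")
    # Narrow the custom role without touching the role it was copied from.
    t.deleterole("configure", "password-attributes", "auditor")
    return t


if __name__ == "__main__":
    t = demo()
    for cmd in ("username", "password-attributes", "interface", "line"):
        print(f"show role mode configure {cmd}: {','.join(sorted(t.roles_for('configure', cmd)))}")
```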
AAA Authentication and Authorization for Roles This section describes how to configure AAA Authentication and Authorization for Roles.
The following configuration example applies a method list: TACACS+, RADIUS and local:
!
radius-server host 10.16.150.203 key
!
tacacs-server host 10.16.150.203 key
!
aaa authentication login ucraaa tacacs+ radius local
aaa authorization exec ucraaa tacacs+ radius local
aaa accounting commands role netadmin ucraaa start-stop tacacs+
!
The following configuration example applies a method list other than default to each VTY line.
“attribute” and “value” are an attribute-value (AV) pair defined in the Dell Networking OS TACACS+ specification, and “sep” is “=”. These attributes allow the full set of features available for TACACS+ authorization and are authorized with the same attributes for RADIUS.
Example for Configuring a VSA Attribute for a Privilege Level 15
The following example configures an AV pair which allows a user who logs in from a network access server with a privilege level of 15 to have access to EXEC commands.
The following example applies the accounting default method to the user role secadmin (security administrator). Dell(conf-vty-0)# accounting commands role secadmin default Displaying Active Accounting Sessions for Roles To display active accounting sessions for each user role, use the show accounting command in EXEC mode.
line | Line Configuration mode
route-map | Route map configuration mode
router | Router configuration mode
Dell#show role mode configure username
Role access: sysadmin
Dell#show role mode configure password-attributes
Role access: secadmin,sysadmin
Dell#show role mode configure interface
Role access: netadmin, sysadmin
Dell#show role mode configure line
Role access: netadmin,sysadmin
Displaying Information About Users Logged into the Switch
To display information on all users logged into the switch, using the
● Enable AAA accounting and create a record for monitoring the accounting function.
CONFIGURATION mode
aaa accounting {dot1x | system | exec | command level} {default | name} {start-stop | wait-start | stop-only} {tacacs+}
The variables are:
○ system: sends accounting information of any other AAA configuration.
○ dot1x: Enter the keyword dot1x for dot1x events.
○ exec: sends accounting information when a user has logged in to EXEC mode.
Configuring AAA Accounting for Terminal Lines To enable AAA accounting with a named method list for a specific terminal line (where com15 and execAcct are the method list names), use the following commands. ● Configure AAA accounting for terminal lines.
In the following sample configuration, AAA accounting is set to track all usage of EXEC commands and commands on privilege level 15.
Dell(conf)# aaa accounting dot1x default start-stop radius
Dell(conf)# aaa accounting exec default stop-only radius
Sample dot1x accounting records
The following lists the sample EAP and MAB accounting records.
EAP START accounting record:
Fri May 10 12:20:43 2019
NAS-IP-Address = 10.16.133.
MAB STOP record:
Fri May 10 23:30:42 2019
User-Name = "001122334455"
Called-Station-Id = "00-11-33-44-77-88"
Calling-Station-Id = "00-11-22-33-44-55"
NAS-IP-Address = 10.16.133.
Table 87. RADIUS Accounting Stop Record Attributes for CLI user (continued)
RADIUS Attribute code | RADIUS Attribute | Description
31 | Calling-Station-Id | Telnet/SSH client IP address.
40 | Acct-Status-Type | STOP
44 | Acct-Session-Id | CLI Session-Id - To match start and stop session requests.
46 | Acct-Session-Time | Time the user has received the service.
49 | Acct-Terminate-Cause | Reason for session termination.
61 | NAS-Port-Type | ASYNC - for Console session.
Table 90. RADIUS Accounting Stop Record Attributes for dot1x supplicant
RADIUS Attribute code | RADIUS Attribute | Description
NAS Identification Attributes
4 | NAS-IP-Address | IPv4 address of the NAS.
95 | NAS-IPv6-Address | IPv6 address of the NAS.
Session Identification Attributes
1 | User-Name | User name / Supplicant MAC Address (for MAB).
5 | NAS-Port | Port on which session is terminated.
6 | Service-Type | Framed (2) for EAP / Call Check (10) for MAB.
8 | Framed-IP-Address | IPv4 address of supplicant.
Table 91. Use cases for dot1x supplicant to trigger RADIUS Accounting Start/Stop records (continued)
dot1x event | Accounting type | Attributes
Configure Port control to force unauth | Stop | Stop record attributes with termination cause as port-reinitialized (21).
Interface Host mode change (single/multihost/multiauth) | Stop | Stop record attributes with termination cause as port-reinitialized (21).
Configuring AAA Authentication Login Methods To configure an authentication method and method list, use the following commands. Dell Networking OS Behavior: If you use a method list on the console port in which RADIUS or TACACS is the last authentication method, and the server is not reachable, Dell Networking OS allows access even though the username and password credentials cannot be verified.
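The method-list walk and the console behaviour just described, as an added Python example (not Dell Networking OS code), together with a configuration check a reviewer can apply to console method lists. Server reachability, the user database and the line names are simulated; the method list tacacs+ radius local is the one the guide configures.

```python
"""AAA login method-list evaluation, including the documented console behaviour:
when RADIUS or TACACS+ is the last method of a console method list and the
server is unreachable, access is allowed without verifying the credentials.

Added example, not Dell Networking OS code. Servers and users are simulated.
"""
from __future__ import annotations
from enum import Enum
from typing import Callable


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # server answered: credentials invalid
    UNREACHABLE = "unreachable"  # no answer: the next method is tried


# A method is a callable (username, password) -> Result.
Method = Callable[[str, str], Result]


def make_server(reachable: bool, users: dict[str, str]) -> Method:
    """Simulated RADIUS/TACACS+/local backend with a constructed user database."""
    def check(username: str, password: str) -> Result:
        if not reachable:
            return Result.UNREACHABLE
        return Result.ACCEPT if users.get(username) == password else Result.REJECT
    return check


def evaluate_method_list(methods: list[tuple[str, Method]], line: str,
                         username: str, password: str) -> tuple[bool, str]:
    """Walk the list in order; a definitive ACCEPT or REJECT stops the walk."""
    if not methods:
        raise ValueError("method list is empty")
    for name, method in methods:
        result = method(username, password)
        if result is Result.ACCEPT:
            return True, f"{name}: accepted"
        if result is Result.REJECT:
            return False, f"{name}: rejected"
        # UNREACHABLE: fall through to the next method
    last = methods[-1][0]
    if line == "console" and last in ("radius", "tacacs+"):
        # Documented Dell Networking OS behaviour on the console port.
        return True, f"{last} unreachable on console: access allowed unverified"
    return False, "all methods exhausted: access denied"


def console_fail_open_risk(method_names: list[str]) -> bool:
    """Config check: True when a console method list can end in unverified access."""
    return method_names[-1] in ("radius", "tacacs+")


if __name__ == "__main__":
    users = {"admin": "s3cret"}                    # constructed local database
    down = make_server(False, users)
    print(evaluate_method_list([("tacacs+", down), ("radius", down)], "console", "x", "y"))
    print(evaluate_method_list([("tacacs+", down), ("radius", down), ("local", make_server(True, users))],
                               "console", "x", "y"))
```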
Enabling AAA Authentication — RADIUS
To enable authentication from the RADIUS server, and use TACACS as a backup, use the following commands.
1. Enable RADIUS and set up TACACS as backup.
CONFIGURATION mode
aaa authentication enable default radius tacacs
2. Establish a host address and password.
CONFIGURATION mode
radius-server host x.x.x.x key some-password
3. Establish a host address and password.
CONFIGURATION mode
tacacs-server host x.x.x.
2. You are prompted to force the users to re-authenticate while adding or removing a RADIUS/TACACS+ server.
CONFIGURATION mode
aaa authentication login method-list-name
Example:
Dell(config)#aaa authentication login vty_auth_list radius
Force all logged-in users to re-authenticate (y/n)?
3. You are prompted to force the users to re-authenticate whenever there is a change in the RADIUS server list.
CONFIGURATION mode
radius-server host IP Address
Example:
Dell(config)#radius-server host 192.100.0.
Configuration Task List for Privilege Levels The following list has the configuration tasks for privilege levels and passwords.
Obscuring Passwords and Keys
By default, the service password-encryption command stores encrypted passwords. For greater security, you can also use the service obscure-passwords command to prevent a user from reading the passwords and keys (including RADIUS and TACACS+ keys, router authentication strings, and VRRP authentication strings) by obscuring this information. Passwords and keys are stored encrypted in the configuration file and by default are displayed in the encrypted form when the configuration is displayed.
3. Configure level and commands for a mode or reset a command’s level.
CONFIGURATION mode
privilege mode {level level command | reset command}
Configure the following required and optional parameters:
● mode: enter a keyword for the modes (exec, configure, interface, line, route-map, or router)
● level level: the range is from 0 to 15. Levels 0, 1, and 15 are pre-configured. Levels 2 to 14 are available for custom configuration.
● command: a CLI keyword (up to five keywords allowed).
(end of the privilege example table: no snmp-server; Dell(conf)#; Reset a command; Modify SNMP parameters)
Specifying LINE Mode Password and Privilege
You can specify password authentication for all users on different terminal lines. The user’s privilege level is the same as the privilege level assigned to the terminal line, unless a more specific privilege level is assigned to the user. To specify a password for the terminal line, use the following commands.
● Configure a custom privilege level for the terminal lines.
● Access-Reject — the RADIUS server does not authenticate the user.
If an error occurs in the transmission or reception of RADIUS packets, you can view the error by enabling the debug radius command. Note that RADIUS does not encrypt the exchange: only the User-Password attribute is hidden (it is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator, as specified in RFC 2865), while the remaining attributes, including the user name, are sent in the clear. RADIUS uses UDP as the transport protocol between the RADIUS server host and the client, so keep RADIUS traffic on a protected management network and treat the shared secret as a credential. For more information about RADIUS, refer to RFC 2865, Remote Authentication Dial-in User Service.
auto-command
Privilege Levels
Through the RADIUS server, you can configure a privilege level for the user to enter into when they connect to a session. This value is configured on the client system.
● Set a privilege level.
privilege level
Configuration Task List for RADIUS
To authenticate users using RADIUS, you must specify at least one RADIUS server so that the system can communicate with it, and configure RADIUS as one of your authentication methods.
line {aux 0 | console 0 | vty number [end-number]} ● Enable AAA login authentication for the specified RADIUS method list. LINE mode login authentication {method-list-name | default} This procedure is mandatory if you are not using default lists. ● To use the method list.
○ encryption-type: enter 7 to store the key in encrypted form. Enter 0 to keep the key as plain text.
○ key: enter a string. The key can be up to 42 characters long. You cannot use spaces in the key. The key is a shared secret: anyone who obtains it can forge RADIUS responses to this switch, so protect the configuration file and use a long, random value.
● Configure the number of times the system retransmits RADIUS requests.
CONFIGURATION mode
radius-server retransmit retries
○ retries: the range is from 0 to 100. The default is 3 retries.
● Configure the time interval the system waits for a RADIUS server host response.
4. Log in to the switch using the console, Telnet, or SSH with a valid user role. When one-factor authentication is used, the authentication succeeds and you can access the switch. When two-factor authentication is used, the system prompts you to enter a one-time password as the second step of authentication. If a valid one-time password is supplied, the authentication succeeds and you can access the switch.
Table 92. NAS Identification Attributes
Attribute code | Attribute | Description
4 | NAS-IP-Address | IPv4 address of the NAS.
95 | NAS-IPv6-Address | IPv6 address of the NAS.
Table 93. Change of Authorization (CoA) Attribute
Attribute code | Attribute | Description
5 | NAS-Port | Port associated with the session to be processed for EAP or MAB users, or the VTY ID for AAA sessions.
Table 94.
Table 97. CoA EAP/MAB Session(s) Re-authenticate (continued)
RADIUS Attribute code | RADIUS Attribute | Description | Mandatory
5 | NAS-Port | Port on which the session is terminated | Yes, if the Calling-Station-Id attribute is not provided
31 | Calling-Station-Id | The link address from which the session is connected. |
Table 100. DM EAP/MAB Session(s) Disconnect (continued)
RADIUS Attribute code | RADIUS Attribute | Description | Mandatory
31 | Calling-Station-Id | The link address from which the session is connected. | Yes, if the NAS-Port attribute is not provided
26 | Vendor-Specific | t=26 (vendor-specific); l=length; vendor-identification-attribute; Length=value; Data="cmd=terminate-session" | Yes
Authorization Attributes
Table 101.
Table 102. Error-cause Values (continued)
Serial Number | Error-cause | Scenarios
5 | Session Context Not Found (503) | CoA or DM request containing session identification attributes that do not match any of the NAS user sessions.
6 | Resource Unavailable (506) | Internal CoA or DM message processing errors.
7 | Missing Attribute (402) | CoA or DM request without a Vendor-Specific attribute, or with an invalid Vendor-Specific attribute.
○ Source UDP port
○ Identifier
○ VRF ID
● discards the packet if the datagram is shorter than the value in its Length field.
● discards the packet if its length is shorter than 20 or longer than 4096 bytes.
● discards the packet if the Request Authenticator does not match the MD5 digest the NAS computes over the packet (with the 16-byte authenticator field zeroed) followed by the shared secret, as specified in RFC 5176.
Configuring the port number You can configure the port number on which the NAS receives CoA or DM requests. This setting enables you to specify an optional port number on which to receive CoA or DM requests. The default value is 3799. Enter the following command to configure the port number: port port-number The range for the port number value that you can specify is from 1 to 65535.
● The shared key is configured in the NAS for the DAC.
● The NAS listens on the management IP address, UDP port 3799 (default) or the port configured through the CLI.
● The user is logged in through an 802.1X-enabled physical port and has successfully authenticated with the RADIUS server.
When the DAC initiates a port-bounce operation, the NAS flaps the link on the authenticating port, which in turn triggers link re-negotiation on the flapped port. 1.
● discards the packet if simultaneous requests are received for the same Calling-Station-Id, NAS-Port, or both.
● returns an error-cause value of 503 (Session Context Not Found) if it cannot retrieve the session using the Calling-Station-Id or NAS-Port attribute, or both.
● sends a CoA-NAK if the user is configured with forced-unauthorization.
● sends a CoA-ACK if the user is configured with forced-authorization.
Terminating the 802.
The NAS administratively shuts down the 802.1X-enabled port that is hosting the session. You can re-enable this port only through a non-RADIUS mechanism or through a bounce-port request.
Dell(conf)#radius dynamic-auth
Dell(conf-dynamic-auth)#coa-disable-port
The NAS takes the following actions:
● validates the CoA request and the session identification attributes.
● sends a CoA-NAK with an error-cause of 402 (Missing Attribute) if the CoA request does not contain the NAS-Port attribute.
Rate-limiting RADIUS packets
The NAS lets you allow or reject RADIUS dynamic authorization packets based on a rate-limit value that you specify: the number of RADIUS dynamic authorization packets allowed per minute. The default value is 30 packets per minute. The NAS discards packets once the number of RADIUS dynamic authorization packets in the current interval exceeds the configured rate-limit value.
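The following block is an added example and is not Dell code. It reproduces, on the receive side, the NAS checks this section describes for CoA-Request and Disconnect-Request packets (RFC 5176): the 20..4096 byte length sanity check, the check that the datagram is not shorter than its Length field, the Request Authenticator check against the shared secret, and the per-minute rate limit with its default of 30. The shared secret, the sample NAS-Port and Calling-Station-Id attributes, and the timestamps fed to the rate limiter are constructed for the example.

```python
"""Added example, not Dell code: NAS-side validation of RADIUS CoA/DM requests
(RFC 5176) plus the per-minute rate limit described in this section.
Shared secret, sample attributes and timestamps are constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

COA_REQUEST, DISCONNECT_REQUEST = 43, 40      # RFC 5176 packet codes
HEADER_LEN, MAX_LEN = 20, 4096                # Code, ID, Length, 16-byte authenticator
NAS_PORT, CALLING_STATION_ID = 5, 31          # attribute types used in the tables above
SHARED_SECRET = b"example-dac-secret"         # constructed; the key configured for the DAC


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_request(code: int, identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """What the DAC sends. Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def validate_request(packet: bytes, secret: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason), applying the NAS discard rules listed above."""
    if len(packet) < HEADER_LEN or len(packet) > MAX_LEN:
        return False, "length outside 20..4096"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return False, "length field inconsistent with datagram"
    if code not in (COA_REQUEST, DISCONNECT_REQUEST):
        return False, "not a CoA or DM request"
    packet = packet[:length]                  # octets beyond Length are padding and ignored
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(packet[4:HEADER_LEN], expected):
        return False, "request authenticator mismatch"
    return True, "ok"


class RateLimiter:
    """Fixed-window limiter: at most `per_minute` packets in each 60-second interval,
    further packets in that interval are discarded (default 30, as in the text)."""

    def __init__(self, per_minute: int = 30) -> None:
        self.per_minute = per_minute
        self.window_start: Optional[float] = None
        self.count = 0

    def allow(self, now: float) -> bool:
        if self.window_start is None or now - self.window_start >= 60:
            self.window_start, self.count = now, 0
        self.count += 1
        return self.count <= self.per_minute


def demo() -> dict:
    """Run the validator over a genuine request and three kinds of bad input."""
    attrs = avp(NAS_PORT, struct.pack("!I", 7)) + avp(CALLING_STATION_ID, b"00:11:22:33:44:55")
    good = build_request(COA_REQUEST, 1, attrs, SHARED_SECRET)
    # same length, NAS-Port changed in flight: authenticator no longer matches
    tampered = good[:HEADER_LEN] + avp(NAS_PORT, struct.pack("!I", 8)) + good[HEADER_LEN + 6:]
    wrong_secret = build_request(DISCONNECT_REQUEST, 2, attrs, b"not-the-configured-secret")
    truncated = good[:-3]                     # datagram shorter than its Length field
    return {
        "good": validate_request(good, SHARED_SECRET),
        "tampered": validate_request(tampered, SHARED_SECRET),
        "wrong_secret": validate_request(wrong_secret, SHARED_SECRET),
        "truncated": validate_request(truncated, SHARED_SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The authenticator check is what ties a CoA or DM request to the configured shared key; without it any host that can reach UDP port 3799 could disconnect or re-authorize sessions. The rate limiter is applied before the MD5 computation in a real NAS so that a flood cannot consume CPU on hashing.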
2. Enter a text string (up to 16 characters long) as the name of the method list you wish to use with the TACACS+ authentication method.
CONFIGURATION mode
aaa authentication login {method-list-name | default} tacacs+ [...method3]
The TACACS+ method must not be the last method specified.
3. Enter LINE mode.
CONFIGURATION mode
line {aux 0 | console 0 | vty number [end-number]}
4. Assign the method list to the terminal line.
TACACS+ Remote Authentication and Authorization The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet sizes. If you have configured remote authorization, the system ignores the access class you have configured for the VTY line and gets this access class information from the TACACS+ server. The system must know the username and password of the incoming user before it can fetch the access class from the server.
Command Authorization
The AAA command authorization feature configures the system to send each configuration command to a TACACS+ server for authorization before it is added to the running configuration. By default, the AAA authorization commands configure the system to check both EXEC mode and CONFIGURATION mode commands. Use the no aaa authorization config-commands command to enable only EXEC mode command checking.
SSH server : enabled.
SSH server version : v1 and v2.
SSH server vrf : default.
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
NOTE: This default set includes legacy algorithms: SSH protocol version 1, 3des-cbc and the CBC-mode AES ciphers, hmac-md5 and the 96-bit truncated MACs, and the 1024-bit diffie-hellman-group1-sha1 exchange. Restrict the cipher and MAC lists with the ip ssh server cipher and ip ssh server mac commands described in this section.
User name to login remote host: admin
Password to login remote host:
Removing the RSA Host Keys and Zeroizing Storage
Use the crypto key zeroize rsa command to delete the host key pairs, both the public and private key information, for the RSA1 and/or RSA2 types. Note that when FIPS mode is enabled there is no RSA1 key pair. Any memory currently holding these keys is zeroized (written over with zeroes), and the NVRAM location where the keys are stored for persistence across reboots is also zeroized.
Example of Configuring a Cipher List The following example shows you how to configure a cipher list. Dell(conf)#ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr Configuring DNS in the SSH Server Dell EMC Networking provides support to enable the DNS in SSH server configuration for host-based authentication. You can specify whether the SSH Server should look up the remote host name and check whether the resolved host name for the remote IP address maps to the same IP address.
The following example shows you how to configure an HMAC algorithm list.
Dell(conf)# ip ssh server mac hmac-sha1-96
Configuring the HMAC Algorithm for the SSH Client
To configure the HMAC algorithm for the SSH client, use the ip ssh mac hmac-algorithm command in CONFIGURATION mode.
hmac-algorithm: Enter a space-delimited list of keyed-hash message authentication code (HMAC) algorithms supported by the SSH client.
The following example shows you how to configure a cipher list. Dell(conf)#ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr Configuring the SSH Client Cipher List To configure the cipher list supported by the SSH client, use the ip ssh cipher cipher-list command in CONFIGURATION mode. cipher-list-: Enter a space-delimited list of ciphers the SSH Client supports. The following ciphers are available.
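The following block is an added example and is not Dell code. It audits the algorithm lines of a show ip ssh listing for legacy algorithms and generates the ip ssh server cipher and ip ssh server mac commands from this section that keep only the remaining ones, in the order the device already prefers them. The sample output is constructed from the default listing shown earlier in this chapter; the sets of algorithms treated as weak are the editor's assumption from common hardening guidance, not values taken from the guide, and because the guide shows no command for the key exchange list, kex findings are only reported.

```python
"""Added example, not Dell code: audit 'show ip ssh' output for legacy
algorithms and emit the hardening commands shown in this section.
The sample listing is constructed; the WEAK sets are an assumption.
"""
import re
from typing import List

SAMPLE_SHOW_IP_SSH = """\
SSH server                : enabled.
SSH server version        : v1 and v2.
SSH server vrf            : default.
SSH server ciphers        : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
SSH server macs           : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
Password Authentication   : enabled.
Hostbased Authentication  : disabled.
RSA Authentication        : disabled.
"""

# Editor's assumption: CBC-mode ciphers and 3DES, MD5 and 96-bit-truncated MACs,
# and the 1024-bit group1 exchange are the usual removal candidates.
WEAK = {
    "cipher": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
    "kex": {"diffie-hellman-group1-sha1"},
}
KEY_MAP = {"ciphers": "cipher", "macs": "mac", "kex algorithms": "kex"}
LIST_RE = re.compile(r"^SSH server (ciphers|macs|kex algorithms)\s*:\s*(.+?)\.?\s*$")
VERSION_RE = re.compile(r"^SSH server version\s*:\s*(.+?)\.?\s*$")


def parse_show_ip_ssh(text: str) -> dict:
    """Pull the three algorithm lists and the protocol version line out of the output."""
    parsed = {"cipher": [], "mac": [], "kex": [], "version": ""}
    for line in text.splitlines():
        m = LIST_RE.match(line)
        if m:
            parsed[KEY_MAP[m.group(1)]] = [a.strip() for a in m.group(2).split(",") if a.strip()]
            continue
        m = VERSION_RE.match(line)
        if m:
            parsed["version"] = m.group(1)
    return parsed


def audit(parsed: dict) -> dict:
    """Weak algorithms the server currently offers, plus whether SSHv1 is enabled."""
    findings = {k: [a for a in parsed[k] if a in WEAK[k]] for k in ("cipher", "mac", "kex")}
    findings["sshv1"] = "v1" in parsed["version"].split()   # "v1 and v2" -> True
    return findings


def hardening_commands(parsed: dict) -> List[str]:
    """CONFIGURATION-mode commands that keep only the strong ciphers and MACs,
    preserving the device's own preference order. Emitted only when something
    would actually change and at least one algorithm would remain."""
    cmds = []
    for key, cmd in (("cipher", "ip ssh server cipher"), ("mac", "ip ssh server mac")):
        strong = [a for a in parsed[key] if a not in WEAK[key]]
        if strong and len(strong) != len(parsed[key]):
            cmds.append(f"{cmd} {' '.join(strong)}")
    return cmds


if __name__ == "__main__":
    parsed = parse_show_ip_ssh(SAMPLE_SHOW_IP_SSH)
    for name, value in audit(parsed).items():
        print(f"{name}: {value}")
    print("\n".join(hardening_commands(parsed)))
```

Run it against a captured show ip ssh listing from each switch after an upgrade as well as at deployment time: the text above notes that the cipher and MAC lists are restorable to defaults, so a hardened list can silently revert.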
ip ssh password-authentication enable
To view your SSH configuration, use the show ip ssh command from EXEC Privilege mode.
Dell(conf)#ip ssh server enable
% Please wait while SSH Daemon initializes ... done.
Dell(conf)#ip ssh password-authentication enable
Dell#sh ip ssh
SSH server : enabled.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
CONFIGURATION mode
ip ssh hostbased-authentication enable
7. Bind shosts and rhosts to host-based authentication.
CONFIGURATION mode
ip ssh pub-key-file flash://filename
or
ip ssh rhostsfile flash://filename
The following example shows creating shosts.
admin@Unix_client# cd /etc/ssh
admin@Unix_client# ls
moduli  ssh_config  sshd_config  ssh_host_dsa_key  ssh_host_dsa_key.pub  ssh_host_key  ssh_host_key.pub  ssh_host_rsa_key  ssh_host_rsa_key.pub
admin@Unix_client# cat ssh_host_rsa_key.
authentication is set to “Yes” in the file ssh_config (root permission is required to edit this file): permission denied (host based). If the IP address in the RSA key does not match the IP address from which you attempt to log in, the following message appears. In this case, verify that the name and IP address of the client is contained in the file /etc/hosts: RSA Authentication Error. Telnet To use Telnet with SSH, first enable SSH, as previously described. By default, the Telnet daemon is enabled.
The following example shows how to allow or deny a Telnet connection to a user. Users see a login prompt even if they cannot log in. No access class is configured for the VTY line. It defaults from the local database. NOTE: For more information, refer to Access Control Lists (ACLs).
Two Factor Authentication (2FA) Two factor authentication also known as 2FA, strengthens the login security by providing one time password (OTP) in addition to username and password. 2FA supports RADIUS authentications with Console, Telnet, and SSHv2. To perform 2FA, follow these steps: ● When the Network access server (NAS) prompts for the username and password, provide the inputs.
* 5 aes128-cbc hmac-md5 10.16.127.141
Dell#
SMS-OTP Mechanism
A short message service one-time password (SMS-OTP) is a free RADIUS module that implements two-factor authentication. Multiple 2FA mechanisms can be deployed with RADIUS. Mechanisms such as the Google Authenticator do not rely on the Access-Challenge message, whereas the SMS-OTP module relies on the Access-Challenge message.
NOTE: The Dell Networking OS does not suppress the ICMP message type echo request (8). Table 105.
● The feature is not supported when the fastboot or the warmboot features are enabled on the system. ● If the startup configuration verification fails after a reload, the system does not load your startup configuration. ● After enabling the startup configuration verification feature, use the verified boot hash command to verify and store the hash value. If you don’t store the hash value, you cannot reboot the device until you verify the image hash.
When you configure the root access password, ensure that your password meets the following criteria:
○ A minimum of eight characters in length
○ A minimum of one lower case letter (a to z)
○ A minimum of one upper case letter (A to Z)
○ A minimum of one numeric character (0 to 9)
○ A minimum of one special character, including a space (" !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~")
DellEMC# show running-config | g root
root-access password 7 f4dc0cb9787722dd1084d17f417f164cc7f730d4f03d4f0215294cbd899614e3
Enabl
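The following block is an added example and is not Dell code. It checks a candidate root-access password against the five criteria listed above before the password is pushed to a device, reports every rule it fails rather than stopping at the first, and separately flags characters outside the four classes the rules name, since the list above does not say how the device treats them. The special-character set is the one printed in the rule list, with the space included.

```python
"""Added example, not Dell code: pre-validate a root-access password against the
criteria listed in this section. The special-character set is the one the
guide prints (space included); handling of other characters is not documented,
so such characters are reported separately instead of being assumed valid.
"""
import string
from typing import Callable, List, Set, Tuple

SPECIALS = frozenset(" !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")
LOWER = frozenset(string.ascii_lowercase)
UPPER = frozenset(string.ascii_uppercase)
DIGITS = frozenset(string.digits)
KNOWN = LOWER | UPPER | DIGITS | SPECIALS

# (rule name as printed above, predicate over the whole password)
RULES: Tuple[Tuple[str, Callable[[str], bool]], ...] = (
    ("minimum eight characters", lambda pw: len(pw) >= 8),
    ("one lower case letter (a to z)", lambda pw: any(c in LOWER for c in pw)),
    ("one upper case letter (A to Z)", lambda pw: any(c in UPPER for c in pw)),
    ("one numeric character (0 to 9)", lambda pw: any(c in DIGITS for c in pw)),
    ("one special character (including space)", lambda pw: any(c in SPECIALS for c in pw)),
)


def unmet_criteria(password: str) -> List[str]:
    """Names of the rules the password fails, in the order listed; empty means it passes."""
    return [name for name, ok in RULES if not ok(password)]


def unsupported_characters(password: str) -> Set[str]:
    """Characters outside the classes the rules name (for example non-ASCII letters)."""
    return {c for c in password if c not in KNOWN}


def acceptable(password: str) -> bool:
    """True only when every rule passes and every character is one the rules describe."""
    return not unmet_criteria(password) and not unsupported_characters(password)


if __name__ == "__main__":
    for candidate in ("Sw0rdf!sh", "password", "Pässw0rd!"):
        print(repr(candidate), unmet_criteria(candidate), unsupported_characters(candidate))
```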
51 Service Provider Bridging
Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell Networking OS.
Topics:
• VLAN Stacking
• VLAN Stacking Packet Drop Precedence
• Dynamic Mode CoS for VLAN Stacking
• Layer 2 Protocol Tunneling
• Provider Backbone Bridging
VLAN Stacking
VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.
Using only 802.1Q VLAN tagging all customers would have to use unique VLAN IDs to ensure that traffic is segregated, and customers and the service provider would have to coordinate to ensure that traffic mapped correctly across the provider network. Even under ideal conditions, customers and the provider would still share the 4094 available VLANs. Instead, 802.1ad allows service providers to add their own VLAN tag to frames traversing the provider network.
● This limitation becomes relevant if you enable the port as a multi-purpose port (carrying single-tagged and double-tagged traffic). ● When the LP ports are present in RPM 10 and 11, VLAN stacking is supported. ● VLAN stacking is supported on C9010 ports but not on peGigE ports. Configure VLAN Stacking Configuring VLAN-Stacking is a three-step process. 1. Creating Access and Trunk Ports 2. Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports). 3. Enabling VLAN-Stacking for a VLAN.
Enable VLAN-Stacking for a VLAN
To enable VLAN-Stacking for a VLAN, use the following command.
● Enable VLAN-Stacking for the VLAN.
INTERFACE VLAN mode
vlan-stack compatible
To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.
Dell(conf-if-te-0/1)#switchport
Dell(conf-if-te-0/1)#vlan-stack trunk
Dell(conf-if-te-0/1)#show config
!
interface TenGigabitEthernet 0/1
 no ip address
 portmode hybrid
 switchport
 vlan-stack trunk
 shutdown
Dell(conf-if-te-0/1)#interface vlan 100
Dell(conf-if-vl-100)#untagged tengigabitethernet 0/1
Dell(conf-if-vl-100)#interface vlan 101
Dell(conf-if-vl-101)#tagged tengigabitethernet 0/1
Dell(conf-if-vl-101)#interface vlan 103
Dell(conf-if-vl-103)#vlan-stack compatible
Dell(conf-if-vl-103-stack)#member tengig
Given the matching-TPID requirement, there are limitations when you employ Dell Networking systems at network edges, at which, frames are either double tagged on ingress (R4) or the outer tag is removed on egress (R3). VLAN Stacking The default TPID for the outer VLAN tag is 0x9100. The system allows you to configure both bytes of the 2 byte TPID. Previous versions allowed you to configure the first byte only, and thus, the systems did not differentiate between TPIDs with a common first byte.
Figure 131.
Figure 132. Single and Double-Tag TPID Mismatch VLAN Stacking Packet Drop Precedence VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested. Enabling Drop Eligibility Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
Table 106. Drop Eligibility Behavior (continued)
Ingress | Egress | DEI Disabled | DEI Enabled
Trunk Port | Trunk Port | Retain inner tag CFI. Retain outer tag CFI. | Retain inner tag CFI. Set outer tag CFI to 0.
Access Port | Trunk Port | Retain inner tag CFI. Set outer tag CFI to 0. | Retain inner tag CFI. Set outer tag CFI to 0.
To enable drop eligibility globally, use the following command.
● Make packets eligible for dropping based on their DEI value.
To display the DEI-marking configuration, use the show interface dei-mark [interface slot/port | linecard number port-set number] command in EXEC Privilege mode.
Dell#show interface dei-mark
Default CFI/DEI Marking: 0
Interface  Drop precedence  CFI/DEI
--------------------------------
Te 0/1     Green            0
Te 0/1     Yellow           1
Te 1/9     Yellow           0
Te 1/40    Yellow           0
Dynamic Mode CoS for VLAN Stacking
One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.
Examples of QoS Interface Configuration and Rate Policing
policy-map-input in layer2
 service-queue 3 class-map a qos-policy 3
!
class-map match-any a layer2
 match mac access-group a
!
mac access-list standard a
 seq 5 permit any
!
qos-policy-input 3 layer2
 rate-police 40
Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3.
Layer 2 Protocol Tunneling Spanning tree bridge protocol data units (BPDUs) use a reserved destination MAC address called the bridge group address, which is 01-80-C2-00-00-00. Only spanning-tree bridges on the local area network (LAN) recognize this address and process the BPDU.
Figure 135. VLAN Stacking with L2PT Implementation Information ● L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. ● No protocol packets are tunneled when you enable VLAN stacking. ● L2PT requires the default CAM profile. Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT. EXEC Privilege mode show cam-profile 2.
INTERFACE VLAN mode protocol-tunnel stp Specifying a Destination MAC Address for BPDUs By default, the system uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command. ● Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
originally specified in 802.1Q. Only bridges in the service provider network use this destination MAC address so these bridges treat BPDUs originating from the customer network as normal data frames, rather than consuming them. The same is true for GARP VLAN registration protocol (GVRP). 802.
52 sFlow
sFlow is a standards-based sampling technology embedded within switches and routers that is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
● Dell Networking recommends the sFlow Collector be connected to the Dell Networking chassis through a line card port rather than the management Ethernet port. ● Only egress sampling is supported. ● The system exports all sFlow packets to the collector. A small sampling rate can equate to many exported packets. A backoff mechanism is automatically applied to reduce this amount.
Displaying Show sFlow Global
To view sFlow statistics, use the following command.
● Display sFlow configuration information and statistics.
EXEC mode
show sflow
In the output, the line "sFlow services are enabled" indicates that sFlow is globally enabled; the per-interface lines (Te 1/16 and Te 1/17 in the full output) indicate the line card ports on which sFlow is enabled.
Dell#show sflow
sFlow services are enabled
Global default sampling rate: 32768
Global default counter polling interval: 20
1 collectors configured
Collector IP addr: 133.33.33.53, Agent IP addr: 133.33.33.
show sflow linecard slot-number
Dell#show sflow linecard 1
Linecard 1
Samples rcvd from h/w              :165
Samples dropped for sub-sampling   :69
Total UDP packets exported         :77
UDP packets exported via RP        :77
UDP packets dropped                :
Configuring Specify Collectors
The sflow collector command allows identification of sFlow collectors to which sFlow datagrams are forwarded. You can specify up to two sFlow collectors. If you specify two collectors, the samples are sent to both.
sFlow on LAG ports When a physical port becomes a member of a LAG, it inherits the sFlow configuration from the LAG port. Enabling Extended sFlow Extended sFlow packs additional information in the sFlow datagram depending on the type of sampled packet. You can enable the following options: ● extended-switch — 802.1Q VLAN ID and 802.1p priority information. ● extended-router — Next-hop and source and destination mask length. ● extended-gateway — Source and destination AS number and the BGP next-hop.
Table 107. Extended Gateway Summary
IP SA | IP DA | srcAS and srcPeerAS | dstAS and dstPeerAS | Description
static/connected/IGP | static/connected/IGP | — | — | Extended gateway data is not exported because there is no AS information.
static/connected/IGP | BGP | 0 | | Exported src_as and src_peer_as are zero because there is no AS information for IGP.
53 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
MIBs are hierarchically structured and use object identifiers to address managed objects, but managed objects also have a textual name called an object descriptor. Implementation Information The following describes SNMP implementation information. ● The Dell Networking OS supports SNMP version 1 as defined by RFC 1155, 1157, and 1212, SNMP version 2c as defined by RFC 1901, and SNMP version 3 as defined by RFC 2571. ● The system supports up to 16 trap receivers.
SNMP version 3 (SNMPv3) is a user-based security model that provides password authentication for user security and encryption for data security and privacy. Three sets of configurations are available for SNMP read/write operations: no password or privacy, password privileges, and password and privacy privileges. You can configure a maximum of 32 users even if they are in different groups.
Creating a Community
For SNMPv1 and SNMPv2c, create a community to enable community-based security on the switch. Note that in these versions the community string is the only credential and travels in cleartext in every request, so anyone who can observe SNMP traffic can reuse it; use SNMPv3 with authentication and privacy where the management station supports it.
snmp-server user name group-name 3 noauth auth md5 auth-password ● Configure an SNMP group (password privileges only). CONFIGURATION mode snmp-server group groupname {oid-tree} auth read name write name ● Configure an SNMPv3 view. CONFIGURATION mode snmp-server view view-name 3 noauth {included | excluded} NOTE: To give a user read and write privileges, repeat this step for each privilege type. ● Configure an SNMP group (with password or privacy privileges).
snmpwalk -v version -c community agent-ip {identifier.instance | descriptor.instance}
In the following example, the value “4” displays in the OID before the IP address for IPv4. For an IPv6 IP address, a value of “16” displays.
> snmpget -v 2c -c mycommunity 10.11.131.161 sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (32852616) 3 days, 19:15:26.16
> snmpget -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1.3.0
The following example shows reading the value of the next managed object.
● (From a Dell Networking system) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1). CONFIGURATION mode snmp-server location text You may use up to 55 characters. The default is None. ● (From a management station) Identify the system manager along with this person’s contact information (for example, an email address or phone number). CONFIGURATION mode snmpset -v version -c community agent-ip sysContact.
NOTE: A threshold level of 0 disables Syslog and SNMP traps. ● Configure the high or low CPU utilization threshold for SNMP traps.
Defaults
○ High threshold: 92%
○ Low threshold: 82%
NOTE: A threshold level of 0 disables Syslog and SNMP traps.
● Configure the high or low memory utilization thresholds for SNMP traps.
CONFIGURATION mode
util-threshold memory {5 sec | 1 min | 5 min} {cp | rp | lp | pe | all} {high {0-100} | low {0-100}}
To display the configured values of memory utilization thresholds, use the show util-threshold memory command from CONFIGURATION mode.
To identify the SNMPv1 community string, enter the name of the community-string. 2. Specify which traps the Dell Networking system sends to the trap receiver. CONFIGURATION mode snmp-server enable traps Enable all Dell Networking enterprise-specific and RFC-defined traps using the snmp-server enable traps command from CONFIGURATION mode. Enable all of the RFC-defined traps using the snmp-server enable traps snmp command from CONFIGURATION mode. 3. Specify the interfaces which send SNMP traps.
snmp    linkdown
        linkup
        SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
        PORT_LINKDN: changed interface state to down: %d
        PORT_LINKUP: changed interface state to up: %
envmon  LINECARDUP: %sLine card %d is up
        CARD_MISMATCH: Mismatch: line card %d is type %s - type %s required.
        TASK SUSPENDED: SUSPENDED - svce:%d - inst:%d - task:%s
        SYSTEM-P:CP %CHMGR-2-CARD_PARITY_ERR
        ABNORMAL_TASK_TERMINATION: CRASH - task:%s %s
        CPU_THRESHOLD: Cpu %s usage above threshold.
The following example applies when you have configured support for batch and auditing.
CFG_SUBTASK_CONFIG_CONFLICT_TRAP: Configuration conflict is found during audit
CFG_SUBTASK_CONFIG_CONFLICT_CLEAR_: Configuration conflict is resolved
CLI_BATCH_CONFIG_IN_PROGRESS_TRAP: Batch configuration commit is in progress
CLI_BATCH_CONFIG_COMPLETE_TRAP: Batch configuration commit is success
entity  Enable entity change traps
Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1487406) 4:07:54.06, SNMPv2-MIB::snmpTrapOID.
Table 108. List of Syslog Server MIBs that have read access
MIB Object | OID | Object Values | Description
dF10SysLogTraps | 1.3.6.1.4.1.6027.3.30.1.1 | 1 = reachable, 2 = unreachable | Specifies whether the syslog server is reachable or unreachable.
The following example shows the SNMP trap that is sent when connectivity to the syslog server is lost:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (19738) 0:03:17.38
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.6027.3.30.1.1.1
SNMPv2-SMI::enterprises.
Table 109. MIB Objects for Copying Configuration Files via SNMP (continued)
MIB Object | OID | Object Values | Description
copySrcFileLocation | .1.3.6.1.4.1.6027.3.5.1.1.1.1.3 | 1 = flash, 2 = slot0, 3 = tftp, 4 = ftp, 5 = scp, 6 = usbflash | Specifies the location of the source file.
copySrcFileName | .1.3.6.1.4.1.6027.3.5.1.1.1.1.4 | | Path (if the file is not in the current directory) and filename.
copyDestFileType | .1.3.6.1.4.1.6027.3.5.1.1.1.1.5 | |
Copying a Configuration File
To copy a configuration file, use the following commands.
NOTE: On UNIX, use the snmpset command as shown in the following steps. Place the f10-copy-config.mib file in the directory from which you are executing the snmpset command, or in the snmpset tool path.
1. Create an SNMP community string with read/write privileges.
CONFIGURATION mode
snmp-server community community-name rw
A read/write community string is sufficient to copy the running configuration to any TFTP, FTP, or SCP server reachable from the switch (see the copy MIB objects above), so choose a non-default string, restrict it to trusted management stations, and prefer SNMPv3 where possible.
2. Copy the f10-copy-config.
The following example shows copying configuration files using OIDs.
> snmpset -v 2c -c public -m ./f10-copy-config.mib 10.10.10.10 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.100 i 2 .1.3.6.1.4.1.6027.3.5.1.1.1.1.5.100 i 3
FTOS-COPY-CONFIG-MIB::copySrcFileType.100 = INTEGER: runningConfig(2)
FTOS-COPY-CONFIG-MIB::copyDestFileType.100 = INTEGER: startupConfig(3)
Copying the Startup-Config Files to the Running-Config
To copy the startup-config to the running-config from a UNIX machine, use the following command.
snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 3 copyDestFileType.index i 1 copyDestFileName.index s filepath/filename copyDestFileLocation.index i 3 copyServerAddress.index a server-ip-address
snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.4 i 3 copyDestFileType.4 i 1 copyDestFileLocation.4 i 3 copyDestFileName.4 s /home/myfilename copyServerAddress.4 a 11.11.11.
Table 110. Additional MIB Objects for Copying Configuration Files via SNMP (continued)
MIB Object | OID | Values | Description
(row continued) | | | state is set to active when the copy is completed.
Obtaining a Value for MIB Objects
To obtain a value for any of the MIB objects, use the following command.
● Get a copy-config MIB object value.
snmpget -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address [OID.index | mib-object.
The following example shows a sample output of the snmpwalk command to view the last reset reason.
[apoosappan@login-maa-06 ~]$ snmpwalk -c public -v 2c 10.16.130.49 1.3.6.1.4.1.6027.3.26.1.4.3.1.7
DELL-NETWORKING-CHASSIS-MIB::dellNetProcessorResetReason.supervisor.1.1 = STRING: Reboot by Software
DELL-NETWORKING-CHASSIS-MIB::dellNetProcessorResetReason.supervisor.1.2 = STRING: Reboot by Software
DELL-NETWORKING-CHASSIS-MIB::dellNetProcessorResetReason.supervisor.1.
snmpwalk -v 2c -c public -On 10.16.150.97 1.3.6.1.4.1.6027.3.26.1.4.8
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.1
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.2
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.3
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.4
.1.3.6.1.4.1.6027.3.26.1.4.8.1.3.1
.1.3.6.1.4.1.6027.3.26.1.4.8.1.3.2
.1.3.6.1.4.1.6027.3.26.1.4.8.1.3.3
.1.3.6.1.4.1.6027.3.26.1.4.8.1.3.4
.1.3.6.1.4.1.6027.3.26.1.4.8.1.4.1
.1.3.6.1.4.1.6027.3.26.1.4.8.1.4.2
.1.3.6.1.4.1.6027.3.26.1.4.8.1.4.3
.1.3.6.1.4.1.6027.3.26.1.4.8.1.4.4
.1.3.6.1.4.1.6027.3.
Table 113. MIB Objects to display egress queue statistics (continued)
MIB Object | OID | Description
dellNetFpEgrQDroppedPacketsRate | 1.3.6.1.4.1.6027.3.27.1.20.1.8 | Rate of packets dropped per unicast/multicast egress queue.
dellNetFpEgrQDroppedBytesRate | 1.3.6.1.4.1.6027.3.27.1.20.1.9 | Rate of bytes dropped per unicast/multicast egress queue.
MIB Support to Display Egress Queue Statistics
Dell Networking OS provides MIB objects to display the ECMP group count information.
INTEGER: 1258296320
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.80.80.80.0.24.1.4.30.1.1.1.1.4.30.1.1.1 = INTEGER: 1275078656
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.90.90.90.0.24.0.0.0.0 = INTEGER: 2097157
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.90.90.90.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.90.90.90.2.32.1.4.90.90.90.2.1.4.90.90.90.2 = INTEGER: 2097157
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.100.100.100.0.24.1.4.10.1.1.1.1.4.10.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.20.1.1.1.32.1.4.20.1.1.1.1.4.20.1.1.1 = STRING: "Po 10"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.20.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.0.24.0.0.0.0 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.1.32.1.4.30.1.1.1.1.4.30.1.1.1 = STRING: "Po 20"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.
Gauge32: 0 SNMPv2SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.80.80.80.0.24.1.4.30.1.1.1.1.4.30.1.1.1 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.90.90.90.0.24.0.0.0.0 = Gauge32: 0 SNMPv2SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.90.90.90.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = Gauge32: 0 SNMPv2SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.90.90.90.2.32.1.4.90.90.90.2.1.4.90.90.90.2 = Gauge32: 0 SNMPv2SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.100.100.100.0.24.1.4.10.1.1.1.1.4.10.1.1.
.1.3.6.1.2.1.47.1.3.2.1.2.30.0 = OID: .1.3.6.1.2.1.2.2.1.1.2100356
.1.3.6.1.2.1.47.1.3.2.1.2.31.0 = OID: .1.3.6.1.2.1.2.2.1.1.2100484
SNMP Support for WRED Green/Yellow/Red Drop Counters
Dell Networking provides MIB objects to display the information for the WRED Green (Green Drops), Yellow (Yellow Drops), and Red (Out of Profile Drops) drop counters. These statistics can also be obtained by using the CLI command show qos statistics wred-profile.
MIB Support for LAG
Dell Networking provides a method to retrieve the configured LACP information (Actor and Partner). The term Actor (local interface) designates the parameters and flags pertaining to the sending node, while the term Partner (remote interface) designates the sending node's view of its peer's parameters and flags. LACP provides a standardized means for exchanging information with partner systems to form a link aggregation group (LAG).
Table 117. MIB Objects for LAG (continued)
MIB Object              OID                            Description
                                                       either delivering the frame to its MAC Client or discarding the frame.
dot3adAggPortListTable  1.2.840.10006.300.43.1.1.2     Contains a list of all the ports associated with each Aggregator. Each LACP channel in a device occupies an entry in the table.
dot3adAggPortListEntry  1.2.840.10006.300.43.1.1.2.1   Contains a list of ports associated with a given Aggregator and indexed by the ifIndex of the Aggregator.
dot3adAggPortListPorts  1.
Table 118. MIB Objects for Displaying Reserved Unrecognized LLDP TLVs (continued)
MIB Object             OID                         Description
lldpRemUnknownTLVInfo  1.0.8802.1.1.2.1.4.3.1.2    Contains the value extracted from the value field of the TLV.
Viewing the Details of Reserved Unrecognized LLDP TLVs
● To view the information of reserved unrecognized LLDP TLVs using SNMP, use the following command.
snmpwalk -v2c -c mycommunity 10.16.150.83 1.0.8802.1.1.2.1.4
iso.0.8802.1.1.2.1.4.1.1.6.0.2113029.2 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.
Table 119. MIB Objects for Displaying Organizational Specific Unrecognized LLDP TLVs (continued)
MIB Object         OID                         Description
                                               neighbor to identify a particular unrecognized organizationally defined information instance.
lldpRemOrgDefInfo  1.0.8802.1.1.2.1.4.4.1.4    Contains the string value used to identify the organizationally defined information of the remote system.
MIB support for interface level port security
The MIB table dellNetPortSecIfConfigTable is used to configure the port security feature (MAC address learning limit) on an interface.
NOTE: Port Security is not supported in VLT port channels.
The following table shows the MIB objects of the table dellNetPortSecIfConfigTable. The OID of the MIB table is 1.3.6.1.4.1.6027.3.31.1.2.1.
Table 121.
snmpset -v 2c -c public 10.16.129.26 1.3.6.1.4.1.6027.3.31.1.2.1.1.3.2101252 i 2147483647
To retrieve dellNetPortSecIfSecureMacLimit configured on an interface whose ifIndex is 2101252, use the following command.
snmpwalk -v 2c -c public 10.16.129.26 1.3.6.1.4.1.6027.3.31.1.2.1.1.3.2101252
SNMPv2-SMI::enterprises.6027.3.31.1.2.1.1.3.
● MAC Address (octet string of length 6, with the MAC address in decimal as the value)
● VLAN ID
Table 123. MIB Objects for configuring MAC addresses
MIB Object                OID                                Access or Permission   Description
dellNetSecureMacIfIndex   1.3.6.1.4.1.6027.3.31.1.3.1.1.3    read-only              Shows in which interface the dellNetSecureMacAddress is configured or learnt.
dellNetSecureMacAddrType  1.3.6.1.4.1.6027.3.31.1.3.1.1.4    read-only              Indicates if the secure MAC address is configured as static, dynamic, or sticky.
Displaying the Ports in a VLAN
The system identifies VLAN interfaces using an interface index number that is displayed in the output of the show interface vlan command.
Add Tagged and Untagged Ports to a VLAN
The dot1qVlanStaticEgressPorts object is an array of all VLAN members. The dot1qVlanStaticUntaggedPorts object is an array of only untagged VLAN members. All VLAN members that are not in dot1qVlanStaticUntaggedPorts are tagged.
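As an added example (not from this guide), the following Python decodes and builds the Q-BRIDGE-MIB PortList octet strings that dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts carry, and derives the tagged set as egress minus untagged; the sample PortLists are constructed and the port numbers are bridge port numbers, not ifIndex values.

```python
# Added example, not from the Dell guide: decode and build the Q-BRIDGE-MIB
# PortList octet strings carried by dot1qVlanStaticEgressPorts and
# dot1qVlanStaticUntaggedPorts. PortList layout (RFC 4363): octet k covers
# bridge ports 8k+1 .. 8k+8, and the most significant bit of each octet is the
# lowest-numbered port. Values are dot1dBasePort numbers, not ifIndex values.
from typing import Dict, Iterable, List, Set


def portlist_to_ports(octets: bytes) -> Set[int]:
    """Return the bridge port numbers whose bit is set in a PortList."""
    ports = set()
    for octet_index, octet in enumerate(octets):
        for bit in range(8):
            if octet & (0x80 >> bit):
                ports.add(octet_index * 8 + bit + 1)
    return ports


def ports_to_portlist(ports: Iterable[int], length: int) -> bytes:
    """Build a PortList of `length` octets with the given bridge ports set."""
    buf = bytearray(length)
    for port in ports:
        if port < 1 or port > length * 8:
            raise ValueError(f"port {port} does not fit in {length} octets")
        octet_index, bit = divmod(port - 1, 8)
        buf[octet_index] |= 0x80 >> bit
    return bytes(buf)


def parse_hex_string(text: str) -> bytes:
    """Parse the space-separated Hex-STRING form printed by snmpwalk."""
    return bytes(int(tok, 16) for tok in text.split())


def vlan_membership(egress_hex: str, untagged_hex: str) -> Dict[str, List[int]]:
    """Split a VLAN's members into tagged and untagged port lists.

    Egress holds every member, untagged is a subset, and tagged is
    egress minus untagged, as the text above describes. A port that is
    listed as untagged but is not an egress member is reported separately,
    because an agent should never return that combination.
    """
    egress = portlist_to_ports(parse_hex_string(egress_hex))
    untagged = portlist_to_ports(parse_hex_string(untagged_hex))
    return {
        "tagged": sorted(egress - untagged),
        "untagged": sorted(egress & untagged),
        "untagged_not_member": sorted(untagged - egress),
    }


# Constructed sample (not from the guide): 4-octet PortLists for a 32-port
# bridge. C1 = ports 1, 2 and 8; the 80 in the third octet = port 17.
SAMPLE_EGRESS = "C1 00 80 00"
SAMPLE_UNTAGGED = "80 00 00 00"

if __name__ == "__main__":
    print(vlan_membership(SAMPLE_EGRESS, SAMPLE_UNTAGGED))
    # The same membership rebuilt into the octet string an snmpset would carry
    print(ports_to_portlist({1, 2, 8, 17}, 4).hex(" "))
```

The all-zero octet string shown for a VLAN with no members decodes to an empty set; the length of the PortList you send back must match the length the agent returned.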
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Managing Overload on Startup
If you are running IS-IS, you can set a specific amount of time to prevent ingress traffic from being received after a reload and allow the routing protocol upgrade process to complete. To prevent ingress traffic on a router while the IS reload is implemented, use the following command.
VLAN ID and MAC address — to allow for multiple forwarding databases and considering that the same MAC address is learned on multiple VLANs. The VLAN ID is added as the first index so that MAC addresses are read by the VLAN, sorted lexicographically. The MAC address is part of the OID instance, so in this case, lexicographic order is according to the most significant octet. Table 124.
SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.3.1000.0.1.232.6.149.172.1 = INTEGER: 1
SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.4.1000.0.1.232.6.149.172.1 = INTEGER: 1
Deriving Interface Indices
The Dell Networking OS assigns an interface index to each (configured and unconfigured) physical or logical interface, and displays it in the output of the show interface command. The interface index is a binary number with bits that indicate the slot number, port number, interface type, and card type of the interface.
If you know the interface index, use the following commands to find the interface number.
DellEMC ~ $ snmpwalk -v 2c -c public 10.16.206.127 .1.3.6.1.2.1.2.2.1.2 | grep 2097156
IF-MIB::ifDescr.2097156 = STRING: TenGigabitEthernet 1/1
DellEMC ~ $ snmpwalk -v 2c -c public 10.16.206.127 .1.3.6.1.2.1.31.1.1.1.1 | grep 2097156
IF-MIB::ifName.2097156 = STRING: TenGigabitEthernet 1/1
You can use the show interfaces command to view the interface index.
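As an added example (not from this guide), the following Python parses snmpwalk lines of the shape shown above, decodes the VLAN-ID.MAC-address instance that follows the column OID (the enterprises.6027.3.2.1.1.5.1.3 entries shown earlier use that layout) in the numeric sub-identifier order the text describes, and maps an ifIndex to its ifDescr/ifName; the sample lines and the second ifIndex are constructed.

```python
# Added example, not from the Dell guide: parse snmpwalk output lines like the
# ones shown above, decode the VLAN-ID.MAC-address instance that indexes the
# MAC entries, and resolve an ifIndex through IF-MIB::ifDescr / ifName.
import re
from typing import Dict, List, Tuple

# 'OID = TYPE: value' as printed by the net-snmp tools
LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s*(?P<value>.*)$")


def parse_walk_line(line: str) -> Tuple[str, str, str]:
    """Split one snmpwalk line into (oid, type, value); unquote STRING values."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an snmpwalk line: {line!r}")
    value = m.group("value")
    if m.group("type") == "STRING" and len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return m.group("oid"), m.group("type"), value


def instance_subids(oid: str, column_oid: str) -> Tuple[int, ...]:
    """Return the numeric sub-identifiers that follow column_oid in oid."""
    prefix = column_oid + "."
    if not oid.startswith(prefix):
        raise ValueError(f"{oid} is not an instance of {column_oid}")
    return tuple(int(s) for s in oid[len(prefix):].split("."))


def decode_vlan_mac_index(subids: Tuple[int, ...]) -> Tuple[int, str, Tuple[int, ...]]:
    """Instance layout: VLAN-ID . six decimal MAC octets . remaining sub-ids."""
    if len(subids) < 7:
        raise ValueError("instance too short for a VLAN + MAC index")
    vlan, mac_octets, rest = subids[0], subids[1:7], subids[7:]
    if not 1 <= vlan <= 4094 or any(not 0 <= o <= 255 for o in mac_octets):
        raise ValueError("instance is not a valid VLAN/MAC index")
    return vlan, ":".join(f"{o:02x}" for o in mac_octets), rest


def vlan_mac_entries(lines: List[str], column_oid: str) -> List[Tuple[int, str]]:
    """(vlan, mac) pairs in SNMP lexicographic order.

    Sub-identifiers compare as integers, so an entry whose MAC octet is 9
    sorts before one whose octet is 100; a plain string sort of the OID text
    would reverse them. VLAN is the first index, so entries group by VLAN.
    """
    instances = sorted(instance_subids(parse_walk_line(l)[0], column_oid) for l in lines)
    return [decode_vlan_mac_index(i)[:2] for i in instances]


def ifindex_to_name(lines: List[str]) -> Dict[int, str]:
    """Map ifIndex -> interface name from ifDescr / ifName walk lines."""
    table: Dict[int, str] = {}
    for line in lines:
        oid, _, value = parse_walk_line(line)
        column, _, index = oid.rpartition(".")
        if column.endswith(("ifDescr", "ifName")):
            table[int(index)] = value
    return table


# Constructed sample lines modelled on the output above (not the guide's own).
MAC_COLUMN = "SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.3"
SAMPLE_MAC_LINES = [
    MAC_COLUMN + ".1000.0.1.232.6.100.172.1 = INTEGER: 1",
    MAC_COLUMN + ".1000.0.1.232.6.9.172.1 = INTEGER: 1",
    MAC_COLUMN + ".20.0.1.232.6.149.172.1 = INTEGER: 1",
]
SAMPLE_IF_LINES = [
    "IF-MIB::ifDescr.2097156 = STRING: TenGigabitEthernet 1/1",
    "IF-MIB::ifName.2097412 = STRING: TenGigabitEthernet 1/2",  # constructed ifIndex
]

if __name__ == "__main__":
    print(vlan_mac_entries(SAMPLE_MAC_LINES, MAC_COLUMN))
    print(ifindex_to_name(SAMPLE_IF_LINES))
```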
● snmp-server community VRF1 ro
● snmp-server community VRF2 ro
● snmp-server context cx1
● snmp-server context cx2
● snmp-server group admingroup 3 auth read readview write writeview
● snmp-server group admingroup 3 auth read readview context cx1
● snmp-server group admingroup 3 auth read readview context cx2
● snmp-server user admin admingroup 3 auth md5 helloworld
● snmp mib community-map VRF1 context cx1
● snmp mib community-map VRF2 context cx2
● snmp-server view readview .
Monitor Port-Channels
To check the status of a Layer 2 port-channel, use f10LinkAggMib (.1.3.6.1.4.1.6027.3.2). In the following example, Po 1 is a switchport and Po 2 is in Layer 3 mode.
Example of SNMP Trap for Monitored Port-Channels
[senthilnathan@lithium ~]$ snmpwalk -v 2c -c public 10.11.1.1 .1.3.6.1.4.1.6027.3.2.1.1
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.1 = INTEGER: 1
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.2 = INTEGER: 2
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.2.
IF-MIB::linkUp
IF-MIB::ifIndex.1107755009 = INTEGER: 1107755009
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Po 1"
Troubleshooting SNMP Operation
When you use SNMP to retrieve management data from an SNMP agent on a Dell Networking router, take into account the following behavior.
● When you query an IPv4 icmpMsgStatsInPkts object in the ICMP table by using the snmpwalk command, the output for echo replies may be incorrectly displayed.
Configuring SNMP context name
To configure the SNMP context name for the OSPFv3 module, use the following commands.
● Configure the SNMP context name.
CONF-IPV6-ROUTER-OSPF mode
snmp context context-name
● Verify the SNMP context configuration.
EXEC Privilege mode
show running-config ospf
Sample SNMP context configuration:
DellEMC(conf-ipv6-router_ospf)#snmp context ospf1
DellEMC>show running-config ospf
!
ipv6 router ospf 10
 router-id 10.10.10.
54 Storm Control
Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell Networking Operating System (OS) Behavior: Dell Networking OS supports unknown-unicast, multicast, and broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic.
To view the storm control configuration, use the show storm-control {broadcast | multicast | unknown-unicast | pfc-llfc} [interface] command.
INTERFACE mode
storm-control multicast packets_per_second in
● Shut down the port if it receives PFC/LLFC packets at more than the configured rate.
INTERFACE mode
storm-control pfc-llfc pps in shutdown
NOTE: An interface with PFC/LLFC storm control enabled is disabled if it receives continuous PFC/LLFC packets. This can be the result of a faulty NIC or switch that sends spurious PFC/LLFC packets.
55 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network.
● Modifying Interface STP Parameters
● Enabling PortFast
● Prevent Network Disruptions with BPDU Guard
● STP Root Guard
● Enabling SNMP Traps for Root Elections and Topology Changes
Important Points to Remember
● STP is disabled by default.
● The Dell Networking OS supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+). You may only enable one flavor of spanning tree at any one time.
Configuring Interfaces for Layer 2 Mode
All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled.
Figure 138. Example of Configuring Interfaces for Layer 2 Mode
To configure and enable the interfaces for Layer 2, use the following commands.
1. If the interface has been assigned an IP address, remove it.
INTERFACE mode
no ip address
2. Place the interface in Layer 2 mode.
INTERFACE mode
switchport
3. Enable the interface.
no shutdown
Dell(conf-if-te-1/1)#
Enabling Spanning Tree Protocol Globally
Enable the spanning tree protocol globally; it is not enabled by default. When you enable STP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the Spanning Tree topology.
● Only one path from any bridge to any other bridge participating in STP is enabled.
● Bridges block a redundant path by disabling one of the link ports.
Figure 139.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
R2#show spanning-tree 0
Executing IEEE compatible Spanning Tree Protocol
Bridge Identifier has priority 32768, address 0001.e826.ddb7
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32768, address 0001.e80d.
Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP. NOTE: Dell Networking recommends that only experienced network administrators change the spanning tree parameters. Poorly planned modification of the spanning tree parameters can negatively affect network performance. The following table displays the default values for STP. Table 127.
Modifying Interface STP Parameters You can set the port cost and port priority values of interfaces in Layer 2 mode. ● Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port. ● Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost. The default values are listed in Modifying Global Parameters.
Prevent Network Disruptions with BPDU Guard
Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/Edgeport (edgeports) do not expect to receive BPDUs. If an edgeport does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
Figure 140. Enabling BPDU Guard
Dell EMC Networking OS Behavior: BPDU guard:
● is used on edgeports and blocks all traffic on the edgeport if it receives a BPDU.
● drops the BPDU after it reaches the RP and generates a console message.
Example of Blocked BPDUs
Selecting STP Root
The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root.
Root Bridge hello time 2, max age 20, forward delay 15
Dell#
STP Root Guard
Use the STP root guard feature in a Layer 2 network to avoid bridging loops. In STP, the switch in the network with the lowest priority (as determined by STP or set with the bridge-priority command) is selected as the root bridge. If two switches have the same priority, the switch with the lower MAC address is selected as the root.
Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: ● Root guard is supported on any STP-enabled port or port-channel interface.
STP port on Switch C becomes unblocked and transitions to Forwarding state. A loop is created as both Switch A and Switch C transmit traffic to Switch B. As shown in the following illustration (STP topology 2, upper right), a loop can also be created if the forwarding port on Switch B becomes busy and does not forward BPDUs within the configured forward-delay time.
○ Spanning Tree Protocol (STP)
○ Rapid Spanning Tree Protocol (RSTP)
○ Multiple Spanning Tree Protocol (MSTP)
○ Per-VLAN Spanning Tree Plus (PVST+)
● You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure loop guard on a port on which root guard is already configured, the following error message is displayed:
% Error: RootGuard is configured. Cannot configure LoopGuard.
56 SupportAssist
SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell Networking device. For more information on SmartScripts, see the Dell Networking Open Automation Guide.
Figure 143.
Configuring SupportAssist Using a Configuration Wizard You are guided through a series of queries to configure SupportAssist. The generated commands are added to the running configuration, including the DNS resolve commands, if configured. This command starts the configuration wizard for the SupportAssist. At any time, you can exit by entering Ctrl-C. If necessary, you can skip some data entry. Enable the SupportAssist service.
this consent on behalf of that entity. If you do not consent to the collection, transmission and/or use of the Collected Data, you may not download, install or otherwise use SupportAssist. NOTE: This step is not mandatory and you can configure SupportAssist manually without performing this step. Even before you accept or reject the EULA, the configuration data is sent to the default centrally deployed SupportAssist Server.
Configuring SupportAssist Activity SupportAssist Activity mode allows you to configure and view the action-manifest file for a specific activity. To configure SupportAssist activity, use the following commands. 1. Move to the SupportAssist Activity mode for an activity. Allows you to configure customized details for a specific activity.
action-manifest remove
Dell(conf-supportassist-act-full-transfer)#action-manifest remove custom_file1.json
Dell(conf-supportassist-act-full-transfer)#
Dell(conf-supportassist-act-event-transfer)#action-manifest remove custom_event_file1.json
Dell(conf-supportassist-act-event-transfer)#
6. Enable a specific SupportAssist activity. By default, the full transfer includes the core files. When you disable the core transfer activity, the full transfer excludes the core files.
Configuring SupportAssist Person SupportAssist Person mode allows you to configure name, email addresses, phone, method and time zone for contacting the person. SupportAssist Person configurations are optional for the SupportAssist service. To configure SupportAssist person, use the following commands. 1. Configure the contact name for an individual.
[no] proxy-ip-address {ipv4-address | ipv6-address} port port-number [username userid password [encryption-type] password]
Dell(conf-supportassist-serv-default)#proxy-ip-address 10.0.0.1 port 1024 username test password 0 test1
Dell(conf-supportassist-serv-default)#
3. Enable communication with the SupportAssist server.
SUPPORTASSIST SERVER mode
[no] enable
Dell(conf-supportassist-serv-default)#enable
Dell(conf-supportassist-serv-default)#
4. Configure the URL to reach the SupportAssist remote server.
!
contact-company name Dell street-address F lane , Sector 30
 address city Brussels state HeadState country Belgium postalcode S328J3
!
contact-person first Fred last Nash
 email-address primary des@sed.com alternate sed@dol.com
 phone primary 123422 alternate 8395729
 preferred-method email
 time-zone zone +05:30 start-time 12:23 end-time 15:23
!
server Dell
 enable
 url http://1.1.1.1:1337
Dell#
3. Display the EULA for the feature.
57 System Time and Date
System time and date settings are user-configurable and maintained through the network time protocol (NTP). System times and dates are also set in hardware settings using the Dell Networking OS CLI.
Topics:
• Network Time Protocol
• Time and Date
Network Time Protocol
The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients. The protocol also coordinates time distribution in a large, diverse network with various interfaces.
Protocol Overview
The client sends NTP messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
ntp server ip-address
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode.
DellEMC#show ntp status
Clock is synchronized, stratum 4, reference is 10.16.151.117, vrf-id is 0
frequency is -44.862 ppm, stability is 0.050 ppm, precision is -18
reference time deeef7ef.85eeaa10 Tue, Jul 10 2018 9:16:31.523 UTC
clock offset is -0.167449 msec, root delay is 149.194 msec
root dispersion is 54.557 msec, peer dispersion is 0.
Enter the following keywords and slot/port or number information:
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
○ For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
○ For the Management interface, enter the keyword ManagementEthernet then the slot/port information.
○ prefer: Enter the keyword prefer to set this NTP server as the preferred server.
○ version number: Enter a number as the NTP version. The range is from 1 to 4.
○ minpoll polling-interval: Enter the minpoll value. The range is from 4 to 16.
○ maxpoll polling-interval: Enter the maxpoll value. The range is from 4 to 16.
5. Configure the switch as NTP master.
CONFIGURATION mode
ntp master
To configure the switch as an NTP server, use the ntp master command.
● Reference Timestamp (sys.reftime, peer.reftime, pkt.reftime) — This is the local time, in timestamp format, when the local clock was last updated. If the local clock has never been synchronized, the value is zero. ● Originate Timestamp: The departure time on the server of its last NTP message. If the server becomes unreachable, the value is set to zero. ● Receive Timestamp — the arrival time on the client of the last NTP message from the server. If the server becomes unreachable, the value is set to zero.
● Setting the Time and Date for the Switch Software Clock
● Setting the Timezone
● Setting Daylight Saving Time Once
● Setting Recurring Daylight Saving Time
Setting the Time and Date for the Switch Software Clock
You can change the order of the month and day parameters to enter the time and date as time day month year. You cannot delete the software clock. The software clock runs only when the software is up. The clock restarts, based on the hardware clock, when the switch reboots.
Set Daylight Saving Time The system supports setting the system to daylight saving time once or on a recurring basis every year. Setting Daylight Saving Time Once Set a date (and time zone) on which to convert the switch to daylight saving time on a one-time basis. To set the clock for daylight savings time once, use the following command. ● Set the clock to the appropriate timezone and daylight saving time.
○ start-month: Enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.
○ start-day: Enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year.
○ start-year: Enter a four-digit number as the year. The range is from 1993 to 2035.
○ start-time: Enter the time in hours:minutes.
The range for threshold-value is from 0 to 999.
58 Tunneling
Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported.
tunnel source 60.1.1.1
tunnel mode ipv6ip
no shutdown
The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic):
Dell(conf)#interface tunnel 3
Dell(conf-if-tu-3)#tunnel source 5::5
Dell(conf-if-tu-3)#tunnel destination 8::9
Dell(conf-if-tu-3)#tunnel mode ipv6
Dell(conf-if-tu-3)#ip address 3.1.1.1/24
Dell(conf-if-tu-3)#ipv6 address 3::1/64
Dell(conf-if-tu-3)#no shutdown
Dell(conf-if-tu-3)#show config
!
interface Tunnel 3
 ip address 3.1.1.
Configuring Tunnel allow-remote Decapsulation
You can configure an IPv4 or IPv6 address or prefix whose tunneled packets will be accepted for decapsulation.
● If no allow-remote entries are configured, then tunneled packets from any remote peer address will be accepted.
● Up to eight allow-remote entries can be configured on any particular multipoint receive-only tunnel.
The following sample configuration shows how to configure a tunnel allow-remote address.
Guidelines for Configuring Multipoint Receive-Only Tunnels
● You can configure up to eight remote end-points for a multipoint receive-only tunnel. The maximum number of remote endpoints supported for all multipoint receive-only tunnels on the switch depends on the hardware table size available to set up termination.
● The IP MTU configured on the physical interface determines how multiple nested encapsulated packets are handled in a multipoint receive-only tunnel.
59 Upgrade Procedures To find the upgrade procedures, go to the Dell EMC Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell EMC Networking OS version. To upgrade your system type, follow the procedures in the Dell EMC Networking OS Release Notes. You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.
60 Uplink Failure Detection (UFD) Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link.
Figure 145. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 146. Uplink Failure Detection Example
If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. This number is configurable and is calculated by the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
● If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with an UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
4. (Optional) Enable auto-recovery so that UFD-disabled downstream ports in the uplink-state group come up when a disabled upstream port in the group comes back up.
UPLINK-STATE-GROUP mode
downstream auto-recover
By default, auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command.
5. (Optional) Enter a text description of the uplink-state group.
Uplink State Group: 16 Status: Disabled, Up
Dell# show uplink-state-group 16
Uplink State Group: 16 Status: Disabled, Up
Dell#show uplink-state-group detail
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled
Uplink State Group : 1 Status: Enabled, Up
Upstream Interfaces :
Downstream Interfaces :
Uplink State Group : 3 Status: Enabled, Up
Upstream Interfaces : Te 0/46(Up) Te 0/47(Up)
Downstream Interfaces : Te 1/0(Up) Te 1/1(Up) Te 1/3(Up) Te 1/5(Up) Te 1/6(Up)
Uplink State Group : 5 Status
upstream TengigabitEthernet 0/48, 52
upstream PortChannel 1
!
uplink state track 2
downstream TengigabitEthernet 0/1, 3, 5, 7-10
upstream TengigabitEthernet 0/56, 60
Dell(conf-uplink-state-group-16)# show configuration
!
uplink-state-group 16
no enable
description test
downstream disable links all
downstream TengigabitEthernet 0/40
upstream TengigabitEthernet 0/41
upstream Port-channel 8
Sample Configuration: Uplink Failure Detection
The following example shows a sample configuration of UFD on a switch/rou
Uplink State Group: 3 Status: Enabled, Up
Dell# show uplink-state-group detail
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled
Uplink State Group : 3 Status: Enabled, Up
Upstream Interfaces : Te 0/3(Up) Te 0/4(Dwn)
Downstream Interfaces : Te 0/1(Dis) Te 0/2(Dwn) Te 0/5(Dwn) Te 0/9(Dwn) Te 0/11(Dwn) Te 0/12(Dwn)
61 Virtual LANs (VLANs)
Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
● Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN. Alternatively, use the no switchport command, and the system removes the interface from the Default VLAN. ● A tagged interface requires an additional step to remove it from Layer 2 mode. Because tagged interfaces can belong to multiple VLANs, remove the tagged interface from all VLANs using the no tagged interface command.
NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes as specified in the IEEE 802.3 standard. Some devices that are not compliant with IEEE 802.3 may not support the larger frame size. Information contained in the tag header allows the system to prioritize traffic and to forward information to ports associated with a specific VLAN ID. Tagged interfaces can belong to multiple VLANs, while untagged interfaces can belong only to one VLAN.
Configuring Native VLANs Traditionally, ports can be either untagged for membership to one VLAN or tagged for membership to multiple VLANs. You must connect an untagged port to a VLAN-unaware station (one that does not understand VLAN tags), and you must connect a tagged port to a VLAN-aware station (one that generates and understands VLAN tags). Native VLAN support breaks this barrier so that you can connect a port to both VLAN-aware and VLAN-unaware stations. Such ports are referred to as hybrid ports.
To view the configured VLANs, use the show vlan command in EXEC Privilege mode.
Dell#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
NUM * 1 2 3 4 5 6 Status Inactive Active Active Active Active Active Dell# Q U U U T U U U Ports Te 1/4-11 Te 0/1,18 Te 0/2,19 Te 0/3,20 Po 1 Te 0/12 Te 2/0
Assigning Interfaces to a VLAN
You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command.
interface Vlan 4
 no ip address
 tagged Port-channel 1
Dell(conf-if-vlan)#end
Dell#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
    NUM    Status    Q Ports
*   1      Inactive
    2      Active    T Po1(Te 0/0-1)
                     T Te 3/0
    3      Active    T Po1(Te 0/0-1)
                     T Te 3/1
    4      Active    T Po1(Te 0/0-1)
Dell#
When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN.
Codes: * - Default VLAN, G - GVRP VLANs
    NUM    Status    Q Ports
*   1      Inactive
    2      Active    T Po1(Te 0/0-1)
                     T Te 2/0
    3      Active    T Po1(Te 0/0-1)
                     T Te 2/1
    4      Active    U Te 2/2
Dell#
The only way to remove an interface from the Default VLAN is to place the interface in Default mode by using the no switchport command in INTERFACE mode.
62 VLT Proxy Gateway
The Virtual Link Trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to an L3 end point in another VLT domain. Enable the VLT proxy gateway using the Link Layer Discovery Protocol (LLDP) method or the static configuration.
Figure 148. VLT Proxy Gateway — Topology 1
Guidelines for Enabling the VLT Proxy Gateway
Keep the following points in mind when you enable this functionality:
1. The proxy gateway is supported only for VLT; for example, across VLT domains.
2. To get the full benefit of the proxy gateway, peer-routing is recommended.
3.
13. When a VM moves from one VLT domain to another VLT domain, the VM host sends a gratuitous ARP (GARP). The GARP triggers a MAC movement from the previous VLT domain to the new VLT domain.
14. After a station move, if a host sends a TTL 1 packet destined to its gateway (for example, a previous VLT node), the packet may be dropped.
15. After a station move, if a host first pings its gateway (for example, a previous VLT node), it results in a 40 to 60% success rate because the traffic takes a longer path.
● No interface-level LLDP disable CLIs on the interfaces configured for proxy gateway; you must enable both transmission and reception.
● You must connect both units of the remote VLT domain by the port channel member.
Sample Scenario for VLT Proxy Gateway

Figure 149. VLT Proxy Gateway — Topology 2

1. The above figure (Topology 2) shows a sample VLT proxy gateway scenario. There are no diagonal links in the square VLT connection between C and D in VLT domain 1 and C1 and D1 in VLT domain 2. This undergoes sub-optimal routing with the VLT Proxy Gateway LLDP method.
Static Proxy Configuration Method
Dell(conf-vlt-domain)#proxy-gateway static
Dell(conf-vlt-domain-pxy-gw-static)#remote-mac-address 01:23:45:67:89:ab exclude-vlan 10

Dynamic Proxy Configuration Method
Dell(conf-vlt-domain)#proxy-gateway lldp
Dell(conf-vlt-domain-pxy-gw-lldp)#peer-domain-link port-channel 1 exclude-vlan 5
Dell(conf-vlt-domain-proxy-gw-lldp)#peer-domain-link port-channel interface exclude-vlan vlan-range
4. Display the VLT proxy gateway configuration.
63 Virtual Routing and Forwarding (VRF)

Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. VRF allows multiple instances of a routing table to co-exist within the same router at the same time.
Figure 150. VRF Network Example

VRF Configuration Notes

Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
Table 128. Features Supported in VRF
Feature/Capability                                         | Support Status for Default VRF | Support Status for Non-default VRF
Configuration rollback for commands introduced or modified | Yes                            | No
LLDP protocol on the port                                  | Yes                            | No
802.
Table 128. Features Supported in VRF (continued)
Feature/Capability                                   | Support Status for Default VRF | Support Status for Non-default VRF
Secondary IP Addresses                               | Yes                            | No
Following IPv6 capabilities                          |                                | No
  Basic                                              | Yes                            | No
  OSPFv3                                             | Yes                            | No
  ISIS                                               | Yes                            | No
  BGP                                                | Yes                            | No
  ACL                                                | Yes                            | Yes
  Multicast                                          | Yes                            | No
  NDP                                                | Yes                            | No
  RAD                                                | Yes                            | No
Ingress/Egress Storm-Control (per-interface/global)  | Yes                            | No
DHCP: DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance.
Table 130. Creating a Non-Default VRF Instance
Task | Command Syntax | Command Mode
Create a non-default VRF instance by specifying a name and VRF ID number, and enter VRF configuration mode. | ip vrf vrf-name vrf-id (VRF ID range: 1 to 512, and 0 for the default VRF) | CONFIGURATION

Assigning an Interface to a VRF

You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface.
Table 133. View VRF Instance Information
Task | Command Syntax | Command Mode
Display the interfaces assigned to a VRF instance. To display information on all VRF instances (including the default VRF 0), do not enter a value for vrf-name. | show ip vrf [vrf-name] | EXEC

Assigning an OSPF Process to a VRF Instance

OSPF routes are supported on all VRF instances. Refer to Open Shortest Path First (OSPFv2) for complete OSPF configuration information. Assign an OSPF process to a VRF instance.
Table 135. VRRP on VRF (continued)
Task | Command Syntax | Command Mode
 | virtual-address 10.1.1.100 |
 | no shutdown |
View VRRP command output for the VRF vrf1 | show vrrp vrf vrf1 |

-----------------
TenGigabitEthernet 0/13, IPv4 VRID: 10, Version: 2, Net: 10.1.1.1 VRF: 2 vrf1
State: Master, Priority: 100, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 43, Gratuitous ARP sent: 0
Virtual MAC address: 00:00:5e:00:01:0a
Virtual IP address: 10.1.1.
Configuring a Static Route

To configure a static route, perform the following steps:

Table 136. Configuring a Static Route
Task | Command Syntax | Command Mode
Configure a static route that points to a management interface. | management route ip-address mask managementethernet, or management route ipv6-address prefix-length managementethernet |
NOTE: You can also have the management route point to a front-end port in the case of the management VRF. For example: management route 2::/64 te 0/0.
Figure 151.
Figure 152. Setup VRF Interfaces

The following example relates to the configuration shown in the above illustrations.

Router 1

Router 2

The following shows the output of the show commands on Router 1.

Router 1

The following shows the output of the show commands on Router 2.
Configuring Route Leaking with Filtering

When you initialize route leaking from one VRF to another, all the routes are exposed to the target VRF. If the size of the source VRF's RTM is considerably large, an import operation results in the duplication of the target VRF's RTM with the source RTM entries. To mitigate this issue, you can use route-maps to filter the routes that are exported and imported into the route targets based on certain matching criteria.
When you import routes into VRF-blue using the route-map import_ospf_protocol, only OSPF routes are imported into VRF-blue. Even though VRF-red has leaked both OSPF and BGP routes to be shared with other VRFs, this command imports only OSPF routes into VRF-blue.
9. Configure the import target in the source VRF for reverse communication with the destination VRF.
1. Configure VRF-shared using the following commands:
   ip vrf vrf-shared
   ip vrf forwarding vrf-shared
   ip address x.x.x.x 255.x.x.x
   A non-default VRF named VRF-shared is created and the interface 1/4 is assigned to this VRF.
2. Configure the export target in the source VRF:
   ip route-export 1:1
3. Configure VRF-red:
   ip vrf vrf-red
   ip vrf forwarding VRF-red
   ip address x.x.x.x 255.x.x.x
   A non-default VRF named VRF-red is created and the interface 1/11 is assigned to this VRF.
4.
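To make the export/import semantics of the route-leaking steps above concrete, the following is an added Python model; it is not Dell OS code. It keeps one routing table (RTM) per VRF, lets a source VRF offer routes under a route target, and lets a target VRF install only the offered routes that pass its route-map, which is the mechanism the text uses to keep VRF-blue from receiving a full copy of VRF-red's RTM. The VRF names VRF-red and VRF-blue and the route-map name import_ospf_protocol come from the text; VRF-green, the prefixes, protocols and next hops are constructed for the demo, and the method names only mirror the ip route-export / ip route-import commands.

```python
"""Model of VRF route leaking with route-map filtering.

Added example, not Dell OS code: an in-memory model of per-VRF routing tables (RTMs)
that mirrors the behaviour the guide describes for ip route-export / ip route-import
with a route-map. Prefixes, VRF-green and the next hops are constructed for the demo.
"""
from collections import namedtuple

Route = namedtuple("Route", "prefix protocol next_hop")


class RouteLeakModel:
    def __init__(self):
        self.rtm = {}          # VRF name -> set of Route currently installed
        self.exported = {}     # route target -> set of Route offered under that target
        self.route_maps = {}   # route-map name -> predicate(Route) -> bool

    def add_vrf(self, name, routes=()):
        self.rtm[name] = set(routes)

    def define_route_map(self, name, permit_protocol):
        """Models a route-map that permits only routes learned by one protocol."""
        self.route_maps[name] = lambda r: r.protocol == permit_protocol

    def _apply(self, routes, route_map):
        if route_map is None:
            return set(routes)
        permit = self.route_maps[route_map]
        return {r for r in routes if permit(r)}

    def ip_route_export(self, vrf, target, route_map=None):
        """Source VRF offers its (optionally filtered) routes under a route target."""
        offered = self._apply(self.rtm[vrf], route_map)
        self.exported.setdefault(target, set()).update(offered)

    def ip_route_import(self, vrf, target, route_map=None):
        """Target VRF installs offered routes that pass its route-map; returns what was added."""
        offered = self.exported.get(target, set())
        added = self._apply(offered, route_map) - self.rtm[vrf]
        self.rtm[vrf] |= added
        return added

    def prefixes(self, vrf):
        return sorted(r.prefix for r in self.rtm[vrf])


def demo():
    """VRF-red leaks OSPF and BGP routes; VRF-blue imports only OSPF, VRF-green imports everything."""
    m = RouteLeakModel()
    m.add_vrf("VRF-red", [
        Route("10.1.0.0/24", "connected", "0.0.0.0"),
        Route("10.2.0.0/24", "ospf", "10.1.0.2"),
        Route("10.3.0.0/24", "ospf", "10.1.0.3"),
        Route("172.16.0.0/16", "bgp", "10.1.0.9"),
    ])
    m.add_vrf("VRF-blue", [Route("192.168.1.0/24", "connected", "0.0.0.0")])
    m.add_vrf("VRF-green")
    m.define_route_map("import_ospf_protocol", "ospf")
    m.ip_route_export("VRF-red", "1:1")                                  # export everything
    blue = m.ip_route_import("VRF-blue", "1:1", "import_ospf_protocol")  # filtered import
    green = m.ip_route_import("VRF-green", "1:1")                        # unfiltered: full copy of red's RTM
    return m, blue, green


if __name__ == "__main__":
    model, blue_added, green_added = demo()
    print("VRF-blue received:", sorted(r.prefix for r in blue_added))
    print("VRF-green received:", sorted(r.prefix for r in green_added))
```

The unfiltered import into VRF-green is the case the text warns about: every route of the source RTM is duplicated into the target. The filtered import into VRF-blue shows why the route-map is applied on the import side as well as the export side: the source may leak everything under one target while each consumer keeps only what it needs.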
64 Virtual Link Trunking (VLT) Virtual link trunking (VLT) is supported on Dell Networking OS.
Overview

In a traditional switched topology as shown below, spanning tree protocols (STPs) are used to block one or more links to prevent loops in the network. Although loops are prevented, the bandwidth of all links is not effectively utilized by the connected devices.

Figure 153. Traditional switched topology

VLT not only overcomes this caveat, but also provides a multipath to the connected devices.
L2/L3 control plane protocols and system management features function normally in VLT mode. Features such as VRRP and internet group management protocol (IGMP) snooping require state information coordination between the two VLT chassis. The IGMP and VLT configurations must be identical on both sides of the trunk to ensure the same behavior on both sides. The following example shows how VLT is deployed.
VLT on Core Switches

You can also deploy VLT on core switches. Uplinks from servers to the access layer and from the access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This setup requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode.
● If the DHCP server is located on the ToR and the VLTi (ICL) is down due to a failed link when a VLT node is rebooted in BMP mode, the node is not able to reach the DHCP server, resulting in BMP failure.
● If the source is connected to an orphan (non-spanned, non-VLT) port in a VLT peer, the receiver is connected to a VLT (spanned) port-channel, and the VLT port-channel link between the VLT peer connected to the source and the ToR is down, traffic is duplicated due to route inconsistency between peers.
○ MAC addresses for VLANs configured across VLT peer chassis are synchronized over the VLT interconnect on an egress port such as a VLT LAG. MAC addresses are the same on both VLT peer nodes. ○ ARP entries configured across the VLTi are the same on both VLT peer nodes. ○ If you shut down the port channel used in the VLT interconnect on a peer switch in a VLT domain in which you did not configure a backup link, the switch’s role displays in the show vlt brief command output as Primary instead of Standalone.
○ In a VLT domain, the following software features are supported on VLT port-channels: 802.1p, ingress and egress ACLs, BGP, DHCP relay, IS-IS, OSPF, active-active PIM-SM, PIM-SSM, VRRP, Layer 3 VLANs, LLDP, flow control, port monitoring, jumbo frames, IGMP snooping, sFlow, and the Layer 2 control protocols RSTP and PVST only. NOTE: Peer VLAN spanning tree plus (PVST+) passthrough is supported in a VLT domain. PVST+ BPDUs do not result in an interface shutdown.
peers resynchronize any MAC addresses learned while communication was interrupted and the VLT system continues normal data forwarding. ○ If the primary chassis fails, the secondary chassis takes on the operational role of the primary. ● The SNMP MIB reports VLT statistics. Primary and Secondary VLT Peers Primary and secondary VLT peers are supported to prevent issues when connectivity between peers is lost on the switch. You can elect or configure the Primary Peer.
VLT and High Availability High availability (HA) support on VLT ensures seamless and uninterrupted flow of VLT features during RPM failure (failover). When RPM failover happens, the new active RPM triggers a new VLT registration to its VLT peer. It ensures that the VLT node with new active RPM receives all the VLT information from its VLT peer.
PIM-Sparse Mode Support on VLT

The designated router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources.

Figure 156.
Each VLT peer runs its own PIM protocol independently of other VLT peers. To ensure the PIM protocol states or multicast routing information base (MRIB) on the VLT peers are synced, if the incoming interface (IIF) and outgoing interface (OIF) are spanned, the multicast route table is synced between the VLT peers. To verify the PIM neighbors on the VLT VLAN and on the multicast port, use the show ip pim neighbor, show ip igmp snooping mrouter, and show running-config commands.
Configuring VLT Unicast

To enable and configure VLT unicast, follow these steps.
1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
   CONFIGURATION mode
   vlt domain domain-id
2. Enable peer-routing.
   VLT DOMAIN mode
   peer-routing
3. Configure the peer-routing timeout.
   VLT DOMAIN mode
   peer-routing-timeout value
   value: Specify a value (in seconds) from 1 to 65535.
   VLT DOMAIN mode
   peer-routing
3. Configure the multicast peer-routing timeout.
   VLT DOMAIN mode
   multicast peer-routing-timeout value
   value: Specify a value (in seconds) from 1 to 1200.
4. Configure a PIM-SM compatible VLT node as a designated router (DR). For more information, refer to Configuring a Designated Router.
5. Configure a PIM-enabled external neighboring router as a rendezvous point (RP). For more information, refer to Configuring a Static Rendezvous Point.
6.
Sample RSTP Configuration The following is a sample of an RSTP configuration. Using the example shown in the Overview section as a sample VLT topology, the primary VLT switch sends BPDUs to an access device (switch or server) with its own RSTP bridge ID. BPDUs generated by an RSTP-enabled access device are only processed by the primary VLT switch. The secondary VLT switch tunnels the BPDUs that it receives to the primary VLT switch over the VLT interconnect.
2. Remove an IP address from the interface.
   INTERFACE PORT-CHANNEL mode
   no ip address
3. Add one or more port interfaces to the port channel.
   INTERFACE PORT-CHANNEL mode
   channel-member interface
   interface: specify one of the following interface types:
   ● 1-Gigabit Ethernet: Enter gigabitethernet slot/port.
   ● 10-Gigabit Ethernet: Enter tengigabitethernet slot/port.
   ● 40-Gigabit Ethernet: Enter fortyGigE slot/port.
4. Ensure that the port channel is active.
   INTERFACE PORT-CHANNEL mode
   no shutdown
5.
NOTE: You must enable RSTP when you use this feature.
6. Repeat Steps 1 to 4 on the VLT peer switch to configure the IP address of this switch as the endpoint of the VLT backup link and to configure the same port channel for the VLT interconnect.

Configuring a VLT Backup Link

To configure a VLT backup link, use the following command.
1. Specify the management interface to be used for the backup link through an out-of-band management network.
   CONFIGURATION mode
   vlt domain domain-id
   The range of domain IDs is from 1 to 1000.
2. (Optional) When you create a VLT domain on a switch, the system automatically creates a VLT-system MAC address used for internal system operations.
   VLT DOMAIN CONFIGURATION mode
   system-mac mac-address mac-address
   To explicitly configure the default MAC address for the domain by entering a new MAC address, use the system-mac command. The format is aaaa.bbbb.cccc.
   INTERFACE PORT-CHANNEL mode
   vlt-peer-lag port-channel id-number
   The valid port-channel ID numbers are from 1 to 128.
7. Repeat Steps 1 to 6 on the VLT peer switch to configure the same port channel as part of the VLT domain.
8. On an attached switch or server: To connect to the VLT domain and add port channels to it, configure a port channel. For an example of how to verify the port-channel configuration, refer to VLT Sample Configuration.
4. Enter the port-channel number that acts as the interconnect trunk.
   VLT DOMAIN CONFIGURATION mode
   peer-link port-channel id-number
   The range is from 1 to 128.
5. Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages.
   VLT DOMAIN CONFIGURATION mode
   back-up destination {ipv4-address | ipv6 ipv6-address} [interval seconds]
   You can optionally specify the time interval used to send hello messages.
   port-channel number mode [active]
15. Ensure that the interface is active.
   MANAGEMENT INTERFACE mode
   no shutdown
16. Repeat steps 1 through 15 for the VLT peer node in Domain 1.
17. Repeat steps 1 through 15 for the first VLT node in Domain 2.
18. Repeat steps 1 through 15 for the VLT peer node in Domain 2.
To verify the configuration of a VLT domain, use any of the show commands described in Verifying a VLT Configuration.
NOTE: If you use a third-party ToR unit, Dell Networking recommends using static LAGs with VLT peers to avoid potential problems if you reboot the VLT peers.

Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2.
Dell-2(conf)#vlt domain 5
Dell-2(conf-vlt-domain)#
Dell-4(conf)#vlt domain 5
Dell-4(conf-vlt-domain)#

Configure the VLTi between VLT peer 1 and VLT peer 2.
1. You can configure the LACP/static LAG between the peer units (not shown).
2.
Dell-2#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
L 2    L2L3  up      03:33:14  Te 0/40 (Up)

In the ToR unit, configure LACP on the physical ports.
  LAG  Mode  Status  Uptime    Ports
L 2    L2L3  up      03:33:31  Te 0/18 (Up)

eVLT Configuration Example

The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network. In this example, you are configuring two domains. Domain 1 consists of Peer 1 and Peer 2; Domain 2 consists of Peer 3 and Peer 4, as shown in the following example. In Domain 1, configure Peer 1 first, then configure Peer 2. When that is complete, perform the same steps for the peer nodes in Domain 2.
Next, configure the VLT domain and VLTi on Peer 2.
Domain_1_Peer2#configure
Domain_1_Peer2(conf)#interface port-channel 1
Domain_1_Peer2(conf-if-po-1)#channel-member TenGigabitEthernet 0/8-9
Domain_1_Peer2(conf)#vlt domain 1000
Domain_1_Peer2(conf-vlt-domain)#peer-link port-channel 1
Domain_1_Peer2(conf-vlt-domain)#back-up destination 10.16.130.12
Domain_1_Peer2(conf-vlt-domain)#system-mac mac-address 00:0a:00:0a:00:0a
Domain_1_Peer2(conf-vlt-domain)#unit-id 1

Configure eVLT on Peer 2.
Domain_2_Peer4(conf-if-po-100)#vlt-peer-lag port-channel 100
Domain_2_Peer4(conf-if-po-100)#no shutdown

Add links to the eVLT port-channel on Peer 4.
   show vlt brief
● Display detailed information about the VLT-domain configuration, including local and peer port-channel IDs, local VLT switch status, and number of active VLANs on each port channel.
   EXEC mode
   show vlt detail
● Display the VLT peer status, role of the local VLT switch, VLT system MAC address and system priority, and the MAC address and priority of the locally-attached VLT device.
Role Priority: 32768
ICL Link Status: Up
HeartBeat Status: Up
VLT Peer Status: Up
Local Unit Id: 0
Version: 5(1)
Local System MAC address: 00:01:e8:8a:e9:70
Remote System MAC address: 00:01:e8:8a:e7:e7
Configured System MAC address: 00:0a:0a:01:01:0a
Remote system version: 5(1)
Delay-Restore timer: 90 seconds

Dell_VLTpeer2# show vlt brief
VLT Domain Brief
-----------------
Domain ID:
Role:
Role Priority:
ICL Link Status:
HeartBeat Status:
VLT Peer Status:
Local Unit Id:
Version:
Local System MAC address:
R
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.18

Dell_VLTpeer2# show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.20

The following example shows the show vlt statistics command.
Po 111 128.112 128 200000 DIS(vlt) 0 Po 120 128.121 128 2000 FWD(vlt) 0 0 0 0001.e88a.dff8 128.112 0001.e88a.dff8 128.121

Additional VLT Sample Configurations

To configure VLT, create a VLT domain, configure a backup link and interconnect trunk, and connect the peer switches in the VLT domain to an attached access device (switch or server). Review the following examples of VLT configurations.
Dell_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.23
Dell_VLTpeer2(conf-vlt-domain)#exit

Configure the backup link.
Dell_VLTpeer2(conf)#interface ManagementEthernet 0/0
Dell_VLTpeer2(conf-if-ma-0/0)#ip address 10.11.206.35/
Dell_VLTpeer2(conf-if-ma-0/0)#no shutdown
Dell_VLTpeer2(conf-if-ma-0/0)#exit

Configure the VLT interconnect (VLTi).
Table 138. Troubleshooting VLT
Description | Behavior at Peer Up | Behavior During Run Time | Action to Take
Bandwidth monitoring | A syslog error message and an SNMP trap are generated when the VLTi bandwidth usage goes above the 80% threshold and when it drops below 80%. | A syslog error message and an SNMP trap are generated when the VLTi bandwidth usage goes above its threshold. | Depending on the traffic that is received, the traffic can be offloaded in VLTi.
Domain ID mismatch | The VLT peer does not boot up. | |
Table 138. Troubleshooting VLT (continued)
Description | Behavior at Peer Up | Behavior During Run Time | Action to Take
 | A syslog error message is generated. | A syslog error message is generated. |

Reconfiguring Stacked Switches as VLT

To convert switches that have been stacked to VLT peers, use the following procedure.
1. Remove the current configuration from the switches. You will need to split the configuration up for each switch.
2. Copy the files to the flash memory of the appropriate switch.
3.
is tagged to any one of the primary or secondary VLANs of a PVLAN, then both the primary and secondary VLANs are considered as VLT VLANs. If you add an ICL or VLTi link as a member of a primary VLAN, the ICL becomes a part of the primary VLAN and its associated secondary VLANs, similar to the behavior for normal trunk ports. VLAN parity is not validated if you associate an ICL to a PVLAN. Similarly, if you dissociate an ICL from a PVLAN, although the PVLAN parity exists, ICL is removed from that PVLAN.
Interoperation of VLT Nodes in a PVLAN with ARP Requests

When an ARP request is received and the following conditions apply, the IP stack performs certain operations.
● The VLAN on which the ARP request is received is a secondary VLAN (community or isolated VLAN).
● Layer 3 communication between secondary VLANs in a private VLAN is enabled by using the ip local-proxy-arp command in INTERFACE VLAN configuration mode.
Table 139.
   INTERFACE PORT-CHANNEL mode
   channel-member interface
   interface: specify one of the following interface types:
   ● 1-Gigabit Ethernet: Enter gigabitethernet slot/port.
   ● 10-Gigabit Ethernet: Enter tengigabitethernet slot/port.
   ● 40-Gigabit Ethernet: Enter fortyGigE slot/port.
4. Ensure that the port channel is active.
   INTERFACE PORT-CHANNEL mode
   no shutdown
5. To configure the VLT interconnect, repeat Steps 1–4 on the VLT peer switch.
6. Enter VLT-domain configuration mode for a specified VLT domain.
7. To obtain maximum VLT resiliency, configure the PVLAN IDs and mappings to be identical on both VLT peer nodes. Set the PVLAN mode of the selected VLAN to primary.
   INTERFACE VLAN mode
   private-vlan mode primary
8. Map secondary VLANs to the selected primary VLAN.
   INTERFACE VLAN mode
   private-vlan mapping secondary-vlan vlan-list
   The list of secondary VLANs can be:
   ● Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
for synchronization. When a VLAN state is down, the VLT peer might perform a proxy ARP operation for the IP addresses of that VLAN interface. VLT nodes start performing Proxy ARP when the ICL link goes down. When the VLT peer comes up, proxy ARP will be stopped for the peer VLT IP addresses. When the peer node is rebooted, the IP address synchronized with the peer is not flushed. Peer down events cause the proxy ARP to commence.
   INTERFACE PORT-CHANNEL mode
   vlan-stack {access | trunk}
2. Configure the VLAN as VLAN-stack compatible on both peers.
   INTERFACE VLAN mode
   vlan-stack compatible
3. Add the VLT LAG as a member of the VLAN-stack on both peers.
   INTERFACE VLAN mode
   member port-channel port-channel-ID
4. Verify the VLAN-stack configurations.
 no shutdown
Dell#

Configure VLAN as VLAN-Stack VLAN and add the VLT LAG as Members to the VLAN
Dell(conf)#interface vlan 50
Dell(conf-if-vl-50)#vlan-stack compatible
Dell(conf-if-vl-50-stack)#member port-channel 10
Dell(conf-if-vl-50-stack)#member port-channel 20
Dell#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdown
Dell#

Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN

Sample Configuration of VLAN-Stack
Configure the VLAN as VLAN-Stack VLAN and add the VLT LAG as members to the VLAN
Dell(conf)#interface vlan 50
Dell(conf-if-vl-50)#vlan-stack compatible
Dell(conf-if-vl-50-stack)#member port-channel 10
Dell(conf-if-vl-50-stack)#member port-channel 20
Dell(conf-if-vl-50-stack)#
Dell#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdown
Dell#

Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN

Configure BFD in VL
3. Configure the port channel for the VLT interconnect on a ToR.
TOR(conf)#interface port-channel 10
TOR(conf-if-po-111)#no ip address
TOR(conf-if-po-111)#switchport
TOR(conf-if-po-111)#no shutdown
4. Configure a VLAN.
TOR(conf)#interface vlan 100
TOR(conf-if-vl-100)#ip address 100.1.1.3/24
TOR(conf-if-vl-100)#tagged port-channel 10
TOR(conf-if-vl-100)#arp timeout 1
TOR(conf-if-vl-100)#no shutdown
TOR(conf-if-vl-100)#exit
5. Enable BFD over OSPF.
VLT Secondary
1. Enable BFD globally.
VLT_Secondary(conf)#bfd enable
2. Configure the port channel that is used as the VLTi link.
3. Enable VLT and configure a VLT domain.
VLT_Secondary(conf)#vlt domain 100
VLT_Secondary(conf-vlt-domain)#peer-link port-channel 100
VLT_Secondary(conf-vlt-domain)#back-up destination 10.16.206.80
VLT_Secondary(conf-vlt-domain)#peer-routing
4. Configure a VLT peer LAG.
● To verify the VLTi (ICL) link is up in the VLT secondary peer, use show vlt brief command.
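The show vlt brief fields described in this chapter (ICL Link Status, HeartBeat Status, VLT Peer Status, local and remote versions and system MACs) are what an operator checks after every one of the procedures above. The following is an added Python health check over that output; it is not Dell code. It parses the Field: value lines and reports the conditions worth acting on, including the one case in which a VLT domain loses both its VLTi and its backup-link heartbeat and each peer may take the Primary role on its own. The sample output is constructed in the layout the guide shows; the role priority, MAC addresses and versions mirror the guide's example, while the domain ID and role are assumed.

```python
"""Health check over Dell Networking OS 'show vlt brief' output.

Added example, not code from the Dell guide: it parses the 'Field: value' lines the
guide documents for 'show vlt brief' and reports conditions a VLT operator would act on.
"""
import re

# Constructed sample in the layout the guide shows for 'show vlt brief'; role priority,
# MAC addresses and versions mirror the guide's example output, domain ID and role are assumed.
SAMPLE_VLT_BRIEF = """\
VLT Domain Brief
-----------------
Domain ID: 30
Role: Primary
Role Priority: 32768
ICL Link Status: Up
HeartBeat Status: Up
VLT Peer Status: Up
Local Unit Id: 0
Version: 5(1)
Local System MAC address: 00:01:e8:8a:e9:70
Remote System MAC address: 00:01:e8:8a:e7:e7
Configured System MAC address: 00:0a:0a:01:01:0a
Remote system version: 5(1)
Delay-Restore timer: 90 seconds
"""

# One 'Field: value' line; the field name stops at the first colon, so MAC values stay intact.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?):\s*(.*?)\s*$")


def parse_vlt_brief(text):
    """Return the 'Field: value' lines of 'show vlt brief' as a dict (other lines are skipped)."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def check_vlt_brief(text):
    """Return a list of finding strings; an empty list means nothing needs attention."""
    f = parse_vlt_brief(text)
    findings = []
    icl_up = f.get("ICL Link Status", "").lower() == "up"
    heartbeat_up = f.get("HeartBeat Status", "").lower() == "up"
    peer_up = f.get("VLT Peer Status", "").lower() == "up"

    if not icl_up:
        findings.append("VLTi (ICL) is down: MAC and ARP tables are no longer synchronised between the peers")
    if not heartbeat_up:
        findings.append("backup-link heartbeat is down: the peers cannot tell a VLTi failure from a peer failure")
    if not icl_up and not heartbeat_up:
        findings.append("both VLTi and heartbeat down: each peer may assume the Primary role independently")
    if not peer_up:
        findings.append("VLT peer is not up")
    local_ver, remote_ver = f.get("Version"), f.get("Remote system version")
    if local_ver and remote_ver and local_ver != remote_ver:
        findings.append(f"VLT version mismatch: local {local_ver}, remote {remote_ver}")
    local_mac = f.get("Local System MAC address", "").lower()
    remote_mac = f.get("Remote System MAC address", "").lower()
    if local_mac and local_mac == remote_mac:
        findings.append("local and remote system MAC addresses are identical; check for a duplicated peer configuration")
    return findings


if __name__ == "__main__":
    for line in check_vlt_brief(SAMPLE_VLT_BRIEF) or ["VLT domain healthy"]:
        print(line)
```

Run it against the output of both peers: a domain is only healthy when each side reports the other as up, and a version or MAC anomaly on one side that the other does not show is itself a finding.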
65 Virtual Router Redundancy Protocol (VRRP)

Virtual router redundancy protocol (VRRP) is supported on Dell Networking OS.

Topics:
• VRRP Overview
• VRRP Benefits
• VRRP Implementation
• VRRP Configuration
• Sample Configurations
• Proxy Gateway with VRRP

VRRP Overview

VRRP is designed to eliminate a single point of failure in a statically routed network. Authentication is not supported on VRRPv3.
Figure 158. Basic VRRP Configuration

VRRP Benefits

With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and do not depend on interior gateway protocol (IGP) convergence or routing table updates.

VRRP Implementation

Within a single VRRP group, up to 12 virtual IP addresses are supported.
Table 140. Recommended VRRP Advertise Intervals on the Switch
Total VRRP Groups      | Recommended Advertise Interval | Groups/Interface
Less than 250          | 1 second                       | 12
Between 250 and 450    | 2–3 seconds                    | 24
Between 450 and 600    | 3–4 seconds                    | 36
Between 600 and 800    | 4 seconds                      | 48
Between 800 and 1000   | 5 seconds                      | 84
Between 1000 and 1200  | 7 seconds                      | 100
Between 1200 and 1500  | 8 seconds                      | 120

VRRP Configuration

By default, VRRP is not configured.
The following example shows configuring a VRRP group.
Dell(conf)#int te 1/1
Dell(conf-if-te-1/1)#vrrp-group 111
Dell(conf-if-te-1/1-vrid-111)#

The following example shows verifying a VRRP configuration.
Dell(conf-if-te-1/1)#show conf
!
interface TenGigabitEthernet 1/1
 ip address 10.10.10.
You can configure up to 12 virtual IP addresses on a single VRRP group (VRID). The following rules apply to virtual IP addresses: ● The virtual IP addresses must be in the same subnet as the primary or secondary IP addresses configured on the interface. Though a single VRRP group can contain virtual IP addresses belonging to multiple IP subnets configured on the interface, Dell Networking recommends configuring virtual IP addresses belonging to the same IP subnet for any one VRRP group.
  10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
-----------------
TenGigabitEthernet 1/2/1, VRID: 111, Net: 10.10.2.1
State: Master, Priority: 100, Master: 10.10.2.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 27, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.2.2 10.10.2.3
Authentication:

When the VRRP process completes its initialization, the State field contains either Master or Backup.
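The show vrrp output above carries everything needed to audit a VRRP deployment from the CLI: the VRID, the virtual MAC the switch derived from it, the bad-packet counter and the Authentication field. The following is an added Python audit of that output; it is not Dell code. It splits the output into per-group blocks, computes the virtual MAC that RFC 3768 (IPv4, 00:00:5e:00:01:VRID) and RFC 5798 (IPv6, 00:00:5e:00:02:VRID) prescribe, and flags groups with an unexpected virtual MAC, no authentication on a VRRPv2 group, or bad packets received. The first sample group copies the guide's VRID 111 output; the second group is constructed with a deliberately wrong virtual MAC, a non-zero bad-packet counter and an Authentication value of "simple" (assumed wording; a real device may print the field differently), and a group whose header omits Version is assumed to be VRRPv2 as in the guide's output.

```python
"""Audit of Dell Networking OS 'show vrrp' output.

Added example, not code from the guide: it splits the output into per-group blocks,
derives the virtual MAC that RFC 3768/5798 prescribe for each VRID and flags groups
worth a second look (unexpected virtual MAC, no authentication, bad packets received).
"""
import re

# Constructed sample in the 'show vrrp' layout the guide shows. The first group copies the
# guide's VRID 111 example; the second is assumed, with a deliberately wrong virtual MAC,
# a non-zero bad-packet counter and an authentication field set to an assumed value.
SAMPLE_SHOW_VRRP = """\
-----------------
TenGigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 27, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address:
  10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
-----------------
TenGigabitEthernet 0/13, IPv4 VRID: 10, Version: 2, Net: 10.1.1.1 VRF: 2 vrf1
State: Master, Priority: 100, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 3, Adv sent: 43, Gratuitous ARP sent: 0
Virtual MAC address: 00:00:5e:00:01:0b
Virtual IP address: 10.1.1.100
Authentication: simple
"""

# Group header: "<interface>, [IPv4|IPv6 ]VRID: <n>[, Version: <v>], Net: ..."
HEADER_RE = re.compile(r"^([^,]+), (?:(IPv4|IPv6) )?VRID: (\d+)(?:, Version: (\d))?")


def expected_virtual_mac(vrid, family="IPv4"):
    """Virtual MAC for a VRID: 00:00:5e:00:01:xx for IPv4 (RFC 3768), 00:00:5e:00:02:xx for IPv6 (RFC 5798)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    prefix = "00:00:5e:00:01" if family == "IPv4" else "00:00:5e:00:02"
    return f"{prefix}:{vrid:02x}"


def _field(pattern, block, default=""):
    match = re.search(pattern, block)
    return match.group(1).strip() if match else default


def parse_show_vrrp(text):
    """Return one dict per VRRP group found in 'show vrrp' output."""
    groups = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        lines = [line for line in block.strip().splitlines() if line.strip()]
        if not lines:
            continue
        head = HEADER_RE.match(lines[0])
        if not head:
            continue
        iface, family, vrid, version = head.groups()
        groups.append({
            "interface": iface.strip(),
            "family": family or "IPv4",
            "vrid": int(vrid),
            "version": int(version) if version else 2,   # assumed: the guide's v2 output omits Version
            "state": _field(r"State: (\w+)", block),
            "priority": int(_field(r"Priority: (\d+)", block, "0")),
            "bad_pkts": int(_field(r"Bad pkts rcvd: (\d+)", block, "0")),
            "virtual_mac": _field(r"Virtual MAC address: (\S+)", block).lower(),
            "auth": _field(r"Authentication: ?(.*)", block),
        })
    return groups


def audit_vrrp(text):
    """Return (interface, vrid, message) tuples for groups that deserve attention."""
    findings = []
    for g in parse_show_vrrp(text):
        key = (g["interface"], g["vrid"])
        want = expected_virtual_mac(g["vrid"], g["family"])
        if g["virtual_mac"] != want:
            findings.append((*key, f"virtual MAC {g['virtual_mac']} differs from expected {want}"))
        # The guide states authentication is not supported on VRRPv3, so only v2 groups are checked.
        if g["version"] == 2 and g["auth"] in ("", "(none)"):
            findings.append((*key, "no authentication configured"))
        if g["bad_pkts"] > 0:
            findings.append((*key, f"{g['bad_pkts']} bad VRRP packets received; check for an authentication or VRID mismatch on the segment"))
    return findings


if __name__ == "__main__":
    for iface, vrid, message in audit_vrrp(SAMPLE_SHOW_VRRP):
        print(f"{iface} VRID {vrid}: {message}")
```

A rising Bad pkts rcvd counter after enabling authentication usually means one member of the group was left with a different password or none at all, which is the condition the authentication note in this chapter warns about.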
Configuring VRRP Authentication

Simple authentication of VRRP packets ensures that only trusted routers participate in VRRP processes. When you enable authentication, Dell Networking OS includes the password in its VRRP transmission. The receiving router uses that password to verify the transmission.

NOTE: You must configure all virtual routers in the VRRP group the same way: enable authentication with the same password on each, or authentication is disabled.
 vrrp-group 111
  authentication-type simple 7 387a7f2df5969da4
  no preempt
  priority 255
  virtual-address 10.10.10.1
  virtual-address 10.10.10.2
  virtual-address 10.10.10.3
  virtual-address 10.10.10.10

Changing the Advertisement Interval

By default, the MASTER router transmits a VRRP advertisement to all members of the VRRP group every second, indicating that it is operational and is the MASTER router.
Setting VRRP Initialization Delay When configured, VRRP is enabled immediately upon system reload or boot. You can delay VRRP initialization to allow the IGP and EGP protocols to be enabled prior to selecting the VRRP Master. This delay ensures that VRRP initializes with no errors or conflicts. You can configure the delay for up to 15 minutes, after which VRRP enables normally.
NOTE: You can configure a tracked object for a VRRP group (using the track object-id command in INTERFACE-VRID mode) before you actually create the tracked object (using a track object-id command in CONFIGURATION mode). However, no changes in the VRRP group’s priority occur until the tracked object is defined and determined to be down.
IPv6 route 2050::/64 reachability
  Reachability is Up (STATIC)
  5 changes, last change 00:02:16
  First-hop interface is GigabitEthernet 1/3
  Tracked by:
    VRRP GigabitEthernet 1/8 IPv6 VRID 1

The following example shows verifying the VRRP status.

On the MASTER
==========
Dell#show vrrp
-----------------
TenGigabitEthernet 0/1, IPv4 VRID: 1, Version: 2, Net: 1.1.1.1 VRF: 0 default
State: Master, Priority: 100, Master: 1.1.1.
Sample Configurations Before you set up VRRP, review the following sample configurations. VRRP for an IPv4 Configuration The following configuration shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
Figure 160. VRRP for an IPv6 Configuration

NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.

The following example shows configuring VRRP for IPv6 on Router 2 and Router 3. Configure a virtual link-local (fe80) address for each VRRPv3 group created for an interface.
VRRP in a VRF: Non-VLAN Scenario The following example shows how to enable VRRP in a non-VLAN. The following example shows a typical use case in which you create three virtualized overlay networks by configuring three VRFs in two switches. The default gateway to reach the Internet in each VRF is a static route with the next hop being the virtual IP address configured in VRRP. In this scenario, a single VLAN is associated with each VRF.
S1(conf-if-te-2/1-vrid-101)#priority 100
S1(conf-if-te-2/1-vrid-101)#virtual-address 10.10.1.2
S1(conf-if-te-2/1)#no shutdown
!
S1(conf)#interface TenGigabitEthernet 2/2
S1(conf-if-te-2/2)#ip vrf forwarding VRF-2
S1(conf-if-te-2/2)#ip address 10.10.1.6/24
S1(conf-if-te-2/2)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 2 will be 178.
S1(conf-if-te-12/2-vrid-101)#priority 100
S1(conf-if-te-12/2-vrid-101)#virtual-address 10.10.1.
This VLAN scenario often occurs in a service-provider network in which you configure VLAN tags for traffic from multiple customers on customer-premises equipment (CPE), and separate VRF instances associated with each VLAN are configured on the provider edge (PE) router in the point-of-presence (POP).
S2(conf-if-vl-200)#ip address 10.10.1.2/24
S2(conf-if-vl-200)#tagged tengigabitethernet 2/4
S2(conf-if-vl-200)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 2 will be 178.
S2(conf-if-vl-200-vrid-101)#priority 255
S2(conf-if-vl-200-vrid-101)#virtual-address 10.10.1.2
S2(conf-if-vl-200)#no shutdown
!
S2(conf-if-te-2/4)#interface vlan 300
S2(conf-if-vl-300)#ip vrf forwarding VRF-3
S2(conf-if-vl-300)#ip address 20.1.1.
● Server racks, Rack 1 and Rack 2, are part of data centers DC1 and DC2, respectively.
● Rack 1 is connected to devices A1 and B1 in a Layer 2 network segment.
● Rack 2 is connected to devices A2 and B2 in a Layer 2 network segment.
● A VLT link aggregation group (LAG) is present between A1 and B1 as well as A2 and B2.
● A1 and B1 are connected to core routers, C1 and D1, with VLT routing enabled.
● A2 and B2 are connected to core routers, C2 and D2, with VLT routing enabled.
interface port-channel 128
 channel-member ten 1/1/1
 channel-member ten 1/1/2
 no shutdown
int ten 1/5/1
 port-channel-protocol lacp
  port-channel 10 mode active
 no shut
int ten 1/4/1
 port-channel-protocol lacp
  port-channel 20 mode active
 no shut
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.1/24
 tagged port-channel 10
 vrrp-group 10
  advertise-interval 60
  virtual-address 100.1.1.
no shutdown interface port-channel 20 vlt-peer-lag po 20 switchport no shutdown int vlan 100 ip address 100.1.1.2/24 tagged port-channel 10 vrrp-group 10 advertise-interval 60 virtual-ip 100.1.1.254 priority 100 no shutdown int vlan 200 tagged port-channel 20 no shutdown router ospf 10 network 100.1.1.0/24 area 0 Sample configuration of C2: vlt domain 10 peer-link port-channel 128 back-up destination 10.16.140.
no shutdown router ospf 10 network 100.1.1.0/24 area 0 Sample configuration of D2: vlt domain 10 peer-link port-channel 128 back-up destination 10.16.140.
66 Standards Compliance This chapter describes standards compliance for Dell Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance The C9000 series supports the following standards. The standards are grouped by related protocol. General Internet Protocols The following table lists the Dell Networking OS support on the C9000 Series for the general internet protocols. Table 141.
[Tables 142, 144 and 146: captions and rows not recoverable from the extracted text]
Table 146. Network Management (continued)
RFC#  Full Name
3416  Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
3418  Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
3434  Remote Monitoring MIB Extensions for High Capacity Alarms, High-Capacity Alarm Table (64 bits)
3580  IEEE 802.
Table 147. Multicast (continued)
RFC#  Full Name                                                                                  S-Series           C-Series           E-Series TeraScale
3973  Protocol Independent Multicast - Dense Mode (PIM-DM): Protocol Specification (Revised)
4541  Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener        7.6.1 (IGMPv1/v2)  7.6.1 (IGMPv1/v2)  √
      Discovery (MLD) Snooping Switches
      IGMPv1/v2/v3, MLDv1 Snooping 8.2.
You can also obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/csportal20/MIBs/MIB_OIDs.aspx
Some pages of iSupport require a login. To request an iSupport account, go to: https://www.force10networks.com/CSPortal20/Support/AccountRequest.aspx
If you have forgotten or lost your account information, contact Dell Technical Support for assistance.
67 X.509v3
Dell Networking OS supports X.509v3 standards.
Topics:
• Introduction to X.509v3 certification
• X.509v3 support in Dell Networking OS
• Information about installing CA certificates
• Information about Creating Certificate Signing Requests (CSR)
• Information about installing trusted certificates
• Transport layer security (TLS)
• Online certificate status protocol (OCSP)
• Verifying certificates
• Event logging
Introduction to X.509v3 certification
X.
Advantages of X.509v3 certificates Public key authentication is preferred over password-based authentication, although both may be used in conjunction, for various reasons. Public-key authentication provides the following advantages over normal password-based authentication: ● Public-key authentication avoids the human problems of low-entropy password selection and provides more resistance to brute-force attacks than password-based authentication.
NOTE: CA certificates may also be bundled together for ease of installation. Their .PEM files are concatenated in order from the “lowest” ranking CA certificate to the Root CA certificate. Dell Networking OS handles installation of bundled certificate files.
The other hosts on the network, such as the SUT switch, syslog server, and OCSP server, generate their own private keys and create Certificate Signing Requests (CSRs).
the CA certificates file is kept in a root-last order. The file may contain multiple certificates in PEM format concatenated together. This file is stored in a private and persistent location on the device such as the flash://ADMIN_DIR folder. After the CA certificate is installed, the system can secure communications with TLS servers by verifying certificates that are signed by the CA.
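The root-last ordering required by the note on bundled CA certificates and by the CA certificates file described above can be checked before a bundle is installed. The following Python is an added example, not Dell Networking OS code: a minimal DER TLV reader pulls the Issuer and Subject names out of each PEM block, and the check confirms that every certificate is issued by the one after it and that the last one is self-signed. The test bundle is built from constructed, unsigned certificate skeletons (labelled as such in the code), so it exercises only the ordering logic.

```python
import base64
import re
# Added example (not Dell's code): check that a concatenated PEM CA bundle is in root-last
# order, i.e. each certificate is issued by the next one and the last one is self-signed.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf: bytes, off: int):          # read one DER TLV at off -> (tag, value, next offset)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                        # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def issuer_subject(der: bytes):          # raw DER Issuer and Subject Name fields of one cert
    _, cert, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)            # tbsCertificate ::= SEQUENCE
    tag, _, off = _tlv(tbs, 0)           # version [0] (optional) or serialNumber
    if tag == 0xA0:
        _, _, off = _tlv(tbs, off)       # serialNumber
    _, _, off = _tlv(tbs, off)           # signature AlgorithmIdentifier
    start = off
    _, _, off = _tlv(tbs, off)           # issuer Name
    issuer, start = tbs[start:off], off
    _, _, start = _tlv(tbs, start)       # skip validity
    _, _, off = _tlv(tbs, start)         # subject Name
    return issuer, tbs[start:off]

def bundle_is_root_last(pem_bundle: bytes) -> bool:
    certs = [issuer_subject(base64.b64decode(b"".join(m.group(1).split())))
             for m in PEM_RE.finditer(pem_bundle)]
    if not certs:
        return False
    for (iss, _), (_, next_subj) in zip(certs, certs[1:]):
        if iss != next_subj:             # each certificate's issuer must be the following one
            return False
    return certs[-1][0] == certs[-1][1]  # the last certificate must be the self-signed root

# Constructed test data: structurally valid but unsigned certificate skeletons, not real certs.
def _der(tag: int, body: bytes) -> bytes:   # bodies here are always shorter than 256 bytes
    lenb = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + lenb + body

def _name(cn: str) -> bytes:             # Name ::= SEQUENCE { SET { commonName = cn } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def skeleton_cert(subject: str, issuer: str) -> bytes:
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
               + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_der(0x30, tbs)) + b"-----END CERTIFICATE-----\n"
```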
● Private Key
● Country Name
● State or Province Name
● Locality Name
● Organization Name
● Organization Unit Name
● Common Name
● Email address
● Validity Length
● Alternate Name
NOTE: The command contains multiple options. The Common Name is a required field; unspecified fields are left blank.
Information about installing trusted certificates
Dell Networking OS also enables you to install a trusted certificate.
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
When not operating in FIPS mode, the system may support TLS 1.0 up to 1.
NOTE: If you have an IPv6 address in the URL, enclose the address in square brackets. For example: http://[1100::203]:6514.
Configuring OCSP behavior
You can configure how OCSP requests and responses are signed when the CA or the device contacts the OCSP responders.
Verifying client certificates
Verifying client certificates is optional in the TLS protocol and is not explicitly required by Common Criteria. However, the TLS-protected Syslog and RADIUS protocols mandate that certificate-based mutual authentication be performed.
Event logging
The system logs the following events:
● A CA certificate is installed or deleted.
● A self-signed certificate and private key are generated.
● An existing host certificate, a private key, or both are deleted.