Dell EMC Networking Configuration Guide for the C9010 Series Version 9.13.0.
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Copyright © 2018 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents (excerpt)

1 About this Guide (p. 36)
  Audience (p. 36)
  Conventions
  Creating a Custom Privilege Level (p. 58)
  Removing a Command from EXEC Mode (p. 58)
  Moving a Command from EXEC Privilege Mode to EXEC Mode (p. 58)
  Allowing Access to CONFIGURATION Mode Commands
  Ignoring the Startup Configuration and Booting from the Factory-Default Configuration (p. 80)
  Recovering from a Failed Start (p. 81)
  Restoring Factory-Default Settings (p. 81)
  Important Point to Remember
  CAM Usage (p. 114)
  User-Configurable CAM Allocation (p. 115)
  Allocating CAM for Ingress ACLs on the Port Extender
  BFD Sessions (p. 148)
  BFD Three-Way Handshake (p. 149)
  Session State Changes
  Maintaining Existing AS Numbers During an AS Migration (p. 202)
  Allowing an AS Number to Appear in its Own AS Path (p. 203)
  Enabling Neighbor Graceful Restart (p. 204)
  Filtering on an AS-Path Attribute
  LAG Hashing
  LAG Hashing Based on Bidirectional Flow (p. 242)
  Unified Forwarding Table (UFT) Modes (p. 243)
  Configuring UFT Modes (p. 243)
10 Control Plane Policing (CoPP)
  Configuring Enhanced Transmission Selection (p. 275)
  Creating an ETS Priority Group (p. 276)
  ETS Operation with DCBx (p. 277)
  Configure a DCBx Operation
  Displaying Line-Card Counters (p. 342)
  Accessing Application Core Dumps (p. 342)
  Mini Core Dumps
  Dynamic Re-calculation of Link Bandwidth (p. 369)
  Weighted ECMP for Static Routes (p. 370)
  ECMP Support in L3 Host and LPM Tables (p. 370)
15 FCoE Transit
  Multiple FRRP Rings (p. 397)
  Important FRRP Points (p. 398)
  Implementing FRRP
  RPM Synchronization (p. 417)
  Forcing an RPM Failover (p. 417)
  Specifying an Auto-Failover Limit
  Management Interfaces (p. 446)
  Configuring a Dedicated Management Interface (p. 446)
  Configuring a Management Interface on an Ethernet Port (p. 447)
  Port Extender Interfaces
  Configure the MTU Size on an Interface (p. 471)
  Auto-Negotiation on Ethernet Interfaces (p. 471)
  Set Auto-Negotiation Options (p. 472)
  Provisioning Combo Ports
  Extension Header Fields (p. 496)
  IPv6 Addressing (p. 497)
  IPv6 Implementation on the Dell Networking OS
  Configure Metric Values (p. 531)
  Maximum Values in the Routing Table (p. 532)
  Change the IS-IS Metric Style in One Level Only (p. 532)
  Leaks from One Level to Another
  mac learning-limit station-move (p. 564)
  mac learning-limit no-station-move (p. 564)
  Learning Limit Violation Actions
31 Multicast Source Discovery Protocol (MSDP) (p. 598)
  Protocol Overview (p. 598)
  Anycast RP
  Router 1 Running-Configuration
  Router 2 Running-Configuration
  Router 3 Running-Configuration
  Example Running-Configuration (p. 632)
  Debugging and Verifying MSTP Configurations (p. 635)
33 Multicast Features
  OSPF ACK Packing (p. 672)
  Setting OSPF Adjacency with Cisco Routers (p. 672)
  Configuration Information
  Configuring PIM-SSM (p. 712)
  Related Configuration Tasks (p. 712)
  Enable PIM-SM
  Upgrading a Port Extender (p. 746)
  Auto-Upgrade of the OS Image (p. 746)
  Manually Upgrading the OS Image
  Configuring Remote Port Monitoring (p. 787)
  Encapsulated Remote-Port Monitoring (p. 790)
  Port Monitoring on VLT (p. 792)
  VLT Non-failover Scenario
  Implementation Information (p. 825)
  Port-Based QoS Configurations (p. 825)
  Setting dot1p Priorities for Incoming Traffic
  Setting the RMON Alarm (p. 867)
  Configuring an RMON Event (p. 868)
  Configuring RMON Collection Statistics
  Removing the RSA Host Keys and Zeroizing Storage (p. 920)
  Configuring When to Re-generate an SSH Key (p. 920)
  Configuring the SSH Server Cipher List (p. 921)
  Configuring DNS in the SSH Server
  Debugging Layer 2 Protocol Tunneling (p. 950)
  Provider Backbone Bridging (p. 950)
51 sFlow (p. 951)
  Overview
  MIB Support to Display Reason for Last System Reboot (p. 974)
  Viewing the Reason for Last System Reboot Using SNMP (p. 975)
  MIB Support to Display the Available Partitions on Flash (p. 975)
  Viewing the Available Partitions on Flash
  Selecting STP Root (p. 1005)
  STP Root Guard (p. 1005)
  Root Guard Scenario
  Upgrade Overview
  Get Help with Upgrades (p. 1033)
  Bootup and Upgrades (p. 1033)
59 Uplink Failure Detection (UFD) (p. 1034)
  Feature Description
  Assigning an OSPF Process to a VRF Instance (p. 1062)
  Configuring VRRP on a VRF Instance (p. 1062)
  Configuring Management VRF (p. 1063)
  Configuring a Static Route
  Verifying a VLT Configuration (p. 1098)
  Additional VLT Sample Configurations (p. 1101)
  Configuring Virtual Link Trunking (VLT Peer 1)
  Configuring Virtual Link Trunking (VLT Peer 2)
  Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch)
  Introduction to X.509v3 certification (p. 1145)
  X.509v3 certificates (p. 1145)
  Certificate authority (CA)
1 About this Guide This Configuration guide provides information about how to use and configure the software features supported in the Dell Networking operating system (OS) on a C9010 console to configure a C9010 switch, C1048P, N20xx, and N30xx port extenders. The C9010 switch is also referred to as network director or control bridge. The port extenders are also referred to as rapid access nodes. Though this guide contains information on protocols, it is not intended to be a complete reference.
2 Configuration Fundamentals The Dell Networking OS command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. After you enter a command, the command is added to the running configuration file.
You can set user access rights to commands and command modes using privilege levels. For more information about privilege levels and security options, refer to the Privilege Levels Overview section in the Security chapter. The Dell Networking OS CLI is divided into three major mode levels: • EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level.
GRUB
LLDP
LLDP MANAGEMENT INTERFACE
MONITOR SESSION
MULTIPLE SPANNING TREE
OPENFLOW INSTANCE
PVST
PORT-CHANNEL FAILOVER-GROUP
PREFIX-LIST
PRIORITY-GROUP
PROTOCOL GVRP
QOS POLICY
RSTP
ROUTE-MAP
ROUTER BGP
BGP ADDRESS-FAMILY
ROUTER ISIS
ISIS ADDRESS-FAMILY
ROUTER OSPF
ROUTER OSPFV3
ROUTER RIP
SPANNING TREE
TRACE-LIST
VLT DOMAIN
VRRP
UPLINK STATE GROUP

Navigating CLI Modes
The Dell Networking OS prompt changes to indicate the CLI mode.
CLI Command Mode | Prompt | Access Command
Configuration Terminal Batch | Dell(conf-b)# | config terminal batch
DOT1X PROFILE | Dell(conf-dot1x-profile)# | dot1x
AS-PATH ACL | Dell(config-as-path)# | ip as-path access-list
10 Gigabit Ethernet Interface | Dell(conf-if-te-0/0)# | interface (INTERFACE modes)
40 Gigabit Ethernet Interface | Dell(conf-if-fo-0/0)# | interface (INTERFACE modes)
Interface Range | Dell(conf-if-range)# | interface (INTERFACE modes)
Loopback Interface | Dell(conf-if-lo-0)# | interface (INTERFACE modes)
BGP ADDRESS-FAMILY | Dell(conf-router_bgpv6_af)# (for IPv6) |
ROUTER ISIS | Dell(conf-router_isis)# |
ISIS ADDRESS-FAMILY | Dell(conf-router_isis-af_ipv6)# | address-family ipv6 unicast (ROUTER ISIS mode)
ROUTER OSPF | Dell(conf-router_ospf)# | router ospf
ROUTER OSPFV3 | Dell(conf-ipv6-router_ospf)# | ipv6 router ospf
ROUTER RIP | Dell(conf-router_rip)# | router rip
SPANNING TREE | Dell(config-span)# | protocol spanning-tree 0
TRACE-LIST | Dell(conf-trace-acl)# | ip trace-list
CLASS-MAP | Dell(con |
UPLINK STATE GROUP | Dell(conf-uplink-state-groupgroupID)# | uplink-state-group

The following example shows how to change the command mode from CONFIGURATION mode to PROTOCOL SPANNING TREE.

Example of Changing Command Modes
Dell(conf)#protocol spanning-tree 0
Dell(config-span)#

The do Command
Use the do command to enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on) without having to return to EXEC mode.
Undoing Commands When you enter a command, the command line is added to the running configuration file (running-config). To disable a command and remove it from the running-config, enter the no command, then the original command. For example, to delete an IP address configured on an interface, use the no ip address ip-address command. NOTE: Use the help or ? command as described in Obtaining Help.
• You can enter partial CLI keywords.
  – Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can enter clo, however, as a partial keyword because only one command begins with those three letters.
• The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command.
The grep command accepts an ignore-case sub-option that makes the search case-insensitive. For example:
• show run | grep Ethernet returns matches containing a capitalized “Ethernet,” such as interface TengigabitEthernet 0/0.
• show run | grep ethernet does not return that match because it only searches for instances containing a lowercase “ethernet.”
• show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and “ethernet.”
3 Getting Started This chapter describes how you start configuring your operating software. When you power up the chassis, the system performs a power-on self test (POST) and loads the Dell Networking operating software. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LED remains online (green) and the console monitor displays the EXEC mode prompt.
Serial Console
The RJ-45 network management port is located on the left side of the RPM as you face the chassis. Use a supported RJ-45 cable for a network connection.
Figure 1. RJ-45 Console Port (1: RJ-45 console port)

Accessing the Console Port
For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter. To access the console port, follow these steps:
1 Install an RJ-45 copper cable into the console port.
Console Port Signal | RJ-45 to RJ-45 Rollover Cable, RJ-45 Pinout (console side) | RJ-45 to RJ-45 Rollover Cable, RJ-45 Pinout (adapter side) | RJ-45 to DB-9 Adapter, DB-9 Pin | Terminal Server Device Signal
TxD | 3 | 6 | 2 | RxD
GND | 4 | 5 | 5 | GND
GND | 5 | 4 | 5 | GND
RxD | 6 | 3 | 3 | TxD
NC | 7 | 2 | 4 | DTR
CTS | 8 | 1 | 7 | RTS

Mounting an NFS File System
This feature enables you to quickly access data on an NFS mounted file system. You can perform file operations on an NFS mounted file system using supported file commands.
Example of Copying a File to the Current File System
Dell#copy tftp://10.16.127.35/username/dv-maa-C9010-test nfsmount://
Destination file name [dv-maa-sC9010-test]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!
44250499 bytes successfully copied
Dell#
Dell#copy ftp://10.16.127.35 nfsmount:
Source file name []: test.
Example of the hostname Command Dell(conf)#hostname R1 R1(conf)# Accessing the System Remotely You can configure the system to access it remotely by Telnet or SSH. • The switch has a dedicated management port and a management routing table that is separate from the IP routing table. • You can manage all Dell Networking products in-band via the front-end data ports through interfaces assigned an IP address as well.
management route ip-address/mask gateway – ip-address: the network address in dotted-decimal format (A.B.C.D). – mask: a subnet mask in /prefix-length format (/ xx). – gateway: the next hop for network traffic originating from the management port. Configuring a Username and Password To access the system remotely, configure a system username and password. To configure a system username and password, use the following command. • Configure a username and password to access the system remotely.
Configuring the Enable Password
Access EXEC Privilege mode using the enable command. EXEC Privilege mode is unrestricted by default, so configure a password as a basic security measure. There are three types of enable passwords:
• enable password is stored in the running/startup configuration using a DES encryption method.
• enable secret is stored in the running/startup configuration using an MD5 encryption method.
Of these two, prefer enable secret: a DES-encrypted enable password is a recoverable encoding, so anyone who can read the configuration (show running-config, a configuration backup, or a copy sent over TFTP or FTP) can recover the password, whereas an MD5-hashed secret is not directly reversible.
File System | Type | Permissions
tftp: | network | rw
scp: | network | rw

You can change the default file system so that file management commands apply to a particular device or memory. To change the default directory, use the following command.
• Change the default directory.
  EXEC Privilege mode
  cd directory

Copy Files to and from the System
The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
26292881 bytes successfully copied

Save the Running-Configuration
The running-configuration contains the current system configuration. Dell Networking recommends copying your running-configuration to the startup-configuration. The system uses the startup-configuration during boot-up to configure the system.
  show file flash://filename
• View a list of files on an external flash.
  EXEC Privilege mode
  dir usbflash:
• View the running-configuration.
  EXEC Privilege mode
  show running-config
• View the startup-configuration.
  EXEC Privilege mode
  show startup-config

Example of the dir Command
The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
Viewing Command History The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer. The system generates a trace message for each executed command. No password information is saved to the file. To view the command-history trace, use the show command-history command.
4 Switch Management
This chapter describes the switch management tasks supported on the switch.

Configuring Privilege Levels
Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels (0 through 15), of which three are pre-defined. The default privilege level is 1.

Level | Description
Level 0 | Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
Allowing Access to CONFIGURATION Mode Commands To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode. A user that enters CONFIGURATION mode remains at his privilege level and has access to only two commands, end and exit. You must individually specify each CONFIGURATION mode command you want to allow access to using the privilege configure level level command.
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
Dell(conf)#do telnet 10.11.80.201
[telnet output omitted]
Dell#show priv
Current privilege level is 3.
CONFIGURATION mode username username privilege level Applying a Privilege Level to a Terminal Line To set a privilege level for a terminal line, use the following command. • Configure privilege level for a terminal line. LINE mode privilege level level NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is hostname#, rather than hostname>.
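The privilege statements in the example above are easy to misread once more than a handful accumulate: a command assigned at level 4 is invisible to a level-3 user, while a command that is never re-assigned stays at its default level. As an added example (not code from the Dell guide), the following Python script parses `privilege exec|configure level N command` lines and answers what a user at a given level can run. The evaluation model is an assumption made here: a command assigned to level N is usable at N and above, the longest assigned prefix of a command line decides its level, and anything not re-assigned is treated as an EXEC Privilege or CONFIGURATION command at the default level 15 (the level-1 base EXEC command set is not modelled).

```python
"""Evaluate which commands a user at a given privilege level may run, from the
'privilege exec|configure level N <command>' statements in a running-config.

Added example; it is not code from the Dell guide. CONFIG is the fragment shown
in this section. The evaluation model (most specific assigned prefix wins;
unassigned commands need level 15; the level-1 base EXEC set is not modelled)
is an assumption made for this example.
"""
import re
from typing import Dict, List

PRIV_RE = re.compile(
    r"^privilege (?P<mode>exec|configure) level (?P<level>\d{1,2}) (?P<cmd>\S.*)$"
)
DEFAULT_LEVEL = 15   # assumption: commands never re-assigned need full privilege
MAX_LEVEL = 15       # the guide documents 16 levels, 0 through 15


def parse_privileges(config: str) -> Dict[str, Dict[str, int]]:
    """Return {mode: {command_prefix: level}}; a later line overrides an earlier one."""
    table: Dict[str, Dict[str, int]] = {"exec": {}, "configure": {}}
    for raw in config.splitlines():
        m = PRIV_RE.match(raw.strip())
        if not m:
            continue
        level = int(m["level"])
        if level > MAX_LEVEL:
            raise ValueError(f"privilege level out of range: {raw.strip()}")
        table[m["mode"]][m["cmd"].strip()] = level
    return table


def command_level(table: Dict[str, Dict[str, int]], mode: str, command: str) -> int:
    """Level required to run 'command' in 'mode': the longest assigned prefix wins."""
    best = None
    for prefix in table[mode]:
        if command == prefix or command.startswith(prefix + " "):
            if best is None or len(prefix) > len(best):
                best = prefix
    return table[mode][best] if best is not None else DEFAULT_LEVEL


def allowed(table: Dict[str, Dict[str, int]], mode: str, user_level: int, command: str) -> bool:
    """True if a user at user_level may run command in the given mode."""
    return user_level >= command_level(table, mode, command)


def commands_for(table: Dict[str, Dict[str, int]], mode: str, user_level: int) -> List[str]:
    """All explicitly assigned commands that a user at user_level can reach."""
    return sorted(c for c, lvl in table[mode].items() if user_level >= lvl)


# Privilege statements shown in this section of the guide.
CONFIG = """\
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
"""

if __name__ == "__main__":
    table = parse_privileges(CONFIG)
    for lvl in (3, 4, 15):
        print(f"level {lvl} EXEC commands: {commands_for(table, 'exec', lvl)}")
    print("level 3 may run 'resequence access-list'?",
          allowed(table, "exec", 3, "resequence access-list"))
```

Run it against a `show running-config | grep privilege` capture before handing a custom level to an operator: the commands_for output is the list you would review, and a `show running-config` that still resolves to level 15 confirms the level-3 user cannot read the configuration (and the enable password stored in it).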
Enabling Audit and Security Logs You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode. This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control. Audit Logs The audit log contains configuration events and information.
Example of the show logging auditlog Command
For information about the logging extended command, see Enabling Audit and Security Logs.
Dell#show logging auditlog
May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.
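Each audit-log line records who ran which configuration command, from which line and source address. That is enough to build a simple detector for the changes a security team most wants to know about: logging being turned off, accounts or privilege levels being changed, or the SSH server being disabled. The following Python script is an added example, not code from the Dell guide; the first three sample lines are modelled on the output above, the last two are constructed to exercise the detector, and the list of sensitive command prefixes is an assumed policy chosen for illustration.

```python
"""Parse 'show logging auditlog' output and flag configuration commands that
change who can log in, what they may do, or whether changes are logged.

Added example; it is not code from the Dell guide. The first three SAMPLE
lines are modelled on the guide's output; the last two are constructed.
SENSITIVE_PREFIXES is an assumed policy, chosen for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout of one audit-log line as printed by 'show logging auditlog':
#   <Mon DD HH:MM:SS>: <hostname>#: %CLI-<sev>-<command> by <user> from <line> (<ip>)
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"(?P<host>\S+?)#: "
    r"%CLI-(?P<sev>\d)-(?P<cmd>.+?) by (?P<user>\S+) from (?P<line>\S+) \((?P<ip>[^)]+)\)$"
)

# Assumed policy: command prefixes worth an alert when they appear in the audit log.
SENSITIVE_PREFIXES = (
    "no logging",            # logging being turned off or reduced
    "username",              # local account created or changed
    "no username",           # local account removed
    "privilege",             # privilege level remapping
    "enable password",
    "enable secret",
    "aaa ",                  # authentication / authorization policy
    "no ip ssh server",
    "ip ssh server disable",
)


@dataclass
class AuditEvent:
    timestamp: str
    host: str
    severity: int
    command: str
    user: str
    line: str
    source_ip: str

    @property
    def sensitive(self) -> bool:
        return self.command.startswith(SENSITIVE_PREFIXES)


def parse_line(line: str) -> Optional[AuditEvent]:
    """One audit-log line -> AuditEvent, or None if it is not an audit record."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    return AuditEvent(m["ts"], m["host"], int(m["sev"]), m["cmd"],
                      m["user"], m["line"], m["ip"])


def parse_auditlog(text: str) -> List[AuditEvent]:
    """All parseable records from a block of 'show logging auditlog' output."""
    return [ev for ev in (parse_line(raw) for raw in text.splitlines()) if ev]


def sensitive_events(text: str) -> List[AuditEvent]:
    """Records whose command matches the sensitive-prefix policy."""
    return [ev for ev in parse_auditlog(text) if ev.sensitive]


# Constructed sample: the first three lines follow the guide's output,
# the last two are invented to trigger the detector.
SAMPLE = """\
May 12 12:20:25: Dell#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98)
May 12 12:21:03: Dell#: %CLI-6-privilege exec level 3 configure by admin from vty0 (10.14.1.98)
May 12 12:21:20: Dell#: %CLI-6-no logging extended by admin from vty0 (10.14.1.98)
"""

if __name__ == "__main__":
    for ev in sensitive_events(SAMPLE):
        print(f"ALERT {ev.timestamp} {ev.user}@{ev.source_ip} via {ev.line}: {ev.command}")
```

The same records reach a syslog server when logging extended is enabled, so the parser can be pointed at the collector's copy rather than at the switch; the collector's copy is also the one that survives if an administrator runs no logging extended, which is exactly the event the last sample line flags.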
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1 On the switch, enable the SSH server:
  Dell(conf)#ip ssh server enable
2 On the syslog server, create a reverse SSH tunnel from the syslog server to the switch, using the following syntax:
  ssh -R :: user@remote_host -nNf
In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.
Track Login Activity Dell Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events. When you log in using the console or VTY line, the system displays the last successful login details of the current user and the number of unsuccessful login attempts since your last successful login to the system, and whether the current user’s permissions have changed since the last login.
------------------------------------------------------------------
User: admin
Last login time: 12:52:01 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.
The following is sample output of the show login statistics unsuccessful-attempts command. Dell# show login statistics unsuccessful-attempts There were 3 unsuccessful login attempt(s) for user admin in last 30 day(s). The following is sample output of the show login statistics unsuccessful-attempts time-period days command. Dell# show login statistics unsuccessful-attempts time-period 15 There were 0 unsuccessful login attempt(s) for user admin in last 15 day(s).
Enabling the System to Clear Existing Sessions To enable the system to clear existing login sessions, follow this procedure: • Use the following command. CONFIGURATION mode login concurrent-session clear-line enable Example of Enabling the System to Clear Existing Sessions The following example enables you to clear your existing login sessions.
If you do not want to enter the secured mode, do not save the running-configuration. Once saved, to disable the secured CLI mode, you need to manually edit the startup-configuration file and reboot the system. Log Messages in the Internal Buffer All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
• Specify the server to which you want to send system messages. You can configure up to eight syslog servers.
  CONFIGURATION mode
  logging {ip-address | ipv6-address | hostname} {{udp {port}} | {tcp {port}}}

Configuring a UNIX System as a Syslog Server
To configure a UNIX system as a syslog server, use the following command.
• Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file.
  – Add line on a 4.
Changing System Logging Settings You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged. To specify the system logging settings, use the following commands. • Specify the minimum severity level for logging to the logging buffer.
logging facility [facility-type]
– auth (for authorization messages)
– cron (for system scheduler messages)
– daemon (for system daemons)
– kern (for kernel messages)
– local0 (for local use)
– local1 (for local use)
– local2 (for local use)
– local3 (for local use)
– local4 (for local use)
– local5 (for local use)
– local6 (for local use)
– local7 (for local use)
– lpr (for line printer system messages)
– mail (for mail system messages)
– news (for USENET news messages)
– sys9 (system use)
– sys10 (system
Configure the following parameters for the virtual terminal lines: • number: the range is from zero (0) to 8. • end-number: the range is from 1 to 8. You can configure multiple virtual terminals at one time by entering a number and an end-number. 2 Configure a level and set the maximum number of messages to print. LINE mode logging synchronous [level severity-level | all] [limit] Configure the following optional parameters: • level severity-level: the range is from 0 to 7. The default is 2.
• Enable FTP Server (mandatory) • Configure FTP Server Parameters (optional) • Configure FTP Client Parameters (optional) Enabling the FTP Server To enable the system as an FTP server, use the following command. To view FTP configuration, use the show running-config ftp command in EXEC privilege mode. • Enable FTP on the system.
ip ftp source-interface interface Enter the following keywords and slot/port or number information: – For a loopback interface, enter the keyword loopback then a number between 0 and 16383. – For a port channel interface, enter the keywords port-channel then a number from 1 to 255. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Configuring Login Authentication for Terminal Lines You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, the system prompts for the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are: enable Prompt for the enable password.
• Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the time-out period to 0. LINE mode exec-timeout minutes [seconds] • Return to the default time-out values. LINE mode no exec-timeout Example of Setting the Time Out Period for EXEC Privilege Mode The following example shows how to set the time-out period and how to view the configuration using the show config command from LINE mode.
Lock CONFIGURATION Mode The system allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). You can set two types of locks: auto and manual. • Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access.
. Please contact Technical Support". This syslog continues to be emitted every 30 minutes. An SNMP trap with this information is also generated once every hour. 2 If SupportAssist is enabled, it sends the event message to the global SupportAssist server immediately and thereafter once every two days, so that Dell can proactively notify and assist customers when this condition occurs.
Recovering from a Forgotten Password If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter. If you forget your password, follow these steps: 1 Log onto the system using the console. 2 Power-cycle the chassis by disconnecting and then reconnecting the power cord. 3 During bootup, press Esc when prompted to abort the boot process. You enter Boot-Line Interface (BLI) mode at the BOOT_USER# prompt.
Recovering from a Failed Start A switch that does not start correctly might be trying to boot from a corrupted Dell Networking OS image or from a mis-specified location. In this case, you can restart the system and interrupt the boot process to point the system to another boot location. 1 Power-cycle the chassis (pull the power cord and reinsert it). 2 During bootup, press the ESC key when this message appears: Press Esc to stop autoboot...
Power-cycling the unit(s). .... Restoring Factory-Default Boot Environment Variables The Boot line determines the location of the image that is used to boot up the switch after restoring factory-default settings. Ideally, these locations contain valid images, which the switch uses to boot up. When you restore factory-default settings, you can either use a flash boot procedure or a network boot procedure to boot the switch.
file name : systemb
BOOT_USER #
To boot from the network:
BOOT_USER # boot change primary
boot device : tftp
file name : FTOS-SI-9-5-0-169.bin
Server IP address : 10.16.127.35
BOOT_USER #
4 Assign an IP address and network mask to the Management Ethernet interface.
BOOT_USER # interface management ethernet ip address ip_address_with_mask
For example, 10.16.150.106/16.
5 Assign an IP address as the default gateway for the system.
default-gateway gateway_ip_address
For example, 10.16.150.254.
• hash-value: (Optional). Specify the relevant hash published on i-Support.
• img-file: Enter the name of the Dell Networking software image file to validate.
Examples: Without Entering the Hash Value for Verification
MD5
Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin
MD5 hash for FTOS-SE-9.5.0.0.bin: 275ceb73a4f3118e1d6bcf7d75753459
SHA256
Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin
SHA256 hash for FTOS-SE-9.5.0.0.
linecard linecard linecard linecard linecard linecard linecard linecard linecard linecard linecard 1 2 3 is 4 is 5 is 6 is 7 is 8 is 9 is 10 11 FLASH BOOT FLASH BOOT not present. not present. not present. not present. not present. not present. not present.
Logging in to the Virtual Console of a C9010 Component You must log in to the virtual console of a C9010 component in order to re-configure its boot variables. By default, you log in to a C9010 console port, which is identified as RPM0 CP or RPM1 CP. • To log in to the RPM RP: Hold down the Ctrl key and type geo. Then release the Ctrl key and type r. • To log in to the RPM LP: Hold down the Ctrl key and type geo. Then release the Ctrl key and type l.
***** Welcome to Dell Networking OS Boot Interface *****
PRIMARY OPERATING SYSTEM BOOT PARAMETERS:
========================================
boot device : ftp
file name : force10/rd/tgtimg/runtime/LP.bin
Management Etherenet IP address : 127.10.10.113
Mask : 255.240.0.0
Server IP address : 127.10.10.10
Default Gateway IP address : 127.10.10.
5 802.1X 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 3. EAP Frames Encapsulated in Ethernet and RADIUS The authentication process involves three devices: • The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. • The device with which the supplicant communicates is the authenticator. The authenticator is the gatekeeper of the network.
• Re-Authenticating a Port • Configuring Dynamic VLAN Assignment with Port Authentication • Guest and Authentication-Fail VLANs • Multi-Host Authentication • Multi-Supplicant Authentication • MAC Authentication Bypass • Dynamic CoS with 802.
Figure 4. EAP Port-Authentication EAP over RADIUS 802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79. Figure 5. EAP Over RADIUS 802.
RADIUS Attributes for 802.1 Support Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server. Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet. Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
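The following is an added example, not part of the Dell guide, showing how the EAP-Message (attribute 79) and Calling-Station-Id (attribute 31) TLVs described above are carried in an Access-Request, and how the receiving side verifies the Message-Authenticator (attribute 80) that RFC 3579 requires alongside any EAP-Message. The shared secret, identifier, MAC address and EAP identity are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types (RFC 2865 / RFC 3579)
ACCESS_REQUEST = 1
ATTR_CALLING_STATION_ID = 31
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(atype, value):
    """One RADIUS attribute in TLV form: Type, Length (includes the 2 header bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single TLV")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    """EAP Response/Identity: Code 2, Identifier, Length, Type 1 (Identity), identity bytes."""
    body = b"\x01" + identity.encode()
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def build_access_request(identifier, secret, eap_payload, supplicant_mac):
    """Build an Access-Request carrying the supplicant's EAP message.

    Message-Authenticator = HMAC-MD5(secret, whole packet with its own value
    zeroed), as RFC 3579 section 3.2 requires when an EAP-Message is present.
    """
    request_authenticator = os.urandom(16)  # fresh random value per request
    body = (_attr(ATTR_CALLING_STATION_ID, supplicant_mac.encode())
            + _attr(ATTR_EAP_MESSAGE, eap_payload))
    placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(body) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator
    digest = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + _attr(ATTR_MESSAGE_AUTHENTICATOR, digest)


def parse_attributes(packet):
    """Return [(type, offset, value)] for every attribute, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS Length field inconsistent with packet size")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((atype, pos, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(packet, secret):
    """Server-side check: recompute the HMAC over the packet with the MA value zeroed."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    mas = [(pos, val) for atype, pos, val in attrs if atype == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return False  # missing, duplicated or mis-sized: treat as unauthenticated
    pos, received = mas[0]
    zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def eap_messages(packet):
    """Reassemble the EAP packet from (possibly several) EAP-Message attributes, in order."""
    return b"".join(val for atype, _, val in parse_attributes(packet) if atype == ATTR_EAP_MESSAGE)


def calling_station_id(packet):
    """The supplicant MAC relayed in attribute 31, or None if absent."""
    for atype, _, val in parse_attributes(packet):
        if atype == ATTR_CALLING_STATION_ID:
            return val.decode()
    return None
```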
Enabling 802.1X Enable 802.1X globally. Figure 6. 802.1X Enabled 1 Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2 Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3 Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication NOTE: You must enable dot1x authentication globally as well as in INTERFACE mode on the interface to which the supplicant is connected. 802.
Examples of Verifying that 802.1X is Enabled Globally or on an Interface
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. The bold text shows that 802.1X has been enabled. By default, ports are not authorized.
Dell#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface TenGigabitEthernet 2/1
no ip address
dot1x authentication
no shutdown
!
Dell#
View 802.
Hardware is DellEth, address is 34:17:eb:00:aa:12
Current address is 34:17:eb:00:aa:12
Pluggable media not present
Interface index is 804258823
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :3417eb00aa12
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 1000 Mbit, Mode auto
Auto-mdix enabled, ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 20:06:07
Queueing strategy: fifo
Input Statistics:
10760802379 packets, 688691353132 bytes
10760802177 64-by
mac-address — Enter the keyword mac and type up to six 48-bit MAC addresses using the nn:nn:nn:nn:nn:nn format. A maximum of 6 MAC addresses are allowed. Example of Configuring a List of MAC Addresses for a dot1x Profile The following example configures 2 MAC addresses and then displays these addresses.
Auth Type: SINGLE_HOST
Auth PAE State: Authenticated
Backend State: Idle
Configuring Critical VLAN
By default, a critical VLAN is not configured. If authentication fails because the authentication server is not reachable, the user session is authenticated under the critical VLAN. To configure a critical VLAN for users or devices when the authentication server is not reachable, use the following command.
NOTE: There are several reasons why the supplicant might fail to respond; for example, the supplicant might have been booting when the request arrived or there might be a physical layer failure. To configure re-transmissions, use the following commands. • Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame. INTERFACE mode dot1x tx-period number The range is from 1 to 65535 (1 year). The default is 30.
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Forcibly Authorizing or Unauthorizing a Port
IEEE 802.
Re-Authenticating a Port You can configure the authenticator for periodic re-authentication. After the supplicant has been authenticated, and the port has been authorized, you can configure the authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds, but you can configure this interval. You can configure a maximum number of re-authentications as well.
1 The host sends a dot1x packet to the Dell Networking system. 2 The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number. 3 The RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN assignment using Tunnel-Private-Group-ID. The illustration shows the configuration before connecting the end user device in black and blue text, and after connecting the device in red text.
If the supplicant fails to authenticate for a specified number of times, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves.
Configuring an Authentication-Fail VLAN If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time. NOTE: For more information about authenticator re-attempts, refer to Configuring a Quiet Period after a Failed Authentication. You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
Example of Viewing Configured Authentication 802.
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Figure 9. Multi-Host Authentication Mode When you configure multi-host mode authentication, the first client to respond to an identity request is authenticated and subsequent responses are still ignored. However, because the authenticator expects the possibility of multiple responses, no system log is generated. After the first supplicant is authenticated, all end users connected to the authorized port are allowed to access the network.
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Critical VLAN: Disable
Critical VLAN id: NONE
Mac-Auth-Bypass: Disable
Mac-Auth-Bypass Only: Disable
Static-MAB: Disable
Static-MAB Profile: NONE
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max:
Supplicant Timeout:
Server Timeout:
Re-Auth Interval:
Max-EAP-Req:
Host Mode:
Auth PAE State:
Backend State:
feature is different from multi-host authentication in which multiple devices connected to a single authenticator port can access the network after only the one device is authenticated, and all hosts are placed in the same VLAN as the authenticated device. Multi-supplicant authentication is needed, for example, in the case of a workstation at which a VoIP phone and PC are connected to a single authenticator port.
Restricting Multi-Supplicant Authentication To restrict the number of devices that 802.1X can authenticate on a port in multi-supplicant (multi-auth) mode, enter the dot1x maxsupplicants number command in Interface mode. By default, the maximum number of multi-supplicant devices is 128.
MAB in Multi-Supplicant Authentication Mode Multi-supplicant authentication (multi-auth) mode is similar to other 802.1X modes in that the switch first attempts to authenticate a supplicant using 802.1X. 802.1X times out if the supplicant does not respond to the Request Identity frame. Then, if MAB authentication is enabled, the switch tries to authenticate every MAC it learns on the port, up to 128 MACs, which is the maximum number of supplicants that 802.
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Critical VLAN: Disable
Critical VLAN id: NONE
Mac-Auth-Bypass: Enable
Mac-Auth-Bypass Only: Disable
Static-MAB: Disable
Static-MAB Profile: NONE
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Authenticated
Backend State: Idle
Dynamic CoS with 802.
4 5 6 7 • 3 1 2 4 4 5 2 4 0 0 0 2
The priority of untagged packets is assigned according to the remapped value of priority 0 traffic in the RADIUS-based table. For example, in the following remapping table, untagged packets are tagged with priority 2:
Dell#show dot1x cos-mapping interface TenGigabitethernet 2/3
802.1Xp CoS remap table on Te 2/3:
----------------------------
Dot1p Remapped Dot1p
0 2
1 6
2 5
3 4
4 3
5 2
6 1
7 0
• After being re-tagged by dynamic CoS for 802.
6 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. • Access control lists (ACLs), Ingress IP and MAC ACLs, and Egress IP and MAC ACLs are supported on the system. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
• Destination IP address • Source TCP port number • Destination TCP port number • Source UDP port number • Destination UDP port number For more information about ACL options, refer to the Dell Networking OS Command Reference Guide. For extended ACL, TCP, and UDP filters, you can match criteria on specific or ranges of TCP or UDP ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions. When creating an access list, the sequence of the filters is important.
To determine whether sufficient ACL CAM space is available to enable a service-policy, use this command. To verify the actual CAM space required, create a class map with all the required ACL rules, then run the test cam-usage command in EXEC and EXEC Privilege mode. The following example shows the output when running this command. The status column indicates whether you can enable the policy.
The default CAM allocation settings for ingress ACL and QoS regions are the following:
L2Acl : 5
Ipv4Acl : 4
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
EcfmAcl : 0
FcoeAcl : 0
iscsiOptAcl : 0
ipv4pbr : 0
vrfv4Acl : 0
Openflow : 0
fedgovacl : 0
nlbclusteracl: 0
Select the CAM allocation for Layer 2, IPv4, and IPv6 ACLs, Layer 2 and Layer 3 (IPv4) QoS, Layer 2 Protocol Tunneling (L2PT), IP and MAC source address validation for DHCP, and Policy-based Routing (PBR).
Dell(conf)#cam-acl-pe ?
default Reset PE CAM ACL entries to default setting
l2acl Set L2-ACL entries
Dell(conf)#cam-acl-pe l2acl 3 ipv4acl 2 ipv6acl 2 ipv4qos 2 l2qos 1 ipmacacl 2
Allocating CAM for Egress ACLs on the Port Extender
To allocate Content Addressable Memory (CAM) for egress ACLs on the port extender, use the cam-acl-egress-pe command in CONFIGURATION mode; this re-allocates the memory space available to egress ACLs on the port extender.
Ipv6Acl : 2
Dell(conf)#cam-acl-egress-pe l2acl 2 ipv4acl 2 ipv6acl 0
The following example displays the running configuration for the configured CAM ACLs.
Dell(conf)#do show running-config | grep cam-acl
cam-acl l2acl 3 ipv4acl 4 ipv6acl 0 ipv4qos 2 l2qos 1 l2pt 0 ipmacacl 0 vman-qos 0 ecfmacl 0 ipv4pbr 2
cam-acl-pe l2acl 3 ipv4acl 2 ipv6acl 2 ipv4qos 2 l2qos 1 ipmacacl 2
cam-acl-egress-pe l2acl 2 ipv4acl 2 ipv6acl 0
Implementing ACLs on Dell EMC Networking OS
You can assign one IP ACL per interface.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore (without the keyword order), packets within the range 20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4.
Optimizing ACL for More Number of IPv4 ACL Rules To optimize ACL for more number of IPv4 ACL rules, follow these steps: 1 Carve the vlanaclopt CAM region. CONFIGURATION mode cam-acl-vlan vlanopenflow 0 vlaniscsi 0 vlanaclopt 2 2 Enable the ACL optimized feature. CONFIGURATION mode feature acloptimized 3 Reload the system EXEC Privilege reload After the system reloads, the Dell Networking OS enables the feature.
Example of Permitting All Packets on an Interface
The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule is never hit.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Dell(conf-ext-nacl)
Example of Denying Second and Subsequent Fragments
To deny the second/subsequent fragments, use the same rules in a different order.
Dell(conf-ext-nacl)#permit udp any any fragment
Dell(conf-ext-nacl)#deny ip any any log
Dell(conf-ext-nacl)
When configuring ACLs with the fragments keyword, be aware of the following. When an ACL filters packets, it looks at the fragment offset (FO) to determine whether it is a fragment.
• FO = 0 means it is either the first fragment or the packet is a non-fragment.
• FO > 0 means it is dealing with the fragments of the original packet.
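The following added example (not Dell code) models the first-match evaluation and the FO-based meaning of the fragments keyword described above, so that the two rule orderings from the examples can be compared on constructed traffic. Rule and packet representations are simplified assumptions; only the IP protocol, addresses and fragment offset are modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any IP protocol), "tcp" or "udp"
    src: str               # "any" or an address/prefix such as "10.1.1.1/32"
    dst: str
    fragments: bool = False   # the 'fragments' keyword: non-initial fragments only


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    frag_offset: int = 0      # IP Fragment Offset: 0 = first fragment or unfragmented


def _addr_match(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    # A rule carrying 'fragments' applies only to packets with FO > 0.
    # A rule without it matches unfragmented packets and every fragment alike.
    if rule.fragments and pkt.frag_offset == 0:
        return False
    return True


def evaluate(acl, pkt):
    """First match in sequence order decides; an unmatched packet hits the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


def hit_counts(acl, packets):
    """Per-rule hit counters, in the spirit of the show ip accounting access-list output."""
    counts = {rule.seq: 0 for rule in acl}
    for pkt in packets:
        _, seq = evaluate(acl, pkt)
        if seq is not None:
            counts[seq] += 1
    return counts


# Constructed ACLs mirroring the two orderings discussed above.
ACL_PERMIT_FIRST = [
    Rule(5, "permit", "ip", "any", "10.1.1.1/32"),
    Rule(10, "deny", "ip", "any", "10.1.1.1/32", fragments=True),
]
ACL_DENY_FRAGMENTS_FIRST = [
    Rule(5, "deny", "ip", "any", "10.1.1.1/32", fragments=True),
    Rule(10, "permit", "ip", "any", "10.1.1.1/32"),
]

# Constructed traffic: an unfragmented packet, a first fragment, and a later fragment.
SAMPLE_PACKETS = [
    Packet("udp", "192.0.2.10", "10.1.1.1", frag_offset=0),
    Packet("udp", "192.0.2.10", "10.1.1.1", frag_offset=0),
    Packet("udp", "192.0.2.10", "10.1.1.1", frag_offset=185),
]
```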
seq 25 deny ip host 10.5.0.0 any log Dell(config-std-nacl)# To delete a filter, use the no seq sequence-number command in IP ACCESS LIST mode. Configuring a Standard IP ACL Filter If you are creating a standard ACL with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. The software assigns filters in multiples of five. 1 Configure a standard IP ACL and assign it a unique name.
Configure an Extended IP ACL Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. Because traffic passes through the filter in the order of the filter’s sequence, you can configure the extended IP ACL by first entering IP ACCESS LIST mode and then assigning a sequence number to the filter. Configuring Filters with a Sequence Number To configure filters with a sequence number, use the following commands.
seq sequence-number {deny | permit} tcp {source mask | any | host ip-address} [count [byte]] [order] [fragments] Example of the seq Command When you create the filters with a specific sequence number, you can create the filters in any order and the filters are placed in the correct order. NOTE: When assigning sequence numbers to filters, you may have to insert a new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or another number.
To view all configured IP ACLs and the number of packets processed through the ACL, use the show ip accounting access-list command in EXEC Privilege mode, as shown in the first example in Configure a Standard IP ACL Filter. Configure Layer 2 and Layer 3 ACLs Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode.
• You can add only one ACL to an interface at a time. • When you apply an ACL VLAN group to a member interface, an error message is displayed if an ACL with different criteria has already been separately applied to the interface. • The maximum number of members in an ACL VLAN group is determined by the type of switch and its hardware capabilities. This scaling limit depends on the number of slices that are allocated for ACL CAM optimization.
show acl-vlan-group {group-name | detail}
Dell#show acl-vlan-group detail
Group Name : TestGroupSeventeenTwenty
Egress IP Acl : SpecialAccessOnlyExpertsAllowed
Vlan Members : 100,200,300
Group Name : CustomerNumberIdentificationEleven
Egress IP Acl : AnyEmployeeCustomerElevenGrantedAccess
Vlan Members : 2-10,99
Group Name : HostGroup
Egress IP Acl : Group5
Vlan Members : 1,1000
Dell#
Allocating ACL VLAN CAM
CAM optimization for ACL VLAN groups is not enabled by default.
CONFIGURATION mode interface interface {slot/port | port-channel-number} 2 Configure an IP address for the interface, placing it in Layer 3 mode. INTERFACE mode ip address ip-address 3 Apply an IP ACL to traffic entering or exiting an interface. INTERFACE mode ip access-group access-list-name {in} [implicit-permit] [vlan vlan-range] NOTE: The number of entries allowed per ACL is hardware-dependent. For detailed specification about entries allowed per ACL, refer to your line card documentation.
Dell(config-ext-nacl)#permit 1.1.1.2
Dell(config-ext-nacl)#end
Dell#show ip accounting access-list
!
Extended Ingress IP access list abcd on pegigE 1/0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2
Applying Egress ACLs
Egress ACLs are supported on interfaces and affect the traffic leaving the system. Configuring egress ACLs onto physical interfaces protects the system infrastructure from attack — malicious and incidental — by explicitly allowing only authorized traffic.
ip control-plane [egress filter] 2 Apply Egress ACLs to IPv6 system traffic. CONFIGURATION mode ipv6 control-plane [egress filter] 3 Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.
Implementation Information Prefix lists are used in processing routes for routing protocols (for example, router information protocol [RIP], open shortest path first [OSPF], and border gateway protocol [BGP]). NOTE: It is important to know which protocol your system supports prior to implementing prefix-lists. Configuration Task List for Prefix Lists To configure a prefix list, use commands in PREFIX LIST, ROUTER RIP, ROUTER OSPF, and ROUTER BGP modes.
seq 15 deny 120.0.0.0/8 le 16
seq 20 permit 0.0.0.0/0 le 32
Dell(conf-nprefixl)#
NOTE: The last line in the prefix list Juba contains a “permit all” statement. By including this line in a prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded. To delete a filter, use the no seq sequence-number command in PREFIX LIST mode.
Examples of the show ip prefix-list Commands
The following example shows the show ip prefix-list detail command.
Dell>show ip prefix detail
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
seq 5 deny 1.102.0.0/16 le 32 (hit count: 0)
seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
seq 5 deny 100.100.1.
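The following added example (not Dell code) parses prefix-list entries in the seq/permit/deny/ge/le form shown for the Juba and filter_in lists above and evaluates routes against them with first-match semantics and the implicit deny, so the effect of le and ge on accepted prefix lengths can be checked before a list is applied to a routing protocol. The matching semantics are the standard ones (exact length without ge/le; ge sets the lower bound, le the upper bound) and are an assumption of this model.

```python
import ipaddress


def parse_prefix_list(config_text):
    """Parse 'seq N {permit|deny} PREFIX/LEN [ge G] [le L]' lines into entries sorted by seq."""
    entries = []
    for line in config_text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "seq":
            raise ValueError(f"unrecognised prefix-list line: {line!r}")
        seq, action = int(tok[1]), tok[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny: {line!r}")
        net = ipaddress.ip_network(tok[3], strict=False)
        ge = le = None
        for key, val in zip(tok[4::2], tok[5::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
            else:
                raise ValueError(f"unknown keyword {key!r} in {line!r}")
        if ge is not None and le is not None and ge > le:
            raise ValueError(f"ge exceeds le in {line!r}")
        entries.append((seq, action, net, ge, le))
    return sorted(entries, key=lambda e: e[0])


def entry_matches(entry, route):
    """True if the route falls inside the entry's prefix and its length is in the allowed range."""
    _seq, _action, net, ge, le = entry
    if route.version != net.version or not route.subnet_of(net):
        return False
    length = route.prefixlen
    if ge is None and le is None:
        return length == net.prefixlen        # no ge/le: the exact prefix only
    lower = ge if ge is not None else net.prefixlen
    upper = le if le is not None else route.max_prefixlen
    return lower <= length <= upper


def evaluate(entries, route_text):
    """First matching entry decides; a route matching nothing is denied (implicit deny)."""
    route = ipaddress.ip_network(route_text, strict=False)
    for entry in entries:
        if entry_matches(entry, route):
            return entry[1], entry[0]
    return "deny", None


# The two lists shown on this page, reproduced as constructed input text.
PREFIX_LIST_JUBA = """
seq 15 deny 120.0.0.0/8 le 16
seq 20 permit 0.0.0.0/0 le 32
"""
PREFIX_LIST_FILTER_IN = """
seq 5 deny 1.102.0.0/16 le 32
seq 6 deny 2.1.0.0/16 ge 23
seq 10 permit 0.0.0.0/0 le 32
"""
```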
network 10.0.0.0 Dell(conf-router_rip)#router ospf 34 Applying a Filter to a Prefix List (OSPF) To apply a filter to routes in open shortest path first (OSPF), use the following commands. • Enter OSPF mode. CONFIGURATION mode router ospf • Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded.
Rules Before Resequencing:
seq 7 permit any host 1.1.1.3
seq 10 permit any host 1.1.1.4
Rules After Resequencing:
seq 5 permit any host 1.1.1.1
seq 10 permit any host 1.1.1.2
seq 15 permit any host 1.1.1.3
seq 20 permit any host 1.1.1.4
Resequencing an ACL or Prefix List
Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the following commands. You must specify the list name, starting number, and increment when using these commands.
Remarks that do not have a corresponding rule are incremented as a rule. These two mechanisms allow remarks to retain their original position in the list. The following example shows remark 10 corresponding to rule 10 and as such, they have the same number before and after the command is entered. Remark 4 is incremented as a rule, and all rules have retained their original positions.
Configuration Task List for Route Maps Configure route maps in ROUTE-MAP mode and apply the maps in various commands in ROUTER RIP and ROUTER OSPF modes. The following list includes the configuration tasks for route maps, as described in the following sections.
To delete all instances of that route map, use the no route-map map-name command. To delete just one instance, add the sequence number to the command syntax.
Dell(conf)#no route-map zakho 10
Dell(conf)#end
Dell#show route-map
route-map zakho, permit, sequence 20
Match clauses:
interface TengigabitEthernet 0/1
Set clauses:
tag 35
level stub-area
Dell#
The following example shows a route map with multiple instances. The show config command displays only the configuration of the current route map instance.
In the following example, instance 10 permits the route having a tag value of 1000 and instances 20 and 30 deny the route having a tag value of 1000. In this scenario, the system scans all the instances of the route-map for any permit statement. If there is a match anywhere, the route is permitted. However, other instances of the route-map deny it.
• Match source routes specified in a prefix list (IPv4). CONFIG-ROUTE-MAP mode match ip route-source {access-list-name | prefix-list prefix-list-name}
• Match source routes specified in a prefix list (IPv6). CONFIG-ROUTE-MAP mode match ipv6 route-source {access-list-name | prefix-list prefix-list-name}
• Match routes with a specific metric value. CONFIG-ROUTE-MAP mode match metric metric-value
• Match BGP routes based on the ORIGIN attribute.
set metric-type {external | internal | type-1 | type-2} • Assign an IP address as the route’s next hop. CONFIG-ROUTE-MAP mode set next-hop ip-address • Assign an IPv6 address as the route’s next hop. CONFIG-ROUTE-MAP mode set ipv6 next-hop ip-address • Assign an ORIGIN attribute. CONFIG-ROUTE-MAP mode set origin {egp | igp | incomplete} • Specify a tag for the redistributed routes. CONFIG-ROUTE-MAP mode set tag tag-value • Specify a value as the route’s weight.
Configure a Route Map for Route Tagging One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol. As the route enters a different routing domain, it is tagged. The tag is passed along with the route as it passes through different routing protocols. You can use this tag when the route leaves a routing domain to redistribute those routes again.
number] ipv4pbr number }openflow number | fcoe number} [ipv4udfenable] [iscsioptacl number] [vrfv4acl number] Dell(conf)#cam-acl l2acl 1 ipv4acl 8 ipv6acl 2 ipv4qos 0 l2qos 2 l2pt 0 ipmacacl 0 vman-qos 0 ecfmacl 0 ipv4udfenable 3 View the currently configured CAM allocation. EXEC mode EXEC Privilege mode show cam-acl 4 Create a UDF packet format in the UDF TCAM table.
CONFIGURATION-UDF-Qualifier-Value Profile mode udf-id 1-12 value mask Dell(conf-udf-tcam-qual-val)#udf-id 1 aa ff 11 Associate the UDF qualifier value with a UDF packet profile in an IP access list.
7 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 10. BFD in IPv4 Packet Format
Field: Description
Diagnostic Code: The reason that the last session failed.
State: The current local session state. Refer to BFD Sessions.
Flag: A bit that indicates packet function.
Detection Multiplier: The number of packets that must be missed in order to declare a session down.
Length: The entire length of the BFD packet.
My Discriminator: A random number generated by the local system to identify the session.
Your Discriminator: A random number generated by the remote system to identify the session.
Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
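The field table above maps directly onto the wire layout of the BFD control packet. The following parser, added here as an example and not part of the Dell guide or the Dell Networking OS, decodes the 24-byte mandatory section of a BFD control packet from its UDP payload, applies the receive-side validity checks that RFC 5880 requires before a packet may influence a session (version, length, non-zero Detect Mult and My Discriminator, and the Your Discriminator rule), and computes the detection time that results from the Detection Multiplier and the negotiated intervals. The sample packet is constructed for the example; it is not captured traffic.

```python
import struct
from dataclasses import dataclass

# Constructed sample BFD control packet (not captured traffic): the 24-byte
# mandatory section from RFC 5880 section 4.1 with no authentication section.
# vers=1, diag=0, state=Up, no flags, Detect Mult=3, My/Your Discriminator 7/2,
# Desired Min TX = Required Min RX = 200000 us (200 ms), echo RX = 0.
SAMPLE_BFD_PACKET = bytes.fromhex(
    "20"          # 001 00000 : version 1, diagnostic 0 (No Diagnostic)
    "c0"          # 11 000000 : state 3 (Up), flags P F C A D M all clear
    "03"          # Detect Mult
    "18"          # Length = 24
    "00000007"    # My Discriminator
    "00000002"    # Your Discriminator
    "00030d40"    # Desired Min TX Interval in microseconds (200000)
    "00030d40"    # Required Min RX Interval in microseconds (200000)
    "00000000"    # Required Min Echo RX Interval
)

STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
DIAG_NAMES = {
    0: "No Diagnostic",
    1: "Control Detection Time Expired",
    2: "Echo Function Failed",
    3: "Neighbor Signaled Session Down",
    4: "Forwarding Plane Reset",
    5: "Path Down",
    6: "Concatenated Path Down",
    7: "Administratively Down",
    8: "Reverse Concatenated Path Down",
}
FLAG_BITS = (("P", 0x20), ("F", 0x10), ("C", 0x08), ("A", 0x04), ("D", 0x02), ("M", 0x01))


@dataclass
class BfdControl:
    version: int
    diag: int
    state: int
    flags: dict
    detect_mult: int
    length: int
    my_discriminator: int
    your_discriminator: int
    desired_min_tx_us: int
    required_min_rx_us: int
    required_min_echo_rx_us: int

    @property
    def state_name(self) -> str:
        return STATE_NAMES[self.state]


def parse_bfd_control(payload: bytes) -> BfdControl:
    """Parse the mandatory section of a BFD control packet (the UDP payload).

    Raises ValueError for packets that RFC 5880 section 6.8.6 says a receiver
    must discard, so malformed packets never reach the session state logic.
    """
    if len(payload) < 24:
        raise ValueError("packet shorter than the 24-byte mandatory section")
    b0, b1, mult, length, my_d, your_d, tx, rx, echo = struct.unpack("!BBBBIIIII", payload[:24])
    version = b0 >> 5           # top 3 bits
    diag = b0 & 0x1F            # low 5 bits
    state = b1 >> 6             # top 2 bits
    flags = {name: bool(b1 & bit) for name, bit in FLAG_BITS}
    if version != 1:
        raise ValueError(f"unsupported BFD version {version}")
    if length < 24 or length > len(payload):
        raise ValueError("Length field does not fit the received packet")
    if flags["A"] and length < 26:
        raise ValueError("A bit set but no room for an authentication section")
    if mult == 0:
        raise ValueError("Detect Mult must be non-zero")
    if my_d == 0:
        raise ValueError("My Discriminator must be non-zero")
    if your_d == 0 and state not in (0, 1):
        # Only AdminDown/Down packets may carry a zero Your Discriminator
        raise ValueError("Your Discriminator is zero but state is not Down/AdminDown")
    return BfdControl(version, diag, state, flags, mult, length, my_d, your_d, tx, rx, echo)


def detection_time_us(remote: BfdControl, local_required_min_rx_us: int) -> int:
    """Asynchronous-mode detection time on the local system (RFC 5880 6.8.4):
    the remote Detect Mult times the remote transmit interval actually in use,
    which is the larger of the remote Desired Min TX and our Required Min RX."""
    return remote.detect_mult * max(remote.desired_min_tx_us, local_required_min_rx_us)
```

With the sample packet, a local Required Min RX of 100 ms gives a detection time of 3 × 200 ms = 600 ms; raising the local Required Min RX to 300 ms stretches it to 900 ms, which is why the min_rx value on the interface directly bounds how fast a failure can be declared.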
Demand mode: If one system requests Demand mode, the other system stops sending periodic control packets; it only sends a response to status inquiries from the Demand mode initiator. Either system (but not both) can request Demand mode at any time.
NOTE: The Dell Networking OS supports Asynchronous mode only.
A session can have four states: Administratively Down, Down, Init, and Up.
Administratively Down: The local system does not participate in a particular session.
Figure 11.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 12.
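The state changes described above follow the receive-side state table of RFC 5880 section 6.8.6. The following model, added here as an example and not code from the Dell guide, implements that table for a local session: what happens when a control packet with a given State field arrives, what happens when the detection timer expires, and how two fresh sessions reach Up through the three-way handshake mentioned at the start of this chapter. State and diagnostic numbers are the standard wire values; the session names are placeholders.

```python
from dataclasses import dataclass

ADMIN_DOWN, DOWN, INIT, UP = 0, 1, 2, 3
STATE_NAMES = {ADMIN_DOWN: "AdminDown", DOWN: "Down", INIT: "Init", UP: "Up"}
DIAG_NONE, DIAG_DETECT_EXPIRED, DIAG_NEIGHBOR_DOWN = 0, 1, 3


@dataclass
class BfdSession:
    name: str
    state: int = DOWN
    diag: int = DIAG_NONE

    def on_receive(self, remote_state: int) -> int:
        """Apply the RFC 5880 state table to the State field of a received packet."""
        if self.state == ADMIN_DOWN:
            return self.state  # administratively down: received packets change nothing
        if remote_state == ADMIN_DOWN:
            if self.state != DOWN:
                self.state, self.diag = DOWN, DIAG_NEIGHBOR_DOWN
        elif self.state == DOWN:
            if remote_state == DOWN:
                self.state = INIT      # the page's example: Down + remote Down -> Init
            elif remote_state == INIT:
                self.state = UP
        elif self.state == INIT:
            if remote_state in (INIT, UP):
                self.state = UP
        else:  # UP
            if remote_state == DOWN:
                self.state, self.diag = DOWN, DIAG_NEIGHBOR_DOWN
        return self.state

    def on_detection_timeout(self) -> int:
        """Detection time expired with no control packet: declare the session Down."""
        if self.state not in (DOWN, ADMIN_DOWN):
            self.state, self.diag = DOWN, DIAG_DETECT_EXPIRED
        return self.state


def three_way_handshake():
    """Bring two fresh sessions up; returns (state of A, state of B, packets exchanged)."""
    a, b = BfdSession("A"), BfdSession("B")
    packets = 0
    # Each side advertises its own current state; the exchange settles in three packets.
    while not (a.state == UP and b.state == UP):
        b.on_receive(a.state)      # A -> B
        packets += 1
        if a.state == UP and b.state == UP:
            break
        a.on_receive(b.state)      # B -> A
        packets += 1
        if packets > 10:
            raise RuntimeError("handshake did not converge")
    return a.state, b.state, packets
```

Note that an AdminDown session ignores everything it receives, and that a session in Up only leaves Up on a Down/AdminDown packet or a detection timeout, never on a stray Init; this is what keeps a single unexpected packet from tearing down an established session.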
• Configure BFD for OSPF • Configure BFD for OSPFv3 • Configure BFD for IS-IS • Configure BFD for BGP • Configure BFD for VRRP • Configuring Protocol Liveness Configure BFD for Physical Ports Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol.
Example of Viewing Session Parameters R1(conf-if-te-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive R1(conf-if-te-4/24)#do show bfd neighbors detail Session Discriminator: 1 Neighbor Discriminator: 1 Local Addr: 2.2.2.1 Local MAC Addr: 00:01:e8:09:c3:e5 Remote Addr: 2.2.2.
Configuring BFD for static routes is a three-step process:
1 Enable BFD globally.
2 Configure static routes on both routers on the system (either local or remote).
3 Configure an IP route to connect BFD on the static routes using the ip route bfd command.
Related Configuration Tasks
• Changing Static Route Session Parameters
• Disabling BFD for Static Routes
Establishing Sessions for Static Routes
Sessions are established for all neighbors that are the next hop of a static route.
Figure 13.
Establishing Sessions for Static Routes for Nondefault VRF You can also create nondefault VRFs and establish sessions for all neighbors that are the next hop of a static route. To establish a BFD session for nondefault VRFs, use the following command. • Establish BFD sessions for all neighbors that are the next hop of a static route.
• A BFD session is enabled for the directly connected next-hop neighbor specified in the configured destination prefix list.
• If you attach an empty prefix-list, all the existing established BFD sessions are torn down. If a destination prefix or prefix range is not present in the prefix-list, it is treated as an implicit deny.
• When a destination prefix is deleted from the prefix-list using the no permit option, the corresponding BFD session is torn down immediately.
Related Configuration Tasks
• Changing IPv6 Static Route Session Parameters
• Disabling BFD for Static Routes
Establishing Sessions for IPv6 Static Routes for Default VRF
Sessions are established for all neighbors that are the next hop of a static route on the default VRF. To establish a BFD session, use the following command.
• Establish BFD sessions for all IPv6 neighbors that are the next hop of a static route.
• Change parameters for all static route sessions. CONFIGURATION mode ipv6 route bfd [vrf vrf-name][prefix-list prefix-list-name] interval milliseconds min_rx milliseconds multiplier value role [active | passive] To view session parameters, use the show bfd neighbors detail command, as shown in the examples in Configure BFD for OSPF When using BFD with OSPF, the OSPF protocol registers with the BFD manager. BFD sessions are established with all neighboring interfaces participating in OSPF.
ip ospf bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive] To view session parameters, use the show bfd neighbors detail command. Establishing Sessions with OSPF Neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 14.
ip ospf bfd all-neighbors
Example of Verifying Sessions with OSPF Neighbors
To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2 2.2.2.1 Te 2/1 Up 200 200 3 O
* 2.2.3.1 2.2.3.
R M V VT - Static Route (RTM) MPLS VRRP Vxlan Tunnel LocalAddr * 10.1.3.2 RemoteAddr 10.1.3.1 Interface State Rx-int Tx-int Mult Clients vlan 10 Up 300 250 3 C show bfd vrf VRF_blue neighbors * Ad Dn B C I O O3 R M V VT - Active session role Admin Down BGP CLI ISIS OSPF OSPFv3 Static Route (RTM) MPLS VRRP Vxlan Tunnel LocalAddr * 5.1.1.1 RemoteAddr 5.1.1.2 Interface Po 30 State Rx-int Tx-int Mult VRF Clients Up 200 200 3 255 O * 6.1.1.1 6.1.1.
TX: 200ms, RX: 200ms, Multiplier: 3 Role: Active Delete session on Down: True VRF: VRF_blue Client Registered: OSPF Uptime: 00:00:15 Statistics: Number of packets received from neighbor: 78 Number of packets sent to neighbor: 78 Number of state changes: 1 Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 4 Session Discriminator: 7 Neighbor Discriminator: 2 Local Addr: 6.1.1.1 Local MAC Addr: 00:a0:c9:00:00:02 Remote Addr: 6.1.1.
1 Enable BFD globally.
2 Establish sessions with OSPFv3 neighbors.
Related Configuration Tasks
• Changing OSPFv3 Session Parameters
• Disabling BFD for OSPFv3
Changing OSPFv3 Session Parameters
Configure BFD sessions with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPFv3 sessions or all OSPFv3 sessions on a particular interface.
The following example shows the configuration to establish sessions with all OSPFv3 neighbors in a specific VRF: ipv6 router ospf 20 vrf vrf1 bfd all-neighbors ! The following example shows the configuration to establish sessions with all OSPFv3 neighbors on a single interface in a specific VRF: interface vlan 102 ip vrf forwarding vrf vrf1 ipv6 ospf bfd all-neighbors The following example shows the show bfd vrf neighbors command output for nondefault VRF: Dell#show * Ad Dn B C I O O3 R M V VT - bfd vrf vr
• Disable BFD sessions with OSPFv3 neighbors on a single interface. INTERFACE mode ipv6 ospf bfd all-neighbors disable Establishing Sessions with OSPFv3 Neighbors You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPFv3 adjacency is in the Full state. To establish BFD with all OSPFv3 neighbors or with OSPFv3 neighbors on a single interface, use the following commands.
Establishing Sessions with IS-IS Neighbors
BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface.
Figure 15. Establishing Sessions with IS-IS Neighbors
To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.
• Establish sessions with all IS-IS neighbors. ROUTER-ISIS mode
  bfd all-neighbors
• Establish sessions with IS-IS neighbors on a single interface.
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2 2.2.2.1 Te 2/1 Up 200 200 3 I
Changing IS-IS Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface.
Prerequisites
Before configuring BFD for BGP, you must first configure the following settings:
1 Configure BGP on the routers that you want to interconnect, as described in Border Gateway Protocol IPv4 (BGPv4).
2 Enable fast fall-over for BGP neighbors to reduce convergence time (the neighbor fall-over command), as described in BGP Fast Fall-Over.
Establishing Sessions with BGP Neighbors
Before configuring BFD for BGP, you must first configure BGP on the routers that you want to interconnect.
BFD notifies BGP of any failure conditions that it detects on the link. Recovery actions are initiated by BGP. BFD for BGP is supported only on directly connected BGP neighbors and only in BGP IPv4 networks. Up to 128 simultaneous BFD sessions are supported. As long as each BFD for BGP neighbor receives a BFD control packet within the configured BFD interval for failure detection, the BFD session remains up and BGP maintains its adjacencies.
bfd enable
2 Specify the AS number and enter ROUTER BGP configuration mode. CONFIGURATION mode
  router bgp as-number
3 Specify the address family as IPv4. CONFIG-ROUTERBGP mode
  address-family ipv4 vrf vrf-name
4 Add an IPv4 BGP neighbor or peer group in a remote AS. CONFIG-ROUTERBGP_ADDRESSFAMILY mode
  neighbor {ip-address | peer-group name} remote-as as-number
5 Enable the BGP neighbor.
neighbor 10.1.1.2 remote-as 2
neighbor 10.1.1.2 no shutdown
neighbor 20::2 remote-as 2
neighbor 20::2 no shutdown
bfd all-neighbors
exit-address-family
!
address-family ipv6 unicast vrf vrf1
neighbor 20::2 activate
exit-address-family
DellEMC(conf-router_bgp)#
Disabling BFD for BGP
You can disable BFD for BGP. To disable a BFD for BGP session with a specified neighbor, use the first command. To remove the disabled state of a BFD for BGP session with a specified neighbor, use the second command.
router bgp 2 neighbor 1.1.1.2 remote-as 1 neighbor 1.1.1.2 no shutdown neighbor 2.2.2.2 remote-as 1 neighbor 2.2.2.2 no shutdown neighbor 3.3.3.2 remote-as 1 neighbor 3.3.3.2 no shutdown bfd all-neighbors The following example shows viewing all BFD neighbors. The following example shows viewing BFD neighbors with full detail. The bold lines show the BFD session parameters: TX (packet transmission), RX (packet reception), and multiplier (maximum number of missed packets).
ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Neighbor is using BGP global mode BFD configuration For address family: IPv4 Unicast BGP table version 0, neighbor version 0 Prefixes accepted 0 (consume 0 bytes), withdrawn 0 by peer, martian prefixes ignored 0 Prefixes advertised 0, denied 0, withdrawn 0 from peer Connections established 1; dropped 0 Last reset never Local host: 2.2.2.3, Local port: 63805 Foreign host: 2.2.2.2, Foreign port: 179 E1200i_ExaScale# R2# show ip bgp neighbors 2.2.2.3 BGP neighbor is 2.
Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 17. Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors, use the following command. • Establish sessions with all VRRP neighbors.
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
V - VRRP
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.5.1 2.2.5.2 Te 4/25 Down 1000 1000 3 V
To view session state information, use the show vrrp command. The following example shows viewing VRRP session state information. The bold line shows the VRRP BFD session.
R1(conf-if-te-4/25)#do show vrrp
-----------------
TenGigabitEthernet 4/1, VRID: 1, Net: 2.2.5.
• Disable all VRRP sessions on an interface. INTERFACE mode
  no vrrp bfd all-neighbors
• Disable all VRRP sessions in a VRRP group. VRRP mode
  bfd disable
• Disable a particular VRRP session on an interface. INTERFACE mode
  no vrrp bfd neighbor ip-address
Configuring Protocol Liveness
Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled. When you disable a client, all BFD sessions for that protocol are torn down.
8 Border Gateway Protocol IPv4 (BGPv4)
This chapter provides a general description of BGPv4 as it is supported in the Dell Networking OS. BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of BGP is to exchange network reachability information with other BGP systems.
IBGP provides routers inside the AS with the knowledge to reach routers external to the AS. EBGP routers exchange information with other EBGP routers as well as IBGP routers to maintain connectivity and accessibility.
Figure 18. Interior BGP
BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol: it records the path that routing updates take as they propagate through the network.
Figure 19. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor. Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies.
State: Description
Idle: BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer.
Connect: In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active: The router resets the ConnectRetry timer to zero and returns to the Connect state.
Figure 20. BGP Router Rules
1 Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D.
2 Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
preferences. BGP sees that the Weight criterion results in two potential “best paths” and moves on to local preference to reduce the options. If several best paths are determined, the selection criteria are applied to each group’s best path to determine the ultimate best path. In non-deterministic mode (when the bgp non-deterministic-med command is applied), paths are compared in the order in which they arrive.
6 Prefer the path with the lowest multi-exit discriminator (MED) attribute. The following criteria apply:
  a This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs are compared only if the first AS in the AS_SEQUENCE is the same for both paths.
  b If you entered the bgp always-compare-med command, MEDs are compared for all paths.
  c Paths with no MED are treated as “worst” and assigned a MED of 4294967295.
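The MED rules in step 6 are easiest to check with a small model. The following code, added here as an example and not code from the Dell guide or the Dell Networking OS, implements a pairwise best-path comparison that carries the page's MED rules exactly (compare only when the first AS matches, compare everything under always-compare-med, and treat a missing MED as 4294967295) and, going beyond the single step shown above, surrounds them with the usual BGP decision steps (weight, local preference, locally originated, AS path length, origin, then eBGP over iBGP, IGP cost, lowest router ID). The exact ordering of those surrounding steps is assumed from common BGP practice rather than taken from this page. Paths are reduced in arrival order, which mirrors the non-deterministic comparison described above; the Path fields and sample routes are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

MISSING_MED = 4294967295              # value the page assigns to paths without a MED
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    prefix: str
    next_hop: str
    as_path: List[int]
    weight: int = 0
    local_pref: int = 100
    origin: str = "igp"
    med: Optional[int] = None         # None models "no MED attribute"
    ebgp: bool = True
    igp_cost: int = 0
    router_id: str = "0.0.0.0"
    locally_originated: bool = False


def first_as(p: Path) -> Optional[int]:
    """Neighboring AS: first entry of the AS_SEQUENCE, None for locally originated routes."""
    return p.as_path[0] if p.as_path else None


def effective_med(p: Path) -> int:
    return MISSING_MED if p.med is None else p.med


def _ip_key(router_id: str):
    return tuple(int(octet) for octet in router_id.split("."))


def prefer(a: Path, b: Path, always_compare_med: bool = False) -> bool:
    """Return True when path a beats path b; False on a tie (the incumbent stays)."""
    if a.weight != b.weight:
        return a.weight > b.weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if a.locally_originated != b.locally_originated:
        return a.locally_originated
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin]
    # Step 6 from the page: MED only matters between paths via the same first AS,
    # unless always-compare-med is set; absent MEDs count as worst.
    if always_compare_med or first_as(a) == first_as(b):
        if effective_med(a) != effective_med(b):
            return effective_med(a) < effective_med(b)
    if a.ebgp != b.ebgp:
        return a.ebgp
    if a.igp_cost != b.igp_cost:
        return a.igp_cost < b.igp_cost
    return _ip_key(a.router_id) < _ip_key(b.router_id)


def select_best(paths: List[Path], always_compare_med: bool = False) -> Path:
    """Non-deterministic-style selection: compare candidates in arrival order."""
    if not paths:
        raise ValueError("no candidate paths")
    best = paths[0]
    for candidate in paths[1:]:
        if prefer(candidate, best, always_compare_med):
            best = candidate
    return best


# Constructed sample paths for one prefix, all learned via eBGP.
P_SAME_AS_MED50 = Path("10.0.0.0/24", "192.0.2.1", [64500, 64510], med=50, router_id="10.0.0.1")
P_SAME_AS_MED10 = Path("10.0.0.0/24", "192.0.2.2", [64500, 64520], med=10, router_id="10.0.0.2")
P_OTHER_AS_MED5 = Path("10.0.0.0/24", "192.0.2.3", [64600, 64510], med=5, router_id="10.0.0.3")
P_SAME_AS_NO_MED = Path("10.0.0.0/24", "192.0.2.4", [64500, 64530], med=None, router_id="10.0.0.0")
```

Two things worth noticing in the sample: the path with MED 5 through AS 64600 loses to the MED 50 path through AS 64500 unless always-compare-med is on, because MEDs from different neighboring ASs are not comparable by default; and the path with no MED loses to the MED 10 path even though it has the lowest router ID, because a missing MED is scored as 4294967295 before the router-ID tiebreak is ever reached.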
Figure 22. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 23. Multi-Exit Discriminators
Origin
The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
Origin Type: Description
IGP: Indicates the prefix originated from information learned through an interior gateway protocol.
EGP: Indicates the prefix originated from information learned from an EGP protocol, which BGP replaced.
INCOMPLETE: Indicates that the prefix originated from an unknown source.
Example of Viewing AS Paths Dell#show ip bgp paths Total 30655 Paths Address Hash Refcount Metric 0x4014154 0 3 18508 0x4013914 0 3 18508 0x5166d6c 0 3 18508 0x5e62df4 0 2 18508 0x3a1814c 0 26 18508 0x567ea9c 0 75 18508 0x6cc1294 0 2 18508 0x6cc18d4 0 1 18508 0x5982e44 0 162 18508 0x67d4a14 0 2 18508 0x559972c 0 31 18508 0x59cd3b4 0 2 18508 0x7128114 0 10 18508 0x536a914 0 3 18508 0x2ffe884 0 1 18508 Path 701 3549 19421 i 701 7018 14990 i 209 4637 1221 9249 9249 i 701 17302 i 209 22291 i 209 3356 2529 i 20
Advertise IGP Cost as MED for Redistributed Routes When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as MED value. Use the set metric-type internal command in a route-map to advertise the IGP cost as the MED to outbound EBGP peers when redistributing routes.
Traditional Format   DOT Format
65001                0.65501
65536                1.0
100000               1.34464
4294967295           65535.65535
When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte identified routers. You cannot mix them. Configure 4-byte AS numbers with the four-octet-support command.
AS4 Number Representation
Multiple representations of 4-byte AS numbers (asplain, asdot+, and asdot) are supported.
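The three notations are simple arithmetic on the 32-bit AS number: asdot+ always writes the high and low 16 bits as high.low, asdot does so only for values above 65535, and asplain is the plain integer. The following converter is added here as an example (it is not Dell code) so that a value seen in one notation in a show output or a peer's configuration can be checked against the other notations; it also flags a set of AS numbers that needs four-octet support, since the guide says 2-byte and 4-byte routers cannot be mixed in a confederation. Input validation rejects components outside 0..65535 and values outside the 32-bit range.

```python
from typing import Iterable, Union

AS_MAX = 4294967295      # largest 4-byte AS number (65535.65535 in dotted form)
TWO_BYTE_MAX = 65535


def _check_range(asn: int) -> None:
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"AS number {asn} is outside 0..{AS_MAX}")


def to_asdot_plus(asn: int) -> str:
    """asdot+: always high.low, e.g. 65536 -> '1.0', 65001 -> '0.65001'."""
    _check_range(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def to_asdot(asn: int) -> str:
    """asdot: plain for 2-byte values, dotted only above 65535."""
    _check_range(asn)
    return str(asn) if asn <= TWO_BYTE_MAX else to_asdot_plus(asn)


def to_asplain(text: str) -> int:
    """Parse any of the three notations back to the integer AS number."""
    text = text.strip()
    if "." in text:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"dotted AS {text!r} has a component outside 0..65535")
        asn = (high << 16) | low
    else:
        asn = int(text)
    _check_range(asn)
    return asn


def requires_four_octet_support(asns: Iterable[Union[int, str]]) -> bool:
    """True when any member (in any notation) is a 4-byte-only AS number, meaning
    every router in the confederation must be configured for four-octet support."""
    return any(to_asplain(str(a)) > TWO_BYTE_MAX for a in asns)
```

A quick consistency check against the table: 100000 is 1.34464 because 100000 = 1 × 65536 + 34464, and the dotted maximum 65535.65535 is exactly 4294967295.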
ASDOT+ Dell(conf-router_bgp)#bgp asnotation asdot+ Dell(conf-router_bgp)#show conf ! router bgp 100 bgp asnotation asdot+ bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057
Figure 24. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances support for the BGP management information base (MIB) with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website. NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
• Carrying MPLS labels in BGP is not supported. The f10BgpM2NlriOpaqueType and f10BgpM2NlriOpaquePointer fields are set to zero.
• 4-byte ASN is supported. The f10BgpM2AsPath4byteEntry table contains 4-byte ASN-related parameters based on the configuration.
Traps (notifications) specified in the BGP4 MIB draft are not supported. Such traps (bgpM2Established and bgpM2BackwardTransition) are supported as part of RFC 1657.
Item: Default
internal distance = 200
local distance = 200
Timers: keepalive = 60 seconds; holdtime = 180 seconds
Add-path: Disabled
Enabling BGP
By default, BGP is not enabled on the system. The Dell Networking OS supports one autonomous system (AS) and assigns the AS number (ASN). To establish BGP sessions and route traffic, configure at least one BGP neighbor or peer. In BGP, routers with an established TCP connection are called neighbors or peers.
CONFIG-ROUTER-BGP mode
address-family {ipv4 | ipv6}
Use this command to enter BGP for IPv6 mode (CONF-ROUTER_BGPv6_AF).
2 Add a neighbor as a remote AS. CONFIG-ROUTER-BGP mode
  neighbor {ip-address | peer-group name} remote-as as-number
  Formats:
  • IP Address A.B.C.D
  • peer-group name: 16 characters
  • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format)
  You must configure a peer group (see Configure Peer Groups) before assigning it a remote AS.
3 Enable the BGP neighbor.
10.10.32.3 100.10.92.9 192.168.10.1 192.168.12.2 R2# 65123 65192 65123 65123 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 never never never never Active Active Active Active For the router’s identifier, the system uses the highest IP address of the Loopback interfaces configured. Because Loopback interfaces are virtual, they cannot go down, thus preventing changes in the router ID. If you do not configure Loopback interfaces, the highest IP address of any interface is used as the router ID.
The following example shows verifying the BGP configuration. R2#show running-config bgp ! router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list ISP1in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 no shutdown neighbor 192.
bgp asnotation asdot+ Examples of the bgp asnotation Commands The following example shows the bgp asnotation asplain command. Dell(conf-router_bgp)#bgp asnotation asplain Dell(conf-router_bgp)#sho conf ! router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 remote-as 18508 neighbor 172.30.1.250 local-as 65057 neighbor 172.30.1.250 route-map rmap1 in neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957 neighbor 172.30.1.
neighbor peer-group-name peer-group
2 Enable the peer group. CONFIG-ROUTERBGP mode
  neighbor peer-group-name no shutdown
  By default, all peer groups are disabled.
3 Create a BGP neighbor. CONFIG-ROUTERBGP mode
  neighbor ip-address remote-as as-number
4 Enable the neighbor. CONFIG-ROUTERBGP mode
  neighbor ip-address no shutdown
5 Add an enabled neighbor to the peer group. CONFIG-ROUTERBGP mode
  neighbor ip-address peer-group peer-group-name
6 Add a neighbor as a remote AS.
NOTE: When you configure a new set of BGP policies for a peer group, always reset the peer group by entering the clear ip bgp peer-group peer-group-name command in EXEC Privilege mode. To view the configuration, use the show config command in CONFIGURATION ROUTER BGP mode. When you create a peer group, it is disabled (shutdown). The following example shows the creation of a peer group (zanzibar) (in bold).
10.68.173.1 10.68.174.1 10.68.175.1 10.68.176.1 10.68.177.1 10.68.178.1 10.68.179.1 10.68.180.1 10.68.181.1 10.68.182.1 10.68.183.1 10.68.184.1 10.68.185.1 Dell> Configuring BGP Fast Fail-Over By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fail-over feature reduces the convergence time while maintaining stability.
MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) fail-over enabled Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 52, neighbor version 52 4 accepted prefixes consume 16 bytes Prefix advertised 0, denied 0, withdrawn 0 Connections established 6; dropped 5 Last reset 00:19:37, due to Reset by peer Notification History 'Connection Reset' Sent : 5 Recv: 0 Local host: 200.200.200.
You can constrain the number of passive sessions accepted by the neighbor. The limit keyword allows you to set the total number of sessions the neighbor will accept, between 2 and 265. The default is 256 sessions.
1 Configure a peer group that does not initiate TCP connections with other peers. CONFIG-ROUTER-BGP mode
  neighbor peer-group-name peer-group passive limit
  Enter the limit keyword to restrict the number of sessions accepted.
2 Assign a subnet to the peer group.
bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 local-as 6500 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.
neighbor 192.168.10.1 update-source Loopback 0 neighbor 192.168.10.1 no shutdown neighbor 192.168.12.2 remote-as 65123 neighbor 192.168.12.2 allowas-in 9 neighbor 192.168.12.2 update-source Loopback 0 neighbor 192.168.12.2 no shutdown R2(conf-router_bgp)#R2(conf-router_bgp)# Enabling Neighbor Graceful Restart BGP graceful restart is active only when the neighbor becomes established. Otherwise, it is disabled. Graceful-restart applies to all neighbors with established adjacency.
ip as-path access-list as-path-name
2 Enter the parameter to match BGP AS-PATH for filtering. CONFIG-AS-PATH mode
  {deny | permit} filter parameter
  This is the filter that is used to match the AS-path. The entries can be any format: letters, numbers, or regular expressions. You can enter this command multiple times if multiple filters are desired. For accepted expressions, refer to Regular Expressions as Filters.
3 Return to CONFIGURATION mode. AS-PATH ACL mode
  exit
4 Enter ROUTER BGP mode.
Regular Expressions as Filters
Regular expressions are used to filter AS paths or community lists. A regular expression is a sequence of characters, including special characters, that defines a pattern which is then compared with an input string. For an AS-path access list, as shown in the previous commands, if the AS path matches the regular expression in the access list, the route matches the access list. The following lists the regular expressions accepted in the Dell Networking OS.
Dell(config-as-path)#ex
Dell(conf)#router bgp 99
Dell(conf-router_bgp)#neighbor AAA filter-list Eagle in
Dell(conf-router_bgp)#show conf
!
router bgp 99
neighbor AAA peer-group
neighbor AAA filter-list Eagle in
neighbor AAA no shutdown
neighbor 10.155.15.2 remote-as 32
neighbor 10.155.15.2 filter-list 1 in
neighbor 10.155.15.
Enabling Additional Paths
The add-path feature is disabled by default.
NOTE: Dell Networking recommends not using multipath and add path simultaneously in a route reflector.
To allow multiple paths sent to peers, use the following commands.
1 Allow the advertisement of multiple paths for the same address prefix without the new paths replacing any previous ones. CONFIG-ROUTER-BGP mode
  bgp add-path {send | both} path-count count
  bgp add-path receive
  The range is from 2 to 64.
• local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED.
• no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE.
• no-export: routes with the COMMUNITY attribute of NO_EXPORT.
• quote-regexp: then any number of regular expressions. The software applies all regular expressions in the list.
• regexp: then a regular expression.
deny 701:20
deny 702:20
deny 703:20
deny 704:20
deny 705:20
deny 14551:20
deny 701:112
deny 702:112
deny 703:112
deny 704:112
deny 705:112
deny 14551:112
deny 701:667
deny 702:667
deny 703:667
deny 704:666
deny 705:666
deny 14551:666
Dell#
Filtering Routes with Community Lists
To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group.
Manipulating the COMMUNITY Attribute In addition to permitting or denying routes based on the values of the COMMUNITY attributes, you can manipulate the COMMUNITY attribute value and send the COMMUNITY attribute with the route information. By default, the system does not send the COMMUNITY attribute. To send the COMMUNITY attribute to BGP neighbors, use the following command. • Enable the software to send the router’s COMMUNITY attribute to the BGP neighbor or peer group specified.
Example of the show ip bgp community Command To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode. To view BGP routes matching a certain community number or a pre-defined BGP community, use the show ip bgp community command in EXEC Privilege mode. Dell>show ip bgp community BGP table version is 3762622, local router ID is 10.114.8.
• Change the LOCAL_PREF value. CONFIG-ROUTER-BGP mode
  bgp default local-preference value
  – value: the range is from 0 to 4294967295. The default is 100.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
A more flexible method for manipulating the LOCAL_PREF attribute value is to use a route map.
1 Enter the ROUTE-MAP mode and assign a name to a route map.
• If you do not use the all keyword, the next hop of only eBGP-learned routes is updated by the route reflector. If you use the all keyword, the next hop of both eBGP- and iBGP-learned routes is updated by the route reflector.
• Set the next hop address. CONFIG-ROUTE-MAP mode
  set next-hop ip-address
  If the set next-hop command is applied on the out-bound interface using a route map, it takes precedence over the neighbor next-hop-self command.
NOTE: The system supports up to 255 characters in a set community statement inside a route map. NOTE: You can create inbound and outbound policies. Each of the commands used for filtering has in and out parameters that you must apply. The order of preference varies depending on whether the attributes are applied for inbound updates or outbound updates.
• If none of the routes match any of the filters in the prefix list, the route is denied. This action is called an implicit deny. (If you want to forward all routes that do not match the prefix list criteria, you must configure a prefix list filter to permit all routes. For example, you could have the following filter as the last filter in your prefix list: permit 0.0.0.0/0 le 32.)
• After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route.
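The two rules above (first match wins, no match is an implicit deny) together with the ge/le length qualifiers decide what a prefix list does to a route. The following evaluator, added here as an example and not code from the Dell guide, implements that logic with the standard library ipaddress module: a route matches an entry when it lies inside the entry's network and its prefix length falls in the range the entry allows (exactly the entry length when neither ge nor le is given, ge..le otherwise, with le defaulting to the address length when only ge is given). The entries and routes are constructed for the example; the catch-all permit 0.0.0.0/0 le 32 from the text is included so its effect can be compared with the implicit deny.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

# One prefix-list entry: (action, network, ge, le); ge/le are None when omitted.
Entry = Tuple[str, str, Optional[int], Optional[int]]


def entry_matches(entry: Entry, route: str) -> bool:
    """Does this entry's network and length range cover the route prefix?"""
    _action, network, ge, le = entry
    net = ipaddress.ip_network(network, strict=False)
    rt = ipaddress.ip_network(route, strict=False)
    if rt.version != net.version or not rt.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    if le is not None:
        high = le
    elif ge is not None:
        high = rt.max_prefixlen          # only ge given: up to a host route
    else:
        high = net.prefixlen             # neither given: exact length only
    return low <= rt.prefixlen <= high


def prefix_list_permits(entries: Sequence[Entry], route: str) -> bool:
    """First matching entry decides; falling off the end is the implicit deny."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry[0] == "permit"
    return False


def apply_prefix_list(entries: Sequence[Entry], routes: Sequence[str]) -> List[str]:
    return [r for r in routes if prefix_list_permits(entries, r)]


# Constructed example: refuse long prefixes inside 10/8, accept the rest of
# 10/8 up to /24, then the catch-all permit from the text.
WITH_CATCH_ALL: List[Entry] = [
    ("deny", "10.0.0.0/8", 25, 32),
    ("permit", "10.0.0.0/8", None, 24),
    ("permit", "0.0.0.0/0", None, 32),
]
# Same list without the catch-all, so everything outside 10/8 hits the implicit deny.
WITHOUT_CATCH_ALL: List[Entry] = WITH_CATCH_ALL[:2]

SAMPLE_ROUTES = ["10.0.0.0/8", "10.1.0.0/16", "10.1.2.0/25", "192.0.2.0/24", "172.16.5.0/24"]
```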
ip as-path access-list as-path-name
2 Create an AS-PATH ACL filter with a deny or permit action. AS-PATH ACL mode
  {deny | permit} as-regular-expression
3 Return to CONFIGURATION mode. AS-PATH ACL mode
  exit
4 Enter ROUTER BGP mode. CONFIGURATION mode
  router bgp as-number
5 Filter routes based on the criteria in the configured route map.
To view a route reflector configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp in EXEC Privilege mode. Aggregating Routes The system provides multiple ways to aggregate routes in the BGP routing table. At least one specific route of the aggregate must be in the routing table for the configured aggregate to become active. To aggregate routes, use the following command.
To view the configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
Enabling Route Flap Dampening
When EBGP routes become unavailable, they “flap” and the router issues both WITHDRAWN and UPDATE notices. A flap is when a route:
• is withdrawn
• is readvertised after being withdrawn
• has an attribute change
The constant router reaction to the WITHDRAWN and UPDATE notices causes instability in the BGP process.
  – reuse: the range is from 1 to 20000. This number is compared to the flapping route's Penalty value. If the Penalty value is less than the reuse value, the flapping route is once again advertised (or no longer suppressed). The default is 750.
  – suppress: the range is from 1 to 20000. This number is compared to the flapping route's Penalty value. If the Penalty value is greater than the suppress value, the flapping route is no longer advertised (that is, it is suppressed). The default is 2000.
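The interplay of the reuse and suppress limits with a decaying penalty is clearer when simulated. The following is an added, constructed model of route-flap dampening; it is not Dell Networking OS code. The reuse (750) and suppress (2000) defaults and their 1 to 20000 ranges are the values given above; the half-life of 15 minutes, the per-flap penalty of 1000 and the maximum suppress time of 60 minutes are assumptions of this model, not values taken from the C9010 documentation.

```python
"""Added example: a constructed model of BGP route-flap dampening.  Each flap
adds a penalty, the penalty decays exponentially with a half-life, the route
is suppressed once the penalty exceeds `suppress` and is advertised again once
decay brings it below `reuse`.  Not Dell Networking OS code."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DampeningPolicy:
    reuse: int = 750                # default from the text; range 1..20000
    suppress: int = 2000            # default from the text; range 1..20000
    half_life_min: float = 15.0     # assumption for this model
    max_suppress_min: float = 60.0  # assumption for this model
    flap_penalty: int = 1000        # assumption: penalty added per flap

    def __post_init__(self) -> None:
        for name in ("reuse", "suppress"):
            if not 1 <= getattr(self, name) <= 20000:
                raise ValueError(f"{name} must be in the range 1 to 20000")
        if self.reuse >= self.suppress:
            raise ValueError("reuse must be lower than suppress")

    def ceiling(self) -> float:
        # Largest penalty that still decays to `reuse` within max_suppress_min,
        # so a route is never suppressed longer than the maximum suppress time.
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


@dataclass
class RouteState:
    penalty: float = 0.0
    suppressed: bool = False
    last_update_min: float = 0.0


def _decay(state: RouteState, policy: DampeningPolicy, now_min: float) -> None:
    elapsed = now_min - state.last_update_min
    state.penalty *= 0.5 ** (elapsed / policy.half_life_min)
    state.last_update_min = now_min


def flap(state: RouteState, policy: DampeningPolicy, now_min: float) -> bool:
    """A withdraw, re-advertisement or attribute change; returns suppressed?"""
    _decay(state, policy, now_min)
    state.penalty = min(state.penalty + policy.flap_penalty, policy.ceiling())
    if state.penalty > policy.suppress:
        state.suppressed = True
    return state.suppressed


def reevaluate(state: RouteState, policy: DampeningPolicy, now_min: float) -> bool:
    """Periodic check: a suppressed route is reused once penalty < reuse."""
    _decay(state, policy, now_min)
    if state.suppressed and state.penalty < policy.reuse:
        state.suppressed = False
    return state.suppressed


def simulate(flap_times: List[float], check_times: List[float],
             policy: DampeningPolicy = DampeningPolicy()) -> List[Tuple[float, str, int, bool]]:
    """Returns (time_min, event, rounded penalty, suppressed) for every event."""
    state = RouteState()
    events = sorted([(t, "flap") for t in flap_times] + [(t, "check") for t in check_times])
    timeline = []
    for t, kind in events:
        suppressed = flap(state, policy, t) if kind == "flap" else reevaluate(state, policy, t)
        timeline.append((t, kind, round(state.penalty), suppressed))
    return timeline


if __name__ == "__main__":
    # Three flaps in two minutes push the penalty past 2000 and suppress the
    # route; it is reused only once the penalty has decayed below 750.
    for row in simulate([0, 1, 2], [30, 40]):
        print(row)
```

With these assumed timers, two flaps leave the route advertised, a third flap within two minutes suppresses it, and the route is still suppressed at minute 30 (penalty just above 750) but reused by minute 40.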
BGP table version is 855562, main routing table version 780266
122836 network entrie(s) and 221664 paths using 29697640 bytes of memory
34298 BGP path attribute entrie(s) using 1920688 bytes of memory
29577 BGP AS-PATH entrie(s) using 1384403 bytes of memory
184 BGP community entrie(s) using 7616 bytes of memory
Dampening enabled. 0 history paths, 0 dampened paths, 0 penalized paths

Neighbor        AS      MsgRcvd  MsgSent  TblVer
10.114.8.34     18508   82883    79977    780266
10.114.8.
To reset a BGP connection using BGP soft reconfiguration, use the clear ip bgp command in EXEC Privilege mode at the system prompt. When you enable soft-reconfiguration for a neighbor and execute the clear ip bgp soft in command, the update database stored in the router is replayed and updates are re-evaluated. With this command, the replay and update process is triggered only if a route-refresh request is not negotiated with the peer.
2 In ROUTER BGP mode, enter the following command. ROUTER BGP mode
  shutdown all
You can use the no shutdown all command in ROUTER BGP mode to re-enable all BGP neighbors. You can also enable or disable the BGP neighbors corresponding to the IPv4 unicast or multicast groups and the IPv6 unicast groups.
NOTE: This behavior applies to all BGP neighbors. That is, BGP neighbors that were explicitly disabled before the global shutdown also remain in the disabled state. Enable these neighbors individually using the no shutdown command.
Route Map Continue
The BGP route map continue feature, continue [sequence-number] (in ROUTE-MAP mode), allows movement from one route-map entry to a specific route-map entry (the sequence number).
• Exchange of IPv4 multicast route information occurs through the use of two new attributes called MP_REACH_NLRI and MP_UNREACH_NLRI, for feasible and withdrawn routes, respectively.
• If the peer has not been activated in any AFI/SAFI, the peer remains in Idle state.
Most BGP IPv4 unicast commands are extended to support the IPv4 multicast RIB using extra options to the command. For a detailed description of the MBGP commands, refer to the Dell Networking OS Command Line Interface Reference Guide.
• debug ip bgp dampening [in | out]
View information about local BGP state changes and other BGP events. EXEC Privilege mode
• debug ip bgp [ip-address | peer-group peer-group-name] events [in | out]
View information about BGP KEEPALIVE messages. EXEC Privilege mode
• debug ip bgp [ip-address | peer-group peer-group-name] keepalive [in | out]
View information about BGP notifications received from or sent to neighbors.
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)

For address family: IPv4 Unicast
BGP table version 1395, neighbor version 1394
Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by peer
Prefixes advertised 0, rejected 0, 0 withdrawn from peer
Connections established 3; droppe
PDU[2] : len 19, captured 00:34:51 ago
  ffffffff ffffffff ffffffff ffffffff 00130400
PDU[3] : len 19, captured 00:34:51 ago
  ffffffff ffffffff ffffffff ffffffff 00130400
PDU[4] : len 19, captured 00:34:22 ago
  ffffffff ffffffff ffffffff ffffffff 00130400
[. . .]
Outgoing packet capture enabled for BGP neighbor 20.20.20.
Figure 25. Sample Configurations
Example of Enabling BGP (Router 1)
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.1/24
 no shutdown
R1(conf-if-lo-0)#int tengig 1/21
R1(conf-if-te-1/21)#ip address 10.0.1.21/24
R1(conf-if-te-1/21)#no shutdown
R1(conf-if-te-1/21)#show config
!
interface TenGigabitEthernet 1/21
 ip address 10.0.1.
R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0
R1(conf-router_bgp)#neighbor 192.168.128.3 remote 100
R1(conf-router_bgp)#neighbor 192.168.128.3 no shut
R1(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0
R1(conf-router_bgp)#show config
!
router bgp 99
 network 192.168.128.0/24
 neighbor 192.168.128.2 remote-as 99
 neighbor 192.168.128.2 update-source Loopback 0
 neighbor 192.168.128.2 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.
router bgp 99
 bgp router-id 192.168.128.2
 network 192.168.128.0/24
 bgp graceful-restart
 neighbor 192.168.128.1 remote-as 99
 neighbor 192.168.128.1 update-source Loopback 0
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.3 update-source Loopback 0
 neighbor 192.168.128.3 no shutdown
R2(conf-router_bgp)#end
R2#show ip bgp summary
BGP router identifier 192.168.128.
!
router bgp 100
 network 192.168.128.0/24
 neighbor 192.168.128.1 remote-as 99
 neighbor 192.168.128.1 update-source Loopback 0
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.2 remote-as 99
 neighbor 192.168.128.2 update-source Loopback 0
 neighbor 192.168.128.2 no shutdown
R3(conf)#end
R3#show ip bgp summary
BGP router identifier 192.168.128.
Member of peer-group AAA for session parameters
BGP version 4, remote router ID 192.168.128.
Example of Enabling Peer Groups (Router 2)
R2#conf
R2(conf)#router bgp 99
R2(conf-router_bgp)# neighbor CCC peer-group
R2(conf-router_bgp)# neighbor CC no shutdown
R2(conf-router_bgp)# neighbor BBB peer-group
R2(conf-router_bgp)# neighbor BBB no shutdown
R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
R2(conf-router_bgp)# neighbor 192.168.128.
R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.1 no shutdown
R3(conf-router_bgp)#
R3(conf-router_bgp)#end
R3#show ip bgp summary
BGP router identifier 192.168.128.
BGP table version 2, neighbor version 2
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer
Connections established 6; dropped 5
Last reset 00:12:01, due to Closed by neighbor
Notification History
  'HOLD error/Timer expired' Sent : 1 Recv: 0
  'Connection Reset' Sent : 2 Recv: 2
Last notification (len 21) received 00:12:01 ago
  ffffffff ffffffff ffffffff ffffffff 00150306 00000000
Local host: 192.168.128.2, Local port: 65464
Foreign host: 192.168.
9 Content Addressable Memory (CAM) CAM is a type of memory that stores information in the form of a lookup table. On the switch, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies. On a line card, there are one or two CAM (Dual-CAM) modules per port-pipe.
  L2PT     : 0
  IpMacAcl : 0
  VmanQos  : 0
  EcfmAcl  : 0
  Openflow : 0
-- linecard 1 --
Current Settings(in block sizes)
1 block = 256 entries
  L2Acl    : 5
  Ipv4Acl  : 4
  Ipv6Acl  : 0
  Ipv4Qos  : 2
  L2Qos    : 1
  L2PT     : 0
  IpMacAcl : 0
  VmanQos  : 0
  EcfmAcl  : 0
  Openflow : 0
-- linecard 2 --
Current Settings(in block sizes)
1 block = 256 entries
  L2Acl    : 5
  Ipv4Acl  : 4
  Ipv6Acl  : 0
  Ipv4Qos  : 2
  L2Qos    : 1
  L2PT     : 0
  IpMacAcl : 0
  VmanQos  : 0
  EcfmAcl  : 0
  Openflow : 0
The ipv6acl and vman-dual-qos allocations must be entered in multiples of 2 (2, 4
  reload
Test CAM Usage
The test cam-usage command applies to both IPv4 and IPv6 CAM profiles, but is most useful when verifying QoS optimization for IPv6 ACLs. Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy. Create a class map with all required ACL rules, then execute the test cam-usage command in EXEC Privilege mode to verify the actual CAM space required. The Status column in the command output indicates whether or not the policy can be enabled.
  L2Acl    : 6
  Ipv4Acl  : 4
  Ipv6Acl  : 0
  Ipv4Qos  : 2
  L2Qos    : 1
  L2PT     : 0
  IpMacAcl : 0
  VmanQos  : 0
  EcfmAcl  : 0
  Openflow : 0
-- linecard 2 --
Current Settings(in block sizes)
1 block = 256 entries
  L2Acl    : 6
  Ipv4Acl  : 4
  Ipv6Acl  : 0
  Ipv4Qos  : 2
  L2Qos    : 1
  L2PT     : 0
  IpMacAcl : 0
  VmanQos  : 0
  EcfmAcl  : 0
  Openflow : 0
View CAM Usage
View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions) using the show cam-usage command from EXEC Privilege mode.
You can assign a CAM threshold value using the cam-threshold command to receive syslog messages when CAM usage reaches the configured threshold. The configured CAM threshold is a value specific to the FP, based on CAM features such as ingress and egress L2, IPv4, and IPv6. The system checks the CAM usage of the features against the set threshold and displays a syslog message that contains the CAM region, slot/port-pipe, and pipeline information. By default, a syslog warning appears when CAM usage reaches 90 percent.
90 95 91 DellEMC(conf)#Nov 5 19:55:12 %S6000:0 %ACL_AGENT-4ACL_AGENT_CAM_USAGE_BELOW_THE_THRESHOLD: The cam-usage of Ipv4Acl cam region on stack-unit 0 Portpipe 0 Pipeline 0 is below 95%.
98 100 100 No syslog
95 80 10 No syslog
92 90 89 No syslog
Return to the Default CAM Configuration
Return to the default CAM profile, microcode, IPv4Flow, or Layer 2 ACL configuration using the keyword default from EXEC Privilege mode or CONFIGURATION mode, as shown in the following example.
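An ACL CAM region that fills up can no longer accept new ACL or QoS entries, so the threshold syslog above is worth feeding into monitoring rather than just reading on the console. The following is an added, constructed monitor for that message; it is not Dell Networking OS code. The BELOW line in the sample log is the one quoted above; the ABOVE form, the exact severity/mnemonic layout and the non-CAM line are assumptions of this example, constructed to exercise the parser.

```python
"""Added example: a constructed monitor for ACL_AGENT CAM-usage threshold
syslog messages.  It keys each CAM region by stack-unit/port-pipe/pipeline and
keeps an alert open while a region is reported above its threshold.
Not Dell Networking OS code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Tolerates both "%ACL_AGENT-4-ACL_AGENT_..." and the "-4ACL_AGENT_" form shown in the text.
CAM_MSG_RE = re.compile(
    r"%ACL_AGENT-(?P<sev>\d)-?ACL_AGENT_CAM_USAGE_(?P<dir>ABOVE|BELOW)_THE_THRESHOLD:\s*"
    r"The cam-usage of (?P<region>\S+) cam region on stack-unit (?P<unit>\d+) "
    r"Portpipe (?P<pipe>\d+) Pipeline (?P<pipeline>\d+) is (?:above|below) (?P<pct>\d+)%")


@dataclass(frozen=True)
class CamEvent:
    severity: int
    direction: str          # "ABOVE" or "BELOW"
    region: str             # e.g. "Ipv4Acl"
    unit: int
    portpipe: int
    pipeline: int
    threshold_pct: int

    @property
    def key(self) -> Tuple[str, int, int, int]:
        return (self.region, self.unit, self.portpipe, self.pipeline)


def parse_cam_event(line: str) -> Optional[CamEvent]:
    """Return the parsed event, or None for any other syslog line."""
    m = CAM_MSG_RE.search(line)
    if not m:
        return None
    return CamEvent(int(m["sev"]), m["dir"], m["region"], int(m["unit"]),
                    int(m["pipe"]), int(m["pipeline"]), int(m["pct"]))


class CamUsageMonitor:
    """Tracks which CAM regions are currently above threshold."""

    def __init__(self) -> None:
        self.open_alerts: Dict[Tuple[str, int, int, int], CamEvent] = {}
        self.log: List[str] = []

    def feed(self, line: str) -> Optional[str]:
        ev = parse_cam_event(line)
        if ev is None:
            return None
        where = f"{ev.region} unit {ev.unit} portpipe {ev.portpipe} pipeline {ev.pipeline}"
        if ev.direction == "ABOVE":
            if ev.key not in self.open_alerts:
                self.open_alerts[ev.key] = ev       # new condition: raise an alert
                msg = f"ALERT {where} above {ev.threshold_pct}%"
            else:
                msg = f"STILL-ABOVE {where}"        # repeat: do not re-alert
        elif self.open_alerts.pop(ev.key, None) is not None:
            msg = f"CLEARED {where} below {ev.threshold_pct}%"
        else:
            msg = f"INFO {where} below {ev.threshold_pct}% (no open alert)"
        self.log.append(msg)
        return msg


# Constructed log: the BELOW line is the one quoted in the text; the ABOVE lines
# are assumed to follow the same layout; the last line is unrelated noise.
SAMPLE_LOG = [
    "Nov 5 19:50:02 %S6000:0 %ACL_AGENT-4-ACL_AGENT_CAM_USAGE_ABOVE_THE_THRESHOLD: The cam-usage of Ipv4Acl cam region on stack-unit 0 Portpipe 0 Pipeline 0 is above 95%.",
    "Nov 5 19:51:10 %S6000:0 %ACL_AGENT-4-ACL_AGENT_CAM_USAGE_ABOVE_THE_THRESHOLD: The cam-usage of Ipv4Acl cam region on stack-unit 0 Portpipe 0 Pipeline 0 is above 95%.",
    "Nov 5 19:55:12 %S6000:0 %ACL_AGENT-4ACL_AGENT_CAM_USAGE_BELOW_THE_THRESHOLD: The cam-usage of Ipv4Acl cam region on stack-unit 0 Portpipe 0 Pipeline 0 is below 95%.",
    "Nov 5 19:56:00 %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console",
]


def run_monitor(lines: List[str]) -> CamUsageMonitor:
    mon = CamUsageMonitor()
    for line in lines:
        mon.feed(line)
    return mon


if __name__ == "__main__":
    for entry in run_monitor(SAMPLE_LOG).log:
        print(entry)
```

The monitor alerts once per region rather than on every repeated ABOVE message, and only clears when the matching BELOW message arrives for the same region, stack-unit, port-pipe and pipeline.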
• When an IP header is present, hashing is based on the IP 3-tuple (source IP address, destination IP address, and IP protocol).
• If an IP header is not found after the fifth label, hashing is based on the MPLS labels.
• If the packet has more than five MPLS labels, hashing is based on the source and destination MAC address.
To enable this type of hashing, use the default CAM profile with the microcode lag-hash-mpls.
Dell(conf)#
Dell(conf)#end
Dell#01:13:44: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console
Dell#
2 Display the hardware forwarding table mode in the current boot and in the next boot.
10 Control Plane Policing (CoPP) Control plane policing (CoPP) protects the switch’s routing, control, and line-card processors from undesired or malicious traffic and Denial of Service (DoS) attacks by filtering control-plane flows. CoPP uses a dedicated control-plane service policy that consists of ACLs and QoS policies, which provide filtering and rate-limiting capabilities for control-plane packets.
• Queues 14 to 20 process packets destined to the line-card CPU.
15  LP/LM  —                                       1     100
16  LP/LM  Trace Flow, Station Move, Source Miss   1200  100
17  LP/LM  BFD, ACL LOGGING                        1200  1000
18  LP/LM  —                                       7000  1000
19  LP/LM  FRRP, Hyperpull                         800   7000
20  LP/LM  SFLOW                                   5000  1000
NOTE: In the line-card CPU, some queues have no protocol traffic mapped to them. These rows appear blank in the preceding table.
CoPP Example
The illustrations in this section show the benefit of using CoPP compared to not using CoPP on a switch.
Figure 27. CoPP Versus Non-CoPP Operation
Configure Control Plane Policing
You can create a CoPP service policy on a per-protocol and/or a per-queue basis that serves as the system-wide configuration for filtering and rate limiting control-plane traffic.
Configuring CoPP for Protocols
This section describes how to create a protocol-based CoPP service policy and apply it to control-plane traffic.
  mac access-list extended name cpu-qos
  permit {arp | frrp | gvrp | isis | lacp | lldp | stp}
2 Create a Layer 3 extended ACL for specified protocol traffic. CONFIGURATION mode
  ip access-list extended name cpu-qos
  permit {bgp | dhcp | dhcp-relay | ftp | icmp | igmp | msdp | ntp | ospf | pim | rip | ssh | telnet | vrrp}
3 Create an IPv6 ACL for specified protocol traffic.
Dell(conf-ipv6-acl-cpuqos)#exit
Dell(conf)#ipv6 access-list ipv6-vrrp cpu-qos
Dell(conf-ipv6-acl-cpuqos)#permit vrrp
Dell(conf-ipv6-acl-cpuqos)#exit
Example of Creating a QoS Rate-Limiting Input Policy
Dell(conf)#qos-policy-in rate_limit_200k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 200 40 peak 500 40
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_400k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 400 50 peak 600 50
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#q
  rate-police [rate-kbps] [burst-kbytes] peak [rate-kbps] [burst-kbytes]
2 Create an input policy-map to assign the QoS rate-limit policy to a control-plane queue. CONFIGURATION mode
  policy-map-input name cpu-qos
  service-queue queue-number qos-policy name
On the switch, the range of queue-number values is from 0 to 20.
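What a rate-police line in a cpu-qos policy actually does to a burst of control-plane packets is easier to see in a simulation than in the syntax. The following is an added, constructed two-rate token-bucket policer applied to the rate_limit_200k policy shown in the example above; it is not Dell Networking OS code. The colour rules (green within the committed rate and burst, yellow within the peak rate and burst, red beyond the peak and dropped) follow the two-rate three-colour marker of RFC 2698, and 1 kbyte is taken as 1000 bytes; both are assumptions of this model, not statements from the C9010 documentation, as is the packet stream.

```python
"""Added example: a constructed two-rate token-bucket policer modelling
`rate-police <rate-kbps> <burst-kbytes> peak <rate-kbps> <burst-kbytes>` on a
control-plane queue.  Packets beyond the peak rate are red and dropped before
they reach the CPU.  Not Dell Networking OS code."""
import re
from collections import Counter
from typing import Dict, List, Tuple

RATE_POLICE_RE = re.compile(
    r"^\s*rate-police\s+(\d+)\s+(\d+)\s+peak\s+(\d+)\s+(\d+)\s*$")


def parse_rate_police(line: str) -> Tuple[int, int, int, int]:
    """Parse the CLI line into (rate_kbps, burst_kbytes, peak_kbps, peak_burst_kbytes)."""
    m = RATE_POLICE_RE.match(line)
    if not m:
        raise ValueError(f"not a rate-police line: {line!r}")
    return tuple(int(g) for g in m.groups())


class TwoRatePolicer:
    def __init__(self, rate_kbps: int, burst_kbytes: int,
                 peak_kbps: int, peak_burst_kbytes: int) -> None:
        self.cir = rate_kbps * 1000 / 8          # committed rate, bytes/s
        self.cbs = burst_kbytes * 1000           # committed burst, bytes (1 kB = 1000 B assumed)
        self.pir = peak_kbps * 1000 / 8          # peak rate, bytes/s
        self.pbs = peak_burst_kbytes * 1000      # peak burst, bytes
        self.tc = float(self.cbs)                # committed bucket, starts full
        self.tp = float(self.pbs)                # peak bucket, starts full
        self.last = 0.0

    def police(self, t: float, size: int) -> str:
        """Colour one packet of `size` bytes arriving at time t (seconds)."""
        dt = max(0.0, t - self.last)
        self.last = t
        self.tc = min(self.cbs, self.tc + self.cir * dt)   # refill both buckets
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        if self.tp < size:
            return "red"                         # exceeds peak: drop
        if self.tc < size:
            self.tp -= size
            return "yellow"                      # exceeds committed, within peak
        self.tc -= size
        self.tp -= size
        return "green"


def police_bursts(policer: TwoRatePolicer,
                  bursts: List[Tuple[float, int, int]]) -> List[Dict[str, int]]:
    """bursts = [(arrival_time_s, packet_count, packet_size_bytes), ...];
    returns a green/yellow/red count per burst."""
    results = []
    for t, count, size in bursts:
        colours = Counter(policer.police(t, size) for _ in range(count))
        results.append({c: colours.get(c, 0) for c in ("green", "yellow", "red")})
    return results


if __name__ == "__main__":
    # The rate_limit_200k policy from the text: 200 kbps / 40 kB, peak 500 kbps / 40 kB.
    policer = TwoRatePolicer(*parse_rate_police("rate-police 200 40 peak 500 40"))
    # Constructed traffic: 40 x 1500-byte packets at t=0 and again at t=1 s.
    for row in police_bursts(policer, [(0.0, 40, 1500), (1.0, 40, 1500)]):
        print(row)
```

With equal committed and peak bursts the first flood is split only into green and red (26 packets fit the 40 kB burst, 14 are dropped); one second later the committed bucket has refilled more slowly than the peak bucket, so the second flood yields 17 green, 9 yellow and 14 red. A steady 120 kbps stream stays entirely green.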
Displaying CoPP Configuration
The CLI provides show commands to display the protocol traffic assigned to each control-plane queue and the current rate limit applied to each queue. Other show commands display statistical information for troubleshooting CoPP operation.
Viewing Queue Rates
To view the rates that are currently applied on each control-plane queue, use the show cpu-queue rate [all | queue-id id | range from-queue to-queue] command.
Dell#
Dell#show mac protocol-queue-mapping
Protocol  Destination Mac        EtherType  Queue         EgPort  Rate (kbps)
--------  ---------------------  ---------  ------------  ------  -----------
ARP       any                    0x0806     Q1/Q8/Q2/Q9   CP/RP   100
FRRP      01:01:e8:00:00:10/11   any        Q19           LP      300
LACP      01:80:c2:00:00:02      0x8809     Q13           RP      500
LLDP      any                    0x88cc     Q6            CP      500
GVRP      01:80:c2:00:00:21      any        Q12           RP      200
STP       01:80:c2:00:00:00      any        Q13           RP      150
ISIS      01:80:c2:00:00:14/15   any        Q13           RP      500
          09:00:2b:00:00:04/05   any        Q13           RP      500
Viewing IPv4 Protocol-Queue Mapping
To view the queues to wh
Protocol                  Queue   EgPort  Rate columns (as printed)
FTP                       Q3      CP      400   400   3000  3000
TELNET                    Q3      CP      400   400   2000  2000
SSH                       Q3      CP      400   400   2000  2000
VLT GARP                  Q3/Q10  CP/RP   500   500   3000  3000
VLT CTRL - CP CPU         Q3      CP      2000  2000  3000  3000
VLT CTRL - CP & RP CPU    Q3/Q10  CP/RP   2000  2000  3000  3000
VLT IPM PDU               Q3/Q10  CP/RP   500   500   3000  3000
L3 LOCAL TERMINATED       Q3      CP      400   400   5000  5000
Dell#
Viewing Complete Protocol-Queue Mapping
To view the queues to which all protocol traffic is assigned, use the show protocol-queue-mapping command.
Protocol                     Queue   EgPort  Rate columns (as printed)
FEFD                         Q6      CP      150   150   1000
TRACEFLOW                    Q16     LP      200   200   500
FCoE                         Q12     RP      300   300   2000
L3 LOCAL TERMINATED          Q3      CP      400   400   5000
L3 UNKNOWN/UNRESOLVED ARP    Q7      RP      200   200   300
L2 DST HIT/BROADCAST         Q1/Q8   CP/RP   200   200
MULTICAST CATCH ALL          Q7      RP      200   200
ACL LOGGING                  Q17     LP      200   200
L3 HEADER ERROR/TTL0         Q0      CP      200   200
IP OPTION/TTL1               Q0      CP      100   100
VLAN L3 MTU FAIL             Q0      CP      200   200
Physical L3 MTU FAIL         Q0      CP      200   200
SOURCE MISS                  Q16     LP      200   200
STATION MOVE                 Q16     LP      200   200
SFLOW_EGRESS                 Q20     LP      5000  5000
SFLOW_INGRESS                Q20     LP      5000  5000
NOTE: When you finish troubleshooting CoPP operation, disable the collection of CPU traffic statistics by entering the no debug cpu-traffic-stats command.
Troubleshooting CPU Packet Loss
To troubleshoot the reason for CPU packet loss, you can display statistics about system flows on the central switch (aggregated CoPP) or on a specified set of switch ports by entering the show hardware system-flow [cp-switch | linecard slot-id portset port-pipe] command.
policer=
statistics={stat id 3 slice = 9 idx=1 entries=1}{Packets}
--More--
################# FP Entry for redirecting GVRP traffic to RSM ###########
EID 0x000002fc: gid=0xa,
  slice=9, slice_idx=0x4, part =0 prio=0x2fc, flags=0x10202, Installed, Enabled
  tcam: color_indep=0,
  Stage InPorts
    DATA=0x0000000000000000000000000000000000000000000000000000222222222222
    MASK=0x0000000000000000000000000000000000000000000000000000222222222223
  DstMac
    Offset: 88 Width: 48
    DATA=0x00000180 c2000021
    MASK=0x0000ffff ffffffff
ac
v6 ICMP/ICMP, MLD, MSDP, FTP/TELNET/SSH/L3 LOCAL TERMINATED, L3 UNKNOWN/UNRESOLVED ARP, iSCSI, FCoE, SFLOW, HYPERPULL, OPENFLOW, L2 DST HIT/BROADCAST, VLT, TTL1/TRACEFLOW/TTL0/STATION MOVE/TTL1/IP OPTION/L3 MTU FAIL/SOURCE MISS, v6 ICMP NS (all counters 0 in this output)
Dell#show control-traffic protocol pe 0 stack-unit 0 portset 0 counters
Protocol                                            RxBytes  TxBytes
--------------------------------------------------  -------  -------
STP/ARP/ICMP(v4/v6)/IGMP/MLD/NTP/FTP/TELNET/SSH     0        0
PE CSP/PE-CB LLDP                                   26157    26157
LL
v6 MULTICAST CATCH ALL IPv6 DHCP v6 RAGUARD v6 ICMP NA v6 ICMP RA v6 ICMP NS v6 ICMP RS v6 ICMP BGP OSPF RIP VRRP ICMP IGMP PIM MSDP BFD ON PHYSICAL PORTS BFD ON LOGICAL PORTS 802.
Viewing Per-Queue CoPP Counters
To view per-queue counters of CoPP rate-limited traffic, use the show control-traffic queue {all | queue-id queue-number} counters command. The range of queue-number values is from 0 to 20. The twenty-one control-plane queues are divided into groups of seven queues for the Route Processor, Control Processor, and line-card CPUs as follows:
• Queues 0 to 6 process packets destined to the Control Processor CPU.
11 Data Center Bridging (DCB)
Topics:
• Enabling Data Center Bridging
• Ethernet Enhancements in Data Center Bridging
• QoS dot1p Traffic Classification and Queue Assignment
• SNMP Support for PFC and Buffer Statistics Tracking
• DCB Maps and its Attributes
• Data Center Bridging: Default Configuration
• Configuration Notes: PFC and ETS in a DCB Map
• Configuring Priority-Based Flow Control
• Configuring Enhanced Transmission Selection
• Configure a DCBx Operation
• Verifying the DCB Configuratio
  dcb-map linecard 0 backplane all
  dcb-map linecard all backplane all
NOTE: Dell Networking OS Behavior: DCB is not supported if you enable link-level flow control on one or more interfaces. For more information, refer to Ethernet Pause Frames.
Ethernet Enhancements in Data Center Bridging
The following section describes DCB.
• Data Center Bridging Exchange (DCBx) protocol NOTE: Dell Networking OS supports only the PFC, ETS, and DCBx features in data center bridging. Priority-Based Flow Control In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion. When PFC detects congestion on a queue for a specified priority, it sends a pause frame for the 802.
– PFC uses DCB MIB IEEE 802.1azd2.5 and PFC MIB IEEE 802.1bb-d2.2. • A dynamic threshold handles intermittent traffic bursts and varies based on the number of PFC priorities contending for buffers, while a static threshold places an upper limit on the transmit time of a queue after receiving a message to pause a specified priority. PFC traffic is paused only after surpassing both static and dynamic thresholds for the priority specified for the port. • By default, PFC is enabled when you enable DCB.
– PFC enabled or disabled – No bandwidth limit or no ETS processing • ETS uses the DCB MIB IEEE 802.1azd2.5. Data Center Bridging Exchange Protocol (DCBx) By default, the data center bridging exchange (DCBx) protocol is disabled; ETS is also disabled. DCBx allows a switch to automatically discover DCB-enabled peers and exchange configuration information. PFC and ETS use DCBx to exchange and negotiate parameters with peer devices.
QoS dot1p Traffic Classification and Queue Assignment The following section describes QoS dot1P traffic classification and assignments. DCB supports PFC, ETS, and DCBx to handle converged Ethernet traffic that is assigned to an egress queue according to the following QoS methods: Honor dot1p You can honor dot1p priorities in ingress traffic at the port or global switch level (refer to Default dot1p to Queue Mapping) using the service-class dynamic dot1p command in INTERFACE configuration mode.
SNMP support for monitoring PFC and BST counters and statistics is available. The F10-FPSTATS MIB is extended with additional tables that display the PFC and BST counters and statistics. The following new tables are supported in the F10-FPSTATS MIB:
• fpEgrQBuffSnapshotTable
• fpIngPgBuffSnapshotTable
• fpStatsPerPgTable
• pfcPerPrioTable
fpEgrQBuffSnapshot
This table fetches the BST statistics at the egress port with respect to the buffer used.
Important Points to Remember • If you remove a dot1p priority-to-priority group mapping from a DCB map (no priority pgid command), the PFC and ETS parameters revert to their default values on the interfaces on which the DCB map is applied. By default, PFC is not applied on specific 802.1p priorities; ETS assigns equal bandwidth to each 802.1p priority. As a result, PFC and lossless port queues are disabled on 802.
You cannot apply a DCB map on an interface that has already been configured for PFC using the pfc priority command or that is already configured for lossless queues (pfc no-drop queues command).
Configuring PFC without a DCB Map
In a network topology that uses the default ETS bandwidth allocation (equal bandwidth to each priority), you can also enable PFC for specific dot1p priorities on individual interfaces without using a DCB map.
• A limit of 4 lossless queues is supported on a port. If the number of lossless queues configured exceeds the maximum supported limit per port (two), an error message is displayed. You must re-configure the value to a smaller number of queues.
• If you configure lossless queues on an interface that already has a DCB map with PFC enabled (pfc on), an error message is displayed.
Table 18. Configuring Lossless Queues
Step Task Command Command Mode
1 Enter INTERFACE Configuration mode.
Applying a DCB Map on a Line Card On the C9010, DCB is supported per-line card. If the traffic handled by a DCB map is transmitted on ports on different line cards, you must manually configure the DCB map on the backplane ports of the C9010 line cards on which the ports reside. • Apply a DCB map with PFC and ETS settings on the backplane ports of C9010 line cards.
Configuration Notes: PFC and ETS in a DCB Map
The switch supports the use of a DCB map in which you configure priority-based flow control (PFC) and enhanced transmission selection (ETS) settings. To configure PFC and ETS parameters, you must apply a DCB map on the interface.
PFC Configuration Notes
PFC provides flow control based on the 802.1p priorities in converged Ethernet traffic received on an interface, and is enabled when you enable DCB.
ETS Configuration Notes
ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs. Using ETS, you can create groups within an 802.1p priority class to configure different treatment for traffic with different bandwidth, latency, and best-effort needs.
Priority-Group Configuration Notes When you configure priority groups in a DCB map: • A priority group consists of 802.1p priority values that are grouped together for similar bandwidth allocation and scheduling, and that share the same latency and loss requirements. All 802.1p priorities mapped to the same queue must be in the same priority group. • In a DCB map, each 802.1p priority must map to a priority group.
Dell Networking OS Behavior: As soon as you apply a DCB policy with PFC enabled on an interface, DCBx starts exchanging information with PFC-enabled peers. The IEEE 802.1Qbb, CEE, and CIN versions of the PFC Type, Length, Value (TLV) are supported. DCBx also validates PFC configurations that are received in TLVs from peer devices.
NOTE: You cannot enable PFC and link-level flow control at the same time on an interface. Dell Networking OS does not support MACsec Bypass Capability (MBC).
For example, storage traffic is sensitive to frame loss; interprocess communication (IPC) traffic is latency-sensitive. ETS allows different traffic types to coexist without interruption in the same converged link by: • Allocating a guaranteed share of bandwidth to each priority group. • Allowing each group to exceed its minimum guaranteed bandwidth if another group is not fully using its allotted bandwidth. Creating an ETS Priority Group An ETS priority group specifies the range of 802.
ETS Operation with DCBx The following section describes DCBx negotiation with peer ETS devices. In DCBx negotiation with peer ETS devices, ETS configuration is handled as follows: • ETS TLVs are supported in DCBx versions CIN, CEE, and IEEE2.5. • The DCBx port-role configurations determine the ETS operational parameters (refer to Configure a DCBx Operation). • ETS configurations received from TLVs from a peer are validated.
• Accepts the DCB configuration from a peer if a DCBx port is in “willing” mode to accept a peer’s DCB settings and then internally propagates the received DCB configuration to its peer ports. DCBx Port Roles To enable the auto-configuration of DCBx-enabled ports and propagate DCB configurations learned from peer DCBx devices internally to other switch ports, use the following DCBx port roles.
source. If you enable DCBx, ports in Manual mode advertise their configurations to peer devices but do not accept or propagate internal or external configurations. Unlike other user-configured ports, the configuration of DCBx ports in Manual mode is saved in the running configuration. On a DCBx port in a manual role, all PFC, application priority, ETS recommend, and ETS configuration TLVs are enabled.
– The port role is auto-upstream. – The port is enabled with link up and DCBx enabled. – The port has performed a DCBx exchange with a DCBx peer. – The switch is capable of supporting the received DCB configuration values through either a symmetric or asymmetric parameter exchange. A newly elected configuration source propagates configuration changes received from a peer to the other auto-configuration ports.
Behavior of Tagged Packets
The following is an example of enabling PFC for priority 2 on tagged packets. Priority (packet dot1p) 2 is mapped to PG6 by the PRIO2PG setting. All other priorities, for which PFC is not enabled, are mapped to the default PG, PG7. Classification rules on ingress (the ingress FP CAM region) match the incoming packet dot1p and assign an internal priority (to select the queue as per Table 1 and Table 2).
a Enable DCB globally.
  Dell(conf)#dcb enable
b Apply the PFC priority configuration. Configure the priorities on which PFC is enabled.
DCBx Example
The following figure shows how to use DCBx. The device is connected to third-party top-of-rack (ToR) switches through 40GbE or 10GbE uplinks. The ToR switches are part of a Fibre Channel storage network. The ports connected to the server with a CNA are configured as auto-downstream ports.
Figure 31.
DCBx Prerequisites and Restrictions The following prerequisites and restrictions apply when you configure DCBx operation on a port: • For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
• manual: configures the port to operate only on administrator-configured DCB parameters. The port does not accept a DCB configuration received from a peer or a local configuration source. The default is Manual.
5 On manual ports only: Configure the PFC and ETS TLVs advertised to DCBx peers. PROTOCOL LLDP mode
  [no] advertise DCBx-tlv {ets-conf | ets-reco | pfc} [ets-conf | ets-reco | pfc] [ets-conf | ets-reco | pfc]
• ets-conf: enables the advertisement of ETS Configuration TLVs.
• auto: configures all ports to operate using the DCBx version received from a peer.
• cee: configures a port to use CEE (Intel 1.01).
• cin: configures a port to use Cisco-Intel-Nuova (DCBx 1.0).
• ieee-v2.5: configures a port to use IEEE 802.1Qaz (Draft 2.5).
The default is Auto.
NOTE: To configure the DCBx port role the interfaces use to exchange DCB information, use the DCBx port-role command in INTERFACE Configuration mode (Step 3).
DCBx Error Messages
The following syslog messages appear when an error in DCBx operation occurs.
LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface.
LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface.
DSM_DCBx_PEER_VERSION_CONFLICT: A local port expected to receive the IEEE, CIN, or CEE version in a DCBx TLV from a remote peer but received a different, conflicting DCBx version.
Command Output
To clear PFC TLV counters, use the clear pfc counters interface port-type slot/port command.
show interface port-type slot/port pfc statistics
Displays counters for the PFC frames received and transmitted (by dot1p priority class) on an interface. You can use the show interface pfc statistics command even without enabling DCB on the system.
Local is enabled
Oper status is Recommended
PFC DCBx Oper status is Up
State Machine Type is Feature
TLV Tx Status is enabled
PFC Link Delay 45556 pause quantams
Application Priority TLV Parameters :
--------------------------------------
FCOE TLV Tx Status is disabled
ISCSI TLV Tx Status is disabled
Local FCOE PriorityMap is 0x8
Local ISCSI PriorityMap is 0x10
Remote FCOE PriorityMap is 0x8
Remote ISCSI PriorityMap is 0x8
Dell# show interfaces tengigabitethernet 1/4 pfc detail
Interface TenGigabitEthernet 1/
Fields  Description
  • Init: Local PFC configuration parameters were exchanged with the peer.
  • Recommend: Remote PFC configuration parameters were received from the peer.
  • Internally propagated: PFC configuration parameters were received from the configuration source.
PFC DCBx Oper status  Operational status for the exchange of PFC configuration on the local port: match (up) or mismatch (down).
The following example shows the show interface ets summary command.
  0          13%        ETS
  1          13%        ETS
  2          13%        ETS
  3          13%        ETS
  4          12%        ETS
  5          12%        ETS
  6          12%        ETS
  7          12%        ETS
Remote Parameters:
-------------------
Remote is disabled
Local Parameters :
------------------
Local is enabled
TC-grp  Priority#          Bandwidth  TSA
0       0,1,2,3,4,5,6,7    100%       ETS
1                          0%         ETS
2                          0%         ETS
3                          0%         ETS
4                          0%         ETS
5                          0%         ETS
6                          0%         ETS
7                          0%         ETS
Priority#  Bandwidth  TSA
0          13%        ETS
1          13%        ETS
2          13%        ETS
3          13%        ETS
4          12%        ETS
5          12%        ETS
6          12%        ETS
7          12%        ETS
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input
-------------------
Remote is disabled
Local Parameters :
------------------
Local is enabled
TC-grp  Priority#          Bandwidth  TSA
0       0,1,2,3,4,5,6,7    100%       ETS
1                          0%         ETS
2                          0%         ETS
3                          0%         ETS
4                          0%         ETS
5                          0%         ETS
6                          0%         ETS
7                          0%         ETS
Priority#  Bandwidth  TSA
0          13%        ETS
1          13%        ETS
2          13%        ETS
3          13%        ETS
4          12%        ETS
5          12%        ETS
6          12%        ETS
7          12%        ETS
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error C
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts
5       -    -    -    -
6       -    -    -    -
7       -    -    -    -
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts
The following table describes the show interface ets detail command fields.
Table 22. show interface ets detail Command Description
Field  Description
Interface  Interface type with stack-unit, linecard, and port number.
Field  Description
ETS TLV Statistic: Error Conf TLV pkts  Number of ETS Error Configuration TLVs received.
The following example shows the show linecard 2 port-set 0 backplane all pfc details command.
I - Application priority for iSCSI enabled
i - Application priority for iSCSI disabled
------------------------------------------------------------------------------------
Interface TenGigabitEthernet 1/14
  Remote Mac Address 00:01:e8:8a:df:a0
  Port Role is Auto-Upstream
  DCBx Operational Status is Enabled
  Is Configuration Source? FALSE
  Local DCBx Compatibility mode is CEE
  Local DCBx Configured mode is CEE
  Peer Operating version is CEE
  Local DCBx TLVs Transmitted: ErPFi
Local DCBx Status
-----------------
DCBx Operat
Local DCBx Status: DCBx Max Version Supported: Highest DCBx version supported in Control TLVs.
Local DCBx Status: Sequence Number: Sequence number transmitted in Control TLVs.
Local DCBx Status: Acknowledgment Number: Acknowledgement number transmitted in Control TLVs.
Local DCBx Status: Protocol State: Current operational state of the DCBx protocol: ACK or IN-SYNC.
Peer DCBx Status: DCBx Operational Version: DCBx version advertised in Control TLVs received from the peer device.
Using PFC and ETS to Manage Data Center Traffic

The following shows examples of using PFC and ETS to manage your data center traffic. In the following example:
• Incoming SAN traffic is configured for priority-based flow control.
• Outbound LAN, IPC, and SAN traffic is mapped into three ETS priority groups and configured for enhanced traffic selection (bandwidth allocation and scheduling).
• One lossless queue is used.

Figure 32.
dot1p Value in the Incoming Frame   Priority Group Assignment
0                                   LAN
1                                   LAN
2                                   LAN
3                                   SAN
4                                   IPC
5                                   LAN
6                                   LAN
7                                   LAN

The following describes the priority group-bandwidth assignment.

PFC and ETS Configuration Command Examples

The following examples show PFC and ETS configuration commands to manage your data center traffic.
Hierarchical Scheduling in ETS Output Policies

ETS supports up to three levels of hierarchical scheduling. For example, you can apply ETS output policies with the following configurations:
Priority group 1: Assigns traffic to one priority queue with 20% of the link bandwidth and strict-priority scheduling.
Priority group 2: Assigns traffic to one priority queue with 30% of the link bandwidth.
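The dot1p-to-priority-group table and the scheduling description above translate into a small scheduling model. The following Python is an added example written for this page, not Dell Networking OS code: it classifies frames by dot1p using the LAN/SAN/IPC table, then divides link bandwidth the way ETS does, strict-priority groups first and the remaining groups by their configured percentage, with any share a group does not use redistributed to the others. The 70/30 LAN/SAN split, the strict-priority IPC group and the frame sizes are assumptions for the example.

```python
"""Model of ETS priority-group scheduling (added example, not Dell OS code).

Frames are classified by dot1p into the LAN/SAN/IPC priority groups from the
table above, then link bandwidth is divided among the groups the way ETS
(IEEE 802.1Qaz) does: strict-priority groups are served first, the remaining
groups get their configured percentage, and a group that does not use its
share leaves the surplus to the others.  Sizes are bytes per scheduling
interval and are constructed for the example.
"""
from dataclasses import dataclass

# dot1p -> priority group, exactly the assignment in the table above
DOT1P_TO_PG = {0: "LAN", 1: "LAN", 2: "LAN", 3: "SAN", 4: "IPC",
               5: "LAN", 6: "LAN", 7: "LAN"}


@dataclass(frozen=True)
class PriorityGroup:
    name: str
    bandwidth_pct: int        # ETS share; ignored for strict-priority groups
    strict: bool = False      # strict-priority: served first, up to its demand


# Assumed policy for the example: IPC is strict-priority, LAN/SAN share the
# rest 70/30.  ETS shares of the non-strict groups must add up to 100%.
GROUPS = (PriorityGroup("IPC", 0, strict=True),
          PriorityGroup("LAN", 70),
          PriorityGroup("SAN", 30))

# Constructed offered load: (dot1p, bytes) per frame.
SAMPLE_FRAMES = [(3, 200), (4, 100), (0, 500), (7, 400)]


def validate_groups(groups):
    """ETS requires the shares of the non-strict groups to sum to 100%."""
    total = sum(g.bandwidth_pct for g in groups if not g.strict)
    if total != 100:
        raise ValueError(f"ETS shares sum to {total}%, expected 100%")


def classify(frames):
    """Sum the offered bytes per priority group using the dot1p mapping."""
    demand = {}
    for dot1p, size in frames:
        pg = DOT1P_TO_PG[dot1p]
        demand[pg] = demand.get(pg, 0) + size
    return demand


def allocate(link_capacity, groups, demand):
    """Return the bytes granted to each group for one scheduling interval."""
    validate_groups(groups)
    grant = {g.name: 0.0 for g in groups}
    remaining = float(link_capacity)

    # 1. Strict-priority groups are served first, up to their demand.  An
    #    unpoliced strict group can therefore starve every ETS group (see the
    #    oversubscription case in the usage): police strict-priority traffic.
    for g in groups:
        if g.strict:
            take = min(demand.get(g.name, 0), remaining)
            grant[g.name] = take
            remaining -= take

    # 2. ETS groups: each gets its weighted share of what is left.  A group
    #    whose demand is below its share is satisfied, and the surplus is
    #    redistributed among the groups still wanting bandwidth.
    ets = [g for g in groups if not g.strict]
    while remaining > 1e-9:
        active = [g for g in ets if demand.get(g.name, 0) - grant[g.name] > 1e-9]
        if not active:
            break
        total_weight = sum(g.bandwidth_pct for g in active)
        pool = remaining
        for g in active:
            share = pool * g.bandwidth_pct / total_weight
            take = min(share, demand.get(g.name, 0) - grant[g.name])
            grant[g.name] += take
            remaining -= take
    return grant


if __name__ == "__main__":
    demand = classify(SAMPLE_FRAMES)
    for pg, granted in allocate(1000, GROUPS, demand).items():
        print(f"{pg:4s} offered {demand.get(pg, 0):5d}  granted {granted:6.1f}")
```

With a 1000-byte interval, SAN asks for 200 but is entitled to 270, so the unused 70 bytes go to LAN (630 + 70 = 700) while IPC is served first as strict priority. Offering 1500 bytes of IPC traffic shows the other side of strict priority: it takes the whole interval and LAN and SAN receive nothing.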
Dynamic ingress buffering enables the sending of pause frames at different thresholds based on the number of ports that experience congestion at a time. This behavior impacts the total buffer size used by a particular lossless priority on an interface. The pause and resume thresholds can also be configured dynamically.
The number of ports that can be configured with lossless queues depends on the available buffer. The default number of PFC queues in the system is two. For each priority, you can specify the shared buffer threshold limit, the ingress buffer size, the buffer limit for pausing the acceptance of packets, and the buffer offset limit for resuming the acceptance of received packets.
12 Debugging and Diagnostics This chapter describes the debugging and diagnostics tasks you can perform on the switch.
Specify the port extender ID and stack unit ID.
EXEC Privilege mode
diag pe pe-id stack-unit unit-number
• pe-id is a port-extender group ID number from 0 to 255.
• unit-number is a PE stack-unit number from 0 to 7.

Dell#diag pe 0 stack-unit 0

A warning is displayed with a CLI prompt asking you to confirm (yes or no) before the diagnostics run.

Dell#diag pe 0 stack-unit 0 level0
Warning - PE-Unit 0 at PEID 0 will go offline to run the diagnostics. Offline of system will bring down all the protocols and the system will be operationally down, except for running Diagnostics.
PE unit will be automatically reloaded once the diagnostics tests are completed.
Warning - The diagnostic execution will cause multiple link flaps on the peer side - advisable to shut directly connected ports
Proceed with PE diag [confirm yes/no]:yes
Dell# Jul 30 12:59:39: %RPM0-P:CP %BRM-5-PE_UNIT_DOWN: PE:255 Unit:2 Unit MAC:f8:b1:56:00:02:d1 is operationally down.
boardRevision ............................................... PASS
cpldAccess .................................................. PASS
cpuType ..................................................... PASS
Starting test: fanControllerSpeedGet ......
000 - FAN Controller Get Speed Test ................................ PASS
001 - FAN Controller Get Speed Test ................................ PASS
fanControllerSpeedGet ....................................... PASS
fanStatusMonitor ...................................
[...]
029 - One Gig PHY Access Test ...................................... PASS
030 - One Gig PHY Access Test ...................................... PASS
031 - One Gig PHY Access Test ...................................... PASS
032 - One Gig PHY Access Test ...................................... PASS
033 - One Gig PHY Access Test ...................................... PASS
034 - One Gig PHY Access Test ...................................... PASS
035 - One Gig PHY Access Test ......................................
[...]
poeManagerVolt .............................................. PASS
poeUARTStress ............................................... PASS
powerRailStatus ............................................. PASS
psuEepromAccess ............................................. PASS
psuEpsPresence .............................................. PASS
psuEpsStatusMonitor ......................................... PASS
psuFanAirFlowType ........................................... PASS
psuFanStatus ..............................
[...]
020 - One Gig PHY Link Test ........................................ PASS
021 - One Gig PHY Link Test ........................................ PASS
022 - One Gig PHY Link Test ........................................ PASS
023 - One Gig PHY Link Test ........................................ PASS
!!!!!! LEVEL 2 DIAGNOSTIC
snakeOneGMac ................................................
snakeOneGPhy ................................................
snakeSfpPlusMac .............................................
Running Offline Diagnostics on a Standalone Switch

To run offline diagnostics on a standalone switch:
1 Shut down the directly connected port extender ports before you run offline diagnostics.
2 Place the entire system or a particular linecard in the offline state.
  EXEC Privilege mode
  offline system
  offline linecard linecard_number
  The following message displays.
  Warning - offline of system will bring down all the protocols and the system will be operationally down, except for running Diagnostics.
% Error: linecard 11 is not present.
% Error: Invalid command - card is not present.
% Error: Invalid command - card is not present.
% Error: Invalid command - card is not present.
Dell#Apr 26 22:32:01: %C9000LC0640:4 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on linecard 4
2d3h3m : Approximate time to complete the Diags (all levels)... 10 Mins
Apr 26 22:32:01: %C9000LC0640:5 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on linecard 5
2d3h3m : Approximate time to complete the Diags (all levels)... 10 Mins
Apr 26 22:32:01: %C9000-RPM-2.
PPID                  PPID Rev  Service Tag  Part Number  Part Number Revision  LM CPLD  LM extended CPLD  SW Version
-----------------------------------------------------------------------------------------------------------------------
CN0CYFF2779314A60021  X00       15YQG02      0CYFF2       X00                   31       30                1-0(0-4854)
Available free memory: 1,664,086,016 bytes

LEVEL 0 DIAGNOSTIC
Starting test: bcm56854AccessTest ......
+ Access Test for unit 0 : PASSED
bcm56854AccessTest .......................................... PASS
biosVerGetTest .............................................. PASS
boardRevisionTest ...........................................
[...]
+Board First Thermal Monitor Sensor[3] is 37.0 C
CPU Temp 31 c
DDR Temperature 35 c
showTemperature ............................................. PASS
slotInfoTest ................................................ PASS
Starting test: spiFlashAccessTest ......
temperature monitor 0: current= 49.8, peak= 86.1
temperature monitor 1: current= 50.9, peak= 86.1
temperature monitor 2: current= 51.4, peak= 87.8
temperature monitor 3: current= 52.0, peak= 87.8
temperature monitor 4: current= 50.3, peak= 87.8
temperature monitor 5: current= 49.8, peak= 87.
[...]
Iteration 16 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
Iteration 17 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
[... iterations 18 to 25 identical ...]
[...]
Completed 50 iterations
No issues found in SD Flash (/dev/wd0k)
SD Flash File System Stress Test is Passed
ssdFlashFileSystemStressTest ................................ PASS

LEVEL 2 DIAGNOSTIC
ipcTrafficTest ..............................................
fpgaAccessTest .............................................. PASS
Starting test: i2cTest ......
[...]
PSU[2] Voltage Test FAIL
psuVoltageTest .............................................. FAIL
rtcTest ..................................................... PASS
sataSsdTest ................................................. PASS
Starting test: showTemperature ......
+Board First Thermal Monitor Sensor[0] is 38.0 C
+Board First Thermal Monitor Sensor[1] is 33.0 C
+Board First Thermal Monitor Sensor[2] is 31.0 C
+Board First Thermal Monitor Sensor[3] is 38.0 C
+Board First Thermal Monitor Sensor[4] is 34.
[...]
FAN TRAY[2] FAN 2 Controller Speed Test FAIL
ERROR: Tray[2] fan[3] speed 56% is out of expected range [80-100%]
ERROR: Fan speed variation failed for tray[2]
FAN TRAY[2] FAN 3 Controller Speed Test FAIL
fanCntrlSpeedTest ........................................... FAIL
fanTrayEepromAccessTest ..................................... PASS
Starting test: i2cTest ......
[...]
Iteration 21 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
[... iterations 22 to 26 identical ...]
[...]
Link Status for Port: 27 -> Peer Slot7 on unit: 0 is
Link Status for Port: 2 -> Peer Slot8 on unit: 0 is
Link Status for Port: 29 -> Peer Slot9 on unit: 0 is
Link Status for Port: 6 -> Peer pRPM on unit: 0 is
udfLinkStatusTest ........................................... FAIL
Starting test: usbTest ......
-USB "/dev/rsd0d" is not plugged/mounted/formatted; test SKIPPED
usbTest ..................................................... FAIL

LEVEL 2 DIAGNOSTIC
ipcPingTrafficTest ........
boardRevisionTest ........................................... PASS
Starting test: cpldAccessTest ......
CPLD Major Ver 3 Minor Ver 3
cpldAccessTest .............................................. PASS
Starting test: cpuGELinkStatusTest ......
+ GbE1 Link Status UP
+ GbE2 Link Status DOWN
+ GbE3 Link Status UP
cpuGELinkStatusTest ......................................... FAIL
cpuRevisionTest ............................................. PASS
cpuSdramPresenceTest ........................................
[...]
PSU[2] Fan Status Test FAIL
psuFanStatusTest ............................................ FAIL
psuPresenceTest ............................................. FAIL
Starting test: psuShowTempTest ......
PSU[0] Show Temparature Test FAIL
PSU[1] Show Temparature Test FAIL
PSU[2] Show Temparature Test FAIL
psuShowTempTest ............................................. FAIL
Starting test: psuStatusTest ......
PSU[0] Status Test FAIL
PSU[1] Status Test FAIL
PSU[2] Status Test FAIL
psuStatusTest .....................
[...]
ERROR: Fan speed variation failed for tray[1]
FAN TRAY[1] FAN 1 Controller Speed Test FAIL
ERROR: Tray[1] fan[2] speed 56% is out of expected range [80-100%]
ERROR: Fan speed variation failed for tray[1]
FAN TRAY[1] FAN 2 Controller Speed Test FAIL
ERROR: Tray[1] fan[3] speed 57% is out of expected range [80-100%]
ERROR: Fan speed variation failed for tray[1]
FAN TRAY[1] FAN 3 Controller Speed Test FAIL
ERROR: Tray[2] fan[0] speed 57% is out of expected range [80-100%]
ERROR: Fan speed variation failed for
[...]
Iteration 13 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
[... iterations 14 to 22 identical ...]
[...]
Iteration 48 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
Iteration 49 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
Iteration 50 - File System Check passed
Completed 50 iterations
No issues found in SD Flash (/dev/wd0k)
SD Flash File System Stress Test is Passed
ssdFlashFileSystemStressTest ................................ PASS
Starting test: udfLinkStatusTest ......
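Reading a full offline diagnostic run by eye is error-prone. The following Python is an added example, not a Dell tool: it summarises output in the format shown above, collecting the "testName .... PASS/FAIL" result lines per diagnostic level, attaching the preceding ERROR: lines to the test they belong to, and separating tests that report FAIL only because a component was skipped (the usbTest case above) from real failures. The sample output is constructed from fragments of the output shown above; the LEVEL 1 marker and the ordering of the lines are assumptions.

```python
"""Summarise offline diagnostic output (added example, not Dell OS code).

Parses "testName .... PASS|FAIL" result lines, keeps the ERROR: detail lines
and the LEVEL n DIAGNOSTIC sections, and flags tests marked FAIL only because
they were SKIPPED.  SAMPLE_OUTPUT is constructed from the fragments above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RESULT_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9]+) \.{3,} (?P<result>PASS|FAIL)\s*$")
LEVEL_RE = re.compile(r"^!*\s*LEVEL (?P<level>\d) DIAGNOSTIC")
ERROR_RE = re.compile(r"^ERROR: (?P<msg>.+)$")
SKIPPED_RE = re.compile(r"test SKIPPED", re.IGNORECASE)

SAMPLE_OUTPUT = """\
LEVEL 0 DIAGNOSTIC
bcm56854AccessTest .......................................... PASS
fpgaAccessTest .............................................. PASS
LEVEL 1 DIAGNOSTIC
ERROR: Tray[2] fan[3] speed 56% is out of expected range [80-100%]
ERROR: Fan speed variation failed for tray[2]
FAN TRAY[2] FAN 3 Controller Speed Test FAIL
fanCntrlSpeedTest ........................................... FAIL
fanTrayEepromAccessTest ..................................... PASS
PSU[2] Voltage Test FAIL
psuVoltageTest .............................................. FAIL
-USB "/dev/rsd0d" is not plugged/mounted/formatted; test SKIPPED
usbTest ..................................................... FAIL
LEVEL 2 DIAGNOSTIC
ipcPingTrafficTest .......................................... PASS
"""


@dataclass
class DiagReport:
    results: Dict[str, str] = field(default_factory=dict)        # test -> PASS/FAIL
    levels: Dict[str, Optional[int]] = field(default_factory=dict)  # test -> diag level
    errors: Dict[str, List[str]] = field(default_factory=dict)   # test -> ERROR lines
    skipped: List[str] = field(default_factory=list)             # FAIL caused by a skip

    def failed(self):
        """Real failures: FAIL results that were not merely skipped components."""
        return sorted(t for t, r in self.results.items()
                      if r == "FAIL" and t not in self.skipped)


def parse_diag(text):
    report = DiagReport()
    level, pending_errors, pending_skip = None, [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = LEVEL_RE.match(line)
        if m:
            level = int(m.group("level"))
            continue
        m = ERROR_RE.match(line)
        if m:                       # detail lines precede the test's result line
            pending_errors.append(m.group("msg"))
            continue
        if SKIPPED_RE.search(line):
            pending_skip = True
            continue
        m = RESULT_RE.match(line)
        if m:
            name = m.group("name")
            report.results[name] = m.group("result")
            report.levels[name] = level
            if pending_errors:
                report.errors[name] = pending_errors
            if pending_skip and m.group("result") == "FAIL":
                report.skipped.append(name)
            pending_errors, pending_skip = [], False
    return report


if __name__ == "__main__":
    r = parse_diag(SAMPLE_OUTPUT)
    print("failed:", r.failed(), "skipped:", r.skipped)
    for name, msgs in r.errors.items():
        print(name, "->", "; ".join(msgs))
```

Sub-test lines such as "FAN TRAY[2] FAN 3 Controller Speed Test FAIL" are deliberately not treated as results: they do not carry the dotted leader, and the aggregate test line that follows them is the one that counts.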
Auto Save on Reload, Crash, or Rollover Exception information for the switch is stored in the flash:/TRACE_LOG_DIR directory. This directory contains files that save trace information when there has been a task crash or timeout and trace information from the Route Processor and Control Processor CPUs. You can access the TRACE_LOG_DIR files by FTP or by using the show file command from the flash://TRACE_LOG_DIR directory.
show hardware Commands Use the show hardware commands to troubleshoot error conditions by displaying information about a hardware subcomponent and details from hardware-based feature tables. NOTE: Use the show hardware commands only under the guidance of the Dell Networking Technical Assistance Center (TAC). • Display internal interface status of the line-card CPU port which connects to the external management interface.
• Display the internal statistics for each port-pipe (unit) on a per-port basis.
  show hardware linecard slot-id unit unit-number port-stats [detail]
• Display the line-card internal registers for each port-pipe.
  show hardware linecard slot-id unit unit-number register
• Display the tables from the bShell through the CLI without going into the bShell.
  show hardware linecard slot-id unit unit-number table-dump {table-name}
• Display hardware statistics from the specified port extender and stack-unit.
Environmental Monitoring

The system components use environmental monitoring hardware to detect transmit power readings, receive power readings, and temperature updates. To receive periodic power updates, use the enable optic-info-update interval command. The output in the following example displays the environment status of the RPM.
-----------------------------------------------------------------------------
0  0  down  AC  up  1376   0.0
0  1  up    AC  up  18848  666.0
0  2  down  AC  up  1312   0.0
0  3  up    AC  up  18880  643.0

When an under-voltage condition occurs on a power supply (for example, a power cable is removed):
• A Syslog message is displayed to inform you that the power supply is down.
When you configure a 40GbE QSFP+ port to operate in quad (4x10GbE) mode as four 10GbE SFP+ ports, a Syslog message is displayed for each 10GbE port.
QSFP 168 BR min                         = 0
QSFP 168 Vendor SN                      = Z12I00005
QSFP 168 Datecode                       = 130117
QSFP 168 CheckCodeExt                   = 0xe8
===================================
QSFP 168 Diagnostic Information
===================================
QSFP 168 Rx Power measurement type
===================================
QSFP 168 Temp High Alarm threshold
QSFP 168 Voltage High Alarm threshold
QSFP 168 Bias High Alarm threshold
QSFP 168 RX Power High Alarm threshold
QSFP 168 Temp Low Alarm threshold
QSFP 168 Voltage Low Alarm threshold
QSFP 168 Bias Low Alarm threshold
QSFP 168
Troubleshoot an Over-Temperature Condition

To troubleshoot an over-temperature condition, determine which sensor(s) triggered the over-temperature alarm by displaying the current temperature levels and the historical logs of the temperature threshold-crossing events. The RPM has CP and LP cards whose sensor temperatures are monitored; the line-card sensors are monitored in the same way. The show alarm threshold command displays the temperature threshold values for the line cards and the RPM.
PEid100/Stack0   60   65   72   75   105

To display the current temperature of the sensors, use the show environment thermal-sensors command. Minor threshold crossings do not cause alarms, but are used to trigger increases in the speed of the system fans as needed to keep the component temperature within the desired range.
When the system experiences a high temperature on any temperature sensor that exceeds the Critical threshold, a shutdown log event is generated; for example:
Dell#Jun 18 01:57:03: %RPM1-P:CP %CHMGR-2-TEMP_SHUTDOWN_WARN: WARNING! linecard 11 temperature is 110C; approaching shutdown threshold of 110C
Dell#Jun 18 01:57:04: %RPM1-P:CP %CHMGR-0-TEMP_SHUTDOWN_WARN: linecard 11 temperature exceeded or equal to shutdown temperature 110C; Unit will shutdown now. Power cycle the unit to power it on.
show hardware linecard {0–2} drops unit {0–3}

Dell#show hardware linecard 2 drops
UNIT No: 0
Total Ingress Drops : 41694
Total IngMac Drops  : 0
Total Mmu Drops     : 0
Total EgMac Drops   : 0
Total Egress Drops  : 0

Dell#show hardware linecard 2 drops unit 0
UserPort   PortNumber
0          1
4          5
8          9
12         13
16         17
17         18
18         19
19         20
20         21
21         22
22         23
23         24
24         25
28         29
32         33
36         37
40         41
44         45
Internal   50
Internal   51
Internal   52
Internal   53
Internal   54
Internal   55
Internal   56
Internal   57
Internal   58
TR MGV Frames = 0
Bytes Transmitted = 0
Frames Transmitted = 125183
Mcast Frames Transmitted = 0
Bcast Frames Transmitted = 4
Pause Frames Transmitted = 0
Deferred Transmits = 0
Excessive Deferred Transmits = 0
TX single collisions = 0
TX multiple collisions = 0
TX late collisions = 0
TX Excessive collisions = 0
TX total collisions = 0
TX Drops = 0
TX Jabber = 0
TX FCS errors = 0
TX Control frames = 0
TX oversize frames = 0
TX undersize frames = 0
TX fragments = 0
Bytes received = 0
Frames received = 2868
Rx 128to255octets Packets = 441
Rx 256to511octets Packets = 3816
Rx 512to1023octets Packets = 3247
Rx 1024toMaxoctets Packets = 150599
Rx Jabbers = 0
Rx align errors = 0
Rx fcs errors = 0
Rx good octets = 251640594
Rx Drop pkts = 0
Rx Unicast Packets = 333370
Rx Multicast Packets = 193621
Rx Broadcast Packets = 45
Rx Source Address Changes = 3
Rx Fragments = 0
Rx Jumbo Packets = 0
Rx Symbol Errros = 0
Rx In Range Errors = 0
Rx OutofRange Errors = 0

Displaying Line-Card Counters

The show hardware linecard
f10Ch_lp__.acore.gz
• An application core dump generated from LM: f10Ch_lp__.acore.
0035d60c :
00274f8c :
0024e2b0 :
0024dee8 :
0024d9c4 :
002522b0 :
0026a8d0 :
0026a00c :
------------------------STACK TRACE END------------------------
------------------FREE MEMORY--------------
uvmexp.free = 0x2312

Full Kernel Core Dumps

The system supports full core dumps for kernel crashes. The kernel core dump applies to all switch CPUs and is not enabled by default.
tcpdump {cp | rp} [capture-duration time | filter expression | max-file-count value | packet-count value | snap-length value | write-to path]

Accessing Port Extender Core and Mini Core Dumps

For port extenders (PE), the application core dump and the mini core dump of the port extenders are uploaded to the controller bridge’s flash, in the directory /flash/CORE_DUMP_DIR. The format of a PE application core uploaded to the CB is as follows: f10pe___Stk.acore.
13 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option, Number and Description
Subnet Mask, Option 1: Specifies the client’s subnet mask.
Router, Option 3: Specifies the router IP addresses that may serve as the client’s default gateway.
Domain Name Server, Option 6: Specifies the domain name servers (DNSs) that are available to the client.
Domain Name, Option 15: Specifies the domain name that clients should use when resolving hostnames via DNS.
End, Option 255: Signals the last option in the DHCP packet.

Assign an IP Address using DHCP

The following section describes DHCP and the client in a network. When a client joins a network:
1 The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters.
Implementation Information The following describes DHCP implementation. • Dell Networking implements DHCP based on RFC 2131 and RFC 3046. • IP source address validation is a sub-feature of DHCP Snooping; the Dell Networking OS uses access control lists (ACLs) internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP source address validation.
Configuring the Server for Automatic Address Allocation

Automatic address allocation is an address assignment method by which the DHCP server leases an IP address to a client from a pool of available addresses. An address pool is a range of IP addresses that the DHCP server may assign. The subnet number indexes the address pools. To create an address pool, follow these steps.
1 Access the DHCP server CLI context.
  CONFIGURATION mode
  ip dhcp server
2 Create an address pool and give it a name.
To exclude an address, follow this step.
• Exclude an address range from DHCP assignment. The exclusion applies to all configured pools.
  DHCP mode
  excluded-address

Specifying an Address Lease Time

To specify an address lease time, use the following command.
• Specify an address lease time for the addresses in a pool.
  DHCP mode
  lease {days [hours] [minutes] | infinite}
  The default is 24 hours.
Using NetBIOS WINS for Address Resolution Windows internet naming service (WINS) is a name resolution service that Microsoft DHCP clients use to correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid. 1 Specify the NetBIOS WINS name servers, in order of preference, that are available to Microsoft Dynamic Host Configuration Protocol (DHCP) clients.
Using DHCP Clear Commands

To clear DHCP binding entries, address conflicts, and server counters, use the following commands.
• Clear DHCP binding entries for the entire binding table.
  EXEC Privilege mode
  clear ip dhcp binding
• Clear a DHCP binding entry for an individual IP address.
  EXEC Privilege mode
  clear ip dhcp binding ip-address

Configure the System to be a Relay Agent

DHCP clients and servers request and offer configuration information via broadcast DHCP messages.
Figure 35. Configuring a Relay Agent

To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC Privilege mode.

Example of the show ip interface Command
R1_E600#show ip int gig 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1
192.168.0.
Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: • The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (OS version and a configuration file). BMP is enabled as a factory-default setting on a switch.
VLAN and Port Channels DHCP client configuration and behavior are the same on Virtual LAN (VLAN) and port-channel (LAG) interfaces as on a physical interface.
The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server. The server can use this information to: • track the number of address requests per relay agent. Restricting the number of addresses available per relay agent can harden a server against address exhaustion attacks. • associate client MAC addresses with a relay agent to prevent offering an IP address to a client spoofing the same MAC address on a different relay agent. • assign IP addresses according to the relay agent.
DHCP Snooping for a Multi-Tenant Host You can configure the DHCP snooping feature such that multiple IP addresses are expected for the same MAC address. You can use the ip dhcp snooping command multiple times to map the same MAC address with different IP addresses. This configuration is also used for dynamic ARP inspection (DAI) and source address validation (SAV). The DAI and SAV tables reflect the same entries in the DHCP snooping binding table.
• Delete all of the entries in the binding table.
  EXEC Privilege mode
  clear ip dhcp snooping binding

Displaying the Contents of the Binding Table

To display the contents of the binding table, use the following commands.
• Display the DHCP snooping information.
  EXEC Privilege mode
  show ip dhcp snooping
• Display the contents of the binding table.
To view the number of entries in the table, use the show ip dhcp snooping binding command. This output displays the snooping binding table created using the ACK packets from the trusted port.

Dell#show ip dhcp snooping binding
Codes : S - Static   D - Dynamic
IP Address    MAC Address        Expires(Sec)  Type  VLAN   Interface
================================================================
10.1.1.251    00:00:4d:57:f2:50  172800        D     Vl 10  Te 0/2
10.1.1.252    00:00:4d:57:e6:f6  172800        D     Vl 10  Te 0/1
10.1.1.
NOTE: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM entry is required for every DAI-enabled VLAN. You can enable DAI on up to 16 VLANs on a system. However, the default CAM profile allocates only nine entries to the L2SysFlow region for DAI. You can configure 10 to 16 DAI-enabled VLANs by allocating more CAM space to the L2SysFlow region before enabling DAI. SystemFlow has 102 entries by default.
To bypass the ARP inspection, use the following command.
• Specify an interface as trusted so that ARPs are not validated against the binding table.
  INTERFACE mode
  arp inspection-trust
DAI is supported on Layer 2 and Layer 3.

Source Address Validation

Using the DHCP binding table, Dell Networking OS can perform three types of source address validation (SAV).
Table 27.
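As an added example of how the binding table drives DAI and SAV (illustrative Python, not Dell Networking OS code), the following models a snooping table holding the two dynamic entries from the show ip dhcp snooping binding output above plus a second IP for the same MAC, the multi-tenant host case. ARP packets arriving on untrusted ports are checked against sender IP, sender MAC and VLAN, as DAI does; IP packets are checked in one of three modes, and drops are counted per interface like the SAV discard counters. The mode names "ip", "ip-mac" and "ip-mac-vlan" are this example's, not CLI keywords, and the trusted uplink Te 0/10 and the test packets are constructed.

```python
"""DHCP snooping binding table driving DAI and source address validation
(added example, not Dell Networking OS code).  Binding entries mirror the
show ip dhcp snooping binding output above; the SAV mode names are this
example's, not CLI keywords."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    """What the checks need: sender/source IP and MAC, VLAN and ingress port."""
    ip: str
    mac: str
    vlan: int
    interface: str


class SnoopingTable:
    def __init__(self, trusted_ports=()):
        self.bindings = set()
        self.trusted = set(trusted_ports)   # ports configured as trusted (server-facing)
        self.discards = Counter()           # dropped packets per ingress interface

    def learn(self, ip, mac, vlan, interface):
        """Add a binding from a snooped DHCPACK or a static entry.  The same
        MAC may appear with several IPs: the multi-tenant host case."""
        self.bindings.add(Binding(ip, mac.lower(), vlan, interface))

    def _matches(self, pkt, check_mac, check_vlan):
        """A binding for this IP must exist on the ingress port; MAC and VLAN
        are compared only in the modes that require them."""
        for b in self.bindings:
            if b.ip != pkt.ip or b.interface != pkt.interface:
                continue
            if check_mac and b.mac != pkt.mac.lower():
                continue
            if check_vlan and b.vlan != pkt.vlan:
                continue
            return True
        return False

    def dai_check(self, arp):
        """Dynamic ARP inspection: an ARP from an untrusted port passes only if
        sender IP, sender MAC and VLAN match a binding learned on that port."""
        if arp.interface in self.trusted:
            return True
        ok = self._matches(arp, check_mac=True, check_vlan=True)
        if not ok:
            self.discards[arp.interface] += 1
        return ok

    def sav_check(self, pkt, mode="ip-mac-vlan"):
        """Source address validation of an IP packet from an untrusted port."""
        if pkt.interface in self.trusted:
            return True
        if mode == "ip":
            ok = self._matches(pkt, check_mac=False, check_vlan=False)
        elif mode == "ip-mac":
            ok = self._matches(pkt, check_mac=True, check_vlan=False)
        elif mode == "ip-mac-vlan":
            ok = self._matches(pkt, check_mac=True, check_vlan=True)
        else:
            raise ValueError(f"unknown SAV mode {mode!r}")
        if not ok:
            self.discards[pkt.interface] += 1
        return ok


def demo_table():
    """The two dynamic entries from the output above plus a constructed second
    IP for the Te 0/1 host; Te 0/10 is an assumed trusted uplink."""
    t = SnoopingTable(trusted_ports={"Te 0/10"})
    t.learn("10.1.1.251", "00:00:4d:57:f2:50", 10, "Te 0/2")
    t.learn("10.1.1.252", "00:00:4d:57:e6:f6", 10, "Te 0/1")
    t.learn("10.1.1.253", "00:00:4d:57:e6:f6", 10, "Te 0/1")
    return t


if __name__ == "__main__":
    t = demo_table()
    poison = Packet("10.1.1.251", "00:00:4d:57:e6:f6", 10, "Te 0/1")
    print("ARP claiming 10.1.1.251 from Te 0/1 forwarded:", t.dai_check(poison))
    print("discards:", dict(t.discards))
```

The poisoning attempt in the usage is the case DAI exists for: the host on Te 0/1 announces the address bound to Te 0/2, and the binding table, not the ARP payload, decides whether the announcement is believed.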
NOTE: Before enabling SAV with the VLAN option, allocate at least one FP block to the ipmacacl CAM region.

DHCP MAC Source Address Validation

DHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against the client hardware address field (CHADDR) in the payload. The system checks the packet’s source MAC address against the CHADDR field in the DHCP header only for packets from snooped VLANs.
• Enable DHCP MAC SAV.
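The DHCP option format from the table earlier in this chapter, the relay agent's Option 82 insertion, and DHCP MAC source address validation all operate on the same wire format. The following Python is an added example and not Dell Networking OS code: it parses a BOOTP/DHCP payload and its TLV option area, builds a DHCPDISCOVER, inserts Option 82 (circuit-id and remote-id sub-options, with giaddr set) as a relay agent would, and validates the Ethernet source MAC against the chaddr field. The client MACs are taken from the binding-table output above; the transaction ID, interface names, and the policy of dropping client packets that already carry Option 82 are assumptions for the example.

```python
"""DHCP parsing, relay-agent Option 82 and DHCP MAC source address validation
(added example with constructed packets, not Dell Networking OS code)."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_DOMAIN_NAME = 1, 3, 6, 15
OPT_MSG_TYPE, OPT_PARAM_REQUEST, OPT_RELAY_AGENT = 53, 55, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2        # Option 82 sub-options (RFC 3046)
BOOTREQUEST, DHCPDISCOVER = 1, 1

# Client MACs from the binding-table output above; everything else is constructed.
CLIENT_MAC = bytes.fromhex("00004d57f250")
OTHER_MAC = bytes.fromhex("00004d57e6f6")


def parse_options(buf):
    """Walk the TLV option area: Pad (0) has no length byte, End (255) terminates."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} overruns the packet")
        opts[code] = value
        i += 2 + length
    else:
        raise ValueError("option area not terminated by the End option (255)")
    return opts


def serialize_options(opts):
    out = bytearray()
    for code, value in opts.items():
        if len(value) > 255:
            raise ValueError(f"option {code} is too long")
        out += bytes([code, len(value)]) + value
    return bytes(out) + bytes([OPT_END])


def parse_dhcp(payload):
    """Return (op, hlen, chaddr, giaddr, options) from a BOOTP/DHCP payload."""
    if len(payload) < 240:
        raise ValueError("payload shorter than the fixed DHCP header")
    op, _htype, hlen, _hops, _xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    return op, hlen, payload[28:28 + hlen], payload[24:28], parse_options(payload[240:])


def build_discover(mac, xid):
    """Construct a minimal DHCPDISCOVER (htype 1, hlen 6) for the client MAC."""
    fixed = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000)
    fixed += bytes(16)                      # ciaddr, yiaddr, siaddr, giaddr
    fixed += mac + bytes(16 - len(mac))     # chaddr padded to 16 bytes
    fixed += bytes(64 + 128)                # sname, file
    opts = {OPT_MSG_TYPE: bytes([DHCPDISCOVER]),
            OPT_PARAM_REQUEST: bytes([OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_DOMAIN_NAME])}
    return fixed + MAGIC_COOKIE + serialize_options(opts)


def relay_forward(payload, giaddr, circuit_id, remote_id):
    """Relay agent: set giaddr and insert Option 82.  A client packet that
    already carries Option 82 is dropped (None): from an untrusted port it is
    an attempt to forge the relay identity the server bases its policies on."""
    op, _hlen, _chaddr, _gi, opts = parse_dhcp(payload)
    if op != BOOTREQUEST or OPT_RELAY_AGENT in opts:
        return None
    sub = bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    sub += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    opts[OPT_RELAY_AGENT] = sub
    return payload[:24] + bytes(giaddr) + payload[28:240] + serialize_options(opts)


def parse_relay_info(value):
    """Decode the Option 82 sub-option TLVs (no End marker inside the option)."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value) or i + 2 + value[i + 1] > len(value):
            raise ValueError("truncated Option 82 sub-option")
        subs[value[i]] = value[i + 2:i + 2 + value[i + 1]]
        i += 2 + value[i + 1]
    return subs


def dhcp_mac_sav(eth_src_mac, payload):
    """DHCP MAC SAV: for client messages the Ethernet source MAC must equal the
    chaddr in the DHCP header (server replies are not checked here)."""
    op, hlen, chaddr, _gi, _opts = parse_dhcp(payload)
    if op != BOOTREQUEST:
        return True
    return hlen == 6 and chaddr == eth_src_mac
```

A DHCPDISCOVER built for 00:00:4d:57:f2:50 passes dhcp_mac_sav when it arrives from that MAC and fails when sent from 00:00:4d:57:e6:f6, which is exactly the spoofed-chaddr exhaustion attack the check exists to stop; relaying the packet adds circuit-id "Te 0/2" and remote-id "switch-a" under Option 82, and relaying it a second time returns None because the option is already present.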
Viewing the Number of SAV Dropped Packets The following output of the show ip dhcp snooping source-address-validation discard-counters command displays the number of SAV dropped packets.
14 Equal Cost Multi-Path (ECMP) Equal cost multi-path (ECMP) supports multiple paths in next-hop packet forwarding to a destination device. ECMP for Flow-Based Affinity ECMP for flow-based affinity includes link bundle monitoring. Enabling Deterministic ECMP Next Hop Deterministic ECMP next hop arranges all ECMPs in order before writing them into the content addressable memory (CAM). For example, suppose the RTM learns eight ECMPs in the order that the protocols and interfaces came up.
• Specify the hash algorithm seed.
  CONFIGURATION mode
  hash-algorithm seed value [linecard slot-id] [port-set number]
  The range is from 0 to 4095.

Link Bundle Monitoring

Link bundle monitoring allows the system to monitor the use of multiple links for an uneven distribution. A global default threshold of 60% is the usage percentage for the bundle; when the system reaches this threshold, it begins monitoring the configured ECMP groups for uneven distribution.
Creating an ECMP Group Bundle

Within each ECMP group, you can specify an interface. If you enable monitoring for the ECMP group, the utilization calculation is performed when the average utilization of the link bundle (as opposed to a single link within the bundle) exceeds 60%.
1 Create a user-defined ECMP group bundle.
  CONFIGURATION mode
  ecmp-group ecmp-group-id
  The range is from 1 to 64.
2 Add interfaces to the ECMP group bundle.
BGP Multipath Operation with Link Bandwidth

BGP Link Bandwidth (LB) is a way to tell BGP to load-share in an unequal or weighted fashion. LB is an optional, non-transitive Extended Community that indicates the bandwidth of the (external) link in bytes per second. LB is similar to the MED attribute and cannot extend beyond the neighboring AS. The following network diagram depicts a scenario where a 10Gbps link connects the routers R2 and R4 and a 40Gbps link connects the routers R3 and R5:

Figure 36.
 bgp dmzlink-bw
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 no shutdown
 neighbor 4.4.4.2 remote-as 2
 neighbor 4.4.4.2 dmzlink-bw
 neighbor 4.4.4.2 no shutdown
 neighbor 5.5.5.2 remote-as 2
 neighbor 5.5.5.2 dmzlink-bw
 neighbor 5.5.5.2 no shutdown

R3#
interface tengigabitethernet 1/1
 ip address 1.1.1.3/24
 no shutdown
interface fortyGigE 1/48
 ip address 3.3.3.1/24
 no shutdown
router bgp 1
 maximum-paths ebgp 2
 bgp dmzlink-bw
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 no shutdown
 neighbor 3.3.3.
Weighted ECMP for Static Routes

Dell Networking OS also supports weighted ECMP for static routes. You can configure weights corresponding to the paths for a static destination. If all configured paths have weights, traffic distribution is performed using the weighted ECMP method, with the RTM passing these weights to the FIB. If not all configured paths have weights, regular ECMP is used to determine traffic paths.
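The following Python is an added example (not Dell Networking OS code) of the two mechanisms in this section: weighted ECMP, where next-hop slots are filled in proportion to link bandwidth (the 10 Gbps and 40 Gbps paths toward R4 and R5 above, and equally the configured weights of a weighted static route) and a stable hash over the flow keeps flow affinity; and link bundle monitoring, which reports members deviating from the average once the bundle passes the 60% trigger. The hash function, the table size, the 15-point deviation threshold and the sample flows are assumptions.

```python
"""Weighted ECMP next-hop selection and link-bundle monitoring (added example,
not Dell Networking OS code; paths, flows and utilisation figures are constructed)."""
import hashlib
from collections import Counter

# The BGP link-bandwidth scenario above: R4 reached over 10 Gbps, R5 over 40 Gbps.
PATHS = {"R4 (10G)": 10, "R5 (40G)": 40}


def flow_hash(src_ip, dst_ip, proto, sport, dport, seed=0):
    """Stable hash over the 5-tuple; `seed` plays the role of the hash-algorithm
    seed (0 to 4095 on the page) that perturbs the distribution."""
    key = f"{seed}|{src_ip}|{dst_ip}|{proto}|{sport}|{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def build_table(paths, size=1024):
    """Fill a next-hop table with slots proportional to each path's weight:
    link bandwidth for BGP LB, the configured weight for weighted static routes."""
    total = sum(paths.values())
    if total <= 0 or size <= 0:
        raise ValueError("weights and table size must be positive")
    exact = {name: size * w / total for name, w in paths.items()}
    slots = {name: int(v) for name, v in exact.items()}
    # give the rounding remainder to the paths with the largest fractional part
    leftover = size - sum(slots.values())
    for name in sorted(exact, key=lambda n: exact[n] - slots[n], reverse=True)[:leftover]:
        slots[name] += 1
    table = []
    for name, count in slots.items():
        table.extend([name] * count)
    return table


def select_next_hop(table, flow, seed=0):
    """Same flow -> same next hop (flow affinity); the share follows the weights."""
    return table[flow_hash(*flow, seed=seed) % len(table)]


def distribute(paths, flows, seed=0):
    """Count how many of the given flows land on each path."""
    table = build_table(paths)
    return Counter(select_next_hop(table, flow, seed) for flow in flows)


def bundle_imbalance(utilisation, trigger_pct=60.0, deviation_pct=15.0):
    """Link-bundle monitor: once the bundle's average utilisation reaches the
    trigger (60% by default, as on the page), report members whose utilisation
    deviates from the average by more than deviation_pct points (assumed figure)."""
    avg = sum(utilisation.values()) / len(utilisation)
    if avg < trigger_pct:
        return []
    return sorted(name for name, u in utilisation.items() if abs(u - avg) > deviation_pct)


def sample_flows(n=20000):
    """Constructed flows: distinct client addresses to one HTTPS server."""
    return [(f"10.0.{i // 250}.{i % 250 + 1}", "192.0.2.10", 6, 1024 + i % 40000, 443)
            for i in range(n)]


if __name__ == "__main__":
    print(distribute(PATHS, sample_flows()))
    print(bundle_imbalance({"Te 1/1": 92.0, "Te 1/2": 35.0}))
```

With 20000 constructed flows roughly four fifths land on the 40 Gbps path, and the bundle check stays silent while the average utilisation is below the trigger even if one member is noticeably busier, which is the behaviour the 60% threshold above describes.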
15 FCoE Transit The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge. NOTE: FIP snooping is not supported on Fibre Channel interfaces.
FIP enables FCoE devices to discover one another, initialize and maintain virtual links over an Ethernet network, and access storage devices in a storage area network (SAN). FIP satisfies the Fibre Channel requirement for point-to-point connections by creating a unique virtual link for each connection between an FCoE end-device and an FCF via a transit switch. FIP provides functionality for discovering and logging into an FCF.
Figure 37. FIP Discovery and Login Between an ENode and an FCF FIP Snooping on Ethernet Bridges In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is called a FIP snooping bridge (FSB).
Figure 38. FIP Snooping on a Core Switch
The following sections describe how to configure the FIP snooping feature on a switch that functions as a FIP snooping bridge so that it can perform the following functions:
• Allocate CAM resources for FCoE.
• Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis.
FIP Snooping in a Switch Stack
FIP snooping supports switch stacking as follows:
• A switch stack configuration is synchronized with the standby stack unit.
• Dynamic population of the FCoE database (ENode, Session, and FCF tables) is synchronized with the standby stack unit. The FCoE database is maintained by snooping FIP keep-alive messages.
• In case of a failover, the new master switch starts the required timers for the FCoE database tables. Timers run only on the master stack unit.
• To allow FIP frames to pass through the switch on all VLANs, enable FIP snooping globally on a switch.
• A switch can support a maximum of eight FIP snooping VLANs. Configure at least one FCF/bridge-to-bridge port mode interface for any FIP snooping-enabled VLAN.
• You can configure multiple FCF-trusted interfaces in a VLAN.
• When you disable FIP snooping:
– ACLs are not installed, FIP and FCoE traffic is not blocked, and FIP packets are not processed.
Configure a Port for a Bridge-to-Bridge Link
If a switch port is connected to another FIP snooping bridge, configure the FCoE-Trusted Port mode for bridge-to-bridge links. Initially, all FCoE traffic is blocked. Only FIP frames with the ALL_FCF_MAC and ALL_ENODE_MAC values in their headers are allowed to pass. After the switch learns the MAC address of a connected FCF, it allows FIP frames destined to or received from the FCF MAC address.
• The maximum number of FIP snooping sessions supported per ENode server is 32 by default and the maximum number of sessions you can configure is 64. To increase the maximum number of sessions to 64, use the fip-snooping max-sessions-per-enodemac command.
• The maximum number of FCFs supported per FIP snooping-enabled VLAN is twelve.
• The maximum number of FCoE VLANs supported on the switch is eight.
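The bridge-to-bridge rules above (FCoE blocked until a session exists, discovery frames to ALL_FCF_MACs/ALL_ENODE_MACs always passed, FIP to or from a learned FCF passed) and the per-ENode session limit can be modelled as a small filter. This is an added example, not code from the Dell guide or Dell Networking OS; the port names, MAC addresses, VLAN and FC-ID values are constructed, and the FIP operation labels are a simplification of the real FIP descriptors.

```python
"""Added example, not code from the Dell guide: a minimal model of the FIP snooping
bridge rules described above (FCoE blocked until a session exists, ALL_FCF_MACs /
ALL_ENODE_MACs discovery frames always allowed, FIP to or from a learned FCF allowed,
per-ENode session limit).  Ports, MACs, VLAN and FC-ID values are constructed."""
from dataclasses import dataclass, field

# Well-known FIP group addresses (FC-BB-5) and the FIP / FCoE EtherTypes.
ALL_ENODE_MACS = "01:10:18:01:00:01"
ALL_FCF_MACS = "01:10:18:01:00:02"
ETH_FIP, ETH_FCOE = 0x8914, 0x8906


def fpma(fc_id: int, fc_map: int = 0x0EFC00) -> str:
    """Fabric-provided MAC: the 24-bit FC-MAP followed by the 24-bit FC-ID."""
    raw = (fc_map << 24) | fc_id
    return ":".join(f"{(raw >> s) & 0xFF:02x}" for s in range(40, -1, -8))


@dataclass(frozen=True)
class Frame:
    ethertype: int
    src: str
    dst: str
    vlan: int
    port: str           # ingress port on the snooping bridge
    fip_op: str = ""    # constructed label: FCF_ADV, SOL, FLOGI, FLOGI_ACC, FDISC_ACC, FLOGO_ACC, CVL
    fcoe_mac: str = ""  # FPMA granted by a FLOGI/FDISC accept or released by a FLOGO accept


@dataclass
class FipSnoopingBridge:
    fcf_ports: set                      # ports in FCF / bridge-to-bridge (trusted) mode
    max_sessions_per_enode: int = 32    # default limit quoted in the guide
    fcfs: dict = field(default_factory=dict)      # FCF MAC -> (port, vlan)
    sessions: dict = field(default_factory=dict)  # FPMA -> (enode MAC, fcf MAC, vlan)

    def handle(self, f: Frame) -> str:
        """Return 'permit' or 'drop:<reason>', updating the snooped state on the way."""
        if f.ethertype == ETH_FIP:
            return self._fip(f)
        if f.ethertype == ETH_FCOE:
            return self._fcoe(f)
        return "permit"     # ordinary Ethernet traffic is not subject to the FCoE ACLs

    def _fip(self, f: Frame) -> str:
        if f.fip_op == "FCF_ADV":
            if f.port not in self.fcf_ports:    # FCFs are learned only via trusted ports
                return "drop:untrusted-fcf"
            self.fcfs[f.src] = (f.port, f.vlan)
            return "permit"
        if f.dst in (ALL_FCF_MACS, ALL_ENODE_MACS):
            return "permit"     # solicitation / discovery is allowed before any FCF is known
        if f.src not in self.fcfs and f.dst not in self.fcfs:
            return "drop:fip-unknown-fcf"
        if f.src in self.fcfs:          # replies from the FCF drive the session table
            enode = f.dst
            if f.fip_op in ("FLOGI_ACC", "FDISC_ACC"):
                active = sum(1 for s in self.sessions.values() if s[0] == enode)
                if active >= self.max_sessions_per_enode:
                    return "drop:max-sessions-per-enode"
                self.sessions[f.fcoe_mac] = (enode, f.src, f.vlan)
            elif f.fip_op == "FLOGO_ACC":
                self.sessions.pop(f.fcoe_mac, None)
            elif f.fip_op == "CVL":     # simplified: clear every session of that ENode
                self.sessions = {m: s for m, s in self.sessions.items() if s[0] != enode}
        return "permit"

    def _fcoe(self, f: Frame) -> str:
        # FCoE data passes only between a granted FPMA and its own FCF, on the session VLAN.
        s = self.sessions.get(f.src)
        if s and s[1] == f.dst and s[2] == f.vlan:
            return "permit"
        s = self.sessions.get(f.dst)
        if s and s[1] == f.src and s[2] == f.vlan:
            return "permit"
        return "drop:no-session"


def demo() -> list:
    """Walk one ENode through discovery, login, data transfer and clear-virtual-link."""
    fcf, enode, vlan = "00:05:73:aa:bb:01", "00:1b:21:cc:dd:02", 10
    br = FipSnoopingBridge(fcf_ports={"te1/1"}, max_sessions_per_enode=1)
    mac = fpma(0x010001)
    frames = [
        Frame(ETH_FIP, fcf, ALL_ENODE_MACS, vlan, "te1/7", "FCF_ADV"),   # advert on untrusted port
        Frame(ETH_FIP, enode, ALL_FCF_MACS, vlan, "te1/5", "SOL"),       # ENode solicitation
        Frame(ETH_FIP, enode, fcf, vlan, "te1/5", "FLOGI"),              # FCF not learned yet
        Frame(ETH_FIP, fcf, ALL_ENODE_MACS, vlan, "te1/1", "FCF_ADV"),   # advert on trusted port
        Frame(ETH_FIP, enode, fcf, vlan, "te1/5", "FLOGI"),
        Frame(ETH_FCOE, mac, fcf, vlan, "te1/5"),                        # data before the accept
        Frame(ETH_FIP, fcf, enode, vlan, "te1/1", "FLOGI_ACC", mac),
        Frame(ETH_FCOE, mac, fcf, vlan, "te1/5"),
        Frame(ETH_FCOE, mac, fcf, 20, "te1/5"),                          # wrong VLAN
        Frame(ETH_FIP, fcf, enode, vlan, "te1/1", "FDISC_ACC", fpma(0x010002)),  # over the limit
        Frame(ETH_FIP, fcf, enode, vlan, "te1/1", "CVL"),
        Frame(ETH_FCOE, mac, fcf, vlan, "te1/5"),                        # session cleared
    ]
    return [br.handle(f) for f in frames]
```

The session tuple mirrors the ENode MAC, FCF MAC, VLAN and FCoE MAC columns of show fip-snooping sessions; the FPMA is the default FC-MAP 0x0EFC00 followed by the FC-ID.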
Displaying FIP Snooping Information
Use the following show commands to display information on FIP snooping.
Table 30. Displaying FIP Snooping Information
Command | Output
show fip-snooping sessions [interface vlan vlan-id] | Displays information on FIP-snooped sessions on all VLANs or a specified VLAN, including the ENode interface and MAC address, the FCF interface and MAC address, VLAN ID, FCoE MAC address and FCoE session ID number (FC-ID), worldwide node name (WWNN) and the worldwide port name (WWPN).
Table 31. show fip-snooping sessions Command Description
Field | Description
ENode MAC | MAC address of the ENode.
ENode Interface | Slot/port number of the interface connected to the ENode.
FCF MAC | MAC address of the FCF.
FCF Interface | Slot/port number of the interface to which the FCF is connected.
VLAN | VLAN ID number used by the session.
FCoE MAC | MAC address of the FCoE session assigned by the FCF.
FC-ID | Fibre Channel ID assigned by the FCF.
Port WWPN | Worldwide port name of the CNA port.
Table 33. show fip-snooping fcf Command Description
Field | Description
FCF MAC | MAC address of the FCF.
FCF Interface | Slot/port number of the interface to which the FCF is connected.
VLAN | VLAN ID number used by the session.
FC-MAP | FC-Map value advertised by the FCF.
ENode Interface | Slot/port number of the interface connected to the ENode.
FKA_ADV_PERIOD | Period of time (in milliseconds) during which FIP keep-alive advertisements are transmitted.
No of ENodes | Number of ENodes connected to the FCF.
The following example shows the show fip-snooping statistics port-channel command.
Field | Description
Number of FDISC Accepts | Number of FIP FDISC accept frames received on the interface.
Number of FDISC Rejects | Number of FIP FDISC reject frames received on the interface.
Number of FLOGO Accepts | Number of FIP FLOGO accept frames received on the interface.
Number of FLOGO Rejects | Number of FIP FLOGO reject frames received on the interface.
Number of CVLs | Number of FIP clear virtual link frames received on the interface.
FCoE Transit Configuration Example
The following illustration shows a core switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway.
Figure 39. Configuration Example: FIP Snooping on a Core Switch
In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
Example of Enabling an FC-MAP Value on a VLAN
Dell(conf-if-vl-10)# fip-snooping fc-map 0x0EFC01
NOTE: Configuring an FC-MAP value is only required if you do not use the default FC-MAP value (0x0EFC00).
16 FIPS Cryptography
Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms.
Enabling FIPS Mode
To enable or disable FIPS mode, use the console port. Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied. When you enable FIPS mode, the following actions are taken:
• If enabled, the SSH server is disabled.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
System MAC : 00:01:e8:8a:ff:0c
Reload Type : normal-reload [Next boot : normal-reload]
-- Unit 0 --
Unit Type : Management Unit
Status : online
Next Boot : online
Required Type : C9010 - 48-port GE/TE/FG (SE)
Current Type : C9010 - 48-port GE/TE/FG (SE)
Master priority : 0
Hardware Rev : 3.
Num Ports :
Up Time :
Dell Version :
Jumbo Capable :
POE Capable :
FIPS Mode :
Burned In MAC :
No Of MACs :
...
17 Flex Hash and Optimized Boot-Up
This chapter describes the Flex Hash and fast-boot enhancements.
Topics:
• Flex Hash Capability Overview
• Configuring the Flex Hash Mechanism
• LACP Fast Switchover
• Configuring LACP Fast Switchover
• LACP
• RDMA Over Converged Ethernet (RoCE) Overview
• Sample Configurations
• Preserving 802.
When load balancing RRoCE packets using flex hash is enabled, the show ip flow command is disabled. Similarly, when the show ip flow command is in use (ingress port-based load balancing is disabled), the hashing of RRoCE packets is disabled. Flex hash APIs do not mask out unwanted byte values after extraction of the data from the Layer 4 headers for the offset value.
RRoCE packets are received and transmitted on specific interfaces called lite-subinterfaces. These interfaces are similar to the normal Layer 3 physical interfaces except for the extra provisioning that they offer to enable the VLAN ID for encapsulation. You can configure a physical interface or a Layer 3 Port Channel interface as a lite subinterface. When you configure a lite subinterface, only tagged IP packets with VLAN encapsulation are processed and routed. All other data packets are discarded.
Sample Configurations
Figure 40.
Description Link to RoCE Adapter
no ip address
mtu 9216
portmode hybrid
switchport
no spanning-tree
!
protocol lldp
dcbx port-role auto-downstream
no shutdown
!
interface fortyGigE 0/33
Description "To C9010s"
no ip address
mtu 9216
!
port-channel-protocol LACP
port-channel 1 mode active
!
protocol lldp
no advertise dcbx-tlv ets-reco
dcbx port-role auto-upstream
no shutdown

C9010 1 and C9010 2, VLT, RoCE, and iSCSI
!
dcb-map converged
Description DCB map for C9010 interlinks
priority-group 0 bandwidth 30 pf
interface fortyGigE 1/4
no ip address
mtu 9216
dcb-map Converged
protocol lldp
no shutdown

C9010 2
vlt domain 2
peer-link port-channel 128
back-up destination
interface Port-channel 128
no ip address
mtu 9216
channel-member fortyGigE 1/4
no shutdown
interface fortyGigE 1/4
no ip address
mtu 9216
dcb-map Converged
protocol lldp
no shutdown
Description from MXL B1 Switch
no ip address
mtu 9216
dcb-map RoCE
!
port-channel-protocol LACP
port-channel 50 mode active
!
protocol lldp
no shutdown
Description SOFS- iSCSI
no ip address
mtu 9216
portmode hybrid
switchport
spanning-tree rstp edge-port
spanning-tree 0 portfast
dcb-map iSCSI
!
protocol lldp
no shutdown

Preserving 802.1Q VLAN Tag Value for Lite Subinterfaces
All the frames in a Layer 2 VLAN are identified using a tag defined in the IEEE 802.1Q standard to determine the VLAN to which the frames or traffic are relevant or associated. Such frames are encapsulated with the 802.1Q tags.
18 Force10 Resilient Ring Protocol (FRRP)
Force10 resilient ring protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node.
Ring Status
The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure.
Ring Checking
At specified intervals, the Master node sends a ring health frame (RHF) through the ring.
Member VLAN Spanning Two Rings Connected by One Switch
A member VLAN can span two rings interconnected by a common switch, in a figure-eight style topology. A switch can act as a Master node for one FRRP group and a Transit for another FRRP group, or it can be a Transit node for both rings. In the following example, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups.
Important FRRP Concepts
The following table lists some important FRRP concepts.
Concept | Explanation
Ring ID | Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202, as shown in the illustration in Member VLAN Spanning Two Rings Connected by One Switch).
Control VLAN | Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose.
FRRP Configuration
These are the tasks to configure FRRP.
• Creating the FRRP Group
• Configuring the Control VLAN
– Configure Primary and Secondary ports
• Configuring and Adding the Member VLANs
– Configure Primary and Secondary ports
Other FRRP related commands are:
• Clearing the FRRP Counters
• Viewing the FRRP Configuration
• Viewing the FRRP Information
Creating the FRRP Group
Create the FRRP group on each switch in the ring. To create the FRRP group, use the command.
VLAN ID: from 1 to 4094.
2 Tag the specified interface or range of interfaces to this VLAN.
CONFIG-INT-VLAN mode.
tagged interface slot/port {range}
Interface:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Slot/Port, Range: Slot and Port ID for the interface. Range is entered Slot/Port-Port.
interface vlan vlan-id
VLAN ID: the range is from 1 to 4094.
2 Tag the specified interface or range of interfaces to this VLAN.
CONFIG-INT-VLAN mode.
tagged interface slot/port {range}
Interface:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• Slot/Port, range: Slot and Port ID for the interface. The range is entered Slot/Port-Port.
Clearing the FRRP Counters
To clear the FRRP counters, use one of the following commands.
• Clear the counters associated with this Ring ID.
EXEC PRIVILEGE mode.
clear frrp ring-id
Ring ID: the range is from 1 to 255.
• Clear the counters associated with all FRRP groups.
EXEC PRIVILEGE mode.
clear frrp
Viewing the FRRP Configuration
To view the configuration for the FRRP group, use the following command.
• Show the configuration for this FRRP group.
CONFIG-FRRP mode.
• There can be only one Master node for any FRRP group.
• You can configure FRRP on Layer 2 interfaces only.
• Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
– When the interface ceases to be a part of any FRRP process, if you enable Spanning Tree globally, also enable it explicitly for the interface.
• The maximum number of rings allowed on a chassis is 255.
Example of R3 TRANSIT
interface TengigabitEthernet 3/14
no ip address
switchport
no shutdown
!
interface TengigabitEthernet 3/21
no ip address
switchport
no shutdown
!
interface Vlan 101
no ip address
tagged TengigabitEthernet 3/14,21
no shutdown
!
interface Vlan 201
no ip address
tagged TengigabitEthernet 3/14,21
no shutdown
!
protocol frrp 101
interface primary TengigabitEthernet 3/21 secondary TengigabitEthernet 3/14
control-vlan 101
member-vlan 201
mode transit
no disable
FRRP Support on VLT
Using FRRP
This active-active FRRP configuration blocks the FRRP ring on a per-VLAN or VLAN-group basis, enabling the configuration to span different sets of VLANs. The FRRP configuration where VLTi nodes act as the primary or secondary interfaces ensures that all the optics used to connect VLT domains across data centers are fully utilized.
Figure 42. FRRP Ring using VLTi links
Important Points to Remember
• VLTi can be configured only as the primary interface for the primary interface of any FRRP ring.
• Only RSTP and PVST are supported in the VLT environment. Enabling either RSTP or PVST affects FRRP functionality even though these features are disabled on FRRP-enabled interfaces.
• Dell Networking OS does not support coexistence of xSTP and FRRP configurations.
19 GARP VLAN Registration Protocol (GVRP)
GARP VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN.
Configure GVRP
To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports.
Figure 43.
Enabling GVRP Globally
To configure GVRP globally, use the following command.
• Enable GVRP for the entire switch.
CONFIGURATION mode
gvrp enable
Example of Configuring GVRP
Dell(conf)#protocol gvrp
Dell(config-gvrp)#no disable
Dell(config-gvrp)#show config
!
protocol gvrp
no disable
Dell(config-gvrp)#
To inspect the global configuration, use the show gvrp brief command.
Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
Based on the configuration in the following example, the interface 1/21 is not removed from VLAN 34 or VLAN 35 despite receiving a GVRP Leave message. Additionally, the interface is not dynamically added to VLAN 45 or VLAN 46, even if a GVRP Join message is received.
20 High Availability (HA)
High availability (HA) is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions.
Online Insertion and Removal
You can add, replace, or remove chassis components (RPMs, line cards, fan modules, power supplies) while the switch is operating. C9010 RPMs and line cards are hot-swappable. Use the information in this section when inserting an RPM or line card in the C9010 chassis. For more information about how to install an RPM or line card in the C9010, see the C9010 Getting Started Guide or C9010 Installation Guide.
Dell# show linecard 3
-- Linecard 3 --
Status : not present
Required Type : C9000LC2410G - 24-port TE/GE
Replacing a Line Card
To replace a line card with a line card of the same type, you can remove the old card and insert a new card without any additional configuration. To replace a line card with a different card type, remove the card and then remove the existing line-card configuration for the slot using the command no linecard slot-id provision.
The following protocols are hitless: • 802.1X (802.
Core Dumps
A core dump is the contents of RAM a program uses at the time of a software exception and identifies the cause of the exception. There are two types of core dumps: application and kernel.
• Kernel core dump — the kernel is the central component of an OS that manages system processors and memory allocation and makes these facilities available to applications. A kernel core dump is the contents of the memory the kernel uses at the time of an exception.
To display the reason for the last control-plane failover on the chassis, enter the show redundancy command in EXEC Privilege mode.
NOTE: You can also force the port extender to failover from the RPM, using the redundancy force-failover pe peid command in EXEC Privilege mode.
Example of the redundancy force-failover rpm Command
Dell#redundancy force-failover rpm
Dell#redundancy force-failover pe pe-id
Specifying an Auto-Failover Limit
When a non-recoverable fatal error is detected, an automatic failover occurs. However, the Dell Networking OS is configured to auto-failover only three times within any 60-minute period.
21 Internet Group Management Protocol (IGMP)
Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 44. IGMP Messages in IP Packets
Join a Multicast Group
There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier.
Responding to an IGMP Query
The following describes how a host can join a multicast group.
1 One router on a subnet is elected as the querier. The querier periodically multicasts (to the all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
IGMP Version 3
Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences.
• Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers.
• To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Figure 46. IGMP Version 3–Capable Multicast Routers Address Structure
Joining and Filtering Groups and Sources
The following illustration shows how multicast routers maintain the group and source information from unsolicited reports.
1 The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2 The host's second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 47. Membership Reports: Joining and Filtering
Leaving and Staying in Groups
The following illustration shows how multicast routers track and refresh state changes in response to group-and-source-specific and general queries.
1 Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filters for 10.11.1.1 and 10.11.1.2 are no longer necessary.
Figure 48. Membership Queries: Leaving and Staying
Configure IGMP
Configuring IGMP is a two-step process.
1 Enable multicast routing using the ip multicast-routing command.
2 Enable a multicast routing protocol.
Viewing IGMP Enabled Interfaces
Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command.
• View IGMP-enabled interfaces.
EXEC Privilege mode
show ip igmp interface
Example of the show ip igmp interface Command
Dell(conf-if-te-1/0)#show ip igmp interface tengigabitethernet 1/0
TenGigabitEthernet 1/0
Inbound IGMP access group is not set
Internet address is 1.1.1.
• View both learned and statically configured IGMP groups.
EXEC Privilege mode
show ip igmp groups
Example of the show ip igmp groups Command
Dell#show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address  Interface               Mode           Uptime    Expires   Last Reporter
225.1.1.1      TenGigabitEthernet 1/0  IGMPv2-Compat  00:00:06  00:02:03  1.1.1.2
225.1.1.2      TenGigabitEthernet 1/0  IGMPv2-Compat  00:00:06  00:02:03  1.1.1.
• Enable IGMP snooping on a switch.
CONFIGURATION mode
ip igmp snooping enable
• View the configuration.
CONFIGURATION mode
show running-config
• Disable snooping on a VLAN.
Disabling Multicast Flooding If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. When you configure the no ip igmp snooping flood command, the system drops the packets immediately. The system does not forward the frames on mrouter ports, even if they are present. Disable Layer 3 multicast (no ip multicast-routing) in order to disable multicast flooding.
Adjusting the Last Member Query Interval To adjust the last member query interval, use the following command. When the querier receives a Leave message from a receiver, it sends a group-specific query out of the ports specified in the forwarding table. If no response is received, it sends another. The amount of time that the querier waits to receive a response to the initial query before sending a second one is the last member query interval (LMQI).
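The join, source-filter and leave sequence from the IGMP version 3 walkthrough above, together with the last member query interval, can be replayed against a small model of the router-side state on one interface. This is an added example, not code from the Dell guide or Dell Networking OS; it keeps one filter per host and group and forwards a source when any host's filter accepts it, with the host names constructed and the LMQI timer reduced to a single countdown per group.

```python
"""Added example, not code from the Dell guide: a simplified model of the
router-side IGMPv3 state described in the join/filter/leave walkthrough and
in the last member query interval (LMQI) section.  Group 224.1.1.1 and sources
10.11.1.1 / 10.11.1.2 follow the guide's figures; host names are constructed
and timer handling is reduced to one countdown per group."""
from dataclasses import dataclass, field

INCLUDE, EXCLUDE = "INCLUDE", "EXCLUDE"


@dataclass(frozen=True)
class Report:
    host: str
    group: str
    mode: str                         # INCLUDE or EXCLUDE (source filter mode)
    sources: frozenset = frozenset()  # INCLUDE with no sources means "leave"


@dataclass
class IgmpInterface:
    last_member_query_interval: int = 1   # seconds between group-specific queries (LMQI)
    last_member_query_count: int = 2      # queries sent before the group is pruned
    members: dict = field(default_factory=dict)   # group -> {host: (mode, sources)}
    leaving: dict = field(default_factory=dict)   # group -> seconds left before pruning
    queries_sent: list = field(default_factory=list)

    def receive_report(self, r: Report) -> None:
        hosts = self.members.setdefault(r.group, {})
        if r.mode == INCLUDE and not r.sources:
            hosts.pop(r.host, None)           # that host's filters are no longer needed
            if not hosts:
                # Last known member left: send a group-specific query and keep
                # forwarding until LMQI * count elapses with no further report.
                self.queries_sent.append(("group-specific", r.group))
                self.leaving[r.group] = (self.last_member_query_interval
                                         * self.last_member_query_count)
            return
        hosts[r.host] = (r.mode, frozenset(r.sources))
        self.leaving.pop(r.group, None)       # a fresh report cancels a pending prune

    def tick(self, seconds: int) -> None:
        """Advance the leave timers; prune groups whose queries went unanswered."""
        for group in list(self.leaving):
            self.leaving[group] -= seconds
            if self.leaving[group] <= 0:
                del self.leaving[group]
                if not self.members.get(group):
                    self.members.pop(group, None)

    def forwards(self, group: str, source: str) -> bool:
        """True when traffic from `source` to `group` is sent out of this interface."""
        if group in self.leaving:
            return True                       # still waiting for replies to the query
        return any(source in srcs if mode == INCLUDE else source not in srcs
                   for mode, srcs in self.members.get(group, {}).values())


def walkthrough() -> list:
    """Replay the guide's sequence and record (source 1, source 2) forwarding decisions."""
    G, S1, S2 = "224.1.1.1", "10.11.1.1", "10.11.1.2"
    i = IgmpInterface()
    steps = []
    i.receive_report(Report("host1", G, EXCLUDE))                   # unsolicited join
    steps.append((i.forwards(G, S1), i.forwards(G, S2)))
    i.receive_report(Report("host1", G, INCLUDE, frozenset({S1})))  # only S1 wanted
    steps.append((i.forwards(G, S1), i.forwards(G, S2)))
    i.receive_report(Report("host2", G, INCLUDE, frozenset({S2})))  # second host wants S2
    steps.append((i.forwards(G, S1), i.forwards(G, S2)))
    i.receive_report(Report("host1", G, INCLUDE))                   # host1 leaves
    steps.append((i.forwards(G, S1), i.forwards(G, S2)))
    i.receive_report(Report("host2", G, INCLUDE))                   # last member leaves
    steps.append((i.forwards(G, S1), i.forwards(G, S2)))            # still forwarding
    i.tick(i.last_member_query_interval * i.last_member_query_count)
    steps.append((i.forwards(G, S1), i.forwards(G, S2)))            # pruned
    return steps
```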
22 Interfaces
This chapter describes interface types, both physical and logical, and how to configure them on the switch.
• 1-Gigabit Ethernet, 10-Gigabit Ethernet and 40-Gigabit Ethernet interfaces are supported on the C9010 switch and 1-Gigabit Ethernet C1048P port extender.
• Management Interfaces
• Port Extender Interfaces
• VLAN Interfaces
• Loopback Interfaces
• Null Interfaces
• Port Channel Interfaces
• Bulk Configuration
• Defining Interface Range Macros
• Monitoring and Maintaining Interfaces
• Displaying Traffic Statistics on HiGig Ports
• Link Bundle Monitoring
• Monitoring HiGig Link Bundles
• Non Dell-Qualified Transceivers
• Splitting QSFP Ports to SFP+ Ports
• Configuring wavelength for 10-Gigabit SFP+ optics
• Link Dampening
• Usi
Figure 49. C9010 Slot Numbering
To configure a C9010 port, specify the interface with the command syntax:
interface {TenGigabitEthernet | fortyGigE} slot/port-number
• The slot is a chassis slot number from 0 to 11.
• port-number is a linecard port number from 0 to 23 or an RPM port number from 0 to 3.
NOTE: For slots 10 and 11, the port number is from 0 to 3 only.
On the C9010, port interface numbers are written above the ports.
NOTE: To locate a 4x10G port, enter the system location-led interface {fortyGigE | tengigabitethernet} slot/port on command. The 4x10G port LED turns solid blue.
Figure 51. 1/10GbE SFP+ Port Numbering
On the 1/10GbE SFP+ line card, ports are numbered from 0 to 23 and operate in 1/10G mode.
Figure 52. 1/10GbE RJ-45 Port Numbering
On the 1/10GbE RJ-45 line card, ports are numbered from 0 to 23 and operate in 1/10G mode.
Figure 53.
interface peGigE pe-id/pe-stack-unit-id/port-number
• pe-id is a port-extender ID number from 0 to 255.
• pe-stack-unit-id is a PE stack-unit number from 0 to 7.
• port-number is a port number from 1 to 48.
interface peTenGigE pe-id/unit-number/port-id
• pe-id is a port-extender ID number from 0 to 255.
• unit-number is a PE stack-unit number from 0 to 7.
• port-id is from 25 to 28 or 49 to 52, depending on the PE.
show interfaces
This command has options to display the interface status, IP and MAC addresses, and multiple counters for the amount and type of traffic passing through the interface. If you configured a port channel interface, this command lists the interfaces configured in the port channel.
NOTE: To end output from the system, such as the output from the show interfaces command, enter CTRL+C. The system returns you to the command prompt.
DHCP Client-ID :6cc000430991
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed auto, Mode auto
Auto-mdix enabled, ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 1d18h43m
Queueing strategy: fifo
Input Statistics:
0 packets, 0 bytes
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
0 Multicasts, 0 Broadcasts, 0 Unicasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output Statistics:
0 packets,
To view only configured interfaces, use the show interfaces configured command in EXEC Privilege mode. To determine which physical interfaces are available, use the show running-config command in EXEC mode. This command displays all physical interfaces available on the line cards.
Dell#show running
Current Configuration ...
All the applied configurations are removed and the interface is set to the factory default state.
Enabling a Physical Interface
After determining the type of physical interfaces available, enter INTERFACE mode to enable and configure the interfaces by using the interface interface {slot/port | pe-id/stack-unit/port} command.
1 Enter the keyword interface then the type of interface and slot/port information.
show interfaces [interface | stack-unit stack-unit-number] status
2 Determine the remote interface status.
EXEC mode or EXEC Privilege mode
[Use the command on the remote system that is equivalent to the first command.]
3 Access CONFIGURATION mode.
EXEC Privilege mode
config
4 Access the port.
CONFIGURATION mode
interface interface-type
5 Set the local port speed.
Table 37. Layer Modes
Type of Interface | Possible Modes | Requires Creation | Default State
10-Gigabit Ethernet and 40-Gigabit Ethernet | Layer 2 | No | Shutdown (disabled)
Management | N/A | No | Shutdown (disabled)
PE Gigabit Ethernet | Layer 2 | No | Shutdown (disabled)
Loopback | Layer 3 | Yes | No shutdown (enabled)
Null interface | N/A | No | Enabled
Port Channel | Layer 2 | Yes | Shutdown (disabled)
Yes, except for the default VLAN.
For information about enabling and configuring the Spanning Tree Protocol, refer to Spanning Tree Protocol (STP). To view the interfaces in Layer 2 mode, use the show interfaces switchport command in EXEC mode.
Configuring Layer 3 (Network) Mode
When you assign an IP address to a physical interface, you place it in Layer 3 mode. To enable Layer 3 mode on an individual interface, use the following commands.
To view all interfaces with an IP address assigned, use the show ip interfaces brief command in EXEC mode, as shown in View Basic Interface Information. To view IP information on an interface in Layer 3 mode, use the show ip interface command in EXEC Privilege mode.
Dell>show ip int vlan 58
Vlan 58 is up, line protocol is up
Internet address is 1.1.49.1/24
Broadcast address is 1.1.49.
Management Interfaces
The switch supports the Management Ethernet interface as well as the standard interface on any port. You can use either method to connect to the system.
Configuring a Dedicated Management Interface
The dedicated Management interface provides management access to the system. You can configure this interface using the CLI, but the configuration options on this interface are limited.
Input 791 packets, 62913 bytes, 775 multicast
Received 0 errors, 0 discarded
Output 21 packets, 3300 bytes, 20 multicast
Output 0 errors, 0 invalid protocol
Time since last interface status change: 00:06:03
Unless you configure the management route command, you can only access the Management interface from the local LAN. To access the Management interface from another LAN, configure the management route command to point to the Management interface.
B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated,
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2,
E1 - OSPF external type 1, E2 - OSPF external type 2,
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area,
* - candidate default, > - non-active route, + - summary route
Gateway of last resort is not set
Destination
-----------
C 6.1.1.0/24
C 10.1.1.0/24
*S 0.0.0.
NOTE: You cannot simultaneously use egress rate shaping and ingress rate policing on the same VLAN. The system supports Inter-VLAN routing (Layer 3 routing in VLANs). You can add IP addresses to VLANs and use them in routing protocols in the same manner that physical interfaces are used. For more information about configuring different routing protocols, refer to the chapters on the specific protocol.
Null Interfaces
The Null interface is another virtual interface. There is only one Null interface. It is always up, but no traffic is transmitted through this interface. To enter INTERFACE mode of the Null interface, use the following command.
• Enter INTERFACE mode of the Null interface.
CONFIGURATION mode
interface null 0
The only configurable command in INTERFACE mode of the Null interface is the ip unreachable command.
Up to 128 port-channels with sixteen 10GbE or 40GbE port members per channel are supported. As soon as you configure a port channel, the system treats it like a physical interface. For example, IEEE 802.1Q tagging is maintained while the physical interface is in the port channel. Member ports of a LAG are added and programmed into the hardware in a predictable order based on the port ID, instead of in the order in which the ports come up.
interface port-channel id-number
2 Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown
After you enable the port channel, you can place it in Layer 2 or Layer 3 mode. To place the port channel in Layer 2 mode, use the switchport command; to place it in Layer 3 mode, configure an IP address. NOTE: L3 is not supported on port extender (PE) ports or on port-channels when they have PE ports as members.
2 L2L3 up 00:06:03 Te 1/12 (Up) Te 1/7 (Up) * Te 1/8 (Up) Te 1/13 (Up) Te 1/14 (Up)
Dell#

To view a summary of the port channel's status, use the show interfaces port-channel brief command.
channel. In the following example, interface TengigabitEthernet 1/6 is part of port channel 5, which is in Layer 2 mode, and an error message appeared when an IP address was configured.
Dell(conf-if-portch)#show config
!
interface Port-channel 5
 no ip address
 switchport
 channel-member TengigabitEthernet 1/6
Dell(conf-if-portch)#int te 1/6
Dell(conf-if)#ip address 10.56.4.4 /24
% Error: Port is part of a LAG Te 1/6.
• Enter the number of links in a LAG that must be in "oper up" status. INTERFACE mode minimum-links number The default is 1.
Example of Configuring the Minimum Oper Up Links in a Port Channel
Dell#config t
Dell(conf)#int po 1
Dell(conf-if-po-1)#minimum-links 5
Dell(conf-if-po-1)#

Adding or Removing a Port Channel from a VLAN
As with other interfaces, you can add Layer 2 port channel interfaces to VLANs.
– secondary: the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses. Deleting or Disabling a Port Channel To delete or disable a port channel, use the following commands. • Delete a port channel. CONFIGURATION mode no interface portchannel channel-number • Disable a port channel. shutdown When you disable a port channel, all interfaces within the port channel are operationally down also.
Example of the hash-algorithm Command
Dell(conf)#hash-algorithm ecmp xor1 lag crc16
Dell(conf)#

The hash-algorithm command is specific to the ECMP group. The default ECMP hash configuration is crc-lower. This command takes the lower 32 bits of the hash key to compute the egress port. Other options for ECMP hash-algorithms are: • crc-upper — uses the upper 32 bits of the hash key to compute the egress port. • dest-ip — uses the destination IP address as part of the hash key.
Create a Single-Range
The following is an example of a single range.
Dell(config)# interface range tengigabitethernet 0/1 - 23
Dell(config-if-range-te-0/1-23)# no shutdown
Dell(config-if-range-te-0/1-23)#

The following is an example of a single range on PE ports.
Dell(config)#interface range peGigE 1/0/4-47
Dell(conf-if-range-pegi-1/0/4-47)# no shut
Dell(conf-if-range-pegi-1/0/4-47)#

Create a Multiple-Range
The following is an example of a multiple range.
Add Ranges
The following example shows how to use commas to add VLAN and port-channel interfaces to the range.
Dell(conf)#int range te5/1-23 , te1/1 - 2
Dell(conf-if-range-te-1/1-2,te-5/1-23)#interface range vlan 2 - 100 , Port 1 - 25
Dell(conf-if-range-vl-2-100,po-1-25)#

Interface Range Enhancements
Inserting a space between comma-separated interfaces and interface ranges in interface range command syntax is no longer required.
Monitoring and Maintaining Interfaces
Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, and so on. To view the interface's statistics, use the following command. • View the interface's statistics. EXEC Privilege mode Enter the type of interface and slot/port information: – For the Management interface, enter the keyword ManagementEthernet then the slot/port information.
q - Quit
q
Dell#

Maintenance Using TDR
The time domain reflectometer (TDR) is supported on all Dell Networking switch/routers. TDR is an assistance tool to resolve link issues that helps detect obvious open or short conditions within any of the four copper pairs. TDR sends a signal onto the physical cable and examines the reflection of the signal that returns.
Link Bundle Monitoring Monitoring linked LAG bundles allows traffic distribution amounts in a link to be monitored for unfair distribution at any given time. A threshold of 60% is defined as an acceptable amount of traffic on a member link. Links are monitored in 15-second intervals for three consecutive instances.
You can enable the capability to detect uneven traffic distribution in the member links of a HiGig link bundle on a line-card or SFM NPU. You can also enable a notification to be sent using alarms and SNMP traps. The algorithm used to determine uneven distribution of traffic is predefined. Monitoring HiGig link bundles allows you to view and analyze unequal traffic flow in backplane port channels and take corrective action.
threshold. If unevenness is recorded for three consecutive measurements, an alarm event is generated. The rate interval defines the time interval between measurements. Enabling HiGig Link-Bundle Monitoring To enable the monitoring of HiGig link bundles, follow these steps. 1 Enable the monitoring of traffic distribution on the member links in a HiGig link bundle (port-channel).
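The detection rule above (a member link carrying more than the 60% acceptable share, sampled every 15-second rate interval, with three consecutive uneven measurements raising an alarm) can be checked offline against counters collected from the switch. The following Python is an added example written for this guide, not Dell Networking OS code; the real algorithm is predefined inside the OS and not published here, so treating "above 60% of the bundle's bytes in one interval" as uneven, and resetting the run on any even interval, are assumptions of this example. The member names and byte counts are constructed.

```python
"""Uneven traffic-distribution detector for a link bundle (added example, not Dell Networking OS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

THRESHOLD_PCT = 60.0     # acceptable share of bundle traffic on one member link (from the page)
CONSECUTIVE_LIMIT = 3    # uneven measurements in a row before an alarm (from the page)
RATE_INTERVAL_SEC = 15   # seconds between measurements (from the page)


@dataclass
class BundleMonitor:
    """Tracks per-member byte counts for one bundle and alarms on sustained unevenness."""
    members: List[str]
    threshold_pct: float = THRESHOLD_PCT
    consecutive_limit: int = CONSECUTIVE_LIMIT
    strikes: Dict[str, int] = field(default_factory=dict)   # member -> consecutive uneven measurements
    alarms: List[str] = field(default_factory=list)

    def measure(self, t_sec: int, bytes_per_member: Dict[str, int]) -> Optional[str]:
        """Record one rate interval; return the alarm text if an alarm is raised now, else None."""
        total = sum(bytes_per_member.get(m, 0) for m in self.members)
        if total == 0:
            self.strikes.clear()      # idle bundle: there is no distribution to judge
            return None
        raised = None                 # at most one member can exceed 60% of the total
        for m in self.members:
            share = 100.0 * bytes_per_member.get(m, 0) / total
            if share > self.threshold_pct:
                self.strikes[m] = self.strikes.get(m, 0) + 1
                if self.strikes[m] == self.consecutive_limit:   # alarm once per run
                    raised = (f"t={t_sec}s: {m} carried {share:.1f}% of bundle traffic "
                              f"for {self.consecutive_limit} consecutive measurements")
                    self.alarms.append(raised)
            else:
                self.strikes[m] = 0   # an even measurement resets the run (assumption)
        return raised


# Constructed measurements, one per 15-second rate interval: member -> bytes in that interval.
EVEN = {"Te 1/7": 1000, "Te 1/8": 1000, "Te 1/12": 1000, "Te 1/13": 1000}
SKEWED = {"Te 1/7": 7000, "Te 1/8": 1000, "Te 1/12": 1000, "Te 1/13": 1000}   # 70% on Te 1/7
SAMPLES = [(0, EVEN), (15, SKEWED), (30, SKEWED), (45, EVEN),      # run of two, then a reset
           (60, SKEWED), (75, SKEWED), (90, SKEWED)]                 # third in a row -> alarm


def run_samples(samples=SAMPLES) -> List[str]:
    """Feed the constructed measurements through a monitor and return the alarms raised."""
    mon = BundleMonitor(members=list(EVEN))
    for t, counters in samples:
        mon.measure(t, counters)
    return mon.alarms


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

Only the third consecutive skewed interval (t=90) produces an alarm; the earlier run of two is cleared by the even interval at t=45, which is the behaviour the three-measurement rule is meant to give so that a single burst does not page anyone.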
• SR4 • LM4 • PSM4 • PSM4-LR If you use any of the transceivers in the preceding list that is not Dell-qualified, Dell Networking OS places the interface in error-disabled (operationally down) state.
You can use QSFP optical cables (without a QSA) to split a 40 Gigabit port on a switch or a server into four 10 Gigabit ports. To split the ports, enable the fan-out mode. Similarly, you can enable the fan-out mode to configure the QSFP port on a device to act as an SFP or SFP+ port. As the QSA enables a QSFP or QSFP+ port to be used as an SFP or SFP+ port, Dell Networking OS does not immediately detect the QSA after you insert it into a QSFP port cage.
Configuring wavelength for 10-Gigabit SFP+ optics
You can set the wavelength for tunable 10-Gigabit SFP+ optics using the wavelength command. To set the wavelength, follow these steps: • Enter the interface mode and set the wavelength. INTERFACE mode wavelength 1529.0 The wavelength range is from 1528.3 nm to 1568.77 nm. • Verify the configuration changes.
Examples of the show interfaces dampening Commands
R1(conf-if-te-1/1)#show config
!
interface TengigabitEthernet 1/1
 ip address 10.10.19.1/24
 dampening 1 2 3 4
 no shutdown
R1(conf-if-te-1/1)#exit

To view the link dampening configuration on an interface, use the show config command. To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
• For ports directly attached to the chassis you can have a maximum of 4 sessions per port pipe. Refer to Port Numbering Convention for the exact port location on switch line cards. Configure MTU Size on an Interface Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload). The link MTU is the frame size of a packet, and the IP MTU size is used for IP fragmentation.
monitor session-ID: Enables mirror flow control frames on this port. Changes in the flow-control values may not be reflected automatically in show interface output. To display the change, apply the new flowcontrol setting, perform a shutdown followed by a no shutdown on the interface, and then re-display the show interface output for the port. Threshold Settings When the transmission pause is set (tx on), you can set three thresholds to define the controls more closely.
◦ Flow-control buffer threshold in KB: the range is from 1 to 2013 (default = 49 KB). ◦ Flow-control discard threshold in KB: the range is from 1 to 2013 (default = 75 KB). – monitor session-ID: Enter the keyword monitor then the session-ID to enable mirror flow control frames on the port. The session-ID range is from 1 to 65535. Pause control is triggered when either the flow control buffer threshold or the flow control packet pointer threshold is reached.
The local interface and the directly connected remote interface must have the same setting, and auto-negotiation is the easiest way to accomplish that, as long as the remote interface is capable of auto-negotiation. NOTE: As a best practice, Dell Networking recommends keeping auto-negotiation enabled. Only disable auto-negotiation on switch ports that attach to devices not capable of supporting negotiation or where connectivity issues arise from interoperability issues.
The following table describes how the speed and negotiation auto commands work with different modes of a combo port:
Table 39. Behavior on Combo Ports
Mode | Behavior of speed | Behavior of negotiation auto
Auto/Hybrid | Cannot be configured and an error is displayed. | Cannot be configured and no error is displayed.
Copper | Can be configured. | Can be configured.
Fiber | Cannot be configured. | Cannot be configured.
When an SFP is inserted on a copper-provisioned combo port, the system displays a syslog message.
Name: TengigabitEthernet 4/3 802.1QTagged: True Vlan membership: Vlan 2 --More-- Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG. The following example shows how to configure rate interval when changing the default value.
Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
0 CRC, 0 IP Checksum, 0 overrun, 0 discarded
0 packets output, 0 bytes, 0 underruns
Output 0 Multicasts, 0 Broadcasts, 0 Unicasts
0 IP Packets, 0 Vlans, 0 MPLS
0 throttles, 0 discarded
Rate info (interval 100 seconds):
Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Output 00.00 Mbits/sec, 0 packets/sec, 0.
Input 300.00 Mbits/sec, 1534517 packets/sec, 30.00% of line-rate
Output 100.00 Mbits/sec, 4636111 packets/sec, 10.
Clearing Interface Counters
The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters that any SNMP program captures. To clear the counters, use the following command. • Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces, or for selected ones. Without an interface specified, the command clears all interface counters.
23 Internet Protocol Security (IPSec) Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel. • Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
CONFIGURATION mode
crypto ipsec policy myCryptoPolicy 10 ipsec-manual
transform-set myXform-set
session-key inbound esp 256 auth encrypt
session-key outbound esp 257 auth encrypt
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.
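Before committing a manual-keyed policy like the one above, it is worth checking which flows its match entries actually select, because only matched traffic is protected by ESP and a mis-ordered or over-broad entry silently changes what goes out in the clear. The following Python is an added example written for this guide, not Dell Networking OS code: it parses the seven complete match lines from the policy above (match 7 is truncated on the page and is left out) and evaluates constructed 5-tuples against them. Reading the match syntax as "sequence, protocol, source address and prefix length, source port, destination address and prefix length, destination port", and treating port 0 as "any port", are assumptions of this example.

```python
"""Evaluate which flows an IPsec policy's match entries select (added example, not Dell Networking OS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Match entries copied from the policy on the page (the truncated match 7 is omitted).
POLICY_LINES = [
    "match 0 tcp a::1 /128 0 a::2 /128 23",
    "match 1 tcp a::1 /128 23 a::2 /128 0",
    "match 2 tcp a::1 /128 0 a::2 /128 21",
    "match 3 tcp a::1 /128 21 a::2 /128 0",
    "match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23",
    "match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0",
    "match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21",
]


@dataclass(frozen=True)
class MatchEntry:
    seq: int
    proto: str
    src: Network
    src_port: int     # 0 = any port (assumption about the CLI syntax)
    dst: Network
    dst_port: int     # 0 = any port (assumption about the CLI syntax)


def parse_match(line: str) -> MatchEntry:
    """Parse 'match <seq> <proto> <src> /<len> <sport> <dst> /<len> <dport>' (assumed field order)."""
    tok = line.split()
    if len(tok) != 9 or tok[0] != "match":
        raise ValueError(f"unrecognised match line: {line!r}")
    src = ipaddress.ip_network(tok[3] + tok[4], strict=False)   # "a::1" + "/128"
    dst = ipaddress.ip_network(tok[6] + tok[7], strict=False)
    return MatchEntry(int(tok[1]), tok[2].lower(), src, int(tok[5]), dst, int(tok[8]))


def flow_matches(e: MatchEntry, proto: str, sip: str, sport: int, dip: str, dport: int) -> bool:
    """True when the 5-tuple falls inside the entry's protocol, prefixes and (non-zero) ports."""
    s, d = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
    if proto.lower() != e.proto:
        return False
    # 'in' is False across address families, so IPv4 flows never hit IPv6 entries.
    if s not in e.src or d not in e.dst:
        return False
    if e.src_port and sport != e.src_port:
        return False
    if e.dst_port and dport != e.dst_port:
        return False
    return True


def select_entry(policy: List[MatchEntry], proto: str, sip: str, sport: int,
                 dip: str, dport: int) -> Optional[int]:
    """Return the sequence number of the lowest-numbered entry the flow matches, else None."""
    for e in sorted(policy, key=lambda m: m.seq):
        if flow_matches(e, proto, sip, sport, dip, dport):
            return e.seq
    return None


POLICY = [parse_match(line) for line in POLICY_LINES]

if __name__ == "__main__":
    # Constructed flows: an IPv6 Telnet session, an IPv4 FTP control session, and HTTP (unmatched).
    for flow in [("tcp", "a::1", 40000, "a::2", 23),
                 ("tcp", "1.1.1.1", 5555, "1.1.1.2", 21),
                 ("tcp", "1.1.1.1", 4444, "1.1.1.2", 80)]:
        print(flow, "->", select_entry(POLICY, *flow))
```

The pairs of entries (0/1, 2/3, 4/5, 6/7) cover both directions of a Telnet or FTP control connection between the two hosts; anything else between those hosts, such as the HTTP flow in the sample, matches no entry and is not covered by the policy.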
24 IPv4 Routing IPv4 routing and various IP addressing features are supported. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
NOTE: 31-bit subnet masks (/31, or 255.255.255.254), as defined by RFC 3021, are supported. This feature allows you to save two more IP addresses on point-to-point links than 30-bit masks. The system also supports RFC 3021 with ARP. Configuration Tasks for IP Addresses The following describes the tasks associated with IP address configuration.
ip address 10.11.1.1/24
no shutdown
!
Dell(conf-if)#
Dell(conf-if)#show conf
!
interface TengigabitEthernet 0/0
ip address 10.11.1.1/24
no shutdown
!
Dell(conf-if)#

Configuring Static Routes
A static route is an IP address that you manually configure and that a routing protocol, such as open shortest path first (OSPF), does not learn. Often, static routes are used as backup routes in case other dynamically learned routes are unreachable. You can enter as many static IP addresses as necessary.
Direct, Lo 0
--More--

The system installs a next hop that is on the directly connected subnet of the current IP address on the interface (for example, if interface gig 0/0 is on the 172.31.5.0 subnet, the system installs the static route). The system also installs a next hop that is not on the directly connected subnet but which recursively resolves to a next hop on the interface's configured subnet. For example, if gig 0/0 has an IP address on subnet 2.2.2.0 and if 172.31.5.43 recursively resolves to 2.2.2.
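The two installation rules just described (next hop directly connected, or next hop that recursively resolves to a directly connected one) are easy to get wrong when a static route's next hop lies inside another static prefix, because resolution can chase itself in a loop. The following Python is an added example written for this guide, not Dell Networking OS code; it implements both rules with longest-prefix lookup, bounds the recursion so a self-referencing route is rejected rather than looping, and uses the page's gig 0/0, 2.2.2.0 and 172.31.5.43 values with constructed host addresses filled in.

```python
"""Static-route next-hop resolution (added example, not Dell Networking OS code)."""
import ipaddress
from typing import Dict, Optional, Tuple


def connected_interface(addr: ipaddress.IPv4Address, connected: Dict[str, str]) -> Optional[str]:
    """Return the interface whose configured subnet contains addr, or None."""
    for ifname, prefix in connected.items():
        if addr in ipaddress.ip_network(prefix, strict=False):
            return ifname
    return None


def resolve_next_hop(next_hop: str, connected: Dict[str, str], static_routes: Dict[str, str],
                     max_depth: int = 8) -> Optional[Tuple[str, str]]:
    """Resolve next_hop to (interface, directly connected next hop).

    connected:     interface -> configured address/prefix, e.g. {"gig 0/0": "2.2.2.1/24"}
    static_routes: prefix -> next hop used for recursive resolution, e.g. {"172.31.5.0/24": "2.2.2.5"}
    Returns None when the hop cannot be resolved within max_depth steps (covers loops).
    """
    nh = ipaddress.ip_address(next_hop)
    for _ in range(max_depth):
        ifname = connected_interface(nh, connected)
        if ifname is not None:
            return ifname, str(nh)                   # rule 1: on a directly connected subnet
        best = None                                  # rule 2: longest matching static prefix
        for prefix, via in static_routes.items():
            net = ipaddress.ip_network(prefix, strict=False)
            if nh in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        if best is None:
            return None
        nh = ipaddress.ip_address(best[1])           # recurse through that route's next hop
    return None                                      # depth exhausted: self-referencing route


def install_static_routes(candidates: Dict[str, str], connected: Dict[str, str],
                          static_routes: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return the subset of candidate routes (prefix -> next hop) the system would install."""
    installed = {}
    for prefix, via in candidates.items():
        resolved = resolve_next_hop(via, connected, static_routes)
        if resolved is not None:
            installed[prefix] = resolved
    return installed


# Constructed topology in the spirit of the page's example: gig 0/0 is on 2.2.2.0/24 and
# 172.31.5.0/24 is reachable via 2.2.2.5, so a next hop of 172.31.5.43 resolves recursively.
CONNECTED = {"gig 0/0": "2.2.2.1/24"}
STATIC = {"172.31.5.0/24": "2.2.2.5"}
CANDIDATES = {
    "192.168.9.0/24": "172.31.5.43",   # recursive: installed via gig 0/0, next hop 2.2.2.5
    "0.0.0.0/0": "2.2.2.254",          # direct: installed via gig 0/0
    "10.0.0.0/8": "10.9.9.9",          # unresolvable: not installed
}

if __name__ == "__main__":
    for prefix, via in install_static_routes(CANDIDATES, CONNECTED, STATIC).items():
        print(f"{prefix} -> {via}")
```

A route whose next hop falls inside its own prefix (for example 10.0.0.0/8 via 10.0.0.1 with nothing connected to 10/8) resolves to itself forever; the depth bound turns that into "not installed", which is the safe outcome.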
Resolution of Host Names Domain name service (DNS) maps host names to IP addresses. This feature simplifies commands such as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless you enable the feature, the system resolves only host names entered into the host table with the ip host command.
• Enter up to 63 characters to configure one domain name. CONFIGURATION mode ip domain-name name • Enter up to 63 characters to configure names to complete unqualified host names. CONFIGURATION mode ip domain-list name Configure this command up to six times to specify a list of possible domain names. The system searches the domain names in the order they were configured until a match is found or the list is exhausted.
ARP
The system uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables end stations to learn the MAC addresses of neighbors on an IP network. Over time, the system creates a forwarding table mapping the MAC addresses to their corresponding IP addresses. This table is called the ARP cache, and dynamically learned addresses are removed after a defined period of time.
◦ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. ◦ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. ◦ For a port extender (PE) Gigabit Ethernet interface, enter the keyword peGigE then the pe-id/stack-unit/port-id information. The pe-id is a port-extender ID number from 0 to 255; the stack-unit unit-number is from 0 to 7; and the port-id range is from 1 to 48.
Enabling Proxy ARP By default, Proxy ARP is enabled. To disable Proxy ARP, use the no ip proxy-arp command in the interface mode. To re-enable Proxy ARP, use the following command. • Re-enable Proxy ARP. INTERFACE mode ip proxy-arp To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output.
Enabling ARP Learning via Gratuitous ARP To enable ARP learning via gratuitous ARP, use the following command. • Enable ARP learning via gratuitous ARP. CONFIGURATION mode arp learn-enable ARP Learning via ARP Request The system learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped.
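The learning rules in this section and the cache aging described under ARP above together decide which neighbours an interface will trust: requests are learned only when their target IP is the receiving interface's own address, gratuitous ARP is learned only when arp learn-enable is configured, and entries expire after a defined period. The following Python is an added example written for this guide, not Dell Networking OS code, that applies exactly those rules to constructed ARP packets; the 240-second timeout, the learning of replies only when they are addressed to the interface, and the "sender IP equals target IP" test for gratuitous ARP are assumptions of the example rather than values stated on the page.

```python
"""ARP cache learning rules with aging (added example, not Dell Networking OS code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def is_gratuitous(self) -> bool:
        # Gratuitous ARP announces the sender's own binding: sender IP == target IP (assumption).
        return self.sender_ip == self.target_ip


@dataclass
class ArpCache:
    interface_ip: str
    timeout_sec: int = 240                      # illustrative aging period, not the OS default
    learn_gratuitous: bool = False              # models 'arp learn-enable'
    entries: Dict[str, Tuple[str, int]] = field(default_factory=dict)   # ip -> (mac, expiry)

    def receive(self, pkt: ArpPacket, now: int) -> Optional[str]:
        """Apply the learning rules; return why the binding was learned, or None if it was not."""
        if pkt.is_gratuitous:
            if not self.learn_gratuitous:
                return None                     # gratuitous ARP ignored unless enabled
            reason = "gratuitous"
        elif pkt.op == ARP_REQUEST:
            if pkt.target_ip != self.interface_ip:
                return None                     # request for someone else: dropped, not learned
            reason = "request"
        elif pkt.op == ARP_REPLY:
            if pkt.target_ip != self.interface_ip:
                return None                     # reply not addressed to us (assumption)
            reason = "reply"
        else:
            return None
        self.entries[pkt.sender_ip] = (pkt.sender_mac, now + self.timeout_sec)
        return reason

    def lookup(self, ip: str, now: int) -> Optional[str]:
        """Return the cached MAC for ip, expiring the entry if its aging period has elapsed."""
        entry = self.entries.get(ip)
        if entry is None or entry[1] <= now:
            self.entries.pop(ip, None)
            return None
        return entry[0]


# Constructed packets arriving on an interface configured with 10.1.1.1.
CACHE = ArpCache(interface_ip="10.1.1.1")
REQ_FOR_US = ArpPacket(ARP_REQUEST, "00:11:22:33:44:20", "10.1.1.20", "00:00:00:00:00:00", "10.1.1.1")
REQ_FOR_OTHER = ArpPacket(ARP_REQUEST, "00:11:22:33:44:30", "10.1.1.30", "00:00:00:00:00:00", "10.1.1.99")
GRATUITOUS = ArpPacket(ARP_REQUEST, "00:11:22:33:44:40", "10.1.1.40", "00:00:00:00:00:00", "10.1.1.40")

if __name__ == "__main__":
    for pkt in (REQ_FOR_US, REQ_FOR_OTHER, GRATUITOUS):
        print(pkt.sender_ip, "->", CACHE.receive(pkt, now=0))
    print("10.1.1.20 resolves to", CACHE.lookup("10.1.1.20", now=0))
```

Refusing to learn from requests aimed at other hosts and from unsolicited gratuitous ARP (unless deliberately enabled) is what limits how much a spoofed broadcast can poison the cache; the aging step ensures that a stale or poisoned binding does not persist indefinitely once the traffic stops.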
Configuring ARP Retries
The number of ARP retries is user-configurable. The default backoff interval remains at 20 seconds. To set and display ARP retries, use the following commands. • Set the number of ARP retries. CONFIGURATION mode arp retries number The default is 5. The range is from 1 to 20. • Set the exponential timer for resending unresolved ARPs. CONFIGURATION mode arp backoff-time The default is 30. The range is from 1 to 3600.
no ip unreachable • Set the system to create and send ICMP unreachable messages on the interface. INTERFACE mode ip unreachable To view if ICMP unreachable messages are sent on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output.
25 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
Extended Address Space The address format is extended from 32 bits to 128 bits. This not only provides room for all anticipated needs, it allows for the use of a hierarchical address space structure to optimize global addressing. Stateless Autoconfiguration When a booting device comes up in IPv6 and asks for its network prefix, the device can get the prefix (or prefixes) from an IPv6 router on its link.
• Flow Label (20 bits) • Payload Length (16 bits) • Next Header (8 bits) • Hop Limit (8 bits) • Source Address (128 bits) • Destination Address (128 bits) IPv6 provides for extension headers. Extension headers are used only if necessary. There can be no extension headers, one extension header or more than one extension header in an IPv6 packet. Extension headers are defined in the Next Header field of the preceding IPv6 header.
Payload Length (16 bits) The Payload Length field specifies the packet payload. This is the length of the data following the IPv6 header. IPv6 Payload Length only includes the data following the header, not the header itself. The Payload Length limit of 2 bytes requires that the maximum packet payload be 64 KB. However, the Jumbogram option type Extension header supports larger packet sizes when required. Next Header (8 bits) The Next Header field identifies the next header’s type.
Source Address (128 bits) The Source Address field contains the IPv6 address of the packet originator. Destination Address (128 bits) The Destination Address field contains the intended recipient's IPv6 address. This can be either the ultimate destination or the address of the next hop router. Extension Header Fields Extension headers are used only when necessary. Due to the streamlined nature of the IPv6 header, adding extension headers does not severely impact performance.
10 Discard the packet and send an ICMP Parameter Problem Code 2 message to the packet’s Source IP Address identifying the unknown option type. 11 Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet’s Source IP Address only if the Destination IP Address is not a multicast address. The second byte contains the Option Data Length. The third byte specifies whether the information can change en route to the destination.
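The header layout and the option-type handling rules listed over the preceding paragraphs are easiest to verify by parsing real bytes. The following Python is an added example written for this guide, not Dell Networking OS code: it unpacks the fixed 40-byte IPv6 header, checks the 16-bit Payload Length against the captured bytes, walks a Hop-by-Hop Options extension header, and maps the two high-order bits of an unknown option type to the four receiver actions (including the "only if the destination is not multicast" case). The packet is constructed; the source address is the link-local address shown in the show ipv6 interface output later in this chapter, and the destination is the all-nodes multicast group. Per RFC 2460 the "may change en route" marker is the third high-order bit of the option type (mask 0x20), which is what the code tests.

```python
"""IPv6 base header and Hop-by-Hop option parsing (added example, not Dell Networking OS code)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple

HOP_BY_HOP = 0          # Next Header value for the Hop-by-Hop Options extension header
ICMPV6 = 58
# Action a receiver takes on an unrecognised option, selected by the two high-order type bits.
ACTIONS = {0: "skip", 1: "discard", 2: "discard+icmp", 3: "discard+icmp-unless-multicast"}


@dataclass(frozen=True)
class IPv6Header:
    version: int
    traffic_class: int
    flow_label: int
    payload_length: int
    next_header: int
    hop_limit: int
    src: str
    dst: str


def parse_ipv6_header(pkt: bytes) -> IPv6Header:
    """Unpack the fixed 40-byte header; reject truncated packets and bad version/length fields."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtcfl, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])   # 4-bit ver, 8-bit TC, 20-bit flow label
    version = vtcfl >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version {version})")
    if len(pkt) - 40 < plen:
        raise ValueError("Payload Length exceeds the captured bytes")
    return IPv6Header(version, (vtcfl >> 20) & 0xFF, vtcfl & 0xFFFFF, plen, nh, hlim,
                      str(ipaddress.IPv6Address(pkt[8:24])), str(ipaddress.IPv6Address(pkt[24:40])))


def unknown_option_action(opt_type: int, dst: str) -> str:
    """Receiver behaviour for an unrecognised option type, given the packet's destination."""
    action = ACTIONS[opt_type >> 6]
    if action == "discard+icmp-unless-multicast":
        return "discard" if ipaddress.IPv6Address(dst).is_multicast else "discard+icmp"
    return action


def parse_hop_by_hop(ext: bytes) -> Tuple[int, int, List[Tuple[int, int, bool, bytes]]]:
    """Return (next_header, header_length_bytes, [(type, data_len, mutable_en_route, data), ...])."""
    if len(ext) < 2:
        raise ValueError("truncated Hop-by-Hop header")
    nh, hdr_ext_len = ext[0], ext[1]
    total = (hdr_ext_len + 1) * 8                 # length field counts 8-octet units after the first
    if len(ext) < total:
        raise ValueError("truncated Hop-by-Hop header")
    options, i = [], 2
    while i < total:
        opt_type = ext[i]
        if opt_type == 0:                         # Pad1: a single byte with no length field
            i += 1
            continue
        if i + 1 >= total:
            raise ValueError("option length field missing")
        length = ext[i + 1]
        if i + 2 + length > total:
            raise ValueError("option data overruns the header")
        data = ext[i + 2:i + 2 + length]
        if opt_type != 1:                         # PadN (type 1) carries no information
            options.append((opt_type, length, bool(opt_type & 0x20), data))
        i += 2 + length
    return nh, total, options


def build_sample() -> bytes:
    """Constructed packet: IPv6 + Hop-by-Hop (one unknown option, type 0xC3) + 8 ICMPv6 bytes."""
    src = ipaddress.IPv6Address("fe80::201:e8ff:fe8b:386e").packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    hbh = bytes([ICMPV6, 0, 0xC3, 2, 0xAB, 0xCD, 1, 0])   # next hdr, len=0 (8 bytes), option, PadN
    payload = hbh + bytes(8)
    vtcfl = (6 << 28) | (0 << 20) | 0x12345
    return struct.pack("!IHBB", vtcfl, len(payload), HOP_BY_HOP, 255) + src + dst + payload


if __name__ == "__main__":
    packet = build_sample()
    hdr = parse_ipv6_header(packet)
    nh, hbh_len, opts = parse_hop_by_hop(packet[40:])
    print(hdr, nh, hbh_len, opts)
    for opt_type, _, _, _ in opts:
        print(f"unknown option 0x{opt_type:02x}: {unknown_option_action(opt_type, hdr.dst)}")
```

Because the sample is addressed to ff02::1, the 0xC3 option (high bits 11) is discarded without an ICMPv6 Parameter Problem reply; the same option sent to a unicast address would trigger the reply, which is exactly the distinction the "11" rule exists to make so that multicast senders cannot provoke a flood of error messages.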
the same IPv6 address to a particular computer, and never to assign that IP address to another computer. This allows static IPv6 addresses to be configured in one place, without having to specifically configure each computer on the network in a different way. In IPv6, every interface, whether using static or dynamic address assignments, also receives a local-link address automatically in the fe80::/64 subnet.
Feature and Functionality | Dell Networking OS Release Introduction | Documentation and Chapter Location
OSPF for IPv6 (OSPFv3) | 8.3.11 | OSPFv3 in the Dell Networking OS Command Line Reference Guide.
Equal Cost Multipath for IPv6 | 8.3.11 |
IPv6 Services and Management
Telnet client over IPv6 (outbound Telnet) | 8.3.11 | Configuring Telnet with IPv6 Control and Monitoring in the Dell Networking OS Command Line Reference Guide.
Telnet server over IPv6 (inbound Telnet) | 8.3.
• Informational messages provide diagnostic functions and additional host functions, such as Neighbor Discovery and Multicast Listener Discovery. These messages also include Echo Request and Echo Reply messages. The ping and traceroute commands extend to support IPv6 addresses. These commands use ICMPv6 Type-2 messages.
Figure 58. NDP Router Redirect IPv6 Neighbor Discovery of MTU Packets You can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is set with the mtu command.
Dell(conf-if-te-0/1)#ipv6 nd dns-server 1000::1 ?
<0-4294967295>   Max lifetime (sec) which RDNSS address may be used for name resolution
infinite         Infinite lifetime (sec) which RDNSS address may be used for name resolution
Dell(conf-if-te-0/1)#ipv6 nd dns-server 1000::1 1

Debugging IPv6 RDNSS Information Sent to the Host
To verify that you configured the IPv6 RDNSS information sent to the host correctly, use the debug ipv6 nd command in EXEC Privilege mode.
ND dns-server address is 2000::1 with lifetime of 0 seconds
IP unicast RPF check is not supported

To display IPv6 RDNSS information, use the show configuration command in INTERFACE CONFIG mode. The following example uses the show configuration command to display IPv6 RDNSS information.
Dell(conf-if-te-1/1)#show configuration
To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start) then reload the system for the new settings. • Allocate space for IPV6 ACLs. Enter the CAM profile name then the allocated amount. CONFIGURATION mode cam-acl { ipv6acl } When not selecting the default option, enter all of the profiles listed and a range for each. The total space allocated must equal 13. The ipv6acl range must be a factor of 2. • Show the current CAM settings.
Assigning a Static IPv6 Route To configure IPv6 static routes, use the ipv6 route command. NOTE: After you configure a static IPv6 route (the ipv6 route command) and configure the forwarding router’s address (specified in the ipv6 route command) on a neighbor’s interface, the IPv6 neighbor does not display in the show ipv6 route command output. • Set up IPv6 static routes.
• snmp-server user ipv6 • snmp-server community ipv6 • snmp-server community access-list-name ipv6 • snmp-server group ipv6 • snmp-server group access-list-name ipv6 Displaying IPv6 Information To view a specified IPv6 configuration, use the show ipv6 command. • List the IPv6 show options.
Example of the show ipv6 interface Command
Dell#show ipv6 int man 1/0
ManagementEthernet 1/0 is up, line protocol is up
IPV6 is enabled
Stateless address autoconfiguration is enabled
Link Local address: fe80::201:e8ff:fe8b:386e
Global Unicast address(es):
Actual address is 400::201:e8ff:fe8b:386e, subnet is 400::/64
Actual address is 412::201:e8ff:fe8b:386e, subnet is 412::/64
Virtual-IP IPv6 address is not set
Received Prefix(es):
400::/64 onlink autoconfig
Valid lifetime: 2592000, Preferred lifetime: 6048
Route Source | Active Routes | Non-active Routes
connected | 5 | 0
static | 0 | 0
Total | 5 | 0
Dell#show ipv6 route
Codes: C - connected, L - local, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default,
Gateway of last resort is not set
Desti
Clearing IPv6 Routes To clear routes from the IPv6 routing table, use the following command. • Clear (refresh) all or a specific route from the IPv6 routing table. EXEC mode clear ipv6 route {* | ipv6 address prefix-length} – *: all routes. – ipv6 address: the format is x:x:x:x::x. – mask: the prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:).
4 Define the role of the device attached to the port. POLICY LIST CONFIGURATION mode device-role {host | router} Use the keyword host to set the device role as host. Use the keyword router to set the device role as router. 5 Set the hop count limit. POLICY LIST CONFIGURATION mode hop-limit {maximum | minimum limit} The hop limit range is from 0 to 254. 6 Set the managed address configuration flag.
retrans-timer value The retransmission time range is from 100 to 4,294,967,295 milliseconds. 15 Display the configurations applied on the RA guard policy mode. POLICY LIST CONFIGURATION mode show config NOTE: IPv6 RA Guard is not supported on Port Extender.
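The policy steps above (device-role, hop-limit bounds, the managed address configuration flag, the retransmission timer) define what an RA Guard policy checks before it lets a Router Advertisement through a port. The following Python is an added example written for this guide, not Dell Networking OS code, that evaluates constructed RAs against such a policy and tallies the outcome per port; how each knob is applied (a host-role port drops every RA, a managed-flag setting must match the RA's M flag, a retrans-timer value is a minimum) is an assumption of this example, since the page lists the commands but not their matching semantics. The link-local source check is not on the page; RFC 4861 requires an RA's source to be link-local, so rejecting anything else is a safe additional check.

```python
"""IPv6 RA Guard policy evaluation over constructed Router Advertisements (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RaGuardPolicy:
    device_role: str                            # "host" or "router" (device-role command)
    hop_limit_min: int = 0                      # hop-limit minimum (page range 0-254)
    hop_limit_max: int = 254                    # hop-limit maximum
    managed_config_flag: Optional[bool] = None  # None = not checked (assumption)
    retrans_timer_min_ms: Optional[int] = None  # None = not checked (assumption: lower bound)


@dataclass(frozen=True)
class RouterAdvertisement:
    port: str
    src: str                # IPv6 source address of the RA
    cur_hop_limit: int
    managed_flag: bool      # the "M" flag in the RA
    retrans_timer_ms: int


def evaluate_ra(policy: RaGuardPolicy, ra: RouterAdvertisement) -> Tuple[bool, str]:
    """Return (permitted, reason). Any failed check drops the RA."""
    if policy.device_role == "host":
        return False, "RA received on a port whose device-role is host"
    if policy.device_role != "router":
        return False, f"unknown device-role {policy.device_role!r}"
    if not ipaddress.IPv6Address(ra.src).is_link_local:
        return False, f"RA source {ra.src} is not link-local"          # RFC 4861 requirement
    if not policy.hop_limit_min <= ra.cur_hop_limit <= policy.hop_limit_max:
        return False, (f"hop limit {ra.cur_hop_limit} outside "
                       f"{policy.hop_limit_min}-{policy.hop_limit_max}")
    if policy.managed_config_flag is not None and ra.managed_flag != policy.managed_config_flag:
        return False, "managed address configuration flag does not match the policy"
    if policy.retrans_timer_min_ms is not None and ra.retrans_timer_ms < policy.retrans_timer_min_ms:
        return False, f"retrans timer {ra.retrans_timer_ms} ms below policy minimum"
    return True, "permitted"


def apply_policies(port_policies: Dict[str, RaGuardPolicy],
                   ras: List[RouterAdvertisement]) -> Dict[str, Dict[str, int]]:
    """Count permitted and dropped RAs per port, in the spirit of 'debug ipv6 nd ra-guard count'."""
    counts: Dict[str, Dict[str, int]] = {}
    for ra in ras:
        policy = port_policies.get(ra.port, RaGuardPolicy(device_role="host"))  # unconfigured ports: host
        permitted, _ = evaluate_ra(policy, ra)
        bucket = counts.setdefault(ra.port, {"permitted": 0, "dropped": 0})
        bucket["permitted" if permitted else "dropped"] += 1
    return counts


# Constructed policies: uplink port 1/1 faces the real router, access port 1/5 faces hosts.
PORT_POLICIES = {
    "Te 1/1": RaGuardPolicy("router", hop_limit_min=64, hop_limit_max=254,
                            managed_config_flag=False, retrans_timer_min_ms=1000),
    "Te 1/5": RaGuardPolicy("host"),
}
# Constructed RAs: a legitimate one on the uplink, two non-compliant ones on the uplink,
# and one arriving on a host-facing port.
SAMPLE_RAS = [
    RouterAdvertisement("Te 1/1", "fe80::1", 64, False, 1000),
    RouterAdvertisement("Te 1/1", "fe80::1", 32, False, 1000),       # hop limit too low
    RouterAdvertisement("Te 1/1", "2001:db8::1", 64, False, 1000),   # non-link-local source
    RouterAdvertisement("Te 1/5", "fe80::abcd", 64, False, 1000),    # RA from a host port
]

if __name__ == "__main__":
    for ra in SAMPLE_RAS:
        print(ra.port, evaluate_ra(PORT_POLICIES[ra.port], ra))
    print(apply_policies(PORT_POLICIES, SAMPLE_RAS))
```

The per-port tally is what an operator would correlate with the debug count output when a rogue advertisement is suspected; a non-zero dropped count on a host-facing port is the signal worth alerting on.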
Monitoring IPv6 RA Guard To debug IPv6 RA guard, use the following command. EXEC Privilege mode debug ipv6 nd ra-guard [interface slot/port | count value] The count range is from 1 to 65534. The default is infinity. For a complete listing of all commands related to IPv6 RA Guard, see the Dell Networking OS Command Line Reference Guide.
26 Intermediate System to Intermediate System
The intermediate system to intermediate system (IS-IS) protocol uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter.
The NET length is variable, with a maximum of 20 bytes and a minimum of 8 bytes. It is composed of the following: • area address — within your routing domain or area, each area must have a unique area value. The first byte is called the authority and format indicator (AFI). • system address — the router’s MAC address. • N-selector — this is always 0. The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.
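The NET rules just given (8 to 20 bytes, area address starting with the AFI byte, a 6-byte system address that is typically the router's MAC, and an N-selector that is always 0) are simple to validate programmatically before a NET is pasted into a router configuration. The following Python is an added example written for this guide, not Dell Networking OS code; the sample NET values are constructed (47.0005 is the area prefix from the page's own example; the MAC is the one implied by the link-local address shown earlier in this guide).

```python
"""IS-IS NET parsing and validation (added example, not Dell Networking OS code)."""
from typing import Dict

SYSTEM_ID_LEN = 6   # bytes
NSEL_LEN = 1        # bytes; must be 0 for a NET


def parse_net(net: str) -> Dict[str, object]:
    """Split a dotted NET such as 47.0005.0001.e88b.386e.00 into AFI, area, system ID and NSEL."""
    hexstr = net.replace(".", "").lower()
    if len(hexstr) % 2 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError(f"NET is not an even-length hex string: {net!r}")
    raw = bytes.fromhex(hexstr)
    if not 8 <= len(raw) <= 20:
        raise ValueError(f"NET must be 8 to 20 bytes, got {len(raw)}")
    nsel = raw[-NSEL_LEN]
    system_id = raw[-(SYSTEM_ID_LEN + NSEL_LEN):-NSEL_LEN]
    area = raw[:-(SYSTEM_ID_LEN + NSEL_LEN)]
    if nsel != 0:
        raise ValueError(f"N-selector must be 00 for a NET, got {nsel:02x}")
    return {
        "afi": raw[0],                 # authority and format indicator: first byte of the area
        "area": area.hex(),            # whole area address, AFI included
        "system_id": system_id.hex(),
        "nsel": nsel,
        "length": len(raw),
    }


def net_from_mac(area: str, mac: str) -> str:
    """Build a NET from a dotted area (e.g. '47.0005') and a MAC address used as the system ID."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12:
        raise ValueError(f"MAC must be 6 bytes: {mac!r}")
    return f"{area}.{digits[0:4]}.{digits[4:8]}.{digits[8:12]}.00"


def same_area(net_a: str, net_b: str) -> bool:
    """Two routers form a Level-1 adjacency only when their area addresses are identical."""
    return parse_net(net_a)["area"] == parse_net(net_b)["area"]


if __name__ == "__main__":
    # Constructed values: area 47.0005 from the page's example, MAC 00:01:e8:8b:38:6e (assumed).
    net = net_from_mac("47.0005", "00:01:e8:8b:38:6e")
    print(net, parse_net(net))
```

Because parse_net rejects a non-zero selector, a NET accidentally copied from an NSAP with a transport selector fails validation instead of producing an adjacency that never forms; same_area gives a quick check that two routers intended to be Level-1 neighbours actually share an area.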
Interface Support MT IS-IS is supported on physical Ethernet interfaces, physical synchronous optical network technologies (SONET) interfaces, port-channel interfaces (static and dynamic using LACP), and virtual local area network (VLAN) interfaces. Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions.
IPv6 Reachability and IPv6 Interface Address. A new IPv6 protocol identifier has also been included in the supported TLVs. The new TLVs use the extended metrics and up/down bit semantics. Multi-topology IS-IS adds TLVs: • MT TLV — contains one or more Multi-Topology IDs in which the router participates. This TLV is included in IIH and the first fragment of an LSP. • MT Intermediate Systems TLV — appears for every topology a node supports.
Configuration Tasks for IS-IS The following describes the configuration tasks for IS-IS. • Enabling IS-IS • Configure Multi-Topology IS-IS (MT IS-IS) • Configuring IS-IS Graceful Restart • Changing LSP Attributes • Configuring the IS-IS Metric Style • Configuring IS-IS Cost • Changing the IS-Type • Controlling Routing Updates • Configuring Authentication Passwords • Setting the Overload Bit • Debugging IS-IS Enabling IS-IS By default, IS-IS is not enabled.
4 • For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383. • For a port channel, enter the keywords port-channel then a number. • For a SONET interface, enter the keyword sonet then the slot/port information. • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a VLAN, enter the keyword vlan then a number from 1 to 4094. Enter an IPv4 Address.
Accept wide metrics: none
Dell#

To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
4 Implement a wide metric-style globally. ROUTER ISIS AF IPV6 mode isis ipv6 metric metric-value [level-1 | level-2 | level-1-2] To configure wide or wide transition metric style, the cost can be between 0 and 16,777,215. Configuring IS-IS Graceful Restart To enable IS-IS graceful restart globally, use the following commands. Also, you can implement optional commands to enable the graceful restart settings. • Enable graceful restart on ISIS processes.
– adjacency: the restarting router receives the remaining time value from its peer and adjusts its T3 value accordingly, if you have configured this option. – manual: allows you to specify a fixed value that the restarting router should use. The range is from 50 to 120 seconds. The default is 30 seconds. NOTE: If this timer expires before the synchronization has completed, the restarting router sends the overload bit in the LSP. Example of the show isis graceful-restart detail and show isis interface Commands
Restart Capable Neighbors: 2, In Start: 0, In Restart: 0 Dell# Changing LSP Attributes IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary. To change the defaults, use any or all of the following commands. • Set interval between LSP generation.
Configuring the IS-IS Metric Style All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
Distance: 115
Generate narrow metrics: level-1-2
Accept narrow metrics: level-1-2
Generate wide metrics: none
Accept wide metrics: none
Dell#

Configuring the IS-IS Cost
When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands. • Assign an IS-IS metric.
Changing the IS-Type To change the IS-type, use the following commands. You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands. • Configure the IS-IS operating level for a router. ROUTER ISIS mode is-type {level-1 | level-1-2 | level-2-only} The default is level-1-2. • Change the IS-type for the IS-IS process.
– For a SONET interface, enter the keyword sonet then the slot/port information. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/ port information. – For a VLAN, enter the keyword vlan then a number from 1 to 4094. Distribute Routes Another method of controlling routing information is to filter the information through a prefix list.
Applying IPv6 Routes To apply prefix lists to incoming or outgoing IPv6 routes, use the following commands. NOTE: These commands apply to IPv6 IS-IS only. To apply prefix lists to IPv4 routes, use ROUTER ISIS mode, previously shown. • Apply a configured prefix list to all incoming IPv6 IS-IS routes.
redistribute {bgp as-number | connected | rip | static} [level-1 level-1-2 | level-2] [metric metric-value] [metric-type {external | internal}] [route-map map-name] Configure the following parameters: – level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2. – metric-value: the range is from 0 to 16777215. The default is 0. – metric-type: choose either external or internal. The default is internal. – map-name: enter the name of a configured route map.
– match external: the range is 1 or 2. – match internal – metric-type: external or internal. – map-name: name of a configured route map. To view the IS-IS configuration globally (including both IPv4 and IPv6 settings), use the show running-config isis command in EXEC Privilege mode. To view the current IPv4 IS-IS configuration, use the show config command in ROUTER ISIS mode. To view the current IPv6 IS-IS configuration, use the show config command in ROUTER ISIS-ADDRESS FAMILY IPV6 mode.
no set-overload-bit
Example of Viewing the Overload Bit Setting
When the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2.
Dell#show isis database
IS-IS Level-1 Link State Database
LSPID                 LSP Seq Num   LSP Checksum
B233.00-00            0x00000003    0x07BF
eljefe.00-00        * 0x0000000A    0xF963
eljefe.01-00        * 0x00000001    0x68DF
eljefe.02-00        * 0x00000001    0x2E7F
Force10.
EXEC Privilege mode
debug isis update-packets [interface]
To view specific information, enter the following optional parameter:
– interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
The system displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode. To disable a specific debug command, enter the keyword no then the debug command.
Maximum Values in the Routing Table
IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000.
Change the IS-IS Metric Style in One Level Only
By default, the IS-IS metric style is narrow. When you change from one IS-IS metric style to another, the IS-IS metric value (configured with the isis metric command) could be affected.
Beginning Metric Style | Final Metric Style | Resulting IS-IS Metric Value
narrow transition | transition | original value
wide transition | wide | original value
wide transition | narrow | default value (10) if the original value is greater than 63. A message is sent to the console.
wide transition | narrow transition | default value (10) if the original value is greater than 63. A message is sent to the console.
wide transition | transition | truncated value (the truncated value appears in the LSP only).
Level-1 Metric Style | Level-2 Metric Style | Resulting Metric Value
wide | transition | truncated value
narrow transition | wide | original value
narrow transition | narrow | original value
narrow transition | wide transition | original value
narrow transition | transition | original value
transition | wide | original value
transition | narrow | original value
transition | wide transition | original value
transition | narrow transition | original value
wide transition | wide | original value
wide transition | narrow |
Figure 60. IPv6 IS-IS Sample Topology
IS-IS Sample Configuration — Congruent Topology
IS-IS Sample Configuration — Multi-topology
IS-IS Sample Configuration — Multi-topology Transition
The following is a sample configuration for enabling IPv6 IS-IS.
Dell(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ip address 24.3.1.
 exit-address-family
Dell(conf-router_isis)#
Dell(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
Dell(conf-if-te-3/17)#
Dell(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
27 iSCSI Optimization This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
• Auto-detection of EqualLogic storage arrays — the switch detects any active EqualLogic array directly attached to its ports.
• Manual configuration to detect Compellent storage arrays where auto-detection is not supported.
• Automatic configuration of switch ports after detection of storage arrays.
• If you configure flow-control, iSCSI uses the current configuration.
Figure 61. iSCSI Optimization Example
Default iSCSI Optimization Values
The following table lists the default values for the iSCSI optimization feature.
Table 46. iSCSI Optimization Defaults
Parameter | Default Value
iSCSI Optimization global setting | Disabled.
iSCSI CoS mode (802.1p priority queue mapping) | dot1p priority 4 without the remark setting when you enable iSCSI. If you do not enable iSCSI, this feature is disabled.
Remark | Not configured.
iSCSI session aging time | 10 minutes
iSCSI optimization target ports | iSCSI well-known ports 3260 and 860 are configured as default (with no IP address or name) but can be removed as any other configured target.
iSCSI session monitoring | Disabled. The CAM allocation for iSCSI is set to zero (0).
iSCSI Optimization Prerequisites
The following are iSCSI optimization prerequisites.
• iSCSI optimization requires LLDP on the switch.
• tcp-port-n is the TCP port number or a list of TCP port numbers on which the iSCSI target listens to requests. You can configure up to 16 target TCP ports on the switch in one command or multiple commands. The default is 860, 3260. Separate port numbers with a comma. If multiple IP addresses are mapped to a single TCP port, use the no iscsi target port tcp-port-n command to remove all IP addresses assigned to the TCP number.
The default is: Compellent disk arrays are not detected.
NOTE: The [no] iscsi profile-compellent command is not supported on cascade interfaces or extended ports.
Displaying iSCSI Optimization Information
To display information on iSCSI optimization, use the following show commands.
• Display the currently configured iSCSI settings.
show iscsi
• Display information on active iSCSI sessions on the switch.
show iscsi session
• Display detailed information on active iSCSI sessions on the switch.
iqn.1991-05.com.microsoft:win-x9l8v27yajg
ISID: 400001370000
The following example shows the show iscsi session detailed command.
VLT PEER1
Dell# show iscsi session detailed
Session 0:
-------------------------------------------------------
Target:iqn.2010-11.com.ixia:ixload:iscsi-TG1
Initiator:iqn.2010-11.com.ixia.
Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer
The following behavior occurs during synchronization of iSCSI sessions.
• If the iSCSI login request packet is received on a port belonging to a VLT lag, the information is synced to the VLT peer and the connection is associated with this interface.
• Additional updates to connections (including aging updates) that are learned on VLT lag members are synced to the peer.
Only sessions the switch observes are learned; sessions flowing through an adjacent switch are not learned. Session monitoring learns sessions that actually flow through the switch; it does not learn all sessions in the entire topology. After a switch is reloaded, any information exchanged during the initial handshake is not available. If the switch picks up the communication after reloading, it detects that a session is in progress but cannot obtain complete information for it.
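The following is an added example, not code from Dell EMC Networking OS, showing what the session monitor described above has to work with: a session is learned from the iSCSI Login Request PDU (initiator and target IQNs, ISID) on a configured target TCP port, a PDU seen on an unknown flow after the handshake is over (the reload case) yields only an incomplete record because later PDUs carry neither ISID nor IQN, and idle sessions age out after the 10-minute default. The PDU bytes, IQNs, ISID, addresses and interface names are constructed for the example.

```python
"""Learning iSCSI sessions from the PDUs that cross the switch.

Added example; this is not Dell EMC Networking OS code.  The PDU bytes, IQNs, ISID,
addresses and interface names are constructed, not captured.
"""
import struct
from typing import Dict, List, Tuple

DEFAULT_TARGET_PORTS = {3260, 860}          # iSCSI well-known ports (Table 46)
LOGIN_REQUEST, SCSI_COMMAND = 0x03, 0x01    # iSCSI opcodes (RFC 7143)
BHS_LEN = 48                                # basic header segment length
Flow = Tuple[str, int, str, int]            # (src ip, src port, dst ip, dst port)


def build_login_request(isid: bytes, initiator: str, target: str) -> bytes:
    """Construct a Login Request PDU: 48-byte BHS plus a NUL-separated text segment."""
    text = f"InitiatorName={initiator}\0TargetName={target}\0SessionType=Normal\0".encode()
    bhs = bytearray(BHS_LEN)
    bhs[0] = 0x40 | LOGIN_REQUEST                  # I bit set, opcode 0x03
    bhs[1] = 0x80 | (1 << 2) | 3                   # T=1, CSG=operational(1), NSG=full feature(3)
    bhs[5:8] = len(text).to_bytes(3, "big")        # DataSegmentLength (unpadded)
    bhs[8:14] = isid                               # ISID, 6 bytes
    return bytes(bhs) + text + b"\0" * (-len(text) % 4)   # pad data segment to 4 bytes


def build_scsi_command() -> bytes:
    """Constructed SCSI Command PDU with no data segment; carries no ISID or IQN."""
    return bytes([SCSI_COMMAND]) + bytes(BHS_LEN - 1)


def parse_bhs(pdu: bytes) -> dict:
    """Decode the fields the monitor needs, bounds-checking DataSegmentLength first."""
    if len(pdu) < BHS_LEN:
        raise ValueError("PDU shorter than the 48-byte basic header segment")
    dsl = int.from_bytes(pdu[5:8], "big")
    if BHS_LEN + dsl > len(pdu):
        raise ValueError("DataSegmentLength overruns the PDU")
    return {"opcode": pdu[0] & 0x3F, "isid": pdu[8:14].hex(),
            "tsih": struct.unpack("!H", pdu[14:16])[0], "data": pdu[BHS_LEN:BHS_LEN + dsl]}


def login_keys(data: bytes) -> Dict[str, str]:
    """Parse the key=value text of a login PDU (NUL-terminated pairs)."""
    pairs = (kv.split(b"=", 1) for kv in data.split(b"\0") if b"=" in kv)
    return {k.decode(): v.decode() for k, v in pairs}


class SessionMonitor:
    def __init__(self, target_ports=DEFAULT_TARGET_PORTS, aging_minutes: int = 10) -> None:
        self.target_ports = set(target_ports)
        self.aging = aging_minutes * 60
        self.sessions: Dict[Flow, dict] = {}

    def observe(self, iface: str, flow: Flow, pdu: bytes, now: float) -> str:
        """Account for one PDU seen on iface; returns what the monitor did with it."""
        if flow[3] not in self.target_ports:
            return "ignored"                       # not a configured iSCSI target port
        hdr = parse_bhs(pdu)
        if hdr["opcode"] == LOGIN_REQUEST:
            keys = login_keys(hdr["data"])
            self.sessions[flow] = {"interface": iface, "isid": hdr["isid"],
                                   "initiator": keys.get("InitiatorName"),
                                   "target": keys.get("TargetName"),
                                   "complete": True, "last_seen": now}
            return "learned"
        session = self.sessions.get(flow)
        if session is None:
            # Mid-session traffic whose login this switch never saw (for example after
            # a reload): only the flow is known; the ISID and IQNs are not recoverable.
            self.sessions[flow] = {"interface": iface, "isid": None, "initiator": None,
                                   "target": None, "complete": False, "last_seen": now}
            return "learned incomplete"
        session["last_seen"] = now
        return "refreshed"

    def age_out(self, now: float) -> List[Flow]:
        """Drop sessions idle longer than the aging time and return them."""
        expired = [f for f, s in self.sessions.items() if now - s["last_seen"] > self.aging]
        for f in expired:
            del self.sessions[f]
        return expired
```

The monitor keys sessions on the TCP 4-tuple rather than on the ISID, because only the login PDUs carry the ISID; that is also why a switch that starts watching a flow after the handshake can associate traffic with a session but never fill in the initiator or target name.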
Enter the iscsi profile-compellent command in INTERFACE Configuration mode; for example:
Dell(conf-if-te-0/50)# iscsi profile-compellent
Application of Quality of Service to iSCSI Traffic Flows
You can configure iSCSI CoS mode. This mode controls whether CoS (dot1p priority) queue assignment and/or packet marking is performed on iSCSI traffic. When you enable iSCSI CoS mode, the CoS policy is applied to iSCSI traffic.
28 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. Introduction to Dynamic LAGs and LACP The Dell Networking OS uses LACP to create dynamic LAGs. LACP provides a standardized means of exchanging information between two systems (also called Partner Systems) and automatically establishes the LAG between the systems.
LACP Modes
Three LACP configuration modes are supported — Off, Active, and Passive.
• Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state.
• Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state. A port in Active state also automatically initiates negotiations with other ports by initiating LACP packets.
The default is 32768.
LACP Configuration Tasks
The following configuration tasks apply to LACP.
• Creating a LAG
• Configuring the LAG Interfaces as Dynamic
• Setting the LACP Long Timeout
• Monitoring and Debugging LACP
• Configuring Shared LAG State Tracking
Creating a LAG
To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces.
• Create a dynamic port channel (LAG).
Dell(conf-if-te-3/16-lacp)#port-channel 32 mode active
...
Dell(conf)#interface Tengigabitethernet 4/15
Dell(conf-if-te-4/15)#no shutdown
Dell(conf-if-te-4/15)#port-channel-protocol lacp
Dell(conf-if-te-4/15-lacp)#port-channel 32 mode active
...
• Debug LACP, including configuration and events.
EXEC mode
[no] debug lacp [config | events | pdu [in | out | [interface [in | out]]]]
Shared LAG State Tracking
Shared LAG state tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG.
Examples of Configuring and Viewing LAGs
In the following example, LAGs 1 and 2 have been placed into the same failover group.
R2#config
R2(conf)#port-channel failover-group
R2(conf-po-failover-grp)#group 1 port-channel 1 port-channel 2
To view the failover group configuration, use the show running-configuration po-failover-group command.
Important Points about Shared LAG State Tracking
The following is more information about shared LAG state tracking.
• This feature is available for static and dynamic LAGs.
• Only a LAG can be a member of a failover group.
• You can configure shared LAG state tracking on one side of a link or on both sides.
• If a LAG that is part of a failover group is deleted, the failover group is deleted.
• If a LAG moves to the Down state due to this feature, its members may still be in the Up state.
Port is part of Port-channel 10
Hardware is Dell Force10Eth, address is 00:01:e8:06:95:c0
    Current address is 00:01:e8:06:95:c0
Interface Index is 109101113
Port will not be disabled on partial SFM failure
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 1000 Mbit, Mode full duplex, Slave
Flowcontrol rx on tx on
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:02:11
Queueing strategy: fifo
Input statistics:
     132 packets, 163668 bytes
     0 Vlans
     0 64-byte p
Figure 66.
Figure 67.
Summary of the LAG Configuration on Bravo
Bravo(conf-if-te-3/21)#int port-channel 10
Bravo(conf-if-po-10)#no ip add
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int tengig 3/21
Bravo(conf-if-te-3/21)#no ip address
Bravo(conf-if-te-3/21)#no switchport
Bravo(conf-if-te-3/21)#shutdown
Bravo(conf-if-te-3/21)#port-channel-protocol lacp
Bravo(conf-if-te-3/21-lacp)#port-channel 10 mode active
Bravo(
Figure 68. Inspecting a LAG Port on BRAVO Using the show interface Command The following figure illustrates inspecting LAG 10 Using the show interfaces port-channel Command.
Figure 69. Inspecting LAG 10 Using the show interfaces port-channel Command The following figure illustrates inspecting the LAG Status Using the show lacp command.
Figure 70. Inspecting the LAG Status Using the show lacp command
The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
29 Layer 2
This chapter describes the Layer 2 features supported on the switch.
Manage the MAC Address Table
You can perform the following management tasks in the MAC address table.
• Clearing the MAC Address Table
• Setting the Aging Time for Dynamic Entries
• Configuring a Static MAC Address
• Displaying the MAC Address Table
Clearing the MAC Address Table
You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
Configuring a Static MAC Address
A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command.
• Create a static MAC address entry in the MAC address table.
CONFIGURATION mode
mac-address-table static
Displaying the MAC Address Table
To display the MAC address table, use the following command.
• Display the contents of the MAC address table.
In this case, the configuration is still present in the running-config and show output. Remove the configuration before re-applying a MAC learning limit with a lower value. Also, ensure that you can view the Syslog messages on your session.
Setting the MAC Learning Limit
To set a MAC learning limit on an interface, use the following command.
• Specify the number of MAC addresses that the system can learn off a Layer 2 interface.
mac learning-limit station-move The mac learning-limit station-move command allows a MAC address already in the table to be learned from another interface. For example, if you disconnect a network device from one interface and reconnect it to another interface, the MAC address is learned on the new interface. When the system detects this “station move,” the system clears the entry learned on the original interface and installs a new entry on the new interface.
• Shut down the second port to learn the MAC address.
INTERFACE mode
station-move-violation shutdown-offending
• Shut down both the first and second port to learn the MAC address.
INTERFACE mode
station-move-violation shutdown-both
• Display a list of all of the interfaces configured with MAC learning limit or station move violation.
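The following is an added example, not code from Dell EMC Networking OS, that models the behavior described in the MAC learning limit and station-move passages above: a per-interface cap on learned addresses (which is what blunts a CAM-table flooding attack), the station-move allowance that clears the old entry and relearns on the new port, and the shutdown-offending and shutdown-both violation actions applied from the second port's configuration. The interface names, limits and MAC addresses are constructed, and the result strings are this example's own, not switch output.

```python
"""MAC learning limit and station-move handling on a Layer 2 interface.

Added example; this is not Dell EMC Networking OS code.  Interface names, limits
and MAC addresses are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

LOG, SHUTDOWN_OFFENDING, SHUTDOWN_BOTH = "log", "shutdown-offending", "shutdown-both"


@dataclass
class PortPolicy:
    learning_limit: Optional[int] = None   # None: no "mac learning-limit" configured
    station_move: bool = False             # "mac learning-limit station-move"
    violation_action: str = LOG            # "station-move-violation ..." on this port


@dataclass
class MacTable:
    policies: Dict[str, PortPolicy] = field(default_factory=dict)
    entries: Dict[str, str] = field(default_factory=dict)   # MAC -> interface
    shutdown: Set[str] = field(default_factory=set)          # ports taken down by a violation
    log: List[str] = field(default_factory=list)             # stands in for syslog

    def learned_on(self, iface: str) -> int:
        return sum(1 for i in self.entries.values() if i == iface)

    def learn(self, mac: str, iface: str) -> str:
        """Handle a source MAC seen on iface and return what the table did with it."""
        if iface in self.shutdown:
            return "dropped: port is shut down"
        policy = self.policies.get(iface, PortPolicy())
        current = self.entries.get(mac)
        if current == iface:
            return "refreshed"
        if current is not None:
            # Station move: the address is already learned on another interface.
            if not policy.station_move:
                return self._violation(mac, current, iface, policy)
            del self.entries[mac]              # clear the old entry, then relearn below
        if policy.learning_limit is not None and self.learned_on(iface) >= policy.learning_limit:
            self.log.append(f"{iface}: learning limit {policy.learning_limit} reached, {mac} not learned")
            return "dropped: learning limit"
        self.entries[mac] = iface
        return "learned"

    def _violation(self, mac: str, old: str, new: str, policy: PortPolicy) -> str:
        self.log.append(f"station move violation: {mac} seen on {new}, learned on {old}")
        if policy.violation_action == SHUTDOWN_OFFENDING:
            self.shutdown.add(new)                 # second port only
        elif policy.violation_action == SHUTDOWN_BOTH:
            self.shutdown.update({old, new})       # first and second port
        return f"violation: {policy.violation_action}"


def mac_flood(table: MacTable, iface: str, count: int) -> int:
    """Replay a CAM-flooding attempt (count distinct constructed source MACs on iface)
    and return how many the learning limit let through."""
    learned = 0
    for i in range(count):
        mac = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        if table.learn(mac, iface) == "learned":
            learned += 1
    return learned


if __name__ == "__main__":
    t = MacTable(policies={"Te 0/1": PortPolicy(learning_limit=100)})
    print("learned under limit:", mac_flood(t, "Te 0/1", 5000))
    print("learned without limit:", mac_flood(MacTable(), "Te 0/2", 5000))
```

With no limit every flooded address is installed, which is how an attacker fills the table and forces unknown-unicast flooding; with a limit the table stops at the configured count and logs the event, so the lower the limit is set relative to the legitimate host count on that port, the less an attacker can do.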
If you don’t use any option, the mac-address-table disable-learning command disables source MAC address learning from both LACP and LLDP BPDUs. NIC Teaming NIC teaming is a feature that allows multiple network interface cards in a server to be represented by one MAC address and one IP address in order to provide transparent redundancy, balancing, and to fully utilize network adapter resources. The following illustration shows a topology where two NICs have been teamed together.
Figure 72. Configuring the mac-address-table station-move refresh-arp Command Configure Redundant Pairs Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 73. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
Important Points about Configuring Redundant Pairs
• You may not configure any interface to be a backup for more than one interface, no interface can have more than one backup, and a backup interface may not have a backup interface.
• The active or backup interface may not be a member of a LAG.
• The active and standby do not have to be of the same type (1G, 10G, and so on).
• You may not enable any Layer 2 protocol on any interface of a redundant pair or on ports connected to them.
and Po 2
Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2
Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-STATE_ACT_STBY: Changed interface state to standby: Po 2
Dell(conf-if-po-1)#
Dell#
Dell#show interfaces switchport backup
Interface        Status    Paired Interface   Status
Port-channel 1   Active    Port-channel 2     Standby
Port-channel 2   Standby   Port-channel 1     Active
Dell#
Dell(conf-if-po-1)#switchport back up interface tengigabitethernet 0/2
Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-
FEFD State Changes FEFD has two operational modes: Normal and Aggressive. When a far-end failure is detected on an FEFD-enabled interface: • If the interface is in normal FEFD mode, no user intervention is required to reset the interface; it automatically resets to an FEFD operational state. • If the interface is in aggressive FEFD mode, manual intervention is required to reset the interface.
Configuring FEFD
You can configure FEFD on all interfaces from CONFIGURATION mode or on individual interfaces from INTERFACE mode.
To enable FEFD globally on all interfaces, use the following command.
• CONFIGURATION mode
fefd-global
To adjust the report interval frequency and the mode, use the following commands.
1 Configure two or more connected interfaces for Layer 2 or Layer 3 traffic.
INTERFACE mode
switchport
ip address ip-address
2 Activate the ports.
• Disable FEFD protocol on one interface.
INTERFACE mode
fefd disable
Disabling an interface shuts down all protocols working on that interface's connected line. It does not delete your previous FEFD configuration, which you can enable again at any time.
To set up and activate two or more connected interfaces, use the following commands.
1 Set up two or more connected interfaces for Layer 2 or Layer 3.
INTERFACE mode
ip address ip-address, switchport
2 Activate the necessary ports administratively.
2w1d22h: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 4/0
2w1d22h: %SYSTEM-P:CP %IFMGR-5-INACTIVE: Changed Vlan interface state to inactive: Vl 1
2w1d22h : FEFD state on Te 4/0 changed from Bi-directional to Unknown
The following example shows the debug fefd packets command.
30 Link Layer Discovery Protocol (LLDP) This chapter describes how to configure and use the link layer discovery protocol (LLDP). 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 48. Type, Length, Value (TLV) Types
Type | TLV | Description
0 | End of LLDPDU | Marks the end of an LLDPDU.
1 | Chassis ID | An administratively assigned name that identifies the LLDP agent.
2 | Port ID | An administratively assigned name that identifies a port through which TLVs are sent and received.
3 | Time to Live | The number of seconds for which the receiving agent retains the information in this LLDPDU before discarding it. A TTL of 0 tells the receiver to discard the sending port's information immediately.
Figure 77. Organizationally Specific TLV
IEEE Organizationally Specific TLVs
Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs.
Table 49. Optional TLV Types
Type | TLV | Description
4 | Port description | A user-defined alphanumeric string that describes the port. The Dell Networking OS does not currently support this TLV.
Type | TLV | Description
(continued) LLDP, but is available and mandatory (nonconfigurable) in the LLDP-MED implementation.
127 | Power via MDI | Dell Networking supports the LLDP-MED protocol, which recommends that the Power via MDI TLV not be implemented; therefore Dell Networking implements the Extended Power via MDI TLV only.
127 | Link Aggregation | Indicates whether the link is capable of being aggregated, whether it is currently in a LAG, and the port identification of the LAG.
Type | SubType | TLV | Description
(continued) • whether the transmitting device supports LLDP-MED • what LLDP-MED TLVs it supports • LLDP device class
127 | 2 | Network Policy | Indicates the application type, VLAN ID, Layer 2 Priority, and DSCP value.
127 | 3 | Location Identification | Indicates the physical location of the device, expressed in one of three possible formats:
127 | 4 | Inventory Management TLVs | Implementation of this set of TLVs is optional in LLDP-MED devices. None or all TLVs must be supported.
LLDP-MED Capabilities TLV
The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
• The value of the LLDP-MED capabilities field in the TLV is a 2-octet bitmap; each bit represents an LLDP-MED capability (as shown in the following table).
• The possible values of the LLDP-MED device type are shown in the following.
• VLAN ID
• VLAN tagged or untagged status
• Layer 2 priority
• DSCP value
An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED network policy TLV is generated for each application type that you specify with the CLI (Advertising TLVs).
Extended Power via MDI TLV The extended power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices. Advertise the extended power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device. • Power Type — there are two possible power types: power source entity (PSE) or power device (PD). The Dell Networking system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification.
LLDP Compatibility
• Spanning tree and Force10 ring protocol “blocked” ports allow LLDPDUs.
• 802.1X controlled ports do not allow LLDPDUs until the connected device is authenticated.
CONFIGURATION versus INTERFACE Configurations
All LLDP configuration commands are available in PROTOCOL LLDP mode, which is a sub-mode of the CONFIGURATION mode and INTERFACE mode.
• Configurations made at the CONFIGURATION level are global; that is, they affect all interfaces on the system.
Enabling LLDP
LLDP is disabled by default. Enable and disable LLDP globally or per interface. If you enable LLDP globally, all UP interfaces send periodic LLDPDUs.
To enable LLDP, use the following commands.
1 Enter Protocol LLDP mode.
CONFIGURATION or INTERFACE mode
protocol lldp
2 Enable LLDP.
PROTOCOL LLDP mode
no disable
Disabling and Undoing LLDP
To disable or undo LLDP, use the following command.
• Disable LLDP globally or for an interface.
LLDP-MANAGEMENT-INTERFACE mode. To undo an LLDP management port configuration, precede the relevant command with the keyword no. Advertising TLVs You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces. • If you configure the system globally, all interfaces send LLDPDUs with the specified TLVs. • If you configure an interface, only the interface sends LLDPDUs with the specified TLVs.
Figure 81. Configuring LLDP Storing and Viewing Unrecognized LLDP TLVs Dell EMC Networking OS provides support to store unrecognized (reserved and organizational specific) LLDP TLVs. Also, support is extended to retrieve the stored unrecognized TLVs using SNMP. When the incoming TLV from LLDP neighbors is not recognized, the TLV is categorized as unrecognized TLV.
The organizationally specific TLV list is limited to 256 entries per neighbor. If more than 256 TLV entries arrive, the oldest entry (of that neighbor) in the list is replaced. A syslog message appears when the organizationally specific unrecognized TLV list exceeds 205 entries (80 percent of 256) so that you can take action.
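The following is an added example, not code from Dell EMC Networking OS, covering the TLV layout from Tables 48 and 49 and the bounded storage of unrecognized TLVs described above. It parses an LLDPDU into TLVs with the 7-bit type and 9-bit length header, separates organizationally specific TLVs (type 127) into OUI, subtype and value, classifies each TLV as recognized or not, and keeps unrecognized TLVs per neighbor with the 256-entry cap, oldest-first replacement and 205-entry warning the text gives. LLDP is unauthenticated, so every length field is bounds-checked before use. The sample LLDPDU, neighbor names, the MAC address and the unknown OUI 00-AA-BB are constructed for the example; the set of "recognized" organizationally specific TLVs is a small illustrative subset, not the switch's full list.

```python
"""LLDPDU TLV parsing and bounded storage of unrecognized TLVs.

Added example; this is not Dell EMC Networking OS code.  Wire format per IEEE
802.1AB: a 2-byte TLV header (7-bit type, 9-bit length); type 127 carries a 3-byte
OUI plus 1-byte subtype; types 9-126 are reserved.  Sample data is constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL, ORG_SPECIFIC = 0, 1, 2, 3, 127
IEEE_8021_OUI = bytes.fromhex("0080c2")   # IEEE 802.1 OUI (Table 49)
TIA_MED_OUI = bytes.fromhex("0012bb")     # TIA OUI used by LLDP-MED

BASIC_TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time to Live",
                   4: "Port Description", 5: "System Name", 6: "System Description",
                   7: "System Capabilities", 8: "Management Address"}
KNOWN_ORG_TLVS = {(IEEE_8021_OUI, 1): "Port VLAN ID",             # illustrative subset
                  (IEEE_8021_OUI, 2): "Port and Protocol VLAN ID",
                  (TIA_MED_OUI, 1): "LLDP-MED Capabilities",
                  (TIA_MED_OUI, 2): "LLDP-MED Network Policy"}


@dataclass
class TLV:
    type: int
    value: bytes                      # information string (after OUI/subtype for type 127)
    oui: Optional[bytes] = None
    subtype: Optional[int] = None

    @property
    def recognized(self) -> bool:
        if self.type == ORG_SPECIFIC:
            return (self.oui, self.subtype) in KNOWN_ORG_TLVS
        return self.type in BASIC_TLV_NAMES


def parse_lldpdu(pdu: bytes) -> List[TLV]:
    """Split an LLDPDU into TLVs, refusing any length that overruns the frame.
    A neighbor controls every length field, so each one is checked before slicing."""
    tlvs, off = [], 0
    while True:
        if off + 2 > len(pdu):
            raise ValueError("LLDPDU ends without an End-of-LLDPDU TLV")
        (hdr,) = struct.unpack_from("!H", pdu, off)
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + tlen > len(pdu):
            raise ValueError(f"TLV type {ttype} length {tlen} overruns the frame")
        body = pdu[off:off + tlen]
        off += tlen
        if ttype == ORG_SPECIFIC:
            if tlen < 4:
                raise ValueError("organizationally specific TLV shorter than OUI + subtype")
            tlvs.append(TLV(ttype, body[4:], body[:3], body[3]))
        else:
            tlvs.append(TLV(ttype, body))
        if ttype == END_OF_LLDPDU:
            if tlen != 0:
                raise ValueError("End-of-LLDPDU TLV must have length 0")
            return tlvs


def ttl_seconds(tlvs: List[TLV]) -> int:
    """Seconds the receiver keeps this neighbor's information (TTL TLV, 16-bit value)."""
    ttl = next(t for t in tlvs if t.type == TTL)
    return struct.unpack("!H", ttl.value)[0]


class UnrecognizedTLVStore:
    """Per-neighbor store of unrecognized TLVs with the bounds described in the text:
    256 entries per neighbor, oldest replaced first, one warning past 205 entries."""
    LIMIT, WARN_AT = 256, 205

    def __init__(self) -> None:
        self.by_neighbor = {}   # neighbor id -> list of (type, oui, subtype, value)
        self.warnings = []      # stands in for the syslog message

    def record(self, neighbor: str, tlvs: List[TLV]) -> int:
        entries = self.by_neighbor.setdefault(neighbor, [])
        for t in tlvs:
            if t.recognized:
                continue
            if len(entries) >= self.LIMIT:
                entries.pop(0)                     # replace the oldest entry
            entries.append((t.type, t.oui, t.subtype, t.value))
            if len(entries) == self.WARN_AT + 1:
                self.warnings.append(f"{neighbor}: unrecognized TLV list exceeds {self.WARN_AT}")
        return len(entries)


def tlv(ttype: int, value: bytes) -> bytes:
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def org_tlv(oui: bytes, subtype: int, value: bytes) -> bytes:
    return tlv(ORG_SPECIFIC, oui + bytes([subtype]) + value)


def sample_lldpdu() -> bytes:
    """Constructed LLDPDU (not a capture): the three mandatory TLVs, a Port VLAN ID TLV,
    one reserved-type TLV and one TLV under an unknown OUI, then End of LLDPDU."""
    return b"".join([
        tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("020000000001")),   # subtype 4: MAC address
        tlv(PORT_ID, b"\x05" + b"TenGigabitEthernet 3/21"),         # subtype 5: interface name
        tlv(TTL, struct.pack("!H", 120)),
        org_tlv(IEEE_8021_OUI, 1, struct.pack("!H", 100)),          # Port VLAN ID 100
        tlv(79, b"\x00\x00\x00\x00"),                                # reserved type 79
        org_tlv(bytes.fromhex("00aabb"), 9, b"\x01\x02\x03\x04"),   # unknown OUI/subtype
        tlv(END_OF_LLDPDU, b""),
    ])
```

The per-neighbor cap matters on an access port: without it, any host could push an unbounded stream of unknown TLVs and grow the store until memory runs out, which is why the store replaces the oldest entry rather than growing and why the warning fires before the cap is reached.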
• Display brief information about adjacent devices.
show lldp neighbors
• Display all of the information that neighbors are advertising.
( 79, 4) ( 80, 4) ( 81, 4) ( 82, 4) ( 83, 4) ( 84, 4) ( 85, 4)
( 89, 4) ( 90, 4) ( 91, 4) ( 92, 4) ( 93, 4) ( 94, 4) ( 95, 4)
( 99, 4) (100, 4) (101, 4) (102, 4) (103, 4) (104, 4) (105, 4)
(109, 4) (110, 4) (111, 4) (112, 4) (113, 4) (114, 4) (115, 4)
(119, 4) (120, 4) (121, 4) (122, 4) (123, 4) (124, 4) (125, 4)
OrgUnknownTLVList:
---------------------------------------------------------------------------
( 86, 4) ( 87, 4) ( 88,
( 96, 4) ( 97, 4) ( 98,
(106, 4) (107, 4) (108
(116, 4) (117, 4)
(126, 4)
no mode
Example of Configuring a Single Mode
R1(conf)#protocol lldp
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#mode ?
rx   Rx only
tx   Tx only
R1(conf-lldp)#mode tx
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 mode tx
 no disable
R1(conf-lldp)#no mode
R1(conf-lldp)#show config
!
proto
 multiplier 5
 no disable
R1(conf-lldp)#no multiplier
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#
Debugging LLDP
You can view the TLVs that your system is sending and receiving. To view the TLVs, use the following commands.
• View a readable version of the TLVs.
The following is an example of LLDPDU with both (Reserved and Organizational specific) unrecognized TLVs.
MIB Object Category | LLDP Variable | LLDP MIB Object | Description
 | statsFramesInTotal | lldpStatsRxPortFramesTotal | Total number of LLDP frames received through the port.
 | statsFramesOutTotal | lldpStatsTxPortFramesTotal | Total number of LLDP frames transmitted through the port.
 | statsTLVsDiscardedTotal | lldpStatsRxPortTLVsDiscardedTotal | Total number of TLVs received then discarded.
 | statsTLVsUnrecognizedTotal | lldpStatsRxPortTLVsUnrecognizedTotal | Total number of all TLVs the local agent does not recognize.
TLV Type | TLV Name | TLV Variable | System | LLDP MIB Object
 | | interface numbering subtype | Local | lldpLocManAddrIfSubtype
 | | | Remote | lldpRemManAddrIfSubtype
 | | interface number | Local | lldpLocManAddrIfId
 | | | Remote | lldpRemManAddrIfId
 | | OID | Local | lldpLocManAddrOID
 | | | Remote | lldpRemManAddrOID
Table 56. LLDP 802.
TLV Sub-Type | TLV Name | TLV Variable | System | LLDP-MED MIB Object
 | | | | lldpXMedRemConfigTLVsTxEnable
 | | LLDP-MED Class Type | Local | lldpXMedLocDeviceClass
 | | | Remote | lldpXMedRemDeviceClass
2 | Network Policy | Application Type | Local | lldpXMedLocMediaPolicyAppType
 | | | Remote | lldpXMedRem
 | | Unknown Policy Flag | |
 | | Tagged Flag | |
 | | VLAN ID | |
 | | L2 Priority | |
 | | DSCP Value | |
3 | Location Identifier | Location Data Format | |
 | | Location ID Data | |
4 | Extended Power via MDI | Power Device Type | |
 | | Power Source | |
TLV Sub-Type | TLV Name | TLV Variable | System | LLDP-MED MIB Object
 | | | | lldpXMedLocXPoEPDPowerSource
 | | | Remote | lldpXMedRemXPoEPSEPowerSource, lldpXMedRemXPoEPDPowerSource
 | | Power Priority | Local | lldpXMedLocXPoEPDPowerPriority, lldpXMedLocXPoEPSEPortPDPriority
 | | | Remote | lldpXMedRemXPoEPSEPowerPriority, lldpXMedRemXPoEPDPowerPriority
 | | Power Value | Local | lldpXMedLocXPoEPSEPortPowerAv, lldpXMedLocXPoEPDPowerReq
 | | | Remote | lldpXMedRemXPoEPSEPowerAv, lldpXMedRemXPoEPDPowerReq
31 Multicast Source Discovery Protocol (MSDP) This chapter describes how to configure and use the multicast source discovery protocol (MSDP). Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
RPs advertise each (S,G) in their domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected.
Figure 84.
With Anycast RP, all the RPs are configured to be MSDP peers of each other. When a source registers with one RP, an SA message is sent to the other RPs informing them that there is an active source for a particular multicast group. The result is that each RP is aware of the active sources in the area of the other RPs. If any of the RPs fail, IP routing converges and one of the RPs becomes the active RP in more than one area. New sources register with the backup RP.
Figure 85.
Figure 86.
Figure 87.
Figure 88. Configuring MSDP
Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1 Enable MSDP.
CONFIGURATION mode
ip multicast-msdp
2 Peer PIM systems in different administrative domains.
CONFIGURATION mode
ip msdp peer connect-source
Example of Configuring and Viewing MSDP
R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
R3(conf)#do show ip msdp summary
Peer Addr        Description   Local Addr   State   Source   SA   Up/Down
To view details about a peer, use the show ip msdp peer command in EXEC privilege mode.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
R3#show ip msdp peer
Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
show ip msdp sa-limit If the total number of active sources is already larger than the limit when limiting is applied, the sources that are already in the OS are not discarded. To enforce the limit in such a situation, use the clear ip msdp sa-cache command to clear all existing entries. Clearing the Source-Active Cache To clear the source-active cache, use the following command. • Clear the SA cache of all, local, or rejected entries, or entries for a specific group.
Figure 89.
Figure 90.
Figure 91.
Figure 92. MSDP Default Peer, Scenario 4
Specifying Source-Active Messages
To specify messages, use the following command.
• Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check.
CONFIGURATION mode
ip msdp default-peer ip-address list
If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
GroupAddr     SourceAddr   RPAddr       LearnedFrom   Expire   UpTime
229.0.50.2    24.0.50.2    200.0.0.50   10.0.50.2     73       00:13:49
229.0.50.3    24.0.50.3    200.0.0.50   10.0.50.2     73       00:13:49
229.0.50.4    24.0.50.4    200.0.0.50   10.0.50.2     73       00:13:49
Dell#show ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime     GroupAddr     SourceAddr   RPAddr       LearnedFrom
00:33:18   229.0.50.64   24.0.50.64   200.0.1.50   10.0.50.2
00:33:18   229.0.50.65   24.0.50.65   200.0.1.50   10.
00:33:18   229.0.50.66   24.0.50.66   200.0.1.50
R1_E600(conf)#do show ip msdp sa-cache
R1_E600(conf)#do show ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
1 rejected SAs received, cache-size 1000
UpTime     GroupAddr   SourceAddr   RPAddr        LearnedFrom   Reason
00:02:20   239.0.0.1   10.11.4.2    192.168.0.1   local         Redistribute
Preventing MSDP from Caching a Remote Source
To prevent MSDP from caching a remote source, use the following commands.
1 OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
Example of Verifying the System is not Advertising Local Sources
In the following example, R1 stops advertising source 10.11.4.2. Because it is already in the SA cache of R3, the entry remains there until it expires.
[Router 1]
R1(conf)#do show run msdp
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 0
ip msdp sa-filter out 192.168.0.3 list mylocalfilter
R1(conf)#do show run acl
!
ip access-list extended mylocalfilter
 seq 5 deny ip host 239.0.0.1 host 10.11.4.
Output (S,G) filter: none

[Router 1]
R1(conf)#do show ip msdp peer
Peer Addr: 192.168.0.3
Local Addr: 0.0.0.0(0) Connect Source: Lo 0
State: Inactive Up/Down Time: 00:00:03
Timers: KeepAlive 30 sec, Hold time 75 sec
SourceActive packet count (in/out): 0/0
SAs learned from this peer: 0
SA Filtering:

Clearing Peer Statistics

To clear the peer statistics, use the following command.

• Reset the TCP connection to the peer and clear all peer statistics.
Input (S,G) filter: none
Output (S,G) filter: none
03:17:10 : MSDP-0: Peer 192.168.0.3, rcvd Keepalive msg
03:17:27 : MSDP-0: Peer 192.168.0.3, sent Source Active msg

MSDP with Anycast RP

Anycast RP uses MSDP with PIM-SM to allow more than one active group to use RP mapping.
Figure 93. MSDP with Anycast RP

Configuring Anycast RP

To configure anycast RP:

1 In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address.
  CONFIGURATION mode
    interface loopback
2 Make this address the RP for the group.
  CONFIGURATION mode
    ip pim rp-address
3 In each routing domain that has multiple RPs serving a group, create another Loopback interface on each RP serving the group with a unique IP address.
4 Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source.
  CONFIGURATION mode
    ip msdp peer
5 Advertise the network of each of the unique Loopback addresses throughout the network.
  ROUTER OSPF mode
    network

Reducing Source-Active Message Flooding

RPs flood source-active messages to all of their peers away from the RP.
 no shutdown
!
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 10.11.3.0/24 area 0
 network 192.168.0.11/32 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 1
ip msdp peer 192.168.0.22 connect-source Loopback 1
ip msdp mesh-group AS100 192.168.0.22
ip msdp originator-id Loopback 1
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4

The following shows an R2 configuration for MSDP with Anycast RP.
The following shows an R3 configuration for MSDP with Anycast RP.

ip multicast-routing
!
interface TenGigabitEthernet 0/21
 ip pim sparse-mode
 ip address 10.11.0.32/24
 no shutdown
interface TenGigabitEthernet 0/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 192.168.0.1/32 area 0
 network 10.11.3.0/24 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 0
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4

MSDP Sample Configuration: R2 Running-Config

ip multicast-routing
!
interface TenGigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface ManagementEthernet 0/0
 ip address 10.11.80.3/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.2 remote-as 100
 neighbor 192.168.0.2 ebgp-multihop 255
 neighbor 192.168.0.
!
interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface TenGigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.2/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 100
!
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.3 remote-as 200
 neighbor 192.168.0.
 neighbor 192.168.0.2 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.1 connect-source Loopback 0
!
ip route 192.168.0.2/32 10.11.0.23

MSDP Sample Configuration: R4 Running-Config

ip multicast-routing
!
interface TenGigabitEthernet 0/21
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
!
interface TenGigabitEthernet 0/22
 ip address 10.10.42.1/24
 no shutdown
!
interface TenGigabitEthernet 0/31
 ip pim sparse-mode
 ip address 10.11.6.43/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.
32 Multiple Spanning Tree Protocol (MSTP)

Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.

Protocol Overview

In contrast, PVST+ allows a spanning tree instance for each VLAN.
• Influencing MSTP Root Selection
• Interoperate with Non-Dell Bridges
• Changing the Region Name or Revision
• Modifying Global Parameters
• Modifying the Interface Parameters
• Configuring an EdgePort
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations

Spanning Tree Variations

The Dell Networking OS supports four variations of spanning tree, as shown in the following table.

Table 58.
• Interoperate with Non-Dell Networking OS Bridges
• Changing the Region Name or Revision
• Modifying Global Parameters
• Modifying the Interface Parameters
• Configuring an EdgePort
• Flush MAC Addresses after a Topology Change
• Debugging and Verifying MSTP Configurations
• Prevent Network Disruptions with BPDU Guard
• Enabling SNMP Traps for Root Elections and Topology Changes

Enable Multiple Spanning Tree Globally

MSTP is not enabled by default.
    msti
  Specify the keyword vlan then the VLANs that you want to participate in the MSTI.

Examples of Creating and Viewing MSTP Instances

The following example shows using the msti command.

Dell(conf)#protocol spanning-tree mstp
Dell(conf-mstp)#msti 1 vlan 100
Dell(conf-mstp)#msti 2 vlan 200-300
Dell(conf-mstp)#show config
!
protocol spanning-tree mstp
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200-300

All bridges in the MSTP region must have the same VLAN-to-instance mapping.
• Assign a number as the bridge priority.
  PROTOCOL MSTP mode
    msti instance bridge-priority priority
  A lower number increases the probability that the bridge becomes the root bridge. The range is from 0 to 61440, in increments of 4096. The default is 32768.

Example of Assigning and Verifying the Root Bridge Priority

By default, the simple configuration shown previously yields the same forwarding path for both MSTIs.
Example of the name Command

To view the current region name and revision, use the show spanning-tree mst configuration command from EXEC Privilege mode.

Dell(conf-mstp)#name my-mstp-region
Dell(conf-mstp)#exit
Dell(conf)#do show spanning-tree mst config
MST region name: my-mstp-region
Revision: 0
MSTI  VID
1     100
2     200-300

Modifying Global Parameters

The root bridge sets the values for forward-delay, hello-time, max-age, and max-hops and overwrites the values set on other MSTP bridges.
  PROTOCOL MSTP mode
    max-hops number
  The range is from 1 to 40. The default is 20.

Example of the forward-delay Parameter

To view the current values for MSTP parameters, use the show running-config spanning-tree mstp command from EXEC privilege mode.
    spanning-tree msti number priority priority
  The range is from 0 to 240, in increments of 16. The default is 128.

To view the current values for these interface parameters, use the show config command from INTERFACE mode.

Configuring an EdgePort

The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner.
Flush MAC Addresses after a Topology Change The system has an optimized MAC address flush mechanism for RSTP, MSTP, and PVST+ that flushes addresses only when necessary, which allows for faster convergence during topology changes. However, you may activate the flushing mechanism defined by 802.1Q-2003 using the tc-flush-standard command, which flushes MAC addresses after every topology change notification.
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 1/31
 no ip address
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown

Router 2 Running-Configuration

This example uses the following steps:

1 Enable MSTP globally and set the region name and revision map MSTP instance
 tagged TenGigabitEthernet 2/11,31
 no shutdown

Router 3 Running-Configuration

This example uses the following steps:

1 Enable MSTP globally and set the region name and revision; map MSTP instances to the VLANs.
2 Assign Layer-2 interfaces to the MSTP topology.
3 Create VLANs mapped to MSTP instances; tag interfaces to the VLANs.
 spanning-tree MSTi vlan 2 300
(Step 2)
interface 1/0/31
 no shutdown
 spanning-tree port mode enable
 switchport protected 0
 exit
interface 1/0/32
 no shutdown
 spanning-tree port mode enable
 switchport protected 0
 exit
(Step 3)
interface vlan 100
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 200
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 300
 tagged 1/0/31
 tagged 1/0/32
 exit

Debugging and Verifying MSTP Configurations

To debug and verify MSTP configuration, use the following commands.

• Display BPDUs.
  – Is the Region name blank? That may mean that a name was configured on one router but was not configured, or was configured differently, on another router (spelling and capitalization count).
• MSTP Instances.
  – To verify the VLAN to MSTP instance mapping, use the show commands.
  – Are there “extra” MSTP instances in the Sending or Received logs? This may mean that an additional MSTP instance was configured on one router but not the others.

The following example shows viewing an MSTP configuration.
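The checklist above (blank or differently spelled region name, mismatched revision, extra or missing instances, different VLAN-to-instance mapping) is exactly the comparison a bridge performs when it decides whether a neighbor is in the same MST region, so it can be automated over collected show output. As an added example, not code from this guide or from Dell Networking OS, the following Python parses the show spanning-tree mst configuration output format shown earlier in this chapter for several bridges and reports every way a bridge's region identity diverges from a chosen reference bridge. The three outputs are constructed for the example (one bridge differs only in capitalization, one has an extra MSTI); the function names and message wording are this example's own.

```python
import re

# Constructed "show spanning-tree mst configuration" outputs for three bridges (not from
# a real deployment). R1 is the reference; R2 differs only in case, R3 has an extra MSTI.
ROUTER_OUTPUTS = {
    "R1": "MST region name: my-mstp-region\nRevision: 0\nMSTI  VID\n1     100\n2     200-300\n",
    "R2": "MST region name: My-MSTP-Region\nRevision: 0\nMSTI  VID\n1     100\n2     200-300\n",
    "R3": "MST region name: my-mstp-region\nRevision: 0\nMSTI  VID\n1     100\n2     200-300\n3     400\n",
}

NAME_RE = re.compile(r"^MST region name:\s*(.*?)\s*$")
REVISION_RE = re.compile(r"^Revision:\s*(\d+)\s*$")
MSTI_RE = re.compile(r"^(\d+)\s+([\d,\-]+)\s*$")  # rows under the "MSTI  VID" header


def expand_vlans(spec):
    """'100' -> {100}; '200-300,400' -> {200, ..., 300, 400}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(vlans)


def parse_mst_config(text):
    cfg = {"name": None, "revision": None, "msti": {}}
    for line in text.splitlines():
        if m := NAME_RE.match(line):
            cfg["name"] = m.group(1)          # may be "" when the name was never set
        elif m := REVISION_RE.match(line):
            cfg["revision"] = int(m.group(1))
        elif m := MSTI_RE.match(line):
            cfg["msti"][int(m.group(1))] = expand_vlans(m.group(2))
    return cfg


def compare_regions(outputs, reference):
    """Return (router, problem) pairs for every bridge whose region name, revision or
    VLAN-to-instance mapping does not match the reference bridge exactly."""
    ref = parse_mst_config(outputs[reference])
    findings = []
    for router, text in outputs.items():
        if router == reference:
            continue
        cfg = parse_mst_config(text)
        if not cfg["name"]:
            findings.append((router, "region name is blank"))
        elif cfg["name"] != ref["name"]:
            findings.append((router, f"region name {cfg['name']!r} != {ref['name']!r} "
                                     "(comparison is case-sensitive)"))
        if cfg["revision"] != ref["revision"]:
            findings.append((router, f"revision {cfg['revision']} != {ref['revision']}"))
        for inst in sorted(set(cfg["msti"]) - set(ref["msti"])):
            findings.append((router, f"extra MSTI {inst} not present on {reference}"))
        for inst in sorted(set(ref["msti"]) - set(cfg["msti"])):
            findings.append((router, f"MSTI {inst} missing"))
        for inst in sorted(set(cfg["msti"]) & set(ref["msti"])):
            if cfg["msti"][inst] != ref["msti"][inst]:
                findings.append((router, f"MSTI {inst} VLAN mapping differs"))
    return findings


if __name__ == "__main__":
    for router, problem in compare_regions(ROUTER_OUTPUTS, "R1"):
        print(f"{router}: {problem}")
```

The VLAN ranges are expanded to sets before comparison so that "200-300" on one bridge and "200-250,251-300" on another are correctly treated as the same mapping; only the name and revision are compared as literal strings, which is also how the protocol compares them.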
33 Multicast Features

The Dell Networking OS supports the following multicast protocols:

• PIM Sparse-Mode (PIM-SM)
• Internet Group Management Protocol (IGMP)
• Multicast Source Discovery Protocol (MSDP)

Topics:

• Enabling IP Multicast
• Implementation Information
• First Packet Forwarding for Lossless Multicast
• Multicast Policies
• Understanding Multicast Traceroute (mtrace)
• Printing Multicast Traceroute (mtrace) Paths
• Supported Error Codes
• mtrace Scenarios

Enabling IP Multic
Protocol  Ethernet Address
NTP       01:00:5e:00:01:01
VRRP      01:00:5e:00:00:12
PIM-SM    01:00:5e:00:00:0d

• The Dell Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm.
• Multicast is not supported on secondary IP addresses.
• Egress L3 ACL is not applied to multicast data traffic if you enable multicast routing.

First Packet Forwarding for Lossless Multicast

All initial multicast packets are forwarded to receivers to achieve lossless multicast.
When the multicast route limit is reached, Dell Networking OS displays the following:

3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB limit reached. No new routes will be learnt until TIB level falls below low watermark.
3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB below low watermark. Route learning will begin.

To limit the number of multicast routes, use the following command.

• Limit the total number of multicast routes on the system.
Figure 96. Preventing a Host from Joining a Group

Table 60. Preventing a Host from Joining a Group — Description

Location  Description
1/21      • Interface GigabitEthernet 1/21
          • ip pim sparse-mode
          • ip address 10.11.12.1/24
          • no shutdown
1/31      • Interface GigabitEthernet 1/31
          • ip pim sparse-mode
          • ip address 10.11.13.
Location  Description
          • ip pim sparse-mode
          • ip address 10.11.1.1/24
          • no shutdown
2/11      • Interface GigabitEthernet 2/11
          • ip pim sparse-mode
          • ip address 10.11.12.2/24
          • no shutdown
2/31      • Interface GigabitEthernet 2/31
          • ip pim sparse-mode
          • ip address 10.11.23.1/24
          • no shutdown
3/1       • Interface GigabitEthernet 3/1
          • ip pim sparse-mode
          • ip address 10.11.5.1/24
          • no shutdown
3/11      • Interface GigabitEthernet 3/11
          • ip pim sparse-mode
          • ip address 10.11.13.
• Limit the rate at which new groups can be joined.
  INTERFACE mode
    ip igmp group-join-limit

To view the enable status of this feature, use the show ip igmp interface command from EXEC Privilege mode.

Preventing a PIM Router from Forming an Adjacency

To prevent a router from participating in PIM (for example, to configure stub multicast routing), use the following command.

• Prevent a router from participating in protocol independent multicast (PIM).
Figure 97. Preventing a Source from Transmitting to a Group

Table 61. Preventing a Source from Transmitting to a Group — Description

Location  Description
1/21      • Interface GigabitEthernet 1/21
          • ip pim sparse-mode
          • ip address 10.11.12.1/24
          • no shutdown
1/31      • Interface GigabitEthernet 1/31
          • ip pim sparse-mode
          • ip address 10.11.13.
Location  Description
          • ip pim sparse-mode
          • ip address 10.11.1.1/24
          • no shutdown
2/11      • Interface GigabitEthernet 2/11
          • ip pim sparse-mode
          • ip address 10.11.12.2/24
          • no shutdown
2/31      • Interface GigabitEthernet 2/31
          • ip pim sparse-mode
          • ip address 10.11.23.1/24
          • no shutdown
3/1       • Interface GigabitEthernet 3/1
          • ip pim sparse-mode
          • ip address 10.11.5.1/24
          • no shutdown
3/11      • Interface GigabitEthernet 3/11
          • ip pim sparse-mode
          • ip address 10.11.13.
Preventing a PIM Router from Processing a Join

To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command.

NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process, resulting in excessive traffic being sent to the CPU of both the RP and the PIM DR of the source.
Important Points to Remember

• Destination address of the mtrace query message can be either a unicast or a multicast address.
  NOTE: When you use mtrace to trace a specific multicast group, the query is sent with the group's address as the destination. Retries of the query use the unicast address of the receiver.
• When you issue an mtrace without specifying a group address (weak mtrace), the destination address is considered as the unicast address of the receiver.
  – Source Network/Mask — source mask

Example of the mtrace Command to View the Network Path

The following is an example of tracing a multicast route.

R1>mtrace 103.103.103.3 1.1.1.1 226.0.0.3
Type Ctrl-C to abort.
Querying reverse path for source 103.103.103.3 to destination 1.1.1.1 via group 226.0.0.
The response data block filled in by the last-hop router contains a Forwarding code field. Forwarding code can be added at any node and is not restricted to the last hop router. This field is used to record error codes before forwarding the response to the next neighbor in the path towards the source. In a response data packet, the following error codes are supported:

Table 63.
Scenario / Output (continued)

    -4 103.103.103.3 --> Source
    -----------------------------------------------------------------

Scenario: You can issue the mtrace command specifying the source multicast tree and multicast group without specifying the destination. Mtrace traces the complete path traversing through the multicast group to reach the source. The output displays the destination and the first hop (-1) as 0 to indicate any PIM enabled interface on the node.

Output:
    R1>mtrace 103.103.103.3 1.1.1.1 226.0.0.3
    Type Ctrl-C to abort.
Scenario / Output (continued)

    103.103.103.0/24
    -3 2.2.2.1 PIM 103.103.103.0/24
    -4 103.103.103.3 --> Source
    -----------------------------------------------------------------

Scenario: You can issue the mtrace command by providing the source and multicast information. However, if the multicast group is a shared group (*,G), then mtrace traces the path of the shared tree until it reaches the RP. The source mask field reflects the shared tree that is being used to trace the path.
Scenario / Output (continued)

    -3 10.10.10.1 PIM No route default
    -----------------------------------------------------------------

Scenario: If a multicast tree is not formed due to a configuration issue (for example, PIM is not enabled on one of the interfaces on the path), you can invoke a weak mtrace to identify the location in the network where the error has originated.

Output:
    R1>mtrace 6.6.6.6 4.4.4.5
    Type Ctrl-C to abort.
Scenario / Output (continued)

    -3 2.2.2.1 PIM 99.99.0.0/16
    -4 * * * *
    -----------------------------------------------------------------

Scenario: If there is no response for mtrace even after switching to expanded hop search, the command displays an error message.

Output:
    R1>mtrace 99.99.99.99 1.1.1.1
    Type Ctrl-C to abort.

Scenario: While traversing the path from source to destination, if the mtrace packet exhausts the maximum buffer size of the packet, then NO SPACE error is displayed in the output.
Scenario / Output (continued)

Scenario: scenario, a corresponding error message is displayed.

Output:
    ---------------------------------------------------------------
    |Hop| OIF IP |Proto| Forwarding Code |Source Network/ Mask|
    ---------------------------------------------------------------
    0  4.4.4.5 --> Destination
    -1 4.4.4.4 PIM 6.6.6.0/24
    -2 20.20.20.2 PIM 6.6.6.0/24
    -3 10.10.10.1 PIM Wrong interface 6.6.6.0/24
    ---------------------------------------------------------------

Output:
    R1>mtrace 6.6.6.6 4.4.4.5
    Type Ctrl-C to abort.
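The scenarios above all come down to the same reading exercise: walk the hop table from the destination (hop 0) back toward the source and find the first hop that recorded a forwarding code ("Wrong interface", "No route"), or that never answered ("* * * *"). As an added example, not code from this guide or from Dell Networking OS, the following Python parses mtrace output in the format shown in this section into per-hop records and returns the hop where the trace first went wrong. The two sample traces are constructed to match the formats shown above (one ends in "Wrong interface", one in a non-responding hop); the record fields, the "No response" pseudo-code and the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed mtrace outputs in the format shown above (not captured from a real router).
MTRACE_WRONG_INTERFACE = """\
Querying reverse path for source 6.6.6.6 to destination 4.4.4.5
---------------------------------------------------------------
|Hop| OIF IP |Proto| Forwarding Code |Source Network/ Mask|
---------------------------------------------------------------
0  4.4.4.5 --> Destination
-1 4.4.4.4 PIM 6.6.6.0/24
-2 20.20.20.2 PIM 6.6.6.0/24
-3 10.10.10.1 PIM Wrong interface 6.6.6.0/24
---------------------------------------------------------------
"""

MTRACE_NO_RESPONSE = """\
Querying reverse path for source 99.99.99.99 to destination 1.1.1.1
---------------------------------------------------------------
|Hop| OIF IP |Proto| Forwarding Code |Source Network/ Mask|
---------------------------------------------------------------
0  1.1.1.1 --> Destination
-1 1.1.1.2 PIM 99.99.0.0/16
-2 3.3.3.1 PIM 99.99.0.0/16
-3 2.2.2.1 PIM 99.99.0.0/16
-4 * * * *
---------------------------------------------------------------
"""

# A hop line starts with 0 or a negative hop count; banner, header and dashed
# separator lines do not match.
HOP_RE = re.compile(r"^(-?\d+)\s+(.+)$")


@dataclass(frozen=True)
class Hop:
    hop: int          # 0 is the destination; -1, -2, ... walk back toward the source
    oif: str          # outgoing interface address, or "*" when the hop did not answer
    proto: str
    code: str         # forwarding code; empty when the hop forwarded normally
    source_net: str   # source network/mask, "default", or the endpoint marker


def parse_mtrace(text):
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if not m:
            continue
        hop, rest = int(m.group(1)), m.group(2).split()
        if rest == ["*"] * 4:
            # Hop timed out; recorded with a pseudo-code so first_error() reports it.
            hops.append(Hop(hop, "*", "*", "No response", "*"))
        elif "-->" in rest:
            # Endpoint line: "<addr> --> Destination" or "<addr> --> Source".
            hops.append(Hop(hop, rest[0], "", "", rest[-1]))
        else:
            # Everything between the protocol and the final source-network column
            # is the (possibly multi-word, possibly empty) forwarding code.
            oif, proto, *code_words, source_net = rest
            hops.append(Hop(hop, oif, proto, " ".join(code_words), source_net))
    return hops


def first_error(hops):
    """Return the hop nearest the destination that recorded a forwarding code, or None."""
    for h in hops:
        if h.code:
            return h
    return None


if __name__ == "__main__":
    for sample in (MTRACE_WRONG_INTERFACE, MTRACE_NO_RESPONSE):
        bad = first_error(parse_mtrace(sample))
        print(f"hop {bad.hop} ({bad.oif}): {bad.code}" if bad else "path clean")
```

Because the hop list preserves the router's own ordering, the hop returned by first_error is the one nearest the receiver at which the problem is recorded, which is where a defender should start looking when a weak mtrace is used to localize a PIM configuration problem.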
34 Object Tracking

IPv4 or IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking operating system (OS) client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes.
Figure 98. Object Tracking Example

When you configure a tracked object, such as an IPv4 or IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:

• UP and DOWN thresholds used to report changes in a route metric.
• A time delay before changes in a tracked object’s state are reported to a client.

Track Layer 2 Interfaces

You can create an object to track the line-protocol state of a Layer 2 interface.
Track IPv4 and IPv6 Routes You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4 or IPv6 address and prefix-length. Optionally specify a tracked route by a virtual routing and forwarding (VRF) instance name if the tracked route is part of a VRF. The next-hop address is not part of the definition of the tracked object.
• 2 ISIS routes - 1 to 1000. The default is 1.
• OSPF routes - 1 to 1592. The default is 1.

Configure object tracking on the metric of an IPv4 or IPv6 route.
  CONFIGURATION mode
    track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} metric threshold [vrf vrf-name]
  Valid object IDs are from 1 to 65535. Enter an IPv4 address in dotted decimal format. Valid IPv4 prefix lengths are from /0 to /32. Enter an IPv6 address in X:X:X:X::X format.
The following example configures object tracking on the metric threshold of an IPv6 route.

Dell(conf)#track 8 ipv6 route 2::/64 metric threshold
Dell(conf-track-8)#threshold metric up 30
Dell(conf-track-8)#threshold metric down 40

Track Route Reachability

If you configure the reachability of an IP route entry as a tracked object, the UP/DOWN state of the route is determined by the entry of the next-hop address in the ARP cache.
Examples of IPv4 and IPv6 Tracking Route Reachability

The following example configures object tracking on the reachability of an IPv4 route.

Dell(conf)#track 104 ip route 10.0.0.0/8 reachability
Dell(conf-track-104)#delay up 20 down 10
Dell(conf-track-104)#end
Dell#show track 104
Track 104
  IP route 10.0.0.0/8 reachability
  Reachability is Down (route not in route table)
  2 changes, last change 00:02:49
  Tracked by:
Dell#configure
Dell(conf)#track 4 ip route 3.1.1.
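The two knobs shown in the examples above, metric thresholds (up 30 / down 40) and report delays (up 20 / down 10), together determine when a client such as VRRP is told that a tracked object changed state, and a misjudged pair can make a gateway fail over on a transient metric blip. As an added example, not code from this guide or from Dell Networking OS, the following Python models one tracked route with both knobs applied and replays a constructed sequence of metric samples through it. The threshold and delay semantics it implements are assumptions stated in the class docstring, not something this page specifies: UP at or below the up threshold, DOWN at or above the down threshold, no change in between, and a state change reported only after it has persisted for the matching delay. The sample timeline, the class and function names are this example's own.

```python
class TrackedRouteMetric:
    """Model of one `track ... metric threshold` object with `threshold metric up/down`
    and `delay up/down` applied.

    Assumed semantics (not stated on this page): the raw state becomes UP when the metric
    is at or below the up threshold, DOWN when it is at or above the down threshold, and
    is unchanged in between (hysteresis). A raw state change is reported to clients only
    after it has persisted for the matching delay; if the metric returns to the reported
    state before the delay expires, the pending report is cancelled. State is evaluated
    only when a metric sample arrives.
    """

    def __init__(self, up_threshold, down_threshold, delay_up=0, delay_down=0, initial="DOWN"):
        if up_threshold > down_threshold:
            raise ValueError("up threshold must not exceed down threshold")
        self.up_threshold = up_threshold
        self.down_threshold = down_threshold
        self.delay = {"UP": delay_up, "DOWN": delay_down}
        self.reported = initial   # what clients currently see
        self.raw = initial        # what the thresholds currently say
        self.pending = None       # (state, time first seen) while a change waits out its delay
        self.changes = []         # (time, new state) for every reported transition

    def observe(self, t, metric):
        """Feed one metric sample taken at time t (seconds); return the reported state."""
        if metric <= self.up_threshold:
            self.raw = "UP"
        elif metric >= self.down_threshold:
            self.raw = "DOWN"
        # between the thresholds: raw state is unchanged (hysteresis band)

        if self.raw == self.reported:
            self.pending = None   # any pending change is cancelled: the flap was shorter than the delay
            return self.reported
        if self.pending is None or self.pending[0] != self.raw:
            self.pending = (self.raw, t)
        if t - self.pending[1] >= self.delay[self.raw]:
            self.reported = self.raw
            self.pending = None
            self.changes.append((t, self.reported))
        return self.reported


# Constructed (time, metric) samples for thresholds up 30 / down 40 and delay up 20 / down 10.
# 0-20 s: metric good, UP reported once the 20 s up-delay elapses.
# 30 s:   metric 35 sits in the hysteresis band, state unchanged.
# 40-50 s: metric bad, DOWN reported after the 10 s down-delay.
# 55-60 s: a 5 s dip back to a good metric is shorter than the up-delay and is suppressed.
SAMPLES = [(0, 25), (10, 25), (20, 25), (30, 35), (40, 45), (45, 45), (50, 45), (55, 20), (60, 45)]


def simulate(samples, up=30, down=40, delay_up=20, delay_down=10):
    tracker = TrackedRouteMetric(up, down, delay_up, delay_down)
    reported = [(t, tracker.observe(t, m)) for t, m in samples]
    return reported, tracker.changes


if __name__ == "__main__":
    reported, changes = simulate(SAMPLES)
    for t, state in reported:
        print(f"t={t:>3}s reported={state}")
    print("transitions:", changes)
```

With these values the replay produces exactly two reported transitions (UP at 20 s, DOWN at 50 s) from nine samples; the dip at 55 s is absorbed by the up-delay, which is the dampening behaviour a VRRP client relies on to avoid an unnecessary master change.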
Object Tracking Configuration

You can configure three types of object tracking for a client.

• Track Layer 2 Interfaces
• Track Layer 3 Interfaces
• Track IPv4 and IPv6 Routes

For a complete listing of all commands related to object tracking, refer to the Dell Networking OS Command Line Interface Reference Guide.

Tracking a Layer 2 Interface

You can create an object that tracks the line-protocol state of a Layer 2 interface and monitors its operational status (UP or DOWN).
Example of Configuring Object Tracking

Dell(conf)#track 100 interface tengigabitethernet 7/1/1 line-protocol
Dell(conf-track-100)#delay up 20
Dell(conf-track-100)#description San Jose data center
Dell(conf-track-100)#end
Dell#show track 100
Track 100
  Interface TenGigabitEthernet 7/1/1 line-protocol
  Description: San Jose data center

Tracking a Layer 3 Interface

You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface.
  The text string can be up to 80 characters.
4 (Optional) Display the tracking configuration and the tracked object’s status.
  EXEC Privilege mode
    show track object-id

Examples of Configuring Object Tracking for an IPv4 or IPv6 Interface

Example of configuring object tracking for an IPv4 interface.
Track 3
  IPv6 route 2050::/64 reachability
  Reachability is Up (STATIC)
  5 changes, last change 00:02:16
  First-hop interface is GigabitEthernet 13/2
  Tracked by:
    VRRP GigabitEthernet 7/30 IPv6 VRID 1
Track 4
  Interface GigabitEthernet 13/4 ip routing
  IP routing is Up
  3 changes, last change 00:03:30
  Tracked by:

Example of the show track brief command.

Router# show track brief
ResId  Resource               Parameter     State  LastChange
1      IP route reachability  10.16.0.0/16

Example of the show track resolution command.
35 Open Shortest Path First (OSPFv2 and OSPFv3)

This chapter describes how to configure and use Open Shortest Path First (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6).

NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3. This chapter identifies and clarifies the differences between the two versions of OSPF. Except where identified, the information in this chapter applies to both protocol versions.
Areas allow you to further organize your routers within the AS. One or more areas are required within the AS. Areas are valuable in that they allow sub-networks to "hide" within the AS, thus minimizing the size of the routing tables on all routers. An area within the AS may not see the details of another area’s topology. AS areas are known by their area number or the router’s IP address.

Figure 99. Autonomous System Areas

Area Types

The backbone of the network is Area 0. It is also called Area 0.0.0.
• Totally stubby areas are referred to as no summary areas in the Dell Networking OS. Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism.
Figure 100. OSPF Routing Examples

Backbone Router (BR)

A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example.

Area Border Router (ABR)

Within an AS, an area border router (ABR) connects one or more areas to the backbone.
An ABR can connect to many areas in an AS, and is considered a member of each area it connects to.

Autonomous System Border Router (ASBR)

The autonomous system border router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a protocol other than an interior gateway protocol (IGP), such as BGP, or uses static routes.
• Type 7: External LSA — Routers in an NSSA do not receive external LSAs from ABRs, but are allowed to send external routing information for redistribution. They use Type 7 LSAs to tell the ABRs about these external routes, which the ABR then translates to Type 5 external LSAs and floods as normal to the rest of the OSPF network. • Type 8: Link LSA (OSPFv3) — This LSA carries the IPv6 address information of the local links.
• Priority is a numbered rating 0 to 255. The higher the number, the higher the priority.
• Cost is a numbered rating 1 to 65535. The higher the number, the greater the cost. The cost assigned reflects the cost should the router fail. When a router fails and the cost is assessed, a new priority number results.

Figure 101. Priority and Cost Examples

OSPF Implementation

The Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2.
• Grace LSA, OSPFv3 only (type 11)

Fast Convergence (OSPFv2, IPv4 Only)

Fast convergence allows you to define the speeds at which LSAs are originated and accepted, and reduce OSPFv2 end-to-end convergence time. The system allows you to accept and originate LSAs as soon as they are available to speed up route information propagation.

NOTE: The faster the convergence, the more frequent the route calculations and updates. This impacts CPU utilization and may impact adjacency stability in larger topologies.
Examples of OSPF Flooding Behavior

To confirm RFC 2328 flooding behavior, use the debug ip ospf packet command. The following example shows no change in the updated packets (shown in bold). ACKs 2 (shown in bold) is printed only for ACK packets.

00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2
  aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 1000
  LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.0 seq:0x8000000c
  LSType:Type-5 AS External id:160.1.2.0 adv:6.1.0.
Examples of Setting and Viewing a Dead Interval

In the following example, the dead interval is set at 4x the hello interval (shown in bold).

Dell(conf)#int te 2/2
Dell(conf-if-te-2/2)#ip ospf hello-interval 20
Dell(conf-if-te-2/2)#ip ospf dead-interval 80
Dell(conf-if-te-2/2)#

In the following example, the dead interval is set at 4x the hello interval (shown in bold).
• Troubleshooting OSPFv2

1 Configure a physical interface. Assign an IP address, physical or Loopback, to the interface to enable Layer 3 routing.
2 Enable OSPF globally. Assign network area and neighbors.
3 Add interfaces or configure other attributes.

For a complete list of the OSPF commands, refer to the OSPF section in the Dell Networking OS Command Line Reference Guide document.

Enabling OSPFv2

To enable Layer 3 routing, assign an IP address to an interface (physical or Loopback).
  CONFIG-ROUTER-OSPF-id mode
    router-id ip address
• Disable OSPF.
  CONFIGURATION mode
    no router ospf process-id
• Reset the OSPFv2 process.
  EXEC Privilege mode
    clear ip ospf process-id
• View the current OSPFv2 status.
  EXEC mode
    show ip ospf process-id

Example of Viewing the Current OSPFv2 Status

Dell#show ip ospf 55555
Routing Process ospf 55555 with ID 10.10.10.
If you try to enable more OSPF processes than available Layer 3 interfaces, the following message displays:

Dell(conf)#router ospf 1
% Error: No router ID available.

Assigning an OSPFv2 Area

After you enable OSPFv2, assign the interface to an OSPF area. Set up OSPF areas and enable OSPFv2 on an interface with the network command. You must have at least one AS area: Area 0. This is the backbone area. If your OSPF network contains more than one area, configure a backbone area (Area ID 0.0.0.0).
To view the configuration, use the show config command in CONFIGURATION ROUTER OSPF mode.

OSPF, by default, sends hello packets out to all physical interfaces assigned an IP address that is a subset of a network on which OSPF is enabled. To view currently active interfaces and the areas assigned to them, use the show ip ospf interface command.

Example of Viewing Active Interfaces and Assigned Areas

Dell>show ip ospf 1 interface
TengigabitEthernet 12/17 is up, line protocol is up
  Internet Address 10.2.2.
To configure a stub area, use the following commands.

1 Review all areas after they were configured to determine which areas are NOT receiving type 5 LSAs.
  EXEC Privilege mode
    show ip ospf process-id [vrf] database database-summary
2 Enter CONFIGURATION mode.
  EXEC Privilege mode
    configure
3 Enter ROUTER OSPF mode.
  CONFIGURATION mode
    router ospf process-id [vrf]
  Process ID is the ID assigned when configuring OSPFv2 globally.
4 Configure the area as a stub area.
Enabling Passive Interfaces

A passive interface is one that does not send or receive routing information. Enabling a passive interface suppresses routing updates on that interface. Although the passive interface does not send or receive routing updates, the network on that interface is still included in OSPF updates sent via other interfaces. To suppress an interface’s participation in OSPF, use the following command. This command stops the router from sending updates on that interface.
Enabling Fast-Convergence The fast-convergence CLI sets the minimum origination and arrival LSA parameters to zero (0), allowing rapid route calculation. When you disable fast-convergence, origination and arrival LSA parameters are set to 5 seconds and 1 second, respectively. Setting the convergence parameter (from 1 to 4) indicates the actual convergence level.
Changing OSPFv2 Parameters on Interfaces

You can modify the OSPF configuration on switch interfaces. Some interface parameter values must be consistent across all interfaces to avoid routing errors. For example, set the same time interval for the hello packets on all routers in the OSPF network to prevent misconfiguration of OSPF neighbors.

To change OSPFv2 parameters on the interfaces, use any or all of the following commands.

• Change the cost associated with OSPF traffic on the interface.
  – seconds: the range is from 1 to 65535 (the default is 5 seconds).
  The retransmit interval must be the same on all routers in the OSPF network.
• Change the wait period between link state update packets sent out the interface.
  CONFIG-INTERFACE mode
    ip ospf transmit-delay seconds
  – seconds: the range is from 1 to 65535 (the default is 1 second).
  The transmit delay must be the same on all routers in the OSPF network.
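The consistency requirements spread across this section (matching hello and dead intervals, as in the 4x example earlier, and matching retransmit interval and transmit delay on all routers) are easy to violate one interface at a time, and a mismatch shows up only as adjacencies that never form or that flap. As an added example, not code from this guide or from Dell Networking OS, the following Python parses running-config interface blocks in the style shown in this chapter from several routers, groups the interfaces by IP subnet, and reports any timer that differs between routers on the same subnet, plus any interface whose dead interval does not exceed its hello interval. The four router configurations are constructed for the example; the default values assumed for unset timers (hello 10, dead 40, retransmit 5, transmit-delay 1) are this example's assumptions, with the last two taken from the defaults stated above, and the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed running-config fragments (not from a real network). R1/R2 share 10.1.1.0/24
# with matching timers; R3/R4 share 10.1.2.0/24 but R3 is left at defaults; R4's second
# interface has a dead interval equal to its hello interval.
CONFIGS = {
    "R1": "interface TenGigabitEthernet 2/2\n ip address 10.1.1.1/24\n"
          " ip ospf hello-interval 20\n ip ospf dead-interval 80\n no shutdown\n!\n",
    "R2": "interface TenGigabitEthernet 2/2\n ip address 10.1.1.2/24\n"
          " ip ospf hello-interval 20\n ip ospf dead-interval 80\n no shutdown\n!\n",
    "R3": "interface TenGigabitEthernet 3/1\n ip address 10.1.2.1/24\n no shutdown\n!\n",
    "R4": "interface TenGigabitEthernet 4/1\n ip address 10.1.2.2/24\n"
          " ip ospf hello-interval 20\n ip ospf dead-interval 80\n no shutdown\n!\n"
          "interface TenGigabitEthernet 4/2\n ip address 10.1.3.1/24\n"
          " ip ospf hello-interval 30\n ip ospf dead-interval 30\n no shutdown\n!\n",
}

# Assumed values for timers not present in the config (hello/dead are the usual OSPF
# defaults; retransmit and transmit-delay defaults are the ones stated above).
DEFAULTS = {"hello-interval": 10, "dead-interval": 40, "retransmit-interval": 5, "transmit-delay": 1}
TIMER_RE = re.compile(r"^ip ospf (hello-interval|dead-interval|retransmit-interval|transmit-delay) (\d+)$")


def parse_ospf_interfaces(config):
    """Return {interface name: {"network": IPv4Network or None, <timer>: value, ...}}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = {"network": None, **DEFAULTS}
        elif line == "!":
            current = None
        elif current is None:
            continue
        elif line.startswith("ip address "):
            interfaces[current]["network"] = ipaddress.ip_interface(line.split()[2]).network
        elif m := TIMER_RE.match(line):
            interfaces[current][m.group(1)] = int(m.group(2))
    return interfaces


def check_ospf_timers(configs):
    """Return human-readable findings; an empty list means the timers are consistent."""
    findings = []
    by_network = defaultdict(list)
    for router, text in configs.items():
        for ifname, attrs in parse_ospf_interfaces(text).items():
            if attrs["network"] is None:
                continue
            if attrs["dead-interval"] <= attrs["hello-interval"]:
                findings.append(f"{router} {ifname}: dead-interval {attrs['dead-interval']} "
                                f"must exceed hello-interval {attrs['hello-interval']}")
            by_network[attrs["network"]].append((router, ifname, attrs))
    for net, members in by_network.items():
        if len(members) < 2:
            continue  # nothing to compare against on this subnet
        for timer in DEFAULTS:
            values = sorted({attrs[timer] for _, _, attrs in members})
            if len(values) > 1:
                routers = ", ".join(router for router, _, _ in members)
                findings.append(f"{net}: {timer} differs across {routers}: {values}")
    return findings


if __name__ == "__main__":
    for finding in check_ospf_timers(CONFIGS):
        print(finding)
```

Grouping by subnet rather than by interface name is what makes the check meaningful: the interface on R3 that never had its timers touched is compared against the R4 interface on the same link, which is exactly the "one router at default, one router at 20/80" situation that leaves the adjacency stuck in INIT.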
  The default is 0 seconds.

Creating Filter Routes

To filter routes, use prefix lists. OSPF applies prefix lists to incoming or outgoing routes. Incoming routes must meet the conditions of the prefix lists. If they do not, OSPF does not add the route to the routing table. Configure the prefix list in CONFIGURATION PREFIX LIST mode prior to assigning it to the OSPF process.

• Create a prefix list and assign it a unique name.
  CONFIGURATION mode
    ip prefix-list prefix-name
• You are in PREFIX LIST mode.
  – bgp, connected, isis, rip, static: enter one of the keywords to redistribute those routes.
  – metric metric-value: the range is from 0 to 4294967295.
  – metric-type metric-type: 1 for OSPF external route type 1; 2 for OSPF external route type 2.
  – route-map map-name: enter a name of a configured route map.
  – tag tag-value: the range is from 0 to 4294967295.
• View the configuration of OSPF neighbors connected to the local router.
  EXEC Privilege mode
    show ip ospf neighbor
• View the LSAs currently in the queue.
  EXEC Privilege mode
    show ip ospf timers rate-limit
• View debug messages.
  EXEC Privilege mode
    debug ip ospf process-id [event | packet | spf | database-timers rate-limit]
  To view debug messages for a specific OSPF process ID, use the debug ip ospf process-id command. If you do not enter a process ID, the command applies to the first OSPF process.
Figure 102. Basic Topology and CLI Commands for OSPFv2

OSPF Area 0 — Te 1/1 and 1/2

router ospf 11111
 network 10.0.11.0/24 area 0
 network 10.0.12.0/24 area 0
 network 192.168.100.0/24 area 0
!
interface TengigabitEthernet 1/1
 ip address 10.1.11.1/24
 no shutdown
!
interface TengigabitEthernet 1/2
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown

OSPF Area 0 — Te 3/1 and 3/2

router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.
OSPF Area 0 — Te 2/1 and 2/2
router ospf 22222
 network 192.168.100.0/24 area 0
 network 10.2.21.0/24 area 0
 network 10.2.22.0/24 area 0
!
interface Loopback 20
 ip address 192.168.100.20/24
 no shutdown
!
interface TengigabitEthernet 2/1
 ip address 10.2.21.2/24
 no shutdown
!
interface TengigabitEthernet 2/2
 ip address 10.2.22.2/24
 no shutdown
OSPFv3 NSSA
NSSA (Not-So-Stubby-Area) is a stub area that does not support Type-5 LSAs, but supports Type-7 LSAs to forward external links.
NOTE: The OSPFv2 network area command enables OSPF on multiple interfaces with the single command. Use the OSPFv3 ipv6 ospf area command on each interface that runs OSPFv3. All IPv6 addresses on an interface are included in the OSPFv3 process that is created on the interface. Enable OSPFv3 for IPv6 by specifying an OSPF process ID and an area in INTERFACE mode. If you have not created an OSPFv3 process, it is created automatically.
Assigning Area ID on an Interface To assign the OSPFv3 process to an interface, use the following command. The ipv6 ospf area command enables OSPFv3 on an interface and places the interface in the specified area. Additionally, the command creates the OSPFv3 process with ID on the router. OSPFv2 requires two commands to accomplish the same tasks — the router ospf command to create the OSPF process, then the network area command to enable OSPFv2 on an interface.
Assigning OSPFv3 Process ID and Router ID to a VRF
To assign, disable, or reset OSPFv3 on a non-default VRF, use the following commands.
• Enable the OSPFv3 process on a non-default VRF and enter OSPFv3 mode. CONFIGURATION mode ipv6 router ospf {process ID}
– The process ID range is from 0 to 65535.
• Assign the router ID for this OSPFv3 process. CONF-IPV6-ROUTER-OSPF mode router-id {number}
– number: the IPv4 address. The format is A.B.C.D.
Configuring Stub Areas
To configure IPv6 stub areas, use the following command.
• Configure the area as a stub area. CONF-IPV6-ROUTER-OSPF mode area area-id stub [no-summary]
– no-summary: use these keywords to prevent transmission into the area of summary ASBR LSAs.
– Area ID: a number or IP address assigned when creating the area. You can represent the area ID as a number from 0 to 65536 if you assign a dotted decimal format rather than an IP address.
– bgp | connected | static: enter one of the keywords to redistribute those routes.
– metric metric-value: the range is from 0 to 4294967295.
– metric-type metric-type: enter 1 for OSPFv3 external route type 1 or 2 for OSPFv3 external route type 2.
– route-map map-name: enter a name of a configured route map.
– tag tag-value: the range is from 0 to 4294967295.
Configuring a Default Route
To generate a default external route into the OSPFv3 routing domain, configure the following parameters.
be used together. The difference between the two mechanisms is the extent of the coverage. ESP only protects IP header fields if they are encapsulated by ESP. You decide the set of IPsec protocols that are employed for authentication and encryption and the ways in which they are employed. When you correctly implement and deploy IPsec, it does not adversely affect users or hosts. AH and ESP are designed to be cryptographic algorithm-independent.
The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. Configure the same authentication policy (the same SPI and key) on each OSPFv3 interface in a link.
• Enable IPsec authentication for OSPFv3 packets on an IPv6-based interface. INTERFACE mode ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} [key-encryption-type] key}
– null: causes an authentication policy configured for the area to not be inherited on the interface.
– key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share the key to exchange information.
• For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted).
• For SHA-1 authentication, the key must be 40 hex digits (non-encrypted) or 80 hex digits (encrypted).
– key-encryption-type: (optional) specifies if the authentication key is encrypted. The valid values are 0 or 7.
• Remove an IPsec encryption policy from an interface.
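The key-length and SPI rules above are easy to get wrong across many interfaces, and a mismatch only shows up as an adjacency that never forms. The following Python script is an added configuration audit, not part of the guide or of Dell Networking OS: it reads an interface configuration in the syntax shown above (ipsec spi number {MD5 | SHA1} [0 | 7] key), checks that each key is hex of the length the algorithm and key-encryption-type require, and flags an SPI that is reused with a different algorithm or key (interfaces on the same link are expected to repeat the same SPI and key). The stanza splitter and the sample configuration are constructed for this example; the keys are placeholder hex values.

```python
import re
from typing import Dict, List, Tuple

# Key length rules from the guide: hex digits per algorithm and key-encryption-type.
# Type 0 = key entered in clear text, type 7 = key entered in encrypted form.
EXPECTED_KEY_LEN = {
    ("MD5", "0"): 32, ("MD5", "7"): 64,
    ("SHA1", "0"): 40, ("SHA1", "7"): 80,
}

# Matches the guide's syntax: ipsec spi <number> {MD5 | SHA1} [0 | 7] <key>
AUTH_RE = re.compile(
    r"^ipv6 ospf authentication ipsec spi (?P<spi>\d+) (?P<alg>MD5|SHA1)"
    r"(?: (?P<enc>[07]))? (?P<key>\S+)$",
    re.IGNORECASE,
)


def interface_stanzas(config: str) -> Dict[str, List[str]]:
    """Group configuration lines under their 'interface ...' heading.

    Minimal stanza splitter written for this example (an assumption, not the
    switch's own parser): 'interface' opens a stanza, '!' closes it.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line[len("interface "):]
            stanzas[current] = []
        elif line == "!":
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_ospfv3_ipsec(config: str) -> List[Tuple[str, str, str]]:
    """Return (severity, interface, message) findings for OSPFv3 IPsec auth policies."""
    findings: List[Tuple[str, str, str]] = []
    seen_spi: Dict[int, Tuple[str, Tuple[str, str]]] = {}  # spi -> (first interface, (alg, key))
    for ifname, lines in interface_stanzas(config).items():
        for line in lines:
            m = AUTH_RE.match(line)
            if not m:
                continue
            spi = int(m.group("spi"))
            alg = m.group("alg").upper()
            enc = m.group("enc") or "0"      # key-encryption-type defaults to clear text
            key = m.group("key")
            # Rule 1: the key must be hex and of the length the algorithm/type requires.
            if not re.fullmatch(r"[0-9a-fA-F]+", key):
                findings.append(("error", ifname, f"SPI {spi}: key is not a hex string"))
            elif len(key) != EXPECTED_KEY_LEN[(alg, enc)]:
                findings.append(("error", ifname,
                                 f"SPI {spi}: {alg} type-{enc} key has {len(key)} hex digits, "
                                 f"expected {EXPECTED_KEY_LEN[(alg, enc)]}"))
            # Rule 2: one SPI identifies one policy on the router. Repeating the same
            # SPI and key on the interfaces of a link is expected; a different
            # algorithm or key under an already-used SPI is a misconfiguration.
            policy = (alg, key)
            first_if, first_policy = seen_spi.setdefault(spi, (ifname, policy))
            if first_policy != policy:
                findings.append(("error", ifname,
                                 f"SPI {spi} already used on {first_if} with a different policy"))
            # Rule 3 (informational): a type-0 key sits in the configuration in clear text.
            if enc == "0":
                findings.append(("info", ifname, f"SPI {spi}: key stored unencrypted (type 0)"))
    return findings


def errors_only(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    return [f for f in findings if f[0] == "error"]


# Constructed sample configuration (not from the guide); keys are placeholder hex values.
SAMPLE_CONFIG = """
interface TenGigabitEthernet 1/1
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 600 SHA1 0 0123456789abcdef0123456789abcdef01234567
 no shutdown
!
interface TenGigabitEthernet 1/2
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 600 MD5 0 0123456789abcdef0123456789abcdef
 no shutdown
!
interface TenGigabitEthernet 1/3
 ipv6 ospf authentication ipsec spi 601 MD5 7 abcdef
!
interface TenGigabitEthernet 1/4
 ipv6 ospf authentication ipsec spi 602 SHA1 0 zz23456789abcdef0123456789abcdef01234567
!
"""

if __name__ == "__main__":
    for severity, ifname, msg in audit_ospfv3_ipsec(SAMPLE_CONFIG):
        print(f"[{severity}] {ifname}: {msg}")
```

Run against a saved running-config; the sample produces three errors (an SPI reused with a different policy, a short type-7 MD5 key, and a non-hex key) and informational notes for every clear-text key.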
NOTE: When you configure encryption using the area encryption command, you enable both IPsec encryption and authentication. However, when you enable authentication on an area using the area authentication command, you do not enable encryption at the same time. If you have enabled IPsec authentication in an OSPFv3 area using the area authentication command, you cannot use the area encryption command in the area at the same time.
– For a Port Channel interface, enter port-channel number. – For a 40-Gigabit Ethernet interface, enter FortyGigabitEthernet slot/port. – For a VLAN interface, enter vlan vlan-id. The valid VLAN IDs are from 1 to 4094. Examples of the show crypto ipsec Commands In the first example, the keys are not encrypted (shown in bold). In the second and third examples, the keys are encrypted (shown in bold).
outbound esp sas
Interface: TenGigabitEthernet 0/1
  Link Local address: fe80::201:e8ff:fe40:4d11
  IPSecv6 policy name: OSPFv3-1-600
  inbound ah sas
  outbound ah sas
  inbound esp sas
    spi : 600 (0x258)
    transform : esp-des esp-sha1-hmac
    in use settings : {Transport, }
    replay detection support : N
    STATUS : ACTIVE
  outbound esp sas
    spi : 600 (0x258)
    transform : esp-des esp-sha1-hmac
    in use settings : {Transport, }
    replay detection support : N
    STATUS : ACTIVE
Troubleshooting OSPFv3
The system provides several tools to
EXEC Privilege mode show ipv6 ospf database
• View the configuration of OSPFv3 neighbors. EXEC Privilege mode show ipv6 ospf neighbor
• View debug messages for all OSPFv3 interfaces. EXEC Privilege mode debug ipv6 ospf [event | packet] {type slot/port}
– event: View OSPF event messages.
– packet: View OSPF packets.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information (for example, passive-interface te 2/1).
36 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). Protocol Overview A sample PVST+ topology is shown below. For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter. Figure 103.
Table 65. Spanning Tree Versions Supported
Dell Networking Term                    IEEE Specification
Spanning Tree Protocol (STP)            802.1d
Rapid Spanning Tree Protocol (RSTP)     802.1w
Multiple Spanning Tree Protocol (MSTP)  802.1s
Per-VLAN Spanning Tree Plus (PVST+)     Third Party
Implementation Information
• The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w.
• The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table).
Disabling PVST+
To disable PVST+ globally or on an interface, use the following commands.
• Disable PVST+ globally. PROTOCOL PVST mode disable
• Disable PVST+ on an interface, or remove a PVST+ parameter configuration. INTERFACE mode no spanning-tree pvst
Example of Viewing PVST+ Configuration
To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Figure 104. Load Balancing with PVST+
The bridge with the lowest value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign bridges a low non-default value for bridge priority. To assign a bridge priority, use the following command.
• Assign a bridge priority.
Number of topology changes 5, last change occurred 00:34:37 ago on Te 1/32 Port 375 (TengigabitEthernet 1/22) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.375 Designated root has priority 4096, address 0001.e80d.b6:d6 Designated bridge has priority 4096, address 0001.e80d.b6:d6 Designated port id is 128.
Modifying Interface PVST+ Parameters
You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port.
• Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority — influences the likelihood that a port is selected to be a forwarding port in case several ports have the same port cost.
This feature is the same as PortFast mode in spanning tree. CAUTION: Configure EdgePort only on links connecting to an end station. EdgePort can cause loops if you enable it on an interface connected to a network. To enable EdgePort on an interface, use the following command. • Enable EdgePort on an interface.
Figure 105. PVST+ with Extend System ID
• Augment the bridge ID with the VLAN ID. PROTOCOL PVST mode extend system-id
Example of Viewing the Extend System ID in a PVST+ Configuration
Dell(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
Executing IEEE compatible Spanning Tree Protocol
  Root ID Priority 32773, Address 0001.e832.73f7
  Root Bridge hello time 2, max age 20, forward delay 15
  Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
interface Vlan 200
 no ip address
 tagged TengigabitEthernet 1/22,32
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TengigabitEthernet 1/22,32
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096
Example of PVST+ Configuration (R2)
interface TengigabitEthernet 2/12
 no ip address
 switchport
 no shutdown
!
interface TengigabitEthernet 2/32
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged TengigabitEthernet 2/12,32
 no shutdown
!
interface Vlan 200
!
protocol spanning-tree pvst
 no disable
 vlan 300 bridge-priority 4096
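The root election described under Figure 104 (lowest bridge priority wins, lowest MAC breaks ties) and the extend system-id arithmetic shown in the Figure 105 output (priority 32768 plus sys-id-ext 5 gives 32773) can be worked through per VLAN. The Python script below is an added example, not code from the guide or from Dell Networking OS: it models two bridges configured like R1 and R2 above (R1 lowers its priority for VLAN 100, R2 for VLAN 300, VLAN 200 stays at the default) and reports which bridge becomes root for each VLAN. The MAC addresses and the bridge dictionary layout are constructed for this example.

```python
from typing import Dict, List

DEFAULT_BRIDGE_PRIORITY = 32768


def effective_priority(configured: int, vlan_id: int, extend_system_id: bool = True) -> int:
    """Bridge priority as advertised for one VLAN.

    With 'extend system-id' the VLAN ID is added to the configured priority, which is
    why the guide's output reads 'Priority 32773 (priority 32768 sys-id-ext 5)'.
    """
    return configured + vlan_id if extend_system_id else configured


def mac_value(mac: str) -> int:
    """Numeric value of a MAC written as 0001.e832.73f7 or 00:01:e8:32:73:f7."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def elect_root(bridges: Dict[str, dict], vlan_id: int, extend_system_id: bool = True) -> str:
    """Return the name of the root bridge for one VLAN.

    Lowest effective priority wins; equal priorities are broken by the lowest MAC.
    `bridges` maps a bridge name to {'mac': str, 'priority': {vlan_id: configured}}.
    A VLAN with no configured priority uses the default (32768).
    """
    ranked = sorted(
        (
            effective_priority(b["priority"].get(vlan_id, DEFAULT_BRIDGE_PRIORITY),
                               vlan_id, extend_system_id),
            mac_value(b["mac"]),
            name,
        )
        for name, b in bridges.items()
    )
    return ranked[0][2]


def roots_per_vlan(bridges: Dict[str, dict], vlan_ids: List[int],
                   extend_system_id: bool = True) -> Dict[int, str]:
    """Root bridge for every VLAN in the list; different roots mean the load is split."""
    return {v: elect_root(bridges, v, extend_system_id) for v in vlan_ids}


# Constructed topology modelled on the R1/R2 configuration in the guide; MACs are sample values.
BRIDGES = {
    "R1": {"mac": "0001.e80d.b6d6", "priority": {100: 4096}},
    "R2": {"mac": "0001.e832.73f7", "priority": {300: 4096}},
}

if __name__ == "__main__":
    for vlan, root in roots_per_vlan(BRIDGES, [100, 200, 300]).items():
        print(f"VLAN {vlan}: root bridge {root}")
```

VLAN 200, which neither bridge has tuned, falls back to the MAC tie-breaker; that is the case the guide warns about when it recommends a low non-default priority for the intended root.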
37 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message. This behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop.
1 After receiving an IGMP Join message, the receiver gateway router (last-hop DR) creates a (*,G) entry in its multicast routing table for the requested group. The interface on which the join message was received becomes the outgoing interface associated with the (*,G) entry. 2 The last-hop DR sends a PIM Join message to the RP.
Configuring PIM-SM
Configuring PIM-SM is a three-step process.
1 Enable multicast routing (refer to the following step).
2 Select a rendezvous point.
3 Enable PIM-SM on an interface.
Enable multicast routing. CONFIGURATION mode ip multicast-routing
Related Configuration Tasks
The following are related PIM-SM configuration tasks.
127.87.50.5 Dell# Te 1/13 00:03:08/00:01:37 v2 1 / S To display the PIM routing table, use the show ip pim tib command from EXEC privilege mode. Dell#show ip pim tib PIM Multicast Routing Table Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT, Timers: Uptime/Expires Interface state: Interface, next-Hop, State/Mode (*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.
Dell#sh run pim ! ip pim rp-address 1.1.1.1 group-address 224.0.0.0/4 Overriding Bootstrap Router Updates PIM-SM routers must know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group.
Create multicast boundaries and domains by filtering inbound and outbound bootstrap router (BSR) messages per interface. The following command is applied to the subsequent inbound and outbound updates. Timeout removes existing BSR advertisements. • Create multicast boundaries and domains by filtering inbound and outbound BSR messages per interface. ip pim bsr-border • Remove candidate RP advertisements.
38 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Configure PIM-SSM
Configuring PIM-SSM is a two-step process.
1 Configure PIM-SM.
2 Enable PIM-SSM for a range of addresses.
Related Configuration Tasks
• Use PIM-SSM with IGMP Version 2 Hosts
Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1 Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name
2 Enter the ip pim ssm-range command and specify the ACL you created.
To display the source to which a group is mapped, use the show ip igmp ssm-map [group] command. If you use the group option, the command displays the group-to-source mapping even if the group is not currently in the IGMP group table. If you do not specify the group option, the display is a list of groups currently in the IGMP group table that has a group-to-source mapping. To display the list of sources mapped to a group currently in the IGMP group table, use the show ip igmp groups group detail command.
Electing an RP using the BSR Mechanism Every PIM router within a domain must map a particular multicast group address to the same RP. The group-to-RP mapping may be statically or dynamically configured. RFC 5059 specifies a dynamic, self-configuring method called the Bootstrap Router (BSR) mechanism, by which an RP is elected from a pool of RP candidates (C-RPs). Some routers within the domain are configured to be C-RPs.
ip pim [vrf vrf-name] rp-Candidate interface [priority] [acl-name] The specified acl-list is associated to the rp-candidate. NOTE: You can create the ACL list of multicast prefix using the ip access-list standard command.
39 Policy-based Routing (PBR) Policy-based Routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
To enable a PBR, you create a redirect list. Redirect lists are defined by rules, or routing policies.
Interfaces in this case).
Create a Rule for a Redirect-list The following example creates a redirect list by the name of “xyz.” Dell(conf)#ip redirect-list ? WORD Redirect-list name (max 16 chars) Dell(conf)#ip redirect-list xyz Use the following command in CONFIGURATION REDIRECT-LIST mode to set the rules for the redirect list. You can enter the command multiple times and create a sequence of redirect rules. Use the seq nn redirect version of the command to organize your rules. Table 68.
• udp — User Datagram Protocol
bit — (Optional) For TCP protocol type only, enter one or a combination of the following TCP flags:
• ack = acknowledgement
• fin = finish (no more data from the user)
• psh = push function
• rst = reset the connection
• syn = synchronize sequence numbers
• urg = urgent field
operators — For TCP and UDP parameters only.
on the psh bit
  range   Match only packets in the range of port numbers
  rst     Match on the rst bit
  syn     Match on the syn bit
  urg     Match on the urg bit
  <cr>
Dell(conf-redirectlist)#redirect 1.1.1.1 udp any any ?
  eq      Match only packets on a given port number
  gt      Match only packets with a greater port number
  lt      Match only packets with a lower port number
  neq     Match only packets not on a given port number
  range   Match only packets in the range of port numbers
Delete a rule with the no redirect command.
Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 /32 77.1.1.1 Mask A.B.C.D or /nn Mask in dotted decimal or in Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 /32 77.1.1.1 Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 /32 77.1.1.1 Dell(conf-redirect-list)#do show ip redirect-list ? slash format /32 ? /32 IP redirect-list xyz: Defined as: seq 5 redirect 3.3.3.3 ip host 222.1.1.1 host 77.1.1.
seq 10 permit ip host 3.3.3.3 any
seq 15 redirect 2.2.2.2 ip any any
Apply a Redirect-list to an Interface using a Redirect-group
IP redirect lists are supported on physical interfaces as well as VLAN and port-channel interfaces.
NOTE: When you apply a redirect-list on a port-channel and traffic is redirected to the next hop while the destination port-channel is shut down, the traffic is dropped.
Use the following command in INTERFACE mode to apply a redirect list to an interface.
List the redirect list configuration using the show ip redirect-list redirect-list-name command. The non-contiguous mask is displayed in dotted format (x.x.x.x). The contiguous mask is displayed in /x format. Some sample outputs are shown below: Dell#show ip redirect-list explicit_tunnel IP redirect-list explicit_tunnel: Defined as: seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.
Apply a Redirect-list to an Interface using a Redirect-group
IP redirect lists are supported on physical interfaces as well as virtual local area network (VLAN) and port-channel interfaces.
NOTE: When you apply a redirect-list on a port-channel and traffic is redirected to the next hop while the destination port-channel is shut down, the traffic is dropped. However, the traffic redirected to the destination port-channel is sometimes switched.
List the redirect list configuration using the show ip redirect-list redirect-list-name command. The non-contiguous mask displays in dotted format (x.x.x.x). The contiguous mask displays in /x format. Use the show ip redirect-list command (without the list name) to display all the redirect-lists configured on the device.
NOTE: If you apply the redirect-list to an interface, the output of the show ip redirect-list redirect-list-name command displays reachability status for the specified next-hop.
Create the Redirect-List GOLD
EDGE_ROUTER(conf-if-Te-2/23/1)#ip redirect-list GOLD
EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD.
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.1.0/24 any
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any
EDGE_ROUTER(conf-redirect-list)#seq 15 permit ip any any
EDGE_ROUTER(conf-redirect-list)#show config
!
ip redirect-list GOLD
 description Route GOLD traffic to ISP_GOLD.
 seq 5 redirect 10.99.99.
Dell(conf-redirect-list)#redirect 42.1.1.2 track 3 tcp 155.55.2.0/24 222.22.2.0/24
Dell(conf-redirect-list)#redirect 42.1.1.2 track 3 tcp any any
Dell(conf-redirect-list)#redirect 42.1.1.2 track 3 udp 155.55.0.0/16 host 144.144.144.144
Dell(conf-redirect-list)#redirect 42.1.1.2 track 3 udp any host 144.144.144.144
Dell(conf-redirect-list)#redirect 43.1.1.2 track 4 ip host 7.7.7.7 host 144.144.144.
Dell(conf-redirect-list)#end
Dell(conf-if-tu-2)#end
Dell#
Create Track Objects to track the Tunnel Interfaces:
Dell#configure terminal
Dell(conf)#track 1 interface tunnel 1 ip routing
Dell(conf-track-1)#exit
Dell(conf)#track 2 interface tunnel 2 ipv6 routing
Dell(conf-track-2)#end
Verify the Status of the Track Objects (Up/Down):
Dell#show track brief
ResId  Resource                Parameter  State  LastChange
1      Interface ip routing    Tunnel 1   Up     00:00:00
2      Interface ipv6 routing  Tunnel 2   Up     00:00:00
Dell#
Create a Redirect-list with Track Objects pe
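The redirect-list examples above (the GOLD list, the seq-numbered show output, and the track-based rules) are easier to reason about with a small matcher that answers "which rule does this packet hit?". The Python script below is an added example, not code from the guide or from Dell Networking OS: it parses rules in the redirect / permit syntax shown in this chapter (any, host, prefix/length, the eq/gt/lt/neq/range port operators, and an optional track object), numbers unnumbered rules the way the guide's show config output does, and evaluates a packet against the list. Two assumptions are labelled in the code: rules are tried in ascending seq order and the first match decides, and a rule entered without seq receives the highest existing number plus 5. Dotted non-contiguous masks are not parsed; the sample rules are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortSpec = Optional[Tuple[str, int, int]]   # (operator, low, high)


@dataclass
class Rule:
    seq: int
    action: str                   # "redirect" or "permit"
    next_hop: Optional[str]       # next-hop address for redirect rules
    track: Optional[int]          # optional track object number
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    src_port: PortSpec
    dst: ipaddress.IPv4Network
    dst_port: PortSpec


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D/nn' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)


def _take_port(tokens: List[str]) -> PortSpec:
    """Consume an optional eq/gt/lt/neq/range port operator (TCP and UDP only)."""
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "neq", "range"):
        return None
    op = tokens.pop(0)
    low = int(tokens.pop(0))
    high = int(tokens.pop(0)) if op == "range" else low
    return (op, low, high)


def parse_rule(line: str, seq: int) -> Rule:
    """Parse one 'redirect ...' or 'permit ...' line; an explicit 'seq N' overrides seq."""
    tokens = line.split()
    if tokens[0] == "seq":
        tokens.pop(0)
        seq = int(tokens.pop(0))
    action = tokens.pop(0)
    next_hop = track = None
    if action == "redirect":
        next_hop = tokens.pop(0)
        if tokens[0] == "track":
            tokens.pop(0)
            track = int(tokens.pop(0))
    proto = tokens.pop(0)
    src = _take_addr(tokens)
    src_port = _take_port(tokens) if proto != "ip" else None
    dst = _take_addr(tokens)
    dst_port = _take_port(tokens) if proto != "ip" else None
    return Rule(seq, action, next_hop, track, proto, src, src_port, dst, dst_port)


def build_redirect_list(lines: List[str]) -> List[Rule]:
    """Assumption: a rule without 'seq' gets the highest existing number plus 5 (5, 10, 15, ...)."""
    rules: List[Rule] = []
    for line in lines:
        next_seq = max((r.seq for r in rules), default=0) + 5
        rules.append(parse_rule(line, next_seq))
    return sorted(rules, key=lambda r: r.seq)


def _port_matches(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, low, high = spec
    return {"eq": port == low, "neq": port != low, "gt": port > low,
            "lt": port < low, "range": low <= port <= high}[op]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str = "ip",
             src_port: int = 0, dst_port: int = 0) -> Optional[Rule]:
    """Assumption: first matching rule in seq order decides; None means no rule matched."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if not _port_matches(r.src_port, src_port) or not _port_matches(r.dst_port, dst_port):
            continue
        return r
    return None


# Constructed redirect list shaped like the guide's examples (not from the guide).
SAMPLE_LIST = build_redirect_list([
    "redirect 10.99.99.254 ip 192.168.1.0/24 any",
    "seq 12 redirect 42.1.1.2 track 3 udp any host 144.144.144.144 eq 514",
    "redirect 10.99.99.254 ip 192.168.2.0/24 any",
    "seq 30 permit ip any any",
])

if __name__ == "__main__":
    hit = evaluate(SAMPLE_LIST, "10.0.0.1", "144.144.144.144", "udp", 40000, 514)
    print(f"seq {hit.seq}: {hit.action} via {hit.next_hop} (track {hit.track})")
```

A rule with a track object is returned with its track number so the caller can consult the show track brief state before trusting the next hop; the script deliberately does not guess what the switch does when a tracked next hop is down.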
40 Port Extenders (PEs) The C9010 switch supports the IEEE 802.1BR fabric protocol to expand the port density of the chassis, using C1048P, N20xx and N30xx port extenders. In this deployment, the C9010 operates as a controlling bridge for the port extenders. The C1048P, N20xx or N30xx function as a remote line card that is physically connected to, and provisioned by, a C9010 over 10GbE links according to the IEEE 802.1BR standard. IEEE 802.1BR The IEEE 802.
802.1BR Terms and Definitions The 802.1BR protocol uses the following terms to describe the operation of a controlling bridge and attached port extenders. 802.1BR Term Definition Cascade port A port on a controlling bridge or bridge port extender that connects to an upstream port. In the case of the connection between two bridge port extenders, the cascade port is the port closest to the controlling bridge. Controlling bridge A bridge that supports one or more bridge port extenders.
• pe-id is a PE ID number from 0 to 255. You must enter a pe-id value; there is no default.
3 (Optional) Provision a C1048P for PE stacking. PORT-EXTENDER CONFIGURATION mode Dell(conf-pe-0)# stack-unit unit-id type unit-type
• unit-id is a stack-unit ID number from 0 to 7. The default value is 0.
• unit-type is a stack-unit type. The only supported value is C1048P.
4 Provisioning a C1048P automatically creates a LAG (port channel) on the C9010.
Current number of PEs in the system: 15 (Online: 0 Offline: 15) Codes: A - Active, I - Inactive SVC - Software Version Compatible Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch SVM - Software Version Mismatch, UE - Unknown Error Offline Reason: UNP - Unit Not Present, PVE - Port Validation Error ICE - IPC CP Error, IRE - IPC RP Error ISE - IPC Setup Error, CVE - Card Validation Error PE-ID assigned: 1 Status: online System Mac: f8:b1:56:73:a2:91 PE Up Time: 03:00:27 PE Description: PE Discovery S
VLT Dual Homing scenarios
In a VLT dual homing setup, if the same PE units (maximum of 80 PE units) are configured in both the VLT CB nodes before the VLT pairing is up, the PEX port counts on both the nodes are the same after the VLT pairing is up. However, if separate PE units (maximum of 80 PE units) are configured in each VLT CB node before the VLT pairing is up, the PEs may not get synchronized properly after the VLT pairs come up.
only cascade ports 1/0 and 1/12 are cabled to PE 10; port 1/8 is cabled to a different PE. As a result, only PE 10 comes online because it is connected to the lowest numbered cascade port: port 1/0. Port 1/8 is placed in an error state and the PE to which it connects does not come online.
SVM - Software Version Mismatch, UE - Unknown Error Offline Reason: UNP - Unit Not Present, PVE - Port Validation Error ICE - IPC CP Error, IRE - IPC RP Error ISE - IPC Setup Error, CVE - Card Validation Error PE-ID assigned: 10 Status: online System Mac: 00:01:02:03:11:01 PE Up Time: 00:01:22 PE Discovery Status: Provisioned PE User Configured Cascade Ports: Te 1/12(A) Cascade LAG: Po 268(Up) -----------------------------------------------------------------------Stack-id Status Reason Type UnitMac No.
Maximum number of PE Units allowed: 80 Current number of PE units in the system: 80 (Online: 0 Offline: 80) Current number of PEs in the system: 15 (Online: 0 Offline: 15) Codes: A - Active, I - Inactive SVC - Software Version Compatible Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch SVM - Software Version Mismatch, UE - Unknown Error Offline Reason: UNP - Unit Not Present, PVE - Port Validation Error ICE - IPC CP Error, IRE - IPC RP Error ISE - IPC Setup Error, CVE - Card Validation Error PE-ID
2         Standby   not present   C1048P
3         Member    not present   C1048P
4         Member    not present
5         Member    not present
6         Member    not present
7         Member    not present
-- Power Supplies --
Unit  Bay  Status  Type  FanStatus  FanSpeed(rpm)
------------------------------------------------------------------------
0     0    up      AC    NA         NA
0     1    absent  NA    NA
-- Fan Status --
Unit  Bay  TrayStatus  Fan0  Speed  Fan1  Speed
-----------------------------------------------------------------------------------
0     0    up          up    8888   up    9056
Speed in RPM
For more information
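The show pe output above carries a legend of status and reason codes (SVM, UNP, PVE and so on), per-PE detail lines, and an online/offline summary, and the show pe brief table lists every PE with its status. The Python script below is an added example, not code from the guide or from Dell Networking OS: it parses the legend into a code-to-description map, reads the show pe brief table, lists PEs that are not online, and cross-checks the table against the summary counters. The sample outputs are constructed for this example and follow the layout shown in this chapter (the MAC addresses are the ones that appear in the guide's own examples).

```python
import re
from typing import Dict, List

# One row of 'show pe brief': PE-id Status Stack-size Type System-MAC
BRIEF_ROW = re.compile(
    r"^(?P<pe_id>\d+)\s+(?P<status>\S+)\s+(?P<stack_size>\d+)\s+(?P<type>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$")
# Summary counter printed at the top of 'show pe <id>'
SUMMARY_LINE = re.compile(
    r"^Current number of PEs in the system: (?P<total>\d+) "
    r"\(Online: (?P<online>\d+) Offline: (?P<offline>\d+)\)$")
# Legend entries such as 'SVM - Software Version Mismatch'; an entry ends at a comma,
# at end of line, or where the next 'CODE - ' entry begins on the same line.
LEGEND_ENTRY = re.compile(r"\b(?P<code>[A-Z]{1,3}) - (?P<desc>[A-Za-z ]+?)(?=,|$| [A-Z]{1,3} - )")


def parse_legend(text: str) -> Dict[str, str]:
    """Build a code -> description map from the Codes / Reason / Offline Reason lines."""
    legend: Dict[str, str] = {}
    for line in text.splitlines():
        for m in LEGEND_ENTRY.finditer(line.strip()):
            legend[m.group("code")] = m.group("desc").strip()
    return legend


def parse_brief(text: str) -> List[Dict[str, str]]:
    """Rows of the 'show pe brief' table as dicts (headers and separators are skipped)."""
    return [m.groupdict() for m in
            (BRIEF_ROW.match(line.strip()) for line in text.splitlines()) if m]


def parse_summary(text: str) -> Dict[str, int]:
    for line in text.splitlines():
        m = SUMMARY_LINE.match(line.strip())
        if m:
            return {k: int(v) for k, v in m.groupdict().items()}
    raise ValueError("summary line not found")


def offline_pes(rows: List[Dict[str, str]]) -> List[str]:
    """PE IDs whose status is anything other than 'online'."""
    return [r["pe_id"] for r in rows if r["status"] != "online"]


def describe(code: str, legend: Dict[str, str]) -> str:
    """Expand a reason code using the parsed legend."""
    return legend.get(code, f"unknown code {code}")


def check_counts(rows: List[Dict[str, str]], summary: Dict[str, int]) -> List[str]:
    """Flag disagreement between the brief table and the summary counters."""
    findings = []
    online = sum(1 for r in rows if r["status"] == "online")
    if online != summary["online"]:
        findings.append(f"brief table shows {online} online PEs, summary says {summary['online']}")
    if len(rows) - online != summary["offline"]:
        findings.append(f"brief table shows {len(rows) - online} offline PEs, "
                        f"summary says {summary['offline']}")
    return findings


# Constructed sample outputs in the layout shown in the guide (not captured from a device).
SAMPLE_BRIEF = """\
Dell#show pe brief
-- Port Extenders Information --
----------------------------------------------------------
PE-id  Status   Stack-size  Type     System-MAC
----------------------------------------------------------
1      online   2           C1048P   f8:b1:56:73:a2:91
10     online   1           C1048P   00:01:02:03:11:01
200    offline  1           C1048P   f8:b1:56:00:02:8a
"""

SAMPLE_DETAIL = """\
Current number of PEs in the system: 3 (Online: 2 Offline: 1)
Codes: A - Active, I - Inactive SVC - Software Version Compatible
Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch
        SVM - Software Version Mismatch, UE - Unknown Error
Offline Reason: UNP - Unit Not Present, PVE - Port Validation Error
        ICE - IPC CP Error, IRE - IPC RP Error
        ISE - IPC Setup Error, CVE - Card Validation Error
PE-ID assigned: 200
Status: offline
System Mac: f8:b1:56:00:02:8a
"""

if __name__ == "__main__":
    legend = parse_legend(SAMPLE_DETAIL)
    rows = parse_brief(SAMPLE_BRIEF)
    print("offline PEs:", offline_pes(rows))
    print("SVM means:", describe("SVM", legend))
    print("count check:", check_counts(rows, parse_summary(SAMPLE_DETAIL)) or "consistent")
```

Pipe the real show pe and show pe brief output into these functions from a terminal capture; a non-empty list from check_counts or any PE reported by offline_pes is the cue to read the per-PE Reason / Offline Reason line and expand it with describe.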
NOTE: Dell Networking OS recommends that you use the command because xSTP protocols are not supported on PEs. 2 If a station move for a MAC address is detected above the configured threshold and within the specified time, a syslog message is triggered with the port information. All ports on which the station move was detected are shut down, except the old interface.
• If there is a match, the kernel notifies L2Mgr about the loop detection; L2Mgr in turn brings down the appropriate PE interface and emits a syslog message so that the user can correct the loop.
Loop caused by mis-cabling in an unmanaged L2 switch
• An unmanaged layer 2 switch is connected to a PE.
• There is some mis-cabling in the L2 switch. This can result in loops.
This loop will be broken based on the data traffic or control PDUs received at the PE. In the event of data traffic at the PE and continuous station moves between the PE and LM interface, the PE interface will be brought down. In case there is no data traffic on the LAN, control PDUs received at the PE will be used to break the loop.
• upgrade system-image pe {0-255} stack-unit {0-7} upgrades a standalone PE. • upgrade system-image pe {0-255} stack-unit all upgrades all the units in a PE stack. The PE ID (0–255) specifies the stack master unit. • upgrade system-image pe all upgrades all PEs discovered by the controlling bridge. • rpmA: or rpmB: specifies the flash partition (A: or B:) on the controlling bridge where the OS version to use for the PE upgrade is stored.
linecard   6   CPLD          2.1
linecard   6   IAP           3.2
RPM        0   FPGA 1        2.14
RPM        0   CPLD          2.6
RPM        0   FPGA 2        2.0
RPM        0   Backup FPGA   2.0
RPM        0   IAP           3.2
RPM        1   FPGA 1        2.14
RPM        1   CPLD          2.6
RPM        1   FPGA 2        2.0
RPM        1   Backup FPGA   2.0
RPM        1   IAP           3.2
PE RELEASE IMAGE INFORMATION :
--------------------------------------------------------------------
Platform          Version   Size   ReleaseTime
C-Series:C1048P   9.9(0.
NOTE: PEs which are marked as SVC must be rebooted or upgraded as early as possible or in the scheduled maintenance time window.
– LAGs
– LLDP
– Loop detection and MAC Learning Limit
• A port extender does not support:
– DCB
– FEFD
– GVRP
– FRRP
– Sticky MAC
– STP Edge port support on PE interfaces
– VLAN stacking
– VLT
Dual Homing
Dual homing provides support to manage and control the PEs from both the primary and the secondary chassis in a VLT setup. The C9010 switch supports dual homing using port extenders. You can also stack the port extenders in a dual homing setup.
Configuration Terminal Batch Mode The C9010 platform with Dell Networking OS 9.10(0.0) supports the Configuration Terminal Batch mode. You should perform the common PE configurations using this mode. To enter Configuration Terminal Batch mode: 1 Verify that you are logged in to EXEC Privilege mode. 2 Enter the configure terminal batch command. The prompt changes to include (conf-b). You can return to EXEC mode by using the exit command.
You can connect System A and System B and configure them as VLT peers as follows: 1 Ensure that PE IDs of PE 1 and PE 2 are different. The IDs should be unique and cannot overlap during the configuration. 2 Ensure that System A and System B are upgraded to OS 9.10(0.) or later. 3 Enter VLT-domain configuration mode for a specified VLT domain. Ensure that both the systems are configured with the same VLT domain ID. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000.
Figure 109. Systems with Port Extender — After setting up Dual Homing You can configure PE 1 and PE 2 from both the systems.
On the VLT peer: Dell#show pe 1 Maximum number of PE Units allowed: 80 Current number of PE units in the system: 80 (Online: 0 Offline: 80) Current number of PEs in the system: 15 (Online: 0 Offline: 15) Codes: A - Active, I - Inactive SVC - Software Version Compatible Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch SVM - Software Version Mismatch, UE - Unknown Error Offline Reason: UNP - Unit Not Present, PVE - Port Validation Error ICE - IPC CP Error, IRE - IPC RP Error ISE - IPC Setup Error, CV
3 Remove the disconnected interface (Te 0/1) from the configuration mode of PE 1 in System A. The configuration would be already available in System A and needs to be removed. PE CONFIGURATION (BATCH mode) no cascade interface interface slot/port Dell(conf-b-pe-1)# no cascade interface TenGigabitEthernet 0/1 4 Configure the cascade interface of the System B through the batch mode of System A and commit the configuration.
Systems without Port Extender You can connect two standalone systems in a VLT domain and then connect a PE to the systems to setup a dual homed environment. In the following illustration, System A and System B are standalone systems. Figure 112. Systems without Port Extender— Before setting up Dual Homing To convert the above system into a dual homing setup, perform the following: 1 Repeat the steps 2 to 7 from Systems with Port Extender. 2 Physically connect a PE to System A.
Figure 113. Systems without Port Extender — After setting up Dual Homing You can configure PE 1 from both System A and System B. Upgrading to OS 9.10(0.0) To upgrade the Dell Networking OS 9.9(0.0) to OS 9.10(0.0): • Upgrade the bootflash of the devices to 3.3.1.18 in OS 9.10.0.0. • Upgrade the system-image in the Controlling Bridge (CB). Select the flash partition path to boot from, then Save and Reload. The following example shows a CB and a PE running OS 9.9(0.
feature extended-bridge ! pe provision 200 cascade interface TenGigabitEthernet 0/22-23 stack-unit 2 type C1048P Dell#show pe brief -- Port Extenders Information ----------------------------------------------------------PE-id Status Stack-size Type System-MAC ---------------------------------------------------------200 online 1 C1048P f8:b1:56:00:02:8a Dell#show pe 200 Maximum number of PE Units allowed: 80 Current number of PE units in the system: 80 (Online: 0 Offline: 80) Current number of PEs in the sys
*********************************************************************** * Warning - Upgrading boot flash is inherently risky and should only * * be attempted when necessary. A failure at this upgrade may cause * * a board RMA. Proceed with caution ! * *********************************************************************** Proceed Boot Flash image for all cards [yes/no]: yes !!!!!!Sep 7 19:20:23: %RPM0-P:CP %DOWNLOAD-6-UPGRADE: PE 0 manual upgrade result - upgrade success.
PE-id Status Stack-size Type System-MAC ---------------------------------------------------------200 offline 1 C1048P f8:b1:56:00:02:8a Dell#show pe 200 Codes: A - Active, I - Inactive Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch SVM - Software Version Mismatch, UE - Unknown Error Offline Reason: UNP - Unit Not Present, ICE - IPC CP Error, IRE - IPC RP Error ISE - IPC Setup Error, CVE - Card Validation Error PE-ID assigned: 200 Status: offline System Mac: f8:b1:56:00:02:8a PE Up Time: 00:00:00 P
Apr 3 00:41:01: %PE200-UNIT2-M:CP %RAM-5-STACKUNIT_STATE: Stack-unit 2 is in Active State.
Upgrading from OS 9.10(0.0)
To upgrade a dual homing setup with Dell Networking OS 9.10(0.0) to later versions, perform the following steps. In the following example, C9010-1 is the primary system and C9010-2 is secondary. The VLT peers and the PEs in the setup are upgraded from Dell Networking OS 9.10(0.1) to 9.11(0.0). After the upgrade is completed, the VLT peers exchange roles: C9010-2 becomes the primary VLT peer and C9010-1 takes up the secondary role.
5 Upgrade boot partition in primary VLT peer with the new software image. C9010-1#upgrade system-image all tftp://10.11.8.184/users/dellnetworking/FTOSC9000-9.11.0.0.bin B: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!............................................ .....! 146025615 bytes successfully copied Image upgraded to CP. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!! PE (0) Image upgraded successfully. PE (1) Image upgraded successfully.
8 The PEs reboot with the new software image and traffic is affected till the PEs come up. The PEs reload with the new software image and become online with the new primary system. The traffic flow starts once the PEs come up. 9 The peer system comes up and takes up the secondary role. C9010-1#show version Dell Real Time Operating System Software Dell Operating System Version: 2.0 Dell Application Software Version: 9.11(0.0) Copyright (c) 1999-2016 by Dell Inc. All Rights Reserved.
• upgrade system-image pe pe-id stack-unit unit-number {rpmA:|rpmB:}
• upgrade poe-controller pe pe-id stack-unit unit-number
• upload trace-log pe pe-id stack-unit unit-number [sw-trace | hw-trace]
• show link-bundle-distribution port-channel port-number
• show logging kernellog pe-id stack-unit unit-number
• show processes {cpu|memory} pe pe-id summary
• show qos statistics
41 Port Extender (PE) Stacking You can stack up to eight port extenders using the mini-SAS stack ports on the back panel. The C1048P supports stacking only with other C1048P port extenders. The N20xx series devices support stacking only with other N20xx series port extenders. The N30xx series devices support stacking only with other N30xx series port extenders. Stacking is not supported on C9010 switches.
Stack Master Election When a PE stack reloads and all stack units come up, all units participate in the stack master election. The master and standby units are chosen based on the priority or MAC address. The stack takes the MAC address of the master unit. • Unit priority — The range is from 1 to 14. The unit with the highest priority is elected the master management unit; the unit with the second highest priority is elected the standby unit. The default is 0.
PE Stack Configuration You can perform the following configuration tasks for PE stacking. NOTE: The recommended mode for PE dual homed stack configuration is Configuration Terminal Batch mode. Configuring a PE Stack Before you start, ensure that the PE stack units are cabled in a ring topology, powered on, and that one or more stack units are attached to a 10GbE port on the parent C9010.
Dell(conf-pe-2)# exit
Dell(conf)# interface range tengigabitethernet 0/0-1
Dell(conf-if-range-te-0/0-1)# no shutdown
Dell(conf-if-range-te-0/0-1)# end
Dell# show pe 2
Maximum number of PE Units allowed: 80
Current number of PE units in the system: 80 (Online: 0 Offline: 80)
Current number of PEs in the system: 15 (Online: 0 Offline: 15)
Codes: A - Active, I - Inactive
       SVC - Software Version Compatible
Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch
        SVM - Software Version Mismatch, UE - Unknown Err
On the secondary VLT peer:
Dell# show pe 2
Maximum number of PE Units allowed: 80
Current number of PE units in the system: 80 (Online: 0 Offline: 80)
Current number of PEs in the system: 15 (Online: 0 Offline: 15)
Codes: A - Active, I - Inactive
       SVC - Software Version Compatible
Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch
        SVM - Software Version Mismatch, UE - Unknown Error
Offline Reason: UNP - Unit Not Present, PVE - Port Validation Error
                ICE - IPC CP Error, IRE - IPC RP Error
                ISE - IPC Setu
Renumbering the stack master triggers a stack reload, as shown in the following message. When the stack comes back online, the master unit remains the management unit.
Renumbering management unit will reload the stack.
WARNING: Interface configuration for current unit will be lost!
Proceed[confirm yes/no]: yes
Prioritizing Stack Units
In a PE stack, by default, the stack unit with the highest MAC address is elected master; the stack unit with the second highest MAC address is elected standby.
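The election rules stated in Stack Master Election and in Prioritizing Stack Units above can be checked against a concrete stack. The following is an added example and not Dell EMC code. It assumes that unit priority (configurable 1 to 14, default 0) is compared first and the higher value wins, and that on a tie the higher System-MAC wins, so a stack left at the default priority elects the highest MAC as master and the second highest as standby. The unit MAC addresses are constructed for the example.

```python
"""Model of PE stack master/standby election (added example, not Dell EMC code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class StackUnit:
    unit_id: int
    mac: str           # System-MAC as printed by show pe, e.g. "a0:68:00:3f:92:bc"
    priority: int = 0  # default 0 per the guide; operators may set 1-14


def mac_as_int(mac: str) -> int:
    """Convert 'a0:68:00:3f:92:bc' to an integer so MACs compare numerically."""
    return int(mac.replace(":", ""), 16)


def elect(units):
    """Return (master, standby) for a list of StackUnit objects.

    Assumption: rank by priority, then by MAC, both descending.
    A single-unit stack has no standby.
    """
    if not units:
        raise ValueError("empty stack")
    for u in units:
        if not 0 <= u.priority <= 14:
            raise ValueError(f"unit {u.unit_id}: priority {u.priority} outside 0-14")
    ranked = sorted(units, key=lambda u: (u.priority, mac_as_int(u.mac)), reverse=True)
    master = ranked[0]
    standby = ranked[1] if len(ranked) > 1 else None
    return master, standby


# Constructed stack, all units at the default priority: MAC decides.
DEFAULT_STACK = [
    StackUnit(0, "a0:68:00:3f:92:bc"),
    StackUnit(1, "6c:c0:00:11:22:33"),
    StackUnit(2, "34:17:eb:00:bb:09"),
    StackUnit(3, "cb:28:00:42:bd:7c"),
]

# Same stack after configuring priorities: unit 2 wins despite the lowest MAC,
# unit 3 (priority 10) becomes standby.
PRIORITIZED_STACK = [
    StackUnit(0, "a0:68:00:3f:92:bc"),
    StackUnit(1, "6c:c0:00:11:22:33"),
    StackUnit(2, "34:17:eb:00:bb:09", priority=14),
    StackUnit(3, "cb:28:00:42:bd:7c", priority=10),
]

if __name__ == "__main__":
    for stack in (DEFAULT_STACK, PRIORITIZED_STACK):
        m, s = elect(stack)
        print(f"master=unit {m.unit_id} ({m.mac}) standby=unit {s.unit_id} ({s.mac})")
```

Running the module prints which unit wins in each case; the second stack shows why setting an explicit priority on the unit you want as management unit is the only way to make the outcome independent of which hardware happens to carry the highest MAC.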
The following example shows the redundancy reset-counter pe command.
Dell #redundancy reset-counter pe 0
• Display redundancy information.
EXEC Privilege mode
show redundancy pe pe-id
pe-id — Port-extender identifier of the master stack unit. The range is from 0 to 255.
The following example shows the show redundancy pe command.
Unit  UnitType    Status       ReqTyp  CurTyp  Version      Ports
----------------------------------------------------------
0     Management  online       C1048P  C1048P  1-0(0-4149)  52
1     Member      online       C1048P  C1048P  1-0(0-4149)  52
2     Member      not present
3     Standby     online       C1048P  C1048P  1-0(0-4149)  52
4     Member      not present
5     Member      not present
6     Member      not present
7     Member      not present
The following example displays the status of stack-unit 1 after it is removed from the PE stack.
Stack-id  Status  Reason  Type    UnitMac            No. of Ports
------------------------------------------------------------------
0         online          C1048P  a0:68:00:3f:92:bc  52
1         online          C1048P  6c:c0:00:11:22:33  52
2         online          C1048P  34:17:eb:00:bb:09  52
3         online          C1048P  62:74:00:41:54:c8  52
4         online          C1048P  62:74:00:41:54:c9  52
5         online          C1048P  cb:28:00:42:bd:7c  52
6         online          C1048P  62:74:00:41:54:01  52
7         online          C1048P  6c:c0:00:43:11:11  52
• Display summary information about the PE stack units attached to the master PE.
Voltage         : ok
Serial Number   : NA
Part Number     : 0J9K8D Rev X01
Vendor Id       : DG
Date Code       : 09092014
Country Code    : TW
Piece Part ID   : TW-0J9K8D-28298-499-0001
PPID Revision   : X01
Service Tag     : CL73Z01
Expr Svc Code   : 274 031 203 69
Auto Reboot     : enabled
Burned In MAC   : f8:b1:56:00:02:d1
No Of MACs      : 66
-- Power Supplies --
Unit  Bay  Status  Type  FanStatus  FanSpeed(rpm)
------------------------------------------------------------
2     0    up      AC    NA         NA
2     1    up      DC    NA         NA
-- Fan Status --
Unit Bay TrayStatus Fan0 Speed Fan1 S
CAUTION: Use caution when configuring an uplink port as an access port. Converting the uplink port that is connected to the CB disconnects the PE. If the PE is disconnected, you must convert the access port back to an uplink port using the no stack-unit unit-number access-ports port-range command and reload the PE. When an uplink port is converted to an access port, Dell EMC Networking OS creates a logical peTenGigE interface based on the 10/100/1000BASE-T ports in the PE.
N2024: 2 SFP+ ports. Uplink port numbers: 1 — 1/0/25, 2 — 1/0/26.
N3024: 4 ports (2 SFP+ ports in the front panel and 2 10GBASE-T or SFP ports in the back panel). Uplink port numbers: 1 — 1/0/25, 2 — 1/0/26, 3 — 1/0/27, 4 — 1/0/28.
N3048: 4 ports (2 SFP+ ports in the front panel and 2 10GBASE-T or SFP ports in the back panel). Uplink port numbers: 1 — 1/0/49, 2 — 1/0/50, 3 — 1/0/51, 4 — 1/0/52.
NOTE: When a PE is reloaded, the uplink ports come up as uplinks by default, even if they have been configured as access ports.
pe provision 2
 stack-unit 1 type C1048P
 stack-unit 1 access-ports 1
 stack-unit 3 type N2024P-PE
 cascade interface TenGigabitEthernet 1/2
The following example shows the show interfaces petenGigE 2/1/49 output:
DellEMC#show interfaces petenGigE 2/1/49
peTenGigE 2/1/49 is down, line protocol is down
Hardware is DellEMCEth, address is 00:00:00:00:00:00
    Current address is 00:00:00:00:00:00
Pluggable media not present
No transmit power
Interface index is 558915592
Internet address is not set
Mode of IPv4 Address
The following example disables the location-led feature on PE stack-unit 5.
Dell#location-led pe 0 stack-unit 5 off
Troubleshooting a PE Stack
To troubleshoot the operation of a PE stack, use the following tasks.
Diagnosing an Error Condition
For debugging purposes, you can prevent the stack master from rebooting after a failover so that you can gather information on stack operation.
42 Port Monitoring Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. The Dell Networking OS supports the following mirroring techniques: • Port monitoring — Monitors network traffic by forwarding a copy of incoming and outgoing packets from a source port to a destination port on the same network router.
Figure 115. Port Monitoring Configurations Dell Networking OS Behavior: All monitored frames are tagged if the configured monitoring direction is egress (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs. If the MD port is a Layer 3 port, the frames are tagged with VLAN ID 4095.
10    Te 0/14  Te 0/2   rx  interface  Port-based
20    Te 0/15  Te 0/3   rx  interface  Port-based
30    Te 0/16  Te 0/37  rx  interface  Port-based
300   Te 0/17  Te 0/1   tx  interface  Port-based
Dell(conf-mon-sess-300)#
Example of Configuring Another Monitoring Session with a Previously Used Destination Port
Dell(conf)#mon ses 300
Dell(conf-mon-sess-300)#source tengig 0/17 destination tengig 0/4 direction tx
%Unable to create MTP entry for MD tenG 0/17 MG tenG 0/4 in stack-unit 0 port-pipe 0.
Enter one of the following keywords and the slot/port information:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet, then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE, then the slot/port information.
• For a port extender (PE) Gigabit Ethernet interface, enter the keyword peGigE, then the pe-id/stack-unit/port-id information.
Figure 116. Port Monitoring Example Remote Port Mirroring Local port monitoring allows you to monitor traffic from one or more source ports by directing it to a destination port on the same switch/ router. Remote port mirroring allows you to monitor Layer 2 and Layer 3 ingress and/or egress traffic on multiple source ports on different switches and forward the mirrored traffic to multiple destination ports on different switches.
Remote Port Mirroring Example Remote port mirroring uses the analyzers shown in the aggregation network in Site A. The VLAN traffic on monitored links from the access network is tagged and assigned to a dedicated L2 VLAN. Monitored links are configured in two source sessions shown with orange and green circles. Each source session uses a separate reserved VLAN to transmit mirrored packets (mirrored source-session traffic is shown with an orange or green circle with a blue border).
• You can configure any switch in the network with source ports and destination ports, and allow it to function in an intermediate transport session for a reserved VLAN at the same time for multiple remote-port mirroring sessions. You can enable and disable individual mirroring sessions. • BPDU monitoring is not required to use remote port mirroring.
• You can configure the same source port to be used in multiple source sessions. • You cannot configure a source port channel or source VLAN in a source session if the port channel or VLAN has a member port that is configured as a destination port in a remote-port mirroring session. • A destination port for remote port mirroring cannot be used as a source port, including the session in which the port functions as the destination port. • A destination port cannot be used in any spanning tree instance.
Table 72. Configuring a Remote Port Monitoring Session
Step 1: configure terminal — Enter global configuration mode.
Step 2: monitor session id type rpm — Specify a unique session ID number and RPM as the session type, and enter Monitoring-Session configuration mode.
Step 3: source {interface | range} destination interface direction {rx | tx | both} — Enter a source port or a range of source port interfaces to be monitored. Enter the destination port interface.
Dell(conf-mon-sess-3)#exit
Dell(conf)#end
Dell#
Dell#show monitor session
SessID  Source   Destination     Dir   Mode  Source IP  Dest IP
------  -------  --------------  ----  ----  ---------  -------
1       Te 0/5   remote-vlan 10  rx    Port  N/A        N/A
2       Vl 100   remote-vlan 20  rx    Port  N/A        N/A
3       Po 10    remote-vlan 30  both  Port  N/A        N/A
Dell#
Dell(conf)#interface te 0/0
Dell(conf-if-te-0/0)#switchport
Dell(conf-if-te-0/0)#no shutdown
Dell(conf-if-te-0/0)#exit
Dell(conf)#interface te 0/1
Dell(conf-if-te-0/1)#switchport
Dell(conf-if-te-0/1)#no shutdown
1 Enable the MAC control-plane egress ACL.
2 Create an extended MAC access list and add a deny rule for (0x0180c2xxxxxx) packets using the following commands:
mac control-plane egress-acl
mac access-list extended mac2
 seq 5 deny any 01:80:c2:00:00:00 00:00:00:ff:ff:ff count
3 Apply the extended MAC ACL on the RPM VLAN (VLAN 10 in the following example).
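The deny rule above relies on the mask semantics of a Dell Networking OS MAC ACL, which are easy to get backwards. The following added example (not Dell EMC code) evaluates constructed frames against the mac2 rule. It assumes the guide's inverse-mask convention, in which a 1 bit in the mask means "don't care", so 00:00:00:ff:ff:ff covers the entire 01:80:c2 block rather than a single address, and that rules are evaluated in sequence-number order with the first match deciding and an implicit deny if nothing matches. The page shows only seq 5; the permit-any rule at seq 10 is added here purely so that the example has frames that pass.

```python
"""First-match MAC ACL evaluator with inverse (wildcard) masks.
Added example, not Dell EMC code."""
from dataclasses import dataclass, field

MAC_BITS = 0xFFFFFFFFFFFF


def mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


@dataclass
class MacRule:
    seq: int
    action: str                               # "permit" or "deny"
    src: str                                  # "any" or a MAC
    dst: str                                  # "any" or a MAC
    dst_wildcard: str = "00:00:00:00:00:00"   # 1 bits are don't-care (inverse mask)
    src_wildcard: str = "00:00:00:00:00:00"
    count: bool = False
    hits: int = 0

    @staticmethod
    def _addr_matches(addr: str, pattern: str, wildcard: str) -> bool:
        if pattern == "any":
            return True
        care = ~mac_int(wildcard) & MAC_BITS          # bits that must be equal
        return (mac_int(addr) & care) == (mac_int(pattern) & care)

    def matches(self, src: str, dst: str) -> bool:
        return (self._addr_matches(src, self.src, self.src_wildcard)
                and self._addr_matches(dst, self.dst, self.dst_wildcard))


@dataclass
class MacAcl:
    name: str
    rules: list = field(default_factory=list)
    default_action: str = "deny"   # assumption: implicit deny at the end of the list

    def add(self, rule: MacRule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)

    def evaluate(self, src: str, dst: str) -> str:
        for r in self.rules:
            if r.matches(src, dst):
                if r.count:
                    r.hits += 1
                return r.action
        return self.default_action


def build_mac2() -> MacAcl:
    """The mac2 list from the text plus an illustrative permit-any at seq 10."""
    acl = MacAcl("mac2")
    acl.add(MacRule(5, "deny", "any", "01:80:c2:00:00:00", "00:00:00:ff:ff:ff", count=True))
    acl.add(MacRule(10, "permit", "any", "any"))   # not on the page; added for illustration
    return acl


# Constructed (src, dst) pairs: three control-plane destinations inside the
# 01:80:c2 block, one IPv4 multicast address outside it, one unicast address.
FRAMES = [
    ("00:11:22:33:44:55", "01:80:c2:00:00:00"),   # STP BPDU
    ("00:11:22:33:44:55", "01:80:c2:00:00:0e"),   # LLDP
    ("00:11:22:33:44:55", "01:80:c2:ab:cd:ef"),   # elsewhere in the block
    ("00:11:22:33:44:55", "01:00:5e:00:00:01"),   # all-hosts multicast, outside the block
    ("00:11:22:33:44:55", "f8:b1:56:00:02:8a"),   # ordinary unicast
]


def run(acl: MacAcl = None):
    """Evaluate FRAMES; return (list of actions, hit count of the seq 5 rule)."""
    acl = acl or build_mac2()
    actions = [acl.evaluate(s, d) for s, d in FRAMES]
    return actions, acl.rules[0].hits


if __name__ == "__main__":
    actions, hits = run()
    for (s, d), a in zip(FRAMES, actions):
        print(f"{s} -> {d}: {a}")
    print(f"seq 5 count: {hits}")
```

If you mistakenly write the mask as ff:ff:ff:00:00:00, every bit of the OUI becomes don't-care and the rule no longer discriminates on 01:80:c2 at all; swapping the constant in build_mac2() and re-running is a quick way to see the difference.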
Table 73. Configuring ERPM Sessions
Step 1: configure terminal — Enter global configuration mode.
Step 2: monitor session id type erpm — Specify a session ID and ERPM as the type of monitoring session, and enter Monitoring-Session configuration mode. The session number must be unique and not already defined.
Step 3: source {interface | range} direction {rx | tx | both} — Specify the source port or range of ports.
 tagged TenGigabitEthernet 0/1-3
 mac access-group flow in
 shutdown
Dell#
The following example shows how to configure a source as a physical interface only for ERPM.
Dell(conf)#monitor session 3 type erpm
Dell(conf-mon-sess-3)#source vlan 100 dir rx
Dell(conf-mon-sess-3)# erpm source-ip 1.1.1.1 dest-ip 100.1.1.2
Dell(conf-mon-sess-3)# flow-based enable
Dell(conf-mon-sess-3)# no disable
The following example configures the port extender ports so that they are tagged and untagged members of VLAN 100.
The VLTi link is added as an implicit member of the RPM VLAN. As a result, the mirrored traffic also reaches the peer VLT device, affecting the VLTi link's bandwidth usage. To mitigate this, the L2 VLT egress mask drops the duplicate packets that would egress out of the VLT port: if the LAG status of the peer VLT device is OPER-UP, the other VLT peer blocks the transmission of packets received through the VLTi to its port or LAG.
Scenario: Mirroring Orphan Ports across VLT Devices — In this scenario, an orphan port on the primary VLT device is mirrored to another orphan port on the secondary VLT device through the ICL LAG. The port analyzer is connected to the secondary VLT device.
RPM Restriction: No restrictions apply to the RPM session.
Recommended Solution: The following example shows the configuration on the primary VLT device: source orphan port, destination remote vlan, direction rx/tx/both.
43 Power over Ethernet (PoE)
The PoE feature supports electrical power and transmission of data on Ethernet cabling. A single cable can provide both a data connection and electrical power to attached devices such as wireless access points or IP cameras. The PoE feature is supported on a C1048P, N2024P, N2048P, N3024P, or N3048P port extender (PE); PoE is not supported on the C9010 switches. PoE, as described by IEEE 802.3af, specifies that a maximum of 15.
• Manage Ports using Power Priority and the Power Budget
• Setting the Threshold Limit for the PoE Power Budget
• Advertising the Extended Power through MDI
• Advertising Extended Power Through dot3-TLVs
• Detecting Legacy Devices and Allocating Power
• Deploying Voice Over IP (VoIP)
• Managing PoE on the Port Extender
Configuring PoE or PoE+
Configuring PoE or PoE+ is a two-step process:
1 Connect the IEEE 802.3af/802.3at-compliant powered device directly to a port.
Manage Ports using Power Priority and the Power Budget
The allocation and return of power on ports depends on the total inline power available in the system and the power priority calculation.
Determining the Power Priority for a Port
The Dell Networking OS uses a port prioritization algorithm to determine which ports receive power, so that PoE and PoE+ ports are powered up and down deterministically.
Managing Power Priorities
PoE or PoE+ enabled port extender ports have power access priorities based first on the configured priority and then on their port number. The default priority is derived from the port numbers: lower port numbers have higher priority than higher port numbers. You can augment the default prioritization using the [no] power inline {[max_milliwatts] | priority {critical | high | low}} command, where critical is the highest priority and low is the lowest priority.
Example: Configuring Power Management Static Mode on the Port Extender
The following example configures the power management to Static mode on port extender 0, stack unit 0.
Dell(conf)#power inline mode pe 0 stack-unit 0 static
Example: Displaying PoE Power Allocation on a Port Extender
The following example displays the PoE power allocation on a specified port extender, using the show power inline {pe pe-id stack-unit unit-number | interface interface} command in EXEC and EXEC Privilege mode.
NOTE: Avoid allocating more power than necessary to a port with the power inline max_milliwatts command, because allocated power is made unavailable to other ports regardless of whether it is consumed. Typical IP phones use 3 to 10 Watts.
The power inline command has the following parameters:
• max_milliwatts — (OPTIONAL) Specify the maximum inline power that is allocated to a powered device connected to the interface. The range is from 440 to 30000 mW.
Interface     Inline Power Max / Alloc (Watts)  Inline Power Consumed (Watts)  Class  Device Type  PoE Port Priority  LLDP Support
------------  --------------------------------  -----------------------------  -----  -----------  -----------------  ------------
PeGi 255/0/1  30.00/21.40                       21.50                          4      2            low                0
Example of Configuring Port Extender Interfaces with a Maximum Power of 15000 and 5000 mW
The following example sets the maximum allocated power to 15000 mW on interface peGigE 0/0/1 and 5000 mW on interface peGigE 0/0/2; interface peGigE 0/0/3 is not configured.
Example of Setting the Global Threshold Limit for the PoE Power Budget The following example sets the global threshold limit for the PoE power budget to 99 percent on port extender 0 on stack unit 0.
3 Priority — Dell Networking OS uses priority for priority calculation. 4 PD requested power value — Dell Networking OS uses this value for power allocation. 5 PSE allocated power value — Dell Networking OS uses this value to check whether the PD is in sync with the PSE. To enable the system or interface to advertise IEEE 802.3 power-via-mdi TLV to advertise its power negotiation capabilities with the powered devices using LLDP, use the advertise dot3–tlv power—via—mdi command.
Deploying Voice Over IP (VoIP) For a complete list of all PoE commands, see the Dell Networking OS Command Line Reference Guide. Current VoIP phones follow the same basic boot and operations process: 1 Wait for an LLDP from the Ethernet switch. 2 Obtain an IP address from a dynamic host configuration protocol (DHCP) server. 3 Send an LLDP-MED frame to the switch. 4 Wait for an LLDP-MED frame from the switch and read the Network Policy TLV to get the VLAN ID, Layer 2 priority, and DSCP value.
 description "Voice VLAN"
 no ip address
 tagged PeGigGE 0/6/10-11,22-23,46-47
 shutdown
!
interface Vlan 300
 description "Voice Signaling VLAN"
 no ip address
 tagged PeGigGE 0/6/10-11,22-23,46-47
 shutdown
Configuring LLDP-MED for an Office VoIP Deployment
VoIP deployments may optionally use LLDP-MED. LLDP-MED advertises VLAN, dot1p, and DSCP configurations on the switch so that you do not need to manually configure every phone with this information.
 service-queue 5 qos-policy VoIP_Q
Dell#show run qos-policy-output
!
qos-policy-output VoIP_Q
 scheduler strict
Honoring the Incoming dot1p Value
If you know that traffic originating from the phone is tagged with a dot1p value of 5, you can make the associated queue a strict-priority queue, as shown in the following example.
To classify VoIP traffic and apply QoS policies for an office VoIP deployment, use the following commands: 1 Create three standard or extended access-lists, one each for voice, voice signaling, and PC data, and place each in its own match-any class-map. CONFIGURATION mode or CLASS-MAP mode ip access-list or class-map match-any 2 Create an input policy-map containing all three class-maps and assign each class-map a different service queue.
 bandwidth-weight 8
!
qos-policy-output signalling
 bandwidth-weight 64
Dell#sh run policy-map-output
!
policy-map-output BW
 service-queue 1 qos-policy data
 service-queue 2 qos-policy signalling
Dell#sh run | grep strict-p
strict-priority unicast 3
Dell#sh run int gi 0/6/10
!
interface GigabitEthernet 0/6/10
 description "IP Phone X"
 no ip address
 portmode hybrid
 switchport
 service-policy input phone-pc
 power inline
 no shutdown
Dell#sh run int gi 0/6/2
!
interface GigabitEthernet 0/6/2
 description "Uplink to C
Suspending Power Delivery on the Port Extender
You can temporarily disable and then restore power on the port extender. For information about how to restore power to the port extender, see Restoring Power Delivery on the PE. To disable inline power on the port extender, use the following command. When you use this command, inline power to all the ports on the port extender is disabled.
• Disable inline power on the port extender.
Remaining inline power Available: 841W
Power Management Mode: Static
Interface   Inline Power Max / Alloc (Watts)  Inline Power Consumed (Watts)  Class  Device Type  PoE Port Priority  LLDP Support
----------  --------------------------------  -----------------------------  -----  -----------  -----------------  ------------
PeGi 0/0/0  30.00/0.00                        0.00                                  NO_PD        critical           0
Monitor the Power Budget
The power budget is the amount of power available from the installed PSUs minus the power required to operate the port extender.
Table 77.
Global inline power Threshold: 90%
Power Reserved for inline Power: 1530W
Total Inline Power Consumed: 15W
Remaining inline power Available: 1515W
Power Management Mode: Static
Interface   Inline Power Max / Alloc (Watts)  Inline Power Consumed (Watts)  Class  Device Type  PoE Port Priority  LLDP Support
----------  --------------------------------  -----------------------------  -----  -----------  -----------------  ------------
PeGi 2/1/2  30.00 / 15.00                     15.00                          4      2            Low                PowViaMDI
Table 78.
show power detail {pe pe-id stack-unit unit-number} • pe pe-id — Enter the keyword pe and the port extender ID. The range is from 0 to 255. • stack-unit unit-number — Enter the keyword stack-unit and the stack unit number. The range is from 0 to 7.
44 Private VLANs (PVLAN) Private VLANs (PVLANs) extend Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN). A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports or trunk ports.
– A switch can have one or more primary VLANs, or it can have none.
– A primary VLAN has one or more secondary VLANs.
– A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch.
– A primary VLAN has one or more promiscuous ports.
– A primary VLAN might have one or more trunk ports, or none.
• Secondary VLAN — a subdomain of the primary VLAN.
– There are two types of secondary VLAN — community VLAN and isolated VLAN.
show vlan private-vlan [community | interface | isolated | primary | primary_vlan | interface interface]
• Display primary-secondary VLAN mapping.
EXEC mode or EXEC Privilege mode
show vlan private-vlan mapping
• Set the PVLAN mode of the selected port.
INTERFACE mode
switchport mode private-vlan {host | promiscuous | trunk}
NOTE: Secondary VLANs are Layer 2 VLANs, so even if they are operationally down while primary VLANs are operationally up, Layer 3 traffic is still transmitted across secondary VLANs.
NOTE: You cannot add interfaces that are configured as PVLAN ports to regular VLANs. Conversely, you cannot add “regular” ports (ports not configured as PVLAN ports) to PVLANs. The example below shows the switchport mode private-vlan command on a port and on a port channel.
You can only add promiscuous ports or PVLAN trunk ports to the PVLAN (no host or regular ports). 6 (OPTIONAL) Assign an IP address to the VLAN. INTERFACE VLAN mode ip address ip address 7 (OPTIONAL) Enable/disable Layer 3 communication between secondary VLANs. INTERFACE VLAN mode ip local-proxy-arp NOTE: If a promiscuous or host port is untagged in a VLAN and it receives a tagged packet in the same VLAN, the packet is NOT dropped.
no shutdown 3 Set the PVLAN mode of the selected VLAN to isolated. INTERFACE VLAN mode private-vlan mode isolated 4 Add one or more host ports to the VLAN. INTERFACE VLAN mode tagged interface or untagged interface You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/ port-port). You can only add ports defined as host to the VLAN.
Private VLAN Configuration Example
The following example shows a private VLAN topology.
Figure 121. Sample Private VLAN Topology
The following configuration is based on the example diagram:
• Te 0/0 and Te 0/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000.
• Te 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
• Te 0/24 and Te 0/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
In parallel, on S50-1: • Te 0/3 is a promiscuous port and Te 0/25 is a PVLAN trunk port, assigned to the primary VLAN 4000. • Te 0/4-6 are host ports. Te 0/4 and Te 0/5 are assigned to the community VLAN 4001, while Te 0/6 is assigned to the isolated VLAN 4003. The result is that: • The S50V ports would have the same intra-switch communication characteristics as described for the C300.
The following example shows viewing a private VLAN for an S50V system.
Dell#show vlan private-vlan
Primary  Secondary  Type       Active  Ports
-------  ---------  ---------  ------  -----------
4000                Primary    Yes     Te 0/3,25
         4001       Community  Yes     Te 0/4-5
         4003       Isolated   Yes     Te 0/6
The following example shows the show vlan private-vlan mapping command.
 private-vlan mapping secondary-vlan 4001-4003
 no ip address
 tagged TengigabitEthernet 0/3,25
 no shutdown
!
interface Vlan 4001
 private-vlan mode community
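The isolation rules stated at the start of this chapter (isolated ports reach only promiscuous or trunk ports; everything else in the primary VLAN is reachable from a promiscuous port) can be turned into a forwarding check for the S50-1 configuration above. The following is an added example and not Dell EMC code. It uses the page's own port roles and VLAN numbers (primary 4000, community 4001, isolated 4003). Two assumptions are built in: a PVLAN trunk port is treated like a promiscuous port for forwarding decisions inside the PVLAN, and host ports in the same community VLAN may reach each other while host ports in different secondary VLANs never do.

```python
"""Layer 2 forwarding decision inside a private VLAN.
Added example, not Dell EMC code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str                 # "promiscuous", "trunk", or "host"
    secondary_vlan: int = 0   # host ports only: the community or isolated VLAN ID


class PrivateVlan:
    def __init__(self, primary: int, community=(), isolated=()):
        self.primary = primary
        self.community = set(community)
        self.isolated = set(isolated)
        self.ports = {}

    def add(self, port: PvlanPort) -> None:
        """Attach a port, rejecting host ports whose VLAN is not a secondary of this PVLAN."""
        if port.mode == "host":
            if port.secondary_vlan not in self.community | self.isolated:
                raise ValueError(
                    f"{port.name}: VLAN {port.secondary_vlan} is not a secondary of VLAN {self.primary}")
        elif port.mode not in ("promiscuous", "trunk"):
            raise ValueError(f"{port.name}: unknown PVLAN port mode {port.mode!r}")
        self.ports[port.name] = port

    def can_forward(self, src: str, dst: str) -> bool:
        a, b = self.ports[src], self.ports[dst]
        if a is b:
            return False
        # Promiscuous and (assumed) trunk ports exchange traffic with every port
        # of the primary VLAN, in both directions.
        if a.mode != "host" or b.mode != "host":
            return True
        # Host ports in different secondary VLANs are always separated.
        if a.secondary_vlan != b.secondary_vlan:
            return False
        # Same secondary VLAN: community members talk, isolated members do not.
        return a.secondary_vlan in self.community


def build_s50_1() -> PrivateVlan:
    """The S50-1 ports from the configuration example above."""
    pv = PrivateVlan(4000, community=[4001], isolated=[4003])
    pv.add(PvlanPort("Te 0/3", "promiscuous"))
    pv.add(PvlanPort("Te 0/25", "trunk"))
    pv.add(PvlanPort("Te 0/4", "host", 4001))
    pv.add(PvlanPort("Te 0/5", "host", 4001))
    pv.add(PvlanPort("Te 0/6", "host", 4003))
    return pv


def reachability(pv: PrivateVlan):
    """Map every port name to the sorted list of ports it can send to."""
    names = sorted(pv.ports)
    return {s: [d for d in names if pv.can_forward(s, d)] for s in names}


if __name__ == "__main__":
    for src, dsts in reachability(build_s50_1()).items():
        print(f"{src:8} -> {', '.join(dsts)}")
```

The reachability table is a useful thing to keep next to a PVLAN design: the security property you are buying is exactly that the isolated row contains only the promiscuous and trunk ports, and a later change that moves a host port to a regular VLAN (which the NOTE above says the CLI refuses) or to the wrong secondary VLAN shows up there immediately.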
45 Quality of Service (QoS) This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Figure 122.
• Using A Configurable Weight for WRED and ECN
• Pre-Calculating Available QoS CAM Space
• SNMP Support for Buffer Statistics Tracking
Implementation Information
The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Dell(conf)#interface tengigabitethernet 1/2 Dell(conf-if)#switchport Dell(conf-if)#dot1p-priority 1 Dell(conf-if)#end Dell# Honoring dot1p Priorities on Ingress Traffic By default, the system does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces.
Example of Configuring and Viewing Rate Policing The following example shows configuring rate policing. Dell#config t Dell(conf)#interface tengigabitethernet 1/2 Dell(conf-if)#rate police 100 40 peak 150 50 Dell(conf-if)#end Dell# Configuring Port-Based Rate Shaping Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 123. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, the system matches packets against match criteria in the order that you configure them.
Use step 1 or step 2 to start creating a Layer 3 class map.
1 Create a match-any class map.
CONFIGURATION mode
class-map match-any class-map-name
2 Create a match-all class map.
CONFIGURATION mode
class-map match-all class-map-name
3 Specify your match criteria.
CLASS MAP mode
match {ip | ipv6 | ip-any}
After you create a class-map, you are placed in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL.
4 Link the class-map to a queue.
Use Step 1 or Step 2 to start creating a Layer 2 class map.
1 Create a match-any class map.
CONFIGURATION mode
class-map match-any
2 Create a match-all class map.
CONFIGURATION mode
class-map match-all
3 Specify your match criteria.
CLASS MAP mode
match mac
After you create a class-map, you are placed in CLASS MAP mode. Match-any class maps allow up to five access-lists. Match-all class-maps allow only one. You can match against only one VLAN ID.
4 Link the class-map to a queue.
Applying DSCP and VLAN Match Criteria on a Service Queue You can configure Layer 3 class maps which contain both a Layer 3 Differentiated Services Code Point (DSCP) and IP VLAN IDs as match criteria to filter incoming packets on a service queue on the switch. To configure a Layer 3 class map to classify traffic according to both an IP VLAN ID and DSCP value, use the match ip vlan vlan-id command in class-map input configuration mode.
When class-maps with overlapping ACL rules are applied to different queues, use the keyword order to process ACL rules in the desired order. ACL rules with lower order numbers (order numbers closer to 0) are applied before rules with higher order numbers so that packets are matched as you intended. • Specify the order in which you want to apply ACL rules using the keyword order. order The order can range from 0 to 254. By default, all ACL rules have an order of 254.
Create a QoS Policy There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. • Layer 3 — QoS input policies allow you to rate police and set a DSCP or dot1p value. In addition, you can configure a drop precedence for incoming packets based on their DSCP value by using a DSCP color map. For more information, see DSCP Color Maps.
Example of Setting a DSCP Value for Egress Packets
Dell#config
Dell(conf)#qos-policy-input my-input-qos-policy
Dell(conf-qos-policy-in)#set ip-dscp 34
% Info: To set the specified DSCP value 34 (100-010 b) the QoS policy must be mapped to queue 4 (100 b).
Dell(conf-qos-policy-in)#show config
!
qos-policy-input my-input-qos-policy
 set ip-dscp 34
Dell(conf-qos-policy-in)#end
Dell#
Setting a dot1p Value for Egress Packets
To set a dot1p value for egress packets, use the following command.
rate-shape {kbps | pps} peak-rate {burst-kbps | burst-packets} [committed {kbps | pps} committed-rate {burst-kbps | burst-packets}] In a QoS output policy, you can configure rate-shaping on egress traffic: • In either kilobits per second (kbps) or packets per second (pps) • By specifying peak rate and the peak burst, and (optionally) committed rate and committed burst size You must configure the peak rate and peak burst size using the same value: kilobits or packets per second.
QOS-POLICY-OUT mode wred For more information, refer to Applying a WRED Profile to Traffic. Create Policy Maps There are two types of policy maps: input and output. Creating Input Policy Maps There are two types of input policy-maps: Layer 3 and Layer 2. 1 Create a Layer 3 input policy map. CONFIGURATION mode policy-map-input Create a Layer 2 input policy map by entering the policy-map-input layer2 command.
Honoring DSCP Values on Ingress Packets You can configure the ability to honor DSCP values on ingress packets by using the Trust DSCP feature. The following table lists the standard DSCP definitions and indicates how DSCP values are mapped to queues. When you configure trust DSCP, the matched packets and matched bytes counters are not incremented in the show qos statistics. Table 82.
trust dot1p
Mapping dot1p Values to Service Queues
By default, all traffic is mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Honoring dot1p Values on Ingress Packets. You may apply this queuing strategy globally by entering the following command from CONFIGURATION mode.
• All dot1p traffic is mapped to Queue 0 unless you enable service-class dynamic dot1p on an interface or globally.
Applying an Output Policy Map to an Interface
3 Apply the policy map to an interface.
Applying an Output QoS Policy to a Queue
To apply an output QoS policy to a queue, use the following command.
• Apply an output QoS policy to queues.
INTERFACE mode
service-queue
Specifying an Aggregate QoS Policy
To specify an aggregate QoS policy, use the following command.
• Specify an aggregate QoS policy.
• All DSCP values that are not specified as yellow or red are colored green (low drop precedence). • A DSCP value cannot be in both the yellow and red lists. Setting the red or yellow list with any DSCP value that is already in the other list results in an error and no update to that DSCP list is made. • Each color map can only have one list of DSCP values for each color; any DSCP values previously listed for that color that are not in the new DSCP list are colored green.
Display a specific DSCP color map. Dell# show qos dscp-color-map mapTWO Dscp-color-map mapTWO yellow 16,55 Displaying a DSCP Color Policy Configuration To display the DSCP color policy configuration for one or all interfaces, use the show qos dscp-color-policy {summary [interface] | detail {interface}} command in EXEC mode. summary: Displays summary information about a color policy on one or more interfaces.
• Specify the number of bytes of packet overhead to include in rate limiting, policing, and shaping calculations. CONFIGURATION mode qos-rate-adjust overhead-bytes For example, to include the Preamble and SFD, enter qos-rate-adjust 8. For variable-length overhead fields, determine the number of bytes you want to include. The default is disabled. The range is from 1 to 31.
Figure 124. Packet Drop Rate for WRED You can create a custom WRED profile or use one of the five pre-defined profiles. Table 84.
Applying a WRED Profile to Traffic After you create a WRED profile, you must specify on which traffic the system applies the profile. The system assigns a color-coded drop precedence — red, yellow, or green — to each packet based on the fourth bit of the 6-bit DSCP field in the packet header before queuing it. • If the fourth DSCP bit is 0, the packet is marked as green. • If the fourth DSCP bit is 1, the packet is marked as yellow (except for DSCP 63, which is marked as red).
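The two colouring rules above (the default fourth-bit rule here and the dscp-color-map yellow/red lists described earlier, where a value cannot sit in both lists and unlisted values are green) as an added example in Python; this is not Dell EMC Networking OS code, and it assumes the "fourth bit" is counted from the most significant bit of the DSCP field, the packet headers are constructed, and the show output format is only approximate.

```python
"""Added example, not Dell EMC Networking OS code.

Colour-marks packets by DSCP as the guide describes: the default rule keyed on
the fourth DSCP bit (DSCP 63 -> red), or, when a dscp-color-map is applied,
the map's yellow/red lists with everything else green.  The map rejects a
DSCP already in the other colour's list and replaces a colour's list wholesale.
"""
from collections import Counter
from typing import Optional

GREEN, YELLOW, RED = "green", "yellow", "red"
DSCP_FOURTH_BIT = 0b000100   # assumption: "fourth bit" counted from the MSB


def dscp_from_ipv4(header: bytes) -> int:
    """DSCP is the upper six bits of the second byte (TOS/DS field)."""
    if len(header) < 2 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1] >> 2


def default_color(dscp: int) -> str:
    """Default drop precedence: fourth bit 0 -> green, 1 -> yellow, 63 -> red."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    if dscp == 63:
        return RED
    return YELLOW if dscp & DSCP_FOURTH_BIT else GREEN


class DscpColorMap:
    """One yellow list and one red list, mutually exclusive; the rest is green."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.lists = {YELLOW: frozenset(), RED: frozenset()}

    def set_list(self, color: str, values) -> None:
        """Replace the list for `color`.  Leaves the map unchanged and raises
        if a value is out of range or already in the other colour's list."""
        if color not in self.lists:
            raise ValueError(f"colour must be yellow or red, got {color!r}")
        new = frozenset(values)
        bad = sorted(v for v in new if not 0 <= v <= 63)
        if bad:
            raise ValueError(f"DSCP out of range: {bad}")
        other = RED if color == YELLOW else YELLOW
        clash = sorted(new & self.lists[other])
        if clash:
            raise ValueError(f"DSCP {clash} already in the {other} list")
        self.lists[color] = new   # values dropped from the old list revert to green

    def color(self, dscp: int) -> str:
        if dscp in self.lists[RED]:
            return RED
        if dscp in self.lists[YELLOW]:
            return YELLOW
        return GREEN

    def show(self) -> str:
        """Approximation of the 'show qos dscp-color-map <name>' output."""
        lines = [f"Dscp-color-map {self.name}"]
        for color in (YELLOW, RED):
            if self.lists[color]:
                lines.append(f"  {color} {','.join(map(str, sorted(self.lists[color])))}")
        return "\n".join(lines)


def color_counts(headers, cmap: Optional[DscpColorMap] = None) -> Counter:
    """Colour each packet and tally per colour, like the Green/Yellow
    counters in 'show qos statistics'."""
    counts = Counter({GREEN: 0, YELLOW: 0, RED: 0})
    for h in headers:
        dscp = dscp_from_ipv4(h)
        counts[cmap.color(dscp) if cmap else default_color(dscp)] += 1
    return counts


def _ipv4_header(dscp: int) -> bytes:
    """Constructed 20-byte IPv4 header carrying the given DSCP (ECN bits 0)."""
    return bytes([0x45, dscp << 2]) + bytes(18)


if __name__ == "__main__":
    # Constructed sample: AF11 (10), AF12 (12), EF (46), CS7 (56) and 63.
    sample = [_ipv4_header(d) for d in (10, 12, 46, 56, 63)]
    print("default rule:", dict(color_counts(sample)))
    m = DscpColorMap("mapTWO")
    m.set_list(YELLOW, {16, 55})
    print(m.show())
    print("with mapTWO:", dict(color_counts(sample, m)))
```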
Green Yellow Out of Profile 51624 51300 0 The following shows the show qos statistics output on the port extender.
• If queued packets fall below the minimum threshold, they are transmitted. • If queued packets exceed the maximum threshold, they are dropped. ECN Packet Classification When ECN for WRED is enabled on an interface, non-ECN-capable packets are marked as green-profiled traffic and are subject to early WRED drops. For example, TCP-acks, OAM, and ICMP ping packets are non-ECN-capable. However, it is not desirable for these packets to be WRED-dropped.
policy-map-input ecn_0_pmap service-queue 0 class-map ecn_0_cmap Applying the policy map “ecn_0_pmap” marks all incoming packets with the ECN field set to 0 for “yellow” handling on queue 0 (default queue). Example: Color-marking non-ECN Packets in Different Traffic Classes The following examples both show how to mark non-ECN packets for “yellow” handling when packets with DSCP 40 egress on queue 2 and packets with DSCP 50 egress on queue 3.
service-queue 2 class-map class_dscp_40 service-queue 3 class-map class_dscp_50 Using A Configurable Weight for WRED and ECN The switch supports a user-configurable weight that determines the average queue size used in WRED and Explicit Congestion Notification (ECN) operation on front-end I/O and backplane interfaces.
Global Service-Pools for WRED with ECN You can enable WRED with ECN to work with global service-pools. Global service pools that function as shared buffers are accessed by multiple queues when the minimum guaranteed buffers for a queue are consumed. The switch supports four global service-pools in the egress direction. Two types of service-pools are used: one for lossy queues and the other for lossless (priority-based flow control (PFC)) queues.
Queue Configuration: Q threshold = Q-T. Service-Pool Configuration: Service-pool threshold = SP-T. WRED Threshold Relationship and Expected Functionality:
– ECN marking up to the shared buffer limits of the service-pool, and then packets are tail dropped.
– SP-T < Q-T: Same as above, but ECN marking starts above SP-T.
Configuring a Weight for WRED and ECN Operation You can configure a WRED weight to customize WRED and ECN operation on a front-end or backplane interface.
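The WRED/ECN behaviour described in the preceding passages (transmit below the minimum threshold, drop above the maximum, ECN marking in between for ECN-capable packets and early drop for non-ECN packets, the configurable average-queue weight, and tail drop once the shared service-pool is used up) as an added Python model; this is not Dell EMC Networking OS code, and it assumes the classic RED moving average and a linear drop curve, which the guide does not specify.

```python
"""Added example, not Dell EMC Networking OS code.

Models the WRED/ECN queue decision the guide describes: a weighted average
queue size (the configurable weight), minimum and maximum thresholds, ECN
marking for ECN-capable packets in the drop band, early drop for non-ECN
packets such as TCP ACKs, OAM and ICMP, and tail drop once the queue has used
its share of the global service-pool.  Assumptions: the RED moving average
avg += (depth - avg) / 2**weight and a linear drop probability between the
thresholds; the guide does not give the switch's exact curve.
"""
import random
from dataclasses import dataclass

ECN_MASK = 0b11          # low two bits of the TOS/DS byte: 00 = Not-ECT


@dataclass
class WredProfile:
    min_threshold: int    # below this average, everything is transmitted
    max_threshold: int    # at or above this average, everything is dropped
    max_drop_rate: float  # drop probability reached just below max_threshold
    weight: int           # average-queue weight exponent; larger = smoother


@dataclass
class Queue:
    profile: WredProfile
    pool_limit: int       # shared service-pool buffer available to this queue
    depth: int = 0        # instantaneous occupancy (packets)
    avg: float = 0.0      # weighted average occupancy

    def update_average(self) -> float:
        """RED-style EWMA: avg += (depth - avg) * 2**-weight."""
        self.avg += (self.depth - self.avg) / (1 << self.profile.weight)
        return self.avg


def is_ecn_capable(tos: int) -> bool:
    """ECT(0), ECT(1) or CE set means the sender will react to a CE mark."""
    return (tos & ECN_MASK) != 0


def drop_probability(avg: float, p: WredProfile) -> float:
    """0 below min_threshold, rising linearly to max_drop_rate, 1 at max."""
    if avg < p.min_threshold:
        return 0.0
    if avg >= p.max_threshold:
        return 1.0
    return p.max_drop_rate * (avg - p.min_threshold) / (p.max_threshold - p.min_threshold)


def enqueue(q: Queue, tos: int, rnd: float) -> str:
    """Decide one arriving packet: 'transmit', 'mark' (set CE) or 'drop'.

    rnd is a uniform draw in [0, 1) supplied by the caller so runs are
    reproducible; simulate() drives it from a seeded generator.
    """
    if q.depth >= q.pool_limit:        # service-pool exhausted: tail drop
        return "drop"
    p = drop_probability(q.update_average(), q.profile)
    if p >= 1.0:                       # above the maximum threshold
        return "drop"
    if rnd >= p:                       # below min, or survived the lottery
        q.depth += 1
        return "transmit"
    if is_ecn_capable(tos):            # congestion signalled, packet kept
        q.depth += 1
        return "mark"
    return "drop"                      # non-ECN traffic takes the early drop


def simulate(q: Queue, tos_values, seed: int = 1, drain_every: int = 3) -> dict:
    """Feed packets through the queue, draining one packet every
    `drain_every` arrivals, and tally the outcomes."""
    rng = random.Random(seed)
    tally = {"transmit": 0, "mark": 0, "drop": 0}
    for n, tos in enumerate(tos_values, 1):
        tally[enqueue(q, tos, rng.random())] += 1
        if n % drain_every == 0 and q.depth > 0:
            q.depth -= 1
    return tally


if __name__ == "__main__":
    # Constructed burst: alternating ECN-capable (ECT(0)) and non-ECN packets.
    burst = [0x02 if i % 2 == 0 else 0x00 for i in range(60)]
    q = Queue(WredProfile(min_threshold=4, max_threshold=12,
                          max_drop_rate=0.5, weight=1), pool_limit=16)
    print(simulate(q, burst))
```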
Dell(conf)#service-class wred ecn 0, 3-5, 7 backplane Pre-Calculating Available QoS CAM Space Pre-calculating available QoS CAM space allows you to measure the number of CAM entries a policy-map consumes. This feature allows you to avoid applying a policy-map on an interface that requires more CAM entries than are available and receive a CAM full error message (shown in the following example). The partial policy-map configuration might cause unintentional system behavior.
In the F10-FPSTATS MIB, the following tables display BST counters: • fpEgrQBuffSnapshotTable: Retrieves BST statistics from the egress port used in a buffer. This table displays a snapshot of the buffer cells used by unicast and multicast data and control queues. • fpIngPgBuffSnapshotTable: Retrieves BST statistics from the ingress port for the shared and headroom cells used in a priority group.
46 Routing Information Protocol (RIP) The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm. RIP protocol standards are listed in the Standards Compliance chapter. Topics: • Protocol Overview • Implementation Information • Configuration Information Protocol Overview RIP is the oldest interior gateway protocol.
Implementation Information The Dell Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on interfaces or both versions on the interfaces. The following table lists the default values for RIP parameters on the switch. Table 86.
Enabling RIP Globally By default, RIP is disabled on the switch. To enable RIP globally, use the following commands. 1 Enter ROUTER RIP mode and enable the RIP process. CONFIGURATION mode router rip 2 Assign an IP network address as a RIP network to exchange routing information.
192.161.1.0/24 auto-summary 192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0 192.162.3.0/24 auto-summary To disable RIP globally, use the no router rip command in CONFIGURATION mode. Configure RIP on Interfaces When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes. By default, interfaces that you enable and configure with an IP address in the same subnet as the RIP network address receive RIPv1 and RIPv2 routes and send RIPv1 routes.
Adding RIP Routes from Other Instances In addition to filtering routes, you can add routes from other routing instances or protocols to the RIP process. With the redistribute command, you can include open shortest path first (OSPF), static, or directly connected routes in the RIP process. To add routes from other routing instances or protocols, use the following commands. • Include directly connected or user-configured (static) routes in RIP.
The following example shows the RIP configuration after the ROUTER RIP mode version command is set to RIPv2. When you set the ROUTER RIP mode version command, the interface (TengigabitEthernet 0/0) participating in the RIP process is also set to send and receive RIPv2 (shown in bold).
• Specify the generation of a default route in RIP. ROUTER RIP mode default-information originate [always] [metric value] [route-map route-map-name] – always: Enter the keyword always to always generate a default route. – value: the range is from 1 to 16. – route-map-name: The name of a configured route map. To confirm that the default route configuration is completed, use the show config command in ROUTER RIP mode.
– prefix-list-name: the name of an established Prefix list to determine which incoming routes are modified – offset: the range is from 0 to 16. – interface: the type, slot, and number of an interface. To view the configuration changes, use the show config command in ROUTER RIP mode. Debugging RIP The debug ip rip command enables RIP debugging. When you enable debugging, you can view information on RIP protocol changes or RIP routes. To enable RIP debugging, use the following command.
RIP Configuration on Core2 The following example shows how to configure RIPv2 on a host named Core2. Example of Configuring RIPv2 on Core 2 Core2(conf-if-te-2/31)# Core2(conf-if-te-2/31)#router rip Core2(conf-router_rip)#ver 2 Core2(conf-router_rip)#network 10.200.10.0 Core2(conf-router_rip)#network 10.300.10.0 Core2(conf-router_rip)#network 10.11.10.0 Core2(conf-router_rip)#network 10.11.20.0 Core2(conf-router_rip)#show config ! router rip network 10.0.0.
Destination Gateway Dist/Metric Last Change ----------- ------- ----------- ----------C 10.11.10.0/24 Direct, Te 2/11 C 10.11.20.0/24 Direct, Te 2/31 R 10.11.30.0/24 via 10.11.20.1, Te 2/31 C 10.200.10.0/24 Direct, Te 2/41 C 10.300.10.0/24 Direct, Te 2/42 R 192.168.1.0/24 via 10.11.20.1, Te 2/31 R 192.168.2.0/24 via 10.11.20.1, Te 2/31 Core2# R 192.168.1.0/24 via 10.11.20.1, Te 2/31 R 192.168.2.0/24 via 10.11.20.
Core 3 RIP Output The examples in this section show the Core 3 RIP output. • To display the Core 3 RIP database, use the show ip rip database command. • To display the Core 3 RIP setup, use the show ip route command. • To display Core 3 RIP activity, use the show ip protocols command. Examples of the show ip Command with Core 3 Output To view learned RIP routes on Core 3, use the show ip rip database command. Core3#show ip rip database Total number of routes in RIP database: 7 10.11.10.0/24 [120/1] via 10.11.
Default version control: receive version 2, send version 2 Interface Recv Send TenGigabitEthernet 3/21 2 2 TenGigabitEthernet 3/11 2 2 TenGigabitEthernet 3/44 2 2 TenGigabitEthernet 3/43 2 2 Routing for Networks: 10.11.20.0 10.11.30.0 192.168.2.0 192.168.1.0 Routing Information Sources: Gateway Distance Last Update 10.11.20.
ip address 192.168.2.1/24 no shutdown ! router rip version 2 network 10.11.20.0 network 10.11.30.0 network 192.168.1.0 network 192.168.2.
47 Remote Monitoring (RMON) Remote monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facilities and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
Setting the RMON Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. • Set an alarm on any MIB object.
Configuring an RMON Event To add an event in the RMON event table, use the rmon event command in GLOBAL CONFIGURATION mode. • Add an event in the RMON event table. CONFIGURATION mode [no] rmon event number [log] [trap community] [description string] [owner string] – number: assigned event number, which is identical to the eventIndex in the eventTable in the RMON MIB. The value must be an integer from 1 to 65,535 and be unique in the RMON Event Table.
Configuring the RMON Collection History To enable the RMON MIB history group of statistics collection on an interface, use the rmon collection history command in INTERFACE CONFIGURATION mode. • Configure the RMON MIB history group of statistics collection. CONFIGURATION INTERFACE (config-if) mode [no] rmon collection history {controlEntry integer} [owner ownername] [buckets bucket-number] [interval seconds] – controlEntry: specifies the RMON group of statistics using a value.
48 Rapid Spanning Tree Protocol (RSTP) The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). Protocol Overview The Dell Networking OS supports three other versions of spanning tree, as shown in the following table. Table 87.
• Adding a group of ports to a range of VLANs sends multiple messages to the RSTP task, so avoid using the range command. When using the range command, Dell Networking recommends limiting the range to five ports and 40 VLANs. RSTP and VLT Virtual link trunking (VLT) provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures.
Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. • Only one path from any bridge to any other bridge is enabled. • Bridges block a redundant path by disabling one of the link ports. To enable RSTP globally for all Layer 2 interfaces, use the following commands.
Figure 126. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. Dell#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.
Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.379, designated path cost 0 Number of transitions to forwarding state 1 BPDU : sent 121, received 5 The port is not in the Edge port mode Port 380 (TengigabitEthernet 2/4) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.380 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.
The following table displays the default values for RSTP. Table 88. RSTP Default Values
RSTP Parameter | Default Value
Forward Delay | 15 seconds
Hello Time | 2 seconds
Max Age | 20 seconds
Port Cost: 10-Gigabit Ethernet interfaces | 2000
Port Cost: Port Channel with 10-Gigabit Ethernet interfaces | 1800
Port Priority | 128
To change these parameters, use the following commands. • Change the forward-delay parameter. PROTOCOL SPANNING TREE RSTP mode forward-delay seconds The range is from 4 to 30.
snmp-server enable traps xstp Modifying Interface Parameters On interfaces in Layer 2 mode, you can set the port cost and port priority values. • Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port. • Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states. The bpduguard shutdown-on-violation option causes the interface hardware to be shut down when it receives a BPDU.
• Configure a hello time on the order of milliseconds. PROTOCOL RSTP mode hello-time milli-second interval The range is from 50 to 950 milliseconds. Example of Verifying Hello-Time Interval Dell(conf-rstp)#do show spanning-tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 0, Address 0001.e811.2233 Root Bridge hello time 50 ms, max age 20, forward delay 15 Bridge ID Priority 0, Address 0001.e811.
49 Security This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
Overview of RBAC With Role-Based Access Control (RBAC), access and authorization are controlled based on a user’s role. Users are granted permissions based on their user roles, not on their individual user ID. User roles are created for job functions and through those roles they acquire the permissions to perform their associated job function. Each user can be assigned only a single role. Many users can have the same role. The Dell Networking OS supports the constrained RBAC model.
3 Specify an authentication method list (RADIUS, TACACS+, or Local). You must specify at least local authentication. For consistency, the best practice is to define the same authentication method list across all lines, in the same order of comparison; for example VTY and console port. You could also use the default authentication method to apply to all the LINES (console port, VTY). NOTE: The authentication method list should be in the same order as the authorization method list.
• System Administrator (sysadmin). This role has full access to all the commands in the system, exclusive access to commands that manipulate the file system formatting, and access to the system shell. This role can also create user IDs and user roles. The following summarizes the modes that the predefined user roles can access.
The configuration in the following example creates a new user role, myrole, which inherits the security administrator (secadmin) permissions. Create a new user role, myrole and inherit security administrator permissions. Dell(conf)#userrole myrole inherit secadmin Verify that the user role, myrole, has inherited the security administrator permissions. The output highlighted in bold indicates that the user role has successfully inherited the security administrator permissions.
The following example allows the security administrator (secadmin) to configure the spanning tree protocol. Note that the command is protocol spanning-tree. Dell(conf)#role configure addrole secadmin protocol spanning-tree Example: Allow Security Administrator to Access Interface Mode The following example allows the security administrator (secadmin) to access Interface mode.
The following example resets only the secadmin role to its original setting. Dell(conf)#no role configure addrole secadmin protocol Example: Reset System-Defined Roles and Roles that Inherit Permissions In the following example, the command protocol permissions are reset to their original setting for one or more of the system-defined roles and any roles that inherited permissions from them.
To configure AAA authentication, use the aaa authentication command in CONFIGURATION mode. aaa authentication login {method-list-name | default} method [… method4] Configure AAA Authorization for Roles Authorization services determine if the user has permission to use a command in the CLI. Users with only privilege levels can use commands in privilege-or-role mode (the default) provided their privilege level is the same or greater than the privilege level of those commands.
authorization exec ucraaa accounting commands role netadmin line vty 4 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 5 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 6 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 7 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 8 login authentication ucraaa authorization exe
In the following example, you create an AV pair for a user-defined role. You must also define a role, using the userrole myrole inherit command on the switch, to associate it with this AV pair. Force10-avpair="shell:role=myrole" The string "myrole" is associated with a TACACS+ user group. The user IDs are associated with the user group. Role Accounting This section describes how to configure role accounting and how to display active sessions for roles.
Task ID 2, EXEC Accounting record, 00:00:26 Elapsed, service=shell Display Information About User Roles This section describes how to display information about user roles.
Displaying Information About Users Logged into the Switch To display information on all users logged into the switch, use the show users command in EXEC Privilege mode. The output displays the privilege level and/or user role. The mode is displayed at the start of the output, and both the privilege levels and roles for all users are also displayed. If the role is not defined, the system displays "unassigned".
– exec: sends accounting information when a user has logged in to EXEC mode. – command level: sends accounting of commands executed at the specified privilege level. – default | name: enter the name of a list of accounting methods. – start-stop: use for more accounting information, to send a start-accounting notice at the beginning of the requested event and a stop-accounting notice at the end.
accounting commands 15 com15 accounting exec execAcct Example of Enabling AAA Accounting with a Named Method List Dell(config-line-vty)# accounting commands 15 com15 Dell(config-line-vty)# accounting exec execAcct Monitoring AAA Accounting The system does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting.
Configure Login Authentication for Terminal Lines You can assign up to five authentication methods to a method list. The system evaluates the methods in the order in which you enter them in each list. If the first method list does not respond or returns an error, the system applies the next method list until the user either passes or fails the authentication. If the user fails a method list, the system does not apply the next method list.
Enabling AAA Authentication To enable AAA authentication, use the following command. • Enable AAA authentication. CONFIGURATION mode aaa authentication enable {method-list-name | default} method1 [... method4] – default: uses the listed authentication methods that follow this argument as the default list of methods when a user logs in. – method-list-name: character string used to name the list of enable authentication methods activated when a user logs in. – method1 [...
Server-Side Configuration Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or RADIUS server. • TACACS+ — When using TACACS+, the switch sends an initial packet with service type SVC_ENABLE, and then sends a second packet with just the password. The TACACS server must have an entry for username $enable$.
AAA Authorization The system enables AAA new-model by default. You can set authorization to be either local or remote. Different combinations of authentication and authorization yield different results. By default, the system sets both to local. Privilege Levels Overview Limiting access to the system is one method of protecting the system and your network. However, at times, you might need to allow others access to the router and you can limit that access to a subset of commands.
Configuring a Username and Password In the Dell Networking OS, you can assign a specific username to limit user access to the system. To configure a username and password, use the following command. • Assign a user name and password. CONFIGURATION mode username name [access-class access-list-name] [nopassword | password [encryption-type] password] [privilege level] Configure the optional and required parameters: – name: Enter a text string up to 63 characters long.
router authentication strings, VRRP authentication by obscuring this information. Passwords and keys are stored encrypted in the configuration file and by default are displayed in the encrypted form when the configuration is displayed. Enabling the service obscure-passwords command displays asterisks instead of the encrypted passwords and keys. This command prevents a user from reading these passwords and keys by obscuring this information with asterisks.
• level level: specify a level from 0 to 15. Level 15 includes all levels. • encryption-type: enter 0 for plain text or 7 for encrypted text. • password: enter a string up to 25 characters long. To change only the password for the enable command, configure only the password parameter. 3 Configure level and commands for a mode or reset a command’s level.
Current privilege level is 8 Dell#? configure Configuring from terminal disable Turn off privileged commands enable Turn on privileged commands exit Exit from the EXEC no Negate a command show Show running system information terminal Set terminal line parameters traceroute Trace route to destination Dell#confi Dell(conf)#? end Exit from Configuration mode exit Exit from Configuration mode no Reset a command snmp-server Modify SNMP parameters Dell(conf)# Specifying LINE Mode Password and Privilege You can s
– level-number: The level-number you wish to set. If you enter disable without a level-number, your security level is 1. Resetting a Password To reset a password on the switch, follow the procedure in Recovering from a Forgotten Password on the switch. RADIUS Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol.
• The administrator changes the idle-time of the line on which the user has logged in. • The idle-time is lower than the RADIUS-returned idle-time. ACL Configuration Information The RADIUS server can specify an ACL. If an ACL is configured on the RADIUS server, and if that ACL is present, the user may be allowed access based on that ACL. If the ACL is absent, authorization fails, and a message is logged indicating this.
To view the configuration, use the show config command in LINE mode or the show running-config command in EXEC Privilege mode. Defining an AAA Method List to be Used for RADIUS To configure RADIUS to authenticate or authorize users on the system, create an AAA method list. Default method lists do not need to be explicitly applied to the line, so they are not mandatory. To create a method list, use the following commands.
– auth-port port-number: the range is from 0 to 65335. Enter a UDP port number. The default is 1812. – retransmit retries: the range is from 0 to 100. Default is 3. – timeout seconds: the range is from 0 to 1000. Default is 5 seconds. – key [encryption-type] key: enter 0 for plain text or 7 for encrypted text, and a string for the key. The key can be up to 42 characters long. This key must match the key configured on the RADIUS server host.
Monitoring RADIUS To view information on RADIUS transactions, use the following command. • View RADIUS transactions to troubleshoot problems. EXEC Privilege mode debug radius Microsoft Challenge-Handshake Authentication Protocol Support for RADIUS Authentication Dell Networking OS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAPv2) with RADIUS authentication. RADIUS is used to authenticate Telnet, SSH, console, REST, and OMI access to the switch based on the AAA configuration.
Support for Change of Authorization and Disconnect Message packets The Network Access Server (NAS) uses RADIUS to authenticate AAA or dot1x user-access to the switch. The RADIUS service does not support unsolicited messages sent from the RADIUS server to the NAS. However, there are many instances in which it is desirable for changes to be made to session characteristics, without requiring the NAS to initiate the exchange.
Table 89. NAS Identification Attributes
Attribute code | Attribute | Description
4 | NAS-IP-Address | IPv4 address of the NAS.
95 | NAS-IPv6-Address | IPv6 address of the NAS.
Table 90. Change of Authorization (CoA) Attribute
Attribute code | Attribute | Description
5 | NAS-Port | Port associated with the session to be processed for EAP or MAB users, or the VTY ID for AAA sessions.
Table 91.
Error-cause Values It is possible that a Dynamic Authorization Server cannot honor Disconnect Message request or CoA request packets for some reason. The Error-Cause Attribute provides more detail on the cause of the problem. It may be included within CoA-Nak and Disconnect-Nak packets. The following table describes various error causes for the CoA and DM requests: Table 94.
NOTE: The Invalid Attribute Value Error-Cause is applicable to the following scenarios: – if the CoA request contains an incorrect Vendor-Specific attribute value. – if the CoA request contains incorrect NAS-port or calling-station-id values. • rejects a CoA-Request containing a NAS-IP-Address or NAS-IPV6-Address attribute that does not match the NAS with a CoA-Nak; the Error-Cause value is “NAS Identification Mismatch” (403).
Disconnect Message Processing This section lists various actions that the NAS performs during DM processing. The following activities are performed by NAS: • responds with DM-Nak, if no matching session is found in NAS for the session identification attributes in DM; Error-Cause value is “Session Context Not Found” (503). • responds with DM-Nak for any internal processing error in NAS; Error-Cause value is “Resources Unavailable” (506).
client-key encryption-type key Dell(conf-dynamic-auth#)client-key 7 password Disconnecting administrative users logged in through RADIUS Dell EMC Networking OS enables you to configure disconnect messages (DMs) to disconnect RADIUS administrative users who are logged in through an AAA interface. Before disconnecting an administrative user using the disconnect messages, ensure that the following prerequisites are satisfied: • Shared key is configured in NAS for DAC.
NAS disables the authentication port that is hosting the session and re-enables it after 10 seconds. All user sessions connected to this authentication port are affected. Dell(conf#)radius dynamic-auth Dell(conf-dynamic-auth#)coa-bounce-port NAS takes the following actions whenever port-bounce is triggered: • validates the CoA request and the session identification attributes. • sends a CoA-Nak with an error-cause of 402 (missing attribute), if the CoA request does not contain the NAS-port attributes.
• sends a CoA-ACK if the user is configured with forced-authorization. Terminating the 802.1x user session Dell EMC Networking OS provides RADIUS extension commands that terminate the 802.1x user session. When this request is initiated, the NAS disconnects the 802.1x user session without disabling the physical port that authenticated the current session. Before terminating the 802.1x user session, ensure that the following prerequisites are satisfied: • Shared key is configured in NAS for DAC.
NAS administratively shuts down the 802.1x enabled port that is hosting the session. You can re-enable this port only through a non-RADIUS mechanism or through a bounce-port request. Dell(conf#)radius dynamic-auth Dell(conf-dynamic-auth#)coa-disable-port NAS takes the following actions: • validates the CoA request and the session identification attributes. • sends a CoA-Nak with an error-cause of 402 (missing attribute), if the CoA request does not contain the NAS-port attribute.
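The NAS-side processing described across the CoA and Disconnect Message passages above (shared-key check for the DAC, NAS-IP-Address/NAS-IPv6-Address matching, the required NAS-Port attribute, session lookup, and the Error-Cause values 402, 403, 503 and 506) as an added Python example; this is not Dell EMC Networking OS code. It assumes the RFC 5176 packet codes, attribute numbers and authenticator rules, and the NAS address, shared key and session table are constructed.

```python
"""Added example, not Dell EMC Networking OS code.

NAS-side handling of RADIUS dynamic authorization as the guide lays it out:
check the DAC shared key (RFC 5176 Request Authenticator), match
NAS-IP-Address / NAS-IPv6-Address against the NAS, require the NAS-Port
session attribute, look the session up, then answer ACK or NAK carrying an
Error-Cause of 402, 403, 503 or 506 as listed on this page.  Packet codes and
attribute numbers are the RFC 5176 values; the NAS address, secret and
session table are constructed.
"""
import hashlib
import struct
from typing import Optional

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
DM_REQUEST, DM_ACK, DM_NAK = 40, 41, 42
NAS_IP_ADDRESS, NAS_PORT, NAS_IPV6_ADDRESS, ERROR_CAUSE = 4, 5, 95, 101
MISSING_ATTRIBUTE, NAS_ID_MISMATCH = 402, 403
INVALID_REQUEST = 404                       # RFC 5176 value, not on this page
SESSION_NOT_FOUND, RESOURCES_UNAVAILABLE = 503, 506


def attr(t: int, value: bytes) -> bytes:
    return bytes([t, 2 + len(value)]) + value


def parse_attrs(data: bytes) -> dict:
    """TLV walk that rejects a length running past the end of the packet."""
    out, i = {}, 0
    while i < len(data):
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out


def sign_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs


def verify_request(pkt: bytes, secret: bytes) -> bool:
    return pkt[4:20] == hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()


def reply(code: int, req: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, req[1], 20 + len(attrs))
    return head + hashlib.md5(head + req[4:20] + attrs + secret).digest() + attrs


def error_cause(resp: bytes) -> Optional[int]:
    v = parse_attrs(resp[20:]).get(ERROR_CAUSE)
    return struct.unpack("!I", v)[0] if v else None


class Nas:
    """NAS identity, DAC shared key and active sessions keyed by NAS-Port."""

    def __init__(self, ipv4: bytes, secret: bytes, sessions: dict,
                 ipv6: Optional[bytes] = None) -> None:
        self.ipv4, self.ipv6, self.secret, self.sessions = ipv4, ipv6, secret, sessions

    def apply(self, code: int, port: int) -> None:
        """Tear the session down (DM) or re-authorize it (CoA)."""
        if code == DM_REQUEST:
            del self.sessions[port]
        else:
            self.sessions[port]["reauthorized"] = True

    def handle(self, pkt: bytes) -> Optional[bytes]:
        if len(pkt) < 20 or pkt[0] not in (COA_REQUEST, DM_REQUEST):
            return None
        if not verify_request(pkt, self.secret):
            return None                        # wrong shared key: discard silently
        ack, nak = (COA_ACK, COA_NAK) if pkt[0] == COA_REQUEST else (DM_ACK, DM_NAK)

        def nak_with(cause: int) -> bytes:
            return reply(nak, pkt, attr(ERROR_CAUSE, struct.pack("!I", cause)), self.secret)

        try:
            attrs = parse_attrs(pkt[20:])
        except ValueError:
            return nak_with(INVALID_REQUEST)
        v4, v6 = attrs.get(NAS_IP_ADDRESS), attrs.get(NAS_IPV6_ADDRESS)
        if (v4 is not None and v4 != self.ipv4) or (v6 is not None and v6 != self.ipv6):
            return nak_with(NAS_ID_MISMATCH)    # 403 NAS Identification Mismatch
        if len(attrs.get(NAS_PORT, b"")) != 4:
            return nak_with(MISSING_ATTRIBUTE)  # 402 Missing Attribute
        port = struct.unpack("!I", attrs[NAS_PORT])[0]
        if port not in self.sessions:
            return nak_with(SESSION_NOT_FOUND)  # 503 Session Context Not Found
        try:
            self.apply(pkt[0], port)
        except Exception:
            return nak_with(RESOURCES_UNAVAILABLE)  # 506 internal processing error
        return reply(ack, pkt, b"", self.secret)
```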
NAS applies the new replay protection window value from the next window period. The range is from 1 to 10 minutes. The default is 5 minutes. Dell(conf-dynamic-auth#)replay-prot-window 10 Rate-limiting RADIUS packets NAS enables you to allow or reject RADIUS dynamic authorization packets based on the rate-limiting value that you specify. NAS lets you configure the number of RADIUS dynamic authorization packets allowed per minute. The default value is 30 packets per minute.
To select TACACS+ as the login authentication method, use the following commands. 1 Configure a TACACS+ server host. CONFIGURATION mode tacacs-server host {ip-address | host} Enter the IP address or host name of the TACACS+ server. Use this command multiple times to configure multiple TACACS+ server hosts. 2 Enter a text string (up to 16 characters long) as the name of the method list you wish to use with the TACACS+ authentication method.
Dell(conf)#username angeline password angeline Dell(conf)#%SYSTEM-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline on vty0 (10.11.9.209) %SYSTEM-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0 ( 10.11.9.209 ) Monitoring TACACS+ To view information on TACACS+ transactions, use the following command. • View TACACS+ transactions to troubleshoot problems.
Configure the optional communication parameters for the specific host:
– port port-number: the range is from 0 to 65535. Enter a TCP port number. The default is 49.
– timeout seconds: the range is from 0 to 1000. The default is 10 seconds.
– key key: enter a string for the key. The key can be up to 42 characters long. This key must match the key configured on the TACACS+ server host. This parameter must be the last parameter you configure.
• Open an SSH connection, specifying the host name, username, port number, and version of the SSH client.
EXEC Privilege mode
ssh {hostname} [-l username | -p port-number | -v {1 | 2}]
hostname is the IP address or host name of the remote device. Enter an IPv4 address in dotted decimal format (A.B.C.D) or an IPv6 address. Use -v 2 unless the remote device supports only SSH version 1; version 1 has known protocol weaknesses.
• Configure the Dell Networking system as an SCP/SSH server.
4 On Switch 2, in response to the prompts, enter the path to the desired file and enter the port number specified in Step 1.
EXEC Privilege mode
Example of Using SCP to Copy from an SSH Server on Another Switch
Other SSH-related commands include:
• crypto key generate: generate keys for the SSH server.
• debug ip ssh: enables collecting SSH debug information.
• ip scp topdir: identify a location for files used in secure copy transfer.
Configure the following parameters:
• rekey-interval: time-based rekey threshold for an SSH session. The range is from 10 to 1440 minutes. The default is 60 minutes.
• rekey-limit: volume-based rekey threshold for an SSH session. The range is from 1 to 4096 megabytes. The default is 1024 megabytes.
Examples
The following example configures the time-based rekey threshold for an SSH session to 30 minutes.
Example of DNS Configuration in SSH Server Connections
To view the status of DNS in the SSH server configuration, use the show running-config ip ssh command from EXEC mode.
DellEMC#show running-config ip ssh
!
ip ssh server dns enable
ip ssh hostbased-authentication enable
no ip ssh password-authentication enable
ip ssh server enable
Configuring the HMAC Algorithm for the SSH Server
To configure the HMAC algorithm for the SSH server, use the ip ssh server mac hmac-algorithm command in CONFIGURATION mode.
• hmac-md5-96
• hmac-sha1
• hmac-sha1-96
• hmac-sha2-256
The default list of HMAC algorithms is in the following order:
• hmac-sha2-256
• hmac-sha1
• hmac-sha1-96
• hmac-md5
• hmac-md5-96
When FIPS is enabled, the default HMAC algorithm list is hmac-sha2-256, hmac-sha1, hmac-sha1-96. The MD5-based and 96-bit truncated MACs remain in the non-FIPS default only for compatibility with old clients; where your clients allow it, restrict the list to hmac-sha2-256.
Example of Configuring a HMAC Algorithm
The following example shows you how to configure a HMAC algorithm list.
The following ciphers are available.
• 3des-cbc
• aes128-cbc
• aes192-cbc
• aes256-cbc
• aes128-ctr
• aes192-ctr
• aes256-ctr
The default cipher list is in the given order: aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc. The CBC modes and 3DES are kept for compatibility; prefer a list containing only the CTR ciphers.
Example of Configuring a Cipher List
The following example shows you how to configure a cipher list.
Dell(conf)#ip ssh cipher aes128-ctr aes128-cbc 3des-cbc
Secure Shell Authentication
Secure Shell (SSH) is disabled by default.
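An audit of the cipher, HMAC and key-exchange lists that show ip ssh prints, as an added example that is not code from this guide or from Dell EMC Networking OS. The SHOW_IP_SSH text is constructed in the layout the guide's show ip ssh output uses, with the cipher line listing the guide's default order. Which algorithms count as weak (CBC modes and 3DES, MD5 and SHA-1 based MACs, the 1024-bit group1 key exchange) is this example's policy, not the guide's. The remediation emits the ip ssh server mac command the guide documents and the ip ssh cipher form the guide's example uses; no key-exchange command appears on this page, so a weak kex entry is reported as a finding rather than a command.

```python
import re

# Policy for this example: CBC modes and 3DES, MD5/SHA-1 MACs and the
# 1024-bit group1 key exchange are flagged as weak.
WEAK = {
    "ciphers": re.compile(r"cbc|3des"),
    "macs": re.compile(r"md5|sha1"),
    "kex algorithms": re.compile(r"group1-"),
}

# Constructed excerpt of 'show ip ssh' output in the guide's layout.
SHOW_IP_SSH = """\
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
"""

LIST_LINE = re.compile(r"^SSH server (ciphers|macs|kex algorithms)\s*:\s*(.*?)\.?\s*$")
AUTH_LINE = re.compile(r"^(Password|Hostbased|RSA) Authentication\s*:\s*(enabled|disabled)\.?\s*$")


def parse_show_ip_ssh(text):
    """Return the three algorithm lists (in negotiated order) and the
    authentication-method flags."""
    out = {"auth": {}}
    for line in text.splitlines():
        m = LIST_LINE.match(line.strip())
        if m:
            out[m.group(1)] = [a.strip() for a in m.group(2).split(",") if a.strip()]
            continue
        m = AUTH_LINE.match(line.strip())
        if m:
            out["auth"][m.group(1)] = m.group(2) == "enabled"
    return out


def audit(parsed):
    """Split each list into weak and acceptable entries, preserving order."""
    report = {}
    for key, pattern in WEAK.items():
        algs = parsed.get(key, [])
        report[key] = {
            "weak": [a for a in algs if pattern.search(a)],
            "keep": [a for a in algs if not pattern.search(a)],
        }
    return report


def remediation(parsed, report):
    """CLI lines that keep only acceptable algorithms, plus findings that need
    a human decision. A list is never emptied: if nothing acceptable is left,
    that is reported instead of configured."""
    cmds, findings = [], []
    if report["ciphers"]["weak"] and report["ciphers"]["keep"]:
        cmds.append("ip ssh cipher " + " ".join(report["ciphers"]["keep"]))
    if report["macs"]["weak"] and report["macs"]["keep"]:
        cmds.append("ip ssh server mac " + " ".join(report["macs"]["keep"]))
    for key, entry in report.items():
        if entry["weak"] and not entry["keep"]:
            findings.append(f"{key}: every configured algorithm is weak; choose a replacement first")
    if report["kex algorithms"]["weak"]:
        findings.append("kex algorithms: weak entries " + ", ".join(report["kex algorithms"]["weak"])
                        + " (no kex command is shown on this page; see the command reference)")
    auth = parsed.get("auth", {})
    if auth.get("Password") and not auth.get("RSA"):
        findings.append("password authentication is enabled while RSA authentication is disabled")
    return cmds, findings


if __name__ == "__main__":
    parsed = parse_show_ip_ssh(SHOW_IP_SSH)
    commands, notes = remediation(parsed, audit(parsed))
    print("\n".join(commands + notes))
```

Paste the real show ip ssh output in place of the constructed text; because the parser keeps the device's own ordering, the generated command preserves the server's preference order minus the rejected entries.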
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
Using RSA Authentication of SSH
The following procedure authenticates an SSH client based on an RSA key using RSA authentication. This method uses SSH version 2.
1 On the SSH client (UNIX machine), generate an RSA key, as shown in the following example.
2 Copy the public key id_rsa.pub to the Dell Networking system.
3 Disable password authentication if enabled.
7 Bind shosts and rhosts to host-based authentication.
CONFIGURATION mode
ip ssh pub-key-file flash://filename
or
ip ssh rhostsfile flash://filename
Examples of Creating shosts and rhosts
The following example shows creating shosts.
admin@Unix_client# cd /etc/ssh
admin@Unix_client# ls
moduli  sshd_config  ssh_host_dsa_key.pub  ssh_host_key.pub  ssh_host_rsa_key.pub  ssh_config  ssh_host_dsa_key  ssh_host_key  ssh_host_rsa_key
admin@Unix_client# cat ssh_host_rsa_key.
Enable host-based authentication on the server (Dell Networking system) and on the client (Unix machine). The following message appears if you attempt to log in via SSH and host-based authentication is disabled on the client. In this case, verify that host-based authentication is set to "Yes" in the file ssh_config (root permission is required to edit this file):
permission denied (host based)
If the IP address in the RSA key does not match the IP address from which you attempt to log in, the following message appears.
line with a deny-all access class. After users identify themselves, the system retrieves the access class from the local database and applies it. (The system can then close the connection if a user is denied access.) NOTE: If a VTY user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server only if you configure RADIUS authentication. The following example shows how to allow or deny a Telnet connection to a user. Users see a login prompt even if they cannot log in.
Dell(conf)#
Dell(conf)#line vty 0 9
Dell(config-line-vty)#access-class sourcemac
Dell(config-line-vty)#end
Two Factor Authentication (2FA)
Two factor authentication, also known as 2FA, strengthens login security by requiring a one-time password (OTP) in addition to the username and password. 2FA supports RADIUS authentication with Console, Telnet, and SSHv2. To perform 2FA, follow these steps:
• When the Network Access Server (NAS) prompts for the username and password, provide them.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
Challenge Response Auth : enabled.
Vty   Encryption   HMAC       Remote IP
2     aes128-cbc   hmac-md5   10.16.127.141
4     aes128-cbc   hmac-md5   10.16.127.141
* 5   aes128-cbc   hmac-md5   10.16.127.
ICMPv4 message types IP header bad (12) Timestamp request (13) Timestamp reply (14) Information request (15) Information reply (16) Address mask request (17) Address mask reply (18) NOTE: The Dell Networking OS does not suppress the ICMP message type echo request (8). Table 97.
Dell EMC Networking OS Security Hardening
The security of a network consists of multiple factors. Apart from access to the device, best practices, and implementing various security features, security also depends on the integrity of the device. If the software itself is compromised, all of the aforementioned methods become ineffective. The Dell EMC Networking OS is enhanced to verify whether the startup configuration file has been altered before loading it.
verified boot hash startup-config hash-value
NOTE: The verified boot hash command is only applicable for the startup configuration file in the local file system.
After enabling and configuring startup configuration verification, the device verifies the hash checksum of the startup configuration during every reload. Recompute and reconfigure the hash after every intended change to the startup configuration (for example, after copy running-config startup-config); otherwise the stored value no longer matches the file at the next reload.
DellEMC# verified boot hash startup-config 619A8C1B7A2BC9692A221E2151B9DA9E
Configuring the root User Password
For added security, you can change the root user password.
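Computing the value to give to verified boot hash startup-config, and the comparison the device makes at reload, as an added example that is not code from this guide or from Dell EMC Networking OS. The startup configuration text is constructed. The guide's example value is 32 hex digits, which is the size of an MD5 digest, so MD5 is assumed here; confirm the algorithm against the command reference before relying on a locally computed value.

```python
import hashlib
import hmac

# Constructed startup configuration; not taken from the guide.
STARTUP_CONFIG = b"""\
! Version 9.13.0
hostname DellEMC
ip ssh server enable
no ip ssh password-authentication enable
line vty 0 9
 access-class sourcemac
"""


def config_hash(data):
    """Hex digest of the startup-config file. MD5 is an assumption based on the
    32-hex-digit value in the guide's example; uppercase to match that example."""
    return hashlib.md5(data).hexdigest().upper()


def verify_startup_config(data, stored_hash):
    """What the device does at reload: recompute the digest of the file it is
    about to load and compare it, in constant time, with the configured value."""
    return hmac.compare_digest(config_hash(data), stored_hash.strip().upper())


def cli_line(data):
    """The CONFIGURATION line to apply after every intended change to startup-config."""
    return "verified boot hash startup-config " + config_hash(data)


def tampered(data, injected_line):
    """Simulate an attacker appending one line to the stored startup-config."""
    return data + injected_line.rstrip(b"\n") + b"\n"


if __name__ == "__main__":
    print(cli_line(STARTUP_CONFIG))
    evil = tampered(STARTUP_CONFIG, b"username backdoor password 0 letmein")
    print("tampered file verifies:", verify_startup_config(evil, config_hash(STARTUP_CONFIG)))
```

The digest only protects against changes made after the value was configured, so compute it from a copy of startup-config that you have reviewed, and carry the value to the device over a channel other than the one an attacker who could edit the file would control.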
50 Service Provider Bridging Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell Networking OS. VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 127. VLAN Stacking in a Service Provider Network Important Points to Remember • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-stack-enabled VLAN. • Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-stack VLAN.
Configure VLAN Stacking
Configuring VLAN-Stacking is a three-step process.
1 Create access and trunk ports.
2 Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports).
3 Enable VLAN-Stacking for a VLAN.
switchport vlan-stack trunk
no shutdown
Enable VLAN-Stacking for a VLAN
To enable VLAN-Stacking for a VLAN, use the following command.
• Enable VLAN-Stacking for the VLAN.
INTERFACE VLAN mode
vlan-stack compatible
Example of Viewing VLAN Stack Member Status
To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.
NOTE: You can add a trunk port to an 802.1Q VLAN as well as a Stacking VLAN only when the TPID is 0x8100.
2 Add the port to an 802.1Q VLAN as tagged or untagged.
INTERFACE VLAN mode
[tagged | untagged]
Example of Configuring a Trunk Port as a Hybrid Port and Adding it to Stacked VLANs
In the following example, the TenGigabitEthernet 0/1 interface is a trunk port that is configured as a hybrid port and then added to VLAN 100 as untagged, to VLAN 101 as tagged, and to VLAN 103, which is a stacking VLAN.
Dell#debug member port tengigabitethernet 1/47
vlan id : 603 (MT), 100(T), 101(NU)
VLAN Stacking in Multi-Vendor Networks
The first field in the VLAN tag is the tag protocol identifier (TPID), which is 2 bytes. In a VLAN-stacking network, after the frame is double tagged, the outer tag TPID must match the TPID of the next-hop system. While 802.1Q requires that the inner tag TPID is 0x8100, it does not require a specific value for the outer tag TPID. Systems may use any 2-byte value.
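The TPID mismatch described above, reproduced on the wire, as an added example that is not code from this guide or from Dell EMC Networking OS. It builds a double-tagged frame and then parses it as a next-hop system that recognises only a given set of TPIDs would: a tag whose TPID the receiver does not know is not seen as a tag at all, so the frame looks untagged with the outer TPID as its EtherType, which is the failure the guide's TPID-mismatch figures illustrate. The MAC addresses, VLAN IDs and payload are constructed; the TCI fields (PCP, DEI, VID) are decoded so the S-Tag's DEI bit used in the drop-eligibility section is visible too.

```python
import struct

TPID_8100 = 0x8100   # 802.1Q C-Tag TPID, required for the inner tag
TPID_88A8 = 0x88A8   # 802.1ad S-Tag TPID
TPID_9100 = 0x9100   # one of the other 2-byte values systems use for the outer tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_frame(dst, src, tags, ethertype, payload):
    """Ethernet frame with zero or more VLAN tags, outermost first. Each tag is
    (tpid, pcp, dei, vid); the TCI packs PCP:3 bits, DEI:1 bit, VID:12 bits."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for tpid, pcp, dei, vid in tags:
        if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 4095):
            raise ValueError("tag field out of range")
        frame += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame, known_tpids):
    """Decode the frame the way a system that recognises only known_tpids does.
    Returns (tags, ethertype, payload). Parsing stops at the first 2-byte value
    that is not a known TPID; that value becomes the EtherType."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    pos, tags = 12, []
    while pos + 6 <= len(frame):
        tpid = struct.unpack("!H", frame[pos:pos + 2])[0]
        if tpid not in known_tpids:
            break
        tci = struct.unpack("!H", frame[pos + 2:pos + 4])[0]
        tags.append({"tpid": tpid, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0xFFF})
        pos += 4
    ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
    return tags, ethertype, frame[pos + 2:]


def set_outer_tpid(frame, tpid):
    """Rewrite the outer tag's TPID so that it matches the next-hop system."""
    return frame[:12] + struct.pack("!H", tpid) + frame[14:]


if __name__ == "__main__":
    # Provider edge emits outer TPID 0x9100; the next hop knows 0x88A8 and 0x8100.
    f = build_frame("00:01:e8:06:95:ac", "00:01:e8:8a:f0:01",
                    [(TPID_9100, 0, 1, 603), (TPID_8100, 5, 0, 100)],
                    ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    print("next hop sees:", parse_frame(f, {TPID_88A8, TPID_8100})[:2])
    print("after retag:  ", parse_frame(set_outer_tpid(f, TPID_88A8), {TPID_88A8, TPID_8100})[:2])
```

With the mismatched outer TPID the next hop sees no tags and an EtherType of 0x9100, so the frame is switched on the wrong VLAN or dropped as an unknown protocol; after the outer TPID is rewritten to the value the next hop expects, both tags, including the S-Tag's DEI bit, decode correctly.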
Figure 128.
Figure 129.
Figure 130. Single and Double-Tag TPID Mismatch VLAN Stacking Packet Drop Precedence VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested. Enabling Drop Eligibility Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
Table 98. Drop Eligibility Behavior
Ingress       Egress        DEI Disabled                                    DEI Enabled
Normal Port   Normal Port   Retain CFI                                      Set CFI to 0
Trunk Port    Trunk Port    Retain inner tag CFI; retain outer tag CFI      Retain inner tag CFI; set outer tag CFI to 0
Access Port   Trunk Port    Retain inner tag CFI; set outer tag CFI to 0    Retain inner tag CFI; set outer tag CFI to 0
To enable drop eligibility globally, use the following command.
• Make packets eligible for dropping based on their DEI value.
Marking Egress Packets with a DEI Value On egress, you can set the DEI value according to a different mapping than ingress. For ingress information, refer to Honoring the Incoming DEI Value. To mark egress packets, use the following command. • Set the DEI value on egress according to the color currently assigned to the packet.
NOTE: The ability to map incoming C-Tag dot1p to any S-Tag dot1p requires installing up to eight entries in the Layer 2 QoS and Layer 2 ACL table for each configured customer VLAN. The scalability of this feature is limited by the impact of the 1:8 expansion in these content addressable memory (CAM) tables.
• vman-qos-dual-fp: mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p. This method requires twice as many CAM entries as vman-qos and FP blocks in multiples of 2. The default is 0 FP blocks for both vman-qos and vman-qos-dual-fp.
2 The new CAM configuration is stored in NVRAM and takes effect only after a save and reload.
EXEC Privilege mode
copy running-config startup-config
reload
3 Map C-Tag dot1p values to an S-Tag dot1p value.
Figure 132. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
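The rewrite described above, carried through a customer-to-customer path, as an added example that is not code from this guide or from Dell EMC Networking OS. The BPDU, the source addresses and the tunnel address are constructed (the guide's default Dell-unique tunnel address is not shown on this page, so a non-reserved multicast address stands in). The one check worth keeping is that the configured destination must not fall in the IEEE 802.1D reserved range 01:80:C2:00:00:00 through 01:80:C2:00:00:0F, because bridges consume frames sent to those addresses instead of forwarding them, which is exactly why the rewrite is needed.

```python
import struct

BRIDGE_GROUP_ADDRESS = bytes.fromhex("0180c2000000")  # STP/RSTP/MSTP BPDU destination
RESERVED_PREFIX = bytes.fromhex("0180c20000")         # 01:80:C2:00:00:00 .. :0F


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def is_reserved(mac):
    """True for 01:80:C2:00:00:00 through 01:80:C2:00:00:0F, the 802.1D group
    addresses a bridge processes or discards rather than forwards."""
    b = mac_bytes(mac)
    return b[:5] == RESERVED_PREFIX and b[5] <= 0x0F


def config_bpdu(root_mac, bridge_mac, port_id=0x8001):
    """Constructed 35-byte STP Configuration BPDU: protocol id, version, type,
    flags, root id, root path cost, bridge id, port id, four timers (1/256 s)."""
    root_id = struct.pack("!H6s", 32768, mac_bytes(root_mac))
    bridge_id = struct.pack("!H6s", 32768, mac_bytes(bridge_mac))
    return struct.pack("!HBBB8sI8sHHHHH", 0, 0, 0, 0, root_id, 0, bridge_id,
                       port_id, 0, 20 * 256, 2 * 256, 15 * 256)


def bpdu_frame(src_mac, bpdu):
    """802.3 frame carrying a BPDU: Bridge Group Address, length, LLC 42 42 03."""
    llc = b"\x42\x42\x03"
    return (BRIDGE_GROUP_ADDRESS + mac_bytes(src_mac)
            + struct.pack("!H", len(llc) + len(bpdu)) + llc + bpdu)


def core_bridge_forwards(frame):
    """A bridge in the intermediate network does not forward a frame whose
    destination is in the reserved range."""
    return not (frame[:5] == RESERVED_PREFIX and frame[5] <= 0x0F)


def l2pt_ingress(frame, tunnel_mac):
    """Customer-facing side of the provider edge: rewrite the BPDU destination
    to the configured tunnel address so the frame crosses the provider network."""
    if is_reserved(tunnel_mac):
        raise ValueError("tunnel MAC must not be an IEEE reserved group address")
    if frame[:6] == BRIDGE_GROUP_ADDRESS:
        return mac_bytes(tunnel_mac) + frame[6:]
    return frame


def l2pt_egress(frame, tunnel_mac):
    """Far-side provider edge: restore the Bridge Group Address before handing
    the frame back to the customer."""
    if frame[:6] == mac_bytes(tunnel_mac):
        return BRIDGE_GROUP_ADDRESS + frame[6:]
    return frame


if __name__ == "__main__":
    tunnel = "01:01:e8:00:00:01"   # constructed, non-reserved multicast address
    bpdu = bpdu_frame("00:01:e8:06:95:ac", config_bpdu("00:01:e8:06:95:ac", "00:01:e8:06:95:ac"))
    inside = l2pt_ingress(bpdu, tunnel)
    print("core forwards original:", core_bridge_forwards(bpdu))
    print("core forwards tunneled:", core_bridge_forwards(inside))
    print("restored at egress:    ", l2pt_egress(inside, tunnel) == bpdu)
```

Only the destination address changes; the source address, LLC header and BPDU body are untouched, which is what lets the customer's bridges on the far side process the BPDU as if the provider network were a single wire.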
Figure 133. VLAN Stacking with L2PT Implementation Information • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. • No protocol packets are tunneled when you enable VLAN stacking. • L2PT requires the default CAM profile. Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1 Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
show cam-profile
2 Enable protocol tunneling globally on the system.
CONFIGURATION mode
protocol-tunnel enable
3 Tunnel BPDUs on the VLAN.
INTERFACE VLAN mode
protocol-tunnel stp
Specifying a Destination MAC Address for BPDUs
By default, the system uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. Choose an address outside the IEEE reserved range 01:80:C2:00:00:00 through 01:80:C2:00:00:0F, because bridges in the intermediate network do not forward frames sent to those addresses. To specify a destination MAC address for BPDUs, use the following command.
Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command. • Display debugging information for L2PT. EXEC Privilege mode debug protocol-tunnel Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. 802.
51 sFlow sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
To avoid the back-off, either increase the global sampling rate or configure all the line card ports with the desired sampling rate even if some ports have no sFlow configured. Important Points to Remember • The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset. • Dell Networking recommends the sFlow Collector be connected to the Dell Networking chassis through a line card port rather than the management Ethernet port. • Only egress sampling is supported.
Displaying Show sFlow Global
To view sFlow statistics, use the following command.
• Display sFlow configuration information and statistics.
EXEC mode
show sflow
Example of Viewing sFlow Configuration (Global)
The first bold line indicates sFlow is globally enabled. The second set of bold lines indicates sFlow is enabled on interfaces Te 1/16 and Te 1/17.
Displaying Show sFlow on a Line Card To view sFlow statistics on a specified line card, use the following command. • Display sFlow configuration information and statistics on the specified interface.
Back-Off Mechanism
If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism is triggered, which doubles the sampling rate (halves the number of samples per second) for all interfaces. The back-off mechanism continues to double the sampling rate until the CPU condition is cleared. This is as per the sFlow version 5 draft. Because the back-off applies to every interface, a sustained traffic surge, including a flood aimed at the switch, reduces sFlow visibility for as long as it lasts; check the sampling rate with show sflow when investigating such an event.
Global extended information enabled: none
0 collectors configured
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected
0 sFlow samples dropped due to sub-sampling
Important Points to Remember
• If the IP source address is learned via IGP, srcAS and srcPeerAS are zero.
• The srcAS and srcPeerAS might be zero even though the IP source address is learned via BGP.
52 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
Protocol Overview Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB). MIBs are hierarchically structured and use object identifiers to address managed objects, but managed objects also have a textual name called an object descriptor.
• User ACLs override group ACLs.
Set up SNMP
The Dell Networking OS supports SNMP version 1 and version 2, which are community-based security models. The primary difference between the two versions is that version 2 supports two additional protocol operations (the inform operation and the GetBulk query) and one additional object (the Counter64 object). In both versions the community string is the only credential and it travels in cleartext, so anyone who can read the management traffic can reuse it. SNMP version 3 (SNMPv3) is a user-based security model that provides password authentication for user security and encryption for data security and privacy.
snmp-server user name group-name 3 noauth
• Configure an SNMP group with view privileges only (no password or privacy privileges).
CONFIGURATION mode
snmp-server group group-name 3 noauth auth read name write name
• Configure an SNMPv3 view.
CONFIGURATION mode
snmp-server view view-name oid-tree {included | excluded}
NOTE: To give a user read and write view privileges, repeat this step for each privilege type.
• Configure the user with an authorization password (password privileges only).
• Read the value of the managed object directly below the specified object.
snmpgetnext -v version -c community agent-ip {identifier.instance | descriptor.instance}
• Read the value of many objects at once.
snmpwalk -v version -c community agent-ip {identifier.instance | descriptor.instance}
Examples of Reading Managed Object Values
In the following example, the value "4" displays in the OID before the IP address for IPv4 (it is the address length). For an IPv6 address, a value of "16" displays.
snmp-server contact text You may use up to 55 characters. • The default is None. (From a Dell Networking system) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1). CONFIGURATION mode snmp-server location text You may use up to 55 characters. • The default is None. (From a management station) Identify the system manager along with this person’s contact information (for example, an email address or phone number).
• rp — Enter the keyword rp to configure the CPU utilization time for the Route Processor CPU • lp — Enter the keyword lp to configure the line processor CPU utilization time. The range of switch slot IDs is from 0 to 2. • pe — Configure the CPU utilization time of all PEs that are configured in the system. • all — Enter the keyword all to configure the CPU utilization time on all switch CPUs: Control Processor, Route Processor, PE, and line cards.
Use the util-threshold memory command to configure the high or low memory utilization threshold for SNMP traps. Use the show util-threshold memory to display the configured values of memory utilization thresholds. Parameters • cp — Enter the keyword cp to configure the memory utilization threshold for the Control Processor CPU.
Subscribing to Managed Object Value Updates using SNMP
By default, the system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system. The following sets of traps are supported:
• RFC 1157-defined traps: coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighborLoss.
• Enable a subset of SNMP traps. snmp-server enable traps NOTE: The envmon option enables all environment traps including those traps that are enabled with the envmon supply, envmon temperature, and envmon fan options. The following traps are available.
FAN_TRAY_BAD: Major alarm: fantray %d is missing or down
FAN_TRAY_OK: Major alarm cleared: fan tray %d present
FAN_BAD: Minor alarm: some fans in fan tray %d are down
FAN_OK: Minor alarm cleared: all fans in fan tray %d are good
vlt  Enable VLT traps.
vrrp  Enable VRRP state change traps.
xstp
%SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority 32768, Address 0001.e801.fc35.
%SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port TenGigabitEthernet 11/38 transitioned from Forwarding to Blocking state.
alarm from SNMP OID
Copy config traps
FILEMGR_COPY_CONFIG_TRAP: Copy-config from running-config to startup-config succeeded
RMON traps
%SYSTEM-P:CP %SNMP-4-RMON_RISING_THRESHOLD: RMON rising threshold alarm from SNMP OID
%SYSTEM-P:CP %SNMP-4-RMON_FALLING_THRESHOLD: RMON falling threshold alarm from SNMP OID
%SYSTEM-P:CP %SNMP-4-RMON_HC_RISING_THRESHOLD: RMON high-capacity rising threshold alarm from SNMP OID
Enabling an SNMP Agent to Notify Syslog Server Failure
You can configure a network device to s
Following is the sample audit log message that other syslog servers that are reachable receive: Oct 21 05:26:04: dv-fedgov-s4810-6: %EVL-6-REACHABLE:Syslog server 10.11.226.121 (port: 9140) is reachable Copy Configuration Files Using SNMP To do the following, use SNMP from a remote client.
MIB Object  OID  Object Values  Description
copyDestFileLocation and copyDestFileName.
copyDestFileLocation  .1.3.6.1.4.1.6027.3.5.1.1.1.1.6  1 = flash, 2 = slot0, 3 = tftp, 4 = ftp, 5 = scp  Specifies the location of the destination file. If copyDestFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword.
copyDestFileName  .1.3.6.1.4.1.6027.3.5.1.1.1.1.7  Path (if the file is not in the default directory) and filename.  Specifies the name of the destination file.
• To complete the command, use as many MIB objects in the command as required by the MIB object descriptions shown in the previous table.
NOTE: You can use the entire OID rather than the object name. Use the form: OID.index i object-value.
The following snmpset options are relevant:
• -c: the community string, for example public or private. A community with write access to these objects can rewrite the startup configuration or copy it off the device, so treat it as a credential.
• -m: the MIB file(s) to load, so that object names can be used instead of OIDs.
• -r: the number of retries.
• -t: the timeout.
Examples of Copying Configuration Files from a UNIX Machine
The following example shows copying configuration files from a UNIX machine using the object name.
> snmpset -c public -v 2c -m ./f10-copy-config.mib 10.11.131.162 copySrcFileType.7 i 3 copyDestFileType.7 i 2
FTOS-COPY-CONFIG-MIB::copySrcFileType.7 = INTEGER: runningConfig(3)
FTOS-COPY-CONFIG-MIB::copyDestFileType.7 = INTEGER: startupConfig(2)
The following example shows copying configuration files from a UNIX machine using the OID.
Copy a Binary File to the Startup-Configuration To copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP, use the following command. • Copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.index i 4 copySrcFileName.index s filepath/ filename copyDestFileType.index i 3 copyServerAddress.
MIB Object  OID  Values  Description
copy. The state is set to active when the copy is completed.
Obtaining a Value for MIB Objects
To obtain a value for any of the MIB objects, use the following command.
• Get a copy-config MIB object value.
snmpget -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address [OID.index | mibobject.index]
index: the index value used in the snmpset command that completed the copy operation.
NOTE: You can use the entire OID rather than the object name.
Viewing the Reason for Last System Reboot Using SNMP • To view the reason for last system reboot using SNMP, you can use any one of the applicable SNMP commands: The following example shows a sample output of the snmpwalk command to view the last reset reason. [apoosappan@login-maa-06 ~]$ snmpwalk -c public -v 2c 10.16.130.49 1.3.6.1.4.1.6027.3.26.1.4.3.1.7 DELL-NETWORKING-CHASSIS-MIB::dellNetProcessorResetReason.supervisor.1.
MIB Object  OID  Description
dellNetFlashPartitionMountPoint  1.3.6.1.4.1.6027.3.26.1.4.8.1.6  Symbolic or alias name for the partition.
Viewing the Available Partitions on Flash
• To view the available partitions on flash using SNMP, use the following command:
snmpwalk -v 2c -c public -On 10.16.150.97 1.3.6.1.4.1.6027.3.26.1.4.8
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.1 = STRING: "tmpfs"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.2 = STRING: "/dev/wd0i"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.3 = STRING: "mfs:477"
.1.3.6.1.
MIB Support to Display Egress Queue Statistics
Dell Networking OS provides MIB objects to display the information of the packets transmitted or dropped per unicast or multicast egress queue. The following table lists the related MIB objects:
Table 105. MIB Objects to display egress queue statistics
MIB Object  OID  Description
dellNetFpEgrQTxPacketsRate  1.3.6.1.4.1.6027.3.27.1.20.1.6  Rate of packets transmitted per unicast/multicast egress queue.
dellNetFpEgrQTxBytesRate  1.3.6.1.4.1.6027.3.27.1.20.1.
INTEGER: 1275078656
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.30.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.70.70.70.0.24.0.0.0.0 = INTEGER: 2097157
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.70.70.70.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.70.70.70.2.32.1.4.70.70.70.2.1.4.70.70.70.2 = INTEGER: 2097157
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.80.80.80.0.24.1.4.10.1.1.1.1.4.10.1.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.0.24.0.0.0.0 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.1.32.1.4.30.1.1.1.1.4.30.1.1.1 = STRING: "Po 20"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.70.70.70.0.24.0.0.0.0 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.70.70.70.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.
MIB Support for entAliasMappingTable Dell Networking provides a method to map the physical interface to its corresponding ifindex value. The entAliasMappingTable table contains zero or more rows, representing the logical entity mapping and physical component to external MIB identifiers. The following table lists the related MIB objects: Table 107. MIB Objects for entAliasMappingTable MIB Object OID Description entAliasMappingTable 1.3.6.1.2.1.47.1.3.2 Contains information about entAliasMapping table.
SNMP Walk Example Output
snmpwalk -v 2c -c public 10.16.151.246 1.3.6.1.4.1.6027.3.27.1.3 | grep 2107012
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.1.2107012 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.2.2107012 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.3.2107012 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.4.2107012 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.5.2107012 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.6.
MIB Object  OID  Description
dot3adAggMACAddress  1.2.840.10006.300.43.1.1.1.1.1  Contains a six-octet read-only value carrying the individual MAC address assigned to the Aggregator.
dot3adAggActorSystemPriority  1.2.840.10006.300.43.1.1.1.1.2  Contains a two-octet read-write value indicating the priority value associated with the Actor's system ID.
dot3adAggActorSystemID  1.2.840.10006.300.43.1.1.1.1.
snmpbulkget -v 2c -c LagMIB 10.16.148.157 1.2.840.10006.300.43.1.1.1.1.1
iso.2.840.10006.300.43.1.1.1.1.1.1258356224
iso.2.840.10006.300.43.1.1.1.1.1.1258356736
iso.2.840.10006.300.43.1.1.1.1.2.1258356224
iso.2.840.10006.300.43.1.1.1.1.2.1258356736
iso.2.840.10006.300.43.1.1.1.1.3.1258356224
iso.2.840.10006.300.43.1.1.1.1.3.1258356736
iso.2.840.10006.300.43.1.1.1.1.4.1258356224
iso.2.840.10006.300.43.1.1.1.1.4.1258356736
iso.2.840.10006.300.43.1.1.1.1.5.1258356224
iso.2.840.10006.300.43.1.1.1.1.5.
iso.0.8802.1.1.2.1.4.3.1.2.0.3161092.6.9 = STRING: "Dell"
iso.0.8802.1.1.2.1.4.3.1.2.0.3161092.6.10 = STRING: "Dell"
iso.0.8802.1.1.2.1.4.3.1.2.0.4209668.6.9 = STRING: "Dell"
iso.0.8802.1.1.2.1.4.3.1.2.0.4209668.6.10 = STRING: "Dell"
snmpget -v2c -c public 10.16.150.83 1.0.8802.1.1.2.1.4.3.1.2.0.4209668.6.9
iso.0.8802.1.1.2.1.4.3.1.2.0.4209668.6.
snmpget -v2c -c public 10.16.150.102 1.0.8802.1.1.2.1.4.4.1.4.0.1048580.2.0.1.232.16.1
iso.0.8802.1.1.2.1.4.4.1.4.0.1048580.2.0.1.232.16.1 = STRING: "A"
Manage VLANs using SNMP
The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allow you to use SNMP to manage VLANs.
Creating a VLAN
To create a VLAN, use the dot1qVlanStaticRowStatus object.
NOTE: Whether adding a tagged or untagged port, specify values for both dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts. In the following example, Port 0/2 is added as an untagged member of VLAN 10. Example of Adding an Untagged Port to a VLAN using SNMP >snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.
To set the time to wait until BGP sessions are up, set 1.3.6.1.4.1.6027.3.18.1.3 and 1.3.6.1.4.1.6027.3.18.1.6.
Enabling and Disabling a Port using SNMP
To enable and disable a port using SNMP, use the following commands.
1 Create an SNMP community on the Dell system.
CONFIGURATION mode
snmp-server community
2 From the Dell Networking system, identify the interface index of the port for which you want to change the admin status.
Each object is composed of an OID concatenated with an instance number. In the case of these objects, the instance number is the decimal equivalent of the MAC address; derive the instance number by converting each hex pair to its decimal equivalent. For example, the decimal equivalent of E8 is 232, so the instance number for MAC address 00:01:e8:06:95:ac is 0.1.232.6.149.172. The value of dot1dTpFdbPort is the number of the port on which the system learned the MAC address.
Figure 134. Example of Assigning Interface Index Numbers
Starting from the least significant bit (LSB) in the preceding figure:
• The first 14 bits represent the card type of a physical interface or the interface number of a logical interface.
• The next 4 bits represent the interface type.
• The next 12 bits represent the slot and port numbers.
• The next bit is 0 for a physical interface and 1 for a logical interface.
• The last bit is unused.
Example of Deriving the Interface Index Number
If you know the interface index, use the following commands to find the interface name.
DellEMC ~ $ snmpwalk -v 2c -c public 10.16.206.127 .1.3.6.1.2.1.2.2.1.2 | grep 2097156
IF-MIB::ifDescr.2097156 = STRING: TenGigabitEthernet 1/1
DellEMC ~ $ snmpwalk -v 2c -c public 10.16.206.127 .1.3.6.1.2.1.31.1.1.1.1 | grep 2097156
IF-MIB::ifName.2097156 = STRING: TenGigabitEthernet 1/1
You can use the show interfaces command to view the interface index.
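The two conversions explained above, the MAC-address instance suffix of dot1dTpFdbPort and the bit layout of an interface index, plus a parser for the net-snmp output lines used throughout this chapter, as an added example that is not code from this guide or from Dell EMC Networking OS. The dot1dTpFdbPort OID is the BRIDGE-MIB (RFC 4188) column; the FDB_WALK text is constructed in both the named and numeric output forms. The ifIndex decoder applies the layout exactly as the guide states it; how the 12 slot-and-port bits split between slot and port is not stated, so they are returned as one field.

```python
import re

# One net-snmp output line: '<object>.<instance> = <TYPE>: <value>'.
WALK_LINE = re.compile(
    r"^(?P<name>[^\s=]+?)\.(?P<inst>\d[\d.]*)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s*(?P<val>.*)$")

# BRIDGE-MIB (RFC 4188): dot1dTpFdbEntry column dot1dTpFdbPort.
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"

# Constructed walk output of dot1dTpFdbPort, in named and numeric forms.
FDB_WALK = """\
BRIDGE-MIB::dot1dTpFdbPort.0.1.232.6.149.172 = INTEGER: 9
BRIDGE-MIB::dot1dTpFdbPort.0.1.232.139.2.17 = INTEGER: 12
SNMPv2-SMI::mib-2.17.4.3.1.2.0.80.86.170.187.204 = INTEGER: 9
"""


def parse_walk_line(line):
    """Split a walk line into (object name, instance, type, value)."""
    m = WALK_LINE.match(line.strip())
    if not m:
        raise ValueError("not a walk line: " + line)
    return (m.group("name"), m.group("inst"), m.group("type"),
            m.group("val").strip().strip('"'))


def mac_to_instance(mac):
    """'00:01:e8:06:95:ac' -> '0.1.232.6.149.172': each octet in decimal."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    return ".".join(str(int(o, 16)) for o in octets)


def instance_to_mac(instance):
    """The reverse conversion, validating that every component is an octet."""
    parts = [int(p) for p in instance.split(".")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("instance is not a MAC address")
    return ":".join(f"{p:02x}" for p in parts)


def fdb_port_oid(mac):
    """Full OID to snmpget the bridge port a MAC address was learned on."""
    return DOT1D_TP_FDB_PORT + "." + mac_to_instance(mac)


def fdb_table(walk_text):
    """dot1dTpFdbPort walk -> {mac: bridge port}, accepting both output forms."""
    table = {}
    for line in walk_text.splitlines():
        name, inst, _type, val = parse_walk_line(line)
        parts = inst.split(".")
        if name.endswith("dot1dTpFdbPort"):
            mac_parts = parts
        elif name.endswith("mib-2") and parts[:5] == ["17", "4", "3", "1", "2"]:
            mac_parts = parts[5:]
        else:
            continue
        table[instance_to_mac(".".join(mac_parts))] = int(val)
    return table


def decode_ifindex(ifindex):
    """Split a 32-bit ifIndex into the fields the guide describes, LSB first:
    14 bits card type (physical) or interface number (logical), 4 bits
    interface type, 12 bits slot and port, 1 bit logical flag, 1 bit unused."""
    if not 0 <= ifindex < 2 ** 32:
        raise ValueError("ifIndex must be a 32-bit value")
    return {
        "card_or_ifnum": ifindex & 0x3FFF,
        "if_type": (ifindex >> 14) & 0xF,
        "slot_port": (ifindex >> 18) & 0xFFF,
        "logical": (ifindex >> 30) & 1,
    }


if __name__ == "__main__":
    print(fdb_port_oid("00:01:e8:06:95:ac"))
    print(fdb_table(FDB_WALK))
    print(decode_ifindex(2097156), decode_ifindex(1258356224)["logical"])
```

Feed the output of the snmpwalk shown above into fdb_table to get a MAC-to-port map for comparison against a known-good baseline; a MAC that moves to a different port between two walks is the kind of change worth alerting on. The logical-flag bit of the LAG instances in the earlier LAG MIB example (1258356224) decodes as 1, consistent with a port-channel being a logical interface.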
• neighbor 30.1.1.1 no shutdown
• exit-address-family
To map the context to a VRF instance for SNMPv3, follow these steps:
1 Create a community and map a VRF to it.
2 Create a context and map the context and community to a community map.
SNMPv2-SMI::enterprises.6027.20.1.2.3.3.1.1.0.1.30.1.1.2.1.30.1.1.1 = Gauge32: 90
SNMPv2-SMI::enterprises.6027.20.1.2.3.3.1.2.0.1.30.1.1.2.1.30.1.1.1 = Gauge32: 30
Example of SNMP Walk Output for BGP timer (SNMPv3)
This example uses MD5 authentication with no privacy (authNoPriv), so the data is readable on the wire; use a SHA-based authentication protocol and the authPriv level where the management station supports them.
snmpwalk -v 3 -a md5 -A helloworld -l authNoPriv -n cx1 -u admin 10.16.143.179 1.3.6.1.4.1.6027.20.1.3.6.1.4
SNMPv2-SMI::enterprises.6027.20.1.3.6.1.4.2963474636.0.1 = Gauge32: 200
SNMPv2-SMI::enterprises.6027.20.1.3.6.1.4.2963475124.0.
SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500932) 23:36:49.32
SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp
IF-MIB::ifIndex.33865785 = INTEGER: 33865785
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Te 0/0"
2010-02-10 14:22:40 10.16.130.4 [10.16.130.4]:
SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500934) 23:36:49.34
SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp
IF-MIB::ifIndex.1107755009 = INTEGER: 1107755009
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.
53 Storm Control
Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell Networking Operating System (OS) Behavior: Dell Networking OS supports unknown-unicast, multicast, and broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic.
To view the storm control configuration, use the show storm-control broadcast | multicast | unknown-unicast | pfc-llfc [interface] command.
• Configure the packets per second of broadcast traffic allowed on an interface (ingress only).
INTERFACE mode
storm-control broadcast packets_per_second in
• Configure the packets per second of multicast traffic allowed on a C-Series or S-Series interface (ingress only, network only).
INTERFACE mode
storm-control multicast packets_per_second in
• Shut down the port if it receives PFC/LLFC packets at more than the configured rate.
54 Spanning Tree Protocol (STP)
The spanning tree protocol (STP) is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network.
• Enabling Spanning Tree Protocol Globally
Related Configuration Tasks
• Adding an Interface to the Spanning Tree Group
• Modifying Global Parameters
• Modifying Interface STP Parameters
• Enabling PortFast
• Prevent Network Disruptions with BPDU Guard
• STP Root Guard
• Enabling SNMP Traps for Root Elections and Topology Changes
Important Points to Remember
• STP is disabled by default.
• The Dell Networking OS supports only one spanning tree instance (0).
Configuring Interfaces for Layer 2 Mode
All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled.
Figure 136. Example of Configuring Interfaces for Layer 2 Mode
To configure and enable the interfaces for Layer 2, use the following commands.
1 If the interface has been assigned an IP address, remove it.
INTERFACE mode
no ip address
2 Place the interface in Layer 2 mode.
INTERFACE mode
switchport
3 Enable the interface.
Example of the show config Command
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
Dell(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 no ip address
 switchport
 no shutdown
Dell(conf-if-te-1/1)#
Enabling Spanning Tree Protocol Globally
Enable the spanning tree protocol globally; it is not enabled by default.
no disable
Examples of Verifying and Viewing Spanning Tree
To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode.
To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Adding an Interface to the Spanning Tree Group
To add a Layer 2 interface to the spanning tree topology, use the following command.
• Enable spanning tree on a Layer 2 interface.
INTERFACE mode
spanning-tree 0
To remove a Layer 2 interface from the spanning tree topology, enter the no spanning-tree 0 command.
Modifying Global Parameters
You can modify the spanning tree parameters.
The default is 2 seconds.
• Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology).
PROTOCOL SPANNING TREE mode
max-age seconds
The range is from 6 to 40. The default is 20 seconds.
To view the current values for global parameters, use the show spanning-tree 0 command from EXEC Privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally.
To enable PortFast on an interface, use the following command.
• Enable PortFast on an interface.
INTERFACE mode
spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]]
Example of Verifying PortFast is Enabled on an Interface
To verify that PortFast is enabled on a port, use the show spanning-tree command from EXEC Privilege mode or the show config command from INTERFACE mode. Dell Networking recommends using the show config command.
Figure 138. Enabling BPDU Guard
Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features.
BPDU guard:
• is used on edge ports and blocks all traffic on the edge port if it receives a BPDU.
• drops the BPDU after it reaches the Route Processor and generates a console message.
Dell(conf-if-te-0/7)#do show ip int br te 0/7
Interface                IP-Address   OK   Method  Status  Protocol
TenGigabitEthernet 0/7   unassigned   YES  Manual  up      up
Selecting STP Root
The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root.
To change the bridge priority or specify that a bridge is the root or secondary root, use the following command.
the port on Switch C transitions from a forwarding to a root-inconsistent state (shown by the green X icon). As a result, Switch A becomes the root bridge.
Figure 139. STP Root Guard Prevents Bridging Loops
Configuring Root Guard
Enable STP root guard on a per-port or per-port-channel basis.
Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard:
• Root guard is supported on any STP-enabled port or port-channel interface.
spanning-tree {0 | mstp | rstp | pvst} rootguard
– 0: enables root guard on an STP-enabled port assigned to instance 0.
– mstp: enables root guard on an MSTP-enabled port.
– rstp: enables root guard on an RSTP-enabled port.
– pvst: enables root guard on a PVST-enabled port.
To disable STP root guard on a port or port-channel interface, use the no spanning-tree 0 rootguard command in an interface configuration mode.
Figure 140. STP Loop Guard Prevents Forwarding Loops
Configuring Loop Guard
Enable STP loop guard on a per-port or per-port-channel basis. The following conditions apply to a port enabled with loop guard:
• Loop guard is supported on any STP-enabled port or port-channel interface.
• Enabling Portfast BPDU guard and loop guard at the same time on a port results in a port that remains in a blocking state and prevents traffic from flowing through it. For example, when Portfast BPDU guard and loop guard are both configured:
– If a BPDU is received from a remote device, BPDU guard places the port in an Err-Disabled Blocking state and no traffic is forwarded on the port.
55 SupportAssist
SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell Networking device. For more information on SmartScripts, see the Dell Networking Open Automation Guide.
Figure 141.
• Configuring SupportAssist Company
• Configuring SupportAssist Person
• Configuring SupportAssist Server
• Viewing SupportAssist Configuration
Configuring SupportAssist Using a Configuration Wizard
You are guided through a series of queries to configure SupportAssist. The generated commands are added to the running configuration, including the DNS resolve commands, if configured. This command starts the configuration wizard for SupportAssist. At any time, you can exit by entering Ctrl-C.
services from Dell. You further agree to allow Dell to transmit and store the Collected Data from SupportAssist in accordance with these terms. You agree that the provision of SupportAssist may involve international transfers of data from you to Dell and/or to Dell's affiliates, subcontractors or business partners. When making such transfers, Dell shall ensure appropriate protection is in place to safeguard the Collected Data being transferred in connection with SupportAssist.
enable all
Dell(conf)#support-assist
Dell(conf-supportassist)#enable all
7 Trigger an activity event immediately.
EXEC Privilege mode
support-assist activity {full-transfer | core-transfer} start now
Dell#support-assist activity full-transfer start now
Dell#support-assist activity core-transfer start now
Configuring SupportAssist Activity
SupportAssist Activity mode allows you to configure and view the action-manifest file for a specific activity.
action-manifest show {all}
Dell(conf-supportassist-act-full-transfer)#action-manifest show all
custom_file1.json
Dell(conf-supportassist-act-full-transfer)#
Dell(conf-supportassist-act-event-transfer)#action-manifest show all
custom_event_file1.json [installed]
Dell(conf-supportassist-act-event-transfer)#
5 Remove the action-manifest file for an activity.
SUPPORTASSIST ACTIVITY mode
action-manifest remove
Dell(conf-supportassist-act-full-transfer)#action-manifest remove custom_file1.
[no] street-address {address1} [address2] … [address8]
Dell(conf-supportassist-cmpy-test)#street-address 123 Main Street
Dell(conf-supportassist-cmpy-test)#
4 Configure the territory and set the coverage for the company site.
Configuring SupportAssist Server
SupportAssist Server mode allows you to configure the server name and the means of reaching the server. By default, a SupportAssist server URL has been configured on the device. Configuring a URL to reach the SupportAssist remote server should be done only under the direction of Dell Support.
To configure the SupportAssist server, use the following commands.
1 Configure the name of the remote SupportAssist Server and move to SupportAssist Server mode.
Service status: Enabled
Activity         State     Last Start                  Last Success
---------------  --------  --------------------------  --------------------------
core-transfer    Success   Feb 15 2016 09:43:41 IST    Feb 15 2016 09:43:56 IST
event-transfer   Success   Feb 15 2016 09:47:43 IST    Feb 15 2016 09:48:21 IST
full-transfer    Success   Feb 15 2016 09:36:12 IST    Feb 15 2016 09:38:27 IST
Dell#
2 Display the current configuration and changes from the default values.
enable the performance of all of the various functions of SupportAssist during your entitlement to receive related repair services from Dell. You further agree to allow Dell to transmit and store the Collected Data from SupportAssist in accordance with these terms. You agree that the provision of SupportAssist may involve international transfers of data from you to Dell and/or to Dell's affiliates, subcontractors or business partners.
56 System Time and Date
System time and date settings are user-configurable and maintained through the network time protocol (NTP). System times and dates are also set in hardware settings using the Dell Networking OS CLI.
Topics:
• Network Time Protocol
• Time and Date
Network Time Protocol
The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients. The protocol also coordinates time distribution in a large, diverse network with various interfaces.
serve as a client to the NTP host. As soon as a host-client relationship is established, the networking device propagates the time information throughout its local network.
Protocol Overview
The NTP client sends messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately.
Enabling NTP
NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes. To specify multiple servers, enter the command multiple times. You may specify an unlimited number of servers at the expense of CPU resources.
• Specify the NTP server to which the Dell Networking system synchronizes.
To view whether NTP is configured on the interface, use the show config command in INTERFACE mode. If ntp disable is not listed in the show config command output, NTP is enabled. (The show config command displays only non-default configuration information.)
Configuring a Source IP Address for NTP Packets
By default, the source address of NTP packets is the IP address of the interface used to reach the network. You can configure one interface's IP address to be included in all NTP packets.
• key: enter a text string. This text string is encrypted.
3 Define a trusted key.
CONFIGURATION mode
ntp trusted-key number
Configure a number from 1 to 4294967295. The number must be the same as the number used in the ntp authentication-key command.
4 Configure an NTP server.
version: NTP version 3
leap
NOTE:
• Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
• Setting Recurring Daylight Saving Time
Setting the Time and Date for the Switch Software Clock
You can change the order of the month and day parameters to enter the time and date as time day month year. You cannot delete the software clock. The software clock runs only when the software is up. The clock restarts, based on the hardware clock, when the switch reboots.
To set the software clock, use the following command.
• Set the system software clock to the current time and date.
Set Daylight Saving Time
The system supports setting the system to daylight saving time once or on a recurring basis every year.
Setting Daylight Saving Time Once
Set a date (and time zone) on which to convert the switch to daylight saving time on a one-time basis.
To set the clock for daylight saving time once, use the following command.
• Set the clock to the appropriate timezone and daylight saving time.
– time-zone: Enter the three-letter name for the time zone. This name displays in the show clock output.
– start-week: (OPTIONAL) Enter one of the following as the week that daylight saving begins and then enter values for start-day through end-time:
◦ week-number: Enter a number from 1 to 4 as the number of the week in the month to start daylight saving time.
◦ first: Enter the keyword first to start daylight saving time in the first week of the month.
Configuring a Custom-defined Period for NTP Time Synchronization
You can configure the system to send an audit log message to a syslog server if the time difference from the NTP server is greater than a threshold value (offset-threshold). Time synchronization still occurs regardless of the threshold.
To configure the offset-threshold, follow this procedure.
• Specify the offset threshold: if the system time deviates from the NTP server by more than this interval, the system generates an NTP audit log message.
57 Tunneling
Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported.
interface Tunnel 2
 no ip address
 ipv6 address 2::1/64
 tunnel destination 90.1.1.1
 tunnel source 60.1.1.1
 tunnel mode ipv6ip
 no shutdown
The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic):
Dell(conf)#interface tunnel 3
Dell(conf-if-tu-3)#tunnel source 5::5
Dell(conf-if-tu-3)#tunnel destination 8::9
Dell(conf-if-tu-3)#tunnel mode ipv6
Dell(conf-if-tu-3)#ip address 3.1.1.
Configuring Tunnel allow-remote Decapsulation
You can configure an IPv4 or IPv6 address or prefix whose tunneled packets will be accepted for decapsulation.
• If no allow-remote entries are configured, then tunneled packets from any remote peer address will be accepted.
• Up to eight allow-remote entries can be configured on any particular multipoint receive-only tunnel.
The following sample configuration shows how to configure a tunnel allow-remote address.
Guidelines for Configuring Multipoint Receive-Only Tunnels
• You can configure up to eight remote end-points for a multipoint receive-only tunnel. The maximum number of remote end-points supported for all multipoint receive-only tunnels on the switch depends on the hardware table size available to set up termination.
• The IP MTU configured on the physical interface determines how multiple nested encapsulated packets are handled in a multipoint receive-only tunnel.
58 Upgrade Procedures
For detailed upgrade procedures, refer to the Dell Networking OS Release Notes for your switch. The release notes describe the requirements and steps to follow to upgrade to a desired OS version.
Upgrade Overview
To upgrade system software on the switch, follow these general steps:
1 Identify the boot and system images currently stored on the switch (Control Processor, Route Processor, and line-card CPUs) using the show boot system all command.
59 Uplink Failure Detection (UFD)
Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link.
Feature Description
A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 143. Uplink Failure Detection
How Uplink Failure Detection Works
UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 144. Uplink Failure Detection Example
If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number; it is calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with a UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
To revert to the default setting, use the no downstream disable links command.
4 (Optional) Enable auto-recovery so that UFD-disabled downstream ports in the uplink-state group come up when a disabled upstream port in the group comes back up.
UPLINK-STATE-GROUP mode
downstream auto-recover
By default, auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command.
5 (Optional) Enter a text description of the uplink-state group.
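The following is an added example, not code from the Dell guide: a small model of an uplink-state group that applies the UFD rules given above. When an upstream interface goes down, a configured number of downstream ports (or all of them) are taken operationally down, lowest-numbered port first; with auto-recovery on, they return when an upstream port comes back. Two points are assumptions rather than statements on the page: with "disable links" set to N, each upstream port that is down takes N further downstream ports with it, and with no limit configured all downstream ports go down. The interface names follow the guide's own UFD example for group 3; the class, its methods and the log wording are this example's own.

```python
"""Model of a UFD uplink-state group (added example, not Dell OS code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

_PORT_RE = re.compile(r"(\d+)/(\d+)$")


def port_key(name: str) -> tuple:
    """Sort key so that '0/2' orders before '0/10' (lowest-numbered port first)."""
    m = _PORT_RE.search(name)
    if m is None:
        raise ValueError(f"unrecognised interface name {name!r}")
    return int(m.group(1)), int(m.group(2))


@dataclass
class UplinkStateGroup:
    group_id: int
    upstream: list
    downstream: list
    disable_links: Optional[int] = None   # None = disable all downstream ports (assumption)
    auto_recover: bool = True             # enabled by default, per the guide
    link_up: set = field(default_factory=set)       # interfaces whose link is up
    ufd_disabled: set = field(default_factory=set)  # downstream ports UFD holds down

    def __post_init__(self):
        if not self.upstream or not self.downstream:
            raise ValueError("an uplink-state group needs upstream and downstream ports")
        self.downstream = sorted(self.downstream, key=port_key)
        self.link_up = set(self.upstream) | set(self.downstream)  # everything up at start

    def _apply(self) -> list:
        """Recompute the UFD-disabled set from upstream state; return log lines."""
        upstream_down = [p for p in self.upstream if p not in self.link_up]
        if not upstream_down:
            target = set()
        elif self.disable_links is None or len(upstream_down) == len(self.upstream):
            target = set(self.downstream)            # no limit, or no uplink left
        else:
            n = self.disable_links * len(upstream_down)   # N per down uplink (assumption)
            target = set(self.downstream[:n])             # lowest-numbered first
        log = [f"OSTATE_DN: {p} (UFD Disabled, group {self.group_id})"
               for p in sorted(target - self.ufd_disabled, key=port_key)]
        if self.auto_recover:
            log += [f"OSTATE_UP: {p} (UFD auto-recover, group {self.group_id})"
                    for p in sorted(self.ufd_disabled - target, key=port_key)]
            self.ufd_disabled = target
        else:
            self.ufd_disabled |= target      # stays down until an operator clears it
        return log

    def set_link(self, iface: str, up: bool) -> list:
        """Report a link-state change on any interface in the group."""
        if iface not in self.upstream and iface not in self.downstream:
            raise ValueError(f"{iface} is not in group {self.group_id}")
        (self.link_up.add if up else self.link_up.discard)(iface)
        return self._apply()

    def status(self) -> str:
        up = any(p in self.link_up for p in self.upstream)
        return f"Uplink State Group: {self.group_id} Status: Enabled, {'Up' if up else 'Down'}"


def demo_scenario() -> list:
    """Run the guide's group 3 layout through the model; return per-step state."""
    g = UplinkStateGroup(3, ["TenGigabitEthernet 0/3", "TenGigabitEthernet 0/4"],
                         [f"TenGigabitEthernet 0/{n}" for n in (1, 2, 5, 9, 11, 12)],
                         disable_links=2)
    steps = []
    for iface, up in [("TenGigabitEthernet 0/3", False), ("TenGigabitEthernet 0/4", False),
                      ("TenGigabitEthernet 0/4", True), ("TenGigabitEthernet 0/3", True)]:
        log = g.set_link(iface, up)
        steps.append((len(log), sorted(g.ufd_disabled, key=port_key), g.status()))
    return steps


if __name__ == "__main__":
    for n_log, disabled, status in demo_scenario():
        print(f"{n_log} log lines; disabled={disabled}; {status}")
```

Walking the scenario: losing Te 0/3 alone disables the two lowest downstream ports (0/1 and 0/2), losing Te 0/4 as well disables all six, and restoring one uplink brings four of them back while the remaining two stay down until the second uplink also returns. Setting auto_recover=False reproduces the behaviour the guide describes for no downstream auto-recover: disabled ports stay down until someone intervenes.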
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/4
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/8
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/12
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN:
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN:
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN:
02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN:
02:37:29: %SYSTEM-P:CP %IFMGR-5-ASTATE_DN:
02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN:
02:37:29 : UFD: Group:3, UplinkState: DOWN
02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN:
02:37:29: %SYSTEM-P:CP %IF
(For UPLINK-STATE-GROUP mode) show configuration
– group-id: The values are from 1 to 16.
Examples of Viewing Uplink State Group Status
The following example shows viewing the uplink state group status for an S50 system.
     0 packets, 0 bytes, 0 underruns
     0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     0 Multicasts, 0 Broadcasts, 0 Unicasts
     0 throttles, 0 discarded, 0 collisions
Rate info (interval 299 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec, 0 packets/sec, 0.
Dell(conf-uplink-state-group-3)#exit
Dell(conf)#exit
Dell#
00:13:06: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console by console
Dell# show running-config uplink-state-group
!
uplink-state-group 3
 description Testing UFD feature
 downstream disable links 2
 downstream TengigabitEthernet 0/1-2,5,9,11-12
 upstream TengigabitEthernet 0/3-4
Dell# show uplink-state-group 3
Uplink State Group: 3 Status: Enabled, Up
Dell# show uplink-state-group detail
(Up): Interface up (Dwn): Interface down (Dis): Interface
60 Virtual LANs (VLANs)
Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
By default, VLAN 1 is the Default VLAN. To change that designation, use the default vlan-id command in CONFIGURATION mode. You cannot delete the Default VLAN.
NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN.
• Untagged interfaces must be part of a VLAN.
Figure 145. Tagged Frame Format
The tag header contains some key information that the system uses:
• The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes).
• Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved.
NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes as specified in the IEEE 802.3 standard.
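As an added example (not code from the Dell guide), the following parses the tag header just described out of an Ethernet frame: the 2-byte VLAN protocol identifier (0x8100) followed by the 2-byte TCI, from which it extracts the 12-bit VLAN ID and rejects the two reserved values, 0 and 4095. It also builds a tagged frame so the 4-byte growth behind the NOTE above can be seen directly. The MAC addresses and payload are constructed placeholders, and frames are handled without the trailing FCS.

```python
"""IEEE 802.1Q tag header parsing and construction (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100        # VLAN protocol identifier that marks a tagged frame
RESERVED_VIDS = {0, 4095}  # of the 4,096 possible VLAN IDs, these two are reserved
MAC_HEADER_LEN = 12        # destination MAC (6) + source MAC (6)


@dataclass(frozen=True)
class VlanTag:
    pcp: int  # 3-bit priority code point
    dei: int  # 1-bit drop eligible indicator
    vid: int  # 12-bit VLAN identifier


def parse_vlan_tag(frame: bytes) -> Optional[VlanTag]:
    """Return the 802.1Q tag that follows the MAC addresses, or None if untagged."""
    if len(frame) < MAC_HEADER_LEN + 4:
        raise ValueError("frame too short to carry an 802.1Q tag")
    tpid, tci = struct.unpack("!HH", frame[MAC_HEADER_LEN:MAC_HEADER_LEN + 4])
    if tpid != TPID_8021Q:
        return None                       # an EtherType follows directly: untagged
    tag = VlanTag(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
    if tag.vid in RESERVED_VIDS:
        raise ValueError(f"reserved VLAN ID {tag.vid} in tag")
    return tag


def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte tag header between the MAC addresses and the EtherType.

    No FCS is appended, so a 1500-byte payload gives 1518 bytes here and
    1522 bytes on the wire: 4 bytes over the IEEE 802.3 maximum of 1518.
    """
    if vid in RESERVED_VIDS or not 0 <= vid <= 4095:
        raise ValueError(f"VLAN ID {vid} is reserved or out of range")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def classify(frame: bytes) -> str:
    """One-line summary suitable for a log; never raises, so it can run over captures."""
    try:
        tag = parse_vlan_tag(frame)
    except ValueError as exc:
        return f"invalid: {exc}"
    if tag is None:
        return "untagged"
    return f"tagged vid={tag.vid} pcp={tag.pcp} dei={tag.dei}"


# Constructed sample frames (MAC addresses and payload are placeholders).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + b"\x00" * 45                  # 46-byte dummy IPv4 payload
TAGGED_FRAME = build_tagged_frame(DST, SRC, vid=100, ethertype=0x0800,
                                  payload=PAYLOAD, pcp=5)
UNTAGGED_FRAME = DST + SRC + b"\x08\x00" + PAYLOAD
RESERVED_VID_FRAME = DST + SRC + b"\x81\x00\x0f\xff\x08\x00" + PAYLOAD  # VID 4095

if __name__ == "__main__":
    for name, frame in [("tagged", TAGGED_FRAME), ("untagged", UNTAGGED_FRAME),
                        ("reserved", RESERVED_VID_FRAME)]:
        print(f"{name:9s} {len(frame):4d} bytes: {classify(frame)}")
```

The reserved-VID check matters at the edge: VID 0 is only meaningful as a priority tag and VID 4095 is reserved for implementation use, so a frame carrying either should be treated as malformed rather than mapped to a VLAN.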
NOTE: You cannot assign an IP address to the Default VLAN (VLAN 1). To assign another VLAN ID to the Default VLAN, use the default vlan-id vlan-id command.
You can place VLANs and other logical interfaces in Layer 3 mode to receive and send routed traffic. For more information, refer to Bulk Configuration.
To assign an IP address, use the following command.
• Configure an IP address and mask on the interface.
Creating a Port-Based VLAN To configure a port-based VLAN, create the VLAN and then add physical interfaces or port channel (LAG) interfaces to the VLAN. NOTE: The Default VLAN (VLAN 1) is part of the system startup configuration and does not require configuration. A VLAN is active only if the VLAN contains interfaces and those interfaces are operationally up. As shown in the following example, VLAN 1 is inactive because it does not contain any interfaces.
To tag frames leaving an interface in Layer 2 mode, assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use the following commands.
1 Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
CONFIGURATION mode
interface vlan vlan-id
2 Enable an interface to include the IEEE 802.1Q tag header.
Moving Untagged Interfaces
To move untagged interfaces from the Default VLAN to another VLAN, use the following commands.
1 Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
CONFIGURATION mode
interface vlan vlan-id
2 Configure an interface as untagged.
INTERFACE mode
untagged interface
This command is available only in VLAN interfaces.
61 VLT Proxy Gateway
The Virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to an L3 end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration.
Figure 146. VLT Proxy Gateway — Topology 1
Guidelines for Enabling the VLT Proxy Gateway
Keep the following points in mind when you enable this functionality:
1 The proxy gateway is supported only for VLT; for example, across VLT domains.
8 If the port-channel specified in the proxy-gateway command is not a VLT LAG, the configuration is rejected by the CLI. The VLT LAG cannot be configured as a legacy LAG when it is part of a proxy gateway.
9 You cannot change the LLDP port channel interface to a legacy LAG when you enable the proxy gateway.
10 Dell recommends using the vlt-peer-mac transmit command only for square VLTs without diagonal links.
11 VRRP and IPv6 routing are not supported.
12 Private VLANs (PVLANs) are not supported.
The LLDP organizational TLV passes local destination MAC address information to peer VLT domain devices so they can act as the proxy gateway.
Sample Scenario for VLT Proxy Gateway
Figure 147. VLT Proxy Gateway — Topology 2
1 The above figure (Topology 2) shows a sample VLT proxy gateway scenario. There are no diagonal links in the square VLT connection between C and D in VLT domain 1 and C1 and D1 in VLT domain 2. This topology undergoes sub-optimal routing with the VLT Proxy Gateway LLDP method.
4 You can disable the VLT Proxy Gateway for a particular VLAN using an "Exclude-VLAN" configuration. The configuration has to be done in both the VLT domains [C and D in VLT domain 1 and C1 and D1 in VLT domain 2].
3 You can configure the port channel interface for an LLDP proxy gateway and exclude a VLAN or a range of VLANs from proxy routing. This parameter is for an LLDP proxy gateway configuration.
VLT DOMAIN PROXY GW LLDP mode
Dell(conf-vlt-domain-proxy-gw-lldp)#peer-domain-link port-channel interface exclude-vlan vlan-range
4 Display the VLT proxy gateway configuration.
62 Virtual Routing and Forwarding (VRF)
Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time.
VRF Overview
VRF improves functionality by allowing network paths to be segmented without using multiple devices.
Figure 148. VRF Network Example
VRF Configuration Notes
Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM.
VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
NOTE: To configure a router ID in a non-default VRF, configure at least one IP address in both the default as well as the non-default VRF.
Table 116. Features Supported in VRF
Feature/Capability                                           Support Status for Default VRF   Support Status for Non-default VRF
Configuration rollback for commands introduced or modified   Yes                              No
LLDP protocol on the port                                    Yes                              No
802.
Feature/Capability                                           Support Status for Default VRF   Support Status for Non-default VRF
Layer 2 ACLs on VLANs                                        Yes                              No
FEED                                                         Yes                              No
Layer 2 QoS                                                  Yes                              Yes
Support for storm-control (broadcast and unknown-unicast)    Yes                              No
sFlow                                                        Yes                              No
VRRP on physical and logical interfaces                      Yes                              Yes
Secondary IP Addresses                                       Yes                              No
Following IPv6 capabilities                                                                   No
  Basic                                                      Yes                              No
  OSPFv3                                                     Yes                              No
  ISIS                                                       Yes                              No
  BGP                                                        Yes                              No
  ACL                                                        Yes                              Yes
  Multicast                                                  Yes                              No
  NDP                                                        Yes                              No
  RAD                                                        Yes                              No
Ingress/Egress Storm-Control
Table 117. Load VRF CAM
Step   Task                                    Command Syntax   Command Mode
1      Load CAM memory for the VRF feature.    feature vrf      CONFIGURATION
After you load VRF CAM, CLI parameters that allow you to configure non-default VRFs are made available on the system.
Creating a Non-Default VRF Instance
VRF is enabled by default on the switch and supports up to 512 VRF instances: 1 to 512 and the default VRF (0).
Table 118.
Task                                        Command Syntax            Command Mode
Assign an IPv4 address to the interface.    ip address 10.1.1.1/24    INTERFACE CONFIGURATION
Assign an IPv6 address to the interface.    ipv6 address 1::1         INTERFACE CONFIGURATION
NOTE: You can assign either an IPv4 or an IPv6 address but not both.
NOTE: You can also auto configure an IPv6 address using the ipv6 address autoconfig command.
View VRF Instance Information
To display information about VRF configuration, enter the show ip vrf command.
Table 121.
Table 123. VRRP on VRF
Task                                              Command Syntax                   Command Mode
Create VRF                                        ip vrf vrf1                      CONFIGURATION
Assign the VRF to an interface                    ip vrf forwarding vrf1           VRF CONFIGURATION
Assign an IP address to the interface             ip address 10.1.1.1 /24
                                                  no shutdown
Configure the VRRP group and virtual IP address   vrrp-group 10
                                                  virtual-address 10.1.1.100
show config
----------------------------
!
interface TenGigabitEthernet 0/13
 ip vrf forwarding vrf1
 ip address 10.1.1.1/24
 !
 vrrp-group 10
  virtual-address 10.1.1.
• ipv6 nd max-ra-interval — Set IPv6 Max Router Advertisement Interval
• ipv6 nd mtu — Configure MTU advertisements in RA packets
• ipv6 nd other-config-flag — Hosts should use DHCP for non-address config
• ipv6 nd prefix — Configure IPv6 Routing Prefix Advertisement
• ipv6 nd ra-guard — Configure IPv6 ra-guard
• ipv6 nd ra-lifetime — Set IPv6 Router Advertisement Lifetime
• ipv6 nd reachable-time — Set advertised reachability time
• ipv6 nd retrans-timer — Set NS retransmit interval used and
NOTE: The Dell EMC Networking OS supports route leaking only for transit traffic. If the system receives a packet on one VRF which is destined to another VRF, the packet is routed to that destination. If the system receives a packet on one VRF which is destined to the same device (such as a ping), the system drops the packet.
The following example illustrates how route leaking between two VRFs can be performed:
interface TenGigabitEthernet 0/9
 ip vrf forwarding VRF1
 ip address 120.0.0.
Figure 150. Setup VRF Interfaces
The following example relates to the configuration shown in the above illustrations.
Router 1
Router 2
The following shows the output of the show commands on Router 1.
Router 1
The following shows the output of the show commands on Router 2.
Previous FTOS releases support static route leaking, which enables route leaking through static commands. Dynamic Route Leaking, introduced in the 9.7(0.0) release, enables a source VRF to share both its connected routes as well as dynamically learnt routes from various protocols, such as ISIS, OSPF, BGP, and so on, with other default or non-default VRFs. You can also leak global routes to be made available to VRFs.
4 Configure the export target in the source VRF with route-map export_ospfbgp_protocol.
ip route-export 1:1 export_ospfbgp_protocol
5 Configure VRF-blue.
ip vrf vrf-blue
interface-type slot/port
ip vrf forwarding VRF-blue
ip address ip-address mask
A non-default VRF named VRF-blue is created and the interface 1/22 is assigned to it.
6 Define the route-map import_ospf_protocol.
Dell(config)route-map import_ospf_protocol permit 10
7 Define the matching criteria for importing routes into VRF-blue.
you use) to various other VRFs. The destination or target VRFs then import these IPv4 or IPv6 routes using the ip route-import tag or the ipv6 route-import tag command respectively.
NOTE: In Dell Networking OS, you can configure at most one route-export per VRF, as only one set of routes can be exposed for leaking. However, you can configure multiple route-import targets because a VRF can accept routes from multiple VRFs.
ip route-import 2:2
ip route-import 3:3
Show routing tables of all the VRFs (without any route-export and route-import tags being configured).
Show routing tables of VRFs (after route-export and route-import tags are configured).
Important Points to Remember
• If the target VRF contains the same prefix as either a sourced or leaked route from some other VRF, then route leaking for that particular prefix fails and the following error log is generated.
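The following is an added example, not code from the Dell guide, modelling the route-export and route-import behaviour described in this section: a source VRF exports its routes under a single tag, target VRFs import by tag, a target may import from several sources, and a prefix the target already holds (its own, or already leaked from another VRF) is not leaked but reported. VRF names, tags and prefixes are constructed; the error wording is this example's own, since the guide's own log line is cut off above. One assumption is made beyond the text: only a VRF's own routes are exported, so a route leaked into a VRF is not re-exported from it.

```python
"""Model of VRF route leaking by export/import tag (added example, not Dell OS code)."""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional, Set


@dataclass
class Vrf:
    name: str
    routes: Dict[object, str] = field(default_factory=dict)   # prefix -> origin VRF
    route_export: Optional[str] = None                         # at most one export tag
    route_imports: Set[str] = field(default_factory=set)       # may import many tags

    def add_route(self, prefix: str) -> None:
        """Install a connected or protocol-learned route owned by this VRF."""
        self.routes[ip_network(prefix)] = self.name

    def set_route_export(self, tag: str) -> None:
        """Mirror the guide's rule that a VRF has at most one route-export."""
        if self.route_export is not None and self.route_export != tag:
            raise ValueError(f"{self.name} already exports tag {self.route_export}")
        self.route_export = tag


def leak_routes(vrfs: Dict[str, Vrf]) -> List[str]:
    """Apply every import tag against the VRF exporting it; return error lines."""
    errors: List[str] = []
    exporters = {v.route_export: v for v in vrfs.values() if v.route_export}
    for target in vrfs.values():
        for tag in sorted(target.route_imports):
            source = exporters.get(tag)
            if source is None or source is target:
                continue                         # nobody exports this tag, or self-import
            for prefix, origin in source.routes.items():
                if origin != source.name:
                    continue                     # assumption: leaked routes are not re-exported
                holder = target.routes.get(prefix)
                if holder is not None:
                    errors.append(f"route leaking failed: {prefix} already present in "
                                  f"{target.name} (origin {holder}); not leaked from {source.name}")
                    continue
                target.routes[prefix] = source.name
    return errors


def route_origin(vrf: Vrf, prefix: str) -> Optional[str]:
    """Which VRF a prefix in this VRF's table came from, or None if absent."""
    return vrf.routes.get(ip_network(prefix))


def demo():
    """Constructed topology: VRF-red exports tag 1:1; VRF-blue and VRF-green import it."""
    red, blue, green = Vrf("VRF-red"), Vrf("VRF-blue"), Vrf("VRF-green")
    for p in ("10.1.0.0/24", "10.2.0.0/24", "2001:db8:1::/64"):
        red.add_route(p)
    red.set_route_export("1:1")
    blue.add_route("10.2.0.0/24")                 # same prefix as red: leak must fail
    blue.route_imports.add("1:1")
    green.route_imports.update({"1:1", "2:2"})    # 2:2 has no exporter and is ignored
    vrfs = {"VRF-red": red, "VRF-blue": blue, "VRF-green": green}
    return vrfs, leak_routes(vrfs)


if __name__ == "__main__":
    vrfs, errors = demo()
    for v in vrfs.values():
        print(v.name, {str(p): o for p, o in v.routes.items()})
    print("\n".join(errors))
```

Running demo() shows the two outcomes side by side: VRF-green receives all three of VRF-red's routes, while VRF-blue receives only 10.1.0.0/24 and the IPv6 prefix, and the conflicting 10.2.0.0/24 is reported rather than overwritten, which is the behaviour the first point above describes.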
63 Virtual Link Trunking (VLT)
Virtual link trunking (VLT) is supported on Dell Networking OS.
Overview
In a traditional switched topology as shown below, spanning tree protocols (STPs) are used to block one or more links to prevent loops in the network. Although loops are prevented, the bandwidth of all links is not effectively utilized by the connected devices.
Figure 151. Traditional switched topology
VLT not only overcomes this caveat, but also provides a multipath to the connected devices.
Figure 152. VLT providing multipath VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches and supporting a loop-free topology. To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol. After VLT is established, you may use rapid spanning tree protocol (RSTP) to prevent loops from forming with new links that are incorrectly connected and outside the VLT domain.
Figure 153. Example of VLT Deployment VLT offers the following benefits: • Allows a single device to use a LAG across two upstream devices. • Eliminates STP-blocked ports. • Provides a loop-free topology. • Uses all available uplink bandwidth. • Provides fast convergence if either the link or a device fails. • Optimized forwarding with virtual router redundancy protocol (VRRP). • Provides link-level resiliency. • Assures high availability. • Active-Active load sharing with VRRP.
VLT on Core Switches You can also deploy VLT on core switches. Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This set up requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode.
• If the DHCP server is located on the ToR and the VLTi (ICL) is down due to a failed link when a VLT node is rebooted in BMP mode, the node is not able to reach the DHCP server, resulting in BMP failure. • If the source is connected to an orphan (non-spanned, non-VLT) port on a VLT peer, the receiver is connected to a VLT (spanned) port-channel, and the VLT port-channel link between the VLT peer connected to the source and the ToR is down, traffic is duplicated due to route inconsistency between peers.
– Unknown-unicast, multicast, and broadcast traffic can be flooded across the VLT interconnect. – MAC addresses for VLANs configured across VLT peer chassis are synchronized over the VLT interconnect on an egress port such as a VLT LAG. MAC addresses are the same on both VLT peer nodes. – ARP entries configured across the VLTi are the same on both VLT peer nodes.
• Software features supported on VLT port-channels
  – In a VLT domain, the following software features are supported on VLT port-channels: 802.1p, ingress and egress ACLs, BGP, DHCP relay, IS-IS, OSPF, active-active PIM-SM, PIM-SSM, VRRP, Layer 3 VLANs, LLDP, flow control, port monitoring, jumbo frames, IGMP snooping, sFlow, and Layer 2 control protocols (RSTP only).
NOTE: PVST+ passthrough is supported in a VLT domain. PVST+ BPDUs do not result in an interface shutdown.
– If the primary chassis fails, the secondary chassis takes on the operational role of the primary. • The SNMP MIB reports VLT statistics. Primary and Secondary VLT Peers Primary and secondary VLT peers are supported to prevent issues when connectivity between peers is lost on the switch. You can elect or configure the Primary Peer. By default, the peer with the lowest MAC address is selected as the Primary Peer. You can configure another peer as the Primary Peer using the VLT primary-priority command.
VLT and High Availability High availability (HA) support on VLT ensures seamless and uninterrupted flow of VLT features during RPM failure (failover). When RPM failover happens, the new active RPM triggers a new VLT registration to its VLT peer. It ensures that the VLT node with new active RPM receives all the VLT information from its VLT peer.
This delay in bringing up the VLT ports also applies when the VLTi link recovers from a failure that caused the VLT ports on the secondary VLT peer node to be disabled. PIM-Sparse Mode Support on VLT The designated router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources. Figure 154.
On a VLT-enabled PIM router, if any PIM neighbor is reachable through a Spanned Layer 3 (L3) VLAN interface, this must be the only PIM-enabled interface to reach that neighbor. A Spanned L3 VLAN is any L3 VLAN configured on both peers in a VLT domain. This does not apply to server-side L2 VLT ports because they do not connect to any PIM routers. These VLT ports can be members of multiple PIM-enabled L3 VLANs for compatibility with IGMP.
VLT unicast, VLAN configuration must be symmetrical on both peers. You cannot configure the same VLAN as Layer 2 on one node and as Layer 3 on the other node. Configuration mismatches are logged in the syslog and displayed in the show vlt mismatch command output. If you enable VLT unicast routing, the following actions occur:
• L3 routing is enabled on any new IP or IPv6 address configured for a VLAN interface that is up.
• L3 routing is enabled on any VLAN with an admin state of up.
• You can only use one spanned VLAN from a PIM-enabled VLT node to an external neighboring PIM router. If you connect multiple spanned VLANs to a PIM neighbor, or if both spanned and non-spanned VLANs can access the PIM neighbor, ECMP can cause the PIM protocol running on each VLT peer node to choose a different VLAN or IP route to reach the PIM neighbor. This can result in issues with multicast route syncing between peers.
BPDUs use the MAC address of the primary VLT peer as the RSTP bridge ID in the designated bridge ID field. The primary VLT peer sends these BPDUs on VLT interfaces connected to access devices. The MAC address for a VLT domain is automatically selected on the peer switches when you create the domain (refer to Enabling VLT and Creating a VLT Domain). Configure both ends of the VLT interconnect trunk with identical RSTP configurations.
Configuring VLT VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches. To configure VLT, use the following procedure. Prerequisites: Before you begin, make sure that both VLT peer switches are running the same Dell Networking OS version and are configured for RSTP as described in RSTP Configuration.
Enabling VLT and Creating a VLT Domain To enable VLT and create a VLT domain: 1 Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode. CONFIGURATION mode vlt domain domain-id The domain ID range is from 1 to 1000. Configure the same domain ID on the peer switch to allow for common peering. VLT uses the domain ID to automatically create a VLT MAC address for the domain.
Configuring a VLT Backup Link To configure a VLT backup link, use the following command. 1 Specify the management interface to be used for the backup link through an out-of-band management network. CONFIGURATION mode interface managementethernet slot/port Enter the slot (0-1) and the port (0). 2 Configure an IPv4 address (A.B.C.D) or IPv6 address (X:X:X:X::X) and mask (/x) on the interface.
Reconfiguring the Default VLT Settings (Optional) To reconfigure the default VLT settings, use the following commands. 1 Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 2 (Optional) When you create a VLT domain on a switch, the system automatically creates a VLT-system MAC address used for internal system operations.
3 Place the interface in Layer 2 mode.
  INTERFACE PORT-CHANNEL mode
  switchport
4 Add one or more port interfaces to the port channel.
  INTERFACE PORT-CHANNEL mode
  channel-member interface
  interface: specify one of the following interface types:
  • 1-Gigabit Ethernet: enter gigabitethernet slot/port.
  • 10-Gigabit Ethernet: enter tengigabitethernet slot/port.
  • 40-Gigabit Ethernet: enter fortyGigE slot/port.
5 Ensure that the port channel is active.
The range is from 1 to 4094. Configuring Enhanced VLT (eVLT) (Optional) To configure enhanced VLT (eVLT) between two VLT domains on your network, use the following procedure. For a sample configuration, refer to eVLT Configuration Example. To set up the VLT domain, use the following commands. 1 Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
Use this command to minimize the time required for the VLT system to synchronize the default MAC address of the VLT domain on both peer switches when one peer switch reboots. 7 When you create a VLT domain on a switch, the system automatically assigns a unique unit ID (0 or 1) to each peer switch. VLT DOMAIN CONFIGURATION mode unit-id {0 | 1} The unit IDs are used for internal system operations. To explicitly configure the default values on each peer switch, use the unit-id command.
17 Repeat steps 1 through 15 for the first VLT node in Domain 2. 18 Repeat steps 1 through 15 for the VLT peer node in Domain 2. To verify the configuration of a VLT domain, use any of the show commands described in Verifying a VLT Configuration. VLT Sample Configuration To review a sample VLT configuration setup, study these steps. 1 Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2. VLT DOMAIN mode vlt domain domain-id 2 Configure the VLTi between VLT peer 1 and VLT peer 2.
EXEC mode or EXEC Privilege mode show interfaces interface Example of Configuring VLT In the following sample VLT configuration steps, VLT peer 1 is Dell-2, VLT peer 2 is Dell-4, and the ToR is S60-1. NOTE: If you use a third-party ToR unit, Dell Networking recommends using static LAGs with VLT peers to avoid potential problems if you reboot the VLT peers. Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2.
port-channel 2 mode active
no shutdown
Dell-2#show running-config interface port-channel 2
!
interface Port-channel 2
 no ip address
 switchport
 vlt-peer-lag port-channel 2
 no shutdown
Dell-2#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
   LAG  Mode  Status  Uptime    Ports
L  2    L2L3  up      03:33:14  Te 0/40 (Up)
In the ToR unit, configure LACP on the physical ports.
Verify that the VLT LAG is up in both VLT peer units.
Dell-2#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
   LAG  Mode  Status  Uptime    Ports
L  2    L2L3  up      03:43:24  Te 0/40 (Up)
Dell-4#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
   LAG  Mode  Status  Uptime    Ports
L  2    L2L3  up      03:33:31  Te 0/18 (Up)
eVLT Configuration Example
The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network. In this example, you are configuring two domains.
Configure eVLT on Peer 1. Domain_1_Peer1(conf)#interface port-channel 100 Domain_1_Peer1(conf-if-po-100)# switchport Domain_1_Peer1(conf-if-po-100)# vlt-peer-lag port-channel 100 Domain_1_Peer1(conf-if-po-100)# no shutdown Add links to the eVLT port-channel on Peer 1.
Next, configure the VLT domain and VLTi on Peer 4.
Domain_2_Peer4#configure
Domain_2_Peer4(conf)#interface port-channel 1
Domain_2_Peer4(conf-if-po-1)# channel-member TenGigabitEthernet 0/8-9
Domain_2_Peer4(conf-if-po-1)# no shutdown
Domain_2_Peer4(conf)#vlt domain 200
Domain_2_Peer4(conf-vlt-domain)# peer-link port-channel 1
Domain_2_Peer4(conf-vlt-domain)# back-up destination 10.18.130.
VLT_Peer2(conf-if-vl-4001)#exit
VLT_Peer2(conf)#end
Verifying a VLT Configuration
To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches.
• Display information on backup link operation.
  EXEC mode
  show vlt backup-link
• Display general status information about VLT domains currently configured on the switch.
Destination:                 10.11.200.18
Peer HeartBeat status:       Up
HeartBeat Timer Interval:    1
HeartBeat Timeout:           3
UDP Port:                    34998
HeartBeat Messages Sent:     1026
HeartBeat Messages Received: 1025
Dell_VLTpeer2# show vlt backup-link
VLT Backup Link
-----------------
Destination:                 10.11.200.20
Peer HeartBeat status:       Up
HeartBeat Timer Interval:    1
HeartBeat Timeout:           3
UDP Port:                    34998
HeartBeat Messages Sent:     1030
HeartBeat Messages Received: 1014
The following example shows the show vlt brief command.
(show vlt brief output continues; the remaining fields read: 2 100 127 100 UP UP UP UP 20, 30 10, 20, 30)
The following example shows the show vlt role command.
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 4096, Address 0001.e88a.d656
Configured hello time 2, max age 20, forward delay 15
Interface                                      Designated
Name    PortID   Prio  Cost    Sts        Cost  Bridge ID             PortID
------  -------  ----  ------  ---------  ----  --------------------  -------
Po 1    128.2    128   200000  DIS        800   4096 0001.e88a.d656   128.2
Po 3    128.4    128   200000  DIS        800   4096 0001.e88a.d656   128.4
Po 4    128.5    128   200000  DIS        800   4096 0001.e88a.d656   128.5
Po 100  128.101  128   800     FWD(VLTi)  800   0    0001.e88a.
Configure the port channel to an attached device. Dell_VLTpeer1(conf)#interface port-channel 110 Dell_VLTpeer1(conf-if-po-110)#no ip address Dell_VLTpeer1(conf-if-po-110)#switchport Dell_VLTpeer1(conf-if-po-110)#channel-member fortyGigE 0/52 Dell_VLTpeer1(conf-if-po-110)#no shutdown Dell_VLTpeer1(conf-if-po-110)#vlt-peer-lag port-channel 110 Dell_VLTpeer1(conf-if-po-110)#end Verify that the port channels used in the VLT domain are assigned to the same VLAN.
10  Active  U Po110(Fo 0/48)
            T Po100(Fo 0/46,50)
Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch)
On an access device, verify the port-channel connection to a VLT domain.
Dell_TORswitch(conf)# show running-config interface port-channel 11
!
interface Port-channel 11
 no ip address
 switchport
 channel-member fortyGigE 1/18,22
 no shutdown
Troubleshooting VLT
To help troubleshoot different VLT issues that may occur, use the following information.
Description: System MAC mismatch
  Behavior at Peer Up: A syslog error message and an SNMP trap are generated.
  Behavior During Run Time: A syslog error message and an SNMP trap are generated.
  Action to Take: Verify that the unit ID of VLT peers is not the same on both units and that the MAC address is the same on both units.
Description: Unit ID mismatch
  Behavior at Peer Up: The VLT peer does not boot up. The VLTi is forced to a down state.
  Behavior During Run Time: The VLT peer does not boot up. The VLTi is forced to a down state.
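The mismatches in the troubleshooting table, together with the VLAN symmetry rule under VLT unicast routing, as an added pre-change check written in Python. This is example code, not a Dell tool, and it does not replace show vlt mismatch on the running system: the two running-config snippets are constructed in the style the guide shows, and the keyword system-mac mac-address is assumed to be the line that carries the VLT system MAC.

```python
"""Added example (not Dell Networking OS code): a pre-change check that reads
two VLT peers' running-config text and reports the mismatches the guide
says VLT rejects or logs: different domain IDs, different system MACs,
peers sharing a unit-id, VLT LAGs present on only one peer, and a VLAN that
is Layer 2 on one peer but Layer 3 on the other. PEER1/PEER2 are constructed
in the page's running-config style; 'system-mac mac-address' is an assumed
keyword for the VLT system MAC."""
import re

PEER1 = """\
vlt domain 100
 peer-link port-channel 1
 unit-id 0
 system-mac mac-address 00:01:e8:8a:d6:56
!
interface Port-channel 2
 switchport
 vlt-peer-lag port-channel 2
!
interface Vlan 10
 no ip address
 tagged Port-channel 2
!
interface Vlan 20
 ip address 10.20.0.1/24
 tagged Port-channel 2
"""

PEER2 = """\
vlt domain 100
 peer-link port-channel 1
 unit-id 1
 system-mac mac-address 00:01:e8:8a:d6:56
!
interface Port-channel 2
 switchport
 vlt-peer-lag port-channel 2
!
interface Port-channel 3
 switchport
 vlt-peer-lag port-channel 3
!
interface Vlan 10
 ip address 10.10.0.2/24
 tagged Port-channel 2
!
interface Vlan 20
 ip address 10.20.0.2/24
 tagged Port-channel 2
"""


def parse_running_config(text):
    """Pick out the VLT-relevant pieces of a running-config."""
    cfg = {"domain": None, "unit_id": None, "system_mac": None,
           "vlt_lags": set(), "vlans": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"vlt domain (\d+)$", line)
        if m:
            cfg["domain"], section = int(m.group(1)), "vlt"
            continue
        m = re.match(r"interface (port-channel|vlan) (\d+)$", line, re.I)
        if m:
            section = (m.group(1).lower(), int(m.group(2)))
            if section[0] == "vlan":
                cfg["vlans"][section[1]] = {"l3": False, "lags": set()}
            continue
        if section == "vlt":
            if line.startswith("unit-id "):
                cfg["unit_id"] = int(line.split()[-1])
            elif line.startswith("system-mac mac-address "):
                cfg["system_mac"] = line.split()[-1].lower()
        elif section and section[0] == "port-channel":
            if line.startswith("vlt-peer-lag port-channel "):
                cfg["vlt_lags"].add(int(line.split()[-1]))
        elif section and section[0] == "vlan":
            vlan = cfg["vlans"][section[1]]
            if line.startswith(("ip address ", "ipv6 address ")):
                vlan["l3"] = True            # an address makes the VLAN Layer 3
            elif line.startswith(("tagged ", "untagged ")):
                vlan["lags"].update(int(n) for n in re.findall(r"port-channel (\d+)", line, re.I))
    return cfg


def compare_peers(peer1_text, peer2_text):
    """Return a list of human-readable mismatch findings (empty = consistent)."""
    a, b = parse_running_config(peer1_text), parse_running_config(peer2_text)
    findings = []
    if a["domain"] != b["domain"]:
        findings.append(f"domain ID mismatch: {a['domain']} vs {b['domain']}")
    if a["system_mac"] != b["system_mac"]:
        findings.append(f"system MAC mismatch: {a['system_mac']} vs {b['system_mac']}")
    if a["unit_id"] == b["unit_id"]:
        findings.append(f"unit-id conflict: both peers use unit-id {a['unit_id']}")
    if a["vlt_lags"] != b["vlt_lags"]:
        findings.append(f"VLT LAG set differs: {sorted(a['vlt_lags'])} vs {sorted(b['vlt_lags'])}")
    for vid in sorted(set(a["vlans"]) | set(b["vlans"])):
        va, vb = a["vlans"].get(vid), b["vlans"].get(vid)
        if va is None or vb is None:
            findings.append(f"VLAN {vid} is present on only one peer")
            continue
        if va["l3"] != vb["l3"]:
            findings.append(f"VLAN {vid} is Layer {3 if va['l3'] else 2} on peer 1 "
                            f"but Layer {3 if vb['l3'] else 2} on peer 2")
        if va["lags"] != vb["lags"]:
            findings.append(f"VLAN {vid} VLT LAG membership differs: "
                            f"{sorted(va['lags'])} vs {sorted(vb['lags'])}")
    return findings
```

Run against the two constructed configs, `compare_peers(PEER1, PEER2)` reports that Port-channel 3 is a VLT LAG on peer 2 only and that VLAN 10 is Layer 2 on peer 1 but Layer 3 on peer 2; the identical domain ID, system MAC and distinct unit IDs pass.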
The association of PVLAN with the VLT LAG must also be identical. After the VLT LAG is configured to be a member of either the primary or secondary PVLAN (which is associated with the primary), ICL becomes an automatic member of that PVLAN on both switches. This association helps the PVLAN data flow received on one VLT peer for a VLT LAG to be transmitted on that VLT LAG from the peer. You can associate either a VLT VLAN or a VLT LAG to a PVLAN.
The PVLAN mode of VLT LAGs on one peer is validated against the PVLAN mode of VLT LAGs on the other peer. MAC addresses that are learned on that VLT LAG are synchronized between the peers only if the PVLAN mode on both the peers is identical. For example, if the MAC address is learned on a VLT LAG and the VLAN is a primary VLT VLAN on one peer and not a primary VLT VLAN on the other peer, MAC synchronization does not occur.
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN The following table illustrates the association of the VLTi link and PVLANs, and the MAC synchronization of VLT nodes in a PVLAN (for various modes of operations of the VLT peers): Table 127.
VLT LAG Mode (Peer1 / Peer2)   PVLAN Mode of VLT VLAN (Peer1 / Peer2)          ICL VLAN Membership   MAC Synchronization
Access / Access                Primary VLAN X / Primary VLAN Y                 No                    No
                               Secondary (Community) / Secondary (Community)   No                    No
                               Primary VLAN Y / Primary VLAN X                 No                    No
Promiscuous / Access           Primary / Secondary                             No                    No
Trunk / Access                 Primary/Normal / Secondary                      No                    No
Configuring a VLT VLAN or LAG in a PVLAN
You can configure the VLT peers or nodes in a private VLAN (PVLAN).
6 Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 7 Enter the port-channel number that acts as the interconnect trunk. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number The range is from 1 to 128. 8 (Optional) To configure a VLT LAG, enter the VLAN ID number of the VLAN where the VLT forwards packets received on the VLTi from an adjacent peer that is down.
INTERFACE VLAN mode private-vlan mode primary 8 Map secondary VLANs to the selected primary VLAN. INTERFACE VLAN mode private-vlan mapping secondary-vlan vlan-list The list of secondary VLANs can be: • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID). • Specified with this command even before they have been created. • Amended by specifying the new secondary VLAN to be added to the list.
link or peer is down, and the ARP request for a private VLAN IP address reaches the wrong peer, then the wrong peer responds to the ARP request with the peer MAC address. The IP address of the VLT node VLAN interface is synchronized with the VLT peer over ICL when the VLT peers are up. Whenever an IP address is added or deleted, this updated information is synchronized with the VLT peer. IP address synchronization occurs regardless of the VLAN administrative state.
outgoing interface (OIF) maps after a peer node failure, use the timeout value that you configured through the multicast peer-routing-timeout command. You can configure an optimal time for a VLT node to retain synced multicast routes or synced multicast outgoing interface (OIF) entries after a VLT peer node failure through the multicast peer-routing-timeout command in VLT DOMAIN mode.
no ip address
switchport
vlan-stack access
vlt-peer-lag port-channel 10
no shutdown
Dell#
Dell(conf)#interface port-channel 20
Dell(conf-if-po-20)#switchport
Dell(conf-if-po-20)#vlt-peer-lag port-channel 20
Dell(conf-if-po-20)#vlan-stack trunk
Dell(conf-if-po-20)#no shutdown
Dell#show running-config interface port-channel 20
!
interface Port-channel 20
 no ip address
 switchport
 vlan-stack trunk
 vlt-peer-lag port-channel 20
 no shutdown
Dell#
Configure the VLAN as a VLAN-Stack VLAN and add the VLT LAG as a member of the VLAN
Dell(conf)#interface vlan 50
Dell(conf-if-vl-50)#vlan-stack
64 Virtual Router Redundancy Protocol (VRRP) Virtual router redundancy protocol (VRRP) is supported on Dell Networking OS. VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. Authentication is not supported on VRRPv3. VRRP is supported on “all types” of interfaces, including physical, VLAN, port-channel, and port extender interfaces. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 156. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. VRRP Implementation Within a single VRRP group, up to 12 virtual IP addresses are supported.
Table 128. Recommended VRRP Advertise Intervals on the Switch
Total VRRP Groups        Recommended Advertise Interval   Groups/Interface
Less than 250            1 second                         12
Between 250 and 450      2–3 seconds                      24
Between 450 and 600      3–4 seconds                      36
Between 600 and 800      4 seconds                        48
Between 800 and 1000     5 seconds                        84
Between 1000 and 1200    7 seconds                        100
Between 1200 and 1500    8 seconds                        120
VRRP Configuration
By default, VRRP is not configured.
NOTE: The interface must already have a primary IP address defined and be enabled, as shown in the second example.
• Delete a VRRP group.
  INTERFACE mode
  no vrrp-group vrid
Examples of Configuring and Verifying a VRRP Configuration
The following example shows configuring a VRRP configuration.
Dell(conf)#int te 1/1
Dell(conf-if-te-1/1)#vrrp-group 111
Dell(conf-if-te-1/1-vrid-111)#
The following example shows verifying a VRRP configuration.
2 Set the master switch to VRRP protocol version 3. 3 Set the backup switches to version 3. Assign Virtual IP addresses Virtual routers contain virtual IP addresses configured for that VRRP group (VRID). A VRRP group does not transmit VRRP packets until you assign the Virtual IP address to the VRRP group. For more information, refer to VRRP Implementation.
interface TenGigabitEthernet 1/1/1
 ip address 10.10.10.1/24
 !
 vrrp-group 111
  priority 255
  virtual-address 10.10.10.1
  virtual-address 10.10.10.2
  virtual-address 10.10.10.3
 !
 vrrp-group 222
 no shutdown
The following example shows the same VRRP group (VRID 111) configured on multiple interfaces on different subnets.
Dell#show vrrp
-----------------
TenGigabitEthernet 1/1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.
To verify the VRRP group priority, use the show vrrp command.
Dell#show vrrp
-----------------
TenGigabitEthernet 1/1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 2343, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
-----------------
TenGigabitEthernet 1/2/1, VRID: 111, Net: 10.10.
Disabling Preempt The preempt command is enabled by default. The command forces the system to change the MASTER router if another router with a higher priority comes online. Prevent the BACKUP router with the higher priority from becoming the MASTER router by disabling preempt. NOTE: You must configure all virtual routers in the VRRP group the same: you must configure all with preempt enabled or configure all with preempt disabled.
• Change the advertisement interval setting.
  INTERFACE-VRID mode
  advertise-interval seconds
  The range is from 1 to 255 seconds. The default is 1 second.
• For VRRPv3, change the advertisement interval setting in centiseconds.
  INTERFACE-VRID mode
  advertise-interval centisecs centisecs
  The range is from 25 to 4075 centisecs in units of 25 centisecs. The default is 100 centisecs.
• Set the delay time for VRRP initialization on an individual interface.
  INTERFACE mode
  vrrp delay minimum seconds
  This time is the gap between an interface coming up and being operational, and VRRP enabling. The seconds range is from 0 to 900. The default is 0.
• Set the delay time for VRRP initialization on all the interfaces in the system configured for VRRP.
  INTERFACE mode
  vrrp delay reload seconds
  This time is the gap between system boot up completion and VRRP enabling.
Tracking an Interface
To track an interface, use the following commands.
NOTE: The sum of all the costs for all tracked interfaces must be less than the configured priority of the VRRP group.
• Monitor an interface and, optionally, set a value to be subtracted from the interface's VRRP group priority.
  INTERFACE-VRID mode
  track interface [priority-cost cost]
  The cost range is from 1 to 254. The default is 10.
• (Optional) Display the configuration.
Reachability is Up (STATIC) 5 changes, last change 00:02:16 First-hop interface is GigabitEthernet 1/3 Tracked by: VRRP GigabitEthernet 1/8 IPv6 VRID 1 The following example shows verifying the VRRP status. ON the MASTER ========== Dell#show vrrp -----------------TenGigabitEthernet 0/1, IPv4 VRID: 1, Version: 2, Net: 1.1.1.1 VRF: 0 default State: Master, Priority: 100, Master: 1.1.1.
Sample Configurations Before you set up VRRP, review the following sample configurations. VRRP for an IPv4 Configuration The following configuration shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
R2(conf-if-te-2/31)#vrrp-group 99 R2(conf-if-te-2/31-vrid-99)#priority 200 R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3 R2(conf-if-te-2/31-vrid-99)#no shut R2(conf-if-te-2/31)#show conf ! interface TenGigabitEthernet 2/31 ip address 10.1.1.1/24 ! vrrp-group 99 priority 200 virtual-address 10.1.1.3 no shutdown R2(conf-if-te-2/31)#end R2#show vrrp -----------------TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1 State: Master, Priority: 200, Master: 10.1.1.
Figure 158. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. Example of Configuring VRRP for IPv6 Router 2 and Router 3 Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
R2(conf-if-te-0/0-vrid-10)#virtual-address 1::10 R2(conf-if-te-0/0-vrid-10)#no shutdown R2(conf-if-te-0/0)#show config interface TenGigabitEthernet 0/0 ipv6 address 1::1/64 vrrp-group 10 priority 100 virtual-address fe80::10 virtual-address 1::10 no shutdown R2(conf-if-te-0/0)#end ON MASTER ========== Dell#show vrrp -----------------TenGigabitEthernet 0/1, IPv4 VRID: 1, Version: 2, Net: 1.1.1.1 VRF: 0 default State: Master, Priority: 100, Master: 1.1.1.
Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 11, Bad pkts rcvd: 0, Adv sent: 0 Virtual MAC address: 00:00:5e:00:02:0a VRRP in a VRF Configuration The following example shows how to enable VRRP operation in a VRF virtualized network for the following scenarios. • Multiple VRFs on physical interfaces running VRRP. • Multiple VRFs on VLAN interfaces running VRRP. To view a VRRP in a VRF configuration, use the show commands described in Displaying VRRP in a VRF Configuration.
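An added example in Python (not Dell Networking OS code) that parses show vrrp output of the form shown in the IPv4 and IPv6 sections above and checks each group. The virtual MAC must match the RFC 5798 derivation, 00:00:5e:00:01:VRID for IPv4 and 00:00:5e:00:02:VRID for IPv6, which is why VRID 111 appears as :6f and VRID 10 as :0a in the outputs above; a group with priority 255 is the address owner and must list its own interface address as a virtual address; and a non-zero Bad pkts rcvd counter means advertisements on the segment failed validation and is worth investigating. The sample output is constructed, and its second group is deliberately wrong on all three counts.

```python
"""Added example (not Dell Networking OS code): parse 'show vrrp'-style
output into records and check each group. Per RFC 5798 the virtual MAC is
00:00:5e:00:01:<VRID> for IPv4 and 00:00:5e:00:02:<VRID> for IPv6, an owner
(priority 255) must carry the interface's own address as a virtual address,
and a non-zero 'Bad pkts rcvd' counter means advertisements on the segment
failed validation. SAMPLE is constructed in the format the guide shows; its
second group is deliberately wrong on all three counts."""
import re

SAMPLE = """\
-----------------
TenGigabitEthernet 1/1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 2343, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
-----------------
TenGigabitEthernet 1/2/1, VRID: 111, Net: 10.10.20.1
State: Master, Priority: 255, Master: 10.10.20.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 17, Adv sent: 2343, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:70
Virtual IP address: 10.10.20.5
Authentication: (none)
-----------------
TenGigabitEthernet 0/0, IPv6 VRID: 10, Version: 3, Net: 1::1
State: Master, Priority: 100, Master: 1::1 (local)
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 11, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address: fe80::10 1::10
"""

HEADER = re.compile(r"^(?P<intf>\S+ \S+), (?:(?P<fam>IPv[46]) )?VRID: (?P<vrid>\d+)"
                    r"(?:, Version: \d)?, Net: (?P<net>\S+)", re.M)


def parse_show_vrrp(text):
    """Split the output on the dashed separators and pull one record per group."""
    groups = []
    for block in re.split(r"^-+$", text, flags=re.M):
        m = HEADER.search(block)
        if not m:
            continue
        groups.append({
            "interface": m["intf"],
            "vrid": int(m["vrid"]),
            "ipv6": m["fam"] == "IPv6" or ":" in m["net"],
            "net": m["net"],
            "priority": int(re.search(r"Priority: (\d+)", block).group(1)),
            "bad_pkts": int(re.search(r"Bad pkts rcvd: (\d+)", block).group(1)),
            "virtual_mac": re.search(r"Virtual MAC address: (\S+)", block).group(1).lower(),
            "virtual_ips": re.search(r"Virtual IP address: (.+)", block).group(1).split(),
        })
    return groups


def expected_virtual_mac(vrid, ipv6=False):
    """RFC 5798 virtual router MAC: 00-00-5E-00-01-{VRID} (IPv4), 00-00-5E-00-02-{VRID} (IPv6)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00:00:5e:00:%02x:%02x" % (2 if ipv6 else 1, vrid)


def audit(groups):
    """Return a list of findings; an empty list means every group looks as expected."""
    findings = []
    for g in groups:
        where = f"{g['interface']} VRID {g['vrid']}"
        want = expected_virtual_mac(g["vrid"], g["ipv6"])
        if g["virtual_mac"] != want:
            findings.append(f"{where}: virtual MAC {g['virtual_mac']} is not the RFC 5798 value {want}")
        if g["priority"] == 255 and g["net"] not in g["virtual_ips"]:
            findings.append(f"{where}: priority 255 (owner) but {g['net']} is not a virtual address")
        if g["bad_pkts"]:
            findings.append(f"{where}: {g['bad_pkts']} received advertisements failed validation")
    return findings
```

`audit(parse_show_vrrp(SAMPLE))` returns three findings, all for TenGigabitEthernet 1/2/1; the other two groups are clean. The check is deliberately independent of the Authentication field, since VRRPv3 carries none and the segment the advertisements travel on is what has to be trusted.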
Figure 159. VRRP in a VRF: Non-VLAN Example
Example of Configuring VRRP in a VRF on Switch-1 (Non-VLAN)
Switch-1
S1(conf)#ip vrf default-vrf 0
!
S1(conf)#ip vrf VRF-1 1
!
S1(conf)#ip vrf VRF-2 2
!
S1(conf)#ip vrf VRF-3 3
!
S1(conf)#interface TenGigabitEthernet 2/1
S1(conf-if-te-2/1)#ip vrf forwarding VRF-1
S1(conf-if-te-2/1)#ip address 10.10.1.5/24
S1(conf-if-te-2/1)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243. S1(conf-if-te-2/3-vrid-105)#priority 255 S1(conf-if-te-2/3-vrid-105)#virtual-address 20.1.1.5 S1(conf-if-te-2/3)#no shutdown Example of Configuring VRRP in a VRF on Switch-2 (Non-VLAN Configuration) Switch-2 S2(conf)#ip vrf default-vrf 0 ! S2(conf)#ip vrf VRF-1 1 ! S2(conf)#ip vrf VRF-2 2 ! S2(conf)#ip vrf VRF-3 3 ! S2(conf)#interface TenGigabitEthernet 2/1 S2(conf-if-te-2/1)#ip vrf forwarding VRF-1 S2(conf-if-te-2/1)#ip address 10.10.1.
S1(conf-if-te-2/4)#no shutdown ! S1(conf-if-te-2/4)#interface vlan 100 S1(conf-if-vl-100)#ip vrf forwarding VRF-1 S1(conf-if-vl-100)#ip address 10.10.1.5/24 S1(conf-if-vl-100)#tagged tengigabitethernet 2/4 S1(conf-if-vl-100)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 1 will be 177. S1(conf-if-vl-100-vrid-101)#priority 100 S1(conf-if-vl-100-vrid-101)#virtual-address 10.10.1.
S2(conf-if-vl-300)#vrrp-group 15 % Info: The VRID used by the VRRP group 15 in VRF 3 will be 243. S2(conf-if-vl-300-vrid-101)#priority 100 S2(conf-if-vl-300-vrid-101)#virtual-address 20.1.1.5 S2(conf-if-vl-300)#no shutdown Displaying VRRP in a VRF Configuration To display information on a VRRP group that is configured on an interface that belongs to a VRF instance, use the following commands. • Display information on a VRRP group that is configured on an interface that belongs to a VRF instance.
65 Standards Compliance This chapter describes standards compliance for Dell Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
SFF-8431 SFP+ Direct Attach Cable (10GSFP+Cu) MTU 9,252 bytes RFC and I-D Compliance The C9000 series supports the following standards. The standards are grouped by related protocol. General Internet Protocols The following table lists the Dell Networking OS support on the C9000 Series for the general internet protocols. Table 129.
RFC# Full Name 2439 BGP Route Flap Damping 2545 Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing 2796 BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP) 2842 Capabilities Advertisement with BGP-4 2858 Multiprotocol Extensions for BGP-4 2918 Route Refresh Capability for BGP-4 3065 Autonomous System Confederations for BGP 4360 BGP Extended Communities Attribute 4893 BGP Support for Four-octet AS Number Space 5396 Textual Representation of Autonomous S
General IPv6 Protocols The following table lists the Dell Networking OS support on the C9000 series for general IPv6 protocols. Table 132.
RFC# Full Name
5306 Restart Signaling for IS-IS
5308 Routing IPv6 with IS-IS
draft-ietf-isis-igp-p2p-over-lan-06 Point-to-point operation over LAN in link-state routing protocols
draft-kaplan-isis-ext-eth-02 Extended Ethernet Frame Size Support
Network Management
The following table lists the Dell Networking OS support on the C9000 Series for network management protocol.
Table 134.
RFC# Full Name 2618 RADIUS Authentication Client MIB, except the following four counters: radiusAuthClientInvalidServerAddresses radiusAuthClientMalformedAccessResponses radiusAuthClientUnknownTypes radiusAuthClientPacketsDropped 2698 A Two Rate Three Color Marker 3635 Definitions of Managed Objects for the Ethernet-like Interface Types 2674 Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions 2787 Definitions of Managed Objects for the V
RFC# Full Name
draft-ietf-netmod-interfaces-cfg-03 Defines a YANG data model for the configuration of network interfaces. Used in the Programmatic Interface REST API feature.
IEEE 802.1AB Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components.
IEEE 802.1AB The LLDP Management Information Base extension module for IEEE 802.1 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB)
IEEE 802.
Multicast
The following table lists the Dell Networking OS support per platform for Multicast protocol.
Table 135. Multicast
RFC#  Full Name                                       S-Series  C-Series  E-Series TeraScale  E-Series ExaScale
1112  Host Extensions for IP Multicasting             7.8.1     7.7.1     √                   8.1.1
2236  Internet Group Management Protocol, Version 2   7.8.1     7.7.1     √                   8.1.1
2710  Multicast Listener Discovery (MLD) for IPv6                         √                   8.2.1
3376  Internet Group Management Protocol, Version 3   7.8.1     7.7.1     √                   8.1.
Open Shortest Path First (OSPF) The following table lists the Dell Networking OS support on the C9000 Series for OSPF protocol. Table 136.
66 X.509v3
Dell Networking OS supports X.509v3 standards.
Topics:
• Introduction to X.509v3 certification
• X.509v3 support in Dell Networking OS
• Information about installing CA certificates
• Information about Creating Certificate Signing Requests (CSR)
• Information about installing trusted certificates
• Transport layer security (TLS)
• Online certificate status protocol (OCSP)
• Verifying certificates
• Event logging
Introduction to X.509v3 certification
X.
1 An entity or organization that wants a digital certificate requests one through a CSR. 2 To request a digital certificate through a CSR, a key pair is generated and the CSR is signed using the secret private key. The CSR contains information identifying the applicant and the applicant's public key. This public key is used to verify the signature of the CSR and the Distinguished Name (DN). 3 This CSR is sent to a Certificate Authority (CA).
The Root CA generates a private key and a self-signed CA certificate. The Intermediate CA generates a private key and a Certificate Signing Request (CSR). Using its private key, the Root CA signs the Intermediate CA's CSR, generating a CA certificate for the Intermediate CA. This Intermediate CA can then sign certificates for hosts in the network and also for further intermediate CAs.
During the initial TLS protocol negotiation, both participating parties also check whether the other's certificate has been revoked by the CA. To do this check, the devices query the CA's designated OCSP responder on the network. The OCSP responder information is either included in the presented certificate (the Intermediate CA inserts it when signing the certificate) or statically configured on the host.
Information about installing CA certificates
Dell Networking OS enables you to download and install X.
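The CSR flow, the Root/Intermediate CA chain and the OCSP responder pointer described in the three passages above, worked through with the OpenSSL command line. This is an added example, not Dell Networking OS code: the names (Example Root CA, switch1.example.test), the responder URL http://ocsp.example.test/ and the working directory are constructed placeholders. The root.pem it produces is the kind of CA certificate a switch would receive through crypto ca-cert install, and the final checks show what a TLS peer that trusts only that root can and cannot verify.

```shell
#!/bin/sh
# Added example, not Dell Networking OS code: builds the CSR / CA-chain flow with the
# OpenSSL CLI. All names, paths and the OCSP URL (example.test, ocsp.example.test)
# are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config: the DN is always overridden with -subj, and the two
# extension sections distinguish a CA certificate from an end-entity (host) one.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_host]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:switch1.example.test
# Placeholder responder URL; a real Intermediate CA inserts its own at signing time.
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
EOF

# Steps 1-2 of the CSR flow: generate a key pair, then a CSR signed with the private key.
make_csr() {  # $1 = basename, $2 = subject DN
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -config "$WORK/pki.cnf" -out "$WORK/$1.csr"
}

# First thing a CA does: check the CSR signature with the public key carried in the CSR.
csr_signature_ok() {  # $1 = basename
  openssl req -in "$WORK/$1.csr" -verify -noout >/dev/null 2>&1
}

# Issue a certificate for a CSR with the issuer's key; the extension section decides
# whether the result is itself a CA certificate (v3_ca) or a host certificate (v3_host).
sign_csr() {  # $1 = CSR basename, $2 = issuer basename, $3 = extension section, $4 = days
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days "$4" -extfile "$WORK/pki.cnf" -extensions "$3" \
    -out "$WORK/$1.pem" 2>/dev/null
}

build_pki() {
  # Root CA: private key plus a self-signed CA certificate.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/root.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Example Root CA" -days 3650 \
    -config "$WORK/pki.cnf" -extensions v3_ca -out "$WORK/root.pem"
  # Intermediate CA: key + CSR, signed by the root into a CA certificate.
  make_csr intermediate "/CN=Example Intermediate CA"
  csr_signature_ok intermediate
  sign_csr intermediate root v3_ca 1825
  # Host: key + CSR, signed by the intermediate; the OCSP URL goes in at signing time.
  make_csr host "/CN=switch1.example.test"
  csr_signature_ok host
  sign_csr host intermediate v3_host 365
}

# Chain verification as a TLS peer does it: trust only the root and treat the
# presented intermediate as an untrusted link that must chain up to it.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
    "$WORK/host.pem" >/dev/null 2>&1
}

# Failure mode: the same host certificate does not verify when the intermediate is
# neither presented by the peer nor installed locally.
chain_verifies_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/host.pem" >/dev/null 2>&1
}

# The OCSP responder URL a verifier would query, read back from the host certificate.
host_ocsp_uri() {
  openssl x509 -in "$WORK/host.pem" -noout -ocsp_uri
}

build_pki
echo "chain with intermediate:    $(chain_verifies && echo OK || echo FAIL)"
echo "chain without intermediate: $(chain_verifies_without_intermediate && echo OK || echo FAIL)"
echo "host OCSP responder:        $(host_ocsp_uri)"
```

Run it with sh; the generated keys and certificates land in a temporary directory (or in $WORK if you set it). The second verify deliberately fails: it is the situation where a server presents only its own certificate and the verifying side has installed only the root, which is why either the intermediate must be sent in the TLS handshake or its certificate must be installed as a CA certificate as well.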
crypto ca-cert install {path}
Information about Creating Certificate Signing Requests (CSR)
A Certificate Signing Request (CSR) enables a device to get an X.509v3 certificate from a CA. In order for a device to get an X.509v3 certificate, the device first requests a certificate from a CA through a Certificate Signing Request (CSR). While creating a CSR, you need to provide the information about the certificate and the private key details.
• Organization Name
• Organization Unit Name
• Common Name
• Email address
• Validity
• Length
• Alternate Name
NOTE: The command contains multiple options with the Common Name being a required field and blanks being filled in for unspecified fields.
Information about installing trusted certificates
Dell Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS.
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
When not operating in FIPS mode, the system may support TLS 1.0 up to 1.
Configuring OCSP settings on a CA
You can configure the CA to contact multiple OCSP servers. To configure an OCSP server for a CA, perform the following step:
In the certificate mode, enter the following command:
ocsp-server URL [nonce] [sign-requests]
NOTE: If you have an IPv6 address in the URL, enclose the address in square brackets. For example, http://[1100::203]:6514.
NOTE: A CA certificate can also be revoked.
Verifying server certificates
Verifying server certificates is mandatory in the TLS protocol. As a result, all TLS-enabled applications require certificate verification, including Syslog servers. The system checks the server certificates against the installed CA certificates.
Verifying client certificates
Verifying client certificates is optional in the TLS protocol and is not explicitly required by Common Criteria.