Dell Networking Configuration Guide for the MXL 10/40GbE Switch IO Module Version 9.2(0.0) and 9.2(0.
Notes, Cautions, and Warnings

NOTE: A NOTE indicates important information that helps you make better use of your computer.

CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed, and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

Information in this publication is subject to change without notice.
3 About this Guide

Objectives

This guide describes the supported protocols and software features, and provides configuration instructions and examples, for the Dell Networking MXL 10/40GbE Switch IO Module. The MXL 10/40GbE Switch IO Module is installed in a Dell PowerEdge M1000e Enclosure. For information about how to install and perform the initial switch configuration, refer to the Getting Started Guides on the Dell Support website at http://support.dell.com/manuals.

Conventions

This document uses the following conventions to describe command syntax:

• keyword: Keywords are in bold and must be entered in the CLI as listed.
• parameter: Parameters are in italics and require a number or word to be entered in the CLI.
• {X}: Keywords and parameters within braces must be entered in the CLI.
• [X]: Keywords and parameters within brackets are optional.
4 Configuration Fundamentals

The Dell Networking operating software (FTOS) command line interface (CLI) is a text-based interface through which you can configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. In FTOS, after you enable a command, it is entered into the running configuration file.
www.dell.com | support.dell.com CLI Modes Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (with the exception of EXEC mode commands preceded by the command do; for more information, refer to The do Command and EXEC Privilege Mode commands). You can set user access rights to commands and command modes using privilege levels; for more information about privilege levels and security options, refer to Security.
Figure 4-2. CLI Modes in FTOS

Navigating CLI Modes

The FTOS prompt changes to indicate the CLI mode. Table 4-1 lists the CLI mode, its prompt, and information about how to access and exit this CLI mode. You must move linearly through the command modes, with two exceptions: the end command takes you directly to EXEC Privilege mode, and the exit command moves you up one command mode level.

Table 4-1. FTOS Command Modes

CLI Command Mode: CONFIGURATION
Prompt: FTOS(conf)#
Access Command:
• From EXEC Privilege mode, enter the command configure.
• From every mode except EXEC and EXEC Privilege, enter the command exit.

Figure 4-4.
Layer 2 protocols are disabled by default. Enable them using the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.

Obtaining Help

Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help commands:

• Enter ? at the prompt or after a keyword to list the keywords available in the current mode.
• ? after a prompt lists all of the available keywords.

Entering and Editing Commands

When entering commands:

• The CLI is not case sensitive.
• You can enter partial CLI keywords. You must enter the minimum number of letters to uniquely identify a command. For example, cl cannot be entered as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can, however, enter clo as a partial keyword because only one command begins with those three letters.

Table 4-2.
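The unique-prefix rule above is easy to get wrong in automation that pushes abbreviated commands to a switch. The following Python, an added example and not code from the Dell guide, resolves an abbreviation against a keyword list the way the CLI does (case-insensitive, exact match wins, anything matching two or more keywords is rejected) and computes the shortest safe abbreviation for a keyword. The keyword list is a constructed sample; the real EXEC Privilege mode has far more commands, so always resolve against the list from the target release.

```python
"""Resolve abbreviated FTOS-style CLI keywords by unique prefix.

Added example, not code from the Dell guide.  The keyword list is a
constructed sample; a real CLI mode contains many more keywords.
"""

# Constructed sample of keywords available in one CLI mode (assumption:
# the real mode has more; only these matter for the demonstration).
EXEC_PRIVILEGE_KEYWORDS = [
    "class-map", "clear", "clock", "configure", "copy", "dir", "disable",
    "show", "telnet", "terminal", "write",
]


class AmbiguousKeyword(ValueError):
    """Raised when a prefix matches more than one keyword."""


class UnknownKeyword(ValueError):
    """Raised when a prefix matches no keyword."""


def resolve_keyword(prefix: str, keywords=EXEC_PRIVILEGE_KEYWORDS) -> str:
    """Return the unique keyword that starts with ``prefix``.

    Matching is case-insensitive, like the FTOS CLI.  An exact match wins
    even when it is also a prefix of a longer keyword, mirroring how such
    CLIs behave; otherwise the prefix must select exactly one keyword.
    """
    p = prefix.lower()
    if not p:
        raise UnknownKeyword("empty keyword")
    matches = [k for k in keywords if k.lower().startswith(p)]
    for k in matches:
        if k.lower() == p:
            return k
    if not matches:
        raise UnknownKeyword(f"{prefix!r}: no such keyword")
    if len(matches) > 1:
        raise AmbiguousKeyword(
            f"{prefix!r} is ambiguous: {', '.join(sorted(matches))}")
    return matches[0]


def minimum_unique_prefix(keyword: str, keywords=EXEC_PRIVILEGE_KEYWORDS) -> str:
    """Shortest abbreviation that selects ``keyword`` unambiguously."""
    kw = keyword.lower()
    for n in range(1, len(kw) + 1):
        try:
            if resolve_keyword(kw[:n], keywords).lower() == kw:
                return kw[:n]
        except (AmbiguousKeyword, UnknownKeyword):
            pass
    return kw


if __name__ == "__main__":
    print(resolve_keyword("clo"))              # clock
    print(minimum_unique_prefix("class-map"))  # cla
    try:
        resolve_keyword("cl")
    except AmbiguousKeyword as err:
        print(err)
```

Scripts that generate configuration should emit full keywords and use this kind of check only to validate operator-typed input: an abbreviation that is unique today can become ambiguous when a software upgrade adds a command.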
Command History FTOS maintains a history of previously-entered commands for each mode. For example: • • When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands. When you are in CONFIGURATION mode, the UP or DOWN arrows keys recall the previously-entered CONFIGURATION mode commands.
• except: displays text that does not match the specified text. Figure 4-10 shows this command used in combination with the do show stack-unit all stack-ports all pfc details | except 0 command.

Figure 4-10.
Multiple Users in Configuration Mode FTOS notifies all users in the event that there are multiple users logged into CONFIGURATION mode. A warning message indicates the username, type of connection (console or vty), and in the case of a vty connection, the IP address of the terminal on which the connection was established.
5 Getting Started

This chapter contains the following major sections:

• Console access
• Boot Process
• Default Configuration
• Configure a Host Name
• Access the System Remotely
• Configure the Enable Password
• Configuration File Management
• File System Management
• View the Command History
• Upgrading and Downgrading FTOS

When the boot process is complete, the console monitor displays the Dell Networking operating software (FTOS) banner and EXEC mode prompt (Figure 5-2).

Figure 5-1.
For the console port pinout, refer to Table 5-1. To access the console port, follow these steps:

1. Connect the USB connector to the front panel. Use the RS-232 Serial Line cable to connect the MXL 10/40GbE Switch IO Module console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.

Figure 5-2. Completed Boot Process

syncing disks... done
unmounting file systems...
unmounting /f10/flash (/dev/ld0e)...
unmounting /usr (mfs:31)...
unmounting /lib (mfs:23)...
unmounting /f10 (mfs:20)...
unmounting /tmp (mfs:15)...
unmounting /kern (kernfs)...
unmounting / (/dev/md0a)...
done
rebooting...
NetLogic XLP Stage 1 Loader
Built by build at tools-sjc-01 on Thu May 31 23:53:38 2012
IOM Boot Selector Label 4.0.0.
Figure 5-3. Completed Boot Process (Contd.) DRAM: 2 GB Initialized CPLD on CS3 Detected [XLP308 (Lite+) Rev A0] Initializing I2C0: speed = 30 KHz, prescaler = 0x0377 -- done. Initializing I2C1: speed = 100 KHz, prescaler = 0x0109 -- done. Initialized eMMC Host Controller Detected SD Card Now running in RAM - U-Boot [N64 ABI, Big-Endian] at: ffffffff8c100000 Flash: 256 MB PCIE (B0:D01:F0) : Link up. PCIE (B0:D01:F1) : No Link.
Default Configuration

A version of FTOS is pre-loaded onto the chassis; however, the system is not configured when you power up for the first time (except for the default hostname, which is FTOS). You must configure the system using the CLI.

Configure a Host Name

The host name appears in the prompt. The default host name is FTOS.

• Host names must start with a letter and end with a letter or digit.
• Characters within the string can be letters, digits, and hyphens.

3. Configure a username and password. Refer to Configure a Username and Password.

Configure the Management Port IP Address

Assign IP addresses to the management ports in order to access the system remotely. To configure the management port IP address, follow these steps:

Step 1: Enter INTERFACE mode for the Management port.
Command Syntax: interface ManagementEthernet slot/port
Command Mode: CONFIGURATION

Step 2: Assign an IP address to the interface.

Configure a Username and Password

Configure a system username and password to access the system remotely. To configure a username and password, follow this step:

Step 1: Configure a username and password to access the system remotely.
Command Syntax: username username password [encryption-type] password
Command Mode: CONFIGURATION

encryption-type specifies how you are inputting the password, is 0 by default, and is not required.
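The host-name rules, the management-interface command and the username command above are the pieces of a remote-access bootstrap that is usually scripted. The following Python is an added example, not code from the Dell guide: it enforces the host-name rules before anything is sent to the switch and emits the CONFIGURATION-mode commands for one management interface and one local user. The hostname command, the address/prefix-length form of the ip address command and the no shutdown line are assumptions (the guide does not show them on this page), and a password entered with encryption-type 0 is typed in clear text, so do not keep such a script's arguments in a shared history or repository.

```python
"""Validate a host name and emit the remote-access bootstrap commands.

Added example, not from the Dell guide.  The host-name rules (start with
a letter, end with a letter or digit, only letters, digits and hyphens)
are the guide's; the ``hostname`` and ``ip address`` syntax and the
``no shutdown`` line are assumptions to be checked against the target
release.  encryption-type 0 (the guide's default) means clear text.
"""
from __future__ import annotations

import re

_HOSTNAME_RE = re.compile(r"^[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def valid_hostname(name: str) -> bool:
    """True if ``name`` satisfies the guide's host-name rules."""
    return bool(_HOSTNAME_RE.match(name))


def management_access_config(hostname: str, slot: int, port: int,
                             address: str, prefix_len: int,
                             username: str, password: str,
                             encryption_type: int = 0) -> list[str]:
    """Return the CONFIGURATION-mode commands that bring up remote access.

    Raises ValueError on a bad host name or prefix length so a typo never
    reaches the switch.  ``encryption_type`` is passed through unchanged;
    0 is the guide's default and means the password is given in clear text.
    """
    if not valid_hostname(hostname):
        raise ValueError(f"invalid host name: {hostname!r}")
    if not 1 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 1 and 32")
    return [
        f"hostname {hostname}",                      # assumption: hostname command
        f"interface ManagementEthernet {slot}/{port}",
        f" ip address {address}/{prefix_len}",       # assumption: address/prefix form
        " no shutdown",                              # assumption: bring the port up
        " exit",
        f"username {username} password {encryption_type} {password}",
    ]


if __name__ == "__main__":
    print("\n".join(management_access_config(
        "mxl-a1", 0, 0, "10.11.0.10", 24, "netadmin", "S3cret!")))
```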
Configuration File Management You can store on and access files from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode. Note: Using flash memory cards in the system that have not been approved by Dell Networking can cause unexpected system behavior, including a reboot. Copy Files to and from the System The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url.
To save the running-configuration: Note: The commands in this section follow the same format as those in Copy Files to and from the System on page 53 but use the filenames startup-config and running-config. These commands assume that current directory is the internal flash, which is the system default.
Figure 5-7.
Figure 5-8. Tracking Changes with Configuration Comments FTOS#show running-config Current Configuration ... Current Configuration ... ! Version E8-3-16-0 ! Last configuration change at Tue Mar 6 11:51:50 2012 by default ! Startup-config last updated at Tue Mar 6 07:41:23 2012 by default ! boot system stack-unit 5 primary tftp://10.11.200.241/dt-m1000e-3-a2 boot system stack-unit 5 secondary system: B: boot system stack-unit 5 default tftp://10.11.200.241/dt-m1000e-3-b2 boot system gateway 10.11.209.
You can change the default storage location to the USB Flash (Figure 5-10). File management commands then apply to the USB Flash rather than the internal Flash.

Figure 5-10. Alternative Storage Location

FTOS#cd usbflash:
FTOS#copy running-config test
!
3998 bytes successfully copied
No File System Specified
FTOS#dir
Directory of usbflash:
1 drwx 4096 Jan 01 1980 00:00:00 +00:00 .
2 drwx 2048 May 02 2012 07:05:06 +00:00 ..
3 -rwx
4 -rwx
6 Management

This chapter explains the different protocols or services used to manage the Dell Networking system, including:

• Configure Privilege Levels
• Configure Logging
• File Transfer Services
• Terminal Lines
• Lock CONFIGURATION Mode
• Recovering from a Forgotten Password
• Recovering from a Failed Start

Configure Privilege Levels

Privilege levels restrict access to commands based on user or terminal line. There are 15 privilege levels, of which two are pre-defined.

Removing a Command from EXEC Mode

Remove a command from the list of available commands in EXEC mode for a specific privilege level using the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, followed by the first keyword of each command to be restricted.

Task: Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all keywords in the command.
Command Syntax: privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
Command Mode: CONFIGURATION

Task: Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
Command Syntax: privilege {configure |interface | line | route-map | router} level level {command ||...
Figure 6-1.
To set a privilege level for a user:

Task: Configure a privilege level for a user.
Command Syntax: username username privilege level
Command Mode: CONFIGURATION

Apply a Privilege Level to a Terminal Line

To set a privilege level for a terminal line:

Task: Configure a privilege level for a terminal line.

Disable System Logging

By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, console, and syslog servers. To enable and disable system logging:

• Disable all logging except on the console: no logging on (CONFIGURATION mode)
• Disable logging to the logging buffer: no logging buffer (CONFIGURATION mode)
• Disable logging to terminal lines: no logging monitor (CONFIGURATION mode)
• Disable console logging.

To change the severity level of messages logged to a syslog server, use any or all of the following commands in CONFIGURATION mode:

• Specify the minimum severity level for logging to the logging buffer: logging buffered level
• Specify the minimum severity level for logging to the console: logging console level
• Specify the minimum severity level for logging to terminal lines.

Figure 6-2. show logging Command Example

FTOS#show logging
Syslog logging: enabled
Console logging: level debugging
Monitor logging: level debugging
Buffer logging: level debugging, 58 Messages Logged, Size (40960 bytes)
Trap logging: level informational
Logging to 172.31.1.4
Logging to 172.16.1.162
Logging to 133.33.33.4
Logging to 10.10.10.4
Logging to 10.1.2.4
May 20 20:00:10: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from vty0 ( 10.11.68 .
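The per-destination levels in the show logging output above (console, monitor, buffer and trap each with their own level) decide which messages a syslog collector or SIEM ever sees. The following Python is an added example, not code from the Dell guide: it parses lines in the %STKUNIT-M:CP %FACILITY-SEVERITY-MNEMONIC format shown in Figure 6-2 and routes each message to every destination whose configured level admits it, so you can check what a given logging trap or logging console setting would drop. The sample lines, the mnemonics other than CONFIG_I, the addresses and the destination names are constructed; the level names and numbers are the standard syslog ones that FTOS uses.

```python
"""Parse FTOS-style syslog lines and apply per-destination severity levels.

Added example, not from the Dell guide.  The sample lines are constructed
in the format shown in the guide's show logging output; level names and
numbers are standard syslog.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Example line: May 20 20:00:10: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from vty0 (...)
_MSG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%(?P<unit>STKUNIT\d+-[MS]):(?P<cpu>\w+) "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")


@dataclass(frozen=True)
class LogMessage:
    timestamp: str
    unit: str
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_line(line: str) -> LogMessage | None:
    """Return the parsed message, or None for a line not in FTOS format."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    return LogMessage(m["ts"], m["unit"], m["facility"], int(m["severity"]),
                      m["mnemonic"], m["text"])


def deliver(messages, destinations: dict[str, str]) -> dict[str, list[LogMessage]]:
    """Route each message to every destination whose level admits it.

    ``destinations`` maps a destination name to a level name.  A message is
    delivered when its numeric severity is at or below the destination's
    level (lower number = more severe), which is how the logging console,
    logging buffered and logging trap level settings behave.
    """
    out: dict[str, list[LogMessage]] = {name: [] for name in destinations}
    for msg in messages:
        for name, level in destinations.items():
            if msg.severity <= LEVELS[level]:
                out[name].append(msg)
    return out


# Constructed sample lines; the mnemonics, times and addresses are made up.
SAMPLE_LINES = [
    "May 20 20:00:10: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from vty0 (10.11.68.5)",
    "May 20 20:00:12: %STKUNIT0-M:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Te 0/1",
    "May 20 20:01:03: %STKUNIT0-M:CP %SEC-3-AUTHENTICATION_FAILURE: Login failed for user admin from 10.11.68.9",
    "May 20 20:01:05: %STKUNIT0-M:CP %SYS-7-DEBUG_MSG: debug detail",
    "garbage line that does not parse",
]


def summarize(lines=SAMPLE_LINES, destinations=None):
    """Parse ``lines`` and route them; returns (parsed messages, per-destination lists)."""
    destinations = destinations or {"console": "debugging",
                                    "trap": "informational",
                                    "siem": "warnings"}
    parsed = [m for m in map(parse_line, lines) if m is not None]
    return parsed, deliver(parsed, destinations)


if __name__ == "__main__":
    parsed, routed = summarize()
    for name, msgs in routed.items():
        print(name, [m.mnemonic for m in msgs])
```

The security-relevant check is the last destination: a collector configured at warnings receives the failed login but not the CONFIG_I message, so an investigator reconstructing who changed the configuration would have to rely on the on-box buffer, which is lost on reload. Set the trap level to include notifications (5) if configuration changes must reach the central log.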
Configure a UNIX Logging Facility Level You can save system log messages with a UNIX system logging facility. To configure a UNIX logging facility level, use the following command in CONFIGURATION mode: Command Syntax Command Mode Purpose logging facility [facility-type] CONFIGURATION Specify one of the following parameters.
Synchronize log messages

You can configure FTOS to filter and consolidate system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system.
Enable timestamp on Syslog Messages By default, syslog messages do not include a time/date stamp stating when the error or message was created. To have FTOS include a timestamp with the syslog message, use the following command syntax in CONFIGURATION mode: Command Syntax Command Mode Purpose service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime] CONFIGURATION Add timestamp to syslog messages.
Enable the FTP Server

To enable the system as an FTP server, use the following command in CONFIGURATION mode:

Command Syntax: ftp-server enable
Command Mode: CONFIGURATION
Purpose: Enable FTP on the system.

To view the FTP configuration, enter the show running-config ftp command in EXEC privilege mode (Figure 6-4).

Figure 6-4.
Configure FTP Client Parameters To configure FTP client parameters, use the following commands in CONFIGURATION mode: Command Syntax Command Mode Purpose ip ftp source-interface interface CONFIGURATION Enter the following keywords and slot/port or number information: • For a loopback interface, enter the keyword loopback followed by a number between 0 and 16383.
Figure 6-5. Applying an Access List to a VTY Line

FTOS(conf-std-nacl)#show config
!
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
FTOS(conf-std-nacl)#line vty 0
FTOS(conf-line-vty)#show config
line vty 0
 access-class myvtyacl

FTOS Behavior: Prior to FTOS version 7.4.2.0, in order to deny access on a VTY line, you must apply an ACL and AAA authentication to the line. Then users are denied access only after they enter a username and password.

Step 3: If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line.
Command Syntax: password
Command Mode: LINE

VTY lines 0-2 use a single authentication method, line (Figure 6-6).

Figure 6-6.
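The access-class shown in Figure 6-5 is evaluated before any authentication, which is why it is the control that keeps unauthenticated connections off the management plane. The following Python is an added example, not code from the Dell guide: it parses a standard ACL in the show config form above and evaluates a client address the way the line applies it (entries in sequence order, first match wins, implicit deny when nothing matches, and a line with no access-class open to everyone). The ACL text and the client addresses are constructed, and the wildcard-mask entry is an assumption about the syntax, added to show a subnet rule beside the guide's host rule.

```python
"""Evaluate a standard IP ACL the way access-class applies it to a VTY line.

Added example, not from the Dell guide.  The ACL text and client addresses
are constructed; the evaluation rules (sequence order, first match wins,
implicit deny at the end, no access-class means open) are the standard
semantics.  Only contiguous wildcard masks are supported here.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

_ENTRY_RE = re.compile(
    r"^seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?:(?P<host>host) (?P<addr>\S+)|(?P<any>any)|(?P<net>\S+)(?: (?P<wild>\S+))?)$")


@dataclass(frozen=True)
class AclEntry:
    seq: int
    permit: bool
    network: ipaddress.IPv4Network


def _wildcard_to_network(addr: str, wildcard: str | None) -> ipaddress.IPv4Network:
    """Convert ``addr wildcard`` (inverse mask) to a network; no wildcard means host."""
    if wildcard is None:
        return ipaddress.IPv4Network(addr)
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    if (mask | (mask - 1)) & 0xFFFFFFFF != 0xFFFFFFFF:   # reject non-contiguous masks
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported here")
    netmask = str(ipaddress.IPv4Address(mask))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def parse_standard_acl(config: str) -> list[AclEntry]:
    """Parse the lines of an ``ip access-list standard`` block into sorted entries."""
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "ip access-list")):
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        if m["any"]:
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif m["host"]:
            net = ipaddress.IPv4Network(m["addr"])
        else:
            net = _wildcard_to_network(m["net"], m["wild"])
        entries.append(AclEntry(int(m["seq"]), m["action"] == "permit", net))
    return sorted(entries, key=lambda e: e.seq)


def vty_allows(entries: list[AclEntry] | None, source: str) -> bool:
    """First matching entry decides; nothing matching is an implicit deny.

    ``None`` models a VTY line with no access-class at all (wide open),
    which is the state a hardening review should flag.
    """
    if entries is None:
        return True
    src = ipaddress.IPv4Address(source)
    for entry in entries:
        if src in entry.network:
            return entry.permit
    return False


# Constructed ACL: the guide's host entry plus an assumed jump-host subnet.
SAMPLE_ACL = """\
!
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
 seq 10 permit 10.11.100.0 0.0.0.255
"""

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    for client in ("10.11.0.1", "10.11.100.7", "10.11.0.2", "192.0.2.5"):
        print(client, "permit" if vty_allows(acl, client) else "deny")
```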
www.dell.com | support.dell.com Figure 6-7. Configuring EXEC Timeout FTOS(conf)#line con 0 FTOS(conf-line-console)#exec-timeout 0 FTOS(conf-line-console)#show config line console 0 exec-timeout 0 0 FTOS(conf-line-console)# Telnet to Another Network Device To telnet to another device (Figure 6-8): Task Command Syntax Command Mode Telnet to the stack-unit.You do not need to configure the management port on the stack-unit to be able to telnet to it.
You can set two types of locks: auto and manual. • • Set an auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set an auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access. This means that you can exit to EXEC Privilege mode, and re-enter CONFIGURATION mode, without having to set the lock again. Set a manual lock using the configure terminal lock command from CONFIGURATION mode.
www.dell.com | support.dell.com You can then send any user a message using the send command from EXEC Privilege mode. Alternatively you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode. Recovering from a Forgotten Password If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted to re-enter the password.
Step 2: Power-cycle the chassis by switching off all of the power modules and then switching them back on.
Step 3: Hit any key during bootup to abort the boot process. You enter uBoot immediately, as indicated by the => prompt.
Step 4: Set the system parameters to ignore the enable password when the system reloads. Command: setenv enablepwdignore true (uBoot)
Step 5: Reload the system. Command: reset (uBoot)
Step 6: Configure a new enable password.
Because this procedure requires only console and power access, anyone with physical access to the chassis can reset the enable password; restrict physical and console access accordingly.
7 802.1X Protocol Overview 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 7-1.
3. The authenticator decapsulates the EAP Response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame, and forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge. The Access-Challenge is a request that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator.
5.
Figure 7-3. RADIUS Frame Format
Fields: Code, Identifier, Length, Authenticator, Attributes.
Codes: 1: Access-Request, 2: Access-Accept, 3: Access-Reject, 11: Access-Challenge
Attributes shown: EAP-Message (type 79), whose value is the EAP-Method data (the supplicant's requested credentials), and Message-Authenticator.
RADIUS Attributes for 802.1X Support
Dell Force10 systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
•
•
•
•
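The following Python is an added example, not Dell or FTOS code. It builds the Access-Request an authenticator sends around an EAP-Message attribute, parses it back, and performs the Message-Authenticator check (HMAC-MD5 over the packet keyed with the shared secret) that a RADIUS server must make before trusting the EAP payload. The shared secret, user name and EAP Response/Identity payload are constructed test values.

```python
"""RADIUS Access-Request carrying EAP-Message, with Message-Authenticator.

Added example, not FTOS code. Builds the frame an 802.1X authenticator
sends to the RADIUS server (RFC 2865 header, RFC 3579 EAP attributes),
parses it back, and verifies the HMAC-MD5 Message-Authenticator the way
the server must before trusting the EAP-Message contents.
Secret, identity and EAP payload are constructed test values.
"""
import hashlib
import hmac
import os
import struct

# RADIUS codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# Attribute types used for EAP over RADIUS (RFC 3579)
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code, id, length, 16-byte Request Authenticator


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts its 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, authenticator: bytes,
                         user_name: bytes, eap_payload: bytes) -> bytes:
    """Return a complete Access-Request with User-Name, EAP-Message and Message-Authenticator.

    Message-Authenticator = HMAC-MD5(secret, packet with that attribute's value zeroed),
    so it is appended as 16 zero bytes first and filled in last (RFC 3579 section 3.2).
    """
    attrs = _avp(ATTR_USER_NAME, user_name) + _avp(ATTR_EAP_MESSAGE, eap_payload)
    attrs += _avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet += authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_radius(packet: bytes) -> dict:
    """Decode the header and attribute list; raise ValueError on malformed input."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, bytes(packet[pos + 2:pos + attr_len])))
        pos += attr_len
    return {"code": code, "id": identifier, "authenticator": bytes(packet[4:HEADER_LEN]),
            "attrs": attrs}


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Recompute the HMAC over the packet with the attribute value zeroed and compare.

    A server that skips this check accepts forged EAP-Message attributes from
    anything that can spoof the NAS source address towards UDP/1812.
    """
    parsed = parse_radius(packet)
    pos = HEADER_LEN
    for attr_type, value in parsed["attrs"]:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False  # RFC 3579 requires the attribute whenever EAP-Message is present


# Constructed test values: EAP Response/Identity (code 2, id 1, type 1) for "alice".
SECRET = b"constructed-shared-secret"
EAP_RESPONSE_IDENTITY = struct.pack("!BBH", 2, 1, 10) + b"\x01" + b"alice"


def demo() -> tuple:
    """Build one request, verify it, then show that one flipped byte fails verification."""
    pkt = build_access_request(SECRET, 7, os.urandom(16), b"alice", EAP_RESPONSE_IDENTITY)
    parsed = parse_radius(pkt)
    tampered = bytearray(pkt)
    tampered[HEADER_LEN + 2] ^= 0x01  # first byte of the User-Name value
    return (parsed["code"], len(parsed["attrs"]),
            verify_message_authenticator(SECRET, pkt),
            verify_message_authenticator(SECRET, bytes(tampered)))


if __name__ == "__main__":
    print(demo())  # (1, 3, True, False)
```

The Request Authenticator is random per request, so the same credentials never produce the same HMAC twice; the check protects the EAP-Message and the NAS identity against modification, not against disclosure, which is why the RADIUS shared secret and transport still matter.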
Configuring 802.1X
Configuring 802.1X on a port is a two-step process:
1. Enable 802.1X globally. See page 83.
2. Enable 802.1X on an interface. See page 83.
Related Configuration Tasks
• Configuring Request Identity Re-transmissions on page 85
• Configuring Port-control on page 87
• Re-authenticating a Port on page 87
• Configuring Timeouts on page 89
• Configuring a Guest VLAN on page 92
• Configuring an Authentication-fail VLAN on page 92
Important Points to Remember
• FTOS supports 802.
To enable 802.1X:
Step 1: Enable 802.1X globally. Command: dot1x authentication (CONFIGURATION mode)
Step 2: Enter INTERFACE mode on an interface or a range of interfaces. Command: interface [range] (INTERFACE mode)
Step 3: Enable 802.1X on an interface or a range of interfaces. Command: dot1x authentication (INTERFACE mode)
Verify that 802.1X is enabled globally and at interface level using the command show running-config | find from EXEC Privilege mode, as shown in Figure 7-5.
Configuring Request Identity Re-transmissions If the authenticator sends a Request Identity frame, but the supplicant does not respond, the authenticator waits 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits are configurable.
Figure 7-7 shows configuration information for a port on which the authenticator re-transmits an EAP Request Identity frame to an unresponsive supplicant after 90 seconds, a maximum of 10 times.
Figure 7-7.
To place a port in one of these three states:
Step 1: Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state. Command: dot1x port-control {force-authorized | force-unauthorized | auto} (INTERFACE mode). Default: auto
A force-authorized port passes traffic without any authentication exchange, so use it only where the attached device is trusted.
Figure 7-8 shows configuration information for a port that has been force-authorized.
Figure 7-8. Configuring Port-control
Force10(conf-if-gi-2/1)#dot1x port-control force-authorized
Force10(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.
To configure a re-authentication or a re-authentication period:
Step 1: Configure the authenticator to periodically re-authenticate the supplicant. Command: dot1x reauthentication [interval] seconds (INTERFACE mode). Range: 1-65535. Default: 3600
To configure a maximum number of re-authentications:
Step 1: Configure the maximum number of times that the supplicant can be reauthenticated.
Figure 7-9. Configuring a Reauthentication Period
Force10(conf-if-gi-2/1)#dot1x reauthentication interval 7200
Force10(conf-if-gi-2/1)#dot1x reauth-max 10
Force10(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.
Figure 7-10. Configuring a Timeout
Force10(conf-if-gi-2/1)#dot1x port-control force-authorized
Force10(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.
Figure 7-11. Dynamic VLAN Assignment with 802.1X
(Diagram: an end-user device connected to a Force10 switch.)
Force10(conf-if-gi-1/10)#show config
interface GigabitEthernet 1/10
 no ip address
 switchport
 dot1x authentication
 no shutdown
Global RADIUS server line from the same figure:
radius-server host 10.11.197.169 auth-port 1645 key 7 387a7f2df5969da4
Force10#show dot1x interface gigabitethernet 1/10
802.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some devices such as network printers do not have 802.1X capability and therefore cannot authenticate themselves.
Figure 7-13. Configuring an Authentication-fail VLAN
Force10(conf-if-gi-1/2)#dot1x auth-fail-vlan 100 max-attempts 5
Force10(conf-if-gi-1/2)#show config
!
interface GigabitEthernet 1/2
 switchport
 dot1x guest-vlan 200
 dot1x auth-fail-vlan 100 max-attempts 5
 no shutdown
Force10(conf-if-gi-1/2)#
View your configuration using the command show config from INTERFACE mode, as shown in Figure 7-12, or using the command show dot1x interface from EXEC Privilege mode, as shown in Figure 7-14.
Figure 7-14.
8 Access Control Lists (ACLs) This chapter describes the access control lists (ACLs), prefix lists, and route-maps.
IP Access Control Lists (ACLs)
In the Dell Networking switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address.
• L3 Ingress Access list
• L3 Egress Access list
Note: IP ACLs are supported over VLANs in Version 6.2.1.1 and higher.
ACLs and VLANs
There are some differences when assigning ACLs to a VLAN rather than a physical port. For example, when using a single port-pipe, if you apply an ACL to a VLAN, one copy of the ACL entries gets installed in the ACL CAM on the port-pipe. The entry would look for the incoming VLAN in the packet.
Figure 8-1. Using the Order Keyword in ACLs
FTOS(conf)#ip access-list standard acl1
FTOS(conf-std-nacl)#permit 20.0.0.0/8
FTOS(conf-std-nacl)#exit
FTOS(conf)#ip access-list standard acl2
FTOS(conf-std-nacl)#permit 20.1.1.
To deny second and subsequent fragments, use the same rules in a different order. These ACLs deny all second and subsequent fragments with destination IP 10.1.1.1 but permit the first fragment and non-fragmented packets with destination IP 10.1.1.1 (Figure 8-3).
Figure 8-3. Deny Second Packets
FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
FTOS(conf-ext-nacl)#permit ip any 10.1.1.
Note the following when configuring ACLs with the fragments keyword. When an ACL filters packets, it looks at the fragment offset (FO) to determine whether or not it is a fragment. FO = 0 means it is either the first fragment or the packet is a non-fragment. FO > 0 means it is dealing with the fragments of the original packet.
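The following Python is an added example, not FTOS code. It models how an ordered extended ACL is applied, with the fragments keyword matching only on FO > 0, and replays the two rule orderings discussed above to show why the permit-first list never reaches its deny-fragments rule. The ACLs, addresses and packets are constructed.

```python
"""Ordered extended-ACL evaluation with the FTOS 'fragments' keyword.

Added example, not FTOS code. Rules are tried in ascending sequence
number, the first match decides, and anything unmatched hits the implicit
deny. A rule carrying 'fragments' matches only packets whose fragment
offset (FO) is greater than 0, i.e. second and subsequent fragments; the
first fragment and unfragmented packets have FO = 0. The ACLs and packets
below are constructed to mirror the two orderings discussed in the text.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    frag_offset: int = 0  # IP header FO: 0 = first fragment or unfragmented packet


@dataclass
class Rule:
    seq: int
    action: str               # "permit" or "deny"
    protocol: str             # "ip" matches any IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    fragments: bool = False


def _net(spec: str) -> ipaddress.IPv4Network:
    """Translate ACL address syntax ('any', 'host A.B.C.D', 'A.B.C.D/len') to a network."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec[5:] + "/32")
    return ipaddress.IPv4Network(spec, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse 'seq N {permit|deny} PROTO SRC DST [fragments]' as show config prints it."""
    t = line.split()
    if t[0] != "seq":
        raise ValueError("expected an explicit sequence number: " + line)
    seq, action, proto, rest = int(t[1]), t[2], t[3], t[4:]
    fragments = bool(rest) and rest[-1] == "fragments"
    if fragments:
        rest = rest[:-1]
    addrs, i = [], 0
    while i < len(rest):                 # 'host X' is two tokens, 'any' and CIDR are one
        if rest[i] == "host":
            addrs.append("host " + rest[i + 1])
            i += 2
        else:
            addrs.append(rest[i])
            i += 1
    if len(addrs) != 2 or action not in ("permit", "deny"):
        raise ValueError("malformed rule: " + line)
    return Rule(seq, action, proto, _net(addrs[0]), _net(addrs[1]), fragments)


def evaluate(rules, pkt: Packet) -> tuple:
    """Return (action, matching seq); seq is None when the implicit deny applies."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.protocol != "ip" and rule.protocol != pkt.protocol:
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.fragments and pkt.frag_offset == 0:   # 'fragments' needs FO > 0
            continue
        return rule.action, rule.seq
    return "deny", None


# Permit listed first: the deny-fragments rule is shadowed and never reached.
PERMIT_FIRST = [parse_rule(l) for l in (
    "seq 5 permit ip any host 10.1.1.1",
    "seq 10 deny ip any 10.1.1.1/32 fragments",
)]
# Deny-fragments listed first: later fragments dropped, first fragment and whole packets pass.
DENY_FRAGMENTS_FIRST = [parse_rule(l) for l in (
    "seq 5 deny ip any 10.1.1.1/32 fragments",
    "seq 10 permit ip any host 10.1.1.1",
)]

FIRST_FRAGMENT = Packet("192.0.2.10", "10.1.1.1", frag_offset=0)
LATER_FRAGMENT = Packet("192.0.2.10", "10.1.1.1", frag_offset=185)
OTHER_HOST = Packet("192.0.2.10", "10.1.1.2")

if __name__ == "__main__":
    for name, acl in (("permit-first", PERMIT_FIRST), ("deny-fragments-first", DENY_FRAGMENTS_FIRST)):
        for pkt in (FIRST_FRAGMENT, LATER_FRAGMENT, OTHER_HOST):
            print(name, pkt.dst, pkt.frag_offset, evaluate(acl, pkt))
```

Non-initial fragments carry no Layer 4 header, so a rule that matches on ports can never see them; a list that permits TCP to a host by port and has no fragments rule leaves those fragments to the implicit deny, which is the behavior the ordering above lets you control explicitly.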
Figure 8-6. Command Example: show ip accounting access-list
FTOS#show ip accounting access ToOspf interface tengig 1/6
Standard IP access list ToOspf
 seq 5 deny any
 seq 10 deny 10.2.0.0 /16
 seq 15 deny 10.3.0.0 /16
 seq 20 deny 10.4.0.0 /16
 seq 25 deny 10.5.0.0 /16
 seq 30 deny 10.6.0.0 /16
 seq 35 deny 10.7.0.0 /16
 seq 40 deny 10.8.0.0 /16
 seq 45 deny 10.9.0.0 /16
 seq 50 deny 10.10.0.0 /16
FTOS#
Figure 8-7 shows how the seq command orders the filters according to the sequence number assigned.
Figure 8-8 shows a standard IP ACL in which the sequence numbers were assigned by FTOS. The filters were assigned sequence numbers based on the order in which they were configured (for example, the first filter was given the lowest sequence number). The show config command in IP ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
Figure 8-8. Standard IP ACL
FTOS(conf-route-map)#ip access standard kigali
FTOS(conf-std-nacl)#permit 10.1.0.
Configure Filters with a Sequence Number
To create a filter for packets with a specified sequence number, follow these steps, starting in CONFIGURATION mode:
Step 1: Enter the IP ACCESS LIST mode by creating an extended IP ACL. Command: ip access-list extended (CONFIGURATION mode)
Step 2: Configure a drop or forward filter. (CONFIG-EXT-NACL mode)
To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the following commands in IP ACCESS LIST mode:
{deny | permit} {source mask | any | host ip-address} [count [byte]] [order] [fragments] (CONFIG-EXT-NACL mode): Configure a deny or permit filter to examine IP packets.
Configuring Layer 2 and Layer 3 ACLs on an Interface
You can configure both Layer 2 and Layer 3 ACLs on an interface in Layer 2 mode. If both L2 and L3 ACLs are applied to an interface, the following rules apply:
• The packets routed by FTOS are governed by the L3 ACL only, because they are not filtered against an L2 ACL.
• The packets switched by FTOS are first filtered by the L3 ACL, then by the L2 ACL.
• When packets are switched by FTOS, the egress L3 ACL does not filter the packet.
You can apply the same ACL to different interfaces, and that changes its functionality. For example, you can take ACL “ABCD” and apply it using the in keyword, and it becomes an ingress access list. If you apply the same ACL using the out keyword, it becomes an egress access list. For more information about Layer-3 interfaces, refer to Interfaces.
To view the number of packets matching an ACL that is applied to an interface, follow these steps:
1. Create an ACL that uses rules with the count option. Refer to Configure a Standard IP ACL.
2. Apply the ACL as an inbound or outbound ACL on an interface. Refer to Assign an IP ACL to an Interface.
3. View the number of packets matching the ACL using the show ip accounting access-list command from EXEC Privilege mode.
Configuring Egress ACLs
Configuring egress ACLs on physical interfaces protects the system infrastructure from attack, whether malicious or incidental, by explicitly allowing only authorized traffic. These system-wide ACLs eliminate the need to apply ACLs to each interface and achieve the same results. By localizing target traffic, it is a simpler implementation. Use an egress ACL when you want to restrict egress traffic.
The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic. Using permit rules with the count option, you can track on a per-flow basis whether CPU-generated and CPU-forwarded packets were transmitted successfully.
Task: Apply egress ACLs to IPv4 system traffic.
The following rules apply to prefix lists:
• A prefix list without any permit or deny filters allows all routes.
• An “implicit deny” is assumed (that is, the route is dropped) for all route prefixes that do not match a permit or deny filter in a configured prefix list.
• After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route.
If you want to forward all routes that do not match the prefix list criteria, you must configure a prefix list filter to permit all routes (permit 0.0.0.0/0 le 32). The “permit all” filter must be the last filter in your prefix list. To permit the default route only, enter permit 0.0.0.0/0. Figure 8-15 shows how the seq command orders the filters according to the sequence number assigned.
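The following Python is an added example, not FTOS code. It implements the prefix-list rules above (ordered filters, first match wins, implicit deny, an empty list passing everything) including the ge/le length bounds, and shows the difference between permit 0.0.0.0/0 le 32 and permit 0.0.0.0/0. The filter lists and routes are constructed.

```python
"""Prefix-list evaluation: ordered filters, first match wins, implicit deny.

Added example, not FTOS code. Filters are tried in ascending sequence
number; 'ge' and 'le' bound the prefix length of the route being tested
and, without either, a filter matches exactly one prefix length. A route
matching no filter is dropped, which is why a trailing
'permit 0.0.0.0/0 le 32' is needed to pass everything else. A list with
no filters at all passes every route. The lists and routes are constructed.
"""
import ipaddress


def parse_filter(line: str) -> dict:
    """Parse 'seq N {permit|deny} PREFIX/LEN [ge X] [le Y]'."""
    t = line.split()
    if t[0] != "seq" or t[2] not in ("permit", "deny"):
        raise ValueError("malformed prefix-list filter: " + line)
    f = {"seq": int(t[1]), "action": t[2],
         "net": ipaddress.IPv4Network(t[3], strict=False), "ge": None, "le": None}
    for key, val in zip(t[4::2], t[5::2]):
        if key not in ("ge", "le"):
            raise ValueError("unknown keyword " + key)
        f[key] = int(val)
    # Allowed prefix-length window: exact length by default, ge..32 with ge only,
    # len..le with le only, ge..le with both.
    lo = f["ge"] if f["ge"] is not None else f["net"].prefixlen
    hi = f["le"] if f["le"] is not None else (32 if f["ge"] is not None else f["net"].prefixlen)
    if not f["net"].prefixlen <= lo <= hi <= 32:
        raise ValueError("ge/le out of range: " + line)
    f["lo"], f["hi"] = lo, hi
    return f


def matches(f: dict, route: ipaddress.IPv4Network) -> bool:
    """The route must lie inside the filter prefix and have an allowed prefix length."""
    return route.subnet_of(f["net"]) and f["lo"] <= route.prefixlen <= f["hi"]


def evaluate(filters, route_str: str) -> tuple:
    """Return (action, matching seq); ('deny', None) is the implicit deny."""
    if not filters:
        return "permit", None          # no filters configured: nothing is filtered
    route = ipaddress.IPv4Network(route_str, strict=False)
    for f in sorted(filters, key=lambda f: f["seq"]):
        if matches(f, route):
            return f["action"], f["seq"]
    return "deny", None


# Constructed list: drop anything in 10/8, accept only /25-/26 carve-outs of 192.0.2.0/24,
# then pass everything else; the permit-all must be last.
FILTER_ALL = [parse_filter(l) for l in (
    "seq 5 deny 10.0.0.0/8 le 32",
    "seq 10 permit 192.0.2.0/24 ge 25 le 26",
    "seq 15 permit 0.0.0.0/0 le 32",
)]
# 'permit 0.0.0.0/0' without le matches the default route only.
DEFAULT_ONLY = [parse_filter("seq 5 permit 0.0.0.0/0")]

if __name__ == "__main__":
    for r in ("10.2.0.0/16", "192.0.2.128/25", "192.0.2.0/24", "198.51.100.0/24", "0.0.0.0/0"):
        print(r, evaluate(FILTER_ALL, r), evaluate(DEFAULT_ONLY, r))
```

The 192.0.2.0/24 route itself is refused by sequence 10 because its length (24) is below ge 25, and only the trailing permit-all lets it through; move that permit-all earlier and every later filter becomes unreachable.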
Figure 8-16 shows a prefix list in which the sequence numbers were assigned by the software. The filters were assigned sequence numbers based on the order in which they were configured (for example, the first filter was given the lowest sequence number). The show config command in PREFIX LIST mode displays the two filters with the sequence numbers 5 and 10.
Figure 8-16. Prefix List
FTOS(conf-nprefixl)#permit 123.23.0.0 /16
FTOS(conf-nprefixl)#deny 133.24.56.
Use a Prefix List for Route Redistribution
To filter routes with a configured prefix list, you must reference the prefix list in a route redistribution command. The prefix list is applied to all routes redistributed into the routing process, and each route is either accepted or dropped depending on the criteria and actions specified in the prefix list.
To view the configuration, use the show config command in ROUTER OSPF mode (Figure 8-20) or the show running-config ospf command in EXEC mode.
Figure 8-20. Command Example: show config in ROUTER OSPF Mode
FTOS(conf-router_ospf)#show config
!
router ospf 34
 network 10.2.1.1 255.255.255.255 area 0.0.0.1
 distribute-list prefix awe in
FTOS(conf-router_ospf)#
ACL Resequencing
ACL Resequencing allows you to re-number the rules and remarks in an access or prefix list.
Resequencing an ACL or Prefix List Resequencing is available for IPv4 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the appropriate command in Table 8-4. When using these commands, you must specify the list name, starting number, and increment. Table 8-4.
Figure 8-22. Resequencing Remarks
FTOS(conf-ext-nacl)# show config
!
ip access-list extended test
 remark 4 XYZ
 remark 5 this remark corresponds to permit any host 1.1.1.1
 seq 5 permit ip any host 1.1.1.1
 remark 9 ABC
 remark 10 this remark corresponds to permit ip any host 1.1.1.2
 seq 10 permit ip any host 1.1.1.2
 seq 15 permit ip any host 1.1.1.3
 seq 20 permit ip any host 1.1.1.
• If no match is found in a route-map sequence, the process moves to the next route-map sequence until a match is found, or there are no more sequences.
• When a match is found, the matching sequence's permit or deny action is applied to the route, and no more route-map sequences are processed.
• If a continue clause is included in the route-map sequence, the next or a specified route-map sequence is processed after a match is found.
You can create multiple instances of this route map using the sequence number option to place the route maps in the correct order. FTOS processes the route maps with the lowest sequence number first. When a configured route map is applied to a command, such as redistribute, routes pass through all instances of that route map until a match is found. Figure 8-24 shows an example with two instances of a route map.
Figure 8-24.
Configure Route Map Filters
Within ROUTE-MAP mode, there are match and set commands. match commands search for a certain criterion in the routes, and set commands change the characteristics of those routes, either by adding something or by specifying a level. When there are multiple match commands for the same parameter under one instance of a route map, FTOS treats them as alternatives: the instance matches if the route satisfies any one of them.
To configure match criterion for a route map, use any or all of the following commands in ROUTE-MAP mode:
match interface interface (CONFIG-ROUTE-MAP mode): Match routes whose next hop is a specific interface. The parameters are:
• For a loopback interface, enter the keyword loopback followed by a number between zero (0) and 16383.
Use these commands to create route map instances. There is no limit to the number of set and match commands per route map, but the convention is to keep the number of match and set filters in a route map low. Set commands do not require a corresponding match command. Configure a Route Map for Route Redistribution Route maps on their own cannot affect traffic and must be included in different commands to affect routing traffic.
In Figure 8-28, the redistribute ospf command with a route map is used in ROUTER RIP mode to apply a tag of 34 to all internal OSPF routes that are redistributed into RIP.
Figure 8-28.
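The following Python is an added example, not FTOS code. It models route-map processing as described in this section: instances in sequence order, several match clauses for one parameter treated as alternatives, set clauses applied on a permit match, a deny match dropping the route, and continue resuming at a later instance. The map is constructed to do what Figure 8-28 does (tag internal OSPF routes 34) and then also set a metric; the routes are constructed as well.

```python
"""Route-map instance processing: sequence order, match semantics, set and continue.

Added example, not FTOS code. Instances are tried lowest sequence first.
Inside one instance, several match values for the same parameter are
alternatives (any one may match) while different parameters must all
match. On the first match a deny instance drops the route; a permit
instance applies its set clauses and stops, unless it carries 'continue',
in which case processing resumes at the next (or the named) instance.
The map is modelled on Figure 8-28; routes are constructed.
"""


def _matches(instance: dict, route: dict) -> bool:
    """All match parameters must be satisfied; each parameter's values are ORed."""
    for param, values in instance.get("match", {}).items():
        if route.get(param) not in values:
            return False
    return True


def evaluate_route_map(instances, route: dict) -> tuple:
    """Return ('permit' | 'deny', resulting route dict); an unmatched route is denied."""
    order = sorted(instances, key=lambda i: i["seq"])
    result = dict(route)
    idx, matched = 0, False
    while idx < len(order):
        inst = order[idx]
        if not _matches(inst, result):
            idx += 1
            continue
        if inst["action"] == "deny":
            return "deny", result
        matched = True
        result.update(inst.get("set", {}))
        if "continue" not in inst:
            break
        target = inst["continue"]                 # None means the next instance
        if target is None:
            idx += 1
            continue
        later = [i for i, x in enumerate(order) if x["seq"] == target]
        if not later or later[0] <= idx:
            raise ValueError("continue must name a later sequence number")
        idx = later[0]
    return ("permit", result) if matched else ("deny", result)


# Constructed map: refuse routes already carrying tag 666, tag internal OSPF routes 34
# and keep going, then set a metric on any internal or external OSPF route.
TAG_INTERNAL = [
    {"seq": 5, "action": "deny", "match": {"tag": {666}}},
    {"seq": 10, "action": "permit", "match": {"route-type": {"internal"}},
     "set": {"tag": 34}, "continue": None},
    {"seq": 20, "action": "permit", "match": {"route-type": {"internal", "external"}},
     "set": {"metric": 5}},
]
INTERNAL = {"prefix": "10.1.0.0/16", "route-type": "internal", "tag": 0}
EXTERNAL = {"prefix": "203.0.113.0/24", "route-type": "external", "tag": 0}
POISONED = {"prefix": "10.9.0.0/16", "route-type": "internal", "tag": 666}
LEVEL1 = {"prefix": "192.0.2.0/24", "route-type": "level-1", "tag": 0}

if __name__ == "__main__":
    for r in (INTERNAL, EXTERNAL, POISONED, LEVEL1):
        print(r["prefix"], evaluate_route_map(TAG_INTERNAL, r))
```

Without the continue clause on sequence 10, the internal route would stop there with its tag set but no metric; with it, sequence 20 also runs, which is the behavior to check for when a map has more than one instance that can match the same route.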
9 Bidirectional Forwarding Detection (BFD) Bidirectional Forwarding Detection (BFD) is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
If a system does not receive a control packet within an agreed-upon amount of time, the BFD Agent changes the session state to Down. It then notifies the BFD Manager of the change, and sends a control packet to the neighbor that indicates the state change (though it might not be received if the link or receiving interface is faulty).
Figure 9-2. BFD Packet Format
The figure shows a BFD control packet encapsulated in Ethernet, IPv4 (TTL 255) and UDP (destination port 3784), with these BFD fields: Version (1), Diag Code, State, Flags, Detect Mult, Length, My Discriminator, Your Discriminator (a random number generated by the remote system to identify a session), Desired Min TX Interval, Required Min RX Interval, Required Min Echo RX Interval (the minimum interval between Echo packets), Auth Type.
Table 9-1. BFD Packet Fields
Diagnostic Code: The reason that the last session failed.
State: The current local session state. See BFD sessions.
Flag: A bit that indicates packet function. If the poll bit is set, the receiving system must respond as soon as possible, without regard to its transmit interval. The responding system clears the poll bit and sets the final bit in its response.
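The following Python is an added example, not FTOS code. It decodes the 24-byte mandatory section of a BFD control packet (the fields of Figure 9-2 and Table 9-1), applies the receive-side checks RFC 5880 requires before a packet is trusted, and derives the detection time a receiver uses. The sample packet is constructed to carry this chapter's defaults (100 ms intervals, multiplier 3) with the session Up.

```python
"""BFD control-packet decoder (RFC 5880 mandatory section) and detection time.

Added example, not FTOS code. Decodes the 24-byte header that 'debug bfd
packet' dumps, applies the receive-side sanity checks a BFD agent must make
before trusting the packet, and derives the detection time the receiver
will use. SAMPLE is constructed to carry this chapter's defaults
(100 ms intervals, multiplier 3) with the session Up.
"""
import struct

STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
FLAG_NAMES = ("P", "F", "C", "A", "D", "M")  # Poll, Final, CPI, Auth, Demand, Multipoint


def parse_bfd(data: bytes) -> dict:
    """Decode the mandatory section; raise ValueError where RFC 5880 says to discard."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte mandatory section")
    b0, b1, mult, length = struct.unpack("!BBBB", data[:4])
    version, diag = b0 >> 5, b0 & 0x1F          # 3-bit version, 5-bit diagnostic
    state = b1 >> 6                              # 2-bit state, then six flag bits
    flags = {n: bool(b1 & (1 << (5 - i))) for i, n in enumerate(FLAG_NAMES)}
    if version != 1:
        raise ValueError(f"unsupported BFD version {version}")
    if length > len(data) or length < (26 if flags["A"] else 24):
        raise ValueError("Length field inconsistent with packet")
    if mult == 0:
        raise ValueError("Detect Mult must be nonzero")
    if flags["M"]:
        raise ValueError("Multipoint bit set")
    my_disc, your_disc, tx, rx, echo_rx = struct.unpack("!IIIII", data[4:24])
    if my_disc == 0:
        raise ValueError("My Discriminator must be nonzero")
    if your_disc == 0 and state in (2, 3):
        raise ValueError("Your Discriminator zero while Init/Up")
    return {
        "version": version, "diag": diag, "state": STATE_NAMES[state], "flags": flags,
        "detect_mult": mult, "length": length,
        "my_discriminator": my_disc, "your_discriminator": your_disc,
        "desired_min_tx_us": tx, "required_min_rx_us": rx,
        "required_min_echo_rx_us": echo_rx,
    }


def is_valid(data: bytes) -> bool:
    """True if the packet passes the discard checks in parse_bfd."""
    try:
        parse_bfd(data)
        return True
    except ValueError:
        return False


def detection_time_us(local_required_min_rx_us: int, remote: dict) -> int:
    """Asynchronous-mode detection time at this receiver: the remote's Detect Mult
    times the slower of our Required Min RX and the remote's Desired Min TX."""
    return remote["detect_mult"] * max(local_required_min_rx_us, remote["desired_min_tx_us"])


# Constructed: version 1, diag 0, state Up, no flags, mult 3, length 24,
# my/your discriminators 1 and 2, TX/RX 100000 us, echo 0.
SAMPLE = bytes.fromhex("20c00318" "00000001" "00000002" "000186a0" "000186a0" "00000000")

if __name__ == "__main__":
    pkt = parse_bfd(SAMPLE)
    print(pkt["state"], pkt["detect_mult"], detection_time_us(100_000, pkt))  # Up 3 300000
```

The detection time is what an attacker who can drop or delay traffic has to beat to force a session Down, and what a slow control plane has to stay inside to keep it Up; the 250 ms case in the test shows how a receiver with a slower Required Min RX stretches it.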
BFD sessions
BFD must be enabled on both sides of a link in order to establish a session. The two participating systems can assume either of two roles:
• Active: The active system initiates the BFD session. Both systems can be active for the same session.
• Passive: The passive system does not initiate a session. It only responds to a request for session initialization from the active system.
handshake. At this point, the discriminator values have been exchanged, and the transmit intervals have been negotiated.
4. The passive system receives the control packet, changes its state to Up. Both systems agree that a session has been established. However, since both members must send a control packet—that requires a response—anytime there is a state change or change in a session parameter, the passive system sends a final response indicating the state change.
Figure 9-3. BFD State Machine
Next state for each current session state, by the State field of the packet received (or detection-timer expiry):
Down: Up, Admin Down or timer -> Down; Down -> Init; Init -> Up
Init: Admin Down or timer -> Down; Down -> Init; Init or Up -> Up
Up: Admin Down, Down or timer -> Down; Init or Up -> Up
Important Points to Remember
• BFD for line card ports is hitless, but is not hitless for VLANs since they are instantiated on the RPM.
• FTOS supports a maximum of 100 sessions per BFD agent. Each linecard processor has a BFD Agent, so the limit translates to 100 BFD sessions per linecard.
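The following Python is an added example, not FTOS code. It encodes the transitions of Figure 9-3 and drives an active and a passive system through the three-way handshake described above, exchanging only the State field, to show that the passive side cannot leave Down on its own and that both sides pass through Init before Up.

```python
"""BFD session state machine (RFC 5880 section 6.8.6), as drawn in Figure 9-3.

Added example, not FTOS code. next_state() is the transition table; the
three-way handshake drives an active and a passive system from Down to Up
by exchanging only the State field. It shows why the passive side cannot
leave Down on its own and why both sides pass through Init before Up.
"""
ADMIN_DOWN, DOWN, INIT, UP = "AdminDown", "Down", "Init", "Up"
TIMER = "timer"  # detection time expired without a control packet

_TABLE = {
    DOWN: {DOWN: INIT, INIT: UP, UP: DOWN},   # Up received while Down is ignored
    INIT: {DOWN: INIT, INIT: UP, UP: UP},
    UP:   {DOWN: DOWN, INIT: UP, UP: UP},
}


def next_state(current: str, event: str) -> str:
    """event is the State field of a received packet, or TIMER."""
    if current == ADMIN_DOWN:
        return ADMIN_DOWN                 # only operator action leaves AdminDown
    if event in (TIMER, ADMIN_DOWN):
        return DOWN
    return _TABLE[current][event]


def handshake(max_rounds: int = 6) -> tuple:
    """Exchange State fields between an active and a passive system until both are Up.

    Returns (active_state, passive_state, trace); each trace entry is
    (direction, state_carried, resulting_state).
    """
    active, passive = DOWN, DOWN
    trace = []
    for _ in range(max_rounds):
        passive = next_state(passive, active)      # active sends first; passive only replies
        trace.append(("active->passive", active, passive))
        active = next_state(active, passive)
        trace.append(("passive->active", passive, active))
        if active == UP and passive == UP:
            break
    return active, passive, trace


if __name__ == "__main__":
    for step in handshake()[2]:
        print(step)
```

A forged packet carrying State Down or AdminDown drops an Up session immediately, which is why the session parameters (and, where supported, authentication) matter on links an attacker can reach; a forged Up while the local side is Down does nothing.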
Related configuration tasks
• Change session parameters.
• Disable or re-enable BFD on an interface.
Enabling BFD globally
BFD must be enabled globally on both routers, as shown in Figure 9-5. To enable BFD globally:
Step 1: Enable BFD globally. Command: bfd enable (CONFIGURATION mode)
Verify that BFD is enabled globally using the command show running bfd, as shown in Figure 9-4.
Figure 9-4.
Figure 9-5. Establishing a BFD Session for Physical Ports
R2 (active role, interface 2/1) and R1 (active role, interface 4/24) are directly connected.
R2:
Force10(config)# bfd enable
Force10(config)# interface gigabitethernet 2/1
Force10(conf-if-gi-2/1)# ip address 2.2.2.2/24
Force10(conf-if-gi-2/1)# bfd neighbor 2.2.2.1
R1:
Force10(config)# bfd enable
Force10(config)# interface gigabitethernet 4/24
Force10(conf-if-gi-4/24)# ip address 2.2.2.1/24
Force10(conf-if-gi-4/24)# bfd neighbor 2.2.2.
Figure 9-7. Viewing Session Details
R1(conf-if-gi-4/24)#do show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.
Changing physical port session parameters BFD sessions are configured with default intervals and a default role (active). The parameters that can be configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured per interface; if you change a parameter, the change affects all physical port sessions on that interface. Dell Networking recommends maintaining the default values.
Disabling and re-enabling BFD
BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured. If BFD is disabled, all of the sessions on that interface are placed in an Administratively Down state (Message 2), and the remote systems are notified of the session state change (Message 3). To disable BFD on an interface:
Step 1: Disable BFD on an interface.
Configuring BFD for Static Routes BFD gives systems a link state detection mechanism for static routes. With BFD, systems are notified to remove static routes from the routing table as soon as the link state change occurs, rather than having to wait until packets fail to reach their next hop. Configuring BFD for static routes is a three-step process: 1. Enable BFD globally. See Enabling BFD globally on page 132. 2. On the local system, establish a session with the next hop of a static route. See page 137.
Figure 9-10. Viewing Established Sessions for Static Routes
R1(conf)#ip route 2.2.3.0/24 2.2.2.2
R1(conf)#ip route bfd
R1(conf)#do show bfd neighbors
 * - Active session role
 Ad Dn - Admin Down
 C - CLI
 I - ISIS
 O - OSPF
 R - Static Route (RTM)
LocalAddr 2.2.2.1 RemoteAddr 2.2.2.
Configuring BFD for OSPF is a two-step process: 1. Enable BFD globally. See Enabling BFD globally on page 132. 2. Establish sessions for all or particular OSPF neighbors. See page 139. Related configuration tasks • • Change session parameters. See page 140. Disable BFD sessions for OSPF. See page 140. Establishing sessions with OSPF neighbors BFD sessions can be established with all OSPF neighbors at once, or sessions can be established with all neighbors out of a specific interface.
View the established sessions using the command show bfd neighbors, as shown in Figure 9-12.
Figure 9-12. Viewing Established Sessions for OSPF Neighbors
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
 * - Active session role
 Ad Dn - Admin Down
 C - CLI
 I - ISIS
 O - OSPF
 R - Static Route (RTM)
LocalAddr * 2.2.2.2 RemoteAddr 2.2.2.
To disable BFD sessions with all OSPF neighbors:
Step 1: Disable BFD sessions with all OSPF neighbors.
Figure 9-13. BFD Session Between BGP Neighbors
(Diagram: Router 1, interface 2/2, 2.2.4.2, in AS 1, and Router 2, interface 1/1, 2.2.4.3, joined by an exterior BGP session; both also have interior BGP peers.)
Force10(conf)# bfd enable
Force10(conf)# router bgp 1
Force10(conf-router-bgp)# neighbor 2.2.4.3 remote-as 2
Force10(conf-router-bgp)# neighbor 2.2.4.3 no shutdown
Force10(conf-router-bgp)# bfd all-neighbors interval 200 min_rx 200 multiplier 6 role active
OR
Force10(conf-router-bgp)# neighbor 2.2.4.
Note that the sample configuration shows alternative ways to establish a BFD session with a BGP neighbor:
• By establishing BFD sessions with all neighbors discovered by BGP (bfd all-neighbors command)
• By establishing a BFD session with a specified BGP neighbor (neighbor {ip-address | peer-group-name} bfd command)
BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
Notes:
- When you establish a BFD session with a specified BGP neighbor or peer group using the neighbor bfd command, the default BFD session parameters are used (interval: 100 milliseconds, min_rx: 100 milliseconds, multiplier: 3 packets, and role: active).
Using BFD in a BGP Peer Group
If you establish a BFD session for the members of a peer group (neighbor peer-group-name bfd command in ROUTER BGP configuration mode), members of the peer group may have BFD:
• Explicitly enabled (neighbor ip-address bfd command)
• Explicitly disabled (neighbor ip-address bfd disable command)
• Inherited (neither explicitly enabled nor disabled) according to the current BFD configuration of the peer group.
The following examples show the BFD for BGP output displayed for these show commands.
Figure 9-14. Verifying a BFD for BGP Configuration: show running-config bgp Command
R2# show running-config bgp
!
router bgp 2
 neighbor 1.1.1.2 remote-as 1
 neighbor 1.1.1.2 no shutdown
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 no shutdown
 neighbor 3.3.3.2 remote-as 1
 neighbor 3.3.3.2 no shutdown
 bfd all-neighbors
Figure 9-15.
Figure 9-16. Verifying BFD Sessions with BGP Neighbors: show bfd neighbors detail Command
R2# show bfd neighbors detail
Session Discriminator: 9
Neighbor Discriminator: 10
Local Addr: 1.1.1.3
Local MAC Addr: 00:01:e8:66:da:33
Remote Addr: 1.1.1.
Figure 9-17.
Figure 9-19. Displaying Routing Sessions with BGP Neighbors: show ip bgp neighbors Command
R2# show ip bgp neighbors 2.2.2.2
BGP neighbor is 2.2.2.2, remote AS 1, external link
 BGP version 4, remote router ID 12.0.0.
Configuring BFD for VRRP
When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the RPM. BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred. Configuring BFD for VRRP is a three-step process:
1. Enable BFD globally. See Enabling BFD globally on page 132.
2.
Establishing VRRP sessions on VRRP neighbors
The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. Therefore, VRRP BFD sessions on the backup router cannot change to the UP state. The master router must be configured to establish an individual VRRP session with the backup router. To establish a session with a particular VRRP neighbor:
Step 1: Establish a session with a particular VRRP neighbor.
To change parameters for all VRRP sessions:
Step 1: Change parameters for all VRRP sessions. Command: vrrp bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive] (INTERFACE mode)
To change parameters for a particular VRRP session:
Step 1: Change parameters for a particular VRRP session.
Configuring BFD for VLANs BFD on Dell Networking systems is a Layer 3 protocol. Therefore, BFD is used with routed VLANs. BFD on VLANs is analogous to BFD on physical ports. If no routing protocol is enabled, and a remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. If BFD is enabled, the local system removes the route when it stops receiving periodic control packets from the remote system.
View the established sessions using the command show bfd neighbors, as shown in Figure 9-24.
Figure 9-24. Viewing Established Sessions for VLAN Neighbors
R2(conf-if-vl-200)#bfd neighbor 2.2.3.2
R2(conf-if-vl-200)#do show bfd neighbors
 * - Active session role
 Ad Dn - Admin Down
 C - CLI
 I - ISIS
 O - OSPF
 R - Static Route (RTM)
 V - VRRP
LocalAddr * 2.2.3.2 RemoteAddr 2.2.3.
Configuring BFD for Port-Channels BFD on port-channels is analogous to BFD on physical ports. If no routing protocol is enabled, and a remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. If BFD is enabled, the local system removes the route when it stops receiving periodic control packets from the remote system.
To establish a session on a port-channel:
Step 1: Establish a session on a port-channel. Command: bfd neighbor ip-address (INTERFACE PORT-CHANNEL mode)
View the established sessions using the command show bfd neighbors, as shown in Figure 9-26.
Figure 9-26. Viewing Established Sessions for Port-Channel Neighbors
R2(conf-if-po-1)#bfd neighbor 2.2.2.
To disable BFD for a port-channel:
Step 1: Disable BFD for a port-channel. Command: no bfd enable (INTERFACE PORT-CHANNEL mode)
Configuring Protocol Liveness
Protocol Liveness is a feature that notifies the BFD Manager when a client protocol is disabled. When a client is disabled, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state (Message 3).
Figure 9-28. debug bfd packet Command Output
The output shows, for the session with neighbor 2.2.2.2 on Gi 4/24, timestamped "Sent packet" and "Received packet" lines (00:34:13, 00:34:14), each followed by a hex dump of the control packet (TX packet dump / RX packet dump) beginning 20 c0 03 18, that is, version 1, diagnostic 0, state Up, no flags, detect multiplier 3, length 24. Later words carry the discriminators and the 100000-microsecond (0x000186a0) TX and RX intervals.
10 Border Gateway Protocol IPv4 (BGPv4) This chapter is intended to provide a general description of Border Gateway Protocol version 4 (BGPv4) as it is supported in the Dell Force10 Operating System (FTOS). BGP protocol standards are listed in Standards Compliance. Protocol Overview Border Gateway Protocol (BGP) is an external gateway protocol that transmits interdomain routing information within and between Autonomous Systems (AS).
When BGP operates inside an Autonomous System (AS1 or AS2 as seen in Figure 10-1), it is referred to as Internal BGP (IBGP, Interior Border Gateway Protocol). When BGP operates between Autonomous Systems (AS1 and AS2), it is called External BGP (EBGP, Exterior Border Gateway Protocol). IBGP provides routers inside the AS with the knowledge to reach routers external to the AS.
Figure 10-2. Full Mesh Examples (4, 6 and 8 routers)
Each BGP speaker must maintain a session with every other speaker, so the total number of sessions in a full mesh grows quadratically (n(n-1)/2 for n speakers). Network management quickly becomes impossible.
Sessions and Peers
When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.
Establishing a session
Information exchange between peers is driven by events and timers.
In order to make decisions in its operations with other BGP peers, a BGP peer uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in. The BGP protocol defines the messages that each peer should exchange in order to change the session from one state to another. The first state is the Idle mode.
• If a route was received from a nonclient peer, reflect the route to all client peers.
• If the route was received from a client peer, reflect the route to all nonclient and all client peers.

To illustrate how these rules affect routing, see Figure 10-3 and the following steps. Routers B, C, D, E, and G are members of the same AS, AS100. These routers are also in the same Route Reflection Cluster, where Router D is the Route Reflector.
BGP Attributes

Routes learned via BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination. These properties are referred to as BGP attributes, and an understanding of how BGP attributes influence route selection is required for the design of robust networks.
Figure 10-4. BGP Best Path Selection (flowchart labels: Largest Weight; Highest Local Pref; Locally Originated Path; Shortest AS Path; Lowest Origin Code; Lowest MED; Learned via EBGP; Lowest NEXT-HOP Cost; Tie Breakers: Short Cluster List, Lowest BGP ID, Lowest Peering Addr. Each step either yields a single route or, when "No, or Not Resulting in a Single Route", falls through to the next; the single route selected is installed in the forwarding table.)

Best Path selection details

1. Prefer the path with the largest WEIGHT attribute.
2. Prefer the path with the largest LOCAL_PREF attribute.
3.
• AS_CONFED_SEQUENCE has a path length of 1, no matter how many ASs are in the AS_CONFED_SEQUENCE.

5. Prefer the path with the lowest ORIGIN type (IGP is lower than EGP, and EGP is lower than INCOMPLETE).
6. Prefer the path with the lowest Multi-Exit Discriminator (MED) attribute.
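The selection steps above read naturally as one ordered comparison. The following is an added example, not FTOS code, that encodes the steps as a sort key in the order the text gives them (WEIGHT, LOCAL_PREF, locally originated, AS path length with AS_CONFED_SEQUENCE counted as 1, ORIGIN, MED), followed by the tie breakers named in the Figure 10-4 flowchart (EBGP over IBGP, NEXT-HOP cost, cluster list length, BGP router ID, peering address). It also reports the first step at which a candidate is eliminated, which is what an operator usually wants to know when a path is not the one expected. The candidate paths, AS numbers and addresses are constructed; the block assumes the candidates are MED-comparable (same neighbouring AS, or bgp always-compare-med in effect).

```python
"""BGP best path selection in the order listed above. Added example, not
FTOS code; attribute values and addresses are constructed."""
from dataclasses import dataclass
from typing import List, Tuple
import ipaddress

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}   # lower is preferred

# Decision steps in the order applied; the tie breakers after MED follow the
# labels in the best-path flowchart (Figure 10-4).
STEPS = ["WEIGHT", "LOCAL_PREF", "locally originated", "AS_PATH length",
         "ORIGIN", "MED", "EBGP over IBGP", "NEXT_HOP cost",
         "cluster list length", "BGP router ID", "peering address"]


@dataclass
class BgpPath:
    prefix: str
    weight: int
    local_pref: int
    locally_originated: bool
    as_path: List[Tuple[str, List[int]]]   # segments: (segment type, AS numbers)
    origin: str
    med: int
    ebgp: bool
    igp_cost: int                           # IGP metric to reach NEXT_HOP
    cluster_list: List[str]
    router_id: str
    peer_addr: str


def as_path_length(segments) -> int:
    """AS_SEQUENCE counts each AS; AS_CONFED_SEQUENCE counts as 1 (as the text
    states); AS_SET and AS_CONFED_SET also count as 1 (RFC 4271)."""
    return sum(len(ases) if kind == "AS_SEQUENCE" else 1 for kind, ases in segments)


def best_path_key(p: BgpPath) -> tuple:
    """Sort key: the smallest tuple is the best path. Assumes the candidates
    are MED-comparable (same neighbouring AS, or bgp always-compare-med)."""
    return (
        -p.weight,                                   # 1. largest WEIGHT
        -p.local_pref,                               # 2. largest LOCAL_PREF
        0 if p.locally_originated else 1,            # 3. locally originated
        as_path_length(p.as_path),                   # 4. shortest AS_PATH
        ORIGIN_RANK[p.origin],                       # 5. lowest ORIGIN
        p.med,                                       # 6. lowest MED
        0 if p.ebgp else 1,                          # EBGP before IBGP
        p.igp_cost,                                  # lowest NEXT_HOP cost
        len(p.cluster_list),                         # shortest cluster list
        int(ipaddress.ip_address(p.router_id)),      # lowest BGP router ID
        int(ipaddress.ip_address(p.peer_addr)),      # lowest peering address
    )


def select_best_path(paths: List[BgpPath]) -> BgpPath:
    return min(paths, key=best_path_key)


def deciding_step(paths: List[BgpPath]) -> str:
    """Name of the first step at which at least one candidate is eliminated."""
    keys = [best_path_key(p) for p in paths]
    for i, name in enumerate(STEPS):
        if len({k[i] for k in keys}) > 1:
            return name
    return "none (identical attributes)"


# Constructed candidates for 10.0.0.0/8 learned from three peers.
CANDIDATES = [
    BgpPath("10.0.0.0/8", 0, 100, False, [("AS_SEQUENCE", [65010, 65020])],
            "IGP", 0, True, 10, [], "192.0.2.1", "198.51.100.1"),
    BgpPath("10.0.0.0/8", 0, 200, False, [("AS_SEQUENCE", [65030, 65040, 65020])],
            "IGP", 0, False, 10, [], "192.0.2.2", "198.51.100.2"),
    BgpPath("10.0.0.0/8", 0, 200, False, [("AS_SEQUENCE", [65050, 65020])],
            "INCOMPLETE", 0, False, 10, [], "192.0.2.3", "198.51.100.3"),
]

if __name__ == "__main__":
    best = select_best_path(CANDIDATES)
    print("best path via", best.peer_addr, "; first elimination at", deciding_step(CANDIDATES))
```

With the constructed candidates, the EBGP path loses on LOCAL_PREF despite the EBGP preference further down the list, and the remaining two are separated by AS path length before ORIGIN is ever consulted.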
Weight

The Weight attribute is local to the router and is not advertised to neighboring routers. If the router learns about more than one route to the same destination, the route with the highest weight will be preferred. The route with the highest weight is installed in the IP routing table.

Local Preference

Local Preference (LOCAL_PREF) represents the degree of preference within the entire AS. The higher the number, the greater the preference for the route.
One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this example, assume the MED is the only attribute applied. In Figure 10-6, AS100 and AS200 connect in two places. Each connection is a BGP session. AS200 sets the MED for its T1 exit point to 100 and the MED for its OC3 exit point to 50. This sets up a path preference through the OC3 link. The MEDs are advertised to AS100 routers so they know which is the preferred path.
Generally, an IGP indicator means that the route was derived inside the originating AS. EGP generally means that a route was learned from an external gateway protocol. An INCOMPLETE origin code generally results from aggregation, redistribution or other indirect ways of installing routes into BGP. In FTOS, these origin codes appear as shown in Figure 10-7. The question mark (?) indicates an Origin code of INCOMPLETE. The lower case letter (i) indicates an Origin code of IGP.

Figure 10-7.
Next Hop

The Next Hop is the IP address used to reach the advertising router. For EBGP neighbors, the Next-Hop address is the IP address of the connection between the neighbors. For IBGP, the EBGP Next-Hop address is carried into the local AS. A Next Hop attribute is set when a BGP speaker advertises itself to another BGP speaker outside its local AS. It can also be set when advertising routes within an AS.
Advertise IGP cost as MED for redistributed routes

When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as the MED value. FTOS 8.3.1.0 and later support configuring the set metric-type internal command in a route-map to advertise the IGP cost as the MED to outbound EBGP peers when redistributing routes.
4-Byte AS Numbers

FTOS Version 7.7.1 and later support the 4-Byte (32-bit) format when configuring Autonomous System Numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message. If a 4-Byte BGP speaker has sent and received this capability from another speaker, all the messages will be 4-octet. The behavior of a 4-Byte BGP speaker differs depending on whether the peer is a 4-Byte or a 2-Byte BGP speaker.
ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a decimal point (.): .. Some examples are shown in Table 10-2.

• All AS Numbers between 0-65535 are represented as a decimal number, when entered in the CLI as well as when displayed in the show command outputs.
• AS Numbers larger than 65535 are represented using ASDOT notation as ..
Figure 10-9. Dynamic changes of the bgp asnotation command in the show running config

ASDOT
Force10(conf-router_bgp)#bgp asnotation asdot
Force10(conf-router_bgp)#show conf
!
router bgp 100
 bgp asnotation asdot
 bgp four-octet-as-support
 neighbor 172.30.1.250 local-as 65057
Figure 10-10. Dynamic changes when bgp asnotation command is disabled in the show running config

AS NOTATION DISABLED
Force10(conf-router_bgp)#no bgp asnotation
Force10(conf-router_bgp)#sho conf
!
router bgp 100
 bgp four-octet-as-support
 neighbor 172.30.1.250 local-as 65057
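The asplain, asdot and asdot+ forms above are three spellings of the same 32-bit value, and a configuration tool that reads or writes them has to convert without ambiguity. The following is an added example, not FTOS code, that converts between the three notations as the text describes them (asdot: decimal up to 65535, dotted above; asdot+: always two 16-bit words) and parses any of them back with the ranges given in the router bgp step of this chapter (0-65535, 1-4294967295, 0.1-65535.65535). The sample AS numbers are constructed.

```python
"""Convert between asplain, asdot and asdot+ representations of 2-byte and
4-byte AS numbers as described above. Added example, not FTOS code."""

AS_MAX = 4294967295      # largest 4-byte AS number
TWO_BYTE_MAX = 65535


def _check(asn: int) -> None:
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"AS number out of range: {asn}")


def to_asplain(asn: int) -> str:
    """Plain decimal, whatever the size."""
    _check(asn)
    return str(asn)


def to_asdot(asn: int) -> str:
    """0-65535 stays decimal; larger values become <high>.<low>."""
    _check(asn)
    return str(asn) if asn <= TWO_BYTE_MAX else to_asdot_plus(asn)


def to_asdot_plus(asn: int) -> str:
    """Always two 16-bit words separated by a dot, e.g. 65057 -> 0.65057."""
    _check(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def parse_asn(text: str) -> int:
    """Accept any of the three notations using the ranges from the router bgp
    step: 0-65535, 1-4294967295, or 0.1-65535.65535."""
    if "." in text:
        high_text, low_text = text.split(".", 1)
        high, low = int(high_text), int(low_text)
        if not (0 <= high <= TWO_BYTE_MAX and 0 <= low <= TWO_BYTE_MAX):
            raise ValueError(f"dotted word out of range: {text}")
        asn = (high << 16) | low
        if asn < 1:
            raise ValueError("dotted AS numbers start at 0.1")
        return asn
    asn = int(text)
    _check(asn)
    return asn


def is_valid_asn_text(text: str) -> bool:
    try:
        parse_asn(text)
        return True
    except ValueError:
        return False


def is_four_byte(asn: int) -> bool:
    """True when exchanging this ASN needs the 4-BYTE-AS capability."""
    return asn > TWO_BYTE_MAX


if __name__ == "__main__":
    for asn in (65057, 65536, 131118):
        print(asn, "asdot:", to_asdot(asn), "asdot+:", to_asdot_plus(asn), "4-byte:", is_four_byte(asn))
```

Because asdot renders 65536 as 1.0 while asdot+ renders 65057 as 0.65057, a parser has to accept dotted input regardless of which notation the switch is currently displaying; parse_asn does that, and is_four_byte tells a script whether a 2-byte-only peer can even be told about the number.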
Figure 10-11. Local-AS Scenario (Before Migration: Router A in AS 100, Router B in AS 200, Router C in AS 300. After Migration, with Local-AS enabled: Router A in AS 100, Router B in AS 100 with Local AS 200, Router C in AS 300.)

When you complete your migration, and you have reconfigured your network with the new information, you must disable this feature. If the “no prepend” option is used, the local-as will not be prepended to the updates received from the eBGP peer.
Local-as is prepended before the route-map to give the impression that the update passed through a router in AS 200 before it reached Router B.

BGP4 Management Information Base (MIB)

The FORCE10-BGP4-V2-MIB enhances FTOS BGP Management Information Base (MIB) support with many new SNMP objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell Force10 website, www.force10networks.com.
• The AFI/SAFI is not used as an index to the f10BgpM2PeerCountersEntry table.
• The BGP peer's AFI/SAFI (IPv4 Unicast or IPv6 Multicast) is used for various outbound counters.
• Counters corresponding to IPv4 Multicast cannot be queried.
BGP Configuration

To enable the BGP process and begin exchanging information, you must assign an AS number and use commands in the ROUTER BGP mode to configure a BGP neighbor.

Defaults

By default, BGP is disabled. By default, FTOS compares the MED attribute on different paths from within the same AS (the bgp always-compare-med command is not enabled).

Note: In FTOS, all newly configured neighbors and peer groups are disabled.
Use these commands in the following sequence, starting in the CONFIGURATION mode, to establish BGP sessions on the router.

Step 1
  Command Syntax: router bgp as-number
  Command Mode:   CONFIGURATION
  Purpose:        Assign an AS number and enter the ROUTER BGP mode.
                  AS Number: 0-65535 (2-Byte) or 1-4294967295 (4-Byte) or 0.1-65535.65535 (Dotted format)
                  Only one AS is supported per system.
                  If you enter a 4-Byte AS Number, 4-Byte AS Support is enabled automatically.
Enter show config in CONFIGURATION ROUTER BGP mode to view the BGP configuration. Use the show ip bgp summary command in EXEC Privilege mode to view the BGP status. Figure 10-12 shows the summary with a 2-Byte AS Number displayed; Figure 10-13 shows the summary with a 4-Byte AS Number displayed.

Figure 10-12. Command example: show ip bgp summary (2-Byte AS Number displayed)

R2#show ip bgp summary
BGP router identifier 192.168.10.        (callout: 2-Byte AS Number)
Figure 10-14 displays two neighbors: one is an external and the second one is an internal BGP neighbor. The first line of the output for each neighbor displays the AS number and states whether the link is external or internal. The third line of the show ip bgp neighbors output contains the BGP State. If anything other than ESTABLISHED is listed, the neighbor is not exchanging information and routes.
Figure 10-15. Command example: show running-config bgp

R2#show running-config bgp
!
router bgp 65123
 bgp router-id 192.168.10.2
 network 10.10.21.0/24
 network 10.10.32.0/24
 network 100.10.92.0/24
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.1 remote-as 65123
 neighbor 10.10.21.1 filter-list ISP1in
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.9 remote-as 65192
 neighbor 100.10.92.
Task: Enable ASDOT AS Number representation (Figure 10-17).
  Command Syntax: bgp asnotation asdot
  Command Mode:   CONFIG-ROUTER-BGP

Task: Enable ASDOT+ AS Number representation (Figure 10-18).
  Command Syntax: bgp asnotation asdot+
  Command Mode:   CONFIG-ROUTER-BGP

Figure 10-16. Command example and output: bgp asnotation asplain

Force10(conf-router_bgp)#bgp asnotation asplain
Force10(conf-router_bgp)#sho conf
!
router bgp 100
 bgp four-octet-as-support
 neighbor 172.30.1.250 remote-as 18508
 neighbor 172.30.1.250 local-as 65057
 neighbor 172.30.1.
Configure Peer Groups

To configure multiple BGP neighbors at one time, create and populate a BGP peer group. Another advantage of peer groups is that members of a peer group inherit the configuration properties of the group and share the same update policy. A maximum of 256 Peer Groups are allowed on the system. You create a peer group by assigning it a name, then adding members to the peer group. Once a peer group is created, you can configure route policies for it.
When you add a peer to a peer group, it inherits all the peer group’s configured parameters.
Figure 10-20. Command example: show config (peer-group enabled)

Force10(conf-router_bgp)#neighbor zanzibar no shutdown        (callout: Enabling neighbor zanzibar)
Force10(conf-router_bgp)#show config
!
router bgp 45
 bgp fast-external-fallover
 bgp log-neighbor-changes
 neighbor zanzibar peer-group
 neighbor zanzibar no shutdown
 neighbor 10.1.1.1 remote-as 65535
 neighbor 10.1.1.
Figure 10-21. Command example: show ip bgp peer-group

Force10>show ip bgp peer-group
Peer-group zanzibar, remote AS 65535
  BGP version 4
  Minimum time between advertisement runs is 5 seconds
  For address family: IPv4 Unicast
  BGP neighbor is zanzibar, peer-group internal,
  Number of peers in this group 26
  Peer-group members (* - outbound optimized):
    10.68.160.1
    10.68.161.1
    10.68.162.1
    10.68.163.1
    10.68.164.1
    10.68.165.1
    10.68.166.1
    10.68.167.1
    10.68.168.1
    10.68.169.1
    10.68.170.1
    10.68.171.1
    10.68.172.1
    10.68.
BGP fast fall-over

By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fall-over feature reduces the convergence time while maintaining stability. The connection to a BGP peer is immediately reset if a link to a directly connected external peer fails. When fall-over is enabled, BGP tracks IP reachability to the peer remote address and the peer local address.
Figure 10-22. Command example: show ip bgp neighbors

Force10#sh ip bgp neighbors
BGP neighbor is 100.100.100.100, remote AS 65517, internal link
  Member of peer-group test for session parameters
  BGP version 4, remote router ID 30.30.30.
Figure 10-23. Command example: show ip bgp peer-group

Force10#sh ip bgp peer-group
Peer-group test
  Fall-over enabled
  BGP version 4
  Minimum time between advertisement runs is 5 seconds
  For address family: IPv4 Unicast
  BGP neighbor is test
  Number of peers in this group 1
  Peer-group members (* - outbound optimized):
    100.100.100.
Step 3
  Command Syntax: neighbor peer-group-name no shutdown
  Command Mode:   CONFIG-ROUTER-BGP
  Purpose:        Enable the peer group.

Step 4
  Command Syntax: neighbor peer-group-name remote-as as-number
  Command Mode:   CONFIG-ROUTER-BGP
  Purpose:        Create and specify a remote peer for BGP neighbor.

Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED. Once the peer group is ESTABLISHED, the peer group is the same as any other peer group.
Figure 10-24. Local-as information shown

R2(conf-router_bgp)#show conf
!
router bgp 65123                                   (callout: Actual AS Number)
 bgp router-id 192.168.10.2
 network 10.10.21.0/24
 network 10.10.32.0/24
 network 100.10.92.0/24
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.1 remote-as 65123
 neighbor 10.10.21.1 filter-list Laura in
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.                                 (callout: Local-AS Number 6500 Maintained During Migration)
Figure 10-25. Allowas-in information shown

R2(conf-router_bgp)#show conf
!
router bgp 65123
 bgp router-id 192.168.10.2
 network 10.10.21.0/24
 network 10.10.32.0/24
 network 100.10.92.0/24
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.1 remote-as 65123
 neighbor 10.10.21.1 filter-list Laura in
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.9 remote-as 65192
 neighbor 100.10.92.9 local-as 6500
 neighbor 100.10.92.
• Bring the secondary RPM online as the primary and re-open sessions with all peers operating in “no shutdown” mode.
• Defer best path selection for a certain amount of time. This helps optimize path selection and results in fewer updates being sent out.

Enable graceful restart using the configure router bgp graceful-restart command.
Filter on an AS-Path attribute

The BGP attribute, AS_PATH, can be used to manipulate routing policies. The AS_PATH attribute contains a sequence of AS numbers representing the route’s path. As the route traverses an Autonomous System, the AS number is prepended to the route. You can manipulate routes based on their AS_PATH to affect interdomain routing. By identifying certain AS numbers in the AS_PATH, you can permit or deny routes based on the number in its AS_PATH.
Step 2
  Command Syntax: {deny | permit} filter
  Command Mode:   CONFIG-AS-PATH
  Purpose:        Enter the parameter to match BGP AS-PATH for filtering. This is the filter that is used to match the AS-path. The entries can be any format: letters, numbers, or regular expressions. This command can be entered multiple times if multiple filters are desired. See Table 10-4 for accepted expressions.
Figure 10-27. Filtering with Regular Expression

Force10(config)#router bgp 99
Force10(conf-router_bgp)#neigh AAA peer-group
Force10(conf-router_bgp)#neigh AAA no shut
Force10(conf-router_bgp)#show conf
!
router bgp 99
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor 10.155.15.2 remote-as 32
 neighbor 10.155.15.2 shutdown
Force10(conf-router_bgp)#neigh 10.155.15.
Table 10-4. Regular Expressions

Regular Expression    Definition
( ) (parentheses)     Specifies patterns for multiple use when followed by one of the multiplier metacharacters: asterisk *, plus sign +, or question mark ?
[ ] (brackets)        Matches any enclosed character; specifies a range of single characters
- (hyphen)            Used within brackets to specify a range of AS or community numbers.
_ (underscore)        Matches a ^, a $, a comma, a space, a {, or a }.
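The underscore row in Table 10-4 is the one that trips people up: without it, a filter written for AS 701 also matches AS 7010. The following is an added example, not FTOS code, that translates an AS-path regular expression with the metacharacters from the table into a standard regular expression (only the underscore needs translating; the others already mean the same thing) and evaluates a deny/permit filter list in order against a space-separated AS_PATH string. The filter entries and AS numbers are constructed, and the implicit deny for a path that matches no entry is an assumption in line with how access lists behave.

```python
"""Match BGP AS_PATH strings with the metacharacters from Table 10-4 and
evaluate an AS-path filter list in order. Added example, not FTOS code."""
import re
from typing import List, Tuple

# An underscore matches start of string, end of string, comma, space or a
# brace, which is why "_701_" matches AS 701 but not AS 7010.
UNDERSCORE = r"(?:^|$|[ ,{}])"


def to_python_regex(as_path_regex: str) -> str:
    """Translate the underscore; ( ) [ ] - * + ? . ^ $ keep their meaning."""
    return as_path_regex.replace("_", UNDERSCORE)


def as_path_matches(as_path_regex: str, as_path: str) -> bool:
    """as_path is the space-separated AS_PATH (AS_SETs in braces), '' when
    the route is locally originated."""
    return re.search(to_python_regex(as_path_regex), as_path) is not None


def evaluate_filter(entries: List[Tuple[str, str]], as_path: str) -> str:
    """Apply (action, regex) entries in order; the first match decides.
    A path matching no entry is denied (assumed implicit deny)."""
    for action, pattern in entries:
        if as_path_matches(pattern, as_path):
            return action
    return "deny"


# Constructed filter list: drop anything that transited AS 701, keep the rest.
FILTER_LIST = [("deny", "_701_"), ("permit", ".*")]

if __name__ == "__main__":
    for path in ("209 701 80", "209 7010 80", "", "3356 {80 81}"):
        print(repr(path), "->", evaluate_filter(FILTER_LIST, path))
```

A pattern such as "^$" (empty path) is the usual way to advertise only locally originated routes to a transit provider, and "^209_" or "_80$" anchors on the neighbouring AS or the originating AS respectively.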
Command Syntax: redistribute ospf process-id [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name]
Command Mode:   ROUTER BGP or CONF-ROUTER_BGPv6_AF
Purpose:        Include specific OSPF routes in IS-IS. Configure the following parameters:
                • process-id range: 1 to 65535
                • match external range: 1 or 2
                • match internal
                • metric-type: external or internal.
                • map-name: name of a configured route map.

Enable additional paths

By default, the add-path feature is disabled.
• All routes with the NO_EXPORT_SUBCONFED (0xFFFFFF03) community attribute are not sent to CONFED-EBGP or EBGP peers, but are sent to IBGP peers within CONFED-SUB-AS.
• All routes with the NO_ADVERTISE (0xFFFFFF02) community attribute must not be advertised.
• All routes with the NO_EXPORT (0xFFFFFF01) community attribute must not be advertised outside a BGP confederation boundary, but are sent to CONFED-EBGP and IBGP peers.
To set or modify an extended community attribute, use the set extcommunity {rt | soo} {ASN:NN | IPADDR:NN} command. To view the configuration, use the show config command in the CONFIGURATION COMMUNITY-LIST or CONFIGURATION EXTCOMMUNITY LIST mode or the show ip {community-lists | extcommunity-list} command in EXEC Privilege mode (Figure 10-28).

Figure 10-28.
To view which BGP routes meet an IP Community or Extended Community list’s criteria, use the show ip bgp {community-list | extcommunity-list} command in EXEC Privilege mode.

Manipulate the COMMUNITY attribute

In addition to permitting or denying routes based on the values of the COMMUNITY attributes, you can manipulate the COMMUNITY attribute value and send the COMMUNITY attribute with the route information. By default, FTOS does not send the COMMUNITY attribute.
Step 2
  Command Syntax: set comm-list
  Command Mode:   CONFIG-ROUTE-MAP
  Purpose:        Configure a set filter to delete all COMMUNITY numbers in the IP Community list.

  Command Syntax: set community {community-number | local-as | no-advertise | no-export | none}
  Command Mode:   CONFIG-ROUTE-MAP
  Purpose:        Configure a Community list by denying or permitting specific community numbers or types of community.
                  • community-number: use AA:NN format where AA is the AS number (2 or 4 Bytes) and NN is a value specific to that autonomous system.
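The well-known community values listed earlier (NO_EXPORT_SUBCONFED 0xFFFFFF03, NO_ADVERTISE 0xFFFFFF02, NO_EXPORT 0xFFFFFF01) and the AA:NN format in the set community row describe the same 32-bit attribute from two sides. As an added example, not FTOS code, the following encodes AA:NN and the keyword forms (local-as, no-advertise, no-export, matching the set community keywords), decodes them back, and applies the three export rules to decide which peer types a route may be advertised to. Peer types are modelled as IBGP, CONFED-EBGP and EBGP as in the rules; the ordinary community values are constructed.

```python
"""Encode AA:NN communities and apply the well-known community export rules
listed above. Added example, not FTOS code; ordinary community values are
constructed for illustration."""
from typing import Iterable, List

NO_EXPORT = 0xFFFFFF01
NO_ADVERTISE = 0xFFFFFF02
NO_EXPORT_SUBCONFED = 0xFFFFFF03
# Keyword spellings follow the set community command above.
WELL_KNOWN = {NO_EXPORT: "no-export", NO_ADVERTISE: "no-advertise",
              NO_EXPORT_SUBCONFED: "local-as"}

PEER_TYPES = ("IBGP", "CONFED-EBGP", "EBGP")


def community(text: str) -> int:
    """Parse AA:NN (AA a 16-bit AS number, NN a value local to that AS) or a
    well-known keyword into the 32-bit community value."""
    for value, name in WELL_KNOWN.items():
        if text == name:
            return value
    aa_text, nn_text = text.split(":", 1)
    aa, nn = int(aa_text), int(nn_text)
    if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
        raise ValueError(f"community out of range: {text}")
    return (aa << 16) | nn


def community_to_str(value: int) -> str:
    return WELL_KNOWN.get(value, f"{value >> 16}:{value & 0xFFFF}")


def may_advertise(communities: Iterable[int], peer_type: str) -> bool:
    """Export decision for one route toward one peer type.

    NO_ADVERTISE blocks every peer; NO_EXPORT stops at the confederation
    boundary (EBGP blocked, CONFED-EBGP and IBGP allowed); NO_EXPORT_SUBCONFED
    stops at the sub-AS boundary (only IBGP within the sub-AS allowed).
    """
    if peer_type not in PEER_TYPES:
        raise ValueError(f"unknown peer type {peer_type}")
    comms = set(communities)
    if NO_ADVERTISE in comms:
        return False
    if NO_EXPORT_SUBCONFED in comms and peer_type != "IBGP":
        return False
    if NO_EXPORT in comms and peer_type == "EBGP":
        return False
    return True


def export_targets(communities: Iterable[int]) -> List[str]:
    """Peer types a route carrying these communities may be sent to."""
    comms = list(communities)
    return [p for p in PEER_TYPES if may_advertise(comms, p)]


if __name__ == "__main__":
    route_comms = [community("65000:100"), community("no-export")]
    print([community_to_str(c) for c in route_comms], "->", export_targets(route_comms))
```

Because the checks are ordered from most to least restrictive, a route tagged with several well-known communities is governed by the strictest one, which is the behaviour the three rules above require when they overlap.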
Figure 10-29. Command example: show ip bgp community (Partial)

Force10>show ip bgp community
BGP table version is 3762622, local router ID is 10.114.8.48
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop       Metric  LocPrf  Weight  Path
*  i 3.0.0.0/8      195.171.0.16           100     0       209 701 80 i
*>i 4.2.49.12/30    195.171.0.16           100     0       209 i
*  i 4.21.132.0/23  195.171.0.
Use the following command in the CONFIGURATION ROUTER BGP mode to change the default values of this attribute for all routes received by the router.

Command Syntax: bgp default local-preference value
Command Mode:   CONFIG-ROUTER-BGP
Purpose:        Change the LOCAL_PREF value.
                • value range: 0 to 4294967295
                • Default is 100.

Use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode to view the BGP configuration.
You can also use route maps to change this and other BGP attributes. For example, you can include the following command in a route map to specify the next hop address:

Command Syntax: set next-hop ip-address
Command Mode:   CONFIG-ROUTE-MAP
Purpose:        Sets the next hop address.

Change WEIGHT attribute

Use the following command in CONFIGURATION ROUTER BGP mode to change how the WEIGHT attribute is used.
Filter BGP routes

Filtering routes allows you to implement BGP policies. You can use either IP prefix lists, route maps, AS-PATH ACLs or IP Community lists (via a route map) to control which routes are accepted and advertised by the BGP neighbor or peer group. Prefix lists filter routes based on route and prefix length, while AS-Path ACLs filter routes based on the Autonomous System number. Route maps can filter and set conditions, change attributes, and assign update policies.
Step 5
  Command Syntax: neighbor {ip-address | peer-group-name} distribute-list prefix-list-name {in | out}
  Command Mode:   CONFIG-ROUTER-BGP
  Purpose:        Filter routes based on the criteria in the configured prefix list. Configure the following parameters:
                  • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name.
                  • prefix-list-name: enter the name of a configured prefix list.
                  • in: apply the prefix list to inbound routes.
Step
  Command Syntax: neighbor {ip-address | peer-group-name} route-map map-name {in | out}
  Command Mode:   CONFIG-ROUTER-BGP
  Purpose:        Filter routes based on the criteria in the configured route map. Configure the following parameters:
                  • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name.
                  • map-name: enter the name of a configured route map.
                  • in: apply the route map to inbound routes.
                  • out: apply the route map to outbound routes.
Configure BGP route reflectors

BGP route reflectors are intended for Autonomous Systems with a large mesh and they reduce the amount of BGP control traffic. With route reflection configured properly, IBGP routers are not fully meshed within a cluster but all receive routing information. Configure clusters of routers where one router is a concentration router and others are clients who receive their updates from the concentration router.
Use the following command in the CONFIGURATION ROUTER BGP mode to aggregate routes.

Command Syntax: aggregate-address ip-address mask [advertise-map map-name] [as-set] [attribute-map map-name] [summary-only] [suppress-map map-name]
Command Mode:   CONFIG-ROUTER-BGP
Purpose:        Assign the IP address and mask of the prefix to be aggregated.
Use the following commands in the CONFIGURATION ROUTER BGP mode to configure BGP confederations.

Command Syntax: bgp confederation identifier as-number
Command Mode:   CONFIG-ROUTER-BGP
Purpose:        Specifies the confederation ID.
                AS-number: 0-65535 (2-Byte) or 1-4294967295 (4-Byte)

Command Syntax: bgp confederation peers as-number [... as-number]
Command Mode:   CONFIG-ROUTER-BGP
Purpose:        Specifies which confederation sub-AS are peers.
Figure 10-31.
To set dampening parameters via a route map, use the following command in CONFIGURATION ROUTE-MAP mode:

Command Syntax: set dampening half-life reuse
Command Mode:   CONFIG-ROUTE-MAP
Purpose:        Enter the following optional parameters to configure route dampening parameters:
                • half-life range: 1 to 45. Number of minutes after which the Penalty is decreased.
Use the following command in EXEC Privilege mode to clear information on route dampening and return suppressed routes to active state.

Command Syntax: clear ip bgp dampening [ip-address mask]
Command Mode:   EXEC Privilege
Purpose:        Clear all information or only information on a specific route.

Use the following command in EXEC and EXEC Privilege mode to view statistics on route flapping.
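The half-life and reuse parameters above define an exponential decay, and the question an operator usually has is how long a flapping prefix stays suppressed once it settles. The following is an added example, not FTOS code, that models the arithmetic: the penalty halves once per half-life, a route is released when the decayed penalty falls below the reuse limit, and clear ip bgp dampening returns it to active immediately. Only half-life and reuse appear in the text; the suppress limit, the per-flap penalty and the maximum suppress time are assumed values chosen for the example, and the flap sequence is constructed.

```python
"""Route flap dampening arithmetic: penalty decay by half-life, suppress and
reuse limits, and the effect of clear ip bgp dampening. Added example, not
FTOS code; suppress limit, per-flap penalty and max-suppress time are assumed."""
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000      # assumed penalty added per flap


@dataclass
class Dampening:
    half_life_min: int = 15     # minutes for the penalty to halve (range 1-45 per the text)
    reuse: int = 750            # a suppressed route is released below this value
    suppress: int = 2000        # assumed: a route is suppressed above this value
    max_suppress_min: int = 60  # assumed: longest time a route stays suppressed

    def __post_init__(self) -> None:
        if not 1 <= self.half_life_min <= 45:
            raise ValueError("half-life must be 1 to 45 minutes")
        if self.reuse >= self.suppress:
            raise ValueError("reuse limit must be below suppress limit")
        # Ceiling on the penalty: max-suppress-time of decay from here lands
        # exactly on the reuse limit, so no route stays down longer than that.
        self.max_penalty = self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


@dataclass
class RouteState:
    penalty: float = 0.0
    suppressed: bool = False
    last_update_min: float = 0.0


def decay(penalty: float, minutes: float, half_life_min: int) -> float:
    """Exponential decay: the penalty halves once per half-life."""
    return penalty * 0.5 ** (minutes / half_life_min)


def on_flap(state: RouteState, now_min: float, cfg: Dampening) -> RouteState:
    """A flap adds FLAP_PENALTY to the decayed penalty and may start suppression."""
    penalty = decay(state.penalty, now_min - state.last_update_min, cfg.half_life_min)
    penalty = min(penalty + FLAP_PENALTY, cfg.max_penalty)
    return RouteState(penalty, state.suppressed or penalty > cfg.suppress, now_min)


def on_timer(state: RouteState, now_min: float, cfg: Dampening) -> RouteState:
    """Periodic re-evaluation without a flap: release once below the reuse limit."""
    penalty = decay(state.penalty, now_min - state.last_update_min, cfg.half_life_min)
    return RouteState(penalty, state.suppressed and penalty >= cfg.reuse, now_min)


def clear_dampening(state: RouteState, now_min: float) -> RouteState:
    """clear ip bgp dampening: forget the penalty and return the route to active."""
    return RouteState(0.0, False, now_min)


def minutes_until_reuse(penalty: float, cfg: Dampening) -> float:
    """How long a suppressed route stays down if it stops flapping now."""
    if penalty < cfg.reuse:
        return 0.0
    return cfg.half_life_min * math.log2(penalty / cfg.reuse)


def flap_times(n: int, at_min: float, cfg: Dampening) -> RouteState:
    """Apply n flaps at the same instant, starting from a clean route."""
    state = RouteState()
    for _ in range(n):
        state = on_flap(state, at_min, cfg)
    return state


if __name__ == "__main__":
    cfg = Dampening()
    state = flap_times(3, 0, cfg)
    print(f"penalty {state.penalty:.0f}, suppressed={state.suppressed}, "
          f"reuse in {minutes_until_reuse(state.penalty, cfg):.0f} min")
```

With the assumed limits, three flaps in quick succession reach a penalty of 3000 and the route stays suppressed for two half-lives (30 minutes) unless an operator clears dampening first.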
Change BGP timers

Use either or both of the following commands in the CONFIGURATION ROUTER BGP mode to configure BGP timers.

Command Syntax: neighbor {ip-address | peer-group-name} timers keepalive holdtime
Command Mode:   CONFIG-ROUTER-BGP
Purpose:        Configure timer values for a BGP neighbor or peer group.
                • keepalive range: 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. (Default: 60 seconds)
                • holdtime range: 3 to 65536.
Use the clear ip bgp command in EXEC Privilege mode at the system prompt to reset a BGP connection using BGP soft reconfiguration.

Command Syntax: clear ip bgp {* | neighbor-address | AS Numbers | ipv4 | peer-group-name} [soft [in | out]]
Command Mode:   EXEC Privilege
Purpose:        Clear all information or only specific details.
Route map continue

The BGP route map continue feature (in ROUTE-MAP mode) allows movement from one route-map entry to a specific route-map entry (the sequence number). If the sequence number is not specified, the continue feature moves to the next sequence number (also known as an implied continue). If a match clause exists, the continue feature executes only after a successful match occurs. If there are no successful matches, continue is ignored.
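The continue semantics above are easiest to check against a small model. The following is an added example, not FTOS code, of route-map evaluation: entries run in sequence order, an entry whose match fails is skipped (so its continue is ignored), a matching entry applies its set clauses and then either stops with its action or, with continue, jumps to the named sequence number or the next entry. The route map, its match predicates (written as plain Python functions) and the sample routes are constructed; the implicit deny when no entry matches is the usual route-map behaviour and is assumed here.

```python
"""Model of route-map evaluation with the continue clause, as described
above. Added example, not FTOS code; entries and routes are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Route = Dict[str, object]


@dataclass
class Entry:
    seq: int
    action: str = "permit"                            # "permit" or "deny"
    match: Optional[Callable[[Route], bool]] = None   # None matches every route
    sets: Dict[str, object] = field(default_factory=dict)
    continue_to: Optional[int] = None                 # explicit continue <seq>
    continue_next: bool = False                       # implied continue (no number)


def evaluate_route_map(entries: List[Entry], route: Route) -> Tuple[str, Route, List[int]]:
    """Return (verdict, modified route, sequence numbers that executed).

    Entries are visited in sequence order. An entry whose match fails is
    skipped, so its continue is never reached. A matching entry applies its
    set clauses; with continue, evaluation moves to the named sequence number
    (or the next entry) rather than stopping. A matching deny entry, or
    running off the end of the route map, denies the route.
    """
    ordered = sorted(entries, key=lambda e: e.seq)
    route = dict(route)
    executed: List[int] = []
    i = 0
    while i < len(ordered):
        entry = ordered[i]
        if entry.match is not None and not entry.match(route):
            i += 1
            continue
        executed.append(entry.seq)
        route.update(entry.sets)
        if entry.action == "deny":
            return "deny", route, executed
        if entry.continue_to is not None:
            if entry.continue_to <= entry.seq:
                raise ValueError(f"seq {entry.seq}: continue must point forward")
            i = next((k for k, e in enumerate(ordered) if e.seq >= entry.continue_to), len(ordered))
        elif entry.continue_next:
            i += 1
        else:
            return "permit", route, executed
    return "deny", route, executed


# Constructed route map: seq 10 and 20 use continue; seq 30 is jumped over
# whenever seq 20 matches.
ROUTE_MAP = [
    Entry(10, match=lambda r: "65000:100" in r["communities"],
          sets={"local_pref": 200}, continue_next=True),
    Entry(20, match=lambda r: 701 in r["as_path"],
          sets={"med": 50}, continue_to=40),
    Entry(30, sets={"weight": 10}),
    Entry(40, sets={"next_hop": "10.1.1.1"}),
]


def apply_sample(route: Route) -> Tuple[str, Route, List[int]]:
    return evaluate_route_map(ROUTE_MAP, route)


if __name__ == "__main__":
    verdict, out, trace = apply_sample({"communities": {"65000:100"}, "as_path": [209, 701]})
    print(verdict, "executed", trace, "route", out)
```

Tracing which sequence numbers executed is the quickest way to confirm that a continue landed where intended; in the sample, a route that matches seq 20 never sees seq 30's set weight.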
MBGP Configuration

Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing. The routes associated with multicast routing are used by the Protocol Independent Multicast (PIM) to build data distribution trees. FTOS MBGP is implemented as per RFC 1858. The MBGP feature can be enabled per router and/or per peer/peer-group. Default is IPv4 Unicast routes.
Debugging BGP

Use any of the commands in EXEC Privilege mode to enable BGP debugging.

Command Syntax: debug ip bgp [ip-address | peer-group peer-group-name] [in | out]
Command Mode:   EXEC Privilege
Purpose:        View all information on BGP, including BGP events, keepalives, notifications, and updates.

Command Syntax: debug ip bgp dampening [in | out]
Command Mode:   EXEC Privilege
Purpose:        View information on BGP routes being dampened.
Storing Last and Bad PDUs

FTOS stores the last notification sent/received, and the last bad PDU received on a per peer basis. The last bad PDU is the one that causes a notification to be issued. These PDUs are shown in the output of the command show ip bgp neighbor, as shown in Figure 10-34.

Figure 10-34. Viewing the Last Bad PDU from BGP Peers

Force10(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2
BGP neighbor is 1.1.1.2, remote AS 2, external link
  BGP version 4, remote router ID 2.4.0.
Capturing PDUs

Capture incoming and outgoing PDUs on a per-peer basis using the command capture bgp-pdu neighbor direction. Disable capturing using the no form of this command. The buffer size supports a maximum value between 40 MB (the default) and 100 MB. The capture buffers are cyclic and reaching the limit prompts the system to overwrite the oldest PDUs when new ones are received for a given neighbor or direction.
• clear ip bgp is issued
• New PDUs are captured and there is no more space to store them
• The max buffer size is reduced. (This may cause PDUs to be cleared depending upon the buffer space consumed and the new limit.)

With a full internet feed (205K) captured, approximately 11.8 MB is required to store all of the PDUs, as shown in Figure 10-36.

Figure 10-36. Required Memory for Captured PDUs

Force10(conf-router_bgp)#do show capture bgp-pdu neighbor 172.30.1.
Figure 10-37. Sample Configuration Illustration (network diagram; recoverable labels: Physical Links, Virtual Links; AS 99; AS 100; Peer Groups AAA, BBB and CCC; interfaces GigE 1/21 10.0.1.21/24, GigE 2/11 10.0.1.22/24, GigE 1/31 10.0.3.31/24, GigE 3/11 10.0.3.33/24, GigE 3/21 10.0.2.3/24, GigE 2/31 10.0.2.; Loopback 1 192.168.128.1/24, Loopback 1 192.168.128.2/24, Loopback 1 192.168.128.3/24)
Figure 10-38. Enable BGP - Router 1

R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.1/24
 no shutdown
R1(conf-if-lo-0)#int gig 1/21
R1(conf-if-gi-1/21)#ip address 10.0.1.21/24
R1(conf-if-gi-1/21)#no shutdown
R1(conf-if-gi-1/21)#show config
!
interface GigabitEthernet 1/21
 ip address 10.0.1.21/24
 no shutdown
R1(conf-if-gi-1/21)#int gig 1/31
R1(conf-if-gi-1/31)#ip address 10.0.3.
Figure 10-39. Enable BGP - Router 2

R2# conf
R2(conf)#int loop 0
R2(conf-if-lo-0)#ip address 192.168.128.2/24
R2(conf-if-lo-0)#no shutdown
R2(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.2/24
 no shutdown
R2(conf-if-lo-0)#int gig 2/11
R2(conf-if-gi-2/11)#ip address 10.0.1.22/24
R2(conf-if-gi-2/11)#no shutdown
R2(conf-if-gi-2/11)#show config
!
interface GigabitEthernet 2/11
 ip address 10.0.1.
Figure 10-40. Enable BGP - Router 3

R3# conf
R3(conf)#
R3(conf)#int loop 0
R3(conf-if-lo-0)#ip address 192.168.128.3/24
R3(conf-if-lo-0)#no shutdown
R3(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.3/24
 no shutdown
R3(conf-if-lo-0)#int gig 3/11
R3(conf-if-gi-3/11)#ip address 10.0.3.33/24
R3(conf-if-gi-3/11)#no shutdown
R3(conf-if-gi-3/11)#show config
!
interface GigabitEthernet 3/11
 ip address 10.0.3.
Figure 10-41. Enable Peer Group - Router 1

R1#conf
R1(conf)#router bgp 99
R1(conf-router_bgp)# network 192.168.128.0/24
R1(conf-router_bgp)# neighbor AAA peer-group
R1(conf-router_bgp)# neighbor AAA no shutdown
R1(conf-router_bgp)# neighbor BBB peer-group
R1(conf-router_bgp)# neighbor BBB no shutdown
R1(conf-router_bgp)# neighbor 192.168.128.2 peer-group AAA
R1(conf-router_bgp)# neighbor 192.168.128.
Figure 10-42.
Figure 10-43. Enable Peer Groups - Router 2

R2#conf
R2(conf)#router bgp 99
R2(conf-router_bgp)# neighbor CCC peer-group
R2(conf-router_bgp)# neighbor CC no shutdown
R2(conf-router_bgp)# neighbor BBB peer-group
R2(conf-router_bgp)# neighbor BBB no shutdown
R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
R2(conf-router_bgp)# neighbor 192.168.128.
Figure 10-44. Enable Peer Group - Router 3

R3#conf
R3(conf)#router bgp 100
R3(conf-router_bgp)# neighbor AAA peer-group
R3(conf-router_bgp)# neighbor AAA no shutdown
R3(conf-router_bgp)# neighbor CCC peer-group
R3(conf-router_bgp)# neighbor CCC no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.2 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.
Figure 10-45.
11 Content Addressable Memory (CAM)

Content addressable memory (CAM) is a type of memory that stores information in the form of a look-up table (LUT). On Dell Networking systems, the CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACL), flows, and routing policies.
The ipv6acl and vman-dual-qos allocations must be entered as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.

Note: On the MXL 10/40GbE Switch IO Module, there can be only one odd number of blocks in the command line interface (CLI) configuration; the other blocks must be in factors of two. For example, a CLI configuration of 5+4+2+1+1 blocks is not supported; a configuration of 6+4+2+1 blocks is supported.
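The allocation rules above are easy to get wrong when editing a cam-acl profile by hand, and the switch only tells you after the fact. The following is an added example, not FTOS code, of a pre-flight check that applies the two rules from the text (ipv6acl and vman-dual-qos must be even; at most one odd-sized block overall) and reproduces the page's own verdicts on 5+4+2+1+1 and 6+4+2+1. Two things are assumptions: the allocation is expected to total 13 blocks (both of the page's examples sum to 13), and the partition names other than ipv6acl and vman-dual-qos are illustrative labels for the example.

```python
"""Validate a cam-acl block allocation against the rules above. Added example,
not FTOS code. Assumptions: the allocation must total 13 blocks (both of the
page's examples sum to 13) and partition names other than ipv6acl and
vman-dual-qos are illustrative."""
from typing import Dict, List

EVEN_ONLY = {"ipv6acl", "vman-dual-qos"}   # must be entered as a factor of 2
DEFAULT_TOTAL_BLOCKS = 13                   # assumed from the page's examples


def cam_allocation_errors(alloc: Dict[str, int], total_blocks: int = DEFAULT_TOTAL_BLOCKS) -> List[str]:
    """Return every rule the allocation breaks; an empty list means valid."""
    errors: List[str] = []
    for name, blocks in alloc.items():
        if blocks < 0:
            errors.append(f"{name}: negative block count {blocks}")
        if name in EVEN_ONLY and blocks % 2:
            errors.append(f"{name}: must be a multiple of 2, got {blocks}")
    odd = [name for name, blocks in alloc.items() if blocks % 2]
    if len(odd) > 1:
        errors.append("only one odd-sized block is allowed, found " + ", ".join(odd))
    total = sum(alloc.values())
    if total != total_blocks:
        errors.append(f"allocation totals {total} blocks, expected {total_blocks}")
    return errors


def is_valid_cam_allocation(alloc: Dict[str, int], total_blocks: int = DEFAULT_TOTAL_BLOCKS) -> bool:
    return not cam_allocation_errors(alloc, total_blocks)


# The two configurations named in the note above (partition labels illustrative).
UNSUPPORTED = {"l2acl": 5, "ipv4acl": 4, "ipv6acl": 2, "ipv4qos": 1, "l2qos": 1}   # 5+4+2+1+1
SUPPORTED = {"l2acl": 6, "ipv4acl": 4, "ipv6acl": 2, "ipv4qos": 1}                  # 6+4+2+1

if __name__ == "__main__":
    for label, alloc in (("5+4+2+1+1", UNSUPPORTED), ("6+4+2+1", SUPPORTED)):
        problems = cam_allocation_errors(alloc)
        print(label, "supported" if not problems else "; ".join(problems))
```

Running the check before applying a profile change is worthwhile because a cam-acl change on these platforms takes effect only after a reload, so a rejected allocation discovered late costs a maintenance window.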
Figure 11-1. Command Example: test cam-usage

FTOS#test cam-usage service-policy input pmap stack-unit all
Stack-Unit | Portpipe | CAM Partition | Available CAM | Estimated CAM per Port | Status
------------------------------------------------------------------------------------------
2          | 0        | L2ACL         | 28            | 1                      | Allowed (28)

View CAM-ACL Settings

View the current cam-acl settings for the system chassis and each component using the show cam-acl command (Figure 11-2).

Figure 11-2.
CAM Optimization

When you enable the CAM optimization command, if a policy map containing classification rules (ACL and/or dscp/ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only one FP entry is used). When you disable this command, the system behaves as described in this chapter. However, enabling CAM optimization would apply a single rate policy FP entry.
12 Data Center Bridging (DCB)

The data center bridging (DCB) features are supported on the MXL 10/40GbE Switch.
Data center bridging satisfies the needs of the following types of data center traffic in a unified fabric:
• LAN traffic consists of a large number of flows that are generally insensitive to latency requirements, while certain applications, such as streaming video, are more sensitive to latency. Ethernet functions as a best-effort network that may drop packets in case of network congestion.
Figure 12-1.

Priority-Based Flow Control
PFC is implemented as follows in the Dell Networking operating software (FTOS):
• PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface. However, only two lossless queues are supported on an interface: one for FCoE converged traffic and one for SCSI storage traffic. You must configure the same lossless queues on all ports.
Although you can configure strict-priority queue scheduling for a priority group, ETS introduces flexibility that allows the bandwidth allocated to each priority group to be dynamically managed according to the amount of LAN, storage, and server traffic in a flow. Unused bandwidth in a priority-group is dynamically allocated to other priority groups for which traffic is available to be scheduled. Traffic is queued according to its 802.
Data Center Bridging Exchange Protocol (DCBX)
The data center bridging exchange (DCBX) protocol is enabled by default on any switch on which PFC or ETS are enabled. DCBX allows a switch to automatically discover DCB-enabled peers and exchange configuration information. PFC and ETS use DCBX to exchange and negotiate parameters with peer devices.
Enabling Data Center Bridging
Data center bridging is enabled by default on an MXL 10/40GbE Switch to support converged enhanced Ethernet (CEE) in a data center network, and is a prerequisite for configuring:
• Priority-based flow control
• Enhanced transmission selection
• Data center bridging exchange protocol
• FCoE initialization protocol (FIP) snooping
DCB processes virtual local area network (VLAN)-tagged packets and dot1p priority values.
QoS dot1p Traffic Classification and Queue Assignment
DCB supports PFC, ETS, and DCBX to handle converged Ethernet traffic that is assigned to an egress queue according to the following quality of service (QoS) methods:
• Honor dot1p: Using the service-class dynamic dot1p command in INTERFACE Configuration mode, you can honor dot1p priorities in ingress traffic at the port or global switch level (refer to Honoring dot1p Values on Ingress Packets).
Configuring Priority-Based Flow Control
Priority-based flow control provides a flow control mechanism based on the 802.1p priorities in converged Ethernet traffic received on an interface and is enabled by default. As an enhancement to the existing Ethernet pause mechanism, PFC stops traffic transmission for specified priorities (CoS values) without impacting other priority classes. Different traffic types are assigned to different priority classes.
FTOS Behavior: If you reconfigure the PFC priorities in an input policy and re-apply the policy to an interface,

As soon as you apply a DCB policy with PFC enabled on an interface, DCBX starts exchanging information with PFC-enabled peers. The IEEE 802.1Qbb, CEE and CIN versions of PFC TLV are supported. DCBX also validates PFC configurations received in TLVs from peer devices. By applying a DCB input policy with PFC enabled, you enable PFC operation on ingress port traffic.
Configuring Lossless Queues
DCB also supports the manual configuration of lossless queues on an interface when PFC mode is turned off and priority classes are disabled in a DCB input policy applied to the interface. The configuration of no-drop queues provides flexibility for ports on which PFC is not needed but lossless traffic should egress from the interface. Lossless traffic egresses out the no-drop queues.
Configuring the PFC Buffer in a Switch Stack
In a switch stack, you must configure all stacked ports with the same PFC configuration. In addition, you must configure a separate buffer of memory allocated exclusively to a service pool accessed by queues on which priority-based control flows are mapped. These PFC-enabled queues ensure the lossless transmission of storage and server traffic.
Configuring Enhanced Transmission Selection
Enhanced transmission selection (ETS) provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs. Using ETS, you can create groups within an 802.1p priority class to configure different treatment for traffic with different bandwidth, latency, and best-effort needs.
Creating a QoS ETS Output Policy
A QoS output policy that you create to optimize bandwidth on an output interface for specified priority traffic consists of the ETS settings used in DCBX negotiations with peer devices:
• Bandwidth percentage
• Queue scheduling
To create a QoS output policy with ETS settings, follow these steps:
Step | Task | Command | Command Mode
1 | Create a QoS output policy to configure the ETS bandwidth allocation and scheduling for priority traffic. Maximum: 32 characters.
FTOS Behavior: Traffic in priority groups is assigned to strict-queue or WERR scheduling in an ETS output policy and is managed using the ETS bandwidth-assignment algorithm. FTOS removes all frames of strict-priority traffic from the queue before servicing any other queues. A queue with strict-priority traffic can starve other queues in the same port. ETS-assigned bandwidth allocation and scheduling apply only to data queues, not to control queues.
Creating an ETS Priority Group
An ETS priority group specifies the range of 802.1p priority traffic to which a QoS output policy with ETS settings is applied on an egress interface. You can associate a priority group to more than one ETS output policy on different interfaces. To create a priority group for ETS, follow these steps:
Step | Task | Command | Command Mode
1 | Create an ETS priority group to use with an ETS output policy. Maximum: 32 characters.
Applying an ETS Output Policy for a Priority Group to an Interface
To apply ETS on egress port traffic, you must associate a priority group with an ETS output policy which has scheduling and bandwidth configuration in a DCB output policy, and then apply the output policy to an interface. To apply ETS on egress port traffic, follow these steps:
Step | Task | Command | Command Mode
1 | Create a DCB output policy to associate an ETS configuration with priority traffic.
ETS Operation with DCBX
In DCBX negotiation with peer ETS devices, ETS configuration is handled as follows:
• ETS TLVs are supported in DCBX versions CIN, CEE, and IEEE 2.5.
• ETS operational parameters are determined by the DCBX port-role configurations (Configuring DCBX Operation).
• ETS configurations received from TLVs from a peer are validated.
• In case of a hardware limitation or TLV error:
  • DCBX operation on an ETS port goes down.
To create a QoS output policy that allocates different amounts of bandwidth to the different traffic types/dot1p priorities assigned to a queue and apply the output policy to the interface, follow these steps.
Step | Task | Command | Command Mode
1 | Create a QoS output policy. Maximum: 32 alphanumeric characters.
Applying DCB Policies in a Switch Stack
You can apply a DCB input policy with PFC configuration to all stacked ports in a switch stack or on a stacked switch. You can apply different DCB input policies to different stacked switches.
Task | Command | Command Mode
Apply the specified DCB input policy on all ports of the switch stack or a single stacked switch.
Configuring DCBX Operation
The data center bridging exchange protocol (DCBX) is used by DCB devices to exchange configuration information with directly connected peers using the link layer discovery protocol (LLDP). DCBX can detect the misconfiguration of a peer DCB device, and optionally, configure peer DCB devices with DCB feature settings to ensure consistent operation in a data center network.
DCBX Port Roles
Use the following DCBX port roles to enable the auto-configuration of DCBX-enabled ports and propagate DCB configurations learned from peer DCBX devices internally to other switch ports:
• Auto-upstream: The port advertises its own configuration to DCBX peers and receives its configuration from DCBX peers (ToR or FCF device). The port also propagates its configuration to other ports on the switch.
• On a DCBX port that is the configuration source, all PFC and application priority TLVs are enabled. ETS recommend TLVs are disabled and ETS configuration TLVs are enabled.
• Manual: The port is configured to operate only with administrator-configured settings and does not auto-configure with DCB settings received from a DCBX peer or from an internally propagated configuration from the configuration source.
Configuration Source Election
When an auto-upstream or auto-downstream port receives a DCB configuration from a peer, the port first checks to see if there is an active configuration source on the switch.
• If a configuration source already exists, the received peer configuration is checked against the local port configuration. If the received configuration is compatible, DCBX marks the port as DCBX-enabled.
Auto-Detection and Manual Configuration of the DCBX Version
When operating in Auto-Detection mode (dcbx version auto command in DCBX Configuration Procedure), a DCBX port automatically detects the DCBX version on a peer port. Legacy CIN and CEE versions are supported in addition to the standard IEEE version 2.5 DCBX. A DCBX port detects a peer version after receiving a valid frame for that version.
Figure 12-4. DCBX Sample Topology

DCBX Prerequisites and Restrictions
The following prerequisites and restrictions apply when you configure DCBX operation on a port:
• DCBX requires LLDP in both send (TX) and receive (RX) mode to be enabled on a port interface (protocol lldp mode command; refer to Figure 30-7).
• If multiple DCBX peer ports are detected on a local DCBX interface, LLDP is shut down.
DCBX Configuration Procedure
To configure an MXL Switch for DCBX operation in a data center network, you must:
1. Configure ToR- and FCF-facing interfaces as auto-upstream ports.
2. Configure server-facing interfaces as auto-downstream ports.
3. Configure a port to operate in a configuration-source role.
4. Configure ports to operate in a manual role.
To verify the DCBX configuration on a port, use the show interface dcbx detail command (Figure 12-16).
Step | Task | Command | Command Mode
5 | On manual ports only: Configure the PFC and ETS TLVs advertised to DCBX peers, where:
  • ets-conf enables the advertisement of ETS Configuration TLVs.
  • ets-reco enables the advertisement of ETS Recommend TLVs.
  • pfc enables the advertisement of PFC TLVs.
  Default: All PFC and ETS TLVs are advertised.
Configuring DCBX Globally on the Switch
To globally configure DCBX operation on a switch, follow these steps:
Step | Task | Command | Command Mode
1 | Enter Global Configuration mode. | configure | EXEC PRIVILEGE
2 | Enter LLDP Configuration mode to enable DCBX operation.
Step | Task | Command | Command Mode
5 | Configure the Application Priority TLVs to be advertised on unconfigured interfaces with a manual port-role, where:
  • fcoe enables the advertisement of FCoE in Application Priority TLVs.
  • iscsi enables the advertisement of iSCSI in Application Priority TLVs.
  Default: Application Priority TLVs are enabled and advertise FCoE and iSCSI.
Debugging DCBX on an Interface
To enable DCBX debug traces for all or a specific control path, use the following command:
Task | Command | Command Mode
Enable DCBX debugging, where:
  • all: Enables all DCBX debugging operations.
  • auto-detect-timer: Enables traces for DCBX auto-detect timers.
  • config-exchng: Enables traces for DCBX configuration exchanges.
  • fail: Enables traces for DCBX failures.
  • mgmt: Enables traces for DCBX management frames.
Verifying DCB Configuration
Use the show commands in Table 12-2 to display DCB configurations.
Table 12-2. Displaying DCB Configurations
Command | Output
show dot1p-queue mapping (Figure 12-5) | Displays the current 802.1p priority-queue mapping.
show dcb [stack-unit unit-number] (Figure 12-6) | Displays data center bridging status, number of PFC-enabled ports, and number of PFC-enabled queues. On the master switch in a stack, you can specify a stack-unit number. Valid values: 0 to 5.
Figure 12-8. show qos dcb-output Command Example
FTOS# show qos dcb-output
dcb-output ets
 priority-group san qos-policy san
 priority-group ipc qos-policy ipc
 priority-group lan qos-policy lan

Figure 12-9. show qos priority-groups Command Example
FTOS#show qos priority-groups
priority-group ipc
 priority-list 4
 set-pgid 2

Figure 12-10.
Table 12-3. show interface pfc summary Command Description
Field | Description
Interface | Interface type with stack-unit and port number.
Admin mode is on; Admin is enabled | PFC Admin mode is on or off with a list of the configured PFC priorities. When PFC admin mode is on, PFC advertisements are enabled to be sent and received from peers; received PFC configuration takes effect. The admin operational status for a DCBX exchange of PFC configuration is enabled or disabled.
Table 12-3. show interface pfc summary Command Description (continued)
Field | Description
PFC TLV Statistics: Output TLV pkts | Number of PFC TLVs transmitted.
PFC TLV Statistics: Error pkts | Number of PFC error packets received.
PFC TLV Statistics: Pause Tx pkts | Number of PFC pause frames transmitted.
PFC TLV Statistics: Pause Rx pkts | Number of PFC pause frames received.

Figure 12-11.
Figure 12-12.
Figure 12-13.
Table 12-4. show interface ets detail Command Description
Field | Description
Interface | Interface type with stack-unit and port number.
Max Supported TC Group | Maximum number of priority groups supported.
Number of Traffic Classes | Number of 802.1p priorities currently configured.
Admin mode | ETS mode: on or off. When on, the scheduling and bandwidth allocation configured in an ETS output policy or received in a DCBX TLV from a peer can take effect on an interface.
Figure 12-14.
Figure 12-16.
Table 12-5. show interface dcbx detail Command Description
Field | Description
Local DCBX Compatibility mode | DCBX version accepted in a DCB configuration as compatible. In auto-upstream mode, a port can only receive a DCBX version supported on the remote peer.
Local DCBX Configured mode | DCBX version configured on the port: CEE, CIN, IEEE v2.5, or Auto (the port auto-configures to use the DCBX version received from a peer).
PFC and ETS Configuration Examples
This section contains examples of how to configure and apply DCB input and output policies on an interface.

Using PFC and ETS to Manage Data Center Traffic
In the example shown in Figure 12-17 for an MXL 10/40GbE Switch:
• Incoming SAN traffic is configured for priority-based flow control.
• Outbound LAN, IPC, and SAN traffic is mapped into three ETS priority groups and configured for enhanced transmission selection (bandwidth allocation and scheduling).
QoS Traffic Classification: On the MXL Switch, the service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in Table 12-6. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment. Table 12-6.
Table 12-8. Example: Priority Group-Bandwidth Assignment
Figure 12-18.
Figure 12-19.
Hierarchical Scheduling in ETS Output Policies
On an MXL Switch, ETS supports up to three levels of hierarchical scheduling. For example, you can apply ETS output policies with the following configurations:
• Priority group 1 assigns traffic to one priority queue with 20% of the link bandwidth and strict-priority scheduling.
• Priority group 2 assigns traffic to one priority queue with 30% of the link bandwidth.
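The ETS behaviour described in this chapter (strict-priority groups are drained first and can starve the rest; the remaining groups share bandwidth by their configured percentages; a group's unused share is handed to groups that still have traffic) can be reasoned about with a small model. The following is an added example, not code from the Dell guide and not FTOS's bandwidth-assignment algorithm: it is a simplified per-interval allocation that reproduces those three rules. The group names, link rate, percentages and offered loads are constructed; the 20% strict-priority group and 30% group mirror the hierarchical example above, and a third 50% group is assumed.

```python
# Added example (not from the Dell guide): a simplified model of ETS bandwidth
# allocation on one egress port. Strict-priority groups are served first, the
# weighted groups share the leftover link by their percentages, and any share a
# group cannot use is redistributed to groups that are still backlogged.
# Group names, percentages and offered loads below are constructed values.

def ets_allocate(link_mbps, groups, offered):
    """Return {group: allocated Mb/s} for one scheduling interval.

    groups:  {name: {"percent": int, "strict": bool}}
    offered: {name: offered load in Mb/s}
    """
    alloc = {g: 0.0 for g in groups}
    remaining = float(link_mbps)

    # 1. Strict-priority groups drain first, up to their offered load. Nothing
    #    caps them at their percentage, which is why they can starve the rest.
    for g, cfg in groups.items():
        if cfg["strict"]:
            alloc[g] = min(offered.get(g, 0.0), remaining)
            remaining -= alloc[g]

    # 2. Weighted groups: iterative water-filling on what the strict groups left.
    active = {g for g, cfg in groups.items() if not cfg["strict"]}
    while active and remaining > 1e-9:
        total_weight = sum(groups[g]["percent"] for g in active)
        if total_weight == 0:
            break
        round_bw = remaining
        satisfied = set()
        for g in active:
            share = round_bw * groups[g]["percent"] / total_weight
            need = offered.get(g, 0.0) - alloc[g]
            give = min(share, need)
            alloc[g] += give
            remaining -= give
            if give < share - 1e-9:        # could not use its full share
                satisfied.add(g)           # drop it; its leftover is re-shared
        active -= satisfied
        if not satisfied:
            break                          # every share was consumed: link is full
    return {g: round(v, 3) for g, v in alloc.items()}


# Constructed configuration: pg1 strict 20%, pg2 30%, pg3 50% on a 10 GbE link.
GROUPS = {
    "pg1": {"percent": 20, "strict": True},
    "pg2": {"percent": 30, "strict": False},
    "pg3": {"percent": 50, "strict": False},
}

if __name__ == "__main__":
    # pg2 needs less than its share, so pg3 picks up the unused bandwidth.
    print(ets_allocate(10000, GROUPS, {"pg1": 3000, "pg2": 1000, "pg3": 9000}))
    # A strict group offering more than the link starves pg2 and pg3 entirely.
    print(ets_allocate(10000, GROUPS, {"pg1": 12000, "pg2": 1000, "pg3": 1000}))
```

The second call shows the FTOS Behavior note in practice: the strict-priority group receives the whole link while the weighted groups get nothing, which is the reason to keep strict priority for low-volume traffic such as IPC rather than bulk LAN or SAN flows.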
13 Control Plane Policing (CoPP)

Control Plane Policing (CoPP) is supported on the MXL Switch platform.

Overview
Control Plane Policing (CoPP) uses ACL rules and QoS policies to create filters for a system's control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits traffic to an acceptable level.
[Figure: CoPP example with no CoPP rules. Labels in the figure: Front End Ports; Protocol to Queue Classification (Ingress Flow Entries); Hardware Queue Rate Limiting, queues Q0 to Q7, with STP on Q7 at 1100 PPS and Q6 at 400 PPS; CPU Software Queue; CPU Processes (OSPF, LACP, STP, ICMP, etc.); ICMP PING; OSPF floods the CPU at 1100 PPS and ICMP fails.]
Q7 receives STP at 1100 pps due to a network storm/loop. The CPU is hit with the entire 1100 pps and the PING attempt fails intermittently.
The CoPP policies are configured by creating extended ACL rules and specifying rate-limits through QoS policies. The ACLs and QoS policies are assigned as service-policies.

Configure CoPP for Protocols
This section lists the commands necessary to create and enable the service-policies for CoPP. Refer to Access Control Lists (ACLs) and Quality of Service (QoS) for complete information about creating ACLs and QoS rules.
Match QoS Class Map to QoS Policy
Force10(conf)#policy-map-input egressFP_rate_policy cpu-qos
Force10(conf-policy-map-in-cpuqos)#class-map class_ospf qos-policy rate_limit_500k
Force10(conf-policy-map-in-cpuqos)#class-map class_bgp qos-policy rate_limit_400k
Force10(conf-policy-map-in-cpuqos)#class-map class_lacp qos-policy rate_limit_200k
Force10(conf-policy-map-in-cpuqos)#class-map class-ipv6 qos-policy rate_limit_200k
Force10(conf-policy-map-in-cpuqos)#exit

Create Control Plane Service Policy
Force10(co
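The figure at the start of this chapter shows why a per-protocol policer matters: without CoPP rules, an STP storm at 1100 pps fills the CPU software queue and pings fail. The following added example (not code from the Dell guide, and a deliberate simplification of the hardware) replays that scenario as a simulation: a constructed one-second packet stream is run through optional per-protocol rate limits and then a fixed-rate CPU queue, first with no CoPP rules and then with STP policed. The queue drain rate of 400 pps and the storm rate of 1100 pps are taken from the figure; the 200 pps STP cap, the 10 pps ping rate and the 100 ms accounting window are assumptions.

```python
# Added example (not from the Dell guide): simulate a control-plane storm with
# and without per-protocol CoPP policing. Rates are packets per second; the
# real switch expresses its QoS rate limits in bits per second, and the 100 ms
# window and tail-drop CPU queue are modelling assumptions, not FTOS internals.
from collections import Counter, defaultdict

WINDOW_MS = 100   # accounting granularity of the simulation (assumed)


def build_storm(stp_pps=1100, icmp_pps=10, seconds=1):
    """Construct a 1-second arrival list: a continuous STP storm plus periodic pings.

    Within each window the storm packets precede the ping, which is what a
    saturated queue sees: the ping arrives into a queue the storm already filled.
    """
    stream = []
    for w in range(seconds * 1000 // WINDOW_MS):
        base = w * WINDOW_MS
        stream += [(base, "stp")] * (stp_pps * WINDOW_MS // 1000)
        stream += [(base + WINDOW_MS // 2, "icmp")] * (icmp_pps * WINDOW_MS // 1000)
    return stream


def simulate_copp(stream, policers, cpu_pps):
    """Run the stream through per-protocol policers and a tail-drop CPU queue.

    stream:   list of (time_ms, protocol) arrivals, as built by build_storm()
    policers: {protocol: allowed pps}; an empty dict models 'no CoPP rules'
    cpu_pps:  packets per second the CPU software queue can absorb
    Returns (delivered, dropped), each {protocol: packet count}.
    """
    delivered, dropped = Counter(), Counter()
    by_window = defaultdict(list)
    for t_ms, proto in stream:
        by_window[t_ms // WINDOW_MS].append(proto)
    cpu_cap = cpu_pps * WINDOW_MS // 1000

    for w in sorted(by_window):
        used, cpu_used = Counter(), 0
        for proto in by_window[w]:                 # arrival order within the window
            cap = policers.get(proto)
            if cap is not None and used[proto] >= cap * WINDOW_MS // 1000:
                dropped[proto] += 1                # hardware policer drops it
                continue
            used[proto] += 1
            if cpu_used >= cpu_cap:
                dropped[proto] += 1                # CPU software queue is full
                continue
            cpu_used += 1
            delivered[proto] += 1
    return dict(delivered), dict(dropped)


if __name__ == "__main__":
    storm = build_storm()
    print("no CoPP rules :", simulate_copp(storm, {}, cpu_pps=400))
    print("STP policed   :", simulate_copp(storm, {"stp": 200}, cpu_pps=400))
```

With no rules, every one of the ten pings is dropped because the 400 pps queue is already full of STP when each ping arrives; with STP capped at 200 pps the CPU still sees the storm, but only at a rate that leaves room for the pings, which is the property the class-map and rate-limit policies above are meant to deliver for each protocol.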
Use the show ip protocol-queue-mapping command to view the queue mapping for each configured protocol.
14 Dynamic Host Configuration Protocol (DHCP)

DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Figure 14-1. DHCP Packet Format (fields: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file, options; each option carries a Code and a Length)
The following table lists common DHCP options.
Table 14-1. Common DHCP Options
Option | Number and Description
Subnet Mask | Option 1. Specifies the client's subnet mask.
Router | Option 3. Specifies the router IP addresses that may serve as the client's default gateway.
Table 14-1. Common DHCP Options (continued)
Option | Number and Description
L2 DHCP Snooping | Option 82. Specifies IP addresses for DHCP messages received from the client that are to be monitored to build a DHCP snooping database.
End | Option 255. Signals the last option in the DHCP packet.

Assigning an IP Address Using DHCP
The following section describes DHCP and the client in a network. When a client joins a network:
1.
Figure 14-2. Client and Server Messaging (Client, Relay Agent, Server: 1. DHCPDISCOVER, 2. DHCPOFFER, 3. DHCPREQUEST, 4. DHCPACK, 5. DHCPRELEASE)

Implementation Information
The following describes DHCP implementation.
• The Dell Networking implementation of DHCP is based on RFC 2131 and RFC 3046.
• IP source address validation is a sub-feature of DHCP Snooping; the Dell Networking operating system (FTOS) uses access control lists (ACLs) internally to implement this feature.
• FTOS provides 40K entries that you can divide between leased addresses and excluded addresses.
• By extension, the maximum number of pools you can configure depends on the subnet mask that you give to each pool. For example, if all pools were configured for a /24 mask, the total would be 40000/253 (approximately 158). If the subnet is increased, more pools can be configured.
• The maximum subnet that can be configured for a single pool is /17.
Create an IP Address Pool
An address pool is a range of IP addresses that the DHCP server may assign. Address pools are indexed by subnet number. To create an address pool, follow these steps:
Step | Task | Command Syntax | Command Mode
1 | Access the DHCP server CLI context.
Excluding Addresses from the Address Pool
The DHCP server assumes that all IP addresses in a DHCP address pool are available for assigning to DHCP clients. You must specify the IP addresses that the DHCP server should not assign to clients.
Task | Command Syntax | Command Mode
Exclude an address range from DHCP assignment. The exclusion applies to all configured pools. | excluded-address | DHCP

Specifying an Address Lease Time
To specify an address lease time, use the following command.
In the following illustration, an IP phone is powered by power over Ethernet (PoE) and has acquired an IP address from the Dell Networking system, which is advertising link layer discovery protocol (LLDP)-media endpoint discovery (MED). The leased IP address is displayed using the show ip dhcp binding command and confirmed with the show lldp neighbors command.
Figure 14-3.
Step | Task | Command Syntax | Command Mode
2 | Specify the NetBIOS node type for a Microsoft DHCP client. Dell Networking recommends specifying clients as hybrid. | netbios-node-type type | DHCP

Creating Manual Binding Entries
An address binding is a mapping between the IP address and media access control (MAC) address of a client. The DHCP server assigns the client an available IP address automatically, and then creates an entry in the binding table.
Using DHCP Clear Commands
To clear DHCP binding entries, address conflicts, and server counters, use the following commands:
Task | Command Syntax | Command Mode
Clear DHCP binding entries for the entire binding table. | clear ip dhcp binding | EXEC Privilege
Clear a DHCP binding entry for an individual IP address. | clear ip dhcp binding ip address | EXEC Privilege
Clear a DHCP address conflict. | clear ip dhcp conflict | EXEC Privilege
Clear DHCP server counters.
Figure 14-4. Configuring a DHCP Relay Device

To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode.
Figure 14-5. Displaying the Helper Address Configuration
FTOS#show ip int tengig 1/3
TenGigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1 192.168.0.
Configure the System to be a DHCP Client
A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows:
• The switch can obtain a dynamically-assigned IP address from a DHCP server.
• The switch does not receive a start-up configuration.
FTOS Behavior: The ip address dhcp command enables DHCP server-assigned dynamic IP addresses on an interface. This setting persists after a switch reboot. If you enter the shutdown command on the interface, DHCP transactions are stopped and the dynamically-acquired IP address is saved. Use the show interface type slot/port command to display the dynamic IP address and DHCP as the mode of IP address assignment.
To configure and view an interface as a DHCP client to receive an IP address, use the following commands.
Step | Task | Command Syntax | Command Mode
1 | Enter INTERFACE Configuration mode on an Ethernet interface. | interface type slot/port | CONFIGURATION
2 | Acquire the IP address for an Ethernet interface from a DHCP network server.
Figure 14-7. show ip dhcp lease
FTOS# show ip dhcp lease interface tengigabitethernet 4/37
Interface: Te 4/37
Lease-IP: 189.17.9.2/30
Def-Router: 0.0.0.0
ServerId: 189.17.9.
Renew Time: 09-05-2023 04:56
Figure 14-8 shows an example of the packet- and event-level debug messages displayed for the packet transmissions and state transitions on a DHCP client interface when you enable and disable a DHCP client. Figure 14-8.
Figure 14-9 shows an example of the packet- and event-level debug messages displayed for the packet transmissions and state transitions on a DHCP client interface when you release and renew a DHCP client. Figure 14-9.
DHCP Client on a Management Interface
These conditions apply when you enable a management interface to operate as a DHCP client.
• The management default route is added with the gateway as the router IP address received in the DHCP ACK packet. This is required to send and receive traffic to and from other subnets on the external network. This route is added regardless of whether the DHCP client and server are in the same or different subnets.
VLAN and Port Channels
DHCP client configuration and behavior is the same on port-channel (LAG) and VLAN interfaces as on a physical interface.

DHCP Snooping
A DHCP client can run at the same time as the DHCP snooping feature on a switch, as follows:
• If you enable DHCP snooping globally on the switch and DHCP client on an interface, the trust port, source MAC address, and snooping table validations are not performed on the interface by DHCP snooping for packets destined to the DHCP client daemon.
Option 82
RFC 3046 (the relay agent information option, or Option 82) is used for class-based IP address assignment. The code for the relay agent information option is 82 and is comprised of two sub-options, circuit ID and remote ID.
• Circuit ID is the interface on which the client-originated message is received.
• Remote ID identifies the host from which the message is received. The value of this sub-option is the MAC address of the relay agent that adds Option 82.
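The packet layout in Figure 14-1, the option table, and the Option 82 sub-options just described are all visible in a single decoder, so the following added example (not code from the Dell guide, and not the switch's own relay or snooping implementation) parses an RFC 2131 message and its option area, decoding Subnet Mask (1), Router (3), Message Type (53) and the Relay Agent Information option (82) with its Circuit ID and Remote ID sub-options. The sample DHCPDISCOVER it builds is constructed: the client MAC, the giaddr 10.11.0.1, the circuit ID string and the relay MAC are made up for the example, and option 53 is used to name the message type because the page's table lists no message-type option.

```python
# Added example (not from the Dell guide): parse a DHCP message (RFC 2131 fixed
# header plus TLV options) including the RFC 3046 relay agent information
# option. The sample message at the bottom is constructed for this example.
import struct
from ipaddress import IPv4Address

OPT_SUBNET_MASK, OPT_ROUTER, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 1, 3, 53, 82, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the options area
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE"}


def parse_dhcp(data):
    """Decode the fixed header fields of Figure 14-1 and the options that follow."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", data[:12])
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    ciaddr, yiaddr, siaddr, giaddr = (IPv4Address(data[i:i + 4]) for i in (12, 16, 20, 24))
    chaddr = data[28:28 + hlen]
    return {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid,
        "secs": secs, "flags": flags, "ciaddr": ciaddr, "yiaddr": yiaddr,
        "siaddr": siaddr, "giaddr": giaddr,
        "chaddr": ":".join(f"{b:02x}" for b in chaddr),
        "sname": data[44:108].split(b"\0", 1)[0].decode(errors="replace"),
        "file": data[108:236].split(b"\0", 1)[0].decode(errors="replace"),
        "options": parse_options(data[240:]),
    }


def parse_options(buf):
    """Walk the Code/Length/Value option area; stops at End (255), skips Pad (0)."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_END:
            break
        if code == 0:                         # pad byte, no length
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:              # length field runs past the packet
            raise ValueError(f"option {code} truncated")
        opts[code] = decode_option(code, value)
        i += 2 + length
    return opts


def decode_option(code, value):
    if code in (OPT_SUBNET_MASK, OPT_ROUTER):
        return [IPv4Address(value[j:j + 4]) for j in range(0, len(value) - 3, 4)]
    if code == OPT_MSG_TYPE:
        return MSG_TYPES.get(value[0], value[0])
    if code == OPT_RELAY_AGENT:
        return parse_relay_agent(value)
    return value                               # unknown options stay raw


def parse_relay_agent(value):
    """Option 82 sub-options: 1 = Circuit ID, 2 = Remote ID (RFC 3046)."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        sub, slen = value[i], value[i + 1]
        body = value[i + 2:i + 2 + slen]
        if len(body) != slen:
            raise ValueError("truncated Option 82 sub-option")
        if sub == 1:
            subs["circuit_id"] = body          # the ingress interface, as the relay encoded it
        elif sub == 2:
            subs["remote_id"] = ":".join(f"{b:02x}" for b in body)  # relay agent MAC
        else:
            subs[sub] = body
        i += 2 + slen
    return subs


def build_sample_discover():
    """Construct a DHCPDISCOVER as a relay agent would forward it (Option 82 added).

    Every value here is made up for the example: client MAC 00:11:22:33:44:55,
    relay giaddr 10.11.0.1, circuit ID 'Te 0/2', relay MAC 00:aa:bb:cc:dd:ee.
    """
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x3903F326, 0, 0x8000)   # op=BOOTREQUEST, hops=1
    hdr += bytes(12) + IPv4Address("10.11.0.1").packed                  # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex("001122334455") + bytes(10)                    # chaddr padded to 16 bytes
    hdr += bytes(64) + bytes(128) + MAGIC_COOKIE                        # sname, file, cookie
    opt82 = bytes([1, 6]) + b"Te 0/2" + bytes([2, 6]) + bytes.fromhex("00aabbccddee")
    opts = bytes([OPT_MSG_TYPE, 1, 1]) + bytes([OPT_RELAY_AGENT, len(opt82)]) + opt82 + bytes([OPT_END])
    return hdr + opts


if __name__ == "__main__":
    for key, val in parse_dhcp(build_sample_discover()).items():
        print(f"{key:>8}: {val}")
```

The length checks in parse_options and parse_relay_agent are the part worth copying: a relay or snooping agent that trusts the Length byte without comparing it against the bytes actually present reads past the end of the packet on a malformed message.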
The relay agent checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is legitimate and that the packet arrived on the correct port. Packets that do not pass this check are forwarded to the server for validation. This checkpoint prevents an attacker from spoofing a client and declining or releasing the real client’s address.
Clearing the Binding Table
To clear the binding table, use the following command.
Task | Command Syntax | Command Mode
Delete all of the entries in the binding table. | clear ip dhcp snooping binding | EXEC Privilege

Displaying the Contents of the Binding Table
To display the contents of the binding table, use the following command.
Task | Command Syntax | Command Mode
Display the contents of the binding table.
Drop DHCP Packets on Snooped VLANs Only Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE. Starting with FTOS Release 8.2.1.1, line cards maintain a list of snooped VLANs. When the binding table fills, DHCP packets are dropped only on snooped-VLANs, while such packets are forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made.
packets to it. Likewise, the attacker sends the gateway an ARP message containing the attacker's MAC address and the client's IP address. The gateway then thinks that the attacker is the client and forwards all packets addressed to the client to it. As a result, the attacker is able to sniff all packets to and from the client.
To view the number of entries in the ARP database, use the show arp inspection database command.
Figure 14-12. Example of Viewing the ARP Database
FTOS#show arp inspection database
Protocol Address Age(min) Hardware Address Interface VLAN CPU
---------------------------------------------------------------------------
Internet 10.1.1.251 00:00:4d:57:f2:50 Te 0/2 Vl 10 CP
Internet 10.1.1.252 00:00:4d:57:e6:f6 Te 0/1 Vl 10 CP
Internet 10.1.1.253 00:00:4d:57:f8:e8 Te 0/3 Vl 10 CP
Internet 10.1.1.
Source Address Validation
Using the DHCP binding table, FTOS can perform three types of source address validation (SAV):
• IP Source Address Validation: prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
• DHCP MAC Source Address Validation: verifies that a DHCP packet's source hardware address matches the client hardware address field (CHADDR) in the payload.
Enabling IP+MAC Source Address Validation IP source address validation validates the IP source address of an incoming packet against the DHCP snooping binding table. IP+MAC source address validation ensures that the IP source address and MAC source address are a legitimate pair, rather than validating each attribute individually. You cannot configure IP+MAC SAV with IP SAV.
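The checks the snooping binding table supports, as described in the relay-agent paragraph above (DHCPRELEASE, DHCPNAK and DHCPDECLINE must come from the bound MAC on the bound port) and in this section (IP SAV, DHCP MAC SAV, and IP+MAC SAV), are shown together in the following added example. It is not code from the Dell guide and does not reproduce how FTOS programs its ACLs; it is a plain software model of the table and the three validations. The bindings it loads are the entries shown in Figure 14-12, and the assumption that IP SAV also requires the packet to arrive on the bound port is the example's, not the guide's.

```python
# Added example (not from the Dell guide): a software model of a DHCP snooping
# binding table and the validations the text describes. The bindings used in
# the usage are the sample entries from Figure 14-12; the rule that IP SAV also
# checks the ingress port is an assumption of this example.
from dataclasses import dataclass
from ipaddress import IPv4Address

CLIENT_ORIGINATED = {"DHCPRELEASE", "DHCPNAK", "DHCPDECLINE"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: IPv4Address
    interface: str
    vlan: int


class SnoopingTable:
    """Bindings learned from DHCPACK, keyed by the leased IP address."""

    def __init__(self):
        self._by_ip = {}

    def learn_ack(self, mac, ip, interface, vlan):
        """Record the lease the server granted to this client on this port."""
        addr = IPv4Address(ip)
        self._by_ip[addr] = Binding(mac.lower(), addr, interface, vlan)

    def release(self, ip):
        """Drop the binding when a validated DHCPRELEASE is seen or the lease expires."""
        self._by_ip.pop(IPv4Address(ip), None)

    def validate_client_message(self, msg_type, src_mac, ip, interface):
        """Relay-agent check: a release/decline/nak must match the MAC-IP pair
        in the table and arrive on the port the lease was learned on."""
        if msg_type not in CLIENT_ORIGINATED:
            return True                        # other messages are not subject to this check
        b = self._by_ip.get(IPv4Address(ip))
        return b is not None and b.mac == src_mac.lower() and b.interface == interface

    @staticmethod
    def dhcp_mac_valid(frame_src_mac, chaddr):
        """DHCP MAC SAV: the frame's source MAC must equal the payload's CHADDR."""
        return frame_src_mac.lower() == chaddr.lower()

    def permit_packet(self, src_mac, src_ip, interface, mode="ip"):
        """Source address validation for ordinary IP traffic.

        mode 'ip'     : IP SAV, the source IP must be bound on this port.
        mode 'ip+mac' : IP+MAC SAV, the (IP, MAC) pair must match the binding.
        """
        b = self._by_ip.get(IPv4Address(src_ip))
        if b is None or b.interface != interface:
            return False
        if mode == "ip+mac":
            return b.mac == src_mac.lower()
        return True


def sample_table():
    """Load the three bindings shown in Figure 14-12."""
    t = SnoopingTable()
    t.learn_ack("00:00:4d:57:f2:50", "10.1.1.251", "Te 0/2", 10)
    t.learn_ack("00:00:4d:57:e6:f6", "10.1.1.252", "Te 0/1", 10)
    t.learn_ack("00:00:4d:57:f8:e8", "10.1.1.253", "Te 0/3", 10)
    return t


if __name__ == "__main__":
    t = sample_table()
    # A release for 10.1.1.251 from the host on Te 0/3 does not match the binding.
    print(t.validate_client_message("DHCPRELEASE", "00:00:4d:57:f8:e8", "10.1.1.251", "Te 0/3"))
    # IP SAV alone accepts a packet whose MAC belongs to another client; IP+MAC SAV does not.
    print(t.permit_packet("00:00:4d:57:f8:e8", "10.1.1.251", "Te 0/2", "ip"))
    print(t.permit_packet("00:00:4d:57:f8:e8", "10.1.1.251", "Te 0/2", "ip+mac"))
```

The last two calls illustrate the sentence above: IP SAV validates the source IP on its own and therefore passes a frame carrying a bound IP with some other MAC, while IP+MAC SAV requires the pair to match, which is why the two modes cannot be combined on the same port and IP+MAC is the stronger choice where the hardware allows it.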
15 Debugging and Diagnostics

The chapter contains the following sections:
• Offline Diagnostics
• Trace Logs
• Show Hardware Commands
• Environmental Monitoring
• Buffer Tuning
• Troubleshooting Packet Loss
• Application Core Dumps
• Mini Core Dumps
• TCP Dumps

Offline Diagnostics
The offline diagnostics test suite is useful for isolating faults and debugging hardware.
Important Points to Remember
• You can only perform offline diagnostics on an offline standalone unit.
• You cannot perform diagnostics if the ports are configured in a stacking group. Remove the port(s) from the stacking group before executing the diagnostic test.
• Diagnostics only test connectivity, not the entire data path.
• Diagnostic results are stored on the flash of the unit on which you performed the diagnostics.
Trace Logs In addition to the syslog buffer, the Dell Networking operating software (FTOS) buffers trace messages which are continuously written by various FTOS software tasks to report hardware and software events and status information. Each trace message provides the date, time, and name of the FTOS process. All messages are stored in a ring buffer and can be saved to a file either manually or automatically upon failover.
Table 15-1. show hardware Commands
Command | Description
show hardware stack-unit {0-5} cpu management statistics | View the internal interface status of the stack-unit CPU port which connects to the external management interface.
show hardware stack-unit {0-5} cpu data-plane statistics | View the driver-level statistics for the data-plane port on the CPU for the specified stack-unit.
Figure 15-4. show interfaces transceiver Command Example
FTOS#show int ten 0/49 transceiver
SFP is present
SFP 49 Serial Base ID fields
SFP 49 Id = 0x03
SFP 49 Ext Id = 0x04
SFP 49 Connector = 0x07
SFP 49 Transceiver Code = 0x00 0x00 0x00 0x01 0x20 0x40 0x0c 0x01
SFP 49 Encoding = 0x01
SFP 49 BR Nominal = 0x0c
SFP 49 Length(9um) Km = 0x00
SFP 49 Length(9um) 100m = 0x00
SFP 49 Length(50um) 10m = 0x37
SFP 49 Length(62.
Recognize an Over-Temperature Condition
An over-temperature condition occurs for one of two reasons:
• The card genuinely is too hot.
• A sensor has malfunctioned.
Inspect cards adjacent to the one reporting the condition to discover the cause.
• If directly adjacent cards are not at a normal temperature, suspect a genuine overheating condition.
• If directly adjacent cards are at a normal temperature, suspect a faulty sensor.
Figure 15-6.
The simple network management protocol (SNMP) traps and OIDs in Table 15-2 provide information about environmental monitoring hardware and hardware components.
Table 15-2. SNMP Traps and OIDs
OID Name | Description
chSysPortXfpRecvPower | OID to display the receiving power of the connected optics.
chSysPortXfpTxPower | OID to display the transmitting power of the connected optics.
chSysPortXfpRecvTemp | OID to display the temperature of the connected optics.
All ports support eight queues, four for data traffic and four for control traffic. All eight queues are tunable. Physical memory is organized into cells of 128 bytes. The cells are organized into two buffer pools—a dedicated buffer and a dynamic buffer.
• Dedicated buffer is reserved memory that cannot be used by other interfaces on the same ASIC or by other queues on the same interface. This buffer is always allocated, and no dynamic recarving takes place based on changes in interface status.
Deciding to Tune Buffers
Dell Networking recommends exercising caution when configuring any non-default buffer settings, as tuning can significantly affect system performance. The default values work for most cases. As a guideline, consider tuning buffers if traffic is very bursty (and coming from several interfaces). In this case:
• Reduce the dedicated buffer on all queues/interfaces.
• Increase the dynamic buffer on all interfaces.
FTOS Behavior: When you remove a buffer-profile using the no buffer-profile [fp | csf] command from CONFIGURATION mode, the buffer-profile name still appears in the output of show buffer-profile [detail | summary]. After a stack unit is reset, the buffer profile correctly returns to the default values, but the profile name remains.
Figure 15-9. Displaying Buffer Profile Allocations
FTOS#show running-config interface tengigabitethernet 2/0
!
interface TenGigabitEthernet 2/0
 no ip address
 mtu 9252
 switchport
 no shutdown
 buffer-policy myfsbufferprofile
FTOS#show buffer-profile detail int tengig 0/10
Interface Tengig 0/10
Buffer-profile fsqueue-fp
Dynamic buffer 1256.00 (Kilobytes)
Queue#  Dedicated Buffer (Kilobytes)  Buffer Packets
0       3.00                          256
1       3.00                          256
2       3.00                          256
3       3.00                          256
4       3.00                          256
5       3.00                          256
6       3.
You must reload the system for the global buffer profile to take effect (Message 3).
Message 3 Reload After Applying Global Buffer Profile
% Info: For the global pre-defined buffer profile to take effect, please save the config and reload the system.
FTOS Behavior: After you configure buffer-profile global 1Q, Message 3 is displayed during every bootup. Only one reboot is required for the configuration to take effect; afterwards this bootup message may be ignored.
Figure 15-10.
Figure 15-11.
Figure 15-12.
Figure 15-13.
Displaying Stack Port Statistics
The show hardware stack-unit stack-port command displays input and output statistics for a stack-port interface (Figure 15-15).
Figure 15-15.
Application Core Dumps
Application core dumps are disabled by default. A core dump file can be very large. Due to memory requirements, the file can only be sent directly to an FTP server. It is not stored on the local flash. To enable full application core dumps, use the following command:
Task | Command Syntax | Command Mode
Enable RPM core dumps and specify the shutdown mode. | logging coredump server | CONFIGURATION
To undo this command, use the no logging coredump server command.
Figure 15-17.
TCP Dumps
TCP dump captures CPU-bound control plane traffic to improve troubleshooting and system manageability. When enabled, a TCP dump captures all the packets on the local CPU, as specified in the CLI. You can save the traffic capture files to flash, FTP, SCP, or TFTP. The files saved on the flash are located in the flash://TCP_DUMP_DIR/Tcpdump_/ directory, and labeled tcpdump_*.pcap. There can be up to 20 Tcpdump_ directories.
16 Equal Cost Multi-Path (ECMP)
Equal Cost Multi-Path (ECMP) is supported on the MXL Switch platform.
ECMP for Flow-based Affinity
ECMP for Flow-based Affinity is available on the MXL Switch platform:
Note: IPv6 /128 routes having multiple paths do not form ECMPs. The /128 route is treated as a host entry and finds its place in the host table.
Note: Using XOR algorithms will result in imbalanced loads across an ECMP/LAG when the number of members in said ECMP/LAG is a multiple of 4.
Link Bundle Monitoring
Link bundle monitoring tracks how traffic is distributed across the member links of an ECMP bundle so that unfair distribution can be detected at any given time. A threshold of 60% is defined as an acceptable amount of traffic on a member link. Links are monitored in 15-second intervals for three consecutive instances. Any deviation within that time causes a syslog to be sent and an alarm event to be generated.
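The detection rule above (a member link carrying more than 60% of the bundle's traffic in three consecutive 15-second samples) is small enough to model directly. The following is an added example written for this page, not FTOS code and not how the switch implements the feature internally: the BundleMonitor class, its method names and the per-interval byte counters in run_demo are all constructed for the illustration.

```python
"""Model of ECMP link-bundle monitoring: flag a member link whose share of the
bundle's traffic exceeds the 60% threshold in three consecutive 15-second samples.
Constructed example; not FTOS code."""

THRESHOLD = 0.60        # acceptable share of bundle traffic on one member link
INTERVAL_SECONDS = 15   # sampling interval used by the monitor
CONSECUTIVE = 3         # consecutive deviating samples before an event is raised


class BundleMonitor:
    """Tracks per-link deviation streaks across successive samples of a bundle."""

    def __init__(self, members, threshold=THRESHOLD, consecutive=CONSECUTIVE):
        self.members = list(members)
        self.threshold = threshold
        self.consecutive = consecutive
        self.streak = {m: 0 for m in self.members}   # consecutive over-threshold samples
        self.events = []                              # syslog-style messages raised so far

    def sample(self, t, bytes_per_link):
        """Feed one interval's byte counters; returns the links that triggered an event."""
        total = sum(bytes_per_link.get(m, 0) for m in self.members)
        triggered = []
        for m in self.members:
            share = bytes_per_link.get(m, 0) / total if total else 0.0
            if share > self.threshold:
                self.streak[m] += 1
            else:
                self.streak[m] = 0          # any sample back under threshold resets the streak
            # Raise exactly once when the streak reaches the required length; a longer
            # streak does not repeat the event until the condition clears and recurs.
            if self.streak[m] == self.consecutive:
                self.events.append(
                    f"t={t}s: link {m} carried {share:.0%} of bundle traffic for "
                    f"{self.consecutive} consecutive {INTERVAL_SECONDS}s intervals"
                )
                triggered.append(m)
        return triggered


def run_demo():
    """Runs constructed samples through a four-link bundle and returns the events raised."""
    mon = BundleMonitor(["Te 0/1", "Te 0/2", "Te 0/3", "Te 0/4"])
    # Constructed byte counters per 15-second interval (not captured from a device).
    samples = [
        {"Te 0/1": 250, "Te 0/2": 250, "Te 0/3": 250, "Te 0/4": 250},  # balanced
        {"Te 0/1": 700, "Te 0/2": 100, "Te 0/3": 100, "Te 0/4": 100},  # 70%: streak 1
        {"Te 0/1": 650, "Te 0/2": 150, "Te 0/3": 100, "Te 0/4": 100},  # 65%: streak 2
        {"Te 0/1": 610, "Te 0/2": 130, "Te 0/3": 130, "Te 0/4": 130},  # 61%: streak 3, event
        {"Te 0/1": 300, "Te 0/2": 300, "Te 0/3": 200, "Te 0/4": 200},  # back under threshold
    ]
    for i, counters in enumerate(samples):
        mon.sample(i * INTERVAL_SECONDS, counters)
    return mon.events


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

A single deviating sample, or two in a row, produces nothing; only the third consecutive sample over the threshold raises the event, which matches the "three consecutive instances" wording above.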
Use the ip ecmp-group path-fallback command to enable or disable the feature.
Task | Command Syntax | Command Mode
Configure the maximum number of paths per ECMP group | ip ecmp-group maximum-paths {2-64} | CONFIGURATION
Enable ECMP group path management | ip ecmp-group path-fallback | CONFIGURATION
Note: You must save the new ECMP settings to the startup-config (write-mem) then reload the system for the new settings to take effect.
Figure 16-1.
17 FCoE Transit
The Fibre Channel over Ethernet (FCoE) Transit feature is supported on the MXL 10/40GbE Switch. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.
Note: FCoE Transit is not supported on Fibre Channel interfaces.
Fibre Channel over Ethernet
FCoE provides a converged Ethernet network that allows the combination of storage-area network (SAN) and LAN traffic on a Layer 2 link by encapsulating Fibre Channel data into Ethernet frames.
• Operate between FCoE end-devices and FCFs over intermediate Ethernet bridges to prevent unauthorized access to the network and achieve the required security.
• Allow transit Ethernet bridges to efficiently monitor FIP frames passing between FCoE end-devices and an FCF, and use the FIP snooping data to dynamically configure ACLs on the bridge to only permit traffic authorized by the FCF.
Figure 17-1. FIP Discovery and Login Between an ENode and an FCF
FIP Snooping on Ethernet Bridges
In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is called a FIP snooping bridge (FSB).
• Port-based ACLs take precedence over global ACLs.
• FCoE-generated ACLs take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames.
The following illustration shows an MXL 10/40GbE Switch used as a FIP snooping bridge in a converged Ethernet network. The top-of-rack (ToR) switch operates as an FCF for FCoE traffic. Converged LAN and SAN traffic is transmitted between the ToR switch and an MXL switch.
The following sections describe how to configure the FIP snooping feature on a switch that functions as a FIP snooping bridge so that it can perform the following functions:
• Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis.
• To assign a MAC address to an FCoE end-device (server ENode or storage device) after a server successfully logs in, set the FCoE MAC address prefix (FC-MAP) value used by an FCF.
FIP Snooping Prerequisites
Before you enable FCoE transit and configure FIP snooping on a switch, ensure that certain conditions are met. A FIP snooping bridge requires data center bridging exchange protocol (DCBx) and priority-based flow control (PFC) to be enabled on the switch for lossless Ethernet connections (refer to the Data Center Bridging (DCB) chapter).
Enabling the FCoE Transit Feature
The following sections describe how to enable FCoE transit.
Note: FCoE transit is disabled by default. To enable this feature, you must follow the information in Configuring FIP Snooping.
As soon as you enable the FCoE transit feature on a switch-bridge, existing VLAN-specific and FIP snooping configurations are applied.
Configure a Port for a Bridge-to-Bridge Link
If a switch port is connected to another FIP snooping bridge, configure the FCoE-Trusted Port mode for bridge-bridge links. Initially, all FCoE traffic is blocked. Only FIP frames with the ALL_FCF_MAC and ALL_ENODE_MAC values in their headers are allowed to pass. After the switch learns the MAC address of a connected FCF, it allows FIP frames destined to or received from the FCF MAC address.
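The ACL state a FIP snooping bridge builds up, as described above and in the FIP Snooping on Ethernet Bridges section, can be modelled in a few dozen lines. The following is an added example for this page, not FTOS code, and it does not reproduce how the switch programs its hardware ACLs. The ALL_ENODE_MACS and ALL_FCF_MACS values are the FC-BB-5 well-known FIP multicast addresses, the FC-MAP is the 0x0EFC00 default from the configuration steps, and the FCF MAC, ENode MAC and FC-ID in run_demo are taken from the show fip-snooping enode example later in this chapter; the Frame and FipSnoopingBridge classes and the fcoe_mac helper are constructed for the example.

```python
"""Model of the dynamic ACL state kept by a FIP snooping bridge (constructed example)."""
from dataclasses import dataclass

# Well-known FIP multicast addresses (FC-BB-5) and the two EtherTypes involved.
ALL_ENODE_MACS = "01:10:18:01:00:01"
ALL_FCF_MACS = "01:10:18:01:00:02"
ETH_FIP = 0x8914
ETH_FCOE = 0x8906
DEFAULT_FC_MAP = 0x0EFC00   # default FC-MAP from the FIP snooping configuration steps


@dataclass(frozen=True)
class Frame:
    ethertype: int
    src: str
    dst: str


def fcoe_mac(fc_map, fc_id):
    """Fabric-provided MAC: the 3-byte FC-MAP prefix followed by the 3-byte FC-ID."""
    raw = fc_map.to_bytes(3, "big") + fc_id.to_bytes(3, "big")
    return ":".join(f"{b:02x}" for b in raw)


class FipSnoopingBridge:
    def __init__(self, fc_map=DEFAULT_FC_MAP):
        self.fc_map = fc_map
        self.fcfs = set()        # FCF MACs learned from snooped FIP advertisements
        self.sessions = {}       # FCoE MAC -> (ENode MAC, FCF MAC) for logged-in ENodes

    def learn_fcf(self, fcf_mac):
        self.fcfs.add(fcf_mac.lower())

    def login(self, enode_mac, fcf_mac, fc_id):
        """Record a successful login snooped from the FCF's accept; returns the FCoE MAC."""
        if fcf_mac.lower() not in self.fcfs:
            raise ValueError("login accept from an FCF that was never discovered")
        mac = fcoe_mac(self.fc_map, fc_id)
        self.sessions[mac] = (enode_mac.lower(), fcf_mac.lower())
        return mac

    def logout(self, mac):
        self.sessions.pop(mac.lower(), None)

    def permit(self, f):
        """ACL decision for one frame: True if the bridge forwards it."""
        src, dst = f.src.lower(), f.dst.lower()
        if f.ethertype == ETH_FIP:
            # Discovery to the well-known multicast addresses always passes; unicast
            # FIP passes only once one side is a learned FCF.
            return dst in (ALL_ENODE_MACS, ALL_FCF_MACS) or dst in self.fcfs or src in self.fcfs
        if f.ethertype == ETH_FCOE:
            # FCoE data only between a logged-in ENode's fabric-assigned MAC and its FCF.
            if src in self.sessions and self.sessions[src][1] == dst:
                return True
            if dst in self.sessions and self.sessions[dst][1] == src:
                return True
            return False
        return True   # other LAN traffic is not governed by the FIP snooping ACLs


def run_demo():
    """Walks one ENode through discovery, login and logout; returns each ACL decision."""
    br = FipSnoopingBridge()
    fcf = "54:7f:ee:37:34:40"     # FCF MAC from the show fip-snooping enode example
    enode = "d4:ae:52:1b:e3:cd"   # ENode MAC from the same example
    r = {}
    r["solicit_before"] = br.permit(Frame(ETH_FIP, enode, ALL_FCF_MACS))
    r["unicast_fip_before"] = br.permit(Frame(ETH_FIP, enode, fcf))
    br.learn_fcf(fcf)                                   # FCF advertisement snooped
    r["unicast_fip_after"] = br.permit(Frame(ETH_FIP, enode, fcf))
    r["fcoe_before_login"] = br.permit(Frame(ETH_FCOE, enode, fcf))
    mac = br.login(enode, fcf, 0x620011)                # FC-ID 62:00:11 from the example
    r["fcoe_mac"] = mac
    r["fcoe_after_login"] = br.permit(Frame(ETH_FCOE, mac, fcf))
    r["fcoe_from_fcf"] = br.permit(Frame(ETH_FCOE, fcf, mac))
    r["unregistered_fcoe_mac"] = br.permit(Frame(ETH_FCOE, "0e:fc:00:62:00:12", fcf))
    br.logout(mac)
    r["fcoe_after_logout"] = br.permit(Frame(ETH_FCOE, mac, fcf))
    return r


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:24s} {v}")
```

The point the model makes explicit is that an FCoE frame is forwarded only when its source or destination is a MAC the FCF itself assigned in a snooped login accept; a frame using an FCoE MAC with the right FC-MAP prefix but no matching session is dropped, and the permission disappears again when the session is torn down.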
FIP Snooping Prerequisites
Before you configure FIP snooping on an MXL switch, ensure that the following conditions are met:
• A FIP snooping bridge requires DCBX and PFC to be enabled on the switch for lossless Ethernet connections (refer to Data Center Bridging (DCB)). Dell recommends that you also enable ETS, but ETS is not required.
• If you enable DCBX and PFC mode is on (PFC is operationally up) in a port configuration, FIP snooping is operational on the port.
Step | Task | Command | Command Mode
2 | Enable FIP snooping on all VLANs or on a specified VLAN. Default: FIP snooping is disabled on all VLANs. | fip-snooping enable | CONFIGURATION or VLAN INTERFACE
3 | Configure the FC-MAP value used by FIP snooping on all VLANs. Default: 0x0EFC00. Valid values are from 0EFC00 to 0EFCFF. | fip-snooping fc-map fc-map-value | CONFIGURATION or VLAN INTERFACE
4 | Enter interface configuration mode to configure the port for FIP snooping links.
Table 17-1. Displaying FIP Snooping Information
Command: show fip-snooping statistics [interface vlan vlan-id | interface port-type port/slot | interface port-channel port-channel-number] (Figure 17-7 and Figure 17-8)
Output: Displays statistics on the FIP packets snooped on all interfaces, including VLANs, physical ports, and port channels.
Figure 17-3. show fip-snooping sessions Command Example
FTOS#show fip-snooping sessions
Enode MAC          Enode Intf  FCoE MAC
aa:bb:cc:00:00:00  Te 0/42     0e:fc:00:01:00:01
aa:bb:cc:00:00:00  Te 0/42     0e:fc:00:01:00:02
aa:bb:cc:00:00:00  Te 0/42     0e:fc:00:01:00:03
aa:bb:cc:00:00:00  Te 0/42     0e:fc:00:01:00:04
aa:bb:cc:00:00:00  Te 0/42     0e:fc:00:01:00:05
Table 17-2.
Figure 17-5. show fip-snooping enode Command Example
FTOS# show fip-snooping enode
Enode MAC          Enode Interface  FCF MAC            VLAN  FC-ID
-----------------  ---------------  -----------------  ----  --------
d4:ae:52:1b:e3:cd  Te 0/11          54:7f:ee:37:34:40  100   62:00:11
Table 17-3. show fip-snooping enode Command Description
Field | Description
ENode MAC | MAC address of the ENode.
ENode Interface | Slot/port number of the interface connected to the ENode.
FCF MAC | MAC address of the FCF.
VLAN | VLAN ID number used by the session.
Figure 17-7.
Figure 17-8.
Table 17-5. show fip-snooping statistics Command Descriptions
Field | Description
Number of Vlan Requests | Number of FIP-snooped VLAN request frames received on the interface.
Number of VLAN Notifications | Number of FIP-snooped VLAN notification frames received on the interface.
Number of Multicast Discovery Solicits | Number of FIP-snooped multicast discovery solicit frames received on the interface.
Figure 17-9. show fip-snooping system Command Example
FTOS# show fip-snooping system
Global Mode                  : Enabled
FCOE VLAN List (Operational) : 1, 100
FCFs                         : 1
Enodes                       : 2
Sessions                     : 17
Note: NPIV sessions are included in the number of FIP-snooped sessions displayed.
Figure 17-10.
FIP Snooping Configuration Example
Figure 17-11 shows an MXL Switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway.
Figure 17-11. Configuration Example: FIP Snooping on an MXL 10/40GbE Switch
In Figure 17-11, DCBX and PFC are enabled on the MXL Switch (FIP snooping bridge) and on the FCF ToR switch.
Figure 17-12 shows how to configure FIP snooping on FCoE VLAN 10, an FCF-facing port (0/50), and an ENode server-facing port (0/1), and to configure the FIP snooping ports as tagged members of the FCoE VLAN enabled for FIP snooping. Figure 17-12.
18 Enabling FIPS Cryptography
This chapter describes how to enable FIPS cryptography requirements on the Dell Networking MXL Switch platform. This feature provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. The FIPS mode is also validated for numerous platforms to meet the FIPS 140-2 standard for a software-based cryptographic module.
When the FIPS mode is enabled, the following actions are taken:
• If enabled, the SSH server will be disabled.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, will be closed.
• Any existing host keys (both RSA and RSA1) will be deleted from system memory and NVRAM storage.
• The FIPS mode is enabled.
  — If the SSH server was enabled when the fips mode enable command was entered, it will be re-enabled for version 2 only.
Monitoring FIPS Mode Status
The status of the current FIPS mode (Enabled/Disabled) can be viewed directly using either the show fips status command or the show system command, as shown below.
FTOS#show fips status
FIPS Mode : Enabled
The same status is displayed for the system in the output of the show system command.
19 Force10 Resilient Ring Protocol (FRRP)
Force10 Resilient Ring Protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a Metropolitan Area Network (MAN) or large campuses. FRRP is similar to what can be achieved with the Spanning Tree Protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of the network and the node of failure) and may require 4 to 5 seconds to reconverge.
Figure 19-1. Normal Operating FRRP Topology
(Ring diagram: R1 MASTER with its Primary port Forwarding and its Secondary port Blocking; R2 TRANSIT and R3 TRANSIT with both Primary and Secondary ports Forwarding; the ring direction is marked around the ring.)
A Virtual LAN (VLAN) is configured on all node ports in the ring. All ring ports must be members of the Member VLAN and the Control VLAN. The Member VLAN is the VLAN used to transmit data as described earlier.
If the Master node does not receive the Ring Health Frame (RHF) before the fail-period timer expires (a configurable timer), the Master node moves from the Normal state to the Ring-Fault state and unblocks its Secondary port. The Master node also clears its forwarding table and sends a control frame to all other nodes, instructing them to also clear their forwarding tables. Immediately after clearing its forwarding table, each node starts learning the new topology.
In the following example, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups. Switch R3 has two instances of FRRP running on it: one for each ring. The example topology that follows shows R3 assuming the role of a Transit node for both FRRP 101 and FRRP 202.
Figure 19-2.
• Multiple physical rings can be run on the same switch
• One Master node per ring—all other nodes are Transit
• Each node has 2 member interfaces—Primary, Secondary
• No limit to the number of nodes on a ring
• Master node ring port states—blocking, pre-forwarding, forwarding, disabled
• Transit node ring port states—blocking, pre-forwarding, forwarding, disabled
• STP disabled on ring interfaces
• Master node secondary port is in blocking state during Normal operation
• Ring Health Frames (RHF)
  • Hello R
Table 19-1. FRRP Components (continued)
Concept | Explanation
Ring Interface State | Each interface (port) that is part of the ring maintains one of four states:
• Blocking State: Accepts ring protocol packets but blocks data packets. LLDP, FEFD, or other Layer 2 control packets are accepted. Only the master node Secondary port can enter this state.
• Pre-Forwarding State: A transition state before moving to the Forward state.
• The Control VLAN is not used to carry any data traffic; it carries only RHFs.
• The Control VLAN cannot have members that are not ring ports.
• If multiple rings share one or more member VLANs, they cannot share any links between them.
• Member VLANs across multiple rings are not supported in Master nodes.
• Each ring has only one Master node; all others are transit nodes.
FRRP Configuration
These are the tasks to configure FRRP.
• All VLANs must be in Layer 2 mode.
• Only ring nodes can be added to the VLAN.
• A Control VLAN can belong to one FRRP group only.
• Control VLAN ports must be tagged.
• All ports on the ring must use the same VLAN ID for the Control VLAN.
• A VLAN cannot be configured as both a Control VLAN and Member VLAN on the same ring.
• Only two interfaces can be members of a Control VLAN (the Master Primary and Secondary ports).
Step | Command Syntax | Command Mode | Purpose
3 | interface primary int slot/port secondary int slot/port control-vlan vlan id | CONFIG-FRRP | Assign the Primary and Secondary ports, and the Control VLAN for the ports on the ring.
Interface:
• For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
Step | Command Syntax | Command Mode | Purpose
2 | tagged interface slot/port {range} | CONFIG-INT-VLAN | Tag the specified interface or range of interfaces to this VLAN.
Interface:
• For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
Set FRRP Timers
Step | Command Syntax | Command Mode | Purpose
1 | timer {hello-interval|dead-interval} | CONFIG-FRRP | Enter the desired intervals for Hello-Interval or Dead-Interval times.
Hello-Interval: 50-2000 milliseconds, in increments of 50 (default is 500)
Dead-Interval: 50-6000 milliseconds, in increments of 50 (default is 1500)
The Dead-Interval time should be set at 3x the Hello-Interval.
Clear FRRP counters
Use one of the following commands to clear the FRRP counters.
Troubleshooting FRRP
Configuration Checks
• Each Control Ring must use a unique VLAN ID
• Only two interfaces on a switch can be Members of the same Control VLAN
• There can be only one Master node for any FRRP Group.
• FRRP can be configured on Layer 2 interfaces only
• Spanning Tree (if enabled globally) must be disabled on both Primary and Secondary interfaces when FRRP is enabled.
Figure 19-3.
20 GARP VLAN Registration Protocol (GVRP)
GARP VLAN registration protocol (GVRP) is supported on the MXL Switch platform. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GARP VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches.
Figure 20-1. GVRP Compatibility Error Message
FTOS(conf)#protocol spanning-tree pvst
FTOS(conf-pvst)#no disable
% Error: GVRP running. Cannot enable PVST.
FTOS(conf)#protocol gvrp
FTOS(conf-gvrp)#no disable
% Error: PVST running. Cannot enable GVRP.
Configuring GVRP
Globally, enable GVRP on each switch to facilitate GVRP communications. Then, GVRP configuration is per interface on a switch-by-switch basis.
Figure 20-2. GVRP Configuration Overview
GVRP is configured globally and on all VLAN trunk ports for the edge and core switches.
(Diagram: edge switches carrying VLANs 10-20, 30-50, and 70-80 connected through core switches.)
NOTES:
VLAN 1 mode is always fixed and cannot be configured
All VLAN trunk ports must be configured for GVRP
All VLAN trunk ports must be configured as 802.1Q
Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2.
Enabling GVRP Globally
Enable GVRP for the entire switch using the gvrp enable command in CONFIGURATION mode (Figure 20-3). Use the show gvrp brief command to inspect the global configuration.
Figure 20-3.
• Normal Registration: Allows dynamic creation, registration, and de-registration of VLANs (if you enabled dynamic VLAN creation). By default, the registration mode is set to normal when you enable GVRP on a port. This default mode enables the port to dynamically register and de-register VLANs, and to propagate both dynamic and static VLAN information.
Figure 20-6 shows GVRP registration.
Figure 20-6. Configuring GVRP Registration
FTOS(conf)#garp timer leav 1000
FTOS(conf)#garp timers leave-all 5000
FTOS(conf)#garp timer join 300
Verification:
FTOS(conf)#do show garp timer
GARP Timers      Value (milliseconds)
----------------------------------------
Join Timer       300
Leave Timer      1000
LeaveAll Timer   5000
FTOS(conf)#
FTOS displays Message 1 if an attempt is made to configure an invalid GARP timer.
21 Internet Group Management Protocol (IGMP)
Multicast is based on identifying many hosts by a single destination IP address. Hosts represented by the same IP address are a multicast group. The internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 21-1. IGMP Version 2 Packet Format
(Diagram: an Ethernet frame with Preamble, Start Frame Delimiter, Destination MAC, Source MAC, Ethernet Type, the IP packet, Padding and FCS; the IP header carries Version (4), IHL, TOS (0xc0), Total Length, Flags, Frag Offset, TTL (1), Protocol (2), Header Checksum, Src IP Addr, Dest IP Addr and Options (Router Alert); IGMP fields: Type, Max.
IGMP Version 3
Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences:
• Version 3 adds the ability to filter by multicast source, which helps the multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers. To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Joining and Filtering Groups and Sources
Figure 21-4 shows how multicast routers maintain the group and source information from unsolicited reports.
1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Leaving and Staying in Groups
Figure 21-5 shows how multicast routers track and refresh state changes in response to group-and-source-specific and general queries.
1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filters for 10.11.1.1 and 10.11.1.2 are no longer necessary.
2. The querier, before making any state changes, sends a group-and-source query to see if any other host is interested in these two sources; queries for state changes are retransmitted multiple times.
IGMP Snooping Implementation Information
• IGMP snooping on the Dell Force10 operating system (FTOS) uses IP multicast addresses, not MAC addresses.
• IGMP snooping is not supported on stacked VLANs.
• IGMP snooping is supported on all MXL 10/40GbE stack members.
• IGMP snooping reacts to STP and MSTP topology changes by sending a general query on the interface that transitions to the forwarding state.
Disabling Multicast Flooding
If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. On the MXL Switch, when you configure no ip igmp snooping flood, the system forwards the frames on mrouter ports for the first 96 IGMP snooping enabled VLANs. For all other VLANs, the unregistered multicast packets are dropped.
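The forwarding decision that the two preceding sections describe (learned groups keyed on the IP group address, unregistered frames either flooded or, with no ip igmp snooping flood, limited to mrouter ports on the first 96 snooping-enabled VLANs and dropped elsewhere) is modelled below. This is an added example for this page, not FTOS code: the SnoopingVlan class and its method names are constructed, the enable_order attribute assumes that "first 96" refers to the order in which snooping was enabled on the VLANs, and forwarding a registered group to the mrouter ports as well as to the receiver ports is standard snooping behaviour assumed by the model rather than stated on this page.

```python
"""Forwarding decision of one IGMP-snooping VLAN (constructed example, not FTOS code)."""

FLOOD_VLAN_LIMIT = 96   # snooping-enabled VLANs that still send unregistered frames to mrouter ports


class SnoopingVlan:
    def __init__(self, vlan_id, ports, mrouter_ports, enable_order):
        self.vlan_id = vlan_id
        self.ports = set(ports)                  # all member ports of the VLAN
        self.mrouter_ports = set(mrouter_ports)  # ports towards multicast routers
        self.enable_order = enable_order         # 1-based order in which snooping was enabled (assumption)
        self.groups = {}                         # IP group address -> ports with interested receivers

    def report(self, group, port):
        """An IGMP membership report seen on `port` registers the group there."""
        self.groups.setdefault(group, set()).add(port)

    def leave(self, group, port):
        """A leave (or an expired membership) removes the port; the group is forgotten when empty."""
        members = self.groups.get(group)
        if members is None:
            return
        members.discard(port)
        if not members:
            del self.groups[group]

    def egress(self, group, ingress, flood_unregistered=True):
        """Ports a frame for `group` arriving on `ingress` is forwarded to."""
        if group in self.groups:
            out = self.groups[group] | self.mrouter_ports        # registered: receivers + routers
        elif flood_unregistered:
            out = set(self.ports)                                # default: flood the VLAN
        elif self.enable_order <= FLOOD_VLAN_LIMIT:
            out = set(self.mrouter_ports)                        # no ip igmp snooping flood, early VLAN
        else:
            out = set()                                          # no ip igmp snooping flood, later VLAN: drop
        return out - {ingress}                                   # never back out of the ingress port


if __name__ == "__main__":
    # Constructed topology: four ports, Te 0/4 faces the multicast router.
    v = SnoopingVlan(10, ["Te 0/1", "Te 0/2", "Te 0/3", "Te 0/4"], ["Te 0/4"], enable_order=1)
    v.report("224.1.1.1", "Te 0/1")
    print("registered  ", sorted(v.egress("224.1.1.1", "Te 0/4")))
    print("unregistered", sorted(v.egress("224.5.5.5", "Te 0/4")))
    print("flood off   ", sorted(v.egress("224.5.5.5", "Te 0/2", flood_unregistered=False)))
```

Running the same unregistered group through a VLAN constructed with enable_order=97 and flood_unregistered=False returns an empty set, which is the drop case the text describes for VLANs beyond the first 96.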
Fast Convergence after MSTP Topology Changes
When a port transitions to the forwarding state as a result of an STP or MSTP topology change, FTOS sends a general query out of all ports except the multicast router ports. The host sends a response to the general query and the forwarding database is updated without having to wait for the query interval to expire.
22 Interfaces
This chapter describes 100/1000/10000 Mbps Ethernet, 10 Gigabit Ethernet, and 40 Gigabit Ethernet interface types, both physical and logical, and how to configure them with the Dell Networking operating software (FTOS).
Interface Types
The following lists the different interface types.
Figure 22-1.
Use the show ip interfaces brief command in EXEC Privilege mode to view which interfaces are enabled for Layer 3 data transmission. In Figure 22-2, the TenGigabitEthernet interface 1/5 is in Layer 3 mode because an IP address has been assigned to it and the interface’s status is operationally up.
Figure 22-2.
Enable a Physical Interface
After determining the type of physical interfaces available, you can enter INTERFACE mode by entering the interface interface slot/port command to enable and configure the interface.
The following section includes information about optional configurations for physical interfaces:
• Overview of Layer Modes
• Configure Layer 2 (Data Link) Mode
• Management Interfaces
• Auto-Negotiation on Ethernet Interfaces
• Adjust the Keepalive Timer
• Clear Interface Counters
Overview of Layer Modes
On all systems running FTOS, you can place physical interfaces, port channels, and VLANs in Layer 2 mode or Layer 3 mode. By default, VLANs are in Layer 2 mode.
To configure an interface in Layer 2 mode, use these commands in INTERFACE mode:
Command Syntax | Command Mode | Purpose
no shutdown | INTERFACE | Enable the interface.
switchport | INTERFACE | Place the interface in Layer 2 (switching) mode.
For information about enabling and configuring STP, refer to Layer 2 on page 541. To view the interfaces in Layer 2 mode, use the command show interfaces switchport in EXEC mode.
To assign an IP address, use the following commands in INTERFACE mode:
Command Syntax | Command Mode | Purpose
no shutdown | INTERFACE | Enable the interface.
ip address ip-address mask [secondary] | INTERFACE | Configure a primary IP address and mask on the interface. The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be given in decimal slash format (/xx).
You can access the full switch using:
• Internal RS-232 using the chassis management controller (CMC). Telnet into CMC and do a connect -b switch-id to get console access to the corresponding IOM.
• External serial port with a universal serial bus (USB) connector (front panel): connect using the IOM front panel USB serial line to get console access (Labeled as USB B).
• Telnet/others using the public IP interface on the fabric D interface.
• CMC through the private IP interface on the fabric D interface.
You can manage the MXL Switch from any port. Configure an IP address for the port using the ip address command. Enable the IP address for the port using the no shutdown command. You can use the description command from INTERFACE mode to note that the interface is the management interface. There is no separate management routing table, so you must configure all routes in the IP routing table (use the ip route command).
VLAN Interfaces
VLANs are logical interfaces and are, by default, in Layer 2 mode. Physical interfaces and port channels can be members of VLANs. For more information about VLANs and Layer 2, refer to Layer 2 and Virtual LANs (VLAN).
Note: To monitor VLAN interfaces, use the Management Information Base for Network Management of TCP/IP-based internets: MIB-II (RFC 1213).
Note: You cannot simultaneously use egress rate shaping and ingress rate policing on the same VLAN.
Loopback Interfaces
A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Because this interface is not a physical interface, you can configure routing protocols on this interface to provide protocol stability. You can place loopback interfaces in default Layer 3 mode.
Port Channel Interfaces
Port channel interfaces support link aggregation, as described in IEEE Standard 802.3ad. This section covers the following topics:
• Port Channel Definition and Standards
• Port Channel Benefits
• Port Channel Implementation
• Configuration Task List for Port Channel Interfaces
Port Channel Definition and Standards
Link aggregation is defined by IEEE 802.
Table 22-2 lists the number of port channels per platform.
Table 22-2. Number of Port Channels per Platform
Platform | Port-channels | Members/Channel
MXL 10/40GbE Switch IO Module | 128 | 16
As soon as a port channel is configured, FTOS treats it like a physical interface. For example, IEEE 802.1Q tagging is maintained while the physical interface is in the port channel.
Configuration Task List for Port Channel Interfaces
To configure a port channel (LAG), you use commands similar to those found in physical interfaces. By default, no port channels are configured in the startup configuration.
• ip mtu (if the interface is on a Jumbo-enabled by default.)
Note: The MXL Switch supports jumbo frames by default (the default maximum transmission unit [MTU] is 1554 bytes). You can configure the MTU using the mtu command from INTERFACE mode.
To view the interface’s configuration, enter INTERFACE mode for that interface and use the show config command or, from EXEC Privilege mode, use the show running-config interface interface command.
Figure 22-11 shows the port channel’s mode (L2 for Layer 2 and L3 for Layer 3 and L2L3 for a Layer 2 port channel assigned to a routed VLAN), the status, and the number of interfaces belonging to the port channel. Figure 22-11.
Figure 22-12. Error Message
FTOS(conf-if-po-1)#show config
!
interface Port-channel 1
 no ip address
 channel-member TenGigabitEthernet 0/16
 shutdown
FTOS(conf-if-po-1)#
FTOS(conf-if-po-1)#int tengig 1/6
FTOS(conf-if)#ip address 10.56.4.4 /24
% Error: Te 1/6 Port is part of a LAG.
FTOS(conf-if)#
Reassign an Interface to a New Port Channel
An interface can be a member of only one port channel.
Configure the Minimum oper up Links in a Port Channel (LAG)
You can configure the minimum links in a port channel (LAG) that must be in “oper up” status for the port channel to be considered in “oper up” status. To configure the minimum links, use the following command in INTERFACE mode:
Command Syntax | Command Mode | Purpose
minimum-links number | INTERFACE | Enter the number of links in a LAG that must be in “oper up” status.
Assign an IP Address to a Port Channel
You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command in INTERFACE mode:
Command Syntax | Command Mode | Purpose
ip address ip-address mask [secondary] | INTERFACE | Configure an IP address and mask on the interface.
• ip-address mask: enter an address in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/24).
Important Points to Remember:
• On a new MXL switch running FTOS version 9.2(0.0), with no saved startup configuration, the switch comes up with all server ports as switch ports in no shut state.
• When you configure STP, the switch brings up the uplink and saves the running configuration to the startup-config file.
• All the server ports without any specific configuration will have the default configuration of Layer 2 switch port and no shut mode saved.
Note: When creating an interface range, interfaces appear in the order they were entered and are not sorted. To display all interfaces that have been validated under the interface range context, use the show range command in Interface Range mode. To display the running configuration only for interfaces that are part of an interface range, use the show configuration command in Interface Range mode.
Figure 22-17. Interface Range Prompt Excluding Duplicate Entries
FTOS(conf)#interface range vlan 1 , vlan 1 , vlan 3 , vlan 3
FTOS(conf-if-range-vl-1,vl-3)#
FTOS(conf)#interface range tengigabitethernet 2/0 - 23 , tengigabitethernet 2/0 - 23 , tengigab 2/0 - 23
FTOS(conf-if-range-te-2/0-23)#
Exclude a Smaller Port Range
If the interface range has multiple port ranges, the smaller port range is excluded from the prompt.
Figure 22-18.
Figure 22-21. Multiple-Range Bulk Configuration with VLAN and Port-channel
FTOS(conf-ifrange-te-5/1-23-te-1/1-2)# interface range Vlan 2 – 100 , Port 1 – 25
FTOS(conf-if-range-te-5/1-23-te-1/1-2-vl-2-100-po-1-25)# no shutdown
FTOS(conf-if-range)#
Interface Range Macros
You can define an interface-range macro to automatically select a range of interfaces for configuration.
FTOS(conf)# interface range macro test
FTOS(conf-if)#
Monitor and Maintain Interfaces
Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, etc.
Command Syntax: monitor interface interface
Command Mode: EXEC Privilege
Purpose: View the interface’s statistics.
Figure 22-24. monitor interface Command Example
FTOS#monitor interface tengig 3/1
Dell Networking uptime is 1 day(s), 4 hour(s), 31 minute(s)
Monitor time: 00:00:00 Refresh Intvl.
To test the condition of cables on 100/1000/10000 BASE-T modules, follow these steps using the tdr-cable-test command.
Step 1
Command Syntax: tdr-cable-test tengigabitethernet /
Command Mode: EXEC Privilege
Usage: Test for cable faults on the TenGigabitEthernet cable.
• Between two ports, you must not start the test on both ends of the cable.
• Enable the interface before starting the test.
Merging SFP+ Ports to QSFP 40G Ports
To remove FANOUT mode on 40G QSFP ports, use the following command:
Command Syntax: no stack-unit stack-unit port number portmode quad
Command Mode: CONFIGURATION
Purpose: Merge four 10G ports into a single 40G port.
• stack-unit: Enter the stack member unit identifier of the stack member to reset. Range: 0 to 5. To display the stack-unit number, enter the show system brief command.
• port: Enter the port number of the 40GbE QSFP+ port.
Table 22-3 lists the range for each transmission media.
Table 22-3. MTU Range
Transmission Media: MTU Range (in bytes)
Ethernet: 594-12000 = link MTU; 576-11982 = IP MTU
Layer 2 Flow Control Using Ethernet Pause Frames
Ethernet pause frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it.
The flow-control sender and receiver must be on the same port-pipe. Flow control is not supported across different port-pipes (also refer to iSCSI Optimization: Operation on page 487).
Command Syntax: flowcontrol rx [off | on] tx [off | on] [threshold
Command Mode: INTERFACE
Purpose: Control how the system responds to and generates 802.3x pause frames on 10 and 40Gig ports.
Table 22-4 lists the various Layer 2 overheads found in FTOS and the number of bytes.
Table 22-4. Difference between Link MTU and IP MTU
Layer 2 Overhead: Difference between Link MTU and IP MTU
Ethernet (untagged): 18 bytes
VLAN Tag: 22 bytes
Untagged Packet with VLAN-Stack Header: 22 bytes
Tagged Packet with VLAN-Stack Header: 26 bytes
Link MTU and IP MTU considerations for port channels and VLANs are as follows.
Auto-Negotiation on Ethernet Interfaces
Setting Speed and Duplex Mode of Ethernet Interfaces
By default, auto-negotiation of speed and duplex mode is enabled on 100/1000/10000 Base-T Ethernet interfaces. Only 10GbE interfaces do not support auto-negotiation. When using 10GbE interfaces, verify that the settings on the connecting devices are set to no auto-negotiation. The local interface and the directly connected remote interface must have the same setting.
Figure 22-25.
Setting Auto-Negotiation Options
The negotiation auto command provides a mode option for configuring an individual port to forced-master or forced-slave after you enable auto-negotiation.
Caution: Ensure that only one end of the node is configured as forced-master and the other is configured as forced-slave. If both are configured the same (that is, both as forced-master or both as forced-slave), the show interface command flaps between an auto-neg-error and forced-master/slave states.
Table 22-5.
Figure 22-27.
Figure 22-28.
Configure Interface Sampling Size
To configure the number of seconds of traffic statistics to display in the show interfaces output, use the rate-interval command in INTERFACE mode. You can enter any value between five and 299 seconds (the default). If you enter 1 to 5 seconds, software polling is done at a 5 second interval. If you enter 6 to 10 seconds, software polling is done at a 10 second interval. For any other value, software polling is done once every 15 seconds.
Figure 22-30 shows how to configure the rate interval when changing the default value.
Figure 22-30.
Dynamic Counters
By default, counting for the following four applications is enabled:
• IPFLOW
• IPACL
• L2ACL
• L2FIB
For the remaining applications, FTOS automatically turns counting on when you enable the application and off when you disable it. Note that if you enable more than four counter-dependent applications on a port pipe, there is an impact on line rate performance.
To clear the counters, use the following command in EXEC Privilege mode:
Command Syntax: clear counters [interface] [vrrp [vrid] | learning-limit]
Command Mode: EXEC Privilege
Purpose: Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces or selected ones. Without an interface specified, the command clears all interface counters.
23 Internet Protocol Security (IPSec)
Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, gateways, or hosts and gateways. IPSec is compatible with Telnet and file transfer protocols (FTPs) and can operate in Transport mode. In Transport mode, IPSec encrypts only the packet payload; the IP header is unchanged. This is the default mode.
Configuring IPSec
The following sample configuration shows how to configure FTP for IPSec.
Step 1: Define the Transform-set.
Command Syntax: crypto ipsec transform-set myXform-seta esp-authentication md5 esp-encryption des
Command Mode: CONFIGURATION
Step 2: Define the crypto policy.
24 IPv4 Routing
The Dell Networking operating software (FTOS) supports various IP addressing features. This chapter explains the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in FTOS.
• IP Addresses
• Directed Broadcast
• Resolution of Host Names
• Address Resolution Protocol (ARP)
• Internet Control Message Protocol (ICMP)
• UDP Helper
Table 24-1 lists the defaults for the IP addressing features described in this chapter.
Implementation Information
In FTOS, you can configure any IP address as a static route except IP addresses already assigned to interfaces.
Note: FTOS versions 7.7.1.0 and later support 31-bit subnet masks (/31, or 255.255.255.254) as defined by RFC 3021. This feature allows you to save two more IP addresses on point-to-point links than 30-bit masks. FTOS supports RFC 3021 with ARP.
Step 3
Command Syntax: ip address ip-address mask [secondary]
Command Mode: INTERFACE
Purpose: Configure a primary IP address and mask on the interface.
• ip-address mask: IP address must be in dotted decimal format (A.B.C.D) and the mask must be in slash prefix-length format (/24).
• Add the keyword secondary if the IP address is the interface’s backup IP address.
Command Syntax: ip route ip-address mask {ip-address | interface [ip-address]} [distance] [permanent] [tag tag-value]
Command Mode: CONFIGURATION
Purpose: Configure a static IP address. Use the following required and optional parameters:
• ip-address: Enter an address in dotted decimal format (A.B.C.D).
• mask: Enter a mask in slash prefix-length format (/X).
• interface: Enter an interface type followed by slot/port information.
• distance range: 1 to 255 (optional).
• When an interface comes up, FTOS re-installs the route.
• When a recursive resolution is “broken,” FTOS withdraws the route.
• When a recursive resolution is satisfied, FTOS re-installs the route.
Configure Static Routes for the Management Interface
When an IP address used by a protocol and a static management route exists for the same prefix, the protocol route takes precedence over the static management route.
Resolution of Host Names
Domain name service (DNS) maps host names to IP addresses. This feature simplifies commands such as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless you enable the feature, the system resolves only host names entered into the host table with the ip host command.
Specify Local System Domain and a List of Domains If you enter a partial domain, FTOS can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. FTOS searches the host table first to resolve the partial domain. The host table contains both statically configured and dynamically learnt host and IP addresses. If FTOS cannot resolve the domain, it tries the domain name assigned to the local system.
Command Syntax: traceroute [host | ip-address]
Command Mode: CONFIGURATION
Purpose: When you enter the traceroute command without specifying an IP address (Extended Traceroute), you are prompted for:
• a target and source IP address
• timeout in seconds (default is 5)
• a probe count (default is 3)
• minimum TTL (default is 1)
• maximum TTL (default is 30)
• port number (default is 33434).
To keep the default setting for those parameters, press the ENTER key.
In FTOS, proxy ARP enables hosts with knowledge of the network to accept and forward packets from hosts that contain no knowledge of the network. Proxy ARP makes it possible for hosts to be ignorant of the network, including subnetting. For more information about proxy ARP, refer to RFC 925, Multi-LAN Address Resolution, and RFC 1027, Using ARP to Implement Transparent Subnet Gateways.
To view the static entries in the ARP cache, use the show arp static command in EXEC privilege mode (Figure 24-7).
Figure 24-7. show arp static Command Example
FTOS#show arp
Protocol  Address       Age(min)  Hardware Address   Interface  VLAN  CPU
----------------------------------------------------------------------------------------
Internet  10.11.68.14   94        00:01:e9:45:00:03  Ma 0/0           CP
Internet  10.11.209.
Clear ARP Cache
To clear the ARP cache of dynamically learned ARP information, use the following command in EXEC Privilege mode:
Command Syntax: clear arp-cache [interface | ip ip-address] [no-refresh]
Command Mode: EXEC privilege
Purpose: Clear the ARP caches for all interfaces or for a specific interface by entering the following information:
• For a port channel interface, enter the keyword port-channel followed by a number from 1 to 128.
ARP Learning via ARP Request
In FTOS versions prior to 8.3.1.0, FTOS learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped. If there is an existing entry for the requesting host, it is updated (Figure 24-8). Beginning with FTOS version 8.3.1.
The default backoff interval remains at 20 seconds. On the MXL switch platform, with FTOS version 8.3.8.0 and later, the time between ARP re-sends is configurable. This timer is an exponential backoff timer. Over the specified period, the time between ARP requests increases. This reduces the potential for the system to slow down while waiting for a multitude of ARP responses.
Task: Set the number of ARP retries.
To view if ICMP unreachable messages are sent on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output.
UDP Helper
UDP helper allows you to direct the forwarding of IP/UDP broadcast traffic by creating special broadcast addresses and rewriting the destination IP address of packets to match those addresses.
Figure 24-11. Viewing the UDP Broadcast Configuration
FTOS#show ip udp-helper
--------------------------------------------------
Port        UDP port list
--------------------------------------------------
TenGig 1/1  1000
Configurations Using UDP Helper
When you enable UDP helper and the destination IP address of an incoming packet is a broadcast address, FTOS suppresses the destination address of the packet. The following sections describe various configurations that employ UDP helper to direct broadcasts.
Figure 24-12. UDP helper with All Broadcast Addresses
VLAN 100: IP address 1.1.0.1/24; subnet broadcast address 1.1.0.255; configured broadcast address 1.1.255.255; hosts on VLAN 100: 1.1.0.2, 1.1.0.3, 1.1.0.4
Packet 1 destination address: 255.255.255.255
Ingress interface IP address: 2.1.1.1/24 (UDP helper enabled)
VLAN 101: IP address 1.11.1/24; subnet broadcast address 1.1.1.255; configured broadcast address 1.1.255.255; hosts on VLAN 100: 1.1.1.2, 1.1.1.
Packet 2 is sent from a host on VLAN 101. It has a broadcast MAC address and a destination IP address that matches the configured broadcast address on VLAN 101. In this case, Packet 2 is flooded on VLAN 101 with the destination address unchanged because the forwarding process is Layer 2. If you enabled UDP helper, the packet is flooded on VLAN 100 as well.
Figure 24-14. UDP Helper with Configured Broadcast Addresses
VLAN 100: IP address 1.1.0.1/24; subnet broadcast address 1.1.0.
Figure 24-16. Debugging IP Helper with UDP Helper
Packet 0.0.0.0:68 -> 255.255.255.255:67 TTL 128
2005-11-05 11:59:35 %RELAY-I-PACKET, BOOTP REQUEST (Unicast) received at interface 172.21.50.193 BOOTP Request, XID = 0x9265f901, secs = 0 hwaddr = 00:02:2D:8D:46:DC, giaddr = 0.0.0.0, hops = 2
2005-11-05 11:59:35 %RELAY-I-BOOTREQUEST, Forwarded BOOTREQUEST for 00:02:2D:8D:46:DC to 137.138.17.
25 IPv6 Routing
Internet protocol version 6 (IPv6) is supported on the MXL Switch platform.
Note: The IPv6 basic commands are supported on all platforms. However, not all features are supported on all platforms, nor for all releases. To determine the FTOS version supporting which features and platforms, refer to Implementing IPv6 with FTOS.
IPv6 is the successor to IPv4. Due to the extremely rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage.
Stateless auto-configuration uses three mechanisms for IPv6 address configuration:
• Prefix Advertisement - Routers use “Router Advertisement” messages to announce the network prefix. Hosts then use their interface-identifier MAC address to generate their own valid IPv6 address.
• Duplicate Address Detection (DAD) - Before configuring its IPv6 address, an IPv6 host node device checks whether that address is used anywhere on the network using this mechanism.
• Next Header (8 bits)
• Hop Limit (8 bits)
• Source Address (128 bits)
• Destination Address (128 bits)
IPv6 provides for extension headers. Extension headers are used only if necessary. There can be no extension headers, one extension header, or more than one extension header in an IPv6 packet. Extension headers are defined in the Next Header field of the preceding IPv6 header.
IPv6 Header Fields
The 40 bytes of the IPv6 header are ordered as shown in the following illustration.
Figure 25-1.
The sending router can label sequences of IPv6 packets so that forwarding routers can process packets within the same flow without needing to reprocess each packet’s header separately.
Note: All packets in the flow must have the same source and destination addresses.
Payload Length (16 bits)
The Payload Length field specifies the packet payload. This is the length of the data following the IPv6 header.
Each time the packet moves through a forwarding router, this field decrements by 1. If a router receives a packet with a Hop Limit of 1, it decrements it to 0 (zero). The router discards the packet and sends an ICMPv6 message back to the sending router indicating that the Hop Limit was exceeded in transit. Source Address (128 bits) The Source Address field contains the IPv6 address for the packet originator.
• Header Extension Length (1 byte): This field identifies the length of the Hop-by-Hop Options header in 8-byte units, but does not include the first 8 bytes. Consequently, if the header is less than 8 bytes, the value is 0 (zero).
• Options (size varies): This field can contain 1 or more options. The first byte of the field identifies the Option type, and directs the router how to handle the option.
00: Skip and continue processing
01: Discard the packet.
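The header layout, the Hop-by-Hop length rule and the hop-limit handling described above, worked through in code. This is an added example, not code from the Dell guide or from FTOS; the sample packets are constructed inline, and the treatment of option-type bits 10 and 11 (also discard) is taken from RFC 8200 rather than from the guide.

```python
import ipaddress
import struct

NEXT_HEADER_HOP_BY_HOP = 0     # a Hop-by-Hop Options header follows the fixed header
NEXT_HEADER_UDP = 17
IPV6_FIXED_HEADER_LEN = 40


def parse_fixed_header(pkt: bytes) -> dict:
    """Split the 40-byte fixed header into the fields listed in the text."""
    if len(pkt) < IPV6_FIXED_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    # Version (4 bits), Traffic Class (8 bits) and Flow Label (20 bits) share the first word.
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    hdr = {
        "version": first_word >> 28,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,          # bytes that follow the fixed header
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }
    if hdr["version"] != 6:
        raise ValueError("version field is not 6")
    if len(pkt) - IPV6_FIXED_HEADER_LEN < payload_len:
        raise ValueError("payload length exceeds captured bytes")
    return hdr


def parse_hop_by_hop(pkt: bytes, offset: int) -> tuple:
    """Walk a Hop-by-Hop Options header starting at offset.

    Returns (next_header, options, action): options lists (type, value) for the
    non-padding options; action is "skip" when every option's two high type bits
    are 00 and "discard" otherwise (01 per the guide; 10 and 11 per RFC 8200).
    """
    next_header, ext_len = pkt[offset], pkt[offset + 1]
    end = offset + (ext_len + 1) * 8           # 8-byte units, first 8 bytes not counted
    if end > len(pkt):
        raise ValueError("Hop-by-Hop header runs past end of packet")
    options, action, pos = [], "skip", offset + 2
    while pos < end:
        opt_type = pkt[pos]
        if opt_type == 0:                      # Pad1: a single zero byte, no length
            pos += 1
            continue
        if pos + 2 > end:
            raise ValueError("option header truncated")
        opt_len = pkt[pos + 1]
        if pos + 2 + opt_len > end:
            raise ValueError("option value overruns header")
        value = pkt[pos + 2:pos + 2 + opt_len]
        if opt_type != 1:                      # type 1 is PadN; everything else is a real option
            options.append((opt_type, value))
            if opt_type >> 6 != 0:
                action = "discard"
        pos += 2 + opt_len
    return next_header, options, action


def route_packet(pkt: bytes) -> tuple:
    """Discard on a rejected Hop-by-Hop option; discard and signal ICMPv6 Time
    Exceeded when Hop Limit would reach 0; otherwise forward with Hop Limit - 1."""
    hdr = parse_fixed_header(pkt)
    if hdr["next_header"] == NEXT_HEADER_HOP_BY_HOP:
        _, _, action = parse_hop_by_hop(pkt, IPV6_FIXED_HEADER_LEN)
        if action == "discard":
            return "discard-option", None
    if hdr["hop_limit"] <= 1:
        return "icmpv6-time-exceeded", None
    out = bytearray(pkt)
    out[7] = hdr["hop_limit"] - 1              # Hop Limit is byte 7 of the fixed header
    return "forward", bytes(out)


def build_packet(src: str, dst: str, hop_limit: int, payload: bytes, hbh_options=None) -> bytes:
    """Construct a sample packet (hypothetical builder); hbh_options is a list of
    (type, value) placed in a Hop-by-Hop header padded to a multiple of 8 bytes."""
    ext, next_header = b"", NEXT_HEADER_UDP
    if hbh_options is not None:
        body = b"".join(bytes([t, len(v)]) + v for t, v in hbh_options)
        pad = (-(2 + len(body))) % 8
        if pad == 1:
            body += b"\x00"                                   # Pad1
        elif pad > 1:
            body += bytes([1, pad - 2]) + b"\x00" * (pad - 2)  # PadN
        ext = bytes([NEXT_HEADER_UDP, (2 + len(body)) // 8 - 1]) + body
        next_header = NEXT_HEADER_HOP_BY_HOP
    first_word = (6 << 28) | (0 << 20) | 0x12345   # version 6, class 0, flow label 0x12345
    fixed = struct.pack("!IHBB", first_word, len(ext) + len(payload), next_header, hop_limit)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + ext + payload)
```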
IPv6 networks are written using Classless Inter-Domain Routing (CIDR) notation. An IPv6 network (or subnet) is a contiguous group of IPv6 addresses the size of which must be a power of two; the initial bits of addresses, which are identical for all hosts in the network, are called the network's prefix. A network is denoted by the first address in the network and the size in bits of the prefix (in decimal), separated with a slash.
The following table lists the FTOS version in which an IPv6 feature became available. The sections following the table give some greater detail about the feature.
Table 25-2. FTOS and IPv6 Feature Support
Feature and/or Functionality | FTOS Release Introduction | Documentation and Chapter Location
MXL Basic IPv6 Commands | 9.2(0.0) | IPv6 Basic Commands in the FTOS Command Line Interface Reference Guide
IPv6 Basic Addressing
IPv6 address types: Unicast | 9.2(0.
Table 25-2. FTOS and IPv6 Feature Support (continued)
ISIS for IPv6 support for distribute lists and administrative distance | 9.2(0.0) | Chapter 27, “Intermediate System to Intermediate System,” on page 491 in the FTOS Configuration Guide; IPv6 IS-IS in the FTOS Command Line Reference Guide
OSPF for IPv6 (OSPFv3) | 9.2(0.0) | OSPFv3 in the FTOS Command Line Reference Guide
Equal Cost Multipath for IPv6 | 9.2(0.0) |
IPv6 Services and Management
Telnet client over IPv6 (outbound Telnet) | 9.2(0.
Table 25-2. FTOS and IPv6 Feature Support (continued)
MLDv1 Snooping | N/A | IPv6 Multicast in this chapter; Multicast IPv6 in the FTOS Command Line Reference Guide
MLDv2 Snooping | N/A | IPv6 Multicast in this chapter; Multicast IPv6 in the FTOS Command Line Reference Guide
IPv6 QoS trust DSCP values | N/A | IPv6 Multicast in this chapter
ICMPv6
ICMPv6 is supported on the MXL Switch platform. ICMP for IPv6 combines the roles of ICMP, IGMP and ARP in IPv4.
Figure 25-2. MTU Discovery Path
Nodes along the path: Source, Router A, Router B, Destination. Link MTUs shown: 1600, 1400, 1200.
Packet (MTU = 1600)
ICMPv6 (Type 2): Use MTU = 1400
Packet (MTU = 1400)
ICMPv6 (Type 2): Use MTU = 1200
Packet (MTU = 1200)
Packet Received
IPv6 Neighbor Discovery
IPv6 Neighbor Discovery Protocol (NDP) is supported on the MXL Switch platform. NDP is a top-level protocol for neighbor discovery on an IPv6 network.
Figure 25-3. NDP Router Redirect
Router C: Network 2001:db8::1428:57ab
Router A, Router B: Local Link
Send a Packet to Network 2001:db8::1428:57ab
Packet Destination (2001:db8::1428:57ab)
ICMPv6 Redirect (Data: Use Router C)
Packet Destination (2001:db8::1428:57ab)
IPv6 Neighbor Discovery of MTU packets
With FTOS 8.3.1.0, you can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface.
Refer to the FTOS Command Line Interface Reference Guide Neighbor Discovery Protocol (NDP), Multicast IPv6, and Protocol Independent Multicast (IPv6) chapters for configuration details. Secure Shell (SSH) over an IPv6 Transport IPv6 Secure Shell (SSH) is supported on the MXL Switch platform. FTOS supports both inbound and outbound SSH sessions using IPv6 addressing. Inbound SSH supports accessing the system through the management interface as well as through a physical Layer 3 interface.
• L3 QoS (ipv4qos): 1
• L2 QoS (l2qos): 1
To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start), then reload the system for the new settings.
Command Syntax: cam-acl { ipv6acl }
Command Mode: CONFIGURATION
Purpose: Allocate space for IPv6 ACLs. Enter the CAM profile name followed by the amount to be allotted. When not selecting the default option, you must enter all of the profiles listed and a range for each.
Note: IPv6 addresses are normally written as eight groups of four hexadecimal digits. Separate each group by a colon (:). Omitting zeros is accepted as described in Addressing.
Assigning a Static IPv6 Route
IPv6 static routes are supported on the MXL Switch platform. Use the ipv6 route command to configure IPv6 static routes.
The Telnet client and server in FTOS support IPv6 connections. You can establish a Telnet session directly to the router using an IPv6 Telnet client, or you can initiate an IPv6 Telnet connection from the router.
Note: Telnet to link local addresses is not supported on the MXL Switch.
Command Syntax: telnet ipv6 address
Command Mode: EXEC or EXEC Privileged
Purpose: Enter the IPv6 address for the device.
Command Syntax: show ipv6 ?
Command Mode: EXEC or EXEC Privileged
Purpose: List the IPv6 show options.
Showing an IPv6 Interface
To view the IPv6 configuration for a specific interface, use the following commands.
Command Syntax: show ipv6 interface type {slot/
Command Mode: EXEC
Purpose: Show the currently running configuration for the specified interface. Enter the keyword interface followed by the type of interface and slot/port information:
• For a brief summary of IPv6 status and configuration, enter the keyword brief.
Figure 25-4.
Figure 25-5.
Showing the Running-Configuration for an Interface
To view the configuration for any interface, use the following command.
Command Syntax: show running-config interface type {slot/port}
Command Mode: EXEC
Purpose: Show the currently running configuration for the specified interface. Enter the keyword interface followed by the type of interface and slot/port information:
• For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
26 iSCSI Optimization
The MXL switch enables internet small computer system interface (iSCSI) optimization with default iSCSI parameter settings (Default iSCSI Optimization Values) and is auto-provisioned to support:
• Detection and Autoconfiguration for Dell EqualLogic Arrays
• Configuring Ports for Dell Compellent Arrays
To display information on iSCSI configuration and sessions, you can use the show commands.
iSCSI optimization enables quality-of-service (QoS) treatment for iSCSI traffic.
• If you configure flow-control, iSCSI uses the current configuration. If you do not configure flow-control, iSCSI auto-configures flow control.
• iSCSI monitoring sessions — the switch monitors and tracks active iSCSI sessions with connections on the switch, including port information and iSCSI session information.
• iSCSI QoS — A user-configured iSCSI class of service (CoS) profile is applied to all iSCSI traffic.
Figure 26-1. iSCSI Optimization Example
Monitoring iSCSI Traffic Flows
The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that trap iSCSI protocol packets to the CPU for examination. Devices that initiate iSCSI sessions usually use well-known transmission control protocol (TCP) ports 3260 or 860 to contact targets. When you enable iSCSI optimization, by default the switch identifies IP packets to or from these ports as iSCSI traffic.
Configuring Ports for Dell Compellent Arrays
For the best iSCSI traffic conditions, the MXL switch auto-configures a port connected to a Dell Compellent storage array when the port is configured as a Compellent-connected port through the CLI.
Default iSCSI Optimization Values
Table 26-1 lists the default values for the iSCSI optimization feature.
Table 26-1. iSCSI Optimization: Default Parameters
Parameter: Default Value
iSCSI Optimization global setting: Enabled
iSCSI CoS mode (802.1p priority queue mapping): Enabled: dot1p priority 4 without the remark setting
iSCSI CoS Treatment: iSCSI packets are queued based on dot1p instead of DSCP values.
Figure 26-2. show iscsi Command Example
FTOS# show isci
iSCSI is enabled
iSCSI session monitoring is enabled
iSCSI COS : dot1p is 4 no-remark
Session aging time: 10
Maximum number of connections is 256
------------------------------------------------
iSCSI Targets and TCP Ports:
------------------------------------------------
TCP Port   Target IP Address
3260
860
Figure 26-3.
27 Intermediate System to Intermediate System
Intermediate System to Intermediate System (IS-IS) is supported on the MXL Switch platform. The IS-IS protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter.
IS-IS Addressing
IS-IS PDUs require ISO-style addressing called network entity title (NET). For those familiar with name-to-name service mapping point (NSAP) addresses, the composition of the NET is identical to an NSAP address, except the last byte is always 0. The NET is composed of IS-IS area address, system ID, and the N-selector. The last byte is the N-selector. All routers within an area have the same area portion.
The Multi-Topology ID is shown in the first octet of the IS-IS packet. Certain MT topologies are assigned to serve predetermined purposes:
• MT ID #0: Equivalent to the “standard” topology.
• MT ID #1: Reserved for IPv4 in-band management purposes.
• MT ID #2: Reserved for IPv6 routing topology.
• MT ID #3: Reserved for IPv4 multicast routing topology.
• MT ID #4: Reserved for IPv6 multicast routing topology.
• MT ID #5: Reserved for IPv6 in-band management purposes.
Graceful Restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change.
You can configure the system as a Level 1 router, a Level 2 router, or a Level 1-2 router. For IPv6, the IPv4 implementation has been expanded to include two new type, length, value (TLV) entries in the PDU that carry information required for IPv6 routing. These TLVs are IPv6 Reachability and IPv6 Interface Address. Also, an IPv6 protocol identifier is included in the supported TLVs. The TLVs use the extended metrics and up/down bit semantics.
Configuration Information
To use IS-IS, you must configure and enable IS-IS in two or three modes: CONFIGURATION ROUTER ISIS, CONFIGURATION INTERFACE, and (when configuring for IPv6) ADDRESS-FAMILY mode. Commands in ROUTER ISIS mode configure IS-IS globally, while commands in INTERFACE mode enable and configure IS-IS features on that interface only. Commands in ADDRESS-FAMILY mode are specific to IPv6.
Configuration Task List for IS-IS
The following list includes the configuration tasks for IS-IS:
• Enabling IS-IS on page 497
• Configure Multi-Topology IS-IS (MT IS-IS) on page 500
• Configure IS-IS Graceful Restart on page 500
• Change LSP Attributes on page 503
• Configure IS-IS Metric Style and Cost on page 504
• Change the IS-type on page 506
• Control Routing Updates on page 508
• Configuring Authentication Passwords on page 512
• Setting the Overload Bit on page 513
• Debugging IS-IS on page 513
En
Step 3: Enter the interface configuration mode. Enter the keyword interface, the type of interface and slot/port information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383.
• For a port channel, enter the keyword port-channel then a number from 1 to 255.
Figure 27-1. Command Example: show isis protocol
FTOS#show isis protocol
IS-IS Router:
  System Id: EEEE.EEEE.EEEE   IS-Type: level-1-2
  Manual area address(es):
    47.0004.004d.0001
  Routing for area address(es):
    21.2223.2425.2627.2829.3031.3233
    47.0004.004d.
Configure Multi-Topology IS-IS (MT IS-IS)
Step 1: Enable multi-topology IS-IS for IPv6. Enter the keyword transition to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode. After every router has been configured with the transition keyword and all the routers are in MT IS-IS IPv6 mode, users can remove the transition keyword on each router.
Command Syntax: graceful-restart restart-wait seconds
Command Mode: ROUTER-ISIS
Purpose: Enable the Graceful Restart maximum wait time before a restarting peer comes up. Be sure to set the T3 timer to adjacency on the restarting router when implementing this command. The range is from 5 to 120 seconds. The default is 30 seconds.
To view all graceful restart-related configurations, use the show isis graceful-restart detail command in EXEC Privilege mode.
Figure 27-3.
To view all interfaces configured with IS-IS routing along with the defaults, use the show isis interface command in EXEC Privilege mode.
Figure 27-4. Command Example: show isis interface
show isis interface G1/34
GigabitEthernet 2/10 is up, line protocol is up
  MTU 1497, Encapsulation SAP
  Routing Protocol: IS-IS
    Circuit Type: Level-1-2
    Interface Index 0x62cc03a, Local circuit ID 1
    Level-1 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.
To view the configuration, use the show config command in ROUTER ISIS mode or the show running-config isis command in EXEC Privilege mode.

Figure 27-5. Command Example: show running-config isis
FTOS#show running-config isis
!
router isis
lsp-refresh-interval 902
net 47.0005.0001.000C.000A.4321.00
net 51.0005.0001.000C.000A.4321.00
FTOS#

Configure IS-IS Metric Style and Cost
All IS-IS links or interfaces are associated with a cost that is used in the SPF calculations.
FTOS supports the following IS-IS metric styles:

Table 27-2. Metric Styles
Metric Style | Characteristics | Cost Range Supported on IS-IS Interfaces
narrow | Sends and accepts narrow or old TLVs (Type Length Value). | 0 to 63
wide | Sends and accepts wide or new TLVs. | 0 to 16777215
transition | Sends both wide (new) and narrow (old) TLVs. | 0 to 63
narrow transition | Sends narrow (old) TLVs and accepts both narrow (old) and wide (new) TLVs. |
To change the metric or cost of the interface, use the following commands:

Command Syntax: isis metric default-metric [level-1 | level-2]
Command Mode: INTERFACE
Purpose: default-value range: 0 to 63 if the metric-style is narrow, narrow-transition, or transition. The range is 0 to 16777215 if the metric style is wide or wide transition. The default is 10.

Command Syntax: isis ipv6 metric default-metric [level-1 | level-2]
Command Mode: INTERFACE
Purpose: Assign a metric for an IPv6 link or interface.
To change the IS-type for the router, use the following commands.

Command Syntax: is-type {level-1 | level-1-2 | level-2-only}
Command Mode: ROUTER ISIS
Purpose: Configure IS-IS operating level for a router. The default is level-1-2.

Command Syntax: is-type {level-1 | level-1-2 | level-2}
Command Mode: ROUTER ISIS
Purpose: Change the IS-type for the IS-IS process.

To view which IS-type is configured, use the show isis protocol command in EXEC Privilege mode.
Control Routing Updates
To control the source of IS-IS route information, use the following command.

Command Syntax: passive-interface interface
Command Mode: ROUTER ISIS
Purpose: Disable a specific interface from sending or receiving IS-IS routing information. Enter the type of interface and slot/port information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
Command Syntax: distribute-list prefix-list-name in [interface]
Command Mode: ROUTER ISIS
Purpose: Apply a configured prefix list to all incoming IPv4 IS-IS routes. Enter the type of interface and slot/port information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383.
• For a port channel, enter the keyword port-channel then a number from 1 to 255.
Command Syntax: distribute-list prefix-list-name in [interface]
Command Mode: ROUTER ISIS-AF IPV6
Purpose: Apply a configured prefix list to all incoming IPv6 IS-IS routes. Enter the type of interface and slot/port information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383.
Command Syntax: redistribute {bgp as-number | connected | rip | static} [level-1 | level-1-2 | level-2] [metric metric-value] [metric-type {external | internal}] [route-map map-name]
Command Mode: ROUTER ISIS
Purpose: Include BGP, directly connected, RIP, or user-configured (static) routes in IS-IS. Configure the following parameters:
• level-1, level-1-2, or level-2: Assign all redistributed routes to a level. The default is level-2.
• metric: The range is 0 to 16777215. The default is 0.
Command Syntax: redistribute ospf process-id [level-1 | level-1-2 | level-2] [metric value] [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name]
Command Mode: ROUTER ISIS
Purpose: Include specific OSPF routes in IS-IS. Configure the following parameters:
• process-id: The range is 1 to 65535.
• level-1, level-1-2, or level-2: Assign all redistributed routes to a level. The default is level-2.
To remove a password, use either the no area-password or no domain-password commands in ROUTER ISIS mode.

Setting the Overload Bit
Another use for the overload bit is to prevent other routers from using this router as an intermediate hop in their shortest path first (SPF) calculations. For example, if the IS-IS routing database is out of memory and cannot accept new LSPs, FTOS sets the overload bit and IS-IS traffic continues to transit the system.
Command Syntax: debug isis adj-packets [interface]
Command Mode: EXEC Privilege
Purpose: View information on all adjacency-related activity (for example, hello packets that are sent and received). To view specific information, enter one of the following optional parameters:
• interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
• Configure Metric Values on page 515

FTOS supports the following IS-IS metric styles:
• narrow (supports only TLV up to 63)
• wide (supports TLV up to 16777215)
• transition (supports both narrow and wide and uses a TLV up to 63)
• narrow transition (accepts both narrow and wide and sends only narrow or old-style TLV)
• wide transition (accepts both narrow and wide and sends only wide or new-style TLV)

Configure Metric Values
For any level (Level-1, Level-2, or Level-1-2), the value range possible in t
In the following scenarios, the IS-type is either Level-1, Level-2, or Level-1-2 and the metric style changes.

Table 27-5. Metric Value when Metric Style Changes
Beginning metric style | Final metric style | Resulting IS-IS metric value
wide | narrow | default value (10) if the original value is greater than 63. A message is sent to the console.
wide | transition | truncated value [1] (the truncated value appears in the LSP only.
Moving to transition and then to another metric style produces different results.

Table 27-6. Metric Value when Metric Style Changes Multiple Times
Beginning metric style | Next IS-IS metric style | Resulting IS-IS metric value | Next metric style | Final IS-IS metric value
wide | transition | truncated value | wide | original value is recovered.
wide transition | transition | truncated value | wide transition | original value is recovered.
Sample Configurations
The following configurations are examples for enabling IPv6 IS-IS. These examples are not comprehensive directions. They are intended to give you guidance with typical configurations.

Note: Only one IS-IS process can run on the router, even if you are using both IPv4 and IPv6 routing.

You can copy and paste from these examples to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure you make the necessary changes.
Figure 28. IS-IS Sample Configuration
Router 1
R1(conf)#interface Loopback 0
R1(conf-if-lo-0)#ip address 192.168.1.1/24
R1(conf-if-lo-0)#ipv6 address 2001:db8:9999:1::/48
R1(conf-if-lo-0)#ip router isis 9999
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#router isis 9999
R1(conf-router_isis)#is-type level-1
R1(conf-router_isis)#net FF.F101.0002.0C00.1111.
Figure 27-1. IS-IS Sample Configuration continued
Router 2
R2(conf)#interface Loopback 0
R2(conf-if-lo-0)#ip address 192.168.1.1/24
R2(conf-if-lo-0)#ipv6 address 2001:db8:9999:1::/48
R2(conf-if-lo-0)#ip router isis 9999
R2(conf-if-lo-0)#no shutdown
R2(conf-if-lo-0)#router isis 9999
R2(conf-router_isis)#int gi 2/11
R2(conf-if-gi-2/11)#ip address 10.0.12.
Figure 27-2. IS-IS Sample Configuration continued
Router 3
R3(conf)#interface Loopback 0
R3(conf-if-lo-0)#ip address 192.168.1.3/24
R3(conf-if-lo-0)#ipv6 address 2001:db8:9999:3::/48
R3(conf-if-lo-0)#ip router isis 9999
R3(conf-if-lo-0)#no shutdown
R3(conf-if-lo-0)#router isis 9999
R3(conf-router_isis)#net FF.F101.0002.0C00.1133.00
R3(conf-router_isis)#ipv6 route 2001:db8:9999:1::/128 2001:db8:1022:1::
R3(conf)#ipv6 route 2001:db8:9999:2::/128 2001:db8:1023:2::
R3(conf)#ip route 192.168.1.1/32 10.0.13.
Figure 27-3. IPv6 IS-IS Sample Topography (topology diagram; interface labels: Loopback 0 2001:0db8:9999:2::/48 (192.168.1.2/24); GigE 2/11 2001:0db8:1021:2::/48 (10.0.12.2/24); GigE 2/31 2001:0db8:1023:2::/48 (10.0.23.2/24); R2; GigE 1/21 2001:0db8:1021:1::/48 (10.0.12.1/24); GigE 3/21 2001:0db8:1023:3::/48 (10.0.23.3/24); Loopback 0 R1 2001:0db8:9999:1::/48 (192.168.1.1/24); GigE 1/34 2001:0db8:1022:1::/48 (10.0.13.)
28 Link Aggregation Control Protocol (LACP)
Link Aggregation Control Protocol (LACP) is supported on the MXL Switch platform.

Introduction to Dynamic LAGs and LACP
A link aggregation group (LAG), referred to as a port channel by the Dell Networking operating software (FTOS), provides both load-sharing and port redundancy across stack units. You can enable LAGs as static or dynamic. The benefits and constraints are basically the same, as described in Port Channel Interfaces in Interfaces.
• If a physical interface is a part of a dynamic LAG, it cannot be added as a member of a static LAG. The channel-member tengigabitethernet x/y command is rejected in the static LAG interface for that physical interface.
• You can create a dynamic LAG with any type of configuration.
• There is a difference between the shutdown command and the no interface port-channel command:
  • The shutdown command on LAG “xyz” disables the LAG and retains the user commands.
Command Syntax: [no] port-channel-protocol lacp
Command Mode: INTERFACE
Purpose: Enable or disable LACP on any LAN port:
• Default is LACP disabled
• This command creates a new context.

Command Syntax: [no] port-channel number mode [active | passive | off]
Command Mode: LACP
Purpose: Configure LACP mode.
• Default is LACP active
• number cannot statically contain any links

Command Syntax: [no] lacp port-priority priority-value
Command Mode: LACP
Purpose: Configure port priority.
Configure the LAG Interfaces as Dynamic
After creating a LAG, to configure the dynamic LAG interfaces, use the port-channel-protocol lacp command. Figure 28-3 shows ports 3/15, 3/16, 4/15, and 4/16 added to LAG 32 in LACP mode.

Figure 28-3. Creating a Dynamic LAG Example
FTOS(conf)#interface TenGigabitethernet 3/15
FTOS(conf-if-te-3/15)#no shutdown
FTOS(conf-if-te-3/15)#port-channel-protocol lacp
FTOS(conf-if-te-3/15-lacp)#port-channel 32 mode active
...
Figure 28-4. Invoking the LACP Long Timeout
FTOS(conf)# interface port-channel 32
FTOS(conf-if-po-32)#no shutdown
FTOS(conf-if-po-32)#switchport
FTOS(conf-if-po-32)#lacp long-timeout
FTOS(conf-if-po-32)#end
FTOS# show lacp 32
Port-channel 32 admin up, oper up, mode lacp
Actor System ID: Priority 32768, Address 0001.e800.a12b
Partner System ID: Priority 32768, Address 0001.e801.
Figure 28-5. LAGs using ECMP without Shared LAG State Tracking (diagram: R1, R2, R3, R4; Po 1 failure; Po 2 over-subscribed)

To avoid packet loss, traffic must be re-directed through the next lowest-cost link (R3 to R4). FTOS has the ability to bring LAG 2 down in the event that LAG 1 fails, so that traffic can be re-directed. This is shared LAG state tracking.
In Figure 28-8, LAGs 1 and 2 are members of a failover group. LAG 1 fails and LAG 2 is brought down upon the failure. This effect is logged by Message 1, in which a console message declares both LAGs down at the same time.
Figure 28-8.
• You can configure shared LAG state tracking on one side of a link or on both sides.
• If a LAG that is part of a failover group is deleted, the failover group is deleted.
• If a LAG moves to the down state due to this feature, its members may still be in the up state.

LACP Basic Configuration Example
The screenshots in this section are based on the example topology shown in Figure 28-10.
Figure 28-12 shows the LAG port configuration (ALPHA).
Figure 28-13 shows inspecting the LAG 10 configuration (ALPHA).
To verify LAG 10 status on ALPHA, use the show lacp command (Figure 28-13).
Summary of the Configuration on ALPHA
Figure 28-15 shows the summary of the configuration (ALPHA).
Summary of the Configuration on BRAVO
Figure 28-16 shows the summary of the configuration (BRAVO).
To inspect a LAG port on BRAVO, use the show interface command (Figure 28-17).
To inspect the LAG, use the show interfaces port-channel command (Figure 28-18).
Figure 28-18. show interfaces port-channel Command Example to inspect LAG 10

To inspect the LAG status, use the show lacp command (Figure 28-19).
29 Layer 2
Layer 2 features are supported on the MXL Switch platform.
To set the aging time for dynamic entries, use the following commands:

Task: Disable MAC address aging for all dynamic entries.
Command Syntax: mac-address-table aging-time 0
Command Mode: CONFIGURATION

Task: Specify an aging time.
Command Syntax: mac-address-table aging-time seconds
Command Mode: CONFIGURATION
Range: 10-1000000

FTOS Behavior: The time elapsed before the configured MAC aging time expires is not precisely as configured.
MAC Learning Limit
This section describes the following:
• MAC Learning Limit Dynamic
• MAC Learning Limit Station-Move
• Learning Limit Violation Actions
• Station Move Violation Actions
• Recovering from Learning Limit and Station Move Violations

The MAC address learning limit is a method of port security on Layer 2 port-channel and physical interfaces, and virtual local area networks (VLANs). It allows you to set an upper limit on the number of MAC addresses that are learned on an interface/VLAN.
MAC Learning Limit Dynamic
The MAC address table is stored on the Layer 2 forwarding information base (FIB) region of the CAM. The Layer 2 FIB region allocates space for static MAC address entries and dynamic MAC address entries. When you enable MAC learning limit, entries created on this port are static by default. When you configure the dynamic option, learned MAC addresses are stored in the dynamic region and are subject to aging.
Task: Shut down both the first and second port to learn the MAC address.
Command Syntax: mac station-move-violation shutdown-both
Command Mode: INTERFACE

To display a list of interfaces configured with MAC learning limit or station move violation actions, use the following command:
Task: Display a list of all of the interfaces configured with MAC learning limit or station move violation.
Figure 29-1. Redundant NICs with NIC Teaming (diagram: server with MAC A:B:C:D A:B and IP 1.1.1.1; Port 0/1 marked X; Port 0/5 marked Active Link)

When you use NIC teaming, consider that the server MAC address is originally learned on Port 0/1 of the switch (Figure 29-2). When the NIC fails, the same MAC address is learned on Port 0/5 of the switch. The MAC address must be disassociated with the one port and re-associated with another in the ARP table; in other words, the ARP entry must be “moved”.
is the number of times a station move must be detected in a single interval in order to trigger a system log message. For example, if you configure mac-address-table station-move threshold 2 time-interval 5000, and 4 station moves occur in 5000ms, two log messages are generated.
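As an added illustration of the threshold semantics above (not code from the guide or from FTOS), the following Python model replays a constructed list of MAC learning events and emits one message for every threshold station moves seen inside one time-interval window. The timestamps, MAC address and port names are made up for the example, and the fixed-window reset at each interval boundary is an assumption of the model; the guide states only the per-interval count. Repeated station moves of a single address within a short interval are also what a defender looks for when a host's MAC appears to flap between ports.

```python
"""Station-move threshold model (added example, not FTOS code).

Models the behaviour described for
  mac-address-table station-move threshold <count> time-interval <ms>:
a station move is a MAC address re-learned on a different port, and one
log message is generated each time <count> moves are seen within one
<ms>-long interval.
"""
from collections import namedtuple

LearnEvent = namedtuple("LearnEvent", "time_ms mac port")


def station_move_logs(events, threshold, interval_ms):
    """Return the log messages the threshold would produce for `events`.

    Intervals are fixed windows of `interval_ms` starting at the first event;
    the move counter resets when a new interval begins (a modelling
    assumption: the page only states the per-interval semantics).
    """
    last_port = {}            # MAC -> port it was last learned on
    logs = []
    window_start = None
    moves_in_window = 0
    for ev in sorted(events, key=lambda e: e.time_ms):
        if window_start is None or ev.time_ms - window_start >= interval_ms:
            window_start = ev.time_ms
            moves_in_window = 0
        prev = last_port.get(ev.mac)
        last_port[ev.mac] = ev.port
        if prev is None or prev == ev.port:
            continue              # first learn, or same port: not a station move
        moves_in_window += 1
        if moves_in_window % threshold == 0:
            logs.append(
                f"{ev.time_ms}ms: {threshold} station moves within {interval_ms}ms "
                f"(latest: {ev.mac} moved {prev} -> {ev.port})"
            )
    return logs


# Constructed sample reproducing the page's worked case: threshold 2,
# time-interval 5000 ms, four moves of one MAC inside a single interval.
SAMPLE_EVENTS = [
    LearnEvent(0, "00:01:e8:00:a1:2b", "Te 0/1"),      # initial learn, not a move
    LearnEvent(500, "00:01:e8:00:a1:2b", "Te 0/5"),    # move 1
    LearnEvent(1500, "00:01:e8:00:a1:2b", "Te 0/1"),   # move 2 -> log message
    LearnEvent(2500, "00:01:e8:00:a1:2b", "Te 0/5"),   # move 3
    LearnEvent(3500, "00:01:e8:00:a1:2b", "Te 0/1"),   # move 4 -> log message
]

if __name__ == "__main__":
    for line in station_move_logs(SAMPLE_EVENTS, threshold=2, interval_ms=5000):
        print(line)
```

With the sample events and threshold 2 / interval 5000 the model produces two messages, matching the text; shrinking the interval to 1000 ms splits the moves across windows and produces none, which is why the interval is as important a tuning knob as the count.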
30 Link Layer Discovery Protocol (LLDP)
The Link Layer Discovery Protocol (LLDP) is supported on the MXL Switch platform.

Overview
Link Layer Discovery Protocol (LLDP)—defined by IEEE 802.1AB—is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
There are five types of TLVs (Table 30-1). All types are mandatory in the construction of an LLDPDU except Optional TLVs. You can configure the inclusion of individual Optional TLVs.

Table 30-1. Type, Length, Value (TLV) Types
Type | TLV | Description
0 | End of LLDPDU | Marks the end of an LLDPDU.
1 | Chassis ID | An administratively assigned name that identifies the LLDP agent.
Organizationally Specific TLVs
Organizationally specific TLVs can be defined by a professional organization or a vendor. They have two mandatory fields (Figure 30-3) in addition to the basic TLV fields (Figure 30-1):
• Organizationally Unique Identifier (OUI)—a unique number assigned by the IEEE to an organization or vendor.
• OUI Sub-type—These sub-types indicate the kind of information in the following data field. The sub-types are determined by the owner of the OUI.
Figure 30-3.
Table 30-2. Optional TLV Types
Type | TLV | Description
IEEE 802.3 Organizationally Specific TLVs
127 | MAC/PHY Configuration/Status | Indicates the capability and current setting of the duplex status and bit rate, and whether the current settings are the result of auto-negotiation. This TLV is not available in the FTOS implementation of LLDP, but is available and mandatory (non-configurable) in the LLDP-MED implementation.
Table 30-3 lists the five types of TIA-1057 Organizationally Specific TLVs.
Figure 30-4. LLDP-MED Capabilities TLV (field layout: TLV Type (127), 7 bits; TLV Length (7); Organizationally Unique ID (00-12-BB); Organizationally Defined Sub-type (1); LLDP-MED Capabilities (00000000 00001111); LLDP-MED Device Type (4))
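The TLV encoding described in the preceding sections (a 2-byte header carrying a 7-bit type and a 9-bit length, with type 127 followed by a 3-byte OUI and a 1-byte sub-type) can be checked with a short parser. The following Python is an added example, not code from the Dell guide or from FTOS. It walks a constructed LLDPDU that ends with the LLDP-MED Capabilities TLV of Figure 30-4 and refuses any frame whose declared lengths run past the bytes actually received; the chassis MAC, port name and TTL in the sample frame are made up for the example.

```python
"""Minimal LLDPDU (IEEE 802.1AB) TLV walker.

Added example, not code from the Dell guide or from FTOS. Parses the TLV
header described in the text (7-bit type, 9-bit length), recognises the
Organizationally Specific TLV (type 127: 3-byte OUI + 1-byte sub-type),
and decodes the TIA LLDP-MED Capabilities sub-type shown in Figure 30-4.
"""
import struct

END_OF_LLDPDU = 0
CHASSIS_ID = 1
PORT_ID = 2
TTL = 3
ORG_SPECIFIC = 127
TIA_OUI = bytes.fromhex("0012bb")     # TIA-1057 (LLDP-MED) OUI from Figure 30-4
MED_CAPABILITIES_SUBTYPE = 1


def parse_tlvs(lldpdu: bytes):
    """Return a list of (type, value) pairs; raise ValueError on a malformed LLDPDU.

    A receiver must never trust the advertised length: each TLV is checked
    against the bytes actually present before it is sliced out.
    """
    offset = 0
    tlvs = []
    while True:
        if offset + 2 > len(lldpdu):
            raise ValueError("LLDPDU ends without an End of LLDPDU TLV")
        header = struct.unpack_from("!H", lldpdu, offset)[0]
        tlv_type = header >> 9            # upper 7 bits
        tlv_len = header & 0x01FF         # lower 9 bits
        offset += 2
        if offset + tlv_len > len(lldpdu):
            raise ValueError(f"TLV type {tlv_type} claims {tlv_len} bytes beyond end of frame")
        value = lldpdu[offset:offset + tlv_len]
        offset += tlv_len
        tlvs.append((tlv_type, value))
        if tlv_type == END_OF_LLDPDU:
            if tlv_len != 0:
                raise ValueError("End of LLDPDU TLV must have zero length")
            return tlvs


def decode_org_specific(value: bytes):
    """Split an Organizationally Specific TLV value into (OUI, sub-type, data)."""
    if len(value) < 4:
        raise ValueError("Organizationally Specific TLV shorter than OUI + sub-type")
    return value[:3], value[3], value[4:]


def decode_med_capabilities(data: bytes):
    """Decode LLDP-MED Capabilities: 16-bit capability bitmap + 8-bit device type."""
    if len(data) != 3:
        raise ValueError("LLDP-MED Capabilities TLV must carry exactly 3 bytes after the sub-type")
    caps, device_type = struct.unpack("!HB", data)
    return {"capabilities": caps, "device_type": device_type}


def summarize(lldpdu: bytes):
    """Return the fields a verifier would check, keyed by TLV name."""
    out = {}
    for tlv_type, value in parse_tlvs(lldpdu):
        if tlv_type == CHASSIS_ID:
            out["chassis_id"] = value[1:]     # byte 0 is the chassis ID subtype
        elif tlv_type == PORT_ID:
            out["port_id"] = value[1:]        # byte 0 is the port ID subtype
        elif tlv_type == TTL:
            out["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == ORG_SPECIFIC:
            oui, subtype, data = decode_org_specific(value)
            if oui == TIA_OUI and subtype == MED_CAPABILITIES_SUBTYPE:
                out["med"] = decode_med_capabilities(data)
    return out


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Build one TLV (used here only to construct the sample frame)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed sample LLDPDU: Chassis ID (subtype 4 = MAC address), Port ID
# (subtype 5 = interface name), TTL 120 s, the LLDP-MED Capabilities TLV of
# Figure 30-4 (OUI 00-12-BB, sub-type 1, caps 0x000F, device type 4), End.
SAMPLE_LLDPDU = (
    tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("0001e800a12b"))
    + tlv(PORT_ID, b"\x05" + b"TenGigabitEthernet 1/31")
    + tlv(TTL, struct.pack("!H", 120))
    + tlv(ORG_SPECIFIC, TIA_OUI + bytes([MED_CAPABILITIES_SUBTYPE]) + b"\x00\x0f\x04")
    + tlv(END_OF_LLDPDU, b"")
)

if __name__ == "__main__":
    print(summarize(SAMPLE_LLDPDU))
```

The length check before every slice is the part that matters on a switch that accepts LLDPDUs from whatever is plugged into an access port: a TLV whose 9-bit length points past the end of the frame is rejected as a whole rather than partially decoded.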
The application type is represented by an integer (the Type integer in Table 30-6), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED Network Policy TLV is generated for each application type that you specify with the FTOS command line interface (CLI) (Advertising TLVs).
Extended Power via MDI TLV
The Extended Power via MDI TLV enables advanced power over Ethernet (PoE) management between LLDP-MED endpoints and network connectivity devices (Figure 30-6). Advertise the Extended Power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device.
• Power Type—there are two possible power types: power sourcing entity (PSE) or power device (PD).
Important Points to Remember
• LLDP is disabled by default.
• Dell Networking systems support up to eight neighbors per interface.
• Dell Networking systems support a maximum of 8000 total neighbors per system. If the number of interfaces multiplied by eight exceeds the maximum, the system does not configure more than 8000.
• INTERFACE level configurations override all CONFIGURATION level configurations.
• LLDP is not hitless.
Advertising TLVs
You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces.
• If you configure the system globally, all interfaces send LLDPDUs with the specified TLVs.
• If you configure an interface, only the interface sends LLDPDUs with the specified TLVs.
If you configure LLDP both globally and at interface level, the interface-level configuration overrides the global configuration.
In Figure 30-8, LLDP is enabled globally. R1 and R2 are transmitting periodic LLDPDUs that contain management, 802.1, and 802.3 TLVs.
Figure 30-8. Configuring LLDP

Viewing the LLDP Configuration
To display the LLDP configuration, use the show config command in either CONFIGURATION or INTERFACE mode (Figure 30-9 and Figure 30-10).
Figure 30-10. Viewing LLDP Interface Configurations
R1(conf-lldp)#exit
R1(conf)#interface tengigabitethernet 1/31
R1(conf-if-te-1/31)#show config
!
interface TenGigabitEthernet 1/31
no ip address
!
no shutdown
R1(conf-if-te-1/31)#protocol lldp
R1(conf-if-te-1/31-lldp)#show config
!
protocol lldp
R1(conf-if-te-1/31-lldp)#

Viewing Information Advertised by Adjacent LLDP Agents
To display brief information about adjacent devices, use the show lldp neighbors command (Figure 30-11).
Configuring LLDPDU Intervals
LLDPDUs are transmitted periodically; the default interval is 30 seconds. To configure a non-default transmit interval—at CONFIGURATION level or INTERFACE level—use the hello command (Figure 30-13).
Configuring Transmit and Receive Mode
After you enable LLDP, Dell Networking systems transmit and receive LLDPDUs by default. You can configure the system—at CONFIGURATION level or INTERFACE level—to transmit only by executing the mode tx command, or receive only by executing the mode rx command. To return to the default setting, use the no mode command (Figure 30-14).
Configuring a Time to Live The information received from a neighbor expires after a specific amount of time (measured in seconds) called a Time to Live (TTL). The TTL is the product of the LLDPDU transmit interval (hello) and an integer called a multiplier. The default multiplier is 4, which results in a default TTL of 120 seconds. To adjust the TTL value—at CONFIGURATION level or INTERFACE level—use the multiplier command.
Debugging LLDP
The debug lldp command allows you to view the TLVs that your system is sending and receiving.
• Use the debug lldp brief command to view a readable version of the TLVs.
• Use the debug lldp detail command to view a readable version of the TLVs plus a hexadecimal version of the entire LLDPDU.
Relevant Management Objects
FTOS supports all IEEE 802.1AB MIB objects.
• Table 30-7 lists the objects associated with received and transmitted TLVs.
• Table 30-8 lists the objects associated with the LLDP configuration on the local agent.
• Table 30-9 lists the objects associated with IEEE 802.1AB Organizationally Specific TLVs.
• Table 30-10 lists the objects associated with received and transmitted LLDP-MED TLVs.
Table 30-9. LLDP 802.1 Organizationally Specific TLV MIB Objects
TLV Type | TLV Name | TLV Variable
127 | Port and Protocol VLAN ID | port and protocol VLAN supported; Local port and protocol VLAN enabled; PPVID
127 | VLAN Name | VID; VLAN name length; VLAN name
31 Multicast Source Discovery Protocol (MSDP)
Multicast Source Discovery Protocol (MSDP) is supported on the MXL Switch platform.

Protocol Overview
Multicast Source Discovery Protocol (MSDP) is a Layer 3 protocol that connects IPv4 PIM-SM domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as BGP. Each RP peers with every other RP via TCP.
Each RP advertises each (S,G) in its domain in Type, Length, Value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected.

Figure 31-18. MSDP SA Message Format (packet diagram: TCP header fields Source Port, Dest. Port (639), Seq. Number, Ack.; MSDP Type Code values 1 through 7)
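To make the SA layout concrete, the following Python is an added example, not code from the guide or from FTOS. It encodes and decodes an SA message using the field order from RFC 3618: Type, Length, Entry Count, RP Address, then one 12-byte entry per count made of Reserved, Sprefix Len, Group Address and Source Address. The sample message reuses this chapter's RP 192.168.0.1, source 10.11.4.2 and group 239.0.0.1; an RP receiving SA messages over a peering should drop any message whose Entry Count and Length disagree, which is the check the parser performs.

```python
"""Encoder/decoder for an MSDP Source-Active (SA) message (RFC 3618).

Added example, not code from the Dell guide or FTOS. Field order:
  Type (1 byte, 1 = SA) | Length (2) | Entry Count (1) | RP Address (4)
  then Entry Count * [ Reserved (3) | Sprefix Len (1) | Group (4) | Source (4) ]
Any bytes after the entries (up to Length) would be an encapsulated data
packet, which this example ignores.
"""
import ipaddress
import struct

MSDP_PORT = 639
MSDP_TYPE_SA = 1
SA_HEADER_LEN = 8        # type(1) + length(2) + entry count(1) + RP address(4)
SA_ENTRY_LEN = 12        # reserved(3) + sprefix len(1) + group(4) + source(4)


def parse_sa_message(msg: bytes):
    """Return (rp_address, [(source, group), ...]) or raise ValueError."""
    if len(msg) < SA_HEADER_LEN:
        raise ValueError("message shorter than the SA header")
    msg_type, length, entry_count, rp_raw = struct.unpack_from("!BHB4s", msg, 0)
    if msg_type != MSDP_TYPE_SA:
        raise ValueError(f"not an SA message (type {msg_type})")
    if length > len(msg):
        raise ValueError("Length field exceeds bytes received")
    if SA_HEADER_LEN + entry_count * SA_ENTRY_LEN > length:
        raise ValueError("Entry Count is inconsistent with Length")
    entries = []
    offset = SA_HEADER_LEN
    for _ in range(entry_count):
        _reserved, sprefix_len, group_raw, source_raw = struct.unpack_from(
            "!3sB4s4s", msg, offset
        )
        if sprefix_len != 32:
            raise ValueError("Sprefix Len must be 32 for an IPv4 host source")
        entries.append(
            (str(ipaddress.IPv4Address(source_raw)), str(ipaddress.IPv4Address(group_raw)))
        )
        offset += SA_ENTRY_LEN
    return str(ipaddress.IPv4Address(rp_raw)), entries


def build_sa_message(rp: str, pairs):
    """Encode an SA message for the given (source, group) pairs (used to build the sample)."""
    body = b"".join(
        b"\x00\x00\x00"
        + bytes([32])
        + ipaddress.IPv4Address(group).packed
        + ipaddress.IPv4Address(source).packed
        for source, group in pairs
    )
    length = SA_HEADER_LEN + len(body)
    return (
        struct.pack("!BHB4s", MSDP_TYPE_SA, length, len(pairs), ipaddress.IPv4Address(rp).packed)
        + body
    )


# Constructed sample: the single (S,G) this chapter's sa-cache output shows,
# originated by RP 192.168.0.1.
SAMPLE_SA = build_sa_message("192.168.0.1", [("10.11.4.2", "239.0.0.1")])

if __name__ == "__main__":
    print(parse_sa_message(SAMPLE_SA))
```

The two consistency checks (Length against the bytes received, Entry Count against Length) are what keep a malformed or truncated SA from being partly decoded into the cache; the page's own option for logging rejected sources (ip msdp cache-rejected-sa) is the operational counterpart for sources that parse correctly but fail policy.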
Configuring Multicast Source Discovery Protocol
Configuring MSDP is a three-step process:
1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Figure 31-21 and MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP. Otherwise, see Open Shortest Path First (OSPFv2 and OSPFv3) and Chapter 10, Border Gateway Protocol IPv4 (BGPv4).
2. Configure PIM-SM within each EGP routing domain.
interface GigabitEthernet 1/1
ip pim sparse-mode
ip address 10.11.3.1/24
no shutdown
!
interface GigabitEthernet 1/2
ip address 10.11.2.1/24
no shutdown
!
interface GigabitEthernet 1/21
ip pim sparse-mode
ip address 10.11.1.12/24
no shutdown
!
interface Loopback 0
ip pim sparse-mode
ip address 192.168.0.1/32
no shutdown

(topology diagram labels: 1/1; PC 1 : 10.11.3.2/24; R1; 1/21; R2; 2/11)

interface GigabitEthernet 3/21
ip pim sparse-mode
ip address 10.11.0.
router ospf 1
network 10.11.2.0/24 area 0
network 10.11.1.0/24 area 0
network 192.168.0.1/32 area 0
network 10.11.3.0/24 area 0

router ospf 1
network 192.168.0.1/32 area 0
network 10.11.1.0/24 area 0
network 10.11.4.0/24 area 0
redistribute static
redistribute connected
redistribute bgp 100

R2_E300(conf)#do show run bgp
!
router bgp 100
redistribute ospf 1
neighbor 192.168.0.3 remote-as 200
neighbor 192.168.0.3 ebgp-multihop 255
neighbor 192.168.0.3 update-source Loopback 0
neighbor 192.168.0.
(topology diagram labels: R1 1/2 RP1; PC 2 Receiver: 239.0.0.1; 1/1; R3 3/41; 4/31 R4; AS 200; 4/1; PC 3 Receiver: 239.0.0.1; RP2 3/21; 2/11; 2/31; 1/21 R2 2/1; PC 2 Source: 239.0.0.; PIM and PIM+IGMP link labels)

ip multicast-routing
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.0/4

ip multicast-routing
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.0/4

ip multicast-routing
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
R1_E600(conf)#do show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr SourceAddr RPAddr LearnedFrom Expire UpTime
239.0.0.1 10.11.4.2 192.168.0.1 local 95 16:49:25

(10.11.4.2, 239.0.0.1), uptime 1d16h, expires 00:03:12, flags: CTA
Incoming interface: GigabitEthernet 1/21, RPF neighbor 10.11.1.21
Outgoing interface list:
GigabitEthernet 1/1 Forward/Sparse 22:26:37/Never
(*, 239.0.0.1), uptime 22:26:37, expires 00:00:00, RP 192.168.0.
Enable MSDP
Enable MSDP by peering RPs in different administrative domains.

Step 1. Enable MSDP.
Command Syntax: ip multicast-msdp
Command Mode: CONFIGURATION

Step 2. Peer PIM systems in different administrative domains.
Command Syntax: ip msdp peer connect-source
Command Mode: CONFIGURATION

Figure 31-23. Configuring an MSDP Peer
R3_E600(conf)#ip multicast-msdp
R3_E600(conf)#ip msdp peer 192.168.0.1 connect-source Loopback 0
R3_E600(conf)#do show ip msdp summary
Peer Addr 192.168.0.
• RPs can transmit SA messages periodically to prevent SA storms, and only sources that are in the cache are advertised in the SA to prevent transmitting multiple copies of the same source information.

View the Source-active Cache
Task: View the SA cache.
Command Syntax: show ip msdp sa-cache
Command Mode: EXEC Privilege

Figure 31-25. Displaying the MSDP Source-active Cache
R3_E600#show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr SourceAddr RPAddr
239.0.0.1 10.11.4.2 192.168.0.
Task: Cache rejected sources.
Command Syntax: ip msdp cache-rejected-sa
Command Mode: CONFIGURATION

Accept Source-active Messages that fail the RPF Check
A default peer is a peer from which active sources are accepted even though they fail the RPF check.
• the peer RP is unreachable, or because of an SA message format error.

In Scenario 1 of Figure 31-26, all MSDP peers are up.
Task: Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. If you do not specify an access list, the peer accepts all sources advertised by that peer. All sources from RPs denied by the ACL are subjected to the normal RPF check.
Command Syntax: ip msdp default-peer ip-address list
Command Mode: CONFIGURATION

Figure 31-27. Accepting Source-active Messages with
FTOS(conf)#ip msdp peer 10.0.50.
Prevent MSDP from Caching a Local Source
You can prevent MSDP from caching an active source based on source and/or group. Since the source is not cached, it is not advertised to remote RPs.

Task: OPTIONAL: Cache sources that are denied by the redistribute list in the rejected SA cache.
Command Syntax: ip msdp cache-rejected-sa
Command Mode: CONFIGURATION

Task: Prevent the system from caching local SA entries based on source and group using an extended ACL.
Prevent MSDP from Caching a Remote Source

Task: OPTIONAL: Cache sources that are denied by the SA filter in the rejected SA cache.
Command Syntax: ip msdp cache-rejected-sa
Command Mode: CONFIGURATION

Task: Prevent the system from caching remote sources learned from a specific peer based on source and group.
Command Syntax: ip msdp sa-filter list out peer list ext-acl
Command Mode: CONFIGURATION

In Figure 31-30, R1 is advertising source 10.11.4.2.
Prevent MSDP from Advertising a Local Source

Task: Prevent an RP from advertising a source in the SA cache.
Command Syntax: ip msdp sa-filter list in peer list ext-acl
Command Mode: CONFIGURATION

In Figure 31-30, R1 stops advertising source 10.11.4.2. Since it is already in the SA cache of R3, the entry remains there until it expires.

Figure 31-30. Preventing MSDP from Advertising a Local Source
[Router 1]
R1_E600(conf)#do show run msdp
!
ip multicast-msdp
ip msdp peer 192.168.0.
Log Changes in Peership States
Task: Log peership state changes.
Command Syntax: ip msdp log-adjacency-changes
Command Mode: CONFIGURATION

Terminate a Peership
MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639.
Task: Terminate the TCP connection with a peer.
Clear Peer Statistics
Task: Reset the TCP connection to the peer and clear all peer statistics.
Command Syntax: clear ip msdp peer peer-address
Command Mode: CONFIGURATION

Figure 31-32. Clearing Peer Statistics
R3_E600(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.
Debug MSDP
Task: Display the information exchanged between peers.
Command Syntax: debug ip msdp
Command Mode: CONFIGURATION

Figure 31-33. Debugging MSDP
R1_E600(conf)#do debug ip msdp
All MSDP debugging has been turned on
R1_E600(conf)#03:16:08 : MSDP-0: Peer
03:16:09 : MSDP-0: Peer 192.168.0.3,
03:16:27 : MSDP-0: Peer 192.168.0.3,
03:16:38 : MSDP-0: Peer 192.168.0.3,
03:16:39 : MSDP-0: Peer 192.168.0.3,
03:17:09 : MSDP-0: Peer 192.168.0.3,
03:17:10 : MSDP-0: Peer 192.
MSDP with Anycast RP

(10.11.4.2, 239.0.0.1), uptime 00:00:52, expires 00:03:20, flags: FTA
Incoming interface: GigabitEthernet 2/1, RPF neighbor 0.0.0.0
Outgoing interface list:
GigabitEthernet 2/11 Forward/Sparse 00:00:50/00:02:40
GigabitEthernet 2/31 Forward/Sparse 00:00:50/00:02:40

Figure 31-34. (topology diagram labels: PC 2 Source; PC 3 Receiver; 4/1 R4 4/31; AS X; OSPF Area 0; BGP; 2/1; PIM, PIM+IGMP and OSPF link labels)

(*, 239.0.0.1), uptime 00:00:23, expires 00:00:00, RP 192.168.0.
Reducing Source-active Message Flooding
RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RPF rule. You can prevent this unnecessary flooding by creating a mesh-group. A mesh in this context is a topology in which each RP in a set of RPs has a peership with all other RPs in the set.
Figure 31-35. R1 Configuration for MSDP with Anycast RP
ip multicast-routing
!
interface GigabitEthernet 1/1
ip pim sparse-mode
ip address 10.11.3.1/24
no shutdown
!
interface GigabitEthernet 1/2
ip address 10.11.2.1/24
no shutdown
!
interface GigabitEthernet 1/21
ip pim sparse-mode
ip address 10.11.1.12/24
no shutdown
!
interface Loopback 0
ip pim sparse-mode
ip address 192.168.0.1/32
no shutdown
!
interface Loopback 1
ip address 192.168.0.11/32
no shutdown
!
router ospf 1
network 10.11.2.
Figure 31-36. R2 Configuration for MSDP with Anycast RP
ip multicast-routing
!
interface GigabitEthernet 2/1
ip pim sparse-mode
ip address 10.11.4.1/24
no shutdown
!
interface GigabitEthernet 2/11
ip pim sparse-mode
ip address 10.11.1.21/24
no shutdown
!
interface GigabitEthernet 2/31
ip pim sparse-mode
ip address 10.11.0.23/24
no shutdown
!
interface Loopback 0
ip pim sparse-mode
ip address 192.168.0.1/32
no shutdown
!
interface Loopback 1
ip address 192.168.0.
Figure 31-37. R3 Configuration for MSDP with Anycast RP
ip multicast-routing
!
interface GigabitEthernet 3/21
 ip pim sparse-mode
 ip address 10.11.0.32/24
 no shutdown
!
interface GigabitEthernet 3/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.
MSDP Sample Configurations
The following figures show the running-configurations for the routers shown in Figure 31-21, Figure 31-20, Figure 31-21, and Figure 31-22.
Figure 31-38. MSDP Sample Configuration: R1 Running-config
ip multicast-routing
!
interface GigabitEthernet 1/1
 ip pim sparse-mode
 ip address 10.11.3.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip address 10.11.2.
Figure 31-39. MSDP Sample Configuration: R2 Running-config
ip multicast-routing
!
interface GigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface GigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface GigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.
Figure 31-40. MSDP Sample Configuration: R3 Running-config
ip multicast-routing
!
interface GigabitEthernet 3/21
 ip pim sparse-mode
 ip address 10.11.0.32/24
 no shutdown
!
interface GigabitEthernet 3/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface ManagementEthernet 0/0
 ip address 10.11.80.3/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.
Figure 31-41. MSDP Sample Configuration: R4 Running-config
ip multicast-routing
!
interface GigabitEthernet 4/1
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
!
interface GigabitEthernet 4/22
 ip address 10.10.42.1/24
 no shutdown
!
interface GigabitEthernet 4/31
 ip pim sparse-mode
 ip address 10.11.6.43/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.4/32
 no shutdown
!
router ospf 1
 network 10.11.5.0/24 area 0
 network 10.11.6.0/24 area 0
 network 192.168.0.
32 Multiple Spanning Tree Protocol (MSTP)
Overview
Multiple spanning tree protocol (MSTP)—specified in IEEE 802.1Q-2003—is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on PVST+. MSTP allows multiple spanning tree instances and allows you to map many virtual local area networks (VLANs) to one spanning tree instance to reduce the total number of required instances. In contrast, per-VLAN spanning tree plus (PVST+) allows a spanning tree instance for each VLAN.
The Dell Networking operating software (FTOS) supports three other variations of Spanning Tree (Table 32-1).
Table 32-1. FTOS Supported Spanning Tree Protocols
Dell Networking Term: IEEE Specification
Spanning Tree Protocol: 802.1d
Rapid Spanning Tree Protocol: 802.1w
Multiple Spanning Tree Protocol: 802.1s
Per-VLAN Spanning Tree Plus: Third Party
Implementation Information
• The FTOS MSTP implementation is based on IEEE 802.
• Preventing Network Disruptions with BPDU Guard
• SNMP Traps for Root Elections and Topology Changes
Enable Multiple Spanning Tree Globally
MSTP is not enabled by default. To enable MSTP, follow these steps:
Step 1. Enter PROTOCOL MSTP mode. Command Syntax: protocol spanning-tree mstp. Command Mode: CONFIGURATION.
Step 2. Enable MSTP. Command Syntax: no disable. Command Mode: PROTOCOL MSTP.
To verify that MSTP is enabled, use the show config command from PROTOCOL MSTP mode (Figure 32-2).
Figure 32-2.
Figure 32-3. Mapping VLANs to MSTI Instances
FTOS(conf)#protocol spanning-tree mstp
FTOS(conf-mstp)#msti 1 vlan 100
FTOS(conf-mstp)#msti 2 vlan 200-300
FTOS(conf-mstp)#show config
!
protocol spanning-tree mstp
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200-300
All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view the instance to which a VLAN is mapped, use the show spanning-tree mst vlan command from EXEC Privilege mode.
To change the bridge priority, use the following command:
Task: Assign a number as the bridge priority. A lower number increases the probability that the bridge becomes the root bridge. Range: 0 to 61440, in increments of 4096. Default: 32768. Command Syntax: msti instance bridge-priority priority. Command Mode: PROTOCOL MSTP.
The simple configuration (Figure 32-1) by default yields the same forwarding path for both MSTIs.
To change the region name or revision, use the following commands:
Task: Change the region name. Command Syntax: name name. Command Mode: PROTOCOL MSTP.
Task: Change the region revision number. Range: 0 to 65535. Default: 0. Command Syntax: revision number. Command Mode: PROTOCOL MSTP.
To view the current region name and revision, use the show spanning-tree mst configuration command from EXEC Privilege mode (Figure 32-6).
Figure 32-6.
Task: Change the hello-time parameter. Note: With large configurations (especially those with more ports) Dell Networking recommends that you increase the hello-time. Range: 1 to 10. Default: 2 seconds. Command Syntax: hello-time seconds. Command Mode: PROTOCOL MSTP.
Task: Change the max-age parameter. Range: 6 to 40. Default: 20 seconds. Command Syntax: max-age seconds. Command Mode: PROTOCOL MSTP.
Task: Change the max-hops parameter.
Figure 32-8. BPDU Filtering enabled globally
Task: Enable BPDU Filter globally to filter transmission of BPDUs on port fast enabled interfaces. Command Syntax: edge-port bpdu filter default. Command Mode: PROTOCOL MSTP.
Modify Interface Parameters
You can adjust two interface parameters to increase or decrease the probability that a port becomes a forwarding port:
• Port cost is a value that is based on the interface type.
Table 32-2. MSTP Default Port Cost Values
Port Cost: Default Value
Port Channel with two 10-Gigabit Ethernet interfaces: 1800
Port Channel with two 40-Gigabit Ethernet interfaces: 600
To change the port cost or priority of an interface, use the following commands:
Task: Change the port cost of an interface. Range: 0 to 2000000. Default: refer to Table 32-2. Command Syntax: spanning-tree msti number cost cost. Command Mode: INTERFACE.
Task: Change the port priority of an interface.
To verify that EdgePort is enabled on a port, use the show config command from INTERFACE mode (Figure 32-9).
FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior:
1. If the interface to be shut down is a port channel, all the member ports are disabled in the hardware.
2. When a physical port is added to a port channel already in error disable state, the new member port is also disabled in the hardware.
Figure 32-10. MSTP with Three VLANs Mapped to Two Spanning Tree Instances (topology figure: R1 is root; routers R1, R2 and R3 with ports 1/2, 1/3, 2/1, 2/3, 3/1 and 3/2; links labelled Forwarding and Blocking)
Figure 32-11.
Figure 32-12.
Figure 32-13.
Figure 32-14.
Debugging and Verifying an MSTP Configuration
To display BPDUs, use the debug spanning-tree mstp bpdu command from EXEC Privilege mode (Figure 32-15). To display MSTP-triggered topology change messages, use the debug spanning-tree mstp events command.
Figure 32-15. Displaying BPDUs and Events
FTOS#debug spanning-tree mstp bpdu
1w1d17h : MSTP: Sending BPDU on TenGig 1/31 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x68
CIST Root Bridge Id: 32768:0001.e806.
• MSTP Instances.
• Use the show commands to verify the VLAN to MSTP instance mapping.
• Are there “extra” MSTP Instances in the Sending or Received logs? That may mean that an additional MSTP instance was configured on one router but not the others.
Figure 32-16.
Figure 32-18. Displaying BPDUs and Events - Debug Log of Unsuccessful MSTP Configuration
4w0d4h : MSTP: Received BPDU on TenGig 2/21 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x78  Different Region
CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0
Regional Bridge Id: 32768:0001.e806.953e, CIST Port Id: 128:470
Msg Age: 0, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver
Name: Tahiti, Rev: 123, Int Root Path Cost: 0
Rem Hops: 20, Bridge Id: 32768:0001.e8d5.
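An added example, not from the guide, that runs the two checks this section suggests for the debug output (a peer flagged Different Region or carrying a different Name/Rev, and "extra" MSTIs not mapped locally) over constructed log lines modelled on Figure 32-15 and Figure 32-18; the "MSTI n Root:" fields are an assumed layout, not FTOS's exact format.

```python
# Added example (not from the Dell guide): scan "debug spanning-tree mstp bpdu"
# output for the two misconfiguration signs the text describes: a peer in a
# different MSTP region, and extra MSTIs the local bridge does not carry.
# SAMPLE_LOG is constructed and modelled on the guide's debug lines; the
# "MSTI n Root:" fields are an assumed layout, not FTOS's exact format.
import re

SAMPLE_LOG = """\
1w1d17h : MSTP: Sending BPDU on TenGig 1/31 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x68 Name: Tahiti, Rev: 123, MSTI 1 Root: 32769:0001.e806.953e, MSTI 2 Root: 32770:0001.e806.953e
1w1d17h : MSTP: Received BPDU on TenGig 1/31 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x78 Name: Tahiti, Rev: 123, MSTI 1 Root: 32769:0001.e806.953e, MSTI 2 Root: 32770:0001.e806.953e
4w0d4h : MSTP: Received BPDU on TenGig 2/21 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x78Different Region Name: Tahiti, Rev: 124, MSTI 1 Root: 32769:0001.e8d5.5a2b
4w0d4h : MSTP: Received BPDU on TenGig 2/22 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x78 Name: Tahiti, Rev: 123, MSTI 1 Root: 32769:0001.e806.953e, MSTI 2 Root: 32770:0001.e806.953e, MSTI 3 Root: 32771:0001.e806.953e
"""

LINE_RE = re.compile(
    r"MSTP: (?P<dir>Sending|Received) BPDU on (?P<intf>.+?) :"
    r".*Name: (?P<name>[^,]+), Rev: (?P<rev>\d+)")


def parse_bpdu_line(line: str):
    """Pull direction, interface, region name/revision, the 'Different Region'
    marker and the MSTI numbers out of one debug line (None if not a BPDU line)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "direction": m.group("dir"),
        "intf": m.group("intf"),
        "name": m.group("name").strip(),
        "rev": int(m.group("rev")),
        "different_region": "Different Region" in line,
        "mstis": {int(n) for n in re.findall(r"MSTI (\d+)", line)},
    }


def analyze_mstp_log(log: str) -> dict:
    """Use the Sending lines as the local region/MSTI baseline, then compare
    every Received BPDU against it and report region or MSTI disagreements."""
    records = [r for r in map(parse_bpdu_line, log.splitlines()) if r]
    sent = [r for r in records if r["direction"] == "Sending"]
    if not sent:
        raise ValueError("no Sending BPDU lines: local region unknown")
    local_name, local_rev = sent[0]["name"], sent[0]["rev"]
    local_mstis = set().union(*(r["mstis"] for r in sent))
    findings = []
    for r in records:
        if r["direction"] != "Received":
            continue
        if r["different_region"] or (r["name"], r["rev"]) != (local_name, local_rev):
            findings.append({"intf": r["intf"], "issue": "region_mismatch",
                             "detail": f"peer {r['name']}/{r['rev']} vs local {local_name}/{local_rev}"})
        extra = r["mstis"] - local_mstis
        if extra:
            findings.append({"intf": r["intf"], "issue": "extra_msti",
                             "detail": f"peer advertises MSTI {sorted(extra)} not mapped locally"})
    return {"local": (local_name, local_rev, local_mstis), "findings": findings}


if __name__ == "__main__":
    for f in analyze_mstp_log(SAMPLE_LOG)["findings"]:
        print(f"{f['intf']}: {f['issue']} ({f['detail']})")
```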
33 Multicast Features
Multicast Features are supported on the MXL switch.
Figure 33-1. Multicast with ECMP (topology figure: Source, Receiver, RP; ports Gig A, Gig B, Gig W, Gig X, Gig Y and Gig Z; IGMP Joins for G1, G2 and G3; Route 1 and Route 2)
IGMP Group Table
Group Address: Interface
Group 1: GigabitEthernet Y
Group 2: GigabitEthernet X
Group 3: GigabitEthernet X
In Figure 33-1, the receiver joins three groups.
Therefore, do not use well-known protocol multicast addresses for data transmission, such as the following.
Protocol: Ethernet Address
OSPF: 01:00:5e:00:00:05, 01:00:5e:00:00:06
RIP: 01:00:5e:00:00:09
NTP: 01:00:5e:00:01:01
VRRP: 01:00:5e:00:00:12
PIM-SM: 01:00:5e:00:00:0d
The FTOS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm. Multicast is not supported on secondary IP addresses.
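As an added example (not part of the Dell guide), the following Python computes the Ethernet MAC an IPv4 group maps to and checks it against the protocol addresses listed above; the 01:00:5e plus low-23-bit mapping is the standard IPv4 rule, the RESERVED_MACS table is the guide's, and the sample groups are constructed.

```python
# Added example (not from the Dell guide): derive the Ethernet MAC that an
# IPv4 multicast group maps to and flag collisions with the well-known
# protocol addresses in the table above. The 01:00:5e + low-23-bit mapping
# is the standard IPv4-to-MAC rule; the RESERVED_MACS table is the guide's.
import ipaddress

RESERVED_MACS = {
    "01:00:5e:00:00:05": "OSPF",
    "01:00:5e:00:00:06": "OSPF",
    "01:00:5e:00:00:09": "RIP",
    "01:00:5e:00:01:01": "NTP",
    "01:00:5e:00:00:12": "VRRP",
    "01:00:5e:00:00:0d": "PIM-SM",
}


def group_to_mac(group: str) -> str:
    """Ethernet MAC for an IPv4 multicast group: 01:00:5e followed by the
    low 23 bits of the address. The 5 bits after the 1110 prefix are
    dropped, so 32 different groups share every MAC."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    octets = (0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return ":".join(f"{o:02x}" for o in octets)


def aliases_of(group: str) -> list:
    """All 32 IPv4 groups that collapse onto the same MAC as `group`."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23))
            for i in range(32)]


def check_group(group: str):
    """Return (mac, protocol): protocol names the control protocol whose
    frames share this group's MAC, or is None if the MAC is clear."""
    mac = group_to_mac(group)
    return mac, RESERVED_MACS.get(mac)


def audit_groups(groups) -> dict:
    """Map each offending group to 'mac (protocol)'; clean groups are omitted.
    For example 239.0.0.5 lands on the OSPF MAC 01:00:5e:00:00:05."""
    report = {}
    for g in groups:
        mac, proto = check_group(g)
        if proto:
            report[g] = f"{mac} ({proto})"
    return report


if __name__ == "__main__":
    # Constructed sample of candidate data groups for a deployment review.
    for g, why in audit_groups(["239.0.0.1", "239.0.0.5", "230.0.1.1", "239.1.1.1"]).items():
        print(f"{g} collides with {why}")
```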
IPv4 Multicast Policies
• Limiting the Number of Multicast Routes
• Preventing a Host from Joining a Group
• Rate Limiting IGMP Join Requests
• Preventing a PIM Router from Forming an Adjacency
• Preventing a Source from Registering with the RP
• Preventing a PIM Router from Processing a Join
Limiting the Number of Multicast Routes
Task: Limit the total number of multicast routes on the system.
Preventing a Host from Joining a Group You can prevent a host from joining a particular group by blocking specific IGMP reports. Create an extended access list containing the permissible source-group pairs. Note: For rules in IGMP access lists, source is the multicast source, not the source of the IGMP packet. For IGMPv2, use the keyword any for source (as shown in Figure 33-2), since IGMPv2 hosts do not know in advance who the source is for the group in which they are interested.
ip igmp snooping enable
interface Vlan 400
 ip pim sparse-mode
 ip address 10.11.4.1/24
 untagged GigabitEthernet 1/2
 ip igmp access-group igmpjoinfilR2G2
 no shutdown
(*, 239.0.0.1), uptime 00:00:06, expires 00:00:00, RP 10.11.12.2, flags: SCJ
  Incoming interface: GigabitEthernet 1/21, RPF neighbor 10.11.12.
Rate Limiting IGMP Join Requests
If you expect a burst of IGMP Joins, protect the IGMP process from overload by limiting the rate at which new groups can be joined. Hosts whose IGMP requests are denied will use the retry mechanism built into IGMP so that their membership is delayed rather than permanently denied.
Task: Limit the rate at which new groups can be joined.
(10.11.5.2, 239.0.0.2), uptime 00:00:33, expires 00:03:07, flags: CT
  Incoming interface: GigabitEthernet 1/31, RPF neighbor 10.11.13.2
  Outgoing interface list:
    Vlan 300 Forward/Sparse 00:00:40/Never
(*, 239.0.0.2), uptime 00:00:40, expires 00:00:00, RP 10.11.12.2, flags: SCJ
  Incoming interface: GigabitEthernet 1/21, RPF neighbor 10.11.12.2
  Outgoing interface list:
    Vlan 300 Forward/Sparse 00:00:40/Never
(10.11.5.2, 239.0.0.
Preventing a PIM Router from Processing a Join To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command. Note: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
34 Open Shortest Path First (OSPFv2 and OSPFv3)
Open shortest path first version 2 (OSPFv2 for IPv4) and OSPF version 3 (OSPFv3 for IPv6) are supported on the MXL Switch platform. This chapter provides a general description of OSPFv2 and OSPFv3 as supported in the Dell Networking operating system (FTOS). Note: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
The largest entity within the hierarchy is the AS, which is a collection of networks under a common administration that share a common routing strategy. OSPF is an intra-AS (interior gateway) routing protocol, although it is capable of receiving routes from and sending routes to other ASs. You can divide an AS into a number of areas, which are groups of contiguous networks and attached hosts. Routers with multiple interfaces can participate in multiple areas.
All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a non-backbone area and function as if they were direct links. An OSPF backbone is responsible for distributing routing information between areas.
The following example shows different router designations.
Figure 34-2.
Backbone Router (BR) A BR is part of the OSPF backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an ABR connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
Each router exchanges information with the DR and BDR. The DR and BDR relay the information to the other routers. On broadcast network segments, the number of OSPF packets is further reduced by the DR and BDR sending such OSPF updates to a multicast IP address that all OSPF routers on the network segment are listening on. These router designations are not the same as the router IDs described earlier. The DR and BDR are configurable in FTOS.
• Type 11 - Grace LSA (OSPFv3) For OSPFv3 only, this LSA is a link-local “opaque” LSA sent by a restarting OSPFv3 router during a graceful restart. For all LSA types, there are 20-byte LSA headers. One of the fields of the LSA header is the link-state ID. Each router link is defined as one of four types: type 1, 2, 3, or 4. The LSA includes a link ID field that identifies, by the network number and mask, the object to which this link connects. Depending on the type, the link ID has different meanings.
The two endpoints of a virtual link are ABRs, and you must configure the virtual link in both routers. The common non-backbone area to which the two routers belong is called a transit area. A virtual link specifies the transit area and the router ID of the other virtual endpoint (the other ABR). Note: You cannot configure a virtual link through a stub area or NSSA.
Router Priority and Cost
Router priority and cost is the method the system uses to “rate” the routers.
OSPF with FTOS FTOS supports up to 10,000 OSPF routes for OSPFv2. Within that 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 designated as inter/intra area routes. FTOS version 7.8.1.0 and later supports multiple OSPF processes (OSPF MP). The MXL Switch supports up to 16 processes simultaneously. On OSPFv3, FTOS supports only one process at a time for all platforms. Prior to FTOS version 7.8.1.0, FTOS supported one OSPFv2 and one OSPFv3 process ID per system.
• An OSPFv2 router sends Type 9 LSAs.
• An OSPFv3 router sends Type 11 LSAs.
Type 9 and 11 LSAs include a grace period, which is the time period an OSPF router advertises to adjacent neighbor routers as the time to wait for it to return to full control plane functionality. During the grace period, neighbor OSPFv2/v3 interfaces save the LSAs from the restarting OSPF interface.
FTOS allows you to accept and originate LSAs as soon as they are available to speed up route information propagation. Note: The faster the convergence, the more frequent the route calculations and updates. This impacts CPU utilization and may impact adjacency stability in larger topologies. Multi-Process OSPF (OSPFv2, IPv4 only) Multi-process OSPF is supported on OSPFv2 with IPv4 only. Multi-process OSPF allows multiple OSPFv2 processes on a single router.
Enabling RFC 2328 Compliant OSPF Flooding
To enable OSPF flooding, use the following command. When you enable this command, it configures FTOS to flood LSAs on all interfaces.
• Enable RFC 2328 flooding. Command Mode: ROUTER OSPF. Command Syntax: flood-2328.
To confirm RFC 2328 flooding behavior, use the debug ip ospf packet command. The following example shows no changes in the updated packets (shown in bold). ACKs 2 (shown in bold) is printed only for ACK packets.
Figure 34-4.
OSPF ACK Packing The OSPF ACK Packing feature bundles multiple LS acknowledgments in a single packet, significantly reducing the number of ACK packets transmitted when the number of LSAs increases. This feature also enhances network utilization and reduces the number of small ACK packets sent to a neighboring router. OSPF ACK packing is enabled by default and is non-configurable.
Configuration Information
The interfaces must be in Layer 3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode. OSPF features and functions are assigned to each router using the CONFIG-INTERFACE commands for each interface.
Enabling OSPFv2 To enable Layer 3 routing, assign an IP address to an interface (physical or loopback). By default, OSPF, similar to all routing protocols, is disabled. You must configure at least one interface for Layer 3 before enabling OSPFv2 globally. If implementing multi-process OSPF, you must create an equal number of Layer 3-enabled interfaces and OSPF process IDs. For example, if you create 4 OSPFv2 process IDs, you must have four interfaces with Layer 3 enabled.
The router ID is not required to be the router’s IP address. However, Dell Networking recommends using the IP address as the router ID for easier management and troubleshooting. Optional process-id commands are also described.
Command Syntax: router-id ip address. Command Mode: CONFIG-ROUTER-OSPF-id. Usage: Assign the Router ID for the OSPFv2 process. IP Address: A.B.C.D.
To disable OSPF, use the no router ospf process-id command in CONFIGURATION mode.
To enable the OSPF process, return to CONFIGURATION mode. The OSPF process ID is the identifying number assigned to the OSPF process. The Router ID is the IP address associated with the OSPF process.
Command Syntax: router ospf process-id [vrf]. Command Mode: CONFIGURATION. Usage: Enable the OSPFv2 process globally. The range is from 0 to 65535. After the OSPF process and the VRF are tied together, the OSPF process ID cannot be used again in the system.
Enabling OSPFv2 on Interfaces
Enable and configure OSPFv2 on each interface: the interface must be configured for Layer 3 and must not be shut down. You can also assign OSPFv2 to a loopback interface as a virtual interface. OSPF functions and features, such as MD5 Authentication, Grace Period, and Authentication Wait Time, are assigned on a per interface basis.
Note: If using features like MD5 Authentication, ensure all the neighboring routers are also configured for MD5.
Figure 34-10. Example of Viewing Active Interfaces and Assigned Areas
FTOS>show ip ospf 1 interface
TenGigabitEthernet 12/17 is up, line protocol is up
  Internet Address 10.2.2.1/24, Area 0.0.0.0
  Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 11.1.2.1, Interface address 10.2.2.1
  Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
To ensure connectivity in your OSPFv2 network, never configure the backbone area as a stub area. To configure a stub area, use the following commands.
Step 1. Command Syntax: show ip ospf process-id database database-summary. Command Mode: EXEC Privilege. Usage: Review all areas after they were configured to determine which areas are NOT receiving Type 5 LSAs.
Step 2. Command Syntax: configure. Command Mode: EXEC Privilege. Usage: Enter CONFIGURATION mode.
Configure LSA throttling timers
Configured LSA timers replace the standard transmit and acceptance times for the LSAs. The LSA throttling timers are configured in milliseconds, with the interval time increasing exponentially until a maximum time has been reached. Once the maximum time is reached, the system continues to transmit at the maximum interval. If the system is stable for twice the maximum interval time, the system reverts to the start interval timer and the cycle begins again.
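The timer behaviour just described, modelled as an added example (not FTOS code): start_ms and max_ms are assumed parameter names, the doubling-from-start rule takes the description above literally, and the burst of change times is constructed.

```python
# Added example (not from the Dell guide): a model of the LSA throttling
# behaviour described above. Changes that arrive while an origination is
# pending are coalesced into it; each successive origination waits twice as
# long as the previous one, capped at max_ms; after 2 * max_ms of stability
# the wait drops back to start_ms. Times are milliseconds. This illustrates
# the description, not FTOS's internal scheduler.


def throttle_schedule(change_times_ms, start_ms, max_ms):
    """Return one record per LSA origination: the change that triggered it,
    the time it fires, and the wait that was applied. start_ms must be
    positive so that doubling makes progress towards max_ms."""
    if start_ms <= 0 or max_ms < start_ms:
        raise ValueError("need 0 < start_ms <= max_ms")
    wait, last_fire, pending, schedule = start_ms, None, None, []
    for t in sorted(change_times_ms):
        if pending is not None and t < pending:
            continue                         # folded into the pending origination
        stable = last_fire is None or t - last_fire >= 2 * max_ms
        if stable:
            wait = start_ms                  # quiet for 2 * max: cycle restarts
            fire = t + start_ms
        else:
            fire = max(t, last_fire + wait)  # back-off counted from the last origination
        schedule.append({"change": t, "fire": fire, "wait": wait})
        pending = last_fire = fire
        wait = min(wait * 2, max_ms)         # exponential growth, capped at max_ms
    return schedule


def origination_times(change_times_ms, start_ms, max_ms):
    """Just the fire times, in order."""
    return [rec["fire"] for rec in throttle_schedule(change_times_ms, start_ms, max_ms)]


if __name__ == "__main__":
    # Constructed burst of topology changes followed by a quiet period:
    # the change at 50 ms is absorbed, then the gaps grow 200, 400, 800 ms,
    # and the change at 3500 ms starts a fresh cycle at start_ms again.
    for rec in throttle_schedule([0, 50, 150, 400, 700, 3500], start_ms=100, max_ms=1000):
        print(rec)
```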
To suppress an interface’s participation in OSPF, use the following command. This command stops the router from sending updates on that interface.
Command Syntax: passive-interface {default | interface}. Command Mode: CONFIG-ROUTER-OSPF-id. Usage: Specify whether all or some of the interfaces are passive. Entering the physical interface type, slot, and number enables passive interface on only the identified interface.
Figure 34-13. Example of Viewing Passive Interfaces
FTOS#show ip ospf 34 int
TenGigabitEthernet 0/0 is up, line protocol is down
  Internet Address 10.1.2.100/24, Area 1.1.1.1
  Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DOWN, Priority 1
  Designated Router (ID) 10.1.2.100, Interface address 0.0.0.0
  Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
Note: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements. Higher convergence levels should only be selected following consultation with Dell Technical Support. In the examples below, Convergence Level shows the fast-converge parameter settings and Min LSA origination shows the LSA parameter settings (shown in bold).
Figure 34-14.
To change OSPFv2 parameters on the interfaces, use any or all of the following commands.
Command Syntax: ip ospf cost. Command Mode: CONFIG-INTERFACE. Usage: Change the cost associated with OSPF traffic on the interface. cost: The range is from 1 to 65535 (the default depends on the interface speed).
Command Syntax: ip ospf dead-interval seconds. Command Mode: CONFIG-INTERFACE. Usage: Change the time interval the router waits before declaring a neighbor dead. seconds: The range is from 1 to 65535 (the default is 40 seconds).
To view interface configurations, use the show config command. To view the interface status in the OSPF process, use the show ip ospf interface command. The bold lines in the example below show the change on the interface. The change is reflected in the OSPF configuration.
Figure 34-16. Example of Changing and Verifying the cost Parameter and Viewing Interface Status
FTOS(conf-if)#ip ospf cost 45
FTOS(conf-if)#show config
!
interface TenGigabitEthernet 0/0
 ip address 10.1.
Enabling OSPFv2 Graceful Restart
Graceful restart is enabled for the global OSPF process. For more information, refer to Graceful Restart. The Dell Networking implementation of OSPFv2 graceful restart enables you to specify:
• grace period — the length of time the graceful restart process can last before OSPF terminates it.
• helper-reject neighbors — the router ID of each restart router that does not receive assistance from the configured router.
For more information about OSPF graceful restart, refer to the FTOS Command Line Reference Guide. When you configure a graceful restart on an OSPFv2 router, the show run ospf command displays information similar to the following.
Figure 35. Example of the show run ospf Command
FTOS#show run ospf
!
router ospf 1
 graceful-restart grace-period 300
 graceful-restart role helper-only
 graceful-restart mode unplanned-only
 graceful-restart helper-reject 10.1.1.
To configure virtual links, use the following command.
Command Syntax: area area-id virtual-link router-id [hello-interval seconds | retransmit-interval seconds | transmit-delay seconds | dead-interval seconds | authentication-key key | message-digest-key keyid md5 key]. Command Mode: CONFIG-ROUTER-OSPF-id. Usage: Configure the optional parameters of a virtual link.
• area ID: assigned earlier (the range is from 0 to 65535 or A.B.C.D).
• router ID: IP address associated with the virtual link neighbor.
Command Syntax: seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]. Command Mode: CONFIG-PREFIX LIST. Usage: Create a prefix list with a sequence number and a deny or permit action. The optional parameters are:
ge min-prefix-length: the minimum prefix length to be matched (from 0 to 32).
le max-prefix-length: the maximum prefix length to be matched (from 0 to 32).
Redistributing Routes
You can add routes from other routing instances or protocols to the OSPF process. With the redistribute command, you can include routing information protocol (RIP), static, or directly connected routes in the OSPF process. Note: Do not route iBGP routes to OSPF unless there are route-maps associated with the OSPF redistribution. To redistribute routes, use the following command.
Troubleshooting OSPFv2
FTOS has several tools to make troubleshooting easier. Be sure to check the following, as these are typical issues that interrupt an OSPFv2 process. Note: This is not a comprehensive list, just some examples of typical troubleshooting checks.
Command Syntax: debug ip ospf process-id [event | packet | spf | database-timers rate-limit]. Command Mode: EXEC Privilege. Usage: View debug messages.
To view debug messages for a specific OSPF process ID, use the debug ip ospf process-id command. If you do not enter a process ID, the command applies to the first OSPF process. To view debug messages for a specific operation, enter one of the optional keywords:
• event: view OSPF event messages.
• packet: view OSPF packet information.
Basic OSPFv2 Router Topology
The following illustration is a sample basic OSPFv2 topology.
Figure 34-4. Basic Topology for OSPFv2
OSPF Area 0 — Gi 1/1 and 1/2
router ospf 11111
 network 10.0.11.0/24 area 0
 network 10.0.12.0/24 area 0
 network 192.168.100.0/24 area 0
!
interface GigabitEthernet 1/1
 ip address 10.1.11.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.
OSPF Area 0 — Gi 3/1 and 3/2
router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.0/24 area 0
 network 10.0.23.0/24 area 0
!
interface Loopback 30
 ip address 192.168.100.100/24
 no shutdown
!
interface GigabitEthernet 3/1
 ip address 10.1.13.3/24
 no shutdown
!
interface GigabitEthernet 3/2
 ip address 10.2.13.3/24
 no shutdown
OSPF Area 0 — Gi 2/1 and 2/2
router ospf 22222
 network 192.168.100.0/24 area 0
 network 10.2.21.0/24 area 0
 network 10.2.22.0/24 area 0
!
interface Loopback 20
 ip address 192.
The OSPFv3 ipv6 ospf area command enables OSPFv3 on the interface and places the interface in an area. With OSPFv2, two commands are required to accomplish the same tasks — the router ospf command to create the OSPF process, then the network area command to enable OSPF on an interface. Note: The OSPFv2 network area command enables OSPF on multiple interfaces with the single command. Use the OSPFv3 ipv6 ospf area command on each interface that runs OSPFv3.
The ipv6 ospf area command enables OSPFv3 on an interface and places the interface in the specified area. Additionally, the command creates the OSPFv3 process with ID on the router. OSPFv2 requires two commands to accomplish the same tasks — the router ospf command to create the OSPF process, then the network area command to enable OSPFv2 on an interface. Note: The OSPFv2 network area command enables OSPFv2 on multiple interfaces with the single command.
Configuring Stub Areas
To configure IPv6 stub areas, use the following command.
Command Syntax: area area-id stub. Command Mode: CONF-IPV6-ROUTER-OSPF. Usage: Configure the area as a stub area.
• no-summary: use these keywords to prevent transmission into the area of summary ASBR LSAs.
• area id: a number or IP address assigned when creating the area. You can represent the area ID as a number from 0 to 65536 if you assign a dotted decimal format rather than an IP address.
Redistributing Routes You can add routes from other routing instances or protocols to the OSPFv3 process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process. Route redistribution is also supported between OSPF Routing process IDs. To add redistributing routes, use the following command.
Enabling OSPFv3 Graceful Restart
Graceful restart for OSPFv3 is supported on the MXL Switch platform. For more information about graceful restart, refer to Graceful Restart. By default, OSPFv3 graceful restart is disabled and functions only in a helper role to help restarting neighbor routers in their graceful restarts when it receives a Grace LSA. To enable OSPFv3 graceful restart, enter the ipv6 router ospf process-id command to enter OSPFv3 configuration mode.
Command Syntax: graceful-restart mode [planned-only | unplanned-only]. Command Mode: CONF-IPV6-ROUTER-OSPF. Usage: Specify the operating mode and type of events that trigger a graceful restart. Planned-only: the OSPFv3 router supports graceful restart only for planned restarts. A planned restart is when you manually enter a redundancy force-failover rpm command to force the primary RPM over to the secondary RPM.
Figure 34-5. Example of the show run ospf Command
FTOS#show run ospf
!
router ospf 1
 router-id 200.1.1.1
 log-adjacency-changes
 graceful-restart grace-period 180
 network 20.1.1.0/24 area 0
 network 30.1.1.0/24 area 0
!
ipv6 router ospf 1
 log-adjacency-changes
 graceful-restart grace-period 180
Figure 34-6. Example of the show ipv6 ospf database database-summary Command
FTOS#show ipv6 ospf database database-summary
!
OSPFv3 Router with ID (200.1.1.
Figure 35. Example of the show ipv6 ospf database grace-lsa Command
FTOS#show ipv6 ospf database grace-lsa
!
Type-11 Grace LSA (Area 0)
LS Age : 10
Link State ID : 6.16.192.66
Advertising Router : 100.1.1.1
LS Seq Number : 0x80000001
Checksum : 0x1DF1
Length : 36
Associated Interface : Gi 5/3
Restart Interval : 180
Restart Reason : Switch to Redundant Processor
OSPFv3 Authentication Using IPsec
OSPFv3 authentication using IP security (IPsec) is supported on the MXL Switch platform.
• ESP — encapsulating security payload encapsulates data, enabling the protection of data that follows in the datagram. ESP provides authentication and confidentiality of every packet. The ESP extension header is designed to provide a combination of security services for both IPv4 and IPv6. In Transport mode, the ESP header is inserted after the IP header and before the next layer protocol header.
• IPsec security associations (SAs) are supported only in Transport mode (Tunnel mode is not supported).
• ESP with null encryption is supported for authenticating only OSPFv3 protocol headers.
• ESP with non-null encryption is supported for full confidentiality.
• 3DES, DES, AES-CBC, and NULL encryption algorithms are supported; encrypted and unencrypted keys are supported.
Note: To encrypt all keys on a router, use the service password-encryption command in Global Configuration mode.
The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. Configure the same authentication policy (the same SPI and key) on each OSPFv3 interface in a link.
Command Syntax: ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} [key-encryption-type] key}
Command Mode: INTERFACE
Usage: Enable IPsec authentication for OSPFv3 packets on an IPv6-based interface.
Configuring IPsec Encryption on an Interface To configure, remove, or display IPsec encryption on an interface, use the following commands. Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv2 (OSPF for IPv4)).
The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. Configure the same authentication policy (the same SPI and key) on each OSPFv3 interface in a link.
Command Syntax: show crypto ipsec sa ipv6
Usage: Display the security associations set up for OSPFv3 interfaces in encryption policies.

Configuring IPSec Authentication for an OSPFv3 Area
To configure, remove, or display IPSec authentication for an OSPFv3 area, use the following commands. Prerequisite: Before you enable IPsec authentication on an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
Command Syntax: show crypto ipsec policy
Usage: Display the configuration of IPSec authentication policies on the router.

Configuring IPsec Encryption for an OSPFv3 Area
To configure, remove, or display IPsec encryption in an OSPFv3 area, use the following commands. Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
The configuration of IPsec encryption at the interface level takes precedence over an area-level configuration. If you remove an interface configuration, an area encryption policy that has been configured is applied to the interface.
Command Syntax: area area-id encryption ipsec spi number esp encryption-algorithm [key-encryption-type] key authentication-algorithm [key-authentication-type] key
Command Mode: CONF-IPV6-ROUTER-OSPF
Usage: Enable IPsec encryption for OSPFv3 packets in an area.
Displaying OSPFv3 IPsec Security Policies
To display the configuration of IPsec authentication and encryption policies, use the following commands.
Command Syntax: show crypto ipsec policy [name name]
Command Mode: EXEC Privilege
Usage: Display the AH and ESP parameters configured in IPsec security policies, including the SPI number, key, and algorithms used.
• name: displays configuration details about a specified policy.
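The three policy rules stated in this section (an SPI belongs to one policy per router, both ends of a link carry the same policy, and an interface policy overrides the area policy) are easy to get wrong across many interfaces. The following added example, which is not from the Dell guide or FTOS, models those rules so a configuration can be checked before it is applied; router names, interfaces, areas, SPIs and keys are constructed samples.

```python
"""Added example (not from the Dell guide or FTOS): a small model of the
OSPFv3 IPsec policy rules stated above, used to check a configuration before
it is pushed. Rules modelled: an SPI is unique to one policy on a router;
both OSPFv3 interfaces on a link carry the same policy (SPI, algorithm, key);
an interface-level policy overrides the area-level policy and, once removed,
the area policy applies again. Router names, interfaces, areas, SPIs and keys
are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class IpsecPolicy:
    kind: str        # "authentication" (AH) or "encryption" (ESP)
    spi: int         # security parameter index, as given on the CLI
    algorithm: str   # MD5 / SHA1 for authentication, ESP cipher for encryption
    key: str         # hex key as typed on the CLI (constructed sample)


@dataclass
class Router:
    name: str
    interface_area: Dict[str, str]                  # interface -> OSPFv3 area-id
    area_policies: Dict[str, IpsecPolicy] = field(default_factory=dict)
    interface_policies: Dict[str, IpsecPolicy] = field(default_factory=dict)

    def effective_policy(self, interface: str) -> Optional[IpsecPolicy]:
        """Interface-level policy takes precedence; otherwise the area policy applies."""
        if interface in self.interface_policies:
            return self.interface_policies[interface]
        return self.area_policies.get(self.interface_area.get(interface, ""))

    def spi_conflicts(self) -> List[int]:
        """SPI values that two different policies on this router both claim."""
        by_spi: Dict[int, Set[IpsecPolicy]] = {}
        for pol in list(self.area_policies.values()) + list(self.interface_policies.values()):
            by_spi.setdefault(pol.spi, set()).add(pol)
        return sorted(spi for spi, pols in by_spi.items() if len(pols) > 1)


def check_link(a: Router, a_if: str, b: Router, b_if: str) -> List[str]:
    """Explain why OSPFv3 on the link a:a_if <-> b:b_if is not protected consistently."""
    pa, pb = a.effective_policy(a_if), b.effective_policy(b_if)
    if pa is None and pb is None:
        return []                                   # plain OSPFv3, nothing to compare
    if pa is None or pb is None:
        unprotected = b.name if pa else a.name
        return [f"{unprotected} has no IPsec policy on its end of the link"]
    if pa != pb:
        return [f"policy mismatch: {a.name} uses {pa.kind} spi {pa.spi} {pa.algorithm}, "
                f"{b.name} uses {pb.kind} spi {pb.spi} {pb.algorithm}"]
    return []


# Constructed sample policies (keys are placeholders, not real key material).
AUTH_SHA1 = IpsecPolicy("authentication", 400, "SHA1", "0123456789abcdef0123456789abcdef01234567")
ENC_AES = IpsecPolicy("encryption", 401, "AES-CBC", "00112233445566778899aabbccddeeff")


def demo() -> Dict[str, object]:
    r1 = Router("R1", {"Te 0/1": "0", "Te 0/2": "0"}, area_policies={"0": AUTH_SHA1})
    r2 = Router("R2", {"Te 0/1": "0"}, area_policies={"0": AUTH_SHA1})
    out: Dict[str, object] = {}
    out["area_only"] = check_link(r1, "Te 0/1", r2, "Te 0/1")       # both inherit the area policy
    r1.interface_policies["Te 0/1"] = ENC_AES                       # interface policy overrides area
    out["override"] = check_link(r1, "Te 0/1", r2, "Te 0/1")        # R2 still runs the area policy
    out["spi_ok"] = r1.spi_conflicts()
    # A second authentication policy re-using SPI 400 with another key: not allowed.
    r1.interface_policies["Te 0/2"] = IpsecPolicy("authentication", 400, "MD5", "fedcba9876543210fedcba9876543210")
    out["spi_conflict"] = r1.spi_conflicts()
    del r1.interface_policies["Te 0/1"]                             # remove the interface policy ...
    out["after_removal"] = r1.effective_policy("Te 0/1") == AUTH_SHA1  # ... the area policy applies again
    return out
```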
• Is the OSPF process active on the interface?
• Are the adjacencies established correctly?
• Did you configure the interfaces for Layer 3 correctly?
• Is the router in the correct area type?
• Did you include the routes in the OSPF database?
• Did you include the OSPF routes in the routing table (not just the OSPF database)?
Some useful troubleshooting commands are:
• show ipv6 interfaces
• show ipv6 protocols
• debug ipv6 ospf events and/or packets
• show ipv6 neighbors
• show virtual links
• show ipv6
35 PIM Sparse-Mode (PIM-SM)
Protocol-independent multicast sparse mode (PIM-SM) is supported on the MXL Switch platform. PIM-SM is a multicast protocol that forwards multicast traffic to a subnet only upon request using a PIM Join message; this behavior is the opposite of PIM-Dense Mode, which forwards multicast traffic to all subnets until it receives a request to stop.
The gateway router is then responsible for joining the shared tree to the RP (RPT) so that the host can receive the requested traffic.
1. After receiving an IGMP Join message, the receiver gateway router (last-hop DR) creates a (*,G) entry in its multicast routing table for the requested group. The interface on which the join message was received becomes the outgoing interface associated with the (*,G) entry.
2. The last-hop DR sends a PIM Join message to the RP.
After receiving the first multicast packet from a particular source, the last-hop DR sends a PIM Join message to the source to create an SPT to it.
4. There are then two paths between the receiver and the source, a direct SPT and an RPT.
Enabling PIM-SM
You must enable PIM-SM on each participating interface:
Step 1: Enable multicast routing on the system. Command: ip multicast-routing. Command Mode: CONFIGURATION
Step 2: Enable PIM-Sparse Mode. Command: ip pim sparse-mode. Command Mode: INTERFACE
To display which interfaces are enabled with PIM-SM, use the command show ip pim interface from EXEC Privilege mode.
Figure 35-1. Viewing PIM-SM Enabled Interfaces
FTOS#show ip pim interface
Address Interface VIFindex Ver/ Mode
189.87.
Figure 35-3. Viewing the PIM Multicast Routing Table
FTOS#show ip pim tib
PIM Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned,
       R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT,
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode

(*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.6, flags: SCJ
  Incoming interface: GigabitEthernet 4/12, RPF neighbor 10.87.3.
Task: Set the expiry time for a specific (S,G) entry. The range is from 211 to 86,400 seconds. The default is 210 seconds.
Command: ip pim sparse-mode sg-expiry-timer seconds sg-list access-list-name
Command Mode: CONFIGURATION
Note: The expiry time configuration is nullified, and the default global expiry time is used if:
• an ACL is specified in the ip pim sparse-mode sg-expiry-timer command, but the ACL has not been created or is a standard ACL.
Overriding Bootstrap Router Updates PIM-SM routers must know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group. If you do not use the override option with the following command, the RPs advertised in the BSR updates take precedence over any statically configured RPs.
• Display the current value of these parameters. Use the show ip pim interface command from EXEC Privilege mode.
Creating Multicast Boundaries and Domains
A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the internet.
36 PIM Source-Specific Mode (PIM-SSM)
PIM Source-Specific Mode (PIM-SSM) is supported on the MXL Switch platform. PIM-Source-Specific Mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of Protocol Independent Multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
(10.11.5.2, 239.0.0.2), uptime 00:00:36, expires 00:03:14, flags: CT
  Incoming interface: GigabitEthernet 1/31, RPF neighbor 10.11.13.2
  Outgoing interface list:
    Vlan 300 Forward/Sparse 00:02:12/Never

interface Vlan 400
 ip pim sparse-mode
 ip address 10.11.4.1/24
 untagged GigabitEthernet 1/2
 ip igmp version 3
 no shutdown

interface GigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.23.1/24
 no shutdown

(Topology diagram labels: RP 2/1, R1 3/21, 3/1, Source 1 10.11.5.)
Implementation Information
• The Dell Networking implementation of PIM-SSM is based on RFC 3569.
• FTOS reduces the number of control messages sent between multicast routers by bundling Join and Prune requests in the same message.
Important Points to Remember
• The default SSM range is always 232/8.
• Applying an SSM range does not overwrite the default range.
• Both the default range and the SSM range are effective even when the default range is not added to the SSM ACL.
Display address ranges in the PIM-SSM range using the command show ip pim ssm-range from EXEC Privilege mode.
Figure 36-2. Enabling PIM-SSM
R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4
ip pim ssm-range ssm
R1(conf)#do show run acl
!
ip access-list standard ssm
 seq 5 permit host 239.0.0.2
R1(conf)#do show ip pim ssm-range
Group Address / MaskLen
239.0.0.
interface Vlan 400
 ip pim sparse-mode
 ip address 10.11.4.1/24
 untagged GigabitEthernet 1/2
 ip igmp version 3
 no shutdown
ip igmp snooping enable

(10.11.5.2, 239.0.0.2), uptime 00:00:33, expires 00:00:00, flags: CJ
  Incoming interface: GigabitEthernet 1/31, RPF neighbor 10.11.13.2
  Outgoing interface list:
    Vlan 300 Forward/Sparse 00:00:33/Never
(10.11.5.2, 239.0.0.1), uptime 00:01:50, expires 00:03:28, flags: CT
  Incoming interface: GigabitEthernet 1/31, RPF neighbor 10.11.13.
Figure 36-4. Configuring PIM-SSM with IGMPv2
R1(conf)#show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4
ip pim ssm-range ssm
R1(conf)#show run acl
!
ip access-list standard map
 seq 5 permit host 239.0.0.2
!
ip access-list standard ssm
 seq 5 permit host 239.0.0.2
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address Interface Mode
239.0.0.
37 Port Monitoring
Port monitoring is a feature that copies all incoming or outgoing packets on one port and forwards (mirrors) them to another port. The source port is the monitored port (MD) and the destination port is the monitoring port (MG). Port monitoring functionality differs between platforms, but the behavior is the same except where noted.
Port Monitoring
The MXL 10/40GbE Switch supports multiple source-destination statements in a monitor session, but there may be only one destination port in a monitoring session (Message 2).
Message 2. One Destination Port in a Monitoring Session Error Message
% Error: Only one MG port is allowed in a session.
The number of source ports FTOS allows within a port-pipe is equal to the number of physical ports in the port-pipe (n).
Figure 37-2. Number of Monitoring Ports
FTOS(conf)#mon ses 300
FTOS(conf-mon-sess-300)#source tengig 0/17 destination tengig 0/4 direction tx
% Error: Exceeding max MG ports for this MD port pipe.
FTOS Behavior: All monitored frames are tagged if the configured monitoring direction is transmit (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs. If the MD port is a Layer 3 port, the frames are tagged with VLAN ID 4095. If the MD port is in a Layer 3 VLAN, the frames are tagged with the respective Layer 3 VLAN ID.
To display monitor sessions, use the show monitor session command from EXEC Privilege mode (Figure 37-4).
Figure 37-4.
38 Private VLANs (PVLAN)
For syntax details about the commands described in this chapter, refer to the Private VLANs (PVLAN) Commands chapter in the FTOS Command Reference Guide.
Private VLAN Concepts
The VLAN types in a PVLAN include:
Community VLAN—a type of secondary VLAN in a primary VLAN:
• Ports in a community VLAN can communicate with each other.
• Ports in a community VLAN can communicate with all promiscuous ports in the primary VLAN.
• A community VLAN can only contain ports configured as host.
Isolated VLAN—a type of secondary VLAN in a primary VLAN:
• Ports in an isolated VLAN cannot talk directly to each other.
Each of the port types can be any type of physical Ethernet port, including port channels (LAGs). For details about port channels, refer to Port Channel Interfaces in Interfaces. For an introduction to VLANs, refer to Layer 2.
Private VLAN Commands
The commands dedicated to supporting the PVLANs feature are:
Table 38-1. Private VLAN Commands
Task: Enable/disable Layer 3 communication between secondary VLANs.
Private VLAN Configuration Task List
The following sections contain the procedures that configure a PVLAN:
• Creating PVLAN Ports
• Creating a Primary VLAN
• Creating a Community VLAN
• Creating an Isolated VLAN
Creating PVLAN Ports
PVLAN ports are those that are assigned to the Private VLAN.
Creating a Primary VLAN A primary VLAN is a port-based VLAN that is specifically enabled as a primary VLAN to contain the promiscuous ports and PVLAN trunk ports for the private VLAN. A primary VLAN also contains a mapping to secondary VLANs, which are comprised of community VLANs and isolated VLANs.
Creating a Community VLAN
A community VLAN is a secondary VLAN of the primary VLAN in a Private VLAN. The ports in a community VLAN can talk to each other and with the promiscuous ports in the primary VLAN. To create a community VLAN, follow these steps:
Step 1: interface vlan vlan-id (CONFIGURATION mode). Purpose: Access INTERFACE VLAN mode for the VLAN that you want to make a community VLAN.
Step 2: no shutdown (INTERFACE VLAN mode). Purpose: Enable the VLAN.
The results are:
• The ports in community VLAN 4001 can communicate directly with each other and with promiscuous ports.
• The ports in community VLAN 4002 can communicate directly with each other and with promiscuous ports.
• The ports in isolated VLAN 4003 can only communicate with the promiscuous ports in the primary VLAN 4000.
You can also use one of three show commands that are specific to the Private VLAN feature:
• show interfaces private-vlan [interface interface]: Display the type and status of the configured PVLAN interfaces. Refer to the example output in the Security chapter of the FTOS Command Reference Guide.
• show vlan private-vlan [community | interface | isolated | primary | primary_vlan | interface interface]: Display the configured PVLANs or interfaces that are part of a PVLAN.
39 Per-VLAN Spanning Tree Plus (PVST+)
Overview
Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree—developed by a third party—that allows you to configure a separate spanning tree instance for each VLAN (Figure 39-1). For more information about spanning tree, refer to Spanning Tree Protocol (STP).
Figure 39-1.
The Dell Networking operating software (FTOS) supports three other variations of spanning tree (Table 39-1).
Table 39-1. FTOS Supported Spanning Tree Protocols
Dell Networking Term: IEEE Specification
Spanning Tree Protocol (STP): 802.1d
Rapid Spanning Tree Protocol (RSTP): 802.1w
Multiple Spanning Tree Protocol (MSTP): 802.1s
Per-VLAN Spanning Tree Plus (PVST+): Third Party
Implementation Information
• The FTOS implementation of PVST+ is based on RPVST.
Enable PVST+
When you enable PVST+, FTOS instantiates STP on each active VLAN. To enable PVST+ globally, follow these steps:
Step 1: Enter PVST context. Command: protocol spanning-tree pvst. Command Mode: PROTOCOL PVST
Step 2: Enable PVST+. Command: no disable. Command Mode: PROTOCOL PVST
Disable PVST+
To disable PVST+, use the following commands.
Task: Disable PVST+ globally. Command: disable. Command Mode: PROTOCOL PVST
Task: Disable PVST+ on an interface, or remove a PVST+ parameter configuration.
Figure 39-3. Load Balancing with PVST+
(Diagram labels: STI 1 root R1 vlan 100 bridge-priority 4096; STI 2 root R2 vlan 100 bridge-priority 4096; STI 3 root R3 vlan 100 bridge-priority 4096; STI 1: VLAN 100, STI 2: VLAN 200, STI 3: VLAN 300; ports 1/22, 1/32, 2/12, 2/32, 3/12, 3/22; X marks Blocking, other links Forwarding.)
The bridge with the lowest bridge-priority value is elected root.
Display the PVST+ forwarding topology by entering the show spanning-tree pvst [vlan vlan-id] command from EXEC Privilege mode (Figure 39-4).
Figure 39-4. Display the PVST+ Forwarding Topology
FTOS(conf-if-te-5/41)#do show spanning-tree pvst vlan 2
VLAN 2
Root Identifier has priority 32768, Address 001e.c9f1.00f3
Root Bridge hello time 2, max age 20, forward delay 15
Bridge Identifier has priority 32768, Address 001e.c9f1.
To change PVST+ parameters, use the following commands on the Root Bridge:
Task: Change the forward-delay parameter. Range: 4 to 30. Default: 15 seconds. Command: vlan forward-delay. Command Mode: PROTOCOL PVST
Task: Change the hello-time parameter. Command: vlan hello-time. Command Mode: PROTOCOL PVST
Task: Change the max-age parameter. Command: vlan max-age. Command Mode: PROTOCOL PVST
Note: With large configurations (especially those with more ports), Dell Networking recommends that you increase the hello-time.
Figure 39-5. BPDU Filtering enabled globally
Task: Enable BPDU Filter globally to filter transmission of BPDUs on port fast enabled interfaces. Command: edge-port bpdu filter default. Command Mode: PROTOCOL PVST
Modify Interface PVST+ Parameters
To increase or decrease the probability that a port becomes a forwarding port, you can adjust two interface parameters:
• Port cost is a value that is based on the interface type.
Note: The FTOS implementation of PVST+ uses IEEE 802.1s costs as the default costs. Other implementations use IEEE 802.1d costs as the default costs. If you are using Dell Networking systems in a multi-vendor network, verify that the costs are the values you intended.
To change the port cost or priority of an interface, use the following commands:
Task: Change the port cost of an interface. Range: 0 to 200000. Default: refer to Table 39-2.
FTOS Behavior: Regarding the bpduguard shutdown-on-violation behavior:
1. If the interface to be shut down is a port channel, all the member ports are disabled in the hardware.
2. When you add a physical port to a port channel already in Error Disable state, the new member port is also disabled in the hardware.
3. When you remove a physical port from a port channel in Error Disable state, the Error Disabled state is cleared on this physical port (the physical port is enabled in the hardware).
Figure 39-6. PVST+ with Extend System ID
Task: Augment the Bridge ID with the VLAN ID. Command: extend system-id. Command Mode: PROTOCOL PVST
FTOS(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32773, Address 0001.e832.73f7
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
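The "Priority 32773 (priority 32768 sys-id-ext 5)" line above and the per-VLAN root election in Figure 39-3 follow one rule: the configured priority and the VLAN ID are combined into one value, and the lowest (priority, MAC) pair wins. The following added example, not from the Dell guide or FTOS, computes that value and elects the root per VLAN; it assumes the priority occupies the upper 4 bits (so it must be a multiple of 4096) and the VLAN ID the lower 12 bits, and the bridge MACs and priorities it uses are constructed samples.

```python
"""Added example (not from the Dell guide or FTOS): how the PVST+ bridge
priority is formed with extend system-id and how the root is elected per VLAN.

Assumption: with extend system-id the 16-bit priority field carries the
configurable priority (a multiple of 4096) in the upper 4 bits and the VLAN ID
in the lower 12 bits, so priority 32768 on VLAN 5 displays as 32773 as in
Figure 39-6. Bridge names, MACs and per-VLAN priorities are constructed samples.
"""
from typing import Dict, Tuple

DEFAULT_PRIORITY = 32768


def extended_priority(priority: int, vlan_id: int) -> int:
    """Priority value shown by 'show spanning-tree pvst' when extend system-id is on."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return priority + vlan_id


def bridge_id(priority: int, vlan_id: int, mac: str) -> Tuple[int, int]:
    """Comparable bridge ID: (extended priority, MAC as an integer); the lower value wins."""
    return extended_priority(priority, vlan_id), int(mac.replace(".", ""), 16)


def elect_root(bridges: Dict[str, Tuple[str, Dict[int, int]]], vlan_id: int) -> str:
    """bridges maps name -> (mac, {vlan_id: configured priority}); returns the root's name."""
    def key(name: str) -> Tuple[int, int]:
        mac, per_vlan = bridges[name]
        return bridge_id(per_vlan.get(vlan_id, DEFAULT_PRIORITY), vlan_id, mac)
    return min(bridges, key=key)


# Constructed topology in the spirit of Figure 39-3: each router is made root of
# one VLAN with "vlan N bridge-priority 4096"; every other VLAN keeps the default,
# so the lowest MAC address decides the root there.
TOPOLOGY: Dict[str, Tuple[str, Dict[int, int]]] = {
    "R1": ("0001.e832.73f7", {100: 4096}),
    "R2": ("0001.e832.8a01", {200: 4096}),
    "R3": ("0001.e832.9b02", {300: 4096}),
}


def roots_per_vlan(vlans=(100, 200, 300, 400)) -> Dict[int, str]:
    """Root bridge per VLAN for the constructed topology."""
    return {v: elect_root(TOPOLOGY, v) for v in vlans}
```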
PVST+ Sample Configurations
Figure 39-7, Figure 39-8, and Figure 39-9 provide the running configurations for the topology shown in Figure 39-3.
Figure 39-7.
40 Quality of Service (QoS)
Overview
Differentiated service is accomplished by classifying and queuing traffic and assigning priorities to those queues. The MXL Switch has four data queues per port. All queues are serviced using the Weighted Round Robin scheduling algorithm. You can manage priority queuing only on egress.
Figure 40-1. Dell Networking QoS Architecture
Implementation Information
The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Set dot1p Priorities for Incoming Traffic
Change the priority of incoming traffic on the interface using the dot1p-priority command from INTERFACE mode (Figure 40-2). The Dell Networking operating software (FTOS) places marked traffic in the corresponding queue as shown in Table 40-2. If you set a dot1p priority for a port-channel, all port-channel members are configured with the same value. You cannot assign a dot1p value to individual interfaces in a port-channel.
On the MXL Switch, you can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries. For more information, refer to Mapping dot1p Values to Service Queues.
Note: You cannot configure service-policy input and service-class dynamic dot1p on the same interface.
Figure 40-3.
Configure Port-based Rate Shaping
Rate shaping buffers, rather than drops, traffic that exceeds the specified rate until the buffer is exhausted. If any stream exceeds the configured bandwidth on a continuous basis, it can consume all of the buffer space that is allocated to the port.
• To apply rate shaping to outgoing traffic on a port, use the rate shape command from INTERFACE mode (Figure 40-5).
Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to each class. For both class maps, Layer 2 and Layer 3, FTOS matches packets against match criteria in the order that you configure them. Create a Layer 3 Class Map A Layer 3 class map differentiates ingress packets based on the DSCP value or IP precedence, and characteristics defined in an IP access control list (ACL).
Create a Layer 2 Class Map
All class maps are Layer 3 by default; you can create a Layer 2 class map by specifying the option layer2 with the class-map command. A Layer 2 class map differentiates traffic according to the 802.1p value and/or characteristics defined in a MAC ACL.
1. To create a match-any class map, use the class-map match-any command, or to create a match-all class map, use the class-map match-all command, from CONFIGURATION mode, and enter the keyword layer2.
Figure 40-8. Marking Flows in the Same Queue with Different DSCP Values
FTOS#show run class-map
!
class-map match-any example-flowbased-dscp
 match ip access-group test set-ip-dscp 2
 match ip access-group test1 set-ip-dscp 4
 match ip precedence 7 set-ip-dscp 1
FTOS#show run qos-policy-input
!
qos-policy-input flowbased
 set ip-dscp 3

Display Configured Class Maps and Match Criteria
To display all class-maps or a specific class map, use the show qos class-map command from EXEC Privilege mode.
1. Create a Layer 3 input QoS policy using the qos-policy-input command from CONFIGURATION mode. Create a Layer 2 input QoS policy by specifying the keyword layer2 after the qos-policy-input command.
2.
Configure Policy-Based Rate Shaping
To rate shape egress traffic, use the rate-shape command from QOS-POLICY-OUT mode.
Allocate Bandwidth to the Queue
To allocate bandwidth, use the bandwidth-percentage command in QOS-POLICY-OUT mode. FTOS recommends that you pre-calculate your bandwidth requirements before creating the policies. Make sure you apply the QoS policy to all four queues and that the sum of the bandwidths allocated through them is exactly 100.
3. Apply the input policy map to an interface.
Apply a Class-Map or Input QoS Policy to a Queue
To assign an input QoS policy to a queue, use the service-queue command from POLICY-MAP-IN mode.
Apply an Input QoS Policy to an Input Policy Map
To apply an input QoS policy to an input policy map, use the policy-aggregate command from POLICY-MAP-IN mode.
Honoring dot1p Values on Ingress Packets
FTOS provides the ability to honor dot1p values on ingress packets with the trust dot1p feature. To enable trust dot1p, use the trust dot1p command from POLICY-MAP-IN mode. Table 40-4 lists the queue to which the classified traffic is sent based on the dot1p value.
Table 40-4. Default dot1p to Queue Mapping
dot1p 0: Queue ID 0
dot1p 1: Queue ID 0
dot1p 2: Queue ID 0
dot1p 3: Queue ID 1
dot1p 4: Queue ID 2
dot1p 5: Queue ID 3
dot1p 6: Queue ID 3
dot1p 7: Queue ID 3
The dot1p value is also honored for frames on the default VLAN.
Mapping dot1p Values to Service Queues
All traffic is, by default, mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Table 40-4 using the service-class dynamic dot1p command from INTERFACE mode. Apply this queuing strategy globally by entering this command from CONFIGURATION mode.
• All dot1p traffic is mapped to Queue 0 unless you enable the service-class dynamic dot1p command on an interface or globally.
Apply an Output Policy Map to an Interface
To apply an output policy map to an interface, use the service-policy output command from INTERFACE mode. You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it.
Strict-Priority Queueing
To assign strict-priority to one unicast queue, 1 to 3, use the strict-priority command from CONFIGURATION mode. Strict-priority means that FTOS dequeues all packets from the assigned queue before servicing any other queues.
• The strict-priority command supersedes the bandwidth-percentage command configurations.
• A queue with strict-priority can starve other queues in the same port-pipe.
Table 40-5. Pre-defined WRED Profiles
Default Profile Name: Minimum Threshold / Maximum Threshold / Maximum Drop Rate
wred_drop: 0 / 0 / 100
wred_teng_y: 467 / 4671 / 100
wred_teng_g: 467 / 4671 / 50
wred_fortyg_y: 467 / 4671 / 50
wred_fortyg_g: 467 / 4671 / 25
Create WRED Profiles
To create a WRED profile, follow these steps:
1. To create a WRED profile, use the wred command from CONFIGURATION mode.
2. The wred command places you in WRED mode.
Display WRED Drop Statistics
To display the number of packets FTOS dropped by the WRED profile, use the show qos statistics command from EXEC Privilege mode (Figure 40-13).
Figure 40-13.
41 Routing Information Protocol (RIP)
Routing Information Protocol (RIP) is based on a distance-vector algorithm. RIP tracks distances or hop counts to nearby routers when establishing network connections.
• Overview
• Implementation Information
• Configuration Information
• RIP Configuration Example
RIP protocol standards are listed in the Standards Compliance chapter.
Overview
RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2).
RIPv2
RIPv2 adds support for subnet fields in the RIP routing updates, thus qualifying it as a classless routing protocol. The RIPv2 message format includes entries for route tags, subnet masks, and next hop addresses. Another enhancement included in RIPv2 is multicasting for route updates on IP multicast address 224.0.0.9.
• Generate a Default Route (optional)
• Control Route Metrics (optional)
• Summarize Routes (optional)
• Control Route Metrics
• Debug RIP
For a complete listing of all commands related to RIP, refer to the FTOS Command Reference Guide.
Enable RIP Globally
By default, RIP is not enabled in FTOS.
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes (Figure 41-2).
Figure 41-2. show ip rip database Command Example (Partial)
FTOS#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa
160.160.0.0/16 auto-summary
2.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa
2.0.0.0/8 auto-summary
4.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa
4.0.0.
Control RIP Routing Updates By default, RIP broadcasts routing information to all enabled interfaces, but you can configure RIP to send or to block RIP routing information, either from a specific IP address or a specific interface. To control which devices or interfaces receive routing updates, you must configure a direct update to one router and configure interfaces to block RIP updates from other sources.
To add routes from other routing instances or protocols, use any of the following commands in ROUTER RIP mode:
Command Syntax: redistribute {connected | static} [metric metric-value] [route-map map-name]
Command Mode: ROUTER RIP
Purpose: Include directly connected or user-configured (static) routes in RIP.
• metric range: 0 to 16
• map-name: name of a configured route map.
Figure 41-3 shows an example of the RIP configuration after you use the version command to set RIPv2 in ROUTER RIP mode. After you set the version command in ROUTER RIP mode, the interface (TenGigabitEthernet 0/0) participating in the RIP process is also set to send and receive RIPv2.
Figure 41-3.
The show ip protocols command example in Figure 41-5 confirms that both versions are sent out that interface. This interface no longer sends and receives the same RIP versions as FTOS does globally.
Figure 41-5.
Summarize Routes Routes in the RIPv2 routing table are summarized by default, thus reducing the size of the routing table and improving routing efficiency in large networks. By default, the autosummary command in ROUTER RIP mode is enabled and summarizes RIP routes up to the classful network boundary. If you must perform routing between discontiguous subnets, disable automatic summarization. With automatic route summarization disabled, subnets are advertised.
To view configuration changes, use the show config command in ROUTER RIP mode.
Debug RIP
To enable RIP debugging, use the debug ip rip command. When you enable debugging, you can view information about RIP protocol changes or RIP routes (Figure 41-6). To enable RIP debugging, use the following command in EXEC privilege mode:
Command Syntax: debug ip rip [interface | database | events | trigger]
Command Mode: EXEC privilege
Purpose: Enable debugging of RIP.
Figure 41-6.
Figure 41-7. RIP Topology Example
Configuring RIPv2 on Core 2
Figure 41-8. Configuring RIPv2 on Core 2
Core2(conf-if-te-2/31)#
Core2(conf-if-te-2/31)#router rip
Core2(conf-router_rip)#ver 2
Core2(conf-router_rip)#network 10.200.10.0
Core2(conf-router_rip)#network 10.300.10.0
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.0
Core2(conf-router_rip)#show config
!
router rip
 network 10.0.0.
Figure 41-9. Example of RIP Configuration Response from Core 2
Core2(conf-router_rip)#end
00:12:24: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
Core2#show ip rip database
Total number of routes in RIP database: 7
10.11.30.0/24 [120/1] via 10.11.20.1, 00:00:03, TenGigabitEthernet 2/31
10.300.10.0/24 directly connected,TenGigabitEthernet 2/42
10.200.10.0/24 directly connected,TenGigabitEthernet 2/41
10.11.20.
Core 3 RIP Output
The examples in this section are:
• To display the Core 3 RIP database, use the show ip rip database command (Figure 41-13).
• To display the Core 3 RIP setup, use the show ip route command (Figure 41-14).
• To display the Core 3 RIP activity, use the show ip protocols command (Figure 41-15).
Figure 41-13. show ip rip database Command Example for Core 3 RIP Setup
Core3#show ip rip database
Total number of routes in RIP database: 7
10.11.10.
RIP Configuration Summary
Figure 41-16. Summary of Core 2 RIP Configuration Using Output of show run Command
!
interface TenGigabitEthernet 2/11
 ip address 10.11.10.1/24
 no shutdown
!
interface TenGigabitEthernet 2/31
 ip address 10.11.20.2/24
 no shutdown
!
interface TenGigabitEthernet 2/41
 ip address 10.200.10.1/24
 no shutdown
!
interface TenGigabitEthernet 2/42
 ip address 10.300.10.1/24
 no shutdown
router rip
 version 2
 10.200.10.0
 10.300.10.0
 10.11.10.0
 10.11.20.
42 Remote Monitoring (RMON)

Overview

This chapter describes remote monitoring (RMON). This chapter includes the following sections:
• Implementation
• Fault Recovery

RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facilities and long-term statistics collection on Dell Networking Ethernet interfaces.
RMON implements the following standard requests for comment (RFCs) (for more information, refer to RFC and I-D Compliance):
• RFC 2819
• RFC 3273
• RFC 3434

Fault Recovery

RMON provides the following fault recovery functions:

Interface Down—When an RMON-enabled interface goes down, monitoring continues. However, all data values are registered as 0xFFFFFFFF (32 bits) or 0xFFFFFFFFFFFFFFFF (64 bits). When the interface comes back up, RMON monitoring resumes.
Set the RMON Alarm

To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in CONFIGURATION mode. To disable the alarm, use the no form of these commands:

Command Syntax: [no] rmon alarm number variable interval {delta | absolute} rising-threshold [value event-number] falling-threshold value event-number [owner string]
Command Mode: CONFIGURATION
Purpose: Set an alarm on any MIB object. Use the no form of this command to disable the alarm.
To configure an RMON alarm, use the rmon alarm command (Figure 42-1).

Figure 42-1. rmon alarm Command Example
FTOS(conf)#rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner nms1

(The callouts in the figure label, from left to right: alarm number, MIB variable, monitor interval, counter value limit, triggered event.)

The above example configures RMON alarm number 10. The alarm monitors the MIB variable 1.3.6.1.2.1.2.2.1.20.1 (ifEntry.
Figure 42-2. rmon event Command Example
FTOS(conf)#rmon event 1 log trap eventtrap description "High ifOutErrors" owner nms1

The configuration in Figure 42-2 creates RMON event number 1 with the description "High ifOutErrors" and generates a log entry when the event is triggered by an alarm. The user nms1 owns the row that this command creates in the event table. The configuration also generates an SNMP trap when the event is triggered, using the SNMP community string "eventtrap". An SNMPv1/v2c trap carries that community string in cleartext, so do not reuse a read-write community for it; traps are delivered only to the receivers configured with snmp-server host.
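As an added example that is not part of the original guide, the following pairs an alarm with separate rising and falling events, so the management station sees both edges of the condition, and shows the 64-bit rmon hc-alarm form for a high-speed counter. The OID 1.3.6.1.2.1.2.2.1.14.1 is ifInErrors for ifIndex 1 and 1.3.6.1.2.1.31.1.1.1.6.1 is ifHCInOctets for ifIndex 1; the alarm and event numbers, thresholds, community string and owner name are illustrative assumptions, and the hc-alarm arguments are assumed to follow the same order as rmon alarm.

```text
! Added example, not from the original guide. Event 1 logs and traps, event 2 only logs.
! Event numbers, thresholds, the "eventtrap" community and owner nms1 are assumptions.
FTOS(conf)#rmon event 1 log trap eventtrap description "ifInErrors rising" owner nms1
FTOS(conf)#rmon event 2 log description "ifInErrors falling" owner nms1
! 32-bit alarm: sample ifInErrors.1 every 30 s as a delta; fire event 1 when the
! delta rises past 10 errors, event 2 when it drops back to 2 or fewer.
FTOS(conf)#rmon alarm 11 1.3.6.1.2.1.2.2.1.14.1 30 delta rising-threshold 10 1 falling-threshold 2 2 owner nms1
! 64-bit alarm for a counter that wraps a 32-bit object quickly: ifHCInOctets.1,
! roughly 1 Gbyte per 30 s rising, 100 Mbyte falling (hc-alarm syntax assumed).
FTOS(conf)#rmon hc-alarm 12 1.3.6.1.2.1.31.1.1.1.6.1 30 delta rising-threshold 1000000000 1 falling-threshold 100000000 2 owner nms1
FTOS(conf)#do show rmon alarm
```

RMON alarms (RFC 2819) are hysteretic: once the rising event has fired, it is not generated again until the sampled value first drops below the falling threshold, so a falling threshold of 0, as in Figure 42-1, means a delta counter must read exactly zero for a whole interval before another rising event can be raised.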
Configure RMON Collection History

To enable the RMON MIB history group of statistics collection on an interface, use the rmon collection history command in INTERFACE (conf-if) mode. To remove a specified RMON history group of statistics collection, use the no rmon collection history command.
43 Rapid Spanning Tree Protocol (RSTP)

Overview

Rapid spanning tree protocol (RSTP) is a Layer 2 protocol—specified by IEEE 802.1w—that is essentially the same as the spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). FTOS supports three other variations of spanning tree (Table 43-1).

Table 43-1.
• SNMP Traps for Root Elections and Topology Changes
• Fast Hellos for Link State Detection
• Flush MAC Addresses after a Topology Change

Important Points to Remember
• RSTP is disabled by default.
• FTOS supports only one RST instance.
• All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology.
To configure and enable the interfaces for Layer 2, use the following commands:

Step 1: If the interface has been assigned an IP address, remove it.
        Command Syntax: no ip address (INTERFACE mode)
Step 2: Place the interface in Layer 2 mode.
        Command Syntax: switchport (INTERFACE mode)
Step 3: Enable the interface.
        Command Syntax: no shutdown (INTERFACE mode)

To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.

Figure 43-2.
To verify that RSTP is enabled, use the show config command from PROTOCOL SPANNING TREE RSTP mode (Figure 43-3).

Figure 43-3. Verifying RSTP is Enabled
FTOS(conf-rstp)#show config
!
protocol spanning-tree rstp
 no disable
FTOS(conf-rstp)#

(The line "no disable" indicates that Rapid Spanning Tree is enabled.)

When you enable RST, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology (Figure 43-4).
To view the interfaces participating in RST, use the show spanning-tree rstp command from EXEC privilege mode (Figure 43-5). If a physical interface is part of a port channel, only the port channel is listed in the command output.

Figure 43-5. show spanning-tree rstp Command Example
FTOS#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
Bridge Identifier has priority 32768, Address 0001.e801.
To confirm that a port is participating in RST, use the show spanning-tree rstp brief command from EXEC privilege mode (Figure 43-6).

Figure 43-6. show spanning-tree rstp brief Command Example
FTOS#show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32768, Address 0001.e80f.
• Max-age is the length of time the bridge maintains configuration information before it refreshes that information by recomputing the RST topology.

Note: Dell Networking recommends that only experienced network administrators change the RST group parameters. Poorly planned modification of the RST group parameters can negatively impact network performance.

Table 43-2 lists the default values for RSTP.

Table 43-2.
Enable BPDU Filtering Globally

Enabling BPDU filtering globally stops the transmission of BPDUs on operational portfast-enabled ports. If a BPDU is received on such a port, the port automatically returns to normal spanning-tree operation. By default, global BPDU filtering is disabled.

A filtered port sends no BPDUs, so a switch that is mistakenly attached to it cannot detect a loop through that port. For host-facing ports, BPDU guard, which error-disables the port when a BPDU arrives, fails in a safer direction than filtering.

Figure 43-7. BPDU Filtering Enabled Globally

Task: Enable BPDU filter globally to filter transmission of BPDUs on portfast-enabled interfaces.
To change the port cost or priority of an interface, use the following commands:

Task: Change the port cost of an interface. Range: 0 to 65535. Default: refer to Table 43-2.
Command Syntax: spanning-tree rstp cost cost
Command Mode: INTERFACE

Task: Change the port priority of an interface. Range: 0 to 240. Default: 128.
Command Syntax: spanning-tree rstp priority priority-value
Command Mode: INTERFACE

To view the current values for interface parameters, use the show spanning-tree rstp command from EXEC privilege mode (Figure 43-5).
FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior:
1. If the interface to be shut down is a port channel, all the member ports are disabled in the hardware.
2. When a physical port is added to a port channel that is already in the Error Disable state, the new member port is also disabled in the hardware.
Figure 43-9. bridge-priority Command Example
FTOS(conf-rstp)#bridge-priority 4096
FTOS(conf-rstp)#2d0h22m: %STKUNIT3-M:CP %SPANMGR-5-STP_ROOT_CHANGE: RSTP root changed. My Bridge ID: 4096:001e.c9f1.00cf Old Root: 32768:0001.e88a.fdb3 New Root: 4096:001e.c9f1.00cf

(In the log message, "Old Root" is the old root bridge ID and "New Root" is the new root bridge ID.)

SNMP Traps for Root Elections and Topology Changes

To enable SNMP traps for RSTP, MSTP, and PVST+ collectively, use the snmp-server enable traps xstp command.
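As an added example that is not part of the original guide, the following pins the root bridge with a low bridge priority, protects a host-facing edge port with BPDU guard instead of BPDU filtering, and turns on the xstp traps so a root change is reported rather than discovered later. The interface number is a placeholder, and the spanning-tree rstp edge-port bpduguard shutdown-on-violation form is assumed from the bpduguard behavior this chapter describes; confirm it against the Command Reference for this release.

```text
! Added example, not from the original guide. Interface 0/1 is a placeholder.
FTOS(conf)#protocol spanning-tree rstp
FTOS(conf-rstp)#no disable
! Priority well below the default 32768 so no unmanaged switch can win the root election
FTOS(conf-rstp)#bridge-priority 4096
FTOS(conf-rstp)#exit
! Host-facing edge port: a received BPDU (rogue switch, bridging host) error-disables
! the port instead of being silently filtered. Syntax assumed; verify on your release.
FTOS(conf)#interface tengigabitethernet 0/1
FTOS(conf-if-te-0/1)#no ip address
FTOS(conf-if-te-0/1)#switchport
FTOS(conf-if-te-0/1)#spanning-tree rstp edge-port bpduguard shutdown-on-violation
FTOS(conf-if-te-0/1)#no shutdown
FTOS(conf-if-te-0/1)#exit
! Report root elections and topology changes to the NMS
FTOS(conf)#snmp-server enable traps xstp
FTOS(conf)#end
FTOS#show spanning-tree rstp brief
```

Because shutdown-on-violation on a port-channel member disables every member port in hardware (see the FTOS Behavior note above), apply BPDU guard only to ports that really terminate at a host.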
44 Security

This chapter describes the following:
• AAA Accounting
• AAA Authentication
• AAA Authorization
• RADIUS
• TACACS+
• Protection from TCP Tiny and Overlapping Fragment Attacks
• SCP and SSH
• Telnet
• VTY Line and Access-Class Configuration

For details about all the commands described in this chapter, refer to the Security Commands chapter in the FTOS Command Reference Guide.
• Configure AAA Accounting for Terminal Lines (optional)
• Monitor AAA Accounting (optional)

Enable AAA Accounting

To create a record for any or all of the accounting functions monitored, use the aaa accounting command.
Configure Accounting of EXEC and Privilege-Level Command Usage

The network access server monitors the accounting functions defined in the terminal access controller access control system plus (TACACS+) attribute/value (AV) pairs. In Figure 44-1, AAA accounting is set to track all usage of EXEC commands and commands on privilege level 15.

Figure 44-1.
Figure 44-3.
Configure AAA Authentication Login Methods

To configure an authentication method and method list, use these commands in the following sequence in CONFIGURATION mode:

Step 1
Command Syntax: aaa authentication login {method-list-name | default} method1 [...method4]
Command Mode: CONFIGURATION
Purpose: Define an authentication method list (method-list-name) or specify the default. The default method list is applied to all terminal lines.
Enable AAA Authentication

To enable AAA authentication, use the following command in CONFIGURATION mode:

Command Syntax: aaa authentication enable {method-list-name | default} method1 [... method4]
Command Mode: CONFIGURATION
Purpose:
• default—Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
To use local authentication for the enable secret on the console while using remote authentication on virtual terminal line (VTY) lines, use the following commands:

FTOS(conf)# aaa authentication enable mymethodlist radius tacacs
FTOS(conf)# line vty 0 9
FTOS(conf-line-vty)# enable authentication mymethodlist

(The console is not assigned mymethodlist, so it keeps the default method for enable authentication.)

Server-Side Configuration

TACACS+: When using TACACS+, Dell Networking sends an initial packet with service type SVC_ENABLE, and then a second packet with just the password.
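The following is an added example, not from the original guide, that ties the login, enable, authorization and accounting pieces of this chapter together with a local fallback so the console stays reachable when every TACACS+ server is down. Server addresses, keys, account names and passwords are placeholders; the command forms are the aaa authentication, aaa authorization, aaa accounting, tacacs-server, username and enable secret commands as this chapter names them, and should be checked against the Command Reference for the exact keyword set on your release.

```text
! Added example, not from the original guide. All addresses, keys and passwords are placeholders.
FTOS(conf)#tacacs-server host 192.0.2.10 key Example-Tacacs-Key-1
FTOS(conf)#tacacs-server host 192.0.2.11 key Example-Tacacs-Key-1
! Local break-glass account and enable secret, used only when no server answers
FTOS(conf)#username emergency password 0 Example-Local-Pass-1 privilege 15
FTOS(conf)#enable secret 0 Example-Enable-Secret-1
! Login: TACACS+ first; "local" is consulted only if every server is unreachable,
! not when a server rejects the credentials.
FTOS(conf)#aaa authentication login default tacacs+ local
! Enable: TACACS+ (SVC_ENABLE exchange described above), then the local enable secret
FTOS(conf)#aaa authentication enable default tacacs+ enable
! Per-command authorization at level 15; "none" keeps the box manageable if the
! servers are down, which is an availability choice you must make deliberately.
FTOS(conf)#aaa authorization commands 15 default tacacs+ none
! Accounting for sessions and level-15 commands
FTOS(conf)#aaa accounting exec default start-stop tacacs+
FTOS(conf)#aaa accounting commands 15 default start-stop tacacs+
FTOS(conf)#end
FTOS#show running-config aaa
```

Test the fallback before relying on it: with the servers reachable, confirm a TACACS+ user can log in and that the emergency account is rejected by the server rather than the switch; then block the servers and confirm the emergency account and enable secret still work on the console.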
Privilege levels 2 through 14 are not configured by default; you can customize them for different users and access. After you configure other privilege levels, enter those levels by adding the level parameter after the enable command or by configuring a user name or password that corresponds to the privilege level. For more information about configuring user names, refer to Configure a Username and Password. By default, commands in FTOS are assigned to different privilege levels.
To configure a username and password, use the following command in CONFIGURATION mode:

Command Syntax: username name [access-class access-list-name] [nopassword | password [encryption-type] password] [privilege level]
Command Mode: CONFIGURATION
Purpose: Assign a user name and password. Configure the optional and required parameters:
• name: Enter a text string up to 63 characters long.
• access-class access-list-name: Enter the name of a configured IP ACL.

Note that nopassword creates an account that logs in without any password; do not use it for an account that can reach a VTY line.
Configure Custom Privilege Levels

In addition to assigning privilege levels to the user, you can configure the privilege levels of commands so that they are visible at different privilege levels. Within FTOS, commands have certain privilege levels. With the privilege command, you can change the default level of a command or reset its privilege level back to the default.
To view the configuration, use the show running-config command in EXEC Privilege mode.

Figure 44-4 is an example of a configuration that allows a user "john" to view only EXEC mode commands and all snmp-server commands. Because the snmp-server commands are "enable" level commands and, by default, are found in CONFIGURATION mode, you must also assign the launch command for CONFIGURATION mode, configure, to the same privilege level as the snmp-server commands.

Figure 44-4.
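As an added example that is not part of the original guide, the following builds the arrangement just described: an operator account at level 8 that can run EXEC commands, enter CONFIGURATION mode, and use snmp-server, and nothing else. The account name and password are placeholders, and the privilege exec / privilege config keyword forms are assumed from the privilege command as this chapter describes it; verify them against the Command Reference.

```text
! Added example, not from the original guide. Account name and password are placeholders.
! Move the launch command "configure" down to level 8 (syntax assumed).
FTOS(conf)#privilege exec level 8 configure
! Move snmp-server (a CONFIGURATION-mode command) down to level 8 (syntax assumed).
FTOS(conf)#privilege config level 8 snmp-server
! The account lands at level 8 on login, so it never sees level-15 commands.
FTOS(conf)#username john password 0 Example-Pass-1 privilege 8
FTOS(conf)#end
! Verify that only these two privilege lines exist; any extra "privilege ... level 8"
! entry widens what john can do.
FTOS#show running-config | grep privilege
```

Lowering the level of configure is the part most often forgotten: without it the snmp-server commands are visible at level 8 but unreachable, because the user cannot enter the mode that contains them. Keep the set of commands demoted to a level as small as the role needs, since each demoted launch command also exposes the mode it opens.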
Specify the LINE Mode Password and Privilege

You can specify password authentication for all users on different terminal lines. The user's privilege level is the same as the privilege level assigned to the terminal line. To specify a password for the terminal line, use the following commands, in any order, in LINE mode:

Command Syntax: privilege level level
Command Mode: LINE
Purpose: Configure a custom privilege level for the terminal lines.
• level level range: 0 to 15.
RADIUS does not encrypt the transaction as a whole. Only the User-Password attribute is hidden (XORed with an MD5 digest of the shared secret and the request authenticator, RFC 2865 section 5.2), so user passwords are not sent in plain text, but user names, attributes and authorization data are. The protection of the exchange therefore rests on the strength and secrecy of the shared secret and on keeping RADIUS traffic on a protected management network. RADIUS uses the user datagram protocol (UDP) as the transport protocol between the RADIUS server host and the client. For more information about RADIUS, refer to RFC 2865, Remote Authentication Dial-in User Service.
RADIUS can specify an ACL for the user if both of the following are true:
• If an ACL is absent.
• There is a very long delay for an entry, or a denied entry because of an ACL, and a message is logged.

Note: The ACL name must be a string. Only standard ACLs in authorization (both RADIUS and TACACS+) are supported. Authorization is denied in cases using extended ACLs.
Define an AAA Method List to be Used for RADIUS To configure RADIUS to authenticate or authorize users on the system, you must create an AAA method list. Default method lists do not need to be explicitly applied to the line, so they are not mandatory.
To specify a RADIUS server host and configure its communication parameters, use the following command in CONFIGURATION mode:

Command Syntax: radius-server host {hostname | ip-address} [auth-port port-number] [retransmit retries] [timeout seconds] [key [encryption-type] key]
Command Mode: CONFIGURATION
Purpose: Enter the host name or IP address of the RADIUS server host.
Command Syntax: radius-server key [encryption-type] key
Command Mode: CONFIGURATION
Purpose: Configure a key for all RADIUS communications between the system and RADIUS server hosts.
• encryption-type: Enter 7 to store the key in obfuscated form in the configuration. Enter 0 to keep the key as plain text. In either case the switch must recover the plain-text key to talk to the server, so type 7 only keeps the key out of a casual view of the configuration; anyone who can read the configuration file can recover it. Treat configuration backups as secrets.
• key: Enter a string. The key can be up to 42 characters long. You cannot use spaces in the key.

Command Syntax: radius-server retransmit retries
Command Mode: CONFIGURATION
Purpose: Configure the number of times FTOS retransmits RADIUS requests.
• Choose TACACS+ as the Authentication Method

For a complete listing of all commands related to TACACS+, refer to the Security chapter in the FTOS Command Reference Guide.

Choose TACACS+ as the Authentication Method

One of the available login authentication methods is TACACS+; the user's name and password are sent for authentication to the TACACS+ hosts specified.
Figure 44-6.
Figure 44-7 shows how to configure access-class from a TACACS+ server. This causes the configured access-class on the VTY line to be ignored. If you have configured a deny10 ACL on the TACACS+ server, FTOS downloads it and applies it. If the user is found to be coming from the 10.0.0.0 subnet, FTOS also immediately closes the Telnet connection. Note that no matter where the user is coming from, they see the login prompt.

Figure 44-7.
To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command.

freebsd2# telnet 2200:2200:2200:2200:2200::2202
Trying 2200:2200:2200:2200:2200::2202...
Connected to 2200:2200:2200:2200:2200::2202.
Escape character is '^]'.
Login: admin
Password:
FTOS#
FTOS#

Command Authorization

The AAA command authorization feature configures FTOS to send each configuration command to a TACACS+ server for authorization before it is added to the running configuration.
SCP and SSH

Secure shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. FTOS is compatible with SSH versions 1.5 and 2, in both client and server modes. SSH sessions are encrypted and use authentication. SSH version 1 has long-known protocol weaknesses and is deprecated; restrict the server to version 2 (ip ssh server version 2) unless a legacy client leaves no alternative. For information about command syntax, refer to the Security chapter in the FTOS Command Line Interface Reference Guide.

Secure copy (SCP) is a remote file copy program that works with SSH and is supported by FTOS.
Figure 44-8. Specifying an SSH Version
FTOS(conf)#ip ssh server version 2
FTOS(conf)#do show ip ssh
SSH server : disabled.
SSH server version : v2.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
Vty Encryption Remote IP

(In this output the version is set, but the server itself stays disabled until ip ssh server enable is entered.)

To disable SSH server functions, use the no ip ssh server enable command.
• ip ssh authentication-retries: Configure the maximum number of attempts that should be used to authenticate a user.
• ip ssh connection-rate-limit: Configure the maximum number of incoming SSH connections per minute.
• ip ssh hostbased-authentication enable: Enable host-based authentication for the SSHv2 server.
• ip ssh key-size: Configure the size of the server-generated RSA SSHv1 key.
Figure 44-10. Enabling SSH Password Authentication
FTOS(conf)#ip ssh server enable
% Please wait while SSH Daemon initializes ... done.
FTOS(conf)#ip ssh password-authentication enable
FTOS#sh ip ssh
SSH server : enabled.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
Vty Encryption Remote IP

RSA Authentication of SSH

To authenticate an SSH client based on an RSA key using RSA authentication, follow these steps.
To configure host-based authentication, use the following steps:

Step 1: Configure RSA authentication. Refer to RSA Authentication of SSH above.
Step 2: Create shosts by copying the public RSA key to the file shosts in the directory .ssh, and write the IP address of the host to the file (Figure 44-12).

Host-based authentication trusts any user who presents the listed host's key from the listed address, so the client host's private host key must be protected as carefully as a user credential.

Figure 44-12.
cp /etc/ssh/ssh_host_rsa_key.pub /.
Client-based SSH Authentication

To open an SSH session from the chassis, acting as an SSH client, to a remote host, use the ssh ip_address command. This method uses SSH version 1 or version 2. If the SSH port is a non-default value, change the default port number with the ip ssh server port number command. You may only change the port number when SSH is disabled. You must then still use the -p option with the ssh command.

Figure 44-14. Client-Based SSH Authentication
FTOS#ssh 10.16.127.
Telnet

To use Telnet with SSH, you must first enable SSH, as described above. By default, the Telnet daemon is enabled. Telnet carries credentials and session data in cleartext, so disable it wherever SSH is available. To disable the Telnet daemon, use the no ip telnet server enable command, or disable Telnet in the startup config (Figure 44-15).

Figure 44-15.
You can assign line authentication on a per-VTY basis; it is simple password authentication that uses an access-class as authorization. Local authentication is configured globally. You configure access classes on a per-user basis. FTOS can assign different access classes to different users by username. Until users attempt to log in, FTOS does not know which VTY line they will be assigned.
Figure 44-17. Example Access Class Configuration Using TACACS+ Without Prompt
FTOS(conf)#ip access-list standard deny10
FTOS(conf-ext-nacl)#permit 10.0.0.0/8
FTOS(conf-ext-nacl)#deny any
FTOS(conf)#
FTOS(conf)#aaa authentication login tacacsmethod tacacs+
FTOS(conf)#tacacs-server host 256.1.1.
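As an added example that is not part of the original guide, the following combines the SSH, Telnet and VTY controls from this chapter into one management-plane baseline: SSH restricted to version 2 with retry and rate limits, Telnet disabled, and the VTY lines limited to a management subnet by a standard ACL. The ACL name, subnet, limits and timeout are placeholders; the ip ssh, ip telnet, ip access-list and access-class commands are the ones documented in this chapter, and exec-timeout is assumed to be available in LINE mode on this release.

```text
! Added example, not from the original guide. ACL name, subnet and limits are placeholders.
! Fix the version before enabling the server so SSHv1 is never offered.
FTOS(conf)#ip ssh server version 2
FTOS(conf)#ip ssh authentication-retries 3
FTOS(conf)#ip ssh connection-rate-limit 10
FTOS(conf)#ip ssh server enable
FTOS(conf)#ip ssh password-authentication enable
! Cleartext management protocol off
FTOS(conf)#no ip telnet server enable
! Standard ACL naming the only network allowed to reach the VTY lines
FTOS(conf)#ip access-list standard MGMT-ONLY
FTOS(conf-std-nacl)#permit 192.0.2.0/24
FTOS(conf-std-nacl)#deny any
FTOS(conf-std-nacl)#exit
! Apply it to every VTY line; idle sessions are dropped after 10 minutes (exec-timeout assumed)
FTOS(conf)#line vty 0 9
FTOS(conf-line-vty)#access-class MGMT-ONLY
FTOS(conf-line-vty)#exec-timeout 10 0
FTOS(conf-line-vty)#exit
FTOS(conf)#do show ip ssh
```

Remember the interaction described above: an access-class pushed by the TACACS+ server replaces the one configured on the line, so the server-side ACL must be at least as restrictive as MGMT-ONLY or the line restriction is silently lost for those users.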
45 Service Provider Bridging

Service Provider Bridging is supported on the MXL Switch platform. This chapter contains the following major sections:
• VLAN Stacking
• VLAN Stacking Packet Drop Precedence
• Dynamic Mode CoS for VLAN Stacking
• Layer 2 Protocol Tunneling
• Provider Backbone Bridging

VLAN Stacking

Virtual local area network (VLAN) stacking is supported on the MXL Switch platform. VLAN Stacking, also called Q-in-Q, is defined in IEEE 802.1ad—Provider Bridges, which is an amendment to IEEE 802.
Figure 45-1. (Frame diagram: a double-tagged frame carries an outer S-Tag, TPID 0x9100 with PCP, DEI and VID (VLAN 300), ahead of the inner C-Tag, TPID 0x8100 with PCP, CFI (0) and VID (VLAN Red); port labels in the diagram show VLAN 100 and VLAN 10 membership, with VLAN 100 tagged.)
Creating Access and Trunk Ports

To create access and trunk ports, use the following commands.
• Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
• Trunk port — a port on a service provider bridge that connects to another service provider bridge and is a member of multiple service provider VLANs.

Physical ports and port-channels can be access or trunk ports.
To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.

Figure 45-3.
Configuring FTOS Options for Trunk Ports

802.1ad trunk ports may also be tagged members of a VLAN so that they can carry single- and double-tagged traffic. You can enable trunk ports to carry untagged, single-tagged, and double-tagged VLAN traffic by making the trunk port a hybrid port. To configure trunk ports, use the following commands:

Step 1: Configure a trunk port to carry untagged, single-tagged, and double-tagged traffic by making it a hybrid port.
Debugging VLAN Stacking

To debug the internal state and membership of a VLAN and its ports, use the debug member command, as shown in Figure 45-5. The port notations are as follows:
• MT — stacked trunk
• MU — stacked access port
• T — 802.1Q trunk port
• U — 802.1Q access port
• NU — Native VLAN (untagged)

Figure 45-5.
Previous versions allowed you to configure the first byte only, and thus the system did not differentiate between TPIDs with a common first byte. For example, 0x8100 and any other TPID beginning with 0x81 were treated as the same TPID, as shown in Figure 45-6. FTOS versions 8.2.1.0 and later differentiate between 0x9100 and 0x91XY, as also shown in Figure 45-8. You can configure the first eight bits of the TPID using the vlan-stack protocol-type command. The TPID is global.
Figure 45-7. Single and Double-Tag First-byte TPID Match (Diagram: R1 and R2, C-Series switches running FTOS earlier than 8.2.1.0, and R3, a C-Series switch running FTOS 8.2.1.0 or later, all configured with TPID 0x8181; the VLANs shown are Red, Purple, Green, Blue and the default VLAN.)
Table 45-1 details the outcome of matched and mismatched TPIDs in a VLAN-stacking network.

Table 45-1. Network Position Behaviors for Mismatched TPID
Columns: Incoming Packet TPID | System TPID | Match Type | Pre-8.2.1.0 | 8.2.1.
When you enable drop eligibility, DEI mapping or marking takes place according to the defaults. In this case, the CFI is affected according to Table 45-2.

Table 45-2.
FTOS#show interface dei-honor
Default Drop precedence: Green
Interface   CFI/DEI   Drop precedence
-------------------------------------
Gi 0/1      0         Green
Gi 0/1      1         Yellow
Gi 8/9      1         Red
Gi 8/40     0         Yellow

Marking Egress Packets with a DEI Value

On egress, you can set the DEI value according to a different mapping than ingress. For ingress information, refer to Honoring the Incoming DEI Value.
Figure 45-9. Statically and Dynamically Assigned dot1p for VLAN Stacking (Diagram: an untagged frame (DA, SA, EtherType 0x0800, data) receives an S-Tag, TPID 0x9100, VLAN 400, with a statically assigned dot1p; a C-tagged frame (TPID 0x8100, VLAN 100) receives an S-Tag, TPID 0x9100, VLAN 400, whose dot1p is mapped from the C-Tag dot1p.)

When configuring Dynamic Mode CoS, you have two options:
a. Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p.
FTOS Behavior: For Option A shown in the previous illustration, when there is a conflict between the queue selected by Dynamic Mode CoS (vlan-stack dot1p-mapping) and a QoS configuration, the queue selected by Dynamic Mode CoS takes precedence. However, rate policing for the queue is determined by QoS configuration.
Mapping C-Tag to S-Tag dot1p Values

To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly, use the following commands:

Step 1: Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
• vman-qos: mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. This method requires half as many CAM entries as vman-qos-dual-fp.
Figure 45-10. VLAN Stacking without L2PT (Diagram: Building A and Building B each run spanning tree and are connected across a service provider network on which spanning tree is disabled; BPDUs with destination MAC address 01-80-C2-00-00-00 are dropped at the provider network.)

You might need to transport control traffic transparently through the intermediate network to the other region.
Figure 45-11. VLAN Stacking with L2PT (Diagram: the same two buildings, with their spanning-tree BPDUs tunneled across the service provider network, on which spanning tree remains disabled.)
To specify a destination MAC address for BPDUs, use the following command:

Task: Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network. The default is 01:01:e8:00:00:00.
Command Syntax: protocol-tunnel destination-mac
Command Mode: CONFIGURATION

Setting Rate-limit BPDUs

CAM space is allocated in sections called field processor (FP) blocks. There are 13 user-configurable FP blocks in total.
Provider Backbone Bridging

IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. 802.
46 sFlow

This chapter contains the following sections:
• Enable and Disable sFlow
• sFlow Show Commands
• Specify Collectors
• Polling Intervals
• Sampling Rate
• Back-Off Mechanism
• sFlow on LAG ports
• Extended sFlow

Overview

The Dell Networking operating software (FTOS) supports sFlow version 5. sFlow is a standards-based sampling technology embedded within switches and routers which you can use to monitor network traffic (Figure 46-1).
Figure 46-1. sFlow Traffic Monitoring System (Diagram: the sFlow agent in the switch/router polls interface counters and receives flow samples from the switch ASIC, and sends sFlow datagrams to the sFlow collector.)

Implementation Information

Dell Networking sFlow is designed so that the hardware sampling rate is per stack-unit port-pipe and is decided based on all the ports in that port-pipe.
• The 802.1P source priority field is not filled in the extended switch element in the sFlow datagram.
• Only the Destination and Destination Peer AS numbers are packed in the dst-as-path field in the extended gateway element.
• If the packet being sampled is redirected using policy-based routing (PBR), the sFlow datagram may contain incorrect extended gateway and/or router information.
• The source VLAN field in the extended switch element is not packed in the case of a routed packet.
Show sFlow Globally

To view sFlow statistics, use the following command (Figure 46-2):

Command Syntax: show sflow
Command Mode: EXEC
Purpose: Display sFlow configuration information and statistics.

Figure 46-2. show sflow Command Example
FTOS#show sflow
sFlow services are enabled
Global default sampling rate: 32768
Global default counter polling interval: 20
1 collectors configured
Collector IP addr: 133.33.33.53, Agent IP addr: 133.33.33.

(The first line of the output indicates that sFlow is globally enabled.)
Show sFlow on a Stack Unit

To view sFlow statistics on a specified stack unit, use the following command (Figure 46-4):

Command Syntax: show sflow stack-unit unit-number
Command Mode: EXEC
Purpose: Display sFlow configuration information and statistics for the specified stack unit.

Figure 46-4.
Command Syntax: sflow polling-interval interval value
Command Mode: CONFIGURATION or INTERFACE
Usage: Change the global default counter polling interval. interval value—in seconds. Range: 15 to 86400 seconds. Default: 20 seconds.

Sampling Rate

The sFlow sampling rate is the number of packets that are skipped before the next sample is taken. sFlow does not have time-based packet sampling.
3. Configures interface Tengig 1/1 to a sub-sampling rate of 2 to achieve an actual rate of 8192.

Note: Sampling rate back-off can change the sampling rate value that is set in the hardware.

The following equation shows the relationship between the actual sampling rate, the sub-sampling rate, and the hardware sampling rate for an interface:

Actual sampling rate = sub-sampling rate * hardware sampling rate

Note: The configured sampling rate itself does not appear in the equation; the rate an interface actually gets is the product of its sub-sampling rate and the hardware rate of its port-pipe.
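The following is an added example, not from the original guide, showing a collector with a global rate and one interface at a coarser rate, which is where the sub-sampling relation above comes into play. The collector and agent addresses, UDP port and interface number are placeholders, and the sflow collector, sflow enable, sflow sample-rate and sflow polling-interval command forms are assumed from the command names this chapter uses; confirm them against the Command Reference for this release.

```text
! Added example, not from the original guide. Addresses, port and interface are placeholders;
! command forms assumed, verify on your release.
FTOS(conf)#sflow collector 192.0.2.50 agent-addr 192.0.2.1 6343
! Global rate 4096: on this port-pipe the hardware rate becomes 4096
FTOS(conf)#sflow sample-rate 4096
FTOS(conf)#sflow polling-interval 20
FTOS(conf)#sflow enable
! Interface wanting 1 in 8192: met with a sub-sampling rate of 2 (8192 = 2 * 4096),
! so no second hardware rate is needed for the port-pipe.
FTOS(conf)#interface tengigabitethernet 1/1
FTOS(conf-if-te-1/1)#sflow sample-rate 8192
FTOS(conf-if-te-1/1)#sflow enable
FTOS(conf-if-te-1/1)#exit
! Confirm the global rate, and then the per-unit view for the hardware rate actually programmed
FTOS(conf)#do show sflow
FTOS(conf)#do show sflow stack-unit 1
```

Check the stack-unit output after enabling sFlow on a busy port-pipe: the back-off mechanism can lower the programmed hardware rate, and the actual per-interface rate then changes with it even though the configured values do not.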
To confirm that extended information packing is enabled, use the show sflow command (Figure 46-5).

Figure 46-5. Confirming that Extended sFlow is Enabled
FTOS#show sflow
sFlow services are enabled
Global default sampling rate: 4096
Global default counter polling interval: 15
Global extended information enabled: switch
1 collectors configured
Collector IP addr: 10.10.10.

(The "Global extended information enabled" line lists the extended sFlow types in effect; the figure's callout notes that it shows all three types when all are enabled.)
47 Simple Network Management Protocol (SNMP)

Protocol Overview

Network management stations use the Simple Network Management Protocol (SNMP) to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a Management Information Base (MIB).
Configuring SNMP version 3 requires you to configure SNMP users in one of three methods. See Setting Up User-based Security (SNMPv3).
Related Configuration Tasks

The following list contains configuration tasks for SNMP:
• Setting up SNMP
• Setting Up User-based Security (SNMPv3)
• Read Managed Object Values
• Write Managed Object Values
• Configure Contact and Location Information Using SNMP
• Subscribe to Managed Object Value Updates using SNMP
• Copy Configuration Files Using SNMP
• Manage VLANs Using SNMP
• Enable and Disable a Port Using SNMP
• Fetch Dynamic MAC Entries Using SNMP
• Deriving Interface Indices
• Monitor Port-Channel
Create a Community

For SNMPv1 and SNMPv2c, you must create a community to enable the community-based security in FTOS. The management station generates requests to either retrieve or alter the value of a management object and is called the SNMP manager. A network element that processes SNMP requests is called an SNMP agent. An SNMP community is a group of SNMP agents and managers that are allowed to interact. The community string is the only credential in SNMPv1/v2c and travels in cleartext in every packet, so choose strings that cannot be guessed, never share one string between read-only and read-write access, restrict the source addresses allowed to use it, and prefer SNMPv3 wherever the management station supports it.
Figure 47-2. Select a User-based Security Type
FTOS(conf)#snmp-server host 1.1.1.1 traps {oid tree} version 3 ?
auth    Use the SNMPv3 authNoPriv Security Level
noauth  Use the SNMPv3 noAuthNoPriv Security Level
priv    Use the SNMPv3 authPriv Security Level
FTOS(conf)#snmp-server host 1.1.1.1 traps version 3 noauth ?
WORD    SNMPv3 user name

Note that the noauth (noAuthNoPriv) level provides neither authentication nor confidentiality and is no stronger than a community string; use priv (authPriv) for production management traffic.

To set up a user with view privileges only (no password or privacy privileges):

Task: Configure the user.
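As an added example that is not part of the original guide, the following shows the weak community-based setup beside an SNMPv3 authPriv replacement for the same management station. The view, group and user names, the passphrases and the collector address are placeholders; the snmp-server view, group, user and host command forms follow the FTOS commands this chapter names, and the aes128 privacy keyword is assumed to be available on this release (des56 is the older alternative), so verify against the Command Reference.

```text
! Added example, not from the original guide. Names, passphrases and addresses are placeholders.
! Weak: a well-known read-write community, sent in cleartext on every request.
FTOS(conf)#snmp-server community public rw
! Hardened: remove it and use an SNMPv3 user with authentication and privacy.
FTOS(conf)#no snmp-server community public
! Read-only view of the whole internet subtree; narrow it further if the NMS needs less.
FTOS(conf)#snmp-server view READ-ALL 1.3.6.1 included
! Group that requires authPriv and has no write view at all
FTOS(conf)#snmp-server group NMS-GROUP 3 priv read READ-ALL
! User with SHA authentication and AES-128 privacy (aes128 keyword assumed)
FTOS(conf)#snmp-server user nmsuser NMS-GROUP 3 auth sha Example-Auth-Pass-1 priv aes128 Example-Priv-Pass-1
! Notifications go out as authPriv under the same user, never as v1/v2c traps
FTOS(conf)#snmp-server host 192.0.2.20 traps version 3 priv nmsuser
FTOS(conf)#snmp-server enable traps snmp
FTOS(conf)#end
FTOS#show running-config snmp
```

Keep the authentication and privacy passphrases different from each other and from any community string still in use elsewhere, and grant a write view only to a separate group used by the automation that actually needs it.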
Read Managed Object Values

You may only retrieve (read) managed object values if your management station is a member of the same community as the SNMP agent. Dell Networking supports RFC 4001, Textual Conventions for Internet Network Addresses, which defines values representing a type of internet address. These values display for ipAddressTable objects using the snmpwalk command. In the following figure, the value "4" displays in the OID before the IP address for IPv4.
Figure 47-5. Reading the Value of Many Managed Objects at Once
> snmpwalk -v 2c -c mycommunity 10.11.209.217 .1.3.6.1.2.1.1
SNMPv2-MIB::sysDescr.0 = STRING: Dell Networking OS
Operating System Version: 1.0
Application Software Version: E8-3-16-0
Series: MXL-10/40GbE
Copyright (c) 1999-2012 by Dell Inc. All Rights Reserved.
Build Time: Tue May 22 22:40:56 PDT 2012
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6027.1.4.
To configure system contact and location information from the Dell Networking system:
Task: Identify the system manager along with this person's contact information (for example, e-mail address or phone number). You may use up to 55 characters. Default: None.
Command: snmp-server contact text (CONFIGURATION mode)
Task: Identify the physical location of the system. For example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1. You may use up to 55 characters.
To configure the system to send SNMP notifications, follow these steps:
Task: Configure the Dell Networking system to send notifications to an SNMP server.
• Enter the keyword traps to send trap messages (the receiver does not acknowledge them).
• Enter the keyword informs to send inform messages, which the receiver acknowledges.
• Enter the keyword version to specify the SNMP version to use for notification messages.
• Enter the community string that identifies the SNMPv1 community.
Table 47-2. Dell Networking Enterprise-specific SNMP Traps (Command Option, Trap)
10.16.130.140 [10.16.130.140]: Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (645746) 1:47:37.46,
SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown,
IF-MIB::ifIndex.45420801 = INTEGER: 45420801,
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state to down: Te 0/44",
SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 22
Command Option: ets    Trap: ETS peer state enabled
10.16.130.140 [10.16.130.
• copy configuration files from a server to the Dell Networking system.
You can perform all of these tasks using IPv4 addresses. The relevant MIBs for these functions are:
Table 47-3. MIB Objects for Copying Configuration Files Using SNMP
MIB Object: copySrcFileType
OID: .1.3.6.1.4.1.6027.3.5.1.1.1.1.2
Object Values: 1 = FTOS file, 2 = running-config, 3 = startup-config
Description: Specifies the type of file to copy from.
Table 47-3. MIB Objects for Copying Configuration Files Using SNMP
MIB Object: copyUserName
OID: .1.3.6.1.4.1.6027.3.5.1.1.1.1.9
Object Values: Username for the server.
Description: Username for the FTP, TFTP, or SCP server. If copyUserName is specified, copyUserPassword must also be specified.
MIB Object: copyUserPassword
OID: .1.3.6.1.4.1.6027.3.5.1.1.1.1.10
Object Values: Password for the server.
Description: Password for the FTP, TFTP, or SCP server.
Note: In UNIX, enter the snmpset command for help using it. Place the file f10-copy-config.mib in the directory from which you are executing the snmpset command or in the snmpset tool path.
Anyone who holds the read-write community string can trigger these copy operations, including copying the running-config to a server they control or replacing the startup-config with a file of their own, and the copyUserName and copyUserPassword values travel in the same cleartext SNMPv2c packet. Restrict write communities to trusted management stations, or use SNMPv3.
Table 47-4. Copying Configuration Files via SNMP
Task: Copy the startup-config to the running-config using the following command from a UNIX machine:
snmpset -c private -v 2c force10system-ip-address copySrcFileType.index i 3 copyDestFileType.index i 2
Figure 47-9. Copying Configuration Files via SNMP using Object-Name Syntax
> snmpset -c public -v 2c -m ./f10-copy-config.mib 10.11.131.162 copySrcFileType.7 i 3 copyDestFileType.7 i 2
FORCE10-COPY-CONFIG-MIB::copySrcFileType.
Figure 47-12. Copying Configuration Files via SNMP and TFTP to a Remote Server
> snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.4 i 3 copyDestFileType.4 i 1 copyDestFileLocation.4 i 3 copyDestFileName.4 s /home/myfilename copyServerAddress.4 a 11.11.11.
To obtain a value for any of the MIB objects in Table 47-5, follow this step:
Step 1. Get a copy-config MIB object value:
snmpget -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address [OID.index | mib-object.index]
• index is the index value used in the snmpset command that completed the copy operation.
Note: You can use the entire OID rather than the object name. Use the form OID.index, as shown in Figure 47-15.
Create a VLAN
Use the dot1qVlanStaticRowStatus object to create a VLAN. The snmpset operation in the following figure creates VLAN 10 by setting instance 10 of dot1qVlanStaticRowStatus to 4 (the RowStatus value createAndGo).
Figure 47-16. Creating a VLAN Using SNMP
> snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4
SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.
Display the Ports in a VLAN FTOS identifies VLAN interfaces using an interface index number that is displayed in the output of the command show interface vlan, as shown in the following figure. Figure 47-18.
Figure 47-19 shows the output for an MXL Switch. All hex pairs are 00, indicating that no ports are assigned to VLAN 10. In the following figure, Port 0/2 is added to VLAN 10 as untagged, and the first hex pair changes from 00 to 40: ports are numbered from 1, and within each octet of the PortList the most significant bit is the lowest-numbered port, so port 0/2 is bit 0x40 of the first octet.
Figure 47-20.
In Figure 47-21, Port 0/2 is added as an untagged member of VLAN 10.
Figure 47-21. Adding Untagged Ports to a VLAN using SNMP
> snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786 x "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" .1.3.6.1.2.1.17.7.1.4.3.1.4.
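The PortList encoding behind the hex string in Figure 47-21, as an added example that is not part of the Dell guide. It assumes the MXL port numbering the guide gives (ports start at 1) and the Q-BRIDGE-MIB PortList convention (the most significant bit of the first octet is port 1), which is why port 0/2 becomes 0x40. The PortList width PORTLIST_OCTETS is an assumption to be matched to what a walk of the agent returns; the VLAN interface index and addresses are the figure's; the snmpset line is only rendered, never sent.

```python
"""Build and decode Q-BRIDGE-MIB PortList values for dot1qVlanStatic* objects.

Added example; not code from the Dell guide.  Assumptions: ports are numbered
from 1 as the guide states for the MXL Switch, and PortList follows the
Q-BRIDGE-MIB convention (octet n covers ports 8n+1..8n+8, most significant
bit = lowest-numbered port), which is why port 0/2 is "40" in Figure 47-21.
PORTLIST_OCTETS is an assumption: use the length your agent returns on a walk.
"""

# Standard Q-BRIDGE-MIB column OIDs used in the guide's snmpset examples.
DOT1Q_VLAN_STATIC_EGRESS_PORTS = ".1.3.6.1.2.1.17.7.1.4.3.1.2"
DOT1Q_VLAN_STATIC_UNTAGGED_PORTS = ".1.3.6.1.2.1.17.7.1.4.3.1.4"
PORTLIST_OCTETS = 57  # assumed width of the PortList value


def portlist_from_ports(ports, octets=PORTLIST_OCTETS):
    """Return the space-separated hex PortList for 1-based port numbers."""
    buf = bytearray(octets)
    for port in ports:
        if not 1 <= port <= 8 * octets:
            raise ValueError(f"port {port} outside 1..{8 * octets}")
        idx, bit = divmod(port - 1, 8)
        buf[idx] |= 0x80 >> bit  # MSB of each octet is its lowest-numbered port
    return " ".join(f"{b:02x}" for b in buf)


def ports_from_portlist(hexstr):
    """Inverse: parse the Hex-STRING printed by snmpwalk into 1-based port numbers."""
    ports = []
    for idx, octet in enumerate(bytes.fromhex(hexstr.replace(" ", ""))):
        for bit in range(8):
            if octet & (0x80 >> bit):
                ports.append(8 * idx + bit + 1)
    return ports


def vlan_membership_varbinds(vlan_ifindex, tagged, untagged, octets=PORTLIST_OCTETS):
    """Varbinds (oid, snmpset type, value) that set a VLAN's egress and untagged sets.

    The egress set must contain every member, tagged or untagged, and the
    untagged set must be a subset of it.  The instance is the VLAN's
    interface index (1107787786 in Figure 47-21).
    """
    if set(tagged) & set(untagged):
        raise ValueError("a port cannot be both tagged and untagged in one VLAN")
    members = sorted(set(tagged) | set(untagged))
    return [
        (f"{DOT1Q_VLAN_STATIC_EGRESS_PORTS}.{vlan_ifindex}", "x",
         portlist_from_ports(members, octets)),
        (f"{DOT1Q_VLAN_STATIC_UNTAGGED_PORTS}.{vlan_ifindex}", "x",
         portlist_from_ports(sorted(untagged), octets)),
    ]


def snmpset_command(agent, community, varbinds):
    """Render the equivalent net-snmp snmpset command line (for review; nothing is sent)."""
    args = " ".join(f'{oid} {typ} "{val}"' for oid, typ, val in varbinds)
    return f"snmpset -v2c -c {community} {agent} {args}"


if __name__ == "__main__":
    vb = vlan_membership_varbinds(1107787786, tagged=[], untagged=[2])
    print(snmpset_command("10.11.131.185", "mycommunity", vb))
    print("decoded egress ports:", ports_from_portlist(vb[0][2]))
```

Setting the untagged column without first (or simultaneously) adding the port to the egress column is the thing to check when an agent answers with an error: the untagged set must lie within the egress set, and the helper always sends both in that relationship.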
Enable and Disable a Port Using SNMP
Step 1. Create an SNMP community on the Dell Networking system. Command: snmp-server community (CONFIGURATION mode). The community needs write access, because changing the admin status sets ifAdminStatus.
Step 2. From the Dell Networking system, identify the interface index of the port for which you want to change the admin status. Or, from the management system, use the snmpwalk command to identify the interface index.
In Figure 47-23, R1 has one dynamic MAC address, learned on port TenGigabitEthernet 1/21, which is a member of the default VLAN, VLAN 1. The SNMP walk returns the values for dot1dTpFdbAddress, dot1dTpFdbPort, and dot1dTpFdbStatus. Each object instance is the column OID concatenated with an instance number. For these objects, the instance number is the MAC address written as six decimal octets: derive it by converting each hex pair of the MAC address to its decimal equivalent.
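A decoder for that walk, as an added example that is not part of the Dell guide. The column OIDs are the standard BRIDGE-MIB ones the guide names; the instance-to-MAC conversion is the rule the paragraph states. SAMPLE_WALK is constructed output in the form snmpwalk prints (the second MAC and the bridge port numbers are invented), and the consistency check flags a row whose dot1dTpFdbAddress value disagrees with the MAC in its own index.

```python
"""Decode a dot1dTpFdbTable walk (BRIDGE-MIB) into a MAC table.

Added example; not code from the Dell guide.  The column OIDs are the
standard BRIDGE-MIB ones the guide walks; the instance of each row is the
MAC address written as six decimal octets, so the instance and the
dot1dTpFdbAddress value must agree.  SAMPLE_WALK is constructed output in
the SNMPv2-SMI::mib-2 form snmpwalk prints; port numbers are invented.
"""
import re

FDB_ADDRESS = "1.3.6.1.2.1.17.4.3.1.1"   # dot1dTpFdbAddress
FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"      # dot1dTpFdbPort (bridge port number)
FDB_STATUS = "1.3.6.1.2.1.17.4.3.1.3"    # dot1dTpFdbStatus
FDB_STATUS_NAMES = {1: "other", 2: "invalid", 3: "learned", 4: "self", 5: "mgmt"}

SAMPLE_WALK = """\
SNMPv2-SMI::mib-2.17.4.3.1.1.0.1.232.6.149.172 = Hex-STRING: 00 01 E8 06 95 AC
SNMPv2-SMI::mib-2.17.4.3.1.1.0.80.86.190.0.1 = Hex-STRING: 00 50 56 BE 00 01
SNMPv2-SMI::mib-2.17.4.3.1.2.0.1.232.6.149.172 = INTEGER: 21
SNMPv2-SMI::mib-2.17.4.3.1.2.0.80.86.190.0.1 = INTEGER: 21
SNMPv2-SMI::mib-2.17.4.3.1.3.0.1.232.6.149.172 = INTEGER: 3
SNMPv2-SMI::mib-2.17.4.3.1.3.0.80.86.190.0.1 = INTEGER: 3
""".splitlines()


def mac_to_instance(mac):
    """'00:01:e8:06:95:ac' or '0001.e806.95ac' -> '0.1.232.6.149.172'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return ".".join(str(int(digits[i:i + 2], 16)) for i in range(0, 12, 2))


def instance_to_mac(instance):
    """'0.1.232.6.149.172' -> '00:01:e8:06:95:ac'."""
    parts = [int(p) for p in instance.split(".")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad FDB instance {instance!r}")
    return ":".join(f"{p:02x}" for p in parts)


def _numeric(oid):
    return oid.strip().replace("SNMPv2-SMI::mib-2.", "1.3.6.1.2.1.").lstrip(".")


def parse_fdb_walk(lines):
    """Group the three columns by instance; returns {instance: {mac, address, port, status}}."""
    entries = {}
    columns = ((FDB_ADDRESS, "address"), (FDB_PORT, "port"), (FDB_STATUS, "status"))
    for line in lines:
        oid, sep, rhs = line.partition("=")
        if not sep:
            continue
        oid = _numeric(oid)
        for col, key in columns:
            if not oid.startswith(col + "."):
                continue
            instance = oid[len(col) + 1:]
            _typ, _, value = rhs.strip().partition(":")
            value = value.strip()
            entry = entries.setdefault(instance, {"mac": instance_to_mac(instance)})
            if key == "address":
                entry["address"] = value.replace(" ", "").lower()
            elif key == "port":
                entry["port"] = int(value)
            else:
                entry["status"] = FDB_STATUS_NAMES.get(int(value), f"unknown({value})")
            break
    return entries


def inconsistent_rows(entries):
    """Instances whose dot1dTpFdbAddress value does not match the MAC in the index."""
    return sorted(i for i, e in entries.items()
                  if e.get("address") and e["address"] != e["mac"].replace(":", ""))


def macs_on_port(entries, port):
    """MACs currently learned on a bridge port (useful to spot a port learning far too many)."""
    return sorted(e["mac"] for e in entries.values() if e.get("port") == port)


if __name__ == "__main__":
    table = parse_fdb_walk(SAMPLE_WALK)
    for inst, e in table.items():
        print(inst, e["mac"], e["port"], e["status"])
    print("on port 21:", macs_on_port(table, 21))
```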
Deriving Interface Indices
FTOS assigns an interface index number to each physical and logical interface, configured or unconfigured. Display the interface index number using the show interface command from EXEC Privilege mode, as shown in Figure 47-26.
Figure 47-26.
Figure 47-28. Binary Representation of Interface Index
In the interface index, slot and port numbering begins at binary 1. On a platform that numbers slots and ports from 0, binary 1 therefore represents slot 0 and port 0. On the S4810 the first interface is 0/0, but on the MXL Switch the first interface is 0/1, so on the MXL Switch the index value that would correspond to 0/0 is unused; the index-creation logic itself is unchanged. Zero is reserved for logical interfaces, so port numbering in the index starts from 1.
If a MAC address is learned on the LAG, its status is shown for those entries as well.
dot3aCurAggVlanId   SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.1.1.0.0.0.0.0.1.1
dot3aCurAggMacAddr  SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1
dot3aCurAggIndex    SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.1
dot3aCurAggStatus   SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.
Entity MIB
The Entity MIB provides a mechanism for presenting hierarchies of physical entities using SNMP tables. The Entity MIB contains the following groups, which describe the physical and logical elements of a managed system. The following tables are implemented for the MXL Switch.
Physical Entity
A physical entity or physical component represents an identifiable physical resource within a managed system. Zero or more logical entities may use a physical resource at any given time.
A walk of entPhysicalDescr (1.3.6.1.2.1.47.1.1.1.1.2) on the MXL Switch returns the following:
> snmpwalk -c public -v 2c 10.16.130.135 1.3.6.1.2.1.47.1.1.1.1.2
SNMPv2-SMI::mib-2.47.1.1.1.1.2.1 = ""
SNMPv2-SMI::mib-2.47.1.1.1.1.2.2 = STRING: "PowerConnect MXL 10/40GbE"
SNMPv2-SMI::mib-2.47.1.1.1.1.2.3 = STRING: "Module 0"
SNMPv2-SMI::mib-2.47.1.1.1.1.2.4 = STRING: "Unit: 0 Port 1 10G Level"
SNMPv2-SMI::mib-2.47.1.1.1.1.2.5 = STRING: "Unit: 0 Port 2 10G Level"
SNMPv2-SMI::mib-2.47.1.1.
SNMPv2-SMI::mib-2.47.1.1.1.1.2.77 = STRING: "Unit: 1 Port 10 10G Level"
SNMPv2-SMI::mib-2.47.1.1.1.1.2.78 = STRING: "Unit: 1 Port 11 10G Level"
SNMPv2-SMI::mib-2.47.1.1.1.1.2.79 = STRING: "Unit: 1 Port 12 10G Level"
SNMPv2-SMI::mib-2.47.1.1.1.1.2.80 = STRING: "Unit: 1 Port 13 10G Level"
SNMPv2-SMI::mib-2.47.1.1.1.1.2.81 = STRING: "Unit: 1 Port 14 10G Level"
SNMPv2-SMI::mib-2.47.1.1.1.1.2.82 = STRING: "Unit: 1 Port 15 10G Level"
SNMPv2-SMI::mib-2.47.1.1.1.1.2.
SNMPv2-SMI::mib-2.47.1.1.1.1.2.158 =
SNMPv2-SMI::mib-2.47.1.1.1.1.2.159 =
SNMPv2-SMI::mib-2.47.1.1.1.1.2.160 =
SNMPv2-SMI::mib-2.47.1.1.1.1.2.161 =
SNMPv2-SMI::mib-2.47.1.1.1.1.2.162 =
SNMPv2-SMI::mib-2.47.1.1.1.1.2.163 =
SNMPv2-SMI::mib-2.47.1.1.1.1.2.164 =
SNMPv2-SMI::mib-2.47.1.1.1.1.2.165 =
SNMPv2-SMI::mib-2.47.1.1.1.1.2.169 =
SNMPv2-SMI::mib-2.47.1.1.1.1.2.170 =
SNMPv2-SMI::mib-2.47.1.1.1.1.2.174 =
SNMPv2-SMI::mib-2.47.1.1.1.1.2.175 =
SNMPv2-SMI::mib-2.47.1.1.1.1.2.
48 Stacking
Overview
Stacking is supported on an MXL 10/40GbE Switch on the base-module 40GbE ports or on a 2-Port 40GbE QSFP+ module. You can connect up to six MXL 10/40GbE Switches in a single stack. Stacking provides a single point of management and network interface controller (NIC) teaming for high availability and higher throughput.
Figure 48-1. Four Stacked MXL 10/40GbE Switches (10GbE LAN uplinks (LAG), 40GbE stack links, member switches, master switch, standby switch)
Stack Management Roles
The stack elects the management units for the stack management:
• Stack master: primary management unit
• Standby: secondary management unit
The master holds the control plane and the other units maintain a local copy of the forwarding databases.
If the master switch goes offline, the standby replaces it as the new master, and the switch with the next highest priority or MAC address becomes the standby.
Note: For the MXL Switch, the entire stack has only one management IP address.
Stack Master Election
The stack elects a master and standby unit at bootup time based on two criteria:
• Unit priority: This is user-configurable. Valid values are from 1 to 14. A higher value means a higher priority. The default is 0.
Supported Stacking Topologies Stacking is supported on the MXL Switch in ring and daisy-chain topologies. Example 1: Dual-Ring Stack Across Multiple Chassis Using two separate stacks in a dual-ring stacking topology provides redundancy and increased high availability in case of stack failure. Also, stacking upgrades are simplified when you have to take one stack offline (Figure 48-3).
Example 2: Dual Daisy-Chain Stack Across Multiple Chassis
Using two separate, daisy-chained stacks in a stacking topology provides redundancy and increased high availability in case of stack failure. Also, stacking upgrades are simplified when you have to take one stack offline (Figure 48-4).
Figure 48-4.
Stack Group/Port Numbers By default, each switch in Standalone mode is numbered stack-unit 0. Stack-unit numbers are assigned to member switches when the stack comes up. Figure 48-5 shows the stack-group numbers of 40GbE ports on an MXL 10/40GbE Switch. Figure 48-5.
Stacking Prerequisites
Before you cable and configure a stack of MXL 10/40GbE Switches, review the following prerequisites:
• All MXL 10/40GbE Switches in the stack must be powered up with the initial or startup configuration before you attach the cables.
• All stacked MXL 10/40GbE Switches must run the same FTOS version. The minimum FTOS version required is 8.3.16.0.
• To check the FTOS version that a switch is running, use the show version command.
Cabling Procedure
The following cabling procedure uses the stacking topology in Figure 48-1. Follow the same steps to cable switches in any of the stacking topologies shown in Supported Stacking Topologies. To connect the cabling, follow these steps:
1. Connect a 40GbE port on the first switch to a 40GbE port on the second switch.
2. Connect another 40GbE port on the second switch to a 40GbE port on the third switch.
3. Connect another 40GbE port on the third switch to a 40GbE port on the fourth switch.
4.
Step 3. Configure a 40GbE port for stacking mode. Command: stack-unit unit-number stack-group group-number (CONFIGURATION mode), where:
• stack-unit unit-number is the unit number of the member stack unit. Valid values: 0 to 5. Default value: 0.
• stack-group group-number is the number of the stacked port on the unit. Valid values: 0 to 1 (Figure 48-5).
Step 4. Save the stacking configuration on the 40GbE ports. Command: write memory (EXEC PRIVILEGE mode), then reload (EXEC PRIVILEGE mode).
Renumbering a Stack Unit
To renumber a stack unit, that is, to reset the unit numbering for a master, standby, or member unit, enter the stack-unit renumber command in EXEC Privilege mode and reload the switch.
Task: Assign a stack number to a unit. Command: stack-unit unit-number renumber new-number (EXEC Privilege mode)
• If you renumber the master switch, you are prompted to reload the entire stack.
FTOS Behavior: Stacking configuration is handled as follows on an MXL 10/40GbE Switch:
• If a stack unit goes down and is removed from the stack, the logical provisioning configured for the stack-unit number is saved on the master and standby switches.
• When you add a new unit to the stack and the stack already has an existing member unit with the same stack-unit number, the new unit is assigned the smallest available unit number (0 to 5).
To remove a stack port, use the following command:
Task: Remove a stacked port from a stack. Commands: no stack-unit unit-number stack-group group (CONFIGURATION mode), then end, write memory, and reload.
When the reload completes, the port comes up in 40GbE mode if it is on the base module and in 4x10GbE (quad) mode if the port is on a FlexIO module, such as a 2-Port 40GbE QSFP+ module.
Step 4. Configure a 40GbE port for stacking. Command: stack-unit 0 stack-group group-number (CONFIGURATION mode), where:
• stack-unit 0 defines the default unit number in the initial configuration of a switch.
• stack-group group-number configures a 40GbE port for stacking. Base-module ports are stack groups 0 and 1; 40GbE ports on a FlexIO module in slot 0 are stack groups 2 and 3, and in slot 1 are stack groups 4 and 5 (Figure 48-5).
• If there is no unit numbering conflict, the stack members retain their previous unit numbers. Otherwise, the stack master assigns new unit numbers, based on the order in which they come online.
• The new stack master uses its own startup and running configurations to synchronize the configurations on the new stack members.
Note: Adding a new unit that is powered on and has stack groups configured is the same as merging two stacks (refer to Adding a Stack Unit).
Reset a Unit on a Stack
Use the following reset commands to reload any of the member units or the standby in a stack. If you try to reset the stack master, an error message is displayed: Reset of master unit is not allowed.
Task: Reload a stack unit from the master switch. Command: reset stack-unit unit-number (EXEC Privilege mode)
Task: Reload a member unit from the unit itself. Command: reset-self (EXEC Privilege mode)
Task: Reset a stack-unit when the unit is in a problem state.
Table 48-2. Displaying Stack Configurations
Command: show system stack-ports [status | topology]
Output: Displays the type of stack topology (ring or daisy chain) with a list of all stacked ports, port status, link speed, and peer stack-unit connection. (Figure 48-13)
Figure 48-8.
Figure 48-10. show inventory optional-module Command Example
FTOS# show inventory optional-module
Unit  Slot  Expected  Inserted  Next Boot  Power
-----------------------------------------------------
0     0     SFP+      SFP+      AUTO       Good
0     1     QSFP+     QSFP+     AUTO       Good
* - Mismatch
Figure 48-11. show system stack-unit stack-group configured Command Example
FTOS# show system stack-unit 1 stack-group configured
Configured stack groups in stack-unit 1
---------------------------------------
0
1
4
5
Figure 48-12.
Figure 48-13. show system stack-ports (ring) Command Example
FTOS# show system stack-ports
Topology: Ring
Interface  Connection  Link Speed (Gb/s)  Admin Status  Link Status
0/33       1/37        40                 up            up
0/37       2/33        40                 up            up
0/41       1/49        40                 up            up
0/45       2/53        40                 up            up
1/33       2/37        40                 up            up
1/37       0/33        40                 up            up
1/49       0/41        40                 up            up
1/53       2/49        40                 up            up
2/33       0/37        40                 up            up
2/37       1/33        40                 up            up
2/49       1/53        40                 up            up
2/53       0/45        40                 up            up
Figure 48-14.
Troubleshooting a Switch Stack Troubleshooting Commands To perform troubleshooting operations on a switch stack, use the commands in Table 48-3 on the master switch. Table 48-3. Troubleshooting Stack Commands Command Output show system stack-ports (Figure 48-15) Displays the status of stacked ports on stack units.
Figure 48-16. show redundancy Command Example
FTOS#show redundancy
-- Stack-unit Status --
------------------------------------------------
Mgmt ID:                    0
Stack-unit ID:              0
Stack-unit Redundancy Role: Primary      (indicates the master unit)
Stack-unit State:           Active
Master Switch Fails
Problem: The master switch fails due to a hardware fault, software crash, or power loss.
Resolution: A failover procedure begins:
1. Keep-alive messages from the MXL 10/40GbE master switch time out after 60 seconds and the switch is removed from the stack.
2. The standby switch takes the master role. Data traffic on the new master switch is uninterrupted. Protocol traffic is managed by the control plane.
3. A member switch is elected as the new standby.
Master Switch Recovers from Failure
Problem: The master switch recovers from a failure after a reboot and rejoins the stack:
• as a member unit if there is already a standby
• as a standby if there is no standby in the stack
Protocol and control plane recovery requires time before the switch is fully online.
Resolution: When the entire stack is reloaded, the recovered master switch becomes the master unit of the stack.
Upgrading a Switch Stack
To upgrade all switches in a stack with the same FTOS version, follow these steps:
Step 1. Copy the new FTOS image to a network server.
Step 2. Download the FTOS image by accessing an interactive CLI that requests the server IP address and image filename, and prompts you to upgrade all member stack units. Specify the system partition on the master switch into which you want to copy the FTOS image; valid values are a: and b:.
Upgrading a Single Stack Unit
Upgrading a single stacked switch is necessary when the unit was disabled due to an incorrect FTOS version. This procedure upgrades the image in the boot partition of the member unit from the corresponding partition in the master unit.
49 Storm Control
This chapter contains the following sections:
• Overview
• Configuring Storm Control
Overview
The storm control feature allows you to control unknown-unicast and broadcast traffic on Layer 2, Layer 3, and multicast physical interfaces.
FTOS Behavior: The Dell Networking operating software (FTOS) supports broadcast control (storm-control broadcast command) for Layer 2 and Layer 3 traffic.
FTOS Behavior: The minimum number of packets per second (PPS) that storm control can limit is two.
You can configure storm control for ingress traffic in CONFIGURATION mode.
50 Spanning Tree Protocol (STP)
Overview
The spanning tree protocol (STP) is a Layer 2 protocol, specified by IEEE 802.1D, that eliminates loops in a bridged topology by enabling only a single path through the network. By eliminating loops, the protocol improves scalability in a large network and allows you to implement redundant paths, which can be activated after the failure of active paths.
Configuring Spanning Tree
Configuring STP is a two-step process:
1. Configure interfaces for Layer 2.
2. Enable STP.
Configuring Interfaces for Layer 2 Mode
All interfaces on all switches that participate in STP must be in Layer 2 mode and enabled.
Figure 50-1. Example of Configuring Interfaces for Layer 2 Mode
To configure the interfaces for Layer 2 and then enable them, follow these steps:
Step 1. If the interface has been assigned an IP address, remove it. Command: no ip address (INTERFACE mode)
Step 2. Place the interface in Layer 2 mode. Command: switchport (INTERFACE mode)
Step 3. Enable the interface.
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode (Figure 50-2).
Figure 50-2. show config Command Example
FTOS(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 no ip address
 switchport        <- indicates that the interface is in Layer 2 mode
 no shutdown
FTOS(conf-if-te-1/1)#
Enabling Spanning Tree Protocol Globally
You must enable STP globally; it is not enabled by default.
Figure 50-4. Spanning Tree Enabled Globally
To view the STP configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output (Figure 50-5).
Figure 50-5. show spanning-tree 0 Command Example
FTOS#show spanning-tree 0
Executing IEEE compatible Spanning Tree Protocol
Bridge Identifier has priority 32768, address 0001.e826.
To confirm that a port is participating in STP, use the show spanning-tree 0 brief command from EXEC privilege mode (Figure 50-6).
Figure 50-6. show spanning-tree brief Command Example
FTOS#show spanning-tree 0 brief
Executing IEEE compatible Spanning Tree Protocol
Root ID    Priority 32768, Address 0001.e80d.2462
We are the root of the spanning tree
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID  Priority 32768, Address 0001.e80d.
Modifying Global Parameters You can modify the STP parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP. Note: Dell Networking recommends that only experienced network administrators change the STP parameters. Poorly planned modification of the STP parameters can negatively impact network performance. Table 50-2.
Modifying Interface STP Parameters
You can set the port cost and port priority values of interfaces in Layer 2 mode.
• Port cost is a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority influences the likelihood that a port is selected to be a forwarding port when several ports have the same port cost.
The default values are listed in Table 50-2.
To enable PortFast on an interface, use the following command:
Task: Enable PortFast on an interface. Command: spanning-tree stp-id portfast [bpduguard [shutdown-on-violation] | bpdufilter] (INTERFACE mode)
Enable PortFast only on ports that connect to end hosts, and pair it with bpduguard so that a port that unexpectedly receives a BPDU is blocked (or shut down, with shutdown-on-violation) rather than allowed to influence the topology.
To verify that PortFast is enabled on a port, use the show spanning-tree command from EXEC privilege mode or the show config command from INTERFACE mode. Dell Networking recommends using the show config command (Figure 50-7).
Figure 50-7.
Note: Unless you enable the shutdown-on-violation option, STP only drops packets after a BPDU violation; the physical interface remains up, as shown below:
FTOS#show spanning-tree 0 brief
Executing IEEE compatible Spanning Tree Protocol
Root ID    Priority 32768, Address 0001.e88a.fdb3
Cost 1
Root Port 2 (Port-channel 1)
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID  Priority 32768, Address 001e.c9f1.
Figure 50-8. Enabling BPDU Guard
FTOS Behavior: BPDU guard blocks BPDUs (refer to Removing an Interface from the Spanning Tree Group).
• BPDU guard is used on edge ports and blocks all traffic on the edge port if it receives a BPDU.
BPDU Filtering
Global BPDU Filtering
When BPDU filtering is enabled globally, operational PortFast-enabled ports stop transmitting BPDUs by default. If such a port receives a BPDU, it automatically participates in the spanning tree again.
Figure 50-9. BPDU Filtering enabled globally
Interface BPDU Filtering
When BPDU filtering is enabled on an interface, the PortFast-enabled port stops sending and receiving BPDUs. If both BPDU guard and BPDU filtering are enabled on a port, BPDU filtering takes precedence: the port ignores received BPDUs, so BPDU guard never triggers and a loop introduced through that port is not detected. Enable interface BPDU filtering only where no bridge can be attached. By default, BPDU filtering on an interface is disabled.
Figure 50-10.
STP Root Selection
STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command:
Task: Assign a number as the bridge priority or designate it as the root or secondary root. priority-value range: 0 to 65535.
In STP topology 2 (Figure 50-12 upper right), STP is enabled on device D, on which a software bridge application is started to connect to the network. Because the priority of the bridge in device D is lower than that of the root bridge in Switch A, device D is elected as root, causing the link between Switches A and B to enter a Blocking state. Network traffic then begins to flow in the directions indicated by the BPDU arrows in the topology.
Figure 50-12.
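The election that lets device D take over, and what root guard changes about it, as an added example that is not part of the Dell guide. It models the bridge ID as (priority, MAC) with the lowest value winning, and root guard as refusing a superior BPDU on a guarded port and holding that port Root-Inconsistent until the superior BPDUs stop. Bridge names, MAC addresses, priorities and port names are constructed for the example.

```python
"""Bridge ID comparison and root guard behaviour (added example, not Dell code).

The bridge ID is (priority, MAC address) and the lowest value wins the root
election, which is why the low-priority software bridge on device D in
Figure 50-12 takes over from Switch A.  With root guard on the port facing D,
the superior BPDU is not honoured; the port goes Root-Inconsistent instead
and recovers when superior BPDUs stop.  Bridge names, MACs and priorities are
constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int
    mac: str  # "xxxx.xxxx.xxxx", lowercase, so string order equals numeric order

    def __post_init__(self):
        if not 0 <= self.priority <= 65535:
            raise ValueError("bridge priority must be 0..65535")


@dataclass
class Bridge:
    name: str
    bridge_id: BridgeId
    root_guard_ports: set = field(default_factory=set)
    root: BridgeId = None
    root_inconsistent: set = field(default_factory=set)

    def __post_init__(self):
        self.root = self.bridge_id  # every bridge starts out believing it is the root


def receive_bpdu(bridge, port, advertised_root):
    """Apply the root ID carried by a BPDU received on `port`.

    Returns "accepted" (new root adopted), "root-inconsistent" (superior BPDU
    rejected by root guard, port blocked) or "inferior" (no change).
    """
    if advertised_root < bridge.root:
        if port in bridge.root_guard_ports:
            bridge.root_inconsistent.add(port)
            return "root-inconsistent"
        bridge.root = advertised_root
        return "accepted"
    bridge.root_inconsistent.discard(port)  # superior BPDUs stopped: port recovers
    return "inferior"


def elect_root(bridges):
    """Name of the bridge that wins when every BPDU is honoured (no guard anywhere)."""
    return min(bridges, key=lambda b: b.bridge_id).name


if __name__ == "__main__":
    a = Bridge("Switch A", BridgeId(32768, "0001.e80d.2462"), root_guard_ports={"Te 0/5"})
    b = Bridge("Switch B", BridgeId(32768, "0001.e826.0000"))
    d = Bridge("device D", BridgeId(4096, "0001.e8ff.0001"))
    print("unguarded election winner:", elect_root([a, b, d]))
    print("A hears D on Te 0/5:", receive_bpdu(a, "Te 0/5", d.bridge_id), "- root still", a.root)
```

The same comparison explains why lowering a bridge's priority (STP Root Selection, above) works: priority is the first element of the tuple, so it outranks any MAC address.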
Root Guard Configuration
You enable STP root guard on a per-port or per-port-channel basis.
FTOS Behavior: The following conditions apply to a port enabled with STP root guard:
• Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
Displaying STP Guard Configuration
To verify the STP guard configured on port or port-channel interfaces, use the show spanning-tree 0 guard [interface interface] command. Figure 50-13 shows an example for an STP network (instance 0) in which:
• Root guard is enabled on a port that is in a Root-Inconsistent state.
• BPDU guard is enabled on a port that is shut down (Error Disabled state) after receiving a BPDU.
• BPDU filter is disabled on the ports.
Figure 50-13.
51 System Time and Date
You can set and maintain system times and dates through the network time protocol (NTP). You can also set them through the Dell Networking operating software (FTOS) command line interface (CLI) and hardware settings.
NTP is designed to produce three products: clock offset, roundtrip delay, and dispersion, all of which are relative to a selected reference clock.
• Clock offset represents the amount to adjust the local clock to bring it into correspondence with the reference clock.
• Roundtrip delay provides the capability to launch a message to arrive at the reference clock at a specified time.
• Dispersion represents the maximum error of the local clock relative to the reference clock.
Figure 51-1. NTP Fields (figure): a UDP header with Source Port (123), Destination Port (123), Length and Checksum, followed by the NTP packet payload. Labelled payload fields include the Leap Indicator (code 00: no warning, 01: +1 second, 10: -1 second, 11: reserved), Status, Type, Precision, Est. Error and Est. (a range of +32 to -32 is marked on one field).
To specify an NTP server, use the following command.
Task: Specify the NTP server to which the Dell Networking system will synchronize. Command: ntp server ip-address (CONFIGURATION mode)
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode (Figure 51-2).
Figure 51-2. show ntp status Command Example (with respect to NTP)
FTOS(conf)#do show ntp status
Clock is synchronized, stratum 2, reference is 192.168.1.
Configure NTP Broadcasts
With FTOS, you can receive broadcasts of time information. You can set interfaces within the system to receive NTP information through broadcast. A broadcast client accepts time from any sender on the segment unless NTP authentication (ntp authenticate with trusted keys, Figure 51-5) is also configured. To configure an interface to receive NTP broadcasts, use the following command in INTERFACE mode:
Task: Set the interface to receive NTP packets. Command: ntp broadcast client (INTERFACE mode)
Table 51-1. ntp broadcast client Command Example
2w1d11h : NTP: Maximum Slew:-0.000470, Remainder = -0.
To configure an IP address as the source address of NTP packets, use the following command in CONFIGURATION mode:
Command: ntp source interface (CONFIGURATION mode)
Purpose: Enter the following keywords and slot/port or number information:
• For a loopback interface, enter the keyword loopback followed by a number between 0 and 16383.
• For a port channel interface, enter the keyword lag followed by a number from 1 to 128.
Figure 51-5. show running-config ntp Command Example
FTOS#show running ntp
!
ntp authenticate
ntp authentication-key 345 md5 5A60910F3D211F02     <- encrypted key
ntp server 11.1.1.1 version 3
ntp trusted-key 345
FTOS#
Command: ntp server ip-address [key keyid] [prefer] [version number] (CONFIGURATION mode)
Purpose: Configure an NTP server.
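What the client side of this configuration computes, as an added example that is not part of the Dell guide and not FTOS code. It serves both the clock offset and roundtrip delay products described at the start of the chapter (the RFC 5905 formulas) and the symmetric-key authentication shown in Figure 51-5 (key ID followed by MD5 over key || 48-byte header, as in RFC 5905 Appendix A). Key ID 345 is taken from the figure; the key bytes, the server address, the stratum and the timestamps are constructed, and the packet is built and checked in memory rather than sent.

```python
"""NTP client arithmetic and symmetric-key MAC verification.

Added example, not Dell code.  offset/delay follow RFC 5905 (the "clock
offset" and "roundtrip delay" the chapter names); the MAC is the RFC 5905
Appendix A symmetric-key scheme that `ntp authentication-key <id> md5 <key>`
configures: key ID (4 bytes) + MD5(key || 48-byte header).  Key ID 345 is
taken from Figure 51-5; the key bytes, addresses and timestamps are constructed.
"""
import hashlib
import hmac
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
HEADER_FMT = "!BBbbIIIQQQQ"  # 48-byte NTP header
TRUSTED_KEYS = {345: b"example-shared-secret"}  # constructed; mirrors "ntp trusted-key 345"


def to_ntp_ts(unix_seconds):
    """Unix float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = min(int(round((unix_seconds - whole) * 2**32)), 2**32 - 1)
    return ((whole + NTP_UNIX_DELTA) << 32) | frac


def from_ntp_ts(ts):
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / 2**32


def build_header(mode, stratum, ref_id, t_ref, t_org, t_rec, t_xmt, version=3):
    li_vn_mode = (0 << 6) | (version << 3) | mode  # LI 0 = no leap warning
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20, 0, 0, ref_id,
                       t_ref, t_org, t_rec, t_xmt)


def append_mac(header, key_id, key):
    """Authenticate a packet the way an NTP server with a symmetric key does."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify_mac(packet, keys):
    """Return the key ID that authenticates `packet`, or None (no MAC, unknown key, bad digest)."""
    if len(packet) != 48 + 4 + 16:
        return None
    header, (key_id,), digest = packet[:48], struct.unpack("!I", packet[48:52]), packet[52:]
    key = keys.get(key_id)
    if key is None:
        return None
    expected = hashlib.md5(key + header).digest()
    return key_id if hmac.compare_digest(expected, digest) else None


def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905: offset = ((t2 - t1) + (t3 - t4)) / 2, delay = (t4 - t1) - (t3 - t2)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def make_server_reply(t1_ts, t2_ts, t3_ts, key_id, key):
    """What the server sends: mode 4, our transmit time echoed as originate."""
    header = build_header(4, 2, 0xC0A80101, t2_ts - (100 << 32), t1_ts, t2_ts, t3_ts)
    return append_mac(header, key_id, key)


def client_sync(reply, t1_ts, t4_ts, keys=TRUSTED_KEYS):
    """Validate a server reply and return (offset, delay) in seconds, or None.

    A reply is rejected when its MAC does not verify, when it is not a server
    packet, or when its originate timestamp is not the request we sent
    (RFC 5905's bogus-packet check, which defeats blind replies and replays).
    """
    if verify_mac(reply, keys) is None:
        return None
    li_vn_mode, _, _, _, _, _, _, _, t_org, t_rec, t_xmt = struct.unpack(HEADER_FMT, reply[:48])
    if li_vn_mode & 0x7 != 4 or t_org != t1_ts:
        return None
    return offset_and_delay(from_ntp_ts(t1_ts), from_ntp_ts(t_rec),
                            from_ntp_ts(t_xmt), from_ntp_ts(t4_ts))


if __name__ == "__main__":
    t1, t4 = to_ntp_ts(1_700_000_000.0), to_ntp_ts(1_700_000_000.3)  # client clock
    t2, t3 = to_ntp_ts(1_700_000_001.1), to_ntp_ts(1_700_000_001.2)  # server clock, 1 s ahead
    reply = make_server_reply(t1, t2, t3, 345, TRUSTED_KEYS[345])
    print(client_sync(reply, t1, t4))                         # offset ~1.0 s, delay ~0.2 s
    print(client_sync(reply, t1, t4, {345: b"wrong-key"}))    # None
```

The key is a shared secret: every host that can verify the MAC can also forge it, so the scheme authenticates a server to clients that hold the same key but gives no protection against a compromised client, and MD5 here is a keyed digest whose strength rests on the key staying secret.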
• Leap Indicator (sys.leap, peer.leap, pkt.leap): This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
FTOS Time and Date You can set the time and date using the FTOS CLI.
Set the Time and Date for the Switch Software Clock
You can change the order of the month and day parameters to enter the time and date as time day month year. You cannot delete the software clock. The software clock runs only when the software is up. The clock restarts, based on the hardware clock, when the switch reboots.
FTOS#conf
FTOS(conf)#clock timezone Pacific -8
FTOS#
Set Daylight Savings Time
FTOS supports setting the system to daylight savings time once or on a recurring basis every year.
Set Daylight Saving Time Once
Set a date (and time zone) on which to convert the switch to daylight savings time on a one-time basis.
FTOS(conf)#clock summer-time pacific date Mar 14 2012 00:00 Nov 7 2012 00:00
FTOS(conf)#
Set Recurring Daylight Saving Time
Set a date (and time zone) on which to convert the switch to daylight savings time on a specific day every year. If you have already set daylight savings for a one-time setting, you can set that date and time as the recurring setting using the clock summer-time time-zone recurring command.
• end-week: If you entered a start-week, enter one of the following as the week in which daylight savings time ends:
  • week-number: enter a number from 1 to 4 as the number of the week to end daylight savings time.
  • first: enter the keyword first to end daylight savings time in the first week of the month.
  • last: enter the keyword last to end daylight savings time in the last week of the month.
• end-month: Enter the name of one of the 12 months in English.
52 Configuring a Tunnel
You can configure a tunnel in IPv6 mode, IPv6IP mode, and IPIP mode.
• If the tunnel mode is IPIP or IPv6IP, the tunnel source address and the tunnel destination address must both be IPv4 addresses.
• If the tunnel mode is IPv6, the tunnel source address and the tunnel destination address must both be IPv6 addresses.
The following sample configuration shows a tunnel configured in IPv6IP mode (an IPv4 tunnel that carries IPv6 traffic only):
FTOS(conf-if-tu-22)#sho c
!
interface Tunnel 22
 no ip address
 tunnel destination 23.22.21.3
 tunnel source 23.22.22.3
 tunnel mode ipv6ip
 no shutdown
FTOS(conf-if-tu-22)#ipv6 address 5adb::3/64
FTOS(conf-if-tu-22)#sho c
!
interface Tunnel 22
 no ip address
 ipv6 address 5adb::3/64
 tunnel destination 23.22.21.3
 tunnel source 23.22.22.
53 Uplink Failure Detection (UFD)
Feature Description
Uplink Failure Detection (UFD) provides detection of the loss of upstream connectivity and, if used with NIC teaming, automatic recovery from a failed link. A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 53-1. Uplink Failure Detection
How Uplink Failure Detection Works
UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 53-2. Uplink Failure Detection Example
If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a link-down state. This number is user-configurable and is calculated from the ratio of upstream port bandwidth to downstream port bandwidth in the same uplink-state group.
Important Points to Remember
When you configure Uplink Failure Detection, the following conditions apply:
• You can configure up to sixteen uplink-state groups. By default, no uplink-state groups are created.
• An uplink-state group is considered to be operationally up if it has at least one upstream interface in the link-up state.
• An uplink-state group is considered to be operationally down if it has no upstream interfaces in the link-up state.
Configuring Uplink Failure Detection
To configure Uplink Failure Detection, follow these steps:
Step 1: uplink-state-group group-id (Command Mode: CONFIGURATION). Creates an uplink-state group and enables the tracking of upstream links on the switch/router. Valid group-id values are 1 to 16. To delete an uplink-state group, enter the no uplink-state-group group-id command.
Step 5: description text (Command Mode: UPLINK-STATE-GROUP). (Optional) Enters a text description of the uplink-state group. Maximum length: 80 alphanumeric characters.
Step 6: no enable (Command Mode: UPLINK-STATE-GROUP). (Optional) Disables upstream-link tracking without deleting the uplink-state group. Default: Upstream-link tracking is automatically enabled in an uplink-state group.
Message 1 shows the Syslog messages displayed when you clear the UFD-disabled state from all disabled downstream interfaces in an uplink-state group by entering the clear ufd-disable uplink-state-group group-id command. All downstream interfaces return to an operationally up state.
Displaying Uplink Failure Detection
To display information on the Uplink Failure Detection feature, enter any of the following show commands:
show uplink-state-group [group-id] [detail] (Command Mode: EXEC): Displays status information on a specified uplink-state group or all groups. Valid group-id values are 1 to 16. The detail keyword displays additional status information on the upstream and downstream interfaces in each group (see Figure 53-3).
Sample Configuration: Uplink Failure Detection
Figure 53-7 shows a sample configuration of Uplink Failure Detection on a switch/router in which you:
• Configure uplink-state group 3.
• Add downstream links TenGigabitethernet 0/1, 0/2, 0/5, 0/9, 0/11, and 0/12.
• Configure two downstream links to be disabled if an upstream link fails.
• Add upstream links TenGigabitethernet 0/3 and 0/4.
• Add a text description for the group.
• Verify the configuration with various show commands.
54 Upgrade Procedures
Find the Upgrade Procedures
To see all the requirements to upgrade to the desired Dell Networking operating software (FTOS) version, go to the FTOS Release Notes for your system type. Follow the procedures in the FTOS Release Notes for the software version you wish to upgrade to.
Get Help with Upgrades
Direct any questions or concerns about the FTOS Upgrade Procedures to the Dell Networking Technical Support Center. You can reach Technical Support:
• On the Web: www.
55 Virtual LANs (VLAN)
This section contains the following subsections:
• Default VLAN
• Port-Based VLANs
• VLANs and Port Tagging
• Configuration Task List for VLANs
• Enable Null VLAN as the Default VLAN
Virtual LANs (VLANs) are a logical broadcast domain, or logical grouping of interfaces in a LAN, in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices.
Table 55-1 lists the defaults for VLANs in FTOS.
Table 55-1. VLAN Defaults on FTOS
Feature: Default
Spanning Tree group ID: All VLANs are part of Spanning Tree group 0
Mode: Layer 2 (no IP address is assigned)
Default VLAN ID: VLAN 1
Default VLAN
When you configure interfaces for Layer 2 mode, they are automatically placed in the default VLAN as untagged interfaces. Only untagged interfaces can belong to the default VLAN.
Untagged interfaces must be part of a VLAN. To remove an untagged interface from the default VLAN, you must create another VLAN and place the interface into that VLAN. Alternatively, use the no switchport command, and FTOS removes the interface from the default VLAN. A tagged interface requires an additional step to remove it from Layer 2 mode. Because tagged interfaces can belong to multiple VLANs, you must remove the tagged interface from all VLANs using the no tagged interface command.
The tag header contains some key information used by FTOS:
• The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specification (2 bytes).
• Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved.
Note: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1518 bytes specified in the IEEE 802.3 standard.
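As an added example (not code from the Dell guide or FTOS), the following parser decodes the 802.1Q tag header just described, flags the two reserved VLAN IDs and the over-1518-byte condition, and counts stacked tag headers so a VLAN-aware monitor can report frames carrying more tags than a port is configured for; the frame bytes are constructed by its build_frame() helper.

```python
"""Parse the IEEE 802.1Q tag header of an Ethernet frame.

Added example; not code from the Dell guide or FTOS. It decodes the 2-byte
tag protocol identifier (TPID) and the 2-byte tag control information (TCI)
described above, flags the two reserved VLAN IDs (0 and 4095), notes when a
frame exceeds the 1518-byte IEEE 802.3 limit, and counts stacked tag headers
so a VLAN-aware monitor can report frames that carry more tags than the port
is configured for. All frame bytes are constructed by build_frame().
"""
import struct

TPID_8021Q = 0x8100          # customer tag (IEEE 802.1Q)
TPID_8021AD = 0x88A8         # service tag (IEEE 802.1ad provider bridging)
RESERVED_VIDS = {0, 4095}    # the "two reserved" values of the 12-bit VLAN ID
ETH_UNTAGGED_MAX = 1518      # IEEE 802.3 maximum untagged frame size (bytes)


def parse_tci(tci: int) -> dict:
    """Split the 16-bit TCI into PCP (3 bits), DEI (1 bit) and VID (12 bits)."""
    vid = tci & 0x0FFF
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": vid,
            "vid_reserved": vid in RESERVED_VIDS}


def parse_frame(frame: bytes) -> dict:
    """Walk the Ethernet header and peel every 802.1Q/802.1ad tag header present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame ends inside the Ethernet/tag header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break                               # reached the payload EtherType
        if offset + 4 > len(frame):
            raise ValueError("truncated tag header")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, **parse_tci(tci)})
        offset += 4                             # each tag header is 4 bytes
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload_offset": offset + 2,
            "oversize_for_untagged": len(frame) > ETH_UNTAGGED_MAX}


def tag_anomalies(frame: bytes, expected_tags: int = 1) -> list:
    """Return the anomalies a monitor on a tagged port would report for this frame."""
    info = parse_frame(frame)
    problems = []
    for tag in info["tags"]:
        if tag["vid_reserved"]:
            problems.append("reserved VLAN ID %d in tag header" % tag["vid"])
    if len(info["tags"]) > expected_tags:
        problems.append("%d stacked tag headers, expected at most %d"
                        % (len(info["tags"]), expected_tags))
    if info["oversize_for_untagged"] and not info["tags"]:
        problems.append("untagged frame of %d bytes exceeds 1518" % len(frame))
    return problems


def build_frame(vids, payload: bytes = bytes(46)) -> bytes:
    """Construct a sample IPv4 frame carrying the given stack of 802.1Q VIDs (test data)."""
    header = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for vid in vids:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", 0x0800) + payload
```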
To view the configured VLANs, use the show vlan command in EXEC privilege mode (Figure 55-3).
To tag frames leaving an interface in Layer 2 mode, you must assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, follow these steps:
Step 1: interface vlan vlan-id (Command Mode: CONFIGURATION). Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
Step 2: tagged interface (Command Mode: INTERFACE). Enable an interface to include the IEEE 802.1Q tag header.
Except for hybrid ports, only a tagged interface can be a member of multiple VLANs. You can assign hybrid ports to two VLANs if the port is untagged in one VLAN and tagged in all others. When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN. If you remove the tagged interface from the only VLAN to which it belongs, the interface is placed in the default VLAN as an untagged interface.
The only way to remove an interface from the default VLAN is to place the interface in Default mode by using the no switchport command in INTERFACE mode.
Assign an IP Address to a VLAN
VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces.
To configure a port so that it can be a member of both untagged and tagged VLANs, follow these steps:
Step 1: Remove any Layer 2 or Layer 3 configurations from the interface. (Command Mode: INTERFACE)
Step 2: portmode hybrid (Command Mode: INTERFACE). Configure the interface for hybrid mode.
Step 3: switchport (Command Mode: INTERFACE). Configure the interface for switchport mode.
Step 4: Add the interface to a tagged or untagged VLAN.
56 Virtual Link Trunking (VLT)
Overview
Virtual link trunking (VLT) allows physical links between two chassis to appear as a single virtual link to the network core. VLT reduces the role of Spanning Tree protocols by allowing LAG terminations on two separate distribution or core switches, and by supporting a loop-free topology. (A Spanning Tree protocol is still needed to prevent the initial loop that may occur prior to VLT being established.
Figure 56-1. Virtual Link Trunking
(Figure labels: Out-of-Band Management Network; Backup Link; S4810 Chassis; VLT Domain; Chassis Interconnect Trunk; Virtual Link Trunk; Switch or Server that supports LACP (802.1ad))
VLT peer devices have independent management planes. A chassis interconnect trunk between the VLT chassis maintains synchronization of L2/L3 control planes across the two VLT peers. The chassis interconnect trunk uses 10GE or 40GE user ports on the chassis.
Multi-domain VLT
A multi-domain VLT (mVLT) configuration creates a port channel between two VLT domains: two different VLT domains, using different VLT domain ID numbers and connected by a standard LACP LAG, form a loop-free Layer 2 topology in the aggregation layer. This configuration supports a maximum of four (4) nodes per mVLT domain, increasing the number of available ports and allowing for dual redundancy of the VLT.
VLT interconnect (VLTi) - The link used to synchronize states between the VLT peer switches. Both ends must be on 10G or 40G interfaces.
VLT domain - This domain includes both VLT peer devices, the VLT interconnect, and all of the port channels in the VLT connected to the attached devices. It is also associated with the configuration mode that must be used to assign VLT global parameters.
• If the source is connected to an orphan (non-spanned, non-VLT) port in a VLT peer, the receiver is connected to a VLT (spanned) port-channel, and the VLT port-channel link between the VLT peer connected to the source and TOR is down, traffic is duplicated due to route inconsistency between peers. To avoid this scenario, Dell Networking recommends configuring both the source and the receiver on a spanned VLT VLAN.
Configuration Notes
When you configure VLT, the following conditions apply:
• VLT domain:
  • A VLT domain supports two chassis members, which appear as a single logical device to network access devices connected to VLT ports through a port channel.
  • A VLT domain consists of the two core chassis, the interconnect trunk, backup link, and the LAG members connected to attached devices. The domain ID can be from 1 to 1000.
• The VLT interconnect is used for data traffic only when there is a link failure that requires the VLTi to be used in order for data packets to reach their final destination.
• Unknown, multicast and broadcast traffic can be flooded across the VLT interconnect.
• MAC addresses for VLANs configured across VLT peer chassis are synchronized over the VLT interconnect on an egress port such as a VLT LAG.
• MAC addresses are the same on both VLT peer nodes.
• The chassis backup link does not carry control plane information or data traffic. Its use is restricted to health checks only.
• Virtual link trunks (VLTs) between access devices and VLT peer switches:
  • To connect servers and access switches with VLT peer switches, you use a VLT port channel (see Figure 56-1). Up to 48 port-channels are supported; up to 8 member links are supported in each port channel between the VLT domain and an access device.
• All system management protocols are supported on VLT ports, including SNMP, RMON, AAA, ACL, DNS, FTP, SSH, Syslog, NTP, RADIUS, SCP, TACACS+, Telnet, and LLDP.
• Layer 3 VLAN connectivity between VLT peers is enabled by configuring a VLAN network interface for the same VLAN on both switches.
• IGMP snooping is supported over VLT ports. The multicast forwarding state is synchronized on both VLT peer switches.
the network. In either case, upon recovery of the peer link or reestablishment of message forwarding across the interconnect trunk, the two VLT peers resynchronize any MAC addresses learned while communication was interrupted, and the VLT system continues normal data forwarding. If the primary chassis is rebooted, the secondary chassis takes on the operational role of the primary.
When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (Message 2) and an SNMP trap.
Message 2 Excessive VLTi Bandwidth Usage Drops Below Threshold Value
Error %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (port-channel 25) reaches below threshold.
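The following is an added example (not code from the Dell guide or FTOS) of detection logic that parses FTOS syslog lines of the form shown above and tracks, per VLT-ICL-LAG port-channel, whether the last message said the interconnect was above or below the threshold; the log lines and the "reaches above threshold" wording are constructed, since only the below-threshold message text appears on the page.

```python
"""Parse FTOS syslog lines and follow VLTi bandwidth-threshold messages.

Added example; not code from the Dell guide or FTOS. It splits an FTOS
message into stack-unit prefix, facility, severity and mnemonic (for the
message above: VLTMGR, 6, VLT-LAG-ICL), pulls out the port-channel number,
and replays above/below-threshold messages per VLT-ICL-LAG so a monitor knows
which interconnects are still above the 80% threshold. The log lines and the
"reaches above threshold" wording are constructed; only the "reaches below
threshold" text is quoted from the guide.
"""
import re

FTOS_SYSLOG_RE = re.compile(
    r"%(?P<unit>STKUNIT\d+)-(?P<role>[MS]):(?P<cpu>\w+)\s+"
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_-]+):\s*(?P<text>.*)")
PORT_CHANNEL_RE = re.compile(r"\(port-channel (\d+)\)")
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "informational", 7: "debug"}

SAMPLE_LOG = [  # constructed for this example
    "Jan 10 10:00:01: %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth "
    "utilization of VLT-ICL-LAG (port-channel 25) reaches above threshold.",
    "Jan 10 10:05:30: %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth "
    "utilization of VLT-ICL-LAG (port-channel 25) reaches below threshold.",
    "Jan 10 10:06:00: %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth "
    "utilization of VLT-ICL-LAG (port-channel 60) reaches above threshold.",
]


def parse_ftos_syslog(line: str) -> dict:
    """Return the structured fields of one FTOS syslog line."""
    m = FTOS_SYSLOG_RE.search(line)
    if not m:
        raise ValueError("not an FTOS syslog line: %r" % line)
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    msg["severity_name"] = SEVERITY_NAMES[msg["severity"]]
    pc = PORT_CHANNEL_RE.search(msg["text"])
    msg["port_channel"] = int(pc.group(1)) if pc else None
    return msg


def vlti_utilization_state(lines) -> dict:
    """Replay VLT-LAG-ICL messages in order; map port-channel -> 'above' or 'below'."""
    state = {}
    for line in lines:
        try:
            msg = parse_ftos_syslog(line)
        except ValueError:
            continue                 # skip lines that are not FTOS-format messages
        if msg["mnemonic"] != "VLT-LAG-ICL" or msg["port_channel"] is None:
            continue
        if "above threshold" in msg["text"]:
            state[msg["port_channel"]] = "above"
        elif "below threshold" in msg["text"]:
            state[msg["port_channel"]] = "below"
    return state


def vlti_over_threshold(lines) -> list:
    """Port-channels whose last VLTi bandwidth message says they are still above 80%."""
    return sorted(pc for pc, s in vlti_utilization_state(lines).items() if s == "above")
```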
PIM-Sparse Mode Support on VLT
The Designated Router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. The VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources.
If the VLT node elected as the designated router fails, traffic loss occurs until another VLT node is elected the designated router.
VLT Unicast
VLT unicast locally routes packets destined for the L3 endpoint of the VLT peer. This method avoids suboptimal routing. Peer-routing syncs the MAC addresses of both VLT peers and requires two local DA entries in TCAM. If a VLT node is down, resiliency is provided by a timer that allows you to configure the amount of time needed for peer recovery.
VLT Multicast
VLT multicast provides multiple alternate paths for resiliency against link and node failures. This feature supports inter-server multicast communication between top-of-rack (ToR) switches using an inter-VLAN Layer 3 routing protocol (for example, PIM, IS-IS, or OSPF). It also provides traffic resiliency during multicast routing convergence after failure without disrupting or altering multicast routing behavior.
   VLT DOMAIN mode: peer-routing
3. Configure the multicast peer-routing timeout.
   VLT DOMAIN mode: multicast peer-routing-timeout value
   value: Specify a value (in seconds) from 1 to 1200.
4. Configure a PIM-SM compatible VLT node as a designated router (DR). For more information, refer to Configuring a Designated Router.
5. Configure a PIM-enabled peer router as a rendezvous point (RP). For more information, refer to Configuring a Static Rendezvous Point.
6.
Preventing Forwarding Loops in a VLT Domain
During the bootup of VLT peer switches, a forwarding loop may occur until the VLT configurations are applied on each switch and the primary/secondary roles are determined.
VLT Configuration Procedure
To configure virtual link trunking and create a VLT domain in which two MXL Switches are physically connected and treated as a single port channel by access devices, you must configure the following settings on each VLT peer device:
Prerequisite: Before you begin, make sure that both VLT peer switches are running the same FTOS version and are configured for RSTP as described in Rapid Spanning Tree Protocol (RSTP).
Configure a VLT backup link
Step 1: interface managementethernet slot/port (Command Mode: CONFIGURATION). Specify the management interface to be used for the backup link through an out-of-band management network. Enter the slot (0-1) and the port (0).
Step 2: Configure an IPv4 address (A.B.C.D) or IPv6 address (X:X:X:X::X) and mask (/x) on the interface. This is the IP address to be configured on the VLT peer with the back-up destination command.
(Optional) Reconfigure default VLT settings
Step 2: primary-priority value (Command Mode: VLT DOMAIN CONFIGURATION); system-mac mac-address (Command Mode: VLT DOMAIN CONFIGURATION). (Optional) After you configure the VLT domain on each peer switch on both sides of the interconnect trunk, by default, the FTOS software elects a primary and secondary VLT peer device. Use the primary-priority command to reconfigure the primary role of VLT peer switches.
Connect a VLT domain to an attached access device (switch or server)
Step 2: no ip address (Command Mode: INTERFACE PORT-CHANNEL). Remove an IP address from the interface.
Step 3: switchport (Command Mode: INTERFACE PORT-CHANNEL). Place the interface in Layer 2 mode.
Add one or more port interfaces to the port channel.
Use the following procedure to configure a multi-domain VLT between two VLT domains on your network. Refer to the mVLT Configuration Example for a sample configuration.
(Optional) Configure Multi-domain VLT (mVLT)
Set up the VLT domain.
Step 1: Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode. Enter the same port-channel number configured with the peer-link port-channel command.
(Optional) Configure Multi-domain VLT (mVLT)
Step 7: unit-id {0 | 1} (Command Mode: VLT DOMAIN CONFIGURATION). When you create a VLT domain on a switch, the FTOS software automatically assigns a unique unit ID (0 or 1) to each peer switch. The unit IDs are used for internal system operations. Use the unit-id command to explicitly configure the default values on each peer switch. You must configure a different unit ID (0 or 1) on each peer switch.
To verify the configuration of a VLT domain, enter any of the show commands described in Verifying a VLT Configuration.
1. vlt domain domain id (Command Mode: VLT DOMAIN). Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2. Configure the VLTi between VLT peer 1 and VLT peer 2.
2. An LACP or static LAG can be configured between the peer units (not shown).
In the following sample VLT configuration steps, VLT peer 1 is S4810-2, VLT peer 2 is S4810-4, and the ToR is S60-1:
Note: If a third-party ToR unit is used, Dell Networking recommends using static LAGs with VLT peers to avoid potential problems if the VLT peers are rebooted.
3. In the top of rack unit, configure LACP in the physical ports (shown for VLT peer 1 only. Repeat steps for VLT peer 2. The highlighted vlt-peer-lag port-channel 2 indicates that port-channel 2 is the port-channel id configured in VLT peer 2).
s4810-4#
mVLT Configuration Example
The following example demonstrates the steps to configure multi-domain VLT (mVLT) in a network. In this example there are two domains being configured. Domain 1 consists of Peer 1 and Peer 2; Domain 2 consists of Peer 3 and Peer 4, as shown.
(Figure labels: Out-of-Band Management Network; Backup Link; S4810 Chassis; VLT Domain; Interconnect Trunk; Virtual Link Trunk; Switch or Server that supports LACP (802.
Domain_1_Peer4#no shutdown
Domain_2_Peer4(conf)#vlt domain 200
Domain_2_Peer4(conf-vlt-domain)#peer-link port-channel 1
Domain_2_Peer4(conf-vlt-domain)#back-up destination 10.18.130.
VLT_Peer2(conf-if-vl-4001)#exit
VLT_Peer2(conf)#end
Verifying a VLT Configuration
To monitor the operation or verify the configuration of a VLT domain, enter any of the following show commands on the primary and secondary VLT switches:
show vlt backup-link: Displays information on backup link operation (see Figure 56-4).
FTOS#VLTpeer2#show vlt backup-link
VLT Backup Link
----------------
Destination:
Peer HeartBeat status:
HeartBeat Timer Interval:
HeartBeat Timeout:
UDP Port:
HeartBeat Messages Sent:
HeartBeat Messages Received:
Figure 56-5.
10.11.200.
Figure 56-8. show running-config vlt Command Output on VLT peer switches
FTOS#VLTpeer1#show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.18
FTOS#VLTpeer2#show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.20
Figure 56-9.
Figure 56-10. Configuring Virtual Link Trunking (VLT Peer 1)
Enable VLT and create a VLT domain with a backup-link and interconnect (VLTi):
FTOS_VLTpeer1(conf)#vlt domain 999
FTOS_VLTpeer1(conf-vlt-domain)#peer-link port-channel 100
FTOS_VLTpeer1(conf-vlt-domain)#back-up destination 10.11.206.35
FTOS_VLTpeer1(conf-vlt-domain)#exit
FTOS_VLTpeer1(conf)#interface ManagementEthernet 0/0
FTOS_VLTpeer1(conf-if-ma-0/0)#ip address 10.11.206.
Figure 56-11. Configuring Virtual Link Trunking (VLT Peer 2)
Enable VLT and create a VLT domain with a backup-link and VLT interconnect (VLTi):
FTOS_VLTpeer2(conf)#vlt domain 999
FTOS_VLTpeer2(conf-vlt-domain)#peer-link port-channel 100
FTOS_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.23
FTOS_VLTpeer2(conf-vlt-domain)#exit
FTOS_VLTpeer2(conf)#interface ManagementEthernet 0/0
FTOS_VLTpeer2(conf-if-ma-0/0)#ip address 10.11.206.
Troubleshooting VLT
Use the following information to help troubleshoot different VLT issues that may occur.
Note: For information on VLT failure mode timing and its impact, contact your Dell Networking representative.
Behavior During Run Time: A syslog error message and an SNMP trap are generated when the VLTi bandwidth usage goes above its threshold.
Action to Take: Depending on the traffic that is received, the traffic can be offloaded in VLTi.
Description: Unit ID mismatch
Behavior (at peer up and during run time): The VLT peer does not boot up. The VLTi is forced to a down state. A syslog error message is generated. The VLT domain will not be formed. The VLTi will be in a down state.
Action to Take: Verify the unit ID is correct on both VLT peers. Unit ID numbers must be sequential on peer units; i.e., if Peer 1 is unit ID "0", Peer 2 unit ID must be "1".
57 Virtual Router Redundancy Protocol (VRRP)
This chapter covers the following information:
• Overview
• VRRP Benefits
• VRRP Implementation
• VRRP Configuration
• Sample Configurations
Overview
Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
In Figure 57-1, Router A is configured as the MASTER router. It is configured with the IP address of the virtual router and sends any packets addressed to the virtual router through interface TenGigabitEthernet 1/1 to the Internet. As the BACKUP router, Router B is also configured with the IP address of the virtual router. If for any reason Router A becomes unavailable, VRRP elects a new MASTER router. Router B assumes the duties of Router A and becomes the MASTER router.
VRRP Benefits
With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and they are not dependent on an internal gateway protocol (IGP) to converge or update routing tables.
VRRP Implementation
The MXL 10/40GbE Switch supports a total of 2000 VRRP groups on a switch and 255 VRRP groups per interface (Table 57-1). Within a single VRRP group, up to 12 virtual IP addresses are supported.
VRRP Configuration
By default, VRRP is not configured.
Figure 57-3. show config Command Example
FTOS(conf-if-te-1/1)#show conf
!
interface Tengigabitethernet 1/1
 ip address 10.10.10.1/24
 !
 vrrp-group 111
 no shutdown
FTOS(conf-if-te-1/1)#
Note that the interface has an IP address and is enabled.
Assign Virtual IP Addresses
Virtual routers contain virtual IP addresses configured for that VRRP group (VRID). A VRRP group does not transmit VRRP packets until you assign the virtual IP address to the VRRP group.
To configure a virtual IP address, follow these steps:
Step 1: vrrp-group vrrp-id (Command Mode: INTERFACE). Configure a VRRP group. VRID range: 1 to 255.
Step 2: virtual-address ip-address1 [...ip-address12] (Command Mode: INTERFACE-VRID). Configure virtual IP addresses for this VRID. Range: up to 12 addresses.
Figure 57-4. virtual-address Command Example
FTOS(conf-if-te-1/1-vrid-111)#virtual-address 10.10.10.1
FTOS(conf-if-te-1/1-vrid-111)#virtual-address 10.10.10.
Figure 57-6 shows the same VRRP group configured on multiple interfaces on different subnets.
Figure 57-6. show vrrp Command Example: Same VRRP Group (VRID)
FTOS#do show vrrp
------------------
Tengigabitethernet 1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 1768, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address:
10.10.10.1 10.10.10.2 10.10.10.3 10.
To configure the VRRP group's priority, use the following command:
priority priority (Command Mode: INTERFACE-VRID). Configure the priority for the VRRP group. Range: 1 to 255. Default: 100.
Figure 57-7. priority Command Example
FTOS(conf-if-te-1/2)#vrrp-group 111
FTOS(conf-if-te-1/2-vrid-111)#priority 125
Figure 57-8. show vrrp Command Example
FTOS#show vrrp
------------------
Tengigabitethernet 1/1, VRID: 111, Net: 10.10.10.
To configure simple authentication, use the following command:
authentication-type simple [encryption-type] password (Command Mode: INTERFACE-VRID). Configure a simple text password. Parameters: encryption-type: 0 indicates unencrypted; 7 indicates encrypted. password: plain text.
Figure 57-9.
Because preempt is enabled by default, disable the preempt function with the following command in VRRP mode. To re-enable preempt, use the preempt command. When you enable preempt, it does not display in the show commands because it is a default setting.
no preempt (Command Mode: INTERFACE-VRID). Prevent any BACKUP router with a higher priority from becoming the MASTER router.
Figure 57-11.
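The following is an added example (not code from the Dell guide or FTOS) that models the VRRP behaviour described in this section: the virtual MAC 00:00:5e:00:01:6f for VRID 111 shown in the show vrrp output, MASTER election by priority (1 to 255, default 100, 255 for the address owner), and the effect of no preempt on a higher-priority BACKUP; the router names and addresses are constructed.

```python
"""Model VRRP master election and the virtual MAC address as the guide describes them.

Added example; not code from the Dell guide or FTOS. It derives the virtual MAC
00:00:5e:00:01:<VRID> seen in the show vrrp output, elects the MASTER from a set
of routers by priority (1-255, default 100, 255 for the router that owns the
virtual IP), and models `no preempt`, which keeps a higher-priority BACKUP from
displacing a running MASTER. Router names and addresses are constructed.
"""
from dataclasses import dataclass

VRRP_IPV4_MAC_PREFIX = "00:00:5e:00:01"  # IANA-assigned prefix for IPv4 VRRP virtual MACs
OWNER_PRIORITY = 255                      # priority of the router that owns the virtual IP
DEFAULT_PRIORITY = 100                    # FTOS default priority


def virtual_mac(vrid: int) -> str:
    """Virtual MAC for a VRID; VRID 111 (0x6f) yields 00:00:5e:00:01:6f as in the guide."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in the range 1-255")
    return "%s:%02x" % (VRRP_IPV4_MAC_PREFIX, vrid)


@dataclass
class VrrpRouter:
    name: str
    ip: str                  # primary address on the VRRP interface
    virtual_ips: list        # virtual addresses of the group (up to 12 on FTOS)
    priority: int = DEFAULT_PRIORITY
    preempt: bool = True     # FTOS default; `no preempt` sets this to False

    def __post_init__(self):
        if self.ip in self.virtual_ips:      # the address owner always runs at 255
            self.priority = OWNER_PRIORITY
        if not 1 <= self.priority <= 255:
            raise ValueError("priority must be in the range 1-255")


def _ip_key(ip: str) -> tuple:
    """Sort key so that ties are broken by the numerically higher primary IP."""
    return tuple(int(octet) for octet in ip.split("."))


def elect_master(routers, current_master=None):
    """Return the router holding the MASTER role after an election.

    The highest priority wins and ties go to the higher primary IP address.
    When a MASTER is already active, a better candidate only takes over if it
    has preempt enabled, except that the address owner always preempts.
    """
    if not routers:
        return None
    best = max(routers, key=lambda r: (r.priority, _ip_key(r.ip)))
    if current_master in routers and best is not current_master:
        if not best.preempt and best.priority != OWNER_PRIORITY:
            return current_master
    return best


def failover_sequence(routers, failed_name: str):
    """Simulate one router failing and later returning; return the MASTER name at each stage."""
    initial = elect_master(routers)
    survivors = [r for r in routers if r.name != failed_name]
    after_failure = elect_master(survivors, current_master=initial)
    after_return = elect_master(routers, current_master=after_failure)
    return [initial.name, after_failure.name, after_return.name]
```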
Figure 57-13. advertise-interval Command Example
FTOS(conf-if-te-1/1)#vrrp-group 111
FTOS(conf-if-te-1/1-vrid-111)#advertise-interval 10
FTOS(conf-if-te-1/1-vrid-111)#
Figure 57-14. show config Command Example
FTOS(conf-if-te-1/1-vrid-111)#show conf
!
vrrp-group 111
 advertise-interval 10
 authentication-type simple 7 387a7f2df5969da4
 no preempt
 priority 255
 virtual-address 10.10.10.1
 virtual-address 10.10.10.2
 virtual-address 10.10.10.3
 virtual-address 10.10.10.
You can configure a tracked object for a VRRP group (using the track object-id command in INTERFACE-VRID mode) before you actually create the tracked object (using a track object-id command in CONFIGURATION mode) (Figure 57-15 and Figure 57-16). However, no changes in the VRRP group's priority occur until the tracked object is defined and determined to be down.
Figure 57-17. show vrrp Command Example
FTOS#show track
Track 2
  IPv6 route 2040::/64 metric threshold
  Metric threshold is Up (STATIC/0/0)
  5 changes, last change 00:02:16
  Metric threshold down 255 up 254
  First-hop interface is GigabitEthernet 13/2
  Tracked by:
    VRRP GigabitEthernet 7/30 IPv6 VRID 1
Track 3
  IPv6 route 2050::/64 reachability
  Reachability is Up (STATIC)
  5 changes, last change 00:02:16
  First-hop interface is GigabitEthernet 13/2
  Tracked by:
    VRRP GigabitEthernet 7/30 IPv6 VRID 1
Figure 57-18.
vrrp delay minimum seconds (Command Mode: INTERFACE). Set the delay time for VRRP initialization on an individual interface. This is the gap between an interface coming up and being operational, and VRRP enabling. Seconds range: 0-900. Default: 0.
Set the delay time for VRRP initialization on all the interfaces in the system configured for VRRP. This is the gap between system boot-up completion and VRRP enabling.
Figure 57-20. Configure VRRP for IPv4 Router R2
R2(conf)#int tengig 2/31
R2(conf-if-te-2/31)#ip address 10.1.1.1/24
R2(conf-if-te-2/31)#vrrp-group 99
R2(conf-if-te-2/31-vrid-99)#priority 200
R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-te-2/31-vrid-99)#no shut
R2(conf-if-te-2/31)#show conf
!
interface Tengigabitethernet 2/31
 ip address 10.1.1.1/24
 !
 vrrp-group 99
 priority 200
 virtual-address 10.1.1.
58 Standards Compliance
This chapter contains the following sections:
• IEEE Compliance
• RFC and I-D Compliance
• MIB Location
Note: Unless noted, when a standard cited here is listed as supported by Dell Networking operating software (FTOS), FTOS also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website.
RFC and I-D Compliance
The following standards are supported by FTOS, and are grouped by related protocol. The columns showing support by platform indicate which version of FTOS first supports the standard.
General IPv4 Protocols
RFC 791: Internet Protocol
RFC 792: Internet Control Message Protocol
RFC 826: An Ethernet Address Resolution Protocol
RFC 1027: Using ARP to Implement Transparent Subnet Gateways
RFC 1035: DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (client)
RFC 1042: A Standard for the Transmission of IP Datagrams over IEEE 802 Networks
RFC 1191: Path MTU Discovery
RFC 1305: Network Time Protocol (Version 3) Specification, Implementation and Analysis
RFC 1519: Classless Inter-Domain Routing (CIDR): an Add
Open Shortest Path First (OSPF)
RFC 1587: The OSPF Not-So-Stubby Area (NSSA) Option
RFC 2154: OSPF with Digital Signatures
RFC 2328: OSPF Version 2
RFC 2370: The OSPF Opaque LSA Option
RFC 3623: Graceful OSPF Restart
RFC 4222: Prioritized Treatment of Specific OSPF Version 2 Packets and Congestion Avoidance
Routing Information Protocol (RIP)
RFC 1058: Routing Information Protocol
RFC 2453: RIP Version 2
Network Management (continued)
RFC 2575: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC 2576: Coexistence Between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework
RFC 2578: Structure of Management Information Version 2 (SMIv2)
RFC 2579: Textual Conventions for SMIv2
RFC 2580: Conformance Statements for SMIv2
RFC 2618: RADIUS Authentication Client MIB, except the following four counters: radiusAuthClientInvalidServerAddress
Network Management (continued)
RFC 3418: Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
RFC 3434: Remote Monitoring MIB Extensions for High Capacity Alarms, High-Capacity Alarm Table (64 bits)
RFC 5060: Protocol Independent Multicast MIB
ANSI/TIA-1057: The LLDP Management Information Base extension module for TIA-TR41.
Network Management (continued)
FORCE10-LINKAGG-MIB: Force10 Enterprise Link Aggregation MIB
FORCE10-COPY-CONFIG-MIB: Force10 File Copy MIB (supporting SNMP SET operation)
FORCE10-MON-MIB: Force10 Monitoring MIB
FORCE10-PRODUCTS-MIB: Force10 Product Object Identifier MIB
FORCE10-SS-CHASSIS-MIB: Force10 S-Series Enterprise Chassis MIB
FORCE10-SMI: Force10 Structure of Management Information
FORCE10-SYSTEM-COMPO: Force10 System Component MIB (enables the user to view CAM usage information
MIB Location
MIBs are under the Force10 MIBs subhead on the Documentation page of iSupport:
https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.aspx
You also can obtain a list of selected MIBs and their OIDs at the following URL:
https://www.force10networks.com/csportal20/MIBs/MIB_OIDs.aspx
Some pages of iSupport require a login. To request an iSupport account, go to:
https://www.force10networks.com/CSPortal20/Support/AccountRequest.