Dell Networking Configuration Guide for the MXL 10/40GbE Switch I/O Module 9.10(0.
Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2016 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents 1 About this Guide.............................................................................................................31 Audience........................................................................................................................................................................... 31 Conventions......................................................................................................................................................................
Upgrading and Downgrading the Dell Networking OS...................................................................................................... 55 Verify Software Images Before Installation....................................................................................................................... 55 4 Management................................................................................................................. 57 Configuring Privilege Levels...................................
Recovering from a Forgotten Enable Password................................................................................................................ 78 Recovering from a Failed Start......................................................................................................................................... 79 5 802.1X........................................................................................................................... 80 The Port-Authentication Process...............
Configuring Filters with a Sequence Number..................................................................................................................106 Configuring Filters Without a Sequence Number............................................................................................................ 107 Established Flag..............................................................................................................................................................
Configure BFD for Physical Ports..............................................................................................................................133 Enabling BFD Globally............................................................................................................................................... 133 Establishing a Session on Physical Ports...................................................................................................................
Autonomous Systems (AS).............................................................................................................................................156 Sessions and Peers......................................................................................................................................................... 158 Establish a Session....................................................................................................................................................
Ethernet Enhancements in Data Center Bridging............................................................................................................221 Priority-Based Flow Control..................................................................................................................................... 222 Enhanced Transmission Selection.............................................................................................................................
Recognize an Over-Temperature Condition.............................................................................................................. 264 Troubleshoot an Over-Temperature Condition.......................................................................................................... 264 Recognize an Under-Voltage Condition....................................................................................................................265 Troubleshoot an Under-Voltage Condition..........
RTAG7........................................................................................................................................................................... 296 Flow-based Hashing for ECMP...................................................................................................................................... 297 16 FC FLEXIO FPORT.................................................................................................... 300 FC FLEXIO FPORT..........................
Important FRRP Points............................................................................................................................................ 328 Important FRRP Concepts.......................................................................................................................................329 Implementing FRRP.......................................................................................................................................................
Configuration Task List for Physical Interfaces......................................................................................................... 353 Overview of Layer Modes........................................................................................................................................ 353 Configuring Layer 2 (Data Link) Mode.....................................................................................................................
Configure MTU Size on an Interface...............................................................................................................................374 Port-Pipes...................................................................................................................................................................... 375 Auto-Negotiation on Ethernet Interfaces.......................................................................................................................
Stateless Autoconfiguration......................................................................................................................................397 IPv6 Header Fields......................................................................................................................................................... 399 Version (4 bits).........................................................................................................................................................
27 Intermediate System to Intermediate System............................................................ 420 IS-IS Protocol Overview.................................................................................................................................................420 IS-IS Addressing.............................................................................................................................................................420 Multi-Topology IS-IS.................................
Setting Station Move Violation Actions.....................................................................................................................461 Recovering from Learning Limit and Station Move Violations...................................................................................462 Disabling MAC Address Learning on the System...................................................................................................... 462 NIC Teaming..............................................
Manage the Source-Active Cache................................................................................................................................. 495 Viewing the Source-Active Cache............................................................................................................................495 Limiting the Source-Active Cache............................................................................................................................
Multicast Policies........................................................................................................................................................... 526 IPv4 Multicast Policies................................................................................................................................................... 526 Limiting the Number of Multicast Routes.................................................................................................................
Configuring Passive-Interface.................................................................................................................................. 566 Redistributing Routes...............................................................................................................................................567 Configuring a Default Route.....................................................................................................................................
Configuring Remote Port Mirroring.......................................................................................................................... 602 Displaying Remote-Port Mirroring Configurations.................................................................................................... 603 Configuring the Sample Remote Port Mirroring.......................................................................................................
Enabling QoS Rate Adjustment...................................................................................................................................... 649 Enabling Strict-Priority Queueing...................................................................................................................................650 Weighted Random Early Detection.................................................................................................................................
AAA Accounting.............................................................................................................................................................680 Configuration Task List for AAA Accounting.............................................................................................................680 AAA Authentication........................................................................................................................................................
Creating Access and Trunk Ports.............................................................................................................................. 719 Enable VLAN-Stacking for a VLAN........................................................................................................................... 719 Configuring the Protocol Type Value for the Outer VLAN Tag.................................................................................. 720 Configuring Options for Trunk Ports...........
Setting Up User-Based Security (SNMPv3)...................................................................................................................743 Reading Managed Object Values.................................................................................................................................... 744 Writing Managed Object Values......................................................................................................................................
Master Selection Criteria...........................................................................................................................................771 Configuring Priority and stack-group.........................................................................................................................771 Cabling Stacked Switches........................................................................................................................................ 772 Accessing the CLI.
Displaying STP Guard Configuration...............................................................................................................................799 54 SupportAssist............................................................................................................ 801 Configuring SupportAssist Using a Configuration Wizard...............................................................................................802 Configuring SupportAssist Manually..............................
Non-VLT ARP Sync...................................................................................................................................................831 RSTP Configuration....................................................................................................................................................... 832 Preventing Forwarding Loops in a VLT Domain........................................................................................................
Configuring Uplink Failure Detection.............................................................................................................................. 865 Clearing a UFD-Disabled Interface................................................................................................................................. 866 Displaying Uplink Failure Detection.................................................................................................................................
Data Center Bridging (DCB).......................................................................................................................................... 906 Ethernet Enhancements in Data Center Bridging.....................................................................................................906 Enabling Data Center Bridging..................................................................................................................................
1 About this Guide This guide describes the supported protocols and software features, and provides configuration instructions and examples, for the Dell Networking MXL 10/40GbE Switch IO Module. The MXL 10/40GbE Switch IO Module is installed in a Dell PowerEdge M1000e Enclosure. For information about how to install and perform the initial switch configuration, refer to the Getting Started Guides on the Dell Support website at http://support.dell.com/ manuals.
Related Documents For more information about the Dell Networking MXL 10/40GbE Switch IO Module, refer to the following documents: • Dell Networking OS Command Reference • Dell Quick Start Guide • Dell Networking OS Release Notes 32 About this Guide
2 Configuration Fundamentals The Dell Networking operating system command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. In the Dell Networking OS, after you enable a command, it is entered into the running configuration file.
• • INTERFACE sub-mode is the mode in which you configure Layer 2 and Layer 3 protocols and IP services specific to an interface. An interface can be physical (Management interface, 10 Gigabit Ethernet, 40 Gigabit Ethernet, or synchronous optical network technologies [SONET]) or logical (Loopback, Null, port channel, or virtual local area network [VLAN]). LINE sub-mode is the mode in which you to configure the console and virtual terminal lines.
CLI Command Mode Prompt Access Command • From every mode except EXEC and EXEC Privilege, enter the exit command. NOTE: Access all of the following modes from CONFIGURATION mode.
CLI Command Mode Prompt Access Command Dell(conf-routerZ_bgpv6_af)# (for IPv6) ROUTER ISIS Dell(conf-router_isis)# router isis ISIS ADDRESS-FAMILY Dell(conf-router_isisaf_ipv6)# address-family ipv6 unicast (ROUTER ISIS Mode) ROUTER OSPF Dell(conf-router_ospf)# router ospf ROUTER OSPFV3 Dell(conf-ipv6router_ospf)# ipv6 router ospf ROUTER RIP Dell(conf-router_rip)# router rip SPANNING TREE Dell(config-span)# protocol spanning-tree 0 TRACE-LIST Dell(conf-trace-acl)# ip trace-list CLASS-
CLI Command Mode Prompt Access Command VRRP Dell(conf-if-interface-typeslot/port-vrid-vrrp-groupid)# vrrp-group u-Boot Dell(=>)# Press any key when the following line appears on the console during a system boot: Hit any key to stop autoboot: UPLINK STATE GROUP Dell(conf-uplink-state-groupgroupID)# uplink-state-group The following example shows how to change the command mode from CONFIGURATION mode to PROTOCOL SPANNING TREE.
Dell(conf-if-gi-4/17)#no ip address Dell(conf-if-gi-4/17)#show config ! interface GigabitEthernet 4/17 no ip address no shutdown Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.
Short-Cut Key Combination Action CNTL-E Moves the cursor to the end of the line. CNTL-F Moves the cursor forward one character. CNTL-I Completes a keyword. CNTL-K Deletes all characters from the cursor to the end of the command line. CNTL-L Re-enters the previous command. CNTL-N Return to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow key. CNTL-P Recalls commands, beginning with the last command. CNTL-R Re-enters the previous command.
0 0 0 0 0 0 Pause Pause Pause Pause Pause Pause Tx Tx Tx Tx Tx Tx pkts, pkts, pkts, pkts, pkts, pkts, 0 0 0 0 0 0 Pause Pause Pause Pause Pause Pause Rx Rx Rx Rx Rx Rx pkts pkts pkts pkts pkts pkts NOTE: The Dell Networking OS accepts a space or no space before and after the pipe. To filter a phrase with spaces, underscores, or ranges, enclose the phrase with double quotation marks. The except keyword displays text that does not match the specified text.
If either of these messages appears, Dell Networking recommends coordinating with the users listed in the message so that you do not unintentionally overwrite each other’s configuration changes.
3 Getting Started This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) during which the route processor module (RPM), switch fabric module (SFM), and line card status light emitting diodes (LEDs) blink green. The system then loads the Dell Networking operating system. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption.
Console Access The switch has two management ports available for system access: a serial console port and an out-of-bounds (OOB) port. Serial Console A universal serial bus (USB) (A-Type) connector is located at the front panel. The USB can be defined as an External Serial Console (RS-232) port, and is labeled on the chassis. The USB is present on the lower side, as you face the I/O side of the chassis, as shown.
Serial Console 44 Getting Started
External Serial Port with a USB Connector The following table list the pin assignments. Table 2. Pin Assignments USB Pin Number Signal Name Pin 1 RTS Pin 2 RX Pin 3 TX Pin 4 CTS Pin 5, 6 GND RxD Chassis GND Accessing the CLI Interface and Running Scripts Using SSH In addition to the capability to access a device using a console connection or a Telnet session, you can also use SSH for secure, protected communication with the device. You can open an SSH session and run commands or script files.
Execution of commands on CLI over SSH does not notice the errors that have occurred while executing the command. As a result, you cannot identify, whether a command has failed to be processed. The console output though is redirected back over SSH. Boot Process After you follow the Installation Procedure in the Getting Started Guide, the switch boots up. The switch with the Dell Networking OS version 8.3.16.1 requires boot flash version 4.0.1.0 and boot selector version 4.0.0.0.
Initialized eMMC Host Controller Detected SD Card Now running in RAM - U-Boot [N64 ABI, Big-Endian] at: ffffffff8c100000 Flash: 256 MB PCIE (B0:D01:F0) : Link up. PCIE (B0:D01:F1) : No Link.
Configuring a Unique Host Name on the System While you can manually configure a host name for the system, you can also configure the system to have a unique host name. The unique host name is a combination of the platform type and the serial number of the system. The unique host name appears in the command prompt. The running configuration gets updated with the feature unique-name command. It also overwrites any existing host name configured on the system using the hostname command.
Configure a Management Route Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port. To configure a management route, use the following command. • Configure a management route to the network from which you are accessing the system. CONFIGURATION mode management route ip-address/mask gateway – ip-address: the network address in dotted-decimal format (A.B.C.
* 5 is for inputting a password that is already encrypted using an MD5 hash. Obtain the encrypted password from the configuration file of another Dell Networking system. You can only use this for the enable secret password. * 7 is for inputting a password that is already encrypted using a DES hash. Obtain the encrypted password from the configuration file of another Dell Networking system. You can only use this for the enable password.
NOTE: If all of the following conditions are true, the Portmode Hybrid configuration is not applied, because of the configuration process for server ports as switch ports by default: • The running configuration is saved in flash. • The startup configuration is deleted. • The switch is reloaded. • The saved configuration is copied to the running configuration.
NOTE: When copying to a server, you can only use a host name if you have configured a DNS server. • Save the running-configuration to the startup-configuration on the internal flash of the primary RPM. Then copy the new startup-config file to the external flash of the primary RPM.
12 -rwx 13 -rwx 6900 Feb 17 2011 04:43:12 +00:00 startup-config.bak 1244038 Feb 13 2011 04:27:16 +00:00 f10cp_sysd_110213042625.acore.gz flash: 2143281152 bytes total (2123755520 bytes free) --More-- View Configuration Files Configuration files have three commented lines at the beginning of the file, as shown in the following example, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startupconfiguration.
You can change the default storage location to the USB Flash, as shown. File management commands then apply to the USB Flash rather than the internal Flash. The bold lines show that no file system is specified and that the file is saved to an USB Flash.
However, these changes are backward-compatible and do not affect existing behavior; meaning, you can still use the ip http source- interface command to communicate with a particular interface even if no VRF is configured on that interface NOTE: If the HTTP service is not VRF-aware, then it uses the global routing table to perform the look-up. To enable an HTTP client to look up the VRF table corresponding to either management VRF or any nondefault VRF, use the ip http vrf command in CONFIGURATION mode.
MD5 Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin MD5 hash for FTOS-SE-9.5.0.0.bin: 275ceb73a4f3118e1d6bcf7d75753459 SHA256 Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin SHA256 hash for FTOS-SE-9.5.0.0.bin: e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933 Examples: Entering the Hash Value for Verification MD5 Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin 275ceb73a4f3118e1d6bcf7d75753459 MD5 hash VERIFIED for FTOS-SE-9.5.0.0.bin SHA256 Dell# verify sha256 flash://FTOS-SE-9.5.0.0.
4 Management Dell Networking OS supports management. This chapter describes the different protocols or services used to manage the Dell Networking system. Configuring Privilege Levels Privilege levels restrict access to commands based on user or terminal line. There are 15 privilege levels, of which two are pre-defined. The default privilege level is 1. • Level 1 — Access to the system begins at EXEC mode, and EXEC mode commands are limited to basic commands, some of which are enable, disable, and exit.
Allowing Access to INTERFACE, LINE, ROUTE-MAP, and ROUTER Mode 1. Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE, ROUTE-MAP, and ROUTER modes, first allow access to the command that enters you into the mode. For example, allow a user to enter INTERFACE mode using the privilege configure level level interface gigabitethernet command. 2.
Current privilege level is 3. Dell#? capture Capture packet configure Configuring from terminal disable Turn off privileged commands enable Turn on privileged commands exit Exit from the EXEC ip Global IP subcommands monitor Monitoring feature mtrace Trace reverse multicast path from destination to source ping Send echo messages quit Exit from the EXEC show Show running system information [output omitted] Dell#config [output omitted] Dell(conf)#do show priv Current privilege level is 3.
Configuring Logging The Dell Networking operating system tracks changes in the system using event and error messages. By default, the system logs these messages on: • • • the internal buffer console and terminal lines any configured syslog servers To disable logging, use the following commands. • Disable all logging except on the console. CONFIGURATION mode • no logging on Disable logging to the logging buffer. CONFIGURATION mode • no logging buffer Disable logging to terminal lines.
The security log contains security events and information. RBAC restricts access to audit and security logs based on the CLI sessions’ user roles. The types of information in this log consist of the following: • Establishment of secure traffic flows, such as SSH. • Violations on secure flows or certificate issues. • Adding and deleting of users.
Configuring Logging Format To display syslog messages in a RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
1. On the switch, enable the SSH server 2. On the syslog server, create a reverse SSH tunnel from the syslog server to the Dell OS switch, using following syntax: Dell(conf)#ip ssh server enable ssh -R :: user@remote_host -nNf In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.141 and the listening port is 5140 ssh -R 5140:10.156.166.48:5141 admin@10.16.131.
Log Messages in the Internal Buffer All error messages, except those beginning with %BOOTUP (Message), are log in the internal buffer.
In the previous lines, local7 is the logging facility level and debugging is the severity level. Changing System Logging Settings You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged. To specify the system logging settings, use the following commands.
Console logging: level Debugging Monitor logging: level Debugging Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes) Trap logging: level Informational %IRC-6-IRC_COMMUP: Link to peer RPM is up %RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
– lpr (for line printer system messages) – mail (for mail system messages) – news (for USENET news messages) – sys9 (system use) – sys10 (system use) – sys11 (system use) – sys12 (system use) – sys13 (system use) – sys14 (system use) – syslog (for syslog messages) – user (for user programs) – uucp (UNIX to UNIX copy protocol) Example of the show running-config logging Command To view non default settings, use the show running-config logging command in EXEC mode.
To view the logging synchronous configuration, use the show config command in LINE mode. Enabling Timestamp on Syslog Messages By default, syslog messages do not include a time/date stamp stating when the error or message was created. To enable timestamp, use the following command. • Add timestamp to syslog messages.
For more information about FTP, refer to RFC 959, File Transfer Protocol. Configuration Task List for File Transfer Services The configuration tasks for file transfer services are: • Enabling the FTP Server (mandatory) • Configuring FTP Server Parameters (optional) • Configuring FTP Client Parameters (optional) Enabling the FTP Server To enable the system as an FTP server, use the following command. To view FTP configuration, use the show running-config ftp command in EXEC privilege mode.
– For a Loopback interface, enter the keyword loopback then a number between 0 and 16383. – For a port channel interface, enter the keywords port-channel then a number from 1 to 128. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Example of an ACL that Permits Terminal Access To view the configuration, use the show config command in LINE mode. Dell(config-std-nacl)#show config ! ip access-list standard myvtyacl seq 5 permit host 10.11.0.1 Dell(config-std-nacl)#line vty 0 Dell(config-line-vty)#show config line vty 0 access-class myvtyacl Dell OS Behavior: Prior to Dell OS version 7.4.2.0, in order to deny access on a VTY line, apply an ACL and accounting, authentication, and authorization (AAA) to the line.
password myvtypassword login authentication myvtymethodlist line vty 1 password myvtypassword login authentication myvtymethodlist line vty 2 password myvtypassword login authentication myvtymethodlist Dell(config-line-vty)# Setting Time Out of EXEC Privilege Mode EXEC time-out is a basic security feature that returns the Dell Networking OS to EXEC mode after a period of inactivity on the terminal lines. To set time out, use the following commands. • Set the number of minutes and seconds.
Login: admin Password: Dell>exit Dell#telnet 2200:2200:2200:2200:2200::2201 Trying 2200:2200:2200:2200:2200::2201... Connected to 2200:2200:2200:2200:2200::2201. Exit character is '^]'. FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1) login: admin Dell# Lock CONFIGURATION Mode The systems allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2).
Limit Concurrent Login Sessions Dell Networking OS enables you to limit the number of concurrent login sessions of users on VTY, Aux, and console lines. You can also clear any of your existing sessions when you reach the maximum permitted number of concurrent sessions. By default, you can use all 10 VTY lines, one console line, and one Aux line. You can limit the number of available sessions using the login concurrent-session limit command and so restrict users to that specific number of sessions.
3 vty 1 10.14.1.97 Clear existing session? [line number/Enter to cancel]: When you try to create more than the permitted number of sessions, the following message appears, prompting you to close one of the existing sessions. If you close any of the existing sessions, you are allowed to login. : $ telnet 10.11.178.17 Trying 10.11.178.17... Connected to 10.11.178.17. Escape character is '^]'. Login: admin Password: Maximum concurrent sessions for the user reached.
The following example enables login activity tracking and configures the system to store the login activity details for 12 days. Dell(config)#login statistics enable Dell(config)#login statistics time-period 12 Display Login Statistics To view the login statistics, use the show login statistics command. Example of the show login statistics Command The show login statistics command displays the successful and failed login details of the current user in the last 30 days or the custom defined time period.
Example of the show login statistics user user-id command The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or the custom defined time period. Dell# show login statistics user admin -----------------------------------------------------------------User: admin Last login time: 12:52:01 UTC Tue Mar 22 2016 Last login location: Line vty0 ( 10.16.127.
7. Copy startup-config.bak to the running config. EXEC Privilege mode copy flash://startup-config.bak running-config 8. Remove all authentication statements you might have for the console. LINE mode no authentication login no password 9. Save the running-config. EXEC Privilege mode copy running-config startup-config 10. Set the system parameters to use the startup configuration file when the system reloads. uBoot mode setenv stconfigignore false 11. Save the running-config.
Recovering from a Failed Start A system that does not start correctly might be attempting to boot from a corrupted Dell Networking OS image or from a misspecified location. In this case, you can restart the system and interrupt the boot process to point the system to another boot location. Use the setenv command, as described in the following steps.
5 802.1X 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 3. EAP Frames Encapsulated in Ethernet and RADUIS The authentication process involves three devices: • The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. • The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
6. If the identity information provided by the supplicant is valid, the authentication server sends an Access-Accept frame in which network privileges are specified. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame. Figure 4. EAP Port-Authentication EAP over RADIUS 802.
RADIUS Attributes for 802.1 Support Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: Attribute 5 NAS-Port: the physical port number by which the authenticator is connected to the supplicant. Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server. Attribute 41 NAS-Port-Type: NAS-port physical port type. 5 indicates Ethernet.
Enabling 802.1X Enable 802.1X globally and at a interface level. Figure 6. 802.1X Enabled 1. Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2. Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3. Enable 802.1X on an interface or a range of interfaces. INTERFACE mode dot1x authentication Example of Verifying that 802.1X is Enabled Globally Example of Verifying 802.1X is Enabled on an Interface Verify that 802.
The bold lines show that 802.1X is enabled. Dell#show running-config | find dot1x dot1x authentication ! [output omitted] ! interface GigabitEthernet 2/1 ip address 2.2.2.2/24 dot1x authentication no shutdown ! interface GigabitEthernet 2/2 ip address 1.0.0.1/24 dot1x authentication no shutdown --More-View 802.1X configuration information for an interface using the show dot1x interface command. The bold lines show that 802.1X is enabled on all ports unauthorized by default.
The range is from 1 to 65535 (1 year) • The default is 30. Configure a maximum number of times the authenticator re-transmits a Request Identity frame. INTERFACE mode dot1x max-eap-req number The range is from 1 to 10. The default is 2. The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits a maximum of 10 times.
Auth PAE State: Backend State: Initialize Initialize Configuring dot1x Profile You can configure a dot1x profile for defining a list of trusted supplicant MAC addresses. A maximum of 10 dot1x profiles can be configured. The profile name length is limited to 32 characters. Thedot1x profile {profile-name} command sets the dot1x profile mode and you can enter profile-related commands, such as the mac command. To configure a dot1x profile, use the following commands. • Configure a dot1x profile.
• Configure static MAB and static MAB profile on dot1x interface. INTERFACE mode dot1x static-mab profile profile-name Eenter a name to configure the static MAB profile name. The profile name length is limited to a maximum of 32 characters.
interface TenGigabitEthernet 2/1 switchport dot1x critical-vlan 300 no shutdown Dell#show dot1x interface tengigabitethernet 2/1 802.
802.
Supplicant Timeout: 30 seconds Server Timeout: 30 seconds Re-Auth Interval:7200 seconds Max-EAP-Req: 10 Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize Auth PAE State: Initialize Configuring Timeouts If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. You can configure the amount of time the authenticator waits for a response.
Enter the tasks the user should do after finishing this task (optional). Configuring Dynamic VLAN Assignment with Port Authentication The system supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure: 1. The host sends a dot1x packet to the Dell Networking system 2. The system forwards a RADIUS REQEST packet containing the host MAC address and ingress port number 3.
Guest and Authentication-Fail VLANs Typically, the authenticator (the Dell Networking system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data. NOTE: Ports cannot be dynamically assigned to the default VLAN.
! interface GigabitEthernet 1/2 switchport dot1x guest-vlan 200 dot1x auth-fail-vlan 100 max-attempts 5 no shutdown Dell(conf-if-gi-1/2)# View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN or using the show dot1x interface command from EXEC Privilege mode. Dell(conf-if-gi-2/1)#dot1x port-control force-authorized Dell(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1 802.
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) This chapter describes the access control list (ACL) VLAN group and content addressable memory (CAM) enhancements. Optimizing CAM Utilization During the Attachment of ACLs to VLANs You can enable and configure the ACL CAM optimization functionality to minimize the number of entries in CAM while ACLs are applied on a VLAN or a set of VLANs, and also while ACLs are applied on a set of ports.
• A line card returns to the active state after going down, and this line card contains a VLAN that is a member of an ACL group. • The ACL VLAN group is deleted and it contains VLAN members. The ACL manager does not notify the ACL agent in the following cases: • The ACL VLAN group is created. • The ACL VLAN group is deleted and it does not contain any VLAN members. • The ACL is applied or removed from a group, and the ACL group does not contain a VLAN member.
increases the CAM space utilization. Attaching an ACL individually to VLAN interfaces is similar to the behavior of ACL-VLAN mapping storage in CAM prior to the implementation of the ACL VLAN group functionality. 1. Create an ACL VLAN group CONFIGURATION mode acl-vlan-group {group name} You can have up to eight different ACL VLAN groups at any given time. 2. Add a description to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode description description 3.
CONFIGURATION mode cam-acl-vlan vlaniscsi <0-2> 3. Allocate the number of FP blocks for ACL VLAN optimization feature. CONFIGURATION mode cam-acl-vlan vlanaclopt <0-2> 4. View the number of flow processor (FP) blocks that is allocated for the different VLAN services.
The following sample output displays the CAM space utilization when Layer 2 and Layer 3 ACLs are configured: Dell#show cam-usage acl Linecard|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|=============|=============|============ 11 | 0 | IN-L2 ACL | 1008 | 0 | 1008 | | IN-L3 ACL | 12288 | 2 | 12286 | | OUT-L2 ACL | 1024 | 2 | 1022 | | OUT-L3 ACL | 1024 | 0 | 1024 The following sample output displays the CAM space utilization for Layer 2 ACLs: Dell#show cam
To display the number of FP blocks that is allocated for the different VLAN services, you can use the show cam-acl-vlan command. After CAM configuration for ACL VLAN groups is performed, reboot the system to enable the settings to be stored in nonvolatile storage. During the initialization of CAM, the chassis manager reads the NVRAM and allocates the dynamic VCAP regions.
7 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, ACLs, prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
Implementing ACL on the Dell Networking OS You can assign one IP ACL per interface with the Dell Networking OS. If you do not assign an IP ACL to an interface, it is not used by the software in any other capacity. The number of entries allowed per ACL is hardware-dependent. For detailed specification on entries allowed per ACL, refer to your line card documentation. If you enable counters on IP ACL rules that are already configured, those counters are reset when a new rule is inserted or prepended.
Dell(conf-class-map)#match ip access-group acl1 Dell(conf-class-map)#exit Dell(conf)#class-map match-all cmap2 Dell(conf-class-map)#match ip access-group acl2 Dell(conf-class-map)#exit Dell(conf)#policy-map-input pmap Dell(conf-policy-map-in)#service-queue 7 class-map cmap1 Dell(conf-policy-map-in)#service-queue 4 class-map cmap2 Dell(conf-policy-map-in)#exit Dell(conf)#interface gig 1/0 Dell(conf-if-gi-1/0)#service-policy input pmap IP Fragment Handling The Dell Networking OS supports a configurable optio
• FO > 0 means it is dealing with the fragments of the original packet. Permit an ACL line with L3 information only, and the fragments keyword is present: If a packet’s L3 information matches the L3 information in the ACL line, the packet's FO is checked. • If a packet's FO > 0, the packet is permitted. • If a packet's FO = 0, the next ACL entry is processed.
To view the rules of a particular ACL configured on a particular interface, use the show ip accounting access-list ACLname interface interface command in EXEC Privilege mode. Example of Viewing the Rules of a Specific ACL on an Interface Example of the seq Command to Order Filters Dell#show ip accounting access-list ToOspf interface gig 1/6 Standard IP access list ToOspf seq 5 deny any seq 10 deny 10.2.0.0 /16 seq 15 deny 10.3.0.0 /16 seq 20 deny 10.4.0.0 /16 seq 25 deny 10.5.0.0 /16 seq 30 deny 10.6.0.
To view all configured IP ACLs, use the show ip accounting access-list command in EXEC Privilege mode. Dell#show ip accounting access example interface gig 4/12 Extended IP access list example seq 15 deny udp any any eq 111 seq 20 deny udp any any eq 2049 seq 25 deny udp any any eq 31337 seq 30 deny tcp any any range 12345 12346 seq 35 permit udp host 10.21.126.225 10.4.5.0 /28 seq 40 permit udp host 10.21.126.226 10.4.5.0 /28 seq 45 permit udp 10.8.0.0 /16 10.50.188.
Configuring Filters Without a Sequence Number If you are creating an extended ACL with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. The system assigns filters in multiples of five. To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the following commands: • Configure a deny or permit filter to examine IP packets.
For the following features, if you enable counters on rules that have already been configured and a new rule is either inserted or prepended, all the existing counters are reset: • L2 ingress access list • L3 egress access list • L2 egress access list • L3 ingress access list If a rule is simply appended, existing counters are not affected. Table 4. L2 and L3 Filtering on Switched Packets L2 ACL Behavior L3 ACL Behavior Decision on Targeted Traffic Deny Deny L3 ACL denies.
NOTE: The number of entries allowed per ACL is hardware-dependent. For detailed specification about entries allowed per ACL, refer to your line card documentation. 4. Apply rules to the new ACL. INTERFACE mode ip access-list [standard | extended] name To view which IP ACL is applied to an interface, use the show config command in INTERFACE mode, or use the show running-config command in EXEC mode.
Dell(conf-ext-nacl)#permit 1.1.1.2 Dell(conf-ext-nacl)#end Dell#show ip accounting access-list ! Extended Ingress IP access list abcd on tengigethernet 0/0 seq 5 permit tcp any any seq 10 deny icmp any any seq 15 permit 1.1.1.2 Configure Egress ACLs Configuring egress ACLs onto physical interfaces protects the system infrastructure from attack — malicious and incidental — by explicitly allowing only authorized traffic.
CONFIG-NACL mode permit ip {source mask | any | host ip-address} {destination mask | any | host ipaddress} count Dell Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group management protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU traffic. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface MAC address instead of VRRP virtual MAC address.
For a complete listing of all commands related to prefix lists, refer to the Dell Networking OS Command Line Interface Reference Guide. Creating a Prefix List To create a prefix list, use the following commands. 1. Create a prefix list and assign it a unique name. You are in PREFIX LIST mode. CONFIGURATION mode ip prefix-list prefix-name 2. Create a prefix list with a sequence number and a deny or permit action.
ip prefix-list prefix-name 2. Create a prefix list filter with a deny or permit action. CONFIG-NPREFIXL mode {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length] The optional parameters are: • ge min-prefix-length: is the minimum prefix length to be matched (from 0 to 32). • le max-prefix-length: is the maximum prefix length to be matched (from 0 to 32).
ip prefix-list filter_ospf: count: 4, range entries: 1, sequences: 5 - 10 Dell> Applying a Prefix List for Route Redistribution To pass traffic through a configured prefix list, use the prefix list in a route redistribution command. Apply the prefix list to all traffic redistributed into the routing process. The traffic is either forwarded or dropped, depending on the criteria and actions specified in the prefix list. To apply a filter to routes in RIP, use the following commands. • Enter RIP mode.
distribute-list prefix-list-name out [connected | rip | static] Example of Viewing Configured Prefix Lists (ROUTER OSPF mode) To view the configuration, use the show config command in ROUTER OSPF mode, or the show running-config ospf command in EXEC mode. Dell(conf-router_ospf)#show config ! router ospf 34 network 10.2.1.1 255.255.255.255 area 0.0.0.
Example of Resequencing ACLs When Remarks and Rules Have the Same Number Example of Resequencing ACLs When Remarks and Rules Have Different Numbers The example shows the resequencing of an IPv4 access-list beginning with the number 2 and incrementing by 2. Remarks and rules that originally have the same sequence number have the same sequence number after you apply the resequence command.
Route Maps Similar to ACLs and prefix lists, route maps are composed of a series of commands that contain a matching criterion and an action; however, route maps can change the packets meeting the criterion. ACLs and prefix lists can only drop or forward the packet or traffic. Route maps process routes for route redistribution. For example, a route map can be called to filter only specific routes and to add a metric. Route maps also have an “implicit deny.
The optional seq keyword allows you to assign a sequence number to the route map instance. Example of Viewing a Configured Route Map Example of Multiple Instances of a Route-Map Example of Deleting One Instance of a Route Map Example of Viewing All Instances of a Specified Route Map The default action is permit and the default sequence number starts at 10. When you use the keyword deny in configuring a route map, routes that meet the match filters are not redistributed.
Configure Route Map Filters Within ROUTE-MAP mode, there are match and set commands. • match commands search for a certain criterion in the routes. • set commands change the characteristics of routes, either adding something or specifying a level. When there are multiple match commands with the same parameter under one instance of route-map, the system does a match between all of those match commands.
– For a VLAN, enter the keyword vlan then a number from 1 to 4094. • – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Match destination routes specified in a prefix list (IPv4). CONFIG-ROUTE-MAP mode • match ip address prefix-list-name Match next-hop routes specified in a prefix list (IPv4). CONFIG-ROUTE-MAP mode • match ip next-hop {access-list-name | prefix-list prefix-list-name} Match source routes specified in a prefix list (IPv4).
• Specify a tag for the redistributed routes. CONFIG-ROUTE-MAP mode set tag tag-value To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low. Set commands do not require a corresponding match command. Configure a Route Map for Route Redistribution Route maps on their own cannot affect traffic and must be included in different commands to affect routing traffic.
Continue Clause Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found. The following example shows a continue clause at the end of a route-map module. In this example, if a match is found in the route-map “test” module 10, module 30 is processed.
• For IP packets that contain the transport layer protocol as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses, source and destination IP addresses, and the source and destination ports (Layer 4 parameters) are also recorded. If the packet contains an unidentified EtherType or transport layer protocol, the values for these parameters are saved as Unknown in the log message.
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [log [threshold-in-msgs count] ] 2. Specify the interval in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes. The default frequency at which ACL logs are generated is 5 minutes. If ACL logging is stopped because the configured threshold has exceeded, it is re-enabled after the logging interval period elapses.
If you configure the flow-based enable command and do not apply an ACL on the source port or the monitored port, both flow-based monitoring and port mirroring do not function. Flow-based monitoring is supported only for ingress traffic and not for egress packets. The port mirroring application maintains a database that contains all monitoring sessions (including port monitor sessions).
Enabling Flow-Based Monitoring Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 2 and Layer 3 ingress and egress traffic. You can specify traffic using standard or extended access-lists. 1. Enable flow-based monitoring for a monitoring session. MONITOR SESSION mode flow-based enable 2.
8 Bidirectional Forwarding Detection (BFD) Bidirectional forwarding detection (BFD) is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 8. BFD in IPv4 Packet Format Field Description Diagnostic Code The reason that the last session failed. State The current local session state. Refer to BFD Sessions. Flag A bit that indicates packet function.
Field Description My Discriminator A random number generated by the local system to identify the session. Your Discriminator A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface. Desired Min TX Interval The minimum rate at which the local system would like to send control packets to the remote system.
Administratively Down The local system does not participate in a particular session. Down The remote system is not sending control packets or at least not within the detection time for a particular session. Init The local system is communicating. Up Both systems are exchanging control packets. The session is declared down if: • A control packet is not received within the detection time. • Sufficient echo packets are lost.
Figure 9.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 10. Session State Changes Important Points to Remember • BFD for line card ports is hitless, but is not hitless for VLANs because they are instantiated on the RPM.
• Configure BFD for OSPF • Configure BFD for OSPFv3 • Configure BFD for BGP • Configure BFD for VRRP • Configure BFD for VLANs • Configuring Protocol Liveness • Troubleshooting BFD Configure BFD for Physical Ports BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
Establishing a Session on Physical Ports To establish a session, enable BFD at the interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match. Figure 11. Establishing a BFD Session on Physical Ports 1. Enter interface mode. CONFIGURATION mode interface 2. Assign an IP address to the interface if one is not already assigned. INTERFACE mode ip address ip-address 3.
Configured parameters: TX: 200ms, RX: 200ms, Multiplier: 3 Neighbor parameters: TX: 200ms, RX: 200ms, Multiplier: 3 Actual parameters: TX: 200ms, RX: 200ms, Multiplier: 3 Role: Active Delete session on Down: False Client Registered: CLI Uptime: 00:03:57 Statistics: Number of packets received from neighbor: 1775 Number of packets sent to neighbor: 1775 Number of state changes: 1 Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 4 Log messages displa
Number Number Number Number of of of of packets sent to neighbor: 4093 state changes: 1 messages from IFA about port state change: 0 messages communicated b/w Manager and Agent: 7 Disabling and Re-Enabling BFD BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured.
Establishing Sessions for Static Routes Sessions are established for all neighbors that are the next hop of a static route. Figure 12. Establishing Sessions for Static Routes To establish a BFD session, use the following command. • Establish BFD sessions for all neighbors that are the next hop of a static route. CONFIGURATION mode ip route bfd Example of the show bfd neighbors Command to Verify Static Routes To verify that sessions have been created for static routes, use the show bfd neighbors command.
ip route bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive] To view session parameters, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information. Disabling BFD for Static Routes If you disable BFD, all static route BFD sessions are torn down. A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state. To disable BFD for static routes, use the following command.
Establishing Sessions with OSPF Neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 13. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. • Establish sessions with all OSPF neighbors.
The bold line shows the OSPF BFD sessions. R2(conf-router_ospf)#bfd all-neighbors R2(conf-router_ospf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr * 2.2.2.2 * 2.2.3.1 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Gi 2/1 Up 200 200 3 O 2.2.3.2 Gi 2/2 Up 200 200 3 O Changing OSPF Session Parameters Configure BFD sessions with default intervals and a default role.
Configuring BFD for OSPFv3 is a two-step process: 1. Enable BFD globally. 2. Establish sessions with OSPFv3 neighbors. Related Configuration Tasks • Changing OSPFv3 Session Parameters • Disabling BFD for OSPFv3 Establishing Sessions with OSPFv3 Neighbors You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPFv3 adjacency is in the Full state.
• Disable BFD sessions with all OSPFv3 neighbors. ROUTER-OSPFv3 mode no bfd all-neighbors • Disable BFD sessions with OSPFv3 neighbors on a single interface. INTERFACE mode ipv6 ospf bfd all-neighbors disable Configure BFD for BGP In a BGP core network, bidirectional forwarding detection (BFD) provides rapid detection of communication failures in BGP fastforwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence.
Figure 14. Establishing Sessions with BGP Neighbors The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor: • By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command). • By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command) BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
CONFIGURATION mode router bgp as-number 3. Add a BGP neighbor or peer group in a remote AS. CONFIG-ROUTERBGP mode neighbor {ip-address | peer-group name} remote-as as-number 4. Enable the BGP neighbor. CONFIG-ROUTERBGP mode neighbor {ip-address | peer-group-name} no shutdown 5. Configure parameters for a BFD session established with all neighbors discovered by BGP. OR Establish a BFD session with a specified BGP neighbor or peer group using the default BFD session parameters.
• Explicitly enabled (the neighbor ip-address bfd command) • Explicitly disabled (the neighbor ip-address bfd disable command) • Inherited (neither explicitly enabled or disabled) according to the current BFD configuration of the peer group. For information about BGP peer groups, refer to Configuring Peer Groups.
neighbor 3.3.3.2 remote-as 1 neighbor 3.3.3.2 no shutdown bfd all-neighbors R2# show bfd neighbors * - Active session role Ad Dn - Admin Down B - BGP C - CLI I - ISIS O - OSPF R - Static Route (RTM) M - MPLS V - VRRP LocalAddr * 1.1.1.3 * 2.2.2.3 * 3.3.3.3 RemoteAddr 1.1.1.2 2.2.2.2 3.3.3.
Statistics: Number of packets received from neighbor: 1428 Number of packets sent to neighbor: 1428 Number of state changes: 1 Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 4 R2# show bfd counters bgp Interface TenGigabitEthernet 6/0 Protocol BGP Messages: Registration De-registration Init Up Down Admin Down : : : : : : 5 4 0 6 0 2 Interface TenGigabitEthernet 6/1 Protocol BGP Messages: Registration De-registration Init Up Down Admin Down :
Last read 00:00:30, last write 00:00:30 Hold time is 180, keepalive interval is 60 seconds Received 8 messages, 0 in queue 1 opens, 0 notifications, 0 updates 7 keepalives, 0 route refresh requests Sent 9 messages, 0 in queue 2 opens, 0 notifications, 0 updates 7 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_R
3. On the master router, establish a VRRP BFD sessions with the backup routers. Refer to Establishing Sessions with All VRRP Neighbors. Related Configuration Tasks • Changing VRRP Session Parameters. • Disabling BFD for VRRP. Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 15.
Example of Viewing Sessions with VRRP Neighbors Example of Viewing VRRP Session State Information To view the established sessions, use the show bfd neighbors command. The bold line shows that VRRP BFD sessions are enabled. R1(conf-if-gi-4/25)#vrrp bfd all-neighbors R1(conf-if-gi-4/25)#do show bfd neighbor * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) V - VRRP LocalAddr * 2.2.5.1 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.5.
Disabling BFD for VRRP If you disable any or all VRRP sessions, the sessions are torn down. A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to the Down state. To disable all VRRP sessions on an interface, sessions for a particular VRRP group, or for a particular VRRP session on an interface, use the following commands. • Disable all VRRP sessions on an interface. INTERFACE mode no vrrp bfd all-neighbors • Disable all VRRP sessions in a VRRP group.
Establish Sessions with VLAN Neighbors To establish a session, enable BFD at interface level on both ends of the link, as shown in the following illustration. The session parameters do not need to match. Figure 16. Establishing Sessions with VLAN Neighbors To establish a BFD session with a VLAN neighbor, follow this step. • Establish sessions with a VLAN neighbor.
Disabling BFD for VLANs If you disable BFD on an interface, sessions on the interface are torn down. A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to the Down state. To disable BFD on a VLAN interface, use the following command. • Disable all sessions on a VLAN interface. INTERFACE VLAN mode no bfd enable Configure BFD for Port-Channels BFD on port-channels is analogous to BFD on physical ports.
To establish a session on a port-channel, use the bfd neighbor ip-address command in INTERFACE PORT-CHANNEL mode. View the established sessions using the show bfd neighbors command, as shown in Changing Port-Channel Session Parameters. Viewing Established Sessions for VLAN Neighbors R2(conf-if-po-1)#bfd neighbors 2.2.2.
Troubleshooting BFD To troubleshoot BFD, use the following commands and examples. To control packet field values or to examine the control packets in hexadecimal format, use the following command. • Examine control packet field values. CONFIGURATION mode debug bfd detail • Examine the control packets in hexadecimal format.
9 Border Gateway Protocol IPv4 (BGPv4) This chapter provides a general description of BGPv4 as it is supported in the Dell Networking operating system. BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of the BGP is to exchange network reachability information with other BGP systems.
Figure 18. Interior BGP BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol — a computer network in which BGP maintains the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are easily detected and discarded.
Figure 19. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor. Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies.
State Description Idle BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer. Connect In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires. Active The router resets the ConnectRetry timer to zero and returns to the Connect state.
Figure 20. BGP Router Rules 1. Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D. 2. Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B. 3.
they were received from the neighbors because MED may or may not get compared between the adjacent paths. In deterministic mode, the system compares MED between the adjacent paths within an AS group because all paths in the AS group are from the same AS. NOTE: In the Dell Networking OS version 8.3.11.4, the bgp bestpath as-path multipath-relax command is disabled by default, preventing BGP from load-balancing a learned route across two or more eBGP peers.
6. Prefer the path with the lowest multi-exit discriminator (MED) attribute. The following criteria apply: a. This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs are compared only if the first AS in the AS_SEQUENCE is the same for both paths. b. If you entered the bgp always-compare-med command, MEDs are compared for all paths. c. Paths with no MED are treated as “worst” and assigned a MED of 4294967295. 7.
Figure 22. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 23. Multi-Exit Discriminators NOTE: With the Dell Networking OS version 8.3.1.0, configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
Example of Viewing AS Paths Dell#show ip bgp paths Total 30655 Paths Address Hash Refcount Metric 0x4014154 0 3 18508 0x4013914 0 3 18508 0x5166d6c 0 3 18508 0x5e62df4 0 2 18508 0x3a1814c 0 26 18508 0x567ea9c 0 75 18508 0x6cc1294 0 2 18508 0x6cc18d4 0 1 18508 0x5982e44 0 162 18508 0x67d4a14 0 2 18508 0x559972c 0 31 18508 0x59cd3b4 0 2 18508 0x7128114 0 10 18508 0x536a914 0 3 18508 0x2ffe884 0 1 18508 Path 701 3549 19421 i 701 7018 14990 i 209 4637 1221 9249 9249 i 701 17302 i 209 22291 i 209 3356 2529 i 20
Advertise IGP Cost as MED for Redistributed Routes When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as MED value. The Dell Networking OS version 8.3.1.
Traditional Format DOT Format 65001 0.65501 65536 1.0 100000 1.34464 4294967295 65535.65535 When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte identified routers. You cannot mix them. Configure 4-byte AS numbers with the four-octet-support command. AS4 Number Representation The Dell Networking OS version 8.2.1.0 supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot.
BGP table version is 24901, local router ID is 172.30.1.57
allowing Router B to appear as if it still belongs to Router B’s old network (AS 200) as far as communicating with Router C is concerned. Figure 24. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the no prepend option, the Local-AS does not prepend to the updates received from the eBGP peer.
BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances Dell Networking OS BGP management information base (MIB) support with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website. NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
Traps (notifications) specified in the BGP4 MIB draft are not supported. Such traps (bgpM2Established and bgpM2BackwardTransition) are supported as part of RFC 1657.
Item Default Timers keepalive = 60 seconds holdtime = 180 seconds Add-path Disabled Enabling BGP By default, BGP is not enabled on the system. The Dell Networking OS supports one autonomous system (AS) and assigns the AS number (ASN). To establish BGP sessions and route traffic, configure at least one BGP neighbor or peer. In BGP, routers with an established TCP connection are called neighbors or peers.
2. Add a neighbor as a remote AS. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group name} remote-as as-number • peer-group name: 16 characters • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format) Formats: IP Address A.B.C.D You must use Configuring Peer Groups before assigning them a remote AS. 3. Enable the BGP neighbor.
For the router’s identifier, the system uses the highest IP address of the Loopback interfaces configured. Because Loopback interfaces are virtual, they cannot go down, thus preventing changes in the router ID. If you do not configure Loopback interfaces, the highest IP address of any interface is used as the router ID. To view the status of BGP neighbors, use the show ip bgp neighbors command in EXEC Privilege mode as shown in the first example.
network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list ISP1in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.
neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957 Dell(conf-router_bgp)#bgp asnotation asdot Dell(conf-router_bgp)#sho conf ! router bgp 100 bgp asnotation asdot bgp four-octet-as-support neighbor 172.30.1.250 remote-as 18508 neighbor 172.30.1.250 local-as 65057 neighbor 172.30.1.250 route-map rmap1 in neighbor 172.30.1.
6. Add a neighbor as a remote AS. CONFIG-ROUTERBGP mode neighbor {ip-address | peer-group name} remote-as as-number Formats: IP Address A.B.C.D • • Peer-Group Name: 16 characters. as-number: the range is from 0 to 65535 (2-Byte) or 1 to 4294967295 | 0.1 to 65535.65535 (4-Byte) or 0.1 to 65535.65535 (Dotted format) To add an external BGP (EBGP) neighbor, configure the as-number parameter with a number different from the BGP asnumber configured in the router bgp as-number command.
! router bgp 45 bgp fast-external-fallover bgp log-neighbor-changes neighbor zanzibar peer-group neighbor zanzibar no shutdown neighbor 10.1.1.1 remote-as 65535 neighbor 10.1.1.1 shutdown To disable a peer group, use the neighbor peer-group-name shutdown command in CONFIGURATION ROUTER BGP mode. The configuration of the peer group is maintained, but it is not applied to the peer group members.
CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} fail-over Example of Verifying that Fast Fail-Over is Enabled on a BGP Neighbor Example of Verifying that Fast Fail-Over is Enabled on a Peer-Group To verify fast fail-over is enabled on a particular BGP neighbor, use the show ip bgp neighbors command. Because fast failover is disabled by default, it appears only if it has been enabled (shown in bold). Dell#sh ip bgp neighbors BGP neighbor is 100.100.100.
Configuring Passive Peering When you enable a peer-group, the software sends an OPEN message to initiate a TCP connection. If you enable passive peering for the peer group, the software does not send an OPEN message, but it responds to an OPEN message. When a BGP neighbor connection with authentication configured is rejected by a passive peer-group, the system does not allow another passive peer-group on the same subnet to connect with the BGP neighbor.
Example of the Verifying that Local AS Numbering is Disabled The first line in bold shows the actual AS number. The second two lines in bold show the local AS number (6500) maintained during migration. To disable this feature, use the no neighbor local-as command in CONFIGURATION ROUTER BGP mode. R2(conf-router_bgp)#show conf ! router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.
neighbor neighbor neighbor neighbor neighbor 100.10.92.9 local-as 6500 100.10.92.9 no shutdown 192.168.10.1 remote-as 65123 192.168.10.1 update-source Loopback 0 192.168.10.1 no shutdown Enabling Graceful Restart Use this feature to lessen the negative effects of a BGP restart. The Dell Networking OS advertises support for this feature to BGP neighbors through a capability advertisement. You can enable graceful restart by router and/or by peer or peer group.
With the graceful restart feature, the system enables the receiving/restarting mode by default. In Receiver-Only mode, graceful restart saves the advertised routes of peers that support this capability when they restart. This option provides support for remote peers for their graceful restart without supporting the feature itself. You can implement BGP graceful restart either by neighbor or by BGP peer-group. For more information, refer to the Dell Networking OS Command Line Interface Reference Guide.
exit 4. Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5. Use a configured AS-PATH ACL for route filtering and manipulation. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out} If you assign an non-existent or empty AS-PATH ACL, the software allows all routes. Example of the show ip bgp paths Command To view all BGP path attributes in the BGP database, use the show ip bgp paths command in EXEC Privilege mode.
Regular Expression Definition + (plus) Matches 1 or more sequences of the immediately previous character or pattern. ? (question) Matches 0 or 1 sequence of the immediately previous character or pattern. ( ) (parenthesis) Specifies patterns for multiple use when one of the multiplier metacharacters follows: asterisk *, plus sign +, or question mark ? [ ] (brackets) Matches any enclosed character and specifies a range of single characters.
• Include, directly connected or user-configured (static) routes in BGP. ROUTER BGP or CONF-ROUTER_BGPv6_ AF mode redistribute {connected | static} [route-map map-name] Configure the map-name parameter to specify the name of a configured route map. • Include specific ISIS routes in BGP.
Configuring IP Community Lists Within the Dell Networking OS, you have multiple methods of manipulating routing attributes. One attribute you can manipulate is the COMMUNITY attribute. This attribute is an optional attribute that is defined for a group of destinations. You can assign a COMMUNITY attribute to BGP routers by using an IP community list. After you create an IP community list, you can apply routing decisions to all routers meeting the criteria in the IP community list.
Configuring an IP Extended Community List To configure an IP extended community list, use these commands. 1. Create a extended community list and enter the EXTCOMMUNITY-LIST mode. CONFIGURATION mode ip extcommunity-list extcommunity-list-name 2. Two types of extended communities are supported.
4. Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number AS-number: 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.65535 (Dotted format) 5. Apply the route map to the neighbor or peer group’s incoming or outgoing routes. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-map map-name {in | out} To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
exit 4. Enter the ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5. Apply the route map to the neighbor or peer group’s incoming or outgoing routes. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-map map-name {in | out} Example of the show ip bgp community Command To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
• Change the LOCAL_PREF value. CONFIG-ROUTER-BGP mode bgp default local-preference value – value: the range is from 0 to 4294967295. The default is 100. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. A more flexible method for manipulating the LOCAL_PREF attribute value is to use a route map. 1. Enter the ROUTE-MAP mode and assign a name to a route map.
Changing the WEIGHT Attribute To change how the WEIGHT attribute is used, enter the first command. You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to specify the next hop address. • Assign a weight to the neighbor connection. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} weight weight – weight: the range is from 0 to 65535. • The default is 0. Sets weight for the route.
NOTE: When you configure a new set of BGP policies, to ensure the changes are made, always reset the neighbor or peer group by using the clear ip bgp command in EXEC Privilege mode. To filter routes using prefix lists, use the following commands. 1. Create a prefix list and assign it a name. CONFIGURATION mode ip prefix-list prefix-name 2. Create multiple prefix list filters with a deny or permit action.
route-map map-name [permit | deny] [sequence-number] 2. Create multiple route map filters with a match or set action. CONFIG-ROUTE-MAP mode {match | set} For information about configuring route maps, refer to Access Control Lists (ACLs). 3. Return to CONFIGURATION mode. CONFIG-ROUTE-MAP mode exit 4. Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5. Filter routes based on the criteria in the configured route map.
• ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. • as-path-name: enter the name of a configured AS-PATH ACL. • in: apply the AS-PATH ACL map to inbound routes. • out: apply the AS-PATH ACL to outbound routes. To view which commands are configured, use the show config command in CONFIGURATION ROUTER BGP mode and the show ip as-path-access-list command in EXEC Privilege mode. To forward all routes not meeting the AS-PATH ACL criteria, include the permit .
Network *> 7.0.0.0/29 *> 7.0.0.0/30 *>a 9.0.0.0/8 Next Hop 10.114.8.33 10.114.8.33 192.0.0.0 Metric LocPrf Weight Path 0 0 18508 ? 0 0 18508 ? 32768 18508 701 {7018 2686 3786} ? Configuring BGP Confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, BGP confederations are recommended only for IBGP peering involving many IBGP peering sessions per router.
To configure route flap dampening parameters, set dampening parameters using a route map, clear information on route dampening and return suppressed routes to active state, view statistics on route flapping, or change the path selection from the default mode (deterministic) to non-deterministic, use the following commands. • Enable route dampening.
NOTE: When you change the best path selection method, path selection for existing paths remains unchanged until you reset it by entering the clear ip bgp command in EXEC Privilege mode. Example of Configuring a Route for Reuse or Restart Example of Viewing the Number of Dampened Routes To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
– keepalive: the range is from 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. The default is 60 seconds. • – holdtime: the range is from 3 to 65536. Time interval, in seconds, between the last keepalive message and declaring the router dead. The default is 180 seconds. Configure timer values for all neighbors. CONFIG-ROUTER-BGP mode timers bgp keepalive holdtime – keepalive: the range is from 1 to 65535.
BGP stores all the updates received by the neighbor but does not reset the peer-session. Entering this command starts the storage of updates, which is required to do inbound soft reconfiguration. Outbound BGP soft reconfiguration does not require inbound soft reconfiguration to be enabled. Example of Soft-Reconfigration of a BGP Neighbor The example enables inbound soft reconfiguration for the neighbor 10.108.1.1.
• When exchanging updates with the peer, BGP sends and receives IPv4 multicast routes if the peer is marked as supporting that AFI/SAFI. • Exchange of IPv4 multicast route information occurs through the use of two new attributes called MP_REACH_NLRI and MP_UNREACH_NLRI, for feasible and withdrawn routes, respectively. • If the peer has not been activated in any AFI/SAFI, the peer remains in Idle state.
EXEC Privilege mode debug ip bgp [ip-address | peer-group peer-group-name] updates [in | out] [prefix-list name] • Enable soft-reconfiguration debug. EXEC Privilege mode debug ip bgp {ip-address | peer-group-name} soft-reconfiguration In-BGP is shown using the show ip protocols command. The system displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode.
'UPDATE error/Missing well-known attr' Sent : 1 Recv: 0 'Connection Reset' Sent : 1 Recv: 0 PDU Counters The Dell Networking OS version 7.5.1.0 introduces additional counters for various types of PDUs sent and received from neighbors. These are seen in the output of the show ip bgp neighbor command. Sample Configurations The following example configurations show how to enable BGP and set up some peer groups. These examples are not comprehensive directions.
Example of Enabling BGP (Router 1) Example of Enabling BGP (Router 2) Example of Enabling BGP (Router 3) Example of Enabling Peer Groups (Router 1) Example of Enabling Peer Groups (Router 2) Example of Enabling Peer Groups (Router 3) R1# conf R1(conf)#int loop 0 R1(conf-if-lo-0)#ip address 192.168.128.1/24 R1(conf-if-lo-0)#no shutdown R1(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.1/24 no shutdown R1(conf-if-lo-0)#int gig 1/21 R1(conf-if-gi-1/21)#ip address 10.0.1.
192.168.128.3 100 5 R1# 4 1 0 0 00:00:09 4 R2# conf R2(conf)#int loop 0 R2(conf-if-lo-0)#ip address 192.168.128.2/24 R2(conf-if-lo-0)#no shutdown R2(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.2/24 no shutdown R2(conf-if-lo-0)#int gig 2/11 R2(conf-if-gi-2/11)#ip address 10.0.1.22/24 R2(conf-if-gi-2/11)#no shutdown R2(conf-if-gi-2/11)#show config ! interface GigabitEthernet 2/11 ip address 10.0.1.
R3(conf-if-lo-0)#ip address 192.168.128.3/24 R3(conf-if-lo-0)#no shutdown R3(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.3/24 no shutdown R3(conf-if-lo-0)#int gig 3/11 R3(conf-if-gi-3/11)#ip address 10.0.3.33/24 R3(conf-if-gi-3/11)#no shutdown R3(conf-if-gi-3/11)#show config ! interface GigabitEthernet 3/11 ip address 10.0.3.33/24 no shutdown R3(conf-if-lo-0)#int gig 3/21 R3(conf-if-gi-3/21)#ip address 10.0.2.
R1(conf-router_bgp)# neighbor 192.168.128.2 peer-group AAA R1(conf-router_bgp)# neighbor 192.168.128.3 peer-group BBB R1(conf-router_bgp)# R1(conf-router_bgp)#show config ! router bgp 99 network 192.168.128.0/24 neighbor AAA peer-group neighbor AAA no shutdown neighbor BBB peer-group neighbor BBB no shutdown neighbor 192.168.128.2 remote-as 99 neighbor 192.168.128.2 peer-group AAA neighbor 192.168.128.2 update-source Loopback 0 neighbor 192.168.128.2 no shutdown neighbor 192.168.128.
Notification History 'Connection Reset' Sent : 1 Recv: 0 Last notification (len 21) sent 00:00:57 ago ffffffff ffffffff ffffffff ffffffff 00150306 00000000 Local host: 192.168.128.1, Local port: 179 Foreign host: 192.168.128.2, Foreign port: 65464 BGP neighbor is 192.168.128.3, remote AS 100, external link Member of peer-group BBB for session parameters BGP version 4, remote router ID 192.168.128.
1 network entrie(s) using 132 bytes of memory 3 paths using 204 bytes of memory BGP-RIB over all using 207 bytes of memory 2 BGP path attribute entrie(s) using 128 bytes of memory 2 BGP AS-PATH entrie(s) using 90 bytes of memory 2 neighbor(s) using 9216 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 192.168.128.1 99 140 136 2 0 (0) 00:11:24 1 192.168.128.3 100 138 140 2 0 (0) 00:18:31 1 R2#show ip bgp neighbor BGP neighbor is 192.168.128.
85 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 1,
ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 2, neighbor version 2 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer Prefixes advertised 1, denied 0, withdrawn 0 from peer Border Gateway Protocol IPv4 (BGPv4) 211
10 Content Addressable Memory (CAM) Content addressable memory (CAM) is a type of memory that stores information in the form of a lookup table. On Dell Networking systems, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies. CAM Allocation Allocate space for IPV4 ACLs and quality of service (QoS) regions by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in filter processor (FP) blocks.
NOTE: Selecting default resets the CAM entries to the default settings. Select l2acl to allocate space for the ACLs and QoS regions. 2. Enter the number of FP blocks for each region. EXEC Privilege mode l2acl number ipv4acl number ipv6acl number, ipv4qos number l2qos number, l2pt number ipmacacl number ecfmacl number nlbcluster number[vman-qos | vman-dual-qos number 3. Reload the system. EXEC Privilege mode reload 4. Verify that the new settings will be written to the CAM on the next boot.
L2Qos L2PT IpMacAcl VmanQos VmanDualQos EcfmAcl FcoeAcl iscsiOptAcl Dell# : : : : : : : : 1 0 0 0 0 0 0 2 CAM Optimization When you enable this command, if a Policy Map containing classification rules (ACL and/or dscp/ ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only 1 FP entry is used). When you disable this command, the system behaves as described in this chapter.
11 Control Plane Policing (CoPP) Dell Networking OS supports control plane policing (CoPP). CoPP uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane, rate-limits, traffic to an acceptable level.
Figure 27. CoPP Implemented Versus CoPP Not Implemented Configure Control Plane Policing The switch can process maximum of 4200 PPS (packets per second). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though Per Protocol CoPP is applied. This happens because QueueBased Rate Limiting is applies first.
Configuring CoPP for Protocols This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffics according to the ACL.
Dell(conf)#ip access-list extended bgp cpu-qos Dell(conf-ip-acl-cpuqos)#permit bgp Dell(conf-ip-acl-cpuqos)#exit Dell(conf)#mac access-list extended lacp cpu-qos Dell(conf-mac-acl-cpuqos)#permit lacp Dell(conf-mac-acl-cpuqos)#exit Dell(conf)#ipv6 access-list ipv6-icmp cpu-qos Dell(conf-ipv6-acl-cpuqos)#permit icmp Dell(conf-ipv6-acl-cpuqos)#exit Dell(conf)#ipv6 access-list ipv6-vrrp cpu-qos Dell(conf-ipv6-acl-cpuqos)#permit vrrp Dell(conf-ipv6-acl-cpuqos)#exit Dell(conf)#qos-policy-in rate_limit_200k cpu-qo
qos-policy-input name cpu-qos 2. Create an input policy-map to assign the QoS policy to the desired service queues.l. CONFIGURATION mode policy-map--input name cpu-qos service-queue 0 qos-policy name 3. Enter Control Plane mode. CONFIGURATION mode control-plane-cpuqos 4. Assign a CPU queue-based service policy on the control plane in cpu-qos mode. Enabling this command sets the queue rates according to those configured.
To view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping command.
12 Data Center Bridging (DCB) Data center bridging (DCB) is supported on the FC Flex IO module installed in the MXL 10/40GbE Switch. Ethernet Enhancements in Data Center Bridging The following section describes DCB.
• Data Center Bridging Exchange (DCBx) protocol NOTE: In the Dell Networking OS version 8.3.12.0, only the PFC, ETS, and DCBx features are supported in data center bridging. Priority-Based Flow Control In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion.
bandwidth. For example, you can prioritize low-latency storage or server cluster traffic in a traffic class to receive more bandwidth and restrict best-effort LAN traffic assigned to a different traffic class. Although you can configure strict-priority queue scheduling for a priority group, ETS introduces flexibility that allows the bandwidth allocated to each priority group to be dynamically managed according to the amount of LAN, storage, and server traffic in a flow.
• ETS uses the DCB MIB IEEE 802.1azd2.5. Data Center Bridging Exchange Protocol (DCBx) DCBx allows a switch to automatically discover DCB-enabled peers and exchange configuration information. PFC and ETS use DCBx to exchange and negotiate parameters with peer devices. DCBx capabilities include: • Discovery of DCB capabilities on peer-device connections. • Determination of possible mismatch in DCB configuration on a peer link. • Configuration of a peer device over a DCB link.
DCB processes virtual local area network (VLAN)-tagged packets and dot1p priority values. Untagged packets are treated with a dot1p priority of 0. For DCB to operate effectively, you can classify ingress traffic according to its dot1p priority so that it maps to different data queues. The dot1p-queue assignments used are shown in the following table. On the MXL Switch, by default, DCB is enabled and MMU buffers are reserved to achieve no-drop traffic handling for PFC.
3. Specify the dot1p priority-to-priority group mapping for each priority. Priority-group range: 0 to 7. DCB MAP mode priority-pgid dot1p0_group_num dot1p1_group_num dot1p2_group_num dot1p3_group_num dot1p4_group_num dot1p5_group_num dot1p6_group_num dot1p7_group_num All priorities that map to the same queue must be in the same priority group.Leave a space between each priority group number.
2. Enable PFC on specified priorities. Range: 0-7. Default: None.Maximum number of lossless queues supported on an Ethernet port: 2.Separate priority values with a comma. Specify a priority range with a dash, for example: pfc priority 3,5-7. INTERFACE mode pfc priority priority-range You cannot configure PFC using the pfc priority command on an interface on which a DCB map has been applied or which is already configured for lossless queues (pfc no-drop queues command).
values with a comma; specify a priority range with a dash; for example: pfc no-drop queues 1,3 or pfc no-drop queues 2-3 Default: No lossless queues are configured. INTERFACE mode pfc no-drop queuesqueue-range Data Center Bridging: Default Configuration Before you configure PFC and ETS on a switch see the priority group setting taken into account the following default settings: DCB is enabled. PFC and ETS are globally enabled by default.
The show dcb command has been enhanced to display the following additional buffer-related information: Dell(conf)#do show dcb dcb Status : Enabled PFC Queue Count : 2 --Indicate the PFC queue configured.
To honor a PFC pause frame multiplied by the number of PFC-enabled ingress ports, the minimum link delay must be greater than the round-trip transmission time the peer requires. NOTE: You cannot enable PFC and link-level flow control at the same time on an interface. The Dell Networking OS does not support MACsec Bypass Capability (MBC).
The range is from 0 to 3. Separate the queue values with a comma; specify a priority range with a dash; for example, pfc nodrop queues 1,3 or pfc no-drop queues 2-3. The default: No lossless queues are configured. NOTE: Dell Networking OS Behavior: By default, no lossless queues are configured on a port. A limit of two lossless queues is supported on a port. If the amount of priority traffic that you configure to be paused exceeds the two lossless queues, an error message displays.
Priority-Based Flow Control Using Dynamic Buffer Method In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion. When PFC detects congestion on a queue for a specified priority, it sends a pause frame for the 802.1p priority traffic to the transmitting device.
Configure Enhanced Transmission Selection ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs. Using ETS, you can create groups within an 802.1p priority class to configure different treatment for traffic with different bandwidth, latency, and best-effort needs. For example, storage traffic is sensitive to frame loss; interprocess communication (IPC) traffic is latency-sensitive.
PRIORITY-GROUP mode priority-list value The range is from 0 to 7. The default is none. Separate priority values with a comma. Specify a priority range with a dash. For example, priority-list 3,5-7. 4. Exit priority-group configuration mode. PRIORITY-GROUP mode exit 5. Repeat Steps 1 to 4 to configure all remaining dot1p priorities in an ETS priority group. Dell Networking OS Behavior: A priority group consists of 802.
Configuring Bandwidth Allocation for DCBx CIN After you apply an ETS output policy to an interface, if the DCBx version used in your data center network is CIN, you may need to configure a QoS output policy to overwrite the default CIN bandwidth allocation. This default setting divides the bandwidth allocated to each port queue equally between the dot1p priority traffic assigned to the queue. For more information, refer to Allocating Bandwidth to Queue.
Hierarchical Scheduling in ETS Output Policies ETS supports up to three levels of hierarchical scheduling. For example, you can apply ETS output policies with the following configurations: Priority group 1 Assigns traffic to one priority queue with 20% of the link bandwidth and strict-priority scheduling. Priority group 2 Assigns traffic to one priority queue with 30% of the link bandwidth.
Using PFC and ETS to Manage Data Center Traffic The following shows examples of using PFC and ETS to manage your data center traffic. In the following example: • Incoming SAN traffic is configured for priority-based flow control. • Outbound LAN, IPC, and SAN traffic is mapped into three ETS priority groups and configured for enhanced traffic selection (bandwidth allocation and scheduling). • One lossless queue is used. Figure 31.
dot1p Value in Incoming Frame Queue Assignment 0 0 1 0 2 0 3 1 4 2 5 3 6 3 7 3 The following describes the dot1p-priority class group assignment dot1p Value in the Incoming Frame Priority Group Assignment 0 LAN 1 LAN 2 LAN 3 SAN 4 IPC 5 LAN 6 LAN 7 LAN The following describes the priority group-bandwidth assignment.
Applying DCB Policies in a Switch Stack You can apply a DCB policy with PFC configuration to all stacked ports in a switch stack or on a stacked switch. You can apply different DCB policies to different stacked switches. To apply DCB policies in a switch stack, use the following command. • Apply the specified DCB policy on all ports of the switch stack or a single stacked switch.
When an auto-upstream port (besides the configuration source) receives and overwrites its configuration with internally propagated information, one of the following actions is taken: • If the peer configuration received is compatible with the internally propagated port configuration, the link with the DCBx peer is enabled.
NOTE: On a DCBx port, application priority TLV advertisements are handled as follows: • The application priority TLV is transmitted only if the priorities in the advertisement match the configured PFC priorities on the port. • On auto-upstream and auto-downstream ports: – If a configuration source is elected, the ports send an application priority TLV based on the application priority TLV received on the configuration-source port.
Propagation of DCB Information When an auto-upstream or auto-downstream port receives a DCB configuration from a peer, the port acts as a DCBx client and checks if a DCBx configuration source exists on the switch. • If a configuration source is found, the received configuration is checked against the currently configured values that are internally propagated by the configuration source.
Figure 32. DCBx Sample Topology DCBx Prerequisites and Restrictions The following prerequisites and restrictions apply when you configure DCBx operation on a port: • For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
2. Configure server-facing interfaces as auto-downstream ports. 3. Configure a port to operate in a configuration-source role. 4. Configure ports to operate in a manual role. 1. Enter INTERFACE Configuration mode. CONFIGURATION mode interface type slot/port 2. Enter LLDP Configuration mode to enable DCBx operation. INTERFACE mode [no] protocol lldp 3. Configure the DCBx version used on the interface, where: auto configures the port to operate using the DCBx version received from a peer.
PROTOCOL LLDP mode [no] advertise DCBx-appln-tlv {fcoe | iscsi} • fcoe: enables the advertisement of FCoE in Application Priority TLVs. • iscsi: enables the advertisement of iSCSI in Application Priority TLVs. The default is Application Priority TLVs are enabled to advertise FCoE and iSCSI. NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-applntlv iscsi.
PROTOCOL LLDP mode [no] advertise DCBx-appln-tlv {fcoe | iscsi} • fcoe: enables the advertisement of FCoE in Application Priority TLVs. • iscsi: enables the advertisement of iSCSI in Application Priority TLVs. The default is Application Priority TLVs are enabled and advertise FCoE and iSCSI. NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-applntlv iscsi.
– all: enables all DCBx debugging operations. – auto-detect-timer: enables traces for DCBx auto-detect timers. – config-exchng: enables traces for DCBx configuration exchanges. – fail: enables traces for DCBx failures. – mgmt: enables traces for DCBx management frames. – resource: enables traces for DCBx system resource frames. – sem: enables traces for the DCBx state machine. – tlv: enables traces for DCBx TLVs.
Example of the show dot1p-queue mapping Command Example of the show dcb Command Example of the show interfaces pfc summary Command Example of the show interface pfc statistics Command Example of the show interface ets summary Command Example of the show interface ets detail Command Example of the show stack-unit all stack-ports all pfc details Command Example of the show stack-unit all stack-ports all ets details Command Example of the show interface DCBx detail Command Dell(conf)# show dot1p-queue-mapping
The following table describes the show interface pfc summary command fields. Table 11. show interface pfc summary Command Description Fields Description Interface Interface type with stack-unit and port number. Admin mode is on; Admin is enabled PFC Admin mode is on or off with a list of the configured PFC priorities . When PFC admin mode is on, PFC advertisements are enabled to be sent and received from peers; received PFC configuration takes effect.
Fields Description PFC TLV Statistics: Input TLV pkts Number of PFC TLVs received. PFC TLV Statistics: Output TLV pkts Number of PFC TLVs transmitted. PFC TLV Statistics: Error pkts Number of PFC error packets received. PFC TLV Statistics: Pause Tx pkts Number of PFC pause frames transmitted.
Priority# Bandwidth 0 13% 1 13% 2 13% 3 13% 4 12% 5 12% 6 12% 7 12% Oper status is init Conf TLV Tx Status is disabled Traffic Class TLV Tx Status is disabled 0 Input Conf TLV Pkts, 0 Output Conf TLV 0 Input Traffic Class TLV Pkts, 0 Output Pkts TSA ETS ETS ETS ETS ETS ETS ETS ETS Pkts, 0 Error Conf TLV Pkts Traffic Class TLV Pkts, 0 Error Traffic Class TLV The following table describes the show interface ets detail command fields.
6 12% 7 12% Oper status is init Conf TLV Tx Status is disabled Traffic Class TLV Tx Status is disabled 0 Input Conf TLV Pkts, 0 Output Conf TLV 0 Input Traffic Class TLV Pkts, 0 Output Pkts ETS ETS Pkts, 0 Error Conf TLV Pkts Traffic Class TLV Pkts, 0 Error Traffic Class TLV Table 12. show interface ets detail Command Description Field Description Interface Interface type with stack-unit and port number. Max Supported TC Group Maximum number of priority groups supported.
stack unit 0 stack-port all Admin mode is On Admin is enabled, Priority list is 4-5 Local is enabled, Priority list is 4-5 Link Delay 45556 pause quantum 0 Pause Tx pkts, 0 Pause Rx pkts stack unit 1 stack-port all Admin mode is On Admin is enabled, Priority list is 4-5 Local is enabled, Priority list is 4-5 Link Delay 45556 pause quantum 0 Pause Tx pkts, 0 Pause Rx pkts Dell(conf)# show stack-unit all stack-ports all ets details Stack unit 0 stack port all Max Supported TC Groups is 4 Number of Traffic Cla
Local DCBX Compatibility mode is CEE Local DCBX Configured mode is CEE Peer Operating version is CEE Local DCBX TLVs Transmitted: ErPfi Local DCBX Status ----------------DCBX Operational Version is 0 DCBX Max Version Supported is 0 Sequence Number: 2 Acknowledgment Number: 2 Protocol State: In-Sync Peer DCBX Status: ---------------DCBX Operational Version is 0 DCBX Max Version Supported is 255 Sequence Number: 2 Acknowledgment Number: 2 Total DCBX Frames transmitted 27 Total DCBX Frames received 6 Total DCB
Field Description Peer DCBx Status: DCBx Operational Version DCBx version advertised in Control TLVs received from peer device. Peer DCBx Status: DCBx Max Version Supported Highest DCBx version supported in Control TLVs received from peer device. Peer DCBx Status: Sequence Number Sequence number transmitted in Control TLVs received from peer device. Peer DCBx Status: Acknowledgment Number Acknowledgement number transmitted in Control TLVs received from peer device.
dot1p Value in the Incoming Frame Egress Queue Assignment 7 3 NOTE: If you reconfigure the global dot1p-queue mapping, an automatic re-election of the DCBX configuration source port is performed (refer to Configuration Source Election). Configuring the Dynamic Buffer Method To configure the dynamic buffer capability, perform the following steps: 1. Enable the DCB application. By default, DCB is enabled and link-level flow control is disabled on all interfaces.
Dell(conf)# qos-policy-buffer test Dell (conf-qos-policy-buffer)#queue 0 pause no-drop buffer-size 128000 pause-threshold 103360 resume-threshold 83520 Dell (conf-qos-policy-buffer)# queue 4 pause no-drop buffer-size 128000 pause-threshold 103360 resume-threshold 83520 Data Center Bridging (DCB) 257
13 Debugging and Diagnostics This chapter describes debugging and diagnostics for the MXL switch. Offline Diagnostics The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels: • Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, Level 0 diagnostics verify the identification registers of the components on the board.
the unit will be operationally down, except for running Diagnostics. Please make sure that stacking/fanout not configured for Diagnostics execution. Also reboot/online command is necessary for normal operation after the offline command is issued. Proceed with Offline [confirm yes/no]:yes Dell#Dec 15 03:58:37: %STKUNIT0-M:CP %CHMGR-2-STACKUNIT_DOWN: Stack unit 0 down - stack unit offline 2. Confirm the offline status.
Example of theshow file flash:\\ command (Standalone Unit) Dell#show file flash://TestReport-SU-0.txt *******************************BLADE IOM DIAGNOSTICS******************************* Board CPU Version Stack Unit Board Temp Stack Unit Number Board Serial Number Board Type CPLD Revision Image Build Version : : : : : : : : Blade IOM Dell Inc.
Trace Logs In addition to the syslog buffer, the Dell Networking OS buffers trace messages which are continuously written by various software tasks to report hardware and software events and status information. Each trace message provides the date, time, and name of the Dell Networking OS process. All messages are stored in a ring buffer. You can save the messages to a file either manually or automatically after failover.
• show hardware stack-unit {0-5} buffer unit {0-1} port {1-64 | all} buffer-info View the forwarding plane statistics containing the packet buffer statistics per COS per port. EXEC Privilege mode • show hardware stack-unit {0-5} buffer unit {0-1} port {1-64} queue {0-14 | all} bufferinfo View input and output statistics on the party bus, which carries inter-process communication traffic between CPUs.
• Enable environmental monitoring. enable optic-info-update interval Example of the show interfaces transceiver Command Dell#show int ten 0/49 transceiver SFP is present SFP 49 Serial Base ID fields SFP 49 Id = 0x03 SFP 49 Ext Id = 0x04 SFP 49 Connector = 0x07 SFP 49 Transceiver Code = 0x00 0x00 0x00 0x01 0x20 0x40 0x0c 0x01 SFP 49 Encoding = 0x01 SFP 49 BR Nominal = 0x0c SFP 49 Length(9um) Km = 0x00 SFP 49 Length(9um) 100m = 0x00 SFP 49 Length(50um) 10m = 0x37 SFP 49 Length(62.
Recognize an Over-Temperature Condition An overtemperature condition occurs, for one of two reasons: the card genuinely is too hot or a sensor has malfunctioned. Inspect cards adjacent to the one reporting the condition to discover the cause. • If directly adjacent cards are not normal temperature, suspect a genuine overheating condition. • If directly adjacent cards are normal temperature, suspect a faulty sensor. When the system detects a genuine over-temperature condition, it powers off the card.
Recognize an Under-Voltage Condition If the system detects an under-voltage condition, it sends an alarm. To recognize this condition, look for the following system message: %CHMGR-1-CARD_SHUTDOWN: Major alarm: Line card 2 down - auto-shutdown due to under voltage. This message indicates that the specified card is not receiving enough power. In response, the system first shuts down Power over Ethernet (PoE).
• • • • • • • • • • • • • show hardware stack-unit 0-5 stack-port 33–56 show hardware stack-unit 0-5 unit 0-0 {counters | details | port-stats [detail] | register | ipmc-replication | table-dump}: show hardware {layer2| layer3} {eg acl |in acl} stack-unit 0-5 port-set 0-0 show hardware drops interface [range] interface show hardware stack-unit buffer-stats-snapshot unit resource x show hardware buffer inteface interface{priority-group { id | all } | queue { id| all} ] buffer-info show hardware bu
Policy Discards : Packets dropped by FP : (L2+L3) Drops : Port bitmap zero Drops : Rx VLAN Drops : --- Ingress MAC counters--Ingress FCSDrops : Ingress MTUExceeds : --- MMU Drops --HOL DROPS(TOTAL) : HOL DROPS on COS0 : HOL DROPS on COS1 : HOL DROPS on COS2 : HOL DROPS on COS3 : HOL DROPS on COS4 : HOL DROPS on COS5 :
txPkt(COS7) txPkt(UNIT0) :0 :0 The show hardware stack-unit cpu party-bus statistics command displays input and output statistics on the party bus, which carries inter-process communication traffic between CPUs Dell#sh hardware stack-unit 2 cpu party-bus statistics Input Statistics: 27550 packets, 2559298 bytes 0 dropped, 0 errors Output Statistics: 1649566 packets, 1935316203 bytes 0 errors Display Stack Port Statistics The show hardware stack-unit stack-port command displays input and output statistics
RUC.cpu0 : TDBGC6.
RX - PFC Frame Priority 5 RX - PFC Frame Priority 6 RX - PFC Frame Priority 7 RX - Debug Counter 0 RX - Debug Counter 1 RX - Debug Counter 2
flash: 3104256 bytes total (2959872 bytes free) Dell# VALID MAGIC -----------------PANIC STRING ----------------panic string is : ---------------STACK TRACE START--------------0035d60c : 00274f8c : 0024e2b0 : 0024dee8 : 0024d9c4 : 002522b0 : 0026a8d0 : 0026a00c : ----------------STACK TRACE END-----------------------------------FREE MEMORY--------------uvmexp.
Dell(conf)#no disable You must enable this utility to be able to configure the parameters for buffer statistics tracking. By default, buffer statistics tracking is disabled. 2. To view the buffer statistics tracking resource information depending on the type of buffer information, such as device-level details, port-level counters, queue-based snapshots, or priority group-level snapshot in the egress and ingress direction of traffic, use . EXEC/EXEC Privilege mode 3.
14 Dynamic Host Configuration Protocol (DHCP) The dynamic host configuration protocol (DHCP) is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option Number and Description Domain Name Server Option 6 Domain Name Option 15 Specifies the domain name servers (DNSs) that are available to the client. Specifies the domain name that clients should use when resolving hostnames via DNS. IP Address Lease Time Option 51 DHCP Message Type Option 53 Specifies the amount of time that the client is allowed to use an assigned IP address.
Assign an IP Address using DHCP The following section describes DHCP and the client in a network. When a client joins a network: 1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters. 2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters.
attempt to apply an access list to the VLAN, the system displays the first line in the following message. If you first apply an ACL to a VLAN and then attempt enable IP source address validation on one of its member ports, the system displays the second line in the following message. % Error: Vlan member has access-list configured. % Error: Vlan has an access-list configured.
ip dhcp server 2. Create an address pool and give it a name. DHCP mode pool name 3. Specify the range of IP addresses from which the DHCP server may assign addresses. DHCP mode network network/prefix-length • network: the subnet address. • prefix-length: specifies the number of bits used for the network portion of the address you specify. The prefix-length range is from 17 to 31. 4. Display the current pool configuration.
lease {days [hours] [minutes] | infinite} The default is 24 hours. Specifying a Default Gateway The IP address of the default router should be on the same subnet as the client. To specify a default gateway, follow this step. • Specify default gateway(s) for the clients on the subnet, in order of preference. DHCP default-router address Enabling the DHCP Server To set up the DHCP Server, you must first enable it. The DHCP server is disabled by default. 1. Enter the DHCP command-line context.
Using DNS for Address Resolution A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses. 1. Create a domain. DHCP domain-name name 2. Specify in order of preference the DNS servers that are available to a DHCP client.
Debugging the DHCP Server To debug the DHCP server, use the following command. • Display debug information for DHCP server. EXEC Privilege mode debug ip dhcp server [events | packets] Using DHCP Clear Commands To clear DHCP binding entries, address conflicts, and server counters, use the following commands. • Clear DHCP binding entries for the entire binding table. EXEC Privilege mode. clear ip dhcp binding • Clear a DHCP binding entry for an individual IP address. EXEC Privilege mode.
Figure 36. Configuring a Relay Agent To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode. Example of the show ip interface Command Dell#show ip int tengig 1/3 GigabitEthernet 1/3 is up, line protocol is down Internet address is 10.11.0.1/24 Broadcast address is 10.11.0.255 Address determined by user input IP MTU is 1500 bytes Helper address is 192.168.0.1 192.168.0.
Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: • The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (the Dell Networking OS version and a configuration file). BMP is enabled as a factory-default setting on a switch.
acquire a new IP address, use the renew DHCP command in EXEC Privilege mode or the ip address dhcp command in INTERFACE Configuration mode. To manually configure a static IP address on an interface, use the ip address command. A prompt displays to release an existing dynamically acquired IP address. If you confirm, the ability to receive a DHCP server-assigned IP address is removed.
• To display log message on DHCP client interfaces for IP address acquisition, IP address release, IP address and lease time renewal, and release an IP address, use the [no] debug ip dhcp client events [interface type slot/port] command.
0/1 : DHCP DISABLED CMD sent to Dell in state START Dell#release dhcp int Te 0/1 Dell#May 27 15:55:22: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT- LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 :DHCP RELEASE CMD Received in state BOUND May 27 15:55:22: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: DHCP RELEASE sent in Interface Te 0/1 May 27 15:55:22: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 :Transitioned to state STOPPED May 27 15:55:22: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT
• Management routes added by a DHCP client display with Route Source as DHCP in the show ip management route and show ip management-route dynamic command output. • Management routes added by DHCP are automatically reinstalled if you configure a static IP route with the ip route command that replaces a management route added by the DHCP client. If you remove the statically configured IP route using the no ip route command, the management route is reinstalled.
To use the router as the VRRP owner, if you enable a DHCP client on an interface that is added to a VRRP group, assign a priority less than 255 but higher than any other priority assigned in the group. Configure Secure DHCP DHCP as defined by RFC 2131 provides no authentication or security mechanisms. Secure DHCP is a suite of features that protects networks that use dynamic address allocation from spoofing and attacks.
do not pass this check are forwarded to the server for validation. This checkpoint prevents an attacker from spoofing a client and declining or releasing the real client’s address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on a not trusted port are also dropped. This checkpoint prevents an attacker from acting as an imposter as a DHCP server to facilitate a man-in-the-middle attack.
• Add a static entry in the binding table. EXEC Privilege mode ip dhcp snooping binding mac Adding a Static IPV6 DHCP Snooping Binding Table To add a static entry in the snooping database, use the following command. • Add a static entry in the snooping binding table. EXEC Privilege mode ipv6 dhcp snooping binding mac address vlan-id vlan-id ipv6 ipv6-address interface interface-type | interface-number lease value Clearing the Binding Table To clear the binding table, use the following command.
DHCP Binding File Details Invalid File Invalid Binding Entry Binding Entry lease expired : 0 : 0 : 0 Displaying the Contents of the DHCPv6 Binding Table To display the contents of the DHCP IPv6 binding table, use the following command. • Display the contents of the binding table. EXEC Privilege mode show ipv6 dhcp snooping biniding Example of the show ipv6 dhcp snooping binding Command View the DHCP snooping statistics with the show ipv6 dhcp snooping command.
DHCP relay tries to get ip address for the client, through configured primary address filling giaddr (relay address) 10.1.1.1. If there is no OFFER from DHCP Server, for three DISCOVER retries. Since secondary-subnet enabled, DHCP Relay Agent tries to get ip address through secondary ip address filling giaddr (relay address) 11.1.1.1. 3.
NOTE: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM entry is required for every DAI-enabled VLAN. You can enable DAI on up to 16 VLANs on a system. However, the ExaScale default CAM profile allocates only nine entries to the L2SysFlow region for DAI. You can configure 10 to 16 DAIenabled VLANs by allocating more CAM space to the L2SysFlow region before enabling DAI. SystemFlow has 102 entries by default.
• Specify an interface as trusted so that ARPs are not validated against the binding table. INTERFACE mode arp inspection-trust Dell Networking OS Behavior: Introduced in the Dell Networking OS version 8.2.1.0, DAI was available for Layer 3 only. However, the Dell Networking OS version 8.2.1.1 extends DAI to Layer 2. Source Address Validation Using the DHCP binding table, the Dell Networking OS can perform three types of source address validation (SAV). Table 16.
Enabling IP+MAC Source Address Validation IP source address validation (SAV) validates the IP source address of an incoming packet against the DHCP snooping binding table. IP+MAC SAV ensures that the IP source address and MAC source address are a legitimate pair, rather than validating each attribute individually. You cannot configure IP+MAC SAV with IP SAV. 1. Allocate at least one FP block to the ipmacacl CAM region. CONFIGURATION mode cam-acl l2acl 2. Save the running-config to the startup-config.
15 Equal Cost Multi-Path (ECMP) Dell Networking OS supports equal cost multi-path (ECMP). ECMP for Flow-Based Affinity Dell Networking OS supports ECMP for flow-based affinity. NOTE: IPv6 /128 routes having multiple paths do not form ECMPs. The /128 route is treated as a host entry and finds its place in the host table. NOTE: Using XOR algorithms results in imbalanced loads across an ECMP/LAG when the number of members in said ECMP/LAG is a multiple of 4.
NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indexes are generated in even numbers (0, 2, 4, 6... 1022) and are for information only. To enable the link bundle monitoring feature, for link bundle monitoring with ECMP, use the ecmp-group command. You can configure the ecmp-group with id 2, enabled for link bundle monitoring.
Load Balancing Configuration for tunnels ipv4-over-ipv4 Payload header ipv4-over-ipv6 Payload header ipv6-over-ipv6 Payload header ipv6-over-ipv4 Payload header ipv4-over-gre-ipv4 Payload header ipv6-over-gre-ipv4 Payload header ipv4-over-gre-ipv6 Payload header ipv6-over-gre-ipv6 Payload header • • • mac-in-mac header based hashing is disabled TcpUdp Load Balancing Enabled Dell(conf)# Packet Header parameters for the first portion of the RTAG7 hash can be controlled.
Router B performs the same hash as router A and all the traffic goes through the same path to router D, while no traffic is redirected to router E. The following figure explains the traffic polarization effect: Figure 37. Before Polarization Effect . Router B performs the same hash as router A and all the traffic goes through the same path to router D, while no traffic is redirected to router E.
crc16cc crc32MSB crc32LSB xor1 bits of xor1 xor2 bits of xor2 xor4 bits of xor4 xor8 bits of xor8 xor16 CRC16_CCITT - 16 bit CRC16 using CRC16-CCITT polynomial CRC32_UPPER - MSB 16 bits of computed CRC32 CRC32_LOWER - LSB 16 bits of computed CRC32 CRC16_BISYNC_AND_XOR1 - Upper 8 bits of CRC16-BISYNC and lower 8 CRC16_BISYNC_AND_XOR2 - Upper 8 bits of CRC16-BISYNC and lower 8 CRC16_BISYNC_AND_XOR4 - Upper 8 bits of CRC16-BISYNC and lower 8 CRC16_BISYNC_AND_XOR8 - Upper 8 bits of CRC16-BISYNC and lower 8 CR1
16 FC FLEXIO FPORT Dell Networking OS supports FC FlexIO FPort. FC FLEXIO FPORT The switch is a blade switch which is plugged into the Dell M1000 Blade server chassis. The blade module contains two slots for pluggable flexible module. With single FC Flex IO module, 4 ports are supported, whereas 8 ports are supported with both FC Flex IO modules. Each port can operate in 2G, 4G or 8G Fiber Channel speed. The topology-wise, FC Flex IOM is directly connected to a FC Storage.
Configuring Switch Mode to FCF Port Mode To configure switch mode to Fabric services, use the following commands. 1. Configure Switch mode to FCF Port. CONFIGURATION mode feature fc fport domain id 2 NOTE: Enable remote-fault-signaling rx off command in FCF FPort mode on interfaces connected to the Compellent and MDF storage devices. 2. Create an FCoE map with the parameters used in the communication between servers and a SAN fabric. CONFIGURATION mode fcoe-map map-name 3.
• N_Port sends a Port Login (PLOGI) to inform the Fabric Name Server of its personality and capabilities, this includes WWNN, WWPN. • N_Port sends PLOGI to address 0xFFFFFC to register this address with the name server. Command Description show fc ns switch Display all the devices in name server database of the switch. show fc ns switch brief Displays the local name server entries — brief version.
The values for the FCoE VLAN, fabric ID, and FC-MAP must be unique. Apply an FCoE map on downstream server-facing Ethernet ports and upstream fabric-facing Fibre Channel ports. 1. Create an FCoE map which contains parameters used in the communication between servers and a SAN fabric. CONFIGURATION mode fcoe-map map-name 2. Configure the association between the dedicated VLAN and the fabric where the desired storage arrays are installed.
The default is 8 seconds. Zoning Dell Networking OS supports the zoning configurations for Fabric FCF Port mode operation. In FCF Port mode, the fcoe-map fabric map-name has the default Zone mode set to deny. This setting denies all the fabric connections unless included in an active zoneset. To change this setting, use the default-zone-allow command. Changing this setting to all allows all the fabric connections without zoning.
Example of Creating a Zone Alias and Adding Members Dell(conf)#fc alias al1 Dell(conf-fc-alias-al1)#member 030303 Dell(conf-fc-alias-al1)#exit Dell(conf)#fc zone z1 Dell(conf-fc-zone-z1)#member al1 Dell(conf-fc-zone-z1)#exit Creating Zonesets A zoneset is a grouping or configuration of zones. To create a zoneset and zones into the zoneset, use the following steps. 1. Create a zoneset. CONFIGURATION mode fc zoneset zoneset_name 2. Add zones into a zoneset.
Command Description show config Displays the fabric parameters. show fcoe-map Displays the fcoe-map. show fc ns switch Display all the devices in name server database of the switch. show fc ns switch brief Display all the devices in name server database of the switch - brief version. show fc zoneset Displays the zoneset. show fc zoneset active Displays the active zoneset. show fc zone Displays the configured zone. show fc alias Displays the configured alias.
Switch Name Domain Id Switch Port FC-Id Port Name Node Name Class of Service Symbolic Port Name Symbolic Node Name Port Type 28:4e:55:4c:4c:29:00:00 2 4 02:04:03 20:01:d4:ae:52:44:37:b2 20:00:d4:ae:52:44:37:b2 8 Broadcom Port0 pWWN 20:01:d4:ae:52:44:37:b2 Broadcom BCM57810 FCoE 7.6.3.0 7.6.59.
Switch WWN : 10:00:aa:00:00:00:00:ac Dell(conf)# 308 FC FLEXIO FPORT
17 FCoE Transit Dell Networking OS supports the Fibre Channel over Ethernet (FCoE) Transit feature. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge. NOTE: FCoE transit is not supported on Fibre Channel interfaces. Fibre Channel over Ethernet FCoE provides a converged Ethernet network that allows the combination of storage-area network (SAN) and LAN traffic on a Layer 2 link by encapsulating Fibre Channel data into Ethernet frames.
Table 17. FIP Functions FIP Function Description FIP VLAN discovery FCoE devices (ENodes) discover the FCoE VLANs on which to transmit and receive FIP and FCoE traffic. FIP discovery FCoE end-devices and FCFs are automatically discovered. Initialization FCoE devices learn ENodes from the FLOGI and FDISC to allow immediate login and create a virtual link with an FCoE switch. Maintenance A valid virtual link between an FCoE device and an FCoE switch is maintained and the LOGO functions properly.
Global ACLs These are applied on server-facing ENode ports. Port-based ACLs These ACLs are applied on all three port modes: on ports directly connected to an FCF, server-facing ENode ports, and bridge-to-bridge links. Port-based ACLs take precedence over global ACLs. FCoE-generated ACLs These take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames.
• To assign a MAC address to an FCoE end-device (server ENode or storage device) after a server successfully logs in, set the FCoE MAC address prefix (FC-MAP) value an FCF uses. • To provide more port security on ports that are directly connected to an FCF and have links to other FIP snooping bridges, set the FCF or Bridge-to-Bridge Port modes. • To ensure that they are operationally active, check FIP snooping-enabled VLANs.
compatible DCB configurations are synchronized. By default, all FCoE and FIP frames are dropped unless specifically permitted by existing FIP snooping-generated ACLs. You can reconfigure any of the FIP snooping settings. If you disable FCoE transit, FIP and FCoE traffic are handled as normal Ethernet frames and no FIP snooping ACLs are generated. The VLAN-specific and FIP snooping configuration is disabled and stored until you re-enable FCoE transit and the configurations are re-applied.
Table 18. Impact of Enabling FIP Snooping Impact Description MAC address learning MAC address learning is not performed on FIP and FCoE frames, which are denied by ACLs dynamically created by FIP snooping on server-facing ports in ENode mode. MTU auto-configuration MTU size is set to mini-jumbo (2500 bytes) when a port is in Switchport mode, the FIP snooping feature is enabled on the switch, and FIP snooping is enabled on all or individual VLANs.
feature fip-snooping 2. Enable FIP snooping on all VLANs or on a specified VLAN. CONFIGURATION mode or VLAN INTERFACE mode. fip-snooping enable By default, FIP snooping is disabled on all VLANs. 3. Configure the FC-MAP value used by FIP snooping on all VLANs. CONFIGURATION VLAN or INTERFACE mode fip-snooping fc-map fc-map-value The default is 0x0EFC00. The valid values are from 0EFC00 to 0EFCFF. 4. Enter interface configuration mode to configure the port for FIP snooping links.
Command Output show fip-snooping statistics [interface vlan vlan-id| interface port-type port/slot | interface port-channel port-channel-number] Displays statistics on the FIP packets snooped on all interfaces, including VLANs, physical ports, and port channels. clear fip-snooping statistics [interface vlan Clears the statistics on the FIP packets snooped on all VLANs, a vlan-id | interface port-type port/slot | specified VLAN, or a specified port interface.
---100 ------TRUE -------0X0EFC00 Example of the show fip-snooping enode Command Dell# show fip-snooping enode Enode MAC Enode Interface FCF MAC VLAN ----------------------- ---------d4:ae:52:1b:e3:cd Te 0/11 54:7f:ee:37:34:40 100 FC-ID ----62:00:11 The following table describes the show fip-snooping enode command fields. Table 21. show fip-snooping enode Command Description Field Description ENode MAC MAC address of the ENode.
Number of Multicast Discovery Advertisement Number of Unicast Discovery Advertisement Number of FLOGI Accepts Number of FLOGI Rejects Number of FDISC Accepts Number of FDISC Rejects Number of FLOGO Accepts Number of FLOGO Rejects Number of CVL Number of FCF Discovery Timeouts Number of VN Port Session Timeouts Number of Session failures due to Hardware Config Dell(conf)# :4437 :2 :2 :0 :16 :0 :0 :0 :0 :0 :0 :0 Dell# show fip-snooping statistics int tengigabitethernet 0/11 Number of Vlan Requests :1 Number
Table 23. show fip-snooping statistics Command Description Field Description Number of VLAN Requests Number of FIP-snooped VLAN request frames received on the interface. Number of VLAN Notifications Number of FIP-snooped VLAN notification frames received on the interface. Number of Multicast Discovery Solicits Number of FIP-snooped multicast discovery solicit frames received on the interface.
NOTE: NPIV sessions are included in the number of FIP-snooped sessions displayed. Example of the show fip-snooping vlan Command Dell# show fip-snooping vlan * = Default VLAN VLAN ---*1 100 FC-MAP -----0X0EFC00 FCFs ---1 Enodes -----2 Sessions -------17 FCoE Transit Configuration Example The following illustration shows an MXL switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway.
The DCBx configuration on the FCF-facing port is detected by the server-facing port and the DCB PFC configuration on both ports is synchronized. For more information about how to configure DCBx and PFC on a port, refer to the Data Center Bridging (DCB) chapter. The following example shows how to configure FIP snooping on FCoE VLAN 10, on an FCF-facing port (0/50), on an ENode serverfacing port (0/1), and to configure the FIP snooping ports as tagged members of the FCoE VLAN enabled for FIP snooping.
18 FIPS Cryptography Dell Networking OS supports federal information processing standard (FIPS) cryptography. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms. This feature provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce.
NOTE: Under certain unusual circumstances, it is possible for the fips enable command to indicate a failure. • • This failure occurs if any of the self-tests fail when you enable FIPS mode. This failure occurs if there were existing SSH/Telnet sessions that could not be closed successfully in a reasonable amount of time.
Dell Version Jumbo Capable POE Capable FIPS Mode Burned In MAC No Of MACs ... : : : : : : XML-8-3-7-1061 yes no enabled 00:01:e8:8a:ff:0c 3 Disabling FIPS Mode The following describes disabling FIPS mode. When you disable FIPS mode, the following changes occur: • The SSH server disables. • All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, close. • Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage. • FIPS mode disables.
19 Force10 Resilient Ring Protocol (FRRP) FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) may require 4 to 5 seconds to reconverge.
Figure 42. Normal Operating FRRP Topology A virtual LAN (VLAN) is configured on all node ports in the ring. All ring ports must be members of the Member VLAN and the Control VLAN. The Member VLAN is the VLAN used to transmit data as described earlier. The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node.
its own forwarding table, and sends a control frame to the Transit nodes, instructing them to clear their forwarding tables and relearn the topology. During the time between the Transit node detecting that its link is restored and the Master node detecting that the ring is restored, the Master node’s Secondary port is still forwarding traffic. This can create a temporary loop in the topology.
Figure 43. Multiple Rings Connected by a Single Switch Example Important FRRP Points FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring. • The Master node transmits ring status check frames at specified intervals. • You can run multiple physical rings on the same switch.
Important FRRP Concepts The following table lists some important FRRP concepts. Concept Explanation Ring ID Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202. Control VLAN Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose. Member VLAN Each ring maintains a list of member VLANs.
Implementing FRRP • FRRP is media and speed independent. • FRRP is a Dell proprietary protocol that does not interoperate with any other vendor. • You must disable the spanning tree protocol (STP) on both the Primary and Secondary interfaces before you can enable FRRP. • All ring ports must be Layer 2 ports. This is required for both Master and Transit nodes. • A VLAN configured as a control VLAN for a ring cannot be configured as a control or member VLAN for any other ring.
• A control VLAN can belong to one FRRP group only. • Tag control VLAN ports. • All ports on the ring must use the same VLAN ID for the control VLAN. • You cannot configure a VLAN as both a control VLAN and member VLAN on the same ring. • Only two interfaces can be members of a control VLAN (the Master Primary and Secondary ports). • Member VLANs across multiple rings are not supported in Master nodes.
no disable Configuring and Adding the Member VLANs Control and member VLANS are configured normally for Layer 2. Their status as Control or Member is determined at the FRRP group commands. For more information about configuring VLANS in Layer 2 mode, refer to the Layer 2 chapter. Be sure to follow these guidelines: • All VLANS must be in Layer 2 mode. • Tag control VLAN ports. Member VLAN ports, except the Primary/Secondary interface, can be tagged or untagged.
VLAN-ID, Range: VLAN IDs for the ring’s Member VLANs. 6. Enable this FRRP group on this switch. CONFIG-FRRP mode. no disable Setting the FRRP Timers To set the FRRP timers, use the following command. NOTE: Set the Dead-Interval time 3 times the Hello-Interval. • Enter the desired intervals for Hello-Interval or Dead-Interval times. CONFIG-FRRP mode. timer {hello-interval|dead-interval} milliseconds – Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500).
Ring ID: the range is from 1 to 255. Troubleshooting FRRP To troubleshoot FRRP, use the following information. Configuration Checks • • • • • Each Control Ring must use a unique VLAN ID. Only two interfaces on a switch can be Members of the same control VLAN. There can be only one Master node for any FRRP group. You can configure FRRP on Layer 2 interfaces only. Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
! interface Vlan 101 no ip address tagged GigabitEthernet 1/24,34 no shutdown ! interface Vlan 201 no ip address tagged GigabitEthernet 1/24,34 no shutdown ! protocol frrp 101 interface primary GigabitEthernet 1/24 secondary GigabitEthernet 1/34 control-vlan 101 member-vlan 201 mode master no disable interface GigabitEthernet 2/14 no ip address switchport no shutdown ! interface GigabitEthernet 2/31 no ip address switchport no shutdown ! interface Vlan 101 no ip address tagged GigabitEthernet 2/14,31 no shu
mode transit no disable 336 Force10 Resilient Ring Protocol (FRRP)
20 GARP VLAN Registration Protocol (GVRP) Dell Networking OS supports GARP VLAN registration protocol (GVRP). Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GVRP, defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other.
Figure 45. Global GVRP Configuration Example Basic GVRP configuration is a two-step process: 1. Enabling GVRP Globally 2. Enabling GVRP on a Layer 2 Interface Related Configuration Tasks • • Configure GVRP Registration Configure a GARP Timer Enabling GVRP Globally To configure GVRP globally, use the following command. • Enable GVRP for the entire switch.
no disable Dell(config-gvrp)# To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command. • Enable GVRP on a Layer 2 interface.
no shutdown Dell(conf-if-gi-1/21)# Configure a GARP Timer Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings. • Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The default is 200ms.
21 Internet Group Management Protocol (IGMP) Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. IGMP is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast routing protocols (such as protocolindependent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. • Responding to an IGMP Query – One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
Figure 47. IGMP Version 3 Packet Structure Figure 48. IGMP Version 3–Capable Multicast Routers Address Structure Joining and Filtering Groups and Sources The following illustration shows how multicast routers maintain the group and source information from unsolicited reports. 1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1. 2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 49. Membership Reports: Joining and Filtering Leaving and Staying in Groups The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries. 1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filter for 10.11.1.1 and 10.11.1.2 are no longer necessary. 2.
Figure 50. Membership Queries: Leaving and Staying IGMP Snooping IGMP snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers. Multicast packets are addressed with multicast MAC addresses, which represent a group of devices, rather than one unique device.
Configuring IGMP Snooping Configuring IGMP snooping is a one-step process. To enable, view, or disable IGMP snooping, use the following commands. • Enable IGMP snooping on a switch. CONFIGURATION mode ip igmp snooping enable • View the configuration. CONFIGURATION mode show running-config • Disable snooping on a VLAN.
Disabling Multicast Flooding If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. On the MXL Switch, when you configure no ip igmp snooping flood, the system forwards the frames on the mrouter ports for first 96 IGMP snooping-enabled VLANs. For all other VLANs, the unregistered multicast packets are dropped.
When an IGMP snooping switch is not acting as a querier, it sends out the general query in response to the MSTP triggered link-layer topology change, with the source IP address of 0.0.0.0 to avoid triggering querier election. Designating a Multicast Router Interface To designate an interface as a multicast router interface, use the following command.
22 Interfaces This chapter describes 100/1000/10000 Mbps Ethernet, 10 Gigabit Ethernet, and 40 Gigabit Ethernet interface types, both physical and logical, and how to configure them with the Dell Networking operating software (OS).
Interface Type Modes Possible Default Mode Requires Creation Default State Loopback L3 L3 Yes No Shutdown (enabled) Null N/A N/A No Enabled Port Channel L2, L3 L3 Yes Shutdown (disabled) VLAN L2, L3 L2 Yes (except default) L2 - No Shutdown (enabled) L3 - Shutdown (disabled) View Basic Interface Information To view basic interface information, use the following command. You have several options for viewing interface status and configuration parameters.
0 CRC, 0 overrun, 0 discarded Output Statistics: 44329 packets, 4722779 bytes, 0 underruns 0 64-byte pkts, 44329 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 44329 Multicasts, 0 Broadcasts, 0 Unicasts 0 throttles, 0 discarded, 0 collisions Rate info (interval 299 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.
Configuring the Default Interface You can reset the configurations applied on an interface to its factory default state. To reset the configuration, perform the following steps: 1. View the configurations applied on an interface. INTERFACE mode show config Dell(conf-if-te-1/5)#show config ! interface TenGigabitEthernet 1/5 no ip address portmode hybrid switchport rate-interval 8 mac learning-limit 10 no-station-move no shutdown 2. Reset the interface to the factory default state.
To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave INTERFACE mode, use the exit command or end command. You cannot delete a physical interface. Physical Interfaces The switch interfaces support Layer 2 and Layer 3 traffic over the 100/1000/10000, 10-Gigabit, and 40-Gigabit Ethernet interfaces. These interfaces can also become part of virtual interfaces such as virtual local area networks (VLANs) or port channels.
Configuring Layer 2 (Data Link) Mode Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode. To set Layer 2 data transmissions through an individual interface, use the following command. • Enable Layer 2 data transmissions through an individual interface.
Example of Error Due to Issuing a Layer 3 Command on a Layer 2 Interface If an interface is in the incorrect layer mode for a given command, an error message displays (shown in bold). In the following example, the ip address command triggered an error message because the interface is in Layer 2 mode and the ip address command is a Layer 3 command only. Dell(conf-if)#show config ! interface GigabitEthernet 1/2 no ip address switchport no shutdown Dell(conf-if)#ip address 10.10.1.
Management Interfaces The IOM management interface has both a public IP and private IP address on the internal fabric D interface. The public IP address is exposed to the outside world for Web GUI configurations/WSMAN and other proprietary traffic. You can statically configure the public IP address or obtain the IP address dynamically using the dynamic host configuration protocol (DHCP). NOTE: When you shut down a management interface, connectivity to the interface’s private IP address is disabled.
Example of the show interface Command To display the configuration for a given port, use the show interface command from EXEC Privilege mode, as shown in the following example. To display the routing table for a given port, use the show ip route command from EXEC Privilege mode.
INTERFACE mode ip address ip-address mask [secondary] – ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24). – secondary: the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses. Example of a Configuration for a VLAN Participating in an OSPF Process interface Vlan 10 ip address 1.1.1.
Port Channel Interfaces Port channel interfaces support link aggregation, as described in IEEE Standard 802.3ad. This section covers the following topics: • Port Channel Definition and Standards • Port Channel Benefits • Port Channel Implementation • Configuration Tasks for Port Channel Interfaces Port Channel Definition and Standards Link aggregation is defined by IEEE 802.
if the first operational interface in the port channel is a Gigabit Ethernet interface, all interfaces at 1000 Mbps are kept up, and all 100/1000/10000 interfaces that are not set to 1000 speed or auto negotiate are disabled. 100/1000/10000 Mbps Interfaces in Port Channels When both 100/1000/10000 interfaces and TenGigabitEthernet interfaces are added to a port channel, the interfaces must share a common speed.
Adding a Physical Interface to a Port Channel You can add any physical interface to a port channel if the interface configuration is minimal. NOTE: Port channels can contain a mix of 100/1000/10000 Ethernet interfaces and 10 Gigabit Ethernet interface, but the Dell Networking OS disables the interfaces that are not the same speed of the first channel member in the port channel (refer to 100/1000/10000 Mbps Interfaces in Port Channels).
ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 00:05:44 Queueing strategy: fifo Input Statistics: 0 packets, 0 bytes 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics: 0 packets, 0 bytes, 0 underruns 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkt
channel-member interface Example of Moving an Interface to a New Port Channel The following example shows moving the TenGigabitEthernet 1/8 interface from port channel 4 to port channel 3.
no tagged port-channel id number or no untagged port-channel id number • Identify which port channels are members of VLANs. EXEC Privilege mode show vlan Assigning an IP Address to a Port Channel You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command. • Configure an IP address and mask on the interface.
Changing the Hash Algorithm The load-balance command selects the hash criteria applied to port channels. If you do not obtain even distribution with the load-balance command, you can use the hash-algorithm command to select the hash scheme for LAG, ECMP and NH-ECMP. You can rotate or shift the 12–bit Lag Hash until the desired hash is achieved. To change to another algorithm, use the second command. • Change the default (0) to another algorithm and apply it to ECMP, LAG hashing, or a particular line card.
Server Ports By default, the MXL switch allows the server ports to come up as switch ports in no shut mode, ready to switch traffic. Default Configuration without Start-up Config This feature is enabled by default and can be enabled on reload by deleting the start-up config file. On reload, all the server ports (1-32) come up as switch ports in No Shut mode. Uplinks remain in Shut mode ensuring that there are no network loops.
To display the running configuration only for interfaces that are part of interface range, use the show configuration command in Interface Range mode. You can avoid specifying spaces between the range of interfaces, separated by commas, that you configure by using the interface range command. For example, if you enter a list of interface ranges, such as interface range fo 2/0-1,te 10/0,gi 3/0,fa 0/0, this configuration is considered valid.
Overlap Port Ranges The following is an example showing how the interface-range prompt extends a port range from the smallest start port number to the largest end port number when port ranges overlap. handles overlapping port ranges.
Example of Using a Macro to Change the Interface Range Configuration Mode The following example shows how to change to the interface-range configuration mode using the interface-range macro named “test.” Dell(config)# interface range macro test Dell(config-if)# Monitoring and Maintaining Interfaces Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, and so on.
m l T q - Change mode Page up Increase refresh interval Quit c - Clear screen a - Page down t - Decrease refresh interval Dell Maintenance Using TDR The time domain reflectometer (TDR) is supported on all Dell Networking switch/routers. TDR is an assistance tool to resolve link issues that helps detect obvious open or short conditions within any of the four copper pairs. TDR sends a signal onto the physical cable and examines the reflection of the signal that returns.
– portmode quad: Identifies the uplink port as a split 10GbE SFP+ port. To display the stack-unit number, enter the show system brief command. • Save the configuration and reload the switch. CONFIGURATION mode write memory reload Merging SFP+ Ports to QSFP 40G Ports To remove FANOUT mode in 40G QSFP Ports, use the following commands. 1. Merge 4-10G ports to a single 40G port. CONFIGURATION mode no stack-unit port number portmode quad 2.
Table 26. Layer 2 Overhead Transmission Media MTU Range (in bytes) Ethernet 594-12000 = link MTU 576-11982 = IP MTU Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port You can convert a QSFP or QSFP+ port to an SFP or SFP+ port using the Quad to Small Form Factor Pluggable Adapter (QSA). QSA provides smooth connectivity between devices that use Quad Lane Ports (such as the 40 Gigabit Ethernet adapters) and 10 Gigabit hardware that uses SFP+ based cabling.
For these configurations, the following examples show the command output that the show interfaces tengigbitethernet transceiver, show interfaces tengigbitethernet, and show inventory media commands displays: NOTE: In the following show interfaces tengigbitethernet commands, the ports 1,2, and 3 are inactive and no physical SFP or SFP+ connection actually exists on these ports.
NOTE: After you disable DCB, if link-level flow control is not automatically enabled on an interface, to enable flow control, manually shut down the interface (shutdown command) and re-enable it (no shutdown command). To enable pause frames, use the following command. • Control how the system responds to and generates 802.3x pause frames on 10 Gig ports.
• Members can have different Link MTU values. Tagged members must have a link MTU 4–bytes higher than untagged members to account for the packet tag. • The VLAN link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values configured on the VLAN members. For example, the VLAN contains tagged members with Link MTU of 1522 and IP MTU of 1500 and untagged members with Link MTU of 1518 and IP MTU of 1500.
speed {100 | 1000 | 10000 | auto} NOTE: If you use an active optical cable (AOC), you can convert the QSFP+ port to a 10 Gigabit SFP+ port or 1 Gigabit SFP port. You can use the speed command to enable the required speed. 6. Optionally, set full- or half-duplex. INTERFACE mode duplex {half | full} 7. Disable auto-negotiation on the port. INTERFACE mode no negotiation auto If the speed was set to 1000, do not disable auto-negotiation. 8. Verify configuration changes.
Set Auto-Negotiation Options The negotiation auto command provides a mode option for configuring an individual port to forced master/ forced slave after you enable auto-negotiation. CAUTION: Ensure that only one end of the node is configured as forced-master and the other is configured as forcedslave. If both are configured the same (that is, both as forced-master or both as forced-slave), the show interface command flaps between an auto-neg-error and forced-master/slave states.
802.1QTagged: True Vlan membership: Vlan 2 Name: TenGigabitEthernet 13/1 802.1QTagged: True Vlan membership: Vlan 2 Name: TenGigabitEthernet 13/2 802.1QTagged: True Vlan membership: Vlan 2 Name: TenGigabitEthernet 13/3 802.1QTagged: True Vlan membership: Vlan 2 --More-- Configuring the Interface Sampling Size You can enter any value between five and 299 seconds (the default). If you enter 1 to 5 seconds, software polling is done at 5 second intervals.
TenGigabitEthernet 10/0 is down, line protocol is down Hardware is Dell Force10Eth, address is 00:01:e8:01:9e:d9 Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 10000 Mbit ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 1d23h45m Queueing strategy: fifo 0 packets input, 0 bytes Input 0 IP Packets, 0 Vlans 0 MPLS 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts Received 0 input sy
– For a Port Channel interface, enter the keywords port-channel then a number from 1 to 128. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. – For a VLAN, enter the keyword vlan then a number from 1 to 4094. – (OPTIONAL) To clear statistics for all VRRP groups configured, enter the keyword vrrp. Enter a number from 1 to 255 as the vrid.
23 Internet Protocol Security (IPSec) IPSec is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and file transfer protocols (FTPs) and can operate in Transport mode. In Transport mode, IPSec encrypts only the packet payload; the IP header is unchanged. This is the default mode.
crypto ipsec policy myCryptoPolicy 10 ipsec-manual transform-set myXform-set session-key inbound esp 256 auth encrypt session-key outbound esp 257 auth encrypt match 0 tcp a::1 /128 0 a::2 /128 21 match 1 tcp a::1 /128 21 a::2 /128 0 match 2 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21 match 3 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0 3. Apply the crypto policy to management traffic.
24 IPv4 Routing The Dell Networking OS supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking operating system (OS). IP Feature Default DNS Disabled Directed Broadcast Disabled Proxy ARP Enabled ICMP Unreachable Disabled ICMP Redirect Disabled IP Addresses The Dell Networking OS supports IP version 4, as described in RFC 791.
For a complete listing of all commands related to IP addressing, refer to the Dell Networking OS Command Line Interface Reference Guide. Assigning IP Addresses to an Interface Assign primary and secondary IP addresses to physical or logical (for example, [virtual local area network [VLAN] or port channel) interfaces to enable IP communication between the system and hosts connected to that interface. In the system, you can assign one primary address and up to 255 secondary IP addresses to each interface. 1.
Configuring Static Routes A static route is an IP address that you manually configure and that the routing protocol does not learn, such as open shortest path first (OSPF). Often, static routes are used as backup routes in case other dynamically learned routes are unreachable. You can enter as many static IP addresses as necessary. To configure a static route, use the following command. • Configure a static IP address.
• • • When the interface comes up, the system re-installs the route. When the recursive resolution is “broken,” the system withdraws the route. When the recursive resolution is satisfied, the system re-installs the route. Configure Static Routes for the Management Interface When an IP address that a protocol uses and a static management route exists for the same prefix, the protocol route takes precedence over the static management route.
command in Interface mode. When a ping or traceroute packet from an endpoint or a device arrives at the null 0 interface configured with a static route, it is discarded. In such cases, you can configure Internet Control Message Protocol (ICMP) unreachable messages to be sent to the transmitting device. Configuring the ICMP Source Interface You can enable the ICMP error and unreachable messages to contain the configured IP address of the source device instead of the previous hop's IP address.
To view the configuration, use the show config command in INTERFACE mode. Resolution of Host Names Domain name service (DNS) maps host names to IP addresses. This feature simplifies such commands as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless you enable the feature, the system resolves only host names entered into the host table with the ip host command.
ip domain-name name • Enter up to 63 characters to configure names to complete unqualified host names. CONFIGURATION mode ip domain-list name Configure this command up to six times to specify a list of possible domain names. The Dell Networking OS searches the domain names in the order they were configured until a match is found or the list is exhausted. Configuring DNS with Traceroute To configure your switch to perform DNS with traceroute, use the following commands.
In the Dell Networking OS, Proxy ARP enables hosts with knowledge of the network to accept and forward packets from hosts that contain no knowledge of the network. Proxy ARP makes it possible for hosts to be ignorant of the network, including subnetting. For more information about Proxy ARP, refer to RFC 925, Multi-LAN Address Resolution, and RFC 1027, Using ARP to Implement Transparent Subnet Gateways.
Clearing ARP Cache To clear the ARP cache of dynamically learnt ARP information, use the following command. • Clear the ARP caches for all interfaces or for a specific interface by entering the following information. EXEC privilege clear arp-cache [interface | ip ip-address] [no-refresh] – ip ip-address (OPTIONAL): enter the keyword ip then the IP address of the ARP entry you wish to clear. – no-refresh (OPTIONAL): enter the keywords no-refresh to delete the ARP entry from CAM.
Figure 51. ARP Learning via ARP Request Beginning with the Dell Networking OS version 8.3.1.0, when you enable ARP learning via gratuitous ARP, the system installs a new ARP entry, or updates an existing entry for all received ARP requests. Figure 52. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP.
arp backoff-time The default is 30. • The range is from 1 to 3600. Display all ARP entries learned via gratuitous ARP. EXEC Privilege mode show arp retries ICMP For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet. These messages are sent only on unicast traffic.
– UDP broadcast traffic with port number 67 or 68 are unicast to the dynamic host configuration protocol (DHCP) server per the ip helper-address configuration whether or not the UDP port list contains those ports. – If the UDP port list contains ports 67 or 68, UDP broadcast traffic is forwarded on those ports. Enabling UDP Helper To enable UDP helper, use the following command. • Enable UPD helper.
3. Packet 2 is also forwarded to the ingress interface with an unchanged destination address because it does not have broadcast address configured. Figure 53. UDP Helper with Broadcast-All Addresses UDP Helper with Subnet Broadcast Addresses When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to matching interface.
Figure 55. UDP Helper with Configured Broadcast Addresses UDP Helper with No Configured Broadcast Addresses The following describes UDP helper with no broadcast addresses configured. • If the incoming packet has a broadcast destination IP address, the unaltered packet is routed to all Layer 3 interfaces. • If the Incoming packet has a destination IP address that matches the subnet broadcast address of any interface, the unaltered packet is routed to the matching interfaces.
25 IPv6 Addressing Dell Networking OS supports Internet protocol version 6 (IPv6). NOTE: The IPv6 basic commands are supported on all platforms. However, not all features are supported on all platforms, nor for all releases. To determine the Dell Networking OS version supporting which features and platforms, refer to Implementing IPv6 with the Dell Networking OS. IPv6 is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage.
NOTE: The Dell Networking OS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS). By default, RA response messages are sent when an RS message is received. The Dell Networking OS manipulation of IPv6 stateless autoconfiguration supports the router side only. Neighbor discovery (ND) messages are advertised so the neighbor can use this information to auto-configure its address.
IPv6 Header Fields The 40 bytes of the IPv6 header are ordered, as shown in the following illustration. Figure 56. IPv6 Header Fields Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Value Description 0 Hop-by-Hop option header 4 IPv4 6 TCP 8 Exterior Gateway Protocol (EGP) 41 IPv6 43 Routing header 44 Fragmentation header 50 Encrypted Security 51 Authentication header 59 No Next Header 60 Destinations option header NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) web page.
Hop-by-Hop Options Header The Hop-by-Hop options header contains information that is examined by every router along the packet’s path. It follows the IPv6 header and is designated by the Next Header value 0 (zero). When a Hop-by-Hop Options header is not included, the router knows that it does not have to process any router specific information and immediately processes the packet to its final destination.
• 2001:db8::1428:57ab IPv6 networks are written using classless inter-domain routing (CIDR) notation. An IPv6 network (or subnet) is a contiguous group of IPv6 addresses the size of which must be a power of two; the initial bits of addresses, which are identical for all hosts in the network, are called the network's prefix. A network is denoted by the first address in the network and the size in bits of the prefix (in decimal), separated with a slash.
Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location IPv6 ping 9.2(0.0) ICMPv6 in this chapter IPv6 traceroute 9.2(0.0) ICMPv6 in this chapter Static routing 9.2(0.0) Assigning a Static IPv6 Route in this chapter Route redistribution 9.2(0.0) OSPF, IS-IS, and IPv6 BGP chapters in the Dell Networking OS Command Line Reference Guide. Multiprotocol BGP extensions for IPv6 9.2(0.0) IPv6 BGP in the Dell Networking OS Command Line Reference Guide.
Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location IPv6 PIM in the Dell Networking OS Command Line Reference Guide. MLDv1/v2 N/A IPv6 Multicast in this chapter Multicast IPv6 in the Dell Networking OS Command Line Reference Guide. MLDv1 Snooping N/A IPv6 Multicast in this chapter Multicast IPv6 in the Dell Networking OS Command Line Reference Guide.
Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location IS-IS for IPv6 support for redistribution 9.9(0.0) Intermediate System to Intermediate System (IS-IS) IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide. ISIS for IPv6 support for distribute lists and administrative distance 9.9(0.0) OSPF for IPv6 (OSPFv3) 9.9(0.0) Equal Cost Multipath for IPv6 9.9(0.0) IPv6 Services and Management 9.9(0.
ICMPv6 Dell Networking OS supports ICMPv6. ICMP for IPv6 combines the roles of ICMP, IGMP and ARP in IPv4. Similar to IPv4, it provides functions for reporting delivery and forwarding errors, and provides a simple echo service for troubleshooting. The Dell Networking OS implementation of ICMPv6 is based on RFC 4443. Generally, ICMPv6 uses two message types: • • Error reporting messages indicate when the forwarding or delivery of the packet failed at the destination or intermediate node.
NOTE: If a neighboring node does not have an IPv6 address assigned, it must be manually pinged to allow the IPv6 device to determine the relationship of the neighboring node. NOTE: To avoid problems with network discovery, Dell Networking recommends configuring the static route last or assigning an IPv6 address to the interface and assigning an address to the peer (the forwarding router’s address) less than 10 seconds apart. With ARP, each node broadcasts ARP requests on the entire link.
• multicast addresses • invalid host addresses If you specify this information in the IPv6 RDNSS configuration, a DNS error is displayed. Example for Configuring an IPv6 Recursive DNS Server The following example configures a RDNNS server with an IPv6 address of 1000::1 and a lifetime of 1 second. Debugging IPv6 RDNSS Information Sent to the Host To verify that the IPv6 RDNSS information sent to the host is configured correctly, use the debug ipv6 nd command in EXEC Privilege mode.
Secure Shell (SSH) Over an IPv6 Transport Dell Networking OS supports IPv6 secure shell (SSH). The Dell Networking OS supports both inbound and outbound SSH sessions using IPv6 addressing. Inbound SSH supports accessing the system through the management interface as well as through a physical Layer 3 interface. For SSH configuration details, refer to the Security chapter in the Dell Networking OS Command Line Interface Reference Guide.
• Provides information on FP groups allocated for the egress acl. CONFIGURATION mode show cam-acl-egress Allocate at least one group for L2ACL and IPv4 ACL. The total number of groups is 4. Assigning an IPv6 Address to an Interface Dell Networking OS supports IPv6 addresses. Essentially, IPv6 is enabled in the Dell Networking OS simply by assigning IPv6 addresses to individual router interfaces. You can use IPv6 and IPv4 together on a system, but be sure to differentiate that usage carefully.
– For a Loopback interface, enter the keyword loopback then the loopback number. – For a port-channel interface, enter the keywords port-channel then the port-channel number. – For a VLAN interface, enter the keyword vlan then the VLAN ID. – For a Null interface, enter the keyword null then the Null interface number. Configuring Telnet with IPv6 Dell Networking OS supports IPv6 telnet. The Telnet client and server in the Dell Networking OS supports IPv6 connections.
neighbors ospf pim prefix-list route rpf Dell# IPv6 neighbor information OSPF information PIM V6 information List IPv6 prefix lists IPv6 routing information RPF table Showing an IPv6 Interface To view the IPv6 configuration for a specific interface, use the following command. • Show the currently running configuration for the specified interface.
Route Source connected static Total Active Routes Non-active Routes 5 0 0 0 5 0 Dell#show ipv6 route Codes: C - connected, L - local, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, Gateway of last resort is not set Des
– *: all routes. – ipv6 address: the format is x:x:x:x::x. – mask: the prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing.
26 iSCSI Optimization The MXL switch enables internet small computer system interface (iSCSI) optimization with default iSCSI parameter settings and is auto-provisioned to support the following features. • Detection and Auto-Configuration for Dell EqualLogic Arrays • Configuring Detection and Ports for Dell Compellent Arrays To display information on iSCSI configuration and sessions, use the show commands. iSCSI optimization enables quality-of-service (QoS) treatment for iSCSI traffic.
the MXL is configured to use dot1p priority-queue assignments to ensure that iSCSI traffic in these sessions receives priority treatment when forwarded on MXL hardware. Figure 59. iSCSI Optimization Example Monitoring iSCSI Traffic Flows The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that trap iSCSI protocol packets to the CPU for examination. Devices that initiate iSCSI sessions usually use well-known TCP ports 3260 or 860 to contact targets.
• Target’s IP Address • Initiator defined session identifier (ISID) • Initiator’s iSCSI qualified name (IQN) • Target’s IQN • Initiator’s TCP Port • Target’s TCP Port If no iSCSI traffic is detected for a session during a user-configurable aging period, the session data is cleared.
• iSCSI LLDP monitoring starts to automatically detect EqualLogic arrays. The following message displays when you enable iSCSI on a switch and describes the configuration changes that are automatically performed: %STKUNIT0-M:CP %IFMGR-5-IFM_ISCSI_ENABLE: iSCSI has been enabled causing flow control to be enabled on all interfaces.
Session aging time: 10 Maximum number of connections is 256 -----------------------------------------------iSCSI Targets and TCP Ports: -----------------------------------------------TCP Port Target IP Address 3260 860 VLT PEER1 Dell#show isci session Session 0: ----------------------------------------------------------------------------Target: iqn.2001-05.com.equallogic:0-8a0906-0e70c2002-10a0018426a48c94-iom010 Initiator: iqn.1991-05.com.
27 Intermediate System to Intermediate System Dell Networking OS supports intermediate system to intermediate system (IS-IS). • The IS-IS protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. • The IS-IS protocol standards are listed in the Standards Compliance chapter.
Figure 60. ISO Address Format Multi-Topology IS-IS Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases. Use this feature to place a virtual physical topology into logical routing domains, which can each support different routing and security policies. All routers on a LAN or point-to-point must have at least one common supported topology when operating in Multi-Topology IS-IS mode.
neighbor within its LSPs. The local router does not form an adjacency if both routers do not have at least one common MT over the interface. Graceful Restart Dell Networking OS supports Graceful Restart for both Helper and Restart modes. Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets.
• MT Reachable IPv6 Prefixes TLV — appears for each IPv6 an IS announces for a given MT ID. Its structure is aligned with the extended IS Reachability TLV Type 236 and add an MT ID. By default, the system supports dynamic host name exchange to assist with troubleshooting and configuration. By assigning a name to an IS-IS NET address, you can track IS-IS information on that address easier. The system does not support ISO CLNS routing; however, the ISO NET format is supported for addressing.
• Changing the IS-Type • Controlling Routing Updates • Configuring Authentication Passwords • Setting the Overload Bit • Debugging IS-IS Enabling IS-IS By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address. To exchange protocol information with neighbors, enable IS-IS on an interface, instead of on a network as with other routing protocols.
INTERFACE mode ipv6 address ipv6-address mask • ipv6 address: x:x:x:x::x • mask: The prefix length is from 0 to 128. The IPv6 address must be on the same subnet as other IS-IS neighbors, but the IP address does not need to relate to the NET address. 6. Enable IS-IS on the IPv4 interface. ROUTER ISIS mode ip router isis [tag] If you configure a tag variable, it must be the same as the tag variable assigned in step 1. 7. Enable IS-IS on the IPv6 interface.
IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: Dell# Level-2 LSPs CSNPs (sent/rcvd) : 1534/0 Level-1 LSPs PSNPs (sent/rcvd) : 0/0 Level-2 LSPs PSNPs (sent/rcvd) : 0/0 Level-1 DR Elections : 2 Level-2 DR Elections : 2 Level-1 SPF Calculations : 29 Level-2 SPF Calculations : 29 LSP checksum errors received : 0 LSP authentication failures : 0 You can assign more NET addresses, but the System ID portion of the NET address must remain the same.
ROUTER-ISIS mode graceful-restart ietf • Configure the time during which the graceful restart attempt is prevented. ROUTER-ISIS mode graceful-restart interval minutes The range is from 1 to 120 minutes. • The default is 5 minutes. Enable the graceful restart maximum wait time before a restarting peer comes up. ROUTER-ISIS mode graceful-restart restart-wait seconds When implementing this command, be sure to set the T3 timer to adjacency on the restarting router. The range is from 1 to 120 minutes.
Example of the show isis graceful-restart detail Command Example of the show isis interface Command NOTE: If this timer expires before the synchronization has completed, the restarting router sends the overload bit in the LSP. The overload bit is an indication to the receiving router that database synchronization did not complete at the restarting router. To view all graceful restart-related configurations, use the show isis graceful-restart detail command in EXEC Privilege mode.
Changing LSP Attributes IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary. To change the defaults, use any or all of the following commands. • Set interval between LSP generation. ROUTER ISIS mode lsp-gen-interval [level-1 | level-2] seconds – seconds: the range is from 0 to 120.
By default, the system generates and receives narrow metric values. Matrixes or costs higher than 63 are not supported. To accept or generate routes with a higher metric, you must change the metric style of the IS-IS process. For example, if you configure the metric as narrow, and a link state PDU (LSP) with wide metrics is received, the route is not installed. The Dell Networking OS supports the following IS-IS metric styles. Table 32.
• Assign an IS-IS metric. INTERFACE mode isis metric default-metric [level-1 | level-2] – default-metric: the range is from 0 to 63 if the metric-style is narrow, narrow-transition, or transition. The range is from 0 to 16777215 if the metric style is wide or wide transition. • The default is 10. Assign a metric for an IPv6 link or interface. INTERFACE mode isis ipv6 metric default-metric [level-1 | level-2] – default-metric: the range is from 0 to 63 for narrow and transition metric styles.
• Change the IS-type for the IS-IS process. ROUTER ISIS mode is-type {level-1 | level-1-2 | level-2} Example of the show isis database Command to View Level 1-2 Link State Databases To view which IS-type is configured, use the show isis protocol command in EXEC Privilege mode. The show config command in ROUTER ISIS mode displays only non-default information, so if you do not change the IS-type, the default value (level-1-2) is not displayed. The default is Level 1-2 router.
ROUTER ISIS mode distribute-list prefix-list-name in [interface] – Enter the type of interface and slot/port information: – For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383. – For a port channel, enter the keywords port-channel then a number from 1 to 255. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
– ospf process-id: for OSPF routes only. – rip: for RIP routes only. – static: for user-configured routes. – bgp: for BGP routes only. • Deny RTM download for pre-existing redistributed IPv6 routes. ROUTER ISIS-AF IPV6 mode distribute-list redistributed-override in Redistributing IPv4 Routes In addition to filtering routes, you can add routes from other routing instances or protocols to the IS-IS process.
ROUTER ISIS mode redistribute {bgp as-number | connected | rip | static} [level-1 level-1-2 | level-2] [metric metric-value] [metric-type {external | internal}] [route-map map-name] Configure the following parameters: – level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2. – metric-value: the range is from 0 to 16777215. The default is 0. – metric-type: choose either external or internal. The default is internal.
To remove a password, use either the no area-password or no domain-password commands in ROUTER ISIS mode. Setting the Overload Bit Another use for the overload bit is to prevent other routers from using this router as an intermediate hop in their shortest path first (SPF) calculations. For example, if the IS-IS routing database is out of memory and cannot accept new LSPs, the system sets the overload bit and IS-IS traffic continues to transit the system.
– interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only. • View IS-IS SNP packets, include CSNPs and PSNPs. EXEC Privilege mode debug isis snp-packets [interface] To view specific information, enter the following optional parameter: – interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only. • View the events that triggered IS-IS shortest path first (SPF) events for debugging purposes.
Metric Style Correct Value Range for the isis metric Command narrow 0 to 63 wide transition 0 to 16777215 narrow transition 0 to 63 transition 0 to 63 Maximum Values in the Routing Table IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000. Change the IS-IS Metric Style in One Level Only By default, the IS-IS metric style is narrow.
Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value narrow transition narrow original value narrow transition wide transition original value narrow transition transition original value wide transition wide original value wide transition narrow default value (10) if the original value is greater than 63. A message is sent to the console. wide transition narrow transition default value (10) if the original value is greater than 63. A message is sent to the console.
Level-1 Metric Style Level-2 Metric Style Resulting Metric Value wide wide transition original value wide transition truncated value narrow transition wide original value narrow transition narrow original value narrow transition wide transition original value narrow transition transition original value transition wide original value transition narrow original value transition wide transition original value transition narrow transition original value wide transition wide or
Figure 61. IPv6 IS-IS Sample Topography IS-IS Sample Configuration — Router 1 IS-IS Sample Configuration — Router 2 IS-IS Sample Configuration — Router 3 The following is a sample configuration for enabling IPv6 IS-IS. R1(conf)#interface Loopback 0 R1(conf-if-lo-0)#ip address 192.168.1.1/24 R1(conf-if-lo-0)#ipv6 address 2001:db8:9999:1::/48 R1(conf-if-lo-0)#ip router isis 9999 R1(conf-if-lo-0)#no shutdown R1(conf-if-lo-0)#router isis 9999 R1(conf-router_isis)#is-type level-1 R1(conf-router_isis)#net FF.
L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change --------------------------- ----------C 10.0.12.0/24 Direct, Gi 1/21 0/0 00:00:57 C 192.168.1.0/24 Direct, Lo 0 0/0 00:04:19 S 192.168.1.2/32 via 10.0.12.2, Gi 1/21 1/0 00:00:57 R1#show isis data IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL R1.00-00 * 0x0000000F 0x3A6C 1176 0/0/0 R1.
C C C S S 10.10.92.0/24 172.21.212.0/24 192.168.1.0/24 192.168.1.1/32 192.168.1.3/32 Direct, Po 4 Direct, Vl 212 Direct, Lo 0 via 10.0.12.1, Gi 2/11 via 10.0.23.3, Gi 2/31 0/0 0/0 0/0 1/0 1/0 6d9h 2d20h 01:11:48 00:00:51 00:00:39 R2#show isis data IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL R2.
IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL R3.00-00 * 0x00000008 0xC09C 1199 0/0/0 R3#show isis neigh System Id Interface State Type Priority Uptime Circuit Id R1 Gi 3/14 Init L1 64 00:00:02 R1.03 R2 Gi 3/21 Up L1 64 00:00:14 A101.
28 Link Aggregation Control Protocol (LACP) Link aggregation control protocol (LACP) is supported on the MXL switch platform. Introduction to Dynamic LAGs and LACP A link aggregation group (LAG), referred to as a port channel, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. The benefits and constraints are basically the same, as described in Port Channel Interfaces in the Interfaces chapter.
• You can configure a maximum of 128 port-channels with up to 16 members per channel. LACP Modes The Dell Networking OS provides three modes for configuration of LACP — Off, Active, and Passive. • Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state. • Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state.
LACP Configuration Tasks The following are LACP configuration tasks. • Creating a LAG • Configuring the LAG Interfaces as Dynamic • Setting the LACP Long Timeout • Monitoring and Debugging LACP • Configuring Shared LAG State Tracking Creating a LAG To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces. • Create a dynamic port channel (LAG). CONFIGURATION mode • interface port-channel Create a dynamic port channel (LAG).
... Dell(conf)#interface Gigabitethernet 4/16 Dell(conf-if-gi-4/16)#no shutdown Dell(conf-if-gi-4/16)#port-channel-protocol lacp Dell(conf-if-gi-4/16-lacp)#port-channel 32 mode active The port-channel 32 mode active command shown here may be successfully issued as long as there is no existing static channelmember configuration in LAG 32. Setting the LACP Long Timeout PDUs are exchanged between port channel (LAG) interfaces to maintain LACP sessions.
Shared LAG State Tracking Shared LAG state tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG. As shown in the following illustration, the line-rate traffic from R1 destined for R4 follows the lowest-cost route via R2. Traffic is equally distributed between LAGs 1 and 2.
port-channel failover-group group 1 port-channel 1 port-channel 2 As shown in the following illustration, LAGs 1 and 2 are members of a failover group. LAG 1 fails and LAG 2 is brought down after the failure. This effect is logged by Message 1, in which a console message declares both LAGs down at the same time. Figure 63.
LACP Basic Configuration Example The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names. Figure 64. LACP Basic Configuration Example Configure a LAG on ALPHA The following example creates a LAG on ALPHA.
0 Vlans 0 64-byte pkts, 12 over 64-byte pkts, 120 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 132 Multicasts, 0 Broadcasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics 136 packets, 16718 bytes, 0 underruns 0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 136 Multicasts, 0 Broadcasts, 0 Unicasts 0 Vlans, 0 throttles, 0 discarded, 0 collisions, 0 wreddrops Ra
Figure 66.
Figure 67.
Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int gig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-gi-3/21)#port-channel-protocol lacp Bravo(conf-if-gi-3/21-lacp)#port-channel 10 mode active Bravo(conf-if-gi-3/21-lacp)#no shut Bravo(conf-if-gi-3/21)#end ! interface GigabitEthernet 3/21 no ip address ! port-channel-protocol LACP port-channel 10 mode active no shutdown Bra
Figure 68.
Figure 69.
Figure 70. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
29 Layer 2 Layer 2 features are supported on the MXL switch platform. Manage the MAC Address Table The Dell Networking OS provides the following management activities for the MAC address table. • Clearing the MAC Address Table • Setting the Aging Time for Dynamic Entries • Configuring a Static MAC Address • Displaying the MAC Address Table Clearing the MAC Address Table You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
Configuring mac-address-table station-move time-interval 500 solves this limitation. Reducing the scanning interval to the minimum (500 milliseconds), increases the detection speed, which results in the system clearing entries closer to the actual desired aging time. Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. • Create a static MAC address entry in the MAC address table.
Setting the MAC Learning Limit To set a MAC learning limit on an interface, use the following command. • Specify the number of MAC addresses that the system can learn off a Layer 2 interface. INTERFACE mode mac learning-limit address_limit Three options are available with the mac learning-limit command: NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations.
• Shut down the first port to learn the MAC address. INTERFACE mode • station-move-violation shutdown-original Shut down the second port to learn the MAC address. INTERFACE mode • station-move-violation shutdown-offending Shut down both the first and second port to learn the MAC address. INTERFACE mode • station-move-violation shutdown-both Display a list of all of the interfaces configured with MAC learning limit or station move violation.
mac-address-table disable-learning If you don’t use any option, the mac-address-table disable-learning command disables source MAC address learning from both LACP and LLDP BPDUs. NOTE: You can use the mac-address-table disable-learning command only in Full–Switch mode.
Figure 72. Configuring the mac-address-table station-move refresh-arp Command MAC Move Optimization MAC move optimization is supported only on the E-Series platform. Station-move detection takes 5000ms because this is the interval at which the detection algorithm runs. The threshold option is the number of times a station move must be detected in a single interval in order to trigger a system log message.
30 Link Layer Discovery Protocol (LLDP) The link layer discovery protocol (LLDP) is supported on the MXL switch platform. 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Type TLV Description 2 Port ID An administratively assigned name that identifies a port through which TLVs are sent and received. 3 Time to Live A value that tells the receiving agent how long the information contained in the TLV Value field is valid. — Optional Includes sub-types of TLVs that advertise specific configuration information. These sub-types are Management TLVs, IEEE 802.1, IEEE 802.3, and TIA-1057 Organizationally Specific TLVs. Figure 74.
IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs. Table 37. Optional TLV Types Type TLV Description 4 Port description A user-defined alphanumeric string that describes the port. The Dell Networking OS does not currently support this TLV.
Type TLV Description via MDI TLV be not implemented, and therefore Dell Networking implements Extended Power via MDI TLV only. 127 Link Aggregation Indicates whether the link is capable of being aggregated, whether it is currently in a LAG, and the port identification of the LAG. The Dell Networking OS does not currently support this TLV. 127 Maximum Frame Size Indicates the maximum frame size capability of the MAC and PHY.
Type SubType TLV Description • LLDP device class 127 2 Network Policy Indicates the application type, VLAN ID, Layer 2 Priority, and DSCP value. 127 3 Location Identification Indicates that the physical location of the device expressed in one of three possible formats: • • • 127 4 Inventory Management TLVs Implementation of this set of TLVs is optional in LLDP-MED devices. None or all TLVs must be supported. The Dell Networking OS does not currently support these TLVs.
When you enable LLDP-MED in Dell Networking OS (using the advertise med command), the system begins transmitting this TLV. Figure 76. LLDP-MED Capabilities TLV Table 39. Dell Networking OS LLDP-MED Capabilities Bit Position TLV Dell Networking OS Support 0 LLDP-MED Capabilities Yes 1 Network Policy Yes 2 Location Identification Yes 3 Extended Power via MDI-PSE Yes 4 Extended Power via MDI-PD No 5 Inventory No 6–15 reserved No Table 40.
Table 41. Network Policy Applications Type Application Description 0 Reserved — 1 Voice Specify this application type for dedicated IP telephony handsets and other appliances supporting interactive voice services. 2 Voice Signaling Specify this application type only if voice control packets use a separate network policy than voice data.
• Power Source — there are two possible power sources: primary and backup. The Dell Networking system is a primary power source, which corresponds to a value of 1, based on the TIA-1057 specification. • Power Priority — there are three possible priorities: Low, High, and Critical. On Dell Networking systems, the default power priority is High, which corresponds to a value of 2 based on the TIA-1057 specification. You can configure a different power priority through the CLI.
Example of the protocol lldp Command (CONFIGURATION Level) R1(conf)#protocol lldp R1(conf-lldp)#? advertise Advertise TLVs dcbx Configure Dcbx Parameters disable Disable LLDP protocol globally end Exit from configuration mode exit Exit from LLDP configuration mode fcoe Configure priority bits for FCoE traffic hello LLDP hello configuration iscsi Configure priority bits for ISCSI traffic mode LLDP mode configuration (default = rx and tx) multiplier LLDP multiplier configuration no Negate a command or set its
Advertising TLVs You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces. • If you configure the system globally, all interfaces send LLDPDUs with the specified TLVs. • If you configure an interface, only the interface sends LLDPDUs with the specified TLVs. • If you configure LLDP both globally and at interface level, the interface level configuration overrides the global configuration. To advertise TLVs, use the following commands. 1. Enter LLDP mode.
Figure 79. Configuring LLDP Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration.
• Display all of the information that neighbors are advertising.
• Configure a non-default transmit interval.
R1(conf-lldp)#mode ? rx Rx only tx Tx only R1(conf-lldp)#mode tx R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description mode tx no disable R1(conf-lldp)#no mode R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf
Debugging LLDP You can view the TLVs that your system is sending and receiving. To view the TLVs, use the following commands. • View a readable version of the TLVs. debug lldp brief • View a readable version of the TLVs plus a hexadecimal version of the entire LLDPDU. debug lldp detail Figure 80. The debug lldp detail Command — LLDPDU Packet Dissection Relevant Management Objects Dell Networkings OS supports all IEEE 802.1AB MIB objects.
Table 42. LLDP Configuration MIB Objects MIB Object Category LLDP Variable LLDP MIB Object Description LLDP Configuration adminStatus lldpPortConfigAdminStatus Whether you enable the local LLDP agent for transmit, receive, or both. msgTxHold lldpMessageTxHoldMultiplier Multiplier value. msgTxInterval lldpMessageTxInterval Transmit Interval value. rxInfoTTL lldpRxInfoTTL Time to live for received TLVs. txInfoTTL lldpTxInfoTTL Time to live for transmitted TLVs.
TLV Type TLV Name TLV Variable System LLDP MIB Object 4 Port Description port description Local lldpLocPortDesc Remote lldpRemPortDesc Local lldpLocSysName Remote lldpRemSysName Local lldpLocSysDesc Remote lldpRemSysDesc Local lldpLocSysCapSupported Remote lldpRemSysCapSupported Local lldpLocSysCapEnabled Remote lldpRemSysCapEnabled Local lldpLocManAddrLen Remote lldpRemManAddrLen Local lldpLocManAddrSubtype Remote lldpRemManAddrSubtype Local lldpLocManAddr Remote lldp
TLV Type 127 TLV Name VLAN Name TLV Variable System LLDP MIB Object PPVID Local lldpXdot1LocProtoVlanId Remote lldpXdot1RemProtoVlanId Local lldpXdot1LocVlanId Remote lldpXdot1RemVlanId Local lldpXdot1LocVlanName Remote lldpXdot1RemVlanName Local lldpXdot1LocVlanName Remote lldpXdot1RemVlanName VID VLAN name length VLAN name Table 45.
TLV Sub-Type TLV Name TLV Variable DSCP Value 3 Location Identifier Location Data Format Location ID Data 4 Extended Power via MDI Power Device Type Power Source System LLDP-MED MIB Object Remote lldpXMedRemMediaPolicy Priority Local lldpXMedLocMediaPolicy Dscp Remote lldpXMedRemMediaPolicy Dscp Local lldpXMedLocLocationSubt ype Remote lldpXMedRemLocationSub type Local lldpXMedLocLocationInfo Remote lldpXMedRemLocationInfo Local lldpXMedLocXPoEDevice Type Remote lldpXMedRemXPo
31 Microsoft Network Load Balancing Network Load Balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems. NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
With multicast NLB mode, the data is forwarded to all the servers based on the port specified using the Layer 2 multicast command, which is the mac-address-table static multicast vlan output-range , command in CONFIGURATION mode. Limitations With Enabling NLB on Switches The following limitations apply to switches on which you configure NLB: • The NLB unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN.
resolved through ARP packets, which had the Ethernet MAC SA different from the MAC information inside the ARP packet. This unicast data traffic flooding occurs only for those packets that use these ARP entries. CONFIGURATION mode ip vlan-flooding Multicast NLB Mode To enable a switch for multicast NLB mode of functioning, perform the following steps: 1.
32 Multicast Source Discovery Protocol (MSDP) Dell Networking OS supports multicast source discovery protocol (MSDP). Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 81. Multicast Source Discovery Protocol (MSDP) RPs advertise each (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected.
Figure 82. MSDP SA Message Format Anycast RP Using MSDP, anycast RP provides load sharing and redundancy in PIM-SM networks. Anycast RP allows two or more rendezvous points (RPs) to share the load for source registration and the ability to act as hot backup routers for each other. Anycast RP allows you to configure two or more RPs with the same IP address on Loopback interfaces. The Anycast RP Loopback address are configured with a 32-bit mask, making it a host address.
The MSDP Sample Configurations show the PIM-SM configuration in this chapter for MSDP. Also, refer to PIM Sparse-Mode (PIM-SM). 3. Enabling MSDP. 4. Peer the RPs in each routing domain with each other. Refer to Enabling MSDP. Related Configuration Tasks The following lists related MSDP configuration tasks.
Figure 83.
Figure 84.
Figure 85.
Figure 86. Configuring MSDP Enabling MSDP Enable MSDP by peering RPs in different administrative domains. 1. Enable MSDP. CONFIGURATION mode ip multicast-msdp 2. Peer PIM systems in different administrative domains. CONFIGURATION mode ip msdp peer connect-source Example of Configuring MSDP Example of Viewing Peer Information R3_E600(conf)#ip multicast-msdp R3_E600(conf)#ip msdp peer 192.168.0.
R3_E600(conf)#do show ip msdp summary Peer Addr Local Addr State Source 192.168.0.1 192.168.0.3 Established Lo 0 SA 1 Up/Down Description 00:05:29 To view details about a peer, use the show ip msdp peer command in EXEC privilege mode. Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group. R3_E600#show ip msdp peer Peer Addr: 192.
If the total number of active sources is already larger than the limit when limiting is applied, the sources that are already in the system are not discarded. To enforce the limit in such a situation, use the clear ip msdp sa-cache command to clear all existing entries. Clearing the Source-Active Cache To clear the source-active cache, use the following command. • Clear the SA cache of all, local, or rejected entries, or entries for a specific group.
Figure 87.
Figure 88.
Figure 89.
Figure 90. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
229.0.50.2 229.0.50.3 229.0.50.4 24.0.50.2 24.0.50.3 24.0.50.4 200.0.0.50 200.0.0.50 200.0.0.50 10.0.50.2 10.0.50.2 10.0.50.2 Dell#ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 3 rejected SAs received, cache-size 32766 UpTime GroupAddr SourceAddr RPAddr 00:33:18 229.0.50.64 24.0.50.64 200.0.1.50 00:33:18 229.0.50.65 24.0.50.65 200.0.1.50 00:33:18 229.0.50.66 24.0.50.66 200.0.1.50 73 73 73 00:13:49 00:13:49 00:13:49 LearnedFrom 10.0.50.2 10.0.50.2 10.0.50.
R1_E600(conf)#do show ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 1 rejected SAs received, cache-size 1000 UpTime GroupAddr SourceAddr RPAddr LearnedFrom 00:02:20 239.0.0.1 10.11.4.2 192.168.0.1 local Reason Redistribute Preventing MSDP from Caching a Remote Source To prevent MSDP from caching a remote source, use the following commands. 1. OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache. CONFIGURATION mode ip msdp cache-rejected-sa 2.
Example of Verifying the System is not Advertising Local Sources In the following example, R1 stops advertising source 10.11.4.2. Because it is already in the SA cache of R3, the entry remains there until it expires. [Router 1] R1_E600(conf)#do show run msdp ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 0 ip msdp sa-filter out 192.168.0.3 list mylocalfilter R1_E600(conf)#do show run acl ! ip access-list extended mylocalfilter seq 5 deny ip host 239.0.0.1 host 10.11.4.
Input (S,G) filter: myremotefilter Output (S,G) filter: none [Router 1] R1_E600(conf)#do show ip msdp peer Peer Addr: 192.168.0.3 Local Addr: 0.0.0.0(0) Connect Source: Lo 0 State: Inactive Up/Down Time: 00:00:03 Timers: KeepAlive 30 sec, Hold time 75 sec SourceActive packet count (in/out): 0/0 SAs learned from this peer: 0 SA Filtering: Clearing Peer Statistics To clear the peer statistics, use the following command. • Reset the TCP connection to the peer and clear all peer statistics.
03:17:09 : MSDP-0: Peer 192.168.0.3, 03:17:10 : MSDP-0: Peer 192.168.0.3, 03:17:27 : MSDP-0: Peer 192.168.0.3, Input (S,G) filter: none Output (S,G) filter: none sent Keepalive msg rcvd Keepalive msg sent Source Active msg MSDP with Anycast RP Anycast RP uses MSDP with PIM-SM to allow more than one active group to use RP mapping.
Figure 91. MSDP with Anycast RP Configuring Anycast RP To configure anycast RP, use the following commands. 1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2. Make this address the RP for the group. CONFIGURATION mode ip pim rp-address 3.
CONFIGURATION mode ip msdp peer 5. Advertise the network of each of the unique Loopback addresses throughout the network. ROUTER OSPF mode network Reducing Source-Active Message Flooding RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RFP rule. You can prevent this unnecessary flooding by creating a mesh-group.
router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 10.11.3.0/24 area 0 network 192.168.0.11/32 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 1 ip msdp peer 192.168.0.22 connect-source Loopback 1 ip msdp mesh-group AS100 192.168.0.22 ip msdp originator-id Loopback 1! ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4 ip multicast-routing ! interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.
interface GigabitEthernet 3/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.3/32 area 0 redistribute static redistribute connected redistribute bgp 200 ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.22 remote-as 100 neighbor 192.168.0.22 ebgp-multihop 255 neighbor 192.168.0.22 update-source Loopback 0 neighbor 192.168.0.
router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 192.168.0.1/32 area 0 network 10.11.3.0/24 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 0 ! ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4 ip multicast-routing ! interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.1/24 no shutdown ! interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.
no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.3/32 area 0 redistribute static redistribute connected redistribute bgp 200 ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.2 remote-as 100 neighbor 192.168.0.2 ebgp-multihop 255 neighbor 192.168.0.2 update-source Loopback 0 neighbor 192.168.0.2 no shutdown ! ip multicast-msdp ip msdp peer 192.168.0.1 connect-source Loopback 0 ! ip route 192.168.0.2/32 10.11.0.
33 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). Protocol Overview MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. In contrast, PVST+ allows a spanning tree instance for each VLAN.
Spanning Tree Variations The Dell Networking operating system (OS) supports four variations of spanning tree, as shown in the following table. Table 46. Spanning Tree Variations Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multicast Source Discovery Protocol (MSDP) 802 .1s Per-VLAN Spanning Tree Plus (PVST+) Third Party Implementation Information The following describes the MSTP implementation information.
Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0. • Within an MSTI, only one path from any bridge to any other bridge is enabled. • Bridges block a redundant path by disabling one of the link ports. 1. Enter PROTOCOL MSTP mode. CONFIGURATION mode protocol spanning-tree mstp 2.
To view the forwarding/discarding state of the ports participating in an MSTI, use the show spanning-tree msti command from EXEC Privilege mode. Dell#show spanning-tree msti 1 MSTI 1 VLANs mapped 100 Root Identifier has priority 32768, Address 0001.e806.953e Root Bridge hello time 2, max age 20, forward delay 15, max hops 19 Bridge Identifier has priority 32768, Address 0001.e80d.b6d6 Configured hello time 2, max age 20, forward delay 15, max hops 20 Current root has priority 32768, Address 0001.e806.
• Name is a mnemonic string you assign to the region. The default region name is null. • Revision is a 2-byte number. The default revision number is 0. • VLAN-to-instance mapping is the placement of a VLAN in an MSTI. For a bridge to be in the same MSTP region as another, all three of these qualities must match exactly. The default values for name and revision match on all Dell Networking OS equipment.
PROTOCOL MSTP mode forward-delay seconds The range is from 4 to 30. The default is 15 seconds. 2. Change the hello-time parameter. PROTOCOL MSTP mode hello-time seconds NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time. The range is from 1 to 10. The default is 2 seconds. 3. Change the max-age parameter. PROTOCOL MSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. 4.
PROTOCOL MSTP mode edge-port bpdu filter default Figure 93. BPDU Filtering Enabled Globally Modifying the Interface Parameters You can adjust two interface parameters to increase or decrease the probability that a port becomes a forwarding port. • Port cost is a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
The range is from 0 to 200000. For the default, refer to the default values shown in the table. 2. Change the port priority of an interface. INTERFACE mode spanning-tree msti number priority priority The range is from 0 to 240, in increments of 16. The default is 128. To view the current values for these interface parameters, use the show config command from INTERFACE mode. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner.
no shutdown Dell(conf-if-gi-3/41)# Flush MAC Addresses after a Topology Change The Dell Networking OS has an optimized MAC address flush mechanism for RSTP, MSTP, and PVST+ that flushes addresses only when necessary, which allows for faster convergence during topology changes. However, you may activate the flushing mechanism defined by 802.1Q-2003 using the tc-flush-standard command, which flushes MAC addresses after every topology change notification.
no shutdown ! interface GigabitEthernet 1/31 no ip address switchport no shutdown ! (Step 3) interface Vlan 100 no ip address tagged GigabitEthernet 1/21,31 no shutdown ! interface Vlan 200 no ip address tagged GigabitEthernet 1/21,31 no shutdown ! interface Vlan 300 no ip address tagged GigabitEthernet 1/21,31 no shutdown Router 2 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2.
Router 3 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
exit interface 1/0/32 no shutdown spanning-tree port mode enable switchport protected 0 exit (Step 3) interface vlan 100 tagged 1/0/31 tagged 1/0/32 exit interface vlan 200 tagged 1/0/31 tagged 1/0/32 exit interface vlan 300 tagged 1/0/31 tagged 1/0/32 exit Debugging and Verifying MSTP Configurations To debut and verify MSTP configuration, use the following commands. • Display BPDUs. EXEC Privilege mode debug spanning-tree mstp bpdu • Display MSTP-triggered topology change messages.
– Is the Region name blank? That may mean that a name was configured on one router and but was not configured or was configured differently on another router (spelling and capitalization counts). • MSTP Instances. – To verify the VLAN to MSTP instance mapping, use the show commands. – Are there “extra” MSTP instances in the Sending or Received logs? This may mean that an additional MSTP instance was configured on one router but not the others.
34 Multicast Features Dell Networking OS supports multicast features. The Dell Networking OS supports the following multicast protocols: • PIM Sparse-Mode (PIM-SM) • PIM Source-Specific Mode (PIM-SSM) • Internet Group Management Protocol (IGMP) • Multicast Source Discovery Protocol (MSDP) Enabling IP Multicast Prior to enabling any multicast protocols, you must enable multicast routing. • Enable multicast routing.
First Packet Forwarding for Lossless Multicast Beginning with the Dell Networking OS version version 8.3.1.0, all initial multicast packets are forwarded to receivers to achieve lossless multicast. In previous versions, when the Dell Networking system is an RP, all initial packets are dropped until PIM creates an (S,G) entry.
• Limit the total number of multicast routes on the system. CONFIGURATION mode ip multicast-limit The range if from 1 to 50000. The default is 15000. NOTE: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit may supersede by this hardware space limitation.
Figure 95. Preventing a Host from Joining a Group Table 48. Preventing a Host from Joining a Group — Description Location Description 1/21 • • • • Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • • Interface GigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.1/24 no shutdown 2/1 • • • Interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.
Location Description • no shutdown 2/11 • • • • Interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface GigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.1/24 no shutdown 3/11 • • • • Interface GigabitEthernet 3/11 ip pim sparse-mode ip address 10.11.13.
Preventing a PIM Router from Forming an Adjacency To prevent a router from participating in PIM (for example, to configure stub multicast routing), use the following command. • Prevent a router from participating in protocol independent multicast (PIM). INTERFACE mode ip pim neighbor-filter Preventing a Source from Registering with the RP To prevent the PIM source DR from sending register packets to RP for the specified multicast source and group, use the following command.
Figure 96. Preventing a Source from Transmitting to a Group Table 49. Preventing a Source from Transmitting to a Group — Description Location Description 1/21 • • • • Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • • Interface GigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.1/24 no shutdown 2/1 • • • Interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.
Location Description • no shutdown 2/11 • • • • Interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface GigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.1/24 no shutdown 3/11 • • • • Interface GigabitEthernet 3/11 ip pim sparse-mode ip address 10.11.13.
ip pim join-filter Multicast Features 533
35 Object Tracking IPv4 or IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell Networking OS release version 9.7(0.0), object tracking is supported only on VRRP.
Track Layer 2 Interfaces You can create an object to track the line-protocol state of a Layer 2 interface. In this type of object tracking, the link-level operational status (UP or DOWN) of the interface is monitored. When the link-level status goes down, the tracked resource status is considered to be DOWN; if the link-level status goes up, the tracked resource status is considered to be UP.
Object Tracking Configuration You can configure three types of object tracking for a client. • Track Layer 2 Interfaces • Track Layer 3 Interfaces • Track an IPv4/IPv6 Route For a complete listing of all commands related to object tracking, refer to the Dell Networking OS Command Line Interface Reference Guide. Tracking a Layer 2 Interface You can create an object that tracks the line-protocol state of a Layer 2 interface and monitors its operational status (UP or DOWN).
Dell(conf-track-100)#description San Jose data center Dell(conf-track-100)#end Dell#show track 100 Track 100 Interface TenGigabitEthernet 7/1 line-protocol Description: San Jose data center Tracking a Layer 3 Interface You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface. You can track the routing status of any of the following Layer 3 interfaces: • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
Examples of Configuring Object Tracking for an IPv4 or IPv6 Interface Examples of Configuring Object Tracking for an IPv4 or IPv6 Interface The following is an example of configuring object tracking for an IPv4 interface: Dell(conf)#track 101 interface tengigabitethernet 7/2 ip routing Dell(conf-track-101)#delay up 20 Dell(conf-track-101)#description NYC metro Dell(conf-track-101)#end Dell#show track 101 Track 101 Interface TenGigabitEthernet 7/2 ip routing Description: NYC metro The following is an example
– If the scaled metric for a route is greater than or equal to the DOWN threshold or the route is not entered in the routing table, the state of a route is DOWN. The UP and DOWN thresholds are user-configurable for each tracked route. The default UP threshold is 254; the default DOWN threshold is 255. The notification of a change in the state of a tracked object is sent when a metric value crosses a configured threshold.
3 changes, last change 00:03:30 Tracked by: Example of the show track brief Command Router# show track brief ResId State 1 Resource LastChange IP route reachability Parameter 10.16.0.
36 Open Shortest Path First (OSPFv2 and OSPFv3) Dell Networking OS supports open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6). This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell Networking operating system (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 98. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers. The backbone is the only area with a default area number. All other areas can have their Area ID assigned in the configuration.
Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Figure 99. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone.
Internal Router (IR) The internal router (IR) has adjacencies with ONLY routers in the same area, as Router E, M, and I shown in the previous example. Designated and Backup Designated Routers OSPF elects a designated router (DR) and a backup designated router (BDR). Among other things, the DR is responsible for generating LSAs for the entire multiaccess network. Designated routers allow a reduction in network traffic and in the size of the topological database.
• 1: point-to-point connection to another router/neighboring router. • 2: connection to a transit network IP address of the DR. • 3: connection to a stub network IP network/subnet number. LSA Throttling LSA throttling provides configurable interval timers to improve OSPF convergence times. The default OSPF static timers (5 seconds for transmission, 1 second for acceptance) ensures sufficient time for sending and resending LSAs and for system acceptance of arriving LSAs.
Figure 100. Priority and Cost Examples OSPF with the Dell Networking OS The Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within that 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. The Dell Networking OS version 7.8.1.0 and later supports multiple OSPF processes (OSPF MP). The MXL switch supports up to 16 processes simultaneously. On OSPFv3, the system supports only one process at a time for all platforms.
Graceful Restart Graceful restart for OSPFv2 and OSPFv3 are supported in Helper and Restart modes. When a router goes down without a graceful restart, there is a possibility for loss of access to parts of the network due to ongoing network topology changes. Additionally, LSA flooding and reconvergence can cause substantial delays. It is, therefore, desirable that the network maintains a stable topology if it is possible for data flow to continue uninterrupted.
Fast Convergence (OSPFv2, IPv4 Only) Fast convergence allows you to define the speeds at which LSAs are originated and accepted, and reduce OSPFv2 end-to-end convergence time. The Dell Networking OS allows you to accept and originate LSAa as soon as they are available to speed up route information propagation. NOTE: The faster the convergence, the more frequent the route calculations and updates. This impacts CPU utilization and may impact adjacency stability in larger topologies.
Hello due in 00:00:04 Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 1.1.1.1 (Backup Designated Router) Dell (conf-if-gi-2/2)# Configuration Information The interfaces must be in Layer-3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode.
Enabling OSPFv2 To enable Layer 3 routing, assign an IP address to an interface (physical or Loopback). By default, OSPF, similar to all routing protocols, is disabled. You must configure at least one interface for Layer 3 before enabling OSPFv2 globally. 1. Assign an IP address to an interface. CONFIG-INTERFACE mode ip address ip-address mask The format is A.B.C.D/M. If you are using a Loopback interface, refer to Loopback Interfaces. 2. Enable the interface. CONFIG-INTERFACE mode no shutdown 3.
Supports only single TOS (TOS0) routes SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Number of area in this router is 0, normal 0 stub 0 nssa 0 Dell# Assigning an OSPFv2 Area After you enable OSPFv2, assign the interface to an OSPF area. Set up OSPF areas and enable OSPFv2 on an interface with the network command. You must have at least one AS area: Area 0. This is the backbone area. If your OSPF network contains more than one area, configure a backbone area (Area ID 0.0.0.0).
To view the configuration, use the show config command in CONFIGURATION ROUTER OSPF mode. OSPF, by default, sends hello packets out to all physical interfaces assigned an IP address that is a subset of a network on which OSPF is enabled. To view currently active interfaces and the areas assigned to them, use the show ip ospf interface command. Dell>show ip ospf 1 interface TenGigabitEthernet 12/17 is up, line protocol is up Internet Address 10.2.2.1/24, Area 0.0.0.0 Process ID 1, Router ID 11.1.2.
show ip ospf process-id database database-summary 2. Enter CONFIGURATION mode. EXEC Privilege mode configure 3. Enter ROUTER OSPF mode. CONFIGURATION mode router ospf process-id Process ID is the ID assigned when configuring OSPFv2 globally. 4. Configure the area as a stub area. CONFIG-ROUTER-OSPF-id mode area area-id stub [no-summary] Use the keywords no-summary to prevent transmission into the area of summary ASBR LSAs. Area ID is the number or IP address assigned when creating the area.
• arrival-time: set the interval between receiving the same LSA repeatedly, to allow sufficient time for the system to accept the LSA. The range is from 0 to 600,000 milliseconds. Enabling Passive Interfaces A passive interface is one that does not send or receive routing information. Enabling passive interface suppresses routing updates on an interface.
Enabling Fast-Convergence The fast-convergence CLI sets the minimum origination and arrival LSA parameters to zero (0), allowing rapid route calculation. When you disable fast-convergence, origination and arrival LSA parameters are set to 5 seconds and 1 second, respectively. Setting the convergence parameter (from 1 to 4) indicates the actual convergence level.
• Change the cost associated with OSPF traffic on the interface. CONFIG-INTERFACE mode ip ospf cost • – cost: The range is from 1 to 65535 (the default depends on the interface speed). Change the time interval the router waits before declaring a neighbor dead. CONFIG-INTERFACE mode ip ospf dead-interval seconds – seconds: the range is from 1 to 65535 (the default is 40 seconds). The dead interval must be four times the hello interval.
Example of Changing and Verifying the cost Parameter and Viewing Interface Status To view interface configurations, use the show config command in CONFIGURATION INTERFACE mode. To view interface status in the OSPF process, use the show ip ospf interface command in EXEC mode. The bold lines in the example show the change on the interface. The change is reflected in the OSPF configuration. Dell(conf-if)#ip ospf cost 45 Dell(conf-if)#show config ! interface TenGigabitEthernet 0/0 ip address 10.1.2.100 255.255.
• mode — the situation or situations that trigger a graceful restart. • role — the role or roles the configured router can perform. NOTE: By default, OSPFv2 graceful restart is disabled. To enable and configure OSPFv2 graceful restart, use the following commands. 1. Enable OSPFv2 graceful-restart globally and set the grace period. CONFIG-ROUTEROSPF- id mode graceful-restart grace-period seconds The seconds range is from 40 and 3000.
network 10.0.2.0/24 area 0 Dell# Creating Filter Routes To filter routes, use prefix lists. OSPF applies prefix lists to incoming or outgoing routes. Incoming routes must meet the conditions of the prefix lists. If they do not, OSPF does not add the route to the routing table. Configure the prefix list in CONFIGURATION PREFIX LIST mode prior to assigning it to the OSPF process. • Create a prefix list and assign it a unique name.
– route-map map-name: enter a name of a configured route map. – tag tag-value: the range is from 0 to 4294967295. Example of Viewing OSPF Configuration after Redistributing Routes To view the current OSPF configuration, use the show running-config ospf command in EXEC mode or the show config command in ROUTER OSPF mode. Dell(conf-router_ospf)#show config ! router ospf 34 network 10.1.2.32 0.0.0.255 area 2.2.2.2 network 10.1.3.24 0.0.0.255 area 3.3.3.
EXEC Privilege mode show ip ospf timers rate-limit • View debug messages. EXEC Privilege mode debug ip ospf process-id [event | packet | spf | database-timers rate-limit] To view debug messages for a specific OSPF process ID, use the debug ip ospf process-id command. If you do not enter a process ID, the command applies to the first OSPF process. To view debug messages for a specific operation, enter one of the optional keywords: – event: view OSPF event messages. – packet: view OSPF packet information.
Figure 101. Basic Topology and CLI Commands for OSPFv2 OSPF Area 0 — Gl 1/1 and 1/2 router ospf 11111 network 10.0.11.0/24 area 0 network 10.0.12.0/24 area 0 network 192.168.100.0/24 area 0 ! interface GigabitEthernet 1/1 ip address 10.1.11.1/24 no shutdown ! interface GigabitEthernet 1/2 ip address 10.2.12.2/24 no shutdown ! interface Loopback 10 ip address 192.168.100.100/24 no shutdown OSPF Area 0 — Gl 3/1 and 3/2 router ospf 33333 network 192.168.100.0/24 area 0 network 10.0.13.0/24 area 0 network 10.
ip address 192.168.100.20/24 no shutdown ! interface GigabitEthernet 2/1 ip address 10.2.21.2/24 no shutdown ! interface GigabitEthernet 2/2 ip address 10.2.22.2/24 no shutdown Configuration Task List for OSPFv3 (OSPF for IPv6) The configuration options of OSPFv3 are the same as those options for OSPFv2, but you may configure OSPFv3 with differently labeled commands. Specify process IDs and areas and include interfaces and addresses in the process. Define areas as stub or totally stubby.
Applying cost for OSPFv3 Change in bandwidth directly affects the cost of OSPF routes. • Explicitly specify the cost of sending a packet on an interface. INTERFACE mode ipv6 ospf interface-cost • – interface-cost:The range is from 1 to 65535. Default cost is based on the bandwidth. Specify how the OSPF interface cost is calculated based on the reference bandwidth method. The cost of an interface is calculated as Reference Bandwidth/Interface speed.
Assigning OSPFv3 Process ID and Router ID Globally To assign, disable, or reset OSPFv3 globally, use the following commands. • Enable the OSPFv3 process globally and enter OSPFv3 mode. CONFIGURATION mode ipv6 router ospf {process ID} • The range is from 0 to 65535. Assign the router ID for this OSPFv3 process. CONF-IPV6-ROUTER-OSPF mode router-id {number} – number: the IPv4 address. The format is A.B.C.D. NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address. • Disable OSPF.
– For a port channel, enter the keywords port-channel then a number from 1 to 255 (for example, passive-interface po 100) – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information (for example, passive-interface ten 2/3). – For a 40-Gigabit Ethernet interface, enter the keyword FortyGigabitEthernet then the slot/port information. – For a VLAN, enter the keyword vlan then a number from 1 to 4094 (for example, passive-interface vlan 2222).
By default, OSPFv3 graceful restart is disabled and functions only in a helper role to help restarting neighbor routers in their graceful restarts when it receives a Grace LSA. To enable OSPFv3 graceful restart, enter the ipv6 router ospf process-id command to enter OSPFv3 configuration mode. Then configure a grace period using the graceful-restart grace-period command. The grace period is the time that the OSPFv3 neighbors continue to advertise the restarting router as though it is fully adjacent.
EXEC Privilege mode show ipv6 ospf database database-summary Example of the show run ospf Command Example of the show ipv6 ospf database database-summary Command Example of the show ipv6 ospf database grace-lsa Command Dell#show run ospf ! router ospf 1 router-id 200.1.1.1 log-adjacency-changes graceful-restart grace-period 180 network 20.1.1.0/24 area 0 network 30.1.1.
OSPFv3 Authentication Using IPsec Dell Networking OS supports OSPFv3 authentication using IP security (IPsec). Starting in Dell Networking OS version 8.4.2.0, OSPFv3 uses IPsec to provide authentication for OSPFv3 packets. IPsec authentication ensures security in the transmission of OSPFv3 packets between IPsec-enabled routers. IPsec is a set of protocols developed by the internet engineering task force (IETF) to support secure exchange of packets at the IP layer.
• Manual key configuration is supported in an authentication or encryption policy (dynamic key configuration using the internet key exchange [IKE] protocol is not supported). • In an OSPFv3 authentication policy: – AH is used to authenticate OSPFv3 headers and certain fields in IPv6 headers and extension headers. – MD5 and SHA1 authentication types are supported; encrypted and unencrypted keys are supported. • In an OSPFv3 encryption policy: – Both encryption and authentication are used.
• Display the configuration of IPsec authentication policies on the router. show crypto ipsec policy • Display the security associations set up for OSPFv3 interfaces in authentication policies. show crypto ipsec sa ipv6 Configuring IPsec Encryption on an Interface To configure, remove, or display IPsec encryption on an interface, use the following commands.
If you have enabled IPSec encryption in an OSPFv3 area using the area encryption command, you cannot use the area authentication command in the area at the same time. The configuration of IPSec authentication on an interface-level takes precedence over an area-level configuration. If you remove an interface configuration, an area authentication policy that has been configured is applied to the interface. • Enable IPSec authentication for OSPFv3 packets in an area.
– key-encryption-type: (optional) specifies if the key is encrypted. Valid values: 0 (key is not encrypted) or 7 (key is encrypted). – authentication-algorithm: specifies the authentication algorithm to use for encryption. The valid values are MD5 or SHA1. – key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share key to exchange information. For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted).
Inbound AH Key Outbound AH Key Transform set : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e : ah-md5-hmac Crypto IPSec client security policy data Policy name : OSPFv3-0-501 Policy refcount : 1 Inbound ESP SPI : 501 (0x1F5) Outbound ESP SPI : 501 (0x1F5) Inbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5 Outbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9
Troubleshooting OSPFv3 The Dell Networking OS has several tools to make troubleshooting easier. Consider the following information as these are typical issues that interrupt the OSPFv3 process. NOTE: The following troubleshooting section is not meant to be a comprehensive list, only examples of typical troubleshooting checks.
– For a VLAN, enter the keyword vlan then a number from 1 to 4094 (for example, passive-interface vlan 2222). The system supports 4094 VLANs.
37 Policy-based Routing (PBR) Dell Networking OS supports policy-based routing. This chapter covers the following topics: • Overview • Implementing Policy-based Routing with Dell Networking OS • Configuration Task List for Policy-based Routing • Sample Configuration Overview Policy-based Routing (PBR) enables you to make routing decisions based on policies applied to a specific interface.
To enable a PBR, you create a Redirect List. Redirect lists are defined by rules, or routing policies.
Ingress and egress Hot Lock PBR allow you to add or delete new rules into an existing policy (already written into CAM) without disruption to traffic flow. Existing entries in CAM are adjusted to accommodate the new entries. Hot Lock PBR is enabled by default. Configuration Task List for Policy-based Routing To enable the PBR: • Create a Redirect List • Create a Rule for a Redirect-list • Create a Track-id list. For complete tracking information, refer to Object Tracking chapter.
The below step shows a step-by-step example of how to create a rule for a redirect list by configuring: • • • • IP address of the next-hop router in the forwarding route IP protocol number Source address with mask information Destination address with mask information Creating a Rule Example: Dell(conf-redirect-list)#redirect ? A.B.C.D Forwarding router's address Dell(conf-redirect-list)#redirect 3.3.3.
PBR Exceptions (Permit) Use the command permit to create an exception to a redirect list. Exceptions are used when a forwarding decision should be based on the routing table rather than a routing policy. Dell Networking OS assigns the first available sequence number to a rule configured without a sequence number and inserts the rule into the PBR CAM region next to the existing entries. Since the order of rules is important, ensure that you configure any necessary sequence numbers.
shutdown Dell(conf-if-te-1/0)# In addition to supporting multiple redirect-lists in a redirect-group, multiple redirect-groups are supported on a single interface. Dell Networking OS has the capability to support multiple groups on an interface for backup purposes. Show Redirect List Configuration To view the configuration redirect list configuration, use the following command in EXEC mode: 1. View the redirect list configuration and the associated interfaces.
NOTE: If, the redirect-list is applied to an interface, the output of show ip redirect-list redirect-list-name command displays reachability and ARP status for the specified next-hop.
Create the Redirect-List GOLD EDGE_ROUTER(conf-if-Te-3/23)#ip redirect-list GOLD EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD. EDGE_ROUTER(conf-redirect-list)#direct 10.99.99.254 ip 192.168.1.0/24 any EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any EDGE_ROUTER(conf-redirect-list)# seq 15 permit ip any any EDGE_ROUTER(conf-redirect-list)#show config ! ip redirect-list GOLD description Route GOLD traffic to ISP_GOLD. seq 5 redirect 10.99.99.254 ip 192.
IP redirect-list GOLD: Defined as: seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23), ARP resolved seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any, Next-hop reachable (via Te 3/23), ARP resolved seq 15 permit ip any any Applied interfaces: Te 2/11 EDGE_ROUTER# Configuration Tasks for Creating a PBR list using Explicit Track Objects for Redirect IP's Create Track Objects to track the Redirect IP's: Dell#configure terminal Dell(conf)#track 3 ip host 42.1.1.
Te 2/28 Dell# Configuration Tasks for Creating a PBR list using Explicit Track Objects for Tunnel Interfaces Creating steps for Tunnel Interfaces: Dell#configure terminal Dell(conf)#interface tunnel 1 Dell(conf-if-tu-1)#tunnel destination 40.1.1.2 Dell(conf-if-tu-1)#tunnel source 40.1.1.1 Dell(conf-if-tu-1)#tunnel mode ipip Dell(conf-if-tu-1)#tunnel keepalive 60.1.1.2 Dell(conf-if-tu-1)#ip address 60.1.1.
Verify the Applied Redirect Rules: Dell#show ip redirect-list explicit_tunnel IP redirect-list explicit_tunnel: Defined as: seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.0/24, Track 1 [up], Next-hop reachable (via Te 1/32) seq 10 redirect tunnel 1 track 1 tcp any any, Track 1 [up], Next-hop reachable (via Te 1/32) seq 15 redirect tunnel 1 track 1 udp 155.55.0.0/16 host 144.144.144.144, Track 1 [up], Next-hop reachable (via Te 1/32) seq 20 redirect tunnel 2 track 2 tcp 155.55.2.0/24 222.22.2.
38 PIM Sparse-Mode (PIM-SM) Dell Networking OS supports protocol-independent multicast sparse-mode (PIM-SM). PIM-SM is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop. Implementation Information Be aware of the following PIM-SM implementation information.
Refuse Multicast Traffic A host requesting to leave a multicast group sends an IGMP Leave message to the last-hop DR. If the host is the only remaining receiver for that group on the subnet, the last-hop DR is responsible for sending a PIM Prune message up the RPT to prune its branch to the RP. 1. After receiving an IGMP Leave message, the gateway removes the interface on which it is received from the outgoing interface list of the (*,G) entry.
ip multicast-routing Related Configuration Tasks The following are related PIM-SM configuration tasks. • • • • Configuring S,G Expiry Timers Configuring a Static Rendezvous Point Configuring a Designated Router Creating Multicast Boundaries and Domains Enable PIM-SM You must enable PIM-SM on each participating interface. 1. Enable multicast routing on the system. CONFIGURATION mode ip multicast-routing 2. Enable PIM-Sparse mode.
Incoming interface: GigabitEthernet 4/12, RPF neighbor 10.87.3.5 Outgoing interface list: GigabitEthernet 4/11 GigabitEthernet 7/13 (10.87.31.5, 192.1.2.1), uptime 00:01:24, expires 00:02:26, flags: FT Incoming interface: GigabitEthernet 7/11, RPF neighbor 0.0.0.0 Outgoing interface list: GigabitEthernet 4/11 GigabitEthernet 4/12 GigabitEthernet 7/13 --More-- Configuring S,G Expiry Timers By default, S, G entries expire in 210 seconds.
! ip access-list extended SGtimer seq 5 permit ip 10.1.2.0/24 225.1.1.0/24 seq 10 permit ip any 232.1.1.0/24 seq 15 permit ip 100.1.0.0/16 any Dell(config-ext-nacl)#exit Dell(conf)#ip pim sparse-mode sg-expiry-timer 1800 sg-list SGtimer To display the expiry time configuration, use the show running-configuration [acl | pim] command from EXEC Privilege mode.
Configuring a Designated Router Multiple PIM-SM routers might be connected to a single local area network (LAN) segment. One of these routers is elected to act on behalf of directly connected hosts. This router is the designated router (DR). The DR is elected using hello messages. Each PIM router learns about its neighbors by periodically sending a hello message out of each PIM-enabled interface. Hello messages contain the IP address of the interface out of which it is sent and a DR priority value.
39 PIM Source-Specific Mode (PIM-SSM) Dell Networking OS supports PIM source-specific mode (PIM-SSM). PIM-SSM is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1. Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2. Enter the ip pim ssm-range command and specify the ACL you created. CONFIGURATION mode ip pim ssm-range acl-name Enabling PIM-SSM To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode. R1(conf)#do show run pim ! ip pim rp-address 10.11.12.
R1(conf)#do show run acl ! ip access-list standard map seq 5 permit host 239.0.0.2 ! ip access-list standard ssm seq 5 permit host 239.0.0.2 R1(conf)#ip igmp ssm-map map 10.11.5.2 R1(conf)#do show ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Mode Uptime 239.0.0.2 Vlan 300 IGMPv2-Compat 00:00:07 Member Ports: Gi 1/1 239.0.0.1 Vlan 400 INCLUDE 00:00:10 Never 10.11.4.
40 Port Monitoring Port monitoring is supported on the MXL switch platform. Mirroring is used for monitoring Ingress or Egress or both Ingress and Egress traffic on a specific port(s). This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
source TenGigabitEthernet 0/0 destination TenGigabitEthernet 0/2 direction both Dell (conf-mon-sess-2)# ! Configuring Port Monitoring To configure port monitoring, use the following commands. 1. Verify that the intended monitoring port has no configuration other than no shutdown, as shown in the following example. EXEC Privilege mode show interface 2. Create a monitoring session using the command monitor session from CONFIGURATION mode, as shown in the following example.
In the following example, the host and server are exchanging traffic which passes through the uplink interface 1/1. Port 1/1 is the monitored port and port 1/42 is the destination port, which is configured to only monitor traffic received on tengigabitethernet 1/1 (host-originated traffic). Figure 102. Port Monitoring Example Enabling Flow-Based Monitoring Flow-based monitoring is supported only on the S-Series platform.
Example of the flow-based enable Command To view an access-list that you applied to an interface, use the show ip accounting access-list command from EXEC Privilege mode. Dell(conf)#monitor session 0 Dell(conf-mon-sess-0)#flow-based enable Dell(conf)#ip access-list ext testflow Dell(config-ext-nacl)#seq 5 permit icmp any any count bytes monitor Dell(config-ext-nacl)#seq 10 permit ip 102.1.1.
Figure 103. Remote Port Mirroring Example Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
In the reserved L2 VLAN used for remote port mirroring: • MAC address learning in the reserved VLAN is automatically disabled. • The reserved VLAN for remote port mirroring can be automatically configured in intermediate switches by using GVRP. • There is no restriction on the VLAN IDs used for the reserved remote-mirroring VLAN. Valid VLAN IDs are from 2 to 4094. The default VLAN ID is not supported.
To display the currently configured source and destination sessions for remote port mirroring on a switch, enter the show monitor session command in EXEC Privilege mode.
Configuring the sample Source Remote Port Mirroring Dell(conf)#interface vlan 10 Dell(conf-if-vl-10)#mode remote-port-mirroring Dell(conf-if-vl-10)#tagged te 0/4 Dell(conf-if-vl-10)#exit Dell(conf)#monitor session 1 type rpm Dell(conf-mon-sess-1)#source te 0/5 destination remote-vlan 10 dir rx Dell(conf-mon-sess-1)#no disable Dell(conf-mon-sess-1)#exit Dell(conf)#inte vlan 100 Dell(conf-if-vl-100)#tagged te 0/7 Dell(conf-if-vl-100)#exit Dell(conf)#interface vlan 20 Dell(conf-if-vl-20)#mode remote-port-mirro
Configuring the sample Source Remote Port Mirroring Dell(conf)#inte te 0/0 Dell(conf-if-te-0/0)#switchport Dell(conf-if-te-0/0)#no shutdown Dell(conf-if-te-0/0)#exit Dell(conf)#interface te 0/1 Dell(conf-if-te-0/1)#switchport Dell(conf-if-te-0/1)#no shutdown Dell(conf-if-te-0/1)#exit Dell(conf)#interface te 0/2 Dell(conf-if-te-0/2)#switchport Dell(conf-if-te-0/2)#no shutdown Dell(conf-if-te-0/2)#exit Dell(conf)#inte vlan 10 Dell(conf-if-vl-10)#mode remote-port-mirroring Dell(conf-if-vl-10)#tagged te 0/0 Del
Configuring the Encapsulated Remote Port Mirroring The ERPM session copies traffic from the source ports/lags or source VLANs and forwards the traffic using routable GREencapsulated packets to the destination ip address specified in the session. Important: The steps to be followed for the ERPM Encapsulation : • Dell Networking OS supports ERPM Source session only. The Encapsulated packets terminate at the destination ip or at the analyzer.
The following example shows a sample configuration . Dell(conf)#monitor session 0 type erpm Dell(conf-mon-sess-0)#source tengigabitethernet 0/9 direction rx Dell(conf-mon-sess-0)#source port-channel 1 direction tx Dell(conf-mon-sess-0)#erpm source-ip 1.1.1.1 dest-ip 7.1.1.2 Dell(conf-mon-sess-0)#no disable Dell(conf)#monitor session 1 type erpm Dell(conf-mon-sess-1)#source vlan 11 direction rx Dell(conf-mon-sess-1)#erpm source-ip 5.1.1.1 dest-ip 3.1.1.
Figure 104. ERPM Packets If the sniffer does not support IP interface, a destination switch will be needed to receive the encapsulated ERPM packet and locally mirror the whole packet to the Sniffer or a Linux Server. Decapsulation of ERPM packets at the Destination IP/ Analyzer • In order to achieve the decapsulation of the original payload from the ERPM header. The below two methods are suggested : a.
– This script erpm.zip is available for download at the following location: http://en.community.dell.com/techcenter/ networking/m/force10_networking_scripts/20438882.aspx – Unzip the erpm.zip and copy the erpm.py file to the Linux server. – Run the python script using the following command: python erpm.py -i -o erpm.py : This is the script downloaded from the script store.
41 Private VLANs (PVLAN) Dell Networking OS supports private VLAN (PVLAN) feature. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell Networking OS Command Line Reference Guide. Private VLANs extend the Dell Networking operating system (OS) security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
– There are two types of secondary VLAN — community VLAN and isolated VLAN. PVLAN port types include: • Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports. • Host port — in the context of a private VLAN, is a port in a secondary VLAN: – The port must first be assigned that role in INTERFACE mode. – A port assigned the host role cannot be added to a regular VLAN.
EXEC mode or EXEC Privilege mode • show vlan private-vlan mapping Set the PVLAN mode of the selected port. INTERFACE switchport mode private-vlan {host | promiscuous | trunk} NOTE: Secondary VLANs are Layer 2 VLANs, so even if they are operationally down while primary VLANs are operationally up, Layer 3 traffic is still transmitted across secondary VLANs. NOTE: The outputs of the show arp and show vlan commands are augmented in the Dell Networking OS version 7.8.1.0 to provide PVLAN data.
Dell(conf-if-te-2/1)#switchport mode private-vlan promiscuous Dell(conf)#interface TenGigabitEthernet 2/2 Dell(conf-if-te-2/2)#switchport mode private-vlan host Dell(conf)#interface TenGigabitEthernet 2/3 Dell(conf-if-te-2/3)#switchport mode private-vlan trunk Dell(conf)#interface TenGigabitEthernet 2/2 Dell(conf-if-te-2/2)#switchport mode private-vlan host Creating a Primary VLAN A primary VLAN is a port-based VLAN that is specifically enabled as a primary VLAN to contain the promiscuous ports and PVLAN t
NOTE: If a promiscuous or host port is untagged in a VLAN and it receives a tagged packet in the same VLAN, the packet is NOT dropped. Creating a Community VLAN A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN. The ports in a community VLAN can talk to each other and with the promiscuous ports in the primary VLAN. 1. Access INTERFACE VLAN mode for the VLAN that you want to make a community VLAN. CONFIGURATION mode interface vlan vlan-id 2. Enable the VLAN.
Example of Configuring Private VLAN Members The following example shows the use of the PVLAN commands that are used in VLAN INTERFACE mode to configure the PVLAN member VLANs (primary, community, and isolated VLANs).
• TenGig 4/24 and TenGig 4/47 are configured as host ports and assigned to community VLAN 4002. The result is that: • The ports in community VLAN 4001 can communicate directly with each other and with promiscuous ports. • The ports in community VLAN 4002 can communicate directly with each other and with promiscuous ports. • The ports in isolated VLAN 4003 can only communicate with the promiscuous ports in the primary VLAN 4000.
Example of the show vlan private-vlan mapping Command S50-1#show vlan private-vlan mapping Private Vlan: Primary : 4000 Isolated : 4003 Community : 4001 NOTE: In the following example, notice the addition of the PVLAN codes – P, I, and C – in the left column.
42 Per-VLAN Spanning Tree Plus (PVST+) Dell Networking OS supports per-VLAN spanning tree plus (PVST+). Protocol Overview PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter. Figure 106.
Dell Networking Term IEEE Specification Multiple Spanning Tree Protocol (MSTP) 802 .1s Per-VLAN Spanning Tree Plus (PVST+) Third Party Implementation Information • The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w. • The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table). Other implementations use IEEE 802.1w costs as the default costs.
disable • Disable PVST+ on an interface, or remove a PVST+ parameter configuration. INTERFACE mode no spanning-tree pvst Example of Viewing PVST+ Configuration To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
• Assign a bridge priority. PROTOCOL PVST mode vlan bridge-priority The range is from 0 to 61440. The default is 32768. Example of the show spanning-tree pvst vlan Command To display the PVST+ forwarding topology, use the show spanning-tree pvst [vlan vlan-id] command from EXEC Privilege mode. Dell(conf-if-te-5/41)#do show spanning-tree pvst vlan 2 VLAN 2 Root Identifier has priority 32768, Address 001e.c9f1.
PROTOCOL PVST mode vlan forward-delay The range is from 4 to 30. • The default is 15 seconds. Change the hello-time parameter. PROTOCOL PVST mode vlan hello-time NOTE: With large configurations (especially those configurations with more ports), Dell Networking recommends increasing the hello-time. The range is from 1 to 10. • The default is 2 seconds. Change the max-age parameter. PROTOCOL PVST mode vlan max-age The range is from 6 to 40. The default is 20 seconds.
To change the port cost or port priority of an interface, use the following commands. • Change the port cost of an interface. INTERFACE mode spanning-tree pvst vlan cost. The range is from 0 to 200000. • Refer to the table for the default values. Change the port priority of an interface. INTERFACE mode spanning-tree pvst vlan priority. The range is from 0 to 240, in increments of 16. The default is 128.
– Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode). – Disabling global spanning tree (the no spanning-tree command in CONFIGURATION mode). PVST+ in Multi-Vendor Networks Some non-Dell Networking systems which have hybrid ports participating in PVST+ transmit two kinds of BPDUs: an 802.1D BPDU and an untagged PVST+ BPDU. Dell Networking systems do not expect PVST+ BPDU (tagged or untagged) on an untagged port.
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.73f7 We are the root of Vlan 5 Configured hello time 2, max age 20, forward delay 15 PVST+ Sample Configurations The following examples provide the running configurations for the topology shown in the previous illustration.
! protocol spanning-tree pvst no disable vlan 200 bridge-priority 4096 interface TenGigabitEthernet 3/12 no ip address switchport no shutdown ! interface TenGigabitEthernet 3/22 no ip address switchport no shutdown ! interface Vlan 100 no ip address tagged TenGigabitEthernet 3/12,22 no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 3/12,22 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 3/12,22 no shutdown ! protocol spanning-tree pvst no disable vlan 300 brid
edge-port bpdu filter default Figure 109.
43 Quality of Service (QoS) Dell Networking OS supports quality of service (QoS). Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. The switch traffic has four data queues per port. All queues are serviced using the Weighted Round Robin scheduling algorithm. You can only manage prioritize queuing on egress.
Feature Direction Create Output Policy Maps Egress Specify an Aggregate QoS Policy Egress QoS Rate Adjustment Strict-Priority Queueing Weighted Random Early Detection Egress Create WRED Profiles Egress Figure 110. Dell Networking QoS Architecture Implementation Information The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Port-Based QoS Configurations You can configure the following QoS features on an interface. NOTE: You cannot simultaneously use egress rate shaping and ingress rate policing on the same virtual local area network (VLAN). • • • Setting dot1p Priorities for Incoming Traffic Configuring Port-Based Rate Policing Configuring Port-Based Rate Shaping Setting dot1p Priorities for Incoming Traffic Change the priority of incoming traffic on the interface using the dot1p-priority command from INTERFACE mode.
NOTE: You cannot configure service-policy input and service-class dynamic dot1p on the same interface. • Honor dot1p priorities on ingress traffic. INTERFACE mode service-class dynamic dot1p Example of Configuring an Interface to Honor dot1p Priorities on Ingress Traffic Dell#config t Dell(conf)#interface tengigabitethernet 1/0 Dell(conf-if)#service-class dynamic dot1p Dell(conf-if)#end Dell# Priority-Tagged Frames on the Default VLAN Priority-tagged frames are 802.1Q tagged frames with VLAN ID 0.
Example of rate—shape Command Dell#config Dell(conf)#interface tengigabitethernet 1/0 Dell(conf-if)#rate shape 500 50 Dell(conf-if)#end Dell# Guidelines for Configuring ECN for Classifying and Color-Marking Packets Keep the following points in mind while configuring the marking and mapping of incoming packets using ECN fields in IPv4 headers: • Currently Dell Networking OS supports matching only the following TCP flags: – ACK – FIN – SYN – PSH – RST – URG In the existing software, ECE/CWR TCP flag qualif
Classifying Incoming Packets Using ECN and Color-Marking Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded. If you configure ECN for WRED, devices employ this functionality of ECN to mark the packets and reduce the rate of sending packets in a congested, heavily-loaded network.
• ACK • FIN • SYN • PSH • RST • URG You can now use the ‘ecn’ match qualifier along with the above TCP flag for classification.
ip access-list standard dscp_50_non_ecn seq 5 permit any dscp 50 ecn 0 ! ip access-list standard dscp_40_non_ecn seq 5 permit any dscp 40 ecn 0 ! class-map match-any class_dscp_40 match ip access-group dscp_40_non_ecn set-color yellow match ip access-group dscp_40 ! class-map match-any class_dscp_50 match ip access-group dscp_50_non_ecn set-color yellow match ip access-group dscp_50 ! policy-map-input pmap_dscp_40_50 service-queue 2 class-map class_dscp_40 service-queue 3 class-map class_dscp_50 Approach wi
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 111. Constructing Policy-Based QoS Configurations DSCP Color Maps This section describes how to configure color maps and how to display the color map and color map configuration.
The default setting for each DSCP value (0-63) is green (low drop precedence). The DSCP color map allows you to set the number of specific DSCP values to yellow or red. Traffic marked as yellow delivers traffic to the egress interface, which will either transmit or drop the packet based on configured queuing behavior. Traffic marked as red (high drop precedence) is dropped. Important Points to Remember • All DSCP values that are not specified as yellow or red are colored green (low drop precedence).
Display a specific DSCP color map. Dell# show qos dscp-color-map mapTWO Dscp-color-map mapTWO yellow 16,55 Displaying a DSCP Color Policy Configuration To display the DSCP color policy configuration for one or all interfaces, use the show qos dscp-color-policy {summary [interface] | detail {interface}} command in EXEC mode. summary: Displays summary information about a color policy on one or more interfaces.
POLICY MAP mode service-queue Example of Creating a Layer 3 Class Map Dell(conf)#ip access-list standard acl1 Dell(conf-std-nacl)#permit 20.0.0.0/8 Dell(conf-std-nacl)#exit Dell(conf)#ip access-list standard acl2 Dell(conf-std-nacl)#permit 20.1.1.
POLICY MAP mode service-queue Determining the Order in Which ACLs are Used to Classify Traffic When you link class-maps to queues using the service-queue command, the system matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities). For example, as described in the previous example, class-map cmap2 is matched against ingress packets before cmap1. ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.
EXEC Privilege mode show qos class-map Examples of Traffic Classifications The following example shows incorrect traffic classifications.
Create a QoS Policy There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. There are two types of input QoS policies: Layer 3 and Layer 2. Output QoS policies regulate egress traffic. The regulation mechanisms for output QoS policies are bandwidth percentage, scheduler strict, rate shaping, and WRED.
Setting a dot1p Value for Egress Packets To set a dot1p value for egress packets, use the following command. • Set a dot1p value for egress packets. QOS-POLICY-IN mode set mac-dot1p Creating an Output QoS Policy To create an output QoS policy, use the following commands. 1. Create an output QoS policy. CONFIGURATION mode qos-policy-output 2.
Setting DSCP Values for Egress Packets Based on Flow Match-any Layer 3 flows may have several match criteria. All flows that match at least one of the match criteria are mapped to the same queue because they are in the same class map. Setting a DSCP value from QOS-POLICY-IN mode (refer to Setting a DSCP Value for Egress Packets) assigns the same DSCP value to all of the matching flows in the class-map. The flow-based DSCP marking feature allows you to assign different DSCP to each match criteria.
Honoring dot1p Values on Ingress Packets Enabling Fall Back to Trust Diffserve or dot1p 3. Apply the input policy map to an interface. Applying a Class-Map or Input QoS Policy to a Queue To apply a class-map or input QoS policy to a queue, use the following command. • Assign an input QoS policy to a queue. POLICY-MAP-IN mode service-queue Applying an Input QoS Policy to an Input Policy Map To apply an input QoS policy to an input policy map, use the following command.
Table 57. Default dot1p to Queue Mapping dot1p Queue ID 0 0 1 0 2 0 3 1 4 2 5 3 6 3 7 3 The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN. • Enable the trust dot1p feature.
2. Match packets against match-any qos-AF3. If a match exists, queue the packet as AF3 in Queue 3, and if no match exists, go to the next class map. 3. Match packets against match-all qos-BE1. If a match exists, queue the packet as BE1, and if no match exists, queue the packets to the default queue, Queue 0. 4. You can optionally classify packets using their DSCP marking, instead of placing packets in Queue 0, if no match occurs.
Specify the keyword layer2 if the policy map you are applying a Layer 2 policy map; in this case, INTERFACE mode must be in Switchport mode. Creating Output Policy Maps 1. Create an output policy map. CONFIGURATION mode policy-map-output 2. After you create an output policy map, do one or more of the following: Applying an Output QoS Policy to a Queue Specifying an Aggregate QoS Policy Applying an Output Policy Map to an Interface 3. Apply the policy map to an interface.
• Payload: (variable) • Cyclic redundancy check (CRC): 4 bytes • Inter-frame gap (IFG): (variable) You can optionally include overhead fields in rate metering calculations by enabling QoS rate adjustment. QoS rate adjustment is disabled by default, and no qos-rate-adjust is listed in the running-configuration • Include a specified number of bytes of packet overhead to include in rate limiting, policing, and shaping calculations.
Figure 112. Packet Drop Rate for WRED You can create a custom WRED profile or use one of the five pre-defined profiles. Table 58. Pre-Defined WRED Profiles Default Profile Name Minimum Threshold Maximum Threshold Maximum Drop Rate wred_drop 0 0 100 wred_teng_y 467 4671 100 wred_teng_g 467 4671 50 wred_fortyg_y 467 4671 50 wred_fortyg_g 467 4671 25 Creating WRED Profiles To create WRED profiles, use the following commands. 1. Create a WRED profile.
• If you do not configure the system to honor DSCP values on ingress (refer to Honoring DSCP Values on Ingress Packets), all traffic defaults to green drop precedence. • Assign a WRED profile to either yellow or green traffic. QOS-POLICY-OUT mode wred Displaying Default and Configured WRED Profiles To display the default and configured WRED profiles, use the following command. • Display default and configured WRED profiles and their threshold values.
Queue# Q# Type TxPkts TxBytes DroppedPkts DroppedBytes --------------------------------------------------------------------------------0 UCAST 0 0 0 0 1 UCAST 0 0 0 0 2 UCAST 0 0 0 0 3 UCAST 0 0 0 0 4 UCAST 0 0 0 0 5 UCAST 0 0 0 0 6 UCAST 0 0 0 0 7 UCAST 0 0 0 0 8 UCAST 204 13056 0 0 9 MCAST 0 0 0 0 10 MCAST 0 0 0 0 11 MCAST 0 0 0 0 12 MCAST 0 0 0 0 13 MCAST 0 0 0 0 14 MCAST 0 0 0 0 15 MCAST 0 0 0 0 16 MCAST 0 0 0 0 17 MCAST 0 0 0 0 Dell# Classifying Layer 2 Traffic on Layer 3 Interfaces To process Layer 3
in a Layer 2 class map and the Layer 3 attribute, DSCP value, in a Layer 3 class map. However, it was not possible to configure both dot1p or MAC VLAN, and DSCP values in the same Layer 2 or Layer 3 class map. All class maps are Layer 3 by default. You can now configure a Layer 3 class map to differentiate traffic according to the IP VLAN value and the DSCP value.
44 Routing Information Protocol (RIP) The routing information protocol (RIP) is based on a distance-vector algorithm and tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter. Protocol Overview RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2). These versions are documented in RFCs 1058 and 2453.
Feature Default • Transmit RIPv1 RIP timers • • • • update timer = 30 seconds invalid timer = 180 seconds holddown timer = 180 seconds flush timer = 240 seconds Auto summarization Enabled ECMP paths supported 16 Configuration Information By default, RIP is disabled in the system. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
The Dell Networking OS default is to send RIPv1 and to receive RIPv1 and RIPv2. To change the RIP version globally, use the version command in ROUTER RIP mode. To view the global RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode. Dell(conf-router_rip)#show config ! router rip network 10.0.0.0 Dell(conf-router_rip)# When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
To control the source of RIP route information, use the following commands. • Define a specific router to exchange RIP information between it and the Dell Networking system. ROUTER RIP mode neighbor ip-address • You can use this command multiple times to exchange RIP information with as many RIP networks as you want. Disable a specific interface from sending or receiving RIP routing information.
distribute-list prefix-list-name out To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode. Setting the Send and Receive Version To change the RIP version globally or on an interface in the system, use the following command. To specify the RIP version, use the version command in ROUTER RIP mode.
To configure an interface to receive or send both versions of RIP, include 1 and 2 in the command syntax. The command syntax for sending both RIPv1 and RIPv2 and receiving only RIPv2 is shown in the following example. Dell(conf-if)#ip rip send version 1 2 Dell(conf-if)#ip rip receive version 2 The following example of the show ip protocols command confirms that both versions are sent out that interface.
NOTE: If you enable the ip split-horizon command on an interface, the system does not advertise the summarized address. Controlling Route Metrics As a distance-vector protocol, RIP uses hop counts to determine the best route, but sometimes the shortest hop count is a route over the lowest-speed link. To manipulate RIP routes so that the routing protocol prefers a different route, manipulate the route by using the offset command.
RIP Configuration Example The examples in this section show the command sequence to configure RIPv2 on the two routers shown in the following illustration — Core 2 and Core 3. The host prompts used in the following example reflect those names. The examples are divided into the following groups of command sequences: • RIP Configuration on Core2 • Core 2 RIP Output • RIP Configuration on Core3 • Core 3 RIP Output • RIP Configuration Summary Figure 113.
10.11.30.0/24 [120/1] via 10.11.20.1, 00:00:03, TenGigabitEthernet 2/31 10.300.10.0/24 directly connected,TenGigabitEthernet 2/42 10.200.10.0/24 directly connected,TenGigabitEthernet 2/41 10.11.20.0/24 directly connected,TenGigabitEthernet 2/31 10.11.10.0/24 directly connected,TenGigabitEthernet 2/11 10.0.0.0/8 auto-summary 192.168.1.0/24 [120/1] via 10.11.20.1, 00:00:03, TenGigabitEthernet 2/31 192.168.1.0/24 auto-summary 192.168.2.0/24 [120/1] via 10.11.20.1, 00:00:03, TenGigabitEthernet 2/31 192.168.2.
RIP Configuration on Core3 The following example shows how to configure RIPv2 on a host named Core3. Example of Configuring RIPv2 on Core3 Core3(conf-if-gi-3/21)#router rip Core3(conf-router_rip)#version 2 Core3(conf-router_rip)#network 192.168.1.0 Core3(conf-router_rip)#network 192.168.2.0 Core3(conf-router_rip)#network 10.11.30.0 Core3(conf-router_rip)#network 10.11.20.0 Core3(conf-router_rip)#show config ! router rip network 10.0.0.0 network 192.168.1.0 network 192.168.2.
C 192.168.1.0/24 Direct, TenGig C 192.168.2.
ip address 10.11.20.1/24 no shutdown ! interface TenGigabitEthernet 3/43 ip address 192.168.1.1/24 no shutdown ! interface TenGigabitEthernet 3/44 ip address 192.168.2.1/24 no shutdown ! router rip version 2 network 10.11.20.0 network 10.11.30.0 network 192.168.1.0 network 192.168.2.
45 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
[no] rmon alarm number variable interval {delta | absolute} rising-threshold [value event-number] falling-threshold value event-number [owner string] OR [no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string] Configure the alarm using the following optional parameters: – number: alarm number, an integer from 1 to 65,535, the value must be unique in the RMON Alarm Table.
– description string: (Optional) specifies a description of the event, which is identical to the event description in the eventTable of the RMON MIB. The default is a null-terminated string. – owner string: (Optional) owner of this event, which is identical to the eventOwner in the eventTable of the RMON MIB. Default is a null-terminated string. Example of the rmon event Command To disable RMON on the interface, use the no form of this command.
– interval: (Optional) specifies the number of seconds in each polling cycle. – seconds: (Optional) the number of seconds in each polling cycle. The value is ranged from 5 to 3,600 (Seconds). The default is 1,800 (as defined in RFC-2819). Example of the rmon collection history Command To remove a specified RMON history group of statistics collection, use the no form of this command.
46 Rapid Spanning Tree Protocol (RSTP) Dell Networking OS supports rapid spanning tree protocol (RSTP). Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). The Dell operating system (OS) supports three other variations of spanning tree, as shown in the following table. Table 60.
• Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task, avoid using the range command. When using the range command, Dell Networking recommends limiting the range to five ports and 40 VLANs. Configuring Interfaces for Layer 2 Mode To configure and enable interfaces in Layer 2 mode, use the following commands. All interfaces on all bridges that participate in Rapid Spanning Tree must be in Layer 2 and enabled. 1.
Example of Verifying that RSTP is Enabled Dell(conf-rstp)#show config ! protocol spanning-tree rstp no disable Dell(conf-rstp)# Figure 114. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.378, designated path cost 0 Number of transitions to forwarding state 1 BPDU : sent 121, received 2 The port is not in the Edge port mode, bpdu filter is disabled Port 379 (TenGigabitethernet 2/3) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.379 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.
Modifying Global Parameters You can modify RSTP parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in the Rapid Spanning Tree group. • • • Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state. Hello-time — the time interval in which the bridge sends RSTP BPDUs.
The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode. Enable BPDU Filtering Globally The enabling of BPDU Filtering stops transmitting of BPDUs on the operational port fast enabled ports by default. When BPDUs are received, the spanning tree is automatically prepared. By default global bpdu filtering is disabled.
• Change the port priority of an interface. INTERFACE mode spanning-tree rstp priority priority-value The range is from 0 to 240. The default is 128. To view the current values for interface parameters, use the show spanning-tree rstp command from EXEC privilege mode. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner.
shutdown Dell(conf-if-te-2/0)# Influencing RSTP Root Selection RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority or designate it as the primary or secondary root. PROTOCOL SPANNING TREE RSTP mode bridge-priority priority-value – priority-value The range is from 0 to 65535.
NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second. The standard minimum hello time in seconds is 1 second, which is encoded as 256. Millisecond. hello times are encoded using values less than 256; the millisecond hello time equals (x/1000)*256. When you configure millisecond hellos, the default hello interval of 2 seconds is still used for edge ports; the millisecond hello interval is not used.
47 Security Security features are supported on the MXL switch platform. This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide. AAA Accounting Accounting, authentication, and authorization (AAA) accounting is part of the AAA security model.
– system: sends accounting information of any other AAA configuration. – default | name: enter the name of a list of accounting methods. – start-stop: use for more accounting information, to send a start-accounting notice at the beginning of the requested event and a stop-accounting notice at the end. – wait-start: ensures that the TACACS+ security server acknowledges the start notice before granting the user's process request.
Monitoring AAA Accounting The Dell Networking OS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command. • Step through all active sessions and print all the accounting records for the actively accounted functions.
Configuring AAA Authentication Login Methods To configure an authentication method and method list, use the following commands. Dell Networking OS Behavior: If you use a method list on the console port in which RADIUS or TACACS is the last authentication method, and the server is not reachable, the system allows access even though the username and password credentials cannot be verified.
If you do not set the default list, only the local enable is checked. This setting has the same effect as issuing an aaa authentication enable default enable command. Enabling AAA Authentication — RADIUS To enable authentication from the RADIUS server, and use TACACS as a backup, use the following commands. 1. Enable RADIUS and set up TACACS as backup. CONFIGURATION mode aaa authentication enable default radius tacacs 2. Establish a host address and password. CONFIGURATION mode radius-server host x.x.x.
Privilege Levels Overview Limiting access to the system is one method of protecting the system and your network. However, at times, you might need to allow others access to the router and you can limit that access to a subset of commands. In the Dell Networking OS, you can configure a privilege level for users who need limited access to the system. Every command in the Dell Networking OS is assigned a privilege level of 0, 1, or 15. You can configure up to 16 privilege levels.
– access-class access-list-name: Restrict access by access-class. – nopassword: Require password for the user to login. – encryption-type: Enter 0 for plain text or 7 for encrypted text. – password: Enter a string. Specify the password for the user. – privilege level: The range is from 0 to 15. – secret: Specify the secret for the user. To view username, use the show users command in EXEC Privilege mode.
2. • encryption-type: enter 0 for plain text or 7 for encrypted text. • password: enter a text string. • secret: specify the secret for the user. Configure a password for privilege level. CONFIGURATION mode enable password [level level] [encryption-mode] password Configure the optional and required parameters: • level level: specify a level from 0 to 15. Level 15 includes all levels. • encryption-type: enter 0 for plain text or 7 for encrypted text.
username john password 0 john privilege 8 ! The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8. In EXEC Privilege mode, john can access only the commands listed. In CONFIGURATION mode, john can access only the snmp-server commands. apollo% telnet 172.31.1.53 Trying 172.31.1.53... Connected to 172.31.1.53. Escape character is '^]'.
• Move to a lower privilege level. EXEC Privilege mode disable level-number – level-number: The level-number you wish to set. If you enter disable without a level-number, your security level is 1. RADIUS Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol. This protocol transmits authentication, authorization, and configuration information between a central RADIUS server and a RADIUS client (the Dell Networking system).
ACL Configuration Information The RADIUS server can specify an ACL. If an ACL is configured on the RADIUS server, and if that ACL is present, the user may be allowed access based on that ACL. If the ACL is absent, authorization fails, and a message is logged indicating this. RADIUS can specify an ACL for the user if both of the following are true: • • If an ACL is absent. If there is a very long delay for an entry, or a denied entry because of an ACL, and a message is logged.
• Enter a text string (up to 16 characters long) as the name of the method list you wish to use with the RADIUS authentication method. CONFIGURATION mode • aaa authentication login method-list-name radius Create a method list with RADIUS and TACACS+ as authorization methods. CONFIGURATION mode aaa authorization exec {method-list-name | default} radius tacacs+ Typical order of methods: RADIUS, TACACS+, Local, None.
If you want to change an optional parameter setting for a specific host, use the radius-server host command. To change the global communication settings to all RADIUS server hosts, refer to Setting Global Communication Parameters for all RADIUS Server Hosts. To view the RADIUS configuration, use the show running-config radius command in EXEC Privilege mode. To delete a RADIUS server host, use the no radius-server host {hostname | ip-address} command.
TACACS+ The Dell Networking OS supports terminal access controller access control system (TACACS+) client, including support for login authentication. Configuration Task List for TACACS+ The following list includes the configuration task for TACACS+ functions.
authentication method. In the following example, the TACACS+ is incorrect, but the user is still authenticated by the secondary method. First bold line: Server key purposely changed to incorrect value. Second bold line: User authenticated using the secondary method.
Example of Specifying a TACACS+ Server Host Dell# Dell(conf)# Dell(conf)#ip access-list standard deny10 Dell(conf-std-nacl)#permit 10.0.0.0/8 Dell(conf-std-nacl)#deny any Dell(conf)# Dell(conf)#aaa authentication login tacacsmethod tacacs+ Dell(conf)#aaa authentication exec tacacsauthorization tacacs+ Dell(conf)#tacacs-server host 25.1.1.
If rejected by the AAA server, the command is not added to the running config, and a message displays: 04:07:48: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure Command authorization failed for user (denyall) on vty0 ( 10.11.9.209 ) Protection from TCP Tiny and Overlapping Fragment Attacks Tiny and overlapping fragment attack is a class of attack where configured ACL entries — denying TCP port-specific traffic — is bypassed and traffic is sent to its destination although denied by the ACL.
To disable SSH server functions, use the no ip ssh server enable command. Using SCP with SSH to Copy a Software Image To use secure copy (SCP) to copy a software image through an SSH connection from one switch to another, use the following commands. 1. On Chassis One, set the SSH port number (port 22 by default). CONFIGURATION mode ip ssh server port number 2. On Chassis One, enable SSH. CONFIGURATION mode ip ssh server enable 3. On Chassis Two, invoke SCP. CONFIGURATION mode copy scp: flash: 4.
zeroized (written over with zeroes) and the NVRAM location where the keys are stored for persistence across reboots is also zeroized. To remove the generated RSA host keys and zeroize the key storage location, use the crypto key zeroize rsa command in CONFIGURATION mode. Dell(conf)#crypto key zeroize rsa Configuring When to Re-generate an SSH Key You can configure the time-based or volume-based rekey threshold for an SSH session.
The following example shows you how to configure a key exchange algorithm. Dell(conf)# ip ssh server sha1 kex diffie-hellman-group-exchange-sha1 diffie-hellman-group14- Configuring the HMAC Algorithm for the SSH Server To configure the HMAC algorithm for the SSH server, use the ip ssh server mac hmac-algorithm command in CONFIGURATION mode. hmac-algorithm: Enter a space-delimited list of keyed-hash message authentication code (HMAC) algorithms supported by the SSH server.
• hmac-sha2-256 • hmac-sha1 • hmac-sha1-96 • hmac-md5 • hmac-md5-96 When FIPS is enabled, the default HMAC algorithm is hmac-sha2-256, hmac-sha1, hmac-sha1-96. Example of Configuring a HMAC Algorithm The following example shows you how to configure a HMAC algorithm list. Dell(conf)# ip ssh mac hmac-sha1-96 Configuring the SSH Server Cipher List To configure the cipher list supported by the SSH server, use the ip ssh server cipher cipher-list command in CONFIGURATION mode.
• aes256-ctr The default cipher list is in the given order: aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc. Example of Configuring a Cipher List The following example shows you how to configure a cipher list. Dell(conf)#ip ssh cipher aes128-ctr aes128-cbc 3des-cbc Configuring the SSH Client Cipher List To configure the cipher list supported by the SSH client, use the ip ssh cipher cipher-list command in CONFIGURATION mode.
• Enable SSH password authentication. CONFIGURATION mode ip ssh password-authentication enable Example of Enabling SSH Password Authentication To view your SSH configuration, use the show ip ssh command from EXEC Privilege mode. Dell(conf)#ip ssh server enable % Please wait while SSH Daemon initializes ... done. Dell(conf)#ip ssh password-authentication enable Dell#sh ip ssh SSH server : enabled. Password Authentication : enabled. Hostbased Authentication : disabled. RSA Authentication : disabled.
3. Create a list of IP addresses and usernames that are permitted to SSH in a file called rhosts. Refer to the second example. 4. Copy the file shosts and rhosts to the Dell Networking system. 5. Disable password authentication and RSA authentication, if configured CONFIGURATION mode or EXEC Privilege mode no ip ssh password-authentication or no ip ssh rsa-authentication 6. Enable host-based authentication. CONFIGURATION mode ip ssh hostbased-authentication enable 7.
-p -v SSH server port option (default 22) SSH protocol version Troubleshooting SSH To troubleshoot SSH, use the following information. You may not bind id_rsa.pub to RSA authentication while logged in via the console. In this case, this message displays:%Error: No username set for this term. Enable host-based authentication on the server (Dell Networking system) and the client (Unix machine). The following message appears if you attempt to log in via SSH and host-based is disabled on the client.
You can assign line authentication on a per-VTY basis; it is a simple password authentication, using an access-class as authorization. Configure local authentication globally and configure access classes on a per-user basis. The Dell Networking OS can assign different access classes to different users by username. Until users attempt to log in, the system does not know if they will be assigned a VTY line.
Example of Configuring VTY Authorization Based on MAC ACL for the Line (Per MAC Address) Dell(conf)#mac access-list standard sourcemac Dell(config-std-mac)#permit 00:00:5e:00:01:01 Dell(config-std-mac)#deny any Dell(conf)# Dell(conf)#line vty 0 9 Dell(config-line-vty)#access-class sourcemac Dell(config-line-vty)#end Role-Based Access Control With Role-Based Access Control (RBAC), access and authorization is controlled based on a user’s role.
can modify the permissions specific to that command and/or command option. For more information, see Modifying Command Permissions for Roles . NOTE: When you enter a user role, you have already been authenticated and authorized. You do not need to enter an enable password because you will be automatically placed in EXEC Priv mode. For greater security, the ability to view event, audit, and security system log is associated with user roles. For information about these topics, see Audit and Security Logs.
line console 0 login authentication test authorization exec test exec-timeout 0 0 line vty 0 login authentication test authorization exec test line vty 1 login authentication test authorization exec test To enable role-based only AAA authorization: Dell(conf)#aaa authorization role-only System-Defined RBAC User Roles By default, the Dell Networking OS provides 4 system defined user roles. You can create up to 8 additional user roles. NOTE: You cannot delete any system defined roles.
role’s command permissions from scratch. You then restrict commands or add commands to that role. For more information about this topic, see Modifying Command Permissions for Roles. NOTE: You can change user role permissions on system pre-defined user roles or user-defined user roles. Important Points to Remember Consider the following when creating a user role: • Only the system administrator and user-defined roles inherited from the system administrator can create roles and user names.
If you add or delete command permissions using the role command, those changes only apply to the specific user role. They do not apply to other roles that have inheritance from that role. Authorization and accounting only apply to the roles specified in that configuration. When you modify a command for a role, you specify the role, the mode, and whether you want to restrict access using the deleterole keyword or grant access using the addrole keyword followed by the command you are controlling access.
secadmin sysadmin Exec Config Interface Line Exec Config Interface Line Router IP RouteMap Protocol MAC Example: Remove Security Administrator Access to Line Mode. The following example removes the secadmin access to LINE mode and then verifies that the security administrator can no longer access LINE mode, using the show role mode configure line command in EXEC Privilege mode.
AAA Authentication and Authorization for Roles This section describes how to configure AAA Authentication and Authorization for Roles.
The following configuration example applies a method list: TACACS+, RADIUS and local: ! radius-server host 10.16.150.203 key ! tacacs-server host 10.16.150.203 key ! aaa authentication login ucraaa tacacs+ radius local aaa authorization exec ucraaa tacacs+ radius local aaa accounting commands role netadmin ucraaa start-stop tacacs+ ! The following configuration example applies a method list other than default to each VTY line.
“attribute” and “value” are an attribute-value (AV) pair defined in the Dell Network OS TACACS+ specification, and “sep” is “=”. These attributes allow the full set of features available for TACACS+ authorization and are authorized with the same attributes for RADIUS. Example for Configuring a VSA Attribute for a Privilege Level 15 The following example configures an AV pair which allows a user to login from a network access server with a privilege level of 15, to have access to EXEC commands.
The following example applies the accounting default method to the user role secadmin (security administrator). Dell(conf-vty-0)# accounting commands role secadmin default Displaying Active Accounting Sessions for Roles To display active accounting sessions for each user role, use the show accounting command in EXEC mode.
Dell##show role mode configure password-attributes Role access: secadmin,sysadmin Dell#show role mode configure interface Role access: netadmin, sysadmin Dell#show role mode configure line Role access: netadmin,sysadmin Displaying Information About Users Logged into the Switch To display information on all users logged into the switch, using the show users command in EXEC Privilege mode. The output displays privilege level and/or user role.
48 Service Provider Bridging Dell Networking OS supports service provider bridging. VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. VLAN stacking enables service providers to use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. Using only 802.
Figure 116. VLAN Stacking in a Service Provider Network Important Points to Remember • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN. • Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN. Configure VLAN Stacking Configuring VLAN-Stacking is a three-step process. 1.
• Debugging VLAN Stacking • VLAN Stacking in Multi-Vendor Networks Creating Access and Trunk Ports To create access and trunk ports, use the following commands. • Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN. • Trunk port — a port on a service provider bridge that connects to another service provider bridge and is a member of multiple service provider VLANs.
NUM * 1 2 3 4 5 6 Status Active Inactive Inactive Inactive Inactive Active Dell# Q Ports U Gi 13/0-5,18 M Po1(Gi 13/14-15) M Gi 13/13 Configuring the Protocol Type Value for the Outer VLAN Tag The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command. • Select a value for the S-Tag TPID. CONFIGURATION mode vlan-stack protocol-type The default is 9100.
Dell(conf-if-vl-103)#vlan-stack compatible Dell(conf-if-vl-103-stack)#member gigabitethernet 0/1 Dell(conf-if-vl-103-stack)#do show vlan Codes: Q: U x G - * - Default VLAN, G - GVRP VLANs Untagged, T - Tagged Dot1x untagged, X - Dot1x tagged GVRP tagged, M - Vlan-stack NUM * 1 100 101 103 Status Inactive Inactive Inactive Inactive Description Q Ports U Gi 0/1 T Gi 0/1 M Gi 0/1 Debugging VLAN Stacking To debug VLAN stacking, use the following command.
You can configure the first 8 bits of the TPID using the vlan-stack protocol-type command. The TPID is global. Ingress frames that do not match the system TPID are treated as untagged. This rule applies for both the outer tag TPID of a double-tagged frame and the TPID of a single-tagged frame. For example, if you configure TPID 0x9100, the system treats 0x8100 and untagged traffic the same and maps both types to the default VLAN, as shown by the frame originating from Building C.
Figure 118.
Figure 119. Single and Double-Tag TPID Mismatch Table 63. Behaviors for Mismatched TPID Network Position Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
Network Position Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
Precedence Description Green High-priority packets that are the least preferred to be dropped. Yellow Lower-priority packets that are treated as best-effort. Red Lowest-priority packets that are always dropped (regardless of congestion status). • Honor the incoming DEI value by mapping it to the Dell Networking OS drop precedence. INTERFACE mode dei honor {0 | 1} {green | red | yellow} You may enter the command once for 0 and once for 1. Packets with an unmapped DEI value are colored green.
Figure 120. Statically and Dynamically Assigned dot1p for VLAN Stacking When configuring Dynamic Mode CoS, you have two options: • Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. In this case, you must have other dot1p QoS configurations; this option is classic dot1p marking. • Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p.
qos-policy-input 3 layer2 rate-police 30 ! interface GigabitEthernet 0/21 no ip address switchport vlan-stack access vlan-stack dot1p-mapping c-tag-dot1p 0-3 sp-tag-dot1p 7 service-policy input in layer2 no shutdown Mapping C-Tag to S-Tag dot1p Values To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly, use the following commands. 1. Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
Figure 121. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 122. VLAN Stacking with L2PT Implementation Information • • • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. No protocol packets are tunneled when you enable VLAN stacking. L2PT requires the default CAM profile. Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT. EXEC Privilege mode show cam-profile 2.
3. Tunnel BPDUs the VLAN. INTERFACE VLAN mode protocol-tunnel stp Specifying a Destination MAC Address for BPDUs By default, the Dell Networking OS uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command. • Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. 802.
49 sFlow Dell Networking OS supports configuring sFlow. Overview The Dell Networking operating system (OS) supports sFlow version 5. sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers. sFlow uses two types of sampling: • Statistical packet-based sampling of switched or routed packet flows.
• 802.1P source priority field is not filled in extended switch element in sFlow datagram. • Only Destination and Destination Peer AS number are packed in the dst-as-path field in extended gateway element. • If the packet being sampled is redirected using policy-based routing (PBR), the sFlow datagram may contain incorrect extended gateway/router information. • The source virtual local area network (VLAN) field in the extended switch element is not packed in case of routed packet.
Counter polling interval Extended max header size Samples rcvd from h/w :20 :256 :0 Example of the show sflow command The bold line shows the sFlow default maximum header size: Dell#show sflow sFlow services are enabled Egress Management Interface sFlow services are disabled Global default sampling rate: 32768 Global default counter polling interval: 20 Global default extended maximum header size: 128 bytes Global extended information enabled: none 1 collectors configured Collector IP addr: 100.1.1.
• Displaying Show sFlow on an Interface • Displaying Show sFlow on a Stack Unit Displaying Show sFlow Global To view sFlow statistics, use the following command. • Display sFlow configuration information and statistics. EXEC mode show sflow Example of Viewing sFlow Configuration (Global) The first bold line indicates sFlow is globally enabled.
UDP packets dropped Dell# :0 Configuring Specify Collectors The sflow collector command allows identification of sFlow collectors to which sFlow datagrams are forwarded. You can specify up to two sFlow collectors. If you specify two collectors, the samples are sent to both. • Identify sFlow collectors to which sFlow datagrams are forwarded. CONFIGURATION mode sflow collector ip-address agent-addr ip-address [number [max-datagram-size number] ] | [max-datagram-size number ] The default UDP port is 6343.
Sub-Sampling The sFlow sample rate is not the frequency of sampling, but the number of packets that are skipped before the next sample is taken. Therefore, the sFlow agent uses sub-sampling to create multiple sampling rates per port-pipe. To achieve different sampling rates for different ports in a port-pipe, the sFlow agent takes the lowest numerical value of the sampling rate of all the ports within the portpipe and configures all the ports to this value.
• By default packing of any of the extended information in the datagram is disabled. Confirm that extended information packing is enabled. show sflow Example of Verifying Extended sFlow is Enabled Example of Verifying Extended sFlow Disabled The bold line shows that extended sFlow settings are enabled on all three types.
50 Simple Network Management Protocol (SNMP) Simple network management protocol (SNMP) is supported on the MXL switch platform. Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB).
• Manage VLANs using SNMP • Enabling and Disabling a Port using SNMP • Fetch Dynamic MAC Entries using SNMP • Deriving Interface Indices • Monitor Port-Channels • Troubleshooting SNMP Operation Important Points to Remember • Typically, 5-second timeout and 3-second retry values on an SNMP server are sufficient for both LAN and WAN applications.
enable or disable FIPS mode only if SNMPv3 users are not previously set up. If previously configured users exist on the system, you must delete the existing users before you change the FIPS mode. Keep the following points in mind when you configure the AES128-CFB algorithm for SNMPv3: 1. SNMPv3 authentication provides only the sha option when the FIPS mode is enabled. 2. SNMPv3 privacy provides only the aes128 privacy option when the FIPS mode is enabled. 3.
Setting Up User-Based Security (SNMPv3) When setting up SNMPv3, you can set users up with one of the following three types of configuration for SNMP read/write operations. Users are typically associated to an SNMP group with permissions provided, such as OID view. • noauth — no password or privacy. Select this option to set up a user with no password or privacy privileges. This setting is the basic configuration. Users must have a group and profile that do not require password privileges.
Select a User-based Security Type Dell(conf)#snmp-server host 1.1.1.1 traps {oid tree} version 3 ? auth Use the SNMPv3 authNoPriv Security Level noauth Use the SNMPv3 noAuthNoPriv Security Level priv Use the SNMPv3 authPriv Security Level Dell(conf)#snmp-server host 1.1.1.1 traps {oid tree} version 3 noauth ? WORD SNMPv3 user name Reading Managed Object Values You may only retrieve (read) managed object values if your management station is a member of the same community as the SNMP agent.
IP-MIB::ip.34.1.4.1.4.2.1.1.1 = INTEGER: 1 IP-MIB::ip.34.1.4.2.16.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 1 Writing Managed Object Values You may only alter (write) a managed object value if your management station is a member of the same community as the SNMP agent, and the object is writable. Use the following command to write or write-over the value of a managed object. • To write or write-over the value of a managed object. snmpset -v version -c community agent-ip {identifier.instance | descriptor.
The default is None. Subscribing to Managed Object Value Updates using SNMP By default, the Dell Networking system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system. The Dell Networking OS supports the following three sets of traps: • RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighbborLoss.
Enabling a Subset of SNMP Traps You can enable a subset of Dell Networking enterprise-specific SNMP traps using one of the following listed command options. To enable a subset of Dell Networking enterprise-specific SNMP traps, use the following command. • Enable a subset of SNMP traps. snmp-server enable traps NOTE: The envmon option enables all environment traps including those traps that are enabled with the envmon supply, envmon temperature, and envmon fan options.
INTEGER: 1 10.16.130.140 [10.16.130.140]: Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (625882) 1:44:18.82, SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp, IF-MIB::ifIndex.45158657 = INTEGER: 45158657, SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Te 0/43", SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 14 10.16.130.140 [10.16.130.140]: Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (645746) 1:47:37.46, SNMPv2-MIB::snmpTrapOID.
NOTE: If a syslog server failure event is generated before the SNMP agent service starts, then SNMP trap is not sent successfully. To enable an SNMP agent to send a trap when the syslog server is not reachable, use the following command: CONFIGURATION MODE snmp-server enable traps snmp syslog-unreachable To enable an SNMP agent to send a trap when the syslog server resumes connectivity, use the following command: CONFIGURATION MODE snmp-server enable traps snmp syslog-reachable Table 66.
Table 67. MIB Objects for Copying Configuration Files via SNMP MIB Object OID Object Values Description copySrcFileType .1.3.6.1.4.1.6027.3.5.1.1.1.1.2 1 = Dell Networking OS file Specifies the type of file to copy from. The range is: 2 = running-config • 3 = startup-config • copySrcFileLocation .1.3.6.1.4.1.6027.3.5.1.1.1.1.3 1 = flash 2 = n/a If copySrcFileType is running-config or startupconfig, the default copySrcFileLocation is flash.
MIB Object OID Object Values Description must also specify copyUserName and copyUserPassword. copyUserName .1.3.6.1.4.1.6027.3.5.1.1.1.1.9 Username for the server. Username for the FTP, TFTP, or SCP server. • copyUserPassword .1.3.6.1.4.1.6027.3.5.1.1.1.1.10 Password for the server. If you specify copyUserName, you must also specify copyUserPassword. Password for the FTP, TFTP, or SCP server. Copying a Configuration File To copy a configuration file, use the following commands. 1.
Copying Configuration Files via SNMP To copy the running-config to the startup-config from the UNIX machine, use the following command. • Copy the running-config to the startup-config from the UNIX machine. snmpset -v 2c -c public —m ./f10–copy-config.mif force10system-ip-address copySrcFileType.index i 2 copyDestFileType.
• precede the values for copyUsername and copyUserPassword by the keyword s. Example of Copying Configuration Files via FTP From a UNIX Machine > snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.110 i 2 copyDestFileName.110 s /home/startup-config copyDestFileLocation.110 i 4 copyServerAddress. 110 a 11.11.11.11 copyUserName.110 s mylogin copyUserPassword.110 s mypass FORCE10-COPY-CONFIG-MIB::copySrcFileType.
Additional MIB Objects to View Copy Statistics Dell Networking provides more MIB objects to view copy statistics, as shown in the following table. Table 68. Additional MIB Objects for Copying Configuration Files via SNMP MIB Object OID Values Description copyState .1.3.6.1.4.1.6027.3.5.1.1.1.1.11 1= running Specifies the state of the copy operation. 2 = successful 3 = failed copyTimeStarted .1.3.6.1.4.1.6027.3.5.1.1.1.1.
• To view the available flash memory using SNMP, use the following command. snmpget -v2c -c public 192.168.60.120 .1.3.6.1.4.1.6027.3.10.1.2.9.1.6.1 enterprises.6027.3.10.1.2.9.1.5.1 = Gauge32: 24 The output above displays that 24% of the flash memory is used. MIB Support to Display the Software Core Files Generated by the System Dell Networking provides MIB objects to display the software core files generated by the system.
enterprises.6027.3.10.1.2.10.1.4.1.2 enterprises.6027.3.10.1.2.10.1.4.1.3 enterprises.6027.3.10.1.2.10.1.4.2.1 enterprises.6027.3.10.1.2.10.1.5.1.1 enterprises.6027.3.10.1.2.10.1.5.1.2 enterprises.6027.3.10.1.2.10.1.5.1.3 enterprises.6027.3.10.1.2.10.1.5.2.1 = = = = = = = 1 1 0 "flashmntr" "l2mgr" "vrrp" Hex: 76 72 72 70 "sysd" Hex: 73 79 73 64 The output above displays that the software core files generated by the system.
Assigning a VLAN Alias Write a character string to the dot1qVlanStaticName object to assign a name to a VLAN. Example of Assigning a VLAN Alias using SNMP [Unix system output] > snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.1.1107787786 s "My VLAN" SNMPv2-SMI::mib-2.17.7.1.4.3.1.1.
• Each position in the 8-character string is for one port, starting with Port 1 at the left end of the string, and ending with Port 8 at the right end. A 0 indicates that the port is not a member of the VLAN; a 1 indicates VLAN membership. All hex pairs are 00, indicating that no ports are assigned to VLAN 10. In the following example, Port 0/2 is added to VLAN 10 as untagged; the first hex pair changes from 00 to 04.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 In the following example, Port 0/2 is added as a tagged member of VLAN 10. >snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786 x "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" .1.3.6.1.2.1.17.7.1.4.3.1.4.
Table 71. MIB Objects for Fetching Dynamic MAC Entries in the Forwarding Database MIB Object OID MIB Description dot1dTpFdbTable .1.3.6.1.2.1.17.4.3 Q-BRIDGE MIB List the learned unicast MAC addresses on the default VLAN. dot1qTpFdbTable .1.3.6.1.2.1.17.7.1.2. 2 Q-BRIDGE MIB List the learned unicast MAC addresses on non-default VLANs. dot3aCurAggFdb Table .1.3.6.1.4.1.6027.3.2. 1.1.5 F10-LINK-AGGREGATION MIB List the learned MAC addresses of aggregated links (LAG).
>snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.4.1.6027.3.2.1.1.5 SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.1.1000.0.1.232.6.149.172.1 = SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.2.1000.0.1.232.6.149.172.1 = 06 95 AC SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.3.1000.0.1.232.6.149.172.1 = SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.4.1000.0.1.232.6.149.172.
Interface index is 72925242 [output omitted] Monitor Port-Channels To check the status of a Layer 2 port-channel, use f10LinkAggMib (.1.3.6.1.4.1.6027.3.2). In the following example, Po 1 is a switchport and Po 2 is in Layer 3 mode. Example of SNMP Trap for Monitored Port-Channels Example of Viewing Status of Learned MAC Addresses Example of Viewing Changed Interface State for Monitored Ports [senthilnathan@lithium ~]$ snmpwalk -v 2c -c public 10.11.1.1 .1.3.6.1.4.1.6027.3.2.1.1 SNMPv2-SMI::enterprises.
SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500934) 23:36:49.34 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp IF-MIB::ifIndex.1107755009 = INTEGER: 1107755009 SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Po 1" BMP Functionality Using SNMP SET To enable or disable BMP, use SNMP SET. Table 73. List of BMP MIBS that have both read/write access MIB Object OID Description f10bmpMib .1.3.6.1.4.1.6027.3.23 NODE bmpEntry .1.3.6.1.4.1.6027.3.23.
The status for the MIBS is as follows: vijayakrishnan@tapti[3:42pm] : /tftpboot > 1.3.6.1.2.1.47.1.1.1.1.2 SNMPv2-SMI::mib-2.47.1.1.1.1.2.1 = "" SNMPv2-SMI::mib-2.47.1.1.1.1.2.2 = STRING: SNMPv2-SMI::mib-2.47.1.1.1.1.2.3 = STRING: SNMPv2-SMI::mib-2.47.1.1.1.1.2.4 = STRING: SNMPv2-SMI::mib-2.47.1.1.1.1.2.5 = STRING: SNMPv2-SMI::mib-2.47.1.1.1.1.2.6 = STRING: SNMPv2-SMI::mib-2.47.1.1.1.1.2.7 = STRING: SNMPv2-SMI::mib-2.47.1.1.1.1.2.8 = STRING: SNMPv2-SMI::mib-2.47.1.1.1.1.2.
51 Stacking Stacking is supported on the MXL switch platform. Stacking is supported on a MXL 10/40GbE switch on the 40GbE ports (for the base module) or a 2-Port 40GbE QSFP+ module. You can connect up to six MXL 10/40GbE switches in a single stack. Stacking provides a single point of management and network interface controller (NIC) teaming for high availability and higher throughput.
Stack Management Roles The stack elects the management units for the stack management. • Stack master — primary management unit, also called the master unit. • Standby — secondary management unit. The master holds the control plane and the other units maintain a local copy of the forwarding databases. From the stack master you can configure: • System-level features that apply to all stack members. • Interface-level features for each stack member.
When an up and running standalone unit or stack is merged with another stack, based on election, the losing stack reloads and the master unit of the winning stack becomes the master of the merged stack. For more details, see sections Adding a Stack Unit and Merging Two Stacks. To ensure a fully synchronised bootup, it is possible to reset individual units to force them to give up the management role; or reload the whole stack from the command line interface (CLI).
NOTE: A ring topology is recommended under normal operation because it provides increased resiliency when compared with a daisy chain topology. In daisy chain topology, any change in a non-edge stack unit causes a split stack. Figure 124. Dual-Ring Stacking Topology for MXL 10/40GbE Switches Example 2: Dual Daisy-Chain Stack Across Multiple Chassis Using two separate, daisy-chained stacks in a stacking topology provides redundancy and increased high availability in case of stack failure.
Figure 125. Dual Daisy-Chain Stacking Topology for MXL 10/40GbE Switches Stack Group/Port Numbers By default, each unit in Standalone mode is numbered stack-unit 0. Stack-unit numbers are assigned to member switches when the stack comes up. The following example shows the stack-group numbers of 40GbE ports on an MXL 10/40GbE switch.
Figure 126. Stack-Group on an MXL 10/40GbE Switch Configuring a Switch Stack Configuring a switch stack is a four step process. To configure and bring up a switch stack, follow these steps: 1. Connect the switches to be stacked with 40G direct attach or QSFP fibre cables. 2. Configure the stacking ports on each switch. 3. All switches must be booted together. 4. (Optional) Configure management priorities, unit numbers, or logical provisioning for stack units.
Master Selection Criteria A Master is elected or re-elected based on the following considerations, in order: 1. The switch with the highest priority at boot time. 2. The switch with the highest MAC address at boot time. 3. A unit is selected as Standby by the administrator, and a fail over action is manually initiated or occurs due to a Master unit failure. No record of previous stack mastership is kept when a stack loses power.
Cabling Stacked Switches Before you configure MXL switches in a stack, connect the 40G direct attach or QSFP cables and transceivers to connect 40GbE ports on switches in the same or different chassis. Cabling Restrictions The following restrictions apply when setting up a stack of MXL 10/40GbE switches. • Only daisy-chain or ring topologies are supported; star and full mesh topologies are not supported.
Password: ***** Dell> enable Dell# configure 3. Configure a 40GbE port for stacking mode. CONFIGURATION mode stack-unit unit-number stack-group group-number The valid values are from 0 to 5. The default value is 0. 4. • stack-unit : is the unit-number of the member stack unit. • stack-group group-number is the number of stacked port on unit. The valid values are from 0 to 1. Save the stacking configuration on the 40GbE ports. EXEC PRIVILEGE mode write memory 5.
The default is 0. To revert the management priority of a stack unit to the default value of 0, use the no form of the stack-unit unit-number priority number command. After you reconfigure the priorities of stacked switches, reload the stack so that a new master and standby election is performed. Renumbering a Stack Unit To renumber a stack unit to reset the unit numbering for a master, standby or member unit, use the following command.
• A stack unit can also enter a Card-Problem state after a split-stack reload in which a unit that was previously neither the master nor standby is elected as the new master and has logical stack-unit provisioning configured for a stack-unit number that creates a mismatch with the stack-unit numbering on other units. Converting 4x10GbE Ports to 40GbE for Stacking Stacking is supported only on 40GbE links by connecting 40GbE ports on the base module or a 2-Port QSFP+ module.
If a standalone switch has no stack groups configured, you can add it to a stack. To add a standalone switch to a stack, follow these steps. 1. Power on the switch. 2. Attach QSFP or direct attach cables to connect 40GbE ports on the switch to one or more switches in the stack. 3. Log on to the CLI and enter global configuration mode. Login: username Password: ***** Dell> enable Dell# configure 4. Configure a 40GbE port for stacking.
• All the units in the losing stack go for a reboot and then merge with the winning stack that has the stack master. • If there is no unit numbering conflict, the stack members retain their previous unit numbers. Otherwise, the stack master assigns new unit numbers, based on the order in which they come online. • The new stack master uses its own startup and running configurations to synchronize the configurations on the new stack members.
• Reload a member unit, from the unit itself. EXEC Privilege mode • reset-self Reset a stack-unit when the unit is in a problem state. EXEC Privilege mode reset stack-unit unit-number hard Verify a Stack Configuration The following lists the status of a stacked switch according to the color of the System Status light emitting diodes (LEDs) on its front panel. • Blue indicates the switch is operating as the stack master or as a standalone unit. • Off indicates the switch is a member or standby unit.
4 5 Member Member online online MXL-10/40GbE MXL-10/40GbE MXL-10/40GbE 9-1-0-853 56 MXL-10/40GbE 9-1-0-853 56 Dell#show system Stack MAC : 00:1e:c9:f1:00:e3 Reload Type : normal-reload [Next boot : normal-reload] -- Unit 0 -Unit Type Status Required Type : Member Unit : not present : MXL-10/40GbE - 34-port GE/TE/FG (XL) -- Unit 1 -Unit Type Status Next Boot Required Type Current Type Master priority Hardware Rev Num Ports Up Time Dell Networking Jumbo Capable POE Capable Burned In MAC No Of MACs : M
0 1 QSFP+ * - Mismatch QSFP+ AUTO Good Dell# show system stack-unit 1 stack-group configured Configured stack groups in stack-unit 1 --------------------------------------0 1 4 5 Dell#show system stack-unit 1 stack-group Stack group Ports -----------------------------0 0/33 1 0/37 2 0/41 3 0/45 4 0/49 5 0/53 Dell# Dell# show system stack-ports Topology: Ring Interface Connection Link Speed (Gb/s) 0/33 1/37 40 0/37 2/33 40 0/41 1/49 40 0/45 2/53 40 1/33 2/37 40 1/37 0/33 40 1/49 0/41 40 1/53 2/49 40 2/33
clear hardware stack-unit unit-number counters Example of the show system stack-ports Command Example of the show redundancy Command Example of the show hardware stack-unit port-stack Command Dell# show system stack-ports Topology: Ring Interface Connection Link Speed (Gb/s) 0/41 2/45 40 0/45 1/41 40 1/41 0/45 40 1/45 2/41 40 2/41 1/45 40 2/45 0/41 40 Admin Status up up up up up up Link Trunk Status Group up up up up up up Dell#show redundancy -- Stack-unit Status ----------------------------------------
Output Statistics: 438 packets, 270449 bytes, 0 underruns 0 64-byte pkts, 57 over 64-byte pkts, 181 over 127-byte pkts 54 over 255-byte pkts, 0 over 511-byte pkts, 146 over 1023-byte pkts 72 Multicasts, 0 Broadcasts, 221 Unicasts 0 throttles, 0 discarded, 0 collisions, 0 wredDrops Rate info (interval 45 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.
The following is an example of the stack-link flapping error message. --------------------------------------MANAGMENT UNIT----------------------------------------Error: Stack Port 49 has flapped 5 times within 10 seconds.Shutting down this stack port now. Error: Please check the stack cable/module and power-cycle the stack. 10:55:20: %STKUNIT1-M:CP %KERN-2-INT: Error: Stack Port 50 has flapped 5 times within 10 seconds.Shutting down this stack port now.
2 3 4 5 Standby Member not Member not Member not online present present present MXL-10/40GbE MXL-10/40GbE 8-3-16-79 56 Stack Unit in Card-Problem State Due to Configuration Mismatch • • Problem: A stack unit enters a Card-Problem state because there is a configuration mismatch between the logical provisioning stored for the stack-unit number on the master switch and the newly added unit with the same number. Resolution: The resolution is to reload the stack.
Image upgraded to all Dell# configure Dell(conf)# boot system stack-unit all primary system: A: Dell(conf)# end Dell# write memory Jan 3 14:01:48: %STKUNIT0-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default Synchronizing data to peer Stack-unit !!!! Dell# reload Proceed with reload [confirm yes/no]: yes Upgrading a Single Stack Unit Upgrading a single stacked switch is necessary when the unit was disabled due to an incorrect Dell Networking OS version.
52 Storm Control Storm control is supported on the Dell networking OS. The storm control feature allows you to control unknown-unicast, muticast, and broadcast control traffic on Layer 2 and Layer 3 physical interfaces. Dell Networking OS Behavior: The Dell Networking OS supports broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic. The minimum number of packets per second (PPS) that storm control can limit is two.
• Configure the percentage of multicast traffic allowed on C-Series or S-Series interface (ingress only) network only. INTERFACE mode storm-control multicast packets_per_second in • Shut down the port if it receives the PFC/LLFC packets more than the configured rate. INTERFACE mode storm-control pfc-llfc pps in shutdown NOTE: PFC/LLFC storm control enabled interface disables the interfaces if it receives continuous PFC/LLFC packets.
53 Spanning Tree Protocol (STP) Dell Networking OS supports spanning tree protocol (STP). Protocol Overview STP is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network. By eliminating loops, the protocol improves scalability in a large network and allows you to implement redundant paths, which can be activated after the failure of active paths.
• All ports in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the spanning tree topology at the time you enable the protocol. • To add interfaces to the spanning tree topology after you enable STP, enable the port and configure it for Layer 2 using the switchport command. • The IEEE Standard 802.1D allows 8 bits for port ID and 8 bits for priority. The 8 bits for port ID provide port IDs for 256 ports.
INTERFACE mode no shutdown Example of the show config Command To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. Dell(conf-if-te-1/1)#show config ! interface TenGigabitEthernet 1/1 no ip address switchport no shutdown Dell(conf-if-te-1/1)# Enabling Spanning Tree Protocol Globally Enable the spanning tree protocol globally; it is not enabled by default.
protocol spanning-tree 0 2. Enable STP. PROTOCOL SPANNING TREE mode no disable To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Bridge ID Priority 32768, Address 0001.e80d.2462 Configured hello time 2, max age 20, forward delay 15 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID -------------- ------ ---- ---- --- ----- -------------------Tengig 1/1 8.496 8 4 DIS 0 32768 0001.e80d.2462 8.496 Tengig 1/2 8.497 8 4 DIS 0 32768 0001.e80d.2462 8.497 Tengig 1/3 8.513 8 4 FWD 0 32768 0001.e80d.2462 8.513 Tengig 1/4 8.514 8 4 FWD 0 32768 0001.e80d.2462 8.
The range is from 4 to 30. • The default is 15 seconds. Change the hello-time parameter (the BPDU transmission interval). PROTOCOL SPANNING TREE mode hello-time seconds NOTE: With large configurations (especially those with more ports) Dell Networking recommends increasing the hello-time. The range is from 1 to 10. • the default is 2 seconds. Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology).
Enabling Port Fast The Port Fast feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. Interfaces forward frames by default until they receive a BPDU that indicates that they should behave otherwise; they do not go through the Learning and Listening states. The bpduguard shutdown-on-violation option causes the interface hardware to be shut down when it receives a BPDU.
Dell Networking OS Behavior: Regarding bpduguard shutdown-on-violation behavior: • • • • If the interface to be shut down is a port channel, all the member ports are disabled in the hardware. When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware.
Name PortID Prio Cost Sts Cost Bridge ID PortID ---------- ------- ---- ------ ----------- ------ ------ -----Po 1 8.2 8 1 FWD 0 32768 0001.e88a.fdb3 8.2 Te 3/20 8.317 8 4 EDS 1 32768 001e.c9f1.00cf 8.317 Te 4/20 8.373 8 4 FWD 1 32768 001e.c9f1.00cf 8.373 Te 4/21 8.374 8 4 FWD 1 32768 001e.c9f1.00cf 8.
Figure 131. BPDU Filtering Enabled Globally Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command. • Assign a number as the bridge priority or designate it as the root or secondary root.
Because any switch in an STP network with a lower priority can become the root bridge, the forwarding topology may not be stable. The location of the root bridge can change, resulting in unpredictable network behavior. The STP root guard feature ensures that the position of the root bridge does not change. Root Guard Scenario For example, as shown in the following illustration (STP topology 1, upper left) Switch A is the root bridge in the network core.
Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: • Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
Example of Viewing STP Guard Configuration Dell#show spanning-tree 0 guard Interface Name Instance Sts Guard type --------- -------- --------- ---------Tengig 0/1 0 INCON(Root) Rootguard Tengig 0/2 0 LIS Loopguard Tengig 0/3 0 EDS (Shut) Bpduguard Dell# 800 Spanning Tree Protocol (STP) Bpdu Filter ---------No No No
54 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell Networking device. For more information on SmartScripts, see Dell Networking Open Automation guide. Figure 133.
Configuring SupportAssist Using a Configuration Wizard You are guided through a series of queries to configure SupportAssist. The generated commands are added to the running configuration, including the DNS resolve commands, if configured. This command starts the configuration wizard for the SupportAssist. At any time, you can exit by entering Ctrl-C. If necessary, you can skip some data entry. Enable the SupportAssist service.
connection with SupportAssist. If you are downloading SupportAssist on behalf of a company or other legal entity, you are further certifying to Dell that you have appropriate authority to provide this consent on behalf of that entity. If you do not consent to the collection, transmission and/or use of the Collected Data, you may not download, install or otherwise use SupportAssist. NOTE: This step is not mandatory and you can configure SupportAssist manually without performing this step.
support-assist activity {full-transfer} start now Dell#support-assist activity full-transfer start now Configuring SupportAssist Activity SupportAssist Activity mode allows you to configure and view the action-manifest file for a specific activity. To configure SupportAssist activity, use the following commands. 1. Move to the SupportAssist Activity mode for an activity. Allows you to configure customized details for a specific activity.
SUPPORTASSIST ACTIVITY mode action-manifest show {all} Dell(conf-supportassist-act-full-transfer)#action-manifest show all Dell(conf-supportassist-act-full-transfer)# 6. Enable a specific SupportAssist activity. SUPPORTASSIST ACTIVITY mode [no] enable Dell(conf-supportassist-act-full-transfer)#enable Dell(conf-supportassist-act-full-transfer)# Configuring SupportAssist Company SupportAssist Company mode allows you to configure name, address and territory information of the company.
SUPPORTASSIST mode [no] contact-person [first ] last Dell(conf-supportassist)#contact-person first john last doe Dell(conf-supportassist-pers-john_doe)# 2. Configure the email addresses to reach the contact person. SUPPORTASSIST PERSON mode [no] email-address primary email-address [alternate email-address] Dell(conf-supportassist-pers-john_doe)#email-address primary jdoe@mycompany.com Dell(conf-supportassist-pers-john_doe)# 3. Configure phone numbers of the contact person.
[no] proxy-ip-address {ipv4-address | ipv6-address}port port-number [ username userid password [encryption-type] password ] Dell(conf-supportassist-serv-default)#proxy-ip-address 10.0.0.1 port 90 username test password 0 test1 Dell(conf-supportassist-serv-default)# 3. Enable communication with the SupportAssist server. SUPPORTASSIST SERVER mode [no] enable Dell(conf-supportassist-serv-default)#enable Dell(conf-supportassist-serv-default)# 4. Configure the URL to reach the SupportAssist remote server.
address city MyCity country MyCountry ! contact-person first john last doe email-address primary jdoe@mycompany.com preferred-method email ! server default enable url https://192.168.1.1/index.htm 3. Display the EULA for the feature.
55 System Time and Date System time and date settings and the network time protocol (NTP) are supported on the MXL switch platform. You can set system times and dates and maintained through the NTP. They are also set through the Dell Networking operating system (OS) command line interfaces (CLIs) and hardware settings. Network Time Protocol The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients.
synchronize and serve as a client to the NTP host. As soon as a host-client relationship is established, the networking device propagates the time information throughout its local network. Protocol Overview The NTP messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately.
ntp server ip-address Viewing System Clock State Relative to NTP Example of Viewing Calculated NTP Synchronization Variables To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode. Dell(conf)#do show ntp status Clock is synchronized, stratum 2, reference is 192.168.1.1 frequency is -369.623 ppm, stability is 53.319 ppm, precision is 4294967279 reference time is CD63BCC2.0CBBD000 (16:54:26.049 UTC Thu Mar 12 2012) clock offset is 997.
ntp source interface Enter the following keywords and slot/port or number information: – For a Loopback interface, enter the keyword loopback then a number between 0 and 16383. – For a port channel interface, enter the keyword port-channel then a number from 1 to 128. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
– ipv6-address : Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported. – key keyid : Configure a text string as the key exchanged between the NTP server and the client. – prefer: Enter the keyword prefer to set this NTP server as the preferred server. – version number : Enter a number as the NTP version. The range is from 1 to 4. 5. Configure the switch as NTP master .
NOTE: • Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
– time: enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format; for example, 17:15:00 is 5:15 pm. – month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year. – day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year. – year: enter a four-digit number as the year.
– end-month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year. – end-day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year. – end-year: enter a four-digit number as the year. The range is from 1993 to 2035. – end-time: enter the time in hours:minutes.
Example of the clock summer-time recurring Command Example of Clock Summer-Time Recurring Parameters Dell(conf)#clock summer-time pacific recurring Mar 14 2012 00:00 Nov 7 2012 00:00 Dell(conf)# NOTE: If you enter after entering the recurring command parameter, and you have already set a one-time daylight saving time/date, the system uses that time and date as the recurring setting.
56 Tunneling Tunneling supports RFC 2003, RFC 2473, and 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported. Configuring a Tunnel You can configure a tunnel in IPv6 mode, IPv6IP mode, and IPIP mode. • If the tunnel mode is IPIP or IPv6IP, the tunnel source address and the tunnel destination address must be an IPv4 address.
Dell(conf-if-tu-3)#ip address 3.1.1.1/24 Dell(conf-if-tu-3)#ipv6 address 3::1/64 Dell(conf-if-tu-3)#no shutdown Dell(conf-if-tu-3)#show config ! interface Tunnel 3 ip address 3.1.1.1/24 ipv6 address 3::1/64 tunnel destination 8::9 tunnel source 5::5 tunnel mode ipv6 no shutdown Configuring Tunnel keepalive Configure the tunnel keepalive target, interval and attempts. • By default the tunnel keepalive is disabled.
Dell(conf-if-tu-1)#tunnel mode ipip decapsulate-any Dell(conf-if-tu-1)#no shutdown Dell(conf-if-tu-1)#sho c ! interface Tunnel 1 ip unnumbered TenGigabitEthernet 0/0 ipv6 unnumbered TenGigabitEthernet 0/0 tunnel source 40.1.1.1 tunnel mode ipip decapsulate-any no shutdown Dell(conf-if-tu-1)# Configuring the Tunnel allow-remote You can configure an IPv4 or IPV6 address or prefix whose tunneled packet will be accepted for decapsulation. .
57 Virtual Link Trunking (VLT) Dell Networking OS supports virtual link trunking (VLT). Overview VLT allows physical links between two chassis to appear as a single virtual link to the network core. VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches, and by supporting a loop-free topology. (To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol.
Figure 135. Virtual Link Trunking Multi-domain VLT A multi-domain VLT (mVLT) configuration creates a port channel between two VLT domains by allowing two different VLT domains, using different VLT Domain ID numbers, connected by a standard LACP LAG to form a loop-free Layer 2 topology in the aggregation layer. This configuration supports a maximum of four (4) nodes per mVLT domain, increasing the number of available ports and allowing for dual redundancy of the VLT.
Figure 136. Multi-Domain VLT Example VLT Terminology The following are key VLT terms. • Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. • VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches. • VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches.
• If the lacp-ungroup feature is not supported on the ToR, reboot the VLT peers one at a time. After rebooting, verify that VLTi (ICL) is active before attempting DHCP connectivity. • When you enable IGMP snooping on the VLT peers, ensure the value of the delay-restore command is not less than the query interval.
– The system automatically includes the required VLANs in VLTi. You do not need to manually select VLANs. – VLT peer switches operate as separate chassis with independent control and data planes for devices attached to non-VLT ports. – Port-channel link aggregation (LAG) across the ports in the VLT interconnect is required; individual ports are not supported. Dell Networking strongly recommends configuring a static LAG for VLTi.
device and automatically generates a VLT number for port channels on VLT peers that connects to the device. The discovery protocol requires that an attached device always runs LACP over the port-channel interface. – VLT provides a loop-free topology for port channels with endpoints on different chassis in the VLT domain. – VLT uses shortest path routing so that traffic destined to hosts via directly attached links on a chassis does not traverse the chassis-interconnect link.
– In a VLT domain, although both VLT peers actively participate in L3 forwarding as the VRRP master or backup router, the show vrrp command output displays one peer as master and the other peer as backup. • Failure scenarios – On a link failover, when a VLT port channel fails, the traffic destined for that VLT port channel is redirected to the VLTi to avoid flooding.
VLT and IGMP Snooping When configuring IGMP Snooping with VLT, ensure the configurations on both sides of the VLT trunk are identical to get the same behavior on both sides of the trunk. When you configure IGMP snooping on a VLT node, the dynamically learned groups and multicast router ports are automatically learned on the VLT peer node. VLT Port Delayed Restoration With the Dell Networking OS version 8.3.12.
Figure 137. PIM-Sparse Mode Support on VLT On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
You can configure virtual link trunking (VLT) peer nodes as rendezvous points (RPs) in a Protocol Independent Multicast (PIM) domain. If the VLT node elected as the designated router fails, traffic loss occurs until another VLT node is elected the designated router. VLT Multicast VLT multicast provides multiple alternate paths for resiliency against link and node failures.
6. Configure the VLT VLAN routing metrics to prefer VLT VLAN interfaces over non-VLT VLAN interfaces. For more information, refer to Classify Traffic. 7. Configure symmetrical Layer 2 and Layer 3 configurations on both VLT peers for any spanned VLAN. VLT Unicast Routing VLT unicast locally routes packets destined for the L3 endpoint of the VLT peer. This method avoids sub-optimal routing. Peer-routing syncs the MAC addresses of both VLT peers and requires two local DA entries in TCAM.
Additionally, ARP entries resulting from station movements from VLT to non-VLT ports or to different non-VLT ports are learned on the non-VLT port and synced with the peer node. The peer node is updated to use the new non-VLT port. NOTE: ARP entries learned on non-VLT, non-spanned VLANs are not synced with VLT peers. RSTP Configuration RSTP is supported in a VLT domain. Before you configure VLT on peer switches, configure RSTP in the network.
Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 1) Dell_VLTpeer1(conf)#protocol spanning-tree rstp Dell_VLTpeer1(conf-rstp)#no disable Dell_VLTpeer1(conf-rstp)#bridge-priority 4096 Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 2) Dell_VLTpeer2(conf)#protocol spanning-tree rstp Dell_VLTpeer2(conf-rstp)#no disable Dell_VLTpeer2(conf-rstp)#bridge-priority 0 Configuring VLT To configure virtual link trunking and create a VLT domain in which two switches are physically con
5. Repeat Steps 1 to 4 on the VLT peer switch to configure the VLT interconnect. Configuring a VLT Backup Link To configure a VLT backup link, use the following command. 1. Specify the management interface to be used for the backup link through an out-of-band management network. CONFIGURATION mode interface managementethernet slot/ port Enter the slot (0-1) and the port (0). 2. Configure an IPv4 address (A.B.C.D) or IPv6 address (X:X:X:X::X) and mask (/x) on the interface.
The range of domain IDs is from 1 to 1000. 2. (Optional) After you configure the VLT domain on each peer switch on both sides of the interconnect trunk, by default, the system elects a primary and secondary VLT peer device. VLT DOMAIN CONFIGURATION mode primary-priority value To reconfigure the primary role of VLT peer switches, use the primary-priority command. To configure the primary role on a VLT peer, enter a lower value than the priority value of the remote peer.
switchport 4. Add one or more port interfaces to the port channel. INTERFACE PORT-CHANNEL mode channel-member interface interface: specify one of the following interface types: 5. • 10-Gigabit Ethernet: enter tengigabitethernet slot/port. • 40-Gigabit Ethernet: enter fortygigabitethernet slot/port. Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown 6.
CONFIGURATION mode interface port-channel id-number Enter the same port-channel number configured with the peer-link port-channel command. 2. Add one or more port interfaces to the port channel. INTERFACE PORT-CHANNEL mode channel-member interface interface specifies one of the following interface types: 3. • 10-Gigabit Ethernet: Enter tengigabitethernet slot/port. • 40-Gigabit Ethernet: Enter fortygigabitethernet slot/port. Enter VLT-domain configuration mode for a specified VLT domain.
You must configure a different unit ID (0 or 1) on each peer switch. Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots. 8. Configure multi-domain VLT. Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode. CONFIGURATION mode interface port-channel id-number Enter the same port-channel number configured with the peer-link port-channel command. 9.
• Display general status information about VLT domains currently configured on the switch. EXEC mode • show vlt brief Display detailed information about the VLT-domain configuration, including local and peer port-channel IDs, local VLT switch status, and number of active VLANs on each port channel. EXEC mode • show vlt detail Display the VLT peer status, role of the local VLT switch, VLT system MAC address and system priority, and the MAC address and priority of the locally-attached VLT device.
UDP Port: 34998 HeartBeat Messages Sent: 1030 HeartBeat Messages Received: 1014 Example of the show vlt brief Command Dell#show vlt br VLT Domain Brief -----------------Domain ID Role Role Priority ICL Link Status HeartBeat Status VLT Peer Status Version Local System MAC address Remote System MAC address Remote system version Delay-Restore timer : Up : Up : Up : : : : Delay-Restore Abort Threshold Peer-Routing Peer-Routing-Timeout timer Multicast peer-routing timeout Dell# : 1 : Secondary : 32768 : 6(3)
vlt domain 30 peer-link port-channel 60 back-up destination 10.11.200.18 Dell_VLTpeer2# show running-config vlt ! vlt domain 30 peer-link port-channel 60 back-up destination 10.11.200.
Po Po Po Po Po 4 100 110 111 120 128.5 128.101 128.111 128.112 128.121 128 128 128 128 128 200000 800 00 200000 2000 DIS 0 FWD(VLTi)0 FWD(vlt) 0 DIS(vlt) 0 FWD(vlt) 0 0 0 0 0 0 0001.e88a.dff8 0001.e88a.dff8 0001.e88a.dff8 0001.e88a.dff8 0001.e88a.dff8 128.5 128.101 128.111 128.112 128.121 Connecting a VLT Domain To connect a VLT domain to an attached access device, use the following commands. For more information, refer to Verifying a VLT Configuration. 1.
EXEC mode or EXEC Privilege show interfaces interface In the following sample VLT configuration steps, VLT peer 1 is MXL-2, VLT peer 2 is MXL-4, and the ToR is MXL-1. NOTE: If you use a third-party ToR unit, Dell Networking recommends using static LAGs with VLT peers to avoid potential problems if the VLT peers are rebooted.
interface TenGigabitEthernet 0/40 no ip address ! port-channel-protocol LACP port-channel 2 mode active no shutdown mxl-2# configuring VLT peer lag in VLT mxl-2#show running-config interface port-channel 2 ! interface Port-channel 2 no ip address switchport vlt-peer-lag port-channel 2 no shutdown mxl-2# mxl-2#show interfaces port-channel 2 brief Codes: L - LACP Port-channel LAG Mode Status Uptime L 2 L2L3 up 03:33:14 mxl-2# Ports Te 0/40 (Up) mxl-4#show running-config interface tengigabitethernet 0/40 ! i
switchport no shutdown mxl-1# mxl-1#show interfaces port-channel 100 brief Codes: L - LACP Port-channel LAG Mode Status Uptime Ports L 100 L2 up 03:33:48 Te 0/48 (Up) Te 0/50 (Up) mxl-1# Verify VLT is up.
Primary peer will send the role/state of VLT-LAGs for all VLANs to the Secondary peer. Secondary peer will use this information to program the hardware. PVST+ instance running in Secondary peer will not control the VLT-LAGs. Dell Networking recommends configuring the primary VLT peer as the primary root device for all the configured PVST+ Instances and configuring the secondary VLT peer as the secondary root device for all the configured PVST+ Instances.
Figure 138. mVLT Configuration Example In Domain 1, configure Peer 1 first, then configure Peer 2. When that is complete, perform the same steps for the peer nodes in Domain 2. The interface used in this example is TenGigabitEthernet.
Next, configure the VLT domain and VLTi on Peer 2 Domain_1_Peer2#configure Domain_1_Peer2(conf)#interface port-channel 1 Domain_1_Peer2(conf-if-po-1)#channel-member TenGigabitEthernet 0/8-9 Domain_1_Peer2#no shutdown Domain_1_Peer2(conf)#vlt domain 200 Domain_1_Peer2(conf-vlt-domain)#peer-link port-channel 1 Domain_1_Peer2(conf-vlt-domain)#back-up destination 10.16.130.
Domain_2_Peer4(conf-vlt-domain)#system-mac mac-address 00:0b:00:0b:00:0b Domain_2_Peer4(conf-vlt-domain)#unit-id 1 Configure mVLT on Peer 4 Domain_2_Peer4(conf)#interface port-channel 100 Domain_2_Peer4(conf-if-po-100)#switchport Domain_2_Peer4(conf-if-po-100)#vlt-peer-lag port-channel 100 Domain_2_Peer4(conf-if-po-100)#no shutdown Add links to the mVLT port-channel on Peer 4 Domain_2_Peer4(conf)#interface range tengigabitethernet 0/31 - 32 Domain_2_Peer4(conf-if-range-te-0/16-17)#port-channel-protocol LA
Additional VLT Sample Configurations To configure VLT, configure a backup link and interconnect trunk, create a VLT domain, configure a backup link and interconnect trunk, and connect the peer switches in a VLT domain to an attached access device (switch or server). Review the following examples of VLT configurations. Configuring Virtual Link Trunking (VLT Peer 1) Enable VLT and create a VLT domain with a backup-link and interconnect trunk (VLTi).
Configure the backup link. Dell_VLTpeer2(conf)#interface ManagementEthernet 0/0 Dell_VLTpeer2(conf-if-ma-0/0)#ip address 10.11.206.35/ Dell_VLTpeer2(conf-if-ma-0/0)#no shutdown Dell_VLTpeer2(conf-if-ma-0/0)#exit Configure the VLT interconnect (VLTi).
Description Behavior at Peer Up Behavior During Run Time Action to Take The VLT peer does not boot up. The VLTi is forced to a down state. The VLT peer does not boot up. The VLTi is forced to a down state. Verify the domain ID matches on both VLT peers. A syslog error message and an SNMP trap are generated. A syslog error message and an SNMP trap are generated. Dell Networking Version mismatch A syslog error message is generated. A syslog error message is generated.
Description Behavior at Peer Up Behavior During Run Time Action to Take VLT LAG VLAN mismatch A syslog error message is generated. A syslog error message is generated. Verify that the VLAN configuration is same for the VLT lags on both peers. Specifying VLT Nodes in a PVLAN VLT enables redundancy without the implementation of Spanning Tree Protocol (STP), and provides a loop-free network with optimal bandwidth utilization.
case, if a PVLAN is present as a VLT PVLAN on at least one of the peers, then symmetric configuration of the PVLAN is validated to cause the VLTi to be a member of that VLAN. Whenever a change in the VLAN mode on one of the peers occurs, the information is synchronized with the other peer and VLTi is either added or removed from the VLAN based on the validation of the VLAN parity. For VLT VLANs, the association between primary VLAN and secondary VLANs is examined on both the peers.
Under such conditions, the IP stack performs the following operations: • The ARP reply is sent with the MAC address of the primary VLAN. • The ARP request packet originates on the primary VLAN for the intended destination IP address. The ARP request received on ICLs are not proxied, even if they are received with a secondary VLAN tag.
VLT LAG Mode PVLAN Mode of VLT VLAN ICL VLAN Membership Mac Synchronization Peer1 Peer2 Peer1 Peer2 Access Access Secondary (Isolated) Secondary (Isolated) Yes Yes - Primary VLAN X - Primary VLAN X Yes Yes Secondary (Isolated) Secondary (Isolated) No No - Primary VLAN X - Primary VLAN Y No No Secondary (Community) Secondary (Community) No No - Primary VLAN Y - Primary VLAN X No No Access Access Access Access Promiscuous Access Primary Secondary No No Trunk Access
5. To configure the VLT interconnect, repeat Steps 1–4 on the VLT peer switch. 6. Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 7. Enter the port-channel number that acts as the interconnect trunk. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number The range is from 1 to 128. 8.
private-vlan mode primary 8. Map secondary VLANs to the selected primary VLAN. INTERFACE VLAN mode private-vlan mapping secondary-vlan vlan-list The list of secondary VLANs can be: • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID). • Specified with this command even before they have been created. • Amended by specifying the new secondary VLAN to be added to the list.
regardless of the VLAN administrative state. IP address addition and deletion serve as the trigger events for synchronization. When a VLAN state is down, the VLT peer might perform a proxy ARP operation for the IP addresses of that VLAN interface. VLT nodes start performing Proxy ARP when the ICL link goes down. When the VLT peer comes up, proxy ARP will be stopped for the peer VLT IP addresses. When the peer node is rebooted, the IP address synchronized with the peer is not flushed.
peer-link port-channel 1 back-up destination 10.16.151.
Dell(conf-vlt-domain)# Dell#show running-config vlt vlt domain 1 peer-link port-channel 1 back-up destination 10.16.151.
58 Uplink Failure Detection (UFD) Uplink failure detection (UFD) is supported on the MXL switch platform. Feature Description UFD provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 139. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 140. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number and is calculated by the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with an UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
To revert to the default setting, use the no downstream disable links command. 4. (Optional) Enable auto-recovery so that UFD-disabled downstream ports in the uplink-state group come up when a disabled upstream port in the group comes back up. UPLINK-STATE-GROUP mode downstream auto-recover The default is auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command. 5. (Optional) Enters a text description of the uplink-state group.
00:10:12: 00:10:12: 00:10:12: 00:10:12: 00:10:13: 3 00:10:13: Te 0/4 00:10:13: Te 0/5 00:10:13: Te 0/6 00:10:13: 00:10:13: 00:10:13: %STKUNIT0-M:CP %STKUNIT0-M:CP %STKUNIT0-M:CP %STKUNIT0-M:CP %STKUNIT0-M:CP %IFMGR-5-ASTATE_DN: %IFMGR-5-OSTATE_DN: %IFMGR-5-OSTATE_DN: %IFMGR-5-OSTATE_DN: %IFMGR-5-OSTATE_DN: Changed Changed Changed Changed Changed interface Admin state to interface state to down: interface state to down: interface state to down: uplink state group state down: Te 0/3 Te 0/1 Te 0/2 Te 0/3
Example of Viewing Uplink State Group Status (S50) Example of Viewing Interface Status with UFD Information (S50) Examples of Viewing UFD Output Dell# show uplink-state-group Uplink Uplink Uplink Uplink Uplink Uplink State State State State State State Group: Group: Group: Group: Group: Group: 1 Status: Enabled, Up 3 Status: Enabled, Up 5 Status: Enabled, Down 6 Status: Enabled, Up 7 Status: Enabled, Up 16 Status: Disabled, Up Dell# show uplink-state-group 16 Uplink State Group: 16 Status: Disabled, Up
Rate info (interval 299 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled Uplink State Group : 3 Status: Enabled, Up Upstream Interfaces : Te 0/3(Up) Te 0/4(Up) Downstream Interfaces : Te 0/1(Up) Te 0/2(Up) Te 0/5(Up) Te 0/9(Up) Te 0/11(Up) Te 0/12(Up) < After a single uplink port fails > Dell#show uplink-state-group detail (Up): Interface up (Dwn): Interface down (Dis): Interface disabled Uplink State Group : 3 Status: Enabled, Up Upstream Interfaces : Te 0/3(Dwn) Te 0/4(Up) Downstream Interfaces : Te 0/1(Dis) Te
59 Upgrade Procedures To find the upgrade procedures, go to the Dell Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell Networking OS version. To upgrade your system type, follow the procedures in the Dell Networking OS Release Notes. Get Help with Upgrades Direct any questions or concerns about the Dell Networking OS upgrade procedures to the Dell Technical Support Center. You can reach Technical Support: • On the web: http://www.dell.
60 Virtual LANs (VLANs) Dell Networking OS supports virtual LANs (VLANs). VLANs are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The Dell Networking operating system (OS) supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN. • • Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN.
• The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes). • Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved. NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes as specified in the IEEE 802.3 standard. Some devices that are not compliant with IEEE 802.3 may not support the larger frame size.
Assigning Interfaces to a VLAN You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command. You can further designate these Layer 2 interfaces as tagged or untagged. For more information, refer to the Interfaces chapter and Configuring Layer 2 (Data Link) Mode.
T Tengig 3/1 4 Active T Po1(So 0/0-1) Dell# When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN. If the tagged interface is removed from the only VLAN to which it belongs, the interface is placed in the Default VLAN as an untagged interface. Moving Untagged Interfaces To move untagged interfaces from the Default VLAN to another VLAN, use the following commands. 1.
The only way to remove an interface from the Default VLAN is to place the interface in Default mode by using the no switchport command in INTERFACE mode. Assigning an IP Address to a VLAN VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces.
Enabling Null VLAN as the Default VLAN In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured. This presents a vulnerability because both interfaces are initially placed in the native VLAN, VLAN 1, and for that period customers are able to access each other's networks.
61 Virtual Router Redundancy Protocol (VRRP) Dell Networking OS supports virtual router redundancy protocol (VRRP). VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next hop IP address.
Figure 142. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables.
processed by the CP processor increases or decreases based on the dynamics of the network, the advertisement intervals in may increase or decrease accordingly. Table 78. Recommended VRRP Advertise Intervals Recommended Advertise Interval Groups/Interface Less than 250 1 second 255 Between 250 and 450 2–3 seconds 255 Between 450 and 600 3–4 seconds 255 VRRP Configuration By default, VRRP is not configured. Configuration Task List The following list specifies the configuration tasks for VRRP.
Example of Verifying the VRRP Configuration Dell(conf-if-te-1/1)#show conf ! interface Tengigabitethernet 1/1 ip address 10.10.10.
Assign Virtual IP addresses Virtual routers contain virtual IP addresses configured for that VRRP group (VRID). A VRRP group does not transmit VRRP packets until you assign the Virtual IP address to the VRRP group. To activate a VRRP group on an interface (so that VRRP group starts transmitting VRRP packets), configure at least one virtual IP address in a VRRP group. The virtual IP address is the IP address of the virtual router and does not require the IP address mask.
vrrp-group 222 no shutdown Dell(conf-if-te-1/1)# The following example shows the same VRRP group (VRID 111) configured on multiple interfaces on different subnets. Example of Verifying the VRRP Group Priority Dell#do show vrrp -----------------Tengigabitethernet 1/1, VRID: 111, Version: 2 Net: 10.10.10.1 State: Master, Priority: 255, Master: 10.10.10.
Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10 Authentication: (none) -----------------Tengigabitethernet 1/2, VRID: 111, Net: 10.10.2.1 State: Master, Priority: 125, Master: 10.10.2.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 601, Gratuitous ARP sent: 2 Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address: 10.10.2.2 10.10.2.
NOTE: You must configure all virtual routers in the VRRP group the same: you must configure all with preempt enabled or configure all with preempt disabled. Because preempt is enabled by default, disable the preempt function with the following command. • Prevent any BACKUP router with a higher priority from becoming the MASTER router. INTERFACE-VRID mode no preempt Re-enable preempt by entering the preempt command.
Example of the advertise-interval Command Example of Verifying the Configured Advertisement Interval The following example shows how to change the advertise interval using the advertise-interval command.
track interface [priority-cost cost] The cost range is from 1 to 254. • The default is 10. (Optional) Display the configuration and the UP or DOWN state of tracked objects, including the client (VRRP group) that is tracking an object’s state. EXEC mode or EXEC Privilege mode • show track (Optional) Display the configuration and the UP or DOWN state of tracked interfaces and objects in VRRP groups, including the time since the last change in an object’s state.
! interface TenGigabitEthernet 1/3 ip address 10.1.1.1/24 vrrp-group 21 virtual-address 10.1.1.2 no shutdown Dell# Setting VRRP Initialization Delay When configured, VRRP is enabled immediately upon system reload or boot. You can delay VRRP initialization to allow the IGP and EGP protocols to be enabled prior to selecting the VRRP Master. This delay ensures that VRRP initializes with no errors or conflicts. You can configure the delay for up to 15 minutes, after which VRRP enables normally.
support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes. The VRRP topology was created using the CLI configuration shown in the following example. Figure 143. VRRP for IPv4 Topology Example of Configuring VRRP for IPv4 R2(conf)#int tengig 2/31 R2(conf-if-te-2/31)#ip address 10.1.1.1/24 R2(conf-if-te-2/31)#vrrp-group 99 R2(conf-if-te-2/31-vrid-99)#priority 200 R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.
-----------------Tengigabitethernet 2/31, VRID: 99, Net: 10.1.1.1 State: Master, Priority: 200, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:63 Virtual IP address: 10.1.1.3 Authentication: (none) R2# Router 3 R3(conf)#int tengig 3/21 R3(conf-if-te-3/21)#ip address 10.1.1.2/24 R3(conf-if-te-3/21)#vrrp-group 99 R3(conf-if-te-3/21-vrid-99)#virtual 10.1.1.
62 Standards Compliance This chapter describes standards compliance for Dell Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking Operating System (OS), the system also supports predecessor standards. One way to search for predecessor standards is to use the http:// tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
General Internet Protocols The following table lists the Dell Networking OS support per platform for general internet protocols. Table 79.
RFC# Full Name 1812 Requirements for IP Version 4 Routers 2131 Dynamic Host Configuration Protocol 2338 Virtual Router Redundancy Protocol (VRRP) 3021 Using 31-Bit Prefixes on IPv4 Point-to-Point Links 3046 DHCP Relay Agent Information Option 3069 VLAN Aggregation for Efficient IP Address Allocation 3128 Protection Against a Variant of the Tiny Fragment Attack Border Gateway Protocol (BGP) The following table lists the Dell Networking OS support per platform for BGP protocols. Table 81.
RFC# Full Name 4222 Prioritized Treatment of Specific OSPF Version 2 Packets and Congestion Avoidance Routing Information Protocol (RIP) The following table lists the Dell Networking OS support per platform for RIP protocol. Table 83. Routing Information Protocol (RIP) RFC# Full Name 1058 Routing Information Protocol 2453 RIP Version 2 Network Management The following table lists the Dell Networking OS support per platform for network management protocol. Table 84.
RFC# Full Name 2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) 2574 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) 2575 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) 2576 Coexistence Between Version 1, Version 2, and Version 3 of the Internetstandard Network Management Framework 2578 Structure of Management Information Version 2 (SMIv2) 2579 Textual Conventions
RFC# Full Name 4001 Textual Conventions for Internet Network Addresses 4292 IP Forwarding Table MIB 4750 OSPF Version 2 Management Information Base 4520 RMON v2 MIB 5060 Protocol Independent Multicast MIB ANSI/TIA-1057 The LLDP Management Information Base extension module for TIATR41.
RFC# Full Name IEEE 802.1Qaz Management Information Base extension module for IEEE 802.1 organizationally defined discovery information (LDP-EXT-DOT1-DCBXMIB) IEEE 802.1Qbb Priority-based Flow Control module for managing IEEE 802.1Qbb MIB Location You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.
63 FC Flex IO Modules This part provides a generic, broad-level description of the operations, capabilities, and configuration commands of the Fiber Channel (FC) Flex IO module. FC Flex IO Modules This part provides a generic, broad-level description of the operations, capabilities, and configuration commands of the Fiber Channel (FC) Flex IO module.
In a typical Fibre Channel storage network topology, separate network interface cards (NICs) and host bus adapters (HBAs) on each server (two each for redundancy purposes) are connected to LAN and SAN networks respectively. These deployments typically include a ToR SAN switch in addition to a ToR LAN switch. By employing converged network adapters (CNAs) that the FC Flex IO module supports, CNAs are used to transmit FCoE traffic from the server instead of separate NIC and HBA devices.
Guidelines for Working with FC Flex IO Modules The following guidelines apply to the FC Flex IO module: • All the ports of FC Flex IO modules operate in FC mode, and do not support Ethernet mode. • FC Flex IO modules are not supported in the chassis management controller (CMC) GUI. • The only supported FCoE functionality is NPIV proxy gateway. Configure the other FCoE services, such as name server, zone server, and login server on an external FC switch.
Installing the Optics The following optical ports are supported on the FC Flex IO module using one of the supported breakout cables: • 4G or 8G Fibre Channel small form-factor pluggable plus (SFP+) optics module and LC connectors over a distance of 150 meters. • 4G or 8G Fibre Channel SFP+ optics module and LC connectors over a distance of 4 km. CAUTION: Electrostatic discharge (ESD) damage can occur if the components are mishandled.
application. The FIP application establishes virtual links to convert FCoE FLOGI accept messages into FIP FLOGI accept messages. The corresponding ACL for the accept message is then applied. If a FIP timeout from ENode or VN_PORT occurs, the NPIV application performs the FC fabric logout to the external FC switch. The NPIV application manages the sessions between the FCoE and the FC domain.
Before installing the switch or switches, make sure that the chosen installation location meets the following site requirements: • Clearance — There is adequate front and rear clearance for operator access. Allow clearance for cabling, power connections, and ventilation. • Cabling — The cabling is routed to avoid sources of electrical noise such as radio transmitters, broadcast amplifiers, power lines, and fluorescent lighting fixtures.
• The FC Flex I/O module sends a proxy FLOGI request to the upstream F_Port of the FC switch or the MDS switch. The F_port accepts the proxy FLOGI request for the FC Flex IO virtual N_Port. The converged network adapters (CNAs) are brought online and the FIP application is run. • Discovery of the VLAN and FCF MAC addresses is completed.
Figure 146. Case 2: Deployment Scenario of Configuring FC Flex IO Modules Data Center Bridging (DCB) Data center bridging (DCB) is supported on the FC Flex IO module installed in the MXL 10/40GbE Switch. Ethernet Enhancements in Data Center Bridging The following section describes DCB.
InterProcess Communication (IPC) traffic InterProcess Communication (IPC) traffic within high-performance computing clusters to share information. Server traffic is extremely sensitive to latency requirements. To ensure lossless delivery and latency-sensitive scheduling of storage and service traffic and I/O convergence of LAN, storage, and server traffic over a unified fabric, IEEE data center bridging adds the following extensions to a classical Ethernet network: • 802.
• • – If the negotiation fails and PFC is enabled on the port, any user-configured PFC input policies are applied. If no PFC input policy has been previously applied, the PFC default setting is used (no priorities configured). If you do not enable PFC on an interface, you can enable the 802.3x link-level pause function. By default, the link-level pause is disabled. PFC supports buffering to receive data that continues to arrive on an interface while the remote system reacts to the PFC operation.
• ETS supports groups of 802.1p priorities that have: – PFC enabled or disabled – No bandwidth limit or no ETS processing • Bandwidth allocated by the ETS algorithm is made available after strict-priority groups are serviced. If a priority group does not use its allocated bandwidth, the unused bandwidth is made available to other priority groups. • For ETS traffic selection, an algorithm is applied to priority groups using: – Strict priority shaping – ETS shaping • ETS uses the DCB MIB IEEE 802.
Important Points to Remember • If you remove a dot1p priority-to-priority group mapping from a DCB map (no priority pgid command), the PFC and ETS parameters revert to their default values on the interfaces on which the DCB map is applied. By default, PFC is not applied on specific 802.1p priorities; ETS assigns equal bandwidth to each 802.1p priority. As a result, PFC and lossless port queues are disabled on 802.
Configuring Lossless Queues DCB also supports the manual configuration of lossless queues on an interface after you disable PFC mode in a DCB map and apply the map on the interface. The configuration of no-drop queues provides flexibility for ports on which PFC is not needed, but lossless traffic should egress from the interface. Lossless traffic egresses out the no-drop queues. Ingress 802.1p traffic from PFC-enabled peers is automatically mapped to the nodrop egress queues.
• • • Discovery of DCB capabilities on peer-device connections. Determination of possible mismatch in DCB configuration on a peer link. Configuration of a peer device over a DCB link. DCBx requires the link layer discovery protocol (LLDP) to provide the path to exchange DCB parameters with peer devices. Exchanged parameters are sent in organizationally specific TLVs in LLDP data units. For more information, refer to Link Layer Discovery Protocol (LLDP).
To disable or re-enable DCB on a switch, enter the following commands. 1. Disable DCB. CONFIGURATION mode no dcb enable 2. Re-enable DCB. CONFIGURATION mode dcb enable NOTE: Dell Networking OS Behavior: DCB is not supported if you enable link-level flow control on one or more interfaces. After you disable DCB, if link-level flow control is not automatically enabled on an interface, to enable flow control, manually shut down the interface (the shutdown command) and re-enable it (the no shutdown command).
NOTE: If you reconfigure the global dot1p-queue mapping, an automatic re-election of the DCBX configuration source port is performed (refer to Configuration Source Election). Configure Enhanced Transmission Selection ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs. Using ETS, you can create groups within an 802.
To create a QoS output policy that allocates different amounts of bandwidth to the different traffic types/ dot1p priorities assigned to a queue and apply the output policy to the interface, follow these steps. 1. Create a QoS output policy. CONFIGURATION mode Dell(conf)#qos-policy-output test12 The maximum 32 alphanumeric characters. 2. Configure the percentage of bandwidth to allocate to the dot1p priority/queue traffic in the associated L2 class map.
• Configure Enhanced Transmission Selection • Configuring FIP Snooping DCBx supports the following versions: CIN, CEE, and IEEE2.5. Prerequisite: For DCBx, enable LLDP on all DCB devices. DCBx Operation DCBx performs the following operations: • Discovers DCB configuration (such as PFC and ETS) in a peer device. • Detects DCB mis-configuration in a peer device; that is, when DCB features are not compatibly configured on a peer device and the local switch.
generated. The network administrator must then reconfigure the peer device so that it advertises a compatible DCB configuration. The internally propagated configuration is not stored in the switch’s running configuration. On a DCBX port in an auto-downstream role, all PFC, application priority, ETS recommend, and ETS configuration TLVs are enabled. Configuration source The port is configured to serve as a source of configuration information on the switch.
Configuration Source Election When an auto-upstream or auto-downstream port receives a DCB configuration from a peer, the port first checks to see if there is an active configuration source on the switch. • If a configuration source already exists, the received peer configuration is checked against the local port configuration. If the received configuration is compatible, the DCBx marks the port as DCBx-enabled.
NOTE: Because DCBx TLV processing is best effort, it is possible that CIN frames may be processed when DCBx is configured to operate in CEE mode and vice versa. In this case, the unrecognized TLVs cause the unrecognized TLV counter to increment, but the frame is processed and is not discarded. Legacy DCBx (CIN and CEE) supports the DCBx control state machine that is defined to maintain the sequence number and acknowledge the number sent in the DCBx control TLVs.
DCBx Prerequisites and Restrictions The following prerequisites and restrictions apply when you configure DCBx operation on a port: • For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
PROTOCOL LLDP mode [no] advertise DCBx-tlv {ets-conf | ets-reco | pfc} [ets-conf | ets-reco | pfc] [etsconf | ets-reco | pfc] • ets-conf: enables the advertisement of ETS Configuration TLVs. • ets-reco: enables the advertisement of ETS Recommend TLVs. • pfc enables: the advertisement of PFC TLVs. The default is All PFC and ETS TLVs are advertised. NOTE: You can configure the transmission of more than one TLV type at a time; for example, advertise DCBx-tlv ets-conf ets-reco.
NOTE: To configure the DCBx port role the interfaces use to exchange DCB information, use the DCBx port-role command in INTERFACE Configuration mode (Step 3). 4. Configure the PFC and ETS TLVs that advertise on unconfigured interfaces with a manual port-role. PROTOCOL LLDP mode [no] advertise DCBx-tlv {ets-conf | ets-reco | pfc} [ets-conf | ets-reco | pfc] [etsconf | ets-reco | pfc] • ets-conf: enables transmission of ETS Configuration TLVs. • ets-reco: enables transmission of ETS Recommend TLVs.
DCBx Error Messages The following syslog messages appear when an error in DCBx operation occurs. LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface. LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface. DSM_DCBx_PEER_VERSION_CONFLICT: A local port expected to receive the IEEE, CIN, or CEE version in a DCBx TLV from a remote peer but received a different, conflicting DCBx version.
Command Output To clear PFC TLV counters, use the clear pfc counters interface port-type slot/port command. show interface port-type slot/port pfc statistics Displays counters for the PFC frames received and transmitted (by dot1p priority class) on an interface. show interface port-type slot/port ets {summary | detail} Displays the ETS configuration applied to egress traffic on an interface, including priority groups with priorities and bandwidth allocation.
Oper status is recommended PFC DCBx Oper status is Up State Machine Type is Feature TLV Tx Status is enabled PFC Link Delay 45556 pause quanta Application Priority TLV Parameters : -------------------------------------FCOE TLV Tx Status is disabled ISCSI TLV Tx Status is disabled Local FCOE PriorityMap is 0x8 Local ISCSI PriorityMap is 0x10 Remote FCOE PriorityMap is 0x8 Remote ISCSI PriorityMap is 0x8 0 Input TLV pkts, 1 Output TLV pkts, 0 Error pkts, 0 Pause Tx pkts, 0 Pause Rx pkts The following table de
Fields Description Application Priority TLV: ISCSI TLV Tx Status Status of ISCSI advertisements in application priority TLVs from local DCBx port: enabled or disabled. Application Priority TLV: Local FCOE Priority Map Priority bitmap used by local DCBx port in FCoE advertisements in application priority TLVs. Application Priority TLV: Local ISCSI Priority Map Priority bitmap used by local DCBx port in ISCSI advertisements in application priority TLVs.
Remote is disabled Local Parameters : -----------------Local is enabled TC-grp Priority# 0 0,1,2,3,4,5,6,7 1 2 3 4 5 6 7 Bandwidth 100% 0% 0% 0% 0% 0% 0% 0% Priority# Bandwidth 0 13% 1 13% 2 13% 3 13% 4 12% 5 12% 6 12% 7 12% Oper status is init Conf TLV Tx Status is disabled Traffic Class TLV Tx Status is disabled 0 Input Conf TLV Pkts, 0 Output Conf TLV 0 Input Traffic Class TLV Pkts, 0 Output Pkts TSA ETS ETS ETS ETS ETS ETS ETS ETS TSA ETS ETS ETS ETS ETS ETS ETS ETS Pkts, 0 Error Conf TLV Pkts Traff
1 2 3 4 5 6 7 0% 0% 0% 0% 0% 0% 0% Priority# Bandwidth 0 13% 1 13% 2 13% 3 13% 4 12% 5 12% 6 12% 7 12% Oper status is init Conf TLV Tx Status is disabled Traffic Class TLV Tx Status is disabled 0 Input Conf TLV Pkts, 0 Output Conf TLV 0 Input Traffic Class TLV Pkts, 0 Output Pkts ETS ETS ETS ETS ETS ETS ETS TSA ETS ETS ETS ETS ETS ETS ETS ETS Pkts, 0 Error Conf TLV Pkts Traffic Class TLV Pkts, 0 Error Traffic Class TLV Table 88.
Field Description State Machine Type Type of state machine used for DCBx exchanges of ETS parameters: • • Feature: for legacy DCBx versions Asymmetric: for an IEEE version Conf TLV Tx Status Status of ETS Configuration TLV advertisements: enabled or disabled. ETS TLV Statistic: Input Conf TLV pkts Number of ETS Configuration TLVs received. ETS TLV Statistic: Output Conf TLV pkts Number of ETS Configuration TLVs transmitted.
6 7 8 - - Dell(conf)# show interface tengigabitethernet 0/49 dcbx detail Dell#show interface te 0/49 dcbx detail E-ETS Configuration TLV enabled e-ETS Configuration TLV disabled R-ETS Recommendation TLV enabled r-ETS Recommendation TLV disabled P-PFC Configuration TLV enabled p-PFC Configuration TLV disabled F-Application priority for FCOE enabled f-Application Priority for FCOE disabled I-Application priority for iSCSI enabled i-Application Priority for iSCSI disabled -----------------------------------
Field Description Local DCBx Configured mode DCBx version configured on the port: CEE, CIN, IEEE v2.5, or Auto (port auto-configures to use the DCBx version received from a peer). Peer Operating version DCBx version that the peer uses to exchange DCB parameters. Local DCBx TLVs Transmitted Transmission status (enabled or disabled) of advertised DCB TLVs (see TLV code at the top of the show command output). Local DCBx Status: DCBx Operational Version DCBx version advertised in Control TLVs.
Figure 151. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
dot1p Value in Incoming Frame Queue Assignment 7 3 The following describes the dot1p-priority class group assignment dot1p Value in the Incoming Frame Priority Group Assignment 0 LAN 1 LAN 2 LAN 3 SAN 4 IPC 5 LAN 6 LAN 7 LAN The following describes the priority group-bandwidth assignment.
Example: When the dcb-buffer-threshold policy is applied on interfaces or stack ports with the dcb-input or dcb-output policies, the following error message is displayed: %Error: dcb-buffer-threshold not supported on interfaces with deprecated commands Example: When the dcb-input or dcb-output policy is configured on interfaces or stack ports with the dcb-buffer threshold policy, the following error message is displayed: %Error: Deprecated command is not supported on interfaces with dcb-buffer-threshold con
NPIV Proxy Gateway Configuration on FC Flex IO Modules The Fibre Channel (FC) Flex IO module is supported on the MXL 10/40GbE Switch. The MXL switch, installed with the FC Flex IO module, function as a top-of-rack edge switch that supports Converged Enhanced Ethernet (CEE) traffic — Fibre Channel over Ethernet (FCoE) for storage, Interprocess Communication (IPC) for servers, and Ethernet local area network (LAN) (IP cloud) for data — as well as FC links to one or more storage area network (SAN) fabrics.
the fabric. An FCoE map virtualizes the upstream SAN fabric as an FCF to downstream CNA ports on FCoE-enabled servers as follows: • As soon as an FC N port comes online (no shutdown command), the NPG starts sending FIP multicast advertisements, which contain the fabric name derived from the 64-bit worldwide name (WWN) of the principal SAN switch. (The principal switch in a fabric is the FC switch with the lowest domain ID.
Term Description Ethernet for FCoE transport and de-encapsulate Fibre Channel frames from FCoE to native Fibre Channel. DCB map Template used to configure DCB parameters, including priority-based flow control (PFC) and enhanced transmission selection (ETS), on CEE ports. Fibre Channel fabric Network of Fibre Channel devices and storage arrays that interoperate and communicate. FCF Fibre Channel forwarder: FCoE-enabled switch that can forward FC traffic to both downstream FCoE and upstream FC devices.
• The association between the FCoE VLAN ID and FC fabric ID where the desired storage arrays are installed. Each Fibre Channel fabric serves as an isolated SAN topology within the same physical network. • The priority used by a server to select an upstream FCoE forwarder (FCF priority) • FIP keepalive (FKA) advertisement timeout NOTE: In each FCoE map, the fabric ID, FC-MAP value, and FCoE VLAN must be unique. Use one FCoE map to access one SAN fabric.
CONFIGURATION mode dcb-map name 2. Configure the PFC setting (on or off) and the ETS bandwidth percentage allocated to traffic in each priority group. Configure whether the priority group traffic should be handled with strict-priority scheduling. The sum of all allocated bandwidth percentages must be 100 percent. Strict-priority traffic is serviced first. Afterward, bandwidth allocated to other priority groups is made available and allocated according to the specified percentages.
2. Apply the DCB map on an Ethernet port or port channel. The port is configured with the PFC and ETS settings in the DCB map. Repeat this step to apply a DCB map to more than one port or port channel. INTERFACE mode dcb-map name Dell# interface tengigabitEthernet 0/0 Dell(config-if-te-0/0)# dcb-map SAN_DCB1 Creating an FCoE VLAN Create a dedicated VLAN to send and receive Fibre Channel traffic over FCoE links between servers and a fabric over an NPG.
FCoE MAP mode description text 4. Specify the FC-MAP value used to generate a fabric-provided MAC address, which is required to send FCoE traffic from a server on the FCoE VLAN to the FC fabric specified in Step 2. Enter a unique MAC address prefix as the FC-MAP value for each fabric. Range: 0EFC00–0EFCFF. Default: None. FCoE MAP mode fc-map fc-map-value 5. Configure the priority used by a server CNA to select the FCF for a fabric login (FLOGI). Range: 1–255. Default: 128.
Applying an FCoE Map on Fabric-facing FC Ports The MXL 10/40GbE Switch, with the FC Flex IO module FC ports, are configured by default to operate in N port mode to connect to an F port on an FC switch in a fabric. You can apply only one FCoE map on an FC port. When you apply an FCoE map on a fabric-facing FC port, the FC port becomes part of the FCoE fabric, whose settings in the FCoE map are configured on the port and exported to downstream server CNA ports.
Dell(conf-dcbx-name)# priority-pgid 0 0 0 1 2 4 4 4 2. Apply the DCB map on a downstream (server-facing) Ethernet port: Dell(config)# interface tengigabitethernet 1/0 Dell(config-if-te-0/0)#dcb-map SAN_DCB_MAP 3. Create the dedicated VLAN to be used for FCoE traffic: Dell(conf)#interface vlan 1002 4.
Command Description Enter the name of an FCoE map to display the FC and FCoE parameters configured in the map to be applied on MXL 10/40GbE Switch with the FC Flex IO module Ethernet (FCoE) and FC ports. show qos dcb-map map-name Displays configuration parameters in a specified DCB map. show npiv devices [brief] Displays information on FCoE and FC devices currently logged in to the NPG.
Duplex Data transmission mode: Full (allows communication in both directions at the same time), Half (allows communication in both directions but not at the same time), Auto (autonegotiated transmission). VLAN VLAN IDs of the VLANs in which the port is a member.
show qos dcb-map Command Examples Dell# show qos dcb-map dcbmap2 State :Complete PfcMode:ON -------------------PG:0 TSA:ETS BW:50 PFC:OFF Priorities:0 1 2 4 5 6 7 PG:1 TSA:ETS Priorities:3 BW:50 PFC:ON Table 94. show qos dcb-map Field Descriptions Field Description State Complete: All mandatory DCB parameters are correctly configured. In progress: The DCB map configuration is not complete. Some mandatory parameters are not configured. PFC Mode PFC configuration in the DCB map: On (enabled) or Off.
Field Description FCoE-Vlan VLAN ID of the dedicated VLAN used to transmit FCoE traffic to and from the fabric. Fabric-Intf Fabric-facing Fibre Channel port (slot/port) on which FC traffic is transmitted to the specified fabric. Fabric-Map Name of the FCoE map containing the FCoE/FC configuration parameters for the server CNA-fabric connection. Login Method Method used by the server CNA to log in to the fabric; for example: FLOGI - ENode logged in using a fabric login (FLOGI).
Field Description Fabric Intf Fabric-facing MXL 10/40GbE Switch with the FC Flex IO module Fibre Channel port (slot/port) on which FCoE traffic is transmitted to the specified fabric. FCoE VLAN ID of the dedicated VLAN used to transmit FCoE traffic from a server CNA to a fabric and configured on both the server-facing MXL 10/40GbE Switch with the FC Flex IO module port and server CNA port.
