Dell Networking Configuration Guide for the MXL 10/40GbE Switch I/O Module 9.8(0.
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

Copyright © 2015 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
1 About this Guide

This guide describes the supported protocols and software features, and provides configuration instructions and examples, for the Dell Networking MXL 10/40GbE Switch IO Module. The MXL 10/40GbE Switch IO Module is installed in a Dell PowerEdge M1000e Enclosure. For information about how to install and perform the initial switch configuration, refer to the Getting Started Guides on the Dell Support website at http://support.dell.com/manuals.

Related Documents

For more information about the Dell Networking MXL 10/40GbE Switch IO Module, refer to the following documents:
• Dell Networking OS Command Reference
• Dell Quick Start Guide
• Dell Networking OS Release Notes
2 Configuration Fundamentals

The Dell Networking operating system command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. In the Dell Networking OS, after you enable a command, it is entered into the running configuration file.

• INTERFACE sub-mode is the mode in which you configure Layer 2 and Layer 3 protocols and IP services specific to an interface. An interface can be physical (Management interface, 10 Gigabit Ethernet, 40 Gigabit Ethernet, or synchronous optical network technologies [SONET]) or logical (Loopback, Null, port channel, or virtual local area network [VLAN]).
• LINE sub-mode is the mode in which you configure the console and virtual terminal lines.
• CLI Command Mode: CONFIGURATION
  Prompt: Dell(conf)#
  Access Command:
  • From any other mode, use the end command.
  • From EXEC privilege mode, enter the configure command.
  • From every mode except EXEC and EXEC Privilege, enter the exit command.

NOTE: Access all of the following modes from CONFIGURATION mode.

• ROUTER BGP: prompt Dell(conf-router_bgp)#; access command router bgp
• BGP ADDRESS-FAMILY: prompt Dell(conf-router_bgp_af)# (for IPv4) or Dell(conf-router_bgpv6_af)# (for IPv6); access command address-family {ipv4 multicast | ipv6 unicast} (ROUTER BGP mode)
• ROUTER ISIS: prompt Dell(conf-router_isis)#; access command router isis
• ISIS ADDRESS-FAMILY: prompt Dell(conf-router_isisaf_ipv6)#; access command address-family ipv6 unicast (ROUTER ISIS mode)
• ROUTER OSPF: prompt Dell(conf-router_ospf)#; access command router ospf
• ROUTER OSPFV3: prompt Dell(conf-ipv6router_ospf)#; access command ipv6 router

• QOS POLICY: prompt Dell(conf-qos-policy-outets)#; access command qos-policy-output
• VLT DOMAIN: prompt Dell(conf-vlt-domain)#; access command vlt domain
• VRRP: prompt Dell(conf-if-interface-typeslot/port-vrid-vrrp-groupid)#; access command vrrp-group
• u-Boot: prompt Dell(=>)#; press any key when the following line appears on the console during a system boot: Hit any key to stop autoboot:
• UPLINK STATE GROUP: prompt Dell(conf-uplink-state-groupgroupID)#; access command uplink-state-group

The following example shows how to change the command mode from CONFIGUR
Example of Viewing Disabled Commands

Dell(conf)#interface gigabitethernet 4/17
Dell(conf-if-gi-4/17)#ip address 192.168.10.1/24
Dell(conf-if-gi-4/17)#show config
!
interface GigabitEthernet 4/17
 ip address 192.168.10.1/24
 no shutdown
Dell(conf-if-gi-4/17)#no ip address
Dell(conf-if-gi-4/17)#show config
!
interface GigabitEthernet 4/17
 no ip address
 no shutdown

Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command.

Short-Cut Key Combination and Action
• CNTL-A: Moves the cursor to the beginning of the command line.
• CNTL-B: Moves the cursor back one character.
• CNTL-D: Deletes the character at the cursor.
• CNTL-E: Moves the cursor to the end of the line.
• CNTL-F: Moves the cursor forward one character.
• CNTL-I: Completes a keyword.
• CNTL-K: Deletes all characters from the cursor to the end of the command line.
• CNTL-L: Re-enters the previous command.
• show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and “ethernet.” The grep command displays only the lines containing specified text. The following shows this command used in combination with the do show stack-unit all stack-ports pfc details | grep 0 command.
• On the system that telnets into the switch, this message appears:
  % Warning: The following users are currently configuring the system: User "" on line console0
• On the system that is connected over the console, this message appears:
  % Warning: User "" on line vty0 "10.11.130.

3 Getting Started

This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) during which the route processor module (RPM), switch fabric module (SFM), and line card status light emitting diodes (LEDs) blink green. The system then loads the Dell Networking operating system. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption.

Console Access

The MXL 10/40GbE Switch IO Module has two management ports available for system access: a serial console port and an out-of-band (OOB) port.

Serial Console

A universal serial bus (USB) (A-Type) connector is located at the front panel. The USB can be defined as an External Serial Console (RS-232) port, and is labeled on the MXL 10/40GbE Switch IO Module chassis. The USB is present on the lower side, as you face the I/O side of the chassis, as shown.
External Serial Port with a USB Connector

The following table lists the pin assignments.

Table 2. Pin Assignments
USB Pin Number   Signal Name
Pin 1            RTS
Pin 2            RX
Pin 3            TX
Pin 4            CTS
Pin 5, 6         GND (RxD / chassis GND)

Accessing the CLI Interface and Running Scripts Using SSH

In addition to the capability to access a device using a console connection or a Telnet session, you can also use SSH for secure, protected communication with the device.

When you run commands over SSH, errors that occur while a command executes are not reported, so you cannot tell whether a command failed to be processed. The console output, however, is redirected back over SSH.

Boot Process

After you follow the Installation Procedure in the Getting Started Guide, the MXL switch boots up. The MXL switch with Dell Networking OS version 8.3.16.1 requires boot flash version 4.0.1.0 and boot selector version 4.0.0.0.

Initialized eMMC Host Controller
Detected SD Card
Now running in RAM - U-Boot [N64 ABI, Big-Endian] at: ffffffff8c100000
Flash: 256 MB
PCIE (B0:D01:F0) : Link up.
PCIE (B0:D01:F1) : No Link.
Configuring a Host Name

The host name appears in the prompt. The default host name is Dell.
• Host names must start with a letter and end with a letter or digit.
• Characters within the string can be letters, digits, and hyphens.
To create a host name, use the following command.
• Create a host name.
  CONFIGURATION mode
  hostname name

Example of the hostname Command
Dell(conf)#hostname R1
R1(conf)#

Accessing the System Remotely

You can configure the system to access it remotely by Telnet or SSH.

Configure a Management Route

Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port. To configure a management route, use the following command.
• Configure a management route to the network from which you are accessing the system.
  CONFIGURATION mode
  management route ip-address/mask gateway
  – ip-address: the network address in dotted-decimal format (A.B.C.
* 5 is for inputting a password that is already encrypted using an MD5 hash. Obtain the encrypted password from the configuration file of another Dell Networking system. You can only use this for the enable secret password.

Configuration File Management

Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode.

Example of Copying a File to an FTP Server
Example of Importing a File to the Local System

The bold flash shows the local location and the bold ftp shows the remote location.

Dell#copy flash://FTOS-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-EF-8.2.1.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27952672 bytes successfully copied
core1#$//copy ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-EF-8.2.1.0.bin flash://
Destination file name [FTOS-EF-8.

restore your original startup-configuration in this situation, overwrite the new startup-configuration with the original one using the copy startup-config.bak startup-config command.

Viewing Files

You can only view file information and content on local file systems. To view a list of files or the contents of a file, use the following commands.
• View a list of files on the internal flash.
  EXEC Privilege mode
  dir flash:
• View a list of files on the usbflash.

View Configuration Files

Configuration files have three commented lines at the beginning of the file, as shown in the following example, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startup-configuration.

!
3998 bytes successfully copied
DellS#dir
Directory of usbflash:
  1  drwx  4096  Jan 01 1980 00:00:00 +00:00 .
  2  drwx  2048  May 02 2012 07:05:06 +00:00 ..
  3  -rwx  1272  Apr 29 2011 16:15:14 +00:00 startup-config
  4  -rwx  3998  May 11 2011 23:36:12 +00:00 test

View the Command History

The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer.
the local copy is exactly the same as the published software image. This validation procedure, and the verify {md5 | sha256} command to support it, can prevent the installation of corrupted or modified images. The verify {md5 | sha256} command calculates and displays the hash of any file on the specified local flash drive. You can compare the displayed hash against the appropriate hash published on i-Support.
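As an added example (not the guide's verify command, which runs on the switch itself), the following Python performs the same integrity check on the management host before an image is copied to flash: it streams the file through MD5 or SHA-256, reads a published hash list in the sha256sum-style "HEX  filename" layout (that layout is an assumption), and compares in constant time. The image bytes and the hash list are constructed for the demonstration.

```python
"""Check a downloaded software image against a published hash before copying
it to the switch. Added example; the image bytes, the hash list and its
'HEX  filename' layout are constructed assumptions, not Dell's own format."""
import hashlib
import hmac
import os
import tempfile

SUPPORTED = ("md5", "sha256")   # the two algorithms the switch's verify command offers
HEXDIGITS = set("0123456789abcdefABCDEF")


def file_digest(path, algo, chunk=1 << 20):
    """Hex digest of a file, streamed so large images need not fit in memory."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algo}")
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_published_hashes(text):
    """Parse 'HEX  filename' (or 'HEX *filename') lines into {filename: hex}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if not name or not digest or not set(digest) <= HEXDIGITS:
            raise ValueError(f"malformed hash line: {raw!r}")
        table[name] = digest.lower()
    return table


def verify_image(path, published, algo="sha256"):
    """True only when the local file's digest equals the published one.

    An image with no published entry, or an entry whose length does not match
    the chosen algorithm, is treated as unverifiable and therefore rejected.
    hmac.compare_digest keeps the comparison independent of where bytes differ."""
    expected = published.get(os.path.basename(path))
    if expected is None:
        return False
    if len(expected) != hashlib.new(algo).digest_size * 2:
        return False
    return hmac.compare_digest(file_digest(path, algo), expected)


def demo():
    """Constructed image plus matching hash list: good copy, wrong algorithm,
    then a one-byte corruption (what a damaged or modified download looks like)."""
    payload = b"constructed image payload\n" * 1000
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "EXAMPLE-IMAGE.bin")
        with open(path, "wb") as f:
            f.write(payload)
        published = parse_published_hashes(
            f"# constructed hash list\n{hashlib.sha256(payload).hexdigest()}  EXAMPLE-IMAGE.bin\n")
        good = verify_image(path, published, "sha256")
        wrong_algo = verify_image(path, published, "md5")
        with open(path, "r+b") as f:   # flip one byte in the middle of the file
            f.seek(len(payload) // 2)
            f.write(b"X")
        corrupted = verify_image(path, published, "sha256")
    return good, wrong_algo, corrupted


if __name__ == "__main__":
    print(demo())   # expected: (True, False, False)
```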
4 Management

Management is supported on the Dell Networking MXL 10/40GbE Switch IO Module. This chapter describes the different protocols or services used to manage the Dell Networking system.

Configuring Privilege Levels

Privilege levels restrict access to commands based on user or terminal line. There are 15 privilege levels, of which two are pre-defined. The default privilege level is 1.

Allowing Access to INTERFACE, LINE, ROUTE-MAP, and ROUTER Mode

1. Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE, ROUTE-MAP, and ROUTER modes, first allow access to the command that enters you into the mode. For example, allow a user to enter INTERFACE mode using the privilege configure level level interface gigabitethernet command.
2.

Current privilege level is 3.
Dell#?
capture     Capture packet
configure   Configuring from terminal
disable     Turn off privileged commands
enable      Turn on privileged commands
exit        Exit from the EXEC
ip          Global IP subcommands
monitor     Monitoring feature
mtrace      Trace reverse multicast path from destination to source
ping        Send echo messages
quit        Exit from the EXEC
show        Show running system information
[output omitted]
Dell#config
[output omitted]
Dell(conf)#do show priv
Current privilege level is 3.

Configuring Logging

The Dell Networking operating system tracks changes in the system using event and error messages. By default, the system logs these messages on:
• the internal buffer
• console and terminal lines
• any configured syslog servers
To disable logging, use the following commands.
• Disable all logging except on the console.
  CONFIGURATION mode
  no logging on
• Disable logging to the logging buffer.
  CONFIGURATION mode
  no logging buffer
• Disable logging to terminal lines.
The security log contains security events and information. RBAC restricts access to audit and security logs based on the CLI sessions' user roles. The types of information in this log consist of the following:
• Establishment of secure traffic flows, such as SSH.
• Violations on secure flows or certificate issues.
• Adding and deleting of users.

Configuring Logging Format

To display syslog messages in an RFC 3164 or RFC 5424 format, use the logging version [0 | 1] command in CONFIGURATION mode. By default, the system log version is set to 0.

1. On the switch, enable the SSH server.
   Dell(conf)#ip ssh server enable
2. On the syslog server, create a reverse SSH tunnel from the syslog server to the FTOS switch, using the following syntax:
   ssh -R switch-port:syslog-server-ip:syslog-server-port user@remote_host -nNf
   In the following example, the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.141 and the listening port is 5140.
   ssh -R 5140:10.156.166.48:5141 admin@10.16.131.141 -nNf
3.

Log Messages in the Internal Buffer

All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
In the previous lines, local7 is the logging facility level and debugging is the severity level.

Changing System Logging Settings

You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged. To specify the system logging settings, use the following commands.

Display the Logging Buffer and the Logging Configuration

To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and the system administrator can view the security logs.

– local0 (for local use)
– local1 (for local use)
– local2 (for local use)
– local3 (for local use)
– local4 (for local use)
– local5 (for local use)
– local6 (for local use)
– local7 (for local use)
– lpr (for line printer system messages)
– mail (for mail system messages)
– news (for USENET news messages)
– sys9 (system use)
– sys10 (system use)
– sys11 (system use)
– sys12 (system use)
– sys13 (system use)
– sys14 (system use)
– syslog (for syslog messages)
– user (for user programs)
– uucp (UNIX to UNIX
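The logging version (RFC 3164 versus RFC 5424) and the facility/severity encoding described above, as an added example that is not part of the guide: this Python decodes the PRI header of messages a switch emits in either format, reading local7 and debugging back out of it, and filters by severity the way the severity-level argument of the logging commands does. The facility numbering for sys9 to sys14 and cron is an assumption; the sample messages and their %SEC/%SYS mnemonics are constructed.

```python
"""Decode syslog messages as a Dell Networking switch sends them in logging
version 0 (RFC 3164) or logging version 1 (RFC 5424) format, and filter them
by severity the way the logging commands' severity-level argument does.
Added example; the sample messages and their %SEC/%SYS mnemonics are constructed."""
import re

# Severity names as the guide uses them; numeric values 0-7 per RFC 3164/5424.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Facility codes per RFC 3164/5424 with the names from the guide's facility list.
# Assumption: the guide's sys9-sys14 are codes 9-14 and cron is code 15.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 15: "cron"}
FACILITIES.update({n: f"sys{n}" for n in range(9, 15)})
FACILITIES.update({16 + n: f"local{n}" for n in range(8)})

_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
_BSD = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def decode_pri(pri):
    """PRI = facility * 8 + severity; e.g. <191> is local7 + debugging."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(line):
    """Return a dict with facility, severity, host and message for either format."""
    m = _PRI.match(line)
    if not m:
        raise ValueError("message has no <PRI> header")
    pri, rest = int(m.group(1)), m.group(2)
    facility, severity = decode_pri(pri)
    rec = {"pri": pri, "facility": facility, "severity": severity,
           "severity_num": pri % 8}
    if rest.startswith("1 "):
        # RFC 5424 (logging version 1): VERSION TIMESTAMP HOSTNAME APP-NAME
        # PROCID MSGID STRUCTURED-DATA [MSG]; the header fields never contain spaces.
        fields = rest.split(" ", 6)
        if len(fields) < 7:
            raise ValueError("truncated RFC 5424 header")
        _, ts, host, app, procid, msgid, tail = fields
        sd_parts = []
        # STRUCTURED-DATA is "-" or one or more [...] elements that may contain spaces.
        while tail.startswith("["):
            close = tail.find("]")
            while close != -1 and tail[close - 1] == "\\":   # skip an escaped "\]"
                close = tail.find("]", close + 1)
            if close == -1:
                raise ValueError("unterminated structured data")
            sd_parts.append(tail[:close + 1])
            tail = tail[close + 1:]
        if sd_parts:
            sd, msg = "".join(sd_parts), tail.lstrip()
        elif tail.startswith("-"):
            sd, msg = "-", tail[1:].lstrip()
        else:
            raise ValueError("missing structured data field")
        rec.update(version=1, timestamp=ts, host=host, app=app,
                   procid=procid, msgid=msgid, sd=sd, msg=msg)
    else:
        # RFC 3164 (logging version 0): "Mmm dd hh:mm:ss HOSTNAME MSG"
        m3 = _BSD.match(rest)
        if not m3:
            raise ValueError("unrecognised RFC 3164 header")
        rec.update(version=0, timestamp=m3.group(1), host=m3.group(2),
                   msg=m3.group(3))
    return rec


def at_or_above(lines, level):
    """Keep messages at least as urgent as `level` (lower number = more urgent),
    which is the cut the severity-level argument of the logging commands makes."""
    cutoff = SEVERITIES.index(level)
    return [r for r in map(parse_syslog, lines) if r["severity_num"] <= cutoff]


# Constructed samples from a switch logging to facility local7 (code 23, so PRI = 184 + severity).
SAMPLE_V0 = ("<189>Feb 16 04:40:00 R1 %SEC-5-LOGIN_SUCCESS: "
             "Login successful for user admin on vty0 (10.14.1.97)")
SAMPLE_V1 = ("<188>1 2015-02-16T04:41:12Z R1 - - - - "
             "%SEC-4-LOGIN_FAILURE: Login failed for user admin on vty1 (10.14.1.97)")
SAMPLE_DBG = ('<191>1 2015-02-16T04:41:13Z R1 - - - [exampleSDID@32473 iut="3"] '
              "%SYS-7-DEBUG: poll tick")

if __name__ == "__main__":
    for r in at_or_above([SAMPLE_V0, SAMPLE_V1, SAMPLE_DBG], "notifications"):
        print(r["severity"], r["host"], r["msg"])
```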
You can configure multiple virtual terminals at one time by entering a number and an end-number.
2. Configure a level and set the maximum number of messages to print.
   LINE mode
   logging synchronous [level severity-level | all] [limit]
   Configure the following optional parameters:
   • level severity-level: the range is from 0 to 7. The default is 2. Use the all keyword to include all messages.
   • limit: the range is from 20 to 300. The default is 20.

• Enable FTP on the system.
  CONFIGURATION mode
  ftp-server enable

Example of Viewing FTP Configuration
Dell#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
Dell#

Configuring FTP Server Parameters

After you enable the FTP server on the system, you can configure different parameters. To configure the FTP server parameters, use the following commands.
• Specify the directory for users using FTP to reach the system.

• Enter a username to use on the FTP client.
  CONFIGURATION mode
  ip ftp username name
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enabling the FTP Server.

Terminal Lines

You can access the system remotely and restrict access to the system by creating user profiles. Terminal lines on the system provide different means of accessing the system. The virtual terminal lines (VTYs) connect you through Telnet to the system.
Beginning in Dell OS version 7.4.2.0, only an ACL is required, and users are denied access before they are prompted for a username and password. Configuring Login Authentication for Terminal Lines You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list.
Setting Time Out of EXEC Privilege Mode EXEC time-out is a basic security feature that returns the Dell Networking OS to EXEC mode after a period of inactivity on the terminal lines. To set time out, use the following commands. • Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the time-out period to 0. LINE mode • exec-timeout minutes [seconds] Return to the default time-out values.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1) login: admin Dell# Lock CONFIGURATION Mode The systems allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). You can set two types of locks: auto and manual. • Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode.
Restrictions for Limiting the Number of Concurrent Sessions These restrictions apply for limiting the number of concurrent sessions: • Only the system and security administrators can limit the number of concurrent sessions and enable the clear-line option. • Users can clear their existing sessions only if the system is configured with the login concurrent-session clearline enable command.
Password: Maximum concurrent sessions for the user reached. Current VTY sessions for user admin: Line Location 2 vty 0 10.14.1.97 3 vty 1 10.14.1.97 4 vty 2 10.14.1.97 5 vty 3 10.14.1.97 Kill existing session? [line number/Enter to cancel]: Track Login Activity Dell Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events.
Display Login Statistics
To view the login statistics, use the show login statistics command.
Example of the show login statistics Command
The show login statistics command displays the successful and failed login details of the current user in the last 30 days or the custom defined time period.
Dell#show login statistics
-----------------------------------------------------------------
User: admin
Last login time: Mon Feb 16 04:40:00 2015
Last login location: Line vty0 ( 10.14.1.
3. Hit any key to abort the boot process. You enter uBoot immediately, as indicated by the => prompt. (during bootup) hit any key 4. Set the system parameters to ignore the startup configuration file when the system reloads. uBoot mode setenv stconfigignore true 5. To save the changes, use the saveenv command. uBoot mode saveenv 6. Reload the system. uBoot mode reset 7. Copy startup-config.bak to the running config. EXEC Privilege mode copy flash://startup-config.bak running-config 8.
uBoot mode reset 6. Configure a new enable password. CONFIGURATION mode enable {secret | password} 7. Save the running-config to the startup-config. EXEC Privilege mode copy running-config startup-config Recovering from a Failed Start A system that does not start correctly might be attempting to boot from a corrupted Dell Networking OS image or from a misspecified location. In this case, you can restart the system and interrupt the boot process to point the system to another boot location.
5 802.1X 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 2. EAP Frames Encapsulated in Ethernet and RADIUS The authentication process involves three devices: • The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. • The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
6. If the identity information provided by the supplicant is valid, the authentication server sends an Access-Accept frame in which network privileges are specified. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame. Figure 3. EAP Port-Authentication EAP over RADIUS 802.
RADIUS Attributes for 802.1 Support Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: Attribute 5 NAS-Port: the physical port number by which the authenticator is connected to the supplicant. Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server. Attribute 41 NAS-Port-Type: NAS-port physical port type. 5 indicates Ethernet.
Enabling 802.1X Enable 802.1X globally and at an interface level. Figure 5. 802.1X Enabled 1. Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2. Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3. Enable 802.1X on an interface or a range of interfaces. INTERFACE mode dot1x authentication Example of Verifying that 802.1X is Enabled Globally Example of Verifying 802.1X is Enabled on an Interface Verify that 802.
The bold lines show that 802.1X is enabled.
Dell#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface GigabitEthernet 2/1
ip address 2.2.2.2/24
dot1x authentication
no shutdown
!
interface GigabitEthernet 2/2
ip address 1.0.0.1/24
dot1x authentication
no shutdown
--More--
View 802.1X configuration information for an interface using the show dot1x interface command. The bold lines show that 802.1X is enabled on all ports unauthorized by default.
dot1x tx-period number The range is from 1 to 65535 (1 year). The default is 30. • Configure a maximum number of times the authenticator re-transmits a Request Identity frame. INTERFACE mode dot1x max-eap-req number The range is from 1 to 10. The default is 2. The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits a maximum of 10 times.
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize

Forcibly Authorizing or Unauthorizing a Port
IEEE 802.1X requires that a port can be manually placed into any of three states:
• ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port.
To configure re-authentication time settings, use the following commands. • Configure the authenticator to periodically re-authenticate the supplicant. INTERFACE mode dot1x reauthentication [interval] seconds The range is from 1 to 65535. The default is 3600. • Configure the maximum number of times that the supplicant can be re-authenticated. INTERFACE mode dot1x reauth-max number The range is from 1 to 10. The default is 2.
• Terminate the authentication process due to an unresponsive authentication server. INTERFACE mode dot1x server-timeout seconds The range is from 1 to 300. The default is 30. Example of Viewing Configured Server Timeouts The example shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds. The bold lines show the new supplicant and server timeouts.
Figure 6. Dynamic VLAN Assignment 1. Configure 802.1X globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration in Dynamic VLAN Assignment with Port Authentication). 2. Make the interface a switchport so that it can be assigned to a VLAN. 3. Create the VLAN to which the interface will be assigned. 4. Connect the supplicant to the port configured for 802.1X. 5.
• If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN. • If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins. Configuring a Guest VLAN If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Enable
Guest VLAN id: 200
Auth-Fail VLAN: Enable
Auth-Fail VLAN id: 100
Auth-Fail Max-Attempts: 5
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
802.
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) This chapter describes the access control list (ACL) VLAN group and content addressable memory (CAM) enhancements. Optimizing CAM Utilization During the Attachment of ACLs to VLANs You can enable and configure the ACL CAM optimization functionality to minimize the number of entries in CAM while ACLs are applied on a VLAN or a set of VLANs, and also while ACLs are applied on a set of ports.
• A line card returns to the active state after going down, and this line card contains a VLAN that is a member of an ACL group. • The ACL VLAN group is deleted and it contains VLAN members. The ACL manager does not notify the ACL agent in the following cases: • The ACL VLAN group is created. • The ACL VLAN group is deleted and it does not contain any VLAN members. • The ACL is applied or removed from a group, and the ACL group does not contain a VLAN member.
increases the CAM space utilization. Attaching an ACL individually to VLAN interfaces is similar to the behavior of ACL-VLAN mapping storage in CAM prior to the implementation of the ACL VLAN group functionality. 1. Create an ACL VLAN group CONFIGURATION mode acl-vlan-group {group name} You can have up to eight different ACL VLAN groups at any given time. 2. Add a description to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode description description 3.
CONFIGURATION mode cam-acl-vlan vlaniscsi <0-2> 3. Allocate the number of FP blocks for the ACL VLAN optimization feature. CONFIGURATION mode cam-acl-vlan vlanaclopt <0-2> 4. View the number of flow processor (FP) blocks that are allocated for the different VLAN services.
The following sample output displays the CAM space utilization when Layer 2 and Layer 3 ACLs are configured:
Dell#show cam-usage acl
Linecard|Portpipe| CAM Partition   | Total CAM   | Used CAM    |Available CAM
========|========|=================|=============|=============|============
   11   |   0    | IN-L2 ACL       | 1008        | 0           | 1008
        |        | IN-L3 ACL       | 12288       | 2           | 12286
        |        | OUT-L2 ACL      | 1024        | 2           | 1022
        |        | OUT-L3 ACL      | 1024        | 0           | 1024
The following sample output displays the CAM space utilization for Layer 2 ACLs:
Dell#show cam
To display the number of FP blocks that are allocated for the different VLAN services, you can use the show cam-acl-vlan command. After CAM configuration for ACL VLAN groups is performed, reboot the system to enable the settings to be stored in nonvolatile storage. During the initialization of CAM, the chassis manager reads the NVRAM and allocates the dynamic VCAP regions.
7 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, ACLs, prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
Implementing ACL on the Dell Networking OS You can assign one IP ACL per interface with the Dell Networking OS. If you do not assign an IP ACL to an interface, it is not used by the software in any other capacity. The number of entries allowed per ACL is hardware-dependent. For detailed specification on entries allowed per ACL, refer to your line card documentation. If you enable counters on IP ACL rules that are already configured, those counters are reset when a new rule is inserted or prepended.
Dell(conf)#class-map match-all cmap1
Dell(conf-class-map)#match ip access-group acl1
Dell(conf-class-map)#exit
Dell(conf)#class-map match-all cmap2
Dell(conf-class-map)#match ip access-group acl2
Dell(conf-class-map)#exit
Dell(conf)#policy-map-input pmap
Dell(conf-policy-map-in)#service-queue 7 class-map cmap1
Dell(conf-policy-map-in)#service-queue 4 class-map cmap2
Dell(conf-policy-map-in)#exit
Dell(conf)#interface gig 1/0
Dell(conf-if-gi-1/0)#service-policy input pmap

IP Fragment Handling
The Dell Networ
• FO = 0 means the packet is either the first fragment or a non-fragmented packet. • FO > 0 means the packet is a later fragment of the original packet. Permit ACL line with L3 information only, and the fragments keyword is present: If a packet's L3 information matches the L3 information in the ACL line, the packet's FO is checked. • If the packet's FO > 0, the packet is permitted. • If the packet's FO = 0, the next ACL entry is processed.
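As an added illustration of the FO rules above (example code written for this page, not Dell Networking OS code), the following Python evaluator walks an ACL in sequence order and applies the fragment-offset check. It models the documented rule for a line with L3 information plus the fragments keyword, applies the same check to a deny line (assumed by symmetry), and treats a line without the keyword as matching every packet whose L3 fields match; the sample ACL, packets and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example for this page; not Dell Networking OS code.


@dataclass
class Packet:
    src: str   # source IP address
    dst: str   # destination IP address
    fo: int    # IP fragment offset: 0 = first fragment or unfragmented, > 0 = later fragment


@dataclass
class AclLine:
    seq: int
    action: str              # "permit" or "deny"
    src: str                 # CIDR network or "any"
    dst: str                 # CIDR network or "any"
    fragments: bool = False  # the fragments keyword: line applies only when FO > 0


def l3_matches(net: str, addr: str) -> bool:
    """True when addr falls inside net ("any" matches every address)."""
    if net == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def evaluate(acl: List[AclLine], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL in sequence order and return (action, matching seq).

    A line whose L3 fields match decides the packet, except that a line with
    the fragments keyword is skipped when FO = 0 and the next entry is
    processed, as described above. No match means the implicit deny at the
    end of every ACL, reported with seq None.
    """
    for line in acl:
        if not (l3_matches(line.src, pkt.src) and l3_matches(line.dst, pkt.dst)):
            continue
        if line.fragments and pkt.fo == 0:
            continue  # first fragment or whole packet: fall through to later entries
        return line.action, line.seq
    return "deny", None


# Constructed ACL: later fragments from 10.1.0.0/16 carry no L4 header, so an
# L4-aware entry could never inspect them; drop them explicitly, permit the rest.
SAMPLE_ACL = [
    AclLine(5, "deny", "10.1.0.0/16", "any", fragments=True),
    AclLine(10, "permit", "10.1.0.0/16", "any"),
]


if __name__ == "__main__":
    for pkt in (Packet("10.1.2.3", "192.0.2.1", fo=0),
                Packet("10.1.2.3", "192.0.2.1", fo=8),
                Packet("10.9.0.7", "192.0.2.1", fo=0)):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
```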
To view the rules of a particular ACL configured on a particular interface, use the show ip accounting access-list ACLname interface interface command in EXEC Privilege mode.
Example of Viewing the Rules of a Specific ACL on an Interface
Example of the seq Command to Order Filters
Dell#show ip accounting access-list ToOspf interface gig 1/6
Standard IP access list ToOspf
seq 5 deny any
seq 10 deny 10.2.0.0 /16
seq 15 deny 10.3.0.0 /16
seq 20 deny 10.4.0.0 /16
seq 25 deny 10.5.0.0 /16
seq 30 deny 10.6.0.
seq 5 permit 10.1.0.0/16
Dell(config-std-nacl)#
To view all configured IP ACLs, use the show ip accounting access-list command in EXEC Privilege mode.
Dell#show ip accounting access example interface gig 4/12
Extended IP access list example
seq 15 deny udp any any eq 111
seq 20 deny udp any any eq 2049
seq 25 deny udp any any eq 31337
seq 30 deny tcp any any range 12345 12346
seq 35 permit udp host 10.21.126.225 10.4.5.0 /28
seq 40 permit udp host 10.21.126.226 10.4.5.0 /28
seq 45 permit udp 10.8.0.
Configuring Filters Without a Sequence Number If you are creating an extended ACL with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. The system assigns filters in multiples of five. To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the following commands: • Configure a deny or permit filter to examine IP packets.
For the following features, if you enable counters on rules that have already been configured and a new rule is either inserted or prepended, all the existing counters are reset:
• L2 ingress access list
• L3 egress access list
• L2 egress access list
• L3 ingress access list
If a rule is simply appended, existing counters are not affected.
Table 4. L2 and L3 Filtering on Switched Packets
L2 ACL Behavior   L3 ACL Behavior   Decision on Targeted Traffic
Deny              Deny              L3 ACL denies.
NOTE: The number of entries allowed per ACL is hardware-dependent. For detailed specification about entries allowed per ACL, refer to your line card documentation. 4. Apply rules to the new ACL. INTERFACE mode ip access-list [standard | extended] name To view which IP ACL is applied to an interface, use the show config command in INTERFACE mode, or use the show running-config command in EXEC mode.
Dell(conf-ext-nacl)#permit tcp any any
Dell(conf-ext-nacl)#deny icmp any any
Dell(conf-ext-nacl)#permit 1.1.1.2
Dell(conf-ext-nacl)#end
Dell#show ip accounting access-list
!
Extended Ingress IP access list abcd on tengigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2

Configure Egress ACLs
Configuring egress ACLs onto physical interfaces protects the system infrastructure from attack — malicious and incidental — by explicitly allowing only authorized traffic.
ip control-plane [egress filter] 2. Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic. CONFIG-NACL mode permit ip {source mask | any | host ip-address} {destination mask | any | host ipaddress} count Dell Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group management protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU traffic.
• Use a prefix list for route redistribution For a complete listing of all commands related to prefix lists, refer to the Dell Networking OS Command Line Interface Reference Guide. Creating a Prefix List To create a prefix list, use the following commands. 1. Create a prefix list and assign it a unique name. You are in PREFIX LIST mode. CONFIGURATION mode ip prefix-list prefix-name 2. Create a prefix list with a sequence number and a deny or permit action.
CONFIGURATION mode ip prefix-list prefix-name 2. Create a prefix list filter with a deny or permit action. CONFIG-NPREFIXL mode {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length] The optional parameters are: • ge min-prefix-length: is the minimum prefix length to be matched (from 0 to 32). • le max-prefix-length: is the maximum prefix length to be matched (from 0 to 32).
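The ge and le parameters above decide which prefix lengths a filter covers, which is where prefix lists are most often misconfigured. The following Python matcher (an added example for this page, not Dell Networking OS code) applies the usual semantics: without ge or le an entry matches only the exact prefix and length; with them it matches any route inside the configured prefix whose length falls in [ge, le], ge alone extending to the maximum length and le alone starting at the configured length. The sample list and routes are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example for this page; not Dell Networking OS code.


@dataclass
class PrefixEntry:
    seq: int
    action: str                # "permit" or "deny"
    prefix: str                # ip-prefix, e.g. "10.0.0.0/8"
    ge: Optional[int] = None   # ge min-prefix-length
    le: Optional[int] = None   # le max-prefix-length

    def length_range(self) -> Tuple[int, int]:
        """Inclusive range of prefix lengths this entry matches."""
        base = ipaddress.ip_network(self.prefix, strict=False)
        low = self.ge if self.ge is not None else base.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = base.max_prefixlen      # ge alone: up to /32 (or /128)
        else:
            high = base.prefixlen          # neither: exact length only
        if not base.prefixlen <= low <= high <= base.max_prefixlen:
            raise ValueError(
                f"seq {self.seq}: need prefix length <= ge <= le <= {base.max_prefixlen}")
        return low, high

    def matches(self, route: str) -> bool:
        """True when the route lies inside the entry prefix and its length is in range."""
        base = ipaddress.ip_network(self.prefix, strict=False)
        net = ipaddress.ip_network(route, strict=False)
        if net.version != base.version or not net.subnet_of(base):
            return False                   # leading bits differ from the configured prefix
        low, high = self.length_range()
        return low <= net.prefixlen <= high


def evaluate_prefix_list(entries: List[PrefixEntry], route: str) -> Tuple[str, Optional[int]]:
    """First matching entry in sequence order decides; implicit deny (seq None) otherwise."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.action, entry.seq
    return "deny", None


# Constructed list: refuse host-sized leaks from 10/8, accept its aggregates
# down to /24, and accept exactly one /24 from 192.168.1.0.
SAMPLE_LIST = [
    PrefixEntry(5, "deny", "10.0.0.0/8", ge=25),
    PrefixEntry(10, "permit", "10.0.0.0/8", le=24),
    PrefixEntry(15, "permit", "192.168.1.0/24"),
]


if __name__ == "__main__":
    for route in ("10.1.0.0/16", "10.1.2.0/26", "192.168.1.0/25", "192.168.1.0/24"):
        print(route, "->", evaluate_prefix_list(SAMPLE_LIST, route))
```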
Dell>
Dell>show ip prefix summary
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
Dell>

Applying a Prefix List for Route Redistribution
To pass traffic through a configured prefix list, use the prefix list in a route redistribution command. Apply the prefix list to all traffic redistributed into the routing process.
• Apply a configured prefix list to incoming routes. You can specify which type of routes are affected. If you enter the name of a non-existent prefix list, all routes are forwarded. CONFIG-ROUTER-OSPF mode distribute-list prefix-list-name out [connected | rip | static] Example of Viewing Configured Prefix Lists (ROUTER OSPF mode) To view the configuration, use the show config command in ROUTER OSPF mode, or the show running-config ospf command in EXEC mode.
EXEC mode resequence access-list {ipv4 | mac} {access-list-name StartingSeqNum Step-to-Increment} • Resequence an IPv4 prefix-list. EXEC mode resequence prefix-list {ipv4} {prefix-list-name StartingSeqNum Step-to-Increment} Example of Resequencing ACLs When Remarks and Rules Have the Same Number Example of Resequencing ACLs When Remarks and Rules Have Different Numbers The example shows the resequencing of an IPv4 access-list beginning with the number 2 and incrementing by 2.
remark 8 this remark corresponds to permit ip any host 1.1.1.2
seq 8 permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.3
seq 12 permit ip any host 1.1.1.4

Route Maps
Similar to ACLs and prefix lists, route maps are composed of a series of commands that contain a matching criterion and an action; however, route maps can change the packets meeting the criterion. ACLs and prefix lists can only drop or forward the packet or traffic. Route maps process routes for route redistribution.
The default is permit. The optional seq keyword allows you to assign a sequence number to the route map instance. Example of Viewing a Configured Route Map Example of Multiple Instances of a Route-Map Example of Deleting One Instance of a Route Map Example of Viewing All Instances of a Specified Route Map The default action is permit and the default sequence number starts at 10. When you use the keyword deny in configuring a route map, routes that meet the match filters are not redistributed.
tag 3444 Dell# To delete a route map, use the no route-map map-name command in CONFIGURATION mode. Configure Route Map Filters Within ROUTE-MAP mode, there are match and set commands. • match commands search for a certain criterion in the routes. • set commands change the characteristics of routes, either adding something or specifying a level. When there are multiple match commands with the same parameter under one instance of route-map, the system does a match between all of those match commands.
match interface interface The parameters are: – For a Loopback interface, enter the keyword loopback then a number between zero (0) and 16383. – For a 10-Gigabit Ethernet interface, enter the keyword tengigabitEthernet then the slot/port information. – For a VLAN, enter the keyword vlan then a number from 1 to 4094. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. • Match destination routes specified in a prefix list (IPv4).
CONFIG-ROUTE-MAP mode set metric-type {external | internal | type-1 | type-2} • Assign an IP address as the route’s next hop. CONFIG-ROUTE-MAP mode set next-hop ip-address • Specify a tag for the redistributed routes. CONFIG-ROUTE-MAP mode set tag tag-value To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low. Set commands do not require a corresponding match command.
Example of the redistribute Command Using a Route Tag
!
router rip
redistribute ospf 34 metric 1 route-map torip
!
route-map torip permit 10
match route-type internal
set tag 34
!

Continue Clause
Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found.
The ACL application sends the ACL logging configuration information and other details, such as the action, sequence number, and the ACL parameters that pertain to that ACL entry. The ACL service collects the ACL log and records the following attributes per log message. • For non-IP packets, the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses, EtherType, and ingress interface are the logged attributes.
NOTE: This example describes the configuration of ACL logging for standard IP access lists. You can enable the logging capability for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended MAC ACLs. 1. Specify the maximum number of ACL logs or the threshold that can be generated by using the threshold-in-msgs count option with the seq, permit, or deny commands. Upon exceeding the specified maximum limit, the generation of ACL logs is terminated.
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [monitor] If the number of monitoring sessions increases, inter-process communication (IPC) bandwidth utilization will be high. The ACL manager might require a large bandwidth when you assign an ACL, with many entries, to an interface. The ACL agent module saves monitoring details in its local database and also in the CAM region to monitor packets that match the specified criterion.
Ingress IPv6 access list kar on GigabitEthernet 10/0
Total cam count 1
seq 5 permit ipv6 22::/24 33::/24 monitor

Enabling Flow-Based Monitoring
Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 2 and Layer 3 ingress and egress traffic. You can specify traffic using standard or extended access-lists. 1.
8 Bidirectional Forwarding Detection (BFD) Bidirectional forwarding detection (BFD) is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 7. BFD in IPv4 Packet Format Field Description Diagnostic Code The reason that the last session failed. State The current local session state. Refer to BFD Sessions. Flag A bit that indicates packet function.
Field Description My Discriminator A random number generated by the local system to identify the session. Your Discriminator A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface. Desired Min TX Interval The minimum rate at which the local system would like to send control packets to the remote system.
Administratively Down The local system does not participate in a particular session. Down The remote system is not sending control packets or at least not within the detection time for a particular session. Init The local system is communicating. Up Both systems are exchanging control packets. The session is declared down if: • A control packet is not received within the detection time. • Sufficient echo packets are lost.
Figure 8.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 9. Session State Changes Important Points to Remember • BFD for line card ports is hitless, but is not hitless for VLANs because they are instantiated on the RPM.
• Configure BFD for OSPF • Configure BFD for OSPFv3 • Configure BFD for BGP • Configure BFD for VRRP • Configure BFD for VLANs • Configuring Protocol Liveness • Troubleshooting BFD Configure BFD for Physical Ports BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
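To make the session states and the Session State Changes rule above concrete (Down plus a received Down gives Init), here is an added Python model of a BFD session; it is example code for this page, not Dell Networking OS code, and follows the control-packet reception rules and detection-time formula of RFC 5880, the protocol this chapter configures. It also plays out the three-way handshake between two sessions and the two ways a session is declared down; the timer values are the 100 ms / multiplier 3 defaults shown in this chapter's output.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed example for this page; not Dell Networking OS code.

ADMIN_DOWN, DOWN, INIT, UP = "AdminDown", "Down", "Init", "Up"

# Diagnostic codes carried in the Diagnostic field (RFC 5880, section 4.1)
DIAG_NONE = 0
DIAG_DETECT_EXPIRED = 1   # Control Detection Time Expired
DIAG_NEIGHBOR_DOWN = 3    # Neighbor Signaled Session Down


@dataclass
class BfdSession:
    desired_min_tx_ms: int = 100     # Desired Min TX Interval
    required_min_rx_ms: int = 100    # Required Min RX Interval
    detect_mult: int = 3             # Detect Multiplier
    state: str = DOWN
    diag: int = DIAG_NONE
    history: List[str] = field(default_factory=list)

    def _set(self, new_state: str, diag: int = DIAG_NONE) -> None:
        if new_state != self.state:
            self.history.append(f"{self.state}->{new_state}")
        self.state, self.diag = new_state, diag

    def receive(self, remote_state: str) -> str:
        """Apply the State field of a received control packet; return the new local state."""
        if self.state == ADMIN_DOWN:
            return self.state            # administratively down: received packets are ignored
        if remote_state == ADMIN_DOWN:
            if self.state != DOWN:
                self._set(DOWN, DIAG_NEIGHBOR_DOWN)
        elif self.state == DOWN:
            if remote_state == DOWN:
                self._set(INIT)          # the rule quoted above: Down + Down -> Init
            elif remote_state == INIT:
                self._set(UP)
        elif self.state == INIT:
            if remote_state in (INIT, UP):
                self._set(UP)
        elif remote_state == DOWN:       # local state is Up
            self._set(DOWN, DIAG_NEIGHBOR_DOWN)
        return self.state

    def detection_time_ms(self, remote: "BfdSession") -> int:
        """Asynchronous-mode detection time: the neighbor's multiplier times the
        slower of our Required Min RX and the neighbor's Desired Min TX."""
        return remote.detect_mult * max(self.required_min_rx_ms, remote.desired_min_tx_ms)

    def detection_timer_expired(self) -> str:
        """No control packet within the detection time: the session is declared down."""
        if self.state in (INIT, UP):
            self._set(DOWN, DIAG_DETECT_EXPIRED)
        return self.state


def three_way_handshake(a: BfdSession, b: BfdSession) -> List[Tuple[str, str]]:
    """Alternate control packets between two sessions until both are Up;
    returns the (a.state, b.state) pair observed after each packet."""
    steps: List[Tuple[str, str]] = []
    sender, receiver = a, b
    while not (a.state == UP and b.state == UP):
        receiver.receive(sender.state)
        steps.append((a.state, b.state))
        sender, receiver = receiver, sender
        if len(steps) > 6:
            raise RuntimeError("handshake did not converge")
    return steps


if __name__ == "__main__":
    local, remote = BfdSession(), BfdSession()
    print("handshake:", three_way_handshake(local, remote))
    print("detection time (ms):", local.detection_time_ms(remote))
    print("after timer expiry:", remote.detection_timer_expired(), remote.diag)
```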
Establishing a Session on Physical Ports To establish a session, enable BFD at the interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match. Figure 10. Establishing a BFD Session on Physical Ports 1. Enter interface mode. CONFIGURATION mode interface 2. Assign an IP address to the interface if one is not already assigned. INTERFACE mode ip address ip-address 3.
Remote MAC Addr: 00:01:e8:06:95:a2
Int: GigabitEthernet 4/24
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Role: Active
Delete session on Down: False
Client Registered: CLI
Uptime: 00:03:57
Statistics:
Number of packets received from neighbor: 1775
Number of packets sent to neighbor: 1775
Number of state changes: 1
Number of messages from IFA about port state change: 0
Numbe
Client Registered: CLI
Uptime: 00:09:06
Statistics:
Number of packets received from neighbor: 4092
Number of packets sent to neighbor: 4093
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 7

Disabling and Re-Enabling BFD
BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured.
Establishing Sessions for Static Routes Sessions are established for all neighbors that are the next hop of a static route. Figure 11. Establishing Sessions for Static Routes To establish a BFD session, use the following command. • Establish BFD sessions for all neighbors that are the next hop of a static route. CONFIGURATION mode ip route bfd Example of the show bfd neighbors Command to Verify Static Routes To verify that sessions have been created for static routes, use the show bfd neighbors command.
ip route bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive] To view session parameters, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information. Disabling BFD for Static Routes If you disable BFD, all static route BFD sessions are torn down. A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state. To disable BFD for static routes, use the following command.
Establishing Sessions with OSPF Neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 12. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. • Establish sessions with all OSPF neighbors.
The bold line shows the OSPF BFD sessions.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.2   2.2.2.1      Gi 2/1      Up      100      100      3      O
* 2.2.3.1   2.2.3.2      Gi 2/2      Up      100      100      3      O

Changing OSPF Session Parameters
Configure BFD sessions with default intervals and a default role.
Configuring BFD for OSPFv3 is a two-step process: 1. Enable BFD globally. 2. Establish sessions with OSPFv3 neighbors. Related Configuration Tasks • Changing OSPFv3 Session Parameters • Disabling BFD for OSPFv3 Establishing Sessions with OSPFv3 Neighbors You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPFv3 adjacency is in the Full state.
• Disable BFD sessions with all OSPFv3 neighbors. ROUTER-OSPFv3 mode no bfd all-neighbors • Disable BFD sessions with OSPFv3 neighbors on a single interface. INTERFACE mode ipv6 ospf bfd all-neighbors disable Configure BFD for BGP In a BGP core network, bidirectional forwarding detection (BFD) provides rapid detection of communication failures in BGP fastforwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence.
Figure 13. Establishing Sessions with BGP Neighbors The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor: • By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command). • By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command) BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
CONFIGURATION mode router bgp as-number 3. Add a BGP neighbor or peer group in a remote AS. CONFIG-ROUTERBGP mode neighbor {ip-address | peer-group-name} remote-as as-number 4. Enable the BGP neighbor. CONFIG-ROUTERBGP mode neighbor {ip-address | peer-group-name} no shutdown 5. Configure parameters for a BFD session established with all neighbors discovered by BGP. OR Establish a BFD session with a specified BGP neighbor or peer group using the default BFD session parameters.
• Explicitly enabled (the neighbor ip-address bfd command) • Explicitly disabled (the neighbor ip-address bfd disable command) • Inherited (neither explicitly enabled or disabled) according to the current BFD configuration of the peer group. For information about BGP peer groups, refer to Configuring Peer Groups.
neighbor 2.2.2.2 no shutdown
neighbor 3.3.3.2 remote-as 1
neighbor 3.3.3.2 no shutdown
bfd all-neighbors
R2# show bfd neighbors
* - Active session role
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
M - MPLS
V - VRRP
LocalAddr * 1.1.1.3 * 2.2.2.3 * 3.3.3.3 RemoteAddr 1.1.1.2 2.2.2.2 3.3.3.
Delete session on Down: True
Client Registered: BGP
Uptime: 00:02:22
Statistics:
Number of packets received from neighbor: 1428
Number of packets sent to neighbor: 1428
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4
R2# show bfd counters bgp
Interface TenGigabitEthernet 6/0 Protocol BGP
Messages:
Registration    : 5
De-registration : 4
Init            : 0
Up              : 6
Down            : 0
Admin Down      : 2
Interface TenGigabitEthernet 6/1 Protocol
• Message displayed when you enable a BGP neighbor in a peer group for which you enabled a BFD session using the neighbor peer-group-name bfd command R2# show ip bgp neighbors 2.2.2.2 BGP neighbor is 2.2.2.2, remote AS 1, external link BGP version 4, remote router ID 12.0.0.
Configure BFD for VRRP When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the route processor module (RPM). BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred. Configuring BFD for VRRP is a three-step process: 1. Enable BFD globally. Refer to Enabling BFD Globally. 2.
Establishing VRRP Sessions on VRRP Neighbors

The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. VRRP BFD sessions on the backup router cannot change to the UP state. Configure the master router to establish an individual VRRP session with the backup router. To establish a session with a particular VRRP neighbor, use the following command.
• Establish a session with a particular VRRP neighbor.
vrrp bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
• Change parameters for a particular VRRP session.
INTERFACE mode
vrrp bfd neighbor ip-address interval milliseconds min_rx milliseconds multiplier value role [active | passive]
To view session parameters, use the show bfd neighbors detail command, as shown in the example in Verifying BFD Sessions with BGP Neighbors Using the show bfd neighbors Command in Displaying BFD for BGP Information.
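The interval, min_rx, multiplier and role parameters above are negotiated per direction, and the two ends of a link may be configured with different values. The following Python model is an added example (it is not part of the Dell guide and not Dell code) that computes what each end will actually do once the parameters are exchanged; the negotiation rules follow RFC 5880, and the BfdParams fields and the sample values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdParams:
    """One end's settings from 'bfd ... interval <ms> min_rx <ms> multiplier <n> role {active|passive}'."""
    interval_ms: int        # desired transmit interval (Desired Min TX Interval in RFC 5880)
    min_rx_ms: int          # slowest interval this end is willing to receive at (Required Min RX Interval)
    multiplier: int         # consecutive missed packets before the peer declares the session Down
    role: str = "active"    # 'active' sends control packets first; 'passive' waits for the peer


def negotiated_tx_interval(sender: BfdParams, receiver: BfdParams) -> int:
    """Interval at which 'sender' really transmits towards 'receiver'.

    A system must not send faster than its peer is willing to receive, so the
    larger of the sender's interval and the receiver's min_rx wins (RFC 5880, 6.8.7).
    """
    return max(sender.interval_ms, receiver.min_rx_ms)


def detection_time_ms(local: BfdParams, remote: BfdParams) -> int:
    """Time 'local' waits without a packet from 'remote' before declaring Down:
    the remote's multiplier times the interval the remote actually transmits at."""
    return remote.multiplier * negotiated_tx_interval(remote, local)


def session_can_start(local: BfdParams, remote: BfdParams) -> bool:
    """A passive end never originates control packets, so at least one end must be active."""
    return local.role == "active" or remote.role == "active"


def describe_session(local: BfdParams, remote: BfdParams) -> dict:
    """Summarise what each end will do once the parameters are exchanged."""
    return {
        "starts": session_can_start(local, remote),
        "local_tx_ms": negotiated_tx_interval(local, remote),
        "remote_tx_ms": negotiated_tx_interval(remote, local),
        "local_detect_ms": detection_time_ms(local, remote),
        "remote_detect_ms": detection_time_ms(remote, local),
    }


if __name__ == "__main__":
    # Constructed example: the two ends are deliberately configured differently.
    r1 = BfdParams(interval_ms=100, min_rx_ms=100, multiplier=3)
    r2 = BfdParams(interval_ms=200, min_rx_ms=300, multiplier=4, role="passive")
    for key, value in describe_session(r1, r2).items():
        print(f"{key:>17}: {value}")
```

The point of the model is that a small interval on one end buys nothing if the peer's min_rx is larger: with the constructed values, R1 is slowed down to 300 ms by R2's min_rx, so R2 detects a failure of R1 only after 900 ms, while R1 detects a failure of R2 after 800 ms.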
Establish Sessions with VLAN Neighbors

To establish a session, enable BFD at interface level on both ends of the link, as shown in the following illustration. The session parameters do not need to match.

Figure 15. Establishing Sessions with VLAN Neighbors

To establish a BFD session with a VLAN neighbor, follow this step.
• Establish sessions with a VLAN neighbor.
Disabling BFD for VLANs

If you disable BFD on an interface, sessions on the interface are torn down. A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to the Down state. To disable BFD on a VLAN interface, use the following command.
• Disable all sessions on a VLAN interface.
INTERFACE VLAN mode
no bfd enable

Configure BFD for Port-Channels

BFD on port-channels is analogous to BFD on physical ports.
To establish a session on a port-channel, use the bfd neighbor ip-address command in INTERFACE PORT-CHANNEL mode. View the established sessions using the show bfd neighbors command, as shown in Changing Port-Channel Session Parameters.

Viewing Established Sessions for VLAN Neighbors
R2(conf-if-po-1)#bfd neighbors 2.2.2.
Troubleshooting BFD

To troubleshoot BFD, use the following commands and examples. To examine control packet field values or to examine the control packets in hexadecimal format, use the following commands.
• Examine control packet field values.
CONFIGURATION mode
debug bfd detail
• Examine the control packets in hexadecimal format.
9 Border Gateway Protocol IPv4 (BGPv4)

This chapter provides a general description of BGPv4 as it is supported in the Dell Networking operating system. BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of BGP is to exchange network reachability information with other BGP systems.
Figure 17. Interior BGP

BGP version 4 (BGPv4) supports classless interdomain routing, aggregate routes, and AS paths. BGP is a path vector protocol: each update carries the path that the routing information has taken as it diffuses through the network. An update that travels through the network and returns to a node it has already passed is therefore easily detected and discarded.
Figure 18. BGP Routers in Full Mesh

The number of BGP speakers with which each BGP peer must maintain a session increases exponentially. Network management quickly becomes impossible.

Sessions and Peers

When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.

Establish a Session

Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies.
State     Description
Idle      BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer.
Connect   In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active    The router resets the ConnectRetry timer to zero and returns to the Connect state.
Figure 19. BGP Router Rules

1. Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D.
2. Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
3.
they were received from the neighbors because MED may or may not get compared between the adjacent paths. In deterministic mode, the system compares MED between the adjacent paths within an AS group because all paths in the AS group are from the same AS.

NOTE: In the Dell Networking OS version 8.3.11.4, the bgp bestpath as-path multipath-relax command is disabled by default, preventing BGP from load-balancing a learned route across two or more eBGP peers.
6. Prefer the path with the lowest multi-exit discriminator (MED) attribute. The following criteria apply:
   a. This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs are compared only if the first AS in the AS_SEQUENCE is the same for both paths.
   b. If you entered the bgp always-compare-med command, MEDs are compared for all paths.
   c. Paths with no MED are treated as “worst” and assigned a MED of 4294967295.
7.
Figure 21. BGP Local Preference

Multi-Exit Discriminators (MEDs)

If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 22. Multi-Exit Discriminators

NOTE: With the Dell Networking OS version 8.3.1.0, configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost.

Origin

The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
Example of Viewing AS Paths

Dell#show ip bgp paths
Total 30655 Paths
Address     Hash  Refcount  Metric  Path
0x4014154   0     3         18508   701 3549 19421 i
0x4013914   0     3         18508   701 7018 14990 i
0x5166d6c   0     3         18508   209 4637 1221 9249 9249 i
0x5e62df4   0     2         18508   701 17302 i
0x3a1814c   0     26        18508   209 22291 i
0x567ea9c   0     75        18508   209 3356 2529 i
0x6cc1294   0     2         18508   20
0x6cc18d4   0     1         18508
0x5982e44   0     162       18508
0x67d4a14   0     2         18508
0x559972c   0     31        18508
0x59cd3b4   0     2         18508
0x7128114   0     10        18508
0x536a914   0     3         18508
0x2ffe884   0     1         18508
Advertise IGP Cost as MED for Redistributed Routes

When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as MED value. The Dell Networking OS version 8.3.1.
Traditional Format   DOT Format
65001                0.65501
65536                1.0
100000               1.34464
4294967295           65535.65535

When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte identified routers. You cannot mix them. Configure 4-byte AS numbers with the four-octet-support command.

AS4 Number Representation

The Dell Networking OS version 8.2.1.0 supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot.
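The conversion between the traditional (asplain) and dotted forms, and the difference between the asdot and asdot+ notations, can be made precise in a few lines. The following Python helpers are an added example, not part of the Dell guide and not Dell code; the function names are the author's own, and the rule implemented is the RFC 5396 one: asdot+ always writes high.low, while asdot writes the plain number whenever it fits in two bytes.

```python
AS_MAX = 4294967295   # largest 4-byte AS number, 65535.65535 in dotted form


def parse_asn(text: str) -> int:
    """Accept asplain ('100000'), asdot+ ('1.34464') or asdot input and return the AS number."""
    text = text.strip()
    if "." in text:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"dotted AS number out of range: {text}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"AS number out of range: {text}")
    return asn


def format_asn(asn: int, notation: str = "asplain") -> str:
    """Render an AS number in the notation chosen with 'bgp asnotation {asplain|asdot|asdot+}'."""
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"AS number out of range: {asn}")
    high, low = asn >> 16, asn & 0xFFFF
    if notation == "asplain":
        return str(asn)
    if notation == "asdot+":            # always dotted, even for 2-byte values
        return f"{high}.{low}"
    if notation == "asdot":             # dotted only when the value needs 4 bytes
        return str(asn) if asn <= 65535 else f"{high}.{low}"
    raise ValueError(f"unknown notation: {notation}")


def needs_four_octet_support(asn: int) -> bool:
    """True when the number cannot be carried in a 2-byte AS field, so the
    session must negotiate 4-byte AS support (bgp four-octet-as-support)."""
    return asn > 65535


def format_as_path(as_path, notation: str = "asdot") -> str:
    """Render a whole AS path the way 'show ip bgp' would under the chosen notation."""
    return " ".join(format_asn(asn, notation) for asn in as_path)


if __name__ == "__main__":
    for value in (65536, 100000, 4294967295):          # constructed sample values
        print(f"{value:>10}  asdot={format_asn(value, 'asdot'):<12} asdot+={format_asn(value, 'asdot+')}")
```

The parser rejects dotted values whose halves exceed 65535 and plain values above 4294967295, which is the same range the neighbor remote-as command enforces.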
Dell(conf-router_bgp)#do show ip bgp BGP table version is 24901, local router ID is 172.30.1.57
connection with Router C without immediately updating Router C’s configuration. Local-AS allows this behavior to happen by allowing Router B to appear as if it still belongs to Router B’s old network (AS 200) as far as communicating with Router C is concerned.

Figure 23. Before and After AS Number Migration with Local-AS Enabled

When you complete your migration, and you have reconfigured your network with the new information, disable this feature.
BGP4 Management Information Base (MIB)

The FORCE10-BGP4-V2-MIB enhances Dell Networking OS BGP management information base (MIB) support with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website.

NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
Traps (notifications) specified in the BGP4 MIB draft are not supported. Such traps (bgpM2Established and bgpM2BackwardTransition) are supported as part of RFC 1657.
Item       Default
Timers     keepalive = 60 seconds
           holdtime = 180 seconds
Add-path   Disabled

Enabling BGP

By default, BGP is not enabled on the system. The Dell Networking OS supports one autonomous system (AS) and assigns the AS number (ASN). To establish BGP sessions and route traffic, configure at least one BGP neighbor or peer. In BGP, routers with an established TCP connection are called neighbors or peers.
2. Add a neighbor as a remote AS.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group name} remote-as as-number
• peer-group name: 16 characters
• as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format)
Formats: IP Address A.B.C.D
You must configure a peer group (refer to Configuring Peer Groups) before assigning it a remote AS.
3. Enable the BGP neighbor.
For the router’s identifier, the system uses the highest IP address of the Loopback interfaces configured. Because Loopback interfaces are virtual, they cannot go down, thus preventing changes in the router ID. If you do not configure Loopback interfaces, the highest IP address of any interface is used as the router ID. To view the status of BGP neighbors, use the show ip bgp neighbors command in EXEC Privilege mode as shown in the first example.
network 10.10.21.0/24
network 10.10.32.0/24
network 100.10.92.0/24
network 192.168.10.0/24
bgp four-octet-as-support
neighbor 10.10.21.1 remote-as 65123
neighbor 10.10.21.1 filter-list ISP1in
neighbor 10.10.21.1 no shutdown
neighbor 10.10.32.3 remote-as 65123
neighbor 10.10.32.3 no shutdown
neighbor 100.10.92.9 remote-as 65192
neighbor 100.10.92.9 no shutdown
neighbor 192.168.10.1 remote-as 65123
neighbor 192.168.10.
neighbor 172.30.1.250 local-as 65057
neighbor 172.30.1.250 route-map rmap1 in
neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
Dell(conf-router_bgp)#bgp asnotation asdot
Dell(conf-router_bgp)#sho conf
!
router bgp 100
 bgp asnotation asdot
 bgp four-octet-as-support
 neighbor 172.30.1.250 remote-as 18508
 neighbor 172.30.1.250 local-as 65057
 neighbor 172.30.1.250 route-map rmap1 in
 neighbor 172.30.1.
CONFIG-ROUTERBGP mode
neighbor ip-address peer-group peer-group-name
6. Add a neighbor as a remote AS.
CONFIG-ROUTERBGP mode
neighbor {ip-address | peer-group name} remote-as as-number
Formats: IP Address A.B.C.D
• Peer-Group Name: 16 characters.
• as-number: the range is from 0 to 65535 (2-Byte) or 1 to 4294967295 | 0.1 to 65535.65535 (4-Byte) or 0.1 to 65535.
To enable a peer group, use the neighbor peer-group-name no shutdown command in CONFIGURATION ROUTER BGP mode (shown in bold).

Dell(conf-router_bgp)#neighbor zanzibar no shutdown
Dell(conf-router_bgp)#show config
!
router bgp 45
 bgp fast-external-fallover
 bgp log-neighbor-changes
 neighbor zanzibar peer-group
 neighbor zanzibar no shutdown
 neighbor 10.1.1.1 remote-as 65535
 neighbor 10.1.1.1 shutdown

To disable a peer group, use the neighbor peer-group-name shutdown command in CONFIGURATION ROUTER BGP mode.
To enable the BGP fast fail-over feature, use the following command. To disable fast fail-over, use the [no] neighbor [neighbor | peer-group] fail-over command in CONFIGURATION ROUTER BGP mode.
• Enable BGP Fast Fail-Over.
Dell#
router bgp 65517
 neighbor test peer-group
 neighbor test fail-over
 neighbor test no shutdown

Configuring Passive Peering

When you enable a peer-group, the software sends an OPEN message to initiate a TCP connection. If you enable passive peering for the peer group, the software does not send an OPEN message, but it responds to an OPEN message.
– No Prepend: specifies that local AS values are not prepended to announcements from the neighbor.
Format: IP Address: A.B.C.D.
You must configure the peer group (refer to Configuring Peer Groups) before assigning a local AS to it. This feature is not supported on passive peer groups.

Example of Verifying that Local AS Numbering is Disabled

The first line in bold shows the actual AS number. The second two lines in bold show the local AS number (6500) maintained during migration.
network 100.10.92.0/24
network 192.168.10.0/24
bgp four-octet-as-support
neighbor 10.10.21.1 remote-as 65123
neighbor 10.10.21.1 filter-list Laura in
neighbor 10.10.21.1 no shutdown
neighbor 10.10.32.3 remote-as 65123
neighbor 10.10.32.3 no shutdown
neighbor 100.10.92.9 remote-as 65192
neighbor 100.10.92.9 local-as 6500
neighbor 100.10.92.9 no shutdown
neighbor 192.168.10.1 remote-as 65123
neighbor 192.168.10.1 update-source Loopback 0
neighbor 192.168.10.
• Local router supports graceful restart as a receiver only.
CONFIG-ROUTER-BGP mode
bgp graceful-restart [role receiver-only]

Enabling Neighbor Graceful Restart

BGP graceful restart is active only when the neighbor becomes established. Otherwise, it is disabled. Graceful-restart applies to all neighbors with established adjacency. With the graceful restart feature, the system enables the receiving/restarting mode by default.
This is the filter that is used to match the AS-path. The entries can be any format: letters, numbers, or regular expressions. You can enter this command multiple times to configure multiple filters. For accepted expressions, refer to Regular Expressions as Filters.
3. Return to CONFIGURATION mode.
AS-PATH ACL mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Use a configured AS-PATH ACL for route filtering and manipulation.
Regular Expression   Definition
^ (caret)            Matches the beginning of the input string. Alternatively, when used as the first character within brackets [^ ], this matches any number except the ones specified within the brackets.
$ (dollar)           Matches the end of the input string.
. (period)           Matches any single character, including white space.
* (asterisk)         Matches 0 or more sequences of the immediately previous character or pattern.
 neighbor 10.155.15.2 filter-list 1 in
 neighbor 10.155.15.2 shutdown
Dell(conf-router_bgp)#ex

Redistributing Routes

In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP process. With the redistribute command, you can include ISIS, OSPF, static, or directly connected routes in the BGP process. To add routes from other routing instances or protocols, use any of the following commands in ROUTER BGP mode.
neighbor add-path
3. Configure the maximum number of parallel routes (multipath support) BGP supports.
CONFIG-ROUTER-BGP mode
max-path number
The range is from 2 to 64.

Configuring IP Community Lists

Within the Dell Networking OS, you have multiple methods of manipulating routing attributes. One attribute you can manipulate is the COMMUNITY attribute. This attribute is an optional attribute that is defined for a group of destinations.
 deny 705:20
 deny 14551:20
 deny 701:112
 deny 702:112
 deny 703:112
 deny 704:112
 deny 705:112

Configuring an IP Extended Community List

To configure an IP extended community list, use these commands.
1. Create an extended community list and enter the EXTCOMMUNITY-LIST mode.
CONFIGURATION mode
ip extcommunity-list extcommunity-list-name
2. Two types of extended communities are supported.
match {community community-list-name [exact] | extcommunity extcommunity-list-name [exact]}
3. Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
AS-number: 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.65535 (Dotted format)
5. Apply the route map to the neighbor or peer group’s incoming or outgoing routes.
• no-advertise: routes with the COMMUNITY attribute NO_ADVERTISE are not advertised.
• no-export: routes with the COMMUNITY attribute of NO_EXPORT.
• none: remove the COMMUNITY attribute.
• additive: add the communities to already existing communities.
3. Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4. Enter the ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Apply the route map to the neighbor or peer group’s incoming or outgoing routes.
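The community-list match (with and without exact) described under Configuring IP Community Lists, and the set community actions listed above, can be modelled together to check what a route map will do to a route before it is applied on a router. The following Python is an added example, not part of the Dell guide and not Dell code; the matching semantics (an entry matches when the route carries all of its communities, or exactly that set with exact; first match wins; implicit deny at the end) are an assumption stated here, and the well-known community values are the RFC 1997 ones.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set

# Well-known communities (RFC 1997), written as AS:NN so they mix with ordinary values.
NO_EXPORT = "65535:65281"
NO_ADVERTISE = "65535:65282"


@dataclass(frozen=True)
class CommunityEntry:
    """One 'permit' or 'deny' line of an ip community-list."""
    action: str
    communities: FrozenSet[str]


def entry_matches(entry: CommunityEntry, route_communities: Iterable[str], exact: bool = False) -> bool:
    """Without 'exact' the route must carry every community the entry lists (and may carry more);
    with 'exact' it must carry precisely that set."""
    carried = set(route_communities)
    if exact:
        return carried == set(entry.communities)
    return entry.communities <= carried


def community_list_permits(entries: List[CommunityEntry], route_communities: Iterable[str],
                           exact: bool = False) -> bool:
    """First matching entry decides; a list that matches nothing denies (implicit deny)."""
    for entry in entries:
        if entry_matches(entry, route_communities, exact):
            return entry.action == "permit"
    return False


def set_community(route_communities: Iterable[str], values: List[str], additive: bool = False) -> Set[str]:
    """'set community' in a route map: replaces the attribute unless 'additive' is given,
    'none' removes it, and the keywords map to their well-known values."""
    keyword = {"no-export": NO_EXPORT, "no-advertise": NO_ADVERTISE}
    if values == ["none"]:
        return set()
    new = {keyword.get(v, v) for v in values}
    return (set(route_communities) | new) if additive else new


def may_advertise(route_communities: Iterable[str], peer_is_ebgp: bool) -> bool:
    """Effect of the well-known communities on outbound advertisement."""
    carried = set(route_communities)
    if NO_ADVERTISE in carried:
        return False            # never advertised to any peer
    if NO_EXPORT in carried and peer_is_ebgp:
        return False            # stays inside the local AS (or confederation)
    return True


if __name__ == "__main__":
    # Constructed list in the style of the deny entries shown above.
    blocked = [CommunityEntry("deny", frozenset({"701:112"})), CommunityEntry("permit", frozenset())]
    route = {"701:112", "65192:100"}
    print("permitted:", community_list_permits(blocked, route))
    tagged = set_community(route, ["no-export"], additive=True)
    print("to eBGP peer:", may_advertise(tagged, peer_is_ebgp=True),
          "to iBGP peer:", may_advertise(tagged, peer_is_ebgp=False))
```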
– confed: Chooses the bestpath MED comparison of paths learned from BGP confederations.
– missing-as-best: Treat a path missing an MED as the most preferred one.
To view the nondefault values, use the show config command in CONFIGURATION ROUTER BGP mode.

Changing the LOCAL_PREFERENCE Attribute

In the Dell Networking OS, you can change the value of the LOCAL_PREFERENCE attribute. To change the default values of this attribute for all routes received by the router, use the following command.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} next-hop-self
• Sets the next hop address.
CONFIG-ROUTE-MAP mode
set next-hop ip-address

Changing the WEIGHT Attribute

To change how the WEIGHT attribute is used, enter the first command. You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to specify the next hop address.
• Assign a weight to the neighbor connection.
• AS-PATH ACLs (using the neighbor filter-list command)
• route maps (using the neighbor route-map command)
Prior to filtering BGP routes, create the prefix list, AS-PATH ACL, or route map. For configuration information about prefix lists, AS-PATH ACLs, and route maps, refer to Access Control Lists (ACLs).

NOTE: When you configure a new set of BGP policies, to ensure the changes are made, always reset the neighbor or peer group by using the clear ip bgp command in EXEC Privilege mode.
Filtering BGP Routes Using Route Maps

To filter routes using a route map, use these commands.
1. Create a route map and assign it a name.
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
2. Create multiple route map filters with a match or set action.
CONFIG-ROUTE-MAP mode
{match | set}
For information about configuring route maps, refer to Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4. Enter ROUTER BGP mode.
5. Filter routes based on the criteria in the configured route map.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out}
Configure the following parameters:
• ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name.
• as-path-name: enter the name of a configured AS-PATH ACL.
• in: apply the AS-PATH ACL to inbound routes.
• out: apply the AS-PATH ACL to outbound routes.
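The AS-PATH ACL filtering described in the preceding sections (the regular expression table under Regular Expressions as Filters and the neighbor filter-list step) can be tested offline before an ACL is applied to a neighbor. The following Python is an added example, not part of the Dell guide and not Dell code; it translates the router regex dialect to Python's re module, treating the underscore as a delimiter (start or end of the path, a space, comma, brace or parenthesis), and assumes first-match-wins semantics with an implicit deny at the end of the list.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class AsPathRule:
    """One line of 'ip as-path access-list NAME {permit|deny} REGEX'."""
    action: str
    regex: str


def as_path_text(as_path: Sequence[int]) -> str:
    """Render the AS_PATH as the space-separated string the regex is matched against."""
    return " ".join(str(asn) for asn in as_path)


def to_python_regex(regex: str) -> str:
    """Translate the router dialect: '_' matches a delimiter (start or end of the
    string, a space, comma, brace or parenthesis); ^ $ . * keep their meaning."""
    return regex.replace("_", r"(?:^|$|[ ,{}()])")


def rule_matches(rule: AsPathRule, as_path: Sequence[int]) -> bool:
    return re.search(to_python_regex(rule.regex), as_path_text(as_path)) is not None


def as_path_acl_permits(rules: List[AsPathRule], as_path: Sequence[int]) -> bool:
    """The first matching entry decides; an ACL with no matching entry denies."""
    for rule in rules:
        if rule_matches(rule, as_path):
            return rule.action == "permit"
    return False


def apply_filter_list(rules: List[AsPathRule], paths: List[Sequence[int]]) -> List[Sequence[int]]:
    """What 'neighbor X filter-list NAME in' leaves of a batch of received paths."""
    return [p for p in paths if as_path_acl_permits(rules, p)]


if __name__ == "__main__":
    # Constructed ACL: drop anything that transits AS 701, accept everything else.
    acl = [AsPathRule("deny", "_701_"), AsPathRule("permit", ".*")]
    received = [[701, 3549, 19421], [209, 4637, 1221], [17011], []]
    for path in received:
        print(f"{as_path_text(path) or '(local)':<22} -> {'permit' if as_path_acl_permits(acl, path) else 'deny'}")
```

Note that "_701_" does not match the path "17011" because the underscore requires a delimiter on both sides, whereas a plain "701" would; ^$ matches only locally originated routes, whose AS path is empty.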
Example of Viewing Aggregated Routes

In the show ip bgp command, aggregates contain an ‘a’ in the first column (shown in bold) and routes suppressed by the aggregate contain an ‘s’ in the first column.

Dell#show ip bgp
BGP table version is 0, local router ID is 10.101.15.13
Status codes: s suppressed, d damped, h history, * valid, > best
Path source: I - internal, a - aggregate, c - confed-external, r - redistributed, n - network
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network
*> 7.0.0.0/29
*> 7.0.0.
• Attribute change
When dampening is applied to a route, its path is described by one of the following terms:
• history entry — an entry that stores information on a downed route
• dampened path — a path that is no longer advertised
• penalized path — a path that is assigned a penalty
To configure route flap dampening parameters, set dampening parameters using a route map, clear information on route dampening and return suppressed routes to active state, view statistics on route flapping, or change
• with the most recent). Furthermore, in non-deterministic mode, the software may not compare MED attributes though the paths are from the same AS.
Change the best path selection method to non-deterministic.
CONFIG-ROUTER-BGP mode
bgp non-deterministic-med

NOTE: When you change the best path selection method, path selection for existing paths remains unchanged until you reset it by entering the clear ip bgp command in EXEC Privilege mode.
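The MED rules from the best path selection criteria (compare only when the first AS matches, bgp always-compare-med, a missing MED counted as 4294967295 or, with bgp bestpath med missing-as-best, as the most preferred) and the difference between deterministic and non-deterministic mode described above are easiest to see on a concrete set of paths. The following Python is an added example, not part of the Dell guide and not Dell code. It applies the criteria in the standard order (weight, local preference, locally originated, AS path length, origin, MED, eBGP over iBGP, IGP cost, router ID); the steps other than MED are the usual BGP order and are an assumption here, since the page's list is only partly reproduced.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MED_MISSING_WORST = 4294967295   # value assigned to a path that carries no MED


@dataclass
class Path:
    prefix: str
    as_path: List[int]          # first element is the neighboring AS; empty = locally originated
    med: Optional[int] = None
    weight: int = 0
    local_pref: int = 100
    origin: int = 0             # 0 = IGP, 1 = EGP, 2 = INCOMPLETE (lower preferred)
    ebgp: bool = True
    igp_cost: int = 0
    router_id: str = "0.0.0.0"

    @property
    def first_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def effective_med(p: Path, missing_as_best: bool = False) -> int:
    if p.med is not None:
        return p.med
    return 0 if missing_as_best else MED_MISSING_WORST


def meds_comparable(a: Path, b: Path, always_compare_med: bool = False) -> bool:
    """MED is compared only between paths with the same neighboring AS,
    unless 'bgp always-compare-med' is configured."""
    return always_compare_med or (a.first_as is not None and a.first_as == b.first_as)


def prefer(a: Path, b: Path, always_compare_med: bool = False, missing_as_best: bool = False) -> Path:
    """Return the better of two paths, checking the criteria in order."""
    if a.weight != b.weight:
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if (not a.as_path) != (not b.as_path):          # locally originated wins
        return a if not a.as_path else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if a.origin != b.origin:
        return a if a.origin < b.origin else b
    if meds_comparable(a, b, always_compare_med):
        ma, mb = effective_med(a, missing_as_best), effective_med(b, missing_as_best)
        if ma != mb:
            return a if ma < mb else b
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b
    if a.igp_cost != b.igp_cost:
        return a if a.igp_cost < b.igp_cost else b
    return a if _ip_key(a.router_id) <= _ip_key(b.router_id) else b


def _reduce(paths: List[Path], **opts) -> Path:
    best = paths[0]
    for p in paths[1:]:
        best = prefer(best, p, **opts)
    return best


def best_path(paths: List[Path], deterministic: bool = True, **opts) -> Optional[Path]:
    if not paths:
        return None
    if not deterministic:
        # Paths are compared in the order received, so MED is only ever checked between
        # adjacent comparisons and two paths from the same AS may never be MED-compared.
        return _reduce(paths, **opts)
    # Deterministic mode: pick the best within each neighboring-AS group first (MED is
    # always comparable there), then compare the group winners against each other.
    groups: Dict[Optional[int], List[Path]] = {}
    for p in paths:
        groups.setdefault(p.first_as, []).append(p)
    return _reduce([_reduce(g, **opts) for g in groups.values()], **opts)


if __name__ == "__main__":
    # Constructed paths for one prefix, listed in the order they were received.
    received = [
        Path("10.0.0.0/24", [200, 1], med=20, router_id="1.1.1.1"),
        Path("10.0.0.0/24", [100, 1], med=30, router_id="2.2.2.2"),
        Path("10.0.0.0/24", [200, 1], med=10, router_id="3.3.3.3"),
    ]
    for mode in (False, True):
        print("deterministic" if mode else "non-deterministic", "->", best_path(received, mode).router_id)
```

With the constructed input, non-deterministic mode never MED-compares the two AS 200 paths against each other before the AS 100 path wins on router ID, so the result depends on arrival order; deterministic mode first reduces AS 200 to its lowest-MED path and then decides on router ID, which is why the guide recommends resetting the neighbors after changing the mode.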
When two neighbors, configured with different keepalive and holdtime values, negotiate for new values, the resulting values are as follows:
• the lower of the holdtime values is the new holdtime value, and
• the lower of one-third of the new holdtime value and the configured keepalive value is the new keepalive value.
• Configure timer values for a BGP neighbor or peer group.
clear ip bgp {* | neighbor-address | AS Numbers | ipv4 | peer-group-name} [soft [in | out]]
– *: Clears all peers.
– neighbor-address: Clears the neighbor with this IP address.
– AS Numbers: Peers’ AS numbers to be cleared.
– ipv4: Clears information for the IPv4 address family.
– peer-group-name: Clears all members of the specified peer group.
• Enable soft-reconfiguration for the BGP neighbor specified.
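The timer negotiation rule above is applied to the hold time each peer announces in its OPEN message, and the same message is where 4-byte AS support (bgp four-octet-as-support) is negotiated. The following Python encoder and decoder is an added example, not part of the Dell guide and not Dell code; it follows the RFC 4271 OPEN layout and the RFC 6793 4-octet AS capability (code 65, with AS_TRANS 23456 in the 2-byte field), and the decoder checks every length field before using it rather than trusting the peer. The OpenMsg class and function names are the author's own.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

BGP_MARKER = b"\xff" * 16
OPEN_TYPE = 1
OPT_PARAM_CAPABILITIES = 2
CAP_FOUR_OCTET_AS = 65     # capability code for 4-byte AS numbers (RFC 6793)
AS_TRANS = 23456           # value a 4-byte speaker puts in the 2-byte 'My AS' field


@dataclass
class OpenMsg:
    my_as: int
    hold_time: int          # seconds; 0 disables keepalives, otherwise at least 3
    router_id: str
    capabilities: List[Tuple[int, bytes]] = field(default_factory=list)


def build_open(msg: OpenMsg) -> bytes:
    """Encode an OPEN; an AS above 65535 goes into capability 65 and AS_TRANS into the header."""
    caps = list(msg.capabilities)
    as_field = msg.my_as
    if msg.my_as > 65535:
        caps.append((CAP_FOUR_OCTET_AS, struct.pack("!I", msg.my_as)))
        as_field = AS_TRANS
    cap_bytes = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in caps)
    opt_params = struct.pack("!BB", OPT_PARAM_CAPABILITIES, len(cap_bytes)) + cap_bytes if cap_bytes else b""
    router_id = bytes(int(octet) for octet in msg.router_id.split("."))
    body = struct.pack("!BHH", 4, as_field, msg.hold_time) + router_id
    body += struct.pack("!B", len(opt_params)) + opt_params
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), OPEN_TYPE) + body


def parse_open(data: bytes) -> OpenMsg:
    """Decode an OPEN, rejecting malformed input instead of trusting the peer's length fields."""
    if len(data) < 29 or data[:16] != BGP_MARKER:
        raise ValueError("bad marker or truncated header")
    length, msg_type = struct.unpack("!HB", data[16:19])
    if msg_type != OPEN_TYPE or length != len(data):
        raise ValueError("not an OPEN or length field does not match")
    version, my_as, hold_time = struct.unpack("!BHH", data[19:24])
    if version != 4:
        raise ValueError("unsupported BGP version")
    if hold_time in (1, 2):
        raise ValueError("hold time must be 0 or at least 3 seconds")
    router_id = ".".join(str(b) for b in data[24:28])
    if 29 + data[28] != length:
        raise ValueError("optional parameter length disagrees with message length")
    caps: List[Tuple[int, bytes]] = []
    pos = 29
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated optional parameter")
        ptype, plen = data[pos], data[pos + 1]
        pval = data[pos + 2:pos + 2 + plen]
        if len(pval) != plen:
            raise ValueError("optional parameter overruns message")
        pos += 2 + plen
        if ptype != OPT_PARAM_CAPABILITIES:
            continue
        cpos = 0
        while cpos < plen:
            if cpos + 2 > plen:
                raise ValueError("truncated capability")
            code, clen = pval[cpos], pval[cpos + 1]
            cval = pval[cpos + 2:cpos + 2 + clen]
            if len(cval) != clen:
                raise ValueError("capability overruns parameter")
            caps.append((code, cval))
            cpos += 2 + clen
    for code, val in caps:
        if code == CAP_FOUR_OCTET_AS:
            if len(val) != 4:
                raise ValueError("4-octet AS capability must carry 4 bytes")
            my_as = struct.unpack("!I", val)[0]     # the real AS; the header holds AS_TRANS
    return OpenMsg(my_as, hold_time, router_id, caps)


def negotiate_timers(local_hold: int, local_keepalive: int, remote_hold: int) -> Tuple[int, int]:
    """Hold time becomes the lower of the two; keepalive the lower of the configured
    value and one-third of the new hold time (a hold time of 0 means no keepalives)."""
    hold = min(local_hold, remote_hold)
    if hold == 0:
        return 0, 0
    return hold, min(local_keepalive, hold // 3)


if __name__ == "__main__":
    # Constructed exchange: a 4-byte AS speaker with the guide's default timers meets a peer announcing 90 s.
    local = OpenMsg(my_as=100000, hold_time=180, router_id="172.30.1.57")
    remote = parse_open(build_open(OpenMsg(my_as=65057, hold_time=90, router_id="172.30.1.250")))
    print("peer AS", remote.my_as, "negotiated (hold, keepalive) =", negotiate_timers(180, 60, remote.hold_time))
```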
Enabling MBGP Configurations Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing. The routes associated with multicast routing are used by the protocol independent multicast (PIM) to build data distribution trees. The Dell Networking OS MBGP is implemented per RFC 1858. You can enable the MBGP feature per router and/or per peer/peergroup. The default is IPv4 Unicast routes.
• debug ip bgp dampening [in | out]
View information about local BGP state changes and other BGP events.
EXEC Privilege mode
• debug ip bgp [ip-address | peer-group peer-group-name] events [in | out]
View information about BGP KEEPALIVE messages.
EXEC Privilege mode
• debug ip bgp [ip-address | peer-group peer-group-name] keepalive [in | out]
View information about BGP notifications received from or sent to neighbors.
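The route flap dampening behaviour that debug ip bgp dampening reports on (a penalty per flap, exponential decay with a half-life, suppression above one limit and reuse below another, and the history, dampened and penalized states described earlier) is shown below as an added Python model. It is not part of the Dell guide and not Dell code; the default parameter values in DampeningParams (half-life 15 minutes, reuse 750, suppress 2000, maximum suppress time 60 minutes, 1000 per flap) are an assumption for the example and should be read from the router's own configuration in practice.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DampeningParams:
    half_life_min: float = 15.0      # minutes for an accumulated penalty to halve
    reuse_limit: int = 750           # once the penalty decays below this, the path is readvertised
    suppress_limit: int = 2000       # once the penalty reaches this, the path is withdrawn (dampened)
    max_suppress_min: float = 60.0   # a path is never suppressed longer than this
    flap_penalty: int = 1000         # added for each flap (withdraw/readvertise or attribute change)

    def max_penalty(self) -> float:
        """The penalty is capped so that a path always decays to reuse within max_suppress_min."""
        return self.reuse_limit * 2 ** (self.max_suppress_min / self.half_life_min)


@dataclass
class DampenedPath:
    prefix: str
    penalty: float = 0.0
    updated_min: float = 0.0
    suppressed: bool = False
    suppressed_since_min: Optional[float] = None

    def current_penalty(self, now_min: float, params: DampeningParams) -> float:
        """Penalty after exponential decay since the last flap."""
        return self.penalty * math.pow(0.5, (now_min - self.updated_min) / params.half_life_min)


def record_flap(path: DampenedPath, now_min: float, params: DampeningParams) -> DampenedPath:
    """Called when the route is withdrawn, readvertised, or changes attributes."""
    path.penalty = min(path.current_penalty(now_min, params) + params.flap_penalty, params.max_penalty())
    path.updated_min = now_min
    if not path.suppressed and path.penalty >= params.suppress_limit:
        path.suppressed = True
        path.suppressed_since_min = now_min
    return path


def is_advertisable(path: DampenedPath, now_min: float, params: DampeningParams) -> bool:
    """Release a dampened path once its penalty decays below the reuse limit
    or the maximum suppress time has passed."""
    if path.suppressed:
        timed_out = now_min - path.suppressed_since_min >= params.max_suppress_min
        if path.current_penalty(now_min, params) < params.reuse_limit or timed_out:
            path.suppressed = False
            path.suppressed_since_min = None
    return not path.suppressed


def path_state(path: DampenedPath, now_min: float, params: DampeningParams) -> str:
    """'dampened' = withdrawn; 'penalized' = still advertised but carrying a penalty; 'clear' otherwise."""
    if not is_advertisable(path, now_min, params):
        return "dampened"
    return "penalized" if path.current_penalty(now_min, params) > 0 else "clear"


if __name__ == "__main__":
    # Constructed timeline: three flaps one minute apart, then observation over half an hour.
    params = DampeningParams()
    route = DampenedPath("10.10.21.0/24")
    for t in (0.0, 1.0, 2.0):
        record_flap(route, t, params)
        print(f"t={t:5.1f} min  penalty={route.penalty:7.1f}  state={path_state(route, t, params)}")
    for t in (20.0, 32.0):
        print(f"t={t:5.1f} min  penalty={route.current_penalty(t, params):7.1f}  state={path_state(route, t, params)}")
```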
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)

For address family: IPv4 Unicast
BGP table version 1395, neighbor version 1394
Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by peer
Prefixes advertised 0, rejected 0, 0 withdrawn from peer

Connections established 3; dropped 2
Last reset 00:00:12, due to Missing well known attribute
Notification History
  'UPDATE error/Missing well-
Figure 24. Sample Configurations

Example of Enabling BGP (Router 1)
Example of Enabling BGP (Router 2)
Example of Enabling BGP (Router 3)
Example of Enabling Peer Groups (Router 1)
Example of Enabling Peer Groups (Router 2)
Example of Enabling Peer Groups (Router 3)

R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.
interface GigabitEthernet 1/31
 ip address 10.0.3.31/24
 no shutdown
R1(conf-if-gi-1/31)#router bgp 99
R1(conf-router_bgp)#network 192.168.128.0/24
R1(conf-router_bgp)#neighbor 192.168.128.2 remote 99
R1(conf-router_bgp)#neighbor 192.168.128.2 no shut
R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0
R1(conf-router_bgp)#neighbor 192.168.128.3 remote 100
R1(conf-router_bgp)#neighbor 192.168.128.3 no shut
R1(conf-router_bgp)#neighbor 192.168.128.
R2(conf-router_bgp)#neighbor 192.168.128.1 no shut
R2(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0
R2(conf-router_bgp)#neighbor 192.168.128.3 remote 100
R2(conf-router_bgp)#neighbor 192.168.128.3 no shut
R2(conf-router_bgp)#neighbor 192.168.128.3 update loop 0
R2(conf-router_bgp)#show config
!
router bgp 99
 bgp router-id 192.168.128.2
 network 192.168.128.0/24
 bgp graceful-restart
 neighbor 192.168.128.1 remote-as 99
 neighbor 192.168.128.1 update-source Loopback 0
 neighbor 192.168.128.
R3(conf-router_bgp)#neighbor 192.168.128.1 remote 99
R3(conf-router_bgp)#neighbor 192.168.128.1 no shut
R3(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0
R3(conf-router_bgp)#neighbor 192.168.128.2 remote 99
R3(conf-router_bgp)#neighbor 192.168.128.2 no shut
R3(conf-router_bgp)#neighbor 192.168.128.2 update loop 0
R3(conf-router_bgp)#show config
!
router bgp 100
 network 192.168.128.0/24
 neighbor 192.168.128.1 remote-as 99
 neighbor 192.168.128.1 update-source Loopback 0
 neighbor 192.168.128.
Neighbor         AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.2    99   23       24       1       0    (0)   00:00:17  1
192.168.128.3    100  30       29       1       0    (0)   00:00:14  1
!
R1#show ip bgp neighbors
BGP neighbor is 192.168.128.2, remote AS 99, internal link
  Member of peer-group AAA for session parameters
  BGP version 4, remote router ID 192.168.128.
BGP table version 1, neighbor version 1
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer

Connections established 4; dropped 3
Last reset 00:00:54, due to user reset
R1#

R2#conf
R2(conf)#router bgp 99
R2(conf-router_bgp)# neighbor CCC peer-group
R2(conf-router_bgp)# neighbor CC no shutdown
R2(conf-router_bgp)# neighbor BBB peer-group
R2(conf-router_bgp)# neighbor BBB no shutdown
R2(conf-router_bgp)# neighbor 192.168.128.
R3#conf
R3(conf)#router bgp 100
R3(conf-router_bgp)# neighbor AAA peer-group
R3(conf-router_bgp)# neighbor AAA no shutdown
R3(conf-router_bgp)# neighbor CCC peer-group
R3(conf-router_bgp)# neighbor CCC no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.2 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.
Capabilities advertised to neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)

Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 2, neighbor version 2
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer

Connections established 6; dropped 5
Last reset 00:12:01, due to Closed by neighbor
Notification History
  'HOLD error/Timer expired
10 Content Addressable Memory (CAM)

Content addressable memory (CAM) is a type of memory that stores information in the form of a lookup table. On Dell Networking systems, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies.

CAM Allocation

Allocate space for IPV4 ACLs and quality of service (QoS) regions by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in filter processor (FP) blocks.
NOTE: Selecting default resets the CAM entries to the default settings. Select l2acl to allocate space for the ACLs and QoS regions.
2. Enter the number of FP blocks for each region.
EXEC Privilege mode
l2acl number ipv4acl number ipv6acl number, ipv4qos number l2qos number, l2pt number ipmacacl number ecfmacl number nlbcluster number[vman-qos | vman-dual-qos number
3. Reload the system.
EXEC Privilege mode
reload
4. Verify that the new settings will be written to the CAM on the next boot.
Ipv4Qos      : 2
L2Qos        : 1
L2PT         : 0
IpMacAcl     : 0
VmanQos      : 0
VmanDualQos  : 0
EcfmAcl      : 0
FcoeAcl      : 0
iscsiOptAcl  : 2
Dell#

CAM Optimization

When you enable this command, if a Policy Map containing classification rules (ACL and/or dscp/ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only 1 FP entry is used). When you disable this command, the system behaves as described in this chapter.
11 Control Plane Policing (CoPP)

Control plane policing (CoPP) is supported on the MXL switch. CoPP uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits the remaining traffic to an acceptable level.
Figure 26. CoPP Implemented Versus CoPP Not Implemented

Configure Control Plane Policing

The MXL switch can process a maximum of 4200 PPS (packets per second). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per-protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
Configuring CoPP for Protocols

This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffic according to the ACL.
Dell(conf)#ip access-list extended bgp cpu-qos
Dell(conf-ip-acl-cpuqos)#permit bgp
Dell(conf-ip-acl-cpuqos)#exit
Dell(conf)#mac access-list extended lacp cpu-qos
Dell(conf-mac-acl-cpuqos)#permit lacp
Dell(conf-mac-acl-cpuqos)#exit
Dell(conf)#ipv6 access-list ipv6-icmp cpu-qos
Dell(conf-ipv6-acl-cpuqos)#permit icmp
Dell(conf-ipv6-acl-cpuqos)#exit
Dell(conf)#ipv6 access-list ipv6-vrrp cpu-qos
Dell(conf-ipv6-acl-cpuqos)#permit vrrp
Dell(conf-ipv6-acl-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_200k cpu-qo
The basics for creating a CoPP service policy are to create QoS policies for the desired CPU-bound queues and associate each with a particular rate limit. The QoS policies are assigned to a control-plane service policy for each port-pipe.
1. Create a QoS input policy for the router and assign the policing.
CONFIGURATION mode
qos-policy-input name cpu-qos
2. Create an input policy-map to assign the QoS policy to the desired service queues.
Q1     300
Q2     300
Q3     300
Q4     2000
Q5     400
Q6     400
Q7     1100
Dell#

To view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping command.
12 Data Center Bridging (DCB)

Data center bridging (DCB) is supported on the FC Flex IO module installed in the MXL 10/40GbE Switch.

Ethernet Enhancements in Data Center Bridging

The following section describes DCB.
• Data Center Bridging Exchange (DCBx) protocol

NOTE: In the Dell Networking OS version 8.3.12.0, only the PFC, ETS, and DCBx features are supported in data center bridging.

Priority-Based Flow Control

In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion.
bandwidth. For example, you can prioritize low-latency storage or server cluster traffic in a traffic class to receive more bandwidth and restrict best-effort LAN traffic assigned to a different traffic class. Although you can configure strict-priority queue scheduling for a priority group, ETS introduces flexibility that allows the bandwidth allocated to each priority group to be dynamically managed according to the amount of LAN, storage, and server traffic in a flow.
Data Center Bridging Exchange Protocol (DCBx)

DCBx allows a switch to automatically discover DCB-enabled peers and exchange configuration information. PFC and ETS use DCBx to exchange and negotiate parameters with peer devices. DCBx capabilities include:
• Discovery of DCB capabilities on peer-device connections.
• Determination of possible mismatch in DCB configuration on a peer link.
• Configuration of a peer device over a DCB link.
For DCB to operate effectively, you can classify ingress traffic according to its dot1p priority so that it maps to different data queues. The dot1p-queue assignments used are shown in the following table. On the MXL Switch, by default, DCB is enabled and MMU buffers are reserved to achieve no-drop traffic handling for PFC. Disabling DCB does not release the buffers reserved by default.
Step 3. Specify the dot1p priority-to-priority group mapping for each priority.
Command: priority-pgid dot1p0_group_num dot1p1_group_num dot1p2_group_num dot1p3_group_num
Priority-group range: 0 to 7. All priorities that map to the same queue must be in the same priority group. Leave a space between each priority group number.
Step 1. Enter interface configuration mode on an Ethernet port.
Command: interface {tengigabitEthernet slot/port | fortygigabitEthernet slot/port}
Command Mode: CONFIGURATION
Step 2. Enable PFC on specified priorities. Range: 0-7. Default: None.
Command: pfc priority priority-range
Command Mode: INTERFACE
Maximum number of lossless queues supported on an Ethernet port: 2. Separate priority values with a comma. Specify a priority range with a dash, for example: pfc priority 3,5-7
Step 6. Configure the port queues that still function as no-drop queues for lossless traffic.
Command: pfc no-drop queues queue-range
Command Mode: INTERFACE
The maximum number of lossless queues globally supported on a port is 2. You cannot configure PFC no-drop queues on an interface on which a DCB map with PFC enabled has been applied, or which is already configured for PFC using the pfc priority command. Range: 0-3.
%Error: Deprecated command is not supported on interfaces with dcb-buffer-threshold configured
You must not modify the service-class dot1p mappings when any buffer-threshold-policy is configured on the system.
Dell(conf)#service-class dot1p-mapping dot1p0 3
% Error: PFC buffer-threshold policies conflict with dot1p mappings. Please remove all dcb-buffer-threshold policies to change mappings.
Priority group range is from 0 to 7. All priorities that map to the same queue must be in the same priority group. Leave a space between each priority group number. For example: priority-pgid 0 0 0 1 2 4 4 4 in which priority group 0 maps to dot1p priorities 0, 1, and 2; priority group 1 maps to dot1p priority 3; priority group 2 maps to dot1p priority 4; priority group 4 maps to dot1p priorities 5, 6, and 7.
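The queue-consistency rule above is easy to get wrong by hand when the argument string is eight bare numbers, so here is a small checker for it. This is an added example written for this page, not Dell code or CLI output; it assumes the default dot1p-to-queue assignment from the guide's dot1p Priority-Queue Assignment table (dot1p 0, 1, 2 to queue 0; 3 to queue 1; 4 to queue 2; 5, 6, 7 to queue 3), and the function names are my own.

```python
"""Check a priority-pgid argument string against the ETS rule that all dot1p
priorities sharing a queue must sit in the same priority group."""
from collections import defaultdict

# Default dot1p-to-queue assignment for the MXL (taken from the guide's
# dot1p Priority-Queue Assignment table). Pass your own mapping if
# service-class dot1p-mapping has changed it on your switch.
DOT1P_TO_QUEUE = {0: 0, 1: 0, 2: 0, 3: 1, 4: 2, 5: 3, 6: 3, 7: 3}


def parse_priority_pgid(arg_string):
    """Parse the eight space-separated group numbers that follow 'priority-pgid'.
    Returns a list indexed by dot1p value (0..7)."""
    groups = [int(tok) for tok in arg_string.split()]
    if len(groups) != 8:
        raise ValueError("priority-pgid needs one group number per dot1p value (8), got %d"
                         % len(groups))
    for dot1p, pg in enumerate(groups):
        if not 0 <= pg <= 7:
            raise ValueError("dot1p %d: priority group %d is outside 0-7" % (dot1p, pg))
    return groups


def queue_conflicts(groups, dot1p_to_queue=DOT1P_TO_QUEUE):
    """Return {queue: [groups]} for every queue whose dot1p priorities were
    split across more than one priority group. An empty dict means the
    mapping is consistent with the queue assignment."""
    groups_per_queue = defaultdict(set)
    for dot1p, pg in enumerate(groups):
        groups_per_queue[dot1p_to_queue[dot1p]].add(pg)
    return {q: sorted(pgs) for q, pgs in groups_per_queue.items() if len(pgs) > 1}


def priority_groups(groups):
    """Invert the mapping to {priority group: [dot1p priorities]}, which is
    how the guide describes its example (group 0 -> 0, 1, 2 and so on)."""
    inverted = defaultdict(list)
    for dot1p, pg in enumerate(groups):
        inverted[pg].append(dot1p)
    return dict(inverted)


def validate_priority_pgid(arg_string, dot1p_to_queue=DOT1P_TO_QUEUE):
    """Return (ok, conflicts) for a priority-pgid argument string."""
    groups = parse_priority_pgid(arg_string)
    conflicts = queue_conflicts(groups, dot1p_to_queue)
    return (not conflicts, conflicts)


if __name__ == "__main__":
    for arg in ("0 0 0 1 2 4 4 4", "0 1 0 1 2 4 4 4"):
        ok, conflicts = validate_priority_pgid(arg)
        print(arg, "->", "ok" if ok else "conflict on queues %s" % conflicts)
```

The guide's own example, priority-pgid 0 0 0 1 2 4 4 4, passes; moving dot1p 1 into group 1 while dot1p 0 and 2 stay in group 0 splits queue 0 across two groups and is reported as a conflict.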
INTERFACE mode
pfc no-drop queues queue-range
For the dot1p-queue assignments, refer to the dot1p Priority-Queue Assignment table. The maximum number of lossless queues globally supported on the switch is four. The range is from 0 to 3. Separate the queue values with a comma; specify a queue range with a dash; for example, pfc no-drop queues 1,3 or pfc no-drop queues 2-3. The default: No lossless queues are configured.
If you configure the PFC buffer on all stack units, delete the startup configuration on both the master and standby, and reload the stack, the new master (previously standby) generates the following syslog message for each stack unit when it boots up: PFC_BUFFER_CONFIG_CHANGED is generated for all stack units.
This default behavior is impacted if you modify the total buffer available for PFC or assign static buffer configurations to the individual PFC queues.
Configure Enhanced Transmission Selection
ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs. Using ETS, you can create groups within an 802.
3. Configure the 802.1p priorities for the traffic on which you want to apply an ETS output policy.
PRIORITY-GROUP mode
priority-list value
The range is from 0 to 7. The default is none. Separate priority values with a comma. Specify a priority range with a dash. For example, priority-list 3,5-7.
4. Exit priority-group configuration mode.
PRIORITY-GROUP mode
exit
5. Repeat Steps 1 to 4 to configure all remaining dot1p priorities in an ETS priority group.
If you configure only the priority group in an ETS output policy or only the dot1p priority for strict-priority scheduling, the flow is handled with group strict priority.
Configuring Bandwidth Allocation for DCBx CIN
After you apply an ETS output policy to an interface, if the DCBx version used in your data center network is CIN, you may need to configure a QoS output policy to overwrite the default CIN bandwidth allocation.
Hierarchical Scheduling in ETS Output Policies
ETS supports up to three levels of hierarchical scheduling. For example, you can apply ETS output policies with the following configurations:
Priority group 1: Assigns traffic to one priority queue with 20% of the link bandwidth and strict-priority scheduling.
Priority group 2: Assigns traffic to one priority queue with 30% of the link bandwidth.
Using PFC and ETS to Manage Data Center Traffic
The following shows examples of using PFC and ETS to manage your data center traffic. In the following example:
• Incoming SAN traffic is configured for priority-based flow control.
• Outbound LAN, IPC, and SAN traffic is mapped into three ETS priority groups and configured for enhanced transmission selection (bandwidth allocation and scheduling).
• One lossless queue is used.
Figure 30.
dot1p Value in Incoming Frame   Queue Assignment
0                               0
1                               0
2                               0
3                               1
4                               2
5                               3
6                               3
7                               3
The following describes the dot1p-priority class group assignment.
dot1p Value in the Incoming Frame   Priority Group Assignment
0                                   LAN
1                                   LAN
2                                   LAN
3                                   SAN
4                                   IPC
5                                   LAN
6                                   LAN
7                                   LAN
The following describes the priority group-bandwidth assignment.
Applying DCB Policies in a Switch Stack
You can apply a DCB policy with PFC configuration to all stacked ports in a switch stack or on a stacked switch. You can apply different DCB policies to different stacked switches. To apply DCB policies in a switch stack, use the following command.
Example of Applying DCB PFC Input Policy and ETS Output Policy in a Switch Stack
dcb-map stack-unit all stack-ports all
The first auto-upstream port that is capable of receiving a peer configuration is elected as the configuration source. The elected configuration source then internally propagates the configuration to other auto-upstream and auto-downstream ports. A port that receives an internally propagated configuration overwrites its local configuration with the new parameter values.
On a DCBx port in a manual role, all PFC, application priority, ETS recommend, and ETS configuration TLVs are enabled. The default for the DCBx port role is manual.
NOTE: On a DCBx port, application priority TLV advertisements are handled as follows:
• The application priority TLV is transmitted only if the priorities in the advertisement match the configured PFC priorities on the port.
Propagation of DCB Information
When an auto-upstream or auto-downstream port receives a DCB configuration from a peer, the port acts as a DCBx client and checks if a DCBx configuration source exists on the switch.
• If a configuration source is found, the received configuration is checked against the currently configured values that are internally propagated by the configuration source.
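The election, propagation and client-side comparison described above, as an added example that is not Dell code: a small model of one switch's DCBx ports. The port names, the dictionary form of the DCB parameters, and the behaviours marked as assumptions in the comments (a manual-role port keeps its local configuration; an auto-downstream port that hears a peer before any source is elected keeps its local configuration) are mine; the guide states only the election, overwrite and comparison rules.

```python
"""Model of DCBx configuration-source election and internal propagation."""

AUTO_ROLES = ("auto-upstream", "auto-downstream")


class DcbxSwitch:
    """Ports with a DCBx role and the DCB parameters each port currently runs."""

    def __init__(self):
        self.ports = {}            # port name -> {"role": ..., "config": {...}}
        self.config_source = None  # port elected as configuration source

    def add_port(self, name, role, local_config=None):
        if role not in AUTO_ROLES + ("manual",):
            raise ValueError("unknown DCBx role %r" % role)
        self.ports[name] = {"role": role, "config": dict(local_config or {})}

    def receive_peer_config(self, port, peer_config):
        """A port receives PFC/ETS parameters from its DCBx peer.
        Returns a (result, detail) tuple describing what the switch did."""
        p = self.ports[port]
        if p["role"] == "manual":
            # Assumption: a manual-role port keeps its local configuration.
            return ("ignored", "manual role")
        if self.config_source is None:
            if p["role"] != "auto-upstream":
                # Only an auto-upstream port can be elected (per the guide);
                # assumption: a downstream port with no source keeps local config.
                return ("no-source", None)
            self.config_source = port
            p["config"] = dict(peer_config)
            self._propagate(peer_config)
            return ("elected", port)
        # A source exists: act as a DCBx client and compare the received values
        # with the values the source propagated internally.
        propagated = self.ports[self.config_source]["config"]
        diff = {k: (propagated.get(k), v) for k, v in peer_config.items()
                if propagated.get(k) != v}
        return ("match", None) if not diff else ("mismatch", diff)

    def _propagate(self, config):
        """Push the source's configuration to every other auto port,
        overwriting whatever was configured locally there."""
        for name, p in self.ports.items():
            if name != self.config_source and p["role"] in AUTO_ROLES:
                p["config"] = dict(config)

    def running_config(self, port):
        return self.ports[port]["config"]


if __name__ == "__main__":
    sw = DcbxSwitch()
    sw.add_port("Te 0/49", "auto-upstream")
    sw.add_port("Te 0/1", "auto-downstream", {"pfc": (0,)})
    print(sw.receive_peer_config("Te 0/49", {"pfc": (3,), "ets": {0: 60, 1: 40}}))
    print("Te 0/1 now runs", sw.running_config("Te 0/1"))
```

The mismatch result is the information a practitioner wants surfaced: a server-facing port whose CNA advertises a PFC priority other than the one the fabric-facing source propagated is exactly the "possible mismatch in DCB configuration on a peer link" that DCBx exists to detect.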
Figure 31. DCBx Sample Topology
DCBx Prerequisites and Restrictions
The following prerequisites and restrictions apply when you configure DCBx operation on a port:
• For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
2. Configure server-facing interfaces as auto-downstream ports.
3. Configure a port to operate in a configuration-source role.
4. Configure ports to operate in a manual role.
1. Enter INTERFACE Configuration mode.
CONFIGURATION mode
interface type slot/port
2. Enter LLDP Configuration mode to enable DCBx operation.
INTERFACE mode
[no] protocol lldp
3. Configure the DCBx version used on the interface, where:
auto configures the port to operate using the DCBx version received from a peer.
PROTOCOL LLDP mode
[no] advertise DCBx-appln-tlv {fcoe | iscsi}
• fcoe: enables the advertisement of FCoE in Application Priority TLVs.
• iscsi: enables the advertisement of iSCSI in Application Priority TLVs.
The default is that Application Priority TLVs are enabled and advertise FCoE and iSCSI.
NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-appln-tlv iscsi.
– all: enables all DCBx debugging operations.
– auto-detect-timer: enables traces for DCBx auto-detect timers.
– config-exchng: enables traces for DCBx configuration exchanges.
– fail: enables traces for DCBx failures.
– mgmt: enables traces for DCBx management frames.
– resource: enables traces for DCBx system resource frames.
– sem: enables traces for the DCBx state machine.
– tlv: enables traces for DCBx TLVs.
Example of the show dot1p-queue mapping Command
Example of the show dcb Command
Example of the show interfaces pfc summary Command
Example of the show interface pfc statistics Command
Example of the show interface ets summary Command
Example of the show interface ets detail Command
Example of the show stack-unit all stack-ports all pfc details Command
Example of the show stack-unit all stack-ports all ets details Command
Example of the show interface DCBx detail Command
Dell(conf)# show dot1p-queue-mapping
Local FCOE PriorityMap is 0x8
Local ISCSI PriorityMap is 0x10
Remote FCOE PriorityMap is 0x8
Remote ISCSI PriorityMap is 0x8
0 Input TLV pkts, 1 Output TLV pkts, 0 Error pkts, 0 Pause Tx pkts, 0 Pause Rx pkts
The following table describes the show interface pfc summary command fields.
Table 11. show interface pfc summary Command Description
Fields      Description
Interface   Interface type with stack-unit and port number.
Fields                                               Description
Application Priority TLV: Remote FCOE Priority Map   Status of FCoE advertisements in application priority TLVs from remote peer port: enabled or disabled.
Application Priority TLV: Remote ISCSI Priority Map  Status of iSCSI advertisements in application priority TLVs from remote peer port: enabled or disabled.
PFC TLV Statistics: Input TLV pkts                   Number of PFC TLVs received.
PFC TLV Statistics: Output TLV pkts                  Number of PFC TLVs transmitted.
Priority group  Priority#          Bandwidth  TSA
0               0,1,2,3,4,5,6,7    100%       ETS
1                                  0%         ETS
2                                  0%         ETS
3                                  0%         ETS
4                                  0%         ETS
5                                  0%         ETS
6                                  0%         ETS
7                                  0%         ETS
Priority#  Bandwidth  TSA
0          13%        ETS
1          13%        ETS
2          13%        ETS
3          13%        ETS
4          12%        ETS
5          12%        ETS
6          12%        ETS
7          12%        ETS
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts
The following table describes the show interface ets detail command fields.
Table 12.
Field                                    Description
Conf TLV Tx Status                       Status of ETS Configuration TLV advertisements: enabled or disabled.
ETS TLV Statistic: Input Conf TLV pkts   Number of ETS Configuration TLVs received.
ETS TLV Statistic: Output Conf TLV pkts  Number of ETS Configuration TLVs transmitted.
ETS TLV Statistic: Error Conf TLV pkts   Number of ETS Error Configuration TLVs received.
Dell(conf)# show interface tengigabitethernet 0/49 dcbx detail
Dell#show interface te 0/49 dcbx detail
E-ETS Configuration TLV enabled           e-ETS Configuration TLV disabled
R-ETS Recommendation TLV enabled          r-ETS Recommendation TLV disabled
P-PFC Configuration TLV enabled           p-PFC Configuration TLV disabled
F-Application priority for FCOE enabled   f-Application Priority for FCOE disabled
I-Application priority for iSCSI enabled  i-Application Priority for iSCSI disabled
------------------------------------------------
Field                                        Description
Local DCBx Configured mode                   DCBx version configured on the port: CEE, CIN, IEEE v2.5, or Auto (port auto-configures to use the DCBx version received from a peer).
Peer Operating version                       DCBx version that the peer uses to exchange DCB parameters.
Local DCBx TLVs Transmitted                  Transmission status (enabled or disabled) of advertised DCB TLVs (see TLV code at the top of the show command output).
Local DCBx Status: DCBx Operational Version  DCBx version advertised in Control TLVs.
NOTE: Dell Networking does not recommend mapping all ingress traffic to a single queue when using PFC and ETS. However, Dell Networking does recommend ingress traffic classification using the service-class dynamic dot1p command (honor dot1p) on all DCB-enabled interfaces.
For each priority, you can specify the shared buffer threshold limit, the ingress buffer size, the buffer limit for pausing the acceptance of packets, and the buffer offset limit for resuming the acceptance of received packets.
4. Configure the profile name for the DCB buffer threshold.
CONFIGURATION mode
Dell(conf)#dcb-buffer-threshold test
5. Configure the buffer parameters for a priority.
DCB-BUFFER-THRESHOLD mode
Dell(conf-dcb-buffer-thr)# priority 0 buffer-size 52 pause-threshold 16 resume-offset 10 shared-threshold-weight 7
6.
13 Debugging and Diagnostics
This chapter describes debugging and diagnostics for the MXL switch.
Offline Diagnostics
The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels:
• Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, Level 0 diagnostics verify the identification registers of the components on the board.
the unit will be operationally down, except for running Diagnostics. Please make sure that stacking/fanout not configured for Diagnostics execution. Also reboot/online command is necessary for normal operation after the offline command is issued.
Proceed with Offline [confirm yes/no]:yes
Dell#Dec 15 03:58:37: %STKUNIT0-M:CP %CHMGR-2-STACKUNIT_DOWN: Stack unit 0 down - stack unit offline
2. Confirm the offline status.
Example of the show file flash:// command (Standalone Unit)
Dell#show file flash://TestReport-SU-0.txt
*******************************BLADE IOM DIAGNOSTICS*******************************
Board                  :
CPU Version            :
Stack Unit Board Temp  :
Stack Unit Number      :
Board Serial Number    :
Board Type             :
CPLD Revision          :
Image Build Version    :
Blade IOM Dell Inc.
Trace Logs
In addition to the syslog buffer, the Dell Networking OS buffers trace messages which are continuously written by various software tasks to report hardware and software events and status information. Each trace message provides the date, time, and name of the Dell Networking OS process. All messages are stored in a ring buffer. You can save the messages to a file either manually or automatically after failover.
• show hardware stack-unit {0-5} buffer unit {0-1} port {1-64 | all} buffer-info
View the forwarding plane statistics containing the packet buffer statistics per COS per port.
EXEC Privilege mode
• show hardware stack-unit {0-5} buffer unit {0-1} port {1-64} queue {0-14 | all} buffer-info
View input and output statistics on the party bus, which carries inter-process communication traffic between CPUs.
• Enable environmental monitoring.
enable optic-info-update interval
Example of the show interfaces transceiver Command
Dell#show int ten 0/49 transceiver
SFP is present
SFP 49 Serial Base ID fields
SFP 49 Id = 0x03
SFP 49 Ext Id = 0x04
SFP 49 Connector = 0x07
SFP 49 Transceiver Code = 0x00 0x00 0x00 0x01 0x20 0x40 0x0c 0x01
SFP 49 Encoding = 0x01
SFP 49 BR Nominal = 0x0c
SFP 49 Length(9um) Km = 0x00
SFP 49 Length(9um) 100m = 0x00
SFP 49 Length(50um) 10m = 0x37
SFP 49 Length(62.
Recognize an Over-Temperature Condition
An over-temperature condition occurs for one of two reasons: the card genuinely is too hot, or a sensor has malfunctioned. Inspect cards adjacent to the one reporting the condition to discover the cause.
• If directly adjacent cards are not at normal temperature, suspect a genuine overheating condition.
• If directly adjacent cards are at normal temperature, suspect a faulty sensor.
When the system detects a genuine over-temperature condition, it powers off the card.
Recognize an Under-Voltage Condition
If the system detects an under-voltage condition, it sends an alarm. To recognize this condition, look for the following system message:
%CHMGR-1-CARD_SHUTDOWN: Major alarm: Line card 2 down - auto-shutdown due to under voltage.
This message indicates that the specified card is not receiving enough power. In response, the system first shuts down Power over Ethernet (PoE).
• show hardware stack-unit 0-5 stack-port 33–56
• show hardware stack-unit 0-5 unit 0-0 {counters | details | port-stats [detail] | register | ipmc-replication | table-dump}
• show hardware {layer2 | layer3} {eg acl | in acl} stack-unit 0-5 port-set 0-0
• show hardware layer3 qos stack-unit 0-5 port-set 0-0
• show hardware system-flow layer2 stack-unit 0-5 port-set 0-1 [counters]
• clear hardware stack-unit 0-5 counters
• clear hardware stack-unit 0-5 cpu data-plane statistics
• clear hardware stack-unit
Example of Viewing Dataplane Statistics
Example of Viewing Party Bus Statistics
Dell#show hardware stack-unit 2 cpu data-plane statistics
bc pci driver statistics for device:
rxHandle        :0
noMhdr          :0
noMbuf          :0
noClus          :0
recvd           :0
dropped         :0
recvToNet       :0
rxError         :0
rxDatapathErr   :0
rxPkt(COS0)     :0
rxPkt(COS1)     :0
rxPkt(COS2)     :0
rxPkt(COS3)     :0
rxPkt(COS4)     :0
rxPkt(COS5)     :0
rxPkt(COS6)     :0
rxPkt(COS7)     :0
rxPkt(UNIT0)    :0
rxPkt(UNIT1)    :0
rxPkt(UNIT2)    :0
rxPkt(UNIT3)    :0
transmitted     :0
txRequested     :0
noTxDesc        :0
txError
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output Statistics:
1649714 packets, 1948622676 bytes, 0 underruns
0 64-byte pkts, 27234 over 64-byte pkts, 107970 over 127-byte pkts
34 over 255-byte pkts, 504838 over 511-byte pkts, 1009638 over 1023-byte pkts
0 Multicasts, 0 Broadcasts, 1649714 Unicasts
0 throttles, 0 discarded, 0 collisions
Rate info (interval 45 seconds):
Input 00.00 Mbits/sec, 2 packets/sec, 0.00% of line-rate
Output 00.06 Mbits/sec, 8 packets/sec, 0.
Mini Core Dumps
The Dell Networking OS supports mini core dumps on application and kernel crashes. The mini core dump applies to Master, Standby, and Member units. Application and kernel mini core dumps are always enabled. The mini core dumps contain the stack space and some other minimal information that you can use to debug a crash. These files are small and are written into flash until space is exhausted. When the flash is full, the write process is stopped.
Enabling TCP Dumps
A TCP dump captures CPU-bound control plane traffic to improve troubleshooting and system manageability. When you enable TCP dump, it captures all the packets on the local CPU, as specified in the CLI. You can save the traffic capture files to flash, FTP, SCP, or TFTP. The files saved on the flash are located in the flash://TCP_DUMP_DIR/Tcpdump_/ directory and labeled tcpdump_*.pcap. There can be up to 20 Tcpdump_ directories.
14 Dynamic Host Configuration Protocol (DHCP)
The dynamic host configuration protocol (DHCP) is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option                 Number and Description
Domain Name Server     Option 6. Specifies the domain name servers (DNSs) that are available to the client.
Domain Name            Option 15. Specifies the domain name that clients should use when resolving hostnames via DNS.
IP Address Lease Time  Option 51. Specifies the amount of time that the client is allowed to use an assigned IP address.
DHCP Message Type      Option 53.
Assign an IP Address using DHCP
The following section describes DHCP and the client in a network. When a client joins a network:
1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters.
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters.
attempt to apply an access list to the VLAN, the system displays the first line in the following message. If you first apply an ACL to a VLAN and then attempt to enable IP source address validation on one of its member ports, the system displays the second line in the following message.
% Error: Vlan member has access-list configured.
% Error: Vlan has an access-list configured.
ip dhcp server
2. Create an address pool and give it a name.
DHCP mode
pool name
3. Specify the range of IP addresses from which the DHCP server may assign addresses.
DHCP mode
network network/prefix-length
• network: the subnet address.
• prefix-length: specifies the number of bits used for the network portion of the address you specify. The prefix-length range is from 17 to 31.
4. Display the current pool configuration.
lease {days [hours] [minutes] | infinite}
The default is 24 hours.
Specifying a Default Gateway
The IP address of the default router should be on the same subnet as the client. To specify a default gateway, follow this step.
• Specify default gateway(s) for the clients on the subnet, in order of preference.
DHCP mode
default-router address
Enabling the DHCP Server
To set up the DHCP Server, you must first enable it. The DHCP server is disabled by default.
1. Enter the DHCP command-line context.
Using DNS for Address Resolution
A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses.
1. Create a domain.
DHCP mode
domain-name name
2. Specify in order of preference the DNS servers that are available to a DHCP client.
Debugging the DHCP Server
To debug the DHCP server, use the following command.
• Display debug information for DHCP server.
EXEC Privilege mode
debug ip dhcp server [events | packets]
Using DHCP Clear Commands
To clear DHCP binding entries, address conflicts, and server counters, use the following commands.
• Clear DHCP binding entries for the entire binding table.
EXEC Privilege mode
clear ip dhcp binding
• Clear a DHCP binding entry for an individual IP address.
EXEC Privilege mode
Figure 35. Configuring a Relay Agent
To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode.
Example of the show ip interface Command
Dell#show ip int tengig 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1 192.168.0.
Configure the System to be a DHCP Client
A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows:
• The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (the Dell Networking OS version and a configuration file). BMP is enabled as a factory-default setting on a switch.
acquire a new IP address, use the renew DHCP command in EXEC Privilege mode or the ip address dhcp command in INTERFACE Configuration mode. To manually configure a static IP address on an interface, use the ip address command. A prompt displays to release an existing dynamically acquired IP address. If you confirm, the ability to receive a DHCP server-assigned IP address is removed.
• To display log message on DHCP client interfaces for IP address acquisition, IP address release, IP address and lease time renewal, and release an IP address, use the [no] debug ip dhcp client events [interface type slot/port] command.
0/1 : DHCP DISABLED CMD sent to Dell in state START
Dell#release dhcp int Te 0/1
Dell#May 27 15:55:22: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 :DHCP RELEASE CMD Received in state BOUND
May 27 15:55:22: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_PKT: DHCP RELEASE sent in Interface Te 0/1
May 27 15:55:22: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 :Transitioned to state STOPPED
May 27 15:55:22: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT
• Management routes added by a DHCP client display with Route Source as DHCP in the show ip management route and show ip management-route dynamic command output.
• Management routes added by DHCP are automatically reinstalled if you configure a static IP route with the ip route command that replaces a management route added by the DHCP client. If you remove the statically configured IP route using the no ip route command, the management route is reinstalled.
To use the router as the VRRP owner, if you enable a DHCP client on an interface that is added to a VRRP group, assign a priority less than 255 but higher than any other priority assigned in the group.
Configure Secure DHCP
DHCP as defined by RFC 2131 provides no authentication or security mechanisms. Secure DHCP is a suite of features that protects networks that use dynamic address allocation from spoofing and attacks.
do not pass this check are forwarded to the server for validation. This checkpoint prevents an attacker from spoofing a client and declining or releasing the real client's address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNAK) that arrive on an untrusted port are also dropped. This checkpoint prevents an attacker from impersonating a DHCP server in order to mount a man-in-the-middle attack.
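The two checkpoints above, as an added example that is not Dell code: a minimal DHCP snooping model that decides per message whether to forward or drop and maintains the binding table (IP, MAC, lease, VLAN, interface) that the later DAI and SAV features consume. The message fields, port names and the exchange in run_scenario are constructed; the handling of a DHCPRELEASE or DHCPDECLINE that fails the binding check (dropped here) is my assumption where the page's sentence is cut, and the learning of a binding from a DHCPACK is standard snooping behaviour rather than something the page spells out.

```python
"""DHCP snooping checkpoints modelled as a per-message forwarding decision,
with the binding table built from the exchanges the switch sees."""
from dataclasses import dataclass

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
RELEASE_MSGS = {"DHCPRELEASE", "DHCPDECLINE"}


@dataclass
class Binding:
    ip: str
    mac: str
    lease: int
    vlan: int
    interface: str
    source: str = "D"  # D = dynamic (learned), S = static


@dataclass
class DhcpMessage:
    msg_type: str
    port: str                       # ingress interface
    vlan: int
    chaddr: str                     # client hardware address in the DHCP header
    ciaddr: str = "0.0.0.0"         # client address (set in DHCPRELEASE)
    yiaddr: str = "0.0.0.0"         # address assigned (set in DHCPOFFER/DHCPACK)
    requested_ip: str = "0.0.0.0"   # option 50 (set in DHCPREQUEST/DHCPDECLINE)


class DhcpSnooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # (vlan, chaddr) -> client port of the last request
        self.bindings = {}  # (vlan, ip) -> Binding

    def add_static_binding(self, ip, mac, vlan, interface, lease):
        """Counterpart of 'ip dhcp snooping binding mac ...'."""
        self.bindings[(vlan, ip)] = Binding(ip, mac, lease, vlan, interface, "S")

    def process(self, msg, lease=86400):
        """Return ('forward' | 'drop', reason) and update snooping state."""
        trusted = msg.port in self.trusted
        t = msg.msg_type
        if t in SERVER_MSGS and not trusted:
            # Checkpoint: only trusted (server-facing) ports may source
            # OFFER/ACK/NAK, which blocks a rogue server on an access port.
            return ("drop", "server-originated %s on untr port %s" % (t, msg.port))
        if t in RELEASE_MSGS and not trusted:
            # Checkpoint: a RELEASE/DECLINE must come from the interface and MAC
            # that hold the binding for that address (assumption: mismatches are
            # dropped, so one client cannot release another client's lease).
            target = msg.ciaddr if t == "DHCPRELEASE" else msg.requested_ip
            b = self.bindings.get((msg.vlan, target))
            if b is None or b.mac != msg.chaddr or b.interface != msg.port:
                return ("drop", "%s for %s does not match binding table" % (t, target))
            if t == "DHCPRELEASE":
                del self.bindings[(msg.vlan, target)]
            return ("forward", "%s validated against binding" % t)
        if t in ("DHCPDISCOVER", "DHCPREQUEST") and not trusted:
            self.pending[(msg.vlan, msg.chaddr)] = msg.port
        if t == "DHCPACK":
            # Learn a dynamic binding when a trusted server acknowledges a
            # client whose request was seen on an untrusted port.
            client_port = self.pending.pop((msg.vlan, msg.chaddr), None)
            if client_port is not None:
                self.bindings[(msg.vlan, msg.yiaddr)] = Binding(
                    msg.yiaddr, msg.chaddr, lease, msg.vlan, client_port)
        return ("forward", None)


def run_scenario():
    """Constructed exchange on VLAN 10: a legitimate client on Gi 0/1, the real
    server behind trusted Te 0/50, and an attacker on Gi 0/3."""
    snooper = DhcpSnooper(trusted_ports={"Te 0/50"})
    client_mac = "00:00:4d:57:e6:f6"
    steps = [
        DhcpMessage("DHCPDISCOVER", "Gi 0/1", 10, client_mac),
        DhcpMessage("DHCPOFFER", "Gi 0/3", 10, client_mac, yiaddr="10.1.1.200"),    # rogue server
        DhcpMessage("DHCPOFFER", "Te 0/50", 10, client_mac, yiaddr="10.1.1.252"),
        DhcpMessage("DHCPREQUEST", "Gi 0/1", 10, client_mac, requested_ip="10.1.1.252"),
        DhcpMessage("DHCPACK", "Te 0/50", 10, client_mac, yiaddr="10.1.1.252"),
        DhcpMessage("DHCPRELEASE", "Gi 0/3", 10, client_mac, ciaddr="10.1.1.252"),  # spoofed release
        DhcpMessage("DHCPRELEASE", "Gi 0/1", 10, client_mac, ciaddr="10.1.1.252"),
    ]
    decisions = [snooper.process(m, lease=172800)[0] for m in steps]
    return decisions, snooper


if __name__ == "__main__":
    for msg_decision in zip(run_scenario()[0], ("DISCOVER", "rogue OFFER", "OFFER",
                                                "REQUEST", "ACK", "spoofed RELEASE", "RELEASE")):
        print("%-16s %s" % (msg_decision[1], msg_decision[0]))
```

The spoofed DHCPRELEASE is the interesting case: the attacker copies the victim's chaddr, so a check on MAC alone passes, and only the binding's interface column (Gi 0/1 versus Gi 0/3) exposes it.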
• Add a static entry in the binding table.
EXEC Privilege mode
ip dhcp snooping binding mac
Adding a Static IPV6 DHCP Snooping Binding Table
To add a static entry in the snooping database, use the following command.
• Add a static entry in the snooping binding table.
EXEC Privilege mode
ipv6 dhcp snooping binding mac address vlan-id vlan-id ipv6 ipv6-address interface interface-type | interface-number lease value
Clearing the Binding Table
To clear the binding table, use the following command.
DHCP Binding File Details
Invalid File                : 0
Invalid Binding Entry       : 0
Binding Entry lease expired : 0
Displaying the Contents of the DHCPv6 Binding Table
To display the contents of the DHCP IPv6 binding table, use the following command.
• Display the contents of the binding table.
EXEC Privilege mode
show ipv6 dhcp snooping binding
Example of the show ipv6 dhcp snooping binding Command
View the DHCP snooping statistics with the show ipv6 dhcp snooping command.
10.1.1.252  00:00:4d:57:e6:f6  172800  D  Vl 10  Gi 0/1
10.1.1.253  00:00:4d:57:f8:e8  172740  D  Vl 10  Gi 0/3
10.1.1.254  00:00:4d:69:e8:f2  172740  D  Vl 10  Te 0/50
Total number of Entries in the table : 4
Dynamic ARP Inspection
Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism.
Configuring Dynamic ARP Inspection
To enable dynamic ARP inspection, use the following commands.
1. Enable DHCP snooping.
2. Validate ARP frames against the DHCP snooping binding table.
INTERFACE VLAN mode
arp inspection
Example of Viewing the ARP Database
Example of Viewing ARP Packets
To view entries in the ARP database, use the show arp inspection database command.
Source Address Validation
Using the DHCP binding table, the Dell Networking OS can perform three types of source address validation (SAV).
Table 16. Three Types of Source Address Validation
Source Address Validation     Description
IP Source Address Validation  Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
EXEC Privilege mode
copy running-config startup-config
3. Reload the system.
EXEC Privilege mode
reload
4. Enable IP+MAC SAV.
INTERFACE mode
ip dhcp source-address-validation ipmac
The system creates an ACL entry for each IP+MAC address pair in the binding table and applies it to the interface. To display the IP+MAC ACL for an interface or for the entire system, use the show ip dhcp snooping source-address-validation [interface] command in EXEC Privilege mode.
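Added example, not Dell code, of the decisions dynamic ARP inspection and source address validation take against the binding table. The table is a constructed copy of the three entries shown in the show ip dhcp snooping binding example earlier in this chapter; the function names, and the rendering of the table's first two SAV types as an "ip" mode and an "ipmac" mode that builds the per-interface permit list the page describes, are mine.

```python
"""Dynamic ARP inspection and source-address validation decisions taken
against a DHCP snooping binding table."""

# Constructed binding table in the shape of the show ip dhcp snooping
# binding output: (vlan, ip) -> (mac, interface).
BINDINGS = {
    (10, "10.1.1.252"): ("00:00:4d:57:e6:f6", "Gi 0/1"),
    (10, "10.1.1.253"): ("00:00:4d:57:f8:e8", "Gi 0/3"),
    (10, "10.1.1.254"): ("00:00:4d:69:e8:f2", "Te 0/50"),
}


def arp_inspection(vlan, port, sender_mac, sender_ip, bindings=BINDINGS):
    """DAI: forward an ARP request or reply only if the sender IP/MAC pair is
    bound to the ingress port on that VLAN. Returns (forward, reason)."""
    entry = bindings.get((vlan, sender_ip))
    if entry is None:
        return (False, "no binding for sender IP %s" % sender_ip)
    mac, interface = entry
    if mac.lower() != sender_mac.lower():
        return (False, "sender MAC %s does not match binding %s" % (sender_mac, mac))
    if interface != port:
        return (False, "binding for %s is on %s, frame arrived on %s"
                % (sender_ip, interface, port))
    return (True, "validated")


def ip_sav_permits(port, vlan, bindings=BINDINGS):
    """IP SAV: the source IPs a port may use (one ACL permit per bound address)."""
    return sorted(ip for (v, ip), (_, iface) in bindings.items()
                  if v == vlan and iface == port)


def ipmac_sav_permits(port, vlan, bindings=BINDINGS):
    """IP+MAC SAV: the (ip, mac) pairs the switch turns into ACL entries for
    the interface; anything else is implicitly denied."""
    return sorted((ip, mac) for (v, ip), (mac, iface) in bindings.items()
                  if v == vlan and iface == port)


def sav_allows(port, vlan, src_ip, src_mac, mode="ipmac", bindings=BINDINGS):
    """Apply the selected SAV mode to an IP packet's source addresses."""
    if mode == "ip":
        return src_ip in ip_sav_permits(port, vlan, bindings)
    if mode == "ipmac":
        return (src_ip, src_mac.lower()) in ipmac_sav_permits(port, vlan, bindings)
    raise ValueError("unknown SAV mode %r" % mode)


if __name__ == "__main__":
    # An attacker on Gi 0/3 answering ARP for 10.1.1.254 with its own MAC.
    print(arp_inspection(10, "Gi 0/3", "00:00:4d:57:f8:e8", "10.1.1.254"))
    # The same attacker forging the victim's MAC: still wrong port.
    print(arp_inspection(10, "Gi 0/3", "00:00:4d:69:e8:f2", "10.1.1.254"))
    print("Gi 0/1 ACL:", ipmac_sav_permits("Gi 0/1", 10))
```

The last two assertions in the check below show why the page's IP+MAC mode is the one to use where you can afford it: IP-only SAV lets a host on Gi 0/1 keep its bound address while spoofing the source MAC, whereas IP+MAC SAV denies it.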
15 Equal Cost Multi-Path (ECMP)
Equal cost multi-path (ECMP) is supported on the MXL switch.
ECMP for Flow-Based Affinity
ECMP for flow-based affinity is available on the MXL switch.
NOTE: IPv6 /128 routes having multiple paths do not form ECMPs. The /128 route is treated as a host entry and finds its place in the host table.
NOTE: Using XOR algorithms results in imbalanced loads across an ECMP/LAG when the number of members in said ECMP/LAG is a multiple of 4.
NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indexes are generated in even numbers (0, 2, 4, 6... 1022) and are for information only. To enable the link bundle monitoring feature, for link bundle monitoring with ECMP, use the ecmp-group command. You can configure the ecmp-group with id 2, enabled for link bundle monitoring.
16 FC FLEXIO FPORT
FC FlexIO FPort is now supported on the MXL switch platform.
FC FLEXIO FPORT
The MXL blade switch is a Trident+ based switch that plugs into the Dell M1000 blade server chassis. The blade module contains two slots for pluggable flexible modules. The goal is to provide direct connectivity to FC equipment through Fibre Channel ports on the optional FC Flex IO module. The FC Flex IO uses the Broadcom Montreal (BCM84757) FC/FCoE mapper to provide FCoE-to-FC functionality.
Name Server
Each participant in the FC environment has a unique ID, which is called the World Wide Name (WWN). This WWN is a 64-bit address. A Fibre Channel fabric uses another addressing scheme to address the ports in the switched fabric. Each port in the switched fabric is assigned a 24-bit address by the FC switch.
After you apply an FCoE map on an FC port, when you enable the port (using the no shutdown command), the NPG starts sending FIP multicast advertisements on behalf of the FC port to downstream servers to advertise the availability of a new FCF port on the FCoE VLAN. The FIP advertisement also contains a keepalive message to maintain connectivity between a SAN fabric and downstream servers.
5. Configure the priority used by a server CNA to select the FCF for a fabric login (FLOGI).
FCoE MAP mode
fcf-priority priority
The range is from 1 to 255. The default is 128.
6. Enable monitoring of FIP keep-alive messages (if it is disabled) to detect whether other FCoE devices are reachable.
FCoE MAP mode
keepalive
The default is that FIP keep-alive monitoring is enabled.
7. Configure the time interval (in seconds) used to transmit FIP keepalive advertisements.
Example of Creating a Zone and Adding Members
Dell(conf)#fc zone z1
Dell(conf-fc-zone-z1)#member 11:11:11:11:11:11:11:11
Dell(conf-fc-zone-z1)#member 020202
Dell(conf-fc-zone-z1)#exit
Creating Zone Alias and Adding Members
To create a zone alias and add devices to the alias, follow these steps.
1. Create a zone alias name.
CONFIGURATION mode
fc alias ZoneAliasName
2. Add devices to an alias.
By default, the fcoe-map fabric map-name does not have any active zonesets.
1. Enter the fc-fabric command in fcoe-map mode to activate or de-activate the zoneset.
Dell(conf-fcoe-map)#fc-fabric
Example:
Dell(conf)#fcoe-map map
Dell(conf-fcoe-map)#fc-fabric
Dell(conf-fmap-map-fcfabric)#active-zoneset set
Dell(conf-fmap-map-fcfabric)#no active-zoneset ?
active-zoneset
Dell(conf-fmap-map-fcfabric)#no active-zoneset
2. View the active zoneset.
Vlan priority 3
FC-MAP 0efc00
FKA-ADV-Period 8
Fcf Priority 128
Config-State ACTIVE
Oper-State UP
=======================================================
Switch Config Parameters
=======================================================
DomainID 2
=======================================================
Switch Zoning Parameters
=======================================================
Default Zone Mode: Deny
Active Zoneset: set
=======================================================
Members
Fc 0/41
Te 0/29
=====
Dell#
10:00:8c:7c:ff:21:5f:8d 20:02:00:11:0d:03:00:00
Example of the show fc zone Command
Dell#show fc zone
ZoneName ZoneMember
==============================
brcd_sanb brcd_cna1_wwpn1
sanb_p2tgt1_wwpn
Dell#
Example of the show fc alias Command
Dell(conf)#do show fc alias
ZoneAliasName ZoneMember
=======================================================
test 20:02:d4:ae:52:44:38:4f
20:34:78:2b:cb:6f:65:57
Example of the show fc switch Command
Dell(conf)#do show fc switch
Switch Mode : FPORT
Switch WWN : 10:
17 FCoE Transit
The Fibre Channel over Ethernet (FCoE) Transit feature is supported on the MXL 10/40GbE switch. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.
NOTE: FCoE transit is not supported on Fibre Channel interfaces.
Fibre Channel over Ethernet
FCoE provides a converged Ethernet network that allows the combination of storage-area network (SAN) and LAN traffic on a Layer 2 link by encapsulating Fibre Channel data into Ethernet frames.
Table 17. FIP Functions
FIP Function | Description
FIP VLAN discovery | FCoE devices (ENodes) discover the FCoE VLANs on which to transmit and receive FIP and FCoE traffic.
FIP discovery | FCoE end-devices and FCFs are automatically discovered.
Initialization | FCoE devices learn ENodes from the FLOGI and FDISC to allow immediate login and create a virtual link with an FCoE switch.
Maintenance | A valid virtual link between an FCoE device and an FCoE switch is maintained and the LOGO functions properly.
Global ACLs: These are applied on server-facing ENode ports.
Port-based ACLs: These ACLs are applied on all three port modes: on ports directly connected to an FCF, server-facing ENode ports, and bridge-to-bridge links. Port-based ACLs take precedence over global ACLs.
FCoE-generated ACLs: These take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames.
• To assign a MAC address to an FCoE end-device (server ENode or storage device) after a server successfully logs in, set the FCoE MAC address prefix (FC-MAP) value an FCF uses.
• To provide more port security on ports that are directly connected to an FCF and have links to other FIP snooping bridges, set the FCF or Bridge-to-Bridge Port modes.
• To ensure that they are operationally active, check FIP snooping-enabled VLANs.
compatible DCB configurations are synchronized. By default, all FCoE and FIP frames are dropped unless specifically permitted by existing FIP snooping-generated ACLs. You can reconfigure any of the FIP snooping settings. If you disable FCoE transit, FIP and FCoE traffic are handled as normal Ethernet frames and no FIP snooping ACLs are generated. The VLAN-specific and FIP snooping configuration is disabled and stored until you re-enable FCoE transit and the configurations are re-applied.
Table 18. Impact of Enabling FIP Snooping
Impact | Description
MAC address learning | MAC address learning is not performed on FIP and FCoE frames, which are denied by ACLs dynamically created by FIP snooping on server-facing ports in ENode mode.
MTU auto-configuration | MTU size is set to mini-jumbo (2500 bytes) when a port is in Switchport mode, the FIP snooping feature is enabled on the switch, and FIP snooping is enabled on all or individual VLANs.
To enable FCoE transit on the switch and configure the FCoE transit parameters on ports, follow these steps.
1. Enable the FCoE transit feature on a switch.
   CONFIGURATION mode
   feature fip-snooping
2. Enable FIP snooping on all VLANs or on a specified VLAN.
   CONFIGURATION mode or VLAN INTERFACE mode
   fip-snooping enable
   By default, FIP snooping is disabled on all VLANs.
3. Configure the FC-MAP value used by FIP snooping on all VLANs.
Command | Output
(continued from the previous row) | VLAN ID, FC-MAP value, FKA advertisement period, and number of ENodes connected.
clear fip-snooping database interface vlan vlan-id {fcoe-mac-address | enode-mac-address | fcf-mac-address} | Clears FIP snooping information on a VLAN for a specified FCoE MAC address, ENode MAC address, or FCF MAC address, and removes the corresponding ACLs generated by FIP snooping.
Field | Description
FCF Interface | Slot/port number of the interface to which the FCF is connected.
VLAN | VLAN ID number used by the session.
FCoE MAC | MAC address of the FCoE session assigned by the FCF.
FC-ID | Fibre Channel ID assigned by the FCF.
Port WWPN | Worldwide port name of the CNA port.
Port WWNN | Worldwide node name of the CNA port.
Field | Description
ENode Interface | Slot/number of the interface connected to the ENode.
FKA_ADV_PERIOD | Period of time (in milliseconds) during which FIP keep-alive advertisements are transmitted.
No of ENodes | Number of ENodes connected to the FCF.
FC-ID | Fibre Channel session ID assigned by the FCF.
Number of VN Port Keep Alive :0
Number of Multicast Discovery Advertisement :4451
Number of Unicast Discovery Advertisement :2
Number of FLOGI Accepts :2
Number of FLOGI Rejects :0
Number of FDISC Accepts :16
Number of FDISC Rejects :0
Number of FLOGO Accepts :0
Number of FLOGO Rejects :0
Number of CVL :0
Number of FCF Discovery Timeouts :0
Number of VN Port Session Timeouts :0
Number of Session failures due to Hardware Config :0
The following table describes the show fip-snooping statistics command fie
Field | Description
Number of FCF Discovery Timeouts | Number of FCF discovery timeouts that occurred on the interface.
Number of VN Port Session Timeouts | Number of VN port session timeouts that occurred on the interface.
Number of Session failures due to Hardware Config | Number of session failures due to hardware configuration that occurred on the interface.
Figure 38. FIP Snooping on an MXL 10/40GbE Switch Configuration Example
• A server-facing port is configured for DCBx in an auto-downstream role.
• An FCF-facing port is configured for DCBx in an auto-upstream or configuration-source role. The DCBx configuration on the FCF-facing port is detected by the server-facing port and the DCB PFC configuration on both ports is synchronized.
For more information about how to configure DCBx and PFC on a port, refer to the Data Center Bridging (DCB) chapter.
Dell(conf)# interface vlan 10
Dell(conf-if-vl-10)# fip-snooping enable
Dell(conf-if-vl-10)# fip-snooping fc-map 0x0EFC01
NOTE: Configuring an FC-MAP value is only required if you do not use the default FC-MAP value (0x0EFC00).
Dell(conf)# interface tengigabitethernet 0/1
Dell(conf-if-te-0/1)# portmode hybrid
Dell(conf-if-te-0/1)# switchport
NOTE: A port is enabled by default for bridge-ENode links.
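The Name Server passage above describes 64-bit WWNs and 24-bit fabric port addresses, and the FC-MAP steps describe the prefix an FCF puts in front of a VN_Port's assigned MAC. The following is an added example, not code from the Dell guide or the Dell Networking OS: it parses both identifier formats, splits an FC_ID into its Domain/Area/Port octets (the DomainID 2 shown in the show fcoe-map output corresponds to the first octet), builds the fabric-provided MAC address (FPMA), and checks whether a given MAC carries the configured FC-MAP. The FPMA layout (FC-MAP in the upper 24 bits, FC_ID in the lower 24) is taken from FC-BB-5 rather than from this page, and every sample value is constructed.

```python
# Added example, not from the Dell guide: decode the identifiers used in FC/FCoE
# addressing and derive the fabric-provided MAC address (FPMA) an FCF assigns to a
# VN_Port after a successful FLOGI.  Assumption: FPMA = FC-MAP (24 bits) followed
# by FC_ID (24 bits), as defined in FC-BB-5.  0x0EFC00 is the default FC-MAP named
# on this page.  All sample identifiers are constructed.
import re
from typing import Tuple

DEFAULT_FC_MAP = 0x0EFC00


def parse_wwn(text: str) -> int:
    """Parse a 64-bit World Wide Name written as eight colon-separated octets."""
    parts = text.split(":")
    if len(parts) != 8 or not all(re.fullmatch(r"[0-9a-fA-F]{2}", p) for p in parts):
        raise ValueError("not a 64-bit WWN: %r" % text)
    return int("".join(parts), 16)


def parse_fcid(text: str) -> int:
    """Parse a 24-bit switched-fabric port address written as six hex digits (e.g. 020202)."""
    if not re.fullmatch(r"[0-9a-fA-F]{6}", text):
        raise ValueError("not a 24-bit FC_ID: %r" % text)
    return int(text, 16)


def fcid_fields(fcid: int) -> Tuple[int, int, int]:
    """Split an FC_ID into its Domain_ID, Area_ID and Port_ID octets."""
    return (fcid >> 16) & 0xFF, (fcid >> 8) & 0xFF, fcid & 0xFF


def fpma(fcid: int, fc_map: int = DEFAULT_FC_MAP) -> str:
    """Build the 48-bit FPMA: FC-MAP in the upper 24 bits, FC_ID in the lower 24 bits."""
    if not (0 <= fc_map < (1 << 24) and 0 <= fcid < (1 << 24)):
        raise ValueError("FC-MAP and FC_ID must each fit in 24 bits")
    value = (fc_map << 24) | fcid
    return ":".join("%02x" % ((value >> shift) & 0xFF) for shift in range(40, -1, -8))


def fpma_has_map(mac: str, fc_map: int = DEFAULT_FC_MAP) -> bool:
    """Check whether a VN_Port MAC carries the expected FC-MAP prefix.

    A FIP snooping bridge can use this property to decide whether an FCoE source
    MAC lies inside the range the configured FC-MAP allows."""
    octets = [int(o, 16) for o in mac.split(":")]
    if len(octets) != 6:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ((octets[0] << 16) | (octets[1] << 8) | octets[2]) == fc_map


if __name__ == "__main__":
    fcid = parse_fcid("020202")                 # constructed, same form as the zone example
    print("domain/area/port:", fcid_fields(fcid))
    print("FPMA with default FC-MAP:", fpma(fcid))
    print("FPMA with FC-MAP 0x0EFC01:", fpma(fcid, 0x0EFC01))
```

Run stand-alone it prints the decomposition of FC_ID 020202 and the two FPMAs; the parsers reject malformed identifiers rather than silently truncating them.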
18 FIPS Cryptography
Federal information processing standard (FIPS) cryptography is supported on the MXL switch platform. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms. This feature provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce.
NOTE: Under certain unusual circumstances, it is possible for the fips enable command to indicate a failure.
• This failure occurs if any of the self-tests fail when you enable FIPS mode.
• This failure occurs if there were existing SSH/Telnet sessions that could not be closed successfully in a reasonable amount of time.
Hardware Rev   : 3.0
Num Ports      : 64
Up Time        : 7 hr, 3 min
Dell Version   : XML-8-3-7-1061
Jumbo Capable  : yes
POE Capable    : no
FIPS Mode      : enabled
Burned In MAC  : 00:01:e8:8a:ff:0c
No Of MACs     : 3
...
Disabling FIPS Mode
The following describes disabling FIPS mode. When you disable FIPS mode, the following changes occur:
• The SSH server disables.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, close.
19 Force10 Resilient Ring Protocol (FRRP)
FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though STP can take up to 50 seconds to converge (depending on the size of the network and the node of failure) and, even with optimizations, may require 4 to 5 seconds to reconverge.
Figure 39. Normal Operating FRRP Topology
A virtual LAN (VLAN) is configured on all node ports in the ring. All ring ports must be members of the Member VLAN and the Control VLAN. The Member VLAN is the VLAN used to transmit data as described earlier. The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node.
its own forwarding table, and sends a control frame to the Transit nodes, instructing them to clear their forwarding tables and relearn the topology. During the time between the Transit node detecting that its link is restored and the Master node detecting that the ring is restored, the Master node’s Secondary port is still forwarding traffic. This can create a temporary loop in the topology.
Figure 40. Multiple Rings Connected by a Single Switch Example
Important FRRP Points
FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring.
• The Master node transmits ring status check frames at specified intervals.
• You can run multiple physical rings on the same switch.
Important FRRP Concepts
The following table lists some important FRRP concepts.
Concept | Explanation
Ring ID | Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202).
Control VLAN | Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose.
Member VLAN | Each ring maintains a list of member VLANs.
Implementing FRRP
• FRRP is media and speed independent.
• FRRP is a Dell proprietary protocol that does not interoperate with any other vendor.
• You must disable the spanning tree protocol (STP) on both the Primary and Secondary interfaces before you can enable FRRP.
• All ring ports must be Layer 2 ports. This is required for both Master and Transit nodes.
• A VLAN configured as a control VLAN for a ring cannot be configured as a control or member VLAN for any other ring.
• A control VLAN can belong to one FRRP group only.
• Tag control VLAN ports.
• All ports on the ring must use the same VLAN ID for the control VLAN.
• You cannot configure a VLAN as both a control VLAN and member VLAN on the same ring.
• Only two interfaces can be members of a control VLAN (the Master Primary and Secondary ports).
• Member VLANs across multiple rings are not supported in Master nodes.
no disable
Configuring and Adding the Member VLANs
Control and member VLANs are configured normally for Layer 2. Their status as Control or Member is determined at the FRRP group commands. For more information about configuring VLANs in Layer 2 mode, refer to the Layer 2 chapter. Be sure to follow these guidelines:
• All VLANs must be in Layer 2 mode.
• Tag control VLAN ports. Member VLAN ports, except the Primary/Secondary interface, can be tagged or untagged.
   VLAN-ID, Range: VLAN IDs for the ring’s Member VLANs.
6. Enable this FRRP group on this switch.
   CONFIG-FRRP mode
   no disable
Setting the FRRP Timers
To set the FRRP timers, use the following command.
NOTE: Set the Dead-Interval to 3 times the Hello-Interval.
• Enter the desired intervals for Hello-Interval or Dead-Interval times.
  CONFIG-FRRP mode
  timer {hello-interval|dead-interval} milliseconds
  – Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500).
Ring ID: the range is from 1 to 255.
Troubleshooting FRRP
To troubleshoot FRRP, use the following information.
Configuration Checks
• Each Control Ring must use a unique VLAN ID.
• Only two interfaces on a switch can be Members of the same control VLAN.
• There can be only one Master node for any FRRP group.
• You can configure FRRP on Layer 2 interfaces only.
• Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
 no shutdown
!
interface Vlan 101
 no ip address
 tagged GigabitEthernet 1/24,34
 no shutdown
!
interface Vlan 201
 no ip address
 tagged GigabitEthernet 1/24,34
 no shutdown
!
protocol frrp 101
 interface primary GigabitEthernet 1/24 secondary GigabitEthernet 1/34
 control-vlan 101
 member-vlan 201
 mode master
 no disable
interface GigabitEthernet 2/14
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 2/31
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged GigabitEthernet 2/
 interface primary GigabitEthernet 3/21 secondary GigabitEthernet 3/14
 control-vlan 101
 member-vlan 201
 mode transit
 no disable
20 GARP VLAN Registration Protocol (GVRP)
GARP VLAN registration protocol (GVRP) is supported on the MXL switch platform. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GVRP, defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches.
Figure 42. Global GVRP Configuration Example
Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2. Enabling GVRP on a Layer 2 Interface
Related Configuration Tasks
• Configure GVRP Registration
• Configure a GARP Timer
Enabling GVRP Globally
To configure GVRP globally, use the following command.
• Enable GVRP for the entire switch.
protocol gvrp
 no disable
Dell(config-gvrp)#
To inspect the global configuration, use the show gvrp brief command.
Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
• Enable GVRP on a Layer 2 interface.
 gvrp registration fixed 34-35
 gvrp registration forbidden 45-46
 no shutdown
Dell(conf-if-gi-1/21)#
Configure a GARP Timer
Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings.
• Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The default is 200ms.
21 Internet Group Management Protocol (IGMP)
Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. IGMP is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. • Responding to an IGMP Query – One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
Figure 44. IGMP Version 3 Packet Structure
Figure 45. IGMP Version 3–Capable Multicast Routers Address Structure
Joining and Filtering Groups and Sources
The following illustration shows how multicast routers maintain the group and source information from unsolicited reports.
1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 46. Membership Reports: Joining and Filtering
Leaving and Staying in Groups
The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries.
1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filter for 10.11.1.1 and 10.11.1.2 are no longer necessary.
2.
Figure 47. Membership Queries: Leaving and Staying
IGMP Snooping
IGMP snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers. Multicast packets are addressed with multicast MAC addresses, which represent a group of devices, rather than one unique device.
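The IGMP Snooping paragraph above says multicast frames carry a group MAC rather than a unique device address. The following is an added example, not code from the Dell guide: it implements the standard IPv4 group-to-Ethernet mapping (RFC 1112: prefix 01:00:5e plus the low 23 bits of the group address), enumerates the 32 IPv4 groups that collapse onto the same MAC, and builds the port-to-group table a snooping switch derives from membership reports, so the reader can see why such a table must be keyed on the IP group and not on the MAC. The group 224.1.1.1 comes from the figures above; the ports and the other groups are constructed.

```python
# Added example, not from the Dell guide: the IPv4 group-to-Ethernet multicast MAC
# mapping (RFC 1112) and the consequence for an IGMP snooping forwarding table.
# Ports and membership reports below are constructed sample input.
import ipaddress


def multicast_mac(group):
    """Return the Ethernet destination MAC a sender uses for an IPv4 multicast group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not in 224.0.0.0/4" % group)
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def groups_sharing_mac(group):
    """All 32 IPv4 groups that map to the same MAC: the five address bits above the
    low 23 are not carried in the MAC, so 224.1.1.1 and 225.1.1.1 look identical at Layer 2."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (high << 23) | low23)) for high in range(32)]


def build_forwarding_table(reports):
    """Build {group: set(ports)} from (port, group) membership reports, the table IGMP
    snooping derives so that group traffic is sent only to interested ports."""
    table = {}
    for port, group in reports:
        ipaddress.IPv4Address(group)            # reject malformed group addresses early
        table.setdefault(group, set()).add(port)
    return table


def ports_if_keyed_by_mac(table, group):
    """Ports that would receive traffic for `group` if the table were keyed by MAC:
    the union over every group that aliases onto the same MAC."""
    mac = multicast_mac(group)
    ports = set()
    for other_group, other_ports in table.items():
        if multicast_mac(other_group) == mac:
            ports |= other_ports
    return ports


if __name__ == "__main__":
    # constructed reports: two different groups that share one MAC
    reports = [("Te 0/1", "224.1.1.1"), ("Te 0/2", "225.1.1.1")]
    table = build_forwarding_table(reports)
    print("by IP group:", sorted(table["224.1.1.1"]))
    print("by MAC     :", sorted(ports_if_keyed_by_mac(table, "224.1.1.1")))
```

Keyed by IP group, traffic for 224.1.1.1 reaches only Te 0/1; keyed by MAC it would also reach Te 0/2, which is the over-forwarding a snooping implementation avoids by tracking groups rather than Layer 2 addresses.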
Configuring IGMP Snooping
Configuring IGMP snooping is a one-step process. To enable, view, or disable IGMP snooping, use the following commands.
• Enable IGMP snooping on a switch.
  CONFIGURATION mode
  ip igmp snooping enable
• View the configuration.
  CONFIGURATION mode
  show running-config
• Disable snooping on a VLAN.
Disabling Multicast Flooding
If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. On the MXL Switch, when you configure no ip igmp snooping flood, the system forwards the frames on the mrouter ports for the first 96 IGMP snooping-enabled VLANs. For all other VLANs, the unregistered multicast packets are dropped.
When an IGMP snooping switch is not acting as a querier, it sends out the general query in response to the MSTP triggered link-layer topology change, with the source IP address of 0.0.0.0 to avoid triggering querier election.
Designating a Multicast Router Interface
To designate an interface as a multicast router interface, use the following command.
22 Interfaces
This chapter describes 100/1000/10000 Mbps Ethernet, 10 Gigabit Ethernet, and 40 Gigabit Ethernet interface types, both physical and logical, and how to configure them with the Dell Networking operating software (OS).
Interface Type | Modes Possible | Default Mode | Requires Creation | Default State
VLAN | L2, L3 | L2 | Yes (except default) | L2: No Shutdown (enabled); L3: Shutdown (disabled)
View Basic Interface Information
To view basic interface information, use the following command. You have several options for viewing interface status and configuration parameters.
• Lists all configurable interfaces on the chassis.
     44329 Multicasts, 0 Broadcasts, 0 Unicasts
     0 throttles, 0 discarded, 0 collisions
Rate info (interval 299 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec, 0 packets/sec, 0.
Enabling a Physical Interface
After determining the type of physical interfaces available, to enable and configure the interfaces, enter INTERFACE mode by using the interface interface slot/port command.
1. Enter the keyword interface, then the type of interface and slot/port information.
   CONFIGURATION mode
   interface interface-type
2.
   • For the Management interface on the RPM, enter the keyword ManagementEthernet, then the slot/port information.
Type of Interface | Possible Modes | Requires Creation | Default State
10/100/1000 Ethernet, Gigabit Ethernet, 10 Gigabit Ethernet | Layer 2 | No | Shutdown (disabled)
Management | N/A | No | Shutdown (disabled)
Loopback | Layer 3 | Yes | No shutdown (enabled)
Null interface | N/A | No | Enabled
Port Channel | Layer 2 | Yes | Shutdown (disabled)
Yes, except for the default VLAN.
Configuring Layer 3 (Network) Mode
When you assign an IP address to a physical interface, you place it in Layer 3 mode. To enable Layer 3 mode on an individual interface, use the following commands. In all interface types except VLANs, the shutdown command prevents all traffic from passing through the interface. In VLANs, the shutdown command prevents Layer 3 traffic from passing through the interface. Layer 2 traffic is unaffected by the shutdown command.
Example of the show ip interface Command
You can only configure one primary IP address per interface. You can configure up to 255 secondary IP addresses on a single interface. To view all interfaces with an IP address assigned, use the show ip interfaces brief command in EXEC mode, as shown in View Basic Interface Information. To view IP information on an interface in Layer 3 mode, use the show ip interface command in EXEC Privilege mode.
You can manage the MXL Switch from any port. Configure an IP address for the port using the ip address command. Enable the IP address for the port using the no shutdown command. You can use the description command from INTERFACE mode to note that the interface is the management interface. There is no separate management routing table, so you must configure all routes in the IP routing table (use the ip route command).
• Enter the slot and the port (0) to configure a Management interface.
VLAN Interfaces
VLANs are logical interfaces and are, by default, in Layer 2 mode. Physical interfaces and port channels can be members of VLANs. For more information about VLANs and Layer 2, refer to Layer 2 and Virtual LANs (VLANs).
NOTE: To monitor VLAN interfaces, use Management Information Base for Network Management of TCP/IP-based internets: MIB-II (RFC 1213).
NOTE: You cannot simultaneously use egress rate shaping and ingress rate policing on the same VLAN.
  show interface loopback number
• Delete a Loopback interface.
  CONFIGURATION mode
  no interface loopback number
Many of the same commands found in the physical interface are also found in the Loopback interfaces. For more information, refer to Access Control Lists (ACLs).
Null Interfaces
The Null interface is another virtual interface. There is only one Null interface. It is always up, but no traffic is transmitted through this interface.
Port Channel Implementation
The Dell Networking OS supports static and dynamic port channels.
• Static — Port channels that are statically configured.
• Dynamic — Port channels that are dynamically configured using the link aggregation control protocol (LACP). For details, refer to Link Aggregation Control Protocol (LACP).
There are 128 port-channels with 16 members per channel. As soon as you configure a port channel, the system treats it like a physical interface. For example, IEEE 802.
• Configuring the Minimum Oper Up Links in a Port Channel (optional)
• Adding or Removing a Port Channel from a VLAN (optional)
• Assigning an IP Address to a Port Channel (optional)
• Deleting or Disabling a Port Channel (optional)
Creating a Port Channel
You can create up to 128 port channels with 16 port members per group on an MXL switch. To configure a port channel, use the following commands.
1. Create a port channel.
   CONFIGURATION mode
   interface port-channel id-number
2.
Example of the show interfaces port-channel brief Command
Example of the show interface port-channel Command
Example of Error Due to an Attempt to Configure an Interface that is Part of a Port Channel
To view the port channel’s status and channel members in a tabular format, use the show interfaces port-channel brief command in EXEC Privilege mode, as shown in the following example.
interface Port-channel 1
 no ip address
 channel-member TenGigabitEthernet 0/16
 shutdown
Dell(conf-if-po-1)#
Dell(conf-if-po-1)#int tengig 1/6
Dell(conf-if)#ip address 10.56.4.4 /24
% Error: Te 1/6 Port is part of a LAG.
Dell(conf-if)#
Reassigning an Interface to a New Port Channel
An interface can be a member of only one port channel. If the interface is a member of a port channel, remove it from the first port channel and then add it to the second port channel.
Example of Configuring the Minimum Oper Up Links in a Port Channel
Dell#config t
Dell(conf)#int po 1
Dell(conf-if-po-1)#minimum-links 5
Dell(conf-if-po-1)#
Adding or Removing a Port Channel from a VLAN
As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command). To add or remove a VLAN port channel and to view VLAN port channel members, use the following commands.
• Disable a port channel.
  shutdown
When you disable a port channel, all interfaces within the port channel are operationally down also.
Load Balancing through Port Channels
Dell Networking OS uses hash algorithms for distributing traffic evenly over channel members in a port channel (LAG). The hash algorithm distributes traffic among ECMP paths and LAG members. The distribution is based on a flow, except for packet-based hashing. A flow is identified by the hash and is assigned to one link.
Change the default (0) to another algorithm and apply it to ECMP, LAG hashing, or a particular line card.
CONFIGURATION mode
hash-algorithm {algorithm-number | {ecmp {checksum|crc|xor} [number]} {lag {checksum|crc|xor} [number]} {nh-ecmp {checksum|crc|xor} [number]} | {linecard number ip-sa-mask value ip-da-mask value}}
NOTE: To achieve the functionality of hash-align on the ExaScale platform, do not use CRC as a hash-algorithm method.
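The Load Balancing paragraph above states that distribution is flow-based: a flow is identified by the hash and pinned to one link. The following is an added example, not code from the Dell guide or the Dell Networking OS: it serializes a 5-tuple flow key, hashes it with three reductions named after the checksum, crc and xor keywords of the hash-algorithm command, and maps the result onto a list of port-channel members. The three hash functions are illustrative (CRC-32, byte XOR, 16-bit ones'-complement sum); they are not the switch ASIC's actual hashing, and the member names and traffic sample are constructed.

```python
# Added example, not Dell Networking OS code: flow-based hashing over LAG members.
# The "crc", "xor" and "checksum" names mirror the hash-algorithm keywords on this
# page, but the functions are my own illustrative reductions, not the ASIC's hash.
# Member names and traffic below are constructed.
import ipaddress
import struct
import zlib
from collections import Counter


def flow_key(src_ip, dst_ip, proto, sport, dport):
    """Serialize the 5-tuple that identifies a flow (IPv4 only in this example)."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BHH", proto, sport, dport))


def hash_crc(key):
    return zlib.crc32(key) & 0xFFFFFFFF


def hash_xor(key):
    value = 0
    for byte in key:
        value ^= byte
    return value


def hash_checksum(key):
    """16-bit ones'-complement sum, the same fold the IP header checksum uses."""
    if len(key) % 2:
        key += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(key) // 2), key))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


ALGORITHMS = {"crc": hash_crc, "xor": hash_xor, "checksum": hash_checksum}


def select_member(key, members, algorithm="crc"):
    """Pick the LAG member for a flow: hash modulo member count, so every packet of
    one flow leaves on the same link and packets are never reordered across links."""
    return members[ALGORITHMS[algorithm](key) % len(members)]


def distribute(packets, members, algorithm="crc"):
    """Count packets per member for a list of (flow_key, packet_count) pairs."""
    load = Counter()
    for key, count in packets:
        load[select_member(key, members, algorithm)] += count
    return dict(load)


if __name__ == "__main__":
    members = ["Te 0/16", "Te 0/17", "Te 0/18", "Te 0/19"]   # constructed members of Port-channel 1
    sample = [(flow_key("10.56.4.4", "10.56.4.5", 6, 40000 + i, 443), 100) for i in range(8)]
    for name in ALGORITHMS:
        print(name, distribute(sample, members, name))
```

Running it shows that the three reductions spread the same eight flows differently across the four links, while each flow always lands on exactly one member regardless of the algorithm; a few elephant flows therefore cannot be balanced better than one link each, which is the limit of flow-based distribution the page describes.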
• If a new stack unit is added to an existing stack, by default, the server side interfaces always start in Shut mode. If the startup configuration is deleted after a stack unit was added to a stack and the stack is reloaded, on reboot the entire logical switch comes up with all server ports as Layer2 switch ports in No Shut mode.
Bulk Configuration
Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces.
Create a Multiple-Range
The following is an example of multiple range.
Example of the interface range Command (Multiple Ranges)
Dell(conf)#interface range tengigabitethernet 3/0 , tengigabitethernet 2/1 - 47 , vlan 1000
Dell(conf-if-range-te-2/1-47)#
Exclude Duplicate Entries
The following is an example showing how duplicate entries are omitted from the interface-range prompt.
• Defines the interface-range macro and saves it in the running configuration file.
  CONFIGURATION mode
  define interface-range macro_name {vlan vlan_ID - vlan_ID} | {{tengigabitethernet | fortyGigE} slot/interface - interface} [ , {vlan vlan_ID - vlan_ID} {{tengigabitethernet | fortyGigE} slot/interface - interface}]
Define the Interface Range
The following example shows how to define an interface-range macro named “test” to select Fast Ethernet interfaces 5/1 through 5/4.
• q — Quit
Dell#monitor interface tengig 3/1
Dell Networking uptime is 1 day(s), 4 hour(s), 31 minute(s)
Monitor time: 00:00:00 Refresh Intvl.
show tdr tengigabitethernet /
Splitting QSFP Ports to SFP+ Ports
The MXL 10/40GbE switch supports splitting a 40GbE port on the base module or a 2-Port 40GbE QSFP+ module into four 10GbE SFP+ ports using a 4x10G breakout cable.
NOTE: By default, the 40GbE ports on a 2-Port 40GbE QSFP+ module come up in 4x10GbE (quad) mode as eight 10GbE ports. On the base module, you must convert the 40GbE ports to 4x10GbE mode as described in the following section.
• Split ports cannot be a part of any stacked system.
• The quad port must be in a default configuration before it can be split into 4x10G ports.
• The 40G port is lost in the configuration when the port is split; be sure the port is also removed from other L2/L3 feature configurations.
• The system must be reloaded after issuing the CLI for the change to take effect.
Configure the MTU Size on an Interface
The link MTU is the frame size of a packet. The IP MTU size is used for IP fragmentation.
NOTE: Trident2 chip sets do not work at 1G speeds with auto-negotiation enabled. As a result, when you peer any device using SFP, the link does not come up if auto-negotiation is enabled. Therefore, disable auto-negotiation on platforms that currently use Trident2 chip sets (S6000 and Z9000). This limitation applies only when you convert QSFP to SFP using the QSA. This constraint does not apply for QSFP to SFP+ conversions using the QSA.
NOTE: If a port is over-subscribed, Ethernet Pause Frame flow control does not ensure no loss behavior.
The following error message appears when trying to enable flow control when you already configured half duplex:
Can’t configure flowcontrol when half duplex is configure, config ignored.
The following error message appears when trying to enable half duplex and flow control configuration is on:
Can’t configure half duplex when flowcontrol is on, config ignored.
Layer 2 Overhead | Difference Between Link MTU and IP MTU
Tagged Packet with VLAN-Stack Header | 26 bytes
Link MTU and IP MTU considerations for port channels and VLANs are as follows.
Port Channels:
• All members must have the same link MTU value and the same IP MTU value.
• The port channel link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values configured on the channel members.
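The table row and the two port-channel rules above are easy to get wrong by hand when a LAG spans several line cards. The following is an added example, not code from the Dell guide: it converts between link MTU and IP MTU for a given framing and checks a port channel and its members against the two rules stated above. The 26-byte figure for a tagged packet with a VLAN-stack header is the value on this page; the 18-byte untagged and 22-byte single-tag overheads are the standard Ethernet header plus FCS sizes and are added here as assumptions. The port-channel and member values are constructed.

```python
# Added example, not from the Dell guide: link MTU vs IP MTU arithmetic and a check
# of the port-channel MTU rules.  26 bytes (VLAN-stack) is the page's figure; the
# untagged (18) and single-tag (22) overheads are standard Ethernet sizes assumed here.
L2_OVERHEAD = {"untagged": 18, "tagged": 22, "vlan-stack": 26}


def ip_mtu_for(link_mtu, framing="vlan-stack"):
    """Largest IP packet that fits in a frame of link_mtu bytes under the given framing."""
    return link_mtu - L2_OVERHEAD[framing]


def link_mtu_for(ip_mtu, framing="vlan-stack"):
    """Link MTU needed to carry ip_mtu-byte packets without IP fragmentation."""
    return ip_mtu + L2_OVERHEAD[framing]


def check_port_channel(po, members):
    """Return the list of rule violations (empty when the configuration is consistent).

    po and each members[name] are dicts {"link_mtu": int, "ip_mtu": int}; the shape
    is a constructed stand-in for the values you would read from show interface."""
    problems = []
    for kind in ("link_mtu", "ip_mtu"):
        # rule 1: every member carries the same value
        values = sorted({m[kind] for m in members.values()})
        if len(values) > 1:
            problems.append("members disagree on %s: %s" % (kind, values))
        # rule 2: the port channel never exceeds any member
        for name, m in members.items():
            if po[kind] > m[kind]:
                problems.append("port-channel %s %d exceeds member %s (%d)"
                                % (kind, po[kind], name, m[kind]))
    return problems


if __name__ == "__main__":
    # constructed: one member still at the default size after a line-card swap
    po = {"link_mtu": 9216, "ip_mtu": 9000}
    members = {"Te 0/16": {"link_mtu": 1554, "ip_mtu": 1500},
               "Te 0/17": {"link_mtu": 9216, "ip_mtu": 9000}}
    for problem in check_port_channel(po, members) or ["port channel is consistent"]:
        print(problem)
    print("IP MTU carried by a 1554-byte VLAN-stacked link:", ip_mtu_for(1554))
```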
   show interfaces [interface] status
2. Determine the remote interface status.
   EXEC mode or EXEC Privilege mode
   [Use the command on the remote system that is equivalent to the first command.]
3. Access CONFIGURATION mode.
   EXEC Privilege mode
   config
4. Access the port.
   CONFIGURATION mode
   interface interface slot/port
5. Set the local port speed.
   INTERFACE mode
   speed {100 | 1000 | 10000 | auto}
6. Optionally, set full- or half-duplex.
   INTERFACE mode
   duplex {half | full}
7.
Dell#configure
Dell(config)#interface tengig 0/1
Dell(conf-if-te-0/1)#speed 100
Dell(conf-if-te-0/1)#duplex full
Dell(conf-if-te-0/1)#no negotiation auto
Dell(conf-if-te-0/1)#show config
!
interface TenGigabitEthernet 0/1
 no ip address
 speed 100
 duplex full
 no shutdown
Set Auto-Negotiation Options
The negotiation auto command provides a mode option for configuring an individual port to forced master/forced slave after you enable auto-negotiation.
Dell#show ip interface configured
Dell#show ip interface tengigabitEthernet 1 configured
Dell#show interfaces fortygigabitEthernet 0 configured
Dell#show ip interface fortygigabitEthernet 1 configured
Dell#show ip interface brief configured
Dell#show running-config interfaces configured
Dell#show running-config interface tengigabitEthernet 1 configured
In EXEC mode, the show interfaces switchport command displays only interfaces in Layer 2 mode and their relevant configuration information.
     0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
     0 CRC, 0 IP Checksum, 0 overrun, 0 discarded
     0 packets output, 0 bytes, 0 underruns
     Output 0 Multicasts, 0 Broadcasts, 0 Unicasts
     0 IP Packets, 0 Vlans, 0 MPLS
     0 throttles, 0 discarded
Rate info (interval 299 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec, 0 packets/sec, 0.
Clearing Interface Counters
The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters that any SNMP program captures. To clear the counters, use the following command.
• Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces, or for selected ones. Without an interface specified, the command clears all interface counters.
23 Internet Protocol Security (IPSec)
IPSec is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and file transfer protocols (FTPs) and can operate in Transport mode. In Transport mode, IPSec encrypts only the packet payload; the IP header is unchanged. This is the default mode.
crypto ipsec policy myCryptoPolicy 10 ipsec-manual
 transform-set myXform-set
 session-key inbound esp 256 auth encrypt
 session-key outbound esp 257 auth encrypt
 match 0 tcp a::1 /128 0 a::2 /128 21
 match 1 tcp a::1 /128 21 a::2 /128 0
 match 2 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
 match 3 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
3. Apply the crypto policy to management traffic.
24 IPv4 Routing
The Dell Networking OS supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking operating system (OS).

IP Feature            Default
DNS                   Disabled
Directed Broadcast    Disabled
Proxy ARP             Enabled
ICMP Unreachable      Disabled
ICMP Redirect         Disabled

IP Addresses
The Dell Networking OS supports IP version 4, as described in RFC 791.
For a complete listing of all commands related to IP addressing, refer to the Dell Networking OS Command Line Interface Reference Guide.

Assigning IP Addresses to an Interface
Assign primary and secondary IP addresses to physical or logical (for example, virtual local area network [VLAN] or port channel) interfaces to enable IP communication between the system and hosts connected to that interface. In the system, you can assign one primary address and up to 255 secondary IP addresses to each interface.
1.
Configuring Static Routes
A static route is a route that you configure manually and that no routing protocol, such as open shortest path first (OSPF), learns dynamically. Often, static routes are used as backup routes in case other dynamically learned routes are unreachable. You can enter as many static routes as necessary. To configure a static route, use the following command.
• Configure a static IP address.
• When the interface comes up, the system re-installs the route.
• When the recursive resolution is “broken,” the system withdraws the route.
• When the recursive resolution is satisfied, the system re-installs the route.

Configure Static Routes for the Management Interface
When an IP address that a protocol uses and a static management route exist for the same prefix, the protocol route takes precedence over the static management route.
Using the Configured Source IP Address in ICMP Messages ICMP error or unreachable messages are now sent with the configured IP address of the source interface instead of the front-end port IP address as the source IP address. Enable the generation of ICMP unreachable messages through the ip unreachable command in Interface mode. When a ping or traceroute packet from an endpoint or a device arrives at the null 0 interface configured with a static route, it is discarded.
Enabling Directed Broadcast
By default, the system drops directed broadcast packets destined for an interface. This default setting provides some protection against denial of service (DoS) attacks. To enable the system to receive directed broadcasts, use the following command.
• Enable directed broadcast.
  INTERFACE mode
  ip directed-broadcast
To view the configuration, use the show config command in INTERFACE mode.

Resolution of Host Names
Domain name service (DNS) maps host names to IP addresses.
To view the current configuration, use the show running-config resolve command. Specifying the Local System Domain and a List of Domains If you enter a partial domain, the system can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. The Dell Networking OS searches the host table first to resolve the partial domain.
 1 10.11.199.190 001.000 ms 001.000 ms 002.000 ms
 2 gwegress-sjc-02.force10networks.com (10.11.30.126) 005.000 ms 001.000 ms 001.000 ms
 3 fw-sjc-01.force10networks.com (10.11.127.254) 000.000 ms 000.000 ms 000.000 ms
 4 www.force10networks.com (10.11.84.18) 000.000 ms 000.000 ms 000.000 ms
Dell#

ARP
The Dell Networking OS uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP.
Internet  10.11.68.14     94  00:01:e9:45:00:03  Ma 0/0  -  CP
Internet  10.11.209.254    0  00:01:e9:45:00:03  Ma 0/0     CP
Dell#

Enabling Proxy ARP
By default, Proxy ARP is enabled. To disable Proxy ARP, use the no proxy-arp command in the interface mode. To re-enable Proxy ARP, use the following command.
• Re-enable Proxy ARP.
  INTERFACE mode
  ip proxy-arp
To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode.
ARP Learning via ARP Request In the Dell Networking OS versions prior to 8.3.1.0, the system learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped. If there is an existing entry for the requesting host, it is updated. Figure 48.
  CONFIGURATION mode
  arp retries number
  The default is 5. The range is from 1 to 20.
• Set the exponential timer for resending unresolved ARPs.
  CONFIGURATION mode
  arp backoff-time
  The default is 30. The range is from 1 to 3600.
• Display all ARP entries learned via gratuitous ARP.
1. Enable UDP helper and specify the UDP ports for which traffic is forwarded. Refer to Enabling UDP Helper.

Important Points to Remember
• The existing ip directed broadcast command is rendered meaningless if you enable UDP helper on the same interface.
• The broadcast traffic rate should not exceed 200 packets per second when you enable UDP helper.
• You may specify a maximum of 16 UDP ports.
1. Packet 1 is dropped at ingress if you did not configure UDP helper address. 2. If you enable UDP helper (using the ip udp-helper udp-port command), and the UDP destination port of the packet matches the UDP port configured, the system changes the destination address to the configured broadcast 1.1.255.255 and routes the packet to VLANs 100 and 101.
UDP Helper with Configured Broadcast Addresses Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces. In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast address of VLAN 100 and 101. If you enabled UDP helper and the UDP port number matches, the packet is flooded on both VLANs with an unchanged destination address. Packet 2 is sent from a host on VLAN 101.
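As an added example (not part of the Dell guide or its OS), the following Python models the two forwarding decisions just described: a broadcast whose UDP destination port matches a configured helper port is rewritten to the interfaces' configured broadcast address and routed onto those VLANs, while a packet that already carries an interface's configured broadcast address is flooded on the matching interfaces unchanged. The interface names, the limited-broadcast treatment of Packet 1, and port 67 as the helper port are assumptions made for the model.

```python
"""Added example, not Dell code: a model of the UDP helper forwarding decision
described in the two scenarios above. Assumptions are marked in comments."""

MAX_HELPER_PORTS = 16                    # limit stated in the guide
LIMITED_BROADCAST = "255.255.255.255"    # assumption: Packet 1 arrives as a limited broadcast


class UdpHelper:
    def __init__(self, interfaces):
        # interfaces: {interface name: configured broadcast address}
        self.interfaces = dict(interfaces)
        self.ports = set()
        self.enabled = False

    def enable(self, *udp_ports):
        """ip udp-helper udp-port: at most 16 ports may be specified in total."""
        ports = self.ports | set(udp_ports)
        if len(ports) > MAX_HELPER_PORTS:
            raise ValueError("a maximum of 16 UDP ports may be specified")
        self.ports = ports
        self.enabled = True

    def relay(self, dst_ip, dst_port):
        """Return (reason, [(interface, destination used on that interface), ...]).
        An empty list means the helper does not forward the packet."""
        if not self.enabled:
            return ("dropped at ingress: UDP helper not configured", [])
        if dst_port not in self.ports:
            return ("dropped: UDP port %d is not a helper port" % dst_port, [])
        if dst_ip == LIMITED_BROADCAST:
            # Scenario 1: rewrite the destination to each interface's configured
            # broadcast address and route the packet onto those VLANs
            out = [(name, bcast) for name, bcast in self.interfaces.items()]
            return ("rewritten to configured broadcast and routed", out)
        matching = [name for name, bcast in self.interfaces.items() if bcast == dst_ip]
        if matching:
            # Scenario 2: destination already equals a configured broadcast;
            # flood on every interface with that broadcast, address unchanged
            return ("flooded with unchanged destination", [(n, dst_ip) for n in matching])
        return ("not a broadcast the helper handles", [])


# Constructed topology from the guide's illustration: VLAN 100 and VLAN 101
# both use 1.1.255.255 as their configured broadcast address
helper = UdpHelper({"Vlan 100": "1.1.255.255", "Vlan 101": "1.1.255.255"})
helper.enable(67)          # assumption: DHCP/BOOTP server port as the helper port

if __name__ == "__main__":
    print(helper.relay("255.255.255.255", 67))
    print(helper.relay("1.1.255.255", 67))
    print(helper.relay("255.255.255.255", 53))
```

Note that the model forwards only for the configured ports; everything else is dropped at ingress, which is the behaviour the guide describes for an interface without a helper address.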
172.21.50.193
BOOTP Request, XID = 0x9265f901, secs = 0
hwaddr = 00:02:2D:8D:46:DC, giaddr = 0.0.0.0, hops = 2
2005-11-05 11:59:35 %RELAY-I-BOOTREQUEST, Forwarded BOOTREQUEST for 00:02:2D:8D:46:DC to 137.138.17.6
2005-11-05 11:59:36 %RELAY-I-PACKET, BOOTP REPLY (Unicast) received at interface 194.12.129.98
BOOTP Reply, XID = 0x9265f901, secs = 0
hwaddr = 00:02:2D:8D:46:DC, giaddr = 172.21.50.193, hops = 2
2005-07-05 11:59:36 %RELAY-I-BOOTREPLY, Forwarded BOOTREPLY for 00:02:2D:8D:46:DC to 128.141.128.
25 IPv6 Addressing Internet protocol version 6 (IPv6) is supported on the MXL switch platform. NOTE: The IPv6 basic commands are supported on all platforms. However, not all features are supported on all platforms, nor for all releases. To determine the Dell Networking OS version supporting which features and platforms, refer to Implementing IPv6 with the Dell Networking OS. IPv6 is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage.
NOTE: The Dell Networking OS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS). By default, RA response messages are sent when an RS message is received. The Dell Networking OS manipulation of IPv6 stateless autoconfiguration supports the router side only. Neighbor discovery (ND) messages are advertised so the neighbor can use this information to auto-configure its address.
IPv6 Header Fields
The 40 bytes of the IPv6 header are ordered, as shown in the following illustration.
Figure 53. IPv6 Header Fields
Version (4 bits)
The Version field always contains the number 6, referring to the packet’s IP version.
Traffic Class (8 bits)
The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Value   Description
0       Hop-by-Hop option header
4       IPv4
6       TCP
8       Exterior Gateway Protocol (EGP)
41      IPv6
43      Routing header
44      Fragmentation header
50      Encrypted Security
51      Authentication header
59      No Next Header
60      Destinations option header
NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) web page.
Hop-by-Hop Options Header
The Hop-by-Hop Options header contains information that is examined by every router along the packet’s path. It follows the IPv6 header and is designated by the Next Header value 0 (zero). When a Hop-by-Hop Options header is not included, the router knows that it does not have to process any router-specific information and immediately forwards the packet toward its final destination.
• 2001:db8::1428:57ab IPv6 networks are written using classless inter-domain routing (CIDR) notation. An IPv6 network (or subnet) is a contiguous group of IPv6 addresses the size of which must be a power of two; the initial bits of addresses, which are identical for all hosts in the network, are called the network's prefix. A network is denoted by the first address in the network and the size in bits of the prefix (in decimal), separated with a slash.
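As an added example (not from this guide), the following Python builds and parses the 40-byte header described under IPv6 Header Fields, decodes the Next Header value against the table above, and derives the CIDR network of an address as defined in this section. The packet and addresses are constructed for the example; only the Python standard library is used.

```python
"""Added example, not code from the Dell guide: parse the fixed 40-byte IPv6
header described above and derive the CIDR network of an address."""
import ipaddress
import struct

# Next Header values listed in the guide's table (not a complete list; see IANA)
NEXT_HEADER = {
    0: "Hop-by-Hop option header",
    4: "IPv4",
    6: "TCP",
    8: "Exterior Gateway Protocol (EGP)",
    41: "IPv6",
    43: "Routing header",
    44: "Fragmentation header",
    50: "Encrypted Security",
    51: "Authentication header",
    59: "No Next Header",
    60: "Destinations option header",
}


def build_ipv6_header(src, dst, next_header, payload_length,
                      hop_limit=64, traffic_class=0, flow_label=0):
    """Assemble the 40-byte header: 4-bit version, 8-bit traffic class,
    20-bit flow label, then payload length, next header, hop limit,
    source and destination addresses (network byte order)."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, payload_length, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(data):
    """Split the first 40 bytes of a packet into the IPv6 header fields."""
    if len(data) < 40:
        raise ValueError("IPv6 header is 40 bytes; got %d" % len(data))
    first_word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", data[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError("Version field is %d, not 6" % version)
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_length,
        "next_header": next_header,
        "next_header_name": NEXT_HEADER.get(next_header, "other (see IANA list)"),
        "hop_limit": hop_limit,
        # str() gives the compressed textual form (leading zeros dropped, one '::')
        "src": str(ipaddress.IPv6Address(data[8:24])),
        "dst": str(ipaddress.IPv6Address(data[24:40])),
        # a Hop-by-Hop Options header, if present, directly follows with value 0
        "hop_by_hop_follows": next_header == 0,
    }


def network_of(address, prefix_length):
    """CIDR form of the network an address belongs to: the first address in
    the network (prefix bits kept, host bits cleared) plus the prefix length."""
    net = ipaddress.IPv6Network("%s/%d" % (address, prefix_length), strict=False)
    return str(net)


# Constructed sample: a TCP segment (Next Header 6) with a 20-byte payload
SAMPLE_PACKET = build_ipv6_header("2001:db8::1428:57ab", "2001:db8::1", 6, 20,
                                  traffic_class=0x28)

if __name__ == "__main__":
    for k, v in parse_ipv6_header(SAMPLE_PACKET).items():
        print("%-18s %s" % (k, v))
    print(network_of("2001:db8::1428:57ab", 32))   # 2001:db8::/32
```

The parser rejects anything whose Version field is not 6 before touching the address bytes, which is the check a packet filter should make before applying IPv6 rules to a buffer.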
Feature and Functionality                Dell Networking OS Release Introduction   Documentation and Chapter Location                                                           MXL
IPv6 ping                                9.2(0.0)                                  ICMPv6 in this chapter
IPv6 traceroute                          9.2(0.0)                                  ICMPv6 in this chapter
Static routing                           9.2(0.0)                                  Assigning a Static IPv6 Route in this chapter
Route redistribution                     9.2(0.0)                                  OSPF, IS-IS, and IPv6 BGP chapters in the Dell Networking OS Command Line Reference Guide.
Multiprotocol BGP extensions for IPv6    9.2(0.
Feature and Functionality              Dell Networking OS Release Introduction   Documentation and Chapter Location                                                                              MXL
IPv6 Access Control Lists              9.2(0.0)                                  IPv6 Access Control Lists in the Dell Networking OS Command Line Reference Guide.
IPv6 Multicast (PIM-SM for IPv6)       N/A                                       IPv6 Multicast in this chapter; IPv6 PIM in the Dell Networking OS Command Line Reference Guide.
IPv6 Multicast (PIM-SSM for IPv6)      N/A                                       IPv6 Multicast in this chapter; IPv6 PIM in the Dell Networking OS Command Line Reference Guide.
The recommended MTU for IPv6 is 1280. Greater MTU settings increase processing efficiency because each packet carries more data while protocol overheads (for example, headers) or underlying per-packet delays remain fixed.
Figure 54. Path MTU Discovery Process

IPv6 Neighbor Discovery
IPv6 neighbor discovery protocol (NDP) is supported on the MXL switch platform. NDP is a top-level protocol for neighbor discovery on an IPv6 network.
Figure 55. NDP Router Redirect

IPv6 Neighbor Discovery of MTU Packets
With the Dell Networking OS version 8.3.1.0, you can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is set with the mtu command.
Debugging IPv6 RDNSS Information Sent to the Host
To verify that the IPv6 RDNSS information sent to the host is configured correctly, use the debug ipv6 nd command in EXEC Privilege mode.
Example of Debugging IPv6 RDNSS Information Sent to the Host
The following example debugs IPv6 RDNSS information sent to the host. The last 3 lines indicate that the IPv6 RDNSS information was configured correctly.
Configuration Task List for IPv6
The following are configuration tasks for the IPv6 protocol.
• Adjusting Your CAM-Profile
• Assigning an IPv6 Address to an Interface
• Assigning a Static IPv6 Route
• Configuring Telnet with IPv6
• SNMP over IPv6
• Showing IPv6 Information
• Clearing IPv6 Routes

Adjusting Your CAM-Profile
The cam-acl command is supported on the MXL switch platform.
Assigning an IPv6 Address to an Interface IPv6 addresses are supported on the MXL switch platform. Essentially, IPv6 is enabled in the Dell Networking OS simply by assigning IPv6 addresses to individual router interfaces. You can use IPv6 and IPv4 together on a system, but be sure to differentiate that usage carefully. To assign an IPv6 address to an interface, use the ipv6 address command.
Configuring Telnet with IPv6
IPv6 telnet is supported on the MXL switch platform. The Telnet client and server in the Dell Networking OS support IPv6 connections. You can establish a Telnet session directly to the router using an IPv6 Telnet client, or you can initiate an IPv6 Telnet connection from the router.
NOTE: Telnet to link local addresses is supported on the MXL switch.
• Enter the IPv6 Address for the device.
rpf
Dell#
RPF table

Showing an IPv6 Interface
To view the IPv6 configuration for a specific interface, use the following command.
• Show the currently running configuration for the specified interface.
  EXEC mode
  show ipv6 interface type {slot/port}
  Enter the keyword interface then the type of interface and slot/port information:
  – For a brief summary of IPv6 status and configuration, enter the keyword brief.
  – For all IPv6 configured interfaces, enter the keyword configured.
Example of the show ipv6 route summary Command
Example of the show ipv6 route Command
Example of the show ipv6 route static Command
Dell#show ipv6 route summary
  Route Source    Active Routes    Non-active Routes
  connected       5                0
  static          0                0
  Total           5                0
Dell#show ipv6 route
Codes: C - connected, L - local, S - static, R - RIP,
       B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated,
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
 shutdown
Dell#

Clearing IPv6 Routes
To clear routes from the IPv6 routing table, use the following command.
• Clear (refresh) all or a specific route from the IPv6 routing table.
  EXEC mode
  clear ipv6 route {* | ipv6 address prefix-length}
  – *: all routes.
  – ipv6 address: the format is x:x:x:x::x.
  – mask: the prefix length is from 0 to 128.
NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:).
26 iSCSI Optimization
The MXL switch enables internet small computer system interface (iSCSI) optimization with default iSCSI parameter settings and is auto-provisioned to support the following features.
• Detection and Auto-Configuration for Dell EqualLogic Arrays
• Configuring Detection and Ports for Dell Compellent Arrays
To display information on iSCSI configuration and sessions, use the show commands. iSCSI optimization enables quality-of-service (QoS) treatment for iSCSI traffic.
the MXL is configured to use dot1p priority-queue assignments to ensure that iSCSI traffic in these sessions receives priority treatment when forwarded on MXL hardware.
Figure 56. iSCSI Optimization Example

Monitoring iSCSI Traffic Flows
The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that trap iSCSI protocol packets to the CPU for examination. Devices that initiate iSCSI sessions usually use well-known TCP ports 3260 or 860 to contact targets.
• Target’s IP Address
• Initiator defined session identifier (ISID)
• Initiator’s iSCSI qualified name (IQN)
• Target’s IQN
• Initiator’s TCP Port
• Target’s TCP Port
If no iSCSI traffic is detected for a session during a user-configurable aging period, the session data is cleared.
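The session tracking just described can be modelled in a few lines. The following Python is an added example, not code from the Dell guide or the switch OS: sessions are keyed by the six fields listed above, created on a snooped login to one of the well-known target ports, refreshed by traffic, removed on logout, and cleared by an aging sweep. The IQNs, addresses and the 600-second aging default are constructed assumptions; the 256 connection limit is the value shown in the show iscsi output later in this chapter.

```python
"""Added example, not from the Dell guide or its OS: a model of the session
table the switch builds from snooped iSCSI login/logout packets, keyed by the
six fields listed above and cleared after a configurable idle period.
Timestamps are plain seconds passed in by the caller so the model is deterministic."""
from collections import namedtuple

ISCSI_PORTS = {3260, 860}       # well-known target ports named in the guide

SessionKey = namedtuple("SessionKey",
                        "target_ip isid initiator_iqn target_iqn initiator_port target_port")


class ISCSISessionTable:
    def __init__(self, aging_seconds=600, max_connections=256):
        # 256 is the "Maximum number of connections" shown in the guide's output;
        # the 600 s aging default is an assumption made for this example
        self.aging_seconds = aging_seconds
        self.max_connections = max_connections
        self.sessions = {}       # SessionKey -> last time iSCSI traffic was seen

    @staticmethod
    def is_iscsi_target_port(dst_port):
        """Classifier rule: trap packets to the well-known target ports to the CPU."""
        return dst_port in ISCSI_PORTS

    def login(self, key, now):
        """Snooped session-establishment packet: create or refresh the session."""
        if not self.is_iscsi_target_port(key.target_port):
            return False
        if key not in self.sessions and len(self.sessions) >= self.max_connections:
            return False            # assumption: sessions beyond the limit are not tracked
        self.sessions[key] = now
        return True

    def traffic_seen(self, key, now):
        """Any iSCSI packet for a known session restarts its aging timer."""
        if key in self.sessions:
            self.sessions[key] = now
            return True
        return False

    def logout(self, key):
        """Snooped session-termination packet: remove the session immediately."""
        return self.sessions.pop(key, None) is not None

    def age_out(self, now):
        """Clear sessions idle for longer than the aging period; return the keys cleared."""
        expired = [k for k, last in self.sessions.items() if now - last > self.aging_seconds]
        for k in expired:
            del self.sessions[k]
        return expired


# Constructed sample sessions (IQNs and addresses are made up for the example)
S1 = SessionKey("10.10.10.5", "0x400001370000", "iqn.1991-05.com.example:host1",
                "iqn.2001-05.com.example:vol1", 49152, 3260)
S2 = SessionKey("10.10.10.6", "0x400001370001", "iqn.1991-05.com.example:host2",
                "iqn.2001-05.com.example:vol2", 49153, 860)

if __name__ == "__main__":
    table = ISCSISessionTable()
    table.login(S1, now=0)
    table.login(S2, now=0)
    table.traffic_seen(S1, now=500)
    print(table.age_out(now=601))     # S2 has been idle longer than 600 s
```

Keying on the full six-tuple, rather than on the initiator address alone, is what lets the switch distinguish several sessions from one host to the same target.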
• iSCSI LLDP monitoring starts to automatically detect EqualLogic arrays. The following message displays when you enable iSCSI on a switch and describes the configuration changes that are automatically performed: %STKUNIT0-M:CP %IFMGR-5-IFM_ISCSI_ENABLE: iSCSI has been enabled causing flow control to be enabled on all interfaces.
Session aging time: 10
Maximum number of connections is 256
-----------------------------------------------
iSCSI Targets and TCP Ports:
-----------------------------------------------
TCP Port   Target IP Address
3260
860
VLT PEER1
Dell#show iscsi session
Session 0:
----------------------------------------------------------------------------
Target: iqn.2001-05.com.equallogic:0-8a0906-0e70c2002-10a0018426a48c94-iom010
Initiator: iqn.1991-05.com.
27 Intermediate System to Intermediate System
Intermediate system to intermediate system (IS-IS) is supported on the MXL switch platform.
• The IS-IS protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS.
• The IS-IS protocol standards are listed in the Standards Compliance chapter.
Figure 57. ISO Address Format

Multi-Topology IS-IS
Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases. Use this feature to place a virtual physical topology into logical routing domains, which can each support different routing and security policies. All routers on a LAN or point-to-point link must have at least one common supported topology when operating in Multi-Topology IS-IS mode.
neighbor within its LSPs. The local router does not form an adjacency if both routers do not have at least one common MT over the interface.

Graceful Restart
Graceful Restart is supported on MXL platforms for both Helper and Restart modes. Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets.
• MT Reachable IPv6 Prefixes TLV — appears for each IPv6 prefix an IS announces for a given MT ID. Its structure is aligned with the extended IS Reachability TLV Type 236 and adds an MT ID.
By default, the system supports dynamic host name exchange to assist with troubleshooting and configuration. By assigning a name to an IS-IS NET address, you can track IS-IS information on that address more easily. The system does not support ISO CLNS routing; however, the ISO NET format is supported for addressing.
• Controlling Routing Updates
• Configuring Authentication Passwords
• Setting the Overload Bit
• Debugging IS-IS

Enabling IS-IS
By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address. To exchange protocol information with neighbors, enable IS-IS on an interface, instead of on a network as with other routing protocols. In IS-IS, neighbors form adjacencies only when they are the same IS type.
  ipv6 address ipv6-address mask
  • ipv6 address: x:x:x:x::x
  • mask: The prefix length is from 0 to 128.
  The IPv6 address must be on the same subnet as other IS-IS neighbors, but the IP address does not need to relate to the NET address.
6. Enable IS-IS on the IPv4 interface.
  ROUTER ISIS mode
  ip router isis [tag]
  If you configure a tag variable, it must be the same as the tag variable assigned in step 1.
7. Enable IS-IS on the IPv6 interface.
IS-IS: Level-2 LSPs PSNPs (sent/rcvd) : 0/0
IS-IS: Level-1 DR Elections : 2
IS-IS: Level-2 DR Elections : 2
IS-IS: Level-1 SPF Calculations : 29
IS-IS: Level-2 SPF Calculations : 29
IS-IS: LSP checksum errors received : 0
IS-IS: LSP authentication failures : 0
Dell#
You can assign more NET addresses, but the System ID portion of the NET address must remain the same. The Dell Networking OS supports up to six area addresses.
• Configure the time during which the graceful restart attempt is prevented.
  ROUTER-ISIS mode
  graceful-restart interval minutes
  The range is from 1 to 120 minutes. The default is 5 minutes.
• Enable the graceful restart maximum wait time before a restarting peer comes up.
  ROUTER-ISIS mode
  graceful-restart restart-wait seconds
  When implementing this command, be sure to set the T3 timer to adjacency on the restarting router.
  The range is from 1 to 120 minutes. The default is 30 seconds.
To view all graceful restart-related configurations, use the show isis graceful-restart detail command in EXEC Privilege mode.
• Set the interval between LSP generation.
  ROUTER ISIS mode
  lsp-gen-interval [level-1 | level-2] seconds
  – seconds: the range is from 0 to 120. The default is 5 seconds.
  The default level is Level 1.
• Set the LSP size.
  ROUTER ISIS mode
  lsp-mtu size
  – size: the range is from 128 to 9195. The default is 1497.
• Set the LSP refresh interval.
  ROUTER ISIS mode
  lsp-refresh-interval seconds
  – seconds: the range is from 1 to 65535. The default is 900 seconds.
• Set the maximum LSP lifetime.
Table 28. Metric Styles
Metric Style        Characteristics                                                                Cost Range Supported on IS-IS Interfaces
narrow              Sends and accepts narrow or old TLVs (Type, Length, Value).                    0 to 63
wide                Sends and accepts wide or new TLVs.                                            0 to 16777215
transition          Sends both wide (new) and narrow (old) TLVs.                                   0 to 63
narrow transition   Sends narrow (old) TLVs and accepts both narrow (old) and wide (new) TLVs.     0 to 63
wide transition     Sends wide (new) TLVs and accepts both narrow (old) and wide (new) TLVs.
  – default-metric: the range is from 0 to 63 if the metric-style is narrow, narrow-transition, or transition. The range is from 0 to 16777215 if the metric style is wide or wide transition. The default is 10.
• Assign a metric for an IPv6 link or interface.
  INTERFACE mode
  isis ipv6 metric default-metric [level-1 | level-2]
  – default-metric: the range is from 0 to 63 for narrow and transition metric styles. The range is from 0 to 16777215 for wide metric styles. The default is 10.
Example of the show isis database Command to View Level 1-2 Link State Databases To view which IS-type is configured, use the show isis protocol command in EXEC Privilege mode. The show config command in ROUTER ISIS mode displays only non-default information, so if you do not change the IS-type, the default value (level-1-2) is not displayed. The default is Level 1-2 router. When the IS-type is Level 1-2, the software maintains two Link State databases, one for each level.
  – Enter the type of interface and slot/port information:
  – For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383.
  – For a port channel, enter the keywords port-channel then a number from 1 to 255.
  – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
  – For a 40-Gigabit Ethernet interface, enter the keyword FortyGigabitEthernet then the slot/port information.
  – bgp: for BGP routes only.
• Deny RTM download for pre-existing redistributed IPv6 routes.
  ROUTER ISIS-AF IPV6 mode
  distribute-list redistributed-override in

Redistributing IPv4 Routes
In addition to filtering routes, you can add routes from other routing instances or protocols to the IS-IS process. With the redistribute command syntax, you can include BGP, OSPF, RIP, static, or directly connected routes in the IS-IS process.
  – level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
  – metric-value: the range is from 0 to 16777215. The default is 0.
  – metric-type: choose either external or internal. The default is internal.
  – map-name: enter the name of a configured route map.
• Include specific OSPF routes in IS-IS.
Setting the Overload Bit Another use for the overload bit is to prevent other routers from using this router as an intermediate hop in their shortest path first (SPF) calculations. For example, if the IS-IS routing database is out of memory and cannot accept new LSPs, the system sets the overload bit and IS-IS traffic continues to transit the system. To set or remove the overload bit manually, use the following commands. • Set the overload bit in LSPs.
  – interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
• View IS-IS SNP packets, including CSNPs and PSNPs.
  EXEC Privilege mode
  debug isis snp-packets [interface]
  To view specific information, enter the following optional parameter:
  – interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
• View the events that triggered IS-IS shortest path first (SPF) events for debugging purposes.
Metric Style        Correct Value Range for the isis metric Command
narrow              0 to 63
wide transition     0 to 16777215
narrow transition   0 to 63
transition          0 to 63

Maximum Values in the Routing Table
IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000.

Change the IS-IS Metric Style in One Level Only
By default, the IS-IS metric style is narrow.
Beginning Metric Style   Final Metric Style   Resulting IS-IS Metric Value
narrow transition        narrow               original value
narrow transition        wide transition      original value
narrow transition        transition           original value
wide transition          wide                 original value
wide transition          narrow               default value (10) if the original value is greater than 63. A message is sent to the console.
wide transition          narrow transition    default value (10) if the original value is greater than 63. A message is sent to the console.
Level-1 Metric Style   Level-2 Metric Style   Resulting Metric Value
wide                   transition             truncated value
narrow transition      wide                   original value
narrow transition      narrow                 original value
narrow transition      wide transition        original value
narrow transition      transition             original value
transition             wide                   original value
transition             narrow                 original value
transition             wide transition        original value
transition             narrow transition      original value
wide transition        wide                   original value
wide transition        narrow
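The range and style-change rules in the tables above, as an added Python example (not Dell code): validate_metric rejects a metric outside the configured style's range, metric_after_style_change applies the rule that a value outside the new style's range reverts to the default of 10 with a console message, and route_cost_fits checks a path cost against the routing-table limits (1023 for narrow, 0xFE000000 otherwise). The Level-1/Level-2 mismatch table is not modelled.

```python
"""Added example, not Dell code: the isis metric range rules and the
metric-style change rule from the guide's tables, written out as functions.
The level-1/level-2 mismatch table is not modelled."""

DEFAULT_METRIC = 10

# isis metric ranges per style (from the guide)
METRIC_RANGE = {
    "narrow": (0, 63),
    "narrow-transition": (0, 63),
    "transition": (0, 63),
    "wide": (0, 16777215),
    "wide-transition": (0, 16777215),
}

# maximum route cost the routing table supports per style (from the guide)
ROUTE_COST_MAX = {style: (1023 if style == "narrow" else 0xFE000000)
                  for style in METRIC_RANGE}


def validate_metric(style, value):
    """Reject an isis metric outside the range the style supports."""
    lo, hi = METRIC_RANGE[style]
    if not lo <= value <= hi:
        raise ValueError("isis metric %d out of range %d-%d for %s" % (value, lo, hi, style))
    return value


def metric_after_style_change(begin_style, final_style, value, console=None):
    """Resulting metric when metric-style changes from begin_style to final_style:
    a value the new style cannot carry reverts to the default and a console
    message is emitted; otherwise the original value is kept."""
    validate_metric(begin_style, value)
    _, hi = METRIC_RANGE[final_style]
    if value > hi:
        if console is not None:
            console.append("metric %d exceeds %s range; using default %d"
                           % (value, final_style, DEFAULT_METRIC))
        return DEFAULT_METRIC
    return value


def route_cost_fits(style, cost):
    """Whether a cumulative path cost fits in the routing table for the style."""
    return 0 <= cost <= ROUTE_COST_MAX[style]


if __name__ == "__main__":
    log = []
    print(metric_after_style_change("wide-transition", "narrow", 1000, log), log)
```

Running the check before changing metric-style on a production router tells you in advance which interfaces will silently fall back to the default metric, which changes SPF results.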
Figure 58. IPv6 IS-IS Sample Topography
IS-IS Sample Configuration — Router 1
IS-IS Sample Configuration — Router 2
IS-IS Sample Configuration — Router 3
The following is a sample configuration for enabling IPv6 IS-IS.
R1(conf)#interface Loopback 0
R1(conf-if-lo-0)#ip address 192.168.1.1/24
R1(conf-if-lo-0)#ipv6 address 2001:db8:9999:1::/48
R1(conf-if-lo-0)#ip router isis 9999
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#router isis 9999
R1(conf-router_isis)#is-type level-1
R1(conf-router_isis)#net FF.
       L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default,
       > - non-active route, + - summary route
Gateway of last resort is not set
  Destination        Gateway                  Dist/Metric  Last Change
  -----------        -------                  -----------  -----------
C 10.0.12.0/24       Direct, Gi 1/21          0/0          00:00:57
C 192.168.1.0/24     Direct, Lo 0             0/0          00:04:19
S 192.168.1.2/32     via 10.0.12.2, Gi 1/21   1/0          00:00:57
R1#show isis data
IS-IS Level-1 Link State Database
LSPID        LSP Seq Num   LSP Checksum   LSP Holdtime   ATT/P/OL
R1.00-00   * 0x0000000F    0x3A6C         1176           0/0/0
R1.
C 10.0.23.0/24       Direct, Gi 2/31          0/0   00:01:53
C 10.10.92.0/24      Direct, Po 4             0/0   6d9h
C 172.21.212.0/24    Direct, Vl 212           0/0   2d20h
C 192.168.1.0/24     Direct, Lo 0             0/0   01:11:48
S 192.168.1.1/32     via 10.0.12.1, Gi 2/11   1/0   00:00:51
S 192.168.1.3/32     via 10.0.23.3, Gi 2/31   1/0   00:00:39
R2#show isis data
IS-IS Level-1 Link State Database
LSPID        LSP Seq Num   LSP Checksum   LSP Holdtime   ATT/P/OL
R2.
R2.00-00   * 0x00000007    0x51F6         1198           0/0/0
R2.03-00   * 0x00000001    0x5A9C         1200           0/0/0
IS-IS Level-2 Link State Database
LSPID        LSP Seq Num   LSP Checksum   LSP Holdtime   ATT/P/OL
R3.00-00   * 0x00000008    0xC09C         1199           0/0/0
R3#show isis neigh
System Id   Interface   State   Type   Priority   Uptime     Circuit Id
R1          Gi 3/14     Init    L1     64         00:00:02   R1.03
R2          Gi 3/21     Up      L1     64         00:00:14   A101.
28 Link Aggregation Control Protocol (LACP) Link aggregation control protocol (LACP) is supported on the MXL switch platform. Introduction to Dynamic LAGs and LACP A link aggregation group (LAG), referred to as a port channel, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. The benefits and constraints are basically the same, as described in Port Channel Interfaces in the Interfaces chapter.
• You can configure a maximum of 128 port-channels with up to 16 members per channel.

LACP Modes
The Dell Networking OS provides three modes for configuration of LACP — Off, Active, and Passive.
• Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state.
• Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state.
LACP Configuration Tasks
The following are LACP configuration tasks.
• Creating a LAG
• Configuring the LAG Interfaces as Dynamic
• Setting the LACP Long Timeout
• Monitoring and Debugging LACP
• Configuring Shared LAG State Tracking

Creating a LAG
To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces.
• Create a dynamic port channel (LAG).
  CONFIGURATION mode
  interface port-channel
Dell(conf-if-gi-4/15)#no shutdown
Dell(conf-if-gi-4/15)#port-channel-protocol lacp
Dell(conf-if-gi-4/15-lacp)#port-channel 32 mode active
...
Dell(conf)#interface Gigabitethernet 4/16
Dell(conf-if-gi-4/16)#no shutdown
Dell(conf-if-gi-4/16)#port-channel-protocol lacp
Dell(conf-if-gi-4/16-lacp)#port-channel 32 mode active
The port-channel 32 mode active command shown here may be successfully issued as long as there is no existing static channel-member configuration in LAG 32.
Shared LAG State Tracking Shared LAG state tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG. As shown in the following illustration, the line-rate traffic from R1 destined for R4 follows the lowest-cost route via R2. Traffic is equally distributed between LAGs 1 and 2.
Dell#show running-config po-failover-group
!
port-channel failover-group
 group 1 port-channel 1 port-channel 2
As shown in the following illustration, LAGs 1 and 2 are members of a failover group. LAG 1 fails and LAG 2 is brought down after the failure. This effect is logged by Message 1, in which a console message declares both LAGs down at the same time.
Figure 60.
LACP Basic Configuration Example The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names. Figure 61. LACP Basic Configuration Example Configure a LAG on ALPHA The following example creates a LAG on ALPHA.
Input statistics:
     132 packets, 163668 bytes
     0 Vlans
     0 64-byte pkts, 12 over 64-byte pkts, 120 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     132 Multicasts, 0 Broadcasts
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics
     136 packets, 16718 bytes, 0 underruns
     0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     136 Multicasts, 0 Broadcasts, 0 Unicasts
     0 Vlans, 0 throttle
Figure 63.
Figure 64.
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int gig 3/21
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-gi-3/21)#port-channel-protocol lacp
Bravo(conf-if-gi-3/21-lacp)#port-channel 10 mode active
Bravo(conf-if-gi-3/21-lacp)#no shut
Bravo(conf-if-gi-3/21)#end
!
interface GigabitEthernet 3/21
 no ip address
!
port-channel-
Figure 65.
Figure 66.
Figure 67. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
29 Layer 2
Layer 2 features are supported on the MXL switch platform.
Manage the MAC Address Table
The Dell Networking OS provides the following management activities for the MAC address table.
• Clearing the MAC Address Table
• Setting the Aging Time for Dynamic Entries
• Configuring a Static MAC Address
• Displaying the MAC Address Table
Clearing the MAC Address Table
You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
Configuring mac-address-table station-move time-interval 500 solves this limitation. Reducing the scanning interval to the minimum (500 milliseconds) increases the detection speed, so the system clears entries closer to the desired aging time.
Configuring a Static MAC Address
A static entry is one that is not subject to aging; static entries are entered manually. To create a static MAC address entry, use the following command.
• Create a static MAC address entry in the MAC address table.
Setting the MAC Learning Limit
To set a MAC learning limit on an interface, use the following command.
• Specify the number of MAC addresses that the system can learn off a Layer 2 interface.
  INTERFACE mode
  mac learning-limit address_limit
Three options are available with the mac learning-limit command:
NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations.
• Shut down the first port to learn the MAC address.
  INTERFACE mode
  station-move-violation shutdown-original
• Shut down the second port to learn the MAC address.
  INTERFACE mode
  station-move-violation shutdown-offending
• Shut down both the first and second port to learn the MAC address.
  INTERFACE mode
  station-move-violation shutdown-both
• Display a list of all of the interfaces configured with MAC learning limit or station move violation.
Figure 68. Redundant NICs with NIC Teaming When you use NIC teaming, consider that the server MAC address is originally learned on Port 0/1 of the switch (shown in the following) and Port 0/5 is the failover port. When the NIC fails, the system automatically sends an ARP request for the gateway or host NIC to resolve the ARP and refresh the egress interface.
Figure 69. Configuring the mac-address-table station-move refresh-arp Command MAC Move Optimization MAC move optimization is supported only on the E-Series platform. Station-move detection takes 5000ms because this is the interval at which the detection algorithm runs. The threshold option is the number of times a station move must be detected in a single interval in order to trigger a system log message.
30 Link Layer Discovery Protocol (LLDP) The link layer discovery protocol (LLDP) is supported on the MXL switch platform. 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Type  TLV           Description
2     Port ID       An administratively assigned name that identifies a port through which TLVs are sent and received.
3     Time to Live  A value that tells the receiving agent how long the information contained in the TLV Value field is valid.
—     Optional      Includes sub-types of TLVs that advertise specific configuration information. These sub-types are Management TLVs, IEEE 802.1, IEEE 802.3, and TIA-1057 Organizationally Specific TLVs.
Figure 71.
IEEE Organizationally Specific TLVs
Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs.
Table 33. Optional TLV Types
Type  TLV               Description
4     Port description  A user-defined alphanumeric string that describes the port. The Dell Networking OS does not currently support this TLV.
Type  TLV                 Description
                          ...via MDI TLV not be implemented, and therefore Dell Networking implements the Extended Power via MDI TLV only.
127   Link Aggregation    Indicates whether the link is capable of being aggregated, whether it is currently in a LAG, and the port identification of the LAG. The Dell Networking OS does not currently support this TLV.
127   Maximum Frame Size  Indicates the maximum frame size capability of the MAC and PHY.
Type  SubType  TLV                        Description
                                          • LLDP device class
127   2        Network Policy             Indicates the application type, VLAN ID, Layer 2 Priority, and DSCP value.
127   3        Location Identification    Indicates the physical location of the device, expressed in one of three possible formats.
127   4        Inventory Management TLVs  Implementation of this set of TLVs is optional in LLDP-MED devices. None or all TLVs must be supported. The Dell Networking OS does not currently support these TLVs.
When you enable LLDP-MED in Dell Networking OS (using the advertise med command), the system begins transmitting this TLV.
Figure 73. LLDP-MED Capabilities TLV
Table 35. Dell Networking OS LLDP-MED Capabilities
Bit Position  TLV                         Dell Networking OS Support
0             LLDP-MED Capabilities       Yes
1             Network Policy              Yes
2             Location Identification     Yes
3             Extended Power via MDI-PSE  Yes
4             Extended Power via MDI-PD   No
5             Inventory                   No
6–15          reserved                    No
Table 36.
Table 37. Network Policy Applications Type Application Description 0 Reserved — 1 Voice Specify this application type for dedicated IP telephony handsets and other appliances supporting interactive voice services. 2 Voice Signaling Specify this application type only if voice control packets use a separate network policy than voice data.
Figure 75. Extended Power via MDI TLV
Configure LLDP
Configuring LLDP is a two-step process.
1. Enable LLDP globally.
2. Advertise TLVs out of an interface.
Related Configuration Tasks
• Viewing the LLDP Configuration
• Viewing Information Advertised by Adjacent LLDP Agents
• Configuring LLDPDU Intervals
• Configuring Transmit and Receive Mode
• Configuring a Time to Live
• Debugging LLDP
Important Points to Remember
• LLDP is enabled by default.
iscsi       Configure priority bits for ISCSI traffic
mode        LLDP mode configuration (default = rx and tx)
multiplier  LLDP multiplier configuration
no          Negate a command or set its defaults
show        Show LLDP configuration
R1(conf-lldp)#exit
R1(conf)#interface tengigabitethernet 1/31
R1(conf-if-te-1/31)#protocol lldp
R1(conf-if-te-1/31-lldp)#?
advertise   Advertise TLVs
dcbx        Configure Dcbx Parameters
disable     Disable LLDP protocol on this interface
end         Exit from configuration mode
exit        Exit from LLDP configuration mode
hell
   protocol lldp
2. Advertise one or more TLVs.
   PROTOCOL LLDP mode
   advertise {management-tlv | dot1-tlv | dot3-tlv | med | dcbx-appln-tlv | dcbx-tlv | interface-port-desc}
   Include the keyword for each TLV you want to advertise.
   • For management TLVs: system-capabilities, system-description.
   • For 802.1 TLVs: port-protocol-vlan-id, port-vlan-id.
   • For 802.3 TLVs: max-frame-size.
Example of Viewing LLDP Global Configurations
Example of Viewing LLDP Interface Configurations
R1(conf)#protocol lldp
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 hello 10
 no disable
R1(conf-lldp)#
R1(conf-lldp)#exit
R1(conf)#interface gigabitethernet 1/31
R1(conf-if-gi-1/31)#show config
!
interface GigabitEthernet 1/31
 no ip address
 switchport
 no shutdown
R1(c
Remote Chassis ID Subtype: Mac address (4)
Remote Chassis ID: 00:00:c9:b1:3b:82
Remote Port Subtype: Mac address (3)
Remote Port ID: 00:00:c9:b1:3b:82
Local Port ID: TenGigabitEthernet 0/2
Locally assigned remote Neighbor Index: 7
Remote TTL: 120
Information valid for next 105 seconds
Time since last information change of this neighbor: 1d21h56m
Remote System Desc: Emulex OneConnect 10Gb Multi function Adapter
Existing System Capabilities: Station only
Enabled System Capabilities: Station only
-------------
 no disable
R1(conf-lldp)#no mode
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#
Configuring Transmit and Receive Mode
After you enable LLDP, Dell Networking systems transmit and receive LLDPDUs by default. To configure the system to transmit or receive only and return to the default, use the following commands.
• Transmit only.
Configuring a Time to Live
The information received from a neighbor expires after a specific amount of time (measured in seconds) called a time to live (TTL). The TTL is the product of the LLDPDU transmit interval (hello) and an integer called a multiplier. The default multiplier is 4, which results in a default TTL of 120 seconds.
• Adjust the TTL value.
  CONFIGURATION mode or INTERFACE mode
  multiplier
• Return to the default multiplier value.
  CONFIGURATION mode or INTERFACE mode
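The TLV layout from Table 32 (Chassis ID, Port ID, Time to Live, then optional TLVs) and the TTL rule above can be exercised offline. The following Python is an added example, not code from the Dell guide: it builds a constructed LLDPDU carrying the neighbor values shown in the show lldp neighbors detail output above, parses it the way a defensive inventory collector would (every length field checked against the remaining bytes, mandatory TLVs required), and derives the TTL from hello and multiplier.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# IEEE 802.1AB TLV type codes: End, the three mandatory TLVs, System Description.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYS_DESC = 0, 1, 2, 3, 6

# ID subtype codes as printed in the show lldp neighbors detail output above.
CHASSIS_SUBTYPE_MAC = 4
PORT_SUBTYPE_MAC = 3
SUBTYPE_NAMES = {
    TLV_CHASSIS_ID: {CHASSIS_SUBTYPE_MAC: "Mac address"},
    TLV_PORT_ID: {PORT_SUBTYPE_MAC: "Mac address", 5: "Interface name"},
}


@dataclass
class Tlv:
    type: int
    value: bytes


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """One TLV: a 16-bit header of 7-bit type and 9-bit length, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data: bytes) -> List[Tlv]:
    """Walk the TLV list up to the End-of-LLDPDU TLV.

    Each length field is checked against the bytes that remain, so a truncated
    or malformed frame raises ValueError instead of being read past its end.
    """
    tlvs, pos = [], 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("!H", data, pos)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if pos + length > len(data):
            raise ValueError(f"TLV type {tlv_type}: length {length} overruns frame")
        if tlv_type == TLV_END:
            if length != 0:
                raise ValueError("End-of-LLDPDU TLV must have length 0")
            return tlvs
        tlvs.append(Tlv(tlv_type, data[pos:pos + length]))
        pos += length
    raise ValueError("frame ends without an End-of-LLDPDU TLV")


def is_well_formed(data: bytes) -> bool:
    try:
        parse_lldpdu(data)
        return True
    except ValueError:
        return False


def _decode_id(tlv_type: int, raw: bytes, mac_subtype: int):
    """Split an ID TLV value into its subtype byte and identifier text."""
    if len(raw) < 2:
        raise ValueError("ID TLV too short")
    subtype, ident = raw[0], raw[1:]
    name = SUBTYPE_NAMES[tlv_type].get(subtype, "Unknown")
    if subtype == mac_subtype and len(ident) == 6:
        text = ":".join(f"{b:02x}" for b in ident)
    else:
        text = ident.decode("ascii", errors="replace")
    return f"{name} ({subtype})", text


def neighbor_summary(tlvs: List[Tlv]) -> Dict[str, object]:
    """Decode the mandatory TLVs into the fields the show command prints."""
    by_type = {t.type: t.value for t in tlvs}
    for mandatory in (TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL):
        if mandatory not in by_type:
            raise ValueError(f"mandatory TLV type {mandatory} missing")
    if len(by_type[TLV_TTL]) != 2:
        raise ValueError("TTL TLV must carry a 16-bit seconds value")
    chassis_sub, chassis = _decode_id(TLV_CHASSIS_ID, by_type[TLV_CHASSIS_ID], CHASSIS_SUBTYPE_MAC)
    port_sub, port = _decode_id(TLV_PORT_ID, by_type[TLV_PORT_ID], PORT_SUBTYPE_MAC)
    return {
        "chassis_id_subtype": chassis_sub,
        "chassis_id": chassis,
        "port_id_subtype": port_sub,
        "port_id": port,
        "ttl": struct.unpack("!H", by_type[TLV_TTL])[0],
        "system_description": by_type.get(TLV_SYS_DESC, b"").decode("ascii", errors="replace"),
    }


def ttl_seconds(hello: int, multiplier: int = 4) -> int:
    """TTL advertised in the TTL TLV: hello interval times the multiplier."""
    return hello * multiplier


# Constructed LLDPDU using the neighbor values shown in the output above.
SAMPLE_LLDPDU = (
    encode_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("0000c9b13b82"))
    + encode_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_MAC]) + bytes.fromhex("0000c9b13b82"))
    + encode_tlv(TLV_TTL, struct.pack("!H", ttl_seconds(30)))
    + encode_tlv(TLV_SYS_DESC, b"Emulex OneConnect 10Gb Multi function Adapter")
    + encode_tlv(TLV_END, b"")
)

if __name__ == "__main__":
    for key, val in neighbor_summary(parse_lldpdu(SAMPLE_LLDPDU)).items():
        print(f"{key}: {val}")
```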
Figure 77. The debug lldp detail Command — LLDPDU Packet Dissection
Relevant Management Objects
Dell Networking OS supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with:
• received and transmitted TLVs
• the LLDP configuration on the local agent
• IEEE 802.1AB Organizationally Specific TLVs
• received and transmitted LLDP-MED TLVs
Table 38.
MIB Object Category  LLDP Variable                LLDP MIB Object              Description
                     mibMgmtAddrInstanceTxEnable  lldpManAddrPortsTxEnable     The management addresses defined for the system and the ports through which they are enabled for transmission.
LLDP Statistics      statsAgeoutsTotal            lldpStatsRxPortAgeoutsTotal  Total number of times that a neighbor's information is deleted on the local system due to an rxInfoTTL timer expiration.
TLV Type  TLV Name  TLV Variable                 System  LLDP MIB Object
                                                 Remote  lldpRemSysCapEnabled
                    management address length    Local   lldpLocManAddrLen
                                                 Remote  lldpRemManAddrLen
                    management address subtype   Local   lldpLocManAddrSubtype
                                                 Remote  lldpRemManAddrSubtype
                    management address           Local   lldpLocManAddr
                                                 Remote  lldpRemManAddr
                    interface numbering subtype  Local   lldpLocManAddrIfSubtype
                                                 Remote  lldpRemManAddrIfSubtype
                    interface number             Local   lldpLocManAddrIfId
                                                 Remote  lldpRemManAddrIfId
                    OID                          Local   lldpLoc
Table 41.
TLV Sub-Type  TLV Name                TLV Variable       System  LLDP-MED MIB Object
4             Extended Power via MDI  Power Device Type  Local   lldpXMedLocXPoEDeviceType
                                                         Remote  lldpXMedRemXPoEDeviceType
                                      Power Source       Local   lldpXMedLocXPoEPSEPowerSource
                                                                 lldpXMedLocXPoEPDPowerSource
                                                         Remote  lldpXMedRemXPoEPSEPowerSource
                                                                 lldpXMedRemXPoEPDPowerSource
                                      Power Priority     Local   lldpXMedLocXPoEPDPowerPriority
                                                                 lldpXMedLocXPoEPSEPortPDPriority
                                                         Remote  lldpXMedRemXPoEPSEPowerPriority
                                                                 lldpXMedRemXPoEPDPowerPriority
                                      Power Value
31 Microsoft Network Load Balancing Network Load Balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems. NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
With multicast NLB mode, the data is forwarded to all the servers based on the port specified using the Layer 2 multicast command, which is the mac-address-table static multicast vlan output-range command in CONFIGURATION mode.
Limitations With Enabling NLB on Switches
The following limitations apply to switches on which you configure NLB:
• The NLB unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN.
resolved through ARP packets, which had the Ethernet MAC SA different from the MAC information inside the ARP packet. This unicast data traffic flooding occurs only for those packets that use these ARP entries.
  CONFIGURATION mode
  ip vlan-flooding
To enable a switch for multicast NLB mode of functioning, perform the following steps:
1.
32 Multicast Source Discovery Protocol (MSDP) Multicast source discovery protocol (MSDP) is supported on the MXL switch platform. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 78. Multicast Source Discovery Protocol (MSDP)
Each RP advertises every (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the "Entry Count" field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected.
Figure 79. MSDP SA Message Format
Anycast RP
Using MSDP, anycast RP provides load sharing and redundancy in PIM-SM networks. Anycast RP allows two or more rendezvous points (RPs) to share the load for source registration and to act as hot backup routers for each other. Anycast RP allows you to configure two or more RPs with the same IP address on Loopback interfaces. The Anycast RP Loopback address is configured with a 32-bit mask, making it a host address.
The MSDP sample configurations in this chapter show the PIM-SM configuration used with MSDP. Also, refer to PIM Sparse-Mode (PIM-SM).
3. Enable MSDP.
4. Peer the RPs in each routing domain with each other. Refer to Enabling MSDP.
Related Configuration Tasks
The following lists related MSDP configuration tasks.
Figure 80.
Figure 81.
Figure 82.
Figure 83. Configuring MSDP
Enabling MSDP
Enable MSDP by peering RPs in different administrative domains.
1. Enable MSDP.
   CONFIGURATION mode
   ip multicast-msdp
2. Peer PIM systems in different administrative domains.
Example of Configuring MSDP
Example of Viewing Peer Information
R3_E600(conf)#ip multicast-msdp
R3_E600(conf)#ip msdp peer 192.168.0.1 connect-source Loopback 0
R3_E600(conf)#do show ip msdp summary
Peer Addr    Local Addr   State        Source  SA  Up/Down   Description
192.168.0.1  192.168.0.3  Established  Lo 0    1   00:05:29
To view details about a peer, use the show ip msdp peer command in EXEC privilege mode. Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache).
To limit the number of sources that the SA cache stores, use the following command.
• Limit the number of sources that can be stored in the SA cache.
  EXEC Privilege mode
  show ip msdp sa-limit
If the total number of active sources is already larger than the limit when limiting is applied, the sources that are already in the system are not discarded. To enforce the limit in such a situation, use the clear ip msdp sa-cache command to clear all existing entries.
Figure 84.
Figure 85.
Figure 86.
Figure 87. MSDP Default Peer, Scenario 4
Specifying Source-Active Messages
To specify messages, use the following command.
• Specify the forwarding peer and originating RP from which all active sources are accepted without regard for the RPF check.
  CONFIGURATION mode
  ip msdp default-peer ip-address list
If you do not specify an access list, the system accepts all sources that the peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
GroupAddr    SourceAddr  RPAddr      LearnedFrom  Expire  UpTime
229.0.50.2   24.0.50.2   200.0.0.50  10.0.50.2    73      00:13:49
229.0.50.3   24.0.50.3   200.0.0.50  10.0.50.2    73      00:13:49
229.0.50.4   24.0.50.4   200.0.0.50  10.0.50.2    73      00:13:49
Dell#ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime    GroupAddr    SourceAddr  RPAddr      LearnedFrom
00:33:18  229.0.50.64  24.0.50.64  200.0.1.50  10.0.50.2
00:33:18  229.0.50.65  24.0.50.65  200.0.1.50  10.
00:33:18  229.0.50.66  24.0.50.66  200.0.1.50
 seq 10 deny ip any any
R1_E600(conf)#do show ip msdp sa-cache
R1_E600(conf)#do show ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
1 rejected SAs received, cache-size 1000
UpTime    GroupAddr  SourceAddr  RPAddr       LearnedFrom  Reason
00:02:20  239.0.0.1  10.11.4.2   192.168.0.1  local        Redistribute
Preventing MSDP from Caching a Remote Source
To prevent MSDP from caching a remote source, use the following commands.
1. OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
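The SA message format (Figure 79: Type, Length, Entry Count, RP address, then one 12-byte entry per (S,G), as laid out in RFC 3618), the sa-limit behaviour described above (a limit applied later does not discard entries already cached until the cache is cleared) and the rejected-SA cache can be modelled together. The following Python is an added example, not code from the Dell guide; the SaCache class and its reason labels are constructed for illustration, and the addresses come from the show output above.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Set, Tuple

MSDP_SA_TYPE = 1                      # RFC 3618 TLV type for Source-Active
SA_HEADER = struct.Struct("!BHB4s")   # Type, Length, Entry Count, RP Address
SA_ENTRY = struct.Struct("!3xB4s4s")  # Reserved, Sprefix Len, Group, Source

SG = Tuple[str, str]  # (source, group)


def encode_sa(rp: str, pairs: List[SG]) -> bytes:
    """Constructed SA message: 8-byte header plus one 12-byte entry per (S,G)."""
    body = b"".join(
        SA_ENTRY.pack(32, ipaddress.IPv4Address(g).packed, ipaddress.IPv4Address(s).packed)
        for s, g in pairs
    )
    header = SA_HEADER.pack(MSDP_SA_TYPE, SA_HEADER.size + len(body), len(pairs),
                            ipaddress.IPv4Address(rp).packed)
    return header + body


def decode_sa(msg: bytes) -> Tuple[str, List[SG]]:
    """Return (originating RP, [(source, group), ...]).

    Entry Count is checked against Length and the buffer before any entry is
    read, so a message that claims more entries than it carries is rejected.
    """
    if len(msg) < SA_HEADER.size:
        raise ValueError("SA message shorter than its header")
    mtype, length, count, rp = SA_HEADER.unpack_from(msg, 0)
    if mtype != MSDP_SA_TYPE:
        raise ValueError(f"not an SA message (type {mtype})")
    if length > len(msg) or SA_HEADER.size + count * SA_ENTRY.size > length:
        raise ValueError("Entry Count inconsistent with Length")
    entries: List[SG] = []
    for i in range(count):
        plen, group, source = SA_ENTRY.unpack_from(msg, SA_HEADER.size + i * SA_ENTRY.size)
        if plen != 32:
            raise ValueError("Sprefix Len must be 32 for an SA entry")
        entries.append((str(ipaddress.IPv4Address(source)), str(ipaddress.IPv4Address(group))))
    return str(ipaddress.IPv4Address(rp)), entries


def sa_is_valid(msg: bytes) -> bool:
    try:
        decode_sa(msg)
        return True
    except ValueError:
        return False


class SaCache:
    """Simplified model of the SA cache decisions described on this page.

    Reason strings are constructed labels, not the exact text the OS prints.
    """

    def __init__(self, sa_limit: Optional[int] = None, in_filter: Optional[Set[SG]] = None):
        self.sa_limit = sa_limit                 # ip msdp sa-limit (None = unlimited)
        self.in_filter = in_filter or set()      # (S,G) pairs the input sa-filter denies
        self.accepted: Dict[SG, Dict[str, str]] = {}
        self.rejected: List[Dict[str, str]] = []

    def set_sa_limit(self, limit: Optional[int]) -> None:
        """A limit applied later never discards entries already cached."""
        self.sa_limit = limit

    def clear(self) -> None:
        """clear ip msdp sa-cache: drop every entry so the limit is re-applied."""
        self.accepted.clear()

    def learn(self, msg: bytes, learned_from: str) -> Tuple[int, int]:
        """Process one SA message; return (newly accepted, rejected) counts."""
        rp, entries = decode_sa(msg)
        added = rejected = 0
        for sg in entries:
            if sg in self.accepted:               # refresh; never counts against the limit
                self.accepted[sg]["rp"] = rp
            elif sg in self.in_filter:
                self._reject(sg, rp, learned_from, "sa-filter")
                rejected += 1
            elif self.sa_limit is not None and len(self.accepted) >= self.sa_limit:
                self._reject(sg, rp, learned_from, "sa-limit")
                rejected += 1
            else:
                self.accepted[sg] = {"rp": rp, "learned_from": learned_from}
                added += 1
        return added, rejected

    def _reject(self, sg: SG, rp: str, learned_from: str, reason: str) -> None:
        self.rejected.append({"source": sg[0], "group": sg[1], "rp": rp,
                              "learned_from": learned_from, "reason": reason})


# Constructed messages using addresses from the show output above.
REMOTE_SA = encode_sa("200.0.0.50", [("24.0.50.2", "229.0.50.2"),
                                      ("24.0.50.3", "229.0.50.3"),
                                      ("24.0.50.4", "229.0.50.4")])
FILTERED_SA = encode_sa("192.168.0.1", [("10.11.4.2", "239.0.0.1")])
```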
Example of Verifying the System is not Advertising Local Sources
In the following example, R1 stops advertising source 10.11.4.2. Because it is already in the SA cache of R3, the entry remains there until it expires.
[Router 1]
R1_E600(conf)#do show run msdp
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 0
ip msdp sa-filter out 192.168.0.3 list mylocalfilter
R1_E600(conf)#do show run acl
!
ip access-list extended mylocalfilter
 seq 5 deny ip host 239.0.0.1 host 10.11.4.
SAs learned from this peer: 0
SA Filtering:
  Input (S,G) filter: myremotefilter
  Output (S,G) filter: none
[Router 1]
R1_E600(conf)#do show ip msdp peer
Peer Addr: 192.168.0.3
  Local Addr: 0.0.0.0(0) Connect Source: Lo 0
  State: Inactive Up/Down Time: 00:00:03
  Timers: KeepAlive 30 sec, Hold time 75 sec
  SourceActive packet count (in/out): 0/0
  SAs learned from this peer: 0
  SA Filtering:
Clearing Peer Statistics
To clear the peer statistics, use the following command.
03:16:09 : MSDP-0: Peer 192.168.0.3,
03:16:27 : MSDP-0: Peer 192.168.0.3,
03:16:38 : MSDP-0: Peer 192.168.0.3,
03:16:39 : MSDP-0: Peer 192.168.0.3,
03:17:09 : MSDP-0: Peer 192.168.0.3,
03:17:10 : MSDP-0: Peer 192.168.0.3,
03:17:27 : MSDP-0: Peer 192.168.0.
Figure 88. MSDP with Anycast RP
Configuring Anycast RP
To configure anycast RP, use the following commands.
1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address.
   CONFIGURATION mode
   interface loopback
2. Make this address the RP for the group.
   CONFIGURATION mode
   ip pim rp-address
3.
   CONFIGURATION mode
   ip msdp peer
5. Advertise the network of each of the unique Loopback addresses throughout the network.
   ROUTER OSPF mode
   network
Reducing Source-Active Message Flooding
RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RPF rule. You can prevent this unnecessary flooding by creating a mesh group.
!
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 10.11.3.0/24 area 0
 network 192.168.0.11/32 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 1
ip msdp peer 192.168.0.22 connect-source Loopback 1
ip msdp mesh-group AS100 192.168.0.22
ip msdp originator-id Loopback 1
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
ip multicast-routing
!
interface GigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.
 ip pim sparse-mode
 ip address 10.11.0.32/24
 no shutdown
interface GigabitEthernet 3/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.22 remote-as 100
 neighbor 192.168.0.22 ebgp-multihop 255
 neighbor 192.168.0.
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 192.168.0.1/32 area 0
 network 10.11.3.0/24 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 0
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
ip multicast-routing
!
interface GigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface GigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.
 ip address 10.11.80.3/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.2 remote-as 100
 neighbor 192.168.0.2 ebgp-multihop 255
 neighbor 192.168.0.2 update-source Loopback 0
 neighbor 192.168.0.2 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.
33 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). Protocol Overview MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. In contrast, PVST+ allows a spanning tree instance for each VLAN.
Spanning Tree Variations
The Dell Networking operating system (OS) supports four variations of spanning tree, as shown in the following table.
Table 42. Spanning Tree Variations
Dell Networking Term                    IEEE Specification
Spanning Tree Protocol (STP)            802.1d
Rapid Spanning Tree Protocol (RSTP)     802.1w
Multiple Spanning Tree Protocol (MSTP)  802.1s
Per-VLAN Spanning Tree Plus (PVST+)     Third Party
Implementation Information
The following describes the MSTP implementation information.
Enable Multiple Spanning Tree Globally
MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of MSTI 0.
• Within an MSTI, only one path from any bridge to any other bridge is enabled.
• Bridges block a redundant path by disabling one of the link ports.
1. Enter PROTOCOL MSTP mode.
   CONFIGURATION mode
   protocol spanning-tree mstp
2.
To view the forwarding/discarding state of the ports participating in an MSTI, use the show spanning-tree msti command from EXEC Privilege mode.
Dell#show spanning-tree msti 1
MSTI 1 VLANs mapped 100
Root Identifier has priority 32768, Address 0001.e806.953e
Root Bridge hello time 2, max age 20, forward delay 15, max hops 19
Bridge Identifier has priority 32768, Address 0001.e80d.b6d6
Configured hello time 2, max age 20, forward delay 15, max hops 20
Current root has priority 32768, Address 0001.e806.
Interoperate with Non-Dell Networking OS Bridges The Dell Networking OS supports only one MSTP region. A region is a combination of three unique qualities: • Name is a mnemonic string you assign to the region. The default region name is null. • Revision is a 2-byte number. The default revision number is 0. • VLAN-to-instance mapping is the placement of a VLAN in an MSTI. For a bridge to be in the same MSTP region as another, all three of these qualities must match exactly.
• Max-hops — the maximum number of hops a BPDU can travel before a receiving switch discards it.
NOTE: Dell Networking recommends that only experienced network administrators change MSTP parameters. Poorly planned modification of MSTP parameters can negatively affect network performance.
To change the MSTP parameters, use the following commands on the root bridge.
1. Change the forward-delay parameter.
   PROTOCOL MSTP mode
   forward-delay seconds
   The range is from 4 to 30. The default is 15 seconds.
2.
Enable BPDU Filtering Globally
Enabling BPDU filtering globally stops the transmission of BPDUs on operational portfast-enabled ports by default. When BPDUs are received, the spanning tree is automatically prepared. By default, global BPDU filtering is disabled. Enable BPDU filtering globally to filter transmission of BPDUs on portfast-enabled interfaces.
PROTOCOL MSTP mode
edge-port bpdu filter default
Figure 90.
Port Cost                                             Default Value
Port Channel with two 40-Gigabit Ethernet interfaces  600
To change the port cost or priority of an interface, use the following commands.
1. Change the port cost of an interface.
   INTERFACE mode
   spanning-tree msti number cost cost
   The range is from 0 to 200000. For the default, refer to the default values shown in the table.
2. Change the port priority of an interface.
   INTERFACE mode
   spanning-tree msti number priority priority
   The range is from 0 to 240, in increments of 16.
* Disable spanning tree on the interface (using the no spanning-tree command in INTERFACE mode).
* Disable global spanning tree (using the no spanning-tree command in CONFIGURATION mode).
Example of Enabling an EdgePort on an Interface
To verify that EdgePort is enabled, use the show config command from INTERFACE mode.
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
interface Vlan 100
 no ip address
 tagged GigabitEthernet 2/11,31
 no shutdown
!
interface Vlan 200
 no ip address
 tagged GigabitEthernet 2/11,31
 no shutdown
!
interface Vlan 300
 no ip address
 tagged GigabitEthernet 2/11,31
 no shutdown
Router 3 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
To monitor and verify that the MSTP configuration is connected and communicating as desired, use the debug spanning-tree mstp bpdu command. Key items to look for in the debug report include:
• MSTP flags indicate communication received from the same region.
  – As shown in the following, the MSTP routers are located in the same region.
  – Does the debug log indicate that packets are coming from a "Different Region"? If so, one of the key parameters is not matching: the MSTP region name and revision.
CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0
Regional Bridge Id: 32768:0001.e806.953e, CIST Port Id: 128:470
Msg Age: 0, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver Name: Tahiti, Rev: 123, Int Root Path Cost: 0
Rem Hops: 20, Bridge Id: 32768:0001.e8d5.cbbd
4w0d4h : INST 1: Flags: 0x70, Reg Root: 32768:0001.e8d5.cbbd, Int Brg/Port Prio: 32768/128, Rem Hops: 20
INST 2: Flags: 0x70, Reg Root: 32768:0001.e8d5.
34 Multicast Features
Multicast features are supported on the MXL switch platform. The Dell Networking operating system (OS) supports the following multicast protocols:
• PIM Sparse-Mode (PIM-SM)
• PIM Source-Specific Mode (PIM-SSM)
• Internet Group Management Protocol (IGMP)
• Multicast Source Discovery Protocol (MSDP)
Enabling IP Multicast
Prior to enabling any multicast protocols, you must enable multicast routing.
• Enable multicast routing.
First Packet Forwarding for Lossless Multicast
Beginning with Dell Networking OS version 8.3.1.0, all initial multicast packets are forwarded to receivers to achieve lossless multicast. In previous versions, when the Dell Networking system is an RP, all initial packets are dropped until PIM creates an (S,G) entry.
• Limit the total number of multicast routes on the system.
  CONFIGURATION mode
  ip multicast-limit
  The range is from 1 to 50000. The default is 15000.
NOTE: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit may be superseded by this hardware space limitation.
Figure 92. Preventing a Host from Joining a Group
Table 44. Preventing a Host from Joining a Group — Description
Location  Description
1/21      Interface GigabitEthernet 1/21
          ip pim sparse-mode
          ip address 10.11.12.1/24
          no shutdown
1/31      Interface GigabitEthernet 1/31
          ip pim sparse-mode
          ip address 10.11.13.1/24
          no shutdown
2/1       Interface GigabitEthernet 2/1
          ip pim sparse-mode
          ip address 10.11.1.
Location  Description
          no shutdown
2/11      Interface GigabitEthernet 2/11
          ip pim sparse-mode
          ip address 10.11.12.2/24
          no shutdown
2/31      Interface GigabitEthernet 2/31
          ip pim sparse-mode
          ip address 10.11.23.1/24
          no shutdown
3/1       Interface GigabitEthernet 3/1
          ip pim sparse-mode
          ip address 10.11.5.1/24
          no shutdown
3/11      Interface GigabitEthernet 3/11
          ip pim sparse-mode
          ip address 10.11.13.
Preventing a PIM Router from Forming an Adjacency
To prevent a router from participating in PIM (for example, to configure stub multicast routing), use the following command.
• Prevent a router from participating in protocol independent multicast (PIM).
  INTERFACE mode
  ip pim neighbor-filter
Preventing a Source from Registering with the RP
To prevent the PIM source DR from sending register packets to the RP for the specified multicast source and group, use the following command.
Figure 93. Preventing a Source from Transmitting to a Group
Table 45. Preventing a Source from Transmitting to a Group — Description
Location  Description
1/21      Interface GigabitEthernet 1/21
          ip pim sparse-mode
          ip address 10.11.12.1/24
          no shutdown
1/31      Interface GigabitEthernet 1/31
          ip pim sparse-mode
          ip address 10.11.13.1/24
          no shutdown
2/1       Interface GigabitEthernet 2/1
          ip pim sparse-mode
          ip address 10.11.1.
Location  Description
          no shutdown
2/11      Interface GigabitEthernet 2/11
          ip pim sparse-mode
          ip address 10.11.12.2/24
          no shutdown
2/31      Interface GigabitEthernet 2/31
          ip pim sparse-mode
          ip address 10.11.23.1/24
          no shutdown
3/1       Interface GigabitEthernet 3/1
          ip pim sparse-mode
          ip address 10.11.5.1/24
          no shutdown
3/11      Interface GigabitEthernet 3/11
          ip pim sparse-mode
          ip address 10.11.13.
ip pim join-filter
35 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on the MXL switch platform. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell Networking operating system (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 94. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a non-backbone area and function as if they were direct links.
Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Figure 95. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone.
Internal Router (IR)
The internal router (IR) has adjacencies with ONLY routers in the same area, such as Routers E, M, and I in the previous example.
Designated and Backup Designated Routers
OSPF elects a designated router (DR) and a backup designated router (BDR). Among other things, the DR is responsible for generating LSAs for the entire multiaccess network. Designated routers allow a reduction in network traffic and in the size of the topological database.
• 1: point-to-point connection to another router/neighboring router.
• 2: connection to a transit network IP address of the DR.
• 3: connection to a stub network IP network/subnet number.
• 4: virtual link neighboring router ID.
LSA Throttling
LSA throttling provides configurable interval timers to improve OSPF convergence times.
Figure 96. Priority and Cost Examples OSPF with the Dell Networking OS The Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within that 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. The Dell Networking OS version 7.8.1.0 and later supports multiple OSPF processes (OSPF MP). The MXL switch supports up to 16 processes simultaneously. On OSPFv3, the system supports only one process at a time for all platforms.
• Grace LSA, OSPFv3 only (type 11)

Graceful Restart
Graceful restart for OSPFv2 and OSPFv3 is supported in Helper and Restart modes. When a router goes down without a graceful restart, there is a possibility of losing access to parts of the network due to ongoing network topology changes. Additionally, LSA flooding and reconvergence can cause substantial delays. It is therefore desirable that the network maintain a stable topology, where possible, so that data flow can continue uninterrupted.
Fast Convergence (OSPFv2, IPv4 Only)
Fast convergence allows you to define the speeds at which LSAs are originated and accepted, and reduce OSPFv2 end-to-end convergence time. The Dell Networking OS allows you to accept and originate LSAs as soon as they are available to speed up route information propagation.
NOTE: The faster the convergence, the more frequent the route calculations and updates. This impacts CPU utilization and may impact adjacency stability in larger topologies.
00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2 aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 1000
  LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.0 seq:0x8000000c
  LSType:Type-5 AS External id:160.1.2.0 adv:6.1.0.0 seq:0x8000000c
00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2 aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 100
  LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.0 seq:0x8000000c
  LSType:Type-5 AS External id:160.1.2.0 adv:6.1.0.
Dell(conf-if-te-2/2)#
In the following example, the dead interval is set at 4x the hello interval (shown in bold).
Dell (conf-if-te-2/2)#ip ospf dead-interval 20
Dell (conf-if-te-2/2)#do show ip os int tengig 1/3
TenGigabitEthernet 2/2 is up, line protocol is up
  Internet Address 20.0.0.1/24, Area 0
  Process ID 10, Router ID 1.1.1.2, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 1.1.1.2, Interface address 30.0.0.1
  Backup Designated Router (ID) 1.1.1.
Dell(conf)#router ospf 1
Dell(conf-router_ospf-1)#timer spf 2 5
Dell(conf-router_ospf-1)#
Dell(conf-router_ospf-1)#show config
!
router ospf 1
 timers spf 2 5
Dell(conf-router_ospf-1)#
Dell(conf-router_ospf-1)#end
Dell#
For a complete list of the OSPF commands, refer to the OSPF section in the Dell Networking OS Command Line Reference Guide document.

Enabling OSPFv2
To enable Layer 3 routing, assign an IP address to an interface (physical or Loopback).
  CONFIG-ROUTER-OSPF-id mode
  router-id ip address
• Disable OSPF.
  CONFIGURATION mode
  no router ospf process-id
• Reset the OSPFv2 process.
  EXEC Privilege mode
  clear ip ospf process-id
• View the current OSPFv2 status.
  EXEC mode
  show ip ospf process-id

Example of Viewing the Current OSPFv2 Status
Dell#show ip ospf 55555
Routing Process ospf 55555 with ID 10.10.10.
Assigning an OSPFv2 Area
After you enable OSPFv2, assign the interface to an OSPF area. Set up OSPF areas and enable OSPFv2 on an interface with the network command. You must have at least one AS area: Area 0. This is the backbone area. If your OSPF network contains more than one area, configure a backbone area (Area ID 0.0.0.0). Any area besides Area 0 can have any number assigned as its ID. The OSPFv2 process evaluates the network commands in the order they are configured.
OSPF, by default, sends hello packets out to all physical interfaces assigned an IP address that is a subset of a network on which OSPF is enabled. To view currently active interfaces and the areas assigned to them, use the show ip ospf interface command.
Dell>show ip ospf 1 interface
TenGigabitEthernet 12/17 is up, line protocol is up
  Internet Address 10.2.2.1/24, Area 0.0.0.0
  Process ID 1, Router ID 11.1.2.
   show ip ospf process-id database database-summary
2. Enter CONFIGURATION mode.
   EXEC Privilege mode
   configure
3. Enter ROUTER OSPF mode.
   CONFIGURATION mode
   router ospf process-id
   Process ID is the ID assigned when configuring OSPFv2 globally.
4. Configure the area as a stub area.
   CONFIG-ROUTER-OSPF-id mode
   area area-id stub [no-summary]
   Use the keywords no-summary to prevent transmission into the area of summary ASBR LSAs. Area ID is the number or IP address assigned when creating the area.
• arrival-time: set the interval between receiving the same LSA repeatedly, to allow sufficient time for the system to accept the LSA. The range is from 0 to 600,000 milliseconds.

Enabling Passive Interfaces
A passive interface is one that does not send or receive routing information. Enabling a passive interface suppresses routing updates on that interface.
Enabling Fast-Convergence
The fast-convergence CLI sets the minimum origination and arrival LSA parameters to zero (0), allowing rapid route calculation. When you disable fast-convergence, origination and arrival LSA parameters are set to 5 seconds and 1 second, respectively. Setting the convergence parameter (from 1 to 4) indicates the actual convergence level.
To change OSPFv2 parameters on the interfaces, use any or all of the following commands.
• Change the cost associated with OSPF traffic on the interface.
  CONFIG-INTERFACE mode
  ip ospf cost
  – cost: The range is from 1 to 65535 (the default depends on the interface speed).
• Change the time interval the router waits before declaring a neighbor dead.
  CONFIG-INTERFACE mode
  ip ospf dead-interval seconds
  – seconds: the range is from 1 to 65535 (the default is 40 seconds).
  – seconds: the range is from 1 to 65535 (the default is 1 second). The transmit delay must be the same on all routers in the OSPF network.

Example of Changing and Verifying the cost Parameter and Viewing Interface Status
To view interface configurations, use the show config command in CONFIGURATION INTERFACE mode. To view interface status in the OSPF process, use the show ip ospf interface command in EXEC mode. The bold lines in the example show the change on the interface.
• grace period — the length of time the graceful restart process can last before OSPF terminates it.
• helper-reject neighbors — the router ID of each restart router that does not receive assistance from the configured router.
• mode — the situation or situations that trigger a graceful restart.
• role — the role or roles the configured router can perform.
NOTE: By default, OSPFv2 graceful restart is disabled.
To enable and configure OSPFv2 graceful restart, use the following commands.
1.
 graceful-restart mode unplanned-only
 graceful-restart helper-reject 10.1.1.1
 graceful-restart helper-reject 20.1.1.1
 network 10.0.2.0/24 area 0
Dell#

Creating Filter Routes
To filter routes, use prefix lists. OSPF applies prefix lists to incoming or outgoing routes. Incoming routes must meet the conditions of the prefix lists. If they do not, OSPF does not add the route to the routing table. Configure the prefix list in CONFIGURATION PREFIX LIST mode prior to assigning it to the OSPF process.
  – metric metric-value: the range is from 0 to 4294967295.
  – metric-type metric-type: 1 for OSPF external route type 1; 2 for OSPF external route type 2.
  – route-map map-name: enter the name of a configured route map.
  – tag tag-value: the range is from 0 to 4294967295.

Example of Viewing OSPF Configuration after Redistributing Routes
To view the current OSPF configuration, use the show running-config ospf command in EXEC mode or the show config command in ROUTER OSPF mode.
  show ip ospf neighbor
• View the LSAs currently in the queue.
  EXEC Privilege mode
  show ip ospf timers rate-limit
• View debug messages.
  EXEC Privilege mode
  debug ip ospf process-id [event | packet | spf | database-timers rate-limit]
  To view debug messages for a specific OSPF process ID, use the debug ip ospf process-id command. If you do not enter a process ID, the command applies to the first OSPF process.
Figure 97. Basic Topology and CLI Commands for OSPFv2

OSPF Area 0 — Gl 1/1 and 1/2
router ospf 11111
 network 10.0.11.0/24 area 0
 network 10.0.12.0/24 area 0
 network 192.168.100.0/24 area 0
!
interface GigabitEthernet 1/1
 ip address 10.1.11.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown

OSPF Area 0 — Gl 3/1 and 3/2
router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.0/24 area 0
 network 10.
 ip address 192.168.100.20/24
 no shutdown
!
interface GigabitEthernet 2/1
 ip address 10.2.21.2/24
 no shutdown
!
interface GigabitEthernet 2/2
 ip address 10.2.22.2/24
 no shutdown

Configuration Task List for OSPFv3 (OSPF for IPv6)
The configuration options of OSPFv3 are the same as those for OSPFv2, but you may configure OSPFv3 with differently labeled commands. Specify process IDs and areas and include interfaces and addresses in the process. Define areas as stub or totally stubby.
Assigning IPv6 Addresses on an Interface
To assign IPv6 addresses to an interface, use the following commands.
1. Assign an IPv6 address to the interface.
   CONF-INT-type slot/port mode
   ipv6 address ipv6 address
   IPv6 addresses are normally written as eight groups of four hexadecimal digits; separate each group by a colon (:). The format is A:B:C::F/128.
2. Bring up the interface.
  CONFIGURATION mode
  no ipv6 router ospf process-id
• Reset the OSPFv3 process.
  EXEC Privilege mode
  clear ipv6 ospf process

Configuring Stub Areas
To configure IPv6 stub areas, use the following command.
• Configure the area as a stub area.
  CONF-IPV6-ROUTER-OSPF mode
  area area-id stub [no-summary]
  – no-summary: use these keywords to prevent transmission into the area of summary ASBR LSAs.
  – Area ID: a number or IP address assigned when creating the area.
  redistribute {bgp | connected | static} [metric metric-value | metric-type type-value] [route-map map-name] [tag tag-value]
  Configure the following required and optional parameters:
  – bgp | connected | static: enter one of the keywords to redistribute those routes.
  – metric metric-value: The range is from 0 to 4294967295.
  – metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2.
  – route-map map-name: enter the name of a configured route map.
• Specify the operating mode and type of events that trigger a graceful restart.
  CONF-IPV6-ROUTER-OSPF mode
  graceful-restart mode [planned-only | unplanned-only]
  – Planned-only: the OSPFv3 router supports graceful restart only for planned restarts. A planned restart is when you manually enter a redundancy force-failover rpm command to force the primary RPM over to the secondary RPM. During a planned restart, OSPFv3 sends out a Grace LSA before the system switches over to the secondary RPM.
Admin Status               1
Area Bdr Rtr Status        0
AS Bdr Rtr Status          1
AS Scope LSA Count         0
AS Scope LSA Cksum sum     0
Originate New LSAS         73
Rx New LSAS                114085
Ext LSA Count              0
Rte Max Eq Cost Paths      5
GR grace-period            180
GR mode                    planned and unplanned

Area 0 database summary
Type                        Count/Status
Brd Rtr Count               2
AS Bdr Rtr Count            2
LSA count                   12010
Summary LSAs                1
Rtr LSA Count               4
Net LSA Count               3
Inter Area Pfx LSA Count    12000
Inter Area Rtr LSA Count    0
Group Mem LSA Count         0
Dell#show ipv6 ospf database grace-lsa
!
Type-11 Grace
• ESP — encapsulating security payload encapsulates data, enabling the protection of data that follows in the datagram. ESP provides authentication and confidentiality of every packet. The ESP extension header is designed to provide a combination of security services for both IPv4 and IPv6. Insert the ESP header after the IP header and before the next layer protocol header in Transport mode.
  – Displaying OSPFv3 IPsec Security Policies

Configuring IPsec Authentication on an Interface
To configure, remove, or display IPsec authentication on an interface, use the following commands.
Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv2 (OSPF for IPv4)).
– esp encryption-algorithm: specifies the encryption algorithm used with ESP. The valid values are 3DES, DES, AESCBC, and NULL. For AES-CBC, only the AES-128 and AES-192 ciphers are supported. – key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information.
Configuring IPsec Encryption for an OSPFv3 Area To configure, remove, or display IPsec encryption in an OSPFv3 area, use the following commands. Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)). The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router.
  EXEC Privilege
  show crypto ipsec sa ipv6 [interface interface]
  To display information on the SAs used on a specific interface, enter interface interface, where interface is one of the following values:
  – For a Port Channel interface, enter the keywords port-channel number.
  – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
  – For a 40-Gigabit Ethernet interface, enter the keyword FortyGigabitEthernet then the slot/port information.
   in use settings : {Transport, }
   replay detection support : N
   STATUS : ACTIVE
 outbound ah sas
  spi : 500 (0x1f4)
   transform : ah-md5-hmac
   in use settings : {Transport, }
   replay detection support : N
   STATUS : ACTIVE
 inbound esp sas
 outbound esp sas
Interface: TenGigabitEthernet 0/1
 Link Local address: fe80::201:e8ff:fe40:4d11
 IPSecv6 policy name: OSPFv3-1-600
 inbound ah sas
 outbound ah sas
 inbound esp sas
  spi : 600 (0x258)
   transform : esp-des esp-sha1-hmac
   in use settings : {Transport, }
   replay detection suppor
Viewing Summary Information
To get general route, configuration, link status, and debug information, use the following commands.
• View the summary information of the IPv6 routes.
  EXEC Privilege mode
  show ipv6 route summary
• View the summary information for the OSPFv3 database.
  EXEC Privilege mode
  show ipv6 ospf database
• View the configuration of OSPFv3 neighbors.
  EXEC Privilege mode
  show ipv6 ospf neighbor
• View debug messages for all OSPFv3 interfaces.
36 Policy-based Routing (PBR)
Policy-based Routing is supported on the MXL platform.
This chapter covers the following topics:
• Overview
• Implementing Policy-based Routing with Dell Networking OS
• Configuration Task List for Policy-based Routing
• Sample Configuration

Overview
Policy-based Routing (PBR) enables you to make routing decisions based on policies applied to a specific interface.
To enable a PBR, you create a Redirect List. Redirect lists are defined by rules, or routing policies.
Ingress and egress Hot Lock PBR allow you to add or delete rules in an existing policy (already written into CAM) without disrupting traffic flow. Existing entries in CAM are adjusted to accommodate the new entries. Hot Lock PBR is enabled by default.

Configuration Task List for Policy-based Routing
To enable PBR:
• Create a Redirect List
• Create a Rule for a Redirect-list
• Create a Track-id list. For complete tracking information, refer to the Object Tracking chapter.
destination ip-address or any or host ip-address is the destination's IP address. FORMAT: A.B.C.D/NN, or ANY, or HOST IP address.
Delete a rule with the no redirect command.
 seq 20 redirect 10.1.1.3 ip 20.1.1.0/24 any
Dell(conf-redirect-list)#
NOTE: Starting in release 9.4(0.0), Dell Networking OS supports the use of multiple recursive routes with the same source-address and destination-address combination in a redirect policy on a router. A recursive route is a route for which the immediate next-hop address is learned dynamically through a routing protocol and acquired through a route lookup in the routing table.
Applying a Redirect-list to an Interface
Example:
Dell(conf-if-te-4/0)#ip redirect-group xyz
Dell(conf-if-te-4/0)#

Applying a Redirect-list to an Interface
Example:
Dell(conf-if-te-1/0)#ip redirect-group test
Dell(conf-if-te-1/0)#ip redirect-group xyz
Dell(conf-if-te-1/0)#show config
!
interface TenGigabitEthernet 1/0
 no ip address
 ip redirect-group test
 ip redirect-group xyz
 shutdown
Dell(conf-if-te-1/0)#
In addition to supporting multiple redirect-lists in a redirect-group, multiple redirect-groups are su
Use the show ip redirect-list command (without the list name) to display all the redirect-lists configured on the device.
Dell#show ip redirect-list
IP redirect-list rcl0:
 Defined as:
  seq 5 permit ip 200.200.200.200 200.200.200.200 199.199.199.199 199.199.199.199
  seq 10 redirect 1.1.1.2 tcp 234.224.234.234 255.234.234.234 222.222.222.
Create the Redirect-List GOLD
EDGE_ROUTER(conf-if-Te-3/23)#ip redirect-list GOLD
EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD.
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.1.0/24 any
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any
EDGE_ROUTER(conf-redirect-list)#seq 15 permit ip any any
EDGE_ROUTER(conf-redirect-list)#show config
!
ip redirect-list GOLD
 description Route GOLD traffic to ISP_GOLD.
 seq 5 redirect 10.99.99.254 ip 192.
IP redirect-list GOLD:
 Defined as:
  seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23), ARP resolved
  seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any, Next-hop reachable (via Te 3/23), ARP resolved
  seq 15 permit ip any any
 Applied interfaces:
  Te 2/11
EDGE_ROUTER#

Configuration Tasks for Creating a PBR list using Explicit Track Objects for Redirect IP's
Create Track Objects to track the Redirect IP's:
Dell#configure terminal
Dell(conf)#track 3 ip host 42.1.1.
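The first-match evaluation of a redirect-list, as an added example that is not Dell's code: it parses rules in the syntax shown above (the GOLD list plus one constructed TCP-only rule) and returns the next hop a given packet would be redirected to. It assumes that rules are evaluated in seq order, that the first matching rule wins, and that a permit rule, or no match at all, means the packet takes the normal routed path.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Dell's code: a first-match evaluator for redirect-list
# rules written in the syntax the guide shows, e.g.
#   seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any
#   seq 15 permit ip any any
# Assumption: rules are evaluated in seq order and the first match wins;
# "permit" (or no match at all) means the packet takes the normal routed path.


@dataclass(frozen=True)
class RedirectRule:
    seq: int
    next_hop: Optional[str]   # None for a permit rule
    protocol: str             # "ip", "tcp" or "udp"
    source: str               # "any", "host A.B.C.D" or "A.B.C.D/NN" (normalised)
    destination: str


def _parse_match(tokens: List[str]) -> str:
    """Consume one source/destination specifier from the token list."""
    word = tokens.pop(0).lower()
    if word == "any":
        return "any"
    if word == "host":
        return "host " + str(ipaddress.ip_address(tokens.pop(0)))
    return str(ipaddress.ip_network(word, strict=False))


def parse_rule(line: str) -> RedirectRule:
    """Parse one 'seq N redirect|permit ...' line as shown by show config."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "seq":
        raise ValueError(f"not a redirect-list rule: {line!r}")
    seq = int(tokens[1])
    action = tokens[2]
    rest = tokens[3:]
    if action == "redirect":
        next_hop = str(ipaddress.ip_address(rest.pop(0)))
    elif action == "permit":
        next_hop = None
    else:
        raise ValueError(f"unknown action {action!r} in {line!r}")
    protocol = rest.pop(0).lower()
    if protocol not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported protocol {protocol!r} in {line!r}")
    source = _parse_match(rest)
    destination = _parse_match(rest)
    return RedirectRule(seq, next_hop, protocol, source, destination)


def _matches(spec: str, address: str) -> bool:
    """Test one address against an any / host / prefix specifier."""
    addr = ipaddress.ip_address(address)
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == ipaddress.ip_address(spec[5:])
    return addr in ipaddress.ip_network(spec)


def evaluate(rules: List[RedirectRule], protocol: str,
             src: str, dst: str) -> Optional[str]:
    """Return the next hop the packet is redirected to, or None for normal routing."""
    for rule in sorted(rules, key=lambda r: r.seq):
        # An "ip" rule matches every IP protocol; tcp/udp rules match only their own.
        if rule.protocol != "ip" and rule.protocol != protocol.lower():
            continue
        if _matches(rule.source, src) and _matches(rule.destination, dst):
            return rule.next_hop
    return None


# Constructed sample: the guide's GOLD list plus one TCP-only rule (seq 12).
GOLD_RULES = [parse_rule(line) for line in (
    "seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any",
    "seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any",
    "seq 12 redirect 10.1.1.3 tcp any host 144.144.144.144",
    "seq 15 permit ip any any",
)]
```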
  Te 2/28
Dell#

Configuration Tasks for Creating a PBR list using Explicit Track Objects for Tunnel Interfaces
Creating steps for Tunnel Interfaces:
Dell#configure terminal
Dell(conf)#interface tunnel 1
Dell(conf-if-tu-1)#tunnel destination 40.1.1.2
Dell(conf-if-tu-1)#tunnel source 40.1.1.1
Dell(conf-if-tu-1)#tunnel mode ipip
Dell(conf-if-tu-1)#tunnel keepalive 60.1.1.2
Dell(conf-if-tu-1)#ip address 60.1.1.
Verify the Applied Redirect Rules:
Dell#show ip redirect-list explicit_tunnel
IP redirect-list explicit_tunnel:
 Defined as:
  seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.0/24, Track 1 [up], Next-hop reachable (via Te 1/32)
  seq 10 redirect tunnel 1 track 1 tcp any any, Track 1 [up], Next-hop reachable (via Te 1/32)
  seq 15 redirect tunnel 1 track 1 udp 155.55.0.0/16 host 144.144.144.144, Track 1 [up], Next-hop reachable (via Te 1/32)
  seq 20 redirect tunnel 2 track 2 tcp 155.55.2.0/24 222.22.2.
37 PIM Sparse-Mode (PIM-SM)
Protocol-independent multicast sparse-mode (PIM-SM) is supported on the MXL switch platform.
PIM-SM is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until it receives a request to stop.

Implementation Information
Be aware of the following PIM-SM implementation information.
Refuse Multicast Traffic
A host requesting to leave a multicast group sends an IGMP Leave message to the last-hop DR. If the host is the only remaining receiver for that group on the subnet, the last-hop DR is responsible for sending a PIM Prune message up the RPT to prune its branch to the RP.
1. After receiving an IGMP Leave message, the gateway removes the interface on which it is received from the outgoing interface list of the (*,G) entry.
  ip multicast-routing

Related Configuration Tasks
The following are related PIM-SM configuration tasks.
• Configuring S,G Expiry Timers
• Configuring a Static Rendezvous Point
• Configuring a Designated Router
• Creating Multicast Boundaries and Domains

Enable PIM-SM
You must enable PIM-SM on each participating interface.
1. Enable multicast routing on the system.
   CONFIGURATION mode
   ip multicast-routing
2. Enable PIM-Sparse mode.
Interface state: Interface, next-Hop, State/Mode
(*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.6, flags: SCJ
  Incoming interface: GigabitEthernet 4/12, RPF neighbor 10.87.3.5
  Outgoing interface list:
    GigabitEthernet 4/11
    GigabitEthernet 7/13
(10.87.31.5, 192.1.2.1), uptime 00:01:24, expires 00:02:26, flags: FT
  Incoming interface: GigabitEthernet 7/11, RPF neighbor 0.0.0.
Dell(conf)#ip access-list extended SGtimer
Dell(config-ext-nacl)#permit ip 10.1.2.3/24 225.1.1.0/24
Dell(config-ext-nacl)#permit ip any 232.1.1.0/24
Dell(config-ext-nacl)#permit ip 100.1.1.0/16 any
Dell(config-ext-nacl)#show conf
!
ip access-list extended SGtimer
 seq 5 permit ip 10.1.2.0/24 225.1.1.0/24
 seq 10 permit ip any 232.1.1.0/24
 seq 15 permit ip 100.1.0.
Group(s): 224.0.0.0/4, Static RP: 165.87.50.5, v2

Configuring a Designated Router
Multiple PIM-SM routers might be connected to a single local area network (LAN) segment. One of these routers is elected to act on behalf of directly connected hosts. This router is the designated router (DR). The DR is elected using hello messages. Each PIM router learns about its neighbors by periodically sending a hello message out of each PIM-enabled interface.
38 PIM Source-Specific Mode (PIM-SSM)
PIM source-specific mode (PIM-SSM) is supported on the MXL switch platform.
PIM-SSM is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1. Create an ACL that uses permit rules to specify what range of addresses should use SSM.
   CONFIGURATION mode
   ip access-list standard name
2. Enter the ip pim ssm-range command and specify the ACL you created.
   CONFIGURATION mode
   ip pim ssm-range acl-name

Enabling PIM-SSM
To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.
R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.
ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4
ip pim ssm-range ssm
R1(conf)#do show run acl
!
ip access-list standard map
 seq 5 permit host 239.0.0.2
!
ip access-list standard ssm
 seq 5 permit host 239.0.0.2
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address    Interface    Mode           Uptime    Expires
239.0.0.2        Vlan 300     IGMPv2-Compat  00:00:07  Never
  Member Ports: Gi 1/1
239.0.0.1        Vlan 400     INCLUDE        00:00:10  Never
  10.11.4.
39 Port Monitoring
Port monitoring is supported on the MXL switch platform.
Mirroring is used for monitoring ingress traffic, egress traffic, or both on a specific port or ports. This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
  source TenGigabitEthernet 0/0 destination TenGigabitEthernet 0/2 direction both
Dell (conf-mon-sess-2)#
!

Configuring Port Monitoring
To configure port monitoring, use the following commands.
1. Verify that the intended monitoring port has no configuration other than no shutdown, as shown in the following example.
   EXEC Privilege mode
   show interface
2. Create a monitoring session using the command monitor session from CONFIGURATION mode, as shown in the following example.
In the following example, the host and server are exchanging traffic which passes through the uplink interface 1/1. Port 1/1 is the monitored port and port 1/42 is the destination port, which is configured to only monitor traffic received on tengigabitethernet 1/1 (host-originated traffic).
Figure 98. Port Monitoring Example

Enabling Flow-Based Monitoring
Flow-based monitoring is supported only on the S-Series platform.
Dell(conf)#monitor session 0
Dell(conf-mon-sess-0)#flow-based enable
Dell(conf)#ip access-list ext testflow
Dell(config-ext-nacl)#seq 5 permit icmp any any count bytes monitor
Dell(config-ext-nacl)#seq 10 permit ip 102.1.1.
Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• MAC address learning in the reserved VLAN is automatically disabled. • The reserved VLAN for remote port mirroring can be automatically configured in intermediate switches by using GVRP. • There is no restriction on the VLAN IDs used for the reserved remote-mirroring VLAN. Valid VLAN IDs are from 2 to 4094. The default VLAN ID is not supported.
To display the currently configured source and destination sessions for remote port mirroring on a switch, enter the show monitor session command in EXEC Privilege mode.
Dell(conf-mon-sess-1)#no disable
Dell(conf-mon-sess-1)#exit
Dell(conf)#inte vlan 100
Dell(conf-if-vl-100)#tagged te 0/7
Dell(conf-if-vl-100)#exit
Dell(conf)#interface vlan 20
Dell(conf-if-vl-20)#mode remote-port-mirroring
Dell(conf-if-vl-20)#tagged te 0/6
Dell(conf-if-vl-20)#exit
Dell(conf)#monitor session 2 type rpm
Dell(conf-mon-sess-2)#source vlan 100 destination remote-vlan 20 dir rx
Dell(conf-mon-sess-2)#no disable
Dell(conf-mon-sess-2)#flow-based enable
Dell(conf-mon-sess-2)#exit
Dell(conf)#mac access
Dell(conf)#interface te 0/2
Dell(conf-if-te-0/2)#switchport
Dell(conf-if-te-0/2)#no shutdown
Dell(conf-if-te-0/2)#exit
Dell(conf)#inte vlan 10
Dell(conf-if-vl-10)#mode remote-port-mirroring
Dell(conf-if-vl-10)#tagged te 0/0
Dell(conf-if-vl-10)#exit
Dell(conf)#inte vlan 20
Dell(conf-if-vl-20)#mode remote-port-mirroring
Dell(conf-if-vl-20)#tagged te 0/1
Dell(conf-if-vl-20)#exit
Dell(conf)#interface vlan 30
Dell(conf-if-vl-30)#mode remote-port-mirroring
Dell(conf-if-vl-30)#tagged te 0/2
Dell(conf-if-vl-30)#exi
Configuring the Encapsulated Remote Port Mirroring
The ERPM session copies traffic from the source ports/LAGs or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination IP address specified in the session.
Important: The steps to be followed for the ERPM encapsulation:
• Dell Networking OS supports ERPM Source session only.
• The encapsulated packets terminate at the destination IP or at the analyzer.
Dell#show running-config interface vlan 11
!
interface Vlan 11
 no ip address
 tagged TenGigabitEthernet 0/1-3
 mac access-group flow in    <<<<<<<<<<<<<< Only ingress packets are supported for mirroring
 shutdown
Dell#

ERPM Behavior on a typical Dell Networking OS
The Dell Networking OS is designed to support only the encapsulation of the data received / transmitted at the specified source port (Port A). An ERPM destination session / decapsulation of the ERPM packets at the destination switch are not supported.
  – The header that gets attached to the packet is 38 bytes long. In the case of a packet with an L3 VLAN, it is 42 bytes long. The original payload / original mirrored data starts from the 39th byte in a given ERPM packet. The first 38/42 bytes of the header need to be ignored / chopped off.
  – Some tools support options to edit the capture file. You can use such features (for example, editcap) to chop off the ERPM header part and save the result to a new trace file. This new file (i.e.
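The header-chopping step for a single packet, as an added example that is not code from the guide or from Dell. It assumes the 38/42-byte header the guide describes is Ethernet (14) + optional 802.1Q tag (4) + IPv4 without options (20) + GRE without optional fields (4), and uses a constructed sample packet rather than a real capture; the GRE protocol type used in the sample is likewise an assumption.

```python
import struct
from typing import Tuple

# Added example, not Dell's code: recover the mirrored frame from an ERPM packet
# captured at the analyzer. The guide states the added header is 38 bytes, or 42
# bytes when the outer frame carries a VLAN tag; this code assumes that header is
# Ethernet (14) + optional 802.1Q tag (4) + IPv4 without options (20) + GRE
# without optional fields (4), which matches those two sizes.

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
IPPROTO_GRE = 47
GRE_PROTO_TEB = 0x6558   # transparent Ethernet bridging; assumed for the sample


def erpm_header_length(packet: bytes) -> int:
    """Return the length of the ERPM encapsulation in front of the mirrored frame.

    Raises ValueError when the packet does not look like an ERPM packet.
    """
    if len(packet) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12
    ethertype = struct.unpack_from("!H", packet, offset)[0]
    offset += 2
    if ethertype == ETHERTYPE_8021Q:        # outer frame carries an 802.1Q tag
        if len(packet) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        ethertype = struct.unpack_from("!H", packet, offset + 2)[0]
        offset += 4
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    if len(packet) < offset + 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[offset]
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) * 4 != 20:
        raise ValueError("expected a 20-byte IPv4 header")
    if packet[offset + 9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 payload is not GRE")
    offset += 20
    if len(packet) < offset + 4:
        raise ValueError("truncated GRE header")
    gre_flags = struct.unpack_from("!H", packet, offset)[0]
    if gre_flags & 0xF000:                  # C/R/K/S bits would add optional fields
        raise ValueError("GRE optional fields are not expected in ERPM")
    offset += 4
    if offset not in (38, 42):
        raise ValueError(f"unexpected ERPM header length {offset}")
    return offset


def strip_erpm_header(packet: bytes) -> bytes:
    """Return the original mirrored frame, i.e. everything after the ERPM header."""
    return packet[erpm_header_length(packet):]


def build_erpm_sample(vlan_tagged: bool) -> Tuple[bytes, bytes]:
    """Construct a sample ERPM packet (constructed test data, not a real capture).

    Returns (erpm_packet, mirrored_frame) so callers can check the recovery.
    """
    # Mirrored frame: locally administered MACs, IPv4 EtherType, dummy payload.
    mirrored = (bytes.fromhex("02000000000a") + bytes.fromhex("02000000000b")
                + struct.pack("!H", ETHERTYPE_IPV4) + b"mirrored payload")
    outer = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if vlan_tagged:
        outer += struct.pack("!HH", ETHERTYPE_8021Q, 11)   # VLAN 11, priority 0
    outer += struct.pack("!H", ETHERTYPE_IPV4)
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)             # no optional fields
    total_length = 20 + len(gre) + len(mirrored)
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64,
                       IPPROTO_GRE, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return outer + ipv4 + gre + mirrored, mirrored
```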
40 Private VLANs (PVLAN)
The private VLAN (PVLAN) feature is supported on the MXL switch platform.
For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell Networking OS Command Line Reference Guide.
Private VLANs extend the Dell Networking operating system (OS) security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
  – There are two types of secondary VLAN — community VLAN and isolated VLAN.
PVLAN port types include:
• Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports.
• Host port — in the context of a private VLAN, is a port in a secondary VLAN:
  – The port must first be assigned that role in INTERFACE mode.
  – A port assigned the host role cannot be added to a regular VLAN.
  EXEC mode or EXEC Privilege mode
  show vlan private-vlan mapping
• Set the PVLAN mode of the selected port.
  INTERFACE
  switchport mode private-vlan {host | promiscuous | trunk}
NOTE: Secondary VLANs are Layer 2 VLANs, so even if they are operationally down while primary VLANs are operationally up, Layer 3 traffic is still transmitted across secondary VLANs.
NOTE: The outputs of the show arp and show vlan commands are augmented in the Dell Networking OS version 7.8.1.0 to provide PVLAN data.
Dell(conf-if-te-2/1)#switchport mode private-vlan promiscuous
Dell(conf)#interface TenGigabitEthernet 2/2
Dell(conf-if-te-2/2)#switchport mode private-vlan host
Dell(conf)#interface TenGigabitEthernet 2/3
Dell(conf-if-te-2/3)#switchport mode private-vlan trunk
Dell(conf)#interface TenGigabitEthernet 2/2
Dell(conf-if-te-2/2)#switchport mode private-vlan host

Creating a Primary VLAN
A primary VLAN is a port-based VLAN that is specifically enabled as a primary VLAN to contain the promiscuous ports and PVLAN t
NOTE: If a promiscuous or host port is untagged in a VLAN and it receives a tagged packet in the same VLAN, the packet is NOT dropped.

Creating a Community VLAN
A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN. The ports in a community VLAN can talk to each other and with the promiscuous ports in the primary VLAN.
1. Access INTERFACE VLAN mode for the VLAN that you want to make a community VLAN.
   CONFIGURATION mode
   interface vlan vlan-id
2. Enable the VLAN.
Example of Configuring Private VLAN Members The following example shows the use of the PVLAN commands that are used in VLAN INTERFACE mode to configure the PVLAN member VLANs (primary, community, and isolated VLANs).
• TenGig 4/0 and TenGig 0/23 are configured as host ports and assigned to the community VLAN, VLAN 4001.
• TenGig 4/24 and TenGig 4/47 are configured as host ports and assigned to community VLAN 4002.
The result is that:
• The ports in community VLAN 4001 can communicate directly with each other and with promiscuous ports.
• The ports in community VLAN 4002 can communicate directly with each other and with promiscuous ports.
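The Layer 2 isolation rules for community, isolated and promiscuous ports, as an added example that is not Dell's code, so that the expected reachability of a PVLAN design can be checked before it is deployed. The sample port list follows the scenario above; the promiscuous port Te 4/1 and the isolated host port Te 4/5 are assumed names, and isolated ports reaching only promiscuous ports is an assumption of standard PVLAN behaviour that the port-type list above does not spell out.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Added example, not Dell's code: a model of the Layer 2 isolation rules the
# guide describes for private VLANs. Promiscuous ports reach every port in the
# private VLAN; community ports reach their own community and the promiscuous
# ports; isolated ports reach only the promiscuous ports (assumption: standard
# isolated-VLAN behaviour). Trunk ports are left out of the model.


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str                              # "promiscuous" or "host"
    secondary_vlan: Optional[int] = None   # community/isolated VLAN of a host port
    secondary_type: Optional[str] = None   # "community" or "isolated"


def _validate(port: PvlanPort) -> None:
    if port.mode not in ("promiscuous", "host"):
        raise ValueError(f"{port.name}: only promiscuous and host ports are modelled")
    if port.mode == "host" and (port.secondary_vlan is None
                                or port.secondary_type not in ("community", "isolated")):
        raise ValueError(f"{port.name}: a host port needs a community or isolated VLAN")


def can_communicate(a: PvlanPort, b: PvlanPort) -> bool:
    """Return True if frames from port a may be delivered to port b."""
    _validate(a)
    _validate(b)
    # A promiscuous port talks to every port in the private VLAN.
    if a.mode == "promiscuous" or b.mode == "promiscuous":
        return True
    # Both are host ports: only members of the same community VLAN may talk;
    # isolated ports never reach another host port.
    return (a.secondary_type == "community"
            and b.secondary_type == "community"
            and a.secondary_vlan == b.secondary_vlan)


def reachability(ports: List[PvlanPort]) -> Dict[str, FrozenSet[str]]:
    """Map each port name to the set of other ports it can reach."""
    return {
        p.name: frozenset(q.name for q in ports if q is not p and can_communicate(p, q))
        for p in ports
    }


# Constructed sample based on the guide's example: community VLANs 4001 and
# 4002 and isolated VLAN 4003. Te 4/1 (promiscuous) and Te 4/5 (isolated host)
# are assumed port names.
SAMPLE_PORTS = [
    PvlanPort("Te 4/1", "promiscuous"),
    PvlanPort("Te 4/0", "host", 4001, "community"),
    PvlanPort("Te 0/23", "host", 4001, "community"),
    PvlanPort("Te 4/24", "host", 4002, "community"),
    PvlanPort("Te 4/47", "host", 4002, "community"),
    PvlanPort("Te 4/5", "host", 4003, "isolated"),
]
```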
20  Primary    Yes  Te 1/1,5
30  Community  Yes  Te 1/2
40  Isolated   Yes  Te 1/3
Dell#
S50-1#show vlan private-vlan mapping
Private Vlan:
  Primary   : 4000
  Isolated  : 4003
  Community : 4001
NOTE: In the following example, notice the addition of the PVLAN codes – P, I, and C – in the left column.
!
 no shutdown
41 Per-VLAN Spanning Tree Plus (PVST+)
Per-VLAN spanning tree plus (PVST+) is supported on the MXL switch platform.

Protocol Overview
PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter.
Figure 100.
Dell Networking Term                      IEEE Specification
Multiple Spanning Tree Protocol (MSTP)    802.1s
Per-VLAN Spanning Tree Plus (PVST+)       Third Party

Implementation Information
• The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w.
• The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table). Other implementations use IEEE 802.1w costs as the default costs.
  • disable
• Disable PVST+ on an interface, or remove a PVST+ parameter configuration.
  INTERFACE mode
  no spanning-tree pvst

Example of Viewing PVST+ Configuration
To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
• Assign a bridge priority.
  PROTOCOL PVST mode
  vlan bridge-priority
  The range is from 0 to 61440. The default is 32768.

Example of the show spanning-tree pvst vlan Command
To display the PVST+ forwarding topology, use the show spanning-tree pvst [vlan vlan-id] command from EXEC Privilege mode.
Dell(conf-if-te-5/41)#do show spanning-tree pvst vlan 2
VLAN 2
  Root Identifier has priority 32768, Address 001e.c9f1.
• Change the forward-delay parameter.
  PROTOCOL PVST mode
  vlan forward-delay
  The range is from 4 to 30. The default is 15 seconds.
• Change the hello-time parameter.
  PROTOCOL PVST mode
  vlan hello-time
  NOTE: With large configurations (especially those configurations with more ports), Dell Networking recommends increasing the hello-time.
  The range is from 1 to 10. The default is 2 seconds.
• Change the max-age parameter.
  PROTOCOL PVST mode
  vlan max-age
  The range is from 6 to 40. The default is 20 seconds.
NOTE: The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs. Other implementations use IEEE 802.1w costs as the default costs. If you are using Dell Networking systems in a multi-vendor network, verify that the costs are values you intended. To change the port cost or port priority of an interface, use the following commands. • Change the port cost of an interface. INTERFACE mode spanning-tree pvst vlan cost. The range is from 0 to 200000.
– Disable the shutdown-on-violation command on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command).
– Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode).
– Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode).
PVST+ in Multi-Vendor Networks
Some non-Dell Networking systems which have hybrid ports participating in PVST+ transmit two kinds of BPDUs: an 802.1D BPDU and an untagged PVST+ BPDU.
VLAN 5
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32773, Address 0001.e832.73f7
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.73f7
We are the root of Vlan 5
Configured hello time 2, max age 20, forward delay 15
PVST+ Sample Configurations
The following examples provide the running configurations for the topology shown in the previous illustration.
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 2/12,32
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 200 bridge-priority 4096
interface TenGigabitEthernet 3/12
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 3/22
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 3/12,22
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 3/12,22
 no shutdown
!
interface Vlan 300
 no ip address
 tagged
edge-port bpdu filter default Figure 103.
42 Quality of Service (QoS) Quality of service (QoS) is supported on the MXL switch platform. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. The MXL switch traffic has four data queues per port. All queues are serviced using the Weighted Round Robin scheduling algorithm. You can only manage priority queuing on egress.
Feature                            Direction
Create Output Policy Maps          Egress
Specify an Aggregate QoS Policy    Egress
QoS Rate Adjustment
Strict-Priority Queueing
Weighted Random Early Detection    Egress
Create WRED Profiles               Egress
Figure 104. Dell Networking QoS Architecture
Implementation Information
The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Port-Based QoS Configurations You can configure the following QoS features on an interface. NOTE: You cannot simultaneously use egress rate shaping and ingress rate policing on the same virtual local area network (VLAN). • Setting dot1p Priorities for Incoming Traffic • Configuring Port-Based Rate Policing • Configuring Port-Based Rate Shaping Setting dot1p Priorities for Incoming Traffic Change the priority of incoming traffic on the interface using the dot1p-priority command from INTERFACE mode.
You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries. For more information, refer to Mapping dot1p Values to Service Queues. NOTE: You cannot configure service-policy input and service-class dynamic dot1p on the same interface. • Honor dot1p priorities on ingress traffic.
rate shape • Apply rate shaping to a queue.
! policy-map-input ecn_0_pmap service-queue 0 class-map ecn_0_cmap Applying this policy-map “ecn_0_pmap” will mark all the packets with ‘ecn == 0’ as yellow packets on queue0 (default queue). Classifying Incoming Packets Using ECN and Color-Marking Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded.
You can use the ecn keyword with the ip access-list standard, ip access-list extended, seq, and permit commands for standard and extended IPv4 ACLs to match incoming packets with the specified ECN values. Like the dscp qualifier in the existing Layer 3 ACL commands, the ecn qualifier can be combined with all other supported ACL match qualifiers, such as SIP/DIP/TCP/UDP/SRC PORT/DST PORT/ICMP. Until Release 9.3(0.
Approach without explicit ECN match qualifiers for ECN packets:
!
ip access-list standard dscp_50
 seq 5 permit any dscp 50
!
ip access-list standard dscp_40
 seq 5 permit any dscp 40
!
ip access-list standard dscp_50_non_ecn
 seq 5 permit any dscp 50 ecn 0
!
ip access-list standard dscp_40_non_ecn
 seq 5 permit any dscp 40 ecn 0
!
class-map match-any class_dscp_40
 match ip access-group dscp_40_non_ecn set-color yellow
 match ip access-group dscp_40
!
class-map match-any class_dscp_50
 match ip access-group dscp_
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 105. Constructing Policy-Based QoS Configurations DSCP Color Maps This section describes how to configure color maps and how to display the color map and color map configuration.
The default setting for each DSCP value (0-63) is green (low drop precedence). The DSCP color map allows you to set the number of specific DSCP values to yellow or red. Traffic marked as yellow delivers traffic to the egress interface, which will either transmit or drop the packet based on configured queuing behavior. Traffic marked as red (high drop precedence) is dropped. Important Points to Remember • All DSCP values that are not specified as yellow or red are colored green (low drop precedence).
Display a specific DSCP color map. Dell# show qos dscp-color-map mapTWO Dscp-color-map mapTWO yellow 16,55 Displaying a DSCP Color Policy Configuration To display the DSCP color policy configuration for one or all interfaces, use the show qos dscp-color-policy {summary [interface] | detail {interface}} command in EXEC mode. summary: Displays summary information about a color policy on one or more interfaces.
POLICY MAP mode service-queue Example of Creating a Layer 3 Class Map Dell(conf)#ip access-list standard acl1 Dell(conf-std-nacl)#permit 20.0.0.0/8 Dell(conf-std-nacl)#exit Dell(conf)#ip access-list standard acl2 Dell(conf-std-nacl)#permit 20.1.1.
POLICY MAP mode service-queue Determining the Order in Which ACLs are Used to Classify Traffic When you link class-maps to queues using the service-queue command, the system matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities). For example, as described in the previous example, class-map cmap2 is matched against ingress packets before cmap1. ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.
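The ordering rule above (class-maps bound to higher queue numbers are evaluated first, so a broad ACL on a high queue can shadow a narrower ACL on a lower queue) is easy to get wrong when ACLs overlap. The following is an added example, not Dell Networking OS code, that models the classification order with the same names the text uses (acl1 = 20.0.0.0/8 on queue 1, acl2 = 20.1.1.0/24 on queue 2) and includes a check that flags a class-map which can never match because a higher-priority ACL already covers all of its prefixes. The source addresses fed to it are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed model of MXL ingress classification. Not Dell Networking OS code.
# A standard ACL is modelled as a list of permitted source prefixes.
Acl = List[ipaddress.IPv4Network]

def acl_permits(acl: Acl, src: str) -> bool:
    """True if the source address matches any permit entry of the ACL."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)

def evaluation_order(bindings: Dict[int, Acl]) -> List[Tuple[int, Acl]]:
    """Order queue->ACL bindings the way the system evaluates them:
    higher queue numbers first (queue numbers closer to 0 have lower priority)."""
    return sorted(bindings.items(), key=lambda kv: kv[0], reverse=True)

def classify(bindings: Dict[int, Acl], src: str, default_queue: int = 0) -> int:
    """Return the queue a packet lands in: the first matching class-map wins."""
    for queue, acl in evaluation_order(bindings):
        if acl_permits(acl, src):
            return queue
    return default_queue

def shadowed_bindings(bindings: Dict[int, Acl]) -> List[Tuple[int, int]]:
    """Find class-maps that can never match because every prefix they permit is
    contained in an ACL bound to a higher queue. Returns (shadowed_queue, by_queue)."""
    ordered = evaluation_order(bindings)
    result = []
    for i, (queue, acl) in enumerate(ordered):
        for higher_queue, higher_acl in ordered[:i]:
            if all(any(net.subnet_of(h) for h in higher_acl) for net in acl):
                result.append((queue, higher_queue))
                break
    return result

ACL1 = [ipaddress.ip_network("20.0.0.0/8")]      # acl1 from the text
ACL2 = [ipaddress.ip_network("20.1.1.0/24")]     # acl2, contained in acl1

# Correct layout from the text: the more specific acl2 sits on the higher queue,
# so it is consulted first and the overlap with acl1 is harmless.
CORRECT = {1: ACL1, 2: ACL2}
# Incorrect layout: acl1 on the higher queue matches every 20.x.x.x packet
# before acl2 is consulted, so queue 1 never sees 20.1.1.0/24 traffic.
INCORRECT = {2: ACL1, 1: ACL2}

if __name__ == "__main__":
    for src in ("20.1.1.5", "20.5.5.5", "10.0.0.1"):      # constructed sources
        print(f"{src}: correct->queue {classify(CORRECT, src)}, "
              f"incorrect->queue {classify(INCORRECT, src)}")
    print("shadowed (queue, by_queue):", shadowed_bindings(INCORRECT))
```

Running shadowed_bindings over a planned policy-map before applying it is a cheap way to catch the "incorrect traffic classification" case the next section illustrates.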
• Display all class-maps or a specific class map. EXEC Privilege mode show qos class-map Examples of Traffic Classifications The following example shows incorrect traffic classifications.
20419 1 24511 1 10 0 0 0 0x0 0x0 0 0 0 0 0.0.0.0/0 0.0.0.0/0 0.0.0.0/0 14 0.0.0.0/0 - 1 0 Create a QoS Policy There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. There are two types of input QoS policies: Layer 3 and Layer 2. Output QoS policies regulate egress traffic.
Setting a dot1p Value for Egress Packets To set a dot1p value for egress packets, use the following command. • Set a dot1p value for egress packets. QOS-POLICY-IN mode set mac-dot1p Creating an Output QoS Policy To create an output QoS policy, use the following commands. 1. Create an output QoS policy. CONFIGURATION mode qos-policy-output 2.
Setting DSCP Values for Egress Packets Based on Flow Match-any Layer 3 flows may have several match criteria. All flows that match at least one of the match criteria are mapped to the same queue because they are in the same class map. Setting a DSCP value from QOS-POLICY-IN mode (refer to Setting a DSCP Value for Egress Packets) assigns the same DSCP value to all of the matching flows in the class-map. The flow-based DSCP marking feature allows you to assign a different DSCP value to each match criterion.
Honoring DSCP Values on Ingress Packets Honoring dot1p Values on Ingress Packets Enabling Fall Back to Trust Diffserve or dot1p 3. Apply the input policy map to an interface. Applying a Class-Map or Input QoS Policy to a Queue To apply a class-map or input QoS policy to a queue, use the following command. • Assign an input QoS policy to a queue.
Honoring dot1p Values on Ingress Packets
The Dell Networking OS honors dot1p values on ingress packets with the Trust dot1p feature. The following table specifies the queue to which the classified traffic is sent based on the dot1p value.
Table 51. Default dot1p to Queue Mapping
dot1p   Queue ID
0       0
1       0
2       0
3       1
4       2
5       3
6       3
7       3
The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN.
The packet classification logic for the configuration shown is as follows: 1. Match packets against match-any qos-AF4. If a match exists, queue the packet as AF4 in Queue 4, and if no match exists, go to the next class map. 2. Match packets against match-any qos-AF3. If a match exists, queue the packet as AF3 in Queue 3, and if no match exists, go to the next class map. 3. Match packets against match-all qos-BE1.
• Apply an input policy map to an interface. INTERFACE mode service-policy input Specify the keyword layer2 if the policy map you are applying is a Layer 2 policy map; in this case, INTERFACE mode must be in Switchport mode. Creating Output Policy Maps 1. Create an output policy map. CONFIGURATION mode policy-map-output 2.
• Start frame delimiter (SFD): 1 byte
• Destination MAC address: 6 bytes
• Source MAC address: 6 bytes
• Ethernet Type/Length: 2 bytes
• Payload: (variable)
• Cyclic redundancy check (CRC): 4 bytes
• Inter-frame gap (IFG): (variable)
You can optionally include overhead fields in rate metering calculations by enabling QoS rate adjustment.
Figure 106. Packet Drop Rate for WRED
You can create a custom WRED profile or use one of the five pre-defined profiles.
Table 52. Pre-Defined WRED Profiles
Default Profile Name   Minimum Threshold   Maximum Threshold   Maximum Drop Rate
wred_drop              0                   0                   100
wred_teng_y            467                 4671                100
wred_teng_g            467                 4671                50
wred_fortyg_y          467                 4671                50
wred_fortyg_g          467                 4671                25
Creating WRED Profiles
To create WRED profiles, use the following commands.
1. Create a WRED profile.
• If you do not configure the system to honor DSCP values on ingress (refer to Honoring DSCP Values on Ingress Packets), all traffic defaults to green drop precedence. • Assign a WRED profile to either yellow or green traffic. QOS-POLICY-OUT mode wred Displaying Default and Configured WRED Profiles To display the default and configured WRED profiles, use the following command. • Display default and configured WRED profiles and their threshold values.
Example of the show qos statistics egress-queue Command
Dell#show qos statistics egress-queue
Interface Te 1/1
Unicast/Multicast Egress Queue Statistics
Queue# Q# Type TxPkts TxBytes DroppedPkts DroppedBytes
--------------------------------------------------------------------------------
0   UCAST   0     0      0   0
1   UCAST   0     0      0   0
2   UCAST   0     0      0   0
3   UCAST   0     0      0   0
4   UCAST   0     0      0   0
5   UCAST   0     0      0   0
6   UCAST   0     0      0   0
7   UCAST   0     0      0   0
8   UCAST   204   13056  0   0
9   MCAST   0     0      0   0
10  MCAST   0     0      0   0
11  MCAST   0     0      0   0
12  MCAST   0     0      0   0
13  MCAS
The type of the class map is determined during the creation of a class map. In releases of Dell Networking OS earlier than Release 9.2(0.0), you can configure only the dot1p value as the filter criterion in Layer 2 class maps and the DSCP value as the filter parameter in Layer 3 class maps. It was also possible to classify packets using both the Layer 2 attribute, dot1p value or MAC VLAN, in a Layer 2 class map and the Layer 3 attribute, DSCP value, in a Layer 3 class map.
43 Routing Information Protocol (RIP) The routing information protocol (RIP) is based on a distance-vector algorithm and tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter. Protocol Overview RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2). These versions are documented in RFCs 1058 and 2453.
Feature                 Default
Transmit                RIPv1
RIP timers              • update timer = 30 seconds
                        • invalid timer = 180 seconds
                        • holddown timer = 180 seconds
                        • flush timer = 240 seconds
Auto summarization      Enabled
ECMP paths supported    16
Configuration Information
By default, RIP is disabled in the system. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
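To see how the four default timers interact, here is an added example (not Dell Networking OS code) that drives a small RIP route table through its lifetime: a route is valid while it keeps being refreshed within the invalid timer, is marked unreachable (metric 16) and enters holddown when the invalid timer expires, and is removed when the flush timer expires, which with these defaults (180 + 180 > 240) always happens before holddown would end. The holddown rule applied here, that only a strictly better metric than the route had before it went invalid may reinstate it, is common router behaviour and an assumption of this example, not something stated on the page. Prefixes and next hops are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed model of RIP route timers. Not Dell Networking OS code.
UNREACHABLE = 16            # RIP "infinity" metric

@dataclass
class Timers:
    update: int = 30        # how often updates are sent
    invalid: int = 180      # no refresh for this long -> route marked unreachable
    holddown: int = 180     # after invalid: ignore equal-or-worse metrics
    flush: int = 240        # no refresh for this long -> route removed

@dataclass
class Route:
    prefix: str
    next_hop: str
    metric: int
    last_update: float            # time of the last accepted refresh
    invalid_at: Optional[float]   # when the route went invalid, if it has
    held_metric: int              # metric the route had before going invalid

class RipTable:
    def __init__(self, timers: Optional[Timers] = None):
        self.timers = timers or Timers()
        self.routes: Dict[str, Route] = {}

    def state(self, prefix: str, now: float) -> str:
        r = self.routes.get(prefix)
        if r is None:
            return "absent"
        if now - r.last_update >= self.timers.flush:
            return "flushed"
        if r.invalid_at is not None or now - r.last_update >= self.timers.invalid:
            return "holddown"
        return "valid"

    def expire(self, now: float) -> None:
        """Run the timers: mark stale routes unreachable, remove flushed ones."""
        for prefix in list(self.routes):
            r = self.routes[prefix]
            age = now - r.last_update
            if age >= self.timers.flush:
                del self.routes[prefix]             # flush timer wins over holddown
            elif age >= self.timers.invalid:
                if r.invalid_at is None:
                    r.invalid_at = r.last_update + self.timers.invalid
                r.metric = UNREACHABLE              # advertised as unreachable

    def update(self, now: float, prefix: str, next_hop: str, metric: int) -> bool:
        """Process one received route; return True if it changed the table."""
        self.expire(now)
        r = self.routes.get(prefix)
        if r is None:
            if metric >= UNREACHABLE:
                return False
            self.routes[prefix] = Route(prefix, next_hop, metric, now, None, metric)
            return True
        if r.invalid_at is not None:
            # Holddown (assumption): only a strictly better metric reinstates the route.
            in_holddown = now < r.invalid_at + self.timers.holddown
            if in_holddown and metric >= r.held_metric:
                return False
            self.routes[prefix] = Route(prefix, next_hop, metric, now, None, metric)
            return True
        if next_hop == r.next_hop:
            # The advertising neighbour is always believed, including "unreachable".
            if metric >= UNREACHABLE:
                r.invalid_at, r.metric = now, UNREACHABLE
            else:
                r.metric, r.last_update, r.held_metric = metric, now, metric
            return True
        if metric < r.metric:                       # better path from another neighbour
            self.routes[prefix] = Route(prefix, next_hop, metric, now, None, metric)
            return True
        return False

if __name__ == "__main__":
    table = RipTable()
    table.update(0, "10.11.30.0/24", "10.11.20.1", 3)     # constructed route
    for t in (100, 180, 239, 240):
        print(t, table.state("10.11.30.0/24", t))
```

The timer arithmetic also explains why lowering only the invalid timer without touching flush does not speed up removal of a dead route: the route lingers in holddown until the flush timer fires.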
The Dell Networking OS default is to send RIPv1 and to receive RIPv1 and RIPv2. To change the RIP version globally, use the version command in ROUTER RIP mode. To view the global RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
Dell(conf-router_rip)#show config
!
router rip
 network 10.0.0.0
Dell(conf-router_rip)#
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
Controlling RIP Routing Updates By default, RIP broadcasts routing information out all enabled interfaces, but you can configure RIP to send or to block RIP routing information, either from a specific IP address or a specific interface. To control which devices or interfaces receive routing updates, configure a direct update to one router and configure interfaces to block RIP updates from other sources. To control the source of RIP route information, use the following commands.
• Assign a configured prefix list to all incoming RIP routes. ROUTER RIP mode • distribute-list prefix-list-name in Assign a configured prefix list to all outgoing RIP routes. ROUTER RIP mode distribute-list prefix-list-name out To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode. Setting the Send and Receive Version To change the RIP version globally or on an interface in the system, use the following command.
Routing Information Sources: Gateway Distance Last Update Distance: (default is 120) Dell# To configure an interface to receive or send both versions of RIP, include 1 and 2 in the command syntax. The command syntax for sending both RIPv1 and RIPv2 and receiving only RIPv2 is shown in the following example. Dell(conf-if)#ip rip send version 1 2 Dell(conf-if)#ip rip receive version 2 The following example of the show ip protocols command confirms that both versions are sent out that interface.
If you must perform routing between discontiguous subnets, disable automatic summarization. With automatic route summarization disabled, subnets are advertised. The autosummary command requires no other configuration commands. To disable automatic route summarization, enter no autosummary in ROUTER RIP mode. NOTE: If you enable the ip split-horizon command on an interface, the system does not advertise the summarized address.
Dell#debug ip rip
RIP protocol debug is ON
Dell#
To disable RIP debugging, use the no debug ip rip command. RIP Configuration Example The examples in this section show the command sequence to configure RIPv2 on the two routers shown in the following illustration — Core 2 and Core 3. The host prompts used in the following example reflect those names.
• To display Core 2 RIP setup, use the show ip route command.
• To display Core 2 RIP activity, use the show ip protocols command.
Core2(conf-router_rip)#end
00:12:24: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
Core2#show ip rip database
Total number of routes in RIP database: 7
10.11.30.0/24 [120/1] via 10.11.20.1, 00:00:03, TenGigabitEthernet 2/31
10.300.10.0/24 directly connected,TenGigabitEthernet 2/42
10.200.10.0/24 directly connected,TenGigabitEthernet 2/41
10.11.20.
10.11.20.0 10.11.10.0 Routing Information Sources: Gateway Distance Last Update 10.11.20.1 120 00:00:12 Distance: (default is 120) Core2# RIP Configuration on Core3 The following example shows how to configure RIPv2 on a host named Core3. Example of Configuring RIPv2 on Core3 Core3(conf-if-gi-3/21)#router rip Core3(conf-router_rip)#version 2 Core3(conf-router_rip)#network 192.168.1.0 Core3(conf-router_rip)#network 192.168.2.0 Core3(conf-router_rip)#network 10.11.30.0 Core3(conf-router_rip)#network 10.11.
E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route
Gateway of last resort is not set
Destination        Gateway                       Dist/Metric  Last Change
-----------        -------                       -----------  -----------
R  10.11.10.0/24   via 10.11.20.2, TenGig 3/21   120/1        00:01:14
C  10.11.20.0/24   Direct, TenGig 3/21           0/0          00:01:53
C  10.11.30.0/24   Direct, TenGig 3/11           0/0          00:06:00
R  10.200.10.0/24  via 10.11.20.2, TenGig 3/21   120/1        00:01:14
R  10.300.10.
 version 2
 10.200.10.0
 10.300.10.0
 10.11.10.0
 10.11.20.0
!
interface TenGigabitEthernet 3/11
 ip address 10.11.30.1/24
 no shutdown
!
interface TenGigabitEthernet 3/21
 ip address 10.11.20.1/24
 no shutdown
!
interface TenGigabitEthernet 3/43
 ip address 192.168.1.1/24
 no shutdown
!
interface TenGigabitEthernet 3/44
 ip address 192.168.2.1/24
 no shutdown
!
router rip
 version 2
 network 10.11.20.0
 network 10.11.30.0
 network 192.168.1.0
 network 192.168.2.
44 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
[no] rmon alarm number variable interval {delta | absolute} rising-threshold [value event-number] falling-threshold value event-number [owner string]
OR
[no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string]
Configure the alarm using the following optional parameters:
– number: alarm number, an integer from 1 to 65,535, the value must be unique in the RMON Alarm Table.
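The rising-threshold/falling-threshold pair above is what keeps an alarm from generating a trap on every poll while a counter hovers around a threshold. The following is an added example, not Dell Networking OS code, that models one alarm row with the RFC 2819 alarmTable semantics: a rising event fires once when the sampled value reaches rising-threshold and not again until the value has dropped to falling-threshold, and vice versa, with the sample being either the raw value (absolute) or the difference between consecutive polls (delta). The polled counter values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of an RMON alarm row (rmon alarm / rmon hc-alarm).
# Not Dell Networking OS code; follows RFC 2819 alarmTable hysteresis.

@dataclass
class RmonAlarm:
    number: int                    # alarm number, 1..65535, unique in the table
    sample_type: str               # "delta" or "absolute"
    rising_threshold: int
    falling_threshold: int
    rising_event: int              # event number fired on a rising crossing
    falling_event: int             # event number fired on a falling crossing
    last_sample: Optional[int] = None   # previous raw reading (delta mode)
    last_fired: Optional[str] = None    # "rising", "falling" or None

    def __post_init__(self) -> None:
        if not 1 <= self.number <= 65535:
            raise ValueError("alarm number must be 1..65535")
        if self.sample_type not in ("delta", "absolute"):
            raise ValueError("sample type must be delta or absolute")
        if self.falling_threshold > self.rising_threshold:
            raise ValueError("falling-threshold must not exceed rising-threshold")

    def sample(self, raw: int) -> Optional[Tuple[str, int]]:
        """Feed one polled value. Returns ("rising"|"falling", event_number) or None."""
        if self.sample_type == "delta":
            if self.last_sample is None:       # no delta until the second poll
                self.last_sample = raw
                return None
            value, self.last_sample = raw - self.last_sample, raw
        else:
            value = raw
        # Hysteresis: a crossing fires only if the opposite threshold was
        # crossed (or nothing has fired yet) since the last event of this kind.
        if value >= self.rising_threshold and self.last_fired != "rising":
            self.last_fired = "rising"
            return ("rising", self.rising_event)
        if value <= self.falling_threshold and self.last_fired != "falling":
            self.last_fired = "falling"
            return ("falling", self.falling_event)
        return None

def run_alarm(alarm: RmonAlarm, readings: List[int]) -> List[Tuple[int, str, int]]:
    """Replay polled readings; return (poll_index, kind, event_number) per event."""
    events = []
    for i, raw in enumerate(readings):
        fired = alarm.sample(raw)
        if fired:
            events.append((i, fired[0], fired[1]))
    return events

if __name__ == "__main__":
    # Absolute sampling of a gauge (constructed readings, one per interval).
    gauge = RmonAlarm(1, "absolute", 100, 50, rising_event=1, falling_event=2)
    print(run_alarm(gauge, [70, 120, 130, 60, 40, 110]))
    # Delta sampling of a monotonically increasing counter (constructed).
    counter = RmonAlarm(2, "delta", 100, 20, rising_event=3, falling_event=4)
    print(run_alarm(counter, [1000, 1030, 1200, 1210, 1220, 1400]))
```

Note that the second reading of 130 and the reading of 60 produce no events: the alarm stays "armed" for a falling crossing only, which is the behaviour you want from a trap feeding a SIEM.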
– trap community: (Optional) SNMP community string used for this trap. Configures the setting of the eventType in the RMON MIB for this row as either snmp-trap or log-and-trap. This value is identical to the eventCommunityValue in the eventTable in the RMON MIB. Default is public. – description string: (Optional) specifies a description of the event, which is identical to the event description in the eventTable of the RMON MIB. The default is a null-terminated string.
– buckets: (Optional) specifies the maximum number of buckets desired for the RMON collection history group of statistics. – bucket-number: (Optional) a value associated with the number of buckets specified for the RMON collection history group of statistics. The value is limited to from 1 to 1000. The default is 50 (as defined in RFC-2819). – interval: (Optional) specifies the number of seconds in each polling cycle. – seconds: (Optional) the number of seconds in each polling cycle.
45 Rapid Spanning Tree Protocol (RSTP) Rapid spanning tree protocol (RSTP) is supported on the MXL switch platform. Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). The Dell operating system (OS) supports three other variations of spanning tree, as shown in the following table. Table 54.
• Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task, so avoid using the range command. When using the range command, Dell Networking recommends limiting the range to five ports and 40 VLANs. Configuring Interfaces for Layer 2 Mode To configure and enable interfaces in Layer 2 mode, use the following commands. All interfaces on all bridges that participate in Rapid Spanning Tree must be in Layer 2 and enabled. 1.
Example of Verifying that RSTP is Enabled
Example of the show spanning-tree rstp Command
Example of the show spanning-tree rstp brief Command
To disable RSTP globally for all Layer 2 interfaces, enter the disable command from PROTOCOL SPANNING TREE RSTP mode. To verify that RSTP is enabled, use the show config command from PROTOCOL SPANNING TREE RSTP mode. The bold line indicates that RSTP is enabled.
Dell(conf-rstp)#show config
!
protocol spanning-tree rstp
 no disable
Dell(conf-rstp)#
Figure 108.
Number of transitions to forwarding state 1
BPDU : sent 121, received 9
The port is not in the Edge port mode, bpdu filter is disabled
Port 378 (TenGigabitethernet 2/2) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.378
Designated root has priority 32768, address 0001.e801.cbb4
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.
• Remove an interface from the Rapid Spanning Tree topology. no spanning-tree 0 For bridge protocol data units (BPDU) filtering behavior, refer to Removing an Interface from the Spanning Tree Group. Modifying Global Parameters You can modify RSTP parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in the Rapid Spanning Tree group.
• Change the max-age parameter. PROTOCOL SPANNING TREE RSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode. Enable BPDU Filtering Globally Enabling BPDU filtering stops the transmission of BPDUs on operational port-fast-enabled ports by default. When BPDUs are received, the spanning tree is automatically prepared.
spanning-tree rstp cost cost
The range is from 0 to 65535. The default is listed in the previous table.
• Change the port priority of an interface.
INTERFACE mode
spanning-tree rstp priority priority-value
The range is from 0 to 240. The default is 128.
To view the current values for interface parameters, use the show spanning-tree rstp command from EXEC privilege mode. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner.
Dell(conf-if-te-2/0)#show config
!
interface TenGigabitethernet 2/0
 no ip address
 switchport
 spanning-tree rstp edge-port
 shutdown
Dell(conf-if-te-2/0)#
Influencing RSTP Root Selection
RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command.
• Assign a number as the bridge priority or designate it as the primary or secondary root.
Root ID Priority 0, Address 0001.e811.2233
Root Bridge hello time 50 ms, max age 20, forward delay 15
Bridge ID Priority 0, Address 0001.e811.2233
We are the root
Configured hello time 50 ms, max age 20, forward delay 15
NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second. The standard minimum hello time in seconds is 1 second, which is encoded as 256. Millisecond hello times are encoded using values less than 256; the millisecond hello time equals (x/1000)*256.
46 Security Security features are supported on the MXL switch platform. This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide. AAA Accounting Authentication, authorization, and accounting (AAA) accounting is part of the AAA security model.
– system: sends accounting information of any other AAA configuration. – default | name: enter the name of a list of accounting methods. – start-stop: use for more accounting information, to send a start-accounting notice at the beginning of the requested event and a stop-accounting notice at the end. – wait-start: ensures that the TACACS+ security server acknowledges the start notice before granting the user's process request.
Monitoring AAA Accounting The Dell Networking OS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command. • Step through all active sessions and print all the accounting records for the actively accounted functions.
Configuring AAA Authentication Login Methods To configure an authentication method and method list, use the following commands. Dell Networking OS Behavior: If you use a method list on the console port in which RADIUS or TACACS is the last authentication method, and the server is not reachable, the system allows access even though the username and password credentials cannot be verified.
Enabling AAA Authentication — RADIUS To enable authentication from the RADIUS server, and use TACACS as a backup, use the following commands. 1. Enable RADIUS and set up TACACS as backup. CONFIGURATION mode aaa authentication enable default radius tacacs 2. Establish a host address and password. CONFIGURATION mode radius-server host x.x.x.x key some-password 3. Establish a host address and password. CONFIGURATION mode tacacs-server host x.x.x.
• Privilege level 1 — is the default level for EXEC mode. At this level, you can interact with the router, for example, view some show commands and Telnet and ping to test connectivity, but you cannot configure the router. This level is often called the “user” level. One of the commands available in Privilege level 1 is the enable command, which you can use to enter a specific privilege level. • Privilege level 0 — contains only the end, enable, and disable commands.
Configuring the Enable Password Command To configure the Dell Networking OS, use the enable command to enter EXEC Privilege level 15. After entering the command, the system requests that you enter a password. Privilege levels are not assigned to passwords, rather passwords are assigned to a privilege level. You can always change a password for any privilege level. To change to a different privilege level, enter the enable command, then the privilege level.
• level level: specify a level from 0 to 15. Level 15 includes all levels. • encryption-type: enter 0 for plain text or 7 for encrypted text. • password: enter a text string up to 32 characters long. To change only the password for the enable command, configure only the password parameter. 3. Configure level and commands for a mode or reset a command’s level.
Connected to 172.31.1.53. Escape character is '^]'.
If you enter disable without a level-number, your security level is 1. RADIUS Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol. This protocol transmits authentication, authorization, and configuration information between a central RADIUS server and a RADIUS client (the Dell Networking system). The system sends user information to the RADIUS server and requests authentication of the user and password.
• If an ACL is absent. • If there is a very long delay for an entry, or a denied entry because of an ACL, and a message is logged. NOTE: The ACL name must be a string. Only standard ACLs in authorization (both RADIUS and TACACS) are supported. Authorization is denied in cases using Extended ACLs. Auto-Command You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line.
aaa authorization exec {method-list-name | default} radius tacacs+ Typical order of methods: RADIUS, TACACS+, Local, None. If RADIUS denies authorization, the session ends (RADIUS must not be the last method specified). Applying the Method List to Terminal Lines To enable RADIUS AAA login authentication for a method list, apply it to a terminal line. To configure a terminal line for RADIUS authentication and authorization, use the following commands. • Enter LINE mode.
Setting Global Communication Parameters for all RADIUS Server Hosts You can configure global communication parameters (auth-port, key, retransmit, and timeout parameters) and specific host communication parameters on the same system. However, if you configure both global and specific host parameters, the specific host parameters override the global parameters for that RADIUS server host. To set global communication parameters for all RADIUS server hosts, use the following commands.
• TACACS+ Remote Authentication and Authorization
• Specifying a TACACS+ Server Host
• Choosing TACACS+ as the Authentication Method
For a complete listing of all commands related to TACACS+, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
Choosing TACACS+ as the Authentication Method
One of the login authentication methods available is TACACS+; the user’s name and password are sent for authentication to the TACACS hosts specified.
aaa authorization exec default tacacs+ none
aaa authorization commands 1 default tacacs+ none
aaa authorization commands 15 default tacacs+ none
aaa accounting exec default start-stop tacacs+
aaa accounting commands 1 default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
Dell(conf)#
Dell(conf)#do show run tacacs+
!
tacacs-server key 7 d05206c308f4d35b
tacacs-server host 10.10.10.
Dell(config-line-vty)#access-class deny10 Dell(config-line-vty)#end Specifying a TACACS+ Server Host To specify a TACACS+ server host and configure its communication parameters, use the following command. • Enter the host name or IP address of the TACACS+ server host. CONFIGURATION mode tacacs-server host {hostname | ip-address} [port port-number] [timeout seconds] [key key] Configure the optional communication parameters for the specific host: – port port-number: the range is from 0 to 65535.
Enabling SCP and SSH Secure shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. The Dell Networking OS is compatible with SSH versions 1.5 and 2, both the client and server modes. SSH sessions are encrypted and use authentication. Starting with Dell Networking OS Release 9.2(0.0), SSH is enabled by default. For details about the command syntax, refer to the Security chapter in the Dell Networking OS Command Line Interface Reference Guide.
ip ssh server port number 2. On Chassis One, enable SSH. CONFIGURATION mode ip ssh server enable 3. On Chassis Two, invoke SCP. CONFIGURATION mode copy scp: flash: 4. On Chassis Two, in response to prompts, enter the path to the desired file and enter the port number specified in Step 1. EXEC Privilege mode Example of Using SCP to Copy from an SSH Server on Another Switch Other SSH-related commands include: • crypto key generate: generate keys for the SSH server.
Configuring When to Re-generate an SSH Key You can configure the time-based or volume-based rekey threshold for an SSH session. If both threshold types are configured, the session rekeys when either one of the thresholds is reached. To configure the time or volume rekey threshold at which to re-generate the SSH key during an SSH session, use the ip ssh rekey [time rekey-interval] [volume rekey-limit] command. CONFIGURATION mode.
hmac-algorithm: Enter a space-delimited list of keyed-hash message authentication code (HMAC) algorithms supported by the SSH server. The following HMAC algorithms are available:
• hmac-md5
• hmac-md5-96
• hmac-sha1
• hmac-sha1-96
• hmac-sha2-256
• hmac-sha2-256-96
By default, all six algorithms are enabled. When FIPS is enabled, the default HMAC algorithm is hmac-sha1-96.
NOTE: The MD5-based algorithms and the -96 variants (authentication tags truncated to 96 bits) are offered for client compatibility, not for strength. Unless a legacy client needs them, restrict the list to hmac-sha2-256, with hmac-sha1 as a fallback, and confirm the resulting list in the running configuration.
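The HMAC list above is negotiated in the clear during the SSH key exchange, so it can be audited without credentials. The following is an added example (not Dell code, not part of this guide) that parses an SSH_MSG_KEXINIT packet and flags the MD5-based and 96-bit-truncated MACs; the sample packet is constructed from the default list quoted above, and the algorithm names used for the other lists (diffie-hellman-group14-sha1, ssh-rsa, aes128-ctr) are assumptions for the sample only. probe_server() is the live variant that reads a real server's KEXINIT.

```python
"""Parse an SSH_MSG_KEXINIT and flag weak HMAC offerings.

Added example, not Dell code. SAMPLE_KEXINIT is CONSTRUCTED from the default
HMAC list printed in the guide; probe_server() performs the same check live.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20
NAME_LISTS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Default HMAC list from the guide, in the order it is printed there.
DELL_DEFAULT_MACS = ("hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96",
                     "hmac-sha2-256", "hmac-sha2-256-96")


def _name_list(names):
    """RFC 4251 name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)):
    """Build a KEXINIT payload (RFC 4253 s7.1) offering the same lists in both directions."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16   # cookie: zero here, random on the wire
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        payload += _name_list(names)
    return payload + b"\x00" + struct.pack(">I", 0)     # first_kex_packet_follows, reserved


def wrap_packet(payload, block=8):
    """Binary packet framing (RFC 4253 s6): packet_length, padding_length, payload, padding."""
    pad = block - ((len(payload) + 5) % block)
    if pad < 4:                                          # the protocol requires >= 4 bytes of padding
        pad += block
    body = bytes([pad]) + payload + b"\x00" * pad
    return struct.pack(">I", len(body)) + body


def parse_kexinit(packet):
    """Return {list_name: [algorithm, ...]} from one framed, unencrypted KEXINIT packet."""
    (packet_length,) = struct.unpack(">I", packet[:4])
    pad = packet[4]
    payload = packet[5:4 + packet_length - pad]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT packet")
    off = 17                                             # message id + 16-byte cookie
    lists = {}
    for name in NAME_LISTS:
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        raw = payload[off:off + n].decode("ascii")
        off += n
        lists[name] = raw.split(",") if raw else []
    return lists


def classify_mac(name):
    """weak: MD5-based or 96-bit truncated tag; legacy: full-tag HMAC-SHA1; ok: SHA-2 family."""
    if name.startswith("hmac-md5") or name.endswith("-96"):
        return "weak"
    if name == "hmac-sha1":
        return "legacy"
    return "ok"


def weak_macs(kexinit):
    """Sorted server-to-client MACs that a client should refuse to negotiate."""
    return sorted(m for m in kexinit["mac_s2c"] if classify_mac(m) == "weak")


def probe_server(host, port=22, timeout=5.0):
    """Live variant: exchange banners, then read and parse the server's KEXINIT (sent in the clear)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:                                      # skip any pre-banner lines (RFC 4253 s4.2)
            line = f.readline()
            if not line or line.startswith(b"SSH-"):
                break
        s.sendall(b"SSH-2.0-macaudit\r\n")
        hdr = f.read(4)
        (length,) = struct.unpack(">I", hdr)
        return parse_kexinit(hdr + f.read(length))


# Constructed sample: what a switch offering the guide's default HMAC list would send.
SAMPLE_KEXINIT = wrap_packet(build_kexinit(
    kex=("diffie-hellman-group14-sha1",), hostkey=("ssh-rsa",),
    enc=("aes128-ctr",), mac=DELL_DEFAULT_MACS))

if __name__ == "__main__":
    for mac in parse_kexinit(SAMPLE_KEXINIT)["mac_s2c"]:
        print(f"{mac:20s} {classify_mac(mac)}")
```

Run against a real switch with probe_server("10.10.10.1") after applying the hmac-algorithm change; anything still reported as weak means the running configuration did not take effect.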
Secure Shell Authentication
Secure Shell (SSH) is enabled by default starting with Dell Networking OS Release 9.2(0.0); on earlier releases, enable it using the ip ssh server enable command. SSH supports three methods of authentication:
• Enabling SSH Authentication by Password
• Using RSA Authentication of SSH
• Configuring Host-Based SSH Authentication
Important Points to Remember
• If you enable more than one method, the order in which the methods are preferred is based on the ssh_config file on the Unix machine.
EXEC Privilege mode
ip ssh rsa-authentication my-authorized-keys flash://public_key
Example of Generating RSA Keys
admin@Unix_client#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
/home/admin/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
id_rsa  id_rsa.pub  shosts
admin@Unix_client# cat shosts
10.16.127.201, ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8K7jLZRVfjgHJzUOmXxuIbZx/AyW
hVgJDQh39k8v3e8eQvLnHBIsqIL8jVy1QHhUeb7GaDlJVEDAMz30myqQbJgXBBRTWgBpLWwL/
admin@Unix_client# ls
id_rsa  id_rsa.pub  rhosts  shosts
admin@Unix_client# cat rhosts
10.16.127.201 admin
NOTE: Host-based authentication trusts the client host's key (shosts) together with the address-to-username pairing in rhosts; whoever controls that host logs in without a password. Keep both files tightly controlled and list only the hosts and users that genuinely need this access.
Using Client-Based SSH Authentication
To SSH from the chassis to the SSH client, use the following command. This method uses SSH version 1 or version 2.
VTY Line and Access-Class Configuration
Various methods are available to restrict VTY access in the Dell Networking OS. These depend on which authentication scheme you use — line, local, or remote.
Table 56. VTY Access
Authentication Method   VTY access-class support?   Username access-class support?   Remote authorization support?
Line                    YES                         NO                               NO
Local                   NO                          YES                              NO
TACACS+                 YES                         NO                               YES (with the Dell Networking OS version 5.2.1.0 and later)
RADIUS                  YES                         NO                               YES (with the Dell Networking OS version 6.
Dell(config-line-vty)#login authentication localmethod
Dell(config-line-vty)#end
VTY Line Remote Authentication and Authorization
The Dell Networking OS retrieves the access class from the VTY line and applies it to ALL users. The system does not need to know the identity of the incoming user and can immediately apply the access class.
• Creating a New User Role • Modifying Command Permissions for Roles • Adding and Deleting Users from a Role • Role Accounting • Configuring AAA Authentication for Roles • Configuring AAA Authorization for Roles • Configuring an Accounting for Roles • Applying an Accounting Method to a Role • Displaying Active Accounting Sessions for Roles • Configuring TACACS+ and RADIUS VSA Attributes for RBAC • Displaying User Roles • Displaying Accounting for User Roles • Displaying Information
using the aaa authorization role-only command in Configuration mode, the Dell Networking OS checks to ensure that you do not lock yourself out and that the user authentication is available for all terminal lines. Pre-requisites Before you enable role-based only AAA authorization: 1. Locally define a system administrator user role. This will give you access to login with full permissions even if network connectivity to remote authentication servers is not available. 2.
The system defined user roles are as follows: • Network Operator (netoperator) - This user role has no privilege to modify any configuration on the switch. You can access Exec mode (monitoring) to view the current configuration and status information. • Network Administrator (netadmin): This user role can configure, display, and debug the network operations on the switch. You can access all of the commands that are available from the network operator user role.
userrole name [inherit existing-role-name] 2. Verify that the new user role has inherited the security administrator permissions. Dell(conf)#do show userroles EXEC Privilege mode 3. After you create a user role, configure permissions for the new user role. See Modifying Command Permissions for Roles. Example of Creating a User Role The configuration in the following example creates a new user role, myrole, which inherits the security administrator (secadmin) permissions.
The following example denies the netadmin role from using the show users command and then verifies that netadmin cannot access the show users command in exec mode. Note that the netadmin role is not listed in the Role access: secadmin,sysadmin, which means the netadmin cannot access the show users command.
Dell(conf)#do show role mode configure line Role access:sysadmin Example: Grant and Remove Security Administrator Access to Configure Protocols By default, the system defined role, secadmin, is not allowed to configure protocols. The following example first grants the secadmin role to configure protocols and then removes access to configure protocols.
the lack of security these methods are not available for role only mode. When the system is in role-only mode, users that have only privilege levels are denied access to the system because they do not have a role. For information about role only mode, see Configuring Role-based Only AAA Authorization. NOTE: Authentication services only validate the user ID and password combination. To determine which commands are permitted for users, configure authorization.
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 2
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 3
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 4
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 5
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 6
 login authenticat
In the following example, you create an AV pair for a system-defined role, sysadmin.
Force10-avpair= "shell:role=sysadmin"
In the following example, you create an AV pair for a user-defined role. You must also define a role, using the userrole myrole inherit command on the switch, to associate it with this AV pair.
Force10-avpair= "shell:role=myrole"
The string "myrole" is associated with a TACACS+ user group. The user IDs are associated with the user group.
service=shell
Display Information About User Roles
This section describes how to display information about user roles. It consists of the following topics:
• Displaying User Roles
• Displaying Information About Roles Logged into the Switch
• Displaying Active Accounting Sessions for Roles
Displaying User Roles
To display the configured user roles, use the show userroles command in EXEC Privilege mode; to display the roles of the users currently logged in, use the show users command in the same mode.
* 3 vty 1   sec1   secadmin   14   idle   172.31.1.4
  4 vty 2   ml1    netadmin   12   idle   172.31.1.
47 Service Provider Bridging Service provider bridging is supported on the MXL switch platform. VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. VLAN stacking enables service providers to use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. Using only 802.
Figure 110. VLAN Stacking in a Service Provider Network Important Points to Remember • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN. • Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN. Configure VLAN Stacking Configuring VLAN-Stacking is a three-step process. 1.
• Debugging VLAN Stacking • VLAN Stacking in Multi-Vendor Networks Creating Access and Trunk Ports To create access and trunk ports, use the following commands. • Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN. • Trunk port — a port on a service provider bridge that connects to another service provider bridge and is a member of multiple service provider VLANs.
Codes: * - Default VLAN, G - GVRP VLANs
    NUM   Status     Q Ports
*   1     Active     U Gi 13/0-5,18
    2     Inactive
    3     Inactive
    4     Inactive
    5     Inactive
    6     Active     M Po1(Gi 13/14-15)
                     M Gi 13/13
Dell#
Configuring the Protocol Type Value for the Outer VLAN Tag
The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command.
• Select a value for the S-Tag TPID.
  CONFIGURATION mode
  vlan-stack protocol-type
  The default is 0x9100.
Dell(conf-if-vl-100)#interface vlan 101
Dell(conf-if-vl-101)#tagged gigabitethernet 0/1
Dell(conf-if-vl-101)#interface vlan 103
Dell(conf-if-vl-103)#vlan-stack compatible
Dell(conf-if-vl-103-stack)#member gigabitethernet 0/1
Dell(conf-if-vl-103-stack)#do show vlan
Codes: * - Default VLAN, G - GVRP VLANs
       Q: U - Untagged, T - Tagged
          x - Dot1x untagged, X - Dot1x tagged
          G - GVRP tagged, M - Vlan-stack
    NUM   Status     Description   Q Ports
*   1     Inactive
    100   Inactive                 U Gi 0/1
    101   Inactive                 T Gi 0/1
    103   Inactive                 M Gi 0/1
VLAN Stacking The default TPID for the outer VLAN tag is 0x9100. Beginning with the Dell Networking OS version 8.2.1.0, the system allows you to configure both bytes of the 2 byte TPID. Previous versions allowed you to configure the first byte only, and thus, the systems did not differentiate between TPIDs with a common first byte. For example, 0x8100 and any other TPID beginning with 0x81 were treated as the same TPID, as shown in the following illustration. The Dell Networking OS Versions 8.2.1.
Figure 111.
Figure 112.
Figure 113. Single and Double-Tag TPID Mismatch Table 57. Behaviors for Mismatched TPID Network Position Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
Precedence   Description
Green        High-priority packets that are the least preferred to be dropped.
Yellow       Lower-priority packets that are treated as best-effort.
Red          Lowest-priority packets that are always dropped (regardless of congestion status).
• Honor the incoming DEI value by mapping it to the Dell Networking OS drop precedence.
  INTERFACE mode
  dei honor {0 | 1} {green | red | yellow}
  You may enter the command once for 0 and once for 1. Packets with an unmapped DEI value are colored green.
Dynamic Mode CoS for VLAN Stacking One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.1p bits on the S-Tag may be configured statically for each customer or derived from the C-Tag using Dynamic Mode CoS. Dynamic Mode CoS maps the C-Tag 802.1p value to a S-Tag 802.1p value. Figure 114.
Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3. All other packets will have outer dot1p 0 and hence are queued to Queue 1. They are therefore policed according to qos-policy-input 1.
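The two behaviours described above, the configurable S-Tag TPID with first-byte versus two-byte matching, and the dynamic-mode mapping of C-Tag 802.1p bits onto the S-Tag, are easy to get wrong when building test traffic. The following is an added example (not Dell code, not part of this guide) that pushes and pops an S-Tag on a constructed Ethernet frame and shows why a 0x8181-tagged frame is treated as an S-Tag by first-byte matching but not by full matching. The frame contents, the VLAN IDs and the dot1p map (C-Tag dot1p 0–3 to outer dot1p 7, taken from the example above) are all constructed.

```python
"""Push and pop an 802.1ad S-tag with a configurable TPID and compare
first-byte TPID matching (pre-8.2.1.0 behaviour described in the guide)
with full two-byte matching (8.2.1.0 and later).

Added example, not Dell code. Frames, VLAN IDs and the dot1p map are constructed.
"""
import struct

TAG = struct.Struct("!HH")       # TPID, TCI
C_TPID = 0x8100                  # customer tag
DEFAULT_S_TPID = 0x9100          # the guide's default outer-tag TPID


def make_tci(pcp, dei, vid):
    return (pcp << 13) | (dei << 12) | (vid & 0x0FFF)


def split_tci(tci):
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def tpid_matches(frame_tpid, system_tpid, full_match=True):
    """full_match=False reproduces the first-byte-only comparison of releases before 8.2.1.0."""
    if full_match:
        return frame_tpid == system_tpid
    return (frame_tpid >> 8) == (system_tpid >> 8)


def push_stag(frame, svid, system_tpid=DEFAULT_S_TPID, pcp_map=None):
    """Access-port ingress: insert the S-tag after the MAC addresses.
    With a pcp_map (dynamic-mode CoS) the outer dot1p is derived from the C-tag dot1p; otherwise it is 0."""
    body = frame[12:]
    pcp = 0
    if pcp_map and len(body) >= 4 and TAG.unpack_from(body)[0] == C_TPID:
        c_pcp, _, _ = split_tci(TAG.unpack_from(body)[1])
        pcp = pcp_map.get(c_pcp, 0)
    return frame[:12] + TAG.pack(system_tpid, make_tci(pcp, 0, svid)) + body


def pop_stag(frame, system_tpid=DEFAULT_S_TPID, full_match=True):
    """Access-port egress: strip the outer tag only if its TPID is recognised as the S-tag TPID.
    Returns (frame, (pcp, dei, vid)) or (frame, None) when nothing was stripped."""
    tpid, tci = TAG.unpack_from(frame, 12)
    if not tpid_matches(tpid, system_tpid, full_match):
        return frame, None
    return frame[:12] + frame[16:], split_tci(tci)


def outer_tag(frame):
    """(TPID, pcp, dei, vid) of the first tag, for inspection."""
    tpid, tci = TAG.unpack_from(frame, 12)
    return (tpid,) + split_tci(tci)


# Constructed customer frame: C-tag VLAN 100, dot1p 3, IPv4 EtherType, payload truncated.
DST = bytes.fromhex("001ec9f100e3")
SRC = bytes.fromhex("0001e80695ac")
CUSTOMER_FRAME = DST + SRC + TAG.pack(C_TPID, make_tci(3, 0, 100)) + b"\x08\x00" + b"\x45" * 4

# Dynamic-mode CoS map from the guide's example: C-tag dot1p 0-3 -> outer dot1p 7.
PCP_MAP = {0: 7, 1: 7, 2: 7, 3: 7}

if __name__ == "__main__":
    stacked = push_stag(CUSTOMER_FRAME, svid=103, pcp_map=PCP_MAP)
    print("outer tag:", outer_tag(stacked))
    # A frame tagged 0x8181 against a system TPID of 0x8100: matched (and stripped)
    # by the first-byte comparison, left alone by the two-byte comparison.
    odd = DST + SRC + TAG.pack(0x8181, make_tci(0, 0, 5)) + b"\x08\x00"
    print("pre-8.2.1.0 strips:", pop_stag(odd, 0x8100, full_match=False)[1] is not None)
    print("8.2.1.0+ strips:   ", pop_stag(odd, 0x8100, full_match=True)[1] is not None)
```

The same push/pop pair can be fed into a packet generator to confirm that a customer frame with an unexpected outer TPID is not silently accepted as a provider-tagged frame at the edge.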
Layer 2 Protocol Tunneling Spanning tree bridge protocol data units (BPDUs) use a reserved destination MAC address called the bridge group address, which is 01-80-C2-00-00-00. Only spanning-tree bridges on the local area network (LAN) recognize this address and process the BPDU.
Dell Networking OS Behavior: In the Dell Networking OS versions prior to 8.2.1.0, the MAC address that Dell Networking systems use to overwrite the Bridge Group Address on ingress was non-configurable. The value of the L2PT MAC address was the Dell Networking-unique MAC address, 01-01-e8-00-00-00.
Enabling Layer 2 Protocol Tunneling
To enable Layer 2 protocol tunneling, use the following commands.
1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
   EXEC Privilege mode
   show cam-profile
2. Enable protocol tunneling globally on the system.
   CONFIGURATION mode
   protocol-tunnel enable
3. Tunnel BPDUs on the VLAN.
The default is: no rate limiting. The range is from 64 to 320 kbps. Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command. • Display debugging information for L2PT. EXEC Privilege mode debug protocol-tunnel Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.
48 sFlow Configuring sFlow is supported on the MXL switch platform. Overview The Dell Networking operating system (OS) supports sFlow version 5. sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers. sFlow uses two types of sampling: • Statistical packet-based sampling of switched or routed packet flows.
• 802.1P source priority field is not filled in extended switch element in sFlow datagram. • Only Destination and Destination Peer AS number are packed in the dst-as-path field in extended gateway element. • If the packet being sampled is redirected using policy-based routing (PBR), the sFlow datagram may contain incorrect extended gateway/router information. • The source virtual local area network (VLAN) field in the extended switch element is not packed in case of routed packet.
Counter polling interval    :20
Extended max header size    :256
Samples rcvd from h/w       :0
Example of the show sflow command
The "Global default extended maximum header size" line shows the sFlow default maximum header size:
Dell#show sflow
sFlow services are enabled
Egress Management Interface sFlow services are disabled
Global default sampling rate: 32768
Global default counter polling interval: 20
Global default extended maximum header size: 128 bytes
Global extended information enabled: none
1 collectors configured
Collector IP addr: 100.1.1.
• Displaying Show sFlow on an Interface • Displaying Show sFlow on a Stack Unit Displaying Show sFlow Global To view sFlow statistics, use the following command. • Display sFlow configuration information and statistics. EXEC mode show sflow Example of Viewing sFlow Configuration (Global) The first bold line indicates sFlow is globally enabled.
UDP packets dropped          :0
Dell#
Configuring Specify Collectors
The sflow collector command allows identification of sFlow collectors to which sFlow datagrams are forwarded. You can specify up to two sFlow collectors. If you specify two collectors, the samples are sent to both.
• Identify sFlow collectors to which sFlow datagrams are forwarded.
  CONFIGURATION mode
  sflow collector ip-address agent-addr ip-address [number [max-datagram-size number]] | [max-datagram-size number]
  The default UDP port is 6343.
NOTE: sFlow datagrams are plain UDP with no authentication or encryption, and each sample carries the leading bytes of a forwarded packet. Send them to collectors over a management network that untrusted hosts can neither read nor inject into.
Sub-Sampling The sFlow sample rate is not the frequency of sampling, but the number of packets that are skipped before the next sample is taken. Therefore, the sFlow agent uses sub-sampling to create multiple sampling rates per port-pipe. To achieve different sampling rates for different ports in a port-pipe, the sFlow agent takes the lowest numerical value of the sampling rate of all the ports within the portpipe and configures all the ports to this value.
• By default packing of any of the extended information in the datagram is disabled. Confirm that extended information packing is enabled. show sflow Example of Verifying Extended sFlow is Enabled Example of Verifying Extended sFlow Disabled The bold line shows that extended sFlow settings are enabled on all three types.
49 Simple Network Management Protocol (SNMP) Simple network management protocol (SNMP) is supported on the MXL switch platform. Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB).
• Manage VLANs using SNMP • Enabling and Disabling a Port using SNMP • Fetch Dynamic MAC Entries using SNMP • Deriving Interface Indices • Monitor Port-Channels • Troubleshooting SNMP Operation Important Points to Remember • Typically, 5-second timeout and 3-second retry values on an SNMP server are sufficient for both LAN and WAN applications.
Keep the following points in mind when you configure the AES128-CFB algorithm for SNMPv3: 1. SNMPv3 authentication provides only the sha option when the FIPS mode is enabled. 2. SNMPv3 privacy provides only the aes128 privacy option when the FIPS mode is enabled. 3. If you attempt to enable or disable FIPS mode and if any SNMPv3 users are previously configured, an error message is displayed stating you must delete all of the SNMP users before changing the FIPS mode. 4.
• noauth — no password or privacy. Select this option to set up a user with no password or privacy privileges. This setting is the basic configuration. Users must have a group and profile that do not require password privileges.
• auth — password privileges. Select this option to set up a user with password authentication.
• priv — password and privacy privileges. Select this option to set up a user with password and privacy privileges.
NOTE: With noauth, as with SNMPv1/v2c community strings, every request and response crosses the network in the clear and the only secret is the name of the group or community. Use priv for any management station that is allowed to write, and auth at minimum for read-only stations.
Reading Managed Object Values You may only retrieve (read) managed object values if your management station is a member of the same community as the SNMP agent. Dell Networking supports RFC 4001, Textual Conventions for Internet Work Addresses that defines values representing a type of internet address. These values display for ipAddressTable objects using the snmpwalk command. There are several UNIX SNMP commands that read data. • Read the value of a single managed object.
Writing Managed Object Values You may only alter (write) a managed object value if your management station is a member of the same community as the SNMP agent, and the object is writable. Use the following command to write or write-over the value of a managed object. • To write or write-over the value of a managed object. snmpset -v version -c community agent-ip {identifier.instance | descriptor.instance}syntax value Example of Writing the Value of a Managed Object > snmpset -v 2c -c mycommunity 10.11.
The default is None.
Subscribing to Managed Object Value Updates using SNMP
By default, the Dell Networking system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system. The Dell Networking OS supports the following three sets of traps:
• RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighborLoss.
Enabling a Subset of SNMP Traps You can enable a subset of Dell Networking enterprise-specific SNMP traps using one of the following listed command options. To enable a subset of Dell Networking enterprise-specific SNMP traps, use the following command. • Enable a subset of SNMP traps. snmp-server enable traps NOTE: The envmon option enables all environment traps including those traps that are enabled with the envmon supply, envmon temperature, and envmon fan options.
INTEGER: 1 10.16.130.140 [10.16.130.140]: Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (625882) 1:44:18.82, SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp, IF-MIB::ifIndex.45158657 = INTEGER: 45158657, SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Te 0/43", SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 14 10.16.130.140 [10.16.130.140]: Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (645746) 1:47:37.46, SNMPv2-MIB::snmpTrapOID.
NOTE: If a syslog server failure event is generated before the SNMP agent service starts, then SNMP trap is not sent successfully. To enable an SNMP agent to send a trap when the syslog server is not reachable, use the following command: CONFIGURATION MODE snmp-server enable traps snmp syslog-unreachable To enable an SNMP agent to send a trap when the syslog server resumes connectivity, use the following command: CONFIGURATION MODE snmp-server enable traps snmp syslog-reachable Table 59.
Table 60. MIB Objects for Copying Configuration Files via SNMP
MIB Object            OID                                Object Values                 Description
copySrcFileType       .1.3.6.1.4.1.6027.3.5.1.1.1.1.2    1 = Dell Networking OS file   Specifies the type of file to copy from.
                                                         2 = running-config
                                                         3 = startup-config
copySrcFileLocation   .1.3.6.1.4.1.6027.3.5.1.1.1.1.3    1 = flash                     If copySrcFileType is running-config or startup-config, the default copySrcFileLocation is flash.
                                                         2 = n/a
                                                                                       must also specify copyUserName and copyUserPassword.
copyUserName          .1.3.6.1.4.1.6027.3.5.1.1.1.1.9    Username for the server.      Username for the FTP, TFTP, or SCP server.
copyUserPassword      .1.3.6.1.4.1.6027.3.5.1.1.1.1.10   Password for the server.      Password for the FTP, TFTP, or SCP server. If you specify copyUserName, you must also specify copyUserPassword.
Copying a Configuration File
To copy a configuration file, use the following commands.
1.
Copying Configuration Files via SNMP
To copy the running-config to the startup-config from the UNIX machine, use the following command.
• Copy the running-config to the startup-config from the UNIX machine.
  snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 2 copyDestFileType.
• precede the values for copyUserName and copyUserPassword by the keyword s.
Example of Copying Configuration Files via FTP From a UNIX Machine
> snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.110 i 2 copyDestFileName.110 s /home/startup-config copyDestFileLocation.110 i 4 copyServerAddress.110 a 11.11.11.11 copyUserName.110 s mylogin copyUserPassword.110 s mypass
FORCE10-COPY-CONFIG-MIB::copySrcFileType.
NOTE: With SNMPv2c this request carries the community string and the FTP username and password in cleartext, and the configuration itself is then transferred in cleartext over FTP. Any station that holds the write community can use the same objects to copy the switch configuration to a server it controls, so limit which stations have write access, prefer SNMPv3 with priv for this operation, and prefer SCP over FTP or TFTP as the transfer method.
Additional MIB Objects to View Copy Statistics
Dell Networking provides more MIB objects to view copy statistics, as shown in the following table.
Table 61. Additional MIB Objects for Copying Configuration Files via SNMP
MIB Object        OID                                Values           Description
copyState         .1.3.6.1.4.1.6027.3.5.1.1.1.1.11   1 = running      Specifies the state of the copy operation.
                                                     2 = successful
                                                     3 = failed
copyTimeStarted   .1.3.6.1.4.1.6027.3.5.1.1.1.1.
• To view the available flash memory using SNMP, use the following command. snmpget -v2c -c public 192.168.60.120 .1.3.6.1.4.1.6027.3.10.1.2.9.1.6.1 enterprises.6027.3.10.1.2.9.1.5.1 = Gauge32: 24 The output above displays that 24% of the flash memory is used. MIB Support to Display the Software Core Files Generated by the System Dell Networking provides MIB objects to display the software core files generated by the system.
enterprises.6027.3.10.1.2.10.1.4.1.2 = 1
enterprises.6027.3.10.1.2.10.1.4.1.3 = 1
enterprises.6027.3.10.1.2.10.1.4.2.1 = 0
enterprises.6027.3.10.1.2.10.1.5.1.1 = "flashmntr"
enterprises.6027.3.10.1.2.10.1.5.1.2 = "l2mgr"
enterprises.6027.3.10.1.2.10.1.5.1.3 = "vrrp"   Hex: 76 72 72 70
enterprises.6027.3.10.1.2.10.1.5.2.1 = "sysd"   Hex: 73 79 73 64
The output above lists the software core files generated by the system.
Assigning a VLAN Alias Write a character string to the dot1qVlanStaticName object to assign a name to a VLAN. Example of Assigning a VLAN Alias using SNMP [Unix system output] > snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.1.1107787786 s "My VLAN" SNMPv2-SMI::mib-2.17.7.1.4.3.1.1.
The first hex pair, 00 in the previous example, represents ports 1 to 8 in Stack Unit 0. The next pair to the right represents ports 9 to 16. To resolve a hex pair into a representation of the individual ports, convert the hex pair to binary. Consider the first hex pair 00, which resolves to 0000 0000 in binary:
• Each position in the 8-character string is for one port, starting with Port 1 at the left end of the string, and ending with Port 8 at the right end.
SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.1107787786 = Hex-STRING: 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SNMPv2-SMI::mib-2.17.7.1.4.3.1.4.
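Converting the Hex-STRING by hand is error-prone once a VLAN spans several stack units, and a wrong bitmap written back with snmpset silently changes egress membership. The following is an added example (not Dell code, not part of this guide) that decodes a port bitmap into 1-based port numbers using the bit layout described above, encodes a port list back into the Hex-STRING form, and diffs two bitmaps before a write. The sample value is constructed (shortened) from the 40 00 00 ... output shown above.

```python
"""Decode and encode the dot1qVlanStaticEgressPorts / dot1qVlanStaticUntaggedPorts bitmap.

Added example, not Dell code. Bit layout as described in the guide: each octet
covers eight ports, most significant bit first, port 1 at the left.
SAMPLE_EGRESS is constructed (shortened) from the value shown in the guide.
"""


def decode_port_bitmap(hex_string):
    """Return the 1-based port numbers whose bit is set in a net-snmp Hex-STRING."""
    octets = bytes.fromhex(hex_string.replace(" ", ""))
    ports = []
    for i, octet in enumerate(octets):
        for bit in range(8):                     # bit 0 = MSB = first port of this octet
            if octet & (0x80 >> bit):
                ports.append(i * 8 + bit + 1)
    return ports


def encode_port_bitmap(ports, n_octets):
    """Inverse operation: build the Hex-STRING to write back with snmpset."""
    octets = bytearray(n_octets)
    for port in ports:
        if not 1 <= port <= n_octets * 8:
            raise ValueError(f"port {port} outside a bitmap of {n_octets} octets")
        idx, bit = divmod(port - 1, 8)
        octets[idx] |= 0x80 >> bit
    return " ".join(f"{o:02X}" for o in octets)


def port_diff(old_hex, new_hex):
    """(added, removed) port lists between the current value and a proposed write."""
    old, new = set(decode_port_bitmap(old_hex)), set(decode_port_bitmap(new_hex))
    return sorted(new - old), sorted(old - new)


# Constructed: the egress-port value shown in the guide, shortened; only port 2 is set.
SAMPLE_EGRESS = "40" + " 00" * 15

if __name__ == "__main__":
    print(decode_port_bitmap(SAMPLE_EGRESS))              # [2]
    proposed = encode_port_bitmap([2, 9, 16], 16)
    print(proposed)
    print(port_diff(SAMPLE_EGRESS, proposed))              # ([9, 16], [])
```

Review the port_diff output before issuing the snmpset; a bitmap that removes ports you did not intend to touch is the usual symptom of an off-by-one in the octet or bit position.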
Fetch Dynamic MAC Entries using SNMP
Dell Networking supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs.
NOTE: The 802.1q Q-BRIDGE MIB defines VLANs with respect to 802.1d, as 802.1d itself does not define them. Because a switchport must belong to a VLAN (the default VLAN or a configured VLAN), all MAC addresses learned on a switchport are associated with a VLAN. For this reason, the Q-Bridge MIB is used for MAC address queries.
------------------------------ MAC Addresses on Dell Networking System ------------------------------
Dell#show mac-address-table
VlanId   Mac Address         Type      Interface      State
1000     00:01:e8:06:95:ac   Dynamic   Tengig 1/21    Active
------------------------------ Query from Management Station ------------------------------
>snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.2.1.17.7.1.2.2.1
SNMPv2-SMI::mib-2.17.7.1.2.2.1.2.1000.0.1.232.6.149.172 = INTEGER: 118
SNMPv2-SMI::mib-2.17.7.1.2.2.1.3.1000.0.1.232.6.149.
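In the walk above the VLAN and the MAC address are encoded in the OID instance (dot1qFdbId followed by the six MAC octets in decimal), and the value is the bridge port. The following is an added example (not Dell code, not part of this guide) that turns such snmpwalk lines back into rows resembling show mac-address-table. The walk output is constructed from the lines above plus a second entry; the assumption that dot1qFdbId equals the VLAN ID follows the example above, and the mapping from bridge port number to interface name is not attempted because the guide does not show it.

```python
"""Decode dot1qTpFdbTable (Q-BRIDGE-MIB) rows from snmpwalk output.

Added example, not Dell code. SAMPLE_WALK is constructed from the walk shown
in the guide plus one extra entry; dot1qFdbId is taken to be the VLAN ID as in
that example. Bridge port -> interface mapping is out of scope.
"""
import re

FDB_PREFIX = "SNMPv2-SMI::mib-2.17.7.1.2.2.1."          # dot1qTpFdbEntry
COLUMNS = {1: "dot1qTpFdbAddress", 2: "dot1qTpFdbPort", 3: "dot1qTpFdbStatus"}
STATUS = {1: "other", 2: "invalid", 3: "learned", 4: "self", 5: "mgmt"}
LINE_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>[A-Za-z-]+): (?P<value>.*)$")


def parse_fdb_oid(oid):
    """Split '...17.7.1.2.2.1.<column>.<fdbId>.<6 MAC octets>' into (column name, fdbId, mac)."""
    if not oid.startswith(FDB_PREFIX):
        raise ValueError("not a dot1qTpFdbTable OID")
    parts = [int(p) for p in oid[len(FDB_PREFIX):].split(".")]
    if len(parts) != 8:
        raise ValueError("expected column + fdbId + 6 MAC sub-identifiers")
    column, fdb_id, mac = parts[0], parts[1], parts[2:]
    if any(not 0 <= o <= 255 for o in mac):
        raise ValueError("MAC sub-identifier out of range")
    return COLUMNS[column], fdb_id, ":".join(f"{o:02x}" for o in mac)


def fdb_table(snmpwalk_output):
    """Group walk lines per (fdbId, MAC) and return rows sorted by VLAN then MAC."""
    rows = {}
    for line in snmpwalk_output.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                     # ignore prompts and blank lines
        column, fdb_id, mac = parse_fdb_oid(m["oid"])
        row = rows.setdefault((fdb_id, mac), {"vlan": fdb_id, "mac": mac})
        if column == "dot1qTpFdbPort":
            row["port"] = int(m["value"])
        elif column == "dot1qTpFdbStatus":
            row["status"] = STATUS.get(int(m["value"]), m["value"])
    return [rows[k] for k in sorted(rows)]


# Constructed walk output: the entry from the guide (bridge port 118) plus a self entry.
SAMPLE_WALK = """
SNMPv2-SMI::mib-2.17.7.1.2.2.1.2.1000.0.1.232.6.149.172 = INTEGER: 118
SNMPv2-SMI::mib-2.17.7.1.2.2.1.3.1000.0.1.232.6.149.172 = INTEGER: 3
SNMPv2-SMI::mib-2.17.7.1.2.2.1.2.20.0.30.201.241.0.227 = INTEGER: 5
SNMPv2-SMI::mib-2.17.7.1.2.2.1.3.20.0.30.201.241.0.227 = INTEGER: 4
"""

if __name__ == "__main__":
    for row in fdb_table(SAMPLE_WALK):
        print(row)
```

Polling this table on a schedule and diffing the rows is a cheap way to spot a MAC address that suddenly appears behind a different bridge port or VLAN.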
Example of Deriving the Interface Index Number
To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object or, to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object.
Table 65. MIB Objects for Viewing the System Image on Flash Partitions
MIB Object                   OID                                Description                                                          MIB
chSysSwInPartitionAImgVers   1.3.6.1.4.1.6027.3.10.1.2.8.1.11   List the version string of the system image in Flash Partition A.   Chassis MIB
chSysSwInPartitionBImgVers   1.3.6.
dot3aCurAggVlanId    SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.1.1.0.0.0.0.0.1.1 = INTEGER: 1
dot3aCurAggMacAddr   SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1 = Hex-STRING: 00 00 00 00 00 01
dot3aCurAggIndex     SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.1 = INTEGER: 1
dot3aCurAggStatus    SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.1 = INTEGER: 1   << 1 = status active, 2 = status inactive
Layer 3 LAG does not include this support.
Entity MIBS
The Entity MIB provides a mechanism for presenting hierarchies of physical entities using SNMP tables. The Entity MIB contains the following groups, which describe the physical elements and logical elements of a managed system. The following tables are implemented for the MXL switch.
Physical Entity
A physical entity or physical component represents an identifiable physical resource within a managed system. Zero or more logical entities may utilize a physical resource at any given time.
• When you query an IPv4 icmpMsgStatsInPkts object in the ICMP table by using the snmpwalk command, the echo response output may not display. To correctly display ICMP statistics, such as echo response, use the show ip traffic command.
50 Stacking Stacking is supported on the MXL switch platform. Stacking is supported on a MXL 10/40GbE switch on the 40GbE ports (for the base module) or a 2-Port 40GbE QSFP+ module. You can connect up to six MXL 10/40GbE switches in a single stack. Stacking provides a single point of management and network interface controller (NIC) teaming for high availability and higher throughput.
Stack Management Roles The stack elects the management units for the stack management. • Stack master — primary management unit, also called the master unit. • Standby — secondary management unit. The master holds the control plane and the other units maintain a local copy of the forwarding databases. From the stack master you can configure: • System-level features that apply to all stack members. • Interface-level features for each stack member.
When an up and running standalone unit or stack is merged with another stack, based on election, the losing stack reloads and the master unit of the winning stack becomes the master of the merged stack. For more details, see sections Adding a Stack Unit and Merging Two Stacks. To ensure a fully synchronised bootup, it is possible to reset individual units to force them to give up the management role; or reload the whole stack from the command line interface (CLI).
NOTE: A ring topology is recommended under normal operation because it provides increased resiliency when compared with a daisy chain topology. In daisy chain topology, any change in a non-edge stack unit causes a split stack. Figure 118. Dual-Ring Stacking Topology for MXL 10/40GbE Switches Example 2: Dual Daisy-Chain Stack Across Multiple Chassis Using two separate, daisy-chained stacks in a stacking topology provides redundancy and increased high availability in case of stack failure.
Figure 119. Dual Daisy-Chain Stacking Topology for MXL 10/40GbE Switches Stack Group/Port Numbers By default, each unit in Standalone mode is numbered stack-unit 0. Stack-unit numbers are assigned to member switches when the stack comes up. The following example shows the stack-group numbers of 40GbE ports on an MXL 10/40GbE switch.
Figure 120. Stack-Group on an MXL 10/40GbE Switch Configuring a Switch Stack Configuring a switch stack is a four step process. To configure and bring up a switch stack, follow these steps: 1. Connect the switches to be stacked with 40G direct attach or QSFP fibre cables. 2. Configure the stacking ports on each switch. 3. All switches must be booted together. 4. (Optional) Configure management priorities, unit numbers, or logical provisioning for stack units.
Master Selection Criteria A Master is elected or re-elected based on the following considerations, in order: 1. The switch with the highest priority at boot time. 2. The switch with the highest MAC address at boot time. 3. A unit is selected as Standby by the administrator, and a fail over action is manually initiated or occurs due to a Master unit failure. No record of previous stack mastership is kept when a stack loses power.
Cabling Stacked Switches Before you configure MXL switches in a stack, connect the 40G direct attach or QSFP cables and transceivers to connect 40GbE ports on switches in the same or different chassis. Cabling Restrictions The following restrictions apply when setting up a stack of MXL 10/40GbE switches. • Only daisy-chain or ring topologies are supported; star and full mesh topologies are not supported.
Password: *****
Dell> enable
Dell# configure
3. Configure a 40GbE port for stacking mode.
   CONFIGURATION mode
   stack-unit unit-number stack-group group-number
   • stack-unit unit-number: the unit number of the member stack unit. The valid values are from 0 to 5. The default value is 0.
   • stack-group group-number: the number of the stacked port on the unit. The valid values are from 0 to 1.
4. Save the stacking configuration on the 40GbE ports.
   EXEC PRIVILEGE mode
   write memory
5.
The default is 0. To revert the management priority of a stack unit to the default value of 0, use the no form of the stack-unit unit-number priority number command. After you reconfigure the priorities of stacked switches, reload the stack so that a new master and standby election is performed. Renumbering a Stack Unit To renumber a stack unit to reset the unit numbering for a master, standby or member unit, use the following command.
• A stack unit can also enter a Card-Problem state after a split-stack reload in which a unit that was previously neither the master nor standby is elected as the new master and has logical stack-unit provisioning configured for a stack-unit number that creates a mismatch with the stack-unit numbering on other units.

Converting 4x10GbE Ports to 40GbE for Stacking
Stacking is supported only on 40GbE links, by connecting 40GbE ports on the base module or a 2-Port QSFP+ module.
If a standalone switch has no stack groups configured, you can add it to a stack. To add a standalone switch to a stack, follow these steps.
1. Power on the switch.
2. Attach QSFP or direct attach cables to connect 40GbE ports on the switch to one or more switches in the stack.
3. Log on to the CLI and enter global configuration mode.
Login: username
Password: *****
Dell> enable
Dell# configure
4. Configure a 40GbE port for stacking.
• All the units in the losing stack reboot and then merge with the winning stack, which has the stack master.
• If there is no unit numbering conflict, the stack members retain their previous unit numbers. Otherwise, the stack master assigns new unit numbers, based on the order in which they come online.
• The new stack master uses its own startup and running configurations to synchronize the configurations on the new stack members.
• Reload a member unit, from the unit itself.
EXEC Privilege mode
reset-self
• Reset a stack unit when the unit is in a problem state.
EXEC Privilege mode
reset stack-unit unit-number hard

Verify a Stack Configuration
The following lists the status of a stacked switch according to the color of the System Status light emitting diodes (LEDs) on its front panel.
• Blue indicates the switch is operating as the stack master or as a standalone unit.
• Off indicates the switch is a member or standby unit.
4     Member      online       MXL-10/40GbE  MXL-10/40GbE  9-1-0-853  56
5     Member      online       MXL-10/40GbE  MXL-10/40GbE  9-1-0-853  56

Dell#show system
Stack MAC : 00:1e:c9:f1:00:e3
Reload Type : normal-reload [Next boot : normal-reload]

-- Unit 0 --
Unit Type        : Member Unit
Status           : not present
Required Type    : MXL-10/40GbE - 34-port GE/TE/FG (XL)

-- Unit 1 --
Unit Type        : M
Status
Next Boot
Required Type
Current Type
Master priority
Hardware Rev
Num Ports
Up Time
Dell Networking
Jumbo Capable
POE Capable
Burned In MAC
No Of MACs
-----------------------------------------
0   0   SFP+    SFP+    AUTO   Good
0   1   QSFP+   QSFP+   AUTO   Good
* - Mismatch

Dell# show system stack-unit 1 stack-group configured
Configured stack groups in stack-unit 1
--------------------------------------
0
1
4
5

Dell#show system stack-unit 1 stack-group
Stack group   Ports
------------------------------
0             0/33
1             0/37
2             0/41
3             0/45
4             0/49
5             0/53
Dell#

Dell# show system stack-ports
Topology: Ring
Interface   Connection   Link Speed (Gb/s)
0/33        1/37         40
0/37        2/33         40
0/41        1/49         40
0/45        2/5
show redundancy
3. Displays input and output flow statistics on a stacked port.
show hardware stack-unit unit-number stack-port port-number
4. Clears statistics on the specified stack unit. The valid stack-unit numbers are from 0 to 5.
Dell# show hardware stack-unit 1 stack-port 53
Input Statistics:
     7934 packets, 1049269 bytes
     0 64-byte pkts, 7793 over 64-byte pkts, 100 over 127-byte pkts
     0 over 255-byte pkts, 7 over 511-byte pkts, 34 over 1023-byte pkts
     70 Multicasts, 0 Broadcasts
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics:
     438 packets, 270449 bytes, 0 underruns
     0 64-byte pkts, 57 over 64-byte pkts, 181 over 127-byte pkts
     54 over 255-byte pkts, 0 over 511-byte pkts, 146 over 1023-byte pkts
     72 Multicast
Stack-Link Flapping Error
Problem/Resolution: Stacked MXL 10/40GbE Switches monitor their own stack ports and disable any stack port that flaps five times within 10 seconds. If the stacking ports that flap are on the master or standby, KERN-2-INT error messages note the units. To re-enable a downed stacking port, power cycle the stacked switch on which the port is installed.
The following is an example of the stack-link flapping error message.
Card Problem — Resolved
Dell#show system brief
Stack MAC : 00:1e:c9:f1:01:57
Reload Type : normal-reload [Next boot : normal-reload]

-- Stack Info --
Unit  UnitType    Status       ReqTyp        CurTyp        Version    Ports
-----------------------------------------------------------------
0     Management  online       MXL-10/40GbE  MXL-10/40GbE  8-3-16-79  56
1     Member      online       MXL-10/40GbE  unknown                  56
2     Standby     online       MXL-10/40GbE  MXL-10/40GbE  8-3-16-79  56
3     Member      not present
4     Member      not present
5     Member      not present

Stack Unit in Card-Problem Stat
Source file name []: $V-9-1-0/NAVASOTA-DEV-9-1-0-887/Dell-XL-9-1-0-887.bin
User name to login remote host: ftp
Password to login remote host:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Erasing IOM Primary Image, please wait
.!.................................................................................
...................................Writing.........................................
...................................................................................
.............
Dell(conf)# boot system stack-unit 2 primary system: A:
Dell(conf)# end
Dell#Jan 3 14:27:00: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console
Dell# write memory
Jan 3 14:27:10: %STKUNIT0-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startupconfig in flash by default
Synchronizing data to peer Stack-unit
!!!!
....
51 Storm Control
Storm control is supported on the MXL switch platform.
The storm control feature allows you to control unknown-unicast and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell Networking OS Behavior: The Dell Networking OS supports broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic. The minimum number of packets per second (PPS) that storm control can limit is two.
52 Spanning Tree Protocol (STP)
The spanning tree protocol (STP) is supported on the MXL switch platform.

Protocol Overview
STP is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network. By eliminating loops, the protocol improves scalability in a large network and allows you to implement redundant paths, which can be activated after the failure of active paths.
• All ports in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the spanning tree topology at the time you enable the protocol.
• To add interfaces to the spanning tree topology after you enable STP, enable the port and configure it for Layer 2 using the switchport command.
• The IEEE Standard 802.1D allows 8 bits for port ID and 8 bits for priority. The 8 bits for port ID provide port IDs for 256 ports.
INTERFACE mode
no shutdown

Example of the show config Command
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
Dell(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 no ip address
 switchport
 no shutdown
Dell(conf-if-te-1/1)#

Enabling Spanning Tree Protocol Globally
Enable the spanning tree protocol globally; it is not enabled by default.
protocol spanning-tree 0
2. Enable STP.
PROTOCOL SPANNING TREE mode
no disable
Example of Verifying Spanning Tree is Enabled
Example of Viewing Spanning Tree Configuration
Example of Verifying a Port Participates in Spanning Tree
To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode.
To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Bridge ID Priority 32768, Address 0001.e80d.2462
Configured hello time 2, max age 20, forward delay 15

Interface                                     Designated
Name         PortID  Prio  Cost  Sts  Cost  Bridge ID             PortID
-----------  ------  ----  ----  ---  ----  --------------------  ------
Tengig 1/1   8.496   8     4     DIS  0     32768 0001.e80d.2462  8.496
Tengig 1/2   8.497   8     4     DIS  0     32768 0001.e80d.2462  8.497
Tengig 1/3   8.513   8     4     FWD  0     32768 0001.e80d.2462  8.513
Tengig 1/4   8.514   8     4     FWD  0     32768 0001.e80d.2462  8.
The range is from 4 to 30.
• The default is 15 seconds.
Change the hello-time parameter (the BPDU transmission interval).
PROTOCOL SPANNING TREE mode
hello-time seconds
NOTE: With large configurations (especially those with more ports) Dell Networking recommends increasing the hello-time.
The range is from 1 to 10.
• The default is 2 seconds.
Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology).
Enabling PortFast
The PortFast feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. Interfaces forward frames by default until they receive a BPDU that indicates that they should behave otherwise; they do not go through the Learning and Listening states.
The bpduguard shutdown-on-violation option causes the interface hardware to be shut down when it receives a BPDU.
Dell Networking OS Behavior: Regarding bpduguard shutdown-on-violation behavior:
• If the interface to be shut down is a port channel, all the member ports are disabled in the hardware.
• When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware.
Interface                                   Designated
Name      PortID  Prio  Cost  Sts  Cost  Bridge ID             PortID
--------  ------  ----  ----  ---  ----  --------------------  ------
Po 1      8.2     8     1     FWD  0     32768 0001.e88a.fdb3  8.2
Te 3/20   8.317   8     4     EDS  1     32768 001e.c9f1.00cf  8.317
Te 4/20   8.373   8     4     FWD  1     32768 001e.c9f1.00cf  8.373
Te 4/21   8.374   8     4     FWD  1     32768 001e.c9f1.00cf  8.
Figure 125. BPDU Filtering Enabled Globally

Selecting STP Root
The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root.
To change the bridge priority or specify that a bridge is the root or secondary root, use the following command.
• Assign a number as the bridge priority or designate it as the root or secondary root.
STP Root Guard
Use the STP root guard feature in a Layer 2 network to avoid bridging loops. In STP, the switch in the network with the lowest priority value (as determined by STP or set with the bridge-priority command) is selected as the root bridge. If two switches have the same priority, the switch with the lower MAC address is selected as the root. All other switches in the network use the root bridge as the reference used to calculate the shortest forwarding path.
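The root election rule above (lowest priority, then lowest MAC) and the effect of root guard on a port that receives a better root claim can be modelled in a few lines. The following Python is an added illustration written for this guide, not Dell Networking OS code; the state names ROOT_INCONSISTENT and ROOT_PORT, the GuardedPort class and its log strings are assumptions made for the example, and the bridge IDs are taken from the show spanning-tree output shown in this chapter.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BridgeId:
    """STP bridge identifier: a 16-bit priority followed by the bridge MAC."""
    priority: int
    mac: str  # dotted form as shown in show spanning-tree output, e.g. "0001.e80d.2462"

    def key(self):
        # Lower priority wins; on a tie the numerically lower MAC wins.
        return (self.priority, int(self.mac.replace(".", "").replace(":", ""), 16))

    def __lt__(self, other):
        return self.key() < other.key()


def elect_root(bridges):
    """Return the bridge STP elects as root (lowest priority, then lowest MAC)."""
    return min(bridges, key=BridgeId.key)


@dataclass
class GuardedPort:
    """A designated port that may have root guard enabled (illustrative model)."""
    name: str
    current_root: BridgeId      # root the local bridge currently believes in
    rootguard: bool = True
    state: str = "FWD"
    log: list = field(default_factory=list)

    def receive_bpdu(self, claimed_root):
        """Apply one received configuration BPDU whose root ID is claimed_root.

        A BPDU advertising a better root than current_root is "superior". Without
        root guard the port would become the root port and the topology would
        re-converge around the new bridge. With root guard the port is instead put
        into a root-inconsistent (blocking) state until superior BPDUs stop.
        """
        if claimed_root < self.current_root:
            if self.rootguard:
                self.state = "ROOT_INCONSISTENT"
                self.log.append(f"{self.name}: superior BPDU from {claimed_root.mac} blocked by root guard")
            else:
                self.state = "ROOT_PORT"
                self.current_root = claimed_root
        elif self.state == "ROOT_INCONSISTENT":
            # Superior BPDUs stopped: the port recovers without manual intervention.
            self.state = "FWD"
            self.log.append(f"{self.name}: root guard recovered")
        return self.state


if __name__ == "__main__":
    root = BridgeId(32768, "0001.e80d.2462")
    other = BridgeId(32768, "001e.c9f1.00cf")
    print("root:", elect_root([root, other]).mac)
    port = GuardedPort("Te 3/20", current_root=root)
    print(port.receive_bpdu(BridgeId(0, "0000.0000.0001")))  # blocked by root guard
    print(port.receive_bpdu(other))                         # recovers
```

The model shows why root guard belongs on ports facing devices that must never become root: a bridge announcing priority 0 on such a port is isolated on that port instead of re-rooting the whole domain, and the port returns to forwarding once the superior BPDUs stop.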
Figure 126. STP Root Guard Prevents Bridging Loops

Configuring Root Guard
Enable STP root guard on a per-port or per-port-channel basis.
Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard:
• Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
– pvst: enables root guard on a PVST-enabled port.
To disable STP root guard on a port or port-channel interface, use the no spanning-tree 0 rootguard command in an interface configuration mode.
To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in a global configuration mode.

SNMP Traps for Root Elections and Topology Changes
To enable SNMP traps, use the following commands.
53 System Time and Date
System time and date settings and the network time protocol (NTP) are supported on the MXL switch platform.
You can set and maintain system times and dates through NTP. They are also set through the Dell Networking operating system (OS) command line interfaces (CLIs) and hardware settings.

Network Time Protocol
The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients.
synchronize and serve as a client to the NTP host. As soon as a host-client relationship is established, the networking device propagates the time information throughout its local network.

Protocol Overview
The client sends NTP messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately.
ntp server ip-address

Viewing System Clock State Relative to NTP
Example of Viewing Calculated NTP Synchronization Variables
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode.
Dell(conf)#do show ntp status
Clock is synchronized, stratum 2, reference is 192.168.1.1
frequency is -369.623 ppm, stability is 53.319 ppm, precision is 4294967279
reference time is CD63BCC2.0CBBD000 (16:54:26.049 UTC Thu Mar 12 2012)
clock offset is 997.
• Configure a source IP address for NTP packets.
CONFIGURATION mode
ntp source interface
Enter the following keywords and slot/port or number information:
– For a Loopback interface, enter the keyword loopback then a number between 0 and 16383.
– For a port channel interface, enter the keyword port-channel then a number from 1 to 128.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
– hostname: Enter the keyword hostname to see the IP address or host name of the remote device.
– ipv4-address: Enter an IPv4 address in dotted decimal format (A.B.C.D).
– ipv6-address: Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported.
– key keyid: Configure a text string as the key exchanged between the NTP server and the client.
– prefer: Enter the keyword prefer to set this NTP server as the preferred server.
NOTE:
• Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
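The leap indicator, stratum and reference fields described in this section sit in the first bytes of every NTP packet, and a client should read them before trusting a reply. The following Python decoder is an added example written for this guide, not Dell Networking OS code: it builds a constructed server reply (the timestamp and reference address are sample values, not the CD63BCC2.0CBBD000 value shown above) and decodes it with the standard 48-byte header layout, flagging replies from an unsynchronized server (LI = 3) or at an invalid stratum as unusable.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
HEADER = struct.Struct("!BBbbII4sQQQQ")  # 48-byte NTP header: LI/VN/mode, stratum, poll, precision, ...
LEAP_TEXT = {
    0: "no warning",
    1: "last minute of the day has 61 seconds",
    2: "last minute of the day has 59 seconds",
    3: "alarm condition: clock not synchronized",
}
# Constructed sample time for the example; it is not derived from the guide's output.
SAMPLE_TIME = datetime(2012, 3, 12, 16, 54, 26, 49000, tzinfo=timezone.utc)


def to_ntp_timestamp(dt):
    """Encode an aware datetime as a 64-bit NTP timestamp (32.32 fixed point since 1900)."""
    delta = dt - NTP_EPOCH
    secs = int(delta.total_seconds())
    frac = int((delta - timedelta(seconds=secs)).total_seconds() * 2**32)
    return (secs << 32) | frac


def from_ntp_timestamp(ts):
    secs, frac = ts >> 32, ts & 0xFFFFFFFF
    return NTP_EPOCH + timedelta(seconds=secs, microseconds=frac * 1_000_000 / 2**32)


def build_server_reply(leap, stratum, ref_id, ref_time, xmit_time, version=4):
    """Construct a mode-4 (server) reply; ref_id is the 4-byte reference identifier."""
    first = (leap << 6) | (version << 3) | 4
    return HEADER.pack(first, stratum, 6, -20, 0, 0, ref_id,
                       to_ntp_timestamp(ref_time), 0, 0, to_ntp_timestamp(xmit_time))


def sample_reply(leap=1, stratum=2, ref_id=bytes([192, 168, 1, 1])):
    """A constructed reply with the leap indicator announcing a 61-second day."""
    return build_server_reply(leap, stratum, ref_id, SAMPLE_TIME, SAMPLE_TIME)


def parse_ntp(packet):
    """Decode the header fields a client should inspect before accepting a reply."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the 48-byte NTP header")
    (first, stratum, poll, precision, root_delay, root_disp,
     ref_id, ref_ts, _orig_ts, _recv_ts, xmit_ts) = HEADER.unpack_from(packet)
    leap = first >> 6
    # Stratum 1 servers carry an ASCII source code (e.g. "GPS"); stratum 2 and above
    # carry the IPv4 address of the upstream server, like "reference is 192.168.1.1".
    if stratum == 1:
        reference = ref_id.decode("ascii", "replace").rstrip("\0")
    else:
        reference = ".".join(str(b) for b in ref_id)
    return {
        "leap": leap,
        "leap_text": LEAP_TEXT[leap],
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": stratum,
        "poll_seconds": 2 ** poll,
        "precision_seconds": 2.0 ** precision,
        "root_delay_seconds": root_delay / 2**16,
        "root_dispersion_seconds": root_disp / 2**16,
        "reference": reference,
        "reference_time": from_ntp_timestamp(ref_ts),
        "transmit_time": from_ntp_timestamp(xmit_ts),
        # A usable reply comes from a synchronized server (LI != 3) at a valid stratum;
        # stratum 0 marks a kiss-o'-death or unspecified packet and 16 means unsynchronized.
        "usable": leap != 3 and 1 <= stratum <= 15,
    }


if __name__ == "__main__":
    for key, value in parse_ntp(sample_reply()).items():
        print(f"{key:24} {value}")
```

Checking the usable flag is the cheap defensive step: a server that is itself unsynchronized or answering with a kiss-o'-death code must not be allowed to steer the switch clock, since logs, certificate validation and the daylight-saving schedule configured later in this chapter all depend on it.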
– time: enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format; for example, 17:15:00 is 5:15 pm.
– month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.
– day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year.
– year: enter a four-digit number as the year.
– end-month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.
– end-day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year.
– end-year: enter a four-digit number as the year. The range is from 1993 to 2035.
– end-time: enter the time in hours:minutes.
Example of the clock summer-time recurring Command
Example of Clock Summer-Time Recurring Parameters
Dell(conf)#clock summer-time pacific recurring Mar 14 2012 00:00 Nov 7 2012 00:00
Dell(conf)#
NOTE: If you enter after entering the recurring command parameter, and you have already set a one-time daylight saving time/date, the system uses that time and date as the recurring setting.
54 Tunneling
Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported.

Configuring a Tunnel
You can configure a tunnel in IPv6 mode, IPv6IP mode, and IPIP mode.
• If the tunnel mode is IPIP or IPv6IP, the tunnel source address and the tunnel destination address must be an IPv4 address.
Dell(conf-if-tu-3)#ip address 3.1.1.1/24
Dell(conf-if-tu-3)#ipv6 address 3::1/64
Dell(conf-if-tu-3)#no shutdown
Dell(conf-if-tu-3)#show config
!
interface Tunnel 3
 ip address 3.1.1.1/24
 ipv6 address 3::1/64
 tunnel destination 8::9
 tunnel source 5::5
 tunnel mode ipv6
 no shutdown

Configuring Tunnel keepalive
Configure the tunnel keepalive target, interval and attempts.
• By default the tunnel keepalive is disabled.
Dell(conf-if-tu-1)#tunnel mode ipip decapsulate-any
Dell(conf-if-tu-1)#no shutdown
Dell(conf-if-tu-1)#sho c
!
interface Tunnel 1
 ip unnumbered TenGigabitEthernet 0/0
 ipv6 unnumbered TenGigabitEthernet 0/0
 tunnel source 40.1.1.1
 tunnel mode ipip decapsulate-any
 no shutdown
Dell(conf-if-tu-1)#

Configuring the Tunnel allow-remote
You can configure an IPv4 or IPv6 address or prefix whose tunneled packets will be accepted for decapsulation.
55 Uplink Failure Detection (UFD)
Uplink failure detection (UFD) is supported on the MXL switch platform.

Feature Description
UFD provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link.
A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 128. Uplink Failure Detection

How Uplink Failure Detection Works
UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group.
An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces.
An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 129. Uplink Failure Detection Example

If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. This number is configurable and is calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with a UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
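The rules in this section (a configurable number of downstream ports, or all of them, disabled lowest-numbered first, and automatic recovery when the uplink returns) can be exercised with a small model. The Python below is an added example written for this guide, not Dell Networking OS code. The class name UplinkStateGroup, the disable_links and auto_recover arguments and the event strings are assumptions made for the example; how the model maps the disable_links setting onto port selection follows the text above, not a reading of the product's internal behaviour. The interface names are those of group 3 in the show uplink-state-group detail output later in this chapter.

```python
class UplinkStateGroup:
    """Model of one UFD uplink-state group (illustration, not Dell code).

    upstream / downstream: interface names such as "Te 0/3".
    disable_links: None  -> downstream ports go down only when every upstream port is down
                   int n -> when any upstream port is down, the n lowest-numbered
                            downstream ports are disabled (downstream disable links n)
                   "all" -> any upstream failure disables all downstream ports
    auto_recover:  re-enable UFD-disabled ports when an upstream port comes back
                   (downstream auto-recover, enabled by default).
    """

    def __init__(self, group_id, upstream, downstream, disable_links=None, auto_recover=True):
        self.group_id = group_id
        self.upstream = list(upstream)
        self.downstream = list(downstream)
        self.disable_links = disable_links
        self.auto_recover = auto_recover
        self.link_up = {name: True for name in self.upstream + self.downstream}
        self.ufd_disabled = set()
        self.events = []

    @staticmethod
    def port_key(name):
        """'Te 0/12' -> (0, 12): ports are disabled from lowest to highest number."""
        slot, port = name.split()[1].split("/")
        return (int(slot), int(port))

    def status(self):
        """Group status as shown by show uplink-state-group: Up while any uplink is up."""
        return "Up" if any(self.link_up[u] for u in self.upstream) else "Down"

    def _desired_disabled(self):
        down = [u for u in self.upstream if not self.link_up[u]]
        if not down:
            return set()
        ordered = sorted(self.downstream, key=self.port_key)
        if len(down) == len(self.upstream) or self.disable_links == "all":
            return set(ordered)
        if isinstance(self.disable_links, int):
            return set(ordered[: self.disable_links])
        return set()

    def set_link(self, name, up):
        """Report a physical link change and return the ports UFD currently holds down."""
        self.link_up[name] = up
        desired = self._desired_disabled()
        for p in sorted(desired - self.ufd_disabled, key=self.port_key):
            self.events.append(f"{p}: Operationally Down (UFD Disabled), group {self.group_id}")
        if self.auto_recover:
            for p in sorted(self.ufd_disabled - desired, key=self.port_key):
                self.events.append(f"{p}: re-enabled by auto-recover")
            self.ufd_disabled = desired
        else:
            self.ufd_disabled |= desired  # stays down until an operator clears it
        return sorted(self.ufd_disabled, key=self.port_key)


if __name__ == "__main__":
    group = UplinkStateGroup(3, ["Te 0/3", "Te 0/4"],
                             ["Te 0/1", "Te 0/2", "Te 0/5", "Te 0/9", "Te 0/11", "Te 0/12"],
                             disable_links=2)
    print(group.set_link("Te 0/3", False), group.status())
    print(group.set_link("Te 0/4", False), group.status())
    print(group.set_link("Te 0/4", True), group.status())
    print("\n".join(group.events))
```

Running the model makes the operational consequence visible: with auto-recovery disabled, a brief uplink flap leaves the downstream server ports held down after the uplink has returned, so a group configured with no downstream auto-recover needs an alarm on the UFD Disabled events rather than on the uplink alone.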
To revert to the default setting, use the no downstream disable links command.
4. (Optional) Enable auto-recovery so that UFD-disabled downstream ports in the uplink-state group come up when a disabled upstream port in the group comes back up.
UPLINK-STATE-GROUP mode
downstream auto-recover
The default is that auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command.
5. (Optional) Enter a text description of the uplink-state group.
00:10:12: 00:10:12: 00:10:12: 00:10:12: 00:10:13: 3 00:10:13: Te 0/4 00:10:13: Te 0/5 00:10:13: Te 0/6 00:10:13: 00:10:13: 00:10:13: %STKUNIT0-M:CP %STKUNIT0-M:CP %STKUNIT0-M:CP %STKUNIT0-M:CP %STKUNIT0-M:CP %IFMGR-5-ASTATE_DN: %IFMGR-5-OSTATE_DN: %IFMGR-5-OSTATE_DN: %IFMGR-5-OSTATE_DN: %IFMGR-5-OSTATE_DN: Changed Changed Changed Changed Changed interface Admin state to interface state to down: interface state to down: interface state to down: uplink state group state down: Te 0/3 Te 0/1 Te 0/2 Te 0/3
Example of Viewing Uplink State Group Status (S50)
Example of Viewing Interface Status with UFD Information (S50)
Examples of Viewing UFD Output
Dell# show uplink-state-group
Uplink State Group: 1   Status: Enabled, Up
Uplink State Group: 3   Status: Enabled, Up
Uplink State Group: 5   Status: Enabled, Down
Uplink State Group: 6   Status: Enabled, Up
Uplink State Group: 7   Status: Enabled, Up
Uplink State Group: 16  Status: Disabled, Up
Dell# show uplink-state-group 16
Uplink State Group: 16  Status: Disabled, Up
     0 throttles, 0 discarded, 0 collisions
Rate info (interval 299 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec, 0 packets/sec, 0.
Uplink State Group: 3  Status: Enabled, Up

Dell#show uplink-state-group detail
(Up): Interface up  (Dwn): Interface down  (Dis): Interface disabled
Uplink State Group : 3  Status: Enabled, Up
Upstream Interfaces   : Te 0/3(Up) Te 0/4(Up)
Downstream Interfaces : Te 0/1(Up) Te 0/2(Up) Te 0/5(Up) Te 0/9(Up) Te 0/11(Up) Te 0/12(Up)

< After a single uplink port fails >

Dell#show uplink-state-group detail
(Up): Interface up  (Dwn): Interface down  (Dis): Interface disabled
Uplink State Group : 3  Status: Enabled, Up
Upstr
56 Upgrade Procedures
To find the upgrade procedures, go to the Dell Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell Networking OS version. To upgrade your system type, follow the procedures in the Dell Networking OS Release Notes.

Get Help with Upgrades
Direct any questions or concerns about the Dell Networking OS upgrade procedures to the Dell Technical Support Center. You can reach Technical Support:
• On the web: http://www.dell.
57 Virtual LANs (VLANs)
Virtual LANs (VLANs) are supported on the MXL switch platform.
VLANs are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The Dell Networking operating system (OS) supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN.
• Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN.
• The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes).
• Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved.
NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes specified in the IEEE 802.3 standard. Some devices that are not compliant with IEEE 802.3 may not support the larger frame size.
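The tag header layout described above (a 2-byte VLAN protocol identifier followed by 2 bytes of tag control information) is easy to check on real frames. The following Python is an added example written for this guide, not Dell Networking OS code: it builds constructed tagged and untagged frames and parses them, extracting the VLAN ID, priority and drop-eligible bits, flagging the two reserved VLAN IDs (0 and 4095), and reporting when the 4-byte tag pushes a full-size frame past the 1,518-byte IEEE 802.3 limit. The function names and the sample MAC addresses are assumptions made for the example.

```python
import struct

TPID_8021Q = 0x8100        # VLAN protocol identifier that marks a tagged frame
RESERVED_VIDS = {0, 4095}  # VID 0 = priority-tagged (no VLAN), VID 4095 = reserved
MAX_UNTAGGED_FRAME = 1518  # IEEE 802.3 maximum frame size, including the 4-byte FCS
FCS_LEN = 4


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build a constructed Ethernet frame (without FCS), inserting an 802.1Q tag when vid is given."""
    header = dst + src
    if vid is not None:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the addressing and VLAN tag fields of an Ethernet frame (FCS not included).

    The 4-byte tag header sits between the source MAC and the EtherType:
      TPID (2 bytes, 0x8100) + TCI (2 bytes: 3-bit PCP, 1-bit DEI, 12-bit VID).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "tagged": False,
        "vid": None,
        "pcp": None,
        "dei": None,
        "vid_reserved": False,
        "ethertype": ethertype,
        # The tag adds 4 bytes, so a full-size payload now exceeds the 802.3 limit.
        "oversize": len(frame) + FCS_LEN > MAX_UNTAGGED_FRAME,
    }
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated inside the 802.1Q header")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        info.update(tagged=True, vid=vid, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid_reserved=vid in RESERVED_VIDS, ethertype=inner_type)
    return info


if __name__ == "__main__":
    # Constructed sample addresses, not taken from a real capture.
    dst = bytes.fromhex("001ec9f100e3")
    src = bytes.fromhex("0001e80d2462")
    print(parse_frame(build_frame(dst, src, 0x0800, b"\x00" * 46, vid=100, pcp=5)))
    print(parse_frame(build_frame(dst, src, 0x0800, b"\x00" * 1500, vid=4095)))
```

A 1500-byte payload is a 1,518-byte frame untagged and a 1,522-byte frame once tagged, which is the case the NOTE warns about; a receiver that rejects VID 0 and 4095 at the edge also avoids accepting frames that carry priority only and no real VLAN membership.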
Assigning Interfaces to a VLAN
You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command.
You can further designate these Layer 2 interfaces as tagged or untagged. For more information, refer to the Interfaces chapter and Configuring Layer 2 (Data Link) Mode.
3     Active   T  Po1(So 0/0-1)
               T  Tengig 3/1
4     Active   T  Po1(So 0/0-1)
Dell#
When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN. If the tagged interface is removed from the only VLAN to which it belongs, the interface is placed in the Default VLAN as an untagged interface.

Moving Untagged Interfaces
To move untagged interfaces from the Default VLAN to another VLAN, use the following commands.
1.
The only way to remove an interface from the Default VLAN is to place the interface in Default mode by using the no switchport command in INTERFACE mode.

Assigning an IP Address to a VLAN
VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces.
Enabling Null VLAN as the Default VLAN
In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured. This presents a vulnerability because both interfaces are initially placed in the native VLAN, VLAN 1, and for that period customers are able to access each other's networks.
58 Virtual Link Trunking (VLT)
Virtual link trunking (VLT) is supported on the MXL switch platform.

Overview
VLT allows physical links between two chassis to appear as a single virtual link to the network core. VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches, and by supporting a loop-free topology.
Figure 131. Virtual Link Trunking

Multi-domain VLT
A multi-domain VLT (mVLT) configuration creates a port channel between two VLT domains by allowing two different VLT domains, using different VLT Domain ID numbers, connected by a standard LACP LAG to form a loop-free Layer 2 topology in the aggregation layer. This configuration supports a maximum of four (4) nodes per mVLT domain, increasing the number of available ports and allowing for dual redundancy of the VLT.
Figure 132. Multi-Domain VLT Example

VLT Terminology
The following are key VLT terms.
• Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches.
• VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches.
• VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches.
• If the lacp-ungroup feature is not supported on the ToR, reboot the VLT peers one at a time. After rebooting, verify that VLTi (ICL) is active before attempting DHCP connectivity.
• When you enable IGMP snooping on the VLT peers, ensure the value of the delay-restore command is not less than the query interval.
– The system automatically includes the required VLANs in VLTi. You do not need to manually select VLANs.
– VLT peer switches operate as separate chassis with independent control and data planes for devices attached to non-VLT ports.
– Port-channel link aggregation (LAG) across the ports in the VLT interconnect is required; individual ports are not supported. Dell Networking strongly recommends configuring a static LAG for VLTi.
device and automatically generates a VLT number for port channels on VLT peers that connect to the device. The discovery protocol requires that an attached device always runs LACP over the port-channel interface.
– VLT provides a loop-free topology for port channels with endpoints on different chassis in the VLT domain.
– VLT uses shortest path routing so that traffic destined to hosts via directly attached links on a chassis does not traverse the chassis-interconnect link.
– In a VLT domain, although both VLT peers actively participate in L3 forwarding as the VRRP master or backup router, the show vrrp command output displays one peer as master and the other peer as backup.
• Failure scenarios
– On a link failover, when a VLT port channel fails, the traffic destined for that VLT port channel is redirected to the VLTi to avoid flooding.
VLT and IGMP Snooping
When configuring IGMP Snooping with VLT, ensure the configurations on both sides of the VLT trunk are identical to get the same behavior on both sides of the trunk.
When you configure IGMP snooping on a VLT node, the dynamically learned groups and multicast router ports are automatically learned on the VLT peer node.

VLT Port Delayed Restoration
With the Dell Networking OS version 8.3.12.
Figure 133. PIM-Sparse Mode Support on VLT

On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
You can configure virtual link trunking (VLT) peer nodes as rendezvous points (RPs) in a Protocol Independent Multicast (PIM) domain. If the VLT node elected as the designated router fails, traffic loss occurs until another VLT node is elected the designated router.

VLT Multicast
VLT multicast provides multiple alternate paths for resiliency against link and node failures.
6. Configure the VLT VLAN routing metrics to prefer VLT VLAN interfaces over non-VLT VLAN interfaces. For more information, refer to Classify Traffic.
7. Configure symmetrical Layer 2 and Layer 3 configurations on both VLT peers for any spanned VLAN.

VLT Unicast Routing
VLT unicast locally routes packets destined for the L3 endpoint of the VLT peer. This method avoids sub-optimal routing. Peer-routing syncs the MAC addresses of both VLT peers and requires two local DA entries in TCAM.
Additionally, ARP entries resulting from station movements from VLT to non-VLT ports or to different non-VLT ports are learned on the non-VLT port and synced with the peer node. The peer node is updated to use the new non-VLT port.
NOTE: ARP entries learned on non-VLT, non-spanned VLANs are not synced with VLT peers.

RSTP Configuration
RSTP is supported in a VLT domain. Before you configure VLT on peer switches, configure RSTP in the network.
Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 1)
Dell_VLTpeer1(conf)#protocol spanning-tree rstp
Dell_VLTpeer1(conf-rstp)#no disable
Dell_VLTpeer1(conf-rstp)#bridge-priority 4096

Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 2)
Dell_VLTpeer2(conf)#protocol spanning-tree rstp
Dell_VLTpeer2(conf-rstp)#no disable
Dell_VLTpeer2(conf-rstp)#bridge-priority 0

Configuring VLT
To configure virtual link trunking and create a VLT domain in which two MXL switches are physically
5. Repeat Steps 1 to 4 on the VLT peer switch to configure the VLT interconnect.

Configuring a VLT Backup Link
To configure a VLT backup link, use the following command.
1. Specify the management interface to be used for the backup link through an out-of-band management network.
CONFIGURATION mode
interface managementethernet slot/port
Enter the slot (0-1) and the port (0).
2. Configure an IPv4 address (A.B.C.D) or IPv6 address (X:X:X:X::X) and mask (/x) on the interface.
The range of domain IDs is from 1 to 1000.
2. (Optional) After you configure the VLT domain on each peer switch on both sides of the interconnect trunk, by default, the system elects a primary and secondary VLT peer device.
VLT DOMAIN CONFIGURATION mode
primary-priority value
To reconfigure the primary role of VLT peer switches, use the primary-priority command. To configure the primary role on a VLT peer, enter a lower value than the priority value of the remote peer.
switchport
4. Add one or more port interfaces to the port channel.
INTERFACE PORT-CHANNEL mode
channel-member interface
interface: specify one of the following interface types:
• 10-Gigabit Ethernet: enter tengigabitethernet slot/port.
• 40-Gigabit Ethernet: enter fortygigabitethernet slot/port.
5. Ensure that the port channel is active.
INTERFACE PORT-CHANNEL mode
no shutdown
6.
CONFIGURATION mode
interface port-channel id-number
Enter the same port-channel number configured with the peer-link port-channel command.
2. Add one or more port interfaces to the port channel.
INTERFACE PORT-CHANNEL mode
channel-member interface
interface specifies one of the following interface types:
• 10-Gigabit Ethernet: Enter tengigabitethernet slot/port.
• 40-Gigabit Ethernet: Enter fortygigabitethernet slot/port.
3. Enter VLT-domain configuration mode for a specified VLT domain.
You must configure a different unit ID (0 or 1) on each peer switch. Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots.
8. Configure multi-domain VLT. Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
CONFIGURATION mode
interface port-channel id-number
Enter the same port-channel number configured with the peer-link port-channel command.
9.
• Display general status information about VLT domains currently configured on the switch.
  EXEC mode
  show vlt brief
• Display detailed information about the VLT-domain configuration, including local and peer port-channel IDs, local VLT switch status, and number of active VLANs on each port channel.
  EXEC mode
  show vlt detail
• Display the VLT peer status, role of the local VLT switch, VLT system MAC address and system priority, and the MAC address and priority of the locally-attached VLT device.
HeartBeat Messages Sent: 1026 HeartBeat Messages Received: 1025 Dell_VLTpeer2# show vlt backup-link VLT Backup Link ----------------Destination: Peer HeartBeat status: HeartBeat Timer Interval: HeartBeat Timeout: UDP Port: HeartBeat Messages Sent: HeartBeat Messages Received: 10.11.200.
Local System MAC address: 00:01:e8:8a:df:e6 Local System Role Priority: 32768 Dell_VLTpeer1# show running-config vlt ! vlt domain 30 peer-link port-channel 60 back-up destination 10.11.200.18 Dell_VLTpeer2# show running-config vlt ! vlt domain 30 peer-link port-channel 60 back-up destination 10.11.200.
---------- -------- ---- ------- -------- - ------- ------------Po 1 128.2 128 200000 DIS 0 0 0001.e88a.dff8 128.2 Po 3 128.4 128 200000 DIS 0 0 0001.e88a.dff8 128.4 Po 4 128.5 128 200000 DIS 0 0 0001.e88a.dff8 128.5 Po 100 128.101 128 800 FWD(VLTi)0 0 0001.e88a.dff8 128.101 Po 110 128.111 128 00 FWD(vlt) 0 0 0001.e88a.dff8 128.111 Po 111 128.112 128 200000 DIS(vlt) 0 0 0001.e88a.dff8 128.112 Po 120 128.121 128 2000 FWD(vlt) 0 0 0001.e88a.dff8 128.
show vlt brief
show vlt detail
10. Verify the VLT LAG is running in both VLT peer units.
    EXEC mode or EXEC Privilege
    show interfaces interface
Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2.
Configure the VLTi between VLT peer 1 and VLT peer 2.
Configure the backup link between the VLT peer units.
Configure the VLT links between VLT peer 1 and VLT peer 2 to the top of rack unit.
In the ToR unit, configure LACP on the physical ports.
Verify VLT is up.
In the following example, port Te 0/40 in VLT peer 1 is connected to Te 0/48 of the TOR and port Te 0/18 in VLT peer 2 is connected to Te 0/50 of the TOR.
1. Configure the static LAG/LACP between the ports connected from VLT peer 1 and VLT peer 2 to the top of rack unit.
2. Configure the VLT peer link port channel ID in VLT peer 1 and VLT peer 2.
3. In the top of rack unit, configure LACP on the physical ports (shown for VLT peer 1 only; repeat the steps for VLT peer 2).
port-channel-protocol LACP port-channel 100 mode active no shutdown mxl-1# mxl-1#show running-config interface port-channel 100 ! interface Port-channel 100 no ip address switchport no shutdown mxl-1# mxl-1#show interfaces port-channel 100 brief Codes: L - LACP Port-channel LAG Mode Status Uptime Ports L 100 L2 up 03:33:48 Te 0/48 (Up) Te 0/50 (Up) mxl-1# Dell#show vlt br VLT Domain Brief -----------------Domain ID Role Role Priority ICL Link Status HeartBeat Status VLT Peer Status Version Local System MAC
determines the PVST+ roles and states on VLT ports and ensures that the VLT interconnect link is never blocked. The PVST+ instance on the primary peer sends the role/state of the VLT LAGs for all VLANs to the secondary peer. The secondary peer uses this information to program its hardware. The PVST+ instance running on the secondary peer does not control the VLT LAGs.
Figure 134. mVLT Configuration Example In Domain 1, configure Peer 1 first, then configure Peer 2. When that is complete, perform the same steps for the peer nodes in Domain 2. The interface used in this example is TenGigabitEthernet.
Next, configure the VLT domain and VLTi on Peer 2 Domain_1_Peer2#configure Domain_1_Peer2(conf)#interface port-channel 1 Domain_1_Peer2(conf-if-po-1)#channel-member TenGigabitEthernet 0/8-9 Domain_1_Peer2#no shutdown Domain_1_Peer2(conf)#vlt domain 200 Domain_1_Peer2(conf-vlt-domain)#peer-link port-channel 1 Domain_1_Peer2(conf-vlt-domain)#back-up destination 10.16.130.
Domain_2_Peer4(conf-vlt-domain)#system-mac mac-address 00:0b:00:0b:00:0b Domain_2_Peer4(conf-vlt-domain)#unit-id 1 Configure mVLT on Peer 4 Domain_2_Peer4(conf)#interface port-channel 100 Domain_2_Peer4(conf-if-po-100)#switchport Domain_2_Peer4(conf-if-po-100)#vlt-peer-lag port-channel 100 Domain_2_Peer4(conf-if-po-100)#no shutdown Add links to the mVLT port-channel on Peer 4 Domain_2_Peer4(conf)#interface range tengigabitethernet 0/31 - 32 Domain_2_Peer4(conf-if-range-te-0/16-17)#port-channel-protocol LA
Additional VLT Sample Configurations
To configure VLT, create a VLT domain, configure a backup link and interconnect trunk, and connect the peer switches in the VLT domain to an attached access device (switch or server). Review the following examples of VLT configurations.
Configuring Virtual Link Trunking (VLT Peer 1)
Enable VLT and create a VLT domain with a backup link and interconnect trunk (VLTi).
Dell_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.23 Dell_VLTpeer2(conf-vlt-domain)#exit Configure the backup link. Dell_VLTpeer2(conf)#interface ManagementEthernet 0/0 Dell_VLTpeer2(conf-if-ma-0/0)#ip address 10.11.206.35/ Dell_VLTpeer2(conf-if-ma-0/0)#no shutdown Dell_VLTpeer2(conf-if-ma-0/0)#exit Configure the VLT interconnect (VLTi).
Table 69. Troubleshooting VLT
Description | Behavior at Peer Up | Behavior During Run Time | Action to Take
Bandwidth monitoring
  Behavior at Peer Up: A syslog error message and an SNMP trap is generated when the VLTi bandwidth usage goes above the 80% threshold and when it drops below 80%.
  Behavior During Run Time: A syslog error message and an SNMP trap is generated when the VLTi bandwidth usage goes above its threshold.
  Action to Take: Depending on the traffic that is received, the traffic can be offloaded in VLTi.
Domain ID mismatch
  Behavior at Peer Up: The VLT peer does not boot up.
VLT LAG ID mismatch
  Behavior at Peer Up: The VLT port channel is brought down. A syslog error message is generated.
  Behavior During Run Time: The VLT port channel is brought down. A syslog error message is generated.
  Action to Take: Perform a mismatch check after the VLT peer is established.
VLT LAG VLAN mismatch
  Behavior at Peer Up: A syslog error message is generated.
  Behavior During Run Time: A syslog error message is generated.
  Action to Take: Verify that the VLAN configuration is the same for the VLT LAGs on both peers.
Association of VLTi as a Member of a PVLAN If a VLAN is configured as a non-VLT VLAN on both the peers, the VLTi link is made a member of that VLAN if the VLTi link is configured as a PVLAN or normal VLAN on both the peers. If a PVLAN is configured as a VLT VLAN on one peer and a non-VLT VLAN on another peer, the VLTi is added as a member of that VLAN by verifying the PVLAN parity on both the peers.
Interoperation of VLT Nodes in a PVLAN with ARP Requests When an ARP request is received, and the following conditions are applicable, the IP stack performs certain operations. • The VLAN on which the ARP request is received is a secondary VLAN (community or isolated VLAN). • Layer 3 communication between secondary VLANs in a private VLAN is enabled by using the ip local-proxy-arp command in INTERFACE VLAN configuration mode.
VLT LAG Mode Peer1 PVLAN Mode of VLT VLAN Peer2 ICL VLAN Membership Mac Synchronization Peer1 Peer2 - Secondary (Isolated) - Secondary (Isolated) Yes Yes Promiscuous Trunk Primary Normal No No Promiscuous Trunk Primary Primary Yes No Access Access Secondary (Community) Secondary (Community) Yes Yes - Primary VLAN X - Primary VLAN X Yes Yes Secondary (Isolated) Secondary (Isolated) Yes Yes - Primary VLAN X - Primary VLAN X Yes Yes Secondary (Isolated) Secondary (Isola
channel-member interface
interface: specify one of the following interface types:
• 1-Gigabit Ethernet: Enter gigabitethernet slot/port.
• 10-Gigabit Ethernet: Enter tengigabitethernet slot/port.
4. Ensure that the port channel is active.
   INTERFACE PORT-CHANNEL mode
   no shutdown
5. To configure the VLT interconnect, repeat Steps 1–4 on the VLT peer switch.
6. Enter VLT-domain configuration mode for a specified VLT domain.
interface vlan vlan-id
6. Enable the VLAN.
   INTERFACE VLAN mode
   no shutdown
7. To obtain maximum VLT resiliency, configure the PVLAN IDs and mappings to be identical on both VLT peer nodes. Set the PVLAN mode of the selected VLAN to primary.
   INTERFACE VLAN mode
   private-vlan mode primary
8. Map secondary VLANs to the selected primary VLAN.
installed in the database. Proxy ARP is stopped when the VLT peer's MAC address is removed from the ARP database because of the peer routing timer expiry. The source hardware address in the ARP response contains the VLT peer MAC address. Proxy ARP is supported for both unicast and broadcast ARP requests. Control packets, other than ARP requests destined for the VLT peers that reach the undesired and incorrect VLT node, are dropped if the ICL link is down.
Configure VLT domain Dell(conf)#vlt domain 1 Dell(conf-vlt-domain)#peer-link port-channel 1 Dell(conf-vlt-domain)#back-up destination 10.16.151.116 Dell(conf-vlt-domain)#primary-priority 100 Dell(conf-vlt-domain)#system-mac mac-address 00:00:00:11:11:11 Dell(conf-vlt-domain)#unit-id 0 Dell(conf-vlt-domain)# Dell#show running-config vlt ! vlt domain 1 peer-link port-channel 1 back-up destination 10.16.151.
member Port-channel 10,20 shutdown Dell# Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN Sample Configuration of VLAN-Stack Over VLT (Peer 2) Configure VLT domain Dell(conf)#vlt domain 1 Dell(conf-vlt-domain)#peer-link port-channel 1 Dell(conf-vlt-domain)#back-up destination 10.16.151.
Dell#show running-config interface vlan 50 ! interface Vlan 50 vlan-stack compatible member Port-channel 10,20 shutdown Dell# Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN
59 Virtual Router Redundancy Protocol (VRRP) Virtual router redundancy protocol (VRRP) is supported on the MXL switch platform. VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next hop IP address.
Figure 135. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables.
processed by the CP processor increases or decreases based on the dynamics of the network, the advertisement intervals may increase or decrease accordingly.
Table 71. Recommended VRRP Advertise Intervals
Groups/Interface        Recommended Advertise Interval
Less than 250           1 second                          255
Between 250 and 450     2–3 seconds                       255
Between 450 and 600     3–4 seconds                       255
VRRP Configuration
By default, VRRP is not configured.
Configuration Task List
The following list specifies the configuration tasks for VRRP.
Dell(conf-if-te-1/1)#show conf ! interface Tengigabitethernet 1/1 ip address 10.10.10.1/24 ! vrrp-group 111 no shutdown Dell(conf-if-te-1/1)#
Configuring the VRRP Version for an IPv4 Group
For IPv4, you can configure a VRRP group to use one of the following VRRP versions:
• VRRPv2 as defined in RFC 3768, Virtual Router Redundancy Protocol (VRRP)
• VRRPv3 as defined in RFC 5798, Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6
You can also migrate an IPv4 group from VRRPv2 to VRRPv3.
– For example, an interface (on which you enable VRRP) contains a primary IP address of 50.1.1.1/24 and a secondary IP address of 60.1.1.1/24. The VRRP group (VRID 1) must contain virtual addresses belonging to either subnet 50.1.1.0/24 or subnet 60.1.1.0/24, but not from both subnets (though the system allows the same). If the virtual IP address and the interface’s primary/secondary IP address are the same, the priority on that VRRP group MUST be set to 255.
10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10 Authentication: (none) -----------------Tengigabitethernet 1/2, VRID: 111, Net: 10.10.2.1 State: Master, Priority: 100, Master: 10.10.2.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 27, Gratuitous ARP sent: 2 Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address: 10.10.2.2 10.10.2.
Configuring VRRP Authentication
Simple authentication of VRRP packets ensures that only trusted routers participate in VRRP processes. When you enable authentication, the Dell Networking OS includes the password in its VRRP transmission. The receiving router uses that password to verify the transmission.
NOTE: You must configure all virtual routers in the VRRP group the same: you must enable authentication with the same password or authentication is disabled.
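The following is an added example, not Dell code: a parser and audit routine for the VRRPv2 advertisement format (RFC 2338, which the standards table cites and which defines the simple-text authentication field), showing how a receiver verifies the checksum and compares the transmitted password with its own. The sample packet is constructed from the page's vrrp-group 111 (priority 255, four virtual addresses); the cleartext password "vrrp-key" is an assumption, since the page shows only the obfuscated type-7 form.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

VRRP_VERSION = 2             # VRRPv2 wire format (RFC 2338 / RFC 3768)
VRRP_TYPE_ADVERTISEMENT = 1
AUTH_NONE, AUTH_SIMPLE, AUTH_IP_AH = 0, 1, 2   # RFC 2338 authentication types
AUTH_DATA_LEN = 8            # simple-text password field: 8 bytes, zero padded


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over the VRRP message; the caller zeroes the checksum field first."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class VrrpAdvertisement:
    vrid: int
    priority: int
    adver_int: int                 # advertisement interval in whole seconds
    auth_type: int
    virtual_ips: list = field(default_factory=list)
    auth_data: bytes = b""         # for AUTH_SIMPLE: the password, in clear text

    def pack(self) -> bytes:
        """Serialise to the VRRPv2 on-wire layout and fill in the checksum."""
        header = struct.pack(
            "!BBBBBBH",
            (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
            self.vrid, self.priority, len(self.virtual_ips),
            self.auth_type, self.adver_int, 0,          # checksum placeholder
        )
        body = header
        body += b"".join(ipaddress.IPv4Address(ip).packed for ip in self.virtual_ips)
        body += self.auth_data[:AUTH_DATA_LEN].ljust(AUTH_DATA_LEN, b"\x00")
        csum = ones_complement_checksum(body)
        return body[:6] + struct.pack("!H", csum) + body[8:]


def parse_advertisement(pkt: bytes) -> VrrpAdvertisement:
    """Parse the VRRP payload that follows the IPv4 header and verify its checksum."""
    if len(pkt) < 8 + AUTH_DATA_LEN:
        raise ValueError("VRRP message too short")
    ver_type, vrid, priority, count, auth_type, adver_int, csum = struct.unpack("!BBBBBBH", pkt[:8])
    if ver_type >> 4 != VRRP_VERSION or ver_type & 0x0F != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    length = 8 + 4 * count + AUTH_DATA_LEN
    if len(pkt) < length:
        raise ValueError("IP address count exceeds message length")
    msg = pkt[:length]
    if ones_complement_checksum(msg[:6] + b"\x00\x00" + msg[8:]) != csum:
        raise ValueError("bad VRRP checksum")
    ips = [str(ipaddress.IPv4Address(msg[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    auth_data = msg[8 + 4 * count:length].rstrip(b"\x00")
    return VrrpAdvertisement(vrid, priority, adver_int, auth_type, ips, auth_data)


def audit_advertisement(adv: VrrpAdvertisement, expected_vrid: int,
                        expected_password: str, expected_vips: list) -> list:
    """Compare one advertisement with the locally configured group; an empty list means it is accepted."""
    findings = []
    if adv.vrid != expected_vrid:
        findings.append("unexpected VRID %d" % adv.vrid)
    if adv.auth_type != AUTH_SIMPLE:
        findings.append("authentication type %d received, simple authentication expected" % adv.auth_type)
    elif adv.auth_data != expected_password.encode():
        findings.append("authentication password mismatch")
    unexpected = sorted(set(adv.virtual_ips) - set(expected_vips))
    if unexpected:
        findings.append("unexpected virtual addresses: %s" % ", ".join(unexpected))
    return findings


def build_sample_advertisement() -> VrrpAdvertisement:
    """Constructed sample mirroring the page's vrrp-group 111 (priority 255, four virtual addresses).
    The password 'vrrp-key' is an assumption; the page shows only the obfuscated form."""
    return VrrpAdvertisement(
        vrid=111, priority=255, adver_int=1, auth_type=AUTH_SIMPLE,
        virtual_ips=["10.10.10.1", "10.10.10.2", "10.10.10.3", "10.10.10.10"],
        auth_data=b"vrrp-key",
    )


if __name__ == "__main__":
    wire = build_sample_advertisement().pack()
    # The simple-text password travels in clear text in the multicast advertisement:
    # it protects against accidental misconfiguration, not against a host that can read the LAN.
    print("password present in clear on the wire:", b"vrrp-key" in wire)
    received = parse_advertisement(wire)
    print("findings with correct password:", audit_advertisement(received, 111, "vrrp-key", received.virtual_ips))
    print("findings with wrong password:  ", audit_advertisement(received, 111, "other-pw", received.virtual_ips))
```

A mismatched or absent password shows up as an audit finding rather than as a silently ignored advertisement, which is the condition the NOTE above warns about.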
Dell(conf-if-te-1/1)#vrrp-group 111 Dell(conf-if-te-1/1-vrid-111)#no preempt Dell(conf-if-te-1/1-vrid-111)#show conf Dell(conf-if-te-1/1-vrid-111)#show conf ! vrrp-group 111 authentication-type simple 7 387a7f2df5969da4 no preempt priority 255 virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.3 virtual-address 10.10.10.
authentication-type simple 7 387a7f2df5969da4 no preempt priority 255 virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.3 virtual-address 10.10.10.10 Dell(conf-if-te-1/1-vrid-111)# Track an Interface or Object You can set the Dell Networking OS to monitor the state of any interface according to the virtual group. Each VRRP group can track up to 12 interfaces and up to 20 additional objects, which may affect the priority of the VRRP group.
EXEC mode or EXEC Privilege mode
show vrrp
• (Optional) Display the configuration of tracked objects in VRRP groups on a specified interface.
Setting VRRP Initialization Delay When configured, VRRP is enabled immediately upon system reload or boot. You can delay VRRP initialization to allow the IGP and EGP protocols to be enabled prior to selecting the VRRP Master. This delay ensures that VRRP initializes with no errors or conflicts. You can configure the delay for up to 15 minutes, after which VRRP enables normally. Set the delay timer on individual interfaces. The delay timer is supported on all physical interfaces, VLANs, and LAGs.
Figure 136. VRRP for IPv4 Topology Example of Configuring VRRP for IPv4 R2(conf)#int tengig 2/31 R2(conf-if-te-2/31)#ip address 10.1.1.1/24 R2(conf-if-te-2/31)#vrrp-group 99 R2(conf-if-te-2/31-vrid-99)#priority 200 R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3 R2(conf-if-te-2/31-vrid-99)#no shut R2(conf-if-te-2/31)#show conf ! interface Tengigabitethernet 2/31 ip address 10.1.1.1/24 ! vrrp-group 99 priority 200 virtual-address 10.1.1.
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:63 Virtual IP address: 10.1.1.3 Authentication: (none) R2# Router 3 R3(conf)#int tengig 3/21 R3(conf-if-te-3/21)#ip address 10.1.1.2/24 R3(conf-if-te-3/21)#vrrp-group 99 R3(conf-if-te-3/21-vrid-99)#virtual 10.1.1.3 R3(conf-if-te-3/21-vrid-99)#no shut R3(conf-if-te-3/21)#show conf ! interface Tengigabitethernet 3/21 ip address 10.1.1.
60 Standards Compliance
This chapter describes standards compliance for Dell Networking products.
NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking Operating System (OS), the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
General Internet Protocols The following table lists the Dell Networking OS support per platform for general internet protocols. Table 72.
RFC# Full Name
1812 Requirements for IP Version 4 Routers
2131 Dynamic Host Configuration Protocol
2338 Virtual Router Redundancy Protocol (VRRP)
3021 Using 31-Bit Prefixes on IPv4 Point-to-Point Links
3046 DHCP Relay Agent Information Option
3069 VLAN Aggregation for Efficient IP Address Allocation
3128 Protection Against a Variant of the Tiny Fragment Attack

Border Gateway Protocol (BGP)
The following table lists the Dell Networking OS support per platform for BGP protocols.
Table 74.
RFC# Full Name
4222 Prioritized Treatment of Specific OSPF Version 2 Packets and Congestion Avoidance

Routing Information Protocol (RIP)
The following table lists the Dell Networking OS support per platform for the RIP protocol.
Table 76. Routing Information Protocol (RIP)
RFC# Full Name
1058 Routing Information Protocol
2453 RIP Version 2

Network Management
The following table lists the Dell Networking OS support per platform for network management protocols.
Table 77.
RFC# Full Name
2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
2574 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
2575 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
2576 Coexistence Between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework
2578 Structure of Management Information Version 2 (SMIv2)
2579 Textual Conventions
RFC# Full Name
4001 Textual Conventions for Internet Network Addresses
4292 IP Forwarding Table MIB
4750 OSPF Version 2 Management Information Base
4520 RMON v2 MIB
5060 Protocol Independent Multicast MIB
ANSI/TIA-1057 The LLDP Management Information Base extension module for TIATR41.
RFC# Full Name IEEE 802.1Qaz Management Information Base extension module for IEEE 802.1 organizationally defined discovery information (LDP-EXT-DOT1-DCBXMIB) IEEE 802.1Qbb Priority-based Flow Control module for managing IEEE 802.1Qbb MIB Location You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.
61 FC Flex IO Modules
This part provides a generic, broad-level description of the operations, capabilities, and configuration commands of the Fiber Channel (FC) Flex IO module.
bandwidth of up to 64GB. It is possible to connect some of the ports to a different FC SAN fabric to provide access to multiple fabric devices. In a typical Fibre Channel storage network topology, separate network interface cards (NICs) and host bus adapters (HBAs) on each server (two each for redundancy purposes) are connected to LAN and SAN networks respectively. These deployments typically include a ToR SAN switch in addition to a ToR LAN switch.
• Multiple domains are supported in an NPIV proxy gateway (NPG).
• You cannot configure the MXL or Aggregator switches in Stacking mode if the switches contain the FC Flex IO module. Similarly, FC Flex IO modules do not function when you insert them into a stack of MXL or Aggregator switches.
• If the switch does not contain FC Flex modules, you cannot create a stack, and a log message states that stacking is not supported unless the switches contain only FC Flex modules.
• Fc-map: 0x0efc00 • Fcf-priority: 128 • Fka-adv-period: 8000mSec • Keepalive: enable • Vlan priority: 3 • On an IOA, the FCoE virtual local area network (VLAN) is automatically configured. • With FC Flex IO modules on an IOA, the following DCB maps are applied on all of the ENode facing ports.
Processing of Data Traffic The Dell Networking OS determines the module type that is plugged into the slot. Based on the module type, the software performs the appropriate tasks. The FC Flex IO module encapsulates and decapsulates the FCoE frames. The module directly switches any non-FCoE or non-FIP traffic, and only FCoE frames are processed and transmitted out of the Ethernet network.
Installing and Configuring Flowchart for FC Flex IO Modules
To see if a switch is running the latest Dell Networking OS version, use the show version command. To download a Dell Networking OS version, go to http://support.dell.com. Installation Site Preparation Before installing the switch or switches, make sure that the chosen installation location meets the following site requirements: • Clearance — There is adequate front and rear clearance for operator access. Allow clearance for cabling, power connections, and ventilation.
• Configure the NPIV-related commands on MXL or I/O Aggregator. After you perform the preceding procedure, the following operations take place: • A physical link is established between the FC Flex I/O module and the Cisco MDS switch. • The FC Flex I/O module sends a proxy FLOGI request to the upstream F_Port of the FC switch or the MDS switch. The F_port accepts the proxy FLOGI request for the FC Flex IO virtual N_Port.
Figure 138. Case 2: Deployment Scenario of Configuring FC Flex IO Modules Data Center Bridging (DCB) Data center bridging (DCB) is supported on the FC Flex IO module installed in the MXL 10/40GbE Switch. Ethernet Enhancements in Data Center Bridging The following section describes DCB.
InterProcess Communication (IPC) traffic: InterProcess Communication (IPC) traffic within high-performance computing clusters to share information. Server traffic is extremely sensitive to latency requirements.
To ensure lossless delivery and latency-sensitive scheduling of storage and service traffic and I/O convergence of LAN, storage, and server traffic over a unified fabric, IEEE data center bridging adds the following extensions to a classical Ethernet network:
• 802.
– If the negotiation fails and PFC is enabled on the port, any user-configured PFC input policies are applied. If no PFC input policy has been previously applied, the PFC default setting is used (no priorities configured).
If you do not enable PFC on an interface, you can enable the 802.3x link-level pause function. By default, the link-level pause is disabled.
PFC supports buffering to receive data that continues to arrive on an interface while the remote system reacts to the PFC operation.
• ETS supports groups of 802.1p priorities that have: – PFC enabled or disabled – No bandwidth limit or no ETS processing • Bandwidth allocated by the ETS algorithm is made available after strict-priority groups are serviced. If a priority group does not use its allocated bandwidth, the unused bandwidth is made available to other priority groups. • For ETS traffic selection, an algorithm is applied to priority groups using: – Strict priority shaping – ETS shaping • ETS uses the DCB MIB IEEE 802.
Important Points to Remember • If you remove a dot1p priority-to-priority group mapping from a DCB map (no priority pgid command), the PFC and ETS parameters revert to their default values on the interfaces on which the DCB map is applied. By default, PFC is not applied on specific 802.1p priorities; ETS assigns equal bandwidth to each 802.1p priority. As a result, PFC and lossless port queues are disabled on 802.
Step Task Command Command Mode Maximum number of lossless queues supported on an Ethernet port: 2. Separate priority values with a comma. Specify a priority range with a dash, for example: pfc priority 3,5-7 1. You cannot configure PFC using the pfc priority command on an interface on which a DCB map has been applied or which is already configured for lossless queues (pfc no-drop queues command).
Step Task Command Command Mode
Range: 0-3. Separate queue values with a comma; specify a queue range with a dash; for example: pfc no-drop queues 1,3 or pfc no-drop queues 2-3
Default: No lossless queues are configured.
Data Center Bridging Exchange Protocol (DCBx)
DCBx allows a switch to automatically discover DCB-enabled peers and exchange configuration information. PFC and ETS use DCBx to exchange and negotiate parameters with peer devices.
• FCoE initialization protocol (FIP) snooping DCB processes virtual local area network (VLAN)-tagged packets and dot1p priority values. Untagged packets are treated with a dot1p priority of 0. For DCB to operate effectively, you can classify ingress traffic according to its dot1p priority so that it maps to different data queues. The dot1p-queue assignments used are shown in the following table.
dot1p Value in the Incoming Frame    Egress Queue Assignment
2                                    0
3                                    1
4                                    2
5                                    3
6                                    3
7                                    3
NOTE: If you reconfigure the global dot1p-queue mapping, an automatic re-election of the DCBX configuration source port is performed (refer to Configuration Source Election).
Configure Enhanced Transmission Selection
ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs.
CIN supports only the dot1p priority-queue assignment in a priority group. To configure a dot1p priority flow in a priority group to operate with link strict priority, you configure: The dot1p priority for strict-priority scheduling (strict-priority command; Enabling Strict-Priority Queueing). If you configure only the priority group in an ETS output policy or only the dot1p priority for strict-priority scheduling, the flow is handled with group strict priority.
Configure a DCBx Operation
DCB devices use the data center bridging exchange protocol (DCBx) to exchange configuration information with directly connected peers using the link layer discovery protocol (LLDP). DCBx can detect the misconfiguration of a peer DCB device and, optionally, configure peer DCB devices with DCB feature settings to ensure consistent operation in a data center network.
On a DCBX port in an auto-upstream role, the PFC and application priority TLVs are enabled. ETS recommend TLVs are disabled and ETS configuration TLVs are enabled. Auto-downstream The port advertises its own configuration to DCBx peers but is not willing to receive remote peer configuration. The port always accepts internally propagated configurations from a configuration source.
NOTE: On a DCBx port, application priority TLV advertisements are handled as follows: • The application priority TLV is transmitted only if the priorities in the advertisement match the configured PFC priorities on the port. • On auto-upstream and auto-downstream ports: – If a configuration source is elected, the ports send an application priority TLV based on the application priority TLV received on the configuration-source port.
Propagation of DCB Information When an auto-upstream or auto-downstream port receives a DCB configuration from a peer, the port acts as a DCBx client and checks if a DCBx configuration source exists on the switch. • If a configuration source is found, the received configuration is checked against the currently configured values that are internally propagated by the configuration source.
Figure 142. DCBx Sample Topology DCBx Prerequisites and Restrictions The following prerequisites and restrictions apply when you configure DCBx operation on a port: • For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
3. Configure a port to operate in a configuration-source role.
4. Configure ports to operate in a manual role.

1. Enter INTERFACE Configuration mode.
   CONFIGURATION mode
   interface type slot/port
2. Enter LLDP Configuration mode to enable DCBx operation.
   INTERFACE mode
   [no] protocol lldp
3. Configure the DCBx version used on the interface, where: auto configures the port to operate using the DCBx version received from a peer.
   PROTOCOL LLDP mode
   [no] DCBx version {auto | cee | cin | ieee-v2.
[no] advertise DCBx-appln-tlv {fcoe | iscsi}
• fcoe: enables the advertisement of FCoE in Application Priority TLVs.
• iscsi: enables the advertisement of iSCSI in Application Priority TLVs.
By default, Application Priority TLVs are enabled and advertise FCoE and iSCSI.
NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-appln-tlv iscsi. For information about how to use FCoE and iSCSI, refer to Fibre Channel over Ethernet and iSCSI Optimization.
• fcoe: enables the advertisement of FCoE in Application Priority TLVs.
• iscsi: enables the advertisement of iSCSI in Application Priority TLVs.
By default, Application Priority TLVs are enabled and advertise FCoE and iSCSI.
NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-appln-tlv iscsi. For information about how to use FCoE and iSCSI, refer to Fibre Channel over Ethernet and iSCSI Optimization.
6.
– config-exchng: enables traces for DCBx configuration exchanges. – fail: enables traces for DCBx failures. – mgmt: enables traces for DCBx management frames. – resource: enables traces for DCBx system resource frames. – sem: enables traces for the DCBx state machine. – tlv: enables traces for DCBx TLVs. Verifying the DCB Configuration To display DCB configurations, use the following show commands. Table 79. Displaying DCB Configurations Command Output show dot1p-queue mapping Displays the current 802.
DCB Status : Enabled PFC Port Count : 56 (current), 56 (configured) PFC Queue Count : 2 (current), 2 (configured) Dell# show interfaces tengigabitethernet 0/49 pfc summary Interface TenGigabitEthernet 0/49 Admin mode is on Admin is enabled Remote is enabled, Priority list is 4 Remote Willing Status is enabled Local is enabled Oper status is Recommended PFC DCBx Oper status is Up State Machine Type is Feature TLV Tx Status is enabled PFC Link Delay 45556 pause quantams Application Priority TLV Parameters :
Fields Description priorities. Willing status of peer device for DCBx exchange (Willing bit received in PFC TLV): enabled or disabled. Local is enabled DCBx operational status (enabled or disabled) with a list of the configured PFC priorities Operational status (local port) DCBx operational status (enabled or disabled) with a list of the configured PFC priorities. Port state for current operational PFC configuration: • Init: Local PFC configuration parameters were exchanged with peer.
0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Dell(conf)# show interfaces te 0/0 ets summary Interface TenGigabitEthernet 0/0 Max Supported TC Groups is 4 Number of Traffic Classes is 8 Admin mode is on Admin Parameters : -----------------Admin is enabled TC-grp Priority# Bandwidth TSA 0 0,1,2,3,4,5,6,7 100% ETS 1 0% ETS 2 0% ETS 3 0% ETS 4 0% ETS 5 0% ETS 6 0% ETS 7 0% ETS Priority# Bandwidth TSA 0 1 2 3 4 5 6 7 Remote Parameters: ------------------Remote is disabled Local Parameters
The following table describes the show interface ets detail command fields.
Table 81. show interface ets detail Command Description
Field                       Description
Interface                   Interface type with stack-unit and port number.
Max Supported TC Group      Maximum number of priority groups supported.
Number of Traffic Classes   Number of 802.1p priorities currently configured.
Admin mode                  ETS mode: on or off. When on, the scheduling and bandwidth allocation configured in an ETS output policy or received in a DCBx TLV from a peer can take effect on an interface.
stack unit 1 stack-port all Admin mode is On Admin is enabled, Priority list is 4-5 Local is enabled, Priority list is 4-5 Link Delay 45556 pause quantum 0 Pause Tx pkts, 0 Pause Rx pkts Dell(conf)# show stack-unit all stack-ports all ets details Stack unit 0 stack port all Max Supported TC Groups is 4 Number of Traffic Classes is 1 Admin mode is on Admin Parameters: -------------------Admin is enabled TC-grp Priority# Bandwidth TSA -----------------------------------------------0 0,1,2,3,4,5,6,7 100% ETS 1
Local DCBX Status
----------------
DCBX Operational Version is 0
DCBX Max Version Supported is 0
Sequence Number: 2
Acknowledgment Number: 2
Protocol State: In-Sync
Peer DCBX Status:
---------------
DCBX Operational Version is 0
DCBX Max Version Supported is 255
Sequence Number: 2
Acknowledgment Number: 2
Total DCBX Frames transmitted 27
Total DCBX Frames received 6
Total DCBX Frame errors 0
Total DCBX Frames unrecognized 0
The following table describes the show interface DCBx detail command fields.
Table 82.
Field - Description
Peer DCBx Status: Sequence Number - Sequence number transmitted in Control TLVs received from peer device.
Peer DCBx Status: Acknowledgment Number - Acknowledgement number transmitted in Control TLVs received from peer device.
Total DCBx Frames transmitted - Number of DCBx frames sent from local port.
Total DCBx Frames received - Number of DCBx frames received from remote peer port.
Total DCBx Frame errors - Number of DCBx frames with errors received.
Figure 143. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic
QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
dot1p Value in Incoming Frame - Queue Assignment
7 - 3
The following describes the dot1p-priority class group assignment.
dot1p Value in the Incoming Frame - Priority Group Assignment
0 - LAN
1 - LAN
2 - LAN
3 - SAN
4 - IPC
5 - LAN
6 - LAN
7 - LAN
The following describes the priority group-bandwidth assignment.
dcb-input or dcb-output commands. Similarly, if the dcb-buffer-threshold configuration is present on a stack port or any interface, the dcb-input or dcb-output policies cannot be applied on those interfaces.
NPIV Proxy Gateway Configuration on FC Flex IO Modules
The Fibre Channel (FC) Flex IO module is supported on the MXL 10/40GbE Switch and M I/O Aggregator (IOA).
the fabric. An FCoE map virtualizes the upstream SAN fabric as an FCF to downstream CNA ports on FCoE-enabled servers as follows:
• As soon as an FC N port comes online (no shutdown command), the NPG starts sending FIP multicast advertisements, which contain the fabric name derived from the 64-bit worldwide name (WWN) of the principal SAN switch. (The principal switch in a fabric is the FC switch with the lowest domain ID.
Term - Description
CNA port - N-port functionality on an FCoE-enabled server port. A converged network adapter (CNA) can use one or more Ethernet ports. CNAs can encapsulate Fibre Channel frames in Ethernet for FCoE transport and de-encapsulate Fibre Channel frames from FCoE to native Fibre Channel.
DCB map - Template used to configure DCB parameters, including priority-based flow control (PFC) and enhanced transmission selection (ETS), on CEE ports.
• The FC-MAP value used to generate a fabric-provided MAC address.
• The association between the FCoE VLAN ID and FC fabric ID where the desired storage arrays are installed. Each Fibre Channel fabric serves as an isolated SAN topology within the same physical network.
• The priority used by a server to select an upstream FCoE forwarder (FCF priority).
• FIP keepalive (FKA) advertisement timeout.
NOTE: In each FCoE map, the fabric ID, FC-MAP value, and FCoE VLAN must be unique.
Step 1. Create a DCB map to specify PFC and ETS settings for groups of dot1p priorities.
Command: dcb-map name
Command Mode: CONFIGURATION
Step 2. Configure the PFC setting (on or off) and the ETS bandwidth percentage allocated to traffic in each priority group. Configure whether the priority group traffic should be handled with strict-priority scheduling. The sum of all allocated bandwidth percentages must be 100 percent. Strict-priority traffic is serviced first.
Step 1. Enter CONFIGURATION mode on a server-facing port or port channel to apply a DCB map. You cannot apply a DCB map on a port channel. However, you can apply a DCB map on the ports that are members of the port channel.
Command: interface {tengigabitEthernet slot/port | fortygigabitEthernet slot/port}
Command Mode: CONFIGURATION
Step 2. Apply the DCB map on an Ethernet port or port channel.
installed. The fabric and VLAN ID numbers must be the same. Fabric and VLAN ID range: 2-4094. For example: fabric id 10 vlan 10
Step 3. Add a text description of the settings in the FCoE map. Maximum: 32 characters.
Command: description text
Command Mode: FCoE MAP
Specify the FC-MAP value used to generate a fabric-provided MAC address, which is required to send FCoE traffic from a server on the FCoE VLAN to the FC fabric specified in Step 2.
Command: fc-map fc-map-value
Command Mode: FCoE MAP
Step 3. Enable the port for FCoE transmission using the map settings.
Command: no shutdown
Command Mode: INTERFACE
Applying an FCoE Map on Fabric-facing FC Ports
The MXL 10/40GbE Switch and M I/O Aggregator, with the FC Flex IO module FC ports, are configured by default to operate in N port mode to connect to an F port on an FC switch in a fabric. You can apply only one FCoE map on an FC port.
Dell(config)# interface tengigabitethernet 1/0
Dell(config-if-te-0/0)#dcb-map SAN_DCB_MAP
3. Create the dedicated VLAN to be used for FCoE traffic:
Dell(conf)#interface vlan 1002
4.
Command - Description
show qos dcb-map map-name - Displays configuration parameters in a specified DCB map.
show npiv devices [brief] - Displays information on FCoE and FC devices currently logged in to the NPG.
show fc switch - Displays the FC mode of operation and worldwide node name (WWN) of an MXL 10/40GbE Switch or M I/O Aggregator with the FC Flex IO module.
show fcoe-map Command Examples
Dell# show fcoe-map brief
Fabric-Name  Fabric-Id  Vlan-Id  FC-MAP  FCF-Priority  Config-State  Oper-State
fid_1003     1003       1003     0efc03  128           ACTIVE        UP
fid_1004     1004       1004     0efc04  128           ACTIVE        DOWN
Dell# show fcoe-map fid_1003
Fabric Name        fid_1003
Fabric Id          1003
Vlan Id            1003
Vlan priority      3
FC-MAP             0efc03
FKA-ADV-Period     8
Fcf Priority       128
Config-State       ACTIVE
Oper-State         UP
Members
Fc 0/0
Te 0/14
Te 0/16
Table 86.
Priorities:0 1 2 4 5 6 7
PG:1 TSA:ETS Priorities:3 BW:50 PFC:ON
Table 87. show qos dcb-map Field Descriptions
Field - Description
State - Complete: All mandatory DCB parameters are correctly configured. In progress: The DCB map configuration is not complete. Some mandatory parameters are not configured.
PFC Mode - PFC configuration in the DCB map: On (enabled) or Off.
PG - Priority group configured in the DCB map.
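The DCB map procedure above requires that the ETS bandwidth percentages sum to 100 percent, and the show qos dcb-map output lists each priority group with its TSA, dot1p priorities, bandwidth and PFC setting. The following is an added example (not Dell code) that parses constructed sample lines modeled on that output and checks the map before it is applied to server-facing ports: ETS bandwidth must total 100 percent, every dot1p value 0-7 must be assigned to exactly one group, and nothing is out of range. The exact field layout of the real output and the TSA keyword for strict priority (assumed here to be SP) are assumptions.

```python
"""Check a DCB map's priority groups for ETS and dot1p consistency.

Added example, not Dell Networking OS code. The line format is modeled on the
show qos dcb-map output fragment above; the precise layout is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample: consistent map (ETS bandwidth 50 + 50, all dot1p used once).
SAMPLE_DCB_MAP = """\
PG:0 TSA:ETS Priorities:0 1 2 4 5 6 7 BW:50 PFC:OFF
PG:1 TSA:ETS Priorities:3 BW:50 PFC:ON
"""

# Constructed misconfiguration: ETS sums to 110 %, dot1p 3 is assigned twice,
# dot1p 6 is never assigned. A strict-priority group (assumed keyword SP)
# carries no ETS share and is excluded from the 100 % check.
BAD_DCB_MAP = """\
PG:0 TSA:ETS Priorities:0 1 2 3 4 5 BW:60 PFC:OFF
PG:1 TSA:ETS Priorities:3 BW:50 PFC:ON
PG:2 TSA:SP Priorities:7 BW:0 PFC:OFF
"""

PG_RE = re.compile(
    r"PG:(?P<pg>\d+)\s+TSA:(?P<tsa>\w+)\s+Priorities:(?P<prios>[\d ]+?)"
    r"\s+BW:(?P<bw>\d+)\s+PFC:(?P<pfc>ON|OFF)"
)


@dataclass
class PriorityGroup:
    pg: int
    tsa: str             # "ETS" (bandwidth share) or "SP" (strict priority, assumed)
    priorities: tuple    # dot1p values mapped to this group
    bandwidth: int       # percent of link bandwidth for ETS groups
    pfc: bool            # PFC on/off for the group's priorities


def parse_dcb_map(text):
    """Parse one PriorityGroup per matching line; other lines are ignored."""
    groups = []
    for line in text.splitlines():
        m = PG_RE.search(line)
        if not m:
            continue
        groups.append(PriorityGroup(
            pg=int(m["pg"]),
            tsa=m["tsa"].upper(),
            priorities=tuple(int(p) for p in m["prios"].split()),
            bandwidth=int(m["bw"]),
            pfc=(m["pfc"] == "ON"),
        ))
    return groups


def validate_dcb_map(groups):
    """Return a list of problems; an empty list means the map is consistent."""
    problems = []
    ets_total = sum(g.bandwidth for g in groups if g.tsa == "ETS")
    if ets_total != 100:
        problems.append(f"ETS bandwidth sums to {ets_total}%, must be 100%")
    seen = {}  # dot1p value -> first group that claimed it
    for g in groups:
        for p in g.priorities:
            if not 0 <= p <= 7:
                problems.append(f"dot1p {p} in PG {g.pg} is out of range 0-7")
            elif p in seen:
                problems.append(f"dot1p {p} assigned to both PG {seen[p]} and PG {g.pg}")
            else:
                seen[p] = g.pg
    missing = sorted(set(range(8)) - set(seen))
    if missing:
        problems.append(f"dot1p values not assigned to any group: {missing}")
    return problems


if __name__ == "__main__":
    for name, text in (("SAMPLE", SAMPLE_DCB_MAP), ("BAD", BAD_DCB_MAP)):
        print(name, validate_dcb_map(parse_dcb_map(text)) or "OK")
```

Running the map through validate_dcb_map before applying it catches the two mistakes the switch would otherwise surface only as an "In progress" State in show qos dcb-map: an ETS share that does not total 100 percent and a dot1p value that is double-booked or left unassigned.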
Field - Description
Login Method - Method used by the server CNA to log in to the fabric; for example: FLOGI - ENode logged in using a fabric login (FLOGI). FDISC - ENode logged in using a fabric discovery (FDISC).
Field - Description
Fabric Map - Name of the FCoE map containing the FCoE/FC configuration parameters for the server CNA-fabric connection.
Enode WWPN - Worldwide port name of the server CNA port.
Enode WWNN - Worldwide node name of the server CNA.
FCoE MAC - Fabric-provided MAC address (FPMA). The FPMA consists of the FC-MAP value in the FCoE map and the FC-ID provided by the fabric after a successful FLOGI. In the FPMA, the most significant bytes are the FC-MAP; the least significant bytes are the FC-ID.
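The FCoE MAC field above is built from the FCoE map's 24-bit FC-MAP followed by the 24-bit FC-ID the fabric assigned. The following added example (not Dell code) builds and splits an FPMA, decodes the FC-ID into its domain, area and port bytes, and audits a constructed list of logged-in devices, as show npiv devices would report them, to find any FCoE MAC whose FC-MAP does not match the FC-MAP of its fabric map. The FC-MAP values 0efc03 and 0efc04 are the ones shown in the show fcoe-map output above; the FC-IDs and device entries are constructed, and the FC-MAP range check uses the FC-BB-5 range 0e:fc:00 to 0e:fc:ff.

```python
"""Build, split and audit fabric-provided MAC addresses (FPMA) for FCoE.

Added example, not Dell Networking OS code. FPMA = FC-MAP (24 bits) || FC-ID (24 bits).
"""

FC_MAP_MIN, FC_MAP_MAX = 0x0EFC00, 0x0EFCFF   # FC-BB-5 FC-MAP range

# FC-MAP values taken from the show fcoe-map output above.
FC_MAPS = {"fid_1003": 0x0EFC03, "fid_1004": 0x0EFC04}


def build_fpma(fc_map: int, fc_id: int) -> str:
    """Return the FPMA as a colon-separated MAC string (FC-MAP high, FC-ID low)."""
    if not FC_MAP_MIN <= fc_map <= FC_MAP_MAX:
        raise ValueError(f"FC-MAP {fc_map:06x} outside 0efc00-0efcff")
    if not 0 <= fc_id <= 0xFFFFFF:
        raise ValueError("FC-ID must fit in 24 bits")
    raw = (fc_map << 24) | fc_id
    return ":".join(f"{(raw >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def split_fpma(mac: str):
    """Split an FPMA into (fc_map, fc_id) integers; accepts ':' or '-' separators."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    raw = int("".join(octets), 16)
    return raw >> 24, raw & 0xFFFFFF


def decode_fc_id(fc_id: int):
    """FC-ID layout: domain ID, area ID, port ID, one byte each."""
    return (fc_id >> 16) & 0xFF, (fc_id >> 8) & 0xFF, fc_id & 0xFF


def fpma_belongs_to_map(mac: str, fc_map: int) -> bool:
    """True if the top three octets of the MAC equal the FCoE map's FC-MAP."""
    return split_fpma(mac)[0] == fc_map


# Constructed sample of logged-in devices: (Fabric Map, FCoE MAC). The third
# entry carries a MAC built from the wrong FC-MAP for its fabric map.
DEVICES = [
    ("fid_1003", "0e:fc:03:01:02:00"),
    ("fid_1004", "0e:fc:04:02:03:01"),
    ("fid_1003", "0e:fc:04:01:02:05"),
]


def mismatched_devices(devices, fc_maps=FC_MAPS):
    """Return FCoE MACs whose FC-MAP does not match their fabric map's FC-MAP."""
    return [mac for name, mac in devices if not fpma_belongs_to_map(mac, fc_maps[name])]


if __name__ == "__main__":
    mac = build_fpma(FC_MAPS["fid_1003"], 0x010200)
    print(mac, split_fpma(mac), decode_fc_id(0x010200))
    print("mismatched:", mismatched_devices(DEVICES))
```

Because the FC-MAP must be unique per FCoE map, an ENode MAC whose upper three octets do not match the map it logged in through points at a CNA or FCoE map misconfiguration and is worth flagging when reviewing show npiv devices output.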