Dell EMC Configuration Guide for the S3100 Series 9.14.2.
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2019 - 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
1 About this Guide This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system. The S3100 series consists of S3124, S3124F, S3148, S3124P, S3148P platforms. The S3124, S3124F, S3124P, S3148P platforms are available with Dell EMC Networking OS version 9.8(2.0) and later.
2 Configuration Fundamentals The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
• ROUTER RIP
• SPANNING TREE
• TRACE-LIST
• VLT DOMAIN
• VRRP
• UPLINK STATE GROUP
• uBoot

Navigating CLI Modes

The Dell EMC Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command, which takes you directly to EXEC Privilege mode, and the exit command, which moves you up one command mode level.
CLI Command Mode             Prompt                                  Access Command
IP COMMUNITY-LIST            DellEMC(config-community-list)#         ip community-list
AUXILIARY                    DellEMC(config-line-aux)#               line (LINE Modes)
CONSOLE                      DellEMC(config-line-console)#           line (LINE Modes)
VIRTUAL TERMINAL             DellEMC(config-line-vty)#               line (LINE Modes)
STANDARD ACCESS-LIST         DellEMC(config-std-macl)#               mac access-list standard (MAC ACCESS-LIST Modes)
EXTENDED ACCESS-LIST         DellEMC(config-ext-macl)#               mac access-list extended (MAC ACCESS-LIST Modes)
MULTIPLE SPANNING TREE
OPENFLOW INSTANCE            DellEMC(conf-of-instance-ofid)#         openflow of-instance
PORT-CHANNEL FAILOVER-GROUP  DellEMC(conf-po-failover-grp)#          port-channel failover-group
PRIORITY GROUP               DellEMC(conf-pg)#                       priority-group
PROTOCOL GVRP                DellEMC(config-gvrp)#                   protocol gvrp
QOS POLICY                   DellEMC(conf-qos-policy-outets)#        qos-policy-output
SUPPORTASSIST                DellEMC(support-assist)#                support-assist
VLT DOMAIN                   DellEMC(conf-vlt-domain)#               vlt domain
VRRP                         DellEMC(conf-if-interfa
Undoing Commands When you enter a command, the command line is added to the running configuration file (running-config). To disable a command and remove it from the running-config, enter the no command, then the original command. For example, to delete an IP address configured on an interface, use the no ip address ip-address command. NOTE: Use the help or ? command as described in Obtaining Help.
• The UP and DOWN arrow keys display previously entered commands (refer to Command History).
• The BACKSPACE and DELETE keys erase the previous letter.
• Key combinations are available to move quickly across the command line. The following table describes these short-cut key combinations.

Short-Cut Key Combination   Action
CNTL-A                      Moves the cursor to the beginning of the command line.
CNTL-B                      Moves the cursor back one character.
CNTL-D                      Deletes the character at the cursor.
The grep command displays only the lines containing the specified text. The following example shows this command used in combination with the show system brief command.

Example of the grep Keyword
DellEMC(conf)#do show system brief | grep 0
0 not present

NOTE: Dell EMC Networking OS accepts a space or no space before and after the pipe. To filter a phrase with spaces, underscores, or ranges, enclose the phrase in double quotation marks.

The except keyword displays text that does not match the specified text.
Multiple Users in Configuration Mode Dell EMC Networking OS notifies all users when there are multiple users logged in to CONFIGURATION mode. A warning message indicates the username, type of connection (console or VTY), and in the case of a VTY connection, the IP address of the terminal on which the connection was established.
3 Getting Started

This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
Console Access

The device has one RJ-45/RS-232 console port, an out-of-band (OOB) Ethernet port, and a micro USB-B console port.

Serial Console

The RJ-45/RS-232 console port is labeled on the upper right-hand side, as you face the I/O side of the chassis.

Figure 1. RJ-45 Console Port (1. RJ-45 console port)

Accessing the Console Port

To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
Console Port    RJ-45 to RJ-45 Rollover Cable          RJ-45 to DB-9 Adapter   Terminal Server Device
Signal          RJ-45 Pinout     RJ-45 Pinout          DB-9 Pin                Signal
GND             4                5                     5                       GND
GND             5                4                     5                       GND
RxD             6                3                     3                       TxD
NC              7                2                     4                       DTR
CTS             8                1                     7                       RTS

Accessing the CLI Interface and Running Scripts Using SSH

In addition to accessing a device using a console connection or a Telnet session, you can also use SSH for secure, protected communication with the device. Telnet carries credentials and the whole session in clear text; use SSH for any remote access that crosses a network you do not fully control.
Default Configuration

Although a version of Dell EMC Networking OS is pre-loaded onto the system, the system is not configured when you power it up for the first time (except for the default hostname, which is DellEMC). You must configure the system using the CLI.

Configuring a Host Name

The host name appears in the prompt. The default host name is DellEMC.
• Host names must start with a letter and end with a letter or digit.
• Characters within the string can be letters, digits, and hyphens.
management route ip-address/mask gateway
• ip-address: the network address in dotted-decimal format (A.B.C.D).
• mask: a subnet mask in /prefix-length format (/xx).
• gateway: the next hop for network traffic originating from the management port.

Configuring a Username and Password

To access the system remotely, configure a system username and password. To configure a system username and password, use the following command.
• Configure a username and password to access the system remotely.
enable [password | secret | sha256-password] [level level] [encryption-type] password
• level: the privilege level; 15 by default, and not required.
• encryption-type: specifies how you input the password; 0 by default, and not required.
  • 0 is to input the password in clear text.
  • 5 is to input a password that is already encrypted using the MD5 encryption method. Obtain the encrypted password from the configuration file of another device.

MD5 is a fast hash and gives little resistance to offline guessing once someone has a copy of the configuration file; prefer the sha256-password form where the software offers it, and treat any configuration file or backup that contains password hashes as sensitive.
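As an added example (not from the Dell guide), the following Python script audits a saved running-config for the password-storage forms described above: it flags encryption-type 0 (clear text) and accounts configured with nopassword, marks MD5 (type 5) as legacy, and accepts sha256-password. The sample configuration embedded in it is constructed for the example; its hash strings are placeholders, and the encryption-type digit shown next to sha256-password is an assumption, since this section lists only types 0 and 5.

```python
"""Audit Dell EMC Networking OS 'enable' and 'username' lines for weak
password storage.  Added example, not part of the Dell guide.

Command shapes checked (from the text above):
  enable [password | secret | sha256-password] [level N] [encryption-type] password
  username NAME {password | secret | sha256-password} [encryption-type] password ...
  username NAME nopassword
encryption-type 0 = clear text (the default), 5 = MD5.  The '8' used with
sha256-password below is an assumption for the sample, not from the guide.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample running-config excerpt; hash strings are placeholders.
SAMPLE_CONFIG = """\
hostname DellEMC
enable password 0 letmein
enable secret 5 $1$abcd$PLACEHOLDERMD5HASHxxxxxxxxxx
enable sha256-password 8 $5$wxyz$PLACEHOLDERSHA256HASHyyyyyyy
username ops password 0 ops123 privilege 15
username audit secret 5 $1$efgh$PLACEHOLDERMD5HASHzzzzzzzzzz privilege 1
username guest nopassword
"""

PASSWORD_KEYWORDS = ("password", "secret", "sha256-password")
SEVERITY_ORDER = {"OK": 0, "INFO": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass
class Finding:
    line_no: int
    subject: str   # "enable" or "username <name>"
    severity: str  # HIGH / MEDIUM / INFO / OK
    reason: str


def classify(keyword: str, enc_type: int) -> Tuple[str, str]:
    """Map a password keyword and encryption-type to a severity and reason."""
    if enc_type == 0:
        return "HIGH", "password stored in clear text (encryption-type 0)"
    if keyword == "sha256-password":
        return "OK", "SHA-256 hashed password"
    if enc_type == 5:
        return "MEDIUM", "MD5 hashed password (encryption-type 5); migrate to sha256-password"
    return "INFO", f"unrecognised encryption-type {enc_type}; review manually"


def audit_config(config: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, raw in enumerate(config.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0] not in ("enable", "username"):
            continue
        subject = "enable" if tokens[0] == "enable" else f"username {tokens[1]}"
        if "nopassword" in tokens:
            findings.append(Finding(line_no, subject, "HIGH", "account has no password (nopassword)"))
            continue
        kw_idx = next((i for i, t in enumerate(tokens) if t in PASSWORD_KEYWORDS), None)
        if kw_idx is None or kw_idx + 1 >= len(tokens):
            continue
        rest = tokens[kw_idx + 1:]
        # An optional "level N" may sit between the keyword and the password.
        if rest[0] == "level" and len(rest) >= 3:
            rest = rest[2:]
        # The encryption type is optional and defaults to 0.  It is only
        # present when a digit token is followed by the password itself, so a
        # bare all-digit password is not mistaken for a type.
        if rest[0].isdigit() and len(rest) >= 2:
            enc_type = int(rest[0])
        else:
            enc_type = 0
        severity, reason = classify(tokens[kw_idx], enc_type)
        findings.append(Finding(line_no, subject, severity, reason))
    return findings


def highest_severity(findings: List[Finding]) -> str:
    return max((f.severity for f in findings), key=SEVERITY_ORDER.get, default="OK")


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3}  {f.severity:<6} {f.subject:<18} {f.reason}")
    print("overall:", highest_severity(audit_config(SAMPLE_CONFIG)))
```

Run it against a `show running-config` capture rather than on the switch; the script never prints the password or hash fields, only the line number and the storage form, so its output can go into a ticket without leaking the secret.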
Mounting an NFS File System This feature enables you to quickly access data on an NFS mounted file system. You can perform file operations on an NFS mounted file system using supported file commands. This feature allows an NFS mounted device to be recognized as a file system. This file system is visible on the device and you can execute all file commands that are available on conventional file systems such as a Flash file system.
! 15 bytes successfully copied
DellEMC#copy flash://test/capture.txt.pcap nfsmount:///
Destination file name [test.txt]:
! 15 bytes successfully copied
DellEMC#copy flash://test/capture.txt.pcap nfsmount:///username/snoop.pcap
! 24 bytes successfully copied
DellEMC#
DellEMC#copy tftp://10.16.127.35/username/dv-maa-test ?
flash:          Copy to local file system ([flash://]filepath)
nfsmount:       Copy to nfs mount file system (nfsmount:///filepath)
running-config  remote host:
Destination file name [test.
• View the running-configuration.
  EXEC Privilege mode
  show running-config
• View the startup-configuration.
  EXEC Privilege mode
  show startup-config

The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
Table 6.
Uncompressed                 Compressed

!
interface Vlan 5
 tagged te 1/1
 no ip address
 shutdown
!
interface Vlan 100
 no ip address
 no shutdown
!
interface Vlan 1000
 ip address 1.1.1.1/16
 no shutdown

Uncompressed config size – 52 lines

write memory compressed

The write memory compressed command writes the operating configuration to the startup-config file in compressed mode. In a stacking scenario, it also syncs the compressed startup-config to all the standby and member units.
To change the default directory, use the following command.
• Change the default directory.
  EXEC Privilege mode
  cd directory

Enabling Software Features on Devices Using a Command Option

The capability to activate software applications or components on a device using a command is supported on this platform. Starting with Release 9.4(0.0), you can enable or disable specific software features or applications that need to run on a device by using a command attribute in the CLI interface.
[May 17 15:38:55]: CMD-(CLI):[service timestamps log datetime]by default from console
[May 17 15:41:40]: CMD-(CLI):[write memory]by default from console - Repeated 1 time.
[May 17 15:54:54]: CMD-(CLI):[end]by default from console
[May 17 15:55:00]: CMD-(CLI):[show logging]by default from console
[May 17 15:55:12]: CMD-(CLI):[show clock]by default from console
[May 17 15:55:22]: CMD-(CLI):[show running-config]by default from console
[May 17 15:55:27]: CMD-(CLI):[show command-history]by default from console

Upgrading Dell EMC Networking OS

To upgrade Dell EMC Networking Operating System (OS), refer to the Release Notes for the version you want to load on the system.
SHA256
DellEMC# verify sha256 flash://file-name e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933

Using HTTP for File Transfers

Starting with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server. To transfer files to an external server, use the copy source-file-url http://host[:port]/file-path command. HTTP sends the file in clear text, so a copied configuration (including any password hashes in it) is readable to anyone on the path; keep such transfers on a trusted management network. Enter the following source-file-url keywords and information:
• To copy a file from the internal FLASH, enter flash:// followed by the filename.
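The verify sha256 command above compares the image on flash with the digest published for the release. When the image is staged on a workstation before it is copied to the switch, the same check can be done there; the Python below is an added example (not from the Dell guide or the switch software) that hashes the file in chunks, normalises the pasted digest, rejects a digest of the wrong shape (for example an MD5 string pasted into a SHA-256 check) and compares in constant time. The file path and digest in the usage block are assumptions.

```python
"""Verify a staged software image against a published SHA-256 digest.
Added example; not part of the Dell guide or of Dell EMC Networking OS.
"""
import hashlib
import hmac
import sys
from dataclasses import dataclass
from typing import Iterable, Iterator

# Hex-digest lengths of common algorithms, used only to explain why a pasted
# value cannot be a SHA-256 digest.
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_CHARS = set("0123456789abcdef")


@dataclass
class VerifyResult:
    status: str    # "match", "mismatch" or "bad-digest"
    computed: str  # lower-case hex SHA-256 of the data that was read
    detail: str


def sha256_of_chunks(chunks: Iterable[bytes]) -> str:
    """Hash an iterable of byte chunks so large images are never read whole."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def iter_file_chunks(path: str, size: int = 1 << 20) -> Iterator[bytes]:
    with open(path, "rb") as f:
        while True:
            block = f.read(size)
            if not block:
                return
            yield block


def verify_sha256(chunks: Iterable[bytes], expected_hex: str) -> VerifyResult:
    expected = expected_hex.strip().lower()
    computed = sha256_of_chunks(chunks)
    if len(expected) != 64 or not set(expected) <= HEX_CHARS:
        looks_like = HEX_LENGTHS.get(len(expected), "unknown")
        return VerifyResult("bad-digest", computed,
                            f"expected value is not a SHA-256 hex digest (looks like {looks_like})")
    # compare_digest avoids leaking how many leading characters matched.
    if hmac.compare_digest(computed, expected):
        return VerifyResult("match", computed, "digest matches published value")
    return VerifyResult("mismatch", computed, "digest differs from published value; do not install")


def verify_file(path: str, expected_hex: str) -> VerifyResult:
    return verify_sha256(iter_file_chunks(path), expected_hex)


if __name__ == "__main__":
    # Usage (paths and digest are assumptions):
    #   python verify_image.py FTOS-image.bin e6328c06faf8...2093e933
    result = verify_file(sys.argv[1], sys.argv[2])
    print(result.status, result.detail)
    sys.exit(0 if result.status == "match" else 1)
```

Check the digest before the copy to flash and again with verify sha256 after it; the first catches a corrupted or substituted download, the second catches corruption during the transfer.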
4 Management This chapter describes the different protocols or services used to manage the Dell EMC Networking system.
Removing a Command from EXEC Mode To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.
privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
• Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
  CONFIGURATION mode
  privilege {configure | interface | line | route-map | router} level level {command ||...
DellEMC(conf-if-group-vl-1-2,gi-1/1)# no shutdown
DellEMC(conf-if-group-vl-1-2,gi-1/1)# end

Applying a Privilege Level to a Username

To set the user privilege level, use the following command.
• Configure a privilege level for a user.
  CONFIGURATION mode
  username username privilege level

Applying a Privilege Level to a Terminal Line

To set a privilege level for a terminal line, use the following command.
• Configure a privilege level for a terminal line.
Enabling Audit and Security Logs You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode. This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control. Audit Logs The audit log contains configuration events and information.
line vty0 ( 10.14.1.91 )

Clearing Audit Logs

To clear audit logs, use the clear logging auditlog command in EXEC mode. When RBAC is enabled, only the system administrator user role can issue this command. Because an administrator can erase the local audit log, forward audit and security events to a syslog server as described in Enabling Audit and Security Logs so that a copy survives off the switch.

Example of the clear logging auditlog Command
DellEMC# clear logging auditlog

Configuring Logging Format

To display syslog messages in RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode (0 selects the RFC 3164 format, 1 selects RFC 5424). By default, the system log version is set to 0.
Setting Up a Secure Connection to a Syslog Server

You can use reverse tunneling with port forwarding to securely connect to a syslog server.

Figure 2. Setting Up a Secure Connection to a Syslog Server

Pre-requisites

To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server.
   DellEMC(conf)#ip ssh server enable
Sending System Messages to a Syslog Server

To send system messages to a specified syslog server, use the following command. The following syslog standards are supported:
• RFC 5424, The Syslog Protocol (R. Gerhards, Adiscon GmbH, March 2009), which obsoletes RFC 3164
• RFC 5426, Transmission of Syslog Messages over UDP

Syslog over UDP is neither authenticated nor encrypted; if the server is reached across a network you do not trust, use the SSH tunnel described in Setting Up a Secure Connection to a Syslog Server.
• Specify the server to which you want to send system messages. You can configure up to eight syslog servers.
-----------------------------------------------------------------
User: admin
Last login time: 12:52:01 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.
The following is sample output of the show login statistics unsuccessful-attempts time-period days command.

DellEMC# show login statistics unsuccessful-attempts time-period 15
There were 0 unsuccessful login attempt(s) for user admin in last 15 day(s).

The following is sample output of the show login statistics unsuccessful-attempts user login-id command.

DellEMC# show login statistics unsuccessful-attempts user admin
There were 3 unsuccessful login attempt(s) for user admin in last 12 day(s).
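The login statistics above are computed on the switch. Once the security log is forwarded to a syslog server, the same failure counts can be derived centrally across every switch, in either of the two formats selected by logging version. The Python below is an added example (not from the Dell guide): it parses both RFC 3164-style and RFC 5424 lines carrying Dell's %FACILITY-SEVERITY-MNEMONIC message body and counts failed logins per user. The sample lines are constructed for the example; the LOGIN_SUCCESS line follows the message shown in this chapter, while the LOGIN_FAILURE mnemonic, its wording, and the RFC 5424 header fields are assumptions.

```python
"""Parse Dell EMC Networking OS syslog lines in RFC 3164 (logging version 0)
and RFC 5424 (logging version 1) form and count failed logins per user.
Added example; not part of the Dell guide.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample lines.  The RFC 5424 lines follow the RFC header layout
# (PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG);
# how the switch fills the header fields, and the LOGIN_FAILURE mnemonic and
# text, are assumptions for this example.
SAMPLE_LINES = [
    "Oct 12 20:29:12: %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0",
    "Oct 12 20:31:40: %STKUNIT1-M:CP %SEC-5-LOGIN_FAILURE: Login failed for user admin on line vty0",
    "<134>1 2016-03-22T12:52:01Z DellEMC - - - - %STKUNIT1-M:CP %SEC-5-LOGIN_FAILURE: Login failed for user admin on line vty1",
    "<134>1 2016-03-22T12:53:10Z DellEMC - - - - %STKUNIT1-M:CP %SEC-5-LOGIN_FAILURE: Login failed for user ops on line vty0",
    "<134>1 2016-03-22T12:55:00Z DellEMC - - - - %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from vty0",
    "this line is not syslog at all",
]

RFC5424_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$")
RFC3164_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}):? (?P<msg>.*)$")
# Dell message body: optional "%STKUNIT1-M:CP" unit tag, then %FACILITY-SEV-MNEMONIC: text
DELL_MSG_RE = re.compile(
    r"^(?:%(?P<unit>\S+) )?%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")


@dataclass
class SyslogEvent:
    fmt: str                 # "rfc3164" or "rfc5424"
    timestamp: str
    host: Optional[str]      # RFC 3164 lines from this switch carry no hostname
    facility: str
    severity: int
    mnemonic: str
    text: str
    user: Optional[str]
    line: Optional[str]


def parse_syslog_line(raw: str) -> Optional[SyslogEvent]:
    """Return a SyslogEvent, or None if the line is not a Dell syslog message."""
    m = RFC5424_RE.match(raw)
    if m:
        fmt, ts, host, msg = "rfc5424", m["ts"], m["host"], m["msg"]
    else:
        m = RFC3164_RE.match(raw)
        if not m:
            return None
        fmt, ts, host, msg = "rfc3164", m["ts"], None, m["msg"]
    d = DELL_MSG_RE.match(msg)
    if not d:
        return None
    user = re.search(r"\bfor user (\S+)", d["text"])
    line = re.search(r"\bon line (\S+)", d["text"])
    return SyslogEvent(fmt, ts, host, d["facility"], int(d["severity"]), d["mnemonic"],
                       d["text"], user.group(1) if user else None, line.group(1) if line else None)


def failed_logins_by_user(lines: Iterable[str]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for raw in lines:
        ev = parse_syslog_line(raw)
        if ev and ev.facility == "SEC" and ev.mnemonic == "LOGIN_FAILURE" and ev.user:
            counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


def users_over_threshold(lines: Iterable[str], threshold: int = 2) -> List[str]:
    """Users whose failed-login count reaches the threshold, for alerting."""
    return sorted(u for u, n in failed_logins_by_user(lines).items() if n >= threshold)


if __name__ == "__main__":
    print(failed_logins_by_user(SAMPLE_LINES))
    print("alert on:", users_over_threshold(SAMPLE_LINES))
```

Apply the same parser to the RBAC audit messages sent with logging extended; only the facility and mnemonic filters change.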
NOTE: If the number of VTY lines exceeds the configured maximum concurrent sessions and the same user attempts to log in a second or subsequent time, the system displays the Maximum concurrent sessions for the user reached message. You are allowed to clear an existing session and log in. If you do not want to clear any of the existing sessions, the system rejects the login attempt, because the maximum number of concurrent sessions for that user has been reached even though more VTY lines are available.
Configuration Task List for System Log Management

There are two configuration tasks for system log management:
• Disable System Logging
• Send System Messages to a Syslog Server

Disabling System Logging

By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers. To disable system logging, use the following commands.
• Disable all logging except on the console.
• Specify the minimum severity level for logging to the console.
  CONFIGURATION mode
  logging console level
• Specify the minimum severity level for logging to terminal lines.
  CONFIGURATION mode
  logging monitor level
• Specify the minimum severity level for logging to a syslog server.
  CONFIGURATION mode
  logging trap level
• Specify the minimum severity level for logging to the syslog history table.
  CONFIGURATION mode
  logging history level
• Specify the size of the logging buffer.
Oct 12 20:29:12: %STKUNIT1-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0

To view any changes made, use the show running-config logging command in EXEC Privilege mode.

Configuring a UNIX Logging Facility Level

You can save system log messages with a UNIX system logging facility. To configure a UNIX logging facility level, use the following command.
• Specify one of the following parameters.
1. Enter LINE mode.
   CONFIGURATION mode
   line {console 0 | vty number [end-number] | aux 0}
   Configure the following parameters for the virtual terminal lines:
   • number: the range is from zero (0) to 8.
   • end-number: the range is from 1 to 8.
   You can configure multiple virtual terminals at one time by entering a number and an end-number.
2. Configure a level and set the maximum number of messages to print.
[May 17 15:43:22]: CMD-(CLI):[show command-history]by default from console
DellEMC#
DellEMC#show logging
Syslog logging: enabled
    Console logging: disabled
    Monitor logging: level debugging
    Buffer logging: level debugging, 7 Messages Logged, Size (40960 bytes)
    Trap logging: level informational
Last logging buffer cleared: May 17 15:38:38
May 17 15:43:08 %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from console
May 17 15:42:52 %STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config in flash by default
May 17
[1d0h24m]: CMD-(CLI):[interface gigabitethernet 1/1]by default from console
[1d0h24m]: CMD-(CLI):[shutdown]by default from console
[1d0h24m]: CMD-(CLI):[no shutdown]by default from console
[1d0h25m]: CMD-(CLI):[end]by default from console
[1d0h25m]: CMD-(CLI):[write memory]by default from console - Repeated 1 time.
File Transfer Services

With Dell EMC Networking OS, you can configure the system to transfer files over the network using the file transfer protocol (FTP). One FTP application is copying the system image files over an interface onto the system; however, FTP is not supported on virtual local area network (VLAN) interfaces. FTP and TFTP carry credentials and file contents in clear text, so an image or configuration copied with them is exposed to anyone on the path; prefer an SSH-based transfer where the remote end supports it, and otherwise keep these transfers on a trusted management network. If you want the FTP or TFTP server to use a VRF table that is attached to an interface, you must configure the FTP or TFTP server to use a specific routing table.
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.

Configuring FTP Client Parameters
To configure FTP client parameters, use the following commands.
• Enter the following keywords and the interface information:
• For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
To view the configuration, use the show config command in LINE mode.
DellEMC(config-std-nacl)#show config
!
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
DellEMC(config-std-nacl)#line vty 0
DellEMC(config-line-vty)#show config
line vty 0
 access-class myvtyacl
DellEMC(conf-ipv6-acl)#do show run acl
!
ip access-list extended testdeny
 seq 10 deny ip 30.1.1.
password
In the following example, VTY lines 0-2 use a single authentication method, line.
Login:
Login: admin
Password:
DellEMC>exit
DellEMC#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
DellEMC#

Lock CONFIGURATION Mode
Dell EMC Networking OS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2).
Enter the stack-unit keyword and the stack unit number to view the reason for the last system reboot for that stack unit. Enter the stack-unit keyword and the keyword all to view the reason for the last system reboot of all stack units in the stack.
5 802.1X
802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example). 802.
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant.
Figure 5. EAP Port-Authentication

EAP over RADIUS
802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.

Figure 6. EAP Over RADIUS

RADIUS Attributes for 802.1X Support
Dell EMC Networking systems include the following RADIUS attributes in all 802.
Related Configuration Tasks
• Configuring Request Identity Re-Transmissions
• Forcibly Authorizing or Unauthorizing a Port
• Re-Authenticating a Port
• Configuring Timeouts
• Configuring a Guest VLAN
• Configuring an Authentication-Fail VLAN

Important Points to Remember
• Dell EMC Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
• All platforms support only RADIUS as the authentication server.
1. Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3. Enable 802.1X on the supplicant interface only.
INTERFACE mode
dot1x authentication
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. In the following example, the bold lines show that 802.1X is enabled.
CONFIGURATION mode
dot1x profile {profile-name}
profile-name — Enter the dot1x profile name. The profile name length is limited to 32 characters.
DellEMC(conf)#dot1x profile test
DellEMC(conf-dot1x-profile)#
DellEMC#show dot1x profile
802.1x profile information
----------------------------
Dot1x Profile test
Profile MACs 00:00:00:00:01:11

Configuring MAC addresses for a dot1x Profile
To configure a list of MAC addresses for a dot1x profile, use the mac command. You can configure 1 to 6 MAC addresses.
Port Auth Status: AUTHORIZED(STATIC-MAB)
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Enable
Guest VLAN id: 100
Auth-Fail VLAN: Enable
Auth-Fail VLAN id: 200
Auth-Fail Max-Attempts: 3
Critical VLAN: Enable
Critical VLAN id: 300
Mac-Auth-Bypass Only: Disable
Static-MAB: Enable
Static-MAB Profile: Sample
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 30 seconds
Server Timeout: 30 secon
Re-Auth Interval:
Max-EAP-Req:
Auth Type:
Auth PAE State:
Backend State:
Host Mode: SINGLE_HOST
Auth PAE State: Authenticated
Backend State: Idle

Configuring Request Identity Re-Transmissions
When the authenticator sends a Request Identity frame and the supplicant does not respond, the authenticator waits for 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator retransmits can be configured.
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize

Forcibly Authorizing or Unauthorizing a Port
The 802.1X ports can be placed into any of the three states:
• ForceAuthorized — an authorized state.
• Configure the authenticator to periodically re-authenticate the supplicant.
INTERFACE mode
dot1x reauthentication [interval] seconds
The range is from 1 to 31536000. The default is 3600.
• Configure the maximum number of times the supplicant can be re-authenticated.
INTERFACE mode
dot1x reauth-max number
The range is from 1 to 10. The default is 2.
The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period.
----------------------------
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State:
Figure 8. Dynamic VLAN Assignment
1. Configure 802.1X globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
2. Make the interface a switchport so that it can be assigned to a VLAN.
3. Create the VLAN to which the interface will be assigned.
4. Connect the supplicant to the port configured for 802.1X.
5.
Configuring a Guest VLAN
If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN.
NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using the dot1x guest-vlan command from INTERFACE mode.
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disabled
Guest VLAN id: 200
Auth-Fail VLAN: Disabled
Auth-Fail VLAN id: 100
Auth-Fail Max-Attempts: 5
Tx Period:
Quiet Period:
ReAuth Max:
Supplicant Timeout:
Server Timeout:
Re-Auth Interval:
Max-EAP-Req:
Auth Type:
Auth PAE State: Initialize
Backend State: Initialize
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)

Optimizing CAM Utilization During the Attachment of ACLs to VLANs
To minimize the number of entries in CAM, enable and configure the ACL CAM feature. Use this feature when you apply ACLs to a VLAN (or a set of VLANs) and when you apply ACLs to a set of ports. The ACL CAM feature allows you to effectively use the Layer 3 CAM space with VLANs and Layer 2 and Layer 3 CAM space with ports.
• The maximum number of members in an ACL VLAN group is determined by the type of switch and its hardware capabilities. This scaling limit depends on the number of slices that are allocated for ACL CAM optimization.
• If one slice is allocated, the maximum number of VLAN members is 256 for all ACL VLAN groups.
• If two slices are allocated, the maximum number of VLAN members is 512 for all ACL VLAN groups.
1,1000
DellEMC#

Configuring FP Blocks for VLAN Parameters
To allocate the number of FP blocks for the various VLAN processes on the system, use the cam-acl-vlan command. To reset the number of FP blocks to the default, use the no version of this command. By default, 0 groups are allocated for the ACL in VLAN content-aware processor (VCAP). ACL VLAN groups or CAM optimization is not enabled by default. You also must allocate the slices for CAM optimization.
1.
| | IPMAC ACL | | OUT-L2 ACL | | OUT-L3 ACL | | OUT-V6 ACL Codes: * - cam usage is above 90%.
Allocating FP Blocks for VLAN Processes
The VLAN content-aware processor (VCAP) application is a pre-ingress CAP that modifies the VLAN settings before packets are forwarded. To support ACL CAM optimization, the CAM carving feature is enhanced. A total of four VCAP groups are present: two fixed groups and two dynamic groups. Of the two dynamic groups, you can allocate zero, one, or two FP blocks to iSCSI Counters, Open Flow, and ACL Optimization. You can configure only two of these features at a time.
7 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
• Applying an IP ACL
• Configure Ingress ACLs
• Configure Egress ACLs
• IP Prefix Lists
• ACL Remarks
• ACL Resequencing
• Route Maps
• Logging of ACL Processes
• Flow-Based Monitoring

IP Access Control Lists (ACLs)
In Dell EMC Networking switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address.
Test CAM Usage This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs. To determine whether sufficient ACL CAM space is available to enable a service-policy, use this command. To verify the actual CAM space required, create a class map with all the required ACL rules, then execute the test cam-usage command in Privilege mode. The following example shows the output when executing this command.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore (without the keyword order), packets within the range 20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4. In cases where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules.
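The ordering effect described above, as an added example that is not part of the guide: a small Python model of a policy-map walking its class-maps, with acl1 (20.0.0.0/8) and acl2 (20.1.1.0/24) as constructed ACLs. It assumes first-match evaluation of class-maps in list order and an implicit deny at the end of each ACL; the list order is what the order keyword controls.

```python
"""Added example, not from the Dell EMC guide: a model of how a policy-map
walks its class-maps in order, so that overlapping ACL rules in two
class-maps give the queue assignment the text describes.

Assumptions (not stated by the guide): class-maps are evaluated in the order
given, a packet is classified by the first class-map whose ACL permits it,
and an ACL with no matching rule implicitly denies.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclRule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network       # source prefix the rule matches


@dataclass
class ClassMap:
    name: str
    rules: list                      # AclRule entries in sequence order
    queue: int                       # queue the policy-map buffers matches into


def acl_permits(rules, src_ip):
    """First-match ACL evaluation with an implicit deny at the end."""
    for rule in rules:
        if src_ip in rule.src:
            return rule.action == "permit"
    return False


def classify(class_maps, src_ip):
    """Return the queue of the first class-map whose ACL permits src_ip,
    or None if no class-map matches.  The list order is exactly what the
    'order' keyword lets you control on the switch."""
    ip = ipaddress.IPv4Address(src_ip)
    for cmap in class_maps:
        if acl_permits(cmap.rules, ip):
            return cmap.queue
    return None


def overlapping_rules(a, b):
    """Report (rule_a, rule_b) pairs where one source prefix contains the
    other; these are the cases where class-map order decides the outcome."""
    pairs = []
    for ra in a.rules:
        for rb in b.rules:
            if ra.src.subnet_of(rb.src) or rb.src.subnet_of(ra.src):
                pairs.append((ra, rb))
    return pairs


# Constructed class-maps mirroring the guide's scenario: acl1 permits the
# whole 20.0.0.0/8, acl2 permits the narrower 20.1.1.0/24 inside it.
CMAP1 = ClassMap("cmap1", [AclRule("permit", ipaddress.IPv4Network("20.0.0.0/8"))], queue=7)
CMAP2 = ClassMap("cmap2", [AclRule("permit", ipaddress.IPv4Network("20.1.1.0/24"))], queue=4)


def queue_without_order(src_ip="20.1.1.9"):
    """cmap1 is walked first, so a 20.1.1.0/24 packet lands in queue 7."""
    return classify([CMAP1, CMAP2], src_ip)


def queue_with_order(src_ip="20.1.1.9"):
    """With 'order' placing the more specific cmap2 first, it lands in queue 4."""
    return classify([CMAP2, CMAP1], src_ip)


if __name__ == "__main__":
    print("overlaps:", overlapping_rules(CMAP1, CMAP2))
    print("without order ->", queue_without_order())
    print("with order    ->", queue_with_order())
```

Running overlapping_rules over each pair of class-maps that feed different queues is a cheap pre-deployment check for exactly this surprise.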
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
The default is permit. The optional seq keyword allows you to assign a sequence number to the route map instance. The default action is permit and the default sequence number starts at 10. When you use the keyword deny in configuring a route map, routes that meet the match filters are not redistributed. To view the configuration, use the show config command in ROUTE-MAP mode.
• set commands change the characteristics of routes, either adding something or specifying a level. When there are multiple match commands with the same parameter under one instance of route-map, Dell EMC Networking OS does a match between all of those match commands. If there are multiple match commands with different parameters, Dell EMC Networking OS does a match ONLY if there is a match among ALL the match commands.
• CONFIG-ROUTE-MAP mode
match ip address prefix-list-name
• Match destination routes specified in a prefix list (IPv6).
CONFIG-ROUTE-MAP mode
match ipv6 address prefix-list-name
• Match next-hop routes specified in a prefix list (IPv4).
CONFIG-ROUTE-MAP mode
match ip next-hop {access-list-name | prefix-list prefix-list-name}
• Match next-hop routes specified in a prefix list (IPv6).
• set metric-type {external | internal | type-1 | type-2}
• Assign an IP address as the route’s next hop.
CONFIG-ROUTE-MAP mode
set next-hop ip-address
• Assign an IPv6 address as the route’s next hop.
CONFIG-ROUTE-MAP mode
set ipv6 next-hop ip-address
• Assign an ORIGIN attribute.
CONFIG-ROUTE-MAP mode
set origin {egp | igp | incomplete}
• Specify a tag for the redistributed routes.
CONFIG-ROUTE-MAP mode
set tag tag-value
• Specify a value as the route’s weight.
Example of the redistribute Command Using a Route Tag
!
router rip
 redistribute ospf 34 metric 1 route-map torip
!
route-map torip permit 10
 match route-type internal
 set tag 34
!

Continue Clause
Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found.
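An added Python model (not the guide's own code) of the match semantics stated earlier (same parameter ORed, different parameters ANDed), together with permit/deny and the continue clause described here. The "torip" route-map is extended with constructed entries 20 and 30; the assumptions that a route matching no entry is denied, and that a route permitted by an entry whose continue finds no later match stays permitted, are mine and not stated by the guide.

```python
"""Added example, not from the Dell EMC guide: a model of route-map
evaluation with the match semantics the text describes (several match
commands on the same parameter are ORed, different parameters are ANDed)
plus permit/deny and the continue clause.

Assumptions not stated by the guide: a route that matches no entry is
dropped (implicit deny), and a route permitted by an entry whose continue
leads to no further match stays permitted with the sets already applied.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RouteMapEntry:
    seq: int
    action: str                                   # "permit" or "deny"
    matches: list = field(default_factory=list)   # (parameter, value) pairs
    sets: dict = field(default_factory=dict)      # attribute -> new value
    continue_to: Optional[int] = None             # None: stop; 0: next entry; n: entry seq n


def entry_matches(entry, route):
    """Group match commands by parameter: OR inside a group, AND across groups.
    An entry with no match commands matches every route."""
    groups = {}
    for param, value in entry.matches:
        groups.setdefault(param, set()).add(value)
    return all(route.get(param) in values for param, values in groups.items())


def apply_route_map(entries, route):
    """Run route through the route-map.  Returns the (possibly modified)
    route if permitted, or None if denied."""
    entries = sorted(entries, key=lambda e: e.seq)
    route = dict(route)
    permitted = False
    idx = 0
    while idx < len(entries):
        entry = entries[idx]
        if not entry_matches(entry, route):
            idx += 1
            continue
        if entry.action == "deny":
            return None                       # deny: route is not redistributed
        route.update(entry.sets)              # set clauses of the matching entry
        permitted = True
        if entry.continue_to is None:
            return route                      # normal case: stop at first match
        if entry.continue_to == 0:
            idx += 1                          # continue: fall into the next entry
        else:                                 # continue <seq>: jump forward to it
            later = [i for i, e in enumerate(entries)
                     if e.seq == entry.continue_to and e.seq > entry.seq]
            if not later:
                return route
            idx = later[0]
    return route if permitted else None       # end of map: implicit deny


# Constructed route-map extending the guide's "torip" example: entry 10 tags
# internal routes and continues; entry 20 sets the metric only for routes that
# carry tag 34 OR 35 AND are type-1; entry 30 denies external routes.
TORIP = [
    RouteMapEntry(10, "permit", [("route_type", "internal")], {"tag": 34}, continue_to=0),
    RouteMapEntry(20, "permit", [("tag", 34), ("tag", 35), ("metric_type", "type-1")], {"metric": 5}),
    RouteMapEntry(30, "deny", [("route_type", "external")]),
]

# Constructed sample routes.
R_INT1 = {"prefix": "10.1.0.0/16", "route_type": "internal", "metric_type": "type-1", "metric": 1}
R_INT2 = {"prefix": "10.2.0.0/16", "route_type": "internal", "metric_type": "type-2", "metric": 1}
R_EXT = {"prefix": "192.0.2.0/24", "route_type": "external", "metric_type": "type-1", "metric": 1}


def evaluate(route):
    return apply_route_map(TORIP, route)


if __name__ == "__main__":
    for r in (R_INT1, R_INT2, R_EXT):
        print(r["prefix"], "->", evaluate(r))
```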
Example of Denying Second and Subsequent Fragments
DellEMC(conf)#ip access-list extended ABC
DellEMC(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
DellEMC(conf-ext-nacl)#permit ip any 10.1.1.1/32
DellEMC(conf-ext-nacl)

Layer 4 ACL Rules Examples
The following examples show the ACL commands for Layer 4 packet filtering.
Permit an ACL line with L3 information only, and the fragments keyword is present: If a packet’s L3 information matches the L3 information in the ACL line, the packet's FO is checked.
A standard IP ACL uses the source IP address as its match criterion.
1. Enter IP ACCESS LIST mode by naming a standard IP access list.
CONFIGURATION mode
ip access-list standard access-list-name
2. Configure a drop or forward filter.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte] [dscp] [order] [monitor [session-id]] [fragments]
NOTE: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter.
they were configured (for example, the first filter was given the lowest sequence number). The show config command in IP ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
DellEMC(config-route-map)#ip access standard acl1
DellEMC(config-std-nacl)#permit 10.1.0.0/16 monitor 177
DellEMC(config-std-nacl)#show config
!
ip access-list standard acl1
 seq 5 permit 10.1.0.
seq sequence-number {deny | permit} tcp {source mask | any | host ip-address} [count [byte]] [order] [monitor [session-id]] [fragments]

Configure Filters, UDP Packets
To create a filter for UDP packets with a specified sequence number, use the following commands.
1. Create an extended IP ACL and assign it a unique name.
CONFIGURATION mode
ip access-list extended access-list-name
2. Configure an extended IP ACL filter for UDP packets.
 seq 5 deny tcp host 123.55.34.0 any
 seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0 monitor 111
DellEMC(config-ext-nacl)#
To view all configured IP ACLs and the number of packets processed through the ACL, use the show ip accounting access-list command in EXEC Privilege mode, as shown in the first example in Configure a Standard IP ACL Filter.

Configure Layer 2 and Layer 3 ACLs
Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode.
3. Apply an IP ACL to traffic entering or exiting an interface.
INTERFACE mode
ip access-group access-list-name {in} [implicit-permit] [vlan vlan-range | vrf vrf-range] [layer3]
NOTE:
• The number of entries allowed per ACL is hardware-dependent. For detailed specification about entries allowed per ACL, refer to your line card documentation.
• One usage scenario is to avoid the ACL being applied to the Layer 2 traffic that comes in via the ICL. The layer3 keyword can be used at the VLAN level.
4.
DellEMC(config-ext-nacl)#permit tcp any any
DellEMC(config-ext-nacl)#deny icmp any any
DellEMC(config-ext-nacl)#permit 1.1.1.2
DellEMC(config-ext-nacl)#end
DellEMC#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigabitethernet 1/1
 seq 5 permit tcp any any
 seq 10 deny icmp any any
 seq 15 permit 1.1.1.2

Configure Egress ACLs
Egress ACLs are applied to line cards and affect the traffic leaving the system.
Applying Egress Layer 3 ACLs (Control-Plane) By default, packets originated from the system are not filtered by egress ACLs. For example, if you initiate a ping session from the system and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic.
Configuration Task List for Prefix Lists To configure a prefix list, use commands in PREFIX LIST, ROUTER RIP, ROUTER OSPF, and ROUTER BGP modes. Create the prefix list in PREFIX LIST mode and assign that list to commands in ROUTER RIP, ROUTER OSPF and ROUTER BGP modes. The following list includes the configuration tasks for prefix lists, as described in the following sections.
The optional parameters are:
• ge min-prefix-length: is the minimum prefix length to be matched (0 to 32).
• le max-prefix-length: is the maximum prefix length to be matched (0 to 32).
The example shows a prefix list in which the sequence numbers were assigned by the software. The filters were assigned sequence numbers based on the order in which they were configured (for example, the first filter was given the lowest sequence number).
• CONFIGURATION mode
router rip
• Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a nonexistent prefix list, all routes are forwarded.
CONFIG-ROUTER-RIP mode
distribute-list prefix-list-name in [interface]
• Apply a configured prefix list to outgoing routes. You can specify an interface or type of route. If you enter the name of a non-existent prefix list, all routes are forwarded.
To remove a remark, use the no remark command with the remark string and with or without the sequence number. If there is a matching string, the system deletes the remark.

Configuring a Remark
To write a remark for an ACL, follow these steps:
1. Create either an extended IPv4 or IPv6 ACL.
CONFIGURATION mode
ip access-list {extended | standard} access-list-name
ipv6 access-list {extended | standard} access-list-name
2. Define the ACL rule.
ACL Resequencing
ACL resequencing allows you to re-number the rules and remarks in an access or prefix list. The placement of rules within the list is critical because packets are matched against rules in sequential order. Use resequencing whenever there is no room to order new rules using the current numbering scheme. For example, the following table contains some rules that are numbered in increments of 1.
DellEMC# show running-config acl
!
ip access-list extended test
 remark 2 XYZ
 remark 4 this remark corresponds to permit any host 1.1.1.1
 seq 4 permit ip any host 1.1.1.1
 remark 6 this remark has no corresponding rule
 remark 8 this remark corresponds to permit ip any host 1.1.1.2
 seq 8 permit ip any host 1.1.1.2
 seq 10 permit ip any host 1.1.1.3
 seq 12 permit ip any host 1.1.1.4
Remarks that do not have a corresponding rule are incremented as a rule.
When ACL logging is configured, and a frame reaches an ACL-enabled interface and matches the ACL, a log is generated to indicate that the ACL entry matched the packet. When you enable ACL log messages, at times, depending on the volume of traffic, it is possible that a large number of logs might be generated that can impact the system performance and efficiency. To avoid an overload of ACL logs from being recorded, you can configure the rate-limiting functionality.
Configuring ACL Logging
This functionality is supported on the platform. To configure the maximum number of ACL log messages to be generated and the frequency at which these messages must be generated, perform the following steps:
NOTE: This example describes the configuration of ACL logging for standard IP access lists. You can enable the logging capability for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended MAC ACLs.
1.
TCP packets. The ACL rule describes the traffic that you want to monitor, and the ACL in which you are creating the rule is applied to the monitored interface. Flow monitoring is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs.
flow-based enable
2. Define access-list rules that include the keyword monitor. Dell Networking OS only considers port monitoring traffic that matches rules with the keyword monitor.
CONFIGURATION mode
ip access-list
For more information, see Access Control Lists (ACLs).
3. Apply the ACL to the monitored port.
INTERFACE mode
ip access-group access-list
To view an access-list that you applied to an interface, use the show ip accounting access-list command from EXEC Privilege mode.
8 Bidirectional Forwarding Detection (BFD)
BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 9. BFD in IPv4 Packet Format
Field: Description
Diagnostic Code: The reason that the last session failed.
State: The current local session state. Refer to BFD Sessions.
Flag: A bit that indicates packet function.
Your Discriminator: A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Desired Min TX Interval: The minimum rate at which the local system would like to send control packets to the remote system.
State: Description
Up: Both systems are exchanging control packets.
The session is declared down if:
• A control packet is not received within the detection time.
• Sufficient echo packets are lost.
• Demand mode is active and a control packet is not received in response to a poll packet.

BFD Three-Way Handshake
A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 11.
• Configuring Protocol Liveness

Configure BFD for Physical Ports
Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
TX: 100ms, RX: 100ms, Multiplier: 4
Role: Passive
Delete session on Down: False
Client Registered: CLI
Uptime: 00:09:06
Statistics:
Number of packets received from neighbor: 4092
Number of packets sent to neighbor: 4093
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 7

Disabling and Re-Enabling BFD
BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured.
Establishing Sessions for Static Routes for Default VRF
Sessions are established for all neighbors that are the next hop of a static route on the default VRF.
Figure 12. Establishing Sessions for Static Routes
To establish a BFD session, use the following command.
• Establish BFD sessions for all neighbors that are the next hop of a static route.
ip route bfd vrf vrf2
ip route bfd vrf vrf1 prefix-list p4_le
The following example shows that sessions are created for static routes for the default VRF.
Dell#show bfd neighbors
* - Active session role
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
O3 - OSPFv3
R - Static Route (RTM)
M - MPLS
V - VRRP
VT - Vxlan Tunnel
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 11.1.1.1 11.1.1.2 Gi 1/1 Up 200 200 3 R
* 21.1.1.1 21.1.1.2 Vl 100 Up 200 200 3 R
* 31.1.1.1 31.1.1.
• If other destination prefixes in the prefix-list are pointing to the same neighbor, then the no permit or the deny option on a particular destination prefix neither creates a BFD session on a neighbor nor removes the static routes from the unicast database. BFD sessions created using any one IP prefix list are active at any given point in time. If a new prefix list is assigned, then BFD sessions corresponding to the older (existing) prefix list are replaced with the newer ones.
R1(conf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
O3 - OSPFv3
R - Static Route (RTM)
M - MPLS
V - VRRP
VT - Vxlan Tunnel
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 11::1 11::2 Gi 1/1 Up 200 200 3 R
To view detailed session information, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information.
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
O3 - OSPFv3
R - Static Route (RTM)
M - MPLS
V - VRRP
VT - Vxlan Tunnel
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult VRF Clients
* 13::1 13::2 Gi 1/1 Up 200 200 3 2 R
* 23::1 23::2 Vl 300 Up 200 200 3 2 R
* 33::1 33::2 Vl 301 Up 200 200 3 2 R

Changing IPv6 Static Route Session Parameters
BFD sessions are configured with default intervals and a default role.
Establishing Sessions with OSPF Neighbors for the Default VRF
BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.
Figure 13. Establishing Sessions with OSPF Neighbors
To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands.
• Enable BFD globally.
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2 2.2.2.1 Gi 2/1 Up 100 100 3 O
* 2.2.3.1 2.2.3.2 Gi 2/2 Up 100 100 3 O

Establishing Sessions with OSPF Neighbors for nondefault VRFs
To configure BFD in a nondefault VRF, follow this procedure:
• Enable BFD globally.
CONFIGURATION mode
bfd enable
• Establish sessions with all OSPF neighbors in a specific VRF.
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 250ms, RX: 300ms, Multiplier: 4
Actual parameters:
TX: 300ms, RX: 250ms, Multiplier: 3
Role: Active
Delete session on Down: False
Client Registered: CLI
Uptime: 00:02:04
Statistics:
Number of packets received from neighbor: 376
Number of packets sent to neighbor: 314
Number of state changes: 2
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 6
DellEMC#
Changing OS
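An added Python example, not from the guide, that serves both the BFD Packet Format table earlier in this chapter and the Configured/Neighbor/Actual parameters shown in the detail output above: it packs and parses the RFC 5880 control packet (the fields the table lists) with the receive-side validity checks, and derives the actual intervals and detection time from the two sides' parameters. The discriminators and intervals used are constructed values; the negotiation rule is the RFC 5880 one and reproduces the 300ms/250ms shown above.

```python
"""Added example, not from the Dell EMC guide: encode and decode the RFC 5880
BFD control packet whose fields the packet-format table lists, and derive
the 'Actual parameters' shown in show bfd neighbors detail from the
configured and neighbor parameters.

Assumption: the actual intervals follow RFC 5880 negotiation (each side's
transmit interval is the larger of its own desired TX and the peer's
required RX); discriminators below are constructed sample values.
"""
import struct
from dataclasses import dataclass

# Mandatory 24-byte control packet header (RFC 5880, section 4.1), big-endian.
HDR = struct.Struct("!BBBBIIIII")
STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
DIAGS = {
    0: "No Diagnostic", 1: "Control Detection Time Expired",
    2: "Echo Function Failed", 3: "Neighbor Signaled Session Down",
    4: "Forwarding Plane Reset", 5: "Path Down", 6: "Concatenated Path Down",
    7: "Administratively Down", 8: "Reverse Concatenated Path Down",
}
# Flag bits in the second byte: Poll, Final, Control Plane Independent,
# Authentication Present, Demand, Multipoint.
FLAG_P, FLAG_F, FLAG_C, FLAG_A, FLAG_D, FLAG_M = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01


@dataclass
class BfdControl:
    diag: int
    state: int
    flags: int
    detect_mult: int
    my_disc: int
    your_disc: int
    desired_min_tx_us: int
    required_min_rx_us: int
    required_min_echo_rx_us: int = 0
    version: int = 1

    def pack(self) -> bytes:
        return HDR.pack(
            (self.version << 5) | (self.diag & 0x1F),
            (self.state << 6) | (self.flags & 0x3F),
            self.detect_mult, HDR.size,
            self.my_disc, self.your_disc,
            self.desired_min_tx_us, self.required_min_rx_us,
            self.required_min_echo_rx_us,
        )

    @classmethod
    def unpack(cls, data: bytes) -> "BfdControl":
        """Parse and apply the receive-side validity checks of RFC 5880 6.8.6."""
        if len(data) < HDR.size:
            raise ValueError("short packet")
        b0, b1, mult, length, my, your, tx, rx, echo = HDR.unpack_from(data)
        version, diag = b0 >> 5, b0 & 0x1F
        state, flags = b1 >> 6, b1 & 0x3F
        if version != 1:
            raise ValueError("unsupported version")
        if length < HDR.size or length > len(data):
            raise ValueError("bad length field")
        if mult == 0:
            raise ValueError("detect mult must be nonzero")
        if my == 0:
            raise ValueError("my discriminator must be nonzero")
        if your == 0 and state not in (0, 1):
            raise ValueError("your discriminator may be zero only in Down/AdminDown")
        return cls(diag, state, flags, mult, my, your, tx, rx, echo, version)


def negotiate(local_tx_ms, local_rx_ms, remote_tx_ms, remote_rx_ms, remote_mult):
    """Return (actual TX, actual RX, detection time) in ms.
    Actual TX = max(local desired TX, remote required RX); actual RX =
    max(local required RX, remote desired TX); detection time in
    asynchronous mode = remote multiplier * actual RX (RFC 5880 6.8.4)."""
    actual_tx = max(local_tx_ms, remote_rx_ms)
    actual_rx = max(local_rx_ms, remote_tx_ms)
    return actual_tx, actual_rx, remote_mult * actual_rx


def roundtrip_example():
    """Build the Up-state packet the local side would send and parse it back
    (constructed discriminators, 100ms intervals expressed in microseconds)."""
    pkt = BfdControl(diag=0, state=3, flags=0, detect_mult=3, my_disc=9, your_disc=10,
                     desired_min_tx_us=100_000, required_min_rx_us=100_000)
    wire = pkt.pack()
    return wire, BfdControl.unpack(wire)


if __name__ == "__main__":
    print(negotiate(100, 100, 250, 300, 4))   # (300, 250, 1000) for the output above
    wire, parsed = roundtrip_example()
    print(wire.hex(), STATES[parsed.state], DIAGS[parsed.diag])
```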
Related Configuration Tasks
• Changing OSPFv3 Session Parameters
• Disabling BFD for OSPFv3

Establishing Sessions with OSPFv3 Neighbors
You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPFv3 adjacency is in the Full state. To establish BFD with all OSPFv3 neighbors or with OSPFv3 neighbors on a single interface, use the following commands.
• Establish sessions with all OSPFv3 neighbors.
NOTE: You can create up to a maximum of 128 BFD sessions (combination of OSPFv2 and OSPFv3 with a timer of 300*300*3) for both default and nondefault VRFs.
• ROUTER-OSPFv3 mode
bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
• Change parameters for OSPFv3 sessions on a single interface.
INTERFACE mode
ipv6 ospf bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]

Disabling BFD for OSPFv3
If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state.
Establishing Sessions with IS-IS Neighbors
BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface.
Figure 14. Establishing Sessions with IS-IS Neighbors
To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.
• Establish sessions with all IS-IS neighbors.
ROUTER-ISIS mode
bfd all-neighbors
• Establish sessions with IS-IS neighbors on a single interface.
Changing IS-IS Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface. If you change a parameter globally, the change affects all IS-IS neighbor sessions.
Figure 15. Establishing Sessions with BGP Neighbors
The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor:
• By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command).
• By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command).
BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
2. Specify the AS number and enter ROUTER BGP configuration mode.
CONFIGURATION mode
router bgp as-number
3. Add a BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP mode
neighbor {ip-address | peer-group name} remote-as as-number
4. Enable the BGP neighbor.
CONFIG-ROUTERBGP mode
neighbor {ip-address | peer-group-name} no shutdown
5. Add a BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP mode
neighbor {ipv6-address | peer-group name} remote-as as-number
6. Enable the BGP neighbor.
3. Specify the address family as IPv4.
CONFIG-ROUTERBGP mode
address-family ipv4 vrf vrf-name
4. Add an IPv4 BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP_ADDRESSFAMILY mode
neighbor {ip-address | peer-group name} remote-as as-number
5. Enable the BGP neighbor.
CONFIG-ROUTERBGP_ADDRESSFAMILY mode
neighbor {ip-address | peer-group-name} no shutdown
6. Add an IPv6 BGP neighbor or peer group in a remote AS.
Disabling BFD for BGP
You can disable BFD for BGP. To disable a BFD for BGP session with a specified neighbor, use the first command. To remove the disabled state of a BFD for BGP session with a specified neighbor, use the second command. The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.
• Disable a BFD for BGP session with a specified neighbor.
* 2.2.2.3   2.2.2.2   Gi 6/2   Up   200   200   3   B
* 3.3.3.3   3.3.3.2   Gi 6/3   Up   200   200   3   B
The following example shows viewing BFD neighbors with full detail. The bold lines show the BFD session parameters: TX (packet transmission), RX (packet reception), and multiplier (maximum number of missed packets).
R2# show bfd neighbors detail
Session Discriminator: 9
Neighbor Discriminator: 10
Local Addr: 1.1.1.3
Local MAC Addr: 00:01:e8:66:da:33
Remote Addr: 1.1.1.
1.1.1.2   1   282   281   0   0   0     00:38:12   0
2.2.2.2   1   273   273   0   0   (0)   04:32:26   0
3.3.3.2   1   282   281   0   0   0     00:38:12   0
The following example shows viewing BFD information for a specified neighbor. The bold lines show the message displayed when you enable a BFD session with different configurations:
• Message displayed when you enable a BFD session with a BGP neighbor that inherits the global BFD session settings configured with the global bfd all-neighbors command.
Peer active in peer-group outbound optimization
...
Configure BFD for VRRP
When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the route processor module (RPM). BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred.
Configuring BFD for VRRP is a three-step process:
1. Enable BFD globally.
Establishing VRRP Sessions on VRRP Neighbors
The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. VRRP BFD sessions on the backup router cannot change to the UP state. Configure the master router to establish an individual VRRP session with the backup router. To establish a session with a particular VRRP neighbor, use the following command.
• Establish a session with a particular VRRP neighbor.
Disabling BFD for VRRP
If you disable any or all VRRP sessions, the sessions are torn down. A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to the Down state. To disable all VRRP sessions on an interface, sessions for a particular VRRP group, or a particular VRRP session on an interface, use the following commands.
• Disable all VRRP sessions on an interface.
  INTERFACE mode
  no vrrp bfd all-neighbors
• Disable all VRRP sessions in a VRRP group.
9 Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP) is an interdomain routing protocol that manages routing between edge routers. BGP uses an algorithm to exchange routing information between switches enabled with BGP. BGP determines a path to reach a particular destination using certain attributes while avoiding routing loops. BGP selects a single path as the best path to a destination network or host. You can also influence BGP to select a different path by altering some of the BGP attributes.
Figure 17. BGP Topology with autonomous systems (AS)
BGP version 4 (BGPv4) supports classless interdomain routing (CIDR), aggregate routes, and AS paths. BGP is a path vector protocol: it maintains the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are easily detected and discarded.
Figure 18. BGP Routers in Full Mesh
The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible.
AS4 Number Representation
Dell EMC Networking OS supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot.
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported.
• AS numbers larger than 65535 are represented using ASDOT notation. For example: AS 65546 is represented as 1.10.
ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS numbers less than 65536 appear in integer format (asplain); AS numbers equal to or greater than 65536 appear in the decimal format (asdot+). For example, the AS number 65526 appears as 65526 and the AS number 65546 appears as 1.10.
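The following is an added example, not code from the Dell EMC guide: it converts an AS number between the three representations described above, using the rules the guide states (asdot+ is always the dotted high.low form, asdot keeps numbers below 65536 as plain integers) together with RFC 5396. The notation names match the guide's bgp asnotation keywords; the ASNs 65526 and 65546 are the guide's own, the rest are constructed.

```python
# Added example, not from the Dell EMC guide: converting a BGP AS number between
# the three representations the guide names (asplain, asdot+, asdot). The rules
# follow the guide's text and RFC 5396. Input values other than the guide's
# 65526 and 65546 are constructed.
import re

ASN_MAX = 4_294_967_295          # largest 4-byte AS number
DOTTED = re.compile(r"^(\d+)\.(\d+)$")


def parse_asn(text: str) -> int:
    """Accept asplain ('65546'), asdot+ ('1.10') or asdot ('1.10' / '65526') and
    return the integer ASN. Raises ValueError on malformed or out-of-range input,
    which is what a configuration validator wants instead of silent truncation."""
    m = DOTTED.match(text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > 65535 or low > 65535:
            raise ValueError(f"dotted ASN component out of range: {text}")
        return (high << 16) | low
    if not text.isdigit():
        raise ValueError(f"not an AS number: {text!r}")
    value = int(text)
    if value > ASN_MAX:
        raise ValueError(f"ASN exceeds 32 bits: {text}")
    return value


def format_asn(asn: int, notation: str) -> str:
    """Render an integer ASN in the requested notation; the notation names are
    the keywords of the guide's 'bgp asnotation' command."""
    if not 0 <= asn <= ASN_MAX:
        raise ValueError(f"ASN out of range: {asn}")
    if notation == "asplain":
        return str(asn)
    if notation == "asdot+":                      # always high.low
        return f"{asn >> 16}.{asn & 0xFFFF}"
    if notation == "asdot":                       # plain below 65536, else high.low
        return str(asn) if asn < 65536 else f"{asn >> 16}.{asn & 0xFFFF}"
    raise ValueError(f"unknown notation: {notation}")


def needs_four_byte_support(asn: int) -> bool:
    """True when the ASN does not fit the 2-byte field, i.e. when the guide says
    entering it enables 4-byte AS support automatically."""
    return asn > 65535


if __name__ == "__main__":
    for text in ("65526", "65546", "1.10", "0.65526"):
        asn = parse_asn(text)
        print(text, "->", asn,
              {n: format_asn(asn, n) for n in ("asplain", "asdot+", "asdot")})
```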
DellEMC(conf-router_bgp)#no bgp four-octet-as-support
DellEMC(conf-router_bgp)#sho conf
!
router bgp 100
 neighbor 172.30.1.250 local-as 65057
DellEMC(conf-router_bgp)#do show ip bgp
BGP table version is 28093, local router ID is 172.30.1.57
Four-Byte AS Numbers
You can use the 4-Byte (32-bit) format when configuring autonomous system numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message.
State         Description
              If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active        The router resets the ConnectRetry timer to zero and returns to the Connect state.
OpenSent      After a successful OpenSent transition, the router sends an Open message and waits for one in return.
OpenConfirm   After the Open message parameters are agreed between peers, the neighbor relation is established and is in the OpenConfirm state.
mode, Dell EMC Networking OS compares MED between the adjacent paths within an AS group because all paths in the AS group are from the same AS.
NOTE: The bgp bestpath as-path multipath-relax command is disabled by default, preventing BGP from load-balancing a learned route across two or more eBGP peers. To enable load-balancing across different eBGP peers, enable the bgp bestpath as-path multipath-relax command.
    c. the paths were received from an IBGP or EBGP neighbor, respectively.
10. If the bgp bestpath router-id ignore command is enabled and:
    a. the Router-ID is the same for multiple paths (because the routes were received from the same router), skip this step.
    b. the Router-ID is NOT the same for multiple paths, prefer the path that was first received as the Best Path. The path selection algorithm returns without performing any of the checks detailed here.
11.
Figure 20. BGP Local Preference
Multi-Exit Discriminators (MEDs)
If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 21. Multi-Exit Discriminators
NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites the IGP MED.
Origin
The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, and INCOMPLETE.
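As an added example (not code from the Dell EMC guide), the following is a small model of the best-path comparison described across the preceding sections: weight, LOCAL_PREF, AS-path length, origin, MED, eBGP over iBGP, and the router-ID tie-break, including step 10 above (with bgp bestpath router-id ignore the tie goes to the first-received path). Two guide-specific behaviours are built in: a missing MED counts as the worst path (0xffffffff), and MED is compared only among paths from the same neighbor AS (deterministic MED). The step order is the standard BGP decision process, not a claim about the exact Dell EMC implementation, and the sample paths are constructed.

```python
# Added example, not from the Dell EMC guide: a model of the BGP best-path
# comparison the guide walks through. Step order follows the standard BGP
# decision process; guide-specific points built in: missing MED = worst
# (0xffffffff), deterministic MED (compare MED only within a neighbor-AS
# group), and 'bgp bestpath router-id ignore' preferring the first-received
# path. The sample paths are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}   # lower is preferred
MISSING_MED = 0xFFFFFFFF                              # guide: missing MED is worst


@dataclass(frozen=True)
class Path:
    name: str                  # label used only by this example
    as_path: Tuple[int, ...]   # empty for an iBGP-learned local route
    local_pref: int = 100      # guide: default LOCAL_PREF is 100
    weight: int = 0
    origin: str = "IGP"
    med: Optional[int] = None  # None = attribute absent
    ebgp: bool = True
    router_id: str = "0.0.0.0"
    received_order: int = 0    # lower = received earlier


def effective_med(p: Path) -> int:
    return MISSING_MED if p.med is None else p.med


def neighbor_as(p: Path) -> Optional[int]:
    return p.as_path[0] if p.as_path else None


def compare(a: Path, b: Path, compare_med: bool, router_id_ignore: bool) -> int:
    """Negative if a is better than b, positive if b is better, 0 if equal."""
    if a.weight != b.weight:
        return b.weight - a.weight                    # higher weight wins
    if a.local_pref != b.local_pref:
        return b.local_pref - a.local_pref            # higher LOCAL_PREF wins
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) - len(b.as_path)        # shorter AS path wins
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return ORIGIN_RANK[a.origin] - ORIGIN_RANK[b.origin]
    if compare_med and effective_med(a) != effective_med(b):
        return effective_med(a) - effective_med(b)    # lower MED wins
    if a.ebgp != b.ebgp:
        return -1 if a.ebgp else 1                    # eBGP over iBGP
    if router_id_ignore or a.router_id == b.router_id:
        return a.received_order - b.received_order    # guide step 10: first received
    return (int(ipaddress.IPv4Address(a.router_id))
            - int(ipaddress.IPv4Address(b.router_id)))  # lower router ID wins


def best_of(paths: List[Path], compare_med: bool, router_id_ignore: bool) -> Path:
    best = paths[0]
    for p in paths[1:]:
        if compare(p, best, compare_med, router_id_ignore) < 0:
            best = p
    return best


def select_best_path(paths: List[Path], router_id_ignore: bool = False) -> Path:
    """Deterministic MED: pick a winner inside each neighbor-AS group with MED
    compared, then compare the group winners without MED."""
    groups: Dict[Optional[int], List[Path]] = {}
    for p in paths:
        groups.setdefault(neighbor_as(p), []).append(p)
    winners = [best_of(g, True, router_id_ignore) for g in groups.values()]
    return best_of(winners, False, router_id_ignore)


if __name__ == "__main__":
    sample = [   # constructed: three paths to the same prefix
        Path("A", (200,), med=50, router_id="10.0.0.2", received_order=1),
        Path("B", (200,), med=None, router_id="10.0.0.3", received_order=0),
        Path("C", (300,), med=10, router_id="10.0.0.1", received_order=2),
    ]
    print(select_best_path(sample).name)                         # C
    print(select_best_path(sample, router_id_ignore=True).name)  # A
```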
Example of Viewing AS Paths
DellEMC#show ip bgp paths
Total 30655 Paths
Refcount   Metric   Path
3          18508    701 3549 19421 i
3          18508    701 7018 14990 i
3          18508    209 4637 1221 9249 9249 i
2          18508    701 17302 i
26         18508    209 22291 i
75         18508    209 3356 2529 i
2          18508    209 1239 19265 i
1          18508    701 2914 4713 17935 i
162        18508    209 i
2          18508    701 19878 ?
31         18508    209 18756 i
2          18508    209 7018 15227 i
10         18508    209 3356 13845 i
3          18508    209 701 6347 7781 i
1          18508    701 3561 9116 21350 i
Next Hop
The next hop is the IP address used to
IPv4 and IPv6 address family
The IPv4 address family configuration in Dell EMC Networking OS is used for identifying routing sessions for protocols that use IPv4 addresses. You can specify multicast within the IPv4 address family. The default address family configuration is IPv4 unicast. You can configure VRF instances for the IPv4 address family configuration. The IPv6 address family configuration is used for identifying routing sessions for protocols that use IPv6 addresses.
Item        Default
            reuse = 750
            suppress = 2000
            max-suppress-time = 60 minutes
Distance    external distance = 20
            internal distance = 200
            local distance = 200
Timers      keepalive = 60 seconds
            holdtime = 180 seconds
Add-path    Disabled
Implement BGP with Dell EMC Networking OS
The following sections describe how to implement BGP on Dell EMC Networking OS.
Ignore Router-ID in Best-Path Calculation
You can avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath router-id ignore command reduces network disruption caused by routing and forwarding plane changes and allows for faster convergence.
AS Number Migration
With this feature you can transparently change the AS number of an entire BGP network and ensure that the routes are propagated throughout the network while the migration is in progress.
BGP4 Management Information Base (MIB)
The FORCE10-BGP4-V2-MIB enhances support for BGP management information base (MIB) with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website.
NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
Configuration Information
The software supports BGPv4 as well as the following:
• deterministic multi-exit discriminator (MED) (default)
• a path with a missing MED is treated as the worst path and assigned an MED value of 0xffffffff
• the community format follows RFC 1998
• delayed configuration (the software at system boot reads the entire configuration file prior to sending messages to start BGP peer sessions)
The following are not yet supported:
• auto-summarization (the default is no auto-summary)
• s
   CONFIGURATION mode
   router bgp as-number
   • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format). Only one AS is supported per system.
   NOTE: If you enter a 4-Byte AS number, 4-Byte AS support is enabled automatically.
2. Add a BGP neighbor or peer and AS number.
NOTE: The show config command in CONFIGURATION ROUTER BGP mode gives the same information as the show running-config bgp command.
The following example displays two neighbors: one is an external BGP neighbor and the second one is an internal BGP neighbor. The first line of the output for each neighbor displays the AS number and states whether the link is external or internal (shown in bold). The third line of the show ip bgp neighbors output contains the BGP State.
The following example shows the show ip bgp summary command output (4-byte AS number displays).
R2#show ip bgp summary
BGP router identifier 1.1.1.1, local 80000
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
1 neighbor(s) using 40960 bytes of memory
Neighbor     AS    MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
20.20.20.1   200   0        0        0       0    0     00:00:00  0
Changing a BGP router ID
BGP uses the configured router ID to identify the devices in the network.
• Enable ASPLAIN AS Number representation.
  CONFIG-ROUTER-BGP mode
  bgp asnotation asplain
  NOTE: ASPLAIN is the default method Dell EMC Networking OS uses and does not appear in the configuration display.
• Enable ASDOT AS Number representation.
  CONFIG-ROUTER-BGP mode
  bgp asnotation asdot
• Enable ASDOT+ AS Number representation.
  CONFIG-ROUTER-BGP mode
  bgp asnotation asdot+
The following example shows the bgp asnotation asplain command output.
• Enter the router configuration mode and the AS number.
  CONFIG mode
  router bgp as-number
• Add the IP address of the neighbor for the specified autonomous system.
  CONFIG-ROUTER-BGP mode
  neighbor {ip-address | ipv6-address | peer-group-name} remote-as as-number
• Enable the neighbor.
  CONFIG-ROUTERBGP mode
  neighbor {ip-address | ipv6-address | peer-group-name} no shutdown
• Specify the IPv4 address family configuration.
To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes.
Example-Configuring BGP routing between peers
Example of enabling BGP in Router A
Following is an example of enabling the BGP configuration in router A.
RouterA# configure terminal
RouterA(conf)# router bgp 40000
RouterA(conf-router_bgp)# bgp router-id 10.1.1.99
RouterA(conf-router_bgp)# timers bgp 80 130
RouterA(conf-router_bgp)# neighbor 192.
• You must create a peer group first before adding the neighbors in the peer group.
• If you remove any configuration parameters from a peer group, the change applies to all the neighbors configured under that peer group.
• If you have not configured a parameter for an individual neighbor in the peer group, the neighbor uses the value configured in the peer group.
• If you reset any parameter for an individual neighbor, it overrides the value set in the peer group.
• neighbor distribute-list out
• neighbor filter-list out
• neighbor next-hop-self
• neighbor route-map out
• neighbor route-reflector-client
• neighbor send-community
A neighbor may keep its configuration after it was added to a peer group if the neighbor’s configuration is more specific than the peer group’s and if the neighbor’s configuration does not affect outgoing updates.
The following illustration shows the configurations described in the following examples. These configurations show how to create BGP areas using physical and virtual links. They include setting up the interfaces and peer groups with each other.
Figure 24. BGP peer group example configurations
Example of Enabling BGP (Router 1)
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/32
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.
R1(conf-router_bgp)#neighbor 192.168.128.2 no shut
R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0
R1(conf-router_bgp)#neighbor 10.0.3.33 remote 100
R1(conf-router_bgp)#neighbor 10.0.3.33 no shut
R1(conf-router_bgp)#show config
!
router bgp 99
 network 192.168.128.0/24
 neighbor 192.168.128.2 remote-as 99
 neighbor 192.168.128.2 update-source Loopback 0
 neighbor 10.0.3.33 no shutdown
 neighbor 10.0.3.
R3(conf-if-gi-3/21)#show config
!
interface GigabitEthernet 3/21
 ip address 10.0.2.3/24
 no shutdown
R3(conf-if-gi-3/21)#
R3(conf-if-gi-3/21)#router bgp 100
R3(conf-router_bgp)#show config
!
router bgp 100
R3(conf-router_bgp)#neighbor 10.0.3.31 remote 99
R3(conf-router_bgp)#neighbor 10.0.3.31 no shut
R3(conf-router_bgp)#neighbor 10.0.2.2 remote 99
R3(conf-router_bgp)#neighbor 10.0.2.2 no shut
R3(conf-router_bgp)#show config
!
router bgp 100
 neighbor 10.0.3.31 remote 99
 neighbor 10.0.3.31 no shut
 neighbor 10.
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
R2(conf-router_bgp)# neighbor 192.168.128.3 no shut
R2(conf-router_bgp)#show conf
!
router bgp 99
 network 192.168.128.0/24
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor BBB peer-group
 neighbor BBB no shutdown
 neighbor 192.168.128.1 remote-as 99
 neighbor 192.168.128.1 peer-group CCC
 neighbor 192.168.128.1 update-source Loopback 0
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.
Advanced BGP configuration tasks
The following sections describe how to configure the advanced (optional) BGP configuration tasks.
Route-refresh and Soft-reconfiguration
BGP soft-reconfiguration allows for faster and easier route changing. Changing routing policies typically requires a reset of BGP sessions (the TCP connection) for the policies to take effect. Such resets cause undue interruption to traffic due to the hard reset of the BGP cache and the time it takes to re-establish the session.
Route-refresh
This section explains how soft-reconfiguration and route-refresh work. Soft-reconfiguration has to be configured explicitly for a neighbor, unlike route refresh, which is automatically negotiated between BGP peers when establishing a peer session. Route-refresh updates are sent only if the neighbor soft-reconfiguration inbound command is not configured for the BGP neighbor and you do a soft reset using the clear ip bgp {neighbor-address | peer-group-name} soft in command.
 neighbor 20.1.1.2 no shutdown
 neighbor 20::2 remote-as 200
 neighbor 20::2 no shutdown
 !
 address-family ipv6 unicast
  redistribute connected
  neighbor 20::2 activate
 exit-address-family
!
DellEMC(conf-router_bgp)#do clear ip bgp 20.1.1.2 soft in
May 8 15:28:11 : BGP: 20.1.1.2 sending ROUTE_REFRESH AFI/SAFI (1/1)
May 8 15:28:12 : BGP: 20.1.1.2 UPDATE rcvd packet len 56
May 8 15:28:12 : BGP: 20.1.1.2 rcvd UPDATE w/ attr: origin ?, path 200, nexthop 20.1.1.
Configuring BGP aggregate routes
To create an aggregate route entry in the BGP routing table, use the following commands. The aggregate route is advertised from the autonomous system.
• Enter the router configuration mode and the AS number for the specific BGP routing process.
  CONFIG mode
  router bgp as-number
• Create an aggregate entry in the BGP routing table.
Following is the sample configuration to suppress the advertisement of specific aggregate routes to all neighbors.
DellEMC# configure terminal
DellEMC(conf)# router bgp 100
DellEMC(conf-router_bgp)# aggregate-address 10.1.1.0 255.255.255.0 summary-only
DellEMC(conf-router_bgp)# exit
DellEMC(conf)#
Filtering BGP
The following section describes the methods used to filter the updates received from BGP neighbors.
DellEMC(conf-router_bgp)#neigh AAA no shut
DellEMC(conf-router_bgp)#show conf
!
router bgp 99
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor 10.155.15.2 remote-as 32
 neighbor 10.155.15.2 shutdown
DellEMC(conf-router_bgp)#neigh 10.155.15.
1. Create a prefix list and assign it a name.
   CONFIGURATION mode
   ip prefix-list prefix-name
2. Create multiple prefix list filters with a deny or permit action.
   CONFIG-PREFIX LIST mode
   seq sequence-number {deny | permit} {any | ip-prefix [ge | le]}
   • ge: minimum prefix length to be matched.
   • le: maximum prefix length to be matched.
   For information about configuring prefix lists, refer to Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
   CONFIG-PREFIX LIST mode
   exit
4. Enter ROUTER BGP mode.
   For information about configuring route maps, see Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
   CONFIG-ROUTE-MAP mode
   exit
4. Enter ROUTER BGP mode.
   CONFIGURATION mode
   router bgp as-number
5. Filter routes based on the criteria in the configured route map.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} filter-list as-path-name {in | out}
If you assign a non-existent or empty AS-PATH ACL, the software allows all routes. To view all BGP path attributes in the BGP database, use the show ip bgp paths command in EXEC Privilege mode.
DellEMC(conf)# exit
DellEMC#
In the above example, a BGP neighbor is added in AS 400 and the route map route2 is applied to inbound routes from the BGP neighbor at 10.10.10.1. The route map route2 is created with a permit clause that matches the route’s community attribute against the communities in community list 1. Community list 1 permits routes with a communities attribute of 100. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
  fall-over enabled
  Update source set to Loopback 0
  Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
  BGP table version 52, neighbor version 52
  4 accepted prefixes consume 16 bytes
  Prefix advertised 0, denied 0, withdrawn 0
Connections established 6; dropped 5
Last reset 00:19:37, due to Reset by peer
Notification History
  'Connection Reset' Sent : 5  Recv: 0
Local host: 20.20.20.2, Local port: 65519
Foreign host: 10.10.10.
   neighbor peer-group-name subnet subnet-number mask
   The peer group responds to OPEN messages sent on this subnet.
3. Enable the peer group.
   CONFIG-ROUTER-BGP mode
   neighbor peer-group-name no shutdown
4. Create and specify a remote peer for the BGP neighbor.
   CONFIG-ROUTER-BGP mode
   neighbor peer-group-name remote-as as-number
   Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED.
The following example configuration shows how to enable BGP graceful restart.
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf-router_bgp)# bgp graceful-restart
DellEMC(conf-router_bgp)# exit
Redistributing Routes
In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP process. You can configure the device to redistribute ISIS, OSPF, static, or directly connected routes into the BGP process using the redistribute command.
ROUTER BGP, ROUTER BGP-address-family, ROUTER BGP-address-family-IPv6, IPv4 VRF mode, and IPv6 Unicast VRF mode
bgp redistribute-internal
The following is an example configuration of redistributing iBGP routes into OSPF with the default VRF:
!
router ospf 100
 router-id 1.1.1.1
 network 10.10.10.0/24 area 0
 redistribute bgp 65535 route-map bgp2ospf4
!
ipv6 router ospf 1
 router-id 1.1.1.1
 redistribute bgp 65535 route-map bgp2ospf6
!
router bgp 65535
 maximum-paths ibgp 8
 bgp redistribute-internal
 neighbor 20.
The following is an example configuration of redistributing iBGP routes into IS-IS with the default VRF:
router isis 100
 advertise level2-into-level1 isis_static
 is-type level-1
 net 49.1000.6000.6006.00
 redistribute static level-1
 redistribute connected
MAA-S3048-6592#
router isis 100
 metric-style wide level-1
 metric-style wide level-2
 net 49.1000.6000.6006.
Enabling Additional Paths
The additional path feature allows the advertisement of more paths in addition to the best path. Enabling additional paths allows the advertisement of multiple paths for the same address prefix without the new paths replacing any previous paths. The additional path feature is disabled by default.
NOTE: Dell EMC Networking OS recommends that you do not use multipath and add-path simultaneously in a route reflector.
To allow multiple paths to be sent to peers, use the following commands.
1.
   ip community-list community-list-name
2. Configure a community list by denying or permitting specific community numbers or types of community.
   CONFIG-COMMUNITYLIST mode
   {deny | permit} {community-number | local-AS | no-advertise | no-export | quote-regexp regular-expression-list | regexp regular-expression}
   • community-number: use AA:NN format where AA is the AS number (2 Bytes or 4 Bytes) and NN is a value specific to that autonomous system.
 deny 701:20
 deny 702:20
 deny 703:20
 deny 704:20
 deny 705:20
 deny 14551:20
 deny 701:112
 deny 702:112
 deny 703:112
 deny 704:112
 deny 705:112
 deny 14551:112
 deny 701:667
 deny 702:667
 deny 703:667
 deny 704:666
 deny 705:666
 deny 14551:666
DellEMC#
Configure BGP attributes
The following sections explain how to configure the BGP attributes such as MED, COMMUNITY, WEIGHT, and LOCAL_PREFERENCE.
1. Enter ROUTE-MAP mode and assign a name to a route map.
   CONFIGURATION mode
   route-map map-name [permit | deny] [sequence-number]
2. Configure a set filter to delete all COMMUNITY numbers in the IP community list.
   CONFIG-ROUTE-MAP mode
   set comm-list community-list-name delete
   OR
   set community {community-number | local-as | no-advertise | no-export | none}
   Configure a community list by denying or permitting specific community numbers or types of community.
Changing the LOCAL_PREFERENCE Attribute
In Dell EMC Networking OS, you can change the value of the LOCAL_PREFERENCE attribute, so that the preferred path can be changed. To change the default values of this attribute for all routes received by the router, use the following command.
• Change the LOCAL_PREF value.
  CONFIG-ROUTER-BGP mode
  bgp default local-preference value
  value: the range is from 0 to 4294967295. The default is 100.
Configuring the local System or a Different System to be the Next Hop for BGP-Learned Routes
You can configure the local router or a different router as the next hop for BGP-learned routes. To change how the NEXT_HOP attribute is used, enter the first command. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. You can also use route maps to change this and other BGP attributes.
maximum-paths {ebgp | ibgp} number
Configure the following parameters:
• ebgp: Enable multipath support for external BGP routes.
• ibgp: Enable multipath support for internal BGP routes.
• number: Maximum number of parallel paths. The range is from 2 to 64.
Configure clusters of routers where one router is a concentration router and the others are clients who receive their updates from the concentration router. To configure a route reflector, use the following commands.
• Assign a cluster ID or an IP address to a route reflector cluster.
  CONFIG-ROUTER-BGP mode
  bgp cluster-id {ip-address | number}
  • ip-address: IP address as the route reflector cluster ID.
  • number: A route reflector cluster ID as a number from 1 to 4294967295.
• reuse: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is less than the reuse value, the flapping route is once again advertised (or no longer suppressed). Withdrawn routes are removed from history state. The default is 750.
• suppress: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value.
route-map    Route-map to specify criteria for dampening
To view a count of dampened routes, history routes, and penalized routes when you enable route dampening, look at the seventh line of the show ip bgp summary command output, as shown in the following example (bold).
DellEMC>show ip bgp summary
BGP router identifier 10.114.8.
In the above example configuration, the BGP timers are set with a keepalive time of 80 seconds, the interval at which the system sends keepalive messages to the BGP peer, and a holdtime of 120 seconds, the time the system waits for a message from the BGP peer before concluding that the peer is dead. To view non-default values, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
1. Enter the router bgp mode using the following command:
   CONFIGURATION mode
   router bgp as-number
2. Shut down the BGP neighbors corresponding to the IPv4 multicast address family using the following command:
   ROUTER-BGP mode
   shutdown address-family-ipv4-multicast
To enable or disable BGP neighbors corresponding to the IPv6 unicast address family:
1. Enter the router bgp mode using the following command:
   CONFIGURATION mode
   router bgp as-number
2.
• If the next route map entry does not contain a continue clause, the route map evaluates normally.
• If a match does not occur, the route map does not continue and falls through to the next sequence number, if one exists.
Set a Clause with a Continue Clause
If the route-map entry contains sets with the continue clause, the set actions are performed first, followed by the continue clause jump to the specified route map entry.
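As an added example (not code from the Dell EMC guide), the following evaluator implements the continue-clause behaviour described above: a matching entry applies its set actions and then jumps to the entry named by its continue clause, a non-matching entry falls through to the next sequence number, and no match at all is an implicit deny. The match and set vocabulary is limited to community, prefix, LOCAL_PREF and MED; the route map and routes are constructed, and the handling of a matched permit whose continue target never matches is an assumption noted in the code.

```python
# Added example, not from the Dell EMC guide: an evaluator for the route-map
# 'continue' semantics the guide describes (sets run before the jump; a
# non-matching entry falls through; nothing matched = implicit deny).
# The route map, routes, and the small match/set vocabulary are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: str
    communities: List[str] = field(default_factory=list)
    local_pref: int = 100
    med: Optional[int] = None


@dataclass
class Entry:
    seq: int
    action: str                              # "permit" or "deny"
    match_community: Optional[str] = None    # community that must be present
    match_prefix: Optional[str] = None       # exact prefix that must match
    set_local_pref: Optional[int] = None
    set_med: Optional[int] = None
    set_add_community: Optional[str] = None
    continue_to: Optional[int] = None        # 'continue <seq>'


def matches(entry: Entry, route: Route) -> bool:
    if entry.match_community is not None and entry.match_community not in route.communities:
        return False
    if entry.match_prefix is not None and entry.match_prefix != route.prefix:
        return False
    return True            # an entry with no match clauses matches everything


def apply_sets(entry: Entry, route: Route) -> None:
    if entry.set_local_pref is not None:
        route.local_pref = entry.set_local_pref
    if entry.set_med is not None:
        route.med = entry.set_med
    if entry.set_add_community is not None and entry.set_add_community not in route.communities:
        route.communities.append(entry.set_add_community)


def evaluate(route_map: List[Entry], route: Route) -> Tuple[str, Route]:
    """Return ('permit' | 'deny', route as modified by the set clauses that ran)."""
    entries = sorted(route_map, key=lambda e: e.seq)
    index: Dict[int, int] = {e.seq: i for i, e in enumerate(entries)}
    decision = "deny"                      # implicit deny if nothing ever matches
    i = 0
    while i < len(entries):
        entry = entries[i]
        if not matches(entry, route):
            i += 1                         # no match: fall through to next sequence number
            continue
        if entry.action == "deny":
            return "deny", route           # a matching deny ends evaluation
        apply_sets(entry, route)           # set actions run before the continue jump
        decision = "permit"
        if entry.continue_to is None:
            break                          # no continue clause: evaluates normally, stop
        target = index.get(entry.continue_to)
        if target is None or target <= i:
            raise ValueError(f"seq {entry.seq}: continue target {entry.continue_to} is not a later entry")
        i = target
    # Assumption for this example: a permit that already matched stands even when
    # the entries reached through 'continue' do not match.
    return decision, route


# Constructed route map: seq 10 sets LOCAL_PREF and continues to 30, skipping 20.
SAMPLE_MAP = [
    Entry(10, "permit", match_community="100:1", set_local_pref=200, continue_to=30),
    Entry(20, "permit", match_prefix="10.0.0.0/24", set_med=50),
    Entry(30, "permit", set_add_community="100:99"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_MAP, Route("10.0.0.0/24", ["100:1"])))  # permit, lpref 200, med None
    print(evaluate(SAMPLE_MAP, Route("10.0.0.0/24")))             # permit, lpref 100, med 50
```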
• Specify the number of prefixes that can be received from a neighbor.
  CONFIG-ROUTER-BGP-AF mode
  neighbor {ip-address | ipv6-address | peer-group-name} maximum-prefix maximum [threshold] [warning-only]
The following are the sample steps performed to configure a VRF, and VRF address families for IPv4 (unicast and multicast) and IPv6.
• peer-group-name: 16 characters.
• AS-number: 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.65535 (Dotted format).
• No Prepend: specifies that local AS values are not prepended to announcements from the neighbor.
Format: IPv4 Address: A.B.C.D and IPv6 address: X:X:X:X::X.
You must configure peer groups before assigning them to an AS. This feature is not supported on passive peer groups.
The first line in bold shows the actual AS number.
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.9 remote-as 65192
 neighbor 100.10.92.9 local-as 6500
 neighbor 100.10.92.9 no shutdown
 neighbor 192.168.10.1 remote-as 65123
 neighbor 192.168.10.1 update-source Loopback 0
 neighbor 192.168.10.1 no shutdown
 neighbor 192.168.12.2 remote-as 65123
 neighbor 192.168.12.2 allowas-in 9
 neighbor 192.168.12.2 update-source Loopback 0
 neighbor 192.168.12.
CONFIG-ROUTER-BGP mode
address-family ipv6 [unicast | vrf vrf-name]
• unicast: Specifies the IPv6 unicast address family. The default address family is IPv6 unicast.
• vrf vrf-name: Specifies the name of the VRF instance associated with the IPv6 address-family configuration.
Enable the neighbor to exchange prefixes for the IPv6 unicast address family.
If you do not want a neighbor to exchange IPv4 unicast prefixes, you have to manually deactivate the peer with the no neighbor activate command in CONFIGURATION-ROUTER-BGP mode. If a neighbor is already activated to exchange IPv4 multicast or IPv6 unicast prefixes, you can deactivate the exchange of prefixes with the no neighbor activate command under the IPv4 multicast or IPv6 unicast address family.
Neighbor     AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
20.20.20.1   10   10       20       0       0    0     00:06:11  0
2001::1      10   40       45       0       0    0     00:03:14  0
Following is the sample output of the show ip bgp ipv4 multicast summary command.
R2# show ip bgp ipv4 multicast summary
BGP router identifier 2.2.2.2, local AS number 200
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
1 neighbor(s) using 24576 bytes of memory
Neighbor 20.20.20.
Example configuration performed in R1
DellEMC# configure terminal
DellEMC(conf)# router bgp 655
DellEMC(conf-router_bgp)# neighbor 10.1.1.2 remote-as 20
DellEMC(conf-router_bgp)# neighbor 10.1.1.2 auto-local-address
DellEMC(conf-router_bgp)# neighbor 10.1.1.2 no shutdown
DellEMC(conf-router_bgp)# bgp router-id 1.1.1.1
DellEMC(conf-router_bgp)# address-family ipv6 unicast
DellEMC(conf-router_bgpv6_af)# neighbor 10.1.1.
BGP Regular Expression Optimization
Dell EMC Networking OS optimizes processing time when using regular expressions by caching and re-using evaluated regular expression results, at the expense of some memory in the RP1 processor. BGP policies that contain regular expressions to match against AS paths and communities might take a lot of CPU processing time, which affects BGP routing convergence.
Example of the show ip bgp neighbor Command to View Last and Bad PDUs
DellEMC(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2
BGP neighbor is 1.1.1.2, remote AS 2, external link
  BGP version 4, remote router ID 2.4.0.
10 Content Addressable Memory (CAM)
CAM Allocation
CAM Allocation for Ingress
To allocate the space for regions such as L2 ingress ACL, IPV4 ingress ACL, IPV6 ingress ACL, IPV4 QoS, L2 QoS, PBR, VRF ACL, and so forth, use the cam-acl command in CONFIGURATION mode. The CAM space is allotted in field processor (FP) blocks. The total space allocated must equal the FP blocks. The following table lists the default CAM allocation settings.
Table 13. Additional Default CAM Allocation Settings
Additional CAM Allocation Setting
FCoE ACL (fcoeacl): 0
ISCSI Opt ACL (iscsioptacl): 0
You must enter the ipv6acl and vman-dual-qos allocations as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
NOTE: You can only have one odd number of blocks in the CLI configuration; the other blocks must be in factors of 2.
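As an added example (not code from the Dell EMC guide), the following pre-check validates a planned cam-acl allocation against the rules just stated: the total of the FP blocks must equal the blocks available, the ipv6acl and vman-dual-qos regions must be multiples of 2, and at most one region may be odd. Region names follow the guide's show cam-acl output; the sample allocation mirrors that output and the FP block total is an assumed value for the example, not a platform figure.

```python
# Added example, not from the Dell EMC guide: a pre-check for a cam-acl
# allocation against the rules the guide states (total must equal the FP
# blocks; ipv6acl and vman-dual-qos must be a factor of 2; only one region may
# be odd). Region names follow the guide's 'show cam-acl' output; the sample
# allocation and the FP block total are constructed.
from typing import Dict, List

BLOCK_ENTRIES = 128                       # guide: 1 block = 128 entries
EVEN_ONLY = {"Ipv6Acl", "VmanDualQos"}    # must be entered as a factor of 2


def validate_cam_acl(alloc: Dict[str, int], fp_blocks: int) -> List[str]:
    """Return the list of rule violations; an empty list means the allocation
    is acceptable under the guide's rules."""
    problems: List[str] = []
    for region, blocks in alloc.items():
        if blocks < 0:
            problems.append(f"{region}: negative block count {blocks}")
        if region in EVEN_ONLY and blocks % 2:
            problems.append(f"{region}: {blocks} blocks, must be a factor of 2")
    odd = [r for r, b in alloc.items() if b % 2]
    if len(odd) > 1:
        problems.append(f"only one region may have an odd block count, found {odd}")
    total = sum(alloc.values())
    if total != fp_blocks:
        problems.append(f"allocated {total} blocks but the platform has {fp_blocks}")
    return problems


def entries(alloc: Dict[str, int]) -> Dict[str, int]:
    """The same allocation expressed in CAM entries, the unit show cam-usage reports."""
    return {r: b * BLOCK_ENTRIES for r, b in alloc.items()}


# Constructed allocation mirroring the guide's 'show cam-acl' example
# (L2Acl 6, Ipv4Acl 4, Ipv4Qos 2, L2Qos 1, everything else 0).
SAMPLE = {"L2Acl": 6, "Ipv4Acl": 4, "Ipv6Acl": 0, "Ipv4Qos": 2, "L2Qos": 1,
          "L2PT": 0, "IpMacAcl": 0, "VmanQos": 0, "VmanDualQos": 0}
SAMPLE_FP_BLOCKS = 13   # assumed total for this example, not a platform value

if __name__ == "__main__":
    print(validate_cam_acl(SAMPLE, SAMPLE_FP_BLOCKS))      # []
    bad = dict(SAMPLE, Ipv6Acl=3, L2Acl=4)                 # odd Ipv6Acl, two odd regions
    for line in validate_cam_acl(bad, SAMPLE_FP_BLOCKS):
        print(line)
```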
Example of the test cam-usage Command
DellEMC#test cam-usage service-policy input test-cam-usage stack-unit 1 po 0
Stack-Unit| Portpipe|CAM Partition|Available CAM|Estimated CAM per Port|Status
-----------------------------------------------------------------------------------
2         | 0       |IPv4Flow     |192          |3                     |Allowed (64)
DellEMC#
View CAM-ACL Settings
The show cam-acl command shows the cam-acl setting that will be loaded after the next reload.
1 block = 128 entries
L2Acl       : 6
Ipv4Acl     : 4
Ipv6Acl     : 0
Ipv4Qos     : 2
L2Qos       : 1
L2PT        : 0
IpMacAcl    : 0
VmanQos     : 0
VmanDualQos : 0
EcfmAcl     : 0
FcoeAcl     : 0
iscsiOptAcl : 0
ipv4pbr     : 0
vrfv4Acl    : 0
Openflow    : 0
fedgovacl   : 0
-- Stack unit 0 --
Current Settings(in block sizes)
1 block = 128 entries
L2Acl       : 6
Ipv4Acl     : 4
Ipv6Acl     : 0
Ipv4Qos     : 2
L2Qos       : 1
L2PT        : 0
IpMacAcl    : 0
VmanQos     : 0
VmanDualQos : 0
EcfmAcl     : 0
FcoeAcl     : 0
iscsiOptAcl : 0
ipv4pbr     : 0
vrfv4Acl    : 0
Openflow    : 0
fedgovacl   : 0
-- Stack unit 7 --
Cu
[show cam-usage output for stack units 0 and 7, portpipe 0; table columns not recoverable from this extraction]
Regions listed: IN-L3 ACL, IN-V6 ACL, IN-L2 ACL, OUT-L3 ACL, IN-L3 ECMP GRP, OUT-V6 ACL, OUT-L2 ACL
Codes: * - cam usage is above 90%.
DellEMC#
Table 14. Possible Scenarios of Syslog Warning
Old CAM Threshold | New CAM Threshold | Current CAM Usage | Syslog
90 | 80 | 85 |
90 | 95 | 91 |
98 | 100 | 100 | No syslog
95 | 80 | 10 | No syslog
92 | 90 | 89 | No syslog

DellEMC(conf)#Nov 5 19:55:12 %S6000:0 %ACL_AGENT-4ACL_AGENT_CAM_USAGE_OVER_THE_THRESHOLD: The Ipv4Acl cam region on stack-unit 0 Portpipe 0 Pipeline 0 is more than 80% Full.
1. Verify that you have configured a CAM profile that allocates 24 K entries to the IPv4 system flow region. 2. Allocate more entries in the IPv4Flow region to QoS. Dell EMC Networking OS supports the ability to view the actual CAM usage before applying a service-policy. The test cam-usage service-policy command provides this test framework. For more information, refer to Pre-Calculating Available QoS CAM Space.
11 Control Plane Policing (CoPP)
Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system's control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits traffic to an acceptable level.
Figure 28. CoPP Implemented Versus CoPP Not Implemented

Topics:
• Configure Control Plane Policing

Configure Control Plane Policing
The system can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per-protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
Configuring CoPP for Protocols
This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffic according to the ACL.
DellEMC(conf)#ipv6 access-list ipv6-icmp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit icmp
DellEMC(conf-ipv6-acl-cpuqos)#exit
DellEMC(conf)#ipv6 access-list ipv6-vrrp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit vrrp
DellEMC(conf-ipv6-acl-cpuqos)#exit

The following example shows creating the QoS input policy.
2. Create an input policy-map to assign the QoS policy to the desired service queues.
CONFIGURATION mode
policy-map-input name cpu-qos
service-queue queue-number qos-policy name
3. Enter Control Plane mode.
CONFIGURATION mode
control-plane-cpuqos
4. Assign a CPU queue-based service policy on the control plane in cpu-qos mode. Enabling this command sets the queue rates according to those configured.
queues are shared to multiple protocols. So, increasing the number of CMIC queues will reduce the contention among the protocols for the queue bandwidth. Currently, there are 4 Queues for data and 4 for control in both front-end and back-plane ports. In stacked systems, the control streams that reach standby or slave units will be tunneled through the backplane ports across stack-units to reach the CPU of the master unit.
• When VLT peer routing is enabled, each VLT node has a route entry for the link-local address of both itself and the peer VLT node. The peer VLT link-local entry has the ICL link as its egress port, and the node's own link-local address has a CopyToCpu entry. NDP packets destined to the peer VLT node, however, need to be taken to the CPU and tunneled to the peer VLT node.
• NDP packets when VLT peer routing is disabled:
  • NDP packets intended for the peer VLT chassis are taken to the CPU and tunneled to the peer.
1. Create an IPv6 ACL for control-plane traffic policing for ospfv3.
CONFIGURATION mode
Dell(conf)#ipv6 access-list ospfv3 cpu-qos
Dell(conf-ipv6-acl-cpuqos)#permit ospf
2. Create a QoS input policy for the router and assign the policing.
CONFIGURATION mode
Dell(conf)#qos-policy-input ospfv3_rate cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 1500 16 peak 1500 16
3. Create a QoS class map to differentiate the control-plane traffic and assign to the ACL.
Protocol      Src-Port  Dst-Port  TcpFlag  Queue  EgPort  Rate
UDP (DHCP-R)  67        67        _        Q10    _       _
TCP (FTP)     any       21        _        Q6     _       _
ICMP          any       any       _        Q6     _       _
IGMP          any       any       _        Q11    _       _
TCP (MSDP)    any/639   639/any   _        Q11    _       _
UDP (NTP)     any       123       _        Q6     _       _
OSPF          any       any       _        Q9     _       _
PIM           any       any       _        Q11    _       _
UDP (RIP)     any       520       _        Q9     _       _
TCP (SSH)     any       22        _        Q6     _       _
TCP (TELNET)  any       23        _        Q6     _       _
VRRP          any       any       _        Q10    _       _
DellEMC#

To view the queue mapping for the MAC protocols, use the show mac protocol-queue-mapping command.
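The mapping above places several protocols on the same CPU queue (ICMP, NTP, SSH and Telnet all share Q6), and the chapter notes that queue-based rate limiting is applied before per-protocol CoPP, so a flood of one protocol can starve the others sharing its queue even though the flooding protocol is itself policed. The following Python simulation is added here and is not Dell EMC Networking OS code: it models that ordering with one-second token buckets, uses the ICMP and SSH queue assignments from the table, and treats all packet rates as constructed sample values; the "separate queue" scenario that moves SSH to its own queue is hypothetical and only contrasts the two outcomes.

```python
# Added example; not Dell EMC Networking OS code. It models the ordering the
# guide describes (queue-based rate limiting applied before per-protocol CoPP)
# to show why two protocols sharing one CPU queue can starve each other. The
# queue assignments (ICMP and SSH both on Q6) follow the protocol-queue mapping
# above; all packet rates are constructed sample values, and the "separate
# queue" scenario is hypothetical.

from collections import defaultdict


class Policer:
    """Per-second packet budget: a one-second token bucket."""

    def __init__(self, pps):
        self.pps = pps
        self.tokens = pps

    def new_second(self):
        self.tokens = self.pps

    def admit(self):
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def arrival_order(offered):
    """Deterministically interleave arrivals in proportion to offered rates,
    so a flooding protocol's packets are spread across the whole second."""
    remaining = {p: n for p, n in offered.items() if n > 0}
    order = []
    while any(remaining.values()):
        # take the protocol with the largest share of its load still pending
        proto = max(remaining, key=lambda p: (remaining[p] / offered[p], p))
        remaining[proto] -= 1
        order.append(proto)
    return order


def simulate(queue_of, queue_pps, protocol_pps, offered, seconds=1):
    """Return {protocol: (admitted, dropped)} after `seconds` of offered load.

    queue_of:     protocol -> CPU queue name, e.g. {"SSH": "Q6"}
    queue_pps:    queue name -> queue rate limit (checked first, as in the guide)
    protocol_pps: protocol -> per-protocol CoPP rate (checked second)
    offered:      protocol -> packets offered per second
    """
    qpol = {q: Policer(r) for q, r in queue_pps.items()}
    ppol = {p: Policer(r) for p, r in protocol_pps.items()}
    stats = defaultdict(lambda: [0, 0])
    for _ in range(seconds):
        for pol in list(qpol.values()) + list(ppol.values()):
            pol.new_second()
        for proto in arrival_order(offered):
            # The queue policer consumes a token even when the per-protocol
            # policer then drops the packet: that is what lets a flood on one
            # protocol exhaust the queue budget shared with the others.
            if qpol[queue_of[proto]].admit() and ppol[proto].admit():
                stats[proto][0] += 1
            else:
                stats[proto][1] += 1
    return {p: tuple(v) for p, v in stats.items()}


PROTOCOL_PPS = {"ICMP": 300, "SSH": 200}       # constructed per-protocol rates
OFFERED = {"ICMP": 5000, "SSH": 100}           # ICMP flood, modest SSH load


def shared_queue_scenario():
    """ICMP and SSH on Q6, as in the mapping above: SSH loses queue budget."""
    return simulate({"ICMP": "Q6", "SSH": "Q6"}, {"Q6": 600}, PROTOCOL_PPS, OFFERED)


def separate_queue_scenario():
    """Hypothetical: SSH moved to its own queue, so the ICMP flood cannot
    consume SSH's queue budget."""
    return simulate({"ICMP": "Q6", "SSH": "Q9"}, {"Q6": 600, "Q9": 200},
                    PROTOCOL_PPS, OFFERED)


if __name__ == "__main__":
    print("shared queue  :", shared_queue_scenario())
    print("separate queue:", separate_queue_scenario())
```

In the shared-queue run, ICMP is held to its 300 pps CoPP rate, yet most SSH packets are dropped because the queue budget is spent before the per-protocol policer ever sees them; that is the flapping the chapter warns about, and it shows why per-protocol CoPP alone is not a complete protection for protocols that share a queue.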
12 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option | Number and Description
Subnet Mask | Option 1. Specifies the client's subnet mask.
Router | Option 3. Specifies the router IP addresses that may serve as the client's default gateway.
Domain Name Server | Option 6. Specifies the domain name servers (DNSs) that are available to the client.
Domain Name | Option 15. Specifies the domain name that clients should use when resolving hostnames via DNS.
1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters. 2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters. Multiple servers might respond to a single DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer.
NOTE: If the DHCP server is on the top of rack (ToR) and the VLTi (ICL) is down due to a failed link, when a VLT node is rebooted in BMP (Bare Metal Provisioning) mode, it is not able to reach the DHCP server, resulting in BMP failure.

Configure the System to be a DHCP Server
A DHCP server is a network device that has been programmed to provide network configuration parameters to clients upon request. Servers typically serve many clients, making host management much more organized and efficient.
After an IP address is leased to a client, only that client may release the address. Dell EMC Networking OS performs an IP+MAC source address validation to ensure that no client can release another client's address. This validation is a default behavior and is separate from IP+MAC source address validation.
DHCP
domain-name name
2. Specify in order of preference the DNS servers that are available to a DHCP client.
DHCP
dns-server address

Using NetBIOS WINS for Address Resolution
Windows internet naming service (WINS) is a name resolution service that Microsoft DHCP clients use to correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid.
1.
• Clear DHCP binding entries for the entire binding table.
  EXEC Privilege mode
  clear ip dhcp binding
• Clear a DHCP binding entry for an individual IP address.
  EXEC Privilege mode
  clear ip dhcp binding ip address

Configure the System to be a Relay Agent
DHCP clients and servers request and offer configuration information via broadcast DHCP messages.
To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode.

Example of the show ip interface Command
R1_E600#show ip int gigabitethernet 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1
192.168.0.
• Release the IP address dynamically acquired from a DHCP server from the interface.
• Disable the DHCP client on the interface so it cannot acquire a dynamic IP address from a DHCP server.
• Stop DHCP packet transactions on the interface.
When you enter the release dhcp command, the IP address dynamically acquired from a DHCP server is released from an interface. The ability to acquire a new DHCP server-assigned address remains in the running configuration for the interface.
• Management routes added by a DHCP client display with Route Source as DHCP in the show ip management route and show ip management-route dynamic command output.
• Management routes added by DHCP are automatically reinstalled if you configure a static IP route with the ip route command that replaces a management route added by the DHCP client.
• If you remove the statically configured IP route using the no ip route command, the management route is reinstalled.
DHCP Relay When DHCP Server and Client are in Different VRFs
When the DHCP server and DHCP clients belong to different VRFs on the relay agent, you can configure the system to leak routes across VRFs. You can configure the system to leak the following routes across VRFs:
• Connected routes
• The complete routing table
• Selective routes
The following illustration depicts the topology in which routes are leaked between VRFs in the relay agent.
ip route-export 1:1
!
!
route-map map1 permit 10
 match ip address ip1
!
route-map map2 permit 20
 match ip address ip2
!
ip prefix-list ip1
 seq 5 permit 20.0.0.0/24     <----- This is needed for data forwarding
 seq 10 permit 20.0.0.2/32    <---- This is specific to internal operation of DHCP relay
!
ip prefix-list ip2
 seq 5 permit 10.0.0.0/24

Non-default VRF configuration for DHCPv6 helper address
The ipv6 helper-address command is enhanced to provide support for configuring VRF for DHCPv6 relay helper address.
To configure the loopback interface as the IPv4 or IPv6 DHCP relay source interface, enter the following commands in CONFIGURATION mode.
Dell(conf)# ip dhcp relay source-interface loopback 1
Dell(conf)# ipv6 dhcp relay source-interface loopback 1
When you configure the above commands in CONFIGURATION mode, the loopback interface becomes the DHCP relay source interface for forwarding DHCP packets from the DHCP client to the server.
Dell(conf-if-vl-4)# tagged fortyGigE 0/4
Dell(conf-if-vl-4)# ip helper-address vrf vrf1 100.0.0.1
Dell(conf-if-vl-4)# ipv6 helper-address vrf vrf1 100::1
Dell(conf-if-vl-4)# ip dhcp relay source-interface loopback 3
Dell(conf-if-vl-4)# ipv6 dhcp relay source-interface loopback 3
3. In the below configuration, the DHCP relay source interface is not configured in the VLAN interface.
Table 17. Circuit ID Format
VLAN ID | LAG ID | Slot ID | Port Str
723 | 0 | 1 | 1

The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server. The server can use this information to:
• Track the number of address requests per relay agent. Restricting the number of addresses available per relay agent can harden a server against address exhaustion attacks.
port are also dropped. This checkpoint prevents an attacker from impersonating a DHCP server to facilitate a man-in-the-middle attack. Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE, DHCPNACK, or DHCPDECLINE. DHCP snooping is supported on Layer 2 and Layer 3 traffic. DHCP snooping on Layer 2 interfaces does not require a relay agent.
3. Enable IPv6 DHCP snooping on a VLAN or range of VLANs.
CONFIGURATION mode
ipv6 dhcp snooping vlan vlan-id

Adding a Static Entry in the Binding Table
To add a static entry in the binding table, use the following command.
• Add a static entry in the binding table.
Database write-delay (In minutes) : 0

DHCP packets information
Relay Information-option packets : 0
Relay Trust downstream packets : 0
Snooping packets : 0
Packets received on snooping disabled L3 Ports : 0
Snooping packets processed on L2 vlans : 142

DHCP Binding File Details
Invalid File : 0
Invalid Binding Entry : 0
Binding Entry lease expired : 0
List of Trust Ports :Gi 1/4
List of DHCP Snooping Enabled Vlans :Vl 10
List of DAI Trust ports :Gi 1/4

View the DHCP snooping binding table using the s
10.1.1.11  00:00:a0:00:00:00  39736  S  Vl 200  Po 10
10.1.1.25  00:00:a0:00:00:00  162    D  Vl 200  Po 10

Displaying the Contents of the DHCPv6 Binding Table
To display the contents of the DHCP IPv6 binding table, use the following command.
• Display the contents of the binding table.
  EXEC Privilege mode
  show ipv6 dhcp snooping binding
View the DHCP snooping statistics with the show ipv6 dhcp snooping command.
Dynamic ARP Inspection Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and replies from any device. ARP replies are accepted even when no request was sent.
Configuring dynamic ARP inspection-limit
To configure dynamic ARP inspection rate limit on a port, perform the following task.
1. Enter into global configuration mode.
EXEC Privilege mode
configure terminal
2. Select the interface to be configured.
CONFIGURATION mode
interface interface-name
3. Configure ARP packet inspection rate limiting.
INTERFACE CONFIGURATION mode
arp inspection-limit {rate pps [interval seconds]}
The rate packet per second (pps) range is from 1 to 2048. The default is 15.
The DHCP binding table associates addresses the DHCP servers assign with the port or the port channel interface on which the requesting client is attached and the VLAN the client belongs to. When you enable IP source address validation on a port, the system verifies that the source IP address is one that is associated with the incoming port and optionally that the client belongs to the permissible VLAN.
Dell EMC Networking OS creates an ACL entry for each IP+MAC address pair, optionally with its VLAN ID, in the binding table and applies it to the interface. To display the IP+MAC ACL for an interface or for the entire system, use the show ip dhcp snooping source-address-validation [interface] command in EXEC Privilege mode.

Viewing the Number of SAV Dropped Packets
The following output of the show ip dhcp snooping source-address-validation discard-counters command displays the number of SAV dropped packets.
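The DHCP snooping material in this chapter describes one data structure, the binding table, and several checks that consult it: DHCP server replies are accepted only on trusted ports, only the client that holds a lease may release it, dynamic ARP inspection forwards only ARP frames whose sender IP/MAC pair matches a binding on the ingress port and VLAN, and IP source address validation drops packets whose source IP (and MAC, and optionally VLAN) is not bound to the ingress port. The following Python model is added here and is not Dell EMC Networking OS code; it parses constructed rows laid out like the show ip dhcp snooping binding output shown earlier (IP, MAC, expiry, type, VLAN, interface) and applies those checks to constructed frames. Port and VLAN names are constructed sample values.

```python
# Added example; not Dell EMC Networking OS code. A small model of the DHCP
# snooping binding table and the three checks this chapter ties to it: rogue
# DHCP server replies dropped on untrusted ports, dynamic ARP inspection (DAI),
# and IP source address validation (SAV); it also models the rule that only
# the client holding a lease may release it. The binding rows below are
# constructed, laid out like the show ip dhcp snooping binding output in this
# chapter (IP, MAC, expiry, type, VLAN, interface); port names are constructed.

from dataclasses import dataclass

# Constructed sample rows in the layout of show ip dhcp snooping binding.
SAMPLE_BINDING_OUTPUT = """
10.1.1.11 00:00:a0:00:00:01 39736 S Vl 200 Po 10
10.1.1.25 00:00:a0:00:00:02 162 D Vl 200 Po 10
10.1.1.30 00:00:a0:00:00:03 3600 D Vl 200 Gi 1/5
"""


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: str        # e.g. "Vl 200"
    interface: str   # e.g. "Po 10" or "Gi 1/5"


class SnoopingTable:
    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)   # ports facing the real DHCP server
        self.by_ip = {}

    @classmethod
    def from_show_output(cls, text, trusted_ports=()):
        """Build the table from rows shaped like the binding output above."""
        table = cls(trusted_ports)
        for line in text.strip().splitlines():
            ip, mac, _expires, _kind, vl, vlan, ifc, port = line.split()
            table.by_ip[ip] = Binding(ip, mac.lower(), f"{vl} {vlan}", f"{ifc} {port}")
        return table

    def learn_from_server_reply(self, port, binding):
        """DHCP server replies (OFFER/ACK) are accepted only from trusted ports;
        a reply arriving on an untrusted port is dropped and nothing is learned."""
        if port not in self.trusted:
            return False
        self.by_ip[binding.ip] = binding
        return True

    def release(self, ip, mac):
        """Only the client that holds the lease (matching IP+MAC) may release it."""
        b = self.by_ip.get(ip)
        if b is None or b.mac != mac.lower():
            return False
        del self.by_ip[ip]
        return True

    def dai_check(self, port, vlan, sender_ip, sender_mac):
        """DAI: forward an ARP frame only if its sender IP/MAC pair is bound to
        this port and VLAN. Trusted ports are not inspected."""
        if port in self.trusted:
            return True
        b = self.by_ip.get(sender_ip)
        return (b is not None and b.mac == sender_mac.lower()
                and b.interface == port and b.vlan == vlan)

    def sav_check(self, port, src_ip, src_mac, vlan=None):
        """SAV: the source IP (with its MAC) must be bound to the ingress port;
        the VLAN check is optional, as in the guide."""
        b = self.by_ip.get(src_ip)
        if b is None or b.interface != port or b.mac != src_mac.lower():
            return False
        return vlan is None or b.vlan == vlan


if __name__ == "__main__":
    table = SnoopingTable.from_show_output(SAMPLE_BINDING_OUTPUT, trusted_ports=("Gi 1/4",))
    # An ARP reply for 10.1.1.11 carrying a MAC that is not bound to it on Po 10.
    print("mismatched ARP forwarded:", table.dai_check("Po 10", "Vl 200", "10.1.1.11", "de:ad:be:ef:00:01"))
    print("bound ARP forwarded:", table.dai_check("Po 10", "Vl 200", "10.1.1.11", "00:00:a0:00:00:01"))
```

Because every decision is a lookup against the binding table, a host that never obtained its address through DHCP (or that obtained it on a different port or VLAN) produces no match and is dropped, which is why the chapter notes that static entries must be added for hosts with fixed addresses.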
13 Equal Cost Multi-Path (ECMP)

ECMP for Flow-Based Affinity
ECMP for flow-based affinity includes link bundle monitoring.

Configuring the Hash Algorithm
TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features. To adjust the ExaScale behavior to match TeraScale, use the following command.
• Change the ExaScale hash-algorithm for LAG, ECMP, and NH-ECMP to match TeraScale.
CONFIGURATION mode.
NOTE: You cannot separate LAG and ECMP, but you can use different algorithms across the chassis with the same seed. If LAG member ports span multiple port-pipes and line cards, set the seed to the same value on each port-pipe to achieve deterministic behavior.
NOTE: If you remove the hash algorithm configuration, the hash seed does not return to the original factory default setting.
To configure the hash algorithm seed, use the following command.
• Specify the hash algorithm seed.
CONFIGURATION mode.
ip ecmp-group path-fallback

DellEMC(conf)#ip ecmp-group maximum-paths 3
User configuration has been changed. Save the configuration and reload to take effect
DellEMC(conf)#

Creating an ECMP Group Bundle
Within each ECMP group, you can specify an interface. If you enable monitoring for the ECMP group, the utilization calculation is performed when the average utilization of the link-bundle (as opposed to a single link within the bundle) exceeds 60%.
1. Create a user-defined ECMP group bundle.
14 FIPS Cryptography Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell EMC Networking platforms.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
• Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
• FIPS mode is enabled.

• If you enable the SSH server when you enter the fips mode enable command, it is re-enabled for version 2 only.
• If you re-enable the SSH server, a new RSA host key-pair is generated automatically. You can also manually create this key-pair using the crypto key generate command.
Hardware Rev : 5.0
Num Ports : 30
Up Time : 1 wk, 5 day, 21 hr, 40 min
Dell Networking OS Version : 9-8(2-126)
Jumbo Capable : yes
POE Capable : yes
FIPS Mode : enabled
Burned In MAC : f8:b1:56:82:de:6e
No Of MACs : 3
...

Disabling FIPS Mode
When you disable FIPS mode, the following changes occur:
• The SSH server is disabled.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, close.
15 Force10 Resilient Ring Protocol (FRRP) FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
Figure 32. Example of Multiple Rings Connected by Single Switch

Important FRRP Points
FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring.
• The Master node transmits ring status check frames at specified intervals.
• You can run multiple physical rings on the same switch.
Important FRRP Concepts
The following table lists some important FRRP concepts.
Concept | Explanation
Ring ID | Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202, as shown in the illustration in Member VLAN Spanning Two Rings Connected by One Switch).
Control VLAN | Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose.
• Each ring has only one Master node; all others are transit nodes. FRRP Configuration These are the tasks to configure FRRP.
CONFIG-FRRP mode.
interface primary interface secondary interface control-vlan vlan id
Interface:
• For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
4. Configure the Master node.
CONFIG-FRRP mode.
mode master
5. Identify the Member VLANs for this FRRP group.
CONFIG-FRRP mode.
VLAN-ID, Range: VLAN IDs for the ring's Member VLANs.
6. Enable this FRRP group on this switch.
CONFIG-FRRP mode.
no disable

Setting the FRRP Timers
To set the FRRP timers, use the following command.
NOTE: Set the Dead-Interval time 3 times the Hello-Interval.
• Enter the desired intervals for Hello-Interval or Dead-Interval times.
CONFIG-FRRP mode.
timer {hello-interval|dead-interval} milliseconds
• Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500).
Troubleshooting FRRP
To troubleshoot FRRP, use the following information.
Configuration Checks
• Each Control Ring must use a unique VLAN ID.
• Only two interfaces on a switch can be Members of the same control VLAN.
• There can be only one Master node for any FRRP group.
• You can configure FRRP on Layer 2 interfaces only.
• Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
interface Vlan 201
 no ip address
 tagged GigabitEthernet 2/14,31
 no shutdown
!
protocol frrp 101
 interface primary GigabitEthernet 2/14 secondary GigabitEthernet 2/31 control-vlan 101
 member-vlan 201
 mode transit
 no disable

Example of R3 TRANSIT
interface GigabitEthernet 3/14
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged GigabitEthernet 3/14,21
 no shutdown
!
interface Vlan 201
 no ip address
 tagged GigabitEt
16 GARP VLAN Registration Protocol (GVRP) The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and deregister attribute values, such as VLAN IDs, with each other.
Configure GVRP
To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports.
Figure 33. Global GVRP Configuration Example
Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2.
gvrp enable

DellEMC(conf)#protocol gvrp
DellEMC(config-gvrp)#no disable
DellEMC(config-gvrp)#show config
!
protocol gvrp
 no disable
DellEMC(config-gvrp)#

To inspect the global configuration, use the show gvrp brief command.

Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
• Enable GVRP on a Layer 2 interface.
Configure a GARP Timer
Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings.
• Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The Dell EMC Networking OS default is 200ms.
17 High Availability (HA)
High availability (HA) is supported on Dell EMC Networking OS. HA is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. To support all the features within the HA collection, you should have the latest boot code. The following table lists the boot code requirements as of this Dell EMC Networking OS release.
Table 19. Boot Code Requirements
Component | Boot Code
S3124 1 2.0.
-- PEER Stack-unit Status --
------------------------------------------------
Stack-unit State: Standby
Peer Stack-unit ID: 5
Stack-unit SW Version: 1-0(0-4679)

-- Stack-unit Redundancy Configuration --
------------------------------------------------
Primary Stack-unit: mgmt-id 1
Auto Data Sync: Full
Failover Type: Hot Failover
Auto reboot Stack-unit: Enabled
Auto failover limit: 3 times in 60 minutes

-- Stack-unit Failover Record --
------------------------------------------------
Failover Count: 0
Last failover time
redundancy disable-auto-reboot

Pre-Configuring a Stack Unit Slot
You may also pre-configure an empty stack unit slot with a logical stack unit. To pre-configure an empty stack unit slot, use the following command.
• Pre-configure an empty stack unit slot with a logical stack unit.
CONFIGURATION mode
stack-unit unit_id provision S3124
After creating the logical stack unit, you can configure the interfaces on the stack unit as if it is present.
Graceful Restart Graceful restart (also known as non-stop forwarding) is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change. Packet loss is non-zero, but trivial, and so is still called hitless.
• Kernel core dump: The kernel is the central component of an operating system that manages system processors and memory allocation and makes these facilities available to applications. A kernel core dump is the contents of the memory in use by the kernel at the time of an exception.

System Log
Event messages provide system administrators diagnostics and auditing information. Dell EMC Networking OS sends event messages to the internal buffer, all terminal lines, the console, and optionally to a syslog server.
18 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 34. IGMP Messages in IP Packets

Join a Multicast Group
There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier.

Responding to an IGMP Query
The following describes how a host can join a multicast group.
1. One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
2.
• To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
• An additional query type, the Group-and-Source-Specific Query, keeps track of state changes, while the Group-Specific and General queries still refresh the existing state.
3. The host’s third message indicates that it is only interested in traffic from sources 10.11.1.1 and 10.11.1.2. Because this request again prevents all other sources from reaching the subnet, the router sends another group-and-source query so that it can satisfy all other hosts. There are no other interested hosts so the request is recorded. Figure 37.
Figure 38. Membership Queries: Leaving and Staying

Configure IGMP
Configuring IGMP is a two-step process.
1. Enable multicast routing using the ip multicast-routing command.
2. Enable a multicast routing protocol.
• View IGMP-enabled IPv4 interfaces.
  EXEC Privilege mode
  show ip igmp interface
• View IGMP-enabled IPv6 interfaces.
  EXEC Privilege mode
  show ipv6 mld interface

DellEMC#show ip igmp interface
GigabitEthernet 3/10
Inbound IGMP access group is not set
Internet address is 165.87.34.
Viewing IGMP Groups
To view both learned and statically configured IGMP groups, use the following command.
• View both learned and statically configured IGMP groups.
  EXEC Privilege mode
  show ip igmp groups
  show ipv6 mld groups

DellEMC#show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address  Interface
225.1.1.1      GigabitEthernet 1/1
225.1.2.
  INTERFACE mode
  ipv6 mld query-max-response-time
• Adjust the last member query interval.
  INTERFACE mode
  ip igmp last-member-query-interval
• Adjust the amount of time the querier waits, for the initial query response, before sending the next IPv6 query.
Figure 39. Preventing a Host from Joining a Group
The following table lists the location and description shown in the previous illustration.
Table 20. Preventing a Host from Joining a Group — Description
Location | Description
1/21
  • Interface GigabitEthernet 1/21
  • ip pim sparse-mode
  • ip address 10.11.12.1/24
  • no shutdown
1/31
  • Interface GigabitEthernet 1/31
  • ip pim sparse-mode
  • ip address 10.11.13.1/24
  • no shutdown
2/1
  • Interface GigabitEthernet 2/1
  • ip pim sparse-mode
  • ip address 10.
2/11
  • Interface GigabitEthernet 2/11
  • ip pim sparse-mode
  • ip address 10.11.12.2/24
  • no shutdown
2/31
  • Interface GigabitEthernet 2/31
  • ip pim sparse-mode
  • ip address 10.11.23.1/24
  • no shutdown
3/1
  • Interface GigabitEthernet 3/1
  • ip pim sparse-mode
  • ip address 10.11.5.1/24
  • no shutdown
3/11
  • Interface GigabitEthernet 3/11
  • ip pim sparse-mode
  • ip address 10.11.13.2/24
  • no shutdown
3/21
  • Interface GigabitEthernet 3/21
  • ip pim sparse-mode
  • ip address 10.
IGMP Snooping IGMP snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers. Multicast packets are addressed with multicast MAC addresses, which represent a group of devices, rather than one unique device.
show config

DellEMC(conf-if-vl-100)#show config
!
interface Vlan 100
 no ip address
 ip igmp snooping fast-leave
 shutdown
DellEMC(conf-if-vl-100)#

Disabling Multicast Flooding
If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. When you configure the no ip igmp snooping flood command, the system drops the packets immediately.
ip igmp snooping last-member-query-interval

Fast Convergence after MSTP Topology Changes
When a port transitions to the Forwarding state as a result of an STP or MSTP topology change, Dell EMC Networking OS sends a general query out of all ports except the multicast router ports. The host sends a response to the general query and the forwarding database is updated without having to wait for the query interval to expire.
Application Name | Port Number | Client | Server
FTP | 20/21 | Supported | Supported
Syslog | 514 | Supported
Telnet | 23 | Supported
TFTP | 69 | Supported
Radius | 1812,1813 | Supported
Tacacs | 49 | Supported
HTTP | 80 for httpd; 443 for secure httpd; 8008 HTTP server port for confd application; 8888 secure HTTP server port for confd application | Supported | Supported

If you configure a source interface for any EIS management application, EIS might not coexist with that interface and the behavior is undefined in su
• For all non-management applications, traffic exits out of either front-end data port or management port based on route lookup in default routing table.
• Ping and traceroute are always non-management applications and route lookup for these applications is done in the default routing table only.
• For ping and traceroute utilities that are initiated from the switch, if reachability needs to be tested through routes in the management EIS routing table, you must configure ICMP as a management application.
• Therefore, a separate control over clearing the ARP entries learned via routes in the EIS table is not present. If the ARP entry for a destination is cleared in the default routing table, then if an ARP entry for the destination exists in the EIS table, that entry is also cleared.
• Because fallback support is removed, if the management port is down or the route lookup in the EIS table fails, packets are dropped.
Traffic type / Application type Non-EIS management application Switch initiated traffic Switch-destined traffic Transit Traffic route lookup fails, packets are dropped. on route lookup in EIS table. If management port management port is is down or route lookup fails, packets are blocked dropped Front-end default route will take higher precedence over management default route and SSH session to an unknown destination uses the front-end default route only. No change in the existing behavior.
Protocol | Behavior when EIS is Enabled | Behavior when EIS is Disabled
ftp | EIS Behavior | Default Behavior
ntp | EIS Behavior | Default Behavior
radius | EIS Behavior | Default Behavior
Sflow-collector | Default Behavior
Snmp (SNMP Mib response and SNMP Traps) | EIS Behavior | Default Behavior
ssh | EIS Behavior | Default Behavior
syslog | EIS Behavior | Default Behavior
tacacs | EIS Behavior | Default Behavior
telnet | EIS Behavior | Default Behavior
tftp | EIS Behavior | Default Behavior
icmp (ping and tracerout
Interworking of EIS With Various Applications
Stacking
• The management EIS is enabled on the master and the standby unit.
• Because traffic can be initiated from the Master unit only, the preference for the management EIS table for switch-initiated traffic, and all its related ARP processing, is applied in the Master unit only.
• ARP-related processing for switch-destined traffic is done by both master and standby units.
VLT
The VLT feature is for the front-end port only.
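The EIS rules stated in this section (management applications resolve only through the EIS table, ping and traceroute use the default table unless ICMP is made a management application, and with fallback removed an EIS miss or a down management port drops the packet) can be checked against a small model. The following is an added example, not Dell EMC Networking OS code; the routing tables, interface names and the EIS_MANAGEMENT_APPS set are constructed for the example, and default-route precedence between the two tables is not modelled.

```python
"""Model of Egress Interface Selection (EIS) lookup for switch-initiated traffic.

Added illustration, not Dell EMC Networking OS code. Default-route precedence
between the front-end and management tables is deliberately not modelled.
"""
import ipaddress
from dataclasses import dataclass, field

# Applications this section's protocol table marks "EIS Behavior" when EIS is
# enabled (set assembled here for the example; ICMP is opt-in, see Switch).
EIS_MANAGEMENT_APPS = frozenset(
    {"ftp", "ntp", "radius", "snmp", "ssh", "syslog", "tacacs", "telnet", "tftp"}
)


@dataclass
class RoutingTable:
    """Minimal longest-prefix-match table: prefix string -> egress interface name."""
    routes: dict = field(default_factory=dict)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best_net, best_iface = None, None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_iface = net, iface
        return best_iface


@dataclass
class Switch:
    default_table: RoutingTable
    eis_table: RoutingTable
    mgmt_port_up: bool = True
    icmp_is_management: bool = False  # models configuring ICMP as a management application

    def is_management_app(self, app):
        if app == "icmp":
            return self.icmp_is_management
        return app in EIS_MANAGEMENT_APPS

    def egress_for(self, app, dst):
        """Egress interface for a switch-initiated packet, or None when it is dropped."""
        if not self.is_management_app(app):
            # Non-management applications: default table only (either port domain).
            return self.default_table.lookup(dst)
        # Management applications: EIS table only, no fallback to the default table.
        if not self.mgmt_port_up:
            return None
        return self.eis_table.lookup(dst)


# Constructed sample topology used by the usage below.
SAMPLE_SWITCH = Switch(
    default_table=RoutingTable({"10.16.0.0/16": "GigabitEthernet 1/1",
                                "192.0.2.0/24": "GigabitEthernet 1/2"}),
    eis_table=RoutingTable({"10.16.0.0/16": "ManagementEthernet 1/1"}),
)

if __name__ == "__main__":
    for app, dst in [("ssh", "10.16.151.5"), ("tftp", "192.0.2.7"), ("icmp", "10.16.151.5")]:
        print(app, dst, "->", SAMPLE_SWITCH.egress_for(app, dst) or "dropped")
```

The second case in the usage is the operational caveat from this section: a management application whose destination is reachable only through the front-end table is dropped rather than falling back, so a monitoring gap after enabling EIS is often a missing EIS route, not a network fault.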
19 Interfaces This chapter describes interface types, both physical and logical, and how to configure them with Dell EMC Networking Operating System (OS). The system supports 1 Gigabit Ethernet and 10 Gigabit Ethernet interfaces.
• Defining Interface Range Macros
• Monitoring and Maintaining Interfaces
• Link Dampening
• Link Bundle Monitoring
• Using Ethernet Pause Frames for Flow Control
• Configure the MTU Size on an Interface
• Port-Pipes
• Auto-Negotiation on Ethernet Interfaces
• Provisioning Combo Ports
• View Advanced Interface Information
• Configuring the Traffic Sampling Size Globally
• Dynamic Counters
Interface Types
The following table describes different interface types.
Table 25.
NOTE: The CLI output may be incorrectly displayed as 0 (zero) for the Rx/Tx power values. To obtain the correct power information, perform a simple network management protocol (SNMP) query.
The following example shows the configuration and status information for one interface.
DellEMC#show interfaces gigabitethernet 1/1
GigabitEthernet 1/1 is up, line protocol is up
Hardware is Force10Eth, address is 00:01:e8:05:f3:6a
Current address is 00:01:e8:05:f3:6a
Pluggable media present, XFP type is 10GBASE-LR.
interface GigabitEthernet 2/8
 no ip address
 shutdown
!
interface GigabitEthernet 2/9
 no ip address
 shutdown
Resetting an Interface to its Factory Default State
You can reset the configurations applied on an interface to its factory default state. To reset the configuration, perform the following steps:
1. View the configurations applied on an interface.
INTERFACE mode
show config
2. Reset an interface to its factory default state.
CONFIGURATION mode
default interface interface-type]
3.
show interfaces interface-type slot/port eee
• show interfaces interface-type slot/port-range eee
List the statistical information of EEE on all the interfaces, on a specified port, or on a range of ports.
EXEC mode
EXEC PRIVILEGE mode
• show interfaces eee statistics
• show interfaces interface-type slot/port eee statistics
• show interfaces interface-type slot/port-range eee statistics
List the hardware counters on a specified interface or a specified stack unit.
The following example shows the hardware counters on a specified interface.
TX - Control Frame Counter
TX - Pause Control Frame Counter
TX - Oversized Frame Counter
TX - Jabber Counter
TX - VLAN Tag Frame Counter
TX - Double VLAN Tag Frame Counter
TX - RUNT Frame Counter
TX - Fragment Counter
TX - PFC Frame Priority 0
TX - PFC Frame Priority 1
TX - PFC Frame Priority 2
TX - PFC Frame Priority 3
TX - PFC Frame Priority 4
TX - PFC Frame Priority 5
TX - PFC Frame Priority 6
TX - PFC Frame Priority 7
TX - Debug Counter 0
TX - Debug Counter 1
TX - Debug Counter 2
TX - Debug Counter 3
TX
RX and TX counters, continued: PFC Frame Priority 3, PFC Frame Priority 4, PFC Frame Priority 5, PFC Frame Priority 6, PFC Frame Priority 7, Debug Counter 0, Debug Counter 1, Debug Counter 2, Debug Counter 3, Debug Counter 4, Debug Counter 5, Debug Counter 6, Debug Counter 7, Debug Counter 8, EEE LPI Event Counter, EEE LPI Duration Counter, 64 Byte Frame Counter, 65 t
clear counters eee
• Clear the EEE counters on the specified port.
EXEC Privilege mode
clear counters interface-type slot/port eee
• Clear the EEE counters on the specified range of ports.
EXEC Privilege mode
clear counters interface-type slot/port-range eee
When you use this command, confirm that you want Dell EMC Networking OS to clear the EEE counters.
• Auto-Negotiation on Ethernet Interfaces
• Adjusting the Keepalive Timer
• Clearing Interface Counters
Overview of Layer Modes
On all systems running Dell EMC Networking OS, you can place physical interfaces, port channels, and VLANs in Layer 2 mode or Layer 3 mode. By default, VLANs are in Layer 2 mode.
Table 26.
Configuring Layer 3 (Network) Mode When you assign an IP address to a physical interface, you place it in Layer 3 mode. To enable Layer 3 mode on an individual interface, use the following commands. In all interface types except VLANs, the shutdown command prevents all traffic from passing through the interface. In VLANs, the shutdown command prevents Layer 3 traffic from passing through the interface. Layer 2 traffic is unaffected by the shutdown command.
• ICMP unreachables are not sent
• IP unicast RPF check is not supported
Automatic recovery of an Err-disabled interface
The Dell EMC Networking OS attempts to recover the interface from the Err-disabled state automatically based on the cause of the error.
The following sample steps configure the recovery cause and the timer interval for automatic recovery of an interface.
DellEMC# configure terminal
DellEMC(conf)# errdisable recovery cause fefd
DellEMC(conf)# errdisable recovery interval 30
DellEMC(conf)#
Egress Interface Selection (EIS)
EIS allows you to isolate the management and front-end port domains by preventing switch-initiated traffic from being routed between the two domains.
CONFIGURATION mode
interface managementethernet interface
The slot range is 1. The port range is 1.
• Configure an IP address and mask on a Management interface.
INTERFACE mode
ip address ip-address mask
• ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in /prefix format (/x).
You can configure two global IPv6 addresses on the system in EXEC Privilege mode. To view the addresses, use the show interface managementethernet command, as shown in the following example.
• Primary and secondary management interface IP and virtual IP must be in the same subnet.
To view the Primary RPM Management port, use the show interface Managementethernet command in EXEC Privilege mode. If there are two RPMs, you cannot view information on that interface.
Configuring a Management Interface on an Ethernet Port
You can manage the system through any port using remote access such as Telnet. To configure an IP address for the port, use the following commands.
Loopback Interfaces
A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Because this interface is not a physical interface, you can configure routing protocols on this interface to provide protocol stability. You can place Loopback interfaces in default Layer 3 mode. To configure, view, or delete a Loopback interface, use the following commands.
• Enter a number as the Loopback interface.
Port Channel Interfaces
Port channel interfaces support link aggregation, as described in IEEE Standard 802.3ad. This section covers the following topics:
• Port Channel Definition and Standards
• Port Channel Benefits
• Port Channel Implementation
• Configuration Tasks for Port Channel Interfaces
Port Channel Definition and Standards
Link aggregation is defined by IEEE 802.
Interfaces in Port Channels When interfaces are added to a port channel, the interfaces must share a common speed. When interfaces have a configured speed different from the port channel speed, the software disables those interfaces. The common speed is determined when the port channel is first enabled. Then, the software checks the first interface listed in the port channel configuration. If you enabled that interface, its speed configuration becomes the common speed of the port channel.
• shutdown/no shutdown
• mtu
NOTE: A logical port channel interface cannot have flow control. Flow control can only be present on the physical interfaces if they are part of a port channel.
NOTE: The system supports jumbo frames by default (the default maximum transmission unit (MTU) is 1554 bytes). To configure the MTU, use the mtu command from INTERFACE mode.
When more than one interface is added to a Layer 2-port channel, Dell EMC Networking OS selects one of the active interfaces in the port channel to be the primary port. The primary port replies to flooding and sends protocol data units (PDUs). An asterisk in the show interfaces port-channel brief command indicates the primary port. As soon as a physical interface is added to a port channel, the properties of the port channel determine the properties of the physical interface.
Configuring the Minimum Oper Up Links in a Port Channel
You can configure the minimum links in a port channel (LAG) that must be in “oper up” status to consider the port channel to be in “oper up” status. To set the “oper up” status of your links, use the following command.
• Enter the number of links in a LAG that must be in “oper up” status.
INTERFACE mode
minimum-links number
The default is 1.
Codes: U - Untagged, T - Tagged
       x - Dot1x untagged, X - Dot1x tagged
       G - GVRP tagged, M - Trunk, H - VSN tagged
       i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged
Name: GigabitEthernet 1/1
802.1QTagged: True
Vlan membership:
Q Vlans
T 2-5,100,4010
DellEMC#
Assigning an IP Address to a Port Channel
You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command.
• Replace the default IP 4-tuple method of balancing traffic over a port channel.
CONFIGURATION mode
[no] load-balance {ip-selection [dest-ip | source-ip]} | {mac [dest-mac | source-dest-mac | source-mac]} | {tcp-udp enable} {ipv6-selection} {tunnel} | {ingress-port}
You can select one, two, or all three of the following basic hash methods:
• ip-selection [dest-ip | source-ip] — Distribute IP traffic based on the IP destination or source address.
• xor4 — Upper 8 bits of CRC16-BISYNC and lower 8 bits of xor4
• xor8 — Upper 8 bits of CRC16-BISYNC and lower 8 bits of xor8
• xor16 — Uses a 16-bit XOR.
Bulk Configuration
Bulk configuration allows you to determine whether interfaces are present (for physical interfaces) or configured (for logical interfaces).
Interface Range
An interface range is a set of interfaces to which other commands may be applied. A range may be created if there is at least one valid interface within it.
Create a Multiple-Range
The following is an example of a multiple range.
Example of the interface range Command (Multiple Ranges)
DellEMC(conf)#interface range gigabitethernet 1/5 - 1/10 , gigabitethernet 1/1 , vlan 1
DellEMC(conf-if-range-gi-1/1,gi-1/5-1/10,vl-1)#
Exclude Duplicate Entries
The following is an example showing how duplicate entries are omitted from the interface-range prompt.
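The prompt in the example above shows what the range parser does with its input: members are expanded, duplicates dropped, the result sorted, and consecutive ports collapsed back into a range. The following added example reproduces that normalisation; it is not Dell EMC Networking OS code. The gi and vl abbreviations come from the prompt shown above, while the te, po and lo entries in ABBREV and the exact sort order are assumptions of this example.

```python
"""Expand and normalise an interface-range specification (added illustration,
not Dell EMC Networking OS code)."""
import re

# "gi" and "vl" appear in the prompt in this section; the other entries are assumed.
ABBREV = {"gigabitethernet": "gi", "tengigabitethernet": "te", "vlan": "vl",
          "port-channel": "po", "loopback": "lo"}

# "<type> <start>[ - <end>]" where start/end are "slot/port" or a bare number
ITEM_RE = re.compile(r"([a-z-]+)\s+(\d+(?:/\d+)?)(?:\s*-\s*(\d+(?:/\d+)?))?")


def _member(token):
    """'1/5' -> (1, 5); '7' -> (None, 7)."""
    if "/" in token:
        slot, port = token.split("/")
        return int(slot), int(port)
    return None, int(token)


def _fmt(slot, port):
    return str(port) if slot is None else f"{slot}/{port}"


def expand_item(item):
    """One comma-separated item -> list of (type, slot, port) tuples."""
    m = ITEM_RE.fullmatch(item.strip().lower())
    if not m:
        raise ValueError(f"unrecognised interface range item: {item!r}")
    kind, start, end = m.groups()
    if kind not in ABBREV:
        raise ValueError(f"unknown interface type: {kind}")
    s_slot, s_port = _member(start)
    e_slot, e_port = _member(end) if end else (s_slot, s_port)
    if s_slot != e_slot:
        raise ValueError("a range must stay within one slot")
    if e_port < s_port:
        raise ValueError("range end is below range start")
    return [(kind, s_slot, p) for p in range(s_port, e_port + 1)]


def interface_range(spec):
    """Sorted, de-duplicated members of a full interface-range specification."""
    members = set()
    for item in spec.split(","):
        members.update(expand_item(item))
    # Sort by type, then slot (bare numbers first), then port.
    return sorted(members, key=lambda m: (m[0], -1 if m[1] is None else m[1], m[2]))


def range_prompt(spec):
    """Build the 'conf-if-range-...' prompt text, collapsing consecutive ports."""
    runs = []  # [kind, slot, first_port, last_port]
    for kind, slot, port in interface_range(spec):
        if runs and runs[-1][0] == kind and runs[-1][1] == slot and runs[-1][3] + 1 == port:
            runs[-1][3] = port
        else:
            runs.append([kind, slot, port, port])
    parts = []
    for kind, slot, first, last in runs:
        text = f"{ABBREV[kind]}-{_fmt(slot, first)}"
        if last != first:
            text += f"-{_fmt(slot, last)}"
        parts.append(text)
    return "conf-if-range-" + ",".join(parts)


if __name__ == "__main__":
    print(range_prompt("gigabitethernet 1/5 - 1/10 , gigabitethernet 1/1 , vlan 1"))
```

Feeding the exact input from the example above yields conf-if-range-gi-1/1,gi-1/5-1/10,vl-1, and an overlapping second item such as gigabitethernet 1/2 inside a 1/1 - 1/3 range is absorbed, which is the duplicate-exclusion behaviour described next.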
To define an interface-range macro, use the following command.
• Define the interface-range macro and save it in the running configuration file.
Output bytes:        0    0 Bps
Input packets:       0    0 pps
Output packets:      0    0 pps
64B packets:         0    0 pps
Over 64B packets:    0    0 pps
Over 127B packets:   0    0 pps
Over 255B packets:   0    0 pps
Over 511B packets:   0    0 pps
Over 1023B packets:  0    0 pps
Error statistics:
Input underruns:     0
Input giants:        0
Input throttles:     0
Input CRC:           0
Input IP checksum:   0
Input overrun:       0
Output underruns:    0
Output throttles:    0
m - Change mode   l - Page up   T   q   In
You configure link dampening using the dampening [[[[half-life] [reuse-threshold]] [suppress-threshold]] [max-suppress-time]] command on the interface. Following is the detailed explanation of interface state change events:
• suppress-threshold — The suppress threshold is a value that triggers a flapping interface to dampen. The system adds a penalty when the interface state goes up and down.
Figure 40. Interface State Change
Consider an interface that flaps periodically, as shown above. Every time the interface goes down, a penalty (1024) is added. In the above example, during the first interface flap (flap 1), the penalty rises to 1024. The accumulated penalty then decays exponentially according to the configured half-life, which is set to 10 seconds in the above example. During the second interface flap (flap 2), the penalty (1024) is added again.
Enabling Link Dampening
To enable link dampening, use the following command.
• Enable link dampening.
INTERFACE mode
dampening
To view the link dampening configuration on an interface, use the show config command.
R1(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
 ip address 10.10.19.1/24
 dampening 1 2 3 4
 no shutdown
To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
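The penalty arithmetic described above (1024 per flap, exponential decay by half-life, suppression at the suppress threshold, release below the reuse threshold or after max-suppress-time) is easy to get wrong when choosing dampening parameters. The following is an added worked model of that arithmetic, not Dell EMC Networking OS code; the parameter values used in the usage are constructed, and the way the real hardware rounds the timer is not modelled.

```python
"""Link dampening penalty model (added illustration, not Dell EMC Networking OS code)."""
import math


class LinkDampening:
    FLAP_PENALTY = 1024  # penalty added on each down transition, as in the guide's example

    def __init__(self, half_life, reuse_threshold, suppress_threshold, max_suppress_time):
        if not 0 < reuse_threshold < suppress_threshold:
            raise ValueError("reuse-threshold must be positive and below suppress-threshold")
        self.half_life = float(half_life)
        self.reuse_threshold = reuse_threshold
        self.suppress_threshold = suppress_threshold
        self.max_suppress_time = max_suppress_time
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed_since = None  # time the interface was dampened, or None

    def _decay_to(self, now):
        """Apply exponential decay for the time elapsed since the last update."""
        elapsed = now - self.last_update
        if elapsed < 0:
            raise ValueError("time must not move backwards")
        self.penalty *= 0.5 ** (elapsed / self.half_life)
        self.last_update = now

    def flap(self, now):
        """Record a down transition at time `now`; returns the accumulated penalty."""
        self._decay_to(now)
        self.penalty += self.FLAP_PENALTY
        if self.suppressed_since is None and self.penalty >= self.suppress_threshold:
            self.suppressed_since = now
        return self.penalty

    def is_suppressed(self, now):
        """True while the interface is dampened at time `now`."""
        self._decay_to(now)
        if self.suppressed_since is not None:
            timed_out = now - self.suppressed_since >= self.max_suppress_time
            if self.penalty < self.reuse_threshold or timed_out:
                self.suppressed_since = None
        return self.suppressed_since is not None

    def seconds_until_reuse(self, now):
        """Seconds until the penalty decays below the reuse threshold (0 if already below)."""
        self._decay_to(now)
        if self.penalty < self.reuse_threshold:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse_threshold)


if __name__ == "__main__":
    # Constructed parameters: half-life 10 s (as in the figure), reuse 1500,
    # suppress 1900, max-suppress-time 60 s; one flap every 10 s.
    d = LinkDampening(10, 1500, 1900, 60)
    for t in (0, 10, 20, 30):
        print(f"t={t:>2}s penalty={d.flap(t):.0f} suppressed={d.is_suppressed(t)}")
    print(f"reuse in {d.seconds_until_reuse(30):.2f}s")
```

With a flap every half-life the penalty converges towards 2 × 1024, so a suppress threshold above 2048 would never trigger for that flap rate; the model makes such mismatches visible before the parameters are applied to an interface.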
Configure MTU Size on an Interface
In Dell EMC Networking OS, Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload). The following table lists the range for each transmission media.
Transmission Media | MTU Range (in bytes)
Ethernet | 594-12000 = link MTU; 576-9234 = IP MTU
Link Bundle Monitoring
Monitoring linked LAG bundles allows traffic distribution amounts in a link to be monitored for unfair distribution at any given time.
Control how the system responds to and generates 802.3x pause frames on Ethernet interfaces. The default is rx off tx off.
INTERFACE mode
flowcontrol rx [off | on] tx [off | on] | [monitor session-ID]
Where:
rx on: Processes the received flow control frames on this port.
rx off: Ignores the received flow control frames on this port.
tx on: Sends control frames from this port to the connected device when a higher rate of traffic is received.
Link MTU and IP MTU considerations for port channels and VLANs are as follows.
Port Channels:
• All members must have the same link MTU value and the same IP MTU value.
• The port channel link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values configured on the channel members. For example, if the members have a link MTU of 2100 and an IP MTU of 2000, the port channel’s MTU values cannot be higher than 2100 bytes for link MTU or 2000 bytes for IP MTU.
4. Access the port.
CONFIGURATION mode
interface interface-type
5. Set the local port speed.
INTERFACE mode
speed {10 | 100 | 1000 | 10000 | auto}
NOTE: If you use an active optical cable (AOC), you can convert the QSFP+ port to a 10 Gigabit SFP+ port or 1 Gigabit SFP port. You can use the speed command to enable the required speed.
6. Disable auto-negotiation on the port.
INTERFACE mode
no negotiation auto
If the speed was set to 1000, do not disable auto-negotiation.
7. Verify configuration changes.
DellEMC(conf-if-gi-1/1)#duplex full
DellEMC(conf-if-gi-1/1)#no negotiation auto
DellEMC(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
 no ip address
 speed 100
 duplex full
 no shutdown
Set Auto-Negotiation Options
The negotiation auto command provides a mode option for configuring an individual port as forced master or forced slave once autonegotiation is enabled.
CAUTION: Ensure that only one end of the link is configured as forced-master and the other is configured as forced-slave.
Provisioning Combo Ports The device has two combo ports of 1G SFP. By default, the combo ports are in Hybrid mode. You can provision the combo ports to act as a copper or fiber medium. The speed and negotiation auto commands are not available on the combo ports in the Hybrid mode. To apply these commands on combo ports, provision the ports as individual medium. You can use the combo-port-type command to provision the combo ports as copper or fiber medium.
Name: GigabitEthernet 3/3
802.1QTagged: True
Vlan membership:
Vlan 2
Name: GigabitEthernet 3/4
802.1QTagged: True
Vlan membership:
Vlan 2
--More--
Configuring the Interface Sampling Size
Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG.
0 packets output, 0 bytes, 0 underruns
Output 0 Multicasts, 0 Broadcasts, 0 Unicasts
0 IP Packets, 0 Vlans, 0 MPLS
0 throttles, 0 discarded
Rate info (interval 100 seconds):
Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Time since last interface status change: 1d23h42m
Configuring the Traffic Sampling Size Globally
You can configure the traffic sampling size for an interface in the global configuration mode.
Hardware address is 4c:76:25:f4:ab:02, Current address is 4c:76:25:f4:ab:02
Interface index is 1258301440
Minimum number of links to bring Port-channel up is 1
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :4c7625f4ab02
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 80000 Mbit
Members in this channel: Fo 1/1/7/1(U) Fo 1/1/8/1(U)
ARP type: ARPA, ARP Timeout 04:00:00
Queueing strategy: fifo
Input Statistics:
13932 packets, 1111970 bytes
5588 64-byte pkts, 8254 over 64-byte pkt
• For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
• For the Management interface on the stack-unit, enter the keyword ManagementEthernet then the slot/port information.
• For a port channel interface, enter the keywords port-channel then a number.
20 Internet Protocol Security (IPSec)
Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel.
• Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
3. Apply the crypto policy to management traffic.
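Before applying a crypto policy to management traffic it is worth checking which flows the match lines actually cover, since anything outside them is carried without IPSec. The following added example evaluates the match lines shown above against sample flows; it is not Dell EMC Networking OS code. The rule text is copied from the example above, and the reading of each field (sequence, protocol, source prefix, source port, destination prefix, destination port, with 0 meaning any port) is an assumption of this example.

```python
"""Evaluate IPsec crypto-policy match rules against flows.

Added illustration, not Dell EMC Networking OS code. Field layout of a match
line is assumed: seq proto src /len sport dst /len dport (port 0 = any).
"""
import ipaddress
from dataclasses import dataclass

# Match lines copied from the example in this section.
POLICY_TEXT = """\
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
"""


@dataclass(frozen=True)
class MatchRule:
    seq: int
    proto: str
    src: object   # ipaddress network
    sport: int    # 0 = any
    dst: object   # ipaddress network
    dport: int    # 0 = any

    def matches(self, proto, src, sport, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Membership test is False across IP versions, so mixed v4/v6 never matches.
        return (proto == self.proto
                and s in self.src and d in self.dst
                and self.sport in (0, sport)
                and self.dport in (0, dport))


def parse_policy(text):
    """Parse match lines into rules ordered by sequence number."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if parts[0] != "match" or len(parts) != 9:
            raise ValueError(f"line {lineno}: unrecognised rule {line!r}")
        _, seq, proto, src, slen, sport, dst, dlen, dport = parts
        rules.append(MatchRule(int(seq), proto.lower(),
                               ipaddress.ip_network(src + slen), int(sport),
                               ipaddress.ip_network(dst + dlen), int(dport)))
    return sorted(rules, key=lambda r: r.seq)


def first_match(rules, proto, src, sport, dst, dport):
    """Sequence number of the first rule covering the flow, or None when none does."""
    for rule in rules:
        if rule.matches(proto, src, sport, dst, dport):
            return rule.seq
    return None


RULES = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    # Constructed sample flows: telnet client->server, ftp control, and ssh.
    for flow in [("tcp", "a::1", 50000, "a::2", 23),
                 ("tcp", "1.1.1.1", 50000, "1.1.1.2", 21),
                 ("tcp", "1.1.1.1", 50000, "1.1.1.2", 22)]:
        print(flow, "->", first_match(RULES, *flow))
```

The third sample flow returns None: the policy above protects Telnet (23) and FTP control (21) in both directions but says nothing about SSH, so a session on port 22 between the same endpoints would be sent without IPSec. Running the intended management flows through first_match is a quick way to confirm the policy matches what the operator believes is protected.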
21 IPv4 Routing The Dell EMC Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell EMC Networking OS.
IP Addresses Dell EMC Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which increases the number of subnets, is also supported. To subnet, you add a mask to the IP address to separate the network and host portions of the IP address.
• secondary: add the keyword secondary if the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses.
To view the configuration, use the show config command in INTERFACE mode or use the show ip interface command in EXEC privilege mode, as shown in the second example.
DellEMC(conf-if)#show conf
!
interface GigabitEthernet 1/1
 ip address 10.11.1.
Direct, Lo 0
--More--
Dell EMC Networking OS installs a next hop that is on the directly connected subnet of the current IP address on the interface. Dell EMC Networking OS also installs a next hop that is not on the directly connected subnet but which recursively resolves to a next hop on the interface's configured subnet.
• When the interface goes down, Dell EMC Networking OS withdraws the route.
• When the interface comes up, Dell EMC Networking OS re-installs the route.
To view the configured static routes for the management port, use the show ip management-route command in EXEC privilege mode.
DellEMC#show ip management-route
Destination        Gateway
-----------        -------
10.16.0.0/16       ManagementEthernet 1/1
172.16.1.0/24      10.16.151.
Configure the source to send the configured source interface IP address instead of using its front-end IP address in the ICMP unreachable messages and in the traceroute command output. Use the ip icmp source-interface interface or the ipv6 icmp source-interface interface commands in Configuration mode to enable the ICMP error messages to be sent with the source interface IP address. This functionality is supported on loopback, VLAN, port channel, and physical interfaces for IPv4 and IPv6 messages.
Name server, Domain name, and Domain list are VRF specific. The maximum number of Name servers and Domain lists per VRF is six.
Enabling Dynamic Resolution of Host Names
By default, dynamic resolution of host names (DNS) is disabled. To enable DNS, use the following commands.
• Enable dynamic resolution of host names.
CONFIGURATION mode
ip domain-lookup
• Specify up to six name servers.
CONFIGURATION mode
ip name-server ip-address [ip-address2 ... ip-address6]
The order in which you enter the servers determines the order of their use.
When you enter the traceroute command without specifying an IP address (Extended Traceroute), you are prompted for a target and source IP address, timeout in seconds (default is 5), a probe count (default is 3), minimum TTL (default is 1), maximum TTL (default is 30), and port number (default is 33434).
• Configure an IP address and MAC address mapping for an interface.
CONFIGURATION mode
arp vrf vrf-name ip-address mac-address interface
• vrf vrf-name: use the VRF option to configure a static ARP on that particular VRF.
• ip-address: IP address in dotted decimal format (A.B.C.D).
• mac-address: MAC address in nnnn.nnnn.nnnn format.
• interface: enter the interface type slot/port information.
These entries do not age and can only be removed manually.
In the request, the host uses its own IP address in the Sender Protocol Address and Target Protocol Address fields.
Enabling ARP Learning via Gratuitous ARP
To enable ARP learning via gratuitous ARP, use the following command.
• Enable ARP learning via gratuitous ARP.
CONFIGURATION mode
arp learn-enable
ARP Learning via ARP Request
In Dell EMC Networking OS versions prior to 8.3.1.
Configuring ARP Retries
You can configure the number of ARP retries. The default backoff interval remains at 20 seconds. On the device, the time between ARP retransmissions is configurable. This timer is an exponential backoff timer: over the specified period, the time between ARP requests increases. This increase reduces the potential for the system to slow down while waiting for a multitude of ARP responses. To set and display ARP retries, use the following commands.
• Set the number of ARP retries.
ICMP Redirects When a host sends a packet to a destination, it sends the packet to the configured default gateway. If the gateway router finds that a better route is available through a different router in the same network, that is, the same data link, the gateway router sends the source host an ICMP redirect message with the better route. The gateway router routes the packet to its destination and the host sends subsequent packets to that particular destination through the correct router.
Important Points to Remember
• The existing ip directed broadcast command is rendered meaningless if you enable UDP helper on the same interface.
• The broadcast traffic rate should not exceed 200 packets per second when you enable UDP helper.
• You may specify a maximum of 16 UDP ports.
Input Statistics:
0 packets, 0 bytes
Time since last interface status change: 00:07:44
Configurations Using UDP Helper
When you enable UDP helper and the destination IP address of an incoming packet is a broadcast address, Dell EMC Networking OS suppresses the destination address of the packet. The following sections describe various configurations that employ UDP helper to direct broadcasts.
UDP Helper with Subnet Broadcast Addresses
When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to the matching interface. In the following illustration, Packet 1 has the destination IP address 1.1.1.255, which matches the subnet broadcast address of VLAN 101.
UDP Helper with No Configured Broadcast Addresses
The following describes UDP helper with no broadcast addresses configured.
• If the incoming packet has a broadcast destination IP address, the unaltered packet is routed to all Layer 3 interfaces.
• If the incoming packet has a destination IP address that matches the subnet broadcast address of any interface, the unaltered packet is routed to the matching interfaces.
22 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell EMC Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
• Prefix Renumbering — Useful in transparent renumbering of hosts in the network when an organization changes its service provider.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses from dynamic host configuration protocol (DHCP) servers via stateful auto-configuration.
NOTE: Dell EMC Networking OS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS).
Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities. Routers understand the priority settings and handle them appropriately during conditions of congestion.
Source Address (128 bits)
The Source Address field contains the IPv6 address for the packet originator.
Destination Address (128 bits)
The Destination Address field contains the intended recipient’s IPv6 address. This can be either the ultimate destination or the address of the next hop router.
Extension Header Fields
Extension headers are used only when necessary. Due to the streamlined nature of the IPv6 header, adding extension headers does not severely impact performance.
Addressing
IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab is a valid IPv6 address. If one or more consecutive four-digit groups are 0000, the zeros may be omitted and replaced with two colons (::). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab can be shortened to 2001:0db8::1428:57ab. Only one set of double colons is supported in a single address.
Feature and Functionality | Dell EMC Networking OS Release Introduction (S3100 series) | Documentation and Chapter Location
IPv6 Basic Addressing
IPv6 address types: Unicast | 9.7.(0.1) | Extended Address Space
IPv6 neighbor discovery | 9.7.(0.1) | IPv6 Neighbor Discovery
IPv6 stateless autoconfiguration | 9.7.(0.1) | Stateless Autoconfiguration
IPv6 MTU path discovery | 9.7.(0.1) | Path MTU Discovery
IPv6 ICMPv6 | 9.7.(0.1) | ICMPv6
IPv6 ping | 9.7.(0.1) | ICMPv6
IPv6 traceroute | 9.7.(0.1) | ICMPv6
IPv6 SNMP | 9.7.
Command Line Reference Guide.
Telnet server over IPv6 (inbound Telnet) | 9.7.(0.1) | Configuring Telnet with IPv6
Secure Shell (SSH) client support over IPv6 (outbound SSH), Layer 3 only | 9.7.(0.1) | Secure Shell (SSH) Over an IPv6 Transport
Secure Shell (SSH) server support over IPv6 (inbound SSH), Layer 3 only | 9.7.(0.
Figure 48. Path MTU discovery process IPv6 Neighbor Discovery The IPv6 neighbor discovery protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In place of address resolution protocol (ARP), NDP uses “Neighbor Solicitation” and “Neighbor Advertisement” ICMPv6 messages for determining relationships between neighboring nodes.
Figure 49. NDP Router Redirect IPv6 Neighbor Discovery of MTU Packets You can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is set with the mtu command.
The following example configures an RDNSS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
ND reachable time is 20120 milliseconds
ND base reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 198 to 600 seconds
ND router advertisements live for 1800 seconds
ND advertised hop limit is 64
IPv6 hop limit for originated packets is 64
ND dns-server address is 1000::1 with lifetime of 1 seconds
ND dns-server address is 3000::1 with lifetime of 1 seconds
ND dns-server address is 200
To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start), then reload the system for the new settings.
• Allocate space for IPv6 ACLs. Enter the CAM profile name then the allocated amount.
CONFIGURATION mode
cam-acl { ipv6acl }
When not selecting the default option, enter all of the profiles listed and a range for each. The total space allocated must equal 13. The ipv6acl range must be a factor of 2.
• Show the current CAM settings.
Enter the keyword interface then the type of interface and slot/port information:
• For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
• For a port channel interface, enter the keywords port-channel then a number.
rpf
DellEMC#
RPF table
Displaying IPv6 Interface Information
To view the IPv6 configuration for a specific interface, use the following command.
• Show the currently running configuration for the specified interface.
EXEC mode
show ipv6 interface interface {slot/port}
Enter the keyword interface then the type of interface and slot/port information:
• For a brief summary of IPv6 status and configuration, enter the keyword brief.
• To display information about Border Gateway Protocol (BGP) routes, enter bgp.
• To display information about ISO IS-IS routes, enter isis.
• To display information about Open Shortest Path First (OSPF) routes, enter ospf.
• To display information about Routing Information Protocol (RIP) routes, enter rip.
• To display information about static IPv6 routes, enter static.
• To display information about an IPv6 prefix list, enter list and the prefix-list name.
interface GigabitEthernet 2/2
 no ip address
 ipv6 address 3:4:5:6::8/24
 shutdown
DellEMC#
Clearing IPv6 Routes
To clear routes from the IPv6 routing table, use the following command.
• Clear (refresh) all or a specific route from the IPv6 routing table.
  EXEC mode
  clear ipv6 route {* | ipv6 address prefix-length}
  • *: all routes.
  • ipv6 address: the format is x:x:x:x::x.
  • mask: the prefix length is from 0 to 128.
   Use the keyword router to set the device role as router.
5. Set the hop count limit.
   POLICY LIST CONFIGURATION mode
   hop-limit {maximum | minimum limit}
   The hop limit range is from 0 to 254.
6. Set the managed address configuration flag.
   POLICY LIST CONFIGURATION mode
   managed-config-flag {on | off}
7. Enable verification of the sender IPv6 address in inspected messages from the authorized device source access list.
Configuring IPv6 RA Guard on an Interface
To configure the IPv6 Router Advertisement (RA) guard on an interface, perform the following steps:
1. Configure the terminal to enter the Interface mode.
   CONFIGURATION mode
   interface interface-type slot/port
2. Apply the IPv6 RA guard to a specific interface.
   INTERFACE mode
   ipv6 nd ra-guard attach policy policy-name [vlan [vlan 1, vlan 2, vlan 3.....]]
3. Display the configurations applied on all the RA guard policies or a specific RA guard policy.
23 iSCSI Optimization This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
configured to use dot1p priority-queue assignments to ensure that iSCSI traffic in these sessions receives priority treatment when forwarded on stacked switch hardware.
Figure 50. iSCSI Optimization Example
Monitoring iSCSI Traffic Flows
The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that trap iSCSI protocol packets to the CPU for examination. Devices that initiate iSCSI sessions usually use well-known TCP ports 3260 or 860 to contact targets.
NOTE: On a switch in which a large proportion of traffic is iSCSI, CoS queue assignments may interfere with other network control-plane traffic, such as ARP or LACP. Balance preferential treatment of iSCSI traffic against the needs of other critical data in the network.
Information Monitored in iSCSI Traffic Flows
iSCSI optimization examines the following data in packets and uses the data to track the session and create the classifier entries that enable QoS treatment.
The following syslog message is generated the first time an EqualLogic array is detected:
%STKUNIT0-M:CP %LLDP-5-LLDP_EQL_DETECTED: EqualLogic Storage Array detected on interface Te 1/43
• At the first detection of an EqualLogic array, the maximum supported MTU is enabled on all ports and port-channels (if it has not already been enabled).
• Spanning-tree portfast is enabled on the interface LLDP identifies.
• Unicast storm control is disabled on the interface LLDP identifies.
• Link-level flow control is globally enabled, if it is not already enabled, and PFC is disabled.
• iSCSI session snooping is enabled.
• iSCSI LLDP monitoring starts to automatically detect EqualLogic arrays.
The following message displays when you enable iSCSI on a switch and describes the configuration changes that are automatically performed:
%STKUNIT0-M:CP %IFMGR-5-IFM_ISCSI_ENABLE: iSCSI has been enabled causing flow control to be enabled on all interfaces.
NOTE: Content addressable memory (CAM) allocation is optional. If CAM is not allocated, the following features are disabled:
• session monitoring
• aging
• class of service
You can enable iSCSI even when allocated with zero (0) CAM blocks. However, if no CAM blocks are allocated, session monitoring is disabled and the show iscsi command displays this information.
2. Enable iSCSI.
   CONFIGURATION mode
   iscsi enable
3. For a DCB environment: Configure DCB and iSCSI.
4.
   The default is 10 minutes.
9. (Optional) Configures the advertised priority bitmap in iSCSI application TLVs.
   LLDP CONFIGURATION mode
   [no] iscsi priority-bits
   The default is 4 (0x10 in the bitmap).
10. (Optional) Configures the auto-detection of Compellent arrays on a port.
   INTERFACE mode
   [no] iscsi profile-compellent
   The default is: Compellent disk arrays are not detected.
Displaying iSCSI Optimization Information
To display information on iSCSI optimization, use the following show commands.
Target:iqn.2010-11.com.ixia:ixload:iscsi-TG1
Initiator:iqn.2010-11.com.ixia.ixload:initiator-iscsi-2c
Up Time:00:00:01:28(DD:HH:MM:SS)
Time for aging out:00:00:09:34(DD:HH:MM:SS)
ISID:806978696102
Initiator      Initiator   Target        Target    Connection
IP Address     TCP Port    IP Address    TCPPort   ID
10.10.0.44     33345       10.10.0.101   3260      0
VLT PEER2 Session 0:
------------------------------------------------------------
Target:iqn.2010-11.com.ixia:ixload:iscsi-TG1
Initiator:iqn.2010-11.com.ixia.
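The session snooping and aging behaviour described in this chapter, modelled as an added example that is not Dell EMC Networking OS code: it classifies constructed TCP packets by the well-known target ports 3260 and 860, tracks a session from the initiator's SYN until a FIN or RST, and ages idle sessions out after the 10-minute default. Treating the SYN as the establishment marker is a simplifying assumption; the packet and session records are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISCSI_PORTS = {3260, 860}          # well-known iSCSI target ports named in the text
DEFAULT_AGING_SECONDS = 10 * 60    # iscsi aging time default of 10 minutes

Key = Tuple[str, int, str, int]    # (initiator ip, initiator port, target ip, target port)


@dataclass
class Packet:
    """Constructed stand-in for the 5-tuple and TCP flags of a packet trapped to the CPU."""
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str                     # e.g. "S", "SA", "A", "FA", "R"


@dataclass
class Session:
    initiator_ip: str
    initiator_port: int
    target_ip: str
    target_port: int
    established: float
    last_seen: float


class ISCSISnooper:
    """Minimal model of the classifier + session table the switch keeps for QoS treatment."""

    def __init__(self, aging_seconds: int = DEFAULT_AGING_SECONDS) -> None:
        self.aging = aging_seconds
        self.sessions: Dict[Key, Session] = {}

    @staticmethod
    def classify(pkt: Packet) -> Optional[Key]:
        """Return the session key if the packet belongs to an iSCSI flow, else None.

        Only packets to or from a well-known target port are trapped; everything
        else is forwarded in hardware without touching the session table.
        """
        if pkt.dst_port in ISCSI_PORTS:
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.src_port in ISCSI_PORTS:
            return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return None

    def observe(self, pkt: Packet) -> bool:
        """Update the table from one packet; returns True if the packet was iSCSI."""
        key = self.classify(pkt)
        if key is None:
            return False
        is_initiator_syn = "S" in pkt.flags and "A" not in pkt.flags and pkt.dst_port in ISCSI_PORTS
        if is_initiator_syn:
            # session establishment: install the entry that later receives priority treatment
            self.sessions[key] = Session(*key, established=pkt.ts, last_seen=pkt.ts)
        elif key in self.sessions:
            if "F" in pkt.flags or "R" in pkt.flags:
                del self.sessions[key]          # termination: release the classifier entry
            else:
                self.sessions[key].last_seen = pkt.ts
        return True

    def expire(self, now: float) -> int:
        """Age out sessions idle longer than the aging time; returns how many were removed."""
        stale = [k for k, s in self.sessions.items() if now - s.last_seen > self.aging]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def table(self, now: float) -> List[Tuple[str, int, str, int, int, int]]:
        """Rows like 'show iscsi session detail': addresses, ports, up time, seconds to aging out."""
        return [
            (s.initiator_ip, s.initiator_port, s.target_ip, s.target_port,
             int(now - s.established), int(max(0.0, self.aging - (now - s.last_seen))))
            for s in self.sessions.values()
        ]


if __name__ == "__main__":
    snoop = ISCSISnooper()
    snoop.observe(Packet(0.0, "10.10.0.44", 33345, "10.10.0.101", 3260, "S"))
    snoop.observe(Packet(0.1, "10.10.0.101", 3260, "10.10.0.44", 33345, "SA"))
    for row in snoop.table(100.0):
        print(row)
```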
24 Intermediate System to Intermediate System
The intermediate system to intermediate system (IS-IS) protocol uses a shortest-path-first algorithm. Dell EMC Networking supports both IPv4 and IPv6 versions of IS-IS.
Figure 51. ISO Address Format
Multi-Topology IS-IS
Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases. Use this feature to place a virtual physical topology into logical routing domains, which can each support different routing and security policies. All routers on a LAN or point-to-point link must have at least one common supported topology when operating in Multi-Topology IS-IS mode.
Graceful Restart Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change. Normally, when an IS-IS router is restarted, temporary disruption of routing occurs due to events in both the restarting router and the neighbors of the restarting router.
• Accepts external IPv6 information and advertises this information in the PDUs. The following table lists the default IS-IS values. Table 31.
1. Create an IS-IS routing process.
   CONFIGURATION mode
   router isis [tag]
   tag: (optional) identifies the name of the IS-IS process.
2. Configure an IS-IS network entity title (NET) for a routing process.
   ROUTER ISIS mode
   net network-entity-title
   Specify the area address and system ID for an IS-IS routing process. The last byte must be 00. For more information about configuring a NET, refer to IS-IS Addressing.
3. Enter the interface configuration mode.
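As an added example (not Dell EMC Networking OS code), a parser that splits a NET into its area address, system ID and NSEL and enforces the rule above that the last byte must be 00; the NETs used as input are the ones that appear in this chapter. The same_system_id check relies on the IS-IS rule that one router's NETs share a system ID, which is a protocol fact rather than something this page states.

```python
import re
from typing import Dict, Iterable, Union


def parse_net(net: str) -> Dict[str, Union[int, str]]:
    """Split a dotted-hex NET into area address, system ID and NSEL.

    ISO address layout (Figure 51): area address of 1 to 13 octets starting with
    the AFI, then a 6-octet system ID, then a 1-octet NSEL. A router NET must end
    in 00; a malformed or non-zero NSEL is rejected instead of silently accepted.
    """
    if not re.fullmatch(r"[0-9A-Fa-f.]+", net):
        raise ValueError(f"NET {net!r} contains non-hex characters")
    hexstr = net.replace(".", "")
    if len(hexstr) % 2:
        raise ValueError(f"NET {net!r} does not contain whole octets")
    octets = bytes.fromhex(hexstr)
    if not 8 <= len(octets) <= 20:
        raise ValueError(f"NET {net!r} must be 8 to 20 octets, got {len(octets)}")
    if octets[-1] != 0:
        raise ValueError(f"NET {net!r}: last byte (NSEL) must be 00")
    area, system_id = octets[:-7], octets[-7:-1]
    area_hex = area.hex()
    sid_hex = system_id.hex().upper()
    return {
        "afi": area[0],
        # canonical dotted form: AFI alone, then two-octet groups
        "area": ".".join([area_hex[:2]] + [area_hex[i:i + 4] for i in range(2, len(area_hex), 4)]),
        "system_id": ".".join(sid_hex[i:i + 4] for i in range(0, 12, 4)),
        "nsel": octets[-1],
    }


def same_system_id(nets: Iterable[str]) -> bool:
    """True when every NET (e.g. several area addresses on one router) carries the same system ID."""
    return len({parse_net(n)["system_id"] for n in nets}) == 1
```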
Redistributing:
Distance: 115
Generate narrow metrics: level-1-2
Accept narrow metrics: level-1-2
Generate wide metrics: none
Accept wide metrics: none
DellEMC#
To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
Configuring IS-IS Graceful Restart
To enable IS-IS graceful restart globally, use the following commands. Additionally, you can implement optional commands to enable the graceful restart settings.
• Enable graceful restart on ISIS processes.
  ROUTER-ISIS mode
  graceful-restart ietf
• Configure the time during which the graceful restart attempt is prevented.
  ROUTER-ISIS mode
  graceful-restart interval minutes
  The range is from 1 to 120 minutes. The default is 5 minutes.
T1 Timeout Value        : 5, retry count: 1
Adjacency wait time     : 30
Operational Timer Value
======================
Current Mode/State      : Normal/RUNNING
T3 Time left            : 0
T2 Time left            : 0 (level-1), 0 (level-2)
Restart ACK rcv count   : 0 (level-1), 0 (level-2)
Restart Req rcv count   : 0 (level-1), 0 (level-2)
Suppress Adj rcv count  : 0 (level-1), 0 (level-2)
Restart CSNP rcv count  : 0 (level-1), 0 (level-2)
Database Sync count     : 0 (level-1), 0 (level-2)
Circuit GigabitEthernet 2/10:
Mode: Normal
L1-State:NORMAL,
  size: the range is from 128 to 9195. The default is 1497.
• Set the LSP refresh interval.
  ROUTER ISIS mode
  lsp-refresh-interval seconds
  seconds: the range is from 1 to 65535. The default is 900 seconds.
• Set the maximum LSP lifetime.
  ROUTER ISIS mode
  max-lsp-lifetime seconds
  seconds: the range is from 1 to 65535. The default is 1200 seconds.
To view the configuration, use the show config command in ROUTER ISIS mode or the show running-config isis command in EXEC Privilege mode.
The default is Level 1 and Level 2 (level-1–2).
To view which metric types are generated and received, use the show isis protocol command in EXEC Privilege mode. The IS-IS metric settings are in bold.
Example of Viewing IS-IS Metric Types
DellEMC#show isis protocol
IS-IS Router: 
  System Id: EEEE.EEEE.EEEE  IS-Type: level-1-2
  Manual area address(es):
    47.0004.004d.0001
  Routing for area address(es):
    21.2223.2425.2627.2829.3031.3233
    47.0004.004d.
Configuring the Distance of a Route
To configure the distance for a route, use the following command.
• Configure the distance for a route.
  ROUTER ISIS mode
  distance
Changing the IS-Type
To change the IS-type, use the following commands.
You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands.
• Configure IS-IS operating level for a router.
Distribute Routes Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes and routes must meet the conditions of the prefix lists or Dell EMC Networking OS does not install the route in the routing table. The prefix lists are globally applied on all interfaces running IS-IS. Configure the prefix list in PREFIX LIST mode prior to assigning it to the IS-IS process.
  distribute-list prefix-list-name out [bgp as-number | connected | ospf process-id | rip | static]
  You can configure one of the optional parameters:
  • connected: for directly connected routes.
  • ospf process-id: for OSPF routes only.
  • rip: for RIP routes only.
  • static: for user-configured routes.
  • bgp: for BGP routes only.
• Deny RTM download for pre-existing redistributed IPv6 routes.
  redistribute {bgp as-number | connected | rip | static} [level-1 | level-1-2 | level-2] [metric metric-value] [metric-type {external | internal}] [route-map map-name]
  Configure the following parameters:
  • level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
  • metric-value: the range is from 0 to 16777215. The default is 0.
  • metric-type: choose either external or internal. The default is internal.
  • map-name: enter the name of a configured route map.
  set-overload-bit
  This setting prevents other routers from using it as an intermediate hop in their shortest path first (SPF) calculations.
• Remove the overload bit.
  ROUTER ISIS mode
  no set-overload-bit
When the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2.
DellEMC#show isis database
IS-IS Level-1 Link State Database
LSPID              LSP Seq Num   LSP Checksum
B233.
Dell EMC Networking OS displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode. To disable a specific debug command, enter the keyword no then the debug command. For example, to disable debugging of IS-IS updates, use the no debug isis updates-packets command. To disable all IS-IS debugging, use the no debug isis command. To disable all debugging, use the undebug all command.
Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value metric value is displayed in the show config and show running-config commands and is used if you change back to transition metric style. NOTE: A truncated value is a value that is higher than 63, but set back to 63 because the higher value is not supported. wide narrow transition default value (10) if the original value is greater than 63. A message is sent to the console.
Beginning Metric Style Next Metric Style Resulting Metric Value Next Metric Style Final Metric Value wide transition truncated value narrow transition default value (10). A message is sent to the logging buffer transition Leaks from One Level to Another In the following scenarios, each IS-IS level is configured with a different metric style. Table 35.
You can configure IPv6 IS-IS routes in one of the following three different methods:
• Congruent Topology — You must configure both IPv4 and IPv6 addresses on the interface. Enable the ip router isis and ipv6 router isis commands on the interface. Enable the wide-metrics parameter in router isis configuration mode.
• Multi-topology — You must configure the IPv6 address. Configuring the IPv4 address is optional. You must enable the ipv6 router isis command on the interface.
DellEMC(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.00
 !
 address-family ipv6 unicast
  multi-topology
 exit-address-family
DellEMC(conf-router_isis)#
IS-IS Sample Configuration — Multi-topology Transition
DellEMC(conf-if-gi-3/17)#show config
!
interface GigabitEthernet 3/17
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
DellEMC(conf-if-gi-3/17)#
DellEMC(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
25 Link Aggregation Control Protocol (LACP) Introduction to Dynamic LAGs and LACP A link aggregation group (LAG), referred to as a port channel by Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. The benefits and constraints are basically the same, as described in Port Channel Interfaces in the Interfaces chapter.
• Passive — In this state, the interface is not in an active negotiating state, but LACP runs on the link. A port in Passive state also responds to negotiation requests (from ports in Active state). Ports in Passive state respond to LACP packets.
Dell EMC Networking OS supports LAGs in the following cases:
• A port in Active state can set up a port channel (LAG) with another port in Active state.
• A port in Active state can set up a LAG with another port in Passive state.
 switchport
DellEMC(conf)#interface port-channel 32
DellEMC(conf-if-po-32)#no shutdown
DellEMC(conf-if-po-32)#switchport
The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command on the LAG.
DellEMC(conf)#interface vlan 10
DellEMC(conf-if-vl-10)#tagged port-channel 32
Configuring the LAG Interfaces as Dynamic
After creating a LAG, configure the dynamic LAG interfaces. To configure the dynamic LAG interfaces, use the following command.
DellEMC# show lacp 32
Port-channel 32 admin up, oper up, mode lacp
Actor   System ID:  Priority 32768, Address 0001.e800.a12b
Partner System ID:  Priority 32768, Address 0001.e801.
Configuring Shared LAG State Tracking
To configure shared LAG state tracking, you configure a failover group.
NOTE: If a LAG interface is part of a redundant pair, you cannot use it as a member of a failover group created for shared LAG state tracking.
1. Enter port-channel failover group mode.
   CONFIGURATION mode
   port-channel failover-group
2. Create a failover group and specify the two port-channels that will be members of the group.
Members in this channel: Gi 1/17(U)
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:01:28
Queueing strategy: fifo
NOTE: The set of console messages shown above appear only if you configure shared LAG state tracking on that router (you can configure the feature on one or both sides of a link). For example, as previously shown, if you configured shared LAG state tracking on R2 only, no messages appear on R4 regarding the state of LAGs in a failover group.
Example of Viewing a LAG Port Configuration
Alpha#sh int GigabitEthernet 2/31
GigabitEthernet 2/31 is up, line protocol is up
Port is part of Port-channel 10
Hardware is DellEMCEth, address is 00:01:e8:06:95:c0
    Current address is 00:01:e8:06:95:c0
Interface Index is 109101113
Port will not be disabled on partial SFM failure
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 1000 Mbit, Mode full duplex, Slave
Flowcontrol rx on tx on
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "
Figure 57.
Figure 58.
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int gig 3/21
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-gi-3/21)#port-channel-protocol lacp
Bravo(conf-if-gi-3/21-lacp)#port-channel 10 mode active
Bravo(conf-if-gi-3/21-lacp)#no shut
Bravo(conf-if-gi-3/21)#end
!
interface GigabitEthernet 3/21
 no ip address
 !
 port-channel-
Figure 59.
Figure 60.
Figure 61. Inspecting the LAG Status Using the show lacp command
The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
26 Layer 2
Manage the MAC Address Table
You can perform the following management tasks in the MAC address table.
• Clearing the MAC Address Table
• Setting the Aging Time for Dynamic Entries
• Configuring a Static MAC Address
• Displaying the MAC Address Table
Clearing the MAC Address Table
You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
• Clear a MAC address table of dynamic entries.
Displaying the MAC Address Table
To display the MAC address table, use the following command.
• Display the contents of the MAC address table.
  EXEC Privilege mode
  show mac-address-table [address | aging-time [vlan vlan-id] | count | dynamic | interface | static | vlan]
  • address: displays the specified entry.
  • aging-time: displays the configured aging-time.
  • count: displays the number of dynamic and static entries for all VLANs, and the total number of entries.
• dynamic
• no-station-move
• station-move
NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations.
mac learning-limit Dynamic
The MAC address table is stored on the Layer 2 forwarding information base (FIB) region of the CAM. The Layer 2 FIB region allocates space for static MAC address entries and dynamic MAC address entries.
the violation only when you configure the mac learning-limit station-move-violation log, as shown in the following example.
NOTE: Alternatively, you can reset the interface by shutting it down using the shutdown command and then re-enabling it using the no shutdown command.
• Reset interfaces in the ERR_Disabled state caused by a learning limit violation or station move violation.
  EXEC Privilege mode
  mac learning-limit reset
• Reset interfaces in the ERR_Disabled state caused by a learning limit violation.
Figure 62. Redundant NICs with NIC Teaming When you use NIC teaming, consider that the server MAC address is originally learned on Port 0/1 of the switch (shown in the following) and Port 0/5 is the failover port. When the NIC fails, the system automatically sends an ARP request for the gateway or host NIC to resolve the ARP and refresh the egress interface.
Assign a backup interface to an interface using the switchport backup command. The backup interface remains in a Down state until the primary fails, at which point it transitions to Up state. If the primary interface fails, and later comes up, it becomes the backup interface for the redundant pair. Dell EMC Networking OS supports Gigabit, 10 Gigabit, and 40-Gigabit interfaces as backup interfaces.
• The active or backup interface can be a LAG, but it cannot be a member port of a LAG.
• The active and standby do not have to be of the same type (1G, 10G, and so on).
• You may not enable any Layer 2 protocol on any interface of a redundant pair or on ports connected to them.
As shown in the above illustration, interface 3/41 is a backup interface for 3/42, and 3/42 is in the Down state. If 3/41 fails, 3/42 transitions to the Up state, which makes the backup link active.
DellEMC#
DellEMC(conf-if-po-1)#switchport backup interface gigabitethernet 1/2
Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Gi 1/2
DellEMC(conf-if-po-1)#
Far-End Failure Detection
Far-end failure detection (FEFD) is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis.
4. If the FEFD enabled system is configured to use FEFD in Normal mode and neighboring echoes are not received after three intervals (you can set each interval between 3 and 300 seconds), the state changes to unknown.
5. If the FEFD system has been set to Aggressive mode and neighboring echoes are not received after three intervals, the state changes to Err-disabled.
To display information about the state of each interface, use the show fefd command in EXEC privilege mode. DellEMC#show fefd FEFD is globally 'ON', interval is 3 seconds, mode is 'Normal'.
• Display output whenever events occur that initiate or disrupt an FEFD enabled connection.
  EXEC Privilege mode
  debug fefd events
• Provide output for each packet transmission over the FEFD enabled connection.
27 Link Layer Discovery Protocol (LLDP) 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices. The collected information is stored in a management information base (MIB) on each device, and is accessible via simple network management protocol (SNMP).
Type  TLV       Description
—     Optional  Includes sub-types of TLVs that advertise specific configuration information. These sub-types are Management TLVs, IEEE 802.1, IEEE 802.3, and TIA-1057 Organizationally Specific TLVs.
Figure 67. LLDPDU Frame
Optional TLVs
The Dell EMC Networking OS supports these optional TLVs: management TLVs, IEEE 802.1 and 802.3 organizationally specific TLVs, and TIA-1057 organizationally specific TLVs.
Management TLVs
A management TLV is an optional TLV sub-type.
Type  TLV                  Description
7     System capabilities  Identifies the chassis as one or more of the following: repeater, bridge, WLAN Access Point, Router, Telephone, DOCSIS cable device, end station only, or other.
8     Management address   Indicates the network address of the management interface. Dell EMC Networking OS does not currently support this TLV.
127   Port-VLAN ID         On Dell EMC Networking systems, indicates the untagged VLAN to which a port belongs.
• manage inventory
• manage Power over Ethernet (PoE)
• identify physical location
• identify network policy
LLDP-MED is designed for, but not limited to, VoIP endpoints.
TIA Organizationally Specific TLVs
The Dell EMC Networking system is an LLDP-MED Network Connectivity Device (Device Type 4).
Type  SubType  TLV                     Description
127   10       Inventory — Model Name  Indicates the model of the LLDP-MED device.
127   11       Inventory — Asset ID    Indicates a user specified device number to manage inventory.
127   12–255   Reserved                —
LLDP-MED Capabilities TLV
The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
• VLAN tagged or untagged status
• Layer 2 priority
• DSCP value
An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED network policy TLV is generated for each application type that you specify with the Dell EMC Networking OS CLI (Advertising TLVs).
  through the CLI. Dell EMC Networking also honors the power priority value the powered device sends; however, the CLI configuration takes precedence.
• Power Value — Dell EMC Networking advertises the maximum amount of power that can be supplied on the port. By default the power is 15.4W, which corresponds to a power value of 130, based on the TIA-1057 specification. You can advertise a different power value using the max-milliwatts option with the power inline auto | static command.
Example of the protocol lldp Command (CONFIGURATION Level)
R1(conf)#protocol lldp
R1(conf-lldp)#?
advertise     Advertise TLVs
disable       Disable LLDP protocol globally
end           Exit from configuration mode
exit          Exit from LLDP configuration mode
hello         LLDP hello configuration
mode          LLDP mode configuration (default = rx and tx)
multiplier    LLDP multiplier configuration
no            Negate a command or set its defaults
show          Show LLDP configuration
DellEMC(conf-lldp)#exit
DellEMC(conf)#interface gigabitethernet 1/3
DellEMC(conf-if-gi
   management-interface
3. Enable LLDP.
   PROTOCOL LLDP mode
   no disable
Disabling and Undoing LLDP on Management Ports
To disable or undo LLDP on management ports, use the following command.
1. Enter Protocol LLDP mode.
   CONFIGURATION mode
   protocol lldp
2. Enter LLDP management-interface mode.
   LLDP-MANAGEMENT-INTERFACE mode
   management-interface
3. Enter the disable command.
   LLDP-MANAGEMENT-INTERFACE mode
To undo an LLDP management port configuration, precede the relevant command with the keyword no.
Figure 72. Configuring LLDP
Storing and Viewing Unrecognized LLDP TLVs
Dell EMC Networking OS provides support to store unrecognized (reserved and organizationally specific) LLDP TLVs. Support is also extended to retrieve the stored unrecognized TLVs using SNMP. When an incoming TLV from an LLDP neighbor is not recognized, the TLV is categorized as an unrecognized TLV. Unrecognized TLVs are categorized into two types:
1. Reserved unrecognized LLDP TLV
2.
Viewing Unrecognized LLDP TLVs
You can view or retrieve the stored unrecognized (reserved and organizational specific) TLVs using the show lldp neighbor details command. View all the LLDP TLV information including unrecognized TLVs, using the snmpwalk and snmpget commands.
Viewing the LLDP Configuration
To view the LLDP configuration, use the following command.
• Display the LLDP configuration.
  CONFIGURATION or INTERFACE mode
  show config
The following example shows viewing an LLDP global configuration.
Gi 1/1                        GigabitEthernet 1/5    00:01:e8:05:40:46
Gi 1/2                        GigabitEthernet 1/6    00:01:e8:05:40:46
Ma 1/1    swlab2-maa-tor-...  GigabitEthernet 1/3    d8:9e:f3:b2:61:20
DellEMC(conf-if-gi-1/3)#
The length of the LLDP neighbors (Remote host) name is truncated if it is above 15 characters.
Total TLVs Discarded: 16
Next packet will be sent after 9 seconds
The neighbors are given below:
----------------------------------------------------------------------
Remote Chassis ID Subtype: Mac address (4)
Remote Chassis ID: 00:00:00:00:00:01
Remote Port Subtype: Interface name (5)
Remote Port ID: TenGigabitEthernEt 1/40
Local Port ID: GigabitEthernet 1/1
Locally assigned remote Neighbor Index: 1
Remote TTL: 120
Information valid for next 44 seconds
Time since last information change of this neighbor: 0
Time since last information change of this neighbor: 00:01:39
UnknownTLVList:
OrgUnknownTLVList: ((00-01-66),127, 4) ((00-01-66),126, 4) ((00-01-66),125, 4) ((00-01-66),124, ((00-01-66),122, 4) ((00-01-66),121, 4) ((00-01-66),120, 4) ((00-01-66),119,
--------------------------------------------------------------------------
Remote Chassis ID Subtype: Mac address (4)
Remote Chassis ID: 4c:76:25:f4:ab:03
Remote Port Subtype: Interface name (5)
Remote Port ID: fortyGigE 1/2/8/1
Local Port ID: GigabitEthernet 1/
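An added example, not Dell EMC Networking OS code, of the TLV decoding behind the UnknownTLVList and OrgUnknownTLVList entries shown above: it parses a constructed LLDPDU, checks each 9-bit length against the remaining frame before reading a value, and reports reserved types (9 to 126) and organizationally specific TLVs whose OUI/subtype pair it does not know. The (OUI, subtype, length) tuple shape, the table of known OUI/subtype pairs and the sample frame are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ORG_SPECIFIC = 127               # organizationally specific TLV type (IEEE 802.1AB)
RESERVED_RANGE = range(9, 127)   # TLV types 9 to 126 are reserved by the standard

# (OUI, subtype) pairs this decoder recognizes; an assumed subset for the example.
KNOWN_ORG_SUBTYPES = {
    ("00-80-c2", 1): "IEEE 802.1 Port VLAN ID",
    ("00-12-0f", 1): "IEEE 802.3 MAC/PHY Configuration/Status",
    ("00-12-bb", 1): "TIA-1057 LLDP-MED Capabilities",
}


@dataclass
class TLV:
    tlv_type: int
    length: int
    value: bytes
    oui: Optional[str] = None        # filled in for type 127 only
    subtype: Optional[int] = None


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_org_tlv(oui: str, subtype: int, body: bytes) -> bytes:
    """Encode a type-127 TLV whose value starts with the 3-byte OUI and 1-byte subtype."""
    return build_tlv(ORG_SPECIFIC, bytes.fromhex(oui.replace("-", "")) + bytes([subtype]) + body)


def parse_lldpdu(payload: bytes) -> List[TLV]:
    """Decode the TLV chain of an LLDPDU (the Ethernet payload after EtherType 0x88CC).

    Each length is checked against the bytes that remain before the value is
    sliced, so a TLV that claims more data than the frame carries is rejected
    rather than read past the end of the buffer.
    """
    tlvs: List[TLV] = []
    off = 0
    while off + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, off)
        tlv_type, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(payload):
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes, only {len(payload) - off} remain")
        tlv = TLV(tlv_type, length, payload[off:off + length])
        off += length
        if tlv_type == ORG_SPECIFIC:
            if length < 4:
                raise ValueError("organizationally specific TLV shorter than OUI + subtype")
            tlv.oui = "-".join(f"{b:02x}" for b in tlv.value[:3])
            tlv.subtype = tlv.value[3]
        tlvs.append(tlv)
        if tlv_type == 0:            # End of LLDPDU: stop here, ignore any padding
            return tlvs
    raise ValueError("LLDPDU has no End-of-LLDPDU TLV")


def classify_unrecognized(tlvs: List[TLV]) -> Tuple[List[Tuple[int, int]], List[Tuple[str, int, int]]]:
    """Split unrecognized TLVs the way the switch output does: reserved types as
    (type, length); organizationally specific ones as (OUI, subtype, length)."""
    reserved, org_unknown = [], []
    for t in tlvs:
        if t.tlv_type in RESERVED_RANGE:
            reserved.append((t.tlv_type, t.length))
        elif t.tlv_type == ORG_SPECIFIC and (t.oui, t.subtype) not in KNOWN_ORG_SUBTYPES:
            org_unknown.append((t.oui, t.subtype, t.length))
    return reserved, org_unknown


def build_sample_lldpdu() -> bytes:
    """Constructed LLDPDU: mandatory TLVs, a known and an unknown org TLV, one reserved TLV."""
    return b"".join([
        build_tlv(1, b"\x04" + bytes.fromhex("000000000001")),   # Chassis ID, subtype 4 = MAC address
        build_tlv(2, b"\x05" + b"GigabitEthernet 1/1"),           # Port ID, subtype 5 = interface name
        build_tlv(3, struct.pack("!H", 120)),                     # TTL 120 seconds
        build_org_tlv("00-80-c2", 1, struct.pack("!H", 10)),      # known: Port VLAN ID 10
        build_org_tlv("00-01-66", 127, b"\x00\x00\x00\x00"),       # unknown OUI/subtype, 4-byte body
        build_tlv(100, b"\x01\x02\x03"),                          # reserved type 100
        build_tlv(0, b""),                                        # End of LLDPDU
    ])
```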
• CLI — Through the snmp-notification-interval CLI.
  Example: snmp-notification-interval [5–3600]
• SNMP — Through the snmpset command.
  Example: snmpset -c public -v2c 10.16.127.10 LLDP-MIB::lldpNotificationInterval.0 I 20
• REST API — Through configuring by REST API method.
Configuring Transmit and Receive Mode
After you enable LLDP, the system transmits and receives LLDPDUs by default. To configure the system to transmit or receive only and return to the default, use the following commands.
CONFIGURATION mode or INTERFACE mode.
Figure 73. The debug lldp detail Command — LLDPDU Packet Dissection Example of debug lldp Command Output with Unrecognized Reserved and Organizational Specific LLDP TLVs The following is an example of LLDPDU with both (Reserved and Organizational specific) unrecognized TLVs.
Table 43. LLDP Configuration MIB Objects
MIB Object Category  LLDP Variable  LLDP MIB Object              Description
LLDP Configuration   adminStatus    lldpPortConfigAdminStatus    Whether you enable the local LLDP agent for transmit, receive, or both.
                     msgTxHold      lldpMessageTxHoldMultiplier  Multiplier value.
                     msgTxInterval  lldpMessageTxInterval        Transmit Interval value.
                     rxInfoTTL      lldpRxInfoTTL                Time to live for received TLVs.
                     txInfoTTL      lldpTxInfoTTL                Time to live for transmitted TLVs.
TLV Type  TLV Name             TLV Variable                 System  LLDP MIB Object
                                                            Remote  lldpRemSysDesc
7         System Capabilities  system capabilities          Local   lldpLocSysCapSupported
                                                            Remote  lldpRemSysCapSupported
                               enabled capabilities         Local   lldpLocSysCapEnabled
                                                            Remote  lldpRemSysCapEnabled
8         Management Address   management address length    Local   lldpLocManAddrLen
                                                            Remote  lldpRemManAddrLen
                               management address subtype   Local   lldpLocManAddrSubtype
                                                            Remote
                               management address
                               interface numbering subtype
                               interface number
                               OID
Table 46.
TLV Sub-Type  TLV Name  TLV Variable    System  LLDP-MED MIB Object
                                                lldpXMedLocXPoEPDPowerSource
                                        Remote  lldpXMedRemXPoEPSEPowerSource
                                                lldpXMedRemXPoEPDPowerSource
                        Power Priority  Local   lldpXMedLocXPoEPDPowerPriority
                                                lldpXMedLocXPoEPSEPortPDPriority
                                        Remote  lldpXMedRemXPoEPSEPowerPriority
                                                lldpXMedRemXPoEPDPowerPriority
                        Power Value     Local   lldpXMedLocXPoEPSEPortPowerAv
                                                lldpXMedLocXPoEPDPowerReq
                                        Remote  lldpXMedRemXPoEPSEPowerAv
                                                lldpXMedRemXPoEPDPowerReq
28 Microsoft Network Load Balancing Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
• The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN.
• When a large volume of traffic is processed, the clustering performance might be impacted in a small way. This limitation is applicable to switches that perform unicast flooding in the software.
• The ip vlan-flooding command applies globally across the system and for all VLANs.
This setting causes the multicast MAC address to be mapped to the Cluster IP address for the NLB mode of operation of the switch.
NOTE: While configuring static ARP for the Cluster IP, provide any one of the interfaces that is used in the static multicast MAC configuration, where the Cluster host is connected. Because the switch accepts only one ARP-interface pair, if you configure static ARP with each egress interface, the switch overwrites the previous egress-interface configuration.
2.
29 Multicast Source Discovery Protocol (MSDP) Multicast source discovery protocol (MSDP) is supported on Dell EMC Networking OS. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 75.
Implementation Information
The Dell EMC Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446.

Configure Multicast Source Discovery Protocol
Configuring MSDP is a four-step process.
1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures. The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 76.
Figure 77.
Figure 78.
Figure 79. Configuring MSDP

Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1. Enable MSDP.
   CONFIGURATION mode
   ip multicast-msdp
2. Peer PIM systems in different administrative domains.
   CONFIGURATION mode
   ip msdp peer connect-source
R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
R3#show ip msdp peer
Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
Enabling the Rejected Source-Active Cache
To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error.
• Cache rejected sources.
  CONFIGURATION mode
  ip msdp cache-rejected-sa

Accept Source-Active Messages that Fail the RPF Check
A default peer is a peer from which active sources are accepted even though they fail the RPF check.
Figure 81.
Figure 82. MSDP Default Peer, Scenario 4

Specifying Source-Active Messages
To specify messages, use the following command.
• Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check.
  CONFIGURATION mode
  ip msdp default-peer ip-address list
If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
DellEMC(conf)#ip msdp peer 10.0.50.
3 rejected SAs received, cache-size 32766
UpTime    GroupAddr     SourceAddr    RPAddr       LearnedFrom  Reason
00:33:18  229.0.50.64   24.0.50.64    200.0.1.50   10.0.50.2    Rpf-Fail
00:33:18  229.0.50.65   24.0.50.65    200.0.1.50   10.0.50.2    Rpf-Fail
00:33:18  229.0.50.66   24.0.50.66    200.0.1.50   10.0.50.2    Rpf-Fail

Limiting the Source-Active Messages from a Peer
To limit the source-active messages from a peer, use the following commands.
1. OPTIONAL: Store sources that are received after the limit is reached in the rejected SA cache.
2. Prevent the system from caching remote sources learned from a specific peer based on source and group.
   CONFIGURATION mode
   ip msdp sa-filter list out peer list ext-acl
As shown in the following example, R1 is advertising source 10.11.4.2. It is already in the SA cache of R3 when an ingress SA filter is applied to R3. The entry remains in the SA cache until it expires and is not stored in the rejected SA cache.
[Router 3]
R3(conf)#do show run msdp
!
ip multicast-msdp
ip msdp peer 192.168.0.
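The admission rules this chapter describes (inbound (S,G) filter, RPF check, default peer with an optional RP list, SA limit, and the rejected-SA cache) can be traced through as a small model. The following Python is an added example, not Dell code or device behaviour; the peer addresses, ACL rules and every reason string except Rpf-Fail are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of MSDP SA-cache admission: inbound (S,G) filter, RPF check,
# default peer, SA limit, rejected-SA cache. Reason strings other than "Rpf-Fail"
# are labels invented for this example, not device output.


@dataclass
class SAMessage:
    source: str        # multicast source advertised in the SA
    group: str         # multicast group
    rp: str            # originating RP
    learned_from: str  # MSDP peer that delivered the SA


@dataclass(frozen=True)
class AclRule:
    action: str   # "permit" or "deny"
    source: str   # source prefix, e.g. "10.11.4.0/24"
    group: str    # group prefix, e.g. "224.0.0.0/4"


def acl_permits(acl, source, group):
    """First-match extended ACL with the implicit deny at the end."""
    s, g = ipaddress.ip_address(source), ipaddress.ip_address(group)
    for rule in acl:
        if s in ipaddress.ip_network(rule.source) and g in ipaddress.ip_network(rule.group):
            return rule.action == "permit"
    return False


@dataclass
class MsdpRouter:
    # originating RP -> peer from which SAs for that RP must arrive (the RPF peer);
    # an RP missing from this table has no route back to it
    rpf_peer: dict
    sa_limit: int = 32766                    # cache-size as in the rejected-SA output above
    default_peer: Optional[str] = None       # ip msdp default-peer ip-address [list]
    default_peer_rps: Optional[list] = None  # RP prefixes the list permits; None = all RPs
    in_filters: dict = field(default_factory=dict)  # peer -> inbound (S,G) ACL
    cache_rejected: bool = False             # ip msdp cache-rejected-sa
    sa_cache: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def _reject(self, sa, reason):
        if self.cache_rejected:
            self.rejected.append((sa, reason))
        return reason

    def _rpf_exempt(self, sa):
        """SAs from the default peer skip the RPF check, for all RPs or only listed ones."""
        if sa.learned_from != self.default_peer:
            return False
        if self.default_peer_rps is None:
            return True
        rp = ipaddress.ip_address(sa.rp)
        return any(rp in ipaddress.ip_network(p) for p in self.default_peer_rps)

    def receive_sa(self, sa):
        acl = self.in_filters.get(sa.learned_from)
        if acl is not None and not acl_permits(acl, sa.source, sa.group):
            return self._reject(sa, "Filtered")
        if not self._rpf_exempt(sa):
            expected = self.rpf_peer.get(sa.rp)
            if expected is None:
                return self._reject(sa, "Rp-Unreachable")
            if expected != sa.learned_from:
                return self._reject(sa, "Rpf-Fail")
        if len(self.sa_cache) >= self.sa_limit:
            return self._reject(sa, "Sa-Limit")
        self.sa_cache.append(sa)
        return "Accepted"


def demo():
    """Walk the scenarios on constructed data; returns the decision for each step."""
    sa = SAMessage("24.0.50.64", "229.0.50.64", "200.0.1.50", "10.0.50.2")
    # RP 200.0.1.50 is reachable via 192.168.0.1, so an SA arriving from 10.0.50.2 fails RPF
    r3 = MsdpRouter(rpf_peer={"200.0.1.50": "192.168.0.1"}, cache_rejected=True, sa_limit=2)
    results = {"rpf": r3.receive_sa(sa)}
    # Declaring 10.0.50.2 the default peer for this RP's prefix lets the same SA through
    r3.default_peer, r3.default_peer_rps = "10.0.50.2", ["200.0.1.0/24"]
    results["default_peer"] = r3.receive_sa(sa)
    results["second"] = r3.receive_sa(SAMessage("24.0.50.65", "229.0.50.65", "200.0.1.50", "10.0.50.2"))
    results["limit"] = r3.receive_sa(SAMessage("24.0.50.66", "229.0.50.66", "200.0.1.50", "10.0.50.2"))
    # An inbound (S,G) filter denying 10.11.4.2 rejects it before any other check
    r3.in_filters["192.168.0.1"] = [AclRule("deny", "10.11.4.2/32", "224.0.0.0/4")]
    results["filtered"] = r3.receive_sa(SAMessage("10.11.4.2", "239.1.1.1", "192.168.0.1", "192.168.0.1"))
    results["rejected_cached"] = len(r3.rejected)
    return results
```

Running demo() shows the same SA being rejected with Rpf-Fail and then accepted once its sender is the default peer, which is exactly the trade-off to weigh before configuring a default peer: every SA from that peer for the listed RPs bypasses the RPF check.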
To display the configured SA filters for a peer, use the show ip msdp peer command from EXEC Privilege mode.

Logging Changes in Peership States
To log changes in peership states, use the following command.
• Log peership state changes.
  CONFIGURATION mode
  ip msdp log-adjacency-changes

Terminating a Peership
MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639.
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1 Local Addr: 0.0.0.0(0) Connect Source: Lo 0
State: Inactive Up/Down Time: 00:00:04
Timers: KeepAlive 30 sec, Hold time 75 sec
SourceActive packet count (in/out): 0/0
SAs learned from this peer: 0
SA Filtering:
Input (S,G) filter: myremotefilter
Output (S,G) filter: none

Debugging MSDP
To debug MSDP, use the following command.
• Display the information exchanged between peers.
Figure 83. MSDP with Anycast RP

Configuring Anycast RP
To configure anycast RP, use the following commands.
1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address.
   CONFIGURATION mode
   interface loopback
2. Make this address the RP for the group.
   CONFIGURATION mode
   ip pim rp-address
3.
network

Reducing Source-Active Message Flooding
RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RPF rule. You can prevent this unnecessary flooding by creating a mesh-group. A mesh in this context is a topology in which each RP in a set of RPs has a peership with all other RPs in the set.
The following example shows an R2 configuration for MSDP with Anycast RP.
ip multicast-routing
!
interface GigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface GigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface GigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
interface Loopback 1
 ip address 192.168.0.
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.22 remote-as 100
 neighbor 192.168.0.22 ebgp-multihop 255
 neighbor 192.168.0.22 update-source Loopback 0
 neighbor 192.168.0.22 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.11 connect-source Loopback 0
ip msdp peer 192.168.0.22 connect-source Loopback 0
ip msdp sa-filter out 192.168.0.22
!
ip route 192.168.0.1/32 10.11.0.
!
interface GigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface GigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.2/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 100
!
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.3 remote-as 200
 neighbor 192.168.0.
!
ip route 192.168.0.2/32 10.11.0.23

MSDP Sample Configuration: R4 Running-Config
ip multicast-routing
!
interface GigabitEthernet 4/1
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
!
interface GigabitEthernet 4/22
 ip address 10.10.42.1/24
 no shutdown
!
interface GigabitEthernet 4/31
 ip pim sparse-mode
 ip address 10.11.6.43/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.4/32
 no shutdown
!
router ospf 1
 network 10.11.5.0/24 area 0
 network 10.11.6.0/24 area 0
 network 192.168.0.
30 Multicast Listener Discovery Protocol Dell Networking OS Supports Multicast Listener Discovery (MLD) protocol. Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
Destination Address field). To avoid duplicate reporting, any host that hears a report from another host for the same group in which it itself is interested cancels its report for that group. A host does not have to wait for a General Query to join a group. If a host wants to become a member of a group for which the router is not currently forwarding traffic, it should send an unsolicited report.
[Packet format diagram: Source Address [1] through Source Address [N] fields]
Version 2 multicast listener reports are sent by IP nodes to report (to neighboring routers) the current multicast listening state, or changes in the multicast listening state, of their interfaces.
[Packet format diagram: Multicast Address Record with Source Address [1] through Source Address [N] fields followed by Auxiliary Data]
INTERFACE mode
ipv6 mld version {1 | 2}
If you do not configure the MLD version, the system defaults to version 2. The ipv6 mld version command is applicable for MLD snooping-enabled interfaces.

Clearing MLD groups
Clear a specific group or all groups on an interface from the multicast routing table. To clear MLD groups, use the following command:
EXEC Privilege
clear ipv6 mld groups

Debugging MLD
Display Dell Networking OS messages about the MLD process.
Group Address Ff08::12 Interface Vlan 10 Mode MLDv2 Uptime 00:00:12 Expires 00:02:05 Displaying MLD Interfaces Display MLD interfaces.
31 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview MSTP — specified in IEEE 802.
• Modifying the Interface Parameters
• Setting STP path cost as constant
• Configuring an EdgePort
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations

Spanning Tree Variations
The Dell EMC Networking OS supports four variations of spanning tree, as shown in the following table.
Table 47. Spanning Tree Variations
Dell EMC Networking Term              IEEE Specification
Spanning Tree Protocol (STP)          802.1d
Rapid Spanning Tree Protocol (RSTP)   802.
Enable Multiple Spanning Tree Globally
MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0.
• Within an MSTI, only one path from any bridge to any other bridge is enabled.
• Bridges block a redundant path by disabling one of the link ports.
1. Enter PROTOCOL MSTP mode.
   CONFIGURATION mode
   protocol spanning-tree mstp
2. Enable MSTP.
To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
DellEMC(conf-mstp)#name my-mstp-region
DellEMC(conf-mstp)#exit
DellEMC(conf)#do show spanning-tree mst config
MST region name: my-mstp-region
Revision: 0
MSTI  VID
 1    100
 2    200-300
To view the forwarding/discarding state of the ports participating in an MSTI, use the show spanning-tree msti command from EXEC Privilege mode.
no disable
MSTI 1 VLAN 100
MSTI 2 VLAN 200,300
MSTI 2 bridge-priority 0

Interoperate with Non-Dell Bridges
Dell EMC Networking OS supports only one MSTP region. A region is a combination of three unique qualities:
• Name is a mnemonic string you assign to the region. The default region name is null.
• Revision is a 2-byte number. The default revision number is 0.
• VLAN-to-instance mapping is the placement of a VLAN in an MSTI.
forward-delay seconds
The range is from 4 to 30. The default is 15 seconds.
2. Change the hello-time parameter.
   PROTOCOL MSTP mode
   hello-time seconds
   NOTE: With large configurations (especially those configurations with more ports) Dell EMC Networking recommends increasing the hello-time.
   The range is from 1 to 10. The default is 2 seconds.
3. Change the max-age parameter.
   PROTOCOL MSTP mode
   max-age seconds
   The range is from 6 to 40. The default is 20 seconds.
4. Change the max-hops parameter.
Port Cost                                          Default Value
100-Gigabit Ethernet interfaces                    200
Port Channel with 100 Mb/s Ethernet interfaces     100000
Port Channel with 1-Gigabit Ethernet interfaces    10000
Port Channel with 10-Gigabit Ethernet interfaces   1000
Port Channel with 25-Gigabit Ethernet interfaces   400
Port Channel with 50-Gigabit Ethernet interfaces   200
Port Channel with 100-Gigabit Ethernet interfaces  100
To change the port cost or priority of an interface, use the following commands.
1.
Dell EMC Networking OS Behavior: Regarding bpduguard shutdown-on-violation behavior:
• If the interface to be shut down is a port channel, all the member ports are disabled in the hardware.
• When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware.
Figure 85. MSTP with Three VLANs Mapped to Two Spanning Tree Instances

Router 1 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
Router 2 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged GigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 200
 no ip address
 tagged GigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 300
 no ip address
 tagged GigabitEthernet 3/11,21
 no shutdown

SFTOS Example Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3.
Debugging and Verifying MSTP Configurations
To debug and verify MSTP configuration, use the following commands.
• Display BPDUs.
  EXEC Privilege mode
  debug spanning-tree mstp bpdu
• Display MSTP-triggered topology change messages.
  debug spanning-tree mstp events
To ensure all the necessary parameters match (region name, region version, and VLAN to instance mapping), examine your individual routers. To show various portions of the MSTP configuration, use the show spanning-tree mst commands.
Name: Tahiti, Rev: 123 (MSTP region name and revision), Int Root Path Cost: 0 Rem Hops: 19, Bridge Id: 32768:0001.e8d5.cbbd 4w0d4h : INST 1 (MSTP Instance): Flags: 0x78, Reg Root: 32768:0001.e806.953e, Int Root Cost: 0 Brg/Port Prio: 32768/128, Rem Hops: 19 INST 2 (MSTP Instance): Flags: 0x78, Reg Root: 32768:0001.e806.
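The three values that must match for bridges to share a region (name, revision, VLAN-to-instance mapping) are what a bridge carries in the MST Configuration Identifier of its BPDUs, with the mapping condensed into an HMAC-MD5 digest over the whole 4096-entry VID-to-MSTI table. The following Python is an added example, not Dell code: it builds that digest with the key published in IEEE 802.1Q and compares two constructed bridge configurations, showing that the mappings MSTI 2 VLAN 200-300 and MSTI 2 VLAN 200,300 (both of which appear in this chapter) produce different digests and therefore separate regions even when name and revision agree.

```python
import hashlib
import hmac

# Key specified by IEEE 802.1Q for the MST Configuration Digest (a published constant).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
# Digest of the default table (every VID in MSTI 0), as displayed by most vendors.
DEFAULT_DIGEST = "AC36177F50283CD4B83821D8AB26DE62"


def vlan_to_msti_table(mappings):
    """Build the 4096-entry VID -> MSTID table from {msti: [vid, (lo, hi), ...]}.
    VIDs not listed stay in MSTI 0, the CIST."""
    table = [0] * 4096
    for msti, vids in mappings.items():
        for v in vids:
            lo, hi = (v, v) if isinstance(v, int) else v
            for vid in range(lo, hi + 1):
                table[vid] = msti
    return table


def mst_config_digest(table):
    """HMAC-MD5 over the table as 4096 big-endian 16-bit MSTIDs, keyed with MST_DIGEST_KEY."""
    data = b"".join(msti.to_bytes(2, "big") for msti in table)
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).hexdigest().upper()


def mst_config_id(name, revision, mappings):
    """The three values a bridge advertises in its BPDUs: name, revision, digest."""
    return (name, revision, mst_config_digest(vlan_to_msti_table(mappings)))


def same_region(bridge_a, bridge_b):
    """Two bridges belong to one region only if all three values match."""
    return mst_config_id(*bridge_a) == mst_config_id(*bridge_b)


def demo():
    # Bridges configured as in the example: name my-mstp-region, revision 0,
    # MSTI 1 VLAN 100, MSTI 2 VLAN 200-300 (constructed configurations)
    r1 = ("my-mstp-region", 0, {1: [100], 2: [(200, 300)]})
    r2 = ("my-mstp-region", 0, {1: [100], 2: [(200, 300)]})
    # A peer mapping only VLANs 200 and 300 (MSTI 2 VLAN 200,300): same name and
    # revision, but the digest differs, so it forms a separate region
    r3 = ("my-mstp-region", 0, {1: [100], 2: [200, 300]})
    r4 = ("my-mstp-region", 1, {1: [100], 2: [(200, 300)]})  # revision mismatch only
    return {
        "r1_r2": same_region(r1, r2),
        "r1_r3": same_region(r1, r3),
        "r1_r4": same_region(r1, r4),
        "r1_digest": mst_config_id(*r1)[2],
    }
```

When a show command on a non-Dell bridge prints a configuration digest, comparing it against the value this code computes for the intended mapping is a quick way to spot a VLAN-range mismatch that name and revision alone would hide.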
32 Multicast Features NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6. NOTE: Multicast routing is supported across default and non-default virtual routing and forwarding (VRFs).
• If you enable multicast routing, egress Layer 3 ACL is not applied to multicast data traffic.
• Multicast traffic can be forwarded to a maximum of 15 VLANs with the same outgoing interface.
Dell EMC Networking OS does not support multicast routing in the following VLT scenarios:
• In a VLT enabled PIM router, multicast routing is not supported when there are multiple PIM spanned paths to reach source or RP.
Preventing a Host from Joining a Group You can prevent a host from joining a particular group by blocking specific IGMP reports using an extended access list containing the permissible source-group pairs. NOTE: For rules in IGMP access lists, source is the multicast source, not the source of the IGMP packet. For IGMPv2, use the keyword any for source (as shown in the following example) because the IGMPv2 hosts do not know in advance who the source is for the group in which they are interested.
Figure 86. Preventing a Host from Joining a Group
The following table lists the location and description shown in the previous illustration.
Table 49. Preventing a Host from Joining a Group — Description
Location  Description
1/21      • Interface GigabitEthernet 1/21
          • ip pim sparse-mode
          • ip address 10.11.12.1/24
          • no shutdown
1/31      • Interface GigabitEthernet 1/31
          • ip pim sparse-mode
          • ip address 10.11.13.1/24
          • no shutdown
2/1       • Interface GigabitEthernet 2/1
          • ip pim sparse-mode
          • ip address 10.
Location  Description
2/11      • Interface GigabitEthernet 2/11
          • ip pim sparse-mode
          • ip address 10.11.12.2/24
          • no shutdown
2/31      • Interface GigabitEthernet 2/31
          • ip pim sparse-mode
          • ip address 10.11.23.1/24
          • no shutdown
3/1       • Interface GigabitEthernet 3/1
          • ip pim sparse-mode
          • ip address 10.11.5.1/24
          • no shutdown
3/11      • Interface GigabitEthernet 3/11
          • ip pim sparse-mode
          • ip address 10.11.13.2/24
          • no shutdown
3/21      • Interface GigabitEthernet 3/21
          • ip pim sparse-mode
          • ip address 10.
interfaces are listed. R2 has no filter, so it is allowed to forward both groups. As a result, Receiver 1 receives only one transmission, while Receiver 2 receives duplicate transmissions. Figure 87. Preventing a Source from Transmitting to a Group The following table lists the location and description shown in the previous illustration. Table 50.
Location  Description
          • ip address 10.11.1.1/24
          • no shutdown
2/11      • Interface GigabitEthernet 2/11
          • ip pim sparse-mode
          • ip address 10.11.12.2/24
          • no shutdown
2/31      • Interface GigabitEthernet 2/31
          • ip pim sparse-mode
          • ip address 10.11.23.1/24
          • no shutdown
3/1       • Interface GigabitEthernet 3/1
          • ip pim sparse-mode
          • ip address 10.11.5.1/24
          • no shutdown
3/11      • Interface GigabitEthernet 3/11
          • ip pim sparse-mode
          • ip address 10.11.13.
Understanding Multicast Traceroute (mtrace)
Multicast Traceroute (mtrace) is a multicast diagnostic facility used for tracing multicast paths. Mtrace enables you to trace the path that a multicast packet takes from its source to the destination. When you initiate mtrace from a source to a destination, an mtrace Query packet with IGMP type 0x1F is sent to the last-hop multicast router for the given destination. The mtrace query packet is forwarded hop-by-hop until it reaches the last-hop router.
To print the network path, use the following command. • Print the network path that a multicast packet takes from a multicast source to receiver, for a particular group.
Command Output Description
-4 103.103.103.3 --> Source
• (PIM) Multicast protocol used at the node to retrieve the information
• (Reached RP/Core) Forwarding code in mtrace to denote that RP node is reached
• (103.103.103.0/24) Source network and mask. In case (*G) tree is used, this field will have the value as (shared tree).
Scenario
Output
----------------------------------------------------------------
|Hop| OIF IP          |Proto| Forwarding Code | Source Network/Mask |
----------------------------------------------------------------
 0  1.1.1.1 --> Destination
-1  1.1.1.1          PIM   Reached RP/Core   103.103.103.0/24
-2  101.101.101.102  PIM                     103.103.103.0/24
-3  2.2.2.1          PIM                     103.103.103.0/24
-4  103.103.103.
Scenario
Output
From source (?) to destination (?)
----------------------------------------------------------------
|Hop| OIF IP          |Proto| Forwarding Code | Source Network/Mask |
----------------------------------------------------------------
 0  1.1.1.1 --> Destination
-1  1.1.1.1          PIM                     103.103.103.0/24
-2  101.101.101.102  PIM                     103.103.103.0/24
-3  2.2.2.1          PIM                     103.103.103.0/24
-4  103.103.103.
Scenario command output, the entry for that node in the Source Network/Mask column displays the value as default. If a multicast tree is not formed due to a configuration issue (for example, PIM is not enabled on one of the interfaces on the path), you can invoke a weak mtrace to identify the location in the network where the error has originated.
Scenario
mtrace request. The following message appears when the system performs a hop-by-hop search: “switching to hop-by-hop:”
Output
----------------------------------------------------------------
|Hop| OIF IP          |Proto| Forwarding Code | Source Network/Mask |
----------------------------------------------------------------
 0  1.1.1.1 --> Destination
-1  1.1.1.1          PIM                     99.99.0.0/16
-2  101.101.101.102  PIM                     99.99.0.0/16
-3  2.2.2.1          PIM                     99.99.0.
Scenario
Output
-146  17.17.17.17  PIM  No space in packet  99.99.0.0/16
-----------------------------------------------------------------
In a valid scenario, mtrace request packets are expected to be received on the OIF of the node. However, due to incorrect formation of the multicast tree, the packet may be received on a wrong interface. In such a scenario, a corresponding error message is displayed.
R1>mtrace 6.6.6.6 4.4.4.5
Type Ctrl-C to abort.
Querying reverse path for source 6.6.6.6 to destination 4.
33 Multicast Listener Discovery Protocol Dell Networking OS Supports Multicast Listener Discovery (MLD) protocol. Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
To clear MLD groups, use the following command:
EXEC Privilege
clear ipv6 mld groups

Debugging MLD
Display Dell Networking OS messages about the MLD process. To display debugging messages, use the following command:
EXEC Privilege
debug ipv6 mld

Explicit Tracking
If the Querier does not receive a response to a Multicast-Address-Specific Query, it sends another. Then, after no response, it removes the group entry from the group membership table.
show ipv6 mld interface vlan 20
Dell#show ipv6 mld interface vlan 20
Vlan 20 is up, line protocol is up
  Inbound MLD access group is not set
  Internet address is fe80::92b1:1cff:fef4:9b63/64
  MLD is enabled on interface
  MLD query interval is 60 seconds
  MLD querier timeout is 125 seconds
  MLD max query response time is 10 seconds
  MLD last member query response interval is 1000 ms
  MLD immediate-leave is enabled for all groups
  MLD activity: 0 joins
  MLD querying router is 35::1 (this system)
  MLD version is 2
  MLD S
Specify port as connected to multicast router
To statically specify or view a port in a VLAN, use the following commands:
1. Statically specify a port in a VLAN as connected to a multicast router.
   INTERFACE VLAN mode
   ipv6 mld snooping mrouter
2. View the ports that are connected to multicast routers.
   EXEC Privilege mode
   show ipv6 mld snooping mrouter

Enable Snooping Explicit Tracking
The switch can be a querier, and therefore also has an option of updating the group table through explicit-tracking.
34 Object Tracking IPv4 or IPv6 object tracking is available on Dell EMC Networking OS. Object tracking allows the Dell EMC Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell EMC Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 88. Object Tracking Example
When you configure a tracked object, such as an IPv4/IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
• UP and DOWN thresholds used to report changes in a route metric.
• A time delay before changes in a tracked object’s state are reported to a client.

Track Layer 2 Interfaces
You can create an object to track the line-protocol state of a Layer 2 interface.
A tracked route matches a route in the routing table only if the exact address and prefix length match an entry in the routing table. For example, when configured as a tracked route, 10.0.0.0/24 does not match the routing table entry 10.0.0.0/8. If no route-table entry has the exact address and prefix length, the tracked route is considered to be DOWN.
VRRP Object Tracking As a client, VRRP can track up to 20 objects (including route entries, and Layer 2 and Layer 3 interfaces) in addition to the 12 tracked interfaces supported for each VRRP group. You can assign a unique priority-cost value from 1 to 254 to each tracked VRRP object or group interface. The priority cost is subtracted from the VRRP group priority if a tracked VRRP object is in a DOWN state.
Track 100
  Interface GigabitEthernet 1/1 line-protocol
  Description: San Jose data center

Tracking a Layer 3 Interface
You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface. You can track the routing status of any of the following Layer 3 interfaces:
• For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
The following is an example of configuring object tracking for an IPv6 interface:
DellEMC(conf)#track 103 interface gigabitethernet 1/11 ipv6 routing
DellEMC(conf-track-103)#description Austin access point
DellEMC(conf-track-103)#end
DellEMC#show track 103
Track 103
  Interface GigabitEthernet 7/11 ipv6 routing
  Description: Austin access point

Track an IPv4/IPv6 Route
You can create an object that tracks the reachability or metric of an IPv4 or IPv6 route.
CONFIGURATION mode
track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} reachability [vrf vrf-name]
Valid object IDs are from 1 to 500. Enter an IPv4 address in dotted decimal format; valid IPv4 prefix lengths are from /0 to /32. Enter an IPv6 address in X:X:X:X::X format; valid IPv6 prefix lengths are from /0 to /128. (Optional) E-Series only: For an IPv4 route, you can enter a VRF name to specify the virtual routing table to which the tracked route belongs.
2.
To change the refresh interval for tracking an IPv4 or IPv6 route, use the following command. Change the reachability refresh interval for tracking of an IPv4 or IPv6 route. CONFIGURATION mode track reachability refresh interval The refresh interval range is from 0 to 60 seconds. The default is 60 seconds.
The following example configures object tracking on the metric threshold of an IPv4 route:
DellEMC(conf)#track 6 ip route 2.1.1.0/24 metric threshold
DellEMC(conf-track-6)#delay down 20
DellEMC(conf-track-6)#delay up 20
DellEMC(conf-track-6)#description track ip route metric
DellEMC(conf-track-6)#threshold metric down 40
DellEMC(conf-track-6)#threshold metric up 40
DellEMC(conf-track-6)#exit
DellEMC(conf)#track 10 ip route 3.1.1.
Example of the show track brief Command
Router# show track brief
ResId  Resource               Parameter      State  LastChange
1      IP route reachability  10.16.0.0/16
Example of the show track resolution Command
DellEMC#show track resolution
IP Route Resolution
  ISIS 1
  OSPF 1
IPv6 Route Resolution
  ISIS 1
Example of the show track vrf Command
DellEMC#show track vrf red
Track 5
  IP route 192.168.0.
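The behaviours this chapter states for tracked routes (exact address and prefix-length match, metric UP/DOWN thresholds, the delay before a state change is reported) and for VRRP priority cost can be checked against a small model. The following Python is an added example, not Dell code: the routing table is constructed, the threshold comparisons (UP at or below the UP threshold, DOWN at or above the DOWN threshold, hold between them) and the clamp of the VRRP priority at 1 are assumptions of this model, and it reproduces the track 6 configuration shown above as its scenario.

```python
import ipaddress

# Constructed routing table: prefix -> metric (not a device's actual table).
ROUTING_TABLE = {"10.0.0.0/8": 20, "2.1.1.0/24": 30, "3.1.1.0/24": 50}


def lookup_exact(routing_table, prefix):
    """A tracked route matches only an entry with the same address and prefix length,
    so 10.0.0.0/24 does not match 10.0.0.0/8. Returns the metric, or None."""
    wanted = ipaddress.ip_network(prefix)
    for entry, metric in routing_table.items():
        if ipaddress.ip_network(entry) == wanted:
            return metric
    return None


class TrackedRoute:
    """Model of `track <id> ip route <prefix> reachability|metric threshold` with
    `threshold metric up/down` and `delay up/down`. Constructed; the threshold
    comparisons in _target are an assumption about how the thresholds apply."""

    def __init__(self, object_id, prefix, mode="reachability",
                 threshold_up=None, threshold_down=None, delay_up=0, delay_down=0):
        self.object_id, self.prefix, self.mode = object_id, prefix, mode
        self.threshold_up, self.threshold_down = threshold_up, threshold_down
        self.delay = {"UP": delay_up, "DOWN": delay_down}
        self.state = "DOWN"
        self.pending = None  # [target_state, seconds_left] while a delay timer runs

    def _target(self, routing_table):
        metric = lookup_exact(routing_table, self.prefix)
        if metric is None:                  # no exact entry: the route is DOWN
            return "DOWN"
        if self.mode == "reachability":
            return "UP"
        if metric <= self.threshold_up:     # at or below the UP threshold
            return "UP"
        if metric >= self.threshold_down:   # at or above the DOWN threshold
            return "DOWN"
        return self.state                   # between thresholds: keep current state

    def refresh(self, routing_table, elapsed=0):
        """Re-evaluate `elapsed` seconds after the previous refresh; a state change is
        reported only once its delay timer has run out."""
        target = self._target(routing_table)
        if target == self.state:
            self.pending = None             # condition cleared before the delay expired
            return self.state
        if self.pending is None or self.pending[0] != target:
            self.pending = [target, self.delay[target]]   # start the delay timer
        else:
            self.pending[1] -= elapsed
        if self.pending[1] <= 0:
            self.state, self.pending = target, None
        return self.state


def vrrp_effective_priority(base_priority, tracked_objects):
    """Each tracked object in DOWN state subtracts its priority-cost (1 to 254) from
    the VRRP group priority. Clamping the result at 1 is an assumption of this model."""
    penalty = sum(cost for state, cost in tracked_objects if state == "DOWN")
    return max(1, base_priority - penalty)


def demo():
    table = dict(ROUTING_TABLE)
    # track 6 ip route 2.1.1.0/24 metric threshold, thresholds 40/40, delays 20/20
    t6 = TrackedRoute(6, "2.1.1.0/24", "metric", 40, 40, delay_up=20, delay_down=20)
    out = {"first_eval": t6.refresh(table)}            # still DOWN: delay-up timer started
    out["after_20s"] = t6.refresh(table, elapsed=20)   # timer expired: reported UP
    table["2.1.1.0/24"] = 50                           # metric rises above the DOWN threshold
    out["down_detected"] = t6.refresh(table)           # still UP: delay-down timer started
    out["down_after_10s"] = t6.refresh(table, elapsed=10)
    out["down_after_20s"] = t6.refresh(table, elapsed=10)
    # track 10 ip route 10.0.0.0/24 reachability: only 10.0.0.0/8 exists, so DOWN
    t10 = TrackedRoute(10, "10.0.0.0/24")
    out["no_exact_match"] = t10.refresh(table)
    out["vrrp_priority"] = vrrp_effective_priority(
        100, [(t6.state, 20), (t10.state, 30), ("UP", 50)])
    return out
```

The delay handling is the part worth studying: a tracked object whose condition flaps back within the delay window never reports a change, which is what keeps VRRP from failing over on a transient route withdrawal.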
35 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell EMC Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell EMC Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 89. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers. NOTE: If you configure two non-backbone areas, then you must enable the B bit in OSPF.
Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
• • • • • (for example, the ASBR where the Type 5 advertisement originated. The link-state ID for Type 4 LSAs is the router ID of the described ASBR). Type 5: LSA — These LSAs contain information imported into OSPF from other routing processes. They are flooded to all areas, except stub areas. The link-state ID of the Type 5 LSA is the external network number.
Figure 91. Priority and Cost Examples OSPF with Dell EMC Networking OS The Dell EMC Networking OS supports up to 16,000 OSPF routes for OSPFv2. Dell EMC Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell EMC Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell EMC Networking OS supports only one OSPFv3 process per VRF. OSPFv2 and OSPFv3 can co-exist but you must configure them individually.
RPM have been downloaded into the forwarding information base (FIB) on the line cards (the data plane) and are still resident. For packets that have existing FIB/CAM entries, forwarding between ingress and egress ports/VLANs, and so on, can continue uninterrupted while the control plane OSPF process comes back to full functionality and rebuilds its routing tables.
Processing SNMP and Sending SNMP Traps
Only the process in default vrf can process the SNMP requests and send SNMP traps.
NOTE: An SNMP GET request for the OspfNbrOption field in the OspfNbrTable returns a value of 66.

OSPF ACK Packing
The OSPF ACK packing feature bundles multiple LS acknowledgements in a single packet, significantly reducing the number of ACK packets transmitted when the number of LSAs increases.
NOTE: By default, OSPF is disabled. Configuration Task List for OSPFv2 (OSPF for IPv4) You can perform the following tasks to configure Open Shortest Path First version 2 (OSPF for IPv4) on the switch. Two of the tasks are mandatory; others are optional.
If you are using a Loopback interface, refer to Loopback Interfaces.
2. Enable the interface.
   CONFIG-INTERFACE mode
   no shutdown
3. Return to CONFIGURATION mode to enable the OSPFv2 process globally.
   CONFIGURATION mode
   router ospf process-id [vrf {vrf name}]
   • vrf name: enter the keyword VRF and the instance name to tie the OSPF instance to the VRF. All network commands under this OSPF instance are later tied to the VRF instance.
   The range is from 0 to 65535.
You can assign the area in the following step by a number or with an IP interface address.
• Enable OSPFv2 on an interface and assign a network address range to a specific OSPF area.
  CONFIG-ROUTER-OSPF-id mode
  network ip-address mask area area-id
  The IP Address Format is A.B.C.D/M. The area ID range is from 0 to 65535 or A.B.C.D/M.

Enable OSPFv2 on Interfaces
Enable and configure OSPFv2 on each interface (configure for Layer 3 protocol), and ensure the interface is not shut down.
Adjacent with neighbor 13.1.1.1 (Designated Router) DellEMC> Loopback interfaces also help the OSPF process. OSPF picks the highest interface address as the router-id and a Loopback interface address has a higher precedence than other interface addresses. Example of Viewing OSPF Status on a Loopback Interface DellEMC#show ip ospf 1 int GigabitEthernet 1/23 is up, line protocol is up Internet Address 10.168.0.1/24, Area 0.0.0.1 Process ID 1, Router ID 10.168.253.
3.3.3.3 1 DellEMC# 0 0 0 0 1 To view information on areas, use the show ip ospf process-id command in EXEC Privilege mode. Enabling Passive Interfaces A passive interface is one that does not send or receive routing information. Enabling passive interface suppresses routing updates on an interface. Although the passive interface does not send or receive routing updates, the network on that interface is still included in OSPF updates sent via other interfaces.
To enable or disable fast-convergence, use the following command. • Enable OSPF fast-convergence and specify the convergence level. CONFIG-ROUTER-OSPF-id mode fast-convergence {number} The parameter range is from 1 to 4. The higher the number, the faster the convergence. When disabled, the parameter is set at 0. NOTE: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements.
ip ospf hello-interval seconds
• seconds: the range is from 1 to 65535 (the default is 10 seconds). The hello interval must be the same on all routers in the OSPF network.
Use the MD5 algorithm to produce a message digest from each packet and the configured key; the digest, not the key, is sent on the wire. CONFIG-INTERFACE mode ip ospf message-digest-key keyid md5 key
• keyid: the range is from 1 to 255.
• key: a character string.
NOTE: Be sure to write down or otherwise record the key. You cannot learn the key after it is configured.
CONFIG-INTERFACE mode ip ospf authentication-key key Configure a key that is a text string no longer than eight characters. • All neighboring routers must share the password to exchange OSPF information. Note that this simple password is carried in clear text in the OSPF packet header, so anyone who can capture the traffic can read it; prefer message-digest authentication where the neighbors support it. Set the authentication change wait time in seconds between 0 and 300 for the interface. CONFIG-INTERFACE mode ip ospf auth-change-wait-time seconds This setting is the amount of time OSPF has available to change its interface authentication type.
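The following added example (not code from this guide) shows what the two interface commands above put on the wire, following RFC 2328 Appendix D: with ip ospf authentication-key (authentication type 1) the password itself sits in the OSPF header, while with ip ospf message-digest-key (type 2) only a 16-byte MD5 digest of packet plus key is appended and the key never leaves the router. The router ID, area, Hello body and keys are constructed sample values.

```python
"""OSPFv2 authentication trailer, RFC 2328 Appendix D.

Added example; it is not code from the Dell guide. Type 1 carries the
8-character password in clear text in the header; type 2 appends an MD5
digest over packet+key and never transmits the key.
"""
import hashlib
import hmac
import struct

AUTH_SIMPLE, AUTH_CRYPTO = 1, 2
OSPF_HELLO = 1
HEADER_LEN = 24

# Constructed sample values (not from the guide): router ID, area and a
# 20-byte Hello body (mask, hello/dead intervals, options, priority, DR, BDR).
RID = bytes([10, 168, 253, 1])
AREA = bytes([0, 0, 0, 1])
SAMPLE_HELLO = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x12, 1, 40,
                           bytes([10, 168, 0, 1]), bytes(4))


def ip_checksum(data):
    """Standard one's-complement checksum used by the OSPFv2 header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ospf_header(length, auth_type, auth_field, checksum=0):
    # version 2, Hello, length, router ID, area ID, checksum, auth type, 8-byte auth field
    return struct.pack("!BBH4s4sHH", 2, OSPF_HELLO, length, RID, AREA,
                       checksum, auth_type) + auth_field


def build_simple_auth(body, password):
    """Auth type 1: the password, padded to 8 bytes, sits in the header itself."""
    if len(password) > 8:
        raise ValueError("simple password is at most 8 characters")
    auth = password.encode().ljust(8, b"\0")
    hdr = ospf_header(HEADER_LEN + len(body), AUTH_SIMPLE, auth)
    # RFC 2328 D.3: the checksum covers the packet minus the 64-bit auth field
    csum = ip_checksum(hdr[:16] + body)
    return ospf_header(HEADER_LEN + len(body), AUTH_SIMPLE, auth, csum) + body


def md5_trailer(packet, key):
    """RFC 2328 D.4.3: MD5 over the packet followed by the key padded to 16 bytes."""
    if len(key) > 16:
        raise ValueError("message-digest key is at most 16 bytes")
    return hashlib.md5(packet + key.ljust(16, b"\0")).digest()


def build_crypto_auth(body, key_id, key, seq):
    """Auth type 2: the header carries key ID, digest length and sequence
    number, the checksum is 0, and the 16-byte digest follows the packet
    without being counted in the length field."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = ospf_header(HEADER_LEN + len(body), AUTH_CRYPTO, auth) + body
    return packet + md5_trailer(packet, key)


def verify_crypto_auth(frame, keys, last_seq):
    """Receiver check. keys maps key ID -> key bytes; last_seq is the highest
    sequence number already accepted from this neighbour. Returns (ok, seq)."""
    if len(frame) < HEADER_LEN:
        return False, None
    version, _, length, _, _, _, auth_type = struct.unpack("!BBH4s4sHH", frame[:16])
    if version != 2 or auth_type != AUTH_CRYPTO or len(frame) < length + 16:
        return False, None
    zero, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if zero != 0 or auth_len != 16 or key_id not in keys:
        return False, None  # unknown key ID: the neighbour used a key we do not hold
    packet, digest = frame[:length], frame[length:length + 16]
    if not hmac.compare_digest(md5_trailer(packet, keys[key_id]), digest):
        return False, None  # wrong key, or the packet was modified in transit
    if seq < last_seq:
        return False, None  # replayed packet: sequence numbers must not go backwards
    return True, seq


def password_in_clear(frame):
    """What a sniffer sees with auth type 1: the password, right in the header."""
    return frame[16:24].rstrip(b"\0").decode()


if __name__ == "__main__":
    simple = build_simple_auth(SAMPLE_HELLO, "ospfkey1")
    print("type 1 leaks:", password_in_clear(simple))
    frame = build_crypto_auth(SAMPLE_HELLO, 1, b"s3cret", 100)
    print("type 2 verifies:", verify_crypto_auth(frame, {1: b"s3cret"}, 0))
```

The receiver side also rejects a packet whose sequence number goes backwards, which is the replay protection the digest alone does not give; a neighbor that reloads and restarts its sequence at a lower value therefore needs the key to be rotated or the adjacency to be reset.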
NOTE: The Helper mode is enabled by default on the device. To enable the restart mode also on the device, you must configure the grace period using the graceful-restart grace-period command. After you enable restart mode the router advertises the neighbor as fully adjacent during a restart. For more information about OSPF graceful restart, refer to the Dell EMC Networking OS Command Line Reference Guide.
Configure the following required and optional parameters:
• bgp, connected, isis, rip, static: enter one of the keywords to redistribute those routes.
• metric metric-value: the range is from 0 to 4294967295.
• metric-type metric-type: 1 for OSPF external route type 1; 2 for OSPF external route type 2.
• route-map map-name: enter the name of a configured route map.
• tag tag-value: the range is from 0 to 4294967295.
debug ip ospf process-id [event | packet | spf | database-timers rate-limit] To view debug messages for a specific OSPF process ID, use the debug ip ospf process-id command. If you do not enter a process ID, the command applies to the first OSPF process. To view debug messages for a specific operation, enter one of the optional keywords:
• event: view OSPF event messages.
• packet: view OSPF packet information.
• spf: view SPF information.
• database-timers rate-limit: view the LSAs currently in the queue.
no shutdown ! interface GigabitEthernet 1/2 ip address 10.2.12.2/24 no shutdown ! interface Loopback 10 ip address 192.168.100.100/24 no shutdown OSPF Area 0 — Te 3/1 and 3/2 router ospf 33333 network 192.168.100.0/24 area 0 network 10.0.13.0/24 area 0 network 10.0.23.0/24 area 0 ! interface Loopback 30 ip address 192.168.100.100/24 no shutdown ! interface GigabitEthernet 3/1 ip address 10.1.13.3/24 no shutdown ! interface GigabitEthernet 3/2 ip address 10.2.13.
2. No-redistribute – To restrict Type-7 LSAs — When the NSSA ASBR is also an ABR, redistributed external routes need not be translated from Type-7 to Type-5 LSAs. The ABR injects the external routes directly into the OSPF domain as Type-5 LSAs and does not send Type-7 LSAs into the NSSA area. 3. No-summary – To act as a totally stubby area — An NSSA area can be converted into a totally stubby area to reduce the number of Type-3 LSAs.
Applying cost for OSPFv3 A change in bandwidth directly affects the cost of OSPF routes.
• Explicitly specify the cost of sending a packet on an interface. INTERFACE mode ipv6 ospf interface-cost
• interface-cost: the range is from 1 to 65535. The default cost is based on the bandwidth.
• Specify how the OSPF interface cost is calculated based on the reference bandwidth method. The cost of an interface is calculated as Reference Bandwidth/Interface speed.
router-id {number} • number: the IPv4 address. The format is A.B.C.D. NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address.
• Disable OSPFv3. CONFIGURATION mode no ipv6 router ospf process-id
• Reset the OSPFv3 process. EXEC Privilege mode clear ipv6 ospf process
Assigning OSPFv3 Process ID and Router ID to a VRF To assign, disable, or reset OSPFv3 on a non-default VRF, use the following commands. • Enable the OSPFv3 process on a non-default VRF and enter OSPFv3 mode.
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a port channel interface, enter the keywords port-channel then a number.
• For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
To enable both receiving and sending routing updates, use the no passive-interface interface command.
When you enable the helper-reject role on an interface using the ipv6 ospf graceful-restart helper-reject command, you reconfigure OSPFv3 graceful restart to function in a restarting-only role: OSPFv3 does not participate in the graceful restart of a neighbor. NOTE: Enter the ipv6 ospf graceful-restart helper-reject command in Interface configuration mode. NOTE: For the graceful-restart configuration to work, you must configure the grace period. Use the graceful-restart grace-period command to configure it.
The following example shows the show ipv6 ospf database database-summary command. DellEMC#show ipv6 ospf database database-summary ! OSPFv3 Router with ID (200.1.1.
• AH — The IPsec Authentication Header (AH) authenticates every OSPFv3 packet, providing integrity and data-origin validation: the receiver can verify that the packet was not altered in transit and that it came from a peer holding the configured key. The AH is inserted after the IPv6 header and is identified by IP protocol number 51. For detailed information about AH, refer to RFC 4302.
Configuring IPsec Authentication on an Interface To configure, remove, or display IPsec authentication on an interface, use the following commands. Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
• key-authentication-type: (optional) specifies whether the authentication key is entered in encrypted form. The valid values are 0 (the key is entered in plain text) or 7 (the key is entered in its encrypted form).
• Remove an IPsec encryption policy from an interface. no ipv6 ospf encryption ipsec spi number
• Remove null encryption on an interface to allow the interface to inherit the encryption policy configured for the OSPFv3 area. no ipv6 ospf encryption null
• Display the configuration of IPsec encryption policies on the router.
CONF-IPV6-ROUTER-OSPF mode area area-id encryption ipsec spi number esp encryption-algorithm [key-encryption-type] key authentication-algorithm [key-authentication-type] key
• area area-id: specifies the area for which OSPFv3 traffic is to be encrypted. For area-id, enter a number or an IPv6 prefix.
• spi number: the security parameter index (SPI) value that identifies the security association. The range is from 256 to 4294967295.
• esp encryption-algorithm: specifies the encryption algorithm used with ESP.
Policy name Policy refcount Inbound AH SPI Outbound AH SPI Inbound AH Key Outbound AH Key Transform set : : : : : : : OSPFv3-1-500 2 500 (0x1F4) 500 (0x1F4) bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e ah-md5-hmac Crypto IPSec client security policy data Policy name : OSPFv3-0-501 Policy refcount : 1 Inbound ESP SPI : 501 (0x1F5) Outbound ESP SPI : 501 (0x1F5) Inbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759
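The following added example (not code from this guide or from Dell EMC Networking OS) shows what the manually keyed security associations configured with ipv6 ospf authentication ipsec spi and area ... encryption ipsec spi amount to on the wire, as RFC 4552 specifies for OSPFv3: the SPI selects the key, the integrity check value is an HMAC truncated to 96 bits (HMAC-SHA1-96 or HMAC-MD5-96, RFC 2404/2403), and the ICV covers the immutable IPv6 header fields, the AH and the OSPFv3 packet. The addresses, SPIs and keys are constructed.

```python
"""OSPFv3 packet protection with an IPsec Authentication Header (AH), as
RFC 4552 requires: manual keying, one security association per SPI, and
HMAC-SHA1-96 (or HMAC-MD5-96) as the integrity algorithm.

Added example; not code from the Dell guide. The IPv6 header fields
folded into the ICV are the immutable ones RFC 4302 lists; addresses,
SPIs and keys below are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51      # IP protocol number of the Authentication Header
OSPFV3_PROTO = 89  # Next Header value carried inside the AH
AH_FIXED_LEN = 12  # next hdr, payload len, reserved, SPI, sequence

# algorithm -> (hash, truncated ICV length, required key length); RFC 2403/2404
ALGOS = {
    "hmac-md5-96": (hashlib.md5, 12, 16),
    "hmac-sha1-96": (hashlib.sha1, 12, 20),
}


def ipv6_immutable_header(src, dst, payload_len):
    """IPv6 header as AH sees it: traffic class, flow label and hop limit are
    mutable in transit and are therefore zeroed; Next Header is AH (51)."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, AH_PROTO, 0,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def ah_icv(algo, key, src, dst, spi, seq, payload):
    digest_mod, icv_len, key_len = ALGOS[algo]
    if len(key) != key_len:
        raise ValueError(f"{algo} requires a {key_len}-byte key, got {len(key)}")
    ah_len = AH_FIXED_LEN + icv_len  # 24 bytes, a multiple of 8 as IPv6 requires
    # AH with the ICV field zeroed: next header, length in 32-bit words minus 2,
    # reserved, SPI, sequence number
    ah = struct.pack("!BBHII", OSPFV3_PROTO, ah_len // 4 - 2, 0, spi, seq) + bytes(icv_len)
    data = ipv6_immutable_header(src, dst, ah_len + len(payload)) + ah + payload
    return hmac.new(key, data, digest_mod).digest()[:icv_len]


def build_ah(algo, key, src, dst, spi, seq, ospf_packet):
    """Outbound: AH header + ICV + OSPFv3 packet (the bytes after the IPv6 header)."""
    icv = ah_icv(algo, key, src, dst, spi, seq, ospf_packet)
    ah = struct.pack("!BBHII", OSPFV3_PROTO, (AH_FIXED_LEN + len(icv)) // 4 - 2, 0, spi, seq)
    return ah + icv + ospf_packet


def verify_ah(sadb, src, dst, data):
    """Inbound: the SPI selects the SA (algorithm, key, last accepted sequence)
    in ``sadb``; returns (ok, ospf_packet). A packet with an unknown SPI, a
    wrong ICV, or a sequence number that does not advance is dropped."""
    if len(data) < AH_FIXED_LEN:
        return False, None
    nxt, plen, _, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    sa = sadb.get(spi)
    if sa is None or nxt != OSPFV3_PROTO:
        return False, None
    ah_len = (plen + 2) * 4
    icv, payload = data[AH_FIXED_LEN:ah_len], data[ah_len:]
    expected = ah_icv(sa["algo"], sa["key"], src, dst, spi, seq, payload)
    if not hmac.compare_digest(icv, expected):
        return False, None
    if seq <= sa["last_seq"]:
        return False, None  # replay: even with manual keying the sequence must advance
    sa["last_seq"] = seq
    return True, payload


# Constructed security associations, indexed by SPI as the CLI does
SADB = {
    500: {"algo": "hmac-md5-96",
          "key": bytes.fromhex("00112233445566778899aabbccddeeff"), "last_seq": 0},
    502: {"algo": "hmac-sha1-96",
          "key": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f000112233"), "last_seq": 0},
}
SRC, DST = "fe80::1", "ff02::5"  # link-local source to the AllSPFRouters group

if __name__ == "__main__":
    hello = b"\x03\x01\x00\x24" + bytes(32)  # constructed OSPFv3 Hello header + body
    wire = build_ah("hmac-sha1-96", SADB[502]["key"], SRC, DST, 502, 1, hello)
    print(verify_ah(SADB, SRC, DST, wire))
```

The key-length check mirrors what the CLI enforces when it rejects a key of the wrong size for the chosen algorithm; a 128-bit key is an HMAC-MD5-96 key and a 160-bit key an HMAC-SHA1-96 key, so the hex string you type must be exactly 32 or 40 digits.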
Troubleshooting OSPFv3 The system provides several tools to troubleshoot OSPFv3 operation on the switch. This section describes typical OSPFv3 troubleshooting scenarios. NOTE: The following troubleshooting section is not meant to be a comprehensive list, but only to provide some examples of typical troubleshooting checks.
MIB Object  OID  Description
ospfv3AsLsdbEntry  1.3.6.1.2.1.191.1.3.1  Contains the OSPFv3 process's AS-scope link state database. The LSDB contains the AS-scope link state advertisements.
ospfv3AreaLsdbEntry  1.3.6.1.2.1.191.1.4.1  Contains the OSPFv3 process's Area-scope link state database. The LSDB contains the Area-scope link state advertisements.
ospfv3LinkLsdbEntry  1.3.6.1.2.1.191.1.5.1  Contains the OSPFv3 process's Link-scope LSDB for non-virtual interfaces.
ospfv3IfEntry  1.3.6.1.2.1.191.1.7.
36 Policy-based Routing (PBR) Overview When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria: size, source, protocol type, destination, and so on.
• Dell EMC Networking OS supports multiple next-hop entries in the redirect lists.
• Redirect-lists are applied at Ingress.
PBR with Redirect-to-Tunnel Option: You can provide a tunnel ID for a redirect rule. In this case, the resolved next hop is the tunnel interface IP. The qualifiers of the rule pertain to the inner IP details. You must provide a tunnel ID for the next hop to be a tunnel interface.
Create a Redirect List To create a redirect list, use the following commands. Create a redirect list by entering the list name. CONFIGURATION mode ip redirect-list redirect-list-name redirect-list-name: 16 characters. To delete the redirect list, use the no ip redirect-list command. The following example creates a redirect list by the name of xyz.
DellEMC(conf-redirect-list)#redirect 3.3.3.3 ip ? A.B.C.D Source address any Any source host host A single source host DellEMC(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 ? Mask A.B.C.D or /nn Mask in dotted decimal DellEMC(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 /32 A.B.C.D Destination address any Any destination host host A single destination host DellEMC(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 /32 Mask A.B.C.D or /nn Mask in dotted decimal DellEMC(conf-redirect-list)#redirect 3.
NOTE: You can apply the l2–switch option to redirect Layer 2 traffic only on a VLAN interface. This VLAN interface must be configured with an IP address for ARP resolution. The Layer 2 PBR option matches the Layer 2 traffic flow. If you unconfigure this option, the Layer 2 traffic is no longer matched. Layer 3 routing is not affected on the same interface on which Layer 2 PBR is applied. The port from which Layer 2 packets egress and the destination MAC are rewritten from the static ARP entry.
Use the show ip redirect-list (without the list name) to display all the redirect-lists configured on the device. DellEMC#show ip redirect-list IP redirect-list rcl0: Defined as: seq 5 permit ip 200.200.200.200 200.200.200.200 199.199.199.199 199.199.199.199 seq 10 redirect 1.1.1.2 tcp 234.224.234.234 255.234.234.234 222.222.222.
Create the Redirect-List GOLD Assign Redirect-List GOLD to Interface 2/11 View Redirect-List GOLD Creating a PBR list using Explicit Track Objects for Redirect IPs Create Track Objects to track the Redirect IPs: DellEMC#configure terminal DellEMC(conf)#track 3 ip host 42.1.1.2 reachability DellEMC(conf-track-3)#probe icmp DellEMC(conf-track-3)#track 4 ip host 43.1.1.
Verify the Status of the Track Objects (Up/Down): DellEMC#show track brief ResId 1 2 3 4 Resource Interface ip routing Interface ipv6 routing IP Host reachability IP Host reachability Parameter Tunnel 1 Tunnel 2 42.1.1.2/32 43.1.1.
Verify the Status of the Track Objects (Up/Down):
DellEMC#show track brief
ResId  Resource                Parameter  State  LastChange
1      Interface ip routing    Tunnel 1   Up     00:00:00
2      Interface ipv6 routing  Tunnel 2   Up     00:00:00
DellEMC#
Create a Redirect-list with Track Objects pertaining to Tunnel Interfaces:
DellEMC#configure terminal
DellEMC(conf)#ip redirect-list explicit_tunnel
DellEMC(conf-redirect-list)#redirect tunnel 1 track
DellEMC(conf-redirect-list)#redirect tunnel 1 track
DellEMC(conf-redirect-list)#redirect tu
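The following added example (not code from this guide) models how a redirect list is evaluated against packets once track objects are attached to the redirect IPs, as the preceding sections describe: rules are tried in seq order, a permit rule hands the packet to normal routing, a redirect rule sends it to the listed next hop, and a redirect whose track object is Down is skipped so the next rule, or normal routing, takes over. The rule syntax with a trailing track keyword and the fall-through behaviour are assumptions of this model, and the rules and packets are constructed; the real CLI has no Python API.

```python
"""Evaluation of a PBR redirect list against packets, with track objects.

Added example; not code from the Dell guide. Rules are matched in ``seq``
order; ``permit`` exempts a packet from PBR; ``redirect`` forwards to the
next hop unless its track object is Down, in which case evaluation
continues (assumption). Rule strings and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    seq: int
    action: str                  # "permit" or "redirect"
    next_hop: Optional[str]      # only for redirect
    proto: str                   # "ip" matches every IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    track: Optional[int] = None  # track object guarding next_hop


def _take_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D <mask|/nn>'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    prefix = tok + mask if mask.startswith("/") else tok + "/" + mask
    return ipaddress.ip_network(prefix, strict=False)


def parse_rule(text):
    """Parse 'seq N permit|redirect [next-hop] proto SRC DST [track T]'."""
    tokens = text.split()
    if tokens[0] != "seq":
        raise ValueError("rule must start with 'seq'")
    seq, action = int(tokens[1]), tokens[2]
    next_hop = tokens[3] if action == "redirect" else None
    rest = tokens[4:] if action == "redirect" else tokens[3:]
    proto = rest.pop(0)
    src, dst = _take_addr(rest), _take_addr(rest)
    track = int(rest[1]) if rest[:1] == ["track"] else None
    return Rule(seq, action, next_hop, proto, src, dst, track)


class RedirectList:
    def __init__(self, name, rule_texts):
        self.name = name
        self.rules = sorted((parse_rule(t) for t in rule_texts), key=lambda r: r.seq)

    def evaluate(self, packet, track_state):
        """packet: dict(proto, src, dst); track_state: {track id: 'Up'|'Down'}.
        Returns ('redirect', next_hop) or ('route', None)."""
        src = ipaddress.ip_address(packet["src"])
        dst = ipaddress.ip_address(packet["dst"])
        for r in self.rules:
            if r.proto != "ip" and r.proto != packet["proto"]:
                continue
            if src not in r.src or dst not in r.dst:
                continue
            if r.action == "permit":
                return "route", None          # explicit exemption from PBR
            if r.track is not None and track_state.get(r.track) != "Up":
                continue                      # next hop unreachable: try the next rule
            return "redirect", r.next_hop
        return "route", None                  # no match: destination-based routing


# Constructed list: permit one host, two tracked redirects for the same
# subnet (primary and backup next hop), one untracked TCP redirect.
EXPLICIT = RedirectList("explicit", [
    "seq 10 redirect 42.1.1.2 ip 10.1.1.0 /24 any track 3",
    "seq 5 permit ip host 10.1.1.1 any",
    "seq 15 redirect 43.1.1.2 ip 10.1.1.0 255.255.255.0 any track 4",
    "seq 20 redirect 1.1.1.2 tcp any host 172.16.5.5",
])

if __name__ == "__main__":
    pkt = {"proto": "udp", "src": "10.1.1.9", "dst": "198.51.100.7"}
    print(EXPLICIT.evaluate(pkt, {3: "Up", 4: "Up"}))
    print(EXPLICIT.evaluate(pkt, {3: "Down", 4: "Up"}))
```

Ordering two redirects for the same subnet behind different track objects is what gives you a primary and backup next hop: when track 3 goes Down, seq 15 takes over, and when both are Down the traffic falls back to the routing table rather than being black-holed.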
37 PIM Sparse-Mode (PIM-SM) Implementation Information The following information is necessary for implementing PIM-SM.
• The Dell EMC Networking implementation of PIM-SM is based on IETF Internet Draft draft-ietf-pim-sm-v2-new-05.
• The platform supports a maximum of 95 IPv4 and IPv6 PIM interfaces and 2000 multicast entries including (*,G) and (S,G) entries.
• The maximum number of PIM neighbors is the same as the maximum number of PIM-SM interfaces.
Send Multicast Traffic With PIM-SM, all multicast traffic must initially flow through the RP. The source's first-hop router must unicast the traffic to the RP so that the RP can learn about the source and create an SPT to it. Then the last-hop DR may create an SPT directly to the source. 1. The source gateway router (first-hop DR) receives the multicast packets and creates an (S,G) entry in its multicast routing table. The first-hop DR encapsulates the initial multicast packets in PIM Register packets and unicasts them to the RP.
INTERFACE mode {ip | ipv6} pim sparse-mode To display which interfaces are enabled with PIM-SM, use the show {ip | ipv6} pim interface command from EXEC Privilege mode. Following is an example of show ip pim interface command output: DellEMC#show ip pim interface Address Interface Ver/ Mode 165.87.34.5 Gi 1/10 v2/S 10.1.1.2 Vl 10 v2/S 20.1.1.5 Vl 20 v2/S 165.87.31.200 Vl 30 v2/S Nbr Count 0 1 1 1 Query Intvl 30 30 30 30 DR Prio 1 1 1 1 DR 165.87.34.5 10.1.1.2 20.1.1.5 165.87.31.
(*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.6, flags: SCJ Incoming interface: GigabitEthernet 1/12, RPF neighbor 10.87.3.5 Outgoing interface list: GigabitEthernet 1/11 GigabitEthernet 1/13 (10.87.31.5, 192.1.2.1), uptime 00:01:24, expires 00:02:26, flags: FT Incoming interface: GigabitEthernet 1/10, RPF neighbor 0.0.0.
Configuring a Static Rendezvous Point The rendezvous point (RP) is a PIM-enabled interface on a router that acts as the root of a group-specific tree; every group must have an RP. • Identify an RP by the IP address of a PIM-enabled or Loopback interface. {ip | ipv6} pim rp-address address group-address group-address mask [override] Following is an example of IPv4 configuration: DellEMC#show running-configuration interface loop0 ! interface Loopback 0 ip address 1.1.1.
Following is an example of show ip pim rp mapping command output: DellEMC#show ip pim rp mapping PIM Group-to-RP Mappings Group(s): 224.0.0.0/4, Static RP: 165.87.50.5, v2 Following is an example of show ipv6 pim rp mapping command output: Dell#show ipv6 pim rp mapping PIM Group-to-RP Mappings Group(s): ff00::/8, Static RP: 2001:100::1, v2 Dell# Configuring a Designated Router Multiple PIM-SM routers might be connected to a single local area network (LAN) segment.
0/0 0/0 0/0 0/0 State-Refresh messages sent/received MSDP updates sent/received Null Register messages sent/received Register-stop messages sent/received Data path event summary: 0 no-cache messages received 0 last-hop switchover messages received 0/0 pim-assert messages sent/received 0/0 register messages sent/received DellEMC# Following is an example of show ipv6 pim interface command output: Dell#show ipv6 pim interface Interface Ver/ Nbr Query DR Mode Count Intvl Prio Gi 1/3 v2/S 1 30 1 Address : fe80
3. If you configure a secondary VLT peer as an E-BSR and in case of ICL flap or failover, the VLT lag will be down resulting a BSM timeout in the PIM domain and a new BSR will be elected. Hence, it is recommended to configure the primary VLT peer as E-BSR. NOTE: BSR configuration in the multicast topology should ensure that secondary VLT node is not selected as E-BSR. If selected as E-BSR during ICL flap or VLT failover, traffic disruption will be reported.
38 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1. Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2. Enter the ip pim ssm-range command and specify the ACL you created. CONFIGURATION mode ip pim ssm-range acl-name To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode. R1(conf)#do show run pim ! ip pim rp-address 10.11.12.2 group-address 224.0.0.
R1(conf)#ip igmp ssm-map map 10.11.5.2 R1(conf)#do show ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Mode Uptime 239.0.0.2 Vlan 300 IGMPv2-Compat 00:00:07 Member Ports: Te 1/1 239.0.0.1 Vlan 400 INCLUDE 00:00:10 Never 10.11.4.2 R1(conf)#do show ip igmp ssm-map IGMP Connected Group Membership Group Address Interface Mode Uptime 239.0.0.2 Vlan 300 IGMPv2-Compat 00:00:36 Member Ports: Te 1/1 R1(conf)#do show ip igmp ssm-map 239.0.0.
ip pim [vrf vrf-name] rp-Candidate interface [priority] [acl-name] The specified acl-list is associated to the rp-candidate. NOTE: You can create the ACL list of multicast prefix using the ip access-list standard command.
39 Power over Ethernet (PoE) The PoE feature supports electrical power and transmission of data on Ethernet cabling. A single cable can provide both data connection and electrical power to the attached devices such as wireless access points or IP cameras. Power over Ethernet (PoE), as described by IEEE 802.3af specifies that a maximum of 15.4 watts can be transmitted to Ethernet devices over the signal pairs of an unshielded twisted pair (UTP) cable.
• To view the amount of power that a port is consuming, use the show power inline command in EXEC Privilege mode. See Display the Power Details.
• To disable PoE/PoE+ on a port, use the no power inline command in INTERFACE mode.
Upgrading the PoE Controller To upgrade the PoE controller firmware, use the following command. You can upgrade the PoE controller firmware using the firmware packaged with the Dell Networking OS. After the upgrade is successful, the stack unit reloads automatically.
Manage Ports using Power Priority and Power Budget The allocation and return of power on ports depends on the total inline power available in the system and the power priority calculation. You can manage the power prioritization and the power allocation to the ports by using the power inline priority and power budget commands. For more information about the commands, see the Dell Networking OS Command Line Reference Guide.
Manage Inline Power By default, PoE/PoE+ is disabled. To manage the inline power supplied to the ports, use the power inline mode command in Configuration mode. This command has the following parameters.
• class — When you configure class mode, the maximum power for the particular class of device is allocated. Class mode supports power allocation through Layer 2 classification and power negotiation by the LLDP 802.3at standard. You can use this mode to configure port priority.
Power Allocation to Ports When PoE/PoE+ is enabled, the power allocated to a port depends on how PoE/PoE+ is enabled on the port and whether a device is connected to the port.
• When you configure a port using the power inline command without setting the max_milliwatts power limit option, the Dell Networking OS does not allocate any power to the port unless a device is connected, and there is no limit to the amount of power consumed by the powered device.
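The following added example (not code from this guide or from Dell Networking OS) models the power priority and power budget behaviour described in the two preceding sections: every port asks for either its configured max_milliwatts limit or the maximum of its IEEE 802.3af/at class, the budget is handed out from highest to lowest priority, and a newly connected higher-priority device takes power away from lower-priority ports once the budget is exhausted. The priority levels critical, high and low, the tie-break on port order, the class maxima and the budget values are assumptions made for this model.

```python
"""Power budgeting by port priority, as a model of the behaviour the
"Manage Ports using Power Priority and Power Budget" section describes.

Added example; not code from the Dell guide. Assumptions: priorities are
critical > high > low, ties break on port order, a port requests its
configured limit or its 802.3af/at class maximum, and when the budget is
exhausted lower-priority ports are denied first. Values are constructed.
"""
from typing import Dict, List, Optional, Tuple

PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}

# IEEE 802.3af/at class -> maximum power at the PSE port, in milliwatts
CLASS_MAX_MW = {0: 15400, 1: 4000, 2: 7000, 3: 15400, 4: 30000}


def port_request_mw(pd_class: int, max_milliwatts: Optional[int]) -> int:
    """A configured max_milliwatts caps the class maximum; without it the
    class maximum is allocated (class mode)."""
    class_max = CLASS_MAX_MW[pd_class]
    return min(class_max, max_milliwatts) if max_milliwatts else class_max


class PoeBudget:
    def __init__(self, budget_mw: int):
        self.budget_mw = budget_mw
        self.ports: List[Tuple[str, str, int]] = []  # (port, priority, requested mW)

    def connect(self, port: str, priority: str, pd_class: int,
                max_milliwatts: Optional[int] = None):
        if priority not in PRIORITY_RANK:
            raise ValueError("priority must be critical, high or low")
        self.ports = [p for p in self.ports if p[0] != port]
        self.ports.append((port, priority, port_request_mw(pd_class, max_milliwatts)))

    def disconnect(self, port: str):
        self.ports = [p for p in self.ports if p[0] != port]

    def allocate(self) -> Dict[str, int]:
        """Return port -> allocated mW (0 means power denied). Ports are
        served from the highest priority down; a request that no longer fits
        is denied, and the walk continues so that a smaller lower-priority
        request can still be served from what remains."""
        remaining = self.budget_mw
        result: Dict[str, int] = {}
        ordered = sorted(self.ports,
                         key=lambda p: (PRIORITY_RANK[p[1]], self.ports.index(p)))
        for port, _, need in ordered:
            if need <= remaining:
                result[port] = need
                remaining -= need
            else:
                result[port] = 0
        return result

    def available_mw(self) -> int:
        return self.budget_mw - sum(self.allocate().values())


if __name__ == "__main__":
    pse = PoeBudget(100000)                   # 100 W budget, constructed
    pse.connect("Gi 1/1", "critical", 4)      # 30 W device
    pse.connect("Gi 1/2", "low", 4)
    pse.connect("Gi 1/3", "high", 4)
    pse.connect("Gi 1/4", "low", 3, 12000)    # class 3 capped to 12 W
    print(pse.allocate(), pse.available_mw())
    pse.connect("Gi 1/5", "critical", 4)      # a new critical port preempts the low ones
    print(pse.allocate(), pse.available_mw())
```

Recomputing the whole allocation on every change is what makes preemption visible: after Gi 1/5 is connected the two low-priority ports lose power even though nothing about them changed, which is why a camera or door controller that must stay up belongs on a critical-priority port.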
Example: Dell#power inline suspend stack-unit 1 Use the following command to check the suspended state. Dell#show power inline stack-unit 1 % Error: Power to stack-unit 1 is in suspended state. Dell# To restore the power again, you can use the power inline restore stack-unit unit number command. See Restore Power Delivery on a Port. Restore Power Delivery on a Port You can temporarily disable and then restore power on a port. To disable the power delivery, see Suspend Power Delivery on a Port.
1 Dell# 1100 150 0 10 95 0 0 95
40 Port Monitoring Port monitoring (also referred to as mirroring ) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. Mirroring is used for monitoring Ingress or Egress or both Ingress and Egress traffic on a specific port(s). This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session. The platform supports multiple source-destination statements in a single monitor session. The maximum number of source ports that can be supported in a session is 128. The maximum number of destination ports that can be supported depends on the port mirroring directions as follows:
• 4 per port pipe, if the four destination ports mirror in one direction, either rx or tx.
N/A No N/A N/A No 300 Gi 1/17 Gi 1/4 N/A No N/A N/A No DellEMC(conf-mon-sess-300)# tx Port N/A N/A N/A Example of Viewing a Monitoring Session In the example below, 0/25 and 0/26 belong to Port-pipe 1. This port-pipe has the same restriction of only four destination ports, new or used.
CONFIGURATION mode monitor session monitor session type rpm/erpm type is an optional keyword, required only for rpm and erpm 3. Specify the source and destination port and direction of traffic, as shown in the following example. MONITOR SESSION mode source To display information on currently configured port-monitoring sessions, use the show monitor session command from EXEC Privilege mode.
Figure 94. Port Monitoring Example Configuring Monitor Multicast Queue To configure monitor QoS multicast queue ID, use the following commands. 1. Configure monitor QoS multicast queue ID. CONFIGURATION mode monitor multicast-queue queue-id DellEMC(conf)#monitor multicast-queue 7 2. Verify information about monitor configurations.
MONITOR SESSION mode flow-based enable 3. Specify the source and destination port and direction of traffic. MONITOR SESSION mode source source—port destination destination-port direction rx 4. Define IP access-list rules that include the monitor keyword. For port monitoring, Dell EMC Networking OS only considers traffic matching rules with the monitor keyword. CONFIGURATION mode ip access-list To define access lists, see the Access Control Lists (ACLs) chapter. 5.
In a remote-port mirroring session, monitored traffic is tagged with a VLAN ID and switched on a user-defined, non-routable L2 VLAN. The VLAN is reserved in the network to carry only mirrored traffic, which is forwarded on all egress ports of the VLAN. Each intermediate switch that participates in the transport of mirrored traffic must be configured with the reserved L2 VLAN.
• A remote port mirroring session mirrors monitored traffic by prefixing the reserved VLAN tag to monitored packets so that they are copied to the reserve VLAN.
• Mirrored traffic is transported across the network using 802.1Q-in-802.1Q tunneling.
• The source address, destination address and original VLAN ID of the mirrored packet are preserved with the tagged VLAN header.
• Untagged source packets are tagged with the reserve VLAN ID.
• On a source switch on which you configure source ports for remote port mirroring, you can add only one port to the dedicated RPM VLAN which is used to transport mirrored traffic. You can configure multiple ports for the dedicated RPM VLAN on intermediate and destination switches. Displaying Remote-Port Mirroring Configurations To display the current configuration of remote port mirroring for a specified session, enter the show config command in MONITOR SESSION configuration mode.
CONFIGURATION mode interface vlan vlan-id 3. Configure the RSPAN VLAN to be used to transport mirrored traffic in RPM. VLAN INTERFACE mode mode remote-port-mirroring 4. Configure a tagged port to carry mirrored traffic in the VLAN. VLAN INTERFACE mode tagged interface You can repeat this command to configure additional tagged ports for the VLAN. Configuring a source session Following are the steps for configuring a source session on a switch.
Configuration Example of Remote Port Mirroring This example provides a sample configuration of remote port mirroring (RPM) on a source switch, an intermediate switch, and a destination switch based on the following illustration. Figure 96.
Following is a sample configuration of RPM on a destination switch.
Configuration Example of RPM for port-channel This example provides a sample configuration of remote port mirroring for the port-channel source interface. Configuring Remote Port Mirroring on source switch The below configuration example shows that the source is a source port-channel and the destination is the reserved VLAN (for example, remote-vlan 30).
• Configure the system MTU to accommodate the increased size of the ERPM mirrored packet. • The maximum number of source ports you can define in a session is 128. • The system encapsulates the complete ingress or egress data under GRE header, IP header, and outer MAC header and sends it out at the next hop interface as pointed by the routing table. • Specify flow-based enable in case of source as VLAN or where you need monitoring on a per-flow basis.
No 0 No 1 No Enabled Po 1 remote-ip Enabled Vl 11 remote-ip Enabled tx Port 1.1.1.1 7.1.1.2 0 255 No 100 111 rx Flow 5.1.1.1 3.1.1.2 0 255 No 100 139 The next example shows the configuration of an ERPM session in which VLAN 11 is monitored as the source interface and a MAC ACL filters the monitored ingress traffic.
Decapsulation of ERPM packets at the Destination IP/Analyzer To recover the original payload from behind the ERPM header, the following two methods are suggested: 1. Using a Network Analyzer • Install any well-known, open-source network packet analyzer tool. • Start capturing the ERPM packets on the sniffer and save them to a trace file (for example: erpmwithheader.pcap). The header attached to each mirrored packet is 38 bytes long.
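The following added example (not code from this guide, and not the analyzer-based method it suggests) performs the same strip in Python: the 38 bytes are the outer Ethernet header (14), the outer IPv4 header (20) and a flag-less GRE header (4), and the code derives that offset from the headers rather than assuming it, so a GRE header that carries the optional checksum, key or sequence fields (42 bytes and up) is handled as well. Because the guide does not state which GRE protocol type the switch uses, the value is reported, not checked; the encapsulate helper, the 0x6558 transparent-Ethernet-bridging type it uses, the addresses and the inner frame are constructed test input.

```python
"""Stripping the ERPM encapsulation (outer Ethernet + IPv4 + GRE, 38 bytes
when GRE carries no optional fields) from a mirrored frame.

Added example; not code from the Dell guide. The GRE protocol type is
reported rather than checked (the guide does not state it); the sample
frames, addresses and the 0x6558 type used by ``encapsulate`` are
constructed.
"""
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner_frame, src_ip, dst_ip, gre_proto=0x6558, gre_key=None):
    """Build an ERPM-style frame around ``inner_frame``; used here only to
    create test input (0x6558 is the IANA type for transparent Ethernet
    bridging and is an assumption, not a value taken from the guide)."""
    flags = GRE_FLAG_KEY if gre_key is not None else 0
    gre = struct.pack("!HH", flags, gre_proto)
    if gre_key is not None:
        gre += struct.pack("!I", gre_key)
    total_len = 20 + len(gre) + len(inner_frame)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, IPPROTO_GRE, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + gre + inner_frame


def decapsulate(frame):
    """Return (inner_frame, info) or raise ValueError if this is not ERPM."""
    if len(frame) < ETH_LEN + 20 + 4:
        raise ValueError("frame too short for Ethernet+IPv4+GRE")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4 (0x%04x)" % ethertype)
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 header")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != IPPROTO_GRE:
        raise ValueError("outer IP protocol %d is not GRE" % proto)
    gre = ip[ihl:total_len]
    flags, gre_proto = struct.unpack("!HH", gre[:4])
    gre_len = 4
    if flags & GRE_FLAG_CSUM:
        gre_len += 4  # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        gre_len += 4
    if flags & GRE_FLAG_SEQ:
        gre_len += 4
    info = {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "gre_proto": gre_proto,
        "header_len": ETH_LEN + ihl + gre_len,  # 38 for a flag-less GRE header
    }
    return gre[gre_len:], info


# Constructed inner frame: a minimal Ethernet/IPv4 packet as the monitored port saw it
INNER = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00" + bytes(46)

if __name__ == "__main__":
    mirrored = encapsulate(INNER, "10.1.1.1", "10.1.1.2")
    inner, info = decapsulate(mirrored)
    print(info, inner == INNER)
```

Checking the outer IPv4 checksum and protocol before trusting the offset matters on a collector that receives more than mirrored traffic: a stray non-GRE packet on the same destination address would otherwise be sliced at byte 38 and presented as a plausible-looking but meaningless inner frame.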
VLT Non-failover Scenario Consider a scenario where port monitoring is configured to mirror traffic on a VLT device's port or LAG to a destination port on some other device (TOR) on the network. When there is no failover to the VLT peer, the VLTi link (ICL LAG) also receives the mirrored traffic because the VLTi link is added as an implicit member of the RPM VLAN. As a result, the mirrored traffic also reaches the peer VLT device, affecting the VLTi link's bandwidth usage.
Scenario RPM Restriction Recommended Solution orphan port on the secondary VLT device through the ICL LAG. The port analyzer is connected to the secondary VLT device. device:source orphan port destination remote vlan direction rx/tx/both.The following example shows the configuration on the secondary VLT device:source remote vlan destination orphan port.
41 Private VLANs (PVLAN) The private VLAN (PVLAN) feature is supported on Dell EMC Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell EMC Networking OS Command Line Reference Guide. Private VLANs extend the Dell EMC Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
PVLAN port types include:
• Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports.
• Host port — in the context of a private VLAN, a port in a secondary VLAN:
  • The port must first be assigned that role in INTERFACE mode.
  • A port assigned the host role cannot be added to a regular VLAN.
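The following added example (not code from this guide) turns the port-type rules above into a checkable model of which pairs of ports a private VLAN lets talk to each other: a promiscuous port reaches every port in the private VLAN, a community port reaches its own community and the promiscuous ports, and an isolated port reaches only the promiscuous ports, never another isolated port even in the same isolated VLAN. The VLAN numbers and port names are constructed in the spirit of the configuration example later in this chapter; the private-vlan commands themselves are not reproduced.

```python
"""Forwarding policy of a private VLAN, as a checkable model.

Added example; not code from the Dell guide. Encodes the PVLAN port-type
rules: promiscuous talks to all, community talks to its own community and
to promiscuous ports, isolated talks only to promiscuous ports. VLAN
numbers and port names are constructed.
"""
from typing import Dict, Set, Tuple

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


class PrivateVlan:
    def __init__(self, primary: int):
        self.primary = primary
        self.secondaries: Dict[int, str] = {}       # secondary VLAN -> community|isolated
        self.ports: Dict[str, Tuple[str, int]] = {}  # port -> (role, vlan)

    def map_secondary(self, vlan: int, mode: str):
        """private-vlan mapping: declare a community or isolated secondary VLAN."""
        if mode not in (COMMUNITY, ISOLATED):
            raise ValueError("secondary VLAN mode must be community or isolated")
        self.secondaries[vlan] = mode

    def add_promiscuous(self, port: str):
        self.ports[port] = (PROMISCUOUS, self.primary)

    def add_host(self, port: str, secondary: int):
        """Host ports live in a secondary VLAN mapped to this primary."""
        if secondary not in self.secondaries:
            raise ValueError(f"VLAN {secondary} is not a secondary of primary {self.primary}")
        self.ports[port] = (self.secondaries[secondary], secondary)

    def can_forward(self, a: str, b: str) -> bool:
        """May a frame entering on port ``a`` leave on port ``b``?"""
        if a == b or a not in self.ports or b not in self.ports:
            return False
        role_a, vlan_a = self.ports[a]
        role_b, vlan_b = self.ports[b]
        if PROMISCUOUS in (role_a, role_b):
            return True                          # promiscuous reaches everything
        if role_a == COMMUNITY and role_b == COMMUNITY:
            return vlan_a == vlan_b              # same community only
        return False                             # isolated ports see only promiscuous ports

    def reachable_from(self, port: str) -> Set[str]:
        return {p for p in self.ports if self.can_forward(port, p)}


def build_sample():
    """Constructed topology: primary 4000 with community 4001 and isolated 4003."""
    pv = PrivateVlan(4000)
    pv.map_secondary(4001, COMMUNITY)
    pv.map_secondary(4003, ISOLATED)
    for p in ("Te 1/1", "Te 1/23"):
        pv.add_promiscuous(p)
    for p in ("Te 1/2", "Te 1/3"):
        pv.add_host(p, 4001)
    for p in ("Te 1/24", "Te 1/47"):
        pv.add_host(p, 4003)
    return pv


if __name__ == "__main__":
    pv = build_sample()
    for port in sorted(pv.ports):
        print(port, "->", sorted(pv.reachable_from(port)))
```

Running reachable_from over every port gives the reachability matrix you would expect a PVLAN to enforce; it is a useful reference when validating a switch's behaviour with test traffic, since a single unexpected isolated-to-isolated path means the Layer 2 isolation the design relies on is not actually in place.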
Configuration Task List The following sections contain the procedures that configure a private VLAN.
• Creating PVLAN Ports
• Creating a Primary VLAN
• Creating a Community VLAN
• Creating an Isolated VLAN
Creating PVLAN ports PVLAN ports are ports that will be assigned to the PVLAN. 1. Access INTERFACE mode for the port that you want to assign to a PVLAN. CONFIGURATION mode interface interface 2. Enable the port. INTERFACE mode no shutdown 3. Set the port in Layer 2 mode. INTERFACE mode switchport 4.
2. Enable the VLAN. INTERFACE VLAN mode no shutdown 3. Set the PVLAN mode of the selected VLAN to primary. INTERFACE VLAN mode private-vlan mode primary 4. Map secondary VLANs to the selected primary VLAN. INTERFACE VLAN mode private-vlan mapping secondary-vlan vlan-list The list of secondary VLANs can be:
• Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
• Specified with this command even before they have been created.
Creating an Isolated VLAN An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN. 1. Access INTERFACE VLAN mode for the VLAN that you want to make an isolated VLAN. CONFIGURATION mode interface vlan vlan-id 2. Enable the VLAN. INTERFACE VLAN mode no shutdown 3. Set the PVLAN mode of the selected VLAN to isolated. INTERFACE VLAN mode private-vlan mode isolated 4. Add one or more host ports to the VLAN.
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 98. Sample Private VLAN Topology The following configuration is based on the example diagram for the Z9500:
• Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000.
• Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
• Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
• • The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500. For transmission between switches, tagged packets originating from host PVLAN ports in one secondary VLAN and destined for host PVLAN ports in the other switch travel through the promiscuous ports in the local VLAN 4000 and then through the trunk ports (1/25 in each switch). Inspecting the Private VLAN Configuration The standard methods of inspecting configurations also apply in PVLANs.
* 1 100 P 200 I 201 Inactive Inactive Inactive Inactive primary VLAN in PVLAN T Gi 1/19-20 isolated VLAN in VLAN 200 T Gi 1/21 The following example shows viewing a private VLAN configuration.
42 Per-VLAN Spanning Tree Plus (PVST+)
Protocol Overview
PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter.
Figure 99. Per-VLAN Spanning Tree
The Dell EMC Networking OS supports three other variations of spanning tree, as shown in the following table.
Table 58.
Implementation Information
• The Dell EMC Networking OS implementation of PVST+ is based on IEEE Standard 802.1w.
• The Dell EMC Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table). Other implementations use IEEE 802.1w costs as the default costs. If you are using Dell EMC Networking systems in a multivendor network, verify that the costs are values you intended.
• You can enable PVST+ on 254 VLANs.
To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Dell_E600(conf-pvst)#show config verbose
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096
Influencing PVST+ Root Selection
As shown in the previous per-VLAN spanning tree illustration, all VLANs use the same forwarding topology because R2 is elected the root, and all TenGigabitEthernet ports have the same cost.
To display the PVST+ forwarding topology, use the show spanning-tree pvst [vlan vlan-id] command from EXEC Privilege mode.
Dell_E600(conf)#do show spanning-tree pvst vlan 100
VLAN 100
Root Identifier has priority 4096, Address 0001.e80d.b6d6
Root Bridge hello time 2, max age 20, forward delay 15
Bridge Identifier has priority 4096, Address 0001.e80d.b6d6
Configured hello time 2, max age 20, forward delay 15
We are the root of VLAN 100
Current root has priority 4096, Address 0001.e80d.
Modifying Interface PVST+ Parameters
You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port.
• Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
shut down when it receives a BPDU. When you only implement bpduguard, although the interface is placed in an Error Disabled state when receiving the BPDU, the physical interface remains up and spanning-tree drops packets in the hardware after a BPDU violation. BPDUs are dropped in the software after receiving the BPDU violation. This feature is the same as PortFast mode in spanning tree. CAUTION: Configure EdgePort only on links connecting to an end station.
Figure 101. PVST+ with Extend System ID
• Augment the bridge ID with the VLAN ID.
  PROTOCOL PVST mode
  extend system-id
DellEMC(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32773, Address 0001.e832.73f7
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
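The bridge ID arithmetic behind the output above, and how the resulting per-VLAN bridge IDs decide the root that the Influencing PVST+ Root Selection section talks about, as an added example (not code from the Dell EMC guide). The priority and MAC values are taken from the guide's show output; the three-bridge topology that uses them is constructed.

```python
"""Added example, not code from the Dell EMC guide: how PVST+ forms the
per-VLAN bridge ID when 'extend system-id' is configured, and how that ID
decides the root for each VLAN.  The priority and MAC values come from the
guide's show output; the three-bridge topology that uses them is constructed."""
from __future__ import annotations

DEFAULT_PRIORITY = 32768          # 802.1D default bridge priority
MAX_VLAN_ID = 4094


def extended_priority(priority: int, vlan_id: int) -> int:
    """Augment the configured priority with the VLAN ID (sys-id-ext).

    With extend system-id only the upper 4 bits hold the configured
    priority, so it must be a multiple of 4096; the low 12 bits carry the
    VLAN ID, which is why the guide shows 32768 + 5 = 32773 for VLAN 5.
    """
    if priority % 4096 != 0 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan_id <= MAX_VLAN_ID:
        raise ValueError("VLAN ID must be in 1..4094")
    return priority + vlan_id


def split_extended_priority(ext_priority: int) -> tuple[int, int]:
    """Reverse of extended_priority: (configured priority, sys-id-ext)."""
    return ext_priority & 0xF000, ext_priority & 0x0FFF


def mac_to_int(mac: str) -> int:
    """Accept dotted (0001.e80d.b6d6) or colon-separated MAC notation."""
    digits = mac.replace(".", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


def bridge_id(priority: int, vlan_id: int, mac: str) -> tuple[int, int]:
    """Bridge IDs compare numerically: lower extended priority wins, and
    the MAC address breaks ties.  Tuples give exactly that ordering."""
    return extended_priority(priority, vlan_id), mac_to_int(mac)


def elect_root(bridges: dict[str, tuple[str, dict[int, int]]], vlan_id: int) -> str:
    """Return the name of the root bridge for vlan_id.

    bridges maps a bridge name to (MAC, {vlan: bridge-priority}); a VLAN
    without an explicit 'vlan N bridge-priority' uses the 32768 default.
    """
    def key(name: str) -> tuple[int, int]:
        mac, per_vlan_priority = bridges[name]
        return bridge_id(per_vlan_priority.get(vlan_id, DEFAULT_PRIORITY), vlan_id, mac)
    return min(bridges, key=key)


# Constructed topology reusing MAC addresses shown in the guide's output.
# R2 is made root for VLAN 100 and R3 for VLAN 200 with
# 'vlan N bridge-priority 4096', the per-VLAN root placement the section describes.
TOPOLOGY = {
    "R1": ("0001.e832.73f7", {}),
    "R2": ("0001.e80d.b6d6", {100: 4096}),
    "R3": ("0001.e811.2233", {200: 4096}),
}

if __name__ == "__main__":
    for vlan in (100, 200, 300):
        print(f"VLAN {vlan}: root is {elect_root(TOPOLOGY, vlan)}")
```

For VLAN 300, where nobody lowers the priority, all three bridges tie at 32768 + 300 and the lowest MAC address wins, which is the situation the section warns about when every VLAN ends up on the same topology.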
!
interface Vlan 300
 no ip address
 tagged GigabitEthernet 1/22,32
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096
Example of PVST+ Configuration (R2)
interface GigabitEthernet 2/12
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 2/32
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged GigabitEthernet 2/12,32
 no shutdown
!
interface Vlan 200
 no ip address
 tagged GigabitEthernet 2/12,32
 no shutdown
!
interface Vlan 300
 no ip addres
43 Quality of Service (QoS)
This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues.
Table 60.
Feature Direction Specify an Aggregate QoS Policy Egress Create Output Policy Maps Egress Enabling QoS Rate Adjustment Enabling Strict-Priority Queueing Weighted Random Early Detection Egress Create WRED Profiles Egress Figure 102.
• Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class
• Sample configuration to mark non-ecn packets as “yellow” with single traffic class
Implementation Information
The Dell EMC Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Honoring dot1p Priorities on Ingress Traffic By default, Dell EMC Networking OS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries.
Configuring Port-Based Rate Shaping Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted. If any stream exceeds the configured bandwidth on a continuous basis, it can consume all of the buffer space that is allocated to the port. Dell EMC Networking OS Behavior: Rate shaping is effectively rate limiting because of its smaller buffer size.
Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell EMC Networking OS matches packets against match criteria in the order that you configure them. Creating a Layer 3 Class Map A Layer 3 class map differentiates ingress packets based on the DSCP value or IP precedence, and characteristics defined in an IP ACL.
The following example matches the IPv4 and IPv6 traffic with a precedence value of 3:
DellEMC(conf)# class-map match-any test1
DellEMC(conf-class-map)#match ip-any precedence 3
Creating a Layer 2 Class Map
All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command. A Layer 2 class map differentiates traffic according to 802.1p value and/or VLAN and/or characteristics defined in a MAC ACL.
The following example shows incorrect traffic classifications.
Configuring Policy-Based Rate Policing
To configure policy-based rate policing, use the following command.
• Configure rate police ingress traffic.
  QOS-POLICY-IN mode
  rate-police
Setting a dot1p Value for Egress Packets
To set a dot1p value for egress packets, use the following command.
• Set a dscp or dot1p value for egress packets.
  QOS-POLICY-IN mode
  set mac-dot1p
Creating an Output QoS Policy
To create an output QoS policy, use the following commands.
1. Create an output QoS policy.
NOTE: For multicast queues, the 7th queue is shared by both data and control packets.
When you assign a percentage to one queue, note that this change also affects the amount of bandwidth that is allocated to other queues. Therefore, whenever you are allocating bandwidth to one queue, Dell EMC Networking recommends evaluating your bandwidth requirements for all other queues as well.
• Assign each queue a bandwidth percentage ranging from 1 to 100%, in increments of 1%.
Table 63.
Guaranteeing Bandwidth to dot1p-Based Service Queues
To guarantee bandwidth to dot1p-based service queues, use the following command. Apply this command in the same way as the bandwidth-percentage command in an output QoS policy (refer to Allocating Bandwidth to Queue). The bandwidth-percentage command in QOS-POLICY-OUT mode supersedes the service-class bandwidth-percentage command.
• Guarantee a minimum bandwidth to queues globally.
You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it. DSCP Color Maps This section describes how to configure color maps and how to display the color map and color map configuration.
Displaying DSCP Color Maps
To display DSCP color maps, use the show qos dscp-color-map command in EXEC mode.
Examples for Creating a DSCP Color Map
Display all DSCP color maps.
DellEMC# show qos dscp-color-map
Dscp-color-map mapONE
 yellow 4,7
 red 20,30
Dscp-color-map mapTWO
 yellow 16,55
Display a specific DSCP color map.
• Ethernet Type/Length: 2 bytes
• Payload: (variable)
• Cyclic redundancy check (CRC): 4 bytes
• Inter-frame gap (IFG): (variable)
You can optionally include overhead fields in rate metering calculations by enabling QoS rate adjustment. QoS rate adjustment is disabled by default.
• Specify the number of bytes of packet overhead to include in rate limiting, policing, and shaping calculations.
Figure 104. Packet Drop Rate for WRED
You can create a custom WRED profile or use one of the five pre-defined profiles.
Table 65. Pre-Defined WRED Profiles
Default Profile Name | Minimum Threshold | Maximum Threshold | Maximum Drop Rate
wred_drop | 0 | 0 | 100
wred_teng_y | 467 | 4671 | 100
wred_teng_g | 467 | 4671 | 50
wred_fortyg_y | 467 | 4671 | 50
wred_fortyg_g | 467 | 4671 | 25
Creating WRED Profiles
To create WRED profiles, use the following commands.
1. Create a WRED profile.
   CONFIGURATION mode
   wred-profile
2.
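What the thresholds in Table 65 mean for an individual packet, as an added example that is not Dell's implementation: it evaluates the drop probability of each pre-defined profile as the average queue depth grows. It assumes the standard RED curve (no drops below the minimum threshold, a linear rise to the maximum drop rate at the maximum threshold, tail drop above it); the guide gives the thresholds but not the curve.

```python
"""Added example, not Dell's implementation: the drop probability a WRED
profile applies as the average queue depth grows, using the five pre-defined
profiles from Table 65.  Assumes the standard RED curve: no drops below the
minimum threshold, a linear rise to the maximum drop rate at the maximum
threshold, and tail drop (every packet) at or above the maximum threshold."""
from __future__ import annotations

# name -> (minimum threshold, maximum threshold, maximum drop rate in %)
PREDEFINED_WRED_PROFILES = {
    "wred_drop":     (0, 0, 100),
    "wred_teng_y":   (467, 4671, 100),
    "wred_teng_g":   (467, 4671, 50),
    "wred_fortyg_y": (467, 4671, 50),
    "wred_fortyg_g": (467, 4671, 25),
}


def wred_drop_probability(avg_depth: int, min_thr: int, max_thr: int,
                          max_drop_pct: int) -> float:
    """Probability (0.0..1.0) that a packet is dropped at this average depth."""
    if min_thr < 0 or max_thr < min_thr or not 0 <= max_drop_pct <= 100:
        raise ValueError("invalid WRED profile values")
    if avg_depth < min_thr:
        return 0.0                       # below minimum threshold: never drop
    if avg_depth >= max_thr:
        return 1.0                       # at/above maximum threshold: tail drop
    # Only reached when max_thr > min_thr, so the division is safe.
    fraction = (avg_depth - min_thr) / (max_thr - min_thr)
    return fraction * max_drop_pct / 100


def profile_drop_probability(profile: str, avg_depth: int) -> float:
    """Look up a pre-defined profile by name and evaluate it."""
    try:
        min_thr, max_thr, max_drop = PREDEFINED_WRED_PROFILES[profile]
    except KeyError:
        raise ValueError(f"unknown WRED profile {profile!r}") from None
    return wred_drop_probability(avg_depth, min_thr, max_thr, max_drop)


def color_drop_probabilities(speed: str, avg_depth: int) -> dict[str, float]:
    """Compare the yellow (_y) and green (_g) profiles for 'teng' or 'fortyg'
    at the same depth: yellow traffic is dropped at least as often as green."""
    if speed not in ("teng", "fortyg"):
        raise ValueError("speed must be 'teng' or 'fortyg'")
    return {color: profile_drop_probability(f"wred_{speed}_{color}", avg_depth)
            for color in ("y", "g")}


if __name__ == "__main__":
    for depth in (0, 466, 467, 2569, 4670, 4671):
        print(depth, color_drop_probabilities("teng", depth))
```

Note that wred_drop, with both thresholds at 0, drops every packet under this model, and that the yellow/green pairs share thresholds and differ only in the maximum drop rate, so the colour assigned earlier by a class map or color map is what decides how aggressively a flow is cut back under congestion.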
   QOS-POLICY-OUT mode
   wred
Displaying Default and Configured WRED Profiles
To display the default and configured WRED profiles, use the following command.
• Display default and configured WRED profiles and their threshold values.
  EXEC mode
  show qos wred-profile
Example of the show qos wred-profile Command.
Pre-Calculating Available QoS CAM Space Before Dell EMC Networking OS version 7.3.1, there was no way to measure the number of CAM entries a policy-map would consume (the number of CAM entries that a rule uses is not predictable; from 1 to 16 entries might be used per rule depending upon its complexity). Therefore, it was possible to apply to an interface a policy-map that requires more entries than are available.
In a best-effort network topology, data packets are transmitted in a manner in which latency or throughput is not maintained to be at an effective level. Packets are dropped when the network experiences a large traffic load. This best-effort network deployment is not suitable for applications that are time-sensitive, such as video on demand (VoD) or voice over IP (VoIP) applications. In such cases, you can use ECN in conjunction with WRED to resolve the dropping of packets under congested conditions.
Queue Configuration Service-Pool Configuration WRED Threshold Relationship Expected Functionality Q threshold = Q-T, Service pool threshold = SP-T No ECN marking 1 1 0 X X Queue-based ECN marking above queue threshold. 1 X Q-T < SP-T ECN marking to shared buffer limits of the service-pool and then packets are tail dropped. SP-T < Q-T Same as above but ECN marking starts above SP-T.
In the existing software, ECE/CWR TCP flag qualifiers are not supported.
• Because this functionality forcibly marks all the packets matching the specific match criteria as ‘yellow’, Dell EMC Networking OS does not support Policer based coloring and this feature concurrently.
As a part of this feature, the 2-bit ECN field of the IPv4 packet is also available as one of the match qualifiers. This way, the entire 8-bit ToS field of the IPv4 header can be used to classify traffic. The Dell EMC Networking OS Release 9.3(0.0) supports the following QoS actions in ingress policy-based QoS:
1. Rate Policing
2. Queuing
3. Marking
For L3 routed packets, DSCP marking is the only marking action supported in the software.
Sample configuration to mark non-ecn packets as “yellow” with single traffic class
Consider the use case where packets with DSCP value 40 need to be enqueued in queue#2 and packets with DSCP value 50 need to be enqueued in queue#3, and all packets with an ECN value of ‘0’ must be marked as ‘yellow’. This requirement can be achieved using either of the two approaches.
 service-queue 2 class-map class_dscp_40
 service-queue 3 class-map class_dscp_50
Applying Layer 2 Match Criteria on a Layer 3 Interface
To process Layer 3 packets that contain a dot1p (IEEE 802.1p) VLAN Layer 2 header, configure VLAN tags on a Layer 3 port interface which is configured with an IP address but has no VLAN associated with it. You can also configure a VLAN sub-interface on the port interface and apply a policy map that classifies packets using the dot1p VLAN ID.
Dell(conf-qos-policy-in)#set ip-dscp 5
6. Create an input policy map.
   CONFIGURATION mode
   Dell(conf)#policy-map-input pp_policmap
7. Create a service queue to associate the class map and QoS policy map.
• SYN
• PSH
• RST
• URG
You can now use the ‘ecn’ match qualifier along with the above TCP flags for classification.
Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class
Consider the example where there are no different traffic classes, that is, all packets egress on the default ‘queue0’. Dell EMC Networking OS can be configured as below to mark the non-ecn packets as yellow.
!
ip access-list standard dscp_40_ecn
 seq 5 permit any dscp 40 ecn 1
 seq 10 permit any dscp 40 ecn 2
 seq 15 permit any dscp 40 ecn 3
!
ip access-list standard dscp_50_non_ecn
 seq 5 permit any dscp 50 ecn 0
!
ip access-list standard dscp_40_non_ecn
 seq 5 permit any dscp 40 ecn 0
!
class-map match-any class_dscp_40
 match ip access-group dscp_40_non_ecn set-color yellow
 match ip access-group dscp_40_ecn
!
class-map match-any class_dscp_50
 match ip access-group dscp_50_non_ecn set-color yellow
 match ip access-g
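The classification the ACL, class-map and service-queue lines above express, applied to an IPv4 ToS byte, as an added example that is not Dell's code. It splits the 8-bit ToS field into DSCP and ECN the way the feature description says, tries each class map's access groups in configured order, and returns the queue and colour; it assumes unmarked packets are green and unmatched packets use queue 0, and it does not model the second access group of class_dscp_50, which is cut off in the listing.

```python
"""Added example, not Dell's code: the classification that the ACL and
class-map configuration above expresses, evaluated on an IPv4 ToS byte.
The 8-bit ToS field is split into the 6-bit DSCP and 2-bit ECN field; each
class-map's access groups are tried in configured order and the first match
selects the queue (from the policy-map's service-queue lines) and the colour.
Assumptions: packets not marked yellow are green, unmatched packets use
queue 0, and the second access group of class_dscp_50 (cut off in the
listing above) is not modelled."""
from __future__ import annotations

DEFAULT_QUEUE = 0
DEFAULT_COLOR = "green"

# ACL name -> permitted (dscp, ecn) pairs, as in the 'ip access-list' blocks above
ACCESS_LISTS = {
    "dscp_40_ecn":     {(40, 1), (40, 2), (40, 3)},
    "dscp_50_non_ecn": {(50, 0)},
    "dscp_40_non_ecn": {(40, 0)},
}

# class-map match-any: (access group, colour from 'set-color' or None) in configured order
CLASS_MAPS = {
    "class_dscp_40": [("dscp_40_non_ecn", "yellow"), ("dscp_40_ecn", None)],
    "class_dscp_50": [("dscp_50_non_ecn", "yellow")],
}

# policy-map-input service-queue assignments from the listing above
SERVICE_QUEUES = {"class_dscp_40": 2, "class_dscp_50": 3}


def split_tos(tos: int) -> tuple[int, int]:
    """ToS byte -> (DSCP, ECN): DSCP is the upper 6 bits, ECN the lower 2."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS must be one byte")
    return tos >> 2, tos & 0x3


def make_tos(dscp: int, ecn: int) -> int:
    """Build a ToS byte from a DSCP codepoint and an ECN value."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0..63 and ECN 0..3")
    return (dscp << 2) | ecn


def classify(tos: int) -> tuple[int, str]:
    """Return (queue, colour) for a packet carrying this ToS byte."""
    dscp_ecn = split_tos(tos)
    for class_name, groups in CLASS_MAPS.items():
        for acl_name, color in groups:          # first matching access group wins
            if dscp_ecn in ACCESS_LISTS[acl_name]:
                return SERVICE_QUEUES[class_name], color or DEFAULT_COLOR
    return DEFAULT_QUEUE, DEFAULT_COLOR


if __name__ == "__main__":
    for dscp, ecn in ((40, 0), (40, 2), (50, 0), (50, 3), (0, 0)):
        print(f"dscp {dscp} ecn {ecn} -> queue/colour {classify(make_tos(dscp, ecn))}")
```

Because the non-ecn access group is listed first in each class map, a DSCP 40 packet with ECN 0 is coloured yellow while the same DSCP with any non-zero ECN stays green in the same queue, which is exactly the WRED behaviour the requirement asks for.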
44 Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Feature | Default
• Transmit RIPv1
RIP timers:
 • update timer = 30 seconds
 • invalid timer = 180 seconds
 • holddown timer = 180 seconds
 • flush timer = 240 seconds
Auto summarization | Enabled
ECMP paths supported | 16
Configuration Information
By default, RIP is disabled in Dell EMC Networking OS. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
 network 10.0.0.0
DellEMC(conf-router_rip)#
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
DellEMC#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 1/49
160.160.0.0/16 auto-summary
2.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 1/49
2.0.0.0/8 auto-summary
4.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 1/49
4.0.0.0/8 auto-summary
8.0.0.0/8 [120/1] via 29.10.10.
Assigning a Prefix List to RIP Routes Another method of controlling RIP (or any routing protocol) routing information is to filter the information through a prefix list. A prefix list is applied to incoming or outgoing routes. Those routes must meet the conditions of the prefix list; if not, Dell EMC Networking OS drops the route. Prefix lists are globally applied on all interfaces running RIP. Configure the prefix list in PREFIX LIST mode prior to assigning it to the RIP process.
  ROUTER RIP mode
  version {1 | 2}
• Set the RIP versions received on that interface.
  INTERFACE mode
  ip rip receive version [1] [2]
• Set the RIP versions sent out on that interface.
  INTERFACE mode
  ip rip send version [1] [2]
To see whether the version command is configured, use the show config command in ROUTER RIP mode.
The following example shows the RIP configuration after the ROUTER RIP mode version command is set to RIPv2.
DellEMC#
Generating a Default Route
Traffic is forwarded to the default route when the traffic’s network is not explicitly listed in the routing table. Default routes are not enabled in RIP unless specified. Use the default-information originate command in ROUTER RIP mode to generate a default route into RIP. In Dell EMC Networking OS, default routes received in RIP updates from other routers are advertised if you configure the default-information originate command.
• offset: the range is from 0 to 16.
• interface: the type, slot, and number of an interface.
To view the configuration changes, use the show config command in ROUTER RIP mode.
Debugging RIP
The debug ip rip command enables RIP debugging. When you enable debugging, you can view information on RIP protocol changes or RIP routes.
To enable RIP debugging, use the following command.
• Enable debugging of RIP.
  EXEC privilege mode
  debug ip rip [interface | database | events | trigger]
 network 10.0.0.0
 version 2
Core2(conf-router_rip)#
Core 2 RIP Output
The examples in this section show the Core 2 RIP output.
• To display the Core 2 RIP database, use the show ip rip database command.
• To display the Core 2 RIP setup, use the show ip route command.
• To display the Core 2 RIP activity, use the show ip protocols command.
The following example shows the show ip rip database command to view the learned RIP routes on Core 2.
Outgoing filter for all interfaces is
Incoming filter for all interfaces is
Default redistribution metric is 1
Default version control: receive version 2, send version 2
 Interface             Recv  Send
 GigabitEthernet 2/4   2     2
 GigabitEthernet 2/5   2     2
 GigabitEthernet 2/3   2     2
 GigabitEthernet 2/11  2     2
Routing for Networks:
 10.300.10.0
 10.200.10.0
 10.11.20.0
 10.11.10.0
Routing Information Sources:
 Gateway      Distance    Last Update
 10.11.20.
The following example shows the show ip route command to view the RIP setup on Core 3.
 no shutdown
!
interface GigabitEthernet 2/5
 ip address 10.250.10.1/24
 no shutdown
router rip
 version 2
 10.200.10.0
 10.300.10.0
 10.11.10.0
 10.11.20.0
The following example shows viewing the RIP configuration on Core 3.
!
interface GigabitEthernet 3/1
 ip address 10.11.30.1/24
 no shutdown
!
interface GigabitEthernet 3/2
 ip address 10.11.20.1/24
 no shutdown
!
interface GigabitEthernet 3/4
 ip address 192.168.1.1/24
 no shutdown
!
interface GigabitEthernet 3/5
 ip address 192.168.2.
45 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell EMC Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
[no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string]
Configure the alarm using the following optional parameters:
• number: alarm number, an integer from 1 to 65,535; the value must be unique in the RMON Alarm Table.
• variable: the MIB object to monitor — the variable must be in SNMP OID format; for example, 1.3.6.1.2.1.1.3.
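The threshold logic behind rmon hc-alarm, as an added example that is not Dell's implementation: it applies the RMON alarm group rules (RFC 2819) to constructed samples of a 64-bit counter, using the sysUpTime OID from the parameter list as a placeholder variable. The event numbers, thresholds and sample values are constructed.

```python
"""Added example, not Dell's implementation: the threshold logic behind
'rmon hc-alarm' as specified for the RMON alarm group (RFC 2819), applied to
constructed samples of a 64-bit (high-capacity) counter.  A rising event
fires when the sampled value reaches rising-threshold and cannot fire again
until the value has dropped to falling-threshold (and vice versa), which is
what keeps a counter hovering around one threshold from flooding the event
log.  The OID is the guide's own example; events and samples are placeholders."""
from __future__ import annotations
from typing import Optional

COUNTER64_MODULUS = 2 ** 64


def delta_with_wrap(previous: int, current: int) -> int:
    """Difference between two Counter64 samples, allowing for a wrap to 0."""
    return (current - previous) % COUNTER64_MODULUS


class HcAlarm:
    def __init__(self, number: int, variable: str, interval: int, sample_type: str,
                 rising_threshold: int, rising_event: int,
                 falling_threshold: int, falling_event: int) -> None:
        if not 1 <= number <= 65535:
            raise ValueError("alarm number must be 1..65535")
        if sample_type not in ("delta", "absolute"):
            raise ValueError("sample type must be 'delta' or 'absolute'")
        if falling_threshold > rising_threshold:
            raise ValueError("falling-threshold must not exceed rising-threshold")
        self.number, self.variable, self.interval = number, variable, interval
        self.sample_type = sample_type
        self.rising_threshold, self.rising_event = rising_threshold, rising_event
        self.falling_threshold, self.falling_event = falling_threshold, falling_event
        self._last_raw: Optional[int] = None
        # RFC 2819 startup behaviour (risingOrFallingAlarm): either threshold
        # may fire on the first comparison.
        self._armed = {"rising", "falling"}

    def _sample_value(self, raw: int) -> Optional[int]:
        """Absolute alarms compare the raw value; delta alarms compare the
        change since the previous poll, so the first delta poll yields nothing."""
        if self.sample_type == "absolute":
            return raw
        previous, self._last_raw = self._last_raw, raw
        if previous is None:
            return None
        return delta_with_wrap(previous, raw)

    def sample(self, raw: int) -> Optional[int]:
        """Feed one polled value; return the event number fired, if any."""
        value = self._sample_value(raw)
        if value is None:
            return None
        if value >= self.rising_threshold and "rising" in self._armed:
            self._armed = {"falling"}    # rising re-arms only after a falling crossing
            return self.rising_event
        if value <= self.falling_threshold and "falling" in self._armed:
            self._armed = {"rising"}
            return self.falling_event
        return None


def run_alarm(alarm: HcAlarm, samples: list[int]) -> list[Optional[int]]:
    """Replay a sample series and collect the event fired at each poll."""
    return [alarm.sample(raw) for raw in samples]


if __name__ == "__main__":
    # Constructed: absolute alarm, rising 100 -> event 1, falling 50 -> event 2.
    abs_alarm = HcAlarm(1, "1.3.6.1.2.1.1.3", 30, "absolute", 100, 1, 50, 2)
    print(run_alarm(abs_alarm, [10, 120, 130, 60, 40, 110]))
```

The delta form is the one that matters for traffic-rate alarms on 64-bit interface counters: the wrap-safe subtraction keeps a counter rollover from producing a huge negative delta that would silently never cross the rising threshold.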
Configuring RMON Collection Statistics
To enable RMON MIB statistics collection on an interface, use the rmon collection statistics command in INTERFACE CONFIGURATION mode.
• Enable RMON MIB statistics collection.
  CONFIGURATION INTERFACE (config-if) mode
  [no] rmon collection statistics {controlEntry integer} [owner ownername]
• controlEntry: specifies the RMON group of statistics using a value.
• integer: a value from 1 to 65,535 that identifies the RMON Statistics Table.
46 Rapid Spanning Tree Protocol (RSTP)
Protocol Overview
RSTP is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). The Dell EMC Networking OS supports three other variations of spanning tree, as shown in the following table.
Table 68.
RSTP and VLT Virtual link trunking (VLT) provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures. Spanning tree topology changes are distributed to the entire Layer 2 network, which can cause a network-wide flush of learned media access control (MAC) and address resolution protocol (ARP) addresses, requiring these addresses to be re-learned.
   protocol spanning-tree rstp
2. Enable RSTP.
   PROTOCOL SPANNING TREE RSTP mode
   no disable
To disable RSTP globally for all Layer 2 interfaces, enter the disable command from PROTOCOL SPANNING TREE RSTP mode.
To verify that RSTP is enabled, use the show config command from PROTOCOL SPANNING TREE RSTP mode. The bold line indicates that RSTP is enabled.
DellEMC(conf-rstp)#show config
!
protocol spanning-tree rstp
 no disable
DellEMC(conf-rstp)#
Figure 106.
Port 378 (GigabitEthernet 2/2) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.378
Designated root has priority 32768, address 0001.e801.cbb4
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.
• Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state.
• Hello-time — the time interval in which the bridge sends RSTP BPDUs.
• Max-age — the length of time the bridge maintains configuration information before it refreshes that information by recomputing the RST topology.
NOTE: Dell EMC Networking recommends that only experienced network administrators change the Rapid Spanning Tree group parameters.
  snmp-server enable traps xstp
Modifying Interface Parameters
On interfaces in Layer 2 mode, you can set the port cost and port priority values.
• Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states. The bpduguard shutdown-on-violation option causes the interface hardware to be shut down when it receives a BPDU.
The range is from 50 to 950 milliseconds.
DellEMC(conf-rstp)#do show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
 Root ID Priority 0, Address 0001.e811.2233
 Root Bridge hello time 50 ms, max age 20, forward delay 15
 Bridge ID Priority 0, Address 0001.e811.2233
 We are the root
 Configured hello time 50 ms, max age 20, forward delay 15
NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second.
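What that 1/256-second encoding means for a sub-second hello time, as an added example that is not code from the guide: it encodes and decodes the BPDU timer fields and shows that a 50 ms hello cannot be carried exactly. Rounding to the nearest tick is an assumption; the timer values are those from the show output above.

```python
"""Added example, not code from the guide: how the RSTP hello time (and the
other BPDU timers) are encoded on the wire.  IEEE 802.1D carries each timer
as a 16-bit field in units of 1/256 second, so the 50..950 ms hello range the
guide allows is only approximated; the functions below show the rounding
error and reject values outside the guide's range.  Rounding to the nearest
tick is an assumption."""
from __future__ import annotations
import struct

TICKS_PER_SECOND = 256
MAX_TICKS = 0xFFFF
HELLO_MIN_MS, HELLO_MAX_MS = 50, 950     # hello-time range accepted per the guide


def encode_timer(milliseconds: float) -> int:
    """Milliseconds -> 16-bit BPDU tick count (1/256 s units), nearest tick."""
    if milliseconds < 0:
        raise ValueError("timer cannot be negative")
    ticks = round(milliseconds * TICKS_PER_SECOND / 1000)
    if ticks > MAX_TICKS:
        raise ValueError("timer does not fit in a 16-bit BPDU field")
    return ticks


def decode_timer(ticks: int) -> float:
    """16-bit BPDU tick count -> milliseconds actually signalled to peers."""
    if not 0 <= ticks <= MAX_TICKS:
        raise ValueError("ticks must fit in 16 bits")
    return ticks * 1000 / TICKS_PER_SECOND


def hello_encoding_error_ms(hello_ms: float) -> float:
    """Difference between the configured sub-second hello and what peers see."""
    if not HELLO_MIN_MS <= hello_ms <= HELLO_MAX_MS:
        raise ValueError(f"hello-time must be {HELLO_MIN_MS}..{HELLO_MAX_MS} ms")
    return decode_timer(encode_timer(hello_ms)) - hello_ms


def encode_bpdu_timers(message_age_s: float, max_age_s: float,
                       hello_ms: float, forward_delay_s: float) -> bytes:
    """Pack the four timer fields in their 802.1D BPDU order, big-endian:
    Message Age, Max Age, Hello Time, Forward Delay."""
    return struct.pack(">HHHH",
                       encode_timer(message_age_s * 1000),
                       encode_timer(max_age_s * 1000),
                       encode_timer(hello_ms),
                       encode_timer(forward_delay_s * 1000))


if __name__ == "__main__":
    # Values from the 'show spanning-tree rstp brief' output above.
    print(encode_bpdu_timers(0, 20, 50, 15).hex())
    print(f"50 ms hello is signalled as {decode_timer(encode_timer(50))} ms")
```

A configured 50 ms hello becomes 13 ticks, which peers read back as 50.78 ms; the integer-second max age and forward delay encode exactly.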
47 Software-Defined Networking (SDN)
48 Security This chapter describes several ways to provide security to the Dell EMC Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide.
aaa accounting {commands level | dot1x | exec | rest | suppress | system} {default | name} {start-stop | wait-start | stop-only} {radius | tacacs+}
The variables are:
• system: sends accounting information of any other AAA configuration.
• exec: sends accounting information when a user has logged in to EXEC mode.
• dot1x: sends accounting information when a dot1x user has logged in to EXEC mode.
• command level: sends accounting of commands executed at the specified privilege level.
Monitoring AAA Accounting Dell EMC Networking OS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command. • Step through all active sessions and print all the accounting records for the actively accounted functions.
 Acct-Multi-Session-Id = "1e-3c-39-b3-00-00-00-11-33-44-77-88-6c-b3-d5-5cc"
 Acct-Status-Type = Start
 Event-Timestamp = "May 10 2019 12:20:43 CDT"
 Tmp-String-9 = "ai:"
 Acct-Unique-Session-Id = "2d6c5beef615d18fa21bbde29411f6d5"
 Timestamp = 1557508843
EAP STOP accounting record:
Fri May 10 12:22:15 2019
 NAS-IP-Address = 10.16.133.
RADIUS Accounting attributes
The following tables describe the various types of attributes that identify the supplicant sessions:
Table 70. RADIUS Accounting Start Record Attributes for CLI user
RADIUS Attribute code | RADIUS Attribute | Description
NAS Identification Attributes
4 | NAS-IP-Address | IPv4 address of the NAS.
95 | NAS-IPv6-Address | IPv6 address of the NAS.
Session Identification Attributes
1 | User-Name | User name.
5 | NAS-Port | Port on which session is connected (CLI Session-Id).
CLI event | Accounting type | Attributes
CLI user session disconnects due to Dynamic authorization | Stop | Stop record attributes with termination cause as Admin Reset (6).
Table 73. RADIUS Accounting Start Record Attributes for dot1x supplicant
RADIUS Attribute code | RADIUS Attribute | Description
4 | NAS-IP-Address | IPv4 address of the NAS.
95 | NAS-IPv6-Address | IPv6 address of the NAS.
RADIUS Attribute code | RADIUS Attribute | Description
51 | Acct-Link-Count | 1
46 | Acct-Session-Time | Time the user has received the service.
49 | Acct-Terminate-Cause | Reason for session termination.
61 | NAS-Port-Type | Ethernet
NOTE: During administrator-initiated reload and system failover events, the accounting Stop records for the 802.1x authorized supplicants are not sent to the RADIUS server.
Table 75.
AAA Authentication Dell EMC Networking OS supports a distributed client/server system implemented through authentication, authorization, and accounting (AAA) to help secure networks against unauthorized access.
   CONFIGURATION mode
   line {aux 0 | console 0 | vty number [... end-number]}
3. Assign a method-list-name or the default list to the terminal line.
   LINE mode
   login authentication {method-list-name | default}
To view the configuration, use the show config command in LINE mode or the show running-config in EXEC Privilege mode.
NOTE: Dell EMC Networking recommends using the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with secure shell (SSH).
Server-Side Configuration
Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or RADIUS server.
• TACACS+ — When using TACACS+, Dell EMC Networking sends an initial packet with service type SVC_ENABLE, and then sends a second packet with just the password. The TACACS server must have an entry for username $enable$.
If you are using role-based access control (RBAC), only the system administrator and security administrator roles can enable the service obscure-password command.
To enable the obscuring of passwords and keys, use the following command.
• Turn on the obscuring of passwords and keys in the configuration.
  CONFIGURATION mode
  service obscure-passwords
Example of Obscuring Password and Keys
DellEMC(config)# service obscure-passwords
AAA Authorization
Dell EMC Networking OS enables AAA new-model by default.
Configuring a Username and Password
In Dell EMC Networking OS, you can assign a specific username to limit user access to the system.
To configure a username and password, use the following command.
• Assign a user name and password.
  CONFIGURATION mode
  username name [access-class access-list-name] [nopassword | password [encryption-type] password] [privilege level] [secret]
Configure the optional and required parameters:
• name: Enter a text string up to 63 characters long.
Configure the optional and required parameters:
• name: Enter a text string up to 63 characters long.
• access-class access-list-name: Restrict access by access-class.
• privilege level: The range is from 0 to 15.
• nopassword: No password is required for the user to log in.
• encryption-type: Enter 0 for plain text or 7 for encrypted text.
• password: Enter a string. Specify the password for the user.
• secret: Specify the secret for the user.
2. Configure a password for privilege level.
The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8. In EXEC Privilege mode, john can access only the commands listed. In CONFIGURATION mode, john can access only the snmp-server commands.
apollo% telnet 172.31.1.53
Trying 172.31.1.53...
Connected to 172.31.1.53.
Escape character is '^]'.
If you enter disable without a level-number, your security level is 1. RADIUS Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol. This protocol transmits authentication, authorization, and configuration information between a central RADIUS server and a RADIUS client (the Dell EMC Networking system). The system sends user information to the RADIUS server and requests authentication of the user and password.
Auto-Command
You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. The auto-command command is executed when the user is authenticated and before the prompt appears to the user.
• Automatically execute a command.
  auto-command
Privilege Levels
Through the RADIUS server, you can configure a privilege level for the user to enter into when they connect to a session. This value is configured on the client system.
• Set a privilege level.
  line {aux 0 | console 0 | vty number [end-number]}
• Enable AAA login authentication for the specified RADIUS method list.
  LINE mode
  login authentication {method-list-name | default}
• This procedure is mandatory if you are not using default lists.
To use the method list.
  CONFIGURATION mode
  radius-server retransmit retries
  • retries: the range is from 0 to 100. Default is 3 retries.
• Configure the time interval the system waits for a RADIUS server host response.
  CONFIGURATION mode
  radius-server timeout seconds
  • seconds: the range is from 0 to 1000. Default is 5 seconds.
To view the configuration of RADIUS communication parameters, use the show running-config command in EXEC Privilege mode.
Configure RADIUS attributes 8, 87 and 168
Dell EMC Networking OS supports RADIUS attribute provisioning to indicate to the RADIUS server the IP address to be assigned to a supplicant and the port to which the supplicant is connected. A supplicant is a device attempting to access the network.
Attribute 8
The RADIUS attribute 8 (Framed-IP-Address) indicates to the RADIUS server the IPv4 address that needs to be assigned to a supplicant connected to the switch.
Standard compliance
Dell EMC Networking OS complies with the following standards:
• RFC4849 for RADIUS NAS-Filter-Rule attribute
• RFC2865 for Filter-Id attribute
Configuration notes
Consider the following when configuring RADIUS-assigned DACL in the switch:
• RADIUS-assigned DACLs are applicable only for the inbound traffic on a specific port of the switch or supplicant.
• NAS supports unique session based on RADIUS-assigned DACLs using the MAC address of the 802.1x client.
fedgovacl     : 0
nlbclusteracl : 0
radiusv4acl   : 2
Configure RADIUS-assigned DACL
The switch assigns a RADIUS-assigned DACL to a port or user regardless of any statically configured ACLs on a port or VLAN to which the port is assigned. NAS applies RADIUS-assigned DACLs in two ways:
1. RADIUS NAS-Filter-Rule attribute - The RADIUS server pushes the defined DACLs when a supplicant gets authenticated. The ACLs are not pre-provisioned in the NAS.
2.
seq 37 permit ip host 1.1.1.1 host 2.2.2.2 dscp 63 ecn 3 fragments log monitor no-drop order 254
seq 42 permit ip any host 150.0.0.100 dscp 63 ecn 3
seq 47 permit ip 100.0.0.0/28 200.0.0.0/23
seq 52 permit ip 100.0.0.0/16 any
seq 57 permit icmp host 1.1.1.1 200.0.0.0/23
seq 62 permit icmp any 200.0.0.0/27
seq 67 permit icmp host 1.1.1.1 any
seq 72 permit udp 1.1.1.1 1.1.1.1 eq 65535 2.2.2.2 2.2.2.
Max-Supplicants: 128
Port status and State info for Supplicant: 06:32:42:61:00:00
Port Auth Status:   AUTHORIZED
Untagged VLAN id:   None
ACL Name:           __Rad_3_632426100
Auth PAE State:     Authenticated
Backend State:      Idle
Filter-Id attribute
The NAS dynamically applies the ACLs that are created using the OS9 CLI to a supplicant after authentication. Dell EMC Networking OS allows you to apply the same filter for a user ACL and a RADIUS ACL on different interfaces.
seq 47 permit ip 100.0.0.0/28 200.0.0.0/23
seq 52 permit ip 100.0.0.0/16 any
seq 57 permit icmp host 1.1.1.1 200.0.0.0/23
seq 62 permit icmp any 200.0.0.0/27
seq 67 permit icmp host 1.1.1.1 any
seq 72 permit udp 1.1.1.1 1.1.1.1 eq 65535 2.2.2.2 2.2.2.2 eq 65535
!
Extended Ingress IP access list test1 on GigabitEthernet 2/1 (Radius-ACL) Supplicant MAC-38:8f:17:91:00:00
Total cam count 3
seq 5 permit ip host 10.10.10.10 host 20.20.20.20 count (0 packets)
seq 10 permit ip host 100.0.0.1 host 200.0.0.
Table 76. NAS Identification Attributes
Attribute code | Attribute | Description
4 | NAS-IP-Address | IPv4 address of the NAS.
95 | NAS-IPv6-Address | IPv6 address of the NAS.
Table 77. Change of Authorization (CoA) Attribute
Attribute code | Attribute | Description
5 | NAS-Port | Port associated with the session to be processed for EAP or MAB users or the VTY ID for AAA sessions.
Table 78.
Radius Attribute code | Radius Attribute | Description | Mandatory
5 | NAS-Port | Port on which session is terminated | Yes, if Calling-Station-Id attribute is not provided
31 | Calling-Station-Id | The link address from which session is connected. | Yes, if NAS-Port attribute is not provided
Authorization Attributes
26 | Vendor-Specific | t=26(vendor-specific);l=length;vendor-identification attribute;Length=value; Data="cmd=re-authenticate" | Yes
Table 82.
Table 85. DM AAA Session(s) disconnect
Radius Attribute code | Radius Attribute | Description | Mandatory
NAS Identification Attributes
4 | NAS-IP-Address | IPv4 address of the NAS. | No
95 | NAS-IPv6-Address | IPv6 address of the NAS.
• responds with CoA-Nak, if no matching session is found for the session identification attributes in CoA; Error-Cause value is "Session Context Not Found" (503).
• responds with CoA-Nak, for any internal processing error in NAS; Error-Cause value is "Resources Unavailable" (506).
• ignores attributes that are supported as per RFC but irrelevant to the CoA operations.
Disconnect Message Processing
This section lists various actions that the NAS performs during DM processing. The following activities are performed by NAS:
• responds with DM-Nak, if no matching session is found in NAS for the session identification attributes in DM; Error-Cause value is "Session Context Not Found" (503).
• responds with DM-Nak for any internal processing error in NAS; Error-Cause value is "Resources Unavailable" (506).
• NAS server listens on the Management IP UDP port 3799 (default) or the port configured through CLI.
• AAA session for the user is active.
NAS uses the user-name or both the user-name as well as the NAS-Port attribute to identify the AAA user session. NAS disconnects all sessions related to the user, if the user-name is provided without NAS-port.
1. Enter the following command to configure the dynamic authorization feature:
   radius dynamic-auth
2. Enter the following command to terminate the 802.
• The user is logged in through an 802.1X-enabled physical port and successfully authenticated with the RADIUS server.
To initiate 802.1x session re-authentication, the DAC sends a standard CoA request that contains one or more session identification attributes. NAS uses the calling-station-id or the NAS-port attributes to identify an 802.1x user session. In case of the EAP or MAB users, the MAC address is the calling-station-id of the supplicant and the NAS-port is the interface identifier.
Disabling 802.1x enabled port
Dell EMC Networking OS provides RADIUS extension commands that enable you to disable 802.1x enabled ports. This command administratively shuts down the port, causing the termination of the dot1x user session. This command is useful when a port is known to cause issues in the network and needs to be disabled. Before disabling the 802.1x enabled port, ensure that the following prerequisites are satisfied:
• Shared key is configured in NAS for DAC.
Configuring replay protection
NAS enables you to configure the replay protection window period. NAS drops the packets if duplicate packets are received within the replay protection window period. The default value is 5 minutes.
Enter the following command to configure replay protection:
replay-prot-window minutes
NAS considers the new replay protection window value from the next window period. The range is from 1 to 10 minutes. The default is 5 minutes.
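The CoA and DM processing rules above, together with the replay-protection window, as an added example that is not Dell EMC Networking OS code: a toy NAS-side handler for RFC 5176 CoA and Disconnect requests that verifies the Request Authenticator, drops replays inside the window, locates sessions by Calling-Station-Id, NAS-Port or User-Name, and answers with ACK or NAK plus the Error-Cause values quoted above. The shared key, session table, identifiers and timestamps are constructed sample values, and treating a malformed attribute list as an internal processing error (506) is an assumption.

```python
import hashlib
import struct

# Packet codes (RFC 5176); session identification attributes; Error-Cause values
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, NAS_PORT, CALLING_STATION_ID, ERROR_CAUSE = 1, 5, 31, 101
SESSION_CONTEXT_NOT_FOUND, RESOURCES_UNAVAILABLE = 503, 506

SECRET = b"example-shared-key"  # constructed DAC/NAS shared key
SESSIONS = [  # constructed: one 802.1x supplicant and two VTY logins of "admin"
    {"user": "host-a", "mac": "06:32:42:61:00:00", "port": 1},
    {"user": "admin", "mac": "", "port": 101},
    {"user": "admin", "mac": "", "port": 102},
]

def encode_attrs(attrs):
    """Serialise [(type, value)] as RADIUS TLVs; ints become 4-byte integers."""
    out = b""
    for typ, val in attrs:
        val = struct.pack(">I", val) if isinstance(val, int) else val
        out += bytes([typ, len(val) + 2]) + val
    return out

def decode_attrs(data):
    """Parse RADIUS TLVs into {type: raw value}; raise on a malformed TLV."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_request(code, ident, attrs, secret):
    """DAC side: Request Authenticator = MD5(Code+ID+Len+16 zero octets+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack(">BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def build_response(code, ident, request_auth, attrs, secret):
    """NAS side: Response Authenticator = MD5(Code+ID+Len+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack(">BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_response(packet):
    # Returns (code, Error-Cause value or None) from an ACK/NAK packet
    code, _, length = struct.unpack(">BBH", packet[:4])
    cause = decode_attrs(packet[20:length]).get(ERROR_CAUSE)
    return code, (struct.unpack(">I", cause)[0] if cause else None)

class Nas:
    def __init__(self, secret, sessions, replay_window_minutes=5):
        self.secret, self.sessions = secret, [dict(s) for s in sessions]
        self.window = replay_window_minutes * 60  # replay-prot-window, default 5 min
        self.seen = {}                             # (ident, authenticator) -> time seen

    def _matches(self, attrs):
        """802.1x sessions match on Calling-Station-Id (MAC) or NAS-Port; AAA sessions
        on User-Name, optionally narrowed by NAS-Port (the VTY id)."""
        keys = {USER_NAME: "user", CALLING_STATION_ID: "mac", NAS_PORT: "port"}
        wanted = {keys[t]: (struct.unpack(">I", v)[0] if t == NAS_PORT else v.decode())
                  for t, v in attrs.items() if t in keys}
        # User-Name alone selects every session of that user; no identifier -> nothing
        return [s for s in self.sessions if wanted and all(s[k] == v for k, v in wanted.items())]

    def handle(self, packet, now):
        """Return the ACK/NAK to send, or None when the request is silently dropped."""
        code, ident, length = struct.unpack(">BBH", packet[:4])
        req_auth, body = packet[4:20], packet[20:length]
        is_coa = code == COA_REQUEST
        ack, nak = (COA_ACK, COA_NAK) if is_coa else (DISCONNECT_ACK, DISCONNECT_NAK)
        # Wrong shared key: the Request Authenticator does not verify, so drop it.
        if hashlib.md5(packet[:4] + bytes(16) + body + self.secret).digest() != req_auth:
            return None
        # Replay protection: a duplicate seen inside the window is dropped.
        key = (ident, req_auth)
        if key in self.seen and now - self.seen[key] < self.window:
            return None
        self.seen[key] = now
        try:
            hits = self._matches(decode_attrs(body))
        except (ValueError, struct.error):  # assumed: treated as internal processing error
            return build_response(nak, ident, req_auth, [(ERROR_CAUSE, RESOURCES_UNAVAILABLE)], self.secret)
        if not hits:
            return build_response(nak, ident, req_auth, [(ERROR_CAUSE, SESSION_CONTEXT_NOT_FOUND)], self.secret)
        if is_coa:
            for s in hits:
                s["reauth"] = True  # CoA: re-authenticate the matched session(s)
        else:
            self.sessions = [s for s in self.sessions if s not in hits]  # DM: tear down
        return build_response(ack, ident, req_auth, [], self.secret)

def demo():
    # DM for user "admin" (both VTY sessions), its replay, then a CoA for an unknown MAC
    nas = Nas(SECRET, SESSIONS)
    dm = build_request(DISCONNECT_REQUEST, 7, [(USER_NAME, b"admin")], SECRET)
    first = parse_response(nas.handle(dm, now=1000))
    replay = nas.handle(dm, now=1060)
    coa = build_request(COA_REQUEST, 8, [(CALLING_STATION_ID, b"00:00:00:00:00:99")], SECRET)
    unknown = parse_response(nas.handle(coa, now=1100))
    return first, replay, unknown, len(nas.sessions)
```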
To select TACACS+ as the login authentication method, use the following commands.
1. Configure a TACACS+ server host.
   CONFIGURATION mode
   tacacs-server host {ip-address | host}
   Enter the IP address or host name of the TACACS+ server. Use this command multiple times to configure multiple TACACS+ server hosts.
2. Enter a text string (up to 16 characters long) as the name of the method list you wish to use with the TACACS+ authentication method.
Monitoring TACACS+
To view information on TACACS+ transactions, use the following command.
• View TACACS+ transactions to troubleshoot problems.
  EXEC Privilege mode
  debug tacacs+
TACACS+ Remote Authentication
The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet sizes.
Command Authorization The AAA command authorization feature configures Dell EMC Networking OS to send each configuration command to a TACACS server for authorization before it is added to the running configuration. By default, the AAA authorization commands configure the system to check both EXEC mode and CONFIGURATION mode commands. Use the no aaa authorization config-commands command to enable only EXEC mode command checking.
sha2-256-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1sha1,diffie-hellman-group14-sha1.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
Vty   Encryption   HMAC   Remote IP
DellEMC(conf)#
To disable SSH server functions, use the no ip ssh server enable command.
Removing the RSA Host Keys and Zeroizing Storage
Use the crypto key zeroize rsa command to delete the host key pairs, both the public and private key information for RSA 1 and/or RSA 2 types. Note that when FIPS mode is enabled there is no RSA 1 key pair. Any memory currently holding these keys is zeroized (written over with zeroes) and the NVRAM location where the keys are stored for persistence across reboots is also zeroized.
Configuring the HMAC Algorithm for the SSH Server
To configure the HMAC algorithm for the SSH server, use the ip ssh server mac hmac-algorithm command in CONFIGURATION mode.
hmac-algorithm: Enter a space-delimited list of keyed-hash message authentication code (HMAC) algorithms supported by the SSH server.
CONFIGURATION mode
[no] ip ssh server dns enable
To disable the DNS in the SSH server configuration, use the no version of this command. To view the status of DNS in the SSH server configuration, use the show running-config ip ssh command from EXEC mode.
If you provide the username, the Dell EMC Networking OS installs the public key for that specific user. If no user is associated with the current logged-in session, the system displays the following error message.
% Error: No username set for this term.
admin@Unix_client#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.
The following example shows creating rhosts.
admin@Unix_client# ls
id_rsa  id_rsa.pub  rhosts  shosts
admin@Unix_client# cat rhosts
10.16.127.201 admin
Using Client-Based SSH Authentication
To SSH from the chassis to the SSH client, use the following command. If the SSH port is a non-default value, use the ip ssh server port number command to change the default port number. You may only change the port number when SSH is disabled. Then use the -p option with the ssh command.
Authentication Method | VTY access-class support? | Username access-class support? | Remote authorization support?
TACACS+ | YES | NO | YES (with version 5.2.1.0 and later)
RADIUS | YES | NO | YES (with version 6.1.1.0 and later)
Dell EMC Networking OS provides several ways to configure access classes for VTY lines, including:
• VTY Line Local Authentication and Authorization
• VTY Line Remote Authentication and Authorization
VTY Line Local Authentication and Authorization retrieves the access class from the local database.
DellEMC(conf)#
DellEMC(conf)#line vty 0 9
DellEMC(config-line-vty)#login authentication tacacsmethod
DellEMC(config-line-vty)#
DellEMC(config-line-vty)#access-class deny10
DellEMC(config-line-vty)#end
(same applies for radius and line authentication)
VTY MAC-SA Filter Support
Dell EMC Networking OS supports MAC access lists which permit or deny users based on their source MAC address. With this approach, you can implement a security policy based on the source MAC address.
flexibility in assigning permissions for each command to each role and as a result, it is easier and much more efficient to administer user rights. If a user’s role matches one of the allowed user roles for that command, then command authorization is granted. A constrained RBAC model provides for separation of duty and as a result, provides greater security than the hierarchical RBAC model.
line console 0
 login authentication test
 authorization exec test
 exec-timeout 0 0
line vty 0
 login authentication test
 authorization exec test
line vty 1
 login authentication test
 authorization exec test
To enable role-based only AAA authorization, enter the following command in Configuration mode:
DellEMC(conf)#aaa authorization role-only
System-Defined RBAC User Roles
By default, the Dell EMC Networking OS provides 4 system-defined user roles. You can create up to 8 additional user roles.
• permissions.
• The security administrator and roles inherited by the security administrator can only modify permissions for commands they already have access to.
Make sure you select the correct role you want to inherit. If you inherit a user role, you cannot modify or delete the inheritance. If you want to change or remove the inheritance, delete the user role and create it again. If the user role is in use, you cannot delete the user role.
1.
The following example denies the netadmin role from using the show users command and then verifies that netadmin cannot access the show users command in EXEC mode. Note that the netadmin role is not listed in the output line Role access: secadmin,sysadmin, which means that netadmin cannot access the show users command.
By default, the system-defined role, secadmin, is not allowed to configure protocols. The following example first grants the secadmin role the ability to configure protocols and then removes that access again.
DellEMC(conf)#role configure addrole secadmin protocol
DellEMC(conf)#role configure deleterole secadmin protocol
Example: Resets Only the Security Administrator role to its original setting.
The following example resets only the secadmin role to its original setting.
NOTE: Authentication services only validate the user ID and password combination. To determine which commands are permitted for users, configure authorization. For information about how to configure authorization for roles, see Configure AAA Authorization for Roles. To configure AAA authentication, use the aaa authentication command in CONFIGURATION mode.
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 4
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 5
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 6
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 7
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 8
 login authenticat
Role Accounting
This section describes how to configure role accounting and how to display active sessions for roles. This section consists of the following topics:
• Configuring AAA Accounting for Roles
• Applying an Accounting Method to a Role
• Displaying Active Accounting Sessions for Roles
Configuring AAA Accounting for Roles
To configure AAA accounting for roles, use the aaa accounting command in CONFIGURATION mode.
Displaying User Roles
To display user roles, use the show userroles and show users commands in EXEC Privilege mode.
• If the credentials are valid:
  • RADIUS server sends a request to the SMS-OTP daemon to generate an OTP for the user.
  • A challenge authentication is sent from the RADIUS server as Reply-Message attribute.
  • If the Reply-Message attribute is not sent from the RADIUS server, the default text is the Response.
  • 2FA is successful only on providing the correct OTP.
• If the credentials are invalid, the authentication fails.
NOTE: 2FA does not support RADIUS authentications done with REST, Web UI, and OMI.
This module requires NAS for handling the access challenge from the RADIUS server. NAS sends the input OTP in an Access-Request to the RADIUS server, and the user authentication succeeds or fails depending upon the Access-Accept or Access-Reject response received at NAS from the RADIUS server.
Configuring the System to Drop Certain ICMP Reply Messages
You can configure the Dell EMC Networking OS to drop ICMP reply messages.
ICMPv6 message types
Who are you request (139)
Who are you reply (140)
Mtrace response (200)
Mtrace messages (201)
NOTE: The Dell EMC Networking OS does not suppress the following ICMPv6 message types:
• Packet too big (2)
• Echo request (128)
• Multicast listener query (130)
• Multicast listener report (131)
• Multicast listener done (132)
• Router solicitation (133)
• Router advertisement (134)
• Neighbor solicitation (135)
• Neighbor advertisement (136)
• Redirect (137)
• Router renumbering (138)
   verified boot
2. Verify the hash checksum of the current OS image file on the local file system.
   EXEC Privilege
   verified boot hash system-image {A: | B:} hash-value
   You can get the hash value for your hashing algorithm from the Dell EMC iSupport page. You can use the MD5, SHA1, or SHA256 hash and the Dell EMC Networking OS automatically detects the type of hash.
   NOTE: The verified boot hash command is only applicable for OS images in the local file system.
3. Save the configuration.
Enabling and Configuring Startup Configuration Hash Verification
To enable and configure startup configuration hash verification, follow these steps:
1. Enable the startup configuration hash verification feature.
   CONFIGURATION mode
   verified startup-config
2. Generate the hash checksum for your startup configuration file.
   EXEC Privilege
   generate hash {md5 | sha1 | sha256} {flash://filename | startup-config}
3. Verify the hash checksum of the current startup configuration on the local file system.
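The generate-then-verify check used for both the OS image and the startup configuration above, as an added example that is not Dell EMC Networking OS code: it infers MD5, SHA1 or SHA256 from the digest length (an assumption about how the OS "automatically detects the type of hash"), streams the file through that algorithm and compares digests with a constant-time comparison. The file name, its contents and the tampered copy are constructed sample data.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm name (assumed detection rule)
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def detect_algorithm(hash_value):
    """Return md5/sha1/sha256 for a hex digest of the matching length, else ValueError."""
    h = hash_value.strip().lower()
    if len(h) not in DIGEST_LENGTHS or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("hash value is not an MD5, SHA1 or SHA256 hex digest")
    return DIGEST_LENGTHS[len(h)]


def generate_hash(path, algorithm):
    """Counterpart of 'generate hash {md5 | sha1 | sha256}': digest the file in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, expected_hash):
    """Counterpart of 'verified boot hash ... hash-value' / startup-config verification.
    Returns (matches, algorithm, actual_digest); the comparison is constant-time."""
    algorithm = detect_algorithm(expected_hash)
    actual = generate_hash(path, algorithm)
    return hmac.compare_digest(actual, expected_hash.strip().lower()), algorithm, actual


def demo():
    """Constructed sample: a fake image blob, its SHA256, then a one-byte modification."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "SAMPLE-IMAGE.bin")          # constructed file name
        with open(image, "wb") as f:
            f.write(b"\x7fELF" + bytes(range(256)) * 64)        # constructed payload
        good = generate_hash(image, "sha256")
        ok, algo, _ = verify_file(image, good.upper())          # digests compare case-insensitively
        with open(image, "r+b") as f:                           # flip one byte in place
            f.seek(100)
            f.write(b"\xff")
        tampered_ok, _, _ = verify_file(image, good)
        md5_algo = detect_algorithm("d41d8cd98f00b204e9800998ecf8427e")  # MD5 of empty input
        return ok, algo, tampered_ok, md5_algo


if __name__ == "__main__":
    print(demo())
```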
Enter the duration in minutes.
49 Service Provider Bridging
VLAN Stacking
VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. Using only 802.
Figure 107. VLAN Stacking in a Service Provider Network
Important Points to Remember
• Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN.
• Dell EMC Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
• Configuring Dell EMC Networking OS Options for Trunk Ports
• Debugging VLAN Stacking
• VLAN Stacking in Multi-Vendor Networks
Creating Access and Trunk Ports
To create access and trunk ports, use the following commands.
• Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
DellEMC# M Te 3/13
Configuring the Protocol Type Value for the Outer VLAN Tag
The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command.
• Select a value for the S-Tag TPID.
  CONFIGURATION mode
  vlan-stack protocol-type
  The default is 9100.
To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC privilege mode. Dell EMC Networking OS displays the S-Tag TPID only if it is a non-default value.
    NUM    Status     Description    Q Ports
*   1      Inactive                  U Gi 1/1
    100    Inactive                  T Gi 1/1
    101    Inactive                  M Gi 1/1
    103    Inactive
Debugging VLAN Stacking
To debug VLAN stacking, use the following command.
• Debug the internal state and membership of a VLAN and its ports.
  debug member
The port notations are as follows:
• MT — stacked trunk
• MU — stacked access port
• T — 802.1Q trunk port
• U — 802.
Figure 108.
Figure 109.
Figure 110. Single and Double-Tag TPID Mismatch
The following table details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the S-Series.
Table 90. Behaviors for Mismatched TPID
Network Position | Incoming Packet TPID | System TPID | Match Type | Pre-Version 8.2.1.0 | Version 8.2.1.
Ingress Access Point | untagged
Ingress Access Point | single-tag (0x8100)
Core | untagged
Network Position | Incoming Packet TPID | System TPID | Match Type | Pre-Version 8.2.1.0 | Version 8.2.1.
Egress Access Point untagged 0xQRST double-tag mismatch switch to default VLAN switch to default VLAN 0xUVWX — switch to default VLAN switch to default VLAN double-tag match switch to VLAN switch to VLAN double-tag 0xUVWX 0xUVWX
dei honor {0 | 1} {green | red | yellow}
You may enter the command once for 0 and once for 1. Packets with an unmapped DEI value are colored green. To display the DEI-honoring configuration, use the show interface dei-honor [interface slot/port] command in EXEC Privilege mode.
Figure 111. Statically and Dynamically Assigned dot1p for VLAN Stacking
When configuring Dynamic Mode CoS, you have two options:
• Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. In this case, you must have other dot1p QoS configurations; this option is classic dot1p marking.
• Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p.
!
interface GigabitEthernet 1/21
 no ip address
 switchport
 vlan-stack access
 vlan-stack dot1p-mapping c-tag-dot1p 0-3 sp-tag-dot1p 7
 service-policy input in layer2
 no shutdown
Mapping C-Tag to S-Tag dot1p Values
To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly, use the following commands.
1. Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
Figure 112. VLAN Stacking without L2PT
You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 113. VLAN Stacking with L2PT
Implementation Information
• L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
• No protocol packets are tunneled when you enable VLAN stacking.
• L2PT requires the default CAM profile.
Enabling Layer 2 Protocol Tunneling
To enable Layer 2 protocol tunneling, use the following command.
1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
   EXEC Privilege mode
   show cam-profile
2.
protocol-tunnel stp
Specifying a Destination MAC Address for BPDUs
By default, Dell EMC Networking OS uses a Dell EMC Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
• Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
The same is true for GARP VLAN registration protocol (GVRP). 802.1ad specifies that provider bridges participating in GVRP use a reserved destination MAC address called the Provider Bridge GVRP Address, 01-80-C2-00-00-0D, to exchange GARP PDUs instead of the GVRP Address, 01-80-C2-00-00-21, specified in 802.1Q. Only bridges in the service provider network use this destination MAC address so these bridges treat GARP PDUs originating from the customer network as normal data frames, rather than consuming them.
50 sFlow
sFlow is a standards-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
Important Points to Remember
• The Dell EMC Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset.
• By default, sFlow collection is supported only on data ports. If you want to enable sFlow collection through management ports, use the management egress-interface-selection and application sflow-collector commands in Configuration and EIS modes respectively.
• Dell EMC Networking OS exports all sFlow packets to the collector.
0 UDP packets dropped
0 sFlow samples collected
Example of viewing the sflow max-header-size extended on an Interface Mode
DellEMC#show sflow interface gigabitethernet 1/1
Gi 1/1
sFlow type                :Ingress
Configured sampling rate  :16384
Actual sampling rate      :16384
Counter polling interval  :20
Extended max header size  :256
Samples rcvd from h/w     :0
Example of the show running-config sflow Command
DellEMC#show running-config sflow
!
sflow collector 100.1.1.12 agent-addr 100.1.1.
Displaying Show sFlow on an Interface
To view sFlow information on a specific interface, use the following command.
• Display sFlow configuration information and statistics on a specific interface.
  EXEC mode
  show sflow interface interface-name
The following example shows the show sflow interface command.
Changing the Polling Intervals
The sflow polling-interval command configures the polling interval for an interface as the maximum number of seconds between successive samples of counters sent to the collector. This command changes the global default counter polling interval (20 seconds). You can configure an interface to use a different polling interval. To configure the polling intervals globally (in CONFIGURATION mode) or by interface (in INTERFACE mode), use the following command.
1 collectors configured
Collector IP addr: 100.1.1.1, Agent IP addr: 1.1.1.2, UDP port: 6343 VRF: Default
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected
stack-unit 1 Port set 0
  Gi 1/1: configured rate 16384, actual rate 16384
DellEMC#
If you did not enable any extended information, the show output displays the following (shown in bold).
51 Simple Network Management Protocol (SNMP)
The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention.
NOTE: On Dell EMC Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
Protocol Overview Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB). MIBs are hierarchically structured and use object identifiers to address managed objects, but managed objects also have a textual name called an object descriptor.
Keep the following points in mind when you configure the AES128-CFB algorithm for SNMPv3:
1. SNMPv3 authentication provides only the sha option when the FIPS mode is enabled.
2. SNMPv3 privacy provides only the aes128 privacy option when the FIPS mode is enabled.
3. If you attempt to enable or disable FIPS mode and if any SNMPv3 users are previously configured, an error message is displayed stating you must delete all of the SNMP users before changing the FIPS mode.
4.
Creating a Community For SNMPv1 and SNMPv2, create a community to enable the community-based security in Dell EMC Networking OS. The management station generates requests to either retrieve or alter the value of a management object and is called the SNMP manager. A network element that processes SNMP requests is called an SNMP agent. An SNMP community is a group of SNMP agents and managers that are allowed to interact.
NOTE: To give a user read and write privileges, repeat this step for each privilege type.
• Configure an SNMP group (with password or privacy privileges).
  CONFIGURATION mode
  snmp-server group group-name {oid-tree} priv read name write name
• Configure the user with a secure authorization password and privacy password.
  CONFIGURATION mode
  snmp-server user name group-name {oid-tree} auth md5 auth-password priv des56 priv password
• Configure an SNMPv3 view.
Writing Managed Object Values
You may only alter (write) a managed object value if your management station is a member of the same community as the SNMP agent, and the object is writable. Use the following command to write or write-over the value of a managed object.
• To write or write-over the value of a managed object.
  snmpset -v version -c community agent-ip {identifier.instance | descriptor.instance} syntax value
> snmpset -v 2c -c mycommunity 10.11.131.161 sysName.0 s "R5"
SNMPv2-MIB::sysName.
• RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighborLoss.
• Dell EMC Networking enterpriseSpecific environment traps — fan, supply, and temperature.
• Dell EMC Networking enterpriseSpecific protocol traps — bgp, ecfm, stp, and xstp.
To configure the system to send SNMP notifications, use the following commands.
1. Configure the Dell EMC Networking system to send notifications to an SNMP server.
CPU_THRESHOLD_CLR: Cpu %s usage drops below threshold. Cpu5SecUsage (%d)
MEM_THRESHOLD: Memory %s usage above threshold. MemUsage (%d)
MEM_THRESHOLD_CLR: Memory %s usage drops below threshold. MemUsage (%d)
DETECT_STN_MOVE: Station Move threshold exceeded for Mac %s in vlan %d
CAM-UTILIZATION: Enable SNMP envmon CAM utilization traps.
SNMP Copy Config Command Completed
%RPM0-P:CP %SNMP-4-RMON_RISING_THRESHOLD: STACKUNIT0 rising threshold alarm from SNMP OID
%RPM0-P:CP %SNMP-4-RMON_FALLING_THRESHOLD: STACKUNIT0 falling threshold alarm from SNMP OID
%RPM0-P:CP %SNMP-4-RMON_HC_RISING_THRESHOLD: STACKUNIT0 high-capacity rising threshold alarm from SNMP OID
Enabling an SNMP Agent to Notify Syslog Server Failure
You can configure a network device to send an SNMP trap if an audit processing failure occurs due to loss of
Following is the sample audit log message that the other reachable syslog servers receive:
Oct 21 05:26:04: dv-fedgov-s4810-6: %EVL-6-REACHABLE:Syslog server 10.11.226.121 (port: 9140) is reachable
Copy Configuration Files Using SNMP
To do the following, use SNMP from a remote client.
MIB Object | OID | Object Values | Description
 | | 3 = tftp, 4 = ftp, 5 = scp | If copyDestFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword.
copyDestFileName | .1.3.6.1.4.1.6027.3.5.1.1.1.1.7 | Path (if the file is not in the default directory) and filename. | Specifies the name of destination file.
copyServerAddress | .1.3.6.1.4.1.6027.3.5.1.1.1.1.8 | IP Address of the server. | The IP address of the server.
copyUserName | .1.3.6.1.4.1.6027.3.5.1.1.1.1.
The following examples show the snmpset command to copy a configuration. These examples assume that:
• the server OS is UNIX
• you are using SNMP version 2c
• the community name is public
• the file f10-copy-config.mib is in the current directory or in the snmpset tool path
Copying Configuration Files via SNMP
To copy the running-config to the startup-config from the UNIX machine, use the following command.
• Copy the running-config to the startup-config from the UNIX machine.
• precede server-ip-address by the keyword a.
• precede the values for copyUsername and copyUserPassword by the keyword s.
> snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.110 i 2 copyDestFileName.110 s /home/startup-config copyDestFileLocation.110 i 4 copyServerAddress.110 a 11.11.11.11 copyUserName.110 s mylogin copyUserPassword.110 s mypass
FTOS-COPY-CONFIG-MIB::copySrcFileType.110 = INTEGER: runningConfig(2)
FTOS-COPY-CONFIG-MIB::copyDestFileName.
MIB Object | OID | Values | Description
copyTimeCompleted | .1.3.6.1.4.1.6027.3.5.1.1.1.1.13 | Time value | Specifies the point in the uptime clock that the copy operation completed.
copyFailCause | .1.3.6.1.4.1.6027.3.5.1.1.1.1.14 | 1 = bad filename, 2 = copy in progress, 3 = disk full, 4 = file exists, 5 = file not found, 6 = timeout, 7 = unknown | Specifies the reason the copy request failed.
copyEntryRowStatus | .1.3.6.1.4.1.6027.3.5.1.1.1.1.15 | Row status | Specifies the state of the copy operation.
MIB Support to Display Reason for Last System Reboot
Dell EMC Networking provides MIB objects to display the reason for the last system reboot. The dellNetProcessorResetReason object contains the reason for the last system reboot. The following table lists the related MIB objects.
Table 97. MIB Objects for Displaying Reason for Last System Reboot
MIB Object | OID | Description
dellNetProcessorResetReason | 1.3.6.1.4.1.6027.3.26.1.4.3.1.7 | This is the table that contains the reason for last system reboot.
SNMP Walk Example Output
snmpwalk -v 2c -c public 10.16.131.156 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.5
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.5.10 = INTEGER: 48
snmpwalk -v 2c -c public 10.16.131.156 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.6
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.6.10 = INTEGER: 31
snmpwalk -v 2c -c public 10.16.131.156 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.7
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.7.
MIB Object | OID | Description
chSysCoresStackUnitNumber | 1.3.6.1.4.1.6027.3.10.1.2.10.1.4 | Contains information that includes which stack unit or processor the core file was originated from.
chSysCoresProcess | 1.3.6.1.4.1.6027.3.10.1.2.10.1.5 | Contains information that includes the process names that generated each core file.
Viewing the Software Core Files Generated by the System
• To view the software core files generated by the system, use the following command.
  snmpwalk -v2c -c public 192.168.60.
MIB Support to Display ECMP Group Count
Dell EMC Networking OS provides MIB objects to display the ECMP group count. The following table lists the related MIB objects:
Table 104. MIB Objects to display ECMP Group Count
MIB Object  OID  Description
dellNetInetCidrECMPGrpMax  1.3.6.1.4.1.6027.3.9.1.6  Total CAM for ECMP groups.
dellNetInetCidrECMPGrpUsed  1.3.6.1.4.1.6027.3.9.1.7  Used CAM for ECMP groups.
dellNetInetCidrECMPGrpAvl  1.3.6.1.4.1.6027.3.9.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.30.1.1.0.24.0.0.0.0 = ""
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.30.1.1.1.32.1.4.30.1.1.1.1.4.30.1.1.1 = Hex-STRING: 4C 76 25 F4 AB 02
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.30.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = ""
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.70.70.70.0.24.0.0.0.0 = ""
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.70.70.70.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = ""
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.70.70.70.2.32.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.20.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.30.1.1.0.24.0.0.0.0 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.30.1.1.1.32.1.4.30.1.1.1.1.4.30.1.1.1 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.30.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.70.70.70.0.24.0.0.0.0 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.
snmpwalk -v 2c -c public -On 10.16.150.97 1.3.6.1.2.1.47.1.3.2.1
.1.3.6.1.2.1.47.1.3.2.1.2.5.0 = OID: .1.3.6.1.2.1.2.2.1.1.2097157
.1.3.6.1.2.1.47.1.3.2.1.2.9.0 = OID: .1.3.6.1.2.1.2.2.1.1.2097669
.1.3.6.1.2.1.47.1.3.2.1.2.13.0 = OID: .1.3.6.1.2.1.2.2.1.1.2098181
.1.3.6.1.2.1.47.1.3.2.1.2.17.0 = OID: .1.3.6.1.2.1.2.2.1.1.2098693
.1.3.6.1.2.1.47.1.3.2.1.2.21.0 = OID: .1.3.6.1.2.1.2.2.1.1.2099205
.1.3.6.1.2.1.47.1.3.2.1.2.25.0 = OID: .1.3.6.1.2.1.2.2.1.1.2099717
.1.3.6.1.2.1.47.1.3.2.1.2.29.0 = OID: .1.3.6.1.
MIB Object  OID  Description
dot3adAggPartnerOperKey  1.2.840.10006.300.43.1.1.1.1.9  Contains the current operational value of the key for the Aggregator's current protocol partner.
dot3adAggCollectorMaxDelay  1.2.840.10006.300.43.1.1.1.1.10  Contains a 16-bit read-write attribute defining the maximum delay, in tens of microseconds, that the frame collector may impose between receiving a frame from an Aggregator Parser and either delivering the frame to its MAC Client or discarding it.
MIB Object  OID  Description
lldpRemUnknownTLVInfo  1.0.8802.1.1.2.1.4.3.1.2  Contains the value extracted from the value field of the TLV.
Viewing the Details of Reserved Unrecognized LLDP TLVs
• To view the information of reserved unrecognized LLDP TLVs using SNMP, use the following commands.
snmpwalk -v2c -c mycommunity 10.16.150.83 1.0.8802.1.1.2.1.4
iso.0.8802.1.1.2.1.4.1.1.6.0.2113029.2 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.3161092.6 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.3161605.
MIB Object  OID  Description
lldpRemOrgDefInfo  1.0.8802.1.1.2.1.4.4.1.4  Contains the string value used to identify the organizationally defined information of the remote system.
Viewing the Details of Organizational Specific Unrecognized LLDP TLVs
• To view the information of organizational specific unrecognized LLDP TLVs using SNMP, use the following commands.
snmpwalk -v2c -c public 10.16.150.83 1.0.8802.1.1.2.1.4.4.1.4
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.1.133
iso.0.8802.1.1.2.1.4.4.1.4.
Table 110. Interface level MIB Objects for Port Security
MIB Object  OID  Access or Permission  Description
dellNetPortSecIfPortSecurityEnable  1.3.6.1.4.1.6027.3.31.1.2.1.1.1  read-only  Specifies whether the port security feature is enabled or disabled on an interface.
dellNetPortSecIfPortSecurityStatus  1.3.6.1.4.1.6027.3.31.1.2.1.1.2  read-only  Represents the port security status of an interface.
dellNetPortSecIfSecureMacLimit  1.3.6.1.4.1.6027.3.31.1.2.1.1.
• MAC Address (an octet string of length 6, with the MAC address in decimal as the value)
• VLAN ID
• Interface Index
NOTE: MAC addresses cannot be retrieved using dellNetPortSecSecureStaticMacAddrTable and dellNetPortSecSecureMacAddrTable. These tables are valid only if the port security feature is enabled globally on the system.
Table 111. MIB Objects for configuring MAC addresses
MIB Object  OID
dellNetPortSecIfSecureStaticMa 1.3.6.1.4.1.6027.3.31.1.2.2.1.
Manage VLANs using SNMP
The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allow you to use SNMP to manage VLANs.
Creating a VLAN
To create a VLAN, use the dot1qVlanStaticRowStatus object. The snmpset operation shown in the following example creates VLAN 10 by writing the value 4 (createAndGo) to instance 10 of the dot1qVlanStaticRowStatus object. Because this is a write operation, it requires a community configured with read-write (rw) access.
> snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4
SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.
The value that the Dell EMC Networking system returns in response to the snmpget request is a port bitmap written as hexadecimal (hex) pairs. Each pair represents a group of eight ports, and within a pair the most-significant bit represents the lowest-numbered port of the group (the RFC 2674 PortList convention).
• Seven hex pairs represent a stack unit. Seven pairs (56 bits) accommodate the greatest number of ports available on a unit of this device, so the next stack unit begins on the 57th bit.
• The first hex pair, 00 in the previous example, represents ports 1 to 8 in Stack Unit 1. The next pair to the right represents ports 9 to 16.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Example of Adding a Tagged Port to a VLAN using SNMP In the following example, Port 0/2 is added as a tagged member of VLAN 10. >snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.
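The bitmap arithmetic described above is easy to get wrong by hand, and a tagged-port snmpset is a read-modify-write of the whole bitmap: you must set one bit without clearing the others. The following Python is an added example (not code from this guide or from Dell EMC Networking OS) that decodes a dot1qVlanStaticEgressPorts / dot1qVlanStaticUntaggedPorts value into per-unit port lists and builds the hex string to send back with snmpset's x type. It assumes the layout stated above (seven octets per stack unit, most-significant bit = lowest port); the hex strings in the test are constructed, not captured from a switch.

```python
"""Decode and build Q-BRIDGE-MIB PortList bitmaps (dot1qVlanStaticEgressPorts etc.)
as described for Dell EMC Networking OS. Added example, not vendor code.

Assumptions (labelled): seven octets per stack unit, as stated in the guide, and
the RFC 2674 PortList bit order (MSB of each octet = lowest-numbered port).
"""

OCTETS_PER_UNIT = 7                      # "Seven hex pairs represent a stack unit"


def decode_portlist(hex_string, octets_per_unit=OCTETS_PER_UNIT):
    """Return {stack_unit: [port, ...]} for a PortList given as hex pairs.

    Accepts the spaced form net-snmp prints ("00 40 00 ...") or a bare hex string.
    """
    data = bytes.fromhex("".join(hex_string.split()))
    ports_per_unit = octets_per_unit * 8
    members = {}
    for octet_index, octet in enumerate(data):
        for bit in range(8):
            if octet & (0x80 >> bit):            # MSB first = lowest port in the group
                absolute = octet_index * 8 + bit  # 0-based position in the whole bitmap
                unit = absolute // ports_per_unit + 1
                port = absolute % ports_per_unit + 1
                members.setdefault(unit, []).append(port)
    return members


def encode_portlist(members, num_units, octets_per_unit=OCTETS_PER_UNIT):
    """Inverse of decode_portlist: build the bare hex string for a full stack."""
    ports_per_unit = octets_per_unit * 8
    data = bytearray(num_units * octets_per_unit)
    for unit, ports in members.items():
        if not 1 <= unit <= num_units:
            raise ValueError(f"stack unit {unit} outside 1..{num_units}")
        for port in ports:
            if not 1 <= port <= ports_per_unit:
                raise ValueError(f"port {port} does not fit in unit {unit}")
            absolute = (unit - 1) * ports_per_unit + (port - 1)
            data[absolute // 8] |= 0x80 >> (absolute % 8)
    return data.hex()


def add_port(hex_string, unit, port, octets_per_unit=OCTETS_PER_UNIT):
    """Read-modify-write helper: set one member bit and keep every other bit."""
    current = decode_portlist(hex_string, octets_per_unit)
    num_units = len(bytes.fromhex("".join(hex_string.split()))) // octets_per_unit
    current.setdefault(unit, [])
    if port not in current[unit]:
        current[unit].append(port)
    return encode_portlist(current, num_units, octets_per_unit)


def snmpset_argument(hex_string):
    """Format a bare hex string as the spaced octets net-snmp expects after the x type."""
    return " ".join(hex_string[i:i + 2] for i in range(0, len(hex_string), 2))
```

To add port 2 of stack unit 1 as a tagged member, fetch the current dot1qVlanStaticEgressPorts value with snmpget, pass it through add_port, and send the result of snmpset_argument as the x value; repeat for dot1qVlanStaticUntaggedPorts only if the port should be untagged. If your unit's port count exceeds 56, the octets_per_unit assumption is wrong for your device and must be adjusted first.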
snmpset with descriptor:
snmpset -v version -c community agent-ip ifAdminStatus.ifindex i {1 | 2}
snmpset with OID:
snmpset -v version -c community agent-ip .1.3.6.1.2.1.2.2.1.7.ifindex i {1 | 2}
Choose integer 1 to change the admin status to Up, or 2 to change the admin status to Down.
Fetch Dynamic MAC Entries using SNMP
Dell EMC Networking supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs.
NOTE: The 802.1q Q-BRIDGE MIB defines VLANs regarding 802.1d, as 802.
Example of Fetching MAC Addresses Learned on a Port-Channel Using SNMP Use dot3aCurAggFdbTable to fetch the learned MAC address of a port-channel. The instance number is the decimal conversion of the MAC address concatenated with the port-channel number.
To map a context to a VRF instance for SNMPv2c, follow these steps:
1. Create a community for each VRF and a context for each VRF, then map each community to its context with a community map. The following show run snmp output shows the resulting configuration:
show run snmp
snmp-server community public ro
snmp-server community vrf1 ro
snmp-server community vrf2 ro
snmp-server context context1
snmp-server context context2
snmp mib community-map vrf1 context context1
snmp mib community-map vrf2 context context2
2.
Example of SNMP Walk Output for BGP timer configured for vrf1 (SNMPv2c)
snmpwalk -v 2c -c vrf1 10.16.131.125 1.3.6.1.4.1.6027.20.1.2.3
SNMPv2-SMI::enterprises.6027.20.1.2.3.1.1.1.0.1.20.1.1.2.1.20.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.3.1.1.2.0.1.20.1.1.2.1.20.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.1.0.1.20.1.1.2.1.20.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.2.0.1.20.1.1.2.1.20.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.3.0.1.20.1.1.2.1.20.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.
dot3aCurAggMacAddr
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1 = Hex-STRING: 00 00 00 00 00 01
dot3aCurAggIndex
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.1 = INTEGER: 1
dot3aCurAggStatus
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.1 = INTEGER: 1  << 1 = status active, 2 = status inactive
Layer 3 LAG does not include this support. SNMP traps work for the Layer 2 / Layer 3 / default mode LAG.
The following example shows the SNMP trap that is sent when connectivity to the syslog server is lost:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (19738) 0:03:17.38
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.6027.3.30.1.1.1
SNMPv2-SMI::enterprises.6027.3.30.1.1 = STRING: "NOT_REACHABLE: Syslog server 10.11.226.121 (port: 9140) is not reachable"
SNMPv2-SMI::enterprises.6027.3.6.1.1.2.
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.14.2113540 = ""
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.15.2113540 = ""
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.16.2113540 = STRING: "29.109375"
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.17.2113540 = STRING: "3.286000"
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.18.2113540 = STRING: "7.
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.19.2113540 =
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.20.2113540 =
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.21.2113540 =
router-id 10.10.10.
52 Stacking
Using the Dell EMC Networking OS stacking feature, you can interconnect multiple switch units through their stacking ports. The stack is managed as a single switch through the stack management unit. The system accepts Unit ID numbers from 1 to 12 and supports stacking of up to twelve units.
The master synchronizes the following information with the standby unit:
• Stack unit topology
• Stack running configuration (which includes ACL, LACP, STP, SPAN, and so on)
• Logs
Required Type : S3124 - 28-port GE/TE (S3100)
Current Type : S3124 - 28-port GE/TE (S3100)
Master priority : 0
Hardware Rev : 5.
Jumbo Capable : yes
POE Capable : yes
FIPS Mode : disabled
Burned In MAC : f8:10:20:30:40:6e
No Of MACs : 3
-- Module 1 --
Status : not present
-- Power Supplies --
Unit Bay Status Type FanStatus FanSpeed(rpm)
---------------------------------------------------------------------------
4 1 absent absent 0
4 2 up AC up 7920
-- Fan Status --
Unit Bay TrayStatus Fan1 Speed Fan2 Speed
-----------------------------------------------------------------------------------
4 1 up up 7058 up 7058
Speed in RPM
6 1 not present No Module 0
7 1 not present No Module 0
8 1 not present No Module 0
9 1 not present No Module 0
10 1 online S3148P-10GE-2SFP+ 2
11 1 not present No Module 0
12 1 online S3148P-10GE-2SFP+ 2
-- Power Supplies --
Unit Bay Status Type FanStatus FanSpeed(rpm)
---------------------------------------------------------------------------
1 1 up UNKNOWN up NA
1 2 absent absent NA
2 1 absent absent NA
2 2 up AC up NA
3 1 absent absent NA
3 2 up AC up NA
4 1 absent absent 0
4 2 up AC up 7888
5 1 up AC
Failover Roles If the stack master fails (for example, is powered off), it is removed from the stack topology. The standby unit detects the loss of peering communication and takes ownership of the stack management, switching from the standby role to the master role. The distributed forwarding tables are retained during the failover, as is the stack MAC address. The lack of a standby unit triggers an election within the remaining units for a standby role.
Master priority : 0
-----------STACK BEFORE CONNECTION---------------
Dell#show system brief
Stack MAC : f8:b1:56:29:fc:2b
Reload-Type : normal-reload [Next boot : normal-reload]
-- Stack Info --
Unit UnitType Status ReqTyp CurTyp Version Ports
-----------------------------------------------------------------------------------
1 Standby online S3124F S3124F 1-0(0-4679) 30
2 Management online S3148P S3148P 1-0(0-4679) 54
3 Member not present
4 Member not present
5 Member not present
6 Member not present
7 Memb
00:06:48: %S3148P:2 %IFAGT-5-STACK_PORT_LINK_UP: Changed stack port state to up: 2/54
00:06:58: %STKUNIT2-M:CP %CHMGR-5-STACKUNIT_DETECTED: stack-unit 4 present
00:07:01: %STKUNIT2-M:CP %CHMGR-5-CHECKIN: Checkin from stack-unit 4 (type S3148P, 54 ports)
00:07:02: %STKUNIT2-M:CP %CHMGR-5-STACKUNIT_UP: stack-unit 4 is up
Dell#show system brief
Stack MAC : f8:b1:56:29:fc:2b
Reload-Type : normal-reload [Next boot : normal-reload]
-- Stack Info --
Unit UnitType Status ReqTyp CurTyp Version Ports
--------------
Supported Stacking Topologies The device supports stacking in a ring or a daisy chain topology. Dell EMC Networking recommends the ring topology when stacking the switches to provide redundant connectivity. Figure 114. Supported Stacking Topologies High Availability on Stacks Stacks have master and standby management units analogous to Dell EMC Networking route processor modules (RPM).
Stack-unit Redundancy Role: Primary
Stack-unit State: Active
Stack-unit SW Version: 1-0(0-4697)
Link to Peer: Up
-- PEER Stack-unit Status --
------------------------------------------------
Stack-unit State: Standby
Peer Stack-unit ID: 2
Stack-unit SW Version: 1-0(0-4697)
-- Stack-unit Redundancy Configuration --
------------------------------------------------
Primary Stack-unit: mgmt-id 1
Auto Data Sync: Full
Failover Type: Hot Failover
Auto reboot Stack-unit: Enabled
Auto failover limit: 3 times in 60 minutes
terminal  Set terminal line parameters
upload    Upload file
Dell(standby)#
-----------------CONSOLE ACCESS ON A MEMBER---------------------------
Dell(stack-member-1)#?
reset-self  Reset this unit alone
show        Show running system information
You can connect two units with two or more stacking cables in case of a stacking port or cable failure. Removal of only one of the cables does not trigger a reset.
Important Points to Remember
• You can stack up to twelve systems.
Figure 115. Creating a new stack In the above example, stack unit 1 is the master management unit, stack unit 2 is the standby unit. The cables are connected to each unit. Reload each unit in the stack. After the reload is complete, the four units come up as a stack with unit 1 as the management unit, unit 2 as the standby unit, and the remaining units as stack-members. All units in the stack can be accessed from the management unit.
3 1 not present No Module 0
4 1 not present No Module 0
5 1 online S3148-10GE-2X10BaseT 2
6 1 not present No Module 0
7 1 not present No Module 0
8 1 not present No Module 0
9 1 not present No Module 0
10 1 online S3148-10GE-2SFP+ 2
11 1 not present No Module 0
12 1 online S3148-10GE-2SFP+ 2
-- Power Supplies --
Unit Bay Status Type FanStatus FanSpeed(rpm)
---------------------------------------------------------------------------
1 1 up UNKNOWN up NA
1 2 absent absent NA
2 1 absent absent NA
2 2 up AC up
• • If you add a unit that has a stack number that conflicts with the stack, the stack assigns the first available stack number. If the stack has a provision for the stack-number that will be assigned to the new unit, the provision must match the unit type, or Dell EMC Networking OS generates a type mismatch error. After the new unit loads, it synchronizes its running and startup configurations with the stack.
The following example shows adding a stack unit with a conflicting stack number (after).
Merge Two Stacks You may merge two stacks while they are powered and online. To merge two stacks, connect one stack to the other using the mini-SAS cables from the stacking ports. • • • • Dell EMC Networking OS selects a master stack manager from the two existing managers based on the priority of the stack. Dell EMC Networking OS resets all the units in the losing stack; they all become stack members. If there is no unit numbering conflict, the stack members retain their previous unit numbers.
Creating a Virtual Stack Unit on a Stack
Use virtual stack units to configure ports on the stack before adding a new unit. The provisioned type must match the type of the unit that is later added in that slot (one of the S3100 unit types shown in the show system output, such as S3124, S3124F, S3148, or S3148P), or the OS reports a type mismatch.
• Create a virtual stack unit.
CONFIGURATION mode
stack-unit stack-unit-number provision unit-type
Displaying Information about a Stack
To display information about the stack, use the following command.
• Display the stack identity, status, and hardware information for every unit in a stack.
-- Unit 2 --
Unit Type : Standby Unit
Status : online
Next Boot : online
Required Type : S3124 - 28-port GE/TE (S3100)
Current Type : S3124 - 28-port GE/TE (S3100)
Master priority : 13
Hardware Rev : 5.
Reload-Type : normal-reload [Next boot : normal-reload]
-- Stack Info --
Unit UnitType Status ReqTyp CurTyp Version Ports
-----------------------------------------------------------------------------------
1 Member online S3124F S3124F 1-0(0-4697) 30
2 Standby online S3124 S3124 1-0(0-4697) 30
3 Member online S3124 S3124 1-0(0-4697) 30
4 Member online S3148P S3148P 1-0(0-4697) 54
5 Member online S3148P S3148P 1-0(0-4697) 54
6 Member online S3148P S3148P 1-0(0-4697) 54
7 Member online S3124F S3124F 1-0(0-4697
9 1 up up 7058 up 7058
10 1 up up 6956 up 7164
11 1 up up 7164 up 7164
12 1 up up 7058 up 7058
Speed in RPM
DellEMC#
The following example shows the show system stack-ports command.
Managing Redundancy on a Stack
Use the following commands to manage the redundancy on a stack.
• Reset the current management unit and make the standby unit the new master unit. A new standby is elected. When the former stack master comes back online, it becomes a member unit.
EXEC Privilege mode
redundancy force-failover stack-unit
• Prevent the stack master from rebooting after a failover.
3/30 7/29 10 up up
4/53 5/54 10 up up
4/54 2/30 10 up up
5/53 12/54 10 up up
5/54 4/53 10 up up
6/53 11/30 10 up up
6/54 12/53 10 up up
7/29 3/30 10 up up
7/30 8/29 10 up up
8/29 7/30 10 up up
8/30 9/29 10 up up
9/29 8/30 10 up up
9/30 10/54 10 up up
10/53 11/29 10 up up
10/54 9/30 10 up up
11/29 10/53 10 up up
11/30 6/53 10 up up
12/53 6/54 10 up up
12/54 5/53 10 up up
DellEMC#
The following example shows the parameters for the management unit in the stack.
Removing a Unit from a Stack The running-configuration and startup-configuration are synchronized on all stack units. A stack member that is disconnected from the stack maintains this configuration. To remove a stack member from the stack, disconnect the stacking cables from the unit. You may do this at any time, whether the unit is powered or unpowered, online or offline.
Unit UnitType Status ReqTyp CurTyp Version Ports
-----------------------------------------------------------------------------------
1 Member not present
2 Management online S3148P S3148P 1-0(0-4679) 54
3 Standby online S3148P S3148P 1-0(0-4679) 54
4 Member not present
5 Member not present
6 Member not present
7 Member not present
8 Member not present
9 Member not present
10 Member not present
11 Member not present
12 Member not present
-- Module Info --
Unit Module No Status Module Type Ports
----------------
00:42:48: %S3148P:4 %IFAGT-5-STACK_PORT_LINK_DOWN: Changed stack port state to down: 4/53
00:42:48: %S3148P:2 %IFAGT-5-STACK_PORT_LINK_DOWN: Changed stack port state to down: 2/54
00:42:52: %S3148P:4 %IFAGT-5-STACK_PORT_LINK_UP: Changed stack port state to up: 4/53
00:42:52: %S3148P:2 %IFAGT-5-STACK_PORT_LINK_UP: Changed stack port state to up: 2/54
00:42:53: %S3148P:2 %IFAGT-5-STACK_PORT_LINK_DOWN: Changed stack port state to
00:42:53: %S3148P:4
00:42:55: %S3148P:4
00:42:55: %S3148P:2
00:42:56: %S3148P:2
53 Storm Control
Storm control allows you to limit unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell EMC Networking Operating System (OS) Behavior: Dell EMC Networking OS supports unknown-unicast, multicast, and broadcast storm control for Layer 2 and Layer 3 traffic. The minimum number of packets per second (PPS) that storm control can limit on the device is two.
Configuring Storm Control from CONFIGURATION Mode
To configure storm control from CONFIGURATION mode, use the following command. From CONFIGURATION mode you can configure storm control for ingress and egress traffic. Do not apply per-virtual local area network (VLAN) quality of service (QoS) on an interface that has storm control enabled (either on the interface or globally).
• Configure storm control.
CONFIGURATION mode
Configure the packets per second of broadcast traffic allowed in the network.
54 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is supported on Dell EMC Networking OS.
• Enabling PortFast
• Prevent Network Disruptions with BPDU Guard
• STP Root Guard
• Enabling SNMP Traps for Root Elections and Topology Changes
• Configuring Spanning Trees as Hitless
Important Points to Remember
• STP is disabled by default.
• The Dell EMC Networking OS supports only one spanning tree instance (0).
• For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+).
• You may only enable one flavor of spanning tree at any one time.
1. If the interface has been assigned an IP address, remove it.
INTERFACE mode
no ip address
2. Place the interface in Layer 2 mode.
INTERFACE mode
switchport
3. Enable the interface.
INTERFACE mode
no shutdown
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
CONFIGURATION mode
protocol spanning-tree 0
2. Enable STP.
PROTOCOL SPANNING TREE mode
no disable
To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Adding an Interface to the Spanning Tree Group
To add a Layer 2 interface to the spanning tree topology, use the following command.
• Enable spanning tree on a Layer 2 interface.
INTERFACE mode
spanning-tree 0
Modifying Global Parameters
You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP.
Modifying Interface STP Parameters
You can set the port cost and port priority values of interfaces in Layer 2 mode.
• Port cost: a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority: influences the likelihood that a port is selected to be a forwarding port when several ports have the same port cost.
The default values are listed in Modifying Global Parameters.
Prevent Network Disruptions with BPDU Guard
Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/Edgeport (edgeports) do not expect to receive BPDUs. If an edgeport does receive a BPDU, it is likely connected to another part of the network (or to a host injecting BPDUs), which can negatively affect the STP topology.
Figure 118. Enabling BPDU Guard
Dell EMC Networking OS Behavior
BPDU guard:
• is used on edgeports and blocks all traffic on the edgeport if it receives a BPDU.
• drops the BPDU after it reaches the RP and generates a console message.
Example of Blocked BPDUs
Selecting STP Root
STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root.
STP Root Guard Use the STP root guard feature in a Layer 2 network to avoid bridging loops. In STP, the switch in the network with the lowest priority (as determined by STP or set with the bridge-priority command) is selected as the root bridge. If two switches have the same priority, the switch with the lower MAC address is selected as the root. All other switches in the network use the root bridge as the reference used to calculate the shortest forwarding path.
• Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
• Root guard is supported on a port in any Spanning Tree mode:
  • Spanning Tree Protocol (STP)
  • Rapid Spanning Tree Protocol (RSTP)
  • Multiple Spanning Tree Protocol (MSTP)
  • Per-VLAN Spanning Tree Plus (PVST+)
• When enabled on a port, root guard applies to all VLANs configured on the port.
• You cannot enable root guard and loop guard at the same time on an STP port.
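To make the two guard decisions concrete (BPDU guard on an edgeport, root guard on a port that must stay designated), the following Python is an added example, not Dell EMC Networking OS code, that decodes an 802.1D Configuration BPDU from a raw LLC payload and returns the action a guarded port would take. The port names are hypothetical, the frames are constructed in the test rather than captured, and the only MAC addresses used are ones that appear in this guide's show system output. Bridge IDs are compared as the 8-byte priority+MAC value, lower wins, which is the STP rule the section above describes.

```python
"""Decode 802.1D Configuration BPDUs and apply BPDU guard / root guard decisions.
Added example for this section; not vendor code. Frames are constructed."""
import struct
from dataclasses import dataclass

LLC_STP = b"\x42\x42\x03"               # DSAP/SSAP 0x42, UI control: the STP LLC header
BPDU_TYPE_CONFIG, BPDU_TYPE_RSTP = 0x00, 0x02
BPDU_FMT = "!HBBB8sI8sHHHHH"            # proto, version, type, flags, root, cost,
BPDU_LEN = struct.calcsize(BPDU_FMT)    # bridge, port id, msg age, max age, hello, fwd delay


@dataclass
class ConfigBpdu:
    root_id: int          # 8-byte bridge ID (priority << 48 | MAC) as an int; lower is better
    root_path_cost: int
    bridge_id: int
    port_id: int


@dataclass
class Port:
    name: str
    edgeport: bool = False       # portfast / edgeport configured
    bpdu_guard: bool = False
    root_guard: bool = False


def bridge_id(priority: int, mac: str) -> int:
    """Build the comparable bridge identifier from a priority and a MAC string."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def parse_bpdu(payload: bytes):
    """Return a ConfigBpdu for a Configuration/RSTP BPDU, or None for anything else."""
    if not payload.startswith(LLC_STP) or len(payload) < len(LLC_STP) + BPDU_LEN:
        return None
    fields = struct.unpack(BPDU_FMT, payload[len(LLC_STP):len(LLC_STP) + BPDU_LEN])
    proto, _version, btype, _flags, root, cost, bridge, port_id = fields[:8]
    if proto != 0 or btype not in (BPDU_TYPE_CONFIG, BPDU_TYPE_RSTP):
        return None                       # TCN BPDUs carry no root ID; ignore them here
    return ConfigBpdu(int.from_bytes(root, "big"), cost, int.from_bytes(bridge, "big"), port_id)


def handle_frame(port: Port, payload: bytes, current_root_id: int) -> str:
    """Decide what the guards do with one frame received on `port`."""
    bpdu = parse_bpdu(payload)
    if bpdu is None:
        return "ignore"                   # not a BPDU: guards are not involved
    if port.edgeport and port.bpdu_guard:
        return "err-disabled"             # BPDU guard: an edgeport must never see a BPDU
    if port.root_guard and bpdu.root_id < current_root_id:
        return "root-inconsistent"        # root guard: a superior root was claimed; block the port
    return "process"                      # normal STP processing continues


def make_config_bpdu(root_id: int, sender_id: int, cost: int = 0, port_id: int = 0x8001) -> bytes:
    """Construct a Configuration BPDU (sample input for the test, not a captured frame)."""
    body = struct.pack(BPDU_FMT, 0, 0, BPDU_TYPE_CONFIG, 0,
                       root_id.to_bytes(8, "big"), cost, sender_id.to_bytes(8, "big"),
                       port_id, 0, 20 * 256, 2 * 256, 15 * 256)   # timers in 1/256 s units
    return LLC_STP + body
```

A host on an edgeport that sends a crafted BPDU with priority 0 would, without root guard or BPDU guard, become the root and pull traffic through itself; with the guards, the first frame err-disables the edgeport or holds the uplink in root-inconsistent state until the superior BPDUs stop.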
STP Loop Guard The STP loop guard feature provides protection against Layer 2 forwarding loops (STP loops) caused by a hardware failure, such as a cable failure or an interface fault. When a cable or interface fails, a participating STP link may become unidirectional (STP requires links to be bidirectional) and an STP port does not receive BPDUs. When an STP blocking port does not receive BPDUs, it transitions to a Forwarding state. This condition can create a loop in the network.
Configuring Loop Guard
Enable STP loop guard on a per-port or per-port-channel basis. The following conditions apply to a port enabled with loop guard:
• Loop guard is supported on any STP-enabled port or port-channel interface.
55 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell EMC Networking device. For more information on SmartScripts, see Dell EMC Networking Open Automation guide. Figure 121.
Enable the SupportAssist service.
CONFIGURATION mode
support-assist activate
DellEMC(conf)#support-assist activate
This command guides you through the steps to configure SupportAssist.
Configuring SupportAssist Manually
To manually configure the SupportAssist service, use the following commands.
1. Accept the end-user license agreement (EULA).
CONFIGURATION mode
eula-consent {support-assist} {accept | reject}
NOTE: Once accepted, you do not have to accept the EULA again.
support-assist
DellEMC(conf)#support-assist
DellEMC(conf-supportassist)#
3. (Optional) Configure the contact information for the company.
SUPPORTASSIST mode
contact-company name {company-name}[company-next-name] ... [company-next-name]
DellEMC(conf)#support-assist
DellEMC(conf-supportassist)#contact-company name test
DellEMC(conf-supportassist-cmpy-test)#
4. (Optional) Configure the contact name for an individual.
[no] activity {full-transfer|core-transfer|event-transfer}
DellEMC(conf-supportassist)#activity full-transfer
DellEMC(conf-supportassist-act-full-transfer)#
DellEMC(conf-supportassist)#activity core-transfer
DellEMC(conf-supportassist-act-core-transfer)#
DellEMC(conf-supportassist)#activity event-transfer
DellEMC(conf-supportassist-act-event-transfer)#
2. Copy an action-manifest file for an activity to the system.
[no] enable
DellEMC(conf-supportassist-act-full-transfer)#enable
DellEMC(conf-supportassist-act-full-transfer)#
DellEMC(conf-supportassist-act-core-transfer)#enable
DellEMC(conf-supportassist-act-core-transfer)#
DellEMC(conf-supportassist-act-event-transfer)#enable
DellEMC(conf-supportassist-act-event-transfer)#
Configuring SupportAssist Company
SupportAssist Company mode allows you to configure the name, address, and territory information of the company.
SUPPORTASSIST PERSON mode
[no] email-address primary email-address [alternate email-address]
DellEMC(conf-supportassist-pers-john_doe)#email-address primary jdoe@mycompany.com
DellEMC(conf-supportassist-pers-john_doe)#
3. Configure the phone numbers of the contact person.
SUPPORTASSIST PERSON mode
[no] phone primary phone [alternate phone]
DellEMC(conf-supportassist-pers-john_doe)#phone primary +919999999999
DellEMC(conf-supportassist-pers-john_doe)#
4. Configure the preferred method for contacting the person.
[no] url uniform-resource-locator
DellEMC(conf-supportassist-serv-default)#url https://192.168.1.1/index.htm
DellEMC(conf-supportassist-serv-default)#
Viewing SupportAssist Configuration
To view the SupportAssist configuration, use the following commands:
1. Display information on the SupportAssist feature status, including any activities, the status of communication, the last time a communication was sent, and so on.
show eula-consent {support-assist | other feature} DellEMC#show eula-consent support-assist SupportAssist EULA has been: Accepted Additional information about the SupportAssist EULA is as follows: By installing SupportAssist, you allow Dell to save your contact information (e.g. name, phone number and/or email address) which would be used to provide technical support for your Dell products and services. Dell may use the information for providing recommendations to improve your IT infrastructure.
56 System Time and Date
System time and date settings and the network time protocol (NTP) are supported on Dell EMC Networking OS. You can set the system time and date manually through the Dell EMC Networking Operating System (OS) command line interface (CLI) and hardware settings, or maintain them automatically through NTP. The Dell EMC Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Protocol Overview
The NTP client sends messages to one or more servers and processes the replies as they are received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode. DellEMC#show ntp status Clock is synchronized, stratum 4, reference is 10.16.151.117, vrf-id is 0 frequency is -44.862 ppm, stability is 0.050 ppm, precision is -18 reference time deeef7ef.85eeaa10 Tue, Jul 10 2018 9:16:31.523 UTC clock offset is -0.167449 msec, root delay is 149.194 msec root dispersion is 54.557 msec, peer dispersion is 0.
• For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
• For the Management interface, enter the keyword ManagementEthernet then the slot/port information.
• For a port channel interface, enter the keywords port-channel then a number.
• For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
To view the configuration, use the show running-config ntp command in EXEC Privilege mode (refer to the example in Configuring NTP Authentication).
To configure the switch as an NTP server, use the ntp master command. The stratum number identifies the NTP server's position in the hierarchy. The following example shows the configuration of an NTP server.
DellEMC(conf)#show running-config ntp
!
ntp master
ntp server 10.16.127.44
ntp server 10.16.127.86
ntp server 10.16.127.
To view the NTP configuration, use the show running-config ntp command in EXEC Privilege mode. The following example shows an encrypted authentication key. All keys are stored and displayed in encrypted form; the value shown is not the plaintext key that the NTP peers share.
DellEMC#show running ntp
!
ntp authenticate
ntp authentication-key 345 md5 5A60910F3D211F02
ntp server 11.1.1.1 version 3
ntp trusted-key 345
DellEMC#
Configuring NTP control key password
The Network Time Protocol daemon (NTPD) design uses NTPQ to configure NTPD.
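The three commands above (ntp authenticate, ntp authentication-key, ntp trusted-key) turn on RFC 1305 / RFC 5905 symmetric-key authentication: every packet carries a key identifier and an MD5 digest computed over the shared key followed by the 48-byte NTP header, and a receiver accepts the packet only if the key identifier is trusted and the digest matches. The following Python is an added example, not Dell EMC Networking OS code, that builds such an authenticated version 3 client request and verifies a reply the same way the switch does. It reuses key id 345 from the running-config above; the key bytes and timestamps are constructed. Note the caveat a practitioner should keep in mind: this is a keyed MD5 digest, not a modern MAC, so it stops off-path spoofing of a trusted server but the shared key must be kept out of configuration backups and distributed per server.

```python
"""NTP v3 symmetric-key (MD5) authentication: build and verify packets.
Added example for the NTP authentication section; not vendor code."""
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN, KEYID_LEN, MD5_LEN = 48, 4, 16
HEADER_FMT = "!BBBbIIIQQQQ"            # li/vn/mode, stratum, poll, precision, root delay,
                                       # root dispersion, ref id, ref/orig/recv/xmit timestamps


def ntp_timestamp(unix_seconds: float) -> int:
    """64-bit NTP timestamp: 32-bit seconds since 1900 and 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def build_header(version: int = 3, mode: int = 3, transmit_ts: int = 0) -> bytes:
    """Minimal 48-byte header; mode 3 is a client request."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack(HEADER_FMT, li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, transmit_ts)


def parse_header(packet: bytes):
    """Return (version, mode, stratum, transmit_ts) from the first 48 bytes."""
    fields = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return (fields[0] >> 3) & 0x7, fields[0] & 0x7, fields[1], fields[10]


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key id and MD5(key || header), the RFC 1305 symmetric-key MAC."""
    if len(header) != HEADER_LEN:
        raise ValueError("authenticate a bare 48-byte header")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def build_request(key_id: int, key: bytes, now: float = None) -> bytes:
    """Authenticated client request, equivalent to what 'ntp authenticate' makes the switch send."""
    now = time.time() if now is None else now
    return authenticate(build_header(transmit_ts=ntp_timestamp(now)), key_id, key)


def verify(packet: bytes, trusted_keys: dict) -> bool:
    """Accept only packets carrying a valid MAC under a trusted key id (cf. 'ntp trusted-key')."""
    if len(packet) != HEADER_LEN + KEYID_LEN + MD5_LEN:
        return False                    # unauthenticated, truncated, or a MAC length we do not use
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEYID_LEN])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                    # key id not in the trusted-key list
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, packet[HEADER_LEN + KEYID_LEN:])
```

The trusted_keys dictionary plays the role of the combination of ntp authentication-key (id to key) and ntp trusted-key (which ids are accepted); a key that is configured but not trusted must be left out of it. compare_digest is used so that verification time does not leak how many digest bytes matched.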
EXEC Privilege mode
clock set time month day year
• time: enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format; for example, 17:15:00 is 5:15 pm.
• month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.
• day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year.
• end-month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.
• end-day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year.
• end-year: enter a four-digit number as the year. The range is from 1993 to 2035.
• end-time: enter the time in hours:minutes.
pacific Sat Nov 7 2009" NOTE: If you enter after entering the recurring command parameter, and you have already set a one-time daylight saving time/date, the system uses that time and date as the recurring setting. The following example shows the clock summer-time recurring parameters.
57 Tunneling
Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, path MTU transmission, and fragmented packets are not supported.
The following sample configuration shows a tunnel configured in IPv6 mode (an IPv6 tunnel that carries IPv4 and IPv6 traffic; note the IPv6 tunnel source and destination and the tunnel mode ipv6 command):
DellEMC(conf)#interface tunnel 3
DellEMC(conf-if-tu-3)#tunnel source 5::5
DellEMC(conf-if-tu-3)#tunnel destination 8::9
DellEMC(conf-if-tu-3)#tunnel mode ipv6
DellEMC(conf-if-tu-3)#ip address 3.1.1.1/24
DellEMC(conf-if-tu-3)#ipv6 address 3::1/64
DellEMC(conf-if-tu-3)#no shutdown
DellEMC(conf-if-tu-3)#show config
!
interface Tunnel 3
ip address 3.1.1.
The following sample configuration shows a tunnel in IPIP decapsulate-any mode. This mode has no tunnel destination: it terminates IPIP packets that arrive at the tunnel source address from any remote source, so restrict which sources can reach that address with an ingress ACL on the underlying interface.
DellEMC(conf)#interface tunnel 1
DellEMC(conf-if-tu-1)#ip unnumbered gigabitethernet 1/1
DellEMC(conf-if-tu-1)#ipv6 unnumbered gigabitethernet 1/1
DellEMC(conf-if-tu-1)#tunnel source 40.1.1.1
DellEMC(conf-if-tu-1)#tunnel mode ipip decapsulate-any
DellEMC(conf-if-tu-1)#no shutdown
DellEMC(conf-if-tu-1)#show config
!
interface Tunnel 1
ip unnumbered GigabitEthernet 1/1
ipv6 unnumbered GigabitEthernet 1/1
tunnel source 40.1.1.
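The following is an added example, not code from the Dell EMC guide. It builds the outer IPv4 header that IPIP (RFC 2003, protocol 4) and IPv6-in-IPv4 (RFC 4213, protocol 41) encapsulation add, and shows the difference between the two decapsulation policies on this page: a point-to-point tunnel accepts only packets whose outer source is the configured tunnel destination, while decapsulate-any terminates any packet addressed to the tunnel source. The addresses and inner packets are constructed; 40.1.1.1 is the page's tunnel source, the peer and spoofed-source addresses are assumed.

```python
"""IPIP / IPv6-in-IPv4 encapsulation with point-to-point vs decapsulate-any.

Added example, not Dell code. Models the two tunnel modes described above.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4    # IPv4 inside IPv4 (RFC 2003)
IPPROTO_IPV6 = 41   # IPv6 inside IPv4 (RFC 4213)


def ipv4_checksum(hdr):
    """One's-complement sum over 16-bit words; returns 0 for a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def encapsulate(tunnel_src, tunnel_dst, inner):
    """Wrap an inner IPv4 or IPv6 packet in an outer IPv4 header."""
    proto = IPPROTO_IPIP if inner[0] >> 4 == 4 else IPPROTO_IPV6
    return ipv4_header(tunnel_src, tunnel_dst, proto, len(inner)) + inner


class Tunnel:
    """Receive side of a tunnel interface.

    destination=None with decapsulate_any=True models 'tunnel mode ipip
    decapsulate-any'; a destination models a point-to-point tunnel.
    """

    def __init__(self, source, destination=None, decapsulate_any=False):
        self.source = ipaddress.IPv4Address(source)
        self.destination = ipaddress.IPv4Address(destination) if destination else None
        self.decapsulate_any = decapsulate_any

    def decapsulate(self, packet):
        """Return the inner packet, or None if this tunnel must not accept it."""
        if len(packet) < 20 or packet[0] >> 4 != 4:
            return None
        ihl = (packet[0] & 0x0F) * 4
        hdr = packet[:ihl]
        if len(hdr) < 20 or ipv4_checksum(hdr) != 0:
            return None
        proto = hdr[9]
        src = ipaddress.IPv4Address(hdr[12:16])
        dst = ipaddress.IPv4Address(hdr[16:20])
        if dst != self.source or proto not in (IPPROTO_IPIP, IPPROTO_IPV6):
            return None
        # Point-to-point: the outer source must be the configured tunnel peer.
        # decapsulate-any skips this check, which is why it needs an ingress ACL.
        if not self.decapsulate_any and src != self.destination:
            return None
        inner = packet[ihl:]
        expected_version = 4 if proto == IPPROTO_IPIP else 6
        if not inner or inner[0] >> 4 != expected_version:
            return None
        return inner


if __name__ == "__main__":
    inner = ipv4_header("192.0.2.1", "198.51.100.1", 17, 0)   # constructed inner packet
    p2p = Tunnel("40.1.1.2", destination="40.1.1.1")          # peer of the page's 40.1.1.1
    any_src = Tunnel("40.1.1.2", decapsulate_any=True)
    spoofed = encapsulate("203.0.113.9", "40.1.1.2", inner)
    print("point-to-point accepts spoofed source:", p2p.decapsulate(spoofed) is not None)
    print("decapsulate-any accepts spoofed source:", any_src.decapsulate(spoofed) is not None)
```

The spoofed packet is rejected by the point-to-point tunnel and accepted by the decapsulate-any tunnel; on a real switch the ACL on the ingress interface is what takes the place of the missing peer check.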
58 Uplink Failure Detection (UFD) Feature Description A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity. However, the devices do not receive a direct indication that upstream connectivity is lost because connectivity to the switch is still operational. UFD allows a switch to associate downstream interfaces with upstream interfaces.
Figure 123. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 124. Uplink Failure Detection Example
If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. This number is configurable; if you do not set it, it is calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• If you disable an uplink-state group, the downstream interfaces are not disabled regardless of the state of the upstream interfaces.
• If an uplink-state group has no upstream interfaces assigned, you cannot disable downstream interfaces when an upstream link goes down.
To enable the debug messages for events related to a specified uplink-state group or all groups, use the debug uplink-state-group [group-id] command, where the group-id is from 1 to 16.
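The following model is an added example, not Dell code. It reproduces the uplink-state group rules stated above: when every upstream interface in an enabled group is down, all downstream interfaces are brought down; when only some upstreams are down, the number of downstream ports taken down is either the configured count or the ratio of lost upstream bandwidth to downstream port bandwidth; a disabled group, or one with no upstream interfaces, never disables anything. Which downstream ports the OS selects is not stated on the page, so the model takes them in configured order; the interface names and bandwidths are constructed.

```python
"""Model of UFD uplink-state group behaviour described on this page.

Added example, not Dell code. Port selection order and the exact rounding of
the bandwidth ratio are assumptions; the rules themselves are from the page.
"""
import math


class UplinkStateGroup:
    def __init__(self, group_id, enabled=True, downstream_disable_links=None):
        if not 1 <= group_id <= 16:
            raise ValueError("group-id must be 1-16")
        self.group_id = group_id
        self.enabled = enabled
        # Fixed number of downstream ports to disable per failed upstream, if configured.
        self.downstream_disable_links = downstream_disable_links
        self.upstream = {}    # name -> (bandwidth_mbps, is_up)
        self.downstream = {}  # name -> bandwidth_mbps

    def add_upstream(self, name, bandwidth_mbps, up=True):
        self.upstream[name] = (bandwidth_mbps, up)

    def add_downstream(self, name, bandwidth_mbps):
        self.downstream[name] = bandwidth_mbps

    def set_upstream_state(self, name, up):
        bandwidth, _ = self.upstream[name]
        self.upstream[name] = (bandwidth, up)

    def ufd_disabled_ports(self):
        """Downstream ports UFD would hold in the Link-Down state right now."""
        if not self.enabled or not self.upstream:
            return []                      # disabled group / no upstreams: never act
        failed = [bw for bw, up in self.upstream.values() if not up]
        if not failed:
            return []
        names = list(self.downstream)
        if len(failed) == len(self.upstream):
            return names                   # all uplinks lost: take every downstream down
        if self.downstream_disable_links is not None:
            count = self.downstream_disable_links * len(failed)
        else:
            # Ratio rule: lost upstream bandwidth over the downstream port bandwidth.
            count = math.ceil(sum(failed) / min(self.downstream.values()))
        return names[:count]


def build_sample():
    """Constructed group: two 2 Gbit/s uplinks, four 1 Gbit/s downlinks."""
    group = UplinkStateGroup(1)
    group.add_upstream("Gi 1/4", 2000)
    group.add_upstream("Po 8", 2000)
    for port in range(10, 14):
        group.add_downstream(f"Gi 1/{port}", 1000)
    return group


if __name__ == "__main__":
    group = build_sample()
    group.set_upstream_state("Gi 1/4", False)
    print("one uplink down:", group.ufd_disabled_ports())
    group.set_upstream_state("Po 8", False)
    print("both uplinks down:", group.ufd_disabled_ports())
```

With the constructed bandwidths, losing one 2 Gbit/s uplink takes down two 1 Gbit/s downstream ports, and losing both takes down all four; a practitioner tuning the downstream-disable count can check the intended behaviour against this model before relying on the show uplink-state-group output.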
6. (Optional) Disable upstream-link tracking without deleting the uplink-state group.
UPLINK-STATE-GROUP mode
no enable
By default, upstream-link tracking is automatically enabled in an uplink-state group. To re-enable upstream-link tracking, use the enable command.
Clearing a UFD-Disabled Interface
You can manually bring up a downstream interface in an uplink-state group that UFD disabled and that is in a UFD-Disabled Error state.
Displaying Uplink Failure Detection
To display information on the UFD feature, use any of the following commands.
• Display status information on a specified uplink-state group or all groups.
EXEC mode
show uplink-state-group [group-id] [detail]
• group-id: The values are from 1 to 16.
• detail: displays additional status information on the upstream and downstream interfaces in each group.
• Display the current status of a port or port-channel interface assigned to an uplink-state group.
Upstream Interfaces : Gi 1/4(Dwn) Po 8(Dwn)
Downstream Interfaces : Gi 1/10(Dwn)
The following example shows viewing the interface status with UFD information.
• Verify the configuration with various show commands.
59 Upgrade Procedures To find the upgrade procedures, go to the Dell EMC Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell EMC Networking OS version. To upgrade your system type, follow the procedures in the Dell EMC Networking OS Release Notes. You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.
60 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
• Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN. Alternatively, use the no switchport command, and Dell EMC Networking OS removes the interface from the Default VLAN.
• A tagged interface requires an additional step to remove it from Layer 2 mode. Because tagged interfaces can belong to multiple VLANs, remove the tagged interface from all VLANs using the no tagged interface command.
Information contained in the tag header allows the system to prioritize traffic and to forward information to ports associated with a specific VLAN ID. Tagged interfaces can belong to multiple VLANs, while untagged interfaces can belong only to one VLAN. Configuration Task List This section contains the following VLAN configuration tasks.
To tag frames leaving an interface in Layer 2 mode, assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use the following commands.
1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
CONFIGURATION mode
interface vlan vlan-id
2. Enable an interface to include the IEEE 802.1Q tag header.
untagged interface This command is available only in VLAN interfaces. The no untagged interface command removes the untagged interface from a port-based VLAN and places the interface in the Default VLAN. You cannot use the no untagged interface command in the Default VLAN. The following example shows the steps and commands to move an untagged interface from the Default VLAN to another VLAN. To determine interface status, use the show vlan command.
Configuring Native VLANs Traditionally, ports can be either untagged for membership to one VLAN or tagged for membership to multiple VLANs. You must connect an untagged port to a VLAN-unaware station (one that does not understand VLAN tags), and you must connect a tagged port to a VLAN-aware station (one that generates and understands VLAN tags). Native VLAN support breaks this barrier so that you can connect a port to both VLAN-aware and VLAN-unaware stations. Such ports are referred to as hybrid ports.
61 Virtual Link Trunking (VLT)
Overview
In a traditional switched topology as shown below, spanning tree protocols (STPs) are used to block one or more links to prevent loops in the network. Although loops are prevented, the bandwidth of all links is not effectively utilized by the connected devices.
Figure 126. Traditional switched topology
VLT not only overcomes this limitation, but also provides multiple paths to the connected devices.
To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol. After VLT is established, you may use rapid spanning tree protocol (RSTP) to prevent loops from forming with new links that are incorrectly connected and outside the VLT domain. VLT provides Layer 2 multipathing, creating redundancy through increased bandwidth, enabling multiple parallel paths between nodes, and load-balancing traffic where alternate paths exist.
between the two VLT chassis. IGMP and VLT configurations must be identical on both sides of the trunk to ensure the same behavior on both sides. The following example shows how VLT is deployed. The switches appear as a single virtual switch from the point of view of the switch or server supporting link aggregation control protocol (LACP).
VLT Terminology
The following are key VLT terms.
• Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches.
If Host 1 from a VLT domain sends a frame to Host 2 in another VLT domain, the frame can use any link shown to reach Host 2. MAC synchronization between VLT peers handles the traffic flow even if it is hashed and forwarded through the other member of the portchannel.
VLT on Core Switches Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This set up requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode. This example provides the highest form of resiliency, scaling, and load balancing in data center switching networks.
Figure 131. Enhanced VLT
Configure Virtual Link Trunking
VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches.
Important Points to Remember
• You cannot enable stacking simultaneously with VLT. If you enable both at the same time, unexpected behavior can occur.
• VLT port channel interfaces must be switch ports.
• If you include RSTP on the system, configure it before VLT.
• When you enable IGMP snooping on the VLT peers, ensure the value of the delay-restore command is not less than the query interval.
• When you enable Layer 3 routing protocols on VLT peers, make sure the delay-restore timer is set to a value that allows sufficient time for all routes to establish adjacency and exchange all the L3 routes between the VLT peers before you enable the VLT ports.
• One device in the VLT domain is assigned the primary role; the other device takes the secondary role. The primary and secondary roles are required for scenarios in which connectivity between the chassis is lost. VLT assigns the primary role to the chassis with the lowest MAC address. You can configure the primary role manually.
• In a VLT domain, the peer switches must run the same Dell EMC Networking OS software version.
• To connect servers and access switches with VLT peer switches, you use a VLT port channel, as shown in Overview. Up to 48 port-channels are supported; up to 16 member links are supported in each port channel between the VLT domain and an access device.
• The discovery protocol running between VLT peers automatically generates the ID number of the port channel that connects an access device and a VLT switch.
• To verify that a VLT peer is consistently configured for either the master or backup role in all VRRP groups, use the show vrrp command on each peer.
• Configure the same L3 routing (static and dynamic) on each peer so that the L3 reachability and routing tables are identical on both VLT peers. Both the VRRP master and backup peers must be able to locally forward L3 traffic in the same way.
VLT Bandwidth Monitoring
When bandwidth usage of the VLTi (ICL) exceeds 80%, a syslog error message (shown in the following message) and an SNMP trap are generated.
%STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 )
When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (shown in the following message) and an SNMP trap.
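The following detector is an added example, not Dell code. It tracks the VLTi bandwidth messages above per port-channel so that a syslog collector can raise one alert when the ICL saturates and clear it when usage drops back, rather than paging on every repeated message. The crosses-threshold line is the format shown on this page; the below-threshold message is not reproduced on the page, so its wording in the constructed sample stream is assumed. The detector keys on the port-channel number and the numeric Bandwidth usage field, not on the wording, so either form is handled.

```python
"""Track VLTi (ICL) bandwidth-threshold syslog messages per port-channel.

Added example, not Dell code. The 'drops below threshold' wording and the
timestamps in SAMPLE_LOG are constructed; the 'crosses threshold' line is the
page's own format.
"""
import re

ICL_RE = re.compile(
    r"%VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG "
    r"\(portchannel (?P<po>\d+)\) .*?Bandwidth usage \((?P<usage>\d+)\s*\)"
)
THRESHOLD_PERCENT = 80

SAMPLE_LOG = """\
Jan 10 12:00:01 %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 )
Jan 10 12:00:31 %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (91 )
Jan 10 12:01:05 %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) drops below threshold. Bandwidth usage (62 )
Jan 10 12:02:00 %STKUNIT0-M:CP %SOMEOTHER-6-EVENT: unrelated message
"""


def parse_icl_event(line):
    """Return (portchannel, usage_percent) for an ICL bandwidth message, else None."""
    m = ICL_RE.search(line)
    if not m:
        return None
    return int(m.group("po")), int(m.group("usage"))


def track_icl_saturation(lines, threshold=THRESHOLD_PERCENT):
    """Collapse repeated messages into 'saturated' / 'recovered' transitions.

    Returns (events, still_saturated) where events is a list of
    (portchannel, state, usage) tuples and still_saturated maps port-channels
    that have not recovered to the peak usage seen.
    """
    saturated = {}
    events = []
    for line in lines:
        parsed = parse_icl_event(line)
        if parsed is None:
            continue
        po, usage = parsed
        if usage >= threshold:
            if po not in saturated:
                events.append((po, "saturated", usage))   # first crossing only
            saturated[po] = max(saturated.get(po, 0), usage)
        elif po in saturated:
            events.append((po, "recovered", usage))
            del saturated[po]
    return events, saturated


if __name__ == "__main__":
    transitions, open_alerts = track_icl_saturation(SAMPLE_LOG.splitlines())
    for po, state, usage in transitions:
        print(f"port-channel {po}: {state} at {usage}%")
    print("still saturated:", open_alerts)
```

A saturated VLTi matters beyond capacity: traffic hashed to the wrong peer has to cross it, and if it is lost the peers fall back to the backup link heartbeat alone, so the open_alerts map is what an operator should watch before a maintenance window on either peer.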
PIM-Sparse Mode Support on VLT The designated router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources. Figure 132.
Each VLT peer runs its own PIM protocol independently of other VLT peers. To ensure the PIM protocol states or multicast routing information base (MRIB) on the VLT peers are synced, if the incoming interface (IIF) and outgoing interface (OIF) are Spanned, the multicast route table is synced between the VLT peers. To verify the PIM neighbors on the VLT VLAN and on the multicast port, use the show ip pim neighbor, show ip igmp snooping mrouter, and show running config commands.
Figure 133. Packets without peer routing enabled
If you enable peer routing, a VLT node acts as a proxy gateway for its connected VLT peer as shown in the image below. Even though the gateway address of the packet is different, Peer-1 routes the packet to its destination on behalf of Peer-2 to avoid sub-optimal routing.
Figure 134. Packets with peer routing enabled
Benefits of Peer Routing
• Avoids sub-optimal routing.
• Reduces latency by avoiding another hop in the traffic path.
VLT Unicast Routing VLT unicast routing is a type of VLT peer routing that locally routes unicast packets destined for the L3 endpoint of the VLT peer. This method avoids sub-optimal routing. Peer-routing syncs the MAC addresses of both VLT peers and requires two local DA entries in TCAM. If a VLT node is down, a timer that allows you to configure the amount of time needed for peer recovery provides resiliency. You can enable VLT unicast across multiple configurations using VLT links.
• When using factory default settings on a new switch deployed as a VLT node, packet loss may occur due to the requirement that all ports must be open.
• ECMP is not compatible on VLT nodes using VLT multicast. You must use a single VLAN.
Configuring VLT Multicast
To enable and configure VLT multicast, follow these steps.
1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
CONFIGURATION mode
vlt domain domain-id
2. Enable peer-routing.
1. Configure RSTP in the core network and on each peer switch as described in Rapid Spanning Tree Protocol (RSTP). Disabling RSTP on one VLT peer may result in a VLT domain failure.
2. Enable RSTP on each peer switch.
PROTOCOL SPANNING TREE RSTP mode
no disable
3. Configure each peer switch with a unique bridge priority.
1. Configure the VLT interconnect for the VLT domain. The primary and secondary switch roles in the VLT domain are automatically assigned after you configure both sides of the VLTi. NOTE: If you use a third-party ToR unit, to avoid potential problems if you reboot the VLT peers, Dell EMC recommends using static LAGs on the VLTi between VLT peers. 2. Enable VLT and create a VLT domain ID. VLT automatically selects a system MAC address. 3. Configure a backup link for the VLT domain. 4.
3. Configure the port channel to be used as the VLT interconnect between VLT peers in the domain.
VLT DOMAIN CONFIGURATION mode
peer-link port-channel id-number
4. Enable peer routing.
VLT DOMAIN CONFIGURATION mode
peer-routing
If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
5.
CONFIGURATION mode
delay-restore delay-restore-time
The range is from 1 to 1200. The default is 90 seconds.
Reconfiguring the Default VLT Settings (Optional)
To reconfigure the default VLT settings, use the following commands.
1. Enter VLT-domain configuration mode for a specified VLT domain.
CONFIGURATION mode
vlt domain domain-id
The range of domain IDs is from 1 to 1000.
2.
channel-member interface
interface: specify one of the following interface types:
• For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
5. Ensure that the port channel is active.
INTERFACE PORT-CHANNEL mode
no shutdown
6. Associate the port channel to the corresponding port channel in the VLT peer for the VLT connection to an attached device.
peer-link port-channel id-number
5. Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages.
VLT DOMAIN CONFIGURATION mode
back-up destination ip-address [interval seconds]
You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds.
6.
peer-routing If you enable peer routing, a VLT node acts as the proxy gateway for its peer. 17. Repeat steps 1 through 16 for the VLT peer node in Domain 1. 18. Repeat steps 1 through 16 for the first VLT node in Domain 2. 19. Repeat steps 1 through 16 for the VLT peer node in Domain 2. To verify the configuration of a VLT domain, use any of the show commands described in Verifying a VLT Configuration. VLT Sample Configuration To review a sample VLT configuration setup, study these steps. 1.
Dell-4(conf)#vlt domain 5
Dell-4(conf-vlt-domain)#
Configure the VLTi between VLT peer 1 and VLT peer 2.
1. You can configure the LACP/static LAG between the peer units (not shown).
2. Configure the peer-link port-channel in the VLT domains of each peer unit.
Dell-2(conf)#interface port-channel 1
Dell-2(conf-if-po-1)#channel-member GigabitEthernet 1/4-1/7
Dell-4(conf)#interface port-channel 1
Dell-4(conf-if-po-1)#channel-member GigabitEthernet 1/4-1/7
Configure the backup link between the VLT peer units.
In the ToR unit, configure LACP on the physical ports.
PVST+ Configuration PVST+ is supported in a VLT domain. Before you configure VLT on peer switches, configure PVST+ in the network. PVST+ is required for initial loop prevention during the VLT startup phase. You may also use PVST+ for loop prevention in the network outside of the VLT port channel. Run PVST+ on both VLT peer switches. A PVST+ instance is created for every VLAN configured in the system. PVST+ instances running in the Primary Peer control the VLT-LAGs on both Primary and Secondary peers.
• Access switch A1 is connected to two VLT peers (Dell-1 and Dell-2).
• The two VLT peers are connected to an upstream switch R1.
• OSPF is configured in the Dell-1, Dell-2, and R1 switches.
• Dell-1 is configured as the root bridge.
• Dell-1 is configured as the VLT primary.
• As the Router ID of Dell-1 is the highest in the topology (highest loopback address of 172.17.1.1), Dell-1 is the OSPF Designated Router.
• As the Router ID of Dell-2 is the second highest in the topology (172.16.1.
The following is the configuration in interfaces:
DellEMC#1#sh run int ma0/0
interface ManagementEthernet 0/0
 description Used_for_VLT_Keepalive
 ip address 10.10.10.1/24
 no shutdown
(The management interfaces are part of a default VRF and are isolated from the switch's data plane.)
In Dell-1, te 0/0 and te 0/1 are used for VLTi.
 description port-channel_to_access_switch_A1
 no ip address
 portmode hybrid
 switchport
 vlt-peer-lag port-channel 2
 no shutdown
Vlan 20 is used in Dell-1, Dell-2, and R1 to form OSPF adjacency. When OSPF is converged, the routing tables in all devices are synchronized.
DellEMC#1#sh run int vlan 20
interface Vlan 20
 description OSPF PEERING VLAN
 ip address 192.168.20.1/29
 untagged Port-channel 1
 no shutdown
!
DellEMC#1#sh run int vlan 800
interface Vlan 800
 description Client-VLAN
 ip address 192.168.8.
HeartBeat Messages Sent: 4
HeartBeat Messages Received: 5
Use the show vlt detail command to verify that VLT is functional and that the correct VLANs are allowed.
DellEMC#1#sh vlt detail
Local LAG Id  Peer LAG Id  Local Status  Peer Status  Active VLANs
------------  -----------  ------------  -----------  ------------
1             1            UP            UP           20
2             2            UP            UP           1, 800, 900
The following output displays the OSPF configuration in Dell-1
DellEMC#1#sh run | find router
router ospf 1
 router-id 172.17.1.1
 network 192.168.9.
800 0 0 0 ff:ff:ff:ff:ff:ff ff:ff:ff:ff:ff:ff 90:b1:1c:f4:2c:bd 90:b1:1c:f4:29:f3 STATIC STATIC LOCAL_DA LOCAL_DA 00001 00001 00001 00001A The above output shows that the 90:b1:1c:f4:2c:bd MAC address belongs to Dell-1. The 90:b1:1c:f4:29:f3 MAC address belongs to Dell-2. Also note that these MAC addresses are marked with LOCAL_DA. This means, these are the local destination MAC addresses used by hosts when routing is required.
Te 0/4 connects to the access switch A1.
Dell-2#sh run int te0/4
interface TenGigabitEthernet 0/4
 description To_Access_Switch_A1_fa0/13
 no ip address
 port-channel-protocol LACP
  port-channel 2 mode active
 no shutdown
Te 0/6 connects to the uplink switch R1.
Dell-2#sh run int te0/6
interface TenGigabitEthernet 0/6
 description To_CR1_fa0/13
 no ip address
 port-channel-protocol LACP
  port-channel 1 mode active
 no shutdown
Port channel 1 connects to the uplink switch R1.
 unit-id 0
 peer-routing
Verify that VLT on Dell-2 is functional.
Dell-2#sh vlt brief
VLT Domain Brief
------------------
Domain ID: 1
Role: Secondary
Role Priority: 55000
ICL Link Status: Up
HeartBeat Status: Up
VLT Peer Status: Up
Local Unit Id: 1
Version: 6(3)
Local System MAC address: 90:b1:1c:f4:29:f1
Remote System MAC address: 90:b1:1c:f4:2c:bb
Configured System MAC address: 90:b1:1c:f4:0
Remote system version:
Delay-Restore timer:
Peer routing :
Peer routing-Timeout timer:
Multicast peer routing timeout:
The following output displays the routes learned using OSPF. Dell-2 also learns the routes to the loopback addresses on R1 through OSPF.
Dell-2#show ip route ospf
Destination        Gateway
-----------        -------
O 2.2.2.2/24       via 192.168.20.3,
O 3.3.3.2/24       via 192.168.20.3,
O 4.4.4.2/24       via 192.168.20.3,
O 172.15.1.1/32    via 192.168.20.3,
O 172.16.1.2/32    via 192.168.20.
 network 172.15.1.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.7 area 0
CR1#show ip ospf neighbor (R1 is a DROTHER)
Neighbor ID     Pri   State      Dead Time   Address        Interface
172.16.1.2      1     FULL/BDR   00:00:31    192.168.20.2   Port-channel1
172.17.1.1      1     FULL/DR    00:00:38    192.168.20.1   Port-channel1
CR1#show ip route (Output Truncated)
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback2
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback3
O    192.168.8.0/24 [110/2] via 192.168.
Figure 136. eVLT Configuration Example
eVLT Configuration Step Examples
In Domain 1, configure the VLT domain and VLTi on Peer 1.
Domain_1_Peer1#configure
Domain_1_Peer1(conf)#interface port-channel 1
Domain_1_Peer1(conf-if-po-1)# channel-member GigabitEthernet 1/8-1/9
Domain_1_Peer1(conf)#vlt domain 1000
Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1
Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.
Configure eVLT on Peer 2.
Domain_1_Peer2(conf)#interface port-channel 100
Domain_1_Peer2(conf-if-po-100)# switchport
Domain_1_Peer2(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_1_Peer2(conf-if-po-100)# no shutdown
Add links to the eVLT port-channel on Peer 2.
PIM-Sparse Mode Configuration Example The following sample configuration shows how to configure the PIM Sparse mode designated router functionality on the VLT domain with two VLT port-channels that are members of VLAN 4001. For more information, refer to PIM-Sparse Mode Support on VLT. Examples of Configuring PIM-Sparse Mode The following example shows how to enable PIM multicast routing on the VLT node globally.
• Display the current configuration of all VLT domains or a specified group on the switch.
EXEC mode
show running-config vlt
• Display statistics on VLT operation.
EXEC mode
show vlt statistics
• Display the RSTP configuration on a VLT peer switch, including the status of port channels used in the VLT interconnect trunk and to connect to access devices.
EXEC mode
show spanning-tree rstp
• Display the current status of a port or port-channel interface used in the VLT domain.
Multicast peer-routing timeout : 150 seconds
DellEMC#
The following example shows the show vlt detail command.
HeartBeat Messages Received: 978 ICL Hello's Sent: 89 ICL Hello's Received: 89 The following example shows the show spanning-tree rstp command. The bold section displays the RSTP state of port channels in the VLT domain. Port channel 100 is used in the VLT interconnect trunk (VLTi) to connect to VLT peer2. Port channels 110, 111, and 120 are used to connect to access switches or servers (vlt).
Dell_VLTpeer1(conf-if-ma-1/1)#no shutdown
Dell_VLTpeer1(conf-if-ma-1/1)#exit
Configure the VLT interconnect (VLTi).
Dell_VLTpeer1(conf)#interface port-channel 100
Dell_VLTpeer1(conf-if-po-100)#no ip address
Dell_VLTpeer1(conf-if-po-100)#channel-member tenGigE 1/49,50
Dell_VLTpeer1(conf-if-po-100)#no shutdown
Dell_VLTpeer1(conf-if-po-100)#exit
Configure the port channel to an attached device.
Verify that the port channels used in the VLT domain are assigned to the same VLAN.
Description         | Behavior at Peer Up                                                | Behavior During Run Time                                           | Action to Take
System MAC mismatch | A syslog error message and an SNMP trap are generated.             | A syslog error message and an SNMP trap are generated.             | Verify that the unit ID of VLT peers is not the same on both units and that the MAC address is the same on both units.
Unit ID mismatch    | The VLT peer does not boot up. The VLTi is forced to a down state. | The VLT peer does not boot up. The VLTi is forced to a down state. |
When a VLTi port in trunk mode is a member of symmetric VLT PVLANs, the PVLAN packets are forwarded only if the PVLAN settings of both the VLT nodes are identical. You can configure the VLTi in trunk mode to be a member of non-VLT PVLANs if the VLTi is configured on both the peers. MAC address synchronization is performed for VLT PVLANs across peers in a VLT domain. Keep the following points in mind when you configure VLT nodes in a PVLAN: • • • Configure the VLTi link to be in trunk mode.
PVLAN Operations When a VLT Peer is Restarted When the VLT peer node is rebooted, the VLAN membership of the VLTi link is preserved and when the peer node comes back online, a verification is performed with the newly received PVLAN configuration from the peer. If any differences are identified, the VLTi link is either added or removed from the VLAN. When the peer node restarts and returns online, all the PVLAN configurations are exchanged across the peers.
VLT LAG Mode PVLAN Mode of VLT VLAN ICL VLAN Membership Mac Synchronization Peer1 Peer2 Peer1 Peer2 Access Access Secondary (Community) Secondary (Isolated) No No • • Yes Yes Promiscuous Promiscuous Primary X Primary X Primary Primary Yes Yes - Secondary (Community) - Secondary (Community) Yes Yes - Secondary (Isolated) - Secondary (Isolated) Yes Yes Promiscuous Trunk Primary Normal No No Promiscuous Trunk Primary Primary Yes No Access Access Secondary (Communi
2. Remove an IP address from the interface.
INTERFACE PORT-CHANNEL mode
no ip address
3. Add one or more port interfaces to the port channel.
INTERFACE PORT-CHANNEL mode
channel-member interface
interface: specify one of the following interface types:
• For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
4. Ensure that the port channel is active.
private-vlan mode primary
8. Map secondary VLANs to the selected primary VLAN.
INTERFACE VLAN mode
private-vlan mapping secondary-vlan vlan-list
The list of secondary VLANs can be:
• Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
• Specified with this command even before they have been created.
• Amended by specifying the new secondary VLAN to be added to the list.
Proxy ARP is enabled only if you enable peer routing on both VLT peers. If you disable peer routing by using the no peer-routing command in VLT DOMAIN mode, a notification is sent to the VLT peer to disable proxy ARP. If you disable peer routing while the ICL link is down, no notification is sent to the VLT peer, and in that case the VLT peer does not disable its proxy ARP operation. When you remove the VLT domain on one of the VLT nodes, the peer is notified of the peer-routing configuration removal.
show running-config
Sample configuration of VLAN-stack over VLT (Peer 1)
Configure the VLT domain
DellEMC(conf)#vlt domain 1
DellEMC(conf-vlt-domain)#peer-link port-channel 1
DellEMC(conf-vlt-domain)#back-up destination 10.16.151.116
DellEMC(conf-vlt-domain)#primary-priority 100
DellEMC(conf-vlt-domain)#system-mac mac-address 00:00:00:11:11:11
DellEMC(conf-vlt-domain)#unit-id 0
DellEMC(conf-vlt-domain)#
DellEMC#show running-config vlt
!
vlt domain 1
 peer-link port-channel 1
 back-up destination 10.16.151.
 shutdown
DellEMC#
Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN
DellEMC#show vlan id 50
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
       O - Openflow
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   o - OpenFlow untagged, O - OpenFlow tagged
   G - GVRP tagged, M - Vlan-stack
   i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged
NUM  Status  Description
50   Active  De
 no shutdown
DellEMC#
Configure the VLAN as a VLAN-Stack VLAN and add the VLT LAG as members to the VLAN
DellEMC(conf)#interface vlan 50
DellEMC(conf-if-vl-50)#vlan-stack compatible
DellEMC(conf-if-vl-50-stack)#member port-channel 10
DellEMC(conf-if-vl-50-stack)#member port-channel 20
DellEMC(conf-if-vl-50-stack)#
DellEMC#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdown
DellEMC#
Verify that the Port Channels used in the VLT Domain are Assigned
level hashing in the ToR switch, it is routed instead of forwarding the packet to node1. This processing occurs because of the match or hit for the entry in the TCAM of the VLT node2. Synchronization of IPv6 ND Entries in a VLT Domain Because the VLT nodes appear as a single unit, the ND entries learned via the VLT interface are expected to be the same on both VLT nodes. VLT V6 VLAN and neighbor discovery protocol monitor (NDPM) entries synchronization between VLT nodes is performed.
Figure 137. Sample Configuration of IPv6 Peer Routing in a VLT Domain Sample Configuration of IPv6 Peer Routing in a VLT Domain Consider a sample scenario as shown in the following figure in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link. To the south of the VLT domain, Unit1 and Unit2 are connected to a ToR switch named Node B. Also, Unit1 is connected to another node, Node A, and Unit2 is linked to a node, Node C.
Neighbor Solicitation from VLT Hosts Consider a case in which NS for VLT node1 IP reaches VLT node1 on the VLT interface and NS for VLT node1 IP reaches VLT node2 due to LAG level hashing in the ToR. When VLT node1 receives NS from VLT VLAN interface, it unicasts the NA packet on the VLT interface. When NS reaches VLT node2, it is flooded on all interfaces including ICL. When VLT node 1 receives NS on ICL, it floods the NA packet on the VLAN.
When VLT node receives traffic from non-VLT host intended to VLT host, it routes the traffic to VLT interface. If VLT interface is not operationally up VLT node will route the traffic over ICL. Non-VLT host to North Bound traffic flow When VLT node receives traffic from non-VLT host intended to north bound with DMAC as self MAC it routes traffic to next hop.
ToR
1. Enable BFD globally.
TOR(conf)# bfd enable
2. Configure a VLT peer LAG.
TOR(conf)#interface gigabitethernet 1/1
TOR(conf-if-gi-1/1)#no ip address
TOR(conf-if-gi-1/1)#port-channel-protocol lacp
TOR(conf-if-gi-1/1)#port-channel 10 mode active
TOR(conf-if-gi-1/1)#no shutdown
TOR(conf)#interface gigabitethernet 1/2
TOR(conf-if-gi-1/2)#no ip address
TOR(conf-if-gi-1/2)#port-channel-protocol lacp
TOR(conf-if-gi-1/2)#port-channel 10 mode active
TOR(conf-if-gi-1/2)#no shutdown
3.
VLT Primary
1. Enable BFD globally.
VLT_Primary(conf)# bfd enable
2. Configure the port channel that is used as the VLTi link.
VLT_Primary(conf)# interface port-channel 100
VLT_Primary(conf-if-po-100)# no ip address
VLT_Primary(conf-if-po-100)# channel-member gigabitethernet 1/1, 1/2
VLT_Primary(conf-if-po-100)# no shutdown
3. Enable VLT and configure a VLT domain.
4. Configure a VLT peer LAG.
VLT_Primary(conf)#interface gigabitethernet 1/3
VLT_Primary(conf-if-gi-1/3)#no ip address
VLT_Primary(conf-if-gi-1/3)#port-channel-protocol lacp
VLT_Primary(conf-if-gi-1/3)#port-channel 10 mode active
VLT_Primary(conf-if-gi-1/3)#no shutdown
VLT_Primary(conf)#interface port-channel 10
VLT_Primary(conf-if-po-10)#no ip address
VLT_Primary(conf-if-po-10)#switchport
VLT_Primary(conf-if-po-10)#vlt-peer-lag port-channel 10
VLT_Primary(conf-if-po-10)#no shutdown
5.
Remote System MAC address:        f4:8e:38:6a:97:3f
Remote system version:            6(9)
Delay-Restore timer:              90 seconds
Delay-Restore Abort Threshold:    60 seconds
Peer-Routing :                    Enabled
Peer-Routing-Timeout timer:       0 seconds
Multicast peer-routing timeout:   150 seconds
62 VLT Proxy Gateway
The virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route Layer 3 (L3) packets that are destined to an L3 end point in another VLT domain. Enable the VLT proxy gateway using either the link layer discovery protocol (LLDP) method or static configuration. For more information, see the Command Line Reference Guide.
Figure 139. Sample Configuration for a VLT Proxy Gateway

Guidelines for Enabling the VLT Proxy Gateway
Keep the following points in mind when you enable a VLT proxy gateway:
• Proxy gateway is supported only for VLT; for example, across a VLT domain.
• You must enable the VLT peer-routing command for the VLT proxy gateway to function.
• When a Virtual Machine (VM) moves from one VLT domain to another VLT domain, the VM host sends a gratuitous ARP (GARP), which in turn triggers a MAC move from the previous VLT domain to the new VLT domain.
• After a station move, if the host sends a packet with TTL 1 destined to its gateway (for example, a previous VLT node), the packet can be dropped.
• LLDP packets fail to reach the remote VLT domain devices (for example, because the system is down or rebooting, or the port's physical link is down).

LLDP VLT Proxy Gateway in a Square VLT Topology
Figure 140. Sample Configuration for a VLT Proxy Gateway
• The preceding figure shows a sample square VLT proxy gateway topology. There are no diagonal links in the square VLT connection between C and D in VLT domain 1 and C1 and D1 in VLT domain 2. This causes sub-optimal routing.
• You can disable the VLT Proxy Gateway for a particular VLAN using an "Exclude-VLAN" configuration. The configuration has to be done in both the VLT domains [C and D in VLT domain 1 and C1 and D1 in VLT domain 2].
Figure 141. VLT Proxy Gateway Sample Topology

VLT Domain Configuration
Dell-1 and Dell-2 constitute VLT domain 120. Dell-3 and Dell-4 constitute VLT domain 110. These two VLT domains are connected using the VLT LAG Po 50. To learn how to configure the interfaces in VLT domains, see the Configuring VLT section.

Dell-1 VLT Configuration
vlt domain 120
 peer-link port-channel 120
 back-up destination 10.1.1.
Note that on the inter-domain link, the switchport command is enabled. On a VLTi link between VLT peers in a VLT domain, the switchport command is not used.

VLAN 100 is used as the OSPF peering VLAN between Dell-1 and Dell-2.
interface Vlan 100
 description OSPF Peering VLAN to Dell-2
 ip address 10.10.100.1/30
 ip ospf network point-to-point
 no shutdown

VLAN 101 is used as the OSPF peering VLAN between the two VLT domains.
interface Vlan 101
 description ospf peering vlan across VLTPG_Po50
 ip address 10.10.
Neighbor ID   Pri   State     Dead Time   Address       Interface   Area
4.4.4.4       1     FULL/ -   00:00:33    10.10.100.1   Vl 100      0

Dell-3 VLT Configuration
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.1
 primary-priority 4096
 system-mac mac-address 02:01:e8:d8:93:02
 unit-id 0
 peer-routing
!
proxy-gateway static
 remote-mac-address 00:01:e8:d8:93:07
 remote-mac-address 00:01:e8:d8:93:e5
These MAC addresses are the system L2 interface addresses of the switches at the remote site, Dell-1 and Dell-2.
Dell-4 VLT Configuration
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.0
 primary-priority 24576
 system-mac mac-address 02:01:e8:d8:93:02
 unit-id 1
 peer-routing
!
proxy-gateway static
 remote-mac-address 00:01:e8:d8:93:07
 remote-mac-address 00:01:e8:d8:93:e5
These MAC addresses are the system L2 interface addresses of the switches at the remote site, Dell-1 and Dell-2.
interface Vlan 102
 description ospf peering vlan to DELL-3
 ip address 10.10.102.
63 Virtual Routing and Forwarding (VRF)
VRF Overview
VRF improves functionality by allowing network paths to be segmented without using multiple devices. Using VRF also improves isolation: because traffic in one VRF is not routed into another, some deployments rely on this segmentation in place of per-tenant encryption and authentication. Keep in mind that VRF separation is a routing-table boundary on the device, not a cryptographic one; traffic that crosses shared links remains readable to anyone with access to those links. Internet service providers (ISPs) often take advantage of VRF to create separate virtual private networks (VPNs) for customers; VRF is also referred to as VPN routing and forwarding.
VRF Configuration Notes Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
Feature/Capability                          Support Status for Default VRF   Support Status for Non-default VRF
PBR, L3 QoS on VLANs                        Yes                              No (NOTE: QoS is not supported on VLANs.)
IPv4 ARP                                    Yes                              Yes
sFlow                                       Yes                              No
VRRP on physical and logical interfaces     Yes                              Yes
VRRPv3                                      Yes                              Yes
Secondary IP Addresses                      Yes                              Yes
Basic                                       Yes                              Yes
OSPFv3                                      Yes                              Yes
IS-IS                                       Yes                              Yes
BGP                                         Yes                              Yes
ACL                                         Yes                              No
Multicast                                   No                               No
NDP                                         Yes                              Yes
RAD                                         Yes                              Yes
DHCP                                        DHCP requests are not forwarded across VRF instances.
The VRF ID range is from 1 to 511. 0 is the default VRF ID. Assigning an Interface to a VRF You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface. NOTE: You can configure an IP address or subnet on a physical or VLAN interface that overlaps the same IP address or subnet configured on another interface only if the interfaces are assigned to different VRFs.
router ospf process-id vrf vrf-name
The process-id range is from 0-65535.

Configuring VRRP on a VRF Instance
You can configure the VRRP feature on interfaces that belong to a VRF instance. In a virtualized network that consists of multiple VRFs, various overlay networks can exist on a shared physical infrastructure. Nodes (hosts and servers) that are part of the VRFs can be configured with IP static routes for reaching specific destinations through a given gateway in a VRF.
interface management
When Management VRF is configured, the following interface range or interface group commands are disabled:
• ipv6 nd dad — Duplicate Address Detection
• ipv6 nd dns-server — Configure the DNS distribution option in RA packets originated by the router
• ipv6 nd hop-limit — Set the hop limit advertised in RAs and used in IPv6 data packets originated by the router
• ipv6 nd managed-config-flag — Hosts should use
Figure 143.
Figure 144. Setup VRF Interfaces

The following example relates to the configuration shown in the above illustrations.

Router 1
ip vrf blue 1
!
ip vrf orange 2
!
ip vrf green 3
!
interface GigabitEthernet 3/1
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 1/1
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip vrf forwarding orange
 ip address 20.0.0.1/24
 no shutdown
!
interface GigabitEthernet 1/3
 ip vrf forwarding green
 ip address 30.0.0.
 ip vrf forwarding blue
 ip address 1.0.0.1/24
 tagged GigabitEthernet 3/1
 no shutdown
!
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.1/24
 tagged GigabitEthernet 3/1
 no shutdown
!
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.1/24
 tagged GigabitEthernet 3/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.1
 network 1.0.0.0/24 area 0
 network 10.0.0.0/24 area 0
!
router ospf 2 vrf orange
 router-id 2.0.0.1
 network 2.0.0.0/24 area 0
 network 20.0.0.
!
router ospf 1 vrf blue
 router-id 1.0.0.2
 network 11.0.0.0/24 area 0
 network 1.0.0.0/24 area 0
 passive-interface GigabitEthernet 2/1
!
router ospf 2 vrf orange
 router-id 2.0.0.2
 network 21.0.0.0/24 area 0
 network 2.0.0.0/24 area 0
 passive-interface GigabitEthernet 2/2
!
ip route vrf green 30.0.0.0/24 3.0.0.1
!
The following shows the output of the show commands on Router 1.
    Destination      Gateway
    -----------      -------
C   2.0.0.0/24       Direct, Vl 192
C   20.0.0.0/24      Direct, Gi 1/2
O   21.0.0.0/24      via 2.0.0.
B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated,
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2,
E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1,
L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route
Gateway of last resort is not set
    Destination      Gateway
    -----------      -------
C   2.0.0.0/24       Direct, Vl 192
O   20.0.0.0/24      via 2.0.0.
C   21.0.0.0/24
You can also leak global routes to be made available to VRFs. As the global RTM usually contains a large pool of routes, when the destination VRF imports global routes, these routes will be duplicated into the VRF's RTM. As a result, it is mandatory to use route-maps to filter out leaked routes while sharing global routes with VRFs. Configuring Route Leaking without Filtering Criteria You can use the ip route-export tag command to export all the IPv4 routes corresponding to a source VRF.
A non-default VRF named VRF-blue is created and the interface 1/12 is assigned to it.
7. Configure the import target in VRF-blue.
ip route-import 1:1
8. Configure the export target in VRF-blue.
ip route-export 3:3
9. Configure VRF-green.
ip vrf vrf-green
interface-type slot/port
ip vrf forwarding VRF-green
ip address ip-address mask
A non-default VRF named VRF-green is created and the interface is assigned to it.
10.
O   44.4.4.4/32      via VRF-shared:144.4.4.4        0/0
C   144.4.4.0/24     Direct, VRF-shared:Gi 1/4       0/0

DellEMC# show ip route vrf VRF-Blue
O   22.2.2.2/32      via 122.2.2.2                   110/0    00:00:11
C   122.2.2.0/24     Direct, Gi 1/12                 0/0      00:32:36
O   44.4.4.4/32      via vrf-shared:144.4.4.4        0/0      00:32:36
C   144.4.4.0/24     Direct, vrf-shared:Gi 1/4       0/0      00:32:36

DellEMC# show ip route vrf VRF-Green
O   33.3.3.3/32      via 133.3.3.3                   00:00:11
C   133.3.3.         Direct, Gi 1/13                 0/0
While importing these routes into VRF-blue, you can further specify match conditions at the import end to define the filtering criteria based on which the routes are imported into VRF-blue. You can define a route-map import_ospf_protocol and then specify the match criteria as OSPF using the match source-protocol ospf command. You can then use the ip route-import route-map command to import routes matching the filtering criteria defined in the import_ospf_protocol route-map.
O   22.2.2.2/32      via 122.2.2.2                   00:00:11
O   44.4.4.4/32      via vrf-red:144.4.4.4           110/0    00:32:36   << only OSPF and BGP leaked from VRF-red

Important Points to Remember
• Only active routes are eligible for leaking. For example, if VRF-A has two routes to the same destination, one from BGP and one from OSPF, and the BGP route is not active, the OSPF route is the one installed and therefore the only one leaked.
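The following script is an editor-added model of the export/import semantics described in this section; it is not code from the guide or from Dell EMC Networking OS. It rebuilds the VRF-shared / VRF-blue / VRF-green scenario from the show output above (VRF names, prefixes and next hops are taken from that output; the inactive iBGP path in VRF-shared is a constructed addition), applies ip route-export and ip route-import tags, optionally filters an import through a route-map that matches source-protocol, and enforces the rule that only active routes are eligible for leaking.

```python
"""Model of VRF route leaking by export/import tag (editor-added example).

An export tag corresponds to 'ip route-export <tag>' in the source VRF and an
import tag to 'ip route-import <tag> [route-map <name>]' in the destination
VRF.  A route-map is modelled as the set of source protocols it matches.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PROTO_CODE = {"connected": "C", "static": "S", "ospf": "O", "bgp": "B"}


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str        # "connected", "static", "ospf" or "bgp"
    next_hop: str        # next-hop address, or the interface for connected routes
    active: bool = True  # False for a path that lost best-path selection in its own VRF


@dataclass
class Vrf:
    name: str
    routes: List[Route] = field(default_factory=list)
    export_tags: Set[str] = field(default_factory=set)
    # import tag -> allowed source protocols; None means no route-map (accept all)
    imports: Dict[str, Optional[Set[str]]] = field(default_factory=dict)

    def route_export(self, tag: str) -> None:
        self.export_tags.add(tag)

    def route_import(self, tag: str, match_source_protocol: Optional[Set[str]] = None) -> None:
        self.imports[tag] = set(match_source_protocol) if match_source_protocol else None


def leaked_routes(vrfs: List[Vrf]) -> Dict[str, List[Tuple[Route, str]]]:
    """Return, per destination VRF, the (route, source-VRF name) pairs leaked into it."""
    leaked: Dict[str, List[Tuple[Route, str]]] = {v.name: [] for v in vrfs}
    for dst in vrfs:
        for tag, allowed in dst.imports.items():
            for src in vrfs:
                if src is dst or tag not in src.export_tags:
                    continue  # the source VRF does not export this target
                for r in src.routes:
                    if not r.active:
                        continue  # only active routes are eligible for leaking
                    if allowed is not None and r.protocol not in allowed:
                        continue  # dropped by the route-map 'match source-protocol'
                    leaked[dst.name].append((r, src.name))
    return leaked


def routing_table(vrf: Vrf, leaked: Dict[str, List[Tuple[Route, str]]]) -> List[str]:
    """Render a VRF's table in the style of 'show ip route vrf <name>'."""
    lines = []
    for r in vrf.routes:
        if r.active:
            via = f"Direct, {r.next_hop}" if r.protocol == "connected" else f"via {r.next_hop}"
            lines.append(f"{PROTO_CODE[r.protocol]} {r.prefix} {via}")
    for r, src in leaked[vrf.name]:
        via = f"Direct, {src}:{r.next_hop}" if r.protocol == "connected" else f"via {src}:{r.next_hop}"
        lines.append(f"{PROTO_CODE[r.protocol]} {r.prefix} {via}")
    return lines


def build_scenario() -> List[Vrf]:
    """VRF-shared exports 1:1; VRF-blue imports it unfiltered and VRF-green imports it
    through a route-map that matches only OSPF (constructed from the guide's example)."""
    shared = Vrf("VRF-shared", [
        Route("144.4.4.0/24", "connected", "Gi 1/4"),
        Route("44.4.4.4/32", "ospf", "144.4.4.4"),
        # Constructed: an iBGP path for the same prefix that lost to OSPF on
        # administrative distance, so it is present in the VRF but not active.
        Route("44.4.4.4/32", "bgp", "144.4.4.9", active=False),
    ])
    blue = Vrf("VRF-blue", [
        Route("122.2.2.0/24", "connected", "Gi 1/12"),
        Route("22.2.2.2/32", "ospf", "122.2.2.2"),
    ])
    green = Vrf("VRF-green", [
        Route("133.3.3.0/24", "connected", "Gi 1/13"),
        Route("33.3.3.3/32", "ospf", "133.3.3.3"),
    ])
    shared.route_export("1:1")                                  # ip route-export 1:1
    blue.route_import("1:1")                                    # ip route-import 1:1
    blue.route_export("3:3")                                    # ip route-export 3:3
    green.route_import("1:1", match_source_protocol={"ospf"})   # ip route-import 1:1 route-map import_ospf_protocol
    return [shared, blue, green]


if __name__ == "__main__":
    vrfs = build_scenario()
    leaked = leaked_routes(vrfs)
    for v in vrfs:
        print(f"show ip route vrf {v.name}")
        print("\n".join("  " + line for line in routing_table(v, leaked)))
```

Running the script prints one table per VRF; VRF-blue gains both the connected and the OSPF route from VRF-shared, VRF-green gains only the OSPF route, and the inactive BGP path is never leaked, which is the point the guide makes under Important Points to Remember.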
64 Virtual Router Redundancy Protocol (VRRP) VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next hop IP address.
Figure 145. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. In conjunction with Virtual Link Trunking (VLT), you can configure optimized forwarding with virtual router redundancy protocol (VRRP).
NOTE: In a VLT environment, VRRP configuration acts as active-active and if route is not present in any of the VRRP nodes, the packet to the destination is dropped on that VRRP node. Table 123.
The following example shows how to verify the VRRP configuration.
DellEMC(conf-if-gi-1/1)#show conf
!
interface GigabitEthernet 1/1
 ip address 10.10.10.
You can configure up to 12 virtual IP addresses on a single VRRP group (VRID). The following rules apply to virtual IP addresses: • The virtual IP addresses must be in the same subnet as the primary or secondary IP addresses configured on the interface. Though a single VRRP group can contain virtual IP addresses belonging to multiple IP subnets configured on the interface, Dell EMC Networking recommends configuring virtual IP addresses belonging to the same IP subnet for any one VRRP group.
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
------------------
GigabitEthernet 1/2, VRID: 111, Version: 2, Net: 10.10.2.1
VRF: 0 default
State: Master, Priority: 100, Master: 10.10.2.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 27, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.2.2 10.10.2.
Configuring VRRP Authentication
Simple authentication of VRRP packets is intended to keep unintended routers from participating in a VRRP group. When you enable authentication, Dell EMC Networking OS includes the password in each VRRP advertisement it sends, and the receiving router uses that password to verify the advertisement. Because simple authentication carries the password in cleartext in every advertisement, it protects against misconfigured peers and accidental group overlap, not against an attacker who can capture or inject traffic on the segment; for that, restrict the VLAN to trusted routers. NOTE: You must configure all virtual routers in the VRRP group the same way: either enable authentication on every router with the same password, or leave authentication disabled on every router.
vrrp-group 111
 authentication-type simple 7 387a7f2df5969da4
 no preempt
 priority 255
 virtual-address 10.10.10.1
 virtual-address 10.10.10.2
 virtual-address 10.10.10.3
 virtual-address 10.10.10.10

Changing the Advertisement Interval
By default, the MASTER router transmits a VRRP advertisement to all members of the VRRP group every one second, indicating that it is operational and is the MASTER router.
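As an editor-added example (not code from the guide or from Dell EMC Networking OS), the following script parses show vrrp output in the format shown in this chapter and flags the conditions an operator would want to catch: a VRRPv2 group running with Authentication: (none), a virtual MAC that does not follow the 00:00:5e:00:01:VRID (IPv4) or 00:00:5e:00:02:VRID (IPv6) pattern visible in the outputs above, and a non-zero Bad pkts rcvd counter. The sample output embedded in the script is constructed from the guide's own examples, with the bad-packet counter of the first group raised to 3 for illustration.

```python
"""Audit 'show vrrp' output for weak or inconsistent VRRP groups (editor-added example).

Checks, per group:
  * the virtual MAC follows the VRRP convention 00:00:5e:00:01:<VRID> (IPv4)
    and 00:00:5e:00:02:<VRID> (IPv6), as in the outputs in this chapter;
  * VRRPv2 groups that run with 'Authentication: (none)';
  * a non-zero 'Bad pkts rcvd' counter, which can indicate a misconfigured or
    rogue router sending advertisements on the segment.
VRRPv3 (Version: 3) output carries no Authentication field, so that check is
skipped for version 3 groups.
"""
import re
from typing import Dict, List

# Constructed sample, based on the show vrrp outputs in this chapter, with the
# 'Bad pkts rcvd' counter of the first group raised to 3 for illustration.
SAMPLE_SHOW_VRRP = """\
------------------
GigabitEthernet 1/2, VRID: 111, Version: 2, Net: 10.10.2.1
VRF: 0 default
State: Master, Priority: 100, Master: 10.10.2.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 3, Adv sent: 27, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.2.2 10.10.2.3
Authentication: (none)
------------------
GigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f
VRF: 0 default
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address: 1::10 fe80::10
"""

# Group header: "<interface>, [IPv4 |IPv6 ]VRID: <n>[, Version: <v>], Net: ..."
HEADER_RE = re.compile(
    r"^(?P<intf>\S+ \S+), (?:(?P<fam>IPv4|IPv6) )?VRID: (?P<vrid>\d+)"
    r"(?:, Version: (?P<ver>\d+))?"
)


def expected_virtual_mac(vrid: int, ipv6: bool) -> str:
    """Virtual MAC a VRRP group should advertise for its VRID."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00:00:5e:00:%02x:%02x" % (2 if ipv6 else 1, vrid)


def parse_show_vrrp(text: str) -> List[Dict]:
    """Split 'show vrrp' output into one dict per VRRP group."""
    groups: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {
                "interface": m.group("intf"),
                "ipv6": m.group("fam") == "IPv6",
                "vrid": int(m.group("vrid")),
                "version": int(m.group("ver") or 2),  # some v2 outputs omit the Version field
                "fields": {},
            }
            groups.append(current)
            continue
        if current is None:
            continue
        # Remaining lines are comma-separated "Key: Value" pairs; values may contain spaces.
        for part in line.split(", "):
            if ": " in part:
                key, value = part.split(": ", 1)
                current["fields"][key] = value
    return groups


def audit(groups: List[Dict]) -> List[str]:
    """Return one finding string per weakness detected."""
    findings: List[str] = []
    for g in groups:
        f = g["fields"]
        tag = f"{g['interface']} VRID {g['vrid']}"
        want = expected_virtual_mac(g["vrid"], g["ipv6"])
        got = f.get("Virtual MAC address", "").lower()
        if got != want:
            findings.append(f"{tag}: virtual MAC {got or '?'} does not match expected {want}")
        if g["version"] == 2 and f.get("Authentication", "(none)") == "(none)":
            findings.append(f"{tag}: VRRPv2 group runs without authentication")
        bad = int(f.get("Bad pkts rcvd", "0"))
        if bad:
            findings.append(f"{tag}: {bad} bad VRRP packets received; check for a rogue or misconfigured peer")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_vrrp(SAMPLE_SHOW_VRRP)):
        print(finding)
```

Feed the script the output of show vrrp collected from each router; the parser relies only on the header and Key: Value lines shown in this chapter, so additional fields are kept without breaking it.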
Track an Interface or Object You can set Dell EMC Networking OS to monitor the state of any interface according to the virtual group. Each VRRP group can track up to 12 interfaces and up to 20 additional objects, which may affect the priority of the VRRP group. If the tracked interface goes down, the VRRP group’s priority decreases by a default value of 10 (also known as cost). If the tracked interface’s state goes up, the VRRP group’s priority increases by 10.
The following example shows how to verify tracking using the show conf command.
DellEMC(conf-if-gi-1/1-vrid-111)#show conf
!
vrrp-group 111
 advertise-interval 10
 authentication-type simple 7 387a7f2df5969da4
 no preempt
 priority 255
 track GigabitEthernet 1/2
 virtual-address 10.10.10.1
 virtual-address 10.10.10.2
 virtual-address 10.10.10.3
 virtual-address 10.10.10.10
The following example shows how to verify the tracking status.
Setting VRRP Initialization Delay When configured, VRRP is enabled immediately upon system reload or boot. You can delay VRRP initialization to allow the IGP and EGP protocols to be enabled prior to selecting the VRRP Master. This delay ensures that VRRP initializes with no errors or conflicts. You can configure the delay for up to 15 minutes, after which VRRP enables normally.
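The following script is an editor-added model of the election behaviour described in this chapter; it is not code from the guide or from Dell EMC Networking OS. It encodes the tracking rule above (a tracked interface that is down lowers the group priority by its cost, 10 by default, and restores it when the interface returns), priority 255 for the address owner, the higher interface address as the tie-breaker among routers that start together, and the rule stated in the note in the VRRP examples later in this chapter that a router already holding MASTER keeps it unless a router with a strictly higher priority and preemption enabled appears. Router names, addresses and interface names are constructed for the example.

```python
"""Model of VRRP master election with interface tracking (editor-added example).

Rules modelled, from this chapter:
  * priority 255 marks the address owner; backups use 1..254;
  * each tracked interface that is down lowers the group priority by its cost
    (default 10); the cost is restored when the interface comes back up;
  * the router with the highest effective priority becomes master, with the
    higher interface address breaking ties among routers that start together;
  * an existing master keeps its role unless a router with a strictly higher
    effective priority and preemption enabled is present ('no preempt' on the
    would-be challenger leaves the current master in place).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_TRACK_COST = 10
OWNER_PRIORITY = 255


@dataclass
class VrrpRouter:
    name: str
    address: str                 # interface IP of this router, used for tie-breaking
    priority: int = 100          # configured priority (255 = address owner)
    preempt: bool = True         # False models 'no preempt' under vrrp-group
    tracked: Dict[str, int] = field(default_factory=dict)  # interface -> cost

    def track(self, interface: str, cost: int = DEFAULT_TRACK_COST) -> None:
        """Model 'track <interface> [priority-cost <cost>]'."""
        self.tracked[interface] = cost

    def effective_priority(self, link_up: Dict[str, bool]) -> int:
        """Configured priority minus the cost of every tracked interface that is down."""
        down_cost = sum(cost for intf, cost in self.tracked.items() if not link_up.get(intf, True))
        return max(1, self.priority - down_cost)


def elect_master(routers: List[VrrpRouter], link_up: Dict[str, bool],
                 current_master: Optional[VrrpRouter] = None) -> VrrpRouter:
    """Return the router that holds MASTER after the election rules are applied.

    All routers in one group share an address family, so their addresses compare.
    """
    def rank(r: VrrpRouter):
        return (r.effective_priority(link_up), ipaddress.ip_address(r.address))

    best = max(routers, key=rank)
    if current_master is None or current_master not in routers:
        return best  # cold start: highest priority, then highest address
    if (best is not current_master and best.preempt
            and best.effective_priority(link_up) > current_master.effective_priority(link_up)):
        return best  # a higher-priority router with preemption takes over
    return current_master  # equal priority (or no preempt) leaves the master in place


if __name__ == "__main__":
    r2 = VrrpRouter("R2", "10.1.1.1", priority=200)
    r2.track("GigabitEthernet 2/30")          # constructed uplink tracked by R2
    r3 = VrrpRouter("R3", "10.1.1.2", priority=195)
    for state in ({"GigabitEthernet 2/30": True}, {"GigabitEthernet 2/30": False}):
        winner = elect_master([r2, r3], state, current_master=r2)
        print(f"uplink up={state['GigabitEthernet 2/30']}: R2 priority "
              f"{r2.effective_priority(state)}, master {winner.name}")
```

With the uplink up, R2 (200) is master; when it goes down R2 drops to 190, R3 (195) preempts, and when the uplink returns R2 preempts again. Configure no preempt on R3 and R2 stays master even at 190, which is exactly the trade-off the preempt setting controls.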
Figure 146. VRRP for IPv4 Topology

Examples of Configuring VRRP for IPv4 and IPv6
The following example shows configuring VRRP for IPv4.

Router 2
R2(conf)#interface gigabitethernet 2/31
R2(conf-if-gi-2/31)#ip address 10.1.1.1/24
R2(conf-if-gi-2/31)#vrrp-group 99
R2(conf-if-gi-2/31-vrid-99)#priority 200
R2(conf-if-gi-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-gi-2/31-vrid-99)#no shut
R2(conf-if-gi-2/31)#show conf
!
interface GigabitEthernet 2/31
 ip address 10.1.1.
------------------
GigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
VRF: 0 default
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.3
Authentication: (none)
R2#

Router 3
R3(conf)#interface tengigabitethernet 3/21
R3(conf-if-gi-3/21)#ip address 10.1.1.2/24
R3(conf-if-gi-3/21)#vrrp-group 99
R3(conf-if-gi-3/21-vrid-99)#virtual 10.
Figure 147. VRRP for an IPv6 Configuration

NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with MASTER status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.

The following example shows configuring VRRP for IPv6 on Router 2 and Router 3. Configure a virtual link-local (fe80) address for each VRRPv3 group created on an interface.
interface GigabitEthernet 1/1
 ipv6 address 1::1/64
 vrrp-group 10
  priority 100
  virtual-address fe80::10
  virtual-address 1::10
 no shutdown
R2(conf-if-gi-1/1)#end
R2#show vrrp
------------------
GigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net: fe80::201:e8ff:fe6a:c59f
VRF: 0 default
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135
Virtual
Both Switch-1 and Switch-2 have three VRF instances defined: VRF-1, VRF-2, and VRF-3. Each VRF has a separate physical interface to a LAN switch and an upstream VPN interface to connect to the Internet. Both Switch-1 and Switch-2 use VRRP groups on each VRF instance in order that there is one MASTER and one backup router for each VRF. In VRF-1 and VRF-2, Switch-2 serves as owner-master of the VRRP group and Switch-1 serves as the backup. On VRF-3, Switch-1 is the owner-master and Switch-2 is the backup.
S1(conf-if-gi-1/2-vrid-101)#virtual-address 10.10.1.2
S1(conf-if-gi-1/2)#no shutdown
!
S1(conf)#interface GigabitEthernet 1/3
S1(conf-if-gi-1/3)#ip vrf forwarding VRF-3
S1(conf-if-gi-1/3)#ip address 20.1.1.5/24
S1(conf-if-gi-1/3)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S1(conf-if-gi-1/3-vrid-105)#priority 255
S1(conf-if-gi-1/3-vrid-105)#virtual-address 20.1.1.
This VLAN scenario often occurs in a service-provider network in which you configure VLAN tags for traffic from multiple customers on customer-premises equipment (CPE), and separate VRF instances associated with each VLAN are configured on the provider edge (PE) router in the point-of-presence (POP).
10.1.1.100
Authentication: (none)

VRRP in VRF: Switch-2 VLAN Configuration
Switch-2
S2(conf)#ip vrf VRF-1 1
!
S2(conf)#ip vrf VRF-2 2
!
S2(conf)#ip vrf VRF-3 3
!
S2(conf)#interface GigabitEthernet 1/1
S2(conf-if-gi-1/1)#no ip address
S2(conf-if-gi-1/1)#switchport
S2(conf-if-gi-1/1)#no shutdown
!
S2(conf-if-gi-1/1)#interface vlan 100
S2(conf-if-vl-100)#ip vrf forwarding VRF-1
S2(conf-if-vl-100)#ip address 10.10.1.
Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1
VRF: 2 vrf2
State: Master, Priority: 100, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 10.1.1.100
Authentication: (none)

VRRP for IPv6 Configuration
This section shows a VRRP IPv6 topology with CLI configurations.
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with MASTER status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.

Router 2
R2(conf)#interface gigabitethernet 1/1
R2(conf-if-gi-1/1)#no ip address
R2(conf-if-gi-1/1)#ipv6 address 1::1/64
R2(conf-if-gi-1/1)#vrrp-group 10
NOTE: You must configure a virtual link-local (fe80) address for each VRRPv3 group created on an interface.
VRF: 0 default
State: Backup, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 11, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address: 1::10 fe80::10

DellEMC#show vrrp gigabitethernet 1/1
GigabitEthernet 1/1, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76
VRF: 0 default
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down: 0 ce
Port-channel 1, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76
VRF: 2 vrf2
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 548, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe80::255

Proxy Gateway with VRRP
VLT proxy gateway solves the inefficient traffic trombone problem when VLANs are extended between data cen
• The core routers C1 and D1 in the local VLT domain are connected to the core routers C2 and D2 in the remote VLT domain using VLT links.
• The core routers C1 and D1 in the local VLT domain, along with C2 and D2 in the remote VLT domain, are part of a Layer 3 cloud.
• The core routers C1, D1, C2, and D2 are in a VRRP group with the same vrrp-group ID.
When a virtual machine running in Server Rack 1 migrates to Server Rack 2, L3 packets for that VM are routed through the default gateway.
 unit-id 1
 peer-routing
interface port-channel 128
 channel-member ten 1/1/1
 channel-member ten 1/1/2
 no shutdown
int ten 1/5/1
 port-channel-protocol lacp
  port-channel 10 mode active
 no shut
int ten 1/4/1
 port-channel-protocol lacp
  port-channel 20 mode active
 no shut
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.3/24
 tagged port-channel 10
 vrrp-group 10
  advertise-interval 60
  virtual-ip 100.1.1.254
  priority 100
 no shutdown
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.0/24 area 0

Sample configuration of D2:
vlt domain 10
 peer-link port-channel 128
 back-up destination 10.16.140.
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.
65 Debugging and Diagnostics
Offline Diagnostics
The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels:
• Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, Level 0 diagnostics verify the identification registers of the components on the board.
• Level 1 — A smaller set of diagnostic tests.
Diagnostic results are printed to a file in the flash using the filename format TestReport-SU-.txt. Log messages differ somewhat when diagnostics are done on a standalone unit and on a stack member. 4. View the results of the diagnostic tests. EXEC Privilege mode show file flash://TestReport-SU-stack-unit-id.
• show hardware stack-unit {1–12} cpu management statistics
View driver-level statistics for the data-plane port on the CPU for the specified stack unit.
EXEC Privilege mode
• show hardware stack-unit {1–12} cpu data-plane statistics
This view provides insight into the packet types entering the CPU, to see whether CPU-bound traffic is internal (IPC traffic) or network control traffic that the CPU must process.
[Port table: thirteen SFP+ entries, each reporting 1638400; the remaining columns did not survive extraction.]
Length(OM2) 1m = 0x00
Length(OM1) 1m = 0x00
Length(Copper) 1m = 0x03
Vendor Rev = B
Laser Wavelength = 256 nm
CheckCodeBase = 0xe2
Serial Extended ID fields
Options = 0x00 0x00
BR max = 0
BR min = 0
Vendor SN = CN053HVN3711D9N
Datecode = 130703
CheckCodeExt = 0x3a
SFP+ 1638400 DOM is not supported
DellEMC#

Recognize an Overtemperature Co
Recognize an Under-Voltage Condition If the system detects an under-voltage condition, it sends an alarm. To recognize this condition, look for the following system message: %CHMGR-1-CARD_SHUTDOWN: Major alarm: stack unit 2 down - auto-shutdown due to under voltage. This message indicates that the specified card is not receiving enough power. In response, the system first shuts down Power over Ethernet (PoE). If the under-voltage condition persists, line cards are shut down, then the RPMs.
• show hardware system-flow layer2 stack-unit stack-unit-number port-set 0 {counters | pipeline 0-3}
• show hardware drops interface interface
• show hardware buffer-stats-snapshot resource interface interface
• show hardware buffer interface interface {priority-group {id | all} | queue {id | all}} buffer-info
• show hardware buffer-stats-snapshot resource interface interface {priority-group {id | all} | queue {ucast {id | all} | mcast {id | all} | all}}
• show hardware drops interface interface cl
IPv4 L3UC Aged & Drops          : 0
TTL Threshold Drops             : 0
INVALID VLAN CNTR Drops         : 0
L2MC Drops                      : 0
PKT Drops of ANY Conditions     : 0
Hg MacUnderflow                 : 0
TX Err PKT Counter              : 0
--- Error counters ---
Internal Mac Transmit Errors    : 0
Unknown Opcodes                 : 0
Internal Mac Receive Errors     : 0
DellEMC#show hardware stack-unit 1 drops
UNIT No: 1
Total Ingress Drops : 6804353
Total IngMac Drops  : 0
Total Mmu Drops     : 124904297
Total EgMac Drops   : 0
Total Egress Drops  : 0
DellEMC#show hardware stack-unit 1 drops unit 0
User
[Per-port drop-counter rows for unit 0, ports 25 through 53; the column layout did not survive extraction.]
[Per-port drop-counter rows continued: ports 54/1 through 54/4 and internal ports 69 through 72; the column layout did not survive extraction.]

Dataplane Statistics
The show hardware stack-unit cpu data-plane statistics command provides insight into the packet types coming to the CPU. The show hardware stack-unit cpu party-bus statistics command displays input and output statistics on the party bus, which carries inter-process communication traffic between CPUs.
txPkt(COS11) :0
txPkt(UNIT0) :0

Example of Viewing Party Bus Statistics
DellEMC#sh hardware stack-unit 1 cpu party-bus statistics
Input Statistics:
  27550 packets, 2559298 bytes
  0 dropped, 0 errors
Output Statistics:
  1649566 packets, 1935316203 bytes
  0 errors

Display Stack Port Statistics
The show hardware stack-unit stack-port command displays input and output statistics for a stack-port interface.
RX - Multicast Packet Counter
RX - Broadcast Frame Counter
RX - Byte Counter
RX - Control Frame Counter
RX - PAUSE Frame Counter
RX - Oversized Frame Counter
RX - Jabber Frame Counter
RX - VLAN Tag Frame Counter
RX - Double VLAN Tag Frame Counter
RX - RUNT Frame Counter
RX - Fragment Counter
RX - VLAN Tagged Packets
TX - 64 Byte Frame Counter
TX - 64 to 127 Byte Frame Counter
TX - 128 to 255 Byte Frame Counter
TX - 256 to 511 Byte Frame Counter
TX - 512 to 1023 Byte Frame Counter
RX - Broadcast Frame Counter
RX - Byte Counter
RX - Control Frame Counter
RX - Pause Control Frame Counter
RX - Oversized Frame Counter
RX - Jabber Frame Counter
RX - VLAN Tag Frame Counter
RX - Double VLAN Tag Frame Counter
RX - RUNT Frame Counter
RX - Fragment Counter
RX - VLAN Tagged Packets
RX - Ingress Dropped Packet
RX - MTU Check Error Frame Counter
RX - PFC Frame Priority 0
RX - PFC Frame Priority 1
RX - PFC Frame Priority 2
RX - PFC Frame Priority 3
RX - PFC Frame Priority 4
RX - PFC Frame Priority
flash: 2368282624 bytes total (2293637120 bytes free)

Example of a Mini Core Text File
VALID MAGIC
-----------------PANIC STRING-----------------
panic string is :
---------------STACK TRACE START--------------
0035d60c :
00274f8c :
0024e2b0 :
0024dee8 :
0024d9c4 :
002522b0 :
0026a8d0 :
0026a00c :
----------------STACK TRACE END---------------
-------------------FREE MEM
66 Standards Compliance This chapter describes standards compliance for Dell EMC Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell EMC Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance Dell EMC Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell EMC Networking OS first supports the standard. General Internet Protocols The following table lists the Dell EMC Networking OS support per platform for general internet protocols. Table 126.
RFC#   Full Name                                                                                S-Series   S3048–ON     S4048–ON     Z9100–ON   S4048T-ON   S6010–ON
2474   Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers  7.7.1      9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.1)
2615   PPP over SONET/SDH                                                                                  9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.1)
2698   (name not recovered)                                                                                9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.1)
       (RFC number and name not recovered)                                                                 9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.1)
       (RFC number and name not recovered)                                                                 9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.
RFC#   Full Name                                                                                 S-Series   S3048–ON     S4048–ON     Z9100–ON   S4048T-ON   S6010–ON
1305   Network Time Protocol (Version 3) Specification, Implementation and Analysis               7.6.1      9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.1)
1519   Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy       7.6.1      9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.1)
1542   Clarifications and Extensions for                                                          7.6.       9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.1)
RFC#   Full Name                                                               S-Series   S3048–ON     S4048–ON     Z9100–ON   S4048T-ON   S6010–ON
4291   Internet Protocol Version 6 (IPv6) Addressing Architecture              7.8.1      9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.1)
4443   Internet Control Message Protocol (ICMPv6) for the IPv6 Specification   7.8.1      9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.1)
4861   (name not recovered)                                                    8.3.12.0   9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.1)
4862   IPv6 Stateless Address Autoconfiguration                                8.3.12.0   9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.
Open Shortest Path First (OSPF)
The following table lists the Dell EMC Networking OS support per platform for the OSPF protocol.
Table 130. Open Shortest Path First (OSPF)
RFC #   Full Name                                   S-Series/Z-Series   S3048–ON     S4048–ON     Z9100–ON   S4048T-ON   S6010–ON
1587    The OSPF Not-So-Stubby Area (NSSA) Option   7.6.1               9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.1)
2154    OSPF with Digital Signatures                7.6.1               9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.1)
2370    The OSPF Opaque LSA Option                  7.6.1               9.8(0.
RFC#                                Full Name                                                           S3048–ON     S4048–ON     Z9100–ON   S4048T-ON   S6010–ON
5308                                Routing IPv6 with IS-IS                                             9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.1)
draft-ietf-isis-igp-p2p-over-lan-06 Point-to-point operation over LAN in link-state routing protocols   9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.1)
draft-kaplan-isis-ext-eth-02        Extended Ethernet Frame Size Support                                9.8(0.0P2)   9.8(0.0P5)   9.8(1.0)   9.10(0.1)   9.10(0.
MIB Location You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.aspx You also can obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/CSPortal20/Main/Login.aspx Some pages of iSupport require a login. To request an iSupport account, go to: https://www.force10networks.com/CSPortal20/AccountRequest/AccountRequest.
67 X.509v3
Dell EMC Networking OS supports X.509v3 standards.
Topics:
• Introduction to X.509v3 certificates
• X.509v3 support in Dell EMC Networking OS
• Information about installing CA certificates
• Information about Creating Certificate Signing Requests (CSR)
• Information about installing trusted certificates
• Transport layer security (TLS)
• Online Certificate Status Protocol (OCSP)
• Verifying certificates
• Event logging
Introduction to X.509v3 certificates
X.
Advantages of X.509v3 certificates
Public-key authentication is preferred over password-based authentication, although both may be used in conjunction, for various reasons. Public-key authentication provides the following advantages over normal password-based authentication:
• Public-key authentication avoids the human problems of low-entropy password selection and provides more resistance to brute-force attacks than password-based authentication.
The other hosts on the network, such as the SUT switch, syslog server, and OCSP server, generate private keys and create Certificate Signing Requests (CSRs). The hosts then upload the CSRs to the Intermediate CA or make the CSRs available for the Intermediate CA to download. Dell EMC Networking OS generates a CSR using the crypto cert generate request command. The hosts on the network (SUT, syslog, OCSP…) also download and install the CA certificates from the Root and Intermediate CAs.
Installing CA certificate
To install a CA certificate, enter the crypto ca-cert install {path} command in Global Configuration mode.
Information about Creating Certificate Signing Requests (CSR)
A Certificate Signing Request (CSR) enables a device to get an X.509v3 certificate from a CA. In order for a device to get an X.509v3 certificate, the device first requests a certificate from a CA through a Certificate Signing Request (CSR).
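The hierarchy described above (the Root CA signs the Intermediate CA, each host generates its own private key and a CSR, the Intermediate CA issues the host certificate from that CSR, and each host installs the CA certificates as trust anchors) carried out end to end, as an added example that is not part of this guide and not Dell EMC Networking OS code. It uses the third-party Python `cryptography` package in place of the switch's crypto cert generate request and crypto ca-cert install commands. All names (Lab Root CA, Lab Intermediate CA, switch01.lab.example), validity periods and the fixed clock are constructed, and verify_chain is a deliberately minimal chain walk (signature, issuer name, CA flag, validity window) rather than a full RFC 5280 path validator; revocation checking is a separate step.

```python
"""Lab three-tier PKI (Root CA -> Intermediate CA -> device certificate) and a
minimal chain walk, built with the third-party `cryptography` package.
Added illustration only, not Dell EMC Networking OS code; every name, serial
number and date below is constructed."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Fixed clock (naive UTC) so the example is reproducible; constructed value.
NOW = datetime.datetime(2024, 1, 1)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_csr(common_name, key):
    """Host side: the CSR carries the public key and is signed with the private
    key, so the CA can check proof of possession without ever seeing the key."""
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(_name(common_name))
            .sign(key, hashes.SHA256()))


def issue(csr, issuer_cert, issuer_key, *, ca, days):
    """CA side: turn a CSR into a certificate. issuer_cert=None self-signs (root)."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify; refusing to issue")
    return (x509.CertificateBuilder()
            .subject_name(csr.subject)
            .issuer_name(issuer_cert.subject if issuer_cert else csr.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=days))
            # CA:TRUE only for CA certificates; a leaf must never be able to sign
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def build_lab_pki():
    """Returns (root_cert, intermediate_cert, device_cert) for the lab hierarchy."""
    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root = issue(make_csr("Lab Root CA", root_key), None, root_key, ca=True, days=3650)
    inter_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    inter = issue(make_csr("Lab Intermediate CA", inter_key), root, root_key, ca=True, days=1825)
    dev_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    dev = issue(make_csr("switch01.lab.example", dev_key), inter, inter_key, ca=False, days=365)
    return root, inter, dev


def ca_chain_pem(*ca_certs):
    """PEM bundle of CA certificates, the format a device installs as trust anchors."""
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in ca_certs)


def _validity(cert):
    """(not_before, not_after) as naive UTC, across old and new cryptography versions."""
    not_before = getattr(cert, "not_valid_before_utc", None)
    if not_before is None:
        return cert.not_valid_before, cert.not_valid_after
    return not_before.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


def signed_by(cert, issuer):
    """True if issuer signed cert: the issuer name matches and the RSA PKCS#1 v1.5
    signature over the to-be-signed bytes verifies under the issuer's public key."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return False
    return True


def verify_chain(leaf, intermediates, trusted_roots, now=NOW):
    """Walk leaf -> intermediates -> trusted root: every certificate must be within
    its validity window, every issuer must carry CA:TRUE, and each link must verify
    cryptographically. Revocation (OCSP) is a separate check, not done here."""
    chain = [leaf, *intermediates]
    for cert in chain:
        not_before, not_after = _validity(cert)
        if not (not_before <= now <= not_after):
            return False
    for child, parent in zip(chain, chain[1:]):
        ca_flag = parent.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
        if not ca_flag or not signed_by(child, parent):
            return False
    return any(signed_by(chain[-1], root) for root in trusted_roots)
```

The checks a device performs when a peer presents a certificate map directly onto verify_chain: a device that has installed only the Root CA certificate still needs the Intermediate CA certificate (sent by the peer or installed locally) to close the chain, and a certificate past its not-after date fails before any signature is examined.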
NOTE: The command contains multiple options, with the Common Name being a required field and blanks being filled in for unspecified fields.
Information about installing trusted certificates
Dell EMC Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS. This trusted certificate is also presented to TLS server implementations that require client authentication, such as Syslog.
TLS compression is disabled by default. TLS session resumption is also supported, to reduce the processor and traffic overhead of public key cryptographic operations and handshake traffic. The maximum time allowed for a TLS session to resume without repeating the TLS authentication or handshake process is configurable, with a default of 1 hour. You can also disable session resumption.
Configuring Revocation Behavior
You can configure the system behavior if an OCSP responder fails. By default, when all the OCSP responders fail to send a response to an OCSP request, the system accepts the certificate and logs the event. However, you can configure the system to reject the certificate if the OCSP responders fail.
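The revocation behavior above (query the configured responders in order; by default accept the certificate and log the event when all of them fail, or reject it when configured to do so) modelled as a decision function, as an added example that is not part of this guide and not Dell EMC Networking OS code. The responders are constructed stand-ins for real OCSP servers, the serial numbers are made up, and treating an "unknown" answer as a responder failure that falls through to the next responder is an assumption of the example, not documented switch behavior.

```python
"""Soft-fail versus hard-fail OCSP handling. Added illustration only, not
Dell EMC Networking OS code; responders, serials and log text are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class OcspStatus(Enum):
    GOOD = "good"                 # responder vouches the certificate is not revoked
    REVOKED = "revoked"           # definitive answer: never accept
    UNKNOWN = "unknown"           # responder answered but does not know this serial
    UNREACHABLE = "unreachable"   # timeout, no response or malformed response


@dataclass
class Decision:
    accepted: bool
    reason: str
    log: list = field(default_factory=list)


def check_revocation(serial, responders, reject_on_failure=False):
    """responders: ordered callables serial -> OcspStatus (stand-ins for the configured
    OCSP responders). Each is tried until one gives a definitive answer.
    reject_on_failure=False is the default described in the guide (accept and log);
    True is the hardened setting that rejects the certificate when every responder fails.
    Assumption of this example: an UNKNOWN answer is treated as a failed responder."""
    log = []
    for idx, responder in enumerate(responders):
        try:
            status = responder(serial)
        except Exception as exc:  # transport errors count as a failed responder
            status = OcspStatus.UNREACHABLE
            log.append(f"responder[{idx}]: error {exc!r}")
        if status is OcspStatus.GOOD:
            return Decision(True, f"responder[{idx}] reports good", log)
        if status is OcspStatus.REVOKED:
            # A revoked answer wins regardless of the failure policy.
            return Decision(False, f"responder[{idx}] reports revoked", log)
        log.append(f"responder[{idx}]: {status.value}, trying next")
    # No responder produced a definitive answer: apply the configured failure policy.
    if reject_on_failure:
        log.append(f"all {len(responders)} responders failed; rejecting serial {serial:#x}")
        return Decision(False, "all OCSP responders failed (hard-fail)", log)
    log.append(f"all {len(responders)} responders failed; accepting serial {serial:#x} (soft-fail)")
    return Decision(True, "all OCSP responders failed (soft-fail)", log)


# Constructed stand-in responders for a lab run.
def responder_down(serial):
    raise TimeoutError("no response within 5s")


def responder_unknown(serial):
    return OcspStatus.UNKNOWN


def responder_for(database):
    """A responder backed by a constructed serial -> status table."""
    def respond(serial):
        return database.get(serial, OcspStatus.UNKNOWN)
    return respond


LAB_DB = {0x1001: OcspStatus.GOOD, 0x1002: OcspStatus.REVOKED}  # constructed serials


if __name__ == "__main__":
    for serial in (0x1001, 0x1002, 0x1003):
        for hard in (False, True):
            d = check_revocation(serial, [responder_down, responder_for(LAB_DB)], hard)
            print(f"serial {serial:#x} reject_on_failure={hard}: accepted={d.accepted} ({d.reason})")
```

The point to take from the two policies: soft-fail keeps services reachable when the responders are down but means a revoked certificate is accepted during that outage, so the event log lines are the only signal; hard-fail closes that window at the cost of availability, which is why the guide leaves it as an explicit configuration choice.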
• A secure session negotiation fails due to an invalid, expired, or revoked certificate.
X.