Dell Configuration Guide for the S4820T System 9.14.1.5 May 2019 Rev.
Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2018 - 2019 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents

Chapter 1: About this Guide ... 31
Audience ... 31
Conventions
Moving a Command from EXEC Privilege Mode to EXEC Mode ... 55
Allowing Access to CONFIGURATION Mode Commands ... 55
Allowing Access to Different Modes ... 55
Applying a Privilege Level to a Username
Chapter 5: 802.1X ... 84
Port-Authentication Process ... 85
EAP over RADIUS ... 86
Configuring 802.1X
IP Prefix Lists ... 116
Configuration Task List for Prefix Lists ... 117
ACL Remarks
BGP global and address family configuration ... 172
Implement BGP with Dell EMC Networking OS ... 173
Configuration Information ... 176
Basic BGP configuration tasks
Configuring CAM Threshold and Silence Period ... 232
CAM Optimization ... 233
Troubleshoot CAM Profiling
Configuring DCBx ... 267
Verifying the DCB Configuration ... 270
Sample DCB Configuration
Creating an ECMP Group Bundle ... 307
Modifying the ECMP Group Threshold ... 307
RTAG7
FRRP Support on VLT ... 337
Chapter 18: GARP VLAN Registration Protocol (GVRP) ... 340
Configure GVRP ... 341
Enabling GVRP Globally
Designating a Multicast Router Interface ... 369
Chapter 21: Interfaces ... 370
Interface Types ... 371
View Basic Interface Information
Enabling Link Dampening ... 399
Link Bundle Monitoring ... 400
Using Ethernet Pause Frames for Flow Control ... 400
Enabling Pause Frames
Configuring a Broadcast Address ... 426
Configurations Using UDP Helper ... 427
UDP Helper with Broadcast-All Addresses
Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer ... 452
Enable and Disable iSCSI Optimization ... 453
Default iSCSI Optimization Values ... 453
iSCSI Optimization Prerequisites
Chapter 28: Layer 2 ... 493
Manage the MAC Address Table ... 493
Clearing the MAC Address Table ... 493
Setting the Aging Time for Dynamic Entries
Enabling a Switch for Multicast NLB ... 527
Chapter 31: Multicast Source Discovery Protocol (MSDP) ... 528
Anycast RP ... 529
Implementation Information
Enabling IP Multicast ... 563
Implementation Information ... 563
Multicast Policies
Configuring Stub Areas ... 614
Configuring Passive-Interface ... 614
Redistributing Routes
Displaying Remote-Port Mirroring Configurations ... 656
Configuration procedure for Remote Port Mirroring ... 656
Encapsulated Remote Port Monitoring ... 660
ERPM Behavior on a typical Dell EMC Networking OS
Displaying WRED Drop Statistics ... 701
Displaying egress-queue Statistics ... 701
Pre-Calculating Available QoS CAM Space ... 702
Configuring Weights and ECN for WRED
AAA Accounting ... 736
Configuration Task List for AAA Accounting ... 736
RADIUS Accounting ... 738
AAA Authentication
Configuring replay protection ... 777
Rate-limiting RADIUS packets ... 777
Configuring time-out value
Back-Off Mechanism ... 812
sFlow on LAG ports ... 812
Enabling Extended sFlow
Creating a VLAN ... 842
Assigning a VLAN Alias ... 842
Displaying the Ports in a VLAN
Configuring Storm Control from INTERFACE Mode ... 872
Configuring Storm Control from CONFIGURATION Mode ... 873
Chapter 53: Spanning Tree Protocol (STP) ... 874
Protocol Overview
Setting Recurring Daylight Saving Time ... 903
Chapter 56: Tunneling ... 905
Configuring a Tunnel ... 905
Configuring Tunnel Keepalive Settings
VLT Port Delayed Restoration ... 937
PIM-Sparse Mode Support on VLT ... 937
VLT Routing ... 939
Non-VLT ARP Sync
Creating a Non-Default VRF Instance ... 1001
Assigning an Interface to a VRF ... 1001
Assigning a Front-end Port to a Management VRF ... 1001
View VRF Instance Information
Chapter 65: Standards Compliance ... 1055
IEEE Compliance ... 1055
RFC and I-D Compliance ... 1056
General Internet Protocols
1 About this Guide

This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system. The S4820T platform is available with Dell EMC Networking OS version 8.3.19.0 and beyond.
2 Configuration Fundamentals

The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
The Dell EMC Networking OS CLI is divided into three major mode levels:
● EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
● EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted.
RSTP, ROUTE-MAP, ROUTER BGP, BGP ADDRESS-FAMILY, ROUTER ISIS, ISIS ADDRESS-FAMILY, ROUTER OSPF, ROUTER OSPFV3, ROUTER RIP, SPANNING TREE, SUPPORTASSIST, TRACE-LIST, VLT DOMAIN, VRRP, UPLINK STATE GROUP, uBoot

Navigating CLI Modes

The Dell EMC Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode.
Table 1.
The do Command

You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on) without having to return to EXEC mode by preceding the EXEC mode command with the do command. The following example shows the output of the do command.
 no ip address
 no shutdown
Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.

Obtaining Help

Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command:
● To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
Short-Cut Key Combination   Action
CNTL-L                      Re-enters the previous command.
CNTL-N                      Return to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow key.
CNTL-P                      Recalls commands, beginning with the last command.
CNTL-R                      Re-enters the previous command.
CNTL-U                      Deletes the line.
CNTL-W                      Deletes the previous word.
CNTL-X                      Deletes the line.
CNTL-Z                      Ends continuous scrolling of command outputs.
Esc B                       Moves the cursor back one word.
Example of the except Keyword
DellEMC#show system brief | except 1
Stack MAC   : 4c:76:25:e5:49:40
Reload-Type : normal-reload [Next boot : normal-reload]

The find keyword displays the output of the show command beginning from the first occurrence of specified text. The following example shows this command used in combination with the show system brief command.

Example of the find Keyword

The display command displays additional configuration information.
3 Getting Started

This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
Accessing the Console Port

To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.
3.
The SSH server transmits the terminal commands to the CLI shell and the results are displayed on the screen non-interactively.

Executing Local CLI Scripts Using an SSH Connection

You can execute CLI commands by entering a CLI script in one of the following ways:
ssh username@hostname
or
cat < CLIscript.file > | ssh admin@hostname
The script is run and the actions contained in the script are performed.
Accessing the System Remotely

Configuring the system for remote access is a three-step process, as described in the following topics:
1. Configure an IP address for the management port (Configure the Management Port IP Address).
2. Configure a management route with a default gateway (Configure a Management Route).
3. Configure a username and password (Configure a Username and Password).

Configure the Management Port IP Address

To access the system remotely, assign IP addresses to the management ports.
1.
○ sha256–password: Uses the sha256–based encryption method for the password.
○ encryption-type: Enter the encryption type for securing a user password. There are four encryption types:
  ■ 0 — input the password in clear text.
  ■ 5 — input the password that is already encrypted using the MD5 encryption method.
  ■ 7 — input the password that is already encrypted using the DES encryption method.
  ■ 8 — input the password that is already encrypted using the sha256–based encryption method.
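A small audit script for the four encryption types listed above, added here as an example (not code from the guide): it scans a running-config and reports every stored credential that is not type 8. It assumes the command forms `username NAME {password|secret|sha256-password} TYPE VALUE ...` and `enable {password|secret|sha256-password} TYPE VALUE`, a policy that requires type 8, and a constructed sample configuration.

```python
"""Audit the encryption types of stored credentials in a Dell EMC Networking OS
running-config, using the four encryption-type values listed above.

Added example, not code from the guide. Assumptions: credentials appear as
`username NAME {password|secret|sha256-password} TYPE VALUE ...` or
`enable {password|secret|sha256-password} TYPE VALUE`, the policy requires
type 8 for every stored credential, and the sample configuration is constructed.
"""
import re
from typing import Dict, List, Tuple

# Meaning of each encryption-type value, as described in the guide.
ENCRYPTION_TYPES: Dict[int, str] = {
    0: "clear text",
    5: "MD5",
    7: "DES",
    8: "sha256-based",
}
PREFERRED_TYPE = 8   # assumed policy: only sha256-based storage passes

# Matches the assumed command forms; lines without a numeric type (for example
# `nopassword`) are deliberately not matched and so are not reported.
CRED_RE = re.compile(
    r"^(?P<scope>username\s+(?P<name>\S+)|enable)\s+"
    r"(?P<keyword>password|secret|sha256-password)\s+"
    r"(?P<type>\d)\s+(?P<value>\S+)"
)


def audit_credentials(config_text: str) -> List[Tuple[str, int, str]]:
    """Return (principal, encryption_type, verdict) for every credential line.

    principal is "username:<name>" or "enable"; verdict is "ok" for
    PREFERRED_TYPE, "stored as <description>" for a weaker defined type, and
    "unknown type" for a value the guide does not define.
    """
    results: List[Tuple[str, int, str]] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # blank lines and comments
            continue
        m = CRED_RE.match(line)
        if m is None:
            continue
        enc = int(m["type"])
        principal = f"username:{m['name']}" if m["name"] else "enable"
        if enc == PREFERRED_TYPE:
            verdict = "ok"
        elif enc in ENCRYPTION_TYPES:
            verdict = f"stored as {ENCRYPTION_TYPES[enc]}"
        else:
            verdict = "unknown type"
        results.append((principal, enc, verdict))
    return results


def weak_credentials(config_text: str) -> List[Tuple[str, int, str]]:
    """Only the credentials that fail the policy."""
    return [r for r in audit_credentials(config_text) if r[2] != "ok"]


# Constructed running-config excerpt; hash strings are placeholders, not real digests.
SAMPLE_CONFIG = """\
! constructed excerpt
username admin password 0 ConstructedPlain privilege 15
username ops secret 5 $1$placeholder-md5 privilege 10
username noc password 7 0123456789abcdef
username sec sha256-password 8 $5$placeholder-sha256 privilege 15
enable password 7 fedcba9876543210
"""

if __name__ == "__main__":
    for principal, enc, verdict in audit_credentials(SAMPLE_CONFIG):
        print(f"{principal:16} type {enc}: {verdict}")
```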
Configuration File Management

Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode.

Copy Files to and from the System

The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url.
NOTE: For a detailed description of the copy command, refer to the Dell EMC Networking OS Command Reference.
Before executing any CLI command to perform file operations, you must first mount the NFS file system to a mount-point on the device. Because multiple mount-points can exist on a device, you must specify the mount-point you want to use. The /f10/mnt/nfs directory is the root of all mount-points. To mount an NFS file system, perform the following steps:
Table 4.
!
24 bytes successfully copied
DellEMC#
DellEMC#copy tftp://10.16.127.35/username/dv-maa-test ?
flash:          Copy to local file system ([flash://]filepath)
nfsmount:       Copy to nfs mount file system (nfsmount:///filepath)
running-config
remote host:
Destination file name [test.c]:
!
225 bytes successfully copied
DellEMC#

Save the Running-Configuration

The running-configuration contains the current system configuration. Dell EMC Networking recommends copying your running-configuration to the startup-configuration.
EXEC Privilege mode
show startup-config
The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
-   -   -   network   -   network
rw  tftp:
rw  scp:
You can change the default file system so that file management commands apply to a particular device or memory. To change the default directory, use the following command.
● Change the default directory.
EXEC Privilege mode
cd directory

Enabling Software Features on Devices Using a Command Option

The capability to activate software applications or components on a device using a command is supported on this platform. Starting with Release 9.4(0.
Example of the show command-history Command

Example 1: Default configuration service timestamps log datetime or service timestamps log datetime localtime
DellEMC(conf)#service timestamps log datetime
DellEMC# show command-history
[May 17 15:38:55]: CMD-(CLI):[service timestamps log datetime]by default from console - Repeated 1 time.
[May 17 15:41:40]: CMD-(CLI):[write memory]by default from console - Repeated 1 time.
[May 17 15:53:16]: CMD-(CLI):[write memory]by default from console - Repeated 3 times.
[May 17 15:53:22]: CMD-(CLI):[show logging]by default from console - Repeated 1 time.
[May 17 15:53:36]: CMD-(CLI):[write memory]by default from console - Repeated 5 times.
Verify Software Images Before Installation

To validate the software image on the flash drive, you can use the MD5 message-digest algorithm or the SHA256 Secure Hash Algorithm, after the image is transferred to the system but before the image is installed. The validation calculates a hash value of the downloaded image file on the system's flash drive and, optionally, compares it to a Dell EMC Networking published hash for that file.
4 Management

This chapter describes the different protocols or services used to manage the Dell EMC Networking system.
Removing a Command from EXEC Mode

To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.
privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
● Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
CONFIGURATION mode
privilege {configure |interface | line | route-map | router} level level {command ||...
DellEMC(conf)# interface group vlan 1 - 2 , tengigabitethernet 1/1
DellEMC(conf-if-group-vl-1-2,te-1/1)# no shutdown
DellEMC(conf-if-group-vl-1-2,te-1/1)# end

Applying a Privilege Level to a Username

To set the user privilege level, use the following command.
● Configure a privilege level for a user.
CONFIGURATION mode
username username privilege level

Applying a Privilege Level to a Terminal Line

To set a privilege level for a terminal line, use the following command.
● Clearing Audit Logs

Enabling Audit and Security Logs

You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode. This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control.

Audit Logs

The audit log contains configuration events and information.
Example of the show logging auditlog Command
DellEMC#show logging auditlog
May 12 12:20:25: DellEMC#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: DellEMC#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:20:42: DellEMC#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.
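Audit-log entries in the format above are what a defender would feed into a review script. The following is an added example (not code from the guide) that parses them into structured events and flags watchlisted configuration commands and sessions from outside a management subnet; the sample lines after the first two are constructed, and the watchlist, the management subnet and the console-line form without a trailing "(ip)" are assumptions.

```python
"""Review Dell EMC Networking OS audit-log entries (the `show logging auditlog`
format shown above) and flag configuration changes a defender would want to see.

Added example, not code from the guide. The sample lines below are constructed
(modelled on the entries quoted above); the sensitive-command watchlist, the
management subnet and the console-line format without "(ip)" are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "<Mon DD HH:MM:SS>: <hostname>#: %CLI-<sev>-<command> by <user> from <line> (<ip>)"
# The trailing "(<ip>)" is made optional so entries from a console session parse too.
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"(?P<host>\S+?)#?: %CLI-(?P<sev>\d)-(?P<cmd>.+?) "
    r"by (?P<user>\S+) from (?P<line>\S+)(?: \((?P<src>[^)]+)\))?$"
)

# Assumed watchlist: command prefixes that weaken auditing or change who may log in.
SENSITIVE_PREFIXES = (
    "no logging", "username", "no username", "enable ",
    "privilege ", "no aaa ", "no ip ssh",
)


@dataclass
class AuditEvent:
    timestamp: str
    host: str
    severity: int
    command: str
    user: str
    line: str              # vty0, vty1, console, ...
    source: Optional[str]  # address in parentheses; None for console sessions


def parse_audit_line(raw: str) -> Optional[AuditEvent]:
    """Return the structured event, or None when the line is not an audit entry."""
    m = AUDIT_RE.match(raw.strip())
    if m is None:
        return None
    return AuditEvent(m["ts"], m["host"], int(m["sev"]), m["cmd"],
                      m["user"], m["line"], m["src"])


def review(lines, mgmt_net: str = "10.14.1.0/24"):
    """Classify each entry; returns (findings, unparsed).

    findings is a list of (reason, event): "sensitive-command" for a watchlisted
    command, "non-management-source" for a session from outside mgmt_net, and
    "unparseable-source" when the text in parentheses is not an IP address.
    """
    net = ipaddress.ip_network(mgmt_net)
    findings: List[Tuple[str, AuditEvent]] = []
    unparsed: List[str] = []
    for raw in lines:
        ev = parse_audit_line(raw)
        if ev is None:
            unparsed.append(raw)
            continue
        if ev.command.startswith(SENSITIVE_PREFIXES):
            findings.append(("sensitive-command", ev))
        if ev.source is None:       # console session: no remote address to check
            continue
        try:
            addr = ipaddress.ip_address(ev.source)
        except ValueError:
            findings.append(("unparseable-source", ev))
            continue
        if addr not in net:
            findings.append(("non-management-source", ev))
    return findings, unparsed


# Constructed sample: the first two lines are the ones quoted in the guide; the
# rest are invented to exercise the checks (192.0.2.0/24 is a documentation range).
SAMPLE_LINES = [
    "May 12 12:20:25: DellEMC#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)",
    "May 12 12:20:42: DellEMC#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)",
    "May 12 12:20:42: DellEMC#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98)",
    "May 12 12:31:07: DellEMC#: %CLI-6-username backup privilege 15 by admin from vty1 (192.0.2.77)",
    "May 12 12:31:30: DellEMC#: %CLI-6-no logging extended by backup from vty1 (192.0.2.77)",
    "May 12 12:32:00: DellEMC#: %CLI-6-show running-config by operator from console",
    "May 12 12:33:15: DellEMC#: %CLI-6-configure terminal by admin from vty0 (not-an-address)",
    "this line is not an audit entry",
]

if __name__ == "__main__":
    found, bad = review(SAMPLE_LINES)
    for reason, ev in found:
        print(f"{reason:24} {ev.timestamp}  {ev.user}@{ev.line} {ev.source or '-'}: {ev.command}")
    print(f"{len(bad)} line(s) could not be parsed")
```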
Pre-requisites

To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server:
DellEMC(conf)#ip ssh server enable
2. On the syslog server, create a reverse SSH tunnel from the syslog server to the Dell OS switch, using the following syntax:
ssh -R :: user@remote_host -nNf
In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.
Sending System Messages to a Syslog Server

To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424, The SYSLOG Protocol (R. Gerhards and Adiscon GmbH, March 2009), which obsoletes RFC 3164, and RFC 5426, Transmission of Syslog Messages over UDP.
● Specify the server to which you want to send system messages. You can configure up to eight syslog servers.
The following example enables login activity tracking. The system stores the login activity details for the last 30 days.
DellEMC(config)#login statistics enable
The following example enables login activity tracking and configures the system to store the login activity details for 12 days.
DellEMC(config)#login statistics enable
DellEMC(config)#login statistics time-period 12

Display Login Statistics

To view the login statistics, use the show login statistics command.
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 2

Example of the show login statistics user user-id command

The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or the custom defined time period.
Configuring Concurrent Session Limit

To configure the concurrent session limit, follow this procedure:
● Limit the number of concurrent sessions for each user.
CONFIGURATION mode
login concurrent-session limit number-of-sessions
The following example limits the permitted number of concurrent login sessions to 4.
CONFIGURATION mode
secure-cli enable
After entering the command, save the running-configuration. Once you save the running-configuration, the secured CLI mode is enabled. If you do not want to enter the secured mode, do not save the running-configuration. Once saved, to disable the secured CLI mode, you need to manually edit the startup-configuration file and reboot the system.
Display the Logging Buffer and the Logging Configuration

To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and system administrator can view the security logs.
○ local3 (for local use)
○ local4 (for local use)
○ local5 (for local use)
○ local6 (for local use)
○ local7 (for local use)
○ lpr (for line printer system messages)
○ mail (for mail system messages)
○ news (for USENET news messages)
○ sys9 (system use)
○ sys10 (system use)
○ sys11 (system use)
○ sys12 (system use)
○ sys13 (system use)
○ sys14 (system use)
○ syslog (for syslog messages)
○ user (for user programs)
○ uucp (UNIX to UNIX copy protocol)
To view nondefault settings, use the show running-config
Enabling Timestamp on Syslog Messages

By default, syslog messages include a time/date stamp, taken from the datetime, stating when the error or message was created. To enable the timestamp, use the following command.
● Add a timestamp to syslog messages.
CONFIGURATION mode
service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] [utc] | uptime]
Specify the following optional parameters:
○ datetime: To view the timestamp in system local time that includes the local time zone.
May 17 15:41:40 %STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default

Example 2: service timestamps log datetime utc
DellEMC(conf)#service timestamps log datetime utc
DellEMC#show clock
15:47:05.
Trap logging: level informational
Last logging buffer cleared: May 17 15:50:31
1d0h25m %STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default
1d0h25m %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from console
1d0h24m %STKUNIT1-M:CP %IFMGR-5-OSTATE_UP: Changed interface state
1d0h24m %STKUNIT1-M:CP %IFMGR-5-ASTATE_UP: Changed interface Admin
1d0h24m %STKUNIT1-M:CP %IFMGR-5-OSTATE_DN: Changed interface state
1d0h24m %STKUNIT1-M:CP %IFMGR-5-ASTATE_DN: Changed interface Admin
Configuration Task List for File Transfer Services

The configuration tasks for file transfer services are:
● Enable FTP Server (mandatory)
● Configure FTP Server Parameters (optional)
● Configure FTP Client Parameters (optional)

Enabling the FTP Server

To enable the system as an FTP server, use the following command. To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.
● Enable FTP on the system.
CONFIGURATION mode
ip ftp source-interface interface
● Configure a password.
CONFIGURATION mode
ip ftp password password
● Enter a username to use on the FTP client.
CONFIGURATION mode
ip ftp username name
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enable FTP Server.

Terminal Lines

You can access the system remotely and restrict access to the system by creating user profiles.
ip access-list extended testdeny seq 10 deny ip 30.1.1.
line vty 1
 password myvtypassword
 login authentication myvtymethodlist
line vty 2
 password myvtypassword
 login authentication myvtymethodlist
DellEMC(config-line-vty)#

Setting Timeout for EXEC Privilege Mode

EXEC timeout is a basic security feature that returns Dell EMC Networking OS to EXEC mode after a period of inactivity on the terminal lines. To set the timeout, use the following commands.
● Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY.
login: admin DellEMC# Lock CONFIGURATION Mode Dell EMC Networking OS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). You can set two types of locks: auto and manual. ● Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access.
NOTE: You must enter the CLI commands. The system rejects them if they are copied and pasted. 4. Set the system parameters to ignore the startup configuration file when the system reloads. uBoot mode setenv stconfigignore true 5. To save the changes, use the saveenv command. uBoot mode saveenv 6. Reload the system. uBoot mode reset 7. Copy startup-config.bak to the running config. EXEC Privilege mode copy flash://startup-config.bak running-config 8.
enable {password | secret | sha256-password} 8. Save the running-config to the startup-config. EXEC Privilege mode copy running-config startup-config Recovering from a Failed Start A system that does not start correctly might be attempting to boot from a corrupted Dell Networking OS image or from a mis-specified location. In this case, you can restart the system and interrupt the boot process to point the system to another boot location. Use the setenv command, as described in the following steps.
The following example illustrates the restore factory-defaults command to restore the factory default settings. DellEMC#restore factory-defaults stack-unit 0 nvram *********************************************************************** * Warning - Restoring factory defaults will delete the existing * * persistent settings (stacking, fanout, etc.) * * After restoration the unit(s) will be powercycled immediately.
=> setenv gatewayip gateway_ip_address For example, 10.16.150.254. 6. Save the modified environmental variables. uBoot mode => saveenv 7. Reload the system. uBoot mode reset Dell EMC Networking OS Security Hardening The security of a network consists of multiple factors. Apart from access to the device, best practices, and implementing various security features, security also lies with the integrity of the device. If the software itself is compromised, all of the aforementioned methods become ineffective.
EXEC Privilege copy running-configuration startup-configuration After enabling and configuring OS image hash verification, the device verifies the hash checksum of the OS boot image during every reload. DellEMC# verified boot hash system-image A: 619A8C1B7A2BC9692A221E2151B9DA9E Image Verification for Subsequent OS Upgrades After enabling OS image hash verification, for subsequent Dell EMC Networking OS upgrades, you must enter the hash checksum of the new OS image file.
EXEC Privilege generate hash {md5 | sha1 | sha256} {flash://filename | startup-config} 3. Verify the hash checksum of the current startup configuration on the local file system. EXEC Privilege verified boot hash startup-config hash-value NOTE: The verified boot hash command is only applicable for the startup configuration file in the local file system. After enabling and configuring startup configuration verification, the device verifies the hash checksum of the startup configuration during every reload.
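The check that the two commands above set up (record a digest of the image or startup-config now, recompute it at every reload and refuse to trust the file if it differs) is easy to reproduce off-box. The following is an added example written for this guide, not code from Dell EMC Networking OS: it streams a file through md5, sha1 or sha256 (the three choices the generate hash command offers), compares the result with the recorded value in constant time, and shows the comparison failing once the startup-config is edited behind the recorded hash's back. The file contents, the file names and the demo() function are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Hash algorithms offered by the page's "generate hash {md5 | sha1 | sha256}" command.
ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory byte string."""
    return ALGORITHMS[algorithm](data).hexdigest()


def generate_hash(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 16) -> str:
    """Hex digest of a file, streamed in chunks so a large OS image need not fit in memory."""
    h = ALGORITHMS[algorithm]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verified_boot_check(path: str, recorded_hash: str, algorithm: str = "sha256"):
    """Recompute the digest of the file and compare it with the value recorded earlier.

    Returns (ok, actual_hex). A constant-time comparison is used so the check
    does not leak how many leading hex digits of the recorded value matched.
    """
    actual = generate_hash(path, algorithm)
    ok = hmac.compare_digest(actual.lower(), recorded_hash.strip().lower())
    return ok, actual


def demo() -> dict:
    """Run the check over a constructed image file and a constructed startup-config.

    Both files pass while unchanged; the startup-config fails after it is modified
    without the recorded hash being updated, which is what a reload-time check catches.
    """
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "system-image.bin")
        config = os.path.join(d, "startup-config")
        with open(image, "wb") as f:
            f.write(b"\x7fELF constructed-image-bytes " * 4096)   # constructed, not a real image
        with open(config, "w") as f:
            f.write("hostname DellEMC\nip ftp server enable\n")    # constructed sample config

        recorded_image = generate_hash(image, "md5")      # the page's example records an MD5
        recorded_config = generate_hash(config, "sha256")

        image_ok, _ = verified_boot_check(image, recorded_image, "md5")
        config_ok, _ = verified_boot_check(config, recorded_config, "sha256")

        # The startup-config is edited after its hash was recorded; the next
        # reload-time verification must reject the file.
        with open(config, "a") as f:
            f.write("ip ftp username ops\n")
        tampered_ok, _ = verified_boot_check(config, recorded_config, "sha256")

    return {"image_ok": image_ok, "config_ok": config_ok, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(demo())
```

The operational point the example makes: the recorded hash must itself be kept somewhere the file's writer cannot also reach (the page's verified boot hash commands store it in the device, entered by the administrator), and it has to be re-entered after every legitimate image upgrade or configuration save, as the next paragraph describes for OS upgrades.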
○ 0 directs the system to store the password as clear text. ○ 7 directs the system to store the password with a dynamic salt. When you configure the root access password, ensure that your password meets the following criteria:
○ A minimum of eight characters in length
○ A minimum of one lower case letter (a to z)
○ A minimum of one upper case letter (A to Z)
○ A minimum of one numeric character (0 to 9)
○ A minimum of one special character including a space (" !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~")
If you
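The five criteria above, and the difference between encryption type 0 (clear text) and type 7 (salted), can be shown in a few dozen lines. The following is an added example written for this guide, not code from Dell EMC Networking OS: check_root_password() returns the criteria a candidate fails, store_password() produces the configuration form for type 0 or type 7, and recoverable_from_config() shows what a reader of the saved configuration learns in each case. The page only says type 7 uses a "dynamic salt"; the choice of a random 16-byte salt with PBKDF2-HMAC-SHA256 is an assumption made for the example, and all function names are the example's own.

```python
import hashlib
import hmac
import os
import string

# Special characters the page lists as acceptable, space included.
SPECIAL_CHARS = set(" !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def check_root_password(password: str) -> list:
    """Return the criteria the password fails; an empty list means it is acceptable."""
    unmet = []
    if len(password) < 8:
        unmet.append("minimum of eight characters in length")
    if not any(c in string.ascii_lowercase for c in password):
        unmet.append("one lower case letter (a to z)")
    if not any(c in string.ascii_uppercase for c in password):
        unmet.append("one upper case letter (A to Z)")
    if not any(c in string.digits for c in password):
        unmet.append("one numeric character (0 to 9)")
    if not any(c in SPECIAL_CHARS for c in password):
        unmet.append("one special character including a space")
    return unmet


def store_password(password: str, encryption_type: int = 7, iterations: int = 200_000) -> str:
    """Return the form that would be written into the configuration.

    Type 0 keeps the clear text, exactly as the page describes. Type 7 is modelled
    here as a fresh random salt plus PBKDF2-HMAC-SHA256; that algorithm is an
    assumption, the page only says the OS stores the password "with a dynamic salt".
    """
    unmet = check_root_password(password)
    if unmet:
        raise ValueError("password rejected: " + "; ".join(unmet))
    if encryption_type == 0:
        return "0 " + password
    if encryption_type != 7:
        raise ValueError("encryption type must be 0 or 7")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"7 {salt.hex()}${iterations}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Check a login attempt against either stored form, using a constant-time comparison."""
    enc_type, _, rest = stored.partition(" ")
    if enc_type == "0":
        return hmac.compare_digest(rest.encode(), candidate.encode())
    salt_hex, iterations, digest_hex = rest.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def recoverable_from_config(stored: str):
    """What someone who reads the saved configuration learns: the password itself for
    type 0, and nothing but a salt and a digest for type 7."""
    enc_type, _, rest = stored.partition(" ")
    return rest if enc_type == "0" else None
```

Because the salt is drawn fresh for every call, two type 7 entries for the same password differ, so a copied configuration does not reveal which devices share a root password; a type 0 entry reveals the password to anyone who can read the file or a backup of it.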
5 802.1X 802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example). 802.
● The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. ● The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant.
Figure 5. EAP Port-Authentication EAP over RADIUS 802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79. Figure 6. EAP Over RADIUS RADIUS Attributes for 802.1X Support Dell EMC Networking systems include the following RADIUS attributes in all 802.
Configuring 802.1X Configuring 802.1X on a port is a one-step process. For more information, refer to Enabling 802.1X. Related Configuration Tasks
● Configuring Request Identity Re-Transmissions
● Forcibly Authorizing or Unauthorizing a Port
● Re-Authenticating a Port
● Configuring Timeouts
● Configuring a Guest VLAN
● Configuring an Authentication-Fail VLAN
Important Points to Remember ● Dell EMC Networking OS supports 802.
Enabling 802.1X Enable 802.1X globally. Figure 7. 802.1X Enabled 1. Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2. Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3. Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
no ip address dot1x authentication no shutdown ! DellEMC# To view 802.1X configuration information for an interface, use the show dot1x interface command. In the following example, the bold lines show that 802.1X is enabled on all ports unauthorized by default. DellEMC#show dot1x interface TenGigabitEthernet 2/1/ 802.
Configuring Request Identity Re-Transmissions When the authenticator sends a Request Identity frame and the supplicant does not respond, the authenticator waits for 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits can be configured.
Quiet Period: 120 seconds ReAuth Max: 2 Supplicant Timeout: 30 seconds Server Timeout: 30 seconds Re-Auth Interval: 3600 seconds Max-EAP-Req: 10 Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize Forcibly Authorizing or Unauthorizing a Port The 802.1X ports can be placed into any of the three states: ● ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network.
To configure re-authentication time settings, use the following commands: ● Configure the authenticator to periodically re-authenticate the supplicant. INTERFACE mode dot1x reauthentication [interval] seconds The range is from 1 to 31536000. The default is 3600. ● Configure the maximum number of times the supplicant can be re-authenticated. INTERFACE mode dot1x reauth-max number The range is from 1 to 10. The default is 2.
The bold lines show the new supplicant and server timeouts. DellEMC(conf-if-Te-1/1)#dot1x port-control force-authorized DellEMC(conf-if-Te-1/1)#do show dot1x interface TenGigabitEthernet 1/1 802.
Figure 8. Dynamic VLAN Assignment 1. Configure 802.1X globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration in Dynamic VLAN Assignment with Port Authentication). 2. Make the interface a switchport so that it can be assigned to a VLAN. 3. Create the VLAN to which the interface will be assigned. 4. Connect the supplicant to the port configured for 802.1X. 5.
● If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins. Configuring a Guest VLAN If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN. NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.
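The port behaviour described in the preceding sections (Request Identity re-transmission every tx-period, the force-authorized and force-unauthorized port states, and the ([reauth-max + 1] * tx-period) silence after which an unresponsive host lands in the Guest VLAN) is modelled below in an added example written for this guide; it is not code from Dell EMC Networking OS. Time is simulated rather than slept. The defaults (tx-period 30 seconds, reauth-max 2) are the ones the page states; the AUTH_SERVER dictionary is a constructed stand-in for the RADIUS server, and the Dot1xPort class and its method names are the example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for the authentication server's user database.
AUTH_SERVER = {"alice": "constructed-password"}


@dataclass
class Dot1xPort:
    """Per-port 802.1X settings, with the defaults the page states."""
    port_control: str = "auto"          # auto | force-authorized | force-unauthorized
    tx_period: int = 30                 # seconds before a Request Identity is re-transmitted
    reauth_max: int = 2                 # re-transmission budget (page range 1-10, default 2)
    guest_vlan: Optional[int] = None    # VLAN for hosts that never answer (no 802.1X capability)
    events: List[str] = field(default_factory=list)

    def guest_vlan_delay(self) -> int:
        """Seconds of silence before the port moves to the Guest VLAN: ([reauth-max + 1] * tx-period)."""
        return (self.reauth_max + 1) * self.tx_period

    def authenticate(self, supplicant: Callable[[int], Optional[Tuple[str, str]]]):
        """Drive one authentication on this port.

        `supplicant` receives the Request Identity attempt number and returns a
        (username, password) tuple, or None if it does not respond to that request.
        Returns (port_state, vlan, seconds_elapsed).
        """
        if self.port_control == "force-authorized":
            self.events.append("force-authorized: traffic allowed, no authentication performed")
            return "authorized", None, 0
        if self.port_control == "force-unauthorized":
            self.events.append("force-unauthorized: port stays blocked regardless of credentials")
            return "unauthorized", None, 0

        elapsed = 0
        # The initial Request Identity plus reauth_max re-transmissions, tx_period apart.
        for attempt in range(1, self.reauth_max + 2):
            self.events.append(f"t={elapsed}s Request Identity (attempt {attempt})")
            reply = supplicant(attempt)
            if reply is not None:
                user, password = reply
                ok = AUTH_SERVER.get(user) == password
                self.events.append(f"t={elapsed}s server {'accepts' if ok else 'rejects'} {user}")
                return ("authorized" if ok else "unauthorized"), None, elapsed
            elapsed += self.tx_period

        # No response at all: the host is assumed to lack 802.1X capability.
        if self.guest_vlan is not None:
            self.events.append(f"t={elapsed}s no response; port placed in Guest VLAN {self.guest_vlan}")
            return "unauthorized", self.guest_vlan, elapsed
        self.events.append(f"t={elapsed}s no response; port remains unauthorized")
        return "unauthorized", None, elapsed
```

Note that a port in the Guest VLAN is still reported as unauthorized by 802.1X; only the VLAN assignment changes, which is why the Guest VLAN should carry no more than the access an unknown device ought to have.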
Example of Viewing Configured Authentication 802.
interface TenGigabitEthernet 21 switchport dot1x static-mab profile sample no shutdown DellEMC(conf-if-Te 2/1))#show dot1x interface TenGigabitEthernet 2/1 802.
Untagged VLAN id: Guest VLAN: Guest VLAN id: Auth-Fail VLAN: Auth-Fail VLAN id: Auth-Fail Max-Attempts: Mac-Auth-Bypass: Mac-Auth-Bypass Only: Tx Period: Quiet Period: ReAuth Max: Supplicant Timeout: Server Timeout: Re-Auth Interval: Max-EAP-Req: Host Mode: Auth PAE State: Backend State: 98 802.
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) This section describes the access control list (ACL) virtual local area network (VLAN) group, and content addressable memory (CAM) enhancements.
The ACL manager does not notify the ACL agent in the following cases: ● The ACL VLAN group is created. ● The ACL VLAN group is deleted and it does not contain VLAN members. ● The ACL is applied or removed from a group and the ACL group does not contain a VLAN member. ● The description of the ACL group is added or removed.
acl-vlan-group {group name} 2. Add a description to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode description description 3. Apply an egress IP ACL to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode ip access-group {group name} out implicit-permit 4. Add VLAN member(s) to an ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode member vlan {VLAN-range} 5. Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
EXEC Privilege mode
DellEMC#show cam-usage switch
Stackunit|Portpipe| CAM Partition   | Total CAM  | Used CAM   |Available CAM
========|========|=================|============|============|=============
   1    |   0    | IN-L2 ACL       |    1536    |     0      |    1536
        |        | OUT-L2 ACL      |     206    |     9      |     197
Codes: * - cam usage is above 90%.
Viewing CAM Usage View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL subpartitions) using the show cam-usage command in EXEC Privilege mode.
(Continuation of the show cam-usage output: the IN-V6 ACL, OUT-L2 ACL, OUT-L3 ACL and OUT-V6 ACL rows of the preceding unit, followed by stack-unit 3, port-pipe 0 with its IN-L2 ACL, IN-L3 ACL, IN-V6 ACL, OUT-L2 ACL, OUT-L3 ACL and OUT-V6 ACL rows; the Total, Used and Available CAM values for these rows were not recovered.)
Codes: * - cam usage is above 90%.
To display the number of FP blocks that is allocated for the different VLAN services, use the show cam-acl-vlan command. After you configure the ACL VLAN groups, reboot the system to store the settings in nonvolatile storage. During CAM initialization, the chassis manager reads the NVRAM and allocates the dynamic VCAP regions.
7 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
• Configure Ingress ACLs
• Configure Egress ACLs
• IP Prefix Lists
• ACL Remarks
• ACL Resequencing
• Route Maps
• Important Points to Remember
• Logging of ACL Processes
• Flow-Based Monitoring
IP Access Control Lists (ACLs) In Dell EMC Networking switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address of the packet.
CAM Optimization When you enable this command, if a policy map containing classification rules (ACL and/or dscp/ ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only one FP entry is used). When you disable this command, the system behaves as described in this chapter. Test CAM Usage This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs.
ACL Optimization If an access list contains duplicate entries, Dell EMC Networking OS deletes one entry to conserve CAM space. Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM entries to identify whether the access list is a standard or extended ACL.
IP Fragments ACL Examples The following examples show how you can use ACL commands with the fragment keyword to filter fragmented packets. The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule does not get hit at all. Example of Permitting All Packets on an Interface DellEMC(conf)#ip access-list extended ABC DellEMC(conf-ext-nacl)#permit ip any 10.1.1.1/32 DellEMC(conf-ext-nacl)#deny ip any 10.1.1.
DellEMC(conf-ext-nacl)#deny ip any any log DellEMC(conf-ext-nacl) When configuring ACLs with the fragments keyword, be aware of the following. When an ACL filters packets, it looks at the fragment offset (FO) to determine whether it is a fragment. ● FO = 0 means it is either the first fragment or the packet is a non-fragment. ● FO > 0 means it is dealing with the fragments of the original packet. Configure a Standard IP ACL To configure an ACL, use commands in IP ACCESS LIST mode and INTERFACE mode.
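The two rules the page states (a rule with the fragments keyword matches only packets with FO > 0, and a plain L3 rule matches both FO = 0 and FO > 0 packets) determine why the second rule of ACL ABC above is never hit. The following added example, written for this guide and not code from Dell EMC Networking OS, evaluates packets against a small ACL in sequence order and shows the ordering effect on the same two rules. The page's second ABC rule is cut off, so its "deny ip any 10.1.1.1/32 fragments" form is an assumption; the further assumption that a rule with a port match needs the L4 header and therefore matches only FO = 0 packets is marked in the code. Packet, Rule and the function names are the example's own, and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    frag_offset: int = 0            # FO from the IP header, in 8-byte units
    dport: Optional[int] = None     # only present when frag_offset == 0 (L4 header is in the first piece)


@dataclass
class Rule:
    seq: int
    action: str                     # "permit" | "deny"
    proto: str                      # "ip" matches any protocol
    src: str                        # "any" or a prefix such as "10.1.1.1/32"
    dst: str
    dport: Optional[int] = None
    fragments: bool = False         # the ACL's "fragments" keyword
    log: bool = False
    hits: int = 0


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.fragments:
        return pkt.frag_offset > 0           # the keyword restricts the rule to non-initial fragments
    if rule.dport is not None:
        # Assumption: a port match needs the L4 header, which only an FO = 0 packet carries.
        return pkt.frag_offset == 0 and pkt.dport == rule.dport
    return True                              # plain L3 rule: FO = 0 and FO > 0 both match


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """The first matching rule in sequence order decides; implicit deny at the end."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            rule.hits += 1
            return rule.action, rule.seq
    return "deny", None


def acl_abc() -> List[Rule]:
    """ACL ABC as on the page: the permit rule precedes the fragments rule, which is therefore never hit."""
    return [
        Rule(5, "permit", "ip", "any", "10.1.1.1/32"),
        Rule(10, "deny", "ip", "any", "10.1.1.1/32", fragments=True),   # assumed form of the cut-off rule
        Rule(15, "deny", "ip", "any", "any", log=True),
    ]


def acl_fragments_first() -> List[Rule]:
    """Same rules with the fragments rule first: non-initial fragments to 10.1.1.1 are now dropped
    while the first fragment and unfragmented packets are still permitted."""
    return [
        Rule(5, "deny", "ip", "any", "10.1.1.1/32", fragments=True),
        Rule(10, "permit", "ip", "any", "10.1.1.1/32"),
        Rule(15, "deny", "ip", "any", "any", log=True),
    ]
```

Because a non-initial fragment carries no L4 header, a port-based permit can never admit it; whether such fragments reach a host is decided by the plain L3 rules and by any rule carrying the fragments keyword, so their order relative to each other is what matters.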
Configuring a Standard IP ACL Filter If you are creating a standard ACL with only one or two filters, you can let Dell EMC Networking OS assign a sequence number based on the order in which the filters are configured. The software assigns filters in multiples of five. 1. Configure a standard IP ACL and assign it a unique name. CONFIGURATION mode ip access-list standard access-list-name 2. Configure a drop or forward IP ACL filter.
CONFIG-EXT-NACL mode seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator [portnumber ] [count [byte]] [order] [monitor [session-id]] [fragments] When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
{deny | permit} {source mask | any | host ip-address} [count [byte]] [order] [monitor [session-id]] [fragments] ● Configure a deny or permit filter to examine TCP packets. CONFIG-EXT-NACL mode {deny | permit} tcp {source mask | any | host ip-address} [count [byte]] [order] [monitor [session-id]] [fragments] ● Configure a deny or permit filter to examine UDP packets.
Assign an IP ACL to an Interface To pass traffic through a configured IP ACL, assign that ACL to a physical interface, a port channel interface, or a VLAN. The IP ACL is applied to all traffic entering a physical or port channel interface and the traffic is either forwarded or dropped depending on the criteria and actions specified in the ACL. The same ACL may be applied to different interfaces and that changes its functionality.
Configure Ingress ACLs Ingress ACLs are applied to interfaces and to traffic entering the system. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieve the same results. By localizing target traffic, it is a simpler implementation. To create an ingress ACL, use the ip access-group command in EXEC Privilege mode. The example shows applying the ACL, adding rules to the newly created access group, and viewing the access list.
DellEMC(config-ext-nacl)#permit tcp any any DellEMC(config-ext-nacl)#deny icmp any any DellEMC(config-ext-nacl)#permit 1.1.1.2 DellEMC(config-ext-nacl)#end DellEMC#show ip accounting access-list ! Extended Ingress IP access list abcd on tengigabitethernet 0/0 seq 5 permit tcp any any seq 10 deny icmp any any seq 15 permit 1.1.1.
address. For example, in 112.24.0.0/16, the first 16 bits of the address 112.24.0.0 match all addresses between 112.24.0.0 to 112.24.255.255. The following examples show permit or deny filters for specific routes using the le and ge parameters, where x.x.x.x/x represents a route prefix: ● To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8. ● To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8. ● To deny routes with a mask less than /24, enter deny x.x.x.
The following example shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 20 was configured before filter 15 and 12, but the show config command displays the filters in the correct order. DellEMC(conf-nprefixl)#seq 20 permit 0.0.0.0/0 le 32 DellEMC(conf-nprefixl)#seq 12 deny 134.23.0.0 /16 DellEMC(conf-nprefixl)#seq 15 deny 120.23.14.0 /8 le 16 DellEMC(conf-nprefixl)#show config ! ip prefix-list juba seq 12 deny 134.23.0.0/16 seq 15 deny 120.0.0.
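The ge and le semantics from the preceding section and the sequence-number ordering shown just above can be checked with the following added example, written for this guide rather than taken from Dell EMC Networking OS. It models a prefix list as entries tested in sequence order with first match wins and an implicit deny, reproduces the page's juba list (entered as 20, 12, 15 and displayed as 12, 15, 20, with 120.23.14.0/8 shown as 120.0.0.0/8 because the host bits are cleared), and also exercises the "deny x.x.x.x/x ge 8 le 8" case from the bullet list. The length rules implemented are the usual ones (no keyword: exact length; le only: from the entry's length up to le; ge only: from ge up to the host mask). PrefixEntry and the function names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixEntry:
    seq: int
    action: str            # "permit" | "deny"
    prefix: str            # e.g. "134.23.0.0/16"; host bits are cleared, as the switch displays them
    ge: Optional[int] = None
    le: Optional[int] = None

    def __post_init__(self):
        self.network = ipaddress.ip_network(self.prefix, strict=False)
        self.prefix = str(self.network)   # "120.23.14.0/8" becomes "120.0.0.0/8"


def entry_matches(entry: PrefixEntry, route: ipaddress.IPv4Network) -> bool:
    net = entry.network
    if route.version != net.version:
        return False
    # The route must lie within the entry's prefix: its leading net.prefixlen bits match.
    if route.prefixlen < net.prefixlen or route.network_address not in net:
        return False
    lo = entry.ge if entry.ge is not None else net.prefixlen
    if entry.le is not None:
        hi = entry.le
    elif entry.ge is not None:
        hi = net.max_prefixlen       # "ge" alone allows everything up to the host mask
    else:
        hi = net.prefixlen           # neither keyword: exact length only
    return lo <= route.prefixlen <= hi


def evaluate(prefix_list: List[PrefixEntry], route: str) -> Tuple[str, Optional[int]]:
    """Entries are tested in sequence-number order; the first match wins; implicit deny."""
    r = ipaddress.ip_network(route, strict=False)
    for entry in sorted(prefix_list, key=lambda e: e.seq):
        if entry_matches(entry, r):
            return entry.action, entry.seq
    return "deny", None


def show_config(prefix_list: List[PrefixEntry]) -> List[str]:
    """Render the list the way show config orders it: by sequence number, not by entry order."""
    lines = []
    for e in sorted(prefix_list, key=lambda e: e.seq):
        line = f"seq {e.seq} {e.action} {e.prefix}"
        if e.ge is not None:
            line += f" ge {e.ge}"
        if e.le is not None:
            line += f" le {e.le}"
        lines.append(line)
    return lines


def juba() -> List[PrefixEntry]:
    """Prefix list "juba" from the page, entered in the page's order (20, 12, 15)."""
    return [
        PrefixEntry(20, "permit", "0.0.0.0/0", le=32),
        PrefixEntry(12, "deny", "134.23.0.0/16"),
        PrefixEntry(15, "deny", "120.23.14.0/8", le=16),
    ]
```

A point the tests below make that is easy to miss in practice: "deny 134.23.0.0/16" without le denies only the exact /16; a more specific 134.23.5.0/24 falls through to the permit 0.0.0.0/0 le 32 entry, so a deny meant to cover all subnets of a block needs le 32 (or a suitable ge/le range).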
show ip prefix-list summary [prefix-name] The following example shows the show ip prefix-list detail command. DellEMC>show ip prefix detail Prefix-list with the last deletion/insertion: filter_ospf ip prefix-list filter_in: count: 3, range entries: 3, sequences: 5 - 10 seq 5 deny 1.102.0.0/16 le 32 (hit count: 0) seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0) seq 10 permit 0.0.0.0/0 le 32 (hit count: 0) ip prefix-list filter_ospf: count: 4, range entries: 1, sequences: 5 - 10 seq 5 deny 100.100.1.
Applying a Filter to a Prefix List (OSPF) To apply a filter to routes in open shortest path first (OSPF), use the following commands. ● Enter OSPF mode. CONFIGURATION mode router ospf ● Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded. CONFIG-ROUTER-OSPF mode distribute-list prefix-list-name in [interface] ● Apply a configured prefix list to incoming routes.
The following example shows how to write a remark for an ACL rule: Dell(config-ext-nacl)#ip access-list extended test Dell(config-ext-nacl)# remark permit any ip Dell(config-ext-nacl)# seq 10 permit ip any any Dell(config-ext-nacl)#sh config ! ip access-list extended test remark 10 permit any ip seq 10 permit ip any any Deleting a Remark To delete a remark, follow this procedure: A standard IP ACL uses the source IP address as its match criterion.
Table 7. ACL Resequencing (continued) Rules Resequencing Rules After Resequencing: seq 5 permit any host 1.1.1.1 seq 10 permit any host 1.1.1.2 seq 15 permit any host 1.1.1.3 seq 20 permit any host 1.1.1.4 Resequencing an ACL or Prefix List Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the following commands. You must specify the list name, starting number, and increment when using these commands.
remark 9 ABC remark 10 this remark corresponds to permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.2 seq 15 permit ip any host 1.1.1.3 seq 20 permit ip any host 1.1.1.4 DellEMC# end DellEMC# resequence access-list ipv4 test 2 2 DellEMC# show running-config acl ! ip access-list extended test remark 2 XYZ remark 4 this remark corresponds to permit any host 1.1.1.1 seq 4 permit ip any host 1.1.1.1 remark 6 this remark has no corresponding rule remark 8 this remark corresponds to permit ip any host 1.
Creating a Route Map Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters match certain routes and set specific values. To create a route map, use the following command. ● Create a route map and assign it a unique name. The optional permit and deny keywords are the actions of the route map.
Set clauses: tag 3444 DellEMC# To delete a route map, use the no route-map map-name command in CONFIGURATION mode. Configure Route Map Filters Within ROUTE-MAP mode, there are match and set commands. ● match commands search for a certain criterion in the routes. ● set commands change the characteristics of routes, either adding something or specifying a level.
CONFIG-ROUTE-MAP mode match interface interface The parameters are:
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
○ For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
○ For a port channel interface, enter the keywords port-channel then a number.
CONFIG-ROUTE-MAP mode set automatic-tag ● Specify an OSPF area or ISIS level for redistributed routes. CONFIG-ROUTE-MAP mode set level {backbone | level-1 | level-1-2 | level-2 | stub-area} ● Specify a value for the BGP route’s LOCAL_PREF attribute. CONFIG-ROUTE-MAP mode set local-preference value ● Specify a value for redistributed routes. CONFIG-ROUTE-MAP mode set metric {+ | - | metric-value} ● Specify an OSPF or ISIS type for redistributed routes.
Example of Calling a Route Map to Redistribute Specified Routes router ospf 34 default-information originate metric-type 1 redistribute static metric 20 metric-type 2 tag 0 route-map staticospf ! route-map staticospf permit 10 match interface TenGigabitEthernet 1/1 match metric 255 set level backbone Configure a Route Map for Route Tagging One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol.
When you enable ACL log messages, at times, depending on the volume of traffic, it is possible that a large number of logs might be generated that can impact the system performance and efficiency. To avoid an overload of ACL logs from being recorded, you can configure the rate-limiting functionality. Specify the interval or frequency at which ACL logs must be triggered and also the threshold or limit for the maximum number of logs to be generated.
● For ACL entries applied on port-channel interfaces, one match index for every member interface of the port-channel interface is assigned. Therefore, the total available match indices of 251 are split (125 match indices for permit action and 126 match indices for the deny action). ● You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs on egress interfaces.
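The rate limit described above (an interval, and a threshold for the number of ACL log messages generated within it) is the control that keeps a flood of matching packets from turning the log keyword into a CP overload. The following added example, written for this guide and not code from Dell EMC Networking OS, applies such a limiter to a constructed burst of ICMP packets hitting the "deny icmp any any" rule from the ingress ACL example earlier in the chapter and reports how many log lines are emitted and how many are suppressed. Timestamps are integer milliseconds; AclLogLimiter, the event tuple layout and the function names are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclLogLimiter:
    """Emit at most `threshold` ACL log messages per `interval_ms`; suppress the rest."""
    interval_ms: int
    threshold: int
    window_start: Optional[int] = None
    emitted_in_window: int = 0
    suppressed: int = 0

    def allow(self, ts_ms: int) -> bool:
        """Decide whether a match seen at ts_ms may produce a log message."""
        if self.window_start is None or ts_ms - self.window_start >= self.interval_ms:
            self.window_start, self.emitted_in_window = ts_ms, 0   # open a new window
        if self.emitted_in_window < self.threshold:
            self.emitted_in_window += 1
            return True
        self.suppressed += 1
        return False


def process_matches(matches: List[Tuple[int, str, str, str]], interval_ms: int, threshold: int):
    """Run ACL match events (timestamp_ms, acl_name, rule, source) through the limiter.

    Returns (log_lines, suppressed_count). Every packet is still dropped or forwarded
    by the rule; only the logging of the match is limited.
    """
    limiter = AclLogLimiter(interval_ms, threshold)
    lines = []
    for ts, acl, rule, src in matches:
        if limiter.allow(ts):
            lines.append(f"t={ts}ms ACL {acl} rule '{rule}' matched packet from {src}")
    return lines, limiter.suppressed


def constructed_flood(n: int = 1000, spacing_ms: int = 5) -> List[Tuple[int, str, str, str]]:
    """A constructed ICMP burst hitting the chapter's 'deny icmp any any' rule: n packets, one every 5 ms."""
    return [(i * spacing_ms, "abcd", "seq 10 deny icmp any any", f"198.51.100.{i % 254 + 1}")
            for i in range(n)]
```

With a 10 second interval and a threshold of 20, the 5 second burst produces 20 log lines and 980 suppressed matches; the suppressed count is worth logging once per window itself, so that the absence of lines is not mistaken for the absence of traffic.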
When you apply an ACL within the monitor session, it is applied to all source interfaces configured in the monitor session. The Dell EMC Networking OS honors any permit or deny actions of the ACL rules used for flow-based mirroring. Packets that match a mirror ACL rule are denied or forwarded depending on the rule, but the packet is mirrored either way. However, the user ACL has precedence over the mirror ACL. The same source interface can be part of multiple monitor sessions.
Enabling Flow-Based Monitoring Flow-based monitoring is supported on the S4820T platform. Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 2 and Layer 3 ingress traffic. You can specify traffic using standard or extended access-lists. 1. Enable flow-based monitoring for a monitoring session. MONITOR SESSION mode flow-based enable 2.
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 9. BFD in IPv4 Packet Format
Field: Description
Diagnostic Code: The reason that the last session failed.
State: The current local session state. Refer to BFD Sessions.
Flag: A bit that indicates packet function.
Your Discriminator: A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Desired Min TX Interval: The minimum rate at which the local system would like to send control packets to the remote system.
State: Description
Init: The local system is communicating.
Up: Both systems are exchanging control packets.
The session is declared down if:
● A control packet is not received within the detection time.
● Sufficient echo packets are lost.
● Demand mode is active and a control packet is not received in response to a poll packet.
BFD Three-Way Handshake A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 11.
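The packet fields, the Down/Init/Up states, the three-way handshake and the state change just described (a Down session that receives a Down notification moves to Init) are brought together in the following added example, written for this guide rather than taken from Dell EMC Networking OS. It encodes and decodes the 24-byte mandatory section of a BFD control packet using the RFC 5880 layout (version and diagnostic in the first byte, state and flag bits in the second, then Detect Mult, Length and the discriminator and interval fields), runs the handshake between two simulated sessions, discards packets whose Your Discriminator does not belong to the session, and computes the detection time after which a silent peer is declared down. Discriminator values and intervals are constructed; BfdSession and the function names are the example's own.

```python
import struct
from dataclasses import dataclass

STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
STATE_CODE = {name: code for code, name in STATES.items()}
DIAG_DETECT_EXPIRED = 1         # "Control Detection Time Expired"
DIAG_NEIGHBOR_DOWN = 3          # "Neighbor Signaled Session Down"


@dataclass
class BfdControl:
    """Fields of the 24-byte mandatory section of a BFD control packet (RFC 5880)."""
    version: int
    diag: int
    state: str
    poll: bool
    final: bool
    detect_mult: int
    my_disc: int
    your_disc: int
    desired_min_tx: int          # microseconds
    required_min_rx: int         # microseconds
    required_min_echo_rx: int    # microseconds, 0 = echo not supported


def encode(p: BfdControl) -> bytes:
    byte0 = (p.version << 5) | (p.diag & 0x1F)
    byte1 = (STATE_CODE[p.state] << 6) | (p.poll << 5) | (p.final << 4)   # C/A/D/M flag bits left clear
    return struct.pack("!BBBBIIIII", byte0, byte1, p.detect_mult, 24,
                       p.my_disc, p.your_disc, p.desired_min_tx, p.required_min_rx, p.required_min_echo_rx)


def decode(data: bytes) -> BfdControl:
    if len(data) < 24:
        raise ValueError("short BFD control packet")
    b0, b1, mult, length, my, your, tx, rx, erx = struct.unpack("!BBBBIIIII", data[:24])
    if length != len(data) or mult == 0 or my == 0:
        raise ValueError("invalid BFD control packet")       # RFC 5880 section 6.8.6 discard rules
    return BfdControl(b0 >> 5, b0 & 0x1F, STATES[b1 >> 6], bool(b1 & 0x20), bool(b1 & 0x10),
                      mult, my, your, tx, rx, erx)


class BfdSession:
    def __init__(self, local_disc: int, desired_min_tx=200_000, required_min_rx=200_000, detect_mult=3):
        self.state, self.diag = "Down", 0
        self.local_disc, self.remote_disc = local_disc, 0
        self.desired_min_tx, self.required_min_rx, self.detect_mult = desired_min_tx, required_min_rx, detect_mult
        self.remote_state, self.remote_min_tx, self.remote_mult = "Down", 1, 1

    def build(self) -> bytes:
        return encode(BfdControl(1, self.diag, self.state, False, False, self.detect_mult,
                                 self.local_disc, self.remote_disc, self.desired_min_tx, self.required_min_rx, 0))

    def detection_time_us(self) -> int:
        """Asynchronous-mode detection time: remote Detect Mult x max(local Required Min RX, remote Desired Min TX)."""
        return self.remote_mult * max(self.required_min_rx, self.remote_min_tx)

    def receive(self, data: bytes) -> str:
        p = decode(data)
        if p.your_disc not in (0, self.local_disc):
            return self.state                  # not addressed to this session: discard
        self.remote_disc, self.remote_state = p.my_disc, p.state
        self.remote_min_tx, self.remote_mult = p.desired_min_tx, p.detect_mult
        if p.state == "AdminDown":
            if self.state != "Down":
                self.state, self.diag = "Down", DIAG_NEIGHBOR_DOWN
        elif self.state == "Down":
            if p.state == "Down":
                self.state = "Init"            # the page's example: Down + received Down -> Init
            elif p.state == "Init":
                self.state = "Up"
        elif self.state == "Init":
            if p.state in ("Init", "Up"):
                self.state = "Up"
        elif self.state == "Up":
            if p.state == "Down":
                self.state, self.diag = "Down", DIAG_NEIGHBOR_DOWN
        return self.state

    def detection_timer_expired(self) -> str:
        """No control packet arrived within the detection time: declare the session down."""
        if self.state != "Down":
            self.state, self.diag = "Down", DIAG_DETECT_EXPIRED
        return self.state


def three_way_handshake(a: BfdSession, b: BfdSession):
    """Exchange the three packets and return (sender discriminator, state carried, receiver state after)."""
    trace = []
    for sender, receiver in ((a, b), (b, a), (a, b)):
        pkt = sender.build()
        new_state = receiver.receive(pkt)
        trace.append((sender.local_disc, decode(pkt).state, new_state))
    return trace
```

With both sides at the 200 ms intervals and multiplier 3 used in the page's show bfd neighbors output, the detection time is 600 ms, which is the longest a failed link can go unnoticed by this session; the Your Discriminator check is what keeps a stray or replayed control packet from one session from changing the state of another on the same interface.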
● Configure BFD for OSPFv3
● Configure BFD for IS-IS
● Configure BFD for BGP
● Configure BFD for VRRP
● Configuring Protocol Liveness
Configure BFD for Physical Ports Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
Remote Addr: 2.2.2.
Establishing Sessions for Static Routes for Default VRF Sessions are established for all neighbors that are the next hop of a static route on the default VRF. Figure 12. Establishing Sessions for Static Routes To establish a BFD session, use the following command. ● Establish BFD sessions for all neighbors that are the next hop of a static route.
For more information on prefix lists, see IP Prefix Lists. To enable BFD sessions on specific neighbors, perform the following steps: Enter the following command to enable BFD session on specific next-hop neighbors: CONFIGURATION ip route bfd prefix-list prefix-list-name The BFD session is established for the next-hop neighbors that are specified in the prefix-list. ● The absence of a prefix-list causes BFD sessions to be enabled on all the eligible next-hop neighbors.
Configure BFD for OSPF When you use BFD with OSPF, the OSPF protocol registers with the BFD manager. BFD sessions are established with all neighboring interfaces participating in OSPF. If a neighboring interface fails, the BFD agent notifies the BFD manager, which in turn notifies the OSPF protocol that a link state change has occurred. Configuring BFD for OSPF is a two-step process: 1. Enable BFD globally. 2. Establish sessions with OSPF neighbors.
● Enable BFD globally. CONFIGURATION mode bfd enable ● Establish sessions with all OSPF neighbors. ROUTER-OSPF mode bfd all-neighbors ● Establish sessions with OSPF neighbors on a single interface. INTERFACE mode ip ospf bfd all-neighbors To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions.
The following example shows the show bfd neighbors command output.
DellEMC# show bfd neighbors
*     - Active session role
Ad Dn - Admin Down
B     - BGP
C     - CLI
I     - ISIS
O     - OSPF
O3    - OSPFv3
R     - Static Route (RTM)
M     - MPLS
V     - VRRP
VT    - Vxlan Tunnel
  LocalAddr   RemoteAddr
* 1.0.1.1     1.0.1.2
* 3.3.3.3     192.168.122.135
* 3.3.3.3     192.168.122.136
* 3.3.3.3     192.168.122.137
* 3.3.3.3     192.168.122.138
* 3.3.3.3     192.168.122.
INTERFACE mode ip ospf bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive] To view session parameters, use the show bfd neighbors detail command. Disabling BFD for OSPF If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state.
O3    - OSPFv3
R     - Static Route (RTM)
M     - MPLS
V     - VRRP
VT    - Vxlan Tunnel
  LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 1.1.1.1    1.1.1.2     Te 1/1     Up     200     200     3     O
* 2.1.1.1    2.1.1.
VT    - Vxlan Tunnel
  LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  VRF  Clients
* 10.1.1.1   10.1.1.2    Vl 100     Up     150     150     3     511  O
* 11.1.1.1   11.1.1.2    Vl 101     Up     150     150     3     511  O
* 12.1.1.1   12.1.1.2    Vl 102     Up     150     150     3     511  O
* 13.1.1.1   13.1.1.
INTERFACE mode ipv6 ospf bfd all-neighbors disable Configure BFD for IS-IS When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager on the RPM. BFD sessions are then established with all neighboring interfaces participating in IS-IS. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the IS-IS protocol that a link state change occurred. Configuring BFD for IS-IS is a two-step process: 1. Enable BFD globally. 2.
ROUTER-ISIS mode bfd all-neighbors ● Establish sessions with IS-IS neighbors on a single interface. INTERFACE mode isis bfd all-neighbors To view the established sessions, use the show bfd neighbors command. The bold line shows that IS-IS BFD sessions are enabled.
R2(conf-router_isis)#bfd all-neighbors
R2(conf-router_isis)#do show bfd neighbors
*     - Active session role
Ad Dn - Admin Down
C     - CLI
I     - ISIS
O     - OSPF
R     - Static Route (RTM)
  LocalAddr
* 2.2.2.
Configure BFD for BGP In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on physical, port-channel, and VLAN interfaces. BFD for BGP does not support the BGP multihop feature. Before configuring BFD for BGP, you must first configure BGP on the routers that you want to interconnect.
Prerequisites Before configuring BFD for BGP, you must first configure the following settings: ● Configure BGP on the routers that you want to interconnect. Establishing Sessions with BGP Neighbors for Default VRF To establish sessions with either IPv6 or IPv4 BGP neighbors for the default VRF, follow these steps: 1. Enable BFD globally. CONFIGURATION mode bfd enable 2. Specify the AS number and enter ROUTER BGP configuration mode. CONFIGURATION mode router bgp as-number 3.
neighbor 20::2 activate exit-address-family DellEMC(conf-router_bgp)# Establishing Sessions with BGP Neighbors for Nondefault VRF To establish sessions with either IPv6 or IPv4 BGP neighbors for nondefault VRFs, follow these steps: 1. Enable BFD globally. CONFIGURATION mode bfd enable 2. Specify the AS number and enter ROUTER BGP configuration mode. CONFIGURATION mode router bgp as-number 3. Specify the address family as IPv4. CONFIG-ROUTERBGP mode address-family ipv4 vrf vrf-name 4.
router bgp 1 ! address-family ipv4 vrf vrf1 neighbor 10.1.1.2 remote-as 2 neighbor 10.1.1.2 no shutdown neighbor 20::2 remote-as 2 neighbor 20::2 no shutdown bfd all-neighbors exit-address-family ! address-family ipv6 unicast vrf vrf1 neighbor 20::2 activate exit-address-family DellEMC(conf-router_bgp)# Disabling BFD for BGP You can disable BFD for BGP. To disable a BFD for BGP session with a specified neighbor, use the first command.
● Verify that a BFD for BGP session has been successfully established with a BGP neighbor. A line-by-line listing of established BFD adjacencies is displayed. EXEC Privilege mode show bfd neighbors [interface] [detail] ● Check to see if BFD is enabled for BGP connections. EXEC Privilege mode show ip bgp summary ● Displays routing information exchanged with BGP neighbors, including BFD for BGP sessions.
Statistics: Number of packets received from neighbor: 4762 Number of packets sent to neighbor: 4490 Number of state changes: 2 Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 5 Session Discriminator: 10 Neighbor Discriminator: 11 Local Addr: 2.2.2.3 Local MAC Addr: 00:01:e8:66:da:34 Remote Addr: 2.2.2.
Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Neighbor is using BGP global mode BFD configuration For address family: IPv4 Unicast BGP table version 0, neighbor version 0 Prefixes accepted 0 (consume 0 bytes), withdrawn 0 by peer, martian prefixes ignored 0 Prefixes adverti
Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 16. Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors, use the following command. ● Establish sessions with all VRRP neighbors.
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients * 2.2.5.1 2.2.5.2 Te 4/25 Down 1000 1000 3 V To view session state information, use the show vrrp command. The bold line shows the VRRP BFD session. DellEMC(conf-if-te-4/25)#do show vrrp -----------------TenGigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1 VRF:0 default State: Backup, Priority: 1, Master: 2.2.5.
Configuring Protocol Liveness Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled. When you disable a client, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state. To enable protocol liveness, use the following command. ● Enable Protocol Liveness.
The output for the debug bfd event command is the same as the log messages that appear on the console by default.
9 Border Gateway Protocol (BGP) Border Gateway Protocol (BGP) is an interdomain routing protocol that manages routing between edge routers. BGP uses an algorithm to exchange routing information between switches enabled with BGP. BGP determines a path to reach a particular destination using certain attributes while avoiding routing loops. BGP selects a single path as the best path to a destination network or host. You can also influence BGP to select a different path by altering some of the BGP attributes.
the knowledge to reach routers external to the AS. EBGP routers exchange information with other EBGP routers as well as IBGP routers to maintain connectivity and accessibility. Figure 17. BGP Topology with autonomous systems (AS) BGP version 4 (BGPv4) supports classless interdomain routing (CIDR) and aggregate routes and AS paths. BGP is a path vector protocol — a computer network in which BGP maintains the path that updated information takes as it diffuses through the network.
Figure 18. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. AS4 Number Representation Dell EMC Networking OS supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot. NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported.
● All AS numbers between 0 and 65535 are represented as a decimal number, both when entered in the CLI and when displayed in show command output. ● AS numbers larger than 65535 are represented using ASDOT notation as .. For example: AS 65546 is represented as 1.10. ASDOT representation combines the ASPLAIN and ASDOT+ representations.
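The three notations above (asplain, asdot+, and asdot, selected with bgp asnotation) are mechanical transformations of the same 32-bit value. The following helpers, added here as an illustration and not code from Dell EMC Networking OS, render an AS number in each notation and parse a value typed in any of them, rejecting dotted halves outside 0..65535 and values outside the 4-byte range given in this chapter.

```python
"""AS number notation helpers (added example, not Dell EMC Networking OS code).

Models the three representations described above:
  asplain  every AS number is a plain decimal integer         (65546)
  asdot+   every AS number is <high>.<low> with 16-bit halves  (1.10, 0.100)
  asdot    0..65535 stay plain, larger values use the dotted form (100, 1.10)
"""
import re

AS4_MAX = 4294967295   # largest 4-byte AS number (page: 1 to 4294967295)
AS2_MAX = 65535        # largest 2-byte AS number (page: 0 to 65535)

_DOTTED = re.compile(r"^(\d+)\.(\d+)$")


def _check_range(asn: int) -> None:
    if not 0 <= asn <= AS4_MAX:
        raise ValueError(f"AS number {asn} outside 0..{AS4_MAX}")


def to_asplain(asn: int) -> str:
    """Plain decimal, the default notation."""
    _check_range(asn)
    return str(asn)


def to_asdot_plus(asn: int) -> str:
    """Always dotted: the high 16 bits, a dot, the low 16 bits."""
    _check_range(asn)
    high, low = divmod(asn, AS2_MAX + 1)
    return f"{high}.{low}"


def to_asdot(asn: int) -> str:
    """Plain up to 65535, dotted above it (65546 -> 1.10, as in the text)."""
    _check_range(asn)
    return str(asn) if asn <= AS2_MAX else to_asdot_plus(asn)


def format_asn(asn: int, notation: str) -> str:
    """Render asn the way show output would under the given bgp asnotation setting."""
    table = {"asplain": to_asplain, "asdot": to_asdot, "asdot+": to_asdot_plus}
    if notation not in table:
        raise ValueError(f"unknown notation {notation!r}")
    return table[notation](asn)


def parse_asn(text: str) -> int:
    """Accept an AS number in any of the three notations and return the integer.

    Dotted input is accepted regardless of the active notation, so a value
    typed as 1.10 and one typed as 65546 compare equal once parsed.
    """
    text = text.strip()
    m = _DOTTED.match(text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > AS2_MAX or low > AS2_MAX:
            raise ValueError(f"dotted AS {text}: each half must be 0..65535")
        asn = high * (AS2_MAX + 1) + low
    elif text.isdigit():
        asn = int(text)
    else:
        raise ValueError(f"not an AS number: {text!r}")
    _check_range(asn)
    return asn


if __name__ == "__main__":
    # Constructed sample values, including the 65546 -> 1.10 case from the text.
    for asn in (100, 65535, 65546, AS4_MAX):
        print(f"{asn:>10}  asplain={to_asplain(asn):<10} "
              f"asdot={to_asdot(asn):<12} asdot+={to_asdot_plus(asn)}")
```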
DellEMC(conf-router_bgp)#do sho ip bgp
BGP table version is 28093, local router ID is 172.30.1.57
AS4 SUPPORT DISABLED
DellEMC(conf-router_bgp)#no bgp four-octet-as-support
DellEMC(conf-router_bgp)#sho conf
!
router bgp 100
neighbor 172.30.1.250 local-as 65057
DellEMC(conf-router_bgp)#do show ip bgp
BGP table version is 28093, local router ID is 172.30.1.57
Four-Byte AS Numbers You can use the 4-Byte (32-bit) format when configuring autonomous system numbers (ASNs).
State: Description
Idle: BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer.
Connect: In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active: The router resets the ConnectRetry timer to zero and returns to the Connect state.
Best Path Selection Criteria Paths for active routes are grouped in ascending order according to their neighboring external AS number (BGP best path selection is deterministic by default, which means the bgp non-deterministic-med command is NOT applied). The best path in each group is selected based on specific criteria. Only one “best path” is selected at a time. If any of the criteria results in more than one path, BGP moves on to the next option in the list.
a. This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs are compared only if the first AS in the AS_SEQUENCE is the same for both paths.
b. If you entered the bgp always-compare-med command, MEDs are compared for all paths.
c. Paths with no MED are treated as “worst” and assigned a MED of 4294967295.
Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths.
Figure 20. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 21. Multi-Exit Discriminators NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites IGP MED. Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
the unicast and multicast BGP database to form a routing table for unicast and multicast. You can configure BGP peers that exchange both unicast and multicast Network Layer Reachability Information (NLRI), in which case MBGP routes are redistributed into BGP. The default is IPv4 unicast. IPv4 and IPv6 address family The IPv4 address family configuration in Dell EMC Networking OS is used for identifying routing sessions for protocols that use IPv4 addresses. You can specify multicast within the IPv4 address family.
BGP global configuration default values By default, BGP is disabled. The following table displays the default values for BGP on Dell EMC Networking OS. Table 8. BGP Default Values Item Default BGP Neighbor Adjacency changes All BGP neighbor changes are logged.
● If the redistribute command has metric configured (route-map set metric or redistribute route-type metric) and the BGP peer outbound route-map has metric-type internal configured, BGP advertises the metric configured in the redistribute command as MED. ● If BGP peer outbound route-map has metric configured, all other metrics are overwritten by this configuration. NOTE: When redistributing static, connected, or OSPF routes, there is no metric option.
Figure 22. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
● Configure inbound BGP soft-reconfiguration on a peer for f10BgpM2PrefixInPrefixesRejected to display the number of prefixes filtered due to a policy. If you do enable BGP soft-reconfig, the denied prefixes are not accounted for. ● F10BgpM2AdjRibsOutRoute stores the pointer to the NLRI in the peer's Adj-Rib-Out. ● PA Index (f10BgpM2PathAttrIndex field in various tables) is used to retrieve specific attributes from the PA table.
Basic BGP configuration tasks The following sections describe how to configure a basic BGP network and the basic configuration tasks that are required for the BGP to be up and running.
neighbor {ip-address | ipv6-address | peer-group name} remote-as as-number ● ip-address: IPv4 address of the neighbor ● ipv6-address: IPv6 address of the neighbor ● peer-group name: Name of the peer group. It can contain 16 characters. ● as-number: Autonomous system number NOTE: Neighbors that are defined using the neighbor remote-as command in the CONFIGURATION-ROUTERBGP mode exchange IPv4 unicast address prefixes only. 3. Enable the BGP neighbor.
The third line of the show ip bgp neighbors output contains the BGP State. If anything other than ESTABLISHED is listed, the neighbor is not exchanging information and routes. For more information about using the show ip bgp neighbors command, refer to the Dell EMC Networking OS Command Line Interface Reference Guide. The following example shows the show ip bgp neighbors command output. DellEMC#show ip bgp neighbors BGP neighbor is 20.20.20.1, remote AS 20, external link BGP remote router ID 1.1.1.
1 neighbor(s) using 40960 bytes of memory
Neighbor     AS    MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
20.20.20.1   200   0        0        0       0    0     00:00:00  0
Changing a BGP router ID BGP uses the configured router ID to identify the devices in the network. By default, the router ID is the highest IP address of the Loopback interface. If no Loopback interfaces are configured, the highest IP address of a physical interface on the router is used as the BGP router ID.
bgp asnotation asplain NOTE: ASPLAIN is the default method Dell EMC Networking OS uses and does not appear in the configuration display. ● Enable ASDOT AS Number representation. CONFIG-ROUTER-BGP mode bgp asnotation asdot ● Enable ASDOT+ AS Number representation. CONFIG-ROUTER-BGP mode bgp asnotation asdot+ The following example shows the bgp asnotation asplain command output.
CONFIG mode router bgp as-number ● Add the IP address of the neighbor for the specified autonomous system. CONFIG-ROUTER-BGP mode neighbor {ip-address | ipv6–address | peer-group-name} remote-as as-number ● Enable the neighbor. CONFIG-ROUTERBGP mode neighbor ip-address | ipv6-address | peer-group-name no shutdown ● Specify the IPv4 address family configuration. CONFIG-ROUTER-BGP mode address-family ipv4 [multicast | vrf vrf-name] multicast — Specifies the IPv4 multicast address family.
To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes. Example-Configuring BGP routing between peers Example of enabling BGP in Router A Following is an example to enable BGP configuration in the router A. RouterA# configure terminal RouterA(conf)# router bgp 40000 RouterA(conf-router_bgp)# bgp router-id 10.1.1.99 RouterA(conf-router_bgp)# timers bgp 80 130 RouterA(conf-router_bgp)# neighbor 192.
● You must create a peer group first before adding the neighbors in the peer group. ● If you remove any configuration parameters from a peer group, it will apply to all the neighbors configured under that peer group. ● If you have not configured a parameter for an individual neighbor in the peer group, the neighbor uses the value configured in the peer group. ● If you reset any parameter for an individual neighbor, it will override the value set in the peer group.
To add an internal BGP (IBGP) neighbor, configure the as-number parameter with the same BGP as-number configured in the router bgp as-number command. After you create a peer group, you can use any of the commands beginning with the keyword neighbor to configure that peer group. When you add a peer to a peer group, it inherits all the peer group’s configured parameters.
Example-Configuring BGP peer groups The following example configurations show how to enable BGP and set up some peer groups. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes. The following illustration shows the configurations described in the following examples.
R1(conf-if-gi-1/31)#show config ! interface GigabitEthernet 1/31 ip address 10.0.3.31/24 no shutdown R1(conf-if-gi-1/31)#exit R1(conf)#ip route 192.168.128.2/32 10.0.1.22 R1(conf)#router bgp 99 R1(conf-router_bgp)#neighbor 192.168.128.2 remote 99 R1(conf-router_bgp)#neighbor 192.168.128.2 no shut R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0 R1(conf-router_bgp)#neighbor 10.0.3.33 remote 100 R1(conf-router_bgp)#neighbor 10.0.3.
R3(conf-if-te-3/11)#no shutdown R3(conf-if-te-3/11)#show config ! interface TengigabitEthernet 3/11 ip address 10.0.3.33/24 no shutdown R3(conf-if-te-3/11)#int te 3/21 R3(conf-if-te-3/21)#ip address 10.0.2.3/24 R3(conf-if-te-3/21)#no shutdown R3(conf-if-te-3/21)#show config ! interface TengigabitEthernet 3/21 ip address 10.0.2.3/24 no shutdown R3(conf-if-te-3/21)# R3(conf-if-te-3/21)#router bgp 100 R3(conf-router_bgp)#show config ! router bgp 100 R3(conf-router_bgp)#neighbor 10.0.3.
Example of Enabling Peer Groups (Router 2) R2#conf R2(conf)#router bgp 99 R2(conf-router_bgp)# neighbor CCC peer-group R2(conf-router_bgp)# neighbor CC no shutdown R2(conf-router_bgp)# neighbor BBB peer-group R2(conf-router_bgp)# neighbor BBB no shutdown R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA R2(conf-router_bgp)# neighbor 192.168.128.1 no shut R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB R2(conf-router_bgp)# neighbor 192.168.128.
Advanced BGP configuration tasks The following sections describe how to configure the advanced (optional) BGP configuration tasks. Route-refresh and Soft-reconfiguration BGP soft-reconfiguration allows for faster and easier route changing. Changing routing policies typically requires a reset of BGP sessions (the TCP connection) for the policies to take effect. Such resets cause undue interruption to traffic due to hard reset of the BGP cache and the time it takes to re-establish the session.
Route-refresh This section explains how soft-reconfiguration and route-refresh work. Soft-reconfiguration has to be configured explicitly for a neighbor, unlike route refresh, which is automatically negotiated between BGP peers when establishing a peer session. Route-refresh updates are sent only if the neighbor soft-reconfiguration inbound command is not configured for a BGP neighbor and you do a soft reset using the clear ip bgp {neighbor-address | peer-group-name} soft in command.
redistribute connected neighbor 20.1.1.2 remote-as 200 neighbor 20.1.1.2 no shutdown neighbor 20::2 remote-as 200 neighbor 20::2 no shutdown ! address-family ipv6 unicast redistribute connected neighbor 20::2 activate exit-address-family ! DellEMC(conf-router_bgp)#do clear ip bgp 20.1.1.2 soft in May 8 15:28:11 : BGP: 20.1.1.2 sending ROUTE_REFRESH AFI/SAFI (1/1) May 8 15:28:12 : BGP: 20.1.1.2 UPDATE rcvd packet len 56 May 8 15:28:12 : BGP: 20.1.1.2 rcvd UPDATE w/ attr: origin ?, path 200, nexthop 20.1.1.
○ suppress-map map-name-Create aggregate route by suppressing the advertisements of specific routes. ○ advertise-map map-name-Create aggregate route by advertising specific routes. Configuring BGP aggregate routes To create an aggregate route entry in the BGP routing table, use the following commands. The aggregate route is advertised from the autonomous system. ● Enter the router configuration mode and the AS number for the specific BGP routing process.
DellEMC(conf-router_bgp)# aggregate-address 10.1.1.0/24 suppress-map map1 DellEMC(conf-router_bgp)# exit DellEMC(conf)# The route-map named map1 can have any action such as permit and sequence number configured, so that the advertisement of aggregate routes can be suppressed based on the set action in the route-map. Following is the sample configuration to suppress the advertisement of specific aggregate routes to all neighbors.
As seen in the following example, the expressions are displayed when using the show commands. To view the AS-PATH ACL configuration, use the show config command in CONFIGURATION AS-PATH ACL mode and the show ip as-path-access-list command in EXEC Privilege mode. For more information about this command and route filtering, refer to Filtering BGP Routes. The following example applies access list Eagle to routes inbound from BGP peer 10.5.5.2.
NOTE: When you configure a new set of BGP policies, to ensure the changes are made, always reset the neighbor or peer group by using the clear ip bgp command in EXEC Privilege mode. Filtering BGP using IP prefix lists An IP prefix list contains a list of networks. When applying an IP prefix list to a BGP neighbor, you can send or receive only the routes whose destination is in the IP prefix list. Filtering BGP routes based on IP prefix lists involves the following steps: ● Create a prefix list.
10.10.10.2. So the routes from the 10.10.10.1/24 network are distributed to neighbor 10.10.10.2, since the IP prefix list route10 explicitly permits the routes to be distributed to the neighbor. To view the BGP configuration, use the show config command in ROUTER BGP mode. To view a prefix list configuration, use the show ip prefix-list detail or show ip prefix-list summary commands in EXEC Privilege mode. Filtering BGP Routes Using Route Maps To filter routes using a route map, use these commands. 1.
To configure an AS-PATH ACL to filter a specific AS_PATH value, use these commands in the following sequence. 1. Assign a name to an AS-PATH ACL and enter AS-PATH ACL mode. CONFIGURATION mode ip as-path access-list as-path-name 2. Enter the parameter to match BGP AS-PATH for filtering. CONFIG-AS-PATH mode {deny | permit} filter parameter This is the filter that is used to match the AS-path. The entries can be in any format: letters, numbers, or regular expressions.
CONFIG-ROUTE-MAP mode match {community community-list-name [exact] | extcommunity extcommunity-list-name [exact]} 3. Return to CONFIGURATION mode. CONFIG-ROUTE-MAP mode exit 4. Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number AS-number: 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.65535 (Dotted format) 5. Apply the route map to the neighbor or peer group’s incoming or outgoing routes.
DellEMC(conf-router_bgp)# neighbor 10.10.10.1 fall-over DellEMC(conf-router_bgp)# exit DellEMC(conf-router_bgp)# To verify that you enabled fast fall-over on a particular BGP neighbor, use the show ip bgp neighbors command. Because fast fall-over is disabled by default, it appears only if it has been enabled (shown in bold). DellEMC#show ip bgp neighbors BGP neighbor is 10.10.10.1, remote AS 500, internal link Member of peer-group test for session parameters BGP version 4, remote router ID 30.30.30.
neighbor test peer-group
neighbor test fall-over
neighbor test no shutdown
neighbor 10.10.10.1 remote-as 500
neighbor 10.10.10.1 fall-over
neighbor 10.10.10.1 update-source Loopback 0
neighbor 10.10.10.1 no shutdown
DellEMC#
Configuring Passive Peering When you enable a peer-group, the software sends an OPEN message to initiate a TCP connection. If you enable passive peering for the peer group, the software does not send an OPEN message, but it responds to an OPEN message.
● Save all forwarding information base (FIB) and content addressable memory (CAM) entries on the line card and continue forwarding traffic while the secondary route processor module (RPM) is coming online. ● Advertise to all BGP neighbors and peer-groups that the forwarding state of all routes has been saved. This prompts all peers to continue saving the routes they receive and to continue forwarding traffic.
○ metric value: The value is from 0 to 16777215. The default is 0. ○ route-map map-name: Specify the name of a configured route map to be consulted before adding the ISIS route. ● Include specific OSPF routes into BGP. ROUTER BGP or CONF-ROUTER_BGPv6_ AF mode redistribute ospf process-id [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name] Configure the following parameters: ○ ospf: Indicates that you are redistributing OSPF routes in BGP.
DellEMC(conf-router_bgp_af)# neighbor 10.10.10.1 add-path both 3
DellEMC(conf-router_bgp_af)# exit
The above configuration example shows how to enable BGP additional paths to be sent and received with a maximum of two additional paths to the peers. You can configure the neighbor to send and receive additional paths using the neighbor add-path command at the address family configuration level.
deny 702:667
deny 703:667
deny 704:666
deny 705:666
deny 14551:666
DellEMC#
Configuring an IP Extended Community List To configure an IP extended community list, use these commands. 1. Create an extended community list and enter the EXTCOMMUNITY-LIST mode. CONFIGURATION mode ip extcommunity-list extcommunity-list-name 2. Two types of extended communities are supported.
Configure BGP attributes Following sections explain how to configure the BGP attributes such as MED, COMMUNITY, WEIGHT, and LOCAL_PREFERENCE. Changing MED Attributes By default, Dell EMC Networking OS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths received from different BGP neighbors or peers from the same AS for the same route. You can configure the device to compare the MED attributes from neighbors or peers in different AS using the bgp always-compare-med command.
● community-number: use AA:NN format where AA is the AS number (2 or 4 Bytes) and NN is a value specific to that autonomous system. ● local-AS: routes with the COMMUNITY attribute NO_EXPORT_SUBCONFED, which are not sent to EBGP peers. ● no-advertise: routes with the COMMUNITY attribute NO_ADVERTISE, which are not advertised. ● no-export: routes with the COMMUNITY attribute NO_EXPORT. ● none: remove the COMMUNITY attribute. ● additive: add the communities to already existing communities. 3.
value: the range is from 0 to 4294967295. The default is 100.
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf_router_bgp)# neighbor 10.10.10.1 remote-as 500
DellEMC(conf_router_bgp)# bgp default local-preference 150
DellEMC(conf_router_bgp)# exit
In the above example configuration, the default LOCAL_PREFERENCE value is changed to 150 for all the updates from AS 500 to AS 400. The default value is 100.
● Disable next hop processing and configure the router (route reflector) as the next hop for a BGP neighbor. CONFIG-ROUTER-BGP mode neighbor {ip-address | ipv6-address | peer-group-name} next-hop-self [all] If you do not use the all keyword, the next hop of only eBGP-learned routes is updated by the route reflector. If you use the all keyword, the next hop of both eBGP- and iBGP-learned routes are updated by the route reflector. ● Sets the next hop address.
○ number: Maximum number of parallel paths. The range is from 2 to 64.
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf-router_bgp)# maximum-paths ibgp 5
DellEMC(conf-router_bgp)# exit
In the above example configuration, the maximum number of parallel internal BGP routes is set to 5, so that only 5 routes can be installed in a routing table. The show ip bgp network command includes multipath information for that network.
● Assign a cluster ID or an IP address to a route reflector cluster. CONFIG-ROUTER-BGP mode bgp cluster-id ip-address | number ○ ip-address: IP address as the route reflector cluster ID. ○ number: A route reflector cluster ID as a number from 1 to 4294967295. You can have multiple clusters in an AS. When a BGP cluster contains only one route reflector, the cluster ID is the route reflector’s router ID. For redundancy, a BGP cluster may contain two or more route reflectors.
○ suppress: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is greater than the suppress value, the flapping route is no longer advertised (that is, it is suppressed). The default is 2000. ○ max-suppress-time: the range is from 1 to 255. The maximum number of minutes a route can be suppressed. The default is four times the half-life value. The default is 60 minutes. ○ route-map map-name: name of a configured route map.
route-map Route-map to specify criteria for dampening To view a count of dampened routes, history routes, and penalized routes when you enable route dampening, look at the seventh line of the show ip bgp summary command output, as shown in the following example (bold). DellEMC>show ip bgp summary BGP router identifier 10.114.8.
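The dampening parameters described above interact through the route's penalty: it decays with the half-life, suppression starts once it exceeds the suppress value, and max-suppress-time caps how long a route can stay suppressed. The model below is an added illustration, not Dell EMC Networking OS code; the penalty added per flap (1000) and the reuse threshold (750) at which a suppressed route is advertised again are assumptions, since this page does not state them.

```python
"""Route-flap dampening penalty model (added example, not Dell EMC Networking OS code).

Parameters from the list above: half-life (decay), suppress (default 2000),
max-suppress-time (default 60 minutes, four times the half-life). Assumed
here because this page does not state them: the per-flap penalty (1000)
and the reuse threshold (750) below which a suppressed route is re-advertised.
"""
from dataclasses import dataclass
import math

FLAP_PENALTY = 1000   # assumed: penalty added on each flap (not given on this page)


@dataclass(frozen=True)
class DampeningConfig:
    half_life: int = 15           # minutes; 60 / 4 from the max-suppress-time default
    reuse: int = 750              # assumed threshold; not given on this page
    suppress: int = 2000          # page default
    max_suppress_time: int = 60   # minutes; page default

    def max_penalty(self) -> float:
        """Ceiling implied by max-suppress-time: a penalty at this value decays
        to the reuse threshold in exactly max_suppress_time minutes."""
        return self.reuse * 2 ** (self.max_suppress_time / self.half_life)


@dataclass
class RouteState:
    penalty: float = 0.0
    suppressed: bool = False
    last_update: float = 0.0      # minutes since the start of the simulation


def decayed_penalty(penalty: float, elapsed: float, half_life: int) -> float:
    """Exponential decay: the penalty halves every half_life minutes."""
    return penalty * 0.5 ** (elapsed / half_life)


def advance(state: RouteState, cfg: DampeningConfig, now: float) -> RouteState:
    """Decay the penalty up to time `now` and re-evaluate suppression."""
    state.penalty = decayed_penalty(state.penalty, now - state.last_update, cfg.half_life)
    state.last_update = now
    if state.suppressed and state.penalty < cfg.reuse:
        state.suppressed = False  # fell below reuse: the route is advertised again
    return state


def flap(state: RouteState, cfg: DampeningConfig, now: float) -> RouteState:
    """Record a flap at time `now`: add the penalty, cap it, check the suppress limit."""
    advance(state, cfg, now)
    state.penalty = min(state.penalty + FLAP_PENALTY, cfg.max_penalty())
    if state.penalty > cfg.suppress:  # page: suppressed only when penalty exceeds suppress
        state.suppressed = True
    return state


def minutes_until_reuse(state: RouteState, cfg: DampeningConfig) -> float:
    """How long a suppressed route stays suppressed if it does not flap again."""
    if not state.suppressed or state.penalty <= cfg.reuse:
        return 0.0
    return cfg.half_life * math.log2(state.penalty / cfg.reuse)


if __name__ == "__main__":
    # Constructed scenario: three flaps one minute apart, then a quiet period.
    cfg = DampeningConfig()
    route = RouteState()
    for t in (0, 1, 2):
        flap(route, cfg, t)
        print(f"t={t:>2} min  penalty={route.penalty:7.1f}  suppressed={route.suppressed}")
    print(f"suppressed for about {minutes_until_reuse(route, cfg):.1f} more minutes")
```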
In the above example configuration, the BGP timers are set with a keepalive time of 80 seconds, the interval at which the system sends keepalive messages to the BGP peer, and a holdtime of 120 seconds, the time the system waits for a message from the BGP peer before concluding that the peer is dead. To view non-default values, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
2. Shut down the BGP neighbors corresponding to the IPv4 unicast address family using the following command: shutdown address-family-ipv4-unicast To enable or disable BGP neighbors corresponding to IPv4 multicast address family: 1. Enter the router bgp mode using the following command: CONFIGURATION Mode router bgp as-number 2.
Match a Clause with a Continue Clause The continue feature can exist without a match clause. Without a match clause, the continue clause executes and jumps to the specified route-map entry. With a match clause and a continue clause, the match clause executes first and the continue clause next in a specified route map entry. The continue clause launches only after a successful match.
● Enter the router configuration mode and the AS number. CONFIG mode router bgp as-number ● Specify the IPv4 address family configuration. CONFIG-ROUTER-BGP mode address-family {ipv4 [multicast] | ipv6 unicast} vrf vrf-name vrf vrf-name — Specifies the name of VRF instance associated with the IPv4 or IPv6 address-family configuration. ● Add the IP address of the neighbor in the specified AS to the IPv4 MBGP neighbor table.
neighbor 50.0.0.2 activate exit-address-family ! address-family ipv6 unicast vrf vrf1 neighbor 50.0.0.2 activate exit-address-family DellEMC# Maintaining Existing AS Numbers During an AS Migration The local-as feature smooths out the BGP network migration operation and allows you to maintain existing ASNs during a BGP network migration. When you complete your migration, be sure to reconfigure your routers with the new information and disable this feature. ● Allow external routes from this neighbor.
○ peer-group-name: 16 characters. ○ Number: 1 through 10. Format: IP Address: A.B.C.D and IPv6 address: X:X:X:X::X. You must configure peer groups before assigning one to an AS. The lines shown in bold are the number of times ASN 65123 can appear in the AS path (allows–in 9). To disable this feature, use the no neighbor allow-as in number command in CONFIGURATION ROUTER BGP mode. R2(conf-router_bgp)#show conf ! router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.
MBGP support for IPv6 MBGP supports IPv6 with the same features and functionality as IPv4 BGP. MBGP for IPv6 supports the IPv6 address family, Network Layer Reachability Information (NLRI), and next hops that use IPv6 addresses. Configuring IPv6 MBGP between peers To configure IPv6 MBGP, use the following commands. Following are the steps to configure IPv6 MBGP between two peers. The neighbors that are configured using the neighbor remote-as command exchange only the IPv4 unicast address prefixes.
Example-Configuring IPv4 and IPv6 neighbors Example of enabling BGP and address family configuration in router (R1) Following is an example to enable BGP and address family configuration for the neighbor R2 (20.20.20.2) in the router R1. R1(conf)# router bgp 10 R1(conf-router_bgp)# neighbor 20.20.20.2 remote-as 200 R1(conf-router_bgp)# neighbor 20.20.20.2 no shutdown R1(conf-router_bgp)# neighbor 2001::2 remote-as 200 R1(conf-router_bgp)# neighbor 2001::2 no shutdown R1(conf-router_bgp)# neighbor 30.30.30.
Following is the output of show ip bgp ipv6 unicast summary command for the above configuration example. R1#show ip bgp ipv6 unicast summary BGP router identifier 1.1.1.1, local AS number 10 BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0 2 neighbor(s) using 24576 bytes of memory Neighbor 20.20.20.
Configure IPv6 NH Automatically for IPv6 Prefix Advertised over IPv4 Neighbor You can configure the system to pick the next hop IPv6 address dynamically for IPv6 prefix advertised over an IPv4 neighbor configured under IPv6 address family. If there is no IPv6 address configured on the local interface, the system uses the IPv4 mapped IPv6 address. If there are multiple IPv6 addresses configured on the interface, the system uses the lowest IPv6 address configured on that interface.
!
exit-address-family
Example configuration performed in R2
DellEMC# configure terminal
DellEMC(conf)# router bgp 20
DellEMC(conf-router_bgp)# neighbor 10.1.1.1 remote-as 655
DellEMC(conf-router_bgp)# neighbor 10.1.1.1 no shutdown
DellEMC(conf-router_bgp)# address-family ipv6 unicast
DellEMC(conf-router_bgpv6_af)# neighbor 10.1.1.1 activate
DellEMC(conf-router_bgpv6_af)# exit
Following is the show running-config command output for the above configuration.
● View information about local BGP state changes and other BGP events. EXEC Privilege mode debug ip bgp [ip-address | peer-group peer-group-name] events [in | out] ● View information about BGP KEEPALIVE messages. EXEC Privilege mode debug ip bgp [ip-address | peer-group peer-group-name] keepalive [in | out] ● View information about BGP notifications received from or sent to neighbors.
For address family: IPv4 Unicast BGP table version 1395, neighbor version 1394 Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by peer Prefixes advertised 0, rejected 0, 0 withdrawn from peer Connections established 3; dropped 2 Last reset 00:00:12, due to Missing well known attribute Notification History 'UPDATE error/Missing well-known attr' Sent : 1 Recv: 0 'Connection Reset' Sent : 1 Recv: 0 Last notification (len 21) sent 00:26:02 ago ffffffff ffffffff ffffffff ffffffff 00160303 03010000 Last notifi
10 Content Addressable Memory (CAM) CAM is a type of memory that stores information in the form of a lookup table. On Dell EMC Networking systems, CAM stores Layer 2 (L2) and Layer 3 (L3) forwarding information, access-lists (ACLs), flows, and routing policies.
Table 11. Default Cam Allocation Settings (continued)
CAM Allocation    Setting
vrfv4Acl          0
Openflow          0
fedgovacl         0
NOTE: When you reconfigure CAM allocation, use the nlbclusteracl number command to change the number of NLB ARP entries. The range is from 0 to 2. The default value is 0. At the default value of 0, eight NLB ARP entries are available for use. This platform supports up to 256 CAM entries. Select 1 to configure 128 entries. Select 2 to configure 256 entries.
cam-acl {default | l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number vman-qos | vman-dual-qos number ecfmacl number nlbcluster number ipv4pbr number openflow number | fcoe number iscsioptacl number [vrfv4acl number]
NOTE: If you do not enter the allocation values for the CAM regions, the value is 0.
3. Execute write memory and verify that the new settings are written to the CAM on the next boot.
EXEC Privilege mode
show cam-acl
4. Reload the system.
NOTE: If you select the CAM profile from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
Example of show running-config cam-profile Command
Dell#show running-config cam-profile
!
cam-profile default microcode default
Dell#
View CAM-ACL Settings
The show cam-acl command shows the cam-acl setting that will be loaded after the next reload.
Example of Viewing CAM-ACL Settings
DellEMC#show cam-acl
-- Chassis Cam ACL --
Current Settings(in block sizes)
1 block = 128 entries
L2Acl : 6
Ipv4Acl : 4
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
VmanDualQos : 0
EcfmAcl : 0
FcoeAcl : 0
iscsiOptAcl : 0
ipv4pbr : 0
vrfv4Acl : 0
Openflow : 0
fedgovacl : 0
-- Stack unit 0 --
Current Settings(in block sizes)
1 block = 128 entries
L2Acl : 6
Ipv4Acl : 4
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
VmanDualQos : 0
Ecfm
View CAM Usage
View the amount of CAM space available, used, and remaining in each partition (including IPv4 and IPv6 Flow and Layer 2 ACL sub-partitions) using the show cam-usage command in EXEC Privilege mode. The following output shows CAM block usage for Layer 2 and Layer 3 ACLs and other processes that use CAM space:
Example of the show cam-usage Command
DellEMC#show cam-usage
Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|=================|=============|=====
● Re-configure the CAM threshold
● Add or delete an ACL rule
Example of Syslog message on CAM usage
The following table shows a few possible scenarios in which the syslog message appears when you re-configure the CAM usage threshold value. For example, if the last CAM threshold was set to 90 percent and you now re-configure the CAM threshold to 80, and the current CAM usage is 85 percent, the system displays the syslog message saying that the CAM usage is above the configured CAM threshold value.
Table 13.
2. Allocate more entries in the IPv4Flow region to QoS. Dell EMC Networking OS supports the ability to view the actual CAM usage before applying a service-policy. The test camusage service-policy command provides this test framework. For more information, refer to Pre-Calculating Available QoS CAM Space.
11 Control Plane Policing (CoPP)
Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits traffic to an acceptable level.
Figure 28. CoPP Implemented Versus CoPP Not Implemented
Topics:
• Configure Control Plane Policing
Configure Control Plane Policing
The system can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per-protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
Configuring CoPP for Protocols
This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffic according to the ACL.
DellEMC(conf)#mac access-list extended lacp cpu-qos
DellEMC(conf-mac-acl-cpuqos)#permit lacp
DellEMC(conf-mac-acl-cpuqos)#exit
DellEMC(conf)#ipv6 access-list ipv6-icmp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit icmp
DellEMC(conf-ipv6-acl-cpuqos)#exit
DellEMC(conf)#ipv6 access-list ipv6-vrrp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit vrrp
DellEMC(conf-ipv6-acl-cpuqos)#exit
The following example shows creating the QoS input policy.
1. Create a QoS input policy for the router and assign the policing.
CONFIGURATION mode
qos-policy-input name cpu-qos
2. Create an input policy-map to assign the QoS policy to the desired service queues.
CONFIGURATION mode
policy-map-input name cpu-qos
service-queue queue-number qos-policy name
3. Enter Control Plane mode.
CONFIGURATION mode
control-plane-cpuqos
4. Assign a CPU queue-based service policy on the control plane in cpu-qos mode.
CPU Processing of CoPP Traffic
The systems use FP rules to send packets to the control plane, either by CopyToCPU or by redirecting the packet to the CPU port. Only 8 CPU queues are used when sending packets to the CPU. The CPU Management Interface Controller (CMIC) interface on all the systems supports 48 queues in hardware.
NDP Packets
Neighbor discovery protocol has 4 types of packets: NS, NA, RA, and RS. These packets need to be sent to the CPU for neighbor discovery.
● Unicast NDP packets:
○ Packets hitting the L3 host/route table and identified as locally terminated packets/CPU-bound traffic. For CPU-bound traffic, the route entry has a CPU action. The following packets are CPU-bound traffic:
■ Packets destined to the chassis.
Catch-All Entry for IPv6 Packets
Dell EMC Networking OS currently supports configuration of IPv6 subnets greater than /64 mask length, but the agent writes them to the default LPM table, where the key length is 64 bits. The device supports a table that stores up to 256 subnets of up to /128 mask length. This table can be enabled, and the agent can be modified to update the /128 table for mask lengths greater than /64. This restricts the subnet sizes to the required optimal level, which avoids these NDP attacks.
Displaying CoPP Configuration
The CLI provides show commands to display the protocol traffic assigned to each control-plane queue and the current rate-limit applied to each queue. Other show commands display statistical information for troubleshooting CoPP operation. To view the rates for each queue, use the show cpu-queue rate cp command.
Example of Viewing Queue Mapping for IPv6 Protocols
DellEMC#show ipv6 protocol-queue-mapping
Protocol         Src-Port  Dst-Port  TcpFlag  Queue  EgPort  Rate (kbps)
---------------  --------  --------  -------  -----  ------  -----------
TCP (BGP)        any/179   179/any   _        Q6     CP      _
ICMP             any       any       _        Q6     CP      _
VRRP             any       any       _        Q7     CP      _
DellEMC#
12 Data Center Bridging (DCB) Data center bridging (DCB) refers to a set of enhancements to Ethernet local area networks used in data center environments, particularly with clustering and storage area networks. NOTE: DCB is not supported when you use 10GBaseT ports for stacking.
a unified fabric and consolidate multiple network infrastructures use a single input/output (I/O) device called a converged network adapter (CNA). A CNA is a computer input/output device that combines the functionality of a host bus adapter (HBA) with a network interface controller (NIC). Multiple adapters on different devices for several traffic types are no longer required.
Figure 29. Illustration of Traffic Congestion
The system supports loading two DCB_Config files:
● FCoE converged traffic with priority 3.
● iSCSI storage traffic with priority 4.
In the Dell EMC Networking OS, PFC is implemented as follows:
● PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface.
Figure 30. Enhanced Transmission Selection
The following table lists the traffic groupings ETS uses to select multiprotocol traffic for transmission.
Table 15. ETS Traffic Groupings
Traffic Groupings    Description
Group ID             A 4-bit identifier assigned to each priority group. The range is from 0 to 7 configurable; 8 - 14 reservation and 15.0 - 15.7 is strict priority group.
Group bandwidth      Percentage of available bandwidth allocated to a priority group.
Data Center Bridging in a Traffic Flow
The following figure shows how DCB handles a traffic flow on an interface.
Figure 31. DCB PFC and ETS Traffic Handling
Enabling Data Center Bridging
DCB is automatically configured when you configure FCoE or iSCSI optimization. Data center bridging supports converged enhanced Ethernet (CEE) in a data center network. DCB is disabled by default. It must be enabled to support CEE.
DCB Maps and its Attributes This topic contains the following sections that describe how to configure a DCB map, apply the configured DCB map to a port, configure PFC without a DCB map, and configure lossless queues. DCB Map: Configuration Procedure A DCB map consists of PFC and ETS parameters. By default, PFC is not enabled on any 802.1p priority and ETS allocates equal bandwidth to each priority. To configure user-defined PFC and ETS settings, you must create a DCB map.
ETS: Equal bandwidth is assigned to each port queue and each dot1p priority in a priority group.
To configure PFC and ETS parameters on an interface, you must specify the PFC mode, the ETS bandwidth allocation for a priority group, and the 802.1p priority-to-priority group mapping in a DCB map. No default PFC and ETS settings are applied to Ethernet interfaces.
Configuring Priority-Based Flow Control
Priority-Based Flow Control (PFC) provides a flow control mechanism based on the 802.
Port B acting as Egress
During the congestion (traffic on priorities 3 and 4 from PORT A and PORT C is pumped at full line rate), PORT A and PORT C send out PFC frames to rate-limit the traffic. Egress drops are not observed on Port B because traffic on these priorities is mapped to lossless queues.
Port B acting as Ingress
If the traffic congestion is on PORT B, the egress drop is on PORT A or C, because PFC is not enabled on PORT B.
As soon as you apply a DCB map with PFC enabled on an interface, DCBx starts exchanging information with a peer. The IEEE802.1Qbb, CEE and CIN versions of PFC TLV are supported. DCBx also validates PFC configurations that are received in TLVs from peer devices. By applying a DCB map with PFC enabled, you enable PFC operations on ingress port traffic. To achieve complete lossless handling of traffic, configure PFC priorities on all DCB egress ports.
Applying a DCB Map on a Port
When you apply a DCB map with PFC enabled on a switch interface, a memory buffer for PFC-enabled priority traffic is automatically allocated. The buffer size is allocated according to the number of PFC-enabled priorities in the assigned map. To apply a DCB map to an Ethernet port, follow these steps:
Table 16. DCB Map to an Ethernet Port
Step    Task    Command    Command Mode
1       Enter interface configuration mode on an Ethernet port.
Configuring Lossless Queues
DCB also supports the manual configuration of lossless queues on an interface when PFC mode is disabled in the DCB map applied to that interface. The configuration of no-drop queues provides flexibility for ports on which PFC is not needed, but lossless traffic should egress from the interface. Configuring no-drop queues is applicable only on interfaces that do not need PFC.
Table 18. Configuring Lossless Queues on a Port Interface (continued)
Step    Task    Command    Command Mode
The maximum number of lossless queues globally supported on a port is 2. You cannot configure PFC no-drop queues on an interface on which a DCB map with PFC enabled has been applied, or which is already configured for PFC using the pfc priority command. Range: 0-3.
By default, the total available buffer for PFC is 6.6 MB, and when you configure dynamic ingress buffering, a minimum of 52 KB per queue is used when all ports are congested. By default, the system enables a maximum of two lossless queues on the S4820T platform. This default behavior is affected if you modify the total buffer available for PFC or assign static buffer configurations to the individual PFC queues.
Table 19. Queue Assignments (continued)
Internal-priority    Queue
4                    2
5                    3
6                    3
7                    3
Table 19. Queue Assignments
Internal-priority    Queue
0                    2
1                    0
2                    1
3                    3
4                    4
5                    5
6                    6
7                    7
3. Dot1p->Queue Mapping Configuration is retained at the default value.
Configure Enhanced Transmission Selection ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs. Using ETS, you can create groups within an 802.1p priority class to configure different treatment for traffic with different bandwidth, latency, and best-effort needs. For example, storage traffic is sensitive to frame loss; interprocess communication (IPC) traffic is latency-sensitive.
Leave a space between each priority group number. For example: priority-pgid 0 0 0 1 2 4 4 4 in which priority group 0 maps to dot1p priorities 0, 1, and 2; priority group 1 maps to dot1p priority 3; priority group 2 maps to dot1p priority 4; priority group 4 maps to dot1p priorities 5, 6, and 7. Dell EMC Networking OS Behavior: A priority group consists of 802.1p priority values that are grouped for similar bandwidth allocation and scheduling, and that share latency and loss requirements. All 802.
Dell(conf-qos-policy-out)#bandwidth-percentage 100
The default is none.
3. Repeat Step 2 to configure bandwidth percentages for other priority queues on the port.
QoS OUTPUT POLICY mode
Dell(conf-qos-policy-out)#bandwidth-percentage 100
4. Exit QoS Output Policy Configuration mode.
QoS OUTPUT POLICY mode
Dell(conf-if-te-0/1)#exit
5. Enter INTERFACE Configuration mode.
CONFIGURATION mode
interface type slot/port
6.
ETS Prerequisites and Restrictions On a switch, ETS is enabled by default on Ethernet ports with equal bandwidth assigned to each 802.1p priority. You can change the default ETS configuration only by using a DCB map.
Using ETS to Manage Converged Ethernet Traffic
To use ETS for managing converged Ethernet traffic, use the following command:
dcb-map stack-unit all dcb-map-name
Applying DCB Policies in a Switch Stack
You can apply DCB policies with PFC and ETS configurations to all stacked ports in a switch stack or on a stacked switch. To apply DCB policies in a switch stack, follow this step.
NOTE: Use only 40G ports as stacking ports when you enable DCB.
The first auto-upstream port that is capable of receiving a peer configuration is elected as the configuration source. The elected configuration source then internally propagates the configuration to other auto-upstream and auto-downstream ports. A port that receives an internally propagated configuration overwrites its local configuration with the new parameter values.
○ If a configuration source is elected, the ports send an application priority TLV based on the application priority TLV received on the configuration-source port. When an application priority TLV is received on the configuration-source port, the auto-upstream and auto-downstream ports use the internally propagated PFC priorities to match against the received application priority. Otherwise, these ports use their locally configured PFC priorities in application priority TLVs.
NOTE: DCB configurations internally propagated from a configuration source do not overwrite the configuration on a DCBx port in a manual role. When a configuration source is elected, all auto-upstream ports other than the configuration source are marked as willing disabled. The internally propagated DCB configuration is refreshed on all auto-configuration ports and each port may begin configuration negotiation with a DCBx peer again.
Figure 32. DCBx Sample Topology DCBx Prerequisites and Restrictions The following prerequisites and restrictions apply when you configure DCBx operation on a port: ● For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
● ieee-v2.5: configures the port to use IEEE 802.1Qaz (Draft 2.5).
The default is Auto.
4. Configure the DCBx port role the interface uses to exchange DCB information.
PROTOCOL LLDP mode
[no] DCBx port-role {config-source | auto-downstream | auto-upstream | manual}
● auto-upstream: configures the port to receive a peer configuration. The configuration source is elected from auto-upstream ports.
● auto: configures all ports to operate using the DCBx version received from a peer.
● cee: configures a port to use CEE (Intel 1.01).
● cin: configures a port to use Cisco-Intel-Nuova (DCBx 1.0).
● ieee-v2.5: configures a port to use IEEE 802.1Qaz (Draft 2.5).
The default is Auto.
NOTE: To configure the DCBx port role the interfaces use to exchange DCB information, use the DCBx port-role command in INTERFACE Configuration mode (Step 3).
4.
DCBx Error Messages
The following syslog messages appear when an error in DCBx operation occurs.
LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface.
LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface.
DSM_DCBx_PEER_VERSION_CONFLICT: A local port expected to receive the IEEE, CIN, or CEE version in a DCBx TLV from a remote peer but received a different, conflicting DCBx version.
Table 20. Displaying DCB Configurations (continued)
Command    Output
show dcb [stack-unit unit-number]    Displays the data center bridging status, number of PFC-enabled ports, and number of PFC-enabled queues. On the master switch in a stack, you can specify a stack-unit number. The range is from 0 to 5.
show qos priority-groups    Displays the ETS priority groups configured on the switch, including the 802.1p priority classes and ID of each group.
PG:0 TSA:ETS BW:50 PFC:OFF
Priorities:0 1 2 5 6 7
PG:1 TSA:ETS BW:50 PFC:ON
Priorities:3 4
The following example shows the show interfaces pfc summary command.
Table 21. show interface pfc summary Command Description (continued)
Field    Description
DCBx exchange (Willing bit received in PFC TLV): enabled or disabled.
Local is enabled    DCBx operational status (enabled or disabled) with a list of the configured PFC priorities.
Operational status (local port)    DCBx operational status (enabled or disabled) with a list of the configured PFC priorities.
Te 1/1    P3    0    0    0
Te 1/1    P4    0    0    0
Te 1/1    P5    0    0    0
Te 1/1    P6    0    0    0
Te 1/1    P7    0    0    0
The following example shows the show interface ets summary command.
3                                0%          ETS
4                                0%          ETS
5                                0%          ETS
6                                0%          ETS
7                                0%          ETS
Priority#   Bandwidth   TSA
0           13%         ETS
1           13%         ETS
2           13%         ETS
3           13%         ETS
4           12%         ETS
5           12%         ETS
6           12%         ETS
7           12%         ETS
Remote Parameters:
------------------
Remote is disabled
Local Parameters :
-----------------
Local is enabled
TC-grp   Priority#           Bandwidth   TSA
0        0,1,2,3,4,5,6,7     100%        ETS
1                            0%          ETS
2                            0%          ETS
3                            0%          ETS
4                            0%          ETS
5                            0%          ETS
6                            0%          ETS
7                            0%          ETS
Priority#   Bandwidth
0           13%
1           13%
2           13%
3           13%
4           12%
5           12%
6           12%
7           12%
Oper status is init
Conf TLV Tx Status is disabled
Traffic
Table 22. show interface ets detail Command Description (continued) Field Description Local Parameters ETS configuration on local port, including Admin mode (enabled when a valid TLV is received from a peer), priority groups, assigned dot1p priorities, and bandwidth allocation. Operational status (local port) Port state for current operational ETS configuration: ● Init: Local ETS configuration parameters were exchanged with peer. ● Recommend: Remote ETS configuration parameters were received from peer.
6
7
8
- -
Stack unit 1 stack port all
Max Supported TC Groups is 4
Number of Traffic Classes is 1
Admin mode is on
Admin Parameters:
-------------------
Admin is enabled
TC-grp   Priority#           Bandwidth   TSA
------------------------------------------------
0        0,1,2,3,4,5,6,7     100%        ETS
1
2
3
4
5
6
7
8
The following example shows the show interface DCBx detail command (IEEE).
DCBx Operational Version is 0
DCBx Max Version Supported is 0
Sequence Number: 1
Acknowledgment Number: 1
Protocol State: In-Sync
Peer DCBx Status:
----------------
DCBx Operational Version is 0
DCBx Max Version Supported is 0
Sequence Number: 1
Acknowledgment Number: 1
Total DCBx Frames transmitted 994
Total DCBx Frames received 646
Total DCBx Frame errors 0
Total DCBx Frames unrecognized 0
The following table describes the show interface DCBx detail command fields.
Table 23.
Table 23. show interface DCBx detail Command Description (continued)
Field    Description
Total DCBx Frames transmitted    Number of DCBx frames sent from local port.
Total DCBx Frames received    Number of DCBx frames received from remote peer port.
Total DCBx Frame errors    Number of DCBx frames with errors received.
Total DCBx Frames unrecognized    Number of unrecognizable DCBx frames received.
Sample DCB Configuration
The following shows examples of using PFC and ETS to manage your data center traffic.
QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
QoS dot1p Traffic Classification and Queue Assignment The following section describes QoS dot1P traffic classification and assignments. DCB supports PFC, ETS, and DCBx to handle converged Ethernet traffic that is assigned to an egress queue according to the following QoS methods: Honor dot1p You can honor dot1p priorities in ingress traffic at the port or global switch level (refer to Default dot1p to Queue Mapping) using the service-class dynamic dot1p command in INTERFACE configuration mode.
Configuring the Dynamic Buffer Method
Priority-based flow control using dynamic buffer spaces is supported on the switch. To configure the dynamic buffer capability, perform the following steps:
1. Enable the DCB application. By default, DCB is enabled and link-level flow control is disabled on all interfaces.
CONFIGURATION mode
dcb enable
2. Configure the shared PFC buffer size and the total buffer size. A maximum of 4 lossless queues are supported.
13 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option                Number and Description
Subnet Mask           Option 1. Specifies the client’s subnet mask.
Router                Option 3. Specifies the router IP addresses that may serve as the client’s default gateway.
Domain Name Server    Option 6. Specifies the domain name servers (DNSs) that are available to the client.
Domain Name           Option 15. Specifies the domain name that clients should use when resolving hostnames via DNS.
1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters. 2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters. Multiple servers might respond to a single DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer.
● All platforms support Dynamic ARP Inspection on 16 VLANs per system. For more information, refer to Dynamic ARP Inspection. NOTE: If the DHCP server is on the top of rack (ToR) and the VLTi (ICL) is down due to a failed link, when a VLT node is rebooted in BMP (Bare Metal Provisioning) mode, it is not able to reach the DHCP server, resulting in BMP failure.
DHCP mode
show config
After an IP address is leased to a client, only that client may release the address. Dell EMC Networking OS performs an IP + MAC source address validation to ensure that no client can release another client’s address. This validation is a default behavior and is separate from IP+MAC source address validation.
Configure a Method of Hostname Resolution
Dell systems are capable of providing DHCP clients with parameters for two methods of hostname resolution—using DNS or NetBIOS WINS.
Using DNS for Address Resolution
A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses.
1. Create a domain.
DHCP
domain-name name
2. Specify in order of preference the DNS servers that are available to a DHCP client.
Debugging the DHCP Server
To debug the DHCP server, use the following command.
● Display debug information for DHCP server.
EXEC Privilege mode
debug ip dhcp server [events | packets]
Using DHCP Clear Commands
To clear DHCP binding entries, address conflicts, and server counters, use the following commands.
● Clear DHCP binding entries for the entire binding table.
EXEC Privilege mode
clear ip dhcp binding
● Clear a DHCP binding entry for an individual IP address.
EXEC Privilege mode
Figure 36. Configuring a Relay Agent
To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode.
Example of the show ip interface Command
R1_E600#show ip int tengigabitethernet 1/3
TenGigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1 192.168.0.
Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: ● The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (Dell EMC Networking OS version and a configuration file). BMP is enabled as a factory-default setting on a switch.
● If you enable DHCP snooping globally on a switch and you enable a DHCP client on an interface, DHCP snooping does not perform the trust port, source MAC address, and snooping table validations on that interface for packets destined to the DHCP client daemon. The following criteria determine packets destined for the DHCP client:
○ DHCP is enabled on the interface.
○ The User Datagram Protocol (UDP) destination port in the packet is 68.
● stack group ID
The received stacking configuration is always applied on the master stack unit.
option #230 "unit-number:3#priority:2#stack-group:14"
Configuring DHCP relay source interface
The following section explains how to configure global and interface-level DHCP relay source IPv4 or IPv6 configuration to forward all DHCP packets from the DHCP client to the DHCP server through the configured source interface.
The following steps configure an interface-specific source IPv4 or IPv6 configuration for DHCP relay. The example below shows when the DHCP relay uses the interface-specific configuration and when it uses the global source interface configuration, depending on what is configured.
1. Configure an L3 interface with an IPv4 or IPv6 address.
The following steps configure an L3 interface (loopback) with IPv4 and IPv6 addresses in INTERFACE mode.
Option 82 (DHCPv4 relay options)
RFC 3046 (the relay agent information option, or Option 82) is used for class-based IP address assignment. The code for the relay agent information option is 82, and includes two suboptions, circuit ID and remote ID.
Circuit ID: This is the interface on which the client-originated message is received.
Remote ID: This identifies the host from which the message is received. The value of this suboption is the MAC address of the relay agent that adds Option 82.
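As an added example (not Dell EMC's code or the switch's implementation), the following Python encodes and decodes Option 82 with both suboptions. The suboption codes 1 (Agent Circuit ID) and 2 (Agent Remote ID) are those assigned by RFC 3046; the sample circuit ID string and relay MAC address are constructed for the demonstration.

```python
# Added example, not Dell EMC's code: encode and decode the DHCPv4 relay
# agent information option (Option 82, RFC 3046) with its two suboptions.
# Suboption codes 1 (Agent Circuit ID) and 2 (Agent Remote ID) are the
# values assigned by RFC 3046; the sample circuit ID and relay MAC below
# are constructed and do not come from a real relay agent.
from typing import Dict

OPTION_82 = 82
SUBOPT_CIRCUIT_ID = 1  # RFC 3046, section 3.1
SUBOPT_REMOTE_ID = 2   # RFC 3046, section 3.2


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode Option 82 as it sits in the DHCP options field:
    option code, option length, then suboption TLVs (code, length, value)."""
    if len(circuit_id) > 255 or len(remote_id) > 255:
        raise ValueError("suboption value exceeds a one-byte length field")
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(body) > 255:
        raise ValueError("Option 82 payload exceeds a one-byte length field")
    return bytes([OPTION_82, len(body)]) + body


def parse_option82(option: bytes) -> Dict[int, bytes]:
    """Decode an Option 82 TLV into {suboption_code: value}.
    Length fields are checked at every level so a truncated or
    self-inconsistent option is rejected rather than partially accepted."""
    if len(option) < 2 or option[0] != OPTION_82:
        raise ValueError("not an Option 82 TLV")
    body = option[2:]
    if len(body) != option[1]:
        raise ValueError("option length does not match payload")
    subopts: Dict[int, bytes] = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("suboption header truncated")
        code, sublen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + sublen]
        if len(value) != sublen:
            raise ValueError("suboption %d truncated" % code)
        if code in subopts:
            raise ValueError("duplicate suboption %d" % code)
        subopts[code] = value
        pos += 2 + sublen
    return subopts


def is_well_formed(option: bytes) -> bool:
    """True when parse_option82 accepts the option, False on any length error."""
    try:
        parse_option82(option)
        return True
    except ValueError:
        return False


def mac_to_str(mac: bytes) -> str:
    """Render the 6-byte remote ID (the relay agent's MAC address) as hex."""
    if len(mac) != 6:
        raise ValueError("expected a 6-byte MAC address")
    return ":".join("%02x" % b for b in mac)


# Constructed sample values: an ASCII circuit ID and a made-up relay MAC.
SAMPLE_CIRCUIT_ID = b"Vl200:Te1/4"
SAMPLE_RELAY_MAC = bytes.fromhex("00005e005301")


def demo() -> Dict[str, str]:
    """Round-trip the sample values through build and parse."""
    opt = build_option82(SAMPLE_CIRCUIT_ID, SAMPLE_RELAY_MAC)
    sub = parse_option82(opt)
    return {
        "circuit_id": sub[SUBOPT_CIRCUIT_ID].decode("ascii"),
        "remote_id": mac_to_str(sub[SUBOPT_REMOTE_ID]),
    }


if __name__ == "__main__":
    print(demo())
```

The length checks at both the option and suboption level mean an option that claims more bytes than it carries, or repeats a suboption, is rejected outright; that is the behaviour a server or snooping device wants before it trusts the circuit ID or remote ID for class-based address assignment.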
● Default Agent Interface ID is constructed in the format VLANID:LagID:SlotID:PortStr. When the port is fanned-out, the PortStr is represented as mainPort:subPort (all in ASCII format).
● Default Agent Remote ID is the system MAC address of the relay agent that adds Option 37 (in binary format).
DHCP Snooping
DHCP snooping is a feature that protects networks from spoofing. It acts as a firewall between the DHCP server and DHCP clients. DHCP snooping places the ports either in trusted or non-trusted mode.
Enabling DHCP Snooping
To enable DHCP snooping, use the following commands.
1. Enable DHCP snooping globally.
CONFIGURATION mode
ip dhcp snooping
2. Specify ports connected to DHCP servers as trusted.
INTERFACE mode
INTERFACE PORT EXTENDER mode
ip dhcp snooping trust
3. Enable DHCP snooping on a VLAN.
CONFIGURATION mode
ip dhcp snooping vlan name
Enabling IPv6 DHCP Snooping
To enable IPv6 DHCP snooping, use the following commands.
1. Enable IPv6 DHCP snooping globally.
clear ip dhcp snooping binding
Clearing the DHCP IPv6 Binding Table
To clear the DHCP IPv6 binding table, use the following command.
● Delete all of the entries in the binding table.
EXEC Privilege mode
clear ipv6 dhcp snooping binding
DellEMC# clear ipv6 dhcp snooping?
binding Clear the snooping binding database
Displaying the Contents of the Binding Table
To display the contents of the binding table, use the following command.
● Display the DHCP snooping information.
The following example output of the show ip dhcp snooping binding command displays that different IP addresses are mapped to the same MAC address:
DellEMC#show ip dhcp snooping binding
Codes : S - Static D - Dynamic
IP Address     MAC Address        Expires(Sec)  Type  VLAN    Interface
=========================================================================
10.1.1.100     00:00:a0:00:00:00  39735         S     Vl 200  Te 1/4
10.1.1.101     00:00:a0:00:00:00  39736         S     Vl 200  Te 1/4
10.1.1.
Debugging the IPv6 DHCP
To debug the IPv6 DHCP, use the following command.
● Display debug information for IPv6 DHCP.
EXEC Privilege mode
debug ipv6 dhcp
IPv6 DHCP Snooping MAC-Address Verification
Enables verification of the source MAC address in the DHCP packet against the MAC address stored in the snooping binding table.
● Enable IPv6 DHCP snooping.
IP Address     MAC Address        Expires(Sec)  Type  VLAN   Interface
================================================================
10.1.1.251     00:00:4d:57:f2:50  172800        D     Vl 10  Te 1/2
10.1.1.252     00:00:4d:57:e6:f6  172800        D     Vl 10  Te 1/1
10.1.1.253     00:00:4d:57:f8:e8  172740        D     Vl 10  Te 1/3
10.1.1.
To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics command.
DellEMC#show arp inspection statistics
Dynamic ARP Inspection (DAI) Statistics
---------------------------------------
Valid ARP Requests : 0
Valid ARP Replies : 1000
Invalid ARP Requests : 1000
Invalid ARP Replies : 0
DellEMC#
Configuring dynamic ARP inspection-limit
To configure the dynamic ARP inspection rate limit on a port, perform the following task.
1. Enter global configuration mode.
Enabling IP Source Address Validation IP source address validation (SAV) prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table. A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker. For example, using ARP spoofing, an attacker can assume a legitimate client’s identity and receive traffic addressed to it. Then the attacker can spoof the client’s IP address to interact with other clients.
reload
4. Do one of the following.
● Enable IP+MAC SAV.
INTERFACE mode
ip dhcp source-address-validation ipmac
● Enable IP+MAC SAV with VLAN option.
INTERFACE mode
ip dhcp source-address-validation ipmac vlan vlan-id
Dell EMC Networking OS creates an ACL entry for each IP+MAC address pair, optionally with its VLAN ID, in the binding table and applies it to the interface.
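The binding-table lookup that IP+MAC source address validation performs, together with the duplicate-MAC condition that the show ip dhcp snooping binding output above illustrates, as an added Python example that is not Dell EMC's code. The sample command output is constructed in the guide's layout with made-up addresses, and sav_permits is a model of the validation decision, not the switch's ACL programming.

```python
# Added example, not Dell EMC's code: parse the text of
# "show ip dhcp snooping binding", flag MAC addresses that hold more than
# one IP address, and model the IP+MAC (optionally +VLAN) source address
# validation lookup. The sample output is constructed in the guide's
# layout; the addresses in it are made up.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_BINDING_OUTPUT = """\
DellEMC#show ip dhcp snooping binding
Codes : S - Static D - Dynamic
IP Address       MAC Address        Expires(Sec)  Type  VLAN     Interface
=========================================================================
10.1.1.100       00:00:a0:00:00:00  39735         S     Vl 200   Te 1/4
10.1.1.101       00:00:a0:00:00:00  39736         S     Vl 200   Te 1/4
10.1.1.251       00:00:4d:57:f2:50  172800        D     Vl 10    Te 1/2
10.1.1.252       00:00:4d:57:e6:f6  172800        D     Vl 10    Te 1/1
DellEMC#
"""

# One binding row: IP, MAC, expiry, S/D type, "Vl <id>", then the interface
# (two tokens such as "Te 1/4"). Header, separator and prompt lines do not match.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<expires>\d+)\s+(?P<type>[SD])\s+"
    r"Vl\s+(?P<vlan>\d+)\s+(?P<intf>\S+\s+\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    expires: int
    static: bool
    vlan: int
    interface: str


def parse_binding_table(text: str) -> List[Binding]:
    """Extract one Binding per data row of the show command output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        rows.append(Binding(
            ip=m["ip"],
            mac=m["mac"].lower(),
            expires=int(m["expires"]),
            static=m["type"].upper() == "S",
            vlan=int(m["vlan"]),
            interface=re.sub(r"\s+", " ", m["intf"]),
        ))
    return rows


def macs_with_multiple_ips(rows: List[Binding]) -> Dict[str, List[str]]:
    """MAC addresses bound to more than one IP, the condition the guide's
    sample output illustrates; worth reviewing when it is not expected."""
    by_mac: Dict[str, List[str]] = {}
    for b in rows:
        by_mac.setdefault(b.mac, []).append(b.ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def sav_permits(rows: List[Binding], src_ip: str, src_mac: str,
                vlan: Optional[int] = None) -> bool:
    """Model of IP+MAC source address validation: a packet is forwarded only
    when its (source IP, source MAC[, VLAN]) tuple matches a binding entry."""
    src_mac = src_mac.lower()
    for b in rows:
        if b.ip == src_ip and b.mac == src_mac and (vlan is None or b.vlan == vlan):
            return True
    return False


if __name__ == "__main__":
    table = parse_binding_table(SAMPLE_BINDING_OUTPUT)
    print(macs_with_multiple_ips(table))
    print(sav_permits(table, "10.1.1.251", "00:00:4d:57:e6:f6"))
```

The second print shows the case the guide's description of SAV is about: 10.1.1.251 is bound to a different MAC in the table, so a packet carrying that IP from 00:00:4d:57:e6:f6 is not forwarded. Adding the VLAN argument mirrors the ipmac vlan form of the command, where the same IP+MAC pair on another VLAN is also rejected.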
14 Equal Cost Multi-Path (ECMP)
This chapter describes configuring ECMP.
Topics:
• ECMP for Flow-Based Affinity
• Link Bundle Monitoring
• RTAG7
• Flow-based Hashing for ECMP

ECMP for Flow-Based Affinity
ECMP for flow-based affinity includes link bundle monitoring.
Configuring the Hash Algorithm Seed Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order. However, the hash algorithm uses as a seed the lower 12 bits of the chassis MAC, which yields a different hash result for every chassis. This behavior means that for a given flow, even though the prefixes are sorted, two unrelated chassis can select different hops.
Managing ECMP Group Paths
To avoid path degeneration, configure the maximum number of paths for an ECMP route that the L3 CAM can hold. When you do not configure the maximum number of routes, the CAM can hold a maximum ECMP per route. To configure the maximum number of paths, use the following command.
NOTE: For the new settings to take effect, save the new ECMP settings to the startup-config (write-mem) then reload the system.
● Configure the maximum number of paths per ECMP group.
  CONFIGURATION mode.
NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indices are generated in even numbers (0, 2, 4, 6... 1022) and are for information only. You can configure ecmp-group with id 2 for link bundle monitoring. This ecmp-group is different from the ecmp-group index 2 that is created by configuring routes and is automatically generated.
mac       Set the mac key fields to use in hash computation(default = source-mac dest-mac vlan ethertype)
tcp-udp   Option to use TCP/UDP ports in packet for ECMP/LAG hashing
tunnel    Set the tunnel key fields to use in hash computation(default = Hash-computation based on Inner Header)]
● The second portion comes from static physical configuration such as ingress and egress port numbers.
Figure 37. Before Polarization Effect
Router B performs the same hash as router A, so all the traffic goes through the same path to router D, while no traffic is redirected to router E. Some of the anti-polarization techniques generally used to mitigate unequal traffic distribution in LAG/ECMP are as follows:
1. Configuring different hash-seed values at each node - The hash seed is the primary parameter in the hash computation that determines the distribution of traffic among the ECMP paths.
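The polarization effect in Figure 37, and the seed derivation described under Configuring the Hash Algorithm Seed (lower 12 bits of the chassis MAC), can be reproduced with a small simulation. This is an added example, not the switch's RTAG7 implementation: the hash function, the two-tier topology (router A choosing between B and C, router B choosing between D and E), the constructed flows and the function names are all assumptions made for illustration. The chassis MAC used below is the one that appears in this guide's show interfaces output.

```python
import hashlib
import random


def seed_from_chassis_mac(mac):
    """Lower 12 bits of the chassis MAC: the default hash seed the guide describes."""
    return int(mac.replace(":", ""), 16) & 0xFFF


def flow_hash(flow, seed):
    """Seeded hash of a 5-tuple. Stand-in for the ASIC hash (assumed; not the RTAG7 polynomial)."""
    data = seed.to_bytes(4, "big") + "|".join(map(str, flow)).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def pick_path(flow, seed, n_paths):
    """Next-hop index chosen for a flow on a node with n_paths equal-cost paths."""
    return flow_hash(flow, seed) % n_paths


def constructed_flows(n, rng_seed=1):
    """Deterministic, constructed TCP flows (src ip, dst ip, proto, sport, dport)."""
    rng = random.Random(rng_seed)
    return [
        (
            f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}",
            f"192.0.2.{rng.randrange(1, 255)}",
            6,
            rng.randrange(1024, 65536),
            443,
        )
        for _ in range(n)
    ]


def downstream_distribution(seed_a, seed_b, n_flows=5000):
    """Router A (paths: B=0, C=1) feeds router B (paths: D=0, E=1).

    Returns how the flows that A sent to B are split by B. With seed_a == seed_b every
    flow that hashed to index 0 at A hashes to index 0 again at B, so E carries nothing.
    """
    flows = constructed_flows(n_flows)
    via_b = [f for f in flows if pick_path(f, seed_a, 2) == 0]
    to_d = sum(1 for f in via_b if pick_path(f, seed_b, 2) == 0)
    return {"via_b": len(via_b), "to_d": to_d, "to_e": len(via_b) - to_d}


if __name__ == "__main__":
    seed = seed_from_chassis_mac("00:01:e8:05:f3:6a")
    print("same seed on A and B:     ", downstream_distribution(seed, seed))
    print("different seed on B:      ", downstream_distribution(seed, 0x123))
```

Running it shows the two halves of the argument: with identical seeds the flows reaching B are exactly the ones whose hash is even, so B's own even/odd decision sends all of them to D; once B uses a different seed its decision is independent of A's and the same flows split roughly evenly between D and E.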
bits of xor4 xor8 bits of xor8 xor16 CRC16_BISYNC_AND_XOR8 - Upper 8 bits of CRC16-BISYNC and lower 8 CR16 - 16 bit XOR]
Example to view show hash-algorithm:
DellEMC(conf)#hash-algorithm ecmp flow-based-hashing crc16
DellEMC(conf)#end
DellEMC#show hash-algorithm
Hash-Algorithm
  linecard 0 Port-Set 0 Seed 185270328 Hg-Seed 185282673
    EcmpFlowBasedHashingAlgo- crc16 EcmpAlgo- crc32MSB LagAlgo- crc32LSB HgAlgo- crc16
Figure 38.
15 FIP Snooping
The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.
NOTE: FIP snooping is not supported on Fibre Channel interfaces or in a switch stack.
The following table lists the FIP functions.
Table 27. FIP Functions
FIP Function        Description
FIP VLAN discovery  FCoE devices (ENodes) discover the FCoE VLANs on which to transmit and receive FIP and FCoE traffic.
FIP discovery       FCoE end-devices and FCFs are automatically discovered.
Initialization      FCoE devices learn ENodes from the FLOGI and FDISC to allow immediate login and create a virtual link with an FCoE switch.
Dynamic ACL generation on the switch operating as a FIP snooping bridge functions as follows:
Port-based ACLs     These ACLs are applied on all three port modes: on ports directly connected to an FCF, server-facing ENode ports, and bridge-to-bridge links. Port-based ACLs take precedence over global ACLs.
FCoE-generated ACLs These take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames.
● To provide more port security on ports that are directly connected to an FCF and have links to other FIP snooping bridges, set the FCF or Bridge-to-Bridge Port modes.
● To ensure that they are operationally active, check FIP snooping-enabled VLANs.
● Process FIP VLAN discovery requests and responses, advertisements, solicitations, FLOGI/FDISC requests and responses, FLOGO requests and responses, keep-alive packets, and clear virtual-link messages.
● When you disable FIP snooping:
  ○ ACLs are not installed, FIP and FCoE traffic is not blocked, and FIP packets are not processed.
  ○ The existing per-VLAN and FIP snooping configuration is stored. The configuration is re-applied the next time you enable the FIP snooping feature.
● You must apply the CAM-ACL space for the FCoE region before enabling the FIP-Snooping feature.
● FCoE traffic is allowed on VLANs only after a successful virtual-link initialization (fabric login FLOGI) between an ENode and an FCF. All other FCoE traffic is dropped.
● You must configure at least one interface for FCF (FCoE Forwarder) mode on a FIP snooping-enabled VLAN. You can configure multiple FCF trusted interfaces in a VLAN.
● A maximum of eight VLANs are supported for FIP snooping on the switch.
Table 28. Impact of Enabling FIP Snooping (continued)
Impact  Description
        deleted. If a port is enabled for FIP snooping in ENode or FCF mode, the ENode/FCF MAC-based ACLs are deleted.

FIP Snooping Restrictions
The following restrictions apply when you configure FIP snooping.
● The maximum number of FCoE VLANs supported on the switch is eight.
● The maximum number of FIP snooping sessions supported per ENode server is 32.
Displaying FIP Snooping Information
Use the following show commands to display information on FIP snooping.
Table 29. Displaying FIP Snooping Information
Command                                           Output
show fip-snooping sessions [interface vlan vlan-id]  Displays information on FIP-snooped sessions on all VLANs or a specified VLAN, including the ENode interface and MAC address, the FCF interface and MAC address, VLAN ID, FCoE MAC address and FCoE session ID number (FC-ID), worldwide node name (WWNN) and the worldwide port name (WWPN).
Table 30. show fip-snooping sessions Command Description
Field            Description
ENode MAC        MAC address of the ENode.
ENode Interface  Slot/port number of the interface connected to the ENode.
FCF MAC          MAC address of the FCF.
FCF Interface    Slot/port number of the interface to which the FCF is connected.
VLAN             VLAN ID number used by the session.
FCoE MAC         MAC address of the FCoE session assigned by the FCF.
FC-ID            Fibre Channel ID assigned by the FCF.
Port WWPN        Worldwide port name of the CNA port.
Table 32. show fip-snooping fcf Command Description (continued)
Field            Description
FCF Interface    Slot/port number of the interface to which the FCF is connected.
VLAN             VLAN ID number used by the session.
FC-MAP           FC-Map value advertised by the FCF.
ENode Interface  Slot/port number of the interface connected to the ENode.
FKA_ADV_PERIOD   Period of time (in milliseconds) during which FIP keep-alive advertisements are transmitted.
No of ENodes     Number of ENodes connected to the FCF.
The following example shows the show fip-snooping statistics port-channel command.
Table 33. show fip-snooping statistics Command Descriptions (continued)
Field                    Description
Number of FDISC Rejects  Number of FIP FDISC reject frames received on the interface.
Number of FLOGO Accepts  Number of FIP FLOGO accept frames received on the interface.
Number of FLOGO Rejects  Number of FIP FLOGO reject frames received on the interface.
Number of CVLs           Number of FIP clear virtual link frames received on the interface.
FCoE Transit Configuration Example
The following illustration shows a switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway.
Figure 41. Configuration Example: FIP Snooping on a Switch
In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
Example of Configuring the ENode Server-Facing Port
DellEMC(conf)# interface tengigabitethernet 1/1
DellEMC(conf-if-te-1/1)# portmode hybrid
DellEMC(conf-if-te-1/1)# switchport
DellEMC(conf-if-te-1/1)# protocol lldp
DellEMC(conf-if-te-1/1-lldp)# dcbx port-role auto-downstream
NOTE: A port is enabled by default for bridge-ENode links.
16 FIPS Cryptography
Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell EMC Networking platforms.
When you enable FIPS mode, the following actions are taken:
● If enabled, the SSH server is disabled.
● All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
● Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
● FIPS mode is enabled.
  ○ If you enable the SSH server when you enter the fips mode enable command, it is re-enabled for version 2 only.
  ○ If you re-enable the SSH server, a new RSA host key-pair is generated automatically.
● Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
● FIPS mode is disabled.
● The SSH server is re-enabled.
● The Telnet server is re-enabled (if it is present in the configuration).
● New 1024-bit RSA and RSA1 host key-pairs are created.
To disable FIPS mode, use the following command.
● To disable FIPS mode from a console port.
17 Force10 Resilient Ring Protocol (FRRP)
FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status
The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure.

Ring Checking
At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
Figure 42. Example of Multiple Rings Connected by Single Switch

Important FRRP Points
FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring.
● The Master node transmits ring status check frames at specified intervals.
● You can run multiple physical rings on the same switch.
Important FRRP Concepts
The following table lists some important FRRP concepts.
Concept       Explanation
Ring ID       Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202, as shown in the illustration in Member VLAN Spanning Two Rings Connected by One Switch).
Control VLAN  Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose.
● If multiple rings share one or more member VLANs, they cannot share any links between them.
● Member VLANs across multiple rings are not supported in Master nodes.
● Each ring has only one Master node; all others are transit nodes.

FRRP Configuration
These are the tasks to configure FRRP.
  ● For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
3. Assign the Primary and Secondary ports and the control VLAN for the ports on the ring.
   CONFIG-FRRP mode.
   interface primary interface secondary interface control-vlan vlan id
   Interface:
   ● For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
   ● For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
4.
5. Identify the Member VLANs for this FRRP group.
   CONFIG-FRRP mode.
   member-vlan vlan-id {range}
   VLAN-ID, Range: VLAN IDs for the ring's Member VLANs.
6. Enable this FRRP group on this switch.
   CONFIG-FRRP mode.
   no disable

Setting the FRRP Timers
To set the FRRP timers, use the following command.
NOTE: Set the Dead-Interval time 3 times the Hello-Interval.
● Enter the desired intervals for Hello-Interval or Dead-Interval times.
  CONFIG-FRRP mode.
Ring ID: the range is from 1 to 255.

Troubleshooting FRRP
To troubleshoot FRRP, use the following information.

Configuration Checks
● Each Control Ring must use a unique VLAN ID.
● Only two interfaces on a switch can be Members of the same control VLAN.
● There can be only one Master node for any FRRP group.
● You can configure FRRP on Layer 2 interfaces only.
● Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
interface Vlan 101
 no ip address
 tagged TenGigabitEthernet 2/14,31
 no shutdown
!
interface Vlan 201
 no ip address
 tagged TenGigabitEthernet 2/14,31
 no shutdown
!
protocol frrp 101
 interface primary TenGigabitEthernet 2/14 secondary TenGigabitEthernet 2/31 control-vlan 101
 member-vlan 201
 mode transit
 no disable

Example of R3 TRANSIT
interface TenGigabitEthernet 3/14
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
Figure 43. FRRP Ring Connecting VLT Devices
You can also configure an FRRP ring where both the VLT peers are connected to the FRRP ring and the VLTi acts as the primary interface for the FRRP Master and transit nodes. This active-active FRRP configuration blocks the FRRP ring on a per-VLAN or VLAN-group basis, enabling the configuration to span different sets of VLANs.
control VLAN, multiple member VLANs are configured (for example, M1 to M10) that carry the data traffic across the FRRP rings. The secondary port P2 is tagged to the control VLAN (V1). VLTi is implicitly tagged to the member VLANs when these VLANs are configured in the VLT peer. As a result of the VLT Node2 configuration on R2, the secondary interface P2 is blocked for the member VLANs (M11 to Mn). The following figure illustrates the FRRP Ring R1 topology:
Figure 44.
18 GARP VLAN Registration Protocol (GVRP)
The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other.
Configure GVRP
To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports.
Figure 45. Global GVRP Configuration Example
Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2.
gvrp enable
DellEMC(conf)#protocol gvrp
DellEMC(config-gvrp)#no disable
DellEMC(config-gvrp)#show config
!
protocol gvrp
 no disable
DellEMC(config-gvrp)#
To inspect the global configuration, use the show gvrp brief command.

Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
● Enable GVRP on a Layer 2 interface.
 no shutdown
DellEMC(conf-if-te-1/21)#

Configure a GARP Timer
Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings.
● Join: A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The Dell EMC Networking OS default is 200ms.
19 High Availability (HA)
High availability (HA) is supported on Dell EMC Networking OS. HA is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. To support all the features within the HA collection, you should have the latest boot code. The following table lists the boot code requirements as of this Dell EMC Networking OS release.
Table 34. Boot Code Requirements
Component  Boot Code
S4820T     1 2.0.
Boot the Chassis with a Single RPM
You can boot the chassis with one RPM and later add a second RPM, which automatically becomes the standby RPM. Dell Networking OS displays the following message when the standby RPM is online.
%RPM-2-MSG:CP0 %POLLMGR-2-ALT_RPM_STATE: Alternate RPM is present
%IRC-6-IRC_COMMUP: Link to peer RPM is up
%RAM-6-RAM_TASK: RPM1 is in Standby State.

Boot the Chassis with Dual RPMs
When you boot the system with two RPMs installed, the RPM in slot R0 is the primary RPM by default.
Example of Boot Failure on Standby RPM
System failed to boot up. Please reboot the chassis !!!
00:12:46: %RPM1-U:CP %TME-0-RPM BRINGUP FAIL: FTOS failed to bring up the system
Communication between RPMs is not up, check the software version and reboot chassis.
Dell(standby)(bootfail)#

Automatic and Manual Stack Unit Failover
Stack unit failover is the process of the standby unit becoming a management unit. Dell EMC Networking OS fails over to the standby stack unit when:
1.
Support for RPM Redundancy by Dell EMC Networking OS Version
Dell EMC Networking OS supports increasing levels of RPM redundancy (warm and hot) as described in the table below.
Table 36. Support for RPM Redundancy by Dell EMC Networking OS Version
Platform  Failover Type  Failover Behavior
S4820T    Hot Failover   Only the failed RPM reboots. All the line cards and SFMs remain online. All application tasks are spawned on the secondary RPM before failover.
Disabling Auto-Reboot
To disable auto-reboot, use the following command.
● Prevent a failed stack unit from rebooting after a failover.
  CONFIGURATION mode
  redundancy disable-auto-reboot

Manually Synchronizing Management and Standby Units
To manually synchronize Management and Standby units at any time, use the following command.
● Manually synchronize Management and Standby units.
Example of Viewing Line Card Configuration
Dell(conf)#do show linecard all
-- Line cards --
Slot  Status       NxtBoot  ReqTyp  CurTyp  Version  Ports
---------------------------------------------------------------------------
0     not present
[output omitted]
Dell(conf)# %RPM0-P:CP %CHMGR-5-CARDDETECTED: Line card 0 present
Dell(conf)# do show linecard all
-- Line cards --
Slot  Status       NxtBoot  ReqTyp  CurTyp  Version  Ports
---------------------------------------------------------------------------
0     online       online   E48VB   E48VB   7-5-1
no stack-unit unit_id provision

Hitless Behavior
Hitless is a protocol-based system behavior that makes a stack unit failover on the local system transparent to remote systems. The system synchronizes protocol information on the Management and Standby stack units such that, in the event of a stack unit failover, it is not necessary to notify the remote systems of a local state change. Hitless behavior is defined in the context of a stack unit failover only.
● Only failovers via the CLI are hitless.
Failure and Event Logging
Dell EMC Networking systems provide multiple options for logging failures and events.

Trace Log
Developers interlace messages with software code to track the execution of a program. These messages are called trace messages and are primarily used for debugging and to provide lower-level information than event messages, which system administrators primarily use.
With a system reload, the system must read and apply the entire startup-config file, which might take some time if the startup-config is large. Restarting a process saves time because only the portion of the configuration related to the crashed process is read and reapplied. For a dual-RPM system, restarting a process also precludes launching the failover process on the primary and standby RPMs.
20 Internet Group Management Protocol (IGMP)
Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 46. IGMP Messages in IP Packets

Join a Multicast Group
There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier.

Responding to an IGMP Query
The following describes how a host can join a multicast group.
1. One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
2.
IGMP Version 3
Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences.
● Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers.
● To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Joining and Filtering Groups and Sources
The following illustration shows how multicast routers maintain the group and source information from unsolicited reports.
1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2. The host's second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1. Include messages prevent traffic from all other sources in the group from reaching the subnet.
Leaving and Staying in Groups
The following illustration shows how multicast routers track and refresh state changes in response to group-and-source specific and general queries.
1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filters for 10.11.1.1 and 10.11.1.2 are no longer necessary.
2.
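The group and source state that the two preceding sections (Joining and Filtering Groups and Sources, Leaving and Staying in Groups) describe can be modelled as a small per-interface table keyed by group. The following is an added example, not Dell EMC Networking OS code: it keeps IGMPv3 filter-mode state (INCLUDE/EXCLUDE with a source set) per group, applies the six IGMPv3 record types, and answers whether traffic from a given source would be forwarded. The class and method names are assumptions; query and timer handling is deliberately left out, so a leave takes effect immediately rather than after the group-and-source specific query the text mentions.

```python
from dataclasses import dataclass, field

# IGMPv3 group record types (RFC 3376 names)
RECORD_TYPES = {"IS_IN", "IS_EX", "TO_IN", "TO_EX", "ALLOW", "BLOCK"}


@dataclass
class GroupState:
    mode: str                     # "INCLUDE" or "EXCLUDE"
    sources: set = field(default_factory=set)


class MulticastRouterIf:
    """Per-interface IGMPv3 group/source state built from host reports (simplified model)."""

    def __init__(self):
        self.groups = {}          # group address -> GroupState

    def report(self, group, record_type, sources=()):
        if record_type not in RECORD_TYPES:
            raise ValueError(f"unknown record type {record_type!r}")
        srcs = set(sources)
        st = self.groups.get(group)

        if record_type in ("IS_IN", "TO_IN"):
            # Only the listed sources are wanted; an empty list is a leave.
            st = GroupState("INCLUDE", srcs)
        elif record_type in ("IS_EX", "TO_EX"):
            # Everything except the listed sources; EXCLUDE {} is a plain (v2-style) join.
            st = GroupState("EXCLUDE", srcs)
        elif record_type == "ALLOW":
            if st is None:
                st = GroupState("INCLUDE", set())
            if st.mode == "INCLUDE":
                st.sources |= srcs
            else:
                st.sources -= srcs
        else:  # BLOCK
            if st is None:
                return            # nothing to block for an unknown group
            if st.mode == "INCLUDE":
                st.sources -= srcs
            else:
                st.sources |= srcs

        if st.mode == "INCLUDE" and not st.sources:
            self.groups.pop(group, None)   # no interested receivers: drop the group
        else:
            self.groups[group] = st

    def forwards(self, group, source):
        """Would traffic for (source, group) be forwarded onto this subnet?"""
        st = self.groups.get(group)
        if st is None:
            return False
        if st.mode == "INCLUDE":
            return source in st.sources
        return source not in st.sources


if __name__ == "__main__":
    rif = MulticastRouterIf()
    rif.report("224.1.1.1", "IS_EX", [])              # step 1: join, any source
    rif.report("224.1.1.1", "TO_IN", ["10.11.1.1"])   # step 2: only source 10.11.1.1
    print(rif.forwards("224.1.1.1", "10.11.1.1"), rif.forwards("224.1.1.1", "10.11.1.2"))
    rif.report("224.1.1.1", "TO_IN", [])              # leave
    print(rif.groups)
```

Walking the guide's sequence through it: the first unsolicited report (EXCLUDE with no sources) admits every source for 224.1.1.1; the second report switches the group to INCLUDE {10.11.1.1}, so 10.11.1.2 stops being forwarded; a final INCLUDE with an empty source list is the leave, and the group entry disappears.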
● Adjusting Timers
● Preventing a Host from Joining a Group
● Enabling IGMP Immediate-Leave
● IGMP Snooping
● Fast Convergence after MSTP Topology Changes
● Designating a Multicast Router Interface

Viewing IGMP Enabled Interfaces
Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command.
● View IGMP-enabled IPv4 interfaces.
  EXEC Privilege mode
  show ip igmp interface
● View IGMP-enabled IPv6 interfaces.
Viewing IGMP Groups
To view both learned and statically configured IGMP groups, use the following command.
● View both learned and statically configured IGMP groups.
  EXEC Privilege mode
  show ip igmp groups
  show ipv6 mld groups
DellEMC# show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address  Interface               Mode    Uptime    Expires   Last Reporter
225.1.1.1      TenGigabitEthernet 1/1  IGMPV2  00:11:19  00:01:50  165.87.34.100
225.1.2.1      TenGigabitEthernet 1/1  IGMPV2  00:10:19  00:01:50  165.
● Adjust the last member query interval.
  INTERFACE mode
  ip igmp last-member-query-interval
● Adjust the amount of time the querier waits, for the initial query response, before sending the next IPv6 query.
  INTERFACE mode
  ipv6 mld last-member-query-interval

Enabling IGMP Immediate-Leave
If the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robustness value). Then, after no response, it removes the group from the outgoing interface for the subnet.
  ip igmp snooping enable
● View the configuration.
  CONFIGURATION mode
  show running-config
● Disable snooping on a VLAN.
  ip igmp snooping mrouter
● View the ports that are connected to multicast routers.
  EXEC Privilege mode.
  show ip igmp snooping mrouter

Configuring the Switch as Querier
To configure the switch as a querier, use the following command. Hosts that do not support unsolicited reporting wait for a general query before sending a membership report. When the multicast source and receivers are in the same VLAN, multicast traffic is not routed and so there is no querier.
Transit traffic (destination IP not configured in the switch) received on a front-end port with a destination on the management port is dropped; transit traffic received on the management port with a destination on a front-end port is also dropped. Switch-destined traffic (destination IP configured in the switch) is handled as follows:
● Traffic received on a front-end port with a destination IP equal to the management port IP address or the management port subnet broadcast address is dropped.
If you configure a source interface for any EIS management application, EIS might not coexist with that interface and the behavior is undefined in such a case. You can configure the source interface for the following applications: FTP, ICMP (ping and traceroute utilities), NTP, RADIUS, TACACS, Telnet, TFTP, syslog, and SNMP traps. Of these applications, EIS can coexist with only syslog and SNMP traps, because these applications do not require a response after a packet is sent.
Handling of Management Route Configuration
When the EIS feature is enabled, the following processing occurs:
● All existing management routes (connected, static and default) are duplicated and added to the management EIS routing table.
● Any management static route newly added using the management route CLI is installed to both the management EIS routing table and default routing table.
● Because fallback support is removed, if the management port is down or the route lookup in the EIS table fails, packets are dropped. Therefore, switch-initiated traffic sessions that previously worked via fallback may not work now.

Handling of Switch-Destined Traffic
● The switch processes all traffic received on the management port destined to the management port IP address or on the front-end port destined to the front-end IP address.
Table 38. Mapping of Management Applications and Traffic Type
Traffic type / Application type  Switch initiated traffic  Switch-destined traffic  Transit Traffic
EIS Management Application       Management is the preferred egress port selected based on route lookup in EIS table. If the management port is down or the route lookup fails, packets are dropped.
EIS Behavior for ICMP: ICMP packets do not have TCP/UDP ports. To do an EIS route lookup for ICMP-based applications (ping and traceroute) using the source ip option, specify the management port IP address as the source IP address. If the management port is down or the route lookup fails, packets are dropped.
Default Behavior: Route lookup is done in the default routing table and the appropriate egress port is selected.
Table 39.
Table 40. Behavior of Various Applications for Switch-Destined Traffic (continued)
Protocol                    Behavior when EIS is Enabled  Behavior when EIS is Disabled
ssh                         EIS Behavior                  Default Behavior
Snmp (snmp mib response)    EIS Behavior                  Default Behavior
telnet                      EIS Behavior                  Default Behavior
icmp (ping and traceroute)  EIS Behavior for ICMP         Default Behavior

Interworking of EIS With Various Applications
Stacking
● The management EIS is enabled on the master and the standby unit.
21 Interfaces
This chapter describes interface types, both physical and logical, and how to configure them with Dell EMC Networking Operating System (OS). The system supports 10 Gigabit Ethernet and 40 Gigabit Ethernet interfaces.
NOTE: Only Dell-qualified optics are supported on these interfaces. Non-Dell 40G optics are set to error-disabled state.
• Defining Interface Range Macros
• Monitoring and Maintaining Interfaces
• Configuring wavelength for 10-Gigabit SFP+ optics
• Link Dampening
• Link Bundle Monitoring
• Using Ethernet Pause Frames for Flow Control
• Configure the MTU Size on an Interface
• Port-Pipes
• Auto-Negotiation on Ethernet Interfaces
• View Advanced Interface Information
• Configuring the Traffic Sampling Size Globally
• Dynamic Counters
• Compressing Configuration Files

Interface Types
The following table describes different int
Hardware is Force10Eth, address is 00:01:e8:05:f3:6a
    Current address is 00:01:e8:05:f3:6a
Pluggable media present, XFP type is 10GBASE-LR.
    Medium is MultiRate, Wavelength is 1310nm
    XFP receive power reading is -3.7685
Interface index is 67436603
Internet address is 65.113.24.
Resetting an Interface to its Factory Default State
You can reset the configurations applied on an interface to its factory default state. To reset the configuration, perform the following steps:
1. View the configurations applied on an interface.
   INTERFACE mode
   show config
   DellEMC(conf-if-te-1/5)#show config
   !
   interface TenGigabitEthernet 1/5
    no ip address
    portmode hybrid
    switchport
    rate-interval 8
    mac learning-limit 10 no-station-move
    no shutdown
2. Reset an interface to its factory default state.
View EEE Information
To view the details of Energy Efficient Ethernet (EEE), use the following show commands. You have several options for viewing the details of EEE on interfaces.
● List all the interfaces.
  EXEC mode
  EXEC PRIVILEGE mode
  show interfaces
  This command displays the status of each interface with various details, including whether EEE is enabled on the interface.
● List the status of EEE on all the interfaces, on a specified port, or on a range of ports.
     0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Time since last interface status change: 3d17h51m
The following example shows the status of EEE on a specific interface.
RX - Debug Counter 3
RX - Debug Counter 4
RX - Debug Counter 5
RX - Debug Counter 6
RX - Debug Counter 7
RX - Debug Counter 8
RX - EEE LPI Event Counter
RX - EEE LPI Duration Counter
TX - 64 Byte Frame Counter
TX - 65 to 127 Byte Frame Counter
TX - 128 to 255 Byte Frame Counter
TX - 256 to 511 Byte Frame Counter
TX - 512 to 1023 Byte Frame Counter
TX - 1024 to 1518 Byte Frame Counter
TX - 1519 to 1522 Byte Good VLAN Frame Counter
TX - 1519 to 2047 Byte Frame Counter
TX - 2048 to 4095 Byte Frame Counter
TX -
[RX/TX counter table; the direction labels were separated from the counter names by extraction. Counter names recoverable from this span:]
1519 to 1522 Byte Good VLAN Frame Counter
1519 to 2047 Byte Frame Counter
2048 to 4095 Byte Frame Counter
4096 to 9216 Byte Frame Counter
Good Packet Counter
Packet/Frame Counter
Unicast Frame Counter
Multicast Frame Counter
Broadcast Frame Counter
Byte Counter
Control Frame Counter
Pause
TX - Debug Counter 1           0
TX - Debug Counter 2           0
TX - Debug Counter 3           0
TX - Debug Counter 4           0
TX - Debug Counter 5           0
TX - Debug Counter 6           0
TX - Debug Counter 7           0
TX - Debug Counter 8           0
TX - Debug Counter 9           0
TX - Debug Counter 10          0
TX - Debug Counter 11          0
TX - EEE LPI Event Counter     0
TX - EEE LPI Duration Counter  0
Physical Interfaces
The Management Ethernet interface is a single RJ-45 Fast Ethernet port on a switch. The interface provides dedicated management access to the system. Stack-unit interfaces support Layer 2 and Layer 3 traffic over the 10-Gigabit and 40-Gigabit Ethernet interfaces. These interfaces can also become part of virtual interfaces such as virtual local area networks (VLANs) or port channels. For more information about VLANs, refer to Bulk Configuration.
● Enable Layer 2 data transmissions through an individual interface.
INTERFACE mode
switchport
DellEMC(conf-if)#show config
!
interface Port-channel 1
 no ip address
 switchport
 no shutdown
DellEMC(conf-if)#
Configuring Layer 2 (Interface) Mode
To configure an interface in Layer 2 mode, use the following commands.
● Enable the interface.
INTERFACE mode
no shutdown
● Place the interface in Layer 2 (switching) mode.
Configuring Layer 3 (Interface) Mode
To assign an IP address, use the following commands.
● Enable the interface.
INTERFACE mode
no shutdown
● Configure a primary IP address and mask on the interface.
INTERFACE mode
ip address ip-address mask [secondary]
The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx). Add the keyword secondary if the IP address is the interface's backup IP address. You can only configure one primary IP address per interface.
To enable and configure EIS, use the following commands:
1. Enter EIS mode.
CONFIGURATION mode
management egress-interface-selection
2. Configure which applications use EIS.
Virtual-IP IPv6 address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 1000 Mbit, Mode full duplex
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:06:14
Queueing strategy: fifo
Input 791 packets, 62913 bytes, 775 multicast
Received 0 errors, 0 discarded
Output 21 packets, 3300 bytes, 20 multicast
Output 0 errors, 0 invalid protocol
Time since last interface status change: 00:06:03
If there are two RPMs on the system, configure each Management interface with a diffe
Internet address is 10.11.131.240/23
[output omitted]
DellEMC#show ip route
Codes: C - connected, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated,
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2,
       E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
       IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route
Gateway of last resort is 10.11.
Loopback Interfaces A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Because this interface is not a physical interface, you can configure routing protocols on this interface to provide protocol stability. You can place Loopback interfaces in default Layer 3 mode. To configure, view, or delete a Loopback interface, use the following commands. ● Enter a number as the Loopback interface.
Port Channel Benefits
A port channel interface provides many benefits, including easy management, link redundancy, and load sharing. Port channels are transparent to network configurations and can be modified and managed as one interface. For example, you configure one IP address for the group and that IP address is used for all routed traffic on the port channel. With this feature, you can create larger-capacity interfaces by utilizing a group of lower-speed links.
Configuration Tasks for Port Channel Interfaces To configure a port channel (LAG), use the commands similar to those found in physical interfaces. By default, no port channels are configured in the startup configuration.
INTERFACE PORT-CHANNEL mode
channel-member interface
The interface variable is the physical interface type and slot/port information.
2. Double check that the interface was added to the port channel.
INTERFACE PORT-CHANNEL mode
show config
To view the port channel's status and channel members in a tabular format, use the show interfaces port-channel brief command in EXEC Privilege mode, as shown in the following example.
DellEMC(conf-if)#ip address 10.56.4.4 /24
% Error: Port is part of a LAG Te 1/6.
DellEMC(conf-if)#
Reassigning an Interface to a New Port Channel
An interface can be a member of only one port channel. If the interface is a member of a port channel, remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, Dell EMC Networking OS recalculates the hash algorithm for the port channel.
Adding or Removing a Port Channel from a VLAN
As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command). To add or remove a VLAN port channel and to view VLAN port channel members, use the following commands.
● Add the port channel to the VLAN as a tagged interface.
INTERFACE VLAN mode
tagged port-channel id number
An interface with tagging enabled can belong to multiple VLANs.
Assigning an IP Address to a Port Channel
You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command.
● Configure an IP address and mask on the interface.
INTERFACE mode
ip address ip-address mask [secondary]
○ ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24).
○ secondary: the IP address is the interface's backup IP address.
For more information about algorithm choices, refer to the command details in the IP Routing chapter of the Dell EMC Networking OS Command Reference Guide.
● Change to another algorithm.
CONFIGURATION mode
DellEMC(conf)#hash-algorithm ecmp xor 26 lag crc 26 nh-ecmp checksum 26
DellEMC(conf)#
The hash-algorithm command is specific to the ECMP group. The default ECMP hash configuration is crc-lower. This command takes the lower 32 bits of the hash key to compute the egress port.
Bulk Configuration Examples
Use the interface range command for bulk configuration.
● Create a Single-Range
● Create a Multiple-Range
● Exclude Duplicate Entries
● Exclude a Smaller Port Range
● Overlap Port Ranges
● Commas
● Add Ranges
Create a Single-Range
The following is an example of a single range.
Overlap Port Ranges
The following example shows how the interface-range prompt handles overlapping port ranges: it extends the port range from the smallest start port number to the largest end port number.
The following example shows how to change to the interface-range configuration mode using the interface-range macro named "test."
DellEMC(config)# interface range macro test
DellEMC(config-if)#
Monitoring and Maintaining Interfaces
Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, and so on. To view the interface's statistics, use the following command.
Maintenance Using TDR The time domain reflectometer (TDR) is supported on all Dell EMC Networking switches. TDR is an assistance tool to resolve link issues that helps detect obvious open or short conditions within any of the four copper pairs. TDR sends a signal onto the physical cable and examines the reflection of the signal that returns. By examining the reflection, TDR is able to indicate whether there is a cable fault (when the cable is broken, becomes unterminated, or if a transceiver is unplugged).
● suppress-threshold: The suppress threshold is the value that triggers a flapping interface to be dampened. The system adds a penalty each time the interface state goes up and down. When the accumulated penalty reaches the default or configured suppress threshold, the interface state changes to Error-Disabled. The range of the suppress threshold is from 1 to 20000. The default is 2500.
● half-life: The accumulated penalty decays exponentially based on the half-life period.
Figure 51. Interface State Change
Consider an interface that flaps periodically, as shown in Figure 51. Every time the interface goes down, a penalty of 1024 is added. During the first flap (flap 1), the accumulated penalty becomes 1024, and it then decays exponentially according to the configured half-life, which is 10 seconds in this example. During the second flap (flap 2), another penalty of 1024 is added to whatever penalty remains.
Enabling Link Dampening
To enable link dampening, use the following command.
● Enable link dampening.
INTERFACE mode
dampening
To view the link dampening configuration on an interface, use the show config command.
R1(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 ip address 10.10.19.1/24
 dampening 1 2 3 4
 no shutdown
To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
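The penalty model described above, written out as an added Python example (this is not Dell EMC Networking OS code). It uses the values the guide gives, a penalty of 1024 per down transition, a default suppress threshold of 2500 and a half-life of 10 seconds, and lets you replay a flap timeline to see when an interface would be error-disabled. The reuse threshold at which a suppressed interface is released, and the reading of the four numeric arguments of the dampening command, are assumptions of this example.

```python
"""Link-dampening penalty model.

Added example, not Dell EMC Networking OS code. Each down transition adds a
fixed penalty, the accumulated penalty decays exponentially with the configured
half-life, and the interface is suppressed (error-disabled) once the penalty
reaches the suppress threshold. Penalty (1024), default suppress threshold
(2500) and half-life come from the guide; the reuse threshold is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

FLAP_PENALTY = 1024  # penalty added per down transition (value from the guide)


@dataclass
class Dampening:
    half_life: float = 10.0          # seconds; the penalty halves every half_life
    reuse_threshold: int = 750       # assumed: release once the penalty decays below this
    suppress_threshold: int = 2500   # default suppress threshold from the guide
    penalty: float = 0.0
    last_update: float = 0.0
    suppressed: bool = False
    events: List[Tuple[float, str]] = field(default_factory=list)

    def _decay_to(self, now: float) -> None:
        """Apply exponential decay for the time elapsed since the last update."""
        elapsed = now - self.last_update
        if elapsed > 0:
            self.penalty *= 0.5 ** (elapsed / self.half_life)
            self.last_update = now
        # A suppressed interface is released once the penalty falls below reuse.
        if self.suppressed and self.penalty < self.reuse_threshold:
            self.suppressed = False
            self.events.append((now, "reuse"))

    def link_down(self, now: float) -> bool:
        """Record a down transition at time `now`; return True if the interface is now suppressed."""
        self._decay_to(now)
        self.penalty += FLAP_PENALTY
        if not self.suppressed and self.penalty >= self.suppress_threshold:
            self.suppressed = True
            self.events.append((now, "suppress"))
        return self.suppressed

    def state_at(self, now: float) -> Tuple[float, bool]:
        """Penalty (rounded) and suppression state at time `now` with no further flaps."""
        self._decay_to(now)
        return round(self.penalty, 1), self.suppressed


def simulate(flap_times, **cfg) -> Dampening:
    """Replay a list of down-transition times through one Dampening instance."""
    d = Dampening(**cfg)
    for t in flap_times:
        d.link_down(t)
    return d


if __name__ == "__main__":
    # Constructed flap timeline: one down transition every 5 seconds.
    d = simulate([0, 5, 10, 15], half_life=10.0)
    for t, ev in d.events:
        print(f"t={t:>5}s  {ev}")
    print("penalty after last flap:", round(d.penalty))
    print("state 20 s later:", d.state_at(35))
```

With the default threshold and a 10 second half-life, a flap every 10 seconds converges on a penalty of 2048 and is never suppressed, while a flap every 5 seconds crosses 2500 on the fourth transition. That is the kind of check to run before choosing the half-life and suppress threshold for a link whose flap pattern you have already seen in the logs.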
Configure MTU Size on an Interface
In Dell EMC Networking OS, Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload). The following table lists the range for each transmission media.
Transmission Media: Ethernet
MTU Range (in bytes): 594-12000 = link MTU; 576-9234 = IP MTU
Link Bundle Monitoring
Monitoring linked LAG bundles allows traffic distribution amounts in a link to be monitored for unfair distribution at any given time.
The PAUSE frame is defined by IEEE 802.3x and uses MAC Control frames to carry the PAUSE commands. Ethernet pause frames are supported on full duplex only. If a port is over-subscribed, Ethernet Pause Frame flow control does not ensure no-loss behavior.
Restriction: Ethernet Pause Frame flow control is not supported if PFC is enabled on an interface.
Control how the system responds to and generates 802.3x pause frames on Ethernet interfaces. The default is rx off tx off.
INTERFACE mode
Table 43. Layer 2 Overhead
Layer 2 Overhead: Difference Between Link MTU and IP MTU
Ethernet (untagged): 18 bytes
VLAN Tag: 22 bytes
Untagged Packet with VLAN-Stack Header: 22 bytes
Tagged Packet with VLAN-Stack Header: 26 bytes
Link MTU and IP MTU considerations for port channels and VLANs are as follows.
Port Channels:
● All members must have the same link MTU value and the same IP MTU value.
show interfaces [interface | stack-unit stack-unit-number] status
2. Determine the remote interface status.
EXEC mode or EXEC Privilege mode
[Use the command on the remote system that is equivalent to the first command.]
3. Access CONFIGURATION mode.
EXEC Privilege mode
config
4. Access the port.
CONFIGURATION mode
interface interface-type
5. Set the local port speed.
duplex full
no shutdown
Set Auto-Negotiation Options
The negotiation auto command provides a mode option for configuring an individual port as forced master or forced slave once auto-negotiation is enabled.
CAUTION: Ensure that only one end of the link is configured as forced-master and the other as forced-slave. If both ends are configured the same (that is, both as forced-master or both as forced-slave), the show interface output flaps between the auto-neg-error and forced-master/slave states.
DellEMC#show ip interface stack-unit 1 configured
DellEMC#show ip interface tengigabitEthernet 1 configured
DellEMC#show ip interface br configured
DellEMC#show ip interface br stack-unit 1 configured
DellEMC#show ip interface br tengigabitEthernet 1 configured
DellEMC#show running-config interfaces configured
DellEMC#show running-config interface tengigabitEthernet 1 configured
In EXEC mode, the show interfaces switchport command displays only interfaces in Layer 2 mode and their relevant configuration i
0 CRC, 0 IP Checksum, 0 overrun, 0 discarded
0 packets output, 0 bytes, 0 underruns
Output 0 Multicasts, 0 Broadcasts, 0 Unicasts
0 IP Packets, 0 Vlans, 0 MPLS
0 throttles, 0 discarded
Rate info (interval 100 seconds):
Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Output 00.00 Mbits/sec, 0 packets/sec, 0.
DellEMC#show int po 20
Port-channel 20 is up, line protocol is up
Hardware address is 4c:76:25:f4:ab:02, Current address is 4c:76:25:f4:ab:02
Interface index is 1258301440
Minimum number of links to bring Port-channel up is 1
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :4c7625f4ab02
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 80000 Mbit
Members in this channel: Fo 1/1/7/1(U) Fo 1/1/8/1(U)
ARP type: ARPA, ARP Timeout 04:00:00
Queueing strategy: fifo
Input Statistics: 139
EXEC Privilege mode
clear counters [interface] [vrrp [vrid] | learning-limit]
(OPTIONAL) Enter the following interface keywords and slot/port or number information:
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
○ For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
Table 44. Standard and Compressed Configurations Uncompressed Compressed ! ! interface TenGigabitEthernet 1/3 interface TenGigabitEthernet 1/34 no ip address ip address 2.1.1.
Table 44. Standard and Compressed Configurations (continued)
Uncompressed | Compressed
ip address 1.1.1.1/16
no shutdown
Uncompressed config size: 52 lines
write memory compressed
The write memory compressed command writes the operating configuration to the startup-config file in compressed mode. In a stacking scenario, it also syncs the compressed file to all standby and member units.
22 Internet Protocol Security (IPSec)
Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel.
● Transport mode (default): encrypts only the payload of the packet. Routing information is unchanged.
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
3. Apply the crypto policy to management traffic.
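Before applying a crypto policy to management traffic it is worth confirming which flows it actually selects. The following is an added Python example, not Dell EMC Networking OS code: it parses match entries in the format printed above (match, sequence, protocol, source address and prefix length, source port, destination address and prefix length, destination port, with port 0 meaning any port) and reports the first entry that selects a given flow. The interpretation of the fields and the first-match evaluation order are assumptions of this example.

```python
"""Evaluate crypto-policy `match` entries against candidate management flows.

Added example, not Dell EMC Networking OS code. Port 0 is read as "any port";
entries are evaluated in ascending sequence order (both assumptions).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed copy of the match entries shown in the guide.
POLICY_TEXT = """
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
"""


@dataclass(frozen=True)
class MatchEntry:
    seq: int
    proto: str
    src: Network
    sport: int   # 0 = any
    dst: Network
    dport: int   # 0 = any

    def selects(self, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
        """True if this entry covers the flow. Address containment across IP
        versions is False, so an IPv4 flow never matches an IPv6 entry."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return (self.proto == proto.lower()
                and s in self.src and d in self.dst
                and self.sport in (0, sport)
                and self.dport in (0, dport))


def parse_policy(text: str) -> List[MatchEntry]:
    """Parse `match <seq> <proto> <src> /<len> <sport> <dst> /<len> <dport>` lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 9 or parts[0] != "match":
            continue  # blank line or not a match entry
        _, seq, proto, src, slen, sport, dst, dlen, dport = parts
        entries.append(MatchEntry(
            seq=int(seq), proto=proto.lower(),
            src=ipaddress.ip_network(src + slen, strict=False), sport=int(sport),
            dst=ipaddress.ip_network(dst + dlen, strict=False), dport=int(dport)))
    return sorted(entries, key=lambda e: e.seq)


def first_match(policy: List[MatchEntry], proto, src, sport, dst, dport) -> Optional[int]:
    """Sequence number of the lowest entry selecting the flow, or None."""
    for e in policy:
        if e.selects(proto, src, sport, dst, dport):
            return e.seq
    return None


def unprotected(policy: List[MatchEntry], flows):
    """Flows that no entry selects; these would be sent without IPSec."""
    return [f for f in flows if first_match(policy, *f) is None]


if __name__ == "__main__":
    pol = parse_policy(POLICY_TEXT)
    probes = [("tcp", "a::1", 40001, "a::2", 23),      # Telnet over IPv6
              ("tcp", "1.1.1.1", 40002, "1.1.1.2", 21),  # FTP control over IPv4
              ("tcp", "a::1", 40003, "a::2", 22)]       # SSH: not in the policy
    for f in probes:
        print(f, "->", first_match(pol, *f))
    print("unprotected:", unprotected(pol, probes))
```

The policy above selects Telnet (23) and FTP control (21) in both directions between the two address pairs and nothing else; a flow to port 22 returns None. Run the check with every management protocol you actually use before applying the policy, so that nothing you expected to be protected is silently sent in the clear.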
23 IPv4 Routing The Dell EMC Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell EMC Networking OS.
IP Addresses
Dell EMC Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which aggregates several networks into one larger prefix, is also supported. To subnet, you add a mask to the IP address to separate the network and host portions of the IP address.
no shutdown
3. Configure a primary IP address and mask on the interface.
INTERFACE mode
ip address ip-address mask [secondary]
● ip-address mask: the IP address must be in dotted decimal format (A.B.C.D). The mask must be in slash prefix-length format (/24).
● secondary: add the keyword secondary if the IP address is the interface's backup IP address. You can configure up to eight secondary IP addresses.
S 6.1.2.6/32 via 6.1.20.2,
S 6.1.2.7/32 via 6.1.20.2,
S 6.1.2.8/32 via 6.1.20.2,
S 6.1.2.9/32 via 6.1.20.2,
S 6.1.2.10/32 via 6.1.20.2,
S 6.1.2.11/32 via 6.1.20.2,
S 6.1.2.12/32 via 6.1.20.2,
S 6.1.2.13/32 via 6.1.20.2,
S 6.1.2.14/32 via 6.1.20.2,
S 6.1.2.15/32 via 6.1.20.2,
S 6.1.2.16/32 via 6.1.20.2,
S 6.1.2.17/32 via 6.1.20.
S 11.1.1.0/24 Direct, Lo 0
--More--
Configure Static Routes for the Management Interface When an IP address that a protocol uses and a static management route exists for the same prefix, the protocol route takes precedence over the static management route. To configure a static route for the management port, use the following command. ● Assign a static route to point to the management interface or forwarding router.
Using the Configured Source IP Address in ICMP Messages ICMP error or unreachable messages are now sent with the configured IP address of the source interface instead of the front-end port IP address as the source IP address. Enable the generation of ICMP unreachable messages through the ip unreachable command in Interface mode. When a ping or traceroute packet from an endpoint or a device arrives at the null 0 interface configured with a static route, it is discarded.
INTERFACE mode
ip directed-broadcast
To view the configuration, use the show config command in INTERFACE mode.
Resolution of Host Names
Domain name service (DNS) maps host names to IP addresses. This feature simplifies commands such as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless you enable the feature, the system resolves only host names entered into the host table with the ip host command.
Specifying the Local System Domain and a List of Domains If you enter a partial domain, Dell EMC Networking OS can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. Dell EMC Networking OS searches the host table first to resolve the partial domain. The host table contains both statically configured and dynamically learnt host and IP addresses.
ARP Dell EMC Networking OS uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network. Over time, Dell EMC Networking OS creates a forwarding table mapping the MAC addresses to their corresponding IP address. This table is called the ARP Cache and dynamically learned addresses are removed after a defined period of time.
Enabling Proxy ARP
By default, Proxy ARP is enabled. To disable Proxy ARP, use the no ip proxy-arp command in INTERFACE mode. To re-enable Proxy ARP, use the following command.
● Re-enable Proxy ARP.
INTERFACE mode
ip proxy-arp
To view whether Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. Because show config displays only non-default information, Proxy ARP is enabled if it is not listed in the output.
ARP Learning via ARP Request In Dell EMC Networking OS versions prior to 8.3.1.0, Dell EMC Networking OS learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped. If there is an existing entry for the requesting host, it is updated. Figure 52.
The default is 5. The range is from 1 to 20.
● Set the exponential timer for resending unresolved ARPs.
CONFIGURATION mode
arp backoff-time
The default is 30. The range is from 1 to 3600.
● Display all ARP entries learned via gratuitous ARP.
EXEC Privilege mode
show arp retries
ICMP
For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply).
Figure 54. ICMP Redirect Host H is connected to the same Ethernet segment as SW1 and SW2. SW1 and SW2 are multi-layer switches which can route packets. The default gateway of Host H is configured as SW1. Although the best route to the remote branch office host may be through SW2, Host H sends a packet destined for Host R to its default gateway — SW1.
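The decision SW1 makes in the scenario above, as an added Python example (not Dell EMC Networking OS code): a packet from Host H arrives at its default gateway, the gateway looks up the destination, and if the best next hop is on the same segment the packet arrived on, it forwards the packet and tells H to use that next hop directly. The interfaces, addresses and routing table are constructed for the example; the conditions checked are the RFC 1812 ones for sending a redirect, not a description of the switch's implementation.

```python
"""When does a router send an ICMP Redirect?

Added example, not Dell EMC Networking OS code. Models Figure 54: H, SW1 and
SW2 share one segment; SW2 is the better path to R's network; H uses SW1 as
its default gateway. Topology and addresses are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Interface:
    name: str
    network: ipaddress.IPv4Network      # subnet configured on the interface


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None for a directly connected prefix
    interface: str


def lookup(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match over the routing table."""
    candidates = [r for r in routes if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def redirect_target(ifaces: List[Interface], routes: List[Route],
                    ingress: str, src, dst) -> Optional[ipaddress.IPv4Address]:
    """Gateway to advertise in an ICMP Redirect, or None when no redirect is due.

    RFC 1812 section 5.2.7.2: the packet is forwarded out of the interface it
    arrived on, the source is on that interface's subnet, and the next hop is on
    the same subnet, so the source could have reached it directly.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    route = lookup(routes, dst)
    if route is None or route.interface != ingress:
        return None
    ingress_if = next(i for i in ifaces if i.name == ingress)
    # Connected prefix: the destination host itself is the next hop.
    gw = route.next_hop if route.next_hop is not None else dst
    if src in ingress_if.network and gw in ingress_if.network and gw != src:
        return gw
    return None


# Constructed topology: H (192.0.2.10), SW1 (192.0.2.1, interface Vlan 10) and
# SW2 (192.0.2.2) share 192.0.2.0/24; Host R lives in 203.0.113.0/24 behind SW2.
IFACES = [Interface("Vlan 10", ipaddress.ip_network("192.0.2.0/24")),
          Interface("Te 1/1", ipaddress.ip_network("198.51.100.0/30"))]
ROUTES = [Route(ipaddress.ip_network("192.0.2.0/24"), None, "Vlan 10"),
          Route(ipaddress.ip_network("198.51.100.0/30"), None, "Te 1/1"),
          Route(ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_address("192.0.2.2"), "Vlan 10"),
          Route(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("198.51.100.2"), "Te 1/1")]

if __name__ == "__main__":
    print("H -> R: redirect to", redirect_target(IFACES, ROUTES, "Vlan 10", "192.0.2.10", "203.0.113.7"))
    print("H -> Internet: redirect to", redirect_target(IFACES, ROUTES, "Vlan 10", "192.0.2.10", "8.8.8.8"))
```

For H to R the function returns 192.0.2.2, so SW1 forwards the packet and redirects H to SW2; for an Internet destination the best route leaves through Te 1/1, so no redirect is sent. Because a host that honours redirects lets any node on its segment that can spoof the gateway rewrite its forwarding decisions, many operators disable redirect generation and acceptance on segments with untrusted hosts.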
○ UDP broadcast traffic with port number 67 or 68 is unicast to the dynamic host configuration protocol (DHCP) server per the ip helper-address configuration, whether or not the UDP port list contains those ports.
○ If the UDP port list contains ports 67 or 68, UDP broadcast traffic is forwarded on those ports.
Enabling UDP Helper
To enable UDP helper, use the following command.
● Enable UDP helper.
Configurations Using UDP Helper When you enable UDP helper and the destination IP address of an incoming packet is a broadcast address, Dell EMC Networking OS suppresses the destination address of the packet. The following sections describe various configurations that employ UDP helper to direct broadcasts.
Packet 2 is sent from the host on VLAN 101. It has a broadcast MAC address and a destination IP address of 1.1.1.255. In this case, it is flooded on VLAN 101 in its original condition because the forwarding process is Layer 2.
Figure 56. UDP Helper with Subnet Broadcast Addresses
UDP Helper with Configured Broadcast Addresses
Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces.
Troubleshooting UDP Helper
To display debugging information for troubleshooting, use the debug ip udp-helper command.
Example of the debug ip udp-helper Command
DellEMC(conf)# debug ip udp-helper
01:20:22: Pkt rcvd on Te 5/1 with IP DA (0xffffffff) will be sent on Te 5/2 Te 5/3 Vlan 3
01:44:54: Pkt rcvd on Te 7/1 is handed over for DHCP processing.
When using the IP helper and UDP helper on the same interface, use the debug ip dhcp command.
Example Output from the debug ip dhcp Command
Packet 0.0.0.
24 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell EMC Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
● Duplicate Address Detection (DAD): Before configuring its IPv6 address, an IPv6 host node device checks whether that address is used anywhere on the network using this mechanism.
● Prefix Renumbering: Useful in transparent renumbering of hosts in the network when an organization changes its service provider.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses from dynamic host configuration protocol (DHCP) servers via stateful auto-configuration.
Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities. Routers understand the priority settings and handle them appropriately during conditions of congestion.
Hop Limit (8 bits) The Hop Limit field shows the number of hops remaining for packet processing. The equivalent IPv4 field is Time to Live (TTL), which is nominally defined in seconds although routers in practice decrement it by one per hop. Each time the packet moves through a forwarding router, this field decrements by 1. If a router receives a packet with a Hop Limit of 1, it decrements it to 0 (zero), discards the packet, and sends an ICMPv6 Time Exceeded message back to the packet's source indicating that the Hop Limit was exceeded in transit.
11: Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet's Source IP Address only if the Destination IP Address is not a multicast address.
The second byte of the option contains the Option Data Length. The third-highest-order bit of the Option Type field specifies whether the option data can change en route to the destination: the value is 1 if it can change and 0 if it cannot change.
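The header layout and option-handling rules described above, as an added Python example that is not Dell EMC Networking OS code: it unpacks the fixed IPv6 header, walks a Hop-by-Hop Options header, derives the action for an unrecognised option from the two high-order bits of its Option Type and the mutability from the third-highest bit, and applies the Hop Limit rule. The two packets it decodes are constructed for the example.

```python
"""Decode an IPv6 fixed header and its Hop-by-Hop options.

Added example; this is not Dell EMC Networking OS code. Implements the field
layout and the unrecognised-option rules described above: the two high-order
bits of the Option Type select the action (00 skip, 01 discard, 10 discard and
send ICMPv6 Parameter Problem code 2, 11 the same but only when the
destination is not multicast); the third-highest bit says whether the option
data may change en route. The packets at the bottom are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple

HOP_BY_HOP = 0          # Next Header value of the Hop-by-Hop Options header
NO_NEXT_HEADER = 59
ACTIONS = {
    0: "skip option, continue processing",
    1: "discard packet",
    2: "discard packet, send ICMPv6 Parameter Problem code 2",
    3: "discard packet, send Parameter Problem code 2 unless destination is multicast",
}


@dataclass
class IPv6Header:
    version: int
    traffic_class: int
    flow_label: int
    payload_length: int
    next_header: int
    hop_limit: int
    src: str
    dst: str


def parse_header(pkt: bytes) -> IPv6Header:
    """Unpack the 40-byte fixed header; the first 32 bits hold version, class and flow label."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    version = first >> 28
    if version != 6:
        raise ValueError(f"not IPv6: version {version}")
    return IPv6Header(version, (first >> 20) & 0xFF, first & 0xFFFFF, plen, nh, hlim,
                      str(ipaddress.IPv6Address(pkt[8:24])), str(ipaddress.IPv6Address(pkt[24:40])))


def parse_hop_by_hop(ext: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Return (next_header, [(option_type, option_data), ...]); padding options are dropped."""
    nh, ext_len = ext[0], ext[1]
    total = (ext_len + 1) * 8      # Hdr Ext Len counts 8-octet units beyond the first 8
    body, i, opts = ext[2:total], 0, []
    while i < len(body):
        otype = body[i]
        if otype == 0:             # Pad1: a single zero byte with no length field
            i += 1
            continue
        olen = body[i + 1]         # second byte of the option: Option Data Length
        if otype != 1:             # type 1 is PadN; everything else is a real option
            opts.append((otype, bytes(body[i + 2:i + 2 + olen])))
        i += 2 + olen
    return nh, opts


def unrecognised_option_verdict(otype: int, dst) -> dict:
    """Apply the Option Type high-order bits to an option the node does not recognise."""
    action = otype >> 6
    multicast = ipaddress.ip_address(dst).is_multicast
    return {"action": ACTIONS[action],
            "drop": action != 0,
            "send_icmp_pp2": action == 2 or (action == 3 and not multicast),
            "mutable": bool(otype & 0x20)}   # third-highest bit: data may change en route


def forward_hop_limit(hop_limit: int) -> Tuple[int, bool]:
    """Decrement the Hop Limit; True means discard and send ICMPv6 Time Exceeded."""
    return (0, True) if hop_limit <= 1 else (hop_limit - 1, False)


def build_packet(hop_limit: int, dst: str, options: bytes) -> bytes:
    """Construct a packet carrying one Hop-by-Hop header (example only; no payload)."""
    assert len(options) % 8 == 6, "options plus the 2-byte header must fill 8-octet units"
    hbh = bytes([NO_NEXT_HEADER, len(options) // 8]) + options
    first = (6 << 28) | 0xABCDE                       # version 6, class 0, flow label 0xABCDE
    return (struct.pack("!IHBB", first, len(hbh), HOP_BY_HOP, hop_limit)
            + ipaddress.IPv6Address("2001:db8::1").packed
            + ipaddress.IPv6Address(dst).packed + hbh)


# Constructed packets: a Jumbo Payload option (type 0xC2: high bits 11, not mutable)
# and an unknown option 0xBF (high bits 10, mutable) followed by a PadN option.
JUMBO_PKT = build_packet(64, "2001:db8::2", bytes([0xC2, 4, 0x00, 0x10, 0x00, 0x00]))
UNKNOWN_PKT = build_packet(1, "ff02::1", bytes([0xBF, 1, 0x55, 0x01, 0x01, 0x00]))

if __name__ == "__main__":
    for pkt in (JUMBO_PKT, UNKNOWN_PKT):
        hdr = parse_header(pkt)
        nh, opts = parse_hop_by_hop(pkt[40:])
        print(hdr, "next header after HBH:", nh, "forward:", forward_hop_limit(hdr.hop_limit))
        for otype, data in opts:
            print(f"  option 0x{otype:02x} data={data.hex()} ->", unrecognised_option_verdict(otype, hdr.dst))
```

The second packet shows the two rules interacting: its unknown option has action bits 10, so a node that does not implement it drops the packet and answers with a Parameter Problem even though the destination is multicast, and its Hop Limit of 1 means a forwarding router would drop it anyway and send Time Exceeded.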
Implementing IPv6 with Dell EMC Networking OS Dell EMC Networking OS supports both IPv4 and IPv6 and both may be used simultaneously in your system. The following table lists the Dell EMC Networking OS version in which an IPv6 feature became available for each platform. The sections following the table give greater detail about the feature. Table 45.
Table 45. Dell EMC Networking OS versions and supported platforms with IPv6 support (continued)
Columns: Feature and Functionality | Dell EMC Networking OS Release Introduction | Documentation and Chapter Location | S4820T
[continuation of the previous row] | | IPv6 IS-IS in the Dell EMC Networking OS Command Line Reference Guide. |
OSPF for IPv6 (OSPFv3) | 9.1(0.0) | OSPFv3 in the Dell EMC Networking OS Command Line Reference Guide. |
Equal Cost Multipath for IPv6 | 8.3.19 | |
IPv6 Services and Management
Telnet client over IPv6 (outbound Telnet) | 8.3.
Path MTU discovery The size of the packet that can be sent across each hop in the network path without being fragmented is called the path maximum transmission unit (PMTU). The PMTU value might differ for the same route between two devices, mainly over a public network, depending on the network load and speed, and it is not a consistent value. The MTU size can also be different for various types of traffic sent from one host to the same endpoint.
Figure 60. NDP Router Redirect
IPv6 Neighbor Discovery of MTU Packets
You can set the MTU advertised in router advertisement (RA) packets to the hosts on the link without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets only the value advertised in the RA; it does not set the interface MTU. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets if that is what is set with the mtu command.
● invalid host addresses
If you specify this information in the IPv6 RDNSS configuration, a DNS error is displayed.
Example for Configuring an IPv6 Recursive DNS Server
The following example configures an RDNSS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
ff02::1
ff02::2
ff02::1:ff00:12
ff02::1:ff8b:7570
ND MTU is 0
ICMP redirects are not sent
DAD is enabled, number of DAD attempts: 3
ND reachable time is 20120 milliseconds
ND base reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 198 to 600 seconds
ND router advertisements live for 1800 seconds
ND advertised hop limit is 64
IPv6 hop limit for originated packets is 64
ND dns-server ad
You must enter the ipv6acl allocation as a multiple of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd-numbered ranges. The default option sets the CAM Profile as follows:
● L3 ACL (ipv4acl): 6
● L2 ACL (l2acl): 5
● IPv6 L3 ACL (ipv6acl): 0
● L3 QoS (ipv4qos): 1
● L2 QoS (l2qos): 1
To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start), then reload the system for the new settings.
● Allocate space for IPv6 ACLs.
NOTE: After you configure a static IPv6 route (the ipv6 route command) and configure the forwarding router's address (specified in the ipv6 route command) on a neighbor's interface, the IPv6 neighbor does not display in the show ipv6 route command output.
● Set up IPv6 static routes.
CONFIGURATION mode
ipv6 route [vrf vrf-name] prefix interface-type slot/port forwarding-router tag
○ vrf vrf-name: (OPTIONAL) name of the VRF.
Displaying IPv6 Information View specific IPv6 configuration with the following commands. ● List the IPv6 show options.
ND base reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND hop limit is 64
Showing IPv6 Routes
To view the global IPv6 routing information, use the following command.
● Show IPv6 routing information for the specified route type.
EXEC mode
show ipv6 route [vrf vrf-name] type
The following keywords are available:
○ To display information about a network, enter ipv6 address (X:X:X:X::X).
○ To display information about a host, enter hostname.
The following example shows the show ipv6 route static command.
DellEMC#show ipv6 route static
Destination                          Dist/Metric, Gateway, Last Change
-----------------------------------------------------------------------
S 8888:9999:5555:6666:1111:2222::/96 [1/0] via 2222:2222:3333:3333::1, Te 9/1, 00:03:16
S 9999:9999:9999:9999::/64           [1/0] via 8888:9999:5555:6666:1111:2222:3333:4444, 00:03:16
Showing the Running-Configuration for an Interface
To view the configuration for any interface, use the following command.
● To re-enable the ND timer, use the no form of the command:
INTERFACE mode
no ipv6 nd disable-reachable-timer
The following example shows how to disable the ND timer.
DellEMC(conf-if-fo-1/1/1)#ipv6 nd disable-reachable-timer
Configuring IPv6 RA Guard
IPv6 Router Advertisement (RA) guard lets you block or reject unwanted router advertisement messages that arrive at the network device. To configure IPv6 RA guard, perform the following steps:
1.
POLICY LIST CONFIGURATION mode
trusted-port
12. Set the maximum transmission unit (MTU) value.
POLICY LIST CONFIGURATION mode
mtu value
13. Set the advertised reachability time.
POLICY LIST CONFIGURATION mode
reachable-time value
The reachability time range is from 0 to 3,600,000 milliseconds.
14. Set the advertised retransmission time.
POLICY LIST CONFIGURATION mode
retrans-timer value
The retransmission time range is from 100 to 4,294,967,295 milliseconds.
15.
Interfaces : Te 1/1
DellEMC#
Monitoring IPv6 RA Guard
To debug IPv6 RA guard, use the following command.
EXEC Privilege mode
debug ipv6 nd ra-guard [interface slot/port | count value]
The count range is from 1 to 65534. The default is infinity.
For a complete listing of all commands related to IPv6 RA Guard, see the Dell EMC Networking OS Command Line Reference Guide.
25 iSCSI Optimization
This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
NOTE: After a switch is reloaded, power-cycled, or upgraded, the system may display the ACL_AGENT-3ISCSI_OPT_MAX_SESS_LIMIT_REACHED: Monitored iSCSI sessions reached maximum limit log message. This message does not necessarily mean that the maximum number of supported iSCSI sessions has been reached. Also, the number of iSCSI sessions displayed on the system may be any number equal to or less than the maximum.
Application of Quality of Service to iSCSI Traffic Flows You can configure iSCSI CoS mode. This mode controls whether CoS (dot1p priority) queue assignment and/or packet marking is performed on iSCSI traffic. When you enable iSCSI CoS mode, the CoS policy is applied to iSCSI traffic. When you disable iSCSI CoS mode, iSCSI sessions and connections are still detected and displayed in the status tables, but no CoS policy is applied to iSCSI traffic.
Detection and Auto-Configuration for Dell EqualLogic Arrays The iSCSI optimization feature includes auto-provisioning support with the ability to detect directly connected Dell EqualLogic storage arrays and automatically reconfigure the switch to enhance storage traffic flows. The switch uses the link layer discovery protocol (LLDP) to discover Dell EqualLogic devices on the network. LLDP is enabled by default. For more information about LLDP, refer to Link Layer Discovery Protocol (LLDP).
● Additional updates to connections (including aging updates) that are learnt on VLT lag members are synced to the peer. ● When receiving an iSCSI login request on a non-VLT interface followed by a response from a VLT interface, the session is not synced since it is initially learnt on a non-VLT interface through the request packet. ● The peer generates a new connection log that sees the login response packet.
Table 46. iSCSI Optimization Defaults (continued)
Parameter: iSCSI optimization target ports
Default Value: iSCSI well-known ports 3260 and 860 are configured as default (with no IP address or name) but can be removed as any other configured target.
Parameter: iSCSI session monitoring
Default Value: Disabled. The CAM allocation for iSCSI is set to zero (0).
iSCSI Optimization Prerequisites
The following are iSCSI optimization prerequisites.
● iSCSI optimization requires LLDP on the switch.
[no] iscsi target port tcp-port-1 [tcp-port-2...tcp-port-16] [ip-address address]
● tcp-port-n is the TCP port number or a list of TCP port numbers on which the iSCSI target listens for requests. You can configure up to 16 target TCP ports on the switch in one command or in multiple commands. The default is 860, 3260. Separate port numbers with a comma. If multiple IP addresses are mapped to a single TCP port, use the no iscsi target port tcp-port-n command to remove all IP addresses assigned to that TCP port number.
Displaying iSCSI Optimization Information
To display information on iSCSI optimization, use the following show commands.
● Display the currently configured iSCSI settings.
  show iscsi
● Display information on active iSCSI sessions on the switch.
  show iscsi sessions
● Display detailed information on active iSCSI sessions on the switch. To display detailed information on a specific iSCSI session, enter the session's iSCSI ID.
Up Time:00:00:01:28(DD:HH:MM:SS) Time for aging out:00:00:09:34(DD:HH:MM:SS) ISID:806978696102 Initiator Initiator Target Target IP Address TCP Port IP Address TCPPort 10.10.0.53 33432 10.10.0.
26 Intermediate System to Intermediate System
The intermediate system to intermediate system (IS-IS) protocol is a link-state routing protocol that uses a shortest-path-first algorithm. Dell EMC Networking supports both IPv4 and IPv6 versions of IS-IS.
Figure 62. ISO Address Format
Multi-Topology IS-IS
Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router, each with its own database. Use this feature to divide a single physical topology into logical routing domains, each of which can support different routing and security policies. All routers on a LAN or point-to-point link must have at least one supported topology in common when operating in Multi-Topology IS-IS mode.
Graceful Restart Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change. Normally, when an IS-IS router is restarted, temporary disruption of routing occurs due to events in both the restarting router and the neighbors of the restarting router.
● Computes routes to IPv6 destinations. ● Downloads IPv6 routes to the RTM for installing in the FIB. ● Accepts external IPv6 information and advertises this information in the PDUs. The following table lists the default IS-IS values. Table 47.
In IS-IS, neighbors form adjacencies only when they are the same IS type. For example, a Level 1 router never forms an adjacency with a Level 2 router. A Level 1-2 router forms Level 1 adjacencies with a neighboring Level 1 router and Level 2 adjacencies with a neighboring Level 2 router.
NOTE: Enabling IS-IS globally is not enough: you must also enable the IS-IS process on each interface on which IS-IS is to exchange protocol information and form adjacencies.
To configure IS-IS globally, use the following commands.
To view the IS-IS configuration, enter the show isis protocol command in EXEC Privilege mode or the show config command in ROUTER ISIS mode.
DellEMC#show isis protocol
IS-IS Router:
  System Id: EEEE.EEEE.EEEE   IS-Type: level-1-2
  Manual area address(es):
    47.0004.004d.0001
  Routing for area address(es):
    21.2223.2425.2627.2829.3031.3233
    47.0004.004d.
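The System Id and area addresses in the show isis protocol output above are the pieces of the router's Network Entity Title (NET), the value given with the net command. The following is an added example, not code from the Dell guide or from Dell EMC Networking OS, that splits a NET into those pieces as ISO 10589 defines them (last octet NSEL, then a 6-octet system ID, then the area address) and applies two checks an operator wants before bringing up adjacencies: Level 1 neighbors must share an area, and system IDs must be unique. The NETs used are the addresses shown on this page, completed into full NETs for the example.

```python
# Added example, not from the Dell guide: parse an IS-IS Network Entity Title
# (NET, the value given with the net command) into its parts as ISO 10589
# defines them: the last octet is the NSEL (00 on a router), the 6 octets
# before it are the system ID, and everything in front is the area address.
# The addresses used below come from the show isis protocol output on this
# page, completed into full NETs for the example; nothing here talks to a switch.
import re
from typing import Dict, Iterable, List, Union

# AFI octet, then 4-hex-digit groups, then the 2-hex-digit NSEL.
_NET_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:\.[0-9A-Fa-f]{4})+\.[0-9A-Fa-f]{2}$")


def _groups_of_four(octets: bytes) -> str:
    """Render octets as upper-case 4-hex-digit groups, e.g. EEEE.EEEE.EEEE."""
    h = octets.hex().upper()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def parse_net(net: str) -> Dict[str, Union[str, int]]:
    """Split 47.0004.004d.0001.eeee.eeee.eeee.00 into area, system ID and NSEL."""
    if not _NET_RE.match(net):
        raise ValueError(f"malformed NET: {net!r}")
    octets = bytes.fromhex(net.replace(".", ""))
    if not 8 <= len(octets) <= 20:          # 1 to 13 octet area + 6 + 1
        raise ValueError(f"NET must be 8 to 20 octets, got {len(octets)}")
    area, system_id, nsel = octets[:-7], octets[-7:-1], octets[-1]
    afi, rest = area[:1].hex().upper(), area[1:]
    return {
        "area": afi + ("." + _groups_of_four(rest) if rest else ""),
        "system_id": _groups_of_four(system_id),
        "nsel": nsel,
    }


def is_valid_net(net: str) -> bool:
    try:
        parse_net(net)
        return True
    except ValueError:
        return False


def same_area(net_a: str, net_b: str) -> bool:
    """Level 1 adjacencies require a common area address; Level 2 ones do not."""
    return parse_net(net_a)["area"] == parse_net(net_b)["area"]


def duplicate_system_ids(nets: Iterable[str]) -> Dict[str, List[str]]:
    """System IDs must be unique across the IS-IS domain; report any that repeat."""
    seen: Dict[str, List[str]] = {}
    for net in nets:
        seen.setdefault(str(parse_net(net)["system_id"]), []).append(net)
    return {sid: ns for sid, ns in seen.items() if len(ns) > 1}


if __name__ == "__main__":
    for net in ("47.0004.004d.0001.eeee.eeee.eeee.00", "34.0000.0000.AAAA.00"):
        print(net, "->", parse_net(net))
```

The regex alone does not bound the address, so the octet-count check is what rejects an over-long area; keep both if you reuse this for input validation.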
ROUTER ISIS AF IPV6 mode
set-overload-bit
3. Set the minimum interval between SPF calculations.
ROUTER ISIS AF IPV6 mode
spf-interval [level-1 | level-2 | interval] [initial_wait_interval [second_wait_interval]]
Use this command for IPv6 route computation only when you enable multi-topology. In single-topology mode, to apply the interval to both IPv4 and IPv6 route computations, use the spf-interval command in CONFIG ROUTER ISIS mode.
4. Implement a wide metric-style globally.
○ adjacency: the restarting router takes the remaining holding time received from its peers and adjusts its T3 value from it, if you have configured this option.
○ manual: allows you to specify a fixed value that the restarting router should use. The range is from 50 to 120 seconds. The default is 30 seconds.
NOTE: If this timer expires before synchronization has completed, the restarting router sets the overload bit in its LSP.
Changing LSP Attributes
IS-IS routers flood link-state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, the maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary. To change the defaults, use any or all of the following commands.
● Set the interval between LSP generations.
  ROUTER ISIS mode
  lsp-gen-interval [level-1 | level-2] seconds
  ○ seconds: the range is from 0 to 120.
Table 48. Metric Styles
Metric Style        Characteristics                                                               Cost Range Supported on IS-IS Interfaces
narrow              Sends and accepts narrow or old TLVs (Type, Length, Value).                   0 to 63
wide                Sends and accepts wide or new TLVs.                                           0 to 16777215
transition          Sends both wide (new) and narrow (old) TLVs.                                  0 to 63
narrow transition   Sends narrow (old) TLVs and accepts both narrow (old) and wide (new) TLVs.    0 to 63
wide transition     Sends wide (new) TLVs and accepts both narrow (old) and wide (new) TLVs.
isis ipv6 metric default-metric [level-1 | level-2] ○ default-metric: the range is from 0 to 63 for narrow and transition metric styles. The range is from 0 to 16777215 for wide metric styles. The default is 10. The default level is level-1. For more information about this command, refer to Configuring the IS-IS Metric Style. The following table describes the correct value range for the isis metric command.
LSPID            LSP Seq Num   LSP Checksum   LSP Holdtime   ATT/P/OL
B233.00-00       0x00000006    0xC38A         1124           0/0/0
eljefe.00-00 *   0x0000000D    0x51C6         1129           0/0/0
eljefe.01-00 *   0x00000001    0x68DF         1122           0/0/0
eljefe.02-00 *   0x00000001    0x2E7F         1113           0/0/0
Force10.00-00    0x00000004    0xCDA9         1107           0/0/0
DellEMC#
Controlling Routing Updates
To control the source of IS-IS route information, use the following command.
● Disable a specific interface from sending or receiving IS-IS routing information.
○ static: for user-configured routes.
○ bgp: for BGP routes only.
● Deny RTM download for pre-existing redistributed IPv4 routes.
  ROUTER ISIS mode
  distribute-list redistributed-override in
Applying IPv6 Routes
To apply prefix lists to incoming or outgoing IPv6 routes, use the following commands.
NOTE: These commands apply to IPv6 IS-IS only. To apply prefix lists to IPv4 routes, use ROUTER ISIS mode, as shown previously.
● Apply a configured prefix list to all incoming IPv6 IS-IS routes.
Configure the following parameters:
○ level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
○ metric-value: the range is from 0 to 16777215. The default is 0.
○ metric-type: choose either external or internal. The default is internal.
○ map-name: enter the name of a configured route map.
● Include specific OSPF routes in IS-IS.
Configuring Authentication Passwords
You can assign an authentication password for routers in Level 1 and for routers in Level 2. Because Level 1 and Level 2 routers do not communicate with each other, you can assign different passwords for Level 1 routers and for Level 2 routers. However, if you want the routers in a level to communicate with each other, configure them with the same password. A simple text password is carried unencrypted in the IS-IS PDUs: it keeps a misconfigured or stray router from forming an adjacency, but it does not protect the routing domain from anyone who can capture or inject PDUs on the link. To configure a simple text password, use the following commands.
● Configure an authentication password for an area.
Debugging IS-IS
To debug IS-IS processes, use the following commands.
● View all IS-IS information.
  EXEC Privilege mode
  debug isis
● View information on all adjacency-related activity (for example, hello packets that are sent and received).
  EXEC Privilege mode
  debug isis adj-packets [interface]
  To view specific information, enter the following optional parameter:
  ○ interface: enter the interface type and slot/port information to view IS-IS information on that interface only.
Configure Metric Values For any level (Level-1, Level-2, or Level-1-2), the value range possible in the isis metric command in INTERFACE mode changes depending on the metric style. The following describes the correct value range for the isis metric command.
Table 49.
Table 51.
Figure 63. IPv6 IS-IS Sample Topology
The following is a sample configuration for enabling IPv6 IS-IS.
IS-IS Sample Configuration — Congruent Topology
DellEMC(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ip address 24.3.1.1/24
 ipv6 address 24:3::1/76
 ip router isis
 ipv6 router isis
 no shutdown
DellEMC(conf-if-te-3/17)#
DellEMC(conf-router_isis)#show config
!
router isis
 metric-style wide level-1
 metric-style wide level-2
 net 34.0000.0000.AAAA.
IS-IS Sample Configuration — Multi-topology Transition
DellEMC(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
DellEMC(conf-if-te-3/17)#
DellEMC(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
27 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic.
● You can configure link dampening on individual members of a LAG.
LACP Modes
Dell EMC Networking OS provides three modes for configuration of LACP — Off, Active, and Passive.
● Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state.
● Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state.
Creating a LAG
To create a dynamic port channel (LAG), use the following commands. First define the LAG, then its member interfaces.
● Create a dynamic port channel (LAG).
  CONFIGURATION mode
  interface port-channel
● Place the port channel in Layer 2 mode.
  INTERFACE PORT-CHANNEL mode
  switchport
DellEMC(conf)#interface port-channel 32
DellEMC(conf-if-po-32)#no shutdown
DellEMC(conf-if-po-32)#switchport
The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command on the LAG.
NOTE: The 30-second timeout is available for dynamic LAG interfaces only. You can enter the lacp long-timeout command for static LAGs, but it has no effect. To configure LACP long timeout, use the following command. ● Set the LACP timeout value to 30 seconds.
Figure 64. Shared LAG State Tracking To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). Dell EMC Networking OS has the ability to bring LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group.
Figure 65. Configuring Shared LAG State Tracking
The following are shared LAG state tracking console messages:
● 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 1
● 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2
To view the status of a failover group member, use the show interface port-channel command.
LACP Basic Configuration Example The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names. Figure 66. LACP Basic Configuration Example Configure a LAG on ALPHA The following example creates a LAG on ALPHA.
  0 runts, 0 giants, 0 throttles
  0 CRC, 0 overrun, 0 discarded
Output Statistics
  136 packets, 16718 bytes, 0 underruns
  0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts
  0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
  136 Multicasts, 0 Broadcasts, 0 Unicasts
  0 Vlans, 0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
  Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
  Output 00.00 Mbits/sec, 0 packets/sec, 0.
Figure 68.
Figure 69.
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int tengig 3/21
Bravo(conf-if-te-3/21)#no ip address
Bravo(conf-if-te-3/21)#no switchport
Bravo(conf-if-te-3/21)#shutdown
Bravo(conf-if-te-3/21)#port-channel-protocol lacp
Bravo(conf-if-te-3/21-lacp)#port-channel 10 mode active
Bravo(conf-if-te-3/21-lacp)#no shut
Bravo(conf-if-te-3/21)#end
!
interface TenGigabitEthernet 3/21
 no ip address
!
port-ch
Figure 70.
Figure 71.
Figure 72. Inspecting the LAG Status Using the show lacp command
The point-to-point protocol (PPP) is a connection-oriented protocol that provides Layer 2 links over a variety of physical-layer connections. It is supported on both synchronous and asynchronous lines and can operate in half-duplex or full-duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network-layer datagram to be sent over a PPP connection.
28 Layer 2
This chapter describes the Layer 2 features supported on the device.
Topics:
• Manage the MAC Address Table
• MAC Learning Limit
• NIC Teaming
• Configure Redundant Pairs
• Far-End Failure Detection
Manage the MAC Address Table
You can perform the following management tasks in the MAC address table.
Configuring a Static MAC Address
A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command.
● Create a static MAC address entry in the MAC address table.
  CONFIGURATION mode
  mac-address-table static
Displaying the MAC Address Table
To display the MAC address table, use the following command.
● Display the contents of the MAC address table.
Setting the MAC Learning Limit
To set a MAC learning limit on an interface, use the following command.
● Specify the number of MAC addresses that the system can learn on a Layer 2 interface.
  INTERFACE mode
  mac learning-limit address_limit
Three options are available with the mac learning-limit command:
○ dynamic
○ no-station-move
○ station-move
NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations.
mac learning-limit no-station-move
The no-station-move option, also known as “sticky MAC,” provides additional port security by preventing a station move. When you configure this option, the first entry in the table is maintained instead of creating an entry on the new interface. no-station-move is the default behavior. Entries created before you set this option are not affected. To display a list of all interfaces with a MAC learning limit, use the following command.
● Display a list of all of the interfaces configured with a MAC learning limit or with a station-move violation.
  CONFIGURATION mode
  show mac learning-limit violate-action
NOTE: When the MAC learning limit (MLL) is configured as no-station-move, the MLL entries are processed as static entries internally. For static entries, the MAC address is installed in all port-pipes, irrespective of VLAN membership.
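The following is an added example, not code from the Dell guide or from Dell EMC Networking OS: a small model of the mac learning-limit behaviour described above, so that the difference between station-move and no-station-move (sticky MAC) can be exercised offline. It models only what the text states, a per-interface limit and, under no-station-move, the first entry being kept when the same MAC appears on another port. The interface names, the limit of 2 and the frame sequence are constructed for the example; the scenario includes a host on a second port that spoofs an already-learned MAC, which is the case sticky MAC exists to catch.

```python
# Added example, not from the Dell guide: a model of mac learning-limit with
# and without no-station-move. Interface names and frames are constructed;
# the switch's internal behaviour is not modelled beyond what the text states
# (limit per interface; on no-station-move the first entry is kept).
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass
class LearningLimitModel:
    limit: int                          # mac learning-limit address_limit, per interface
    station_move: bool = False          # False = no-station-move (the default, "sticky MAC")
    table: Dict[str, str] = field(default_factory=dict)                    # mac -> interface
    violations: List[Tuple[str, str, str]] = field(default_factory=list)  # (kind, mac, interface)

    def learned_on(self, port: str) -> int:
        """Number of addresses currently learned on one interface."""
        return sum(1 for p in self.table.values() if p == port)

    def see_source_mac(self, mac: str, port: str) -> str:
        """Model one frame with source MAC `mac` arriving on `port`.

        Returns what the model did: refresh, learned, moved,
        station-move-violation or limit-violation.
        """
        mac = mac.lower()
        known = self.table.get(mac)
        if known == port:
            return "refresh"                        # existing entry, nothing to learn
        if known is not None:
            if self.station_move:
                self.table[mac] = port              # the entry follows the station
                return "moved"
            # no-station-move: keep the first entry; the new port does not take it over
            self.violations.append(("station-move", mac, port))
            return "station-move-violation"
        if self.learned_on(port) >= self.limit:
            self.violations.append(("limit", mac, port))
            return "limit-violation"
        self.table[mac] = port
        return "learned"


def replay(model: LearningLimitModel, frames: Iterable[Tuple[str, str]]) -> List[str]:
    """Feed (mac, interface) pairs through the model and collect the outcomes."""
    return [model.see_source_mac(mac, port) for mac, port in frames]


# Constructed scenario: a server on Te 1/1, then a host on Te 1/2 that spoofs
# the server's MAC, then more addresses than the limit allows on Te 1/1.
SCENARIO = [
    ("00:0c:29:aa:bb:01", "Te 1/1"),   # server learned
    ("00:0c:29:aa:bb:01", "Te 1/1"),   # same station again
    ("00:0c:29:aa:bb:01", "Te 1/2"),   # spoofed from another port
    ("00:0c:29:aa:bb:02", "Te 1/1"),   # second address on Te 1/1, within limit 2
    ("00:0c:29:aa:bb:03", "Te 1/1"),   # third address exceeds the limit
]

if __name__ == "__main__":
    sticky = LearningLimitModel(limit=2)
    print("no-station-move:", replay(sticky, SCENARIO))
    movable = LearningLimitModel(limit=2, station_move=True)
    print("station-move:   ", replay(movable, SCENARIO))
```

With station-move enabled the spoofed frame simply moves the entry to Te 1/2 and the server's traffic follows it; with the default no-station-move the entry stays on Te 1/1 and the event is recorded, which is what show mac learning-limit violate-action is for.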
mac port-security
NIC Teaming
NIC teaming is a feature that allows multiple network interface cards in a server to be represented by one MAC address and one IP address, to provide transparent redundancy and load balancing and to fully utilize network adapter resources. The following illustration shows a topology where two NICs have been teamed together. In this case, if the primary NIC fails, traffic switches to the secondary NIC because both are represented by the same set of addresses.
Figure 73.
Figure 74. Configuring the mac-address-table station-move refresh-arp Command Configure Redundant Pairs Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 75. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
As shown in the above illustration, interface 3/42 is a backup interface for 3/41, and 3/42 is in the Down state. If 3/41 fails, 3/42 transitions to the Up state, which makes the backup link active. A message similar to the following appears whenever you configure a backup port.
Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Te 1/2
DellEMC(conf-if-po-1)#
Far-End Failure Detection
Far-end failure detection (FEFD) is a protocol that senses remote data-link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis.
3. When the local interface receives the echoed packet from the remote end, the local interface transitions to the Bi-directional state.
4. If the FEFD-enabled system is configured to use FEFD in Normal mode and neighboring echoes are not received for three intervals (each interval can be set between 3 and 300 seconds), the state changes to Unknown.
5.
fefd-global {interval | mode}
To display information about the state of each interface, use the show fefd command in EXEC Privilege mode.
DellEMC#show fefd
FEFD is globally 'ON', interval is 3 seconds, mode is 'Normal'.
Debugging FEFD
To debug FEFD, use the first command. To provide output for each packet transmission over the FEFD-enabled connection, use the second command.
● Display output whenever events occur that initiate or disrupt an FEFD-enabled connection.
  EXEC Privilege mode
  debug fefd events
● Provide output for each packet transmission over the FEFD-enabled connection.
29 Link Layer Discovery Protocol (LLDP)
This chapter describes how to configure and use the link layer discovery protocol (LLDP).
Topics:
• 802.
TLVs are encapsulated in a frame called an LLDP data unit (LLDPDU), shown in the following table, which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements. LLDPDUs carry no authentication, so an agent accepts whatever a neighbor on the link chooses to advertise. There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs.
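The following is an added example, not code from the Dell guide or from Dell EMC Networking OS, that parses the LLDPDU TLV chain described above: each TLV has a 16-bit header with a 7-bit type and a 9-bit length, the mandatory Chassis ID, Port ID and TTL TLVs come first, type 127 carries a 3-byte OUI and a 1-byte subtype in front of its payload, and the chain ends with the End of LLDPDU TLV. Because the length field arrives unauthenticated from the wire, every length is bounds-checked before it is used. The frame is constructed for the example, modelled on the neighbor output shown later in this chapter (chassis ID subtype 4, port ID subtype 5, TTL 120) plus one IEEE 802.1 Port VLAN ID TLV.

```python
# Added example, not from the Dell guide: a minimal parser for the 802.1AB
# LLDPDU TLV format. The frame below is constructed for the example.
from __future__ import annotations
import struct
from dataclasses import dataclass
from typing import List, Optional

END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL, ORG_SPECIFIC = 0, 1, 2, 3, 127


@dataclass
class Tlv:
    tlv_type: int
    value: bytes                   # payload; for type 127, the part after OUI + subtype
    oui: Optional[bytes] = None    # set only for organizationally specific TLVs
    subtype: Optional[int] = None


def parse_lldpdu(data: bytes) -> List[Tlv]:
    """Walk the TLV chain, bounds-checking every length field.

    The length field is attacker controlled (LLDP has no authentication), so it
    is never trusted to stay inside the buffer.
    """
    tlvs: List[Tlv] = []
    off = 0
    while True:
        if off + 2 > len(data):
            raise ValueError("frame ended without an End of LLDPDU TLV")
        (hdr,) = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if tlv_type == END_OF_LLDPDU:
            if length != 0:
                raise ValueError("End of LLDPDU TLV must have length 0")
            break
        if off + length > len(data):
            raise ValueError(f"TLV type {tlv_type} length {length} runs past the frame")
        value = data[off:off + length]
        off += length
        if tlv_type == ORG_SPECIFIC:
            if length < 4:
                raise ValueError("organizationally specific TLV shorter than OUI + subtype")
            tlvs.append(Tlv(tlv_type, value[4:], oui=value[:3], subtype=value[3]))
        else:
            tlvs.append(Tlv(tlv_type, value))
    # 802.1AB: Chassis ID, Port ID and TTL are mandatory and come first, in that order.
    if [t.tlv_type for t in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("mandatory Chassis ID / Port ID / TTL TLVs missing or out of order")
    if len(tlvs[2].value) != 2 or not tlvs[0].value or not tlvs[1].value:
        raise ValueError("malformed mandatory TLV")
    return tlvs


def is_wellformed(data: bytes) -> bool:
    try:
        parse_lldpdu(data)
        return True
    except ValueError:
        return False


def summarize(tlvs: List[Tlv]) -> dict:
    """Decode the mandatory TLVs the way show lldp neighbors detail prints them."""
    chassis, port, ttl = tlvs[0], tlvs[1], tlvs[2]
    chassis_sub, chassis_val = chassis.value[0], chassis.value[1:]
    chassis_id = (":".join(f"{b:02x}" for b in chassis_val)
                  if chassis_sub == 4 else chassis_val.hex())    # subtype 4 = MAC address
    return {
        "chassis_subtype": chassis_sub,
        "chassis_id": chassis_id,
        "port_subtype": port.value[0],
        "port_id": port.value[1:].decode("ascii", "replace"),
        "ttl": struct.unpack("!H", ttl.value)[0],
        "org_tlvs": [(t.oui.hex("-").upper(), t.subtype, t.value.hex())
                     for t in tlvs if t.tlv_type == ORG_SPECIFIC],
    }


# Constructed LLDPDU: Chassis ID (subtype 4, MAC), Port ID (subtype 5, interface
# name), TTL 120, one IEEE 802.1 TLV (OUI 00-80-C2, subtype 1 = Port VLAN ID,
# VLAN 100), End of LLDPDU.
SAMPLE_LLDPDU = bytes.fromhex(
    "0207" "04" "000000000002"
    + "0418" "05" + b"TenGigabitEthernet 1/40".hex()
    + "0602" "0078"
    + "fe06" "0080c2" "01" "0064"
    + "0000"
)

if __name__ == "__main__":
    for key, val in summarize(parse_lldpdu(SAMPLE_LLDPDU)).items():
        print(f"{key}: {val}")
```

The two rejection paths worth keeping in any real implementation are the oversized length (a 9-bit length can claim up to 511 bytes regardless of the frame size) and a frame that simply stops without the End TLV; both are rejected before any value is read.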
Figure 79. Organizationally Specific TLV
IEEE Organizationally Specific TLVs
Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE 802.1 OUI is 00-80-C2. You can configure the Dell EMC Networking system to advertise any or all of these TLVs.
Table 54. Optional TLV Types
Type   TLV                Description
4      Port description   A user-defined alphanumeric string that describes the port. Dell EMC Networking OS does not currently support this TLV.
Table 54. Optional TLV Types (continued)
Type   TLV                  Description
                            (non-configurable) in the LLDP-MED implementation.
127    Power via MDI        Dell EMC Networking supports the LLDP-MED protocol, which recommends that the Power via MDI TLV not be implemented; Dell EMC Networking therefore implements the Extended Power via MDI TLV only.
127    Link Aggregation     Indicates whether the link is capable of being aggregated, whether it is currently in a LAG, and the port identification of the LAG.
Table 55. TIA-1057 (LLDP-MED) Organizationally Specific TLVs (continued)
Type   SubType   TLV                        Description
127    2         Network Policy             Indicates the application type, VLAN ID, Layer 2 Priority, and DSCP value.
127    3         Location Identification    Indicates the physical location of the device, expressed in one of three possible formats:
                                            ● Coordinate Based LCI
                                            ● Civic Address LCI
                                            ● Emergency Call Services ELIN
127    4         Extended Power via MDI     Indicates power requirements, priority, and power status.
Figure 80. LLDP-MED Capabilities TLV
Table 56. Dell EMC Networking OS LLDP-MED Capabilities
Bit Position   TLV                           Dell EMC Networking OS Support
0              LLDP-MED Capabilities         Yes
1              Network Policy                Yes
2              Location Identification       Yes
3              Extended Power via MDI-PSE    Yes
4              Extended Power via MDI-PD     No
5              Inventory                     No
6–15           reserved                      No
Table 57.
Table 58. Network Policy Applications (continued)
Type   Application       Description
1      Voice             Specify this application type for dedicated IP telephony handsets and other appliances supporting interactive voice services.
2      Voice Signaling   Specify this application type only if voice control packets use a separate network policy from voice data.
Figure 82. Extended Power via MDI TLV
Configure LLDP
Configuring LLDP is a two-step process.
1. Enable LLDP globally.
2. Advertise TLVs out of an interface.
Related Configuration Tasks
● Viewing the LLDP Configuration
● Viewing Information Advertised by Adjacent LLDP Agents
● Configuring LLDPDU Intervals
● Configuring Transmit and Receive Mode
● Configuring a Time to Live
● Debugging LLDP
Important Points to Remember
● LLDP is enabled by default.
  mode        LLDP mode configuration (default = rx and tx)
  multiplier  LLDP multiplier configuration
  no          Negate a command or set its defaults
  show        Show LLDP configuration
DellEMC(conf-lldp)#exit
DellEMC(conf)#interface tengigabitethernet 1/3
DellEMC(conf-if-te-1/3)#protocol lldp
DellEMC(conf-if-te-1/3-lldp)#?
  advertise   Advertise TLVs
  disable     Disable LLDP protocol on this interface
  end         Exit from configuration mode
  exit        Exit from LLDP configuration mode
  hello       LLDP hello configuration
  mode        LLDP mode configuration (def
Include the keyword for each TLV you want to advertise.
● For management TLVs: system-capabilities, system-description.
● For 802.1 TLVs: port-protocol-vlan-id, port-vlan-id, vlan-name.
● For 802.3 TLVs: max-frame-size.
● For TIA-1057 TLVs:
  ○ guest-voice
  ○ guest-voice-signaling
  ○ location-identification
  ○ power-via-mdi
  ○ softphone-voice
  ○ streaming-video
  ○ video-conferencing
  ○ video-signaling
  ○ voice
  ○ voice-signaling
In the following example, LLDP is enabled globally.
!
interface TenGigabitEthernet 1/31
 no ip address
 switchport
 no shutdown
DellEMC(conf-if-te-1/31)#protocol lldp
DellEMC(conf-if-te-1/31-lldp)#show config
!
protocol lldp
DellEMC(conf-if-te-1/31-lldp)#
Viewing Information Advertised by Adjacent LLDP Neighbors
To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands.
● Display brief information about adjacent devices.
(109, 4) (110, 4) (111, 4) (112, 4) (113, 4) (114, 4) (115, 4) (116,
(119, 4) (120, 4) (121, 4) (122, 4) (123, 4) (124, 4) (125, 4) (126,
OrgUnknownTLVList:
---------------------------------------------------------------------------
Remote Chassis ID Subtype: Mac address (4)
Remote Chassis ID: 00:00:00:00:00:02
Remote Port Subtype: Interface name (5)
Remote Port ID: TenGigabitEthernet 1/40
Local Port ID: TenGigabitEthernet 1/1
Locally assigned remote Neighbor Index: 2
Remote TTL: 120
Information valid for nex
4)
---------------------------------------------------------------------------
Configuring LLDPDU Intervals
LLDPDUs are transmitted periodically; the default interval is 30 seconds. To configure LLDPDU intervals, use the following command.
● Configure a non-default transmit interval.
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#mode ?
rx   Rx only
tx   Tx only
R1(conf-lldp)#mode tx
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 mode tx
 no disable
R1(conf-lldp)#no mode
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 adverti
Debugging LLDP
You can view the TLVs that your system is sending and receiving. To view the TLVs, use the following commands.
● View a readable version of the TLVs.
  debug lldp brief
● View a readable version of the TLVs plus a hexadecimal version of the entire LLDPDU, including unrecognized TLVs.
  debug lldp detail
To stop viewing the LLDP TLVs sent and received by the system, use the no debug lldp command.
Figure 84.
Relevant Management Objects Dell EMC Networking OS supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with: ● received and transmitted TLVs ● the LLDP configuration on the local agent ● IEEE 802.1AB Organizationally Specific TLVs ● received and transmitted LLDP-MED TLVs Table 59.
Table 60.
Table 61. LLDP 802.
Table 62.
30 Microsoft Network Load Balancing Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
Limitations of the NLB Feature
The following limitations apply to switches on which you configure NLB:
● NLB Unicast mode uses switch flooding to deliver every packet to all the servers that are members of the VLAN. When a large volume of traffic is processed, clustering performance might be slightly affected. This limitation applies to switches that perform unicast flooding in software.
● The ip vlan-flooding command applies globally across the system and for all VLANs.
There might be some ARP table entries that were resolved from ARP packets whose Ethernet source MAC address differs from the sender MAC address inside the ARP payload. Unicast data traffic flooding occurs only for packets that use these ARP entries.
Enabling a Switch for Multicast NLB
To enable a switch for Multicast NLB mode, perform the following steps:
1.
31 Multicast Source Discovery Protocol (MSDP) Multicast source discovery protocol (MSDP) is supported on Dell EMC Networking OS. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 86.
Implementation Information The Dell EMC Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446. Configure Multicast Source Discovery Protocol Configuring MSDP is a four-step process. 1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures. The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 87.
Figure 88.
Figure 89.
Figure 90. Configuring MSDP
Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1. Enable MSDP.
CONFIGURATION mode
ip multicast-msdp
2. Peer PIM systems in different administrative domains.
CONFIGURATION mode
ip msdp peer connect-source
R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
R3#show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.
EXEC Privilege mode
clear ip msdp sa-cache [group-address | local | rejected-sa]
Enabling the Rejected Source-Active Cache
To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit was reached, the peer RP is unreachable, or the SA message has a format error.
● Cache rejected sources.
Figure 91.
Figure 92.
Figure 93. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. ● Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check. DellEMC(conf)#ip msdp peer 10.0.50.
DellEMC#show ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime     GroupAddr     SourceAddr    RPAddr        LearnedFrom   Reason
00:33:18   229.0.50.64   24.0.50.64    200.0.1.50    10.0.50.2     Rpf-Fail
00:33:18   229.0.50.65   24.0.50.65    200.0.1.50    10.0.50.2     Rpf-Fail
00:33:18   229.0.50.66   24.0.50.66    200.0.1.50    10.0.50.2     Rpf-Fail
Limiting the Source-Active Messages from a Peer
To limit the source-active messages from a peer, use the following commands.
1.
Preventing MSDP from Caching a Remote Source To prevent MSDP from caching a remote source, use the following commands. 1. OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache. CONFIGURATION mode ip msdp cache-rejected-sa 2. Prevent the system from caching remote sources learned from a specific peer based on source and group. CONFIGURATION mode ip msdp sa-filter list out peer list ext-acl As shown in the following example, R1 is advertising source 10.11.4.2.
GroupAddr    SourceAddr   RPAddr         LearnedFrom   Expire   UpTime
239.0.0.1    10.11.4.2    192.168.0.1    local         70       00:27:20
R3(conf)#do show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr    SourceAddr   RPAddr         LearnedFrom   Expire   UpTime
239.0.0.1    10.11.4.2    192.168.0.1    192.168.0.1   1        00:10:29
[Router 3]
R3(conf)#do show ip msdp sa-cache
R3(conf)#
To display the configured SA filters for a peer, use the show ip msdp peer command from EXEC Privilege mode.
clear ip msdp peer peer-address
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.3(639) Connect Source: Lo 0
State: Established Up/Down Time: 00:04:26
Timers: KeepAlive 30 sec, Hold time 75 sec
SourceActive packet count (in/out): 5/0
SAs learned from this peer: 0
SA Filtering:
Input (S,G) filter: myremotefilter
Output (S,G) filter: none
R3(conf)#do clear ip msdp peer 192.168.0.1
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 0.0.0.
1. All the RPs serving a given group are configured with an identical anycast address.
2. Sources then register with the topologically closest RP.
3. RPs use MSDP to peer with each other using a unique address.
Figure 94. MSDP with Anycast RP
Configuring Anycast RP
To configure anycast RP, use the following commands.
1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address.
CONFIGURATION mode
interface loopback
2.
ip msdp peer
5. Advertise the network of each of the unique Loopback addresses throughout the network.
ROUTER OSPF mode
network
Reducing Source-Active Message Flooding
RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active-source information back to the originating RP, which violates the RPF rule. You can prevent this unnecessary flooding by creating a mesh group.
ip msdp peer 192.168.0.22 connect-source Loopback 1
ip msdp mesh-group AS100 192.168.0.22
ip msdp originator-id Loopback 1
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
The following example shows an R2 configuration for MSDP with Anycast RP.
ip multicast-routing
!
interface TenGigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.22 remote-as 100
 neighbor 192.168.0.22 ebgp-multihop 255
 neighbor 192.168.0.22 update-source Loopback 0
 neighbor 192.168.0.22 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.11 connect-source Loopback 0
ip msdp peer 192.168.0.
MSDP Sample Configuration: R2 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface TenGigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.2 remote-as 100
 neighbor 192.168.0.2 ebgp-multihop 255
 neighbor 192.168.0.2 update-source Loopback 0
 neighbor 192.168.0.2 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.1 connect-source Loopback 0
!
ip route 192.168.0.2/32 10.11.0.23
MSDP Sample Configuration: R4 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 4/1
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
!
interface TenGigabitEthernet 4/22
 ip address 10.10.42.
32 Multiple Spanning Tree Protocol (MSTP)
Multiple spanning tree protocol (MSTP), specified in IEEE 802.1Q-2003, is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and lets you map many VLANs to one spanning tree instance, reducing the total number of instances required.
Protocol Overview
MSTP — specified in IEEE 802.
● Modifying Global Parameters
● Modifying the Interface Parameters
● Setting STP path cost as constant
● Configuring an EdgePort
● Flush MAC Addresses after a Topology Change
● MSTP Sample Configurations
● Debugging and Verifying MSTP Configurations
Spanning Tree Variations
The Dell EMC Networking OS supports four variations of spanning tree, as shown in the following table.
Table 63. Spanning Tree Variations
Dell EMC Networking Term: Spanning Tree Protocol (STP); IEEE Specification: 802 .
● Prevent Network Disruptions with BPDU Guard
● Enabling SNMP Traps for Root Elections and Topology Changes
● Configuring Spanning Trees as Hitless
Enable Multiple Spanning Tree Globally
MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode automatically become part of MSTI 0.
● Within an MSTI, only one path from any bridge to any other bridge is enabled.
protocol spanning-tree mstp
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200-300
All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
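The requirement above (identical VLAN-to-instance mapping on every bridge in a region) is enforced on the wire by the MST Configuration Digest: an HMAC-MD5, under a fixed key defined in IEEE 802.1Q, over the 4096-entry VLAN-to-MSTID table, carried in every MST BPDU next to the region name and revision. The following Python example is added here and is not part of this guide or of Dell EMC Networking OS; it computes that digest for a mapping written the way the MSTI lines above are, so you can check offline whether two configurations will land in the same region. It also covers the check described later under Debugging and Verifying MSTP Configurations (region name, revision and VLAN-to-instance mapping must all match). The bridge records BRIDGE_R2 and BRIDGE_R3 are constructed for the example; with every VLAN left in the CIST the function returns the well-known default digest AC36177F50283CD4B83821D8AB26DE62.

```python
import hashlib
import hmac

# Fixed HMAC-MD5 key defined by IEEE 802.1Q for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(spec):
    """Expand a VLAN list as typed in 'MSTI n VLAN ...' ('100', '200-300', '200,300')."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            vlans.update(range(low, high + 1))
        else:
            vlans.add(int(part))
    return vlans


def build_vlan_table(msti_map):
    """Return the 4096-entry VLAN-to-MSTID table (one 16-bit big-endian value per VLAN ID).

    msti_map maps instance number -> VLAN list; any VLAN not listed stays in the CIST (MSTI 0).
    """
    table = [0] * 4096
    for msti, spec in msti_map.items():
        if msti <= 0:
            raise ValueError(f"MSTI {msti} out of range")
        for vlan in parse_vlan_list(spec):
            if not 1 <= vlan <= 4094:
                raise ValueError(f"VLAN {vlan} out of range")
            if table[vlan] != 0:
                raise ValueError(f"VLAN {vlan} mapped to more than one instance")
            table[vlan] = msti
    return b"".join(mstid.to_bytes(2, "big") for mstid in table)


def mst_config_digest(msti_map):
    """HMAC-MD5 of the VLAN table under the IEEE key; this is the digest carried in MST BPDUs."""
    return hmac.new(MST_DIGEST_KEY, build_vlan_table(msti_map), hashlib.md5).hexdigest().upper()


def same_region(bridge_a, bridge_b):
    """Two bridges share an MST region only if name, revision and configuration digest all match."""
    def ident(bridge):
        return (bridge["name"], bridge["revision"], mst_config_digest(bridge["msti"]))
    return ident(bridge_a) == ident(bridge_b)


# Constructed example: the two spellings the guide shows for MSTI 2, '200-300' and '200,300',
# look alike on the CLI but yield different digests, so the bridges end up in separate regions.
BRIDGE_R2 = {"name": "Tahiti", "revision": 123, "msti": {1: "100", 2: "200-300"}}
BRIDGE_R3 = {"name": "Tahiti", "revision": 123, "msti": {1: "100", 2: "200,300"}}

if __name__ == "__main__":
    print("default digest (all VLANs in CIST):", mst_config_digest({}))
    print("R2 digest:", mst_config_digest(BRIDGE_R2["msti"]))
    print("R3 digest:", mst_config_digest(BRIDGE_R3["msti"]))
    print("same region:", same_region(BRIDGE_R2, BRIDGE_R3))
```

Compare the value printed for your intended mapping with the digest the switches report; a bridge whose digest differs forms its own region and the boundary between regions is treated like a link to a non-MSTP bridge.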
To view the bridge priority, use the show config command from PROTOCOL MSTP mode.
R3(conf-mstp)#msti 2 bridge-priority 0
1d2h51m: %RPM0-P:RP2 %SPANMGR-5-STP_ROOT_CHANGE: MSTP root changed for instance 2. My Bridge ID: 0:0001.e809.c24a Old Root: 32768:0001.e806.953e New Root: 0:0001.e809.c24a
R3(conf-mstp)#show config
!
protocol spanning-tree mstp
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
 MSTI 2 bridge-priority 0
Interoperate with Non-Dell Bridges
Dell EMC Networking OS supports only one MSTP region.
● Max-age — the length of time the bridge maintains configuration information before it refreshes that information by recomputing the MST topology.
● Max-hops — the maximum number of hops a BPDU can travel before a receiving switch discards it.
NOTE: Dell EMC Networking recommends that only experienced network administrators change MSTP parameters. Poorly planned modification of MSTP parameters can negatively affect network performance.
Table 64.
Configuring an EdgePort
The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode, an interface forwards frames by default until it receives a BPDU indicating that it should behave otherwise; it does not go through the Listening and Learning states. Because an EdgePort is intended for end hosts, a BPDU arriving on it means that a bridge, possibly an unauthorized one, has been connected. The bpduguard shutdown-on-violation option causes the interface hardware to be shut down when it receives a BPDU.
Figure 96. MSTP with Three VLANs Mapped to Two Spanning Tree Instances
Router 1 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
Router 2 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
! (Step 3)
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
SFTOS Example Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3.
Debugging and Verifying MSTP Configurations
To debug and verify MSTP configuration, use the following commands.
● Display BPDUs.
EXEC Privilege mode
debug spanning-tree mstp bpdu
● Display MSTP-triggered topology change messages.
debug spanning-tree mstp events
To ensure that all the necessary parameters match (region name, region revision, and VLAN-to-instance mapping), examine each router individually. To show various portions of the MSTP configuration, use the show spanning-tree mst commands.
Name: Tahiti, Rev: 123 (MSTP region name and revision), Int Root Path Cost: 0 Rem Hops: 19, Bridge Id: 32768:0001.e8d5.cbbd
4w0d4h : INST 1 (MSTP Instance): Flags: 0x78, Reg Root: 32768:0001.e806.953e, Int Root Cost: 0
Brg/Port Prio: 32768/128, Rem Hops: 19
INST 2 (MSTP Instance): Flags: 0x78, Reg Root: 32768:0001.e806.
33 Multicast Features NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6. NOTE: Multicast routing is supported across default and non-default virtual routing and forwarding (VRFs).
Protocol: Ethernet Address
RIP: 01:00:5e:00:00:09
NTP: 01:00:5e:00:01:01
VRRP: 01:00:5e:00:00:12
PIM-SM: 01:00:5e:00:00:0d
● The Dell EMC Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm.
● Multicast is not supported on secondary IP addresses.
● If you enable multicast routing, egress Layer 3 ACLs are not applied to multicast data traffic.
● Multicast traffic can be forwarded to a maximum of 15 VLANs with the same outgoing interface.
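The Ethernet addresses in the table above follow the RFC 1112 mapping: the low 23 bits of the group address are appended to the 01:00:5e prefix. That drops 5 bits of the IPv4 address, so 32 different groups share each MAC address. The Python example below is added here (it is not code from this guide or from Dell EMC Networking OS) and reproduces the mapping and its inverse. The practical consequence is that any Layer 2 filtering or snooping keyed on the MAC address cannot tell, for example, 224.0.0.9 (RIP) apart from 225.0.0.9, so a host permitted one group receives frames for all 32 aliases at Layer 2. CONTROL_GROUPS is a constructed lookup built from the table above.

```python
import ipaddress

MAC_PREFIX = 0x01005E  # IANA OUI for IPv4 multicast; the bit after it is always 0


def multicast_mac(group):
    """Map an IPv4 multicast group to its Ethernet address (RFC 1112): 01:00:5e + low 23 bits."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    mac = (MAC_PREFIX << 24) | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_aliases(mac):
    """Return the 32 IPv4 groups that share one multicast MAC (the 5 address bits the mapping drops)."""
    value = int(mac.replace(":", "").replace("-", ""), 16)
    if value >> 23 != MAC_PREFIX << 1:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC")
    low23 = value & 0x7FFFFF
    # 224.0.0.0 is 0xE0000000; the dropped bits are bits 23..27 of the address.
    return [str(ipaddress.IPv4Address(0xE0000000 | (dropped << 23) | low23)) for dropped in range(32)]


# Constructed lookup taken from the protocol table in the guide.
CONTROL_GROUPS = {"RIP": "224.0.0.9", "NTP": "224.0.1.1", "VRRP": "224.0.0.18", "PIM-SM": "224.0.0.13"}


def control_group_macs():
    """MAC address for each control-plane group, for comparison with the table."""
    return {name: multicast_mac(group) for name, group in CONTROL_GROUPS.items()}


if __name__ == "__main__":
    for name, mac in control_group_macs().items():
        print(f"{name:7} {CONTROL_GROUPS[name]:12} {mac}")
    print("groups sharing the RIP MAC:", ", ".join(mac_aliases(multicast_mac("224.0.0.9"))))
```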
● Limit the total number of multicast routes on the system.
CONFIGURATION mode
ip multicast-limit
The range is from 1 to 16000. The default is 4000.
NOTE: The IN-L3-McastFib CAM partition stores multicast routes and is a separate hardware limit that exists per port-pipe. A software-configured limit may be higher than this hardware space, so the CAM partition can fill before the system-wide route limit is reached. The opposite is also true: the CAM partition might not be exhausted at the time the system-wide route limit set with the ip multicast-limit command is reached.
Figure 97. Preventing a Host from Joining a Group
The following table lists the locations shown in the previous illustration and their configuration.
Table 65. Preventing a Host from Joining a Group — Description
Location 1/21:
 interface TenGigabitEthernet 1/21
 ip pim sparse-mode
 ip address 10.11.12.1/24
 no shutdown
Location 1/31:
 interface TenGigabitEthernet 1/31
 ip pim sparse-mode
 ip address 10.11.13.
Table 65. Preventing a Host from Joining a Group — Description (continued)
Location 2/11:
 interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.12.2/24
 no shutdown
Location 2/31:
 interface TenGigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.23.1/24
 no shutdown
Location 3/1:
 interface TenGigabitEthernet 3/1
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
Location 3/11:
 interface TenGigabitEthernet 3/11
 ip pim sparse-mode
 ip address 10.11.13.
but no outgoing interfaces are listed. R2 has no filter, so it is allowed to forward both groups. As a result, Receiver 1 receives only one transmission, while Receiver 2 receives duplicate transmissions. Figure 98. Preventing a Source from Transmitting to a Group The following table lists the location and description shown in the previous illustration. Table 66.
Table 66. Preventing a Source from Transmitting to a Group — Description (continued)
 no shutdown
Location 2/11:
 interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.12.2/24
 no shutdown
Location 2/31:
 interface TenGigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.23.1/24
 no shutdown
Location 3/1:
 interface TenGigabitEthernet 3/1
 ip pim sparse-mode
 ip address 10.11.5.
Understanding Multicast Traceroute (mtrace)
Multicast Traceroute (mtrace) is a multicast diagnostic facility used for tracing multicast paths. Mtrace enables you to trace the path that a multicast packet takes from its source to the destination. When you initiate mtrace from a source to a destination, an mtrace Query packet with IGMP type 0x1F is sent toward the last-hop multicast router for the given destination. The mtrace query packet is forwarded hop by hop until it reaches the last-hop router.
● MTRACE Transit — when a Dell EMC Networking system is an intermediate router between the source and destination in an MTRACE query, Dell EMC Networking OS computes the RPF neighbor for the source, fills in the request, and forwards the request to the RPF neighbor. When a Dell EMC Networking system is the last hop to the destination, Dell EMC Networking OS sends a response to the query. To print the network path, use the following command.
Table 67. mtrace Command Output — Explained (continued)
From source (?) to destination (?): if the provided source or destination IP address can be resolved to a hostname, the corresponding name is displayed; if it cannot be resolved, (?) is displayed.
0 1.1.1.1 --> Destination: the first row in the table corresponds to the destination provided by the user.
-1 1.1.1.1 PIM Reached RP/Core 103.103.103.
Table 68. Supported Error Codes (continued)
0x81 NO_SPACE: There is not enough room to insert another response data block in the packet.
mtrace Scenarios
The following table describes the scenarios that can result when an mtrace command is issued:
Table 69.
Table 69. Mtrace Scenarios (continued)
Scenario: You invoke a weak mtrace request by specifying only the source, without specifying the multicast tree or multicast group information for the source. Mtrace traces a path towards the source by using the RPF neighbor at each node.
Output:
R1>mtrace 103.103.103.3
Type Ctrl-C to abort.
Querying reverse path for source 103.103.103.
Table 69. Mtrace Scenarios (continued)
Scenario: When you issue the mtrace command with the source and multicast group information, if a multicast route is not present on a particular node, the NO ROUTE error code is displayed for that node. In this scenario, the Source Network/Mask column for that node displays the value default.
Table 69. Mtrace Scenarios (continued)
-----------------------------------------------------------------
Scenario: If the destination provided in the command is not a valid receiver for the multicast group, the last-hop router for the destination returns the WRONG LAST HOP error code. If the last-hop router has a path to the source, the path is traced regardless of the incorrect destination.
Table 69. Mtrace Scenarios (continued)
Output:
0 1.1.1.1 --> Destination
-1 * * * *
----------------------------------------------------------------
Timed out receiving responses
Perhaps no local router has a route for source, the receiver is not a member of the multicast group or the multicast ttl is too low.
Scenario: While traversing the path from source to destination, if the mtrace packet exhausts the maximum buffer size of the packet, the NO SPACE error is displayed in the output.
Table 69. Mtrace Scenarios (continued)
Output:
Querying reverse path for source 6.6.6.6 to destination 4.4.4.5 via RPF
From source (?) to destination (?)
----------------------------------------------------------------
|Hop| OIF IP |Proto| Forwarding Code |Source Network/Mask|
----------------------------------------------------------------
0 4.4.4.5 --> Destination
-1 4.4.4.4 PIM 6.6.6.0/24
-2 20.20.20.2 PIM 6.6.6.0/24
-3 10.10.10.1 PIM RPF Interface 6.6.6.
34 Object Tracking IPv4 or IPv6 object tracking is available on Dell EMC Networking OS. Object tracking allows the Dell EMC Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell EMC Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 99. Object Tracking Example
When you configure a tracked object, such as an IPv4/IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
● UP and DOWN thresholds used to report changes in a route metric.
● A time delay before changes in a tracked object's state are reported to a client.
Track Layer 2 Interfaces
You can create an object to track the line-protocol state of a Layer 2 interface.
A tracked route matches a route in the routing table only if the exact address and prefix length match an entry in the routing table. For example, when configured as a tracked route, 10.0.0.0/24 does not match the routing table entry 10.0.0.0/8. If no route-table entry has the exact address and prefix length, the tracked route is considered to be DOWN.
VRRP Object Tracking As a client, VRRP can track up to 20 objects (including route entries, and Layer 2 and Layer 3 interfaces) in addition to the 12 tracked interfaces supported for each VRRP group. You can assign a unique priority-cost value from 1 to 254 to each tracked VRRP object or group interface. The priority cost is subtracted from the VRRP group priority if a tracked VRRP object is in a DOWN state.
show track object-id
DellEMC(conf)#track 100 interface tengigabitethernet 1/1 line-protocol
DellEMC(conf-track-100)#delay up 20
DellEMC(conf-track-100)#description San Jose data center
DellEMC(conf-track-100)#end
DellEMC#show track 100
Track 100
 Interface TenGigabitEthernet 1/1 line-protocol
 Description: San Jose data center
Tracking a Layer 3 Interface
You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface.
DellEMC(conf-track-101)#description NYC metro
DellEMC(conf-track-101)#end
DellEMC#show track 101
Track 101
 Interface TenGigabitEthernet 7/2 ip routing
 Description: NYC metro
The following is an example of configuring object tracking for an IPv6 interface:
DellEMC(conf)#track 103 interface tengigabitethernet 1/11 ipv6 routing
DellEMC(conf-track-103)#description Austin access point
DellEMC(conf-track-103)#end
DellEMC#show track 103
Track 103
 Interface TenGigabitEthernet 1/11 ipv6 routing
 Description: Austin a
○ The resolution value used to map RIP routes is not configurable. The RIP hop count is automatically multiplied by 16 to scale it. For example, a RIP metric of 16 (unreachable) scales to 256, which causes the route to be considered DOWN.
Tracking Route Reachability
Use the following commands to configure object tracking on the reachability of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command.
1. Configure object tracking on the reachability of an IPv4 or IPv6 route.
Reachability is Down (route not in route table)
2 changes, last change 00:03:03
Configuring track reachability refresh interval
If there is no ARP entry for the next hop of a route tracked for reachability, or if the next-hop address in the ARP cache ages out, the system waits for a refresh interval and then checks again whether the next-hop address has appeared in the ARP cache before it considers the route DOWN.
4. (Optional) Identify the tracked object with a text description.
OBJECT TRACKING mode
description text
The text string can be up to 80 characters.
5. (Optional) Configure the metric threshold for the UP and/or DOWN routing status to be tracked for the specified route.
OBJECT TRACKING mode
threshold metric {[up number] [down number]}
The default UP threshold is 254. The routing state is UP if the scaled route metric is less than or equal to the UP threshold. The default DOWN threshold is 255.
Track 2
 IPv6 route 2040::/64 metric threshold
 Metric threshold is Up (STATIC/0/0)
 5 changes, last change 00:02:16
 Metric threshold down 255 up 254
 First-hop interface is TenGigabitEthernet 1/2
 Tracked by:
 VRRP TenGigabitEthernet 2/30 IPv6 VRID 1
Track 3
 IPv6 route 2050::/64 reachability
 Reachability is Up (STATIC)
 5 changes, last change 00:02:16
 First-hop interface is TenGigabitEthernet 1/2
 Tracked by:
 VRRP TenGigabitEthernet 2/30 IPv6 VRID 1
Track 4
 Interface TenGigabitEthernet 1/4 ip routing
 IP routing is
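The following Python example is added here and is not code from this guide or from Dell EMC Networking OS. It models the object-tracking rules stated in this chapter so that the resulting states can be checked offline: a tracked route matches only a routing-table entry with the exact address and prefix length, RIP hop counts are scaled by 16, the default metric thresholds are UP at 254 and DOWN at 255, and VRRP subtracts the priority-cost of every DOWN object from the group priority. The routing table and tracked objects are constructed for the example. Three details the guide does not state are assumptions and are marked in the code: the resolution multiplier for non-RIP protocols, what happens when a scaled metric falls between the two thresholds (the previous state is kept), and the floor of 1 on the resulting VRRP priority.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str        # as installed in the routing table, e.g. "10.0.0.0/8"
    protocol: str      # "STATIC", "RIP", "OSPF", ...
    metric: int = 0


@dataclass
class TrackedRoute:
    object_id: int
    prefix: str
    mode: str = "reachability"   # or "metric"
    up_threshold: int = 254      # guide defaults: UP if scaled metric <= 254, DOWN if >= 255
    down_threshold: int = 255
    resolution: int = 1          # assumption: multiplier for non-RIP metrics


def lookup_exact(route_table, prefix):
    """Only an exact address/prefix-length match counts: 10.0.0.0/24 does not match 10.0.0.0/8."""
    wanted = ipaddress.ip_network(prefix, strict=True)
    for route in route_table:
        if ipaddress.ip_network(route.prefix, strict=True) == wanted:
            return route
    return None


def scaled_metric(route, resolution):
    """RIP hop counts are always multiplied by 16, so hop count 16 (unreachable) becomes 256."""
    if route.protocol.upper() == "RIP":
        return route.metric * 16
    return route.metric * resolution


def track_state(tracked, route_table, previous="DOWN"):
    """Return 'UP' or 'DOWN' for a tracked route against the current routing table."""
    route = lookup_exact(route_table, tracked.prefix)
    if route is None:
        return "DOWN"                       # no exact entry: DOWN in either mode
    if tracked.mode == "reachability":
        return "UP"
    metric = scaled_metric(route, tracked.resolution)
    if metric <= tracked.up_threshold:
        return "UP"
    if metric >= tracked.down_threshold:
        return "DOWN"
    return previous                         # assumption: a gap between thresholds keeps the last state


def vrrp_effective_priority(group_priority, priority_costs, states):
    """Subtract the priority-cost (1-254) of every tracked object that is DOWN from the group priority."""
    priority = group_priority
    for object_id, cost in priority_costs.items():
        if not 1 <= cost <= 254:
            raise ValueError(f"priority-cost {cost} for object {object_id} must be 1-254")
        if states.get(object_id, "DOWN") == "DOWN":
            priority -= cost
    return max(priority, 1)                 # assumption: never below the minimum VRRP priority


# Constructed routing table and tracked objects for the worked example.
ROUTE_TABLE = [
    Route("10.0.0.0/8", "STATIC"),
    Route("172.16.0.0/16", "RIP", metric=16),   # RIP "unreachable"
    Route("192.168.1.0/24", "RIP", metric=3),
    Route("2050::/64", "STATIC"),
]
TRACKED = {
    1: TrackedRoute(1, "10.0.0.0/24"),                  # longer prefix than the table entry
    2: TrackedRoute(2, "172.16.0.0/16", mode="metric"),
    3: TrackedRoute(3, "192.168.1.0/24", mode="metric"),
    4: TrackedRoute(4, "2050::/64"),
}


def evaluate_all(route_table=ROUTE_TABLE, tracked=TRACKED):
    """State of every tracked object, keyed by object number."""
    return {object_id: track_state(t, route_table) for object_id, t in tracked.items()}


if __name__ == "__main__":
    states = evaluate_all()
    for object_id, state in states.items():
        print(f"Track {object_id}: {state}")
    print("VRRP group priority 200 becomes:",
          vrrp_effective_priority(200, {1: 20, 2: 30, 3: 10, 4: 10}, states))
```

Objects 1 and 2 evaluate to DOWN (no exact /24 entry; RIP metric 16 scales to 256), so a group configured with priority 200 and costs 20 and 30 on those objects advertises priority 150, which is the arithmetic to check when a backup router unexpectedly takes over.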
35 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell EMC Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell EMC Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 100. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers. NOTE: If you configure two non-backbone areas, then you must enable the B bit in OSPF.
Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
● Type 3: Summary LSA (OSPFv2), Inter-Area-Prefix LSA (OSPFv3) — An ABR takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to. The link-state ID of the Type 3 LSA is the destination network number. ● Type 4: AS Border Router Summary LSA (OSPFv2), Inter-Area-Router LSA (OSPFv3) — In some cases, Type 5 External LSAs are flooded to areas where the detailed next-hop information may not be available.
Figure 102. Priority and Cost Examples OSPF with Dell EMC Networking OS The Dell EMC Networking OS supports up to 16,000 OSPF routes for OSPFv2. Dell EMC Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell EMC Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell EMC Networking OS supports only one OSPFv3 process per VRF. OSPFv2 and OSPFv3 can co-exist but you must configure them individually.
OSPF graceful restart recognizes that, in a modern router, the control plane and the data plane are separate: restarting the control plane (for example, failover of the active RPM to the backup in a redundant configuration) does not necessarily have to interrupt the forwarding of data packets.
Multi-Process OSPFv2 with VRF Multi-process OSPF with VRF is supported on the Dell EMC Networking OS. Only one OSPFv2 process per VRF is supported. Multi-process OSPF allows multiple OSPFv2 processes on a single router. Multiple OSPFv2 processes allow for isolating routing domains, supporting multiple route policies and priorities in different domains, and creating smaller domains for easier management. Each OSPFv2 process has a unique process ID and must have an associated router ID.
RFC 2328 is supported by default on Dell EMC Networking OS, and this is indicated in the show ip ospf command output.
DellEMC#show ip ospf
Routing Process ospf 1 with ID 2.2.2.
Configuration Information The interfaces must be in Layer 3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode. NOTE: Loop back routes are not installed in the Route Table Manager (RTM) as non-active routes.
Enabling OSPFv2 To enable Layer 3 routing, assign an IP address to an interface (physical or Loopback). By default, OSPF, similar to all routing protocols, is disabled. You must configure at least one interface for Layer 3 before enabling OSPFv2 globally. If implementing multi-process OSPF, create an equal number of Layer 3 enabled interfaces and OSPF process IDs. For example, if you create four OSPFv2 process IDs, you must have four interfaces with Layer 3 enabled. 1. Assign an IP address to an interface.
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Number of area in this router is 0, normal 0 stub 0 nssa 0
DellEMC#
Enabling Multi-Process OSPF (OSPFv2, IPv4 Only)
Multi-process OSPF allows multiple OSPFv2 processes on a single router. For more information, refer to Multi-Process OSPF (OSPFv2, IPv4 Only).
When configuring a single OSPF process, follow the same steps previously described. Repeat them as often as necessary for the desired number of processes.
Enable OSPFv2 on Interfaces
Enable and configure OSPFv2 on each interface that is configured for Layer 3 and is not shut down. You can also assign OSPFv2 to a Loopback interface as a virtual interface. OSPF functions and features, such as MD5 Authentication, Grace Period, and Authentication Wait Time, are assigned on a per-interface basis.
NOTE: If using features like MD5 Authentication, ensure that all the neighboring routers are also configured for MD5.
Example of Viewing OSPF Status on a Loopback Interface
DellEMC#show ip ospf 1 int
TenGigabitEthernet 1/23 is up, line protocol is up
 Internet Address 10.168.0.1/24, Area 0.0.0.1
 Process ID 1, Router ID 10.168.253.2, Network Type BROADCAST, Cost: 1
 Transmit Delay is 1 sec, State DROTHER, Priority 1
 Designated Router (ID) 10.168.253.5, Interface address 10.168.0.4
 Backup Designated Router (ID) 192.168.253.3, Interface address 10.168.0.
Enabling Passive Interfaces
A passive interface is one that does not send or receive routing information. Enabling a passive interface suppresses routing updates on that interface. Although the passive interface does not send or receive routing updates, the network on that interface is still included in OSPF updates sent via other interfaces. To suppress an interface's participation in OSPF, use the following command. This command stops the router from sending updates on that interface.
● Enable OSPF fast-convergence and specify the convergence level.
CONFIG-ROUTEROSPF-id mode
fast-convergence {number}
The parameter range is from 1 to 4. The higher the number, the faster the convergence. When disabled, the parameter is set to 0.
NOTE: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements. Only select higher convergence levels following consultation with Dell Technical Support.
ip ospf hello-interval seconds
○ seconds: the range is from 1 to 65535 (the default is 10 seconds). The hello interval must be the same on all routers in the OSPF network.
● Use the MD5 algorithm to produce a message digest that is sent with each OSPF packet instead of the key itself.
CONFIG-INTERFACE mode
ip ospf message-digest-key keyid md5 key
○ keyid: the range is from 1 to 255.
○ key: a character string.
NOTE: Be sure to write down or otherwise record the key. You cannot retrieve the key from the switch after it is configured.
Enabling OSPFv2 Authentication
To enable or change various OSPF authentication parameters, use the following commands.
● Set a clear text authentication scheme on the interface.
CONFIG-INTERFACE mode
ip ospf authentication-key key
Configure a key that is a text string no longer than eight characters. All neighboring routers must share the same password to exchange OSPF information. The clear text key is carried unencrypted in the header of every OSPF packet, so anyone who can capture traffic on the segment can read it; prefer MD5 authentication (ip ospf message-digest-key) where the neighbors support it.
● Set the authentication change wait time in seconds between 0 and 300 for the interface.
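To see what the two schemes actually put on the wire, the Python example below (added here; not code from this guide or from Dell EMC Networking OS) builds a minimal OSPFv2 Hello and applies both. With ip ospf authentication-key the password sits in clear in the 64-bit authentication field of the header. With ip ospf message-digest-key the header carries only a key ID and a cryptographic sequence number, and the packet is followed by an MD5 digest computed over the packet plus the zero-padded key, as specified in RFC 2328 Appendix D. Router ID, area, password and key values are constructed for the example. The receiver side checks the digest in constant time and rejects a sequence number that goes backwards; note that the digest is a keyed MD5 rather than an HMAC, and that every neighbor still shares one secret, so a compromised router can forge packets for the whole segment.

```python
import hashlib
import hmac
import socket
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPT = 0, 1, 2   # OSPFv2 AuType values (RFC 2328 Appendix D)
OSPF_HELLO = 1


def _inet_checksum(data):
    """RFC 1071 ones-complement checksum used by the OSPF header for AuType 0 and 1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def md5_auth_field(key_id, seq):
    """AuType 2 authentication field: 0, Key ID, Auth Data Length (16), cryptographic sequence number."""
    return struct.pack("!HBBI", 0, key_id, 16, seq)


def build_hello(router_id, area_id, auth_type, auth_field, hello=10, dead=40):
    """Minimal OSPFv2 Hello (no neighbors, DR/BDR 0.0.0.0) with the given authentication header."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"), hello, 0x02, 1,
                       dead, b"\x00" * 4, b"\x00" * 4)
    if auth_type == AUTH_SIMPLE:
        if len(auth_field) > 8:
            raise ValueError("simple password is at most 8 characters")
        auth_field = auth_field.ljust(8, b"\x00")   # password itself goes into the header
    elif len(auth_field) != 8:
        raise ValueError("authentication field is 64 bits")
    length = 24 + len(body)
    hdr = struct.pack("!BBH4s4sHH8s", 2, OSPF_HELLO, length, socket.inet_aton(router_id),
                      socket.inet_aton(area_id), 0, auth_type, b"\x00" * 8)
    # The checksum excludes the authentication field; with AuType 2 it is left at zero.
    csum = 0 if auth_type == AUTH_CRYPT else _inet_checksum(hdr + body)
    return hdr[:12] + struct.pack("!H", csum) + hdr[14:16] + auth_field + body


def ospf_md5_digest(packet, key):
    """RFC 2328 D.4.3: MD5 over the packet followed by the key, zero-padded to 16 bytes."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return hashlib.md5(packet + key.ljust(16, b"\x00")).digest()


def sign(packet, key):
    """Append the digest; it is not counted in the OSPF length field."""
    return packet + ospf_md5_digest(packet, key)


def verify(wire, key, last_seq=0):
    """Receiver check: recompute the digest over header+body and compare in constant time."""
    if struct.unpack("!H", wire[14:16])[0] != AUTH_CRYPT:
        return False
    length = struct.unpack("!H", wire[2:4])[0]
    packet, digest = wire[:length], wire[length:length + 16]
    if len(digest) != 16 or not hmac.compare_digest(digest, ospf_md5_digest(packet, key)):
        return False
    # Replay protection: the sequence number must not go backwards (RFC 2328 allows equality).
    seq = struct.unpack("!I", packet[20:24])[0]
    return seq >= last_seq


def simple_password_from_wire(wire):
    """AuType 1 carries the password itself in the header, readable by anyone on the segment."""
    if struct.unpack("!H", wire[14:16])[0] != AUTH_SIMPLE:
        return None
    return wire[16:24].rstrip(b"\x00").decode("ascii", "replace")


if __name__ == "__main__":
    # Constructed values: a router in area 0 using a clear text key and then an MD5 key.
    clear = build_hello("10.1.1.1", "0.0.0.0", AUTH_SIMPLE, b"dell1234")
    print("clear text password visible on the wire:", simple_password_from_wire(clear))
    signed = sign(build_hello("10.1.1.1", "0.0.0.0", AUTH_CRYPT, md5_auth_field(1, 100)), b"s3cret")
    print("MD5 packet verifies with the right key:", verify(signed, b"s3cret"))
    print("MD5 packet verifies with a wrong key:", verify(signed, b"wrong"))
```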
Dell EMC Networking OS supports the following options: ● Helper-only: the OSPFv2 router supports graceful-restart only as a helper router. ● Restart-only: the OSPFv2 router supports graceful-restart only during unplanned restarts. By default, OSPFv2 supports both restarting and helper roles. Selecting one or the other role restricts OSPFv2 to the single selected role. To disable OSPFv2 graceful-restart after you have enabled it, use the no graceful-restart grace-period command in CONFIG-ROUTEROSPF- id mode.
Redistributing Routes
You can add routes from other routing instances or protocols to the OSPF process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process.
NOTE: Do not redistribute iBGP routes into OSPF unless a route-map is associated with the OSPF redistribution.
To redistribute routes, use the following command.
● Specify which routes are redistributed into the OSPF process.
show ip route summary
● View the summary information for the OSPF database.
EXEC Privilege mode
show ip ospf database
● View the configuration of OSPF neighbors connected to the local router.
EXEC Privilege mode
show ip ospf neighbor
● View the LSAs currently in the queue.
EXEC Privilege mode
show ip ospf timers rate-limit
● View debug messages.
Figure 103. Basic Topology and CLI Commands for OSPFv2
OSPF Area 0 — Te 1/1 and 1/2
router ospf 11111
 network 10.0.11.0/24 area 0
 network 10.0.12.0/24 area 0
 network 192.168.100.0/24 area 0
!
interface TenGigabitEthernet 1/1
 ip address 10.1.11.1/24
 no shutdown
!
interface TenGigabitEthernet 1/2
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown
OSPF Area 0 — Te 3/1 and 3/2
router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.
OSPF Area 0 — Te 2/1 and 2/2
router ospf 22222
 network 192.168.100.0/24 area 0
 network 10.2.21.0/24 area 0
 network 10.2.22.0/24 area 0
!
interface Loopback 20
 ip address 192.168.100.20/24
 no shutdown
!
interface TenGigabitEthernet 2/1
 ip address 10.2.21.2/24
 no shutdown
!
interface TenGigabitEthernet 2/2
 ip address 10.2.22.2/24
 no shutdown
OSPFv3 NSSA
NSSA (Not-So-Stubby-Area) is a stub area that does not support Type-5 LSAs, but supports Type-7 LSAs to carry external routes.
Enable OSPFv3 for IPv6 by specifying an OSPF process ID and an area in INTERFACE mode. If you have not created an OSPFv3 process, it is created automatically. All IPv6 addresses configured on the interface are included in the specified OSPF process. NOTE: IPv6 and OSPFv3 do not support Multi-Process OSPF. You can only enable a single OSPFv3 process. To create multiple OSPF processes you need to have multiple VRFs on a switch.
2. Bring up the interface. CONF-INT-type slot/port mode no shutdown Assigning Area ID on an Interface To assign the OSPFv3 process to an interface, use the following command. The ipv6 ospf area command enables OSPFv3 on an interface and places the interface in the specified area. Additionally, the command creates the OSPFv3 process with ID on the router.
router-id {number}
○ number: the IPv4 address. The format is A.B.C.D.
NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address.
● Disable OSPF.
CONFIGURATION mode
no ipv6 router ospf process-id vrf {vrf-name}
● Reset the OSPFv3 process.
EXEC Privilege mode
clear ipv6 ospf [vrf vrf-name] process
Configuring Stub Areas
To configure IPv6 stub areas, use the following command.
● Configure the area as a stub area.
○ bgp | connected | static: enter one of the keywords to redistribute those routes.
○ metric metric-value: the range is from 0 to 4294967295.
○ metric-type metric-type: enter 1 for OSPFv3 external route type 1 or 2 for OSPFv3 external route type 2.
○ route-map map-name: enter the name of a configured route map.
○ tag tag-value: the range is from 0 to 4294967295.
Configuring a Default Route
To generate a default external route into the OSPFv3 routing domain, configure the following parameters.
RPM. During a planned restart, OSPFv3 sends out a Grace LSA before the system switches over to the secondary RPM. OSPFv3 is notified that a planned restart is happening. ○ Unplanned-only: the OSPFv3 router supports graceful-restart only for unplanned restarts. During an unplanned restart, OSPFv3 sends out a Grace LSA once the secondary RPM comes online. The default is both planned and unplanned restarts trigger an OSPFv3 graceful restart.
LSA count: 12010
 Summary LSAs: 1
 Rtr LSA Count: 4
 Net LSA Count: 3
 Inter Area Pfx LSA Count: 12000
 Inter Area Rtr LSA Count: 0
 Group Mem LSA Count: 0
The following example shows the show ipv6 ospf database grace-lsa command.
DellEMC#show ipv6 ospf database grace-lsa
!
Type-11 Grace LSA (Area 0)
 LS Age : 10
 Link State ID : 6.16.192.66
 Advertising Router : 100.1.1.
OSPFv3 Authentication Using IPsec: Configuration Notes OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552. ● To use IPsec, configure an authentication (using AH) or encryption (using ESP) security policy on an interface or in an OSPFv3 area. Each security policy consists of a security policy index (SPI) and the key used to validate OSPFv3 packets. After IPsec is configured for OSPFv3, IPsec operation is invisible to the user.
○ key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share the same key to exchange information. For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted). For SHA-1 authentication, the key must be 40 hex digits (non-encrypted) or 80 hex digits (encrypted).
● Remove an IPsec authentication policy from an interface.
Configuring IPSec Authentication for an OSPFv3 Area To configure, remove, or display IPSec authentication for an OSPFv3 area, use the following commands. Prerequisite: Before you enable IPsec authentication on an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)). The security policy index (SPI) value must be unique to one IPSec security policy (authentication or encryption) on the router.
○ key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information. The required lengths of a non-encrypted or encrypted key are: 3DES, 48 or 96 hex digits; DES, 16 or 32 hex digits; AES-CBC, 32 or 64 hex digits for AES-128 and 48 or 96 hex digits for AES-192. DES and 3DES are legacy ciphers; prefer AES-CBC where the neighbors support it.
○ key-encryption-type: (optional) specifies whether the key is encrypted. Valid values: 0 (key is not encrypted) or 7 (key is encrypted).
Transform set : ah-md5-hmac
Crypto IPSec client security policy data
Policy name : OSPFv3-0-501
Policy refcount : 1
Inbound ESP SPI : 501 (0x1F5)
Outbound ESP SPI : 501 (0x1F5)
Inbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5
Outbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5
Inbound ESP Cipher Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba10345a1039ba8f8a
Outbound ESP Cipher Key : bbdd96e6
Troubleshooting OSPFv3 The system provides several tools to troubleshoot OSPFv3 operation on the switch. This section describes typical OSPFv3 troubleshooting scenarios. NOTE: The following troubleshooting section is not meant to be a comprehensive list, but only to provide some examples of typical troubleshooting checks.
36 Policy-based Routing (PBR) Policy-based routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
● IP address of the forwarding router (next-hop IP address)
● Protocol as defined in the header
● Source IP address and mask
● Destination IP address and mask
● Source port
● Destination port
● TCP Flags
After you apply a redirect-list to an interface, all traffic passing through it is subjected to the rules defined in the redirect-list. Traffic is forwarded based on the following:
● Next-hop addresses are verified.
● Apply a Redirect-list to an Interface using a Redirect-group
PBR Exceptions (Permit)
To create an exception to a redirect list, use the permit command. Exceptions are used when a forwarding decision should be based on the routing table rather than a routing policy. The Dell EMC Networking OS assigns the first available sequence number to a rule configured without a sequence number and inserts the rule into the PBR CAM region next to the existing entries.
● FORMAT: slot/port
● ip-protocol-number or protocol-type is the type of protocol to be redirected
  FORMAT: 0-255 for IP protocol number, or enter protocol type
● source ip-address or any or host ip-address is the Source’s IP address
  FORMAT: A.B.C.D/NN, or ANY or HOST IP address
● destination ip-address or any or host ip-address is the Destination’s IP address
  FORMAT: A.B.C.D/NN, or ANY or HOST IP address
To delete a rule, use the no redirect command.
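The rule grammar above and the forwarding semantics (sequence-ordered first match, permit as the exception that hands a packet back to the routing table, next-hop reachability) can be modelled in a few lines. This evaluator is an added example, not Dell EMC Networking OS code: it parses the redirect-list GOLD from this chapter plus one constructed host/TCP rule, and it assumes (the page does not say) that a redirect whose next hop is unreachable is skipped so the packet falls through to later rules.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "seq action next_hop proto src dst")

# Protocol keywords accepted in a rule, mapped to IP protocol numbers;
# "ip" matches any protocol. Constructed for this example.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D/NN' starting at tokens[i]."""
    tok = tokens[i].lower()
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def parse_rule(line):
    """Parse 'seq N redirect NEXT-HOP PROTO SRC DST' or 'seq N permit PROTO SRC DST'."""
    t = line.split()
    if t[0] != "seq" or t[2] not in ("redirect", "permit"):
        raise ValueError("unsupported rule: %s" % line)
    seq, action, i = int(t[1]), t[2], 3
    next_hop = None
    if action == "redirect":
        next_hop, i = t[i], i + 1
    proto = t[i].lower()
    i += 1
    src, i = _parse_addr(t, i)
    dst, i = _parse_addr(t, i)
    return Rule(seq, action, next_hop, proto, src, dst)


def _proto_matches(rule_proto, pkt_proto):
    if rule_proto == "ip":
        return True
    if rule_proto.isdigit():
        return int(rule_proto) == pkt_proto
    return PROTO_NUMBERS.get(rule_proto) == pkt_proto


def decide(rules, reachable_next_hops, src, dst, proto):
    """Return ("redirect", next_hop) or ("routing-table", None) for one packet.

    Rules are evaluated in sequence-number order and the first match wins.
    A permit rule is the exception that sends the packet to the routing
    table. Assumption: a redirect whose next hop is not reachable is skipped.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.seq):
        if not (_proto_matches(r.proto, proto) and src_ip in r.src and dst_ip in r.dst):
            continue
        if r.action == "permit":
            return ("routing-table", None)
        if r.next_hop in reachable_next_hops:
            return ("redirect", r.next_hop)
    return ("routing-table", None)


# The redirect-list GOLD from this chapter, plus one constructed host/TCP rule.
GOLD_RULES = [parse_rule(line) for line in [
    "seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any",
    "seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any",
    "seq 12 redirect 10.99.99.1 tcp host 192.168.3.7 host 203.0.113.10",  # constructed
    "seq 15 permit ip any any",
]]

if __name__ == "__main__":
    reachable = {"10.99.99.254"}  # 10.99.99.1 is deliberately unreachable here
    print(decide(GOLD_RULES, reachable, "192.168.1.10", "198.51.100.5", 6))
    print(decide(GOLD_RULES, reachable, "192.168.3.7", "203.0.113.10", 6))
    print(decide(GOLD_RULES, reachable, "10.0.0.1", "198.51.100.5", 17))
```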
NOTE: Starting with the Dell EMC Networking OS version 9.4(0.0), the use of multiple recursive routes with the same source-address and destination-address combination in a redirect policy on a router. A recursive route is a route for which the immediate next-hop address is learned dynamically through a routing protocol and acquired through a route lookup in the routing table.
!
interface GigabitEthernet 1/1
 no ip address
 ip redirect-group test
 ip redirect-group xyz
 shutdown
DellEMC(conf-if-gi-1/1)#
In addition to supporting multiple redirect-lists in a redirect-group, multiple redirect-groups are supported on a single interface. Dell EMC Networking OS has the capability to support multiple groups on an interface for backup purposes.
Show Redirect List Configuration
To view the redirect list configuration, use the following commands.
1.
Applied interfaces: Te 2/2 NOTE: If you apply the redirect-list to an interface, the output of the show ip redirect-list redirect-listname command displays reachability status for the specified next-hop.
Create the Redirect-List GOLD
EDGE_ROUTER(conf-if-Te-2/23)#ip redirect-list GOLD
EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD.
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.1.0/24 any
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any
EDGE_ROUTER(conf-redirect-list)#seq 15 permit ip any any
EDGE_ROUTER(conf-redirect-list)#show config
!
ip redirect-list GOLD
 description Route GOLD traffic to ISP_GOLD.
 seq 5 redirect 10.99.99.254 ip 192.
View Redirect-List GOLD
EDGE_ROUTER#show ip redirect-list
IP redirect-list GOLD:
 Defined as:
 seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23)
 seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any, Next-hop reachable (via Te 3/23)
 seq 15 permit ip any any
 Applied interfaces:
 Te 2/11
EDGE_ROUTER#
Creating a PBR list using Explicit Track Objects for Redirect IPs
Create Track Objects to track the Redirect IPs:
DellEMC#configure terminal
DellEMC(conf)#track 3 ip host 42.1.1.
 seq 25 redirect 43.1.1.2 track 4 ip host 7.7.7.7 host 144.144.144.144, Track 4 [up], Next-hop reachable (via Vl 20)
 Applied interfaces:
 Te 2/28
DellEMC#
Creating a PBR list using Explicit Track Objects for Tunnel Interfaces
Creating steps for Tunnel Interfaces:
DellEMC#configure terminal
DellEMC(conf)#interface tunnel 1
DellEMC(conf-if-tu-1)#tunnel destination 40.1.1.2
DellEMC(conf-if-tu-1)#tunnel source 40.1.1.1
DellEMC(conf-if-tu-1)#tunnel mode ipip
DellEMC(conf-if-tu-1)#tunnel keepalive 60.1.1.
Verify the Applied Redirect Rules:
DellEMC#show ip redirect-list explicit_tunnel
IP redirect-list explicit_tunnel:
 Defined as:
 seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.0/24, Track 1 [up], Nexthop reachable (via Te 1/32)
 seq 10 redirect tunnel 1 track 1 tcp any any, Track 1 [up], Next-hop reachable (via Te 1/32)
 seq 15 redirect tunnel 1 track 1 udp 155.55.0.0/16 host 144.144.144.144, Track 1 [up], Next-hop reachable (via Te 1/32)
 seq 20 redirect tunnel 2 track 2 tcp 155.55.2.0/24 222.22.2.
37 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop.
3. If a host on the same subnet as another multicast receiver sends an IGMP report for the same multicast group, the gateway takes no action. If a router between the host and the RP receives a PIM Join message for which it already has a (*,G) entry, the interface on which the message was received is added to the outgoing interface list associated with the (*,G) entry, and the message is not (and does not need to be) forwarded towards the RP.
Related Configuration Tasks
The following are related PIM-SM configuration tasks.
● Configuring S,G Expiry Timers
● Configuring a Static Rendezvous Point
● Configuring a Designated Router
● Creating Multicast Boundaries and Domains
Enable PIM-SM
You must enable PIM-SM on each participating interface.
1. Enable IPv4 multicast routing on the system.
CONFIGURATION mode
ip multicast-routing [vrf vrf-name]
2. Enable PIM-Sparse mode.
127.87.50.5               Te 2/13    00:03:08/00:01:37  v2   1 / S
DellEMC#
DellEMC#show ipv6 pim neighbor
Neighbor Address          Interface  Uptime/Expires     Ver  DR Prio/Mode
fe80::201:e8ff:fe02:140f  Te 1/11    01:44:59/00:01:16  v2   1 / S
fe80::201:e8ff:fe00:6265  Te 1/12    01:45:00/00:01:16  v2   1 / DR
DellEMC#
To display the PIM routing table, use the show ip pim tib [group-address [source-address]] command from EXEC privilege mode.
ip pim sparse-mode sg-expiry-timer seconds
The range is from 211 to 86,400 seconds. The default is 210.
NOTE: The global expiry time for all [S, G] entries can vary from 360 to 420 seconds.
Configuring a Static Rendezvous Point
The rendezvous point (RP) is a PIM-enabled interface on a router that acts as the root of a group-specific tree; every group must have an RP.
● Identify an RP by the IP address of a PIM-enabled or Loopback interface.
INTERFACE mode ip pim query-interval seconds ● Display the current value of these parameters.
Creating Multicast Boundaries and Domains A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet. Create multicast boundaries and domains by filtering inbound and outbound bootstrap router (BSR) messages per interface. The following command is applied to the subsequent inbound and outbound updates.
38 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Related Configuration Tasks ● Use PIM-SSM with IGMP Version 2 Hosts Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1. Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2. Enter the ip pim ssm-range command and specify the ACL you created. CONFIGURATION mode ip pim ssm-range acl-name To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.
Configuring PIM-SSM with IGMPv2
R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4
ip pim ssm-range ssm
R1(conf)#do show run acl
!
ip access-list standard map
 seq 5 permit host 239.0.0.2
!
ip access-list standard ssm
 seq 5 permit host 239.0.0.2
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address Interface Mode Uptime Expires 239.0.0.
Group Address   Interface   Mode            Uptime
239.0.0.2       Vlan 300    IGMPv2-Compat   00:00:36
Member Ports: Te 1/1
R1(conf)#do show ip igmp ssm-map 239.0.0.2
SSM Map Information
Group : 239.0.0.2
Source(s) : 10.11.5.2
R1(conf)#do show ip igmp groups detail
Interface Group Uptime Expires Router mode Last reporter Last reporter mode Last report Group source Source address 10.11.5.2 00:00:01 Expires Never Last Reporter 10.11.3.2 Vlan 300 239.0.0.2 00:00:01 Never IGMPv2-Compat 10.11.3.
To enable BSR election for IPv4 or IPv6, perform the following steps:
1. Enter the following IPv4 or IPv6 command to make a PIM router a BSR candidate:
CONFIGURATION
ip pim bsr-candidate
ipv6 pim bsr-candidate
2. Enter the following IPv4 or IPv6 command to make a PIM router an RP candidate:
CONFIGURATION
ip pim rp-candidate
ipv6 pim rp-candidate
3. Display IPv4 or IPv6 Bootstrap Router information.
NOTE: You can create the ACL list of multicast prefix using the ip access-list standard command.
39 Port Monitoring Port monitoring (also referred to as mirroring) allows you to monitor ingress traffic, egress traffic, or both on specified ports. The mirrored traffic can be sent to a port to which a network analyzer or sniffer is connected, so that the traffic can be inspected or troubleshot there.
You can configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session. The platform supports multiple source-destination statements in a single monitor session. The maximum number of destination ports that can be supported depends on the port mirroring directions as follows: ● 4 per port pipe, if the four destination ports mirror in one direction, either rx or tx.
TTL Drop Rate ------ ----------- ---0 Te 1/13 0 No N/A 10 Te 1/14 0 No N/A 20 Te 1/15 0 No N/A 30 Te 1/16 0 No N/A 300 Te 1/17 0 No N/A DellEMC# Gre-Protocol --------------------Te 1/1 N/A Te 1/1 N/A Te 1/1 N/A Te 1/1 N/A Te 1/1 N/A FcMonitor --- -----------rx interface yes rx interface yes rx interface yes rx interface yes rx interface yes --------- -------- ---- 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.
Configuring Port Monitoring
To configure port monitoring, use the following commands.
1. Verify that the intended monitoring port has no configuration other than no shutdown, as shown in the following example.
EXEC Privilege mode
show interface
2. Create a monitoring session using the command monitor session from CONFIGURATION mode, as shown in the following example.
CONFIGURATION mode
monitor session
monitor session type rpm/erpm
type is an optional keyword, required only for rpm and erpm
3.
NOTE: Using a VLAN as the source is achieved through flow-based mirroring. Refer to the section Enabling Flow-Based Monitoring. In the following example, the host and server are exchanging traffic which passes through the uplink interface 1/1. Port 1/1 is the monitored port and port 1/42 is the destination port, which is configured to only monitor traffic received on tengigabitethernet 1/1 (host-originated traffic). Figure 105.
cam-acl l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number vman-qos number ipv4mirracl number 6. Apply the ACL to the monitored port. MONITOR SESSION mode ip access-group access-list-name To view an access-list that you applied to an interface, use the show ip accounting access-list command from EXEC Privilege mode.
The reserved VLANs transport the mirrored traffic in sessions (blue pipes) to the destination analyzers in the local network. Two destination sessions are shown: one for the reserved VLAN that transports orange-circle traffic; one for the reserved VLAN that transports green-circle traffic. Figure 106.
● To associate with a source session, the reserved VLAN can have at most four member ports.
● To associate with a destination session, the reserved VLAN can have multiple member ports.
● A reserved VLAN cannot have untagged ports.
In the reserved L2 VLAN used for remote port mirroring:
● MAC address learning in the reserved VLAN is automatically disabled.
● The reserved VLAN for remote port mirroring can be automatically configured in intermediate switches by using GVRP.
Displaying Remote-Port Mirroring Configurations To display the current configuration of remote port mirroring for a specified session, enter the show config command in MONITOR SESSION configuration mode.
interface vlan vlan-id 3. Configure the RSPAN VLAN to be used to transport mirrored traffic in RPM. VLAN INTERFACE mode mode remote-port-mirroring 4. Configure a tagged port to carry mirrored traffic in the VLAN. VLAN INTERFACE mode tagged interface You can repeat this command to configure additional tagged ports for the VLAN. Configuring a source session Following are the steps for configuring a source session on a switch.
Configuration Example of Remote Port Mirroring This example provides a sample configuration of remote port mirroring (RPM) on a source switch, an intermediate switch, and a destination switch based on the following illustration. Figure 107.
Following is a sample configuration of RPM on a destination switch.
Configuration Example of RPM for port-channel This example provides a sample configuration of remote port mirroring for the port-channel source interface. Configuring Remote Port Mirroring on the source switch The following configuration example shows that the source is a source port-channel and the destination is the reserved VLAN (for example, remote-vlan 30).
● You can configure up to four ERPM source sessions on a switch.
● Configure the system MTU to accommodate the increased size of the ERPM mirrored packet.
● The maximum number of source ports you can define in a session is 128.
● The system encapsulates the complete ingress or egress data under a GRE header, IP header, and outer MAC header and sends it out at the next-hop interface as pointed to by the routing table.
SessID Source  Destination Dir Protocol FcMonitor Status
------ ------  ----------- --- -------- --------- -------
0      Te 1/9  remote-ip   rx           No        Enabled
0      Po 1    remote-ip   tx           No        Enabled
1      Vl 11   remote-ip   rx           No        Enabled
Mode Source IP Dest IP DSCP TTL Drop Rate Gre-
---- --------- ------- ---- --- ---- ---- ----
Port 1.1.1.1   7.1.1.2 0    255 No   100  111
Port 1.1.1.1   7.1.1.2 0    255 No   100  111
Flow 5.1.1.1   3.1.1.
As seen in the above figure, the packets received or transmitted on Port A are encapsulated with an IP/GRE header plus a new L2 header and sent to the destination IP address (Port D’s IP address) on the sniffer. The header that is attached to the packet is 38 bytes long. If the sniffer does not support an IP interface, a destination switch is needed to receive the encapsulated ERPM packet and locally mirror the whole packet to the sniffer or a Linux server.
The port monitoring or mirroring function when applied to VLT devices works as expected, with some restrictions. You can configure RPM or ERPM monitoring between two VLT peers. Because VLT devices are seen as a single device in the network, when a failover occurs the source or destination port on one of the VLT peers becomes inactive, causing the monitoring session to fail. As a result, Dell EMC Networking OS does not allow local port-mirroring-based monitoring to be configured between VLT peers.
Table 71. RPM over VLT Scenarios (continued)
Scenario / RPM Restriction / Recommended Solution
(continued) The packet analyzer is connected to the VLT device through the orphan port.
Mirroring using Intermediate VLT device: No restrictions apply — In this scenario, the VLT device acts as the intermediate device in remote mirroring. The TOR switch contains the source-RPM configurations that enable mirroring of the VLT lag (of the TOR switch) to any orphan port in the VLT device.
40 Private VLANs (PVLAN) The private VLAN (PVLAN) feature is supported on Dell EMC Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell EMC Networking OS Command Line Reference Guide. Private VLANs extend the Dell EMC Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
● Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports. ● Host port — in the context of a private VLAN, is a port in a secondary VLAN: ○ The port must first be assigned that role in INTERFACE mode. ○ A port assigned the host role cannot be added to a regular VLAN. ● Isolated port — a port that, in Layer 2, can only communicate with promiscuous ports that are in the same PVLAN.
Configuration Task List
The following sections contain the procedures that configure a private VLAN.
● Creating PVLAN Ports
● Creating a Primary VLAN
● Creating a Community VLAN
● Creating an Isolated VLAN
Creating PVLAN ports
PVLAN ports are ports that will be assigned to the PVLAN.
1. Access INTERFACE mode for the port that you want to assign to a PVLAN.
CONFIGURATION mode
interface interface
2. Enable the port.
INTERFACE mode
no shutdown
3. Set the port in Layer 2 mode.
INTERFACE mode
switchport
4.
interface vlan vlan-id 2. Enable the VLAN. INTERFACE VLAN mode no shutdown 3. Set the PVLAN mode of the selected VLAN to primary. INTERFACE VLAN mode private-vlan mode primary 4. Map secondary VLANs to the selected primary VLAN. INTERFACE VLAN mode private-vlan mapping secondary-vlan vlan-list The list of secondary VLANs can be: ● Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID). ● Specified with this command even before they have been created.
You can only add host (isolated) ports to the VLAN. Creating an Isolated VLAN An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN. 1. Access INTERFACE VLAN mode for the VLAN that you want to make an isolated VLAN. CONFIGURATION mode interface vlan vlan-id 2. Enable the VLAN. INTERFACE VLAN mode no shutdown 3. Set the PVLAN mode of the selected VLAN to isolated. INTERFACE VLAN mode private-vlan mode isolated 4.
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 109. Sample Private VLAN Topology The following configuration is based on the example diagram for the Z9500: ● Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. ● Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. ● Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
● The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500. ● For transmission between switches, tagged packets originating from host PVLAN ports in one secondary VLAN and destined for host PVLAN ports in the other switch travel through the promiscuous ports in the local VLAN 4000 and then through the trunk ports (1/25 in each switch). Inspecting the Private VLAN Configuration The standard methods of inspecting configurations also apply in PVLANs.
G - GVRP tagged, M - Vlan-stack
    NUM    Status    Description                Q Ports
*   1      Inactive
    100    Inactive
P   200    Inactive  primary VLAN in PVLAN      T Te 1/19-20
I   201    Inactive  isolated VLAN in VLAN 200  T Te 1/21
The following example shows viewing a private VLAN configuration.
41 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Figure 110. Per-VLAN Spanning Tree
The Dell EMC Networking OS supports three other variations of spanning tree, as shown in the following table.
Table 72. Spanning Tree Variations Dell EMC Networking OS Supports
Dell EMC Networking Term                  IEEE Specification
Spanning Tree Protocol (STP)              802.1d
Rapid Spanning Tree Protocol (RSTP)       802.1w
Multiple Spanning Tree Protocol (MSTP)    802.
Configure Per-VLAN Spanning Tree Plus
Configuring PVST+ is a four-step process.
1. Configure interfaces for Layer 2.
2. Place the interfaces in VLANs.
3. Enable PVST+.
4. Optionally, for load balancing, select a nondefault bridge-priority for a VLAN.
Influencing PVST+ Root Selection As shown in the previous per-VLAN spanning tree illustration, all VLANs use the same forwarding topology because R2 is elected the root, and all TenGigabitEthernet ports have the same cost. The following per-VLAN spanning tree illustration changes the bridge priority of each bridge so that a different forwarding topology is generated for each VLAN. This behavior demonstrates how you can use PVST+ to achieve load balancing. Figure 111.
Current root has priority 4096, Address 0001.e80d.b6d6 Number of topology changes 5, last change occurred 00:34:37 ago on Te 1/32 Port 375 (TenGigabitEthernet 1/22) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.375 Designated root has priority 4096, address 0001.e80d.b6:d6 Designated bridge has priority 4096, address 0001.e80d.b6:d6 Designated port id is 128.
● Port priority — influences the likelihood that a port is selected to be a forwarding port in case several ports have the same port cost. The following table lists the default values for port cost by interface. Table 73.
CAUTION: Configure EdgePort only on links connecting to an end station. EdgePort can cause loops if you enable it on an interface connected to a network. To enable EdgePort on an interface, use the following command. ● Enable EdgePort on an interface. INTERFACE mode spanning-tree pvst edge-port [bpduguard | shutdown-on-violation] The EdgePort status of each interface is given in the output of the show spanning-tree pvst command, as previously shown.
Figure 112. PVST+ with Extend System ID ● Augment the bridge ID with the VLAN ID. PROTOCOL PVST mode extend system-id DellEMC(conf-pvst)#do show spanning-tree pvst vlan 5 brief VLAN 5 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.73f7 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 1/22,32
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096
Example of PVST+ Configuration (R2)
interface TenGigabitEthernet 2/12
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 2/32
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 2/12,32
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 2/12,32
 no shutdown
!
inte
42 Quality of Service (QoS) This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Table 74.
Table 74. Dell EMC Networking Operating System (OS) Support for Port-Based, Policy-Based Features (continued)
Feature                              Direction
Create Output Policy Maps            Egress
Specify an Aggregate QoS Policy      Egress
Create Output Policy Maps            Egress
Enabling QoS Rate Adjustment
Enabling Strict-Priority Queueing
Weighted Random Early Detection      Egress
Create WRED Profiles                 Egress
Figure 113.
• Enabling Buffer Statistics Tracking Implementation Information The Dell EMC Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Honoring dot1p Priorities on Ingress Traffic By default, Dell EMC Networking OS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries.
Configuring Port-Based Rate Shaping Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted. If any stream exceeds the configured bandwidth on a continuous basis, it can consume all of the buffer space that is allocated to the port. Dell EMC Networking OS Behavior: Rate shaping is effectively rate limiting because of its smaller buffer size.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 114. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell EMC Networking OS matches packets against match criteria in the order that you configure them.
class-map match-any 2. Create a match-all class map. CONFIGURATION mode class-map match-all 3. Specify your match criteria. CLASS MAP mode [seq sequence number] match {ip | ipv6 | ip-any} After you create a class-map, Dell EMC Networking OS places you in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL. NOTE: Within a class-map, the match rules are installed in the sequence number order. 4. Link the class-map to a queue.
3. Specify your match criteria. CLASS MAP mode [seq sequence number] match mac After you create a class-map, Dell EMC Networking OS places you in CLASS MAP mode. Match-any class maps allow up to five access-lists. Match-all class-maps allow only one. You can match against only one VLAN ID. 4. Link the class-map to a queue.
 seq 5 permit ip host 23.64.0.2 any
 seq 10 deny ip any any
!
ip access-list extended AF1-FB2
 seq 5 permit ip host 23.64.0.3 any
 seq 10 deny ip any any
!
ip access-list extended AF2
 seq 5 permit ip host 23.64.0.5 any
 seq 10 deny ip any any
DellEMC# show cam layer3-qos interface tengigabitethernet 2/4
Cam Port Dscp Proto Tcp Src Dst SrcIp DstIp DSCP Queue Index Flag Port Port Marking
-----------------------------------------------------------------------
20416 1 18 IP 0x0 0 0 23.64.0.5/32 0.0.0.
Creating an Input QoS Policy To create an input QoS policy, use the following steps. 1. Create a Layer 3 input QoS policy. CONFIGURATION mode qos-policy-input Create a Layer 2 input QoS policy by specifying the keyword layer2 after the qos-policy-input command. 2.
The following table lists the default bandwidth weights for each queue, and their equivalent percentage, which is derived by dividing the bandwidth weight by the sum of all queue weights.
Table 76. Default Bandwidth Weights
Queue   Default Bandwidth Percentage for 4-Queue System   Default Bandwidth Percentage for 8-Queue System
0       6.67%                                             1%
1       13.33%                                            2%
2       26.67%                                            3%
3       53.33%                                            4%
4       -                                                 5%
5       -                                                 10%
6       -                                                 25%
7       -                                                 50%
NOTE: The system supports 4 data queues.
Applying a Class-Map or Input QoS Policy to a Queue To apply a class-map or input QoS policy to a queue, use the following command. ● Assign an input QoS policy to a queue. POLICY-MAP-IN mode service-queue Applying an Input QoS Policy to an Input Policy Map To apply an input QoS policy to an input policy map, use the following command. ● Apply an input QoS policy to an input policy map.
Table 78. Default dot1p to Queue Mapping (continued)
dot1p   Queue ID
3       1
4       2
5       3
6       3
7       3
The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN.
● Enable the trust dot1p feature.
POLICY-MAP-IN mode
trust dot1p
Mapping dot1p Values to Service Queues
All traffic is by default mapped to the same queue, Queue 0.
Creating Output Policy Maps 1. Create an output policy map. CONFIGURATION mode policy-map-output 2. After you create an output policy map, do one or more of the following: Applying an Output QoS Policy to a Queue Specifying an Aggregate QoS Policy Applying an Output Policy Map to an Interface 3. Apply the policy map to an interface. Applying an Output QoS Policy to a Queue To apply an output QoS policy to a queue, use the following command. ● Apply an output QoS policy to queues.
Important Points to Remember ● All DSCP values that are not specified as yellow or red are colored green (low drop precedence). ● A DSCP value cannot be in both the yellow and red lists. Setting the red or yellow list with any DSCP value that is already in the other list results in an error and no update to that DSCP list is made. ● Each color map can only have one list of DSCP values for each color; any DSCP values previously listed for that color that are not in the new DSCP list are colored green.
Displaying a DSCP Color Policy Configuration To display the DSCP color policy configuration for one or all interfaces, use the show qos dscp-color-policy {summary [interface] | detail {interface}} command in EXEC mode. summary: Displays summary information about a color policy on one or more interfaces. detail: Displays detailed color policy information on an interface interface : Enter the name of the interface that has the color policy configured.
Enabling Strict-Priority Queueing In strict-priority queuing, the system de-queues all packets from the assigned queue before servicing any other queues. You can assign strict-priority to one unicast queue, using the strict-priority command. ● Policy-based per-queue rate shaping is not supported on the queue configured for strict-priority queuing. To use queue-based rate-shaping as well as strict-priority queuing at the same time on a queue, use the Scheduler Strict feature as described in Scheduler Strict.
Table 79. Pre-Defined WRED Profiles
Default Profile Name   Minimum Threshold   Maximum Threshold   Maximum Drop Rate
wred_drop              0                   0                   100
wred_teng_y            467                 4671                100
wred_teng_g            467                 4671                50
wred_fortyg_y          467                 4671                50
wred_fortyg_g          467                 4671                25
Creating WRED Profiles
To create WRED profiles, use the following commands.
1. Create a WRED profile.
CONFIGURATION mode
wred-profile
2. Specify the minimum and maximum threshold values.
Displaying WRED Drop Statistics To display WRED drop statistics, use the following command. ● Display the number of packets that Dell EMC Networking OS drops under the WRED profile.
Pre-Calculating Available QoS CAM Space Before Dell EMC Networking OS version 7.3.1, there was no way to measure the number of CAM entries a policy-map would consume (the number of CAM entries that a rule uses is not predictable; from 1 to 16 entries might be used per rule depending upon its complexity). Therefore, it was possible to apply to an interface a policy-map that requires more entries than are available.
exceeded. If you configure ECN for WRED, devices employ ECN to mark the packets and reduce the rate of sending packets in a congested network. In a best-effort network topology, data packets are transmitted in a manner in which latency or throughput is not maintained to be at an effective level. Packets are dropped when the network experiences a large traffic load.
Table 80. Scenarios of WRED and ECN Configuration (continued) Queue Configuration Service-Pool Configuration WRED Threshold Relationship Expected Functionality Q threshold = Q-T, Service pool threshold = SP-T 1 0 0 X X 1 X Q-T < SP-T SP-T < Q-T Queue based WRED, No ECN marking SP based WRED, No ECN marking 1 1 0 X X Queue-based ECN marking above queue threshold. 1 X Q-T < SP-T ECN marking to shared buffer limits of the service-pool and then packets are tail dropped.
Guidelines for Configuring ECN for Classifying and Color-Marking Packets
Keep the following points in mind while configuring the marking and mapping of incoming packets using ECN fields in IPv4 headers:
● Currently Dell EMC Networking OS supports matching only the following TCP flags:
○ ACK
○ FIN
○ SYN
○ PSH
○ RST
○ URG
In the existing software, ECE/CWR TCP flag qualifiers are not supported.
Classifying Incoming Packets Using ECN and Color-Marking Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded. If you configure ECN for WRED, devices employ this functionality of ECN to mark the packets and reduce the rate of sending packets in a congested, heavily-loaded network.
You can now use the ‘ecn’ match qualifier along with the above TCP flag for classification.
policy-map-input pmap_dscp_40_50
 service-queue 2 class-map class_dscp_40
 service-queue 3 class-map class_dscp_50
Approach with explicit ECN match qualifiers for ECN packets:
!
ip access-list standard dscp_50_ecn
 seq 5 permit any dscp 50 ecn 1
 seq 10 permit any dscp 50 ecn 2
 seq 15 permit any dscp 50 ecn 3
!
ip access-list standard dscp_40_ecn
 seq 5 permit any dscp 40 ecn 1
 seq 10 permit any dscp 40 ecn 2
 seq 15 permit any dscp 40 ecn 3
!
ip access-list standard dscp_50_non_ecn
 seq 5 permit any dscp 50 ecn 0
Applying DSCP and VLAN Match Criteria on a Service Queue You can configure Layer 3 class maps which contain both a Layer 3 Differentiated Services Code Point (DSCP) and IP VLAN IDs as match criteria to filter incoming packets on a service queue on the switch. To configure a Layer 3 class map to classify traffic according to both an IP VLAN ID and DSCP value, use the match ip vlan vlan-id command in class-map input configuration mode.
Enable this utility to be able to configure the parameters for buffer statistics tracking. By default, buffer statistics tracking is disabled. 3.
4. Use show hardware buffer-stats-snapshot resource interface interface {priority-group {id | all} | queue {ucast {id | all} | mcast {id | all} | all}} to view buffer statistics tracking resource information for a specific interface.
43 Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Table 81. RIP Defaults
Feature | Default
Interfaces running RIP | ● Listen to RIPv1 and RIPv2 ● Transmit RIPv1
RIP timers | ● update timer = 30 seconds ● invalid timer = 180 seconds ● holddown timer = 180 seconds ● flush timer = 240 seconds
Auto summarization | Enabled
ECMP paths supported | 16
Configuration Information
By default, RIP is disabled in Dell EMC Networking OS. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
To view the global RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
DellEMC(conf-router_rip)#show config
!
router rip
 network 10.0.0.0
DellEMC(conf-router_rip)#
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
DellEMC#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 1/4
160.160.0.0/16 auto-summary
2.0.0.
31.0.0.0/8 auto-summary
192.162.2.0/24 [120/1] via 29.10.10.12, 00:01:21, Fa 1/49
192.162.2.0/24 auto-summary
192.161.1.0/24 [120/1] via 29.10.10.12, 00:00:27, Fa 1/49
192.161.1.0/24 auto-summary
192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 1/49
192.162.3.0/24 auto-summary
To disable RIP globally, use the no router rip command in CONFIGURATION mode.
Configure RIP on Interfaces
When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes.
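The show ip rip database output above is the record an operator reviews to confirm where learned routes come from. The following Python script is an added example (not part of this guide and not Dell EMC code) that parses routes in the line layout shown above and flags any route advertised by a gateway that is not one of the RIP neighbors you expect, or whose hop count exceeds a limit. The sample output, the gateway 198.51.100.9 and the neighbor allow-list are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Matches one learned-route line of "show ip rip database" in the form this
# guide shows, e.g. "160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 1/4".
_ROUTE_RE = re.compile(
    r"^\s*(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gateway>\S+),\s+"
    r"(?P<age>\d\d:\d\d:\d\d),\s+(?P<interface>.+?)\s*$"
)


def parse_rip_database(text: str) -> List[Dict[str, object]]:
    """Return one dict per learned route; auto-summary and header lines are skipped."""
    routes: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line)
        if m:
            routes.append({
                "prefix": m.group("prefix"),
                "distance": int(m.group("distance")),
                "metric": int(m.group("metric")),
                "gateway": m.group("gateway"),
                "age": m.group("age"),
                "interface": m.group("interface"),
            })
    return routes


def routes_from_unexpected_gateways(routes, expected_gateways: Iterable[str]):
    """Routes whose advertising gateway is not one of the RIP neighbors we expect."""
    expected = set(expected_gateways)
    return [r for r in routes if r["gateway"] not in expected]


def routes_over_hop_limit(routes, max_metric: int):
    """Routes whose RIP metric (hop count) is above max_metric."""
    return [r for r in routes if r["metric"] > max_metric]


# Constructed sample modelled on the output shown above; 198.51.100.9 is a
# made-up gateway that is not one of our configured neighbors.
SAMPLE_OUTPUT = """\
Total number of routes in RIP database: 4
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 1/4
160.160.0.0/16 auto-summary
192.162.2.0/24 [120/1] via 29.10.10.12, 00:01:21, Fa 1/49
192.162.2.0/24 auto-summary
10.99.0.0/16 [120/3] via 198.51.100.9, 00:00:05, Fa 1/50
10.99.0.0/16 auto-summary
"""

if __name__ == "__main__":
    routes = parse_rip_database(SAMPLE_OUTPUT)
    for r in routes_from_unexpected_gateways(routes, {"29.10.10.12"}):
        print(f"unexpected RIP source {r['gateway']} advertised {r['prefix']} on {r['interface']}")
```

Feed the script the captured output of show ip rip database and the set of neighbor addresses listed under Routing Information Sources; a route learned from any other gateway is worth investigating before it reaches the routing table.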
Adding RIP Routes from Other Instances In addition to filtering routes, you can add routes from other routing instances or protocols to the RIP process. With the redistribute command, you can include open shortest path first (OSPF), static, or directly connected routes in the RIP process. To add routes from other routing instances or protocols, use the following commands. ● Include directly connected or user-configured (static) routes in RIP.
To view the routing protocols configuration, use the show ip protocols command in EXEC mode.
○ value: The range is from 1 to 16.
○ route-map-name: The name of a configured route map.
To confirm that the default route configuration is completed, use the show config command in ROUTER RIP mode.
Summarize Routes
Routes in the RIPv2 routing table are summarized by default, thus reducing the size of the routing table and improving routing efficiency in large networks. By default, the autosummary command in ROUTER RIP mode is enabled and summarizes RIP routes up to the classful network boundary.
● debug ip rip [interface | database | events | trigger]
EXEC privilege mode
Enable debugging of RIP.
The following example shows the confirmation when you enable the debug function.
DellEMC#debug ip rip
RIP protocol debug is ON
DellEMC#
To disable RIP debugging, use the no debug ip rip command.
RIP Configuration Example
The examples in this section show the command sequence to configure RIPv2 on the two routers shown in the following illustration — Core 2 and Core 3.
● To display Core 2 RIP setup, use the show ip route command.
● To display Core 2 RIP activity, use the show ip protocols command.
The following example shows the show ip rip database command to view the learned RIP routes on Core 2.
Core2(conf-router_rip)#end
00:12:24: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
Core2#show ip rip database
Total number of routes in RIP database: 7
10.11.30.0/24 [120/1] via 10.11.20.1, 00:00:03, TenGigabitEthernet 2/3
10.300.10.
  10.300.10.0
  10.200.10.0
  10.11.20.0
  10.11.10.0
Routing Information Sources:
Gateway          Distance   Last Update
10.11.20.1       120        00:00:12
Distance: (default is 120)
Core2#
RIP Configuration on Core3
The following example shows how to configure RIPv2 on a host named Core3.
Core3(conf)#router rip
Core3(conf-router_rip)#version 2
Core3(conf-router_rip)#network 192.168.1.0
Core3(conf-router_rip)#network 192.168.2.0
Core3(conf-router_rip)#network 10.11.30.0
Core3(conf-router_rip)#network 10.11.20.
       L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default,
       > - non-active route, + - summary route
Gateway of last resort is not set
  Destination        Gateway                      Dist/Metric  Last Change
  -----------        -------                      -----------  -----------
R 10.11.10.0/24      via 10.11.20.2, Te 3/21      120/1        00:01:14
C 10.11.20.0/24      Direct, Te 3/21              0/0          00:01:53
C 10.11.30.0/24      Direct, Te 3/11              0/0          00:06:00
R 10.200.10.0/24     via 10.11.20.2, Te 3/21      120/1        00:01:14
R 10.300.10.0/24     via 10.11.20.2, Te 3/21      120/1        00:01:14
C 192.168.1.
  10.300.10.0
  10.11.10.0
  10.11.20.0
The following example shows viewing the RIP configuration on Core 3.
!
interface TenGigabitEthernet 3/1
 ip address 10.11.30.1/24
 no shutdown
!
interface TenGigabitEthernet 3/2
 ip address 10.11.20.1/24
 no shutdown
!
interface TenGigabitEthernet 3/4
 ip address 192.168.1.1/24
 no shutdown
!
interface TenGigabitEthernet 3/5
 ip address 192.168.2.1/24
 no shutdown
!
router rip
 version 2
 network 10.11.20.0
 network 10.11.30.0
 network 192.168.1.0
 network 192.168.2.
44 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell EMC Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
[no] rmon alarm number variable interval {delta | absolute} rising-threshold [value event-number] falling-threshold value event-number [owner string]
OR
[no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string]
Configure the alarm using the following optional parameters:
○ number: alarm number, an integer from 1 to 65,535; the value must be unique in the RMON Alarm Table.
this command. This configuration also generates an SNMP trap when the event is triggered using the SNMP community string “eventtrap”.
DellEMC(conf)#rmon event 1 log trap eventtrap description “High ifOutErrors” owner nms1
Configuring RMON Collection Statistics
To enable RMON MIB statistics collection on an interface, use the rmon collection statistics command in INTERFACE CONFIGURATION mode.
● Enable RMON MIB statistics collection.
45 Rapid Spanning Tree Protocol (RSTP) The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP).
● Prevent Network Disruptions with BPDU Guard
● Influencing RSTP Root Selection
● Configuring Spanning Trees as Hitless
● Enabling SNMP Traps for Root Elections and Topology Changes
● Configuring Fast Hellos for Link State Detection
● Flush MAC Addresses after a Topology Change
Important Points to Remember
● RSTP is disabled by default.
● Dell EMC Networking OS supports only one Rapid Spanning Tree (RST) instance.
Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. ● Only one path from any bridge to any other bridge is enabled. ● Bridges block a redundant path by disabling one of the link ports. To enable RSTP globally for all Layer 2 interfaces, use the following commands. 1.
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
DellEMC#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
Bridge Identifier has priority 32768, Address 0001.e801.
Te 3/4    Altr 128.684  128  20000  BLK  20000  P2P  No
R3#
Adding and Removing Interfaces
To add and remove interfaces, use the following commands.
To add an interface to the Rapid Spanning Tree topology, configure it for Layer 2 and it is automatically added. If you previously disabled RSTP on the interface using the no spanning-tree 0 command, re-enable it using the spanning-tree 0 command.
● Remove an interface from the Rapid Spanning Tree topology.
hello-time seconds
NOTE: With large configurations (especially those configurations with more ports) Dell EMC Networking recommends increasing the hello-time.
The range is from 1 to 10. The default is 2 seconds.
● Change the max-age parameter.
PROTOCOL SPANNING TREE RSTP mode
max-age seconds
The range is from 6 to 40. The default is 20 seconds.
To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode.
Influencing RSTP Root Selection
RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command.
● Assign a number as the bridge priority or designate it as the primary or secondary root.
PROTOCOL SPANNING TREE RSTP mode
bridge-priority priority-value
○ priority-value: The range is from 0 to 65535.
interface TenGigabitEthernet 2/1
 no ip address
 switchport
 spanning-tree rstp edge-port
 shutdown
DellEMC(conf-if-te-2/1)#
Configuring Fast Hellos for Link State Detection
Use RSTP fast hellos to achieve sub-second link-down detection so that convergence is triggered faster. The standard RSTP link-state detection mechanism does not offer the same low link-state detection speed.
46 Software-Defined Networking (SDN) The Dell EMC Networking OS supports software-defined networking (SDN). For more information, see the SDN Deployment Guide.
47 Security This chapter describes several ways to provide security to the Dell EMC Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide.
CONFIGURATION mode
aaa accounting {commands level | dot1x | exec | rest | suppress | system} {default | name} {start-stop | wait-start | stop-only} {radius | tacacs+}
The variables are:
○ system: sends accounting information of any other AAA configuration.
○ exec: sends accounting information when a user has logged in to EXEC mode.
○ dot1x: sends accounting information when a dot1x user has logged in to EXEC mode.
○ commands level: sends accounting of commands executed at the specified privilege level.
 accounting exec execAcct
DellEMC(config-line-vty)# accounting commands 15 com15
DellEMC(config-line-vty)# accounting exec execAcct
Monitoring AAA Accounting
Dell EMC Networking OS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command.
EAP START accounting record: Fri May 10 12:20:43 2019 NAS-IP-Address = 10.16.133.
Acct-Multi-Session-Id = "00-11-22-33-44-55-00-11-33-44-77-88-5e-50-d6-5cc"
Acct-Link-Count = 1
Acct-Terminate-Cause = Lost-Carrier
Acct-Status-Type = Stop
Event-Timestamp = "May 10 2019 23:30:42 CDT"
Tmp-String-9 = "ai:"
Acct-Unique-Session-Id = "5a761462ef63b815707de5fa1c5ef348"
Timestamp = 1557549042
RADIUS Accounting attributes
The following tables describe the various types of attributes that identify the supplicant sessions:
Table 84.
Table 85. RADIUS Accounting Stop Record Attributes for CLI user (continued)
RADIUS Attribute code | RADIUS Attribute | Description
 |  | VIRTUAL - for telnet/SSH session.
Table 86. Use cases for CLI user to trigger RADIUS Accounting Start/Stop records
CLI event | Accounting type | Attributes
CLI user authentication success | Start | Start record attributes for CLI user.
CLI user log-off | Stop | Stop record attributes with termination cause as User Request (1).
Table 88. RADIUS Accounting Stop Record Attributes for dot1x supplicant (continued)
RADIUS Attribute code | RADIUS Attribute | Description
1 | User-Name | User name / Supplicant MAC Address (for MAB).
5 | NAS-Port | Port on which session is terminated.
6 | Service-Type | Framed (2) for EAP / Call check (10) for MAB.
8 | Framed-IP-Address | IPv4 address of supplicant.
168 | Framed-IPv6-Address | IPv6 address of supplicant.
30 | Called-Station-Id | Switch MAC Address.
31 | Calling-Station-Id | Supplicant MAC Address.
Table 89. Use cases for dot1x supplicant to trigger RADIUS Accounting Start/Stop records (continued)
dot1x event | Accounting type | Attributes
Configure max supplicant per interface | Stop | Stop record attributes with termination cause as port-reinitialized (21).
Supplicant goes off without explicitly sending EAP logoff | Stop | Stop record attributes with termination cause as Idle Timeout (4).
Periodic Reauth of supplicant | Stop | Stop record attributes with termination cause as Supplicant restart (19).
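The accounting records above are plain "Attribute = value" blocks, and Tables 86 and 89 give the termination-cause codes a Stop record carries. The following Python script is an added example (not from this guide or from Dell EMC) that parses a dump of such records, pairs each Start with its Stop, reports sessions that never received a Stop, and maps Acct-Terminate-Cause names to the numeric codes named in those tables. The record header format, addresses and session ids in the sample are constructed; the session-key preference order (Acct-Multi-Session-Id, then Acct-Session-Id, then Acct-Unique-Session-Id) is an assumption of the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Acct-Terminate-Cause values named in Tables 86 and 89 above (RFC 2866 codes;
# 19 and 21 are the RFC 3580 additions for 802.1X). Keys are normalized names.
TERMINATE_CAUSE_CODES = {
    "userrequest": 1,
    "lostcarrier": 2,
    "idletimeout": 4,
    "supplicantrestart": 19,
    "portreinitialized": 21,
}

_HEADER_RE = re.compile(r"accounting record:", re.IGNORECASE)
_ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")


def _normalize(name: str) -> str:
    """'Lost-Carrier', 'Idle Timeout', 'port-reinitialized' -> lowercase alphanumerics."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def parse_accounting_records(text: str) -> List[Dict[str, str]]:
    """Split a dump of 'Attribute = value' records into one dict per record.

    A record starts at a header line containing 'accounting record:' (the
    form shown above); double-quoted values are unquoted.
    """
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if _HEADER_RE.search(line):
            current = {"_header": line.strip()}
            records.append(current)
            continue
        m = _ATTR_RE.match(line)
        if m and current is not None:
            name, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[name] = value
    return records


def session_key(record: Dict[str, str]) -> Optional[str]:
    """Identifier used to pair a Start with its Stop (first one present wins; assumed order)."""
    for name in ("Acct-Multi-Session-Id", "Acct-Session-Id", "Acct-Unique-Session-Id"):
        if name in record:
            return record[name]
    return None


def terminate_cause_code(record: Dict[str, str]) -> Optional[int]:
    """Numeric Acct-Terminate-Cause for a Stop record, or None if absent or unknown."""
    cause = record.get("Acct-Terminate-Cause")
    return None if cause is None else TERMINATE_CAUSE_CODES.get(_normalize(cause))


def unterminated_sessions(records: List[Dict[str, str]]) -> List[str]:
    """Session keys that have a Start record but no Stop record."""
    started, stopped = set(), set()
    for rec in records:
        key = session_key(rec)
        if key is None:
            continue
        status = rec.get("Acct-Status-Type", "").lower()
        if status == "start":
            started.add(key)
        elif status == "stop":
            stopped.add(key)
    return sorted(started - stopped)


def terminate_cause_summary(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count Stop records per Acct-Terminate-Cause name."""
    return dict(Counter(r["Acct-Terminate-Cause"] for r in records
                        if r.get("Acct-Status-Type", "").lower() == "stop"
                        and "Acct-Terminate-Cause" in r))


# Constructed sample in the layout shown above (addresses and ids are made up).
SAMPLE_RECORDS = """\
EAP START accounting record: Fri May 10 12:20:43 2019
NAS-IP-Address = 192.0.2.10
User-Name = "alice"
Acct-Status-Type = Start
Acct-Multi-Session-Id = "sess-A"
EAP START accounting record: Fri May 10 12:21:00 2019
NAS-IP-Address = 192.0.2.10
User-Name = "00-11-22-33-44-55"
Acct-Status-Type = Start
Acct-Multi-Session-Id = "sess-B"
EAP STOP accounting record: Fri May 10 12:25:00 2019
NAS-IP-Address = 192.0.2.10
User-Name = "00-11-22-33-44-55"
Acct-Status-Type = Stop
Acct-Terminate-Cause = Lost-Carrier
Acct-Multi-Session-Id = "sess-B"
"""

if __name__ == "__main__":
    recs = parse_accounting_records(SAMPLE_RECORDS)
    print("sessions without a Stop:", unterminated_sessions(recs))
    print("stop causes:", terminate_cause_summary(recs))
```

A session that has a Start but no Stop after a reasonable interval is the case to chase on the RADIUS side: either the supplicant is still connected or the Stop record was lost, and the accounting data alone cannot tell which.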
Configuring AAA Authentication Login Methods To configure an authentication method and method list, use the following commands. Dell EMC Networking OS Behavior: If you use a method list on the console port in which RADIUS or TACACS is the last authentication method, and the server is not reachable, Dell EMC Networking OS allows access even though the username and password credentials cannot be verified.
CONFIGURATION mode
aaa authentication enable default radius tacacs
2. Establish a host address and password.
CONFIGURATION mode
radius-server host x.x.x.x key some-password
3. Establish a host address and password.
CONFIGURATION mode
tacacs-server host x.x.x.x key some-password
To get enable authentication from the RADIUS server and use TACACS as a backup, issue the following commands. The following example shows enabling authentication from the RADIUS server.
Example:
DellEMC(config)#aaa authentication login vty_auth_list radius
Force all logged-in users to re-authenticate (y/n)?
3. You are prompted to force the users to re-authenticate whenever there is a change in the RADIUS server list.
CONFIGURATION mode
radius-server host IP Address
Example:
DellEMC(config)#radius-server host 192.100.0.12
Force all logged-in users to re-authenticate (y/n)?
DellEMC(config)#no radius-server host 192.100.0.
● Privilege level 1 — is the default level for EXEC mode. At this level, you can interact with the router, for example, view some show commands and Telnet and ping to test connectivity, but you cannot configure the router. This level is often called the “user” level. One of the commands available in Privilege level 1 is the enable command, which you can use to enter a specific privilege level. ● Privilege level 0 — contains only the end, enable, and disable commands.
Configuring the Enable Password Command To configure Dell EMC Networking OS, use the enable command to enter EXEC Privilege level 15. After entering the command, Dell EMC Networking OS requests that you enter a password. Privilege levels are not assigned to passwords, rather passwords are assigned to a privilege level. You can always change a password for any privilege level. To change to a different privilege level, enter the enable command, then the privilege level.
3. Configure level and commands for a mode or reset a command’s level.
CONFIGURATION mode
privilege mode {level level command | reset command}
Configure the following required and optional parameters:
● mode: enter a keyword for the modes (exec, configure, interface, line, route-map, or router)
● level level: the range is from 0 to 15. Levels 0, 1, and 15 are pre-configured. Levels 2 to 14 are available for custom configuration.
● command: a Dell EMC Networking OS CLI keyword (up to five keywords allowed).
snmp-server    Modify SNMP parameters
DellEMC(conf)#
Specifying LINE Mode Password and Privilege
You can specify a password authentication of all users on different terminal lines. The user’s privilege level is the same as the privilege level assigned to the terminal line, unless a more specific privilege level is assigned to the user. To specify a password for the terminal line, use the following commands.
● Configure a custom privilege level for the terminal lines.
8. Copy the startup-config into the running-config.
9. To display the content of the startup-config, remove the previous authentication configuration and set the new authentication parameters. The rest of the previous configuration is preserved.
Version 2.00.1201. Copyright (C) 2017 American Megatrends, Inc.
EVALUATION COPY.
Press or to enter setup.
Grub 1.99~rc1 (Dell Force10)
Built by root at bsdlab on Thu_Aug_18_06:51:21_UTC_2011
Z9000 Boot selector
Label 3.0.1.1 NetBoot
Label 0.0.0.
● Privilege Levels
After gaining authorization for the first time, you may configure these attributes.
NOTE: RADIUS authentication/authorization is done for every login. There is no difference between first-time login and subsequent logins.
Idle Time
Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30 minutes is used. RADIUS specifies the idle time allowed for a user during a session before timeout.
For a complete listing of all Dell EMC Networking OS commands related to RADIUS, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide. NOTE: RADIUS authentication and authorization are done in a single step. Hence, authorization cannot be used independent of authentication. However, if you have configured RADIUS authorization and have not configured authentication, a message is logged stating this.
○ retransmit retries: the range is from 0 to 100. The default is 3.
○ timeout seconds: the range is from 0 to 1000. The default is 5 seconds.
○ key [encryption-type] key: enter 0 for plain text or 7 for encrypted text, and a string for the key. The key can be up to 42 characters long. This key must match the key configured on the RADIUS server host.
If you do not configure these optional parameters, the global default values for all RADIUS hosts are applied.
Microsoft Challenge-Handshake Authentication Protocol Support for RADIUS Authentication Dell EMC Networking OS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAPv2) with RADIUS authentication. RADIUS is used to authenticate Telnet, SSH, console, REST, and OMI access to the switch based on the AAA configuration. By default, the RADIUS client in the switch uses PAP (Password Authentication Protocol) for sending the login credentials to the RADIUS server.
Choosing TACACS+ as the Authentication Method One of the login authentication methods available is TACACS+ and the user’s name and password are sent for authentication to the TACACS hosts specified. To use TACACS+ to authenticate users, specify at least one TACACS+ server for the system to communicate with and configure TACACS+ as one of your authentication methods. To select TACACS+ as the login authentication method, use the following commands. 1. Configure a TACACS+ server host.
vty0 (10.11.9.209)
DellEMC(conf)#username angeline password angeline
DellEMC(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline on vty0 (10.11.9.209)
%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0 ( 10.11.9.209 )
Monitoring TACACS+
To view information on TACACS+ transactions, use the following command.
● View TACACS+ transactions to troubleshoot problems.
To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command.
freebsd2# telnet 2200:2200:2200:2200:2200::2202
Trying 2200:2200:2200:2200:2200::2202...
Connected to 2200:2200:2200:2200:2200::2202.
Escape character is '^]'.
Login: admin
Password:
DellEMC#
Command Authorization
The AAA command authorization feature configures Dell EMC Networking OS to send each configuration command to a TACACS server for authorization before it is added to the running configuration.
● Display SSH connection information.
EXEC Privilege mode
show ip ssh
The following example uses the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting.
DellEMC(conf)#ip ssh server version 2
DellEMC(conf)#do show ip ssh
SSH server : enabled.
SSH server version : v2.
SSH server vrf : default.
SSH server ciphers : 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr.
● ip ssh rsa-authentication enable: enable RSA authentication for the SSHv2 server.
● ip ssh rsa-authentication: add keys for the RSA authentication.
● show crypto: display the public part of the SSH host-keys.
● show ip ssh client-pub-keys: display the client public keys used in host-based authentication.
● show ip ssh rsa-authentication: display the authorized-keys for the RSA authentication.
DellEMC#copy scp: flash:
Address or name of remote host []: 10.10.10.
● diffie-hellman-group14-sha1
The default key exchange algorithms are the following:
● diffie-hellman-group-exchange-sha1
● diffie-hellman-group1-sha1
● diffie-hellman-group14-sha1
When FIPS is enabled, the default is diffie-hellman-group14-sha1.
Example of Configuring a Key Exchange Algorithm
The following example shows you how to configure a key exchange algorithm.
● hmac-sha1
● hmac-sha1-96
● hmac-sha2-256
The default list of HMAC algorithms is in the following order:
● hmac-sha2-256
● hmac-sha1
● hmac-sha1-96
● hmac-md5
● hmac-md5-96
When FIPS is enabled, the default HMAC algorithms are hmac-sha2-256, hmac-sha1, and hmac-sha1-96.
Example of Configuring an HMAC Algorithm
The following example shows you how to configure an HMAC algorithm list.
● aes256-cbc
● aes128-ctr
● aes192-ctr
● aes256-ctr
The default cipher list is in the given order: aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc.
Example of Configuring a Cipher List
The following example shows you how to configure a cipher list.
DellEMC(conf)#ip ssh cipher aes128-ctr aes128-cbc 3des-cbc
Secure Shell Authentication
Secure Shell (SSH) is enabled by default using the SSH Password Authentication method.
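The default cipher, HMAC and key-exchange lists above include CBC-mode ciphers, 3DES, MD5 and 96-bit-truncated MACs, and the 1024-bit group1 exchange, so the first step of an SSH hardening review is to read show ip ssh and decide what to drop. The following Python script is an added example (not from this guide or from Dell EMC) that parses the algorithm lines of show ip ssh, separates each list into algorithms to drop and algorithms to keep under an assumed policy, and prints the CLI lines that reapply the retained lists in their existing order. Only ip ssh cipher appears in this guide; the ip ssh mac and ip ssh kex keywords, and the "SSH server macs :" and "SSH server kex :" output lines in the sample, are assumptions of the example.

```python
import re
from typing import Dict, List

# Algorithms a hardening review flags (assumed policy, not the guide's):
# CBC-mode and 3DES ciphers, MD5-based or 96-bit-truncated MACs, and the
# 1024-bit group1 / group-exchange-sha1 key exchanges. group14-sha1 is kept
# because it is the FIPS default named in this section.
WEAK_PATTERNS = {
    "ciphers": [r"-cbc$", r"^3des"],
    "macs": [r"md5", r"-96$"],
    "kex": [r"group1-", r"group-exchange-sha1$"],
}

# Assumed command keywords per category; only "ip ssh cipher" is shown in this guide.
CLI_KEYWORD = {"ciphers": "ip ssh cipher", "macs": "ip ssh mac", "kex": "ip ssh kex"}

_LINE_RE = re.compile(r"^SSH server (ciphers|macs|kex)\s*:\s*(.*?)\.?\s*$", re.IGNORECASE)


def parse_show_ip_ssh(text: str) -> Dict[str, List[str]]:
    """Extract the configured algorithm lists from 'show ip ssh' output."""
    lists: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            category = m.group(1).lower()
            lists[category] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return lists


def audit_ssh_algorithms(lists: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Split each configured list into 'weak' and 'keep', preserving the device's order."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for category, algorithms in lists.items():
        patterns = WEAK_PATTERNS.get(category, [])
        weak = [a for a in algorithms if any(re.search(p, a) for p in patterns)]
        keep = [a for a in algorithms if a not in weak]
        report[category] = {"configured": algorithms, "weak": weak, "keep": keep}
    return report


def hardening_commands(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """CLI lines that reapply each list with only the retained algorithms."""
    commands: List[str] = []
    for category in ("ciphers", "macs", "kex"):
        entry = report.get(category)
        # Only emit a command when something is dropped and something remains.
        if entry and entry["weak"] and entry["keep"]:
            commands.append(f"{CLI_KEYWORD[category]} {' '.join(entry['keep'])}")
    return commands


# Constructed sample: the cipher line copies the output shown above; the macs
# and kex lines are assumed to follow the same layout and carry the default
# lists from this section.
SAMPLE_SHOW_IP_SSH = """\
SSH server : enabled.
SSH server version : v2.
SSH server vrf : default.
SSH server ciphers : 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
SSH server kex : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
"""

if __name__ == "__main__":
    report = audit_ssh_algorithms(parse_show_ip_ssh(SAMPLE_SHOW_IP_SSH))
    for category, entry in report.items():
        print(f"{category}: drop {entry['weak']}, keep {entry['keep']}")
    print("\n".join(hardening_commands(report)))
```

Check the generated lists against the clients that must still reach the switch before applying them; a management host that only offers algorithms in the dropped set loses SSH access once the new lists are in place.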
5. Install the user’s public key for RSA authentication in SSH.
EXEC Privilege Mode
ip ssh rsa-authentication username username my-authorized-keys flash://public_key
If you provide the username, Dell EMC Networking OS installs the public key for that specific user.
NOTE: If no user is associated with the current logged-in session, the system displays the following error message.
admin@Unix_client# cat shosts
10.16.127.201, ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8K7jLZRVfjgHJzUOmXxuIbZx/AyWhVgJDQh39k8v3e8eQvLnHBIsqIL8jVy1QHhUeb7GaDlJVEDAMz30myqQbJgXBBRTWgBpLWwL/doyUXFufjiL9YmoVTkbKcFmxJEMkE3JyHanEi7hg34LChjk9hL1by8cYZP2kYS2lnSyQWk=
The following example shows creating rhosts.
admin@Unix_client# ls
id_rsa id_rsa.pub rhosts shosts
admin@Unix_client# cat rhosts
10.16.127.
VTY Line and Access-Class Configuration
Various methods are available to restrict VTY access in Dell EMC Networking OS. These depend on which authentication scheme you use — line, local, or remote.
Table 90. VTY Access
Authentication Method | VTY access-class support? | Username access-class support? | Remote authorization support?
Line | YES | NO | NO
Local | NO | YES | NO
TACACS+ | YES | NO | YES (with version 5.2.1.0 and later)
RADIUS | YES | NO | YES (with version 6.1.1.
VTY Line Remote Authentication and Authorization
Dell EMC Networking OS retrieves the access class from the VTY line. It takes the access class from the VTY line and applies it to ALL users, so it does not need to know the identity of the incoming user and can immediately apply the access class. If the authentication method is RADIUS, TACACS+, or line, and you have configured an access class for the VTY line, Dell EMC Networking OS immediately applies it.
Change of Authorization (CoA) packets Using the CoA packets, the NAS can handle authorization of dot1x sessions by processing the following requests from the Dynamic Authorization Client (DAC): Re-authentication of the supplicant, Port disable, and Port bounce. The CoA packets constitute one message request (CoA request) and one of the following two possible responses: ● Change of Authorization Acknowledgement (CoA-Ack) - If the authorization state change is successful, then NAS sends a CoA-Ack.
Table 94.
Table 97. CoA EAP/MAB Disable Port (continued)
Radius Attribute code | Radius Attribute | Description | Mandatory
Authorization Attributes
26 | Vendor-Specific | t=26(vendor-specific);l=length;vendor-identification-attribute;Length=value; Data=”cmd=bounce-host-port” | Yes
Table 98. CoA EAP/MAB Bounce Port
Radius Attribute code | Radius Attribute | Description | Mandatory
NAS Identification Attributes
4 | NAS-IP-Address | IPv4 address of the NAS. | No
95 | NAS-IPv6-Address | IPv6 address of the NAS.
Table 100. DM AAA Session(s) disconnect (continued)
Radius Attribute code | Radius Attribute | Description | Mandatory
5 | NAS-Port | Port on which session is terminated | No
Authorization Attributes
26 | Vendor-Specific | t=26(vendor-specific);l=length;vendor-identification-attribute;Length=value; Data=”cmd=disconnect-user” | Yes
Error-cause Values
It is possible that a Dynamic Authorization Server cannot honor Disconnect Message request or CoA request packets for some reason.
NOTE: The Invalid Attribute Value Error-Cause is applicable to the following scenarios:
○ if the CoA request contains an incorrect Vendor-Specific attribute value.
○ if the CoA request contains incorrect NAS-port or calling-station-id values.
● Dell EMC Networking OS rejects a CoA-Request containing a NAS-IP-Address or NAS-IPV6-Address attribute that does not match the NAS with a CoA-Nak; the Error-Cause value is “NAS Identification Mismatch” (403).
● Dell EMC Networking OS responds with a DM-Nak for any internal processing error in the NAS; the Error-Cause value is “Resources Unavailable” (506).
● Dell EMC Networking OS ignores attributes that are supported as per the RFC but are irrelevant to the DM operation.
● Dell EMC Networking OS responds to a disconnect message containing one or more incorrect attribute values with a Disconnect-NAK; the Error-Cause value is “Invalid Attribute Value” (407).
● Dell EMC Networking OS responds to a disconnect message containing unsupported attributes with a DM-Nak; the Error-Cause value is “Unsupported Attributes” (401).
The NAS uses the user-name, or both the user-name and the NAS-Port attribute, to identify the AAA user session. The NAS disconnects all sessions related to the user if the user-name is provided without the NAS-port.
1. Enter the following command to configure the dynamic authorization feature:
radius dynamic-auth
2. Enter the following command to terminate the 802.1x user session:
disconnect-user
The NAS disconnects the administrative users who are connected through an AAA interface.
● The user is logged-in through 802.1X enabled physical port and successfully authenticated with Radius Server. To initiate 802.1x session re-authentication, the DAC sends a standard CoA request that contains one or more session identification attributes. NAS uses the calling-station-id or the NAS-port attributes to identify a 802.1x user session. In case of the EAP or MAB users, the MAC address is the calling-station-id of the supplicant and the NAS-port is the interface identifier.
● Dell EMC Networking OS sends a DM-Nak with an error-cause value of 506 (resource unavailable) if it is not able to apply changes to the existing session.
● Dell EMC Networking OS discards the packet if simultaneous requests are received for the same NAS-port or calling-station-id, or both.
Disabling 802.1x enabled port
Dell EMC Networking OS provides RADIUS extension commands that enable you to disable 802.1x enabled ports. This command administratively shuts down the port, causing the termination of the dot1x user session.
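The Error-cause rules above, the session-identification rules for CoA (calling-station-id or NAS-port) and Disconnect Messages (user-name, optionally with NAS-Port), and the discard rule for simultaneous requests together describe how the NAS must answer each packet. The following Python model is an added example (not from this guide or from Dell EMC) that implements that decision logic over an in-memory session table: it returns the response type and Error-Cause value for a CoA-Request or Disconnect-Request, or None when the packet is discarded. The set of attributes accepted in a Disconnect-Request, the reauthentication-when-no-VSA convention, and the application of the NAS-identification check to Disconnect-Requests are assumptions of the example; the command string cmd=bounce-host-port and the numeric Error-Cause values come from this section.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Error-Cause values quoted in this section (RFC 5176 numbering).
UNSUPPORTED_ATTRIBUTE = 401
NAS_IDENTIFICATION_MISMATCH = 403
INVALID_ATTRIBUTE_VALUE = 407
RESOURCES_UNAVAILABLE = 506

# Attributes this model accepts in a Disconnect-Request (assumed set); anything
# else is answered with Error-Cause 401, as the section states.
SUPPORTED_DM_ATTRIBUTES = {"NAS-IP-Address", "NAS-IPv6-Address", "User-Name",
                           "NAS-Port", "Calling-Station-Id", "Vendor-Specific"}

# Vendor-Specific command strings named in the tables above, mapped to the action taken.
COA_COMMANDS = {"cmd=bounce-host-port": "bounce-port"}


@dataclass
class Session:
    user_name: str
    nas_port: str
    calling_station_id: str  # supplicant MAC for EAP/MAB sessions


@dataclass
class Nas:
    ip: str
    ipv6: Optional[str] = None
    sessions: List[Session] = field(default_factory=list)
    # (NAS-Port, Calling-Station-Id) pairs with a request already being processed.
    in_progress: Set[Tuple[Optional[str], Optional[str]]] = field(default_factory=set)
    actions: List[Tuple[str, str]] = field(default_factory=list)  # (action, nas_port) log


def _nas_matches(nas: Nas, req: Dict[str, str]) -> bool:
    """NAS-IP-Address / NAS-IPv6-Address, when present, must name this NAS."""
    if "NAS-IP-Address" in req and req["NAS-IP-Address"] != nas.ip:
        return False
    if "NAS-IPv6-Address" in req and req["NAS-IPv6-Address"] != nas.ipv6:
        return False
    return True


def handle_coa_request(nas: Nas, req: Dict[str, str]) -> Optional[Tuple[str, Optional[int]]]:
    """Process a CoA-Request for an 802.1X session; None means the packet was discarded."""
    if not _nas_matches(nas, req):
        return ("CoA-Nak", NAS_IDENTIFICATION_MISMATCH)
    ident = (req.get("NAS-Port"), req.get("Calling-Station-Id"))
    if ident in nas.in_progress:
        return None  # simultaneous request for the same port/MAC: discarded
    # Session selection by Calling-Station-Id and/or NAS-Port.
    targets = nas.sessions
    if ident[1] is not None:
        targets = [s for s in targets if s.calling_station_id.lower() == ident[1].lower()]
    if ident[0] is not None:
        targets = [s for s in targets if s.nas_port == ident[0]]
    if ident == (None, None) or not targets:
        return ("CoA-Nak", INVALID_ATTRIBUTE_VALUE)  # incorrect NAS-port / calling-station-id
    vsa = req.get("Vendor-Specific")
    # A CoA-Request carrying only session identification means re-authenticate (assumption).
    action = "reauthenticate" if vsa is None else COA_COMMANDS.get(vsa)
    if action is None:
        return ("CoA-Nak", INVALID_ATTRIBUTE_VALUE)  # incorrect Vendor-Specific value
    for s in targets:
        nas.actions.append((action, s.nas_port))
    return ("CoA-Ack", None)


def handle_disconnect_request(nas: Nas, req: Dict[str, str]) -> Tuple[str, Optional[int]]:
    """Disconnect the AAA sessions of User-Name (optionally narrowed by NAS-Port)."""
    if not _nas_matches(nas, req):  # mismatch rule applied to DM as well (assumption)
        return ("Disconnect-NAK", NAS_IDENTIFICATION_MISMATCH)
    if set(req) - SUPPORTED_DM_ATTRIBUTES:
        return ("Disconnect-NAK", UNSUPPORTED_ATTRIBUTE)
    targets = [s for s in nas.sessions if s.user_name == req.get("User-Name")]
    if "NAS-Port" in req:
        targets = [s for s in targets if s.nas_port == req["NAS-Port"]]
    if not targets:
        return ("Disconnect-NAK", INVALID_ATTRIBUTE_VALUE)
    for s in targets:
        nas.sessions.remove(s)
        nas.actions.append(("disconnect", s.nas_port))
    return ("Disconnect-ACK", None)


if __name__ == "__main__":
    # Constructed NAS with made-up addresses, ports and MACs.
    nas = Nas(ip="192.0.2.10", sessions=[Session("alice", "Te 1/1", "00-11-22-33-44-55")])
    print(handle_coa_request(nas, {"NAS-IP-Address": "192.0.2.10", "NAS-Port": "Te 1/1"}))
    print(handle_disconnect_request(nas, {"NAS-IP-Address": "192.0.2.10", "User-Name": "alice"}))
```

The model makes the two behaviours that matter for an operator explicit: a Disconnect-Request naming only User-Name takes down every session of that user, and a CoA-Request whose NAS address does not match is refused before any session lookup happens, so a mis-addressed request from the DAC shows up as a 403 rather than a silent no-op.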
Stack failover scenario This section describes the stack failover scenario. ● The NAS stacking module processes the RADIUS dynamic authorization messages only if the role of module is master. ● The NAS standby stacking module processes the retransmitted CoA or DM messages without requiring a chassis reboot, if the master module fails and the standby module becomes the master. Configuring replay protection NAS enables you to configure the replay protection window period.
● System-Defined RBAC User Roles
● Creating a New User Role
● Modifying Command Permissions for Roles
● Adding and Deleting Users from a Role
● Role Accounting
● Configuring AAA Authentication for Roles
● Configuring AAA Authorization for Roles
● Configuring an Accounting for Roles
● Applying an Accounting Method to a Role
● Displaying Active Accounting Sessions for Roles
● Configuring TACACS+ and RADIUS VSA Attributes for RBAC
● Displaying User Roles
● Displaying Accounting for User Roles
● Displaying Info
Configuring Role-based Only AAA Authorization You can configure authorization so that access to commands is determined only by the user’s role. If the user has no user role, access to the system is denied as the user is not able to login successfully.
● Network Operator (netoperator) - This user role has no privilege to modify any configuration on the switch. You can access Exec mode (monitoring) to view the current configuration and status information.
● Network Administrator (netadmin) - This user role can configure, display, and debug the network operations on the switch. You can access all of the commands that are available from the network operator user role.
Example of Creating a User Role
The configuration in the following example creates a new user role, myrole, which inherits the security administrator (secadmin) permissions.
Create a new user role, myrole, and inherit security administrator permissions.
DellEMC(conf)#userrole myrole inherit secadmin
Verify that the user role, myrole, has inherited the security administrator permissions.
Example: Allow Security Administrator to Access Interface Mode The following example allows the security administrator (secadmin) to access Interface mode.
In the following example, the command protocol permissions are reset to their original setting for one or more of the system-defined roles and any roles that inherited permissions from them.
DellEMC(conf)#role configure reset protocol
Adding and Deleting Users from a Role
To create a user name that is authenticated based on a user role, use the username name password encryption-type password role role-name command in CONFIGURATION mode.
Configure AAA Authorization for Roles Authorization services determine if the user has permission to use a command in the CLI. Users with only privilege levels can use commands in privilege-or-role mode (the default) provided their privilege level is the same or greater than the privilege level of those commands. Users with defined roles can use commands provided their role is permitted to use those commands. Role inheritance is also used to determine authorization.
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 6
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 7
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 8
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 9
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
!
Configuring T
● Displaying Active Accounting Sessions for Roles
Configuring AAA Accounting for Roles
To configure AAA accounting for roles, use the aaa accounting command in CONFIGURATION mode.
aaa accounting {system | exec | commands {level | role role-name}} {name | default} {start-stop | wait-start | stop-only} {tacacs+}
Example of Configuring AAA Accounting for Roles
The following example shows you how to configure AAA accounting to monitor commands executed by the users who have a secadmin user role.
[Table of the system-defined user roles (netoperator, netadmin, secadmin, sysadmin, testadmin) and the CLI modes each role can access (Exec, Config, Interface, Line, Router, IP, Routemap, Protocol, MAC); the row layout was not recoverable from the extracted text.]
Displaying Role Permissions Assigned to a Command
To display permissions assigned to a command, use the show role command in EXEC Privilege mode. The output displays the user role and/or permission level.
● If the credentials are invalid, the authentication fails.
NOTE: 2FA does not support RADIUS authentications done with REST, Web UI, and OMI.
Handling Access-Challenge Message
To provide a two-step verification in addition to the username and password, NAS prompts for additional information. An Access-Challenge request is sent from the RADIUS server to NAS.
Configuring the System to Drop Certain ICMP Reply Messages
You can configure the Dell EMC Networking OS to drop ICMP reply messages. When you configure the drop icmp command, the system drops the ICMP reply messages from the front end and management interfaces. By default, the Dell EMC Networking OS responds to all the ICMP messages.
● Drop the ICMP or ICMPv6 message type.
CONFIGURATION mode
drop {icmp | icmp6}
48 Service Provider Bridging
Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell EMC Networking OS.
Topics:
• VLAN Stacking
• VLAN Stacking Packet Drop Precedence
• Dynamic Mode CoS for VLAN Stacking
• Layer 2 Protocol Tunneling
• Provider Backbone Bridging
VLAN Stacking
VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.
Figure 118. VLAN Stacking in a Service Provider Network
Important Points to Remember
● Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN.
● Dell EMC Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
Related Configuration Tasks
● Configuring the Protocol Type Value for the Outer VLAN Tag
● Configuring Dell EMC Networking OS Options for Trunk Ports
● Debugging VLAN Stacking
● VLAN Stacking in Multi-Vendor Networks
Creating Access and Trunk Ports
To create access and trunk ports, use the following commands.
● Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
[Remainder of show vlan output: VLANs 2 through 5 Inactive; VLAN 6 Active with VLAN-stack (M) members Po1(Te 3/14-15) and Te 3/13.]
DellEMC#
Configuring the Protocol Type Value for the Outer VLAN Tag
The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command.
● Select a value for the S-Tag TPID.
CONFIGURATION mode
vlan-stack protocol-type
The default is 9100.
To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC privilege mode.
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   G - GVRP tagged, M - Vlan-stack
    NUM    Status    Description    Q Ports
*   1      Inactive
    100    Inactive                 U  Te 1/1
    101    Inactive                 T  Te 1/1
    103    Inactive                 M  Te 1/1
Debugging VLAN Stacking
To debug VLAN stacking, use the following command.
● Debug the internal state and membership of a VLAN and its ports.
debug member
The port notations are as follows:
● MT — stacked trunk
● MU — stacked access port
● T — 802.1Q trunk port
● U — 802.
system is able to differentiate between 0x8100 and untagged traffic and maps each to the appropriate VLAN, as shown by the packet originating from Building A. Therefore, a mismatched TPID results in the port not differentiating between tagged and untagged traffic.
Figure 119.
Figure 121. Single and Double-Tag TPID Mismatch
The following table details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the S-Series.
Table 104. Behaviors for Mismatched TPID
[Columns: Network Position | Incoming Packet TPID | System TPID | Match Type | Pre-Version 8.2.1.0 | Version 8.2.1. — the table rows were not recovered from the extracted text.]
Table 104. Behaviors for Mismatched TPID (continued)
[Columns: Network Position (Egress Access Point) | Incoming Packet TPID | System TPID | Match Type | Pre-Version 8.2.1.0 | Version 8.2.1. — the table rows were not recovered from the extracted text.]
Precedence    Description
Green         High-priority packets that are the least preferred to be dropped.
Yellow        Lower-priority packets that are treated as best-effort.
Red           Lowest-priority packets that are always dropped (regardless of congestion status).
● Honor the incoming DEI value by mapping it to a Dell EMC Networking OS drop precedence.
INTERFACE mode
dei honor {0 | 1} {green | red | yellow}
You may enter the command once for 0 and once for 1. Packets with an unmapped DEI value are colored green.
Figure 122. Statically and Dynamically Assigned dot1p for VLAN Stacking
When configuring Dynamic Mode CoS, you have two options:
● Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. In this case, you must have other dot1p QoS configurations; this option is classic dot1p marking.
● Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p.
interface TenGigabitEthernet 1/21
 no ip address
 switchport
 vlan-stack access
 vlan-stack dot1p-mapping c-tag-dot1p 0-3 sp-tag-dot1p 7
 service-policy input in layer2
 no shutdown
Mapping C-Tag to S-Tag dot1p Values
To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly, use the following commands.
1. Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
Figure 123. VLAN Stacking without L2PT
You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 124. VLAN Stacking with L2PT
Implementation Information
● L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
● No protocol packets are tunneled when you enable VLAN stacking.
● L2PT requires the default CAM profile.
Enabling Layer 2 Protocol Tunneling
To enable Layer 2 protocol tunneling, use the following command.
1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
EXEC Privilege mode
show cam-profile
2.
INTERFACE VLAN mode
protocol-tunnel stp
Specifying a Destination MAC Address for BPDUs
By default, Dell EMC Networking OS uses a Dell EMC Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
● Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
originally specified in 802.1Q. Only bridges in the service provider network use this destination MAC address so these bridges treat BPDUs originating from the customer network as normal data frames, rather than consuming them. The same is true for GARP VLAN registration protocol (GVRP). 802.
49 sFlow
sFlow is a standards-based sampling technology embedded within switches and routers that is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
● If the global sampling rate is non-default, for example 256, and if the sampling rate is not configured on the interface, the sampling rate of the interface is the global non-default sampling rate, that is, 256. To avoid the back-off, either increase the global sampling rate or configure all the line card ports with the desired sampling rate even if some ports have no sFlow configured.
Te 1/1: configured rate 16384, actual rate 16384
DellEMC#
If you did not enable any extended information, the show output displays the following (shown in bold).
Example of viewing the sflow max-header-size extended on an Interface Mode
DellEMC#show sflow interface tengigabitethernet 1/1
Te 1/1
sFlow type               :Ingress
Configured sampling rate :16384
Actual sampling rate     :16384
Counter polling interval :20
Extended max header size :256
Samples rcvd from h/w    :0
Example of the show running-config sflow Command
DellEMC#show running-config sflow
!
sflow collector 100.1.1.12 agent-addr 100.1.1.
Displaying Show sFlow on an Interface To view sFlow information on a specific interface, use the following command. ● Display sFlow configuration information and statistics on a specific interface. EXEC mode show sflow interface interface-name The following example shows the show sflow interface command.
Changing the Polling Intervals
The sflow polling-interval command configures the polling interval for an interface as the maximum number of seconds between successive counter samples sent to the collector. This command changes the global default counter polling interval (20 seconds). You can configure an interface to use a different polling interval. To configure the polling intervals globally (in CONFIGURATION mode) or by interface (in INTERFACE mode), use the following command.
The bold line shows that extended sFlow settings are enabled on all three types.
DellEMC#show sflow
sFlow services are enabled
Egress Management Interface sFlow services are disabled
Global default sampling rate: 32768
Global default counter polling interval: 20
Global default extended maximum header size: 128 bytes
Global extended information enabled: none
1 collectors configured
Collector IP addr: 100.1.1.1, Agent IP addr: 1.1.1.
Table 106. Extended Gateway Summary (continued)
[Columns: IP SA | IP DA | srcAS and srcPeerAS | dstAS and dstPeerAS | Description. Row recovered: BGP | BGP | Exported | Exported | Extended gateway data is packed.]
Version 7.8.1.0 allows extended gateway information in cases where the source and destination IP addresses are learned by different routing protocols, and for cases where the source is reachable over ECMP.
50 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell EMC Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
You can download the latest MIB files from the following path:
● https://www.force10networks.com/CSPortal20/Main/SupportMain.aspx.
Implementation Information
The following describes SNMP implementation information.
● Dell EMC Networking OS supports SNMP version 1 as defined by RFC 1155, 1157, and 1212, SNMP version 2c as defined by RFC 1901, and SNMP version 3 as defined by RFC 2571.
● Dell EMC Networking OS supports up to 16 trap receivers.
3. If you attempt to enable or disable FIPS mode and if any SNMPv3 users are previously configured, an error message is displayed stating that you must delete all of the SNMP users before changing the FIPS mode.
4. A message is logged indicating whether FIPS mode is enabled for SNMPv3. This message is generated only when the first SNMPv3 user is configured, because you can modify the FIPS mode only when users are not previously configured.
Creating a Community For SNMPv1 and SNMPv2, create a community to enable the community-based security in Dell EMC Networking OS. The management station generates requests to either retrieve or alter the value of a management object and is called the SNMP manager. A network element that processes SNMP requests is called an SNMP agent. An SNMP community is a group of SNMP agents and managers that are allowed to interact.
● Configure an SNMPv3 view.
CONFIGURATION mode
snmp-server view view-name 3 noauth {included | excluded}
NOTE: To give a user read and write privileges, repeat this step for each privilege type.
● Configure an SNMP group (with password or privacy privileges).
CONFIGURATION mode
snmp-server group group-name {oid-tree} priv read name write name
● Configure the user with a secure authorization password and privacy password.
In the following example, the value "4" displays in the OID before the IP address for IPv4. For an IPv6 IP address, a value of "16" displays.
> snmpget -v 2c -c mycommunity 10.11.131.161 sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (32852616) 3 days, 19:15:26.16
> snmpget -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1.3.0
The following example shows reading the value of the next managed object.
> snmpgetnext -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1.3.0
SNMPv2-MIB::sysContact.
The default is None.
● (From a management station) Identify the system manager along with this person's contact information (for example, an email address or phone number).
CONFIGURATION mode
snmpset -v version -c community agent-ip sysContact.0 s "contact-info"
You may use up to 55 characters. The default is None.
● (From a management station) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1).
snmp linkdown    PORT_LINKDN:changed interface state to down:%d
snmp linkup      PORT_LINKUP:changed interface state to up:%d
Enabling a Subset of SNMP Traps
You can enable a subset of Dell EMC Networking enterprise-specific SNMP traps using one of the following listed command options. To enable a subset of Dell EMC Networking enterprise-specific SNMP traps, use the following command.
● Enable a subset of SNMP traps.
Enable VLT traps.
vrrp    Enable VRRP state change traps
xstp
%SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority 32768, Address 0001.e801.fc35.
%SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port TenGigabitEthernet 1/8 transitioned from Forwarding to Blocking state.
%SPANMGR-5-MSTP_NEW_ROOT_BRIDGE: Elected root bridge for instance 0.
%SPANMGR-5-MSTP_NEW_ROOT_PORT: MSTP root changed to port Te 1/8 for instance 0. My Bridge ID: 40960:0001.e801.fc35 Old Root: 40960:0001.e801.fc35 New Root: 32768:00d0.
CONFIGURATION MODE
snmp-server enable traps snmp syslog-unreachable
To enable an SNMP agent to send a trap when the syslog server resumes connectivity, enter the following command:
CONFIGURATION MODE
snmp-server enable traps snmp syslog-reachable
Table 108. List of Syslog Server MIBS that have read access
MIB Object        OID                           Object Values                  Description
dF10SysLogTraps   1.3.6.1.4.1.6027.3.30.1.1     1 = reachable, 2 = unreachable  Specifies whether the syslog server is reachable or unreachable.
Table 109. MIB Objects for Copying Configuration Files via SNMP (continued)
MIB Object | OID | Object Values | Description
(copySrcFileType, continued) | | 2 = running-config; 3 = startup-config | ● If copySrcFileType is running-config or startup-config, the default copySrcFileLocation is flash. ● If copySrcFileType is a binary file, you must also specify copySrcFileLocation and copySrcFileName.
copySrcFileLocation | .1.3.6.1.4.1.6027.3.5.1.1.1.1.
Table 109. MIB Objects for Copying Configuration Files via SNMP (continued)
MIB Object | OID | Object Values | Description
(copyUserName, continued) | | | ● If you specify copyUserName, you must also specify copyUserPassword.
copyUserPassword | .1.3.6.1.4.1.6027.3.5.1.1.1.1.10 | Password for the server. | Password for the FTP, TFTP, or SCP server.
Copying a Configuration File
To copy a configuration file, use the following commands.
NOTE: In UNIX, enter the snmpset command for help using the following commands. Place the f10-copy-config.
The following examples show the command syntax using MIB object names and the same command using the object OIDs. In both cases, a unique index number follows the object.
The following example shows copying configuration files using MIB object names.
> snmpset -v 2c -r 0 -t 60 -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.101 i 2 copyDestFileType.101 i 3
FTOS-COPY-CONFIG-MIB::copySrcFileType.101 = INTEGER: runningConfig(2)
FTOS-COPY-CONFIG-MIB::copyDestFileType.
Copying the Startup-Config Files to the Server via TFTP
To copy the startup-config to the server via TFTP from the UNIX machine, use the following command.
NOTE: Verify that the file exists and its permissions are set to 777. Specify the relative path to the TFTP root directory.
● Copy the startup-config to the server via TFTP from the UNIX machine.
snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 3 copyDestFileType.index i 1 copyDestFileName.
Table 110. Additional MIB Objects for Copying Configuration Files via SNMP (continued)
MIB Object | OID | Values | Description
(copyState, continued) | | 6 = timeout; 7 = unknown |
copyEntryRowStatus | .1.3.6.1.4.1.6027.3.5.1.1.1.1.15 | Row status | Specifies the state of the copy operation. Uses CreateAndGo when you are performing the copy. The state is set to active when the copy is completed.
Obtaining a Value for MIB Objects
To obtain a value for any of the MIB objects, use the following command.
● Get a copy-config MIB object value.
Table 111. MIB Objects to Display the Information for Power Monitoring (continued)
MIB Object | OID | Description
envMonSupplyAvgStartTime | 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.7 | Displays average input-power start time.
SNMP Walk Example Output
snmpwalk -v 2c -c public 10.16.131.156 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.5
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.5.11 = INTEGER: 48
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.5.12 = INTEGER: 40
snmpwalk -v 2c -c public 10.16.131.
MIB Support to Display the Software Core Files Generated by the System
Dell EMC Networking provides MIB objects to display the software core files generated by the system. The chSysSwCoresTable contains the list of software core files generated by the system. The following table lists the related MIB objects.
Table 113. MIB Objects for Displaying the Software Core Files Generated by the System
MIB Object | OID | Description
chSysSwCoresTable | 1.3.6.1.4.1.6027.3.10.1.2.
MIB Support to Display the Available Partitions on Flash
Dell EMC Networking provides MIB objects to display the information of various partitions such as /flash, /tmp, /usr/pkg, and /f10/ConfD. The dellNetFlashStorageTable table contains the list of all partitions on disk. The following table lists the related MIB objects:
Table 114. MIB Objects to Display the Available Partitions on Flash
MIB Object | OID | Description
dellNetFlashPartitionNumber | 1.3.6.1.4.1.6027.3.26.1.4.8.1.1 | Index for the table.
[Walk of the dellNetFlashStorageTable: instance OIDs .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.2 through .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.5, .1.3.6.1.4.1.6027.3.26.1.4.8.1.5.1 through .1.3.6.1.4.1.6027.3.26.1.4.8.1.5.5, and .1.3.6.1.4.1.6027.3.26.1.4.8.1.6.1 through .1.3.6.1.4.1.6027.3.26.1.4.8.1.6. (truncated); the values were not recovered from the extracted text.]
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.10.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.20.1.1.0.24.0.0.0.0 = INTEGER: 1258296320
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.20.1.1.1.32.1.4.20.1.1.1.1.4.20.1.1.1 = INTEGER: 1258296320
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.20.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.30.1.1.0.24.0.0.0.0 = INTEGER: 1275078656
SNMPv2-SMI::enterprises.6027.
SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.80.80.80.0.24.1.4.10.1.1.1.1.4.10.1.1.1 = HexSTRING: 4C 76 25 F4 AB 02
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.80.80.80.0.24.1.4.20.1.1.1.1.4.20.1.1.1 = HexSTRING: 4C 76 25 F4 AB 02
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.80.80.80.0.24.1.4.30.1.1.1.1.4.30.1.1.1 = HexSTRING: 4C 76 25 F4 AB 02
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.90.90.90.0.24.0.0.0.0 = ""
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.90.90.90.1.32.1.4.127.0.0.1.1.4.127.0.0.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.10.1.1.0.24.0.0.0.0 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.10.1.1.1.32.1.4.10.1.1.1.1.4.10.1.1.1 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.10.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.20.1.1.0.24.0.0.0.0 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.20.1.1.1.32.1.4.20.1.1.1.1.4.20.1.1.1 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.20.1.
Table 117. MIB Objects for entAliasMappingTable (continued)
MIB Object | OID | Description
entAliasMappingEntry | 1.3.6.1.2.1.47.1.3.2.1 | Contains information about a particular logical entity.
entAliasLogicalIndexOrZero | 1.3.6.1.2.1.47.1.3.2.1.1 | Contains a non-zero value and identifies the logical entity named by the same value of entLogicalIndex.
entAliasMappingIdentifier | 1.3.6.1.2.1.47.1.3.2.1.
Table 118. MIB Objects for LAG (continued)
MIB Object | OID | Description
dot3adAggActorSystemPriority | 1.2.840.10006.300.43.1.1.1.1.2 | Contains a two octet read-write value indicating the priority value associated with the Actor's system ID.
dot3adAggActorSystemID | 1.2.840.10006.300.43.1.1.1.1.3 | Contains a six octet read-write MAC address value used as a unique identifier for the system that contains the Aggregator.
dot3adAggAggregateOrIndividual | 1.2.840.10006.300.43.1.1.1.1.
[Walk of the LAG table: instance OIDs iso.2.840.10006.300.43.1.1.1.1.3.1258356224, iso.2.840.10006.300.43.1.1.1.1.3.1258356736, iso.2.840.10006.300.43.1.1.1.1.4.1258356224, iso.2.840.10006.300.43.1.1.1.1.4.1258356736, iso.2.840.10006.300.43.1.1.1.1.5.1258356224, iso.2.840.10006.300.43.1.1.1.1.5. (truncated); the values were not recovered from the extracted text.]
Table 120. Interface level MIB Objects for Port Security (continued)
MIB Object | OID | Access or Permission | Description
dellNetPortSecIfSecureMacLimit | 1.3.6.1.4.1.6027.3.31.1.2.1.1.3 | read-write | Maximum number (N) of MAC addresses to be secured on the interface
dellNetPortSecIfCurrentMacCount | 1.3.6.1.4.1.6027.3.31.1.2.1.1.4 | read-only | Current number of MAC addresses learnt or configured on this interface
dellNetPortSecIfStationMoveEnable | 1.3.6.1.4.1.6027.3.31.1.2.1.1.
● VLAN ID
● Interface Index
NOTE: MAC addresses cannot be retrieved using dellNetPortSecSecureStaticMacAddrTable and dellNetPortSecSecureMacAddrTable. These tables are valid only if the port security feature is enabled globally in the system.
Table 121. MIB Objects for configuring MAC addresses
MIB Object | OID | Access or Permission | Description
dellNetPortSecIfSecureStaticMacRowStatus | 1.3.6.1.4.1.6027.3.31.1.2.2.1.
Viewing the Details of MAC addresses
To retrieve the dellNetSecureMacAddrType details, use the snmpwalk command. To retrieve the dellNetSecureMacAddrType for a MAC address (00:00:00:00:11:11) learnt or configured on VLAN 10, use the following command.
snmpwalk -v 2c -c public 10.16.129.24 1.3.6.1.4.1.6027.3.31.1.3.1.1.4.6.0.0.0.0.17.17.10
SNMPv2-SMI::enterprises.6027.3.31.1.3.1.1.4.6.0.0.0.0.17.17.
LineSpeed auto
ARP type: ARPA, ARP Timeout 04:00:00
To display the ports in a VLAN, send an snmpget request for the object dot1qStaticEgressPorts using the interface index as the instance number, as shown for an S-Series.
The following example shows viewing VLAN ports using SNMP with no ports assigned.
> snmpget -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786
SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.
Example of Adding an Untagged Port to a VLAN using SNMP
In the following example, Port 0/2 is added as an untagged member of VLAN 10.
>snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786 x "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" .1.3.6.1.2.1.17.7.1.4.3.1.4.
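The hex string in the snmpset above is a Q-BRIDGE-MIB PortList: each octet covers eight bridge ports and the most significant bit is the lowest-numbered port, so a lone 0x40 in the first octet selects port 2. The following helper, an added example that is not part of the Dell guide, encodes and decodes that bitmap so the value can be built programmatically instead of by hand; the port numbers and octet count used in the calls are constructed sample values.

```python
# Added example (not from the Dell guide): encode/decode the Q-BRIDGE-MIB PortList
# used by dot1qStaticEgressPorts and dot1qVlanStaticUntaggedPorts (RFC 4363).
# Layout: octet k holds bridge ports 8k+1..8k+8, MSB = lowest-numbered port.
# A value of "40 00 ..." therefore means "port 2 only", matching the example above.

def encode_portlist(ports, n_octets):
    """Return the PortList for the given bridge port numbers as a hex string
    in the space-separated form that snmpset's 'x' type accepts."""
    octets = bytearray(n_octets)
    for port in ports:
        if port < 1 or port > 8 * n_octets:
            raise ValueError(f"port {port} outside 1..{8 * n_octets}")
        idx, bit = divmod(port - 1, 8)   # which octet, which bit from the MSB
        octets[idx] |= 0x80 >> bit
    return " ".join(f"{b:02X}" for b in octets)

def decode_portlist(hex_string):
    """Parse a PortList hex string (as printed by snmpget) into the set of
    bridge port numbers whose bit is set."""
    ports = set()
    for idx, tok in enumerate(hex_string.split()):
        value = int(tok, 16)
        for bit in range(8):
            if value & (0x80 >> bit):
                ports.add(8 * idx + bit + 1)
    return ports

def add_port(hex_string, port):
    """Read-modify-write helper: return a new PortList with `port` added while
    keeping the members already present. An snmpset replaces the whole bitmap,
    so writing a freshly built value without merging drops existing members."""
    ports = decode_portlist(hex_string)
    ports.add(port)
    return encode_portlist(ports, len(hex_string.split()))

if __name__ == "__main__":
    print(encode_portlist({2}, 4))          # constructed: port 2 in a 4-octet list
    print(decode_portlist("40 00 00 00"))   # constructed: back to {2}
    print(add_port("40 00 00 00", 1))       # constructed: ports 1 and 2
```

The operational check this encourages is the read-modify-write in add_port: fetch the current dot1qStaticEgressPorts value first, set the extra bit, then write the merged bitmap back, because the set operation overwrites the entire port list rather than adding to it.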
F10-ISIS-MIB::f10IsisSysOloadV6SetOverload
F10-ISIS-MIB::f10IsisSysOloadV6SetOloadOnStartupUntil
F10-ISIS-MIB::f10IsisSysOloadV6WaitForBgp
To enable the overload bit, set 1.3.6.1.4.1.6027.3.18.1.1 for IPv4 and 1.3.6.1.4.1.6027.3.18.1.4 for IPv6.
To set the time to wait, set 1.3.6.1.4.1.6027.3.18.1.2 and 1.3.6.1.4.1.6027.3.18.1.5 respectively.
To set the time to wait until the BGP sessions are up, set 1.3.6.1.4.1.6027.3.18.1.3 and 1.3.6.1.4.1.6027.3.18.1.
In the following example, R1 has one dynamic MAC address, learned off of port TenGigabitEthernet 1/21, which is a member of the default VLAN, VLAN 1. The SNMP walk returns the values for dot1dTpFdbAddress, dot1dTpFdbPort, and dot1dTpFdbStatus. Each object comprises an OID concatenated with an instance number. In the case of these objects, the instance number is the decimal equivalent of the MAC address; derive the instance number by converting each hex pair to its decimal equivalent.
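Two instance-number conventions appear in this chapter: the dot1dTpFdb objects above index rows by the six MAC octets written in decimal, and the InetAddress-indexed objects shown earlier prefix the address with its length ("4" for IPv4, "16" for IPv6). The following block, an added example that is not part of the Dell guide, converts between a MAC address and its decimal instance, builds the three dot1dTpFdb OIDs for one MAC, builds a length-prefixed InetAddress instance, and parses a dot1dTpFdbPort walk line. The BRIDGE-MIB OIDs are the standard ones; the MAC address, IP addresses, and walk output used as input are constructed samples, not captured from a switch.

```python
# Added example (not from the Dell guide): SNMP table instance encoding.
#   - dot1dTpFdbTable (BRIDGE-MIB, 1.3.6.1.2.1.17.4.3.1.x): instance = MAC octets
#     written as six decimal numbers.
#   - InetAddress-indexed rows: instance = address length (4 or 16) followed by
#     the address octets, which is the "4"/"16" the guide refers to.
import ipaddress

DOT1D_TP_FDB_ADDRESS = "1.3.6.1.2.1.17.4.3.1.1"   # standard BRIDGE-MIB OIDs
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"
DOT1D_TP_FDB_STATUS = "1.3.6.1.2.1.17.4.3.1.3"

def mac_to_instance(mac):
    """'00:01:e8:06:95:ac' -> '0.1.232.6.149.172' (accepts :, - or . separators)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 6 octets")
    return ".".join(str(b) for b in octets)

def instance_to_mac(instance):
    """'0.1.232.6.149.172' -> '00:01:e8:06:95:ac'."""
    parts = [int(p) for p in instance.split(".")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("instance must be six decimal octets")
    return ":".join(f"{p:02x}" for p in parts)

def fdb_oids(mac):
    """Full OIDs to snmpget the address, port and status rows for one MAC."""
    inst = mac_to_instance(mac)
    return {
        "address": f"{DOT1D_TP_FDB_ADDRESS}.{inst}",
        "port": f"{DOT1D_TP_FDB_PORT}.{inst}",
        "status": f"{DOT1D_TP_FDB_STATUS}.{inst}",
    }

def inet_address_instance(addr):
    """Length-prefixed InetAddress index: '4.a.b.c.d' for IPv4, '16.<octets>' for IPv6."""
    packed = ipaddress.ip_address(addr).packed
    return ".".join([str(len(packed))] + [str(b) for b in packed])

def parse_fdb_walk(lines):
    """Parse snmpwalk lines of dot1dTpFdbPort into {mac: bridge_port}.
    Assumed line shape: 'SNMPv2-SMI::mib-2.17.4.3.1.2.<instance> = INTEGER: <n>'."""
    result = {}
    prefix = "mib-2.17.4.3.1.2."
    for line in lines:
        lhs, sep, rhs = line.partition(" = ")
        if not sep or prefix not in lhs:
            continue                      # not a dot1dTpFdbPort row, skip it
        inst = lhs.split(prefix, 1)[1]
        port = int(rhs.split(":")[-1])
        result[instance_to_mac(inst)] = port
    return result

# Constructed sample walk output (not captured from a real switch).
SAMPLE_WALK = [
    "SNMPv2-SMI::mib-2.17.4.3.1.2.0.1.232.6.149.172 = INTEGER: 21",
]

if __name__ == "__main__":
    print(fdb_oids("00:01:e8:06:95:ac"))
    print(inet_address_instance("10.11.131.161"))
    print(parse_fdb_walk(SAMPLE_WALK))
```

The walk parser is what a monitoring script would use to turn the forwarding table into something comparable run to run, for example to notice a MAC moving between bridge ports.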
Pluggable media not present
Interface index is 2097156
MIB Objects for Viewing the System Image on Flash Partitions
To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object or, to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object.
Table 124. MIB Objects for Viewing the System Image on Flash Partitions
MIB Object | OID | Description | MIB
chSysSwInPartitionAImgVers | 1.3.6.1.4.1.6027.3.10.1.2.8.1.
● snmp-server community VRF1 ro
● snmp-server community VRF2 ro
● snmp-server context cx1
● snmp-server context cx2
● snmp-server group admingroup 3 auth read readview write writeview
● snmp-server group admingroup 3 auth read readview context cx1
● snmp-server group admingroup 3 auth read readview context cx2
● snmp-server user admin admingroup 3 auth md5 helloworld
● snmp mib community-map VRF1 context cx1
● snmp mib community-map VRF2 context cx2
● snmp-server view readview .
Monitor Port-Channels
To check the status of a Layer 2 port-channel, use f10LinkAggMib (.1.3.6.1.4.1.6027.3.2). In the following example, Po 1 is a switchport and Po 2 is in Layer 3 mode.
Example of SNMP Trap for Monitored Port-Channels
[senthilnathan@lithium ~]$ snmpwalk -v 2c -c public 10.11.1.1 .1.3.6.1.4.1.6027.3.2.1.1
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.1 = INTEGER: 1
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.2 = INTEGER: 2
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.2.
IF-MIB::linkUp
IF-MIB::ifIndex.1107755009 = INTEGER: 1107755009
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Po 1"
Troubleshooting SNMP Operation
When you use SNMP to retrieve management data from an SNMP agent on a Dell EMC Networking router, take into account the following behavior.
● When you query an IPv4 icmpMsgStatsInPkts object in the ICMP table by using the snmpwalk command, the output for echo replies may be incorrectly displayed.
Table 125. SNMP OIDs for Transceiver Monitoring (continued)
Field (OID) | Description
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.4 | Optics Type
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.5 | Vendor Name
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.6 | Part Number
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.7 | Serial Number
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.8 | Transmit Power Lane1
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.9 | Transmit Power Lane2
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.
51 Stacking Using the Dell EMC Networking OS stacking feature, you can interconnect multiple switch units with stacking ports or front end user ports. The stack becomes manageable as a single switch through the stack management unit. The system accepts Unit ID numbers from 0 to 11 and it supports stacking up to six units.
Stack Master Election The stack elects a master and standby unit at bootup time based on two criteria. ● Unit priority — User-configurable. The range is from 1 to 14. A higher value (14) means a higher priority. The default is 0. By removing the stack-unit priority using the no stack-unit priority command, you can set the priority back to the default value of zero. The unit with the highest priority is elected the master management unit; the unit with the second highest priority is elected the standby unit.
Failover Roles If the stack master fails (for example, is powered off), it is removed from the stack topology. The standby unit detects the loss of peering communication and takes ownership of the stack management, switching from the standby role to the master role. The distributed forwarding tables are retained during the failover, as is the stack MAC address. The lack of a standby unit triggers an election within the remaining units for a standby role.
Example of Adding a Standalone with a Lower MAC Address and Equal Priority to a Stack
---------------STANDALONE AFTER CONNECTION----------------
Standalone#%STKUNIT0-M:CP %POLLMGR-2-ALT_STACK_UNIT_STATE: Alternate Stack-unit is present
00:20:20: %STKUNIT0-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit 1 present
00:20:22: %STKUNIT0-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit 2 present
Going for reboot.
Figure 125. Supported Stacking Topologies High Availability on Stacks Stacks have master and standby management units analogous to Dell EMC Networking route processor modules (RPM). The master unit synchronizes the running configuration and protocol states so that the system fails over in the event of a hardware or software fault on the master unit. In such an event, or when the master unit is removed, the standby unit becomes the stack manager and Dell EMC Networking OS elects a new standby unit.
pwd                     Display current working directory
rename                  Rename a file
reset                   Reset selected card
show                    Show running system information
ssh-peer-stack-unit     Open a SSH connection to the peer stack-unit
start                   Start shell
telnet-peer-stack-unit  Open a telnet connection to the peer stack-unit
terminal                Set terminal line parameters
upload                  Upload file
Dell(standby)#
-----------------CONSOLE ACCESS ON A MEMBER---------------------------
Dell(stack-member-1)#?
reset-self              Reset this unit alone
show                    Show running system information
Figure 126. Stack-Group Assignments
You can connect the units while they are powered down or up. Stacking ports are bi-directional. When a unit is added to a stack, the management unit performs a system check on the new unit to ensure the hardware type is compatible. A similar check is performed on the Dell EMC Networking OS version. If the stack is running Dell EMC Networking OS version 8.3.12.0 and the new unit is running an earlier software version, the new unit is put into a card problem state.
EXEC Privilege mode
reload
Dell EMC Networking OS automatically assigns a number to the new unit and adds it as a member switch in the stack. The new unit synchronizes its running and startup configurations with the stack.
4. After the units are reloaded, the system reboots. The units come up in a stack after the reboot completes. To view the port assignments, use the show system stack-unit command.
When the stack-group configuration is complete, the system prints a syslog for reload.
DellEMC#configure
DellEMC(conf)#stack-unit 4 stack-group 13
DellEMC(conf)#02:39:12: %STKUNIT4-M:CP %IFMGR-6-STACK_PORTS_ADDED: Ports Fo 4/52 have been configured as stacking ports. Please save and reload for config to take effect
DellEMC(conf)#stack-unit 4 stack-group 14
DellEMC(conf)#02:39:15: %STKUNIT4-M:CP %IFMGR-6-STACK_PORTS_ADDED: Ports Fo 4/56 have been configured as stacking ports.
1. On the stack, determine the next available stack-unit number, and the management priority of the management unit.
EXEC Privilege mode
show system brief or show system stack-unit
2. On the new unit, number it the next available stack-unit number.
EXEC Privilege mode
stack-unit stack-unit-number renumber stack-unit-new-number
3. (OPTIONAL) On the new unit, assign a management priority based on whether you want the new unit to be the stack manager.
Adding a Configured Unit to an Existing Stack
To add a configured unit to an existing stack, use the following commands. If a stack unit goes down and is removed from the stack, the logical provisioning configured for that stack-unit number is saved on the master and standby units. When a new unit is added to the stack, if a stack group configuration conflict occurs between the new unit and the provisioned stack unit, the configuration of the new unit takes precedence.
1.
Split a Stack
To split a stack, unplug the desired stacking cables. You may do this at any time, whether the stack is powered or unpowered, and the units are online or offline. Each portion of the split stack retains the startup and running configuration of the original stack. For a parent stack that is split into two child stacks, A and B, each with multiple units:
● If one of the new stacks receives the master and the standby management units, it is unaffected by the split.
EXEC Privilege mode
show system
● Display most of the information in show system, but in a more convenient tabular form.
EXEC Privilege mode
show system brief
● Display the same information as show system, but only for the specified unit.
EXEC Privilege mode
show system stack-unit
● Display topology and stack link status for the entire stack.
EXEC Privilege mode
show system stack-ports [status | topology]
Display information about a switch stack using the show system command.
Dell Networking OS Version : 8-3-7-13
Jumbo Capable : yes
POE Capable : no
Burned In MAC : 00:01:e8:8a:df:bf
No Of MACs : 3
-----output truncated----
The following is an example of the show system brief command to view the stack summary information.
The default is 0.
Managing Redundancy on a Stack
Use the following commands to manage the redundancy on a stack.
● Reset the current management unit and make the standby unit the new master unit.
EXEC Privilege mode
redundancy force-failover stack-unit
A new standby is elected. When the former stack master comes back online, it becomes a member unit.
● Prevent the stack master from rebooting after a failover.
(Gb/s) Status Status Group
----------------------------------------------------
1/48 7/56 40 up up
1/52 5/60 40 up up
2/56 6/52 40 up up
2/60 4/52 40 up up
3/48 7/52 40 up up
3/52 5/56 40 up up
4/52 6/48 40 up up
4/56 4/48 40 up up
DellEMC#
The following example shows the parameters for the management unit in the stack.
3/39 1/39 10 up up
3/44 2/36 10 up up
3/45 2/37 10 up up
3/46 2/38 10 up up
3/47 2/39 10 up up
1/36 3/36 10 up up
1/37 3/37 10 up up
1/38 3/38 10 up up
1/39 3/39 10 up up
2/36 3/44 10 up up
2/37 3/45 10 up up
2/38 3/46 10 up up
2/39 3/47 10 up up
stack-2#
Remove Units or Front End Ports from a Stack
To remove units or front end ports from a stack, use the following instructions.
8 Member not present
9 Member not present
10 Member not present
11 Member not present
NOTE: Each unit in the stack has a stack number that is either assigned by you or Dell EMC Networking OS. To manually renumber stack members, use the stack-unit old-unit-number renumber new-unit-number command. Renumbering stack members causes the entire stack to reload.
Removing Front End Port Stacking
To remove the configuration on the front end ports used for stacking, use the following commands.
1.
now.
Error: Please check the stack cable/module and power-cycle the stack.
Recover from a Card Problem State on a Stack
If a unit added to a stack has a different Dell EMC Networking OS version, the unit does not come online and Dell EMC Networking OS cites a card problem error. To recover, disconnect the new unit from the stack, change the Dell EMC Networking OS version to match the stack, and then reconnect it to the stack.
Stack MAC : 00:01:e8:d5:ef:81
-- Stack Info --
Unit UnitType Status ReqTyp CurTyp Version Ports
---------------------------------------------------------
0 Management online S50V S50V 7.8.1.
52 Storm Control
Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell EMC Networking Operating System (OS) Behavior: Dell EMC Networking OS supports unknown-unicast, multicast, and broadcast control for Layer 2 and Layer 3 traffic.
Dell EMC Networking OS Behavior: The minimum number of packets per second (PPS) that storm control can limit on the device is two.
● Configure the packets per second of multicast traffic allowed on a C-Series or S-Series interface (ingress only) network only.
INTERFACE mode
storm-control multicast packets_per_second in
● Shut down the port if it receives PFC/LLFC packets at more than the configured rate.
INTERFACE mode
storm-control pfc-llfc pps in shutdown
NOTE: An interface with PFC/LLFC storm control enabled is disabled if it receives continuous PFC/LLFC packets.
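To make the two behaviours above concrete (excess storm traffic is dropped, while excess PFC/LLFC frames disable the port), here is an added Python model; it is not Dell EMC Networking OS code. The two-packets-per-second minimum and the traffic classes are the chapter's; the sliding one-second window that stands in for the hardware meter is an assumption.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Set, Tuple

TRAFFIC_CLASSES = ("unknown-unicast", "multicast", "broadcast")
MIN_PPS = 2   # the chapter's stated minimum rate the device can enforce


class StormControl:
    """Constructed packets-per-second model of the storm-control commands above.
    A sliding one-second window stands in for the hardware meters (assumption)."""

    def __init__(self) -> None:
        self.limits: Dict[Tuple[str, str], int] = {}     # (port, class) -> pps
        self.pfc_llfc_limits: Dict[str, int] = {}        # port -> pps before shutdown
        self._windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.shut_down: Set[str] = set()

    def configure(self, port: str, traffic_class: str, pps: int) -> None:
        """storm-control {unknown-unicast|multicast|broadcast} <pps> in"""
        if traffic_class not in TRAFFIC_CLASSES:
            raise ValueError(f"unknown traffic class {traffic_class!r}")
        if pps < MIN_PPS:
            raise ValueError(f"rate {pps} below the {MIN_PPS} pps minimum")
        self.limits[(port, traffic_class)] = pps

    def configure_pfc_llfc(self, port: str, pps: int) -> None:
        """storm-control pfc-llfc <pps> in shutdown"""
        if pps < MIN_PPS:
            raise ValueError(f"rate {pps} below the {MIN_PPS} pps minimum")
        self.pfc_llfc_limits[port] = pps

    def _seen_in_last_second(self, key: Tuple[str, str], now: float) -> int:
        window = self._windows[key]
        while window and now - window[0] >= 1.0:
            window.popleft()
        return len(window)

    def ingress(self, port: str, traffic_class: str, now: float) -> str:
        """Classify one received packet: 'forward', 'drop' or 'shutdown'."""
        if port in self.shut_down:
            return "drop"                      # a disabled port accepts nothing
        key = (port, traffic_class)
        if traffic_class == "pfc-llfc":
            limit = self.pfc_llfc_limits.get(port)
            if limit is not None and self._seen_in_last_second(key, now) >= limit:
                self.shut_down.add(port)       # rate exceeded: the interface is disabled
                return "shutdown"
        else:
            limit = self.limits.get(key)
            if limit is not None and self._seen_in_last_second(key, now) >= limit:
                return "drop"                  # excess storm traffic is discarded
        self._windows[key].append(now)
        return "forward"

    def clear(self, port: str) -> None:
        """Operator re-enables a port that PFC/LLFC storm control shut down."""
        self.shut_down.discard(port)
        for key in list(self._windows):
            if key[0] == port:
                del self._windows[key]
```

A class with no configured limit is always forwarded, which mirrors the fact that storm control is off until the interface command is applied.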
53 Spanning Tree Protocol (STP)
The spanning tree protocol (STP) is supported on Dell EMC Networking OS.
Related Configuration Tasks
● Adding an Interface to the Spanning Tree Group
● Modifying Global Parameters
● Modifying Interface STP Parameters
● Enabling PortFast
● Prevent Network Disruptions with BPDU Guard
● STP Root Guard
● Enabling SNMP Traps for Root Elections and Topology Changes
● Configuring Spanning Trees as Hitless
Important Points to Remember
● STP is disabled by default.
● The Dell EMC Networking OS supports only one spanning tree instance (0).
Configuring Interfaces for Layer 2 Mode
All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled.
Figure 128. Example of Configuring Interfaces for Layer 2 Mode
To configure and enable the interfaces for Layer 2, use the following commands.
1. If the interface has been assigned an IP address, remove it.
INTERFACE mode
no ip address
2. Place the interface in Layer 2 mode.
INTERFACE mode
switchport
3. Enable the interface.
no shutdown
DellEMC(conf-if-te-1/1)#
Enabling Spanning Tree Protocol Globally
Enable the spanning tree protocol globally; it is not enabled by default. When you enable STP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the Spanning Tree topology.
● Only one path from any bridge to any other bridge participating in STP is enabled.
● Bridges block a redundant path by disabling one of the link ports.
Figure 129.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
R2#show spanning-tree 0
Executing IEEE compatible Spanning Tree Protocol
Bridge Identifier has priority 32768, address 0001.e826.ddb7
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32768, address 0001.e80d.
Modifying Global Parameters
You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP.
NOTE: Dell EMC Networking recommends that only experienced network administrators change the spanning tree parameters. Poorly planned modification of the spanning tree parameters can negatively affect network performance.
The following table displays the default values for STP.
Table 127.
Modifying Interface STP Parameters
You can set the port cost and port priority values of interfaces in Layer 2 mode.
● Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
● Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
The default values are listed in Modifying Global Parameters.
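The effect of port cost and port priority is easiest to see in the root-port decision itself. The Python below is an added example, not code from Dell EMC Networking OS or from this guide: it compares the standard STP priority vector (advertised root, root path cost through the port, sending bridge, sending port, receiving port) to pick the root port. The bridge priority 32768 and the max-age/hello/forward-delay values are the ones shown in the show spanning-tree 0 output above; the port priority default of 128 and the sample costs are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_BRIDGE_PRIORITY = 32768   # as in the show spanning-tree 0 output above
DEFAULT_PORT_PRIORITY = 128       # assumed default; the chapter's table gives the real values


def _mac_int(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", ""), 16)


@dataclass(frozen=True)
class BridgeId:
    priority: int
    mac: str

    def key(self) -> Tuple[int, int]:
        return (self.priority, _mac_int(self.mac))   # lower is better


@dataclass
class Bpdu:
    """The fields of a received configuration BPDU that matter for root-port selection."""
    root: BridgeId
    root_path_cost: int
    sender: BridgeId
    sender_port_priority: int
    sender_port_number: int


@dataclass
class Port:
    name: str
    number: int
    cost: int                                   # from interface type; higher is less preferred
    priority: int = DEFAULT_PORT_PRIORITY       # tiebreak when costs are equal
    bpdu: Optional[Bpdu] = None                 # None: no BPDU heard on this port


def root_port(local: BridgeId, ports: List[Port]) -> Tuple[Optional[str], int]:
    """Return (root port name, root path cost); (None, 0) means this bridge is the root.

    Candidates are compared as the priority vector: advertised root, root path
    cost through this port, sender bridge, sender port, then the receiving port."""
    best = None
    for port in ports:
        if port.bpdu is None or port.bpdu.root.key() >= local.key():
            continue    # nothing better than this bridge is advertised on the port
        vector = (
            port.bpdu.root.key(),
            port.bpdu.root_path_cost + port.cost,
            port.bpdu.sender.key(),
            (port.bpdu.sender_port_priority, port.bpdu.sender_port_number),
            (port.priority, port.number),
        )
        if best is None or vector < best[0]:
            best = (vector, port)
    if best is None:
        return None, 0
    return best[1].name, best[0][1]
```

With two equal-cost links to the same upstream bridge, the upstream's port priority decides which link forwards, which is what the interface-level priority command on that bridge changes.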
Prevent Network Disruptions with BPDU Guard
Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/Edgeport (edgeports) do not expect to receive BPDUs. If an edgeport does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
Figure 130. Enabling BPDU Guard
Dell EMC Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features.
BPDU guard:
● is used on edgeports and blocks all traffic on the edgeport if it receives a BPDU.
● drops the BPDU after it reaches the RP and generates a console message.
Selecting STP Root
The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command.
● Assign a number as the bridge priority or designate it as the root or secondary root.
Figure 131. STP Root Guard Prevents Bridging Loops
Configuring Root Guard
Enable STP root guard on a per-port or per-port-channel basis.
Dell EMC Networking OS Behavior: The following conditions apply to a port enabled with STP root guard:
● Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in a global configuration mode.
Enabling SNMP Traps for Root Elections and Topology Changes
To enable SNMP traps individually or collectively, use the following commands.
● Enable SNMP traps for spanning tree state changes.
snmp-server enable traps stp
● Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
Figure 132. STP Loop Guard Prevents Forwarding Loops
Configuring Loop Guard
Enable STP loop guard on a per-port or per-port channel basis. The following conditions apply to a port enabled with loop guard:
● Loop guard is supported on any STP-enabled port or port-channel interface.
● When used in a PVST+ network, STP loop guard is performed per-port or per-port channel at a VLAN level. If no BPDUs are received on a VLAN interface, the port or port-channel transitions to a Loop-Inconsistent (Blocking) state only for this VLAN.
To enable a loop guard on an STP-enabled port or port-channel interface, use the following command.
● Enable loop guard on a port or port-channel interface.
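BPDU guard, root guard and loop guard (the three sections above) react to three different conditions on a port: a BPDU arriving on an edgeport, a superior BPDU arriving where no root should be, and BPDUs ceasing on a VLAN. The following Python is an added example for this guide, not Dell EMC Networking OS code, that models the three reactions side by side. The max-age of 20 seconds is the default from the show spanning-tree 0 output above; the log wording, the automatic recovery of a root-guarded port once superior BPDUs stop, and the (priority, MAC) tuples used as bridge IDs are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MAX_AGE = 20.0   # seconds, the default shown in the show spanning-tree 0 output


@dataclass
class GuardedPort:
    """Constructed per-port model of the three guard features described above."""
    name: str
    edgeport: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    loop_guard: bool = False
    state: str = "forwarding"                 # forwarding | root-inconsistent | err-disabled
    last_bpdu: Dict[int, float] = field(default_factory=dict)   # vlan -> time of last BPDU
    loop_inconsistent: Set[int] = field(default_factory=set)    # per-VLAN blocking (PVST+)


def receive_bpdu(port: GuardedPort, vlan: int, advertised_root: Tuple[int, int],
                 current_root: Tuple[int, int], now: float) -> str:
    """Apply BPDU guard and root guard to one received BPDU; returns a log-style
    message (constructed wording, not the switch's own syslog format) or ''."""
    if port.state == "err-disabled":
        return ""                                     # stays down until an operator clears it
    if port.edgeport and port.bpdu_guard:
        port.state = "err-disabled"                   # all traffic on the edgeport is blocked
        return f"{port.name}: BPDU received on edgeport, port disabled by BPDU guard"
    port.last_bpdu[vlan] = now
    port.loop_inconsistent.discard(vlan)              # BPDUs are back: loop guard releases the VLAN
    if port.root_guard:
        if advertised_root < current_root:            # superior BPDU: a new root claims this port
            port.state = "root-inconsistent"
            return f"{port.name}: superior BPDU received, port blocked by root guard"
        if port.state == "root-inconsistent":
            port.state = "forwarding"                 # superior BPDUs stopped: recover (assumed)
    return ""


def check_loop_guard(port: GuardedPort, now: float, max_age: float = MAX_AGE) -> List[int]:
    """Loop guard: VLANs whose BPDUs have not arrived within max_age go
    Loop-Inconsistent (blocking) for that VLAN only. Returns newly blocked VLANs."""
    if not port.loop_guard:
        return []
    newly_blocked = []
    for vlan, seen in port.last_bpdu.items():
        if now - seen > max_age and vlan not in port.loop_inconsistent:
            port.loop_inconsistent.add(vlan)
            newly_blocked.append(vlan)
    return sorted(newly_blocked)
```

The per-VLAN set is what distinguishes loop guard in a PVST+ network from the port-wide states of the other two guards: one VLAN losing its BPDUs does not block the others.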
54 SupportAssist
SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell EMC Networking device. For more information on SmartScripts, see the Dell EMC Networking Open Automation guide.
Figure 133.
Enable the SupportAssist service.
CONFIGURATION mode
support-assist activate
DellEMC(conf)#support-assist activate
This command guides you through steps to configure SupportAssist.
Configuring SupportAssist Manually
To manually configure the SupportAssist service, use the following commands.
1. Accept the end-user license agreement (EULA).
CONFIGURATION mode
eula-consent {support-assist} {accept | reject}
NOTE: Once accepted, you do not have to accept the EULA again.
support-assist
DellEMC(conf)#support-assist
DellEMC(conf-supportassist)#
3. (Optional) Configure the contact information for the company.
SUPPORTASSIST mode
contact-company name {company-name}[company-next-name] ... [company-next-name]
DellEMC(conf)#support-assist
DellEMC(conf-supportassist)#contact-company name test
DellEMC(conf-supportassist-cmpy-test)#
4. (Optional) Configure the contact name for an individual.
[no] activity {full-transfer|core-transfer|event-transfer}
DellEMC(conf-supportassist)#activity full-transfer
DellEMC(conf-supportassist-act-full-transfer)#
DellEMC(conf-supportassist)#activity core-transfer
DellEMC(conf-supportassist-act-core-transfer)#
DellEMC(conf-supportassist)#activity event-transfer
DellEMC(conf-supportassist-act-event-transfer)#
2. Copy an action-manifest file for an activity to the system.
SUPPORTASSIST ACTIVITY mode
[no] enable
DellEMC(conf-supportassist-act-full-transfer)#enable
DellEMC(conf-supportassist-act-full-transfer)#
DellEMC(conf-supportassist-act-core-transfer)#enable
DellEMC(conf-supportassist-act-core-transfer)#
DellEMC(conf-supportassist-act-event-transfer)#enable
DellEMC(conf-supportassist-act-event-transfer)#
Configuring SupportAssist Company
SupportAssist Company mode allows you to configure the name, address, and territory information of the company.
[no] contact-person [first ] last
DellEMC(conf-supportassist)#contact-person first john last doe
DellEMC(conf-supportassist-pers-john_doe)#
2. Configure the email addresses to reach the contact person.
SUPPORTASSIST PERSON mode
[no] email-address primary email-address [alternate email-address]
DellEMC(conf-supportassist-pers-john_doe)#email-address primary jdoe@mycompany.com
DellEMC(conf-supportassist-pers-john_doe)#
3. Configure phone numbers of the contact person.
[no] enable
DellEMC(conf-supportassist-serv-default)#enable
DellEMC(conf-supportassist-serv-default)#
4. Configure the URL to reach the SupportAssist remote server.
SUPPORTASSIST SERVER mode
[no] url uniform-resource-locator
DellEMC(conf-supportassist-serv-default)#url https://192.168.1.1/index.htm
DellEMC(conf-supportassist-serv-default)#
Viewing SupportAssist Configuration
To view the SupportAssist configurations, use the following commands:
1.
!
server Dell
enable
url http://1.1.1.1:1337
DellEMC#
3. Display the EULA for the feature.
EXEC Privilege mode
show eula-consent {support-assist | other feature}
DellEMC#show eula-consent support-assist
SupportAssist EULA has been: Accepted
Additional information about the SupportAssist EULA is as follows:
By installing SupportAssist, you allow Dell to save your contact information (e.g.
55 System Time and Date
System time and date settings and the network time protocol (NTP) are supported on Dell EMC Networking OS. System times and dates can be set and maintained through NTP. They can also be set through the Dell EMC Networking Operating System (OS) command line interface (CLI) and hardware settings. The Dell EMC Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Protocol Overview
The client sends NTP messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode.
DellEMC#show ntp status
Clock is synchronized, stratum 4, reference is 10.16.151.117, vrf-id is 0
frequency is -44.862 ppm, stability is 0.050 ppm, precision is -18
reference time deeef7ef.85eeaa10 Tue, Jul 10 2018 9:16:31.523 UTC
clock offset is -0.167449 msec, root delay is 149.194 msec
root dispersion is 54.557 msec, peer dispersion is 0.
○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
○ For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
○ For the Management interface, enter the keyword ManagementEthernet then the slot/port information.
○ For a port channel interface, enter the keywords port-channel then a number.
○ For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
5. Configure the switch as NTP master.
CONFIGURATION mode
ntp master
To configure the switch as an NTP server, use the ntp master command. The stratum number identifies the NTP server's level in the NTP hierarchy. The following example shows configuring an NTP server.
Dell EMC(conf)#show running-config ntp
!
ntp master
ntp server 10.16.127.44
ntp server 10.16.127.86
ntp server 10.16.127.
● Transmit Timestamp — the departure time on the server of the current NTP message from the sender.
● Filter dispersion — the error in calculating the minimum delay from a set of sample data from a peer.
To view the NTP configuration, use the show running-config ntp command in EXEC privilege mode. The following example shows an encrypted authentication key (in bold). All keys are encrypted.
DellEMC#show running ntp
!
ntp authenticate
ntp authentication-key 345 md5 5A60910F3D211F02
ntp server 11.1.1.
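The ntp authenticate and ntp authentication-key commands above turn on NTP symmetric-key authentication, in which the 48-byte packet is followed by a key identifier and an MD5 digest of the shared key concatenated with the packet (RFC 5905, Appendix A). The Python below is an added example of that check, not Dell EMC Networking OS code: key id 345 is taken from the show output above, but the key bytes and the packet contents are constructed, since the value the switch stores is an encrypted form and not the key itself.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16          # key identifier + MD5 digest


def build_ntp_client_packet(stratum: int = 0, transmit_ts: int = 0) -> bytes:
    """Constructed NTPv4 client (mode 3) header with placeholder field values."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3                         # LI=0, VN=4, mode=3
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -18)   # poll 2^6 s, precision 2^-18 s
    header += struct.pack("!II", 0, 0)                           # root delay, root dispersion
    header += b"\x00" * 4                                        # reference identifier
    header += struct.pack("!QQQQ", 0, 0, 0, transmit_ts)         # reference/origin/receive/transmit
    assert len(header) == NTP_HEADER_LEN
    return header


def append_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Symmetric-key authentication: MAC = key id || MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(packet: bytes, trusted_keys: Dict[int, bytes]) -> Optional[int]:
    """Return the key id that authenticates the packet, or None if it fails.
    Rejects short packets, unknown key ids and any digest mismatch."""
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return None
    body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return None                      # key id not configured as trusted
    expected = hashlib.md5(key + body).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return None                      # packet or MAC altered in transit
    return key_id
```

The digest covers everything before the MAC, so a changed stratum, timestamp or server address is detected; what it does not provide is replay protection or confidentiality, and MD5 here is a keyed digest rather than an HMAC, so treat it as integrity against an off-path sender rather than a strong cryptographic guarantee.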
○ month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.
○ day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year.
○ year: enter a four-digit number as the year. The range is from 1993 to 2035.
○ end-day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year.
○ end-year: enter a four-digit number as the year. The range is from 1993 to 2035.
○ end-time: enter the time in hours:minutes. For the hour variable, use the 24-hour format; for example, 17:15 is 5:15 pm.
○ offset: (OPTIONAL) enter the number of minutes to add during the summer-time period. The range is from 1 to 1440. The default is 60 minutes.
NOTE: If you enter after entering the recurring command parameter, and you have already set a one-time daylight saving time/date, the system uses that time and date as the recurring setting. The following example shows the clock summer-time recurring parameters.
56 Tunneling
Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, PATH MTU transmission, and fragmented packets are not supported.
The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic):
DellEMC(conf)#interface tunnel 3
DellEMC(conf-if-tu-3)#tunnel source 5::5
DellEMC(conf-if-tu-3)#tunnel destination 8::9
DellEMC(conf-if-tu-3)#tunnel mode ipv6
DellEMC(conf-if-tu-3)#ip address 3.1.1.1/24
DellEMC(conf-if-tu-3)#ipv6 address 3::1/64
DellEMC(conf-if-tu-3)#no shutdown
DellEMC(conf-if-tu-3)#show config
!
interface Tunnel 3
ip address 3.1.1.
no shutdown
DellEMC(conf)#interface tunnel 1
DellEMC(conf-if-tu-1)#ip unnumbered tengigabitethernet 1/1
DellEMC(conf-if-tu-1)#ipv6 unnumbered tengigabitethernet 1/1
DellEMC(conf-if-tu-1)#tunnel source 40.1.1.1
DellEMC(conf-if-tu-1)#tunnel mode ipip decapsulate-any
DellEMC(conf-if-tu-1)#no shutdown
DellEMC(conf-if-tu-1)#show config
!
interface Tunnel 1
ip unnumbered TenGigabitEthernet 1/1
ipv6 unnumbered TenGigabitEthernet 1/1
tunnel source 40.1.1.
tunnel allow-remote 40.1.1.
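The decapsulate-any tunnel above has no fixed destination, so the tunnel allow-remote entries are what decide which remote endpoints may deliver packets into it. The Python below is an added example for this guide, not Dell EMC Networking OS code: it parses the outer IPv4 header of an IP-in-IP packet (protocol 4, RFC 2003) and applies the acceptance rules a point-to-point tunnel and a decapsulate-any tunnel would use. The tunnel source 40.1.1.1 is from the configuration above; the remote addresses, inner addresses and the exact acceptance semantics modelled here are assumptions.

```python
import socket
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

IPPROTO_IPIP = 4          # outer IPv4 protocol number for IP-in-IP (RFC 2003)


@dataclass
class IpipTunnel:
    """Constructed model of the tunnel settings used in the configurations above."""
    source: str                           # local endpoint ("tunnel source")
    destination: Optional[str] = None     # remote endpoint for a point-to-point tunnel
    decapsulate_any: bool = False         # "tunnel mode ipip decapsulate-any"
    allow_remote: Set[str] = field(default_factory=set)   # "tunnel allow-remote" entries


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) for constructed test packets."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(packet: bytes) -> Optional[dict]:
    """Return the fields this check needs, or None if the bytes are not a sane IPv4 packet."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        return None
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": packet[ihl:total_len]}


def decapsulate(tunnel: IpipTunnel, packet: bytes) -> Tuple[Optional[bytes], str]:
    """Decide whether the tunnel accepts an outer packet; returns (inner packet or None, reason)."""
    outer = parse_ipv4(packet)
    if outer is None:
        return None, "malformed outer IPv4 header"
    if outer["proto"] != IPPROTO_IPIP:
        return None, "outer protocol is not IP-in-IP"
    if outer["dst"] != tunnel.source:
        return None, "not addressed to the tunnel source"
    if tunnel.decapsulate_any:
        # Without allow-remote, any remote may deliver into the tunnel; with it, only listed ones.
        if tunnel.allow_remote and outer["src"] not in tunnel.allow_remote:
            return None, "remote endpoint not in allow-remote list"
    elif outer["src"] != tunnel.destination:
        return None, "remote endpoint is not the configured tunnel destination"
    if parse_ipv4(outer["payload"]) is None:
        return None, "inner packet is not valid IPv4"
    return outer["payload"], "accepted"
```

The open_t case in the test shows the point of allow-remote: a decapsulate-any tunnel with no allow-remote entries accepts an inner packet from any source that can reach the tunnel address, so the entries (or an ingress ACL) are what confine the tunnel to known peers.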
57 Uplink Failure Detection (UFD)
Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link.
Figure 135. Uplink Failure Detection
How Uplink Failure Detection Works
UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 136. Uplink Failure Detection Example
If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number, which is otherwise calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
● If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with a UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
By default, auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command.
5. (Optional) Enter a text description of the uplink-state group.
UPLINK-STATE-GROUP mode
description text
The maximum length is 80 alphanumeric characters.
6. (Optional) Disable upstream-link tracking without deleting the uplink-state group.
UPLINK-STATE-GROUP mode
no enable
By default, upstream-link tracking is automatically enabled in an uplink-state group.
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error-disabled: Fo 3/48
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error-disabled: Fo 3/52
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error-disabled: Fo 3/56
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error-disabled: Fo 3/60
02:38:53: %RPM0-P:CP %IFMGR-5-OSTAT
Uplink State Group : 5 Status: Enabled, Down
Upstream Interfaces : Te 1/1(Dwn) Te 1/3(Dwn) Te 1/5(Dwn)
Downstream Interfaces : Te 3/2(Dis) Te 3/4(Dis) Te 3/11(Dis) Te 3/12(Dis) Te 3/13(Dis) Te 3/14(Dis) Te 3/15(Dis)
Uplink State Group : 6 Status: Enabled, Up
Upstream Interfaces :
Downstream Interfaces :
Uplink State Group : 7 Status: Enabled, Up
Upstream Interfaces :
Downstream Interfaces :
Uplink State Group : 16 Status: Disabled, Up
Upstream Interfaces : Te 1/4(Dwn) Po 8(Dwn)
Downstream Interfaces : T
upstream TenGigabitEthernet 1/22
upstream Port-channel 8
Sample Configuration: Uplink Failure Detection
The following example shows a sample configuration of UFD on a switch/router in which you configure as follows.
● Configure uplink-state group 3.
● Add downstream links Tengigabitethernet 1/1, 1/2, 1/5, 1/9, 1/11, and 1/12.
● Configure two downstream links to be disabled if an upstream link fails.
● Add upstream links Tengigabitethernet 1/3 and 1/4.
● Add a text description for the group.
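The sample configuration above (group 3, downstream Te 1/1, 1/2, 1/5, 1/9, 1/11 and 1/12, two links disabled per upstream failure, upstream Te 1/3 and 1/4) is a good input for a model of the rules in How Uplink Failure Detection Works. The Python below is an added example for this guide, not Dell EMC Networking OS code: it disables downstream ports from the lowest number upward, takes them all down when every upstream link is lost, and honours the auto-recover setting. The 40/10 Gb/s bandwidths used for the default ratio, and the choice to disable the configured count once per failed upstream link, are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def port_key(name: str) -> Tuple[int, int]:
    """'Te 1/12' -> (1, 12); used to disable ports from lowest to highest number."""
    match = re.match(r"\s*[A-Za-z]+\s*(\d+)/(\d+)", name)
    if not match:
        raise ValueError(f"unrecognised interface name {name!r}")
    slot, port = match.groups()
    return int(slot), int(port)


@dataclass
class UplinkStateGroup:
    """Constructed model of one uplink-state group. Bandwidths in Gb/s are assumed
    inputs for the default ratio the chapter describes."""
    group_id: int
    upstream: Dict[str, str]                 # interface -> "up" / "down"
    downstream: List[str]
    disable_links: Optional[int] = None      # configured count; None = derive from bandwidth ratio
    upstream_bw: int = 40
    downstream_bw: int = 10
    enabled: bool = True                     # "no enable" stops tracking without deleting the group
    auto_recover: bool = True                # "no downstream auto-recover" keeps ports down
    disabled: List[str] = field(default_factory=list)

    def links_per_failed_upstream(self) -> int:
        if self.disable_links is not None:
            return self.disable_links
        return max(1, self.upstream_bw // self.downstream_bw)

    def _target(self) -> List[str]:
        """Downstream ports that should currently be UFD-disabled."""
        down = [i for i, s in self.upstream.items() if s == "down"]
        ordered = sorted(self.downstream, key=port_key)
        if not down:
            return []
        if len(down) == len(self.upstream):
            return ordered                           # every uplink lost: all downstream ports
        count = self.links_per_failed_upstream() * len(down)   # per failed uplink (assumption)
        return ordered[:count]

    def upstream_change(self, interface: str, state: str) -> List[str]:
        """Record an upstream link event and return the downstream ports now disabled."""
        if interface not in self.upstream:
            raise KeyError(f"{interface} is not an upstream interface of group {self.group_id}")
        self.upstream[interface] = state
        if not self.enabled:
            return list(self.disabled)               # tracking is off: nothing changes
        target = self._target()
        if self.auto_recover:
            self.disabled = target
        else:                                        # ports stay down until an operator clears them
            self.disabled = sorted(set(self.disabled) | set(target), key=port_key)
        return list(self.disabled)

    def clear_disabled(self) -> List[str]:
        """Operator clears UFD-disabled ports; ports still required down are re-disabled."""
        released = list(self.disabled)
        self.disabled = self._target() if self.enabled else []
        return released
```

Running the sample configuration through it shows why the port order matters: with Te 1/3 down, the two lowest-numbered downstream ports (Te 1/1 and Te 1/2) are the ones taken down, and only a second upstream failure takes the rest.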
58 Upgrade Procedures
To find the upgrade procedures, go to the Dell EMC Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell EMC Networking OS version. To upgrade your system type, follow the procedures in the Dell EMC Networking OS Release Notes. You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.
59 Virtual LANs (VLANs)
Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN.
● Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN.
● The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes).
● Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved.
NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes as specified in the IEEE 802.3 standard. Some devices that are not compliant with IEEE 802.3 may not support the larger frame size.
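The tag header described above is four bytes inserted after the source address: the two-byte protocol identifier 0x8100 followed by the two-byte TCI carrying a 3-bit priority, a 1-bit drop-eligible flag and the 12-bit VLAN ID. The Python below is an added example for this guide, not Dell EMC Networking OS code, that parses, inserts and strips that header and flags the two reserved VLAN ID values (0 and 4095) and frames that exceed the 1,518-byte limit. The sample MAC addresses and payload are constructed.

```python
import struct
from typing import Dict

TPID_8021Q = 0x8100
TAG_LEN = 4
MAX_UNTAGGED_FRAME = 1518       # IEEE 802.3 maximum cited above
RESERVED_VIDS = (0, 4095)       # the two reserved VLAN ID values


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> Dict:
    """Parse destination, source, optional 802.1Q tag and EtherType from a frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": _mac(frame[:6]), "src": _mac(frame[6:12]), "tagged": False,
            "vlan": None, "pcp": None, "dei": None, "reserved_vid": False,
            "ethertype": ethertype, "payload": frame[14:],
            "oversize": len(frame) > MAX_UNTAGGED_FRAME}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF                       # low 12 bits of the TCI
        info.update(tagged=True, vlan=vid, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    ethertype=inner_type, payload=frame[18:],
                    reserved_vid=vid in RESERVED_VIDS,
                    oversize=len(frame) > MAX_UNTAGGED_FRAME + TAG_LEN)
    return info


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a tag header after the source address (what a tagged member port emits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094; 0 and 4095 are reserved")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    if parse_ethernet(frame)["tagged"]:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag header (what an untagged member port emits)."""
    if not parse_ethernet(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]
```

A 1,518-byte untagged frame becomes 1,522 bytes once tagged, which is the growth the note above warns about for devices that do not accept the larger size.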
Assigning Interfaces to a VLAN You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command. You can further designate these Layer 2 interfaces as tagged or untagged. For more information, see the Interfaces chapter and Configuring Layer 2 (Data Link) Mode.
When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN. If the tagged interface is removed from the only VLAN to which it belongs, the interface is placed in the Default VLAN as an untagged interface.
Moving Untagged Interfaces
To move untagged interfaces from the Default VLAN to another VLAN, use the following commands.
1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
Assigning an IP Address to a VLAN
VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces. The shutdown command in INTERFACE mode does not affect Layer 2 traffic on the interface; the shutdown command only prevents Layer 3 traffic from traversing over the interface.
NOTE: You cannot assign an IP address to the Default VLAN (VLAN 1).
Enabling Null VLAN as the Default VLAN
In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured. This presents a vulnerability because both interfaces are initially placed in the native VLAN, VLAN 1, and for that period customers are able to access each other's networks.
60 Virtual Link Trunking (VLT)
Virtual link trunking (VLT) is a Dell EMC technology that provides two Dell EMC switches the ability to function as a single switch. VLT allows physical links between two Dell EMC switches to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). As a result, the two physical switches appear as a single switch to the connected devices.
peers as a single switch, VLT eliminates STP-blocked ports. However, the two VLT devices are independent Layer2/Layer3 (L2/L3) switches for devices in the upstream network.
Figure 139. VLT providing multipath
VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches and supporting a loop-free topology. To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol.
Figure 140. Example of VLT Deployment
VLT offers the following benefits:
● Allows a single device to use a LAG across two upstream devices.
● Eliminates STP-blocked ports.
● Provides a loop-free topology.
● Uses all available uplink bandwidth.
● Provides fast convergence if either the link or a device fails.
● Optimized forwarding with virtual router redundancy protocol (VRRP).
● Provides link-level resiliency.
● Assures high availability.
● Active-Active load sharing with VRRP.
● VLT backup link — The backup link monitors the connectivity between the VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches.
● VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches. Both ends must be on 10G or 40G interfaces.
● VLT domain — This domain includes both the VLT peer devices, VLT interconnect, and all of the port channels in the VLT connected to the attached devices.
Viewing the MAC Synchronization Between VLT Peers
You can use the following commands to verify the MAC synchronization between VLT peers:
VLT-10-PEER-1#show mac-address-table count
MAC Entries for all vlans :
Dynamic Address Count : 1007
Static Address (User-defined) Count : 1
Sticky Address Count : 0
Total Synced Mac from Peer(N): 503
Total MAC Addresses in Use: 1008
VLT-10-PEER-1#show vlt counter mac
Total MAC VLT counters
---------------------
L2 Total MAC-Address Count: 1007
VLT-10-PEER-1#show mac-addr
such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode. This example provides the highest form of resiliency, scaling, and load balancing in data center switching networks. The following example shows stacking at the access, VLT in aggregation, and Layer 3 at the core.
Figure 142. VLT on Core Switches
The aggregation layer is mostly in the L2/L3 switching/routing layer.
Figure 143. Enhanced VLT
Configure Virtual Link Trunking
VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches.
Important Points to Remember
● You cannot enable stacking simultaneously with VLT. If you enable both at the same time, unexpected behavior can occur.
● VLT port channel interfaces must be switch ports.
● If you include RSTP on the system, configure it before VLT.
● To disable this feature on VLT and port channels, use the no lacp ungroup member-independent {vlt | portchannel} command under the configuration mode.
● When you enable IGMP snooping on the VLT peers, ensure the value of the delay-restore command is not less than the query interval.
○ VLT peer switches operate as separate chassis with independent control and data planes for devices attached on non-VLT ports.
○ One device in the VLT domain is assigned the primary role; the other device takes the secondary role. The primary and secondary roles are required for scenarios in which connectivity between the chassis is lost. VLT assigns the primary chassis role according to the lowest MAC address. You can configure the primary role manually.
○ So that the chassis backup link does not share the same physical path as the interconnect trunk, Dell EMC Networking recommends using the management ports on the chassis and traversing an out-of-band management network. The backup link can use user ports, but not the same ports the interconnect trunk uses.
○ The chassis backup link does not carry control plane information or data traffic. Its use is restricted to health checks only.
○ In a VLT domain, VRRP interoperates with virtual link trunks that carry traffic to and from access devices (see Overview). The VLT peers belong to the same VRRP group and are assigned master and backup roles. Each peer actively forwards L3 traffic, reducing the traffic flow over the VLT interconnect.
○ VRRP elects the router with the highest priority as the master in the VRRP group.
● Configure any ports at the edge of the spanning tree's operating domain as edge ports, which are directly connected to end stations or server racks. Disable RSTP on ports connected directly to Layer 3-only routers not running STP, or configure them as edge ports.
● Ensure that the primary VLT node is the root bridge and the secondary VLT peer node has the second-best bridge ID in the network.
VLT Port Delayed Restoration

When a VLT node boots up, if the VLT ports were previously saved in the start-up configuration, they are not immediately enabled. To ensure that MAC and ARP entries from the VLT peer node are downloaded to the newly enabled VLT node, the system allows time before the VLT ports on the new node are enabled and begin receiving traffic. The delay-restore feature waits for all saved configurations to be applied, then starts a configurable timer.
Figure 144. PIM-Sparse Mode Support on VLT

On each VLAN where the VLT peer nodes act as the first-hop or last-hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that, for first-hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
If the VLT node elected as the designated router fails and you enable VLT Multicast Routing, multicast routes are synced to the other peer for traffic forwarding to ensure minimal traffic loss. If you did not enable VLT Multicast Routing, traffic loss occurs until the other VLT peer is selected as the DR.

VLT Routing

VLT Routing refers to the ability to run a dynamic routing protocol within a single VLT domain or between VLT domains (mVLT).
If you enable peer routing, a VLT node acts as a proxy gateway for its connected VLT peer, as shown in the following figure. Even though the gateway address of the packet is different, Peer-1 routes the packet to its destination on behalf of Peer-2 to avoid sub-optimal routing.

Figure 146. Packets with peer routing enabled

Benefits of Peer Routing

● Avoids sub-optimal routing.
● Reduces latency by avoiding another hop in the traffic path.
Configuring VLT Unicast

To enable and configure VLT unicast, follow these steps.

1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
   CONFIGURATION mode
   vlt domain domain-id
2. Enable peer-routing.
   VLT DOMAIN mode
   peer-routing
3. Configure the peer-routing timeout.
   VLT DOMAIN mode
   peer-routing-timeout value
   value: Specify a value (in seconds) from 1 to 65535. The default value is infinity (no timeout configured).
3. Configure the multicast peer-routing timeout.
   VLT DOMAIN mode
   multicast peer-routing-timeout value
   value: Specify a value (in seconds) from 1 to 1200.
   NOTE: Reduce the multicast peer-routing-timeout value to 10 seconds to clear the (S,G) entry in the mroute table on the primary VLT peer. Also, the MLD leave packet must be sent after the unicast route convergence.
4. Configure a PIM-SM compatible VLT node as a designated router (DR). For more information, refer to Configuring a Designated Router.
5.
Sample RSTP configuration

The following is a sample of an RSTP configuration. Using the example shown in the Overview section as a sample VLT topology, the primary VLT switch sends BPDUs to an access device (switch or server) with its own RSTP bridge ID. BPDUs generated by an RSTP-enabled access device are only processed by the primary VLT switch. The secondary VLT switch tunnels the BPDUs that it receives to the primary VLT switch over the VLT interconnect.
Configuring a VLT Interconnect

To configure a VLT interconnect, follow these steps.

1. Configure the port channel for the VLT interconnect on a VLT switch and enter interface configuration mode.
   CONFIGURATION mode
   interface port-channel id-number
   Enter the same port-channel number configured with the peer-link port-channel command, as described in Enabling VLT and Creating a VLT Domain.
   NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned).
2.
   VLT DOMAIN CONFIGURATION mode
   peer-routing
   If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
5. (Optional) After you configure a VLT domain on each peer switch and connect (cable) the two VLT peers on each side of the VLT interconnect, the system elects a primary and secondary VLT peer device (see Primary and Secondary VLT Peers). To configure the primary and secondary roles before the election process, use the primary-priority command.
   delay-restore delay-restore-time
   The range is from 1 to 1200. The default is 90 seconds.

Reconfiguring the Default VLT Settings (Optional)

To reconfigure the default VLT settings, use the following commands.

1. Enter VLT-domain configuration mode for a specified VLT domain.
   CONFIGURATION mode
   vlt domain domain-id
   The range of domain IDs is from 1 to 1000.
2.
   INTERFACE PORT-CHANNEL mode
   channel-member interface
   interface: specify one of the following interface types:
   ● For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
   ● For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
5. Ensure that the port channel is active.
   INTERFACE PORT-CHANNEL mode
   no shutdown
6.
   CONFIGURATION mode
   vlt domain domain-id
   The range of domain IDs is from 1 to 1000.
4. Enter the port-channel number that acts as the interconnect trunk.
   VLT DOMAIN CONFIGURATION mode
   peer-link port-channel id-number
5. Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages.
   INTERFACE mode
   port-channel number mode [active]
15. Ensure that the interface is active.
   MANAGEMENT INTERFACE mode
   no shutdown
16. Enable peer routing.
   VLT DOMAIN CONFIGURATION mode
   peer-routing
   If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
17. Repeat steps 1 through 16 for the VLT peer node in Domain 1.
18. Repeat steps 1 through 16 for the first VLT node in Domain 2.
19. Repeat steps 1 through 16 for the VLT peer node in Domain 2.
   show vlt brief or show vlt detail
13. Verify that the VLT LAG is running in both VLT peer units.
   EXEC mode or EXEC Privilege mode
   show interfaces interface

In the following sample VLT configuration steps, VLT peer 1 is Dell-2, VLT peer 2 is Dell-4, and the ToR is S60-1.

NOTE: If you use a third-party ToR unit, Dell EMC Networking recommends using static LAGs with VLT peers to avoid potential problems if you reboot the VLT peers.

Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2.
configuring VLT peer lag in VLT

    Dell-2#show running-config interface port-channel 2
    !
    interface Port-channel 2
     no ip address
     switchport
     vlt-peer-lag port-channel 2
     no shutdown
    Dell-2#show interfaces port-channel 2 brief
    Codes: L - LACP Port-channel
      LAG  Mode  Status  Uptime    Ports
    L 2    L2L3  up      03:33:14  Te 1/4 (Up)

In the ToR unit, configure LACP on the physical ports.
    Multicast peer-routing timeout : 150 seconds
    DellEMC#

Verify that the VLT LAG is up in the VLT peer unit.

    Dell-2#show interfaces port-channel 2 brief
    Codes: L - LACP Port-channel
      LAG  Mode  Status  Uptime    Ports
    L 2    L2L3  up      03:43:24  Te 1/4 (Up)
    Dell-4#show interfaces port-channel 2 brief
    Codes: L - LACP Port-channel
      LAG  Mode  Status  Uptime    Ports
    L 2    L2L3  up      03:33:31  Te 1/18 (Up)

PVST+ Configuration

PVST+ is supported in a VLT domain.
    Interface
    Name       Role  PortID   Prio  Cost  Sts
    ---------- ----  -------  ----  ----  ---
    Po 1       Desg  128.2    128   188   FWD
    Po 2       Desg  128.3    128   2000  FWD
    Te 1/10    Desg  128.230  128   2000  FWD
    Te 1/13    Desg  128.233  128   2000  FWD
    DellEMC#
Dell-1 Switch Configuration

In the following output, RSTP is enabled with a bridge priority of 0. This ensures that Dell-1 becomes the root bridge.

    DellEMC#1#show run | find protocol
    protocol spanning-tree pvst
     no disable
     vlan 1,20,800,900 bridge-priority 0

The following output shows the existing VLANs.
     description To_CR1_fa0/13
     no ip address
     port-channel-protocol LACP
      port-channel 1 mode active
     no shutdown

Port channel 1 connects the uplink switch R1.

    DellEMC#1#sh run int po1
    interface Port-channel 1
     description port-channel_to_R1
     no ip address
     switchport
     vlt-peer-lag port-channel 1
     no shutdown

Port channel 2 connects the access switch A1.
    Version: 6(3)
    Local System MAC address: 90:b1:1c:f4:2c:bb
    Remote System MAC address: 90:b1:1c:f4:29:f1
    Configured System MAC address: 90:b1:1c:f4:01:01
    Remote system version: 6(3)
    Delay-Restore timer: 90 seconds
    Peer routing : Enabled
    Peer routing-Timeout timer: 0 seconds
    Multicast peer routing timeout: 150 seconds

Verify that the heartbeat mechanism is operational.

    DellEMC#1#sh vlt backup-link
    VLT Backup Link
    -----------------
    Destination:
    Peer HeartBeat status:
    Destination VRF:
    HeartBeat Timer Interval:
    He
The following output displays the MAC address of all interfaces in the system. All interfaces, physical and virtual, have the same MAC address. This is the address used for peer routing.
     no shutdown
    !
    DellEMC#1#sh run int te0/1
    interface TenGigabitEthernet 0/1
     description VLTi LINK
     no ip address
     no shutdown

The following example shows that te 0/0 and te 0/1 are included in port channel 10. Also note that the configuration on the VLTi links does not contain the switchport command.

    Dell-2#sh run int po10
    interface Port-channel 10
     description VLTi Port-Channel
     no ip address
     channel-member TenGigabitEthernet 0/0-1
     no shutdown

Te 0/4 connects to the access switch A1.
    interface Vlan 800
     description Client-VLAN
     ip address 192.168.8.2/24
     tagged Port-channel 2
     no shutdown

The following output shows that Dell-2 is configured with VLT domain 1. The peer-link port-channel command makes port channel 10 the VLTi link. The peer-routing command enables peer routing between the VLT peers in VLT domain 1. The IP address configured with the backup-destination command is the management IP address of the VLT peer (Dell-1). A priority value of 55000 makes Dell-2 the secondary VLT peer.
     router-id 172.17.1.2
     network 192.168.8.0/24 area 0
     network 192.168.9.0/24 area 0
     network 172.16.1.0/24 area 0
     network 192.168.20.0/29 area 0
     passive-interface default
     no passive-interface vlan 20

While the passive-interface default command prevents all interfaces from establishing an OSPF neighborship, the no passive-interface vlan 20 command allows the interface for VLAN 20, the OSPF peering VLAN, to establish OSPF adjacencies. The following output shows that Dell-1 forms a neighborship with Dell-2 and R1.
    interface Loopback3
     ip address 3.3.3.2 255.255.255.0
    !
    interface Loopback4
     ip address 4.4.4.2 255.255.255.0
    R1#show run int port-channel 1
    interface Port-channel1
     switchport
     ip address 192.168.20.3 255.255.255.248
    R1#show run | find router
    router ospf 1
     router-id 172.15.1.1
     passive-interface default
     no passive-interface Port-channel1
     network 2.2.2.0 0.0.0.255 area 0
     network 3.3.3.0 0.0.0.255 area 0
     network 4.4.4.0 0.0.0.255 area 0

(The above subnets correspond to loopback interfaces lo2, lo3 and lo4.
This default route is configured for testing purposes, as described in the next section. The access switch (A1) is used to generate ICMP test pings to a loopback interface on CR1. This default route points to DellEMC#2's VLAN 800 SVI interface. It is in place to ensure that routed test traffic has DellEMC#2's MAC address as the destination address in the Ethernet frame's header. When A1 sends a packet to R1, the VLT peers act as the default gateway for each other.
Add links to the eVLT port-channel on Peer 1.

    Domain_1_Peer1(conf)#interface range tengigabitethernet 1/16 - 17
    Domain_1_Peer1(conf-if-range-te-1/16-17)# port-channel-protocol LACP
    Domain_1_Peer1(conf-if-range-te-1/16-17)# port-channel 100 mode active
    Domain_1_Peer1(conf-if-range-te-1/16-17)# no shutdown

Next, configure the VLT domain and VLTi on Peer 2.
    Domain_2_Peer4(conf-vlt-domain)# peer-link port-channel 1
    Domain_2_Peer4(conf-vlt-domain)# back-up destination 10.18.130.12
    Domain_2_Peer4(conf-vlt-domain)# system-mac mac-address 00:0b:00:0b:00:0b
    Domain_2_Peer4(conf-vlt-domain)# peer-routing
    Domain_2_Peer4(conf-vlt-domain)# unit-id 1

Configure eVLT on Peer 4.
Verifying a VLT Configuration

To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches.

● Display information on backup link operation.
   EXEC mode
   show vlt backup-link
● Display general status information about VLT domains currently configured on the switch.
    UDP Port: 34998
    HeartBeat Messages Sent: 1030
    HeartBeat Messages Received: 1014

The following example shows the show vlt brief command.
     back-up destination 10.11.200.18
    Dell_VLTpeer2# show running-config vlt
    !
    vlt domain 30
     peer-link port-channel 60
     back-up destination 10.11.200.20

The following example shows the show vlt statistics command.
Additional VLT Sample Configurations

To configure VLT, create a VLT domain, configure a backup link and interconnect trunk, and connect the peer switches in the VLT domain to an attached access device (switch or server). Review the following examples of VLT configurations.

Configuring Virtual Link Trunking (VLT Peer 1)

Enable VLT and create a VLT domain with a backup link and interconnect trunk (VLTi).
Configure the VLT interconnect (VLTi).

    Dell_VLTpeer2(conf)#interface port-channel 100
    Dell_VLTpeer2(conf-if-po-100)#no ip address
    Dell_VLTpeer2(conf-if-po-100)#channel-member fortyGigE 1/56,60
    Dell_VLTpeer2(conf-if-po-100)#no shutdown
    Dell_VLTpeer2(conf-if-po-100)#exit

Configure the port channel to an attached device.
Table 128. Troubleshooting VLT (continued)

Description: Dell EMC Networking OS version mismatch
  Behavior at Peer Up: A syslog error message is generated.
  Behavior During Run Time: A syslog error message is generated.
  Action to Take: Follow the correct upgrade procedure for the unit with the mismatched Dell EMC Networking OS version.

Description: Remote VLT port channel status
  Behavior at Peer Up: N/A
  Behavior During Run Time: N/A
  Action to Take: Use the show vlt detail and show vlt brief commands to view the VLT port channel status information.
6. On the Secondary switch (stack-unit1), enter the command stack-unit1 renumber 0.
7. Confirm the reload query.
8. After reloading, confirm that VLT is enabled.
9. Confirm that the management ports are interconnected or connected to a switch that can transfer heartbeat information.

Specifying VLT Nodes in a PVLAN

You can configure VLT peer nodes in a private VLAN (PVLAN).
functionalities in a PVLAN. For example, if a VLAN is a primary VLT VLAN on one peer and not a primary VLT VLAN on the other peer, VLTi is not made a part of that VLAN.

MAC Synchronization for VLT Nodes in a PVLAN

For the MAC addresses that are learned on non-VLT ports, MAC address synchronization is performed with the other peer if the VLTi (ICL) link is part of the same VLAN as the non-VLT port.
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN

The following table illustrates the association of the VLTi link and PVLANs, and the MAC synchronization of VLT nodes in a PVLAN (for the various modes of operation of the VLT peers):

Table 129.
   VLT DOMAIN CONFIGURATION mode
   peer-link port-channel id-number
8. (Optional) To configure a VLT LAG, enter the VLAN ID number of the VLAN where the VLT forwards packets received on the VLTi from an adjacent peer that is down.
   VLT DOMAIN CONFIGURATION mode
   peer-link port-channel id-number peer-down-vlan vlan interface number

Associating the VLT LAG or VLT VLAN in a PVLAN

1. Access INTERFACE mode for the port that you want to assign to a PVLAN.
   CONFIGURATION mode
   interface interface
2. Enable the port.
show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled; only non-default information displays in the show config command output. An ARP proxy operation is performed on the VLT peer node IP address when the peer VLT node is down. The ARP proxy stops working either when the peer routing timer expires or when the peer VLT node comes back up. Layer 3 VLT provides higher resiliency at the Layer 3 forwarding level.
VLT Nodes as Rendezvous Points for Multicast Resiliency You can configure VLT peer nodes as rendezvous points (RPs) in a Protocol Independent Multicast (PIM) domain. PIM uses a VLT node as the RP to distribute multicast traffic to a multicast group. Messages to join the multicast group (Join messages) and data are sent towards the RP, so that receivers can discover who the senders are and begin receiving traffic destined for the multicast group.
    DellEMC(conf-vlt-domain)#peer-link port-channel 1
    DellEMC(conf-vlt-domain)#back-up destination 10.16.151.116
    DellEMC(conf-vlt-domain)#primary-priority 100
    DellEMC(conf-vlt-domain)#system-mac mac-address 00:00:00:11:11:11
    DellEMC(conf-vlt-domain)#unit-id 0
    DellEMC(conf-vlt-domain)#
    DellEMC#show running-config vlt
    !
    vlt domain 1
     peer-link port-channel 1
     back-up destination 10.16.151.
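The following Python check is an added example, not Dell EMC Networking OS code and not part of this guide: it parses the vlt domain block from each peer's show running-config vlt output and reports the mismatches this chapter says break a VLT domain (different domain IDs, a back-up destination that is not the other peer's management address, a duplicate unit-id, timers outside their documented ranges). The peer configurations and management addresses in it are constructed.

```python
"""Consistency checks for a pair of VLT peer configurations (added example,
not Dell EMC Networking OS code).  It parses the 'vlt domain' block that
'show running-config vlt' prints on each peer and flags what the guide says
breaks a VLT domain: different domain IDs, a backup destination that is not
the other peer's management address, duplicate unit IDs, out-of-range timers."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Timer ranges documented in the guide (domain IDs are 1-1000).
RANGES = {"delay-restore": (1, 1200), "peer-routing-timeout": (1, 65535),
          "multicast peer-routing-timeout": (1, 1200)}
TIMER_RE = re.compile(r"(delay-restore|peer-routing-timeout|multicast peer-routing-timeout) (\d+)")

@dataclass
class VltDomainConfig:
    domain: Optional[int] = None
    peer_link: Optional[int] = None
    backup_destination: Optional[str] = None
    system_mac: Optional[str] = None
    unit_id: Optional[int] = None
    primary_priority: int = 32768          # default; the lower value wins the primary role
    timers: Dict[str, int] = field(default_factory=dict)

def parse_vlt_block(text: str) -> VltDomainConfig:
    """Parse the 'vlt domain' block of 'show running-config vlt' output."""
    cfg = VltDomainConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlt domain (\d+)", line):
            cfg.domain = int(m.group(1))
        elif m := re.fullmatch(r"peer-link port-channel (\d+)", line):
            cfg.peer_link = int(m.group(1))
        elif m := re.fullmatch(r"back-up destination (\S+)", line):
            cfg.backup_destination = m.group(1)
        elif m := re.fullmatch(r"system-mac mac-address (\S+)", line):
            cfg.system_mac = m.group(1).lower()
        elif m := re.fullmatch(r"unit-id (\d+)", line):
            cfg.unit_id = int(m.group(1))
        elif m := re.fullmatch(r"primary-priority (\d+)", line):
            cfg.primary_priority = int(m.group(1))
        elif m := TIMER_RE.fullmatch(line):
            cfg.timers[m.group(1)] = int(m.group(2))
    return cfg

def check_vlt_pair(p1: VltDomainConfig, p1_mgmt: str,
                   p2: VltDomainConfig, p2_mgmt: str) -> List[str]:
    """Return findings for the pair; an empty list means it is consistent."""
    out: List[str] = []
    for name, cfg in (("peer1", p1), ("peer2", p2)):
        if cfg.domain is None:
            out.append(f"{name}: no 'vlt domain' configured")
        elif not 1 <= cfg.domain <= 1000:
            out.append(f"{name}: domain id {cfg.domain} outside 1-1000")
        if cfg.peer_link is None:
            out.append(f"{name}: no peer-link port-channel (VLTi) configured")
        for timer, value in cfg.timers.items():
            lo, hi = RANGES[timer]
            if not lo <= value <= hi:
                out.append(f"{name}: {timer} {value} outside {lo}-{hi}")
    if p1.domain != p2.domain:                    # same domain ID on both peers
        out.append(f"domain id mismatch: {p1.domain} vs {p2.domain}")
    # Each backup destination must be the management address of the *other* peer.
    if p1.backup_destination != p2_mgmt:
        out.append(f"peer1 back-up destination {p1.backup_destination} != peer2 mgmt {p2_mgmt}")
    if p2.backup_destination != p1_mgmt:
        out.append(f"peer2 back-up destination {p2.backup_destination} != peer1 mgmt {p1_mgmt}")
    if p1.system_mac != p2.system_mac:            # one VLT system MAC shared by both peers
        out.append(f"system-mac mismatch: {p1.system_mac} vs {p2.system_mac}")
    if p1.unit_id is not None and p1.unit_id == p2.unit_id:   # unit IDs must differ
        out.append(f"both peers use unit-id {p1.unit_id}")
    return out

def expected_primary(p1: VltDomainConfig, p2: VltDomainConfig) -> Optional[str]:
    """Lower primary-priority becomes primary; None means the MAC-based election decides."""
    if p1.primary_priority == p2.primary_priority:
        return None
    return "peer1" if p1.primary_priority < p2.primary_priority else "peer2"

# Constructed 'show running-config vlt' output for the two peers.
PEER1_CONFIG = """vlt domain 1
 peer-link port-channel 1
 back-up destination 192.0.2.2
 primary-priority 100
 system-mac mac-address 00:00:00:11:11:11
 unit-id 0
 peer-routing
 delay-restore 90"""
PEER2_CONFIG = PEER1_CONFIG.replace("192.0.2.2", "192.0.2.1") \
    .replace("primary-priority 100", "primary-priority 55000").replace("unit-id 0", "unit-id 1")
# A drifted peer2: wrong domain, duplicate unit-id, backup link pointing at itself, timer out of range.
PEER2_DRIFTED = PEER2_CONFIG.replace("vlt domain 1", "vlt domain 2").replace("unit-id 1", "unit-id 0") \
    .replace("192.0.2.1", "192.0.2.2").replace("delay-restore 90", "delay-restore 5000")

if __name__ == "__main__":
    p1, p2, bad = (parse_vlt_block(c) for c in (PEER1_CONFIG, PEER2_CONFIG, PEER2_DRIFTED))
    print("consistent pair:", check_vlt_pair(p1, "192.0.2.1", p2, "192.0.2.2") or "no findings")
    print("expected primary:", expected_primary(p1, p2))
    for finding in check_vlt_pair(p1, "192.0.2.1", bad, "192.0.2.2"):
        print("drifted pair:", finding)
```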
    Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated, O - Openflow
    Q: U - Untagged, T - Tagged
       x - Dot1x untagged, X - Dot1x tagged
       o - OpenFlow untagged, O - OpenFlow tagged
       G - GVRP tagged, M - Vlan-stack
       i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged

        NUM    Status    Description    Q  Ports
        50     Active                   M  Po10(Te 1/8)
                                        M  Po20(Te 1/12)
                                        V  Po1(Te 1/30-32)
    DellEMC#

Sample Configuration of VLAN-Stack Over VLT (Peer 2)

Configure
    DellEMC(conf-if-vl-50-stack)#member port-channel 10
    DellEMC(conf-if-vl-50-stack)#member port-channel 20
    DellEMC(conf-if-vl-50-stack)#
    DellEMC#show running-config interface vlan 50
    !
    interface Vlan 50
     vlan-stack compatible
     member Port-channel 10,20
     shutdown
    DellEMC#

Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN

    DellEMC#show vlan id 50
    Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated, O - Openflow
    Q: U
VLT node, node2, owing to LAG-level hashing in the ToR switch, it is routed instead of being forwarded to node1. This processing occurs because of the match (hit) for the entry in the TCAM of VLT node2.

Synchronization of IPv6 ND Entries in a VLT Domain

Because the VLT nodes appear as a single unit, the ND entries learned via the VLT interface are expected to be the same on both VLT nodes.
Figure 149. Sample Configuration of IPv6 Peer Routing in a VLT Domain

Sample Configuration of IPv6 Peer Routing in a VLT Domain

Consider a sample scenario, as shown in the figure, in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link. To the south of the VLT domain, Unit1 and Unit2 are connected to a ToR switch named Node B. Also, Unit1 is connected to another node, Node A, and Unit2 is linked to a node, Node C.
Consider a case in which an NS for the VLT node1 IP reaches VLT node1 on the VLT interface, and an NS for the VLT node1 IP reaches VLT node2 due to LAG-level hashing in the ToR. When VLT node1 receives the NS from the VLT VLAN interface, it unicasts the NA packet on the VLT interface. When the NS reaches VLT node2, it is flooded on all interfaces, including the ICL. When VLT node1 receives the NS on the ICL, it floods the NA packet on the VLAN. If the NS is unicast and it reaches the wrong VLT peer, it is lifted to the CPU using an ACL entry.
When a VLT node receives traffic from a non-VLT host intended for a VLT host, it routes the traffic to the VLT interface. If the VLT interface is not operationally up, the VLT node routes the traffic over the ICL.

Non-VLT host to North Bound traffic flow

When a VLT node receives traffic from a non-VLT host intended for a north-bound destination, with a DMAC equal to its own MAC, it routes the traffic to the next hop.
ToR

1. Enable BFD globally.
       TOR(conf)# bfd enable
2. Configure a VLT peer LAG.
       TOR(conf)#interface tengigabitethernet 1/1
       TOR(conf-if-te-1/1)#no ip address
       TOR(conf-if-te-1/1)#port-channel-protocol lacp
       TOR(conf-if-te-1/1)#port-channel 10 mode active
       TOR(conf-if-te-1/1)#no shutdown
       TOR(conf)#interface tengigabitethernet 1/2
       TOR(conf-if-te-1/2)#no ip address
       TOR(conf-if-te-1/2)#port-channel-protocol lacp
       TOR(conf-if-te-1/2)#port-channel 10 mode active
       TOR(conf-if-te-1/2)#no shutdown
3.
5. Enable BFD over OSPF.
       TOR(conf)# router ospf 1
       TOR(conf-router_ospf)# network 100.1.1.0/24 area 0
       TOR(conf-router_ospf)# bfd all-neighbors

VLT Primary

1. Enable BFD globally.
       VLT_Primary(conf)# bfd enable
2. Configure the port channel that is used as the VLTi link.
       VLT_Primary(conf)# interface port-channel 100
       VLT_Primary(conf-if-po-100)# no ip address
       VLT_Primary(conf-if-po-100)# channel-member tengigabitethernet 1/1, 1/2
       VLT_Primary(conf-if-po-100)# no shutdown
3. Enable VLT and configure a VLT domain.
2. Configure the port channel that is used as the VLTi link.
       VLT_Secondary(conf)# interface port-channel 100
       VLT_Secondary(conf-if-po-100)# no ip address
       VLT_Secondary(conf-if-po-100)# channel-member tengigabitethernet 1/1, 1/2
       VLT_Secondary(conf-if-po-100)# no shutdown
3. Enable VLT and configure a VLT domain.
       VLT_Secondary(conf)# vlt domain 100
       VLT_Secondary(conf-vlt-domain)# peer-link port-channel 100
       VLT_Secondary(conf-vlt-domain)# back-up destination 10.16.206.
       VLT_Secondary(conf-vlt-domain)#
    Delay-Restore Abort Threshold: 60 seconds
    Peer-Routing : Enabled
    Peer-Routing-Timeout timer: 0 seconds
    Multicast peer-routing timeout: 150 seconds

● To verify that the VLTi (ICL) link is up on the VLT secondary peer, use the show vlt brief command.
61 VLT Proxy Gateway

The virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration. For more information, see the Command Line Reference Guide.
Figure 151. Sample Configuration for a VLT Proxy Gateway

Guidelines for Enabling the VLT Proxy Gateway

Keep the following points in mind when you enable a VLT proxy gateway:

● Proxy gateway is supported only for VLT; for example, across a VLT domain.
● You must enable the VLT peer-routing command for the VLT proxy gateway to function.
● Private VLANs (PVLANs) are not supported.
● When a Virtual Machine (VM) moves from one VLT domain to another VLT domain, the VM host sends a gratuitous ARP (GARP), which in turn triggers a MAC movement from the previous VLT domain to the new VLT domain.
● After a station move, if the host sends a TTL 1 packet destined to its gateway (for example, a previous VLT node), the packet can be dropped.
● You cannot have interface-level LLDP disable commands on the interfaces configured for proxy gateway, and you must enable both transmission and reception.
● You must connect both units of the remote VLT domain by the port channel member.
● If you connect more than one port to a unit of the remote VLT domain, the connection must be completed by the time you enable the proxy gateway LLDP.
● You cannot have other conflicting configurations (for example, you cannot have a static proxy gateway configuration).
For VLT Proxy Gateway to work in this scenario you must configure the VLT-peer-mac transmit command under VLT Domain Proxy Gateway LLDP mode, in both C and D (VLT domain 1) and C1 and D1 (VLT domain 2). This behavior is applicable only in the LLDP configuration and not required in the static configuration.
Sample Dynamic Proxy Configuration on C switch or C1 switch

    Switch_C#conf
    Switch_C(conf)#vlt domain 1
    Switch_C(conf-vlt-domain1)#proxy-gateway lldp
    Switch_C(conf-vlt-domain1-pxy-gw-lldp)#peer-domain-link port-channel 1....

VLT Proxy Gateway Sample Topology

VLT proxy gateway enables one VLT domain to act as the proxy gateway for another VLT domain when a host or virtual machine is moved from one VLT domain to the other.
    interface TenGigabitEthernet 0/9
     description "To DELL-3 10Gb"
     no ip address
    !
     port-channel-protocol LACP
      port-channel 50 mode active
     no shutdown
    interface Port-channel 50
     description "mVLT port channel to DELL-3"
     no ip address
     switchport
     no spanning-tree
     vlt-peer-lag port-channel 50
     no shutdown

Note that on the inter-domain link the switchport command is enabled. On a VLTi link between VLT peers in a VLT domain, the switchport command is not used.
The MAC addresses configured using the remote-mac-address command belong to Dell-3 and Dell-4.

    interface Vlan 100
     description OSPF peering VLAN to Dell-1
     ip address 10.10.100.2/30
     ip ospf network point-to-point
     no shutdown

The following is the OSPF configuration on Dell-2.

    router ospf 1
     router-id 2.2.2.2
     network 10.10.100.0/30 area 0

The following output shows that Dell-1 forms OSPF neighborship with Dell-2.

    Dell-2#sh ip ospf nei
    Neighbor ID  Pri  State  Dead Time  Address  Interface  Area
    4.4.4.
     ip ospf network point-to-point
     no shutdown

The following is the OSPF configuration on Dell-3.

    router ospf 1
     router-id 3.3.3.3
     network 10.10.101.0/30 area 0
     network 10.10.102.0/30 area 0

The following output shows that Dell-4 and VLT domain 120 form OSPF neighborship with Dell-3.

    Dell-3#sh ip ospf nei
    !
    Neighbor ID  Pri  State    Dead Time  Address      Interface  Area
    4.4.4.4      1    FULL/ -  00:00:33   10.10.101.1  Vl 101     0
    1.1.1.1      1    FULL/ -  00:00:34   10.10.102.
62 Virtual Routing and Forwarding (VRF)

Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. VRF allows multiple instances of a routing table to co-exist within the same router at the same time.
Figure 154. VRF Network Example

VRF Configuration Notes

Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
NOTE: To configure a router ID in a non-default VRF, configure at least one IP address in both the default and the non-default VRF.

Table 130. Software Features Supported on VRF

Feature/Capability    Support Status for Default VRF    Support Status for Non-default VRF
802.
DHCP

DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance.

VRF Configuration

The VRF configuration tasks are:
1. Enabling VRF in Configuration Mode
2. Creating a Non-Default VRF
3. Assigning an Interface to a VRF

You can also:
● View VRF Instance Information
● Connect an OSPF Process to a VRF Instance
● Configure VRRP on a VRF

Loading VRF CAM

● Load CAM memory for the VRF feature.
2. Assign the interface to the management VRF.
   INTERFACE CONFIGURATION
   ip vrf forwarding management
   Before assigning a front-end port to a management VRF, ensure that no IP address is configured on the interface.
3. Assign an IPv4 address to the interface.
   INTERFACE CONFIGURATION
   ip address 10.1.1.1/24
4. Assign an IPv6 address to the interface.
Table 131. Configuring VRRP on a VRF (continued)
(Columns: Task, Command Syntax, Command Mode)

Task: Assign an IP address to the interface
  Command Syntax: ip address 10.1.1.1/24
                  no shutdown

Task: Configure the VRRP group and virtual IP address
  Command Syntax: vrrp-group 10
                  virtual-address 10.1.1.100

Task: View VRRP command output for the VRF vrf1
  Command Syntax: show config
    ----------------------------
    !
    interface TenGigabitEthernet 1/13
     ip vrf forwarding vrf1
     ip address 10.1.1.1/24
     !
     vrrp-group 10
      virtual-address 10.1.1.
● ipv6 nd reachable-time — Set advertised reachability time
● ipv6 nd retrans-timer — Set NS retransmit interval used and advertised in RA
● ipv6 nd suppress-ra — Suppress IPv6 Router Advertisements
● ipv6 ad — IPv6 Address Detection
● ipv6 ad autoconfig — IPv6 stateless auto-configuration
● ipv6 address — Configure IPv6 address on an interface

NOTE: The command line help still displays relevant details corresponding to each of these commands.
Figure 156. Setup VRF Interfaces

The following example relates to the configuration shown in the above illustrations.

Router 1

    ip vrf blue 1
    !
    ip vrf orange 2
    !
    ip vrf green 3
    !
    interface TenGigabitEthernet
     no ip address
     switchport
     no shutdown
    !
    interface TenGigabitEthernet
     ip vrf forwarding blue
     ip address 10.0.0.1/24
     no shutdown
    !
    interface TenGigabitEthernet
     ip vrf forwarding orange
     ip address 20.0.0.1/24
     no shutdown
    !
    interface TenGigabitEthernet
     ip vrf forwarding green
     ip address 30.0.0.
     ip vrf forwarding blue
     ip address 1.0.0.1/24
     tagged TenGigabitEthernet 3/1
     no shutdown
    !
    interface Vlan 192
     ip vrf forwarding orange
     ip address 2.0.0.1/24
     tagged TenGigabitEthernet 3/1
     no shutdown
    !
    interface Vlan 256
     ip vrf forwarding green
     ip address 3.0.0.1/24
     tagged TenGigabitEthernet 3/1
     no shutdown
    !
    router ospf 1 vrf blue
     router-id 1.0.0.1
     network 1.0.0.0/24 area 0
     network 10.0.0.0/24 area 0
    !
    router ospf 2 vrf orange
     router-id 2.0.0.1
     network 2.0.0.0/24 area 0
     network 20.0.0.
    !
    router ospf 1 vrf blue
     router-id 1.0.0.2
     network 11.0.0.0/24 area 0
     network 1.0.0.0/24 area 0
     passive-interface TenGigabitEthernet 2/1
    !
    router ospf 2 vrf orange
     router-id 2.0.0.2
     network 21.0.0.0/24 area 0
     network 2.0.0.0/24 area 0
     passive-interface TenGigabitEthernet 2/2
    !
    ip route vrf green 30.0.0.0/24 3.0.0.1
    !

The following shows the output of the show commands on Router 1.
    Destination      Gateway          Dist/Metric  Last Change
    -----------      -------          -----------  -----------
    C 2.0.0.0/24     Direct, Vl 192
    C 20.0.0.0/24    Direct, Te 1/2
    O 21.0.0.0/24    via 2.0.0.                    00:10:41
C 11.0.0.
Dynamic Route Leaking Route Leaking is a powerful feature that enables communication between isolated (virtual) routing domains by segregating and sharing a set of services such as VOIP, Video, and so on that are available on one routing domain with other virtual domains. Inter-VRF Route Leaking enables a VRF to leak or export routes that are present in its RTM to one or more VRFs.
   ip route-import 1:1
5. Configure the export target in VRF-red.
   ip route-export 2:2
6. Configure VRF-blue.
   ip vrf vrf-blue
   interface-type slot/port
   ip vrf forwarding VRF-blue
   ip address ip-address mask
   A non-default VRF named VRF-blue is created and the interface 1/12 is assigned to it.
7. Configure the import target in VRF-blue.
   ip route-import 1:1
8. Configure the export target in VRF-blue.
   ip route-import 3:3
9. Configure VRF-green.
DellEMC# show ip route vrf VRF-Shared
O  44.4.4.4/32     via 144.4.4.4               110/0   00:00:11
C  144.4.4.0/24    Direct, Te 1/4              0/0     00:32:36

Show routing tables of VRFs (after route-export and route-import tags are configured).

DellEMC# show ip route vrf VRF-Red
O  11.1.1.1/32     via 111.1.1.1               110/0   00:00:10
C  111.1.1.0/24    Direct, Te 1/11             0/0     22:39:59
O  44.4.4.4/32     via VRF-shared:144.4.4.4    0/0     00:32:36
C  144.4.4.0/24    Direct, VRF-shared:Te 1/4   0/0     00:32:36

DellEMC# show ip route vrf VRF-Blue
O  22.2.2.2/32     via 122.2.2.
You can use the match source-protocol or match ip-address commands to specify matching criteria for importing or exporting routes between VRFs. NOTE: You must use the match source-protocol or match ip-address commands in conjunction with the route-map command to be able to define the match criteria for route leaking. Consider a scenario where you have created two VRF tables VRF-red and VRF-blue. VRF-red exports routes with the export_ospfbgp_protocol route-map to VRF-blue.
The show run output for the above configuration is as follows:

ip vrf vrf-Red
 ip route-export 1:1 export_ospfbgp_protocol
 ip route-import 2:2
 ! this action exports only the OSPF and BGP routes to other VRFs
!
ip vrf vrf-Blue
 ip route-export 2:2
 ip route-import 1:1 import_ospf_protocol
 ! this action accepts only OSPF routes from VRF-red even though both OSPF and BGP routes are shared

The show VRF commands display the following output:

DellEMC# show ip route vrf VRF-Blue
C  122.2.2.
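The export/import interaction above is easy to misread: a route crosses into VRF-blue only if VRF-red's export route-map lets it out and VRF-blue's import route-map lets it in. The following model is an added example, not Dell EMC Networking OS code. The VRF names and the 1:1 / 2:2 tags follow the scenario in the text; the routes placed in each table (including the 55.5.5.0/24 BGP route) are constructed sample data, and the route-maps are modelled only as `match source-protocol` sets.

```python
"""Model of inter-VRF route leaking with export/import route targets and
route-map style source-protocol filters.

Added example, not Dell EMC Networking OS code. VRF names and the 1:1 / 2:2
tags follow the VRF-red / VRF-blue scenario in the text; the routes placed in
each table are constructed sample data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    protocol: str  # "ospf", "bgp", "connected", "static"


@dataclass
class Vrf:
    name: str
    rtm: set = field(default_factory=set)
    # tag -> set of source protocols allowed by the route-map (None = no route-map)
    export_targets: dict = field(default_factory=dict)
    import_targets: dict = field(default_factory=dict)

    def route_export(self, tag, match_source_protocol=None):
        """Equivalent of: ip route-export <tag> [route-map]"""
        self.export_targets[tag] = match_source_protocol

    def route_import(self, tag, match_source_protocol=None):
        """Equivalent of: ip route-import <tag> [route-map]"""
        self.import_targets[tag] = match_source_protocol


def leak_routes(vrfs):
    """Return {vrf name: {(prefix, source vrf, protocol)}} of routes leaked
    into each VRF. A route crosses only if the exporting VRF's route-map lets
    it out AND the importing VRF's route-map lets it in; the import filter is
    the receiving domain's own control and does not rely on the exporter."""
    leaked = {v.name: set() for v in vrfs}
    for src in vrfs:
        for tag, export_filter in src.export_targets.items():
            for dst in vrfs:
                if dst is src or tag not in dst.import_targets:
                    continue
                import_filter = dst.import_targets[tag]
                for r in src.rtm:
                    if export_filter is not None and r.protocol not in export_filter:
                        continue
                    if import_filter is not None and r.protocol not in import_filter:
                        continue
                    leaked[dst.name].add((r.prefix, src.name, r.protocol))
    return leaked


def red_blue_scenario():
    """The scenario from the text: VRF-red exports OSPF and BGP, VRF-blue
    accepts only OSPF. The routes in each RTM are constructed."""
    red, blue = Vrf("VRF-red"), Vrf("VRF-blue")
    red.rtm |= {
        Route("11.1.1.1/32", "111.1.1.1", "ospf"),
        Route("55.5.5.0/24", "111.1.1.1", "bgp"),       # constructed BGP route
        Route("111.1.1.0/24", "Te 1/11", "connected"),
    }
    blue.rtm |= {Route("22.2.2.2/32", "122.2.2.2", "ospf")}
    red.route_export("1:1", {"ospf", "bgp"})   # route-map export_ospfbgp_protocol
    red.route_import("2:2")
    blue.route_export("2:2")
    blue.route_import("1:1", {"ospf"})         # route-map import_ospf_protocol
    return leak_routes([red, blue])


if __name__ == "__main__":
    for vrf, routes in red_blue_scenario().items():
        print(vrf, sorted(routes))
```

Running the scenario shows VRF-blue receiving only 11.1.1.1/32 (the BGP route is dropped by the import map, the connected route by the export map), while VRF-red receives 22.2.2.2/32 unfiltered. Because leaking deliberately crosses an isolation boundary, the import-side route-map is the check to review on the receiving VRF.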
63 Virtual Router Redundancy Protocol (VRRP)

Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network.

Topics:
• VRRP Overview
• VRRP Benefits
• VRRP Implementation
• VRRP Configuration
• Sample Configurations

VRRP Overview
VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 157. Basic VRRP Configuration

VRRP Benefits
With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and do not depend on interior gateway protocols (IGPs) converging or updating routing tables. In conjunction with Virtual Link Trunking (VLT), you can configure optimized forwarding with virtual router redundancy protocol (VRRP).
NOTE: In a VLT environment, VRRP operates active-active; if a route is not present on one of the VRRP nodes, packets to that destination are dropped on that VRRP node.

Table 132.
The following example shows how to configure VRRP.
DellEMC(conf)#interface tengigabitethernet 1/1
DellEMC(conf-if-te-1/1)#vrrp-group 111
DellEMC(conf-if-te-1/1-vrid-111)#

The following example shows how to verify the VRRP configuration.
DellEMC(conf-if-te-1/1)#show conf
!
interface TenGigabitEthernet 1/1
 ip address 10.10.10.
3. Set the backup switches to version 3.
 Dell_backup_switch1(conf-if-te-1/1-vrid-100)#version 3
 Dell_backup_switch2(conf-if-te-1/2-vrid-100)#version 3

Assign Virtual IP addresses
Virtual routers contain virtual IP addresses configured for that VRRP group (VRID). A VRRP group does not transmit VRRP packets until you assign the Virtual IP address to the VRRP group.
  priority 255
  virtual-address 10.10.10.1
  virtual-address 10.10.10.2
  virtual-address 10.10.10.3
 !
 vrrp-group 222
 no shutdown

The following example shows the same VRRP group (VRID 111) configured on multiple interfaces on different subnets.
DellEMC#show vrrp
------------------
TenGigabitEthernet 1/1, VRID: 111, Version: 2, Net: 10.10.10.1
VRF: 0 default
State: Master, Priority: 255, Master: 10.10.10.

 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
------------------
TenGigabitEthernet 1/2, VRID: 111, Net: 10.10.2.1
VRF: 0 default
State: Master, Priority: 125, Master: 10.10.2.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 601, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.2.2 10.10.2.
● Prevent any BACKUP router with a higher priority from becoming the MASTER router.
 INTERFACE-VRID mode
 no preempt
Re-enable preempt by entering the preempt command. When you enable preempt, it does not display in the show commands, because it is a default setting.

The following example shows how to disable preempt using the no preempt command.
The following example shows how to change the advertise interval using the advertise-interval command.
DellEMC(conf-if-te-1/1)#vrrp-group 111
DellEMC(conf-if-te-1/1-vrid-111)#advertise-interval 10
DellEMC(conf-if-te-1/1-vrid-111)#

The following example shows how to verify the advertise interval change using the show conf command.
DellEMC(conf-if-te-1/1-vrid-111)#show conf
!
 vrrp-group 111
  advertise-interval 10
  authentication-type simple 7 387a7f2df5969da4
  no preempt
  priority 255
  virtual-address 10.10.10.
● (Optional) Display the configuration and the UP or DOWN state of tracked objects, including the client (VRRP group) that is tracking an object's state.
 EXEC mode or EXEC Privilege mode
 show track
● (Optional) Display the configuration and the UP or DOWN state of tracked interfaces and objects in VRRP groups, including the time since the last change in an object's state.
 2007::1 fe80::1
Tracking states for 2 resource Ids:
 2 - Up  IPv6 route, 2040::/64, priority-cost 20, 00:02:11
 3 - Up  IPv6 route, 2050::/64, priority-cost 30, 00:02:11

The following example shows verifying the VRRP configuration on an interface.
Figure 158. VRRP for IPv6 Topology

NOTE: This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, and so on.
NOTE: The virtual IPv6 address you configure should be the same as the IPv6 subnet to which the interface belongs.
 00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe80::255

DellEMC#show vrrp tengigabitethernet 2/8
TenGigabitEthernet 2/8, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:e9ed
VRF: 0 default
State: Master, Priority: 110, Master: fe80::201:e8ff:fe8a:e9ed (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 120
Virtual MAC address: 00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe80::255
DellEMC# D
Sample Configurations
Before you set up VRRP, review the following sample configurations.

VRRP for an IPv4 Configuration
The following configuration shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-te-2/31-vrid-99)#no shut
R2(conf-if-te-2/31)#show conf
!
interface TenGigabitEthernet 2/31
 ip address 10.1.1.1/24
 !
 vrrp-group 99
  priority 200
  virtual-address 10.1.1.3
 no shutdown
R2(conf-if-te-2/31)#end
R2#show vrrp
------------------
TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
VRF: 0 default
State: Master, Priority: 200, Master: 10.1.1.
Figure 160. VRRP for an IPv6 Configuration

NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with MASTER status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.

The following example shows how to configure VRRP for IPv6 on Router 2 and Router 3. Configure a virtual link-local (fe80) address for each VRRPv3 group created on an interface.
 vrrp-group 10
  priority 100
  virtual-address fe80::10
  virtual-address 1::10
 no shutdown
R2(conf-if-te-1/1)#end
R2#show vrrp
------------------
TenGigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net: fe80::201:e8ff:fe6a:c59f
VRF: 0 default
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP addre
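The master-election rules spread across this chapter (priority, the preempt setting, address tie-breaking, and the NOTE above about an equal-priority newcomer) can be checked against a small model. The following is an added example, not Dell EMC Networking OS code; the router names and addresses are constructed, and the virtual MAC derivation is the RFC 5798 rule that the show vrrp outputs above follow (VRID 111 gives 00:00:5e:00:01:6f, IPv6 VRID 10 gives 00:00:5e:00:02:0a).

```python
"""VRRP master election and virtual MAC derivation.

Added example, not Dell EMC Networking OS code. It implements the priority,
preempt and equal-priority rules described in this chapter; router names and
addresses are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass
class VrrpRouter:
    name: str
    address: str          # primary interface address, used for tie-breaking
    priority: int = 100   # 255 = address owner
    preempt: bool = True  # the default; 'no preempt' clears it


def virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """RFC 5798 virtual MAC: 00:00:5e:00:01:<VRID> for IPv4, 00:00:5e:00:02:<VRID>
    for IPv6. Matches the 'Virtual MAC address' lines in show vrrp output."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    family_octet = 2 if ipv6 else 1
    return f"00:00:5e:00:{family_octet:02x}:{vrid:02x}"


def elect_master(routers, current_master=None):
    """Return the name of the router that should hold MASTER state.

    * Fresh election (no current master): highest priority wins, ties broken
      by the higher interface address.
    * Running group: the current master keeps MASTER unless a router with
      strictly higher priority and preempt enabled, or the address owner
      (priority 255), is present. A newcomer with equal priority never takes
      over, even with a higher address (the NOTE above)."""
    def rank(r):
        return (r.priority, int(ipaddress.ip_address(r.address)))

    best = max(routers, key=rank)
    if current_master is None:
        return best.name
    current = next(r for r in routers if r.name == current_master)
    if best.priority == 255 or (best.priority > current.priority and best.preempt):
        return best.name
    return current.name


if __name__ == "__main__":
    r1 = VrrpRouter("R1", "10.1.1.1", priority=100)
    r9 = VrrpRouter("R9", "10.1.1.9", priority=100)   # same priority, higher address
    print(elect_master([r1, r9], current_master="R1"))  # R1 keeps MASTER
    print(virtual_mac(99), virtual_mac(10, ipv6=True))
```

The `preempt` flag belongs to the candidate router: with `no preempt` configured on a higher-priority backup, the running master is left alone, which is the behaviour described for the no preempt command.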
Both Switch-1 and Switch-2 have three VRF instances defined: VRF-1, VRF-2, and VRF-3. Each VRF has a separate physical interface to a LAN switch and an upstream VPN interface to connect to the Internet. Both Switch-1 and Switch-2 use VRRP groups on each VRF instance so that there is one MASTER and one backup router for each VRF. In VRF-1 and VRF-2, Switch-2 serves as owner-master of the VRRP group and Switch-1 serves as the backup. On VRF-3, Switch-1 is the owner-master and Switch-2 is the backup.
% Info: The VRID used by the VRRP group 11 in VRF 2 will be 178.
S1(conf-if-te-1/2-vrid-101)#priority 100
S1(conf-if-te-1/2-vrid-101)#virtual-address 10.10.1.2
S1(conf-if-te-1/2)#no shutdown
!
S1(conf)#interface TenGigabitEthernet 1/3
S1(conf-if-te-1/3)#ip vrf forwarding VRF-3
S1(conf-if-te-1/3)#ip address 20.1.1.5/24
S1(conf-if-te-1/3)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S1(conf-if-te-1/3-vrid-105)#priority 255
S1(conf-if-te-1/3-vrid-105)#virtual-address 20.1.1.
VLAN Scenario In another scenario, to connect to the LAN, VRF-1, VRF-2, and VRF-3 use a single physical interface with multiple tagged VLANs (instead of separate physical interfaces). In this case, you configure three VLANs: VLAN-100, VLAN-200, and VLAN-300. Each VLAN is a member of one VRF. A physical interface (tengigabitethernet 1/1 ) attaches to the LAN and is configured as a tagged interface in VLAN-100, VLAN-200, and VLAN-300. The rest of this example is similar to the non-VLAN scenario.
Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1
VRF: 2 vrf2
State: Master, Priority: 100, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 10.1.1.

Virtual MAC address: 00:00:5e:00:01:0a
Virtual IP address: 20.1.1.100
Authentication: (none)

DellEMC#show vrrp vrf vrf2 port-channel 1
------------------
Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1
VRF: 2 vrf2
State: Master, Priority: 100, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 10.1.1.
64 Debugging and Diagnostics

This chapter describes debugging and diagnostics for the device.
You cannot enter this command on a MASTER or Standby stack unit.

NOTE: The system reboots when the offline diagnostics complete. This is an automatic process. The following warning message appears when you enter the offline stack-unit command:
Warning - Diagnostic execution will cause stack-unit to reboot after completion of diags.
Proceed with Offline-Diags [confirm yes/no]:y

After the system goes offline, you must reload, or run the online stack-unit stack-unit-number command, to return the unit to normal operation.
 9    Member    not present
 10   Member    not present
 11   Member    not present

-- Power Supplies --
Unit  Bay  Status  Type     FanSpeed(rpm)
---------------------------------------------------------------------------
0     0    down    UNKNOWN  0
0     1    up      AC       14000

-- Fan Status --
Unit  Bay  TrayStatus  Fan0  Speed   Fan1  Speed
------------------------------------------------------------------------------------
0     0    up          up    13466   up    13466
0     1    up          up    13653   up    13466
Speed in RPM

The following example shows the diag command (standalone unit).
Stack Unit Board temperature : 46 Degree C
Stack Unit Number            : 0

**************************Stack Unit EEPROM INFO**************************
**************MFG INFO*******************
Data in Chassis Eeprom
Vendor Id             :
Country Code          :
Date Code             :
Serial Number         :
Part Number           :
Product Revision      :
Product Order Number  :
Mfg Info is listed as...
Last Restart Reason
If the system restarts for some reason (automatically or manually), the show system command output includes the reason for the restart. The following table shows the reasons displayed in the output and their corresponding causes.

Table 133.
 show hardware stack-unit {0-11} cpu party-bus statistics
● View the ingress and egress internal packet-drop counters, MAC counter drops, and FP packet drops for the stack unit on a per-port basis.
 EXEC Privilege mode
 show hardware stack-unit {0-11} drops unit {0-1} port {1-64}
 This view helps identify the stack unit, port pipe, or port that may be experiencing internal drops.
● View the input and output statistics for a stack-port interface.
QSFP 52 Serial ID Extended Fields
QSFP 52   BR max = 0
QSFP 52   BR min = 0
QSFP 52   Vendor SN = QC050955
QSFP 52   Datecode = 120205
QSFP 52   CheckCodeExt = 0x2b

QSFP 52 Diagnostic Information
===================================
QSFP 52 Rx Power measurement type
===================================
QSFP 52 Temp High Alarm threshold
QSFP 52 Voltage High Alarm threshold
QSFP 52 Bias High Alarm threshold
QSFP 52 RX Power High Alarm threshold
QSFP 52 Temp Low Alarm threshold
QSFP 52 Voltage Low Alarm threshold
QSFP
Unit3   Minor Off 55   Minor 60   Major Off 75   Major 80   Shutdown 85

Troubleshoot an Over-temperature Condition
To troubleshoot an over-temperature condition, use the following information.
1. Use the show environment commands to monitor the temperature levels.
2. Check air flow through the system. Ensure that the air ducts are clean and that all fans are working correctly.
3. After the software has determined that the temperature levels are within normal limits, you can re-power the card safely.
Table 134. SNMP Traps and OIDs (continued)
OID String | OID Name | Description
.1.3.6.1.4.1.6027.3.27.1.5 | dellNetFpStatsPerPortTable | View the forwarding plane statistics containing the packet buffer usage per port per stack unit.
.1.3.6.1.4.1.6027.3.27.1.6 | dellNetFpStatsPerCOSTable | View the forwarding plane statistics containing the packet buffer statistics per COS per port.
● show hardware system-flow layer2 stack-unit stack-unit-number port-set 0 {counters | pipeline 0-3}
● show hardware drops interface interface
● show hardware buffer-stats-snapshot resource interface interface
● show hardware buffer interface interface {priority-group {id | all} | queue {id | all}} buffer-info
● show hardware buffer-stats-snapshot resource interface interface {priority-group {id | all} | queue {ucast {id | all} | mcast {id | all} | all}}
● show hardware drops interface interface
● clear har
Ingress MTUExceeds
--- MMU Drops ---
Ingress MMU Drops
HOL DROPS(TOTAL)
HOL DROPS on COS0
HOL DROPS on COS1
HOL DROPS on COS2
HOL DROPS on COS3
HOL DROPS on COS4
HOL DROPS on COS5
HOL DROPS on COS6
HOL DROPS on COS7
HOL DROPS on COS8
HOL DROPS on COS9
HOL DROPS on COS10
HOL DROPS on COS11
HOL DROPS on COS12
HOL DROPS on COS13
HOL DROPS on COS14
HOL DROPS on COS15
HOL DROPS on COS16
HOL DROPS on COS17
TxPurge CellErr
Aged Drops
--- Egress MAC counters ---
Egress FCS Drops
--- Egress FORWARD PROCESSOR ---
IPv4 L3UC Ag
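The drop counters above are most useful when something reduces them to the few that are non-zero. The following parser is an added example, not Dell EMC Networking OS code: it uses the section and counter names from the output above, but the sample text and every value in it are constructed, and the exact spacing of real output may differ.

```python
"""Flag non-zero internal drop counters in output shaped like
'show hardware stack-unit <n> drops unit <u> port <p>'.

Added example, not Dell EMC Networking OS code. Section and counter names
follow the output in this chapter; the sample text and its values are
constructed."""
import re

SECTION_RE = re.compile(r"^---\s*(?P<name>.+?)\s*---$")
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z0-9 ()_/-]+?)\s*:\s*(?P<value>\d+)$")

# Constructed sample in the shape of the drops output (values are made up).
SAMPLE_OUTPUT = """\
--- Ingress MAC counters ---
Ingress MTUExceeds          : 3
--- MMU Drops ---
Ingress MMU Drops           : 0
HOL DROPS(TOTAL)            : 1420
HOL DROPS on COS0           : 1400
HOL DROPS on COS1           : 0
HOL DROPS on COS3           : 20
TxPurge CellErr             : 0
Aged Drops                  : 0
--- Egress MAC counters ---
Egress FCS Drops            : 0
"""


def nonzero_drops(text):
    """Return {section: {counter: value}} containing only non-zero counters,
    so a port with nothing wrong yields an empty dict."""
    result, section = {}, "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = COUNTER_RE.match(line)
        if m and int(m.group("value")) > 0:
            result.setdefault(section, {})[m.group("name")] = int(m.group("value"))
    return result


def cos_with_hol_drops(text):
    """Queues (COS numbers) that show head-of-line drops, sorted ascending."""
    mmu = nonzero_drops(text).get("MMU Drops", {})
    return sorted(int(n) for name in mmu for n in re.findall(r"HOL DROPS on COS(\d+)", name))


if __name__ == "__main__":
    for section, counters in nonzero_drops(SAMPLE_OUTPUT).items():
        print(section, counters)
    print("COS with HOL drops:", cos_with_hol_drops(SAMPLE_OUTPUT))
```

Feeding the captured output of several ports through `nonzero_drops` and diffing the results between two captures is a quick way to see whether a drop counter is still climbing rather than historical.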
rxPkt(COS6 )     :0
rxPkt(COS7 )     :0
rxPkt(COS8 )     :773
rxPkt(COS9 )     :0
rxPkt(COS10)     :0
rxPkt(COS11)     :0
rxPkt(UNIT0)     :773
transmitted      :12698
txRequested      :12698
noTxDesc         :0
txError          :0
txReqTooLarge    :0
txInternalError  :0
txDatapathErr    :0
txPkt(COS0 )     :0
txPkt(COS1 )     :0
txPkt(COS2 )     :0
txPkt(COS3 )     :0
txPkt(COS4 )     :0
txPkt(COS5 )     :0
txPkt(COS6 )     :0
txPkt(COS7 )     :0
txPkt(COS8 )     :0
txPkt(COS9 )     :0
txPkt(COS10)     :0
txPkt(COS11)     :0
txPkt(UNIT0)     :0

Example of Viewing Party Bus Statistics
DellEMC#sh hardware stack-unit 1 c
Display Stack Member Counters You can use the show hardware command to display internal receive and transmit statistics, based on the selected command option. The following example is a sample of the output for the counters option.
RX - IPV6 L3 Unicast Frame Counter
--------------------
Interface Fo 0/60 :
Description
RX - IPV4 L3 Unicast Frame Counter
RX - IPV4 L3 routed multicast Packets
RX - IPV6 L3 Unicast Frame Counter
RX - IPV6 L3 routed multicast Packets
RX - Unicast Packet Counter
RX - 64 Byte Frame Counter
RX - 64 to 127 Byte Frame Counter
RX - 128 to 255 Byte Frame Counter
RX - 256 to 511 Byte Frame Counter
RX - 512 to 1023 Byte Frame Counter
RX - 1024 to 1518 Byte Frame Counter
RX - 1519 to 1522 Byte Good VLAN Frame Counter

RX - Unicast Packet Counter
RX - 64 Byte Frame Counter
RX - 65 to 127 Byte Frame Counter
RX - 128 to 255 Byte Frame Counter
RX - 256 to 511 Byte Frame Counter
RX - 512 to 1023 Byte Frame Counter
RX - 1024 to 1518 Byte Frame Counter
RX - 1519 to 1522 Byte Good VLAN Frame Counter
RX - 1519 to 2047 Byte Frame Counter
RX - 2048 to 4095 Byte Frame Counter
RX - 4096 to 9216 Byte Frame Counter
RX - Good Packet Counter
RX - Packet/Frame Counter
RX - Unicast Frame Counter
RX - Multicast Frame Counter
RX - Broadcast
A mini core dump contains critical information in the event of a crash. Mini core dump files are located in flash:/ (the root directory). The application mini core filename format is f10StkUnit..acore.mini.txt. The kernel mini core filename format is f10StkUnit.kcore.mini.txt. The following are sample filenames. When a member or standby unit crashes, the mini core file is uploaded to the master unit.
You can use the capture-duration timer and the packet-count counter at the same time. The TCP dump stops when the first of the thresholds is met. That means that even if the duration timer is 9000 seconds, if the maximum file count parameter is met first, the dumps stop. To enable a TCP dump, use the following command. ● Enable a TCP dump for CPU bound traffic.
65 Standards Compliance This chapter describes standards compliance for Dell EMC Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell EMC Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance
Dell EMC Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell EMC Networking OS first supports the standard.

General Internet Protocols
The following table lists the Dell EMC Networking OS support per platform for general internet protocols.

Table 135. General Internet Protocols
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
6 0 | Transfer Protocol | | | | | |
2474 | Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers | 7.7.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2615 | PPP over SONET/SDH | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2698 | | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
| | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.
Table 136. General IPv4 Protocols (continued)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1035 | DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (client) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1042 | A Standard for the Transmission of IP Datagrams over IEEE 802 Networks | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1191 | Path MTU Discovery | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.
Table 137. General IPv6 Protocols (continued)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
2462 (Partial) | IPv6 Stateless Address Autoconfiguration | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2464 | Transmission of IPv6 Packets over Ethernet Networks | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2675 | IPv6 Jumbograms | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2711 | IPv6 Router Alert Option | 8.3.12.0 | 9.8(0.
Table 138. Border Gateway Protocol (BGP) (continued)
RFC# | Full Name | S-Series/Z-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
2842 | Capabilities Advertisement with BGP-4 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2858 | Multiprotocol Extensions for BGP-4 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2918 | Route Refresh Capability for BGP-4 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
3065 | Autonomous System Confederations for BGP | 7.8.1 | 9.
Intermediate System to Intermediate System (IS-IS)
The following table lists the Dell EMC Networking OS support per platform for the IS-IS protocol.

Table 140. Intermediate System to Intermediate System (IS-IS)
RFC# | Full Name | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1142 | OSI IS-IS Intra-Domain Routing Protocol (ISO DP 10589) | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1195 | Use of OSI IS-IS for Routing in TCP/IP and Dual Environments | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.
Routing Information Protocol (RIP)
The following table lists the Dell EMC Networking OS support per platform for the RIP protocol.

Table 141. Routing Information Protocol (RIP)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1058 | Routing Information Protocol | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2453 | RIP Version 2 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
4191 | Default Router Preferences and More-Specific Routes | 8.3.12.0 | 9.8(0.
Table 143. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1156 | Management Information Base for Network Management of TCP/IP-based internets | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
1157 | A Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
1212 | Concise MIB Definitions | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.
2575 | View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
2576 | Coexistence Between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.
| Network Management Protocol (SNMP) | | | | | |
3418 | Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
3434 | Remote Monitoring MIB Extensions for High Capacity Alarms, High-Capacity Alarm Table (64 bits) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
3580 | IEEE 802.
IEEE 802.1AB | Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components. | 7.7.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
IEEE 802.1AB | The LLDP Management Information Base extension module for IEEE 802.1 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB) | 7.7.1 | 9.8(0.0P2) | 9.8(0.
FORCE10-IF-EXTENSION-MIB | Force10 Enterprise IF Extension MIB (extends the Interfaces portion of the MIB-2 (RFC 1213) by providing proprietary SNMP OIDs for other counters displayed in the "show interfaces" output) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
FORCE10-LINKAGG-MIB | Force10 Enterprise Link Aggregation MIB | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.
ALARM-MIB | | | | | | |

MIB Location
You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.aspx
You can also obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/CSPortal20/Main/Login.aspx
Some pages of iSupport require a login.
66 X.509v3

X.509v3 supports X.509v3 standards.

Topics:
• Introduction to X.509v3 certificates
• X.509v3 support in
• Information about installing CA certificates
• Information about Creating Certificate Signing Requests (CSR)
• Information about installing trusted certificates
• Transport layer security (TLS)
• Online Certificate Status Protocol (OCSP)
• Verifying certificates
• Event logging

Introduction to X.509v3 certificates
X.
Advantages of X.509v3 certificates
Public key authentication is preferred over password-based authentication, although both may be used in conjunction, for various reasons. Public-key authentication provides the following advantages over normal password-based authentication:
● Public-key authentication avoids the human problems of low-entropy password selection and provides more resistance to brute-force attacks than password-based authentication.
The other hosts on the network, such as the SUT switch, syslog server, and OCSP server, generate private keys and create Certificate Signing Requests (CSRs). The hosts then upload the CSRs to the Intermediate CA or make the CSRs available for the Intermediate CA to download. generates a CSR using the crypto cert generate request command. The hosts on the network (SUT, syslog, OCSP…) also download and install the CA certificates from the Root and Intermediate CAs.
After the CA certificate is installed, the system can secure communications with TLS servers by verifying certificates that are signed by the CA.

Installing CA certificate
To install a CA certificate, enter the crypto ca-cert install {path} command in Global Configuration mode.

Information about Creating Certificate Signing Requests (CSR)
A Certificate Signing Request (CSR) enables a device to get an X.509v3 certificate from a CA. In order for a device to get an X.
● Common Name
● Email address
● Validity
● Length
● Alternate Name

NOTE: The command contains multiple options, with the Common Name being a required field and blanks being filled in for unspecified fields.

Information about installing trusted certificates
Dell EMC Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS.
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA

TLS compression is disabled by default. TLS session resumption is also supported to reduce processor and traffic overhead due to public key cryptographic operations and handshake traffic.
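When reviewing a cipher suite list like the one above, the two properties that matter most are whether the key exchange is ephemeral (DHE/ECDHE, giving forward secrecy) and whether the bulk cipher is a legacy 64-bit-block algorithm such as 3DES. The following classifier is an added example, not Dell EMC Networking OS code; it takes the suite names listed above as input and applies general IANA naming rules, so it does not know which suites a given release actually negotiates.

```python
"""Classify TLS cipher suite names by key exchange and bulk cipher properties.

Added example, not Dell EMC Networking OS code. SUPPORTED_SUITES is the list
from the text above; the classification rules are general IANA naming rules."""
import re

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<mac>SHA384|SHA256|SHA|MD5)$"
)

SUPPORTED_SUITES = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
]


def classify(suite):
    """Split an IANA-style suite name into its parts and derive properties.
    Ephemeral key exchange (DHE_/ECDHE_) gives forward secrecy; static DH/ECDH
    and plain RSA key transport do not. 3DES, RC4, single DES and NULL are
    treated as legacy bulk ciphers."""
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {suite}")
    kx, cipher = m.group("kx"), m.group("cipher")
    return {
        "suite": suite,
        "key_exchange": kx,
        "cipher": cipher,
        "forward_secrecy": kx.startswith(("DHE_", "ECDHE_")),
        "legacy_cipher": any(t in cipher for t in ("3DES", "RC4", "DES_CBC", "NULL")),
        "aead": any(t in cipher for t in ("GCM", "CCM", "CHACHA20")),
    }


def audit(suites):
    """Group a suite list into what a reviewer wants to see at a glance."""
    info = [classify(s) for s in suites]
    return {
        "no_forward_secrecy": [i["suite"] for i in info if not i["forward_secrecy"]],
        "legacy_cipher": [i["suite"] for i in info if i["legacy_cipher"]],
        "preferred": [i["suite"] for i in info
                      if i["forward_secrecy"] and not i["legacy_cipher"]],
    }


if __name__ == "__main__":
    for group, names in audit(SUPPORTED_SUITES).items():
        print(f"{group}:")
        for n in names:
            print("   ", n)
```

On the list above, only TLS_DHE_RSA_WITH_AES_128_CBC_SHA is both forward-secret and free of 3DES; the four static DH/ECDH suites lack forward secrecy, and two suites use 3DES. Which of these a peer actually selects depends on its own preference order, so the same check is worth running against the peer's configured list.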
Configuring OCSP behavior
You can configure how the OCSP requests and responses are signed when the CA or the device contacts the OCSP responders. To configure this behavior, follow this step:

In CONFIGURATION mode, enter the following command:
crypto x509 ocsp {[nonce] [sign-request]}

Both the nonce and sign-request parameters are optional. The default behavior is to not use these two options.
Verifying Client Certificates
Verifying client certificates is optional in the TLS protocol and is not explicitly required by Common Criteria. However, TLS-protected Syslog and RADIUS protocols mandate that certificate-based mutual authentication be performed.

Event logging
The system logs the following events:
● A CA certificate is installed or deleted.
● A self-signed certificate and private key are generated.
● An existing host certificate, a private key, or both are deleted.