Dell Configuration Guide for the S6100–ON System 9.14.2.8 September 2020 Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents
Chapter 1: About this Guide (p. 32)
Audience (p. 32)
Conventions
Removing a Command from EXEC Mode (p. 57)
Moving a Command from EXEC Privilege Mode to EXEC Mode (p. 57)
Allowing Access to CONFIGURATION Mode Commands (p. 57)
Allowing Access to Different Modes
Configuring dot1x Profile (p. 87)
Configuring MAC addresses for a dot1x Profile (p. 87)
Configuring the Static MAB and MAB Profile (p. 88)
Configuring Critical VLAN
Configuring a Standard IP ACL Filter (p. 122)
Configure an Extended IP ACL (p. 123)
Configuring Filters with a Sequence Number
Implement BGP with Dell EMC Networking OS (p. 182)
Configuration Information (p. 185)
Basic BGP configuration tasks
Troubleshoot CAM Profiling (p. 241)
QoS CAM Region Limitation (p. 241)
Syslog Error When the Table is Full
Configuring ETS in a DCB Map (p. 270)
Hierarchical Scheduling in ETS Output Policies (p. 272)
Using ETS to Manage Converged Ethernet Traffic (p. 272)
Applying DCB Policies in a Switch Stack
Source Address Validation (p. 311)
Enabling IP Source Address Validation (p. 311)
DHCP MAC Source Address Validation
Ring Status (p. 342)
Multiple FRRP Rings (p. 342)
Important FRRP Points
Enabling a Physical Interface (p. 378)
Physical Interfaces (p. 378)
Configuration Task List for Physical Interfaces
Configure the MTU Size on an Interface (p. 405)
Port-Pipes (p. 406)
CR4 Auto-Negotiation
Troubleshooting UDP Helper (p. 431)
Chapter 22: IPv6 Routing (p. 432)
Protocol Overview (p. 432)
Extended Address Space
Chapter 24: Intermediate System to Intermediate System (p. 458)
IS-IS Protocol Overview (p. 458)
IS-IS Addressing (p. 458)
Multi-Topology IS-IS
Configuring Shared LAG State Tracking (p. 487)
Important Points about Shared LAG State Tracking (p. 488)
LACP Basic Configuration Example (p. 489)
Configure a LAG on ALPHA
Configuring LLDP Notification Interval (p. 525)
Configuring Transmit and Receive Mode (p. 525)
Configuring the Time to Live Value (p. 526)
Debugging LLDP
Disable MLD Snooping (p. 563)
Configure the switch as a querier (p. 563)
Specify port as connected to multicast router (p. 563)
Enable Snooping Explicit Tracking
Protocol Overview (p. 605)
Autonomous System (AS) Areas (p. 605)
Area Types
Refuse Multicast Traffic (p. 652)
Send Multicast Traffic (p. 652)
Configuring PIM-SM
Protocol Overview (p. 695)
Implementation Information (p. 696)
Configure Per-VLAN Spanning Tree Plus
Chapter 43: Routing Information Protocol (RIP) (p. 734)
Protocol Overview (p. 734)
RIPv1 (p. 734)
RIPv2
Support for Change of Authorization and Disconnect Messages packets (p. 776)
TACACS+ (p. 786)
Configuration Task List for TACACS+ (p. 786)
TACACS+ Remote Authentication
Enabling Drop Eligibility (p. 822)
Honoring the Incoming DEI Value (p. 823)
Marking Egress Packets with a DEI Value (p. 823)
Dynamic Mode CoS for VLAN Stacking
Copying the Startup-Config Files to the Running-Config (p. 848)
Copying the Startup-Config Files to the Server via FTP (p. 848)
Copying the Startup-Config Files to the Server via TFTP (p. 849)
Copy a Binary File to the Startup-Configuration
Example of Deriving the Interface Index Number (p. 880)
MIB Objects for Viewing the System Image on Flash Partitions (p. 881)
Monitoring BGP sessions via SNMP (p. 881)
Monitor Port-Channels
Protocol Overview (p. 913)
Configure the Network Time Protocol (p. 913)
Enabling NTP
Enabling Null VLAN as the Default VLAN (p. 941)
Chapter 59: Virtual Link Trunking (VLT) (p. 942)
Overview (p. 942)
VLT Terminology
Chapter 60: VLT Proxy Gateway (p. 1009)
Proxy Gateway in VLT Domains (p. 1009)
LLDP VLT Proxy Gateway in a Square VLT Topology (p. 1012)
Configuring a Static VLT Proxy Gateway
Loading VRF CAM (p. 1055)
Creating a Non-Default VRF Instance (p. 1055)
Assigning an Interface to a VRF
Chapter 65: Standards Compliance (p. 1107)
IEEE Compliance (p. 1107)
RFC and I-D Compliance (p. 1108)
General Internet Protocols
1 About this Guide This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system. The S6100–ON platform is available with Dell EMC Networking OS version 9.10(0.0) and beyond. Though this guide contains information about protocols, it is not intended to be a complete reference.
2 Configuration Fundamentals The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
● EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information. ● EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted.
CLI modes (continued): GRUB, RSTP, ROUTE-MAP, ROUTER BGP, BGP ADDRESS-FAMILY, ROUTER ISIS, ISIS ADDRESS-FAMILY, ROUTER OSPF, ROUTER OSPFV3, ROUTER RIP, SPANNING TREE, TRACE-LIST, VLT DOMAIN, VRRP, UPLINK STATE GROUP

Navigating CLI Modes
The Dell EMC Networking OS prompt changes to indicate the CLI mode. The following table lists each CLI mode, its prompt, and information about how to access and exit the mode.
Table 1.
Stack MAC   : 4c:76:25:f5:06:80
Reload-Type : normal-reload [Next boot : normal-reload]

-- Stack Info --
Unit  UnitType    Status       ReqTyp    CurTyp    Version      Ports
----------------------------------------------------------------------
1     Management  online       S6100-ON  S6100-ON  1-0(0-4703)  130
2     Member      not present
3     Member      not present
4     Member      not present
5     Member      not present
6     Member      not present

-- Module Info --
Unit  Module No  Status  Module Type  Ports
--------------------------------------------------------
1     1          online  S6100-MO
Obtaining Help
Obtain a list of keywords and a brief functional description of those keywords in any CLI mode using the ? or help command:
● To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
● Enter ? after a command prompt to list all of the available keywords. The output of this command is the same as the help command.
Short-Cut Key Combination: Action
CNTL-R: Re-enters the previous command.
CNTL-U: Deletes the line.
CNTL-W: Deletes the previous word.
CNTL-X: Deletes the line.
CNTL-Z: Ends continuous scrolling of command outputs.
Esc B: Moves the cursor back one word.
Esc F: Moves the cursor forward one word.
Esc D: Deletes all characters from the cursor to the end of the word.

Command History
The Dell EMC Networking OS maintains a history of previously-entered commands for each mode.
Reload-Type : normal-reload [Next boot : normal-reload]

The find keyword displays the output of the show command beginning from the first occurrence of the specified text. The following example shows this keyword used in combination with the show system brief command.

Example of the find Keyword
DellEMC#show system brief | find Management
1 Management online S6100-ON S6100-ON 9.10(0.
EXEC Privilege mode
show alias

Example of the show alias Command
DellEMC# configure terminal
DellEMC(config)# alias-definition
DellEMC(conf-alias-definition)# alias ns no shutdown
DellEMC(conf-alias-definition)# alias 10gint interface TenGigabitEthernet $1

Viewing alias configuration
To view the alias configurations, use the following commands:
1. Display the complete list of aliases and their definitions.
3 Getting Started
This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
Accessing the Console Port
To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.
3.
1. Power on the PC.
2. Connect the USB-A end of the cable into an available USB port on the PC.
3. Connect the micro USB-B end of the cable into the micro USB-B console port on the system.
4. Power on the system.
5. Install the necessary USB device drivers. (To download the drivers, go to https://www.dell.com/support.) For assistance, contact Dell EMC Networking Technical Support.
6. Open your terminal software emulation program to access the system.
7.
interface ManagementEthernet slot/port
2. Assign an IP address to the interface.
INTERFACE mode
ip address ip-address/mask
● ip-address: an address in dotted-decimal format (A.B.C.D).
● mask: a subnet mask in /prefix-length format (/xx).
3. Enable the interface.
INTERFACE mode
no shutdown

Configure a Management Route
Define a path from the system to the network from which you are accessing the system remotely.
○ privilege level: Assign a privilege level to the user. The range is from 0 to 15.
○ role role-name: Assign a role name for the user.
Dell EMC Networking OS encrypts the type 5 secret and type 7 password using the dynamic-salt option, so that the stored encrypted password differs each time a user is configured with the same password.
NOTE: The dynamic-salt option is shown only with the secret and password options.
Configuration File Management Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode. Copy Files to and from the System The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url. NOTE: For a detailed description of the copy command, refer to the Dell EMC Networking OS Command Reference.
Mounting an NFS File System This feature enables you to quickly access data on an NFS mounted file system. You can perform file operations on an NFS mounted file system using supported file commands. This feature allows an NFS mounted device to be recognized as a file system. This file system is visible on the device and you can execute all file commands that are available on conventional file systems such as a Flash file system.
Example of Copying to NFS Mount
DellEMC#copy flash://test.txt nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
DellEMC#copy flash://test/capture.txt.pcap nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
DellEMC#copy flash://test/capture.txt.pcap nfsmount:///username/snoop.pcap
!
24 bytes successfully copied
DellEMC#
DellEMC#copy tftp://10.16.127.
Configure the Overload Bit for a Startup Scenario For information about setting the router overload bit for a specific period of time after a switch reload is implemented, see the Intermediate System to Intermediate System (IS-IS) section in the Dell Command Line Reference Guide for your system. Viewing Files You can only view file information and content on local file systems. To view a list of files or the contents of a file, use the following commands. ● View a list of files on the internal flash.
Managing the File System The Dell EMC Networking system can use the internal Flash, external Flash, or remote devices to store files. The system stores files on the internal Flash by default but can be configured to store files elsewhere. To view file system information, use the following command. ● View information about each file system.
[May 17 15:42:42]: CMD-(CLI):[show clock]by default from console
[May 17 15:42:52]: CMD-(CLI):[write memory]by default from console - Repeated 1 time.
[May 17 15:43:08]: CMD-(CLI):[end]by default from console
[May 17 15:43:16]: CMD-(CLI):[show logging]by default from console
[May 17 15:43:22]: CMD-(CLI):[show command-history]by default from console
DellEMC#

Example 2: service timestamps log datetime utc
DellEMC(conf)#service timestamps log datetime utc
DellEMC# show command-history - Repeated 1 time.
Upgrading Dell EMC Networking OS
To upgrade Dell EMC Networking Operating System (OS), refer to the Release Notes for the version you want to load on the system. You can download the release notes for your platform at https://www.force10networks.com. Use your login ID to log in to the website.

Using HTTP for File Transfers
Starting with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server.
To validate a software image:
1. Download the Dell EMC Networking OS software image file from the iSupport page to the local (FTP or TFTP) server. The published hash for that file is displayed next to the software image file on the iSupport page.
2. Go to the Dell EMC Networking system and copy the software image to the flash drive, using the copy command.
3. Run the verify {md5 | sha256} [flash://]img-file [hash-value] command. For example, verify sha256 flash://FTOS-SE-9.5.0.0.bin
4.
4 Management This chapter describes the different protocols or services used to manage the Dell EMC Networking system.
Removing a Command from EXEC Mode To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.
CONFIGURATION mode
privilege {configure | interface | line | route-map | router} level level {command ||...|| command}

DellEMC#show running-config privilege
!
privilege exec level 3 configure
privilege exec level 4 resequence
privilege configure level 3 line
privilege configure level 3 interface tengigabitethernet
DellEMC#telnet 10.11.80.
NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is hostname#, rather than hostname>.

Configuring Logging
The Dell EMC Networking OS tracks changes in the system using event and error messages. By default, Dell EMC Networking OS logs these messages on:
● the internal buffer
● console and terminal lines
● any configured syslog servers
To disable logging, use the following commands.
● Disable all logging except on the console.
The security log contains security events and information. RBAC restricts access to audit and security logs based on the CLI sessions' user roles. The types of information in this log consist of the following:
● Establishment of secure traffic flows, such as SSH.
● Violations on secure flows or certificate issues.
● Adding and deleting of users.
Configuring Logging Format To display syslog messages in a RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
1. On the switch, enable the SSH server:
DellEMC(conf)#ip ssh server enable
2. On the syslog server, create a reverse SSH tunnel from the syslog server to the Dell OS switch, using the following syntax (the three placeholders are the port the switch listens on, the syslog server address, and the syslog server port):
ssh -R switch-port:syslog-server-ip:syslog-server-port user@remote_host -nNf
In the following example, the syslog server IP address is 10.156.166.48 and its listening port is 5141. The switch IP address is 10.16.131.141 and its listening port is 5140.
ssh -R 5140:10.156.166.48:5141 admin@10.16.131.
Sending System Messages to a Syslog Server
To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424, The SYSLOG Protocol, R. Gerhards and Adiscon GmbH, March 2009, which obsoletes RFC 3164; and RFC 5426, Transmission of Syslog Messages over UDP.
● Specify the server to which you want to send system messages. You can configure up to eight syslog servers.
The following example enables login activity tracking. The system stores the login activity details for the last 30 days.
DellEMC(config)#login statistics enable
The following example enables login activity tracking and configures the system to store the login activity details for 12 days.
DellEMC(config)#login statistics enable
DellEMC(config)#login statistics time-period 12

Display Login Statistics
To view the login statistics, use the show login statistics command.
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 2

Example of the show login statistics user user-id command
The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or in the custom-defined time period.
Configuring Concurrent Session Limit
To configure a concurrent session limit, follow this procedure:
● Limit the number of concurrent sessions for each user.
CONFIGURATION mode
login concurrent-session limit number-of-sessions
The following example limits the permitted number of concurrent login sessions to 4.
Current sessions for user admin:
Line     Location
2 vty 0  10.14.1.97
3 vty 1  10.14.1.97
4 vty 2  10.14.1.97
5 vty 3  10.14.1.97
Kill existing session? [line number/Enter to cancel]:

Enabling Secured CLI Mode
The secured CLI mode prevents users from elevating their permissions or promoting their privilege levels.
● Enter the following command to enable the secured CLI mode:
CONFIGURATION Mode
secure-cli enable
After entering the command, save the running-configuration.
To view the logging configuration, use the show running-config logging command in privilege mode, as shown in the example for Configure a UNIX Logging Facility Level. Display the Logging Buffer and the Logging Configuration To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles.
○ sys12 (system use)
○ sys13 (system use)
○ sys14 (system use)
○ syslog (for syslog messages)
○ user (for user programs)
○ uucp (UNIX to UNIX copy protocol)
To view nondefault settings, use the show running-config logging command in EXEC mode.
DellEMC#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.
Specify the following optional parameters:
○ datetime: To view the timestamp in system local time that includes the local time zone.
○ localtime: You can add the keyword localtime to view the timestamp in system local time that includes the local time zone.
○ show-timezone: Enter the keyword to include the time zone information in the timestamp.
○ msec: Enter the keyword msec to include milliseconds in the timestamp.
○ uptime: To view the time since the last boot.
[May 17 10:17:05]: CMD-(CLI):[show clock]by default from console
[May 17 10:17:20]: CMD-(CLI):[show running-config]by default from console
[May 17 10:17:30]: CMD-(CLI):[interface tengigabitethernet 1/2/2]by default from console
[May 17 10:17:32]: CMD-(CLI):[shutdown]by default from console
[May 17 10:17:34]: CMD-(CLI):[no shutdown]by default from console
[May 17 10:17:40]: CMD-(CLI):[write memory]by default from console - Repeated 1 time.
Example 4: no service timestamps log
DellEMC(conf)#no service timestamps log
DellEMC#show clock
15:55:12.246 IST Fri May 17 2019
DellEMC# show command-history
[May 17 15:53:10]: CMD-(CLI):[no service timestamps log]by default from console
[May 17 15:53:16]: CMD-(CLI):[write memory]by default from console - Repeated 3 times.
[May 17 15:53:22]: CMD-(CLI):[show logging]by default from console - Repeated 1 time.
[May 17 15:53:36]: CMD-(CLI):[write memory]by default from console - Repeated 5 times.
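The show command-history output in the examples above is the switch's own CLI audit trail; the following Python parser is an added example (not from the Dell guide) that turns those lines into records an analyst can count and filter. It assumes the token after "by" is the user name and that "Repeated N times" means N further executions beyond the one line logged.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, laid out in the format "show command-history" prints when
# "service timestamps log datetime" is in effect (see the examples on this page).
SAMPLE_HISTORY = """\
[May 17 15:42:42]: CMD-(CLI):[show clock]by default from console
[May 17 15:42:52]: CMD-(CLI):[write memory]by default from console - Repeated 1 time.
[May 17 15:43:08]: CMD-(CLI):[interface tengigabitethernet 1/2/2]by default from console
[May 17 15:43:10]: CMD-(CLI):[shutdown]by default from console
[May 17 15:53:16]: CMD-(CLI):[write memory]by default from console - Repeated 3 times.
[May 17 15:53:22]: CMD-(CLI):[no service timestamps log]by default from console
"""


@dataclass(frozen=True)
class HistoryEntry:
    """One printed line. 'user' is assumed to be the token after 'by' ('default'
    when no named user is tied to the session) and 'line' the token after
    'from' (console or a vty). 'repeats' is the N from '- Repeated N time(s).',
    or 0 when the device printed no such suffix."""
    timestamp: str
    source: str
    command: str
    user: str
    line: str
    repeats: int


LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: CMD-\((?P<src>[^)]+)\):\[(?P<cmd>[^\]]*)\]"
    r"by (?P<user>\S+) from (?P<line>\S+)"
    r"(?: - Repeated (?P<n>\d+) times?\.)?$"
)


def parse_history(text: str) -> List[HistoryEntry]:
    """Parse show command-history output. A line that does not fit the known
    layout raises, so a truncated or altered capture is noticed rather than
    silently dropped from the audit record."""
    entries: List[HistoryEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("DellEMC"):   # skip blanks and the prompt
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised command-history line: {line!r}")
        entries.append(HistoryEntry(
            timestamp=m["ts"], source=m["src"], command=m["cmd"],
            user=m["user"], line=m["line"],
            repeats=int(m["n"]) if m["n"] else 0,
        ))
    return entries


def executions_by_command(entries: List[HistoryEntry]) -> Dict[str, int]:
    """Total executions per command: each entry counts once plus its repeats
    (assumption: the device collapses N extra runs into '- Repeated N times.'),
    so collapsed lines are not under-counted."""
    totals: Dict[str, int] = {}
    for e in entries:
        totals[e.command] = totals.get(e.command, 0) + 1 + e.repeats
    return totals


def timestamp_logging_disabled(entries: List[HistoryEntry]) -> List[HistoryEntry]:
    """Entries that switched off timestamps on the audit trail. Later lines
    lose their time of execution, so a reviewer wants these surfaced."""
    return [e for e in entries if e.command == "no service timestamps log"]


if __name__ == "__main__":
    parsed = parse_history(SAMPLE_HISTORY)
    for entry in parsed:
        print(entry)
    print(executions_by_command(parsed))
    print(timestamp_logging_disabled(parsed))
```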
Enabling the FTP Server
To enable the system as an FTP server, use the following command. To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.
● Enable FTP on the system.
CONFIGURATION mode
ftp-server enable

DellEMC#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
DellEMC#

Configuring FTP Server Parameters
After you enable the FTP server on the system, you can configure different parameters.
ip ftp source-interface interface
● Configure a password.
CONFIGURATION mode
ip ftp password password
● Enter a username to use on the FTP client.
CONFIGURATION mode
ip ftp username name
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enable FTP Server.

Terminal Lines
You can access the system remotely and restrict access to the system by creating user profiles.
seq 10 deny ip 30.1.1.
password myvtypassword
login authentication myvtymethodlist
line vty 2
password myvtypassword
login authentication myvtymethodlist
DellEMC(config-line-vty)#
Setting Timeout for EXEC Privilege Mode
EXEC timeout is a basic security feature that returns Dell EMC Networking OS to EXEC mode after a period of inactivity on the terminal lines. To set the timeout, use the following commands.
● Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY.
login: admin
DellEMC#
Lock CONFIGURATION Mode
Dell EMC Networking OS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). You can set two types of locks: auto and manual.
● Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access.
3. The System Status LED changes to an alarm state, blinking amber for S3048–ON, S6100–ON and Z9100–ON, and solid amber for C9000. It is not possible to suppress this LED pattern until the unit is switched off (for RMA).
4. The switch (control/management/data plane) continues to be active.
NOTE: This is true even if the unit is the master (in an HA chassis environment, as in the case of RPM) or a stack master or standby (as in the case of S3048-ON).
Restoring Factory Default Environment Variables
The boot line determines the location of the image that is used to boot up the chassis after restoring factory default settings. These locations should contain valid images from which the chassis can boot. When you restore factory-default settings, you can use either a flash boot procedure or a network boot procedure to boot the switch.
5. Assign an IP address as the default gateway for the system.
default-gateway gateway_ip_address
For example, 10.16.150.254.
6. The environment variables are saved automatically.
7. Reload the system.
BOOT_USER # reload
Reloading the system
You can reload the system using the reload command. To reload the system, follow these steps:
● Reload the system into Dell EMC Networking OS.
EXEC Privilege mode
reload
● Reload the system if a configuration change to the NVRAM requires a device reload.
show reset-reason [stack-unit {unit-number | all}] Enter the stack-unit keyword and the stack unit number to view the reason for the last system reboot for that stack unit. Enter the stack-unit keyword and the keyword all to view the reason for the last system reboot of all stack units in the stack.
5 802.1X
802.1X is a port-based Network Access Control (PNAC) standard that provides an authentication mechanism for devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is not allowed to send or receive packets on the network until its identity is verified (through a username and password, for example). 802.
● The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. ● The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant.
Figure 5. EAP Port-Authentication
EAP over RADIUS
802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.
Figure 6. EAP Over RADIUS
RADIUS Attributes for 802.1X Support
Dell EMC Networking systems include the following RADIUS attributes in all 802.
Configuring 802.1X
Configuring 802.1X on a port is a one-step process. For more information, refer to Enabling 802.1X.
Related Configuration Tasks
● Configuring Request Identity Re-Transmissions
● Forcibly Authorizing or Unauthorizing a Port
● Re-Authenticating a Port
● Configuring Timeouts
● Configuring a Guest VLAN
● Configuring an Authentication-Fail VLAN
Important Points to Remember
● Dell EMC Networking OS supports 802.
Enabling 802.1X
Enable 802.1X globally.
Figure 7. 802.1X Enabled
1. Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3. Enable 802.1X on the supplicant interface only.
INTERFACE mode
dot1x authentication
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
no ip address
dot1x authentication
no shutdown
!
DellEMC#
To view 802.1X configuration information for an interface, use the show dot1x interface command. In the following example, the bold lines show that 802.1X is enabled on all ports, which are unauthorized by default.
DellEMC#show dot1x interface TenGigabitEthernet 1/1/1/1
802.
● Configure a list of MAC addresses for a dot1x profile.
DOT1X PROFILE CONFIG (conf-dot1x-profile) mode
mac mac-address
mac-address — Enter the keyword mac and type up to the 48-bit MAC addresses using the nn:nn:nn:nn:nn:nn format. A maximum of 6 MAC addresses are allowed.
The following example configures 2 MAC addresses and then displays these addresses.
Auth PAE State: Authenticated
Backend State: Idle
Configuring Critical VLAN
By default, the critical VLAN is not configured. If authentication fails because the authentication server is not reachable, the user session is authenticated under the critical VLAN. To configure a critical VLAN for users or devices when the authentication server is not reachable, use the following command.
● Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame.
INTERFACE mode
dot1x tx-period number
The range is from 1 to 65535 (1 year). The default is 30.
● Configure the maximum number of times the authenticator re-transmits a Request Identity frame.
INTERFACE mode
dot1x max-eap-req number
The range is from 1 to 10. The default is 2.
Configuring a Quiet Period after a Failed Authentication If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default. You can configure this period. NOTE: The quiet period (dot1x quiet-period) is the transmit interval after a failed authentication; the Request Identity Re-transmit interval (dot1x tx-period) is for an unresponsive supplicant. To configure a quiet period, use the following command.
● Place a port in the ForceAuthorized, ForceUnauthorized, or Auto state.
INTERFACE mode
dot1x port-control {force-authorized | force-unauthorized | auto}
The default state is auto.
The example shows configuration information for a port that has been force-authorized. The bold line shows the new port-control state.
DellEMC(conf-if-Te-1/1/1/1)#dot1x port-control force-authorized
DellEMC(conf-if-Te-1/1/1/1)#show dot1x interface TenGigabitEthernet 1/1/1/1
802.
Re-Authentication: Enable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Configuring Dynamic VLAN Assignment with Port Authentication
Dell EMC Networking OS supports dynamic VLAN assignment when using 802.1X.
Figure 8. Dynamic VLAN Assignment
1. Configure 802.1X globally (refer to Enabling 802.1X) along with the relevant RADIUS server configurations (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
2. Make the interface a switchport so that it can be assigned to a VLAN.
3. Create the VLAN to which the interface will be assigned.
4. Connect the supplicant to the port configured for 802.1X.
5.
● If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins.
Configuring a Guest VLAN
If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN.
NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.
Example of Viewing Configured Authentication 802.
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Multi-Host Authentication
By default, 802.1X assumes that a single end user is connected to a single authenticator port in a one-to-one mode of authentication called single-host mode.
Figure 10. Multi-Host Authentication Mode When you configure multi-host mode authentication, the first client to respond to an identity request is authenticated and subsequent responses are still ignored. However, because the authenticator expects the possibility of multiple responses, no system log is generated. After the first supplicant is authenticated, all end users connected to the authorized port are allowed to access the network.
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Critical VLAN: Disable
Critical VLAN id: NONE
Mac-Auth-Bypass: Disable
Mac-Auth-Bypass Only: Disable
Static-MAB: Disable
Static-MAB Profile: NONE
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: MULTI_HOST
Auth PAE State: Connecting
Backend State: Idle
Configuring Single-Host Authentication
To enable sing
both devices could access the network. However, if you wanted to place them in different VLANs — a VoIP VLAN and a data VLAN — you would need to authenticate the devices separately so that the RADIUS server can send each device's VLAN assignment during that device's authentication process. During the authentication process, the switch is able to learn the MAC address of the device through the EAPoL frames, and the VLAN assignment from the RADIUS server.
MAC Authentication Bypass MAC authentication bypass (MAB) enables you to provide MAC-based security by allowing only known MAC addresses within the network using a RADIUS server. 802.1X-enabled clients can authenticate themselves using the 802.1X protocol. Other devices that do not use 802.1X — like IP phones, printers, and IP fax machines — still need connectivity to the network. The guest VLAN provides one way to access the network.
● Attribute 4—NAS-IP-Address: IPv4 address of the switch that is used to communicate with the RADIUS server.
● Attribute 5—NAS-Port: The port number of the interface being authorized, entered as an integer.
● Attribute 30—Called-Station-Id: MAC address of the ingress interface of the authenticator.
● Attribute 31—Calling-Station-Id: MAC address of the 802.1X supplicant.
● Attribute 87—NAS-Port-Id: The name of the interface being authorized, entered as a string.
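The EAP-over-RADIUS encapsulation described under EAP over RADIUS and the attribute list above, as an added Python example (not Dell's code): it builds the Access-Request an 802.1X authenticator would send, with attributes 4, 5, 30, 31 and 87 and the EAP frame carried in type 79 EAP-Message TLVs, then parses it back and reassembles fragmented EAP-Message attributes. The identity, addresses, port name and RADIUS identifier are constructed values.

```python
"""Build and parse a RADIUS Access-Request that carries EAP (RFC 3579 style).

Added example, not Dell's code. EAP frames ride inside RADIUS attribute
type 79 (EAP-Message) in Type/Length/Value form, next to the attributes
the page lists (4, 5, 30, 31, 87). All sample values are constructed.
"""
import os
import struct

ACCESS_REQUEST = 1
EAP_MESSAGE = 79
# Attribute numbers as listed on the page.
NAS_IP_ADDRESS, NAS_PORT = 4, 5
CALLED_STATION_ID, CALLING_STATION_ID, NAS_PORT_ID = 30, 31, 87
MAX_ATTR_VALUE = 253  # one-byte Length field: 2 bytes header + 253 bytes value


def tlv(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value(n)."""
    if not 0 <= len(value) <= MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_message_attrs(eap_frame):
    """Split an EAP frame across as many EAP-Message attributes as needed."""
    return b"".join(
        tlv(EAP_MESSAGE, eap_frame[i:i + MAX_ATTR_VALUE])
        for i in range(0, len(eap_frame), MAX_ATTR_VALUE)
    )


def build_access_request(ident, nas_ip, nas_port, called_mac, calling_mac,
                         port_name, eap_frame, authenticator=None):
    """Assemble the Access-Request an authenticator sends for a supplicant."""
    authenticator = authenticator or os.urandom(16)  # 16-byte Request Authenticator
    attrs = (
        tlv(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + tlv(NAS_PORT, struct.pack("!I", nas_port))
        + tlv(CALLED_STATION_ID, called_mac.encode())
        + tlv(CALLING_STATION_ID, calling_mac.encode())
        + tlv(NAS_PORT_ID, port_name.encode())
        + eap_message_attrs(eap_frame)
    )
    length = 20 + len(attrs)  # Code, Identifier, Length, Authenticator = 20 bytes
    return struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator + attrs


def parse_radius(packet):
    """Decode header and attributes; concatenate EAP-Message fragments in order."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, eap, pos = [], b"", 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == EAP_MESSAGE:
            eap += value
        else:
            attrs.append((attr_type, value))
        pos += attr_len
    return {"code": code, "id": ident, "attrs": attrs, "eap": eap}


def demo():
    # Constructed EAP-Response/Identity: code 2, id 1, length, type 1, identity
    identity = b"alice"
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    pkt = build_access_request(
        ident=7, nas_ip="10.16.150.1", nas_port=1,
        called_mac="00:a0:c9:00:00:02", calling_mac="00:11:22:33:44:55",
        port_name="TenGigabitEthernet 1/1/1/1", eap_frame=eap)
    return parse_radius(pkt)
```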
NOTE: When a priority is statically configured using the dynamic dot1p command and dynamically configured using dynamic CoS with 802.1X, the dynamic configuration takes precedence.
You can use dynamic CoS with 802.1X when the traffic from a server should be classified based on the application that it is running. A static dot1p priority configuration applied from the switch is not sufficient in this case, as the server application might change.
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) This section describes the access control list (ACL) virtual local area network (VLAN) group, and content addressable memory (CAM) enhancements.
The ACL manager does not notify the ACL agent in the following cases:
● The ACL VLAN group is created.
● The ACL VLAN group is deleted and it does not contain VLAN members.
● The ACL is applied to or removed from a group and the ACL group does not contain a VLAN member.
● The description of the ACL group is added or removed.
acl-vlan-group {group name}
2. Add a description to the ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
description description
3. Add VLAN member(s) to an ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
member vlan {VLAN-range}
4. Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
Viewing CAM Usage
View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL subpartitions) using the show cam-usage command in EXEC Privilege mode.
Display Layer 2, Layer 3, ACL, or all CAM usage statistics.
EXEC Privilege mode
show cam-usage [acl | router | switch]
The following output shows CAM block usage for Layer 2 and Layer 3 ACLs and other processes that use CAM space:
Starting from OS 9.11(2.
| | OUT-V6 ACL | Codes: * - cam usage is above 90%.
ACL Optimization to Increase Number of Supported IPv4 ACLs
You can configure the Dell EMC Networking OS to support a larger number of IPv4 ACLs.
7 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
• Assign an IP ACL to an Interface
• Applying an IP ACL
• Configure Ingress ACLs
• Configure Egress ACLs
• IP Prefix Lists
• ACL Remarks
• ACL Resequencing
• Route Maps
IP Access Control Lists (ACLs)
In Dell EMC Networking switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address.
CAM Optimization When you enable this command, if a policy map containing classification rules (ACL and/or dscp/ ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only one FP entry is used). When you disable this command, the system behaves as described in this chapter. Test CAM Usage This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs.
ACL Optimization If an access list contains duplicate entries, Dell EMC Networking OS deletes one entry to conserve CAM space. Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM entries to identify whether the access list is a standard or extended ACL.
CONFIGURATION ACL RANGE mode
type [inverse value] lower-threshold upper-threshold
DellEMC(conf)#feature aclrange
DellEMC(conf)#aclrange sportrange1
DellEMC(conf-aclrange-sportrange1)# l4srcport 1024 65535
DellEMC(conf)#aclrange destportrange1
DellEMC(conf-acl-destportrange1)# l4dstport 500 500
DellEMC(conf)#aclrange inverserange
DellEMC(conf-acl-inverserange)# l4dstport inverse 1000
DellEMC# show aclrange
INDEX PROFILE_NAME TYPE INVERSE LOWER THRESHOLD UPPER THRESHOLD REF_CNT
----------------------------
Creating a Route Map
Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters match certain routes and set or specify values. To create a route map, use the following command.
● Create a route map and assign it a unique name. The optional permit and deny keywords are the actions of the route map.
Set clauses:
tag 3444
DellEMC#
To delete a route map, use the no route-map map-name command in CONFIGURATION mode.
Configure Route Map Filters
Within ROUTE-MAP mode, there are match and set commands.
● match commands search for a certain criterion in the routes.
● set commands change the characteristics of routes, either adding something or specifying a level.
● Match routes whose next hop is a specific interface.
CONFIG-ROUTE-MAP mode
match interface interface
The parameters are:
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the stack/slot/port/subport information.
○ For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the stack/slot/port/subport information.
○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the stack/slot/port[/subport] information.
Configuring Set Conditions
To configure a set condition, use the following commands.
● Add an AS-PATH number to the beginning of the AS-PATH.
CONFIG-ROUTE-MAP mode
set as-path prepend as-number [... as-number]
● Generate a tag to be added to redistributed routes.
CONFIG-ROUTE-MAP mode
set automatic-tag
● Specify an OSPF area or ISIS level for redistributed routes.
Route maps add to that redistribution capability by allowing you to match specific routes and set or change more attributes when redistributing those routes. In the following example, the redistribute command calls the route map static ospf to redistribute only certain static routes into OSPF. According to the route map static ospf, only routes that have a next hop of interface 1/1/1/1 and that have a metric of 255 are redistributed into the OSPF backbone area.
IP Fragment Handling
Dell EMC Networking OS supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent packets. It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable to all Layer protocols (permit/deny ip/tcp/udp/icmp).
● Both standard and extended ACLs support IP fragments.
● Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments.
Example of Permitting All Packets from a Specified Host
DellEMC(conf)#ip access-list extended ABC
DellEMC(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
DellEMC(conf-ext-nacl)#deny ip any any fragment
DellEMC(conf-ext-nacl)
In the following example, the TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are permitted.
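The fragment-matching behaviour described in IP Fragment Handling and in the ABC example above, as an added Python model (not Dell's code): a rule with a Layer 4 qualifier can be evaluated only against non-fragmented packets and first fragments, a permit rule with a Layer 4 qualifier still permits non-first fragments whose Layer 3 fields match, and the fragments keyword matches non-first fragments explicitly. It also contrasts a constructed port-based deny that non-first fragments slip past with the same list tightened by a fragments rule. Packets and the two extra ACLs are constructed; how a deny rule with a Layer 4 qualifier treats non-first fragments is taken from the page's statement that such a rule cannot be applied to them.

```python
"""Model of the IP fragment handling this page describes for ACL rules.

Added example, not Dell's code. Packets and the LEAKY/TIGHT lists are
constructed; ACL_ABC is the list shown on the page.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # None when no Layer 4 header is present
    non_first: bool = False  # True for second and subsequent fragments


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" covers every protocol
    src: str                     # host address or "any"
    dst: str
    dport: Optional[int] = None  # Layer 4 qualifier (eq <port>)
    fragments: bool = False      # the fragments keyword


def l3_match(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst))


def rule_matches(rule, pkt):
    if not l3_match(rule, pkt):
        return False
    if rule.fragments:
        return pkt.non_first        # explicit rule for later fragments only
    if rule.dport is None:
        return True                 # pure Layer 3 rule applies to every packet
    if pkt.non_first:
        # No Layer 4 header to check. Per the page, a permit rule still
        # permits such fragments, while a deny rule cannot be applied to them.
        return rule.action == "permit"
    return pkt.dport == rule.dport


def evaluate(acl, pkt):
    """Return (action, seq) of the first matching rule, or the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


# The page's list: permit tcp host 10.1.1.1 any eq 24 / deny ip any any fragment
ACL_ABC = [
    Rule(5, "permit", "tcp", "10.1.1.1", "any", dport=24),
    Rule(10, "deny", "ip", "any", "any", fragments=True),
]
# Constructed: a port-based deny that later fragments are not evaluated against
ACL_LEAKY = [
    Rule(5, "deny", "tcp", "any", "any", dport=23),
    Rule(10, "permit", "ip", "any", "any"),
]
# Constructed: the same intent with the fragments keyword closing the gap
ACL_TIGHT = [
    Rule(5, "deny", "tcp", "any", "any", dport=23),
    Rule(7, "deny", "ip", "any", "any", fragments=True),
    Rule(10, "permit", "ip", "any", "any"),
]


def demo():
    first = Packet("10.1.1.1", "10.2.2.2", "tcp", 24)
    other_port = Packet("10.1.1.1", "10.2.2.2", "tcp", 80)
    later = Packet("10.1.1.1", "10.2.2.2", "tcp", None, non_first=True)
    stranger = Packet("10.1.1.9", "10.2.2.2", "tcp", None, non_first=True)
    telnet_frag = Packet("10.9.9.9", "10.2.2.2", "tcp", None, non_first=True)
    return {
        "abc_first": evaluate(ACL_ABC, first),
        "abc_other_port": evaluate(ACL_ABC, other_port),
        "abc_later": evaluate(ACL_ABC, later),
        "abc_stranger": evaluate(ACL_ABC, stranger),
        "leaky_frag": evaluate(ACL_LEAKY, telnet_frag),
        "tight_frag": evaluate(ACL_TIGHT, telnet_frag),
    }
```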
seq 20 deny 10.4.0.0 /16
seq 25 deny 10.5.0.0 /16
seq 30 deny 10.6.0.0 /16
seq 35 deny 10.7.0.0 /16
seq 40 deny 10.8.0.0 /16
seq 45 deny 10.9.0.0 /16
seq 50 deny 10.10.0.0 /16
DellEMC#
The following example shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 25 was configured before filter 15, but the show config command displays the filters in the correct order.
DellEMC(config-std-nacl)#seq 25 deny ip host 10.5.0.
seq 50 permit tcp 10.8.0.0 /16 10.50.188.118 /31 eq 49 monitor 349
seq 55 permit udp 10.15.1.0 /24 10.50.188.118 /31 range 1812 1813
To delete a filter, enter the show config command in IP ACCESS LIST mode and locate the sequence number of the filter you want to delete. Then use the no seq sequence-number command in IP ACCESS LIST mode.
seq sequence-number {deny | permit} icmp {source mask | any | host ip-address} [count [byte]] [order] [monitor [session-id]] [fragments] The ICMP packets cannot be filtered using mirroring ACL.
Configure Filters, TCP Packets
To create a filter for TCP packets with a specified sequence number, use the following commands.
1. Create an extended IP ACL and assign it a unique name.
CONFIGURATION mode
ip access-list extended access-list-name
2. Configure an extended IP ACL filter for TCP packets.
{deny | permit} udp {source mask | any | host ip-address} [count [byte]] [order] [monitor [session-id]] [fragments]
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets' details.
The following example shows an extended IP ACL in which the sequence numbers were assigned by the software.
The same ACL may be applied to different interfaces and that changes its functionality. For example, you can take ACL “ABCD” and apply it using the in keyword and it becomes an ingress access list. If you apply the same ACL using the out keyword, it becomes an egress access list. If you apply the same ACL to the Loopback interface, it becomes a Loopback access list. Applying an IP ACL To apply an IP ACL (standard or extended) to a physical or port channel interface, use the following commands. 1.
Configure Ingress ACLs
Ingress ACLs are applied to interfaces and to traffic entering the system. These system-wide ACLs eliminate the need to apply ACLs on each interface and achieve the same results. By localizing target traffic, it is a simpler implementation.
To create an ingress ACL, use the ip access-group command in EXEC Privilege mode. The example shows applying the ACL, adding rules to the newly created access group, and viewing the access list.
DellEMC(config-ext-nacl)#permit tcp any any
DellEMC(config-ext-nacl)#deny icmp any any
DellEMC(config-ext-nacl)#permit 1.1.1.2
DellEMC(config-ext-nacl)#end
DellEMC#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.
The following examples show permit or deny filters for specific routes using the le and ge parameters, where x.x.x.x/x represents a route prefix:
● To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8.
● To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8.
● To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24.
● To permit routes with a mask greater than /20, enter permit x.x.x.x/x ge 20.
The following example shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 20 was configured before filters 15 and 12, but the show config command displays the filters in the correct order.
DellEMC(conf-nprefixl)#seq 20 permit 0.0.0.0/0 le 32
DellEMC(conf-nprefixl)#seq 12 deny 134.23.0.0 /16
DellEMC(conf-nprefixl)#seq 15 deny 120.23.14.0 /8 le 16
DellEMC(conf-nprefixl)#show config
!
ip prefix-list juba
seq 12 deny 134.23.0.0/16
seq 15 deny 120.0.0.
EXEC Privilege mode
show ip prefix-list summary [prefix-name]
The following example shows the show ip prefix-list detail command.
DellEMC>show ip prefix detail
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
seq 5 deny 1.102.0.0/16 le 32 (hit count: 0)
seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
seq 5 deny 100.
Applying a Filter to a Prefix List (OSPF)
To apply a filter to routes in open shortest path first (OSPF), use the following commands.
● Enter OSPF mode.
CONFIGURATION mode
router ospf
● Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded.
CONFIG-ROUTER-OSPF mode
distribute-list prefix-list-name in [interface]
● Apply a configured prefix list to incoming routes.
The remark number is optional. The following example shows how to write a remark for an ACL rule:
Dell(config-ext-nacl)#ip access-list extended test
Dell(config-ext-nacl)# remark permit any ip
Dell(config-ext-nacl)# seq 10 permit ip any any
Dell(config-ext-nacl)#sh config
!
ip access-list extended test
remark 10 permit any ip
seq 10 permit ip any any
Deleting a Remark
To delete a remark, follow this procedure:
A standard IP ACL uses the source IP address as its match criterion.
Table 7. ACL Resequencing (continued)
Rules Before Resequencing:
seq 7 permit any host 1.1.1.3
seq 10 permit any host 1.1.1.4
Rules After Resequencing:
seq 5 permit any host 1.1.1.1
seq 10 permit any host 1.1.1.2
seq 15 permit any host 1.1.1.3
seq 20 permit any host 1.1.1.4
Resequencing an ACL or Prefix List
Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the following commands.
ip access-list extended test
remark 4 XYZ
remark 5 this remark corresponds to permit any host 1.1.1.1
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
DellEMC# end
DellEMC# resequence access-list ipv4 test 2 2
DellEMC# show running-config acl
!
ip access-list extended test
remark 2 XYZ
remark 4 this remark corresponds to permit any host 1.1.1.
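The resequencing shown above, as an added Python example (not Dell's code): it renumbers the entries of the test ACL with a start and a step, and a remark that carries the same number as a rule keeps sharing that rule's new number. That reading of the page's output (remark 2 XYZ, then remark 4 and seq 4 for host 1.1.1.1) is an assumption of this example; the input text is the list printed on the page.

```python
"""Resequence an ACL the way this page's example shows.

Added example, not Dell's code. Entries are renumbered start, start+step,
... in order of their current number. A remark whose number equals a rule's
sequence number belongs to that rule and keeps sharing its new number
(assumption drawn from the page's "remark 4 ..." followed by "seq 4 ...").
"""
import re

LINE = re.compile(r"^(remark|seq)\s+(\d+)\s+(.*)$")


def parse_acl(text):
    """Turn 'remark N text' / 'seq N rule' lines into (kind, number, body)."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries


def resequence(entries, start, step):
    """Renumber entries; remarks sharing a rule's number move with it."""
    if start < 1 or step < 1:
        raise ValueError("start and step must be positive")
    numbers = sorted({num for _, num, _ in entries})
    mapping = {old: start + i * step for i, old in enumerate(numbers)}
    return [(kind, mapping[num], body) for kind, num, body in entries]


def render(entries):
    return "\n".join(f"{kind} {num} {body}" for kind, num, body in entries)


# The list printed on the page before "resequence access-list ipv4 test 2 2".
ORIGINAL = """
remark 4 XYZ
remark 5 this remark corresponds to permit any host 1.1.1.1
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
"""


def demo(start=2, step=2):
    """Resequence the page's list; returns the renumbered text."""
    return render(resequence(parse_acl(ORIGINAL), start, step))
```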
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 11. BFD in IPv4 Packet Format
Field: Description
Diagnostic Code: The reason that the last session failed.
State: The current local session state. Refer to BFD Sessions.
Flag: A bit that indicates packet function.
Field: Description
Your Discriminator: A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Desired Min TX Interval: The minimum rate at which the local system would like to send control packets to the remote system.
State: Description
Init: The local system is communicating.
Up: Both systems are exchanging control packets.
The session is declared down if:
● A control packet is not received within the detection time.
● Sufficient echo packets are lost.
● Demand mode is active and a control packet is not received in response to a poll packet.
BFD Three-Way Handshake
A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 13.
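The packet fields, the three-way handshake and the state changes described in this section, as an added Python example (not Dell's code): it decodes the 24-byte mandatory section of a BFD control packet as laid out in RFC 5880 (version/diagnostic, state and flag bits, detection multiplier, discriminators, intervals), steps the session state on each received state notification (Down plus a received Down gives Init, as in the text above), walks two constructed endpoints from Down to Up, and computes the detection time as multiplier times the larger of the negotiated intervals. The discriminators and interval values are constructed.

```python
"""Parse BFD control packets and step the session state machine.

Added example, not Dell's code. The 24-byte mandatory section follows
RFC 5880 (the field table on this page); the transitions implement the
three-way handshake described above. Sample packets are constructed.
"""
import struct

ADMIN_DOWN, DOWN, INIT, UP = 0, 1, 2, 3
STATE_NAME = {ADMIN_DOWN: "AdminDown", DOWN: "Down", INIT: "Init", UP: "Up"}
HEADER = struct.Struct("!BBBBIIIII")  # 24 bytes, no authentication section


def parse_bfd(data):
    """Decode the mandatory control-packet section into a dict."""
    if len(data) < HEADER.size:
        raise ValueError("short BFD packet")
    b0, b1, mult, length, my_disc, your_disc, tx, rx, echo_rx = HEADER.unpack_from(data)
    version, diag = b0 >> 5, b0 & 0x1F
    if version != 1 or length != len(data) or mult == 0 or my_disc == 0:
        raise ValueError("invalid BFD control packet")
    return {
        "diag": diag,
        "state": b1 >> 6,          # two state bits, then P F C A D M flags
        "flags": {
            "poll": bool(b1 & 0x20), "final": bool(b1 & 0x10),
            "control_plane_independent": bool(b1 & 0x08),
            "auth_present": bool(b1 & 0x04), "demand": bool(b1 & 0x02),
        },
        "detect_mult": mult,
        "my_discriminator": my_disc,
        "your_discriminator": your_disc,
        "desired_min_tx_us": tx,
        "required_min_rx_us": rx,
        "required_min_echo_rx_us": echo_rx,
    }


def build_bfd(state, my_disc, your_disc, tx_us, rx_us, mult=3, diag=0):
    """Encode a control packet (used here to construct sample input)."""
    return HEADER.pack((1 << 5) | diag, state << 6, mult, HEADER.size,
                       my_disc, your_disc, tx_us, rx_us, 0)


def next_state(local, remote):
    """Local session state after a packet that reports the remote state."""
    if remote == ADMIN_DOWN:
        return DOWN
    if local == DOWN:
        # Down + remote Down -> Init (the page's example); remote Init -> Up
        return {DOWN: INIT, INIT: UP}.get(remote, DOWN)
    if local == INIT:
        return UP if remote in (INIT, UP) else INIT
    # Local Up: a remote Down tears the session down, anything else keeps it Up
    return DOWN if remote == DOWN else UP


def detection_time_us(remote_pkt, local_required_min_rx_us):
    """Time without packets before the session is declared down."""
    interval = max(remote_pkt["desired_min_tx_us"], local_required_min_rx_us)
    return remote_pkt["detect_mult"] * interval


def handshake(tx_us=200_000, rx_us=200_000):
    """Walk two endpoints from Down to Up; returns the (A, B) state trace."""
    a, b = DOWN, DOWN
    trace = [(STATE_NAME[a], STATE_NAME[b])]
    for _ in range(3):
        # A sends its state and B reacts, then B sends and A reacts.
        b = next_state(b, parse_bfd(build_bfd(a, 1, 0, tx_us, rx_us))["state"])
        a = next_state(a, parse_bfd(build_bfd(b, 2, 1, tx_us, rx_us))["state"])
        trace.append((STATE_NAME[a], STATE_NAME[b]))
    return trace
```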
● Configure BFD for OSPFv3
● Configure BFD for IS-IS
● Configure BFD for BGP
● Configure BFD for VRRP
● Configuring Protocol Liveness
Configure BFD for Physical Ports
Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only.
BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
Establishing a Session on Physical Ports
To establish a session, enable BFD at the interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match.
Figure 14. Establishing a BFD Session on Physical Ports
1. Enter interface mode.
CONFIGURATION mode
interface
2. Assign an IP address to the interface if one is not already assigned.
INTERFACE mode
ip address ip-address
3.
Client Registered: CLI
Uptime: 00:03:57
Statistics:
Number of packets received from neighbor: 1775
Number of packets sent to neighbor: 1775
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4
Log messages display when you configure both interfaces for BFD.
R1(conf-if-te-1/1/4/1)#00:36:01: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.
● Enable BFD on an interface.
INTERFACE mode
bfd enable
If you disable BFD on a local interface, this message displays:
If the remote system state changes due to the local state administration being down, this message displays:
Configure BFD for Static Routes
BFD offers systems a link state detection mechanism for static routes.
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
2.2.2.1 2.2.2.2 Te 4/24/1 Up 200 200 4 R
To view detailed session information, use the show bfd neighbors detail command.
Establishing Sessions for Static Routes for Nondefault VRF
You can also create nondefault VRFs and establish sessions for all neighbors that are the next hop of a static route. To establish a BFD session for nondefault VRFs, use the following command.
M - MPLS
V - VRRP
VT - Vxlan Tunnel
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult VRF Clients
* 13.1.1.1 13.1.1.2 Te 1/1/1/2 Up 200 200 3 2 R
* 23.1.1.1 23.1.1.2 Vl 300 Up 200 200 3 2 R
* 33.1.1.1 33.1.1.2 Vl 301 Up 200 200 3 2 R
Establishing Static Route Sessions on Specific Neighbors
You can selectively enable BFD sessions on specific neighbors based on a destination prefix-list.
Changing Static Route Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all static routes. If you change a parameter, the change affects all sessions for static routes. To change parameters for static route sessions, use the following command.
● Change parameters for all static route sessions.
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
O3 - OSPFv3
R - Static Route (RTM)
M - MPLS
V - VRRP
VT - Vxlan Tunnel
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 11::1 11::2 Te 1/1/1 Up 200 200 3 R
To view detailed session information, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information.
* - Active session role
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
O3 - OSPFv3
R - Static Route (RTM)
M - MPLS
V - VRRP
VT - Vxlan Tunnel
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult VRF Clients
* 13::1 13::2 Te 1/1/1/1 Up 200 200 3 2 R
* 23::1 23::2 Vl 300 Up 200 200 3 2 R
* 33::1 33::2 Vl 301 Up 200 200 3 2 R
Changing IPv6 Static Route Session Parameters
BFD sessions are configured with default intervals and a default role.
Establishing Sessions with OSPF Neighbors for the Default VRF BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 16. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. ● Enable BFD globally.
The bold line shows the OSPF BFD sessions.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2 2.2.2.1 Te 2/1/1 Up 100 100 3 O
* 2.2.3.1 2.2.3.2 Te 2/2/1 Up 100 100 3 O
Establishing Sessions with OSPF Neighbors for nondefault VRFs
To configure BFD in a nondefault VRF, follow this procedure:
● Enable BFD globally.
* 6.1.1.1 6.1.1.2 Vl 30 Up 200 200 3 O
* 7.1.1.1 7.1.1.2 Te 1/1/1/1 Up 200 200 3 O
The following example shows the show bfd vrf neighbors command output for the nondefault VRF.
show bfd vrf VRF_blue neighbors
* - Active session role
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
O3 - OSPFv3
R - Static Route (RTM)
M - MPLS
V - VRRP
VT - Vxlan Tunnel
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult VRF Clients
* 5.1.1.1 5.1.1.2 Po 30 Up 200 200 3 255 O
* 6.1.1.1 6.1.1.
TX: 200ms, RX: 200ms, Multiplier: 3
Role: Active
Delete session on Down: True
VRF: VRF_blue
Client Registered: OSPF
Uptime: 00:00:15
Statistics:
Number of packets received from neighbor: 78
Number of packets sent to neighbor: 78
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4
Session Discriminator: 6
Neighbor Discriminator: 1
Local Addr: 7.1.1.1
Local MAC Addr: 00:a0:c9:00:00:02
Remote Addr: 7.1.1.
Disabling BFD for OSPF If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state. Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated. To disable BFD sessions, use the following commands. ● Disable BFD sessions with all OSPF neighbors.
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 1.1.1.1 1.1.1.2 Te 1/1/1/1 Up 200 200 3 O
* 2.1.1.1 2.1.1.2 Vl 2 Up 200 200 3 O
* fe80::2a0:c9ff:fe00:2 fe80::3617:98ff:fe34:12 Hu 1/1 Up 200 200 3 O3
* fe80::2a0:c9ff:fe00:2 fe80::3617:98ff:fe34:12 Vl 2 Up 200 200 3 O3
DellEMC#
Establishing BFD Sessions with OSPFv3 Neighbors for nondefault VRFs
To configure BFD in a nondefault VRF, use the following procedure:
● Enable BFD globally.
3 511 O
* 11.1.1.1 11.1.1.2 Vl 101 Up 150 150 3 511 O
* 12.1.1.1 12.1.1.2 Vl 102 Up 150 150 3 511 O
* 13.1.1.1 13.1.1.
Configure BFD for IS-IS When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager on the RPM. BFD sessions are then established with all neighboring interfaces participating in IS-IS. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the IS-IS protocol that a link state change occurred. Configuring BFD for IS-IS is a two-step process: 1. Enable BFD globally. 2. Establish sessions for all or particular IS-IS neighbors.
● Establish sessions with IS-IS neighbors on a single interface.
INTERFACE mode
isis bfd all-neighbors
To view the established sessions, use the show bfd neighbors command. The bold line shows that IS-IS BFD sessions are enabled.
R2(conf-router_isis)#bfd all-neighbors
R2(conf-router_isis)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2 2.2.2.
Configure BFD for BGP In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on physical, portchannel, and VLAN interfaces. BFD for BGP does not support the BGP multihop feature. Before configuring BFD for BGP, you must first configure BGP on the routers that you want to interconnect.
Prerequisites
Before configuring BFD for BGP, you must first configure the following settings:
● Configure BGP on the routers that you want to interconnect.
Establishing Sessions with BGP Neighbors for Default VRF
To establish sessions with either IPv6 or IPv4 BGP neighbors for the default VRF, follow these steps:
1. Enable BFD globally.
CONFIGURATION mode
bfd enable
2. Specify the AS number and enter ROUTER BGP configuration mode.
CONFIGURATION mode
router bgp as-number
3.
address-family ipv6 unicast
neighbor 20::2 activate
exit-address-family
DellEMC(conf-router_bgp)#
Establishing Sessions with BGP Neighbors for Nondefault VRF
To establish sessions with either IPv6 or IPv4 BGP neighbors for nondefault VRFs, follow these steps:
1. Enable BFD globally.
CONFIGURATION mode
bfd enable
2. Specify the AS number and enter ROUTER BGP configuration mode.
CONFIGURATION mode
router bgp as-number
3. Specify the address family as IPv4.
!
router bgp 1
!
address-family ipv4 vrf vrf1
neighbor 10.1.1.2 remote-as 2
neighbor 10.1.1.2 no shutdown
neighbor 20::2 remote-as 2
neighbor 20::2 no shutdown
bfd all-neighbors
exit-address-family
!
address-family ipv6 unicast vrf vrf1
neighbor 20::2 activate
exit-address-family
DellEMC(conf-router_bgp)#
Disabling BFD for BGP
You can disable BFD for BGP. To disable a BFD for BGP session with a specified neighbor, use the first command.
neighbor 2.2.2.2 no shutdown
neighbor 3.3.3.2 remote-as 1
neighbor 3.3.3.2 no shutdown
bfd all-neighbors
The following example shows viewing all BFD neighbors.
R2# show bfd neighbors
* - Active session role
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
M - MPLS
V - VRRP
LocalAddr RemoteAddr
* 1.1.1.3 1.1.1.2
* 2.2.2.3 2.2.2.2
* 3.3.3.3 3.3.3.
Client Registered: BGP
Uptime: 00:02:22
Statistics:
Number of packets received from neighbor: 1428
Number of packets sent to neighbor: 1428
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4
The following example shows viewing BFD summary information. The bold line shows the message displayed when you enable BFD for BGP connections.
R2# show ip bgp summary
BGP router identifier 10.0.0.
E1200i_R2#
R2# show ip bgp neighbors 2.2.2.3
BGP neighbor is 2.2.2.3, remote AS 1, external link
Member of peer-group pg1 for session parameters
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
...
Neighbor is using BGP neighbor mode BFD configuration
Peer active in peer-group outbound optimization
...
R2# show ip bgp neighbors 2.2.2.4
BGP neighbor is 2.2.2.
Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 19. Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors, use the following command. ● Establish sessions with all VRRP neighbors.
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.5.1 2.2.5.2 Te 1/1/1/1 Down 1000 1000 3 V
To view session state information, use the show vrrp command. The bold line shows the VRRP BFD session.
DellEMC(conf-if-te-1/1/1/1)#do show vrrp
-----------------
TenGigabitEthernet 1/1/2/1, VRID: 1, Net: 2.2.5.1
VRF:0 default
State: Backup, Priority: 1, Master: 2.2.5.
Configuring Protocol Liveness Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled. When you disable a client, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state. To enable protocol liveness, use the following command. ● Enable Protocol Liveness.
9 Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP) is an interdomain routing protocol that manages routing between edge routers. BGP uses an algorithm to exchange routing information between switches enabled with BGP. BGP determines a path to reach a particular destination using certain attributes while avoiding routing loops. BGP selects a single path as the best path to a destination network or host. You can also influence BGP to select a different path by altering some of the BGP attributes.
The devices within an AS (AS1 or AS2, as seen in the following illustration) exchange routing information using Internal BGP (IBGP), whereas the devices in different AS communicate using External BGP (EBGP). IBGP provides routers inside the AS with the knowledge to reach routers external to the AS. EBGP routers exchange information with other EBGP routers as well as IBGP routers to maintain connectivity and accessibility. Figure 20.
Figure 21. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. AS4 Number Representation Dell EMC Networking OS supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot. NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported.
● All AS numbers between 0 and 65535 are represented as a decimal number, both when entered in the CLI and when displayed in show command output.
● AS numbers larger than 65535 are represented using ASDOT notation as .. For example: AS 65546 is represented as 1.10.
ASDOT representation combines the ASPLAIN and ASDOT+ representations.
DellEMC(conf-router_bgp)#do sho ip bgp
BGP table version is 28093, local router ID is 172.30.1.57
AS4 SUPPORT DISABLED
DellEMC(conf-router_bgp)#no bgp four-octet-as-support
DellEMC(conf-router_bgp)#sho conf
!
router bgp 100
neighbor 172.30.1.250 local-as 65057
DellEMC(conf-router_bgp)#do show ip bgp
BGP table version is 28093, local router ID is 172.30.1.57
Four-Byte AS Numbers
You can use the 4-Byte (32-bit) format when configuring autonomous system numbers (ASNs).
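The three AS number representations described above (ASPLAIN, ASDOT+ and ASDOT), as an added Python example that is not part of the Dell guide and not Dell EMC Networking OS code. It converts between the notations in both directions and enforces the NOTE that the dotted forms are only meaningful when the 4-byte AS feature is enabled; the rule that a value above 65535 is rejected when four-octet support is off is an assumption of this example, drawn from the same NOTE.

```python
FOUR_OCTET_MAX = 0xFFFFFFFF
TWO_OCTET_MAX = 0xFFFF


def asdot_plus(asn: int) -> str:
    """ASDOT+: every AS number is written <high 16 bits>.<low 16 bits> (100 -> '0.100')."""
    if not 0 <= asn <= FOUR_OCTET_MAX:
        raise ValueError(f"AS number out of 32-bit range: {asn}")
    return f"{asn >> 16}.{asn & TWO_OCTET_MAX}"


def asdot(asn: int) -> str:
    """ASDOT: plain decimal up to 65535, ASDOT+ form above that (65546 -> '1.10')."""
    return str(asn) if 0 <= asn <= TWO_OCTET_MAX else asdot_plus(asn)


def asplain(text: str) -> int:
    """Parse any of the three notations back to the 32-bit integer value."""
    if "." in text:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high <= TWO_OCTET_MAX and 0 <= low <= TWO_OCTET_MAX):
            raise ValueError(f"dotted AS number out of range: {text}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= FOUR_OCTET_MAX:
        raise ValueError(f"AS number out of 32-bit range: {text}")
    return asn


def format_asn(asn: int, notation: str, four_octet_support: bool) -> str:
    """Render asn in the requested notation ('asplain', 'asdot' or 'asdot+').

    Without the 4-byte AS feature only ASPLAIN is supported (per the NOTE above);
    rejecting values above 65535 in that case is an assumption of this example.
    """
    if not four_octet_support:
        if notation != "asplain":
            raise ValueError("asdot/asdot+ notation requires bgp four-octet-as-support")
        if asn > TWO_OCTET_MAX:
            raise ValueError("AS numbers above 65535 require bgp four-octet-as-support")
        return str(asn)
    renderers = {"asplain": str, "asdot": asdot, "asdot+": asdot_plus}
    return renderers[notation](asn)


if __name__ == "__main__":
    for value in (100, 65535, 65546, FOUR_OCTET_MAX):
        print(f"{value:>10}  asdot={asdot(value):<14} asdot+={asdot_plus(value)}")
```

A practical use is normalising AS numbers collected from show output on switches configured with different bgp asnotation settings before comparing them against a prefix or peer inventory.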
State: Description
Idle: BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer.
Connect: In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active: The router resets the ConnectRetry timer to zero and returns to the Connect state.
Best Path Selection Criteria Paths for active routes are grouped in ascending order according to their neighboring external AS number (BGP best path selection is deterministic by default, which means the bgp non-deterministic-med command is NOT applied). The best path in each group is selected based on specific criteria. Only one “best path” is selected at a time. If any of the criteria results in more than one path, BGP moves on to the next option in the list.
6. Prefer the path with the lowest multi-exit discriminator (MED) attribute. The following criteria apply:
a. This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs are compared only if the first AS in the AS_SEQUENCE is the same for both paths.
b. If you entered the bgp always-compare-med command, MEDs are compared for all paths.
c. Paths with no MED are treated as "worst" and assigned a MED of 4294967295.
7.
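The deterministic grouping described under Best Path Selection Criteria and the MED rules of step 6, as an added Python example that is not part of the Dell guide and not Dell EMC Networking OS code. Paths are grouped by neighboring AS in ascending order, a winner is chosen inside each group, and the group winners are then compared. The criteria applied before MED in this example (higher local preference, shorter AS path, better origin) are the standard BGP ordering and are an assumption here, since the steps above 6 are not reproduced on this page; the Path fields and sample addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MED_WORST = 4294967295                              # MED assigned to paths that carry none
ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}  # lower is better


@dataclass
class Path:
    via: str                       # neighbor that advertised the path (constructed label)
    as_path: Tuple[int, ...]       # AS_SEQUENCE; as_path[0] is the neighboring AS
    local_pref: int = 100
    origin: str = "IGP"
    med: Optional[int] = None      # None: the attribute is absent


def effective_med(p: Path) -> int:
    """Criterion 6c: a path without MED is treated as worst."""
    return MED_WORST if p.med is None else p.med


def prefer_by_med(a: Path, b: Path, always_compare_med: bool = False) -> Optional[Path]:
    """Criterion 6: the path with the lower MED, or None when MED does not decide.

    6a: MEDs are compared only when the first AS of both paths is the same,
    6b: unless bgp always-compare-med is configured.
    """
    if not always_compare_med and a.as_path[:1] != b.as_path[:1]:
        return None
    med_a, med_b = effective_med(a), effective_med(b)
    if med_a == med_b:
        return None
    return a if med_a < med_b else b


def better(a: Path, b: Path, always_compare_med: bool = False) -> Path:
    """Apply the criteria in order; on a full tie keep a (the path already held)."""
    if a.local_pref != b.local_pref:                         # assumed: step before MED
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):                     # assumed: step before MED
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:       # assumed: step before MED
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    winner = prefer_by_med(a, b, always_compare_med)         # step 6
    return winner if winner is not None else a


def best_path(paths: List[Path], always_compare_med: bool = False) -> Path:
    """Deterministic-MED selection: group by neighboring AS (ascending), pick a
    winner per group, then compare the group winners."""
    groups: Dict[int, List[Path]] = {}
    for p in paths:
        groups.setdefault(p.as_path[0], []).append(p)
    winners = []
    for asn in sorted(groups):
        winner = groups[asn][0]
        for p in groups[asn][1:]:
            winner = better(winner, p, always_compare_med)
        winners.append(winner)
    best = winners[0]
    for p in winners[1:]:
        best = better(best, p, always_compare_med)
    return best


# Constructed sample: three paths to one prefix, two via AS 100 and one via AS 200.
SAMPLE_PATHS = [
    Path(via="10.0.0.1", as_path=(100, 300), med=50),
    Path(via="10.0.0.2", as_path=(100, 300), med=None),   # no MED: treated as worst
    Path(via="10.0.0.3", as_path=(200, 300), med=10),
]

if __name__ == "__main__":
    print("default:            ", best_path(SAMPLE_PATHS).via)
    print("always-compare-med: ", best_path(SAMPLE_PATHS, always_compare_med=True).via)
```

With the default settings the AS 200 path's lower MED is never compared against the AS 100 group, so the AS 100 winner (the path with an explicit MED of 50) is kept; enabling always-compare-med lets the MED of 10 win.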
Figure 23. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 24. Multi-Exit Discriminators NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites IGP MED. Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
IPv4 and IPv6 address family
The IPv4 address family configuration in Dell EMC Networking OS is used for identifying routing sessions for protocols that use IPv4 addresses. You can specify multicast within the IPv4 address family. The default address family configuration is IPv4 unicast. You can configure VRF instances for the IPv4 address family configuration. The IPv6 address family configuration is used for identifying routing sessions for protocols that use IPv6 addresses.
Table 8. BGP Default Values (continued)
Item: Default
Graceful Restart feature: Disabled
Local preference: 100
MED: 0
Route Flap Damping Parameters: half-life = 15 minutes, reuse = 750, suppress = 2000, max-suppress-time = 60 minutes
Distance: external distance = 20, internal distance = 200, local distance = 200
Timers: keepalive = 60 seconds, holdtime = 180 seconds
Add-path: Disabled
Implement BGP with Dell EMC Networking OS
The following sections describe how to implement BGP on Dell EMC Networking OS.
Table 9.
If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH. If an inbound route-map is used to prepend the as-path to the update from the peer, the Local-AS is added first. For example, consider the topology described in the previous illustration.
● To return all values on an snmpwalk for the f10BgpM2Peer sub-OID, use the -C c option, such as snmpwalk -v 2c -C c -c public.
● An SNMP walk may terminate prematurely if the index does not increment lexicographically. Dell EMC Networking recommends using options to ignore such errors.
● Multiple BGP process instances are not supported. Thus, the f10BgpM2PeerInstance field in various tables is not used to locate a peer.
Restrictions Dell EMC Networking OS supports only one BGP routing configuration and autonomous system (AS), but supports multiple address family configuration. Enabling BGP By default, BGP is disabled on the system. Dell EMC Networking OS supports one autonomous system (AS) and assigns the AS number (ASN). To enable the BGP process and begin exchanging information, assign an AS number and use commands in ROUTER BGP mode to configure a BGP neighbor.
Following are the configuration steps:
DellEMC# configure terminal
DellEMC(conf)# router bgp 65535
DellEMC(conf-router_bgp)# neighbor 20.20.20.1 remote-as 20
DellEMC(conf-router_bgp)# neighbor 20.20.20.1 no shutdown
DellEMC(conf-router_bgp)#exit
DellEMC(conf)#
The following example shows verifying the BGP configuration using the show running-config bgp command.
DellEMC#show running-config bgp
!
router bgp 65535
neighbor 20.20.20.1 remote-as 20
neighbor 20.20.20.
OutQ : Added 0, Withdrawn 0 Allow local AS number 0 times in AS-PATH attribute Prefixes accepted 0, withdrawn 0 by peer, martian prefixes ignored 0 Prefixes advertised 0, denied 0, withdrawn 0 from peer Connections established 0; dropped 0 Last reset never No active TCP connection Enabling four-byte autonomous system numbers You can enable 4-byte support for configuring autonomous system numbers (ASN). To enable 4-byte support for the BGP process, use the following command.
Peering sessions are reset when you change the router ID of a BGP router. Upon changing the router ID, the system automatically restarts the BGP instance for the configuration to take effect.
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf-router_bgp)# bgp router-id 1.1.1.1
Following is sample output of the show ip bgp ipv4 multicast summary command.
DellEMC# show ip bgp summary
BGP router identifier 1.1.1.
neighbor 172.30.1.250 route-map rmap1 in
neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
neighbor 172.30.1.250 no shutdown
5332332 9911991 65057 18508 12182 7018 46164 i
The following example shows the bgp asnotation asdot command output.
DellEMC(conf-router_bgp)#bgp asnotation asdot
DellEMC(conf-router_bgp)#sho conf
!
router bgp 100
bgp asnotation asdot
bgp four-octet-as-support
neighbor 172.30.1.250 remote-as 18508
neighbor 172.30.1.250 local-as 65057
neighbor 172.30.1.
neighbor {ip-address | ipv6-address | peer-group-name} activate
NOTE: Neighbors have to be activated using the neighbor activate command in the respective address family. To exchange other address prefix types (IPv4 multicast or IPv6 unicast), the neighbors must be activated under the respective address family configuration, such as address-family ipv4 multicast (for IPv4 multicast) and address-family ipv6 unicast (for IPv6).
DellEMC(conf)# router bgp 10
DellEMC(conf-router_bgp)# neighbor 20.20.20.
Following is an example of enabling the BGP configuration on router B.
RouterB# configure terminal
RouterB(conf)# router bgp 45000
RouterB(conf-router_bgp)# bgp router-id 172.17.1.99
RouterB(conf-router_bgp)# timers bgp 70 120
RouterB(conf-router_bgp)# neighbor 192.168.1.2 remote-as 40000
RouterB(conf-router_bgp)# exit
RouterB(conf)#
The show ip bgp summary command displays the BGP configuration. Following is sample output of the show ip bgp summary command for router A.
After you create a peer group, you can configure route policies for it. For information about configuring route policies for a peer group, refer to Filtering BGP Routes. See Example-Configuring BGP peer groups for configuring multiple BGP neighbors and enabling peer groups.
Configuring Peer Groups
To configure a peer group, use the following commands.
1. Enter the router configuration mode and the AS number.
CONFIG mode
router bgp as-number
2. Create a peer group by assigning a name to it.
A neighbor may keep its configuration after it was added to a peer group if the neighbor’s configuration is more specific than the peer group’s and if the neighbor’s configuration does not affect outgoing updates. NOTE: When you configure a new set of BGP policies for a peer group, always reset the peer group by entering the clear ip bgp peer-group peer-group-name command in EXEC Privilege mode. To view the configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
Example of Enabling BGP (Router 1)
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/32
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
ip address 192.168.128.1/24
no shutdown
R1(conf-if-lo-0)#int te 1/1/2/1
R1(conf-if-te-1/1/2/1)#ip address 10.0.1.21/24
R1(conf-if-te-1/1/2/1)#no shutdown
R1(conf-if-te-1/1/2/1)#show config
!
interface TenGigabitEthernet 1/1/2/1
ip address 10.0.1.
router bgp 99
network 192.168.128.0/24
neighbor 192.168.128.2 remote-as 99
neighbor 192.168.128.2 update-source Loopback 0
neighbor 10.0.3.33 no shutdown
neighbor 10.0.3.33 remote-as 100
Example of Enabling BGP (Router 2)
R2# conf
R2(conf)#int loop 0
R2(conf-if-lo-0)#ip address 192.168.128.2/32
R2(conf-if-lo-0)#no shutdown
R2(conf-if-lo-0)#show config
!
interface Loopback 0
ip address 192.168.128.2/24
no shutdown
R2(conf-if-lo-0)#int te 1/1/1/1
R2(conf-if-te-1/1/1/1)#ip address 10.0.1.
R3(conf-if-te-3/21/1)#router bgp 100
R3(conf-router_bgp)#show config
!
router bgp 100
R3(conf-router_bgp)#neighbor 10.0.3.31 remote 99
R3(conf-router_bgp)#neighbor 10.0.3.31 no shut
R3(conf-router_bgp)#neighbor 10.0.2.2 remote 99
R3(conf-router_bgp)#neighbor 10.0.2.2 no shut
R3(conf-router_bgp)#show config
!
router bgp 100
neighbor 10.0.3.31 remote 99
neighbor 10.0.3.31 no shut
neighbor 10.0.2.2 remote 99
neighbor 10.0.2.
network 192.168.128.0/24
neighbor AAA peer-group
neighbor AAA no shutdown
neighbor BBB peer-group
neighbor BBB no shutdown
neighbor 192.168.128.1 remote-as 99
neighbor 192.168.128.1 peer-group CCC
neighbor 192.168.128.1 update-source Loopback 0
neighbor 192.168.128.1 no shutdown
neighbor 192.168.128.3 remote-as 100
neighbor 192.168.128.3 peer-group BBB
neighbor 192.168.128.3 update-source Loopback 0
neighbor 192.168.128.
BGP soft-reconfiguration clears the policies without resetting the TCP connection. To reset a BGP connection using BGP soft-reconfiguration, use the clear ip bgp command in EXEC Privilege mode at the system prompt. When you change the BGP inbound policy locally, you need to process the updates received from a peer. The route-refresh capability allows the local peer to reset inbound information dynamically by exchanging route-refresh requests to supporting peers.
individual neighbor. If the neighbor is part of a peer-group and when neighbor soft-reconfiguration inbound is removed from the peer group, you need to do a hard reset for the peer-group. If neighbor soft-reconfiguration inbound command is not configured ever in the router, then doing a soft reset is enough for the route-refresh updates to be sent.
May 8 15:28:12 : BGP: 20.1.1.2 rcvd UPDATE w/ attr: origin ?, path 200, nexthop 20.1.1.2, metric 0,
● Create an aggregate entry in the BGP routing table.
CONFIG-ROUTER-BGP mode
aggregate-address address-mask
Use the aggregate-address command without any keywords to create an aggregate entry if any specific BGP routes are available in the specified range.
DellEMC# configure terminal
DellEMC(conf)# router bgp 100
DellEMC(conf-router_bgp)# aggregate-address 10.1.1.0/24
DellEMC(conf-router_bgp)# exit
DellEMC(conf)#
Following is sample output of the show ip bgp command.
Filtering BGP The following section describes the methods used to filter the updates received from BGP neighbors. Following are the filtering methods of BGP updates: ● Filtering using IP prefix lists ● Filtering using route maps ● Filtering using AS-PATH information ● Filtering using community lists Regular Expressions as Filters Regular expressions are used to filter AS paths or community lists.
neighbor AAA no shutdown
neighbor 10.155.15.2 remote-as 32
neighbor 10.155.15.2 shutdown
DellEMC(conf-router_bgp)#neigh 10.155.15.2 filter-list 1 in
DellEMC(conf-router_bgp)#ex
DellEMC(conf)#ip as-path access-list Eagle
DellEMC(config-as-path)#deny 32$
DellEMC(config-as-path)#ex
DellEMC(conf)#router bgp 99
DellEMC(conf-router_bgp)#neighbor AAA filter-list Eagle in
DellEMC(conf-router_bgp)#show conf
!
router bgp 99
neighbor AAA peer-group
neighbor AAA filter-list Eagle in
neighbor AAA no shutdown
neighbor 10.
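How an AS-path access-list such as Eagle is evaluated against the AS_PATH of an update, as an added Python example that is not part of the Dell guide and not Dell EMC Networking OS code. It models the regular-expression filtering described under Regular Expressions as Filters: the AS path is rendered as a space-separated string and each entry's pattern is searched in order, first match wins. Two points are assumptions of this example rather than statements from the page: that an unmatched path in a non-empty list is denied, and that the underscore metacharacter (matching a space, start or end of the path) is honoured as in the widely used Cisco-style AS-path regex. The lists EAGLE and EAGLE_SAFE are constructed.

```python
import re
from typing import List, Tuple


def router_regex(pattern: str) -> str:
    """Translate the router-style '_' metacharacter into a Python regex.

    Assumption of this example: '_' matches a space, the start or the end of the
    AS path string, as in Cisco-style AS-path regular expressions.
    """
    return pattern.replace("_", r"(?:^|$|\s)")


def as_path_text(as_path) -> str:
    """The string form the regex is applied to, e.g. (100, 32) -> '100 32'."""
    return " ".join(str(asn) for asn in as_path)


def as_path_matches(pattern: str, as_path) -> bool:
    return re.search(router_regex(pattern), as_path_text(as_path)) is not None


def apply_filter_list(entries: List[Tuple[str, str]], as_path) -> bool:
    """Evaluate an ip as-path access-list top to bottom; the first matching entry wins.

    An empty (or non-existent) list allows all routes, as the guide states for
    the filter-list command. An unmatched path in a non-empty list is denied
    here; that implicit deny is an assumption of this example.
    """
    if not entries:
        return True
    for action, pattern in entries:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False


# Constructed lists. EAGLE mirrors the single "deny 32$" entry configured above;
# EAGLE_SAFE anchors the AS number with '_' and explicitly permits everything else.
EAGLE = [("deny", "32$")]
EAGLE_SAFE = [("deny", "_32$"), ("permit", ".*")]

if __name__ == "__main__":
    for path in ((100, 32), (100, 132), (100, 200)):
        print(f"{as_path_text(path):>8}: EAGLE={'permit' if apply_filter_list(EAGLE, path) else 'deny'}"
              f"  EAGLE_SAFE={'permit' if apply_filter_list(EAGLE_SAFE, path) else 'deny'}")
```

The (100, 132) case is the one to note: the unanchored pattern 32$ also matches a path ending in AS 132, while _32$ matches only a path whose last AS is exactly 32. Test a filter-list against the paths you intend to block and the neighbouring values you do not before applying it inbound.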
CONFIGURATION mode
ip prefix-list prefix-name
2. Create multiple prefix list filters with a deny or permit action.
CONFIG-PREFIX LIST mode
seq sequence-number {deny | permit} {any | ip-prefix [ge | le] }
● ge: minimum prefix length to be matched.
● le: maximum prefix length to be matched.
For information about configuring prefix lists, refer to Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
CONFIG-PREFIX LIST mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5.
CONFIG-ROUTE-MAP mode
{match | set}
For information about configuring route maps, see Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Filter routes based on the criteria in the configured route map.
AS-PATH ACL mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Use a configured AS-PATH ACL for route filtering and manipulation.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} filter-list as-path-name {in | out}
If you assign a non-existent or empty AS-PATH ACL, the software allows all routes. To view all BGP path attributes in the BGP database, use the show ip bgp paths command in EXEC Privilege mode.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} route-map map-name {in | out}
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf-router_bgp)# neighbor 10.10.10.1 remote-as 500
DellEMC(conf-router_bgp)# neighbor 10.10.10.
Sent 45 messages, 5 notifications, 0 in queue
Received 6 updates, Sent 0 updates
Route refresh request: received 0, sent 0
Minimum time between advertisement runs is 5 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
fall-over enabled
Update source set to Loopback 0
Configuring Passive Peering When you enable a peer-group, the software sends an OPEN message to initiate a TCP connection. If you enable passive peering for the peer group, the software does not send an OPEN message, but it responds to an OPEN message. When a BGP neighbor connection with authentication configured is rejected by a passive peer-group, Dell EMC Networking OS does not allow another passive peer-group on the same subnet to connect with the BGP neighbor.
To enable graceful restart, use the following command.
bgp graceful-restart [restart-time seconds] [stale-path-time seconds] [role receiver-only]
To return to the default, use the no bgp graceful-restart command.
● Enable graceful restart for the BGP node.
CONFIG-ROUTER-BGP mode
bgp graceful-restart
● Set the maximum restart time, in seconds, to restart and bring up all the peers.
CONFIG-ROUTER-BGP mode
bgp graceful-restart [restart-time time-in-seconds]
The default is 120 seconds.
redistribute ospf process-id [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name]
Configure the following parameters:
○ ospf: Indicates that you are redistributing OSPF routes into BGP.
○ process-id: the range is from 1 to 65535.
○ match internal, external1, and external2: Specify the type of OSPF routes to be redistributed into BGP.
○ metric-type: external or internal.
The above configuration example shows how to enable BGP additional paths to be sent and received, with a maximum of two additional paths to the peers. You can configure the neighbor to send and receive additional paths using the neighbor add-path command at the address family configuration level.
Configuring IP Community Lists
Within Dell EMC Networking OS, you have multiple methods of manipulating routing attributes. One attribute you can manipulate is the COMMUNITY attribute.
deny 704:666
deny 705:666
deny 14551:666
DellEMC#
Configuring an IP Extended Community List
To configure an IP extended community list, use these commands.
1. Create an extended community list and enter EXTCOMMUNITY-LIST mode.
CONFIGURATION mode
ip extcommunity-list extcommunity-list-name
2. Two types of extended communities are supported.
Configure BGP attributes Following sections explain how to configure the BGP attributes such as MED, COMMUNITY, WEIGHT, and LOCAL_PREFERENCE. Changing MED Attributes By default, Dell EMC Networking OS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths received from different BGP neighbors or peers from the same AS for the same route. You can configure the device to compare the MED attributes from neighbors or peers in different AS using the bgp always-compare-med command.
Configure a community list by denying or permitting specific community numbers or types of community.
● community-number: use the AA:NN format, where AA is the AS number (2 or 4 bytes) and NN is a value specific to that autonomous system.
● local-AS: routes carrying the NO_EXPORT_SUBCONFED COMMUNITY attribute; these are not sent to EBGP peers.
● no-advertise: routes carrying the NO_ADVERTISE COMMUNITY attribute; these are not advertised.
● no-export: routes carrying the NO_EXPORT COMMUNITY attribute.
value: the range is from 0 to 4294967295. The default is 100.
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf_router_bgp)# neighbor 10.10.10.1 remote-as 500
DellEMC(conf_router_bgp)# bgp default local-preference 150
DellEMC(conf_router_bgp)# exit
In the above example configuration, the default LOCAL_PREFERENCE value is changed to 150 for all the updates from AS 500 to AS 400. The default value is 100.
● Disable next hop processing and configure the router (route reflector) as the next hop for a BGP neighbor.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} next-hop-self [all]
If you do not use the all keyword, the next hop of only eBGP-learned routes is updated by the route reflector. If you use the all keyword, the next hop of both eBGP- and iBGP-learned routes is updated by the route reflector.
● Set the next hop address.
○ number: Maximum number of parallel paths. The range is from 2 to 64.
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf-router_bgp)# maximum-paths ibgp 5
DellEMC(conf-router_bgp)# exit
In the above example configuration, the maximum number of parallel internal BGP routes is set to 5, so that only 5 routes can be installed in a routing table. The show ip bgp network command includes multipath information for that network.
● Assign a cluster ID or an IP address to a route reflector cluster.
CONFIG-ROUTER-BGP mode
bgp cluster-id ip-address | number
○ ip-address: IP address as the route reflector cluster ID.
○ number: A route reflector cluster ID as a number from 1 to 4294967295.
You can have multiple clusters in an AS. When a BGP cluster contains only one route reflector, the cluster ID is the route reflector's router ID. For redundancy, a BGP cluster may contain two or more route reflectors.
○ reuse: the range is from 1 to 20000. This number is compared to the flapping route's Penalty value. If the Penalty value is less than the reuse value, the flapping route is once again advertised (or no longer suppressed). Withdrawn routes are removed from the history state. The default is 750.
○ suppress: the range is from 1 to 20000. This number is compared to the flapping route's Penalty value.
DellEMC(conf-router_bgp)#bgp dampening 2 2000 ?
<1-20000> Value to start suppressing a route (default = 2000)
DellEMC(conf-router_bgp)#bgp dampening 2 2000 3000 ?
<1-255> Maximum duration to suppress a stable route (default = 60)
DellEMC(conf-router_bgp)#bgp dampening 2 2000 3000 10 ?
route-map Route-map to specify criteria for dampening
To view a count of dampened routes, history routes, and penalized routes when you enable route dampening, look at the seventh line of the show ip bgp summary command o
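The interaction of the half-life, reuse, suppress and max-suppress-time parameters described above, as an added Python simulation that is not part of the Dell guide and not Dell EMC Networking OS code. It uses the defaults listed in Table 8 (half-life 15 minutes, reuse 750, suppress 2000, max-suppress-time 60 minutes), decays the penalty exponentially by half-life, suppresses a route whose penalty exceeds the suppress value and re-advertises it once the penalty falls below the reuse value. The penalty of 1000 added per flap and the penalty ceiling derived from max-suppress-time follow the common RFC 2439 style implementation and are assumptions of this example, not values stated on this page.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class DampeningParams:
    half_life_min: float = 15.0      # default from Table 8
    reuse: int = 750                 # default from Table 8
    suppress: int = 2000             # default from Table 8
    max_suppress_min: float = 60.0   # default from Table 8
    flap_penalty: int = 1000         # assumption: penalty added per flap (RFC 2439 style)

    @property
    def max_penalty(self) -> float:
        # Assumption: the penalty is capped so that a route is never suppressed longer
        # than max-suppress-time; at this value it decays to reuse in exactly that time.
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


class DampenedRoute:
    """Penalty accounting for one prefix. Times are minutes since an arbitrary origin."""

    def __init__(self, params: DampeningParams):
        self.p = params
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now: float) -> None:
        # Exponential decay: the penalty halves every half_life_min minutes.
        self.penalty *= 2 ** (-(now - self.last_update) / self.p.half_life_min)
        self.last_update = now

    def _reevaluate(self) -> None:
        if self.penalty > self.p.suppress:
            self.suppressed = True           # start suppressing
        elif self.penalty < self.p.reuse:
            self.suppressed = False          # advertise again (reuse threshold)

    def flap(self, now: float) -> None:
        self._decay_to(now)
        self.penalty = min(self.penalty + self.p.flap_penalty, self.p.max_penalty)
        self._reevaluate()

    def status(self, now: float) -> Tuple[str, int]:
        self._decay_to(now)
        self._reevaluate()
        return ("suppressed" if self.suppressed else "advertised", round(self.penalty))


def simulate(flap_times: Iterable[float], probe_times: Iterable[float],
             params: DampeningParams = DampeningParams()) -> Dict[float, Tuple[str, int]]:
    """Replay flaps in time order and report the route's status at each probe time."""
    route = DampenedRoute(params)
    events = sorted([(t, "flap") for t in flap_times] + [(t, "probe") for t in probe_times])
    report: Dict[float, Tuple[str, int]] = {}
    for t, kind in events:
        if kind == "flap":
            route.flap(t)
        else:
            report[t] = route.status(t)
    return report


if __name__ == "__main__":
    # Constructed scenario: three flaps one minute apart, then the route stays stable.
    for t, (state, penalty) in simulate([0, 1, 2], [2, 17, 32, 47]).items():
        print(f"t={t:>3} min  penalty={penalty:>5}  {state}")
```

Three quick flaps push the penalty past 2000, so the route is suppressed at t=2; after one half-life (t=17) the penalty is about 1433, still above the reuse value, and the route is only advertised again once the penalty drops below 750, around t=45 in this scenario. A single flap never reaches the suppress threshold with the defaults.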
○ holdtime: Time interval, in seconds, between the last keepalive message and declaring the BGP peer dead. The range is from 3 to 65536. The default is 180 seconds.
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf-router_bgp)# network 10.1.1.0 mask 255.255.255.
To enable or disable BGP neighbors corresponding to the IPv4 unicast address family, use the following commands:
1. Enter ROUTER BGP mode using the following command:
CONFIGURATION mode
router bgp as-number
2. Shut down the BGP neighbors corresponding to the IPv4 unicast address family using the following command:
shutdown address-family-ipv4-unicast
To enable or disable BGP neighbors corresponding to the IPv4 multicast address family:
1.
Route Map Continue The BGP route map continue feature, continue [sequence-number], (in ROUTE-MAP mode) allows movement from one route-map entry to a specific route-map entry (the sequence number). If you do not specify a sequence number, the continue feature moves to the next sequence number (also known as an “implied continue”). If a match clause exists, the continue feature executes only after a successful match occurs. If there are no successful matches, continue is ignored.
Configuring a BGP VRF address family
To perform BGP configuration between two neighbors that must exchange IPv6 or IPv4 VRF information, use the following commands. Following are the steps to configure a BGP VRF address family between two peers.
● Configure a VRF routing table.
CONFIG mode
ip vrf vrf-name
For more information on VRF configuration, see Virtual Routing and Forwarding (VRF).
● Enter the router configuration mode and the AS number.
bgp router-id 1.1.1.1
network 10.10.21.0/24
bgp four-octet-as-support
neighbor 20.20.20.1 remote-as 65550
neighbor 20.20.20.1 no shutdown
!
address-family ipv4 vrf vrf1
neighbor 50.0.0.2 maximum-prefix 10000 warning-only
neighbor 50.0.0.2 remote-as 200
neighbor 50.0.0.2 no shutdown
exit-address-family
!
address-family ipv4 multicast vrf vrf1
neighbor 50.0.0.2 activate
exit-address-family
!
address-family ipv6 unicast vrf vrf1
neighbor 50.0.0.
Allowing an AS Number to Appear in its Own AS Path This command allows you to set the number of times a particular AS number can occur in the AS path. The allow-as feature permits a BGP speaker to allow the ASN to be present for a specified number of times in the update received from the peer, even if that ASN matches its own. The AS-PATH loop is detected if the local ASN is present more than the specified number of times in the command.
● Exchange of IPv4 multicast route information occurs through the use of two new attributes called MP_REACH_NLRI and MP_UNREACH_NLRI, for feasible and withdrawn routes, respectively.
● If the peer has not been activated in any AFI/SAFI, the peer remains in Idle state.
Most Dell EMC Networking OS BGP IPv4 unicast commands are extended to support the IPv4 multicast RIB using extra options to the command.
Example-Configuring IPv4 and IPv6 neighbors
The following example configurations show how to enable BGP and set up some peers under the IPv4 and IPv6 address families. To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes.
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
1 neighbor(s) using 24576 bytes of memory

Neighbor     AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
20.20.20.2   200  10       20       0       0    0     00:06:11  0
R1#
Following is the output of the show ip bgp ipv6 unicast summary command for the above configuration example.
R1#show ip bgp ipv6 unicast summary
BGP router identifier 1.1.1.
Configure IPv6 NH Automatically for IPv6 Prefix Advertised over IPv4 Neighbor
You can configure the system to pick the next-hop IPv6 address dynamically for IPv6 prefixes advertised over an IPv4 neighbor configured under the IPv6 address family. If there is no IPv6 address configured on the local interface, the system uses the IPv4-mapped IPv6 address. If there are multiple IPv6 addresses configured on the interface, the system uses the lowest IPv6 address configured on that interface.
!
exit-address-family
Example configuration performed in R2
DellEMC# configure terminal
DellEMC(conf)# router bgp 20
DellEMC(conf-router_bgp)# neighbor 10.1.1.1 remote-as 655
DellEMC(conf-router_bgp)# neighbor 10.1.1.1 no shutdown
DellEMC(conf-router_bgp)# address-family ipv6 unicast
DellEMC(conf-router_bgpv6_af)# neighbor 10.1.1.1 activate
DellEMC(conf-router_bgpv6_af)# exit
Following is the show running-config command output for the above configuration.
● View information about local BGP state changes and other BGP events.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] events [in | out]
● View information about BGP KEEPALIVE messages.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] keepalive [in | out]
● View information about BGP notifications received from or sent to neighbors.
For address family: IPv4 Unicast
BGP table version 1395, neighbor version 1394
Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by peer
Prefixes advertised 0, rejected 0, 0 withdrawn from peer
Connections established 3; dropped 2
Last reset 00:00:12, due to Missing well known attribute
Notification History
  'UPDATE error/Missing well-known attr' Sent : 1 Recv: 0
  'Connection Reset' Sent : 1 Recv: 0
Last notification (len 21) sent 00:26:02 ago
  ffffffff ffffffff ffffffff ffffffff 00160303 03010000
Last notifi
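The hex dump under "Last notification" above is a complete BGP NOTIFICATION message. The following decoder, an added example and not Dell EMC Networking OS code, parses it and maps the error code and subcode to the names behind the history entry 'UPDATE error/Missing well-known attr'; the layout and names follow RFC 4271 (sections 4.5 and 6), and the sample bytes are the ones printed on this page.

```python
"""Decode the 'Last notification' hex dump printed in the BGP neighbor output
above, mapping the error code and subcode to the text the neighbor history
shows ('UPDATE error/Missing well-known attr').

Added example, not Dell EMC Networking OS code. The message layout and the
code/subcode names follow RFC 4271 (sections 4.5 and 6); the sample bytes are
taken from the hex dump on this page.
"""
import struct

BGP_MARKER = b"\xff" * 16
NOTIFICATION = 3
MIN_NOTIFICATION_LEN = 21  # 16 marker + 2 length + 1 type + code + subcode

ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}

UPDATE_SUBCODES = {1: "Malformed Attribute List", 2: "Unrecognized Well-known Attribute",
                   3: "Missing Well-known Attribute", 4: "Attribute Flags Error",
                   5: "Attribute Length Error", 6: "Invalid ORIGIN Attribute",
                   8: "Invalid NEXT_HOP Attribute", 9: "Optional Attribute Error",
                   10: "Invalid Network Field", 11: "Malformed AS_PATH"}

# Path attribute type codes; for subcode 3 the data field names the missing one
ATTR_TYPES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC",
              5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR"}


def decode_notification(raw: bytes) -> dict:
    """Parse one BGP NOTIFICATION; rejects bad markers, types and lengths."""
    if len(raw) < MIN_NOTIFICATION_LEN:
        raise ValueError("too short for a BGP NOTIFICATION")
    marker, length, msg_type = struct.unpack("!16sHB", raw[:19])
    if marker != BGP_MARKER:
        raise ValueError("bad BGP marker")
    if msg_type != NOTIFICATION:
        raise ValueError(f"not a NOTIFICATION (type {msg_type})")
    if length < MIN_NOTIFICATION_LEN or length > len(raw):
        raise ValueError(f"length field {length} inconsistent with {len(raw)} bytes")
    code, subcode = raw[19], raw[20]
    data = raw[21:length]
    info = {"length": length, "error_code": code,
            "error": ERROR_CODES.get(code, f"unknown({code})"),
            "subcode": subcode, "data": data.hex(),
            "trailing_bytes": len(raw) - length}
    if code == 3:
        info["suberror"] = UPDATE_SUBCODES.get(subcode, f"unknown({subcode})")
        if subcode == 3 and data:
            info["missing_attribute"] = ATTR_TYPES.get(data[0], f"type {data[0]}")
    return info


# The hex dump printed under 'Last notification' in the show output above
PAGE_NOTIFICATION_HEX = "ffffffff ffffffff ffffffff ffffffff 00160303 03010000"


def decode_page_sample() -> dict:
    return decode_notification(bytes.fromhex(PAGE_NOTIFICATION_HEX))


if __name__ == "__main__":
    for key, value in decode_page_sample().items():
        print(f"{key:>18}: {value}")
```

The length field inside the dump reads 22 while the show output reports len 21; the decoder trusts the length field and reports the two extra dump bytes as trailing.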
10 Content Addressable Memory (CAM) CAM is a type of memory that stores information in the form of a lookup table. On Dell EMC Networking systems, CAM stores Layer 2 (L2) and Layer 3 (L3) forwarding information, access-lists (ACLs), flows, and routing policies.
Table 11. Default Cam Allocation Settings (continued)
CAM Allocation Setting
fedgovacl      0
nlbclusteracl  0
NOTE: When you reconfigure CAM allocation, use the nlbclusteracl number command to change the number of NLB ARP entries. The range is from 0 to 2. The default value is 0. At the default value of 0, eight NLB ARP entries are available for use. This platform supports up to 512 CAM entries. Select 1 to configure 256 entries. Select 2 to configure 1024 entries.
NOTE: If you do not enter the allocation values for the CAM regions, the value is 0.
3. Execute write memory and verify that the new settings are written to the CAM on the next boot.
EXEC Privilege mode
show cam-acl
4. Reload the system.
EXEC Privilege mode
reload
Test CAM Usage
To determine whether sufficient CAM space is available to enable a service-policy, use the test-cam-usage command.
FcoeAcl       : 0
ipv4pbr       : 0
vrfv4Acl      : 0
Openflow      : 0
fedgovacl     : 0
nlbclusteracl : 0
DellEMC#
NOTE: If you change the cam-acl setting from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
CAM regions listed in the output: IN-L3 ACL, IN-L3 ECMP GRP, IN-V6 ACL, IN-NLB ACL, IPMAC ACL, IN-L3-UDFMIRRACL (IN-V6-MIRR ACL), IN-L3-MIRR ACL, OUT-L2 ACL, OUT-L3 ACL, OUT-V6 ACL, IN-L3 QOS, IN-L3 FIB
Codes: * - cam usage is above 90%.
Table 13. Possible Scenarios of Syslog Warning
Old CAM Threshold  New CAM Threshold  Current CAM Usage  Syslog
90                 80                 85
90                 95                 91
98                 100                100                No syslog
95                 80                 10                 No syslog
92                 90                 89                 No syslog
DellEMC(conf)#Nov 5 19:55:12 %S6000:0 %ACL_AGENT-4ACL_AGENT_CAM_USAGE_OVER_THE_THRESHOLD: The Ipv4Acl cam region on stack-unit 0 Portpipe 0 Pipeline 0 is more than 80% Full.
A table-full error message is displayed once the number of entries crosses the table size. The table-full message is generated only once, when the count crosses the threshold. For subsequent additions of entries, the table-full message is not recorded again until the table-full message is cleared. The table-full message is cleared internally when the number of entries is less than the table size.
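The threshold warning of Table 13 and the one-shot table-full message above, modelled as an added example that is not Dell EMC Networking OS code. It assumes the threshold warning fires only when a change moves usage from below the old threshold to at or above the new one (a rule inferred from the rows of Table 13) and that "crosses the table size" means exceeding it.

```python
"""Stateful model of the two CAM log behaviours described above: the usage
threshold syslog (Table 13) and the one-shot table-full message.

Added example, not Dell EMC Networking OS code. The crossing rule for a
threshold change (log only when usage moves from below the old threshold to
at-or-above the new one) is an assumption inferred from the rows of Table 13.
"""
from dataclasses import dataclass, field


@dataclass
class CamRegionMonitor:
    name: str
    threshold_pct: int            # configured CAM usage threshold, e.g. 80
    table_size: int               # entries the region can hold
    usage_pct: int = 0
    entries: int = 0
    over_threshold: bool = False  # remembered so the warning is not repeated
    table_full_logged: bool = False
    syslog: list = field(default_factory=list)

    def __post_init__(self):
        # Establish the initial state silently (no log for pre-existing usage)
        self.over_threshold = self.usage_pct >= self.threshold_pct

    def _check_threshold(self) -> bool:
        """Emit the threshold warning only on a below -> at/above transition."""
        now_over = self.usage_pct >= self.threshold_pct
        fired = now_over and not self.over_threshold
        if fired:
            self.syslog.append(
                f"%ACL_AGENT-4-ACL_AGENT_CAM_USAGE_OVER_THE_THRESHOLD: The {self.name} "
                f"cam region is more than {self.threshold_pct}% Full.")
        self.over_threshold = now_over
        return fired

    def set_threshold(self, new_pct: int) -> bool:
        """Reconfigure the threshold; returns True if a syslog was generated."""
        self.threshold_pct = new_pct
        return self._check_threshold()

    def set_usage(self, pct: int) -> bool:
        """Report new usage; returns True if a syslog was generated."""
        self.usage_pct = pct
        return self._check_threshold()

    def add_entries(self, count: int) -> bool:
        """Add (or remove, with a negative count) entries; returns True if the
        table-full message was logged by this call. The message is recorded
        once when the entry count exceeds the table size (assumed meaning of
        'crosses') and is cleared when the count drops below the table size."""
        self.entries += count
        if self.entries < self.table_size:
            self.table_full_logged = False
            return False
        if self.entries > self.table_size and not self.table_full_logged:
            self.table_full_logged = True
            self.syslog.append(f"{self.name} table full ({self.entries} > {self.table_size})")
            return True
        return False


def threshold_change_logs(old_pct: int, new_pct: int, usage_pct: int) -> bool:
    """Replay one row of Table 13: does changing the threshold generate a syslog?"""
    mon = CamRegionMonitor("Ipv4Acl", threshold_pct=old_pct, table_size=1024,
                           usage_pct=usage_pct)
    return mon.set_threshold(new_pct)


if __name__ == "__main__":
    # Rows taken from Table 13: (old threshold, new threshold, current usage)
    for row in [(90, 80, 85), (90, 95, 91), (98, 100, 100), (95, 80, 10), (92, 90, 89)]:
        print(row, "syslog" if threshold_change_logs(*row) else "no syslog")
```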
show hardware forwarding-table mode
DellEMC#show hardware forwarding-table mode
Mode              : Current Settings   Next Boot Settings
                    Default            scaled-l3-hosts
L2 MAC Entries    : 72K                8K
L3 Host Entries   : 72K                136K
L3 Route Entries  : 16K                16K
IPv6 CAM ACL Region
The IPv6 ACL CAM region is triple-wide in the platform. You can change the IPv6 ACL region to double-wide mode, which results in better scale of the IPv6 ACL entries. The IPv6 ACL CAM region can also be shared with the IPv4 QoS CAM region.
If the ipv6acl option of the cam-acl command is not in multiples of two, the system does not allow reload.
Sharing CAM space between IPv4 QoS and IPv6 ACLs
To share CAM space between IPv4 QoS and IPv6 ACLs, follow these steps.
1. Convert the IPv6 ACL CAM to double-wide.
CONFIGURATION mode
feature ipv6acloptimized
You can use the no feature ipv6acloptimized command to disable this feature.
2. Configure the cam-acl such that the IPv6 ACL is in multiples of 2.
11 Control Plane Policing (CoPP)
Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits traffic to an acceptable level.
Figure 31. CoPP Implemented Versus CoPP Not Implemented
Topics:
• Configure Control Plane Policing
Configure Control Plane Policing
The system can process a maximum of 8500 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per-protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
Configuring CoPP for Protocols
This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffic according to the ACL.
DellEMC(conf)#mac access-list extended lacp cpu-qos
DellEMC(conf-mac-acl-cpuqos)#permit lacp
DellEMC(conf-mac-acl-cpuqos)#exit
DellEMC(conf)#ipv6 access-list ipv6-icmp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit icmp
DellEMC(conf-ipv6-acl-cpuqos)#exit
DellEMC(conf)#ipv6 access-list ipv6-vrrp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit vrrp
DellEMC(conf-ipv6-acl-cpuqos)#exit
The following example shows creating the QoS input policy.
1. Create a QoS input policy for the router and assign the policing.
CONFIGURATION mode
qos-policy-input name cpu-qos
2. Create an input policy-map to assign the QoS policy to the desired service queues.
CONFIGURATION mode
policy-map-input name cpu-qos
service-queue queue-number qos-policy name
3. Enter Control Plane mode.
CONFIGURATION mode
control-plane-cpuqos
4. Assign a CPU queue-based service policy on the control plane in cpu-qos mode.
Table 15.
Displaying CoPP Configuration
The CLI provides show commands to display the protocol traffic assigned to each control-plane queue and the current rate-limit applied to each queue. Other show commands display statistical information for troubleshooting CoPP operation. To view the rates for each queue, use the show cpu-queue rate cp command.
Example of Viewing Queue Mapping for IPv6 Protocols
DellEMC#show ipv6 protocol-queue-mapping
Protocol        Src-Port   Dst-Port   TcpFlag   Queue   EgPort   Rate (kbps)
------------------------------------------------------------------------------
TCP (BGP)       any/179    179/any    _         Q9      _        _
UDP (DHCPV6)    546/547    546/547    _         Q10     _        _
ICMPV6 NA       any        any        _         Q6      _        _
ICMPV6 RA       any        any        _         Q6      _        _
ICMPV6 NS       any        any        _         Q5      _        _
ICMPV6 RS       any        any        _         Q5      _        _
ICMPV6          any        any        _         Q6      _        _
VRRPV6          any        any        _         Q10     _        _
OSPFV3          any        any        _         Q9      _        _
DellEMC#
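Because queue-based rate limiting is applied before per-protocol CoPP, the protocols that share a queue in the mapping above are the ones that can flap each other. The following parser, an added example and not Dell EMC Networking OS code, reads the show ipv6 protocol-queue-mapping output and reports shared and unlimited queues; the sample text is constructed from the values printed on this page with its column spacing assumed.

```python
"""Parse 'show ipv6 protocol-queue-mapping' output and report control-plane
queues shared by several protocols, the situation in which the guide says a
burst of one protocol can flap another even with per-protocol CoPP applied.

Added example, not Dell EMC Networking OS code. SAMPLE_OUTPUT is constructed
from the values printed on this page; its column spacing is assumed.
"""
from __future__ import annotations
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
DellEMC#show ipv6 protocol-queue-mapping
Protocol        Src-Port   Dst-Port   TcpFlag   Queue   EgPort   Rate (kbps)
------------------------------------------------------------------------------
TCP (BGP)       any/179    179/any    _         Q9      _        _
UDP (DHCPV6)    546/547    546/547    _         Q10     _        _
ICMPV6 NA       any        any        _         Q6      _        _
ICMPV6 RA       any        any        _         Q6      _        _
ICMPV6 NS       any        any        _         Q5      _        _
ICMPV6 RS       any        any        _         Q5      _        _
ICMPV6          any        any        _         Q6      _        _
VRRPV6          any        any        _         Q10     _        _
OSPFV3          any        any        _         Q9      _        _
DellEMC#
"""

# The protocol name may contain spaces, so it ends at the first run of two or
# more spaces; the remaining six columns are single tokens.
ROW_RE = re.compile(
    r"^(?P<proto>\S.*?)\s{2,}(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<flag>\S+)\s+"
    r"(?P<queue>Q\d+)\s+(?P<egport>\S+)\s+(?P<rate>\S+)\s*$")


def parse_queue_mapping(text: str) -> list[dict]:
    """Return one dict per protocol row; '_' in the rate column becomes None."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["rate_kbps"] = None if row["rate"] == "_" else int(row["rate"])
            rows.append(row)
    return rows


def shared_queues(rows: list[dict]) -> dict[str, list[str]]:
    """Queues carrying more than one protocol, in queue-number order."""
    by_queue: dict[str, list[str]] = defaultdict(list)
    for row in rows:
        by_queue[row["queue"]].append(row["proto"])
    ordered = sorted(by_queue.items(), key=lambda kv: int(kv[0][1:]))
    return {q: protos for q, protos in ordered if len(protos) > 1}


def unlimited_queues(rows: list[dict]) -> set[str]:
    """Queues for which no per-queue rate limit is shown."""
    return {row["queue"] for row in rows if row["rate_kbps"] is None}


if __name__ == "__main__":
    rows = parse_queue_mapping(SAMPLE_OUTPUT)
    for queue, protos in shared_queues(rows).items():
        print(f"{queue}: shared by {', '.join(protos)}")
    print("queues without a rate limit:", sorted(unlimited_queues(rows)))
```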
12 Data Center Bridging (DCB) Data center bridging (DCB) refers to a set of enhancements to Ethernet local area networks used in data center environments, particularly with clustering and storage area networks.
A CNA is a computer input/output device that combines the functionality of a host bus adapter (HBA) with a network interface controller (NIC). Multiple adapters on different devices for several traffic types are no longer required.
Figure 32. Illustration of Traffic Congestion
The system supports loading two DCB_Config files:
● FCoE converged traffic with priority 3.
● iSCSI storage traffic with priority 4.
In the Dell EMC Networking OS, PFC is implemented as follows:
● PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface.
Figure 33. Enhanced Transmission Selection
The following table lists the traffic groupings ETS uses to select multiprotocol traffic for transmission.
Table 16. ETS Traffic Groupings
Traffic Groupings  Description
Group ID           A 4-bit identifier assigned to each priority group. Groups 0 to 7 are configurable, 8 to 14 are reserved, and 15.0 to 15.7 is the strict priority group.
Group bandwidth    Percentage of available bandwidth allocated to a priority group.
Data Center Bridging in a Traffic Flow The following figure shows how DCB handles a traffic flow on an interface. Figure 34. DCB PFC and ETS Traffic Handling Enabling Data Center Bridging DCB is automatically configured when you configure FCoE or iSCSI optimization. Data center bridging supports converged enhanced Ethernet (CEE) in a data center network. DCB is disabled by default. It must be enabled to support CEE.
● Enter global configuration mode to create a DCB map or edit PFC and ETS settings.
● Configure the PFC setting (on or off) and the ETS bandwidth percentage allocated to traffic in each priority group, or whether the priority group traffic should be handled with strict priority scheduling. You can enable PFC on a maximum of two priority queues on an interface. Enabling PFC for dot1p priorities makes the corresponding port queue lossless.
When traffic congestion occurs, PFC sends a pause frame to a peer device with the CoS priority values of the traffic that is to be stopped. Data Center Bridging Exchange protocol (DCBx) provides the link-level exchange of PFC parameters between peer devices. PFC allows network administrators to create zero-loss links for Storage Area Network (SAN) traffic that requires no-drop service, while retaining packet-drop congestion management for Local Area Network (LAN) traffic.
The configuration of no-drop queues provides flexibility for ports on which PFC is not needed but lossless traffic should egress from the interface. Lossless traffic egresses out the no-drop queues. Ingress dot1p traffic from PFC-enabled interfaces is automatically mapped to the no-drop egress queues.
1. Enter INTERFACE Configuration mode.
CONFIGURATION mode
interface interface-type
2. Configure the port queues that will still function as no-drop queues for lossless traffic.
transmission for specified priorities (CoS values) without impacting other priority classes. Different traffic types are assigned to different priority classes. When traffic congestion occurs, PFC sends a pause frame to a peer device with the CoS priority values of the traffic that needs to be stopped. DCBx provides the link-level exchange of PFC parameters between peer devices.
● You can enable PFC on a maximum of four priority queues on an interface. The default is two. Enabling PFC for dot1p priorities configures the corresponding port queue as lossless.
● You cannot enable PFC and link-level flow control at the same time on an interface.
Applying a DCB Map on a Port
When you apply a DCB map with PFC enabled on a switch interface, a memory buffer for PFC-enabled priority traffic is automatically allocated.
Configuring PFC Asymmetric The interface is designed to honor incoming pause frames (lossy and lossless) on all priorities. However, the interface will only generate pause frames on priorities that are configured to be lossless (typically priorities 3 and 4). Any received pause frames are reflected in the appropriate counters, and PFC watchdog accounts for pause frames on all priorities. Table 19.
Although the system contains 4 MB of space for shared buffers, a minimum guaranteed buffer is provided to all the internal and external ports in the system for both unicast and multicast traffic. This minimum guaranteed buffer reduces the total available shared buffer to 3399 KB. This shared buffer can be used for lossy and lossless traffic. The default behavior causes up to a maximum of 2656 KB to be used for PFC-related traffic. The remaining approximate space of 744 KB can be used by lossy traffic.
Table 20. Buffer usage statistics when shared headroom is not used (continued)
Parameter  Description
The Headroom value reserved per lossless queue  94 – 18 = 76KB
NOTE: 76KB is the headroom space that is required per PG (or a lossless queue) on a 40 Gigabit port in a worst case scenario to guarantee lossless behavior.
continue to be the ingress threshold limit for bursty traffic. This attribute determines the maximum buffer a PG can use from the shared headroom pool.
Viewing Shared Head Room Usage
You can obtain an instantaneous usage count for the shared headroom pool. To view the headroom usage count, enter the following show command:
EXEC Privilege mode
show hardware buffer headroom-pool [detail] buffer-info
NOTE: The detail option displays the current headroom pool usage in each of the pipelines in the device.
● When the peer sends a PFC message for Priority 2, based on the above PRIO2COS table (TABLE 2), Queue 2 is halted.
● Queue 2 starts buffering the packets with dot1p 2. This causes the PG6 buffer counter to increase on the ingress, since dot1p 2 is mapped to PG6.
● As the PG6 watermark threshold is reached, PFC is generated for dot1p 2.
SNMP Support for PFC and Buffer Statistics Tracking
The Buffer Statistics Tracking (BST) feature provides a mechanism to aid in resource monitoring and tuning of buffer allocation.
mappings are identical. This section discusses the Dell EMC Networking OS configuration needed for the PFC generation and honoring mechanism described above to work for untagged packets. PRIORITY to PG mapping (PRIO2PG) is on the ingress for each port. By default, all priorities are mapped to PG7. A priority for which PFC has to be generated is assigned to a PG other than PG7 (say PG6), and a buffer watermark is set on PG6 so as to generate PFC.
b. Apply PFC Priority configuration. Configure priorities on which PFC is enabled.
PRIORITY-GROUP mode
exit
5. Repeat Steps 1 to 4 to configure all remaining dot1p priorities in an ETS priority group.
6. Specify the dot1p priority-to-priority group mapping for each priority.
priority-pgid dot1p0_group_num dot1p1_group_num ... dot1p7_group_num
The priority group range is from 0 to 7. All priorities that map to the same queue must be in the same priority group. Leave a space between each priority group number.
● Traffic in priority groups is assigned to strict-queue or weighted round-robin (WRR) scheduling in an ETS configuration and is managed using the ETS bandwidth-assignment algorithm. Dell EMC Networking OS de-queues all frames of strict-priority traffic before servicing any other queues. A queue with strict-priority traffic can starve other queues in the same port.
● ETS-assigned bandwidth allocation and strict-priority scheduling apply only to data queues, not to control queues.
Hierarchical Scheduling in ETS Output Policies
ETS supports up to three levels of hierarchical scheduling. For example, you can apply ETS output policies with the following configurations:
Priority group 1  Assigns traffic to one priority queue with 20% of the link bandwidth and strict-priority scheduling.
Priority group 2  Assigns traffic to one priority queue with 30% of the link bandwidth.
● Configure Enhanced Transmission Selection
DCBx supports the following versions: CIN, CEE, and IEEE2.5.
Prerequisite: For DCBx, enable LLDP on all DCB devices.
DCBx Operation
DCBx performs the following operations:
● Discovers DCB configuration (such as PFC and ETS) in a peer device.
● Detects DCB mis-configuration in a peer device; that is, when DCB features are not compatibly configured on a peer device and the local switch.
Configuration source The port is configured to serve as a source of configuration information on the switch. Peer DCB configurations received on the port are propagated to other DCBx auto-configured ports. If the peer configuration is compatible with a port configuration, DCBx is enabled on the port. On a configuration-source port, the link with a DCBx peer is enabled when the port receives a DCB configuration that can be internally propagated to other auto-configured ports.
is not compatible, a warning message is logged and the DCBx frame error counter is incremented. Although DCBx is operationally disabled, the port keeps the peer link up and continues to exchange DCBx packets. If a compatible peer configuration is later received, DCBx is enabled on the port.
● If there is no configuration source, a port may elect itself as the configuration source.
DCBx Example The following figure shows how to use DCBx. The external 40GbE ports on the base module (ports 33 and 37) of two switches are used for uplinks configured as DCBx autoupstream ports. The device is connected to third-party, top-of-rack (ToR) switches through uplinks. The ToR switches are part of a Fibre Channel storage network. The internal ports (ports 1-32) connected to the 10GbE backplane are configured as auto-downstream ports. Figure 35.
3. Configure the DCBx version used on the interface, where auto configures the port to operate using the DCBx version received from a peer.
PROTOCOL LLDP mode
[no] DCBx version {auto | cee | cin | ieee-v2.5}
● cee: configures the port to use CEE (Intel 1.01).
● cin: configures the port to use Cisco-Intel-Nuova (DCBx 1.0).
● ieee-v2.5: configures the port to use IEEE 802.1Qaz (Draft 2.5).
The default is Auto.
4. Configure the DCBx port role the interface uses to exchange DCB information.
configure
2. Enter LLDP Configuration mode to enable DCBx operation.
CONFIGURATION mode
[no] protocol lldp
3. Configure the DCBx version used on all interfaces not already configured to exchange DCB information.
PROTOCOL LLDP mode
[no] DCBx version {auto | cee | cin | ieee-v2.5}
● auto: configures all ports to operate using the DCBx version received from a peer.
● cee: configures a port to use CEE (Intel 1.01).
● cin: configures a port to use Cisco-Intel-Nuova (DCBx 1.0).
● ieee-v2.
DCBx Error Messages
The following syslog messages appear when an error in DCBx operation occurs.
LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface.
LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface.
DSM_DCBx_PEER_VERSION_CONFLICT: A local port expected to receive the IEEE, CIN, or CEE version in a DCBx TLV from a remote peer but received a different, conflicting DCBx version.
Table 23. Displaying DCB Configurations (continued)
Command                                          Output
                                                 Displays the data center bridging status, number of PFC-enabled ports, and number of PFC-enabled queues.
show interface port-type pfc {summary | detail}  Displays the PFC configuration applied to ingress traffic on an interface, including priorities and link delay.
To clear PFC TLV counters, use the clear pfc counters interface port-type slot/port command.
Application Priority TLV Parameters :
--------------------------------------
FCOE TLV Tx Status is disabled
Local FCOE PriorityMap is 0x8
Remote FCOE PriorityMap is 0x8
DellEMC# show interfaces tengigabitethernet 1/1/1/4 pfc detail
Interface TenGigabitEthernet 1/1/1/4
Admin mode is on
Admin is enabled
Remote is enabled
Remote Willing Status is enabled
Local is enabled
Oper status is recommended
PFC DCBx Oper status is Up
State Machine Type is Feature
TLV Tx Status is enabled
PFC Link Delay 45556 pause quanta
Table 24. show interface pfc summary Command Description (continued)
Fields  Description
PFC Link Delay  Link delay (in quanta) used to pause specified priority traffic.
Application Priority TLV: FCOE TLV Tx Status  Status of FCoE advertisements in application priority TLVs from local DCBx port: enabled or disabled.
Application Priority TLV: ISCSI TLV Tx Status  Status of ISCSI advertisements in application priority TLVs from local DCBx port: enabled or disabled.
5  -  -
6  -  -
7  -  -
Remote Parameters :
-------------------
Remote is disabled
Local Parameters :
------------------
Local is enabled
PG-grp  Priority#     BW-%  BW-COMMITTED          BW-PEAK               TSA
                            Rate(Mbps) Burst(KB)  Rate(Mbps) Burst(KB)
----------------------------------------------------------------------------------
0       3             25                                                ETS
1       4             25                                                ETS
2       0,1,2,5,6,7   50                                                ETS
3
4
5
6
7
Oper status is init
ETS DCBX Oper status is Down Reason: Port Shutdown
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Stat
5          0%         ETS
6          0%         ETS
7          0%         ETS
Priority#  Bandwidth  TSA
0          13%        ETS
1          13%        ETS
2          13%        ETS
3          13%        ETS
4          12%        ETS
5          12%        ETS
6          12%        ETS
7          12%        ETS
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts
The following table describes the show interface ets detail command fields.
Table 25.
Table 25. show interface ets detail Command Description (continued)
Field  Description
ETS TLV Statistic: Error Conf TLV pkts  Number of ETS Error Configuration TLVs received.
The following example shows the show interface DCBx detail command (IEEE).
The following table describes the show interface DCBx detail command fields.
Table 26. show interface DCBx detail Command Description
Field  Description
Interface  Interface type with chassis slot and port number.
Port-Role  Configured DCBx port role: auto-upstream, auto-downstream, config-source, or manual.
DCBx Operational Status  Operational status (enabled or disabled) used to elect a configuration source and internally propagate a DCB configuration.
QoS dot1p Traffic Classification and Queue Assignment
The following section describes QoS dot1p traffic classification and assignments. DCB supports PFC, ETS, and DCBx to handle converged Ethernet traffic that is assigned to an egress queue according to the following QoS methods:
Honor dot1p  You can honor dot1p priorities in ingress traffic at the port or global switch level (refer to Default dot1p to Queue Mapping) using the service-class dynamic dot1p command in INTERFACE configuration mode.
DellEMC(conf)# dcb-policy buffer-threshold stack-unit all stack-ports all dcb-policy-name
7. Assign the DCB policy to the DCB buffer threshold profile on interfaces. This setting takes precedence over the default buffer-threshold setting.
INTERFACE mode
dcb-policy buffer-threshold dcb-buffer-threshold
8. Configure the global total buffer size on stack ports.
CONFIGURATION mode
dcb pfc-total-buffer-size buffer-size stack-unit all port-set {port-pipe | all}
The port-set number range is from 0 to 3.
QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
13 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network endstations (hosts) based on configuration policies determined by network administrators.
Option              Number  Description
Subnet Mask         1       Specifies the client’s subnet mask.
Router              3       Specifies the router IP addresses that may serve as the client’s default gateway.
Domain Name Server  6       Specifies the domain name servers (DNSs) that are available to the client.
Domain Name         15      Specifies the domain name that clients should use when resolving hostnames via DNS.
1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters.
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters. Multiple servers might respond to a single DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer.
● All platforms support Dynamic ARP Inspection on 16 VLANs per system. For more information, refer to Dynamic ARP Inspection. NOTE: If the DHCP server is on the top of rack (ToR) and the VLTi (ICL) is down due to a failed link, when a VLT node is rebooted in BMP (Bare Metal Provisioning) mode, it is not able to reach the DHCP server, resulting in BMP failure.
DHCP mode
show config
After an IP address is leased to a client, only that client may release the address. Dell EMC Networking OS performs an IP+MAC source address validation to ensure that no client can release another client's address. This validation is a default behavior and is separate from IP+MAC source address validation.
Configure a Method of Hostname Resolution
Dell systems are capable of providing DHCP clients with parameters for two methods of hostname resolution: DNS or NetBIOS WINS.
Using DNS for Address Resolution
A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses.
1. Create a domain.
DHCP domain-name name
2. Specify in order of preference the DNS servers that are available to a DHCP client.
Debugging the DHCP Server
To debug the DHCP server, use the following command.
● Display debug information for DHCP server.
EXEC Privilege mode
debug ip dhcp server [events | packets]
Using DHCP Clear Commands
To clear DHCP binding entries, address conflicts, and server counters, use the following commands.
● Clear DHCP binding entries for the entire binding table.
EXEC Privilege mode
clear ip dhcp binding
● Clear a DHCP binding entry for an individual IP address.
EXEC Privilege mode
Configuring the DHCP Client System This section describes how to configure and view an interface as a DHCP client to receive an IP address. Dell EMC Networking OS Behavior: The ip address dhcp command enables DHCP server-assigned dynamic addresses on an interface. The setting persists after a switch reboot. To stop DHCP transactions and save the dynamically acquired IP address, use the shutdown command on the interface.
● To display dynamic IP address lease information currently assigned to a DHCP client interface, use the show ip dhcp lease [interface type slot/port[/subport]] command.
● To display log messages for all DHCP packets sent and received on DHCP client interfaces, use the debug ip dhcp client packets [interface type slot/port[/subport]] command.
DHCP Snooping
A DHCP client can run on a switch simultaneously with the DHCP snooping feature as follows:
● If you enable DHCP snooping globally on a switch and you enable a DHCP client on an interface, the trust port, source MAC address, and snooping table validations are not performed on the interface by DHCP snooping for packets destined to the DHCP client daemon. The following criteria determine packets destined for the DHCP client:
○ DHCP is enabled on the interface.
!
ip vrf VRF_2
ip route-import 2:2
ip route-export 1:1
!
route-map rmap1 permit 10
match source-protocol connected
!
route-map map2 permit 20
match source-protocol connected
Route Leaking for Complete Routing Table
!
ip vrf VRF_1
ip route-import 1:1
ip route-export 2:2
!
ip vrf VRF_2
ip route-import 2:2
ip route-export 1:1
Route Leaking for Selective Routes
!
ip vrf VRF_1
ip route-import 1:1 map1
ip route-export 2:2 map2
!
ip vrf VRF_2
ip route-import 2:2
ip route-export 1:1
!
!
route-map map1 permit 10
m
INTERFACE mode
ipv6 helper-address [vrf vrf-name] ipv6-address
Configuring DHCP relay source interface
The following section explains how to configure global and interface-level DHCP relay source IPv4 or IPv6 configuration to forward all the DHCP packets from the DHCP client to the DHCP server through the configured source interface. This feature is applicable only to L3 interfaces with relay configuration and to L3 DHCP snooping enabled VLANs.
1. Configure an L3 interface with an IPv4 or IPv6 address. Following are the steps to configure an L3 interface (loopback) with IPv4 and IPv6 addresses in INTERFACE mode.
Dell(conf)# interface loopback 2
Dell(conf-if-lo-1)# ip vrf forwarding vrf1
Dell(conf-if-lo-1)# ip address 2.2.2.2/32
Dell(conf-if-lo-1)# ipv6 address 2::2/128
Dell(conf-if-lo-1)# no shutdown
Dell(conf)# interface loopback 3
Dell(conf-if-lo-1)# ip vrf forwarding vrf2
Dell(conf-if-lo-1)# ip address 3.3.3.
The received stacking configuration is always applied on the master stack unit.
option #230 "unit-number:3#priority:2#stack-group:14"
Configure Secure DHCP
DHCP as defined by RFC 2131 provides no authentication or security mechanisms. Secure DHCP is a suite of features that protects networks that use dynamic address allocation from spoofing and attacks.
ip dhcp relay information-option remote-id
DHCPv6 relay agent options
The DHCPv6 relay agent inserts Options 18 and 37 before forwarding DHCPv6 packets to the server. These DHCPv6 options are enabled by default and are not configurable.
Interface ID (Option 18)  Interface on which the client-originated message is received. The interface-ID is 12 bytes long and is constructed using three ifindexes: Logical, Received, and Physical. Each ifindex is 4 bytes long.
Remote ID (Option 37)
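To make the 12-byte Interface-ID layout concrete, the following encoder and length-checked parser for options 18 and 37 is an added example, not Dell EMC Networking OS code. The TLV layout follows RFC 8415 and the Remote-ID body (4-byte enterprise number plus an opaque identifier) follows RFC 4649; the ifindex values, enterprise number and remote-id string are constructed placeholders.

```python
"""Encode and parse the DHCPv6 relay-agent options described above: Interface-ID
(option 18, here the 12-byte layout of three 4-byte ifindexes: Logical,
Received, Physical) and Remote-ID (option 37).

Added example, not Dell EMC Networking OS code. The option TLV layout follows
RFC 8415 and the Remote-ID body (4-byte enterprise number plus an opaque
identifier) follows RFC 4649; the ifindex values, enterprise number and
remote-id string below are constructed placeholders.
"""
import struct

OPTION_INTERFACE_ID = 18
OPTION_REMOTE_ID = 37
INTERFACE_ID_LEN = 12  # three 4-byte ifindexes, as described on this page


def encode_interface_id(logical: int, received: int, physical: int) -> bytes:
    """Option 18 TLV: code(2) length(2) then the three ifindexes, big-endian."""
    body = struct.pack("!III", logical, received, physical)
    return struct.pack("!HH", OPTION_INTERFACE_ID, len(body)) + body


def encode_remote_id(enterprise: int, remote_id: bytes) -> bytes:
    """Option 37 TLV: code(2) length(2) enterprise-number(4) remote-id(n)."""
    body = struct.pack("!I", enterprise) + remote_id
    return struct.pack("!HH", OPTION_REMOTE_ID, len(body)) + body


def parse_relay_options(blob: bytes) -> dict:
    """Walk the option TLVs of a relay message and decode options 18 and 37.

    Length fields are checked against the buffer so a truncated or malformed
    option raises ValueError instead of being read past its end."""
    out, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", blob, off)
        off += 4
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"option {code} truncated ({len(data)} of {length} bytes)")
        off += length
        if code == OPTION_INTERFACE_ID:
            if length != INTERFACE_ID_LEN:
                raise ValueError(f"Interface-ID length {length}, expected {INTERFACE_ID_LEN}")
            logical, received, physical = struct.unpack("!III", data)
            out["interface_id"] = {"logical": logical, "received": received,
                                   "physical": physical}
        elif code == OPTION_REMOTE_ID:
            if length < 4:
                raise ValueError("Remote-ID shorter than its enterprise number")
            out["remote_id"] = {"enterprise": struct.unpack("!I", data[:4])[0],
                                "id": data[4:]}
        else:
            out.setdefault("other", {})[code] = data  # keep unknown options raw
    return out


def build_sample() -> bytes:
    """Constructed relay option block: placeholder ifindexes and remote-id."""
    return (encode_interface_id(logical=1001, received=2002, physical=3003)
            + encode_remote_id(enterprise=674, remote_id=b"relay-1"))


if __name__ == "__main__":
    print(parse_relay_options(build_sample()))
```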
NOTE: If you enable DHCP Option 82 using the ip dhcp relay command, by default, the remote-ID field contains the MAC address of the relay agent. If you configure the remote ID as the host name in a VLT setup, configure different host names on both VLT peers. If you configure the remote ID with your own string, ensure that your strings are different on both VLT peers. DHCP Snooping in a VLT Setup In a VLT setup, the DHCP snooping binding table synchronizes between the VLT nodes.
Adding a Static IPV6 DHCP Snooping Binding Table
To add a static entry in the snooping database, use the following command.
● Add a static entry in the snooping binding table.
EXEC Privilege mode
ipv6 dhcp snooping binding mac address vlan-id vlan-id ipv6 ipv6-address interface interface-type | interface-number lease value
Clearing the Binding Table
To clear the binding table, use the following command.
● Delete all of the entries in the binding table.
Invalid Binding Entry                 : 0
Binding Entry lease expired           : 0
List of Trust Ports                   :Te 1/4/1
List of DHCP Snooping Enabled Vlans   :Vl 10
List of DAI Trust ports               :Te 1/4/1
DellEMC#show ip dhcp snooping
IP DHCP Snooping                      : Enabled.
IP DHCP Snooping Mac Verification     : Disabled.
IP DHCP Relay Information-option      : Disabled.
IP DHCP Relay Trust Downstream        : Disabled.
10.1.1.101    00:00:a0:00:00:00  39736   S   Vl 200  Hu 1/4
10.1.1.254    00:00:a0:00:00:00  162     D   Vl 200  Hu 1/4
The following example shows a sample output of the show ip dhcp snooping binding command for a device connected to the peer VLT node, but not to itself. The Po 10 interface is the VLTi link between the VLT peers.
To view the number of entries in the table, use the show ip dhcp snooping binding command. This output displays the snooping binding table created using the ACK packets from the trusted port.
DellEMC#show ip dhcp snooping binding
Codes : S - Static D - Dynamic
IP Address    MAC Address        Expires(Sec)  Type  VLAN   Interface
================================================================
10.1.1.251    00:00:4d:57:f2:50  172800        D     Vl 10  Te 1/2/1
10.1.1.252    00:00:4d:57:e6:f6  172800        D     Vl 10  Te 1/1/1
10.1.1.
Internet  10.1.1.252  -  00:00:4d:57:e6:f6  Te 1/1/1  Vl 10  CP
Internet  10.1.1.253  -  00:00:4d:57:f8:e8  Te 1/3/1  Vl 10  CP
Internet  10.1.1.254  -  00:00:4d:69:e8:f2  Te 1/5/1  Vl 10  CP
DellEMC#
To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics command.
Source Address Validation
Using the DHCP binding table, Dell EMC Networking OS can perform three types of source address validation (SAV).
Table 29. Three Types of Source Address Validation
IP Source Address Validation: Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
Enabling IP+MAC Source Address Validation
IP source address validation (SAV) validates the IP source address of an incoming packet and optionally the VLAN ID of the client against the DHCP snooping binding table. IP+MAC SAV ensures that the IP source address and MAC source address are a legitimate pair, rather than validating each attribute individually. You cannot configure IP+MAC SAV with IP SAV.
1. Allocate at least one FP block to the ipmacacl CAM region.
CONFIGURATION mode
cam-acl l2acl 2.
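As an added illustration, not taken from the Dell guide, the following Python models the SAV checks described above against a binding table parsed from the show ip dhcp snooping binding layout shown earlier. The sample output, its addresses and the helper names are constructed, and the naive per-field check is included only to contrast with the legitimate-pair check that IP+MAC SAV performs.

```python
"""Added example, not from the Dell guide: parse constructed
'show ip dhcp snooping binding' output and apply IP SAV and IP+MAC SAV."""
import re
from dataclasses import dataclass

# Constructed sample output in the layout the guide shows (values are made up).
SHOW_BINDING = """\
Codes : S - Static D - Dynamic
IP Address    MAC Address        Expires(Sec)  Type  VLAN    Interface
================================================================
10.1.1.251    00:00:4d:57:f2:50  172800        D     Vl 10   Te 1/2/1
10.1.1.252    00:00:4d:57:e6:f6  172800        D     Vl 10   Te 1/1/1
10.1.1.101    00:00:a0:00:00:00  39736         S     Vl 200  Hu 1/4
"""


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    static: bool


# One table row: IP, MAC, expiry, S/D, "Vl <id>", "<type> <slot/port>".
ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F:]{17})\s+(\d+)\s+([SD])\s+Vl\s+(\d+)\s+(\S+\s\S+)$"
)


def parse_binding_table(text):
    """Return {ip: Binding}; the legend, header and rule lines do not match ROW."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip, mac, _expires, typ, vlan, intf = m.groups()
            table[ip] = Binding(ip, mac.lower(), int(vlan), intf, typ == "S")
    return table


def ip_sav(table, src_ip, vlan=None):
    """IP SAV: forward only if the source IP has a binding; when a client VLAN
    is supplied it must match the binding's VLAN as well."""
    b = table.get(src_ip)
    if b is None:
        return False
    return vlan is None or b.vlan == vlan


def fields_checked_individually(table, src_ip, src_mac):
    """Naive check shown only for contrast: IP is known AND MAC is known,
    but not necessarily from the same binding. This is what IP+MAC SAV avoids."""
    known_macs = {b.mac for b in table.values()}
    return src_ip in table and src_mac.lower() in known_macs


def ip_mac_sav(table, src_ip, src_mac, vlan=None):
    """IP+MAC SAV: the (IP, MAC) source pair must come from a single binding."""
    b = table.get(src_ip)
    if b is None or b.mac != src_mac.lower():
        return False
    return vlan is None or b.vlan == vlan


if __name__ == "__main__":
    t = parse_binding_table(SHOW_BINDING)
    # The bound IP of .251 paired with the bound MAC of .252: each field is
    # known individually, but the pair is not legitimate, so IP+MAC SAV drops it.
    print(fields_checked_individually(t, "10.1.1.251", "00:00:4d:57:e6:f6"))  # True
    print(ip_mac_sav(t, "10.1.1.251", "00:00:4d:57:e6:f6"))                   # False
```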
Clearing the Number of SAV Dropped Packets
To clear the number of SAV dropped packets, use the clear ip dhcp snooping source-address-validation discard-counters command.
DellEMC>clear ip dhcp snooping source-address-validation discard-counters
To clear the number of SAV dropped packets on a particular interface, use the clear ip dhcp snooping source-address-validation discard-counters interface interface command.
14 Equal Cost Multi-Path (ECMP)
This chapter describes configuring ECMP.
Topics:
• ECMP for Flow-Based Affinity
• Link Bundle Monitoring
ECMP for Flow-Based Affinity
ECMP for flow-based affinity includes link bundle monitoring.
Configuring the Hash Algorithm Seed
Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order.
NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indexes are generated in even numbers (0, 2, 4, 6... 1022) and are for information only. For link bundle monitoring with ECMP, to enable the link bundle monitoring feature, use the ecmp-group command.
Modifying the ECMP Group Threshold
You can customize the threshold percentage for monitoring ECMP group bundles. To customize the ECMP group bundle threshold and to view the changes, use the following commands.
● Modify the threshold for monitoring ECMP group bundles.
CONFIGURATION mode
link-bundle-distribution trigger-threshold {percent}
The range is from 1 to 90%. The default is 60%.
● Display details for an ECMP group bundle.
The output of the show ipv6 cam command has been enhanced to include the ECMP field in the Neighbor table of the IPv6 CAM. The sample output, which is similar to the prefix table, is displayed as follows.
ipv6-selection  Set the IPV6 key fields to use in hash computation(default = source-ipv6 dest-ipv6 vlan protocol L4-source-port L4-dest-port)
mac             Set the mac key fields to use in hash computation(default = source-mac dest-mac vlan ethertype)
tcp-udp         Option to use TCP/UDP ports in packet for ECMP/LAG hashing
tunnel          Set the tunnel key fields to use in hash computation(default = Hash-computation based on Inner Header)]
● The second portion comes from static physical configuration such as ingress and egress port
Figure 39. Before Polarization Effect
Router B performs the same hash as router A, so all the traffic goes through the same path to router D, while no traffic is redirected to router E. Some of the anti-polarization techniques generally used to mitigate unequal traffic distribution in LAG/ECMP are as follows:
1. Configuring different hash-seed values at each node - The hash seed is the primary parameter in hash computations that determines the distribution of traffic among the ECMP paths.
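The following Python simulation is an added illustration of the polarization effect and of the per-node hash-seed mitigation in point 1; it is not from the guide. It assumes a seeded CRC32 over the flow 5-tuple as a stand-in for the switch hash (the ASIC's actual algorithm is not reproduced), and the flows, seeds and function names are constructed.

```python
"""Added example, not from the Dell guide: two-stage ECMP with the same or
different hash seeds, showing why identical hashing at router A and router B
sends everything B receives down a single path."""
import zlib
from collections import Counter


def flow_hash(flow, seed):
    """Seeded hash of a (src_ip, dst_ip, proto, sport, dport) tuple.
    zlib.crc32 over seed-prefixed fields is a stand-in for the hardware hash."""
    key = "|".join(str(f) for f in (seed,) + tuple(flow)).encode()
    return zlib.crc32(key)


def ecmp_select(flow, seed, n_paths):
    """Next-hop index a node picks: hash modulo its number of equal-cost paths."""
    return flow_hash(flow, seed) % n_paths


def make_flows(count):
    """Constructed flows: many clients to one server, differing by source port."""
    return [("10.0.0.%d" % (i % 250 + 1), "192.0.2.10", 6, 40000 + i, 443)
            for i in range(count)]


def downstream_distribution(seed_a, seed_b, flows, n_paths=2):
    """Router A splits flows over n_paths next hops. Router B sits on A's path 0
    and splits what it receives over its own n_paths. Return B's path counts."""
    reaching_b = [f for f in flows if ecmp_select(f, seed_a, n_paths) == 0]
    return Counter(ecmp_select(f, seed_b, n_paths) for f in reaching_b)


def is_polarized(distribution):
    """True when every flow B received left on a single path (one of B's links idle)."""
    return len(distribution) == 1


if __name__ == "__main__":
    flows = make_flows(2000)
    # Same seed at A and B: B's hash of each arriving flow is identical to A's,
    # so every flow selects path 0 again and B's other path carries nothing.
    print(downstream_distribution(1, 1, flows))
    # Different seed at B: the arriving flows are re-spread over both paths.
    print(downstream_distribution(1, 2, flows))
```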
bits of xor4 xor8 bits of xor8 xor16 CRC16_BISYNC_AND_XOR8 - Upper 8 bits of CRC16-BISYNC and lower 8 CR16 - 16 bit XOR]
Example to view show hash-algorithm:
DellEMC(conf)#hash-algorithm ecmp flow-based-hashing crc16
DellEMC(conf)#end
DellEMC#show hash-algorithm
Hash-Algorithm
linecard 0 Port-Set 0 Seed 185270328 Hg-Seed 185282673
EcmpFlowBasedHashingAlgo- crc16 EcmpAlgo- crc32MSB LagAlgo- crc32LSB HgAlgo- crc16
Figure 40.
15 FIP Snooping
The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.
NOTE: FIP snooping is not supported on Fibre Channel interfaces or in a switch stack.
Table 30. FIP Functions
FIP VLAN discovery: FCoE devices (ENodes) discover the FCoE VLANs on which to transmit and receive FIP and FCoE traffic.
FIP discovery: FCoE end-devices and FCFs are automatically discovered.
Initialization: FCoE devices learn ENodes from the FLOGI and FDISC to allow immediate login and create a virtual link with an FCoE switch.
Maintenance: A valid virtual link between an FCoE device and an FCoE switch is maintained and the LOGO functions properly.
Port-based ACLs: These ACLs are applied on all three port modes: on ports directly connected to an FCF, server-facing ENode ports, and bridge-to-bridge links. Port-based ACLs take precedence over global ACLs.
FCoE-generated ACLs: These take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames.
The following illustration shows a switch used as a FIP snooping bridge in a converged Ethernet network.
● Process FIP VLAN discovery requests and responses, advertisements, solicitations, FLOGI/FDISC requests and responses, FLOGO requests and responses, keep-alive packets, and clear virtual-link messages.
Using FIP Snooping
There are four steps to configure FCoE transit.
1. Enable the FCoE transit feature on a switch.
2. Enable FIP snooping globally on all Virtual Local Area Networks (VLANs) or individual VLANs on a FIP snooping bridge.
NOTE: Manually add the CAM-ACL space to the FCoE region, as it is not applied by default. To support FIP snooping and set the CAM-ACL, use the cam-acl l2acl 2 ipv4acl 0 ipv6acl 0 ipv4qos 2 l2qos 0 l2pt 0 ipmacacl 0 vman-qos 0 fcoeacl 2 etsacl 1 iscsi 2 command.
Enable FIP Snooping on VLANs
You can enable FIP snooping globally on a switch on all VLANs or on a specified VLAN. When you enable FIP snooping on VLANs:
● FIP frames are allowed to pass through the switch on the enabled VLANs and are processed to generate FIP snooping ACLs.
● FCoE traffic is allowed on VLANs only after a successful virtual-link initialization (fabric login FLOGI) between an ENode and an FCF. All other FCoE traffic is dropped.
Table 31. Impact of Enabling FIP Snooping (continued)
MTU auto-configuration: MTU size is set to mini-jumbo (2500 bytes) when a port is in Switchport mode, the FIP snooping feature is enabled on the switch, and FIP snooping is enabled on all or individual VLANs.
Link aggregation group (LAG): FIP snooping is supported on port channels on ports on which PFC mode is on (PFC is operationally up).
Table 32. Displaying FIP Snooping Information (continued)
MAC address and FCoE session ID number (FC-ID), worldwide node name (WWNN) and the worldwide port name (WWPN).
show fip-snooping config: Displays the FIP snooping status and configured FC-MAP values.
show fip-snooping enode [enode-mac-address]: Displays information on the ENodes in FIP-snooped sessions, including the ENode interface and MAC address, FCF MAC address, VLAN ID and FC-ID.
Table 33. show fip-snooping sessions Command Description (continued)
VLAN: VLAN ID number used by the session.
FCoE MAC: MAC address of the FCoE session assigned by the FCF.
FC-ID: Fibre Channel ID assigned by the FCF.
Port WWPN: Worldwide port name of the CNA port.
Port WWNN: Worldwide node name of the CNA port.
The following example shows the show fip-snooping config command.
Table 35. show fip-snooping fcf Command Description (continued)
FKA_ADV_PERIOD: Period of time (in milliseconds) during which FIP keep-alive advertisements are transmitted.
No of ENodes: Number of ENodes connected to the FCF.
FC-ID: Fibre Channel session ID assigned by the FCF.
The following example shows the show fip-snooping statistics interface vlan command (VLAN and port).
Number of Multicast Discovery Advertisement         :4451
Number of Unicast Discovery Advertisement           :2
Number of FLOGI Accepts                             :2
Number of FLOGI Rejects                             :0
Number of FDISC Accepts                             :16
Number of FDISC Rejects                             :0
Number of FLOGO Accepts                             :0
Number of FLOGO Rejects                             :0
Number of CVL                                       :0
Number of FCF Discovery Timeouts                    :0
Number of VN Port Session Timeouts                  :0
Number of Session failures due to Hardware Config   :0
The following table describes the show fip-snooping statistics command fields.
Table 36.
Table 36. show fip-snooping statistics Command Descriptions (continued)
Number of VN Port Session Timeouts: Number of VN port session timeouts that occurred on the interface.
Number of Session failures due to Hardware Config: Number of session failures due to hardware configuration that occurred on the interface.
The following example shows the show fip-snooping system command.
● A server-facing port is configured for DCBx in an auto-downstream role.
● An FCF-facing port is configured for DCBx in an auto-upstream or configuration-source role.
The DCBx configuration on the FCF-facing port is detected by the server-facing port and the DCB PFC configuration on both ports is synchronized. For more information about how to configure DCBx and PFC on a port, refer to the Data Center Bridging (DCB) chapter.
16 Flex Hash and Optimized Boot-Up
This chapter describes the Flex Hash and fast-boot enhancements.
Topics:
• Flex Hash Capability Overview
• Configuring the Flex Hash Mechanism
• Configuring Fast Boot and LACP Fast Switchover
• Optimizing the Boot Time
• Interoperation of Applications with Fast Boot and System States
• RDMA Over Converged Ethernet (RoCE) Overview
• Preserving 802.
Flex hash APIs do not mask out unwanted byte values after extraction of the data from the Layer 4 headers for the offset value.
2. Use the load-balance flexhash command to specify whether IPv4 or IPv6 packets must be subjected to the flex hash functionality, a unique protocol number, the offset of hash fields from the start of the L4 header to be used for hash calculation, and a meaningful description to associate the protocol number with the name.
unexpected shutdown) from an older release of Dell EMC Networking OS to Release 9.3(0.0) or later. Dell EMC recommends that you do not downgrade your system from Release 9.3(0.0) to an earlier release that does not support the fast boot functionality because the system behavior is unexpected and undefined.
● Fast boot uses the Symmetric Multiprocessing (SMP) utility that is enabled on the Intel CPU on the device to enhance the speed of the system startup. SMP is supported on the device.
A file is generated to indicate that the system is undergoing a fast boot, which is used after the system comes up. After the Dell EMC Networking OS image is loaded and activated, and the appropriate software components come up, the following additional actions are performed:
● If a database of dynamic ARP entries is present on the flash drive, that information is read and the ARP entries are restored; the entries are installed on the switch as soon as possible.
Unexpected Reload of the System When an unexpected or unplanned reload occurs, such as a reset caused by the software, the system performs the regular boot sequence even if it is configured for fast boot. When the system comes up, dynamic ARP or ND database entries are not present or required to be restored. The system boot up mode will not be fast boot and actions specific to this mode will not be performed.
RDMA Over Converged Ethernet (RoCE) Overview This functionality is supported on the platform. RDMA is a technology that a virtual machine (VM) uses to directly transfer information to the memory of another VM, thus enabling VMs to be connected to storage networks. With RoCE, RDMA enables data to be forwarded without passing through the CPU and the main memory path of TCP/IP.
except the Layer 2 and Layer 3 control frames. It is not required for a VLAN ID to be preserved (in the hardware or the OS application) when a VLAN ID, used for encapsulation, is associated with a physical/Port-channel interface. Normal VLANs and VLAN encapsulation can exist simultaneously and any non-unicast traffic received on a normal VLAN is not flooded using lite subinterfaces whose encapsulation VLAN ID matches with that of the normal VLAN ID.
17 Force10 Resilient Ring Protocol (FRRP) FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status
The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure.
Ring Checking
At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
Figure 44. Example of Multiple Rings Connected by Single Switch
Important FRRP Points
FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring.
● The Master node transmits ring status check frames at specified intervals.
● You can run multiple physical rings on the same switch.
Important FRRP Concepts
The following table lists some important FRRP concepts.
Ring ID: Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202, as shown in the illustration in Member VLAN Spanning Two Rings Connected by One Switch).
Control VLAN: Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose.
● The control VLAN cannot have members that are not ring ports.
● If multiple rings share one or more member VLANs, they cannot share any links between them.
● Member VLANs across multiple rings are not supported in Master nodes.
● Each ring has only one Master node; all others are transit nodes.
FRRP Configuration
These are the tasks to configure FRRP.
Interface:
● For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the stack/slot/port/subport information.
● For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the stack/slot/port/subport information.
● For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the stack/slot/port[/subport] information.
● For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the stack/slot/port/subport information.
Ring ID: the range is from 1 to 255.
● Clear the counters associated with all FRRP groups.
EXEC PRIVILEGE mode
clear frrp
Viewing the FRRP Configuration
To view the configuration for the FRRP group, use the following command.
● Show the configuration for this FRRP group.
CONFIG-FRRP mode
show configuration
Viewing the FRRP Information
To view general FRRP information, use one of the following commands.
● Show the information for the identified FRRP group.
EXEC or EXEC PRIVILEGE mode
no ip address
switchport
no shutdown
!
interface Vlan 101
no ip address
tagged TenGigabitEthernet 1/1/1/1,1/1/1/2
no shutdown
!
interface Vlan 201
no ip address
tagged TenGigabitEthernet 1/1/1/1, 1/1/1/2
no shutdown
!
protocol frrp 101
interface primary TenGigabitEthernet 1/1/1/1 secondary TenGigabitEthernet 1/1/1/2 control-vlan 101
member-vlan 201
mode master
no disable
Example of R2 TRANSIT
interface TenGigabitEthernet 1/1/2/1
no ip address
switchport
no shutdown
!
interface TenGigabitEthernet 1/1/2/2
no
!
protocol frrp 101
interface primary TenGigabitEthernet 1/1/2/1 secondary TenGigabitEthernet 1/1/4/1 control-vlan 101
member-vlan 201
mode transit
no disable
FRRP Support on VLT
Using FRRP rings, you can interconnect VLT domains across data centers. These FRRP rings make use of Layer 2 VLANs that span across data centers and provide resiliency by detecting node-level or link-level failures.
of the nodes and the FRRP ring itself. In addition to the control VLAN, multiple member VLANs are configured (for example, M1 through M10) that carry the data traffic across the FRRP rings. The secondary port P1 is tagged to the control VLAN (V1). VLTi is implicitly tagged to the member VLANs when these VLANs are configured in the VLT peer. As a result of the VLT Node1 configuration, the FRRP ring R1 becomes active by blocking the secondary interface P1 for the member VLANs (M1 to M10).
18 GARP VLAN Registration Protocol (GVRP) The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other.
Configure GVRP
To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports.
Figure 47. Global GVRP Configuration Example
Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2.
gvrp enable
DellEMC(conf)#protocol gvrp
DellEMC(config-gvrp)#no disable
DellEMC(config-gvrp)#show config
!
protocol gvrp
  no disable
DellEMC(config-gvrp)#
To inspect the global configuration, use the show gvrp brief command.
Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
● Enable GVRP on a Layer 2 interface.
no shutdown
DellEMC(conf-if-te-1/1/1/1)#
Configure a GARP Timer
Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings.
● Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The Dell EMC Networking OS default is 200ms.
19 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 48. IGMP Messages in IP Packets
Join a Multicast Group
There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier.
Responding to an IGMP Query
The following describes how a host can join a multicast group.
1. One router on a subnet is elected as the querier. The querier periodically multicasts (to the all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
2.
IGMP Version 3
Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences.
● Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers.
● To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Joining and Filtering Groups and Sources
The following illustration shows how multicast routers maintain the group and source information from unsolicited reports.
1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2. The host's second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1. Include messages prevent traffic from all other sources in the group from reaching the subnet.
Leaving and Staying in Groups
The following illustration shows how multicast routers track and refresh state changes in response to group-and-source-specific and general queries.
1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the include filters for 10.11.1.1 and 10.11.1.2 are no longer necessary.
2.
● Adjusting Timers
● Preventing a Host from Joining a Group
● Enabling IGMP Immediate-Leave
● IGMP Snooping
● Fast Convergence after MSTP Topology Changes
● Designating a Multicast Router Interface
Viewing IGMP Enabled Interfaces
Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command.
● View IGMP-enabled IPv4 interfaces.
EXEC Privilege mode
show ip igmp interface
● View IGMP-enabled IPv6 interfaces.
ip igmp version
DellEMC(conf-if-te-1/13/1)#ip igmp version 3
DellEMC(conf-if-te-1/13/1)#do show ip igmp interface
GigabitEthernet 1/13/1 is up, line protocol is down
  Inbound IGMP access group is not set
  Interface IGMP group join rate limit is not set
  Internet address is 1.1.1.
The maximum response time is the amount of time that the querier waits for a response to a query before taking further action. The querier advertises this value in the query (refer to the illustration in IGMP Version 2). Lowering this value decreases leave latency but increases response burstiness because all host membership reports must be sent before the maximum response time expires. Inversely, increasing this value decreases burstiness at the expense of leave latency.
If you enable IGMP snooping on a VLT unit, the IGMP snooping groups and multicast router ports that are learned dynamically are also learned on the peer, by explicitly tunneling the received IGMP control packets to it.
IGMP Snooping Implementation Information
● IGMP snooping on Dell EMC Networking OS uses IP multicast addresses, not MAC addresses.
shutdown
DellEMC(conf-if-vl-100)#
Disabling Multicast Flooding
If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. When you configure the no ip igmp snooping flood command, the system drops the packets immediately. The system does not forward the frames on mrouter ports, even if they are present.
Fast Convergence after MSTP Topology Changes When a port transitions to the Forwarding state as a result of an STP or MSTP topology change, Dell EMC Networking OS sends a general query out of all ports except the multicast router ports. The host sends a response to the general query and the forwarding database is updated without having to wait for the query interval to expire.
Table 37.
panel port IP on the peer box is initiated via management port only, if the management port is UP and management route is available.
● TFTP is an exception to the preceding logic.
● For TFTP, data transfer is initiated on port 69, but the data transfer ports are chosen independently by the sender and receiver during initialization of the connection. The ports are chosen at random according to the parameters of the networking stack, typically from the range of temporary ports.
● If the route lookup in the EIS routing table succeeds, the application-specific packet count is incremented.
Handling of Transit Traffic (Traffic Separation)
This is forwarded traffic where the destination IP is not an IP address configured in the switch.
● Packets received on the management port with a destination on the front-end port are dropped.
● Packets received on the front-end port with a destination on the management port are dropped.
● A separate drop counter is incremented for this case. This counter is viewed using the netstat command, like all other IP layer counters.
This phenomenon occurs where traffic originates from the switch.
1. Management Applications (applications that are configured as management applications): The management port is the egress port for management applications. If the management port is down or the destination is not reachable through the management port (next hop ARP is not resolved, and so on), and if the destination is reachable through a data port, then the management application traffic is sent out through the front-end data port.
EIS Behavior: If the source TCP or UDP port matches an EIS management or a non-EIS management application and the source IP address is the management port IP address, the management port is the preferred egress port, selected based on a route lookup in the EIS table. If the management port is down or the route lookup fails, packets are dropped. If the source TCP/UDP port or source IP address does not match the management port IP address, a route lookup is done in the default routing table.
Designating a Multicast Router Interface
To designate an interface as a multicast router interface, use the following command. Dell EMC Networking OS can also listen in on the incoming IGMP general queries and designate those interfaces as the multicast router interface when the frames have a non-zero IP source address. All IGMP control packets and IP multicast data traffic originating from receivers are forwarded to multicast router interfaces.
20 Interfaces
This chapter describes interface types, both physical and logical, and how to configure them with Dell EMC Networking Operating System (OS). The system supports 10-Gigabit, 25-Gigabit, 40-Gigabit, 50-Gigabit, and 100-Gigabit QSFP28 interfaces.
NOTE: Only Dell-qualified optics are supported on these interfaces. Non-Dell optics for 40-Gigabit, 25-Gigabit, 50-Gigabit, and 100-Gigabit are set to the error-disabled state.
• Monitoring and Maintaining Interfaces
• Split 40G Ports on a 16X40G QSFP+ Module
• Splitting 100G Ports
• Link Dampening
• Link Bundle Monitoring
• Using Ethernet Pause Frames for Flow Control
• Configure the MTU Size on an Interface
• Port-Pipes
• CR4 Auto-Negotiation
• FEC Configuration
• Setting the Speed of Ethernet Interfaces
• Syslog Warning Upon Connecting SFP28 Optics with QSA
• Adjusting the Keepalive Timer
• View Advanced Interface Information
• Configuring the Traffic Sampling Size Globa
NOTE: The CLI output may be incorrectly displayed as 0 (zero) for the Rx/Tx power values. To obtain the correct power information, perform a simple network management protocol (SNMP) query. The following example shows the configuration and status information for one interface.
To determine which physical interfaces are available, use the show running-config command in EXEC mode. This command displays all physical interfaces available on the system.
Enabling a Physical Interface
After determining the type of physical interfaces available, to enable and configure the interfaces, enter INTERFACE mode by using the interface interface command.
1. Enter the keyword interface then the type of interface and slot/port[/subport] information.
CONFIGURATION mode
interface interface
● For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the stack/slot/port/subport information.
Table 42. Layer Modes
Type of Interface | Possible Modes | Requires Creation | Default State
10 Gigabit Ethernet, 25-Gigabit Ethernet, 40-Gigabit Ethernet, 50-Gigabit Ethernet, and 100-Gigabit Ethernet | Layer 2 | No | Shutdown (disabled)
Management | N/A | No | Shutdown (disabled)
Loopback | Layer 3 | Yes | No shutdown (enabled)
Null interface | N/A | No | Enabled
Port Channel | Layer 2 | Yes | Shutdown (disabled)
Yes, except for the default VLAN.
Configuring Layer 3 (Network) Mode When you assign an IP address to a physical interface, you place it in Layer 3 mode. To enable Layer 3 mode on an individual interface, use the following commands. In all interface types except VLANs, the shutdown command prevents all traffic from passing through the interface. In VLANs, the shutdown command prevents Layer 3 traffic from passing through the interface. Layer 2 traffic is unaffected by the shutdown command.
  Poison Reverse is disabled
  ICMP redirects are not sent
  ICMP unreachables are not sent
  IP unicast RPF check is not supported
Automatic recovery of an Err-disabled interface
The Dell EMC Networking OS attempts to recover the interface from the Err-disabled state automatically based on the cause of the error.
Whenever the Err-disable recovery timer is reconfigured, the new value takes effect only after the current timer expires. The following message is displayed after each Err-disable recovery timer configuration:
DellEMC(conf)# errdisable recovery interval 30
New timer interval will be effective from the next timer instance only.
The following are sample steps to configure the recovery cause and the timer interval for automatic recovery of an interface.
Management Interfaces The system supports the Management Ethernet interface as well as the standard interface on any port. You can use either method to connect to the system. Configuring Management Interfaces The dedicated Management interface provides management access to the system. You can configure this interface using the CLI, but the configuration options on this interface are limited.
If there are two RPMs on the system, configure each Management interface with a different IP address. Unless you configure the management route command, you can only access the Management interface from the local LAN. To access the Management interface from another LAN, configure the management route command to point to the Management interface. Alternatively, you can use the virtual-ip command to manage a system with one or two RPMs.
Destination        Gateway                        Dist/Metric  Last Change
-----------        -------                        -----------  -----------
*S 0.0.0.0/0       via 10.11.131.254, Te 1/1/1/1  1/0          1d2h
C  10.11.130.0/23  Direct, Te 1/1/1/1             0/0          1d2h
DellEMC#

S6100 — OIR

This section deals with information on the S6100–OIR (Online Insertion and Removal) feature.

Online Insertion and Removal of Modules

There are 3 scenarios you may come across with regard to Online Insertion and Removal of Modules: 1.
○ secondary: the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses.

interface Vlan 10
 ip address 1.1.1.2/24
 tagged TenGigabitEthernet 1/1/2/1-1/1/4/4
 tagged TenGigabitEthernet 5/1/1
 ip ospf authentication-key force10
 ip ospf cost 1
 ip ospf dead-interval 60
 ip ospf hello-interval 15
 no shutdown
!

Loopback Interfaces

A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally.
Use the port-delay-restore command and specify a value between 1 second and 300 seconds.

DellEMC(conf)#port-delay-restore 300

Use the no port-delay-restore command to disable the feature.

DellEMC(conf)#no port-delay-restore

To turn this feature off for an individual interface, enter INTERFACE mode and use the no port-delay-restore command.
Member ports of a LAG are added and programmed into the hardware in a predictable order based on the port ID, instead of in the order in which the ports come up. With this implementation, load balancing yields predictable results across device reloads. A physical interface can belong to only one port channel at a time. Each port channel must contain interfaces of the same interface type/speed. Port channels can contain a mix of 1G/10G/25G/40G/50G/100G.
You can configure a port channel as you would a physical interface by enabling or configuring protocols or assigning access control lists. Adding a Physical Interface to a Port Channel The physical interfaces in a port channel can be on any line card in the chassis, but must be the same physical type.
     1212627 packets input, 1539872850 bytes
     Input 1212448 IP Packets, 0 Vlans 0 MPLS
     4857 64-byte pkts, 17570 over 64-byte pkts, 35209 over 127-byte pkts
     69164 over 255-byte pkts, 143346 over 511-byte pkts, 942523 over 1023-byte pkts
     Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
     42 CRC, 0 IP Checksum, 0 overrun, 0 discarded
     2456590833 packets output, 203958235255 bytes, 0 underruns
     Output 1640 Multicasts, 56612 Broadcasts, 2456532581 Unicasts
     2456590654 IP Packets, 0 Vlans, 0 MPLS
     0 throttles,
DellEMC(conf-if-po-4)#int port 3
DellEMC(conf-if-po-3)#channel tengi 1/1/8/1
DellEMC(conf-if-po-3)#sho conf
!
interface Port-channel 3
 no ip address
 channel-member TenGigabitEthernet 1/1/8/1
 shutdown
DellEMC(conf-if-po-3)#

Configuring the Minimum Oper Up Links in a Port Channel

You can configure the minimum links in a port channel (LAG) that must be in “oper up” status to consider the port channel to be in “oper up” status. To set the “oper up” status of your links, use the following command.
Configuring VLAN Tags for Member Interfaces

To configure and verify VLAN tags for individual members of a port channel, perform the following:
1. Configure VLAN membership on individual ports.
   INTERFACE mode
   DellEMC(conf-if)#vlan tagged 2,3-4
2. Use the switchport command in INTERFACE mode to enable Layer 2 data transmissions through an individual interface.
   INTERFACE mode
   DellEMC(conf-if)#switchport
3. Verify the manually configured VLAN membership (show interfaces switchport interface command).
Load Balancing Through Port Channels Dell EMC Networking OS uses hash algorithms for distributing traffic evenly over channel members in a port channel (LAG). The hash algorithm distributes traffic among Equal Cost Multi-path (ECMP) paths and LAG members. The distribution is based on a flow, except for packet-based hashing. A flow is identified by the hash and is assigned to one link. In packet-based hashing, a single flow can be distributed on the LAG and uses one link.
The hash seed is used to compute the hash value. By default, the hash seed is the 32-bit chassis MAC value. You can change the hash seed with the following command.
CONFIGURATION mode
hash-algorithm seed {seed value}
● Change to another algorithm.
CONFIGURATION mode
hash-algorithm [ecmp{crc16|crc16cc|crc32LSB|crc32MSB|crc-upper|dest-ip|lsb|xor1|xor2|xor4|xor8|xor16}]

DellEMC(conf)#hash-algorithm ecmp xor 26 lag crc 26 nh-ecmp checksum 26
DellEMC(conf)#

The hash-algorithm command is specific to the ECMP group.
using the mac-address-table static multicast-mac-address vlan vlan-id output-range interface command.

Bulk Configuration Examples

Use the interface range command for bulk configuration.
● Create a Single-Range
● Create a Multiple-Range
● Exclude Duplicate Entries
● Exclude a Smaller Port Range
● Overlap Port Ranges
● Commas
● Add Ranges

Create a Single-Range

The following is an example of a single range.
Exclude a Smaller Port Range

The following example shows how the smaller of two port ranges is omitted in the interface-range prompt.
Define the Interface Range

The following example shows how to define an interface-range macro named “test” to select Ten Gigabit Ethernet interfaces 5/1 through 5/4.

Example of the define interface-range Command for Macros

DellEMC(config)# define interface-range test tengigabitethernet 1/1/1/1 - 1/1/4/1

Choosing an Interface-Range Macro

To use an interface-range macro, use the following command.
● Selects the interface range to be configured using the values saved in a named interface-range macro.
Traffic statistics:        Current    Rate
  Input bytes:             0          0 Bps
  Output bytes:            0          0 Bps
  Input packets:           0          0 pps
  Output packets:          0          0 pps
  64B packets:             0          0 pps
  Over 64B packets:        0          0 pps
  Over 127B packets:       0          0 pps
  Over 255B packets:       0          0 pps
  Over 511B packets:       0          0 pps
  Over 1023B packets:      0          0 pps
Error statistics:
  Input underruns:         0
  Input giants:            0
  Input throttles:         0
  Input CRC:               0
  Input IP checksum:       0
  Input overrun:           0
  Output underruns:        0
  Output throttles:        0
m - Change mode
l - Page up
T - Increase refresh interval
q - Quit
1  3/1/2  QSFP  40GBASE-SR4  4829455N01XP  Yes
1  3/1/3  QSFP  40GBASE-SR4  4829455N01XP  Yes
1  3/1/4  QSFP  40GBASE-SR4  4829455N01XP  Yes

The physical port is also missing from the show ip interface brief command output:

DellEMC# show ip interface brief
TenGigabitEthernet 1/3/1/1  unassigned
TenGigabitEthernet 1/3/1/2  unassigned
TenGigabitEthernet 1/3/1/3  unassigned
TenGigabitEthernet 1/3/1/4  unassigned
TenGigabitEthernet 1/3/3/1  unassigned
TenGigabitEthernet 1/3/3/2  unassigned
TenGigabitEthernet 1/3/3/3  unassigned
○ module module-number: enter the keyword module then the module number to specify the optional module in which the port is present.
○ number: enter the port number of the 100G port to be split. The range is from 1 to 8.

Link Dampening

Interface state changes occur when interfaces are administratively brought up or down or if an interface state changes. Every time an interface changes a state or flaps, routing protocols are notified of the status of the routes that are affected by the change in state.
● half-life — 10 seconds
● reuse-threshold — 300
● suppress-threshold — 2400
● max-suppress-time — 60 seconds

Figure 53.
Consider an interface that flaps periodically, as shown above. Every time the interface goes down, a penalty (1024) is added. In the above example, during the first interface flap (flap 1), the accumulated penalty becomes 1024. The accumulated penalty then decays exponentially according to the configured half-life, which is 10 seconds in this example. During the second interface flap (flap 2), the penalty (1024) is again added to whatever remains of the decayed penalty.
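The penalty arithmetic described above, as an added example that is not part of the Dell guide: a small Python model of link dampening using the default values listed in this section (half-life 10 seconds, reuse-threshold 300, suppress-threshold 2400, max-suppress-time 60 seconds) and the per-flap penalty of 1024 from the text. The penalty ceiling formula, reuse-threshold × 2^(max-suppress-time / half-life), is the usual dampening definition and is an assumption here; the guide does not state how max-suppress-time bounds the penalty. The flap times are constructed.

```python
# Link-dampening penalty model. Added example; not Dell EMC Networking OS code.

# Defaults taken from the guide's link-dampening section.
HALF_LIFE = 10.0           # seconds until the accumulated penalty halves
REUSE_THRESHOLD = 300      # a suppressed interface is released below this
SUPPRESS_THRESHOLD = 2400  # an interface is suppressed when penalty exceeds this
MAX_SUPPRESS_TIME = 60.0   # seconds; bounds how long suppression can last
FLAP_PENALTY = 1024        # penalty added each time the interface goes down


def decay(penalty, elapsed, half_life=HALF_LIFE):
    """Exponential decay: the penalty halves every half_life seconds."""
    return penalty * 2.0 ** (-elapsed / half_life)


def penalty_ceiling(reuse=REUSE_THRESHOLD, max_suppress=MAX_SUPPRESS_TIME,
                    half_life=HALF_LIFE):
    """Largest penalty that can still decay to `reuse` within max_suppress
    seconds. Assumption: the common dampening formula; the guide does not
    give one. With the defaults this is 300 * 2**6 = 19200."""
    return reuse * 2.0 ** (max_suppress / half_life)


class LinkDampener:
    """Tracks the accumulated penalty and suppression state of one interface."""

    def __init__(self, half_life=HALF_LIFE, reuse=REUSE_THRESHOLD,
                 suppress=SUPPRESS_THRESHOLD, max_suppress=MAX_SUPPRESS_TIME,
                 flap_penalty=FLAP_PENALTY):
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        self.flap_penalty = flap_penalty
        self.ceiling = penalty_ceiling(reuse, max_suppress, half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _bring_current(self, now):
        """Decay the penalty from the last event to `now` and re-evaluate reuse."""
        self.penalty = decay(self.penalty, now - self.last_update, self.half_life)
        self.last_update = now
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False   # penalty fell below reuse-threshold

    def flap(self, now):
        """Record a down event at time `now` (seconds); return the new penalty."""
        self._bring_current(now)
        self.penalty = min(self.penalty + self.flap_penalty, self.ceiling)
        if self.penalty > self.suppress:
            self.suppressed = True    # routing protocols stop seeing this link
        return self.penalty

    def is_suppressed(self, now):
        self._bring_current(now)
        return self.suppressed


def simulate(flap_times, check_times):
    """Constructed scenario: return penalties after each flap and the
    suppression state at each check time."""
    d = LinkDampener()
    penalties = [d.flap(t) for t in flap_times]
    states = [d.is_suppressed(t) for t in check_times]
    return penalties, states


if __name__ == "__main__":
    # Flaps every 5 s exceed the suppress-threshold on the fourth flap;
    # 40 s of quiet afterwards lets the penalty decay below reuse-threshold.
    print(simulate([0, 5, 10, 15], [30, 55]))
```

Two flaps exactly one half-life apart (0 s and 10 s) leave 1024/2 + 1024 = 1536, which matches the "penalty accumulates on top of the decayed remainder" behaviour the text describes; flaps every 5 seconds cross 2400 on the fourth event.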
Link Dampening Support for XML

View the output of the following show commands in XML by adding | display xml to the end of the command.
● show interfaces dampening
● show interfaces dampening summary
● show interfaces interface slot/port/subport

Configure MTU Size on an Interface

In Dell EMC Networking OS, Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload). The following table lists the range for each transmission media.
Using Ethernet Pause Frames for Flow Control Ethernet pause frames and threshold settings are supported on the Dell EMC Networking OS. Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it. The destination sends a PAUSE frame back to the source, stopping the sender’s transmission for a period of time.
○ monitor session-ID: Enter the keyword monitor then the session–ID to enable mirror flow control frames on the port. The session–ID range is from 1 to 65535. Configure the MTU Size on an Interface If a packet includes a Layer 2 header, the difference in bytes between the link MTU and IP MTU must be enough to include the Layer 2 header. NOTE: The system supports jumbo frames by default (the default maximum transmission unit (MTU) is 9416 bytes).
Port-Pipes A port pipe is a Dell EMC Networking-specific term for the hardware packet-processing elements that handle network traffic to and from a set of front-end I/O ports. The physical, front-end I/O ports are referred to as a port-set. In the command-line interface, a port pipe is entered as port-set port-pipe-number. CR4 Auto-Negotiation You can configure interface type as CR4 with auto-negotiation enabled. Many DAC cable link issues are resolved by setting the interface type as CR4.
example for the fec enable command for a 100G interface.

DellEMC(conf-if-hu-1/1/1)#fec enable
DellEMC(conf-if-hu-1/1/1)#show config
!
interface hundredGigE 1/1/1
 no ip address
 shutdown
 intf-type cr4 autoneg
 fec enable

Important Points to Remember
● For 10–Gigabit and 40–Gigabit Ethernet interfaces, FEC configurations are not applicable.
● For 100-Gigabit Ethernet interfaces, CR4 auto-negotiation is enabled by default. You can enable or disable FEC and auto negotiation irrespective of each other.
   show interfaces [interface | stack—unit stack-unit-number] status
2. Determine the remote interface status.
   EXEC mode or EXEC Privilege mode
   [Use the command on the remote system that is equivalent to the first command.]
3. Access CONFIGURATION mode.
   EXEC Privilege mode
   config
4. Access the port.
   CONFIGURATION mode
   interface interface-type
5. Set the local port speed.
duplex full no shutdown Syslog Warning Upon Connecting SFP28 Optics with QSA When you connect the SFP28 optics with the QSA, the system displays the following syslog warning: For Dell-qualified SFP28 optics: Aug 5 01:14:55 %S6100-ON:1 %IFAGT-5-INSERT_OPTICS_SFP28: Optics SFP28 inserted in stackunit 1 module 2 port 2/1. Wrong QSA in use.
In EXEC mode, the show interfaces switchport command displays only interfaces in Layer 2 mode and their relevant configuration information. The show interfaces switchport command displays the interface, whether it supports IEEE 802.1Q tagging or not, and the VLANs to which the interface belongs.

DellEMC#show interfaces switchport
Name: TenGigabitEthernet 1/1/1/1
802.1QTagged: True
Vlan membership:
Vlan 2

Name: TenGigabitEthernet 1/1/1/2
802.
DellEMC#show interfaces
TenGigabitEthernet 1/1/1/1 is down, line protocol is down
Hardware is DellEMCEth, address is 00:01:e8:01:9e:d9
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 1d23h45m
Queueing strategy: fifo
     0 packets input, 0 bytes
     Input 0 IP Packets, 0 Vlans 0 MPLS
     0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pk
     406 Multicasts, 0 Broadcasts, 2700 Unicasts
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics:
     3106 packets, 226755 bytes, 0 underruns
     133 64-byte pkts, 2973 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     406 Multicasts, 0 Broadcasts, 2700 Unicasts
     0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 150 seconds):
     Input 300.00 Mbits/sec, 1534517 packets/sec, 30.00% of line-rate
     Output 100.
● L2 ACL
● L2 FIB

Clearing Interface Counters

The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters that any SNMP program captures. To clear the counters, use the following command.
● Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces or selected ones. Without an interface specified, the command clears all interface counters.
You can create groups of VLANs using the interface group command. This command creates any nonexistent VLANs specified in the range. On successful command execution, the CLI switches to the interface group context. The configuration commands available inside the group context are similar to those of the existing range command. Two existing EXEC mode CLIs are enhanced to display and store the running configuration in compressed mode.
Table 44. Standard and Compressed Configurations

Uncompressed                        Compressed
 tagged te 1/1/1/1
 no ip address
 shutdown
!
interface Vlan 4
 tagged te 1/1/1/1
 no ip address
 shutdown
!
interface Vlan 5
 tagged te 1/1/1/1
 no ip address
 shutdown
!
interface Vlan 100
 no ip address
 no shutdown
!
interface Vlan 1000
 ip address 1.1.1.
21 IPv4 Routing The Dell EMC Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell EMC Networking OS.
IP Addresses Dell EMC Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which increases the number of subnets, is also supported. To subnet, you add a mask to the IP address to separate the network and host portions of the IP address.
● For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
2. Enable the interface.
   INTERFACE mode
   no shutdown
3. Configure a primary IP address and mask on the interface.
   INTERFACE mode
   ip address ip-address mask [secondary]
   ● ip-address mask: the IP address must be in dotted decimal format (A.B.C.D). The mask must be in slash prefix-length format (/24).
   ● secondary: add the keyword secondary if the IP address is the interface’s backup IP address.
S  6.1.2.0/24    Direct, Lo 0
S  6.1.2.2/32    via 6.1.20.2
S  6.1.2.3/32    via 6.1.20.2
S  6.1.2.4/32    via 6.1.20.2
S  6.1.2.5/32    via 6.1.20.2
S  6.1.2.6/32    via 6.1.20.2
S  6.1.2.7/32    via 6.1.20.2
S  6.1.2.8/32    via 6.1.20.2
S  6.1.2.9/32    via 6.1.20.2
S  6.1.2.10/32   via 6.1.20.2
S  6.1.2.11/32   via 6.1.20.2
S  6.1.2.12/32   via 6.1.20.2
S  6.1.2.13/32   via 6.1.20.2
S  6.1.2.14/32   via 6.1.20.2
S  6.1.2.15/32   via 6.1.20.2
S  6.1.2.16/32   via 6.1.20.2
S  6.1.2.17/32   via 6.1.20.2
S  11.1.1.0/24   via 6.1.20.
--More--
NOTE: You can view the description of the configured static routes only using the show running-config static command. Configure Static Routes for the Management Interface When an IP address that a protocol uses and a static management route exists for the same prefix, the protocol route takes precedence over the static management route. To configure a static route for the management port, use the following command. ● Assign a static route to point to the management interface or forwarding router.
Packet handling during MTU mismatch

When you configure the MTU size on an interface, ensure that the MTU size of both the ingress and egress interfaces is set to the same value for IPv4 traffic to work correctly. If there is an MTU mismatch between the ingress and egress interface, CPU usage may be high. If the egress interface MTU is smaller than the ingress interface MTU, packets may be fragmented.
Enabling Directed Broadcast By default, Dell EMC Networking OS drops directed broadcast packets destined for an interface. This default setting provides some protection against denial of service (DoS) attacks. To enable Dell EMC Networking OS to receive directed broadcasts, use the following command. ● Enable directed broadcast. INTERFACE mode ip directed-broadcast To view the configuration, use the show config command in INTERFACE mode.
Specifying the Local System Domain and a List of Domains If you enter a partial domain, Dell EMC Networking OS can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. Dell EMC Networking OS searches the host table first to resolve the partial domain. The host table contains both statically configured and dynamically learnt host and IP addresses.
ARP Dell EMC Networking OS uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network. Over time, Dell EMC Networking OS creates a forwarding table mapping the MAC addresses to their corresponding IP address. This table is called the ARP Cache and dynamically learned addresses are removed after a defined period of time.
Enabling Proxy ARP By default, Proxy ARP is enabled. To disable Proxy ARP, use the no proxy-arp command in the interface mode. To re-enable Proxy ARP, use the following command. ● Re-enable Proxy ARP. INTERFACE mode ip proxy-arp To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output.
CONFIGURATION mode
arp learn-enable

ARP Learning via ARP Request

In Dell EMC Networking OS versions prior to 8.3.1.0, Dell EMC Networking OS learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped. If there is an existing entry for the requesting host, it is updated.

Figure 54.
arp retries number
The default is 5. The range is from 1 to 20.
● Set the exponential timer for resending unresolved ARPs.
CONFIGURATION mode
arp backoff-time
The default is 30. The range is from 1 to 3600.
● Display all ARP entries learned via gratuitous ARP.
Figure 56. ICMP Redirect Host H is connected to the same Ethernet segment as SW1 and SW2. SW1 and SW2 are multi-layer switches which can route packets. The default gateway of Host H is configured as SW1. Although the best route to the remote branch office host may be through SW2, Host H sends a packet destined for Host R to its default gateway — SW1.
○ UDP broadcast traffic with port number 67 or 68 is unicast to the dynamic host configuration protocol (DHCP) server per the ip helper-address configuration, whether or not the UDP port list contains those ports.
○ If the UDP port list contains ports 67 or 68, UDP broadcast traffic is forwarded on those ports.

Enabling UDP Helper

To enable UDP helper, use the following command.
● Enable UDP helper.
Figure 57. UDP Helper with Broadcast-All Addresses

UDP Helper with Subnet Broadcast Addresses

When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to the matching interface. In the following illustration, Packet 1 has the destination IP address 1.1.1.255, which matches the subnet broadcast address of VLAN 101.
Figure 59. UDP Helper with Configured Broadcast Addresses

UDP Helper with No Configured Broadcast Addresses

The following describes UDP helper with no broadcast addresses configured.
● If the incoming packet has a broadcast destination IP address, the unaltered packet is routed to all Layer 3 interfaces.
● If the incoming packet has a destination IP address that matches the subnet broadcast address of any interface, the unaltered packet is routed to the matching interfaces.
22 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell EMC Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
● Prefix Renumbering — Useful in transparent renumbering of hosts in the network when an organization changes its service provider.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses from dynamic host configuration protocol (DHCP) servers via stateful auto-configuration.
NOTE: Dell EMC Networking OS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS).
● The partition takes effect only after the switch reboots. During the reboot, Dell EMC Networking OS reads the partition configuration from NVRAM and uses it to partition the LPM.
● A command has been introduced to partition the LPM to support provisioning of IPv6 /65 to /128 route prefixes. To support /65 – /128 IPv6 route prefix entries, Dell EMC Networking OS needs to be programmed with /65 - /128 bit IPv6 support. The number of entries also needs to be explicitly programmed.
Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities. Routers understand the priority settings and handle them appropriately during conditions of congestion.
Hop Limit (8 bits) The Hop Limit field shows the number of hops remaining for packet processing. In IPv4, this is known as the Time to Live (TTL) field and uses seconds rather than hops. Each time the packet moves through a forwarding router, this field decrements by 1. If a router receives a packet with a Hop Limit of 1, it decrements it to 0 (zero). The router discards the packet and sends an ICMPv6 message back to the sending router indicating that the Hop Limit was exceeded in transit.
11   Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet’s Source IP Address only if the Destination IP Address is not a multicast address.

The second byte contains the Option Data Length. The third byte specifies whether the information can change en route to the destination. The value is 1 if it can change; the value is 0 if it cannot change.
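The option-type dispatch rules in the table above, as an added example that is not taken from the Dell guide: Python that decodes the two highest-order bits of an IPv6 Option Type into the four actions for an unrecognized option, walks the TLV option area of a Hop-by-Hop or Destination Options header (consuming Pad1 and PadN), and returns whether the packet is discarded and whether an ICMPv6 Parameter Problem, Code 2 is sent, with the multicast-destination exception of the 11 row. Following RFC 8200, the example reads the change-en-route flag from the third-highest-order bit of the Option Type octet. The sample option areas are constructed bytes, not captured traffic, and the set of "recognized" option types is an assumption for the demonstration.

```python
# IPv6 option-type handling (RFC 8200 section 4.2). Added example; not Dell code.

PAD1 = 0x00   # one zero octet, no length field
PADN = 0x01   # type, length, then `length` octets of padding

# Action a node takes when it does not recognize the option, from the two
# highest-order bits of the Option Type octet.
ACTION_SKIP = 0b00                   # skip the option, keep processing the header
ACTION_DISCARD = 0b01                # discard the packet silently
ACTION_DISCARD_ICMP = 0b10           # discard, always send Parameter Problem Code 2
ACTION_DISCARD_ICMP_UNICAST = 0b11   # discard, send Parameter Problem only if dst is unicast


def option_action(option_type):
    """Two highest-order bits of the Option Type octet."""
    return (option_type >> 6) & 0b11


def option_may_change_en_route(option_type):
    """Third-highest-order bit: 1 if the option data may change in transit."""
    return bool(option_type & 0b0010_0000)


def unrecognized_option_disposition(option_type, dst_is_multicast):
    """Return (discard_packet, send_parameter_problem) for an unrecognized option."""
    action = option_action(option_type)
    if action == ACTION_SKIP:
        return False, False
    if action == ACTION_DISCARD:
        return True, False
    if action == ACTION_DISCARD_ICMP:
        return True, True
    return True, not dst_is_multicast   # the 11 case from the table


def parse_options(area):
    """Walk the TLV option area of a Hop-by-Hop/Destination Options header.

    Returns a list of (option_type, option_data); Pad1 and PadN are consumed
    but not returned. A length field that runs past the area raises
    ValueError, which is the malformed-header case a node must reject
    instead of reading beyond the buffer.
    """
    options = []
    i = 0
    while i < len(area):
        opt_type = area[i]
        if opt_type == PAD1:
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("option type at offset %d has no length octet" % i)
        length = area[i + 1]
        data = area[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option length %d at offset %d overruns the header" % (length, i))
        if opt_type != PADN:
            options.append((opt_type, data))
        i += 2 + length
    return options


def process_header(area, dst_is_multicast, recognized=frozenset({0x05})):
    """Apply the dispatch rules to each option in order.

    Returns ("deliver", options) when every option is recognized or skippable,
    or ("discard", send_parameter_problem) at the first option that discards.
    `recognized` is an assumed set; 0x05 is the Router Alert option type.
    """
    options = parse_options(area)
    for opt_type, _data in options:
        if opt_type in recognized:
            continue
        discard, send_icmp = unrecognized_option_disposition(opt_type, dst_is_multicast)
        if discard:
            return "discard", send_icmp
    return "deliver", options


# Constructed 6-octet option areas (one 8-octet extension header minus the
# Next Header and Hdr Ext Len octets).
ROUTER_ALERT_AREA = bytes([0x05, 0x02, 0x00, 0x00, 0x01, 0x00])  # Router Alert + PadN(0)
UNKNOWN_11_AREA = bytes([0xC2, 0x01, 0xAA, 0x00, 0x00, 0x00])     # type 0xC2 (bits 11) + 3 x Pad1
TRUNCATED_AREA = bytes([0x05, 0x08, 0x00])                         # length overruns the area

if __name__ == "__main__":
    print(process_header(ROUTER_ALERT_AREA, dst_is_multicast=False))
    print(process_header(UNKNOWN_11_AREA, dst_is_multicast=True))
    print(process_header(UNKNOWN_11_AREA, dst_is_multicast=False))
```

Type 0xC2 carries the 11 action bits, so the same packet is dropped in both runs but the Parameter Problem goes back only when the destination is unicast; the truncated area shows why a parser must bound every length field by the header length before reading option data.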
Implementing IPv6 with Dell EMC Networking OS Dell EMC Networking OS supports both IPv4 and IPv6 and both may be used simultaneously in your system. ICMPv6 ICMP for IPv6 combines the roles of ICMP, IGMP and ARP in IPv4. Like IPv4, it provides functions for reporting delivery and forwarding errors, and provides a simple echo service for troubleshooting. The Dell EMC Networking OS implementation of ICMPv6 is based on RFC 4443.
IPv6 Neighbor Discovery The IPv6 neighbor discovery protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In place of address resolution protocol (ARP), NDP uses “Neighbor Solicitation” and “Neighbor Advertisement” ICMPv6 messages for determining relationships between neighboring nodes. Using these messages, an IPv6 device learns the link-layer addresses for neighbors known to reside on attached links, quickly purging cached values that become invalid.
The DNS server address does not allow the following:
● link local addresses
● loopback addresses
● prefix addresses
● multicast addresses
● invalid host addresses
If you specify this information in the IPv6 RDNSS configuration, a DNS error is displayed.

Example for Configuring an IPv6 Recursive DNS Server

The following example configures an RDNSS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
Displaying IPv6 RDNSS Information To display IPv6 interface information, including IPv6 RDNSS information, use the show ipv6 interface command in EXEC or EXEC Privilege mode. Examples of Displaying IPv6 RDNSS Information The following example displays IPv6 RDNSS information. The output in the last 3 lines indicates that the IPv6 RDNSS was correctly configured on interface te 1/1/1.
Configuration Tasks for IPv6

The following are configuration tasks for the IPv6 protocol.
● Adjusting Your CAM-Profile
● Assigning an IPv6 Address to an Interface
● Assigning a Static IPv6 Route
● Configuring Telnet with IPv6
● SNMP over IPv6
● Showing IPv6 Information
● Clearing IPv6 Routes

Adjusting Your CAM-Profile

Although adjusting your CAM-profile is not a mandatory step, if you plan to implement IPv6 ACLs, adjust your CAM settings. The CAM space is allotted in FP blocks.
You can configure up to two IPv6 addresses on management interfaces, allowing required default router support on the management port that is acting as host, per RFC 4861. Data ports support more than two IPv6 addresses. When you configure IPv6 addresses on multiple interfaces (the ipv6 address command) and verify the configuration (the show ipv6 interfaces command), the same link local (fe80) address is displayed for each IPv6 interface. ● Enter the IPv6 Address for the device.
EXEC mode or EXEC Privileged mode telnet [vrf vrf-name] ipv6 address ○ ipv6 address: x:x:x:x::x ○ mask: prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing. SNMP over IPv6 You can configure SNMP over IPv6 transport so that an IPv6 host can perform SNMP queries and receive SNMP notifications from a device running Dell EMC Networking OS IPv6.
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the stack/slot/port/subport information. ○ For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the stack/slot/port/subport information. ○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the stack/slot/port[/subport] information. ○ For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the stack/slot/port/subport information.
○ To display information about static IPv6 routes, enter static.
○ To display information about an IPv6 prefix list, enter list and the prefix-list name.

The following example shows the show ipv6 route summary command.

DellEMC#show ipv6 route summary
Route Source    Active Routes    Non-active Routes
connected       5                0
static          0                0
Total           5                0

The following example shows the show ipv6 route command.
○ For the Management interface on the stack-unit, enter the keyword ManagementEthernet then the slot/port information.

DellEMC#show run int Te 1/1/1/1
!
interface TenGigabitEthernet 1/1/1/1
 no ip address
 ipv6 address 3:4:5:6::8/24
 shutdown
DellEMC#

Clearing IPv6 Routes

To clear routes from the IPv6 routing table, use the following command.
● Clear (refresh) all or a specific route from the IPv6 routing table.
EXEC mode
clear ipv6 route {* | ipv6 address prefix-length}
○ *: all routes.
   ipv6 nd ra-guard enable
3. Create the policy.
   POLICY LIST CONFIGURATION mode
   ipv6 nd ra-guard policy policy-name
4. Define the role of the device attached to the port.
   POLICY LIST CONFIGURATION mode
   device-role {host | router}
   Use the keyword host to set the device role as host. Use the keyword router to set the device role as router.
5. Set the hop count limit.
   POLICY LIST CONFIGURATION mode
   hop-limit {maximum | minimum limit}
   The hop limit range is from 0 to 254.
6.
Example of the show config Command

DellEMC(conf-ra_guard_policy_list)#show config
!
ipv6 nd ra-guard policy test
 device-role router
 hop-limit maximum 251
 mtu 1350
 other-config-flag on
 reachable-time 540
 retrans-timer 101
 router-preference maximum medium
 trusted-port
DellEMC(conf-ra_guard_policy_list)#

Configuring IPv6 RA Guard on an Interface

To configure the IPv6 Router Advertisement (RA) guard on an interface, perform the following steps:
1. Configure the terminal to enter the Interface mode.
23 iSCSI Optimization

This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
NOTE: After a switch is reloaded, power-cycled, or upgraded, the system may display the ACL_AGENT-3ISCSI_OPT_MAX_SESS_LIMIT_REACHED: Monitored iSCSI sessions reached maximum limit log message. This does not mean that the maximum number of supported iSCSI sessions has been reached. Also, the number of iSCSI sessions displayed on the system may be any number equal to or less than the maximum.
Application of Quality of Service to iSCSI Traffic Flows You can configure iSCSI CoS mode. This mode controls whether CoS (dot1p priority) queue assignment and/or packet marking is performed on iSCSI traffic. When you enable iSCSI CoS mode, the CoS policy is applied to iSCSI traffic. When you disable iSCSI CoS mode, iSCSI sessions and connections are still detected and displayed in the status tables, but no CoS policy is applied to iSCSI traffic.
Detection and Auto-Configuration for Dell EqualLogic Arrays The iSCSI optimization feature includes auto-provisioning support with the ability to detect directly connected Dell EqualLogic storage arrays and automatically reconfigure the switch to enhance storage traffic flows. The switch uses the link layer discovery protocol (LLDP) to discover Dell EqualLogic devices on the network. LLDP is enabled by default. For more information about LLDP, refer to Link Layer Discovery Protocol (LLDP).
● Additional updates to connections (including aging updates) that are learnt on VLT lag members are synced to the peer. ● When receiving an iSCSI login request on a non-VLT interface followed by a response from a VLT interface, the session is not synced since it is initially learnt on a non-VLT interface through the request packet. ● The peer generates a new connection log that sees the login response packet.
Table 45. iSCSI Optimization Defaults (continued)

Parameter                        Default Value
iSCSI optimization target ports  iSCSI well-known ports 3260 and 860 are configured as default (with no IP address or name) but can be removed as any other configured target.
iSCSI session monitoring         Disabled. The CAM allocation for iSCSI is set to zero (0).

iSCSI Optimization Prerequisites

The following are iSCSI optimization prerequisites.
● iSCSI optimization requires LLDP on the switch.
To delete a specific IP address from the TCP port, use the no iscsi target port tcp-port-n ip-address address command to specify the address to be deleted. ● ip-address specifies the IP address of the iSCSI target. When you enter the no form of the command, and the TCP port you want to delete is one bound to a specific IP address, include the IP address value in the command.
show iscsi sessions
● Display detailed information on active iSCSI sessions on the switch. To display detailed information on a specified iSCSI session, enter the session’s iSCSI ID.
show iscsi sessions detailed [session isid]
● Display all globally configured non-default iSCSI settings in the current Dell EMC Networking OS session.
show run iscsi

The following example shows the show iscsi command.
24 Intermediate System to Intermediate System

The intermediate system to intermediate system (IS-IS) protocol uses a shortest-path-first algorithm. Dell EMC Networking supports both IPv4 and IPv6 versions of IS-IS.
Figure 64. ISO Address Format Multi-Topology IS-IS Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases. Use this feature to place a virtual physical topology into logical routing domains, which can each support different routing and security policies. All routers on a LAN or point-to-point must have at least one common supported topology when operating in Multi-Topology ISIS mode.
Graceful Restart
Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change. Normally, when an IS-IS router is restarted, temporary disruption of routing occurs due to events in both the restarting router and the neighbors of the restarting router.
● Processes IPv6 information received in the PDUs.
● Computes routes to IPv6 destinations.
● Downloads IPv6 routes to the RTM for installing in the FIB.
● Accepts external IPv6 information and advertises this information in the PDUs.
The following table lists the default IS-IS values.
Table 46.
In IS-IS, neighbors form adjacencies only when they are the same IS type. For example, a Level 1 router never forms an adjacency with a Level 2 router. A Level 1-2 router forms Level 1 adjacencies with a neighboring Level 1 router and forms Level 2 adjacencies with a neighboring Level 2 router.
NOTE: Even though you enable IS-IS globally, you must also enable the IS-IS process on an interface for the IS-IS process to exchange protocol information and form adjacencies.
To configure IS-IS globally, use the following commands.
If you configure a tag variable, it must be the same as the tag variable assigned in step 1. The default IS type is level-1-2. To change the IS type to Level 1 only or Level 2 only, use the is-type command in ROUTER ISIS mode. To view the IS-IS configuration, enter the show isis protocol command in EXEC Privilege mode or the show config command in ROUTER ISIS mode.
DellEMC#show isis protocol
IS-IS Router:
System Id: EEEE.EEEE.EEEE IS-Type: level-1-2
Manual area address(es): 47.0004.004d.
Enter the keyword transition to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode. After every router has been configured with the transition keyword, and all the routers are in MT IS-IS IPv6 mode, you can remove the transition keyword on each router.
NOTE: When you do not enable transition mode, there is no IPv6 connectivity between routers operating in single-topology mode and routers operating in multi-topology mode.
2.
○ level-1, level-2: identifies the database instance type to which the wait interval applies. The range is from 5 to 120 seconds. The default is 30 seconds.
● Configure graceful restart timer T3 to set the time used by the restarting router as an overall maximum time to wait for database synchronization to complete.
Number of active level-1 adjacencies: 1 Level-2 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.
Configuring the IS-IS Metric Style
All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
Configuring the IS-IS Cost
When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands.
● Assign an IS-IS metric.
INTERFACE mode
isis metric default-metric [level-1 | level-2]
○ default-metric: the range is from 0 to 63 if the metric-style is narrow, narrow-transition, or transition.
ROUTER ISIS mode
is-type {level-1 | level-1-2 | level-2}
To view which IS-type is configured, use the show isis protocol command in EXEC Privilege mode. The show config command in ROUTER ISIS mode displays only non-default information. If you do not change the IS-type, the default value (level-1-2) is not displayed. The default is a Level 1-2 router. When the IS-type is Level 1-2, the software maintains two link state databases, one for each level.
Applying IPv4 Routes
To apply prefix lists to incoming or outgoing IPv4 routes, use the following commands.
NOTE: These commands apply to IPv4 IS-IS only. To apply prefix lists to IPv6 routes, use ADDRESS-FAMILY IPV6 mode, shown later.
● Apply a configured prefix list to all incoming IPv4 IS-IS routes.
○ For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the stack/slot/port information.
○ For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
○ For a port channel interface, enter the keywords port-channel then a number.
○ For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
● Apply a configured prefix list to all outgoing IPv6 IS-IS routes.
○ map-name: enter the name of a configured route map.
Redistributing IPv6 Routes
To add routes from other routing instances or protocols, use the following commands.
NOTE: These commands apply to IPv6 IS-IS only. To apply prefix lists to IPv4 routes, use the ROUTER ISIS mode previously shown.
● Include BGP, directly connected, RIP, or user-configured (static) routes in IS-IS.
The Dell OS supports both DES and HMAC-MD5 authentication methods. This password is inserted in Level 2 LSPs, Complete SNPs, and Partial SNPs. To view the passwords, use the show config command in ROUTER ISIS mode or the show running-config isis command in EXEC Privilege mode. To remove a password, use either the no area-password or the no domain-password command in ROUTER ISIS mode.
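The guide names HMAC-MD5 as one of the two IS-IS authentication methods but does not show what a receiver actually checks. The following is an added example, not code from the Dell guide or the Dell OS, that models the RFC 5304 HMAC-MD5 Authentication TLV (TLV type 10, authentication type 54, 16-octet digest): the sender appends the TLV with a zeroed digest, computes HMAC-MD5 over the whole PDU, and fills the digest in; the receiver recomputes it with the digest zeroed and compares in constant time, rejecting PDUs that lack the TLV, carry a truncated TLV, or fail the check. The 8-byte header, the Area Addresses TLV, the key and the TLV offset are constructed for the example; for LSPs RFC 5304 additionally zeroes the Remaining Lifetime and Checksum fields, which this CSNP/PSNP-style model does not include.

```python
import hashlib
import hmac

# RFC 5304 values: Authentication TLV type 10, authentication type 54 = HMAC-MD5,
# 16-octet digest. Everything else below (header, key, TLV offset) is constructed.
AUTH_TLV_TYPE = 10
AUTH_TYPE_HMAC_MD5 = 54
DIGEST_LEN = 16

# Constructed 8-byte stand-in for the IS-IS common header (real headers are
# longer and PDU-type specific); the TLV area starts right after it.
SAMPLE_HEADER = bytes.fromhex("831b010018010000")
TLV_OFFSET = len(SAMPLE_HEADER)
# Area Addresses TLV (type 1): one address of length 3, value 47.0004
SAMPLE_PDU = SAMPLE_HEADER + bytes([1, 4, 3, 0x47, 0x00, 0x04])


def auth_tlv(digest: bytes = b"\x00" * DIGEST_LEN) -> bytes:
    """Authentication TLV: type, length, auth-type, then the 16-octet HMAC."""
    return bytes([AUTH_TLV_TYPE, 1 + DIGEST_LEN, AUTH_TYPE_HMAC_MD5]) + digest


def find_digest_span(pdu: bytes, tlv_offset: int):
    """Walk the TLV area; return (start, end) of the digest bytes, or None."""
    i = tlv_offset
    while i + 2 <= len(pdu):
        ttype, length = pdu[i], pdu[i + 1]
        if i + 2 + length > len(pdu):
            return None  # truncated TLV: do not trust anything in it
        if (ttype == AUTH_TLV_TYPE and length == 1 + DIGEST_LEN
                and pdu[i + 2] == AUTH_TYPE_HMAC_MD5):
            return i + 3, i + 3 + DIGEST_LEN
        i += 2 + length
    return None


def compute_digest(pdu: bytes, span, key: bytes) -> bytes:
    """HMAC-MD5 over the entire PDU with the Authentication Value zeroed."""
    start, end = span
    zeroed = pdu[:start] + b"\x00" * DIGEST_LEN + pdu[end:]
    return hmac.new(key, zeroed, hashlib.md5).digest()


def sign_pdu(pdu: bytes, tlv_offset: int, key: bytes) -> bytes:
    """Sender side: append an Authentication TLV and fill in the digest."""
    signed = pdu + auth_tlv()
    span = find_digest_span(signed, tlv_offset)
    digest = compute_digest(signed, span, key)
    return signed[:span[0]] + digest + signed[span[1]:]


def verify_pdu(pdu: bytes, tlv_offset: int, key: bytes) -> bool:
    """Receiver side: accept only PDUs with a well-formed HMAC-MD5 TLV whose
    digest matches; a missing TLV is a failure, not a pass."""
    span = find_digest_span(pdu, tlv_offset)
    if span is None:
        return False
    expected = compute_digest(pdu, span, key)
    return hmac.compare_digest(expected, pdu[span[0]:span[1]])


if __name__ == "__main__":
    key = b"area-secret"  # constructed key
    signed = sign_pdu(SAMPLE_PDU, TLV_OFFSET, key)
    print("valid:", verify_pdu(signed, TLV_OFFSET, key))
    print("unsigned accepted:", verify_pdu(SAMPLE_PDU, TLV_OFFSET, key))
```

The receiver treats an absent or malformed Authentication TLV the same as a bad digest, which is the behaviour you want once a password is configured on the area or domain: an unauthenticated LSP or SNP must not be able to update the link state database.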
debug isis local-updates [interface]
To view specific information, enter the following optional parameter:
○ interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
● View IS-IS SNP packets, including CSNPs and PSNPs.
Metric Style / Correct Value Range for the isis metric Command
narrow transition / 0 to 63
transition / 0 to 63
Maximum Values in the Routing Table
IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000.
Change the IS-IS Metric Style in One Level Only
By default, the IS-IS metric style is narrow.
Table 48. Metric Value When the Metric Style Changes (continued)
Beginning Metric Style / Final Metric Style / Resulting IS-IS Metric Value
wide transition / narrow / default value (10) if the original value is greater than 63. A message is sent to the console.
wide transition / narrow transition / default value (10) if the original value is greater than 63. A message is sent to the console.
wide transition / transition / truncated value (the truncated value appears in the LSP only).
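To make the metric-style rules above checkable, here is an added example (not code from the Dell guide) that validates an isis metric value against the range its style allows and applies the Table 48 rows reproduced on this page for a change away from wide transition. The conversion function only encodes those rows; for any other style pair it keeps a value that is still in range and refuses otherwise, which is an assumption, as is truncating to the low 6 bits for the wide transition to transition case (the page says only "truncated value").

```python
NARROW_STYLES = {"narrow", "narrow-transition", "transition"}
WIDE_STYLES = {"wide", "wide-transition"}
NARROW_MAX = 63            # 6-bit metric, the range the page gives for narrow styles
WIDE_MAX = 16_777_215      # 24-bit metric, the range the page gives for wide styles
DEFAULT_METRIC = 10        # value the page says is substituted after a narrowing change


def metric_is_valid(value: int, style: str) -> bool:
    """True if value is inside the range the isis metric command accepts for style."""
    if style in NARROW_STYLES:
        return 0 <= value <= NARROW_MAX
    if style in WIDE_STYLES:
        return 0 <= value <= WIDE_MAX
    raise ValueError(f"unknown metric style {style!r}")


def convert_metric(value: int, old_style: str, new_style: str):
    """Return (resulting metric, console message or None) after a metric-style change.

    Encodes the Table 48 rows shown on the page (wide-transition to narrow,
    narrow-transition and transition). Other pairs: keep an in-range value,
    raise otherwise (assumption, not a page rule).
    """
    if not metric_is_valid(value, old_style):
        raise ValueError(f"{value} is not a valid {old_style} metric")
    if old_style == "wide-transition" and new_style in ("narrow", "narrow-transition"):
        if value > NARROW_MAX:
            msg = (f"isis metric {value} exceeds {NARROW_MAX} for {new_style}; "
                   f"using default {DEFAULT_METRIC}")
            return DEFAULT_METRIC, msg
        return value, None
    if old_style == "wide-transition" and new_style == "transition":
        # Page: "truncated value (appears in the LSP only)"; low-6-bit truncation is assumed.
        return value & NARROW_MAX, None
    if metric_is_valid(value, new_style):
        return value, None
    raise ValueError(f"no conversion rule on the page for {old_style} -> {new_style}")


if __name__ == "__main__":
    for v, old, new in [(100, "wide-transition", "narrow"),
                        (40, "wide-transition", "narrow-transition"),
                        (100, "wide-transition", "transition")]:
        print(old, "->", new, v, "=>", convert_metric(v, old, new))
```

Run this against the metrics in your own configuration before changing metric-style on a production router: a silent fallback to the default of 10 changes SPF results for every path that used the affected interface.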
Figure 65. IPv6 IS-IS Sample Topology
The following is a sample configuration for enabling IPv6 IS-IS.
IS-IS Sample Configuration — Congruent Topology
DellEMC(conf-if-te-1/1/1/1)#show config
!
interface TenGigabitEthernet 1/1/1/1
 ip address 24.3.1.1/24
 ipv6 address 24:3::1/76
 ip router isis
 ipv6 router isis
 no shutdown
DellEMC(conf-if-te-1/1/1/1)#
DellEMC(conf-router_isis)#show config
!
router isis
 metric-style wide level-1
 metric-style wide level-2
 net 34.0000.0000.AAAA.
IS-IS Sample Configuration — Multi-topology Transition
DellEMC(conf-if-te-1/1/1/1)#show config
!
interface TenGigabitEthernet 1/1/1/1
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
DellEMC(conf-if-te-1/1/1/1)#
DellEMC(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
25 In-Service Software Upgrade
This chapter deals with In-Service Software Upgrade (ISSU) and its dependencies.
Topics:
• ISSU Introduction
• Fastboot 2.0 (Zero Loss Upgrade)
• L2 ISSU
• L3 ISSU
• CoPP
• Mirroring flow control packets
• PFC
• QoS
• Tunnel Configuration
ISSU Introduction
In-service software upgrades (ISSU), also known as warmboot or fastboot 2.0, allow Dell EMC Networking to address software bugs and add new features to switches and routers without interrupting network availability.
L2 ISSU
This section deals with L2 ISSU related information. The following changes are required by ISSU for L2:
LACP Long Timeout
If LACP is running on an interface, the user needs to have the LACP long timeout configured. If the LACP short timeout is configured, ISSU will not take place.
Spanning Tree
When spanning tree is enabled, the user needs to have BPDU guard configured on the interfaces.
The user will need to configure the boot-type to warmboot under the reload-type configuration mode. Warmboot is a system reload technique in which the NPU does not restart. Only the CPU is restarted to bring up the upgraded software. Software upgrade (ISSU) is the typical use case for warmboot. Since the BCM chip is already up and running while the software is restarted, there should not be any traffic outage during warmboot.
26 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic.
NOTE: There is no configuration on the interface because that condition is required for an interface to be part of a LAG.
● You can configure link dampening on individual members of a LAG.
LACP Modes
Dell EMC Networking OS provides three modes for configuration of LACP — Off, Active, and Passive.
● Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state.
● Configuring the LAG Interfaces as Dynamic
● Setting the LACP Long Timeout
● Monitoring and Debugging LACP
● Configuring Shared LAG State Tracking
Creating a LAG
To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces.
● Create a dynamic port channel (LAG).
CONFIGURATION mode
interface port-channel
● Create a dynamic port channel (LAG).
Setting the LACP Long Timeout PDUs are exchanged between port channel (LAG) interfaces to maintain LACP sessions. PDUs are transmitted at either a slow or fast transmission rate, depending upon the LACP timeout value. The timeout value is the amount of time that a LAG interface waits for a PDU from the remote system before bringing the LACP session down. The default timeout value is 1 second. You can configure the default timeout value to be 30 seconds.
Figure 66. Shared LAG State Tracking
To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). Dell EMC Networking OS has the ability to bring LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group.
Figure 67. Configuring Shared LAG State Tracking
The following are shared LAG state tracking console messages:
● 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 1
● 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2
To view the status of a failover group member, use the show interface port-channel command.
LACP Basic Configuration Example
The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names.
Figure 68. LACP Basic Configuration Example
Configure a LAG on ALPHA
The following example creates a LAG on ALPHA.
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output Statistics
136 packets, 16718 bytes, 0 underruns
0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
136 Multicasts, 0 Broadcasts, 0 Unicasts
0 Vlans, 0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
Input 00.00 Mbits/sec,0 packets/sec, 0.00% of line-rate
Output 00.00 Mbits/sec,0 packets/sec, 0.
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int tengig 1/1/1/3
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-te-1/1/1/3)#port-channel-protocol lacp
Bravo(conf-if-te-1/1/1/3-lacp)#port-channel 10 mode active
Bravo(conf-if-te-1/1/1/3-lacp)#no shut
Bravo(conf-if-te-1/1/1/3)#end
!
interface TenGigabitEthernet 1/1/1/3
 no ip
Figure 74. Inspecting the LAG Status Using the show lacp command
The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
27 Layer 2
This chapter describes the Layer 2 features supported on the device.
Topics:
• Manage the MAC Address Table
• MAC Learning Limit
• NIC Teaming
• Configure Redundant Pairs
• Far-End Failure Detection
Manage the MAC Address Table
You can perform the following management tasks in the MAC address table.
Configuring a Static MAC Address
A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command.
● Create a static MAC address entry in the MAC address table.
CONFIGURATION mode
mac-address-table static
Displaying the MAC Address Table
To display the MAC address table, use the following command.
● Display the contents of the MAC address table.
Setting the MAC Learning Limit
To set a MAC learning limit on an interface, use the following command.
● Specify the number of MAC addresses that the system can learn off a Layer 2 interface.
INTERFACE mode
mac learning-limit address_limit
Three options are available with the mac learning-limit command:
○ dynamic
○ no-station-move
○ station-move
NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations.
mac learning-limit no-station-move
The no-station-move option, also known as “sticky MAC,” provides additional port security by preventing a station move. When you configure this option, the first entry in the table is maintained instead of creating an entry on the new interface. no-station-move is the default behavior. Entries created before you set this option are not affected. To display a list of all interfaces with a MAC learning limit, use the following command.
station-move-violation shutdown-both
● Display a list of all of the interfaces configured with MAC learning limit or station move violation.
CONFIGURATION mode
show mac learning-limit violate-action
NOTE: When the MAC learning limit (MLL) is configured as no-station-move, the MLL entries will be processed as static entries internally. For static entries, the MAC address will be installed in all port-pipes, irrespective of the VLAN membership.
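The learning-limit and station-move behaviour described above is easiest to reason about as a small model. This added example (not code from the Dell guide or the Dell OS) simulates a MAC address table with a per-port mac learning-limit, the default no-station-move ("sticky MAC") rule that keeps the first-learned port, the station-move alternative, and the shutdown-both violation action the page lists; a log of the events a syslog or trap would carry is kept so the effect of each frame is visible. Port names, MAC addresses, the VLAN, the "log" default for the violation action and the whole scenario in run_demo are constructed; the dynamic option is not modelled because the page does not describe it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Port:
    name: str
    learning_limit: Optional[int] = None     # mac learning-limit <address_limit>; None = no limit
    mode: str = "no-station-move"            # page default; "station-move" is the alternative
    station_move_violation: str = "log"      # constructed default; "shutdown-both" is on the page
    is_shutdown: bool = False


class MacTable:
    """Simplified MAC address table with per-port learning limits."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[int, str], str] = {}   # (vlan, mac) -> port name
        self.events: List[str] = []                     # what syslog / SNMP would report

    def count_on(self, port_name: str) -> int:
        return sum(1 for p in self.entries.values() if p == port_name)

    def learn(self, port: Port, vlan: int, mac: str, ports: Dict[str, Port]) -> bool:
        """Process a source MAC seen on port. Returns True if the entry is (re)learned."""
        if port.is_shutdown:
            return False
        key = (vlan, mac)
        current = self.entries.get(key)
        if current == port.name:
            return True                        # refresh of an existing entry
        if current is not None and port.mode == "no-station-move":
            # Sticky MAC: the first-learned port keeps the entry, the move is refused.
            self.events.append(f"station move denied: {mac} vlan {vlan} stays on "
                               f"{current}, seen on {port.name}")
            if port.station_move_violation == "shutdown-both":
                for name in (current, port.name):
                    ports[name].is_shutdown = True
                self.events.append(f"shutdown-both: {current} and {port.name} disabled")
            return False
        # New address, or a station move the port allows: check the learning limit.
        if port.learning_limit is not None and self.count_on(port.name) >= port.learning_limit:
            self.events.append(f"learning limit {port.learning_limit} reached on "
                               f"{port.name}: {mac} not learned")
            return False
        self.entries[key] = port.name          # creates the entry or moves it here
        return True


def run_demo():
    """Constructed scenario: two limited sticky ports and one port that allows moves."""
    ports = {
        "Te 1/1/1/1": Port("Te 1/1/1/1", learning_limit=2),
        "Te 1/1/1/2": Port("Te 1/1/1/2", learning_limit=2, station_move_violation="shutdown-both"),
        "Te 1/1/1/3": Port("Te 1/1/1/3", mode="station-move"),
    }
    table = MacTable()
    results = [
        table.learn(ports["Te 1/1/1/1"], 10, "00:01:e8:05:40:46", ports),
        table.learn(ports["Te 1/1/1/1"], 10, "00:01:e8:05:40:47", ports),
        table.learn(ports["Te 1/1/1/1"], 10, "00:01:e8:05:40:48", ports),  # over the limit
        table.learn(ports["Te 1/1/1/3"], 10, "00:01:e8:05:40:46", ports),  # move allowed
        table.learn(ports["Te 1/1/1/2"], 10, "00:01:e8:05:40:46", ports),  # sticky: denied
    ]
    return table, ports, results


if __name__ == "__main__":
    table, ports, results = run_demo()
    print(results)
    print("\n".join(table.events))
```

Note the order of checks: a sticky-port violation is decided before the learning limit, so a port that is both limited and sticky reports the station move rather than a limit hit, and shutdown-both takes both the port that owns the entry and the port where the duplicate appeared out of service.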
CONFIGURATION mode
mac port-security
NIC Teaming
NIC teaming is a feature that allows multiple network interface cards in a server to be represented by one MAC address and one IP address in order to provide transparent redundancy, balancing, and to fully utilize network adapter resources. The following illustration shows a topology where two NICs have been teamed together.
Figure 76. Configuring the mac-address-table station-move refresh-arp Command
Configure Redundant Pairs
Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 77. Configuring Redundant Layer 2 Pairs without Spanning Tree
You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
As shown in the previous illustration, interface 1/1/1/1 is a backup interface for 1/1/2/1, and 1/1/3/1 is in the Down state. If 1/1/1/1 fails, 1/1/2/1 transitions to the Up state, which makes the backup link active. A message similar to the following message appears whenever you configure a backup port.
DellEMC#
DellEMC(conf-if-po-1)#switchport backup interface tengigabitethernet 1/2/1
Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Te 1/1/1/2
DellEMC(conf-if-po-1)#
Far-End Failure Detection
Far-end failure detection (FEFD) is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval.
2. After you enable FEFD on an interface, it transitions to the Unknown state and sends an FEFD packet to the remote end of the link.
3. When the local interface receives the echoed packet from the remote end, the local interface transitions to the Bi-directional state.
4. If the FEFD-enabled system is configured to use FEFD in Normal mode and neighboring echoes are not received after three intervals (you can set each interval between 3 and 300 seconds), the state changes to Unknown.
5.
CONFIGURATION mode
fefd-global {interval | mode}
To display information about the state of each interface, use the show fefd command in EXEC Privilege mode.
DellEMC#show fefd
FEFD is globally 'ON', interval is 3 seconds, mode is 'Normal'.
Debugging FEFD
To debug FEFD, use the first command. To provide output for each packet transmission over the FEFD-enabled connection, use the second command.
● Display output whenever events occur that initiate or disrupt an FEFD-enabled connection.
EXEC Privilege mode
debug fefd events
● Provide output for each packet transmission over the FEFD-enabled connection.
28 Link Layer Discovery Protocol (LLDP)
This chapter describes how to configure and use the link layer discovery protocol (LLDP).
Topics:
• 802.
Figure 79. Type, Length, Value (TLV) Segment
TLVs are encapsulated in a frame called an LLDP data unit (LLDPDU) (shown in the following table), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements. There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs.
Optional TLVs
The Dell EMC Networking OS supports these optional TLVs: management TLVs, IEEE 802.1 and 802.3 organizationally specific TLVs, and TIA-1057 organizationally specific TLVs.
Management TLVs
A management TLV is an optional TLV sub-type. This kind of TLV contains essential management information about the sender.
Organizationally Specific TLVs
A professional organization or a vendor can define organizationally specific TLVs.
Table 53. Optional TLV Types (continued)
Type / TLV / Description
... port belongs (and the untagged VLAN to which a port belongs if the port is in Hybrid mode).
127 / Protocol Identity / Indicates the protocols that the port can process. Dell EMC Networking OS does not currently support this TLV.
127 / MAC/PHY Configuration/Status / Indicates the capability and current setting of the duplex status and bit rate, and whether the current settings are the result of auto-negotiation.
Table 54. TIA-1057 (LLDP-MED) Organizationally Specific TLVs
Type / SubType / TLV / Description
127 / 1 / LLDP-MED Capabilities / Indicates:
● whether the transmitting device supports LLDP-MED
● what LLDP-MED TLVs it supports
● LLDP device class
127 / 2 / Network Policy / Indicates the application type, VLAN ID, Layer 2 Priority, and DSCP value.
LLDP-MED Capabilities TLV
The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
● The value of the LLDP-MED capabilities field in the TLV is a 2-octet bitmap; each bit represents an LLDP-MED capability (as shown in the following table).
● The possible values of the LLDP-MED device type are shown in the following table.
An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED network policy TLV is generated for each application type that you specify with the Dell EMC Networking OS CLI (Advertising TLVs).
power priority through the CLI. Dell EMC Networking also honors the power priority value the powered device sends; however, the CLI configuration takes precedence.
● Power Value — Dell EMC Networking advertises the maximum amount of power that can be supplied on the port. By default the power is 15.4W, which corresponds to a power value of 130, based on the TIA-1057 specification. You can advertise a different power value using the max-milliwatts option with the power inline auto | static command.
Example of the protocol lldp Command (CONFIGURATION Level)
R1(conf)#protocol lldp
R1(conf-lldp)#?
advertise     Advertise TLVs
disable       Disable LLDP protocol globally
end           Exit from configuration mode
exit          Exit from LLDP configuration mode
hello         LLDP hello configuration
mode          LLDP mode configuration (default = rx and tx)
multiplier    LLDP multiplier configuration
no            Negate a command or set its defaults
show          Show LLDP configuration
DellEMC(conf-lldp)#exit
DellEMC(conf)#interface tengigabitethernet 1/1/3/1
DellEMC(con
2. Enter LLDP management-interface mode.
LLDP-MANAGEMENT-INTERFACE mode
management-interface
3. Enable LLDP.
PROTOCOL LLDP mode
no disable
Disabling and Undoing LLDP on Management Ports
To disable or undo LLDP on management ports, use the following command.
1. Enter Protocol LLDP mode.
CONFIGURATION mode
protocol lldp
2. Enter LLDP management-interface mode.
LLDP-MANAGEMENT-INTERFACE mode
management-interface
3. Enter the disable command.
LLDP-MANAGEMENT-INTERFACE mode
In the following example, LLDP is enabled globally. R1 and R2 are transmitting periodic LLDPDUs that contain management, 802.1, and 802.3 TLVs.
Figure 85. Configuring LLDP
Storing and Viewing Unrecognized LLDP TLVs
Dell EMC Networking OS provides support to store unrecognized (reserved and organizationally specific) LLDP TLVs. Also, support is extended to retrieve the stored unrecognized TLVs using SNMP. When an incoming TLV from an LLDP neighbor is not recognized, the TLV is categorized as an unrecognized TLV.
The organizationally specific TLV list is limited to 256 entries per neighbor. If there are more than 256 TLV entries, the oldest entry (of that neighbor) in the list is replaced. A syslog message appears when the organizationally specific unrecognized TLV list exceeds 205 entries (80 percent of 256) so that you can take action.
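The TLV layout described under "Type, Length, Value (TLV) Segment" above and the bounded unrecognized-TLV list described in this section fit together in one added example (not code from the Dell guide or the Dell OS). It parses an LLDPDU from its 16-bit TLV headers (7-bit type, 9-bit length), enforces the Chassis ID, Port ID, TTL leading order that IEEE 802.1AB requires, rejects truncated TLVs, sorts organizationally specific TLVs (type 127) into recognized and unrecognized by (OUI, subtype) in the same triple form the show lldp neighbors detail output prints, and keeps a per-neighbor store that replaces the oldest entry at 256 and emits one syslog line once the list exceeds 205. The TIA OUI 00-12-bb is the real LLDP-MED OUI; the sample LLDPDU, the neighbor name and the capability bytes are constructed, with the chassis MAC, port name and unknown OUI 00-01-66 taken from the page's example output.

```python
import struct
from collections import deque
from typing import Deque, Dict, List, Tuple

TIA_OUI = "00-12-bb"                  # TIA-1057 (LLDP-MED) organizationally unique identifier
END_OF_LLDPDU, ORG_SPECIFIC = 0, 127
BASIC_TLVS = {1: "Chassis ID", 2: "Port ID", 3: "TTL", 4: "Port Description",
              5: "System Name", 6: "System Description", 7: "System Capabilities",
              8: "Management Address"}
KNOWN_ORG_TLVS = {(TIA_OUI, 1): "LLDP-MED Capabilities", (TIA_OUI, 2): "Network Policy"}
STORE_MAX, STORE_WARN = 256, 205      # page: 256 entries per neighbor, syslog above 205


def encode_tlv(ttype: int, value: bytes) -> bytes:
    """7-bit type and 9-bit length packed into one 16-bit header, then the value."""
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def parse_lldpdu(frame: bytes) -> List[Tuple[int, bytes]]:
    """Return [(type, value)] up to End of LLDPDU; reject truncated TLVs and an
    LLDPDU that does not start with Chassis ID, Port ID, TTL (IEEE 802.1AB)."""
    tlvs, i = [], 0
    while i + 2 <= len(frame):
        (header,) = struct.unpack("!H", frame[i:i + 2])
        ttype, length = header >> 9, header & 0x1FF
        value = frame[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated TLV type {ttype} at offset {i}")
        i += 2 + length
        if ttype == END_OF_LLDPDU:
            break
        tlvs.append((ttype, value))
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("LLDPDU must start with Chassis ID, Port ID, TTL")
    return tlvs


def classify(tlvs):
    """Split TLVs into recognized names and unrecognized (oui, subtype, value length)
    triples, the form the show lldp neighbors detail OrgUnknownTLVList uses."""
    recognized, unrecognized = [], []
    for ttype, value in tlvs:
        if ttype == ORG_SPECIFIC:
            if len(value) < 4:
                raise ValueError("organizationally specific TLV shorter than OUI + subtype")
            oui, subtype = value[:3].hex("-"), value[3]
            name = KNOWN_ORG_TLVS.get((oui, subtype))
            if name:
                recognized.append(name)
            else:
                unrecognized.append((oui, subtype, len(value) - 4))
        elif ttype in BASIC_TLVS:
            recognized.append(BASIC_TLVS[ttype])
        else:
            unrecognized.append(("reserved", ttype, len(value)))
    return recognized, unrecognized


class UnrecognizedTlvStore:
    """Bounded per-neighbor list: oldest entry replaced at 256, one syslog above 205."""

    def __init__(self) -> None:
        self.lists: Dict[str, Deque] = {}
        self.syslog: List[str] = []
        self._warned = set()

    def add(self, neighbor: str, entry) -> None:
        lst = self.lists.setdefault(neighbor, deque())
        if len(lst) >= STORE_MAX:
            lst.popleft()                              # replace the oldest entry
        lst.append(entry)
        if len(lst) > STORE_WARN and neighbor not in self._warned:
            self._warned.add(neighbor)
            self.syslog.append(f"unrecognized TLV list for {neighbor} exceeds {STORE_WARN} entries")

    def count(self, neighbor: str) -> int:
        return len(self.lists.get(neighbor, ()))


# Constructed LLDPDU: chassis MAC, port name and the unknown OUI come from the page's output.
SAMPLE_LLDPDU = (
    encode_tlv(1, b"\x04" + bytes.fromhex("4c7625f4ab02"))                    # Chassis ID, subtype 4 = MAC
    + encode_tlv(2, b"\x05" + b"fortyGigE 1/2/8/1")                            # Port ID, subtype 5 = interface name
    + encode_tlv(3, struct.pack("!H", 120))                                    # TTL 120 s (page default)
    + encode_tlv(ORG_SPECIFIC, bytes.fromhex("0012bb") + b"\x01" + b"\x00\x0f\x04")  # LLDP-MED Capabilities
    + encode_tlv(ORG_SPECIFIC, bytes.fromhex("000166") + b"\x7f" + b"\x00\x00\x00\x00")  # unknown, like ((00-01-66),127, 4)
    + encode_tlv(END_OF_LLDPDU, b"")
)

if __name__ == "__main__":
    rec, unrec = classify(parse_lldpdu(SAMPLE_LLDPDU))
    print("recognized:", rec)
    print("unrecognized:", unrec)
```

The store is the part worth copying: neighbor-supplied data that the switch does not understand is still retained for SNMP, so it must be capped per neighbor, and the 80 percent warning gives an operator a chance to look at a port that is emitting hundreds of unknown TLVs before entries start being silently dropped.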
show lldp neighbors detail
Examples of Viewing Information Advertised by Neighbors
Example of Viewing Brief Information Advertised by Neighbors
DellEMC#show lldp neighbors
Loc PortID    Rem Host Name    Rem Port Id                  Rem Chassis Id
-------------------------------------------------------------------
Te 1/1/1/1                     TenGigabitEthernet 1/1/3/1   00:01:e8:05:40:46
Te 1/1/2/1                     TenGigabitEthernet 1/1/4/1   00:01:e8:05:40:46
Ma 1/1        swlab2-maa-tor-...
Example of Viewing Detailed Information Advertised by Neighbors
DellEMC(conf)#do show lldp neighbors detail
========================================================================
Local Interface hundredGigE 1/1/1 has 2 neighbors
  Total Frames Out: 3
  Total Frames In: 8
  Total Neighbor information Age outs: 0
  Total Multiple Neighbors Detected: 0
  Total Frames Discarded: 0
  Total In Error Frames: 0
  Total Unrecognized TLVs: 960
  Total TLVs Discarded: 16
  Next packet will be sent after 9 seconds
  The neighbors are gi
OrgUnknownTLVList: ((00-01-66),127, 4) ((00-01-66),126, 4) ((00-01-66),125, 4) ((00-01-66),124, ((00-01-66),123, 4) ((00-01-66),122, 4) ((00-01-66),121, 4) ((00-01-66),120, 4) ((00-01-66),119, ((00-01-66),118, 4)
--------------------------------------------------------------------------
Remote Chassis ID Subtype: Mac address (4)
Remote Chassis ID: 4c:76:25:f4:ab:02
Remote Port Subtype: Interface name (5)
Remote Port ID: fortyGigE 1/2/8/1
Local Port ID: hundredGigE 1/1/2
Locally assigned remote Neighbor Index
 no disable
R1(conf-lldp)#
Configuring LLDP Notification Interval
This implementation has been introduced to adhere to the IEEE 802.1AB standard. It allows a user to configure the LLDP notification interval between 5 (default) and 3600 seconds.
NOTE: Before implementation of this feature, notification messages were not throttled. After implementation, the system throttles the LLDP notification messages by 5 seconds (default) or as configured by the user.
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#
Configuring the Time to Live Value
The information received from a neighbor expires after a specific amount of time (measured in seconds) called a time to live (TTL). The TTL is the product of the LLDPDU transmit interval (hello) and an integer called a multiplier. The default multiplier is 4, which results in a default TTL of 120 seconds.
● Adjust the TTL value.
Figure 86. The debug lldp detail Command — LLDPDU Packet Dissection
Example of debug lldp Command Output with Unrecognized Reserved and Organizationally Specific LLDP TLVs
The following is an example of an LLDPDU with both reserved and organizationally specific unrecognized TLVs.
Table 58. LLDP Configuration MIB Objects
MIB Object Category / LLDP Variable / LLDP MIB Object / Description
LLDP Configuration / adminStatus / lldpPortConfigAdminStatus / Whether you enable the local LLDP agent for transmit, receive, or both.
LLDP Configuration / msgTxHold / lldpMessageTxHoldMultiplier / Multiplier value.
LLDP Configuration / msgTxInterval / lldpMessageTxInterval / Transmit Interval value.
LLDP Configuration / rxInfoTTL / lldpRxInfoTTL / Time to live for received TLVs.
LLDP Configuration / txInfoTTL / lldpTxInfoTTL / Time to live for transmitted TLVs.
Table 60. LLDP 802.1 Organizationally specific TLV MIB Objects (continued)
TLV Type / TLV Name / TLV Variable / System / LLDP MIB Object
VLAN name length / Local / lldpXdot1LocVlanName
VLAN name length / Remote / lldpXdot1RemVlanName
VLAN name / Local / lldpXdot1LocVlanName
VLAN name / Remote / lldpXdot1RemVlanName
Table 61.
29 Microsoft Network Load Balancing Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
Limitations of the NLB Feature
The following limitations apply to switches on which you configure NLB:
● The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN. When a large volume of traffic is processed, the clustering performance might be impacted in a small way. This limitation is applicable to switches that perform unicast flooding in the software.
● The ip vlan-flooding command applies globally across the system and for all VLANs.
There might be some ARP table entries that are resolved through ARP packets whose Ethernet MAC SA differed from the MAC information inside the ARP packet. This unicast data traffic flooding occurs only for those packets that use these ARP entries.
Enabling a Switch for Multicast NLB
To enable a switch for Multicast NLB mode, perform the following steps:
1.
30 Multicast Source Discovery Protocol (MSDP)
Multicast source discovery protocol (MSDP) is supported on Dell EMC Networking OS.
Protocol Overview
MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Implementation Information
The Dell EMC Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446.
Configure Multicast Source Discovery Protocol
Configuring MSDP is a four-step process.
1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures. The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 92. Configuring MSDP
Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1. Enable MSDP.
CONFIGURATION mode
ip multicast-msdp
2. Peer PIM systems in different administrative domains.
CONFIGURATION mode
ip msdp peer connect-source
R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
R3#show ip msdp peer
Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
Clearing the Source-Active Cache
To clear the source-active cache, use the following command.
● Clear the SA cache of all, local, or rejected entries, or entries for a specific group.
CONFIGURATION mode
clear ip msdp sa-cache [group-address | local | rejected-sa]
Enabling the Rejected Source-Active Cache
To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error.
Figure 95. MSDP Default Peer, Scenario 4
Specifying Source-Active Messages
To specify messages, use the following command.
● Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check.
CONFIGURATION mode
ip msdp default-peer ip-address list
If you do not specify an access list, the peer accepts all sources that the peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
DellEMC(conf)#ip msdp peer 10.0.50.
DellEMC#ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime    GroupAddr    SourceAddr   RPAddr      LearnedFrom  Reason
00:33:18  229.0.50.64  24.0.50.64   200.0.1.50  10.0.50.2    Rpf-Fail
00:33:18  229.0.50.65  24.0.50.65   200.0.1.50  10.0.50.2    Rpf-Fail
00:33:18  229.0.50.66  24.0.50.66   200.0.1.50  10.0.50.2    Rpf-Fail
Limiting the Source-Active Messages from a Peer
To limit the source-active messages from a peer, use the following commands.
1.
Preventing MSDP from Caching a Remote Source
To prevent MSDP from caching a remote source, use the following commands.
1. OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
CONFIGURATION mode
ip msdp cache-rejected-sa
2. Prevent the system from caching remote sources learned from a specific peer based on source and group.
CONFIGURATION mode
ip msdp sa-filter list out peer list ext-acl
As shown in the following example, R1 is advertising source 10.11.4.2.
MSDP Source-Active Cache - 1 entries
GroupAddr  SourceAddr  RPAddr       LearnedFrom  Expire  UpTime
239.0.0.1  10.11.4.2   192.168.0.1  local        70      00:27:20
R3(conf)#do show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr  SourceAddr  RPAddr       LearnedFrom  Expire  UpTime
239.0.0.1  10.11.4.2   192.168.0.1  192.168.0.1  1       00:10:29
[Router 3]
R3(conf)#do show ip msdp sa-cache
R3(conf)#
To display the configured SA filters for a peer, use the show ip msdp peer command from EXEC Privilege mode.
CONFIGURATION mode
clear ip msdp peer peer-address
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.3(639)
Connect Source: Lo 0
State: Established
Up/Down Time: 00:04:26
Timers: KeepAlive 30 sec, Hold time 75 sec
SourceActive packet count (in/out): 5/0
SAs learned from this peer: 0
SA Filtering:
Input (S,G) filter: myremotefilter
Output (S,G) filter: none
R3(conf)#do clear ip msdp peer 192.168.0.1
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 0.0.0.
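The acceptance rules spelled out above (a default peer's sources skip the RPF check as long as the originating RP is permitted by that peer's ACL, everything else is peer-RPF checked, and an inbound (S,G) filter can still push an entry into the rejected-SA cache) are easy to get wrong when combined. The following Python is an added example that models them, not Dell EMC Networking OS code: the class and function names, the first-match ACL evaluation with implicit deny, and the `Sa-Filter` reason label are assumptions of the model; only `Rpf-Fail`, `myremotefilter` and the addresses are taken from the examples on this page.

```python
"""Model of how an MSDP speaker decides whether to cache an incoming
Source-Active (S,G) entry, following the rules described in this section.
Added example for illustration, not Dell EMC Networking OS code.
Assumptions (not from the page): ACLs are evaluated first-match with an
implicit deny, and a filtered entry is labelled "Sa-Filter"."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SA:
    source: str        # S
    group: str         # G
    rp: str            # originating RP carried in the SA
    learned_from: str  # peer that sent us the SA


@dataclass
class AclEntry:
    """One line of an extended ACL matched on (S, G)."""
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"      # prefix matched against S
    dst: str = "0.0.0.0/0"      # prefix matched against G

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for entry in acl:
        if entry.matches(src, dst):
            return entry.action == "permit"
    return False


@dataclass
class MsdpSpeaker:
    # RP address -> the peer from which SAs for that RP must arrive (RPF peer)
    rpf_peer_for_rp: Dict[str, str] = field(default_factory=dict)
    # default peer -> prefixes of originating RPs accepted without RPF
    # (None means every RP that peer advertises is accepted)
    default_peers: Dict[str, Optional[List[str]]] = field(default_factory=dict)
    # peer -> inbound (S,G) filter applied before caching
    sa_filter_in: Dict[str, List[AclEntry]] = field(default_factory=dict)
    sa_cache: List[SA] = field(default_factory=list)
    rejected: List[Tuple[SA, str]] = field(default_factory=list)

    def _rpf_ok(self, sa: SA) -> bool:
        if sa.learned_from in self.default_peers:
            permitted = self.default_peers[sa.learned_from]
            if permitted is None or any(
                    ip_address(sa.rp) in ip_network(p) for p in permitted):
                return True  # default peer: no RPF check for this RP
        # Everything else (including RPs the default-peer ACL denies)
        # gets the normal peer-RPF check.
        return self.rpf_peer_for_rp.get(sa.rp) == sa.learned_from

    def receive(self, sa: SA) -> str:
        """Process one SA; returns "cached" or the rejection reason."""
        if not self._rpf_ok(sa):
            return self._reject(sa, "Rpf-Fail")
        acl = self.sa_filter_in.get(sa.learned_from)
        if acl is not None and not acl_permits(acl, sa.source, sa.group):
            return self._reject(sa, "Sa-Filter")
        if sa not in self.sa_cache:
            self.sa_cache.append(sa)
        return "cached"

    def _reject(self, sa: SA, reason: str) -> str:
        self.rejected.append((sa, reason))   # what the rejected-SA cache holds
        return reason

    def rejected_summary(self) -> Dict[Tuple[str, str], int]:
        """Count rejections per (peer, reason), like the show output above."""
        counts: Dict[Tuple[str, str], int] = {}
        for sa, reason in self.rejected:
            key = (sa.learned_from, reason)
            counts[key] = counts.get(key, 0) + 1
        return counts


def build_r3() -> MsdpSpeaker:
    """R3 from the example: peer 192.168.0.1 is the RPF peer for RP 192.168.0.1
    and inbound filter 'myremotefilter' denies (10.11.4.2, 239.0.0.1)."""
    return MsdpSpeaker(
        rpf_peer_for_rp={"192.168.0.1": "192.168.0.1"},
        sa_filter_in={"192.168.0.1": [
            AclEntry("deny", "10.11.4.2/32", "239.0.0.1/32"),
            AclEntry("permit"),
        ]},
    )


if __name__ == "__main__":
    r3 = build_r3()
    print(r3.receive(SA("10.11.4.2", "239.0.0.1", "192.168.0.1", "192.168.0.1")))
    print(r3.receive(SA("24.0.50.64", "229.0.50.64", "200.0.1.50", "10.0.50.2")))
    r3.default_peers["10.0.50.2"] = None   # ip msdp default-peer 10.0.50.2
    print(r3.receive(SA("24.0.50.64", "229.0.50.64", "200.0.1.50", "10.0.50.2")))
    print(r3.rejected_summary())
```

The third call shows why a default peer is a trust decision: once 10.0.50.2 is a default peer with no ACL, the same SAs that were rejected as Rpf-Fail in the show output above are cached unconditionally, so scope the default-peer ACL to the RPs you actually expect from that peer.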
Anycast RP relieves these limitations by allowing multiple RPs per group, which can be distributed in a topologically significant manner according to the locations of the sources and receivers. 1. All the RPs serving a given group are configured with an identical anycast address. 2. Sources then register with the topologically closest RP. 3. RPs use MSDP to peer with each other using a unique address. Figure 96.
4. Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source.
CONFIGURATION mode
ip msdp peer
5. Advertise the network of each of the unique Loopback addresses throughout the network.
ROUTER OSPF mode
network
Reducing Source-Active Message Flooding
RPs flood source-active messages to all of their peers away from the RP.
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 1
ip msdp peer 192.168.0.22 connect-source Loopback 1
ip msdp mesh-group AS100 192.168.0.22
ip msdp originator-id Loopback 1
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
The following example shows an R2 configuration for MSDP with Anycast RP.
ip multicast-routing
!
interface TenGigabitEthernet 1/1/3/1
ip pim sparse-mode
ip address 10.11.4.
ip address 10.11.6.34/24
no shutdown
!
interface Loopback 0
ip pim sparse-mode
ip address 192.168.0.3/32
no shutdown
!
router ospf 1
network 10.11.6.0/24 area 0
network 192.168.0.3/32 area 0
redistribute static
redistribute connected
redistribute bgp 200
!
router bgp 200
redistribute ospf 1
neighbor 192.168.0.22 remote-as 100
neighbor 192.168.0.22 ebgp-multihop 255
neighbor 192.168.0.22 update-source Loopback 0
neighbor 192.168.0.22 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
MSDP Sample Configuration: R2 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 1/1/1/1
ip pim sparse-mode
ip address 10.11.4.1/24
no shutdown
!
interface TenGigabitEthernet 1/1/1/2
ip pim sparse-mode
ip address 10.11.1.21/24
no shutdown
!
interface TenGigabitEthernet 1/1/1/3
ip pim sparse-mode
ip address 10.11.0.23/24
no shutdown
!
interface Loopback 0
ip address 192.168.0.2/32
no shutdown
!
router ospf 1
network 10.11.1.
redistribute connected
redistribute bgp 200
!
router bgp 200
redistribute ospf 1
neighbor 192.168.0.2 remote-as 100
neighbor 192.168.0.2 ebgp-multihop 255
neighbor 192.168.0.2 update-source Loopback 0
neighbor 192.168.0.2 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.1 connect-source Loopback 0
!
ip route 192.168.0.2/32 10.11.0.23
MSDP Sample Configuration: R4 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 1/1/1/1
ip pim sparse-mode
ip address 10.11.5.
31 Multicast Listener Discovery Protocol
Dell Networking OS supports the Multicast Listener Discovery (MLD) protocol. Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
Joining a Multicast Group The Querier periodically sends a General Query to the all-nodes multicast address FF02::1. A host that wants to join a multicast group responds to the general query with a report that contains the group address; the report is also addressed to the group (in the IPv6 Destination Address field). To avoid duplicate reporting, any host that hears a report from another host for the same group in which it itself is interested cancels its report for that group.
[Packet-format diagram, continued: Source Address [2] through Source Address [N]; diagram not reproduced]
Version 2 multicast listener reports are sent by IP nodes to report (to neighboring routers) the current multicast listening state, or changes in the multicast listening state, of their interfaces.
[Packet-format diagram of the Multicast Address Record: Source Address [1] through Source Address [N], followed by Auxiliary Data; diagram not reproduced]
report when the timer expires. Increasing this value spreads host responses over a greater period of time, and so reduces response burstiness.
To adjust the query response time, use the following command:
INTERFACE Mode
ipv6 mld query-max-resp-time
Configuring MLD Version
To configure the MLD version on the system, follow this procedure:
Select the MLD version
INTERFACE Mode
ipv6 mld version {1 | 2}
If you do not configure the MLD version, the system defaults to version 2.
retransmissions. Lowering the Last Listener Query Interval reduces the time to detect that there are no remaining receivers for a group, and so can reduce the amount of unnecessarily forwarded traffic.
To adjust the last-member query interval, use the following command:
INTERFACE Mode
ipv6 mld last-member-query-interval
Displaying MLD groups table
Display MLD groups. Group information can be filtered.
Enable MLD Snooping
MLD is automatically enabled when you enable IPv6 PIM, but MLD snooping must be explicitly enabled. To enable MLD snooping, use the following command:
CONFIGURATION Mode
ipv6 mld snooping enable
Disable MLD Snooping
When MLD is enabled globally, it is by default enabled on all the VLANs.
2. To display the MLD explicit-tracking table, use the following command.
EXEC Privilege
show ipv6 mld snooping groups explicit
Display the MLD Snooping Table
1. To display the MLD snooping table, use the following command:
EXEC Privilege
show ipv6 mroute snooping vlan
2.
32 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview MSTP — specified in IEEE 802.
• Modifying Global Parameters
• Modifying the Interface Parameters
• Setting STP path cost as constant
• Configuring an EdgePort
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations
Spanning Tree Variations
The Dell EMC Networking OS supports four variations of spanning tree, as shown in the following table.
Table 62. Spanning Tree Variations
Dell EMC Networking Term          IEEE Specification
Spanning Tree Protocol (STP)      802 .
● Enabling SNMP Traps for Root Elections and Topology Changes ● Configuring Spanning Trees as Hitless Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0. ● Within an MSTI, only one path from any bridge to any other bridge is enabled.
no disable
MSTI 1 VLAN 100
MSTI 2 VLAN 200-300
All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
For a bridge to be in the same MSTP region as another, all three of these qualities must match exactly. The default values for the name and revision number must match on all Dell EMC Networking OS devices. If there are non-Dell devices that participate in MSTP, ensure these values match on all devices. NOTE: Some non-Dell devices may implement a non-null default region name. SFTOS, for example, uses the Bridge ID, while others may use a MAC address.
The default is 2 seconds.
3. Change the max-age parameter.
PROTOCOL MSTP mode
max-age seconds
The range is from 6 to 40. The default is 20 seconds.
4. Change the max-hops parameter.
PROTOCOL MSTP mode
max-hops number
The range is from 1 to 40. The default is 20.
To view the current values for MSTP parameters, use the show running-config spanning-tree mstp command from EXEC privilege mode.
Table 63. Default Values for Port Costs by Interface (continued)
Port Cost                                              Default Value
Port Channel with 100-Gigabit Ethernet interfaces      100
To change the port cost or priority of an interface, use the following commands.
1. Change the port cost of an interface.
INTERFACE mode
spanning-tree msti number cost cost
The range is from 0 to 200000. For the default, refer to the default values shown in the table.
2. Change the port priority of an interface.
○ When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware. ○ When you remove a physical port from a port channel in the Error Disable state, the error disabled state is cleared on this physical port (the physical port is enabled in the hardware). ○ You can clear the Error Disabled state with any of the following methods: ■ ■ ■ ■ Use the shutdown command on the interface.
Figure 98. MSTP with Three VLANs Mapped to Two Spanning Tree Instances
Router 1 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
Router 2 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
Router 3 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3.
Debugging and Verifying MSTP Configurations
To debug and verify MSTP configuration, use the following commands.
● Display BPDUs.
EXEC Privilege mode
debug spanning-tree mstp bpdu
● Display MSTP-triggered topology change messages.
EXEC Privilege mode
debug spanning-tree mstp events
To ensure all the necessary parameters match (region name, region revision, and VLAN-to-instance mapping), examine your individual routers. To show various portions of the MSTP configuration, use the show spanning-tree mst commands.
Regional Bridge Id: 32768:0001.e806.953e, CIST Port Id: 128:470
Msg Age: 0, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96
Name: Tahiti, Rev: 123 (MSTP region name and revision), Int Root Path Cost: 0
Rem Hops: 19, Bridge Id: 32768:0001.e8d5.cbbd
4w0d4h : INST 1 (MSTP Instance):
Flags: 0x78, Reg Root: 32768:0001.e806.953e, Int Root Cost: 0
Brg/Port Prio: 32768/128, Rem Hops: 19
INST 2 (MSTP Instance):
Flags: 0x78, Reg Root: 32768:0001.e806.
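The region rule stated earlier (name, revision and VLAN-to-instance mapping must match exactly) and the verification advice in the debugging section can be checked offline: IEEE 802.1Q does not compare the mapping entry by entry but carries an HMAC-MD5 digest of the 4096-entry VLAN-to-instance table, computed with a fixed key, in the MST Configuration Identifier of every BPDU. The following Python is an added example, not Dell EMC Networking OS code; it recomputes that digest from a mapping such as the "MSTI 1 VLAN 100, MSTI 2 VLAN 200-300" example and the Tahiti/123 region in the debug output above, and shows that a single missing VLAN on one bridge puts it in a different region. The function names are ours.

```python
"""MST Configuration Identifier: the three values that must match for two
bridges to be in the same MSTP region. IEEE 802.1Q represents the
VLAN-to-instance mapping as an HMAC-MD5 digest of a 4096-entry table,
computed with a fixed key, and carries that digest in BPDUs.
Added example, not Dell EMC Networking OS code; function names are ours."""
import hashlib
import hmac
from typing import Dict, Iterable, Tuple

# Key specified by IEEE 802.1Q for the MST Configuration Digest
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

RegionId = Tuple[str, int, str]   # (name, revision, digest as upper-case hex)


def vlan_to_instance_table(mapping: Dict[int, Iterable[int]]) -> bytes:
    """Build the table of 4096 big-endian 16-bit MSTIDs indexed by VID.
    VIDs that are not mapped stay in MSTI 0 (the CIST); VID 0 and 4095 are
    reserved and always 0."""
    table = [0] * 4096
    for msti, vids in mapping.items():
        if not 1 <= msti <= 4094:
            raise ValueError(f"MSTI {msti} out of range")
        for vid in vids:
            if not 1 <= vid <= 4094:
                raise ValueError(f"VID {vid} out of range")
            if table[vid] not in (0, msti):
                raise ValueError(f"VID {vid} mapped to two instances")
            table[vid] = msti
    return b"".join(v.to_bytes(2, "big") for v in table)


def config_digest(mapping: Dict[int, Iterable[int]]) -> str:
    """HMAC-MD5 over the table; identical mappings give identical digests
    regardless of the order in which VLANs were configured."""
    return hmac.new(MST_DIGEST_KEY, vlan_to_instance_table(mapping),
                    hashlib.md5).hexdigest().upper()


def region_id(name: str, revision: int,
              mapping: Dict[int, Iterable[int]]) -> RegionId:
    if len(name.encode("utf-8")) > 32:
        raise ValueError("region name is at most 32 octets")
    if not 0 <= revision <= 65535:
        raise ValueError("revision is a 16-bit value")
    return (name, revision, config_digest(mapping))


def same_region(a: RegionId, b: RegionId) -> bool:
    """All three fields must match exactly, as the text above states."""
    return a == b


if __name__ == "__main__":
    mapping = {1: [100], 2: range(200, 301)}       # MSTI 1 VLAN 100, MSTI 2 VLAN 200-300
    print("all VLANs in CIST:", config_digest({}))
    print("Tahiti/123:", region_id("Tahiti", 123, mapping))
    # A bridge that forgot VLAN 300 in MSTI 2 ends up in its own region
    print(same_region(region_id("Tahiti", 123, mapping),
                      region_id("Tahiti", 123, {1: [100], 2: range(200, 300)})))
```

Because the digest is keyed with a published constant, it is an integrity check against misconfiguration, not an authentication mechanism: any device on the segment can produce a matching MST Configuration Identifier and join the region, which is why edge ports facing untrusted hosts should not participate in the spanning tree.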
33 Multicast Features NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6. NOTE: Multicast routing is supported across default and non-default virtual routing and forwarding (VRFs).
Protocol   Ethernet Address
RIP        01:00:5e:00:00:09
NTP        01:00:5e:00:01:01
VRRP       01:00:5e:00:00:12
PIM-SM     01:00:5e:00:00:0d
● The Dell EMC Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm.
● Multicast is not supported on secondary IP addresses.
● If you enable multicast routing, egress Layer 3 ACL is not applied to multicast data traffic.
● Multicast traffic can be forwarded to a maximum of 15 VLANs with the same outgoing interface.
● Limit the total number of multicast routes on the system. CONFIGURATION mode ip multicast-limit The range is from 1 to . The default is 4000. NOTE: The IN-L3-McastFib CAM partition stores multicast routes and is a separate hardware limit that exists per portpipe. Any software-configured limit may supersede this hardware space limitation. The opposite is also true, the CAM partition might not be exhausted at the time the system-wide route limit is reached using the ip multicast-limit command.
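The protocol-to-Ethernet-address table earlier in this section lists the MAC addresses that well-known IPv4 groups map to. The mapping is mechanical, and it also applies to the IPv6 groups that MLD uses (FF02::1 in the previous chapter). The following Python is an added example, not code from this guide; it derives the MAC for any IPv4 or IPv6 group and enumerates the 32 IPv4 groups that share one MAC, which is the reason a MAC-based filter or snooping entry cannot tell those groups apart. The function names are ours.

```python
"""Map a multicast group to the Ethernet destination MAC it is carried in.
Added example, not code from the Dell guide; function names are ours.
IPv4 (RFC 1112): 01:00:5e followed by the low 23 bits of the group address.
IPv6 (RFC 2464): 33:33 followed by the low 32 bits of the group address."""
from ipaddress import IPv4Address, ip_address
from typing import List


def multicast_mac(group: str) -> str:
    """Return the Ethernet multicast MAC for an IPv4 or IPv6 group."""
    addr = ip_address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    if isinstance(addr, IPv4Address):
        low = int(addr) & 0x7FFFFF            # 23 bits survive; 5 bits are lost
        octets = (0x01, 0x00, 0x5E, low >> 16, (low >> 8) & 0xFF, low & 0xFF)
    else:
        low = int(addr) & 0xFFFFFFFF          # 32 bits survive; 80 bits are lost
        octets = (0x33, 0x33, low >> 24, (low >> 16) & 0xFF,
                  (low >> 8) & 0xFF, low & 0xFF)
    return ":".join(f"{o:02x}" for o in octets)


def ipv4_groups_sharing_mac(group: str) -> List[str]:
    """The 32 IPv4 groups that collide on the same MAC as `group`: every
    value of the five address bits (bits 23..27) the MAC does not carry."""
    addr = ip_address(group)
    if not (isinstance(addr, IPv4Address) and addr.is_multicast):
        raise ValueError(f"{group} is not an IPv4 multicast address")
    base = int(addr) & ~(0x1F << 23)
    return [str(IPv4Address(base | (k << 23))) for k in range(32)]


def same_mac(group_a: str, group_b: str) -> bool:
    """True when frames for both groups are indistinguishable at Layer 2."""
    return multicast_mac(group_a) == multicast_mac(group_b)


if __name__ == "__main__":
    for name, group in (("RIP", "224.0.0.9"), ("NTP", "224.0.1.1"),
                        ("VRRP", "224.0.0.18"), ("PIM-SM", "224.0.0.13"),
                        ("MLD all-nodes", "ff02::1")):
        print(f"{name:14} {group:12} -> {multicast_mac(group)}")
    # 224.0.0.18 (VRRP) shares its MAC with 31 other groups, e.g.:
    print(ipv4_groups_sharing_mac("224.0.0.18")[:4])
```

A practical consequence for filtering: a MAC ACL or a snooping entry for 01:00:5e:00:00:12 (VRRP) also matches 225.0.0.18, 239.128.0.18 and the other colliding groups, so group-level restrictions such as the IGMP and PIM examples that follow must be enforced on the IP group, not on the MAC.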
Figure 99. Preventing a Host from Joining a Group
The following table lists the location and description shown in the previous illustration.
Table 64. Preventing a Host from Joining a Group — Description
Location   Description
1/21/1     ● Interface TenGigabitEthernet 1/21/1
           ● ip pim sparse-mode
           ● ip address 10.11.12.1/24
           ● no shutdown
1/31/1     ● Interface TenGigabitEthernet 1/21/1
           ● ip pim sparse-mode
           ● ip address 10.11.13.
Table 64. Preventing a Host from Joining a Group — Description (continued)
Location   Description
2/11/1     ● Interface TenGigabitEthernet 1/21/1
           ● ip pim sparse-mode
           ● ip address 10.11.12.2/24
           ● no shutdown
2/31/1     ● Interface TenGigabitEthernet 1/21/1
           ● ip pim sparse-mode
           ● ip address 10.11.23.1/24
           ● no shutdown
3/1/1      ● Interface TenGigabitEthernet 1/21/1
           ● ip pim sparse-mode
           ● ip address 10.11.5.1/24
           ● no shutdown
3/11/1     ● Interface TenGigabitEthernet 1/21/1
           ● ip pim sparse-mode
           ● ip address 10.
Initially, PIM-SM uses a single tree, called a shared tree, to distribute traffic. It is called shared because all traffic for the group, regardless of the source or the location of the source, must pass through the RP. The shared tree is unidirectional; that is, all multicast traffic flows only from the RP to the receivers. Once a receiver receives traffic from the RP, PIM-SM switches to the SPT to forward multicast traffic, which connects the receiver directly to the source.
Figure 100. Preventing a Source from Transmitting to a Group
The following table lists the location and description shown in the previous illustration.
Table 66. Preventing a Source from Transmitting to a Group — Description
Location   Description
1/21/1     ● Interface TenGigabitEthernet 1/1/1/1
           ● ip pim sparse-mode
           ● ip address 10.11.12.1/24
           ● no shutdown
1/31/1     ● Interface TenGigabitEthernet 1/1/1/2
           ● ip pim sparse-mode
           ● ip address 10.11.13.
Table 66. Preventing a Source from Transmitting to a Group — Description (continued)
Location   Description
2/11/1     ● Interface TenGigabitEthernet 1/1/1/4
           ● ip pim sparse-mode
           ● ip address 10.11.12.2/24
           ● no shutdown
2/31/1     ● Interface TenGigabitEthernet 1/1/2/1
           ● ip pim sparse-mode
           ● ip address 10.11.23.1/24
           ● no shutdown
3/1/1      ● Interface TenGigabitEthernet 1/1/2/2
           ● ip pim sparse-mode
           ● ip address 10.11.5.
Understanding Multicast Traceroute (mtrace)
Multicast Traceroute (mtrace) is a multicast diagnostic facility used for tracing multicast paths. Mtrace enables you to trace the path that a multicast packet takes from its source to the destination. When you initiate mtrace from a source to a destination, an mtrace Query packet with IGMP type 0x1F is sent to the last-hop multicast router for the given destination. The mtrace query packet is forwarded hop-by-hop until it reaches the last-hop router.
● MTRACE Transit — when a Dell EMC Networking system is an intermediate router between the source and destination in an MTRACE query, Dell EMC Networking OS computes the RPF neighbor for the source, fills in the request, and forwards the request to the RPF neighbor. When a Dell EMC Networking system is the last hop to the destination, Dell EMC Networking OS sends a response to the query. To print the network path, use the following command.
Table 67. mtrace Command Output — Explained (continued) Command Output Description From source (?) to destination (?) In case the provided source or destination IP can be resolved to a hostname the corresponding name will be displayed. In cases where the IP cannot be resolved, it is displayed as (?) 0 1.1.1.1 --> Destination The first row in the table corresponds to the destination provided by the user. -1 1.1.1.1 PIM Reached RP/Core 103.103.103.
Table 68. Supported Error Codes (continued) Error Code Error Name Description 0x81 NO_SPACE There is not enough room to insert another response data block in the packet. mtrace Scenarios This section describes various scenarios that may result when an mtrace command is issued. The following table describes various scenarios when the mtrace command is issued: Table 69.
Table 69. Mtrace Scenarios (continued)
Scenario: You invoke a weak mtrace request by specifying only the source without specifying the multicast tree or multicast group information for the source. Mtrace traces a path towards the source by using the RPF neighbor at each node.
Output:
R1>mtrace 103.103.103.3
Type Ctrl-C to abort.
Querying reverse path for source 103.103.103.
Table 69. Mtrace Scenarios (continued)
Scenario: When you issue the mtrace command with the source and multicast group information, if a multicast route is not present on a particular node, then the NO ROUTE error code is displayed on the node. In this scenario, the Source Network/Mask column for that particular node displays the value as default.
Table 69. Mtrace Scenarios (continued) Scenario Output ----------------------------------------------------------------- If the destination provided in the command is not a valid receiver for the multicast group, the last hop router for the destination provides the WRONG LAST HOP error code. If the last-hop router contains a path to the source, the path is traced irrespective of the incorrect destination.
Table 69. Mtrace Scenarios (continued)
Scenario / Output
 0   1.1.1.1   --> Destination
-1   * * * *
-----------------------------------------------------------------
Timed out receiving responses
Perhaps no local router has a route for source, the receiver is not a member of the multicast group or the multicast ttl is too low.
Scenario: While traversing the path from source to destination, if the mtrace packet exhausts the maximum buffer size of the packet, then the NO SPACE error is displayed in the output.
Table 69. Mtrace Scenarios (continued)
Scenario / Output
Querying reverse path for source 6.6.6.6 to destination 4.4.4.5 via RPF
From source (?) to destination (?)
----------------------------------------------------------------
|Hop| OIF IP      |Proto| Forwarding Code | Source Network/Mask |
----------------------------------------------------------------
 0   4.4.4.5       --> Destination
-1   4.4.4.4       PIM                     6.6.6.0/24
-2   20.20.20.2    PIM                     6.6.6.0/24
-3   10.10.10.1    PIM   RPF Interface     6.6.6.
34 Object Tracking IPv4 or IPv6 object tracking is available on Dell EMC Networking OS. Object tracking allows the Dell EMC Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell EMC Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 101. Object Tracking Example
When you configure a tracked object, such as an IPv4/IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
● UP and DOWN thresholds used to report changes in a route metric.
● A time delay before changes in a tracked object’s state are reported to a client.
Track Layer 2 Interfaces
You can create an object to track the line-protocol state of a Layer 2 interface.
Track IPv4 and IPv6 Routes You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4 or IPv6 address and prefix-length. Optionally specify a tracked route by a virtual routing and forwarding (VRF) instance name if the route to be tracked is part of a VRF. The next-hop address is not part of the definition of the tracked object.
Set Tracking Delays You can configure an optional UP and/or DOWN timer for each tracked object to set the time delay before a change in the state of a tracked object is communicated to clients. The configured time delay starts when the state changes from UP to DOWN or the opposite way. If the state of an object changes back to its former UP/DOWN state before the timer expires, the timer is cancelled and the client is not notified.
OBJECT TRACKING mode delay {[up seconds] [down seconds]} Valid delay times are from 0 to 180 seconds. The default is 0. 3. (Optional) Identify the tracked object with a text description. OBJECT TRACKING mode description text The text string can be up to 80 characters. 4. (Optional) Display the tracking configuration and the tracked object’s status.
To provide a common tracking interface for different clients, route metrics are scaled in the range from 0 to 255, where 0 is connected and 255 is inaccessible. The scaled metric value communicated to a client always considers a lower value to have priority over a higher value.
IP route 10.0.0.0/8 reachability
Reachability is Down (route not in route table)
2 changes, last change 00:02:49
Tracked by:
DellEMC#configure
DellEMC(conf)#track 4 ip route 3.1.1.
● OSPF routes - 1 to 1592. The default is 1.
2. Configure object tracking on the metric of an IPv4 or IPv6 route.
CONFIGURATION mode
track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} metric threshold [vrf vrf-name]
Valid object IDs are from 1 to 500. Enter an IPv4 address in dotted decimal format. Valid IPv4 prefix lengths are from /0 to /32. Enter an IPv6 address in X:X:X:X::X format. Valid IPv6 prefix lengths are from /0 to /128.
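The delay-timer rule in "Set Tracking Delays" (a state change that reverses before the timer expires is never reported) and the metric scaling and thresholds described above interact, and the interaction is easiest to see by running samples through a model. The following Python is an added example, not Dell EMC Networking OS code. Its assumptions, which the page does not state, are marked in the comments: the scaled metric is the raw metric divided by the per-protocol resolution, rounded up and capped at 255; an object is UP when its scaled metric is at or below the UP threshold and DOWN when at or above the DOWN threshold, and keeps its state in between; the default thresholds are 254 (UP) and 255 (DOWN). The class and function names are ours.

```python
"""Model of object tracking on a route metric: per-protocol scaling onto the
0..255 range, UP/DOWN thresholds, and the UP/DOWN delay timers that suppress
notifications when a state change reverses before the timer expires.
Added example, not Dell EMC Networking OS code. Assumptions not on the page:
scaled = ceil(metric / resolution) capped at 255; UP when scaled <= up
threshold, DOWN when scaled >= down threshold, unchanged in between;
default thresholds 254 (up) and 255 (down)."""
from typing import List, Optional, Tuple

CONNECTED = 0       # scaled value of a connected route
INACCESSIBLE = 255  # scaled value of a route that is absent


def scale_metric(metric: Optional[int], resolution: int = 1) -> int:
    """Map a raw route metric onto the common 0..255 tracking scale.
    None models a route that is not in the routing table."""
    if resolution < 1:
        raise ValueError("resolution must be >= 1")
    if metric is None:
        return INACCESSIBLE
    if metric < 0:
        raise ValueError("metric must be >= 0")
    if metric == 0:
        return CONNECTED
    return min(INACCESSIBLE, -(-metric // resolution))  # ceil division


class TrackedRoute:
    """One tracked object. Times are seconds on any monotonic clock."""

    def __init__(self, up_threshold: int = 254, down_threshold: int = 255,
                 delay_up: int = 0, delay_down: int = 0, resolution: int = 1):
        if not 0 <= up_threshold < down_threshold <= 255:
            raise ValueError("need 0 <= up threshold < down threshold <= 255")
        for d in (delay_up, delay_down):
            if not 0 <= d <= 180:                 # range given on the page
                raise ValueError("delay must be 0..180 seconds")
        self.up_threshold, self.down_threshold = up_threshold, down_threshold
        self.delay = {"UP": delay_up, "DOWN": delay_down}
        self.resolution = resolution
        self.state = "DOWN"                       # nothing learned yet
        self.pending: Optional[Tuple[str, int]] = None  # (new state, fire time)
        self.notifications: List[Tuple[int, str]] = []  # what clients see

    def _evaluate(self, scaled: int) -> str:
        if scaled <= self.up_threshold:
            return "UP"
        if scaled >= self.down_threshold:
            return "DOWN"
        return self.state                         # hysteresis band: no change

    def advance(self, now: int) -> None:
        """Fire a pending delay timer whose time has come."""
        if self.pending is not None and now >= self.pending[1]:
            new_state, fire_at = self.pending
            self.pending = None
            self._commit(fire_at, new_state)

    def observe(self, now: int, metric: Optional[int]) -> None:
        """Feed a metric sample (None = route gone) observed at time `now`."""
        self.advance(now)
        new_state = self._evaluate(scale_metric(metric, self.resolution))
        if new_state == self.state:
            # Back to the former state before the timer expired: cancel it;
            # the client is never told about the flap.
            self.pending = None
            return
        delay = self.delay[new_state]
        if delay == 0:
            self._commit(now, new_state)
        elif self.pending is None:
            self.pending = (new_state, now + delay)
        # a timer already running toward new_state keeps its original deadline

    def _commit(self, at: int, new_state: str) -> None:
        self.state = new_state
        self.notifications.append((at, new_state))


def simulate(samples: List[Tuple[int, Optional[int]]], end: int,
             **kwargs) -> List[Tuple[int, str]]:
    """Run a sample sequence through a fresh tracked object and return the
    (time, state) notifications a client such as VRRP would have received."""
    obj = TrackedRoute(**kwargs)
    for now, metric in samples:
        obj.observe(now, metric)
    obj.advance(end)
    return obj.notifications


if __name__ == "__main__":
    # Route disappears at t=5 and is back at t=20; with a 30 s DOWN delay
    # VRRP never sees the flap.
    print(simulate([(0, 10), (5, None), (20, 10)], end=60, delay_down=30))
    # Same outage without a delay: two notifications and a needless failover.
    print(simulate([(0, 10), (5, None), (20, 10)], end=60))
```

The first run in the usage block is the case the page warns about: a short outage within the delay window is absorbed, while the second run shows the failover and fail-back a VRRP client would have performed without it. Choose the DOWN delay from the expected convergence time of the routing protocol carrying the tracked route, not from a guess.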
Displaying Tracked Objects To display the currently configured objects used to track Layer 2 and Layer 3 interfaces, and IPv4 and IPv6 routes, use the following show commands. To display the configuration and status of currently tracked Layer 2 or Layer 3 interfaces, IPv4 or IPv6 routes, or a VRF instance, use the show track command. You can also display the currently configured per-protocol resolution values used to scale route metrics when tracking metric thresholds.
Example of the show track vrf Command
DellEMC#show track vrf red
Track 5
IP route 192.168.0.0/24 reachability, Vrf: red
Reachability is Up (CONNECTED)
3 changes, last change 00:02:39
First-hop interface is TenGigabitEthernet 1/1/4/1
Example of Viewing Object Tracking Configuration
DellEMC#show running-config track
track 1 ip route 23.0.0.
35 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell EMC Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell EMC Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 102. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers. NOTE: If you configure two non-backbone areas, then you must enable the B bit in OSPF.
Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
● Type 3: Summary LSA (OSPFv2), Inter-Area-Prefix LSA (OSPFv3) — An ABR takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to. The link-state ID of the Type 3 LSA is the destination network number. ● Type 4: AS Border Router Summary LSA (OSPFv2), Inter-Area-Router LSA (OSPFv3) — In some cases, Type 5 External LSAs are flooded to areas where the detailed next-hop information may not be available.
Figure 104. Priority and Cost Examples OSPF with Dell EMC Networking OS The Dell EMC Networking OS supports up to 128,000 OSPF routes for OSPFv2. Dell EMC Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell EMC Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell EMC Networking OS supports only one OSPFv3 process per VRF. OSPFv2 and OSPFv3 can co-exist but you must configure them individually.
OSPF graceful restart relies on the separation of the control plane and the data plane in a modern router: restarting the control plane (for example, failing over from the active RPM to the backup in a redundant configuration) does not necessarily have to interrupt the forwarding of data packets.
Multi-Process OSPFv2 with VRF Multi-process OSPF with VRF is supported on the Dell EMC Networking OS. Only one OSPFv2 process per VRF is supported. Multi-process OSPF allows multiple OSPFv2 processes on a single router. Multiple OSPFv2 processes allow for isolating routing domains, supporting multiple route policies and priorities in different domains, and creating smaller domains for easier management. Each OSPFv2 process has a unique process ID and must have an associated router ID.
LSType:Type-5 AS External(5)
Age:1 Seq:0x8000000c id:170.1.2.0 Adv:6.1.0.0
Netmask:255.255.255.0 fwd:0.0.0.0 E2, tos:0 metric:0
RFC 2328 is supported by default on Dell EMC Networking OS and it is indicated in the show ip ospf command output.
DellEMC#show ip ospf
Routing Process ospf 1 with ID 2.2.2.
Configuration Information
The interfaces must be in Layer 3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode.
NOTE: Loopback routes are not installed in the Route Table Manager (RTM) as non-active routes.
Enabling OSPFv2 To enable Layer 3 routing, assign an IP address to an interface (physical or Loopback). By default, OSPF, similar to all routing protocols, is disabled. You must configure at least one interface for Layer 3 before enabling OSPFv2 globally. If implementing multi-process OSPF, create an equal number of Layer 3 enabled interfaces and OSPF process IDs. For example, if you create four OSPFv2 process IDs, you must have four interfaces with Layer 3 enabled. 1. Assign an IP address to an interface.
Supports only single TOS (TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Number of area in this router is 0, normal 0 stub 0 nssa 0
DellEMC#
Assigning an OSPFv2 Area
After you enable OSPFv2, assign the interface to an OSPF area. Set up OSPF areas and enable OSPFv2 on an interface with the network command. You must have at least one AS area: Area 0. This is the backbone area. If your OSPF network contains more than one area, configure a backbone area (Area ID 0.0.0.0).
To view currently active interfaces and the areas assigned to them, use the show ip ospf interface command.
Example of Viewing Active Interfaces and Assigned Areas
DellEMC>show ip ospf 1 interface
TenGigabitEthernet 1/1/1/2 is up, line protocol is up
Internet Address 10.2.2.1/24, Area 0.0.0.0
Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 11.1.2.1, Interface address 10.2.2.1
Backup Designated Router (ID) 0.0.0.
configure
3. Enter ROUTER OSPF mode.
CONFIGURATION mode
router ospf process-id [vrf]
Process ID is the ID assigned when configuring OSPFv2 globally.
4. Configure the area as a stub area.
CONFIG-ROUTER-OSPF-id mode
area area-id stub [no-summary]
Use the keywords no-summary to prevent transmission into the area of summary ASBR LSAs. Area ID is the number or IP address assigned when creating the area.
When you configure a passive interface, the show ip ospf process-id interface command adds the words passive interface to indicate that hello packets are not transmitted on that interface.
DellEMC#show ip ospf 34 int
TenGigabitEthernet 1/1/1/1 is up, line protocol is down
Internet Address 10.1.2.100/24, Area 1.1.1.1
Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DOWN, Priority 1
Designated Router (ID) 10.1.2.100, Interface address 0.
The following example shows how to disable fast-convergence.
DellEMC(conf-router_ospf-1)#no fast-converge
DellEMC(conf-router_ospf-1)#ex
DellEMC(conf)#ex
DellEMC#show ip ospf 1
Routing Process ospf 1 with ID 192.168.67.
● Change the retransmission interval between LSAs.
CONFIG-INTERFACE mode
ip ospf retransmit-interval seconds
○ seconds: the range is from 1 to 65535 (the default is 5 seconds). The retransmit interval must be the same on all routers in the OSPF network.
● Change the wait period between link state update packets sent out the interface.
CONFIG-INTERFACE mode
ip ospf transmit-delay seconds
○ seconds: the range is from 1 to 65535 (the default is 1 second).
Enabling OSPFv2 Graceful Restart Graceful restart is enabled for the global OSPF process. The Dell EMC Networking implementation of OSPFv2 graceful restart enables you to specify: ● grace period — the length of time the graceful restart process can last before OSPF terminates it. ● helper-reject neighbors — the router ID of each restart router that does not receive assistance from the configured router. ● mode — the situation or situations that trigger a graceful restart.
graceful-restart helper-reject 10.1.1.1
graceful-restart helper-reject 20.1.1.1
network 10.0.2.0/24 area 0
DellEMC#
Creating Filter Routes
To filter routes, use prefix lists. OSPF applies prefix lists to incoming or outgoing routes. Incoming routes must meet the conditions of the prefix lists; if they do not, OSPF does not add the route to the routing table. Configure the prefix list in CONFIGURATION PREFIX LIST mode before assigning it to the OSPF process.
To view the current OSPF configuration, use the show running-config ospf command in EXEC mode or the show config command in ROUTER OSPF mode.
DellEMC(conf-router_ospf)#show config
!
router ospf 34
network 10.1.2.32 0.0.0.255 area 2.2.2.2
network 10.1.3.24 0.0.0.255 area 3.3.3.3
distribute-list dilling in
DellEMC(conf-router_ospf)#
Troubleshooting OSPFv2
Use the information in this section to troubleshoot OSPFv2 operation on the switch.
○ event: view OSPF event messages.
○ packet: view OSPF packet information.
○ spf: view SPF information.
○ database-timers rate-limit: view the LSAs currently in the queue.
DellEMC#show run ospf
!
router ospf 4
router-id 4.4.4.4
network 4.4.4.0/28 area 1
!
ipv6 router ospf 999
default-information originate always
router-id 10.10.10.10
DellEMC#
Sample Configurations for OSPFv2
The following configurations are examples for enabling OSPFv2. These examples are not comprehensive directions.
no shutdown ! interface Loopback 10 ip address 192.168.10.100/24 no shutdown OSPF Area 0 — Te 3/1 and 3/2 router ospf 33333 network 192.168.20.0/24 area 0 network 10.1.1.0/24 area 0 network 10.2.13.0/24 area 0 ! interface Loopback 30 ip address 192.168.20.100/24 no shutdown ! interface TenGigabitEthernet 1/1/3/1 ip address 10.1.13.3/24 no shutdown ! interface TenGigabitEthernet 1/1/3/2 ip address 10.2.13.3/24 no shutdown OSPF Area 0 — Te 2/1 and 2/2 router ospf 22222 network 192.168.30.
2. No-redistribute – To restrict Type-7 LSAs — When the NSSA ASBR is also an ABR, redistributed external routes need not be translated from Type-7 to Type-5 LSAs. The ABR directly injects external routes through Type-5 LSAs into the OSPF domain. It does not send Type-7 LSAs into the NSSA area. 3. No-summary – To act as a totally stubby area — An NSSA area can be converted into a totally stubby area to reduce the number of Type-3 LSAs.
Assigning IPv6 Addresses on an Interface To assign IPv6 addresses to an interface, use the following commands. 1. Assign an IPv6 address to the interface. CONF-INT-type slot/port mode ipv6 address ipv6 address IPv6 addresses are normally written as eight groups of four hexadecimal digits; separate each group by a colon (:). The format is A:B:C::F/128. 2. Bring up the interface.
Assigning OSPFv3 Process ID and Router ID to a VRF To assign, disable, or reset OSPFv3 on a non-default VRF, use the following commands. ● Enable the OSPFv3 process on a non-default VRF and enter OSPFv3 mode. CONFIGURATION mode ipv6 router ospf {process ID} The process ID range is from 0 to 65535. ● Assign the router ID for this OSPFv3 process. CONF-IPV6-ROUTER-OSPF mode router-id {number} ○ number: the IPv4 address. The format is A.B.C.D.
Configuring Passive-Interface To suppress an interface's participation in OSPFv3, use the following command. This command stops the router from sending updates on that interface. ● Specify whether some or all of the interfaces are passive. CONF-IPV6-ROUTER-OSPF mode passive-interface {interface-type} Interface: identifies the specific interface that is passive. ○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the stack/slot/port/subport information.
○ metric metric-value: The range is from 0 to 4294967295. ○ metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2. ○ route-map map-name: enter a name of a configured route map. Applying cost for OSPFv3 Change in bandwidth directly affects the cost of OSPF routes. ● Explicitly specify the cost of sending a packet on an interface. INTERFACE mode ipv6 ospf interface-cost ○ interface-cost: The range is from 1 to 65535. Default cost is based on the bandwidth.
○ Planned-only: the OSPFv3 router supports graceful restart only for planned restarts. A planned restart is when you manually enter a redundancy force-failover rpm command to force the primary RPM over to the secondary RPM. During a planned restart, OSPFv3 sends out a Grace LSA before the system switches over to the secondary RPM. OSPFv3 is notified that a planned restart is happening. ○ Unplanned-only: the OSPFv3 router supports graceful-restart only for unplanned restarts.
Area 0 database summary
Type                        Count/Status
Brd Rtr Count               2
AS Bdr Rtr Count            2
LSA count                   12010
Summary LSAs                1
Rtr LSA Count               4
Net LSA Count               3
Inter Area Pfx LSA Count    12000
Inter Area Rtr LSA Count    0
Group Mem LSA Count         0
The following example shows the show ipv6 ospf database grace-lsa command.
OSPFv3 Authentication Using IPsec: Configuration Notes OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552. ● To use IPsec, configure an authentication (using AH) or encryption (using ESP) security policy on an interface or in an OSPFv3 area. Each security policy consists of a security policy index (SPI) and the key used to validate OSPFv3 packets. After IPsec is configured for OSPFv3, IPsec operation is invisible to the user.
○ key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share key to exchange information. For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted). For SHA-1 authentication, the key must be 40 hex digits (non-encrypted) or 80 hex digits (encrypted). ● Remove an IPsec authentication policy from an interface.
Configuring IPSec Authentication for an OSPFv3 Area To configure, remove, or display IPSec authentication for an OSPFv3 area, use the following commands. Prerequisite: Before you enable IPsec authentication on an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)). The security policy index (SPI) value must be unique to one IPSec security policy (authentication or encryption) on the router.
○ key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information. The required lengths of a non-encrypted or encrypted key are: 3DES - 48 or 96 hex digits; DES - 16 or 32 hex digits; AES-CBC - 32 or 64 hex digits for AES-128 and 48 or 96 hex digits for AES-192. ○ key-encryption-type: (optional) specifies if the key is encrypted. Valid values: 0 (key is not encrypted) or 7 (key is encrypted).
Crypto IPSec client security policy data
Policy name : OSPFv3-1-500
Policy refcount : 2
Inbound AH SPI : 500 (0x1F4)
Outbound AH SPI : 500 (0x1F4)
Inbound AH Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Outbound AH Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Transform set : ah-md5-hmac
Crypto IPSec client security policy data
Policy name : OSPFv3-0-501
Policy refcount : 1
Inbound ESP SPI : 501 (0x1F5)
Outbound ESP SPI : 501 (0x1F5)
Inbound ESP Auth Key
replay detection support : N STATUS : ACTIVE Troubleshooting OSPFv3 The system provides several tools to troubleshoot OSPFv3 operation on the switch. This section describes typical OSPFv3 troubleshooting scenarios. NOTE: The following troubleshooting section is not meant to be a comprehensive list, but only to provide some examples of typical troubleshooting checks.
MIB Support for OSPFv3 SNMPv3 context name support implements MIB views on multiple OSPFv3 instances. Table 70. MIB Objects for OSPFv3 MIB Object OID Description ospfv3GeneralGroup 1.3.6.1.2.1.191.1.1 Contains a 32-bit unsigned integer uniquely identifying the router in the autonomous system. ospfv3AreaEntry 1.3.6.1.2.1.191.1.2.1 Contains information describing the parameter configuration and cumulative statistics of the router’s attached areas. ospfv3AsLsdbEntry 1.3.6.1.2.1.191.1.3.
36 Policy-based Routing (PBR) Policy-based routing (PBR) allows a switch to make routing decisions based on policies applied to an interface. Topics:
• Overview
• Implementing PBR
• Configuration Task List for Policy-based Routing
• Sample Configuration
Overview When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table.
● Destination IP address and mask
● Source port
● Destination port
● TCP Flags
After you apply a redirect-list to an interface, all traffic passing through it is subjected to the rules defined in the redirect-list. Traffic is forwarded based on the following:
● Next-hop addresses are verified.
● If the specified next hop is reachable, traffic is forwarded to the specified next-hop.
● If the specified next-hops are not reachable, the normal routing table is used to forward the traffic.
PBR Exceptions (Permit) To create an exception to a redirect list, use the permit command. Exceptions are used when a forwarding decision should be based on the routing table rather than a routing policy. The Dell EMC Networking OS assigns the first available sequence number to a rule configured without a sequence number and inserts the rule into the PBR CAM region next to the existing entries. Because the order of rules is important, ensure that you configure any necessary sequence numbers.
● source ip-address or any or host ip-address is the Source’s IP address
● FORMAT: A.B.C.D/NN, or ANY or HOST IP address
● destination ip-address or any or host ip-address is the Destination’s IP address
● FORMAT: A.B.C.D/NN, or ANY or HOST IP address
To delete a rule, use the no redirect command.
multiple seq redirect commands with the same source and destination address and specify a different next-hop IP address. In this way, the recursive routes are used as different forwarding routes for dynamic failover. If the primary path goes down and the recursive route is removed from the routing table, the seq redirect command is ignored and the next command in the list with a different route is used.
show ip redirect-list redirect-list-name 2. View the redirect list entries programmed in the CAM. EXEC mode show cam pbr show cam-usage List the redirect list configuration using the show ip redirect-list redirect-list-name command. The noncontiguous mask displays in dotted format (x.x.x.x). The contiguous mask displays in /x format. DellEMC#show ip redirect-list explicit_tunnel IP redirect-list explicit_tunnel: Defined as: seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.
1/1/1/4 00003 Fi 1/21/1 N/A UDP 0x0 0 0 155.55.0.0/16 222.22.2.0/24 00:00:00:00:00:04 Te 1/1/1/4 Sample Configuration You can use the following example configuration to set up PBR. These are not comprehensive directions but are intended to give you guidance with typical configurations. You can copy and paste from these examples to your CLI. Make the necessary changes to support your own IP addresses, interfaces, names, and so on.
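The mask display rule stated above for show ip redirect-list (a contiguous mask is shown as /x, a noncontiguous mask stays dotted), as an added example in Python. This is not Dell EMC Networking OS code; the addresses and the rule list are constructed for the example.

```python
"""Decide whether an IPv4 mask is contiguous and format a PBR match accordingly.

Added example (not Dell EMC Networking OS code). A contiguous mask is a run
of 1-bits followed only by 0-bits and can be written as a prefix length;
a noncontiguous (wildcard-style) mask cannot, so it must stay dotted.
"""
import ipaddress


def mask_to_int(mask):
    """Dotted mask -> 32-bit integer (raises ValueError on bad input)."""
    return int(ipaddress.IPv4Address(mask))


def is_contiguous(mask_int):
    # Invert the mask: a contiguous mask becomes 2**k - 1, whose successor is a
    # power of two, so inv & (inv + 1) == 0 exactly for contiguous masks.
    inv = (~mask_int) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0


def prefix_length(mask_int):
    return bin(mask_int).count("1")


def format_match(address, mask):
    """Render address/mask the way the redirect-list display is described."""
    m = mask_to_int(mask)
    if is_contiguous(m):
        return f"{address}/{prefix_length(m)}"
    return f"{address} {mask}"


def render_rules(rules):
    """rules: list of (seq, action, proto, src, src_mask, dst, dst_mask)."""
    lines = []
    for seq, action, proto, src, smask, dst, dmask in rules:
        lines.append(f"seq {seq} {action} {proto} "
                     f"{format_match(src, smask)} {format_match(dst, dmask)}")
    return lines


# Constructed sample: one prefix-style rule and one wildcard-style rule.
SAMPLE_RULES = [
    (5,  "redirect 192.0.2.254", "tcp", "198.51.100.0", "255.255.255.0",
         "203.0.113.0", "255.255.255.0"),
    (10, "redirect 192.0.2.254", "ip",  "198.51.100.0", "255.255.0.255",
         "0.0.0.0", "0.0.0.0"),
]

if __name__ == "__main__":
    print("\n".join(render_rules(SAMPLE_RULES)))
```

When auditing a redirect list, a noncontiguous mask that appears where a prefix was intended is worth a second look: it matches address bits in a pattern most readers will not expect and can steer unrelated flows to the next hop.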
seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any seq 15 permit ip any any Assign Redirect-List GOLD to Interface 2/11 EDGE_ROUTER(conf)#int Te 2/11/1 EDGE_ROUTER(conf-if-Te-2/11/1)#ip add 192.168.3.
3 4 IP Host reachability IP Host reachability 42.1.1.2/32 43.1.1.2/32 Up Up 00:00:59 00:00:59 Apply the Redirect Rule to an Interface: DellEMC# DellEMC(conf)#int TenGigabitEthernet 2/28 DellEMC(conf-if-te-2/28)#ip redirect-group redirect_list_with_track DellEMC(conf-if-te-2/28)#end Verify the Applied Redirect Rules: DellEMC#show ip redirect-list redirect_list_with_track IP redirect-list redirect_list_with_track Defined as: seq 5 redirect 42.1.1.2 track 3 tcp 155.55.2.0/24 222.22.2.
2 Interface ipv6 routing DellEMC# Tunnel 2 Up 00:00:00 Create a Redirect-list with Track Objects pertaining to Tunnel Interfaces: DellEMC#configure terminal DellEMC(conf)#ip redirect-list explicit_tunnel DellEMC(conf-redirect-list)#redirect tunnel 1 track DellEMC(conf-redirect-list)#redirect tunnel 1 track DellEMC(conf-redirect-list)#redirect tunnel 1 track 144.144.144.
37 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop.
2. The last-hop DR sends a PIM Join message to the RP. All routers along the way, including the RP, create an (*,G) entry in their multicast routing table, and the interface on which the message was received becomes the outgoing interface associated with the (*,G) entry. This process constructs an RPT branch to the RP. 3. If a host on the same subnet as another multicast receiver sends an IGMP report for the same multicast group, the gateway takes no action.
3. Enable PIM-SM on an interface. Enable multicast routing. CONFIGURATION mode {ip | ipv6} multicast-routing [vrf vrf-name] Related Configuration Tasks The following are related PIM-SM configuration tasks.
● Configuring S,G Expiry Timers
● Configuring a Static Rendezvous Point
● Configuring a Designated Router
● Creating Multicast Boundaries and Domains
Enable PIM-SM You must enable PIM-SM on each participating interface. 1. Enable IPv4 or IPv6 multicast routing on the system.
Following is an example of show ip pim neighbor command output: DellEMC#show Neighbor Address 127.87.5.5 127.87.3.5 127.87.50.
Configuring S,G Expiry Timers You can configure a global expiry time (for all [S,G] entries). By default, [S,G] entries expire in 210 seconds. When you create, delete, or update an expiry time, the changes are applied when the keep alive timer refreshes. To configure a global expiry time, use the following command. Enable global expiry timer for S, G entries. CONFIGURATION mode {ip | ipv6} pim sparse-mode sg-expiry-timer seconds The range is from 211 to 86,400 seconds. The default is 210.
Overriding Bootstrap Router Updates PIM-SM routers must know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group. If you do not use the override option with the following command, the RPs advertised in the BSR updates take precedence over any statically configured RPs.
INTERFACE mode {ip | ipv6} pim query-interval seconds ● Display the current value of these parameters.
Creating Multicast Boundaries and Domains A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet. Create multicast boundaries and domains by filtering inbound and outbound bootstrap router (BSR) messages per interface. The following command is applied to the subsequent inbound and outbound updates.
show ip pim bsr-router Example: DellEMC# show ip pim bsr-router PIMv2 Bootstrap information This system is the Bootstrap Router (v2) BSR address: 7.7.7.7 (?) BSR Priority: 0, Hash mask length: 30 Next bootstrap message in 00:00:08 This system is a candidate BSR Candidate BSR address: 7.7.7.
38 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Related Configuration Tasks ● Use PIM-SSM with IGMP Version 2 Hosts Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1. Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2. Enter the ip pim ssm-range command and specify the ACL you created. CONFIGURATION mode ip pim ssm-range acl-name To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.
Configuring PIM-SSM with IGMPv2 R1(conf)#do show run pim ! ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4 ip pim ssm-range ssm R1(conf)#do show run acl ! ip access-list standard map seq 5 permit host 239.0.0.2 ! ip access-list standard ssm seq 5 permit host 239.0.0.2 R1(conf)#ip igmp ssm-map map 10.11.5.2 R1(conf)#do show ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Mode Uptime Expires 239.0.0.
1. C-BSRs flood their candidacy throughout the domain in a BSM. Each message contains a BSR priority value, and the C-BSR with the highest priority value becomes the BSR. 2. Each C-RP unicasts periodic Candidate-RP-Advertisements to the BSR. Each message contains an RP priority value and the group ranges for which it is a C-RP. 3. The BSR collects the most efficient group-to-RP mappings and periodically sends them to all PIM routers in the network. 4.
Enabling RP to Serve Specific Multicast Groups When you configure an RP candidate, its advertisement is sent to the entire multicast address range and the group-to-RP mapping is advertised for the entire range of multicast addresses. Starting with Dell EMC Networking OS 9.11.0.0, you can configure an RP candidate for a specified range of multicast group addresses. The configured multicast group ranges are used by the BSR protocol to advertise the candidate RPs in the bootstrap messages.
39 Port Monitoring Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. Mirroring monitors ingress traffic, egress traffic, or both on one or more specified ports. This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
Port Monitoring Port monitoring is supported on both physical and logical interfaces, such as VLAN and port-channel interfaces. The source port (MD) with monitored traffic and the destination ports (MG) to which an analyzer can be attached must be on the same switch. You can configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session. The platform supports multiple source-destination statements in a single monitor session.
port. Similarly, if BPDUs are transmitted, the MG port receives them tagged with the VLAN ID 4095. This behavior might result in a difference between the number of egress packets on the MD port and monitored packets on the MG port. Dell EMC Networking OS Behavior: The platform continues to mirror outgoing traffic even after an MD participating in spanning tree protocol (STP) transitions from the forwarding state to the blocking state. Configuring Port Monitoring To configure port monitoring, use the following commands. 1.
N/A N/A 0 1 Po 10 N/A Vl 40 N/A Te 1/1/1/2 No Te 1/1/1/3 No rx Port 0.0.0.0 0.0.0.0 0 0 No rx Flow 0.0.0.0 0.0.0.0 0 0 No NOTE: Using a VLAN as the source is achieved through flow-based mirroring. Refer to the section Enabling Flow-Based Monitoring. In the following example, the host and server are exchanging traffic which passes through the uplink interface 1/1/1/1.
Flow-Based Monitoring Flow-based monitoring conserves bandwidth by monitoring only the specified traffic instead of all traffic on the interface. It is available for Layer 3 ingress traffic. You can specify the traffic that needs to be monitored using standard or extended access lists. The flow-based monitoring mechanism copies packets that match the ACL rules applied on the port and forwards (mirrors) them to another port.
---- ------ -------------1 Te 1/1/2/1 remote-ip 0 0 No N/A N/A DellEMC# --------rx Port yes 0.0.0.0 0.0.0.0 The show config command has been modified to display monitoring configuration in a particular session.
MONITOR SESSION mode ip access-group access-list-name To view an access-list that you applied to an interface, use the show ip accounting access-list command from EXEC Privilege mode. DellEMC(conf)#monitor session 0 DellEMC(conf-mon-sess-0)#flow-based enable DellEMC(conf)#ip access-list ext testflow DellEMC(config-ext-nacl)#seq 5 permit icmp any any count bytes monitor DellEMC(config-ext-nacl)#seq 10 permit ip 102.1.1.
Configuring IPv6 Flow-Based Mirroring This section describes how to configure IPv6 flow-based mirroring in the monitor session. You can configure IPv6 flow-based mirroring under monitor session. The IPv6 flow-based mirroring is supported in SPAN, RSPAN, and ERSPAN monitor sessions. By default, all mirror ACLs are treated as implicit permit. The Dell EMC Networking OS creates a separate logical group out of a physical CAM region for IPv6 mirroring.
DellEMC(config-ext-nacl)#exit DellEMC(conf)#interface tengigabitethernet 1/1/1/1 DellEMC(conf-if-te-1/1/1/1)#ipv6 access-group testflow in The following is sample running-configuration of IPv6 flow-based mirroring with ACLs applied to monitor sessions.
Remote port mirroring helps network administrators monitor and analyze traffic to troubleshoot network problems in a timesaving and efficient way. In a remote-port mirroring session, monitored traffic is tagged with a VLAN ID and switched on a user-defined, non-routable L2 VLAN. The VLAN is reserved in the network to carry only mirrored traffic, which is forwarded on all egress ports of the VLAN.
● You can configure any switch in the network with source ports and destination ports, and allow it to function in an intermediate transport session for a reserved VLAN at the same time for multiple remote-port mirroring sessions. You can enable and disable individual mirroring sessions. ● BPDU monitoring is not required to use remote port mirroring.
Restrictions When you configure remote port mirroring, the following restrictions apply: ● You can configure the same source port to be used in multiple source sessions. ● You cannot configure a source port channel or source VLAN in a source session if the port channel or VLAN has a member port that is configured as a destination port in a remote-port mirroring session.
2. A source session that consists of multiple source ports, port channels, and VLANs which are associated with the dedicated VLAN and located on different source switches 3. A destination session that consists of multiple destination ports associated with the dedicated VLAN and located on different destination switches Configuring an RSPAN VLAN for RPM Following are the steps for configuring an RSPAN VLAN for RPM. You must repeat the following steps on source, intermediate, and destination switches. 1.
monitor session session-id 2. Associate the Layer 2 VLAN used to transport monitored traffic with this destination session. MONITOR SESSION mode source remote-vlan vlan-id destination interface direction {rx | tx | both} 3. (Optional) Configure destination ports so that the VLAN tag is added to the monitored traffic. MONITOR SESSION mode tagged destination interface To configure destination ports as untagged ports, enter the untagged destination command.
DellEMC(conf-mon-sess-1)#no disable DellEMC(conf-mon-sess-1)#exit Configuring Remote Port Mirroring on an intermediate switch Following is a sample configuration of RPM on an intermediate switch.
Following is a sample configuration of RPM on a destination switch.
DellEMC(conf-mon-sess-3)#tagged destination tengigabitethernet 1/1/8/1 DellEMC(conf-mon-sess-3)#end Encapsulated Remote Port Monitoring Encapsulated Remote Port Monitoring (ERPM) copies traffic from source ports/port-channels or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination IP address specified in the session. NOTE: When configuring ERPM, follow these guidelines ● The Dell EMC Networking OS supports ERPM source session only.
Table 71. Configuration steps for ERPM (continued) Step Command Purpose 6 no disable Enter the no disable command to enable the ERPM session. The following example shows an ERPM configuration: DellEMC(conf)#monitor session 0 type erpm DellEMC(conf-mon-sess-0)#source tengigabitethernet 1/1/1/1 direction rx DellEMC(conf-mon-sess-0)#source port-channel 1 direction tx DellEMC(conf-mon-sess-0)#erpm source-ip 1.1.1.1 dest-ip 7.1.1.
ERPM Behavior on a typical Dell EMC Networking OS The Dell EMC Networking OS is designed to support only the Encapsulation of the data received / transmitted at the specified source port (Port A). An ERPM destination session / decapsulation of the ERPM packets at the destination Switch are not supported. Figure 108.
○ Either use a Linux server's Ethernet port IP address as the ERPM destination IP address, or connect the ingress interface of the server to the ERPM MirrorToPort. The analyzer should listen on the forward/egress interface. If there is only one interface, you can choose the ingress and forward interface to be the same and listen in the tx direction of the interface. ○ Download or write a small script (for example: erpm.py) that strips the given ERPM packet starting from the bit where the GRE header ends.
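The decapsulation step described in the bullets above, as an added example. This is not the erpm.py script the guide refers to and not Dell EMC Networking OS code; it assumes the usual GRE layout (RFC 2784 base header plus the RFC 2890 key and sequence fields, each present only when its flag bit is set), an IPv4 outer header, and an optional 802.1Q tag on the outer frame. The sample frame, its MAC and IP addresses, the GRE key and the protocol type 0x6558 are constructed here and were not captured from an ERPM session.

```python
"""Strip the outer Ethernet/IPv4/GRE headers from an ERPM mirror frame.

Added example (not Dell EMC Networking OS code). Feed it each frame read on
the analyzer's ingress interface; it returns the mirrored inner frame, which
can then be parsed as if it had been captured on the source port itself.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_GRE = 47


def gre_header_length(gre):
    """The GRE base header is 4 bytes; the C, K and S flags each add 4 bytes."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags = gre[0]
    length = 4
    if flags & 0x80:      # C: checksum + reserved1
        length += 4
    if flags & 0x20:      # K: key
        length += 4
    if flags & 0x10:      # S: sequence number
        length += 4
    return length


def strip_erpm(frame):
    """Return (gre_protocol_type, inner_frame) for a GRE-encapsulated mirror frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN:            # outer frame carries an 802.1Q tag
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"outer ethertype 0x{ethertype:04x} is not IPv4")
    ip = frame[offset:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("bad outer IPv4 header")
    ihl = (ip[0] & 0x0F) * 4                    # header length incl. options
    total_length = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_GRE:
        raise ValueError(f"outer IP protocol {ip[9]} is not GRE")
    gre = ip[ihl:total_length]                  # ignore any trailing padding
    gre_len = gre_header_length(gre)
    proto_type = struct.unpack("!H", gre[2:4])[0]
    return proto_type, gre[gre_len:]


# Constructed inner frame: broadcast Ethernet header, ARP ethertype, 28 zero bytes.
SAMPLE_INNER_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0a0b0c0d0e0f")
                      + struct.pack("!H", 0x0806) + bytes(28))


def build_sample_erpm_frame(inner_frame, key=100, seq=7, outer_vlan=None):
    """Constructed sample: wrap inner_frame in GRE (K and S set) / IPv4 / Ethernet.

    Addresses are made up and the IPv4 checksum is left zero because the
    frame never goes on a wire; 0x6558 is the GRE type for transparent
    Ethernet bridging, used here only as a plausible sample value.
    """
    gre = struct.pack("!BBHII", 0x30, 0, 0x6558, key, seq) + inner_frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0x1234, 0x4000,
                     64, IPPROTO_GRE, 0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if outer_vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, outer_vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + gre


if __name__ == "__main__":
    proto, inner = strip_erpm(build_sample_erpm_frame(SAMPLE_INNER_FRAME))
    print(f"GRE protocol type 0x{proto:04x}, inner frame {len(inner)} bytes: {inner.hex()}")
```

Before trusting the inner-frame offset on a real capture, compare the GRE protocol type the function returns with what the capture tool shows for the same packet; if the platform sets additional GRE option bits, the flag-driven length calculation above is the place to adjust.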
VLT Fail-over Scenario Consider a scenario where port monitoring is configured to mirror traffic on the source port or LAG of a VLT device to a destination port on another device on the network. A fail-over occurs when the primary VLT device fails, causing the secondary VLT device to take over. At the time of failover, the mirrored packets are dropped for some time. This time period is equivalent to the gracious VLT failover recovery time.
Table 72. RPM over VLT Scenarios (continued) Scenario RPM Restriction Recommended Solution device:source remote vlan destination orphan port. Mirroring VLT LAG across VLT Peers — In this scenario, the VLT LAG on the primary VLT peer is mirrored to an orphan port on the secondary VLT peer through the ICL LAG. The packet analyzer is connected to the secondary VLT peer. No restrictions apply to the RPM session.
40 Private VLANs (PVLAN) The private VLAN (PVLAN) feature is supported on Dell EMC Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell EMC Networking OS Command Line Reference Guide. Private VLANs extend the Dell EMC Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
PVLAN port types include: ● Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports. ● Host port — in the context of a private VLAN, is a port in a secondary VLAN: ○ The port must first be assigned that role in INTERFACE mode. ○ A port assigned the host role cannot be added to a regular VLAN. ● Isolated port — a port that, in Layer 2, can only communicate with promiscuous ports that are in the same PVLAN.
Configuration Task List The following sections contain the procedures that configure a private VLAN.
● Creating PVLAN Ports
● Creating a Primary VLAN
● Creating a Community VLAN
● Creating an Isolated VLAN
Creating PVLAN ports PVLAN ports are ports that will be assigned to the PVLAN. 1. Access INTERFACE mode for the port that you want to assign to a PVLAN. CONFIGURATION mode interface interface 2. Enable the port. INTERFACE mode no shutdown 3. Set the port in Layer 2 mode. INTERFACE mode switchport 4.
CONFIGURATION mode interface vlan vlan-id 2. Enable the VLAN. INTERFACE VLAN mode no shutdown 3. Set the PVLAN mode of the selected VLAN to primary. INTERFACE VLAN mode private-vlan mode primary 4. Map secondary VLANs to the selected primary VLAN. INTERFACE VLAN mode private-vlan mapping secondary-vlan vlan-list The list of secondary VLANs can be: ● Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID). ● Specified with this command even before they have been created.
You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add host (isolated) ports to the VLAN. Creating an Isolated VLAN An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN. 1. Access INTERFACE VLAN mode for the VLAN that you want to make an isolated VLAN. CONFIGURATION mode interface vlan vlan-id 2. Enable the VLAN.
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 109. Sample Private VLAN Topology The following configuration is based on the example diagram for the Z9500:
● Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000.
● Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
● Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
● The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500. ● For transmission between switches, tagged packets originating from host PVLAN ports in one secondary VLAN and destined for host PVLAN ports in the other switch travel through the promiscuous ports in the local VLAN 4000 and then through the trunk ports (1/25 in each switch). Inspecting the Private VLAN Configuration The standard methods of inspecting configurations also apply in PVLANs.
G - GVRP tagged, M - Vlan-stack NUM * 1 100 P 200 I 201 Status Inactive Inactive Inactive Inactive Description Q Ports primary VLAN in PVLAN T Te 1/19/1-2 isolated VLAN in VLAN 200 T Te 1/21/1 The following example shows viewing a private VLAN configuration.
41 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Figure 110. Per-VLAN Spanning Tree The Dell EMC Networking OS supports three other variations of spanning tree, as shown in the following table.
Table 73. Spanning Tree Variations Dell EMC Networking OS Supports
Dell EMC Networking Term                 IEEE Specification
Spanning Tree Protocol (STP)             802.1d
Rapid Spanning Tree Protocol (RSTP)      802.1w
Multiple Spanning Tree Protocol (MSTP)   802.
Configure Per-VLAN Spanning Tree Plus Configuring PVST+ is a four-step process.
1. Configure interfaces for Layer 2.
2. Place the interfaces in VLANs.
3. Enable PVST+.
4. Optionally, for load balancing, select a nondefault bridge-priority for a VLAN.
Influencing PVST+ Root Selection As shown in the previous per-VLAN spanning tree illustration, all VLANs use the same forwarding topology because R2 is elected the root, and all TenGigabitEthernet ports have the same cost. The following per-VLAN spanning tree illustration changes the bridge priority of each bridge so that a different forwarding topology is generated for each VLAN. This behavior demonstrates how you can use PVST+ to achieve load balancing. Figure 111.
Current root has priority 4096, Address 0001.e80d.b6d6 Number of topology changes 5, last change occurred 00:34:37 ago on Te 1/1/1/1 Port 375 (TenGigabitEthernet 1/1/2/1) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.375 Designated root has priority 4096, address 0001.e80d.b6:d6 Designated bridge has priority 4096, address 0001.e80d.b6:d6 Designated port id is 128.
● Port priority — influences the likelihood that a port is selected to be a forwarding port in case several ports have the same port cost. The following table lists the default values for port cost by interface. Table 74.
CAUTION: Configure EdgePort only on links connecting to an end station. EdgePort can cause loops if you enable it on an interface connected to a network. To enable EdgePort on an interface, use the following command. ● Enable EdgePort on an interface. INTERFACE mode spanning-tree pvst edge-port [bpduguard | shutdown-on-violation] The EdgePort status of each interface is given in the output of the show spanning-tree pvst command, as previously shown.
Figure 112. PVST+ with Extend System ID ● Augment the bridge ID with the VLAN ID. PROTOCOL PVST mode extend system-id DellEMC(conf-pvst)#do show spanning-tree pvst vlan 5 brief VLAN 5 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.73f7 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 1/1/1/1,1/1/1/2 no shutdown ! protocol spanning-tree pvst no disable vlan 100 bridge-priority 4096 Example of PVST+ Configuration (R2) interface TenGigabitEthernet 1/1/1/1 no ip address switchport no shutdown ! interface TenGigabitEthernet 1/1/2/1 no ip address switchport no shutdown ! interface Vlan 100 no ip address tagged TenGigabitEthernet 1/1/1/1,1/1/2/1 no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 1/1/
42 Quality of Service (QoS) This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Table 75.
Table 75. Dell EMC Networking Operating System (OS) Support for Port-Based, Policy-Based Features (continued)
Feature                              Direction
Create Output Policy Maps            Egress
Specify an Aggregate QoS Policy      Egress
Enabling QoS Rate Adjustment
Enabling Strict-Priority Queueing
Weighted Random Early Detection      Egress
Create WRED Profiles                 Egress
Figure 113.
● Configuring Policy-Based Rate Shaping
● Configuring Weights and ECN for WRED
● Configuring WRED and ECN Attributes
● Guidelines for Configuring ECN for Classifying and Color-Marking Packets
● Applying Layer 2 Match Criteria on a Layer 3 Interface
● Enabling Buffer Statistics Tracking
Implementation Information
The Dell EMC Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
dot1p-priority
DellEMC#configure terminal
DellEMC(conf)#interface tengigabitethernet 1/1/1/1
DellEMC(conf-if-te-1/1/1/1)#switchport
DellEMC(conf-if-te-1/1/1/1)#dot1p-priority 1
DellEMC(conf-if-te-1/1/1/1)#end
Honoring dot1p Priorities on Ingress Traffic
By default, Dell EMC Networking OS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel.
Configuring Port-Based Rate Shaping Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted. If any stream exceeds the configured bandwidth on a continuous basis, it can consume all of the buffer space that is allocated to the port. Dell EMC Networking OS Behavior: Rate shaping is effectively rate limiting because of its smaller buffer size.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 114. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell EMC Networking OS matches packets against match criteria in the order that you configure them.
class-map match-any
2. Create a match-all class map.
CONFIGURATION mode
class-map match-all
3. Specify your match criteria.
CLASS MAP mode
[seq sequence number] match {ip | ipv6 | ip-any}
After you create a class-map, Dell EMC Networking OS places you in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL.
NOTE: Within a class-map, the match rules are installed in sequence-number order.
4. Link the class-map to a queue.
3. Specify your match criteria.
CLASS MAP mode
[seq sequence number] match mac
After you create a class-map, Dell EMC Networking OS places you in CLASS MAP mode. Match-any class maps allow up to five access-lists. Match-all class-maps allow only one. You can match against only one VLAN ID.
4. Link the class-map to a queue.
ip access-list extended AF1-FB1
 seq 5 permit ip host 23.64.0.2 any
 seq 10 deny ip any any
!
ip access-list extended AF1-FB2
 seq 5 permit ip host 23.64.0.3 any
 seq 10 deny ip any any
!
ip access-list extended AF2
 seq 5 permit ip host 23.64.0.
Create a QoS Policy There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. ● Layer 3 — QoS input policies allow you to rate police and set a DSCP or dot1p value. In addition, you can configure a drop precedence for incoming packets based on their DSCP value by using a DSCP color map. For more information, see DSCP Color Maps.
Creating an Output QoS Policy
To create an output QoS policy, use the following commands.
1. Create an output QoS policy.
CONFIGURATION mode
qos-policy-output
2. After you configure an output QoS policy, do one or more of the following:
Scheduler Strict — Policy-based strict-priority queueing is configured through scheduler strict, applied within qos-policy-output. When scheduler strict is applied to multiple queues, the higher queue number takes precedence.
Specifying WRED Drop Precedence
You can configure the WRED drop precedence in an output QoS policy.
● Specify a WRED profile for yellow and/or green traffic.
QOS-POLICY-OUT mode
wred
For more information, refer to Applying a WRED Profile to Traffic.
DSCP Color Maps
This section describes how to configure color maps and how to display the color map and color map configuration.
Create the DSCP color map profile, bat-enclave-map, with a yellow drop precedence, and set the DSCP values to 9, 10, 11, 13, 15, and 16.
DellEMC(conf)# qos dscp-color-map bat-enclave-map
DellEMC(conf-dscp-color-map)# dscp yellow 9,10,11,13,15,16
DellEMC(conf-dscp-color-map)# exit
Assign the color map, bat-enclave-map, to the interface.
Displaying DSCP Color Maps
To display DSCP color maps, use the show qos dscp-color-map command in EXEC mode.
Examples for Creating a DSCP Color Map
Display all DSCP color maps.
Applying an Input QoS Policy to an Input Policy Map
Honoring DSCP Values on Ingress Packets
Honoring dot1p Values on Ingress Packets
3. Apply the input policy map to an interface.
Applying a Class-Map or Input QoS Policy to a Queue
To apply a class-map or input QoS policy to a queue, use the following command.
● Assign an input QoS policy to a queue.
Table 79. Default dot1p to Queue Mapping
dot1p   Queue ID
0       1
1       0
2       2
3       3
4       4
5       5
6       6
7       7
The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN.
● Enable the trust dot1p feature.
POLICY-MAP-IN mode
trust dot1p
Mapping dot1p Values to Service Queues
All traffic is by default mapped to the same queue, Queue 0.
INTERFACE mode
service-policy input
Specify the keyword layer2 if the policy map you are applying is a Layer 2 policy map.
Creating Output Policy Maps
1. Create an output policy map.
CONFIGURATION mode
policy-map-output
2. After you create an output policy map, do one or more of the following: Applying an Output QoS Policy to a Queue; Specifying an Aggregate QoS Policy; Applying an Output Policy Map to an Interface.
3. Apply the policy map to an interface.
● Cyclic redundancy check (CRC): 4 bytes
● Inter-frame gap (IFG): variable
You can optionally include overhead fields in rate metering calculations by enabling QoS rate adjustment. QoS rate adjustment is disabled by default.
● Specify the number of bytes of packet overhead to include in rate limiting, policing, and shaping calculations.
CONFIGURATION mode
qos-rate-adjust overhead-bytes
For example, to include the Preamble and SFD, type qos-rate-adjust 8.
Support for marking dot1p value in L3 Input QoS Policy
If an incoming packet is untagged and the packet sent on to the peer is tagged, mark the dot1p value using an L3 input QoS policy, because the peer switch generates PFC based on that dot1p value. Without such marking, when ingress is untagged and egress is tagged, the default dot1p priority 0 is written into the tag header, and PFC from the next hop onward is based on that priority.
Figure 115. Packet Drop Rate for WRED You can create a custom WRED profile or use one of the five pre-defined profiles. Enabling and Disabling WRED Globally By default, WRED is enabled on the system. You can disable or reenable WRED manually using a single command. Follow these steps to disable or enable WRED in Dell EMC Networking OS.
Applying a WRED Profile to Traffic
After you create a WRED profile, you must specify to which traffic Dell EMC Networking OS should apply the profile. Dell EMC Networking OS assigns a color (also called drop precedence) — red, yellow, or green — to each packet based on its DSCP value before queuing it. DSCP is a 6-bit field. Dell EMC Networking OS uses the three least-significant bits of this field (the DP bits) to determine the drop precedence.
● DP values of 100, 101, and 110 map to yellow; all other values map to green.
(Remainder of the show hardware buffer-stats-snapshot output: queues 8 and 9 are UCAST, queues 10 through 19 are MCAST. The per-queue counters are almost all zero; the few non-zero counts (1132, 1, 143063, 217) lost their column alignment in extraction.)
DellEMC#
Pre-Calculating Available QoS CAM Space
Before Dell EMC Networking OS version 7.3.
Specifying Policy-Based Rate Shaping in Packets Per Second
You can configure rate shaping for a QoS output policy in packets per second (pps) instead of in bytes. You can also configure the peak rate and the committed rate for packets in kilobits per second (Kbps) or pps. Committed rate refers to the guaranteed bandwidth for traffic entering or leaving the interface under normal network conditions.
Configuring Weights and ECN for WRED The WRED congestion avoidance functionality drops packets to prevent buffering resources from being consumed. Traffic is a mixture of various kinds of packets. The rate at which some types of packets arrive might be greater than others. In this case, the space on the buffer and traffic manager (BTM) (ingress or egress) can be consumed by only one or few types of traffic, leaving no space for other types.
Table 80. Scenarios of WRED and ECN Configuration
Queue Configuration   Service-Pool Configuration   WRED Threshold Relationship   Expected Functionality
WRED   ECN            WRED   ECN                   (Q-T = queue threshold, SP-T = service-pool threshold)
0      0              X      X                     X                             WRED/ECN not applicable
1      0              0      X                     X                             Queue-based WRED, no ECN marking
1      0              1      X                     Q-T < SP-T                    Queue-based WRED, no ECN marking
1      0              1      X                     SP-T < Q-T                    SP-based WRED, no ECN marking
1      1              0      X                     X                             Queue-based ECN marking above queue threshold.
Guidelines for Configuring ECN for Classifying and Color-Marking Packets
Keep the following points in mind while configuring the marking and mapping of incoming packets using ECN fields in IPv4 headers:
● Currently Dell EMC Networking OS supports matching only the following TCP flags: ACK, FIN, SYN, PSH, RST, and URG. The ECE and CWR TCP flag qualifiers are not supported.
● You can use the ecn match qualifier together with the TCP flags above for classification.
Classifying Incoming Packets Using ECN and Color-Marking
Explicit Congestion Notification (ECN) enhances WRED by marking packets instead of having WRED drop them when the threshold is exceeded. If you configure ECN for WRED, devices use ECN marking to signal congestion so that senders reduce their transmission rate in a congested, heavily loaded network.
!
policy-map-input pmap_dscp_40_50
 service-queue 2 class-map class_dscp_40
 service-queue 3 class-map class_dscp_50
Approach with explicit ECN match qualifiers for ECN packets:
!
ip access-list standard dscp_50_ecn
 seq 5 permit any dscp 50 ecn 1
 seq 10 permit any dscp 50 ecn 2
 seq 15 permit any dscp 50 ecn 3
!
ip access-list standard dscp_40_ecn
 seq 5 permit any dscp 40 ecn 1
 seq 10 permit any dscp 40 ecn 2
 seq 15 permit any dscp 40 ecn 3
!
ip access-list standard dscp_50_non_ecn
 seq 5 permit any dscp 50 ecn
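The following Python model, added here as an illustration and not part of Dell EMC Networking OS or this guide, ties together the drop-precedence rule from Applying a WRED Profile to Traffic (the three low DSCP bits 100, 101 and 110 are yellow, everything else green), a qos dscp-color-map style override, and the WRED decision the ECN sections describe: enqueue below the minimum threshold, drop above the maximum, and mark CE instead of dropping when ECN is enabled and the packet is ECN-capable. The queue thresholds, the linear drop curve between them and the sample packets are constructed for the example; the WredQueue class and its methods are not platform commands.

```python
"""Drop-precedence coloring and WRED/ECN admission for one egress queue.

Added example, not Dell EMC Networking OS code. The default DSCP-to-color
rule and the ECN marks-instead-of-drops behaviour are from the text; the
thresholds, the linear drop curve and the sample packets are constructed.
"""
import random

# RFC 3168 ECN codepoints (the two low bits of the IPv4 TOS byte)
ECN_NOT_ECT, ECN_ECT1, ECN_ECT0, ECN_CE = 0b00, 0b01, 0b10, 0b11


def default_color(dscp):
    """Dell EMC Networking OS default: drop precedence from the DSCP's three low bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return "yellow" if (dscp & 0b111) in (0b100, 0b101, 0b110) else "green"


def color_map(yellow_dscps):
    """A qos dscp-color-map profile: the listed DSCPs are yellow, all others green."""
    yellow = frozenset(yellow_dscps)
    return lambda dscp: "yellow" if dscp in yellow else "green"


class WredQueue:
    """One queue with per-color WRED thresholds (min_cells, max_cells).

    Depth below min: enqueue. Depth at or above max: congested. In between:
    congested with probability rising linearly from 0 at min to max_prob at
    max. A congested packet is dropped, or CE-marked and kept when ECN is
    enabled and the packet is ECN-capable (ECT(0)/ECT(1)).
    """

    def __init__(self, thresholds, ecn=False, max_prob=1.0, rng=None):
        self.thresholds = thresholds          # {"green": (lo, hi), "yellow": (lo, hi)}
        self.ecn = ecn
        self.max_prob = max_prob
        self.rng = rng or random.Random(0)
        self.depth = 0                        # cells queued; never drained in this model
        self.stats = {"queued": 0, "dropped": 0, "marked": 0}

    def admit(self, color, ecn_bits):
        """Return the ECN bits the packet is queued with, or None if dropped."""
        lo, hi = self.thresholds[color]
        if self.depth < lo:
            congested = False
        elif self.depth >= hi:
            congested = True
        else:
            congested = self.rng.random() < self.max_prob * (self.depth - lo) / (hi - lo)
        if congested:
            if self.ecn and ecn_bits in (ECN_ECT0, ECN_ECT1):
                self.stats["marked"] += 1     # signal congestion to the sender, keep the packet
                ecn_bits = ECN_CE
            else:
                self.stats["dropped"] += 1    # Not-ECT traffic, or ECN off: WRED drops
                return None
        self.depth += 1
        self.stats["queued"] += 1
        return ecn_bits


def run(packets, queue, colorer=default_color):
    """Offer (dscp, ecn_bits) packets to `queue`, coloring each first; return the stats."""
    for dscp, ecn_bits in packets:
        queue.admit(colorer(dscp), ecn_bits)
    return dict(queue.stats)


if __name__ == "__main__":
    # Constructed burst: six AF12 (DSCP 12, yellow) packets into a queue whose
    # yellow profile tolerates only two cells before WRED acts.
    for ecn in (False, True):
        q = WredQueue({"green": (100, 200), "yellow": (2, 3)}, ecn=ecn)
        print("ecn", ecn, run([(12, ECN_ECT0)] * 6, q))
```

With ECN off the burst loses three packets; with ECN on the same burst is fully queued and three packets leave CE-marked, which is the difference the table of WRED/ECN scenarios is describing. Note that the default rule colors EF (DSCP 46, low bits 110) yellow, which is one reason to use an explicit color map.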
Managing Hardware Buffer Statistics The memory management unit (MMU) is 12.2 MB in size. It contains approximately 60,000 cells, each of which is 208 bytes in size. MMU also has another portion of 3 MB allocated to it. The entire MMU space is shared across a maximum of 104 logical ports to support the egress admission-control functionality to implement scheduling and shaping on per-port and per-queue levels.
EXEC/EXEC Privilege mode
DellEMC# show hardware buffer-stats-snapshot resource interface fortyGigE 0/0 queue all
Unit 0 unit: 0 port: 1 (interface Fo 0/0)
---------------------------------------
Q# TYPE   Q#   TOTAL BUFFERED CELLS
---------------------------------------
UCAST     0    0
UCAST     1    0
UCAST     2    0
UCAST     3    0
UCAST     4    0
UCAST     5    0
UCAST     6    0
UCAST     7    0
UCAST     8    0
UCAST     9    0
UCAST     10   0
UCAST     11   0
MCAST     0    0
MCAST     1    0
MCAST     2    0
MCAST     3    0
MCAST     4    0
MCAST     5    0
MCAST     6    0
MCAST     7    0
MCAST     8    0
43 Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Table 81. RIP Defaults
Feature                  Default
Interfaces running RIP   ● Listen to RIPv1 and RIPv2
                         ● Transmit RIPv1
RIP timers               ● update timer = 30 seconds
                         ● invalid timer = 180 seconds
                         ● holddown timer = 180 seconds
                         ● flush timer = 240 seconds
Auto summarization       Enabled
ECMP paths supported     16
Configuration Information
By default, RIP is disabled in Dell EMC Networking OS. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
The Dell EMC Networking OS default is to send RIPv1 and to receive RIPv1 and RIPv2. To change the RIP version globally, use the version command in ROUTER RIP mode. To view the global RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
DellEMC(conf-router_rip)#show config
!
router rip
 network 10.0.0.0
DellEMC(conf-router_rip)#
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
29.0.0.0/8      auto-summary
31.0.0.0/8      [120/1] via 29.10.10.12, 00:00:26, Fa 1/49
31.0.0.0/8      auto-summary
192.162.2.0/24  [120/1] via 29.10.10.12, 00:01:21, Fa 1/49
192.162.2.0/24  auto-summary
192.161.1.0/24  [120/1] via 29.10.10.12, 00:00:27, Fa 1/49
192.161.1.0/24  auto-summary
192.162.3.0/24  [120/1] via 29.10.10.12, 00:01:22, Fa 1/49
192.162.3.0/24  auto-summary
To disable RIP globally, use the no router rip command in CONFIGURATION mode.
To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode. Adding RIP Routes from Other Instances In addition to filtering routes, you can add routes from other routing instances or protocols to the RIP process. With the redistribute command, you can include open shortest path first (OSPF), static, or directly connected routes in the RIP process. To add routes from other routing instances or protocols, use the following commands.
To configure an interface to receive or send both versions of RIP, include 1 and 2 in the command syntax. The command syntax for sending both RIPv1 and RIPv2 and receiving only RIPv2 is shown in the following example.
DellEMC(conf-if)#ip rip send version 1 2
DellEMC(conf-if)#ip rip receive version 2
The following example of the show ip protocols command confirms that both versions are sent out that interface.
○ weight: the range is from 1 to 255. The default is 120. ○ ip-address mask: the IP address in dotted decimal format (A.B.C.D), and the mask in slash format (/x). ○ access-list-name: the name of a configured IP ACL. ● Apply an additional number to the incoming or outgoing route metrics.
RIP Configuration on Core2
The following example shows how to configure RIPv2 on a host named Core2.
Core2(conf-if-te-1/1/2/1)#
Core2(conf-if-te-1/1/2/1)#router rip
Core2(conf-router_rip)#ver 2
Core2(conf-router_rip)#network 10.200.10.0
Core2(conf-router_rip)#network 10.300.10.0
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.0
Core2(conf-router_rip)#show config
!
router rip
 network 10.0.0.
R 192.168.1.0/24   via 10.11.20.1, Te 1/1/1/1   120/1   00:01:20
R 192.168.2.0/24   via 10.11.20.1, Te 1/1/1/1   120/1   00:01:20
Core2#
R 192.168.1.0/24   via 10.11.20.1, Te 1/1/1/1   120/1   00:05:22
R 192.168.2.0/24   via 10.11.20.1, Te 1/1/1/1   120/1   00:05:22
Core2#
The following example shows the show ip protocols command to show the RIP configuration activity on Core 2.
The following example shows the show ip rip database command to view the learned RIP routes on Core 3.
Core3#show ip rip database
Total number of routes in RIP database: 7
10.11.10.0/24   [120/1] via 10.11.20.2, 00:00:13, TenGigabitEthernet
10.200.10.0/24  [120/1] via 10.11.20.2, 00:00:13, TenGigabitEthernet
10.300.10.0/24  [120/1] via 10.11.20.2, 00:00:13, TenGigabitEthernet
10.11.20.0/24   directly connected, TenGigabitEthernet
10.11.30.0/24   directly connected, TenGigabitEthernet
10.0.0.0/8      auto-summary
192.168.
Core3#
RIP Configuration Summary
The following example shows viewing the RIP configuration on Core 2.
!
interface TenGigabitEthernet
 ip address 10.11.10.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip address 10.11.20.2/24
 no shutdown
!
interface TenGigabitEthernet
 ip address 10.200.10.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip address 10.250.10.1/24
 no shutdown
router rip
 version 2
 network 10.200.10.0
 network 10.300.10.0
 network 10.11.10.0
 network 10.11.20.
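The behaviour visible in the Core2 and Core3 output above (one-hop routes shown as [120/1], 10.x.x.x subnets collapsing to a 10.0.0.0/8 auto-summary, and RIP's hop-count limit) can be traced in the following Python model. It is an added example and not Dell EMC Networking OS code: administrative distance 120, infinity at 16 hops and summarisation at a classful major-network boundary are standard RIP; the RipTable class, the offset parameters (standing in for an offset-list) and the sample neighbours and prefixes are constructed for this illustration. Metrics are kept as show ip rip database displays them, with the hop added when a route is re-advertised.

```python
"""RIP database model: hop counts, infinity at 16, offsets and classful auto-summary.

Added example, not Dell EMC Networking OS code. Administrative distance 120,
infinity at 16 hops and summarisation at a classful boundary are standard
RIP; the RipTable class, offset parameters (standing in for an offset-list)
and the sample neighbours and prefixes are constructed for this illustration.
"""
import ipaddress

RIP_ADMIN_DISTANCE = 120
RIP_INFINITY = 16


def classful_network(prefix):
    """Classful major network of `prefix` (A /8, B /16, C /24); None for class D/E."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    first = int(net.network_address) >> 24
    plen = 8 if first < 128 else 16 if first < 192 else 24 if first < 224 else None
    if plen is None:
        return None
    return str(ipaddress.IPv4Network((int(net.network_address), plen), strict=False))


class RipTable:
    """prefix -> {"metric", "via", "iface"}; via None means directly connected."""

    def __init__(self):
        self.routes = {}

    def add_connected(self, prefix, iface):
        self.routes[prefix] = {"metric": 0, "via": None, "iface": iface}

    def receive(self, neighbor, iface, advertised, offset_in=0):
        """Apply one update of (prefix, metric) pairs; return the prefixes that changed.

        Metrics are kept as `show ip rip database` displays them: the received
        hop count plus any inbound offset, capped at 16 (unreachable).
        """
        changed = []
        for prefix, metric in advertised:
            metric = min(metric + offset_in, RIP_INFINITY)
            cur = self.routes.get(prefix)
            if cur is None:
                if metric < RIP_INFINITY:          # never install an unreachable route
                    self.routes[prefix] = {"metric": metric, "via": neighbor, "iface": iface}
                    changed.append(prefix)
            elif cur["via"] is None:
                continue                           # connected beats anything learned
            elif cur["via"] == neighbor or metric < cur["metric"]:
                # same neighbour: always accept (including 16 = poison); other: only if better
                if (cur["metric"], cur["via"]) != (metric, neighbor):
                    changed.append(prefix)
                cur.update(metric=metric, via=neighbor, iface=iface)
        return changed

    def advertise(self, out_iface, out_prefix, auto_summary=True, offset_out=0):
        """Routes sent on `out_iface` toward `out_prefix`: split horizon, one hop
        added, and (with auto-summary) the classful network when the route lies
        in a different major network than the outgoing interface."""
        out = {}
        for prefix, r in self.routes.items():
            if r["iface"] == out_iface:
                continue                           # split horizon
            adv = prefix
            summary = classful_network(prefix)
            if auto_summary and summary not in (None, classful_network(out_prefix)):
                adv = summary
            metric = min(r["metric"] + 1 + offset_out, RIP_INFINITY)
            out[adv] = min(out.get(adv, RIP_INFINITY), metric)
        return out

    def unreachable(self):
        """Prefixes poisoned to 16, kept until the flush timer would remove them."""
        return sorted(p for p, r in self.routes.items() if r["metric"] >= RIP_INFINITY)

    def display(self):
        """Lines in the style of show ip rip database."""
        lines = []
        for prefix, r in sorted(self.routes.items()):
            if r["via"] is None:
                lines.append(f"{prefix} directly connected, {r['iface']}")
            else:
                lines.append(f"{prefix} [{RIP_ADMIN_DISTANCE}/{r['metric']}] via {r['via']}, {r['iface']}")
        return lines


if __name__ == "__main__":
    core3 = RipTable()
    core3.add_connected("10.11.20.0/24", "Te 1/1/1/1")
    core3.add_connected("10.11.30.0/24", "Te 1/1/1/2")
    core3.receive("10.11.20.2", "Te 1/1/1/1", [("10.11.10.0/24", 1), ("10.200.10.0/24", 1)])
    print("\n".join(core3.display()))
    print(core3.advertise("Te 1/1/1/2", "192.168.5.0/24"))  # {'10.0.0.0/8': 1}
```

Toward a neighbour outside the 10.0.0.0/8 major network every 10.x route collapses into one /8 advertisement at the best metric; toward a neighbour inside it the individual /24s are sent, which is why the Core3 database lists both the /24 entries and the /8 auto-summary.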
44 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell EMC Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
[no] rmon alarm number variable interval {delta | absolute} rising-threshold [value event-number] falling-threshold value event-number [owner string]
OR
[no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string]
Configure the alarm using the following optional parameters:
○ number: alarm number, an integer from 1 to 65,535; the value must be unique in the RMON Alarm Table.
In the following example, the configuration creates RMON event number 1, with the description “High ifOutErrors”, and generates a log entry when an alarm triggers the event. The user nms1 owns the row that is created in the event table by this command. This configuration also generates an SNMP trap when the event is triggered using the SNMP community string “eventtrap”.
The following command example enables an RMON MIB collection history group of statistics with an ID number of 20 and an owner of john, both the sampling interval and the number of buckets use their respective defaults.
45 Rapid Spanning Tree Protocol (RSTP) The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP).
● Prevent Network Disruptions with BPDU Guard
● Influencing RSTP Root Selection
● Configuring Spanning Trees as Hitless
● Enabling SNMP Traps for Root Elections and Topology Changes
● Configuring Fast Hellos for Link State Detection
● Flush MAC Addresses after a Topology Change
Important Points to Remember
● RSTP is disabled by default.
● Dell EMC Networking OS supports only one Rapid Spanning Tree (RST) instance.
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. The bold lines indicate that the interface is in Layer 2 mode. Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. ● Only one path from any bridge to any other bridge is enabled.
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
DellEMC#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
Bridge Identifier has priority 32768, Address 0001.e801.
Te 1/1/2/4   Altr   128.684   128   20000   BLK   20000   P2P   No
R3#
Adding and Removing Interfaces
To add and remove interfaces, use the following commands.
To add an interface to the Rapid Spanning Tree topology, configure it for Layer 2 and it is automatically added. If you previously disabled RSTP on the interface using the no spanning-tree 0 command, re-enable it using the spanning-tree 0 command.
● Remove an interface from the Rapid Spanning Tree topology.
● Change the forward-delay parameter.
PROTOCOL SPANNING TREE RSTP mode
forward-delay seconds
The range is from 4 to 30. The default is 15 seconds.
● Change the hello-time parameter.
PROTOCOL SPANNING TREE RSTP mode
hello-time seconds
NOTE: With large configurations (especially those with many ports), Dell EMC Networking recommends increasing the hello-time.
The range is from 1 to 10. The default is 2 seconds.
● Change the max-age parameter.
Enabling SNMP Traps for Root Elections and Topology Changes
To enable SNMP traps collectively, use this command.
● Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
snmp-server enable traps xstp
Influencing RSTP Root Selection
RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command.
● Enable EdgePort on an interface.
INTERFACE mode
spanning-tree rstp edge-port [bpduguard | shutdown-on-violation]
To verify that EdgePort is enabled on a port, use the show spanning-tree rstp command from EXEC privilege mode or the show config command from INTERFACE mode.
NOTE: Dell EMC Networking recommends using the show config command from INTERFACE mode.
In the following example, the bold line indicates that the interface is in EdgePort mode.
46 Software-Defined Networking (SDN) The Dell EMC Networking OS supports software-defined networking (SDN). For more information, see the SDN Deployment Guide.
47 Security This chapter describes several ways to provide security to the Dell EMC Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide.
● Enable AAA accounting and create a record for monitoring the accounting function.
CONFIGURATION mode
aaa accounting {commands level | dot1x | exec | rest | suppress | system} {default | name} {start-stop | wait-start | stop-only} {radius | tacacs+}
The variables are:
○ system: sends accounting information for any other AAA configuration.
○ exec: sends accounting information when a user has logged in to EXEC mode.
CONFIG-LINE-VTY mode
accounting commands 15 com15
accounting exec execAcct
DellEMC(config-line-vty)# accounting commands 15 com15
DellEMC(config-line-vty)# accounting exec execAcct
Monitoring AAA Accounting
Dell EMC Networking OS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting.
Sample dot1x accounting records
The following lists the sample EAP and MAB accounting records.
EAP START accounting record:
Fri May 10 12:20:43 2019
NAS-IP-Address = 10.16.133.
NAS-Port = 1010
NAS-Port-Id = "GigabitEthernet 1/11"
Service-Type = Call-Check
Acct-Session-Time = 21
Acct-Session-Id = "00-11-22-33-44-55-4"
Acct-Multi-Session-Id = "00-11-22-33-44-55-00-11-33-44-77-88-5e-50-d6-5cc"
Acct-Link-Count = 1
Acct-Terminate-Cause = Lost-Carrier
Acct-Status-Type = Stop
Event-Timestamp = "May 10 2019 23:30:42 CDT"
Tmp-String-9 = "ai:"
Acct-Unique-Session-Id = "5a761462ef63b815707de5fa1c5ef348"
Timestamp = 1557549042
RADIUS Accounting attributes
The following tables describe the va
Table 85. RADIUS Accounting Stop Record Attributes for CLI user (continued)
RADIUS Attribute code   RADIUS Attribute       Description
46                      Acct-Session-Time      Time the user has received the service.
49                      Acct-Terminate-Cause   Reason for session termination.
61                      NAS-Port-Type          ASYNC for a console session; VIRTUAL for a telnet/SSH session.
Table 86.
Table 88. RADIUS Accounting Stop Record Attributes for dot1x supplicant (continued)
RADIUS Attribute code   RADIUS Attribute       Description
4                       NAS-IP-Address         IPv4 address of the NAS.
95                      NAS-IPv6-Address       IPv6 address of the NAS.
Session Identification Attributes
1                       User-Name              User name, or the supplicant MAC address for MAB.
5                       NAS-Port               Port on which the session is terminated.
6                       Service-Type           Framed (2) for EAP; Call-Check (10) for MAB.
8                       Framed-IP-Address      IPv4 address of the supplicant.
Table 89. Use cases for dot1x supplicant to trigger RADIUS Accounting Start/Stop records (continued)
dot1x event                                                 Accounting type   Attributes
Configure port control to force-unauthorized               Stop              Stop record attributes with termination cause Port-Reinitialized (21).
Interface host mode change (single/multi-host/multi-auth)  Stop              Stop record attributes with termination cause Port-Reinitialized (21).
Configuring AAA Authentication Login Methods
To configure an authentication method and method list, use the following commands.
Dell EMC Networking OS Behavior: If you use a method list on the console port in which RADIUS or TACACS+ is the last authentication method, and the server is not reachable, Dell EMC Networking OS allows access even though the username and password credentials cannot be verified. Because this is a fail-open, do not end a console method list with a server-based method: follow radius or tacacs+ with local (or enable) so that an unreachable server falls back to a locally verified credential rather than to unauthenticated access.
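To make the console fail-open concrete, here is a small Python model of method-list evaluation. It is an added example, not Dell EMC Networking OS code: the console rule (a final radius or tacacs+ method whose server is unreachable lets the login through) is taken from the behaviour note above; treating every other line as fail-closed, and the server reachability, user and password data, are assumptions made for the illustration.

```python
"""Method-list evaluation for `aaa authentication login` (added illustration,
not Dell EMC Networking OS code). Console fail-open is from the guide; the
fail-closed rule for other lines and all credentials are assumptions."""

ACCEPT, REJECT, ERROR = "accept", "reject", "error"   # ERROR: the method could not decide
SERVER_METHODS = ("radius", "tacacs+")


def server_method(reachable, users):
    """radius / tacacs+: an unreachable server returns ERROR, not REJECT, so the
    list falls through to the next method instead of denying the login."""
    def method(user, password):
        if not reachable:
            return ERROR
        return ACCEPT if users.get(user) == password else REJECT
    return method


def local_method(users):
    """local: the switch's own username database always gives a verdict."""
    return lambda user, password: ACCEPT if users.get(user) == password else REJECT


def authenticate(method_list, line, user, password):
    """Walk the list in order; the first ACCEPT or REJECT is final.

    If every method errors out: on the console, with radius/tacacs+ as the
    last method, access is granted without verified credentials (the documented
    fail-open). Every other line is treated as fail-closed (assumption).
    """
    for _name, method in method_list:
        verdict = method(user, password)
        if verdict != ERROR:
            return verdict
    last_method = method_list[-1][0]
    if line == "console" and last_method in SERVER_METHODS:
        return ACCEPT
    return REJECT


def demo():
    """Same credentials, RADIUS unreachable: compare two method lists."""
    radius_down = server_method(reachable=False, users={"netops": "correct-pw"})
    local = local_method({"netops": "local-pw"})
    weak = [("radius", radius_down)]                        # ... login console radius
    hardened = [("radius", radius_down), ("local", local)]  # ... login console radius local
    return {
        "weak_console_bad_pw": authenticate(weak, "console", "netops", "wrong"),
        "weak_vty_bad_pw": authenticate(weak, "vty", "netops", "wrong"),
        "hardened_console_bad_pw": authenticate(hardened, "console", "netops", "wrong"),
        "hardened_console_local_pw": authenticate(hardened, "console", "netops", "local-pw"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The weak list accepts any password on the console once RADIUS is down; the hardened list still rejects a wrong password because local delivers a verdict. Note that while RADIUS is reachable it decides alone, so the local password is not a second way in.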
Enabling AAA Authentication — RADIUS
To enable authentication from the RADIUS server, and use TACACS+ as a backup, use the following commands.
1. Enable RADIUS and set up TACACS+ as backup.
CONFIGURATION mode
aaa authentication enable default radius tacacs
2. Establish the RADIUS host address and key.
CONFIGURATION mode
radius-server host x.x.x.x key some-password
3. Establish the TACACS+ host address and key.
CONFIGURATION mode
tacacs-server host x.x.x.
2. You are prompted to force the users to re-authenticate while adding or removing a RADIUS/TACACS+ server.
CONFIGURATION mode
aaa authentication login method-list-name
Example:
DellEMC(config)#aaa authentication login vty_auth_list radius
Force all logged-in users to re-authenticate (y/n)?
3. You are prompted to force the users to re-authenticate whenever there is a change in the RADIUS server list.
CONFIGURATION mode
radius-server host IP Address
Example:
DellEMC(config)#radius-server host 192.100.0.
Privilege Levels Overview Limiting access to the system is one method of protecting the system and your network. However, at times, you might need to allow others access to the router and you can limit that access to a subset of commands. In Dell EMC Networking OS, you can configure a privilege level for users who need limited access to the system. Every command in Dell EMC Networking OS is assigned a privilege level of 0, 1, or 15. You can configure up to 16 privilege levels in Dell EMC Networking OS.
○ privilege level: the range is from 0 to 15.
○ secret: specify the secret for the user.
To view user names, use the show users command in EXEC Privilege mode.
Configuring the Enable Password Command
To configure Dell EMC Networking OS, use the enable command to enter EXEC Privilege level 15. After entering the command, Dell EMC Networking OS requests that you enter a password. Privilege levels are not assigned to passwords; rather, passwords are assigned to a privilege level.
enable password [level level] [encryption-type] password
Configure the optional and required parameters:
● level level: specify a level from 0 to 15. Level 15 includes all levels.
● encryption-type: enter 0 for plain text or 7 for encrypted text.
● password: enter a string up to 32 characters long.
To change only the password for the enable command, configure only the password parameter.
3. Configure level and commands for a mode or reset a command's level.
exit         Exit from the EXEC
no           Negate a command
show         Show running system information
terminal     Set terminal line parameters
traceroute   Trace route to destination
DellEMC#confi
DellEMC(conf)#?
end          Exit from Configuration mode
exit         Exit from Configuration mode
no           Reset a command
snmp-server  Modify SNMP parameters
DellEMC(conf)#
Specifying LINE Mode Password and Privilege
You can specify a password authentication of all users on different terminal lines.
RADIUS Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol. This protocol transmits authentication, authorization, and configuration information between a central RADIUS server and a RADIUS client (the Dell EMC Networking system). The system sends user information to the RADIUS server and requests authentication of the user and password. The RADIUS server returns one of the following responses: ● Access-Accept — the RADIUS server authenticates the user.
Auto-Command
You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. The auto-command command is executed when the user is authenticated and before the prompt appears to the user.
● Automatically execute a command.
auto-command
Privilege Levels
Through the RADIUS server, you can configure a privilege level for the user to enter into when they connect to a session. This value is configured on the client system.
● Set a privilege level.
Applying the Method List to Terminal Lines
To enable RADIUS AAA login authentication for a method list, apply it to a terminal line. To configure a terminal line for RADIUS authentication and authorization, use the following commands.
● Enter LINE mode.
CONFIGURATION mode
line {aux 0 | console 0 | vty number [end-number]}
● Enable AAA login authentication for the specified RADIUS method list.
CONFIGURATION mode
radius-server deadtime seconds
○ seconds: the range is from 0 to 2147483647. The default is 0 seconds.
● Configure a key for all RADIUS communications between the system and RADIUS server hosts.
CONFIGURATION mode
radius-server key [encryption-type] key
○ encryption-type: enter 7 to store the key in encrypted form, or 0 to keep it as plain text.
○ key: enter a string. The key can be up to 42 characters long. You cannot use spaces in the key.
● Change of Authorization non-Acknowledgement (CoA-Nak) - If the authorization state change is not successful, the NAS sends a CoA-Nak, which is a negative acknowledgement.
Disconnect Messages
Using Disconnect Messages, the NAS can disconnect AAA and dot1x sessions. The NAS can disconnect AAA sessions using either the username or a combination of the username and session ID. The NAS can disconnect dot1x sessions using NAS-Port, Calling-Station-Id, or both.
Table 93. Vendor-specific Attributes
Attribute code   Attribute         Description
26               Vendor-Specific   t=26 (vendor-specific); l=length; vendor-identification-attribute; Length=value; data="cmd=disconnect-user"
The vendor identification attribute can be one of the following:
● v=9 (Cisco); Vendor-Type=1 (cisco-av-pair); Length=value
● v=6027 (Force10); Vendor-Type=1 (Force10-av-pair); Length=value
Table 94. DM Attributes
Attribute code   Attribute               Description
1                User-Name (Mandatory)   Name of the user associated with one or more sessions.
Table 97. CoA EAP/MAB Bounce Port
Radius Attribute code   Radius Attribute   Description                                                                                                 Mandatory
NAS Identification Attributes
4                       NAS-IP-Address     IPv4 address of the NAS.                                                                                    No
95                      NAS-IPv6-Address   IPv6 address of the NAS.                                                                                    No
Session Identification Attributes
5                       NAS-Port           Port on which the session is terminated.                                                                    Yes
Authorization Attributes
26                      Vendor-Specific    t=26 (vendor-specific); l=length; vendor-identification-attribute; Length=value; Data="cmd=bounce-host-port"   Yes
Table 98.
Error-cause Values It is possible that a Dynamic Authorization Server cannot honor Disconnect Message request or CoA request packets for some reason. The Error-Cause Attribute provides more detail on the cause of the problem. It may be included within CoA-Nak and Disconnect-Nak packets. The following table describes various error causes for the CoA and DM requests: Table 100.
NOTE: The Administratively Prohibited Error-Cause also applies to the following scenarios:
○ if the dot1x feature is not enabled on the NAS port.
○ if the NAS port state is administratively down.
CoA or DM Discard
This section lists the actions that the NAS performs when it discards a CoA or DM request. The NAS performs the following activities:
● discards the packet if the dynamic authorization feature is not enabled on the NAS.
● rejects a disconnect message containing a NAS-IP-Address or NAS-IPv6-Address attribute that does not match the NAS with a DM-Nak; the Error-Cause value is "NAS Identification Mismatch" (403).
● responds with a DM-Nak if the NAS is configured to prohibit honoring of disconnect messages; the Error-Cause value is "Administratively Prohibited" (501).
Configuring DAC
You can configure trusted dynamic authorization clients (DACs). This setting enables you to configure more than one DAC.
The NAS disconnects the administrative users who are connected through an AAA interface.
Dell(conf)#radius dynamic-auth
Dell(conf-dynamic-auth)#disconnect-user
The NAS takes the following actions:
● validates the DM request and the session identification attributes.
● sends a DM-Nak with an Error-Cause of 402 (missing attribute) if the DM request does not contain the User-Name.
● sends a DM-Ack if it is able to successfully disconnect the admin user.
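The discard and DM-Nak rules listed in this section, modelled as the decision a NAS makes for one incoming Disconnect Message. This is an added example, not Dell EMC Networking OS code; the NasConfig field names are assumptions, and the 503 value comes from RFC 5176 rather than from this guide.

```python
"""Model of how a NAS decides what to do with an incoming RADIUS Disconnect
Message (DM), following the discard and DM-Nak rules described above.
Added example, not Dell EMC Networking OS code; the config field names are
assumptions made for the example."""
from dataclasses import dataclass
from typing import Optional

# Error-Cause values named in this section (they are the RFC 5176 values).
MISSING_ATTRIBUTE = 402
NAS_IDENTIFICATION_MISMATCH = 403
ADMINISTRATIVELY_PROHIBITED = 501
# Not named in this section; RFC 5176 defines it for an unknown session.
SESSION_CONTEXT_NOT_FOUND = 503


@dataclass
class NasConfig:
    """Hypothetical NAS settings that the rules above depend on."""
    dynamic_auth_enabled: bool      # "radius dynamic-auth" configured
    honor_disconnect: bool          # False models "prohibit disconnect messages"
    nas_ipv4: str
    nas_ipv6: Optional[str] = None


@dataclass
class DmResult:
    action: str                     # "discard", "nak" or "ack"
    error_cause: Optional[int] = None


def handle_disconnect(cfg: NasConfig, attrs: dict, active_users: set) -> DmResult:
    """attrs maps RADIUS attribute names to values from the DM request;
    active_users is the set of admin users with live AAA sessions (it is
    mutated on a successful disconnect)."""
    # Dynamic authorization not enabled: silently discard, no DM-Nak is sent.
    if not cfg.dynamic_auth_enabled:
        return DmResult("discard")
    # NAS identification attributes must match the receiving NAS -> 403.
    if "NAS-IP-Address" in attrs and attrs["NAS-IP-Address"] != cfg.nas_ipv4:
        return DmResult("nak", NAS_IDENTIFICATION_MISMATCH)
    if "NAS-IPv6-Address" in attrs and attrs["NAS-IPv6-Address"] != cfg.nas_ipv6:
        return DmResult("nak", NAS_IDENTIFICATION_MISMATCH)
    # NAS configured to prohibit honoring disconnect messages -> 501.
    if not cfg.honor_disconnect:
        return DmResult("nak", ADMINISTRATIVELY_PROHIBITED)
    # disconnect-user needs User-Name to identify the session -> 402.
    user = attrs.get("User-Name")
    if user is None:
        return DmResult("nak", MISSING_ATTRIBUTE)
    if user in active_users:
        active_users.discard(user)
        return DmResult("ack")
    return DmResult("nak", SESSION_CONTEXT_NOT_FOUND)


if __name__ == "__main__":
    cfg = NasConfig(True, True, "192.0.2.10")           # constructed values
    sessions = {"admin", "angeline"}
    print(handle_disconnect(cfg, {"User-Name": "admin"}, sessions))
    print(handle_disconnect(cfg, {"NAS-IP-Address": "192.0.2.99"}, sessions))
```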
both these attributes are present in the CoA request, the NAS retrieves the supplicant connected to the interface. The EAP or MAB user sessions are re-authenticated, and the NAS sends a CoA-Ack to the user if the re-authentication is successful.
1. Enter the following command to configure the dynamic authorization feature:
radius dynamic-auth
2. Enter the following command to configure the re-authentication of 802.1x sessions:
coa-reauthenticate
The NAS re-initiates the user authentication state.
Disabling an 802.1x-enabled port
Dell EMC Networking OS provides RADIUS extension commands that enable you to disable 802.1x-enabled ports. This command administratively shuts down the port, terminating the dot1x user session. It is useful when a port is known to cause issues in the network and needs to be disabled. Before disabling an 802.1x-enabled port, ensure that the following prerequisites are satisfied:
● A shared key is configured in the NAS for the DAC.
● The NAS stacking module processes RADIUS dynamic authorization messages only if the role of the module is master.
● If the master module fails and the standby module becomes the master, the NAS standby stacking module processes the retransmitted CoA or DM messages without requiring a chassis reboot.
Configuring replay protection
The NAS enables you to configure the replay protection window period. The NAS drops duplicate packets that are received within the replay protection window.
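The replay protection window described above, as an added example (not Dell EMC Networking OS code) of what a NAS can key a duplicate check on: the sender plus the RADIUS header fields that a replayed packet repeats exactly. The header layout is the RFC 2865 one; the class and function names are assumptions for the example.

```python
"""Replay-protection window for RADIUS dynamic authorization (CoA/DM) packets:
a packet identical to one already accepted within the window is dropped.
Added example, not Dell EMC Networking OS code. The RADIUS header layout
(code, identifier, length, 16-byte authenticator) is per RFC 2865."""
import struct
import time

COA_REQUEST = 43          # RFC 5176 packet codes
DISCONNECT_REQUEST = 40
HEADER_LEN = 20


class ReplayWindow:
    def __init__(self, window_seconds: float, clock=time.monotonic):
        self.window = window_seconds
        self.clock = clock            # injectable so tests can control time
        self.seen = {}                # fingerprint -> time first accepted

    @staticmethod
    def fingerprint(src_ip: str, packet: bytes):
        """Key on the sender and the fields a replayed packet repeats exactly:
        code, identifier and the 16-byte Request Authenticator."""
        code, ident, _length, auth = struct.unpack(">BBH16s", packet[:HEADER_LEN])
        return (src_ip, code, ident, auth)

    def accept(self, src_ip: str, packet: bytes) -> bool:
        """Return True if the packet should be processed, False if dropped."""
        if len(packet) < HEADER_LEN:
            return False              # shorter than a RADIUS header: malformed
        now = self.clock()
        # Expire entries older than the window so memory stays bounded.
        self.seen = {k: t for k, t in self.seen.items() if now - t < self.window}
        key = self.fingerprint(src_ip, packet)
        if key in self.seen:
            return False              # duplicate inside the window: drop it
        self.seen[key] = now
        return True


def build_request(code: int, ident: int, authenticator: bytes, attrs: bytes = b"") -> bytes:
    """Constructed packet for demonstration: RADIUS header plus raw attribute bytes."""
    return struct.pack(">BBH16s", code, ident, HEADER_LEN + len(attrs), authenticator) + attrs


if __name__ == "__main__":
    window = ReplayWindow(window_seconds=5.0)
    pkt = build_request(DISCONNECT_REQUEST, 7, bytes(range(16)))   # constructed
    print(window.accept("192.0.2.5", pkt))    # True: first sighting
    print(window.accept("192.0.2.5", pkt))    # False: replay inside the window
```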
Choosing TACACS+ as the Authentication Method
One of the login authentication methods available is TACACS+; the user's name and password are sent for authentication to the specified TACACS+ hosts. To use TACACS+ to authenticate users, specify at least one TACACS+ server for the system to communicate with and configure TACACS+ as one of your authentication methods. To select TACACS+ as the login authentication method, use the following commands.
1. Configure a TACACS+ server host.
vty0 (10.11.9.209)
DellEMC(conf)#username angeline password angeline
DellEMC(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline on vty0 (10.11.9.209)
%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0 ( 10.11.9.209 )
Monitoring TACACS+
To view information on TACACS+ transactions, use the following command.
● View TACACS+ transactions to troubleshoot problems.
To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command.
freebsd2# telnet 2200:2200:2200:2200:2200::2202
Trying 2200:2200:2200:2200:2200::2202...
Connected to 2200:2200:2200:2200:2200::2202.
Escape character is '^]'.
Login: admin
Password:
DellEMC#
Command Authorization
The AAA command authorization feature configures Dell EMC Networking OS to send each configuration command to a TACACS+ server for authorization before it is added to the running configuration.
● Display SSH connection information.
EXEC Privilege mode
show ip ssh
The following example uses the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting.
DellEMC(conf)#ip ssh server version 2
DellEMC(conf)#do show ip ssh
SSH server : enabled.
SSH server version : v2.
SSH server vrf : default.
SSH server ciphers : 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr.
● ip ssh rsa-authentication enable : enable RSA authentication for the SSHv2 server.
● ip ssh rsa-authentication : add keys for the RSA authentication.
● show crypto : display the public part of the SSH host-keys.
● show ip ssh client-pub-keys : display the client public keys used in host-based authentication.
● show ip ssh rsa-authentication : display the authorized-keys for the RSA authentication.
DellEMC#copy scp: flash:
Address or name of remote host []: 10.10.10.
● diffie-hellman-group14-sha1
The default key exchange algorithms are the following:
● diffie-hellman-group-exchange-sha1
● diffie-hellman-group1-sha1
● diffie-hellman-group14-sha1
When FIPS is enabled, the default is diffie-hellman-group14-sha1.
Example of Configuring a Key Exchange Algorithm
The following example shows you how to configure a key exchange algorithm.
● aes128-cbc
● aes192-cbc
● aes256-cbc
● aes128-ctr
● aes192-ctr
● aes256-ctr
The default cipher list is aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc.
Example of Configuring a Cipher List
The following example shows you how to configure a cipher list.
DellEMC(conf)#ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr
Configuring DNS in the SSH Server
Dell EMC Networking provides support to enable DNS in the SSH server configuration for host-based authentication.
SSH server version : v2.
SSH server vrf : default.
SSH server ciphers : 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr.
SSH server macs : hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
5. Disable password authentication and RSA authentication, if configured.
CONFIGURATION mode or EXEC Privilege mode
no ip ssh password-authentication
or
no ip ssh rsa-authentication
6. Enable host-based authentication.
CONFIGURATION mode
ip ssh hostbased-authentication enable
7. Bind shosts and rhosts to host-based authentication.
CONFIGURATION mode
ip ssh pub-key-file flash://filename
or
ip ssh rhostsfile flash://filename
The following example shows creating shosts.
Troubleshooting SSH
To troubleshoot SSH, use the following information.
You may not bind id_rsa.pub to RSA authentication while logged in via the console. In this case, this message displays:
%Error: No username set for this term.
Enable host-based authentication on the server (Dell EMC Networking system) and the client (Unix machine). The following message appears if you attempt to log in via SSH and host-based authentication is disabled on the client.
You can assign line authentication on a per-VTY basis; it is a simple password authentication, using an access-class as authorization. Configure local authentication globally and configure access classes on a per-user basis. You can assign different access classes to different users by username. Until users attempt to log in, the system does not know if they will be assigned a VTY line. This means that incoming users always see a login prompt even if you have excluded them from the VTY line with a deny-all access class.
DellEMC(config-std-mac)#deny any
DellEMC(conf)#
DellEMC(conf)#line vty 0 9
DellEMC(config-line-vty)#access-class sourcemac
DellEMC(config-line-vty)#end
Role-Based Access Control
With Role-Based Access Control (RBAC), access and authorization are controlled based on a user's role. Users are granted permissions based on their user roles, not on their individual user IDs. User roles are created for job functions, and through those roles users acquire the permissions to perform their associated job function.
role. You can modify the permissions specific to that command and/or command option. For more information, see Modifying Command Permissions for Roles.
NOTE: When you enter a user role, you have already been authenticated and authorized. You do not need to enter an enable password because you are automatically placed in EXEC Privilege mode.
For greater security, the ability to view the event, audit, and security system logs is associated with user roles.
line vty 1
 login authentication test
 authorization exec test
To enable role-based only AAA authorization, enter the following command in CONFIGURATION mode:
DellEMC(conf)#aaa authorization role-only
System-Defined RBAC User Roles
By default, the Dell EMC Networking OS provides 4 system-defined user roles. You can create up to 8 additional user roles.
NOTE: You cannot delete any system-defined roles.
modify command permissions. The security administrator and roles inherited by the security administrator can only modify permissions for commands they already have access to.
● Make sure you select the correct role you want to inherit.
● If you inherit a user role, you cannot modify or delete the inheritance. If you want to change or remove the inheritance, delete the user role and create it again. If the user role is in use, you cannot delete the user role.
1.
The following example denies the netadmin role from using the show users command and then verifies that netadmin cannot access the show users command in EXEC mode. Note that the netadmin role is not listed in the output line Role access: secadmin,sysadmin, which means that netadmin cannot access the show users command.
By default, the system-defined role secadmin is not allowed to configure protocols. The following example first grants the secadmin role permission to configure protocols and then removes that permission.
DellEMC(conf)#role configure addrole secadmin protocol
DellEMC(conf)#role configure deleterole secadmin protocol
Example: Reset Only the Security Administrator Role to Its Original Setting
The following example resets only the secadmin role to its original setting.
that have only privilege levels are denied access to the system because they do not have a role. For information about role only mode, see Configuring Role-based Only AAA Authorization. NOTE: Authentication services only validate the user ID and password combination. To determine which commands are permitted for users, configure authorization. For information about how to configure authorization for roles, see Configure AAA Authorization for Roles.
line vty 2
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 3
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 4
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 5
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 6
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 7
 login
In the following example, you create an AV pair for a user-defined role. You must also define a role, using the userrole myrole inherit command on the switch, to associate it with this AV pair.
Force10-avpair="shell:role=myrole"
The string "myrole" is associated with a TACACS+ user group. The user IDs are associated with the user group.
Role Accounting
This section describes how to configure role accounting and how to display active sessions for roles.
Display Information About User Roles
This section describes how to display information about user roles and consists of the following topics:
● Displaying User Roles
● Displaying Information About Roles Logged into the Switch
● Displaying Active Accounting Sessions for Roles
Displaying User Roles
To display user roles, use the show userroles and show users commands in EXEC Privilege mode.
*  3  vty 1  sec1  secadmin  14  idle  172.31.1.4
   4  vty 2  ml1   netadmin  12  idle  172.31.1.5
Two Factor Authentication (2FA)
Two-factor authentication, also known as 2FA, strengthens login security by requiring a one-time password (OTP) in addition to the username and password. 2FA supports RADIUS authentication with Console, Telnet, and SSHv2. To perform 2FA, follow these steps:
● When the Network Access Server (NAS) prompts for the username and password, provide the inputs.
Challenge Response Auth : enabled.
Vty    Encryption    HMAC        Remote IP
2      aes128-cbc    hmac-md5    10.16.127.141
4      aes128-cbc    hmac-md5    10.16.127.141
* 5    aes128-cbc    hmac-md5    10.16.127.141
DellEMC#
SMS-OTP Mechanism
A short message service one-time password (SMS-OTP) is a free RADIUS module that implements two-factor authentication. There are multiple 2FA mechanisms that can be deployed with RADIUS.
Table 102. Suppressed ICMP message types (continued)
ICMPv4 message types
Address mask request (17)
Address mask reply (18)
NOTE: The Dell EMC Networking OS does not suppress the ICMP message type echo request (8).
Table 103.
Dell EMC Networking OS Security Hardening
The security of a network consists of multiple factors. Apart from access to the device, best practices, and implementing various security features, security also lies with the integrity of the device. If the software itself is compromised, all of the aforementioned methods become ineffective. The Dell EMC Networking OS is enhanced to verify whether the OS image and the startup configuration file have been altered before loading them.
● Use the following command to upgrade the Dell EMC Networking OS and enter the hash value when prompted.
EXEC Privilege mode
upgrade system
DellEMC# upgrade system tftp://10.16.127.35/FTOS-SE-9.11.0.1 A:
Hash Value: e42e2548783c2d5db239ea2fa9de4232
!!!!!!!!!!!!!!...
Startup Configuration Verification
Dell EMC Networking OS comes with a startup configuration verification feature.
After you enable and configure startup configuration verification, the device verifies the hash checksum of the startup configuration during every reload.
DellEMC# verified boot hash startup-config 619A8C1B7A2BC9692A221E2151B9DA9E
Configuring the root User Password
For added security, you can change the root user password. If you configure the secure-cli command on the system, the Dell EMC Networking OS resets any previously configured root access password without displaying a warning message.
○ A minimum of one special character, including a space (" !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~")
If you enable the boot access password, the system prompts for a password when you access the GRUB interface.
DellEMC(conf)#boot-access password 7 Hg$7^5HMoiY%
***********************************************************************
* Warning - boot-access password will enable password protection in   *
* GRUB. Keep it safe. Forgetting this password and the CLI password   *
* may result in switch becoming inaccessible.
48 Service Provider Bridging
Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell EMC Networking OS.
Topics:
• VLAN Stacking
• VLAN Stacking Packet Drop Precedence
• Dynamic Mode CoS for VLAN Stacking
• Layer 2 Protocol Tunneling
• Provider Backbone Bridging
VLAN Stacking
VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.
Figure 118. VLAN Stacking in a Service Provider Network
Important Points to Remember
● Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN.
● Dell EMC Networking cautions against using the same MAC address on different customer VLANs on the same VLAN-Stack VLAN.
Related Configuration Tasks
● Configuring the Protocol Type Value for the Outer VLAN Tag
● Configuring Dell EMC Networking OS Options for Trunk Ports
● Debugging VLAN Stacking
● VLAN Stacking in Multi-Vendor Networks
Creating Access and Trunk Ports
To create access and trunk ports, use the following commands.
● Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
Configuring the Protocol Type Value for the Outer VLAN Tag
The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command.
● Select a value for the S-Tag TPID.
CONFIGURATION mode
vlan-stack protocol-type
The default is 9100.
To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC Privilege mode. Dell EMC Networking OS displays the S-Tag TPID only if it is a non-default value.
Debugging VLAN Stacking
To debug VLAN stacking, use the following command.
● Debug the internal state and membership of a VLAN and its ports.
debug member
The port notations are as follows:
● MT — stacked trunk
● MU — stacked access port
● T — 802.1Q trunk port
● U — 802.
Figure 119.
Figure 120.
Figure 121. Single and Double-Tag TPID Mismatch
VLAN Stacking Packet Drop Precedence
VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested.
Enabling Drop Eligibility
Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
Table 104. Drop Eligibility Behavior (continued)
Ingress | Egress | DEI Disabled | DEI Enabled
Trunk Port | Trunk Port | Retain inner tag CFI. Retain outer tag CFI. | Retain inner tag CFI. Set outer tag CFI to 0.
Access Port | Trunk Port | Retain inner tag CFI. Set outer tag CFI to 0. | Retain inner tag CFI. Set outer tag CFI to 0.
To enable drop eligibility globally, use the following command.
● Make packets eligible for dropping based on their DEI value.
To display the DEI-marking configuration, use the show interface dei-mark [interface slot/port/subport] command in EXEC Privilege mode.
DellEMC#show interface dei-mark
Default CFI/DEI Marking: 0
Interface   Drop precedence   CFI/DEI
--------------------------------
Te 1/1/1    Green    0
Te 1/1/1    Yellow   1
Te 2/9/1    Yellow   0
Te 2/10/1   Yellow   0
Dynamic Mode CoS for VLAN Stacking
One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.
Examples of QoS Interface Configuration and Rate Policing
policy-map-input in layer2
 service-queue 3 class-map a qos-policy 3
!
class-map match-any a layer2
 match mac access-group a
!
mac access-list standard a
 seq 5 permit any
!
qos-policy-input 3 layer2
 rate-police 40
Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3.
NOTE: Because dot1p-mapping marks and queues packets, the only remaining applicable QoS configuration is rate metering. You may use Rate Shaping or Rate Policing.
Layer 2 Protocol Tunneling
Spanning tree bridge protocol data units (BPDUs) use a reserved destination MAC address called the bridge group address, which is 01-80-C2-00-00-00. Only spanning-tree bridges on the local area network (LAN) recognize this address and process the BPDU.
Dell EMC Networking OS Behavior: In Dell EMC Networking OS versions prior to 8.2.1.0, the MAC address that Dell EMC Networking systems use to overwrite the Bridge Group Address on ingress was non-configurable. The value of the L2PT MAC address was the Dell EMC Networking-unique MAC address, 01-01-e8-00-00-00.
EXEC Privilege mode
show cam-profile
2. Enable protocol tunneling globally on the system.
CONFIGURATION mode
protocol-tunnel enable
3. Tunnel BPDUs on the VLAN.
INTERFACE VLAN mode
protocol-tunnel stp
Specifying a Destination MAC Address for BPDUs
By default, Dell EMC Networking OS uses a Dell EMC Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
Provider Backbone Bridging
IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use the 802.1Q architecture to offer separate VLANs to customers with no coordination between customers and minimal coordination between customers and the provider. 802.
49 sFlow
sFlow is a standards-based sampling technology embedded within switches and routers that is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
● If the global sampling rate is non-default, for example 256, and if the sampling rate is not configured on the interface, the sampling rate of the interface is the global non-default sampling rate, that is, 256. To avoid the back-off, either increase the global sampling rate or configure all the line card ports with the desired sampling rate even if some ports have no sFlow configured.
Hu 1/2/1: configured rate 131072, actual rate 131072
DellEMC#
If you did not enable any extended information, the show output displays the following (shown in bold).
Example of the show running-config sflow Command
sFlow Show Commands
Dell EMC Networking OS includes the following sFlow display commands.
● Displaying Show sFlow Globally
● Displaying Show sFlow on an Interface
● Displaying Show sFlow on a Line Card
Displaying Show sFlow Globally
To view sFlow statistics, use the following command.
● Display sFlow configuration information and statistics.
EXEC mode
show sflow
The first bold line indicates sFlow is globally enabled.
 sflow sample-rate 8192
 no shutdown
Displaying Show sFlow on a Stack-unit
To view sFlow statistics on a specified stack-unit, use the following command.
● Display sFlow configuration information and statistics on the specified interface.
This is as per the sFlow version 5 draft. After back-off changes the sample rate, you must manually change the sampling rate to the desired value. As a result of back-off, the actual sampling rate of an interface may differ from its configured sampling rate. You can view the actual sampling rate of the interface and the configured sample rate by using the show sflow command.
sFlow on LAG ports
When a physical port becomes a member of a LAG, it inherits the sFlow configuration from the LAG port.
Important Points to Remember
● To export extended-gateway data, BGP must learn the IP destination address.
● If the IP destination address is not learned via BGP, the Dell EMC Networking system does not export extended-gateway data.
● If the IP source address is learned via IGP, srcAS and srcPeerAS are zero.
● The srcAS and srcPeerAS might be zero even though the IP source address is learned via BGP.
50 Simple Network Management Protocol (SNMP)
The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention.
NOTE: On Dell EMC Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
• Monitor Port-Channels
• Troubleshooting SNMP Operation
• Transceiver Monitoring
• Configuring SNMP context name
Protocol Overview
Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB).
In this example, for a specified user and a group, the AES128-CFB algorithm, the authentication password to enable the server to receive packets from the host, and the privacy password to encode the message contents are configured. SHA authentication needs to be used with the AES-CFB128 privacy algorithm only when FIPS is enabled because SHA is then the only available authentication level.
Set up SNMP
As previously stated, Dell EMC Networking OS supports SNMP version 1 and version 2, which are community-based security models. The primary difference between the two versions is that version 2 supports two additional protocol operations (the informs operation and the snmpgetbulk query) and one additional object (the counter64 object). SNMP version 3 (SNMPv3) is a user-based security model that provides password authentication for user security and encryption for data security and privacy.
snmp-server group group-name 3 noauth auth read name write name
● Configure an SNMPv3 view.
CONFIGURATION mode
snmp-server view view-name oid-tree {included | excluded}
NOTE: To give a user read and write view privileges, repeat this step for each privilege type.
● Configure the user with an authorization password (password privileges only).
CONFIGURATION mode
snmp-server user name group-name 3 noauth auth md5 auth-password
● Configure an SNMP group (password privileges only).
Reading Managed Object Values
You may only retrieve (read) managed object values if your management station is a member of the same community as the SNMP agent. Dell EMC Networking supports RFC 4001, Textual Conventions for Internet Network Addresses, which defines values representing a type of internet address. These values display for ipAddressTable objects using the snmpwalk command. There are several UNIX SNMP commands that read data.
● Read the value of a single managed object.
Configuring Contact and Location Information using SNMP You may configure system contact and location information from the Dell EMC Networking system or from the management station using SNMP. To configure system contact and location information from the Dell EMC Networking system and from the management station using SNMP, use the following commands.
To send informational messages, enter the keyword informs. To specify the SNMP version to use for notification messages, enter the keyword version. To identify the SNMPv1 community string, enter the name of the community string.
2. Specify which traps the Dell EMC Networking system sends to the trap receiver.
CONFIGURATION mode
snmp-server enable traps
Enable all Dell EMC Networking enterprise-specific and RFC-defined traps using the snmp-server enable traps command from CONFIGURATION mode.
CONFIGURATION mode
snmp-server enable traps snmp syslog-unreachable
To enable an SNMP agent to send a trap when the syslog server resumes connectivity, enter the following command:
CONFIGURATION mode
snmp-server enable traps snmp syslog-reachable
Table 107. List of Syslog Server MIBs that have read access
MIB Object | OID | Object Values | Description
dF10SysLogTraps | 1.3.6.1.4.1.6027.3.30.1.1 | 1 = reachable, 2 = unreachable | Specifies whether the syslog server is reachable or unreachable.
Table 108. MIB Objects for Copying Configuration Files via SNMP (continued)
MIB Object | OID | Object Values | Description
copySrcFileType (continued) | | 2 = running-config, 3 = startup-config | ● If copySrcFileType is running-config or startup-config, the default copySrcFileLocation is flash. ● If copySrcFileType is a binary file, you must also specify copySrcFileLocation and copySrcFileName.
copySrcFileLocation | .1.3.6.1.4.1.6027.3.5.1.1.1.1.3 | 1 = flash, 2 = slot0, 3 = tftp, 4 = ftp, 5 = scp, 6 = usbflash |
copySrcFileName | |
copyDestFileType | .
Table 108. MIB Objects for Copying Configuration Files via SNMP (continued)
MIB Object | OID | Object Values | Description
copyUserName | .1.3.6.1.4.1.6027.3.5.1.1.1.1.9 | Username for the server. | Username for the FTP, TFTP, or SCP server. ● If you specify copyUserName, you must also specify copyUserPassword.
copyUserPassword | .1.3.6.1.4.1.6027.3.5.1.1.1.1.10 | Password for the server. | Password for the FTP, TFTP, or SCP server.
Copying Configuration Files via SNMP
To copy the running-config to the startup-config from the UNIX machine, use the following command.
● Copy the running-config to the startup-config from the UNIX machine.
snmpset -v 2c -c public force10system-ip-address copySrcFileType.index i 2 copyDestFileType.index i 3
The following examples show the command syntax using MIB object names and the same command using the object OIDs. In both cases, a unique index number follows the object.
copyServerAddress.110 a 11.11.11.11 copyUserName.110 s mylogin copyUserPassword.110 s mypass
FTOS-COPY-CONFIG-MIB::copySrcFileType.110 = INTEGER: runningConfig(2)
FTOS-COPY-CONFIG-MIB::copyDestFileName.110 = STRING: /home/startup-config
FTOS-COPY-CONFIG-MIB::copyDestFileLocation.110 = INTEGER: ftp(4)
FTOS-COPY-CONFIG-MIB::copyServerAddress.110 = IpAddress: 11.11.11.11
FTOS-COPY-CONFIG-MIB::copyUserName.110 = STRING: mylogin
FTOS-COPY-CONFIG-MIB::copyUserPassword.
Table 109. Additional MIB Objects for Copying Configuration Files via SNMP (continued)
MIB Object | OID | Values | Description
copyTimeCompleted | .1.3.6.1.4.1.6027.3.5.1.1.1.1.13 | Time value | Specifies the point in the uptime clock at which the copy operation completed.
copyFailCause | .1.3.6.1.4.1.6027.3.5.1.1.1.1.14 | 1 = bad filename, 2 = copy in progress, 3 = disk full, 4 = file exists, 5 = file not found, 6 = timeout, 7 = unknown | Specifies the reason the copy request failed.
copyEntryRowStatus | .1.3.6.1.4.1.6027.
MIB Support to Display Reason for Last System Reboot
Dell EMC Networking provides MIB objects to display the reason for the last system reboot. The dellNetProcessorResetReason object contains the reason for the last system reboot. The following table lists the related MIB objects.
Table 110. MIB Objects for Displaying Reason for Last System Reboot
MIB Object | OID | Description
dellNetProcessorResetReason | 1.3.6.1.4.1.6027.3.26.1.4.3.1.7 | This is the table that contains the reason for the last system reboot.
SNMP Walk Example Output
snmpwalk -v 2c -c public 10.16.131.156 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.5
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.5.11 = INTEGER: 48
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.5.12 = INTEGER: 40
snmpwalk -v 2c -c public 10.16.131.156 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.6
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.6.11 = INTEGER: 31
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.6.12 = INTEGER: 26
snmpwalk -v 2c -c public 10.16.131.
Table 112. MIB Objects to Display support for 25G, 40G, 50G, 100G Optical Transceiver or DAC cable IDPROM user info (continued)
MIB Object | OID | Description
dellNetIfTransTemperature | 1.3.6.1.4.1.6027.3.11.1.3.1.1.16 | Specifies the temperature value of the inserted optics.
SNMP Example Output (Single Interface)
DellEMC$ snmpwalk -v 2c -c public -m all -M 10.16.150.140 .1.3.6.1.4.1.6027.3.11.1.3 | grep 2112517
DELL-NETWORKING-IF-EXTENSION-MIB::dellNetIfTransDeviceName.
MIB Support to Display the Software Core Files Generated by the System
Dell EMC Networking provides MIB objects to display the software core files generated by the system. The chSysSwCoresTable contains the list of software core files generated by the system. The following table lists the related MIB objects.
Table 114. MIB Objects for Displaying the Software Core Files Generated by the System
MIB Object | OID | Description
chSysSwCoresTable | 1.3.6.1.4.1.6027.3.10.1.2.
MIB Support for PFC Storm Control
Dell EMC Networking provides MIB objects to display the information for PFC Storm Control. The OIDs specific to PFC Storm Control are appended to the dellNetFpStatsMib. These statistics can also be obtained by using the CLI commands show storm-control pfc status stack-unit <> port-set <> and show storm-control pfc statistics stack-unit <> port-set <>. The following table lists the related MIB objects, OIDs, and descriptions:
Table 115.
Table 116. MIB Objects to Display the Information for PFC no-drop-priority L2Dlf Drop

MIB Object                          OID                            Description
dellNetFpPfcL2DlfDropCounterTable   1.3.6.1.4.1.6027.3.27.1.22     Table to show the drop counters of pfc-no-drop-priority l2-dlf drop.
dellNetFpPfcL2DlfDropCounterEntry   1.3.6.1.4.1.6027.3.27.1.22.1   Table entry to show the drop counters of pfc-no-drop-priority l2-dlf drop.
dellNetFpPfcL2DlfDropCounters       1.3.6.1.4.1.6027.3.27.1.22.1.
● 31997973 is the count of red packet-drops (Out of Profile Drops).

MIB Support to Display the Available Partitions on Flash

Dell EMC Networking provides MIB objects to display information about the various partitions, such as /flash, /tmp, /usr/pkg, and /f10/ConfD. The dellNetFlashStorageTable table contains the list of all partitions on disk. The following table lists the related MIB objects:

Table 119.
MIB Support to Display ECMP Group Count

Dell EMC Networking OS provides MIB objects to display ECMP group count information. The following table lists the related MIB objects:

Table 122. MIB Objects to Display ECMP Group Count

MIB Object                  OID                        Description
dellNetInetCidrECMPGrpMax   1.3.6.1.4.1.6027.3.9.1.6   Total CAM for ECMP group.
dellNetInetCidrECMPGrpUsed  1.3.6.1.4.1.6027.3.9.1.7   Used CAM for ECMP group.
dellNetInetCidrECMPGrpAvl   1.3.6.1.4.1.6027.3.9.1.
INTEGER: 2097157
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.100.100.100.0.24.1.4.10.1.1.1.1.4.10.1.1.1 = INTEGER: 2098693
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.100.100.100.0.24.1.4.20.1.1.1.1.4.20.1.1.1 = INTEGER: 1258296320
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.100.100.100.0.24.1.4.30.1.1.1.1.4.30.1.1.1 = INTEGER: 1275078656
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.10.1.1.0.24.0.0.0.0 = ""
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.10.1.1.1.32.1.4.10.1.1.1.1.4.10.1.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.70.70.70.0.24.0.0.0.0 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.70.70.70.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.70.70.70.2.32.1.4.70.70.70.2.1.4.70.70.70.2 = STRING: "Fo 1/1/1"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.80.80.80.0.24.1.4.10.1.1.1.1.4.10.1.1.1 = STRING: "Fo 1/4/1"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.80.80.80.0.24.1.4.20.1.1.1.1.4.20.1.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.100.100.100.0.24.1.4.10.1.1.1.1.4.10.1.1.1 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.100.100.100.0.24.1.4.20.1.1.1.1.4.20.1.1.1 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.100.100.100.0.24.1.4.30.1.1.1.1.4.30.1.1.1 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.6.0 = Gauge32: 2048
SNMPv2-SMI::enterprises.6027.3.9.1.7.0 = Gauge32: 1
SNMPv2-SMI::enterprises.6027.3.9.1.8.
Table 123. MIB Objects for Displaying the Details of FEC BER (continued)

MIB Object                           OID                              Description
dellNetFpEgTTLThresholdDrops         1.3.6.1.4.1.6027.3.27.1.3.1.17   TTL Threshold Drops.
dellNetFpEgInvalidVLANCounterDrops   1.3.6.1.4.1.6027.3.27.1.3.1.18   Invalid VLAN Counter Drops.
dellNetFpEgL2MCDrops                 1.3.6.1.4.1.6027.3.27.1.3.1.19   L2 MC Drops.
dellNetFpEgPktDropsOfAnyCondition    1.3.6.1.4.1.6027.3.27.1.3.1.20   Packet Drops of ANY Conditions.
dellNetFpEgHgMacUnderFlow            1.3.6.1.4.1.6027.3.27.1.3.1.
.1.3.6.1.2.1.47.1.3.2.1.2.25.0 = OID: .1.3.6.1.2.1.2.2.1.1.2099717
.1.3.6.1.2.1.47.1.3.2.1.2.29.0 = OID: .1.3.6.1.2.1.2.2.1.1.2100228
.1.3.6.1.2.1.47.1.3.2.1.2.30.0 = OID: .1.3.6.1.2.1.2.2.1.1.2100356
.1.3.6.1.2.1.47.1.3.2.1.2.31.0 = OID: .1.3.6.1.2.1.2.2.1.1.2100484

MIB Support for LAG

Dell EMC Networking provides a method to retrieve the configured LACP information (Actor and Partner).
Table 125. MIB Objects for LAG (continued)

MIB Object                   OID                              Description
dot3adAggPartnerOperKey      1.2.840.10006.300.43.1.1.1.1.9   Contains the current operational value of the key for the Aggregator's current protocol partner.
dot3adAggCollectorMaxDelay   1.2.840.10006.300.43.1.1.1.1.
MIB Support to Display Unrecognized LLDP TLVs

This section describes the MIB objects that display information about reserved and organizationally specific unrecognized LLDP TLVs.

MIB Support to Display Reserved Unrecognized LLDP TLVs

The lldpRemUnknownTLVTable contains information about incoming reserved LLDP TLVs that are not recognized by the local neighbor. The following table lists the related MIB objects:

Table 126.
MIB Support to Display Organizational Specific Unrecognized LLDP TLVs

The lldpRemOrgDefInfoTable contains organizationally defined information that is not recognized by the local neighbor. The following table lists the related MIB objects:

Table 127. MIB Objects for Displaying Organizational Specific Unrecognized LLDP TLVs

MIB Object               OID                    Description
lldpRemOrgDefInfoTable   1.0.8802.1.1.2.1.4.4   This table contains organizationally defined information that is not recognized by the local neighbor.
Global MIB objects for port security

This section describes the scalar MIB objects of the global MIB dellNetPortSecGlobalObjects. The following table shows the scalar global MIB objects for port security.

Table 128. Global MIB Objects for Port Security

MIB Object                      OID                           Access or Permission   Description
dellNetGlobalPortSecurityMode   1.3.6.1.4.1.6027.3.31.1.1.1   read-write             Enables or disables the port security feature globally on the device.
dellNetGlobalTotalSecureAddr    1.3.6.1.4.1.6027.3.31.1.1.
Table 129. Interface level MIB Objects for Port Security (continued)

MIB Object                                OID                               Access or Permission   Description
dellNetPortSecIfStickyEnable              1.3.6.1.4.1.6027.3.31.1.2.1.1.8   read-write             Enables or disables the sticky port security feature on this interface.
dellNetPortSecIfClearSecureMacAddresses   1.3.6.1.4.1.6027.3.31.1.2.1.1.9   read-write             Deletes secure MAC addresses based on the specified type.
dellNetPortSecIfResetViolationStatus      1.3.6.1.4.1.6027.3.31.1.2.1.1.
Table 130. MIB Objects for configuring MAC addresses

MIB Object                               OID   Access or Permission   Description
dellNetPortSecSecureStaticMacAddrTable.

Enabling and viewing SNMP for static MAC addresses

You can enable and view SNMP for static MAC addresses using the snmpset and snmpget commands. The following example shows how to enable and view the static MAC addresses. To configure a static MAC address (00:00:00:00:11:11) on a VLAN (100) on an interface whose ifIndex is 2101252, use the following command.
MIB Support for CAM

Dell EMC Networking provides a method to retrieve the CAM usage information. The following table lists the related MIB objects:

Table 132. MIB Objects for CAM

MIB Object           OID                               Description
camUsageL2PipeLine   1.3.6.1.4.1.6027.3.7.1.1.2.1.11   Contains information about the pipeline number of the chip on the layer 2 switch where the CAM is located.
camUsageL3Pi         1.3.6.1.4.1.6027.3.7.1.1.3.1.
MIB support for MAC notification traps

Dell EMC Networking OS provides MIB support to generate SNMP trap messages on learning or station move of a new or existing MAC address in the system, with mac-address, vlan-id, and port details. The following table lists the related MIB objects, OIDs, and descriptions:

Table 133. MIB Objects for MAC notification traps

MIB Object           OID                       Description
dellNetMacNotifMib   1.3.6.1.4.1.6027.3.28.1   Contains the MAC notification groups.
Manage VLANs using SNMP

The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allow you to use SNMP to manage VLANs.

Creating a VLAN

To create a VLAN, use the dot1qVlanStaticRowStatus object. The snmpset operation shown in the following example creates VLAN 10 by specifying a value of 4 for instance 10 of the dot1qVlanStaticRowStatus object.

> snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4
SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.
respectively. To set the time to wait until the BGP sessions are up, set 1.3.6.1.4.1.6027.3.18.1.3 and 1.3.6.1.4.1.6027.3.18.1.6.

Enabling and Disabling a Port using SNMP

To enable and disable a port using SNMP, use the following commands.

1. Create an SNMP community on the Dell system.
   CONFIGURATION mode
   snmp-server community
2. From the Dell EMC Networking system, identify the interface index of the port for which you want to change the admin status.
example, the decimal equivalent of E8 is 232, and so the instance number for MAC address 00:01:e8:06:95:ac is .0.1.232.6.149.172. The value of dot1dTpFdbPort is the port number of the port on which the system learns the MAC address. In this case, for TenGigabitEthernet 1/1/2/1, the manager returns the integer 118.
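The two index encodings that the snmpset and snmpget examples in this section rely on, written out as an added example (this is not code from the guide): the dot1dTpFdbTable instance derived from a MAC address, as worked through above for 00:01:e8:06:95:ac, and the Q-BRIDGE-MIB PortList octet string that the hex value of dot1qVlanStaticEgressPorts carries in the VLAN example. The OIDs are the standard ones from RFC 1493 and RFC 2674; no switch address or community string is assumed.

```python
"""BRIDGE-MIB / Q-BRIDGE-MIB index helpers. Added example, not part of the Dell guide."""
import re

# Object identifiers from RFC 1493 (BRIDGE-MIB) and RFC 2674 (Q-BRIDGE-MIB).
DOT1D_TP_FDB_PORT = ".1.3.6.1.2.1.17.4.3.1.2"
DOT1Q_VLAN_STATIC_EGRESS_PORTS = ".1.3.6.1.2.1.17.7.1.4.3.1.2"
DOT1Q_VLAN_STATIC_ROW_STATUS = ".1.3.6.1.2.1.17.7.1.4.3.1.5"


def mac_to_fdb_instance(mac: str) -> str:
    """dot1dTpFdbTable is indexed by the MAC address, one decimal sub-identifier per octet:
    00:01:e8:06:95:ac -> .0.1.232.6.149.172 (the value the guide works through)."""
    octets = re.split(r"[:\-]", mac.strip())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "." + ".".join(str(int(o, 16)) for o in octets)


def fdb_instance_to_mac(instance: str) -> str:
    """Inverse of mac_to_fdb_instance, for turning an snmpwalk row back into a MAC address."""
    parts = [p for p in instance.split(".") if p]
    if len(parts) != 6 or not all(p.isdigit() and int(p) < 256 for p in parts):
        raise ValueError(f"not a dot1dTpFdbTable instance: {instance!r}")
    return ":".join(f"{int(p):02x}" for p in parts)


def portlist_from_ports(ports, n_octets: int) -> bytes:
    """Build a Q-BRIDGE-MIB PortList: octet 1 covers ports 1-8, octet 2 ports 9-16, and so
    on, with the most significant bit of each octet standing for the lowest-numbered port."""
    buf = bytearray(n_octets)
    for port in ports:
        if not 1 <= port <= 8 * n_octets:
            raise ValueError(f"port {port} does not fit in {n_octets} octets")
        index, bit = divmod(port - 1, 8)
        buf[index] |= 0x80 >> bit
    return bytes(buf)


def ports_from_portlist(hex_octets: str) -> list:
    """Decode the x "40 00 00 ..." value shown by snmpset/snmpget into port numbers."""
    data = bytes.fromhex(hex_octets)          # whitespace between octets is ignored
    ports = []
    for index, octet in enumerate(data):
        for bit in range(8):
            if octet & (0x80 >> bit):
                ports.append(8 * index + bit + 1)
    return ports


def to_snmpset_hex(data: bytes) -> str:
    """Format an octet string the way snmpset expects it for the x (hex string) type."""
    return " ".join(f"{b:02x}" for b in data)


def egress_ports_snmpset_args(vlan_id: int, ports, n_octets: int) -> list:
    """Trailing snmpset arguments that set dot1qVlanStaticEgressPorts for one VLAN, i.e. the
    <oid>.<vlan> x "<octets>" part of: snmpset -v2c -c <community> <switch> ..."""
    octets = to_snmpset_hex(portlist_from_ports(ports, n_octets))
    return [f"{DOT1Q_VLAN_STATIC_EGRESS_PORTS}.{vlan_id}", "x", octets]


if __name__ == "__main__":
    print(DOT1D_TP_FDB_PORT + mac_to_fdb_instance("00:01:e8:06:95:ac"))
    print(ports_from_portlist("40 00 00 00"))       # the 0x40 first octet means port 2
    print(" ".join(egress_ports_snmpset_args(10, [2], 4)))
```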
MIB Objects for Viewing the System Image on Flash Partitions

To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object; to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object.

Table 135. MIB Objects for Viewing the System Image on Flash Partitions

MIB Object                   OID                                Description
chSysSwInPartitionAImgVers   1.3.6.1.4.1.6027.3.10.1.2.8.1.11   Lists the version string of the system image in Flash Partition A.
● snmp-server community VRF2 ro
● snmp-server context cx1
● snmp-server context cx2
● snmp-server group admingroup 3 auth read readview write writeview
● snmp-server group admingroup 3 auth read readview context cx1
● snmp-server group admingroup 3 auth read readview context cx2
● snmp-server user admin admingroup 3 auth md5 helloworld
● snmp mib community-map VRF1 context cx1
● snmp mib community-map VRF2 context cx2
● snmp-server view readview .1 included
● snmp-server view writeview .1 included
2.
Monitor Port-Channels

To check the status of a Layer 2 port-channel, use f10LinkAggMib (.1.3.6.1.4.1.6027.3.2). In the following example, Po 1 is a switchport and Po 2 is in Layer 3 mode.

Example of SNMP Trap for Monitored Port-Channels

[senthilnathan@lithium ~]$ snmpwalk -v 2c -c public 10.11.1.1 .1.3.6.1.4.1.6027.3.2.1.1
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.1 = INTEGER: 1
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.2 = INTEGER: 2
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.2.
IF-MIB::linkUp
IF-MIB::ifIndex.1107755009 = INTEGER: 1107755009
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Po 1"

Troubleshooting SNMP Operation

When you use SNMP to retrieve management data from an SNMP agent on a Dell EMC Networking router, take into account the following behavior.

● When you query an IPv4 icmpMsgStatsInPkts object in the ICMP table by using the snmpwalk command, the output for echo replies may be incorrectly displayed.
Table 136. SNMP OIDs for Transceiver Monitoring (continued)

Field (OID)                                    Description
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.4    Optics Type
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.5    Vendor Name
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.6    Part Number
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.7    Serial Number
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.8    Transmit Power Lane1
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.9    Transmit Power Lane2
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.
51 Storm Control

Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces.

Dell EMC Networking Operating System (OS) Behavior: Dell EMC Networking OS supports unknown-unicast, multicast, and broadcast control for Layer 2 and Layer 3 traffic.

To view the storm control configuration for broadcast, multicast, unknown-unicast, or PFC/LLFC traffic, use the show storm-control broadcast | multicast | unknown-unicast | pfc-llfc [interface] command.
● Configure the packets per second of multicast traffic allowed on a C-Series or S-Series interface (ingress only, network only).
  INTERFACE mode
  storm-control multicast packets_per_second in
● Shut down the port if it receives PFC/LLFC packets at more than the configured rate.
  INTERFACE mode
  storm-control pfc-llfc pps in shutdown

NOTE: An interface with PFC/LLFC storm control enabled is disabled if it receives continuous PFC/LLFC packets.
Detect PFC Storm

The following section explains the procedure to detect a PFC storm. You can detect a PFC storm by periodically polling the lossless queues of a port or priority. When the queue depth is not equal to zero, or when the queue still has traffic after a subsequent number of polls, the port or priority is detected as having a PFC storm.

● Use the polling-interval {interval in milliseconds} command to set the polling interval. The queue traffic and egress counters are polled.
[Output of the storm control show command: one row per interface for Te 0/0, Te 0/1, Te 0/2, Te 0/3, Te 0/4, Te 0/5, and Te 0/80, each listing priorities 3, 4, 5, and 6 with their per-priority counters; the column headings did not survive extraction]
DellEMC#
52 Spanning Tree Protocol (STP)

The spanning tree protocol (STP) is supported on Dell EMC Networking OS.
● Modifying Global Parameters
● Modifying Interface STP Parameters
● Enabling PortFast
● Prevent Network Disruptions with BPDU Guard
● STP Root Guard
● Enabling SNMP Traps for Root Elections and Topology Changes
● Configuring Spanning Trees as Hitless

Important Points to Remember

● STP is disabled by default.
● The Dell EMC Networking OS supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+).
Configuring Interfaces for Layer 2 Mode

All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled.

Figure 125. Example of Configuring Interfaces for Layer 2 Mode

To configure and enable the interfaces for Layer 2, use the following commands.

1. If the interface has been assigned an IP address, remove it.
   INTERFACE mode
   no ip address
2. Place the interface in Layer 2 mode.
   INTERFACE mode
   switchport
3. Enable the interface.
no shutdown
DellEMC(conf-if-te-1/1/1/1)#

Enabling Spanning Tree Protocol Globally

Enable the spanning tree protocol globally; it is not enabled by default. When you enable STP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the Spanning Tree topology.

● Only one path from any bridge to any other bridge participating in STP is enabled.
● Bridges block a redundant path by disabling one of the link ports.

Figure 126.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC Privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.

R2#show spanning-tree 0
Executing IEEE compatible Spanning Tree Protocol
  Bridge Identifier has priority 32768, address 0001.e826.ddb7
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 32768, address 0001.e80d.
Modifying Global Parameters

You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP.

NOTE: Dell EMC Networking recommends that only experienced network administrators change the spanning tree parameters. Poorly planned modification of the spanning tree parameters can negatively affect network performance.

The following table displays the default values for STP.

Table 138.
To view the current values for global parameters, use the show spanning-tree 0 command from EXEC Privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally.

Modifying Interface STP Parameters

You can set the port cost and port priority values of interfaces in Layer 2 mode.

● Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
Prevent Network Disruptions with BPDU Guard

Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/Edgeport (edgeports) do not expect to receive BPDUs. If an edgeport does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
Figure 127. Enabling BPDU Guard

Dell EMC Networking OS Behavior: BPDU guard:
● is used on edgeports and blocks all traffic on the edgeport if it receives a BPDU.
● drops the BPDU after it reaches the RP and generates a console message.

Example of Blocked BPDUs

DellEMC(conf-if-te-1/1/7/1)#do show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
  Root ID Priority 32768, Address 0001.e805.fb07
  Root Bridge hello time 2, max age 20, forward delay 15
  Bridge ID Priority 32768, Address 0001.e85d.
Selecting STP Root

STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command.

● Assign a number as the bridge priority or designate it as the root or secondary root.
Figure 128. STP Root Guard Prevents Bridging Loops

Configuring Root Guard

Enable STP root guard on a per-port or per-port-channel basis.

Dell EMC Networking OS Behavior: The following conditions apply to a port enabled with STP root guard:
● Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
To disable STP root guard on a port or port-channel interface, use the no spanning-tree 0 rootguard command in interface configuration mode. To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in global configuration mode.

Enabling SNMP Traps for Root Elections and Topology Changes

To enable SNMP traps individually or collectively, use the following commands.
As soon as a BPDU is received on an STP port in a Loop-Inconsistent state, the port returns to a blocking state. If you disable STP loop guard on a port in a Loop-Inconsistent state, the port transitions to an STP blocking state and restarts the max-age timer.

Figure 129. STP Loop Guard Prevents Forwarding Loops

Configuring Loop Guard

Enable STP loop guard on a per-port or per-port-channel basis.
  ○ If a BPDU is received from a remote device, BPDU guard places the port in an Err-Disabled Blocking state and no traffic is forwarded on the port.
  ○ If no BPDU is received from a remote device, loop guard places the port in a Loop-Inconsistent Blocking state and no traffic is forwarded on the port.
● When used in a PVST+ network, STP loop guard is performed per-port or per-port-channel at a VLAN level.
53 SupportAssist

SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of a hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell EMC Networking device. For more information on SmartScripts, see the Dell EMC Networking Open Automation guide.

Figure 130.
Enable the SupportAssist service.
   CONFIGURATION mode
   support-assist activate

   DellEMC(conf)#support-assist activate

   This command guides you through the steps to configure SupportAssist.

Configuring SupportAssist Manually

To manually configure the SupportAssist service, use the following commands.

1. Accept the end-user license agreement (EULA).
   CONFIGURATION mode
   eula-consent {support-assist} {accept | reject}

   NOTE: Once accepted, you do not have to accept the EULA again.
   CONFIGURATION mode
   support-assist

   DellEMC(conf)#support-assist
   DellEMC(conf-supportassist)#
3. (Optional) Configure the contact information for the company.
   SUPPORTASSIST mode
   contact-company name {company-name} [company-next-name] ... [company-next-name]

   DellEMC(conf)#support-assist
   DellEMC(conf-supportassist)#contact-company name test
   DellEMC(conf-supportassist-cmpy-test)#
4. (Optional) Configure the contact name for an individual.
   [no] activity {full-transfer | core-transfer | event-transfer}

   DellEMC(conf-supportassist)#activity full-transfer
   DellEMC(conf-supportassist-act-full-transfer)#
   DellEMC(conf-supportassist)#activity core-transfer
   DellEMC(conf-supportassist-act-core-transfer)#
   DellEMC(conf-supportassist)#activity event-transfer
   DellEMC(conf-supportassist-act-event-transfer)#
2. Copy an action-manifest file for an activity to the system.
   SUPPORTASSIST ACTIVITY mode
   [no] enable

   DellEMC(conf-supportassist-act-full-transfer)#enable
   DellEMC(conf-supportassist-act-full-transfer)#
   DellEMC(conf-supportassist-act-core-transfer)#enable
   DellEMC(conf-supportassist-act-core-transfer)#
   DellEMC(conf-supportassist-act-event-transfer)#enable
   DellEMC(conf-supportassist-act-event-transfer)#

Configuring SupportAssist Company

SupportAssist Company mode allows you to configure the name, address, and territory information of the company.
   [no] contact-person [first ] last

   DellEMC(conf-supportassist)#contact-person first john last doe
   DellEMC(conf-supportassist-pers-john_doe)#
2. Configure the email addresses to reach the contact person.
   SUPPORTASSIST PERSON mode
   [no] email-address primary email-address [alternate email-address]

   DellEMC(conf-supportassist-pers-john_doe)#email-address primary jdoe@mycompany.com
   DellEMC(conf-supportassist-pers-john_doe)#
3. Configure the phone numbers of the contact person.
   [no] enable

   DellEMC(conf-supportassist-serv-default)#enable
   DellEMC(conf-supportassist-serv-default)#
4. Configure the URL to reach the SupportAssist remote server.
   SUPPORTASSIST SERVER mode
   [no] url uniform-resource-locator

   DellEMC(conf-supportassist-serv-default)#url https://192.168.1.1/index.htm
   DellEMC(conf-supportassist-serv-default)#

Viewing SupportAssist Configuration

To view the SupportAssist configuration, use the following commands:

1.
   !
   server Dell
    enable
    url http://1.1.1.1:1337
   DellEMC#
3. Display the EULA for the feature.
   EXEC Privilege mode
   show eula-consent {support-assist | other feature}

   DellEMC#show eula-consent support-assist
   SupportAssist EULA has been: Accepted
   Additional information about the SupportAssist EULA is as follows:
   By installing SupportAssist, you allow Dell to save your contact information (e.g.
54 System Time and Date

System time and date settings and the network time protocol (NTP) are supported on Dell EMC Networking OS. System times and dates can be set and maintained through NTP. They are also set through the Dell EMC Networking Operating System (OS) command line interface (CLI) and hardware settings. The Dell EMC Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Protocol Overview

The NTP client sends messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode.

DellEMC#show ntp status
Clock is synchronized, stratum 4, reference is 10.16.151.117, vrf-id is 0
frequency is -44.862 ppm, stability is 0.050 ppm, precision is -18
reference time deeef7ef.85eeaa10 Tue, Jul 10 2018 9:16:31.523 UTC
clock offset is -0.167449 msec, root delay is 149.194 msec
root dispersion is 54.557 msec, peer dispersion is 0.
  ○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the stack/slot/port/subport information.
  ○ For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the stack/slot/port/subport information.
  ○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the stack/slot/port[/subport] information.
  ○ For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the stack/slot/port/subport information.
  ○ ipv6-address: Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported.
  ○ key keyid: Configure a text string as the key exchanged between the NTP server and the client.
  ○ prefer: Enter the keyword prefer to set this NTP server as the preferred server.
  ○ version number: Enter a number as the NTP version. The range is from 1 to 4.
  ○ minpoll polling-interval: Enter the minpoll value. The range is from 4 to 16.
octet, left-justified, zero-padded ASCII string, for example: in the case of stratum 2 and greater (secondary reference), this is the four-octet internet address of the peer selected for synchronization.
● Reference Timestamp (sys.reftime, peer.reftime, pkt.reftime) — This is the local time, in timestamp format, when the local clock was last updated. If the local clock has never been synchronized, the value is zero.
● Originate Timestamp: The departure time on the server of its last NTP message.
Configuring a Custom-defined Period for NTP time Synchronization

You can configure the system to send an audit log message to a syslog server if the time difference from the NTP server is greater than a threshold value (offset-threshold). Time synchronization still occurs. To configure the offset-threshold, follow this procedure.

● Specify the threshold time interval beyond which the system generates an NTP audit log message if the system time deviates from the NTP server.
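To tie together the protocol overview, the message fields listed above, the show ntp status output and the offset-threshold check, here is an added example (not code from the guide) that decodes the 48-byte NTP header, converts its 64-bit timestamps, derives the clock offset and round-trip delay from the four timestamps, and applies a threshold to the offset. The sample reply is constructed to carry the stratum, reference peer, precision and reference timestamp (deeef7ef.85eeaa10) that the show ntp status output above shows; the request/response timing values are made up.

```python
"""NTP (RFC 1305/5905) header decoding and offset calculation. Added example, not from the guide."""
import struct
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
HEADER_FORMAT = ">BBBbiI4s8I"          # 48-byte header: flags, stratum, poll, precision,
                                       # root delay, root dispersion, reference id, 4 timestamps


def ntp_to_unix(seconds: int, fraction: int) -> float:
    """64-bit NTP timestamp (32-bit seconds, 32-bit binary fraction) to Unix seconds."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def format_ntp_time(unix_seconds: float) -> str:
    """Render like the reference time line of show ntp status, e.g. 'Tue, Jul 10 2018 09:16:31 UTC'."""
    return datetime.fromtimestamp(unix_seconds, timezone.utc).strftime("%a, %b %d %Y %H:%M:%S UTC")


def decode_reference_id(stratum: int, raw: bytes) -> str:
    """Reference Identifier: a four-octet ASCII string for stratum 0 and 1, the IPv4 address
    of the selected peer for stratum 2 and above (the encodings described in this chapter)."""
    if stratum <= 1:
        return raw.rstrip(b"\x00").decode("ascii", errors="replace")
    return ".".join(str(b) for b in raw)


def parse_ntp_packet(packet: bytes) -> dict:
    """Decode the fixed 48-byte header of an NTP message into named fields."""
    if len(packet) < 48:
        raise ValueError("NTP header is 48 bytes")
    fields = struct.unpack(HEADER_FORMAT, packet[:48])
    flags, stratum, poll, precision, root_delay, root_disp, ref_id = fields[:7]
    ts = fields[7:]
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,                     # 3 = client, 4 = server
        "stratum": stratum,
        "poll": poll,                            # log2 seconds (the minpoll/maxpoll range)
        "precision": precision,                  # log2 seconds, signed
        "root_delay": root_delay / 65536,        # 16.16 fixed point, seconds
        "root_dispersion": root_disp / 65536,
        "reference_id": decode_reference_id(stratum, ref_id),
        "reference_time": ntp_to_unix(ts[0], ts[1]),
        "originate_time": ntp_to_unix(ts[2], ts[3]),   # T1: client transmit
        "receive_time": ntp_to_unix(ts[4], ts[5]),     # T2: server receive
        "transmit_time": ntp_to_unix(ts[6], ts[7]),    # T3: server transmit
    }


def offset_and_delay(reply: dict, t4: float):
    """Clock offset and round-trip delay from the four timestamps (t4 = client receive time)."""
    t1, t2, t3 = reply["originate_time"], reply["receive_time"], reply["transmit_time"]
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def exceeds_offset_threshold(offset_seconds: float, threshold_seconds: float) -> bool:
    """The check behind the offset-threshold audit log: an |offset| above the threshold is
    reported; synchronization itself still proceeds."""
    return abs(offset_seconds) > threshold_seconds


# Constructed sample reply: stratum 4, reference peer 10.16.151.117, precision -18 and the
# reference timestamp deeef7ef.85eeaa10 from the show ntp status output in this chapter.
_S = 0xDEEEF7EF
SAMPLE_REPLY = struct.pack(
    HEADER_FORMAT,
    (0 << 6) | (4 << 3) | 4,    # LI=0, VN=4, Mode=4 (server)
    4, 6, -18,                  # stratum, poll, precision
    9778, 3575,                 # root delay ~149.2 ms, root dispersion ~54.6 ms (16.16 fixed point)
    bytes([10, 16, 151, 117]),  # reference id: IPv4 address of the selected peer
    _S, 0x85EEAA10,             # reference timestamp
    _S, 0x00000000,             # originate (T1)
    _S, 0x40000000,             # receive   (T2) = T1 + 0.25 s
    _S, 0x80000000,             # transmit  (T3) = T1 + 0.5 s
)
T4_UNIX = ntp_to_unix(_S + 1, 0)    # client receive (T4) = T1 + 1.0 s, also constructed

if __name__ == "__main__":
    reply = parse_ntp_packet(SAMPLE_REPLY)
    print(f"stratum {reply['stratum']}, reference {reply['reference_id']}, "
          f"reference time {format_ntp_time(reply['reference_time'])}")
    offset, delay = offset_and_delay(reply, T4_UNIX)
    print(f"offset {offset * 1000:.3f} msec, delay {delay * 1000:.3f} msec, "
          f"audit at 100 ms threshold: {exceeds_offset_threshold(offset, 0.1)}")
```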
Setting the Timezone

Coordinated Universal Time (UTC) is the time standard based on the International Atomic Time standard, commonly known as Greenwich Mean Time. When determining system time, include the difference between UTC and your local timezone. For example, San Jose, CA is in the Pacific Timezone with a UTC offset of -8. To set the clock timezone, use the following command.

● Set the clock to the appropriate timezone.
changed from "none" to "Summer time starts 00:00:00 Pacific Sat Mar 14 2009;Summer time ends 00:00:00 pacific Sat Nov 7 2009"

Setting Recurring Daylight Saving Time

Set a date (and time zone) on which to convert the switch to daylight saving time on a specific day every year. If you have already set daylight saving time as a one-time setting, you can set that date and time as the recurring setting with the clock summer-time time-zone recurring command.
last   Week number to start

DellEMC(conf)#clock summer-time pacific recurring
DellEMC(conf)#02:10:57: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Summertime configuration changed from "Summer time starts 00:00:00 Pacific Tue Mar 14 2017 ; Summer time ends 00:00:00 pacific Tue Nov 7 2017" to "Summer time starts 02:00:00 Pacific Tue Mar 14 2017;Summer time ends 02:00:00 pacific Tue Nov 7 2017"
55 Tunneling

Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, path MTU transmission, and fragmented packets are not supported.
 tunnel mode ipv6ip
 no shutdown

The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic):

DellEMC(conf)#interface tunnel 3
DellEMC(conf-if-tu-3)#tunnel source 5::5
DellEMC(conf-if-tu-3)#tunnel destination 8::9
DellEMC(conf-if-tu-3)#tunnel mode ipv6
DellEMC(conf-if-tu-3)#ip address 3.1.1.1/24
DellEMC(conf-if-tu-3)#ipv6 address 3::1/64
DellEMC(conf-if-tu-3)#no shutdown
DellEMC(conf-if-tu-3)#show config
!
interface Tunnel 3
 ip address 3.1.1.
The following sample configuration shows how to use the interface tunnel configuration commands.

DellEMC(conf-if-te-1/1/1/1)#show config
!
interface TenGigabitEthernet 1/1/1/1
 ip address 20.1.1.1/24
 ipv6 address 20:1::1/64
 no shutdown
DellEMC(conf)#interface tunnel 1
DellEMC(conf-if-tu-1)#ip unnumbered tengigabitethernet 1/1/1/1
DellEMC(conf-if-tu-1)#ipv6 unnumbered tengigabitethernet 1/1/1/1
DellEMC(conf-if-tu-1)#tunnel source 40.1.1.
DellEMC(conf-if-tu-1)#no shutdown
DellEMC(conf-if-tu-1)#show config
!
interface Tunnel 1
 ip address 1.1.1.1/24
 ipv6 address 1abd::1/64
 tunnel source anylocal
 tunnel allow-remote 40.1.1.2
 tunnel mode ipip decapsulate-any
 no shutdown

Guidelines for Configuring Multipoint Receive-Only Tunnels

● You can configure up to eight remote end-points for a multipoint receive-only tunnel.
56 Uplink Failure Detection (UFD)

Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link.
Figure 132. Uplink Failure Detection

How Uplink Failure Detection Works

UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 133. Uplink Failure Detection Example

If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number; it is calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
● If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with a UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
To revert to the default setting, use the no downstream disable links command.
4. (Optional) Enable auto-recovery so that UFD-disabled downstream ports in the uplink-state group come up when a disabled upstream port in the group comes back up.
UPLINK-STATE-GROUP mode
downstream auto-recover
By default, auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command.
5. (Optional) Enter a text description of the uplink-state group.
02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 3/4/1
02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 3/5/1
02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 3/6/1
02:37:29: %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Te 1/7/1
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 1/7/1
02:37:29 : UFD: Group:3, UplinkState: DOWN
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed
The following example shows how to view the uplink-state group status.

The following example shows how to view the interface status with UFD information.
DellEMC#
00:10:00: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 1/1/1
DellEMC(conf-uplink-state-group-3)# description Testing UFD feature
DellEMC(conf-uplink-state-group-3)# show config
!
uplink-state-group 3
 description Testing UFD feature
 downstream disable links 2
 downstream TenGigabitEthernet 1/1-2,5,9,11-12/1
 upstream TenGigabitEthernet 1/3-4/1
DellEMC(conf-uplink-state-group-3)#
DellEMC(conf-uplink-state-group-3)#exit
DellEMC(conf)#exit
DellEMC#
00:13:06: %STKUNIT0-M:CP %SYS-
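Reading the UFD syslog lines shown above with a script, as an added example that is not part of the guide: the parser pairs each "UFD: Group:N, UplinkState: DOWN" transition with the link events logged in the same second, so an operator can tell which upstream port triggered it, whether that port was administratively shut (an operator action, logged as ASTATE_DN) or simply lost carrier, which downstream ports UFD disabled, and which link-down events no UFD group accounts for. The sample log is constructed, modelled on the %IFMGR-5 lines in this chapter; the function names and the two downstream ports Te 1/1/1 and Te 1/2/1 are assumptions for the example.

```python
"""Correlate UFD syslog events, as an added example (not from the Dell guide).

SAMPLE_LOG is constructed, modelled on the %IFMGR-5-OSTATE_DN / ASTATE_DN and
'UFD: Group:N, UplinkState: DOWN' lines shown in this chapter.
"""
import re

SAMPLE_LOG = """\
02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 3/4/1
02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 3/5/1
02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 3/6/1
02:37:29: %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Te 1/7/1
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 1/7/1
02:37:29 : UFD: Group:3, UplinkState: DOWN
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 1/1/1
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 1/2/1
"""

# Interface state lines: timestamp, message code, then "... : <type> <slot/port>".
IFACE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d):\s+%\S+\s+%IFMGR-5-([AO]STATE_(?:DN|UP)):.*:\s+(\S+ \S+)\s*$")
# UFD group transition lines (note the space before the colon after the time).
UFD_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\s*:\s+UFD: Group:(\d+), UplinkState: (UP|DOWN)\s*$")


def parse_events(log: str) -> list:
    """Turn log lines into ('iface', time, state, interface) or
    ('ufd', time, state, group) tuples, in log order."""
    events = []
    for line in log.splitlines():
        m = IFACE_RE.match(line)
        if m:
            events.append(("iface", m.group(1), m.group(2), m.group(3)))
            continue
        m = UFD_RE.match(line)
        if m:
            events.append(("ufd", m.group(1), m.group(3), int(m.group(2))))
    return events


def ufd_incidents(log: str) -> list:
    """One record per 'UplinkState: DOWN', built from same-second link events."""
    events = parse_events(log)
    incidents = []
    for i, ev in enumerate(events):
        if ev[0] != "ufd" or ev[2] != "DOWN":
            continue
        ts, group = ev[1], ev[3]
        # Link events in the same second before the transition: the upstream trigger.
        before = [e for e in events[:i] if e[0] == "iface" and e[1] == ts]
        # Operational-down events after it: the downstream ports UFD disabled.
        after = [e for e in events[i + 1:]
                 if e[0] == "iface" and e[1] == ts and e[2] == "OSTATE_DN"]
        incidents.append({
            "group": group,
            "time": ts,
            "upstream_down": sorted({e[3] for e in before if e[2].endswith("_DN")}),
            # ASTATE_DN means someone shut the port, not a carrier loss.
            "upstream_admin_down": sorted({e[3] for e in before if e[2] == "ASTATE_DN"}),
            "downstream_disabled": [e[3] for e in after],
        })
    return incidents


def uncorrelated_link_downs(log: str) -> list:
    """Operational link-down events that no UFD transition explains."""
    explained = set()
    for inc in ufd_incidents(log):
        explained.update(inc["upstream_down"])
        explained.update(inc["downstream_disabled"])
    return [e[3] for e in parse_events(log)
            if e[0] == "iface" and e[2] == "OSTATE_DN" and e[3] not in explained]


if __name__ == "__main__":
    for inc in ufd_incidents(SAMPLE_LOG):
        print(inc)
    print("unexplained link-down:", uncorrelated_link_downs(SAMPLE_LOG))
```

On the sample log the script reports one incident for group 3 whose upstream port Te 1/7/1 was administratively shut before UFD disabled two downstream ports, and lists the three Fo 3/x/1 link-down events at 02:36:43 as unexplained, which is the kind of event worth a follow-up because no UFD group claims it.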
57 Upgrade Procedures

To find the upgrade procedures, go to the Dell EMC Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell EMC Networking OS version. To upgrade your system type, follow the procedures in the Dell EMC Networking OS Release Notes. You can download the release notes for your platform at https://www.force10networks.com. Use your login ID to log in to the website.
58 Virtual LANs (VLANs)

Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN.
● Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN.
● The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes).
● Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved.
NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes as specified in the IEEE 802.3 standard. Some devices that are not compliant with IEEE 802.3 may not support the larger frame size.
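The tag header described above, handled on constructed frames as an added Python example (not code from the guide or from Dell): the 2-byte VLAN protocol identifier 0x8100 and the 2-byte TCI are parsed, inserted and stripped, the two reserved VLAN IDs are rejected, and tagging a maximum-size 1,518-byte frame is shown to produce a 1,522-byte frame. The MAC addresses, payload and function names are assumptions made for the example.

```python
"""IEEE 802.1Q tag handling on constructed Ethernet frames.

Added example, not from the Dell guide. Frames are byte strings built here;
no interface is touched.
"""
import struct

TPID_8021Q = 0x8100         # VLAN protocol identifier (2 bytes)
TAG_LEN = 4                 # TPID + TCI
MAX_8023_FRAME = 1518       # IEEE 802.3 maximum untagged frame, FCS included
RESERVED_VIDS = {0x000, 0xFFF}   # 0 = priority-tagged only, 4095 = reserved


def parse_frame(frame: bytes) -> dict:
    """Split a frame into header fields; 'vid' is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = dei = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 14 + TAG_LEN:
            raise ValueError("tagged frame truncated inside the VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF   # 3 + 1 + 12 bits
        offset = 14 + TAG_LEN
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp, "dei": dei,
            "ethertype": ethertype, "payload": frame[offset:]}


def insert_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a VLAN tag after the source MAC, as a tagged egress port does."""
    if not 0 <= vid <= 0xFFF or vid in RESERVED_VIDS:
        raise ValueError("VLAN ID %d is reserved or out of range" % vid)
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7")
    if parse_frame(frame)["vid"] is not None:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the VLAN tag, as an untagged egress port does."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[12 + TAG_LEN:]


def exceeds_8023_max(frame: bytes) -> bool:
    """True when the frame is larger than the 1,518-byte IEEE 802.3 limit."""
    return len(frame) > MAX_8023_FRAME


def make_untagged_frame(payload_len: int) -> bytes:
    """Constructed frame: broadcast dst, documentation-range src, IPv4
    EtherType, zero payload and a 4-byte FCS placeholder."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("00005e005301")          # assumed, documentation range
    return dst + src + struct.pack("!H", 0x0800) + bytes(payload_len) + bytes(4)


if __name__ == "__main__":
    untagged = make_untagged_frame(1500)          # 14 + 1500 + 4 = 1518 bytes
    tagged = insert_tag(untagged, 800, pcp=3)
    print(len(untagged), "->", len(tagged), parse_frame(tagged)["vid"])
```

The 4-byte growth is why the NOTE above matters: a frame that was exactly at the 802.3 maximum becomes 1,522 bytes once tagged, and a device that enforces 1,518 strictly drops it.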
Assigning Interfaces to a VLAN

You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command. You can further designate these Layer 2 interfaces as tagged or untagged. For more information, see the Interfaces chapter and Configuring Layer 2 (Data Link) Mode.

When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN. If the tagged interface is removed from the only VLAN to which it belongs, the interface is placed in the Default VLAN as an untagged interface.

Moving Untagged Interfaces

To move untagged interfaces from the Default VLAN to another VLAN, use the following commands.
1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.

Assigning an IP Address to a VLAN

VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces. The shutdown command in INTERFACE mode does not affect Layer 2 traffic on the interface; the shutdown command only prevents Layer 3 traffic from traversing over the interface.
NOTE: You cannot assign an IP address to the Default VLAN (VLAN 1).

Enabling Null VLAN as the Default VLAN

In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured. This presents a vulnerability because both interfaces are initially placed in the native VLAN, VLAN 1, and for that period customers are able to access each other's networks.
59 Virtual Link Trunking (VLT)

Virtual link trunking (VLT) is a Dell EMC technology that provides two Dell EMC switches the ability to function as a single switch. VLT allows physical links between two Dell EMC switches to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). As a result, the two physical switches appear as a single switch to the connected devices.
VLT not only overcomes this caveat, but also provides a multipath to the connected devices. In the example shown below, the two physical VLT peers appear as a single logical device to the connected devices. Because the connected devices consider the VLT peers a single switch, VLT eliminates STP-blocked ports. However, the two VLT devices are independent Layer 2/Layer 3 (L2/L3) switches for devices in the upstream network.
Figure 136.
Figure 137. Example of VLT Deployment

VLT offers the following benefits:
● Allows a single device to use a LAG across two upstream devices.
● Eliminates STP-blocked ports.
● Provides a loop-free topology.
● Uses all available uplink bandwidth.
● Provides fast convergence if either the link or a device fails.
● Optimized forwarding with virtual router redundancy protocol (VRRP).
● Provides link-level resiliency.
● Assures high availability.
● Active-Active load sharing with VRRP.
● VLT backup link — The backup link monitors the connectivity between the VLT peer switches. The backup link sends configurable, periodic keepalive messages between the VLT peer switches.
● VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches. Both ends must be on 10G, 25G, 40G, 50G, or 100G interfaces.
● VLT domain — This domain includes both the VLT peer devices, the VLT interconnect, and all of the port channels in the VLT connected to the attached devices.
Viewing the MAC Synchronization Between VLT Peers

You can use the following commands to verify the MAC synchronization between VLT peers:

VLT-10-PEER-1#show mac-address-table count
MAC Entries for all vlans :
Dynamic Address Count : 1007
Static Address (User-defined) Count : 1
Sticky Address Count : 0
Total Synced Mac from Peer(N): 503
Total MAC Addresses in Use: 1008
VLT-10-PEER-1#show vlt counter mac
Total MAC VLT counters
----------------------
L2 Total MAC-Address Count: 1007
VLT-10-PEER-1#show mac-addr
that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode. This example provides the highest form of resiliency, scaling, and load balancing in data center switching networks. The following example shows stacking at the access, VLT in aggregation, and Layer 3 at the core.

Figure 139. VLT on Core Switches

The aggregation layer is mostly in the L2/L3 switching/routing layer.
Figure 140. Enhanced VLT

Configure Virtual Link Trunking

VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches.

Important Points to Remember

WARNING: Do not add any VLANs to the VLT Interconnect. The VLTi interface manages VLAN tagged/untagged traffic automatically between peers. Manually adding any VLAN configuration has been shown to disrupt traffic flow.
channels to or from a VLAN. You can manually add or remove a VLTi port-channel to a VLAN. In case a VLTi port-channel is manually removed from a VLAN, it is added back to the VLAN after reload of the VLTi peers.
● Use the lacp ungroup member-independent command only if the system connects to nodes using bare metal provisioning (BMP) to upgrade or boot from the network.
Configuration Notes

When you configure VLT, the following conditions apply.
● With VLT, when an L3 interface is created, the local DA of that interface is added as an L2 entry pointing to the ICL interface on the peer chassis. This ensures that L3 packets reaching the peer, by LAG hashing on the ToR, are forwarded to the actual chassis via the ICL and then routed. When this interface is removed, the entry pointing to the ICL on the peer chassis is deleted.
NOTE: If you configure the VLT system MAC address or VLT unit-id on only one of the VLT peer switches, the link between the VLT peer switches is not established. Each VLT peer switch must be correctly configured to establish the link between the peers.
○ If the link between the VLT peer switches is established, changing the VLT system MAC address or the VLT unit-id causes the link between the VLT peer switches to become disabled.
■ Ingress and egress QoS policies applied on VLT ports must be the same on both VLT peers.
■ Apply the same ingress and egress QoS policies on VLTi (ICL) member ports to handle failed links.
For detailed information about how to use VRRP in a VLT domain, see the following VLT and VRRP interoperability section. For information about configuring IGMP Snooping in a VLT domain, see VLT and IGMP Snooping.
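A way to check the configuration notes above against live state, as an added Python example rather than code from the guide or from Dell: the show vlt brief output of both peers is parsed and cross-checked for an identical configured VLT system MAC, distinct unit-ids, local and remote system MACs that match crosswise, one Primary and one Secondary role, the same peer-routing setting, and ICL, heartbeat and peer status all Up. The two outputs are constructed, modelled on the show vlt brief output shown later in this chapter; the MAC addresses reuse the values that appear there, and the function names are assumptions for the example.

```python
"""Cross-check 'show vlt brief' from both VLT peers, as an added example.

Not part of the Dell guide. PEER1_BRIEF and PEER2_BRIEF are constructed,
modelled on the show vlt brief output in this chapter.
"""

PEER1_BRIEF = """\
Dell-1#sh vlt brief
VLT Domain Brief
------------------
Domain ID: 1
Role: Primary
Role Priority: 100
ICL Link Status: Up
HeartBeat Status: Up
VLT Peer Status: Up
Local Unit Id: 0
Local System MAC address: 90:b1:1c:f4:2c:bb
Remote System MAC address: 90:b1:1c:f4:29:f1
Configured System MAC address: 90:b1:1c:f4:01:01
Peer routing : Enabled
"""

PEER2_BRIEF = """\
Dell-2#sh vlt brief
VLT Domain Brief
------------------
Domain ID: 1
Role: Secondary
Role Priority: 55000
ICL Link Status: Up
HeartBeat Status: Up
VLT Peer Status: Up
Local Unit Id: 1
Local System MAC address: 90:b1:1c:f4:29:f1
Remote System MAC address: 90:b1:1c:f4:2c:bb
Configured System MAC address: 90:b1:1c:f4:01:01
Peer routing : Enabled
"""


def parse_vlt_brief(text: str) -> dict:
    """Map each 'Key: value' line to a lower-cased key. Only the first colon on
    a line separates key from value, so MAC addresses keep their colons."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("-"):
            continue
        key, _, value = line.partition(":")
        fields[" ".join(key.split()).lower()] = value.strip()
    return fields


def check_vlt_pair(brief_a: str, brief_b: str) -> list:
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse_vlt_brief(brief_a), parse_vlt_brief(brief_b)
    findings = []

    def must_match(key, label):
        if a.get(key, "").lower() != b.get(key, "").lower():
            findings.append("%s differs: %r vs %r" % (label, a.get(key), b.get(key)))

    must_match("domain id", "VLT domain ID")
    must_match("configured system mac address", "configured VLT system MAC")
    must_match("peer routing", "peer-routing setting")
    if a.get("local unit id") == b.get("local unit id"):
        findings.append("both peers use unit-id %s" % a.get("local unit id"))
    if (a.get("local system mac address", "").lower() != b.get("remote system mac address", "").lower()
            or b.get("local system mac address", "").lower() != a.get("remote system mac address", "").lower()):
        findings.append("local and remote system MACs do not cross-match")
    if {a.get("role"), b.get("role")} != {"Primary", "Secondary"}:
        findings.append("roles are %s/%s, expected one Primary and one Secondary"
                        % (a.get("role"), b.get("role")))
    for name, fields in (("peer A", a), ("peer B", b)):
        for key in ("icl link status", "heartbeat status", "vlt peer status"):
            if fields.get(key) != "Up":
                findings.append("%s: %s is %s" % (name, key, fields.get(key)))
    return findings


if __name__ == "__main__":
    for finding in check_vlt_pair(PEER1_BRIEF, PEER2_BRIEF) or ["VLT pair consistent"]:
        print(finding)
```

Because the NOTE above says a mismatched system MAC or unit-id leaves the peer link down, and changing either on a running pair disables it, running this check before and after a VLT change is a cheap way to catch a one-sided edit before it causes an outage.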
can configure another peer as the Primary Peer using the VLT domain domain-id role priority priority-value command. If the VLTi link fails, the status of the remote VLT Primary Peer is checked using the backup link. If the remote VLT Primary Peer is available, the Secondary Peer disables all VLT ports to prevent loops. If all ports in the VLTi link fail or if the communication between VLTi links fails, VLT checks the backup link to determine the cause of the failure.
VLT and IGMP Snooping

When configuring IGMP Snooping with VLT, ensure the configurations on both sides of the VLT trunk are identical to get the same behavior on both sides of the trunk. When you configure IGMP snooping on a VLT node, the dynamically learned groups and multicast router ports are automatically learned on the VLT peer node.

VLT IPv6

The following features have been enhanced to support IPv6:
● VLT Sync — Entries learned on the VLT interface are synced on both VLT peers.

Figure 141. PIM-Sparse Mode Support on VLT

On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.

If the VLT node elected as the designated router fails and you enable VLT Multicast Routing, multicast routes are synced to the other peer for traffic forwarding to ensure minimal traffic loss. If you did not enable VLT Multicast Routing, traffic loss occurs until the other VLT peer is selected as the DR.

VLT Routing

VLT Routing refers to the ability to run a dynamic routing protocol within a single VLT domain or between VLT domains (mVLT).

If you enable peer routing, a VLT node acts as a proxy gateway for its connected VLT peer as shown in the image below. Even though the gateway address of the packet is different, Peer-1 routes the packet to its destination on behalf of Peer-2 to avoid sub-optimal routing.

Figure 143. Packets with peer routing enabled

Benefits of Peer Routing
● Avoids sub-optimal routing
● Reduces latency by avoiding another hop in the traffic path.
Configuring VLT Unicast

To enable and configure VLT unicast, follow these steps.
1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
CONFIGURATION mode
vlt domain domain-id
2. Enable peer-routing.
VLT DOMAIN mode
peer-routing
3. Configure the peer-routing timeout.
VLT DOMAIN mode
peer-routing-timeout value
value: Specify a value (in seconds) from 1 to 65535. The default value is infinity (without configuring the timeout).

3. Configure the multicast peer-routing timeout.
VLT DOMAIN mode
multicast peer-routing-timeout value
value: Specify a value (in seconds) from 1 to 1200.
NOTE: Reduce the multicast peer-routing-timeout value to 10 seconds to clear the (S,G) entry in mroute on the primary VLT peer. Also, the MLD leave packet must be sent after the unicast route convergence.
4. Configure a PIM-SM compatible VLT node as a designated router (DR). For more information, refer to Configuring a Designated Router.
5.
Sample RSTP configuration

The following is a sample of an RSTP configuration:

Using the example shown in the Overview section as a sample VLT topology, the primary VLT switch sends BPDUs to an access device (switch or server) with its own RSTP bridge ID. BPDUs generated by an RSTP-enabled access device are only processed by the primary VLT switch. The secondary VLT switch tunnels the BPDUs that it receives to the primary VLT switch over the VLT interconnect.

Configuring a VLT Interconnect

To configure a VLT interconnect, follow these steps.
1. Configure the port channel for the VLT interconnect on a VLT switch and enter interface configuration mode.
CONFIGURATION mode
interface port-channel id-number
Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain.
NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned).
2.

You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds.
3. Configure the port channel to be used as the VLT interconnect between VLT peers in the domain.
VLT DOMAIN CONFIGURATION mode
peer-link port-channel id-number
4. Enable peer routing.
VLT DOMAIN CONFIGURATION mode
peer-routing
If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
5.
CONFIGURATION mode
vlt domain domain-id
The range of domain IDs is from 1 to 1000.
2. Enter an amount of time, in seconds, to delay the restoration of the VLT ports after the system is rebooted.
CONFIGURATION mode
delay-restore delay-restore-time
The range is from 1 to 1200. The default is 90 seconds.

Reconfiguring the Default VLT Settings (Optional)

To reconfigure the default VLT settings, use the following commands.
1. Enter VLT-domain configuration mode for a specified VLT domain.

INTERFACE PORT-CHANNEL mode
no ip address
3. Place the interface in Layer 2 mode.
INTERFACE PORT-CHANNEL mode
switchport
4. Add one or more port interfaces to the port channel.
INTERFACE PORT-CHANNEL mode
channel-member interface
interface: specify one of the following interface types:
● For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the stack/slot/port/subport information.

CONFIGURATION mode
interface port-channel id-number
Enter the same port-channel number configured with the peer-link port-channel command in the .
2. Add one or more port interfaces to the port channel.
INTERFACE PORT-CHANNEL mode
channel-member interface
interface: specify one of the following interface types:
● For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the stack/sl

ot/port/subport information.

switchport
10. Associate the port channel to the corresponding port channel in the VLT peer for the VLT connection to an attached device.
INTERFACE PORT-CHANNEL mode
vlt-peer-lag port-channel id-number
11. Ensure that the port channel is active.
INTERFACE PORT-CHANNEL mode
no shutdown
12. Add links to the eVLT port. Configure a range of interfaces to bulk configure.
CONFIGURATION mode
interface range {port-channel id}
13. Enable LACP on the LAN port.
INTERFACE mode
port-channel-protocol lacp
14.

EXEC mode or EXEC Privilege mode
show interfaces interface
8. Configure the VLT links between VLT peer 1 and VLT peer 2 to the top of rack unit (shown in the following example).
9. Configure the static LAG/LACP between ports connected from VLT peer 1 and VLT peer 2 to the top of rack unit.
EXEC Privilege mode
show running-config entity
10. Configure the VLT peer link port channel id in VLT peer 1 and VLT peer 2.
EXEC mode or EXEC Privilege mode
show interfaces interface
11.
configuring VLT peer lag in VLT
Dell-2#show running-config interface port-channel 2
!
interface Port-channel 2
 no ip address
 switchport
 vlt-peer-lag port-channel 2
 no shutdown
Dell-2#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
L 2    L2L3  up      03:33:14  Te 1/1/4/1 (Up)
In the ToR unit, configure LACP on the physical ports.

Multicast peer-routing timeout : 150 seconds
DellEMC#
Verify that the VLT LAG is up in the VLT peer unit.
Dell-2#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
L 2    L2L3  up      03:43:24  Te 1/1/4/1 (Up)
Dell-4#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
L 2    L2L3  up      03:33:31  Te 1/1/5/1 (Up)

PVST+ Configuration

PVST+ is supported in a VLT domain.
Te 1/10/1 128.230 128 128.230 Te 1/13/1 128.233 128 90b1.1cf4.9b79 128.233 2000 FWD 2000 FWD 0 0 0 90b1.1cf4.

Interface
Name       Role  PortID   Prio  Cost  Sts
---------  ----  -------  ----  ----  ---
Po 1       Desg  128.2    128   188   FWD
Po 2       Desg  128.3    128   2000  FWD
Te 1/10/1  Desg  128.230  128   2000  FWD
Te 1/10/3  Desg  128.233  128   2000  FWD
DellEMC#
Figure 144. Peer Routing Configuration Example

Dell-1 Switch Configuration

In the following output, RSTP is enabled with a bridge priority of 0. This ensures that Dell-1 becomes the root bridge.
DellEMC#1#show run | find protocol
protocol spanning-tree pvst
 no disable
 vlan 1,20,800,900 bridge-priority 0
The following output shows the existing VLANs.

(The management interfaces are part of a default VRF and are isolated from the switch’s data plane.)
In Dell-1, te 0/0 and te 0/1 are used for VLTi.
DellEMC#1#sh run int te0/0
interface TenGigabitEthernet 0/0
 description VLTi LINK
 no ip address
 no shutdown
(VLTi Physical link)
!
DellEMC#1#sh run int te0/1
interface TenGigabitEthernet 0/1
 description VLTi LINK
 no ip address
 no shutdown
(VLTi Physical link)
The following example shows that te 0/0 and te 0/1 are included in port channel 10.

Vlan 20 is used in Dell-1, Dell-2, and R1 to form OSPF adjacency. When OSPF is converged, the routing tables in all devices are synchronized.
DellEMC#1#sh run int vlan 20
interface Vlan 20
 description OSPF PEERING VLAN
 ip address 192.168.20.1/29
 untagged Port-channel 1
 no shutdown
!
DellEMC#1#sh run int vlan 800
interface Vlan 800
 description Client-VLAN
 ip address 192.168.8.1/24
 tagged Port-channel 2
 no shutdown
The following output shows Dell-1 is configured with VLT domain 1.

Use the show vlt detail command to verify that VLT is functional and that the correct VLANs are allowed.
DellEMC#1#sh vlt detail
Local LAG Id  Peer LAG Id  Local Status  Peer Status  Active VLANs
------------  -----------  ------------  -----------  ------------
1             1            UP            UP           20
2             2            UP            UP           1, 800, 900
The following output displays the OSPF configuration in Dell-1.
DellEMC#1#sh run | find router
router ospf 1
 router-id 172.17.1.1
 network 192.168.9.0/24 area 0
 network 192.168.8.0/24 area 0
 network 172.17.1.
0  90:b1:1c:f4:2c:bd  LOCAL_DA  00001
0  90:b1:1c:f4:29:f3  LOCAL_DA  00001A
The above output shows that the 90:b1:1c:f4:2c:bd MAC address belongs to Dell-1 and the 90:b1:1c:f4:29:f3 MAC address belongs to Dell-2. Also note that these MAC addresses are marked LOCAL_DA, which means they are the local destination MAC addresses used by hosts when routing is required. Packets sent to these MAC addresses are forwarded directly to their destinations without being sent to the peer switch.
 no ip address
 port-channel-protocol LACP
  port-channel 2 mode active
 no shutdown
Te 0/6 connects to the uplink switch R1.
Dell-2#sh run int te0/6
interface TenGigabitEthernet 0/6
 description To_CR1_fa0/13
 no ip address
 port-channel-protocol LACP
  port-channel 1 mode active
 no shutdown
Port channel 1 connects to the uplink switch R1.
Verify that VLT on Dell-1 is functional.
Dell-2#sh vlt brief
VLT Domain Brief
------------------
Domain ID: 1
Role: Secondary
Role Priority: 55000
ICL Link Status: Up
HeartBeat Status: Up
VLT Peer Status: Up
Local Unit Id: 1
Version: 6(3)
Local System MAC address: 90:b1:1c:f4:29:f1
Remote System MAC address: 90:b1:1c:f4:2c:bb
Configured System MAC address: 90:b1:1c:f4:01:01
Remote system version: 6(3)
Delay-Restore timer: 90 seconds
Peer routing : En
Peer routing-Timeout timer:
Multicast peer routing timeout:

The following output displays the routes learned using OSPF. Dell-2 also learns the routes to the loopback addresses on R1 through OSPF.
Dell-2#show ip route ospf
Destination       Gateway
-----------       -------
O 2.2.2.2/24      via 192.168.20.3,
O 3.3.3.2/24      via 192.168.20.3,
O 4.4.4.2/24      via 192.168.20.3,
O 172.15.1.1/32   via 192.168.20.3,
O 172.16.1.2/32   via 192.168.20.

 network 172.15.1.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.7 area 0
CR1#show ip ospf neighbor   (R1 is a DROTHER)
Neighbor ID     Pri   State      Dead Time   Address        Interface
172.16.1.2        1   FULL/BDR   00:00:31    192.168.20.2   Port-channel1
172.17.1.1        1   FULL/DR    00:00:38    192.168.20.1   Port-channel1
CR1#show ip route   (Output Truncated)
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback2
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback3
O    192.168.8.0/24 [110/2] via 192.168.
Figure 145. eVLT Configuration Example

eVLT Configuration Step Examples

In Domain 1, configure the VLT domain and VLTi on Peer 1.
Domain_1_Peer1#configure
Domain_1_Peer1(conf)#interface port-channel 1
Domain_1_Peer1(conf-if-po-1)# channel-member TenGigabitEthernet 1/1/8/1-1/1/8/2
Domain_1_Peer1(conf)#vlt domain 1000
Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1
Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.

Configure eVLT on Peer 2.
Domain_1_Peer2(conf)#interface port-channel 100
Domain_1_Peer2(conf-if-po-100)# switchport
Domain_1_Peer2(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_1_Peer2(conf-if-po-100)# no shutdown
Add links to the eVLT port-channel on Peer 2.

PIM-Sparse Mode Configuration Example

The following sample configuration shows how to configure the PIM Sparse mode designated router functionality on the VLT domain with two VLT port-channels that are members of VLAN 4001. For more information, refer to PIM-Sparse Mode Support on VLT.

Examples of Configuring PIM-Sparse Mode

The following example shows how to enable PIM multicast routing on the VLT node globally.

EXEC mode
show vlt role
● Display the current configuration of all VLT domains or a specified group on the switch.
EXEC mode
show running-config vlt
● Display statistics on VLT operation.
EXEC mode
show vlt statistics
● Display the RSTP configuration on a VLT peer switch, including the status of port channels used in the VLT interconnect trunk and to connect to access devices.
EXEC mode
show spanning-tree rstp
● Display the current status of a port or port-channel interface used in the VLT domain.
Version                        : 6(3)
Local System MAC address       : 00:01:e8:8a:e9:91
Remote System MAC address      : 00:01:e8:8a:e9:76
Remote system version          : 6(3)
Delay-Restore timer            : 90 seconds
Delay-Restore Abort Threshold  : 60 seconds
Peer-Routing                   : Disabled
Peer-Routing-Timeout timer     : 0 seconds
Multicast peer-routing timeout : 150 seconds
DellEMC#
The following example shows the show vlt detail command.

HeartBeat Messages Received: 986
ICL Hello's Sent: 148
ICL Hello's Received: 98
Dell_VLTpeer2# show vlt statistics
VLT Statistics
----------------
HeartBeat Messages Sent: 994
HeartBeat Messages Received: 978
ICL Hello's Sent: 89
ICL Hello's Received: 89
The following example shows the show spanning-tree rstp command. The bold section displays the RSTP state of port channels in the VLT domain. Port channel 100 is used in the VLT interconnect trunk (VLTi) to connect to VLT peer2.

Dell_VLTpeer1(conf-vlt-domain)#back-up destination 10.11.206.35
Dell_VLTpeer1(conf-vlt-domain)#exit
Configure the backup link.
Dell_VLTpeer1(conf)#interface ManagementEthernet 1/1
Dell_VLTpeer1(conf-if-ma-1/1)#ip address 10.11.206.23/
Dell_VLTpeer1(conf-if-ma-1/1)#no shutdown
Dell_VLTpeer1(conf-if-ma-1/1)#exit
Configure the VLT interconnect (VLTi).

Dell_VLTpeer2(conf-if-po-110)#channel-member fortyGigE 1/12
Dell_VLTpeer2(conf-if-po-110)#no shutdown
Dell_VLTpeer2(conf-if-po-110)#vlt-peer-lag port-channel 110
Dell_VLTpeer2(conf-if-po-110)#end
Verify that the port channels used in the VLT domain are assigned to the same VLAN.
Table 139. Troubleshooting VLT (continued)

Description: Spanning tree mismatch at global level
  Behavior at Peer Up: All VLT port channels go down on both VLT peers. A syslog error message is generated. No traffic is passed on the port channels.
  Behavior During Run Time: During run time, a loop may occur as long as the mismatch lasts.

Description: Spanning tree mismatch at port level
  Behavior at Peer Up: A syslog error message is generated.
  Behavior During Run Time: A one-time informational syslog message is generated.
Specifying VLT Nodes in a PVLAN

You can configure VLT peer nodes in a private VLAN (PVLAN). VLT enables redundancy without the implementation of Spanning Tree Protocol (STP), and provides a loop-free network with optimal bandwidth utilization. Because the VLT LAG interfaces are terminated on two different nodes, PVLAN configuration of VLT VLANs and VLT LAGs are symmetrical and identical on both the VLT peers. PVLANs provide Layer 2 isolation between ports within the same VLAN.

MAC Synchronization for VLT Nodes in a PVLAN

For the MAC addresses that are learned on non-VLT ports, MAC address synchronization is performed with the other peer if the VLTi (ICL) link is part of the same VLAN as the non-VLT port. For MAC addresses that are learned on VLT ports, the VLT LAG mode of operation and the primary to secondary association of the VLT nodes is determined on both the VLT peers.

Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN

The following table illustrates the association of the VLTi link and PVLANs, and the MAC synchronization of VLT nodes in a PVLAN (for various modes of operations of the VLT peers):
Table 140.
6. Enter VLT-domain configuration mode for a specified VLT domain.
CONFIGURATION mode
vlt domain domain-id
The range of domain IDs is from 1 to 1000.
7. Enter the port-channel number that acts as the interconnect trunk.
VLT DOMAIN CONFIGURATION mode
peer-link port-channel id-number
8. (Optional) To configure a VLT LAG, enter the VLAN ID number of the VLAN where the VLT forwards packets received on the VLTi from an adjacent peer that is down.

Proxy ARP Capability on VLT Peer Nodes

The proxy ARP functionality is supported on VLT peer nodes. A proxy ARP-enabled device answers the ARP requests that are destined for the other router in a VLT domain. The local host forwards the traffic to the proxy ARP-enabled device, which in turn transmits the packets to the destination. By default, proxy ARP is enabled. To disable proxy ARP, use the no proxy-arp command in Interface mode. To re-enable proxy ARP, use the ip proxy-arp command in Interface mode.

The VLT node, where the ICL link is deleted, flushes the peer IP addresses and does not perform proxy ARP for the additional LAG hashed ARP requests.

VLT Nodes as Rendezvous Points for Multicast Resiliency

You can configure VLT peer nodes as rendezvous points (RPs) in a Protocol Independent Multicast (PIM) domain. PIM uses a VLT node as the RP to distribute multicast traffic to a multicast group.

Configure the VLT domain
DellEMC(conf)#vlt domain 1
DellEMC(conf-vlt-domain)#peer-link port-channel 1
DellEMC(conf-vlt-domain)#back-up destination 10.16.151.116
DellEMC(conf-vlt-domain)#primary-priority 100
DellEMC(conf-vlt-domain)#system-mac mac-address 00:00:00:11:11:11
DellEMC(conf-vlt-domain)#unit-id 0
DellEMC(conf-vlt-domain)#
DellEMC#show running-config vlt
!
vlt domain 1
 peer-link port-channel 1
 back-up destination 10.16.151.
Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN
DellEMC#show vlan id 50
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
       O - Openflow
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   o - OpenFlow untagged, O - OpenFlow tagged
   G - GVRP tagged, M - Vlan-stack
   i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged

    NUM    Status    Description    Q
    50     Active                   M
                                    M
                                    V
DellEMC#

Configure the VLAN as a VLAN-Stack VLAN and add the VLT LAG as members to the VLAN
DellEMC(conf)#interface vlan 50
DellEMC(conf-if-vl-50)#vlan-stack compatible
DellEMC(conf-if-vl-50-stack)#member port-channel 10
DellEMC(conf-if-vl-50-stack)#member port-channel 20
DellEMC(conf-if-vl-50-stack)#
DellEMC#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdown
DellEMC#
Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VL
IPv6 Peer Routing

When you enable peer routing on VLT nodes, the MAC address of the peer VLT node is stored in the ternary content addressable memory (TCAM) space table of a station. If the data traffic destined to a VLT node, node1, reaches the other VLT node, node2, owing to LAG-level hashing in the ToR switch, it is routed instead of forwarding the packet to node1. This processing occurs because of the match or hit for the entry in the TCAM of the VLT node2.

control information present in the tunneled NA packet is processed in such a way so that the ingress port is marked as the link from Node B to Unit 2 rather than pointing to ICL link through which tunneled NA arrived.

Figure 146. Sample Configuration of IPv6 Peer Routing in a VLT Domain

Sample Configuration of IPv6 Peer Routing in a VLT Domain

Consider a sample scenario as shown in the following figure in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link.

Neighbor Solicitation from VLT Hosts

Consider a case in which NS for VLT node1 IP reaches VLT node1 on the VLT interface and NS for VLT node1 IP reaches VLT node2 due to LAG level hashing in the ToR. When VLT node1 receives NS from VLT VLAN interface, it unicasts the NA packet on the VLT interface. When NS reaches VLT node2, it is flooded on all interfaces including ICL. When VLT node 1 receives NS on ICL, it floods the NA packet on the VLAN.
When a VLT node receives traffic from a non-VLT host intended for a VLT host, it routes the traffic to the VLT interface. If the VLT interface is not operationally up, the VLT node routes the traffic over the ICL. Non-VLT host to North Bound traffic flow When a VLT node receives traffic from a non-VLT host intended for a northbound destination with the DMAC set to its own MAC, it routes the traffic to the next hop.
ToR 1. Enable BFD globally. TOR(conf)# bfd enable 2. Configure a VLT peer LAG. TOR(conf)#interface tengigabitethernet 1/1/1 TOR(conf-if-te-1/1/1)#no ip address TOR(conf-if-te-1/1/1)#port-channel-protocol lacp TOR(conf-if-te-1/1/1)#port-channel 10 mode active TOR(conf-if-te-1/1/1)#no shutdown TOR(conf)#interface tengigabitethernet 1/1/2 TOR(conf-if-te-1/1/2)#no ip address TOR(conf-if-te-1/1/2)#port-channel-protocol lacp TOR(conf-if-te-1/1/2)#port-channel 10 mode active TOR(conf-if-te-1/1/2)#no shutdown 3.
5. Enable BFD over OSPF. TOR(conf)# router ospf 1 TOR(conf-router_ospf)# network 100.1.1.0/24 area 0 TOR(conf-router_ospf)# bfd all-neighbors VLT Primary 1. Enable BFD globally. VLT_Primary(conf)# bfd enable 2. Configure port channel which is used as VLTi link.
VLT_Primary(conf)# interface port-channel 100
VLT_Primary(conf-if-po-100)# no ip address
VLT_Primary(conf-if-po-100)# channel-member tengigabitethernet 1/1/1, 1/1/2
VLT_Primary(conf-if-po-100)# no shutdown
3. Enable VLT and configure a VLT domain.
2. Configure port channel which is used as VLTi link.
VLT_Secondary(conf)# interface port-channel 100
VLT_Secondary(conf-if-po-100)# no ip address
VLT_Secondary(conf-if-po-100)# channel-member tengigabitethernet 1/1/1, 1/1/2
VLT_Secondary(conf-if-po-100)# no shutdown
3. Enable VLT and configure a VLT domain.
VLT_Secondary(conf)# vlt domain 100
VLT_Secondary(conf-vlt-domain)# peer-link port-channel 100
VLT_Secondary(conf-vlt-domain)# back-up destination 10.16.206.
VLT_Secondary(conf-vlt-domain)#
Delay-Restore Abort Threshold: 60 seconds
Peer-Routing : Enabled
Peer-Routing-Timeout timer: 0 seconds
Multicast peer-routing timeout: 150 seconds
● To verify the VLTi (ICL) link is up in the VLT secondary peer, use show vlt brief command.
Static VXLAN Configuration in a VLT setup Configuration steps are covered below: 1. Both Gateway VTEPs need VLT configured. ● ICL port configuration interface Port-channel 1 no ip address channel-member TenGigabitEthernet 0/4-5 no shutdown ● VLT Domain Configuration vlt domain 100 peer-link port-channel 1 back-up destination 10.11.70.14 (this is the IP address of the peer node) ● VXLAN Instance Configuration vxlan-instance 1 static local-vtep-ip 14.14.14.
vni-profile test vnid 200 remote-vtep-ip 3.3.3.3 vni-profile test ● VLT Access port configuration interface TengigabitEthernet 0/12 port-channel-protocol lacp port-channel 30 mode active interface Port-channel 30 no ip address vxlan-instance 1 switchport vlt-peer-lag port-channel 30 no shutdown 2. Configure loopback interface and VXLAN instances on both the peers. ● Configure loopback interface IP address on both peers with the same IP address. interface Loopback 1 ip address 14.14.14.14/32 no shutdown 3.
60 VLT Proxy Gateway The virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration. For more information, see the Command Line Reference Guide.
Figure 148. Sample Configuration for a VLT Proxy Gateway Guidelines for Enabling the VLT Proxy Gateway Keep the following points in mind when you enable a VLT proxy gateway: ● Proxy gateway is supported only for VLT; for example, across a VLT domain. ● You must enable the VLT peer-routing command for the VLT proxy gateway to function.
● When a Virtual Machine (VM) moves from one VLT domain to another VLT domain, the VM host sends a gratuitous ARP (GARP), which in turn triggers a MAC movement from the previous VLT domain to the new VLT domain. ● After a station move, if the host sends a TTL 1 packet destined to its gateway (for example, a previous VLT node), the packet can be dropped.
● You must globally enable LLDP. ● You cannot have interface-level LLDP disable commands on the interfaces configured for proxy gateway, and you must enable both transmission and reception. ● You must connect both units of the remote VLT domain by the port channel member. ● If you connect more than one port to a unit of the remote VLT domain, the connection must be completed by the time you enable the proxy gateway LLDP.
● The preceding figure shows a sample square VLT Proxy gateway topology. There are no diagonal links in the square VLT connection between the C and D in VLT domain 1 and C1 and D1 in the VLT domain 2. This causes sub-optimal routing. For VLT Proxy Gateway to work in this scenario you must configure the VLT-peer-mac transmit command under VLT Domain Proxy Gateway LLDP mode, in both C and D (VLT domain 1) and C1 and D1 (VLT domain 2).
2. Configure peer-domain-link port-channel in VLT Domain Proxy Gateway LLDP mode. The VLT port channel is the one that connects the remote VLT domain. Sample Dynamic Proxy Configuration on C switch or C1 switch Switch_C#conf Switch_C(conf)#vlt domain 1 Switch_C(conf-vlt-domain1)#proxy-gateway lldp Switch_C(conf-vlt-domain1-pxy-gw-lldp)#peer-domain-link port-channel 1....
remote-mac-address 00:01:e8:8b:ff:4f remote-mac-address 00:01:e8:d8:93:04 The MAC addresses, configured using the remote-mac-address command, belong to Dell-3 and Dell-4. interface Vlan 100 description OSPF peering VLAN to Dell-1 ip address 10.10.100.2/30 ip ospf network point-to-point no shutdown The following is the OSPF configuration on Dell-2. router ospf 1 router-id 2.2.2.2 network 10.10.100.0/30 area 0 The following output shows that Dell-1 forms OSPF neighborship with Dell-2.
interface Vlan 102 description ospf peering vlan to DELL-4 ip address 10.10.102.1/30 ip ospf network point-to-point no shutdown The following is the OSPF configuration on Dell-3. router ospf 1 router-id 3.3.3.3 network 10.10.101.0/30 area 0 network 10.10.102.0/30 area 0 The following output shows that Dell-4 and VLT domain 120 form OSPF neighborship with Dell-3. Dell-3#sh ip ospf nei ! Neighbor ID Pri State Dead Time Address Interface Area 4.4.4.4 1 FULL/ - 00:00:33 10.10.101.1 Vl 101 0 1.1.1.
Configure BFD in VLT Domain Dell EMC Networking OS supports Bidirectional Forwarding Detection (BFD) to detect communication failures on an interface that is part of a VLT link aggregation group (LAG). In a VLT domain, BFD provides a high-availability path when there are communication failures on any one of the VLT LAG links. The VLT nodes and the top-of-rack (ToR) switch use the VLT LAG links to carry the BFD packets.
3. Configure the port channel for the VLT interconnect on a ToR.
TOR(conf)# interface port-channel 10
TOR(conf-if-po-111)# no ip address
TOR(conf-if-po-111)# switchport
TOR(conf-if-po-111)# no shutdown
4. Configure a VLAN. TOR(conf)#interface vlan 100 TOR(conf-if-vl-100)#ip address 100.1.1.3/24 TOR(conf-if-vl-100)#tagged port-channel 10 TOR(conf-if-vl-100)#arp timeout 1 TOR(conf-if-vl-100)#no shutdown TOR(conf-if-vl-100)#exit 5. Enable BFD over OSPF.
VLT_Primary(conf-if-vl-100)#no shutdown VLT_Primary(conf-if-vl-100)#exit 6. Enable BFD over OSPF. VLT_Primary(conf)# router ospf 1 VLT_Primary(conf-router_ospf)# network 100.1.1.0/24 area 0 VLT_Primary(conf-router_ospf)# bfd all-neighbors VLT Secondary 1. Enable BFD globally. VLT_Secondary(conf)# bfd enable 2. Configure port channel which is used as VLTi link.
● To verify the BFD neighbors in the ToR, use show bfd neighbors command.
TOR#show bfd neighbors
LocalAddr    RemoteAddr   Interface  State  Rx-int  Tx-int  Mult  Clients
* 100.1.1.3  100.1.1.1    Vl 100     Up     200     200     3     O
* 100.1.1.3  100.1.1.2    Vl 100     Up     200     200     3     O
● To verify the VLTi (ICL) link is up in the VLT primary peer, use show vlt brief command.
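The show bfd neighbors output above is where an operator confirms that the ToR sees both VLT peers as Up and learns the negotiated intervals. The following Python snippet is an added example, not code from the Dell guide: it parses rows in that layout and works out how long a peer or link failure goes undetected. The sample text is constructed from the values shown on this page, and the detection-time rule (receive interval multiplied by the detect multiplier, which holds when both sides use the same 200 ms intervals) is a simplification of BFD's negotiated timers, stated here as an assumption.

```python
import re

# Constructed sample in the layout of the "show bfd neighbors" output above (values from it).
SAMPLE_SHOW_BFD = """\
TOR#show bfd neighbors
LocalAddr    RemoteAddr   Interface  State  Rx-int  Tx-int  Mult  Clients
* 100.1.1.3  100.1.1.1    Vl 100     Up     200     200     3     O
* 100.1.1.3  100.1.1.2    Vl 100     Up     200     200     3     O
"""

ROW_RE = re.compile(
    r"^(?P<active>\*\s+)?(?P<local>\d+(?:\.\d+){3})\s+(?P<remote>\d+(?:\.\d+){3})\s+"
    r"(?P<iface>\S+ \S+)\s+(?P<state>\S+)\s+(?P<rx>\d+)\s+(?P<tx>\d+)\s+(?P<mult>\d+)\s+(?P<clients>\S+)$"
)


def parse_bfd_neighbors(text):
    """Parse the neighbor rows and attach the detection time each session implies."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rx, tx, mult = int(m["rx"]), int(m["tx"]), int(m["mult"])
        sessions.append({
            "local": m["local"], "remote": m["remote"], "interface": m["iface"],
            "state": m["state"], "rx_ms": rx, "tx_ms": tx, "mult": mult,
            "active_role": m["active"] is not None,
            # Assumption (simplified from the BFD timer negotiation): with symmetric intervals
            # the session is declared Down after Mult consecutive missed packets, Rx-int x Mult.
            "detect_ms": rx * mult,
        })
    return sessions


def first_down_ms(rx_times_ms, detect_ms, horizon_ms):
    """Given the times at which BFD control packets arrived, return the time the session is
    declared Down, or None if no gap reaches the detection time before horizon_ms."""
    times = sorted(rx_times_ms)
    if not times:
        return None
    for earlier, later in zip(times, times[1:]):
        if later - earlier >= detect_ms:          # a gap of Mult missed packets: declare Down
            return earlier + detect_ms
    if times[-1] + detect_ms <= horizon_ms:       # peer went silent after its last packet
        return times[-1] + detect_ms
    return None


if __name__ == "__main__":
    for s in parse_bfd_neighbors(SAMPLE_SHOW_BFD):
        print(f"{s['remote']} on {s['interface']}: {s['state']}, detection time {s['detect_ms']} ms")
    # Peer sends at 0, 200, 400, 600 ms and then stops: declared Down 600 ms later.
    print("session Down at", first_down_ms([0, 200, 400, 600], 600, 3000), "ms")
```

With the 200 ms / multiplier 3 values from the output above, a failed VLT LAG member is detected within 600 ms, which is the window during which traffic hashed onto the failed link is lost before OSPF (registered as client O) is told to reroute.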
61 Virtual Extensible LAN (VXLAN) Virtual Extensible LAN (VXLAN) is supported on Dell EMC Networking OS. Overview The switch acts as the VXLAN gateway and performs the VXLAN Tunnel End Point (VTEP) functionality. VXLAN is a technology wherein the data traffic from the virtualized servers is transparently transported over an existing legacy network. Figure 151. VXLAN Gateway NOTE: In a stack setup, the Dell EMC Networking OS does not support VXLAN.
• Routing in and out of VXLAN tunnels
• NSX Controller-based VXLAN for VLT
Components of VXLAN network VXLAN provides a mechanism to extend an L2 network over an L3 network. In short, VXLAN is an L2 overlay scheme over an L3 network, and this overlay is termed a VXLAN segment.
Service Node(SN) It is also another VTEP, but it is fully managed by the controller. The purpose of SN is to be the central replication engine for flooded packets Legacy TOR It is a TOR switch, which performs routing or switching decisions. Functional Overview of VXLAN Gateway The following section is the functional overview of VXLAN Gateway: 1. Provides connectivity between a Virtual server infrastructure and a Physical server infrastructure. 2.
● Destination Address: Generally, it is a first hop router's MAC address when the VTEP is on a different address. ● Source Address: It is the source MAC address of the router that routes the packet. ● VLAN: It is optional in a VXLAN implementation and will be designated by an ethertype of 0x8100 and has an associated VLAN ID tag. ● Ethertype: It is set to 0x0800 because the payload packet is an IPv4 packet.
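The outer header fields listed above are what a VTEP, or a monitoring point in front of it, has to walk through before it can see the VNI and the tenant frame. The Python below is an added example written for this page, not Dell's code: it builds a VXLAN-encapsulated frame with the optional 802.1Q tag and then parses it back, rejecting frames whose outer ethertype, IP protocol, UDP port or VXLAN flags do not match. The UDP port 4789 is the IANA VXLAN port and an assumption here, since the page does not name it; the sample frame is constructed, with VNI 200, VTEP addresses 14.14.14.14 and 3.3.3.3 and the MAC addresses taken from the configuration examples elsewhere on this page.

```python
import struct

ETH_P_8021Q = 0x8100    # 802.1Q tag ethertype (the optional outer VLAN from the list above)
ETH_P_IPV4 = 0x0800     # outer ethertype for an IPv4 payload (from the list above)
VXLAN_UDP_PORT = 4789   # assumption: IANA-assigned VXLAN UDP port; the page does not state it
VXLAN_FLAG_I = 0x08     # VXLAN header flag bit that marks the VNI field as valid


def _mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def _mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def build_vxlan_frame(outer_dst, outer_src, src_ip, dst_ip, vni, inner_frame, vlan_id=None):
    """Build a VXLAN-encapsulated Ethernet frame (constructed sample input, not a capture)."""
    eth = _mac_bytes(outer_dst) + _mac_bytes(outer_src)
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETH_P_IPV4)
    # VXLAN header: flags (1 byte), reserved (3), VNI (3), reserved (1)
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)  # checksum 0 = not computed
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                       _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ipv4 + udp + vxlan + inner_frame


def parse_vxlan_frame(frame):
    """Walk the outer headers and return the VNI and inner frame; reject anything malformed."""
    outer_dst, outer_src = _mac_text(frame[0:6]), _mac_text(frame[6:12])
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan_id = 14, None
    if ethertype == ETH_P_8021Q:              # the optional outer VLAN tag
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype != ETH_P_IPV4:
        raise ValueError(f"outer ethertype 0x{ethertype:04x} is not IPv4")
    ver_ihl, _, _, _, _, _, proto, _, sip, dip = struct.unpack_from("!BBHHHBBH4s4s", frame, offset)
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("outer packet is not IPv4/UDP")
    offset += (ver_ihl & 0x0F) * 4             # honour IPv4 options if present
    _, dport, _, _ = struct.unpack_from("!HHHH", frame, offset)
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dport} is not VXLAN")
    offset += 8
    flags, vni_field = struct.unpack_from("!B3xI", frame, offset)
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    offset += 8
    inner = frame[offset:]
    return {
        "outer_dst": outer_dst, "outer_src": outer_src, "vlan_id": vlan_id,
        "src_ip": ".".join(map(str, sip)), "dst_ip": ".".join(map(str, dip)),
        "vni": vni_field >> 8,
        "inner_dst": _mac_text(inner[0:6]), "inner_src": _mac_text(inner[6:12]),
        "inner_len": len(inner),
    }


def sample_frame(vlan_id=20):
    """Constructed sample: VNI, VTEP addresses and MACs come from the configuration examples on
    this page; the inner frame carries a 20-byte dummy IPv4 payload."""
    inner = (_mac_bytes("00:00:bb:00:00:00") + _mac_bytes("00:00:00:cc:00:00")
             + struct.pack("!H", ETH_P_IPV4) + bytes(20))
    return build_vxlan_frame("00:01:e8:8b:ff:4f", "00:01:e8:d8:93:04",
                             "14.14.14.14", "3.3.3.3", 200, inner, vlan_id=vlan_id)


if __name__ == "__main__":
    print(parse_vxlan_frame(sample_frame()))
```

The parser derives the inner-frame offset from the IPv4 header length rather than assuming 20 bytes, and refuses a VXLAN header whose I flag is clear: a gateway that decapsulates such frames anyway would be forwarding traffic into a VNI it never validated.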
Configuring and Controlling VXLAN from the NSX Controller GUI You can configure and control VXLAN from the NSX controller GUI, by adding a hardware device to NSX and authenticating the device. 1. Generate a certificate in your system and add it to the NSX before adding a hardware device for authentication. To generate a certificate, use the following command: ● crypto cert generate self-signed cert-file flash://vtep-cert.pem key-file flash:// vtep-privkey.
Figure 153. Create VXLAN Gateway To create a VXLAN L2 Gateway, the IP address of the Gateway is required. After connectivity is established between the VTEP and NSX controller, the management IP address and the connectivity status are populated as shown in the following image. Figure 154. Hardware Devices 3. Add a service node or replicator. Under Home > Networking and Security > Service Definition > Hardware Devices > Replication Cluster, click the Edit button.
Figure 155. Add Service Node or Replicator NOTE: Ensure L3 reachability between the VTEP and the replicator. 4. Create Logical Switch. You can create a logical network by creating a logical switch. The logical network acts as the forwarding domain for workloads on the physical as well as virtual infrastructure. Click Home > Networking and Security > Logical Switches and click Add. The New Logical Switch window opens. Enter a name and select Unicast as the replication mode and click OK. Figure 156.
In the Manage Hardware Bindings window, expand a VTEP and click Add. The Manage Hardware Bindings Window opens. Click the Select link and the Specify Hardware Port window opens. Click the hardware port and click OK. Figure 157. Specify Hardware Port In the Manage Hardware Bindings window, under the VLAN column, enter the VLAN ID and press OK. Figure 158. Create Logical Switch Port 6. (Optional) Enable or disable BFD globally. Go to Hardware Devices tab > BFD Configuration, and click the Edit button.
Figure 159. Edit VXLAN BFD Configuration NOTE: For more details about NSX controller configuration, refer to the NSX user guide from VMWare. Configuring and Controlling VXLAN from Nuage Controller GUI The Dell EMC Networking OS supports Nuage controller for VXLAN. You can configure and control VXLAN from the Nuage controller GUI, by adding a hardware device to the Nuage controller and authenticating the device. 1. Under the Infrastructure tab, add a datacenter gateway. Figure 160.
Figure 161. Port-to-VLAN mappings 3. Under the Networks tab, create an L2 domain. Under the L2 domain, create a logical network (VNI) and add access ports of the VTEP in the logical network. Figure 162. Access ports of the VTEP Configuring VxLAN Gateway To configure the VxLAN gateway on the switch, follow these steps: 1. Connecting to NVP controller 2. Advertising VXLAN access ports to controller Connecting to an NVP Controller To connect to an NVP controller, use the following commands. 1.
3. Define how the device connects to the controller. VxLAN INSTANCE mode controller controller ID ip address port port-number TCP | SSL The port number range is from 1 to 6632. The default connection type is SSL. TCP, PTCP, and PSSL are supported with NSX controller only. 4. Enter the gateway IP VxLAN INSTANCE mode gateway-ip IP address 5. Enter the maximum backoff time (Optional). VxLAN INSTANCE mode max_backoff time The range is from 1000-180000. The default value is 30000 milliseconds. 6.
The following example shows the show vxlan vxlan-instance logical-network command. • show vxlan vxlan-instance 1 logical-network Instance : 1 Total LN count : 1024 * - No VLAN mapping exists and yet to be installed Name VNID 1ba08465-8774-3383-ba51-8b7e642ff632 6427 02f063c2-36c7-3ef6-a324-b432b748d15d 6218 36ab6265-5fa8-3ce8-b35c-e7cfdaf7c9e8 6368 The following example shows the show vxlan vxlan-instance statistics interface command.
Examples of the show bfd neighbors command. To verify that the session is established, use the show bfd neighbors command.
Dell_GW1#show bfd neighbors
* - Active session role, Ad Dn - Admin Down, B - BGP, C - CLI, I - ISIS, O - OSPF, O3 - OSPFv3, R - Static Route (RTM), M - MPLS, V - VRRP, VT - Vxlan Tunnel
LocalAddr    RemoteAddr
* 1.0.1.1    1.0.1.2
* 3.3.3.3    192.168.122.135
* 3.3.3.3    192.168.122.136
* 3.3.3.3    192.168.122.137
* 3.3.3.3    192.168.122.138
* 3.3.3.3    192.168.122.
VNI-PROFILE mode vnid VNID Range 6. Create a remote tunnel and associate the remote VTEP to the VNID. VXLAN-INSTANCE mode remote-vtep-ip remote IP Address vni-profile profile name 7. Enable the VXLAN. VXLAN-INSTANCE mode no shutdown 8. Enable VXLAN instance on the interface. The interface should not be on layer 2. INTERFACE mode vxlan-instance Instance ID 9. Associate VNID to VLAN.
Use the following command to clear the remote VTEP and access port statistics. DellEMC# clear vxlan vxlan-instance 1 statistics Disabling MAC Address Learning on Static VXLAN Tunnels You can configure the system to not learn MAC addresses on static VXLAN tunnels or remote VTEPs. MAC address learning on static VXLAN tunnels is enabled by default.
Following is the output of the show ip route command for the above connection:
DellEMC# show ip route
Destination        Gateway            Dist/Metric  Last Change
*B IN 0.0.0.0/0    via 192.168.11.2   200/0        16:13:30
C 1.1.1.1/32       Direct, Lo 1       0/0          8:59:34
B IN 2.2.2.2/32    via 192.168.22.1   200/0        00:36:48
From the above routing table it is understood that the remote VTEP 2.2.2.2/32 is resolved through next-hop 192.168.22.1, which is not directly connected.
In this RIOT scheme, whenever R1 tries to reach R2, the packet gets to P1 on VTEP 1 with VLAN 10 and gets routed out of P2 on VLAN 20. VTEP 1 sends an ARP request for R2 (10.1.2.1) through P2. This request gets VXLAN encapsulated at P3 and is sent out of P4. Eventually, the native ARP request reaches R2. R2 sends an ARP response that is VXLAN encapsulated at VTEP 2. This response reaches VTEP 1 on P4 with a VXLAN encapsulation. At this point, the ARP response is de-capsulated at P4.
The topology to achieve RIOT with a physical loopback is inherently susceptible to Layer 2 loops. To prevent these loops from disrupting the network, the following egress masks need to be applied:
● Any frame ingressing on a VXLAN access port is not allowed to egress out of a VXLAN loopback port.
● Any frame ingressing on a VXLAN loopback port is not allowed to egress out of a VXLAN access port.
● Any frame ingressing on a
● Any frame ingressing on a
In this topology, P2 and P3 in VTEP 1 are VLT port-channels with corresponding VLT peer LAGs being P2 and P3 in VTEP 2. Similarly, P6 and P7 in VTEP 3 are VLT port-channels with corresponding VLT peer LAGs being P6 and P7 in VTEP 4. NOTE: P2, P3, P6, and P7 can be a single port or multi-port port-channels that are VLT port-channels. NOTE: The VLT VXLAN configuration for RIOT deviates from the standard VLT behavior when these physical loopbacks are provisioned as VLT port-channels.
Figure 164. Controller-based VXLAN for VLT Providing Redundancy Important Points to Remember ● The VLT peer port channel number must be the same on both VLT peers. ● Before configuring controller-based VXLAN with VLT, remove any existing standalone VXLAN configuration. ● BFD tunnels come up only after the NSX controller sends tunnel details. The details come after the remote MAC addresses are downloaded from NSX controller.
bfd enable 2. Create an uplink-state group. CONFIGURATION mode uplink-state-group group-id group-id: values are from 1 to 16. 3. Assign a VLT port channel to the uplink-state group as an upstream link. UPLINK-STATE-GROUP mode upstream interface 4. Assign a network port or port channel to the uplink-state group as a downstream link.
vlt domain domain-id The domain ID range is from 1 to 1000. Configure the same domain ID on the peer switch. 2. Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages. VLT DOMAIN CONFIGURATION mode back-up destination ip-address 3. Configure the port channel to be used as the VLT interconnect between VLT peers in the domain. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number 4.
vlt-peer-lag port-channel 10 no shutdown The following are some of the show command outputs on the VLT primary: DellEMC#show vlt brief VLT Domain Brief -----------------Domain ID: Role: Role Priority: ICL Link Status: HeartBeat Status: VLT Peer Status: Local Unit Id: Version: Local System MAC address: Remote System MAC address: Configured System MAC address: Remote system version: Delay-Restore timer: Delay-Restore Abort Threshold: Peer-Routing : Peer-Routing-Timeout timer: Multicast peer-routing timeout: D
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated O - Openflow, Vx - Vxlan Q: U - Untagged, T - Tagged x - Dot1x untagged, X - Dot1x tagged o - OpenFlow untagged, O - OpenFlow tagged G - GVRP tagged, M - Vlan-stack i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged
   NUM   Status   Description
*  1     Active
Vx 20    Active
   500   Active
DellEMC#
DellEMC#
DellEMC#sh vxlan vxlan-instance 1 multicast-mac
* - Active Replicator
Role Priority: 10
ICL Link Status: Up
HeartBeat Status: Up
VLT Peer Status: Up
Local Unit Id: 1
Version: 6(8)
Local System MAC address: f4:8e:38:2b:3e:85
Remote System MAC address: 14:18:77:0a:53:80
Configured System MAC address: 00:00:00:11:11:11
Remote system version: 6(8)
Delay-Restore timer: 90 seconds
Delay-Restore Abort Threshold: 60 seconds
Peer-Routing : Enabled
Peer-Routing-Timeout timer: 0 seconds
Multicast peer-routing timeout: 150 seconds
DellEMC#
DellEMC#
DellEMC#sh vxlan vxlan-insta
Tunnel : count 1 6.6.6.2 : vxlan_over_ipv4 (up) DellEMC#show vxlan vxlan-instance 1 unicast-mac-local Total Local Mac Count: 1 VNI MAC PORT 5000 00:00:00:cc:00:00 (N) Po 1 VLAN 20 DellEMC#show vxlan vxlan-instance 1 unicast-mac-remote Total Remote Mac Count: 1 VNI MAC TUNNEL 5000 00:00:bb:00:00:00 4.3.3.
Copy and paste the generated certificate to the NSX. NOTE: Once controller connectivity is established from VLT peers, if you want to generate a new certificate and use it for controller connection, generate the certificate from the node (node that is directly connected to controller). If you do not generate a new certificate from the node, the system shows inconsistent behavior. 2. Create a VXLAN Gateway. To create service node, the required fields are the IP address and SSL certificate of the server.
Figure 166. Hardware Devices 3. Add a service node or replicator. Under Home > Networking and Security > Service Definition > Hardware Devices > Replication Cluster, click the Edit button. Select required hosts for replication and click OK. Figure 167. Add Service Node or Replicator NOTE: Ensure L3 reachability between the VTEP and the replicator. 4. Create Logical Switch. You can create a logical network by creating a logical switch.
Figure 168. Create Logical Switch 5. Create Logical Switch Port. A logical switch port provides a logical connection point for a VM interface (VIF) and a L2 gateway connection to an external network. It binds the virtual access ports in the gateway to logical network (VXLAN) and VLAN. In the Manage Hardware Bindings window, expand a VTEP and click Add. The Manage Hardware Bindings Window opens. Click the Select link and the Specify Hardware Port window opens. Click the hardware port and click OK.
Figure 170. Create Logical Switch Port 6. (Optional) Enable or disable BFD globally. Go to Hardware Devices tab > BFD Configuration, and click the Edit button. The Edit BFD Configuration window opens. Check or uncheck the Enable BFD check box. You can also change the probe interval if required. Figure 171. Edit VXLAN BFD Configuration NOTE: For more details about NSX controller configuration, refer to the NSX user guide from VMWare.
62 Virtual Routing and Forwarding (VRF) Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time.
Figure 172. VRF Network Example VRF Configuration Notes Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
VRF supports some routing protocols only on the default VRF (default-vrf) instance. Table 1 displays the software features supported in VRF and whether they are supported on all VRF instances or only the default VRF. NOTE: To configure a router ID in a non-default VRF, configure at least one IP address in both the default as well as the non-default VRF. Table 141. Software Features Supported on VRF Feature/Capability Support Status for Default VRF Support Status for Non-default VRF 802.
DHCP DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance. VRF Configuration The VRF configuration tasks are: 1. Enabling VRF in Configuration Mode 2. Creating a Non-Default VRF 3. Assign an Interface to a VRF You can also: ● View VRF Instance Information ● Connect an OSPF Process to a VRF Instance ● Configure VRRP on a VRF Loading VRF CAM ● Load CAM memory for the VRF feature.
interface tengigabitethernet 1/1/1/1 2. Assign the interface to management VRF. INTERFACE CONFIGURATION ip vrf forwarding management Before assigning a front-end port to a management VRF, ensure that no IP address is configured on the interface. 3. Assign an IPv4 address to the interface. INTERFACE CONFIGURATION ip address 10.1.1.1/24 4. Assign an IPv6 address to the interface.
Table 142. Configuring VRRP on a VRF (continued)
Task | Command Syntax | Command Mode
Assign an IP address to the interface | ip address 10.1.1.1/24, no shutdown |
Configure the VRRP group and virtual IP address | vrrp-group 10, virtual-address 10.1.1.100 |
View VRRP command output for the VRF vrf1 | show config |
----------------------------
! interface TenGigabitEthernet 1/1/3/1 ip vrf forwarding vrf1 ip address 10.1.1.1/24 ! vrrp-group 10 virtual-address 10.1.1.
● ipv6 nd ra-lifetime — Set IPv6 Router Advertisement Lifetime
● ipv6 nd reachable-time — Set advertised reachability time
● ipv6 nd retrans-timer — Set NS retransmit interval used and advertised in RA
● ipv6 nd suppress-ra — Suppress IPv6 Router Advertisements
● ipv6 ad — IPv6 Address Detection
● ipv6 ad autoconfig — IPv6 stateless auto-configuration
● ipv6 address — Configure IPv6 address on an interface
NOTE: The command line help still displays relevant details correspon
Figure 174. Setup VRF Interfaces The following example relates to the configuration shown in the above illustrations. Router 1 ip vrf blue 1 ! ip vrf orange 2 ! ip vrf green 3 ! interface TenGigabitEthernet no ip address switchport no shutdown ! interface TenGigabitEthernet ip vrf forwarding blue ip address 10.0.0.1/24 no shutdown ! interface TenGigabitEthernet ip vrf forwarding orange ip address 20.0.0.1/24 no shutdown ! interface TenGigabitEthernet ip vrf forwarding green ip address 30.0.0.
ip vrf forwarding blue ip address 1.0.0.1/24 tagged TenGigabitEthernet 1/1/1/3 no shutdown ! interface Vlan 192 ip vrf forwarding orange ip address 2.0.0.1/24 tagged TenGigabitEthernet 1/1/1/3 no shutdown ! interface Vlan 256 ip vrf forwarding green ip address 3.0.0.1/24 tagged TenGigabitEthernet 1/1/1/3 no shutdown ! router ospf 1 vrf blue router-id 1.0.0.1 network 1.0.0.0/24 area 0 network 10.0.0.0/24 area 0 ! router ospf 2 vrf orange router-id 2.0.0.1 network 2.0.0.0/24 area 0 network 20.0.0.
! router ospf 1 vrf blue router-id 1.0.0.2 network 11.0.0.0/24 area 0 network 1.0.0.0/24 area 0 passive-interface TenGigabitEthernet 1/1/2/1 ! router ospf 2 vrf orange router-id 2.0.0.2 network 21.0.0.0/24 area 0 network 2.0.0.0/24 area 0 passive-interface TenGigabitEthernet 1/1/2/2 ! ip route vrf green 30.0.0.0/24 3.0.0.1 ! The following shows the output of the show commands on Router 1.
----------2.0.0.0/24 20.0.0.0/24 21.0.0.0/24 C C O ------Direct, Vl 192 Direct, Te 1/1/2/1 via 2.0.0.
Configuring Route Leaking without Filtering Criteria You can use the ip route-export tag command to export all the IPv4 routes corresponding to a source VRF. For leaking IPv6 routes, use the ipv6 route-export tag command. This action exposes source VRF's routes (IPv4 or IPv6 depending on the command that you use) to various other VRFs. The destinations or target VRFs then import these IPv4 or IPv6 routes using the ip route-import tag or the ipv6 route-import tag command respectively.
ip route-import 1:1 8. Configure the export target in VRF-blue. ip route-import 3:3 9. Configure VRF-green. ip vrf vrf-green interface-type slot/port[/subport] ip vrf forwarding VRF-green ip address ip-address mask A non-default VRF named VRF-green is created and the interface is assigned to it. 10. Configure the import target in the source VRF VRF-Shared for reverse communication with VRF-red and VRF-blue.
DellEMC# show ip route vrf VRF-Blue
O 22.2.2.2/32 via 122.2.2.2 110/0 00:00:11
C 122.2.2.0/24 Direct, Te 1/1/2/1 0/0 22:39:61
O 44.4.4.4/32 via vrf-shared:144.4.4.4 0/0 00:32:36
C 144.4.4.0/24 Direct, vrf-shared:Te 1/1/4/1 0/0 00:32:36
DellEMC# show ip route vrf VRF-Green
O 33.3.3.3/32 via 133.3.3.3 110/0 00:00:11
C 133.3.3.0/24 Direct, Te 1/1/3/1 0/0 22:39:61
DellEMC# show ip route vrf VRF-Shared
O 11.1.1.1/32 via VRF-Red:111.1.1.1 110/0 00:00:10
C 111.1.1.
While importing these routes into VRF-blue, you can further specify match conditions at the import end to define the filtering criteria based on which the routes are imported into VRF-blue. You can define a route-map import_ospf_protocol and then specify the match criteria as OSPF using the match source-protocol ospf command. You can then use the ip route-import route-map command to import routes matching the filtering criteria defined in the import_ospf_protocol route-map.
The show VRF commands display the following output:
DellEMC# show ip route vrf VRF-Blue
C 122.2.2.0/24 Direct, Te 1/1/2/1 0/0 22:39:61
O 22.2.2.2/32 via 122.2.2.2 110/0 00:00:11
O 44.4.4.4/32 via vrf-red:144.4.4.4 0/0 00:32:36 << only OSPF and BGP leaked from VRF-red
Important Points to Remember ● Only active routes are eligible for leaking. For example, if VRF-A has two routes for a prefix, one from BGP and one from OSPF, and the BGP route is not active, the OSPF route takes precedence over BGP.
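Route leaking is the one place where the isolation VRF promises is deliberately punctured, so it is worth being precise about what crosses: only the routes of a VRF whose export tag the target imports, only active ones, and only those that pass the target's route-map when one is attached to ip route-import. The Python below is an added example modelling those rules as described in this section and the one before it (Configuring Route Leaking without Filtering Criteria); it is not Dell's implementation. The VRF names and prefixes are the ones on this page; the tag assignments (1:1 for VRF-Red, 2:2 for VRF-Blue, 3:3 for VRF-Shared) and the inactive BGP route are constructed for the sample.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: str
    protocol: str             # "C" connected, "O" OSPF, "B" BGP, the codes used in show ip route above
    next_hop: str
    active: bool = True       # only the active route for a prefix is eligible for leaking
    from_vrf: Optional[str] = None   # set on a leaked copy to record the source VRF


@dataclass
class Vrf:
    name: str
    routes: list = field(default_factory=list)
    export_tag: Optional[str] = None               # ip route-export <tag>
    import_tags: set = field(default_factory=set)  # one entry per ip route-import <tag>
    import_protocols: Optional[set] = None         # route-map "match source-protocol" on import; None = no filter


def leak_routes(vrfs):
    """Return {VRF name: routing table after leaking}. A target VRF receives, from every VRF whose
    export tag it imports, the active routes that pass its import filter (if any)."""
    by_export_tag = {v.export_tag: v for v in vrfs if v.export_tag}
    tables = {}
    for target in vrfs:
        table = list(target.routes)
        for tag in sorted(target.import_tags):
            source = by_export_tag.get(tag)
            if source is None or source is target:
                continue
            for r in source.routes:
                if not r.active or r.from_vrf is not None:      # inactive or already leaked: skip
                    continue
                if target.import_protocols is not None and r.protocol not in target.import_protocols:
                    continue
                # Leaked routes display as <source-vrf>:<next-hop>, as in the output above
                table.append(Route(r.prefix, r.protocol, f"{source.name.lower()}:{r.next_hop}",
                                   True, source.name))
        tables[target.name] = table
    return tables


def build_sample(blue_filter=None):
    """Constructed topology: VRF names and prefixes from this page, tags assumed for the example."""
    red = Vrf("VRF-Red", [Route("111.1.1.0/24", "C", "Te 1/1/1/1"),
                          Route("11.1.1.1/32", "O", "111.1.1.1")],
              export_tag="1:1", import_tags={"3:3"})
    blue = Vrf("VRF-Blue", [Route("122.2.2.0/24", "C", "Te 1/1/2/1"),
                            Route("22.2.2.2/32", "O", "122.2.2.2")],
               export_tag="2:2", import_tags={"3:3"}, import_protocols=blue_filter)
    shared = Vrf("VRF-Shared", [Route("144.4.4.0/24", "C", "Te 1/1/4/1"),
                                Route("44.4.4.4/32", "O", "144.4.4.4"),
                                Route("44.4.4.4/32", "B", "144.4.4.9", active=False)],
                 export_tag="3:3", import_tags={"1:1", "2:2"})
    green = Vrf("VRF-Green", [Route("133.3.3.0/24", "C", "Te 1/1/3/1"),
                              Route("33.3.3.3/32", "O", "133.3.3.3")])
    return [red, blue, shared, green]


def prefixes(table):
    """Render a table as sorted 'proto prefix via next-hop' strings for easy comparison."""
    return sorted(f"{r.protocol} {r.prefix} via {r.next_hop}" for r in table)


if __name__ == "__main__":
    for name, table in leak_routes(build_sample(blue_filter={"O"})).items():
        print(name, prefixes(table))
```

Running it with blue_filter={"O"} reproduces the effect of the import_ospf_protocol route-map: VRF-Blue still receives 44.4.4.4/32 from VRF-Shared but no longer its connected 144.4.4.0/24, while VRF-Green, which imports nothing, stays fully isolated. Auditing which VRFs carry an import tag for a shared VRF is the quickest way to confirm that a leak was not widened further than intended.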
63 Virtual Router Redundancy Protocol (VRRP) Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network. Topics:
• VRRP Overview
• VRRP Benefits
• VRRP Implementation
• VRRP Configuration
• Sample Configurations
• Proxy Gateway with VRRP
VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network.
Figure 175. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and are not dependent on interior gateway protocol (IGP) protocols to converge or update routing tables. In conjunction with Virtual Link Trunking (VLT), you can configure optimized forwarding with VRRP.
NOTE: In a VLT environment, the VRRP configuration acts as active-active, and if a route is not present in any of the VRRP nodes, the packet to the destination is dropped on that VRRP node. Table 143.
The following example shows how to configure VRRP. DellEMC(conf)#interface tengigabitethernet 1/1/1/1 DellEMC(conf-if-te-1/1/1/1)#vrrp-group 111 DellEMC(conf-if-te-1/1/1/1-vrid-111)# The following example shows how to verify the VRRP configuration. DellEMC(conf-if-te-1/1/1/1)#show conf ! interface TenGigabitEthernet 1/1/1/1 ip address 10.10.10.
3. Set the backup switches to version 3. Dell_backup_switch1(conf-if-te-1/1/1/1-vrid-100)#version 3 Dell_backup_switch2(conf-if-te-1/1/2/1-vrid-100)#version 3 Assign Virtual IP addresses Virtual routers contain virtual IP addresses configured for that VRRP group (VRID). A VRRP group does not transmit VRRP packets until you assign the Virtual IP address to the VRRP group.
virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.3 ! vrrp-group 222 no shutdown The following example shows the same VRRP group (VRID 111) configured on multiple interfaces on different subnets. DellEMC#show vrrp -----------------TenGigabitEthernet 1/1/1/1, VRID: 111, Version: 2 Net: 10.10.10.1 VRF: 0 default State: Master, Priority: 255, Master: 10.10.10.
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10 Authentication: (none) -----------------TenGigabitEthernet 1/1/2/1, VRID: 111, Net: 10.10.2.1 VRF: 0 default State: Master, Priority: 125, Master: 10.10.2.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 601, Gratuitous ARP sent: 2 Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address: 10.10.2.2 10.10.2.
● Prevent any BACKUP router with a higher priority from becoming the MASTER router. INTERFACE-VRID mode no preempt Re-enable preempt by entering the preempt command. When you enable preempt, it does not display in the show commands, because it is a default setting. The following example shows how to disable preempt using the no preempt command.
The following example shows how to change the advertise interval using the advertise-interval command. DellEMC(conf-if-te-1/1/1/1)#vrrp-group 111 DellEMC(conf-if-te-1/1/1/1-vrid-111)#advertise-interval 10 DellEMC(conf-if-te-1/1/1/1-vrid-111)# The following example shows how to verify the advertise interval change using the show conf command.
INTERFACE-VRID mode track interface [priority-cost cost] The cost range is from 1 to 254. The default is 10. ● (Optional) Display the configuration and the UP or DOWN state of tracked objects, including the client (VRRP group) that is tracking an object’s state. EXEC mode or EXEC Privilege mode show track ● (Optional) Display the configuration and the UP or DOWN state of tracked interfaces and objects in VRRP groups, including the time since the last change in an object’s state.
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 310
Virtual MAC address: 00:00:5e:00:02:01
Virtual IP address: 2007::1 fe80::1
Tracking states for 2 resource Ids:
2 - Up IPv6 route, 2040::/64, priority-cost 20, 00:02:11
3 - Up IPv6 route, 2050::/64, priority-cost 30, 00:02:11
The following example shows verifying the VRRP configuration on an interface.
Sample Configurations
Before you set up VRRP, review the following sample configurations.
VRRP for an IPv4 Configuration
The following configuration shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
R2(conf-if-te-1/1/3/1-vrid-99)#virtual 10.1.1.3
R2(conf-if-te-1/1/3/1-vrid-99)#no shut
R2(conf-if-te-1/1/3/1)#show conf
!
interface TenGigabitEthernet 1/1/3/1
 ip address 10.1.1.1/24
 !
 vrrp-group 99
  priority 200
  virtual-address 10.1.1.3
  no shutdown
R2(conf-if-te-1/1/3/1)#end
R2#show vrrp
-----------------
TenGigabitEthernet 1/1/3/1, VRID: 99, Net: 10.1.1.1
VRF: 0 default
State: Master, Priority: 200, Master: 10.1.1.
Figure 177. VRRP for an IPv6 Configuration
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address.
The following example shows configuring VRRP for IPv6 Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
 ipv6 address 1::1/64
 vrrp-group 10
  priority 100
  virtual-address fe80::10
  virtual-address 1::10
  no shutdown
R2(conf-if-te-1/1/1/1)#end
R2#show vrrp
-----------------
TenGigabitEthernet 1/1/1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f
VRF: 0 default
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135
Virtual MAC address: 00:00
Both Switch-1 and Switch-2 have three VRF instances defined: VRF-1, VRF-2, and VRF-3. Each VRF has a separate physical interface to a LAN switch and an upstream VPN interface to connect to the Internet. Both Switch-1 and Switch-2 use VRRP groups on each VRF instance so that there is one MASTER and one backup router for each VRF. In VRF-1 and VRF-2, Switch-2 serves as owner-master of the VRRP group and Switch-1 serves as the backup. On VRF-3, Switch-1 is the owner-master and Switch-2 is the backup.
% Info: The VRID used by the VRRP group 11 in VRF 2 will be 178.
S1(conf-if-te-1/1/2/1-vrid-101)#priority 100
S1(conf-if-te-1/1/2/1-vrid-101)#virtual-address 10.10.1.2
S1(conf-if-te-1/1/2/1)#no shutdown
!
S1(conf)#interface TenGigabitEthernet 1/1/3/1
S1(conf-if-te-1/1/3/1)#ip vrf forwarding VRF-3
S1(conf-if-te-1/1/3/1)#ip address 20.1.1.5/24
S1(conf-if-te-1/1/3/1)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
VLAN Scenario
In another scenario, to connect to the LAN, VRF-1, VRF-2, and VRF-3 use a single physical interface with multiple tagged VLANs (instead of separate physical interfaces). In this case, you configure three VLANs: VLAN-100, VLAN-200, and VLAN-300. Each VLAN is a member of one VRF. A physical interface (tengigabitethernet 1/1/1/1) attaches to the LAN and is configured as a tagged interface in VLAN-100, VLAN-200, and VLAN-300. The rest of this example is similar to the non-VLAN scenario.
Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1
VRF: 2 vrf2
State: Master, Priority: 100, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 10.1.1.
Virtual MAC address: 00:00:5e:00:01:0a
Virtual IP address: 20.1.1.100
Authentication: (none)
DellEMC#show vrrp vrf vrf2 port-channel 1
-----------------
Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1
VRF: 2 vrf2
State: Master, Priority: 100, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 10.1.1.
Figure 179. VRRP for IPv6 Topology
NOTE: This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, and so on.
NOTE: The virtual IPv6 address you configure should be in the same IPv6 subnet as the interface it is configured on.
00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe80::255
DellEMC#show vrrp tengigabitethernet 1/1/8/1
TenGigabitEthernet 1/1/8/1, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:e9ed
VRF: 0 default
State: Master, Priority: 110, Master: fe80::201:e8ff:fe8a:e9ed (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 120
Virtual MAC address: 00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe80::255
De
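The show vrrp listings in this chapter all share one record layout: a dashed divider, a header line naming the interface and VRID, then "Key: value" pairs separated by commas. The following Python script is an added example (not Dell code and not taken from this guide) that parses that layout and reports the fields a reviewer checks first: the Bad pkts rcvd counter, the Authentication line, and whether preempt has been disabled with no preempt. The sample output embedded in it is constructed to mirror the guide's format rather than captured from a switch, and the finding texts are this example's own wording. It also accepts the divider glued to the header line, as the extracted output above shows it, and the IPv6 header variant.

```python
"""Parse Dell EMC Networking OS 'show vrrp' output and report per-group health.

Added example; SAMPLE_SHOW_VRRP is constructed in the format this guide shows,
not captured from a switch.
"""
import re
from typing import Dict, List

SAMPLE_SHOW_VRRP = """\
-----------------
TenGigabitEthernet 1/1/1/1, VRID: 111, Version: 2, Net: 10.10.10.1
VRF: 0 default
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 601, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3
Authentication: (none)
-----------------
TenGigabitEthernet 1/1/2/1, VRID: 111, Version: 2, Net: 10.10.2.1
VRF: 0 default
State: Backup, Priority: 125, Master: 10.10.2.5
Hold Down: 0 sec, Preempt: FALSE, AdvInt: 1 sec
Adv rcvd: 598, Bad pkts rcvd: 3, Adv sent: 0, Gratuitous ARP sent: 0
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.2.2
Authentication: (none)
"""

_SEPARATOR = re.compile(r"^-{5,}")  # record divider; may be glued to the header line


def parse_show_vrrp(text: str) -> List[Dict[str, str]]:
    """Return one {field: value} dict per VRRP group, values kept as raw strings."""
    groups: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        sep = _SEPARATOR.match(line)
        if sep:
            if current:
                groups.append(current)
            current = {}
            line = line[sep.end():].strip()
        if not line:
            continue
        for piece in line.split(", "):
            if ":" in piece:
                # split on the first colon only: MAC and IPv6 values contain colons
                key, value = piece.split(":", 1)
                current[key.strip()] = value.strip()
            elif "Interface" not in current:
                current["Interface"] = piece  # the header line starts with the interface name
    if current:
        groups.append(current)
    return groups


def audit_group(group: Dict[str, str]) -> List[str]:
    """Findings for one group; an empty list means nothing to look at."""
    findings: List[str] = []
    bad = int(group.get("Bad pkts rcvd", "0"))
    if bad:
        findings.append(f"{bad} bad VRRP packets received: look for a misconfigured peer "
                        "or an unexpected talker on the segment")
    if group.get("Authentication", "").lower() == "(none)":
        findings.append("no VRRP authentication: segment access control is the only "
                        "protection against a foreign advertiser")
    if group.get("Preempt", "").upper() == "FALSE":
        findings.append("preempt disabled: a recovered higher-priority router will not reclaim MASTER")
    return findings


def audit_show_vrrp(text: str) -> Dict[str, List[str]]:
    """Map '<interface> VRID <n>' to its findings."""
    report: Dict[str, List[str]] = {}
    for group in parse_show_vrrp(text):
        vrid = group.get("VRID") or group.get("IPv6 VRID") or "?"
        report[f"{group.get('Interface', '?')} VRID {vrid}"] = audit_group(group)
    return report


if __name__ == "__main__":
    for name, findings in audit_show_vrrp(SAMPLE_SHOW_VRRP).items():
        print(name, "->", findings or ["ok"])
```

Feed it the text of show vrrp (or show vrrp vrf ... as above) collected from each VLT or VRRP node, and compare the reports across nodes: the same VRID should show one Master and matching AdvInt, and a non-zero Bad pkts rcvd on any node is worth a look before the next failover test.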
This is achieved by configuring the same VRRP group IDs on the extended L3 VLANs; VRRP then stays active-active across all four VLT nodes even though they are in two different VLT domains. The following illustration shows a sample configuration with two data centers:
● Server racks, Rack 1 and Rack 2, are part of data centers DC1 and DC2, respectively.
● Rack 1 is connected to devices A1 and B1 in a Layer 2 network segment.
● Rack 2 is connected to devices A2 and B2 in a Layer 2 network segment.
 unit-id 0
 peer-routing
interface port-channel 128
 channel member ten 1/1/1
 channel member ten 1/1/2
 no shutdown
int ten 1/5/1
 port-channel-protocol lacp
  port-channel 10 mode active
 no shut
int ten 1/4/1
 port-channel-protocol lacp
  port-channel 20 mode active
 no shut
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.2/24
 tagged port-channel 10
 vrrp-group 10
  advertise-interval 60
  virtual-ip 100.1.1.254
  priority 100
  no shutdown
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.0/24 area 0
Sample configuration of C2:
vlt domain 10
 peer-link port-channel 128
 back-up destination 10.16.140.
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.0/24 area 0
Sample configuration of D2:
vlt domain 10
 peer-link port-channel 128
 back-up destination 10.16.140.
64 Debugging and Diagnostics
This chapter describes debugging and diagnostics for the device.
Topics:
• Offline Diagnostics
• Trace Logs
• Auto Save on Crash or Rollover
• Hardware Watchdog Timer
• Enabling Environmental Monitoring
• Buffer Tuning
• Troubleshooting Packet Loss
• Enabling Application Core Dumps
• Mini Core Dumps
• Enabling TCP Dumps
Offline Diagnostics
The offline diagnostics test suite is useful for isolating faults and debugging hardware.
through the unit. Please make sure that stacking/fanout not configured for Diagnostics execution. Also reboot/online command is necessary for normal operation after the offline command is issued.
Proceed with Offline [confirm yes/no]:yes
After the system goes offline, you must reload or run the online stack-unit stack-unit-number command to return it to normal operation.
2. Confirm the offline status.
EXEC Privilege mode
show system brief
3. Start diagnostics on the unit.
Enabling Environmental Monitoring
The device components use environmental monitoring hardware to detect transmit power readings, receive power readings, and temperature updates. To receive periodic power updates, enter the following command.
● Enable environmental monitoring.
-- Temperature Limits (deg C) --
            Minor  Minor Off  Major  Major Off  Shutdown
Bcm56960      100         99    105        104       110
-- Temperature Limits (deg C) --
            Minor  Minor Off  Major  Major Off  Shutdown
Bcm56960      100         99    105        104       110
-- Temperature Limits (deg C) --
            Minor  Minor Off  Major  Major Off  Shutdown
SwitchOn       47         46     50         49        NA
-- Temperatu
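Each row of the limits table above carries a raise threshold and a slightly lower "Off" threshold for the minor and major levels, so an alarm that triggers at 100 deg C does not flap while the reading hovers around it. As an added example (not Dell code), the Python below encodes the Bcm56960 and SwitchOn rows and steps a constructed temperature trace through a small alarm state machine. The "at or above raises, at or below Off clears" reading of the columns and the latched shutdown state are assumptions of this example, not statements from the guide; the limit values themselves are the ones the table prints.

```python
"""Alarm state for a temperature sensor against Minor/Major/Shutdown limits
with 'Off' hysteresis points.

Added example; the limit values are those printed in the guide's table, the
raise/clear interpretation and the temperature trace are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TempLimits:
    sensor: str
    minor: int               # raise the minor alarm at or above this value
    minor_off: int           # clear the minor alarm at or below this value
    major: int
    major_off: int
    shutdown: Optional[int]  # None where the table shows NA (no auto-shutdown)


# Values copied from the 'show environment' limits output in this chapter.
LIMITS: Dict[str, TempLimits] = {
    "Bcm56960": TempLimits("Bcm56960", 100, 99, 105, 104, 110),
    "SwitchOn": TempLimits("SwitchOn", 47, 46, 50, 49, None),
}


def next_state(limits: TempLimits, state: str, temp: int) -> str:
    """One evaluation step; returns 'normal', 'minor', 'major' or 'shutdown'."""
    if limits.shutdown is not None and temp >= limits.shutdown:
        return "shutdown"
    if state == "shutdown":
        return "shutdown"  # latched: the card was auto-shut, an operator must act
    # Raise at the threshold, or hold an existing alarm until the reading drops to the Off value.
    if temp >= limits.major or (state == "major" and temp > limits.major_off):
        return "major"
    if temp >= limits.minor or (state in ("minor", "major") and temp > limits.minor_off):
        return "minor"
    return "normal"


def walk(limits: TempLimits, trace: List[int]) -> List[Tuple[int, str]]:
    """Run a sequence of readings through the state machine, starting from 'normal'."""
    state, out = "normal", []
    for temp in trace:
        state = next_state(limits, state, temp)
        out.append((temp, state))
    return out


if __name__ == "__main__":
    # Constructed trace: crosses minor, drops onto the Off value, climbs to major, then shutdown.
    for temp, state in walk(LIMITS["Bcm56960"], [95, 100, 99, 106, 104, 99, 110, 90]):
        print(f"Bcm56960 {temp:>3} degC -> {state}")
```

The SwitchOn row shows why the NA case matters: with no shutdown limit the state machine can only ever reach "major", so monitoring has to treat a sustained major alarm on that sensor as the final warning.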
NOTE: Exercise care when removing a card; if it has exceeded the major or shutdown thresholds, the card could be hot to the touch.
Recognize an Under-Voltage Condition
If the system detects an under-voltage condition, it sends an alarm. To recognize this condition, look for the following system message:
%CHMGR-1-CARD_SHUTDOWN: Major alarm: stack unit 2 down - auto-shutdown due to under voltage.
This message indicates that the specified card is not receiving enough power.
Dell EMC Networking OS provides two predefined buffer profiles, one for single-queue (for example, non-quality-of-service [QoS]) applications, and one for four-queue (for example, QoS) applications. You must reload the system for the global buffer profile to take effect; a message similar to the following displays:
% Info: For the global pre-defined buffer profile to take effect, please save the config and reload the system.
Displaying Drop Counters
To display drop counters, use the following commands.
● Identify which stack unit and port pipe is experiencing internal drops.
show hardware stack-unit stack-unit-number drops [unit unit-number]
● Identify which interface is experiencing internal drops.
Ingress FCS Drops Error Ratio : 0.0E0
DellEMC#
Dataplane Statistics
The show hardware stack-unit cpu data-plane statistics command provides insight into the packet types coming to the CPU. The show hardware stack-unit cpu party-bus statistics command displays input and output statistics on the party bus, which carries inter-process communication traffic between CPUs. The command output in the following example has been augmented, providing detailed RX/TX packet statistics on a per-queue basis.
1649566 packets, 1935316203 bytes
0 errors
Display Stack Port Statistics
The show hardware stack-unit stack-port command displays input and output statistics for a stack-port interface.
RX - Unicast Packet Counter
RX - 64 Byte Frame Counter
RX - 65 to 127 Byte Frame Counter
RX - 128 to 255 Byte Frame Counter
RX - 256 to 511 Byte Frame Counter
RX - 512 to 1023 Byte Frame Counter
RX - 1024 to 1518 Byte Frame Counter
RX - 1519 to 1522 Byte Good VLAN Frame Counter
RX - 1519 to 2047 Byte Frame Counter
RX - 2048 to 4095
TX - PFC Frame Priority 4    0
TX - PFC Frame Priority 5    0
TX - PFC Frame Priority 6    0
TX - PFC Frame Priority 7    0
TX - Debug Counter 0         0
TX - Debug Counter 1         0
TX - Debug Counter 2         0
TX - Debug Counter 3         0
TX - Debug Counter 4         0
TX - Debug Counter 5         0
TX - Debug Counter 6         0
TX - Debug Counter 7         0
TX - Debug Counter 8         0
TX - Debug Counter 9         0
TX - Debug Counter 10        0
TX - Debug Counter 11        0
Enabling Application Core Dumps
Application core dumps are disabled by default. A core dump file can be very large.
17  -rwx    803356  Jul 29 2015 22:45:22 +00:00
18  -rwx   1523099  Jul 29 2015 22:48:26 +00:00
19  -rwx   1828006  Aug 10 2015 18:34:16 +00:00
20  -rwx    161797  Aug 28 2015 03:59:48 +00:00
21  -rwx  43275928  Sep 30 2015 09:29:24 +00:00
22  -rwx   1810311  Sep 10 2015 05:30:58 +00:00
23  -rwx   1812442  Sep 10 2015 05:34:00 +00:00
24  -rwx   1810601  Sep 10 2015 05:37:02 +00:00
25  -rwx   1800256  Sep 10 2015 08:54:46 +00:00
26  -rwx   1798111  Sep 10 2015 08:57:48
27  -rwx   1887496  Sep 23 2015 05:28:14
28  -rwx   1913790  Sep 23 2015 06:33:40
65 Standards Compliance
This chapter describes standards compliance for Dell EMC Networking products.
NOTE: Unless noted, when a standard cited here is listed as supported by the Dell EMC Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance
Dell EMC Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell EMC Networking OS first supports the standard.
General Internet Protocols
The following table lists the Dell EMC Networking OS support per platform for general internet protocols.
Table 145. General Internet Protocols
Table 145. General Internet Protocols (continued)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
6 0 | Transfer Protocol
2474 | Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers | 7.7.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2615 | PPP over SONET/SDH | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2698 | | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
| | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.
Table 146. General IPv4 Protocols (continued)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1035 | DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (client) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1042 | A Standard for the Transmission of IP Datagrams over IEEE 802 Networks | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1191 | Path MTU Discovery | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.
Table 147. General IPv6 Protocols (continued)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
2462 (Partial) | IPv6 Stateless Address Autoconfiguration | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2464 | Transmission of IPv6 Packets over Ethernet Networks | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2675 | IPv6 Jumbograms | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2711 | IPv6 Router Alert Option | 8.3.12.0 | 9.8(0.
Table 148. Border Gateway Protocol (BGP) (continued)
RFC# | Full Name | S-Series/Z-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
2842 | Capabilities Advertisement with BGP-4 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2858 | Multiprotocol Extensions for BGP-4 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2918 | Route Refresh Capability for BGP-4 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
3065 | Autonomous System Confederations for BGP | 7.8.1 | 9.
Intermediate System to Intermediate System (IS-IS)
The following table lists the Dell EMC Networking OS support per platform for the IS-IS protocol.
Table 150. Intermediate System to Intermediate System (IS-IS)
RFC# | Full Name | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1142 | OSI IS-IS Intra-Domain Routing Protocol (ISO DP 10589) | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1195 | Use of OSI IS-IS for Routing in TCP/IP and Dual Environments | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.
Routing Information Protocol (RIP)
The following table lists the Dell EMC Networking OS support per platform for the RIP protocol.
Table 151. Routing Information Protocol (RIP)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1058 | Routing Information Protocol | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2453 | RIP Version 2 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
4191 | Default Router Preferences and More-Specific Routes | 8.3.12.0 | 9.8(0.
Table 153. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1156 | Management Information Base for Network Management of TCP/IP-based internets | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
1157 | A Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
1212 | Concise MIB Definitions | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.
Table 153. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
2575 | View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
2576 | Coexistence Between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
2578 | Structure of Management Information Version 2 (SMIv2) | 7.
Table 153. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
| ... Network Management Protocol (SNMP)
3418 | Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
3434 | Remote Monitoring MIB Extensions for High Capacity Alarms, High-Capacity Alarm Table (64 bits) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
3580 | IEEE 802.
Table 153. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
IEEE 802.1AB | Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components. | 7.7.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
IEEE 802.1AB | The LLDP Management Information Base extension module for IEEE 802.1 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB) | 7.7.1 | 9.8(0.0P2) | 9.8(0.
Table 153. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
FORCE10-IF-EXTENSION-MIB | Force10 Enterprise IF Extension MIB (extends the Interfaces portion of the MIB-2 (RFC 1213) by providing proprietary SNMP OIDs for other counters displayed in the "show interfaces" output) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
FORCE10-LINKAGG-MIB | Force10 Enterprise Link Aggregation MIB | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.
Table 153. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
ALARM-MIB |
MIB Location
You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.aspx
You also can obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/CSPortal20/Main/Login.aspx
Some pages of iSupport require a login.
66 X.509v3
supports X.509v3 standards.
Topics:
• Introduction to X.509v3 certificates
• X.509v3 support in
• Information about installing CA certificates
• Information about Creating Certificate Signing Requests (CSR)
• Information about installing trusted certificates
• Transport layer security (TLS)
• Online Certificate Status Protocol (OCSP)
• Verifying certificates
• Event logging
Introduction to X.509v3 certificates
X.
Advantages of X.509v3 certificates
Public key authentication is preferred over password-based authentication, although both may be used in conjunction, for various reasons. Public-key authentication provides the following advantages over normal password-based authentication:
● Public-key authentication avoids the human problems of low-entropy password selection and provides more resistance to brute-force attacks than password-based authentication.
The other hosts on the network, such as the SUT switch, syslog server, and OCSP server, generate private keys and create Certificate Signing Requests (CSRs). The hosts then upload the CSRs to the Intermediate CA or make the CSRs available for the Intermediate CA to download. generates a CSR using the crypto cert generate request command. The hosts on the network (SUT, syslog, OCSP…) also download and install the CA certificates from the Root and Intermediate CAs.
After the CA certificate is installed, the system can secure communications with TLS servers by verifying certificates that are signed by the CA.
Installing CA certificate
To install a CA certificate, enter the crypto ca-cert install {path} command in Global Configuration mode.
Information about Creating Certificate Signing Requests (CSR)
A Certificate Signing Request (CSR) enables a device to get an X.509v3 certificate from a CA. In order for a device to get an X.
● Organization Unit Name
● Common Name
● Email address
● Validity
● Length
● Alternate Name
NOTE: The command contains multiple options; the Common Name is a required field, and unspecified fields are left blank.
Information about installing trusted certificates
Dell EMC Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS.
When not operating in FIPS mode, the system may support TLS 1.0 up to 1.2, and older ciphers and hashes:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA
TLS compression is disabled by default.
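The suite names above follow the standard TLS naming pattern (key exchange, bulk cipher, hash), which makes the non-FIPS list easy to review mechanically. The Python below is an added example, not Dell code: it copies the guide's non-FIPS list, splits each name, and sorts the suites into "retire" (static DH/ECDH key exchange with no forward secrecy, or 3DES), "legacy" (ephemeral key exchange but CBC with HMAC-SHA1 record protection) and "preferred" (ephemeral key exchange with an AEAD cipher). The verdict labels and cutoffs are this example's own review policy; it also handles TLS 1.2 suite names that are not on the page, which is where the "preferred" verdict comes from.

```python
"""Classify TLS 1.0-1.2 cipher suites by key-exchange and record-protection properties.

Added example (not Dell code). NON_FIPS_SUITES is the list printed in this
guide; the verdicts are this example's review policy.
"""
import re
from typing import Dict, List

NON_FIPS_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
]

# TLS 1.2-style names: TLS_<key exchange>_WITH_<bulk cipher>_<hash>
_SUITE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<hash>SHA384|SHA256|SHA|MD5)$")
_EPHEMERAL = ("ECDHE_", "DHE_")  # only these key exchanges give forward secrecy


def classify(suite: str) -> Dict[str, object]:
    """Return the parsed parts, the list of issues found and a one-word verdict."""
    m = _SUITE.match(suite)
    if not m:
        # TLS 1.3 names (no _WITH_) and anything malformed are left for a human
        return {"suite": suite, "issues": ["unrecognised suite name"], "verdict": "unknown"}
    kx, cipher, h = m.group("kx"), m.group("cipher"), m.group("hash")
    issues: List[str] = []
    ephemeral = kx.startswith(_EPHEMERAL)
    if not ephemeral:
        issues.append("static key exchange: no forward secrecy")
    if "3DES" in cipher:
        issues.append("3DES: 64-bit block cipher, unsafe for long sessions")
    if "_CBC" in cipher:
        issues.append("CBC with HMAC (not AEAD) record protection")
    if h == "SHA":
        issues.append("HMAC-SHA1 record MAC")
    if "3DES" in cipher or not ephemeral:
        verdict = "retire"
    elif issues:
        verdict = "legacy"
    else:
        verdict = "preferred"
    return {"suite": suite, "kx": kx, "cipher": cipher, "hash": h,
            "issues": issues, "verdict": verdict}


def rank_suites(suites: List[str]) -> Dict[str, str]:
    """Map each suite name to its verdict."""
    return {s: str(classify(s)["verdict"]) for s in suites}


if __name__ == "__main__":
    for suite, verdict in rank_suites(NON_FIPS_SUITES).items():
        print(f"{verdict:9} {suite}")
```

Run against the guide's list, every suite lands in "retire" or "legacy": none offers an AEAD cipher, and six of the ten either use static DH/ECDH or 3DES. That is the practical reason to keep the switch in FIPS mode where possible, or to confine the non-FIPS TLS endpoints to a management network.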
Configuring OCSP behavior
You can configure how the OCSP requests and responses are signed when the CA or the device contacts the OCSP responders. To configure this behavior, follow this step:
In CONFIGURATION mode, enter the following command:
crypto x509 ocsp {[nonce] [sign-request]}
Both the nonce and sign-request parameters are optional. The default behavior is to not use these two options.
Verifying Client Certificates
Verifying client certificates is optional in the TLS protocol and is not explicitly required by Common Criteria. However, TLS-protected Syslog and RADIUS protocols mandate that certificate-based mutual authentication be performed.
Event logging
The system logs the following events:
● A CA certificate is installed or deleted.
● A self-signed certificate and private key are generated.
● An existing host certificate, a private key, or both are deleted.