Dell Configuration Guide for the Z9000 System 9.7(0.0) July 2021 Rev.
Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. NOTE: A WARNING indicates a potential for property damage, personal injury, or death. © 2015- 2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents Chapter 1: About this Guide.........................................................................................................25 Audience.............................................................................................................................................................................. 25 Conventions........................................................................................................................................................................
Moving a Command from EXEC Privilege Mode to EXEC Mode.................................................................... 48 Allowing Access to CONFIGURATION Mode Commands................................................................................. 48 Allowing Access to the Following Modes.............................................................................................................. 48 Applying a Privilege Level to a Username...............................................................
Chapter 6: Access Control Lists (ACLs).......................................................................................79 IP Access Control Lists (ACLs)......................................................................................................................................79 CAM Usage................................................................................................................................................................... 80 Implementing ACLs on Dell Networking OS..
BFD Packet Format....................................................................................................................................................113 BFD Sessions............................................................................................................................................................... 114 BFD Three-Way Handshake.....................................................................................................................................
Regular Expressions as Filters................................................................................................................................ 165 Redistributing Routes............................................................................................................................................... 166 Enabling Additional Paths.........................................................................................................................................
DHCP Packet Format and Options.............................................................................................................................205 Assign an IP Address using DHCP.............................................................................................................................. 206 Implementation Information..........................................................................................................................................
Protocol Overview...........................................................................................................................................................231 Ring Status................................................................................................................................................................. 232 Multiple FRRP Rings............................................................................................................................................
View Basic Interface Information................................................................................................................................263 Enabling a Physical Interface....................................................................................................................................... 265 Physical Interfaces.........................................................................................................................................................
Auto-Negotiation on Ethernet Interfaces................................................................................................................. 290 Setting the Speed and Duplex Mode of Ethernet Interfaces..........................................................................291 Set Auto-Negotiation Options............................................................................................................................... 292 View Advanced Interface Information..........................
Protocol Overview...........................................................................................................................................................315 Extended Address Space......................................................................................................................................... 315 Stateless Autoconfiguration....................................................................................................................................
Debugging IS-IS.........................................................................................................................................................349 IS-IS Metric Styles..........................................................................................................................................................350 Configure Metric Values............................................................................................................................................
Chapter 25: Link Layer Discovery Protocol (LLDP).................................................................... 384 802.1AB (LLDP) Overview............................................................................................................................................384 Protocol Data Units.................................................................................................................................................. 384 Optional TLVs.........................................
Configuring Anycast RP................................................................................................................................................ 423 Reducing Source-Active Message Flooding....................................................................................................... 424 Specifying the RP Address Used in SA Messages............................................................................................ 424 MSDP Sample Configurations..........................
Router Types..............................................................................................................................................................463 Designated and Backup Designated Routers..................................................................................................... 464 Link-State Advertisements (LSAs).......................................................................................................................464 Router Priority and Cost.............
Chapter 34: PIM Source-Specific Mode (PIM-SSM)...................................................................512 Implementation Information.......................................................................................................................................... 512 Configure PIM-SMM.......................................................................................................................................................512 Enabling PIM-SSM......................................
Honoring dot1p Priorities on Ingress Traffic.......................................................................................................550 Configuring Port-Based Rate Policing................................................................................................................. 550 Configuring Port-Based Rate Shaping................................................................................................................ 550 Policy-Based QoS Configurations........................
Modifying Global Parameters.......................................................................................................................................592 Enabling SNMP Traps for Root Elections and Topology Changes................................................................593 Modifying Interface Parameters.................................................................................................................................
VLAN Stacking................................................................................................................................................................. 631 Configure VLAN Stacking....................................................................................................................................... 632 Creating Access and Trunk Ports.........................................................................................................................
Configuring Contact and Location Information using SNMP...............................................................................658 Subscribing to Managed Object Value Updates using SNMP............................................................................. 659 Enabling a Subset of SNMP Traps............................................................................................................................. 659 Copy Configuration Files Using SNMP..........................................
Configuring Spanning Trees as Hitless...................................................................................................................... 686 STP Loop Guard..............................................................................................................................................................686 Configuring Loop Guard..........................................................................................................................................
VLT Terminology.............................................................................................................................................................. 712 Configure Virtual Link Trunking.................................................................................................................................... 712 Important Points to Remember..............................................................................................................................
Running Offline Diagnostics................................................................................................................................... 780 TRACE Logs..................................................................................................................................................................... 784 Auto Save on Crash or Rollover.............................................................................................................................
1 About this Guide This guide describes the protocols and features the Dell Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. The Z9000 platform is available with Dell Networking OS version 8.3.11.1 and beyond. Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Networking systems.
2 Configuration Fundamentals The Dell Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
● EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
ROUTER OSPF ROUTER OSPFV3 ROUTER RIP SPANNING TREE TRACE-LIST VLT DOMAIN VRRP UPLINK STATE GROUP GRUB Navigating CLI Modes The Dell Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command which takes you directly to EXEC Privilege mode and the exit command which moves you up one command mode level.
Table 1.
Table 1.
7 8 9 10 11 Member Member Member Member Member not not not not not present present present present present -- Power Supplies -Unit Bay Status Type FanStatus --------------------------------------------------------------------------0 0 absent absent 0 1 up UNKNOWN up -- Fan Status -Unit Bay TrayStatus Fan0 Speed Fan1 Speed -----------------------------------------------------------------------------------0 0 up up 9120 up 9120 0 1 up up 9120 up 9120 Speed in RPM Dell(conf)# Undoing Commands When you ent
● Enter ? after a partial keyword lists all of the keywords that begin with the specified letters. Dell(conf)#cl? class-map clock Dell(conf)#cl ● Enter [space]? after a keyword lists all of the keywords that can follow the specified keyword. Dell(conf)#clock ? summer-time Configure summer (daylight savings) time timezone Configure time zone Dell(conf)#clock Entering and Editing Commands Notes for entering commands. ● The CLI is not case-sensitive. ● You can enter partial CLI keywords.
Command History Dell Networking OS maintains a history of previously-entered commands for each mode. For example: ● When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands. ● When you are in CONFIGURATION mode, the UP or DOWN arrows keys recall the previously-entered CONFIGURATION mode commands.
The no-more command displays the output all at once rather than one screen at a time. This is similar to the terminal length command except that the no-more option affects the output of the specified command only. The save command copies the output to a file for future reference. NOTE: You can filter a single command output multiple times. The save option must be the last option entered.
3 Getting Started This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) during which the line card status light emitting diodes (LEDs) blink green. The system then loads the Dell Networking Operating System (OS). Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption.
Accessing the Console Port To access the console port, follow these steps: For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter. 1. Install an RJ-45 copper cable into the console port.Use a rollover (crossover) cable to connect the S4810 console port to a terminal server. 2. Connect the other end of the cable to the DTE terminal server. 3.
The SSH server transmits the terminal commands to the CLI shell and the results are displayed on the screen non-interactively. Executing Local CLI Scripts Using an SSH Connection You can execute CLI commands by entering a CLI script in one of the following ways: ssh username@hostname or cat < CLIscript.file > | ssh admin@hostname The script is run and the actions contained in the script are performed.
Accessing the System Remotely Configuring the system for remote access is a three-step process, as described in the following topics: 1. Configure an IP address for the management port. Configure the Management Port IP Address 2. Configure a management route with a default gateway. Configure a Management Route 3. Configure a username and password. Configure a Username and Password Configure the Management Port IP Address To access the system remotely, assign IP addresses to the management ports. 1.
Configuring the Enable Password Access EXEC Privilege mode using the enable command. EXEC Privilege mode is unrestricted by default. Configure a password as a basic security measure. There are two types of enable passwords: ● enable password stores the password in the running/startup configuration using a DES encryption method. ● enable secret is stored in the running/startup configuration in using a stronger, MD5 encryption method. Dell Networking recommends using the enable secret password.
● You may not copy a file from one location to the same location. ● When copying to a server, you can only use a hostname if a domain name server (DNS) server is configured. ● The usbflash command is supported on the device. Refer to your system’s Release Notes for a list of approved USB vendors. Example of Copying a File to an FTP Server Dell#copy flash://Dell-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10/ /Dell/Dell-EF-8.2.1.
Example of Copying a File to current File System Dell#copy tftp://10.16.127.35/mashutosh/dv-maa-s4810-test nfsmount:// Destination file name [dv-maa-s4810-test]: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!.! 44250499 bytes successfully copied Dell# Dell#copy ftp://10.16.127.35 nfsmount: Source file name []: test.
● Save the running-configuration to a TFTP server. EXEC Privilege mode copy running-config tftp://{hostip | hostname}/ filepath/filename ● Save the running-configuration to an SCP server. EXEC Privilege mode copy running-config scp://{hostip | hostname}/ filepath/filename NOTE: When copying to a server, a host name can only be used if a DNS server is configured.
View Configuration Files Configuration files have three commented lines at the beginning of the file, as shown in the following example, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startup-configuration.
In the following example, the default storage location is changed to the external Flash of the primary RPM. File management commands then apply to the external Flash rather than the internal Flash. The bold lines show that no file system is specified and that the file is saved to an external flash.
View Command History The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer. The system generates a trace message for each executed command. No password information is saved to the file. To view the command-history trace, use the show command-history command.
3. Run the verify {md5 | sha256} [ flash://]img-file [hash-value] command. For example, verify sha256 flash://FTOSSE-9.5.0.0.bin 4. Compare the generated hash value to the expected hash value published on the iSupport page. To validate the software image on the flash drive after the image has been transferred to the system, but before the image has been installed, use the verify {md5 | sha256} [ flash://]img-file [hash-value] command in EXEC mode.
4 Management This chapter describes the different protocols or services used to manage the Dell Networking system.
Removing a Command from EXEC Mode To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.
privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword} ● Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command. CONFIGURATION mode privilege {configure |interface | line | route-map | router} level level {command ||...
vlan VLAN keyword Dell(conf)# interface group vlan 1 - 2 , tengigabitethernet 1/1 Dell(conf-if-group-vl-1-2,te-1/1)# no shutdown Dell(conf-if-group-vl-1-2,te-1/1)# end Applying a Privilege Level to a Username To set the user privilege level, use the following command. ● Configure a privilege level for a user. CONFIGURATION mode username username privilege level Applying a Privilege Level to a Terminal Line To set a privilege level for a terminal line, use the following command.
● Clearing Audit Logs Enabling Audit and Security Logs You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode. Audit Logs The audit log contains configuration events and information. The types of information in this log consist of the following: ● User logins to the switch.
May 12 12:20:42: Dell#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.98) For information about the logging extended command, see Enabling Audit and Security Logs Example of the show logging Command for Security Dell#show logging Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 ) Clearing Audit Logs To clear audit logs, use the clear logging auditlog command in Exec mode.
Setting Up a Secure Connection to a Syslog Server You can use reverse tunneling with the port forwarding to securely connect to a syslog server. Pre-requisites To configure a secure connection from the switch to the syslog server: 1. On the switch, enable the SSH server Dell(conf)#ip ssh server enable 2.
Log Messages in the Internal Buffer All error messages, except those beginning with %BOOTUP (Message), are log in the internal buffer.
Changing System Logging Settings You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged. To specify the system logging settings, use the following commands. ● Specify the minimum severity level for logging to the logging buffer.
%RPM-2-MSG:CP1 %POLLMGR-2-MMC_STATE: External flash disk missing in 'slot0:' %CHMGR-5-CARDDETECTED: Line card 0 present %CHMGR-5-CARDDETECTED: Line card 2 present %CHMGR-5-CARDDETECTED: Line card 4 present %CHMGR-5-CARDDETECTED: Line card 5 present %CHMGR-5-CARDDETECTED: Line card 8 present %CHMGR-5-CARDDETECTED: Line card 10 present %CHMGR-5-CARDDETECTED: Line card 12 present %TSM-6-SFM_DISCOVERY: Found SFM 0 %TSM-6-SFM_DISCOVERY: Found SFM 1 %TSM-6-SFM_DISCOVERY: Found SFM 2 %TSM-6-SFM_DISCOVERY: Found SF
○ syslog (for syslog messages) ○ user (for user programs) ○ uucp (UNIX to UNIX copy protocol) To view nondefault settings, use the show running-config logging command in EXEC mode. Dell#show running-config logging ! logging buffered 524288 debugging service timestamps log datetime msec service timestamps debug datetime msec ! logging trap debugging logging facility user logging source-interface Loopback 0 logging 10.10.10.
To view the configuration, use the show running-config logging command in EXEC privilege mode. To disable time stamping on syslog messages, use the no service timestamps [log | debug] command. File Transfer Services With Dell Networking OS, you can configure the system to transfer files over the network using the file transfer protocol (FTP).
NOTE: You cannot use the change directory (cd) command until you have configured ftp-server topdir. To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode. Configuring FTP Client Parameters To configure FTP client parameters, use the following commands. ● Enter the following keywords and slot/port or number information: ○ ○ ○ ○ ○ For For For For For a a a a a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
Dell Networking OS Behavior: Prior to Dell Networking OS version 7.4.2.0, in order to deny access on a VTY line, apply an ACL and accounting, authentication, and authorization (AAA) to the line. Then users are denied access only after they enter a username and password. Beginning in Dell Networking OS version 7.4.2.0, only an ACL is required, and users are denied access before they are prompted for a username and password.
Setting Time Out of EXEC Privilege Mode EXEC time-out is a basic security feature that returns Dell Networking OS to EXEC mode after a period of inactivity on the terminal lines. To set time out, use the following commands. ● Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the time-out period to 0. LINE mode exec-timeout minutes [seconds] ● Return to the default time-out values.
Lock CONFIGURATION Mode Dell Networking OS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). You can set two types of lockst: auto and manual. ● Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access.
4. The Grub menu displays. Enter c to get to the Grub boot load command line grub> prompt. 5. Set the system parameters to ignore the enable password when the system reloads and reboot the environment. grub>set stconfigignore=true grub>save_env stconfigignore grub>reboot 6. The Z9000 boots up with the factory default configuration. The default Dell Networking OS system prompt displays when the system boot up is complete. NOTE: Do not press any keys during the boot-up process. 7.
8. Save the running-config to the startup-config. EXEC Privilege mode copy running-config startup-config Recovering from a Failed Start on the Z9000 System A system that does not start correctly might be attempting to boot from a corrupted Dell Networking OS image or from a mis-specified location. In this case, you can restart the system and interrupt the boot process to point the system to another boot location. Use the set command, as described in the following steps.
● When you restore a single unit in a stack, only that unit is placed in standalone mode. No other units in the stack are affected. ● When you restore the units in standalone mode, the units remain in standalone mode after the restoration. ● After the restore is complete, the units power cycle immediately. The following example illustrates the restore factory-defaults command to restore the factory default settings.
To boot from flash partition B: grub> set primary_boot="f10boot flash1" To boot from network: grub> set primary_boot="f10boot tftp://10.16.127.35/FTOS-ZB.bin" 5. Assign an IP address and netmask to the Management Ethernet interface. grub> set ipaddr="10.16.151.239" grub> set netmask="255.255.0.0" 6. Assign an IP address as the default gateway for the system. grub> set gatewayip="10.16.151.254" 7. Save the modified environmental variables.
5 802.1X 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 3. EAP Frames Encapsulated in Ethernet and RADUIS The authentication process involves three devices: ● The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. ● The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
2. The supplicant responds with its identity in an EAP Response Identity frame. 3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and forwards the frame to the authentication server. 4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method).
Figure 5. EAP Over RADIUS RADIUS Attributes for 802.1 Support Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server. Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet. Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Enabling 802.1X Enable 802.1X globally. Figure 6. 802.1X Enabled 1. Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2. Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3. Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
dot1x authentication no shutdown ! Dell# To view 802.1X configuration information for an interface, use the show dot1x interface command. In the following example, the bold lines show that 802.1X is enabled on all ports unauthorized by default. Dell#show dot1x interface TenGigabitEthernet 2/1/ 802.
Configuring a Quiet Period after a Failed Authentication If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default, but you can configure this period. NOTE: The quiet period (dot1x quiet-period) is a transmit interval for after a failed authentication; the Request Identity Re-transmit interval (dot1x tx-period) is for an unresponsive supplicant. To configure a quiet period, use the following command.
dot1x port-control {force-authorized | force-unauthorized | auto} The default state is auto. The example shows configuration information for a port that has been force-authorized. The bold line shows the new port-control state. Dell(conf-if-Te-1/1)#dot1x port-control force-authorized Dell(conf-if-Te-1/1)#show dot1x interface TenGigabitEthernet 1/1 802.
Tx Period: 90 seconds Quiet Period: 120 seconds ReAuth Max: 10 Supplicant Timeout: 30 seconds Server Timeout: 30 seconds Re-Auth Interval: 7200 seconds Max-EAP-Req: 10 Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize Auth PAE State: Initialize Backend State: Initialize Configuring Timeouts If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default.
Configuring Dynamic VLAN Assignment with Port Authentication Dell Networking OS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure: 1. The host sends a dot1x packet to the Dell Networking system 2. The system forwards a RADIUS REQEST packet containing the host MAC address and ingress port number 3.
Guest and Authentication-Fail VLANs Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data. NOTE: Ports cannot be dynamically assigned to the default VLAN.
dot1x authentication dot1x guest-vlan 200 no shutdown Dell(conf-if-Te-2/1)# Dell(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5 Dell(conf-if-Te-2/1)#show config ! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 dot1x auth-fail-vlan 100 max-attempts 5 no shutdown Dell(conf-if-Te-2/1)# View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN or using the show dot1x interface command from EXEC P
6 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
When creating an access list, the sequence of the filters is important. You have a choice of assigning sequence numbers to the filters as you enter them, or the Dell Networking Operating System (OS) assigns numbers in the order the filters are created. The sequence numbers are listed in the display output of the show config and show ip accounting access-list commands.
Implementing ACLs on Dell Networking OS You can assign one IP ACL per interface with Dell Networking OS. If you do not assign an IP ACL to an interface, it is not used by the software in any other capacity. The number of entries allowed per ACL is hardware-dependent. For detailed specification on entries allowed per ACL, refer to your line card documentation.
Dell(conf-class-map)#match ip access-group acl1 Dell(conf-class-map)#exit Dell(conf)#class-map match-all cmap2 Dell(conf-class-map)#match ip access-group acl2 Dell(conf-class-map)#exit Dell(conf)#policy-map-input pmap Dell(conf-policy-map-in)#service-queue 7 class-map cmap1 Dell(conf-policy-map-in)#service-queue 4 class-map cmap2 Dell(conf-policy-map-in)#exit Dell(conf)#interface te 10/1 Dell(conf-if-te-10/1)#service-policy input pmap IP Fragment Handling Dell Networking OS supports a configurable option t
● If a packet's FO > 0, the packet is permitted. ● If a packet's FO = 0, the next ACL entry is processed. Deny ACL line with L3 information only, and the fragments keyword is present: If a packet's L3 information does match the L3 information in the ACL line, the packet's FO is checked. ● If a packet's FO > 0, the packet is denied. ● If a packet's FO = 0, the next ACL line is processed. In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted.
To view the rules of a particular ACL configured on a particular interface, use the show ip accounting access-list ACL-name interface interface command in EXEC Privilege mode. The following is an example of viewing the rules of a specific ACL on an interface. Dell#show ip accounting access-list ToOspf interface gig 1/6 Standard IP access list ToOspf seq 5 deny any seq 10 deny 10.2.0.0 /16 seq 15 deny 10.3.0.0 /16 seq 20 deny 10.4.0.0 /16 seq 25 deny 10.5.0.0 /16 seq 30 deny 10.6.0.0 /16 seq 35 deny 10.7.0.
The following examples shows how to view a standard ACL filter sequence for an interface. Dell#show ip accounting access example interface gig 4/12 Extended IP access list example seq 15 deny udp any any eq 111 seq 20 deny udp any any eq 2049 seq 25 deny udp any any eq 31337 seq 30 deny tcp any any range 12345 12346 seq 35 permit udp host 10.21.126.225 10.4.5.0 /28 seq 40 permit udp host 10.21.126.226 10.4.5.0 /28 seq 45 permit udp 10.8.0.0 /16 10.50.188.118 /31 range 1812 1813 seq 50 permit tcp 10.8.0.
ip access-list extended access-list-name 2. Configure an extended IP ACL filter for UDP packets. CONFIG-EXT-NACL mode seq sequence-number {deny | permit} tcp {source mask | any | host ip-address}} [count [byte]] [order] [fragments] When you create the filters with a specific sequence number, you can create the filters in any order and the filters are placed in the correct order. NOTE: When assigning sequence numbers to filters, you may have to insert a new filter.
Configure Layer 2 and Layer 3 ACLs Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode. If both L2 and L3 ACLs are applied to an interface, the following rules apply: ● When Dell Networking OS routes the packets, only the L3 ACL governs them because they are not filtered against an L2 ACL. ● When Dell Networking OS switches the packets, first the L3 ACL filters them, then the L2 ACL filters them.
3. Apply an IP ACL to traffic entering or exiting an interface. INTERFACE mode ip access-group access-list-name {in} [implicit-permit] [vlan vlan-range | vrf vrf-range] NOTE: The number of entries allowed per ACL is hardware-dependent. For detailed specification about entries allowed per ACL, refer to your line card documentation. 4. Apply rules to the new ACL.
Dell(config-ext-nacl)#permit 1.1.1.2 Dell(config-ext-nacl)#end Dell#show ip accounting access-list ! Extended Ingress IP access list abcd on tengigabitethernet 1/1 seq 5 permit tcp any any seq 10 deny icmp any any seq 15 permit 1.1.1.
Extended Ingress IP access list abcd on tengigabitethernet 0/0 seq 5 permit tcp any any seq 10 deny icmp any any seq 15 permit 1.1.1.
The following rules apply to prefix lists: ● A prefix list without any permit or deny filters allows all routes. ● An “implicit deny” is assumed (that is, the route is dropped) for all route prefixes that do not match a permit or deny filter in a configured prefix list. ● After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route.
seq 20 permit 0.0.0.0/0 le 32 Dell(conf-nprefixl)# NOTE: The last line in the prefix list Juba contains a “permit all” statement. By including this line in a prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded. To delete a filter, use the no seq sequence-number command in PREFIX LIST mode.
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0) ip prefix-list filter_ospf: count: 4, range entries: 1, sequences: 5 - 10 seq 5 deny 100.100.1.0/24 (hit count: 0) seq 6 deny 200.200.1.0/24 (hit count: 0) seq 7 deny 200.200.2.0/24 (hit count: 0) seq 10 permit 0.0.0.0/0 le 32 (hit count: 0) The following example shows the show ip prefix-list summary command.
distribute-list prefix-list-name in [interface] ● Apply a configured prefix list to incoming routes. You can specify which type of routes are affected. If you enter the name of a non-existent prefix list, all routes are forwarded. CONFIG-ROUTER-OSPF mode distribute-list prefix-list-name out [connected | rip | static] To view the configuration, use the show config command in ROUTER OSPF mode, or the show running-config ospf command in EXEC mode. Dell(conf-router_ospf)#show config ! router ospf 34 network 10.
EXEC mode resequence prefix-list {ipv4 | ipv6} {prefix-list-name StartingSeqNum Step-to-Increment} Remarks and rules that originally have the same sequence number have the same sequence number after you apply the resequence command. The example shows the resequencing of an IPv4 access-list beginning with the number 2 and incrementing by 2. Dell(config-ext-nacl)# show config ! ip access-list extended test remark 4 XYZ remark 5 this remark corresponds to permit any host 1.1.1.1 seq 5 permit ip any host 1.1.1.
packet or traffic. Route maps process routes for route redistribution. For example, a route map can be called to filter only specific routes and to add a metric. Route maps also have an “implicit deny.” Unlike ACLs and prefix lists; however, where the packet or traffic is dropped, in route maps, if a route does not match any of the route map conditions, the route is not redistributed.
route-map dilling permit 10 Dell(config-route-map)# You can create multiple instances of this route map by using the sequence number option to place the route maps in the correct order. Dell Networking OS processes the route maps with the lowest sequence number first. When a configured route map is applied to a command, such as redistribute, traffic passes through all instances of that route map until a match is found. The following is an example with two instances of a route map.
Example of the match Command to Match Any of Several Values The following example shows using the match command to match any of several values. Dell(conf)#route-map force permit 10 Dell(config-route-map)#match tag 1000 Dell(config-route-map)#match tag 2000 Dell(config-route-map)#match tag 3000 In the next example, there is a match only if a route has both of the specified characteristics. In this example, there a match only if the route has a tag value of 1000 and a metric value of 2000.
match ipv6 address prefix-list-name ● Match next-hop routes specified in a prefix list (IPv4). CONFIG-ROUTE-MAP mode match ip next-hop {access-list-name | prefix-list prefix-list-name} ● Match next-hop routes specified in a prefix list (IPv6). CONFIG-ROUTE-MAP mode match ipv6 next-hop {access-list-name | prefix-list prefix-list-name} ● Match source routes specified in a prefix list (IPv4).
● Assign an IP address as the route’s next hop. CONFIG-ROUTE-MAP mode set next-hop ip-address ● Assign an IPv6 address as the route’s next hop. CONFIG-ROUTE-MAP mode set ipv6 next-hop ip-address ● Assign an ORIGIN attribute. CONFIG-ROUTE-MAP mode set origin {egp | igp | incomplete} ● Specify a tag for the redistributed routes. CONFIG-ROUTE-MAP mode set tag tag-value ● Specify a value as the route’s weight. CONFIG-ROUTE-MAP mode set weight value To create route map instances, use these commands.
In the following example, the redistribute ospf command with a route map is used in ROUTER RIP mode to apply a tag of 34 to all internal OSPF routes that are redistributed into RIP. Example of the redistribute Command Using a Route Tag ! router rip redistribute ospf 34 metric 1 route-map torip ! route-map torip permit 10 match route-type internal set tag 34 ! Continue Clause Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed.
The ACL application sends the ACL logging configuration information and other details, such as the action, sequence number, and the ACL parameters that pertain to that ACL entry. The ACL service collects the ACL log and records the following attributes per log message. ● For non-IP packets, the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses, EtherType, and ingress interface are the logged attributes.
NOTE: This example describes the configuration of ACL logging for standard IP access lists. You can enable the logging capability for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended MAC ACLs. 1. Specify the maximum number of ACL logs or the threshold that can be generated by using the threshold-in-msgs count option with the seq, permit, or deny commands. Upon exceeding the specified maximum limit, the generation of ACL logs is terminated.
The ACL agent module saves monitoring details in its local database and also in the CAM region to monitor packets that match the specified criterion. The ACL agent maintains data on the source port, the destination port, and the endpoint to which the packet must be forwarded when a match occurs with the ACL entry. If you configure the flow-based enable command and do not apply an ACL on the source port or the monitored port, both flow-based monitoring and port mirroring do not function.
To view an access-list that you applied to an interface, use the show ip accounting access-list command from EXEC Privilege mode. Dell(conf)#monitor session 0 Dell(conf-mon-sess-0)#flow-based enable Dell(conf)#ip access-list ext testflow Dell(config-ext-nacl)#seq 5 permit icmp any any count bytes monitor Dell(config-ext-nacl)#seq 10 permit ip 102.1.1.
7 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) This chapter describes the access control list (ACL) VLAN group and content addressable memory (CAM) enhancements.
After these verification steps are performed, the ACL manager considers the command as valid and sends the information to the ACL agent on the line card. The ACL manager notifies the ACL agent in the following cases: ● A VLAN member is added or removed from a group, and previously associated VLANs exist in the group. ● The egress ACL is applied or removed from the group and the group contains VLAN members. VLAN members are added or deleted from a VLAN, which itself is a group member.
Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters This section describes how to optimize the utilization of CAM blocks by configuring ACL VLAN groups that you can attach to VLAN interfaces and also how to configure FP blocks for different VLAN operations. Configuring ACL VLAN Groups You can create an ACL VLAN group and attach the ACL with the VLAN members. The optimization is applicable only when you create an ACL VLAN group.
Configuring FP Blocks for VLAN Parameters Use the cam-acl-vlan command to allocate the number of FP blocks for the various VLAN processes on the system. You can use the no version of this command to reset the number of FP blocks to default. By default, 0 groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not enabled by default, and you need to allocate the slices for CAM optimization. 1. Allocate the number of FP blocks for VLAN Open Flow operations.
1 --More-- | | | | | | 1 | | | | | | OUT-V6 ACL IN-L2 ACL IN-L2 FIB IN-L3 ACL IN-L3 FIB IN-L3-SysFlow | | | | | | 0 320 32768 12288 262141 2878 | | | | | | 0 0 1136 2 14 44 | | | | | | 0 320 31632 12286 262127 2834 The following sample output displays the CAM space utilization when Layer 2 and Layer 3 ACLs are configured: Dell#show cam-usage acl Linecard|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|=============|=============|============ 11 |
● To allocate the number of FP blocks for VLAN iSCSI counters, use the cam-acl-vlan vlaniscsi <0-2> command. ● To allocate the number of FP blocks for ACL VLAN optimization feature, use the cam-acl-vlan vlanaclopt <0-2> command. To reset the number of FP blocks to the default, use the no version of these commands. By default, zero groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not enabled by default, and you need to allocate the slices for CAM optimization.
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 8. BFD in IPv4 Packet Format Field Description Diagnostic Code The reason that the last session failed. State The current local session state. Refer to BFD Sessions. Flag A bit that indicates packet function.
Field Description Your Discriminator A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface. Desired Min TX Interval The minimum rate at which the local system would like to send control packets to the remote system.
The session is declared down if: ● A control packet is not received within the detection time. ● Sufficient echo packets are lost. ● Demand mode is active and a control packet is not received in response to a poll packet. BFD Three-Way Handshake A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 10. Session State Changes Important Points to Remember ● ● ● ● ● ● Enable BFD on both ends of a link.
● Troubleshooting BFD Configure BFD for Physical Ports Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. When you enable BFD, the local system removes the route as soon as it stops receiving periodic control packets from the remote system.
Establishing a Session on Physical Ports To establish a session, enable BFD at the interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match. Figure 11. Establishing a BFD Session on Physical Ports 1. Enter interface mode. CONFIGURATION mode interface 2. Assign an IP address to the interface if one is not already assigned. INTERFACE mode ip address ip-address 3.
Client Registered: CLI Uptime: 00:03:57 Statistics: Number of packets received from neighbor: 1775 Number of packets sent to neighbor: 1775 Number of state changes: 1 Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 4 Log messages display when you configure both interfaces for BFD. R1(conf-if-te-4/24)#00:36:01: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.
● Enable BFD on an interface. INTERFACE mode bfd enable If you disable BFD on a local interface, this message displays: R1(conf-if-te-4/24)#01:00:52: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Ad Dn for neighbor 2.2.2.2 on interface Te 4/24 (diag: 0) If the remote system state changes due to the local state administration being down, this message displays: R2>01:32:53: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.
To verify that sessions have been created for static routes, use the show bfd neighbors command. R1(conf)#ip route 2.2.3.0/24 2.2.2.2 R1(conf)#ip route bfd R1(conf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 2.2.2.
Establishing Sessions with OSPF Neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 13. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. ● Establish sessions with all OSPF neighbors.
C I O R - CLI ISIS OSPF Static Route (RTM) LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients * 2.2.2.2 2.2.2.1 Te 2/1 Up 100 100 3 O * 2.2.3.1 2.2.3.2 Te 2/2 Up 100 100 3 O Changing OSPF Session Parameters Configure BFD sessions with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role.
Establishing Sessions with OSPFv3 Neighbors You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPFv3 adjacency is in the Full state. To establish BFD with all OSPFv3 neighbors or with OSPFv3 neighbors on a single interface, use the following commands. ● Establish sessions with all OSPFv3 neighbors. ROUTER-OSPFv3 mode bfd all-neighbors ● Establish sessions with OSPFv3 neighbors on a single interface.
Configure BFD for IS-IS When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager on the RPM. BFD sessions are then established with all neighboring interfaces participating in IS-IS. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the IS-IS protocol that a link state change occurred. Configuring BFD for IS-IS is a two-step process: 1. Enable BFD globally. 2. Establish sessions for all or particular IS-IS neighbors.
INTERFACE mode isis bfd all-neighbors To view the established sessions, use the show bfd neighbors command. The bold line shows that IS-IS BFD sessions are enabled. R2(conf-router_isis)#bfd all-neighbors R2(conf-router_isis)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr * 2.2.2.2 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.
Configure BFD for BGP In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces. BFD for BGP does not support IPv6 and the BGP multihop feature. Prerequisites Before configuring BFD for BGP, you must first configure the following settings: 1.
BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays. Incoming BFD control packets received from the BGP neighbor are assigned to the highest priority queue within the control plane policing (COPP) framework to avoid BFD packets drops due to queue congestion. BFD notifies BGP of any failure conditions that it detects on the link. Recovery actions are initiated by BGP.
ROUTER BGP mode no neighbor {ip-address | peer-group-name} bfd disable Use BFD in a BGP Peer Group You can establish a BFD session for the members of a peer group (the neighbor peer-group-name bfd command in ROUTER BGP configuration mode).
The following example shows viewing all BFD neighbors. R2# show bfd neighbors * - Active session role Ad Dn - Admin Down B - BGP C - CLI I - ISIS O - OSPF R - Static Route (RTM) M - MPLS V - VRRP LocalAddr * 1.1.1.3 * 2.2.2.3 * 3.3.3.3 RemoteAddr 1.1.1.2 2.2.2.2 3.3.3.2 Interface Te 6/1 Te 6/2 Te 6/3 State Up Up Up Rx-int 100 100 100 Tx-int 100 100 100 Mult 3 3 3 Clients B B B The following example shows viewing BFD neighbors with full detail.
Number of state changes: 1 Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 4 The following example shows viewing configured BFD counters.
Last read 00:00:30, last write 00:00:30 Hold time is 180, keepalive interval is 60 seconds Received 8 messages, 0 in queue 1 opens, 0 notifications, 0 updates 7 keepalives, 0 route refresh requests Sent 9 messages, 0 in queue 2 opens, 0 notifications, 0 updates 7 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_R
Related Configuration Tasks ● Changing VRRP Session Parameters. ● Disabling BFD for VRRP. Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 16. Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors, use the following command. ● Establish sessions with all VRRP neighbors.
* - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) V - VRRP LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients * 2.2.5.1 2.2.5.2 Te 4/25 Down 1000 1000 3 V To view session state information, use the show vrrp command. The bold line shows the VRRP BFD session. Dell(conf-if-te-4/25)#do show vrrp -----------------TenGigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1 State: Backup, Priority: 1, Master: 2.2.5.
Disabling BFD for VRRP If you disable any or all VRRP sessions, the sessions are torn down. A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to the Down state. To disable all VRRP sessions on an interface, sessions for a particular VRRP group, or for a particular VRRP session on an interface, use the following commands. ● Disable all VRRP sessions on an interface. INTERFACE mode no vrrp bfd all-neighbors ● Disable all VRRP sessions in a VRRP group.
The following example shows hexadecimal output from the debug bfd packet command. RX packet dump: 20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 00 01 86 a0 00 00 00 00 00:34:13 : Sent packet for session with neighbor 2.2.2.2 on Te 4/24 TX packet dump: 20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0 00 01 86 a0 00 00 00 00 00:34:14 : Received packet for session with neighbor 2.2.2.
9 Border Gateway Protocol IPv4 (BGPv4) This chapter provides a general description of BGPv4 as it is supported in the Dell Networking Operating System (OS). BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of the BGP is to exchange network reachability information with other BGP systems.
Figure 17. Internal BGP BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol — a computer network in which BGP maintains the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are easily detected and discarded.
Figure 18. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor. Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies.
State Description Idle BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer. Connect In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires. Active The router resets the ConnectRetry timer to zero and returns to the Connect state.
Figure 19. BGP Router Rules 1. Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D. 2. Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B. 3.
In non-deterministic mode (the bgp non-deterministic-med command is applied), paths are compared in the order in which they arrive. This method can lead to Dell Networking OS choosing different best paths from a set of paths, depending on the order in which they were received from the neighbors because MED may or may not get compared between the adjacent paths.
7. 8. 9. 10. 11. 12. 13. a. This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs are compared only if the first AS in the AS_SEQUENCE is the same for both paths. b. If you entered the bgp always-compare-med command, MEDs are compared for all paths. c. Paths with no MED are treated as “worst” and assigned a MED of 4294967295. Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths.
Figure 21. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 22. Multi-Exit Discriminators NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites IGP MED. Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
NOTE: Any update that contains the AS path number 0 is valid. The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
Implement BGP with Dell Networking OS The following sections describe how to implement BGP on Dell Networking OS. Additional Path (Add-Path) Support The add-path feature reduces convergence times by advertising multiple paths to its peers for the same address prefix without replacing existing paths with new ones. By default, a BGP speaker advertises only the best path to its peers for a given address prefix.
Ignore Router-ID for Some Best-Path Calculations Dell Networking OS allows you to avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath router-id ignore command reduces network disruption caused by routing and forwarding plane changes and allows for faster convergence. Four-Byte AS Numbers Dell Networking OS supports 4-Byte (32-bit) format when configuring autonomous system numbers (ASNs).
Dynamic AS Number Notation Application Dell Networking OS applies the ASN notation type change dynamically to the running-config statements. When you apply or change an asnotation, the type selected is reflected immediately in the running-configuration and the show commands (refer to the following two examples).
Dell(conf-router_bgp)#do show ip bgp BGP table version is 28093, local router ID is 172.30.1.57 AS Number Migration With this feature you can transparently change the AS number of an entire BGP network and ensure that the routes are propagated throughout the network while the migration is in progress. When migrating one AS to another, perhaps combining ASs, an eBGP network may lose its routing to an iBGP if the ASN changes.
1. Receive and validate the update. 2. Prepend local-as 200 to as-path. 3. Prepend "65001 65002" to as-path. Local-AS is prepended before the route-map to give an impression that update passed through a router in AS 200 before it reached Router B.
● Multiple BPG process instances are not supported. Thus, the f10BgpM2PeerInstance field in various tables is not used to locate a peer. ● Multiple instances of the same NLRI in the BGP RIB are not supported and are set to zero in the SNMP query response. ● The f10BgpM2NlriIndex and f10BgpM2AdjRibsOutIndex fields are not used. ● Carrying MPLS labels in BGP is not supported. The f10BgpM2NlriOpaqueType and f10BgpM2NlriOpaquePointer fields are set to zero. ● 4-byte ASN is supported.
Table 9. BGP Default Values (continued) Item Default internal distance = 200 local distance = 200 Timers keepalive = 60 seconds holdtime = 180 seconds Add-path Disabled Enabling BGP By default, BGP is not enabled on the system. Dell Networking OS supports one autonomous system (AS) and assigns the AS number (ASN). To establish BGP sessions and route traffic, configure at least one BGP neighbor or peer. In BGP, routers with an established TCP connection are called neighbors or peers.
● peer-group name: 16 characters ● as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format) Formats: IP Address A.B.C.D You must Configure Peer Groups before assigning it a remote AS. 3. Enable the BGP neighbor. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} no shutdown NOTE: When you change the configuration of a BGP neighbor, always reset it by entering the clear ip bgp * command in EXEC Privilege mode.
The following example displays two neighbors: one is an external internal BGP neighbor and the second one is an internal BGP neighbor. The first line of the output for each neighbor displays the AS number and states whether the link is an external or internal (shown in bold). The third line of the show ip bgp neighbors output contains the BGP State. If anything other than ESTABLISHED is listed, the neighbor is not exchanging information and routes.
neighbor 192.168.12.2 remote-as 65123 neighbor 192.168.12.2 update-source Loopback 0 neighbor 192.168.12.2 no shutdown Dell# Configuring AS4 Number Representations Enable one type of AS number representation: ASPLAIN, ASDOT+, or ASDOT. Term Description ASPLAIN the method Dell Networking OS used for all previous Dell Networking OS versions. It remains the default method with Dell Networking OS. With the ASPLAIN notation, a 32–bit binary AS number is translated into a decimal value.
neighbor 172.30.1.250 remote-as 18508 neighbor 172.30.1.250 local-as 65057 neighbor 172.30.1.250 route-map rmap1 in neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957 neighbor 172.30.1.250 no shutdown 5332332 9911991 65057 18508 12182 7018 46164 i The following example shows the bgp asnotation asdot+ command output. Dell(conf-router_bgp)#bgp asnotation asdot+ Dell(conf-router_bgp)#sho conf ! router bgp 100 bgp asnotation asdot+ bgp four-octet-as-support neighbor 172.30.1.
To add an external BGP (EBGP) neighbor, configure the as-number parameter with a number different from the BGP as-number configured in the router bgp as-number command. To add an internal BGP (IBGP) neighbor, configure the as-number parameter with the same BGP as-number configured in the router bgp as-number command. After you create a peer group, you can use any of the commands beginning with the keyword neighbor to configure that peer group.
To view the status of peer groups, use the show ip bgp peer-group command in EXEC Privilege mode, as shown in the following example. Dell>show ip bgp peer-group Peer-group zanzibar, remote AS 65535 BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is zanzibar, peer-group internal, Number of peers in this group 26 Peer-group members (* - outbound optimized): 10.68.160.1 10.68.161.1 10.68.162.1 10.68.163.1 10.68.164.1 10.68.165.1 10.68.166.1 10.
Member of peer-group test for session parameters BGP version 4, remote router ID 30.30.30.
Configuring Passive Peering When you enable a peer-group, the software sends an OPEN message to initiate a TCP connection. If you enable passive peering for the peer group, the software does not send an OPEN message, but it responds to an OPEN message. When a BGP neighbor connection with authentication configured is rejected by a passive peer-group, Dell Networking OS does not allow another passive peer-group on the same subnet to connect with the BGP neighbor.
network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 local-as 6500 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.1 update-source Loopback 0 neighbor 192.168.10.1 no shutdown neighbor 192.168.12.
Enabling Graceful Restart Use this feature to lessen the negative effects of a BGP restart. Dell Networking OS advertises support for this feature to BGP neighbors through a capability advertisement. You can enable graceful restart by router and/or by peer or peer group. NOTE: By default, BGP graceful restart is disabled. The default role for BGP is as a receiving or restarting peer.
CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} graceful-restart [restart-time time-in-seconds] The default is 120 seconds. ● Local router supports graceful restart for this neighbor or peer-group as a receiver only. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} graceful-restart [role receiver-only] ● Set the maximum time to retain the restarting neighbor’s or peer-group’s stale paths.
0x6cc18d4 0x5982e44 0x67d4a14 0x559972c 0x59cd3b4 0x7128114 0x536a914 0x2ffe884 0x2ff7284 0x2ff7ec4 0x2ff8544 0x736c144 0x3b8d224 0x5eb1e44 0x5cd891c --More-- 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 162 2 31 2 10 3 1 99 4 3 1 10 1 9 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 701 209 701 209 209 209 209 701 701 209 701 701 209 701 209 2914 4713 17935 i i 19878 ? 18756 i 7018 15227 i 3356 13845 i 701 6347 7781 i 3561 9116 21350 i 1239 577 855 ? 3561 4755 17426 i 574
! router bgp 99 neighbor AAA peer-group neighbor AAA no shutdown neighbor 10.155.15.2 remote-as 32 neighbor 10.155.15.2 shutdown Dell(conf-router_bgp)#neigh 10.155.15.
○ map-name: name of a configured route map. Enabling Additional Paths The add-path feature is disabled by default. NOTE: Dell Networking OS recommends not using multipath and add path simultaneously in a route reflector. To allow multiple paths sent to peers, use the following commands. 1. Allow the advertisement of multiple paths for the same address prefix without the new paths replacing any previous ones.
To view the configuration, use the show config command in CONFIGURATION COMMUNITY-LIST or CONFIGURATION EXTCOMMUNITY LIST mode or the show ip {community-lists | extcommunity-list} command in EXEC Privilege mode.
deny deny deny deny deny Dell# 702:667 703:667 704:666 705:666 14551:666 Filtering Routes with Community Lists To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. 1. Enter the ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2.
set comm-list community-list-name delete OR set community {community-number | local-as | no-advertise | no-export | none} Configure a community list by denying or permitting specific community numbers or types of community. ● community-number: use AA:NN format where AA is the AS number (2 or 4 Bytes) and NN is a value specific to that autonomous system. ● local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED and are not sent to EBGP peers.
CONFIG-ROUTER-BGP mode bgp always-compare-med By default, this comparison is not performed. ● Change the bestpath MED selection. CONFIG-ROUTER-BGP mode bgp bestpath med {confed | missing-as-best} ○ confed: Chooses the bestpath MED comparison of paths learned from BGP confederations. ○ missing-as-best: Treat a path missing an MED as the most preferred one. To view the nondefault values, use the show config command in CONFIGURATION ROUTER BGP mode.
You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to specify the next hop address. ● Disable next hop processing and configure the router as the next hop for a BGP neighbor. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} next-hop-self ● Sets the next hop address. CONFIG-ROUTE-MAP mode set next-hop ip-address Changing the WEIGHT Attribute To change how the WEIGHT attribute is used, enter the first command.
● AS-PATH ACLs (using the neighbor filter-list command) ● route maps (using the neighbor route-map command) Prior to filtering BGP routes, create the prefix list, AS-PATH ACL, or route map. For configuration information about prefix lists, AS-PATH ACLs, and route maps, refer to Access Control Lists (ACLs). NOTE: When you configure a new set of BGP policies, to ensure the changes are made, always reset the neighbor or peer group by using the clear ip bgp command in EXEC Privilege mode.
3. Return to CONFIGURATION mode. CONFIG-ROUTE-MAP mode exit 4. Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5. Filter routes based on the criteria in the configured route map. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-map map-name {in | out} Configure the following parameters: ● ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. ● map-name: enter the name of a configured route map. ● in: apply the route map to inbound routes.
With route reflection configured properly, IBGP routers are not fully meshed within a cluster but all receive routing information. Configure clusters of routers where one router is a concentration router and the others are clients who receive their updates from the concentration router. To configure a route reflector, use the following commands. ● Assign an ID to a router reflector cluster. CONFIG-ROUTER-BGP mode bgp cluster-id cluster-id You can have multiple clusters in an AS.
● Specifies the confederation ID. CONFIG-ROUTER-BGP mode bgp confederation identifier as-number ○ as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte). ● Specifies which confederation sub-AS are peers. CONFIG-ROUTER-BGP mode bgp confederation peers as-number [... as-number] ○ as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte). All Confederation routers must be either 4 Byte or 2 Byte. You cannot have a mix of router ASN support.
CONFIG-ROUTE-MAP mode set dampening half-life reuse suppress max-suppress-time ○ half-life: the range is from 1 to 45. Number of minutes after which the Penalty is decreased. After the router assigns a Penalty of 1024 to a route, the Penalty is decreased by half after the half-life period expires. The default is 15 minutes. ○ reuse: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value.
34298 BGP path attribute entrie(s) using 1920688 bytes of memory 29577 BGP AS-PATH entrie(s) using 1384403 bytes of memory 184 BGP community entrie(s) using 7616 bytes of memory Dampening enabled. 0 history paths, 0 dampened paths, 0 penalized paths Neighbor AS MsgRcvd MsgSent TblVer 10.114.8.34 18508 82883 79977 780266 10.114.8.
To use soft reconfiguration (or soft reset) without preconfiguration, both BGP peers must support the soft route refresh capability, which is advertised in the open message sent when the peers establish a TCP session. To determine whether a BGP router supports this capability, use the show ip bgp neighbors command. If a router supports the route refresh capability, the following message displays: Received route refresh capability from peer.
Set a Clause with a Continue Clause If the route-map entry contains sets with the continue clause, the set actions operation is performed first followed by the continue clause jump to the specified route map entry. ● If a set actions operation occurs in the first route map entry and then the same set action occurs with a different value in a subsequent route map entry, the last set of actions overrides the previous set of actions with the same set command.
debug ip bgp [ip-address | peer-group peer-group-name] [in | out] ● View information about BGP route being dampened. EXEC Privilege mode debug ip bgp dampening [in | out] ● View information about local BGP state changes and other BGP events. EXEC Privilege mode debug ip bgp [ip-address | peer-group peer-group-name] events [in | out] ● View information about BGP KEEPALIVE messages.
ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) For address family: IPv4 Unicast BGP table version 1395, neighbor version 1394 Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by peer Prefixes advertised 0, rejected 0, 0 withdrawn from peer Connections established 3; dropped 2 Last reset 00:00:12, due to Missing well known attribute Notification History 'UPDATE error/Missing well-known attr' Sent :
[. . .] Outgoing packet capture enabled for BGP neighbor 20.20.20.
Figure 24. Sample Configurations Example of Enabling BGP (Router 1) R1# conf R1(conf)#int loop 0 R1(conf-if-lo-0)#ip address 192.168.128.1/24 R1(conf-if-lo-0)#no shutdown R1(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.1/24 no shutdown R1(conf-if-lo-0)#int te 1/21 R1(conf-if-te-1/21)#ip address 10.0.1.21/24 R1(conf-if-te-1/21)#no shutdown R1(conf-if-te-1/21)#show config ! interface TengigabitEthernet 1/21 ip address 10.0.1.
R1(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0 R1(conf-router_bgp)#show config ! router bgp 99 network 192.168.128.0/24 neighbor 192.168.128.2 remote-as 99 neighbor 192.168.128.2 update-source Loopback 0 neighbor 192.168.128.2 no shutdown neighbor 192.168.128.3 remote-as 100 neighbor 192.168.128.3 update-source Loopback 0 neighbor 192 168 128 3 no shutdown Example of Enabling BGP (Router 2) R2# conf R2(conf)#int loop 0 R2(conf-if-lo-0)#ip address 192.168.128.
ip address 10.0.3.33/24 no shutdown R3(conf-if-lo-0)#int te 3/21 R3(conf-if-te-3/21)#ip address 10.0.2.3/24 R3(conf-if-te-3/21)#no shutdown R3(conf-if-te-3/21)#show config ! interface TengigabitEthernet 3/21 ip address 10.0.2.3/24 no shutdown R3(conf-if-te-3/21)# R3(conf-if-te-3/21)#router bgp 100 R3(conf-router_bgp)#show config ! router bgp 100 R3(conf-router_bgp)#network 192.168.128.0/24 R3(conf-router_bgp)#neighbor 192.168.128.1 remote 99 R3(conf-router_bgp)#neighbor 192.168.128.
Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 1, neighbor version 1 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer Prefixes advertised 1, denied 0, withdrawn 0 from peer Connections established 2; dropped 1 Last reset 00:00:57, due to user reset Notification History 'Connection Reset' Sent : 1 Recv: 0 Last notification (len 21) sent 00:00:57 ago ffffffff ffffffff ffffffff ffffffff 00150306 00000000 Local host: 192.168.128.
Example of Enabling Peer Groups (Router 3) R3#conf R3(conf)#router bgp 100 R3(conf-router_bgp)# neighbor AAA peer-group R3(conf-router_bgp)# neighbor AAA no shutdown R3(conf-router_bgp)# neighbor CCC peer-group R3(conf-router_bgp)# neighbor CCC no shutdown R3(conf-router_bgp)# neighbor 192.168.128.2 peer-group BBB R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown R3(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB R3(conf-router_bgp)# neighbor 192.168.128.
10 Content Addressable Memory (CAM) CAM is a type of memory that stores information in the form of a lookup table. On Dell Networking systems, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies.
Table 10. Default Cam Allocation Settings (continued) CAM Allocation Setting fedgovacl 0 The following additional CAM allocation settings are supported on the S6000, S4810, S4820T, or S6000–ON platforms. Table 11. Additional Default CAM Allocation Settings Additional CAM Allocation Setting FCoE ACL (fcoeacl) 0 ISCSI Opt ACL (iscsioptacl) 0 The ipv6acl and vman-dual-qos allocations must be entered as a factor of 2 (2, 4, 6, 8, 10).
4. Reload the system. EXEC Privilege mode reload Test CAM Usage Use this command to determine whether sufficient CAM space is available to enable a service-policy. Create a Class Map with all required ACL rules, then execute the test cam-usage command in Privilege mode to verify the actual CAM space required. The Status column in the command output indicates whether or not the policy can be enabled.
View CAM-ACL Settings Thisshow cam-acl command shows the cam-acl setting that will be loaded after the next reload.
EcfmAcl FcoeAcl iscsiOptAcl ipv4pbr vrfv4Acl Openflow fedgovacl : : : : : : : 0 0 0 0 0 0 0 -- Stack unit 0 -Current Settings(in block sizes) 1 block = 128 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 VmanDualQos : 0 EcfmAcl : 0 FcoeAcl : 0 iscsiOptAcl : 0 ipv4pbr : 0 vrfv4Acl : 0 Openflow : 0 fedgovacl : 0 -- Stack unit 7 -Current Settings(in block sizes) 1 block = 128 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl :
| | | | | | Codes: * - cam usage Dell# OUT-L3 ACL | OUT-V6 ACL | OUT-L2 ACL | is above 90%. 158 158 206 | | | 5 | 0 | 7 | 153 158 199 CAM Optimization When you enable this command, if a Policy Map containing classification rules (ACL and/or dscp/ ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only 1 FP entry is used). Troubleshoot CAM Profiling The following section describes CAM profiling troubleshooting.
11 Control Plane Policing (CoPP) Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane, rate-limits, traffic to an acceptable level.
Figure 26. CoPP Implemented Versus CoPP Not Implemented Topics: • Configure Control Plane Policing Configure Control Plane Policing The system can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
Configuring CoPP for Protocols This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffics according to the ACL.
Dell(conf-ipv6-acl-cpuqos)#permit vrrp Dell(conf-ipv6-acl-cpuqos)#exit The following example shows creating the QoS input policy.
3. Enter Control Plane mode. CONFIGURATION mode control-plane-cpuqos 4. Assign a CPU queue-based service policy on the control plane in cpu-qos mode. Enabling this command sets the queue rates according to those configured. CONTROL-PLANE mode service-policy rate-limit-cpu-queues name The following example shows creating the QoS policy.
Currently, there are 4 Queues for data and 4 for control in both front-end and back-plane ports. In stacked systems, the control streams that reach standby or slave units will be tunneled through the backplane ports across stack-units to reach the CPU of the master unit. In this case, the packets that reach slave unit’s CMIC via queues 0 – 7 will take same queues 0 – 7 on the back-plane ports while traversing across units and finally on the master CMIC, they are queued on the same queues 0 – 7.
■ Unknown traffic in IP Subnet range ■ Unknown traffic hitting the default route entry. ● Multicast NDP packets ○ NDP packets with destination MAC is multicast ■ DST MAC 33:33:XX:XX:XX:XX ● NDP Packets in VLT peer routing enable ○ VLT peer routing enable cases each VLT node will have route entry for link local address of both self and peer VLT node. Peer VLT link local entry will have egress port as ICL link. And Actual link local address will have entry to CopyToCpu.
Catch-All Entry for IPv6 Packets Dell Networking OS currently supports configuration of IPv6 subnets greater than /64 mask length, but the agent writes it to the default LPM table where the key length is 64 bits. The device supports table to store up to 256 subnets of maximum of /128 mask lengths. This can be enabled and agent can be modified to update the /128 table for mask lengths greater than /64. This will restrict the subnet sizes to required optimal level which would avoid these NDP attacks.
Show Commands The following section describes the CoPP show commands. To view the rates for each queue, use the show cpu-queue rate cp command. Example of Viewing Queue Rates Dell#show cpu-queue rate cp Service-Queue Rate (PPS) -------------- ----------Q0 1300 Q1 300 Q2 300 Q3 300 Q4 2000 Q5 400 Q6 400 Q7 1100 Dell# To view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping command.
VRRP any any Dell# 204 Control Plane Policing (CoPP) _ Q7 CP _
12 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option Number and Description Subnet Mask Option 1 Specifies the client’s subnet mask. Router Option 3 Specifies the router IP addresses that may serve as the client’s default gateway. Domain Name Server Option 6 Domain Name Option 15 Specifies the domain name servers (DNSs) that are available to the client. Specifies the domain name that clients should use when resolving hostnames via DNS.
1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters. 2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters. Multiple servers might respond to a single DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer.
● Dell Networking OS provides 40K entries that can be divided between leased addresses and excluded addresses. By extension, the maximum number of pools you can configure depends on the subnet mask that you give to each pool. For example, if all pools were configured for a /24 mask, the total would be 40000/253 (approximately 158). If the subnet is increased, more pools can be configured. The maximum subnet that can be configured for a single pool is /17.
● prefix-length: specifies the number of bits used for the network portion of the address you specify. The prefix-length range is from 17 to 31. 4. Display the current pool configuration. DHCP mode show config After an IP address is leased to a client, only that client may release the address. Dell Networking OS performs a IP + MAC source address validation to ensure that no client can release another clients address.
Configure a Method of Hostname Resolution Dell systems are capable of providing DHCP clients with parameters for two methods of hostname resolution—using DNS or NetBIOS WINS. Using DNS for Address Resolution A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses. 1. Create a domain. DHCP domain-name name 2. Specify in order of preference the DNS servers that are available to a DHCP client.
Debugging the DHCP Server To debug the DHCP server, use the following command. ● Display debug information for DHCP server. EXEC Privilege mode debug ip dhcp server [events | packets] Using DHCP Clear Commands To clear DHCP binding entries, address conflicts, and server counters, use the following commands. ● Clear DHCP binding entries for the entire binding table. EXEC Privilege mode. clear ip dhcp binding ● Clear a DHCP binding entry for an individual IP address. EXEC Privilege mode.
Figure 29. Configuring a Relay Agent To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode. Example of the show ip interface Command R1_E600#show ip int tengigabitethernet 1/3 TenGigabitEthernet 1/3 is up, line protocol is down Internet address is 10.11.0.1/24 Broadcast address is 10.11.0.255 Address determined by user input IP MTU is 1500 bytes Helper address is 192.168.0.1 192.168.0.
Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: ● The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (Dell Networking OS version and a configuration file). BMP is enabled as a factory-default setting on a switch.
DHCP Client Operation with Other Features The DHCP client operates with other Dell Networking OS features, as the following describes. Stacking The DHCP client daemon runs only on the master unit and handles all DHCP packet transactions. It periodically synchronizes the lease file with the standby unit. When a stack failover occurs, the new master requires the same DHCP server-assigned IP address on DHCP client interfaces.
Configure the System for User Port Stacking (Option 230) Set the stacking-option variable to provide stack-port detail on the DHCP server when you set the DHCP offer. A stack can be formed when the units are connected. Option 230 is the option for user port stacking. Use it to create up to eight stack groups. Define the configuration parameters on the DHCP server for each chassis based on the chassis MAC address.
DHCP Snooping DHCP snooping protects networks from spoofing. In the context of DHCP snooping, ports are either trusted or not trusted. By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect. Manually configure ports connected to legitimate servers and relay agents as trusted.
ipv6 dhcp snooping vlan vlan-id Adding a Static Entry in the Binding Table To add a static entry in the binding table, use the following command. ● Add a static entry in the binding table. EXEC Privilege mode ip dhcp snooping binding mac Adding a Static IPV6 DHCP Snooping Binding Table To add a static entry in the snooping database, use the following command. ● Add a static entry in the snooping binding table.
Relay Information-option packets Relay Trust downstream packets Snooping packets : 0 : 0 : 0 Packets received on snooping disabled L3 Ports Snooping packets processed on L2 vlans : 0 : 142 DHCP Binding File Details Invalid File Invalid Binding Entry Binding Entry lease expired List of Trust Ports List of DHCP Snooping Enabled Vlans List of DAI Trust ports : 0 : 0 : 0 :Te 1/4 :Vl 10 :Te 1/4 Displaying the Contents of the DHCPv6 Binding Table To display the contents of the DHCP IPv6 binding table, use t
To view the number of entries in the table, use the show ip dhcp snooping binding command. This output displays the snooping binding table created using the ACK packets from the trusted port. Dell#show ip dhcp snooping binding Codes : S - Static D - Dynamic IP Address MAC Address Expires(Sec) Type VLAN Interface ================================================================ 10.1.1.251 00:00:4d:57:f2:50 172800 D Vl 10 Te 1/2 10.1.1.252 00:00:4d:57:e6:f6 172800 D Vl 10 Te 1/1 10.1.1.
are for DAI; to enable DAI on 16 VLANs, seven more entries are required. 87 L2Protocol + 13 additional L2Protocol + 15 L2SystemFlow + 7 additional L2SystemFlow equals 122. Configuring Dynamic ARP Inspection To enable dynamic ARP inspection, use the following commands. 1. Enable DHCP snooping. 2. Validate ARP frames against the DHCP snooping binding table. INTERFACE VLAN mode arp inspection To view entries in the ARP database, use the show arp inspection database command.
Table 13. Three Types of Source Address Validation (continued) Source Address Validation Description DHCP MAC Source Address Validation Verifies a DHCP packet’s source hardware address matches the client hardware address field (CHADDR) in the payload. IP+MAC Source Address Validation Verifies that the IP source address and MAC source address are a legitimate pair.
CONFIGURATION mode cam-acl l2acl 2. Save the running-config to the startup-config. EXEC Privilege mode copy running-config startup-config 3. Reload the system. EXEC Privilege reload 4. Do one of the following. ● Enable IP+MAC SAV. INTERFACE mode ip dhcp source-address-validation ipmac ● Enable IP+MAC SAV with VLAN option.
To clear the number of SAV dropped packets on a particular interface, use the clear ip dhcp snooping sourceaddress-validation discard-counters interface interface command.
13 Equal Cost Multi-Path (ECMP) Equal cost multi-path (ECMP) is supported on Dell Networking OS. Topics: • • ECMP for Flow-Based Affinity Link Bundle Monitoring ECMP for Flow-Based Affinity Flow-based affinity includes the following: ● Link Bundle Monitoring Configuring the Hash Algorithm TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features.
Configuring the Hash Algorithm Seed Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order. However, the hash algorithm uses as a seed the lower 12 bits of the chassis MAC, which yields a different hash result for every chassis. This behavior means that for a given flow, even though the prefixes are sorted, two unrelated chassis can select different hops.
To configure the maximum number of paths, use the following command. NOTE: Save the new ECMP settings to the startup-config (write-mem) then reload the system for the new settings to take effect. ● Configure the maximum number of paths per ECMP group. CONFIGURATION mode. ip ecmp-group maximum-paths {2-64} ● Enable ECMP group path management. CONFIGURATION mode. ip ecmp-group path-fallback Dell(conf)#ip ecmp-group maximum-paths 3 User configuration has been changed.
Dell(conf-ecmp-group-5)#show config ! ecmp-group 5 interface tengigabitethernet 1/2 interface tengigabitethernet 1/3 link-bundle-monitor enable Dell(conf-ecmp-group-5)# Equal Cost Multi-Path (ECMP) 227
14 Enabling FIPS Cryptography This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms. This feature provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module.
● All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed. ● Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage. ● FIPS mode is enabled. ○ If you enable the SSH server when you enter the fips mode enable command, it is re-enabled for version 2 only. ○ If you re-enable the SSH server, a new RSA host key-pair is generated automatically. You can also manually create this key-pair using the crypto key generate command.
Current Type Master priority Hardware Rev Num Ports Up Time Dell Networking Jumbo Capable POE Capable FIPS Mode Burned In MAC No Of MACs ... : S4810 - 52-port GE/TE/FG (SE) : 0 : 3.0 : 64 : 7 hr, 3 min OS Version : 4810-8-3-7-1061 : yes : no : enabled : 00:01:e8:8a:ff:0c : 3 Disabling FIPS Mode The following describes disabling FIPS mode. When you disable FIPS mode, the following changes occur: ● The SSH server disables. ● All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, close.
15 Force10 Resilient Ring Protocol (FRRP) FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) may require 4 to 5 seconds to reconverge.
Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
Important FRRP Points FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring. ● The Master node transmits ring status check frames at specified intervals. ● You can run multiple physical rings on the same switch. ● One Master node per ring — all other nodes are Transit.
Concept Explanation ● Hello RHF (HRHF) — These frames are processed only on the Master node’s Secondary port. The Transit nodes pass the HRHF through without processing it. An HRHF is sent at every Hello interval. ● Topology Change RHF (TCRHF) — These frames contains ring status, keepalive, and the control and member VLAN hash. The TCRHF is processed at each node of the ring.
Be ● ● ● ● ● ● ● ● sure to follow these guidelines: All VLANS must be in Layer 2 mode. You can only add ring nodes to the VLAN. A control VLAN can belong to one FRRP group only. Tag control VLAN ports. All ports on the ring must use the same VLAN ID for the control VLAN. You cannot configure a VLAN as both a control VLAN and member VLAN on the same ring. Only two interfaces can be members of a control VLAN (the Master Primary and Secondary ports).
To create the Members VLANs for this FRRP group, use the following commands on all of the Transit switches in the ring. 1. Create a VLAN with this ID number. CONFIGURATION mode. interface vlan vlan-id VLAN ID: the range is from 1 to 4094. 2. Tag the specified interface or range of interfaces to this VLAN. CONFIG-INT-VLAN mode. tagged interface slot/port {range} Interface: ● Slot/Port: Slot and Port ID for the interface. Range is entered Slot/Port-PortSlot/Port.
clear frrp ring-id Ring ID: the range is from 1 to 255. ● Clear the counters associated with all FRRP groups. EXEC PRIVELEGED mode. clear frrp Viewing the FRRP Configuration To view the configuration for the FRRP group, use the following command. ● Show the configuration for this FRRP group. CONFIG-FRRP mode. show configuration Viewing the FRRP Information To view general FRRP information, use one of the following commands. ● Show the information for the identified FRRP group.
interface TenGigabitEthernet 1/34 no ip address switchport no shutdown ! interface Vlan 101 no ip address tagged TenGigabitEthernet 1/24,34 no shutdown ! interface Vlan 201 no ip address tagged TenGigabitEthernet 1/24,34 no shutdown ! protocol frrp 101 interface primary TenGigabitEthernet 1/24 secondary TenGigabitEthernet 1/34 control-vlan 101 member-vlan 201 mode master no disable Example of R2 TRANSIT interface TenGigabitEthernet 2/14 no ip address switchport no shutdown ! interface TenGigabitEthernet 2/3
no shutdown ! protocol frrp 101 interface primary TenGigabitEthernet 3/21 secondary TenGigabitEthernet 3/14 control-vlan 101 member-vlan 201 mode transit no disable Force10 Resilient Ring Protocol (FRRP) 239
16 GARP VLAN Registration Protocol (GVRP) GARP VLAN registration protocol (GVRP) is supported on Dell Networking OS. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GVRP, defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other.
Configure GVRP To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, that type of port is referred to as a VLAN trunk port, but it is not necessary to specifically identify to the Dell Networking OS that the port is a trunk port. Figure 30.
gvrp enable Dell(conf)#protocol gvrp Dell(config-gvrp)#no disable Dell(config-gvrp)#show config ! protocol gvrp no disable Dell(config-gvrp)# To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command. ● Enable GVRP on a Layer 2 interface.
gvrp registration forbidden 45-46 no shutdown Dell(conf-if-te-1/21)# Configure a GARP Timer Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings. ● Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The Dell Networking OS default is 200ms.
17 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is supported on Dell Networking OS. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. IGMP is a Layer 3 multicast protocol that hosts use to join or leave a multicast group.
IGMP messages are encapsulated in IP packets, as shown in the following illustration. Figure 31. IGMP Messages in IP Packets Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. Responding to an IGMP Query The following describes how a host can join a multicast group. 1. One router on a subnet is elected as the querier.
IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences. ● Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers. ● To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Joining and Filtering Groups and Sources The following illustration shows how multicast routers maintain the group and source information from unsolicited reports. 1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1. 2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1. Include messages prevents traffic from all other sources in the group from reaching the subnet.
Leaving and Staying in Groups The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries. 1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filter for 10.11.1.1 and 10.11.1.2 are no longer necessary. 2.
● ● ● ● ● ● Adjusting Timers Preventing a Host from Joining a Group Enabling IGMP Immediate-Leave IGMP Snooping Fast Convergence after MSTP Topology Changes Designating a Multicast Router Interface Viewing IGMP Enabled Interfaces Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command. ● View IGMP-enabled interfaces.
Viewing IGMP Groups To view both learned and statically configured IGMP groups, use the following command. ● View both learned and statically configured IGMP groups. EXEC Privilege mode show ip igmp groups Dell# show ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface 225.1.1.1 TenGigabitEthernet 1/1 225.1.2.1 TenGigabitEthernet 1/1 Mode IGMPV2 IGMPV2 Uptime 00:11:19 00:10:19 Expires 00:01:50 00:01:50 Last Reporter 165.87.34.100 165.87.31.
Adjusting the IGMP Querier Timeout Value If there is more than one multicast router on a subnet, only one is elected to be the querier, which is the router that sends queries to the subnet. 1. Routers send queries to the all multicast systems address, 224.0.0.1. Initially, all routers send queries. 2. When a router receives a query, it compares the IP address of the interface on which it was received with the source IP address given in the query.
IGMP Snooping IGMP snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers. Multicast packets are addressed with multicast MAC addresses, which represent a group of devices, rather than one unique device.
INTERFACE VLAN mode show config Dell(conf-if-vl-100)#show config ! interface Vlan 100 no ip address ip igmp snooping fast-leave shutdown Dell(conf-if-vl-100)# Disabling Multicast Flooding If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. When you configure the no ip igmp snooping flood command, the system drops the packets immediately.
Adjusting the Last Member Query Interval To adjust the last member query interval, use the following command. When the querier receives a Leave message from a receiver, it sends a group-specific query out of the ports specified in the forwarding table. If no response is received, it sends another. The amount of time that the querier waits to receive a response to the initial query before sending a second one is the last member query interval (LMQI).
Protocol Separation When you configure the application application-type command to configure a set of management applications with TCP/UDP port numbers to the OS, the following table describes the association between applications and their port numbers. Table 14.
● In this mode, you can run the application and no application commands ● Applications can be configured or unconfigured as management applications using the application or no application command. All configured applications are considered as management applications and the rest of them as non-management applications. ● All the management routes (connected, static and default) are duplicated and added to the management EIS routing table.
Handling of Switch-Initiated Traffic When the control processor (CP) initiates a control packet, the following processing occurs: ● TCP/UDP port number is extracted from the sockaddr structure in the in_selectsrc call which is called as part of the connect system call or in the ip_output function.
● Rest of the response traffic is handled as per existing behavior by doing route lookup in the default routing table. So if the traffic is destined to the front-end port IP address, the response is sent out by doing a route lookup in the default routing table, which is an existing behavior. Consider a sample topology in which ip1 is an address assigned to the management port and ip2 is an address assigned to any of the front panel port. A and B are end users on the management and front-panel port networks.
This phenomenon occurs where traffic is transiting the switch. Traffic has not originated from the switch and is not terminating on the switch. ● Drop the packets that are received on the front-end data port with destination on the management port. ● Drop the packets that received on the management port with destination as the front-end data port. Switch-Destined Traffic This phenomenon occurs where traffic is terminated on the switch.
Protocol Behavior when EIS is Enabled Behavior when EIS is Disabled tftp EIS Behavior Default Behavior icmp (ping and traceroute) EIS Behavior for ICMP Default Behavior Behavior of Various Applications for Switch-Destined Traffic This section describes the different system behaviors that occur when traffic is terminated on the switch. Traffic has not originated from the switch and is not transiting the switch.
● When ARP learn enable is enabled, the switch learns ARP entries for ARP Request packets even if the packet is not destined to an IP configured in the box. ● The ARP learn enable feature is not applicable to the EIS routing table.
18 Interfaces This chapter describes interface types, both physical and logical, and how to configure them with Dell Networking Operating System (OS). ● 10 Gigabit Ethernet / 40 Gigabit Ethernet interfaces are supported on the Z9000 platform.
• • • • • • • • Link Bundle Monitoring Using Ethernet Pause Frames for Flow Control Configure the MTU Size on an Interface Port-Pipes Auto-Negotiation on Ethernet Interfaces View Advanced Interface Information Dynamic Counters Enhanced Validation of Interface Ranges Interface Types The following table describes different interface types.
ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 00:09:54 Queueing strategy: fifo Input Statistics: 0 packets, 0 bytes 0 Vlans 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics: 3 packets, 192 bytes, 0 underruns 3 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 51
Enabling a Physical Interface After determining the type of physical interfaces available, to enable and configure the interfaces, enter INTERFACE mode by using the interface interface slot/port command. 1. Enter the keyword interface then the type of interface and slot/port information. CONFIGURATION mode interface interface ● For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
Type of Interface Possible Modes Requires Creation Default State Management N/A No Shutdown (disabled) Loopback Layer 3 Yes No shutdown (enabled) Null interface N/A No Enabled Port Channel Layer 2 Yes Shutdown (disabled) Yes, except for the default VLAN.
● Enable the interface. INTERFACE mode no shutdown If an interface is in the incorrect layer mode for a given command, an error message is displayed (shown in bold). In the following example, the ip address command triggered an error message because the interface is in Layer 2 mode and the ip address command is a Layer 3 command only. Dell(conf-if)#show config ! interface TenGigabitEthernet 1/2 no ip address switchport no shutdown Dell(conf-if)#ip address 10.10.1.
When you enable this feature, all management routes (connected, static, and default) are copied to the management EIS routing table. Use the management route command to add new management routes to the default and EIS routing tables. Use the show ip management-eis-route command to view the EIS routes. Important Points to Remember ● Deleting a management route removes the route from both the EIS routing table and the default routing table.
Configuring Management Interfaces on the S-Series You can manage the S-Series from any port. To configure an IP address for the port, use the following commands. There is no separate management routing table, so configure all routes in the IP routing table (the ip route command). ● Configure an IP address. INTERFACE mode ip address ● Enable the interface. INTERFACE mode no shutdown ● The interface is the management interface.
NOTE: You cannot assign an IP address to the default VLAN, which is VLAN 1 (by default). To assign another VLAN ID to the default VLAN, use the default vlan-id vlan-id command. To assign an IP address to an interface, use the following command. ● Configure an IP address and mask on the interface. INTERFACE mode ip address ip-address mask [secondary] ○ ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24).
Port Channel Interfaces Port channel interfaces support link aggregation, as described in IEEE Standard 802.3ad. This section covers the following topics: ● Port Channel Definition and Standards ● Port Channel Benefits ● Port Channel Implementation ● Configuration Tasks for Port Channel Interfaces Port Channel Definition and Standards Link aggregation is defined by IEEE 802.
10/100/1000 Mbps Interfaces in Port Channels When both 10/100/1000 interfaces and GigE interfaces are added to a port channel, the interfaces must share a common speed. When interfaces have a configured speed different from the port channel speed, the software disables those interfaces. The common speed is determined when the port channel is first enabled. At that time, the software checks the first interface listed in the port channel configuration.
Adding a Physical Interface to a Port Channel The physical interfaces in a port channel can be on any line card in the chassis, but must be the same physical type. NOTE: Port channels can contain a mix of Gigabit Ethernet and 10/100/1000 Ethernet interfaces, but Dell Networking OS disables the interfaces that are not the same speed of the first channel member in the port channel (refer to 10/100/1000 Mbps Interfaces in Port Channels).
4857 64-byte pkts, 17570 over 64-byte pkts, 35209 over 127-byte pkts 69164 over 255-byte pkts, 143346 over 511-byte pkts, 942523 over 1023-byte pkts Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles 42 CRC, 0 IP Checksum, 0 overrun, 0 discarded 2456590833 packets output, 203958235255 bytes, 0 underruns Output 1640 Multicasts, 56612 Broadcasts, 2456532581 Unicasts 2456590654 IP Packets, 0 Vlans, 0 MPLS 0 throttles, 0 discarded Rate info (interval 5 minutes): Input 00.
Dell(conf-if-po-4)#int port 3 Dell(conf-if-po-3)#channel tengi 1/8 Dell(conf-if-po-3)#sho conf ! interface Port-channel 3 no ip address channel-member TenGigabitEthernet 1/8 shutdown Dell(conf-if-po-3)# Configuring the Minimum Oper Up Links in a Port Channel You can configure the minimum links in a port channel (LAG) that must be in “oper up” status to consider the port channel to be in “oper up” status. To set the “oper up” status of your links, use the following command.
Assigning an IP Address to a Port Channel You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command. ● Configure an IP address and mask on the interface. INTERFACE mode ip address ip-address mask [secondary] ○ ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24). ○ secondary: the IP address is the interface’s backup IP address.
○ mac [dest-mac | source-dest-mac | source-mac] — Distribute IPV4 traffic based on the destination or source MAC address, or both, along with the VLAN, Ethertype, source module ID and source port ID. ○ tcp-udp enable — Distribute traffic based on the TCP/UDP source and destination ports. ○ ingress-port — Option to Source Port Id for ECMP/ LAG hashing. ○ ipv6-selection— Set the IPV6 key fields to use in hash computation. ○ tunnel— Set the tunnel key fields to use in hash computation.
● xor16 — uses 16 bit XOR. Bulk Configuration Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces. Interface Range An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range. Bulk configuration excludes from configuration any non-existing interfaces from an interface range.
Example of the interface range Command (Multiple Ranges) Dell(conf)#interface range tengigabitethernet 1/5 - 10 , tengigabitethernet 1/1 , vlan 1 Dell(conf-if-range-te-1/1,te-1/5-10,vl-1)# Exclude Duplicate Entries The following is an example showing how duplicate entries are omitted from the interface-range prompt.
Defining Interface Range Macros You can define an interface-range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface-range macro command string, define the macro. To define an interface-range macro, use the following command. ● Defines the interface-range macro and saves it in the running configuration file.
● c — Clear screen ● a — Page down ● q — Quit Dell#monitor interface Te 3/1 Dell uptime is 1 day(s), 4 hour(s), 31 minute(s) Monitor time: 00:00:00 Refresh Intvl.
show tdr tengigabitethernet slot/port Splitting QSFP Ports to SFP+ Ports The platform supports splitting a single 40G QSFP port into four 10G SFP+ ports using one of the supported breakout cables (for a list of supported cables, refer to the Installation Guide or the Release Notes). NOTE: When you split a 40G port (such as fo 1/4) into four 10G ports, the 40G interface configuration is still available in the startup configuration when you save the running configuration by using the write memory command.
Important Points to Remember ● Before using the QSA to convert a 40 Gigabit Ethernet port to a 10 Gigabit SFP or SFP+ port, you must enable 40 G to 4*10 fan-out mode on the device. ● When you insert a QSA into a 40 Gigabit port, you can use only the first 10 Gigabit port in the fan-out mode to plug-in SFP or SFP+ cables. The remaining three 10 Gigabit ports are perceived to be in Link Down state and are unusable. ● You cannot use QSFP optical cables in a QSA setup.
valid and the output shows that pluggable media (optical cables) is inserted into these ports. This is a software limitation for this release. Dell#show interfaces tengigabitethernet 0/1 transceiver SFP+ 0 Serial ID Base Fields SFP+ 0 Id = 0x0d SFP+ 0 Ext Id = 0x00 SFP+ 0 Connector = 0x23 ………………………. Dell#show interfaces tengigabitethernet 0/2 transceiver SFP+ 0 Serial ID Base Fields SFP+ 0 Id = 0x0d SFP+ 0 Ext Id = 0x00 SFP+ 0 Connector = 0x23 ……………………….
SFP 0 Id SFP 0 Ext Id SFP 0 Connector SFP 0 Transceiver Code SFP 0 Encoding ……………… = = = = = 0x0d 0x00 0x23 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 Dell#show interfaces tengigabitethernet 0/8 transceiver QSFP 0 Serial ID Base Fields QSFP 0 Id = 0x0d QSFP 0 Ext Id = 0x00 QSFP 0 Connector = 0x23 QSFP 0 Transceiver Code = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00 QSFP 0 Encoding = 0x00 ……………… ……………… QSFP 0 Diagnostic Information =================================== QSFP 0 Rx Power measurement type = OMA =
tengigabitethernet 0/1 is up, line protocol is down Hardware is DellEth, address is 90:b1:1c:f4:9a:fa Current address is 90:b1:1c:f4:9a:fa Pluggable media present, SFP+ type is 10GBASE-SX ……….
Link Dampening Interface state changes occur when interfaces are administratively brought up or down or if an interface state changes. Every time an interface changes a state or flaps, routing protocols are notified of the status of the routes that are affected by the change in state. These protocols go through the momentous task of re-converging. Flapping; therefore, puts the status of entire network at risk of transient loops and black holes.
Clearing Dampening Counters To clear dampening counters and accumulated penalties, use the following command. ● Clear dampening counters. clear dampening Dell# clear dampening interface Te 1/1 Dell# show interfaces dampening TenGigabitEthernet1/1 InterfaceStateFlapsPenaltyHalf-LifeReuseSuppressMax-Sup Te 1/1Up00205001500300 Link Dampening Support for XML View the output of the following show commands in XML by adding | display xml to the end of the command.
Using Ethernet Pause Frames for Flow Control Ethernet pause frames and threshold settings are supported on the Dell Networking OS. Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it. The destination sends a PAUSE frame back to the source, stopping the sender’s transmission for a period of time.
Configure the MTU Size on an Interface If a packet includes a Layer 2 header, the difference in bytes between the link MTU and IP MTU must be enough to include the Layer 2 header. For example, for VLAN packets, if the IP MTU is 1400, the Link MTU must be no less than 1422: 1400-byte IP MTU + 22-byte VLAN Tag = 1422-byte link MTU The MTU range is from 592 to 12000, with a default of 1500. IP MTU automatically configures.
NOTE: As a best practice, Dell Networking recommends keeping auto-negotiation enabled. Only disable auto-negotiation on switch ports that attach to devices not capable of supporting negotiation or where connectivity issues arise from interoperability issues. For 10/100/1000 Ethernet interfaces, the negotiation auto command is tied to the speed command. Auto-negotiation is always enabled when the speed command is set to 1000 or auto.
Te 1/12 Down [output omitted] Auto Auto -- In the previous example, several ports display “Auto” in the Speed field. In the following example, the speed of port 1/1 is set to 100Mb and then its auto-negotiation is disabled.
Adjusting the Keepalive Timer To change the time interval between keepalive messages on the interfaces, use the keepalive command. The interface sends keepalive messages to itself to test network connectivity on the interface. To change the default time interval between keepalive messages, use the following command. ● Change the default interval between keepalive messages. INTERFACE mode keepalive [seconds] ● View the new setting.
Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG. The following example shows how to configure rate interval when changing the default value.
Dynamic Counters By default, counting is enabled for IPFLOW, IPACL, L2ACL, L2FIB. For the remaining applications, Dell Networking OS automatically turns on counting when you enable the application, and is turned off when you disable the application. NOTE: If you enable more than four counter-dependent applications on a port pipe, there is an impact on line rate performance.
Enhanced Validation of Interface Ranges This functionality is supported on the Z9000 platform. You can avoid specifying spaces between the range of interfaces, separated by commas, that you configure by using the interface range command. For example, if you enter a list of interface ranges, such as interface range fo 2/0-1,te 10/0,gi 3/0,fa 0/0, this configuration is considered valid. The comma-separated list is not required to be separated by spaces in between the ranges.
19 Internet Protocol Security (IPSec) Internet protocol security (IPSec) is available on Dell Networking OS. IPSec is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel. ● Transport mode — (default) Use to encrypt only the payload of the packet.
match 0 tcp a::1 /128 0 a::2 /128 23 match 1 tcp a::1 /128 23 a::2 /128 0 match 2 tcp a::1 /128 0 a::2 /128 21 match 3 tcp a::1 /128 21 a::2 /128 0 match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23 match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0 match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21 match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0 3. Apply the crypto policy to management traffic.
20 IPv4 Routing IPv4 routing is supported on Dell Networking OS. The Dell Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
• Troubleshooting UDP Helper IP Addresses Dell Networking OS supports IP version 4, as described in RFC 791. Dell Networking OS also supports classful routing and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which increases the number of subnets, is also supported. To subnet, you add a mask to the IP address to separate the network and host portions of the IP address.
ip address ip-address mask [secondary] ● ip-address mask: the IP address must be in dotted decimal format (A.B.C.D). The mask must be in slash prefixlength format (/24). ● secondary: add the keyword secondary if the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses. To view the configuration, use the show config command in INTERFACE mode or use the show ip interface command in EXEC privilege mode, as shown in the second example.
S 6.1.2.13/32 S 6.1.2.14/32 S 6.1.2.15/32 S 6.1.2.16/32 S 6.1.2.17/32 S 11.1.1.0/24 Direct, Lo 0 --More-- via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, Direct, Nu 0 Dell#show ip route static Destination Gateway ----------------S 2.1.2.0/24 Direct, Nu 0 S 6.1.2.0/24 via 6.1.20.2, S 6.1.2.2/32 via 6.1.20.2, S 6.1.2.3/32 via 6.1.20.2, S 6.1.2.4/32 via 6.1.20.2, S 6.1.2.5/32 via 6.1.20.2, S 6.1.2.6/32 via 6.1.20.2, S 6.1.2.7/32 via 6.1.20.2, S 6.1.2.8/32 via 6.1.20.2, S 6.1.2.
Configure Static Routes for the Management Interface When an IP address that a protocol uses and a static management route exists for the same prefix, the protocol route takes precedence over the static management route. To configure a static route for the management port, use the following command. ● Assign a static route to point to the management interface or forwarding router.
PMTD is enabled by default on the switches that support this capability. To enable PMTD to function correctly, you must enter the ip unreachables command on a VLAN interface to enable the generation of ICMP unreachable messages. PMTD is supported on all the layer 3 VLAN interfaces. Because all of the Layer 3 interfaces are mapped to the VLAN ID of 4095 when VLAN sub-interfaces are configured on it, it is not possible to configure unique layer 3 MTU values for each of the layer 3 interfaces.
Dell>show ip tcp reduced-syn-ack-wait Enabling Directed Broadcast By default, Dell Networking OS drops directed broadcast packets destined for an interface. This default setting provides some protection against denial of service (DoS) attacks. To enable Dell Networking OS to receive directed broadcasts, use the following command. ● Enable directed broadcast. INTERFACE mode ip directed-broadcast To view the configuration, use the show config command in INTERFACE mode.
Specifying the Local System Domain and a List of Domains If you enter a partial domain, Dell Networking OS can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. Dell Networking OS searches the host table first to resolve the partial domain. The host table contains both statically configured and dynamically learnt host and IP addresses.
ARP Dell Networking OS uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network. Over time, Dell Networking OS creates a forwarding table mapping the MAC addresses to their corresponding IP address. This table is called the ARP Cache and dynamically learned addresses are removed after a defined period of time.
Enabling Proxy ARP By default, Proxy ARP is enabled. To disable Proxy ARP, use the no proxy-arp command in the interface mode. To re-enable Proxy ARP, use the following command. ● Re-enable Proxy ARP. INTERFACE mode ip proxy-arp To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output.
CONFIGURATION mode arp learn-enable ARP Learning via ARP Request In Dell Networking OS versions prior to 8.3.1.0, Dell Networking OS learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped. If there is an existing entry for the requesting host, it is updated. Figure 36.
● Set the number of ARP retries. CONFIGURATION mode arp retries number The default is 5. The range is from 1 to 20. ● Set the exponential timer for resending unresolved ARPs. CONFIGURATION mode arp backoff-time The default is 30. The range is from 1 to 3600. ● Display all ARP entries learned via gratuitous ARP.
UDP Helper User datagram protocol (UDP) helper allows you to direct the forwarding IP/UDP broadcast traffic by creating special broadcast addresses and rewriting the destination IP address of packets to match those addresses. Configure UDP Helper Configuring Dell Networking OS to direct UDP broadcast is a two-step process: 1. Enable UDP helper and specify the UDP ports for which traffic is forwarded. Refer to Enabling UDP Helper. 2.
! interface Vlan 100 ip address 1.1.0.1/24 ip udp-broadcast-address 1.1.255.255 untagged GigabitEthernet 1/2 no shutdown To view the configured broadcast address for an interface, use show interfaces command. R1_E600(conf)#do show interfaces vlan 100 Vlan 100 is up, line protocol is down Address is 00:01:e8:0d:b9:7a, Current address is 00:01:e8:0d:b9:7a Interface index is 1107787876 Internet address is 1.1.0.1/24 IP UDP-Broadcast address is 1.1.255.
Figure 38. UDP Helper with Broadcast-All Addresses UDP Helper with Subnet Broadcast Addresses When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to matching interface. In the following illustration, Packet 1 has the destination IP address 1.1.1.255, which matches the subnet broadcast address of VLAN 101.
Figure 40. UDP Helper with Configured Broadcast Addresses UDP Helper with No Configured Broadcast Addresses The following describes UDP helper with no broadcast addresses configured. ● If the incoming packet has a broadcast destination IP address, the unaltered packet is routed to all Layer 3 interfaces. ● If the Incoming packet has a destination IP address that matches the subnet broadcast address of any interface, the unaltered packet is routed to the matching interfaces.
21 IPv6 Routing Internet protocol version 6 (IPv6) routing is supported on Dell Networking OS. NOTE: The IPv6 basic commands are supported on all platforms. However, not all features are supported on all platforms, nor for all releases. To determine the Dell Networking Operating System (OS) version supporting which features and platforms, refer to Implementing IPv6 with Dell Networking OS. IPv6 is the successor to IPv4.
● Prefix Renumbering — Useful in transparent renumbering of hosts in the network when an organization changes its service provider. NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses using the dynamic host control protocol (DHCP) servers via stateful auto-configuration. NOTE: Dell Networking OS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS).
IPv6 Header Fields The 40 bytes of the IPv6 header are ordered, as shown in the following illustration. Figure 41. IPv6 Header Fields Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Value Description 0 Hop-by-Hop option header 4 IPv4 6 TCP 8 Exterior Gateway Protocol (EGP) 41 IPv6 43 Routing header 44 Fragmentation header 50 Encrypted Security 51 Authentication header 59 No Next Header 60 Destinations option header NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) web page at .
Hop-by-Hop Options Header The Hop-by-Hop options header contains information that is examined by every router along the packet’s path. It follows the IPv6 header and is designated by the Next Header value 0 (zero). When a Hop-by-Hop Options header is not included, the router knows that it does not have to process any router specific information and immediately processes the packet to its final destination.
Link-local Addresses Link-local addresses, starting with fe80:, are assigned only in the local link area. The addresses are generated usually automatically by the operating system's IP layer for each network interface. This provides instant automatic network connectivity for any IPv6 host and means that if several hosts connect to a common hub or switch, they have an instant communication path via their link-local IPv6 address. Link-local addresses cannot be routed to the public Internet.
Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location Z9000 Multiprotocol BGP extensions for IPv6 8.3.11 IPv6 BGP in the Dell Networking OS Command Line Reference Guide. IPv6 BGP MD5 Authentication 8.3.11 IPv6 BGP in the Dell Networking OS Command Line Reference Guide. IS-IS for IPv6 8.3.11 Intermediate System to Intermediate System IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide. IS-IS for IPv6 support for redistribution 8.3.
Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location Z9000 MLDv1/v2 N/A IPv6 PIM in the Dell Networking OS Command Line Reference Guide. ICMPv6 ICMP for IPv6 combines the roles of ICMP, IGMP and ARP in IPv4. Like IPv4, it provides functions for reporting delivery and forwarding errors, and provides a simple echo service for troubleshooting. The Dell Networking OS implementation of ICMPv6 is based on RFC 4443.
IPv6 Neighbor Discovery NDP is a top-level protocol for neighbor discovery on an IPv6 network. In lieu of address resolution protocol (ARP), NDP uses “Neighbor Solicitation” and “Neighbor Advertisement” ICMPv6 messages for determining relationships between neighboring nodes. Using these messages, an IPv6 device learns the link-layer addresses for neighbors known to reside on attached links, quickly purging cached values that become invalid.
Configuring the IPv6 Recursive DNS Server You can configure up to four Recursive DNS Server (RDNSS) addresses to be distributed via IPv6 router advertisements to an IPv6 device, using the ipv6 nd dns-server ipv6-RDNSS-address {lifetime | infinite} command in INTERFACE CONFIG mode. The lifetime parameter configures the amount of time the IPv6 host can use the IPv6 RDNSS address for name resolution. The lifetime range is 0 to 4294967295 seconds.
Displaying IPv6 RDNSS Information To display IPv6 interface information, including IPv6 RDNSS information, use the show ipv6 interface command in EXEC or EXEC Privilege mode. Examples of Displaying IPv6 RDNSS Information The following example displays IPv6 RDNSS information. The output in the last 3 lines indicates that the IPv6 RDNSS was correctly configured on interface te 1/1.
Configuration Tasks for IPv6 The following are configuration tasks for the IPv6 protocol. ● ● ● ● ● ● ● Adjusting Your CAM-Profile Assigning an IPv6 Address to an Interface Assigning a Static IPv6 Route Configuring Telnet with IPv6 SNMP over IPv6 Showing IPv6 Information Clearing IPv6 Routes Adjusting Your CAM-Profile Although adjusting your CAM-profile is not a mandatory step, if you plan to implement IPv6 ACLs, adjust your CAM settings. The CAM space is allotted in FP blocks.
● Enter the IPv6 Address for the device. CONFIG-INTERFACE mode ipv6 address ipv6 address/mask ○ ipv6 address: x:x:x:x::x ○ mask: The prefix length is from 0 to 128 NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits. Separate each group by a colon (:). Omitting zeros is accepted as described in Addressing. Assigning a Static IPv6 Route To configure IPv6 static routes, use the ipv6 route command.
● ● ● ● ● ● snmp-server snmp-server snmp-server snmp-server snmp-server snmp-server host user ipv6 community ipv6 community access-list-name ipv6 group ipv6 group access-list-name ipv6 Showing IPv6 Information View specific IPv6 configuration with the following commands. ● List the IPv6 show options.
Valid lifetime: 2592000, Preferred lifetime: 604800 Advertised by: fe80::201:e8ff:fe8b:3166 Global Anycast address(es): Joined Group address(es): ff02::1 ff02::1:ff8b:386e ND MTU is 0 ICMP redirects are not sent DAD is enabled, number of DAD attempts: 3 ND reachable time is 32000 milliseconds ND base reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds ND hop limit is 64 Showing IPv6 Routes To view the global IPv6 routing information, use the following command.
C 601::/64 [0/0] Direct, Te 1/24, 00:34:18 C 912::/64 [0/0] Direct, Lo 2, 00:02:33 O IA 999::1/128 [110/2] via fe80::201:e8ff:fe8b:3166, Te 1/24, 00:01:30 L fe80::/10 [0/0] Direct, Nu 0, 00:34:42 Dell# The following example shows the show ipv6 route static command.
Configuring IPv6 RA Guard The IPv6 Router Advertisement (RA) guard allows you to block or reject the unwanted router advertisement guard messages that arrive at the network device platform. To configure the IPv6 RA guard, perform the following steps: 1. Configure the terminal to enter the Global Configuration mode. EXEC Privilege mode configure terminal 2. Enable the IPv6 RA guard. CONFIGURATION mode ipv6 nd ra-guard enable 3. Create the policy.
POLICY LIST CONFIGURATION mode reachable—time value The reachability time range is from 0 to 3,600,000 milliseconds. 14. Set the advertised retransmission time. POLICY LIST CONFIGURATION mode retrans—timer value The retransmission time range is from 100 to 4,294,967,295 milliseconds. 15. Display the configurations applied on the RA guard policy mode.
EXEC Privilege mode debug ipv6 nd ra-guard [interface_type slot/port | count value] The count range is from 1 to 65534. The default is infinity. For a complete listing of all commands related to IPv6 RA Guard, refer to Dell Networking OS Command Line Reference Guide.
22 Intermediate System to Intermediate System Intermediate system to intermediate system (Is-IS) is supported on Dell Networking OS. ● IS-IS is supported on the Z9000 with Dell Networking OS 9.0(0.0). ● ● The IS-IS protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. ● The IS-IS protocol standards are listed in the Standards Compliance chapter.
● system address — the router’s MAC address. ● N-selector — this is always 0. The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.0001) are the area address. The system portion is 000c.000a.4321 and the last byte is always 0. Figure 44. ISO Address Format Multi-Topology IS-IS Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases.
Interface Support MT IS-IS is supported on physical Ethernet interfaces, physical synchronous optical network technologies (SONET) interfaces, port-channel interfaces (static and dynamic using LACP), and virtual local area network (VLAN) interfaces. Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions.
new TLVs are IPv6 Reachability and IPv6 Interface Address. Also, a new IPv6 protocol identifier has also been included in the supported TLVs. The new TLVs use the extended metrics and up/down bit semantics. Multi-topology IS-IS adds TLVs: ● MT TLV — contains one or more Multi-Topology IDs in which the router participates. This TLV is included in IIH and the first fragment of an LSP. ● MT Intermediate Systems TLV — appears for every topology a node supports.
● ● ● ● ● ● ● ● Changing LSP Attributes Configuring the IS-IS Metric Style Configuring IS-IS Cost Changing the IS-Type Controlling Routing Updates Configuring Authentication Passwords Setting the Overload Bit Debuging IS-IS Enabling IS-IS By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address.
The IPv6 address must be on the same subnet as other IS-IS neighbors, but the IP address does not need to relate to the NET address. 6. Enable IS-IS on the IPv4 interface. ROUTER ISIS mode ip router isis [tag] If you configure a tag variable, it must be the same as the tag variable assigned in step 1. 7. Enable IS-IS on the IPv6 interface. ROUTER ISIS mode ipv6 router isis [tag] If you configure a tag variable, it must be the same as the tag variable assigned in step 1. The default IS type is level-1-2.
Configuring Multi-Topology IS-IS (MT IS-IS) To configure multi-topology IS-IS (MT IS-IS), use the following commands. 1. Enable multi-topology IS-IS for IPv6. ROUTER ISIS AF IPV6 mode multi-topology [transition] Enter the keyword transition to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode.
● Configure the time for the graceful restart timer T2 that a restarting router uses as the wait time for each database to synchronize. ROUTER-ISIS mode graceful-restart t2 {level-1 | level-2} seconds ○ level-1, level-2: identifies the database instance type to which the wait interval applies. The range is from 5 to 120 seconds. The default is 30 seconds.
Interface Index 0x62cc03a, Local circuit ID 1 Level-1 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.01 Hello Interval: 10, Hello Multiplier: 3, CSNP Interval: 10 Number of active level-1 adjacencies: 1 Level-2 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.
Configuring the IS-IS Metric Style All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
Configuring the IS-IS Cost When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands. ● Assign an IS-IS metric. INTERFACE mode isis metric default-metric [level-1 | level-2] ○ default-metric: the range is from 0 to 63 if the metric-style is narrow, narrow-transition, or transition.
is-type {level-1 | level-1-2 | level-2} To view which IS-type is configured, use the show isis protocol command in EXEC Privilege mode. The show config command in ROUTER ISIS mode displays only non-default information. If you do not change the IS-type, the default value (level-1-2) is not displayed. The default is Level 1-2 router. When the IS-type is Level 1-2, the software maintains two Link State databases, one for each level. To view the Link State databases, use the show isis database command.
○ ○ ○ ○ ○ For For For For For a a a a a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Loopback interface, enter the keyword loopback then a number from 0 to 16383. port channel interface, enter the keywords port-channel then a number. VLAN interface, enter the keyword vlan then a number from 1 to 4094.
Redistributing IPv4 Routes In addition to filtering routes, you can add routes from other routing instances or protocols to the IS-IS process. With the redistribute command syntax, you can include BGP, OSPF, RIP, static, or directly connected routes in the IS-IS process. NOTE: Do not route iBGP routes to IS-IS unless there are route-maps associated with the IS-IS redistribution. To add routes from other routing instances or protocols, use the following commands.
○ ○ ○ ○ ○ ○ ○ ○ process-id: the range is from 1 to 65535. level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2. metric value: the range is from 0 to 16777215. The default is 0. metric value: the range is from 0 to 16777215. The default is 0. match external: the range is 1 or 2. match internal metric-type: external or internal. map-name: name of a configured route map.
Dell#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum B233.00-00 0x00000003 0x07BF eljefe.00-00 * 0x0000000A 0xF963 eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.00-00 0x00000002 0xD1A7 IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum B233.00-00 0x00000006 0xC38A eljefe.00-00 * 0x0000000E 0x53BF eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.
To disable all debugging, use the undebug all command. IS-IS Metric Styles The following sections provide additional information about the IS-IS metric styles.
Table 19. Metric Value When the Metric Style Changes (continued) Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value NOTE: A truncated value is a value that is higher than 63, but set back to 63 because the higher value is not supported. wide narrow transition default value (10) if the original value is greater than 63. A message is sent to the console.
Table 20. Metric Value when the Metric Style Changes Multiple Times (continued) Beginning Metric Style Next Metric Style Resulting Metric Value Next Metric Style Final Metric Value wide transition transition truncated value narrow transition default value (10). A message is sent to the logging buffer Leaks from One Level to Another In the following scenarios, each IS-IS level is configured with a different metric style. Table 21.
NOTE: Whenever you make IS-IS configuration changes, clear the IS-IS process (re-started) using the clear isis command. The clear isis command must include the tag for the ISIS process. The following example shows the response from the router: Dell#clear isis * % ISIS not enabled. Dell#clear isis 9999 * You can configure IPv6 IS-IS routes in one of the following three different methods: ● Congruent Topology — You must configure both IPv4 and IPv6 addresses on the interface.
IS-IS Sample Configuration — Multi-topology Dell (conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ipv6 address 24:3::1/76 ipv6 router isis no shutdown Dell (conf-if-te-3/17)# Dell (conf-router_isis)#show config ! router isis net 34.0000.0000.AAAA.
23 Link Aggregation Control Protocol (LACP) Link aggregation control protocol (LACP) is supported on Dell Networking OS.
NOTE: There is no configuration on the interface because that condition is required for an interface to be part of a LAG. ● You can configure link dampening on individual members of a LAG. ● You can configure a maximum of 128 port-channels with up to 16 members per channel. LACP Modes Dell Networking OS provides three modes for configuration of LACP — Off, Active, and Passive. ● Off — In this state, an interface is not capable of being part of a dynamic LAG.
● Setting the LACP Long Timeout ● Monitoring and Debugging LACP ● Configuring Shared LAG State Tracking Creating a LAG To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces. ● Create a dynamic port channel (LAG). CONFIGURATION mode interface port-channel ● Create a dynamic port channel (LAG).
Setting the LACP Long Timeout PDUs are exchanged between port channel (LAG) interfaces to maintain LACP sessions. PDUs are transmitted at either a slow or fast transmission rate, depending upon the LACP timeout value. The timeout value is the amount of time that a LAG interface waits for a PDU from the remote system before bringing the LACP session down. The default timeout value is 1 second. You can configure the default timeout value to be 30 seconds.
Figure 46. Shared LAG State Tracking To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). Dell Networking OS has the ability to bring LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group. Configuring Shared LAG State Tracking To configure shared LAG state tracking, you configure a failover group.
Figure 47. Configuring Shared LAG State Tracking The following are shared LAG state tracking console messages: ● 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 1 ● 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2 To view the status of a failover group member, use the show interface port-channel command.
LACP Basic Configuration Example The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names. Figure 48. LACP Basic Configuration Example Configure a LAG on ALPHA The following example creates a LAG on ALPHA.
0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics 136 packets, 16718 bytes, 0 underruns 0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 136 Multicasts, 0 Broadcasts, 0 Unicasts 0 Vlans, 0 throttles, 0 discarded, 0 collisions, 0 wreddrops Rate info (interval 299 seconds): Input 00.00 Mbits/sec,0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec,0 packets/sec, 0.
Figure 50.
Figure 51.
Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int gig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-gi-3/21)#port-channel-protocol lacp Bravo(conf-if-gi-3/21-lacp)#port-channel 10 mode active Bravo(conf-if-gi-3/21-lacp)#no shut Bravo(conf-if-gi-3/21)#end ! interface GigabitEthernet 3/21 no ip address ! port-channel-
Figure 52.
Figure 53.
Figure 54. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
This capability detects whether the configured applications or utilities are causing traffic to be unevenly distributed on a hiGig link bundle for best performance. This capability to monitor the port channel bundles is applicable for any platform that contains backplane high-Gigabit Ethernet links.
● If unevenness is observed over three consecutive measurements, an alarm event is generated. The rateInterval for Hg stats polling (default 15 seconds) determines the time interval between two measurements. Alarm clear is sent when evenness is observed for three successive rate intervals. If individual link utilization information is not available for a given timestamp, link bundle utilization is not calculated at that timestamp. The previous known record shall be used for the alarm calculation.
Until Dell Networking OS Release 9.2(0.0), the show commands displayed only the details computed by the buffer statistics tracking counters for the egress queues. You can use the show hardware stack-unit buffer unit command to display the buffer statistics and queue information. You can use the clear hardware stackunit command to reset the statistical details associated with high-Gigabit Ethernet ports.
24 Layer 2 Layer 2 features are supported on Dell Networking OS. Topics: • • • • • Manage the MAC Address Table MAC Learning Limit NIC Teaming Configure Redundant Pairs Far-End Failure Detection Manage the MAC Address Table Dell Networking OS provides the following management activities for the MAC address table.
Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. ● Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command. ● Display the contents of the MAC address table.
Setting the MAC Learning Limit To set a MAC learning limit on an interface, use the following command. ● Specify the number of MAC addresses that the system can learn off a Layer 2 interface. INTERFACE mode mac learning-limit address_limit Three options are available with the mac learning-limit command: ○ dynamic ○ no-station-move ○ station-move NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations.
mac learning-limit no-station-move The no-station-move option, also known as “sticky MAC,” provides additional port security by preventing a station move. When you configure this option, the first entry in the table is maintained instead of creating an entry on the new interface. no-station-move is the default behavior. Entries created before you set this option are not affected. To display a list of all interfaces with a MAC learning limit, use the following command.
● Display a list of all of the interfaces configured with MAC learning limit or station move violation. CONFIGURATION mode show mac learning-limit violate-action NOTE: When the MAC learning limit (MLL) is configured as no-station-move, the MLL will be processed as static entries internally. For static entries, the MAC address will be installed in all port-pipes, irrespective of the VLAN membership.
is learned on the same port where the ARP is resolved (in the previous example, this location is Port 0/5 of the switch). To ensure that the MAC address is disassociated with one port and re-associated with another port in the ARP table, configure the mac-address-table station-move refresh-arp command on the Dell Networking switch at the time that NIC teaming is being configured on the server.
Figure 57. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
As shown in the previous illustration, interface 3/41 is a backup interface for 3/42, and 3/42 is in the Down state. If 3/41 fails, 3/42 transitions to the Up state, which makes the backup link active. A message similar to the following message appears whenever you configure a backup port.
Po 1 and Te 1/2 Dell(conf-if-po-1)# Far-End Failure Detection FEFD is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis. Disabling the global FEFD configuration does not disable the interface configuration. Figure 58.
4. If the FEFD enabled system is configured to use FEFD in Normal mode and neighboring echoes are not received after three intervals, (you can set each interval can be set between 3 and 300 seconds) the state changes to unknown. 5. If the FEFD system has been set to Aggressive mode and neighboring echoes are not received after three intervals, the state changes to Err-disabled.
Dell#show fefd FEFD is globally 'ON', interval is 3 seconds, mode is 'Normal'. INTERFACE MODE Te Te Te Te Normal Normal Normal Normal 1/1 1/2 1/3 1/4 INTERVAL (second) 3 3 3 3 STATE Bi-directional Admin Shutdown Admin Shutdown Admin Shutdown Dell#show run fefd ! fefd-global mode normal fefd-global interval 3 Enabling FEFD on an Interface To enable, change, or disable FEFD on an interface, use the following commands. ● Enable FEFD on a per interface basis. INTERFACE mode fefd ● Change the FEFD mode.
Debugging FEFD To debug FEFD, use the first command. To provide output for each packet transmission over the FEFD enabled connection, use the second command. ● Display output whenever events occur that initiate or disrupt an FEFD enabled connection. EXEC Privilege mode debug fefd events ● Provide output for each packet transmission over the FEFD enabled connection.
25 Link Layer Discovery Protocol (LLDP) The link layer discovery protocol (LLDP) is supported on Dell Networking OS. Topics: • • • • • • • • • • • • • • • 802.
TLVs are encapsulated in a frame called an LLDP data unit (LLDPDU) (shown in the following table), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements. There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs.
Figure 61. Organizationally Specific TLV IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs. Table 24. Optional TLV Types Type TLV Description 4 Port description A user-defined alphanumeric string that describes the port. Dell Networking OS does not currently support this TLV.
Table 24. Optional TLV Types (continued) Type TLV Description 127 Power via MDI Dell Networking supports the LLDP-MED protocol, which recommends that Power via MDI TLV be not implemented, and therefore Dell Networking implements Extended Power via MDI TLV only. 127 Link Aggregation Indicates whether the link is capable of being aggregated, whether it is currently in a LAG, and the port identification of the LAG. Dell Networking OS does not currently support this TLV.
Table 25. TIA-1057 (LLDP-MED) Organizationally Specific TLVs (continued) Type SubType TLV Description 127 3 Location Identification Indicates that the physical location of the device expressed in one of three possible formats: ● Coordinate Based LCI ● Civic Address LCI ● Emergency Call Services ELIN 127 4 Location Identification Indicates power requirements, priority, and power status. Inventory Management TLVs Implementation of this set of TLVs is optional in LLDPMED devices.
Figure 62. LLDP-MED Capabilities TLV Table 26. Dell Networking OS LLDP-MED Capabilities Bit Position TLV Dell Networking OS Support 0 LLDP-MED Capabilities Yes 1 Network Policy Yes 2 Location Identification Yes 3 Extended Power via MDI-PSE Yes 4 Extended Power via MDI-PD No 5 Inventory No 6–15 reserved No Table 27.
Table 28. Network Policy Applications (continued) Type Application Description 1 Voice Specify this application type for dedicated IP telephony handsets and other appliances supporting interactive voice services. 2 Voice Signaling Specify this application type only if voice control packets use a separate network policy than voice data.
Figure 64. Extended Power via MDI TLV Configure LLDP Configuring LLDP is a two-step process. 1. Enable LLDP globally. 2. Advertise TLVs out of an interface. Related Configuration Tasks ● ● ● ● ● ● Viewing the LLDP Configuration Viewing Information Advertised by Adjacent LLDP Agents Configuring LLDPDU Intervals Configuring Transmit and Receive Mode Configuring a Time to Live Debugging LLDP Important Points to Remember ● LLDP is enabled by default.
mode multiplier no show LLDP mode configuration (default = rx and tx) LLDP multiplier configuration Negate a command or set its defaults Show LLDP configuration Dell(conf-lldp)#exit Dell(conf)#interface tengigabitethernet 1/3 Dell(conf-if-te-1/3)#protocol lldp Dell(conf-if-te-1/3-lldp)#? advertise Advertise TLVs disable Disable LLDP protocol on this interface end Exit from configuration mode exit Exit from LLDP configuration mode hello LLDP hello configuration mode LLDP mode configuration (default = rx an
Disabling and Undoing LLDP on Management Ports To disable or undo LLDP on management ports, use the following command. 1. Enter Protocol LLDP mode. CONFIGURATION mode. protocol lldp 2. Enter LLDP management-interface mode. LLDP-MANAGEMENT-INTERFACE mode. management-interface 3. Enter the disable command. LLDP-MANAGEMENT-INTERFACE mode. To undo an LLDP management port configuration, precede the relevant command with the keyword no.
Figure 65. Configuring LLDP Viewing the LLDP Configuration To view the LLDP configuration, use the following command. ● Display the LLDP configuration.
show lldp neighbors detail Example of Viewing Brief Information Advertised by Neighbors Dell(conf-if-te-1/3-lldp)#end Dell (conf-if-te-1/3)#do show lldp neighbors Loc PortID Rem Host Name Rem Port Id Rem Chassis Id -------------------------------------------------------------------Te 1/1 TenGigabitEthernet 1/5 00:01:e8:05:40:46 Te 1/2 TenGigabitEthernet 1/6 00:01:e8:05:40:46 Dell (conf-if-te-1/3)# Example of Viewing Details Advertised by Neighbors Dell#show lldp neighbors detail ============================
no disable R1(conf-lldp)#mode ? rx Rx only tx Tx only R1(conf-lldp)#mode tx R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description mode tx no disable R1(conf-lldp)#no mode R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disa
no disable R1(conf-lldp)# Configuring a Time to Live The information received from a neighbor expires after a specific amount of time (measured in seconds) called a time to live (TTL). The TTL is the product of the LLDPDU transmit interval (hello) and an integer called a multiplier. The default multiplier is 4, which results in a default TTL of 120 seconds. ● Adjust the TTL value. CONFIGURATION mode or INTERFACE mode. multiplier ● Return to the default multiplier value.
Figure 66. The debug lldp detail Command — LLDPDU Packet Dissection Relevant Management Objects Dell Networking OS supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with: ● received and transmitted TLVs ● the LLDP configuration on the local agent ● IEEE 802.1AB Organizationally Specific TLVs ● received and transmitted LLDP-MED TLVs Table 29.
Table 29. LLDP Configuration MIB Objects (continued) MIB Object Category LLDP Statistics LLDP Variable LLDP MIB Object Description mibMgmtAddrInstanceTxEnable lldpManAddrPortsTxEnable The management addresses defined for the system and the ports through which they are enabled for transmission. statsAgeoutsTotal lldpStatsRxPortAgeoutsTotal Total number of times that a neighbor’s information is deleted on the local system due to an rxInfoTTL timer expiration.
Table 30.
Table 32.
Table 32.
26 Microsoft Network Load Balancing This functionality is supported on Dell Networking OS. Network Load Balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems. NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
Limitations With Enabling NLB on Switches The following limitations apply to switches on which you configure NLB: ● The NLB unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN. When a large volume of traffic is processed, the clustering performance might be impacted in a small way. This limitation is applicable to switches that perform unicast flooding in the software. ● The ip vlan-flooding command applies globally across the system and for all VLANs.
through ARP packets, which had the Ethernet MAC SA different from the MAC information inside the ARP packet. This unicast data traffic flooding occurs only for those packets that use these ARP entries. CONFIGURATION mode ip vlan-flooding To enable a switch for multicast NLB mode of functioning, perform the following steps: 1.
27 Multicast Source Discovery Protocol (MSDP) Multicast source discovery protocol (MSDP) is supported on Dell Networking OS. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 68.
Implementation Information The Dell Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446. Configure Multicast Source Discovery Protocol Configuring MSDP is a four-step process. 1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures. The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 69.
Figure 70.
Figure 71.
Figure 72. Configuring MSDP Enable MSDP Enable MSDP by peering RPs in different administrative domains. 1. Enable MSDP. CONFIGURATION mode ip multicast-msdp 2. Peer PIM systems in different administrative domains. CONFIGURATION mode ip msdp peer connect-source R3_E600(conf)#ip multicast-msdp R3_E600(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group. R3_E600#show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
CONFIGURATION mode clear ip msdp sa-cache [group-address | local | rejected-sa] Enabling the Rejected Source-Active Cache To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error. ● Cache rejected sources.
Figure 73.
Figure 74.
Figure 75.
Figure 76. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. ● Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check. Dell(conf)#ip msdp peer 10.0.50.
Dell#ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 3 rejected SAs received, cache-size 32766 UpTime GroupAddr SourceAddr RPAddr 00:33:18 229.0.50.64 24.0.50.64 200.0.1.50 00:33:18 229.0.50.65 24.0.50.65 200.0.1.50 00:33:18 229.0.50.66 24.0.50.66 200.0.1.50 LearnedFrom 10.0.50.2 10.0.50.2 10.0.50.2 Reason Rpf-Fail Rpf-Fail Rpf-Fail Limiting the Source-Active Messages from a Peer To limit the source-active messages from a peer, use the following commands. 1.
Preventing MSDP from Caching a Remote Source To prevent MSDP from caching a remote source, use the following commands. 1. OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache. CONFIGURATION mode ip msdp cache-rejected-sa 2. Prevent the system from caching remote sources learned from a specific peer based on source and group. CONFIGURATION mode ip msdp sa-filter list out peer list ext-acl As shown in the following example, R1 is advertising source 10.11.4.2.
R1_E600(conf)#do show ip msdp sa-cache MSDP Source-Active Cache - 1 entries GroupAddr SourceAddr RPAddr LearnedFrom 239.0.0.1 10.11.4.2 192.168.0.1 local R3_E600(conf)#do show ip msdp sa-cache MSDP Source-Active Cache - 1 entries GroupAddr SourceAddr RPAddr LearnedFrom 239.0.0.1 10.11.4.2 192.168.0.1 192.168.0.
Clearing Peer Statistics To clear the peer statistics, use the following command. ● Reset the TCP connection to the peer and clear all peer statistics. CONFIGURATION mode clear ip msdp peer peer-address R3_E600(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
● lack of scalable register decasulation: With only a single RP per group, all joins are sent to that RP regardless of the topological distance between the RP, sources, and receivers, and data is transmitted to the RP until the SPT switch threshold is reached. ● slow convergence when an active RP fails: When you configure multiple RPs, there can be considerable convergence delay involved in switching to the backup RP.
3. In each routing domain that has multiple RPs serving a group, create another Loopback interface on each RP serving the group with a unique IP address. CONFIGURATION mode interface loopback 4. Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source. CONFIGURATION mode ip msdp peer 5. Advertise the network of each of the unique Loopback addresses throughout the network.
router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 10.11.3.0/24 area 0 network 192.168.0.11/32 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 1 ip msdp peer 192.168.0.22 connect-source Loopback 1 ip msdp mesh-group AS100 192.168.0.22 ip msdp originator-id Loopback 1! ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4 The following example shows an R2 configuration for MSDP with Anycast RP.
ip address 10.11.0.32/24 no shutdown interface TenGigabitEthernet 3/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.3/32 area 0 redistribute static redistribute connected redistribute bgp 200 ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.22 remote-as 100 neighbor 192.168.0.22 ebgp-multihop 255 neighbor 192.168.0.
! ip route 192.168.0.1/32 10.11.0.23 ip route 192.168.0.22/32 10.11.0.23 ! ip pim rp-address 192.168.0.3 group-address 224.0.0.0/4 MSDP Sample Configurations The following examples show the running-configurations described in this chapter. For more information, refer to the illustrations in the Related Configuration Tasks section. MSDP Sample Configuration: R1 Running-Config ip multicast-routing ! interface TenGigabitEthernet 1/1 ip pim sparse-mode ip address 10.11.3.
router ospf 1 network 10.11.1.0/24 area 0 network 10.11.4.0/24 area 0 network 192.168.0.2/32 area 0 redistribute static redistribute connected redistribute bgp 100 ! router bgp 100 redistribute ospf 1 neighbor 192.168.0.3 remote-as 200 neighbor 192.168.0.3 ebgp-multihop 255 neighbor 192.168.0.3 update-source Loopback 0 neighbor 192.168.0.3 no shutdown ! ip route 192.168.0.3/32 10.11.0.32 ! ip pim rp-address 192.168.0.1 group-address 224.0.0.
ip address 10.10.42.1/24 no shutdown ! interface TenGigabitEthernet 4/31 ip pim sparse-mode ip address 10.11.6.43/24 no shutdown ! interface Loopback 0 ip address 192.168.0.4/32 no shutdown ! router ospf 1 network 10.11.5.0/24 area 0 network 10.11.6.0/24 area 0 network 192.168.0.4/32 area 0 ! ip pim rp-address 192.168.0.3 group-address 224.0.0.
28 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) is supported on Dell Networking OS. Protocol Overview MSTP — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.
• • • • Configuring an EdgePort Flush MAC Addresses after a Topology Change MSTP Sample Configurations Debugging and Verifying MSTP Configurations Spanning Tree Variations The Dell Networking OS supports four variations of spanning tree, as shown in the following table. Table 33. Spanning Tree Variations Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .
Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0. ● Within an MSTI, only one path from any bridge to any other bridge is enabled. ● Bridges block a redundant path by disabling one of the link ports. 1. Enter PROTOCOL MSTP mode. CONFIGURATION mode protocol spanning-tree mstp 2. Enable MSTP.
All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode. Dell(conf-mstp)#name my-mstp-region Dell(conf-mstp)#exit Dell(conf)#do show spanning-tree mst config MST region name: my-mstp-region Revision: 0 MSTI VID 1 100 2 200-300 To view the forwarding/discarding state of the ports participating in an MSTI, use the show spanning-tree msti command from EXEC Privilege mode.
R3(conf-mstp)#show config ! protocol spanning-tree mstp no disable MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 MSTI 2 bridge-priority 0 Interoperate with Non-Dell Networking OS Bridges Dell Networking OS supports only one MSTP region. A ● ● ● region is a combination of three unique qualities: Name is a mnemonic string you assign to the region. The default region name on Dell Networking OS is null. Revision is a 2-byte number. The default revision number on Dell Networking OS is 0.
NOTE: Dell Networking recommends that only experienced network administrators change MSTP parameters. Poorly planned modification of MSTP parameters can negatively affect network performance. To change the MSTP parameters, use the following commands on the root bridge. 1. Change the forward-delay parameter. PROTOCOL MSTP mode forward-delay seconds The range is from 4 to 30. The default is 15 seconds. 2. Change the hello-time parameter.
Table 34. Default Values for Port Costs by Interface Port Cost Default Value 100-Mb/s Ethernet interfaces 200000 1-Gigabit Ethernet interfaces 20000 10-Gigabit Ethernet interfaces 2000 Port Channel with 100 Mb/s Ethernet interfaces 180000 Port Channel with 1-Gigabit Ethernet interfaces 18000 Port Channel with 10-Gigabit Ethernet interfaces 1800 To change the port cost or priority of an interface, use the following commands. 1. Change the port cost of an interface.
■ ■ Disable spanning tree on the interface (using the no spanning-tree command in INTERFACE mode). Disabling global spanning tree (using the no spanning-tree command in CONFIGURATION mode). To verify that EdgePort is enabled, use the show config command from INTERFACE mode.
2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 2/11,31 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 2/11,31 no shutdown Router 3 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
spanning-tree spanning-tree spanning-tree spanning-tree spanning-tree MSTi MSTi MSTi MSTi MSTi instance 1 vlan 1 100 instance 2 vlan 2 200 vlan 2 300 (Step 2) interface 1/0/31 no shutdown spanning-tree port mode enable switchport protected 0 exit interface 1/0/32 no shutdown spanning-tree port mode enable switchport protected 0 exit (Step 3) interface vlan 100 tagged 1/0/31 tagged 1/0/32 exit interface vlan 200 tagged 1/0/31 tagged 1/0/32 exit interface vlan 300 tagged 1/0/31 tagged 1/0/32 exit Debuggin
○ Are there “extra” MSTP instances in the Sending or Received logs? This may mean that an additional MSTP instance was configured on one router but not the others. The following example shows the show run spanning-tree mstp command. Dell#show run spanning-tree mstp ! protocol spanning-tree mstp name Tahiti revision 123 MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 The following example shows viewing the debug log of a successful MSTP configuration.
29 Multicast Features Multicast features are supported on Dell Networking OS. NOTE: Multicast is supported on secondary IP addresses on the platform. NOTE: Multicast routing for IPv6 is not supported. NOTE: Multicast routing is supported across default and non-default VRFs.
Figure 80. Multicast with ECMP Implementation Information Because protocol control traffic in Dell Networking OS is redirected using the MAC address, and multicast control traffic and multicast data traffic might map to the same MAC address, Dell Networking OS might forward data traffic with certain MAC addresses to the CPU in addition to control traffic. As the upper5 bits of an IP Multicast address are dropped in the translation, 32 different multicast group IDs all map to the same Ethernet address.
First Packet Forwarding for Lossless Multicast All initial multicast packets are forwarded to receivers to achieve lossless multicast. In previous versions, when the Dell Networking system is an RP, all initial packets are dropped until PIM creates an (S,G) entry. When the system is an RP and a Source DR, these initial packet drops represent a loss of native data, and when the system is an RP only, the initial packets drops represent a loss of register packets.
ip multicast-limit The range if from 1 to 16000. The default is 4000. NOTE: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit may supersede by this hardware space limitation. The opposite is also true, the CAM partition might not be exhausted at the time the system-wide route limit the ip multicast-limit command sets is reached.
Figure 81. Preventing a Host from Joining a Group Table 35. Preventing a Host from Joining a Group — Description Location Description 1/21 ● ● ● ● Interface TenGigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 ● ● ● ● Interface TenGigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.1/24 no shutdown 2/1 ● ● ● ● Interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.
Table 35. Preventing a Host from Joining a Group — Description (continued) Location Description ● ip address 10.11.12.2/24 ● no shutdown 2/31 ● ● ● ● Interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 ● ● ● ● Interface TenGigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.1/24 no shutdown 3/11 ● ● ● ● Interface TenGigabitEthernet 3/11 ip pim sparse-mode ip address 10.11.13.
Preventing a Source from Registering with the RP To prevent the PIM source DR from sending register packets to RP for the specified multicast source and group, use the following command. If the source DR never sends register packets to the RP, no hosts can ever discover the source and create a shortest path tree (SPT) to it. ● Prevent a source from transmitting to a particular group.
Table 36. Preventing a Source from Transmitting to a Group — Description (continued) Location Description ● no shutdown 1/31 ● ● ● ● Interface TenGigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.1/24 no shutdown 2/1 ● ● ● ● Interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 ● ● ● ● Interface TenGigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.
Excessive traffic is generated when the join process from the RP back to the source is blocked due to a new source group being permitted in the join-filter. This results in the new source becoming stuck in registering on the DR and the continuous generation of UDP-encapsulated registration messages between the DR and RP routers which are being sent to the CPU. ● Prevent the PIM SM router from creating state based on multicast source and/ or group.
30 Object Tracking IPv4/IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking Operating System (OS) client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 83. Object Tracking Example When you configure a tracked object, such as an IPv4/IPv6 a route or interface, you specify an object number to identify the object. Optionally, you can also specify: ● UP and DOWN thresholds used to report changes in a route metric. ● A time delay before changes in a tracked object’s state are reported to a client. Track Layer 2 Interfaces You can create an object to track the line-protocol state of a Layer 2 interface.
Track IPv4 and IPv6 Routes You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4/IPv6 address and prefix-length, and optionally, by a virtual routing and forwarding (VRF) instance name if the route to be tracked is part of a VRF. The next-hop address is not part of the definition of the tracked object. A tracked route matches a route in the routing table only if the exact address and prefix length match an entry in the routing table.
Set Tracking Delays You can configure an optional UP and/or DOWN timer for each tracked object to set the time delay before a change in the state of a tracked object is communicated to clients. The configured time delay starts when the state changes from UP to DOWN or vice-versa. If the state of an object changes back to its former UP/DOWN state before the timer expires, the timer is cancelled and the client is not notified.
track object-id interface interface line-protocol Valid object IDs are from 1 to 65535. 2. (Optional) Configure the time delay used before communicating a change in the status of a tracked interface. OBJECT TRACKING mode delay {[up seconds] [down seconds]} Valid delay times are from 0 to 180 seconds. The default is 0. 3. (Optional) Identify the tracked object with a text description. OBJECT TRACKING mode description text The text string can be up to 80 characters. 4.
Valid delay times are from 0 to 180 seconds. The default is 0. 3. (Optional) Identify the tracked object with a text description. OBJECT TRACKING mode description text The text string can be up to 80 characters. 4. (Optional) Display the tracking configuration and the tracked object’s status.
○ If the scaled metric for a route entry is less than or equal to the UP threshold, the state of a route is UP. ○ If the scaled metric for a route is greater than or equal to the DOWN threshold or the route is not entered in the routing table, the state of a route is DOWN. The UP and DOWN thresholds are user-configurable for each tracked route. The default UP threshold is 254; the default DOWN threshold is 255.
Dell(conf)#track 4 ip route 3.1.1.
7. Dell(conf)#track 6 ip route 2.1.1.0/24 metric threshold Dell(conf-track-6)#delay down 20 Dell(conf-track-6)#delay up 20 Dell(conf-track-6)#description track ip route metric Dell(conf-track-6)#threshold metric down 40 Dell(conf-track-6)#threshold metric up 40 Dell(conf-track-6)#exit Dell(conf)#track 10 ip route 3.1.1.
ResId State 1 Resource LastChange IP route reachability Parameter 10.16.0.0/16 Dell#show track resolution IP Route Resolution ISIS 1 OSPF 1 IPv6 Route Resolution ISIS 1 Dell#show track vrf red Track 5 IP route 192.168.0.0/24 reachability, Vrf: red Reachability is Up (CONNECTED) 3 changes, last change 00:02:39 First-hop interface is GigabitEthernet 13/4 Dell#show running-config track track 1 ip route 23.0.0.
31 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 84. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a non-backbone area and function as if they were direct links.
Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
● Type 3: Summary LSA (OSPFv2), Inter-Area-Prefix LSA (OSPFv3) — An ABR takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to. The link-state ID of the Type 3 LSA is the destination network number. ● Type 4: AS Border Router Summary LSA (OSPFv2), Inter-Area-Router LSA (OSPFv3) — In some cases, Type 5 External LSAs are flooded to areas where the detailed next-hop information may not be available.
Figure 86. Priority and Cost Examples OSPF with Dell Networking OS Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within that 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. Dell Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell Networking OS supports only one OSPFv3 process per VRF.
Graceful Restart Graceful restart for OSPFv2 and OSPFv3 are supported on the Z-Series platform in Helper mode only. When a router goes down without a graceful restart, there is a possibility for loss of access to parts of the network due to ongoing network topology changes. Additionally, LSA flooding and reconvergence can cause substantial delays. It is, therefore, desirable that the network maintains a stable topology if it is possible for data flow to continue uninterrupted.
NOTE: The faster the convergence, the more frequent the route calculations and updates. This impacts CPU utilization and may impact adjacency stability in larger topologies. Multi-Process OSPFv2 (IPv4 only) Multi-process OSPF is supported on the Z9000 platform with Dell Networking OS version 7.8.1.0 and later, and is supported on OSPFv2 with IPv4 only. Multi-process OSPF allows multiple OSPFv2 processes on a single router.
Rcv. v:2 t:4(LSUpd) l:100 rid:6.1.0.0 aid:0 chk:0xccbd aut:0 auk: keyid:0 from:Gi 10/21 Number of LSA:2 LSType:Type-5 AS External(5) Age:1 Seq:0x8000000c id:170.1.1.0 Adv:6.1.0.0 Netmask:255.255.255.0 fwd:0.0.0.0 E2, tos:0 metric:0 LSType:Type-5 AS External(5) Age:1 Seq:0x8000000c id:170.1.2.0 Adv:6.1.0.0 Netmask:255.255.255.0 fwd:0.0.0.0 E2, tos:0 metric:0 To confirm that you enabled RFC-2328–compliant OSPF flooding, use the show ip ospf command. Dell#show ip ospf Routing Process ospf 1 with ID 2.2.2.
Configuration Information The interfaces must be in Layer-3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode. NOTE: Loop back routes are not installed in the Route Table Manager (RTM) as non-active routes.
CONFIGURATION mode router ospf process-id [vrf {vrf name}] ● vrf name: enter the keyword VRF and the instance name to tie the OSPF instance to the VRF. All network commands under this OSPF instance are later tied to the VRF instance. The range is from 0 to 65535. The OSPF process ID is the identifying number assigned to the OSPF process. The router ID is the IP address associated with the OSPF process.
CONFIG-INTERFACE mode no shutdown 3. Return to CONFIGURATION mode to enable the OSPFv2 process globally. CONFIGURATION mode router ospf process-id [vrf] The range is from 0 to 65535. After the OSPF process and the VRF are tied together, the OSPF process ID cannot be used again in the system. If you try to enable more OSPF processes than available Layer 3 interfaces, the following message displays: C300(conf)#router ospf 1 % Error: No router ID available.
Dell(conf-router_ospf-1)#network 20.20.20.20/24 area 2 Dell(conf-router_ospf-1)# Dell# Dell Networking recommends using the interface IP addresses for the OSPFv2 router ID for easier management and troubleshooting. To view the configuration, use the show config command in CONFIGURATION ROUTER OSPF mode. OSPF, by default, sends hello packets out to all physical interfaces assigned an IP address that is a subset of a network on which OSPF is enabled.
To ensure connectivity in your OSPFv2 network, never configure the backbone area as a stub area. To configure a stub area, use the following commands. 1. Review all areas after they were configured to determine which areas are NOT receiving type 5 LSAs. EXEC Privilege mode show ip ospf process-id [vrf] database database-summary 2. Enter CONFIGURATION mode. EXEC Privilege mode configure 3. Enter ROUTER OSPF mode.
When you configure a passive interface, the show ip ospf process-id interface command adds the words passive interface to indicate that the hello packets are not transmitted on that interface (shown in bold). Dell#show ip ospf 34 int TenGigabitEthernet 1/1 is up, line protocol is down Internet Address 10.1.2.100/24, Area 1.1.1.1 Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State DOWN, Priority 1 Designated Router (ID) 10.1.2.100, Interface address 0.0.0.
The following examples shows how to disable fast-convergence. Dell#(conf-router_ospf-1)#no fast-converge Dell#(conf-router_ospf-1)#ex Dell#(conf)#ex Dell##show ip ospf 1 Routing Process ospf 1 with ID 192.168.67.
○ seconds: the range is from 1 to 65535 (the default is 5 seconds). The retransmit interval must be the same on all routers in the OSPF network. ● Change the wait period between link state update packets sent out the interface. CONFIG-INTERFACE mode ip ospf transmit-delay seconds ○ seconds: the range is from 1 to 65535 (the default is 1 second). The transmit delay must be the same on all routers in the OSPF network.
Enabling OSPFv2 Graceful Restart Graceful restart is enabled for the global OSPF process. For more information, refer to Graceful Restart. The Dell Networking implementation of OSPFv2 graceful restart enables you to specify: ● grace period — the length of time the graceful restart process can last before OSPF terminates it. ● helper-reject neighbors — the router ID of each restart router that does not receive assistance from the configured router.
graceful-restart helper-reject 10.1.1.1 graceful-restart helper-reject 20.1.1.1 network 10.0.2.0/24 area 0 Dell# Creating Filter Routes To filter routes, use prefix lists. OSPF applies prefix lists to incoming or outgoing routes. Incoming routes must meet the conditions of the prefix lists. If they do not, OSPF does not add the route to the routing table. Configure the prefix list in CONFIGURATION PREFIX LIST mode prior to assigning it to the OSPF process.
To view the current OSPF configuration, use the show running-config ospf command in EXEC mode or the show config command in ROUTER OSPF mode. Dell(conf-router_ospf)#show config ! router ospf 34 network 10.1.2.32 0.0.0.255 area 2.2.2.2 network 10.1.3.24 0.0.0.255 area 3.3.3.3 distribute-list dilling in Dell(conf-router_ospf)# Troubleshooting OSPFv2 Dell Networking OS has several tools to make troubleshooting easier.
To ○ ○ ○ ○ view debug messages for a specific operation, enter one of the optional keywords: event: view OSPF event messages. packet: view OSPF packet information. spf: view SPF information. database-timers rate-limit: view the LSAs currently in the queue. Dell#show run ospf ! router ospf 3 ! router ospf 4 router-id 4.4.4.4 network 4.4.4.0/28 area 1 ! router ospf 5 ! router ospf 6 ! router ospf 7 mib-binding ! router ospf 8 ! router ospf 90 area 2 virtual-link 4.4.4.4 area 2 virtual-link 90.90.90.
Figure 87. Basic Topology and CLI Commands for OSPFv2 OSPF Area 0 — Te 1/1 and 1/2 router ospf 11111 network 10.0.11.0/24 area 0 network 10.0.12.0/24 area 0 network 192.168.100.0/24 area 0 ! interface TenGigabitEthernet 1/1 ip address 10.1.11.1/24 no shutdown ! interface TenGigabitEthernet 1/2 ip address 10.2.12.2/24 no shutdown ! interface Loopback 10 ip address 192.168.100.100/24 no shutdown OSPF Area 0 — Te 3/1 and 3/2 router ospf 33333 network 192.168.100.0/24 area 0 network 10.0.13.
OSPF Area 0 — Te 2/1 and 2/2 router ospf 22222 network 192.168.100.0/24 area 0 network 10.2.21.0/24 area 0 network 10.2.22.0/24 area 0 ! interface Loopback 20 ip address 192.168.100.20/24 no shutdown ! interface TenGigabitEthernet 2/1 ip address 10.2.21.2/24 no shutdown ! interface TenGigabitEthernet 2/2 ip address 10.2.22.
CONF-INT-type slot/port mode no shutdown Assigning Area ID on an Interface To assign the OSPFv3 process to an interface, use the following command. The ipv6 ospf area command enables OSPFv3 on an interface and places the interface in the specified area. Additionally, the command creates the OSPFv3 process with ID on the router. OSPFv2 requires two commands to accomplish the same tasks — the router ospf command to create the OSPF process, then the network area command to enable OSPFv2 on an interface.
Configuring Passive-Interface To suppress the interface’s participation on an OSPFv3 interface, use the following command. This command stops the router from sending updates on that interface. ● Specify whether some or all some of the interfaces are passive. CONF-IPV6-ROUTER-OSPF mode passive-interface {interface slot/port} Interface: identifies the specific interface that is passive. ○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
Enabling OSPFv3 Graceful Restart For more information about graceful restart, refer to Graceful Restart. By default, OSPFv3 graceful restart is disabled and functions only in a helper role to help restarting neighbor routers in their graceful restarts when it receives a Grace LSA. To enable OSPFv3 graceful restart, enter the ipv6 router ospf process-id command to enter OSPFv3 configuration mode. Then configure a grace period using the graceful-restart grace-period command.
The following example shows the show run ospf command. Dell#show run ospf ! router ospf 1 router-id 200.1.1.1 log-adjacency-changes graceful-restart grace-period 180 network 20.1.1.0/24 area 0 network 30.1.1.0/24 area 0 ! ipv6 router ospf 1 log-adjacency-changes graceful-restart grace-period 180 The following example shows the show ipv6 ospf database database-summary command. Dell#show ipv6 ospf database database-summary ! OSPFv3 Router with ID (200.1.1.
IPsec is a set of protocols developed by the internet engineering task force (IETF) to support secure exchange of packets at the IP layer. IPsec supports two encryption modes: transport and tunnel. ● Transport mode — encrypts only the data portion (payload) of each packet, but leaves the header untouched. ● Tunnel mode — is more secure and encrypts both the header and payload. On the receiving side, an IPsec-compliant device decrypts each packet.
security policy at an interface or area level, specify 7 for [key-encryption-type] when you enter the ipv6 ospf authentication ipsec or ipv6 ospf encryption ipsec command.
ipv6 ospf encryption {null | ipsec spi number esp encryption-algorithm [key-encryptiontype] key authentication-algorithm [key-authentication-type] key} ○ null: causes an encryption policy configured for the area to not be inherited on the interface. ○ ipsec spi number: is the security policy index (SPI) value. The range is from 256 to 4294967295. ○ esp encryption-algorithm: specifies the encryption algorithm used with ESP. The valid values are 3DES, DES, AES-CBC, and NULL.
show crypto ipsec policy Configuring IPsec Encryption for an OSPFv3 Area To configure, remove, or display IPsec encryption in an OSPFv3 area, use the following commands. Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)). The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router.
To display information on the SAs used on a specific interface, enter interface interface, where interface is one of the following values: ○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. ○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. ○ For a port channel interface, enter the keywords port-channel then a number. ○ For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
in use settings : {Transport, } replay detection support : N STATUS : ACTIVE inbound esp sas outbound esp sas Interface: TenGigabitEthernet 1/2 Link Local address: fe80::201:e8ff:fe40:4d11 IPSecv6 policy name: OSPFv3-1-600 inbound ah sas outbound ah sas inbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE outbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detec
show ipv6 ospf database ● View the configuration of OSPFv3 neighbors. EXEC Privilege mode show ipv6 ospf neighbor ● View debug messages for all OSPFv3 interfaces. EXEC Privilege mode debug ipv6 ospf [event | packet] {type slot/port} ○ ○ ○ ○ 494 For For For For a a a a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
32 Policy-based Routing (PBR) Policy-based Routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
To enable a PBR, you create a redirect list. Redirect lists are defined by rules, or routing policies.
Implementing Policy-based Routing with Dell Networking OS ● Non-contiguous bitmasks for PBR ● Hot-Lock PBR Non-contiguous bitmasks for PBR Non-contiguous bitmasks for PBR allows more granular and flexible control over routing policies. Network addresses that are in the middle of a subnet can be included or excluded. Specific bitmasks can be entered using the dotted decimal format. Non-contiguous bitmask example Dell#show ip redirect-list IP redirect-list rcl0: Defined as: seq 5 permit ip 200.200.200.
seq {number} redirect {ip-address | tunnel tunnel-id} [track }{ipprotocol-number | protocol-type [bit]} {source mask | any | host ip-address} {destination mask | any | host ip-address} CONF-REDIRECT-LIST Configure a rule for the redirect list. number is the number in sequence to initiate this ru ip-address is the Forwarding router’s address tunnel is used to configure the tunnel settings. tunnel-id is used to redirect the traffic. track is used to track the object-id.
Multiple rules can be applied to a single redirect-list. The rules are applied in ascending order, starting with the rule that has the lowest sequence number in a redirect-list displays the correct method for applying multiple rules to one list.
FORMAT: up to 16 characters Delete the redirect list from this interface with the [no] ip redirect-gr In this example, the list “xyz” is applied to the tenGigabitEthernet 2/1 interface.
seq 45 redirect 31.1.1.2 track 200 ip 12.0.0.0 255.0.0.197 13.0.0.0 255.0.0.197, 200 [up], Next-hop reachable (via Te 1/32) , 200 [up], Next-hop reachable (via Vl 20) , 200 [up], Next-hop reachable (via Po 5) , 200 [up], Next-hop reachable (via Po 7) , 200 [up], Next-hop reachable (via Te 2/18) , 200 [up], Next-hop reachable (via Te 2/19) Track Track Track Track Track Track Use the show ip redirect-list (without the list name) to display all the redirect-lists configured on the device.
Create the Redirect-List GOLD EDGE_ROUTER(conf-if-Te-2/23)#ip redirect-list GOLD EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD. EDGE_ROUTER(conf-redirect-list)#direct 10.99.99.254 ip 192.168.1.0/24 any EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any EDGE_ROUTER(conf-redirect-list)# seq 15 permit ip any any EDGE_ROUTER(conf-redirect-list)#show config ! ip redirect-list GOLD description Route GOLD traffic to ISP_GOLD. seq 5 redirect 10.99.99.254 ip 192.
View Redirect-List GOLD EDGE_ROUTER#show ip redirect-list IP redirect-list GOLD: Defined as: seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23) seq 10 redirect 10.99.99.254 ip 192.168.2.
Applied interfaces: Te 2/28 Dell# Configuration Tasks for Creating a PBR list using Explicit Track Objects for Tunnel Interfaces Creating steps for Tunnel Interfaces: Dell#configure terminal Dell(conf)#interface tunnel 1 Dell(conf-if-tu-1)#tunnel destination 40.1.1.2 Dell(conf-if-tu-1)#tunnel source 40.1.1.1 Dell(conf-if-tu-1)#tunnel mode ipip Dell(conf-if-tu-1)#tunnel keepalive 60.1.1.2 Dell(conf-if-tu-1)#ip address 60.1.1.
Verify the Applied Redirect Rules: Dell#show ip redirect-list explicit_tunnel IP redirect-list explicit_tunnel: Defined as: seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.0/24, Track 1 [up], Nexthop reachable (via Te 1/32) seq 10 redirect tunnel 1 track 1 tcp any any, Track 1 [up], Next-hop reachable (via Te 1/32) seq 15 redirect tunnel 1 track 1 udp 155.55.0.0/16 host 144.144.144.144, Track 1 [up], Next-hop reachable (via Te 1/32) seq 20 redirect tunnel 2 track 2 tcp 155.55.2.0/24 222.22.2.
33 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is supported on Dell Networking OS. PIM-SM is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop.
3. If a host on the same subnet as another multicast receiver sends an IGMP report for the same multicast group, the gateway takes no action. If a router between the host and the RP receives a PIM Join message for which it already has a (*,G) entry, the interface on which the message was received is added to the outgoing interface list associated with the (*,G) entry, and the message is not (and does not need to be) forwarded towards the RP.
Related Configuration Tasks The following are related PIM-SM configuration tasks. ● ● ● ● Configuring S,G Expiry Timers Configuring a Static Rendezvous Point Configuring a Designated Router Creating Multicast Boundaries and Domains Enable PIM-SM You must enable PIM-SM on each participating interface. 1. Enable multicast routing on the system. CONFIGURATION mode ip multicast-routing 2. Enable PIM-Sparse mode.
TenGigabitEthernet 2/13 --More-- Configuring S,G Expiry Timers By default, S, G entries expire in 210 seconds. You can configure a global expiry time (for all [S,G] entries) or configure an expiry time for a particular entry. If you configure both, the ACL supersedes the global configuration for the specified entries. When you create, delete, or update an expiry time, the changes are applied when the keep alive timer refreshes.
Dell#sh run pim ! ip pim rp-address 1.1.1.1 group-address 224.0.0.0/4 Overriding Bootstrap Router Updates PIM-SM routers must know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group.
● Create multicast boundaries and domains by filtering inbound and outbound BSR messages per interface. ip pim bsr-border ● Remove candidate RP advertisements. clear ip pim rp-mapping Enabling PIM-SM Graceful Restart To enable PIM-SM graceful restart, use the following commands. ● Enable PIM-SM graceful restart (non-stop forwarding capability). CONFIGURATION mode ip pim graceful-restart nsf ○ (option) restart-time: the time the Dell Networking system requires to restart. The default value is 180 seconds.
34 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is supported on Dell Networking OS. PIM-SSM is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Related Configuration Tasks ● Use PIM-SSM with IGMP Version 2 Hosts Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1. Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2. Enter the ip pim ssm-range command and specify the ACL you created. CONFIGURATION mode ip pim ssm-range acl-name To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.
Configuring PIM-SSM with IGMPv2 R1(conf)#do show run pim ! ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4 ip pim ssm-range ssm R1(conf)#do show run acl ! ip access-list standard map seq 5 permit host 239.0.0.2 ! ip access-list standard ssm seq 5 permit host 239.0.0.2 R1(conf)#ip igmp ssm-map map 10.11.5.2 R1(conf)#do show ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Mode Uptime Expires 239.0.0.
Group Address Interface Mode Uptime 239.0.0.2 Vlan 300 IGMPv2-Compat 00:00:36 Member Ports: Te 1/1/1 R1(conf)#do show ip igmp ssm-map 239.0.0.2 SSM Map Information Group : 239.0.0.2 Source(s) : 10.11.5.2 R1(conf)#do show ip igmp groups detail Interface Group Uptime Expires Router mode Last reporter Last reporter mode Last report Group source Source address 10.11.5.2 00:00:01 Expires Never Last Reporter 10.11.3.2 Vlan 300 239.0.0.2 00:00:01 Never IGMPv2-Compat 10.11.3.
35 Port Monitoring Port monitoring is supported on Dell Networking OS. Mirroring is used for monitoring Ingress or Egress or both Ingress and Egress traffic on a specific port(s). This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
The maximum number of destination ports that can be supported is 4 per port pipe. In the following examples, ports 1/13, 1/14, 1/15, and 1/16 all belong to the same port-pipe. They are pointing to four different destinations (1/1, 1/2, 1/3, and 1/37). Now it is not possible for another source port from the same port-pipe (for example, 1/17) to point to another new destination (for example, 1/4).
Figure 88. Port Monitoring Configurations on the S-Series Dell Networking OS Behavior: All monitored frames are tagged if the configured monitoring direction is egress (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs. If the MD port is a Layer 3 port, the frames are tagged with VLAN ID 4095.
------ -----0 Te 1/1 0 Po 10 ----------Te 1/2 Te 1/2 --rx rx ---- --------Port N/A Port N/A Dell(conf)#monitor session 1 Dell(conf-mon-sess-1)#source vl 40 dest ten 1/3 dir rx Dell(conf-mon-sess-1)#flow-based enable Dell(conf-mon-sess-1)#exit Dell(conf)#do show monitor session SessID Source Destination Dir Mode Source IP ------ ------------------ ---- --------0 Te 1/1 Te 1/2 rx Port N/A 0 Po 10 Te 1/2 rx Port N/A 1 Vl 40 Te 1/3 rx Flow N/A -------N/A N/A Dest IP -------N/A N/A N/A Note: Source as VLA
ip access-list Refer to Access Control Lists (ACLs). 3. Apply the ACL to the monitored port. INTERFACE mode ip access-group access-list To view an access-list that you applied to an interface, use the show ip accounting access-list command from EXEC Privilege mode. Dell(conf)#monitor session 0 Dell(conf-mon-sess-0)#flow-based enable Dell(conf)#ip access-list ext testflow Dell(config-ext-nacl)#seq 5 permit icmp any any count bytes monitor Dell(config-ext-nacl)#seq 10 permit ip 102.1.1.
The reserved VLANs transport the mirrored traffic in sessions (blue pipes) to the destination analyzers in the local network. Two destination sessions are shown: one for the reserved VLAN that transports orange-circle traffic; one for the reserved VLAN that transports green-circle traffic.
● To associate with destination session, the reserved VLAN can have multiple member ports. ● Reserved Vlan cannot have untagged ports In the reserved L2 VLAN used for remote port mirroring: ● MAC address learning in the reserved VLAN is automatically disabled. ● The reserved VLAN for remote port mirroring can be automatically configured in intermediate switches by using GVRP. ● There is no restriction on the VLAN IDs used for the reserved remote-mirroring VLAN. Valid VLAN IDs are from 2 to 4094.
To display the currently configured source and destination sessions for remote port mirroring on a switch, enter the show monitor session command in EXEC Privilege mode.
Dell(conf-mon-sess-1)#no disable Dell(conf-mon-sess-1)#exit Dell(conf)#inte vlan 100 Dell(conf-if-vl-100)#tagged te 1/7 Dell(conf-if-vl-100)#exit Dell(conf)#interface vlan 20 Dell(conf-if-vl-20)#mode remote-port-mirroring Dell(conf-if-vl-20)#tagged te 1/6 Dell(conf-if-vl-20)#exit Dell(conf)#monitor session 2 type rpm Dell(conf-mon-sess-2)#source vlan 100 destination remote-vlan 20 dir rx Dell(conf-mon-sess-2)#no disable Dell(conf-mon-sess-2)#flow-based enable Dell(conf-mon-sess-2)#exit Dell(conf)#mac access
Dell(conf)#inte vlan 10 Dell(conf-if-vl-10)#mode remote-port-mirroring Dell(conf-if-vl-10)#tagged te 1/1 Dell(conf-if-vl-10)#exit Dell(conf)#inte vlan 20 Dell(conf-if-vl-20)#mode remote-port-mirroring Dell(conf-if-vl-20)#tagged te 1/2 Dell(conf-if-vl-20)#exit Dell(conf)#interface vlan 30 Dell(conf-if-vl-30)#mode remote-port-mirroring Dell(conf-if-vl-30)#tagged te 1/3 Dell(conf-if-vl-30)#exit Dell(conf)#monitor session 1 type rpm Dell(conf-mon-sess-1)#source remote-vlan 10 dest te 1/4 Dell(conf-mon-sess-1)#e
5. Show the output for the LACP. Dell#show interfaces port-channel brief Codes: L - LACP Port-channel O - OpenFlow Controller Port-channel LAG L1 L2 Dell# Mode L3 L2 Status up up Uptime 00:01:17 00:00:58 Ports Te 1/4 Te 1/5 (Up) (Up) Configuring the Encapsulated Remote Port Mirroring The ERPM session copies traffic from the source ports/lags or source VLANs and forwards the traffic using routable GREencapsulated packets to the destination ip address specified in the session.
3 source Interface | Range Specify the port or list of ports that needs to be monitored 4 direction Specify rx, tx or both in case to monitor ingress/ egress or both ingress and egress packets on the specified port.. 5 erpm source-ip dest-ip Specify the source ip address and the destination ip where the packet needs to be sent. 6 flow-based enable Specify flow-based enable for mirroring on a flow by flow basis and also for vlan as source.
ERPM Behavior on a typical Dell Networking OS The Dell Networking OS is designed to support only the Encapsulation of the data received / transmitted at the specified source port (Port A). An ERPM destination session / decapsulation of the ERPM packets at the destination Switch are not supported. As seen in the above figure, the packets received/transmitted on Port A will be encapsulated with an IP/GRE header plus a new L2 header and sent to the destination ip address (Port D’s ip address) on the sniffer.
○ Download/ Write a small script (for example: erpm.py) such that it will strip the given ERPM packet starting from the bit where GRE header ends. Basically all the bits after 0x88BE need to be removed from the packet and sent out through another interface. ○ This script erpm.zip is available for download at the following location: http://en.community.dell.com/techcenter/ networking/m/force10_networking_scripts/20438882.aspx ○ Unzip the erpm.zip and copy the erpm.py file to the Linux server.
36 Private VLANs (PVLAN) The private VLAN (PVLAN) feature is supported on Dell Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell Networking OS Command Line Reference Guide. Private VLANs extend the Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
● Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports. ● Host port — in the context of a private VLAN, is a port in a secondary VLAN: ○ The port must first be assigned that role in INTERFACE mode. ○ A port assigned the host role cannot be added to a regular VLAN. ● Isolated port — a port that, in Layer 2, can only communicate with promiscuous ports that are in the same PVLAN.
Configuration Task List The following sections contain the procedures that configure a private VLAN. ● ● ● ● Creating Creating Creating Creating PVLAN Ports a Primary VLAN a Community VLAN an Isolated VLAN Creating PVLAN ports PVLAN ports are ports that will be assigned to the PVLAN. 1. Access INTERFACE mode for the port that you want to assign to a PVLAN. CONFIGURATION mode interface interface 2. Enable the port. INTERFACE mode no shutdown 3. Set the port in Layer 2 mode. INTERFACE mode switchport 4.
CONFIGURATION mode interface vlan vlan-id 2. Enable the VLAN. INTERFACE VLAN mode no shutdown 3. Set the PVLAN mode of the selected VLAN to primary. INTERFACE VLAN mode private-vlan mode primary 4. Map secondary VLANs to the selected primary VLAN. INTERFACE VLAN mode private-vlan mapping secondary-vlan vlan-list The list of secondary VLANs can be: ● Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID). ● Specified with this command even before they have been created.
You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/ port-port). You can only add host (isolated) ports to the VLAN. Creating an Isolated VLAN An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN. 1. Access INTERFACE VLAN mode for the VLAN that you want to make an isolated VLAN. CONFIGURATION mode interface vlan vlan-id 2. Enable the VLAN.
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 90. Sample Private VLAN Topology The following configuration is based on the example diagram for the Z9500: ● Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. ● Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. ● Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
● The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500. ● For transmission between switches, tagged packets originating from host PVLAN ports in one secondary VLAN and destined for host PVLAN ports in the other switch travel through the promiscuous ports in the local VLAN 4000 and then through the trunk ports (1/25 in each switch). Inspecting the Private VLAN Configuration The standard methods of inspecting configurations also apply in PVLANs.
G - GVRP tagged, M - Vlan-stack NUM * 1 100 P 200 I 201 Status Inactive Inactive Inactive Inactive Description Q Ports primary VLAN in PVLAN T Te 1/19-20 isolated VLAN in VLAN 200 T Te 1/21 The following example shows viewing a private VLAN configuration.
37 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is supported on Dell Networking OS.
Figure 91. Per-VLAN Spanning Tree The Dell Networking OS supports three other variations of spanning tree, as shown in the following table. Table 37. Spanning Tree Variations Dell Networking OS Supports Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .
4. Optionally, for load balancing, select a nondefault bridge-priority for a VLAN.
Figure 92. Load Balancing with PVST+ The bridge with the bridge value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign bridges a low non-default value for bridge priority. To assign a bridge priority, use the following command. ● Assign a bridge priority.
BPDU sent 1159, received 632 The port is not in the Edge port mode Port 385 (TenGigabitEthernet 1/32) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.385 Designated root has priority 4096, address 0001.e80d.b6:d6 Designated bridge has priority 4096, address 0001.e80d.b6:d6 Designated port id is 128.
Table 38. Default Values for Port Cost (continued) Port Cost Default Value 1-Gigabit Ethernet interfaces 20000 10-Gigabit Ethernet interfaces 2000 Port Channel with 100 Mb/s Ethernet interfaces 180000 Port Channel with 1-Gigabit Ethernet interfaces 18000 Port Channel with 10-Gigabit Ethernet interfaces 1800 NOTE: The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs. Other implementations use IEEE 802.1w costs as the default costs.
● The reset linecard command does not clear the Error Disabled state of the port or the hardware Disabled state. The interface continues to be disables in the hardware. ● You can clear the Error Disabled state with any of the following methods: ○ Perform a shutdown command on the interface. ○ Disable the shutdown-on-violation command on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command).
Dell(conf-pvst)#do show spanning-tree pvst vlan 5 brief VLAN 5 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.73f7 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.73f7 We are the root of Vlan 5 Configured hello time 2, max age 20, forward delay 15 PVST+ Sample Configurations The following examples provide the running configurations for the topology shown in the previous illustration.
no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 2/12,32 no shutdown ! protocol spanning-tree pvst no disable vlan 200 bridge-priority 4096 Example of PVST+ Configuration (R3) interface TenGigabitEthernet 3/12 no ip address switchport no shutdown ! interface TenGigabitEthernet 3/22 no ip address switchport no shutdown ! interface Vlan 100 no ip address tagged TenGigabitEthernet 3/12,22 no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 3/12,22 no shutdown ! inte
38 Quality of Service (QoS) Quality of service (QoS) is supported on Dell Networking OS. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Table 39.
Table 39. Dell Networking Operating System (OS) Support for Port-Based, Policy-Based Features (continued) Feature Direction Create Output Policy Maps Egress Specify an Aggregate QoS Policy Egress Create Output Policy Maps Egress Enabling QoS Rate Adjustment Enabling Strict-Priority Queueing Weighted Random Early Detection Egress Create WRED Profiles Egress Figure 94.
• • Applying Layer 2 Match Criteria on a Layer 3 Interface Applying DSCP and VLAN Match Criteria on a Service Queue Implementation Information The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Honoring dot1p Priorities on Ingress Traffic By default, Dell Networking OS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries.
rate shape ● Apply rate shaping to a queue. QoS Policy mode rate-shape Dell#configure terminal Dell(conf)#interface tengigabitethernet 1/1 Dell(conf-if-te-1/1)#rate shape 500 50 Dell(conf-if-te-1/1)#end Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 95.
Creating a Layer 3 Class Map A Layer 3 class map differentiates ingress packets based on the DSCP value or IP precedence, and characteristics defined in an IP ACL. You can also use VLAN IDs and VRF IDs to classify the traffic using layer 3 class-maps. You may specify more than one DSCP and IP precedence value, but only one value must match to trigger a positive match for the class map. NOTE: IPv6 and IP-any class maps cannot match on ACLs or VLANs. Use step 1 or step 2 to start creating a Layer 3 class map.
Creating a Layer 2 Class Map All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command. A Layer 2 class map differentiates traffic according to 802.1p value and/or VLAN and/or characteristics defined in a MAC ACL.. Use Step 1 or Step 2 to start creating a Layer 2 class map. 1. Create a match-any class map. CONFIGURATION mode class-map match-any 2. Create a match-all class map. CONFIGURATION mode class-map match-all 3.
The following example shows incorrect traffic classifications.
● Layer 3 — QoS input policies allow you to rate police and set a DSCP or dot1p value. In addition, you can configure a drop precedence for incoming packets based on their DSCP value by using a DSCP color map. For more information, see DSCP Color Maps. ● Layer 2 — QoS input policies allow you to rate police and set a dot1p value. Output QoS policies regulate egress traffic. The regulation mechanisms for output QoS policies are bandwidth percentage, scheduler strict, rate shaping and WRED.
Configuring Policy-Based Rate Shaping To configure policy-based rate shaping, use the following command. ● Configure rate shape egress traffic. QOS-POLICY-OUT mode rate-shape Allocating Bandwidth to Queue Schedule packets for egress based on Deficit Round Robin (DRR). These strategies both offer a guaranteed data rate. The following table lists the default bandwidth weights for each queue, and their equivalent percentage which is derived by dividing the bandwidth weight by the sum of all queue weights.
Applying a Class-Map or Input QoS Policy to a Queue To apply a class-map or input QoS policy to a queue, use the following command. ● Assign an input QoS policy to a queue. POLICY-MAP-IN mode service-queue Applying an Input QoS Policy to an Input Policy Map To apply an input QoS policy to an input policy map, use the following command. ● Apply an input QoS policy to an input policy map.
Table 43. Default dot1p to Queue Mapping (continued) dot1p Queue ID 3 3 4 4 5 5 6 6 7 7 The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN. ● Enable the trust dot1p feature. POLICY-MAP-IN mode trust dot1p Mapping dot1p Values to Service Queues All traffic is by default mapped to the same queue, Queue 0.
DSCP Color Maps This section describes how to configure color maps and how to display the color map and color map configuration. This sections consists of the following topics: ● Creating a DSCP Color Map ● Displaying Color Maps ● Display Color Map Configuration Creating a DSCP Color Map You can create a DSCP color map to outline the differentiated services codepoint (DSCP) mappings to the appropriate color mapping (green, yellow, red) for the input traffic.
Displaying DSCP Color Maps To display DSCP color maps, use the show qos dscp-color-map command in EXEC mode. Examples for Creating a DSCP Color Map Display all DSCP color maps. Dell# show qos dscp-color-map Dscp-color-map mapONE yellow 4,7 red 20,30 Dscp-color-map mapTWO yellow 16,55 Display a specific DSCP color map.
3. Apply the policy map to an interface. Applying an Output QoS Policy to a Queue To apply an output QoS policy to a queue, use the following command. ● Apply an output QoS policy to queues. INTERFACE mode service-queue Specifying an Aggregate QoS Policy To specify an aggregate QoS policy, use the following command. ● Specify an aggregate QoS policy. POLICY-MAP-OUT mode policy-aggregate Applying an Output Policy Map to an Interface To apply an output policy map to an interface, use the following command.
Enabling Strict-Priority Queueing Strict-priority means that Dell Networking OS de-queues all packets from the assigned queue before servicing any other queues. ● The strict-priority supersedes bandwidth-percentage configuration. ● A queue with strict priority can starve other queues in the same port-pipe. ● Assign strict priority to one unicast queue. CONFIGURATION mode strict-priority The range is from 1 to 3.
WRED mode threshold Applying a WRED Profile to Traffic After you create a WRED profile, you must specify to which traffic Dell Networking OS should apply the profile. Dell Networking OS assigns a color (also called drop precedence) — red, yellow, or green — to each packet based on it DSCP value before queuing it. DSCP is a 6–bit field. Dell Networking uses the first three bits (LSB) of this field (DP) to determine the drop precedence.
Specifically: ● Available CAM — the available number of CAM entries in the specified CAM partition for the specified line card or stack-unit port-pipe. ● Estimated CAM — the estimated number of CAM entries that the policy will consume when it is applied to an interface. ● Status — indicates whether the specified policy-map can be completely applied to an interface in the port-pipe.
Global Service Pools With WRED and ECN Settings A global buffer pool, whichis a shared buffer pool accessed by multiple queues when the minimum guaranteed buffers for the queue are consumed, can be configured on the Z9000 platform. Support for global service pools is now available. You can configure global service pools that are shared buffer pools accessed by multiple queues when the minimum guaranteed buffers for the queue are consumed.
Z9000 platform. A global buffer pool that is a shared buffer pool accessed by multiple queues when the minimum guaranteed buffers for the queue are consumed can be configured on the Z9000 platform. WRED drops packets when the average queue length exceeds the configured threshold value to signify congestion. Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded.
In the existing software, ECE/CWR TCP flag qualifiers are not supported. ● Because this functionality forcibly marks all the packets matching the specific match criteria as ‘yellow’, Dell Networking OS does not support Policer based coloring and this feature concurrently.
Match qualifiers can be directly configured in the class-map command or it can be specified through one or more ACL which in turn specifies the combination of match qualifiers. Until Release 9.3(0.0), support is available for classifying traffic based on the 6-bit DSCP field of the IPv4 packet. As a part of this feature, the 2-bit ECN field of the IPv4 packet will also be available to be configured as one of the match qualifier.
● match ip dscp ● match ip precedence ● match ip vlan Sample configuration to mark non-ecn packets as “yellow” with single traffic class Consider the use case where the packet with DSCP value “40” need to be enqueued in queue#2 and packets with DSCP value as 50 need to be enqueued in queue#3. And all the packets with ecn value as ‘0’ must be marked as ‘yellow’. The above requirement can be achieved using either of the two approaches. The above requirement can be achieved using either of the two approaches.
class-map match-any class_dscp_50 match ip access-group dscp_50_non_ecn set-color yellow match ip access-group dscp_50_ecn ! policy-map-input pmap_dscp_40_50 service-queue 2 class-map class_dscp_40 service-queue 3 class-map class_dscp_50 Applying Layer 2 Match Criteria on a Layer 3 Interface To process Layer 3 packets that contain a dot1p (IEEE 802.1p) VLAN Layer 2 header, configure VLAN tags on a Layer 3 port interface which is configured with an IP address but has no VLAN associated with it.
CONFIGURATION mode Dell(conf)#qos-policy-input pp_qospolicy 5. Configure the DSCP value to be set on matched packets. QOS-POLICY-IN mode Dell(conf-qos-policy-in)#set ip-dscp 5 6. Create an input policy map. CONFIGURATION mode Dell(conf)#policy-map-input pp_policmap 7. Create a service queue to associate the class map and QoS policy map.
39 Routing Information Protocol (RIP) Routing information protocol (RIP) is supported on Dell Networking OS. RIP is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter. Topics: • • • Protocol Overview Implementation Information Configuration Information Protocol Overview RIP is the oldest interior gateway protocol.
Table 45. RIP Defaults Feature Default Interfaces running RIP ● Listen to RIPv1 and RIPv2 ● Transmit RIPv1 RIP timers ● ● ● ● Auto summarization Enabled ECMP paths supported 16 update timer = 30 seconds invalid timer = 180 seconds holddown timer = 180 seconds flush timer = 240 seconds Configuration Information By default, RIP is disabled in Dell Networking OS. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
To view the global RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode. Dell(conf-router_rip)#show config ! router rip network 10.0.0.0 Dell(conf-router_rip)# When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes. Dell#show ip rip database Total number of routes in RIP database: 978 160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 1/4 160.160.0.0/16 auto-summary 2.0.0.
31.0.0.0/8 auto-summary 192.162.2.0/24 [120/1] via 29.10.10.12, 00:01:21, Fa 1/49 192.162.2.0/24 auto-summary 192.161.1.0/24 [120/1] via 29.10.10.12, 00:00:27, Fa 1/49 192.161.1.0/24 auto-summary 192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 1/49 192.162.3.0/24 auto-summary To disable RIP globally, use the no router rip command in CONFIGURATION mode. Configure RIP on Interfaces When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes.
Adding RIP Routes from Other Instances In addition to filtering routes, you can add routes from other routing instances or protocols to the RIP process. With the redistribute command, you can include open shortest path first (OSPF), static, or directly connected routes in the RIP process. To add routes from other routing instances or protocols, use the following commands. ● Include directly connected or user-configured (static) routes in RIP.
Incoming filter for all interfaces is Default redistribution metric is 1 Default version control: receive version 2, send version 2 Interface Recv Send TenGigabitEthernet 1/1 2 2 Routing for Networks: 10.0.0.0 Routing Information Sources: Gateway Distance Last Update Distance: (default is 120) Dell# To configure an interface to receive or send both versions of RIP, include 1 and 2 in the command syntax.
Summarize Routes Routes in the RIPv2 routing table are summarized by default, thus reducing the size of the routing table and improving routing efficiency in large networks. By default, the autosummary command in ROUTER RIP mode is enabled and summarizes RIP routes up to the classful network boundary. If you must perform routing between discontiguous subnets, disable automatic summarization. With automatic route summarization disabled, subnets are advertised.
Dell#debug ip rip RIP protocol debug is ON Dell# To disable RIP, use the no debug ip rip command. RIP Configuration Example The examples in this section show the command sequence to configure RIPv2 on the two routers shown in the following illustration — Core 2 and Core 3. The host prompts used in the following example reflect those names.
The following example shows the show ip rip database command to view the learned RIP routes on Core 2. Core2(conf-router_rip)#end 00:12:24: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console Core2#show ip rip database Total number of routes in RIP database: 7 10.11.30.0/24 [120/1] via 10.11.20.1, 00:00:03, TenGigabitEthernet 2/3 10.300.10.0/24 directly connected,TenGigabitEthernet 2/4 10.200.10.0/24 directly connected,TenGigabitEthernet 2/5 10.11.20.
Routing Information Sources: Gateway Distance Last Update 10.11.20.1 120 00:00:12 Distance: (default is 120) Core2# RIP Configuration on Core3 The following example shows how to configure RIPv2 on a host named Core3. Core3(conf-if-te-3/21)#router rip Core3(conf-router_rip)#version 2 Core3(conf-router_rip)#network 192.168.1.0 Core3(conf-router_rip)#network 192.168.2.0 Core3(conf-router_rip)#network 10.11.30.0 Core3(conf-router_rip)#network 10.11.20.
Gateway of last resort is not set Destination Gateway Dist/Metric Last Change ----------- ------- --------------------R 10.11.10.0/24 via 10.11.20.2, Te 3/21 120/1 00:01:14 C 10.11.20.0/24 Direct, Te 3/21 0/0 00:01:53 C 10.11.30.0/24 Direct, Te 3/11 0/0 00:06:00 R 10.200.10.0/24 via 10.11.20.2, Te 3/21 120/1 00:01:14 R 10.300.10.0/24 via 10.11.20.2, Te 3/21 120/1 00:01:14 C 192.168.1.0/24 Direct, Te 3/23 0/0 00:06:53 C 192.168.2.
10.11.10.0 10.11.20.0 The following example shows viewing the RIP configuration on Core 3. ! interface TenGigabitEthernet 3/1 ip address 10.11.30.1/24 no shutdown ! interface TenGigabitEthernet 3/2 ip address 10.11.20.1/24 no shutdown ! interface TenGigabitEthernet 3/4 ip address 192.168.1.1/24 no shutdown ! interface TenGigabitEthernet 3/5 ip address 192.168.2.1/24 no shutdown ! router rip version 2 network 10.11.20.0 network 10.11.30.0 network 192.168.1.0 network 192.168.2.
40 Remote Monitoring (RMON) Remote monitoring (RMON) is supported on Dell Networking OS. RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
Setting the rmon Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. ● Set an alarm on any MIB object.
○ owner string: (Optional) owner of this event, which is identical to the eventOwner in the eventTable of the RMON MIB. Default is a null-terminated string. To disable RMON on the interface, use the no form of this command. In the following example, the configuration creates RMON event number 1, with the description “High ifOutErrors”, and generates a log entry when an alarm triggers the event. The user nms1 owns the row that is created in the event table by this command.
The following command example enables an RMON MIB collection history group of statistics with an ID number of 20 and an owner of john, both the sampling interval and the number of buckets use their respective defaults.
41 Rapid Spanning Tree Protocol (RSTP) Rapid spanning tree protocol (RSTP) is supported on Dell Networking OS.
● ● ● ● Configuring Spanning Trees as Hitless Enabling SNMP Traps for Root Elections and Topology Changes Configuring Fast Hellos for Link State Detection Flush MAC Addresses after a Topology Change Important Points to Remember ● RSTP is disabled by default. ● Dell Networking OS supports only one Rapid Spanning Tree (RST) instance. ● All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology.
Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. ● Only one path from any bridge to any other bridge is enabled. ● Bridges block a redundant path by disabling one of the link ports. To enable RSTP globally for all Layer 2 interfaces, use the following commands. 1.
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. Dell#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.
Te 3/4 R3# Altr 128.684 128 20000 BLK 20000 P2P No Adding and Removing Interfaces To add and remove interfaces, use the following commands. To add an interface to the Rapid Spanning Tree topology, configure it for Layer 2 and it is automatically added. If you previously disabled RSTP on the interface using the command no spanning-tree 0 command, re-enable it using the spanning-tree 0 command. ● Remove an interface from the Rapid Spanning Tree topology.
NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time. The range is from 1 to 10. The default is 2 seconds. ● Change the max-age parameter. PROTOCOL SPANNING TREE RSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode.
Influencing RSTP Root Selection RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command. ● Assign a number as the bridge priority or designate it as the primary or secondary root. PROTOCOL SPANNING TREE RSTP mode bridge-priority priority-value ○ priority-value The range is from 0 to 65535.
Dell(conf-if-te-2/1)#show config ! interface TenGigabitEthernet 2/1 no ip address switchport spanning-tree rstp edge-port shutdown Dell(conf-if-te-2/1)# Configuring Fast Hellos for Link State Detection To achieve sub-second link-down detection so that convergence is triggered faster, use RSTP fast hellos. The standard RSTP link-state detection mechanism does not offer the same low link-state detection speed.
42 Software-Defined Networking (SDN) Dell Networking operating software supports Software-Defined Networking (SDN). For more information, refer to the SDN Deployment Guide.
43 Security Security features are supported on Dell Networking OS. This chapter describes several ways to provide security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
aaa accounting {commands | exec | suppress | system level} {default | name} {start-stop | wait-start | stop-only} {tacacs+} The variables are: ○ system: sends accounting information of any other AAA configuration. ○ exec: sends accounting information when a user has logged in to EXEC mode. ○ command level: sends accounting of commands executed at the specified privilege level. ○ suppress: Do not generate accounting records for a specific type of user.
Monitoring AAA Accounting Dell Networking OS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command. ● Step through all active sessions and print all the accounting records for the actively accounted functions.
Configuring AAA Authentication Login Methods To configure an authentication method and method list, use the following commands. Dell Networking OS Behavior: If you use a method list on the console port in which RADIUS or TACACS is the last authentication method, and the server is not reachable, Dell Networking OS allows access even though the username and password credentials cannot be verified.
2. Establish a host address and password. CONFIGURATION mode radius-server host x.x.x.x key some-password 3. Establish a host address and password. CONFIGURATION mode tacacs-server host x.x.x.x key some-password To get enable authentication from the RADIUS server and use TACACS as a backup, issue the following commands. The following example shows enabling authentication from the RADIUS server.
AAA Authorization Dell Networking OS enables AAA new-model by default. You can set authorization to be either local or remote. Different combinations of authentication and authorization yield different results. By default, Dell Networking OS sets both to local. Privilege Levels Overview Limiting access to the system is one method of protecting the system and your network. However, at times, you might need to allow others access to the router and you can limit that access to a subset of commands.
Configure the optional and required parameters: ○ name: Enter a text string up to 63 characters long. ○ access-class access-list-name: Enter the name of a configured IP ACL. ○ nopassword: Do not require the user to enter a password. ○ encryption-type: Enter 0 for plain text or 7 for encrypted text. ○ password: Enter a string. ○ privilege level The range is from 0 to 15. ○ Secret:Specify the secret for the user To view username, use the show users command in EXEC Privilege mode.
● password: Enter a string. Specify the password for the user. ● Secret: Specify the secret for the user. 2. Configure a password for privilege level. CONFIGURATION mode enable password [level level] [encryption-mode] password Configure the optional and required parameters: ● level level: specify a level from 0 to 15. Level 15 includes all levels. ● encryption-type: enter 0 for plain text or 7 for encrypted text. ● password: enter a string up to 32 characters long.
Current privilege level is 8 Dell#? configure Configuring from terminal disable Turn off privileged commands enable Turn on privileged commands exit Exit from the EXEC no Negate a command show Show running system information terminal Set terminal line parameters traceroute Trace route to destination Dell#confi Dell(conf)#? end Exit from Configuration mode exit Exit from Configuration mode no Reset a command snmp-server Modify SNMP parameters Dell(conf)# Specifying LINE Mode Password and Privilege You can s
1. Connect to the Z9000 system using a console. 2. Disconnect and reconnect the power cord on the system to cycle the power. 3. During system boot, press ESC when prompted to display the Grub Menu (see Example 1). 4. During system boot, press ESC when prompted during the countdown to stop the auto-boot process (see Example 2). 5. Press C to access the Grub boot loader command line prompt. 6. Enter the following commands at the Grub command line prompt (grub>).
RADIUS Authentication Dell Networking OS supports RADIUS for user authentication (text password) at login and can be specified as one of the login authentication methods in the aaa authentication login command. Idle Time Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30 minutes is used. RADIUS specifies idle-time allow for a user during a session before timeout. When a user logs in, the lower of the two idle-time values (configured or default) is used.
NOTE: RADIUS authentication and authorization are done in a single step. Hence, authorization cannot be used independent of authentication. However, if you have configured RADIUS authorization and have not configured authentication, a message is logged stating this. During authorization, the next method in the list (if present) is used, or if another method is not present, an error is reported.
○ key [encryption-type] key: enter 0 for plain text or 7 for encrypted text, and a string for the key. The key can be up to 42 characters long. This key must match the key configured on the RADIUS server host. If you do not configure these optional parameters, the global default values for all RADIUS host are applied. To specify multiple RADIUS server hosts, configure the radius-server host command multiple times.
TACACS+ Dell Networking OS supports terminal access controller access control system (TACACS+ client, including support for login authentication. Configuration Task List for TACACS+ The following list includes the configuration task for TACACS+ functions.
aaa authentication enable LOCAL enable tacacs+ aaa authentication login default tacacs+ local aaa authentication login LOCAL local tacacs+ aaa authorization exec default tacacs+ none aaa authorization commands 1 default tacacs+ none aaa authorization commands 15 default tacacs+ none aaa accounting exec default start-stop tacacs+ aaa accounting commands 1 default start-stop tacacs+ aaa accounting commands 15 default start-stop tacacs+ Dell(conf)# Dell(conf)#do show run tacacs+ ! tacacs-server key 7 d05206c30
If you do not configure these optional parameters, the default global values are applied. To specify multiple TACACS+ server hosts, configure the tacacs-server host command multiple times. If you configure multiple TACACS+ server hosts, Dell Networking OS attempts to connect with them in the order in which they were configured. To view the TACACS+ configuration, use the show running-config tacacs+ command in EXEC Privilege mode.
hostname is the IP address or host name of the remote device. Enter an IPv4 or IPv6 address in dotted decimal format (A.B.C.D). ● SSH V2 is enabled by default on all the modes. ● Display SSH connection information. EXEC Privilege mode show ip ssh The following example uses the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting. Dell(conf)#ip ssh server version 2 Dell(conf)#do show ip ssh SSH server : enabled. SSH server version : v2.
Configuring When to Re-generate an SSH Key You can configure the time-based or volume-based rekey threshold for an SSH session. If both threshold types are configured, the session rekeys when either one of the thresholds is reached. To configure the time or volume rekey threshold at which to re-generate the SSH key during an SSH session, use the ip ssh rekey [time rekey-interval] [volume rekey-limit] command. CONFIGURATION mode.
● hmac-md5 ● hmac-md5-96 ● hmac-sha1 ● hmac-sha1-96 ● hmac-sha2-256 ● hmac-sha2-256-96 The default HMAC algorithms are the following: ● hmac-md5 ● hmac-md5-96 ● hmac-sha1 ● hmac-sha1-96 ● hmac-sha2-256 ● hmac-sha2-256-96 When FIPS is enabled, the default HMAC algorithm is hmac-sha1-96. Example of Configuring a HMAC Algorithm The following example shows you how to configure a HMAC algorithm list.
Secure Shell Authentication Secure Shell (SSH) is enabled by default using the SSH Password Authentication method. Enabling SSH Authentication by Password Authenticate an SSH client by prompting for a password when attempting to connect to the Dell Networking system. This setup is the simplest method of authentication and uses SSH version 1. To enable SSH password authentication, use the following command. ● Enable SSH password authentication.
Configuring Host-Based SSH Authentication Authenticate a particular host. This method uses SSH version 2. To configure host-based authentication, use the following commands. 1. Configure RSA Authentication. Refer to Using RSA Authentication of SSH. 2. Create shosts by copying the public RSA key to the file shosts in the directory .ssh, and write the IP address of the host to the file. cp /etc/ssh/ssh_host_rsa_key.pub /.ssh/shosts Refer to the first example. 3.
Using Client-Based SSH Authentication To SSH from the chassis to the SSH client, use the following command. This method uses SSH version 1 or version 2. If the SSH port is a non-default value, use the ip ssh server port number command to change the default port number. You may only change the port number when SSH is disabled. Then use the -p option with the ssh command. ● SSH from the chassis to the SSH client. ssh ip_address Dell#ssh 10.16.127.
Table 48. VTY Access (continued) Authentication Method VTY access-class support? Username access-class support? Remote authorization support? RADIUS YES NO YES (with Dell Networking OS version 6.1.1.
Dell(conf-ext-nacl)#deny any Dell(conf)# Dell(conf)#aaa authentication login tacacsmethod tacacs+ Dell(conf)#tacacs-server host 256.1.1.
● Displaying Accounting for User Roles ● Displaying Information About Roles Logged into the Switch ● Display Role Permissions Assigned to a Command Overview of RBAC With Role-Based Access Control (RBAC), access and authorization is controlled based on a user’s role. Users are granted permissions based on their user roles, not on their individual user ID. User roles are created for job functions and through those roles they acquire the permissions to perform their associated job function.
You could also use the default authentication method to apply to all the LINES (console port, VTY). NOTE: The authentication method list should be in the same order as the authorization method list. For example, if you configure the authentication method list in the following order (TACACS+, local), Dell Networking recommends that authorization method list is configured in the same order (TACACS+, local). 4. Specify authorization method list (RADIUS, TACACS+, or Local).
User Roles This section describes how to create a new user role and configure command permissions and contains the following topics. ● Creating a New User Role ● Modifying Command Permissions for Roles ● Adding and Deleting Users from a Role Creating a New User Role Instead of using the system defined user roles, you can create a new user role that best matches your organization. When you create a new user role, you can first inherit permissions from one of the system defined roles.
Modifying Command Permissions for Roles You can modify (add or delete) command permissions for newly created user roles and system defined roles using the role mode { { { addrole | deleterole } role-name } | reset } command command in Configuration mode. NOTE: You cannot modify system administrator command permissions. If you add or delete command permissions using the role command, those changes only apply to the specific user role. They do not apply to other roles that have inheritance from that role.
The following example shows that the secadmin role can now access Interface mode (highlighted in bold). Role Inheritance netoperator netadmin secadmin sysadmin Modes Exec Config Interface Router IP RouteMap Protocol MAC Exec Config Interface Line Exec Config Interface Line Router IP RouteMap Protocol MAC Example: Remove Security Administrator Access to Line Mode.
The following example adds a user, to the secadmin user role. Dell (conf)#username john role secadmin password 0 password AAA Authentication and Authorization for Roles This section describes how to configure AAA Authentication and Authorization for Roles.
Examples of Applying a Method List The following configuration example applies a method list: TACACS+, RADIUS and local: ! radius-server host 10.16.150.203 key ! tacacs-server host 10.16.150.203 key ! aaa authentication login ucraaa tacacs+ radius local aaa authorization exec ucraaa tacacs+ radius local aaa accounting commands role netadmin ucraaa start-stop tacacs+ ! The following configuration example applies a method list other than default to each VTY line.
Configuring TACACS+ and RADIUS VSA Attributes for RBAC For RBAC and privilege levels, the Dell Networking OS RADIUS and TACACS+ implementation supports two vendor-specific options: privilege level and roles. The Dell Networking vendor-ID is 6027 and the supported option has attribute of type string, which is titled “Force10-avpair”.
Applying an Accounting Method to a Role To apply an accounting method list to a role executed by a user with that user role, use the accounting command in LINE mode. accounting {exec | commands {level | role role-name}} method-list Example of Applying an Accounting Method to a Role The following example applies the accounting default method to the user role secadmin (security administrator).
Displaying Role Permissions Assigned to a Command To display permissions assigned to a command, use the show role command in EXEC Privilege mode. The output displays the user role and or permission level.
44 Service Provider Bridging Service provider bridging is supported on Dell Networking OS. Topics: • • • • • VLAN Stacking VLAN Stacking Packet Drop Precedence Dynamic Mode CoS for VLAN Stacking Layer 2 Protocol Tunneling Provider Backbone Bridging VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 99. VLAN Stacking in a Service Provider Network Important Points to Remember ● Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN. ● Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
Related Configuration Tasks ● ● ● ● Configuring the Protocol Type Value for the Outer VLAN Tag Configuring Dell Networking OS Options for Trunk Ports Debugging VLAN Stacking VLAN Stacking in Multi-Vendor Networks Creating Access and Trunk Ports To create access and trunk ports, use the following commands. ● Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
* 1 2 3 4 5 6 Active Inactive Inactive Inactive Inactive Active Dell# U Te 3/0-5,18 M Po1(Te 3/14-15) M Te 3/13 Configuring the Protocol Type Value for the Outer VLAN Tag The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command. ● Select a value for the S-Tag TPID. CONFIGURATION mode vlan-stack protocol-type The default is 9100. To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC privilege mode.
x - Dot1x untagged, X - Dot1x tagged G - GVRP tagged, M - Vlan-stack NUM * 1 100 101 103 Status Inactive Inactive Inactive Inactive Description Q Ports U Te 1/1 T Te 1/1 M Te 1/1 Debugging VLAN Stacking To debug VLAN stacking, use the following command. ● Debug the internal state and membership of a VLAN and its ports. debug member The port notations are as follows: ● MT — stacked trunk ● MU — stacked access port ● T — 802.1Q trunk port ● U — 802.
system is able to differentiate between 0x8100 and untagged traffic and maps each to the appropriate VLAN, as shown by the packet originating from Building A. Therefore, a mismatched TPID results in the port not differentiating between tagged and untagged traffic. Figure 100.
Figure 101.
Figure 102. Single and Double-Tag TPID Mismatch VLAN Stacking Packet Drop Precedence The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested. Enabling Drop Eligibility Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults. In this case, the CFI is affected according to the following table. Table 49.
Table 49. Drop Eligibility Behavior (continued) Ingress Egress Access Port Trunk Port DEI Disabled DEI Enabled Retain outer tag CFI Set outer tag CFI to 0. Retain inner tag CFI Retain inner tag CFI Set outer tag CFI to 0 Set outer tag CFI to 0 To enable drop eligibility globally, use the following command. ● Make packets eligible for dropping based on their DEI value. CONFIGURATION mode dei enable By default, packets are colored green, and DEI is marked 0 on egress.
Dell#show interface dei-mark Default CFI/DEI Marking: 0 Interface Drop precedence CFI/DEI -------------------------------Te 1/1 Green 0 Te 1/1 Yellow 1 Te 2/9 Yellow 0 Te 2/10 Yellow 0 Dynamic Mode CoS for VLAN Stacking One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.
class-map match-any a layer2 match mac access-group a ! mac access-list standard a seq 5 permit any ! qos-policy-input 3 layer2 rate-police 40 Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3. All other packets will have outer dot1p 0 and hence are queued to Queue 1. They are therefore policed according to qos-policy-input 1.
Layer 2 Protocol Tunneling Spanning tree bridge protocol data units (BPDUs) use a reserved destination MAC address called the bridge group address, which is 01-80-C2-00-00-00. Only spanning-tree bridges on the local area network (LAN) recognize this address and process the BPDU.
8.2.1.0 and later, the L2PT MAC address is user-configurable, so you can specify an address that non-Dell Networking systems can recognize and rewrite the address at egress edge. Figure 105. VLAN Stacking with L2PT Implementation Information ● L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. ● No protocol packets are tunneled when you enable VLAN stacking. ● L2PT requires the default CAM profile. Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command.
protocol-tunnel enable 3. Tunnel BPDUs the VLAN. INTERFACE VLAN mode protocol-tunnel stp Specifying a Destination MAC Address for BPDUs By default, Dell Networking OS uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command. ● Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. 802.
45 sFlow Configuring sFlow is supported on Dell Networking OS. Topics: • • • • • • • • • • • Overview Implementation Information Enabling Extended sFlow Enabling and Disabling sFlow on an Interface Enabling sFlow Max-Header Size Extended sFlow Show Commands Configuring Specify Collectors Changing the Polling Intervals Back-Off Mechanism sFlow on LAG ports Enabling Extended sFlow Overview The Dell Networking Operating System (OS) supports sFlow version 5.
Important Points to Remember ● The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset. ● By default, sFlow collection is supported only on data ports. If you want to enable sFlow collection through management ports, use the management egress-interface-selection and application sflow-collector commands in Configuration and EIS modes respectively. ● Dell Networking OS exports all sFlow packets to the collector. A small sampling rate can equate to many exported packets.
0 0 0 0 0 collectors configured UDP packets exported UDP packets dropped sFlow samples collected sFlow samples dropped due to sub-sampling Enabling and Disabling sFlow on an Interface By default, sFlow is disabled on all interfaces. This CLI is supported on physical ports and link aggregation group (LAG) ports. To enable sFlow on a specific interface, use the following command. ● Enable sFlow on an interface.
Example of the show running-config sflow Command Dell#show running-config sflow ! sflow collector 100.1.1.12 agent-addr 100.1.1.1 sflow enable sflow max-header-size extended Dell#show run int tengigabitEthernet 1/10 ! interface TenGigabitEthernet 1/10 no ip address switchport sflow ingress-enable sflow max-header-size extended no shutdown sFlow Show Commands Dell Networking OS includes the following sFlow display commands.
The following example shows the show sflow interface command. Dell#show sflow interface tengigabitethernet 1/1 Te 1/1 sFlow type :Ingress Configured sampling rate :16384 Actual sampling rate :16384 Counter polling interval :20 Extended max header size :128 Samples rcvd from h/w :0 The following example shows the show running-config interface command.
To configure the polling intervals globally (in CONFIGURATION mode) or by interface (in INTERFACE mode), use the following command. ● Change the global default counter polling interval. CONFIGURATION mode or INTERFACE mode sflow polling-interval interval value ○ interval value: in seconds. The range is from 15 to 86400 seconds. The default is 20 seconds.
stack-unit 0 Port set 0 Te 1/1: configured rate 16384, actual rate 16384 Dell# If you did not enable any extended information, the show output displays the following (shown in bold).
46 Simple Network Management Protocol (SNMP) Simple network management protocol (SNMP) is supported on Dell Networking OS. NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
● SNMP traps for the spanning tree protocol (STP) and multiple spanning tree protocol (MSTP) state changes are based on BRIDGE MIB (RFC 1483) for STP and IEEE 802.1 draft ruzin-mstp-mib-02 for MSTP. SNMPv3 Compliance With FIPS This functionality is supported on the Z9000 platform. SNMPv3 is compliant with the Federal information processing standard (FIPS) cryptography standard. The Advanced Encryption Standard (AES) Cipher Feedback (CFB) 128-bit encryption algorithm is in compliance with RFC 3826.
Configuration Task List for SNMP Configuring SNMP version 1 or version 2 requires a single step. NOTE: The configurations in this chapter use a UNIX environment with net-snmp version 5.4. This environment is only one of many RFC-compliant SNMP utilities you can use to manage your Dell Networking system using SNMP. Also, these configurations use SNMP version 2c. ● Creating a Community Configuring SNMP version 3 requires configuring SNMP users in one of three methods.
Dell Networking OS enables SNMP automatically when you create an SNMP community and displays the following message. You must specify whether members of the community may only retrieve values (read), or retrieve and alter values (read-write). 22:31:23: %STKUNIT0-P:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START. To choose a name for the community you create, use the following command. ● Choose a name for the community.
● Configure the user with a secure authorization password and privacy password. CONFIGURATION mode snmp-server user name group-name {oid-tree} auth md5 auth-password priv des56 priv password ● Configure an SNMPv3 view. CONFIGURATION mode snmp-server view view-name oid-tree {included | excluded} Dell(conf)#snmp-server host 1.1.1.
Writing Managed Object Values You may only alter (write) a managed object value if your management station is a member of the same community as the SNMP agent, and the object is writable. Use the following command to write or write-over the value of a managed object. ● To write or write-over the value of a managed object. snmpset -v version -c community agent-ip {identifier.instance | descriptor.instance}syntax value > snmpset -v 2c -c mycommunity 10.11.131.161 sysName.0 s "R5" SNMPv2-MIB::sysName.
Subscribing to Managed Object Value Updates using SNMP By default, the Dell Networking system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system. Dell Networking OS supports the following three sets of traps: ● RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighbborLoss.
LINECARDUP: %sLine card %d is up CARD_MISMATCH: Mismatch: line card %d is type %s - type %s required.
%ECFM-5-ECFM_RDI_ALARM: RDI Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000 entity Enable entity change traps Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1487406) 4:07:54.06, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 4 Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1488564) 4:08:05.64, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.
Table 51. MIB Objects for Copying Configuration Files via SNMP (continued) MIB Object OID Object Values Description copySrcFileName .1.3.6.1.4.1.6027.3.5.1.1.1.1.4 Path (if the file is not in the current directory) and filename. Specifies name of the file. ● If copySourceFileType is set to runningconfig or startup-config, copySrcFileName is not required. copyDestFileType .1.3.6.1.4.1.6027.3.5.1.1.1.1.5 1 = Dell Networking OS file Specifies the type of file to copy to.
2. Copy the f10-copy-config.mib MIB from the Dell iSupport web page to the server to which you are copying the configuration file. 3. On the server, use the snmpset command as shown in the following example. snmpset -v snmp-version -c community-name -m mib_path/f10-copy-config.mib force10systemip-address mib-object.index {i | a | s} object-value... ● Every specified object must have an object value and must precede with the keyword i. Refer to the previous table.
snmpset -c private -v 2c force10system-ip-address copySrcFileType.index i 3 copyDestFileType.index i 2 The following example shows how to copy configuration files from a UNIX machine using the object name. > snmpset -c public -v 2c -m ./f10-copy-config.mib 10.11.131.162 copySrcFileType.7 i 3 copyDestFileType.7 i 2 FTOS-COPY-CONFIG-MIB::copySrcFileType.7 = INTEGER: runningConfig(3) FTOS-COPY-CONFIG-MIB::copyDestFileType.
Copy a Binary File to the Startup-Configuration To copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP, use the following command. ● Copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.index i 4 copySrcFileName.index s filepath/filename copyDestFileType.index i 3 copyServerAddress.
index: the index value used in the snmpset command used to complete the copy operation. NOTE: You can use the entire OID rather than the object name. Use the form: OID.index. The following examples show the snmpget command to obtain a MIB object value. These examples assume that: ● the server OS is UNIX ● you are using SNMP version 2c ● the community name is public ● the file f10-copy-config.mib is in the current directory NOTE: In UNIX, enter the snmpset command for help using this command.
MIB Support to Display the Software Core Files Generated by the System Dell Networking provides MIB objects to display the software core files generated by the system. The chSysSwCoresTable contains the list of software core files generated by the system. The following table lists the related MIB objects. Table 54. MIB Objects for Displaying the Software Core Files Generated by the System MIB Object OID Description chSysSwCoresTable 1.3.6.1.4.1.6027.3.10.1.2.
Manage VLANs using SNMP The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allows you to use SNMP to manage VLANs. Creating a VLAN To create a VLAN, use the dot1qVlanStaticRowStatus object. The snmpset operation shown in the following example creates VLAN 10 by specifying a value of 4 for instance 10 of the dot1qVlanStaticRowStatus object. > snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4 SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" .1.3.6.1.2.1.17.7.1.4.3.1.4.1107787786 x "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.
respectively To set time to wait till bgp session are up set 1.3.6.1.4.1.6027.3.18.1.3 and 1.3.6.1.4.1.6027.3.18.1.6 Enabling and Disabling a Port using SNMP To enable and disable a port using SNMP, use the following commands. 1. Create an SNMP community on the Dell system. CONFIGURATION mode snmp-server community 2. From the Dell Networking system, identify the interface index of the port for which you want to change the admin status.
The value of dot1dTpFdbPort is the port number of the port off which the system learns the MAC address. In this case, of TenGigabitEthernet 1/21, the manager returns the integer 118.
● Display the interface index number. EXEC Privilege mode show interface To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object or, to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object. Table 56. MIB Objects for Viewing the System Image on Flash Partitions MIB Object OID Description MIB chSysSwInPartitionAImgVers 1.3.6.1.4.1.6027.3.10.1.2.8.1.11 List the version string of the system image in Flash Partition A.
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.1 = INTEGER: 1 << Status active, 2 – status inactive Layer 3 LAG does not include this support. SNMP trap works for the Layer 2 / Layer 3 / default mode LAG. Example of Viewing Changed Interface State for Monitored Ports SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500842) 23:36:48.42 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown IF-MIB::ifIndex.33865785 = INTEGER: 33865785 SNMPv2-SMI::enterprises.6027.3.1.1.4.1.
47 Storm Control Storm control is supported on Dell Networking OS. The storm control feature allows you to control unknown-unicast and broadcast traffic on Layer 2 and Layer 3 physical interfaces. Dell Networking Operating System (OS) Behavior: Dell Networking OS supports broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic. Topics: • Configure Storm Control Configure Storm Control Storm control is supported in INTERFACE mode and CONFIGURATION mode.
48 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is supported on Dell Networking OS.
Related Configuration Tasks ● ● ● ● ● ● ● ● Adding an Interface to the Spanning Tree Group Modifying Global Parameters Modifying Interface STP Parameters Enabling PortFast Prevent Network Disruptions with BPDU Guard STP Root Guard Enabling SNMP Traps for Root Elections and Topology Changes Configuring Spanning Trees as Hitless Important Points to Remember ● STP is disabled by default. ● The Dell Networking OS supports only one spanning tree instance (0).
Configuring Interfaces for Layer 2 Mode All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled. Figure 106. Example of Configuring Interfaces for Layer 2 Mode To configure and enable the interfaces for Layer 2, use the following command. 1. If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2. Place the interface in Layer 2 mode. INTERFACE switchport 3. Enable the interface.
no shutdown Dell(conf-if-te-1/1)# Enabling Spanning Tree Protocol Globally Enable the spanning tree protocol globally; it is not enabled by default. When you enable STP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the Spanning Tree topology. ● Only one path from any bridge to any other bridge participating in STP is enabled. ● Bridges block a redundant path by disabling one of the link ports. Figure 107.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. R2#show spanning-tree 0 Executing IEEE compatible Spanning Tree Protocol Bridge Identifier has priority 32768, address 0001.e826.ddb7 Configured hello time 2, max age 20, forward delay 15 Current root has priority 32768, address 0001.e80d.
Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP. NOTE: Dell Networking recommends that only experienced network administrators change the spanning tree parameters. Poorly planned modification of the spanning tree parameters can negatively affect network performance. The following table displays the default values for STP. Table 58.
● Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost. The default values are listed in Modifying Global Parameters. To change the port cost or priority of an interface, use the following commands. ● Change the port cost of an interface. INTERFACE mode spanning-tree 0 cost cost The range is from 0 to 65535. The default values are listed in Modifying Global Parameters. ● Change the port priority of an interface.
Prevent Network Disruptions with BPDU Guard Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/ Edgport (edgeports) do not expect to receive BDPUs. If an edgeport does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
Figure 108. Enabling BPDU Guard Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features. BPDU guard: ● is used on edgeports and blocks all traffic on edgeport if it receives a BPDU. ● drops the BPDU after it reaches the RPM and generates a console message.
Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command. ● Assign a number as the bridge priority or designate it as the root or secondary root.
Figure 109. STP Root Guard Prevents Bridging Loops Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: ● Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in a global configuration mode. Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps individually or collectively, use the following commands. ● Enable SNMP traps for spanning tree state changes. snmp-server enable traps stp ● Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
Figure 110. STP Loop Guard Prevents Forwarding Loops Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with loop guard: ● Loop guard is supported on any STP-enabled port or port-channel interface.
● When used in a PVST+ network, STP loop guard is performed per-port or per-port channel at a VLAN level. If no BPDUs are received on a VLAN interface, the port or port-channel transitions to a Loop-Inconsistent (Blocking) state only for this VLAN. To enable a loop guard on an STP-enabled port or port-channel interface, use the following command. ● Enable loop guard on a port or port-channel interface.
49 System Time and Date System time and date settings and the network time protocol (NTP) are supported on Dell Networking OS. You can set system times and dates and maintained through the NTP. They are also set through the Dell Networking Operating System (OS) command line interfaces (CLIs) and hardware settings.
Protocol Overview The NTP messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode. R6_E300(conf)#do show ntp status Clock is synchronized, stratum 2, reference is 192.168.1.1 frequency is -369.623 ppm, stability is 53.319 ppm, precision is 4294967279 reference time is CD63BCC2.0CBBD000 (16:54:26.049 UTC Thu Mar 12 2009) clock offset is 997.529984 msec, root delay is 0.00098 sec root dispersion is 10.04271 sec, peer dispersion is 10032.
○ For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. ○ For a port channel interface, enter the keywords port-channel then a number. ○ For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. To view the configuration, use the show running-config ntp command in EXEC privilege mode (refer to the example in Configuring NTP Authentication).
To configure the switch as NTP Server use the ntp master command. stratum number identifies the NTP Server's hierarchy. The following example shows configuring an NTP server. R6_E300(conf)#1w6d23h : NTP: xmit packet to 192.168.1.1: leap 0, mode 3, version 3, stratum 2, ppoll 1024 rtdel 0219 (8.193970), rtdsp AF928 (10973.266602), refid C0A80101 (192.168.1.1) ref CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009) org CD7F4F63.68000000 (14:51:15.406 UTC Thu Apr 2 2009) rec CD7F4F63.
● Transmit Timestamp — the departure time on the server of the current NTP message from the sender. ● Filter dispersion — the error in calculating the minimum delay from a set of sample data from a peer. To view the NTP configuration, use the show running-config ntp command in EXEC privilege mode. The following example shows an encrypted authentication key (in bold). All keys are encrypted. Dell#show running ntp ! ntp authenticate ntp authentication-key 345 md5 5A60910F3D211F02 ntp server 11.1.1.
To set the clock timezone, use the following command. ● Set the clock to the appropriate timezone. CONFIGURATION mode clock timezone timezone-name offset ○ timezone-name: enter the name of the timezone. Do not use spaces. ○ offset: enter one of the following: ■ a number from 1 to 23 as the number of hours in addition to UTC for the timezone. ■ a minus sign (-) then a number from 1 to 23 as the number of hours.
Setting Recurring Daylight Saving Time Set a date (and time zone) on which to convert the switch to daylight saving time on a specific day every year. If you have already set daylight saving for a one-time setting, you can set that date and time as the recurring setting with the clock summer-time time-zone recurring command. To set a recurring daylight saving time, use the following command. ● Set the clock to the appropriate timezone and adjust to daylight saving time every year.
pacific Sun Nov 1 2009" System Time and Date 697
50 Tunneling Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported.
tunnel source 60.1.1.1 tunnel mode ipv6ip no shutdown The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic): Dell(conf)#interface tunnel 3 Dell(conf-if-tu-3)#tunnel source 5::5 Dell(conf-if-tu-3)#tunnel destination 8::9 Dell(conf-if-tu-3)#tunnel mode ipv6 Dell(conf-if-tu-3)#ip address 3.1.1.1/24 Dell(conf-if-tu-3)#ipv6 address 3::1/64 Dell(conf-if-tu-3)#no shutdown Dell(conf-if-tu-3)#show config ! interface Tunnel 3 ip address 3.1.1.
The following sample configuration shows how to use the tunnel interface configuration commands. Dell(conf-if-te-1/1)#show config ! interface TenGigabitEthernet 1/1 ip address 20.1.1.1/24 ipv6 address 20:1::1/64 no shutdown Dell(conf)#interface tunnel 1 Dell(conf-if-tu-1)#ip unnumbered tengigabitethernet 1/1 Dell(conf-if-tu-1)#ipv6 unnumbered tengigabitethernet 1/1 Dell(conf-if-tu-1)#tunnel source 40.1.1.
Dell(conf-if-tu-1)#no shutdown Dell(conf-if-tu-1)#show config ! interface Tunnel 1 ip address 1.1.1.1/24 ipv6 address 1abd::1/64 tunnel source anylocal tunnel allow-remote 40.1.1.2 tunnel mode ipip decapsulate-any no shutdown Guidelines for Configuring Multipoint Receive-Only Tunnels ● Maximum number of allowed remote end-points that can be configured for a single multipoint receive-only tunnel is eight.
51 Upgrade Procedures To find the upgrade procedures, go to the Dell Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell Networking OS version. To upgrade your system type, follow the procedures in the Dell Networking OS Release Notes. Get Help with Upgrades Direct any questions or concerns about the Dell Networking OS upgrade procedures to the Dell Technical Support Center. You can reach Technical Support: ● On the web: http://www.dell.
52 Virtual LANs (VLANs) Virtual LANs (VLANs) are supported on Dell Networking OS. VLANs are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The Dell Networking Operating System (OS) supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN. ● Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN.
● The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes). ● Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved. NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes as specified in the IEEE 802.3 standard. Some devices that are not compliant with IEEE 802.3 may not support the larger frame size.
Assigning Interfaces to a VLAN You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command. You can further designate these Layer 2 interfaces as tagged or untagged. For more information, refer to the Interfaces chapter and Configuring Layer 2 (Data Link) Mode.
When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN. If the tagged interface is removed from the only VLAN to which it belongs, the interface is placed in the Default VLAN as an untagged interface. Moving Untagged Interfaces To move untagged interfaces from the Default VLAN to another VLAN, use the following commands. 1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
Assigning an IP Address to a VLAN VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces. The shutdown command in INTERFACE mode does not affect Layer 2 traffic on the interface; the shutdown command only prevents Layer 3 traffic from traversing over the interface. NOTE: You cannot assign an IP address to the Default VLAN (VLAN 1).
Enabling Null VLAN as the Default VLAN In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured. This presents a vulnerability because both interfaces are initially placed in the native VLAN, VLAN 1, and for that period customers are able to access each other's networks.
53 Virtual Link Trunking (VLT) Virtual link trunking (VLT) is supported on Dell Networking OS.
The following example shows VLT deployed on switches. The switches appear as a single virtual switch from the point of view of the switch or server supporting link aggregation control protocol (LACP). Figure 113. VLT on Switches VLT on Core Switches You can also deploy VLT on core switches. Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing.
Figure 114. Enhanced VLT VLT Terminology The following are key VLT terms. ● Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. ● VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches. ● VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches.
● Ensure that the spanning tree root bridge is at the Aggregation layer. If you enable RSTP on the VLT device, refer to RSTP and VLT for guidelines to avoid traffic loss. ● If you reboot both VLT peers in BMP mode and the VLT LAGs are static, the DHCP server reply to the DHCP discover offer may not be forwarded by the ToR to the correct node. To avoid this scenario, configure the VLT LAGs to the ToR and the ToR port channel to the VLT peers with LACP.
○ A VLT domain supports two chassis members, which appear as a single logical device to network access devices connected to VLT ports through a port channel. ○ A VLT domain consists of the two core chassis, the interconnect trunk, backup link, and the LAG members connected to attached devices. ○ Each VLT domain has a unique MAC address that you create or VLT creates automatically. ○ ARP tables are synchronized between the VLT peer nodes.
● ● ● ● ● ● ○ If the size of the MTU for VLTi members is less than 1496 bytes, MAC addresses may not be synced. Dell Networking recommends retaining the default MTU allocation (1554 bytes) for VLTi members. VLT backup link ○ In the backup link between peer switches, heartbeat messages are exchanged between the two chassis for health checks. The default time interval between heartbeat messages over the backup link is 1 second. You can configure this interval. The range is from 1 to 5 seconds.
○ In a VLT domain, VRRP interoperates with virtual link trunks that carry traffic to and from access devices (refer to Overview). The VLT peers belong to the same VRRP group and are assigned master and backup roles. Each peer actively forwards L3 traffic, reducing the traffic flow over the VLT interconnect. ○ VRRP elects the router with the highest priority as the master in the VRRP group.
● Configure any ports at the edge of the spanning tree’s operating domain as edge ports, which are directly connected to end stations or server racks. Disable RSTP on ports connected directly to Layer 3-only routers not running STP or configure them as edge ports. ● Ensure that the primary VLT node is the root bridge and the secondary VLT peer node has the second-best bridge ID in the network.
If you enable IGMP snooping, IGMP queries are also sent out on the VLT ports at this time allowing any receivers to respond to the queries and update the multicast table on the new node. This delay in bringing up the VLT ports also applies when the VLTi link recovers from a failure that caused the VLT ports on the secondary VLT peer node to be disabled.
domain. This does not apply to server-side L2 VLT ports because they do not connect to any PIM routers. These VLT ports can be members of multiple PIM-enabled L3 VLANs for compatibility with IGMP. To route traffic to and from the multicast source and receiver, enable PIM on the L3 side connected to the PIM router using the ip pim sparse-mode command. Each VLT peer runs its own PIM protocol independently of other VLT peers.
vlt domain domain-id 2. Enable peer-routing. VLT DOMAIN mode peer-routing 3. Configure the peer-routing timeout. VLT DOMAIN mode peer-routing—timeout value value: Specify a value (in seconds) from 1 to 65535. The default value is infinity (without configuring the timeout).
4. Configure a PIM-SM compatible VLT node as a designated router (DR). For more information, refer to Configuring a Designated Router. 5. Configure a PIM-enabled external neighboring router as a rendezvous point (RP). For more information, refer to Configuring a Static Rendezvous Point. 6. Configure the VLT VLAN routing metrics to prefer VLT VLAN interfaces over non-VLT VLAN interfaces. For more information, refer to Classify Traffic. 7.
In the case of a primary VLT switch failure, the secondary switch starts sending BPDUs with its own bridge ID and inherits all the port states from the last synchronization with the primary switch. An access device never detects the change in primary/ secondary roles and does not see it as a topology change. The following examples show the RSTP configuration that you must perform on each peer switch to prevent forwarding loops.
4. Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown 5. Repeat Steps 1 to 4 on the VLT peer switch to configure the VLT interconnect. Enabling VLT and Creating a VLT Domain To enable VLT and create a VLT domain, use the following steps. 1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode. CONFIGURATION mode vlt domain domain-id The domain ID range is from 1 to 1000.
To set an amount of time, in seconds, to delay the system from restoring the VLT port, use the delay-restore command at any time. For more information, refer to VLT Port Delayed Restoration. Configuring a VLT Port Delay Period To configure a VLT port delay period, use the following commands. 1. Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs from 1 to 1000. 2.
Connecting a VLT Domain to an Attached Access Device (Switch or Server) To connect a VLT domain to an attached access device, use the following commands. On a VLT peer switch: To connect to an attached device, configure the same port channel ID number on each peer switch in the VLT domain. 1. Configure the same port channel to be used to connect to an attached device and enter interface configuration mode. CONFIGURATION mode interface port-channel id-number 2. Remove an IP address from the interface.
Configuring Enhanced VLT (eVLT) (Optional) To configure enhanced VLT (eVLT) between two VLT domains on your network, use the following procedure. For a sample configuration, refer to eVLT Configuration Example. To set up the VLT domain, use the following commands. 1. Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
Enter the same port-channel number configured with the peer-link port-channel command in the Enabling VLT and Creating a VLT Domain. 9. Place the interface in Layer 2 mode. INTERFACE PORT-CHANNEL mode switchport 10. Associate the port channel to the corresponding port channel in the VLT peer for the VLT connection to an attached device. INTERFACE PORT-CHANNEL mode vlt-peer-lag port-channel id-number Valid port-channel ID numbers are from 1 to 128. 11. Ensure that the port channel is active.
EXEC mode or EXEC Privilege mode show interfaces interface 8. Configure the VLT links between VLT peer 1 and VLT peer 2 to the top of rack unit (shown in the following example). 9. Configure the static LAG/LACP between ports connected from VLT peer 1 and VLT peer 2 to the top of rack unit. EXEC Privilege mode show running-config entity 10. Configure the VLT peer link port channel id in VLT peer 1 and VLT peer 2. EXEC mode or EXEC Privilege mode show interfaces interface 11.
s4810-4# s4810-4#show running-config interface managementethernet 0/0 ip address 10.11.206.58/16 no shutdown Configure the VLT links between VLT peer 1 and VLT peer 2 to the Top of Rack unit. In the following example, port Te 1/4 in VLT peer 1 is connected to Te 1/8 of TOR and port Te 1/18 in VLT peer 2 is connected to Te 1/30 of TOR. 1. Configure the static LAG/LACP between the ports connected from VLT peer 1 and VLT peer 2 to the Top of Rack unit. 2.
L 100 L2 up 03:33:48 Te 1/8 (Up) Te 1/30 (Up) Verify VLT is up. Verify that the VLTi (ICL) link, backup link connectivity (heartbeat status), and VLT peer link (peer chassis) are all up.
Configure PVST+ on VLT Peers to Prevent Forwarding Loops (VLT Peer 2) Dell_VLTpeer2(conf)#protocol spanning-tree pvst Dell_VLTpeer2(conf-pvst)#no disable Dell_VLTpeer2(conf-pvst)#vlan 1000 bridge-priority 4096 Configure both ends of the VLT interconnect trunk with identical PVST+ configurations. When you enable VLT, the show spanning-tree pvst brief command output displays VLT information.
eVLT Configuration Step Examples In Domain 1, configure the VLT domain and VLTi on Peer 1. Domain_1_Peer1#configure Domain_1_Peer1(conf)#interface port-channel 1 Domain_1_Peer1(conf-if-po-1)# channel-member TenGigabitEthernet 1/8-9 Domain_1_Peer1(conf)#vlt domain 1000 Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1 Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.
Configure eVLT on Peer 3. Domain_2_Peer3(conf)#interface port-channel 100 Domain_2_Peer3(conf-if-po-100)# switchport Domain_2_Peer3(conf-if-po-100)# vlt-peer-lag port-channel 100 Domain_2_Peer3(conf-if-po-100)# no shutdown Add links to the eVLT port-channel on Peer 3.
The following example shows how to configure the VLTi port as a static multicast router port for the VLAN. VLT_Peer1(conf)#interface vlan 4001 VLT_Peer1(conf-if-vl-4001)#ip igmp snooping mrouter interface port-channel 128 VLT_Peer1(conf-if-vl-4001)#exit VLT_Peer1(conf)#end The following example shows how to repeat these steps on VLT Peer Node 2. VLT_Peer2(conf)#ip multicast-routing VLT_Peer2(conf)#interface vlan 4001 VLT_Peer2(conf-if-vl-4001)#ip address 140.0.0.
■ For a port channel interface, enter the keywords port-channel then a number. The following example shows the show vlt backup-link command. Dell_VLTpeer1# show vlt backup-link VLT Backup Link ----------------Destination: Peer HeartBeat status: HeartBeat Timer Interval: HeartBeat Timeout: UDP Port: HeartBeat Messages Sent: HeartBeat Messages Received: 10.11.200.
Dell_VLTpeer2# show vlt detail Local LAG Id -----------2 100 Peer LAG Id ----------127 100 Local Status -----------UP UP Peer Status ----------UP UP Active VLANs ------------20, 30 10, 20, 30 The following example shows the show vlt role command.
Executing IEEE compatible Spanning Tree Protocol Root ID Priority 0, Address 0001.e88a.dff8 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 4096, Address 0001.e88a.d656 Configured hello time 2, max age 20, forward delay 15 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID ---------- -------- ---- ------- --------- ------- -----------------Po 1 128.2 128 200000 DIS 800 4096 0001.e88a.d656 128.2 Po 3 128.4 128 200000 DIS 800 4096 0001.e88a.d656 128.4 Po 4 128.
Dell_VLTpeer1(conf-if-po-100)#no shutdown Dell_VLTpeer1(conf-if-po-100)#exit Configure the port channel to an attached device.
Q: U - Untagged, T - Tagged x - Dot1x untagged, X - Dot1x tagged G - GVRP tagged, M - Vlan-stack, H - Hyperpull tagged NUM Status Description Q Ports 10 Active U Po110(Fo 1/48) T Po100(Fo 1/56,60) Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch) On an access device, verify the port-channel connection to a VLT domain.
Table 59. Troubleshooting VLT (continued) Description Behavior at Peer Up Behavior During Run Time Action to Take Spanning tree mismatch at port level A syslog error message is generated. A one-time informational syslog message is generated. Correct the spanning tree configuration on the ports. System MAC mismatch A syslog error message and an A syslog error message and an Verify that the unit ID of VLT SNMP trap are generated. SNMP trap are generated.
The association of PVLAN with the VLT LAG must also be identical. After the VLT LAG is configured to be a member of either the primary or secondary PVLAN (which is associated with the primary), ICL becomes an automatic member of that PVLAN on both switches. This association helps the PVLAN data flow received on one VLT peer for a VLT LAG to be transmitted on that VLT LAG from the peer. You can associate either a VLT VLAN or a VLT LAG to a PVLAN.
particular VLAN are either synchronized with the other peers, or MAC addresses synchronized from the other peers on the same VLAN are deleted. This method of processing occurs when the PVLAN mode of VLT LAGs is modified. Because the VLTi link is only a member of symmetric VLT PVLANs, MAC synchronization takes place directly based on the membership of the VLTi link in a VLAN and the VLT LAG mode.
Table 60.
Configuring a VLT VLAN or LAG in a PVLAN You can configure the VLT peers or nodes in a private VLAN (PVLAN). Because the VLT LAG interfaces are terminated on two different nodes, PVLAN configuration of VLT VLANs and VLT LAGs are symmetrical and identical on both the VLT peers. PVLANs provide Layer 2 isolation between ports within the same VLAN. A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair.
interface interface 2. Enable the port. INTERFACE mode no shutdown 3. Set the port in Layer 2 mode. INTERFACE mode switchport 4. Select the PVLAN mode. INTERFACE mode switchport mode private-vlan {host | promiscuous | trunk} ● host (isolated or community VLAN port) ● promiscuous (intra-VLAN communication port) ● trunk (inter-switch PVLAN hub port) 5. Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces. CONFIGURATION mode interface vlan vlan-id 6. Enable the VLAN.
two VLT nodes. Assume that the VLAN 100 IP address in node 1 is 10.1.1.1/24 and VLAN 100 IP address in node 2 is 20.1.1.2/24. In this case, if the ARP request for 20.1.1.1 reaches node 1, node 1 will not perform the ARP request for 20.1.1.2. Proxy ARP is supported only for the IP address belongs to the received interface IP network. Proxy ARP is not supported if the ARP requested IP address is different from the received interface IP subnet.
You can configure VLT nodes, which function as RP, as Multicast Source Discovery Protocol (MSDP) peers in different domains. However, you cannot configure the VLT peers as MSDP peers in the same VLT domain. In such instances, the VLT peer does not support the RP functionality. If the same source or RP can be accessed over both a VLT and a non-VLT VLAN, configure better metrics for the VLT VLANs.
Dell(conf-if-po-10)#switchport Dell(conf-if-po-10)#vlt-peer-lag port-channel 10 Dell(conf-if-po-10)#vlan-stack access Dell(conf-if-po-10)#no shutdown Dell#show running-config interface port-channel 10 ! interface Port-channel 10 no ip address switchport vlan-stack access vlt-peer-lag port-channel 10 no shutdown Dell# Dell(conf)#interface port-channel 20 Dell(conf-if-po-20)#switchport Dell(conf-if-po-20)#vlt-peer-lag port-channel 20 Dell(conf-if-po-20)#vlan-stack trunk Dell(conf-if-po-20)#no shutdown Dell#sh
Dell(conf-vlt-domain)#system-mac mac-address 00:00:00:11:11:11 Dell(conf-vlt-domain)#unit-id 1 Dell(conf-vlt-domain)# Dell#show running-config vlt vlt domain 1 peer-link port-channel 1 back-up destination 10.16.151.
o - OpenFlow untagged, O - OpenFlow tagged G - GVRP tagged, M - Vlan-stack i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged NUM 50 Status Active Description Dell# 750 Virtual Link Trunking (VLT) Q M M V Ports Po10(Te 1/8) Po20(Te 1/20) Po1(Te 1/30-32)
54 VLT Proxy Gateway The Virtual link trucking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a L3 end point in another VLT domain. Enable the VLT proxy gateway using the link layer discover protocol (LLDP) method or the static configuration. For more information, refer to Dell Networking OS Command Line Reference Guide.
Guidelines for Enabling the VLT Proxy Gateway Keep the following points in mind when you enable this functionality: 1. The proxy gateway is supported only for VLT; for example, across VLT domain. 2. You must enable the VLT peer-routing command for the VLT proxy gateway to function. 3. The current design does not handle asymmetric virtual local area network (VLAN) configuration scenarios such as the same VLAN configured with L2 mode on one VLT domain and L3 mode on another VLT domain.
13. When a Virtual Machine (VM) moves from one VLT domain to the another VLT domain, the VM host send the gratuitous ARP (GARP) , which in-turn triggers a mac movement from the previous VLT domain to the newer VLT domain. 14. After a station move, if a host sends a TTL1 packet destined to its gateway; for example, a previous VLT node, the packet may be dropped. 15.
● No interface– level LLDP disable CLIs on the interfaces configured for proxy gateway, and you must enable both transmission and reception ● You must connect both units of the remote VLT domain by the port channel member.
Sample Scenario for VLT Proxy Gateway 1. The above figure show a sample VLT Proxy gateway scenario. Their are no diagonal links in the square VLT connection between the C and D in VLT domain 1 and C1 and D1 in the VLT domain 2. This undergo sub-optimal routing with the VLT Proxy Gateway LLDP method. For VLT Proxy Gateway to work in this scenario you must configure the , VLT-peer-mac transmit command under VLT Domain Proxy Gateway LLDP mode, in both C and D (VLT domain 1) and C1 and D1 (VLT domain 2).
Static Configuration Method Dell(conf-vlt-domain)#proxy-gateway static Dell(conf-vlt-domain-pxy-gw-static)#remote-mac-address excludevlan 10 5. Packet duplication may happen with “Exclude-VLAN” configuration – Assume exclude-vlan (say VLAN 10) is configured in C and D and in C1 and D1; If packets for VLAN 10 with C’s MAC address (C is in VLT domain 1) gets an L3 hit at C1 in VLT domain 2, they are switched to both D1 (via ICL) and C via inter DC link. This may lead to packet duplication.
55 Virtual Router Redundancy Protocol (VRRP) Virtual router redundancy protocol (VRRP) is supported on Dell Networking OS. Topics: • • • • • VRRP Overview VRRP Benefits VRRP Implementation VRRP Configuration Sample Configurations VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 117. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. VRRP Implementation Within a single VRRP group, up to 12 virtual IP addresses are supported.
Table 61. Recommended VRRP Advertise Intervals on the Z9000 Recommended Advertise Interval Groups/Interface Total VRRP Groups Less than 250 1 second 12 Between 250 and 450 2–3 seconds 24 Between 450 and 600 3–4 seconds 36 Between 600 and 800 4 seconds 48 Between 800 and 1000 5 seconds 84 Between 1000 and 1200 7 seconds 100 Between 1200 and 1500 8 seconds 120 VRRP Configuration By default, VRRP is not configured.
The following examples how to configure VRRP. Dell(conf)#interface tengigabitethernet 1/1 Dell(conf-if-te-1/1)#vrrp-group 111 Dell(conf-if-te-1/1-vrid-111)# The following examples how to verify the VRRP configuration. Dell(conf-if-te-1/1)#show conf ! interface TenGigabitEthernet 1/1 ip address 10.10.10.
3. Set the backup switches to version 3. Dell_backup_switch1(conf-if-te-1/1-vrid-100)#version 3 Dell_backup_switch2(conf-if-te-1/2-vrid-100)#version 3 Assign Virtual IP addresses Virtual routers contain virtual IP addresses configured for that VRRP group (VRID). A VRRP group does not transmit VRRP packets until you assign the Virtual IP address to the VRRP group. For more information, refer to VRRP Implementation.
virtual-address 10.10.10.2 virtual-address 10.10.10.3 ! vrrp-group 222 no shutdown The following example shows the same VRRP group (VRID 111) configured on multiple interfaces on different subnets. Dell#show vrrp -----------------TenGigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1 State: Master, Priority: 255, Master: 10.10.10.
TenGigabitEthernet 1/2, VRID: 111, Net: 10.10.2.1 State: Master, Priority: 125, Master: 10.10.2.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 601, Gratuitous ARP sent: 2 Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address: 10.10.2.2 10.10.2.3 Authentication: (none) Configuring VRRP Authentication Simple authentication of VRRP packets ensures that only trusted routers participate in VRRP processes.
The following example shows how to disable preempt using the no preempt command. Dell(conf-if-te-1/1)#vrrp-group 111 Dell(conf-if-te-1/1-vrid-111)#no preempt Dell(conf-if-te-1/1-vrid-111)# The following example shows how to verify preempt is disabled using the show conf command. Dell(conf-if-te-1/1-vrid-111)#show conf ! vrrp-group 111 authentication-type simple 7 387a7f2df5969da4 no preempt priority 255 virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.3 virtual-address 10.10.
advertise-interval 10 authentication-type simple 7 387a7f2df5969da4 no preempt priority 255 virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.3 virtual-address 10.10.10.10 Track an Interface or Object You can set Dell Networking OS to monitor the state of any interface according to the virtual group. Each VRRP group can track up to 12 interfaces and up to 20 additional objects, which may affect the priority of the VRRP group.
EXEC mode or EXEC Privilege mode show running-config interface interface The following example shows how to configure tracking using the track command. Dell(conf-if-te-1/1)#vrrp-group 111 Dell(conf-if-te-1/1-vrid-111)#track Tengigabitethernet 1/2 The following example shows how to verify tracking using the show conf command.
vrrp-ipv6-group 1 track 2 priority-cost 20 track 3 priority-cost 30 virtual-address 2007::1 virtual-address fe80::1 no shutdown Setting VRRP Initialization Delay When configured, VRRP is enabled immediately upon system reload or boot. You can delay VRRP initialization to allow the IGP and EGP protocols to be enabled prior to selecting the VRRP Master. This delay ensures that VRRP initializes with no errors or conflicts. You can configure the delay for up to 15 minutes, after which VRRP enables normally.
Figure 118. VRRP for IPv4 Topology Examples of Configuring VRRP for IPv4 and IPv6 The following example shows configuring VRRP for IPv4 Router 2. R2(conf)#interface tengigabitethernet 2/31 R2(conf-if-te-2/31)#ip address 10.1.1.1/24 R2(conf-if-te-2/31)#vrrp-group 99 R2(conf-if-te-2/31-vrid-99)#priority 200 R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3 R2(conf-if-te-2/31-vrid-99)#no shut R2(conf-if-te-2/31)#show conf ! interface TenGigabitEthernet 2/31 ip address 10.1.1.
State: Master, Priority: 200, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:63 Virtual IP address: 10.1.1.3 Authentication: (none) R2# Router 3 R3(conf)#interface tengigabitethernet 3/21 R3(conf-if-te-3/21)#ip address 10.1.1.2/24 R3(conf-if-te-3/21)#vrrp-group 99 R3(conf-if-te-3/21-vrid-99)#virtual 10.1.1.
Figure 119. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. The following example shows configuring VRRP for IPv6 Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
vrrp-group 10 priority 100 virtual-address fe80::10 virtual-address 1::10 no shutdown R2(conf-if-te-1/1)#end R2#show vrrp -----------------TenGigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f VRF: 0 default-vrf State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local) Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135 Virtual MAC address: 00:00:5e:00:02:0a Virtual IP a
VRRP groups on each VRF instance in order that there is one MASTER and one backup router for each VRF. In VRF-1 and VRF-2, Switch-2 serves as owner-master of the VRRP group and Switch-1 serves as the backup. On VRF-3, Switch-1 is the owner-master and Switch-2 is the backup. In VRF-1 and VRF-2 on Switch-2, the virtual IP and node IP address, subnet, and VRRP group are the same.
S1(conf-if-te-1/2)#no shutdown ! S1(conf)#interface TenGigabitEthernet 1/3 S1(conf-if-te-1/3)#ip vrf forwarding VRF-3 S1(conf-if-te-1/3)#ip address 20.1.1.5/24 S1(conf-if-te-1/3)#vrrp-group 15 % Info: The VRID used by the VRRP group 15 in VRF 3 will be 243. S1(conf-if-te-1/3-vrid-105)#priority 255 S1(conf-if-te-1/3-vrid-105)#virtual-address 20.1.1.5 S1(conf-if-te-1/3)#no shutdown Dell#show vrrp tengigabitethernet 2/8 -----------------TenGigabitEthernet 2/8, IPv4 VRID: 1, Version: 2, Net: 10.1.1.
This VLAN scenario often occurs in a service-provider network in which you configure VLAN tags for traffic from multiple customers on customer-premises equipment (CPE), and separate VRF instances associated with each VLAN are configured on the provider edge (PE) router in the point-of-presence (POP).
10.1.1.100 Authentication: (none) VRRP in VRF: Switch-2 VLAN Configuration Switch-2 S2(conf)#ip vrf VRF-1 1 ! S2(conf)#ip vrf VRF-2 2 ! S2(conf)#ip vrf VRF-3 3 ! S2(conf)#interface TenGigabitEthernet 1/1 S2(conf-if-te-1/1)#no ip address S2(conf-if-te-1/1)#switchport S2(conf-if-te-1/1)#no shutdown ! S2(conf-if-te-1/1)#interface vlan 100 S2(conf-if-vl-100)#ip vrf forwarding VRF-1 S2(conf-if-vl-100)#ip address 10.10.1.
-----------------Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1 VRF: 2 vrf2 State: Master, Priority: 100, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:01 Virtual IP address: 10.1.1.
Figure 121. VRRP for IPv6 Topology NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be master even if one of two routers has a higher IP or IPv6 address.
interface TenGigabitEthernet 1/1 ipv6 address 1::1/64 vrrp-group 10 priority 100 virtual-address fe80::10 virtual-address 1::10 no shutdown R2(conf-if-te-1/1)#end R2#show vrrp -----------------TenGigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local) Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135 Virtual MAC addr
State: Master, Priority: 110, Master: fe80::201:e8ff:fe8a:e9ed (local) Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 120 Virtual MAC address: 00:00:5e:00:02:ff Virtual IP address: 10:1:1::255 fe80::255 Dell# Dell#show vrrp vrf vrf1 vlan 400 Vlan 400, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:e9ed VRF: 1 vrf1 State: Master, Priority: 200, Master: fe80::201:e8ff:fe8a:e9ed (local) Hold Down: 0 centi
56 Z-Series Debugging and Diagnostics This chapter describes debugging and diagnostics for the Z-Series platform. Topics: • • • • • • • • • • • Offline Diagnostics TRACE Logs Last Restart Reason Hardware Watchdog Timer show hardware Commands Environmental Monitoring Buffer Tuning Troubleshooting Packet Loss Enabling Application Core Dumps Mini Core Dumps Enabling TCP Dumps Offline Diagnostics The offline diagnostics test suite is useful for isolating faults and debugging hardware.
NOTE: The system reboots when the offline diagnostics completes. This is an automatic process in default mode. A warning message appears when you implement the offline stack-unit command: Warning - offline of stack unit will bring down all the protocols and the unit will be operationally down, except for running Diagnostics. Proceed with OfflineDiags [confirm yes/no]:y 2. Confirm offline status. EXEC Privilege mode show system brief Results are captured in one file whether for one unit or multiple units. 3.
-- Fan Status -Unit Bay TrayStatus Fan0 Speed Fan1 Speed ---------------------------------------0 0 up up 0 up 0 0 1 up up 16000 up 16000 0 2 up up 16000 up 16000 0 3 up up 16000 up 16000 Speed in RPM Dell# As shown in the following output example, log messages differ somewhat when diagnostics are done on a standalone unit.
diagS3240GetPsuOnStatus[580]: ERROR: PSU-1 is not present... diagS3240PsuTemperatureTest[258]: ERROR: Getting PSU -1 power status failed.. Test 3.001 - Psu temperature read test .............................. FAIL Test 3 - Psu Temperature Test ...................................... FAIL + TEST - 4 PSU [0] Fan Speed ---> 17441 RPM Test 4.000 - Psu Fan Speed Monitor Test ............................. PASS diagS3240GetPsuOnStatus[580]: ERROR: PSU-1 is not present...
CPU Version : Intel I386 Stack Unit Board temperature : 30 Degree C Stack Unit Number : 0 Serial Number : Z1FX111100005 Part Number : 7520051802 Product Revision : 02 Version : 8-3-11-631 --More- TRACE Logs In addition to the syslog buffer, to report hardware and software events and status information, Dell Networking OS buffers trace messages which are continuously written by various Dell Networking OS software tasks. Each TRACE message provides the date, time, and name of the Dell Networking OS process.
show hardware stack-unit {0-11} cpu management statistics ● View driver-level statistics for the data-plane port on the CPU for the specified stack-unit. show hardware stack-unit {0-11} cpu data-plane statistics It provides insight into the packet types entering the CPU to see whether CPU-bound traffic is internal (IPC traffic) or network control traffic, which the CPU must process. ● View the modular packet buffers details per stack unit and the mode of allocation.
Table 62.
Environmental Monitoring The Z9000 components use environmental monitoring hardware to detect transmit power readings, receive power readings, and temperature updates. To receive periodic power updates, enable the enable optic-info-update interval command. The output in the following example displays the environment status of the RPM.
Recognize an Under-Voltage Condition If the system detects an under-voltage condition, it declares an alarm. To recognize this condition, look for the system messages shown in the following example. %CHMGR-1-CARD_SHUTDOWN: Major alarm: Line card 2 down - auto-shutdown due to under voltage This message indicates that the specified card is not receiving enough power. In response, the system first shuts down Power over Ethernet (PoE).
Forwarding processor (FP) ASICs provide Ethernet MAC functions, queueing and buffering, as well as store feature and forwarding tables for hardware-based lookup and forwarding decisions. The 1G and 10G interfaces use different FPs. You can tune buffers at three locations. 1. CSF — Output queues going from the CSF. 2. FP Uplink — Output queues going from the FP to the CSF IDP links. 3. Front-End Link — Output queues going from the FP to the front-end PHY.
Buffer Tuning Points Decide to Tune Buffers Dell Networking recommends exercising caution when configuring any non-default buffer settings, as tuning can significantly affect system performance. The default values work for most cases. As ● ● ● a guideline, consider tuning buffers if traffic is very bursty (and coming from several interfaces). In this case: Reduce the dedicated buffer on all queues/interfaces. Increase the dynamic buffer on all interfaces.
● Change the maximum number of dynamic buffers an interface can request. BUFFER PROFILE mode buffer dynamic ● Change the number of packet-pointers per queue. BUFFER PROFILE mode buffer packet-pointers ● Apply the buffer profile to a line card. CONFIGURATION mode buffer fp-uplink linecard ● Apply the buffer profile to a CSF to FP link.
switchport no shutdown buffer-policy myfsbufferprofile Dell#show buffer-profile detail int gi 0/10 Interface Gi 0/10 Buffer-profile fsqueue-fp Dynamic buffer 1256.00 (Kilobytes) Queue# Dedicated Buffer Buffer Packets (Kilobytes) 0 3.00 256 1 3.00 256 2 3.00 256 3 3.00 256 4 3.00 256 5 3.00 256 6 3.00 256 7 3.00 256 Dell#show buffer-profile detail fp-uplink stack-unit 0 port-set 0 Linecard 0 Port-set 0 Buffer-profile fsqueue-hig Dynamic Buffer 1256.
Troubleshooting Packet Loss The show hardware stack-unit commands are intended primarily to troubleshoot packet loss. ● ● ● ● ● ● ● ● ● ● ● ● show hardware stack-unit cpu data-plane statistics show hardware stack-unit cpu party-bus statistics show hardware stack-unit 0-7 drops unit 0-5 port 0-49 show hardware stack-unit 0-7 unit 0-5 {counters | details | port-stats [detail] | register | execute-shell-cmd | ipmc-replication | table-dump}: show hardware {layer2| layer3} {e.g.
Internal 39 Internal 40 Internal 41 value = 0 = 0x0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Displaying Dataplane Statistics The show hardware stack-unit cpu data-plane statistics command provides insight into the packet types coming to the CPU. As shown in the following example, the show hardware stack-unit cpu data-plane statistics command output has been augmented, providing detailed RX/TX packet statistics on a per-queue basis.
Displaying Stack Member Counters The show hardware stack-unit 0–7 {counters | details | port-stats [detail] | register} command displays internal receive and transmit statistics, based on the selected command option. ● RIPC4.ge0 RUC.ge0 RDBGC0.ge0 RDBGC1.ge0 RDBGC5.ge0 RDBGC7.ge0 GR64.ge0 GR127.ge0 GR255.ge0 GRPKT.ge0 GRBYT.ge0 GRMCA.ge0 GRBCA.ge0 GT64.ge0 GT127.ge0 GT255.ge0 GT511.ge0 GTPKT.ge0 GTBCA.ge0 GTBYT.ge0 RUC.cpu0 TDBGC6.
panic string is : ----------------------STACK TRACE START--------------0035d60c : 00274f8c : 0024e2b0 : 0024dee8 : 0024d9c4 : 002522b0 : 0026a8d0 : 0026a00c : ------------------------STACK TRACE END------------------------------------------FREE MEMORY--------------uvmexp.
57 Standards Compliance This chapter describes standards compliance for Dell Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking Operating System (OS), Dell Networking OS also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance Dell Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell Networking OS first supports the standard. General Internet Protocols The following table lists the Dell Networking OS support per platform for general internet protocols. Table 64. General Internet Protocols RFC# Full Name S-Series 768 User Datagram Protocol 7.6.1 793 Transmission Control Protocol 7.6.
Table 65. General IPv4 Protocols (continued) RFC# Full Name S-Series 1042 A Standard for the Transmission of IP Datagrams over IEEE 802 Networks 7.6.1 1191 Path MTU Discovery 7.6.1 1305 Network Time Protocol (Version 3) Specification, Implementation and Analysis 7.6.1 1519 Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy 7.6.1 1542 Clarifications and Extensions for the Bootstrap Protocol 7.6.1 1812 Requirements for IP Version 4 Routers 7.6.
Table 66. General IPv6 Protocols (continued) RFC# Full Name S-Series 5175 IPv6 Router Advertisement Flags Option 8.3.12.0 Border Gateway Protocol (BGP) The following table lists the Dell Networking OS support per platform for BGP protocols. Table 67. Border Gateway Protocol (BGP) RFC# Full Name S-Series/Z-Series 1997 BGP ComAmtturnibituitees 7.8.1 2385 Protection of BGP Sessions via the TCP MD5 Signature Option 7.8.1 2439 BGP Route Flap Damping 7.8.
Intermediate System to Intermediate System (IS-IS) The following table lists the Dell Networking OS support per platform for IS-IS protocol. Table 69.
Table 71. Multicast (continued) RFC# Full Name S-Series 2236 Internet Group Management Protocol, Version 2 7.8.1 2710 Multicast Listener Discovery (MLD) for IPv6 3376 Internet Group Management Protocol, Version 3 7.8.1 3569 An Overview of Source-Specific Multicast (SSM) 7.8.
Table 72. Network Management (continued) RFC# Full Name S4810 2012 SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2 7.6.1 2013 SNMPv2 Management 7.6.1 Information Base for the User Datagram Protocol using SMIv2 2024 Definitions of Managed Objects for Data Link Switching using SMIv2 7.6.1 2096 IP Forwarding Table MIB 7.6.
Table 72. Network Management (continued) RFC# Full Name S4810 S4820T Z-Series 9.5.(0.0) 9.5.(0.0) 9.5.(0.0) 9.5.(0.0) radiusAuthClientUnknownTypes radiusAuthClientPacketsDroppe d 2698 A Two Rate Three Color Marker 9.5.(0.0) 3635 Definitions of Managed Objects for the Ethernet-like Interface Types 2674 Definitions of Managed Objects 7.6.
Table 72. Network Management (continued) RFC# Full Name S4810 S4820T Z-Series 4750 OSPF Version 2 Management Information Base 9.5.(0.0) 9.5.(0.0) 9.5.(0.0) 4502 RMON v2 MIB 9.5(0.0) 9.5(0.0) 9.5(0.0) 5060 Protocol Independent Multicast MIB 7.8.1 ANSI/TIA-1057 The LLDP Management Information Base extension module for TIA-TR41.4 Media Endpoint Discovery information 7.7.1 draft-grant-tacacs -02 The TACACS+ Protocol 7.6.
Table 72. Network Management (continued) RFC# Full Name S4810 sFlow.org sFlow Version 5 MIB 7.7.1 FORCE10-BGP4-V2MIB Force10 BGP MIB (draft-ietfidr-bgp4-mibv2-05) 7.8.1 f10–bmp-mib Force10 Bare Metal Provisioning 9.2(0.0) MIB FORCE10-FIB-MIB Force10 CIDR Multipath Routes MIB (The IP Forwarding Table provides information that you can use to determine the egress port of an IP packet and troubleshoot an IP reachability issue.
You also can obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/CSPortal20/Main/Login.aspx Some pages of iSupport require a login. To request an iSupport account, go to: https://www.force10networks.com/CSPortal20/AccountRequest/AccountRequest.aspx If you have forgotten or lost your account information, contact Dell TAC for assistance.