Dell EMC Configuration Guide for the S3048–ON System 9.14.2.8 September 2020 Rev.
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents (excerpt)

Chapter 1: About this Guide
  Audience
  Conventions
  Removing a Command from EXEC Mode
  Moving a Command from EXEC Privilege Mode to EXEC Mode
  Allowing Access to CONFIGURATION Mode Commands
  Allowing Access to Different Modes
  Configuring MAC addresses for a dot1x Profile
  Configuring the Static MAB and MAB Profile
  Configuring Critical VLAN
  Enabling 802.1X
  IP Prefix Lists
  Configuration Task List for Prefix Lists
  ACL Remarks
  Enabling four-byte autonomous system numbers
  Changing a BGP router ID
  Configuring AS4 Number Representations
  Configuring a BGP peer
  Configuring CoPP for Protocols
  Configuring CoPP for CPU Queues
  CoPP for OSPFv3 Packets
  Configuring CoPP for OSPFv3
  Configuring the Hash Algorithm Seed
  Link Bundle Monitoring
  Managing ECMP Group Paths
  Creating an ECMP Group Bundle
  Removing a Provisioned Logical Stack Unit
  Hitless Behavior
  Graceful Restart
  Configuring EIS
  Management Interfaces
  Configuring Management Interfaces
Chapter 20: Internet Protocol Security (IPSec)
  Configuring IPSec
Chapter 21: IPv4 Routing
  IP Addresses
  Implementing IPv6 with Dell EMC Networking OS
  ICMPv6
  Path MTU discovery
  Sample Configurations
Chapter 24: Link Aggregation Control Protocol (LACP)
  Introduction to Dynamic LAGs and LACP
  Important Points to Remember
  TIA Organizationally Specific TLVs
  Configure LLDP
  CONFIGURATION versus INTERFACE Configurations
  Enabling LLDP
  MSDP Sample Configurations
Chapter 29: Multicast Listener Discovery Protocol
  MLD timers
  Reducing Host Response Burstiness
Chapter 32: Object Tracking
  Object Tracking Overview
  Track Layer 2 Interfaces
  Track Layer 3 Interfaces
  Overview
  Implementing PBR
  Configuration Task List for Policy-based Routing
  Using the Private VLAN Commands
  Configuration Task List
  Creating PVLAN ports
  Guidelines for Configuring ECN for Classifying and Color-Marking Packets
  Sample configuration to mark non-ECN packets as “yellow” with multiple traffic classes
  Classifying Incoming Packets Using ECN and Color-Marking
  Sample configuration to mark non-ECN packets as “yellow” with a single traffic class
  RADIUS Accounting
  AAA Authentication
  Configuration Task List for AAA Authentication
  Enabling User Lockout for Failed Login Attempts
Chapter 46: Service Provider Bridging
  VLAN Stacking
  Configure VLAN Stacking
  Creating a Community
  Setting Up User-Based Security (SNMPv3)
  Enable SNMPv3 traps
  Reading Managed Object Values
  Enabling and Disabling a Port using SNMP
  Fetch Dynamic MAC Entries using SNMP
  Example of Deriving the Interface Index Number
  Protocol Overview
  Configure Spanning Tree
  Important Points to Remember
Chapter 54: Tunneling
  Configuring a Tunnel
  Configuring Tunnel Keepalive Settings
  Configuring a Tunnel Interface
  Additional ARP Refresh on VLTi
  PIM-Sparse Mode Support on VLT
  VLT Routing
  Non-VLT ARP Sync
  Creating a Non-Default VRF Instance
  Assigning an Interface to a VRF
  Assigning a Front-end Port to a Management VRF
  View VRF Instance Information
Chapter 63: Standards Compliance
  IEEE Compliance
  RFC and I-D Compliance
  General Internet Protocols
1 About this Guide This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system. S3048–ON stacking is supported with Dell EMC Networking OS version 9.7(0.1) and beyond. Though this guide contains information about protocols, it is not intended to be a complete reference.
2 Configuration Fundamentals The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
● EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information. ● EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted.
Additional CLI modes: uBoot, BGP ADDRESS-FAMILY, ROUTER ISIS, ISIS ADDRESS-FAMILY, ROUTER OSPF, ROUTER OSPFV3, ROUTER RIP, SPANNING TREE, TRACE-LIST, VLT DOMAIN, VRRP, UPLINK STATE GROUP

Navigating CLI Modes
The Dell EMC Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode.
Table 1.
-- Stack Info --
Unit  UnitType    Status       ReqTyp    CurTyp    Version      Ports
----------------------------------------------------------------------
1     Management  online       S3048-ON  S3048-ON  1-0(0-3932)  52
2     Member      not present
3     Member      not present
4     Member      not present
5     Member      not present
6     Member      not present

-- Power Supplies --
Unit  Bay  Status  Type  FanStatus  FanSpeed(rpm)
-------------------------------------------------
1     1    up      AC    absent     0
1     2    absent        absent     0

-- Fan Status --
Unit  Bay  TrayStatus  Fan0  Speed  Fan1  Speed
-----------------------------------------------
1     1    up          up    0      up    0
1     2    up          up    0      up    0
1     3    up          up    0      up    0
Speed in RPM
● Entering ? after a partial keyword lists all of the keywords that begin with the specified letters.
DellEMC(conf)#cl?
class-map  clock
DellEMC(conf)#cl
● Entering [space]? after a keyword lists all of the keywords that can follow the specified keyword.
DellEMC(conf)#clock ?
summer-time    Configure summer (daylight savings) time
timezone       Configure time zone
DellEMC(conf)#clock

Entering and Editing Commands
Notes for entering commands:
● The CLI is not case-sensitive.
● You can enter partial CLI keywords.
Command History
The Dell EMC Networking OS maintains a history of previously entered commands for each mode. For example:
● When you are in EXEC mode, the UP and DOWN arrow keys recall the previously entered EXEC mode commands.
● When you are in CONFIGURATION mode, the UP and DOWN arrow keys recall the previously entered CONFIGURATION mode commands.
6     Member      not present

-- Power Supplies --
Unit  Bay  Status  Type  FanStatus  FanSpeed(rpm)
-------------------------------------------------
1     1    down    AC    up         8128
1     2    absent        absent     0

-- Fan Status --
Unit  Bay  TrayStatus  Fan0  Speed
----------------------------------
1     1    up          up    9900
1     2    up          up    9900
1     3    up          up    9900
Speed in RPM

The display command displays additional configuration information.
3 Getting Started
This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
Accessing the Console Port
To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.
3.
echo | ssh admin@hostname
The SSH server passes the terminal commands to the CLI shell and the results are displayed on the screen non-interactively.

Executing Local CLI Scripts Using an SSH Connection
You can execute CLI commands by entering a CLI script in one of the following ways:
ssh username@hostname
or
cat <CLIscript.file> | ssh admin@hostname
The script is run and the actions contained in the script are performed.
For unattended scripts, authenticate with an SSH key rather than a password typed into the script, and keep the switch's host key in the client's known_hosts so that the script fails instead of running against an unexpected host.
Accessing the System Remotely
Configuring the system for remote access is a three-step process, as described in the following topics:
1. Configure an IP address for the management port (Configure the Management Port IP Address).
2. Configure a management route with a default gateway (Configure a Management Route).
3. Configure a username and password (Configure a Username and Password).

Configure the Management Port IP Address
To access the system remotely, assign IP addresses to the management ports.
1.
○ secret: Specify a secret string for a user.
○ sha256-password: Uses the SHA-256-based method to protect the password.
○ encryption-type: Enter the encryption type for securing a user password. There are four encryption types.
■ 0 — input the password in clear text.
■ 5 — input a password that is already hashed with the MD5-based method.
■ 7 — input a password that is already encrypted with the DES method.
Type 0 sends the cleartext to the device over whatever session you are using. Type 7 is encryption, not a one-way hash: the device holds the key, so a type 7 string protects the password only as well as the configuration file is protected. Prefer sha256-password or secret for new accounts, and treat any configuration that contains type 7 strings as sensitive.
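The following is an added example, not code from the Dell guide. It generates a type 5 hash off-box so that the cleartext never has to be entered at the switch CLI and only a one-way value lands in the configuration. It implements the standard md5crypt ($1$) scheme; that this is exactly the format the switch accepts after `password 5` is an assumption drawn from the guide's description of type 5 as MD5. The user name and passphrase in the code are constructed; the test vector is the published md5crypt one.

```python
"""Generate a type 5 (MD5-based) password hash off-box for the username command.

Added example, not part of the Dell guide. Implements standard md5crypt ($1$);
that the switch accepts exactly this format for 'password 5' is an assumption
based on the guide calling type 5 "MD5". User name and passphrase are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> bytes:
    """md5crypt's base-64 variant: low 6 bits first, 'count' characters."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def new_salt() -> bytes:
    """8 random characters from the crypt alphabet, drawn from a CSPRNG."""
    return bytes(secrets.choice(ITOA64) for _ in range(8))


def md5crypt(password: bytes, salt: bytes) -> str:
    """Standard md5crypt: $1$<salt>$<22 chars>, 1000 fixed rounds."""
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split(b"$", 1)[0][:8]
    if not salt or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 characters from the crypt alphabet")

    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:            # one copy of 'alt' per 16 bytes of password
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                     # PHK's bit-walk over the password length
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):           # fixed-cost stretching
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()

    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                       for a, b, c in order) + _to64(final[11], 2)
    return (MAGIC + salt + b"$" + encoded).decode("ascii")


def username_line(user: str, password: str, salt: Optional[bytes] = None) -> str:
    """The configuration line to paste, with the hash already computed."""
    digest = md5crypt(password.encode("utf-8"), salt or new_salt())
    return f"username {user} password 5 {digest}"


def verify(password: str, stored: str) -> bool:
    """Check a candidate against a stored $1$ hash (constant-time compare)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    recomputed = md5crypt(password.encode("utf-8"), parts[2].encode("ascii"))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    # Constructed account; the passphrase never has to be typed on the switch.
    print(username_line("netops", "constructed-passphrase-only-for-demo"))
```

md5crypt's fixed 1000 rounds are cheap for anyone who obtains the configuration, so where the platform offers `sha256-password` or `secret`, use those instead; the point of pre-hashing is that the cleartext is never sent to the device and that what is stored is one-way, unlike type 7.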
Configuration File Management Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode. Copy Files to and from the System The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url. NOTE: For a detailed description of the copy command, refer to the Dell EMC Networking OS Command Reference.
Before executing any CLI command that performs file operations on an NFS share, you must first mount the NFS file system to a mount point on the device. Because multiple mount points can exist on a device, you must specify the mount point you want to use. The /f10/mnt/nfs directory is the root of all mount points. To mount an NFS file system, perform the following steps:
Table 4.
! 24 bytes successfully copied
DellEMC#
DellEMC#copy tftp://10.16.127.35/username/dv-maa-test ?
flash:          Copy to local file system ([flash://]filepath)
nfsmount:       Copy to nfs mount file system (nfsmount:///filepath)
running-config
remote host:
Destination file name [test.c]:
! 225 bytes successfully copied
DellEMC#

Save the Running-Configuration
The running-configuration contains the current system configuration. Dell EMC Networking recommends copying your running-configuration to the startup-configuration.
EXEC Privilege mode
show startup-config
The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
Table 6. Standard and Compressed Configurations
Table 6. Standard and Compressed Configurations (continued)
Uncompressed | Compressed
!
interface Vlan 5
 tagged te 1/1
 no ip address
 shutdown
!
interface Vlan 100
 no ip address
 no shutdown
!
interface Vlan 1000
 ip address 1.1.1.1/16
 no shutdown
Uncompressed config size – 52 lines

write memory compressed
The write memory compressed command writes the running configuration to the startup-config file in compressed mode.
-     -     network  rw  tftp:
-     -     network  rw  scp:
You can change the default file system so that file management commands apply to a particular device or memory. To change the default directory, use the following command.
● Change the default directory.
EXEC Privilege mode
cd directory

Enabling Software Features on Devices Using a Command Option
The capability to activate software applications or components on a device using a command is supported on this platform. Starting with Release 9.4(0.
Example of the show command-history Command
Example 1: Default configuration, service timestamps log datetime or service timestamps log datetime localtime
DellEMC(conf)#service timestamps log datetime
DellEMC#show command-history
- Repeated 1 time.
[May 17 15:38:55]: CMD-(CLI):[service timestamps log datetime]by default from console
[May 17 15:41:40]: CMD-(CLI):[write memory]by default from console
- Repeated 1 time.
[May 17 15:53:10]: CMD-(CLI):[no service timestamps log]by default from console
[May 17 15:53:16]: CMD-(CLI):[write memory]by default from console
- Repeated 3 times.
[May 17 15:53:22]: CMD-(CLI):[show logging]by default from console
- Repeated 1 time.
[May 17 15:53:36]: CMD-(CLI):[write memory]by default from console
- Repeated 5 times.
MD5
DellEMC# verify md5 flash:file-name
SHA256
DellEMC# verify sha256 flash://file-name

Examples: Entering the Hash Value for Verification
MD5
DellEMC# verify md5 flash://file-name 275ceb73a4f3118e1d6bcf7d75753459
SHA256
DellEMC# verify sha256 flash://file-name e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
Prefer the SHA-256 form: MD5 is no longer collision resistant. A match proves integrity only if the reference hash comes from a trusted source such as the vendor's download page over HTTPS, not from the same TFTP or HTTP server the file was copied from.

Using HTTP for File Transfers
Starting with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server.
4 Management This chapter describes the different protocols or services used to manage the Dell EMC Networking system.
Removing a Command from EXEC Mode To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.
privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
● Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
CONFIGURATION mode
privilege {configure | interface | line | route-map | router} level level {command ||...
DellEMC(conf-if-group-vl-1-2,gi-1/1)# no shutdown
DellEMC(conf-if-group-vl-1-2,gi-1/1)# end

Applying a Privilege Level to a Username
To set the user privilege level, use the following command.
● Configure a privilege level for a user.
CONFIGURATION mode
username username privilege level

Applying a Privilege Level to a Terminal Line
To set a privilege level for a terminal line, use the following command.
● Configure a privilege level for a terminal line.
● Clearing Audit Logs

Enabling Audit and Security Logs
You enable audit and security logs to monitor configuration changes and to determine whether those changes affect the operation of the system in the network. You log audit and security events to a system log server using the logging extended command in CONFIGURATION mode. This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control.

Audit Logs
The audit log contains configuration events and information.
Example of the show logging auditlog Command
DellEMC#show logging auditlog
May 12 12:20:25: DellEMC#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)
May 12 12:20:42: DellEMC#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)
May 12 12:20:42: DellEMC#: %CLI-6-service timestamps log datetime by admin from vty0 (10.14.1.
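Once audit and system messages reach a collector, someone has to read them. The following is an added example, not code from the Dell guide: it parses the two line shapes this chapter shows (the `show logging auditlog` records above, and the `%STKUNITn-M:CP %FACILITY-SEVERITY-MNEMONIC` system messages shown later in this chapter, optionally prefixed with the syslog `<PRI>` a collector stores) and flags events a security team would want to review. The sample lines are constructed in those shapes, and the list of commands it flags is this example's own policy rather than anything Dell defines.

```python
"""Triage Dell EMC Networking OS audit and system log lines.

Added example, not part of the Dell guide. Parses 'show logging auditlog'
records and '%STKUNITn-M:CP %FAC-SEV-MNEMONIC' system messages (optionally
behind a syslog <PRI>), and flags events worth a security review. Sample lines
are constructed; the flagged-command list is this example's own policy.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                              # syslog PRI, if relayed
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}):?\s+"
    r"(?:(?P<host>[^\s#]+)#:\s+)?"                            # 'DellEMC#: ' (audit log)
    r"(?:%STKUNIT(?P<unit>\d+)-M:CP\s+)?"                     # stack-unit tag (system log)
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<rest>.*)$"
)
AUDIT_RE = re.compile(
    r"^(?P<cmd>.*?) by (?P<user>\S+) from (?P<line>\S+)(?: \((?P<src>[^)]*)\))?$"
)

# Commands that reduce visibility or weaken access control (example policy).
WEAKENING_COMMANDS: List[Tuple["re.Pattern[str]", str]] = [
    (re.compile(r"^no logging\b"), "logging disabled or reduced"),
    (re.compile(r"^clear logging\b"), "log buffer cleared"),
    (re.compile(r"^username \S+ .*\b(password|secret) 0 "), "cleartext credential on command line"),
    (re.compile(r"^username \S+ .*\bprivilege 15\b"), "privilege-15 account created or changed"),
    (re.compile(r"^no aaa authentication\b"), "authentication method list removed"),
    (re.compile(r"^no access-class\b"), "line ACL removed"),
    (re.compile(r"^(ip telnet server enable|ftp-server enable)\b"), "cleartext management service enabled"),
]


@dataclass
class LogEvent:
    timestamp: str
    facility: str                    # Dell facility tag: CLI, SYS, FILEMGR, ...
    severity: int                    # 0 emergency .. 7 debug
    message: str
    mnemonic: Optional[str] = None   # e.g. CONFIG_I (system log only)
    command: Optional[str] = None    # audit log only
    user: Optional[str] = None
    line: Optional[str] = None
    source: Optional[str] = None
    syslog_facility: Optional[int] = None   # decoded from <PRI>
    syslog_severity: Optional[int] = None


def parse_line(text: str) -> Optional[LogEvent]:
    m = LINE_RE.match(text.strip())
    if not m:
        return None
    ev = LogEvent(timestamp=m["ts"], facility=m["fac"], severity=int(m["sev"]), message=m["rest"])
    if m["pri"] is not None:
        ev.syslog_facility, ev.syslog_severity = divmod(int(m["pri"]), 8)
    if ev.fac_is_audit():
        a = AUDIT_RE.match(m["rest"])            # '<command> by <user> from <line> (<src>)'
        if a:
            ev.command, ev.user, ev.line, ev.source = a["cmd"], a["user"], a["line"], a["src"]
    else:
        ev.mnemonic = m["rest"].split(":", 1)[0]
    return ev


def _fac_is_audit(self: LogEvent) -> bool:
    return self.facility == "CLI"


LogEvent.fac_is_audit = _fac_is_audit


def review_reason(ev: LogEvent) -> Optional[str]:
    if ev.severity <= 2:                          # emergency/alert/critical always reviewed
        return f"severity {ev.severity} event"
    if ev.command is not None:
        for pattern, reason in WEAKENING_COMMANDS:
            if pattern.search(ev.command):
                return reason
    return None


def triage(lines) -> List[Tuple[LogEvent, str]]:
    flagged = []
    for text in lines:
        ev = parse_line(text)
        if ev is None:
            continue                              # not a Dell OS line; leave to other parsers
        reason = review_reason(ev)
        if reason:
            flagged.append((ev, reason))
    return flagged


# Constructed sample in the shapes shown in this chapter.
SAMPLE_LINES = [
    "May 12 12:20:25: DellEMC#: %CLI-6-logging extended by admin from vty0 (10.14.1.98)",
    "May 12 12:20:42: DellEMC#: %CLI-6-configure terminal by admin from vty0 (10.14.1.98)",
    "May 12 12:21:03: DellEMC#: %CLI-6-username backup password 0 Summer2020 by admin from vty0 (10.14.1.98)",
    "May 12 12:21:30: DellEMC#: %CLI-6-no logging extended by admin from vty0 (10.14.1.98)",
    "<190>May 12 12:21:31 %STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by admin",
    "May 17 15:43:08 %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from console",
]

if __name__ == "__main__":
    for ev, reason in triage(SAMPLE_LINES):
        print(f"{ev.timestamp} {ev.user or '-'}@{ev.source or '-'}: {reason}: {ev.command or ev.message}")
```

The audit records identify who issued a command and from where, so the user and source address are kept on each event; a `no logging extended` issued from an unexpected address is the kind of thing this is meant to surface.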
%CHMGR-5-CARDDETECTED: Line card 8 present
%CHMGR-5-CARDDETECTED: Line card 10 present
%CHMGR-5-CARDDETECTED: Line card 12 present
%TSM-6-SFM_DISCOVERY: Found SFM 0
%TSM-6-SFM_DISCOVERY: Found SFM 1
%TSM-6-SFM_DISCOVERY: Found SFM 2
%TSM-6-SFM_DISCOVERY: Found SFM 3
%TSM-6-SFM_DISCOVERY: Found SFM 4
%TSM-6-SFM_DISCOVERY: Found SFM 5
%TSM-6-SFM_DISCOVERY: Found SFM 6
%TSM-6-SFM_DISCOVERY: Found SFM 7
%TSM-6-SFM_SWITCHFAB_STATE: Switch Fabric: UP
%TSM-6-SFM_DISCOVERY: Found SFM 8
%TSM-6-SFM_DISCOVERY: Found 9
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server.
DellEMC(conf)#ip ssh server enable
2. On the syslog server, create a reverse SSH tunnel from the syslog server to the Dell OS switch, using the following syntax:
ssh -R <port-on-switch>:<syslog-server-address>:<syslog-port> user@remote_host -nNf
Because the syslog server holds credentials for the switch in this design, give it a dedicated account and key used for nothing else. In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.
Configuring Login Activity Tracking To enable and configure login activity tracking, follow these steps: 1. Enable login activity tracking. CONFIGURATION mode login statistics enable After enabling login statistics, the system stores the login activity details for the last 30 days. 2. (Optional) Configure the number of days for which the system stores the user login statistics. The range is from 1 to 30.
-----------------------------------------------------------------
User: admin2
Last login time: 12:49:27 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.
Restrictions for Limiting the Number of Concurrent Sessions These restrictions apply for limiting the number of concurrent sessions: ● Only the system and security administrators can limit the number of concurrent sessions and enable the clear-line option. ● Users can clear their existing sessions only if the system is configured with the login concurrent-session clearline enable command.
When you try to create more than the permitted number of sessions, the following message appears, prompting you to close one of the existing sessions. If you close any of the existing sessions, you are allowed to log in.
$ telnet 10.11.178.17
Trying 10.11.178.17...
Connected to 10.11.178.17.
Escape character is '^]'.
Login: admin
Password:
Maximum concurrent sessions for the user reached.
Current sessions for user admin:
   Line     Location
2  vty 0    10.14.1.97
3  vty 1    10.14.1.97
4  vty 2    10.14.1.97
5  vty 3    10.14.1.
CONFIGURATION mode
no logging monitor
● Disable console logging.
CONFIGURATION mode
no logging console

Sending System Messages to a Syslog Server
To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424, The Syslog Protocol (R. Gerhards, Adiscon GmbH, March 2009), which obsoletes RFC 3164; and RFC 5426, Transmission of Syslog Messages over UDP.
● Specify the server to which you want to send system messages.
● Specify the size of the logging buffer. CONFIGURATION mode logging buffered size NOTE: When you decrease the buffer size, Dell EMC Networking OS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer. ● Specify the number of messages that Dell EMC Networking OS saves to its logging history table.
Configuring a UNIX Logging Facility Level You can save system log messages with a UNIX system logging facility. To configure a UNIX logging facility level, use the following command. ● Specify one of the following parameters.
line {console 0 | vty number [end-number] | aux 0} Configure the following parameters for the virtual terminal lines: ● number: the range is from zero (0) to 8. ● end-number: the range is from 1 to 8. You can configure multiple virtual terminals at one time by entering a number and an end-number. 2. Configure a level and set the maximum number of messages to print.
[May 17 15:43:16]: CMD-(CLI):[show logging]by default from console
[May 17 15:43:22]: CMD-(CLI):[show command-history]by default from console
DellEMC#
DellEMC#show logging
Syslog logging: enabled
    Console logging: disabled
    Monitor logging: level debugging
    Buffer logging: level debugging, 7 Messages Logged, Size (40960 bytes)
    Trap logging: level informational
    Last logging buffer cleared: May 17 15:38:38
May 17 15:43:08 %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from console
May 17 15:42:52 %STKUNIT1-M:CP %FIL
DellEMC(conf)#service timestamps log uptime
DellEMC#show clock
15:51:47.
%STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from console
%STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default
- repeated 3 times
%STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default

File Transfer Services
With Dell EMC Networking OS, you can configure the system to transfer files over the network using the file transfer protocol (FTP).
CONFIGURATION mode
ftp-server username username password [encryption-type] password
Configure the following optional and required parameters:
○ username: enter a text string.
○ encryption-type: enter 0 for plain text or 7 for encrypted text.
○ password: enter a text string.
NOTE: You cannot use the change directory (cd) command until you have configured ftp-server topdir.
To view the FTP configuration, use the show running-config ftp command in EXEC Privilege mode.
FTP carries the user name, password and file contents in cleartext. Enable the FTP server only while a transfer is needed, keep it reachable only from the management network, and prefer SCP (the scp: file-system prefix) where the peer supports it.
● To filter access exclusively using either IPv4 or IPv6 rules, use either the ipv4 or ipv6 attribute along with the access-class access-list-name command. Depending on the attribute that you specify (ipv4 or ipv6), the ACL processes either IPv4 or IPv6 rules, but not both. Using this configuration, you can set up two different types of access classes, with each class processing either IPv4 or IPv6 rules separately.
To apply an IP ACL to a line, use the following command.
local     Prompt for the system username and password.
none      Do not authenticate the user.
radius    Prompt for a username and password and use a RADIUS server to authenticate.
tacacs+   Prompt for a username and password and use a TACACS+ server to authenticate.
Methods in a list are tried in order, and a later method is consulted only when the earlier one cannot answer (for example, no RADIUS or TACACS+ server responds). A list that ends in none therefore admits anyone while the servers are unreachable, so avoid none on lines reachable over the network.
1. Configure an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication method for terminal lines is local and the default method list is empty.
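The settings in this chapter are easy to get wrong and hard to spot in a long running-config. The following is an added example, not code from the Dell guide: it reads a configuration text and reports the weak settings discussed here, that is, user and FTP passwords entered as type 0 or 7, VTY lines with no access-class, login method lists that fall back to none, and the cleartext Telnet and FTP services being enabled. The command shapes it looks for follow those shown in this guide (the exact indentation of sub-commands in a real running-config is an assumption); the sample configuration is constructed and the rule set is this example's own policy.

```python
"""Audit a Dell EMC Networking OS running-config for weak management-plane settings.

Added example, not part of the Dell guide. Command shapes follow the guide;
one-space indentation of sub-commands is assumed; the sample configuration is
constructed and the rule set is this example's own policy.
"""
import re
from typing import Dict, List, Tuple

PASSWORD_RE = re.compile(r"^(?:ftp-server )?username (?P<user>\S+)\b.*\bpassword (?P<type>\d) ")
LOGIN_LIST_RE = re.compile(r"^aaa authentication login (?P<name>\S+) (?P<methods>.+)$")
VTY_RE = re.compile(r"^line vty \d+(?: \d+)?$")
CLEARTEXT_SERVICES = {
    "ip telnet server enable": "Telnet server enabled (cleartext protocol)",
    "ftp-server enable": "FTP server enabled (cleartext protocol)",
}


def split_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group a running-config into (top-level command, [indented sub-commands])."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.rstrip(), []))
    return blocks


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Return (offending command, finding) pairs in configuration order."""
    blocks = split_blocks(config)
    method_lists: Dict[str, List[str]] = {}
    for head, _ in blocks:                       # first pass: learn the method lists
        m = LOGIN_LIST_RE.match(head)
        if m:
            method_lists[m["name"]] = m["methods"].split()

    findings: List[Tuple[str, str]] = []
    for head, subs in blocks:
        m = PASSWORD_RE.match(head)
        if m:
            if m["type"] == "0":
                findings.append((head, f"password for {m['user']} given as type 0 (cleartext)"))
            elif m["type"] == "7":
                findings.append((head, f"password for {m['user']} stored as type 7 (reversible, not a hash)"))
            continue
        if head in CLEARTEXT_SERVICES:
            findings.append((head, CLEARTEXT_SERVICES[head]))
            continue
        m = LOGIN_LIST_RE.match(head)
        if m:
            if "none" in m["methods"].split():
                findings.append((head, f"method list {m['name']} falls back to none (unauthenticated access)"))
            continue
        if VTY_RE.match(head):
            if not any(s.startswith("access-class ") for s in subs):
                findings.append((head, "VTY line has no access-class; reachable from any source"))
            for s in subs:
                if s.startswith("login authentication "):
                    name = s.split()[2]
                    if "none" in method_lists.get(name, []):
                        findings.append((head, f"VTY line uses method list {name}, which allows none"))
    return findings


# Constructed running-config excerpt in the command shapes shown in this chapter.
SAMPLE_CONFIG = """\
!
username admin privilege 15 password 7 f4a2b8c1d3e5f6a7
username backup password 0 Summer2020
username svc-automation password 5 $1$Qw3rTy8u$constructedmd5crypthashXY
!
aaa authentication login default local
aaa authentication login lab-fallback tacacs+ none
!
ip telnet server enable
ip ssh server enable
ftp-server enable
ftp-server username xfer password 7 0a1b2c3d4e5f
!
ip access-list standard MGMT-HOSTS
 seq 5 permit 10.14.1.0/24
!
line console 0
line vty 0
 access-class MGMT-HOSTS
 login authentication default
line vty 1 8
 login authentication lab-fallback
!
"""

if __name__ == "__main__":
    for head, finding in audit_config(SAMPLE_CONFIG):
        print(f"{finding:65s} <- {head}")
```

Run it against `show running-config` output saved from the switch; the point of the two-pass structure is that a method list can be defined after the line that references it, and the VTY finding should still name the list that lets unauthenticated users in.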
Using Telnet to get to Another Network Device
To telnet to another device, use the following commands.
NOTE: The device allows 120 Telnet sessions per minute, allowing the login and logout of 10 Telnet sessions, 12 times in a minute. If the system reaches this limit, which is unlikely in practice, the Telnet service is stopped for 10 minutes. You can use the console and SSH service to access the system during the downtime.
● Telnet to a device with an IPv4 or IPv6 address.
! Locks configuration mode exclusively.
DellEMC(conf)#
If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 1):
% Error: User "" on line console0 is in exclusive configuration mode.
● Reload the system if a configuration change to the NVRAM requires a device reload.
EXEC Privilege mode
reload conditional nvram-cfg-change
● Reload the system into the Dell diagnostics mode.
EXEC Privilege mode
reload dell-diag
● Reload the system into the ONIE mode.
EXEC Privilege mode
reload onie [install | uninstall | rescue]
Use the install parameter to reload the system and enter the Install mode to install a networking OS.
5 802.1X 802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example). 802.
● The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
● The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant.
Figure 5. EAP Port-Authentication
EAP over RADIUS
802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.
Figure 6. EAP Over RADIUS
RADIUS Attributes for 802.1X Support
Dell EMC Networking systems include the following RADIUS attributes in all 802.
Configuring 802.1X
Configuring 802.1X on a port is a one-step process. For more information, refer to Enabling 802.1X.
Related Configuration Tasks
● Configuring Request Identity Re-Transmissions
● Forcibly Authorizing or Unauthorizing a Port
● Re-Authenticating a Port
● Configuring Timeouts
● Configuring a Guest VLAN
● Configuring an Authentication-Fail VLAN
Important Points to Remember
● Dell EMC Networking OS supports 802.
DOT1X PROFILE CONFIG (conf-dot1x-profile)
mac mac-address
mac-address: enter the keyword mac and type the 48-bit MAC addresses using the nn:nn:nn:nn:nn:nn format. A maximum of 6 MAC addresses are allowed.
The following example configures 2 MAC addresses and then displays these addresses.
Auth PAE State: Authenticated
Backend State: Idle
Configuring Critical VLAN
By default, a critical VLAN is not configured. If authentication fails because the authentication server is not reachable, the user session is authenticated under the critical VLAN. To configure a critical VLAN for users or devices when the authentication server is not reachable, use the following command.
Enabling 802.1X
Enable 802.1X globally.
Figure 7. 802.1X Enabled
1. Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3. Enable 802.1X on the supplicant interface only.
INTERFACE mode
dot1x authentication
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
no ip address
dot1x authentication
no shutdown
!
DellEMC#
To view 802.1X configuration information for an interface, use the show dot1x interface command. In the following example, the bold lines show that 802.1X is enabled and that the port is unauthorized by default.
DellEMC#show dot1x interface GigabitEthernet 2/1/ 802.
Configuring a Quiet Period after a Failed Authentication If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default. You can configure this period. NOTE: The quiet period (dot1x quiet-period) is the transmit interval after a failed authentication; the Request Identity Re-transmit interval (dot1x tx-period) is for an unresponsive supplicant. To configure a quiet period, use the following command.
dot1x port-control {force-authorized | force-unauthorized | auto}
The default state is auto. The example shows configuration information for a port that has been force-authorized. The bold line shows the new port-control state.
DellEMC(conf-if-Gi-1/1)#dot1x port-control force-authorized
DellEMC(conf-if-Gi-1/1)#show dot1x interface GigabitEthernet 1/1
802.
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Auth PAE State: Initialize
Backend State: Initialize
Configuring Timeouts
If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default.
Configuring Dynamic VLAN Assignment with Port Authentication
Dell EMC Networking OS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure:
1. The host sends a dot1x packet to the Dell EMC Networking system.
2. The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number.
3.
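Both the EAP-over-RADIUS encapsulation (attribute type 79, described under EAP over RADIUS above) and the VLAN assignment through attribute 81 can be seen in the packet bytes. The following Python script is an added example, not code from this guide or from Dell EMC Networking OS: it builds the Access-Request an authenticator sends, carrying the supplicant's EAP Response/Identity as EAP-Message (79) and protected by a Message-Authenticator (80) as RFC 3579 requires, then parses a constructed Access-Accept that assigns a VLAN through Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81). The shared secret, the identity alice, the fixed Request Authenticator and VLAN 200 are sample values.

```python
import hashlib
import hmac
import struct
from typing import Iterator, Optional, Tuple

# RADIUS codes and attribute numbers used here (RFC 2865, RFC 2868, RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 1, 64, 65
EAP_MESSAGE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 79, 80, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute in Type-Length-Value form; Length counts the 2-byte header."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tunnel_attr(atype: int, tag: int, value: bytes) -> bytes:
    """Tunnel attributes (RFC 2868) carry a one-octet Tag before the value."""
    return attr(atype, bytes([tag]) + value)


def eap_identity_response(identifier: int, identity: bytes) -> bytes:
    """EAP Response/Identity: Code, Identifier, Length, Type, Type-Data (RFC 3748)."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def parse_attributes(pkt: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for each attribute; reject lengths that overrun the packet."""
    pos, length = 20, struct.unpack("!H", pkt[2:4])[0]
    if length > len(pkt):
        raise ValueError("RADIUS length field exceeds packet size")
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, pkt[pos + 2:pos + alen]
        pos += alen


def build_access_request(secret: bytes, identity: bytes, eap_id: int, request_auth: bytes) -> bytes:
    """Authenticator -> server: the supplicant's EAP message travels as attribute 79 and
    attribute 80 carries HMAC-MD5(secret, whole packet with attribute 80 zeroed)."""
    prefix = attr(USER_NAME, identity) + attr(EAP_MESSAGE, eap_identity_response(eap_id, identity))
    body = prefix + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    pos = 20 + len(prefix) + 2                      # offset of the 16 zero bytes
    return pkt[:pos] + mac + pkt[pos + 16:]


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """RFC 3579 3.2: a request with EAP-Message but no valid Message-Authenticator is discarded."""
    pos, length = 20, struct.unpack("!H", pkt[2:4])[0]
    while pos + 1 < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False


def build_access_accept_vlan(secret: bytes, request: bytes, vlan_id: int) -> bytes:
    """Server -> authenticator: Access-Accept assigning a VLAN through the tunnel attributes.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = (tunnel_attr(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tunnel_attr(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, 1, str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(secret: bytes, request: bytes, response: bytes) -> bool:
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def vlan_from_access_accept(pkt: bytes) -> Optional[int]:
    """Dynamic VLAN assignment as a switch should do it: honour Tunnel-Private-Group-ID (81)
    only when Tunnel-Type is VLAN (13) and Tunnel-Medium-Type is IEEE-802 (6)."""
    if pkt[0] != ACCESS_ACCEPT:
        return None
    found = {}
    for atype, value in parse_attributes(pkt):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(value[1:], "big")          # skip the Tag octet
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            found[atype] = value[1:] if value[0] <= 0x1F else value  # Tag is optional here (RFC 2868 3.6)
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE802:
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    return int(group) if group and group.isdigit() else None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # sample value, not a deployment secret
    req = build_access_request(secret, b"alice", 7, bytes(range(16)))  # fixed authenticator for reproducibility
    print("Message-Authenticator valid:", verify_message_authenticator(secret, req))
    acc = build_access_accept_vlan(secret, req, 200)
    print("Response Authenticator valid:", verify_response_authenticator(secret, req, acc))
    print("Assigned VLAN:", vlan_from_access_accept(acc))
```

The parser accepts attribute 81 only when the Tunnel-Type and Tunnel-Medium-Type attributes say VLAN over IEEE 802, and the Response Authenticator is checked against the original request, so an Access-Accept that was not computed with the shared secret does not move a port into a VLAN.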
Guest and Authentication-Fail VLANs Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data. NOTE: Ports cannot be dynamically assigned to the default VLAN.
dot1x authentication
dot1x guest-vlan 200
no shutdown
DellEMC(conf-if-gi-2/1)#
DellEMC(conf-if-gi-2/1)#dot1x auth-fail-vlan 100 max-attempts 5
DellEMC(conf-if-gi-2/1)#show config
!
interface GigabitEthernet 2/1
switchport
dot1x authentication
dot1x guest-vlan 200
dot1x auth-fail-vlan 100 max-attempts 5
no shutdown
DellEMC(conf-if-gi-2/1)#
View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN, or using the show dot1x interface command fr
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) This section describes the access control list (ACL) virtual local area network (VLAN) group, and content addressable memory (CAM) enhancements.
The ACL manager does not notify the ACL agent in the following cases:
● The ACL VLAN group is created.
● The ACL VLAN group is deleted and it does not contain VLAN members.
● The ACL is applied or removed from a group and the ACL group does not contain a VLAN member.
● The description of the ACL group is added or removed.
acl-vlan-group {group name}
2. Add a description to the ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
description description
3. Add VLAN member(s) to an ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
member vlan {VLAN-range}
4. Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
Viewing CAM Usage View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL subpartitions) using the show cam-usage command in EXEC Privilege mode. Display Layer 2, Layer 3, ACL, or all CAM usage statistics.
The following output displays CAM space usage for Layer 2 ACLs:
DellEMC#show cam-usage switch
Stackunit|Portpipe| CAM Partition   | Total CAM   | Used CAM    |Available CAM
========|========|=================|=============|=============|==============
   1    |   0    | IN-L2 ACL       |    1536     |      0      |    1536
        |        | OUT-L2 ACL      |     206     |      9      |     197
   2    |   0    | IN-L2 ACL       |    1536     |      0      |    1536
        |        | OUT-L2 ACL      |     206     |      9      |     197
   3    |   0    | IN-L2 ACL       |    1536     |      0      |    1536
        |        | OUT-L2 ACL      |     206     |      9      |     197
        |        | IN-L3 ECMP GRP  |    1024     |      0      |    1024
Codes: * - cam usage is above
7 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
• Assign an IP ACL to an Interface
• Applying an IP ACL
• Configure Ingress ACLs
• Configure Egress ACLs
• IP Prefix Lists
• ACL Remarks
• ACL Resequencing
• Route Maps
• Logging of ACL Processes
• Flow-Based Monitoring
IP Access Control Lists (ACLs)
In Dell EMC Networking switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address.
CAM Optimization When you enable this command, if a policy map containing classification rules (ACL and/or dscp/ ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only one FP entry is used). When you disable this command, the system behaves as described in this chapter. Test CAM Usage This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs.
ACL Optimization If an access list contains duplicate entries, Dell EMC Networking OS deletes one entry to conserve CAM space. Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM entries to identify whether the access list is a standard or extended ACL.
Configuration Task List for Route Maps Configure route maps in ROUTE-MAP mode and apply the maps in various commands in ROUTER RIP and ROUTER OSPF modes. The following list includes the configuration tasks for route maps, as described in the following sections.
level stub-area DellEMC# The following example shows a route map with multiple instances. The show config command displays only the configuration of the current route map instance. To view all instances of a specific route map, use the show route-map command.
Configuring Match Routes
To configure match criterion for a route map, use the following commands.
● Match routes with the same AS-PATH numbers.
CONFIG-ROUTE-MAP mode
match as-path as-path-name
● Match routes with COMMUNITY list attributes in their path.
CONFIG-ROUTE-MAP mode
match community community-list-name [exact]
● Match routes whose next hop is a specific interface.
To create route map instances, use these commands. There is no limit to the number of match commands per route map, but the convention is to keep the number of match filters in a route map low. Set commands do not require a corresponding match command.
Configuring Set Conditions
To configure a set condition, use the following commands.
● Add an AS-PATH number to the beginning of the AS-PATH.
CONFIG-ROUTE-MAP mode
set as-path prepend as-number [...
a routing protocol. Other attributes that can be changed include the metric type (for example, external and internal route types in OSPF) and route tag. Use the redistribute command in OSPF, RIP, ISIS, and BGP to set some of these attributes for routes that are redistributed into those protocols. Route maps add to that redistribution capability by allowing you to match specific routes and set or change more attributes when redistributing those routes.
IP Fragment Handling
Dell EMC Networking OS supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent packets. It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable to all Layer protocols (permit/deny ip/tcp/udp/icmp).
● Both standard and extended ACLs support IP fragments.
● Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments.
Example of Permitting All Packets from a Specified Host
DellEMC(conf)#ip access-list extended ABC
DellEMC(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
DellEMC(conf-ext-nacl)#deny ip any any fragment
DellEMC(conf-ext-nacl)#
In the following example, the TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are permitted.
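The behaviour described for list ABC (a Layer 4 rule still permits non-initial fragments from the host, and deny ip any any fragment catches every other non-initial fragment) is easy to misread when reviewing an ACL. The following Python script is an added example, not code from this guide or from Dell EMC Networking OS: it parses rules in the show config syntax and evaluates constructed packets against them with those fragment semantics, first match wins and implicit deny at the end. One point is an assumption of the example rather than a statement of the guide: a deny rule that carries Layer 4 information is treated as not matching a non-initial fragment, following the statement above that a Layer 4 rule cannot be applied to such fragments.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # Layer 4 qualifier ("eq <port>"), if any
    fragments: bool = False      # "fragments" keyword: non-initial fragments only


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None    # None for a non-initial fragment: its L4 header is absent
    frag_offset: int = 0           # > 0 marks a non-initial fragment
    more_fragments: bool = False   # set with frag_offset == 0 marks an initial fragment


def _parse_addr(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Accept 'any', 'host A.B.C.D', 'A.B.C.D/len' and the 'A.B.C.D /len' form show config prints."""
    tok = tokens[i]
    if tok == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1].startswith("/"):
        return ip_network(tok + tokens[i + 1], strict=False), i + 2
    return ip_network(tok, strict=False), i + 1


def parse_rule(line: str, seq: int) -> Rule:
    """Parse '[seq N] {permit|deny} proto src dst [eq port] [fragments]'."""
    tokens = line.split()
    if tokens[0] == "seq":
        seq, tokens = int(tokens[1]), tokens[2:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported rule: {line!r}")
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport, fragments = None, False
    while i < len(tokens):
        if tokens[i] == "eq":
            dport, i = int(tokens[i + 1]), i + 2
        elif tokens[i] in ("fragment", "fragments"):
            fragments, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {tokens[i]!r}")
    return Rule(seq, action, proto, src, dst, dport, fragments)


def parse_acl(lines: List[str]) -> List[Rule]:
    """Build the list in sequence order; a line without 'seq' gets the previous number plus 5."""
    rules, next_seq = [], 5
    for line in lines:
        rule = parse_rule(line, next_seq)
        rules.append(rule)
        next_seq = rule.seq + 5
    return sorted(rules, key=lambda r: r.seq)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in rule.src or ip_address(pkt.dst) not in rule.dst:
        return False
    non_initial = pkt.frag_offset > 0
    if rule.fragments:                 # the fragments keyword matches non-initial fragments only
        return non_initial
    if rule.dport is not None:         # the rule carries Layer 4 information
        if non_initial:
            # No L4 header to compare: a permit still lets the fragment through; a deny
            # cannot be applied to it and is skipped (assumption, see the lead-in).
            return rule.action == "permit"
        return pkt.dport == rule.dport
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; the implicit deny at the end reports seq None."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


if __name__ == "__main__":
    abc = parse_acl(["seq 5 permit tcp host 10.1.1.1 any eq 24", "seq 10 deny ip any any fragment"])
    for pkt in (Packet("10.1.1.1", "192.0.2.9", "tcp", dport=24),          # constructed packets
                Packet("10.1.1.1", "192.0.2.9", "tcp", frag_offset=185),
                Packet("10.9.9.9", "192.0.2.9", "tcp", frag_offset=185)):
        print(pkt, "->", evaluate(abc, pkt))
```

Running it against list ABC shows the three outcomes the text describes: a first fragment or whole packet to port 24 is permitted by seq 5, a non-initial TCP fragment from 10.1.1.1 is also permitted by seq 5 even though no port can be checked, and a non-initial fragment from any other host falls through to seq 10.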
seq 20 deny 10.4.0.0 /16
seq 25 deny 10.5.0.0 /16
seq 30 deny 10.6.0.0 /16
seq 35 deny 10.7.0.0 /16
seq 40 deny 10.8.0.0 /16
seq 45 deny 10.9.0.0 /16
seq 50 deny 10.10.0.0 /16
DellEMC#
The following example shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 25 was configured before filter 15, but the show config command displays the filters in the correct order.
DellEMC(config-std-nacl)#seq 25 deny ip host 10.5.0.
seq 50 permit tcp 10.8.0.0 /16 10.50.188.118 /31 eq 49 monitor 349
seq 55 permit udp 10.15.1.0 /24 10.50.188.118 /31 range 1812 1813
To delete a filter, enter the show config command in IP ACCESS LIST mode and locate the sequence number of the filter you want to delete. Then use the no seq sequence-number command in IP ACCESS LIST mode.
NOTE: When assigning sequence numbers to filters, you may have to insert a new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or another number. The example below shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 15 was configured before filter 5, but the show config command displays the filters in the correct order. DellEMC(config-ext-nacl)#seq 15 deny ip host 112.45.0.
● When Dell EMC Networking OS switches the packets, the egress L3 ACL filters the packet.
For the following features, if you enable counters on rules that have already been configured and a new rule is either inserted or prepended, all the existing counters are reset:
● L2 ingress access list
● L3 egress access list
● L2 egress access list
If a rule is simply appended, existing counters are not affected.
Table 7.
INTERFACE mode
ip access-list [standard | extended] name
To view which IP ACL is applied to an interface, use the show config command in INTERFACE mode, or use the show running-config command in EXEC mode.
DellEMC(conf-if)#show conf
!
interface GigabitEthernet 1/1
ip address 10.2.1.100 255.255.255.0
ip access-group nimule in
no shutdown
DellEMC(conf-if)#
To filter traffic on Telnet sessions, use only standard ACLs in the access-class command.
Configure Egress ACLs
Egress ACLs are applied to line cards and affect the traffic leaving the system. Configuring egress ACLs on physical interfaces protects the system infrastructure from attack, malicious and incidental, by explicitly allowing only authorized traffic. These system-wide ACLs eliminate the need to apply ACLs to each interface and achieve the same results. Because the target traffic is handled in one place, the implementation is simpler. To restrict egress traffic, use an egress ACL.
1. Apply Egress ACLs to IPv4 system traffic.
CONFIGURATION mode
ip control-plane [egress filter]
2. Apply Egress ACLs to IPv6 system traffic.
CONFIGURATION mode
ipv6 control-plane [egress filter]
3. Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.
● Use a prefix list for route redistribution
For a complete listing of all commands related to prefix lists, refer to the Dell EMC Networking OS Command Line Interface Reference Guide.
Creating a Prefix List
To create a prefix list, use the following commands.
1. Create a prefix list and assign it a unique name. You are in PREFIX LIST mode.
CONFIGURATION mode
ip prefix-list prefix-name
2. Create a prefix list with a sequence number and a deny or permit action.
● le max-prefix-length: is the maximum prefix length to be matched (0 to 32).
The example shows a prefix list in which the sequence numbers were assigned by the software. The filters were assigned sequence numbers based on the order in which they were configured (for example, the first filter was given the lowest sequence number). The show config command in PREFIX LIST mode displays two filters with the sequence numbers 5 and 10.
DellEMC(conf-nprefixl)#permit 123.23.0.0 /16
DellEMC(conf-nprefixl)#deny 133.
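To see how the ge and le keywords change what a prefix-list entry matches, the following Python class is an added example, not code from this guide or from Dell EMC Networking OS: it accepts entries in the command syntax shown above, numbers unnumbered entries in steps of 5 as the example output does, and evaluates routes in sequence order with the implicit deny at the end. The prefixes and sequence numbers used in the usage section are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple


@dataclass
class PrefixRule:
    seq: int
    action: str                  # "permit" or "deny"
    prefix: IPv4Network
    ge: Optional[int] = None     # ge: minimum length of a matching route
    le: Optional[int] = None     # le: maximum length of a matching route

    def matches(self, route: IPv4Network) -> bool:
        if not route.subnet_of(self.prefix):          # the route must lie inside the entry's prefix
            return False
        if self.ge is None and self.le is None:       # no ge/le: only the exact length matches
            return route.prefixlen == self.prefix.prefixlen
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        hi = self.le if self.le is not None else self.prefix.max_prefixlen
        return lo <= route.prefixlen <= hi


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[PrefixRule] = []

    def add(self, action: str, prefix: str, ge: Optional[int] = None,
            le: Optional[int] = None, seq: Optional[int] = None) -> int:
        net = ip_network(prefix, strict=False)
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else net.max_prefixlen
        if action not in ("permit", "deny") or not net.prefixlen <= lo <= hi <= net.max_prefixlen:
            raise ValueError(f"invalid entry: {action} {prefix} ge {ge} le {le}")
        if seq is None:   # software-assigned number: the next multiple of 5 above the highest one
            seq = (max(r.seq for r in self.rules) // 5 + 1) * 5 if self.rules else 5
        self.rules = [r for r in self.rules if r.seq != seq] + [PrefixRule(seq, action, net, ge, le)]
        self.rules.sort(key=lambda r: r.seq)
        return seq

    def add_line(self, line: str) -> int:
        """Command syntax: [seq N] {permit|deny} A.B.C.D/len [ge N] [le N]; the show config
        form 'A.B.C.D /len' with a space before the length is accepted as well."""
        t = line.split()
        seq = None
        if t[0] == "seq":
            seq, t = int(t[1]), t[2:]
        action, prefix, i = t[0], t[1], 2
        if i < len(t) and t[i].startswith("/"):
            prefix, i = prefix + t[i], i + 1
        ge = le = None
        while i < len(t):
            if t[i] == "ge":
                ge, i = int(t[i + 1]), i + 2
            elif t[i] == "le":
                le, i = int(t[i + 1]), i + 2
            else:
                raise ValueError(f"unsupported keyword {t[i]!r}")
        return self.add(action, prefix, ge, le, seq)

    def evaluate(self, route: str) -> Tuple[str, Optional[int]]:
        """First matching entry wins; a route that matches nothing is denied (seq None)."""
        net = ip_network(route, strict=False)
        for r in self.rules:
            if r.matches(net):
                return r.action, r.seq
        return "deny", None


if __name__ == "__main__":
    pl = PrefixList("lab")   # constructed sample list
    pl.add_line("permit 123.23.0.0 /16")
    pl.add_line("permit 10.0.0.0/8 ge 16 le 24")
    for route in ("123.23.0.0/16", "123.23.1.0/24", "10.1.0.0/16", "10.1.1.0/25"):
        print(route, pl.evaluate(route))
```

The usage section makes the usual surprise visible: permit 123.23.0.0 /16 matches only the /16 itself, so a more specific 123.23.1.0/24 falls through to the implicit deny unless an le value is given.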
● Enter RIP mode.
CONFIGURATION mode
router rip
● Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a nonexistent prefix list, all routes are forwarded.
CONFIG-ROUTER-RIP mode
distribute-list prefix-list-name in [interface]
● Apply a configured prefix list to outgoing routes. You can specify an interface or type of route. If you enter the name of a nonexistent prefix list, all routes are forwarded.
You can include a remark with or without a remark number. If you do not enter a remark number, the remark inherits the sequence number of the last ACL rule. If there is no ACL rule when you enter a remark, the remark takes sequence number 5. If you configure two remarks with the same sequence number and different strings, the second one replaces the first string. You cannot configure two or more remarks with the same string and different sequence numbers.
seq 10 permit ip any any
ACL Resequencing
ACL resequencing allows you to renumber the rules and remarks in an access or prefix list. The placement of rules within the list is critical because packets are matched against rules in sequential order. Use resequencing whenever the current numbering scheme leaves no room to insert new rules in the required order. For example, the following table contains some rules that are numbered in increments of 1.
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
DellEMC# end
DellEMC# resequence access-list ipv4 test 2 2
DellEMC# show running-config acl
!
ip access-list extended test
remark 2 XYZ
remark 4 this remark corresponds to permit any host 1.1.1.1
seq 4 permit ip any host 1.1.1.1
remark 6 this remark has no corresponding rule
remark 8 this remark corresponds to permit ip any host 1.
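The numbering rules for remarks given under ACL Remarks and the effect of resequence access-list shown above can be checked with a small model. The following Python class is an added example, not code from this guide or from Dell EMC Networking OS: it applies the stated rules (a remark without a number inherits the sequence number of the last rule, or takes 5 when there is no rule; a second remark with the same number replaces the first; the same string cannot appear under two numbers) and renumbers rules and remarks together so that a remark stays with the rule it corresponds to. Automatic rule numbering in steps of 5 and the reading of "last rule" as the highest-numbered rule in the list are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    seq: int
    kind: str    # "rule" or "remark"
    text: str


class AccessList:
    """Rules and remarks of one access list, kept in sequence order with a remark
    placed before the rule that carries the same number."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Entry] = []

    def _rules(self) -> List[Entry]:
        return [e for e in self.entries if e.kind == "rule"]

    def _sort(self) -> None:
        self.entries.sort(key=lambda e: (e.seq, 0 if e.kind == "remark" else 1))

    def add_rule(self, text: str, seq: Optional[int] = None) -> int:
        if seq is None:   # assumption: automatic numbering continues in steps of 5
            rules = self._rules()
            seq = rules[-1].seq + 5 if rules else 5
        # Re-using a number replaces the rule that held it.
        self.entries = [e for e in self.entries if not (e.kind == "rule" and e.seq == seq)]
        self.entries.append(Entry(seq, "rule", text))
        self._sort()
        return seq

    def add_remark(self, text: str, seq: Optional[int] = None) -> int:
        if seq is None:   # no number given: inherit the last rule's number, or 5 if there is no rule
            rules = self._rules()
            seq = rules[-1].seq if rules else 5
        for e in self.entries:   # the same string may not exist under a different number
            if e.kind == "remark" and e.text == text and e.seq != seq:
                raise ValueError(f"remark {text!r} already exists with sequence number {e.seq}")
        # Same number, different string: the second remark replaces the first.
        self.entries = [e for e in self.entries if not (e.kind == "remark" and e.seq == seq)]
        self.entries.append(Entry(seq, "remark", text))
        self._sort()
        return seq

    def delete_rule(self, seq: int) -> None:
        """no seq <number>: removes the rule; a remark with that number stays behind."""
        self.entries = [e for e in self.entries if not (e.kind == "rule" and e.seq == seq)]

    def resequence(self, start: int, step: int) -> None:
        """resequence access-list: every distinct old number, in ascending order, receives the
        next new number, so a remark and the rule sharing its number stay together."""
        old_numbers = sorted({e.seq for e in self.entries})
        mapping = {old: start + i * step for i, old in enumerate(old_numbers)}
        for e in self.entries:
            e.seq = mapping[e.seq]

    def render(self) -> List[str]:
        """The lines show config would print for this list."""
        return [f"remark {e.seq} {e.text}" if e.kind == "remark" else f"seq {e.seq} {e.text}"
                for e in self.entries]


if __name__ == "__main__":
    acl = AccessList("test")   # constructed sample list
    acl.add_rule("permit ip any host 1.1.1.1", 5)
    acl.add_rule("permit ip any host 1.1.1.2", 10)
    acl.add_remark("this remark corresponds to permit ip any host 1.1.1.1", 5)
    acl.add_remark("this remark has no corresponding rule", 7)
    acl.resequence(2, 2)
    print("\n".join(acl.render()))
```

After resequence(2, 2) the standalone remark at 7 becomes remark 6 between seq 4 and seq 8, which is the same shape as the running-config shown above: a remark with no corresponding rule occupies a number of its own rather than being attached to a neighbour.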
Logging of ACL Processes This functionality is supported on the platform. To assist in the administration and management of traffic that traverses the device after being validated by the configured ACLs, you can enable the generation of logs for access control list (ACL) processes.
● A maximum of 125 ACL entries with permit action can be logged. A maximum of 126 ACL entries with deny action can be logged.
● For virtual ACL entries, the same match rule number is reused. Similarly, when an ACL entry is deleted that was previously enabled for ACL logging, the match rule number used by it is released back to the pool or available set of match indices so that it can be reused for subsequent allocations.
Behavior of Flow-Based Monitoring You can activate flow-based monitoring for a monitoring session using the flow-based enable command in the Monitor Session mode. When you enable this flow-based monitoring, traffic with particular flows that are traversing through the interfaces are examined in accordance with the applied ACLs. By default, flow-based monitoring is not enabled. There are two ways in which you can enable flow-based monitoring in Dell EMC Networking OS.
The show ip accounting commands have been enhanced to display whether monitoring is enabled for traffic that matches with the rules of the specific ACL.
Example Output of the show Command
DellEMC# show ip accounting access-list
!
Extended Ingress IP access list kar on GigabitEthernet 1/1
Total cam count 1
seq 5 permit ip 192.168.20.0/24 173.168.20.
DellEMC(conf)#do show monitor session 0
DellEMC(conf-mon-sess-0)#do show monitor session 0
SessID Source Destination Dir Rate Gre-Protocol FcMonitor ------ ---------------- ---------------- --------0 Gi 1/1 Gi 1/2 rx A N/A yes Mode Source IP Dest IP DSCP TTL Drop ---- --------- -------- ---- --- ---- Flow N/A 0 No N/A 0 N/
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 9. BFD in IPv4 Packet Format
Field: Description
Diagnostic Code: The reason that the last session failed.
State: The current local session state. Refer to BFD Sessions.
Flag: A bit that indicates packet function.
Field: Description
Your Discriminator: A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Desired Min TX Interval: The minimum rate at which the local system would like to send control packets to the remote system.
State: Description
Init: The local system is communicating.
Up: Both systems are exchanging control packets.
The session is declared down if:
● A control packet is not received within the detection time.
● Sufficient echo packets are lost.
● Demand mode is active and a control packet is not received in response to a poll packet.
BFD Three-Way Handshake
A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 11.
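The control packet fields, the detection time and the state changes described above can be exercised in code. The following Python script is an added example, not code from this guide or from Dell EMC Networking OS: it packs and unpacks the 24-byte mandatory section of a BFD control packet with the reception checks of RFC 5880, implements the state transitions (including the Down plus received Down to Init step mentioned above), computes the detection time from the neighbor's multiplier and the agreed interval, and walks the three-way handshake between two constructed endpoints. The discriminators and the 100 ms intervals are sample values.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Session states and diagnostic codes from RFC 5880 section 4.1.
ADMIN_DOWN, DOWN, INIT, UP = 0, 1, 2, 3
DIAG_NONE, DIAG_DETECT_EXPIRED, DIAG_NEIGHBOR_DOWN = 0, 1, 3


@dataclass
class BfdControl:
    """The 24-byte mandatory section of a BFD control packet (no authentication section)."""
    state: int = DOWN
    diag: int = DIAG_NONE
    poll: bool = False
    final: bool = False
    demand: bool = False
    detect_mult: int = 3
    my_disc: int = 0
    your_disc: int = 0                 # 0 until the remote discriminator has been learned
    desired_min_tx_us: int = 100_000   # 100 ms, as in the show bfd neighbors detail output above
    required_min_rx_us: int = 100_000
    required_min_echo_rx_us: int = 0   # 0 = echo function not supported
    version: int = 1

    def pack(self) -> bytes:
        # Byte 1: Sta (2 bits) | P | F | C | A | D | M
        flags = (self.state << 6) | (self.poll << 5) | (self.final << 4) | (self.demand << 1)
        return struct.pack("!BBBBIIIII", (self.version << 5) | self.diag, flags,
                           self.detect_mult, 24, self.my_disc, self.your_disc,
                           self.desired_min_tx_us, self.required_min_rx_us,
                           self.required_min_echo_rx_us)

    @classmethod
    def unpack(cls, raw: bytes) -> "BfdControl":
        problem = validate(raw)
        if problem:
            raise ValueError(problem)
        vd, flags, mult, _, my, your, tx, rx, echo = struct.unpack("!BBBBIIIII", raw[:24])
        return cls(flags >> 6, vd & 0x1F, bool(flags & 0x20), bool(flags & 0x10),
                   bool(flags & 0x02), mult, my, your, tx, rx, echo, vd >> 5)


def validate(raw: bytes) -> Optional[str]:
    """Reception checks from RFC 5880 section 6.8.6; returns the reason to discard, or None."""
    if len(raw) < 24:
        return "packet shorter than 24 bytes"
    vd, flags, mult, length = struct.unpack("!BBBB", raw[:4])
    my_disc, your_disc = struct.unpack("!II", raw[4:12])
    if vd >> 5 != 1:
        return "unsupported version"
    if length < 24 or length > len(raw):
        return "bad length field"
    if flags & 0x04:
        return "authentication present but not supported here"
    if mult == 0:
        return "detect multiplier is zero"
    if my_disc == 0:
        return "my discriminator is zero"
    if your_disc == 0 and (flags >> 6) not in (DOWN, ADMIN_DOWN):
        return "your discriminator is zero outside Down/AdminDown"
    return None


def next_state(local: int, remote: int, local_diag: int = DIAG_NONE) -> Tuple[int, int]:
    """State transition on receipt of a control packet (RFC 5880 6.8.6): returns (state, diag)."""
    if remote == ADMIN_DOWN:
        return (DOWN, DIAG_NEIGHBOR_DOWN) if local != DOWN else (local, local_diag)
    if local == DOWN and remote == DOWN:
        return INIT, local_diag            # the Down + received Down -> Init step described above
    if local == DOWN and remote == INIT:
        return UP, local_diag
    if local == INIT and remote in (INIT, UP):
        return UP, local_diag
    if local == UP and remote == DOWN:
        return DOWN, DIAG_NEIGHBOR_DOWN
    return local, local_diag


def detection_time_us(local_required_min_rx_us: int, remote_desired_min_tx_us: int,
                      remote_detect_mult: int) -> int:
    """Asynchronous mode: the remote multiplier times the agreed remote transmit interval."""
    return remote_detect_mult * max(local_required_min_rx_us, remote_desired_min_tx_us)


def handshake() -> List[Tuple[int, int]]:
    """Three-way handshake between two constructed endpoints A and B; returns the
    (A state, B state) pair after each packet is received and processed."""
    a, b = BfdControl(my_disc=0x1001), BfdControl(my_disc=0x2002)
    trace = []
    rx = BfdControl.unpack(a.pack())                    # A -> B: Down, Your Discriminator 0
    b.state, b.diag = next_state(b.state, rx.state, b.diag)
    b.your_disc = rx.my_disc                            # B learns A's discriminator
    trace.append((a.state, b.state))
    rx = BfdControl.unpack(b.pack())                    # B -> A: Init
    a.state, a.diag = next_state(a.state, rx.state, a.diag)
    a.your_disc = rx.my_disc
    trace.append((a.state, b.state))
    rx = BfdControl.unpack(a.pack())                    # A -> B: Up
    b.state, b.diag = next_state(b.state, rx.state, b.diag)
    trace.append((a.state, b.state))
    return trace


if __name__ == "__main__":
    print("handshake trace (A, B):", handshake())
    print("detection time (us):", detection_time_us(100_000, 100_000, 3))
```

With the parameters in the show bfd neighbors detail output above (local RX 100 ms, neighbor TX 100 ms, neighbor multiplier 3) the local detection time is 300 ms: three missed control packets from the neighbor bring the session down with diagnostic code 1.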
● Configure BFD for BGP
● Configure BFD for VRRP
● Configuring Protocol Liveness
Configure BFD for Physical Ports
Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
Int: GigabitEthernet 4/24
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 4
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 4
Role: Passive
Delete session on Down: False
Client Registered: CLI
Uptime: 00:09:06
Statistics:
Number of packets received from neighbor: 4092
Number of packets sent to neighbor: 4093
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Man
Establishing Sessions for Static Routes for Default VRF
Sessions are established for all neighbors that are the next hop of a static route on the default VRF.
Figure 12. Establishing Sessions for Static Routes
To establish a BFD session, use the following command.
● Establish BFD sessions for all neighbors that are the next hop of a static route.
Example Configuration and Verification
The following example contains static routes for both default and nondefault VRFs.
Dell#sh run | grep bfd
bfd enable
ip route bfd prefix-list p4_le
ip route bfd vrf vrf1
ip route bfd vrf vrf2
ip route bfd vrf vrf1 prefix-list p4_le
The following example shows that sessions are created for static routes for the default VRF.
Prefix lists are used in route maps and route filtering operations. You can use prefix lists as an alternative to existing access lists (ACLs). A prefix is a portion of the IP address. Prefix lists constitute any number of bits in an IP address starting from the far left bit of the far left octet. By specifying the exact number of bits in an IP address that belong to a prefix list, the prefix list can be used to aggregate addresses and perform some functions; for example, redistribution.
no ip route bfd [prefix-list prefix-list-name] [interval interval min_rx min_rx multiplier value role {active | passive}]
Configure BFD for IPv6 Static Routes
BFD offers systems a link state detection mechanism for static routes. With BFD, systems are notified to remove static routes from the routing table as soon as the link state change occurs, rather than waiting until packets fail to reach their next hop. Configuring BFD for IPv6 static routes is a three-step process:
1. Enable BFD globally.
2.
ipv6 route bfd vrf vrf-name [prefix-list prefix-list-name] [interval interval min_rx min_rx multiplier value role {active | passive}]
Example Configuration and Verification
The following example contains static routes for both default and nondefault VRFs.
Dell#show run | grep bfd
bfd enable
ipv6 route bfd prefix-list p6_le
ipv6 route bfd vrf vrf1
ipv6 route bfd vrf vrf2
ipv6 route bfd vrf vrf1 prefix-list p6_le
The following example shows that sessions are created for static routes for the default VRF.
Changing IPv6 Static Route Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all static routes. If you change a parameter, the change affects all sessions for static routes. To change parameters for static route sessions, use the following command.
● Change parameters for all static route sessions.
Establishing Sessions with OSPF Neighbors for the Default VRF
BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.
Figure 13. Establishing Sessions with OSPF Neighbors
To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands.
● Enable BFD globally.
The bold line shows the OSPF BFD sessions.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr    RemoteAddr   Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2    2.2.2.1      Gi 2/1     Up     100     100     3     O
* 2.2.3.1    2.2.3.2      Gi 2/2     Up     100     100     3     O
Changing OSPF Session Parameters
Configure BFD sessions with default intervals and a default role.
1. Enable BFD globally.
2. Establish sessions with OSPFv3 neighbors.
Related Configuration Tasks
● Changing OSPFv3 Session Parameters
● Disabling BFD for OSPFv3
Establishing Sessions with OSPFv3 Neighbors
You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPFv3 adjacency is in the Full state.
bfd all-neighbors
● Establish sessions with the OSPFv3 neighbors on a single interface in a specific VRF.
INTERFACE mode
ipv6 ospf bfd all-neighbors
● To disable BFD on a specific OSPFv3-enabled interface, use the ipv6 ospf bfd all-neighbors disable command. You can also use the no bfd enable command to disable BFD on a specific interface.
NOTE: You can create up to a maximum of 128 BFD sessions (combination of OSPFv2 and OSPFv3 with a timer of 300*300*3) for both default and nondefault VRFs.
Changing OSPFv3 Session Parameters
Configure BFD sessions with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPFv3 sessions or all OSPFv3 sessions on a particular interface. If you change a parameter globally, the change affects all OSPFv3 neighbor sessions.
Establishing Sessions with IS-IS Neighbors
BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface.
Figure 14. Establishing Sessions with IS-IS Neighbors
To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.
● Establish sessions with all IS-IS neighbors.
ROUTER-ISIS mode
bfd all-neighbors
● Establish sessions with IS-IS neighbors on a single interface.
LocalAddr    RemoteAddr   Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2    2.2.2.1      Gi 2/1     Up     100     100     3     I
Changing IS-IS Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface.
Figure 15. Establishing Sessions with BGP Neighbors
The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor:
● By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command).
● By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command).
BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
CONFIGURATION mode
bfd enable
2. Specify the AS number and enter ROUTER BGP configuration mode.
CONFIGURATION mode
router bgp as-number
3. Add a BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP mode
neighbor {ip-address | peer-group name} remote-as as-number
4. Enable the BGP neighbor.
CONFIG-ROUTERBGP mode
neighbor {ip-address | peer-group-name} no shutdown
5. Add a BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP mode
neighbor {ipv6-address | peer-group name} remote-as as-number
6.
bfd enable
2. Specify the AS number and enter ROUTER BGP configuration mode.
CONFIGURATION mode
router bgp as-number
3. Specify the address family as IPv4.
CONFIG-ROUTERBGP mode
address-family ipv4 vrf vrf-name
4. Add an IPv4 BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP_ADDRESSFAMILY mode
neighbor {ip-address | peer-group name} remote-as as-number
5. Enable the BGP neighbor.
CONFIG-ROUTERBGP_ADDRESSFAMILY mode
neighbor {ip-address | peer-group-name} no shutdown
6.
exit-address-family DellEMC(conf-router_bgp)# Disabling BFD for BGP You can disable BFD for BGP. To disable a BFD for BGP session with a specified neighbor, use the first command. To remove the disabled state of a BFD for BGP session with a specified neighbor, use the second command. The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
M - MPLS
V - VRRP
LocalAddr    RemoteAddr   Interface  State  Rx-int  Tx-int  Mult  Clients
* 1.1.1.3    1.1.1.2      Gi 6/1     Up     200     200     3     B
* 2.2.2.3    2.2.2.2      Gi 6/2     Up     200     200     3     B
* 3.3.3.3    3.3.3.2      Gi 6/3     Up     200     200     3     B
The following example shows viewing BFD neighbors with full detail. The bold lines show the BFD session parameters: TX (packet transmission), RX (packet reception), and multiplier (maximum number of missed packets).
The bold line shows the message displayed when you enable BFD for BGP connections.
R2# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 2
BGP table version is 0, main routing table version 0
BFD is enabled, Interval 200 Min_rx 200 Multiplier 3 Role Active
3 neighbor(s) using 24168 bytes of memory
Neighbor  AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State/Pfx
1.1.1.2 2.2.2.2 3.3.3.
...
R2# show ip bgp neighbors 2.2.2.4
BGP neighbor is 2.2.2.4, remote AS 1, external link
Member of peer-group pg1 for session parameters
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
...
Neighbor is using BGP peer-group mode BFD configuration
Peer active in peer-group outbound optimization
...
Configure BFD for VRRP
When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the route processor module (RPM).
To establish sessions with all VRRP neighbors, use the following command.
● Establish sessions with all VRRP neighbors.
INTERFACE mode
vrrp bfd all-neighbors
Establishing VRRP Sessions on VRRP Neighbors
The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. VRRP BFD sessions on the backup router cannot change to the UP state. Configure the master router to establish an individual VRRP session with the backup router.
vrrp bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
● Change parameters for a particular VRRP session.
INTERFACE mode
vrrp bfd neighbor ip-address interval milliseconds min_rx milliseconds multiplier value role [active | passive]
To view session parameters, use the show bfd neighbors detail command.
Disabling BFD for VRRP
If you disable any or all VRRP sessions, the sessions are torn down.
9 Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP) is an interdomain routing protocol that manages routing between edge routers. BGP uses an algorithm to exchange routing information between switches enabled with BGP. BGP determines a path to reach a particular destination using certain attributes while avoiding routing loops. BGP selects a single path as the best path to a destination network or host. You can also influence BGP to select a different path by altering some of the BGP attributes.
The devices within an AS (AS1 or AS2, as seen in the following illustration) exchange routing information using Internal BGP (IBGP), whereas the devices in different ASs communicate using External BGP (EBGP). IBGP provides routers inside the AS with the knowledge to reach routers external to the AS. EBGP routers exchange information with other EBGP routers as well as IBGP routers to maintain connectivity and accessibility.
Figure 17.
Figure 18. BGP Routers in Full Mesh
The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible.
AS4 Number Representation
Dell EMC Networking OS supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot.
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported.
● All AS numbers between 0 and 65535 are represented as a decimal number, when entered in the CLI and when displayed in the show commands outputs.
● AS numbers larger than 65535 are represented using ASDOT notation as .. For example: AS 65546 is represented as 1.10.
ASDOT representation combines the ASPLAIN and ASDOT+ representations.
DellEMC(conf-router_bgp)#do sho ip bgp
BGP table version is 28093, local router ID is 172.30.1.57
AS4 SUPPORT DISABLED
DellEMC(conf-router_bgp)#no bgp four-octet-as-support
DellEMC(conf-router_bgp)#sho conf
!
router bgp 100
 neighbor 172.30.1.250 local-as 65057
DellEMC(conf-router_bgp)#do show ip bgp
BGP table version is 28093, local router ID is 172.30.1.57
Four-Byte AS Numbers
You can use the 4-Byte (32-bit) format when configuring autonomous system numbers (ASNs).
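The three notations described above (ASPLAIN, ASDOT+, ASDOT), as an added example that is not part of the Dell EMC guide: it converts a 4-byte AS number between them, parses any of them back, and reports whether a value needs the 4-Byte AS numbers feature. The 65535/4294967295 boundaries and the 65546 = 1.10 sample are the guide's; the function names are this example's own.

```python
# Added example (not from the Dell EMC guide): 4-byte AS number notations.
# ASPLAIN : plain decimal for every value, 0..4294967295
# ASDOT+  : always <high>.<low>, high = asn // 65536, low = asn % 65536 (65546 -> 1.10, 100 -> 0.100)
# ASDOT   : ASPLAIN up to 65535, the ASDOT+ form above that (65546 -> 1.10, 100 -> 100)

AS_MAX = 4294967295          # largest 4-byte AS number
TWO_BYTE_MAX = 65535         # largest AS number that fits in 2 bytes


def _check(asn: int) -> int:
    """Reject values outside 0..4294967295."""
    if not isinstance(asn, int) or asn < 0 or asn > AS_MAX:
        raise ValueError(f"AS number out of range: {asn!r}")
    return asn


def to_asplain(asn: int) -> str:
    """ASPLAIN: plain decimal for every AS number."""
    return str(_check(asn))


def to_asdot_plus(asn: int) -> str:
    """ASDOT+: always <high>.<low>, each half a 16-bit value."""
    _check(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def to_asdot(asn: int) -> str:
    """ASDOT: ASPLAIN up to 65535, ASDOT+ form above that (65546 -> 1.10)."""
    _check(asn)
    return to_asplain(asn) if asn <= TWO_BYTE_MAX else to_asdot_plus(asn)


def parse_asn(text: str) -> int:
    """Accept any of the three notations and return the numeric AS number.

    "100" and "65546" are ASPLAIN; "0.100" and "1.10" are dotted. Both halves of a
    dotted value must fit in 16 bits, so "1.70000" is rejected rather than wrapped.
    """
    text = text.strip()
    if "." in text:
        high_s, low_s = text.split(".", 1)
        if not (high_s.isdigit() and low_s.isdigit()):
            raise ValueError(f"malformed dotted AS number: {text!r}")
        high, low = int(high_s), int(low_s)
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"dotted AS number component exceeds 65535: {text!r}")
        return (high << 16) | low
    if not text.isdigit():
        raise ValueError(f"malformed AS number: {text!r}")
    return _check(int(text))


def needs_four_octet_support(asn: int) -> bool:
    """True when the value cannot be carried in a 2-byte field, i.e. when the guide's
    4-Byte AS numbers feature (bgp four-octet-as-support) is required to use it."""
    return _check(asn) > TWO_BYTE_MAX


def format_asn(asn: int, notation: str) -> str:
    """Render asn in the notation selected by 'bgp asnotation {asplain | asdot | asdot+}'."""
    table = {"asplain": to_asplain, "asdot": to_asdot, "asdot+": to_asdot_plus}
    try:
        return table[notation](asn)
    except KeyError:
        raise ValueError(f"unknown notation: {notation!r}") from None


if __name__ == "__main__":
    # Constructed sample values, including the guide's 65546 and both range boundaries.
    for sample in ("100", "65535", "65546", "1.10", "65535.65535"):
        n = parse_asn(sample)
        print(f"{sample:>12} -> asplain={to_asplain(n)} asdot={to_asdot(n)} "
              f"asdot+={to_asdot_plus(n)} four-octet={needs_four_octet_support(n)}")
```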
State: Description
Idle: BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer.
Connect: In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active: The router resets the ConnectRetry timer to zero and returns to the Connect state.
Best Path Selection Criteria
Paths for active routes are grouped in ascending order according to their neighboring external AS number (BGP best path selection is deterministic by default, which means the bgp non-deterministic-med command is NOT applied). The best path in each group is selected based on specific criteria. Only one “best path” is selected at a time. If any of the criteria results in more than one path, BGP moves on to the next option in the list.
6. Prefer the path with the lowest multi-exit discriminator (MED) attribute. The following criteria apply:
a. This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs are compared only if the first AS in the AS_SEQUENCE is the same for both paths.
b. If you entered the bgp always-compare-med command, MEDs are compared for all paths.
c. Paths with no MED are treated as “worst” and assigned a MED of 4294967295.
7.
Figure 20. BGP Local Preference
Multi-Exit Discriminators (MEDs)
If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
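The MED step of best path selection (criterion 6 above, together with the MED description in this section), as an added example that is not part of the Dell EMC guide: candidates are grouped by neighboring AS in ascending order, MEDs are compared only inside a group unless bgp always-compare-med is in effect, and a path with no MED is given 4294967295. The Path class, the function names and the sample paths are this example's own (the sample reuses next hops and the AS path 209 7170 1455 that appear in the guide's show ip bgp output).

```python
# Added example (not from the Dell EMC guide): criterion 6 (MED) of BGP best path selection.
from dataclasses import dataclass
from itertools import groupby
from typing import List, Optional

MISSING_MED = 4294967295   # MED assigned to a path that carries no MED attribute ("worst")


@dataclass
class Path:
    """One candidate path for a prefix; as_path is the AS_SEQUENCE, neighboring AS first."""
    next_hop: str
    as_path: List[int]
    med: Optional[int] = None

    @property
    def neighboring_as(self) -> Optional[int]:
        # First AS in the AS_SEQUENCE; None for a locally originated / iBGP-only path
        return self.as_path[0] if self.as_path else None

    @property
    def effective_med(self) -> int:
        return MISSING_MED if self.med is None else self.med


def group_by_neighboring_as(paths: List[Path]) -> List[List[Path]]:
    """Deterministic mode: group candidates in ascending order of neighboring AS.
    Paths with an empty AS_SEQUENCE form their own group, sorted first."""
    def key(p: Path):
        return (p.neighboring_as is not None, p.neighboring_as or 0)
    ordered = sorted(paths, key=key)          # stable: keeps arrival order inside a group
    return [list(g) for _, g in groupby(ordered, key=key)]


def med_survivors(paths: List[Path], always_compare_med: bool = False) -> List[Path]:
    """Return the paths that survive criterion 6 (later criteria break any remaining tie).

    Without bgp always-compare-med, MEDs are compared only between paths whose first AS
    is the same, so every group keeps its lowest-MED paths and groups are not compared
    with each other. With it, all candidates are compared as a single group.
    """
    groups = [list(paths)] if always_compare_med else group_by_neighboring_as(paths)
    survivors: List[Path] = []
    for group in groups:
        best = min(p.effective_med for p in group)
        survivors.extend(p for p in group if p.effective_med == best)
    return survivors


# Constructed sample: three paths to one prefix, two via AS 209 and one via AS 7170 without a MED.
SAMPLE = [
    Path("205.171.0.16", [209, 7170, 1455], med=20),
    Path("205.171.0.17", [209, 1455], med=10),
    Path("195.171.0.16", [7170, 1455], med=None),
]

if __name__ == "__main__":
    for flag in (False, True):
        kept = med_survivors(SAMPLE, always_compare_med=flag)
        print("always-compare-med", flag, "->", [p.next_hop for p in kept])
```

Without always-compare-med the AS 7170 path survives alongside the best AS 209 path because the two groups are never compared; with it, the missing MED counts as 4294967295 and only the MED 10 path remains.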
Figure 21. Multi-Exit Discriminators
NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites IGP MED.
Origin
The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
unicast and multicast BGP database to form a routing table for unicast and multicast. You can configure BGP peers that exchange both unicast and multicast Network Layer Reachability Information (NLRI) in which MBGP routes are redistributed into BGP. The default is IPv4 unicast.
IPv4 and IPv6 address family
The IPv4 address family configuration in Dell EMC Networking OS is used for identifying routing sessions for protocols that use IPv4 addresses. You can specify multicast within the IPv4 address family.
BGP global configuration default values
By default, BGP is disabled. The following table displays the default values for BGP on Dell EMC Networking OS.
Table 9. BGP Default Values
Item: Default
BGP Neighbor Adjacency changes: All BGP neighbor changes are logged.
● If the redistribute command has a metric configured (route-map set metric or redistribute route-type metric) and the BGP peer outbound route-map has metric-type internal configured, BGP advertises the metric configured in the redistribute command as MED.
● If the BGP peer outbound route-map has a metric configured, all other metrics are overwritten by this configuration.
NOTE: When redistributing static, connected, or OSPF routes, there is no metric option.
Figure 22. Before and After AS Number Migration with Local-AS Enabled
When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS is not prepended to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
● Configure inbound BGP soft-reconfiguration on a peer for f10BgpM2PrefixInPrefixesRejected to display the number of prefixes filtered due to a policy. If you do enable BGP soft-reconfig, the denied prefixes are not accounted for.
● F10BgpM2AdjRibsOutRoute stores the pointer to the NLRI in the peer's Adj-Rib-Out.
● PA Index (f10BgpM2PathAttrIndex field in various tables) is used to retrieve specific attributes from the PA table.
Basic BGP configuration tasks The following sections describe how to configure a basic BGP network and the basic configuration tasks that are required for the BGP to be up and running.
neighbor {ip-address | ipv6-address | peer-group name} remote-as as-number
● ip-address: IPv4 address of the neighbor
● ipv6-address: IPv6 address of the neighbor
● peer-group name: Name of the peer group. It can contain 16 characters.
● as-number: Autonomous system number
NOTE: Neighbors that are defined using the neighbor remote-as command in CONFIGURATION-ROUTERBGP mode exchange IPv4 unicast address prefixes only.
3. Enable the BGP neighbor.
The third line of the show ip bgp neighbors output contains the BGP State. If anything other than ESTABLISHED is listed, the neighbor is not exchanging information and routes. For more information about using the show ip bgp neighbors command, refer to the Dell EMC Networking OS Command Line Interface Reference Guide.
The following example shows the show ip bgp neighbors command output.
DellEMC#show ip bgp neighbors
BGP neighbor is 20.20.20.1, remote AS 20, external link
BGP remote router ID 1.1.1.
1 neighbor(s) using 40960 bytes of memory
Neighbor    AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
20.20.20.1  200  0        0        0       0    0     00:00:00  0
Changing a BGP router ID
BGP uses the configured router ID to identify the devices in the network. By default, the router ID is the highest IP address of the Loopback interface. If no Loopback interfaces are configured, the highest IP address of a physical interface on the router is used as the BGP router ID.
CONFIG-ROUTER-BGP mode
bgp asnotation asplain
NOTE: ASPLAIN is the default method Dell EMC Networking OS uses and does not appear in the configuration display.
● Enable ASDOT AS Number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asdot
● Enable ASDOT+ AS Number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asdot+
The following example shows the bgp asnotation asplain command output.
● Enter the router configuration mode and the AS number.
CONFIG mode
router bgp as-number
● Add the IP address of the neighbor for the specified autonomous system.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} remote-as as-number
● Enable the neighbor.
CONFIG-ROUTERBGP mode
neighbor {ip-address | ipv6-address | peer-group-name} no shutdown
● Specify the IPv4 address family configuration.
To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes.
Example-Configuring BGP routing between peers
Example of enabling BGP in Router A
Following is an example to enable BGP configuration in router A.
RouterA# configure terminal
RouterA(conf)# router bgp 40000
RouterA(conf-router_bgp)# bgp router-id 10.1.1.99
RouterA(conf-router_bgp)# timers bgp 80 130
RouterA(conf-router_bgp)# neighbor 192.
Configuration rules in a peer group:
● You must create a peer group first before adding the neighbors in the peer group.
● If you remove any configuration parameters from a peer group, it will apply to all the neighbors configured under that peer group.
● If you have not configured a parameter for an individual neighbor in the peer group, the neighbor uses the value configured in the peer group.
● If you reset any parameter for an individual neighbor, it will override the value set in the peer group.
To add an external BGP (EBGP) neighbor, configure the as-number parameter with a number different from the BGP as-number configured in the router bgp as-number command. To add an internal BGP (IBGP) neighbor, configure the as-number parameter with the same BGP as-number configured in the router bgp as-number command. After you create a peer group, you can use any of the commands beginning with the keyword neighbor to configure that peer group.
Number of peers in this group 1
Peer-group members (* - outbound optimized):
2001::1
Example-Configuring BGP peer groups
The following example configurations show how to enable BGP and set up some peer groups. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes.
ip address 10.0.1.21/24
no shutdown
R1(conf-if-gi-1/21)#int gi 1/31
R1(conf-if-gi-1/31)#ip address 10.0.3.31/24
R1(conf-if-gi-1/31)#no shutdown
R1(conf-if-gi-1/31)#show config
!
interface GigabitEthernet 1/31
 ip address 10.0.3.31/24
 no shutdown
R1(conf-if-gi-1/31)#exit
R1(conf)#ip route 192.168.128.2/32 10.0.1.22
R1(conf)#router bgp 99
R1(conf-router_bgp)#neighbor 192.168.128.2 remote 99
R1(conf-router_bgp)#neighbor 192.168.128.2 no shut
R1(conf-router_bgp)#neighbor 192.168.128.
Example of Enabling BGP (Router 3)
R3#conf
R3(conf)#int gi 3/11
R3(conf-if-gi-3/11)#ip address 10.0.3.33/24
R3(conf-if-gi-3/11)#no shutdown
R3(conf-if-gi-3/11)#show config
!
interface GigabitEthernet 3/11
 ip address 10.0.3.33/24
 no shutdown
R3(conf-if-gi-3/11)#int gi 3/21
R3(conf-if-gi-3/21)#ip address 10.0.2.3/24
R3(conf-if-gi-3/21)#no shutdown
R3(conf-if-gi-3/21)#show config
!
interface GigabitEthernet 3/21
 ip address 10.0.2.
2 BGP AS-PATH entrie(s) using 74 bytes of memory
2 neighbor(s) using 8672 bytes of memory
Neighbor       AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.2  99  23       24       0       0    0     00:06:11  0
Example of Enabling Peer Groups (Router 2)
R2#conf
R2(conf)#router bgp 99
R2(conf-router_bgp)# neighbor CCC peer-group
R2(conf-router_bgp)# neighbor CC no shutdown
R2(conf-router_bgp)# neighbor BBB peer-group
R2(conf-router_bgp)# neighbor BBB no shutdown
R2(conf-router_bgp)# neighbor 192.168.128.
Neighbor       AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.1  99  93       99       1       0    (0)   00:00:15  1
192.168.128.2  99  122      120      1       0    (0)   00:00:11  1
Advanced BGP configuration tasks
The following sections describe how to configure the advanced (optional) BGP configuration tasks.
Route-refresh and Soft-reconfiguration
BGP soft-reconfiguration allows for faster and easier route changing. Changing routing policies typically requires a reset of BGP sessions (the TCP connection) for the policies to take effect.
DellEMC(conf-router_bgp)# neighbor 10.108.1.1 soft-reconfiguration inbound
DellEMC(conf-router_bgp)# exit
Route-refresh
This section explains how soft-reconfiguration and route-refresh work. Soft-reconfiguration has to be configured explicitly for a neighbor, unlike route refresh, which is automatically negotiated between BGP peers when establishing a peer session.
IPv4 and IPv6 route-refresh updates are sent. Following is an example configuration in which IPv6 prefixes are enabled for an IPv6 neighbor and the corresponding route-refresh message:
DellEMC(conf-router_bgp)# show config
!
router bgp 100
 redistribute connected
 neighbor 20.1.1.2 remote-as 200
 neighbor 20.1.1.
aggregate-address ip-address mask [advertise-map map-name] [as-set] [attribute-map map-name] [summary-only] [suppress-map map-name]
○ as-set: Specify that the advertised path of this route is an AS_SET.
○ summary-only: Create the aggregate route and suppress advertisements of specific routes to all neighbors.
○ suppress-map map-name: Create the aggregate route by suppressing the advertisements of specific routes.
○ advertise-map map-name: Create the aggregate route by advertising specific routes.
The suppress-map keyword creates the aggregate route but suppresses the advertisement of the specified routes. The routes that are suppressed are not advertised to the neighbors. You can use the match clause of route maps to selectively suppress specific routes from the aggregate routes. Following is a sample configuration to suppress the advertisement of specific aggregate routes.
DellEMC# configure terminal
DellEMC(conf)# router bgp 100
DellEMC(conf-router_bgp)# aggregate-address 10.1.1.
Regular Expression: Definition
_ (underscore): Matches a ^, a $, a comma, a space, or a {, or a }. Placed on either side of a string to specify a literal and disallow substring matching. You can precede or follow numerals enclosed by underscores by any of the characters listed.
| (pipe): Matches characters on either side of the metacharacter; logical OR.
As seen in the following example, the expressions are displayed when using the show commands.
NOTE: You can create inbound and outbound policies. Each of the commands used for filtering has in and out parameters that you must apply. In Dell EMC Networking OS, the order of preference varies depending on whether the attributes are applied for inbound updates or outbound updates.
● If none of the routes match any of the filters in the prefix list, the route is denied. This action is called an implicit deny. (If you want to forward all routes that do not match the prefix list criteria, you must configure a prefix list filter to permit all routes. For example, you could have the following filter as the last filter in your prefix list: permit 0.0.0.0/0 le 32.)
● After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route.
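The prefix list behaviour described above (first match wins, implicit deny, and permit 0.0.0.0/0 le 32 as the catch-all), as an added example that is not part of the Dell EMC guide. The ge/le length semantics used here are the usual prefix-list ones and are an assumption of this example, as are the Filter class and the function names; the filter lines and routes are constructed samples.

```python
# Added example (not from the Dell EMC guide): evaluating an IP prefix list.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


@dataclass
class Filter:
    action: str                # "permit" or "deny"
    prefix: Net
    ge: Optional[int] = None   # minimum route length, inclusive (assumed semantics)
    le: Optional[int] = None   # maximum route length, inclusive (assumed semantics)

    def matches(self, route: Net) -> bool:
        """A route matches when it lies inside the filter prefix and its length is
        allowed: exactly the filter's own length without ge/le, otherwise [ge, le]."""
        if not route.subnet_of(self.prefix):
            return False
        if self.ge is None and self.le is None:
            return route.prefixlen == self.prefix.prefixlen
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high


def parse_filter(line: str) -> Filter:
    """Parse 'permit 10.0.0.0/8 ge 16 le 24' style filter lines."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"bad filter: {line!r}")
    flt = Filter(tokens[0], Net(tokens[1], strict=False))
    rest = tokens[2:]
    while rest:
        if len(rest) < 2 or rest[0] not in ("ge", "le") or not rest[1].isdigit():
            raise ValueError(f"bad ge/le clause in {line!r}")
        setattr(flt, rest[0], int(rest[1]))
        rest = rest[2:]
    # Length bounds must be ordered: prefix length <= ge <= le <= 32
    low = flt.ge if flt.ge is not None else flt.prefix.prefixlen
    high = flt.le if flt.le is not None else 32
    if not flt.prefix.prefixlen <= low <= high <= 32:
        raise ValueError(f"inconsistent ge/le in {line!r}")
    return flt


def matching_filter(filters: List[Filter], route: str) -> Optional[int]:
    """Index of the first filter the route matches, or None (implicit deny)."""
    net = Net(route, strict=False)
    for i, flt in enumerate(filters):
        if flt.matches(net):
            return i          # first match wins; later filters are not consulted
    return None


def evaluate(filters: List[Filter], route: str) -> str:
    """Return "permit" or "deny" for the route; no match at all is an implicit deny."""
    idx = matching_filter(filters, route)
    return "deny" if idx is None else filters[idx].action


# Constructed sample prefix list: block long 10/8 subnets, allow the rest of 10/8 up to /24,
# allow exactly 192.168.0.0/16. Everything else falls through to the implicit deny.
SAMPLE_LIST = [parse_filter(line) for line in (
    "deny 10.0.0.0/8 ge 25",
    "permit 10.0.0.0/8 le 24",
    "permit 192.168.0.0/16",
)]
CATCH_ALL = SAMPLE_LIST + [parse_filter("permit 0.0.0.0/0 le 32")]

if __name__ == "__main__":
    for route in ("10.1.1.0/24", "10.1.1.0/30", "192.168.0.0/16", "192.168.1.0/24", "172.16.0.0/12"):
        print(f"{route:>16}: {evaluate(SAMPLE_LIST, route):6}  with catch-all: {evaluate(CATCH_ALL, route)}")
```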
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
Filtering on an AS-Path Attribute
You can use the BGP attribute, AS_PATH, to manipulate routing policies. The AS_PATH attribute contains a sequence of AS numbers representing the route’s path. As the route traverses an AS, the ASN is prepended to the route.
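The AS-path regular expression rules from the table above (the underscore standing for ^, $, comma, space, { or }, and the pipe as logical OR), applied to AS_PATH strings as an added example that is not part of the Dell EMC guide. Only the underscore is translated; passing every other metacharacter through to Python's re module unchanged is an assumption of this example, as are the function names and the sample paths.

```python
# Added example (not from the Dell EMC guide): matching AS paths with the guide's
# regular expression conventions.
import re
from typing import List

# What "_" stands for: start or end of the path, or one of: comma, space, {, }
UNDERSCORE = r"(?:^|$|[ ,{}])"


def translate(expr: str) -> str:
    """Rewrite a Dell-style AS-path regexp into a Python regexp ("|" is OR in both)."""
    return expr.replace("_", UNDERSCORE)


def matches(expr: str, as_path: str) -> bool:
    """True if the AS path string as shown in 'show ip bgp' (e.g. '209 7170 1455')
    matches; an empty string is a locally originated path."""
    return re.search(translate(expr), as_path) is not None


def filter_paths(expr: str, as_paths: List[str]) -> List[str]:
    """Keep the AS paths a filter-list style expression would match."""
    return [p for p in as_paths if matches(expr, p)]


# Constructed sample AS paths; the first reuses the 209 7170 1455 path from the guide's
# show ip bgp output. The AS_SET display form {209,7170} is assumed here.
SAMPLE_PATHS = ["209 7170 1455", "7170 1455", "1455", "", "64801", "{209,7170} 1455"]

if __name__ == "__main__":
    for expr in ("_7170_", "_717_", "^209_", "_1455$", "^$", "_209_|_64801_"):
        print(f"{expr:16} -> {filter_paths(expr, SAMPLE_PATHS)}")
```

_7170_ finds AS 7170 anywhere in the path, _717_ does not match 7170 because the underscores disallow substring matching, and ^$ selects only locally originated routes.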
20 0 --More-- 64801 i
Filtering Routes with Community Lists
To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group.
1. Enter the ROUTE-MAP mode and assign a name to a route map.
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
2. Configure a match filter for all routes meeting the criteria in the IP community or IP extended community list.
The BGP fast fall-over feature is configured on a per-neighbor or peer-group basis and is disabled by default. To enable the BGP fast fall-over feature, use the following command.
● Enable BGP fast fall-over.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} fall-over
To disable fast fall-over, use the no neighbor {ip-address | ipv6-address | peer-group-name} fall-over command in CONFIGURATION ROUTER BGP mode.
To verify that fast fall-over is enabled on a peer-group, use the show ip bgp peer-group command (shown in bold).
DellEMC#show ip bgp peer-group
Peer-group test fall-over enabled
  BGP version 4
  Minimum time between advertisement runs is 5 seconds
  For address family: IPv4 Unicast
  BGP neighbor is test
  Number of peers in this group 1
  Peer-group members (* - outbound optimized):
    10.10.10.
Enabling Graceful Restart
Use this feature to lessen the negative effects of a BGP restart. Dell EMC Networking OS advertises support for this feature to BGP neighbors through a capability advertisement. You can enable graceful restart by router and/or by peer or peer group.
NOTE: By default, BGP graceful restart is disabled. The default role for BGP is as a receiving or restarting peer.
Redistributing Routes
In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP process. You can configure the device to redistribute ISIS, OSPF, static, or directly connected routes into the BGP process using the redistribute command. To add routes from other routing instances or protocols, use any of the following commands in ROUTER BGP mode.
● Include directly connected or user-configured (static) routes into BGP.
To allow multiple paths sent to peers, use the following commands.
1. Allow the advertisement of multiple paths (send, receive or both).
CONFIG-ROUTER-BGP or CONFIG-ROUTER-BGP-AF mode
bgp add-path [both | enable | receive | send] path-count
Configure the following parameters:
● both: Indicate that the system sends and accepts multiple paths from peers.
● enable: Indicate that the system enables add-path support for the node.
● send: Indicate that the system sends multiple paths to peers.
{deny | permit} {community-number | local-AS | no-advertise | no-export | quote-regexp regular-expression-list | regexp regular-expression}
● community-number: use AA:NN format, where AA is the AS number (2 Bytes or 4 Bytes) and NN is a value specific to that autonomous system.
● local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED.
● no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE.
● no-export: routes with the COMMUNITY attribute of NO_EXPORT.
  deny 701:20
  deny 702:20
  deny 703:20
  deny 704:20
  deny 705:20
  deny 14551:20
  deny 701:112
  deny 702:112
  deny 703:112
  deny 704:112
  deny 705:112
  deny 14551:112
  deny 701:667
  deny 702:667
  deny 703:667
  deny 704:666
  deny 705:666
  deny 14551:666
DellEMC#
Configure BGP attributes
The following sections explain how to configure the BGP attributes such as MED, COMMUNITY, WEIGHT, and LOCAL_PREFERENCE.
extended: Allows sending the extended community attribute to a BGP neighbor or peer group.
standard: Allows sending the standard community attribute to a BGP neighbor or peer group.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
If you want to remove or add a specific COMMUNITY number from a BGP path, you must create a route map with one or both of the following statements in the route map. Then apply that route map to a BGP neighbor or peer group.
1.
*>i 6.10.0.0/15   195.171.0.16  100  0  209 7170 1455 i
*>i 6.14.0.0/15   205.171.0.16  100  0  209 7170 1455 i
*>i 6.133.0.0/21  205.171.0.16  100  0  209 7170 1455 i
*>i 6.151.0.0/16  205.171.0.16  100  0  209 7170 1455 i
--More--
Changing the LOCAL_PREFERENCE Attribute
In Dell EMC Networking OS, you can change the value of the LOCAL_PREFERENCE attribute, so that the preferred path can be changed. To change the default values of this attribute for all routes received by the router, use the following command.
In the above example configuration, a route-map named route1 is created with a clause to set the specified local preference value, which is 140. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
Enabling Multipath
By default, the software allows one path to a destination. You can enable multipath to allow up to 64 parallel paths to a destination. You can configure the maximum number of parallel routes (multipath support) to a destination in BGP.
NOTE: Dell EMC Networking recommends not using multipath and add-path simultaneously in a route reflector.
To allow more than one path, use the following command.
● Enable multiple parallel paths.
2. Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
3. Router D does not advertise the route to Router C because Router C is a nonclient peer and the route advertisement came from Router B, which is also a nonclient peer.
4. Router D does reflect the advertisement to Routers E and G because they are client peers of Router D.
5.
● Attribute change
When dampening is applied to a route, its path is described by one of the following terms:
● history entry — an entry that stores information on a downed route
● dampened path — a path that is no longer advertised
● penalized path — a path that is assigned a penalty
To configure route flap dampening parameters, set dampening parameters using a route map, clear information on route dampening and return suppressed routes to active state, view statistics on route flapping, or change the path
CONFIG-ROUTER-BGP mode
bgp non-deterministic-med
NOTE: When you change the best path selection method, path selection for existing paths remains unchanged until you reset it by entering the clear ip bgp command in EXEC Privilege mode.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
The following example shows how to configure values to reuse or restart a route.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} timers keepalive holdtime
○ keepalive: Time interval, in seconds, between keepalive messages sent to the neighbor routers. The range is from 1 to 65535. The default is 60 seconds.
○ holdtime: Time interval, in seconds, between the last keepalive message and declaring the BGP peer dead. The range is from 3 to 65536. The default is 180 seconds.
● Configure timer values for all neighbors.
CONFIGURATION Mode
router bgp as-number
2. In ROUTER BGP mode, enter the following command:
ROUTER BGP Mode
shutdown all
You can use the no shutdown all command in ROUTER BGP mode to re-enable all the BGP interfaces. You can also enable or disable BGP neighbors corresponding to the IPv4 unicast or multicast address families and the IPv6 unicast address family. To enable or disable BGP neighbors corresponding to the IPv4 unicast address families, use the following commands:
1.
That is, BGP neighbors corresponding to the IPv4 unicast or multicast address family and the IPv6 unicast address family that were explicitly disabled before the global shutdown remain in the disabled state. Use the no shutdown address-family-ipv4-unicast, no shutdown address-family-ipv4-multicast, or no shutdown address-family-ipv6-unicast commands to enable these neighbors.
NOTE: This behavior applies to all BGP neighbors.
bgp confederation peers as-number [... as-number]
○ as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte). All Confederation routers must be either 4 Byte or 2 Byte. You cannot have a mix of router ASN support.
To view the configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
Configuring a BGP VRF address family
To perform BGP configuration between two neighbors that must exchange IPv6 or IPv4 VRF information, use the following commands.
Neighbor  AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
50.0.0.2  200  0        0        0       0    0     00:00:00  0
Following is the output of the show running-config bgp command for the above configuration.
DellEMC#show running-config bgp
!
router bgp 10
 bgp router-id 1.1.1.1
 network 10.10.21.0/24
 bgp four-octet-as-support
 neighbor 20.20.20.1 remote-as 65550
 neighbor 20.20.20.1 no shutdown
 !
 address-family ipv4 vrf vrf1
  neighbor 50.0.0.2 maximum-prefix 10000 warning-only
  neighbor 50.0.0.2 remote-as 200
  neighbor 50.0.0.
 neighbor 100.10.92.9 local-as 6500
 neighbor 100.10.92.9 no shutdown
 neighbor 192.168.10.1 remote-as 65123
 neighbor 192.168.10.1 update-source Loopback 0
 neighbor 192.168.10.1 no shutdown
 neighbor 192.168.12.2 remote-as 65123
 neighbor 192.168.12.2 update-source Loopback 0
 neighbor 192.168.12.2 no shutdown
R2(conf-router_bgp)#
Allowing an AS Number to Appear in its Own AS Path
This command allows you to set the number of times a particular AS number can occur in the AS path.
The default is IPv4 Unicast routes. When you configure a peer to support IPv4 multicast, Dell EMC Networking OS takes the following actions:
● Sends a capability advertisement to the peer in the BGP Open message specifying IPv4 multicast as a supported AFI/SAFI (Subsequent Address Family Identifier).
● If the corresponding capability is received in the peer’s Open message, BGP marks the peer as supporting the AFI/SAFI.
Following is the output of the show ip bgp ipv6 unicast summary command for the above configuration example.
DellEMC#show ip bgp ipv6 unicast summary
BGP router identifier 1.1.1.
Neighbor    AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
20.20.20.2  200  10       20       0       0    0     00:06:11  0
30.30.30.1  20   0        0        0       0    0     00:00:00  0
2001::2     200  40       45       0       0    0     00:03:14  0
The same output is displayed when using the show ip bgp ipv4 unicast summary command.
Following is the sample output of the show ip bgp ipv4 multicast summary command.
R1# show ip bgp ipv4 multicast summary
BGP router identifier 1.1.1.
Following is the output of the show ip bgp ipv6 unicast summary command for the above configuration example.
R2#show ip bgp ipv6 unicast summary
BGP router identifier 2.2.2.2, local AS number 200
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
2 neighbor(s) using 24576 bytes of memory
Neighbor 20.20.20.
Following is the show running-config command output for the above configuration.
DellEMC# show running-config bgp
!
router bgp 655
 bgp router-id 1.1.1.1
 neighbor 10.1.1.2 remote-as 20
 neighbor 10.1.1.2 auto-local-address
 neighbor 10.1.1.2 no shutdown
 !
 address-family ipv6 unicast
  neighbor 10.1.1.2 activate
 exit-address-family
!
Example configuration performed in R2
DellEMC# configure terminal
DellEMC(conf)# router bgp 20
DellEMC(conf-router_bgp)# neighbor 10.1.1.
Debugging BGP
To enable BGP debugging, use any of the following commands.
● View all information about BGP, including BGP events, keepalives, notifications, and updates.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] [in | out]
● View information about BGP routes being dampened.
EXEC Privilege mode
debug ip bgp dampening [in | out]
● View information about local BGP state changes and other BGP events.
3 opens, 2 notifications, 0 updates
43 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
For address family: IPv4 Unicast
BGP table version 1395, neighbor version 1394
Prefixes accepted 1
10 Content Addressable Memory (CAM)
CAM is a type of memory that stores information in the form of a lookup table. On Dell EMC Networking systems, CAM stores Layer 2 (L2) and Layer 3 (L3) forwarding information, access-lists (ACLs), flows, and routing policies.
Table 12. Default Cam Allocation Settings (continued)
CAM Allocation Setting: Default
vrfv4Acl: 0
Openflow: 0
fedgovacl: 0
NOTE: When you reconfigure CAM allocation, use the nlbclusteracl number command to change the number of NLB ARP entries. The range is from 0 to 2. The default value is 0. At the default value of 0, eight NLB ARP entries are available for use. This platform supports up to 512 CAM entries. Select 1 to configure 256 entries. Select 2 to configure 1024 entries.
number ipv4pbr number openflow number | fcoe number iscsioptacl number [vrfv4acl number] [radius-v4acl number]
NOTE: If you do not enter the allocation values for the CAM regions, the value is 0.
3. Execute write memory and verify that the new settings are written to the CAM on the next boot.
EXEC Privilege mode
show cam-acl
4. Reload the system.
EXEC Privilege mode
reload
Test CAM Usage
To determine whether sufficient CAM space is available to enable a service-policy, use the test cam-usage command.
IpMacAcl VmanQos VmanDualQos EcfmAcl FcoeAcl iscsiOptAcl ipv4pbr vrfv4Acl Openflow fedgovacl : : : : : : : : : : 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0
DellEMC(conf)#
NOTE: If you change the cam-acl setting from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
VmanDualQos : 0
EcfmAcl     : 0
FcoeAcl     : 0
iscsiOptAcl : 0
ipv4pbr     : 0
vrfv4Acl    : 0
Openflow    : 0
fedgovacl   : 0
DellEMC#

View CAM Usage
View the amount of CAM space available, used, and remaining in each partition (including IPv4 and IPv6 Flow and Layer 2 ACL sub-partitions) using the show cam-usage command in EXEC Privilege mode. The following output shows CAM block usage for Layer 2 and Layer 3 ACLs and other processes that use CAM space:
Example of the show cam-usage Command

Configuring CAM Threshold an
● Add or delete an ACL rule
Example of Syslog message on CAM usage
The following table shows a few possible scenarios in which the syslog message appears after you reconfigure the CAM usage threshold value. For example, if the last CAM threshold was set to 90 percent and you now reconfigure the CAM threshold to 80, and the current CAM usage is 85 percent, the system displays a syslog message stating that the CAM usage is above the configured CAM threshold value.
Table 14.
Dell EMC Networking OS supports the ability to view the actual CAM usage before applying a service-policy. The test cam-usage service-policy command provides this test framework. For more information, refer to Pre-Calculating Available QoS CAM Space.
11 Control Plane Policing (CoPP)

Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system's control plane. The filter prevents traffic that is not specifically identified as legitimate from reaching the system control plane and rate-limits the remaining traffic to an acceptable level.
Figure 28. CoPP Implemented Versus CoPP Not Implemented
Topics:
• Configure Control Plane Policing

Configure Control Plane Policing
The system can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic, even though per-protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
Configuring CoPP for Protocols
This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffic according to the ACL.
DellEMC(conf)#mac access-list extended lacp cpu-qos
DellEMC(conf-mac-acl-cpuqos)#permit lacp
DellEMC(conf-mac-acl-cpuqos)#exit
DellEMC(conf)#ipv6 access-list ipv6-icmp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit icmp
DellEMC(conf-ipv6-acl-cpuqos)#exit
DellEMC(conf)#ipv6 access-list ipv6-vrrp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit vrrp
DellEMC(conf-ipv6-acl-cpuqos)#exit
The following example shows creating the QoS input policy.
1. Create a QoS input policy for the router and assign the policing.
CONFIGURATION mode
qos-policy-input name cpu-qos
2. Create an input policy-map to assign the QoS policy to the desired service queues.
CONFIGURATION mode
policy-map-input name cpu-qos
service-queue queue-number qos-policy name
3. Enter Control Plane mode.
CONFIGURATION mode
control-plane-cpuqos
4. Assign a CPU queue-based service policy on the control plane in cpu-qos mode.
CPU Processing of CoPP Traffic
The system uses FP rules to send packets to the control plane, either by CopyToCPU or by redirecting the packet to the CPU port. Only 8 CPU queues are used when sending packets to the CPU. The CPU Management Interface Controller (CMIC) interface on all the systems supports 48 queues in hardware.
NDP Packets
Neighbor discovery protocol has four types of packets: NS, NA, RA, and RS. These packets must be sent to the CPU for neighbor discovery.
● Unicast NDP packets:
○ Packets hitting the L3 host/route table and identified as locally terminated packets/CPU-bound traffic. For CPU-bound traffic, the route entry has a CPU action. The following packets are CPU-bound traffic:
■ Packets destined to the chassis.
Catch-All Entry for IPv6 Packets
Dell EMC Networking OS currently supports configuration of IPv6 subnets with mask lengths greater than /64, but the agent writes them to the default LPM table, where the key length is 64 bits. The device supports a table that stores up to 256 subnets with mask lengths up to /128. This table can be enabled and the agent modified to update the /128 table for mask lengths greater than /64. This restricts the subnet sizes to the required optimal level, which avoids these NDP attacks.
Displaying CoPP Configuration
The CLI provides show commands to display the protocol traffic assigned to each control-plane queue and the current rate-limit applied to each queue. Other show commands display statistical information for troubleshooting CoPP operation. To view the rates for each queue, use the show cpu-queue rate cp command.
Example of Viewing Queue Mapping for IPv6 Protocols
DellEMC#show ipv6 protocol-queue-mapping
Protocol        Src-Port Dst-Port TcpFlag Queue EgPort Rate (kbps)
--------------- -------- -------- ------- ----- ------ -----------
TCP (BGP)       any/179  179/any  _       Q6    CP     _
ICMP            any      any      _       Q6    CP     _
VRRP            any      any      _       Q7    CP     _
DellEMC#
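The following is an added example, not code from the Dell EMC guide or from Dell EMC Networking OS. It parses the protocol-to-queue mapping from a constructed copy of the show ipv6 protocol-queue-mapping output above and simulates the caveat stated under Configure Control Plane Policing: because queue-based rate limiting is applied before per-protocol policing, a flood of one protocol (ICMP here) can starve another protocol that shares the same CPU queue (BGP on Q6), while a protocol on its own queue (VRRP on Q7) is unaffected. The packet rates and the one-second token-bucket model are constructed and are not the hardware policers.

```python
"""Added example, not from the Dell EMC guide: parse the protocol-to-queue
mapping from a constructed copy of 'show ipv6 protocol-queue-mapping' and
simulate why protocols sharing one CPU queue can flap when queue-based
rate limiting runs before per-protocol policing. Rates and the token
bucket model are constructed; the real ASIC policers differ."""
from collections import defaultdict

# Constructed copy of the show output from the guide.
QUEUE_MAPPING_OUTPUT = """\
Protocol        Src-Port Dst-Port TcpFlag Queue EgPort Rate (kbps)
--------------- -------- -------- ------- ----- ------ -----------
TCP (BGP)       any/179  179/any  _       Q6    CP     _
ICMP            any      any      _       Q6    CP     _
VRRP            any      any      _       Q7    CP     _
"""


def parse_queue_mapping(text: str) -> dict:
    """Return {protocol: queue}; the header and separator lines are skipped."""
    lines = text.splitlines()
    name_width = lines[0].index("Src-Port")  # protocol column ends where Src-Port starts
    mapping = {}
    for line in lines[2:]:
        if not line.strip():
            continue
        queue = next(t for t in line.split() if t.startswith("Q") and t[1:].isdigit())
        mapping[line[:name_width].strip()] = queue
    return mapping


class TokenBucket:
    """One-second policer: starts with `rate` tokens, one token per packet."""

    def __init__(self, rate: int):
        self.tokens = rate

    def admit(self) -> bool:
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def simulate(mapping: dict, queue_rate_pps: int, proto_rate_pps: int,
             offered_pps: dict, protocol_first: bool = False) -> dict:
    """Offer offered_pps[proto] evenly spaced packets over one second.
    By default each packet hits the shared queue policer first and the
    per-protocol policer second, as the guide describes; protocol_first
    reverses the order for comparison. Returns {proto: packets admitted}."""
    queues = {q: TokenBucket(queue_rate_pps) for q in set(mapping.values())}
    per_proto = {p: TokenBucket(proto_rate_pps) for p in mapping}
    # Constructed arrival schedule: all protocols merged by arrival time.
    schedule = sorted((i / rate, proto)
                      for proto, rate in offered_pps.items() for i in range(rate))
    admitted = defaultdict(int)
    for _, proto in schedule:
        stages = [queues[mapping[proto]], per_proto[proto]]
        if protocol_first:
            stages.reverse()
        # all() short-circuits, so a packet dropped at the first stage never
        # consumes a token at the second one.
        if all(stage.admit() for stage in stages):
            admitted[proto] += 1
    return dict(admitted)


if __name__ == "__main__":
    mapping = parse_queue_mapping(QUEUE_MAPPING_OUTPUT)
    offered = {"TCP (BGP)": 10, "ICMP": 10000, "VRRP": 10}
    print("queue policer first  :", simulate(mapping, 1000, 800, offered))
    print("protocol policer first:", simulate(mapping, 1000, 800, offered, protocol_first=True))
```

With the queue policer applied first, the ICMP flood consumes the Q6 budget within the first tenth of a second and only the very first BGP packet gets through; with the per-protocol policer first, ICMP is capped at 800 pps before it reaches the queue and all ten BGP packets are admitted. VRRP is unaffected in both orderings because it sits on Q7.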
12 Dynamic Host Configuration Protocol (DHCP)

DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end stations (hosts) based on configuration policies determined by network administrators.
The following table lists common DHCP options.
Option              Number     Description
Subnet Mask         Option 1   Specifies the client's subnet mask.
Router              Option 3   Specifies the router IP addresses that may serve as the client's default gateway.
Domain Name Server  Option 6   Specifies the domain name servers (DNSs) that are available to the client.
Domain Name         Option 15  Specifies the domain name that clients should use when resolving hostnames via DNS.
Assign an IP Address using DHCP
The following section describes DHCP and the client in a network. When a client joins a network:
1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters.
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters.
● Dell EMC Networking OS provides 40000 entries that can be divided between leased addresses and excluded addresses. By extension, the maximum number of pools you can configure depends on the subnet mask that you give to each pool. For example, if all pools were configured for a /24 mask, the total would be 40000/253 (approximately 158). If the subnet is increased, more pools can be configured. The maximum subnet that can be configured for a single pool is /17.
network network/prefix-length
● network: the subnet address.
● prefix-length: specifies the number of bits used for the network portion of the address you specify. The prefix-length range is from 17 to 31.
4. Display the current pool configuration.
DHCP mode
show config
After an IP address is leased to a client, only that client may release the address. Dell EMC Networking OS performs an IP + MAC source address validation to ensure that no client can release another client's address.
DHCP
default-router address

Configure a Method of Hostname Resolution
Dell systems are capable of providing DHCP clients with parameters for two methods of hostname resolution—using DNS or NetBIOS WINS.

Using DNS for Address Resolution
A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses.
1. Create a domain.
DHCP
domain-name name
2. Specify in order of preference the DNS servers that are available to a DHCP client.
● hardware-address: the client MAC address.
● type: the protocol of the hardware platform. The default protocol is Ethernet.

Debugging the DHCP Server
To debug the DHCP server, use the following command.
● Display debug information for the DHCP server.
EXEC Privilege mode
debug ip dhcp server [events | packets]

Using DHCP Clear Commands
To clear DHCP binding entries, address conflicts, and server counters, use the following commands.
● Clear DHCP binding entries for the entire binding table.
Figure 31. Configuring a Relay Agent
To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC Privilege mode.
Example of the show ip interface Command
R1_E600#show ip int gigabitethernet 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1 192.168.0.
Configure the System to be a DHCP Client
A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows:
● The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (Dell EMC Networking OS version and a configuration file). BMP is enabled as a factory-default setting on a switch.
To renew the lease time of the dynamically acquired IP, use the renew dhcp command on an interface already configured with a dynamic IP address.
NOTE: To verify the currently configured dynamic IP address on an interface, use the show ip dhcp lease command. The show running-configuration command output only displays ip address dhcp. The currently assigned dynamic IP address does not display.
To configure and view an interface as a DHCP client to receive an IP address, use the following commands.
1.
● Management routes added by the DHCP client are not added to the running configuration.
NOTE: Management routes added by the DHCP client include the specific routes to reach a DHCP server in a different subnet and the management route.

DHCP Client Operation with Other Features
The DHCP client operates with other Dell EMC Networking OS features, as the following describes.
Stacking
The DHCP client daemon runs only on the master unit and handles all DHCP packet transactions.
DHCP Relay When DHCP Server and Client are in Different VRFs
When the DHCP server and DHCP clients belong to different VRFs on the relay agent, you can configure the system to leak routes across VRFs. You can configure the system to leak the following routes across VRFs:
● Connected routes
● The complete routing table
● Selective routes
The following illustration depicts the topology in which routes are leaked between VRFs in the relay agent.
ip vrf VRF_2
 ip route-import 2:2
 ip route-export 1:1
!
!
route-map map1 permit 10
 match ip address ip1
!
route-map map2 permit 20
 match ip address ip2
!
ip prefix-list ip1
 seq 5 permit 20.0.0.0/24     <----- This is needed for data forwarding
 seq 10 permit 20.0.0.2/32    <---- This is specific to internal operation of DHCP relay
!
ip prefix-list ip2
 seq 5 permit 10.0.0.
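The following is an added example, not code from the Dell EMC guide or from Dell EMC Networking OS. It evaluates prefix-list entries like those in the route-leak configuration above under the standard prefix-list rule that a permit entry without ge/le matches only prefixes of exactly the stated length (an assumption; the guide does not spell the rule out). That rule is why the prefix-list ip1 needs its own seq 10 entry for the DHCP relay's 20.0.0.2/32 host route: the /24 entry alone does not cover it. The two prefix-list texts are copied from the configuration above and the ge/le variant is constructed.

```python
"""Added example, not from the Dell EMC guide: evaluate ip prefix-list
entries with standard exact-length semantics (assumption) to show why the
DHCP relay's /32 host route needs its own entry in prefix-list ip1."""
import ipaddress

# Copied from the route-leak configuration in the guide.
IP1_AS_CONFIGURED = """\
seq 5 permit 20.0.0.0/24
seq 10 permit 20.0.0.2/32
"""
# Same list with the DHCP relay host-route entry left out.
IP1_WITHOUT_HOST_ROUTE = "seq 5 permit 20.0.0.0/24\n"
# Constructed variant: one entry covering the /24 and everything inside it.
IP1_WITH_RANGE = "seq 5 permit 20.0.0.0/24 le 32\n"


def parse_prefix_list(text: str) -> list:
    """Parse 'seq N permit|deny PREFIX [ge N] [le N]' lines, ordered by seq."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "seq":
            continue
        seq, action = int(tokens[1]), tokens[2]
        prefix = ipaddress.ip_network(tokens[3], strict=False)
        ge = le = None
        rest = tokens[4:]
        for key, value in zip(rest[::2], rest[1::2]):
            if key == "ge":
                ge = int(value)
            elif key == "le":
                le = int(value)
        entries.append((seq, action, prefix, ge, le))
    return sorted(entries, key=lambda e: e[0])


def entry_matches(entry, route) -> bool:
    """Standard semantics: the route must lie inside the entry's prefix and
    its length must fall in [ge, le]; with neither, only the exact length."""
    _, _, prefix, ge, le = entry
    if route.version != prefix.version or not route.subnet_of(prefix):
        return False
    low = ge if ge is not None else prefix.prefixlen
    if le is not None:
        high = le
    elif ge is not None:
        high = route.max_prefixlen
    else:
        high = prefix.prefixlen  # no ge/le: exact length only
    return low <= route.prefixlen <= high


def evaluate(entries, route: str) -> str:
    """First matching entry decides; an implicit deny ends every list."""
    net = ipaddress.ip_network(route, strict=False)
    for entry in entries:
        if entry_matches(entry, net):
            return entry[1]
    return "deny"


if __name__ == "__main__":
    for name, text in [("ip1 as configured", IP1_AS_CONFIGURED),
                       ("ip1 without seq 10", IP1_WITHOUT_HOST_ROUTE),
                       ("ip1 with le 32", IP1_WITH_RANGE)]:
        entries = parse_prefix_list(text)
        print(f"{name}: 20.0.0.0/24 -> {evaluate(entries, '20.0.0.0/24')}, "
              f"20.0.0.2/32 -> {evaluate(entries, '20.0.0.2/32')}")
```

Running it shows that the data-forwarding /24 leaks under all three lists, while the relay's 20.0.0.2/32 route is denied as soon as the seq 10 entry is removed.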
Dell(conf-if-lo-1)# ipv6 address 1::1/128
Dell(conf-if-lo-1)# no shutdown
To configure the loopback interface as the IPv4 or IPv6 DHCP relay source interface, enter the following commands in CONFIGURATION mode.
Dell(conf-if-vl-4)# ip vrf forwarding vrf1
Dell(conf-if-vl-4)# ip address 4.0.0.1/24
Dell(conf-if-vl-4)# ipv6 address 4::1/64
Dell(conf-if-vl-4)# tagged fortyGigE 0/4
Dell(conf-if-vl-4)# ip helper-address vrf vrf1 100.0.0.1
Dell(conf-if-vl-4)# ipv6 helper-address vrf vrf1 100::1
Dell(conf-if-vl-4)# ip dhcp relay source-interface loopback 3
Dell(conf-if-vl-4)# ipv6 dhcp relay source-interface loopback 3
3. In the following configuration, the DHCP relay source interface is not configured in the VLAN interface.
● The default Agent Circuit ID is constructed in the format VLANID:LagID:SlotID:PortStr. When the port is fanned out, the PortStr is represented as mainPort:subPort (all in ASCII format).
● The default Agent Remote ID is the system MAC address (in binary format).
The following example shows the format of the Circuit ID - 723:0:1:1.
Table 17. Circuit ID Format
VLAN ID   LAG ID   Slot ID   Port Str
723       0        1         1
The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server.
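The following is an added example, not code from the Dell EMC guide or from Dell EMC Networking OS. It builds and parses the DHCP relay agent information option (Option 82, RFC 3046) using the default identifier formats described above: an ASCII Circuit ID of the form VLANID:LagID:SlotID:PortStr (where PortStr may itself be mainPort:subPort for a fanned-out port) and a binary Remote ID carrying the system MAC address. The sub-option codes 1 (Circuit ID) and 2 (Remote ID) are the RFC 3046 values; the MAC address is constructed. The parser checks every length field, so a truncated option raises instead of being read past its end.

```python
"""Added example, not from the Dell EMC guide: encode and decode DHCP
Option 82 (RFC 3046) with the default Circuit ID and Remote ID formats
described in the guide. The system MAC address below is constructed."""

OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1   # RFC 3046 Agent Circuit ID sub-option
SUBOPT_REMOTE_ID = 2    # RFC 3046 Agent Remote ID sub-option


def build_circuit_id(vlan_id: int, lag_id: int, slot_id: int, port_str: str) -> bytes:
    """Default Circuit ID text, e.g. 723:0:1:1 for VLAN 723, no LAG, slot 1, port 1."""
    return f"{vlan_id}:{lag_id}:{slot_id}:{port_str}".encode("ascii")


def build_option82(circuit_id: bytes, system_mac: str) -> bytes:
    """Encode the option as code, length, then TLV sub-options."""
    remote_id = bytes.fromhex(system_mac.replace(":", ""))
    if len(remote_id) != 6:
        raise ValueError("system MAC must be six bytes")
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(body) > 255:
        raise ValueError("option 82 payload exceeds one-byte length")
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


def parse_option82(option: bytes) -> dict:
    """Decode the option; every length field is checked against the buffer."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT:
        raise ValueError("not a relay agent information option")
    body = option[2:2 + option[1]]
    if len(body) != option[1]:
        raise ValueError("option length exceeds available bytes")
    subs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, sublen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + sublen]
        if len(data) != sublen:
            raise ValueError("truncated sub-option data")
        subs[code] = data
        i += 2 + sublen
    result = {}
    if SUBOPT_CIRCUIT_ID in subs:
        # PortStr keeps any remaining ':' so a fanned-out port (main:sub) survives.
        vlan, lag, slot, port = subs[SUBOPT_CIRCUIT_ID].decode("ascii").split(":", 3)
        result["circuit_id"] = {"vlan_id": int(vlan), "lag_id": int(lag),
                                "slot_id": int(slot), "port_str": port}
    if SUBOPT_REMOTE_ID in subs:
        result["remote_id"] = ":".join(f"{b:02x}" for b in subs[SUBOPT_REMOTE_ID])
    return result


def is_well_formed(option: bytes) -> bool:
    """True when the option parses cleanly, False for truncated or foreign bytes."""
    try:
        parse_option82(option)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    opt = build_option82(build_circuit_id(723, 0, 1, "1"), "00:01:e8:8b:11:22")  # constructed MAC
    print(opt.hex())
    print(parse_option82(opt))
```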
When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages — containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.
ip dhcp snooping vlan name

Enabling IPv6 DHCP Snooping
To enable IPv6 DHCP snooping, use the following commands.
1. Enable IPv6 DHCP snooping globally.
CONFIGURATION mode
ipv6 dhcp snooping
2. Specify ports connected to IPv6 DHCP servers as trusted.
INTERFACE mode
ipv6 dhcp snooping trust
3. Enable IPv6 DHCP snooping on a VLAN or range of VLANs.
Displaying the Contents of the Binding Table
To display the contents of the binding table, use the following command.
● Display the DHCP snooping information.
EXEC Privilege mode
show ip dhcp snooping
● Display the contents of the binding table.
EXEC Privilege mode
show ip dhcp snooping binding
View the DHCP snooping statistics with the show ip dhcp snooping command.
10.1.1.11   00:00:a0:00:00:00   39736   S   Vl 200   Po 10
10.1.1.25   00:00:a0:00:00:00   162     D   Vl 200   Po 10
The following example shows a sample output of the show ip dhcp snooping binding command for a device connected to one of the VLT peers only (orphaned). The physical interface is the one that is directly connected to the VLT peer.
Drop DHCP Packets on Snooped VLANs Only Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE. Line cards maintain a list of snooped VLANs. When the binding table fills, DHCP packets are dropped only on snooped VLANs, while such packets are forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made. However, DHCP release and decline packets are allowed so that the DHCP snooping table can decrease in size.
arp inspection
To view entries in the ARP database, use the show arp inspection database command.
DellEMC#show arp inspection database
Protocol  Address      Age(min)  Hardware Address   Interface  VLAN   CPU
--------------------------------------------------------------------------
Internet  10.1.1.251             00:00:4d:57:f2:50  Gi 1/2     Vl 10  CP
Internet  10.1.1.252             00:00:4d:57:e6:f6  Gi 1/1     Vl 10  CP
Internet  10.1.1.253             00:00:4d:57:f8:e8  Gi 1/3     Vl 10  CP
Internet  10.1.1.
arp inspection-trust
Dynamic ARP inspection is supported on Layer 2 and Layer 3.

Source Address Validation
Using the DHCP binding table, Dell EMC Networking OS can perform three types of source address validation (SAV).
Table 18. Three Types of Source Address Validation
Source Address Validation      Description
IP Source Address Validation   Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
● Enable DHCP MAC SAV.
CONFIGURATION mode
ip dhcp snooping verify mac-address

Enabling IP+MAC Source Address Validation
IP source address validation (SAV) validates the IP source address of an incoming packet and optionally the VLAN ID of the client against the DHCP snooping binding table. IP+MAC SAV ensures that the IP source address and MAC source address are a legitimate pair, rather than validating each attribute individually. You cannot configure IP+MAC SAV with IP SAV.
1.
Clearing the Number of SAV Dropped Packets
To clear the number of SAV dropped packets, use the clear ip dhcp snooping source-address-validation discard-counters command.
DellEMC>clear ip dhcp snooping source-address-validation discard-counters
To clear the number of SAV dropped packets on a particular interface, use the clear ip dhcp snooping source-address-validation discard-counters interface interface command.
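The following is an added example, not code from the Dell EMC guide or from Dell EMC Networking OS. It builds a DHCP snooping binding table from a constructed copy of show ip dhcp snooping binding output in the layout shown earlier, and applies the checks the preceding sections describe: IP SAV (source IP and VLAN present in the table), IP+MAC SAV (source IP and source MAC must be a bound pair), DHCP MAC SAV (a DHCP packet's Ethernet source MAC must equal its client hardware address field), and dynamic ARP inspection with the trusted-port bypass. The per-interface discard counter it returns is the kind of value the discard-counters commands above report and clear. Binding rows, MAC addresses and packets are all constructed.

```python
"""Added example, not from the Dell EMC guide: a DHCP snooping binding
table parsed from constructed show output, with IP SAV, IP+MAC SAV, DHCP
MAC SAV and dynamic ARP inspection checks applied to constructed packets."""
from dataclasses import dataclass

# Constructed sample in the layout of 'show ip dhcp snooping binding'.
BINDING_OUTPUT = """\
Codes : S - Static  D - Dynamic
IP Address       MAC Address        Expires(sec)  Type  VLAN    Interface
==========================================================================
10.1.1.11        00:00:a0:11:11:11  39736         S     Vl 200  Po 10
10.1.1.25        00:00:a0:22:22:22  162           D     Vl 200  Po 10
"""


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


def parse_bindings(text: str) -> list:
    """Parse binding rows; the codes, header and separator lines are skipped."""
    bindings = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 8 or not tokens[0][0].isdigit():
            continue
        ip, mac, _expires, _type, _vl, vlan, *iface = tokens
        bindings.append(Binding(ip, mac.lower(), int(vlan), " ".join(iface)))
    return bindings


def ip_sav(bindings, ip: str, vlan: int) -> bool:
    """IP SAV: the source IP (and its VLAN) must have a binding."""
    return any(b.ip == ip and b.vlan == vlan for b in bindings)


def ip_mac_sav(bindings, ip: str, mac: str, vlan: int) -> bool:
    """IP+MAC SAV: the IP and MAC must be a bound pair, not merely each
    present somewhere in the table."""
    return any(b.ip == ip and b.mac == mac.lower() and b.vlan == vlan for b in bindings)


def dhcp_mac_sav(frame_src_mac: str, chaddr: str) -> bool:
    """DHCP MAC SAV: a DHCP packet's Ethernet source MAC must equal its CHADDR."""
    return frame_src_mac.lower() == chaddr.lower()


def arp_inspection(bindings, sender_ip: str, sender_mac: str, vlan: int,
                   trusted: bool = False) -> bool:
    """Dynamic ARP inspection: trusted ports bypass the check; on untrusted
    ports the ARP sender IP/MAC pair must match a binding."""
    return trusted or ip_mac_sav(bindings, sender_ip, sender_mac, vlan)


def filter_packets(bindings, packets, mode: str = "ip+mac"):
    """Apply SAV to constructed packets. Returns the forwarded packets and a
    per-interface discard counter."""
    forwarded, discards = [], {}
    for p in packets:
        if mode == "ip+mac":
            ok = ip_mac_sav(bindings, p["ip"], p["mac"], p["vlan"])
        else:
            ok = ip_sav(bindings, p["ip"], p["vlan"])
        if ok:
            forwarded.append(p)
        else:
            discards[p["interface"]] = discards.get(p["interface"], 0) + 1
    return forwarded, discards


PACKETS = [  # constructed
    {"ip": "10.1.1.25", "mac": "00:00:a0:22:22:22", "vlan": 200, "interface": "Po 10"},
    {"ip": "10.1.1.25", "mac": "00:00:a0:11:11:11", "vlan": 200, "interface": "Po 10"},  # bound IP, other host's MAC
    {"ip": "10.1.1.99", "mac": "00:00:a0:33:33:33", "vlan": 200, "interface": "Gi 1/5"},  # no binding at all
]

if __name__ == "__main__":
    table = parse_bindings(BINDING_OUTPUT)
    for mode in ("ip", "ip+mac"):
        fwd, drops = filter_packets(table, PACKETS, mode)
        print(f"{mode}: forwarded={len(fwd)} discards={drops}")
```

The second packet is the case the text calls out: its IP and its MAC each appear in the table, so IP SAV alone forwards it, while IP+MAC SAV discards it because the pair is not bound together.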
13 Equal Cost Multi-Path (ECMP)

This chapter describes configuring ECMP.
Topics:
• ECMP for Flow-Based Affinity
• Link Bundle Monitoring

ECMP for Flow-Based Affinity
ECMP for flow-based affinity includes link bundle monitoring.

Configuring the Hash Algorithm
TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features.
Configuring the Hash Algorithm Seed
Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order. However, the hash algorithm uses as a seed the lower 12 bits of the chassis MAC, which yields a different hash result for every chassis. This behavior means that for a given flow, even though the prefixes are sorted, two unrelated chassis can select different hops.
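The following is an added example, not code from the Dell EMC guide or from Dell EMC Networking OS. It models the behaviour just described: next hops are sorted before selection so the order RTM hands them over does not matter, but a hash seeded from the low 12 bits of each chassis MAC still sends the same flow to different hops on two chassis, and a shared configured seed restores consistent selection. The hash function is a constructed stand-in (32-bit FNV-1a with a final mixing step), not the hardware algorithm, and the MAC addresses, next hops and flows are constructed.

```python
"""Added example, not from the Dell EMC guide: why a chassis-MAC-derived
hash seed makes two chassis pick different ECMP next hops for the same
flow, and how a common seed fixes it. The hash is a constructed stand-in."""


def chassis_default_seed(chassis_mac: str) -> int:
    """Default seed as the guide describes it: the lower 12 bits of the chassis MAC."""
    return int(chassis_mac.replace(":", ""), 16) & 0xFFF


def flow_hash(flow: tuple, seed: int) -> int:
    """32-bit FNV-1a over the 5-tuple with the seed folded into the offset
    basis, plus a final mix so the low bits used for indexing are spread."""
    h = (0x811C9DC5 ^ seed) & 0xFFFFFFFF
    for byte in "|".join(str(field) for field in flow).encode():
        h = ((h ^ byte) * 0x01000193) & 0xFFFFFFFF
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & 0xFFFFFFFF
    h ^= h >> 13
    return h


def select_next_hop(flow: tuple, next_hops: list, seed: int) -> str:
    """Deterministic ECMP: sort the candidate hops first, then index into the
    sorted list with the seeded hash."""
    ordered = sorted(next_hops, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return ordered[flow_hash(flow, seed) % len(ordered)]


def disagreement_count(flows, next_hops, seed_a: int, seed_b: int) -> int:
    """Flows for which chassis A (seed_a) and chassis B (seed_b) choose differently."""
    return sum(select_next_hop(f, next_hops, seed_a) != select_next_hop(f, next_hops, seed_b)
               for f in flows)


# Constructed inputs: hops in the random order RTM might supply them, and
# 500 TCP flows as (src, dst, proto, sport, dport).
NEXT_HOPS = ["10.0.0.4", "10.0.0.2", "10.0.0.3", "10.0.0.1"]
FLOWS = [(f"192.0.2.{i % 250 + 1}", f"198.51.100.{i // 250 + 1}", 6, 1024 + i, 443)
         for i in range(500)]
CHASSIS_A_MAC = "00:01:e8:8b:00:01"
CHASSIS_B_MAC = "00:01:e8:8b:0f:0f"

if __name__ == "__main__":
    seed_a, seed_b = chassis_default_seed(CHASSIS_A_MAC), chassis_default_seed(CHASSIS_B_MAC)
    print("default seeds differ:", disagreement_count(FLOWS, NEXT_HOPS, seed_a, seed_b), "of", len(FLOWS))
    print("common seed         :", disagreement_count(FLOWS, NEXT_HOPS, 0x123, 0x123), "of", len(FLOWS))
```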
Managing ECMP Group Paths
To avoid path degeneration, configure the maximum number of paths for an ECMP route that the L3 CAM can hold. When you do not configure the maximum number of routes, the CAM holds the maximum number of ECMP paths per route. To configure the maximum number of paths, use the following command.
NOTE: For the new settings to take effect, save the new ECMP settings to the startup-config (write-mem) then reload the system.
● Configure the maximum number of paths per ECMP group.
CONFIGURATION mode
NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indices are generated in even numbers (0, 2, 4, 6... 1022) and are for information only. You can configure ecmp-group with id 2 for link bundle monitoring. This ecmp-group is different from the ecmp-group index 2 that is created by configuring routes and is automatically generated.
14 FIPS Cryptography

Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell EMC Networking platforms.
Enabling FIPS Mode
To enable or disable FIPS mode, use the console port. Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied. When you enable FIPS mode, the following actions are taken:
● If enabled, the SSH server is disabled.
● All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
The following example shows the show system command.

Disabling FIPS Mode
When you disable FIPS mode, the following changes occur:
● The SSH server disables.
● All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, close.
● Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
● FIPS mode disables.
● The SSH server re-enables.
● The Telnet server re-enables (if it is present in the configuration).
15 Force10 Resilient Ring Protocol (FRRP)

FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of the network and the node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status
The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure.
Ring Checking
At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
Figure 32. Example of Multiple Rings Connected by Single Switch

Important FRRP Points
FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring.
● The Master node transmits ring status check frames at specified intervals.
● You can run multiple physical rings on the same switch.
Important FRRP Concepts
The following table lists some important FRRP concepts.
Concept        Explanation
Ring ID        Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202, as shown in the illustration in Member VLAN Spanning Two Rings Connected by One Switch).
Control VLAN   Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose.
● The control VLAN cannot have members that are not ring ports.
● If multiple rings share one or more member VLANs, they cannot share any links between them.
● Member VLANs across multiple rings are not supported in Master nodes.
● Each ring has only one Master node; all others are transit nodes.

FRRP Configuration
These are the tasks to configure FRRP.
Interface:
● For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
● For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
3. Assign the Primary and Secondary ports and the control VLAN for the ports on the ring.
CONFIG-FRRP mode
interface primary interface secondary interface control-vlan vlan-id
Interface:
● For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
VLAN ID: Identification number of the Control VLAN.
4. Configure a Transit node.
CONFIG-FRRP mode
mode transit
5. Identify the Member VLANs for this FRRP group.
CONFIG-FRRP mode
member-vlan vlan-id {range}
VLAN-ID, Range: VLAN IDs for the ring's Member VLANs.
6. Enable this FRRP group on this switch.
CONFIG-FRRP mode
no disable

Setting the FRRP Timers
To set the FRRP timers, use the following command.
NOTE: Set the Dead-Interval time to 3 times the Hello-Interval.
show frrp ring-id
Ring ID: the range is from 1 to 255.
● Show the state of all FRRP groups.
EXEC or EXEC Privilege mode
show frrp summary
Ring ID: the range is from 1 to 255.

Troubleshooting FRRP
To troubleshoot FRRP, use the following information.
Configuration Checks
● Each Control Ring must use a unique VLAN ID.
● Only two interfaces on a switch can be Members of the same control VLAN.
● There can be only one Master node for any FRRP group.
● You can configure FRRP on Layer 2 interfaces only.
 switchport
 no shutdown
!
interface GigabitEthernet 2/31
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged GigabitEthernet 2/14,31
 no shutdown
!
interface Vlan 201
 no ip address
 tagged GigabitEthernet 2/14,31
 no shutdown
!
protocol frrp 101
 interface primary GigabitEthernet 2/14 secondary GigabitEthernet 2/31 control-vlan 101
 member-vlan 201
 mode transit
 no disable

Example of R3 TRANSIT
interface GigabitEthernet 3/14
 no ip address
 switchport
 no shutdown
!
interface GigabitEthern
Figure 33. FRRP Ring Connecting VLT Devices
You can also configure an FRRP ring where both the VLT peers are connected to the FRRP ring and the VLTi acts as the primary interface for the FRRP Master and transit nodes. This active-active FRRP configuration blocks the FRRP ring on a per-VLAN or VLAN-group basis, enabling the configuration to span different sets of VLANs.
control VLAN, multiple member VLANs are configured (for example, M1 to M10) that carry the data traffic across the FRRP rings. The secondary port P2 is tagged to the control VLAN (V1). VLTi is implicitly tagged to the member VLANs when these VLANs are configured in the VLT peer. As a result of the VLT Node2 configuration on R2, the secondary interface P2 is blocked for the member VLANs (M11 to Mn). The following figure illustrates the FRRP ring R1 topology:
Figure 34.
16 GARP VLAN Registration Protocol (GVRP)

The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1Q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other.
Configure GVRP
To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports.
Figure 35. Global GVRP Configuration Example
Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2.
gvrp enable
DellEMC(conf)#protocol gvrp
DellEMC(config-gvrp)#no disable
DellEMC(config-gvrp)#show config
!
protocol gvrp
 no disable
DellEMC(config-gvrp)#
To inspect the global configuration, use the show gvrp brief command.

Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
● Enable GVRP on a Layer 2 interface.
no shutdown
DellEMC(conf-if-gi-1/21)#

Configure a GARP Timer
Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings.
● Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The Dell EMC Networking OS default is 200ms.
17 High Availability (HA)

High availability (HA) is supported on Dell EMC Networking OS. HA is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. To support all the features within the HA collection, you should have the latest boot code. The following table lists the boot code requirements as of this Dell EMC Networking OS release.
Table 19. Boot Code Requirements
Component    Boot Code
S3048–ON 1   2.0.
Stack-unit Redundancy Role:   Primary
Stack-unit State:             Active
Stack-unit SW Version:        9.6(0.
Link to Peer:
Peer Stack-unit:
Disabling Auto-Reboot
To disable auto-reboot, use the following command.
● Prevent a failed stack unit from rebooting after a failover.
CONFIGURATION mode
redundancy disable-auto-reboot

Pre-Configuring a Stack Unit Slot
You may also pre-configure an empty stack unit slot with a logical stack unit. To pre-configure an empty stack unit slot, use the following command.
● Pre-configure an empty stack unit slot with a logical stack unit.
● Open shortest path first
● Protocol independent multicast — sparse mode
● Intermediate system to intermediate system

Software Resiliency
During normal operations, Dell EMC Networking OS monitors the health of both hardware and software components in the background to identify potential failures, even before these failures manifest.
Software Component Health Monitoring
On each of the line cards and the stack unit, there are a number of software components.
System Log
Event messages provide system administrators with diagnostic and auditing information. Dell EMC Networking OS sends event messages to the internal buffer, all terminal lines, the console, and optionally to a syslog server. For more information about event messages and configurable options, refer to Management.

Hot-Lock Behavior
Dell EMC Networking OS hot-lock features allow you to append and delete the corresponding content addressable memory (CAM) entries dynamically without disrupting traffic.
18 Internet Group Management Protocol (IGMP)

Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 36. IGMP Messages in IP Packets

Join a Multicast Group
There are two ways that a host may join a multicast group: it may respond to a general query from its querier, or it may send an unsolicited report to its querier.
Responding to an IGMP Query
The following describes how a host can join a multicast group.
1. One router on a subnet is elected as the querier. The querier periodically multicasts (to the all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
2.
IGMP Version 3
Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences.
● Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers.
● To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Joining and Filtering Groups and Sources
The following illustration shows how multicast routers maintain the group and source information from unsolicited reports.
1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2. The host's second report indicates that it is only interested in traffic for group 224.1.1.1 from source 10.11.1.1. The Include message prevents traffic from all other sources in the group from reaching the subnet.
Leaving and Staying in Groups
The following illustration shows how multicast routers track and refresh state changes in response to group-and-source-specific and general queries.
1. Host 1 sends a message indicating that it is leaving group 224.1.1.1 and that the include filter for 10.11.1.1 and 10.11.1.2 is no longer necessary.
2.
● Adjusting Timers
● Preventing a Host from Joining a Group
● Enabling IGMP Immediate-Leave
● IGMP Snooping
● Fast Convergence after MSTP Topology Changes
● Designating a Multicast Router Interface

Viewing IGMP Enabled Interfaces
Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command.
● View IGMP-enabled IPv4 interfaces.
EXEC Privilege mode
show ip igmp interface
● View IGMP-enabled IPv6 interfaces.
ip igmp version
DellEMC(conf-if-gi-1/13)#ip igmp version 3
DellEMC(conf-if-gi-1/13)#do show ip igmp interface
GigabitEthernet 1/13 is up, line protocol is down
Inbound IGMP access group is not set
Interface IGMP group join rate limit is not set
Internet address is 1.1.1.
The maximum response time is the amount of time that the querier waits for a response to a query before taking further action. The querier advertises this value in the query (refer to the illustration in IGMP Version 2). Lowering this value decreases leave latency but increases response burstiness because all host membership reports must be sent before the maximum response time expires. Inversely, increasing this value decreases burstiness at the expense of leave latency.
Figure 41. Preventing a Host from Joining a Group
The following table lists the location and description shown in the previous illustration.
Table 20. Preventing a Host from Joining a Group — Description
Location   Description
1/21       ● Interface GigabitEthernet 1/21
           ● ip pim sparse-mode
           ● ip address 10.11.12.1/24
           ● no shutdown
1/31       ● Interface GigabitEthernet 1/31
           ● ip pim sparse-mode
           ● ip address 10.11.13.1/24
           ● no shutdown
2/1        ● Interface GigabitEthernet 2/1
           ● ip pim sparse-mode
           ● ip address 10.
2/11       ● Interface GigabitEthernet 2/11
           ● ip pim sparse-mode
           ● ip address 10.11.12.2/24
           ● no shutdown
2/31       ● Interface GigabitEthernet 2/31
           ● ip pim sparse-mode
           ● ip address 10.11.23.1/24
           ● no shutdown
3/1        ● Interface GigabitEthernet 3/1
           ● ip pim sparse-mode
           ● ip address 10.11.5.1/24
           ● no shutdown
3/11       ● Interface GigabitEthernet 3/11
           ● ip pim sparse-mode
           ● ip address 10.11.13.
View the enable status of this feature using the command from EXEC Privilege mode, as shown in the example in Selecting an IGMP Version. IGMP Snooping IGMP snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers.
● Configure the switch to remove a group-port association after receiving an IGMP Leave message.
  INTERFACE VLAN mode
  ip igmp fast-leave
● View the configuration.
Adjusting the Last Member Query Interval To adjust the last member query interval, use the following command. When the querier receives a Leave message from a receiver, it sends a group-specific query out of the ports specified in the forwarding table. If no response is received, it sends another. The amount of time that the querier waits to receive a response to the initial query before sending a second one is the last member query interval (LMQI).
Protocol Separation
When you use the application application-type command to designate a set of management applications, the OS associates each application with the TCP/UDP port numbers listed in the following table. Table 21.
● The CLI prompt changes to the EIS mode.
● In this mode, you configure or unconfigure applications as management applications using the application or no application command. All configured applications are considered management applications; the rest are non-management applications.
● All the management routes (connected, static and default) are duplicated and added to the management EIS routing table.
Handling of Switch-Initiated Traffic When the control processor (CP) initiates a control packet, the following processing occurs: ● TCP/UDP port number is extracted from the sockaddr structure in the in_selectsrc call which is called as part of the connect system call or in the ip_output function.
● The rest of the response traffic is handled as per existing behavior, by doing a route lookup in the default routing table. So if the traffic is destined to the front-end port IP address, the response is sent out by doing a route lookup in the default routing table, which is the existing behavior.
Consider a sample topology in which ip1 is an address assigned to the management port and ip2 is an address assigned to any of the front panel ports. A and B are end users on the management and front-panel port networks.
This phenomenon occurs where traffic is transiting the switch. The traffic has not originated from the switch and is not terminating on the switch.
● Drop packets that are received on the front-end data port with a destination on the management port.
● Drop packets that are received on the management port with a destination on the front-end data port.
Switch-Destined Traffic
This phenomenon occurs where traffic is terminated on the switch.
Table 23. Behavior of Various Applications for Switch-Initiated Traffic
Protocol                     Behavior when EIS is Enabled   Behavior when EIS is Disabled
telnet                       EIS Behavior                   Default Behavior
tftp                         EIS Behavior                   Default Behavior
icmp (ping and traceroute)   EIS Behavior for ICMP          Default Behavior

Behavior of Various Applications for Switch-Destined Traffic
This section describes the different system behaviors that occur when traffic is terminated on the switch.
● If DHCP Client is enabled on the management port, a management default route is installed on the switch.
● If management EIS is enabled, this default route is added to both the management EIS routing table and the default routing table.
ARP learn enable
● When ARP learn enable is enabled, the switch learns ARP entries from ARP Request packets even if the packet is not destined to an IP address configured on the box.
● The ARP learn enable feature is not applicable to the EIS routing table.
19 Interfaces This chapter describes interface types, both physical and logical, and how to configure them with Dell EMC Networking Operating System (OS). The system supports 1 Gigabit Ethernet and 10 Gigabit Ethernet interfaces.
• Defining Interface Range Macros
• Monitoring and Maintaining Interfaces
• Configuring wavelength for 10-Gigabit SFP+ optics
• Link Dampening
• Link Bundle Monitoring
• Using Ethernet Pause Frames for Flow Control
• Configure the MTU Size on an Interface
• Port-Pipes
• Auto-Negotiation on Ethernet Interfaces
• View Advanced Interface Information
• Configuring the Traffic Sampling Size Globally
• Dynamic Counters
• Discard Counters

Interface Types
The following table describes different interface types.
Hardware is Force10Eth, address is 00:01:e8:05:f3:6a
    Current address is 00:01:e8:05:f3:6a
Pluggable media present, XFP type is 10GBASE-LR.
    Medium is MultiRate, Wavelength is 1310nm
    XFP receive power reading is -3.7685
Interface index is 67436603
Internet address is 65.113.24.
Resetting an Interface to its Factory Default State
You can reset the configuration applied to an interface to its factory default state. To reset the configuration, perform the following steps:
1. View the configuration applied on an interface.
   INTERFACE mode
   show config

   DellEMC(conf-if-gi-1/5)#show config
   !
   interface GigabitEthernet 1/5
    no ip address
    portmode hybrid
    switchport
    rate-interval 8
    mac learning-limit 10 no-station-move
    no shutdown
2. Reset an interface to its factory default state.
Enabling Energy Efficient Ethernet
Energy Efficient Ethernet (EEE) is an IEEE 802.3az standard that reduces power consumption on Ethernet ports. EEE stops transmission when there is no data to be transmitted and resumes transmission when new packets arrive. You can enable EEE only on 1-Gigabit and 10-Gigabit copper ports (native or optional module).
1. To enable EEE, use the eee command.
   INTERFACE mode

   Dell(conf)# interface gigabitethernet 1/1
   Dell(conf-if-gi-1/1)# eee
2.
Pluggable media present, Media type is unknown
    Wavelength unknown
Interface index is 100992002
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed auto
Flowcontrol rx on tx off
ARP type: ARPA, ARP Timeout 04:00:00
Energy Efficient Ethernet : Yes
Last clearing of "show interface" counters 3d17h53m
Queueing strategy: fifo
Input Statistics:
     0 packets, 0 bytes
     0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     0 Multica
RX - Byte Counter
RX - Control Frame Counter
RX - Pause Control Frame Counter
RX - Oversized Frame Counter
RX - Jabber Frame Counter
RX - VLAN Tag Frame Counter
RX - Double VLAN Tag Frame Counter
RX - RUNT Frame Counter
RX - Fragment Counter
RX - VLAN Tagged Packets
RX - Ingress Dropped Packet
RX - MTU Check Error Frame Counter
RX - PFC Frame Prio
TX - Debug Counter 10
TX - Debug Counter 11
TX - EEE LPI Event Counter
TX - EEE LPI Duration Counter
TX - Good Packet Counter
TX - Packet/Frame Counter
TX - Unicast Frame Counter
TX - Multicast Frame Counter
TX - Broadcast Frame Counter
TX - Byte Counter
TX - Control Frame Counter
TX - Pause Control Frame Counter
TX - Oversized Frame Counter
TX - Jabber Counter
TX - VLAN Tag Frame Counter
TX - Double VLAN Tag Frame Counter
TX - RUNT Frame Counter
TX - Fragment Counter
TX - PFC Frame Priority 0
TX - PFC Frame Priority 1
TX - PFC Frame Priority 2
TX - PFC Frame Priority 3
TX - PFC Frame Prio
Physical Interfaces
The Management Ethernet interface is a single RJ-45 Fast Ethernet port on a switch. The interface provides dedicated management access to the system.
Stack-unit interfaces support Layer 2 and Layer 3 traffic over the 1-Gigabit Ethernet and 10-Gigabit Ethernet interfaces. These interfaces can also become part of virtual interfaces such as virtual local area networks (VLANs) or port channels. For more information about VLANs, refer to Bulk Configuration.
● Enable Layer 2 data transmissions through an individual interface.
  INTERFACE mode
  switchport

  DellEMC(conf-if)#show config
  !
  interface Port-channel 1
   no ip address
   switchport
   no shutdown
  DellEMC(conf-if)#

Configuring Layer 2 (Interface) Mode
To configure an interface in Layer 2 mode, use the following commands.
● Enable the interface.
  INTERFACE mode
  no shutdown
● Place the interface in Layer 2 (switching) mode.
Configuring Layer 3 (Interface) Mode
To assign an IP address, use the following commands.
● Enable the interface.
  INTERFACE mode
  no shutdown
● Configure a primary IP address and mask on the interface.
  INTERFACE mode
  ip address ip-address mask [secondary]
  The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx). Add the keyword secondary if the IP address is the interface's backup IP address. You can only configure one primary IP address per interface.
The following is the sample syslog displayed when the timer for Err-disable recovery is started:

May 8 17:18:57 %STKUNIT1-M:CP %IFMGR-5-ERR_DIS_RECOVERY_TIMER_START: 180 seconds timer started to attempt recovery of interface Gi 2/18 from error disabled state caused by bpdu-guard.

The following is the sample syslog displayed when the recovery action is complete:

May 8 17:21:57 %STKUNIT1-M:CP %IFMGR-5-ERR_DIS_RECOVERY_COMPLETE: Error Disable Recovery timer expired for interface Gi 2/18.
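The two syslog messages above are what a log pipeline sees when bpdu-guard trips a port and the recovery timer later expires. The following is an added example (not part of the Dell EMC guide) that parses those messages, pairs each TIMER_START with its RECOVERY_COMPLETE, and flags interfaces that keep getting err-disabled, which is the signal that a rogue switch or a loop is plugged into that port. The sample log is constructed for the example; the extra events on Gi 2/7 and the second round on Gi 2/18 are made up, and the field names (cause, timer, elapsed) are the example's own.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the two ERR_DIS_RECOVERY messages quoted above.
# The Gi 2/7 event and the second Gi 2/18 event are invented for the example.
SAMPLE_LOG = """\
May 8 17:18:57 %STKUNIT1-M:CP %IFMGR-5-ERR_DIS_RECOVERY_TIMER_START: 180 seconds timer started to attempt recovery of interface Gi 2/18 from error disabled state caused by bpdu-guard.
May 8 17:20:03 %STKUNIT1-M:CP %IFMGR-5-ERR_DIS_RECOVERY_TIMER_START: 180 seconds timer started to attempt recovery of interface Gi 2/7 from error disabled state caused by bpdu-guard.
May 8 17:21:57 %STKUNIT1-M:CP %IFMGR-5-ERR_DIS_RECOVERY_COMPLETE: Error Disable Recovery timer expired for interface Gi 2/18.
May 8 17:25:10 %STKUNIT1-M:CP %IFMGR-5-ERR_DIS_RECOVERY_TIMER_START: 180 seconds timer started to attempt recovery of interface Gi 2/18 from error disabled state caused by bpdu-guard.
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
START_RE = re.compile(
    TS + r" .*%IFMGR-5-ERR_DIS_RECOVERY_TIMER_START: (?P<secs>\d+) seconds timer started "
    r"to attempt recovery of interface (?P<intf>\S+ \S+) from error disabled state "
    r"caused by (?P<cause>[\w-]+)\.$"
)
COMPLETE_RE = re.compile(
    TS + r" .*%IFMGR-5-ERR_DIS_RECOVERY_COMPLETE: Error Disable Recovery timer expired "
    r"for interface (?P<intf>\S+ \S+)\.$"
)


def _seconds_between(start_ts, end_ts):
    fmt = "%b %d %H:%M:%S"  # syslog timestamps carry no year; good enough for deltas
    return int((datetime.strptime(end_ts, fmt) - datetime.strptime(start_ts, fmt)).total_seconds())


def parse_err_disable_log(text):
    """Pair TIMER_START with RECOVERY_COMPLETE per interface.

    Returns (still_disabled, recovered, start_counts): interfaces whose timer has not
    expired yet, completed start/complete pairs, and how often each port tripped.
    """
    pending = {}       # interface -> start event awaiting its COMPLETE
    recovered = []     # completed pairs with elapsed seconds
    start_counts = {}  # interface -> number of err-disable events
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            pending[m["intf"]] = {"cause": m["cause"], "timer": int(m["secs"]), "started": m["ts"]}
            start_counts[m["intf"]] = start_counts.get(m["intf"], 0) + 1
            continue
        m = COMPLETE_RE.match(line)
        if m:
            ev = pending.pop(m["intf"], None)
            if ev is None:
                continue  # COMPLETE without a START in this window (log rolled over): ignore
            ev["intf"] = m["intf"]
            ev["completed"] = m["ts"]
            ev["elapsed"] = _seconds_between(ev["started"], m["ts"])
            recovered.append(ev)
    return pending, recovered, start_counts


def repeat_offenders(start_counts, threshold=2):
    """Ports err-disabled at least `threshold` times: recovery is just re-arming the trap."""
    return sorted(intf for intf, n in start_counts.items() if n >= threshold)


if __name__ == "__main__":
    pending, recovered, counts = parse_err_disable_log(SAMPLE_LOG)
    print("still err-disabled:", sorted(pending))
    print("recovered:", [(e["intf"], e["cause"], e["elapsed"]) for e in recovered])
    print("repeat offenders:", repeat_offenders(counts))
```

With the sample log, Gi 2/18 recovers after exactly the 180 seconds the timer announced and then trips again four minutes later, so it is reported as a repeat offender while Gi 2/7 is still waiting for its timer to expire.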
● If the management port is down or route lookup fails in the management EIS routing table, the outgoing interface is selected based on route lookup from the default routing table. ● If a route in the EIS table conflicts with a front-end port route, the front-end port route has precedence. ● Due to protocol, ARP packets received through the management port create two ARP entries (one for the lookup in the EIS table and one for the default routing table).
● IPv6 secondary addresses on management interfaces:
  ○ across a platform must be in the same subnet.
  ○ must not match the virtual IP address and must not be in the same subnet as the virtual IP.

DellEMC#show interfaces managementethernet 1/1
ManagementEthernet 1/1 is up, line protocol is up
Hardware is DellForce10Eth, address is 00:01:e8:a0:bf:f3
    Current address is 00:01:e8:a0:bf:f3
Pluggable media not present
Interface index is 302006472
Internet address is 10.16.130.
  no shutdown
● The interface is the management interface.
  INTERFACE mode
  description

To display the configuration for a given port, use the show interface command in EXEC Privilege mode, as shown in the following example. To display the routing table, use the show ip route command in EXEC Privilege mode.
○ secondary: the IP address is the interface's backup IP address. You can configure up to eight secondary IP addresses.

interface Vlan 10
 ip address 1.1.1.2/24
 tagged GigabitEthernet 2/2-2/13
 tagged GigabitEthernet 5/1
 ip ospf authentication-key force10
 ip ospf cost 1
 ip ospf dead-interval 60
 ip ospf hello-interval 15
 no shutdown
!

Loopback Interfaces
A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally.
Use the port-delay-restore command and specify a value between 1 and 300 seconds.

DellEMC(conf)#port-delay-restore 300

Use the no port-delay-restore command to disable the feature.

DellEMC(conf)#no port-delay-restore

To turn this feature off for an individual interface, enter INTERFACE mode and use the no port-delay-restore command.
Member ports of a LAG are added and programmed into the hardware in a predictable order based on the port ID, instead of in the order in which the ports come up. With this implementation, load balancing yields predictable results across device reloads. A physical interface can belong to only one port channel at a time. Each port channel must contain interfaces of the same interface type/speed. Port channels can contain a mix of 1G/10G/40G.
no shutdown

After you enable the port channel, you can place it in Layer 2 or Layer 3 mode. Use the switchport command to place the port channel in Layer 2 mode, or configure an IP address to place it in Layer 3 mode. You can configure a port channel as you would a physical interface, by enabling or configuring protocols or assigning access control lists.
LineSpeed 2000 Mbit
Members in this channel: Gi 1/10 Gi 1/17
ARP type: ARPA, ARP timeout 04:00:00
Last clearing of "show interface" counters 00:00:00
Queueing strategy: fifo
     1212627 packets input, 1539872850 bytes
     Input 1212448 IP Packets, 0 Vlans 0 MPLS
     4857 64-byte pkts, 17570 over 64-byte pkts, 35209 over 127-byte pkts
     69164 over 255-byte pkts, 143346 over 511-byte pkts, 942523 over 1023-byte pkts
     Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
     42 CRC, 0 IP Checksum, 0 overrun, 0 discarded
The following example shows moving an interface from port channel 4 to port channel 3.
  EXEC Privilege mode
  show vlan

Configuring VLAN Tags for Member Interfaces
To configure and verify VLAN tags for individual members of a port channel, perform the following:
1. Configure VLAN membership on individual ports.
   INTERFACE mode
   DellEMC(conf-if)#vlan tagged 2,3-4
2. Use the switchport command in INTERFACE mode to enable Layer 2 data transmissions through an individual interface.
   INTERFACE mode
   DellEMC(conf-if)#switchport
3.
When you disable a port channel, all interfaces within the port channel are operationally down also. Load Balancing Through Port Channels Dell EMC Networking OS uses hash algorithms for distributing traffic evenly over channel members in a port channel (LAG). The hash algorithm distributes traffic among Equal Cost Multi-path (ECMP) paths and LAG members. The distribution is based on a flow, except for packet-based hashing. A flow is identified by the hash and is assigned to one link.
● crc-upper — uses the upper 32 bits of the hash key to compute the egress port.
● dest-ip — uses the destination IP address as part of the hash key.
● lsb — uses the least significant bit of the hash key to compute the egress port.
● xor1 — uses the upper 8 bits of CRC16-BISYNC and the lower 8 bits of xor1.
● xor2 — uses the upper 8 bits of CRC16-BISYNC and the lower 8 bits of xor2.
● xor4 — uses the upper 8 bits of CRC16-BISYNC and the lower 8 bits of xor4.
● xor8 — uses the upper 8 bits of CRC16-BISYNC and the lower 8 bits of xor8.
● xor16 — uses a 16-bit XOR.
Create a Single-Range
The following is an example of a single range.
Example of the interface range Command (Single Range)

DellEMC(config)# interface range gigabitethernet 1/1 - 1/23
DellEMC(config-if-range-gi-1/1-1/23)# no shutdown
DellEMC(config-if-range-gi-1/1-1/23)#

Create a Multiple-Range
The following is an example of a multiple range.
Commas
The following is an example of how to use commas to add different interface types to a range of interfaces.
Example of Adding Interface Ranges

DellEMC(config-if)# interface range gigabitethernet 5/1 - 23, gigabitethernet 1/1 - 1/2
DellEMC(config-if-range-gi-5/1-23,gi1/1-1/2)# no shutdown
DellEMC(config-if-range-gi-5/1-23,gi1/1-1/2)#

Add Ranges
The following example shows how to use commas to add VLAN and port-channel interfaces to the range.
Monitoring and Maintaining Interfaces Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, and so on. To view the interface’s statistics, use the following command. ● View the interface’s statistics. EXEC Privilege mode Enter the type of interface and the interface information: ○ For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
Maintenance Using TDR The time domain reflectometer (TDR) is supported on all Dell EMC Networking switches. TDR is an assistance tool to resolve link issues that helps detect obvious open or short conditions within any of the four copper pairs. TDR sends a signal onto the physical cable and examines the reflection of the signal that returns. By examining the reflection, TDR is able to indicate whether there is a cable fault (when the cable is broken, becomes unterminated, or if a transceiver is unplugged).
● suppress-threshold — The suppress threshold is the accumulated penalty value at which a flapping interface is dampened. The system adds a penalty each time the interface goes down. When the accumulated penalty reaches the default or configured suppress threshold, the interface is placed in the Error-Disabled state. The range of the suppress threshold is from 1 to 20000. The default is 2500.
● half-life — The accumulated penalty decays exponentially based on the half-life period.
Figure 42. Interface State Change
Consider an interface that flaps periodically, as shown above. Every time the interface goes down, a penalty of 1024 is added. In the above example, during the first flap (flap 1), the accumulated penalty becomes 1024. The accumulated penalty then decays exponentially based on the configured half-life, which is 10 seconds in the above example. During the second flap (flap 2), another penalty of 1024 is added to the decayed value.
Enabling Link Dampening
To enable link dampening, use the following command.
● Enable link dampening.
  INTERFACE mode
  dampening
To view the link dampening configuration on an interface, use the show config command.

R1(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
 ip address 10.10.19.1/24
 dampening 1 2 3 4
 no shutdown

To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
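The penalty arithmetic described above (1024 per flap, exponential decay with a 10-second half-life, dampening once the accumulated penalty reaches the 2500 suppress threshold) decides whether a flapping port is taken out of service, so it is worth being able to predict it before choosing values. The following is an added example, not code from the Dell EMC guide, that replays a series of link-down events and reports the flap at which the interface would be suppressed and how long it stays suppressed. The reuse threshold (750) and max-suppress-time (60 s) are assumed values for the example; this section does not state their defaults.

```python
import math

# Values stated in the text above.
PENALTY_PER_FLAP = 1024
HALF_LIFE = 10.0            # seconds
SUPPRESS_THRESHOLD = 2500
# Assumed for the example: not given in this section of the guide.
REUSE_THRESHOLD = 750
MAX_SUPPRESS_TIME = 60.0    # seconds


def decay(penalty, elapsed, half_life=HALF_LIFE):
    """Exponential decay: the penalty halves every half_life seconds."""
    return penalty * 2.0 ** (-elapsed / half_life)


def simulate_flaps(flap_times, penalty_per_flap=PENALTY_PER_FLAP, half_life=HALF_LIFE,
                   suppress_threshold=SUPPRESS_THRESHOLD):
    """Replay 'interface went down' timestamps (seconds, ascending).

    Returns (penalty after each flap, index of the flap that crossed the suppress
    threshold, or None if it never did).
    """
    penalty, last, history, suppressed_at = 0.0, None, [], None
    for i, t in enumerate(flap_times):
        if last is not None:
            penalty = decay(penalty, t - last, half_life)  # decay since the previous flap
        penalty += penalty_per_flap                         # then charge this flap
        last = t
        history.append(round(penalty, 1))
        if suppressed_at is None and penalty >= suppress_threshold:
            suppressed_at = i
    return history, suppressed_at


def seconds_until_reuse(penalty, reuse_threshold=REUSE_THRESHOLD, half_life=HALF_LIFE):
    """Solve penalty * 2^(-t/half_life) = reuse_threshold for t."""
    if penalty <= reuse_threshold:
        return 0.0
    return half_life * math.log2(penalty / reuse_threshold)


def suppress_duration(penalty, reuse_threshold=REUSE_THRESHOLD, half_life=HALF_LIFE,
                      max_suppress_time=MAX_SUPPRESS_TIME):
    """Time the interface stays dampened: until the penalty decays below the reuse
    threshold, capped by max-suppress-time."""
    return min(seconds_until_reuse(penalty, reuse_threshold, half_life), max_suppress_time)


if __name__ == "__main__":
    for gap in (10, 5):
        hist, idx = simulate_flaps([gap * i for i in range(6)])
        if idx is None:
            print(f"flap every {gap}s: penalties {hist} -> never suppressed")
        else:
            print(f"flap every {gap}s: penalties {hist} -> suppressed at flap {idx + 1}, "
                  f"for {suppress_duration(hist[idx]):.1f}s")
```

With a 10-second half-life, a port that flaps every 10 seconds converges on a penalty of 2048 and is never dampened at the default 2500 threshold; a port flapping every 5 seconds crosses the threshold on its fourth flap. That is the trade-off the parameters encode: a short half-life forgives slow flapping, a low suppress threshold catches it sooner.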
Configure MTU Size on an Interface
In Dell EMC Networking OS, the Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload). The following table lists the range for each transmission media.

Transmission Media   MTU Range (in bytes)
Ethernet             594-12000 = link MTU
                     576-9234 = IP MTU

Link Bundle Monitoring
Monitoring linked LAG bundles allows traffic distribution amounts in a link to be monitored for unfair distribution at any given time.
The globally assigned 48-bit multicast address 01-80-C2-00-00-01 is used to send and receive pause frames. To allow full-duplex flow control, stations implementing the pause operation instruct the MAC to enable reception of frames with a destination address equal to this multicast address. The PAUSE frame is defined by IEEE 802.3x and uses MAC Control frames to carry the PAUSE commands. Ethernet pause frames are supported on full duplex only.
For example, for VLAN packets, if the IP MTU is 1400, the Link MTU must be no less than 1422: 1400-byte IP MTU + 22-byte VLAN Tag = 1422-byte link MTU The following table lists the various Layer 2 overheads found in the Dell EMC Networking OS and the number of bytes. Table 27.
Setting the Speed of Ethernet Interfaces
To discover whether the remote and local interfaces require manual speed synchronization, and to manually synchronize them if necessary, use the following command sequence.
1. Determine the local interface status. Refer to the following example.
   EXEC Privilege mode
   show interfaces [interface | stack-unit stack-unit-number] status
2. Determine the remote interface status.
!
interface GigabitEthernet 1/1
 no ip address
 speed 100
 duplex full
 no shutdown

Set Auto-Negotiation Options
The negotiation auto command provides a mode option for configuring an individual port as forced master or forced slave once auto-negotiation is enabled.
CAUTION: Ensure that only one end of the link is configured as forced-master and the other end as forced-slave.
The following example lists the show commands that have the configured keyword available:

DellEMC#show interfaces configured
DellEMC#show interfaces stack-unit 1 configured
DellEMC#show interfaces tengigabitEthernet 1 configured
DellEMC#show ip interface configured
DellEMC#show ip interface stack-unit 1 configured
DellEMC#show ip interface tengigabitEthernet 1 configured
DellEMC#show ip interface br configured
DellEMC#show ip interface br stack-unit 1 configu
     0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
     0 CRC, 0 IP Checksum, 0 overrun, 0 discarded
     0 packets output, 0 bytes, 0 underruns
     Output 0 Multicasts, 0 Broadcasts, 0 Unicasts
     0 IP Packets, 0 Vlans, 0 MPLS
     0 throttles, 0 discarded
Rate info (interval 299 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec, 0 packets/sec, 0.
SFP+ receive power reading is -36.
NOTE: If you enable more than four counter-dependent applications on a port pipe, there is an impact on line rate performance.
The following counter-dependent applications are supported by Dell EMC Networking OS:
● Egress VLAN
● Ingress VLAN
● Next Hop 2
● Next Hop 1
● Egress ACLs
● ILM
● IP FLOW
● IP ACL
● IP FIB
● L2 ACL
● L2 FIB

Clearing Interface Counters
The counters in the show interfaces command are reset by the clear counters command.
when a packet matches an FP entry, irrespective of the action defined in the FP entry to avoid pipeline processing in the hardware. Display discard counters ● View the discard counters.
   ● ARP reply packets
   ● GVRP traffic redirects
   ● LACP traffic redirects
   ● Common VLT control frames
2. Packets are dropped due to user-defined ACLs.
3. Multicast traffic with a TTL value of 1.
4. Multicast traffic that is not part of any group or special group that has to be processed by the CPU.
5. In addition to the above protocols, the filter processor rule also drops Yellow and Red packets if QoS is configured on the system.
20 Internet Protocol Security (IPSec) Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel. ● Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
 encrypt session-key outbound esp 257 auth encrypt
 match 0 tcp a::1 /128 0 a::2 /128 23
 match 1 tcp a::1 /128 23 a::2 /128 0
 match 2 tcp a::1 /128 0 a::2 /128 21
 match 3 tcp a::1 /128 21 a::2 /128 0
 match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
 match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
 match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
 match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
3. Apply the crypto policy to management traffic.
21 IPv4 Routing The Dell EMC Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell EMC Networking OS.
IP Addresses
Dell EMC Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which aggregates several contiguous networks into a single shorter prefix, is also supported. To subnet, you apply a mask to the IP address to separate the network and host portions of the IP address.
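VLSM and supernetting are the two directions of the same mask arithmetic: VLSM splits one block into subnets of different sizes, supernetting merges blocks into one shorter prefix. The following is an added example, not from the Dell EMC guide, using Python's standard ipaddress module to carve a /24 into variable-length subnets by best fit, to show the network/host split a mask produces, and to aggregate prefixes. The covering_supernet function also lists the address space a single covering prefix would advertise without the router owning it, which is the check to make before summarising routes. The network names and host counts are invented for the example.

```python
import ipaddress


def prefix_for_hosts(hosts):
    """Shortest prefix leaving room for `hosts` usable addresses plus network and broadcast."""
    need = hosts + 2
    return 32 - (need - 1).bit_length()


def vlsm_allocate(base, host_requirements):
    """Carve variable-length subnets out of `base`, largest requirement first (best fit).

    host_requirements maps a name to the number of usable hosts it needs.
    Raises ValueError when the base block is exhausted.
    """
    free = [ipaddress.ip_network(base)]
    allocated = {}
    for name, hosts in sorted(host_requirements.items(), key=lambda kv: (-kv[1], kv[0])):
        prefix = prefix_for_hosts(hosts)
        fits = [b for b in free if b.prefixlen <= prefix]
        if not fits:
            raise ValueError(f"no room left for {name} (/{prefix})")
        block = max(fits, key=lambda b: b.prefixlen)  # smallest free block that is big enough
        free.remove(block)
        if block.prefixlen == prefix:
            chosen = block
        else:
            chosen = next(block.subnets(new_prefix=prefix))
            free.extend(block.address_exclude(chosen))  # hand the remainder back to the pool
        allocated[name] = chosen
    return allocated


def split_host(address, prefixlen):
    """Apply the mask: return (network address, host number) for an address."""
    net = ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)
    host = int(ipaddress.ip_address(address)) & int(net.hostmask)
    return str(net.network_address), host


def supernet(prefixes):
    """Exact aggregation: merge only prefixes that together form a complete larger block."""
    return [str(n) for n in ipaddress.collapse_addresses(map(ipaddress.ip_network, prefixes))]


def covering_supernet(prefixes):
    """Smallest single prefix containing every input, plus the holes it would also cover.

    The holes are address space you would be advertising without owning it.
    """
    nets = list(ipaddress.collapse_addresses(map(ipaddress.ip_network, prefixes)))
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    holes = [cover]
    for n in nets:  # each (non-overlapping) prefix lies inside exactly one remaining hole
        holes = [h for hole in holes
                 for h in (hole.address_exclude(n) if n.subnet_of(hole) else [hole])]
    return str(cover), sorted(str(h) for h in holes)


if __name__ == "__main__":
    plan = vlsm_allocate("192.168.10.0/24", {"users": 100, "servers": 50, "p2p": 2})
    for name, net in plan.items():
        print(f"{name:8s} {net}  ({net.num_addresses - 2} usable hosts)")
    print(split_host("192.168.10.77", 26))
    print(supernet(["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]))
    print(covering_supernet(["10.1.0.0/24", "10.1.2.0/24"]))
```

collapse_addresses only merges prefixes that exactly fill a larger block, so it never advertises space you do not hold; covering_supernet shows what a hand-written summary route would leak (here 10.1.1.0/24 and 10.1.3.0/24) if you summarised 10.1.0.0/24 and 10.1.2.0/24 as 10.1.0.0/22.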
INTERFACE mode
ip address ip-address mask [secondary]
● ip-address mask: the IP address must be in dotted decimal format (A.B.C.D). The mask must be in slash prefix-length format (/24).
● secondary: add the keyword secondary if the IP address is the interface's backup IP address. You can configure up to eight secondary IP addresses.
To view the configuration, use the show config command in INTERFACE mode or use the show ip interface command in EXEC privilege mode, as shown in the second example.
S    6.1.2.7/32      via 6.1.20.2,
S    6.1.2.8/32      via 6.1.20.2,
S    6.1.2.9/32      via 6.1.20.2,
S    6.1.2.10/32     via 6.1.20.2,
S    6.1.2.11/32     via 6.1.20.2,
S    6.1.2.12/32     via 6.1.20.2,
S    6.1.2.13/32     via 6.1.20.2,
S    6.1.2.14/32     via 6.1.20.2,
S    6.1.2.15/32     via 6.1.20.2,
S    6.1.2.16/32     via 6.1.20.2,
S    6.1.2.17/32     via 6.1.20.
S    11.1.1.0/24     Direct, Lo 0
--More--
Configure Static Routes for the Management Interface When an IP address that a protocol uses and a static management route exists for the same prefix, the protocol route takes precedence over the static management route. To configure a static route for the management port, use the following command. ● Assign a static route to point to the management interface or forwarding router.
Using the Configured Source IP Address in ICMP Messages
ICMP error or unreachable messages are now sent with the configured IP address of the source interface, instead of the front-end port IP address, as the source IP address. Enable the generation of ICMP unreachable messages with the ip unreachable command in INTERFACE mode. When a ping or traceroute packet from an endpoint or a device arrives at the Null 0 interface configured with a static route, it is discarded.
● Enable directed broadcast.
  INTERFACE mode
  ip directed-broadcast
  Enable directed broadcast only on interfaces where an application requires it: an interface that forwards directed broadcasts lets a remote sender reach every host on that subnet with a single packet, which is the mechanism behind broadcast amplification attacks.
To view the configuration, use the show config command in INTERFACE mode.
Resolution of Host Names
Domain name service (DNS) maps host names to IP addresses. This feature simplifies commands such as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default.
Specifying the Local System Domain and a List of Domains If you enter a partial domain, Dell EMC Networking OS can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. Dell EMC Networking OS searches the host table first to resolve the partial domain. The host table contains both statically configured and dynamically learnt host and IP addresses.
ARP Dell EMC Networking OS uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network. Over time, Dell EMC Networking OS creates a forwarding table mapping the MAC addresses to their corresponding IP address. This table is called the ARP Cache and dynamically learned addresses are removed after a defined period of time.
Enabling Proxy ARP By default, Proxy ARP is enabled. To disable Proxy ARP, use the no proxy-arp command in the interface mode. To re-enable Proxy ARP, use the following command. ● Re-enable Proxy ARP. INTERFACE mode ip proxy-arp To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output.
ARP Learning via ARP Request In Dell EMC Networking OS versions prior to 8.3.1.0, Dell EMC Networking OS learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped. If there is an existing entry for the requesting host, it is updated. Figure 43.
  The default is 5. The range is from 1 to 20.
● Set the exponential timer for resending unresolved ARPs.
  CONFIGURATION mode
  arp backoff-time
  The default is 30. The range is from 1 to 3600.
● Display all ARP entries learned via gratuitous ARP.
  EXEC Privilege mode
  show arp retries

ICMP
For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply).
Figure 45. ICMP Redirect Host H is connected to the same Ethernet segment as SW1 and SW2. SW1 and SW2 are multi-layer switches which can route packets. The default gateway of Host H is configured as SW1. Although the best route to the remote branch office host may be through SW2, Host H sends a packet destined for Host R to its default gateway — SW1.
○ UDP broadcast traffic with port number 67 or 68 is unicast to the dynamic host configuration protocol (DHCP) server per the ip helper-address configuration, whether or not the UDP port list contains those ports.
○ If the UDP port list contains ports 67 or 68, UDP broadcast traffic is forwarded on those ports.
Enabling UDP Helper
To enable UDP helper, use the following command.
● Enable UDP helper.
Figure 46. UDP Helper with Broadcast-All Addresses UDP Helper with Subnet Broadcast Addresses When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to matching interface. In the following illustration, Packet 1 has the destination IP address 1.1.1.255, which matches the subnet broadcast address of VLAN 101.
Figure 48. UDP Helper with Configured Broadcast Addresses UDP Helper with No Configured Broadcast Addresses The following describes UDP helper with no broadcast addresses configured. ● If the incoming packet has a broadcast destination IP address, the unaltered packet is routed to all Layer 3 interfaces. ● If the Incoming packet has a destination IP address that matches the subnet broadcast address of any interface, the unaltered packet is routed to the matching interfaces.
22 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell EMC Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
● Duplicate Address Detection (DAD) — Before configuring its IPv6 address, an IPv6 host node device uses this mechanism to check whether that address is already in use anywhere on the link.
● Prefix Renumbering — Useful in transparent renumbering of hosts in the network when an organization changes its service provider.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses from dynamic host configuration protocol (DHCP) servers via stateful auto-configuration.
IPv6 Header Fields The 40 bytes of the IPv6 header are ordered, as shown in the following illustration. Figure 49. IPv6 Header Fields Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Value   Description
43      Routing header
44      Fragmentation header
50      Encrypted Security
51      Authentication header
59      No Next Header
60      Destinations option header
NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) web page.
Hop Limit (8 bits)
The Hop Limit field shows the number of hops remaining for packet processing.
  This field identifies the type of header following the Hop-by-Hop Options header and uses the same values.
● Header Extension Length (1 byte)
  This field identifies the length of the Hop-by-Hop Options header in 8-byte units, not including the first 8 bytes. Consequently, if the header is exactly 8 bytes long, the value is 0 (zero).
● Options (size varies)
  This field can contain one or more options. The first byte of each option identifies the option type and directs the router how to handle the option.
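The Next Header values in the table above chain the base header to its extension headers, and the Header Extension Length rule (8-byte units, first 8 bytes not counted) is what a receiver must apply to find the next header. Getting that walk wrong is a classic source of parser bugs, so the following added example (not code from the Dell EMC guide) implements it: it parses the 40-byte base header, walks Hop-by-Hop, Routing, Fragment, Authentication and Destination Options headers with bounds checks against Payload Length, stops at ESP because nothing beyond it is readable, decodes the Hop-by-Hop option TLVs including the two high bits of the option type that tell a router what to do with an unrecognised option, and rejects a Hop-by-Hop header that is not first. The packets are constructed inline; the MAX_EXT_HEADERS cap is the example's own defensive choice, not something the guide specifies.

```python
import struct
import ipaddress

# Next Header values: the extension headers from the table above plus common upper-layer protocols.
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NO_NEXT, DST_OPTS = (
    0, 6, 17, 43, 44, 50, 51, 58, 59, 60)
EXT_NAMES = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
             AH: "authentication", DST_OPTS: "destination-options"}
MAX_EXT_HEADERS = 8  # assumption for the example: bound the chain so a crafted packet cannot stall the parser


def parse_options(data):
    """Decode the TLV options of a Hop-by-Hop or Destination Options header."""
    opts, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                      # Pad1: a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option length byte missing")
        length = data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError("option runs past the end of its header")
        opts.append({"type": kind, "len": length,
                     "on_unrecognised": kind >> 6,       # 0 skip, 1 drop, 2 drop+ICMP, 3 drop+ICMP unless multicast
                     "mutable_en_route": bool(kind & 0x20)})
        i += 2 + length
    return opts


def parse_ipv6(pkt):
    """Parse the 40-byte base header and walk the extension header chain."""
    if len(pkt) < 40:
        raise ValueError("truncated base header")
    vtf, payload_len, nh, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("Version field is not 6")
    end = 40 + payload_len
    if end > len(pkt):
        raise ValueError("Payload Length exceeds the bytes actually present")
    hdr = {"traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF,
           "payload_len": payload_len, "hop_limit": hop_limit,
           "src": str(ipaddress.IPv6Address(pkt[8:24])), "dst": str(ipaddress.IPv6Address(pkt[24:40])),
           "chain": [], "hbh_options": []}
    off = 40
    while nh in EXT_NAMES:                 # ESP (50) is not walked: everything after it is encrypted
        if len(hdr["chain"]) >= MAX_EXT_HEADERS:
            raise ValueError("too many extension headers")
        if nh == HOP_BY_HOP and off != 40:
            raise ValueError("Hop-by-Hop header must immediately follow the base header")
        if off + 2 > end:
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            length = 8                     # fixed size, no length field
        elif nh == AH:
            length = (ext_len + 2) * 4     # AH counts 32-bit words minus 2 (RFC 4302)
        else:
            length = (ext_len + 1) * 8     # 8-byte units, not counting the first 8 bytes
        if off + length > end:
            raise ValueError(f"{EXT_NAMES[nh]} header runs past Payload Length")
        if nh == HOP_BY_HOP:
            hdr["hbh_options"] = parse_options(pkt[off + 2:off + length])
        hdr["chain"].append(EXT_NAMES[nh])
        nh, off = next_nh, off + length
    hdr["upper_layer"], hdr["payload_offset"] = nh, off
    return hdr


def options_header(next_header, options=b""):
    """Build a Hop-by-Hop/Destination Options header, padding the options to a multiple of 8 bytes."""
    pad = (-(2 + len(options))) % 8
    if pad == 1:
        options += b"\x00"                                    # Pad1
    elif pad > 1:
        options += bytes([1, pad - 2]) + b"\x00" * (pad - 2)  # PadN
    return bytes([next_header, (2 + len(options)) // 8 - 1]) + options


def ipv6_packet(first_next_header, ext_bytes, payload, src="2001:db8::1", dst="2001:db8::2"):
    """Constructed packet for the example: base header + extension headers + upper-layer bytes."""
    base = struct.pack("!IHBB", 6 << 28, len(ext_bytes) + len(payload), first_next_header, 64)
    return base + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + ext_bytes + payload


if __name__ == "__main__":
    pkt = ipv6_packet(HOP_BY_HOP, options_header(TCP, b"\x01\x04\x00\x00\x00\x00"), b"\x00" * 20)
    print(parse_ipv6(pkt))
```

The bounds check on every header against Payload Length, rather than against the buffer, matters: a packet whose Payload Length says less than the bytes present must not let the parser read into trailing data, and one that claims more than is present is rejected before any extension header is touched.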
Static and Dynamic Addressing Static IPv6 addresses are manually assigned to a computer by an administrator. Dynamic IPv6 addresses are assigned either randomly or by a server using dynamic host configuration protocol (DHCP). Even though IPv6 addresses assigned using DHCP may stay the same for long periods of time, they can change. In some cases, a network administrator may implement dynamically assigned static IPv6 addresses.
Table 28. Dell EMC Networking OS versions and supported platforms with IPv6 support (continued) Feature and Functionality Dell EMC Networking OS Release Introduction Documentation and Chapter Location S3048–ON IS-IS for IPv6 9.7.(0.1) Intermediate System to Intermediate System IPv6 IS-IS in the Dell EMC Networking OS Command Line Reference Guide. IS-IS for IPv6 support for redistribution 9.7.(0.
ICMPv6 ICMP for IPv6 combines the roles of ICMP, IGMP and ARP in IPv4. Like IPv4, it provides functions for reporting delivery and forwarding errors, and provides a simple echo service for troubleshooting. The Dell EMC Networking OS implementation of ICMPv6 is based on RFC 4443. Generally, ICMPv6 uses two message types: ● Error reporting messages indicate when the forwarding or delivery of the packet failed at the destination or intermediate node.
NOTE: If a neighboring node does not have an IPv6 address assigned, it must be manually pinged to allow the IPv6 device to determine the relationship of the neighboring node. NOTE: To avoid problems with network discovery, Dell EMC Networking recommends configuring the static route last or assigning an IPv6 address to the interface and assigning an address to the peer (the forwarding router’s address) less than 10 seconds apart. With ARP, each node broadcasts ARP requests on the entire link.
The lifetime parameter configures the amount of time the IPv6 host can use the IPv6 RDNSS address for name resolution. The lifetime range is 0 to 4294967295 seconds. When the maximum lifetime value, 4294967295, or the infinite keyword is specified, the lifetime to use the RDNSS address does not expire. A value of 0 indicates to the host that the RDNSS address should not be used. You must specify a lifetime using the lifetime or infinite parameter.
Displaying IPv6 RDNSS Information To display IPv6 interface information, including IPv6 RDNSS information, use the show ipv6 interface command in EXEC or EXEC Privilege mode. Examples of Displaying IPv6 RDNSS Information The following example displays IPv6 RDNSS information. The output in the last 3 lines indicates that the IPv6 RDNSS was correctly configured on interface te 1/1.
Configuration Tasks for IPv6 The following are configuration tasks for the IPv6 protocol.
● Adjusting Your CAM-Profile
● Assigning an IPv6 Address to an Interface
● Assigning a Static IPv6 Route
● Configuring Telnet with IPv6
● SNMP over IPv6
● Showing IPv6 Information
● Clearing IPv6 Routes
Adjusting Your CAM-Profile Although adjusting your CAM-profile is not a mandatory step, if you plan to implement IPv6 ACLs, adjust your CAM settings. The CAM space is allotted in FP blocks.
You can configure up to two IPv6 addresses on management interfaces, allowing required default router support on the management port that is acting as host, per RFC 4861. Data ports support more than two IPv6 addresses. When you configure IPv6 addresses on multiple interfaces (the ipv6 address command) and verify the configuration (the show ipv6 interfaces command), the same link local (fe80) address is displayed for each IPv6 interface. ● Enter the IPv6 Address for the device.
NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing. SNMP over IPv6 You can configure SNMP over IPv6 transport so that an IPv6 host can perform SNMP queries and receive SNMP notifications from a device running Dell EMC Networking OS IPv6. The Dell EMC Networking OS SNMP-server commands for IPv6 have been extended to support IPv6.
○ For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
static 0 0 Total 5 0 The following example shows the show ipv6 route command.
● Clear (refresh) all or a specific route from the IPv6 routing table. EXEC mode clear ipv6 route {* | ipv6 address prefix-length} ○ *: all routes. ○ ipv6 address: the format is x:x:x:x::x. ○ mask: the prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing.
The hop limit range is from 0 to 254. 6. Set the managed address configuration flag. POLICY LIST CONFIGURATION mode managed-config-flag {on | off} 7. Enable verification of the sender IPv6 address in inspected messages from the authorized device source access list. POLICY LIST CONFIGURATION mode match ra{ipv6-access-list name | ipv6-prefix-list name | mac-access-list name} 8. Enable verification of the advertised other configuration parameter. POLICY LIST CONFIGURATION mode other-config-flag {on | off} 9.
Configuring IPv6 RA Guard on an Interface To configure the IPv6 Router Advertisement (RA) guard on an interface, perform the following steps: 1. Configure the terminal to enter the Interface mode. CONFIGURATION mode interface interface-type slot/port 2. Apply the IPv6 RA guard to a specific interface. INTERFACE mode ipv6 nd ra-guard attach policy policy-name [vlan [vlan 1, vlan 2, vlan 3.....]] 3. Display the configurations applied on all the RA guard policies or a specific RA guard policy.
23 Intermediate System to Intermediate System The intermediate system to intermediate system (IS-IS) protocol uses a shortest-path-first algorithm. Dell EMC Networking supports both IPv4 and IPv6 versions of IS-IS.
Figure 52. ISO Address Format Multi-Topology IS-IS Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases. Use this feature to place a virtual physical topology into logical routing domains, which can each support different routing and security policies. All routers on a LAN or point-to-point must have at least one common supported topology when operating in Multi-Topology ISIS mode.
Graceful Restart Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change. Normally, when an IS-IS router is restarted, temporary disruption of routing occurs due to events in both the restarting router and the neighbors of the restarting router.
● Processes IPv6 information received in the PDUs.
● Computes routes to IPv6 destinations.
● Downloads IPv6 routes to the RTM for installing in the FIB.
● Accepts external IPv6 information and advertises this information in the PDUs.
The following table lists the default IS-IS values. Table 29.
In IS-IS, neighbors form adjacencies only when they are the same IS type. For example, a Level 1 router never forms an adjacency with a Level 2 router. A Level 1-2 router forms Level 1 adjacencies with a neighboring Level 1 router and forms Level 2 adjacencies with a neighboring Level 2 router. NOTE: Even though you enable IS-IS globally, enable the IS-IS process on an interface for the IS-IS process to exchange protocol information and form adjacencies. To configure IS-IS globally, use the following commands.
To view the IS-IS configuration, enter the show isis protocol command in EXEC Privilege mode or the show config command in ROUTER ISIS mode. DellEMC#show isis protocol IS-IS Router: System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.3233 47.0004.004d.
2. Exclude this router from other routers' SPF calculations. ROUTER ISIS AF IPV6 mode set-overload-bit 3. Set the minimum interval between SPF calculations. ROUTER ISIS AF IPV6 mode spf-interval [level-1 | level-2 | interval] [initial_wait_interval [second_wait_interval]] Use this command for IPv6 route computation only when you enable multi-topology. If using single-topology mode, to apply to both IPv4 and IPv6 route computations, use the spf-interval command in CONFIG ROUTER ISIS mode. 4.
graceful-restart t3 {adjacency | manual seconds} ○ adjacency: if you configure this option, the restarting router receives the remaining time value from its peer and adjusts its T3 value accordingly. ○ manual: allows you to specify a fixed value that the restarting router should use. The range is from 50 to 120 seconds. The default is 30 seconds. NOTE: If this timer expires before the synchronization has completed, the restarting router sends the overload bit in the LSP.
Restart Capable Neighbors: 2, In Start: 0, In Restart: 0 DellEMC# Changing LSP Attributes IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary. To change the defaults, use any or all of the following commands. ● Set the interval between LSP generations.
example, if you configure the metric as narrow, and a link state PDU (LSP) with wide metrics is received, the route is not installed. Dell EMC Networking OS supports the following IS-IS metric styles. Table 30. Metric Styles Metric Style Characteristics Cost Range Supported on IS-IS Interfaces narrow Sends and accepts narrow or old TLVs (Type, Length, Value). 0 to 63 wide Sends and accepts wide or new TLVs. 0 to 16777215 transition Sends both wide (new) and narrow (old) TLVs.
○ default-metric: the range is from 0 to 63 if the metric-style is narrow, narrow-transition, or transition. The range is from 0 to 16777215 if the metric style is wide or wide transition. ● Assign a metric for an IPv6 link or interface. INTERFACE mode isis ipv6 metric default-metric [level-1 | level-2] ○ default-metric: the range is from 0 to 63 for narrow and transition metric styles. The range is from 0 to 16777215 for wide metric styles. The default is 10. The default level is level-1.
The default is Level 1-2 router. When the IS-type is Level 1-2, the software maintains two Link State databases, one for each level. To view the Link State databases, use the show isis database command. DellEMC#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum B233.00-00 0x00000003 0x07BF eljefe.00-00 * 0x00000009 0xF76A eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.
○ For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. ● Apply a configured prefix list to all outgoing IPv4 IS-IS routes. ROUTER ISIS mode distribute-list prefix-list-name out [bgp as-number | connected | ospf process-id | rip | static] You can configure one of the optional parameters: ○ connected: for directly connected routes. ○ ospf process-id: for OSPF routes only. ○ rip: for RIP routes only. ○ static: for user-configured routes. ○ bgp: for BGP routes only.
Redistributing IPv4 Routes In addition to filtering routes, you can add routes from other routing instances or protocols to the IS-IS process. With the redistribute command syntax, you can include BGP, OSPF, RIP, static, or directly connected routes in the IS-IS process. NOTE: Do not route iBGP routes to IS-IS unless there are route-maps associated with the IS-IS redistribution. To add routes from other routing instances or protocols, use the following commands.
redistribute ospf process-id [level-1| level-1-2 | level-2] [metric value] [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map mapname] Configure the following parameters:
○ process-id: the range is from 1 to 65535.
○ level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
○ metric value: the range is from 0 to 16777215. The default is 0.
no set-overload-bit When the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2. DellEMC#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum B233.00-00 0x00000003 0x07BF eljefe.00-00 * 0x0000000A 0xF963 eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.
Dell EMC Networking OS displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode. To disable a specific debug command, enter the keyword no then the debug command. For example, to disable debugging of IS-IS updates, use the no debug isis updates-packets command. To disable all IS-IS debugging, use the no debug isis command. To disable all debugging, use the undebug all command.
Table 31. Metric Value When the Metric Style Changes (continued) Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value wide transition truncated value (the truncated value appears in the LSP only). The original isis metric value is displayed in the show config and show running-config commands and is used if you change back to transition metric style. NOTE: A truncated value is a value that is higher than 63, but set back to 63 because the higher value is not supported.
Table 32. Metric Value when the Metric Style Changes Multiple Times (continued) Beginning Metric Style Next Metric Style Resulting Metric Value Next Metric Style Final Metric Value wide transition transition truncated value wide transition original value is recovered wide transition truncated value narrow default value (10). A message is sent to the logging buffer wide transition transition truncated value narrow transition default value (10).
You can copy and paste from these examples to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes. NOTE: Whenever you make IS-IS configuration changes, clear (restart) the IS-IS process using the clear isis command. The clear isis command must include the tag for the ISIS process. The following example shows the response from the router: DellEMC#clear isis * % ISIS not enabled.
metric-style wide level-2 net 34.0000.0000.AAAA.00 DellEMC(conf-router_isis)# IS-IS Sample Configuration — Multi-topology DellEMC(conf-if-gi-3/17)#show config ! interface GigabitEthernet 3/17 ipv6 address 24:3::1/76 ipv6 router isis no shutdown DellEMC(conf-if-gi-3/17)# DellEMC(conf-router_isis)#show config ! router isis net 34.0000.0000.AAAA.
24 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic.
NOTE: There is no configuration on the interface because that condition is required for an interface to be part of a LAG. ● You can configure link dampening on individual members of a LAG. LACP Modes Dell EMC Networking OS provides three modes for configuration of LACP — Off, Active, and Passive. ● Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state.
● Configuring the LAG Interfaces as Dynamic
● Setting the LACP Long Timeout
● Monitoring and Debugging LACP
● Configuring Shared LAG State Tracking
Creating a LAG To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces. ● Create a dynamic port channel (LAG). CONFIGURATION mode interface port-channel ● Create a dynamic port channel (LAG).
Setting the LACP Long Timeout PDUs are exchanged between port channel (LAG) interfaces to maintain LACP sessions. PDUs are transmitted at either a slow or fast transmission rate, depending upon the LACP timeout value. The timeout value is the amount of time that a LAG interface waits for a PDU from the remote system before bringing the LACP session down. The default timeout value is 1 second. You can configure the default timeout value to be 30 seconds.
Figure 54. Shared LAG State Tracking To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). Dell EMC Networking OS has the ability to bring LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group.
Figure 55. Configuring Shared LAG State Tracking The following are shared LAG state tracking console messages: ● 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 1 ● 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2 To view the status of a failover group member, use the show interface port-channel command.
LACP Basic Configuration Example The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names. Figure 56. LACP Basic Configuration Example Configure a LAG on ALPHA The following example creates a LAG on ALPHA.
0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics 136 packets, 16718 bytes, 0 underruns 0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 136 Multicasts, 0 Broadcasts, 0 Unicasts 0 Vlans, 0 throttles, 0 discarded, 0 collisions, 0 wreddrops Rate info (interval 299 seconds): Input 00.00 Mbits/sec,0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec,0 packets/sec, 0.
Figure 58.
Figure 59.
Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int gig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-gi-3/21)#port-channel-protocol lacp Bravo(conf-if-gi-3/21-lacp)#port-channel 10 mode active Bravo(conf-if-gi-3/21-lacp)#no shut Bravo(conf-if-gi-3/21)#end ! interface GigabitEthernet 3/21 no ip address ! port-channel-
Figure 60.
Figure 61.
Figure 62. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
25 Layer 2 This chapter describes the Layer 2 features supported on the device. Topics:
• Manage the MAC Address Table
• MAC Learning Limit
• NIC Teaming
• Configure Redundant Pairs
• Far-End Failure Detection
Manage the MAC Address Table You can perform the following management tasks in the MAC address table.
Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. ● Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command. ● Display the contents of the MAC address table.
NOTE: When the system receives SLF packets with about 25000 packets per second and 2500 packets per burst, the system does not learn all MAC addresses. The system learns all MAC addresses on subsequent reception of packets. Setting the MAC Learning Limit To set a MAC learning limit on an interface, use the following command. ● Specify the number of MAC addresses that the system can learn off a Layer 2 interface.
For example, if you disconnect a network device from one interface and reconnect it to another interface, the MAC address is learned on the new interface. When the system detects this “station move,” the system clears the entry learned on the original interface and installs a new entry on the new interface. mac learning-limit no-station-move The no-station-move option, also known as “sticky MAC,” provides additional port security by preventing a station move.
station-move-violation shutdown-offending ● Shut down both the first and second port to learn the MAC address. INTERFACE mode station-move-violation shutdown-both ● Display a list of all of the interfaces configured with MAC learning limit or station move violation. CONFIGURATION mode show mac learning-limit violate-action NOTE: When the MAC learning limit (MLL) is configured as no-station-move, the MLL will be processed as static entries internally.
Enabling port security You can enable or disable the port security feature globally on the Dell EMC Networking OS. You can configure the MAC address learning limit settings only if port security is enabled on the Dell EMC Networking OS. If the port security feature is disabled, all the interface-level configurations are reset and all dynamically learnt MAC addresses on the interfaces configured with a MAC address learning limit are cleared.
Figure 64. Configuring the mac-address-table station-move refresh-arp Command Configure Redundant Pairs Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 65. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
As shown in the above illustration, interface 3/41 is a backup interface for 3/42, and 3/42 is in the Down state. If 3/41 fails, 3/42 transitions to the Up state, which makes the backup link active. A message similar to the following message appears whenever you configure a backup port.
Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Gi 1/2 DellEMC(conf-if-po-1)# Far-End Failure Detection Far-end failure detection (FEFD) is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis.
3. When the local interface receives the echoed packet from the remote end, the local interface transitions to the Bi-directional state. 4. If the FEFD enabled system is configured to use FEFD in Normal mode and neighboring echoes are not received after three intervals (you can set each interval between 3 and 300 seconds), the state changes to unknown. 5.
fefd-global {interval | mode} To display information about the state of each interface, use the show fefd command in EXEC privilege mode. DellEMC#show fefd FEFD is globally 'ON', interval is 3 seconds, mode is 'Normal'.
Debugging FEFD To debug FEFD, use the first command. To provide output for each packet transmission over the FEFD enabled connection, use the second command. ● Display output whenever events occur that initiate or disrupt an FEFD enabled connection. EXEC Privilege mode debug fefd events ● Provide output for each packet transmission over the FEFD enabled connection.
26 Link Layer Discovery Protocol (LLDP) This chapter describes how to configure and use the link layer discovery protocol (LLDP). Topics:
• 802.
Figure 67. Type, Length, Value (TLV) Segment TLVs are encapsulated in a frame called an LLDP data unit (LLDPDU) (shown in the following table), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements. There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs.
Optional TLVs The Dell EMC Networking OS supports these optional TLVs: management TLVs, IEEE 802.1 and 802.3 organizationally specific TLVs, and TIA-1057 organizationally specific TLVs. Management TLVs A management TLV is an optional TLV sub-type. This kind of TLV contains essential management information about the sender. Organizationally Specific TLVs A professional organization or a vendor can define organizationally specific TLVs.
Table 36. Optional TLV Types (continued) Type TLV Description port belongs (and the untagged VLAN to which a port belongs if the port is in Hybrid mode). 127 Protocol Identity Indicates the protocols that the port can process. Dell EMC Networking OS does not currently support this TLV. 127 MAC/PHY Configuration/Status Indicates the capability and current setting of the duplex status and bit rate, and whether the current settings are the result of auto-negotiation.
TIA Organizationally Specific TLVs The Dell EMC Networking system is an LLDP-MED Network Connectivity Device (Device Type 4). Network connectivity devices are responsible for: ● transmitting an LLDP-MED capability TLV to endpoint devices ● storing the information that endpoint devices advertise The following table describes the five types of TIA-1057 Organizationally Specific TLVs. Table 37.
Table 37. TIA-1057 (LLDP-MED) Organizationally Specific TLVs (continued) Type SubType TLV Description 127 11 Inventory — Asset ID Indicates a user specified device number to manage inventory. 127 12–255 Reserved — LLDP-MED Capabilities TLV The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
LLDP-MED Network Policies TLV A network policy in the context of LLDP-MED is a device’s VLAN configuration and associated Layer 2 and Layer 3 configurations. LLDP-MED network policies TLV include:
● VLAN ID
● VLAN tagged or untagged status
● Layer 2 priority
● DSCP value
An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined.
Extended Power via MDI TLV The extended power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices. Advertise the extended power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device. ● Power Type — there are two possible power types: power source entity (PSE) or power device (PD). The Dell EMC Networking system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification.
● 802.1X controlled ports do not allow LLDPDUs until the connected device is authenticated. CONFIGURATION versus INTERFACE Configurations All LLDP configuration commands are available in PROTOCOL LLDP mode, which is a sub-mode of the CONFIGURATION mode and INTERFACE mode. ● Configurations made at the CONFIGURATION level are global; that is, they affect all interfaces on the system.
To undo an LLDP configuration, precede the relevant command with the keyword no. Enabling LLDP on Management Ports LLDP on management ports is enabled by default. To enable LLDP on management ports, use the following command. 1. Enter Protocol LLDP mode. CONFIGURATION mode protocol lldp 2. Enter LLDP management-interface mode. LLDP-MANAGEMENT-INTERFACE mode management-interface 3. Enable LLDP.
● For TIA-1057 TLVs:
○ guest-voice
○ guest-voice-signaling
○ location-identification
○ power-via-mdi
○ softphone-voice
○ streaming-video
○ video-conferencing
○ video-signaling
○ voice
○ voice-signaling
In the following example, LLDP is enabled globally. R1 and R2 are transmitting periodic LLDPDUs that contain management, 802.1, and 802.3 TLVs. Figure 73.
The system processes each LLDP frame to retrieve the OUI, subtype, and data length, and stores the retrieved data of organizationally specific unrecognized LLDP TLVs in a list. The stored list of organizational TLVs is removed when the neighbor is lost or the neighbor ages out. The software assigns a temporary identification index for each unrecognized organizationally specific LLDP TLV upon receiving more than one TLV with the same OUI and subtype, but with different organizationally defined information strings.
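The TLV framing introduced in the TLV section (7-bit type, 9-bit length, value) and the unrecognized organizational TLV list described in the paragraph above, as an added Python example that is not the OS's own code and is not from the guide. The parser checks the mandatory Chassis ID, Port ID, TTL and End TLVs, and the indexing of repeated OUI/subtype pairs is a model of the behaviour the paragraph describes; the sample LLDPDU, the OUIs assigned to IEEE 802.1, IEEE 802.3 and TIA-1057 (taken from those standards), and the function names are assumptions.

```python
import struct

END_LLDPDU, CHASSIS_ID, PORT_ID, TTL, ORG_SPECIFIC = 0, 1, 2, 3, 127

# OUIs of the organizationally specific TLV families the guide says the OS supports.
# The values come from the IEEE 802.1/802.3 and TIA-1057 standards, not from the guide.
KNOWN_OUIS = {"00-80-c2": "IEEE 802.1", "00-12-0f": "IEEE 802.3", "00-12-bb": "TIA-1057"}


def parse_lldpdu(data: bytes) -> list:
    """Split an LLDPDU into TLVs: 16-bit header (7-bit type, 9-bit length), then the value."""
    tlvs, offset = [], 0
    while offset + 2 <= len(data):
        (header,) = struct.unpack("!H", data[offset:offset + 2])
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {tlv_type} at offset {offset} is truncated")
        tlv = {"type": tlv_type, "length": length, "value": value}
        if tlv_type == ORG_SPECIFIC:
            if length < 4:
                raise ValueError("organizationally specific TLV shorter than OUI + subtype")
            tlv["oui"] = "-".join(f"{b:02x}" for b in value[:3])   # 3-byte OUI
            tlv["subtype"] = value[3]                               # 1-byte subtype
            tlv["info"] = value[4:]                                 # organizationally defined string
        tlvs.append(tlv)
        offset += 2 + length
        if tlv_type == END_LLDPDU:
            break
    else:
        raise ValueError("LLDPDU has no End of LLDPDU TLV")
    return tlvs


def check_mandatory(tlvs: list) -> bool:
    """The first three TLVs must be Chassis ID, Port ID and TTL; the last must be End of LLDPDU."""
    types = [t["type"] for t in tlvs]
    return types[:3] == [CHASSIS_ID, PORT_ID, TTL] and types[-1] == END_LLDPDU


def unrecognized_org_tlvs(tlvs: list) -> list:
    """Model of the OrgUnknownTLVList: each organizationally specific TLV whose OUI is not
    known, as (oui, subtype, index). The index is the temporary identifier the guide describes:
    it grows only when the same OUI and subtype arrive with a different information string;
    an exact repeat reuses the earlier entry."""
    seen, result = {}, []
    for t in tlvs:
        if t["type"] != ORG_SPECIFIC or t["oui"] in KNOWN_OUIS:
            continue
        strings = seen.setdefault((t["oui"], t["subtype"]), [])
        if t["info"] not in strings:
            strings.append(t["info"])
            result.append((t["oui"], t["subtype"], len(strings)))
    return result


def _tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def _org_tlv(oui_hex: str, subtype: int, info: bytes) -> bytes:
    return _tlv(ORG_SPECIFIC, bytes.fromhex(oui_hex) + bytes([subtype]) + info)


def build_sample_lldpdu() -> bytes:
    """Constructed LLDPDU: the mandatory TLVs, one IEEE 802.1 Port VLAN ID TLV, three TLVs from
    an OUI the system does not know (two different info strings, one exact repeat), then End."""
    return b"".join([
        _tlv(CHASSIS_ID, bytes([4]) + bytes.fromhex("4c7625f4ab01")),  # subtype 4 = MAC address
        _tlv(PORT_ID, bytes([5]) + b"Gi 1/2"),                       # subtype 5 = interface name
        _tlv(TTL, struct.pack("!H", 120)),
        _org_tlv("0080c2", 1, struct.pack("!H", 100)),               # Port VLAN ID 100
        _org_tlv("f8b156", 24, b"\x01"),
        _org_tlv("f8b156", 24, b"\x02"),
        _org_tlv("f8b156", 24, b"\x01"),
        _tlv(END_LLDPDU, b""),
    ])


if __name__ == "__main__":
    parsed = parse_lldpdu(build_sample_lldpdu())
    print(check_mandatory(parsed), unrecognized_org_tlvs(parsed))
```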
Viewing Information Advertised by Adjacent LLDP Neighbors To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands. ● Display brief information about adjacent devices. show lldp neighbors ● Display all of the information that neighbors are advertising.
1000BASE-T half duplex mode Operational MAU type: unknown UnknownTLVList: OrgUnknownTLVList: ((f8-b1-56), 24, 1) ((f8-b1-56), 23, 1) ((f8-b1-56), 22, 1) ((f8-b1-56), 21, 7) ((00-80-c2), 7, 5) --------------------------------------------------------------------------The following note applies only to platforms that support 25G interfaces: NOTE: Since different port types are shown in two letters, the 25G interface is represented as tf (Twentyfive) in show lldp neighbors output.
Total Neighbor information Age outs: 0 Total Multiple Neighbors Detected: 0 Total Frames Discarded: 0 Total In Error Frames: 0 Total Unrecognized TLVs: 1056 Total TLVs Discarded: 0 Next packet will be sent after 16 seconds The neighbors are given below: ----------------------------------------------------------------------Remote Chassis ID Subtype: Mac address (4) Remote Chassis ID: 4c:76:25:f4:ab:01 Remote Port Subtype: Interface name (5) Remote Port ID: fortyGigE 1/2/8/1 Local Port ID: GigabitEthernet 1/2
R1(conf-lldp)#hello 25 R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description hello 25 no disable R1(conf-lldp)#no hello R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)# Configuring LLDP Notification I
● Transmit only. CONFIGURATION mode or INTERFACE mode mode tx ● Receive only. CONFIGURATION mode or INTERFACE mode mode rx ● Return to the default setting.
<2-10> Multiplier (default=4) R1(conf-lldp)#multiplier 5 R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description multiplier 5 no disable R1(conf-lldp)#no multiplier R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(c
Example of debug lldp Command Output with Unrecognized Reserved and Organizational Specific LLDP TLVs The following is an example of LLDPDU with both (Reserved and Organizational specific) unrecognized TLVs.
Table 41. LLDP Configuration MIB Objects (continued) MIB Object Category LLDP Variable LLDP MIB Object Description statsFramesInTotal lldpStatsRxPortFramesTotal Total number of LLDP frames received through the port. statsFramesOutTotal lldpStatsTxPortFramesTotal Total number of LLDP frames transmitted through the port. statsTLVsDiscardedTotal lldpStatsRxPortTLVsDiscardedTot al Total number of TLVs received then discarded.
Table 42. LLDP System MIB Objects (continued) TLV Type TLV Name TLV Variable interface number OID System LLDP MIB Object Remote lldpRemManAddrIfSubtyp e Local lldpLocManAddrIfId Remote lldpRemManAddrIfId Local lldpLocManAddrOID Remote lldpRemManAddrOID Table 43. LLDP 802.
Table 44.
27 Microsoft Network Load Balancing Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
Limitations of the NLB Feature The following limitations apply to switches on which you configure NLB: ● The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN. When a large volume of traffic is processed, the clustering performance might be impacted in a small way. This limitation is applicable to switches that perform unicast flooding in the software. ● The ip vlan-flooding command applies globally across the system and for all VLANs.
There might be some ARP table entries that are resolved through ARP packets, which had the Ethernet MAC SA different from the MAC information inside the ARP packet. This unicast data traffic flooding occurs only for those packets that use these ARP entries. Enabling a Switch for Multicast NLB To enable a switch for Multicast NLB mode, perform the following steps: 1.
28 Multicast Source Discovery Protocol (MSDP) Multicast source discovery protocol (MSDP) is supported on Dell EMC Networking OS. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 76.
Implementation Information The Dell EMC Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446. Configure Multicast Source Discovery Protocol Configuring MSDP is a four-step process. 1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures. The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 77.
Figure 78.
Figure 79.
Figure 80. Configuring MSDP
Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1. Enable MSDP.
CONFIGURATION mode
ip multicast-msdp
2. Peer PIM systems in different administrative domains.
CONFIGURATION mode
ip msdp peer peer-address connect-source interface
R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
R3#show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.
Clearing the Source-Active Cache To clear the source-active cache, use the following command. ● Clear the SA cache of all, local, or rejected entries, or entries for a specific group. CONFIGURATION mode clear ip msdp sa-cache [group-address | local | rejected-sa] Enabling the Rejected Source-Active Cache To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error.
Figure 81.
Figure 82.
Figure 83. MSDP Default Peer, Scenario 4
Specifying Source-Active Messages
To specify messages, use the following command.
● Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check.
CONFIGURATION mode
ip msdp default-peer ip-address list
If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
DellEMC(conf)#ip msdp peer 10.0.50.
DellEMC#show ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime     GroupAddr     SourceAddr    RPAddr        LearnedFrom   Reason
00:33:18   229.0.50.64   24.0.50.64    200.0.1.50    10.0.50.2     Rpf-Fail
00:33:18   229.0.50.65   24.0.50.65    200.0.1.50    10.0.50.2     Rpf-Fail
00:33:18   229.0.50.66   24.0.50.66    200.0.1.50    10.0.50.2     Rpf-Fail
Limiting the Source-Active Messages from a Peer
To limit the source-active messages from a peer, use the following commands.
1.
Preventing MSDP from Caching a Remote Source
To prevent MSDP from caching a remote source, use the following commands.
1. OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
CONFIGURATION mode
ip msdp cache-rejected-sa
2. Prevent the system from caching remote sources learned from a specific peer based on source and group.
CONFIGURATION mode
ip msdp sa-filter {in | out} peer-address list ext-acl-name
As shown in the following example, R1 is advertising source 10.11.4.2.
MSDP Source-Active Cache - 1 entries
GroupAddr    SourceAddr   RPAddr        LearnedFrom   Expire   UpTime
239.0.0.1    10.11.4.2    192.168.0.1   local         70       00:27:20
R3(conf)#do show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr    SourceAddr   RPAddr        LearnedFrom   Expire   UpTime
239.0.0.1    10.11.4.2    192.168.0.1   192.168.0.1   1        00:10:29
[Router 3]
R3(conf)#do show ip msdp sa-cache
R3(conf)#
To display the configured SA filters for a peer, use the show ip msdp peer command from EXEC Privilege mode.
EXEC Privilege mode
clear ip msdp peer peer-address
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.3(639) Connect Source: Lo 0
State: Established Up/Down Time: 00:04:26
Timers: KeepAlive 30 sec, Hold time 75 sec
SourceActive packet count (in/out): 5/0
SAs learned from this peer: 0
SA Filtering:
Input (S,G) filter: myremotefilter
Output (S,G) filter: none
R3(conf)#do clear ip msdp peer 192.168.0.1
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 0.0.0.
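The rejected-SA cache and the per-peer SA filters above are the evidence an operator has that a peer is pushing sources it should not. The following Python script is an added example, not Dell's code: it parses the column layout of show ip msdp sa-cache rejected-sa as printed on this page, counts rejections per (peer, reason), flags peers that exceed a threshold, and lists advertised sources that fall outside an allowed source-prefix policy. The SAMPLE_OUTPUT block is constructed for the example (the first three rows mirror the page, the rest are invented), and the threshold value and prefix list are assumptions, not Dell defaults.

```python
"""Triage 'show ip msdp sa-cache rejected-sa' output offline.

Added example, not Dell's code. Parses the rejected-SA table, summarises
rejections per learned-from peer and reason, flags peers over an assumed
threshold, and checks advertised sources against an allowed prefix list.
"""
import ipaddress
import re
from collections import Counter

# One cache row: UpTime GroupAddr SourceAddr RPAddr LearnedFrom Reason
_ROW_RE = re.compile(
    r"^(?P<uptime>\d\d:\d\d:\d\d)\s+(?P<group>[\d.]+)\s+(?P<source>[\d.]+)\s+"
    r"(?P<rp>[\d.]+)\s+(?P<peer>[\d.]+)\s+(?P<reason>\S+)\s*$",
    re.M,
)

# Constructed sample: three rows copied from the page's layout plus two
# invented rows from a second peer (192.168.0.1).
SAMPLE_OUTPUT = """\
MSDP Rejected SA Cache
5 rejected SAs received, cache-size 32766
UpTime     GroupAddr     SourceAddr    RPAddr        LearnedFrom   Reason
00:33:18   229.0.50.64   24.0.50.64    200.0.1.50    10.0.50.2     Rpf-Fail
00:33:18   229.0.50.65   24.0.50.65    200.0.1.50    10.0.50.2     Rpf-Fail
00:33:18   229.0.50.66   24.0.50.66    200.0.1.50    10.0.50.2     Rpf-Fail
00:02:01   239.1.1.1     10.11.4.2     192.168.0.1   192.168.0.1   Rpf-Fail
00:00:09   239.1.1.2     172.16.9.9    192.168.0.1   192.168.0.1   Rpf-Fail
"""


def parse_rejected_sa(text):
    """Return one dict per cache row; header and count lines never match."""
    return [m.groupdict() for m in _ROW_RE.finditer(text)]


def rejected_by_peer(rows):
    """Counter keyed by (learned-from peer, rejection reason)."""
    return Counter((r["peer"], r["reason"]) for r in rows)


def peers_over_limit(rows, limit):
    """Peers with more rejected SAs than 'limit' (an assumed operational
    threshold, a candidate for an ip msdp sa-limit or an SA filter)."""
    per_peer = Counter(r["peer"] for r in rows)
    return sorted(p for p, n in per_peer.items() if n > limit)


def sa_outside_policy(rows, allowed_source_prefixes):
    """Rows whose advertised source is not inside any allowed prefix."""
    nets = [ipaddress.ip_network(p) for p in allowed_source_prefixes]
    return [r for r in rows
            if not any(ipaddress.ip_address(r["source"]) in n for n in nets)]


if __name__ == "__main__":
    rows = parse_rejected_sa(SAMPLE_OUTPUT)
    for (peer, reason), n in rejected_by_peer(rows).items():
        print(f"{peer}: {n} x {reason}")
    print("over limit:", peers_over_limit(rows, 2))
    for r in sa_outside_policy(rows, ["24.0.0.0/8", "10.0.0.0/8"]):
        print("source outside policy:", r["source"], "group", r["group"], "via", r["peer"])
```

Run it against a saved copy of the command output; a peer that keeps failing the RPF check for many groups is either misconfigured (no route back to its RP) or advertising sources it has no business originating, and either way is a candidate for the sa-filter shown on this page.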
Anycast RP relieves these limitations by allowing multiple RPs per group, which can be distributed in a topologically significant manner according to the locations of the sources and receivers. 1. All the RPs serving a given group are configured with an identical anycast address. 2. Sources then register with the topologically closest RP. 3. RPs use MSDP to peer with each other using a unique address. Figure 84.
4. Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source.
CONFIGURATION mode
ip msdp peer
5. Advertise the network of each of the unique Loopback addresses throughout the network.
ROUTER OSPF mode
network
Reducing Source-Active Message Flooding
RPs flood source-active messages to all of their peers away from the RP.
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 1
ip msdp peer 192.168.0.22 connect-source Loopback 1
ip msdp mesh-group AS100 192.168.0.22
ip msdp originator-id Loopback 1
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
The following example shows an R2 configuration for MSDP with Anycast RP.
ip multicast-routing
!
interface GigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface GigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.
 ip address 10.11.6.34/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.22 remote-as 100
 neighbor 192.168.0.22 ebgp-multihop 255
 neighbor 192.168.0.22 update-source Loopback 0
 neighbor 192.168.0.22 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
MSDP Sample Configuration: R2 Running-Config
ip multicast-routing
!
interface GigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface GigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface GigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.2 remote-as 100
 neighbor 192.168.0.2 ebgp-multihop 255
 neighbor 192.168.0.2 update-source Loopback 0
 neighbor 192.168.0.2 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.1 connect-source Loopback 0
!
ip route 192.168.0.2/32 10.11.0.23
MSDP Sample Configuration: R4 Running-Config
ip multicast-routing
!
interface GigabitEthernet 4/1
 ip pim sparse-mode
 ip address 10.11.5.
29 Multicast Listener Discovery Protocol Dell Networking OS supports the Multicast Listener Discovery (MLD) protocol. Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
Joining a Multicast Group The Querier periodically sends a General Query to the all-nodes multicast address FF02::1. A host that wants to join a multicast group responds to the general query with a report that contains the group address; the report is also addressed to the group (in the IPv6 Destination Address field). To avoid duplicate reporting, any host that hears a report from another host for the same group in which it itself is interested cancels its report for that group.
[Packet-format figure not reproduced: Multicast Address Record listing Source Address [1] through Source Address [N]]
Version 2 multicast listener reports are sent by IP nodes to report (to neighboring routers) the current multicast listening state, or changes in the multicast listening state, of their interfaces.
[Packet-format figure not reproduced: Multicast Address Record listing Source Address [1] through Source Address [N], followed by Auxiliary Data]
report when the timer expires. Increasing this value spreads host responses over a greater period of time, and so reduces response burstiness. To adjust the query response time, use the following command: INTERFACE Mode ipv6 mld query-max-resp-time Configuring MLD Version To configure MLD version on the system, follow this procedure: Select the MLD version INTERFACE Mode ipv6 mld version {1 | 2} If you do not configure the MLD version, the system defaults to version 2.
retransmissions. Lowering the Last Listener Query Interval reduces the time to detect that there are no remaining receivers for a group, and so can reduce the amount of unnecessarily forwarded traffic. To adjust the last-member query interval, use the following command: INTERFACE Mode ipv6 mld last-member-query-interval Displaying MLD groups table Display MLD groups. Group information can be filtered.
Enable MLD Snooping MLD is automatically enabled when you enable IPv6 PIM, but MLD snooping must be explicitly enabled. To enable MLD snooping, use the following command: CONFIGURATION Mode ipv6 mld snooping enable Disable MLD Snooping When MLD is enabled globally, it is by default enabled on all the VLANs.
2. To display the MLD explicit-tracking table, use the following command.
EXEC Privilege
show ipv6 mld snooping groups explicit
Display the MLD Snooping Table
1. To display the MLD snooping table, use the following command:
EXEC Privilege
show ipv6 mroute snooping vlan
2.
30 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview MSTP — specified in IEEE 802.
● Modifying Global Parameters
● Modifying the Interface Parameters
● Setting STP path cost as constant
● Configuring an EdgePort
● Flush MAC Addresses after a Topology Change
● MSTP Sample Configurations
● Debugging and Verifying MSTP Configurations
Spanning Tree Variations
The Dell EMC Networking OS supports four variations of spanning tree, as shown in the following table.
Table 45. Spanning Tree Variations
Dell EMC Networking Term        IEEE Specification
Spanning Tree Protocol (STP)    802 .
● Prevent Network Disruptions with BPDU Guard ● Enabling SNMP Traps for Root Elections and Topology Changes ● Configuring Spanning Trees as Hitless Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0. ● Within an MSTI, only one path from any bridge to any other bridge is enabled.
!
protocol spanning-tree mstp
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200-300
All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
To view the bridge priority, use the show config command from PROTOCOL MSTP mode.
R3(conf-mstp)#msti 2 bridge-priority 0
1d2h51m: %RPM0-P:RP2 %SPANMGR-5-STP_ROOT_CHANGE: MSTP root changed for instance 2. My Bridge ID: 0:0001.e809.c24a Old Root: 32768:0001.e806.953e New Root: 0:0001.e809.c24a
R3(conf-mstp)#show config
!
protocol spanning-tree mstp
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
 MSTI 2 bridge-priority 0
Interoperate with Non-Dell Bridges
Dell EMC Networking OS supports only one MSTP region.
● Hello-time — the time interval in which the bridge sends MSTP bridge protocol data units (BPDUs). ● Max-age — the length of time the bridge maintains configuration information before it refreshes that information by recomputing the MST topology. ● Max-hops — the maximum number of hops a BPDU can travel before a receiving switch discards it. NOTE: Dell EMC Networking recommends that only experienced network administrators change MSTP parameters.
The following lists the default values for port cost by interface. Table 46.
Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode, an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states. The bpduguard shutdown-on-violation option causes the interface hardware to be shut down when it receives a BPDU.
MSTP Sample Configurations
The running-configurations support the topology shown in the following illustration. The configurations are from Dell EMC Networking OS systems.
Figure 86. MSTP with Three VLANs Mapped to Two Spanning Tree Instances
Router 1 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3.
 no shutdown
!
interface Vlan 300
 no ip address
 tagged GigabitEthernet 1/21,31
 no shutdown
Router 2 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
(Step 2)
interface GigabitEthernet 3/11
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged GigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 200
 no ip address
 tagged GigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 300
 no ip address
 tagged GigabitEthernet 3/11,21
 no shutdown
SFTOS Example Running-Configuration
This example uses the following steps:
1.
 tagged 1/0/31
 tagged 1/0/32
 exit
Debugging and Verifying MSTP Configurations
To debug and verify the MSTP configuration, use the following commands.
● Display BPDUs.
EXEC Privilege mode
debug spanning-tree mstp bpdu
● Display MSTP-triggered topology change messages.
EXEC Privilege mode
debug spanning-tree mstp events
To ensure that all the necessary parameters match (region name, region revision, and VLAN-to-instance mapping), examine your individual routers.
Brg/Port Prio: 32768/128, Rem Hops: 20
4w0d4h : MSTP: Received BPDU on Gi 2/21 :
ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x78
(Indicates MSTP routers are in the [single] region.)
CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0
Regional Bridge Id: 32768:0001.e806.953e, CIST Port Id: 128:470
Msg Age: 0, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96
Name: Tahiti, Rev: 123 (MSTP region name and revision), Int Root Path Cost: 0
Rem Hops: 19, Bridge Id: 32768:0001.e8d5.
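The region check this chapter asks for (same name, revision and VLAN-to-instance mapping on every bridge) is exactly what peers compare in the MST Configuration Identifier of each BPDU; the third field, the configuration digest, is an HMAC-MD5 over the full VLAN-to-MSTI table keyed with the well-known IEEE 802.1Q key, so any mapping difference changes it. The following Python script is an added example, not Dell's code: it parses protocol spanning-tree mstp blocks from several running-configs, computes that digest, and reports which bridge disagrees with the first. The name and revision keywords and the three SAMPLE_CONFIGS excerpts are assumptions constructed for the example (R3 typed "200,300" where the others have "200-300", the two spellings that appear on this page).

```python
"""Check that several bridges agree on their MSTP region identifier.

Added example, not Dell's code. Computes the IEEE 802.1Q MST configuration
digest (HMAC-MD5 over the 4096-entry VLAN->MSTI table) from running-config
excerpts and compares name, revision and digest across bridges.
"""
import hashlib
import hmac
import re
import struct

# Well-known HMAC key from IEEE 802.1Q (MST Configuration Identifier).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

_BLOCK_RE = re.compile(r"protocol spanning-tree mstp(.*?)(?:^!|\Z)", re.S | re.M)
_NAME_RE = re.compile(r"^\s*name\s+(\S+)", re.M)        # assumed keyword
_REV_RE = re.compile(r"^\s*revision\s+(\d+)", re.M)     # assumed keyword
_MSTI_RE = re.compile(r"^\s*MSTI\s+(\d+)\s+VLAN\s+([\d,\-]+)", re.M | re.I)


def expand_vlans(spec):
    """'100', '200-300' and '200,300' -> sorted list of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    return sorted(vlans)


def parse_mstp(config_text):
    """Return (name, revision, {vlan: msti}) from a running-config excerpt."""
    m = _BLOCK_RE.search(config_text)
    block = m.group(1) if m else ""
    name = _NAME_RE.search(block)
    rev = _REV_RE.search(block)
    mapping = {}
    for msti, spec in _MSTI_RE.findall(block):
        for vlan in expand_vlans(spec):
            if vlan in mapping:
                raise ValueError(f"VLAN {vlan} mapped to MSTI {mapping[vlan]} and {msti}")
            mapping[vlan] = int(msti)
    return (name.group(1) if name else "", int(rev.group(1)) if rev else 0, mapping)


def mst_config_digest(mapping):
    """HMAC-MD5 over 4096 big-endian 16-bit MSTIDs indexed by VLAN ID;
    unlisted VLANs (and VIDs 0 and 4095) belong to MSTI 0, the CIST."""
    table = b"".join(struct.pack(">H", mapping.get(vid, 0)) for vid in range(4096))
    return hmac.new(MST_DIGEST_KEY, table, hashlib.md5).hexdigest().upper()


def region_id(config_text):
    """(name, revision, digest): the three fields a peer compares from the BPDU."""
    name, rev, mapping = parse_mstp(config_text)
    return name, rev, mst_config_digest(mapping)


def find_mismatches(configs):
    """configs: {hostname: running-config text}. Every bridge is compared with
    the first one; returns (hostname, field, value, reference_value) tuples."""
    ref = region_id(next(iter(configs.values())))
    problems = []
    for host, text in configs.items():
        for label, mine, theirs in zip(("name", "revision", "digest"), region_id(text), ref):
            if mine != theirs:
                problems.append((host, label, mine, theirs))
    return problems


# Constructed excerpts (not from the page): R3 maps only VLANs 200 and 300
# to MSTI 2, so VLANs 201-299 fall into the CIST and its digest differs.
SAMPLE_CONFIGS = {
    "R1": "!\nprotocol spanning-tree mstp\n no disable\n name Tahiti\n revision 123\n"
          " MSTI 1 VLAN 100\n MSTI 2 VLAN 200-300\n!\n",
    "R2": "!\nprotocol spanning-tree mstp\n no disable\n name Tahiti\n revision 123\n"
          " MSTI 1 VLAN 100\n MSTI 2 VLAN 200-300\n!\n",
    "R3": "!\nprotocol spanning-tree mstp\n no disable\n name Tahiti\n revision 123\n"
          " MSTI 1 VLAN 100\n MSTI 2 VLAN 200,300\n!\n",
}

if __name__ == "__main__":
    for host, text in SAMPLE_CONFIGS.items():
        print(host, region_id(text))
    for host, label, mine, theirs in find_mismatches(SAMPLE_CONFIGS):
        print(f"{host}: {label} {mine} differs from reference {theirs}")
```

The default mapping (every VLAN in the CIST) yields the digest AC36177F50283CD4B83821D8AB26DE62 that most vendors print for an unconfigured MSTP bridge, which is a quick sanity check that the table layout is right before trusting the tool on real configs.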
31 Multicast Features NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6. NOTE: Multicast routing is supported across default and non-default virtual routing and forwarding (VRFs).
Protocol   Ethernet Address
RIP        01:00:5e:00:00:09
NTP        01:00:5e:00:01:01
VRRP       01:00:5e:00:00:12
PIM-SM     01:00:5e:00:00:0d
● The Dell EMC Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm.
● Multicast is not supported on secondary IP addresses.
● If you enable multicast routing, egress Layer 3 ACL is not applied to multicast data traffic.
● Multicast traffic can be forwarded to a maximum of 15 VLANs with the same outgoing interface.
● Limit the total number of multicast routes on the system. CONFIGURATION mode ip multicast-limit The range is from 1 to 16000. The default is 4000. NOTE: The IN-L3-McastFib CAM partition stores multicast routes and is a separate hardware limit that exists per portpipe. Any software-configured limit may supersede this hardware space limitation. The opposite is also true, the CAM partition might not be exhausted at the time the system-wide route limit is reached using the ip multicast-limit command.
Figure 87. Preventing a Host from Joining a Group
The following table lists the location and description shown in the previous illustration.
Table 47. Preventing a Host from Joining a Group — Description
Location   Description
1/21       ● interface GigabitEthernet 1/21
           ● ip pim sparse-mode
           ● ip address 10.11.12.1/24
           ● no shutdown
1/31       ● interface GigabitEthernet 1/31
           ● ip pim sparse-mode
           ● ip address 10.11.13.1/24
           ● no shutdown
2/1        ● interface GigabitEthernet 2/1
           ● ip pim sparse-mode
           ● ip address 10.
Table 47. Preventing a Host from Joining a Group — Description (continued)
Location   Description
2/11       ● interface GigabitEthernet 2/11
           ● ip pim sparse-mode
           ● ip address 10.11.12.2/24
           ● no shutdown
2/31       ● interface GigabitEthernet 2/31
           ● ip pim sparse-mode
           ● ip address 10.11.23.1/24
           ● no shutdown
3/1        ● interface GigabitEthernet 3/1
           ● ip pim sparse-mode
           ● ip address 10.11.5.1/24
           ● no shutdown
3/11       ● interface GigabitEthernet 3/11
           ● ip pim sparse-mode
           ● ip address 10.11.13.
ip pim register-filter In the following example, Source 1 and Source 2 are both transmitting packets for groups 239.0.0.1 and 239.0.0.2. R3 has a PIM register filter that only permits packets destined for group 239.0.0.2. An entry is created for group 239.0.0.1 in the routing table, but no outgoing interfaces are listed. R2 has no filter, so it is allowed to forward both groups. As a result, Receiver 1 receives only one transmission, while Receiver 2 receives duplicate transmissions. Figure 88.
Table 48. Preventing a Source from Transmitting to a Group — Description (continued)
Location   Description
           ● no shutdown
2/1        ● interface GigabitEthernet 2/1
           ● ip pim sparse-mode
           ● ip address 10.11.1.1/24
           ● no shutdown
2/11       ● interface GigabitEthernet 2/11
           ● ip pim sparse-mode
           ● ip address 10.11.12.2/24
           ● no shutdown
2/31       ● interface GigabitEthernet 2/31
           ● ip pim sparse-mode
           ● ip address 10.11.23.1/24
           ● no shutdown
3/1        ● interface GigabitEthernet 3/1
           ● ip pim sparse-mode
           ● ip address 10.11.5.
generation of user datagram protocol (UDP)-encapsulated registration messages between the DR and RP routers which are being sent to the CPU. ● Prevent the PIM SM router from creating a state based on multicast source and/or group. ip pim join-filter NOTE: When you configure a join filter, it is applicable for both ingress and egress flows. There is no option to specify in or out parameters while configuring a join filter.
Printing Multicast Traceroute (mtrace) Paths Dell EMC Networking OS supports multicast traceroute. MTRACE is an IGMP-based tool that prints the network path that a multicast packet takes from a source to a destination, for a particular group. Dell EMC Networking OS has mtrace client and mtrace transit functionality. ● MTRACE Client — an mtrace client transmits mtrace queries and prints the details from received responses.
Table 49. mtrace Command Output — Explained
Command Output: Querying reverse path for source 103.103.103.3 to destination 1.1.1.1 via group 226.0.0.3
Description: mtrace traverses the reverse path from the given destination to the given source for the given group.
Command Output: From source (?) to destination (?)
Description: If the provided source or destination IP can be resolved to a hostname, the corresponding name is displayed. If the IP cannot be resolved, it is displayed as (?).
Command Output: 0 1.1.1.
Table 50. Supported Error Codes (continued) Error Code Error Name Description 0x0A NO_MULTICAST Traceroute request arrived on an interface which is not enabled for multicast. 0x81 NO_SPACE There is not enough room to insert another response data block in the packet. mtrace Scenarios This section describes various scenarios that may result when an mtrace command is issued. The following table describes various scenarios when the mtrace command is issued: Table 51.
Table 51. Mtrace Scenarios (continued)
Output:
---------
* - Any PIM enabled interface on this node
Scenario: You invoke a weak mtrace request by specifying only the source, without specifying the multicast tree or multicast group information for the source. mtrace traces a path towards the source by using the RPF neighbor at each node.
Output:
R1>mtrace 103.103.103.3
Type Ctrl-C to abort.
Querying reverse path for source 103.103.103.
Table 51. Mtrace Scenarios (continued)
Output:
-2 12.12.12.1 PIM Reached RP/Core shared tree
-----------------------------------------------------------------
Scenario: When you issue the mtrace command with the source and multicast group information, and a multicast route is not present on a particular node, the NO ROUTE error code is displayed for that node. In this scenario, the Source Network/Mask column for that node displays the value default.
Table 51. Mtrace Scenarios (continued)
Output:
6.6.6.0/24
-2 20.20.20.2 PIM 6.6.6.0/24
-3 10.10.10.1 PIM Multicast disabled 6.6.6.0/24
-----------------------------------------------------------------
Scenario: If the destination provided in the command is not a valid receiver for the multicast group, the last-hop router for the destination provides the WRONG LAST HOP error code. If the last-hop router contains a path to the source, the path is traced irrespective of the incorrect destination.
Table 51. Mtrace Scenarios (continued)
Output:
|Hop| OIF IP |Proto| Forwarding Code |Source Network/Mask|
-----------------------------------------------------------------
0 1.1.1.1 --> Destination
-1 * * * *
-----------------------------------------------------------------
Timed out receiving responses
Perhaps no local router has a route for source, the receiver is not a member of the multicast group or the multicast ttl is too low.
Table 51. Mtrace Scenarios (continued)
Output:
R1>mtrace 6.6.6.6 4.4.4.5
Type Ctrl-C to abort.
Querying reverse path for source 6.6.6.6 to destination 4.4.4.5 via RPF
From source (?) to destination (?)
-----------------------------------------------------------------
|Hop| OIF IP |Proto| Forwarding Code |Source Network/Mask|
-----------------------------------------------------------------
0 4.4.4.5 --> Destination
-1 4.4.4.4 PIM 6.6.6.0/24
-2 20.20.20.2 PIM 6.6.6.0/24
-3 10.10.10.1 PIM RPF Interface 6.
32 Object Tracking IPv4 or IPv6 object tracking is available on Dell EMC Networking OS. Object tracking allows the Dell EMC Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell EMC Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 89. Object Tracking Example When you configure a tracked object, such as an IPv4/IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify: ● UP and DOWN thresholds used to report changes in a route metric. ● A time delay before changes in a tracked object’s state are reported to a client. Track Layer 2 Interfaces You can create an object to track the line-protocol state of a Layer 2 interface.
Track IPv4 and IPv6 Routes You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4 or IPv6 address and prefix-length. Optionally specify a tracked route by a virtual routing and forwarding (VRF) instance name if the route to be tracked is part of a VRF. The next-hop address is not part of the definition of the tracked object.
Set Tracking Delays You can configure an optional UP and/or DOWN timer for each tracked object to set the time delay before a change in the state of a tracked object is communicated to clients. The configured time delay starts when the state changes from UP to DOWN or the opposite way. If the state of an object changes back to its former UP/DOWN state before the timer expires, the timer is cancelled and the client is not notified.
OBJECT TRACKING mode delay {[up seconds] [down seconds]} Valid delay times are from 0 to 180 seconds. The default is 0. 3. (Optional) Identify the tracked object with a text description. OBJECT TRACKING mode description text The text string can be up to 80 characters. 4. (Optional) Display the tracking configuration and the tracked object’s status.
The default is 0. 3. (Optional) Identify the tracked object with a text description. OBJECT TRACKING mode description text The text string can be up to 80 characters. 4. (Optional) Display the tracking configuration and the tracked object’s status.
priority over a higher value. The resulting scaled value is compared against the configured threshold values to determine the state of a tracked route as follows: ○ If the scaled metric for a route entry is less than or equal to the UP threshold, the state of a route is UP. ○ If the scaled metric for a route is greater than or equal to the DOWN threshold or the route is not entered in the routing table, the state of a route is DOWN. The UP and DOWN thresholds are user-configurable for each tracked route.
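The threshold rules above, together with the up/down delay timers described earlier, form a small state machine; the following Python model is an added example, not Dell's code, written so the flap-suppression behaviour can be checked offline before a VRRP client is tied to a tracked route. It implements the page's stated rules (UP at or below the UP threshold, DOWN at or above the DOWN threshold or when the route is absent, notification only after the delay elapses without the state reverting). Two things are assumptions of the example rather than statements from the page: a metric that falls between the two thresholds is treated as no new evidence and leaves the current state alone, and time is a caller-supplied timestamp in seconds rather than the system clock. The timeline in demo() is constructed.

```python
"""Model of route-metric object tracking with UP/DOWN thresholds and delays.

Added example, not Dell's code. Reproduces the threshold and delay rules
stated on the page; the in-band behaviour and the explicit clock are
assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

UP, DOWN = "UP", "DOWN"


@dataclass
class TrackedRoute:
    object_id: int
    up_threshold: int           # scaled metric <= this -> UP
    down_threshold: int         # scaled metric >= this (or route missing) -> DOWN
    delay_up: float = 0.0       # seconds before an UP change is reported (0 = at once)
    delay_down: float = 0.0
    state: str = DOWN           # state currently reported to clients (e.g. VRRP)
    notifications: List[Tuple[float, str]] = field(default_factory=list)
    _pending: Optional[Tuple[str, float]] = field(default=None, repr=False)

    def __post_init__(self):
        if not self.up_threshold < self.down_threshold:
            raise ValueError("UP threshold must be below DOWN threshold")

    def evaluate(self, scaled_metric: Optional[int], now: float) -> str:
        """Feed one routing-table sample; None means the route is not in the table."""
        if scaled_metric is None or scaled_metric >= self.down_threshold:
            target = DOWN
        elif scaled_metric <= self.up_threshold:
            target = UP
        else:
            target = None                         # inside the band: no new evidence (assumption)
        if target is not None:
            if target == self.state:
                self._pending = None              # reverted before the timer fired: cancel it
            elif self._pending is None or self._pending[0] != target:
                self._pending = (target, now)     # start the delay timer
        return self.tick(now)

    def tick(self, now: float) -> str:
        """Advance time without a new sample; fires a delay timer that is due."""
        if self._pending is not None:
            new_state, started = self._pending
            delay = self.delay_up if new_state == UP else self.delay_down
            if now - started >= delay:
                self.state = new_state
                self._pending = None
                self.notifications.append((now, new_state))
        return self.state


def demo() -> List[Tuple[float, str]]:
    """Constructed timeline: the route goes DOWN at t=10 and recovers at t=11,
    shorter than the 3 s down delay, so the client must not be told."""
    route = TrackedRoute(object_id=4, up_threshold=200, down_threshold=250,
                         delay_up=5, delay_down=3)
    for t, metric in [(0, 100), (5, 100), (10, 255), (11, 150), (20, None)]:
        route.evaluate(metric, t)
    route.tick(23)             # down delay expires with the route still missing
    route.evaluate(220, 30)    # in-band metric: reported state stays DOWN
    return route.notifications


if __name__ == "__main__":
    for when, state in demo():
        print(f"t={when}s -> client notified: {state}")
```

With the delays set to 0 the first qualifying sample is reported immediately, which is the configuration the page describes as the default; the demo shows why a non-zero down delay is worth configuring before letting VRRP preempt on a route whose metric flaps.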
2 changes, last change 00:02:49
Tracked by:
DellEMC#configure
DellEMC(conf)#track 4 ip route 3.1.1.
2. Configure object tracking on the metric of an IPv4 or IPv6 route. CONFIGURATION mode track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} metric threshold [vrf vrf-name] Valid object IDs are from 1 to 500. Enter an IPv4 address in dotted decimal format. Valid IPv4 prefix lengths are from /0 to /32. Enter an IPv6 address in X:X:X:X::X format. Valid IPv6 prefix lengths are from /0 to /128. (Optional) E-Series only: For an IPv4 route, you can enter a VRF name. 3.
● Display the configuration and status of currently tracked Layer 2 or Layer 3 interfaces, IPv4 or IPv6 routes, and a VRF instance. show track [object-id [brief] | interface [brief] [vrf vrf-name] | ip route [brief] [vrf vrf-name] | resolution | vrf vrf-name [brief] | brief] ● Use the show running-config track command to display the tracking configuration of a specified object or all objects that are currently configured on the router.
Example of Viewing Object Tracking Configuration
DellEMC#show running-config track
track 1 ip route 23.0.0.0/8 reachability
track 2 ipv6 route 2040::/64 metric threshold
 delay down 3
 delay up 5
 threshold metric up 200
track 3 ipv6 route 2050::/64 reachability
track 4 interface GigabitEthernet 1/4 ip routing
track 5 ip route 192.168.0.
33 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell EMC Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell EMC Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 90. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers. NOTE: If you configure two non-backbone areas, then you must enable the B bit in OSPF.
Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
● Type 3: Summary LSA (OSPFv2), Inter-Area-Prefix LSA (OSPFv3) — An ABR takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to. The link-state ID of the Type 3 LSA is the destination network number. ● Type 4: AS Border Router Summary LSA (OSPFv2), Inter-Area-Router LSA (OSPFv3) — In some cases, Type 5 External LSAs are flooded to areas where the detailed next-hop information may not be available.
Figure 92. Priority and Cost Examples OSPF with Dell EMC Networking OS The Dell EMC Networking OS supports up to 16,000 OSPF routes for OSPFv2. Dell EMC Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell EMC Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell EMC Networking OS supports only one OSPFv3 process per VRF. OSPFv2 and OSPFv3 can co-exist but you must configure them individually.
OSPF graceful restart relies on the fact that, in a modern router, the control plane and the data plane are separate: restarting the control plane (for example, failing over from the active RPM to the backup in a redundant configuration) does not necessarily have to interrupt the forwarding of data packets.
Multi-Process OSPFv2 with VRF Multi-process OSPF with VRF is supported on the Dell EMC Networking OS. Only one OSPFv2 process per VRF is supported. Multi-process OSPF allows multiple OSPFv2 processes on a single router. Multiple OSPFv2 processes allow for isolating routing domains, supporting multiple route policies and priorities in different domains, and creating smaller domains for easier management. Each OSPFv2 process has a unique process ID and must have an associated router ID.
Adjacent with neighbor 1.1.1.1 (Backup Designated Router)
DellEMC(conf-if-gi-2/2)#
Configuration Information
The interfaces must be in Layer 3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, assign them to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode.
For a complete list of the OSPF commands, refer to the OSPF section in the Dell EMC Networking OS Command Line Reference Guide document.
Enabling OSPFv2
To enable Layer 3 routing, assign an IP address to an interface (physical or Loopback). By default, OSPF, like all routing protocols, is disabled. You must configure at least one interface for Layer 3 before enabling OSPFv2 globally. If implementing multi-process OSPF, create an equal number of Layer 3 enabled interfaces and OSPF process IDs.
show ip ospf process-id
DellEMC#show ip ospf 55555
Routing Process ospf 55555 with ID 10.10.10.10
Supports only single TOS (TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Number of area in this router is 0, normal 0 stub 0 nssa 0
DellEMC#
Assigning an OSPFv2 Area
After you enable OSPFv2, assign the interface to an OSPF area. Set up OSPF areas and enable OSPFv2 on an interface with the network command. You must have at least one AS area: Area 0. This is the backbone area.
To view the configuration, use the show config command in CONFIGURATION ROUTER OSPF mode. OSPF, by default, sends hello packets out to all physical interfaces assigned an IP address that is a subset of a network on which OSPF is enabled. To view currently active interfaces and the areas assigned to them, use the show ip ospf interface command.
Example of Viewing Active Interfaces and Assigned Areas
DellEMC>show ip ospf 1 interface
GigabitEthernet 1/17 is up, line protocol is up
Internet Address 10.2.2.
show ip ospf process-id [vrf] database database-summary
2. Enter CONFIGURATION mode.
EXEC Privilege mode
configure
3. Enter ROUTER OSPF mode.
CONFIGURATION mode
router ospf process-id [vrf]
Process ID is the ID assigned when configuring OSPFv2 globally.
4. Configure the area as a stub area.
CONFIG-ROUTER-OSPF-id mode
area area-id stub [no-summary]
Use the keyword no-summary to prevent transmission into the area of summary ASBR LSAs. Area ID is the number or IP address assigned when creating the area.
Internet Address 10.1.2.100/24, Area 1.1.1.1
Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DOWN, Priority 1
Designated Router (ID) 10.1.2.100, Interface address 0.0.0.0
Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.0
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 13:39:46
Neighbor Count is 0, Adjacent neighbor count is 0
GigabitEthernet 2/1 is up, line protocol is down
Internet Address 10.1.3.
Routing Process ospf 1 with ID 192.168.67.2
Supports only single TOS (TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Convergence Level 0
Min LSA origination 5 secs, Min LSA arrival 1 secs
Number of area in this router is 0, normal 0 stub 0 nssa 0
DellEMC#
Changing OSPFv2 Parameters on Interfaces
In Dell EMC Networking OS, you can modify the OSPF settings on the interfaces. Some interface parameter values must be consistent across all interfaces to avoid routing errors.
The retransmit interval must be the same on all routers in the OSPF network.
● Change the wait period between link state update packets sent out the interface.
CONFIG-INTERFACE mode
ip ospf transmit-delay seconds
○ seconds: the range is from 1 to 65535 (the default is 1 second).
The transmit delay must be the same on all routers in the OSPF network.
To view interface configurations, use the show config command in CONFIGURATION INTERFACE mode.
● grace period — the length of time the graceful restart process can last before OSPF terminates it.
● helper-reject neighbors — the router ID of each restarting router that does not receive assistance from the configured router.
● mode — the situation or situations that trigger a graceful restart.
● role — the role or roles the configured router can perform.
NOTE: By default, OSPFv2 graceful restart is disabled.
To enable and configure OSPFv2 graceful restart, use the following commands.
1.
Creating Filter Routes
To filter routes, use prefix lists. OSPF applies prefix lists to incoming or outgoing routes. Incoming routes must meet the conditions of the prefix lists. If they do not, OSPF does not add the route to the routing table. Configure the prefix list in CONFIGURATION PREFIX LIST mode before assigning it to the OSPF process.
● Create a prefix list and assign it a unique name.
CONFIGURATION mode
ip prefix-list prefix-name
You are in PREFIX LIST mode.
router ospf 34
network 10.1.2.32 0.0.0.255 area 2.2.2.2
network 10.1.3.24 0.0.0.255 area 3.3.3.3
distribute-list dilling in
DellEMC(conf-router_ospf)#
Troubleshooting OSPFv2
Use the information in this section to troubleshoot OSPFv2 operation on the switch. Be sure to check the following, as these questions represent typical issues that interrupt an OSPFv2 process.
NOTE: The following tasks are not comprehensive; they provide some examples of typical troubleshooting checks.
○ database-timers rate-limit: view the LSAs currently in the queue.
DellEMC#show run ospf
!
router ospf 4
router-id 4.4.4.4
network 4.4.4.0/28 area 1
!
ipv6 router ospf 999
default-information originate always
router-id 10.10.10.10
DellEMC#
Sample Configurations for OSPFv2
The following configurations are examples for enabling OSPFv2. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations.
ip address 192.168.10.100/24
no shutdown
OSPF Area 0 — Te 3/1 and 3/2
router ospf 33333
network 192.168.20.0/24 area 0
network 10.1.1.0/24 area 0
network 10.2.13.0/24 area 0
!
interface Loopback 30
ip address 192.168.20.100/24
no shutdown
!
interface GigabitEthernet 3/1
ip address 10.1.1.2/24
no shutdown
!
interface GigabitEthernet 3/2
ip address 10.2.13.3/24
no shutdown
OSPF Area 0 — Te 2/1 and 2/2
router ospf 22222
network 192.168.30.0/24 area 0
network 10.1.11.0/24 area 0
network 10.2.13.
3. No-summary – To act as a totally stubby area — An NSSA area can be converted into a totally stubby area to reduce the number of Type-3 LSAs. Once it is configured, the NSSA ABR injects Type-3 LSAs into the NSSA area for default routes. The remaining Type-3 LSAs are not allowed inside this area.
Configuration Task List for OSPFv3 (OSPF for IPv6)
This section describes the configuration tasks for Open Shortest Path First version 3 (OSPF for IPv6) on the switch.
INTERFACE mode
ipv6 ospf interface-cost
○ interface-cost: the range is from 1 to 65535. The default cost is based on the bandwidth.
● Specify how the OSPF interface cost is calculated based on the reference bandwidth method. The cost of an interface is calculated as Reference Bandwidth / Interface speed.
ROUTER OSPFv3
auto-cost [reference-bandwidth ref-bw]
To return to the default bandwidth or to assign cost based on the interface type, use the no auto-cost [reference-bandwidth ref-bw] command.
router-id {number}
○ number: the IPv4 address. The format is A.B.C.D.
NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address.
● Disable OSPF.
CONFIGURATION mode
no ipv6 router ospf process-id
● Reset the OSPFv3 process.
EXEC Privilege mode
clear ipv6 ospf process
Assigning OSPFv3 Process ID and Router ID to a VRF
To assign, disable, or reset OSPFv3 on a non-default VRF, use the following commands.
● Enable the OSPFv3 process on a non-default VRF and enter OSPFv3 mode.
● Specify whether some or all of the interfaces are passive.
CONF-IPV6-ROUTER-OSPF mode
passive-interface {interface-type}
Interface: identifies the specific interface that is passive.
○ For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
○ For a port channel interface, enter the keywords port-channel then a number.
By default, OSPFv3 graceful restart is disabled and functions only in a helper role to help restarting neighbor routers in their graceful restarts when it receives a Grace LSA. To enable OSPFv3 graceful restart, enter the ipv6 router ospf process-id command to enter OSPFv3 configuration mode. Then configure a grace period using the graceful-restart grace-period command. The grace period is the time that the OSPFv3 neighbors continue to advertise the restarting router as though it is fully adjacent.
The following example shows the show run ospf command.
DellEMC#show run ospf
!
router ospf 1
router-id 200.1.1.1
log-adjacency-changes
graceful-restart grace-period 180
network 20.1.1.0/24 area 0
network 30.1.1.0/24 area 0
!
ipv6 router ospf 1
log-adjacency-changes
graceful-restart grace-period 180
The following example shows the show ipv6 ospf database database-summary command.
DellEMC#show ipv6 ospf database database-summary
!
OSPFv3 Router with ID (200.1.1.
IPsec is a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer. IPsec supports two encryption modes: transport and tunnel.
● Transport mode — encrypts only the data portion (payload) of each packet, but leaves the header untouched.
● Tunnel mode — is more secure and encrypts both the header and payload. On the receiving side, an IPsec-compliant device decrypts each packet.
NOTE: To encrypt all keys on a router, use the service password-encryption command in Global Configuration mode. However, this command does not provide a high level of network security. To enable key encryption in an IPsec security policy at an interface or area level, specify 7 for [key-encryption-type] when you enter the ipv6 ospf authentication ipsec or ipv6 ospf encryption ipsec command.
● Enable IPsec encryption for OSPFv3 packets on an IPv6-based interface.
INTERFACE mode
ipv6 ospf encryption {null | ipsec spi number esp encryption-algorithm [key-encryption-type] key authentication-algorithm [key-authentication-type] key}
○ null: causes an encryption policy configured for the area to not be inherited on the interface.
○ ipsec spi number: is the security policy index (SPI) value. The range is from 256 to 4294967295.
no area area-id authentication ipsec spi number
● Display the configuration of IPsec authentication policies on the router.
show crypto ipsec policy
Configuring IPsec Encryption for an OSPFv3 Area
To configure, remove, or display IPsec encryption in an OSPFv3 area, use the following commands.
Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
● Display security associations set up for OSPFv3 links in IPsec authentication and encryption policies on the router.
EXEC Privilege
show crypto ipsec sa ipv6 [interface interface]
To display information on the SAs used on a specific interface, enter interface interface, where interface is one of the following values:
○ For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
STATUS : ACTIVE
outbound ah sas
spi : 500 (0x1f4)
transform : ah-md5-hmac
in use settings : {Transport, }
replay detection support : N
STATUS : ACTIVE
inbound esp sas
outbound esp sas
Interface: GigabitEthernet 1/2
Link Local address: fe80::201:e8ff:fe40:4d11
IPSecv6 policy name: OSPFv3-1-600
inbound ah sas
outbound ah sas
inbound esp sas
spi : 600 (0x258)
transform : esp-des esp-sha1-hmac
in use settings : {Transport, }
replay detection support : N
STATUS : ACTIVE
outbound esp sas
spi : 600 (0x258)
transfo
show ipv6 route [vrf vrf-name] summary
● View the summary information for the OSPFv3 database.
EXEC Privilege mode
show ipv6 ospf [vrf vrf-name] database
● View the configuration of OSPFv3 neighbors.
EXEC Privilege mode
show ipv6 ospf [vrf vrf-name] neighbor
● View debug messages for all OSPFv3 interfaces.
34 Policy-based Routing (PBR)
Policy-based routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
Topics:
• Overview
• Implementing PBR
• Configuration Task List for Policy-based Routing
• Sample Configuration
Overview
When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table.
● Destination IP address and mask
● Source port
● Destination port
● TCP Flags
After you apply a redirect-list to an interface, all traffic passing through it is subjected to the rules defined in the redirect-list. Traffic is forwarded based on the following:
● Next-hop addresses are verified.
● If the specified next hop is reachable, traffic is forwarded to the specified next-hop.
● If the specified next-hops are not reachable, the normal routing table is used to forward the traffic.
In the following example, the permit statement is never applied, because the preceding redirect entry covers all source and destination IP addresses.
ip redirect-list rcl0
seq 5 redirect 2.2.2.2 ip any any
seq 10 permit ip host 3.3.3.3 any
To ensure the permit statement or PBR exception is effective, give it a lower sequence number, as shown:
ip redirect-list rcl0
seq 10 permit ip host 3.3.3.3 any
seq 15 redirect 2.2.2.2 ip any any
Create a Redirect List
To create a redirect list, use the following commands.
● IP address of the next-hop router in the forwarding route
● IP protocol number
● Source address with mask information
● Destination address with mask information
Example: Creating a Rule
DellEMC(conf-redirect-list)#redirect ?
A.B.C.D    Forwarding router's address
DellEMC(conf-redirect-list)#redirect 3.3.3.3 ?
<0-255>    An IP protocol number
icmp       Internet Control Message Protocol
ip         Any Internet Protocol
tcp        Transmission Control Protocol
udp        User Datagram Protocol
DellEMC(conf-redirect-list)#redirect 3.3.3.
Apply a Redirect-list to an Interface using a Redirect-group
IP redirect lists are supported on physical interfaces as well as virtual local area network (VLAN) and port-channel interfaces.
NOTE: When you apply a redirect-list on a port-channel, if traffic is redirected to the next hop and the destination port-channel is shut down, the traffic is dropped. However, the traffic redirected to the destination port-channel is sometimes switched.
Gi 1/32)
seq 15 redirect tunnel 2 udp 155.55.0.0/16 host 144.144.144.144, Track 1 [up], Nexthop reachable (via Gi 1/32)
seq 35 redirect 155.1.1.2 track 5 ip 7.7.7.0/24 8.8.8.0/24, Track 5 [up], Next-hop reachable (via Po 5)
seq 30 redirect 155.1.1.2 track 6 icmp host 8.8.8.8 any, Track 5 [up], Next-hop reachable (via Po 5)
seq 35 redirect 42.1.1.2 icmp host 8.8.8.8 any, Next-hop reachable (via Vl 20)
seq 40 redirect 43.1.1.2 tcp 155.55.2.0/24 222.22.2.0/24, Next-hop reachable (via Vl 30)
seq 45 redirect 31.
● seq 15 permit ip any
Create the Redirect-List GOLD
Assign Redirect-List GOLD to Interface 2/11
View Redirect-List GOLD
Creating a PBR list using Explicit Track Objects for Redirect IPs
Create Track Objects to track the Redirect IPs:
DellEMC#configure terminal
DellEMC(conf)#track 3 ip host 42.1.1.2 reachability
DellEMC(conf-track-3)#probe icmp
DellEMC(conf-track-3)#track 4 ip host 43.1.1.
Verify the Status of the Track Objects (Up/Down):
DellEMC#show track brief
ResId  Resource                Parameter
1      Interface ip routing    Tunnel 1
2      Interface ipv6 routing  Tunnel 2
3      IP Host reachability    42.1.1.2/32
4      IP Host reachability    43.1.1.
DellEMC(conf)#track 2 interface tunnel 2 ipv6 routing
DellEMC(conf-track-2)#end
Verify the Status of the Track Objects (Up/Down):
DellEMC#show track brief
ResId  Resource                Parameter  State  LastChange
1      Interface ip routing    Tunnel 1   Up     00:00:00
2      Interface ipv6 routing  Tunnel 2   Up     00:00:00
DellEMC#
Create a Redirect-list with Track Objects pertaining to Tunnel Interfaces:
DellEMC#configure terminal
DellEMC(conf)#ip redirect-list explicit_tunnel
DellEMC(conf-redirect-list)#redirect tunnel 1 track
DellEMC(con
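The following is an added example, not Dell code: a Python model of how a redirect-list is evaluated as described in the sequence-number pitfall (rcl0) and in the track-object sections above. Entries are tried lowest sequence first, a matching permit is a PBR exception that falls back to the normal routing table, and a redirect whose tracked next hop is down also falls back. parse_rule, the packet dictionaries and the track-state dictionary are constructed for this example; the entry lines are the ones shown on this page.

```python
# Added example (not Dell code): first-match evaluation of a PBR redirect-list.
# Parses only the entry syntax shown on this page:
#   seq N redirect NEXTHOP [track T] PROTO SRC DST   |   seq N permit PROTO SRC DST
# where SRC/DST is "any", "host A.B.C.D" or A.B.C.D/len. Ports and TCP flags are not modelled.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                      # "redirect" or "permit"
    protocol: str                    # "ip", "tcp", "udp", "icmp" or a protocol number as text
    src: Optional[str]               # None means "any", otherwise CIDR
    dst: Optional[str]
    next_hop: Optional[str] = None   # "A.B.C.D" or "tunnel N"; None for permit
    track: Optional[int] = None      # track object id, None when untracked


def _take_addr(t: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume one address spec at t[i]; return (cidr_or_None, next_index)."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1] + "/32", i + 2
    return t[i], i + 1


def parse_rule(line: str) -> Rule:
    """Parse one redirect-list entry written the way this page's examples show it."""
    t = line.split()
    if len(t) < 3 or t[0] != "seq":
        raise ValueError("expected 'seq N <action> ...': " + line)
    seq, action, i = int(t[1]), t[2], 3
    next_hop = track = None
    if action == "redirect":
        if t[i] == "tunnel":                       # redirect tunnel N
            next_hop, i = "tunnel " + t[i + 1], i + 2
        else:                                      # redirect A.B.C.D
            next_hop, i = t[i], i + 1
        if t[i] == "track":
            track, i = int(t[i + 1]), i + 2
    elif action != "permit":
        raise ValueError("unknown action: " + action)
    protocol, i = t[i], i + 1
    src, i = _take_addr(t, i)
    dst, i = _take_addr(t, i)
    return Rule(seq, action, protocol, src, dst, next_hop, track)


def matches(rule: Rule, pkt: dict) -> bool:
    """True when the packet's protocol, source and destination satisfy the entry."""
    if rule.protocol != "ip" and rule.protocol != pkt["proto"]:
        return False
    for spec, addr in ((rule.src, pkt["src"]), (rule.dst, pkt["dst"])):
        if spec is not None and ip_address(addr) not in ip_network(spec, strict=False):
            return False
    return True


def forward(rules: List[Rule], track_state: Dict[int, bool], pkt: dict):
    """Return (decision, next_hop, matched_seq); decision is "redirect" or "routing-table".
    track_state maps track id -> True (up) / False (down); a tracked next hop with no
    recorded state counts as down, an untracked one as reachable (constructed simplification)."""
    for rule in sorted(rules, key=lambda r: r.seq):        # lowest sequence number wins
        if not matches(rule, pkt):
            continue
        if rule.action == "permit":                        # PBR exception: normal routing
            return "routing-table", None, rule.seq
        reachable = True if rule.track is None else track_state.get(rule.track, False)
        if reachable:
            return "redirect", rule.next_hop, rule.seq
        return "routing-table", None, rule.seq             # next hop down: fall back
    return "routing-table", None, None                     # nothing matched


def shadowed_permits(rules: List[Rule]) -> List[int]:
    """Permit entries that can never match because a lower 'redirect ... ip any any' precedes them."""
    shadowed, catch_all_seen = [], False
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.action == "permit" and catch_all_seen:
            shadowed.append(rule.seq)
        if rule.action == "redirect" and rule.protocol == "ip" and rule.src is None and rule.dst is None:
            catch_all_seen = True
    return shadowed


if __name__ == "__main__":
    bad = [parse_rule("seq 5 redirect 2.2.2.2 ip any any"), parse_rule("seq 10 permit ip host 3.3.3.3 any")]
    good = [parse_rule("seq 10 permit ip host 3.3.3.3 any"), parse_rule("seq 15 redirect 2.2.2.2 ip any any")]
    pkt = {"proto": "tcp", "src": "3.3.3.3", "dst": "10.0.0.1"}      # constructed packet
    print("bad order :", forward(bad, {}, pkt), "shadowed permits:", shadowed_permits(bad))
    print("good order:", forward(good, {}, pkt))
    tracked = [parse_rule("seq 35 redirect 155.1.1.2 track 5 ip 7.7.7.0/24 8.8.8.0/24")]
    pkt2 = {"proto": "udp", "src": "7.7.7.9", "dst": "8.8.8.8"}
    print("track up  :", forward(tracked, {5: True}, pkt2), " track down:", forward(tracked, {5: False}, pkt2))
```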
35 PIM Sparse-Mode (PIM-SM)
Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM dense mode, which forwards multicast traffic to all subnets until it receives a request to stop.
2. The last-hop DR sends a PIM Join message to the RP. All routers along the way, including the RP, create a (*,G) entry in their multicast routing table, and the interface on which the message was received becomes the outgoing interface associated with the (*,G) entry. This process constructs an RPT branch to the RP.
3. If a host on the same subnet as another multicast receiver sends an IGMP report for the same multicast group, the gateway takes no action.
3. Enable PIM-SM on an interface.
Enable multicast routing.
CONFIGURATION mode
{ip | ipv6} multicast-routing [vrf vrf-name]
Related Configuration Tasks
The following are related PIM-SM configuration tasks.
● Configuring S,G Expiry Timers
● Configuring a Static Rendezvous Point
● Configuring a Designated Router
● Creating Multicast Boundaries and Domains
Enable PIM-SM
You must enable PIM-SM on each participating interface.
1. Enable IPv4 or IPv6 multicast routing on the system.
Following is an example of show ip pim neighbor command output:
DellEMC#show
Neighbor Address
127.87.5.5
127.87.3.5
127.87.50.
Configuring S,G Expiry Timers
You can configure a global expiry time (for all [S,G] entries). By default, [S,G] entries expire in 210 seconds. When you create, delete, or update an expiry time, the changes are applied when the keepalive timer refreshes. To configure a global expiry time, use the following command.
Enable the global expiry timer for S,G entries.
CONFIGURATION mode
{ip | ipv6} pim sparse-mode sg-expiry-timer seconds
The range is from 211 to 86,400 seconds. The default is 210.
Overriding Bootstrap Router Updates
PIM-SM routers must know the address of the RP for each group for which they have a (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group. If you do not use the override option with the following command, the RPs advertised in the BSR updates take precedence over any statically configured RPs.
INTERFACE mode
{ip | ipv6} pim query-interval seconds
● Display the current values of these parameters.
Creating Multicast Boundaries and Domains
A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet. Create multicast boundaries and domains by filtering inbound and outbound bootstrap router (BSR) messages per interface. The following command is applied to the subsequent inbound and outbound updates.
show ip pim bsr-router
Example:
DellEMC# show ip pim bsr-router
PIMv2 Bootstrap information
This system is the Bootstrap Router (v2)
BSR address: 7.7.7.7 (?)
BSR Priority: 0, Hash mask length: 30
Next bootstrap message in 00:00:08
This system is a candidate BSR
Candidate BSR address: 7.7.7.
36 PIM Source-Specific Mode (PIM-SSM)
PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Related Configuration Tasks
● Use PIM-SSM with IGMP Version 2 Hosts
Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1. Create an ACL that uses permit rules to specify what range of addresses should use SSM.
CONFIGURATION mode
ip access-list standard name
2. Enter the ip pim ssm-range command and specify the ACL you created.
CONFIGURATION mode
ip pim ssm-range acl-name
To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.
Configuring PIM-SSM with IGMPv2
R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4
ip pim ssm-range ssm
R1(conf)#do show run acl
!
ip access-list standard map
seq 5 permit host 239.0.0.2
!
ip access-list standard ssm
seq 5 permit host 239.0.0.2
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address    Interface    Mode    Uptime    Expires
239.0.0.
1. C-BSRs flood their candidacy throughout the domain in a BSM. Each message contains a BSR priority value, and the C-BSR with the highest priority value becomes the BSR.
2. Each C-RP unicasts periodic Candidate-RP-Advertisements to the BSR. Each message contains an RP priority value and the group ranges for which it is a C-RP.
3. The BSR collects the most efficient group-to-RP mappings and periodically sends them to all PIM routers in the network.
4.
Enabling RP to Serve Specific Multicast Groups
When you configure an RP candidate, its advertisement is sent for the entire multicast address range and the group-to-RP mapping is advertised for the entire range of multicast addresses. Starting with Dell EMC Networking OS 9.11.0.0, you can configure an RP candidate for a specified range of multicast group addresses. The configured multicast group ranges are used by the BSR protocol to advertise the candidate RPs in the bootstrap messages.
37 Port Monitoring
Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. Mirroring is used for monitoring ingress, egress, or both ingress and egress traffic on specific ports. This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
Port Monitoring
Port monitoring is supported on both physical and logical interfaces, such as VLAN and port-channel interfaces. The source port (MD) with monitored traffic and the destination ports (MG) to which an analyzer can be attached must be on the same switch. You can configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session. The platform supports multiple source-destination statements in a single monitor session.
------ ------------------- ------ -------------0 Te 1/50 Te 1/51 N/A N/A No N/A N/A 1 Gi 1/45 Gi 1/46 N/A N/A No N/A N/A 2 NONE NONE N/A N/A No N/A N/A 300 Gi 1/17 Gi 1/4 N/A N/A No N/A N/A DellEMC(conf-mon-sess-300)# -------rx yes tx yes N/A No tx No ---- --------- -------- Port N/A N/A Port N/A N/A N/A N/A N/A Port N/A N/A
Example of Viewing a Monitoring Session
In the example below, 0/25 and 0/26 belong to Port-pipe 1.
Configuring Port Monitoring
To configure port monitoring, use the following commands.
1. Verify that the intended monitoring port has no configuration other than no shutdown, as shown in the following example.
EXEC Privilege mode
show interface
2. Create a monitoring session using the command monitor session from CONFIGURATION mode, as shown in the following example.
CONFIGURATION mode
monitor session
monitor session type rpm/erpm
type is an optional keyword, required only for rpm and erpm.
3.
NOTE: Source as VLAN is achieved through flow-based mirroring. Refer to the section Enabling Flow-Based Monitoring.
In the following example, the host and server are exchanging traffic which passes through the uplink interface 1/1. Port 1/1 is the monitored port and port 1/42 is the destination port, which is configured to only monitor traffic received on gigabitethernet 1/1 (host-originated traffic).
Figure 94.
Enabling Flow-Based Monitoring
Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 3 ingress traffic. You can specify traffic using standard or extended access-lists.
NOTE: Flow-based monitoring is supported for known unicast egress traffic.
1. Create a monitoring session.
CONFIGURATION mode
monitor session session-id
2.
--------- ------ ----------- --------- ------- ----------- --------0 Gi 1/1 Te 1/2 rx interface No N/A N/A yes --------0.0.0.0 -------0.0.0.
Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
● Maximum number of destination sessions supported on a switch: 64
● Maximum number of ports supported in a destination session: 64
● You can configure any port as a destination port.
● You can configure additional destination ports in an active session.
● You can tunnel the mirrored traffic from multiple remote-port source sessions to the same destination port.
● By default, the destination port sends the mirrored traffic to the probe port after stripping off the RPM header.
R  100  Active  T Te 1/49
R  300  Active  T Te 1/50
Configuration procedure for Remote Port Mirroring
To configure remote port mirroring, you must configure:
1. A reserved VLAN used to transport mirrored packets on source, intermediate, and destination switches
2. A source session that consists of multiple source ports, port channels, and VLANs which are associated with the dedicated VLAN and located on different source switches
3.
flow-based enable
Configuring a destination session
Following are the steps for configuring a destination session on a switch. You can repeat these steps on other destination switches to configure additional destination ports for this RPM session.
1. Configure the destination session for RPM.
CONFIGURATION mode
monitor session session-id
2. Associate the Layer 2 VLAN used to transport monitored traffic with this destination session.
The following configuration example shows that the source is a source port and the destination is the reserved VLAN (for example, remote-vlan 10).
DellEMC(conf-if-vl-100)#exit
DellEMC(conf)#
Configuring Remote Port Mirroring on an intermediate switch
Following is a sample configuration of RPM on an intermediate switch.
DellEMC(conf)#interface vlan 20
DellEMC(conf-if-vl-20)#mode remote-port-mirroring
DellEMC(conf-if-vl-20)#tagged gigabitethernet 1/4
DellEMC(conf-if-vl-20)#tagged gigabitethernet 1/5
DellEMC(conf-if-vl-20)#exit
Configuring Remote Port Mirroring on a destination switch
Following is a sample configuration of RPM on a destination switch.
Table 53. Configuration steps for ERPM (continued)
Step   Command                                Purpose
(3, continued)                                multiple source statements in an ERPM monitoring session
4      erpm source-ip dest-ip gre-protocol    Specify the source IP address, destination IP address, and GRE protocol type value to which encapsulated mirrored traffic is sent.
5      no flow-based enable                   ERPM to be performed on a flow-by-flow basis or if you configure a VLAN source interface. Enter the no flow-based command to disable flow-based ERPM.
ERPM Behavior on a typical Dell EMC Networking OS
The Dell EMC Networking OS is designed to support only the encapsulation of the data received or transmitted at the specified source port (Port A). An ERPM destination session or decapsulation of the ERPM packets at the destination switch is not supported.
Figure 97.
○ Either use a Linux server's Ethernet port IP address as the ERPM destination IP, or connect the ingress interface of the server to the ERPM MirrorToPort. The analyzer should listen on the forward/egress interface. If there is only one interface, you can choose the ingress and forward interface to be the same and listen in the tx direction of the interface.
○ Download or write a small script (for example, erpm.py) that strips the given ERPM packet starting from the bit where the GRE header ends.
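The erpm.py script mentioned in the last step is not reproduced on this page; the following is an added example (not Dell's script) of that stripping step in Python. It walks the outer Ethernet, IPv4 and GRE headers, honours the optional GRE checksum, key and sequence fields, and returns the mirrored frame that follows the GRE header. The sample packets and the GRE protocol value 0x88BE are constructed here; on a real capture compare the returned protocol type with the value configured by erpm source-ip dest-ip gre-protocol on the source switch.

```python
# Added example (not Dell's erpm.py): strip the outer Ethernet/IPv4/GRE headers from an
# ERPM packet and return the mirrored frame that follows the GRE header.
import struct
from typing import Optional, Tuple

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100
IPPROTO_GRE = 47
GRE_FLAG_CHECKSUM, GRE_FLAG_ROUTING, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x4000, 0x2000, 0x1000


def strip_erpm(packet: bytes) -> Tuple[int, bytes]:
    """Return (gre_protocol_type, inner_frame), or raise ValueError for anything that is not
    an IPv4/GRE frame. Ethernet trailer padding beyond the outer IP total length is dropped."""
    if len(packet) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype, off = struct.unpack_from("!H", packet, 12)[0], 14
    if ethertype == ETH_P_8021Q:                      # one 802.1Q tag on the outer frame
        ethertype, off = struct.unpack_from("!H", packet, 16)[0], 18
    if ethertype != ETH_P_IP:
        raise ValueError("outer frame is not IPv4 (ethertype 0x%04x)" % ethertype)
    if len(packet) < off + 20:
        raise ValueError("truncated outer IPv4 header")
    ver_ihl, proto = packet[off], packet[off + 9]
    total_len = struct.unpack_from("!H", packet, off + 2)[0]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("bad outer IPv4 header")
    if proto != IPPROTO_GRE:
        raise ValueError("outer IP protocol %d is not GRE (47)" % proto)
    ip_end = off + total_len
    if ip_end > len(packet) or ihl > total_len:
        raise ValueError("outer IPv4 length inconsistent with capture")
    off += ihl
    if off + 4 > ip_end:
        raise ValueError("truncated GRE header")
    flags, gre_proto = struct.unpack_from("!HH", packet, off)
    if flags & 0x0007 or flags & GRE_FLAG_ROUTING:    # only GRE version 0 without routing (RFC 2784/2890)
        raise ValueError("unsupported GRE version or routing field present")
    hdr_len = 4
    for flag in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ):   # each optional field is 4 bytes
        if flags & flag:
            hdr_len += 4
    off += hdr_len
    if off > ip_end:
        raise ValueError("truncated GRE optional fields")
    return gre_proto, packet[off:ip_end]


def build_sample_erpm_packet(inner_frame: bytes, key: Optional[int] = None, gre_proto: int = 0x88BE) -> bytes:
    """Constructed test input: inner_frame wrapped in GRE over IPv4 over Ethernet.
    gre_proto 0x88BE is an assumption; the IPv4 checksum is left zero and is not validated."""
    flags = GRE_FLAG_KEY if key is not None else 0
    gre = struct.pack("!HH", flags, gre_proto) + (struct.pack("!I", key) if key is not None else b"")
    payload = gre + inner_frame
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                       IPPROTO_GRE, 0, bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]))
    eth = bytes.fromhex("001122334455" "0066778899aa") + struct.pack("!H", ETH_P_IP)
    return eth + ipv4 + payload


# Constructed mirrored frame: Ethernet header + minimal IPv4 header + 8 bytes of ICMP-sized payload.
INNER_FRAME = (bytes.fromhex("deadbeef0001" "deadbeef0002" "0800")
               + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 1, 0,
                             bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
               + bytes(8))


if __name__ == "__main__":
    for label, pkt in (("plain GRE", build_sample_erpm_packet(INNER_FRAME)),
                       ("GRE with key", build_sample_erpm_packet(INNER_FRAME, key=0x1234))):
        proto, inner = strip_erpm(pkt)
        print("%-12s gre-protocol 0x%04x  outer %d bytes -> inner %d bytes" % (label, proto, len(pkt), len(inner)))
```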
VLT Fail-over Scenario
Consider a scenario where port monitoring is configured to mirror traffic on the source port or LAG of a VLT device to a destination port on another device on the network. A fail-over occurs when the primary VLT device fails, causing the secondary VLT device to take over. At the time of failover, the mirrored packets are dropped for some time. This time period is equivalent to the graceful VLT failover recovery time.
Table 54. RPM over VLT Scenarios (continued)
Scenario   RPM Restriction   Recommended Solution
(continued)                  device: source remote VLAN, destination orphan port.
Mirroring VLT LAG across VLT Peers — In this scenario, the VLT LAG on the primary VLT peer is mirrored to an orphan port on the secondary VLT peer through the ICL LAG. The packet analyzer is connected to the secondary VLT peer.   No restrictions apply to the RPM session.
38 Private VLANs (PVLAN)
The private VLAN (PVLAN) feature is supported on Dell EMC Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell EMC Networking OS Command Line Reference Guide. Private VLANs extend the Dell EMC Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
PVLAN port types include:
● Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports.
● Host port — in the context of a private VLAN, is a port in a secondary VLAN:
○ The port must first be assigned that role in INTERFACE mode.
○ A port assigned the host role cannot be added to a regular VLAN.
● Isolated port — a port that, in Layer 2, can only communicate with promiscuous ports that are in the same PVLAN.
Configuration Task List
The following sections contain the procedures that configure a private VLAN.
● Creating PVLAN Ports
● Creating a Primary VLAN
● Creating a Community VLAN
● Creating an Isolated VLAN
Creating PVLAN ports
PVLAN ports are ports that will be assigned to the PVLAN.
1. Access INTERFACE mode for the port that you want to assign to a PVLAN.
CONFIGURATION mode
interface interface
2. Enable the port.
INTERFACE mode
no shutdown
3. Set the port in Layer 2 mode.
INTERFACE mode
switchport
4.
CONFIGURATION mode
interface vlan vlan-id
2. Enable the VLAN.
INTERFACE VLAN mode
no shutdown
3. Set the PVLAN mode of the selected VLAN to primary.
INTERFACE VLAN mode
private-vlan mode primary
4. Map secondary VLANs to the selected primary VLAN.
INTERFACE VLAN mode
private-vlan mapping secondary-vlan vlan-list
The list of secondary VLANs can be:
● Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
● Specified with this command even before they have been created.
You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add host (isolated) ports to the VLAN.
Creating an Isolated VLAN
An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN.
1. Access INTERFACE VLAN mode for the VLAN that you want to make an isolated VLAN.
CONFIGURATION mode
interface vlan vlan-id
2. Enable the VLAN.
Private VLAN Configuration Example
The following example shows a private VLAN topology.
Figure 98. Sample Private VLAN Topology
The following configuration is based on the example diagram for the Z9500:
● Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000.
● Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
● Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
● The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500. ● For transmission between switches, tagged packets originating from host PVLAN ports in one secondary VLAN and destined for host PVLAN ports in the other switch travel through the promiscuous ports in the local VLAN 4000 and then through the trunk ports (1/25 in each switch). Inspecting the Private VLAN Configuration The standard methods of inspecting configurations also apply in PVLANs.
G - GVRP tagged, M - Vlan-stack
    NUM    Status    Description                Q Ports
*   1      Inactive
    100    Inactive
P   200    Inactive  primary VLAN in PVLAN      T Gi 1/19-20
I   201    Inactive  isolated VLAN in VLAN 200  T Gi 1/21
The following example shows viewing a private VLAN configuration.
39 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Figure 99. Per-VLAN Spanning Tree
The Dell EMC Networking OS supports three other variations of spanning tree, as shown in the following table.
Table 55. Spanning Tree Variations Dell EMC Networking OS Supports
Dell EMC Networking Term                  IEEE Specification
Spanning Tree Protocol (STP)              802.1d
Rapid Spanning Tree Protocol (RSTP)       802.1w
Multiple Spanning Tree Protocol (MSTP)    802.
Configure Per-VLAN Spanning Tree Plus
Configuring PVST+ is a four-step process.
1. Configure interfaces for Layer 2.
2. Place the interfaces in VLANs.
3. Enable PVST+.
4. Optionally, for load balancing, select a nondefault bridge-priority for a VLAN.
Influencing PVST+ Root Selection As shown in the previous per-VLAN spanning tree illustration, all VLANs use the same forwarding topology because R2 is elected the root, and all TenGigabitEthernet ports have the same cost. The following per-VLAN spanning tree illustration changes the bridge priority of each bridge so that a different forwarding topology is generated for each VLAN. This behavior demonstrates how you can use PVST+ to achieve load balancing. Figure 100.
Current root has priority 4096, Address 0001.e80d.b6d6
Number of topology changes 5, last change occurred 00:34:37 ago on Gi 1/32
Port 375 (GigabitEthernet 1/22) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.375
Designated root has priority 4096, address 0001.e80d.b6d6
Designated bridge has priority 4096, address 0001.e80d.b6d6
Designated port id is 128.
● Port priority — influences the likelihood that a port is selected to be a forwarding port in case several ports have the same port cost. The following table lists the default values for port cost by interface. Table 56.
CAUTION: Configure EdgePort only on links connecting to an end station. EdgePort can cause loops if you enable it on an interface connected to a network. To enable EdgePort on an interface, use the following command. ● Enable EdgePort on an interface. INTERFACE mode spanning-tree pvst edge-port [bpduguard | shutdown-on-violation] The EdgePort status of each interface is given in the output of the show spanning-tree pvst command, as previously shown.
Figure 101. PVST+ with Extend System ID ● Augment the bridge ID with the VLAN ID. PROTOCOL PVST mode extend system-id DellEMC(conf-pvst)#do show spanning-tree pvst vlan 5 brief VLAN 5 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.73f7 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
 no shutdown
!
interface Vlan 300
 no ip address
 tagged GigabitEthernet 1/22,32
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096

Example of PVST+ Configuration (R2)

interface GigabitEthernet 2/12
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 2/32
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged GigabitEthernet 2/12,32
 no shutdown
!
interface Vlan 200
 no ip address
 tagged GigabitEthernet 2/12,32
 no shutdown
!
interface Vlan 300
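The root election that the load-balancing illustration relies on is a numeric comparison of bridge IDs, and with extend system-id the VLAN number is folded into the priority field (the 32773 shown above is 32768 + 5). The following added example, which is not from the Dell EMC guide, implements that comparison so you can predict which bridge becomes root for each VLAN before touching bridge-priority on a production switch. Bridge names, MAC addresses and per-VLAN priorities are constructed; the 0..61440 multiple-of-4096 range is assumed for a 4-bit priority field with extended system ID.

```python
"""Per-VLAN root election in PVST+ with the extended system ID (added example).

Bridge names, MAC addresses and priorities below are constructed; the
priority range check assumes a 4-bit priority field (multiples of 4096).
"""


def mac_to_int(mac: str) -> int:
    """Convert a dotted-hex MAC such as 0001.e832.73f7 to an integer."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def bridge_id(priority: int, vlan: int, mac: str) -> tuple:
    """Bridge ID as the tuple the election compares: (priority + sys-id-ext, MAC).

    With extend system-id the configured priority is augmented by the VLAN ID,
    which is why the configured value must be a multiple of 4096 (assumption:
    0..61440, the usual 4-bit priority field).
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return (priority + vlan, mac_to_int(mac))


def elect_root(bridges: dict, vlan: int) -> str:
    """Return the name of the bridge with the lowest bridge ID for this VLAN.

    bridges maps name -> (mac, {vlan: priority}); VLANs not listed use the
    default priority 32768. Ties on priority go to the lower MAC address.
    """
    return min(
        bridges,
        key=lambda n: bridge_id(bridges[n][1].get(vlan, 32768), vlan, bridges[n][0]),
    )


def roots_per_vlan(bridges: dict, vlans) -> dict:
    """Map each VLAN to its elected root bridge."""
    return {v: elect_root(bridges, v) for v in vlans}


# Constructed three-bridge topology mirroring the load-balancing idea above:
# each bridge gets priority 4096 for one VLAN and the default elsewhere.
BRIDGES = {
    "R1": ("0001.e80d.b6d6", {100: 4096}),
    "R2": ("0001.e832.73f7", {200: 4096}),
    "R3": ("0001.e8a0.0c11", {300: 4096}),
}

if __name__ == "__main__":
    for vlan, root in roots_per_vlan(BRIDGES, (100, 200, 300, 400)).items():
        print(f"VLAN {vlan}: root is {root}")
```

VLAN 400, which nobody has tuned, falls back to the lowest MAC address; that is the tie-break an attacker-introduced bridge with a low MAC and default priority would win, which is the reason to set explicit priorities (and BPDU guard on edge ports) rather than rely on defaults.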
40 Quality of Service (QoS) This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Table 57.
Table 57. Dell EMC Networking Operating System (OS) Support for Port-Based, Policy-Based Features (continued)
Feature                              Direction
Create Output Policy Maps            Egress
Specify an Aggregate QoS Policy      Egress
Create Output Policy Maps            Egress
Enabling QoS Rate Adjustment
Enabling Strict-Priority Queueing
Weighted Random Early Detection      Egress
Create WRED Profiles                 Egress
Figure 102.
• Guidelines for Configuring ECN for Classifying and Color-Marking Packets
• Applying Layer 2 Match Criteria on a Layer 3 Interface
• Applying DSCP and VLAN Match Criteria on a Service Queue
• Classifying Incoming Packets Using ECN and Color-Marking
• Guidelines for Configuring ECN for Classifying and Color-Marking Packets
• Sample configuration to mark non-ecn packets as "yellow" with Multiple traffic class
• Sample configuration to mark non-ecn packets as "yellow" with single traffic class
Implementatio
dot1p-priority DellEMC#configure terminal DellEMC(conf)#interface gigabitethernet 1/1 DellEMC(conf-if-gi-1/1)#switchport DellEMC(conf-if-gi-1/1)#dot1p-priority 1 DellEMC(conf-if-gi-1/1)#end Honoring dot1p Priorities on Ingress Traffic By default, Dell EMC Networking OS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel.
Traffic Monitor 0: normal 300 (50) peak 800 (50)
  Out of profile yellow 23386960 red 320605113
Traffic Monitor 1: normal NA peak NA
  Out of profile yellow 0 red 0
Traffic Monitor 2: normal NA peak NA
  Out of profile yellow 0 red 0
Traffic Monitor 3: normal NA peak NA
  Out of profile yellow 0 red 0
Traffic Monitor 4: normal NA peak NA
  Out of profile yellow 0 red 0
DellEMC#show interfaces gigabitEthernet 1/2 rate police
Rate police 300 (50) peak 800 (50)
Traffic Monitor 0: normal 300 (50) peak 800 (50)
  Out of pro
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 103. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell EMC Networking OS matches packets against match criteria in the order that you configure them.
class-map match-any 2. Create a match-all class map. CONFIGURATION mode class-map match-all 3. Specify your match criteria. CLASS MAP mode [seq sequence number] match {ip | ipv6 | ip-any} After you create a class-map, Dell EMC Networking OS places you in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL. NOTE: Within a class-map, the match rules are installed in the sequence number order. 4. Link the class-map to a queue.
3. Specify your match criteria. CLASS MAP mode [seq sequence number] match mac After you create a class-map, Dell EMC Networking OS places you in CLASS MAP mode. Match-any class maps allow up to five access-lists. Match-all class-maps allow only one. You can match against only one VLAN ID. 4. Link the class-map to a queue.
ip access-list extended AF1-FB1
 seq 5 permit ip host 23.64.0.2 any
 seq 10 deny ip any any
!
ip access-list extended AF1-FB2
 seq 5 permit ip host 23.64.0.3 any
 seq 10 deny ip any any
!
ip access-list extended AF2
 seq 5 permit ip host 23.64.0.5 any
 seq 10 deny ip any any

In the previous example, the ClassAF1 does not classify traffic as intended. Traffic matching the first match criteria is classified to Queue 1, but all other traffic is classified to Queue 0 as a result of CAM entry 20419.
Configuring Policy-Based Rate Policing To configure policy-based rate policing, use the following command. ● Configure rate police ingress traffic. QOS-POLICY-IN mode rate-police Setting a dot1p Value for Egress Packets To set a dot1p value for egress packets, use the following command. ● Set a dscp or dot1p value for egress packets. QOS-POLICY-IN mode set mac-dot1p Creating an Output QoS Policy To create an output QoS policy, use the following commands. 1. Create an output QoS policy.
Table 59. Default Bandwidth Weights (continued)
Queue   Default Bandwidth Percentage for 4-Queue System   Default Bandwidth Percentage for 8-Queue System
5       -                                                  10%
6       -                                                  25%
7       -                                                  50%
NOTE: The system supports 4 data queues. When you assign a percentage to one queue, note that this change also affects the amount of bandwidth that is allocated to other queues.
Applying an Input QoS Policy to an Input Policy Map To apply an input QoS policy to an input policy map, use the following command. ● Apply an input QoS policy to an input policy map. POLICY-MAP-IN mode policy-service-queue qos-policy Honoring DSCP Values on Ingress Packets Dell EMC Networking OS provides the ability to honor DSCP values on ingress packets using the Trust DSCP feature.
The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN. ● Enable the trust dot1p feature. POLICY-MAP-IN mode trust dot1p Mapping dot1p Values to Service Queues All traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Honoring dot1p Values on Ingress Packets.
Applying an Output Policy Map to an Interface 3. Apply the policy map to an interface. Applying an Output QoS Policy to a Queue To apply an output QoS policy to a queue, use the following command. ● Apply an output QoS policy to queues. INTERFACE mode service-queue Specifying an Aggregate QoS Policy To specify an aggregate QoS policy, use the following command. ● Specify an aggregate QoS policy.
● Each color map can only have one list of DSCP values for each color; any DSCP values previously listed for that color that are not in the new DSCP list are colored green. ● If you configured a DSCP color map on an interface that does not exist or you delete a DSCP color map that is configured on an interface, that interface uses an all green color policy. To create a DSCP color map: 1. Create the color-aware map QoS DSCP color map. CONFIGURATION mode qos dscp-color-map color-map-name 2.
detail: Displays detailed color policy information on an interface
interface: Enter the name of the interface that has the color policy configured.
Examples for Displaying a DSCP Color Policy
Display summary information about a color policy for one or more interfaces.
DellEMC# show qos dscp-color-policy summary
Interface   dscp-color-map
GI 1/10     mapONE
GI 1/11     mapTWO
Display summary information about a color policy for a specific interface.
Enabling Strict-Priority Queueing In strict-priority queuing, the system de-queues all packets from the assigned queue before servicing any other queues. You can assign strict-priority to one unicast queue, using the strict-priority command. ● Policy-based per-queue rate shaping is not supported on the queue configured for strict-priority queuing. To use queue-based rate shaping as well as strict-priority queuing at the same time on a queue, use the Scheduler Strict feature as described in Scheduler Strict.
Table 62. Pre-Defined WRED Profiles
Default Profile Name   Minimum Threshold   Maximum Threshold   Maximum Drop Rate
wred_drop              0                   0                   100
wred_teng_y            467                 4671                100
wred_teng_g            467                 4671                50
wred_fortyg_y          467                 4671                50
wred_fortyg_g          467                 4671                25
Creating WRED Profiles
To create WRED profiles, use the following commands.
1. Create a WRED profile. CONFIGURATION mode wred-profile
2. Specify the minimum and maximum threshold values.
Displaying WRED Drop Statistics To display WRED drop statistics, use the following command. ● Display the number of packets that the WRED profile drops.
● The estimated number of CAM entries the policy-map will consume. ● Whether or not the policy-map can be applied. ● The number of interfaces in a port-pipe to which the policy-map can be applied. Specifically: ● Available CAM — the available number of CAM entries in the specified CAM partition for the specified line card or stackunit port-pipe. ● Estimated CAM — the estimated number of CAM entries that the policy will consume when it is applied to an interface.
You can enable WRED and ECN capabilities per queue for granularity. You can disable this functionality per queue, and you can also specify the minimum and maximum buffer thresholds for each color-coding of the packets. You can configure the maximum drop rate percentage of yellow and green profiles. You can set up these parameters for both front-end and backplane ports. Global Service Pools With WRED and ECN Settings Support for global service pools is now available.
Configuring WRED and ECN Attributes The functionality to configure a weight factor for the WRED and ECN functionality for backplane ports is supported on the platform. WRED drops packets when the average queue length exceeds the configured threshold value to signify congestion. Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded.
● If a two-rate three-color policer is configured along with this feature, then: ○ x < CIR is marked "Green" ○ CIR < x < PIR is marked "Yellow" ○ PIR < x is marked "Red". However, "Green" packets matching the specific match criteria for which color-marking is configured are overwritten and marked "Yellow".
1. Rate Policing 2. Queuing 3. Marking For the L3 Routed packets, the DSCP marking is the only marking action supported in the software. As a part of this feature, the additional marking action to set the “color” of the traffic will be provided. Until Release 9.3(0.0), the software has the capability to qualify only on the 6-bit DSCP part of the ToS field in IPv4 Header. You can now accept and process incoming packets based on the 2-bit ECN part of the ToS field in addition to the DSCP categorization.
Sample configuration to mark non-ecn packets as "yellow" with single traffic class Consider the use case where packets with DSCP value 40 need to be enqueued in queue 2, packets with DSCP value 50 need to be enqueued in queue 3, and all packets with an ECN value of 0 must be marked "yellow". This requirement can be achieved using either of the two approaches.
service-queue 2 class-map class_dscp_40 service-queue 3 class-map class_dscp_50 Applying Layer 2 Match Criteria on a Layer 3 Interface To process Layer 3 packets that contain a dot1p (IEEE 802.1p) VLAN Layer 2 header, configure VLAN tags on a Layer 3 port interface which is configured with an IP address but has no VLAN associated with it. You can also configure a VLAN subinterface on the port interface and apply a policy map that classifies packets using the dot1p VLAN ID.
QOS-POLICY-IN mode Dell(conf-qos-policy-in)#set ip-dscp 5 6. Create an input policy map. CONFIGURATION mode Dell(conf)#policy-map-input pp_policmap 7. Create a service queue to associate the class map and QoS policy map.
Similar to ‘dscp’ qualifier in the existing L3 ACL command, the ‘ecn’ qualifier can be used along with all other supported ACL match qualifiers such as SIP/DIP/TCP/UDP/SRC PORT/DST PORT/ ICMP. Until Release 9.3(0.0), ACL supports classification based on the below TCP flags: ● ACK ● FIN ● SYN ● PSH ● RST ● URG You can now use the ‘ecn’ match qualifier along with the above TCP flag for classification.
○ RST ○ URG In the existing software, ECE/CWR TCP flag qualifiers are not supported. ● Because this functionality forcibly marks all the packets matching the specific match criteria as ‘yellow’, Dell EMC Networking OS does not support Policer based coloring and this feature concurrently.
!
ip access-list standard dscp_40_non_ecn
 seq 5 permit any dscp 40 ecn 0
!
class-map match-any class_dscp_40
 match ip access-group dscp_40_non_ecn set-color yellow
 match ip access-group dscp_40
!
class-map match-any class_dscp_50
 match ip access-group dscp_50_non_ecn set-color yellow
 match ip access-group dscp_50
!
policy-map-input pmap_dscp_40_50
 service-queue 2 class-map class_dscp_40
 service-queue 3 class-map class_dscp_50

Approach with explicit ECN match qualifiers for ECN packets:
!
ip access-list stan
41 Routing Information Protocol (RIP) The Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Table 64. RIP Defaults
Feature                  Default
Interfaces running RIP   Listen to RIPv1 and RIPv2; transmit RIPv1
RIP timers               update timer = 30 seconds; invalid timer = 180 seconds; holddown timer = 180 seconds; flush timer = 240 seconds
Auto summarization       Enabled
ECMP paths supported     16
Configuration Information
By default, RIP is disabled in Dell EMC Networking OS. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
The Dell EMC Networking OS default is to send RIPv1 and to receive RIPv1 and RIPv2. To change the RIP version globally, use the version command in ROUTER RIP mode. To view the global RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode. DellEMC(conf-router_rip)#show config ! router rip network 10.0.0.0 DellEMC(conf-router_rip)# When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
Controlling RIP Routing Updates By default, RIP broadcasts routing information out all enabled interfaces, but you can configure RIP to send or to block RIP routing information, either from a specific IP address or a specific interface. To control which devices or interfaces receive routing updates, configure a direct update to one router and configure interfaces to block RIP updates from other sources. To control the source of RIP route information, use the following commands.
○ map-name: the name of a configured route map. ● Include specific OSPF routes in RIP. ROUTER RIP mode redistribute ospf process-id [match external {1 | 2} | match internal] [metric value] [route-map map-name] Configure the following parameters: ○ process-id: the range is from 1 to 65535. ○ metric: the range is from 0 to 16. ○ map-name: the name of a configured route map. To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
DellEMC# To configure an interface to receive or send both versions of RIP, include 1 and 2 in the command syntax. The command syntax for sending both RIPv1 and RIPv2 and receiving only RIPv2 is shown in the following example. DellEMC(conf-if)#ip rip send version 1 2 DellEMC(conf-if)#ip rip receive version 2 The following example of the show ip protocols command confirms that both versions are sent out that interface.
NOTE: If you enable the ip split-horizon command on an interface, the system does not advertise the summarized address. Controlling Route Metrics As a distance-vector protocol, RIP uses hop counts to determine the best route, but sometimes the shortest hop count is a route over the lowest-speed link. To manipulate RIP routes so that the routing protocol prefers a different route, manipulate the route by using the offset command.
RIP Configuration Example The examples in this section show the command sequence to configure RIPv2 on the two routers shown in the following illustration — Core 2 and Core 3. The host prompts used in the following example reflect those names. The examples are divided into the following groups of command sequences:
● Configuring RIPv2 on Core 2
● Core 2 RIP Output
● RIP Configuration on Core 3
● Core 3 RIP Output
● RIP Configuration Summary
Figure 105.
10.11.10.0/24 directly connected,GigabitEthernet 2/11
10.0.0.0/8 auto-summary
192.168.1.0/24 [120/1] via 10.11.20.1, 00:00:03, GigabitEthernet 2/3
192.168.1.0/24 auto-summary
192.168.2.0/24 [120/1] via 10.11.20.1, 00:00:03, GigabitEthernet 2/3
192.168.2.0/24 auto-summary
Core2#
The following example shows the show ip route command to show the RIP setup on Core 2.
RIP Configuration on Core3
The following example shows how to configure RIPv2 on a host named Core3.
Core3(conf)#router rip
Core3(conf-router_rip)#version 2
Core3(conf-router_rip)#network 192.168.1.0
Core3(conf-router_rip)#network 192.168.2.0
Core3(conf-router_rip)#network 10.11.30.0
Core3(conf-router_rip)#network 10.11.20.0
Core3(conf-router_rip)#show config
!
router rip
 network 10.0.0.0
 network 192.168.1.0
 network 192.168.2.
C    192.168.2.0/24    Direct, Gi 3/24    0/0    00:06:26
Core3#
The following example shows the show ip protocols command to show the RIP configuration activity on Core 3.
!
interface GigabitEthernet 3/2
 ip address 10.11.20.1/24
 no shutdown
!
interface GigabitEthernet 3/4
 ip address 192.168.1.1/24
 no shutdown
!
interface GigabitEthernet 3/5
 ip address 192.168.2.1/24
 no shutdown
!
router rip
 version 2
 network 10.11.20.0
 network 10.11.30.0
 network 192.168.1.0
 network 192.168.2.
42 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell EMC Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
[no] rmon alarm number variable interval {delta | absolute} rising-threshold [value event-number] falling-threshold value event-number [owner string] OR [no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string] Configure the alarm using the following optional parameters: ○ number: alarm number, an integer from 1 to 65,535, the value must be unique in the RMON Alarm Table.
In the following example, the configuration creates RMON event number 1, with the description “High ifOutErrors”, and generates a log entry when an alarm triggers the event. The user nms1 owns the row that is created in the event table by this command. This configuration also generates an SNMP trap when the event is triggered using the SNMP community string “eventtrap”.
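An RMON alarm is not a simple threshold comparison: once the rising event has fired it must not fire again on every subsequent sample, or a sustained error burst would flood the NMS with traps until the counter recovers. The following added example, which is not part of the Dell EMC guide, models the rising/falling hysteresis of RFC 2819 alarms for both the absolute and delta sample types that the rmon alarm command accepts. The sample series, thresholds and event numbers are constructed; evaluate_alarm is this example's own helper, not an OS9 command.

```python
"""RMON alarm evaluation with rising/falling hysteresis (added example).

Follows RFC 2819 alarm semantics: a rising event fires when the sampled
value reaches rising-threshold and is not re-armed until the value has
first dropped to falling-threshold, and vice versa. Samples, thresholds
and event numbers below are constructed.
"""


def evaluate_alarm(samples, rising, falling, sample_type="absolute",
                   rising_event=1, falling_event=2):
    """Return the list of (sample_index, event_number) an alarm would generate.

    sample_type "delta" compares the difference between consecutive samples,
    "absolute" compares the raw value, mirroring {delta | absolute} above.
    The first sample fires whichever threshold it already exceeds (the RFC's
    default startup behaviour, risingOrFallingAlarm).
    """
    if rising <= falling:
        raise ValueError("rising-threshold must exceed falling-threshold")
    events = []
    last_fired = None          # None, "rising" or "falling"
    prev = None
    for i, value in enumerate(samples):
        if sample_type == "delta":
            if prev is None:   # no delta exists for the very first sample
                prev = value
                continue
            observed, prev = value - prev, value
        else:
            observed = value
        if observed >= rising and last_fired != "rising":
            events.append((i, rising_event))
            last_fired = "rising"
        elif observed <= falling and last_fired != "falling":
            events.append((i, falling_event))
            last_fired = "falling"
    return events


# Constructed ifOutErrors samples taken every interval; rising 10, falling 4.
ABSOLUTE_SAMPLES = [6, 8, 12, 15, 9, 3, 2, 11, 14]
# Constructed monotonically increasing counter, examined as per-interval deltas.
COUNTER_SAMPLES = [0, 3, 20, 22, 40]

if __name__ == "__main__":
    print("absolute:", evaluate_alarm(ABSOLUTE_SAMPLES, rising=10, falling=4))
    print("delta:   ", evaluate_alarm(COUNTER_SAMPLES, rising=10, falling=5,
                                      sample_type="delta"))
```

Note that the values 15 and 2 in the absolute series generate nothing: the alarm stays silent until the variable has crossed the opposite threshold, which is the behaviour to expect when an RMON event feeds a log or trap pipeline.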
The following command example enables an RMON MIB collection history group of statistics with an ID number of 20 and an owner of john, both the sampling interval and the number of buckets use their respective defaults.
43 Rapid Spanning Tree Protocol (RSTP) The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP).
● Prevent Network Disruptions with BPDU Guard
● Influencing RSTP Root Selection
● Configuring Spanning Trees as Hitless
● Enabling SNMP Traps for Root Elections and Topology Changes
● Configuring Fast Hellos for Link State Detection
● Flush MAC Addresses after a Topology Change
Important Points to Remember
● RSTP is disabled by default.
● Dell EMC Networking OS supports only one Rapid Spanning Tree (RST) instance.
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. The switchport and no shutdown lines indicate that the interface is in Layer 2 mode and enabled.
DellEMC(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
 no ip address
 switchport
 no shutdown
DellEMC(conf-if-gi-1/1)#
Enabling Rapid Spanning Tree Protocol Globally
Enable RSTP globally on all participating bridges; it is not enabled by default.
Figure 106. Rapid Spanning Tree Enabled Globally
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
DellEMC#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
Bridge Identifier has priority 32768, Address 0001.e801.
The port is not in the Edge port mode
Port 380 (GigabitEthernet 2/4) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.380
Designated root has priority 32768, address 0001.e801.cbb4
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.
Table 66.
To change the port cost or priority of an interface, use the following commands. ● Change the port cost of an interface. INTERFACE mode spanning-tree rstp cost cost The range is from 0 to 65535. The default is listed in the previous table. ● Change the port priority of an interface. INTERFACE mode spanning-tree rstp priority priority-value The range is from 0 to 15. The default is 128. To view the current values for interface parameters, use the show spanning-tree rstp command from EXEC privilege mode.
CAUTION: Configure EdgePort only on links connecting to an end station. If you enable EdgePort on an interface connected to a network, it can cause loops. Dell EMC Networking OS Behavior: Regarding bpduguard shutdown-on-violation behavior: ● If the interface to be shut down is a port channel, all the member ports are disabled in the hardware. ● When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware.
NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second. The standard minimum hello time in seconds is 1 second, which is encoded as 256. Millisecond hello times are encoded using values less than 256; the millisecond hello time equals (x/1000)*256. When you configure millisecond hellos, the default hello interval of 2 seconds is still used for edge ports; the millisecond hello interval is not used.
44 Software-Defined Networking (SDN) The Dell EMC Networking OS supports software-defined networking (SDN). For more information, see the SDN Deployment Guide.
45 Security This chapter describes several ways to provide security to the Dell EMC Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide.
● Enable AAA accounting and create a record for monitoring the accounting function. CONFIGURATION mode aaa accounting {commands level | dot1x | exec | rest | suppress | system} {default | name} {start-stop | wait-start | stop-only} {radius | tacacs+} The variables are:
○ system: sends accounting information of any other AAA configuration.
○ exec: sends accounting information when a user has logged in to EXEC mode.
CONFIG-LINE-VTY mode
accounting commands 15 com15
accounting exec execAcct
DellEMC(config-line-vty)# accounting commands 15 com15
DellEMC(config-line-vty)# accounting exec execAcct
Monitoring AAA Accounting
Dell EMC Networking OS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting.
Sample dot1x accounting records
The following are sample EAP and MAB accounting records.
EAP START accounting record:
Fri May 10 12:20:43 2019
NAS-IP-Address = 10.16.133.
NAS-Port = 1010
NAS-Port-Id = "GigabitEthernet 1/11"
Service-Type = Call-Check
Acct-Session-Time = 21
Acct-Session-Id = "00-11-22-33-44-55-4"
Acct-Multi-Session-Id = "00-11-22-33-44-55-00-11-33-44-77-88-5e-50-d6-5cc"
Acct-Link-Count = 1
Acct-Terminate-Cause = Lost-Carrier
Acct-Status-Type = Stop
Event-Timestamp = "May 10 2019 23:30:42 CDT"
Tmp-String-9 = "ai:"
Acct-Unique-Session-Id = "5a761462ef63b815707de5fa1c5ef348"
Timestamp = 1557549042
RADIUS Accounting attributes
The following tables describe the va
Table 68. RADIUS Accounting Stop Record Attributes for CLI user (continued)
RADIUS Attribute code   RADIUS Attribute       Description
46                      Acct-Session-Time      Time the user has received the service.
49                      Acct-Terminate-Cause   Reason for session termination.
61                      NAS-Port-Type          ASYNC for a console session; VIRTUAL for a Telnet/SSH session.
Table 69.
Table 71. RADIUS Accounting Stop Record Attributes for dot1x supplicant (continued)
RADIUS Attribute code   RADIUS Attribute       Description
4                       NAS-IP-Address         IPv4 address of the NAS.
95                      NAS-IPv6-Address       IPv6 address of the NAS.
Session Identification Attributes
1                       User-Name              User name, or supplicant MAC address (for MAB).
5                       NAS-Port               Port on which the session is terminated.
6                       Service-Type           Framed (2) for EAP; Call-Check (10) for MAB.
8                       Framed-IP-Address      IPv4 address of the supplicant.
Table 72. Use cases for dot1x supplicant to trigger RADIUS Accounting Start/Stop records (continued)
dot1x event                                               Accounting type   Attributes
Configure port control to force unauthorized              Stop              Stop record attributes with termination cause port-reinitialized (21).
Interface host mode change (single/multihost/multiauth)   Stop              Stop record attributes with termination cause port-reinitialized (21).
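The accounting records above are what an analyst has to reconcile after an incident: which supplicant or CLI user was on which port, for how long, and why the session ended. The following added example, which is not part of the Dell EMC guide, parses records in the "Attribute = value" text form shown above, pairs Start and Stop by Acct-Session-Id, and flags the two things that usually matter in review: a Stop with no matching Start (the Start datagram was lost or never sent) and a NAS-reported Acct-Session-Time that disagrees with the record timestamps. The three records are constructed for this example; the parse_records and reconcile helpers are this example's own names.

```python
"""Pairing RADIUS accounting Start/Stop records by session (added example).

Parses "Attribute = value" records as printed above and reconstructs
sessions. The records in SAMPLE_LOG are constructed; attribute names follow
the tables above, and the helper names are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: one MAB session with Start and Stop, and a CLI Stop
# whose Start was never received.
SAMPLE_LOG = """\
Fri May 10 12:20:43 2019
    User-Name = "00-11-22-33-44-55"
    NAS-IP-Address = 10.16.133.5
    NAS-Port-Id = "GigabitEthernet 1/11"
    Service-Type = Call-Check
    Acct-Session-Id = "00-11-22-33-44-55-4"
    Acct-Status-Type = Start
    Timestamp = 1557549021

Fri May 10 12:21:04 2019
    User-Name = "00-11-22-33-44-55"
    NAS-IP-Address = 10.16.133.5
    NAS-Port-Id = "GigabitEthernet 1/11"
    Service-Type = Call-Check
    Acct-Session-Time = 21
    Acct-Session-Id = "00-11-22-33-44-55-4"
    Acct-Terminate-Cause = Lost-Carrier
    Acct-Status-Type = Stop
    Timestamp = 1557549042

Fri May 10 12:25:00 2019
    User-Name = "admin"
    NAS-IP-Address = 10.16.133.5
    Acct-Session-Time = 300
    Acct-Session-Id = "cli-0007"
    Acct-Terminate-Cause = User-Request
    Acct-Status-Type = Stop
    Timestamp = 1557549300
"""

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*?)"?\s*$')


def parse_records(text):
    """Split the log on blank lines; return one dict of attributes per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"_header": lines[0].strip()}   # the date line that opens a record
        for line in lines[1:]:
            m = ATTR_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        records.append(rec)
    return records


def reconcile(records, tolerance=5):
    """Pair Start and Stop by Acct-Session-Id; return (sessions, anomalies)."""
    by_id = defaultdict(dict)
    for rec in records:
        by_id[rec.get("Acct-Session-Id", "?")][rec.get("Acct-Status-Type")] = rec
    sessions, anomalies = {}, []
    for sid, parts in by_id.items():
        start, stop = parts.get("Start"), parts.get("Stop")
        if stop is None:
            anomalies.append((sid, "start without stop (still active or stop lost)"))
            continue
        if start is None:
            anomalies.append((sid, "stop without start"))
        sessions[sid] = {
            "user": stop.get("User-Name"),
            "port": stop.get("NAS-Port-Id"),
            "seconds": int(stop.get("Acct-Session-Time", 0)),
            "cause": stop.get("Acct-Terminate-Cause"),
        }
        if start is not None:
            # Cross-check the NAS-reported duration against the record timestamps.
            wall = int(stop["Timestamp"]) - int(start["Timestamp"])
            if abs(wall - sessions[sid]["seconds"]) > tolerance:
                anomalies.append((sid, f"session time {sessions[sid]['seconds']}s vs wall clock {wall}s"))
    return sessions, anomalies


if __name__ == "__main__":
    sessions, anomalies = reconcile(parse_records(SAMPLE_LOG))
    for sid, s in sessions.items():
        print(f"{sid}: {s['user']} on {s['port']} for {s['seconds']}s ({s['cause']})")
    for sid, why in anomalies:
        print(f"ANOMALY {sid}: {why}")
```

Because the switch does not send interim accounting (see Monitoring AAA Accounting above), a session that is still open has only a Start record; the first anomaly branch reports those rather than treating them as errors.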
Configure Login Authentication for Terminal Lines You can assign up to five authentication methods to a method list. Dell EMC Networking OS evaluates the methods in the order in which you enter them in each list. If the first method list does not respond or returns an error, Dell EMC Networking OS applies the next method list until the user either passes or fails the authentication. If the user fails a method list, Dell EMC Networking OS does not apply the next method list.
○ method1 [... method4]: any of the following: RADIUS, TACACS, enable, line, none. If you do not set the default list, only the local enable is checked. This setting has the same effect as issuing an aaa authentication enable default enable command. Enabling AAA Authentication — RADIUS To enable authentication from the RADIUS server, and use TACACS as a backup, use the following commands. 1. Enable RADIUS and set up TACACS as backup. CONFIGURATION mode aaa authentication enable default radius tacacs 2.
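The distinction the text draws between a method that fails the user and a method that does not respond is the whole security question of a method list: an unreachable RADIUS server must fall through to the next method, but an explicit reject must not. The following added example, which is not part of the Dell EMC guide, simulates that walk so you can check what a given list does when servers are down. Server verdicts are constructed inputs; the method keywords mirror the command syntax above, and treating "all methods errored" as a rejection is an assumption of this example, not a statement about Dell EMC Networking OS behaviour.

```python
"""Method-list evaluation order for AAA authentication (added example).

Walks a method list as described above: an error or no response moves on
to the next method, an explicit reject ends the evaluation. Server verdicts
are constructed; failing closed when every method errors is an assumption
of this example.
"""
ACCEPT, REJECT, ERROR = "accept", "reject", "error"


def authenticate(method_list, outcomes):
    """Walk method_list in order; return (decision, method_that_decided).

    outcomes maps a method name to ACCEPT / REJECT / ERROR for this attempt.
    "none" always accepts; any method missing from outcomes is treated as
    unreachable (ERROR).
    """
    for method in method_list:
        result = ACCEPT if method == "none" else outcomes.get(method, ERROR)
        if result == ACCEPT:
            return ACCEPT, method
        if result == REJECT:
            return REJECT, method      # a real rejection is final: no fallback
        # ERROR (timeout, unreachable, misconfigured): try the next method
    return REJECT, None                # assumption: all methods errored -> fail closed


def fails_open(method_list):
    """True if the list grants access once every server is unreachable."""
    return "none" in method_list


if __name__ == "__main__":
    servers_down = {"radius": ERROR, "tacacs+": ERROR}
    for lst in (["radius", "tacacs+"], ["radius", "tacacs+", "local"], ["radius", "none"]):
        print(lst, "->", authenticate(lst, {**servers_down, "local": REJECT}),
              "(fails open)" if fails_open(lst) else "")
```

The third list is the one to look for in audits: "none" as the last method means that anyone who can make the RADIUS and TACACS+ servers unreachable from the switch, for example by saturating the management link, is logged in without a password.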
The re-authentication is also applicable for authenticated 802.1x devices. When there is a change in the authentication servers, the supplicants connected to all the ports are forced to re-authenticate. 1. Enable the re-authentication mode. CONFIGURATION mode aaa reauthentication enable 2. You are prompted to force the users to re-authenticate while adding or removing a RADIUS/TACACS+ server.
Privilege Levels Overview Limiting access to the system is one method of protecting the system and your network. However, at times, you might need to allow others access to the router and you can limit that access to a subset of commands. In Dell EMC Networking OS, you can configure a privilege level for users who need limited access to the system. Every command in Dell EMC Networking OS is assigned a privilege level of 0, 1, or 15. You can configure up to 16 privilege levels in Dell EMC Networking OS.
○ privilege level: The range is from 0 to 15. ○ Secret: Specify the secret for the user. To view usernames, use the show users command in EXEC Privilege mode. Configuring the Enable Password Command To configure Dell EMC Networking OS, use the enable command to enter EXEC Privilege level 15. After entering the command, Dell EMC Networking OS requests that you enter a password. Privilege levels are not assigned to passwords; rather, passwords are assigned to a privilege level.
enable password [level level] [encryption-type] password Configure the optional and required parameters: ● level level: specify a level from 0 to 15. Level 15 includes all levels. ● encryption-type: enter 0 for plain text or 7 for encrypted text. ● password: enter a string up to 32 characters long. To change only the password for the enable command, configure only the password parameter. 3. Configure level and commands for a mode or reset a command’s level.
exit Exit from the EXEC no Negate a command show Show running system information terminal Set terminal line parameters traceroute Trace route to destination DellEMC#confi DellEMC(conf)#? end Exit from Configuration mode exit Exit from Configuration mode no Reset a command snmp-server Modify SNMP parameters DellEMC(conf)# Specifying LINE Mode Password and Privilege You can specify a password authentication of all users on different terminal lines.
RADIUS Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol. This protocol transmits authentication, authorization, and configuration information between a central RADIUS server and a RADIUS client (the Dell EMC Networking system). The system sends user information to the RADIUS server and requests authentication of the user and password. The RADIUS server returns one of the following responses: ● Access-Accept — the RADIUS server authenticates the user.
Auto-Command You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. The auto-command command is executed when the user is authenticated and before the prompt appears to the user. ● Automatically execute a command. auto-command Privilege Levels Through the RADIUS server, you can configure a privilege level for the user to enter into when they connect to a session. This value is configured on the client system. ● Set a privilege level.
Applying the Method List to Terminal Lines To enable RADIUS AAA login authentication for a method list, apply it to a terminal line. To configure a terminal line for RADIUS authentication and authorization, use the following commands. ● Enter LINE mode. CONFIGURATION mode line {aux 0 | console 0 | vty number [end-number]} ● Enable AAA login authentication for the specified RADIUS method list.
CONFIGURATION mode radius-server deadtime seconds ○ seconds: the range is from 0 to 2147483647. The default is 0 seconds. ● Configure a key for all RADIUS communications between the system and RADIUS server hosts. CONFIGURATION mode radius-server key [encryption-type] key ○ encryption-type: enter 7 to encrypt the password. Enter 0 to keep the password as plain text. ○ key: enter a string. The key can be up to 42 characters long. You cannot use spaces in the key.
aaa authentication login default radius local 2. Specify the protocol for authentication. CONFIGURATION mode aaa radius auth-method mschapv2 3. Establish a host address and password. CONFIGURATION mode radius-server host H key K 4. Log in to the switch using console, telnet, or ssh with a valid user role. When 1-factor authentication is used, the authentication succeeds, enabling you to access the switch.
Allocate CAM for RADIUS-assigned DACL Allocate the CAM region to use the RADIUS-assigned DACL. Reload the switch for the CAM allocation to take effect. To allocate a CAM region for RADIUS-assigned DACL, use the cam-acl command. Enter the radius-v4acl allocation as a factor of 2 (2,4,6,8). The maximum number of FP blocks allocated for RADIUS-assigned DACLs is 8.
The RADIUS NAS-Filter-Rule attribute indicates the filter rules to be applied for a specific supplicant. The RADIUS server includes the RADIUS NAS-Filter-Rule attribute in the Access-Accept frame sent to the switch. Dell EMC Networking OS supports only certain filters when configuring the ACLs in the RADIUS server.
seq 37 permit ip host 1.1.1.1 host 2.2.2.2 dscp 63 ecn 3 fragments log monitor nodrop order 254 seq 42 permit ip any host 150.0.0.100 dscp 63 ecn 3 seq 47 permit ip 100.0.0.0/28 200.0.0.0/23 seq 52 permit ip 100.0.0.0/16 any seq 57 permit icmp host 1.1.1.1 200.0.0.0/23 seq 62 permit icmp any 200.0.0.0/27 seq 67 permit icmp host 1.1.1.1 any seq 72 permit udp 1.1.1.1 1.1.1.1 eq 65535 2.2.2.2 2.2.2.
To view the RADIUS-assigned DACL, use show ip accounting access-list or show dot1x interface commands. show ip accounting access-list output: DellEMC#show ip accounting access-list ! Extended Ingress IP access list test on GigabitEthernet 1/1 Total cam count 15 seq 5 permit ip host 1.1.1.1 host 2.2.2.2 seq 6 permit ip host 4.4.4.4 host 5.5.5.5 seq 12 deny ip host 1.1.1.1 host 2.2.2.2 seq 17 permit ip host 100.0.0.1 host 150.0.0.100 count (0 packets) seq 22 deny ip host 100.0.0.1 host 200.0.0.
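The following Python example is added here and is not part of the Dell EMC guide or of the switch software. It parses ACL entries written in the `seq N permit|deny proto source destination [eq port] [dscp N] [ecn N] ...` form shown in the two outputs above, evaluates a packet against them in sequence order, and flags entries that an earlier entry already shadows (such as `seq 12 deny` after `seq 5 permit` for the same hosts above). The sample ACL and packets are constructed from the guide's syntax; the first-match and implicit-deny semantics are the conventional ACL behaviour and are an assumption of this model, not a statement of the guide.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    seq: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "icmp", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dscp: Optional[int] = None
    ecn: Optional[int] = None


def _take_network(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address specifier: 'any', 'host A.B.C.D' or 'A.B.C.D/len'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)


def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq N' port qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    if tokens[0] != "seq" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line!r}")
    seq, action, proto = int(tokens[1]), tokens[2], tokens[3]
    tokens = tokens[4:]
    src = _take_network(tokens)
    src_port = _take_port(tokens) if proto in ("tcp", "udp") else None
    dst = _take_network(tokens)
    dst_port = _take_port(tokens) if proto in ("tcp", "udp") else None
    rule = Rule(seq, action, proto, src, dst, src_port, dst_port)
    # 'dscp N' and 'ecn N' are match criteria; flags such as log, monitor,
    # nodrop, fragments, count and 'order N' do not affect whether a rule matches.
    while tokens:
        tok = tokens.pop(0)
        if tok == "dscp":
            rule.dscp = int(tokens.pop(0))
        elif tok == "ecn":
            rule.ecn = int(tokens.pop(0))
        elif tok == "order":
            tokens.pop(0)
    return rule


def evaluate(rules: List[Rule], pkt: Dict) -> Tuple[str, Optional[int]]:
    """First matching rule (by seq) decides; no match is an implicit deny (assumed)."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.proto != "ip" and rule.proto != pkt["proto"]:
            continue
        if ipaddress.ip_address(pkt["src"]) not in rule.src:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in rule.dst:
            continue
        if rule.src_port is not None and pkt.get("sport") != rule.src_port:
            continue
        if rule.dst_port is not None and pkt.get("dport") != rule.dst_port:
            continue
        if rule.dscp is not None and pkt.get("dscp") != rule.dscp:
            continue
        if rule.ecn is not None and pkt.get("ecn") != rule.ecn:
            continue
        return rule.action, rule.seq
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed_seq, shadowing_seq) pairs: an earlier rule already
    catches every packet the later rule describes, so the later one is dead."""
    ordered = sorted(rules, key=lambda r: r.seq)
    found = []
    for i, r in enumerate(ordered):
        for e in ordered[:i]:
            proto_ok = e.proto in ("ip", r.proto)
            qualifiers_ok = all(
                getattr(e, f) is None or getattr(e, f) == getattr(r, f)
                for f in ("src_port", "dst_port", "dscp", "ecn"))
            if proto_ok and qualifiers_ok and r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst):
                found.append((r.seq, e.seq))
                break
    return found


# Constructed ACL using the entry forms shown in the guide's outputs.
SAMPLE_ACL = [
    "seq 5 permit ip host 1.1.1.1 host 2.2.2.2",
    "seq 12 deny ip host 1.1.1.1 host 2.2.2.2",
    "seq 17 permit ip host 100.0.0.1 host 150.0.0.100",
    "seq 42 permit ip any host 150.0.0.100 dscp 63 ecn 3",
    "seq 47 permit ip 100.0.0.0/28 200.0.0.0/23",
    "seq 57 permit icmp host 1.1.1.1 200.0.0.0/23",
    "seq 67 permit icmp host 1.1.1.1 any",
]
RULES = [parse_rule(line) for line in SAMPLE_ACL]
```

Running `shadowed_rules(RULES)` on the sample reports that `seq 12` can never take effect because `seq 5` permits the identical traffic first; the same check applied to a RADIUS-pushed filter set before deployment catches an intended deny that a broader permit silently disables.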
Alternatively, if the user changes authorization level, this change may require that authorization attributes be added or deleted from the user sessions. To overcome these limitations, Dell EMC Networking OS provides RADIUS extension commands in order to enable unsolicited messages to be sent to the NAS. These extension commands provide support for Disconnect Messages (DMs) and Change-of-Authorization (CoA) packets.
Table 76.
Table 79. CoA EAP/MAB Disable Port (continued) Radius Attribute code Radius Attribute Description Mandatory 5 NAS-Port Port on which session is terminated Yes t=26(vendor-specific);l=length;vendor-identification-attribute;Length=value; Data="cmd=bounce-host-port" Yes Authorization Attributes 26 Vendor-Specific Table 80. CoA EAP/MAB Bounce Port Radius Attribute code Radius Attribute Description Mandatory NAS Identification Attributes 4 NAS-IP-Address IPv4 address of the NAS.
Table 82. DM AAA Session(s) disconnect (continued) Radius Attribute code Radius Attribute Description Mandatory - AAA user name 5 NAS-Port Port on which session is terminated No t=26(vendor-specific);l=length;vendor-identification-attribute;Length=value; Data="cmd=disconnect-user" Yes Authorization Attributes 26 Vendor-Specific Error-cause Values It is possible that a Dynamic Authorization Server cannot honor Disconnect Message request or CoA request packets for some reason.
● responds with CoA-Nak, for any internal processing error in NAS; Error-Cause value is “Resources Unavailable” (506). ● ignores attributes that are supported as per RFC but irrelevant to the CoA operations. ● responds to a CoA-Request containing one or more incorrect attribute values with a CoA-Nak; Error-Cause value is “Invalid Attribute Value” (407). NOTE: The Invalid Attribute Value Error-Cause is applicable to the following scenarios: ○ if the CoA request contains incorrect Vendor-Specific attribute value.
Disconnect Message Processing This section lists various actions that the NAS performs during DM processing. The following activities are performed by NAS: ● responds with DM-Nak, if no matching session is found in NAS for the session identification attributes in DM; Error-Cause value is “Session Context Not Found” (503). ● responds with DM-Nak for any internal processing error in NAS; Error-Cause value is “Resources Unavailable” (506).
Disconnecting administrative users logged in through RADIUS Dell EMC Networking OS enables you to configure disconnect messages (DMs) to disconnect RADIUS administrative users who are logged in through an AAA interface. Before disconnecting an administrative user using the disconnect messages, ensure that the following prerequisites are satisfied: ● Shared key is configured in NAS for DAC. ● NAS server listens on the Management IP UDP port 3799 (default) or the port configured through CLI.
● discards the packet, if simultaneous requests are received for the same NAS Port. Configuring CoA to re-authenticate 802.1x sessions Dell EMC Networking OS provides RADIUS extension commands that enable you to configure re-authentication of 802.1x user sessions. When you configure this feature, the DAC sends the CoA request to re-authenticate the 802.1x user session whenever the authorization level of the user’s profile changes. Before configuring re-authentication of 802.
terminate-session NAS terminates the 802.1x user session without disabling the physical port. Dell(conf#)radius dynamic-auth Dell(conf-dynamic-auth#)terminate-session NAS takes the following actions whenever session termination is triggered: ● validates the DM request and the session identification attributes. ● sends a DM-Nak with an error-cause of 402 (missing attribute), if the DM request does not contain the calling-station-id and NAS-port attributes.
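The following Python model is added here and is not code from the Dell EMC guide or from the switch. It puts the DM and CoA processing rules listed in the preceding sections side by side: the Missing Attribute (402), Invalid Attribute Value (407), Session Context Not Found (503) and Resources Unavailable (506) Error-Cause values, the discard of a second simultaneous request for the same NAS port, and the `cmd=disconnect-user` and `cmd=bounce-host-port` Vendor-Specific values from Tables 79 and 82. Assumptions of the model: a session is identified by the (Calling-Station-Id, NAS-Port) pair, the 402 check is applied to CoA requests as well as to DMs, and the internal processing error is simulated with a flag; the sessions and requests are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Error-Cause values (RFC 5176 Error-Cause attribute) named in the guide.
MISSING_ATTRIBUTE = 402
INVALID_ATTRIBUTE_VALUE = 407
SESSION_CONTEXT_NOT_FOUND = 503
RESOURCES_UNAVAILABLE = 506

# Vendor-Specific command strings from the guide's attribute tables.
DM_COMMAND = "cmd=disconnect-user"
COA_BOUNCE_COMMAND = "cmd=bounce-host-port"


@dataclass
class Session:
    calling_station_id: str
    nas_port: int
    active: bool = True


@dataclass
class Nas:
    sessions: Dict[Tuple[str, int], Session] = field(default_factory=dict)
    ports_in_progress: Set[int] = field(default_factory=set)
    bounced_ports: List[int] = field(default_factory=list)
    fault_injected: bool = False   # constructed: simulates an internal processing error


def handle_dynamic_auth(nas: Nas, request: dict) -> Tuple[Optional[str], Optional[int]]:
    """Process one DM or CoA request; return (response type, Error-Cause).
    (None, None) means the request was discarded without a response."""
    kind, attrs = request["type"], request["attrs"]
    is_dm = kind == "Disconnect-Request"
    ack, nak = ("Disconnect-ACK", "Disconnect-NAK") if is_dm else ("CoA-ACK", "CoA-NAK")

    # Session identification attributes must both be present (402 otherwise).
    csid, port = attrs.get("Calling-Station-Id"), attrs.get("NAS-Port")
    if csid is None or port is None:
        return nak, MISSING_ATTRIBUTE
    # A second request for a NAS port already being processed is dropped.
    if port in nas.ports_in_progress:
        return None, None
    session = nas.sessions.get((csid, port))
    if session is None or not session.active:
        return nak, SESSION_CONTEXT_NOT_FOUND
    # The Vendor-Specific command must be the one valid for this request type;
    # any other supported-but-irrelevant attribute (e.g. Framed-IP-Address) is ignored.
    expected_cmd = DM_COMMAND if is_dm else COA_BOUNCE_COMMAND
    if attrs.get("Vendor-Specific") != expected_cmd:
        return nak, INVALID_ATTRIBUTE_VALUE

    nas.ports_in_progress.add(port)
    try:
        if nas.fault_injected:
            raise RuntimeError("simulated internal error")
        if is_dm:
            session.active = False          # terminate the session, port stays up
        else:
            nas.bounced_ports.append(port)  # bounce the host port
        return ack, None
    except RuntimeError:
        return nak, RESOURCES_UNAVAILABLE
    finally:
        nas.ports_in_progress.discard(port)


def demo() -> Dict[str, Tuple[Optional[str], Optional[int]]]:
    """Constructed requests exercising each outcome against one active session."""
    nas = Nas()
    nas.sessions[("00:00:5e:00:53:01", 5)] = Session("00:00:5e:00:53:01", 5)
    dm = {"Calling-Station-Id": "00:00:5e:00:53:01", "NAS-Port": 5,
          "Vendor-Specific": DM_COMMAND}
    coa = {"Calling-Station-Id": "00:00:5e:00:53:01", "NAS-Port": 5,
           "Vendor-Specific": COA_BOUNCE_COMMAND, "Framed-IP-Address": "192.0.2.10"}
    out = {}
    out["missing_attr"] = handle_dynamic_auth(
        nas, {"type": "Disconnect-Request", "attrs": {"NAS-Port": 5, "Vendor-Specific": DM_COMMAND}})
    out["no_session"] = handle_dynamic_auth(
        nas, {"type": "Disconnect-Request", "attrs": dict(dm, NAS_Port=7, **{"NAS-Port": 7})})
    out["bad_vsa"] = handle_dynamic_auth(
        nas, {"type": "CoA-Request", "attrs": dict(coa, **{"Vendor-Specific": DM_COMMAND})})
    out["bounce_ok"] = handle_dynamic_auth(nas, {"type": "CoA-Request", "attrs": coa})
    nas.ports_in_progress.add(5)
    out["busy_port"] = handle_dynamic_auth(nas, {"type": "CoA-Request", "attrs": coa})
    nas.ports_in_progress.discard(5)
    nas.fault_injected = True
    out["internal_error"] = handle_dynamic_auth(nas, {"type": "Disconnect-Request", "attrs": dm})
    nas.fault_injected = False
    out["disconnect_ok"] = handle_dynamic_auth(nas, {"type": "Disconnect-Request", "attrs": dm})
    out["repeat_disconnect"] = handle_dynamic_auth(nas, {"type": "Disconnect-Request", "attrs": dm})
    return out
```

In a deployment the same decisions are made only after the packet's Message-Authenticator has been verified with the shared key configured for the DAC, which is why the prerequisites above list that key and the UDP 3799 listener; the model starts after that check.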
● The NAS secondary VLT chassis member forwards the RADIUS dynamic authorization message authorizing dual-homed Port Extender (PE) ports to the primary VLT peer. NAS secondary VLT chassis member forwards the response to DAC after receiving it from the primary VLT peer. ● The NAS VLT secondary chassis member processes the RADIUS dynamic authorization message authorizing non-PE Control Bridge (CB) ports locally.
da-rsp-timeout value Dell(conf-dynamic-auth#)da-rsp-timeout 20 TACACS+ Dell EMC Networking OS supports terminal access controller access control system (TACACS+) client, including support for login authentication. Configuration Task List for TACACS+ The following list includes the configuration tasks for TACACS+ functions.
First bold line: Server key purposely changed to incorrect value. Second bold line: User authenticated using the secondary method.
DellEMC(config-line-vty)#login authentication tacacsmethod DellEMC(config-line-vty)#end Specifying a TACACS+ Server Host To specify a TACACS+ server host and configure its communication parameters, use the following command. ● Enter the host name or IP address of the TACACS+ server host.
Enabling SCP and SSH Secure shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. Dell EMC Networking OS is compatible with SSH versions 2, in both the client and server modes. SSH sessions are encrypted and use authentication. SSH is enabled by default. For details about the command syntax, refer to the Security chapter in the Dell EMC Networking OS Command Line Interface Reference Guide.
CONFIGURATION MODE copy scp: flash: 4. On Switch 2, in response to prompts, enter the path to the desired file and enter the port number specified in Step 1. EXEC Privilege Mode 5. On the chassis, invoke SCP. CONFIGURATION mode copy scp: flash: The following example shows the use of SCP and SSH to copy a software image from one switch running SSH server on UDP port 99 to the local switch. Other SSH-related commands include: ● crypto key generate: generate keys for the SSH server.
● rekey-interval: time-based rekey threshold for an SSH session. The range is from 10 to 1440 minutes. The default is 60 minutes. ● rekey-limit: volume-based rekey threshold for an SSH session. The range is from 1 to 4096 megabytes. The default is 1024 megabytes. Examples The following example configures the time-based rekey threshold for an SSH session to 30 minutes. DellEMC(conf)#ip ssh rekey time 30 The following example configures the volume-based rekey threshold for an SSH session to 4096 megabytes.
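The following Python example is added here and is not code from the Dell EMC guide. It encodes the two rekey thresholds with the ranges and defaults stated above and tracks a session against them. Two points are assumptions of the model rather than statements of the guide: that either threshold being reached triggers a rekey (whichever comes first), and that both counters restart after each rekey; the traffic pattern in `simulate()` is constructed.

```python
from dataclasses import dataclass

REKEY_TIME_RANGE_MIN = (10, 1440)   # ip ssh rekey time: 10 to 1440 minutes, default 60
REKEY_VOLUME_RANGE_MB = (1, 4096)   # ip ssh rekey volume: 1 to 4096 MB, default 1024


@dataclass(frozen=True)
class RekeyPolicy:
    time_minutes: int = 60
    volume_megabytes: int = 1024

    def __post_init__(self):
        lo, hi = REKEY_TIME_RANGE_MIN
        if not lo <= self.time_minutes <= hi:
            raise ValueError(f"rekey time {self.time_minutes} outside {lo}-{hi} minutes")
        lo, hi = REKEY_VOLUME_RANGE_MB
        if not lo <= self.volume_megabytes <= hi:
            raise ValueError(f"rekey volume {self.volume_megabytes} outside {lo}-{hi} MB")

    @property
    def time_seconds(self) -> int:
        return self.time_minutes * 60

    @property
    def volume_bytes(self) -> int:
        return self.volume_megabytes * 1024 * 1024


class SshSessionKeys:
    """Tracks elapsed time and traffic volume since the session keys were last negotiated."""

    def __init__(self, policy: RekeyPolicy, now: float):
        self.policy = policy
        self.keyed_at = now
        self.bytes_since_rekey = 0
        self.rekeys = 0

    def account(self, nbytes: int, now: float) -> bool:
        """Record traffic at time `now`; return True if a rekey is triggered.
        Assumption: either threshold triggers, and both counters reset afterwards."""
        self.bytes_since_rekey += nbytes
        if (now - self.keyed_at >= self.policy.time_seconds
                or self.bytes_since_rekey >= self.policy.volume_bytes):
            self.keyed_at = now
            self.bytes_since_rekey = 0
            self.rekeys += 1
            return True
        return False


def simulate():
    """Constructed session under the guide's example settings (30 minutes, 4096 MB)."""
    policy = RekeyPolicy(time_minutes=30, volume_megabytes=4096)
    s = SshSessionKeys(policy, now=0)
    mb = 1024 * 1024
    events = [
        s.account(4095 * mb, now=60),         # 1 minute, just under 4096 MB: no rekey
        s.account(0, now=29 * 60),            # 29 minutes: still under both thresholds
        s.account(0, now=30 * 60),            # 30 minutes reached: time threshold fires
        s.account(4096 * mb, now=30 * 60 + 1),  # volume threshold reached right after
    ]
    return events, s.rekeys
```

The volume threshold matters even on idle links: a bulk `copy scp:` of a software image moves the same traffic in seconds that a management session moves in weeks, so the byte counter is what actually limits how much data any one set of session keys protects.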
● hmac-sha2-256 ● hmac-sha1 ● hmac-sha1-96 ● hmac-md5 ● hmac-md5-96 When FIPS is enabled, the default HMAC algorithm is hmac-sha2-256,hmac-sha1,hmac-sha1-96. Example of Configuring an HMAC Algorithm The following example shows you how to configure an HMAC algorithm list. DellEMC(conf)# ip ssh server mac hmac-sha1-96 Configuring the HMAC Algorithm for the SSH Client To configure the HMAC algorithm for the SSH client, use the ip ssh mac hmac-algorithm command in CONFIGURATION mode.
● aes192-cbc ● aes256-cbc ● aes128-ctr ● aes192-ctr ● aes256-ctr The default cipher list is aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc. Example of Configuring a Cipher List The following example shows you how to configure a cipher list. DellEMC(conf)#ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr Configuring the SSH Client Cipher List To configure the cipher list supported by the SSH client, use the ip ssh cipher cipher-list command in CONFIGURATION mode.
ip ssh hostbased-authentication enable no ip ssh password-authentication enable ip ssh server enable Secure Shell Authentication Secure Shell (SSH) is enabled by default using the SSH Password Authentication method. Enabling SSH Authentication by Password Authenticate an SSH client by prompting for a password when attempting to connect to the Dell EMC Networking system. This setup is the simplest method of authentication and uses SSH version 2.
NOTE: If no user is associated with the current logged-in session, the system displays the following error message. % Error: No username set for this term. admin@Unix_client#ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/admin/.ssh/id_rsa): /home/admin/.ssh/id_rsa already exists. Overwrite (y/n)? y Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/admin/.ssh/id_rsa.
The following example shows creating rhosts. admin@Unix_client# ls id_rsa id_rsa.pub rhosts shosts admin@Unix_client# cat rhosts 10.16.127.201 admin Using Client-Based SSH Authentication To SSH from the chassis to the SSH client, use the following command. If the SSH port is a non-default value, use the ip ssh server port number command to change the default port number. You may only change the port number when SSH is disabled. Then use the -p option with the ssh command.
VTY Line and Access-Class Configuration Various methods are available to restrict VTY access in Dell EMC Networking OS. These depend on which authentication scheme you use — line, local, or remote. Table 84. VTY Access (columns: Authentication Method; VTY access-class support?; Username access-class support?; Remote authorization support?)
● Line: YES; NO; NO
● Local: NO; YES; NO
● TACACS+: YES; NO; YES (with version 5.2.1.0 and later)
● RADIUS: YES; NO; YES (with version 6.1.1.
VTY Line Remote Authentication and Authorization Dell EMC Networking OS retrieves the access class from the VTY line. Dell EMC Networking OS takes the access class from the VTY line and applies it to ALL users. Dell EMC Networking OS does not need to know the identity of the incoming user and can immediately apply the access class. If the authentication method is RADIUS, TACACS+, or line, and you have configured an access class for the VTY line, Dell EMC Networking OS immediately applies it.
● Adding and Deleting Users from a Role ● Role Accounting ● Configuring AAA Authentication for Roles ● Configuring AAA Authorization for Roles ● Configuring an Accounting for Roles ● Applying an Accounting Method to a Role ● Displaying Active Accounting Sessions for Roles ● Configuring TACACS+ and RADIUS VSA Attributes for RBAC ● Displaying User Roles ● Displaying Accounting for User Roles ● Displaying Information About Roles Logged into the Switch ● Display Role Permissions Assigned to a Command Overview
Pre-requisites Before you enable role-based only AAA authorization: 1. Locally define a system administrator user role. This gives you access to login with full permissions even if network connectivity to remote authentication servers is not available. 2. Configure login authentication on the console. This ensures that all users are properly identified through authentication no matter the access point.
● Security Administrator (secadmin): This user role can control the security policy across the systems that are within a domain or network topology. The security administrator commands include FIPS mode enablement, password policies, inactivity timeouts, banner establishment, and cryptographic key operations for secure access paths. ● System Administrator (sysadmin).
Create a new user role, myrole and inherit security administrator permissions. DellEMC(conf)#userrole myrole inherit secadmin Verify that the user role, myrole, has inherited the security administrator permissions. The output highlighted in bold indicates that the user role has successfully inherited the security administrator permissions.
The following example allows the security administrator (secadmin) to access Interface mode.
Adding and Deleting Users from a Role To create a user name that is authenticated based on a user role, use the username name password encryption-type password role role-name command in CONFIGURATION mode. Example The following example creates a user name that is authenticated based on a user role. DellEMC(conf)# username john password 0 password role secadmin The following example deletes a user role.
Users with roles and privileges are authorized with the same mechanism. There are six methods available for authorization: radius, tacacs+, local, enable, line, and none. When role-based only AAA authorization is enabled, the enable, line, and none methods are not available. Each of these three methods allows users to be authorized with either a password that is not specific to their userid or with no password at all. Because of the lack of security, these methods are not available for role-based only mode.
authorization exec ucraaa accounting commands role netadmin ucraaa line vty 8 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin ucraaa line vty 9 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin ucraaa ! Configuring TACACS+ and RADIUS VSA Attributes for RBAC For RBAC and privilege levels, the Dell EMC Networking OS RADIUS and TACACS+ implementation supports two vendor-specific options: privilege level and roles.
Configuring AAA Accounting for Roles To configure AAA accounting for roles, use the aaa accounting command in CONFIGURATION mode. aaa accounting {system | exec | commands {level | role role-name}} {name | default} {start-stop | wait-start | stop-only} {tacacs+} Example of Configuring AAA Accounting for Roles The following example shows you how to configure AAA accounting to monitor commands executed by the users who have a secadmin user role.
sysadmin MAC testadmin Exec Config Interface Line Router IP Routemap Protocol netadmin Exec Config Interface Line Router IP Routemap Protocol MAC Displaying Role Permissions Assigned to a Command To display permissions assigned to a command, use the show role command in EXEC Privilege mode. The output displays the user role and or permission level.
NOTE: 2FA does not support RADIUS authentications done with REST, Web UI, and OMI. Handling Access-Challenge Message To provide a two-step verification in addition to the username and password, NAS prompts for additional information. An Access-Challenge request is sent from the RADIUS server to NAS. The RADIUS server returns one of the following responses: ● Access-Challenge—If the user credentials are valid, the NAS server receives an Access-Challenge request from the RADIUS server.
Configuring the System to Drop Certain ICMP Reply Messages You can configure the Dell EMC Networking OS to drop ICMP reply messages. When you configure the drop icmp command, the system drops the ICMP reply messages from the front end and management interfaces. By default, the Dell EMC Networking OS responds to all the ICMP messages. ● Drop the ICMP or ICMPv6 message type. drop {icmp | icmp6} CONFIGURATION mode.
Table 86.
Enabling and Configuring OS Image Hash Verification To enable and configure Dell EMC Networking OS image hash verification, follow these steps: 1. Enable the OS image hash verification feature. CONFIGURATION mode verified boot 2. Verify the hash checksum of the current OS image file on the local file system. EXEC Privilege verified boot hash system-image {A: | B:} hash-value You can get the hash value for your hashing algorithm from the Dell EMC iSupport page.
Dell EMC Networking OS Behavior after System Power-Cycle If the system reboots due to reasons such as a power-cycle, the current startup configuration may be different from the one whose hash you verified using the verified boot hash command. When the system comes up, the system may use the last-verified startup configuration. Dell EMC Networking recommends backing up the startup configuration to a safe location after you use the verified boot hash command.
○ A minimum of one special character including a space (" !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~") DellEMC)# show running-config | g root root-access password 7 f4dc0cb9787722dd1084d17f417f164cc7f730d4f03d4f0215294cbd899614e3 Locking Access to GRUB Interface You can configure the Dell EMC Networking OS to lock the GRUB interface using a password. If you configure a GRUB password, the system prompts for the password when you try to access the GRUB interface.
46 Service Provider Bridging Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell EMC Networking OS. Topics:
• VLAN Stacking
• VLAN Stacking Packet Drop Precedence
• Dynamic Mode CoS for VLAN Stacking
• Layer 2 Protocol Tunneling
• Provider Backbone Bridging
VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.
Figure 107. VLAN Stacking in a Service Provider Network Important Points to Remember ● Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN. ● Dell EMC Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
Related Configuration Tasks
● Configuring the Protocol Type Value for the Outer VLAN Tag
● Configuring Dell EMC Networking OS Options for Trunk Ports
● Debugging VLAN Stacking
● VLAN Stacking in Multi-Vendor Networks
Creating Access and Trunk Ports To create access and trunk ports, use the following commands. ● Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
2 3 4 5 6 Inactive Inactive Inactive Inactive Active DellEMC# M Po1(Ge 3/14-15) M Te 3/13 Configuring the Protocol Type Value for the Outer VLAN Tag The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command. ● Select a value for the S-Tag TPID. CONFIGURATION mode vlan-stack protocol-type The default is 9100. To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC privilege mode.
Codes: Q: U x G - * - Default VLAN, G - GVRP VLANs Untagged, T - Tagged Dot1x untagged, X - Dot1x tagged GVRP tagged, M - Vlan-stack NUM * 1 100 101 103 Status Inactive Inactive Inactive Inactive Description Q Ports U Gi 1/1 T Gi 1/1 M Gi 1/1 Debugging VLAN Stacking To debug VLAN stacking, use the following command. ● Debug the internal state and membership of a VLAN and its ports. debug member The port notations are as follows: ● ● ● ● ● MT — stacked trunk MU — stacked access port T — 802.
For example, if you configure TPID 0x9100, the system treats 0x8100 and untagged traffic the same and maps both types to the default VLAN, as shown by the frame originating from Building C. For the same traffic types, if you configure TPID 0x8100, the system is able to differentiate between 0x8100 and untagged traffic and maps each to the appropriate VLAN, as shown by the packet originating from Building A.
Figure 109.
Figure 110. Single and Double-Tag TPID Mismatch The following table details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the S-Series. Table 87. Behaviors for Mismatched TPID Network Position Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
Table 87. Behaviors for Mismatched TPID (continued) Network Position Egress Access Point Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
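The following Python example is added here and is not code from the Dell EMC guide. It builds small Ethernet frames (untagged, 802.1Q-tagged, and stacked) and classifies each the way the preceding paragraphs describe: a frame whose outer TPID matches the configured value is tagged and mapped to the VLAN in its tag; any other frame, including one tagged 0x8100 when the system TPID is 0x9100, is treated as untagged and lands in the default VLAN. The frame layout follows IEEE 802.1Q/802.1ad; the default VLAN number (1) and the MAC addresses (from the documentation range) are assumptions of the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_VLAN = 1          # assumed default VLAN for frames treated as untagged
CTAG_TPID = 0x8100        # customer (802.1Q) tag protocol identifier


@dataclass(frozen=True)
class Classification:
    outer_recognized: bool     # did the outer tag match the configured TPID?
    vlan: int                  # VLAN the frame is mapped to (its S-VLAN or the default)
    c_vlan: Optional[int]      # inner C-VLAN when a recognized S-tag carries an 802.1Q tag
    payload_ethertype: int     # ethertype seen after the recognized tag(s)


def build_frame(dst: str, src: str, tags: List[Tuple[int, int]],
                ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed Ethernet frame; `tags` lists (tpid, vlan_id) pairs, outermost first."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP and DEI bits left at zero
    return hdr + struct.pack("!H", ethertype) + payload


def classify(frame: bytes, system_tpid: int) -> Classification:
    """Interpret the outer tag of `frame` the way a switch configured with
    `vlan-stack protocol-type system_tpid` would."""
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype != system_tpid:
        # TPID mismatch: the switch sees no tag it recognizes, so the frame is handled
        # exactly like untagged traffic and is mapped to the default VLAN.
        return Classification(False, DEFAULT_VLAN, None, etype)
    (tci,) = struct.unpack_from("!H", frame, off + 2)
    s_vlan = tci & 0x0FFF
    off += 4
    (etype,) = struct.unpack_from("!H", frame, off)
    c_vlan = None
    if etype == CTAG_TPID:
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        c_vlan = tci & 0x0FFF
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    return Classification(True, s_vlan, c_vlan, etype)


def scenarios():
    """The Building A / Building C situations from the text, with both TPID settings."""
    dst, src = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    untagged = build_frame(dst, src, [])
    ctagged = build_frame(dst, src, [(0x8100, 100)])
    stacked = build_frame(dst, src, [(0x9100, 200), (0x8100, 100)])
    return {
        "0x9100/untagged": classify(untagged, 0x9100),
        "0x9100/ctagged": classify(ctagged, 0x9100),   # same fate as untagged
        "0x9100/stacked": classify(stacked, 0x9100),
        "0x8100/untagged": classify(untagged, 0x8100),
        "0x8100/ctagged": classify(ctagged, 0x8100),   # now distinguished from untagged
        "0x8100/stacked": classify(stacked, 0x8100),   # 0x9100 outer tag not recognized
    }
```

The two `ctagged` results are the point of Table 87: the same frame is a default-VLAN frame under one TPID setting and a VLAN 100 frame under the other, so a TPID mismatch between the provider edge and the customer equipment silently merges customer traffic into the default VLAN rather than dropping it.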
Precedence and description:
● Green: High-priority packets that are the least preferred to be dropped.
● Yellow: Lower-priority packets that are treated as best-effort.
● Red: Lowest-priority packets that are always dropped (regardless of congestion status).
● Honor the incoming DEI value by mapping it to a Dell EMC Networking OS drop precedence. INTERFACE mode dei honor {0 | 1} {green | red | yellow} You may enter the command once for 0 and once for 1. Packets with an unmapped DEI value are colored green.
Figure 111. Statically and Dynamically Assigned dot1p for VLAN Stacking When configuring Dynamic Mode CoS, you have two options: ● Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. In this case, you must have other dot1p QoS configurations; this option is classic dot1p marking. ● Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p.
! interface GigabitEthernet 1/21 no ip address switchport vlan-stack access vlan-stack dot1p-mapping c-tag-dot1p 0-3 sp-tag-dot1p 7 service-policy input in layer2 no shutdown Mapping C-Tag to S-Tag dot1p Values To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly, use the following commands. 1. Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
Figure 112. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 113. VLAN Stacking with L2PT Implementation Information ● L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. ● No protocol packets are tunneled when you enable VLAN stacking. ● L2PT requires the default CAM profile. Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT. EXEC Privilege mode show cam-profile 2.
INTERFACE VLAN mode protocol-tunnel stp Specifying a Destination MAC Address for BPDUs By default, Dell EMC Networking OS uses a Dell EMC Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command. ● Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. 802.
47 sFlow sFlow is a standards-based sampling technology embedded within switches and routers that is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
● If the global sampling rate is non-default, for example 256, and if the sampling rate is not configured on the interface, the sampling rate of the interface is the global non-default sampling rate, that is, 256. To avoid the back-off, either increase the global sampling rate or configure all the line card ports with the desired sampling rate even if some ports have no sFlow configured.
Gi 1/1: configured rate 16384, actual rate 16384 DellEMC# If you did not enable any extended information, the show output displays the following (shown in bold).
Example of the show sflow command when the sflow max-header-size extended is configured globally DellEMC(conf-if-gi-1/10)#show sflow sFlow services are enabled Egress Management Interface sFlow services are disabled Global default sampling rate: 32768 Global default counter polling interval: 86400 Global default extended maximum header size: 256 bytes Global extended information enabled: none 1 collectors configured Collector IP addr: 100.1.1.12, Agent IP addr: 100.1.1.
Global default sampling rate: 32768 Global default counter polling interval: 20 1 collectors configured Collector IP addr: 133.33.33.53, Agent IP addr: 133.33.33.
Configuring Specific Collectors The sflow collector command allows identification of sFlow collectors to which sFlow datagrams are forwarded. You can specify up to two sFlow collectors. If you specify two collectors, the samples are sent to both. ● Identify sFlow collectors to which sFlow datagrams are forwarded. CONFIGURATION mode sflow collector ip-address agent-addr ip-address [number [max-datagram-size number] ] | [max-datagram-size number ] The default UDP port is 6343.
● extended-switch — 802.1Q VLAN ID and 802.1p priority information. ● extended-router — Next-hop and source and destination mask length. ● extended-gateway — Source and destination AS number and the BGP next-hop. NOTE: The entire AS path is not included. BGP community-list and local preference information are not included. These fields are assigned default values and are not interpreted by the collector. ● Enable extended sFlow.
Table 89. Extended Gateway Summary (continued) IP SA IP DA srcAS and srcPeerAS dstAS and dstPeerAS Description there is no AS information. static/connected/IGP BGP 0 Exported src_as and src_peer_as are zero because there is no AS information for IGP. BGP static/connected/IGP — — Exported Exported Prior to Dell EMC Networking OS version 7.8.1.0, extended gateway data is not exported because IP DA is not learned via BGP. Version 7.8.1.
48 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell EMC Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
Protocol Overview Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB). MIBs are hierarchically structured and use object identifiers to address managed objects, but managed objects also have a textual name called an object descriptor.
You cannot modify the FIPS mode if SNMPv3 users are already configured and present in the system. An error message is displayed if you attempt to change the FIPS mode by using the fips mode enable command in Global Configuration mode. You can enable or disable FIPS mode only if SNMPv3 users are not previously set up. If previously configured users exist on the system, you must delete the existing users before you change the FIPS mode.
SNMP version 3 (SNMPv3) is a user-based security model that provides password authentication for user security and encryption for data security and privacy. Three sets of configurations are available for SNMP read/write operations: no password or privacy, password privileges, password and privacy privileges. You can configure a maximum of 16 users even if they are in different groups.
CONFIGURATION mode snmp-server user name group-name 3 noauth auth md5 auth-password ● Configure an SNMP group (password privileges only). CONFIGURATION mode snmp-server group groupname {oid-tree} auth read name write name ● Configure an SNMPv3 view. CONFIGURATION mode snmp-server view view-name 3 noauth {included | excluded} NOTE: To give a user read and write privileges, repeat this step for each privilege type. ● Configure an SNMP group (with password or privacy privileges).
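The following Python example is added here and is not code from the Dell EMC guide or from the switch software. It shows what the "password privileges" of SNMPv3 rest on: the User-based Security Model does not send or store the auth-password as such but derives a key from it (RFC 3414 A.2) and then localizes that key with the agent's snmpEngineID, so the same password gives every agent a different key. The md5 and sha1 choices correspond to the `auth md5` / `auth sha` options of `snmp-server user`; the engine IDs in `keys_differ_per_engine()` are constructed, and the test vectors are the ones published in RFC 3414 A.3.

```python
import hashlib

ONE_MEGABYTE = 1048576   # RFC 3414 A.2: the password is repeated to exactly 2**20 bytes


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku = H(password repeated/truncated to 1,048,576 bytes), RFC 3414 A.2.1/A.2.2."""
    if not password:
        raise ValueError("empty auth-password")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    h = hashlib.new(hash_name)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def derive_localized_key(password: str, engine_id_hex: str, hash_name: str = "md5") -> str:
    """Hex localized authentication key for `password` on the agent `engine_id_hex`."""
    ku = password_to_key(password.encode("utf-8"), hash_name)
    return localize_key(ku, bytes.fromhex(engine_id_hex), hash_name).hex()


def keys_differ_per_engine(password: str = "maplesyrup") -> bool:
    """Same password, two constructed engine IDs: the localized keys must differ,
    so a key recovered from one agent does not authenticate to another."""
    k1 = derive_localized_key(password, "000000000000000000000002", "sha1")
    k2 = derive_localized_key(password, "000000000000000000000003", "sha1")
    return k1 != k2
```

On a FIPS-restricted OpenSSL build `hashlib.new("md5")` may be unavailable, which matches the guide's FIPS section: with FIPS mode enabled, use the SHA-based authentication option for SNMPv3 users.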
● Read the value of many objects at once.
snmpwalk -v version -c community agent-ip {identifier.instance | descriptor.instance}
In the following example, the value “4” displays in the OID before the IP address for IPv4. For an IPv6 IP address, a value of “16” displays.
> snmpget -v 2c -c mycommunity 10.11.131.161 sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (32852616) 3 days, 19:15:26.16
> snmpget -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1.3.
snmp-server location text
You may use up to 55 characters. The default is None.
● (From a management station) Identify the system manager along with this person’s contact information (for example, an email address or phone number).
CONFIGURATION mode
snmpset -v version -c community agent-ip sysContact.0 s “contact-info”
You may use up to 55 characters. The default is None.
snmp coldstart
snmp linkdown
snmp linkup
SNMP_COLD_START: Agent Initialized - SNMP COLD_START.
SNMP_WARM_START:Agent Initialized - SNMP WARM_START.
PORT_LINKDN:changed interface state to down:%d
PORT_LINKUP:changed interface state to up:%d
Enabling a Subset of SNMP Traps
You can enable a subset of Dell EMC Networking enterprise-specific SNMP traps using one of the following listed command options. To enable a subset of Dell EMC Networking enterprise-specific SNMP traps, use the following command.
vrrp Enable VRRP state change traps
xstp
%SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority 32768, Address 0001.e801.fc35.
%SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port GigabitEthernet 1/8 transitioned from Forwarding to Blocking state.
%SPANMGR-5-MSTP_NEW_ROOT_BRIDGE: Elected root bridge for instance 0.
%SPANMGR-5-MSTP_NEW_ROOT_PORT: MSTP root changed to port Gi 1/8 for instance 0. My Bridge ID: 40960:0001.e801.fc35 Old Root: 40960:0001.e801.fc35 New Root: 32768:00d0.038a.2c01.
CONFIGURATION MODE
snmp-server enable traps snmp syslog-unreachable
To enable an SNMP agent to send a trap when the syslog server resumes connectivity, enter the following command:
CONFIGURATION MODE
snmp-server enable traps snmp syslog-reachable
Table 91. List of Syslog Server MIBS that have read access
MIB Object | OID | Object Values | Description
dF10SysLogTraps | 1.3.6.1.4.1.6027.3.30.1.1 | 1 = reachable, 2 = unreachable | Specifies whether the syslog server is reachable or unreachable.
Table 92. MIB Objects for Copying Configuration Files via SNMP (continued)
MIB Object | OID | Object Values | Description
(copySrcFileType, continued) | | 2 = running-config, 3 = startup-config | ● If copySrcFileType is running-config or startup-config, the default copySrcFileLocation is flash. ● If copySrcFileType is a binary file, you must also specify copySrcFileLocation and copySrcFileName.
copySrcFileLocation | .1.3.6.1.4.1.6027.3.5.1.1.1.1.3 | 1 = flash, 2 = slot0, 3 = tftp, 4 = ftp, 5 = scp, 6 = usbflash |
copySrcFileName | | |
copyDestFileType | .
Table 92. MIB Objects for Copying Configuration Files via SNMP (continued)
MIB Object | OID | Object Values | Description
copyUserName | .1.3.6.1.4.1.6027.3.5.1.1.1.1.9 | Username for the server. | Username for the FTP, TFTP, or SCP server. ● If you specify copyUserName, you must also specify copyUserPassword.
copyUserPassword | .1.3.6.1.4.1.6027.3.5.1.1.1.1.10 | Password for the server. | Password for the FTP, TFTP, or SCP server.
Copying Configuration Files via SNMP
To copy the running-config to the startup-config from the UNIX machine, use the following command.
● Copy the running-config to the startup-config from the UNIX machine.
snmpset -v 2c -c public force10system-ip-address copySrcFileType.index i 2 copyDestFileType.index i 3
The following examples show the command syntax using MIB object names and the same command using the object OIDs. In both cases, a unique index number follows the object.
copyServerAddress.110 a 11.11.11.11 copyUserName.110 s mylogin copyUserPassword.110 s mypass
FTOS-COPY-CONFIG-MIB::copySrcFileType.110 = INTEGER: runningConfig(2)
FTOS-COPY-CONFIG-MIB::copyDestFileName.110 = STRING: /home/startup-config
FTOS-COPY-CONFIG-MIB::copyDestFileLocation.110 = INTEGER: ftp(4)
FTOS-COPY-CONFIG-MIB::copyServerAddress.110 = IpAddress: 11.11.11.11
FTOS-COPY-CONFIG-MIB::copyUserName.110 = STRING: mylogin
FTOS-COPY-CONFIG-MIB::copyUserPassword.
Table 93. Additional MIB Objects for Copying Configuration Files via SNMP (continued)
MIB Object | OID | Values | Description
copyTimeCompleted | .1.3.6.1.4.1.6027.3.5.1.1.1.1.13 | Time value | Specifies the point in the uptime clock that the copy operation completed.
copyFailCause | .1.3.6.1.4.1.6027.3.5.1.1.1.1.14 | 1 = bad filename, 2 = copy in progress, 3 = disk full, 4 = file exists, 5 = file not found, 6 = timeout, 7 = unknown | Specifies the reason the copy request failed.
copyEntryRowStatus | .1.3.6.1.4.1.6027.
MIB Support to Display Reason for Last System Reboot
Dell EMC Networking provides MIB objects to display the reason for the last system reboot. The dellNetProcessorResetReason object contains the reason for the last system reboot. The following table lists the related MIB objects.
Table 94. MIB Objects for Displaying Reason for Last System Reboot
MIB Object | OID | Description
dellNetProcessorResetReason | 1.3.6.1.4.1.6027.3.26.1.4.3.1.7 | This is the table that contains the reason for last system reboot.
SNMP Walk Example Output
snmpwalk -v 2c -c public 10.16.131.156 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.5
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.5.11 = INTEGER: 48
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.5.12 = INTEGER: 40
snmpwalk -v 2c -c public 10.16.131.156 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.6
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.6.11 = INTEGER: 31
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.6.12 = INTEGER: 26
snmpwalk -v 2c -c public 10.16.131.
Table 97. MIB Objects for Displaying the Software Core Files Generated by the System (continued)
MIB Object | OID | Description
chSysCoresFileName | 1.3.6.1.4.1.6027.3.10.1.2.10.1.2 | Contains the core file names and the file paths.
chSysCoresTimeCreated | 1.3.6.1.4.1.6027.3.10.1.2.10.1.3 | Contains the time at which core files are created.
chSysCoresStackUnitNumber | 1.3.6.1.4.1.6027.3.10.1.2.10.1.4 | Contains information that includes which stack unit or processor the core file originated from.
Table 98. MIB Objects to Display the information for WRED Green/Yellow/Red Drop Counters (continued)
MIB Object | OID | Description
dellNetFpWredOutOfProfileDrops | 1.3.6.1.4.1.6027.3.27.1.3.1.31 | Count of WRED drops of red packets.
SNMP Walk Example Output
snmpwalk -v 2c -c public 10.16.151.246 1.3.6.1.4.1.6027.3.27.1.3 | grep 2107012
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.1.2107012 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.2.2107012 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.3.
Table 99. MIB Objects to Display the Available Partitions on Flash (continued)
MIB Object | OID | Description
dellNetFlashPartitionUsed | 1.3.6.1.4.1.6027.3.26.1.4.8.1.4 | Contains the amount of space used by the files on the partition.
dellNetFlashPartitionFree | 1.3.6.1.4.1.6027.3.26.1.4.8.1.5 | Contains the amount of free space available on the partition.
dellNetFlashPartitionMountPoint | 1.3.6.1.4.1.6027.3.26.1.4.8.1.6 | Symbolic or alias name for the partition.
MIB Support to Display Egress Queue Statistics
Dell EMC Networking OS provides MIB objects to display the information of the packets transmitted or dropped per unicast or multicast egress queue. The following table lists the related MIB objects:
Table 100. MIB Objects to display egress queue statistics
MIB Object | OID | Description
dellNetFpEgrQTxPacketsRate | 1.3.6.1.4.1.6027.3.27.1.20.1.6 | Rate of packets transmitted per unicast/multicast egress queue.
dellNetFpEgrQTxBytesRate | 1.3.6.1.4.1.6027.3.27.1.
● To view the entAliasMappingTable generated by the system, use the following command.
snmpwalk -v 2c -c public -On 10.16.150.97 1.3.6.1.2.1.47.1.3.2.1
.1.3.6.1.2.1.47.1.3.2.1.2.5.0 = OID: .1.3.6.1.2.1.2.2.1.1.2097157
.1.3.6.1.2.1.47.1.3.2.1.2.9.0 = OID: .1.3.6.1.2.1.2.2.1.1.2097669
.1.3.6.1.2.1.47.1.3.2.1.2.13.0 = OID: .1.3.6.1.2.1.2.2.1.1.2098181
.1.3.6.1.2.1.47.1.3.2.1.2.17.0 = OID: .1.3.6.1.2.1.2.2.1.1.2098693
.1.3.6.1.2.1.47.1.3.2.1.2.21.0 = OID: .1.3.6.1.2.1.2.2.1.1.2099205
.1.3.6.1.2.1.47.1.3.2.1.2.
Table 103. MIB Objects for LAG (continued)
MIB Object | OID | Description
| | identifier for the current Protocol partner of the Aggregator.
dot3adAggPartnerSystemPriority | 1.2.840.10006.300.43.1.1.1.1.8 | Contains a two octet read–only value that indicates the priority value associated with the Partner’s system ID.
dot3adAggPartnerOperKey | 1.2.840.10006.300.43.1.1.1.1.9 | Contains the current operational value of the key for the Aggregator’s current protocol partner.
dot3adAggCollectorMaxDelay | 1.2.840.10006.
MIB Support to Display Unrecognized LLDP TLVs
This section describes the MIB objects that display information about reserved and organizationally specific unrecognized LLDP TLVs.
MIB Support to Display Reserved Unrecognized LLDP TLVs
The lldpRemUnknownTLVTable contains the information about incoming reserved LLDP TLVs that are not recognized by the local neighbor. The following table lists the related MIB objects:
Table 104.
MIB Support to Display Organizational Specific Unrecognized LLDP TLVs
The lldpRemOrgDefInfoTable contains organizationally defined information that is not recognized by the local neighbor. The following table lists the related MIB objects:
Table 105. MIB Objects for Displaying Organizational Specific Unrecognized LLDP TLVs
MIB Object | OID | Description
lldpRemOrgDefInfoTable | 1.0.8802.1.1.2.1.4.4 | This table contains organizationally defined information that is not recognized by the local neighbor.
MIB Support for LLDP Notification Interval
Dell EMC Networking provides objects for controlling the transmission of LLDP notification messages. The following table lists the related MIB objects:
Table 106. MIB Objects for LLDP Notification Interval
MIB Object | OID | Description
lldpNotificationInterval | 1.0.8802.1.1.2.1.1.5 | This object controls the transmission of LLDP notifications.
SNMP Walk Output
snmpwalk -c public -v 2c 10.16.132.55 1.0.8802.1.1.2.1.1.5
.1.0.8802.1.1.2.1.1.5.
The following table shows the MIB objects of the table dellNetPortSecIfConfigTable. The OID of the MIB table is 1.3.6.1.4.1.6027.3.31.1.2.1.
Table 108. Interface level MIB Objects for Port Security
MIB Object | OID | Access or Permission | Description
dellNetPortSecIfPortSecurityEnable | 1.3.6.1.4.1.6027.3.31.1.2.1.1.1 | read-only | Specifies if the port security feature is enabled or disabled on an interface.
dellNetPortSecIfPortSecurityStatus | 1.3.6.1.4.1.6027.3.31.1.2.1.1.
MIB objects for configuring MAC addresses
This section describes the MIB objects of the dellNetPortSecSecureStaticMacAddrTable table, which are used to configure and unconfigure static MAC addresses in the system. The OID of this MIB table is 1.3.6.1.4.1.6027.3.31.1.2.2.
Table 110. MIB Objects for configuring MAC addresses
MIB Object | OID | Access or Permission | Description
dellNetSecureMacIfIndex | 1.3.6.1.4.1.6027.3.31.1.3.1.1.3 | read-only | Shows on which interface the dellNetSecureMacAddress is configured or learnt.
dellNetSecureMacAddrType | 1.3.6.1.4.1.6027.3.31.1.3.1.1.4 | read-only | Indicates whether the secure MAC address is configured as static, dynamic, or sticky.
Displaying the Ports in a VLAN
Dell EMC Networking OS identifies VLAN interfaces using an interface index number that is displayed in the output of the show interface vlan command. The following example shows viewing the VLAN interface index number using SNMP.
DellEMC(conf)#do show interface vlan id 10
% Error: No such interface name.
Add Tagged and Untagged Ports to a VLAN
The dot1qVlanStaticEgressPorts object is an array of all VLAN members. The dot1qVlanStaticUntaggedPorts object is an array of only untagged VLAN members. All VLAN members that are not in dot1qVlanStaticUntaggedPorts are tagged.
● To add a tagged port to a VLAN, write the port to the dot1qVlanStaticEgressPorts object.
● To add an untagged port to a VLAN, write the port to the dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts objects.
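Both objects are Q-BRIDGE-MIB PortList octet strings, so "writing the port" means setting one bit in a bitmap and writing the whole string back. The following Python helper is an added example, not part of the Dell guide; it assumes the standard PortList encoding from RFC 4363 (port 1 is the most significant bit of the first octet, port 9 the most significant bit of the second, and so on) and that the port numbers are the bridge port numbers the agent uses for these tables.

```python
"""PortList helpers for dot1qVlanStaticEgressPorts / dot1qVlanStaticUntaggedPorts.

Added example (not from the Dell guide). Assumes the RFC 4363 PortList
encoding: port N lives in octet (N-1)//8, bit 0x80 >> ((N-1) % 8).
"""
from typing import Set, Tuple


def portlist_to_ports(portlist: bytes) -> Set[int]:
    """Decode a PortList octet string into a set of 1-based port numbers."""
    ports: Set[int] = set()
    for octet_index, octet in enumerate(portlist):
        for bit in range(8):
            if octet & (0x80 >> bit):
                ports.add(octet_index * 8 + bit + 1)
    return ports


def ports_to_portlist(ports: Set[int], width_octets: int) -> bytes:
    """Encode port numbers into a PortList of the width the agent reported.

    The whole string is written back on a set, so the width must match the
    value read from the agent; a short string would clear higher ports.
    """
    buf = bytearray(width_octets)
    for p in ports:
        if p < 1 or p > width_octets * 8:
            raise ValueError(f"port {p} outside PortList width")
        buf[(p - 1) // 8] |= 0x80 >> ((p - 1) % 8)
    return bytes(buf)


def vlan_membership(egress: bytes, untagged: bytes) -> Tuple[Set[int], Set[int]]:
    """Split members into (tagged, untagged): members absent from
    UntaggedPorts are tagged, as the guide states."""
    members = portlist_to_ports(egress)
    untagged_ports = portlist_to_ports(untagged) & members
    return members - untagged_ports, untagged_ports


def add_port(egress: bytes, untagged: bytes, port: int, tagged: bool) -> Tuple[bytes, bytes]:
    """Return the (EgressPorts, UntaggedPorts) values to write back.

    Tagged: set the bit only in EgressPorts.
    Untagged: set the bit in both EgressPorts and UntaggedPorts.
    """
    width = len(egress)
    members = portlist_to_ports(egress) | {port}
    untagged_ports = portlist_to_ports(untagged)
    untagged_ports = untagged_ports - {port} if tagged else untagged_ports | {port}
    return ports_to_portlist(members, width), ports_to_portlist(untagged_ports, width)


def portlist_hex(portlist: bytes) -> str:
    """Space-separated hex, the form net-snmp shows for Hex-STRING values."""
    return " ".join(f"{b:02X}" for b in portlist)


if __name__ == "__main__":
    # Constructed sample: a 2-octet PortList where port 1 is an untagged member.
    egress, untag = bytes([0x80, 0x00]), bytes([0x80, 0x00])
    egress, untag = add_port(egress, untag, 10, tagged=True)    # port 10 tagged
    egress, untag = add_port(egress, untag, 3, tagged=False)    # port 3 untagged
    print(portlist_hex(egress), portlist_hex(untag), vlan_membership(egress, untag))
```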
Managing Overload on Startup
If you are running IS-IS, you can set a specific amount of time to prevent ingress traffic from being received after a reload and allow the routing protocol upgrade process to complete. To prevent ingress traffic on a router while the IS reload is implemented, use the following command.
● Set the amount of time after an IS-IS reload is performed before ingress traffic is allowed at startup.
lexicographically. The MAC address is part of the OID instance, so in this case, lexicographic order is according to the most significant octet.
Table 111. MIB Objects for Fetching Dynamic MAC Entries in the Forwarding Database
MIB Object | OID | MIB | Description
dot1dTpFdbTable | .1.3.6.1.2.1.17.4.3 | Q-BRIDGE MIB | List the learned unicast MAC addresses on the default VLAN.
dot1qTpFdbTable | .1.3.6.1.2.1.17.7.1.2.2 | Q-BRIDGE MIB | List the learned unicast MAC addresses on non-default VLANs.
Example of Deriving the Interface Index Number
If you know the interface index, use the following commands to find the interface number.
DellEMC ~ $ snmpwalk -v 2c -c public 10.16.206.127 .1.3.6.1.2.1.2.2.1.2 | grep 2097156
IF-MIB::ifDescr.2097156 = STRING: TenGigabitEthernet 1/1
DellEMC ~ $ snmpwalk -v 2c -c public 10.16.206.127 .1.3.6.1.2.1.31.1.1.1.1 | grep 2097156
IF-MIB::ifName.2097156 = STRING: TenGigabitEthernet 1/1
You can use the show interfaces command to view the interface index.
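Grepping one index at a time does not scale across the walks this chapter shows (ifDescr/ifName, entAliasMappingTable, sysUpTime, the copy-config objects). The following Python parser is an added example, not code from the Dell guide; it reads net-snmp varbind lines in the formats printed above and builds the ifIndex-to-name and entPhysicalIndex-to-ifIndex maps. The sample lines are constructed from the formats shown on the page.

```python
"""Parse net-snmp snmpwalk/snmpget output lines (added example, not Dell's code).

Sample lines below are constructed in the formats the guide shows.
"""
import re
from typing import Dict, Iterable, Optional, Tuple, Union

Value = Union[int, str]

# net-snmp prints one varbind per line: <oid> = <TYPE>: <value>
_LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?:(?P<type>[A-Za-z0-9-]+):\s*)?(?P<value>.*)$")
_NUM_RE = re.compile(r"(?:\w+\()?(-?\d+)\)?")   # "48" or an enum such as "runningConfig(2)"
_TICKS_RE = re.compile(r"\((\d+)\)")             # "(32852616) 3 days, 19:15:26.16"


def parse_varbind(line: str) -> Optional[Tuple[str, str, Value]]:
    """Return (oid, type, value) for one output line, or None if it is not a varbind."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    oid, typ = m.group("oid"), m.group("type") or ""
    raw = m.group("value").strip()
    value: Value = raw
    if typ in ("INTEGER", "Counter32", "Counter64", "Gauge32"):
        n = _NUM_RE.fullmatch(raw)
        value = int(n.group(1)) if n else raw
    elif typ == "Timeticks":
        t = _TICKS_RE.match(raw)
        value = int(t.group(1)) if t else raw    # hundredths of a second
    elif typ == "STRING":
        value = raw.strip('"')                   # net-snmp quotes some strings, not all
    return oid, typ, value


def last_subid(oid: str) -> int:
    """Final sub-identifier of an OID, numeric or MIB-named (e.g. ifDescr.2097156)."""
    return int(oid.rstrip(".").rsplit(".", 1)[-1])


def ifindex_names(lines: Iterable[str]) -> Dict[int, str]:
    """ifIndex -> interface name from an ifDescr or ifName walk."""
    names: Dict[int, str] = {}
    for line in lines:
        vb = parse_varbind(line)
        if vb and vb[1] == "STRING":
            names[last_subid(vb[0])] = str(vb[2])
    return names


def ent_alias_map(lines: Iterable[str]) -> Dict[int, int]:
    """entPhysicalIndex -> ifIndex from an entAliasMappingTable walk.

    The instance is <entPhysicalIndex>.<logical index or 0>; the value is an
    ifIndex OID whose final sub-identifier is the ifIndex.
    """
    mapping: Dict[int, int] = {}
    for line in lines:
        vb = parse_varbind(line)
        if vb and vb[1] == "OID":
            phys = int(vb[0].rsplit(".", 2)[-2])
            mapping[phys] = last_subid(str(vb[2]))
    return mapping


# Constructed sample output in the formats the guide shows.
IFDESCR_LINES = [
    "IF-MIB::ifDescr.2097156 = STRING: TenGigabitEthernet 1/1",
    "IF-MIB::ifDescr.2097668 = STRING: TenGigabitEthernet 1/2",
]
ENT_ALIAS_LINES = [
    ".1.3.6.1.2.1.47.1.3.2.1.2.5.0 = OID: .1.3.6.1.2.1.2.2.1.1.2097157",
    ".1.3.6.1.2.1.47.1.3.2.1.2.9.0 = OID: .1.3.6.1.2.1.2.2.1.1.2097669",
]
UPTIME_LINE = "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (32852616) 3 days, 19:15:26.16"

if __name__ == "__main__":
    print(ifindex_names(IFDESCR_LINES))
    print(ent_alias_map(ENT_ALIAS_LINES))
    print(parse_varbind(UPTIME_LINE))
```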
router bgp 100
 address-family ipv4 vrf vrf1
  snmp context context1
  neighbor 20.1.1.1 remote-as 200
  neighbor 20.1.1.1 no shutdown
 exit-address-family
 address-family ipv4 vrf vrf2
  snmp context context2
  timers bgp 30 90
  neighbor 30.1.1.1 remote-as 200
  neighbor 30.1.1.1 no shutdown
 exit-address-family
To map the context to a VRF instance for SNMPv3, follow these steps:
1. Create a community and map a VRF to it. Create a context and map the context and community to a community map.
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state to down: Gi 1/1"
2010-02-10 14:22:39 10.16.130.4 [10.16.130.4]: SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500842) 23:36:48.42 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown IF-MIB::ifIndex.1107755009 = INTEGER: 1107755009 SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state to down: Po 1"
2010-02-10 14:22:40 10.16.130.4 [10.16.130.4]: SNMPv2-MIB::sysUpTime.
Following is the sample audit log message that other syslog servers that are reachable receive:
Oct 21 00:46:13: dv-fedgov-s4810-6: %EVL-6-NOT_REACHABLE:Syslog server 10.11.226.121 (port: 9140) is not reachable
The following example shows the SNMP trap that is sent when connectivity to the syslog server is resumed:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10230) 0:01:42.30
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.6027.3.30.1.1.2
SNMPv2-SMI::enterprises.6027.3.30.1.
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.17.2113540 = STRING: "3.286000"
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.18.2113540 = STRING: "7.530000"
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.19.2113540 = ""
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.20.2113540 = ""
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.21.2113540 = ""
Table 114. SNMP OIDs for Transceiver Monitoring
Field (OID) | Description
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.1 | Device Name
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.
router-id 10.10.10.
49 Stacking
Using the Dell EMC Networking OS stacking feature, you can interconnect multiple switch units with stacking ports or front end user ports. The stack becomes manageable as a single switch through the stack management unit. The system accepts Unit ID numbers from 1 to 6 and it supports stacking up to six units.
Stack Master Election
The stack elects a master and standby unit at bootup time based on two criteria.
● Unit priority — User-configurable. The range is from 1 to 14. A higher value (14) means a higher priority. The default is 0. By removing the stack-unit priority using the no stack-unit priority command, you can set the priority back to the default value of zero. The unit with the highest priority is elected the master management unit; the unit with the second highest priority is elected the standby unit.
NOTE: If the removed management unit is brought up as a standalone unit or as part of a different stack, there is a possibility of MAC address collisions. A standalone is added to a stack. The standalone and the master unit have the same priority, but the standalone has a lower MAC address, so the standalone reboots. In the second example, a standalone is added to a stack. The standalone has a higher priority than the stack, so the stack (excluding the new unit) reloads.
2 Management online S3048-ON S3048-ON 9.8(0.0P2) 52
3 Member not present
4 Member not present
5 Member not present
6 Member not present
Stacking LAG
When multiple links are used between stack units, Dell EMC Networking OS automatically bundles them in a stacking LAG to provide aggregated throughput and redundancy.
Example of Stack Manager Redundancy
DellEMC#show redundancy
-- Stack-unit Status --
------------------------------------------------
Mgmt ID: 1
Stack-unit ID: 1
Stack-unit Redundancy Role: Primary
Stack-unit State: Active
Stack-unit SW Version: 9.8(0.
start Start shell
telnet-peer-stack-unit Open a telnet connection to the peer stack-unit
terminal Set terminal line parameters
upload Upload file
Dell(standby)#
-----------------CONSOLE ACCESS ON A MEMBER---------------------------
Dell(stack-member-1)#?
reset-self Reset this unit alone
show Show running system information
You can connect two units with two or more stacking cables in case of a stacking port or cable failure. Removal of only one of the cables does not trigger a reset.
○ Stack-group 0 corresponds to port 49, stack-group 1 corresponds to port 50, and so on through stack-group 3.
Figure 115. Stack-Group Assignments
You can connect the units while they are powered down or up. Stacking ports are bi-directional. When a unit is added to a stack, the management unit performs a system check on the new unit to ensure the hardware type is compatible. A similar check is performed on the Dell EMC Networking OS version.
The new unit synchronizes its running and startup configurations with the stack.
4. After the units are reloaded, the system reboots. The units come up in a stack after the reboot completes. To view the port assignments, use the show system stack-unit command.
Creating a New Stack
Prior to creating a stack, know which unit will be the management unit and which will be the standby unit. Enable the front ports of the units for stacking. For more information, refer to Enabling Front End Port Stacking.
stacking ports. Please save and reload for config to take effect
DellEMC(conf)#
DellEMC#02:39:18: %STKUNIT4-M:CP %SYS-5-CONFIG_I: Configured from console
Reload each unit in the stack. After the reload is complete, the four units come up as a stack with unit 1 as the management unit, unit 2 as the standby unit, and the remaining units as stack-members. All units in the stack can be accessed from the management unit.
--------------------------------------------------------1/50 2/49 10 up up Add Units to an Existing Stack You can add units to an existing stack in one of three ways. ● By manually assigning a new unconfigured unit a position in an existing stack. ● By adding a configured unit to an existing stack. ● By merging two stacks.
The following example shows adding a stack unit with a conflicting stack number (after).
● If the stack has been provisioned for the stack number that is assigned to the new unit, the pre-configured provisioning must match the switch type. If there is a conflict between the provisioned switch type and the new unit, a mismatch error message is displayed.
Merge Two Stacks
You may merge two stacks while they are powered and online. To merge two stacks, connect one stack to the other using user port cables from the front end user ports, or using the mini-SAS cables from the stacking ports.
Renumbering the stack manager triggers the whole stack to reload, as shown in the message below. When the stack comes back online, the master unit remains the management unit.
Dell#stack-unit 2 renumber 1
Renumbering master unit will reload the stack.
WARNING: Interface configuration for current unit will be lost!
Proceed to renumber [confirm yes/no]: yes
Creating a Virtual Stack Unit on a Stack
Use virtual stack units to configure ports on the stack before adding a new unit.
● Create a virtual stack unit.
3 1 up AC up 8064
3 2 absent absent 0
-- Fan Status --
Unit Bay TrayStatus Fan1 Speed
------------------------------------------------------------
3 1 up up 18000
3 2 up up 18000
3 3 down
Speed in RPM
DellEMC#
The following is an example of the show system brief command to view the stack summary information.
● you disconnect the management unit from the stack.
When the management unit fails, the unit disappears from the stack topology. At that time, the standby unit detects the communication loss and switches from the standby unit role to the management unit role in the stack. From the remaining units in the stack, the system selects a new standby unit based on the unit priority using the same algorithm used when the stack was initially created.
● Solid green indicates the unit is the stack master (management unit).
Displaying the Status of Stacking Ports
To display the status of the stacking ports, including the topology, use the following command.
● Display the stacking ports.
DellEMC#
The following example shows three switches stacked together in a daisy chain topology.
Stack MAC : 00:21:22:23:24:25
Reload-Type : normal-reload [Next boot : normal-reload]
-- Stack Info --
Unit UnitType Status ReqTyp CurTyp Version Ports
------------------------------------------------------------------------------------
1 Standby online S3048-ON S3048-ON 9.8(0.0P2) 52
2 Management online S3048-ON S3048-ON 9.8(0.
and power-cycle the stack.
---------------------STANDBY UNIT--------------------------------
10:55:18: %STKUNIT1-M:CP %KERN-2-INT: Error: Stack Port 50 has flapped 5 times within 10 seonds.Shutting down this stack port now.
10:55:18: %STKUNIT1-M:CP %KERN-2-INT: Error: Please check the stack cable/module and power-cycle the stack.
---------------------MEMBER 2-----------------------------------
Error: Stack Port 51 has flapped 5 times within 10 seconds.Shutting down this stack port now.
50 Storm Control
Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell EMC Networking Operating System (OS) Behavior: Dell EMC Networking OS supports unknown-unicast, multicast, and broadcast control for Layer 2 and Layer 3 traffic.
Dell EMC Networking OS Behavior: The minimum number of packets per second (PPS) that storm control can limit on the device is two.
storm-control broadcast packets_per_second in
● Configure the packets per second of multicast traffic allowed on a C-Series or S-Series interface (ingress only) network only.
INTERFACE mode
storm-control multicast packets_per_second in
● Shut down the port if it receives PFC/LLFC packets at more than the configured rate.
INTERFACE mode
storm-control pfc-llfc pps in shutdown
NOTE: A PFC/LLFC storm control enabled interface is disabled if it receives continuous PFC/LLFC packets.
51 Spanning Tree Protocol (STP)
The spanning tree protocol (STP) is supported on Dell EMC Networking OS.
● Modifying Global Parameters
● Modifying Interface STP Parameters
● Enabling PortFast
● Prevent Network Disruptions with BPDU Guard
● STP Root Guard
● Enabling SNMP Traps for Root Elections and Topology Changes
● Configuring Spanning Trees as Hitless
Important Points to Remember
● STP is disabled by default.
● The Dell EMC Networking OS supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+).
Configuring Interfaces for Layer 2 Mode
All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled.
Figure 116. Example of Configuring Interfaces for Layer 2 Mode
To configure and enable the interfaces for Layer 2, use the following commands.
1. If the interface has been assigned an IP address, remove it.
INTERFACE mode
no ip address
2. Place the interface in Layer 2 mode.
INTERFACE mode
switchport
3. Enable the interface.
no shutdown
DellEMC(conf-if-gi-1/1)#
Enabling Spanning Tree Protocol Globally
Enable the spanning tree protocol globally; it is not enabled by default. When you enable STP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the Spanning Tree topology.
● Only one path from any bridge to any other bridge participating in STP is enabled.
● Bridges block a redundant path by disabling one of the link ports.
Figure 117.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
R2#show spanning-tree 0
Executing IEEE compatible Spanning Tree Protocol
Bridge Identifier has priority 32768, address 0001.e826.ddb7
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32768, address 0001.e80d.
Modifying Global Parameters
You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP.
NOTE: Dell EMC Networking recommends that only experienced network administrators change the spanning tree parameters. Poorly planned modification of the spanning tree parameters can negatively affect network performance.
The following table displays the default values for STP.
Table 116.
Modifying Interface STP Parameters
You can set the port cost and port priority values of interfaces in Layer 2 mode.
● Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
● Port priority — influences the likelihood that a port is selected to be a forwarding port in case several ports have the same port cost.
The default values are listed in Modifying Global Parameters.
Prevent Network Disruptions with BPDU Guard
Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/Edgeport (edgeports) do not expect to receive BPDUs. If an edgeport does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
Figure 118. Enabling BPDU Guard
Dell EMC Networking OS Behavior
BPDU guard:
● is used on edgeports and blocks all traffic on the edgeport if it receives a BPDU.
● drops the BPDU after it reaches the RP and generates a console message.
Example of Blocked BPDUs
DellEMC(conf-if-gi-1/7)#do show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 0001.e805.fb07
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32768, Address 0001.e85d.
Selecting STP Root
The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command.
● Assign a number as the bridge priority or designate it as the root or secondary root.
Figure 119. STP Root Guard Prevents Bridging Loops
Configuring Root Guard
Enable STP root guard on a per-port or per-port-channel basis.
Dell EMC Networking OS Behavior: The following conditions apply to a port enabled with STP root guard:
● Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
To disable STP root guard on a port or port-channel interface, use the no spanning-tree 0 rootguard command in an interface configuration mode. To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in a global configuration mode.
Enabling SNMP Traps for Root Elections and Topology Changes
To enable SNMP traps individually or collectively, use the following commands.
As soon as a BPDU is received on an STP port in a Loop-Inconsistent state, the port returns to a blocking state. If you disable STP loop guard on a port in a Loop-Inconsistent state, the port transitions to an STP blocking state and restarts the max-age timer.
Figure 120. STP Loop Guard Prevents Forwarding Loops
Configuring Loop Guard
Enable STP loop guard on a per-port or per-port channel basis.
○ If a BPDU is received from a remote device, BPDU guard places the port in an Err-Disabled Blocking state and no traffic is forwarded on the port.
○ If no BPDU is received from a remote device, loop guard places the port in a Loop-Inconsistent Blocking state and no traffic is forwarded on the port.
● When used in a PVST+ network, STP loop guard is performed per-port or per-port channel at a VLAN level.
52 SupportAssist
SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell EMC Networking device. For more information on SmartScripts, see the Dell EMC Networking Open Automation guide.
Figure 121.
Enable the SupportAssist service.
CONFIGURATION mode
support-assist activate
DellEMC(conf)#support-assist activate
This command guides you through steps to configure SupportAssist.
Configuring SupportAssist Manually
To manually configure the SupportAssist service, use the following commands.
1. Accept the end-user license agreement (EULA).
CONFIGURATION mode
eula-consent {support-assist} {accept | reject}
NOTE: Once accepted, you do not have to accept the EULA again.
CONFIGURATION mode
support-assist
DellEMC(conf)#support-assist
DellEMC(conf-supportassist)#
3. (Optional) Configure the contact information for the company.
SUPPORTASSIST mode
contact-company name {company-name}[company-next-name] ... [company-next-name]
DellEMC(conf)#support-assist
DellEMC(conf-supportassist)#contact-company name test
DellEMC(conf-supportassist-cmpy-test)#
4. (Optional) Configure the contact name for an individual.
[no] activity {full-transfer|core-transfer|event-transfer}
DellEMC(conf-supportassist)#activity full-transfer
DellEMC(conf-supportassist-act-full-transfer)#
DellEMC(conf-supportassist)#activity core-transfer
DellEMC(conf-supportassist-act-core-transfer)#
DellEMC(conf-supportassist)#activity event-transfer
DellEMC(conf-supportassist-act-event-transfer)#
2. Copy an action-manifest file for an activity to the system.
SUPPORTASSIST ACTIVITY mode
[no] enable
DellEMC(conf-supportassist-act-full-transfer)#enable
DellEMC(conf-supportassist-act-full-transfer)#
DellEMC(conf-supportassist-act-core-transfer)#enable
DellEMC(conf-supportassist-act-core-transfer)#
DellEMC(conf-supportassist-act-event-transfer)#enable
DellEMC(conf-supportassist-act-event-transfer)#

Configuring SupportAssist Company

SupportAssist Company mode allows you to configure the name, address, and territory information of the company.
[no] contact-person [first ] last
DellEMC(conf-supportassist)#contact-person first john last doe
DellEMC(conf-supportassist-pers-john_doe)#
2. Configure the email addresses to reach the contact person.
SUPPORTASSIST PERSON mode
[no] email-address primary email-address [alternate email-address]
DellEMC(conf-supportassist-pers-john_doe)#email-address primary jdoe@mycompany.com
DellEMC(conf-supportassist-pers-john_doe)#
3. Configure phone numbers of the contact person.
[no] enable
DellEMC(conf-supportassist-serv-default)#enable
DellEMC(conf-supportassist-serv-default)#
4. Configure the URL to reach the SupportAssist remote server.
SUPPORTASSIST SERVER mode
[no] url uniform-resource-locator
DellEMC(conf-supportassist-serv-default)#url https://192.168.1.1/index.htm
DellEMC(conf-supportassist-serv-default)#

Viewing SupportAssist Configuration

To view the SupportAssist configurations, use the following commands:
1.
!
server Dell
enable
url http://1.1.1.1:1337
DellEMC#
3. Display the EULA for the feature.
EXEC Privilege mode
show eula-consent {support-assist | other feature}
DellEMC#show eula-consent support-assist
SupportAssist EULA has been: Accepted
Additional information about the SupportAssist EULA is as follows:
By installing SupportAssist, you allow Dell to save your contact information (e.g.
53 System Time and Date

System time and date settings and the network time protocol (NTP) are supported on Dell EMC Networking OS. You can set system times and dates and maintain them through NTP. They are also set through the Dell EMC Networking Operating System (OS) command line interface (CLI) and hardware settings. The Dell EMC Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Protocol Overview

The NTP client sends messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode.
DellEMC#show ntp status
Clock is synchronized, stratum 4, reference is 10.16.151.117, vrf-id is 0
frequency is -44.862 ppm, stability is 0.050 ppm, precision is -18
reference time deeef7ef.85eeaa10 Tue, Jul 10 2018 9:16:31.523 UTC
clock offset is -0.167449 msec, root delay is 149.194 msec
root dispersion is 54.557 msec, peer dispersion is 0.
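The reference time field above is a raw 64-bit NTP timestamp (hex seconds since 1900 and a hex binary fraction) printed next to its human-readable form. The following Python is an added example, not code from the Dell EMC guide: it decodes the timestamp, checks that it agrees with the printed time, and applies a simple health policy (synchronized, sane stratum, offset under the 128 ms default step threshold the guide mentions) of the kind an operator scripts before trusting a switch's clock for log correlation. The sample output is constructed from the format shown above and the policy thresholds are assumptions.

```python
"""Decode and sanity-check the NTP fields shown by `show ntp status`.

Added example; it is not part of the Dell EMC guide. The "reference time"
field carries a 64-bit NTP timestamp as two 32-bit hex words: seconds since
1900-01-01 UTC and a binary fraction of a second. Thresholds are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Constructed sample in the format of the show ntp status output above.
SAMPLE_STATUS = """\
Clock is synchronized, stratum 4, reference is 10.16.151.117, vrf-id is 0
frequency is -44.862 ppm, stability is 0.050 ppm, precision is -18
reference time deeef7ef.85eeaa10 Tue, Jul 10 2018 9:16:31.523 UTC
clock offset is -0.167449 msec, root delay is 149.194 msec
root dispersion is 54.557 msec, peer dispersion is 0.000 msec
"""


def ntp_to_datetime(ts: str) -> datetime:
    """Convert 'ssssssss.ffffffff' (hex seconds . hex fraction) to a UTC datetime."""
    secs_hex, frac_hex = ts.split(".")
    seconds = int(secs_hex, 16) + int(frac_hex, 16) / 2 ** 32
    return NTP_EPOCH + timedelta(seconds=seconds)


def parse_ntp_status(text: str) -> dict:
    """Extract the fields a time-source audit needs from show ntp status output."""
    info = {}
    m = re.search(r"Clock is (\w+), stratum (\d+), reference is ([\d.]+)", text)
    if m:
        info["state"], info["stratum"], info["reference"] = m.group(1), int(m.group(2)), m.group(3)
    m = re.search(r"reference time ([0-9a-f]{8}\.[0-9a-f]{8}) (.+?) UTC", text)
    if m:
        info["reference_ts"] = m.group(1)
        info["reference_dt"] = ntp_to_datetime(m.group(1))
        # the printed wall-clock time beside the hex timestamp
        info["printed_dt"] = datetime.strptime(
            m.group(2), "%a, %b %d %Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    m = re.search(r"clock offset is (-?[\d.]+) msec", text)
    if m:
        info["offset_msec"] = float(m.group(1))
    return info


def reference_time_consistent(info: dict, tolerance_msec: float = 1.0) -> bool:
    """True when the decoded hex timestamp agrees with the printed wall-clock time."""
    delta = info["reference_dt"] - info["printed_dt"]
    return abs(delta.total_seconds()) * 1000 <= tolerance_msec


def time_source_healthy(info: dict, max_stratum: int = 15,
                        max_offset_msec: float = 128.0) -> bool:
    """Assumed policy: synchronized, stratum within bounds, offset below the
    128 ms default step threshold, and a self-consistent reference time."""
    return (info.get("state") == "synchronized"
            and info.get("stratum", 16) <= max_stratum
            and abs(info.get("offset_msec", float("inf"))) <= max_offset_msec
            and reference_time_consistent(info))


if __name__ == "__main__":
    status = parse_ntp_status(SAMPLE_STATUS)
    print(status["reference_dt"].isoformat(), "healthy:", time_source_healthy(status))
```

For the sample line, deeef7ef seconds since 1900 decodes to 2018-07-10 09:16:31 UTC and the fraction 85eeaa10 to about .523, matching the printed value to within a millisecond.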
○ For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
○ For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
○ For the Management interface, enter the keyword ManagementEthernet then the slot/port information.
○ For a port channel interface, enter the keywords port-channel then a number.
○ minpoll polling-interval: Enter the minpoll value. The range is from 4 to 16.
○ maxpoll polling-interval: Enter the maxpoll value. The range is from 4 to 16.
5. Configure the switch as NTP master.
CONFIGURATION mode
ntp master
To configure the switch as an NTP server, use the ntp master command. The stratum number identifies the NTP server's level in the hierarchy. The following example shows configuring an NTP server.
Dell EMC(conf)#show running-config ntp
!
ntp master
ntp server 10.16.127.
● Originate Timestamp: The departure time on the server of its last NTP message. If the server becomes unreachable, the value is set to zero.
● Receive Timestamp: The arrival time on the client of the last NTP message from the server. If the server becomes unreachable, the value is set to zero.
● Transmit Timestamp: The departure time on the server of the current NTP message from the sender.
● Filter dispersion: The error in calculating the minimum delay from a set of sample data from a peer.
Use the no ntp step-threshold command to revert to the default setting of 128 milliseconds.
DellEMC(conf)#no ntp step-threshold

Dell EMC Networking OS Time and Date

You can set the time and date using the Dell EMC Networking OS CLI.

Configuration Task List

The following is a configuration task list for configuring the time and date settings.
■ a number from 1 to 23 as the number of hours in addition to UTC for the timezone.
■ a minus sign (-) then a number from 1 to 23 as the number of hours.
DellEMC#conf
DellEMC(conf)#clock timezone Pacific -8
DellEMC(conf)#01:40:19: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Timezone configuration changed from "UTC 0 hrs 0 mins" to "Pacific -8 hrs 0 mins"
DellEMC#

Set Daylight Saving Time

Dell EMC Networking OS supports setting the system to daylight saving time once or on a recurring basis every year.
clock summer-time time-zone recurring start-week start-day start-month start-time end-week end-day end-month end-time [offset]
○ time-zone: Enter the three-letter name for the time zone. This name displays in the show clock output.
○ start-week: (OPTIONAL) Enter one of the following as the week that daylight saving begins and then enter values for start-day through end-time:
■ week-number: Enter a number from 1 to 4 as the number of the week in the month to start daylight saving time.
54 Tunneling

Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, PATH MTU transmission, and fragmented packets are not supported.
The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic):
DellEMC(conf)#interface tunnel 3
DellEMC(conf-if-tu-3)#tunnel source 5::5
DellEMC(conf-if-tu-3)#tunnel destination 8::9
DellEMC(conf-if-tu-3)#tunnel mode ipv6
DellEMC(conf-if-tu-3)#ip address 3.1.1.1/24
DellEMC(conf-if-tu-3)#ipv6 address 3::1/64
DellEMC(conf-if-tu-3)#no shutdown
DellEMC(conf-if-tu-3)#show config
!
interface Tunnel 3
ip address 3.1.1.
no shutdown
DellEMC(conf)#interface tunnel 1
DellEMC(conf-if-tu-1)#ip unnumbered gigabitethernet 1/1
DellEMC(conf-if-tu-1)#ipv6 unnumbered gigabitethernet 1/1
DellEMC(conf-if-tu-1)#tunnel source 40.1.1.1
DellEMC(conf-if-tu-1)#tunnel mode ipip decapsulate-any
DellEMC(conf-if-tu-1)#no shutdown
DellEMC(conf-if-tu-1)#show config
!
interface Tunnel 1
ip unnumbered GigabitEthernet 1/1
ipv6 unnumbered GigabitEthernet 1/1
tunnel source 40.1.1.
no shutdown
55 Uplink Failure Detection (UFD)

Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link.
Figure 123. Uplink Failure Detection

How Uplink Failure Detection Works

UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 124. Uplink Failure Detection Example

If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. This number is configurable and is calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
● If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with a UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
UPLINK-STATE-GROUP mode
downstream auto-recover
By default, auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command.
5. (Optional) Enter a text description of the uplink-state group.
UPLINK-STATE-GROUP mode
description text
The maximum length is 80 alphanumeric characters.
6. (Optional) Disable upstream-link tracking without deleting the uplink-state group.
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 3/52
02:38:31 : UFD: Group:3, UplinkState: UP
02:38:31: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Changed uplink state group state to up: Group 3
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error-disabled: Te 3/49
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error-disabled: Te 3/50
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error-disabled: Te 3/51
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error-disabled: Fo 3/52
Uplink State Group : 1 Status: Enabled, Up
Upstream Interfaces :
Downstream Interfaces :
Uplink State Group : 3 Status: Enabled, Up
Upstream Interfaces : Gi 1/6(Up) Gi 1/7(Up)
Downstream Interfaces : Gi 3/1(Up) Gi 3/3(Up) Gi 3/5(Up) Gi 3/6(Up)
Uplink State Group : 5 Status: Enabled, Down
Upstream Interfaces : Gi 1/1(Dwn) Gi 1/3(Dwn) Gi 1/5(Dwn)
Downstream Interfaces : Gi 3/2(Dis) Gi 3/4(Dis) Gi 3/11(Dis) Gi 3/12(Dis) Gi 3/13(Dis) Gi 3/14(Dis) Gi 3/15(Dis)
Uplink State Group : 6
Upstream Interfaces :
Downs
downstream GigabitEthernet 1/1, 3, 5, 7-10
upstream gigabitEthernet 1/16, 20
DellEMC(conf-uplink-state-group-16)# show configuration
!
uplink-state-group 16
no enable
description test
downstream disable links all
downstream GigabitEthernet 1/21
upstream GigabitEthernet 1/22
upstream Port-channel 8

Sample Configuration: Uplink Failure Detection

The following example shows a sample configuration of UFD on a switch/router in which you configure as follows.
● Configure uplink-state group 3.
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled
Uplink State Group : 3 Status: Enabled, Up
Upstream Interfaces : Gi 1/3(Up) Gi 1/4(Dwn)
Downstream Interfaces : Gi 1/1(Dis) Gi 1/2(Dwn) Gi 1/5(Dwn) Gi 1/9(Dwn) Gi 1/11(Dwn) Gi 1/12(Dwn)
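To make the rules in "How Uplink Failure Detection Works" concrete, the following Python is an added example, not Dell's implementation: a small model of one uplink-state group that applies the stated behaviour (an upstream failure disables either all downstream ports or a number derived from the upstream-to-downstream bandwidth ratio, lowest-numbered port first; the group is Down and every downstream port is disabled when all upstreams are down; with auto-recover, ports are released as upstreams return). The port names, bandwidths, and the exact ratio arithmetic (lost upstream bandwidth consumed from the downstream side) are assumptions for illustration; the real switch derives the count in its own way.

```python
"""Model of the uplink-state-group rules described in the UFD section.

Added example; not Dell's code. It simulates the behaviour the text states
so the ordering and ratio rules can be seen on sample groups. Port names,
bandwidths and the ratio arithmetic are assumptions.
"""
from dataclasses import dataclass, field


def port_key(name: str):
    """Sort key so 'Gi 1/10' orders after 'Gi 1/9' (slot, port as integers)."""
    slot, port = name.split()[1].split("/")
    return int(slot), int(port)


@dataclass
class UplinkStateGroup:
    upstream: dict              # name -> bandwidth in Gbit/s (assumed values)
    downstream: dict            # name -> bandwidth in Gbit/s (assumed values)
    disable_all: bool = True    # models 'downstream disable links all'
    auto_recover: bool = True   # models 'downstream auto-recover'
    upstream_up: dict = field(default_factory=dict)
    disabled: set = field(default_factory=set)

    def __post_init__(self):
        for name in self.upstream:
            self.upstream_up.setdefault(name, True)

    def status(self) -> str:
        """Group is Down only when every tracked upstream interface is down."""
        return "Up" if any(self.upstream_up.values()) else "Down"

    def _ports_to_disable(self):
        failed = [n for n, up in self.upstream_up.items() if not up]
        ordered = sorted(self.downstream, key=port_key)   # lowest-numbered first
        if not failed:
            return []
        if self.disable_all or len(failed) == len(self.upstream):
            return ordered
        # Ratio rule (assumed arithmetic): the bandwidth of the failed
        # upstream links is removed from the downstream side, in port order.
        budget = sum(self.upstream[n] for n in failed)
        chosen = []
        for name in ordered:
            if budget < self.downstream[name]:
                break
            budget -= self.downstream[name]
            chosen.append(name)
        return chosen

    def set_upstream(self, name: str, up: bool):
        """Apply an upstream link-state change; return the sorted UFD-disabled ports."""
        if name not in self.upstream:
            raise KeyError(name)
        self.upstream_up[name] = up
        target = set(self._ports_to_disable())
        if self.auto_recover:
            self.disabled = target
        else:
            self.disabled |= target   # without auto-recover, ports stay disabled
        return sorted(self.disabled, key=port_key)


if __name__ == "__main__":
    group = UplinkStateGroup(upstream={"Gi 1/6": 40, "Gi 1/7": 40},
                             downstream={f"Gi 3/{p}": 10 for p in (1, 3, 5, 6, 11)},
                             disable_all=False)
    print(group.set_upstream("Gi 1/6", False), group.status())
```

With two assumed 40 Gbit/s upstreams and five 10 Gbit/s downstreams, losing one upstream disables the four lowest-numbered downstream ports, losing both disables all five and marks the group Down, and recovery reverses the steps in the same order.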
56 Upgrade Procedures To find the upgrade procedures, go to the Dell EMC Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell EMC Networking OS version. To upgrade your system type, follow the procedures in the Dell EMC Networking OS Release Notes. You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.
57 Virtual LANs (VLANs)

Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN.
● Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN.
● The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes).
● Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved.
NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes specified in the IEEE 802.3 standard. Some devices that are not compliant with IEEE 802.3 may not support the larger frame size.
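The two tag fields just described can be parsed directly from a frame. The following Python is an added example and not code from the guide: it builds constructed Ethernet frames (made-up MAC addresses, no FCS) and parses the 2-byte TPID and 2-byte TCI, splitting the TCI into PCP, DEI and the 12-bit VLAN ID, flagging the two reserved IDs (0 and 4095), and reporting when a tagged maximum-size frame exceeds the 1,518-byte IEEE 802.3 limit once the 4-byte FCS is counted. The builder exists only so the parser can be exercised offline.

```python
"""Parse the IEEE 802.1Q tag header of an Ethernet frame.

Added example, not code from the guide. After the 6-byte destination and
6-byte source MAC addresses, a tagged frame carries the 2-byte TPID 0x8100
and the 2-byte TCI (3-bit PCP, 1-bit DEI, 12-bit VLAN ID). Sample frames
and MAC addresses are constructed.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
RESERVED_VIDS = {0x000, 0xFFF}   # the two reserved VLAN ID values
FCS_LEN = 4                      # frames built here omit the trailing FCS
MAX_8023_FRAME = 1518            # IEEE 802.3 maximum, FCS included, untagged


def build_frame(dst: bytes, src: bytes, payload: bytes, vid=None, pcp=0, dei=0,
                ethertype=ETHERTYPE_IPV4) -> bytes:
    """Construct an Ethernet frame (without FCS); tagged when vid is given."""
    header = dst + src
    if vid is not None:
        if not 0 <= vid <= 0xFFF:
            raise ValueError("VLAN ID must fit in 12 bits")
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return addresses, tag fields and size checks for one frame (no FCS)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {
        "dst": frame[:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "tagged": False, "pcp": None, "dei": None, "vid": None, "vid_reserved": False,
        # a tagged max-size payload lands at 1522 bytes with the FCS, over the limit
        "exceeds_8023_max": len(frame) + FCS_LEN > MAX_8023_FRAME,
    }
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0xFFF,
                    ethertype=ethertype, payload=frame[18:])
        info["vid_reserved"] = info["vid"] in RESERVED_VIDS
    else:
        # untagged: the field after the addresses is the EtherType itself
        info.update(ethertype=tpid, payload=frame[14:])
    return info


if __name__ == "__main__":
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("02aabbccddee")
    print(parse_frame(build_frame(dst, src, bytes(1500), vid=100, pcp=5)))
```

A 1500-byte payload is 1514 bytes untagged (1518 with FCS, exactly the limit) and 1518 bytes tagged (1522 with FCS), which is the size increase the NOTE refers to.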
Assigning Interfaces to a VLAN

You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command. You can further designate these Layer 2 interfaces as tagged or untagged. For more information, see the Interfaces chapter and Configuring Layer 2 (Data Link) Mode.
When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN. If the tagged interface is removed from the only VLAN to which it belongs, the interface is placed in the Default VLAN as an untagged interface.

Moving Untagged Interfaces

To move untagged interfaces from the Default VLAN to another VLAN, use the following commands.
1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
Assigning an IP Address to a VLAN

VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces. The shutdown command in INTERFACE mode does not affect Layer 2 traffic on the interface; the shutdown command only prevents Layer 3 traffic from traversing over the interface.
NOTE: You cannot assign an IP address to the Default VLAN (VLAN 1).
Enabling Null VLAN as the Default VLAN

In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured. This presents a vulnerability because both interfaces are initially placed in the native VLAN, VLAN 1, and for that period customers are able to access each other's networks.
58 Virtual Link Trunking (VLT)

Virtual link trunking (VLT) is a Dell EMC technology that provides two Dell EMC switches the ability to function as a single switch. VLT allows physical links between two Dell EMC switches to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). As a result, the two physical switches appear as a single switch to the connected devices.
peers as a single switch, VLT eliminates STP-blocked ports. However, the two VLT devices are independent Layer2/Layer3 (L2/L3) switches for devices in the upstream network.

Figure 127. VLT providing multipath

VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches and supporting a loop-free topology. To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol.
Figure 128. Example of VLT Deployment

VLT offers the following benefits:
● Allows a single device to use a LAG across two upstream devices.
● Eliminates STP-blocked ports.
● Provides a loop-free topology.
● Uses all available uplink bandwidth.
● Provides fast convergence if either the link or a device fails.
● Optimized forwarding with virtual router redundancy protocol (VRRP).
● Provides link-level resiliency.
● Assures high availability.
● Active-Active load sharing with VRRP.
● VLT backup link — The backup link monitors the connectivity between the VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches.
● VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches.
● VLT domain — This domain includes both the VLT peer devices, VLT interconnect, and all of the port channels in the VLT connected to the attached devices.
Viewing the MAC Synchronization Between VLT Peers

You can use the following commands to verify the MAC synchronization between VLT peers:
VLT-10-PEER-1#show mac-address-table count
MAC Entries for all vlans :
Dynamic Address Count : 1007
Static Address (User-defined) Count : 1
Sticky Address Count : 0
Total Synced Mac from Peer(N): 503
Total MAC Addresses in Use: 1008
VLT-10-PEER-1#show vlt counter mac
Total MAC VLT counters
---------------------
L2 Total MAC-Address Count: 1007
VLT-10-PEER-1#show mac-addr
that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode. This example provides the highest form of resiliency, scaling, and load balancing in data center switching networks. The following example shows stacking at the access, VLT in aggregation, and Layer 3 at the core.

Figure 130. VLT on Core Switches

The aggregation layer is mostly in the L2/L3 switching/routing layer.
Figure 131. Enhanced VLT

Configure Virtual Link Trunking

VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches.

Important Points to Remember

WARNING: Do not add any VLANs to the VLT Interconnect. The VLTi interface manages VLAN tagged/untagged traffic automatically between peers. Manually adding any VLAN configuration has been shown to disrupt traffic flow.
channels to or from a VLAN.
● You can manually add or remove a VLTi port-channel to a VLAN. In case a VLTi port-channel is manually removed from a VLAN, it is added back to the VLAN after reload of the VLTi peers.
● Use the lacp ungroup member-independent command only if the system connects to nodes using bare metal provisioning (BMP) to upgrade or boot from the network.
Configuration Notes

When you configure VLT, the following conditions apply.
● With VLT, when an L3 interface is created, the local DA of that interface is added as an L2 entry pointing to the ICL interface on the peer chassis. This ensures that the L3 packets reaching the peer, by LAG hashing on ToR, get forwarded to the actual chassis via ICL and then get routed. When this interface is removed, the entry pointing to ICL on the peer chassis is deleted.
NOTE: If you configure the VLT system MAC address or VLT unit-id on only one of the VLT peer switches, the link between the VLT peer switches is not established. Each VLT peer switch must be correctly configured to establish the link between the peers.
○ If the link between the VLT peer switches is established, changing the VLT system MAC address or the VLT unit-id causes the link between the VLT peer switches to become disabled.
■ Ingress and egress QoS policies applied on VLT ports must be the same on both VLT peers.
■ Apply the same ingress and egress QoS policies on VLTi (ICL) member ports to handle failed links.
For detailed information about how to use VRRP in a VLT domain, see the following VLT and VRRP interoperability section. For information about configuring IGMP Snooping in a VLT domain, see VLT and IGMP Snooping.
can configure another peer as the Primary Peer using the VLT domain domain-id role priority priority-value command. If the VLTi link fails, the status of the remote VLT Primary Peer is checked using the backup link. If the remote VLT Primary Peer is available, the Secondary Peer disables all VLT ports to prevent loops. If all ports in the VLTi link fail or if the communication between VLTi links fails, VLT checks the backup link to determine the cause of the failure.
VLT and IGMP Snooping

When configuring IGMP Snooping with VLT, ensure the configurations on both sides of the VLT trunk are identical to get the same behavior on both sides of the trunk. When you configure IGMP snooping on a VLT node, the dynamically learned groups and multicast router ports are automatically learned on the VLT peer node.

VLT IPv6

The following features have been enhanced to support IPv6:
● VLT Sync — Entries learned on the VLT interface are synced on both VLT peers.
fa:11:22:33:44:55 .
Jun 23 17:53:17.509 UTC %STKUNIT1-M:CP %ARPMGR-6-MAC_CHANGE: IP-4-ADDRMOVE: IP address 10.20.30.40 is moved from MAC address fa:11:22:33:44:55 to MAC address fa:aa:bb:cc:dd:ee .
Jun 23 17:53:17.399 UTC %STKUNIT1-M:CP %ARPMGR-6-MAC_CHANGE: IP-4-ADDRMOVE: IP address 10.20.30.40 is moved from MAC address fa:aa:bb:cc:dd:ee to MAC address fa:11:22:33:44:55 .
Follow these steps to configure or unconfigure the Additional ARP refresh on VLTi:

Disabling Additional ARP refresh on VLTi

1.
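The IP-4-ADDRMOVE messages above are the expected side effect of the additional ARP refresh on VLTi, but the same message is what the switch logs whenever a second station starts answering for an address, so it is worth telling the two apart when reviewing logs. The following Python is an added example, not from the guide: it parses the message format shown above and reports addresses that move between MAC addresses more than a threshold of times inside a sliding time window, which separates the short burst of the VLT refresh from an address that keeps changing hands over a longer period. The log lines are constructed in the guide's format, and because syslog lines carry no year one is assumed.

```python
"""Detect IP-to-MAC binding flaps in Dell EMC Networking OS ARP manager logs.

Added example, not code from the guide. Parses %ARPMGR-6-MAC_CHANGE
IP-4-ADDRMOVE lines and flags addresses that move repeatedly within a
sliding window. Sample log lines are constructed; the year is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

ASSUMED_YEAR = 2020   # syslog lines have no year; assumption for parsing

LOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) UTC "
    r"%(?P<unit>[^ ]+) %ARPMGR-6-MAC_CHANGE: IP-4-ADDRMOVE: "
    r"IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is moved from MAC address "
    r"(?P<old>[0-9a-f:]{17}) to MAC address (?P<new>[0-9a-f:]{17})"
)

# Constructed sample: one address flapping in a burst, one single move,
# one slow back-and-forth, and an unrelated interface message.
SAMPLE_LOG = """\
Jun 23 17:53:17.399 UTC %STKUNIT1-M:CP %ARPMGR-6-MAC_CHANGE: IP-4-ADDRMOVE: IP address 10.20.30.40 is moved from MAC address fa:11:22:33:44:55 to MAC address fa:aa:bb:cc:dd:ee .
Jun 23 17:53:17.509 UTC %STKUNIT1-M:CP %ARPMGR-6-MAC_CHANGE: IP-4-ADDRMOVE: IP address 10.20.30.40 is moved from MAC address fa:aa:bb:cc:dd:ee to MAC address fa:11:22:33:44:55 .
Jun 23 17:53:18.101 UTC %STKUNIT1-M:CP %ARPMGR-6-MAC_CHANGE: IP-4-ADDRMOVE: IP address 10.20.30.40 is moved from MAC address fa:11:22:33:44:55 to MAC address fa:aa:bb:cc:dd:ee .
Jun 23 17:53:18.240 UTC %STKUNIT1-M:CP %ARPMGR-6-MAC_CHANGE: IP-4-ADDRMOVE: IP address 10.20.30.40 is moved from MAC address fa:aa:bb:cc:dd:ee to MAC address fa:11:22:33:44:55 .
Jun 23 17:55:02.000 UTC %STKUNIT1-M:CP %ARPMGR-6-MAC_CHANGE: IP-4-ADDRMOVE: IP address 10.20.30.50 is moved from MAC address fa:00:00:00:00:01 to MAC address fa:00:00:00:00:02 .
Jun 23 17:58:00.000 UTC %STKUNIT1-M:CP %ARPMGR-6-MAC_CHANGE: IP-4-ADDRMOVE: IP address 10.20.30.60 is moved from MAC address fa:00:00:00:00:03 to MAC address fa:00:00:00:00:04 .
Jun 23 18:03:00.000 UTC %STKUNIT1-M:CP %ARPMGR-6-MAC_CHANGE: IP-4-ADDRMOVE: IP address 10.20.30.60 is moved from MAC address fa:00:00:00:00:04 to MAC address fa:00:00:00:00:03 .
Jun 23 18:08:00.000 UTC %STKUNIT1-M:CP %ARPMGR-6-MAC_CHANGE: IP-4-ADDRMOVE: IP address 10.20.30.60 is moved from MAC address fa:00:00:00:00:03 to MAC address fa:00:00:00:00:04 .
Jun 23 18:08:00.000 UTC %STKUNIT1-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Gi 1/1
"""


def parse_events(text: str) -> list:
    """Return one dict per IP-4-ADDRMOVE line; other messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['stamp']}", "%Y %b %d %H:%M:%S.%f")
        events.append({"ts": ts, "ip": m["ip"], "old": m["old"], "new": m["new"]})
    return events


def find_flapping(events: list, window_seconds: int = 60, min_moves: int = 3) -> dict:
    """IP -> {'moves_in_window', 'macs'} for IPs with >= min_moves moves in any window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i in range(len(evs)):          # sliding window over sorted moves
            j = i
            while j < len(evs) and (evs[j]["ts"] - evs[i]["ts"]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        if best >= min_moves:
            macs = sorted({e["old"] for e in evs} | {e["new"] for e in evs})
            flagged[ip] = {"moves_in_window": best, "macs": macs}
    return flagged


if __name__ == "__main__":
    for ip, detail in find_flapping(parse_events(SAMPLE_LOG)).items():
        print(ip, detail)
```

With the default 60-second window only 10.20.30.40 is reported; widening the window to an hour also catches the slow alternation of 10.20.30.60, which is the tuning knob to set according to how often the VLTi refresh legitimately fires on a given deployment.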
Figure 132. PIM-Sparse Mode Support on VLT

On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
If the VLT node elected as the designated router fails and you enable VLT Multicast Routing, multicast routes are synced to the other peer for traffic forwarding to ensure minimal traffic loss. If you did not enable VLT Multicast Routing, traffic loss occurs until the other VLT peer is selected as the DR.

VLT Routing

VLT Routing refers to the ability to run a dynamic routing protocol within a single VLT domain or between VLT domains (mVLT).
If you enable peer routing, a VLT node acts as a proxy gateway for its connected VLT peer as shown in the image below. Even though the gateway address of the packet is different, Peer-1 routes the packet to its destination on behalf of Peer-2 to avoid sub-optimal routing.

Figure 134. Packets with peer routing enabled

Benefits of Peer Routing

● Avoids sub-optimal routing
● Reduces latency by avoiding another hop in the traffic path.
Configuring VLT Unicast

To enable and configure VLT unicast, follow these steps.
1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
CONFIGURATION mode
vlt domain domain-id
2. Enable peer-routing.
VLT DOMAIN mode
peer-routing
3. Configure the peer-routing timeout.
VLT DOMAIN mode
peer-routing-timeout value
value: Specify a value (in seconds) from 1 to 65535. The default value is infinity (without configuring the timeout).
3. Configure the multicast peer-routing timeout.
VLT DOMAIN mode
multicast peer-routing-timeout value
value: Specify a value (in seconds) from 1 to 1200.
NOTE: Reduce the multicast peer-routing-timeout value to 10 seconds to clear the (S,G) entry in mroute in the primary VLT peer. Also, the MLD leave packet must be sent after the unicast route convergence.
4. Configure a PIM-SM compatible VLT node as a designated router (DR). For more information, refer to Configuring a Designated Router.
5.
Sample RSTP configuration

The following is a sample of an RSTP configuration:
Using the example shown in the Overview section as a sample VLT topology, the primary VLT switch sends BPDUs to an access device (switch or server) with its own RSTP bridge ID. BPDUs generated by an RSTP-enabled access device are only processed by the primary VLT switch. The secondary VLT switch tunnels the BPDUs that it receives to the primary VLT switch over the VLT interconnect.
Configuring a VLT Interconnect

To configure a VLT interconnect, follow these steps.
1. Configure the port channel for the VLT interconnect on a VLT switch and enter interface configuration mode.
CONFIGURATION mode
interface port-channel id-number
Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain.
NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned).
2.
4. Enable peer routing.
VLT DOMAIN CONFIGURATION mode
peer-routing
If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
5. (Optional) After you configure a VLT domain on each peer switch and connect (cable) the two VLT peers on each side of the VLT interconnect, the system elects a primary and secondary VLT peer device (see Primary and Secondary VLT Peers). To configure the primary and secondary roles before the election process, use the primary-priority command.
CONFIGURATION mode
delay-restore delay-restore-time
The range is from 1 to 1200. The default is 90 seconds.

Reconfiguring the Default VLT Settings (Optional)

To reconfigure the default VLT settings, use the following commands.
1. Enter VLT-domain configuration mode for a specified VLT domain.
CONFIGURATION mode
vlt domain domain-id
The range of domain IDs is from 1 to 1000.
2.
switchport
4. Add one or more port interfaces to the port channel.
INTERFACE PORT-CHANNEL mode
channel-member interface
interface: specify one of the following interface types:
● For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
● For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
5. Ensure that the port channel is active.
INTERFACE PORT-CHANNEL mode
no shutdown
6.
● For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
● For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
3. Enter VLT-domain configuration mode for a specified VLT domain.
CONFIGURATION mode
vlt domain domain-id
The range of domain IDs is from 1 to 1000.
4. Enter the port-channel number that acts as the interconnect trunk.
VLT DOMAIN CONFIGURATION mode
peer-link port-channel id-number
5.
INTERFACE mode
port-channel-protocol lacp
14. Configure the LACP port channel mode.
INTERFACE mode
port-channel number mode [active]
15. Ensure that the interface is active.
MANAGEMENT INTERFACE mode
no shutdown
16. Enable peer routing.
VLT DOMAIN CONFIGURATION mode
peer-routing
If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
17. Repeat steps 1 through 16 for the VLT peer node in Domain 1.
18. Repeat steps 1 through 16 for the first VLT node in Domain 2.
19.
show running-config entity
12. Verify that VLT is running.
EXEC mode
show vlt brief or show vlt detail
13. Verify that the VLT LAG is running in both VLT peer units.
EXEC mode or EXEC Privilege mode
show interfaces interface
In the following sample VLT configuration steps, VLT peer 1 is Dell-2, VLT peer 2 is Dell-4, and the ToR is S60-1.
NOTE: If you use a third-party ToR unit, Dell EMC Networking recommends using static LAGs with VLT peers to avoid potential problems if you reboot the VLT peers.
!
port-channel-protocol LACP
port-channel 2 mode active
no shutdown
Configuring the VLT peer LAG in VLT
Dell-2#show running-config interface port-channel 2
!
interface Port-channel 2
no ip address
switchport
vlt-peer-lag port-channel 2
no shutdown
Dell-2#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
L 2    L2L3  up      03:33:14  Gi 1/4 (Up)
In the ToR unit, configure LACP on the physical ports.
Delay-Restore Abort Threshold : 60 seconds
Peer-Routing : Disabled
Peer-Routing-Timeout timer : 0 seconds
Multicast peer-routing timeout : 150 seconds
DellEMC#
Verify that the VLT LAG is up in the VLT peer unit.
Name ---------Po 1 Po 2 Te 1/10 Te 1/13 PortID -------128.2 128.3 128.230 128.233 Interface Name ---------Po 1 Po 2 Gi 1/10 Gi 1/13 DellEMC# Role -----Desg Desg Desg Desg Prio ---128 128 128 128 Cost -----188 2000 2000 2000 PortID -------128.2 128.3 128.230 128.233 Prio ---128 128 128 128 Sts Cost Bridge ID PortID ----------- ------- -------------------- -------FWD(vltI) 0 0 90b1.1cf4.9b79 128.2 FWD(vlt) 0 0 90b1.1cf4.9b79 128.3 FWD 0 0 90b1.1cf4.9b79 128.230 FWD 0 0 90b1.1cf4.9b79 128.
Figure 135. Peer Routing Configuration Example

Dell-1 Switch Configuration

In the following output, RSTP is enabled with a bridge priority of 0. This ensures that Dell-1 becomes the root bridge.
DellEMC#1#show run | find protocol
protocol spanning-tree pvst
no disable
vlan 1,20,800,900 bridge-priority 0
The following output shows the existing VLANs.
(The management interfaces are part of a default VRF and are isolated from the switch's data plane.)
In Dell-1, te 0/0 and te 0/1 are used for VLTi.
DellEMC#1#sh run int te0/0
interface TenGigabitEthernet 0/0
description VLTi LINK
no ip address
no shutdown (VLTi Physical link)
!
DellEMC#1#sh run int te0/1
interface TenGigabitEthernet 0/1
description VLTi LINK
no ip address
no shutdown (VLTi Physical link)
The following example shows that te 0/0 and te 0/1 are included in port channel 10.
Vlan 20 is used in Dell-1, Dell-2, and R1 to form OSPF adjacency. When OSPF is converged, the routing tables in all devices are synchronized.
DellEMC#1#sh run int vlan 20
interface Vlan 20
description OSPF PEERING VLAN
ip address 192.168.20.1/29
untagged Port-channel 1
no shutdown
!
DellEMC#1#sh run int vlan 800
interface Vlan 800
description Client-VLAN
ip address 192.168.8.1/24
tagged Port-channel 2
no shutdown
The following output shows Dell-1 is configured with VLT domain 1.
Use the show vlt detail command to verify that VLT is functional and that the correct VLANs are allowed.
DellEMC#1#sh vlt detail
Local LAG Id  Peer LAG Id  Local Status  Peer Status  Active VLANs
------------  -----------  ------------  -----------  ------------
1             1            UP            UP           20
2             2            UP            UP           1, 800, 900
The following output displays the OSPF configuration in Dell-1
DellEMC#1#sh run | find router
router ospf 1
router-id 172.17.1.1
network 192.168.9.0/24 area 0
network 192.168.8.0/24 area 0
network 172.17.1.
0  90:b1:1c:f4:2c:bd  LOCAL_DA  00001
0  90:b1:1c:f4:29:f3  LOCAL_DA  00001A
The above output shows that the 90:b1:1c:f4:2c:bd MAC address belongs to Dell-1. The 90:b1:1c:f4:29:f3 MAC address belongs to Dell-2. Also note that these MAC addresses are marked with LOCAL_DA. This means these are the local destination MAC addresses used by hosts when routing is required. Packets sent to this MAC address are directly forwarded to their destinations without being sent to the peer switch.
no ip address
port-channel-protocol LACP
port-channel 2 mode active
no shutdown
Te 0/6 connects to the uplink switch R1.
Dell-2#sh run int te0/6
interface TenGigabitEthernet 0/6
description To_CR1_fa0/13
no ip address
port-channel-protocol LACP
port-channel 1 mode active
no shutdown
Port channel 1 connects to the uplink switch R1.
Verify if VLT on Dell-1 is functional
Dell-2#sh vlt brief
VLT Domain Brief
------------------
Domain ID: 1
Role: Secondary
Role Priority: 55000
ICL Link Status: Up
HeartBeat Status: Up
VLT Peer Status: Up
Local Unit Id: 1
Version: 6(3)
Local System MAC address: 90:b1:1c:f4:29:f1
Remote System MAC address: 90:b1:1c:f4:2c:bb
Configured System MAC address: 90:b1:1c:f4:01:01
Remote system version: 6(3)
Delay-Restore timer: 90 seconds
Peer routing : En
Peer routing-Timeout timer:
Multicast peer routing timeout:
The following output displays the routes learned using OSPF. Dell-2 also learns the routes to the loopback addresses on R1 through OSPF.
Dell-2#show ip route ospf
  Destination        Gateway
  -----------        -------
O 2.2.2.2/24         via 192.168.20.3,
O 3.3.3.2/24         via 192.168.20.3,
O 4.4.4.2/24         via 192.168.20.3,
O 172.15.1.1/32      via 192.168.20.3,
O 172.16.1.2/32      via 192.168.20.
 network 172.15.1.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.7 area 0
CR1#show ip ospf neighbor (R1 is a DROTHER)
Neighbor ID   Pri   State      Dead Time   Address        Interface
172.16.1.2    1     FULL/BDR   00:00:31    192.168.20.2   Port-channel1
172.17.1.1    1     FULL/DR    00:00:38    192.168.20.1   Port-channel1
CR1#show ip route (Output Truncated)
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback2
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback3
O    192.168.8.0/24 [110/2] via 192.168.
Figure 136. eVLT Configuration Example
eVLT Configuration Step Examples
In Domain 1, configure the VLT domain and VLTi on Peer 1.
Domain_1_Peer1#configure
Domain_1_Peer1(conf)#interface port-channel 1
Domain_1_Peer1(conf-if-po-1)# channel-member GigabitEthernet 1/8-1/9
Domain_1_Peer1(conf)#vlt domain 1000
Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1
Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.
Configure eVLT on Peer 2.
Domain_1_Peer2(conf)#interface port-channel 100
Domain_1_Peer2(conf-if-po-100)# switchport
Domain_1_Peer2(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_1_Peer2(conf-if-po-100)# no shutdown
Add links to the eVLT port-channel on Peer 2.
PIM-Sparse Mode Configuration Example
The following sample configuration shows how to configure the PIM Sparse mode designated router functionality on the VLT domain with two VLT port-channels that are members of VLAN 4001. For more information, refer to PIM-Sparse Mode Support on VLT.
Examples of Configuring PIM-Sparse Mode
The following example shows how to enable PIM multicast routing on the VLT node globally.
EXEC mode
show vlt role
● Display the current configuration of all VLT domains or a specified group on the switch.
EXEC mode
show running-config vlt
● Display statistics on VLT operation.
EXEC mode
show vlt statistics
● Display the RSTP configuration on a VLT peer switch, including the status of port channels used in the VLT interconnect trunk and to connect to access devices.
EXEC mode
show spanning-tree rstp
● Display the current status of a port or port-channel interface used in the VLT domain.
Delay-Restore Abort Threshold: 60 seconds
Peer-Routing : Disabled
Peer-Routing-Timeout timer: 0 seconds
Multicast peer-routing timeout: 150 seconds
DellEMC#
The following example shows the show vlt detail command.
VLT Statistics
---------------
HeartBeat Messages Sent: 994
HeartBeat Messages Received: 978
ICL Hello's Sent: 89
ICL Hello's Received: 89
The following example shows the show spanning-tree rstp command. The bold section displays the RSTP state of port channels in the VLT domain. Port channel 100 is used in the VLT interconnect trunk (VLTi) to connect to VLT peer2. Port channels 110, 111, and 120 are used to connect to access switches or servers (vlt).
Configure the backup link.
Dell_VLTpeer1(conf)#interface ManagementEthernet 1/1
Dell_VLTpeer1(conf-if-ma-1/1)#ip address 10.11.206.23/
Dell_VLTpeer1(conf-if-ma-1/1)#no shutdown
Dell_VLTpeer1(conf-if-ma-1/1)#exit
Configure the VLT interconnect (VLTi).
Dell_VLTpeer2(conf-if-po-110)#vlt-peer-lag port-channel 110
Dell_VLTpeer2(conf-if-po-110)#end
Verify that the port channels used in the VLT domain are assigned to the same VLAN.
Table 117. Troubleshooting VLT (continued)
Description    Behavior at Peer Up    Behavior During Run Time    Action to Take
A one-time informational syslog message is generated. To resolve, enable RSTP on both VLT peers.
A one-time informational syslog message is generated. Correct the spanning tree configuration on the ports.
Spanning tree mismatch at port level    A syslog error message is generated.
Specifying VLT Nodes in a PVLAN
You can configure VLT peer nodes in a private VLAN (PVLAN). VLT enables redundancy without the implementation of Spanning Tree Protocol (STP), and provides a loop-free network with optimal bandwidth utilization. Because the VLT LAG interfaces are terminated on two different nodes, the PVLAN configuration of VLT VLANs and VLT LAGs is symmetrical and identical on both VLT peers. PVLANs provide Layer 2 isolation between ports within the same VLAN.
MAC Synchronization for VLT Nodes in a PVLAN
For MAC addresses that are learned on non-VLT ports, MAC address synchronization is performed with the other peer if the VLTi (ICL) link is part of the same VLAN as the non-VLT port. For MAC addresses that are learned on VLT ports, the VLT LAG mode of operation and the primary-to-secondary association of the VLT nodes is determined on both VLT peers.
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN
The following table illustrates the association of the VLTi link and PVLANs, and the MAC synchronization of VLT nodes in a PVLAN (for various modes of operation of the VLT peers):
Table 118.
7. Enter the port-channel number that acts as the interconnect trunk.
VLT DOMAIN CONFIGURATION mode
peer-link port-channel id-number
8. (Optional) To configure a VLT LAG, enter the VLAN ID number of the VLAN where the VLT forwards packets received on the VLTi from an adjacent peer that is down.
VLT DOMAIN CONFIGURATION mode
peer-link port-channel id-number peer-down-vlan vlan interface number
Associating the VLT LAG or VLT VLAN in a PVLAN
1.
By default, proxy ARP is enabled. To disable proxy ARP, use the no proxy-arp command in Interface mode. To re-enable proxy ARP, use the ip proxy-arp command in Interface mode. To view if proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only nondefault information displays in the show config command output.
VLT Nodes as Rendezvous Points for Multicast Resiliency
You can configure VLT peer nodes as rendezvous points (RPs) in a Protocol Independent Multicast (PIM) domain. PIM uses a VLT node as the RP to distribute multicast traffic to a multicast group. Messages to join the multicast group (Join messages) and data are sent towards the RP, so that receivers can discover who the senders are and begin receiving traffic destined for the multicast group.
DellEMC(conf-vlt-domain)#peer-link port-channel 1
DellEMC(conf-vlt-domain)#back-up destination 10.16.151.116
DellEMC(conf-vlt-domain)#primary-priority 100
DellEMC(conf-vlt-domain)#system-mac mac-address 00:00:00:11:11:11
DellEMC(conf-vlt-domain)#unit-id 0
DellEMC(conf-vlt-domain)#
DellEMC#show running-config vlt
!
vlt domain 1
 peer-link port-channel 1
 back-up destination 10.16.151.
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
       O - Openflow
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   o - OpenFlow untagged, O - OpenFlow tagged
   G - GVRP tagged, M - Vlan-stack
   i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged

    NUM    Status    Description    Q Ports
    50     Active                   M Po10(Gi 1/8)
                                    M Po20(Gi 1/12)
                                    V Po1(Gi 1/30-32)
DellEMC#
Sample Configuration of VLAN-Stack Over VLT (Peer 2)
Configure
DellEMC(conf-if-vl-50-stack)#member port-channel 10
DellEMC(conf-if-vl-50-stack)#member port-channel 20
DellEMC(conf-if-vl-50-stack)#
DellEMC#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdown
DellEMC#
Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN
DellEMC#show vlan id 50
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
       O - Openflow
Q: U
ToR
1. Enable BFD globally.
TOR(conf)# bfd enable
2. Configure a VLT peer LAG.
TOR(conf)#interface gigabitethernet 1/1
TOR(conf-if-gi-1/1)#no ip address
TOR(conf-if-gi-1/1)#port-channel-protocol lacp
TOR(conf-if-gi-1/1)#port-channel 10 mode active
TOR(conf-if-gi-1/1)#no shutdown
TOR(conf)#interface gigabitethernet 1/2
TOR(conf-if-gi-1/2)#no ip address
TOR(conf-if-gi-1/2)#port-channel-protocol lacp
TOR(conf-if-gi-1/2)#port-channel 10 mode active
TOR(conf-if-gi-1/2)#no shutdown
3.
5. Enable BFD over OSPF.
TOR(conf)# router ospf 1
TOR(conf-router_ospf)# network 100.1.1.0/24 area 0
TOR(conf-router_ospf)# bfd all-neighbors
VLT Primary
1. Enable BFD globally.
VLT_Primary(conf)# bfd enable
2. Configure the port channel that is used as the VLTi link.
VLT_Primary(conf)# interface port-channel 100
VLT_Primary(conf-if-po-100)# no ip address
VLT_Primary(conf-if-po-100)# channel-member gigabitethernet 1/1, 1/2
VLT_Primary(conf-if-po-100)# no shutdown
3. Enable VLT and configure a VLT domain.
2. Configure the port channel that is used as the VLTi link.
VLT_Secondary(conf)# interface port-channel 100
VLT_Secondary(conf-if-po-100)# no ip address
VLT_Secondary(conf-if-po-100)# channel-member gigabitethernet 1/1, 1/2
VLT_Secondary(conf-if-po-100)# no shutdown
3. Enable VLT and configure a VLT domain.
VLT_Secondary(conf)# vlt domain 100
VLT_Secondary(conf-vlt-domain)# peer-link port-channel 100
VLT_Secondary(conf-vlt-domain)# back-up destination 10.16.206.
VLT_Secondary(conf-vlt-domain)#
Delay-Restore Abort Threshold: 60 seconds
Peer-Routing : Enabled
Peer-Routing-Timeout timer: 0 seconds
Multicast peer-routing timeout: 150 seconds
● To verify that the VLTi (ICL) link is up on the VLT secondary peer, use the show vlt brief command.
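As an added example (not from this guide or from Dell), the following Python script parses show vlt brief output captured from both peers and cross-checks the fields that must agree before the domain can be trusted: domain ID, configured system MAC, peer routing, one Primary and one Secondary role, distinct unit IDs, each side's local system MAC matching the other side's remote system MAC, and ICL, heartbeat and peer status Up on both. The two sample outputs are constructed in the layout shown above; the Peer 2 values mirror the Dell-2 output earlier in this chapter and the Peer 1 values are invented.

```python
"""Cross-check `show vlt brief` from both VLT peers (added example; not Dell's code).

Both outputs must agree on the domain ID, the configured system MAC and the
peer-routing setting; the roles must be one Primary and one Secondary; the unit
IDs must differ; each peer's local system MAC must be the other peer's remote
system MAC; and the ICL, heartbeat and peer status must be Up on both sides.
"""

# Constructed sample outputs in the layout of the `show vlt brief` output on
# this page. Peer 2 mirrors the Dell-2 output shown earlier; Peer 1 is invented.
PEER1_BRIEF = """\
VLT Domain Brief
------------------
Domain ID: 1
Role: Primary
Role Priority: 32768
ICL Link Status: Up
HeartBeat Status: Up
VLT Peer Status: Up
Local Unit Id: 0
Version: 6(3)
Local System MAC address: 90:b1:1c:f4:2c:bb
Remote System MAC address: 90:b1:1c:f4:29:f1
Configured System MAC address: 90:b1:1c:f4:01:01
Remote system version: 6(3)
Delay-Restore timer: 90 seconds
Peer routing : Enabled
Peer routing-Timeout timer: 0 seconds
Multicast peer routing timeout: 150 seconds
"""

PEER2_BRIEF = """\
VLT Domain Brief
------------------
Domain ID: 1
Role: Secondary
Role Priority: 55000
ICL Link Status: Up
HeartBeat Status: Up
VLT Peer Status: Up
Local Unit Id: 1
Version: 6(3)
Local System MAC address: 90:b1:1c:f4:29:f1
Remote System MAC address: 90:b1:1c:f4:2c:bb
Configured System MAC address: 90:b1:1c:f4:01:01
Remote system version: 6(3)
Delay-Restore timer: 90 seconds
Peer routing : Enabled
Peer routing-Timeout timer: 0 seconds
Multicast peer routing timeout: 150 seconds
"""

STATUS_FIELDS = ("ICL Link Status", "HeartBeat Status", "VLT Peer Status")
MUST_MATCH = ("Domain ID", "Configured System MAC address", "Peer routing")


def parse_vlt_brief(text):
    """Turn the key/value lines of `show vlt brief` into a dict.

    Only the first colon separates key from value, so MAC addresses and the
    'Peer routing :' spelling (space before the colon) are handled correctly.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # banner line and dashed separator
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def check_vlt_pair(a, b):
    """Return a list of problem strings found between two parsed peer outputs."""
    problems = []
    for key in MUST_MATCH:
        if a.get(key) != b.get(key):
            problems.append("%s differs: %r vs %r" % (key, a.get(key), b.get(key)))
    if {a.get("Role"), b.get("Role")} != {"Primary", "Secondary"}:
        problems.append("roles are %r and %r, expected one Primary and one Secondary"
                        % (a.get("Role"), b.get("Role")))
    if a.get("Local Unit Id") == b.get("Local Unit Id"):
        problems.append("both peers report unit id %r" % a.get("Local Unit Id"))
    for name, me, other in (("peer 1", a, b), ("peer 2", b, a)):
        if me.get("Local System MAC address") != other.get("Remote System MAC address"):
            problems.append("%s: local system MAC %r is not the other peer's remote system MAC %r"
                            % (name, me.get("Local System MAC address"),
                               other.get("Remote System MAC address")))
        for field in STATUS_FIELDS:
            if me.get(field) != "Up":
                problems.append("%s: %s is %r" % (name, field, me.get(field)))
    return problems


def check_vlt_pair_text(text_a, text_b):
    """Parse both raw outputs and compare them; an empty list means consistent."""
    return check_vlt_pair(parse_vlt_brief(text_a), parse_vlt_brief(text_b))
```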
Synchronization of IPv6 ND Entries in a VLT Domain
Because the VLT nodes appear as a single unit, the ND entries learned via the VLT interface are expected to be the same on both VLT nodes. VLT IPv6 VLAN and neighbor discovery protocol monitor (NDPM) entries are synchronized between the VLT nodes. The VLT IPv6 VLAN information must be synchronized with the peer VLT node, so that both VLT nodes are aware of the VLT VLAN information associated with the peers.
Figure 137. Sample Configuration of IPv6 Peer Routing in a VLT Domain
Sample Configuration of IPv6 Peer Routing in a VLT Domain
Consider a sample scenario as shown in the following figure in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link. To the south of the VLT domain, Unit1 and Unit2 are connected to a ToR switch named Node B. Also, Unit1 is connected to another node, Node A, and Unit2 is linked to a node, Node C.
Consider a case in which an NS for VLT node1's IP reaches VLT node1 on the VLT interface, and an NS for VLT node1's IP reaches VLT node2 because of LAG-level hashing in the ToR. When VLT node1 receives the NS on the VLT VLAN interface, it unicasts the NA packet on the VLT interface. When the NS reaches VLT node2, it is flooded on all interfaces, including the ICL. When VLT node1 receives the NS on the ICL, it floods the NA packet on the VLAN. If the NS is unicast and reaches the wrong VLT peer, it is lifted to the CPU using an ACL entry.
When a VLT node receives traffic from a non-VLT host destined to a VLT host, it routes the traffic to the VLT interface. If the VLT interface is not operationally up, the VLT node routes the traffic over the ICL.
Non-VLT host to North Bound traffic flow
When a VLT node receives traffic from a non-VLT host destined north bound with the DMAC set to its own MAC, it routes the traffic to the next hop.
59 VLT Proxy Gateway
The virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration. For more information, see the Command Line Reference Guide.
Figure 139. Sample Configuration for a VLT Proxy Gateway
Guidelines for Enabling the VLT Proxy Gateway
Keep the following points in mind when you enable a VLT proxy gateway:
● Proxy gateway is supported only for VLT; for example, across a VLT domain.
● You must enable the VLT peer-routing command for the VLT proxy gateway to function.
● Private VLANs (PVLANs) are not supported.
● When a Virtual Machine (VM) moves from one VLT domain to another VLT domain, the VM host sends a gratuitous ARP (GARP), which in turn triggers a MAC move from the previous VLT domain to the new VLT domain.
● After a station move, if the host sends a TTL 1 packet destined to its gateway (for example, a previous VLT node), the packet can be dropped.
● You must globally enable LLDP.
● You cannot have interface-level LLDP disable commands on the interfaces configured for proxy gateway, and you must enable both transmission and reception.
● You must connect both units of the remote VLT domain by the port channel member.
● If you connect more than one port to a unit of the remote VLT domain, the connection must be completed by the time you enable the proxy gateway LLDP.
● The preceding figure shows a sample square VLT proxy gateway topology. There are no diagonal links in the square VLT connection between C and D in VLT domain 1 and C1 and D1 in VLT domain 2. This causes sub-optimal routing. For the VLT proxy gateway to work in this scenario, you must configure the VLT-peer-mac transmit command under VLT Domain Proxy Gateway LLDP mode, in both C and D (VLT domain 1) and C1 and D1 (VLT domain 2).
2. Configure the peer-domain-link port-channel in VLT Domain Proxy Gateway LLDP mode. The VLT port channel is the one that connects to the remote VLT domain.
Sample Dynamic Proxy Configuration on C switch or C1 switch
Switch_C#conf
Switch_C(conf)#vlt domain 1
Switch_C(conf-vlt-domain1)#proxy-gateway lldp
Switch_C(conf-vlt-domain1-pxy-gw-lldp)#peer-domain-link port-channel 1....
 remote-mac-address 00:01:e8:8b:ff:4f
 remote-mac-address 00:01:e8:d8:93:04
The MAC addresses, configured using the remote-mac-address command, belong to Dell-3 and Dell-4.
interface Vlan 100
 description OSPF peering VLAN to Dell-1
 ip address 10.10.100.2/30
 ip ospf network point-to-point
 no shutdown
The following is the OSPF configuration on Dell-2.
router ospf 1
 router-id 2.2.2.2
 network 10.10.100.0/30 area 0
The following output shows that Dell-1 forms an OSPF neighborship with Dell-2.
interface Vlan 102
 description ospf peering vlan to DELL-4
 ip address 10.10.102.1/30
 ip ospf network point-to-point
 no shutdown
The following is the OSPF configuration on Dell-3.
router ospf 1
 router-id 3.3.3.3
 network 10.10.101.0/30 area 0
 network 10.10.102.0/30 area 0
The following output shows that Dell-4 and VLT domain 120 form OSPF neighborships with Dell-3.
Dell-3#sh ip ospf nei
!
Neighbor ID   Pri   State     Dead Time   Address       Interface   Area
4.4.4.4       1     FULL/ -   00:00:33    10.10.101.1   Vl 101      0
1.1.1.
60 Virtual Routing and Forwarding (VRF)
Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time.
Figure 142. VRF Network Example
VRF Configuration Notes
Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
VRF supports some routing protocols only on the default VRF (default-vrf) instance. Table 1 displays the software features supported in VRF and whether they are supported on all VRF instances or only the default VRF.
NOTE: To configure a router ID in a non-default VRF, configure at least one IP address in both the default as well as the non-default VRF.
Table 119. Software Features Supported on VRF
Feature/Capability    Support Status for Default VRF    Support Status for Non-default VRF
802.
DHCP
DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance.
VRF Configuration
The VRF configuration tasks are:
1. Enabling VRF in Configuration Mode
2. Creating a Non-Default VRF
3. Assign an Interface to a VRF
You can also:
● View VRF Instance Information
● Connect an OSPF Process to a VRF Instance
● Configure VRRP on a VRF
Loading VRF CAM
● Load CAM memory for the VRF feature.
interface gigabitethernet 1/1
2. Assign the interface to the management VRF.
INTERFACE CONFIGURATION
ip vrf forwarding management
Before assigning a front-end port to a management VRF, ensure that no IP address is configured on the interface.
3. Assign an IPv4 address to the interface.
INTERFACE CONFIGURATION
ip address 10.1.1.1/24
4. Assign an IPv6 address to the interface.
Table 120. Configuring VRRP on a VRF (continued)
Task    Command Syntax    Command Mode
Assign an IP address to the interface
 ip address 10.1.1.1/24
 no shutdown
Configure the VRRP group and virtual IP address
 vrrp-group 10
 virtual-address 10.1.1.100
View VRRP command output for the VRF vrf1
 show config
----------------------------
!
interface GigabitEthernet 1/13
 ip vrf forwarding vrf1
 ip address 10.1.1.1/24
!
 vrrp-group 10
  virtual-address 10.1.1.
● ipv6 nd ra-lifetime — Set IPv6 Router Advertisement Lifetime
● ipv6 nd reachable-time — Set advertised reachability time
● ipv6 nd retrans-timer — Set NS retransmit interval used and advertised in RA
● ipv6 nd suppress-ra — Suppress IPv6 Router Advertisements
● ipv6 ad — IPv6 Address Detection
● ipv6 ad autoconfig — IPv6 stateless auto-configuration
● ipv6 address — Configure IPv6 address on an interface
NOTE: The command line help still displays relevant details correspon
Figure 144. Setup VRF Interfaces
The following example relates to the configuration shown in the above illustrations.
Router 1
ip vrf blue 1
!
ip vrf orange 2
!
ip vrf green 3
!
interface GigabitEthernet 3/1
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 1/1
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip vrf forwarding orange
 ip address 20.0.0.1/24
 no shutdown
!
interface GigabitEthernet 1/3
 ip vrf forwarding green
 ip address 30.0.0.
 ip vrf forwarding blue
 ip address 1.0.0.1/24
 tagged GigabitEthernet 3/1
 no shutdown
!
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.1/24
 tagged GigabitEthernet 3/1
 no shutdown
!
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.1/24
 tagged GigabitEthernet 3/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.1
 network 1.0.0.0/24 area 0
 network 10.0.0.0/24 area 0
!
router ospf 2 vrf orange
 router-id 2.0.0.1
 network 2.0.0.0/24 area 0
 network 20.0.0.
!
router ospf 1 vrf blue
 router-id 1.0.0.2
 network 11.0.0.0/24 area 0
 network 1.0.0.0/24 area 0
 passive-interface GigabitEthernet 2/1
!
router ospf 2 vrf orange
 router-id 2.0.0.2
 network 21.0.0.0/24 area 0
 network 2.0.0.0/24 area 0
 passive-interface GigabitEthernet 2/2
!
ip route vrf green 30.0.0.0/24 3.0.0.1
!
The following shows the output of the show commands on Router 1.
Change Destination --------------------C 2.0.0.0/24 C 20.0.0.0/24 O 21.0.0.0/24 00:10:41 Gateway Dist/Metric ------- ----------- Direct, Vl 192 Direct, Gi 1/2 via 2.0.0.
00:27:21 O 00:14:24 C 10.0.0.0/24 via 1.0.0.1, 11.0.0.
ip route vrf VRF1 20.0.0.0/16 140.0.0.2 vrf VRF2
ip route vrf VRF2 40.0.0.0/16 120.0.0.2 vrf VRF1
Dynamic Route Leaking
Route leaking is a powerful feature that enables communication between isolated (virtual) routing domains by segregating and sharing a set of services, such as VoIP, video, and so on, that are available on one routing domain with other virtual domains. Inter-VRF route leaking enables a VRF to leak or export routes that are present in its RTM to one or more VRFs.
ip address ip-address mask
A non-default VRF named VRF-red is created and the interface is assigned to this VRF.
4. Configure the import target in VRF-red.
ip route-import 1:1
5. Configure the export target in VRF-red.
ip route-export 2:2
6. Configure VRF-blue.
ip vrf vrf-blue
interface-type slot/port
ip vrf forwarding VRF-blue
ip address ip-address mask
A non-default VRF named VRF-blue is created and the interface 1/12 is assigned to it.
7. Configure the import target in VRF-blue.
ip route-import 1:1
8.
C 133.3.3.0/24   Direct, Gi 1/13   0/0     22:39:61
DellEMC# show ip route vrf VRF-Shared
O 44.4.4.4/32    via 144.4.4.4     110/0   00:00:11
C 144.4.4.0/24   Direct, Gi 1/4    0/0     00:32:36
Show routing tables of the VRFs (after route-export and route-import tags are configured).
DellEMC# show ip route vrf VRF-Red
O 11.1.1.1/32    via 111.1.1.1     110/0   00:00:10
C 111.1.1.0/24   Direct, Gi 1/11   0/0     22:39:59
O 44.4.4.4/32    via VRF-shared:144.4.4.
C 144.4.4.0/24
When you initialize route leaking from one VRF to another, all the routes are exposed to the target VRF. If the size of the source VRF's RTM is considerably large, an import operation results in the duplication of the target VRF's RTM with the source RTM entries. To mitigate this issue, you can use route-maps to filter the routes that are exported and imported into the route targets based on certain matching criteria. These match criteria include prefix matches and protocol matches.
9. Configure the import target in the source VRF for reverse communication with the destination VRF.
61 Virtual Router Redundancy Protocol (VRRP)
Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network.
Topics:
• VRRP Overview
• VRRP Benefits
• VRRP Implementation
• VRRP Configuration
• Sample Configurations
• Proxy Gateway with VRRP
VRRP Overview
VRRP is designed to eliminate a single point of failure in a statically routed network.
Figure 145. Basic VRRP Configuration
VRRP Benefits
With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and are not dependent on interior gateway protocol (IGP) protocols to converge or update routing tables. In conjunction with Virtual Link Trunking (VLT), you can configure optimized forwarding with virtual router redundancy protocol (VRRP).
NOTE: In a VLT environment, the VRRP configuration acts as active-active, and if a route is not present on one of the VRRP nodes, the packet to that destination is dropped on that VRRP node.
Table 121.
The following example shows how to configure VRRP.
DellEMC(conf)#interface gigabitethernet 1/1
DellEMC(conf-if-gi-1/1)#vrrp-group 111
DellEMC(conf-if-gi-1/1-vrid-111)#
The following example shows how to verify the VRRP configuration.
DellEMC(conf-if-gi-1/1)#show conf
!
interface GigabitEthernet 1/1
 ip address 10.10.10.
3. Set the backup switches to version 3.
Dell_backup_switch1(conf-if-gi-1/1-vrid-100)#version 3
Dell_backup_switch2(conf-if-gi-1/2-vrid-100)#version 3
Assign Virtual IP addresses
Virtual routers contain virtual IP addresses configured for that VRRP group (VRID). A VRRP group does not transmit VRRP packets until you assign the virtual IP address to the VRRP group.
 vrrp-group 111
  priority 255
  virtual-address 10.10.10.1
  virtual-address 10.10.10.2
  virtual-address 10.10.10.3
!
 vrrp-group 222
  no shutdown
The following example shows the same VRRP group (VRID 111) configured on multiple interfaces on different subnets.
DellEMC#show vrrp
-----------------
GigabitEthernet 1/1, VRID: 111, Version: 2, Net: 10.10.10.1
VRF: 0 default
State: Master, Priority: 255, Master: 10.10.10.
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
-----------------
GigabitEthernet 1/2, VRID: 111, Net: 10.10.2.1
VRF: 0 default
State: Master, Priority: 125, Master: 10.10.2.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 601, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.2.2 10.10.2.
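As an added example (not from this guide or from Dell), the following Python script parses show vrrp output in the layout shown above, including the IPv6 VRRPv3 form that appears later in this chapter, and audits each group: it checks the virtual MAC against the VRID (VRID 111 must map to 00:00:5e:00:01:6f, as above), flags VRRPv2 groups running with Authentication: (none), and reports any non-zero Bad pkts rcvd counter. The sample output is constructed; its second group is deliberately inconsistent so that the checks have something to find.

```python
"""Audit Dell EMC OS9 `show vrrp` output (added example; not Dell's code).

Checks per group: the virtual MAC matches the VRID (00:00:5e:00:01:xx for
IPv4, 00:00:5e:00:02:xx for IPv6 per RFC 5798, e.g. VRID 111 -> ...:6f),
IPv4 VRRPv2 groups are not running with "Authentication: (none)" (VRRPv3
has no authentication field), and "Bad pkts rcvd" is zero.
"""
import re

# Constructed sample in the layout of the `show vrrp` output on this page.
# The second group is deliberately inconsistent (wrong virtual MAC, bad packets).
SAMPLE_SHOW_VRRP = """\
-----------------
GigabitEthernet 1/1, VRID: 111, Version: 2, Net: 10.10.10.1
VRF: 0 default
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 601, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
-----------------
GigabitEthernet 1/2, VRID: 111, Net: 10.10.2.1
VRF: 0 default
State: Master, Priority: 125, Master: 10.10.2.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 3, Adv sent: 601, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:70
Virtual IP address: 10.10.2.2 10.10.2.3
Authentication: (none)
-----------------
GigabitEthernet 2/8, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:e9ed
VRF: 0 default
State: Master, Priority: 110, Master: fe80::201:e8ff:fe8a:e9ed (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 120
Virtual MAC address: 00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe80::255
"""

# Group header: interface, optional address family, VRID, optional version, "Net".
HEADER_RE = re.compile(
    r"^(?P<iface>\S+ \S+), (?:(?P<fam>IPv4|IPv6) )?VRID: (?P<vrid>\d+),"
    r"\s*(?:Version: (?P<ver>\d+),?\s*)?Net:\s*(?P<net>\S+)"
)


def expected_vmac(vrid, ipv6=False):
    """RFC 5798 virtual MAC for a VRID."""
    return "00:00:5e:00:%02x:%02x" % (2 if ipv6 else 1, vrid)


def parse_show_vrrp(text):
    """Split the output on its dashed separators and parse each group into a dict."""
    groups = []
    for block in re.split(r"(?m)^-+\s*$", text):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        m = HEADER_RE.match(lines[0])
        if not m:
            raise ValueError("unrecognised VRRP group header: %r" % lines[0])
        ipv6 = m.group("fam") == "IPv6"
        group = {
            "interface": m.group("iface"),
            "vrid": int(m.group("vrid")),
            "ipv6": ipv6,
            # Some outputs omit Version; VRRP for IPv6 is always version 3.
            "version": int(m.group("ver")) if m.group("ver") else (3 if ipv6 else 2),
        }
        for line in lines[1:]:
            # Comma-separated "Key: value" pairs; split on the first colon only,
            # so MAC and IPv6 addresses stay intact.
            for field in line.split(", "):
                key, _, value = field.partition(":")
                group[key.strip()] = value.strip()
        groups.append(group)
    return groups


def audit_vrrp(groups):
    """Return one finding string per problem found."""
    findings = []
    for g in groups:
        where = "%s VRID %d" % (g["interface"], g["vrid"])
        want = expected_vmac(g["vrid"], g["ipv6"])
        got = g.get("Virtual MAC address", "").lower()
        if got != want:
            findings.append("%s: virtual MAC %s does not match VRID (expected %s)" % (where, got, want))
        if g["version"] == 2 and g.get("Authentication") == "(none)":
            findings.append("%s: VRRPv2 group has no authentication" % where)
        bad = int(g.get("Bad pkts rcvd", "0"))
        if bad:
            findings.append("%s: %d bad VRRP packets received" % (where, bad))
    return findings
```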
Because preempt is enabled by default, disable the preempt function with the following command.
● Prevent any BACKUP router with a higher priority from becoming the MASTER router.
INTERFACE-VRID mode
no preempt
Re-enable preempt by entering the preempt command. When you enable preempt, it does not display in the show commands, because it is a default setting. The following example shows how to disable preempt using the no preempt command.
The following example shows how to change the advertise interval using the advertise-interval command.
DellEMC(conf-if-gi-1/1)#vrrp-group 111
DellEMC(conf-if-gi-1/1-vrid-111)#advertise-interval 10
DellEMC(conf-if-gi-1/1-vrid-111)#
The following example shows how to verify the advertise interval change using the show conf command.
DellEMC(conf-if-gi-1/1-vrid-111)#show conf
!
 vrrp-group 111
  advertise-interval 10
  authentication-type simple 7 387a7f2df5969da4
  no preempt
  priority 255
  virtual-address 10.10.10.
● (Optional) Display the configuration and the UP or DOWN state of tracked objects, including the client (VRRP group) that is tracking an object’s state.
EXEC mode or EXEC Privilege mode
show track
● (Optional) Display the configuration and the UP or DOWN state of tracked interfaces and objects in VRRP groups, including the time since the last change in an object’s state.
2007::1 fe80::1
Tracking states for 2 resource Ids:
 2 - Up   IPv6 route, 2040::/64, priority-cost 20, 00:02:11
 3 - Up   IPv6 route, 2050::/64, priority-cost 30, 00:02:11
The following example shows how to verify the VRRP configuration on an interface.
Sample Configurations
Before you set up VRRP, review the following sample configurations.
VRRP for an IPv4 Configuration
The following configuration shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
R2(conf-if-gi-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-gi-2/31-vrid-99)#no shut
R2(conf-if-gi-2/31)#show conf
!
interface GigabitEthernet 2/31
 ip address 10.1.1.1/24
!
 vrrp-group 99
  priority 200
  virtual-address 10.1.1.3
  no shutdown
R2(conf-if-gi-2/31)#end
R2#show vrrp
-----------------
GigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
VRF: 0 default
State: Master, Priority: 200, Master: 10.1.1.
Figure 147. VRRP for an IPv6 Configuration
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with MASTER status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.
The following example shows how to configure VRRP for IPv6 on Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
 vrrp-group 10
  priority 100
  virtual-address fe80::10
  virtual-address 1::10
  no shutdown
R2(conf-if-gi-1/1)#end
R2#show vrrp
-----------------
GigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net: fe80::201:e8ff:fe6a:c59f
VRF: 0 default
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address:
Both Switch-1 and Switch-2 have three VRF instances defined: VRF-1, VRF-2, and VRF-3. Each VRF has a separate physical interface to a LAN switch and an upstream VPN interface to connect to the Internet. Both Switch-1 and Switch-2 use VRRP groups on each VRF instance so that there is one MASTER and one backup router for each VRF. In VRF-1 and VRF-2, Switch-2 serves as owner-master of the VRRP group and Switch-1 serves as the backup. On VRF-3, Switch-1 is the owner-master and Switch-2 is the backup.
% Info: The VRID used by the VRRP group 11 in VRF 2 will be 178.
S1(conf-if-gi-1/2-vrid-101)#priority 100
S1(conf-if-gi-1/2-vrid-101)#virtual-address 10.10.1.2
S1(conf-if-gi-1/2)#no shutdown
!
S1(conf)#interface GigabitEthernet 1/3
S1(conf-if-gi-1/3)#ip vrf forwarding VRF-3
S1(conf-if-gi-1/3)#ip address 20.1.1.5/24
S1(conf-if-gi-1/3)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S1(conf-if-gi-1/3-vrid-105)#priority 255
S1(conf-if-gi-1/3-vrid-105)#virtual-address 20.1.1.
VLAN Scenario
In another scenario, to connect to the LAN, VRF-1, VRF-2, and VRF-3 use a single physical interface with multiple tagged VLANs (instead of separate physical interfaces). In this case, you configure three VLANs: VLAN-100, VLAN-200, and VLAN-300. Each VLAN is a member of one VRF. A physical interface ( ) attaches to the LAN and is configured as a tagged interface in VLAN-100, VLAN-200, and VLAN-300. The rest of this example is similar to the non-VLAN scenario.
Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1
VRF: 2 vrf2
State: Master, Priority: 100, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 10.1.1.
Virtual MAC address: 00:00:5e:00:01:0a
Virtual IP address: 20.1.1.100
Authentication: (none)
DellEMC#show vrrp vrf vrf2 port-channel 1
-----------------
Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1
VRF: 2 vrf2
State: Master, Priority: 100, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 10.1.1.
Figure 149. VRRP for IPv6 Topology
NOTE: This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, and so on.
NOTE: The virtual IPv6 address you configure should be the same as the IPv6 subnet to which the interface belongs.
00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe80::255
DellEMC#show vrrp gigabitethernet 2/8
GigabitEthernet 2/8, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:e9ed
VRF: 0 default
State: Master, Priority: 110, Master: fe80::201:e8ff:fe8a:e9ed (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 120
Virtual MAC address: 00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe80::255
DellEMC#
DellEMC
This is achieved by configuring the same VRRP group IDs on the extended L3 VLANs, so VRRP stays active-active across all four VLT nodes even though they are in two different VLT domains. The following illustration shows a sample configuration with two data centers:
● Server racks, Rack 1 and Rack 2, are part of data centers DC1 and DC2, respectively.
● Rack 1 is connected to devices A1 and B1 in a Layer 2 network segment.
● Rack 2 is connected to devices A2 and B2 in a Layer 2 network segment.
 unit-id 0
 peer-routing
interface port-channel 128
 channel member ten 1/1/1
 channel member ten 1/1/2
 no shutdown
int ten 1/5/1
 port-channel-protocol lacp
  port-channel 10 mode active
 no shut
int ten 1/4/1
 port-channel-protocol lacp
  port-channel 20 mode active
 no shut
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.2/24
 tagged port-channel 10
 vrrp-group 10
  advertise-interval 60
  virtual-ip 100.1.1.254
  priority 100
 no shutdown
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.0/24 area 0
Sample configuration of C2:
vlt domain 10
 peer-link port-channel 128
 back-up destination 10.16.140.
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.0/24 area 0
Sample configuration of D2:
vlt domain 10
 peer-link port-channel 128
 back-up destination 10.16.140.
62 Debugging and Diagnostics
This chapter describes debugging and diagnostics for the device.
Topics:
• Offline Diagnostics
• Trace Logs
• Auto Save on Crash or Rollover
• Last Restart Reason
• Hardware Watchdog Timer
• Using the Show Hardware Commands
• Enabling Environmental Monitoring
• Troubleshooting Packet Loss
• Enabling Application Core Dumps
• Mini Core Dumps
• Enabling TCP Dumps
Offline Diagnostics
The offline diagnostics test suite is useful for isolating faults and debugging hardware.
NOTE: The system reboots when the offline diagnostics complete. This is an automatic process. The following warning message appears when you enter the offline stack-unit command:
Warning - Diagnostic execution will cause stack-unit to reboot after completion of diags.
Proceed with Offline-Diags [confirm yes/no]:y
After the system goes offline, you must reload or run the online stack-unit stack-unit-number command to return the unit to normal operation.
2. Confirm the offline status.
Table 122. Line Card Restart Causes and Reasons
Causes                              Displayed Reasons
Remote power cycle of the chassis   push button reset
reload                              soft reset
reboot after a crash                soft reset
Hardware Watchdog Timer
The hardware watchdog command automatically reboots a Dell EMC Networking OS switch or router with a single RPM that is unresponsive. This is a last-resort mechanism intended to prevent a manual power cycle.
EXEC Privilege mode
show hardware stack-unit {1–6} stack-port {portnumber}
● View the counters in the field processors of the stack unit.
EXEC Privilege mode
show hardware stack-unit {1–6} unit {0-1} counters
● View the details of the FP devices and HiGig ports on the stack unit.
EXEC Privilege mode
show hardware stack-unit {1–6} unit {0-1} details
● Execute a specified bShell command from the CLI without going into the bShell.
===================================
QSFP 52 Temp High Alarm threshold
QSFP 52 Voltage High Alarm threshold
QSFP 52 Bias High Alarm threshold
QSFP 52 RX Power High Alarm threshold
QSFP 52 Temp Low Alarm threshold
QSFP 52 Voltage Low Alarm threshold
QSFP 52 Bias Low Alarm threshold
QSFP 52 RX Power Low Alarm threshold
===================================
QSFP 52 Temp High Warning threshold
QSFP 52 Voltage High Warning threshold
QSFP 52 Bias High Warning threshold
QSFP 52 RX Power High Warning threshold
QSFP 52
3. After the software has determined that the temperature levels are within normal limits, you can safely re-power the card. To bring the line card back online, use the power-on command in EXEC mode. In addition, to control airflow for adequate system cooling, Dell EMC Networking requires that you install blanks in all slots without a line card.
NOTE: Exercise care when removing a card; if it has exceeded the major or shutdown thresholds, the card could be hot to the touch.
Troubleshooting Packet Loss The show hardware stack-unit command is intended primarily to troubleshoot packet loss. To troubleshoot packet loss, use the following commands.
HOL DROPS on COS6
HOL DROPS on COS7
HOL DROPS on COS8
HOL DROPS on COS9
HOL DROPS on COS10
HOL DROPS on COS11
HOL DROPS on COS12
HOL DROPS on COS13
HOL DROPS on COS14
HOL DROPS on COS15
HOL DROPS on COS16
HOL DROPS on COS17
TxPurge CellErr
Aged Drops
--- Egress MAC counters---
Egress FCS Drops
--- Egress FORWARD PROCESSOR ---
IPv4 L3UC Aged & Drops
TTL Threshold Drops
INVALID VLAN CNTR Drops
L2MC Drops
PKT Drops of ANY Conditions
Hg MacUnderflow
TX Err PKT Counter
--- Error counters---
Internal Mac Transmit Errors
Dataplane Statistics
The show hardware stack-unit cpu data-plane statistics command provides insight into the packet types coming to the CPU.
noTxDesc        :0
txError         :0
txReqTooLarge   :0
txInternalError :0
txDatapathErr   :0
txPkt(COS0 )    :0
txPkt(COS1 )    :0
txPkt(COS2 )    :0
txPkt(COS3 )    :0
txPkt(COS4 )    :0
txPkt(COS5 )    :0
txPkt(COS6 )    :0
txPkt(COS7 )    :0
txPkt(COS8 )    :0
txPkt(COS9 )    :0
txPkt(COS10)    :0
txPkt(COS11)    :0
txPkt(UNIT0)    :0
Example of Viewing Party Bus Statistics
DellEMC#sh hardware stack-unit 1 cpu party-bus statistics
Input Statistics:
  27550 packets, 2559298 bytes
  0 dropped, 0 errors
Output Statistics:
  1649566 packets, 1935316203 bytes
  0 errors
RX - IPV4 L3 Unicast Frame Counter
RX - IPV4 L3 routed multicast Packets
RX - IPV6 L3 Unicast Frame Counter
RX - IPV6 L3 routed multicast Packets
RX - Unicast Packet Counter
RX - 64 Byte Frame Counter
RX - 64 to 127 Byte Frame Counter
RX - 128 to 255 Byte Frame Counter
RX - 256 to 511 Byte Frame Counter
RX - 512 to 1023 Byte Frame Counter
RX - 1024 to 1518 Byte Frame Counter
RX - 1519 to 1522 Byte Good
RX - IPV4 L3 Routed Multicast Packets
RX - IPV6 L3 Unicast Frame Counter
RX - IPV6 L3 Routed Multicast Packets
RX - Unicast Packet Counter
RX - 64 Byte Frame Counter
RX - 65 to 127 Byte Frame Counter
RX - 128 to 255 Byte Frame Counter
RX - 256 to 511 Byte Frame Counter
RX - 512 to 1023 Byte Frame Counter
RX - 1024 to 1518 Byte Frame Counter
RX - 1519 to 1522 Byte Good VLAN Frame Counter
RX - 1519 to 2047 Byte Frame Counter
RX - 2048 to 4095 Byte Frame Counter
RX - 4096 to 9216 Byte Frame Counter
RX - Good P
A mini core dump contains critical information in the event of a crash. Mini core dump files are located in flash:/ (the root directory). The application mini core filename format is f10StkUnit..acore.mini.txt. The kernel mini core filename format is f10StkUnit.kcore.mini.txt. The following are sample filenames. When a member or standby unit crashes, the mini core file is uploaded to the master unit.
63 Standards Compliance
This chapter describes standards compliance for Dell EMC Networking products.
NOTE: Unless noted, when a standard cited here is listed as supported by the Dell EMC Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance
Dell EMC Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell EMC Networking OS first supports the standard.
General Internet Protocols
The following table lists the Dell EMC Networking OS support per platform for general internet protocols.
Table 124. General Internet Protocols
Table 124. General Internet Protocols (continued)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
(row continued from previous page) 60 | Transfer Protocol | | | | | |
2474 | Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers | 7.7.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2615 | PPP over SONET/SDH | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2698 | | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
 | | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.
Table 125. General IPv4 Protocols (continued)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1035 | DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (client) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1042 | A Standard for the Transmission of IP Datagrams over IEEE 802 Networks | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1191 | Path MTU Discovery | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.
Table 126. General IPv6 Protocols (continued)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
2462 (Partial) | IPv6 Stateless Address Autoconfiguration | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2464 | Transmission of IPv6 Packets over Ethernet Networks | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2675 | IPv6 Jumbograms | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2711 | IPv6 Router Alert Option | 8.3.12.0 | 9.8(0.
Table 127. Border Gateway Protocol (BGP) (continued)
RFC# | Full Name | S-Series/Z-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
2842 | Capabilities Advertisement with BGP-4 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2858 | Multiprotocol Extensions for BGP-4 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2918 | Route Refresh Capability for BGP-4 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
3065 | Autonomous System Confederations for BGP | 7.8.1 | 9.
Intermediate System to Intermediate System (IS-IS)
The following table lists the Dell EMC Networking OS support per platform for the IS-IS protocol.
Table 129. Intermediate System to Intermediate System (IS-IS)
RFC# | Full Name | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1142 | OSI IS-IS Intra-Domain Routing Protocol (ISO DP 10589) | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1195 | Use of OSI IS-IS for Routing in TCP/IP and Dual Environments | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.
Routing Information Protocol (RIP)
The following table lists the Dell EMC Networking OS support per platform for the RIP protocol.
Table 130. Routing Information Protocol (RIP)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1058 | Routing Information Protocol | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2453 | RIP Version 2 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
4191 | Default Router Preferences and More-Specific Routes | 8.3.12.0 | 9.8(0.
Table 132. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1156 | Management Information Base for Network Management of TCP/IP-based internets | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
1157 | A Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
1212 | Concise MIB Definitions | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.
Table 132. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
2575 | View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
2576 | Coexistence Between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
2578 | Structure of Management Information Version 2 (SMIv2) | 7.
Table 132. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
(row continued from previous page) | Network Management Protocol (SNMP) | | | | | |
3418 | Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
3434 | Remote Monitoring MIB Extensions for High Capacity Alarms, High-Capacity Alarm Table (64 bits) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
3580 | IEEE 802.
Table 132. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
IEEE 802.1AB | Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components. | 7.7.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
IEEE 802.1AB | The LLDP Management Information Base extension module for IEEE 802.1 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB) | 7.7.1 | 9.8(0.0P2) | 9.8(0.
Table 132. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
FORCE10-IF-EXTENSION-MIB | Force10 Enterprise IF Extension MIB (extends the Interfaces portion of the MIB-2 (RFC 1213) by providing proprietary SNMP OIDs for other counters displayed in the "show interfaces" output) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
FORCE10-LINKAGG-MIB | Force10 Enterprise Link Aggregation MIB | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.
Table 132. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
ALARM-MIB | | | | | | |
MIB Location
You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.aspx
You can also obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/CSPortal20/Main/Login.aspx
Some pages of iSupport require a login.
64 X.509v3
Dell EMC Networking OS supports X.509v3 standards.
Topics:
• Introduction to X.509v3 certificates
• X.509v3 support in Dell EMC Networking OS
• Information about installing CA certificates
• Information about Creating Certificate Signing Requests (CSR)
• Information about installing trusted certificates
• Transport layer security (TLS)
• Online Certificate Status Protocol (OCSP)
• Verifying certificates
• Event logging
Introduction to X.509v3 certificates
X.
Advantages of X.509v3 certificates
Public-key authentication is preferred over password-based authentication, although the two may be used together for various reasons. Public-key authentication provides the following advantages over normal password-based authentication:
● Public-key authentication avoids the human problems of low-entropy password selection and provides more resistance to brute-force attacks than password-based authentication.
The other hosts on the network, such as the SUT switch, syslog server, and OCSP server, generate private keys and create Certificate Signing Requests (CSRs). The hosts then upload the CSRs to the Intermediate CA or make the CSRs available for the Intermediate CA to download. Dell EMC Networking OS generates a CSR using the crypto cert generate request command. The hosts on the network (SUT, syslog, OCSP…) also download and install the CA certificates from the Root and Intermediate CAs.
After the CA certificate is installed, the system can secure communications with TLS servers by verifying certificates that are signed by the CA.
Installing a CA certificate
To install a CA certificate, enter the crypto ca-cert install {path} command in Global Configuration mode.
Information about Creating Certificate Signing Requests (CSR)
A Certificate Signing Request (CSR) enables a device to obtain an X.509v3 certificate from a CA. In order for a device to get an X.
● Organization Unit Name
● Common Name
● Email address
● Validity Length
● Alternate Name
NOTE: The command contains multiple options; the Common Name is a required field, and unspecified fields are filled in with blanks.
Information about installing trusted certificates
Dell EMC Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS.
When not operating in FIPS mode, the system may support TLS 1.0 up to 1.2, and older ciphers and hashes:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA
TLS compression is disabled by default.
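The non-FIPS list above mixes ephemeral and static key exchange, 3DES and AES, all with CBC and HMAC-SHA1. The following Python is an added example (not part of the guide or of Dell EMC Networking OS) that parses IANA-style suite names such as these and tags the properties an operator would review before leaving FIPS mode off; the tag names are this example's own.

```python
# Added example: audit TLS 1.0-1.2 cipher-suite names for properties worth
# reviewing. Not part of Dell EMC Networking OS; tag names are invented here.

# The suites the guide lists as available when the system is NOT in FIPS mode.
NON_FIPS_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
]


def parse_suite(name):
    """Split a TLS 1.0-1.2 style name into (key exchange, cipher, mac)."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not a TLS 1.0-1.2 style suite name: %s" % name)
    kx, rest = name[len("TLS_"):].split("_WITH_", 1)
    cipher, mac = rest.rsplit("_", 1)
    return kx, cipher, mac


def audit_suite(name):
    """Return the list of review tags that apply to one suite name."""
    kx, cipher, mac = parse_suite(name)
    issues = []
    # Static DH/ECDH (no trailing E): a later leak of the server's long-term
    # key exposes every recorded session, i.e. no forward secrecy.
    if not kx.startswith(("ECDHE_", "DHE_")):
        issues.append("no-forward-secrecy")
    if "3DES" in cipher:                      # 64-bit block, birthday bound
        issues.append("3des-64bit-block")
    if cipher.endswith("_CBC"):               # MAC-then-encrypt CBC modes
        issues.append("cbc-mac-then-encrypt")
    if mac == "SHA":                          # HMAC-SHA1
        issues.append("sha1-hmac")
    return issues


def preferred_suites(suites):
    """Suites keeping forward secrecy and avoiding 3DES, in original order."""
    return [s for s in suites
            if not {"no-forward-secrecy", "3des-64bit-block"} & set(audit_suite(s))]


if __name__ == "__main__":
    for s in NON_FIPS_SUITES:
        print("%-40s %s" % (s, ", ".join(audit_suite(s))))
    print("prefer:", preferred_suites(NON_FIPS_SUITES))
```

Every suite on the list carries the CBC and SHA1 tags, so only the key-exchange and cipher tags separate them; four of the ten survive the preferred filter.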
Configuring OCSP behavior
You can configure how OCSP requests and responses are signed when the CA or the device contacts the OCSP responders. To configure this behavior, in CONFIGURATION mode, enter the following command:
crypto x509 ocsp {[nonce] [sign-request]}
Both the nonce and sign-request parameters are optional. By default, neither option is used.
Verifying Client Certificates
Verifying client certificates is optional in the TLS protocol and is not explicitly required by Common Criteria. However, TLS-protected Syslog and RADIUS protocols mandate that certificate-based mutual authentication be performed.
Event logging
The system logs the following events:
● A CA certificate is installed or deleted.
● A self-signed certificate and private key are generated.
● An existing host certificate, a private key, or both are deleted.