Dell 9.13.0.0 Configuration Guide for the S5000 Switch December 2017 Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Copyright © 2018 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents
Chapter 1: About this Guide (p. 32)
  Audience (p. 32)
  Conventions
  Viewing Files (p. 53)
  View Configuration Files (p. 54)
  Compressing Configuration Files
  Recovering from a Failed Start (p. 78)
  Viewing the Reason for Last System Reboot (p. 79)
Chapter 5: 802.1X (p. 80)
  The Port-Authentication Process
  Configuring a Standard IP ACL Filter (p. 109)
  Configure an Extended IP ACL (p. 110)
  Configuring Filters with a Sequence Number
Chapter 9: Border Gateway Protocol IPv4 (BGPv4) (p. 155)
  Autonomous Systems (AS) (p. 156)
  Sessions and Peers (p. 158)
  Establish a Session
  Filtering BGP Routes (p. 190)
  Filtering BGP Routes Using Route Maps (p. 191)
  Filtering BGP Routes Using AS-PATH Information (p. 192)
  Configuring BGP Route Reflectors
  Show Commands (p. 228)
Chapter 13: Data Center Bridging (DCB) (p. 230)
  Ethernet Enhancements in Data Center Bridging (p. 230)
  Priority-Based Flow Control
  Configure the System to be a DHCP Server (p. 270)
  Configuration Tasks (p. 270)
  Configuring the Server for Automatic Address Allocation (p. 270)
  Specifying a Default Gateway
  FIP Snooping on Ethernet Bridges (p. 298)
  FIP Snooping in a Switch Stack (p. 299)
  Using FIP Snooping
  Clearing the FRRP Counters (p. 329)
  Viewing the FRRP Configuration (p. 329)
  Viewing the FRRP Information (p. 329)
  Troubleshooting FRRP
  Enabling IGMP Immediate-Leave (p. 350)
  Disabling Multicast Flooding (p. 350)
  Specifying a Port as Connected to a Multicast Router (p. 351)
  Configuring the Switch as Querier
  Define the Interface Range (p. 384)
  Choosing an Interface-Range Macro (p. 384)
  Monitoring and Maintaining Interfaces (p. 385)
  Maintenance Using TDR
  Configuring ARP Retries (p. 415)
  ICMP (p. 416)
  Configuration Tasks for ICMP
  Configuring Detection and Ports for Dell Compellent Arrays (p. 439)
  Enable and Disable iSCSI Optimization (p. 439)
  Default iSCSI Optimization Values (p. 440)
  iSCSI Optimization Prerequisites
  Displaying the MAC Address Table (p. 478)
  MAC Learning Limit (p. 478)
  mac learning-limit Dynamic
  Enable MSDP (p. 518)
  Manage the Source-Active Cache (p. 519)
  Viewing the Source-Active Cache
  Supported Error Codes (p. 555)
  mtrace Scenarios (p. 555)
Chapter 37: NPIV Proxy Gateway (p. 561)
  Benefits of an NPIV Proxy Gateway
  Sample Configurations for OSPFv2 (p. 603)
  OSPFv3 NSSA (p. 605)
  Configuration Task List for OSPFv3 (OSPF for IPv6)
  Important Points to Remember (p. 650)
  Port Monitoring (p. 650)
  Configuring Port Monitoring
  DSCP Color Maps (p. 697)
  Creating a DSCP Color Map (p. 697)
  Displaying DSCP Color Maps
Chapter 49: Rapid Spanning Tree Protocol (RSTP) (p. 730)
  Protocol Overview (p. 730)
  Configuring Rapid Spanning Tree (p. 730)
  Important Points to Remember
  VTY MAC-SA Filter Support (p. 763)
  Two Factor Authentication (2FA) (p. 763)
  Handling Access-Challenge Message
Chapter 54: Simple Network Management Protocol (SNMP) (p. 791)
  Protocol Overview (p. 791)
  Implementation Information (p. 792)
  Configuration Task List for SNMP
  Fetch Dynamic MAC Entries using SNMP (p. 819)
  Deriving Interface Indices (p. 820)
  Monitoring BGP sessions via SNMP (p. 821)
  Monitor Port-Channels
Chapter 57: Spanning Tree Protocol (STP) (p. 858)
  Protocol Overview (p. 858)
  Configure Spanning Tree (p. 858)
  Important Points to Remember
  Setting Daylight Saving Time Once (p. 887)
  Setting Recurring Daylight Saving Time (p. 888)
Chapter 60: Tunneling (p. 890)
  Configuring a Tunnel
  VLT Bandwidth Monitoring (p. 924)
  VLT and Stacking (p. 924)
  VLT and IGMP Snooping
  Dynamic Route Leaking (p. 971)
  Configuring Route Leaking without Filtering Criteria (p. 972)
  Configuring Route Leaking with Filtering
Chapter 69: Standards Compliance (p. 1012)
  IEEE Compliance (p. 1012)
  RFC and I-D Compliance (p. 1013)
  General Internet Protocols
1 About this Guide
This guide describes the protocols and features supported on Dell Networking switches and routers by the Dell Networking operating system (OS) and provides configuration instructions and examples for implementing them. The S5000 switch is available with Dell Networking OS version 9.1(1.0) and later versions. It also supports stacking. Though this guide contains information on protocols, it is not intended to be a complete reference.
2 Configuration Fundamentals
The Dell Networking OS command line interface (CLI) is a text-based interface that you use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. In Dell Networking OS, after you enable a command, it is entered into the running configuration file.
● EXEC Privilege mode — has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; for more information, refer to Configuring the Enable Password.
NOTE: Sub-CONFIGURATION modes all have the letters “conf” in the prompt with more modifiers to identify the mode and slot/port information.
Table 1. Dell Networking OS Command Modes
CLI Command Mode | Prompt | Access Command
EXEC | Dell> | Access the router through the console or Telnet.
EXEC Privilege | Dell# | From EXEC mode, enter the enable command. From any other mode, use the end command.
CONFIGURATION | Dell(conf)# | From EXEC privilege mode, enter the configure command.
● Management: Port 0
● Fibre Channel: Ports from 0 to 11
The do Command
You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on) without having to return to EXEC mode by preceding the EXEC mode command with the do command. The following example shows the output of the do command.
Layer 2 protocols are disabled by default. Enable them using the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.
Obtaining Help
Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command:
● To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
● Entering ? after a prompt lists all of the available keywords.
Short-Cut Key Combination | Action
CNTL-D | Deletes character at cursor.
CNTL-E | Moves the cursor to the end of the line.
CNTL-F | Moves the cursor forward one character.
CNTL-I | Completes a keyword.
CNTL-K | Deletes all characters from the cursor to the end of the command line.
CNTL-L | Re-enters the previous command.
CNTL-N | Return to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow key.
CNTL-P | Recalls commands, beginning with the last command.
NOTE: Dell Networking OS accepts a space or no space before and after the pipe. To filter a phrase with spaces, underscores, or ranges, enclose the phrase with double quotation marks.
The except keyword displays text that does not match the specified text. The following example shows this command used in combination with the do show stack-unit all stack-ports all pfc details | except 0 command.
3 Getting Started
This chapter helps you get started using the S5000.
Accessing the RJ-45/RS-232 Console Port
The RS-232/RJ-45 console port is labeled on the lower left-hand side of the S5000 system as you face the Utility side of the chassis.
NOTE: Before starting this procedure, be sure that you have a terminal emulation program already installed on your PC.
Figure 2. RS-232/RJ-45 Console Port
To access the console port, follow these steps.
1. Install an RJ-45 copper cable into the console port.
Accessing the CLI Interface and Running Scripts Using SSH In addition to the capability to access a device using a console connection or a Telnet session, you can also use SSH for secure, protected communication with the device. You can open an SSH session and run commands or script files. This method of connectivity is supported with S4810, S4048–ON, S3048–ON, S4820T, and Z9000 switches and provides a reliable, safe communication mechanism.
Default Configuration
Although a version of Dell EMC Networking OS is pre-loaded onto the system, the system is not configured when you power up the system for the first time (except for the default hostname, which is DellEMC). You must configure the system using the CLI.
Accessing the USB-B Console Port
When you connect the USB-B port, it becomes the primary connection and, when the system is connected, it sends all messages to the USB-B drive.
■ 7 is to input a password that is already encrypted using the DES encryption method. Obtain the encrypted password from the configuration file of another device.
■ 5 is to input a password that is already encrypted using the MD5 encryption method. Obtain the encrypted password from the configuration file of another device.
■ 8 is to input a password that is already encrypted using the sha256-based encryption method. Obtain the encrypted password from the configuration file of another device.
Accessing the System Remotely
You can configure the system to access it remotely by Telnet or SSH. The system has a dedicated management port and a management routing table that is separate from the IP routing table. Configuring the system for Telnet is a three-step process:
1. Configure an IP address for the management port. (Configure the Management Port IP Address)
2. Configure a management route with a default gateway. (Configure a Management Route)
3. Configure a username and password.
○ encryption-type: specifies how you are inputting the password; it is 0 by default and is not required.
  ■ 0 is for inputting the password in clear text.
  ■ 7 is for inputting a password that is already encrypted using a Type 7 hash. Obtain the encrypted password from the configuration of another S5000 switch.
Creating a Port-based VLAN
The default virtual local area network (VLAN) (VLAN 1) is part of the system startup configuration and does not require configuration.
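The encryption-type values above (0 clear text and the default when omitted, 7 DES/Type 7, 5 MD5, 8 sha256) are what an operator reviewing a saved configuration needs to check. As an added example that is not part of the Dell guide, the following Python audit scans a constructed startup-config for password statements that are stored as clear text or as the reversible Type 7 encoding; it assumes the command shapes enable password, enable secret and username NAME ... password|secret [encryption-type] PASSWORD, and the sample configuration and hash values are constructed, not from a real device.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Meaning of the encryption-type argument as described in the guide:
# 0 = clear text (the default when the argument is omitted), 7 = DES/Type 7
# (reversible encoding), 5 = MD5 hash, 8 = sha256-based hash.
ENCRYPTION_TYPES = {
    "0": "clear text",
    "7": "reversible DES/Type 7 encoding",
    "5": "MD5 hash",
    "8": "sha256-based hash",
}

# Types a reviewer should flag: clear text is readable by anyone who can read
# the file, and Type 7 is an encoding that can be reversed, not a hash.
WEAK_TYPES = {"0", "7"}

# Assumed command shapes: "enable password", "enable secret" and
# "username NAME [options] password|secret". The encryption-type group is
# optional because the guide says it defaults to 0 when omitted.
_PASSWORD_RE = re.compile(
    r"^\s*(?P<cmd>enable\s+password|enable\s+secret|"
    r"username\s+(?P<user>\S+).*?\s(?:password|secret))"
    r"\s+(?:(?P<type>[0578])\s+)?(?P<value>\S+)\s*$"
)


@dataclass
class Finding:
    line_no: int
    command: str
    encryption_type: str
    reason: str


def audit_config(config_text: str) -> list[Finding]:
    """Return one Finding per password statement stored with a weak encryption type."""
    findings: list[Finding] = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = _PASSWORD_RE.match(line)
        if not m:
            continue
        enc = m.group("type") or "0"  # an omitted type means clear text
        if enc not in WEAK_TYPES:
            continue
        reason = ENCRYPTION_TYPES[enc]
        if m.group("type") is None:
            reason += " (encryption-type omitted, defaults to 0)"
        findings.append(Finding(line_no, m.group("cmd"), enc, reason))
    return findings


# Constructed sample configuration; hashes are placeholders, not real digests.
SAMPLE_CONFIG = """\
! constructed sample startup-config, not from a real device
hostname DellEMC
enable password 7 387a7f2df5969da4
enable secret 5 $1$abcd$constructedmd5hashvalue
username admin privilege 15 password 0 Summer2017
username netops password 8 $8$constructedsha256value
username backup privilege 1 password letmein
"""


def main() -> None:
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: '{f.command}' uses type {f.encryption_type}: {f.reason}")


if __name__ == "__main__":
    main()
```

Running the block reports the type 7 enable password, the explicit type 0 admin password and the backup user whose omitted encryption-type falls back to clear text; the MD5 and sha256 entries are left alone.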
● Configure an IP address and mask on the interface.
INTERFACE mode
ip address ip-address mask [secondary]
Connect the S5000 to the Network
After you have completed the hardware installation and software configuration for the S5000 system, you can connect to your company network by following your company’s cabling requirements.
Configure File Management
You can store on and access files from various storage media. Rename, delete, and copy files on the system from the EXEC Privilege mode.
The following shows an example of using the copy command to save a file to an FTP server.
Example of Copying a File to a Remote System
Dell#copy flash://Dell-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10//Dell/DellEF-8.2.1.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27952672 bytes successfully copied
The following shows an example of using the copy command to import a file to the S5000 switch from an FTP server.
DellEMC#copy ftp://10.16.127.35 nfsmount:
Source file name []: test.c
User name to login remote host: username
Example of Logging in to Copy from NFS Mount
DellEMC#copy nfsmount:///test flash:
Destination file name [test]: test2
!
5592 bytes successfully copied
DellEMC#
DellEMC#copy nfsmount:///test.txt ftp://10.16.127.35
Destination file name [test.txt]:
User name to login remote host: username
Password to login remote host:
!
Example of Copying to NFS Mount
DellEMC#copy flash://test.
copy running-config tftp://{hostip | hostname}/filepath/filename
● Save the running-configuration to an SCP server.
EXEC Privilege mode
copy running-config scp://username:password@{hostip | hostname}/filepath/filename
NOTE: When copying to a server, you can only use a hostname if you configured a DNS server.
Viewing Files
You can only view file information and content on local file systems. To view a list of files or the contents of a file, use the following commands.
View Configuration Files Configuration files have three commented lines at the beginning of the file, as shown in the following example, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startup-configuration.
Table 6. Standard and Compressed Configurations (continued): per-interface entries for int te 1/1 through int te 1/34 (shut/no shut, no ip address, ip address 2.1.1.).
Table 6. Standard and Compressed Configurations (continued)
shutdown
!
interface Vlan 4
 tagged te 1/1
 no ip address
 shutdown
!
interface Vlan 5
 tagged te 1/1
 no ip address
 shutdown
!
interface Vlan 100
 no ip address
 no shutdown
!
interface Vlan 1000
 ip address 1.1.1.1/16
 no shutdown
Uncompressed config size – 52 lines
write memory compressed
The write memory compressed CLI will write the operating configuration to the startup-config file in the compressed mode.
The output of the show file-systems command in the following example shows the total capacity, amount of free memory, file structure, media type, read/write privileges for each storage device in use.
For a particular target where VRF is enabled, the show output is similar to the following:
Feature State
-----------------------
VRF Enabled
View Command History
The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer. The system generates a trace message for each executed command. No password information is saved to the file. To view the command-history trace, use the show command-history command.
● sha256: SHA256 Secure Hash Algorithm
● flash: (Optional) Specifies the flash drive. The default uses the flash drive. You can enter the image file name.
● hash-value: (Optional) Specify the relevant hash published on iSupport.
DellEMC(conf)#ip http vrf {management | }
4 Switch Management
This chapter explains the different protocols or services used to manage the S5000 switch.
Creating a Custom Privilege Level
Custom privilege levels start with the default EXEC mode command set. You can then customize privilege levels 2 through 14 by:
● restricting access to an EXEC mode command
● moving commands from EXEC Privilege to EXEC mode
● allowing access to CONFIGURATION mode commands
● allowing access to INTERFACE, LINE, ROUTE-MAP, and ROUTER mode commands
A user can access all commands at his privilege level and below.
● moves the capture bgp-pdu max-buffer-size command from EXEC Privilege to EXEC mode by requiring a minimum privilege level 3, which is the configured level for VTY 0
● allows access to CONFIGURATION mode with the banner command
● allows access to INTERFACE and LINE modes with no commands
● Remove a command from the list of available commands in EXEC mode.
CONFIGURATION mode
privilege exec level level {command ||...|| command}
● Move a command from EXEC Privilege to EXEC mode.
range Configure interface range
sonet SONET interface
tengigabitethernet TenGigabit Ethernet interface
vlan VLAN interface
Dell(conf)#interface gigabitethernet 1/1
Dell(conf-if-gi-1/1)#?
end Exit from configuration mode
exit Exit from interface configuration mode
Dell(conf-if-gi-1/1)#exit
Dell(conf)#line ?
aux Auxiliary line
console Primary terminal line
vty Virtual terminal
Dell(conf)#line vty 0
Dell(config-line-vty)#?
exit Exit from line configuration mode
Dell(config-line-vty)#
Applying a Privilege Level
CONFIGURATION mode
no logging console
Log Messages in the Internal Buffer
All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
Track Login Activity Dell EMC Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events. When you log in using the console or VTY line, the system displays the last successful login details of the current user and the number of unsuccessful login attempts since your last successful login to the system, and whether the current user’s permissions have changed since the last login.
Example of the show login statistics all command
The show login statistics all command displays the successful and failed login details of all users in the last 30 days or the custom defined time period.
DellEMC#show login statistics all
-----------------------------------------------------------------
User: admin
Last login time: 08:54:28 UTC Wed Mar 23 2016
Last login location: Line vty0 ( 10.16.127.
The following is sample output of the show login statistics unsuccessful-attempts user login-id command.
DellEMC# show login statistics unsuccessful-attempts user admin
There were 3 unsuccessful login attempt(s) for user admin in last 12 day(s).
The following is sample output of the show login statistics successful-attempts command.
DellEMC#show login statistics successful-attempts
There were 4 successful login attempt(s) for user admin in last 30 day(s).
Connected to 10.11.178.14.
Escape character is '^]'.
Login: admin
Password:
Current sessions for user admin:
Line Location
2 vty 0 10.14.1.97
3 vty 1 10.14.1.97
Clear existing session? [line number/Enter to cancel]:
When you try to create more than the permitted number of sessions, the following message appears, prompting you to close one of the existing sessions. If you close any of the existing sessions, you are allowed to log in.
$ telnet 10.11.178.17
Trying 10.11.178.17...
Connected to 10.11.178.17.
logging trap level
● Specify the minimum severity level for logging to the syslog history table.
CONFIGURATION mode
logging history level
● Specify the size of the logging buffer.
CONFIGURATION mode
logging buffered size
● Specify the number of messages that Dell Networking OS saves to its logging history table.
1/56
Apr 25 11:07:15: %S5000:1 %IFAGT-5-REMOVED_OPTICS_PLUS: Optics SFP+ removed in slot 1 port 2
Apr 25 11:07:14: %S5000:1 %IFAGT-5-REMOVED_OPTICS_PLUS: Optics
To view any changes made, use the show running-config logging command in EXEC privilege mode, as shown in the example for Configuring a UNIX Logging Facility Level.
Configuring a UNIX Logging Facility Level
You can save system log messages with a UNIX system logging facility. To configure a UNIX logging facility level, use the following command.
Synchronizing Log Messages
You can configure Dell Networking OS to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system.
1. Enter LINE mode.
Configuration Task List for File Transfer Services
The configuration tasks for file transfer services are:
● Enabling the FTP Server
● Configuring FTP Server Parameters
● Configuring FTP Client Parameters
Enabling the FTP Server
To enable the system as an FTP server, use the following command. To view FTP configuration, use the show running-config ftp command in EXEC privilege mode.
● Enable FTP on the system.
○ For a 10-Gigabit Ethernet interface, enter the TenGigabitEthernet keyword then the slot/port information.
○ For a VLAN interface, enter the vlan keyword then a number from 1 to 4094.
○ For a 40-Gigabit Ethernet interface, enter the fortyGigE keyword then the slot/port information.
CONFIGURATION mode
ip ftp source-interface interface
● Configure a password.
CONFIGURATION mode
ip ftp password password
● Enter a username to use on the FTP client.
Configuring Login Authentication for Terminal Lines

You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, Dell Networking OS prompts the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are:

enable      Prompt for the enable password.
● Return to the default time-out values.
  LINE mode
  no exec-timeout

The following example shows how to set the time-out period and how to view the configuration using the show config command from LINE mode.

Dell(conf)#line con 0
Dell(config-line-console)#exec-timeout 0
Dell(config-line-console)#show config
line console 0
 exec-timeout 0 0
Dell(config-line-console)#

Using Telnet to get to Another Network Device

To telnet to another device, use the following commands.

● Telnet to the stack-unit.
Viewing the Configuration Lock Status

If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which user has control of CONFIGURATION mode using the show configuration lock command from EXEC Privilege mode. You can then send any user a message using the send command from EXEC Privilege mode. Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode.
   copy flash://startup-config.bak running-config

7. Remove all authentication statements you might have for the console.
   LINE mode
   no authentication login
   no password

8. Save the running-config.
   EXEC Privilege mode
   copy running-config startup-config

Recovering from a Forgotten Enable Password

Use the following commands if you forget the enable password.

1. Log onto the system using the console.
2. Power-cycle the chassis by switching off all of the power modules and then switching them back on.
3.
5. Assign an IP address as the default gateway for the switch.
   BOOT USER mode
   default gateway ip-address

6. Reload the switch.
   BOOT USER mode
   reload

Viewing the Reason for Last System Reboot

You can view the reason for the last system reboot.
5 802.1X

802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
● The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.

● The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant.
Figure 5. EAP Port-Authentication

EAP over RADIUS

802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.

Figure 6. EAP Over RADIUS

RADIUS Attributes for 802.1X Support

Dell Networking systems include the following RADIUS attributes in all 802.
Configuring 802.1X

Configuring 802.1X on a port is a one-step process. For more information, refer to Enabling 802.1X.

Related Configuration Tasks
● Configuring Request Identity Re-Transmissions
● Forcibly Authorizing or Unauthorizing a Port
● Re-Authenticating a Port
● Configuring Timeouts
● Configuring a Guest VLAN
● Configuring an Authentication-Fail VLAN

Important Points to Remember
● Dell Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
Enabling 802.1X

Enable 802.1X globally.

Figure 7. 802.1X Enabled

1. Enable 802.1X globally.
   CONFIGURATION mode
   dot1x authentication

2. Enter INTERFACE mode on an interface or a range of interfaces.
   INTERFACE mode
   interface [range]

3. Enable 802.1X on the supplicant interface only.
   INTERFACE mode
   dot1x authentication

Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. The bold lines show that 802.1X is enabled.
 no ip address
 dot1x authentication
 no shutdown
!
Dell#

View 802.1X configuration information for an interface using the show dot1x interface command. The bold lines show that 802.1X is enabled on all ports unauthorized by default.

Dell#show dot1x interface TenGigabitEthernet 2/1
802.
Configuring Request Identity Re-Transmissions

If the authenticator sends a Request Identity frame, but the supplicant does not respond, the authenticator waits 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits are configurable.
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             2
Supplicant Timeout:     30 seconds
Server Timeout:         30 seconds
Re-Auth Interval:       3600 seconds
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize

Forcibly Authorizing or Unauthorizing a Port

IEEE 802.1X requires that a port can be manually placed into any of three states:
● ForceAuthorized — an authorized state.
Re-Authenticating a Port

You can configure the authenticator for periodic re-authentication. After the supplicant has been authenticated, and the port has been authorized, you can configure the authenticator to reauthenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds, but you can configure this interval. You can configure a maximum number of re-authentications as well.
  dot1x server-timeout seconds
  The range is from 1 to 300. The default is 30.

The example shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds. The bold lines show the new supplicant and server timeouts.

Dell(conf-if-Te-0/0)#dot1x port-control force-authorized
Dell(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0
802.
Figure 8. Dynamic VLAN Assignment

1. Configure 802.1X globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations.
2. Make the interface a switchport so that it can be assigned to a VLAN.
3. Create the VLAN to which the interface is assigned.
4. Connect the supplicant to the port configured for 802.1X.
5. Verify that the port has been authorized and placed in the desired VLAN.
Configuring a Guest VLAN

If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN.

NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.

Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using the dot1x guest-vlan command from INTERFACE mode.
-----------------------------
Dot1x Status:           Enable
Port Control:           FORCE_AUTHORIZED
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Guest VLAN:             Disabled
Guest VLAN id:          200
Auth-Fail VLAN:         Disabled
Auth-Fail VLAN id:      100
Auth-Fail Max-Attempts: 5
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             10
Supplicant Timeout:     15 seconds
Server Timeout:         15 seconds
Re-Auth Interval:       7200 seconds
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
Auth PAE State: Backend State: Initialize Ini
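When reviewing many ports, it helps to turn the show dot1x interface listing into data and check it mechanically: the time a silent host waits before Guest VLAN placement follows from the (reauth-max + 1) * tx-period rule stated above, and a Port Control of FORCE_AUTHORIZED means the port forwards without authenticating anyone. The following is an added example, not code from the Dell guide or from Dell Networking OS. The sample output is constructed from the field values printed above; the 300-second review threshold is an assumption of this example, not a value from the guide.

```python
"""Audit a 'show dot1x interface' listing for weak port-authentication settings.

Added example, not from the Dell guide. It parses the 'Field: value' lines of
the show output and derives two things a reviewer wants: how long an
unresponsive (non-802.1X) host waits before landing in the Guest VLAN, which
the guide gives as (reauth-max + 1) * tx-period, and whether the port is in a
state that bypasses authentication (Port Control FORCE_AUTHORIZED). The sample
output below is constructed from the values shown in the guide.
"""
import re
from typing import Dict, List

# Constructed sample, using the field values printed in the guide.
SAMPLE_SHOW_DOT1X = """\
802.1x information on Te 2/1:
-----------------------------
Dot1x Status:           Enable
Port Control:           FORCE_AUTHORIZED
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Guest VLAN:             Disabled
Guest VLAN id:          200
Auth-Fail VLAN:         Disabled
Auth-Fail VLAN id:      100
Auth-Fail Max-Attempts: 5
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             10
Supplicant Timeout:     15 seconds
Server Timeout:         15 seconds
Re-Auth Interval:       7200 seconds
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
"""

# 'Name:   value' lines; the banner and separator lines do not match and are skipped.
_FIELD_RE = re.compile(r"^(?P<name>[A-Za-z0-9 .-]+?):\s+(?P<value>.+?)\s*$")

# Review threshold for Guest VLAN fallback time (assumption of this example).
FALLBACK_REVIEW_SECONDS = 300


def parse_show_dot1x(text: str) -> Dict[str, str]:
    """Turn 'Name: value' lines into a dict keyed by field name."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m["name"].strip()] = m["value"].strip()
    return fields


def _seconds(value: str) -> int:
    """Extract the leading integer from values such as '90 seconds'."""
    return int(value.split()[0])


def guest_vlan_fallback_seconds(fields: Dict[str, str]) -> int:
    """Time before a silent host is moved to the Guest VLAN: (reauth-max + 1) * tx-period."""
    return (int(fields["ReAuth Max"]) + 1) * _seconds(fields["Tx Period"])


def audit_port(fields: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if fields.get("Dot1x Status") != "Enable":
        findings.append("802.1X is not enabled on this port")
    if fields.get("Port Control") == "FORCE_AUTHORIZED":
        findings.append("Port Control is FORCE_AUTHORIZED: the port passes traffic without authenticating the supplicant")
    if fields.get("Re-Authentication") != "Enable":
        findings.append("periodic re-authentication is disabled; an authorized session is never re-checked")
    if fields.get("Guest VLAN") == "Disabled" and fields.get("Guest VLAN id", "None") != "None":
        findings.append(f"Guest VLAN id {fields['Guest VLAN id']} is configured but the Guest VLAN is not enabled")
    fallback = guest_vlan_fallback_seconds(fields)
    if fallback > FALLBACK_REVIEW_SECONDS:
        findings.append(f"a non-802.1X host waits {fallback} s before Guest VLAN placement ((ReAuth Max + 1) * Tx Period)")
    return findings


if __name__ == "__main__":
    parsed = parse_show_dot1x(SAMPLE_SHOW_DOT1X)
    for finding in audit_port(parsed):
        print("-", finding)
```

With the sample values, the fallback time is (10 + 1) * 90 = 990 seconds, and the FORCE_AUTHORIZED port control is reported because it is exactly the state the next section describes as bypassing authentication.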
 no shutdown
DellEMC(conf-if-Te 2/1)#show dot1x interface TenGigabitEthernet 2/1
802.
Auth-Fail VLAN:
Auth-Fail VLAN id:
Auth-Fail Max-Attempts:
Mac-Auth-Bypass:
Mac-Auth-Bypass Only:
Tx Period:
Quiet Period:
ReAuth Max:
Supplicant Timeout:
Server Timeout:
Re-Auth Interval:
Max-EAP-Req:
Host Mode:
Auth PAE State:
Backend State:
94 802.
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)

This section describes the access control list (ACL) virtual local area network (VLAN) group, and content addressable memory (CAM) enhancements.
The ACL manager does not notify the ACL agent in the following cases:
● The ACL VLAN group is created.
● The ACL VLAN group is deleted and it does not contain VLAN members.
● The ACL is applied or removed from a group and the ACL group does not contain a VLAN member.
● The description of the ACL group is added or removed.
   acl-vlan-group {group name}

2. Add a description to the ACL VLAN group.
   CONFIGURATION (conf-acl-vl-grp) mode
   description description

3. Apply an egress IP ACL to the ACL VLAN group.
   CONFIGURATION (conf-acl-vl-grp) mode
   ip access-group {group name} out implicit-permit

4. Add VLAN member(s) to an ACL VLAN group.
   CONFIGURATION (conf-acl-vl-grp) mode
   member vlan {VLAN-range}

5. Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
   EXEC Privilege mode

DellEMC#show cam-usage switch
Stackunit|Portpipe| CAM Partition   | Total CAM  | Used CAM   |Available CAM
========|========|=================|============|============|=============
   1    |   0    | IN-L2 ACL       | 1536       | 0          | 1536
        |        | OUT-L2 ACL      | 206        | 9          | 197
Codes: * - cam usage is above 90%.

Viewing CAM Usage

View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL subpartitions) using the show cam-usage command in EXEC Privilege mode.
        |        | IN-V6 ACL       |            |            |
        |        | OUT-L2 ACL      |            |            |
        |        | OUT-L3 ACL      |            |            |
        |        | OUT-V6 ACL      |            |            |
   3    |   0    | IN-L2 ACL       |            |            |
        |        | IN-L3 ACL       |            |            |
        |        | IN-V6 ACL       |            |            |
        |        | OUT-L2 ACL      |            |            |
        |        | OUT-L3 ACL      |            |            |
        |        | OUT-V6 ACL      |            |            |
Codes: * - cam usage is above 90%.
To display the number of FP blocks that are allocated for the different VLAN services, use the show cam-acl-vlan command. After you configure the ACL VLAN groups, reboot the system to store the settings in nonvolatile storage. During CAM initialization, the chassis manager reads the NVRAM and allocates the dynamic VCAP regions.
7 Access Control Lists (ACLs)

This chapter describes access control lists (ACLs), prefix lists, and route-maps.

The S5000 switch supports:
● Access control lists (ACLs)
● Ingress IP and MAC ACLs
● Egress IP and MAC ACLs

At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
For extended ACL, TCP, and UDP filters, you can match criteria on specific or ranges of TCP or UDP ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions. When creating an access list, the sequence of the filters is important. You have a choice of assigning sequence numbers to the filters as you enter them, or the Dell Networking operating system (OS) assigns numbers in the order the filters are created.
Test CAM Usage

The test cam-usage command is supported on the S5000 platforms. This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs. To determine whether sufficient ACL CAM space is available to enable a service-policy, use this command. To verify the actual CAM space required, create a class map with all the required ACL rules, then execute the test cam-usage command in Privilege mode.
vrfv4Acl Openflow fedgovacl : : : 0 0 0 2 0 0
DellEMC(conf)#

NOTE: If you change the cam-acl setting from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
fedgovacl                 : 0
DellEMC#

View CAM Usage

View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL subpartitions) using the show cam-usage command in EXEC Privilege mode. The following output shows CAM blocks usage for Layer 2 and Layer 3 ACLs and other processes that use CAM space:

Example of the show cam-usage Command

DellEMC#show cam-usage
Stackunit|Portpipe| CAM Partition   | Total CAM  | Used CAM   |Available CAM
========|========|=================|===
NOTE: IP ACLs are supported over VLANs in Dell Networking OS version 6.2.1.1 and higher.

ACLs and VLANs

There are some differences when assigning ACLs to a VLAN rather than a physical port. For example, when using a single port-pipe, if you apply an ACL to a VLAN, one copy of the ACL entries is installed in the ACL CAM on the port-pipe. The entry looks for the incoming VLAN in the packet.
IP Fragment Handling

The Dell Networking OS supports a configurable option to explicitly deny IP fragmented packets, specifically second and subsequent packets. It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable to all Layer protocols (permit/deny ip/tcp/udp/icmp).
● Both standard and extended ACLs support IP fragments.
● Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments.
● If a packet's FO = 0, the next ACL line is processed.

In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted. All others are denied.

Example of Layer 4 ACL Rules

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#deny ip any any fragment
Dell(conf-ext-nacl)

In the following example, the TCP packets that are first fragments or non-fragmented from host 10.1.1.
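The behaviour of ACL ABC on fragmented traffic is easier to see by running packets through a small model of the matching rules. The following is an added example, not code from the Dell guide or from Dell Networking OS. It implements the rule stated above for lines carrying the fragments keyword (act only on FO > 0, pass FO = 0 packets to the next line) and an implicit deny at the end. One further rule is an assumption of this example, taken from common ACL behaviour rather than from this page: a line with Layer 4 port criteria cannot check ports on a non-initial fragment, so such a fragment is permitted by a matching permit line and skipped past a deny line. The packets are constructed test input.

```python
"""Simulate how an extended IP ACL treats fragmented packets.

Added example, not from the Dell guide and not Dell Networking OS code. It
models the two-line ACL 'ABC' from the guide (permit tcp host 10.1.1.1 any eq 24,
deny ip any any fragment, implicit deny) and the fragment-offset rules the
guide describes: a line carrying the 'fragments' keyword only acts on
non-initial fragments (FO > 0) and passes FO = 0 packets to the next line.
Assumption (standard ACL behaviour, not spelled out on this page): a line
with Layer 4 port criteria cannot check ports on a non-initial fragment, so
such a fragment is permitted by a matching permit line and skipped past a deny
line. Packets below are constructed test input.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # 'tcp', 'udp', 'icmp', ...
    frag_offset: int             # 0 for the first fragment or an unfragmented packet
    dport: Optional[int] = None  # only meaningful when frag_offset == 0


@dataclass(frozen=True)
class Rule:
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip' matches any protocol
    src: str                     # CIDR; 'host a.b.c.d' is written as a.b.c.d/32
    dst: str                     # CIDR; 'any' is written as 0.0.0.0/0
    eq_dport: Optional[int] = None
    fragments: bool = False

    def l3_matches(self, pkt: Packet) -> bool:
        proto_ok = self.proto == "ip" or self.proto == pkt.proto
        return (proto_ok
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))

    def has_l4(self) -> bool:
        return self.eq_dport is not None


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt, applying the first line that decides."""
    for rule in acl:
        if not rule.l3_matches(pkt):
            continue
        if rule.fragments:
            # 'fragments' lines act only on FO > 0; FO = 0 goes to the next line.
            if pkt.frag_offset > 0:
                return rule.action
            continue
        if rule.has_l4():
            if pkt.frag_offset == 0:
                if pkt.dport == rule.eq_dport:
                    return rule.action
                continue
            # Non-initial fragment: no ports to check (assumption stated above).
            if rule.action == "permit":
                return "permit"
            continue
        return rule.action
    return "deny"  # implicit deny at the end of every ACL


# The guide's ACL 'ABC'
ACL_ABC = [
    Rule("permit", "tcp", "10.1.1.1/32", "0.0.0.0/0", eq_dport=24),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", fragments=True),
]


def classify_samples() -> Dict[str, str]:
    """Run constructed packets through ACL_ABC and return name -> verdict."""
    samples = {
        "tcp_24_first": Packet("10.1.1.1", "192.0.2.10", "tcp", 0, dport=24),
        "tcp_25_first": Packet("10.1.1.1", "192.0.2.10", "tcp", 0, dport=25),
        "frag_from_host": Packet("10.1.1.1", "192.0.2.10", "tcp", 185),
        "frag_from_other": Packet("10.2.2.2", "192.0.2.10", "tcp", 185),
        "udp_unfragmented_other": Packet("10.2.2.2", "192.0.2.10", "udp", 0, dport=53),
    }
    return {name: evaluate(ACL_ABC, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:24s} -> {verdict}")
```

The model shows why the deny ip any any fragment line matters: without it, non-initial fragments from any source would fall through to the implicit deny only because nothing permits them, whereas with it the decision is explicit and visible in hit counters.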
seq 30 deny 10.6.0.0 /16
seq 35 deny 10.7.0.0 /16
seq 40 deny 10.8.0.0 /16
seq 45 deny 10.9.0.0 /16
seq 50 deny 10.10.0.0 /16
Dell#

The following example shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 25 was configured before filter 15, but the show config command displays the filters in the correct order.

Dell(config-std-nacl)#seq 25 deny ip host 10.5.0.0 any log
Dell(config-std-nacl)#seq 15 permit tcp 10.3.0.
seq 50 permit tcp 10.8.0.0 /16 10.50.188.118 /31 eq 49 monitor 349
seq 55 permit udp 10.15.1.0 /24 10.50.188.118 /31 range 1812 1813

To delete a filter, enter the show config command in IP ACCESS LIST mode and locate the sequence number of the filter you want to delete. Then use the no seq sequence-number command in IP ACCESS LIST mode.
  {deny | permit} tcp {source mask | any | host ip-address} [count [byte]] [order] [monitor [session-id]] [fragments]

● Configure a deny or permit filter to examine UDP packets.
  CONFIG-EXT-NACL mode
  {deny | permit} udp {source mask | any | host ip-address} [count [byte]] [order] [monitor [session-id]] [fragments]

When you use the log keyword, the CP logs details about the packets that match.
NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets. The L3 ACL applied to such a port does not affect traffic.

That is, existing rules for other features (such as trace-list, policy-based routing [PBR], and QoS) are applied to the permitted traffic. For information about MAC ACLs, refer to Layer 2.

Assign an IP ACL to an Interface

To pass traffic through a configured IP ACL, assign that ACL to a physical interface, a port channel interface, or a VLAN.
Counting ACL Hits

You can view the number of packets matching the ACL by using the count option when creating ACL entries.

1. Create an ACL that uses rules with the count option. Refer to Configuring a Standard IP ACL Filter.
2. Apply the ACL as an inbound or outbound ACL on an interface. Refer to Assign an IP ACL to an Interface.
3. View the number of packets matching the ACL.
   EXEC Privilege mode
   show ip accounting access-list
Example of Applying ACL Rules to Egress Traffic and Viewing ACL Configuration

To specify egress, use the out keyword. Begin applying rules to the ACL with the ip access-list extended abcd command. To view the access-list, use the show command.
NOTE: Loopback ACLs are supported only on ingress traffic. Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the fragments option and apply it to a Loopback interface, the command is accepted, but the offending rule is not installed in CAM. For more information, refer to the Loopback Interfaces section in the Interfaces chapter.

Applying an ACL on Loopback Interfaces

You can apply ACLs on a Loopback interface.
A route prefix is an IP address pattern that matches on bits within the IP address. The format of a route prefix is A.B.C.D/X where A.B.C.D is a dotted-decimal address and /X is the number of bits that should be matched of the dotted decimal address. For example, in 112.24.0.0/16, the first 16 bits of the address 112.24.0.0 match all addresses between 112.24.0.0 to 112.24.255.255.

The following examples show permit or deny filters for specific routes using the le and ge parameters, where x.x.x.
If you want to forward all routes that do not match the prefix list criteria, configure a prefix list filter to permit all routes (permit 0.0.0.0/0 le 32). The “permit all” filter must be the last filter in your prefix list. To permit the default route only, enter permit 0.0.0.0/0. The following example shows how the seq command orders the filters according to the sequence number assigned.
  show ip prefix-list detail [prefix-name]

● Show a table of summarized information about configured Prefix lists.
  EXEC Privilege mode
  show ip prefix-list summary [prefix-name]

Dell>show ip prefix detail
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
   seq 5 deny 1.102.0.0/16 le 32 (hit count: 0)
   seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0)
   seq 10 permit 0.0.0.
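Prefix-list evaluation with le and ge is worth checking against concrete routes before the list is attached to a routing protocol, since a mis-sized range silently admits or drops routes. The following is an added example, not code from the Dell guide or from Dell Networking OS. It models the filter_in list shown above, whose truncated last line is assumed here to be the "permit all" filter permit 0.0.0.0/0 le 32 described earlier. One detail is an assumption taken from common implementations rather than from this page: ge without le means lengths up to /32. The routes used as input are constructed.

```python
"""Evaluate routes against an IP prefix list with ge/le semantics.

Added example, not from the Dell guide. An entry A.B.C.D/X matches a route
whose first X bits equal the entry's, optionally constrained to a prefix-length
range with 'ge' and 'le'; entries are evaluated in sequence order and the first
hit decides; a route matching no entry is denied. The list below is the guide's
'filter_in' example, with its last line assumed to be 'permit 0.0.0.0/0 le 32'.
Assumption: 'ge' given without 'le' means lengths up to /32.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str                 # 'permit' or 'deny'
    prefix: str                 # 'A.B.C.D/X'
    ge: Optional[int] = None    # minimum prefix length (default: X)
    le: Optional[int] = None    # maximum prefix length (default: X, or 32 when ge is given)

    def matches(self, route: str) -> bool:
        net = IPv4Network(self.prefix, strict=False)
        r = IPv4Network(route, strict=False)
        low = self.ge if self.ge is not None else net.prefixlen
        if self.le is not None:
            high = self.le
        else:
            high = 32 if self.ge is not None else net.prefixlen
        if not (low <= r.prefixlen <= high):
            return False
        # The route's leading X bits must equal the entry's network bits.
        return r.subnet_of(net)


def evaluate_prefix_list(entries: List[PrefixEntry], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry, or ('deny', None)."""
    for e in sorted(entries, key=lambda e: e.seq):
        if e.matches(route):
            return e.action, e.seq
    return "deny", None


# The guide's filter_in list; seq 10 completed as the "permit all" filter.
FILTER_IN = [
    PrefixEntry(5, "deny", "1.102.0.0/16", le=32),
    PrefixEntry(6, "deny", "2.1.0.0/16", ge=23),
    PrefixEntry(10, "permit", "0.0.0.0/0", le=32),
]

# A list that permits the default route only (permit 0.0.0.0/0 without le/ge).
DEFAULT_ONLY = [PrefixEntry(5, "permit", "0.0.0.0/0")]


if __name__ == "__main__":
    for route in ["1.102.7.0/24", "2.1.0.0/16", "2.1.4.0/24", "192.0.2.0/24"]:
        print(route, "->", evaluate_prefix_list(FILTER_IN, route))
    print("10.0.0.0/8 against permit 0.0.0.0/0 ->", evaluate_prefix_list(DEFAULT_ONLY, "10.0.0.0/8"))
```

Note the difference between the two lists: 2.1.0.0/16 itself slips past seq 6 because its length is below the ge 23 floor and is permitted by seq 10, while permit 0.0.0.0/0 with no range admits nothing but the default route.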
Applying a Filter to a Prefix List (OSPF)

To apply a filter to routes in open shortest path first (OSPF), use the following commands.

● Enter OSPF mode.
  CONFIGURATION mode
  router ospf

● Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded.
  CONFIG-ROUTER-OSPF mode
  distribute-list prefix-list-name in [interface]

● Apply a configured prefix list to incoming routes.
Resequencing an ACL or Prefix List Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the following commands. You must specify the list name, starting number, and increment when using these commands.
seq 4 permit ip any host 1.1.1.1
remark 6 this remark has no corresponding rule
remark 8 this remark corresponds to permit ip any host 1.1.1.2
seq 8 permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.3
seq 12 permit ip any host 1.1.1.4

Route Maps

Similar to ACLs and prefix lists, route maps are composed of a series of commands that contain a matching criterion and an action; however, route maps can change the packets meeting the criterion.
  route-map map-name [permit | deny] [sequence-number]
  The default is permit. The optional seq keyword allows you to assign a sequence number to the route map instance. The default action is permit and the default sequence number starts at 10.

When you use the keyword deny in configuring a route map, routes that meet the match filters are not redistributed. To view the configuration, use the show config command in ROUTE-MAP mode.
When there are multiple match commands with the same parameter under one instance of route-map, Dell Networking OS does a match between all of those match commands. If there are multiple match commands with different parameters, Dell Networking OS does a match ONLY if there is a match among ALL the match commands. In the following example, there is a match if a route has any of the tag values specified in the match commands.
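The any-of / all-of distinction above determines which routes a route map actually admits, so it is worth modelling before a map is attached to a redistribution. The following is an added example, not code from the Dell guide or from Dell Networking OS. It evaluates a route against route-map instances in sequence order, treating several match values of the same parameter as alternatives and different parameters as jointly required, and applies set actions only on permit. The route map and the routes are constructed; tag and metric are used as the match parameters.

```python
"""Evaluate a route against route-map instances, following the match rules the guide states.

Added example, not from the Dell guide. Within one route-map instance, several
'match' commands for the same parameter (for example several 'match tag'
values) succeed if any value matches, while match commands for different
parameters must all succeed. Instances are tried in sequence-number order; the
first instance whose matches succeed applies its permit/deny and 'set'
actions. A route matching no instance is treated as denied (not redistributed).
The route map and routes below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Route:
    prefix: str
    tag: Optional[int] = None
    metric: Optional[int] = None
    attrs: Dict[str, object] = field(default_factory=dict)


@dataclass
class Instance:
    seq: int
    action: str = "permit"                                  # default action is permit
    match_tags: Set[int] = field(default_factory=set)       # values from repeated 'match tag'
    match_metrics: Set[int] = field(default_factory=set)    # values from repeated 'match metric'
    sets: Dict[str, object] = field(default_factory=dict)   # e.g. {'metric': 200, 'tag': 99}

    def matches(self, route: Route) -> bool:
        # Same-parameter values are alternatives; different parameters are all required.
        # An instance with no match commands matches every route.
        if self.match_tags and route.tag not in self.match_tags:
            return False
        if self.match_metrics and route.metric not in self.match_metrics:
            return False
        return True


def apply_route_map(instances: List[Instance], route: Route) -> Tuple[str, Optional[int], Route]:
    """Return (action, seq of the deciding instance, possibly modified copy of route)."""
    for inst in sorted(instances, key=lambda i: i.seq):
        if inst.matches(route):
            out = Route(route.prefix, route.tag, route.metric, dict(route.attrs))
            if inst.action == "permit":
                for name, value in inst.sets.items():
                    if name == "tag":
                        out.tag = value
                    elif name == "metric":
                        out.metric = value
                    else:
                        out.attrs[name] = value
            return inst.action, inst.seq, out
    return "deny", None, route


# Constructed route map:
#   seq 10 deny   match tag 1 / match tag 2 / match tag 3   (any of the tags -> not redistributed)
#   seq 20 permit match tag 100 + match metric 50           (both required) set metric 200
#   seq 30 permit (no match commands: catch-all)
ROUTE_MAP = [
    Instance(10, "deny", match_tags={1, 2, 3}),
    Instance(20, "permit", match_tags={100}, match_metrics={50}, sets={"metric": 200}),
    Instance(30, "permit"),
]


if __name__ == "__main__":
    for r in [Route("10.1.0.0/16", tag=2), Route("10.2.0.0/16", tag=100, metric=50),
              Route("10.3.0.0/16", tag=100, metric=10), Route("10.4.0.0/16")]:
        action, seq, out = apply_route_map(ROUTE_MAP, r)
        print(f"{r.prefix} tag={r.tag} metric={r.metric} -> {action} (seq {seq}), metric now {out.metric}")
```

The third sample route carries the right tag but not the right metric, so seq 20 does not apply and the route falls through to the catch-all; this is the all-of rule for different parameters.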
  match ip address prefix-list-name

● Match destination routes specified in a prefix list (IPv6).
  CONFIG-ROUTE-MAP mode
  match ipv6 address prefix-list-name

● Match next-hop routes specified in a prefix list (IPv4).
  CONFIG-ROUTE-MAP mode
  match ip next-hop {access-list-name | prefix-list prefix-list-name}

● Match next-hop routes specified in a prefix list (IPv6).
  CONFIG-ROUTE-MAP mode
  match ipv6 next-hop {access-list-name | prefix-list prefix-list-name}

● Match source routes specified in a prefix list (IPv4).
● Specify an OSPF or ISIS type for redistributed routes.
  CONFIG-ROUTE-MAP mode
  set metric-type {external | internal | type-1 | type-2}

● Assign an IP address as the route's next hop.
  CONFIG-ROUTE-MAP mode
  set next-hop ip-address

● Assign an IPv6 address as the route's next hop.
  CONFIG-ROUTE-MAP mode
  set ipv6 next-hop ip-address

● Assign an ORIGIN attribute.
  CONFIG-ROUTE-MAP mode
  set origin {egp | igp | incomplete}

● Specify a tag for the redistributed routes.
Configure a Route Map for Route Tagging

One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol. As the route enters a different routing domain, it is tagged. The tag is passed along with the route as it passes through different routing protocols. You can use this tag when the route leaves a routing domain to redistribute those routes again.
8 Bidirectional Forwarding Detection (BFD)

BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format

Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.

Figure 9. BFD in IPv4 Packet Format

Field             Description
Diagnostic Code   The reason that the last session failed.
State             The current local session state. Refer to BFD Sessions.
Flag              A bit that indicates packet function.
Field                    Description
Your Discriminator       A random number the remote system generates to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Desired Min TX Interval  The minimum rate at which the local system would like to send control packets to the remote system.
Up      Both systems are exchanging control packets.

The session is declared down if:
● A control packet is not received within the detection time.
● Sufficient echo packets are lost.
● Demand mode is active and a control packet is not received in response to a poll packet.

BFD Three-Way Handshake

A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes

The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init.

Figure 11.
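The handshake and the state changes described in the last two sections can be exercised with a small model of one side of a session. The following is an added example, not code from the Dell guide or from Dell Networking OS; the transition rules and the detection-time formula are taken from RFC 5880 (the BFD specification the guide's fields follow), not from this page, and the sequence of received control packets is constructed. The interval and multiplier values are the ones that appear in the show output later in this chapter (TX 100 ms, RX 100 ms, multiplier 4).

```python
"""BFD session state machine and detection time.

Added example, not from the Dell guide. It models the state changes the guide
describes (Down -> Init -> Up three-way handshake, and a session declared Down
when control packets stop arriving within the detection time) using the
transition rules of RFC 5880, section 6.8.6, and the detection time from the
same RFC: the remote Detect Mult multiplied by the larger of the remote Desired
Min TX Interval and the local Required Min RX Interval. The packet sequence
below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DOWN, INIT, UP, ADMIN_DOWN = "Down", "Init", "Up", "AdminDown"


@dataclass(frozen=True)
class ControlPacket:
    state: str                   # the remote system's session state
    desired_min_tx_us: int       # remote Desired Min TX Interval (microseconds)
    required_min_rx_us: int      # remote Required Min RX Interval
    detect_mult: int             # remote Detect Mult
    my_discriminator: int        # remote's My Discriminator
    your_discriminator: int = 0  # our discriminator as the remote knows it (0 = unknown yet)


class BfdSession:
    def __init__(self, local_discriminator: int, required_min_rx_us: int = 100_000):
        self.state = DOWN
        self.local_disc = local_discriminator
        self.remote_disc = 0
        self.required_min_rx_us = required_min_rx_us
        self.detection_time_us: Optional[int] = None

    def receive(self, pkt: ControlPacket) -> str:
        """Apply RFC 5880 state transitions for a received control packet."""
        if pkt.your_discriminator not in (0, self.local_disc):
            return self.state            # not addressed to this session; discard
        self.remote_disc = pkt.my_discriminator
        # Detection time: how long we tolerate silence before declaring Down.
        self.detection_time_us = pkt.detect_mult * max(pkt.desired_min_tx_us, self.required_min_rx_us)
        if pkt.state == ADMIN_DOWN:
            self.state = DOWN
        elif self.state == DOWN:
            if pkt.state == DOWN:
                self.state = INIT        # the example given in the guide
            elif pkt.state == INIT:
                self.state = UP
            # a received Up while we are Down is ignored
        elif self.state == INIT:
            if pkt.state in (INIT, UP):
                self.state = UP
        elif self.state == UP:
            if pkt.state == DOWN:
                self.state = DOWN
        return self.state

    def detection_timer_expired(self) -> str:
        """No control packet within the detection time: the session goes Down."""
        if self.state != ADMIN_DOWN:
            self.state = DOWN
        return self.state


def run_handshake() -> Tuple[List[str], Optional[int]]:
    """Drive a local session through the three-way handshake and then a timeout."""
    local = BfdSession(local_discriminator=0x1111, required_min_rx_us=100_000)
    history = [local.state]
    # Remote starts Down and does not know our discriminator yet.
    history.append(local.receive(ControlPacket(DOWN, 100_000, 100_000, 4, 0x2222, 0)))
    # Remote moved to Init after seeing our Down and now echoes our discriminator.
    history.append(local.receive(ControlPacket(INIT, 100_000, 100_000, 4, 0x2222, 0x1111)))
    # Remote is Up; we stay Up.
    history.append(local.receive(ControlPacket(UP, 100_000, 100_000, 4, 0x2222, 0x1111)))
    # Then its packets stop arriving for longer than the detection time.
    history.append(local.detection_timer_expired())
    return history, local.detection_time_us


if __name__ == "__main__":
    states, detect_us = run_handshake()
    print(" -> ".join(states))
    print(f"detection time: {detect_us / 1000:.0f} ms")
```

With 100 ms intervals and a multiplier of 4, the detection time is 400 ms: four consecutive missed control packets take the session down, which is what the "multiplier (maximum number of missed packets)" wording later in this chapter refers to.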
Configure BFD for Physical Ports

Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. When you enable BFD, the local system removes the route as soon as it stops receiving periodic control packets from the remote system.
  Actual parameters:
    TX: 100ms, RX: 100ms, Multiplier: 4
  Role: Passive
  Delete session on Down: False
  Client Registered: CLI
  Uptime: 00:09:06
  Statistics:
    Number of packets received from neighbor: 4092
    Number of packets sent to neighbor: 4093
    Number of state changes: 1
    Number of messages from IFA about port state change: 0
    Number of messages communicated b/w Manager and Agent: 7

Disabling and Re-Enabling BFD

BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configur
Establishing Sessions for Static Routes for Default VRF

Sessions are established for all neighbors that are the next hop of a static route on the default VRF.

Figure 12. Establishing Sessions for Static Routes

To establish a BFD session, use the following command.

● Establish BFD sessions for all neighbors that are the next hop of a static route.
Example Configuration and Verification

The following example contains static routes for both default and nondefault VRFs.

Dell#sh run | grep bfd
bfd enable
ip route bfd prefix-list p4_le
ip route bfd vrf vrf1
ip route bfd vrf vrf2
ip route bfd vrf vrf1 prefix-list p4_le

The following example shows that sessions are created for static routes for the default VRF.
Prefix lists are used in route maps and route filtering operations. You can use prefix lists as an alternative to existing access lists (ACLs). A prefix is a portion of the IP address. Prefix lists constitute any number of bits in an IP address starting from the far left bit of the far left octet. By specifying the exact number of bits in an IP address that belong to a prefix list, the prefix list can be used to aggregate addresses and perform some functions; for example, redistribution.
  no ip route bfd [prefix-list prefix-list-name] [interval interval min_rx min_rx multiplier value role {active | passive}]

Configure BFD for IPv6 Static Routes

BFD offers systems a link state detection mechanism for static routes. With BFD, systems are notified to remove static routes from the routing table as soon as the link state change occurs, rather than waiting until packets fail to reach their next hop.

Configuring BFD for IPv6 static routes is a three-step process:
1. Enable BFD globally.
2.
  ipv6 route bfd vrf vrf-name [prefix-list prefix-list-name] [interval interval min_rx min_rx multiplier value role {active | passive}]

Example Configuration and Verification

The following example contains static routes for both default and nondefault VRFs.

Dell#show run | grep bfd
bfd enable
ipv6 route bfd prefix-list p6_le
ipv6 route bfd vrf vrf1
ipv6 route bfd vrf vrf2
ipv6 route bfd vrf vrf1 prefix-list p6_le

The following example shows that sessions are created for static routes for the default VRF.
Changing IPv6 Static Route Session Parameters

BFD sessions are configured with default intervals and a default role. The parameters you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all static routes. If you change a parameter, the change affects all sessions for static routes. To change parameters for static route sessions, use the following command.

● Change parameters for all static route sessions.
Establishing Sessions with OSPF Neighbors

BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.

Figure 13. Establishing Sessions with OSPF Neighbors

To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands.

● Establish sessions with all OSPF neighbors.
  I - ISIS
  O - OSPF
  R - Static Route (RTM)

LocalAddr    RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.2    2.2.2.1      Te 2/1      Up      100      100      3      O

Establishing Sessions with OSPF Neighbors for nondefault VRFs

To configure BFD in a nondefault VRF, follow this procedure:

● Enable BFD globally.
  CONFIGURATION mode
  bfd enable

● Establish sessions with all OSPF neighbors in a specific VRF.
  ROUTER-OSPF mode
  bfd all-neighbors

● Establish sessions with OSPF neighbors on a single interface in a specific VRF.
  Local MAC Addr: 00:01:e8:02:15:0e
  Remote Addr: 10.1.3.
Configure BFD for OSPFv3

BFD for OSPFv3 provides support for IPv6. Configuring BFD for OSPFv3 is a two-step process:
1. Enable BFD globally.
2. Establish sessions with OSPFv3 neighbors.

Related Configuration Tasks
● Changing OSPFv3 Session Parameters
● Disabling BFD for OSPFv3

Establishing Sessions with OSPFv3 Neighbors

You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface.
  CONFIGURATION mode
  bfd enable

● Establish sessions with all OSPFv3 neighbors in a specific VRF.
  ROUTER-OSPFv3 mode
  bfd all-neighbors

● Establish sessions with the OSPFv3 neighbors on a single interface in a specific VRF.
  INTERFACE mode
  ipv6 ospf bfd all-neighbors

● To disable BFD on a specific OSPFv3 enabled interface, use the ipv6 ospf bfd all-neighbors disable command. You can also use the no bfd enable command to disable BFD on a specific interface.
511 O3
DellEMC#

Changing OSPFv3 Session Parameters

Configure BFD sessions with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPFv3 sessions or all OSPFv3 sessions on a particular interface. If you change a parameter globally, the change affects all OSPFv3 neighbor sessions.
Establishing Sessions with IS-IS Neighbors

BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface.

Figure 14. Establishing Sessions with IS-IS Neighbors

To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.

● Establish sessions with all IS-IS neighbors.
  ROUTER-ISIS mode
  bfd all-neighbors

● Establish sessions with IS-IS neighbors on a single interface.
LocalAddr    RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.2    2.2.2.1      Te 2/1      Up      100      100      3      I

Changing IS-IS Session Parameters

BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface.
Figure 15. Establishing Sessions with BGP Neighbors

The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor:
● By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command).
● By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command).

BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
   bfd enable

2. Specify the AS number and enter ROUTER BGP configuration mode.
   CONFIGURATION mode
   router bgp as-number

3. Add a BGP neighbor or peer group in a remote AS.
   CONFIG-ROUTERBGP mode
   neighbor {ip-address | peer-group name} remote-as as-number

4. Enable the BGP neighbor.
   CONFIG-ROUTERBGP mode
   neighbor {ip-address | peer-group-name} no shutdown

5. Add a BGP neighbor or peer group in a remote AS.
   CONFIG-ROUTERBGP mode
   neighbor {ipv6-address | peer-group name} remote-as as-number

6.
2. Specify the AS number and enter ROUTER BGP configuration mode.
   CONFIGURATION mode
   router bgp as-number

3. Specify the address family as IPv4.
   CONFIG-ROUTERBGP mode
   address-family ipv4 vrf vrf-name

4. Add an IPv4 BGP neighbor or peer group in a remote AS.
   CONFIG-ROUTERBGP_ADDRESSFAMILY mode
   neighbor {ip-address | peer-group name} remote-as as-number

5. Enable the BGP neighbor.
   CONFIG-ROUTERBGP_ADDRESSFAMILY mode
   neighbor {ip-address | peer-group-name} no shutdown

6.
Disabling BFD for BGP

You can disable BFD for BGP. To disable a BFD for BGP session with a specified neighbor, use the first command. To remove the disabled state of a BFD for BGP session with a specified neighbor, use the second command. The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.

● Disable a BFD for BGP session with a specified neighbor.
V - VRRP
LocalAddr   RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 1.1.1.3   1.1.1.2     Te 6/1     Up     200     200     3     B
* 2.2.2.3   2.2.2.2     Te 6/2     Up     200     200     3     B
* 3.3.3.3   3.3.3.2     Te 6/3     Up     200     200     3     B

The following example shows viewing BFD neighbors with full detail. The bold lines show the BFD session parameters: TX (packet transmission), RX (packet reception), and multiplier (maximum number of missed packets).
3 neighbor(s) using 24168 bytes of memory
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx
1.1.1.2 2.2.2.2 3.3.3.2 0 0 0 1 1 1 282 273 282 281 273 281 0 0 0 0 0 0 0 (0) 0 00:38:12 04:32:26 00:38:12

The following example shows viewing BFD information for a specified neighbor.
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
...
Neighbor is using BGP peer-group mode BFD configuration
Peer active in peer-group outbound optimization
...

Configuring Protocol Liveness

Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled. When you disable a client, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state.
9 Border Gateway Protocol IPv4 (BGPv4)

Border Gateway Protocol version 4 (BGPv4) is supported on Dell Networking OS. This chapter provides a general description of BGPv4 as it is supported in the Dell Networking operating system (OS). BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of BGP is to exchange network reachability information with other BGP systems.
• Aggregating Routes
• Configuring BGP Confederations
• Enabling Route Flap Dampening
• Changing BGP Timers
• Enabling BGP Neighbor Soft-Reconfiguration
• Enabling or disabling BGP neighbors
• Route Map Continue
• Enabling MBGP Configurations
• BGP Regular Expression Optimization
• Debugging BGP
• Sample Configurations

Autonomous Systems (AS)

BGP autonomous systems (ASs) are a collection of nodes under common administration with common network routing policies.
BGP version 4 (BGPv4) supports classless interdomain routing, aggregate routes, and AS paths. BGP is a path vector protocol: BGP records the path that updated information takes as it propagates through the network. Updates traveling through the network and returning to the same node are easily detected and discarded. BGP does not use a traditional interior gateway protocol (IGP) metric, but makes routing decisions based on path, network policies, and/or rulesets.
Sessions and Peers

When two routers communicate using the BGP protocol, a BGP session is started. The two endpoints of that session are Peers. A Peer is also called a Neighbor.

Establish a Session

Events and timers drive information exchange between peers. The focus in BGP is on the traffic routing policies.
Figure 18. BGP Router Rules

1. Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D.
2. Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
3.
The following illustration shows the decisions BGP goes through to select the best path. The list following the illustration details the path selection criteria.

Figure 19. BGP Best Path Selection

Best Path Selection Details
1. Prefer the path with the largest WEIGHT attribute.
2. Prefer the path with the largest LOCAL_PREF attribute.
3. Prefer the path that was locally originated via a network command, redistribute command, or aggregate-address command.
a.
12. If two paths have the same router ID, prefer the path with the lowest cluster ID length. Paths without a cluster ID length are set to a 0 cluster ID length.
13. Prefer the path originated from the neighbor with the lowest address. (The neighbor address is used in the BGP neighbor configuration and corresponds to the remote peer used in the TCP connection with the local router.)
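The tie-break chain can be written as a comparator. The following is an added example, not Dell Networking OS code: it implements only the criteria quoted on this page (steps 1 to 3 and 12 to 13; the guide's steps 4 to 11 are not reproduced here and are skipped), and the Path fields and sample addresses are constructed.

```python
from dataclasses import dataclass
from functools import cmp_to_key
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class Path:
    """A candidate path for one prefix. Only the attributes read by the
    criteria shown on this page are modelled (constructed, not switch data)."""
    neighbor: str                      # remote peer address of the TCP session
    weight: int = 0                    # WEIGHT (local to this router)
    local_pref: int = 100              # LOCAL_PREF
    locally_originated: bool = False   # network / redistribute / aggregate-address
    router_id: str = "0.0.0.0"         # originator's BGP router ID
    cluster_list_len: Optional[int] = None   # None: path carries no CLUSTER_LIST


def compare(a: Path, b: Path) -> int:
    """Return -1 if a is preferred, 1 if b is preferred, 0 if still tied."""
    # 1. Prefer the largest WEIGHT.
    if a.weight != b.weight:
        return -1 if a.weight > b.weight else 1
    # 2. Prefer the largest LOCAL_PREF.
    if a.local_pref != b.local_pref:
        return -1 if a.local_pref > b.local_pref else 1
    # 3. Prefer a locally originated path.
    if a.locally_originated != b.locally_originated:
        return -1 if a.locally_originated else 1
    # Steps 4 to 11 of the guide's list are not reproduced on this page and
    # are deliberately skipped here; a real implementation evaluates them
    # before the two tie-breakers below.
    # 12. Same router ID: prefer the shorter cluster list; absent counts as 0.
    if a.router_id == b.router_id:
        la, lb = a.cluster_list_len or 0, b.cluster_list_len or 0
        if la != lb:
            return -1 if la < lb else 1
    # 13. Prefer the lowest neighbor address, compared numerically:
    # 10.0.0.9 sorts before 10.0.0.10 as an address, not as a string.
    na, nb = int(ip_address(a.neighbor)), int(ip_address(b.neighbor))
    if na != nb:
        return -1 if na < nb else 1
    return 0


def select_best(paths: List[Path]) -> Path:
    """Best path among the candidates under the criteria above."""
    if not paths:
        raise ValueError("no candidate paths")
    return sorted(paths, key=cmp_to_key(compare))[0]


if __name__ == "__main__":
    candidates = [
        Path(neighbor="10.0.0.10", local_pref=100),
        Path(neighbor="10.0.0.9", local_pref=100),
        Path(neighbor="10.0.0.2", local_pref=50),
    ]
    # Equal WEIGHT and LOCAL_PREF between the first two, so the lowest
    # neighbor address (10.0.0.9) wins; the string-wise "lowest" would be 10.0.0.10.
    print(select_best(candidates))
```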
Multi-Exit Discriminators (MEDs)

If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may affect selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this example, assume that the MED is the only attribute applied.
   Network        Next Hop      Metric  LocPrf  Weight  Path
*> 7.0.0.0/29     10.114.8.33   0       0       18508   ?
*> 7.0.0.0/30     10.114.8.33   0       0       18508   ?
*> 9.2.0.0/16     10.114.8.33   10      0       18508   701 i

AS Path

The AS path is the list of all ASs that all the prefixes listed in the update have passed through. The BGP speaker adds the local AS number when advertising to an eBGP neighbor.
NOTE: Any update that contains the AS path number 0 is valid.
The AS path is shown in the following example.
Implement BGP with Dell Networking OS

The following sections describe how to implement BGP on Dell Networking OS.

Additional Path (Add-Path) Support

The Add-path feature reduces convergence times by advertising multiple paths to its peers for the same address prefix without replacing existing paths with new ones. By default, a BGP speaker advertises only the best path to its peers for a given address prefix.
Ignore Router-ID for Some Best-Path Calculations

Dell Networking OS allows you to avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath router-id ignore command reduces the network disruption caused by routing and forwarding plane changes and allows for faster convergence.

Four-Byte AS Numbers

Dell Networking OS supports the 4-byte (32-bit) format when configuring autonomous system numbers (ASNs).
Dynamic AS Number Notation Application

Dell Networking OS applies the ASN notation type change dynamically to the running-config statements. When you apply or change an asnotation, the type selected is reflected immediately in the running-configuration and the show commands (refer to the following two examples).
Dell(conf-router_bgp)#do show ip bgp
BGP table version is 28093, local router ID is 172.30.1.57

AS Number Migration

With this feature you can transparently change the AS number of an entire BGP network and ensure that the routes are propagated throughout the network while the migration is in progress. When migrating one AS to another, perhaps combining ASs, an eBGP network may lose its routing to an iBGP if the ASN changes.
BGP4 Management Information Base (MIB)

The FORCE10-BGP4-V2-MIB enhances Dell Networking OS BGP management information base (MIB) support with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell Networking website, www.dell.com.
NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
Traps (notifications) specified in the BGP4 MIB draft are not supported. Such traps (bgpM2Established and bgpM2BackwardTransition) are supported as part of RFC 1657.
Enabling BGP

By default, BGP is not enabled on the system. Dell Networking OS supports one autonomous system (AS) and assigns the AS number (ASN). To establish BGP sessions and route traffic, configure at least one BGP neighbor or peer. In BGP, routers with an established TCP connection are called neighbors or peers. After a connection is established, the neighbors exchange full BGP routing tables with incremental updates afterward.
To view the BGP configuration, enter show config in CONFIGURATION ROUTER BGP mode. To view the BGP status, use the show ip bgp summary command in EXEC Privilege mode. The first example shows the summary with a 2-byte AS number displayed (in bold); the second example shows the summary with a 4-byte AS number (displayed in bold) using the same show ip bgp summary command.
Dell#show ip bgp summary
BGP router identifier 192.168.10.
Received 18549 updates, Sent 11562 updates
Minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
BGP table version 216613, neighbor version 201190
130195 accepted prefixes consume 520780 bytes
Prefix advertised 49304, rejected 0, withdrawn 36143
Connections established 1; dropped 0
Last reset never
Local host: 10.114.8.39, Local port: 1037
Foreign host: 10.114.8.60, Foreign port: 179
BGP neighbor is 10.1.1.
Term: Description
ASDOT: The ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS numbers less than 65536 appear in integer format (asplain); AS numbers equal to or greater than 65536 appear using the decimal method (asdot+). For example, the AS number 65526 appears as 65526 and the AS number 65546 appears as 1.10.
NOTE: The ASDOT and ASDOT+ representations are supported only with the Four-Byte AS Numbers feature.
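The three notations are different spellings of one 32-bit value, which is why an ASN should be compared as a number, never as text. The converter below is an added example, not Dell Networking OS code; it assumes the RFC 5396 reading that asdot+ always writes high.low (so 65526 becomes 0.65526), which matches the guide's 65546 = 1.10.

```python
import re

ASDOT_SPLIT = 65536      # below this, ASDOT shows a plain integer; at or above, high.low
MAX_ASN = 2**32 - 1      # four-byte AS numbers


def _check(asn: int) -> None:
    if not 0 <= asn <= MAX_ASN:
        raise ValueError(f"AS number out of 32-bit range: {asn}")


def to_asplain(asn: int) -> str:
    """ASPLAIN: the whole 32-bit value as one decimal integer."""
    _check(asn)
    return str(asn)


def to_asdotplus(asn: int) -> str:
    """ASDOT+: always high16.low16, so 65526 is written 0.65526."""
    _check(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def to_asdot(asn: int) -> str:
    """ASDOT: asplain below 65536, asdot+ from 65536 upward (65546 -> 1.10)."""
    _check(asn)
    return to_asplain(asn) if asn < ASDOT_SPLIT else to_asdotplus(asn)


def parse_asn(text: str) -> int:
    """Parse any of the three notations back to the 32-bit integer.

    Accepts 'N' (asplain) or 'H.L' (asdot / asdot+) and rejects dotted
    halves that do not fit in 16 bits, e.g. '1.70000'.
    """
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not an AS number: {text!r}")
    if m.group(2) is None:
        asn = int(m.group(1))
    else:
        high, low = int(m.group(1)), int(m.group(2))
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"dotted part out of range: {text!r}")
        asn = (high << 16) | low
    _check(asn)
    return asn


if __name__ == "__main__":
    for asn in (65526, 65546, 4200000000):   # constructed sample values
        print(asn, to_asdot(asn), to_asdotplus(asn), parse_asn(to_asdot(asn)))
```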
Configuring Peer Groups

To configure multiple BGP neighbors at one time, create and populate a BGP peer group. An advantage of peer groups is that members of a peer group inherit the configuration properties of the group and share the same update policy. A maximum of 256 peer groups are allowed on the system. Create a peer group by assigning it a name, then adding members to the peer group. After you create a peer group, you can configure route policies for it.
A neighbor may keep its configuration after it was added to a peer group if the neighbor’s configuration is more specific than the peer group’s and if the neighbor’s configuration does not affect outgoing updates. NOTE: When you configure a new set of BGP policies for a peer group, always reset the peer group by entering the clear ip bgp peer-group peer-group-name command in EXEC Privilege mode. To view the configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
10.68.174.1 10.68.175.1 10.68.176.1 10.68.177.1 10.68.178.1 10.68.179.1 10.68.180.1 10.68.181.1 10.68.182.1 10.68.183.1 10.68.184.1 10.68.185.1
Dell>

Configuring BGP Fast Fall-Over

By default, the hold time governs a BGP session. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fall-over feature reduces the convergence time while maintaining stability.
For address family: IPv4 Unicast
BGP table version 52, neighbor version 52
4 accepted prefixes consume 16 bytes
Prefix advertised 0, denied 0, withdrawn 0
Connections established 6; dropped 5
Last reset 00:19:37, due to Reset by peer
Notification History
  'Connection Reset' Sent : 5 Recv: 0
Local host: 200.200.200.200, Local port: 65519
Foreign host: 100.100.100.100, Foreign port: 179
Dell#
To verify that fast fall-over is enabled on a peer-group, use the show ip bgp peer-group command (shown in bold).
3. Enable the peer group.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name no shutdown
4. Create and specify a remote peer for the BGP neighbor.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name remote-as as-number
Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED. After the peer group is ESTABLISHED, the peer group is the same as any other peer group. For more information about peer groups, refer to Configuring Peer Groups.
neighbor {IP address | peer-group-name} allowas-in number
○ Peer Group Name: 16 characters.
○ Number: from 1 through 10.
○ Format: IP Address: A.B.C.D.
You must configure the peer group (refer to Configuring Peer Groups) before assigning it to an AS. The lines shown in bold are the number of times ASN 65123 can appear in the AS path (allowas-in 9). To disable this feature, use the no neighbor allowas-in number command in CONFIGURATION ROUTER BGP mode.
Dell(conf-router_bgp)#show conf
!
router bgp 65123
 bgp router-id 192.168.10.2
 network 10.10.
CONFIG-ROUTER-BGP mode
bgp graceful-restart [restart-time time-in-seconds]
The default is 120 seconds.
● Set the maximum time to retain the restarting peer's stale paths.
CONFIG-ROUTER-BGP mode
bgp graceful-restart [stale-path-time time-in-seconds]
The default is 360 seconds.
● Local router supports graceful restart as a receiver only.
CONFIG-ROUTER-BGP mode
bgp graceful-restart [role receiver-only]

Enabling Neighbor Graceful Restart

BGP graceful restart is active only when the neighbor becomes established.
CONFIG-AS-PATH mode
{deny | permit} filter parameter
This is the filter that is used to match the AS-path. The entries can be any format: letters, numbers, or regular expressions. You can enter this command multiple times if multiple filters are desired. For accepted expressions, refer to Regular Expressions as Filters.
3. Return to CONFIGURATION mode.
AS-PATH ACL mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Use a configured AS-PATH ACL for route filtering and manipulation.
Regular Expression: Definition
* (asterisk): Matches 0 or more sequences of the immediately previous character or pattern.
+ (plus): Matches 1 or more sequences of the immediately previous character or pattern.
? (question): Matches 0 or 1 sequence of the immediately previous character or pattern.
Filtering BGP Routes Using AS-PATH Information

To filter routes based on AS-PATH information, use these commands.
1. Create an AS-PATH ACL and assign it a name.
CONFIGURATION mode
ip as-path access-list as-path-name
2. Create an AS-PATH ACL filter with a deny or permit action.
AS-PATH ACL mode
{deny | permit} as-regular-expression
3. Return to CONFIGURATION mode.
AS-PATH ACL mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5.
Configure the following parameters:
○ process-id: the range is from 1 to 65535.
○ match external: the value is 1 or 2.
○ match internal
○ metric-type: external or internal.
○ map-name: name of a configured route map.

Enabling Additional Paths

The add-path feature is disabled by default.
NOTE: In some cases, while receiving the same 1K routes from more than 64 iBGP neighbors, BGP sessions with a hold time of 10 seconds may flap.
ip community-list community-list-name
2. Configure a community list by denying or permitting specific community numbers or types of community.
CONFIG-COMMUNITYLIST mode
{deny | permit} {community-number | local-AS | no-advertise | no-export | quote-regexp regular-expression-list | regexp regular-expression}
● community-number: use AA:NN format where AA is the AS number (2 bytes or 4 bytes) and NN is a value specific to that autonomous system.
5. Apply the route map to the neighbor or peer group's incoming or outgoing routes.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} route-map map-name {in | out}
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
To view BGP routes matching a certain community number or a pre-defined BGP community, use the show ip bgp community command in EXEC Privilege mode.
Dell>show ip bgp community
BGP table version is 3762622, local router ID is 10.114.8.48
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network
* i 3.0.0.0/8
*>i 4.2.49.12/30
* i 4.21.132.0/23
*>i 4.24.118.16/30
*>i 4.24.145.0/30
*>i 4.24.187.12/30
*>i 4.24.202.0/30
*>i 4.25.88.
CONFIG-ROUTE-MAP mode
set local-preference value
3. Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Apply the route map to the neighbor or peer group's incoming or outgoing routes.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} route-map map-name {in | out}
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.

Enabling Multipath

By default, the software allows one path to a destination. You can enable multipath to allow up to 16 parallel paths to a destination.
NOTE: Dell Networking recommends not using multipath and add-path simultaneously in a route reflector.
To allow more than one path, use the following command.
CONFIGURATION mode
ip as-path access-list as-path-name
2. Create an AS-PATH ACL filter with a deny or permit action.
AS-PATH ACL mode
{deny | permit} as-regular-expression
3. Return to CONFIGURATION mode.
AS-PATH ACL mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Filter routes based on the criteria in the configured route map.
seq sequence-number {deny | permit} {any | ip-prefix [ge | le]}
● ge: minimum prefix length to match.
● le: maximum prefix length to match.
For information about configuring prefix lists, refer to Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
CONFIG-PREFIX LIST mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Filter routes based on the criteria in the configured prefix list.
● out: apply the route map to outbound routes.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.

Filtering BGP Routes Using AS-PATH Information

To filter routes based on AS-PATH information, use these commands.
1. Create an AS-PATH ACL and assign it a name.
CONFIGURATION mode
ip as-path access-list as-path-name
2. Create an AS-PATH ACL filter with a deny or permit action.
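The AS-PATH ACL procedure above and the allowas-in setting described earlier (the number of times the local ASN may appear in a received path) both reduce to checks on the AS path as a list of numbers. The following is an added example, not Dell Networking OS code: the entries, paths and the first-match-wins plus implicit-deny evaluation are constructed, and the expression dialect is Python's re module rather than the switch's.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class AsPathEntry:
    """One '{deny | permit} as-regular-expression' line of an ip as-path access-list."""
    permit: bool
    regex: str


def as_path_text(as_path: Sequence[int]) -> str:
    """Render an AS path the way a regular expression sees it: space-separated ASNs."""
    return " ".join(str(asn) for asn in as_path)


def as_path_acl_permits(entries: List[AsPathEntry], as_path: Sequence[int]) -> bool:
    """Evaluate an AS-PATH ACL against one path.

    Entries are tried in order and the first one whose expression matches
    decides (deny or permit). A path matched by no entry is denied; that
    implicit deny is this example's assumption, not a statement of the guide.
    """
    text = as_path_text(as_path)
    for entry in entries:
        if re.search(entry.regex, text):
            return entry.permit
    return False


def allowas_in_ok(as_path: Sequence[int], local_as: int, allowed: int) -> bool:
    """allowas-in semantics: the local ASN may appear at most `allowed` times
    (1 through 10 in the guide) in a received AS path."""
    return sum(1 for asn in as_path if asn == local_as) <= allowed


# Constructed policy: deny anything that transited AS 64512, permit paths
# that start with AS 701, deny the rest. The (^| ) ... ( |$) brackets pin a
# number to field boundaries so that 701 does not also match 7011 or 17011;
# a bare ^701 would accept both.
POLICY = [
    AsPathEntry(permit=False, regex=r"(^| )64512( |$)"),
    AsPathEntry(permit=True, regex=r"^701( |$)"),
]


if __name__ == "__main__":
    for path in ([701, 3356], [7011, 3356], [701, 64512, 3356]):
        verdict = "permit" if as_path_acl_permits(POLICY, path) else "deny"
        print(f"{as_path_text(path):>20} -> {verdict}")
    # ASN 65123 appears twice: fine with allowas-in 9, rejected with allowas-in 1
    print(allowas_in_ok([65123, 100, 65123], local_as=65123, allowed=9))
```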
To view a route reflector configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.

Aggregating Routes

Dell Networking OS provides multiple ways to aggregate routes in the BGP routing table. At least one specific route of the aggregate must be in the routing table for the configured aggregate to become active. To aggregate routes, use the following command.
Enabling Route Flap Dampening

When EBGP routes become unavailable, they "flap" and the router issues both WITHDRAWN and UPDATE notices. A flap is when a route:
● is withdrawn
● is readvertised after being withdrawn
● has an attribute change
The constant router reaction to the WITHDRAWN and UPDATE notices causes instability in the BGP process. To minimize this instability, you may configure penalties (a numeric value) for routes that flap.
● View all flap statistics or statistics for specific routes meeting the following criteria.
EXEC or EXEC Privilege mode
show ip bgp flap-statistics [ip-address [mask]] [filter-list as-path-name] [regexp regular-expression]
○ ip-address [mask]: enter the IP address and mask.
○ filter-list as-path-name: enter the name of an AS-PATH ACL.
○ regexp regular-expression: enter a regular expression to match on.
Changing BGP Timers To configure BGP timers, use either or both of the following commands. Timer values configured with the neighbor timers command override the timer values configured with the timers bgp command.
clear ip bgp {* | neighbor-address | AS Numbers | ipv4 | peer-group-name} [soft [in | out]]
○ *: Clears all peers.
○ neighbor-address: Clears the neighbor with this IP address.
○ AS Numbers: Peers' AS numbers to clear.
○ ipv4: Clears information for the IPv4 address family.
○ peer-group-name: Clears all members of the specified peer group.
● Enable soft-reconfiguration for the BGP neighbor specified.
ROUTER-BGP mode
shutdown address-family-ipv4-multicast
To enable or disable BGP neighbors corresponding to the IPv6 unicast groups:
1. Enter ROUTER BGP mode using the following command:
CONFIGURATION mode
router bgp as-number
2.
Set a Clause with a Continue Clause

If the route-map entry contains sets with the continue clause, the set actions operation is performed first, then the continue clause jumps to the specified route map entry.
● If a set actions operation occurs in the first route map entry and then the same set action occurs with a different value in a subsequent route map entry, the last set of actions overrides the previous set of actions with the same set command.
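The two rules above (set first, then jump; a later set of the same command wins) can be followed through a small route-map evaluator. This is an added example, not Dell Networking OS code: the entry structure, the match callables and the constructed map are assumptions, as are the behaviours noted in the docstring that this page does not spell out.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple


@dataclass
class RouteMapEntry:
    """One sequence of a route map: match condition, set actions, continue clause."""
    seq: int
    permit: bool
    match: Callable[[Dict[str, Any]], bool]              # e.g. lambda r: r["prefix"].startswith("10.")
    sets: Dict[str, Any] = field(default_factory=dict)   # e.g. {"local-preference": 200}
    has_continue: bool = False
    continue_to: Optional[int] = None                    # named target seq; None = next entry (assumption)


def apply_route_map(entries: List[RouteMapEntry], route: Dict[str, Any]) -> Tuple[bool, Dict[str, Any]]:
    """Return (permitted, attributes after all set actions).

    Follows the page: on a matching entry the set actions run first, then the
    continue clause jumps to the named entry; when two entries set the same
    attribute, the later set wins because it overwrites the earlier value.
    Assumptions of this example: a matching deny ends evaluation with deny, a
    route matching no entry is denied, and falling off the end after at least
    one matching permit keeps that permit.
    """
    attrs = dict(route)
    ordered = sorted(entries, key=lambda e: e.seq)
    matched_permit = False
    i = 0
    while i < len(ordered):
        entry = ordered[i]
        if not entry.match(attrs):
            i += 1
            continue
        if not entry.permit:
            return False, attrs
        attrs.update(entry.sets)          # set actions first; same key overrides
        matched_permit = True
        if not entry.has_continue:
            return True, attrs
        if entry.continue_to is None:     # bare continue: fall through to next entry
            i += 1
        else:                             # continue N: jump to the named entry
            targets = [k for k, e in enumerate(ordered) if e.seq == entry.continue_to]
            if not targets:
                break
            i = targets[0]
    return matched_permit, attrs


# Constructed route map: seq 10 sets two attributes and continues to seq 30,
# skipping seq 20 entirely; seq 30 overrides local-preference but not metric.
ROUTE_MAP = [
    RouteMapEntry(10, True, lambda r: r["prefix"].startswith("10."),
                  {"local-preference": 100, "metric": 50}, has_continue=True, continue_to=30),
    RouteMapEntry(20, True, lambda r: True, {"local-preference": 150}),
    RouteMapEntry(30, True, lambda r: True, {"local-preference": 200}),
]


def evaluate(prefix: str) -> Tuple[bool, Dict[str, Any]]:
    """Run the constructed map over a route carrying only a prefix."""
    return apply_route_map(ROUTE_MAP, {"prefix": prefix})


if __name__ == "__main__":
    print(evaluate("10.1.0.0/16"))    # permitted; local-preference 200 (seq 30 wins), metric 50 kept
    print(evaluate("192.0.2.0/24"))   # permitted by seq 20; local-preference 150, no metric
```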
BGP Regular Expression Optimization

Dell Networking OS optimizes processing time when using regular expressions by caching and re-using evaluated regular expression results, at the expense of some memory in the RP1 processor. BGP policies that contain regular expressions to match against AS paths and communities might take much CPU processing time, affecting BGP routing convergence.
Storing Last and Bad PDUs

Dell Networking OS stores the last notification sent/received and the last bad protocol data unit (PDU) received on a per-peer basis. The last bad PDU is the one that causes a notification to be issued. In the following example, the last seven lines shown in bold are the last PDUs.
Example of the show ip bgp neighbor Command to View Last and Bad PDUs
Dell(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2
BGP neighbor is 1.1.1.
To change the maximum buffer size, use the capture bgp-pdu max-buffer-size command. To view the captured PDUs, use the show capture bgp-pdu neighbor command.
Dell#show capture bgp-pdu neighbor 20.20.20.2
Incoming packet capture enabled for BGP neighbor 20.20.20.
Figure 23. Sample Configurations

Example of Enabling BGP (Router 1)
Dell# conf
Dell(conf)#int loop 0
Dell(conf-if-lo-0)#ip address 192.168.128.1/24
Dell(conf-if-lo-0)#no shutdown
Dell(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.1/24
 no shutdown
Dell(conf-if-lo-0)#int te 1/21
Dell(conf-if-te-1/21)#ip address 10.0.1.21/24
Dell(conf-if-te-1/21)#no shutdown
Dell(conf-if-te-1/21)#show config
!
interface TengigabitEthernet 1/21
 ip address 10.0.1.
Dell(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0
Dell(conf-router_bgp)#show config
!
router bgp 99
 network 192.168.128.0/24
 neighbor 192.168.128.2 remote-as 99
 neighbor 192.168.128.2 update-source Loopback 0
 neighbor 192.168.128.2 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.3 update-source Loopback 0
 neighbor 192.168.128.3 no shutdown
Dell(conf-router_bgp)#end
Dell#
Dell#show ip bgp summary
BGP router identifier 192.168.128.
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.3 update-source Loopback 0
 neighbor 192.168.128.3 no shutdown
Dell(conf-router_bgp)#end
Dell#show ip bgp summary
BGP router identifier 192.168.128.
BGP router identifier 192.168.128.3, local AS number 100
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory

Neighbor       AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.1  99  24       25       1       0    0     00:14:20  1
192.168.128.
Capabilities received from neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer
Connections est
router bgp 99
 network 192.168.128.0/24
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor BBB peer-group
 neighbor BBB no shutdown
 neighbor 192.168.128.1 remote-as 99
 neighbor 192.168.128.1 peer-group CCC
 neighbor 192.168.128.1 update-source Loopback 0
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.3 peer-group BBB
 neighbor 192.168.128.3 update-source Loopback 0
 neighbor 192.168.128.
Neighbor       AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.1  99  93       99       1       0    (0)   00:00:15  1
192.168.128.2  99  122      120      1       0    (0)   00:00:11  1

Dell#show ip bgp neighbor
BGP neighbor is 192.168.128.1, remote AS 99, external link
Member of peer-group BBB for session parameters
BGP version 4, remote router ID 192.168.128.
Hold time is 180, keepalive interval is 60 seconds
Received 138 messages, 0 in queue
  7 opens, 2 notifications, 7 updates
  122 keepalives, 0 route refresh requests
Sent 140 messages, 0 in queue
  7 opens, 4 notifications, 7 updates
  122 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities advertised to neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
Capabilities received from neighbor for IPv4 Unicast :
  MULTIPR
10 Bare Metal Provisioning (BMP)

Bare Metal Provisioning 2.0 is included as part of the Dell Networking OS image. BMP improves accessibility to the S5000 switch by automatically loading pre-defined configurations and boot images that are stored in file servers. You can use BMP on a single switch or on multiple switches. For more information about BMP in Auto-Configuration mode, refer to the Open Automation Guide.
Normal mode

The switch loads the Dell Networking OS image and startup configuration file stored in the local flash. New configurations require that the Management IP and Management Interface be configured manually. This mode is set with the reload-type normal-reload command.
If a switch enters a loop while reloading in Jumpstart mode because it continuously tries to contact a DHCP server and a DHCP server is not found, enter the stop jump-start command to interrupt the repeated discovery attempts.
● Boot File Name: The Dell Networking OS image to load on the switch. The boot filename is expected to use Option 67 or the boot filename in the boot payload of the DHCP offer. If both are specified, Option 67 is used.
● Configuration File Name: The configurations to apply to the switch. The configuration filename is expected to use Option 209.
● File Server Address: The server where the image and configuration files are placed. The address is assumed to be a TFTP address unless it is given as a URL.
After 10 minutes of rediscovery attempts, the server IP address is blacklisted as shown in the system log:
00:05:45:%STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent 47.
00:05:45:%STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent
00:05:45:%STKUNIT0-M:CP %JUMPSTART-5-DHCP_OFFER_REJECTED: Server IP address 10.11.197.39 was previously rejected.
● If the offer contains only a boot image that cannot be downloaded, BMP requests another DHCP offer.
● If you enable the reload-type config-download command and the configuration file in the offer cannot be downloaded, the switch boots up and loads the startup configuration stored in local flash memory.

DHCP Server IP Blacklist

If the process does not complete successfully, the DHCP server IP is blacklisted and the DHCP process is re-initiated. A DHCP server is maintained in the blacklist for ten minutes.
ii. If there is no version mismatch, the switch downloads the configuration file.
00:03:27: server is
00:03:27: 0/56.
00:03:27: %STKUNIT0-M:CP %JUMPSTART-5-CFG_APPLY: The downloaded config from dhcp being applied
%STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_RELEASE: DHCP RELEASE sent on Fo
%STKUNIT0-M:CP %SYS-5-CONFIG_LOAD: Loading configuration file
c. If the configuration file is downloaded from the server, any saved startup-configuration on the flash is ignored.
11 Content Addressable Memory (CAM)

Content addressable memory (CAM) is supported on Dell Networking OS. CAM is a type of memory that stores information in the form of a lookup table. On the S5000 systems, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies.
Table 12. Default Cam Allocation Settings (continued)
EcfmAcl        0
nlbclusteracl  0
FcoeAcl        0
iscsiOptAcl    0
ipv4pbr        0
vrfv4Acl       0
Openflow       0
fedgovacl      0

Re-Allocating CAM for Ingress ACLs and QoS

The default CAM allocation settings for ingress ACL and QoS regions are shown in the following list.
EXEC Privilege mode
show cam-acl
4. Reload the system.
EXEC Privilege mode
reload

Re-Allocating CAM for Egress ACLs

The default CAM allocation settings for the three egress ACL and QoS regions on an S5000 switch include the following.
● L2 ACL (l2acl): 1
● L3 ACL (ipv4acl): 1
● IPv6 L3 ACL (ipv6acl): 2
The total egress CAM ACL space must equal four memory blocks.
Displaying CAM-ACL Settings To display the current CAM ACL settings for each ingress region, the show cam-acl command is supported on the S5000. The default ingress CAM ACL allocation settings on an S5000 (stack unit 0) are shown in the following example.
Configuring CAM Threshold and Silence Period

This section describes how to configure the CAM threshold and the silence period between CAM threshold syslog warnings. The CAM threshold and silence period configuration applies only to the Ingress L2, IPv4, and IPv6 and Egress L2, IPv4, and IPv6 ACL CAM groups. For other ACL CAM regions, the CAM threshold and silence period are fixed at 90 percent and 0, respectively.
Table 13. Possible Scenarios of Syslog Warning (continued)
90 95 91 98 100 100 No syslog
95 80 10 No syslog
92 90 89 No syslog
DellEMC(conf)#Nov 5 19:55:12 %S6000:0 %ACL_AGENT-4ACL_AGENT_CAM_USAGE_BELOW_THE_THRESHOLD: The cam-usage of Ipv4Acl cam region on stack-unit 0 Portpipe 0 Pipeline 0 is below 95%.

CAM Optimization

To optimize CAM utilization for QoS entries by minimizing the required policy-map CAM space, use the cam-optimization command.
12 Control Plane Policing (CoPP)

Control plane policing (CoPP) is supported on Dell Networking OS. Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system's control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits traffic to an acceptable level.
Figure 25. CoPP Implemented Versus CoPP Not Implemented

Topics:
• Configure Control Plane Policing
• Configuring CoPP for Protocols
• Configuring CoPP for CPU Queues
• Show Commands

Configure Control Plane Policing

The S5000 can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though Per Protocol CoPP is applied. This happens because Queue-Based Rate Limiting is applied first.
CoPP policies are configured by creating extended ACL rules and specifying rate-limits through QoS policies. The ACLs and QoS policies are assigned as service-policies.

Configuring CoPP for Protocols

This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS).
Dell(conf)#ipv6 access-list ipv6-vrrp cpu-qos
Dell(conf-ipv6-acl-cpuqos)#permit vrrp
Dell(conf-ipv6-acl-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_200k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 200 40 peak 500 40
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_400k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 400 50 peak 600 50
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_500k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 500
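The ordering the guide warns about (queue-based rate limiting is applied before per-protocol CoPP, so a protocol sharing a queue with a flooded protocol can flap even when its own limit is generous) can be reproduced with a small packet-level model. This is an added example, not Dell Networking OS code: the token-bucket policer, the packets-per-second figures, the burst depth and the queue mapping are all constructed.

```python
from typing import Dict, List, Tuple

SCALE = 1_000_000   # tokens kept as integers scaled by 1e6 so the model is exact


class TokenBucket:
    """Packet-rate policer: refills at rate_pps tokens per second, holds `burst`."""

    def __init__(self, rate_pps: int, burst: int) -> None:
        self.rate_pps = rate_pps
        self.capacity = burst * SCALE
        self.tokens = self.capacity       # start full
        self.last_us = 0

    def admit(self, now_us: int) -> bool:
        # rate_pps tokens per second is rate_pps scaled tokens per microsecond
        self.tokens = min(self.capacity, self.tokens + (now_us - self.last_us) * self.rate_pps)
        self.last_us = now_us
        if self.tokens >= SCALE:
            self.tokens -= SCALE
            return True
        return False


def simulate(offered_pps: Dict[str, int], queue_of: Dict[str, int],
             queue_limit_pps: Dict[int, int], protocol_limit_pps: Dict[str, int],
             burst: int = 50, seconds: int = 1) -> Dict[str, int]:
    """Packets per protocol that reach the CPU under `seconds` of steady offered load.

    Every packet must first pass the policer of the CPU queue it is mapped to
    and only then its per-protocol CoPP policer, the order the guide describes.
    """
    arrivals: List[Tuple[int, int, str]] = []
    for order, (proto, pps) in enumerate(offered_pps.items()):
        arrivals += [((i * SCALE) // pps, order, proto) for i in range(pps * seconds)]
    arrivals.sort()   # simultaneous packets are served in dict order (constructed tie-break)
    queues = {q: TokenBucket(r, burst) for q, r in queue_limit_pps.items()}
    protos = {p: TokenBucket(r, burst) for p, r in protocol_limit_pps.items()}
    delivered = {p: 0 for p in offered_pps}
    for now, _, proto in arrivals:
        if not queues[queue_of[proto]].admit(now):
            continue                      # dropped by queue-based rate limiting
        if not protos[proto].admit(now):
            continue                      # dropped by per-protocol CoPP
        delivered[proto] += 1
    return delivered


# Constructed scenario: protocol "A" floods at 10000 pps, protocol "B" sends a
# legitimate 100 pps. B's own CoPP limit (200 pps) is never the constraint.
OFFERED = {"A": 10000, "B": 100}
PROTO_LIMITS = {"A": 500, "B": 200}


def shared_queue() -> Dict[str, int]:
    """Both protocols on CPU queue 0, which is limited to 1000 pps."""
    return simulate(OFFERED, {"A": 0, "B": 0}, {0: 1000}, PROTO_LIMITS)


def separate_queues() -> Dict[str, int]:
    """Same load, but B has its own queue, so A's flood cannot crowd it out."""
    return simulate(OFFERED, {"A": 0, "B": 1}, {0: 1000, 1: 1000}, PROTO_LIMITS)


if __name__ == "__main__":
    print("shared queue   :", shared_queue())     # B keeps only its initial burst packet
    print("separate queues:", separate_queues())  # B: 100, every packet delivered
```

With the shared queue, B's traffic is discarded by the queue policer before its per-protocol limit is even consulted; moving B to its own queue is what restores it.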
4. Assign a CPU queue-based service policy on the control plane in cpu-qos mode. Enabling this command sets the queue rates according to the configured QoS policies.
To view the queue mapping for the MAC protocols, use the show mac protocol-queue-mapping command.
13 Data Center Bridging (DCB)

Data center bridging (DCB) refers to a set of enhancements to Ethernet local area networks used in data center environments, particularly with clustering and storage area networks.
Traffic        Description
LAN traffic    LAN traffic consists of many flows that are insensitive to latency requirements, while certain applications, such as streaming video, are more sensitive to latency. Ethernet functions as a best-effort network that may drop packets in the case of network congestion.
The system supports loading two DCB_Config files:
● FCoE converged traffic with priority 3.
● iSCSI storage traffic with priority 4.

In the Dell EMC Networking OS, PFC is implemented as follows:
● PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface. However, only two lossless queues are supported on an interface: one for Fibre Channel over Ethernet (FCoE) converged traffic and one for Internet Small Computer System Interface (iSCSI) storage traffic.
Table 14. ETS Traffic Groupings (continued)

Traffic Groupings                               Description
Group ID                                        A 4-bit identifier assigned to each priority group. The range is from 0 to 7 (configurable); 8 to 14 are reserved and 15.0 to 15.7 is the strict-priority group.
Group bandwidth                                 Percentage of available bandwidth allocated to a priority group.
Group transmission selection algorithm (TSA)    Type of queue scheduling a priority group uses.

In Dell EMC Networking OS, ETS is implemented as follows:
● ETS supports groups of 802.
Enabling Data Center Bridging

DCB is automatically configured when you configure FCoE or iSCSI optimization. Data center bridging supports converged enhanced Ethernet (CEE) in a data center network. DCB is disabled by default. It must be enabled to support CEE.
● Priority-based flow control
● Enhanced transmission selection
● Data center bridging exchange protocol
● FCoE initialization protocol (FIP) snooping

DCB processes virtual local area network (VLAN)-tagged packets and dot1p priority values.
Important Points to Remember
● If you remove a dot1p priority-to-priority group mapping from a DCB map (no priority pgid command), the PFC and ETS parameters revert to their default values on the interfaces on which the DCB map is applied. By default, PFC is not applied on specific 802.1p priorities; ETS assigns equal bandwidth to each 802.1p priority. As a result, PFC and lossless port queues are disabled on 802.
Set the bandwidth in percentage. The percentage range is from 1 to 100% in units of 1%. Committed and peak bandwidth is in megabits per second. The range is from 0 to 40000. Committed and peak burst size is in kilobytes. Default is 50. The range is from 0 to 40000. The pfc on command enables priority-based flow control.
3. Specify the dot1p priority-to-priority group mapping for each priority.
priority-pgid dot1p0_group_num dot1p1_group_num ... dot1p7_group_num
Priority group range is from 0 to 7.
For the dot1p-queue assignments, refer to the dot1p Priority-Queue Assignment table. The maximum number of lossless queues globally supported on the switch is two. The range is from 0 to 3. Separate the queue values with a comma; specify a priority range with a dash; for example, pfc no-drop queues 1,3 or pfc no-drop queues 2-3. The default: No lossless queues are configured.
NOTE: Dell EMC Networking OS Behavior: By default, no lossless queues are configured on a port.
● When you configure a DCB map, an error message is displayed if the PFC dot1p priorities result in more than two lossless queues.
● When you apply a DCB map, an error message is displayed if link-level flow control is already enabled on an interface. You cannot enable PFC and link-level flow control at the same time on an interface.
● In a switch stack, configure all stacked ports with the same PFC configuration.
Configuring PFC without a DCB Map

In a network topology that uses the default ETS bandwidth allocation (assigns equal bandwidth to each priority), you can also enable PFC for specific dot1p-priorities on individual interfaces without using a DCB map. This type of DCB configuration is useful on interfaces that require PFC for lossless traffic, but do not transmit converged Ethernet traffic.
Table 16.
When configuring lossless queues on a port interface, consider the following points:
● By default, no lossless queues are configured on a port.
● A limit of two lossless queues is supported on a port. If the number of lossless queues configured exceeds the maximum supported limit per port (two), an error message is displayed. Reconfigure the value to a smaller number of queues.
Dynamic ingress buffering enables the sending of pause frames at different thresholds based on the number of ports that experience congestion at a time. This behavior impacts the total buffer size used by a particular lossless priority on an interface. The pause and resume thresholds can also be configured dynamically.
To configure the aforementioned DSCP and PFC priority values, perform the following tasks:
1. Create class-maps to group the DSCP subsets.
class-map match-any dscp-pfc-1
 match ip dscp 0-5,10-15
!
class-map match-any dscp-pfc-2
 match ip dscp 20-25,30-35
2. Associate the above class-maps to queues. Queue assignment is as below.
NOTE: Although each port on the S4810, S4820T, and S5000 devices supports 8 QoS queues, you can configure only 4 QoS queues (0-3) to manage data traffic.
For example, storage traffic is sensitive to frame loss; interprocess communication (IPC) traffic is latency-sensitive. ETS allows different traffic types to coexist without interruption in the same converged link by:
● Allocating a guaranteed share of bandwidth to each priority group.
● Allowing each group to exceed its minimum guaranteed bandwidth if another group is not fully using its allotted bandwidth.
Configure all 802.1p priorities in priority groups associated with an ETS output policy. You can assign each dot1p priority to only one priority group. By default, all 802.1p priorities are grouped in priority group 0 and 100% of the port bandwidth is assigned to priority group 0. The complete bandwidth is equally assigned to each priority class so that each class has 12 to 13%.
QoS OUTPUT POLICY mode
Dell(conf-if-te-0/1)#exit
5. Enter INTERFACE Configuration mode.
CONFIGURATION mode
interface type slot/port
6. Apply the QoS output policy with the bandwidth percentage for specified priority queues to an egress interface.
INTERFACE mode
Dell(conf-if-te-0/1)#service-policy output test12

Configuring ETS in a DCB Map

A switch supports the use of a DCB map in which you configure enhanced transmission selection (ETS) settings.
● When allocating bandwidth or configuring strict-priority queuing for dot1p priorities in a priority group on a DCBx CIN interface, take into account the CIN bandwidth allocation and dot1p-queue mapping.
● Because all the priorities mapped to a priority group are scheduled using a single queue, the priorities are treated on a first-come, first-served basis.
Applying DCB Policies in a Switch Stack

You can apply DCB policies with PFC and ETS configurations to all stacked ports in a switch stack or on a stacked switch. To apply DCB policies in a switch stack, follow this step.
● Apply the specified DCB policy on all ports of the switch stack or a single stacked switch.
is generated. The network administrator must then reconfigure the peer device so that it advertises a compatible DCB configuration.
○ The configuration received from a DCBx peer or from an internally propagated configuration is not stored in the switch’s running configuration.
○ On a DCBx port in an auto-upstream role, the PFC and application priority TLVs are enabled. ETS recommend TLVs are disabled and ETS configuration TLVs are enabled.
DCB Configuration Exchange

The DCBx protocol supports the exchange and propagation of configuration information for the enhanced transmission selection (ETS) and priority-based flow control (PFC) DCB features. DCBx uses the following methods to exchange DCB configuration parameters:
Asymmetric: DCB parameters are exchanged between a DCBx-enabled port and a peer port without requiring that a peer port and the local port use the same configured values for the configurations to be compatible.
Auto-Detection and Manual Configuration of the DCBx Version

When operating in Auto-Detection mode (the DCBx version auto command), a DCBx port automatically detects the DCBx version on a peer port. Legacy CIN and CEE versions are supported in addition to the standard IEEE version 2.5 DCBx. A DCBx port detects a peer version after receiving a valid frame for that version.
DCBx Prerequisites and Restrictions

The following prerequisites and restrictions apply when you configure DCBx operation on a port:
● For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
NOTE: You can configure the transmission of more than one TLV type at a time; for example, advertise DCBx-tlv ets-conf ets-reco. You can enable ETS recommend TLVs (ets-reco) only if you enable ETS configuration TLVs (ets-conf). To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-tlv pfc ets-reco.
6. On manual ports only: Configure the Application Priority TLVs advertised on the interface to DCBx peers.
[no] advertise DCBx-appln-tlv {fcoe | iscsi}
● fcoe: enables the advertisement of FCoE in Application Priority TLVs.
● iscsi: enables the advertisement of iSCSI in Application Priority TLVs.
The default is Application Priority TLVs are enabled and advertise FCoE and iSCSI.
NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-applntlv iscsi.
6. Configure the FCoE priority advertised for the FCoE protocol in Application Priority TLVs.
○ config-exchng: enables traces for DCBx configuration exchanges.
○ fail: enables traces for DCBx failures.
○ mgmt: enables traces for DCBx management frames.
○ resource: enables traces for DCBx system resource frames.
○ sem: enables traces for the DCBx state machine.
○ tlv: enables traces for DCBx TLVs.

Verifying the DCB Configuration

To display DCB configurations, use the following show commands.
Table 19.
The following example shows the show dcb command.
DellEMC# show dcb
stack-unit 0 port-set 0
DCB Status : Enabled
PFC Port Count : 56 (current), 56 (configured)
PFC Queue Count : 2 (current), 2 (configured)

The following example shows the show qos priority-groups command.
DellEMC#show qos priority-groups
priority-group ipc
priority-list 4
set-pgid 2

The following example shows the output of the show qos dcb-map test command.
Remote FCOE PriorityMap is 0x8
Remote ISCSI PriorityMap is 0x8
0 Input TLV pkts, 1 Output TLV pkts, 0 Error pkts, 0 Pause Tx pkts, 0 Pause Rx pkts

The following table describes the show interface pfc summary command fields.
Table 20. show interface pfc summary Command Description

Fields                                  Description
Interface                               Interface type with stack-unit and port number.
Admin mode is on; Admin is enabled      PFC Admin mode is on or off with a list of the configured PFC priorities.
Table 20. show interface pfc summary Command Description (continued)

Fields                                  Description
PFC TLV Statistics: Output TLV pkts     Number of PFC TLVs transmitted.
PFC TLV Statistics: Error pkts          Number of PFC error packets received.
PFC TLV Statistics: Pause Tx pkts       Number of PFC pause frames transmitted.
PFC TLV Statistics: Pause Rx pkts       Number of PFC pause frames received.

The following example shows the show interface pfc statistics command.
7 - - - - - -
Oper status is init
ETS DCBX Oper status is Down
Reason: Port Shutdown
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled

The following example shows the show interface ets detail command.
The following table describes the show interface ets detail command fields.
Table 21. show interface ets detail Command Description

Field                         Description
Interface                     Interface type with stack-unit and port number.
Maximum Supported TC Group    Maximum number of priority groups supported.
Number of Traffic Classes     Number of 802.1p priorities currently configured.
Admin mode                    ETS mode: on or off.
The following example shows the show stack-unit all stack-ports all ets details command.
E-ETS Configuration TLV enabled          e-ETS Configuration TLV disabled
R-ETS Recommendation TLV enabled         r-ETS Recommendation TLV disabled
P-PFC Configuration TLV enabled          p-PFC Configuration TLV disabled
F-Application priority for FCOE enabled  f-Application Priority for FCOE disabled
I-Application priority for iSCSI enabled i-Application Priority for iSCSI disabled
----------------------------------------------------------------------
Interface TenGigabitEthernet 1/14
Remote Mac Address 00:01:e8:8a:df:a0
Port Role
Table 22. show interface DCBx detail Command Description (continued)

Field                                            Description
Local DCBx Status: DCBx Max Version Supported    Highest DCBx version supported in Control TLVs.
Local DCBx Status: Sequence Number               Sequence number transmitted in Control TLVs.
Local DCBx Status: Acknowledgment Number         Acknowledgement number transmitted in Control TLVs.
Local DCBx Status: Protocol State                Current operational state of DCBx protocol: ACK or IN-SYNC.
Figure 30. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic

QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
The following describes the priority group-bandwidth assignment.

Priority Group    Bandwidth Assignment
IPC               5%
SAN               50%
LAN               45%

PFC and ETS Configuration Command Examples

The following examples show PFC and ETS configuration commands to manage your data center traffic.
1. Enabling DCB
DellEMC(conf)#dcb enable
2. Configure DCB map and enable PFC, and ETS
DellEMC(conf)# service-class dynamic dot1p
Or
DellEMC(conf)# interface tengigabitethernet 1/1
DellEMC(conf-if-te-1/1)# service-class dynamic dot1p
3.
Although Dell EMC Networking OS allows you to change the default dot1p priority-queue assignments (refer to Setting dot1p Priorities for Incoming Traffic), DCB policies applied to an interface may become invalid if you reconfigure the dot1p-queue mapping. If the configured DCB policy remains valid, the change in the dot1p-queue assignment is allowed.
NOTE: Although each port on the S4810, S4820T, and S5000 devices supports 8 QoS queues, you can configure only 4 QoS queues (0-3) to manage data traffic.
The number of ports supported based on lossless queues configured depends on the buffer. The default number of PFC queues in the system is two. For each priority, you can specify the shared buffer threshold limit, the ingress buffer size, buffer limit for pausing the acceptance of packets, and the buffer offset limit for resuming the acceptance of received packets.
4. Configure the profile name for the DCB buffer threshold.
CONFIGURATION mode
dcb-buffer-threshold dcb-buffer-threshold
5.
14 Dynamic Host Configuration Protocol (DHCP)

DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies that network administrators determine.
Option                 Number      Description
Subnet Mask            Option 1    Specifies the client’s subnet mask.
Router                 Option 3    Specifies the router IP addresses that may serve as the client’s default gateway.
Domain Name Server     Option 6    Specifies the domain name servers (DNSs) that are available to the client.
Domain Name            Option 15   Specifies the domain name that clients should use when resolving hostnames via DNS.
There are additional messages that are used in case the DHCP negotiation deviates from the process previously described and shown in the following illustration.
DHCPDECLINE: A client sends this message to the server in response to a DHCPACK if the configuration parameters are unacceptable; for example, if the offered address is already in use. In this case, the client starts the configuration process over by sending a DHCPDISCOVER.
Configure the System to be a DHCP Server

A DHCP server is a network device that has been programmed to provide network configuration parameters to clients upon request. Servers typically serve many clients, making host management much more organized and efficient. The following table lists the key responsibilities of DHCP servers.
Table 23. DHCP Server Responsibilities

DHCP Server Responsibility        Description
Address Storage and Management    DHCP servers are the owners of the addresses DHCP clients use.
pool name
3. Specify the range of IP addresses from which the DHCP server may assign addresses.
DHCP mode
network network/prefix-length
● network: the subnet address.
● prefix-length: specifies the number of bits used for the network portion of the address you specify. The prefix-length range is from 17 to 31.
4. Display the current pool configuration.
DHCP mode
show config
After an IP address is leased to a client, only that client may release the address.
no disable
The default is Disabled.
3. Display the current DHCP configuration.
DHCP mode
show config
In the following illustration, an IP phone is powered by Power over Ethernet (PoE) and has acquired an IP address from the Dell Networking system, which is advertising link layer discovery protocol (LLDP)-media endpoint discovery (MED). The leased IP address is displayed using the show ip dhcp binding command and confirmed using the show lldp neighbors command.
Figure 33.
Creating Manual Binding Entries An address binding is a mapping between the IP address and the media access control (MAC) address of a client. The DHCP server assigns the client an available IP address automatically, and then creates an entry in the binding table. However, the administrator can manually create an entry for a client; manual bindings are useful when you want to guarantee that a particular network device receives a particular IP address.
Configure the System to be a Relay Agent DHCP clients and servers request and offer configuration information via broadcast DHCP messages. Routers do not forward broadcasts, so if there are no DHCP servers on the subnet, the client does not receive a response to its request and therefore cannot access the network.
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1 192.168.0.
DHCP Snooping DHCP snooping protects networks from spoofing. In the context of DHCP snooping, ports are either trusted or not trusted. By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect. Manually configure ports connected to legitimate servers and relay agents as trusted.
EXEC Privilege mode
show ip dhcp snooping
View the DHCP snooping statistics with the show ip dhcp snooping command.
Dell#show ip dhcp snooping
IP DHCP Snooping                   : Enabled.
IP DHCP Snooping Mac Verification  : Disabled.
IP DHCP Relay Information-option   : Disabled.
IP DHCP Relay Trust Downstream     : Disabled.
A spoofed ARP message is one in which the MAC address in the sender hardware address field and the IP address in the sender protocol field are strategically chosen by the attacker. For example, in an MITM attack, the attacker sends a client an ARP message containing the attacker’s MAC address and the gateway’s IP address. The client then thinks that the attacker is the gateway, and sends all internet-bound packets to it.
--------------------------------------
Valid ARP Requests   : 0
Valid ARP Replies    : 1000
Invalid ARP Requests : 1000
Invalid ARP Replies  : 0
Dell#

Bypassing the ARP Inspection

You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multiswitch environments. ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default. To bypass the ARP inspection, use the following command.
INTERFACE mode
ip dhcp source-address-validation vlan vlan-id
NOTE: Before enabling SAV with the VLAN option, allocate at least one FP block to the ipmacacl CAM region.

DHCP MAC Source Address Validation

DHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against the client hardware address field (CHADDR) in the payload.
deny count (0 packets)
deny access-list on TenGigabitEthernet 1/2
Total cam count 2
deny vlan 10 count (0 packets)
deny vlan 20 count (0 packets)

The following output of the show ip dhcp snooping source-address-validation discard-counters interface interface command displays the number of SAV dropped packets on a particular interface.
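The DHCP snooping, ARP inspection and SAV sections above all hinge on one data structure, the binding table built from snooped leases. The following added model (written for this guide, not Dell Networking OS code) shows how trusted ports, the binding table, DAI and the CHADDR check fit together; the port names, MAC addresses and IP addresses are constructed sample values.

```python
"""Model of the DHCP snooping binding table and the two checks that rely on it:
dynamic ARP inspection (DAI) and DHCP MAC source address validation (SAV).
Illustrative Python reimplementation written for this section, not Dell
Networking OS code; ports, MACs and addresses below are constructed."""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass
class SnoopingSwitch:
    trusted_ports: set = field(default_factory=set)
    # Binding table: (client MAC, leased IP) -> (VLAN, port the client is on).
    bindings: dict = field(default_factory=dict)
    # Clients whose REQUEST/DISCOVER was seen, keyed by CHADDR -> (VLAN, port).
    pending: dict = field(default_factory=dict)

    def snoop_dhcp(self, port, vlan, src_mac, msg_type, chaddr, ip=None):
        """Filter one DHCP message seen on `port`; returns 'forward' or 'drop'.
        `ip` is yiaddr for an ACK and ciaddr for a RELEASE."""
        # Server messages are legitimate only from trusted ports (servers and
        # relay agents), so a rogue server on an access port is dropped.
        if msg_type in SERVER_MSGS and port not in self.trusted_ports:
            return "drop"
        if msg_type in CLIENT_MSGS:
            # SAV: the frame's source MAC must equal CHADDR in the payload.
            if src_mac != chaddr:
                return "drop"
            if msg_type == "RELEASE":
                # Only the client that holds the lease (same VLAN and port) may release it.
                if self.bindings.get((chaddr, ip)) != (vlan, port):
                    return "drop"
                del self.bindings[(chaddr, ip)]
            else:
                self.pending[chaddr] = (vlan, port)
        elif msg_type == "ACK" and chaddr in self.pending:
            # A completed lease populates the binding table for the client's port.
            self.bindings[(chaddr, ip)] = self.pending.pop(chaddr)
        return "forward"

    def inspect_arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: the ARP sender MAC/IP pair must match a binding on this VLAN and port."""
        if port in self.trusted_ports:
            return "forward"  # trusted ports bypass inspection
        if self.bindings.get((sender_mac, sender_ip)) != (vlan, port):
            return "drop"
        return "forward"


def run_scenario():
    """Replay constructed traffic and return the verdict for each case."""
    sw = SnoopingSwitch(trusted_ports={"te0/1"})  # te0/1 faces the DHCP server
    client, server, other = "00:00:5e:00:53:aa", "00:00:5e:00:53:01", "00:00:5e:00:53:ee"
    results = {}
    # Legitimate lease: client on te0/5 obtains 10.0.0.10 from the server.
    sw.snoop_dhcp("te0/5", 10, client, "REQUEST", client)
    results["lease"] = sw.snoop_dhcp("te0/1", 10, server, "ACK", client, ip="10.0.0.10")
    # A DHCP OFFER arriving on an untrusted access port.
    results["rogue_offer"] = sw.snoop_dhcp("te0/6", 10, other, "OFFER", client, ip="10.0.0.99")
    # SAV: DISCOVER whose source MAC does not match its CHADDR.
    results["sav_mismatch"] = sw.snoop_dhcp("te0/6", 10, other, "DISCOVER", client)
    # DAI: the real client announcing its own binding.
    results["client_arp"] = sw.inspect_arp("te0/5", 10, client, "10.0.0.10")
    # DAI: an ARP pairing the gateway IP with a MAC that has no binding for it.
    results["spoofed_arp"] = sw.inspect_arp("te0/6", 10, other, "10.0.0.1")
    # Trusted (server-facing) port bypasses inspection.
    results["trusted_arp"] = sw.inspect_arp("te0/1", 10, server, "10.0.0.1")
    # RELEASE for the client's lease sent from a different port.
    results["foreign_release"] = sw.snoop_dhcp("te0/6", 10, client, "RELEASE", client, ip="10.0.0.10")
    return results


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:16} {verdict}")
```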
15 Equal Cost Multi-Path (ECMP)

Equal cost multi-path (ECMP) is supported on Dell Networking OS.

Topics:
• ECMP for Flow-Based Affinity
• Configuring the Hash Algorithm
• Enabling Deterministic ECMP Next Hop
• Configuring the Hash Algorithm Seed
• Link Bundle Monitoring
• Managing ECMP Group Paths
• Creating an ECMP Group Bundle
• Modifying the ECMP Group Threshold

ECMP for Flow-Based Affinity

IPv6 /128 routes having multiple paths do not form ECMPs.
● Enable IPv4 Deterministic ECMP next hop.
CONFIGURATION mode.
ip ecmp-deterministic
● Enable IPv6 Deterministic ECMP next hop.
CONFIGURATION mode.
ipv6 ecmp-deterministic

Configuring the Hash Algorithm Seed

Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order. However, the hash algorithm uses as a seed the lower 12 bits of the chassis MAC, which yields a different hash result for every chassis.
Managing ECMP Group Paths

Configure the maximum number of paths for an ECMP route that the L3 CAM can hold to avoid path degeneration. When you do not configure the maximum number of routes, the CAM can hold a maximum ECMP per route. To configure the maximum number of paths, use the following command.
NOTE: Save the new ECMP settings to the startup-config (write-mem) then reload the system for the new settings to take effect.
● Configure the maximum number of paths per ECMP group.
CONFIGURATION mode.
NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indices are generated in even numbers (0, 2, 4, 6... 1022) and are for information only. You can configure ecmp-group with id 2 for link bundle monitoring. This ecmp-group is different from the ecmp-group index 2 that is created by configuring routes and is automatically generated.
16 Fabric Services

The following example shows how fabric services operate.
Figure 35.
Configuring Switch Mode to Fabric Services

To configure switch mode to Fabric services, use the following commands.
1. Configure Switch mode to Fabric Services.
CONFIGURATION mode
fc switch-mode fabric-services
2. Configure the SAN fabric to which the FC port connects by entering the name of the FCoE map applied to the interface.
INTERFACE mode
fcoe-map {tengigabitEthernet slot/port | fortygigabitEthernet slot/port}
The FCoE map contains FCoE and FC parameter settings (refer to FCoE Maps).
Command              Description
show fc topology     Displays the topology information of the local switch.

The following configurations are applicable only after configuring the switch mode to fabric services using the fc switch-mode fabric-services command. When you set Switch mode to Fabric Services, the Fibre Channel interfaces are set to shutdown and the fcoe-map default_full_fabric applies.
Zoning

The zoning configurations are supported for Fabric Services operation on the S5000. In Fabric Services, the fcoe-map default_full_fabric has the default Zone mode set to deny. This setting denies all the fabric connections unless included in an active zoneset. To change this setting, use the default-zone-allow command. Changing this setting to all allows all the fabric connections without zoning. Zoning is a mechanism to ensure only the nodes that are part of a zone can communicate with each other.
Creating Zonesets

A zoneset is a grouping or configuration of zones. To create a zoneset and add zones into the zoneset, use the following steps.
1. Create a zoneset.
CONFIGURATION mode
fc zoneset zoneset_name
2. Add zones into a zoneset.
ZONESET CONFIGURATION mode
member zonename
Dell(conf)#fc zoneset zs1
Dell(conf-fc-zoneset-zs1)#member z1
Dell(conf-fc-zoneset-zs1)#
Dell(conf-fc-zoneset-zs1)#exit
Dell(conf-fc-zoneset-zs1)#

Activating a Zoneset

Activating a zoneset makes the zones within it effective.
4. Configure the principal switch priority.
principal-priority
For example:
Dell(conf-fmap-default_full_fabric-fcfabric)# principal-priority 254
5. Configure the error detect timeout value.
E-D-TOV
For example:
Dell(conf-fmap-default_full_fabric-fcfabric)# e-d-TOV 2000
This is the basic error timeout used for all Fibre Channel error detection. The default is 2000 milliseconds.
6. Configure the resource allocation timeout value.
Command              Description
show fc alias        Displays the configured alias.
show fc switch       Displays the FC Switch mode and world wide name.
show fc topology     Displays the topology information of the local switch.
Example of the show fc topology Command: the output lists, for each of three switch entries, the fields Switch Name, DomainId, Switch Port, Hops, Cost, Age, LinkCount and, per link, NeighborID, LocalPort, RemotePort and LinkCost (one neighbour shown is 10:00:5c:f9:dd:ef:0a:80); the remaining values are not legible in this copy. The output ends at the Dell# prompt.
Example of the show fc ns fabric Command
Dell#show fc ns fabric
Total number of devices = 3

Switch Name           10:00:5c:f9:dd:ef:0a:80
Domain Id             2
Switch Port           9
Port Id               02:09:00
Port Name             32:11:0e:fc:00:00:00:88
Node Name             22:11:0e:fc:00:00:00:88
Class of Service      8
Symbolic Port Name    (NULL)
Symbolic Node Name    (NULL)
Port Type             N_Port

Switch Name           10:00:5c:f9:dd:ef:0a:80
Domain Id             2
Switch Port           11
Port Id               02:0b:00
Port Name             31:11:0e:fc:00:00:00:77
Node Name             21:11:0e:fc:00:00:00:77
Class of Service      8
Symbolic Port Name
Dell#
10:00:8c:7c:ff:21:5f:8d
20:02:00:11:0d:03:00:00

Example of the show fc zoneset active Command
Dell#show fc zoneset active
Active Zoneset: fcoe_srv_fc_tgt
ZoneName     ZoneMember
==================================
brcd_sanb    10:00:8c:7c:ff:21:5f:8d
             20:02:00:11:0d:03:00:00
Dell#

Example of the show fc zoneset merged Command
Dell#show fc zoneset merged
Active Zoneset: zs1
Merged Zones
Dell#

Example of the show fc zone Command
Dell#show fc zone
ZoneName     ZoneMember
==============================
brcd_sanb    brc
17 FCoE Transit

The Fibre Channel over Ethernet (FCoE) Transit feature is supported on the S5000 switch on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.
NOTE: FIP snooping is not supported on Fibre Channel interfaces, in an S5000 switch stack, or on links between VLT peer switches.
Table 25. FIP Functions

FIP Function          Description
FIP VLAN discovery    FCoE devices (ENodes) discover the FCoE VLANs on which to transmit and receive FIP and FCoE traffic.
FIP discovery         FCoE end-devices and FCFs are automatically discovered.
Initialization        FCoE devices learn ENodes from the FLOGI and FDISC to allow immediate login and create a virtual link with an FCoE switch.
Maintenance           A valid virtual link between an FCoE device and an FCoE switch is maintained and the LOGO functions properly.
FIP Snooping on Ethernet Bridges In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to transmit between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is called a FIP snooping bridge (FSB). NOTE: When you enable FCoE transit on an S5000, the switch functions as a FIP snooping bridge.
Figure 37. FIP Snooping on an S5000 Switch

The following sections describe how to configure the FIP snooping feature on a switch that functions as a FIP snooping bridge so that it can perform the following functions:
● Allocate CAM resources for FCoE.
● Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis.
● A switch stack configuration is synchronized with the standby stack unit.
● Dynamic population of the FCoE database (ENode, Session, and FCF tables) is synchronized with the standby stack unit. The FCoE database is maintained by snooping FIP keep-alive messages.
● In case of a failover, the new master switch starts the required timers for the FCoE database tables. Timers run only on the master stack unit.
● create the VLANs on the switch which handles FCoE traffic (use the interface vlan command).
● configure each FIP snooping port to operate in Hybrid mode so that it accepts both tagged and untagged VLAN frames (use the portmode hybrid command).
● configure tagged VLAN membership on each FIP snooping port that sends and receives FCoE traffic and has links with an FCF, ENode server, or another FIP snooping bridge (use the tagged port-type slot/port command).
If you disable FCoE transit, FIP and FCoE traffic are handled as normal Ethernet frames and no FIP snooping ACLs are generated. The VLAN-specific and FIP snooping configuration is disabled and stored until you re-enable FCoE transit and the configurations are re-applied.

Enable FIP Snooping on VLANs

You can enable FIP snooping globally on a switch on all VLANs or on a specified VLAN.
Table 26. Impact of Enabling FIP Snooping

Impact                      Description
MAC address learning        MAC address learning is not performed on FIP and FCoE frames, which are denied by ACLs dynamically created by FIP snooping on server-facing ports in ENode mode.
MTU auto-configuration      MTU size is set to mini-jumbo (2500 bytes) when a port is in Switchport mode, the FIP snooping feature is enabled on the switch, and FIP snooping is enabled on all or individual VLANs.
Table 27. Impact of Enabling FIP Snooping (continued)

Impact                      Description
                            deleted. If a port is enabled for FIP snooping in ENode or FCF mode, the ENode/FCF MAC-based ACLs are deleted.

FIP Snooping Restrictions

The following restrictions apply when you configure FIP snooping.
● The maximum number of FCoE VLANs supported:
○ on an S5000 NPIV proxy gateway is 12.
○ on an S5000 switch not configured as an NPIV proxy gateway is eight.
fip-snooping max-sessions-per-enodemac max-value
Valid values are from 1 to 64. The default is 32 sessions.
5. Enter the interface configuration level to configure a 10-Gigabit Ethernet or FC port for FIP snooping.
CONFIGURATION mode
interface port-type slot/port
NOTE: By default, a port is enabled for bridge-to-ENode links.
6. Configure the port for bridge-to-FCF links.
NOTE: The show fip-snooping fcf command may continue to display FCFs the S5000 Fibre Channel ports advertise even if the ports are shut down because the FIP snooping feature does not interpret the A-bit in the FIP VLAN advertisements. When you configure the S5000 as an NPIV proxy gateway, use the show interfaces status command to check if the S5000 Fibre Channel ports connected to the FCF are up or down. The following example shows the show fip-snooping sessions command.
Table 30. show fip-snooping enode Command Description

Field              Description
ENode MAC          MAC address of the ENode.
ENode Interface    Slot/port number of the interface connected to the ENode.
FCF MAC            MAC address of the FCF.
VLAN               VLAN ID number the session uses.
FC-ID              Fibre Channel session ID the FCF assigns.

The following example shows the show fip-snooping fcf command.
Dell# show fip-snooping fcf
FCF MAC    FCF Interface    VLAN    FC-MAP    FKA_ADV_PERIOD    No.
Number of Unicast Discovery Solicits                 :0
Number of FLOGI                                      :1
Number of FDISC
Number of FLOGO
Number of Enode Keep Alive
Number of VN Port Keep Alive
Number of Multicast Discovery Advertisement
Number of Unicast Discovery Advertisement
Number of FLOGI Accepts
Number of FLOGI Rejects
Number of FDISC Accepts
Number of FDISC Rejects
Number of FLOGO Accepts
Number of FLOGO Rejects
Number of CVL
Number of FCF Discovery Timeouts
Number of VN Port Session Timeouts
Number of Session failures due to Hardware Config
Table 32. show fip-snooping statistics Command Descriptions (continued)
Field | Description
Number of ENode Keep Alives | Number of FIP-snooped ENode keep-alive frames received on the interface.
Number of VN Port Keep Alives | Number of FIP-snooped VN port keep-alive frames received on the interface.
Number of Multicast Discovery Advertisements | Number of FIP-snooped multicast discovery advertisements received on the interface.
FCoE Transit Configuration Example The following illustration shows an S5000 switch enabled for FCoE transit and used as a FIP snooping bridge for FCoE traffic between an ENode (server CNA) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway. Figure 38. Configuration Example of FCoE Transit on an S5000 Switch In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
Dell(conf-if-te-0/1)# switchport
Dell(conf-if-te-0/1)# protocol lldp
Dell(conf-if-te-0/1-lldp)# dcbx port-role auto-downstream
NOTE: A port is enabled by default for bridge-ENode links.
18 FIPS Cryptography
Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS 140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell EMC Networking platforms.
When you enable FIPS mode, the following actions are taken:
● If enabled, the SSH server is disabled.
● All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
● Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
● FIPS mode is enabled.
○ If the SSH server was enabled when you entered the fips mode enable command, it is re-enabled for version 2 only.
○ If you re-enable the SSH server, a new RSA host key-pair is generated automatically.
● Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
● FIPS mode is disabled.
● The SSH server is re-enabled.
● The Telnet server is re-enabled (if it is present in the configuration).
● New 1024-bit RSA and RSA1 host key-pairs are created.
To disable FIPS mode, use the following command.
● To disable FIPS mode from a console port.
19 Fibre Channel Interface The S5000 functions as a converged enhanced Ethernet (CEE) switch that supports both LAN and storage area network (SAN) traffic using the Fibre Channel protocol. To access a SAN fabric, use a Fibre Channel (FC) module installed in the S5000. S5000 FC ports operate at 2G, 4G, and 8G speed. By default, FC ports have autosensing speed enabled to use or negotiate port speed with a peer SAN switch.
NOTE: You can install an FC module only in expansion slot 0.
2. Configure the speed of an FC port.
INTERFACE FIBRE_CHANNEL mode
speed {auto | 2G | 4G | 8G}
The valid values are 2 Gbps, 4 Gbps, 8 Gbps, or autosensing. By default, an FC port autosenses the speed of the peer FC port.
3. Enable the Fibre Channel port.
INTERFACE FIBRE_CHANNEL mode
no shutdown
Displaying Fibre Channel Information
To display information on switch-wide and interface-specific Fibre Channel operation, use the following commands.
Field | Description
Fibrechannel 0/0 is down, FC link is down | Administrative state of the Fibre Channel interface (up/no shutdown or down/shutdown) and operational state of the FC link (up or down).
Pluggable media present, SFP+ type | Whether a pluggable optic is inserted in the port, and the SFP+ optic type.
Wavelength | Wavelength of the inserted optic.
SFP+ receive power | Power received on the SFP+ optic.
Interface index | Index number of the FC port.
Field | Description
TxLinkResets | Number of link resets on transmitted frames.
TotalLinkResets | Total number of link resets.
TotalRxFrames | Total number of frames received.
TotalTxFrames | Total number of frames transmitted.
RxOfflineSequences | Number of offline sequences received.
TxOfflineSequences | Number of offline sequences transmitted.
TotalOfflineSequences | Total number of offline sequences.
Command | Description
● 2 = Records FC warning messages.
● 3 = Records FC informational messages.
● 4 = Records all messages generated for FC operation on the switch.
The default is 4.
show fctrace-level | Displays the currently configured FC trace level.
show file fcmfs:/TRACE_LOG_FC/qstack_trace.log | Displays the trace log that contains trace messages of FC software and hardware events, state, and errors. The FC trace log is stored in internal flash at the file path fcmfs:/TRACE_LOG_FC/qstack_trace.
Built by build at tools-sjc-01 on Sat Mar 9 13:25:54 2013 S5000 Boot Selector Label 1.3.0.0m CPU0: Core: Clock P2020, Version: 2.1, (0x80e20021) E500, Version: 5.1, (0x80211051) Configuration: CPU0:1200 MHz, CPU1:1200 MHz, CCB:600 MHz, DDR:330 MHz (660 MT/s data rate) (Asynchronous), LBC:37.
Example of the show system stack-unit Command
Dell#show system stack-unit 0 port-group portmode
PortGroupId   Ports   Mode(Curr Boot)   Mode(Next Boot)
0             0,1     FC                FC
1             2,3     FC                FC
2             4,5     ETH               FC
3             6,7     FC                ETH
4             8,9     FC                FC
5             10,11   FC                FC
Dell#
20 Force10 Resilient Ring Protocol (FRRP)
Force10 resilient ring protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP achieves what the spanning tree protocol (STP) is used for, but with much faster convergence: STP can take up to 50 seconds to converge (depending on the size of the network and the node of failure), and even with optimizations STP may require four to five seconds to reconverge.
Figure 39. Normal Operating FRRP Topology A virtual LAN (VLAN) is configured on all node ports in the ring. All ring ports must be members of the Member VLAN and the Control VLAN. The Member VLAN is the VLAN used to transmit data as described earlier. The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node.
Ring Status The ring failure notification and the ring status checks provide two ways to ensure that the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
Figure 40. Example of Multiple Rings Connected by a Single Switch Important FRRP Points FRRP provides a convergence time that can generally range between 150 ms and 1500 ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring. ● The Master node transmits ring status check frames at specified intervals. ● You can run multiple physical rings on the same switch.
Important FRRP Concepts
The following table lists some important FRRP concepts.
Concept | Explanation
Ring ID | Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202, as shown in the illustration in Member VLAN Spanning Two Rings Connected by One Switch).
Control VLAN | Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose.
● If multiple rings share one or more member VLANs, they cannot share any links between them. ● Member VLANs across multiple rings are not supported in Master nodes. ● Each ring has only one Master node; all others are transit nodes. FRRP Configuration These are the tasks to configure FRRP.
Slot/Port, Range: Slot and Port ID for the interface. A range is entered as Slot/Port-Port.
3. Assign the Primary and Secondary ports and the control VLAN for the ports on the ring.
CONFIG-FRRP mode
interface primary int slot/port secondary int slot/port control-vlan vlan id
Interface:
● For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
● For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
VLAN ID: Identification number of the Control VLAN.
4. Configure a Transit node.
CONFIG-FRRP mode
mode transit
5. Identify the Member VLANs for this FRRP group.
CONFIG-FRRP mode
member-vlan vlan-id {range}
VLAN-ID, Range: VLAN IDs for the ring's Member VLANs.
6. Enable this FRRP group on this switch.
CONFIG-FRRP mode
no disable
Setting the FRRP Timers
To set the FRRP timers, use the following command.
NOTE: Set the Dead-Interval time to three times the Hello-Interval time.
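The following is an added example, not Dell code, that models the Master node's ring check described under Ring Status (ring health frames are transmitted on the primary port at the hello interval, and each frame that returns on the secondary port resets the fail-period timer) together with the Dead-Interval = 3 x Hello-Interval rule in the note above. The class and function names, the simulated millisecond clock and the 500 ms hello value are assumptions. The behaviour on timer expiry (marking the ring failed and opening the Master's secondary port for member-VLAN traffic until frames return) is also an assumption about FRRP operation that this page does not itself state.

```python
"""Model of the FRRP Master node ring check (added example, not Dell code).

Ring health frames (RHF) go out on the primary port every hello interval; an
RHF that returns on the secondary port resets the fail-period (dead) timer.
Assumption: when the dead timer expires the ring is marked failed and the
secondary port is opened for member-VLAN traffic; when RHFs return again the
ring is marked up and the port is blocked again. All times are in ms.
"""
from typing import Optional, Tuple


def dead_interval_ok(hello_ms: int, dead_ms: int) -> bool:
    """The guide's rule: Dead-Interval should be three times the Hello-Interval."""
    return dead_ms == 3 * hello_ms


class FrrpMaster:
    def __init__(self, hello_ms: int = 500, dead_ms: Optional[int] = None):
        self.hello = hello_ms
        self.dead = 3 * hello_ms if dead_ms is None else dead_ms
        self.next_tx = 0          # time of the next RHF transmission on the primary port
        self.last_rhf_rx = 0      # last time an RHF returned on the secondary port
        self.tx_count = 0
        self.ring_up = True
        # Member-VLAN traffic is blocked on the secondary port while the ring is intact
        # so the ring does not form a Layer 2 loop; the control VLAN is never blocked.
        self.secondary_blocked = True

    def tick(self, now_ms: int, ring_complete: bool) -> bool:
        """Advance the clock to now_ms. ring_complete says whether RHFs sent in this
        interval make it around the ring to the secondary port. Returns ring state."""
        while self.next_tx <= now_ms:
            self.tx_count += 1
            if ring_complete:
                # Frame received on the secondary port: reset the fail-period timer.
                self.last_rhf_rx = self.next_tx
            self.next_tx += self.hello

        if now_ms - self.last_rhf_rx > self.dead:
            if self.ring_up:                       # fail-period timer expired
                self.ring_up = False
                self.secondary_blocked = False     # assumption: open the secondary port
        elif not self.ring_up:
            self.ring_up = True                    # RHFs are returning again
            self.secondary_blocked = True
        return self.ring_up


def simulate(hello_ms: int, break_at_ms: int, restore_at_ms: int,
             end_ms: int, step_ms: int = 100) -> Tuple[Optional[int], Optional[int]]:
    """Run a ring that breaks at break_at_ms and is repaired at restore_at_ms.
    Returns (time the ring was declared failed, time it was declared up again)."""
    master = FrrpMaster(hello_ms)
    failed_at = restored_at = None
    for t in range(0, end_ms + 1, step_ms):
        complete = not (break_at_ms <= t < restore_at_ms)
        was_up = master.ring_up
        up = master.tick(t, complete)
        if was_up and not up:
            failed_at = t
        if not was_up and up:
            restored_at = t
    return failed_at, restored_at


if __name__ == "__main__":
    # With hello = 500 ms and dead = 1500 ms, a break at t=3000 is detected once
    # 1500 ms have passed since the last returned RHF (sent at t=2500).
    print(simulate(hello_ms=500, break_at_ms=3000, restore_at_ms=5000, end_ms=6000))
```

The simulation shows why the guide wants the dead interval at three times the hello interval: a single lost or delayed RHF does not open the secondary port, but a real break is declared within one dead interval of the last frame that made it round the ring.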
The ring ID range is from 1 to 255.
● Show the state of all FRRP groups.
EXEC or EXEC PRIVILEGED mode
show frrp summary
The ring ID range is from 1 to 255.
Troubleshooting FRRP
To troubleshoot FRRP, use the following information.
Configuration Checks
● Each Control Ring must use a unique VLAN ID.
● Only two interfaces on a switch can be Members of the same control VLAN.
● There can be only one Master node for any FRRP group.
● You can configure FRRP on Layer 2 interfaces only.
no shutdown
!
interface Vlan 201
 no ip address
 tagged GigabitEthernet 1/24,34
 no shutdown
!
protocol frrp 101
 interface primary GigabitEthernet 1/24 secondary GigabitEthernet 1/34 control-vlan 101
 member-vlan 201
 mode master
 no disable
Example of R2 TRANSIT
interface GigabitEthernet 2/14
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 2/31
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged GigabitEthernet 2/14,31
 no shutdown
!
interface Vlan 201
 no ip address
 tag
FRRP Support on VLT
Using FRRP rings, you can interconnect VLT domains across data centers. These FRRP rings use Layer 2 VLANs that span data centers and provide resiliency by detecting node-level or link-level failures. You can configure a simple FRRP ring that connects a VLT device in one data center to VLT devices in two or more data centers.
VLT Node2 is the transit node. The primary interface for VLT Node2 is the VLTi. P2 is the secondary interface, which is one of the orphan ports participating in the FRRP ring. V1 is the control VLAN through which the RHFs are exchanged. In addition to the control VLAN, multiple member VLANs are configured (for example, M1 to M10) that carry the data traffic across the FRRP rings. The secondary port P2 is tagged to the control VLAN (V1).
21 GARP VLAN Registration Protocol (GVRP) Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GVRP, defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. The GARP VLAN registration protocol (GVRP)-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other.
Figure 44. Global GVRP Configuration Example
Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2. Enabling GVRP on a Layer 2 Interface
Related Configuration Tasks
● Configure GVRP Registration
● Configure a GARP Timer
Enabling GVRP Globally
To configure GVRP globally, use the following command.
● Enable GVRP for the entire switch.
To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command. ● Enable GVRP on a Layer 2 interface.
● Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The Dell Networking OS default is 200 ms. ● Leave — When a GARP device expects to deregister a piece of attribute information, it sends out a Leave message and starts this timer. If a Join message does not arrive before the timer expires, the information is deregistered.
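An added example, not Dell code, of the two timers just described: the applicant transmits every Join twice, spaced by the Join timer (the 200 ms Dell Networking OS default quoted above), and the registrar starts the Leave timer when it receives a Leave, deregistering the attribute (a VLAN ID here) only if no Join for it arrives before the timer expires. The class and function names, the 600 ms Leave value and the simulated millisecond clock are constructed for illustration.

```python
"""GARP Join/Leave timer model (added example, not Dell code)."""
from typing import Dict, List, Set, Tuple

Event = Tuple[int, str, int]     # (time in ms, "JOIN" or "LEAVE", VLAN ID)
JOIN_MS = 200                    # Dell Networking OS default Join timer


def applicant_join(vlan: int, now_ms: int, join_ms: int = JOIN_MS) -> List[Event]:
    """Reliable transmission: the same Join is sent twice, join_ms apart."""
    return [(now_ms, "JOIN", vlan), (now_ms + join_ms, "JOIN", vlan)]


class GarpRegistrar:
    def __init__(self, leave_ms: int):
        self.leave_ms = leave_ms
        self.registered: Set[int] = set()
        self.leave_deadline: Dict[int, int] = {}   # VLAN -> time its Leave timer expires

    def _expire(self, now_ms: int) -> None:
        for vlan, deadline in list(self.leave_deadline.items()):
            if now_ms >= deadline:                  # no Join arrived in time: deregister
                self.registered.discard(vlan)
                del self.leave_deadline[vlan]

    def receive(self, now_ms: int, msg: str, vlan: int) -> None:
        self._expire(now_ms)
        if msg == "JOIN":
            self.registered.add(vlan)
            self.leave_deadline.pop(vlan, None)      # a Join cancels a running Leave timer
        elif msg == "LEAVE" and vlan in self.registered and vlan not in self.leave_deadline:
            self.leave_deadline[vlan] = now_ms + self.leave_ms

    def is_registered(self, vlan: int, now_ms: int) -> bool:
        self._expire(now_ms)
        return vlan in self.registered


def replay(events: List[Event], leave_ms: int = 600) -> GarpRegistrar:
    """Deliver events to a fresh registrar in time order and return it."""
    reg = GarpRegistrar(leave_ms)
    for t, msg, vlan in sorted(events):
        reg.receive(t, msg, vlan)
    return reg


if __name__ == "__main__":
    # Constructed scenario: join VLAN 100 at t=0, Leave at t=1000, then a late Join at t=1300.
    reg = replay(applicant_join(100, 0) + [(1000, "LEAVE", 100), (1300, "JOIN", 100)])
    print("VLAN 100 registered at t=2000:", reg.is_registered(100, 2000))
```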
22 High Availability (HA)
High availability (HA) is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions.
Topics:
• High Availability on Stacks
• Hitless Behavior
• Graceful Restart
• Software Resiliency
• Hot-Lock Behavior
• Component Redundancy
High Availability on Stacks
A stack has a master and standby management unit that provide redundancy in a similar way to redundant route processor modules (RPMs).
● Open shortest path first
● Protocol independent multicast — sparse mode
● Intermediate system to intermediate system
Software Resiliency
During normal operations, Dell Networking OS monitors the health of both hardware and software components in the background to identify potential failures, even before these failures manifest.
System Health Monitoring
Dell Networking OS also monitors the overall health of the system.
Hot-Lock Behavior Dell Networking OS hot-lock features allow you to append and delete their corresponding content addressable memory (CAM) entries dynamically without disrupting traffic. Existing entries are simply shuffled to accommodate new entries. Hot-Lock IP ACLs allow you to append rules to and delete rules from an access control list (ACL) that is already written to CAM. This behavior is enabled by default and is available for both standard and extended ACLs on ingress and egress.
Synchronization between Management and Standby Units Data between the Management and Standby units is synchronized immediately after bootup. After the Management and Standby units have done an initial full synchronization (block sync), Dell EMC Networking OS only updates changed data (incremental sync). The data that is synchronized consists of configuration data, operational data, state and status, and statistics depending on the Dell EMC Networking OS version.
23 Internet Group Management Protocol (IGMP) Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. The internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group.
Figure 45. IGMP Messages in IP Packets Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. Responding to an IGMP Query The following describes how a host can join a multicast group. 1. One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet. 2.
IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences. ● Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers. ● To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Joining and Filtering Groups and Sources
The following illustration shows how multicast routers maintain the group and source information from unsolicited reports.
1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2. The host's second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1. Include messages prevent traffic from all other sources in the group from reaching the subnet.
Leaving and Staying in Groups
The following illustration shows how multicast routers track and refresh state changes in response to group-and-source-specific and general queries.
1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the include filter for 10.11.1.1 and 10.11.1.2 is no longer necessary.
2.
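To make the join, source-filter and leave sequence of the last two sections concrete, here is an added example (not Dell code) of the router-side IGMPv3 state for one interface. It keeps, per group, the filter mode and source list reported by each host and derives the interface's forwarding state the way RFC 3376 merges them; query timers and querier election are left out. The record names are the IGMPv3 ones (IS_IN/IS_EX for current state, TO_IN/TO_EX for a filter-mode change, ALLOW/BLOCK for a source-list change); the host names, class name and addresses are constructed, reusing the group and sources from the text.

```python
"""Router-side IGMPv3 group/source state for one interface (added example, not Dell code)."""
from typing import Dict, FrozenSet, List, Tuple

INCLUDE, EXCLUDE = "INCLUDE", "EXCLUDE"
State = Tuple[str, FrozenSet[str]]


class IgmpV3Interface:
    def __init__(self) -> None:
        # group -> {reporting host -> (filter mode, sources)}
        self.groups: Dict[str, Dict[str, State]] = {}

    def report(self, host: str, group: str, record: str, sources=()) -> None:
        srcs = frozenset(sources)
        members = self.groups.setdefault(group, {})
        mode, cur = members.get(host, (INCLUDE, frozenset()))
        if record in ("IS_IN", "TO_IN"):
            new: State = (INCLUDE, srcs)
        elif record in ("IS_EX", "TO_EX"):
            new = (EXCLUDE, srcs)
        elif record == "ALLOW":      # host wants additional sources
            new = (INCLUDE, cur | srcs) if mode == INCLUDE else (EXCLUDE, cur - srcs)
        elif record == "BLOCK":      # host no longer wants these sources
            new = (INCLUDE, cur - srcs) if mode == INCLUDE else (EXCLUDE, cur | srcs)
        else:
            raise ValueError(f"unknown record type {record}")
        if new == (INCLUDE, frozenset()):
            # INCLUDE with an empty source list is how a host leaves the group.
            members.pop(host, None)
            if not members:
                del self.groups[group]
        else:
            members[host] = new

    def interface_state(self, group: str) -> State:
        """Merge per-host state: any EXCLUDE host puts the interface in EXCLUDE mode
        with the intersection of excluded sources minus anything a host INCLUDEs."""
        members = self.groups.get(group, {})
        if not members:
            return (INCLUDE, frozenset())            # nobody interested: forward nothing
        excluded = [s for m, s in members.values() if m == EXCLUDE]
        included = frozenset().union(*(s for m, s in members.values() if m == INCLUDE))
        if excluded:
            return (EXCLUDE, frozenset.intersection(*excluded) - included)
        return (INCLUDE, included)

    def forwards(self, group: str, source: str) -> bool:
        """Would traffic from `source` to `group` be forwarded onto this subnet?"""
        mode, srcs = self.interface_state(group)
        return source in srcs if mode == INCLUDE else source not in srcs


def walkthrough() -> List[bool]:
    """The page's sequence: join the group, narrow it to one source, then leave."""
    iface = IgmpV3Interface()
    out = []
    iface.report("host1", "224.1.1.1", "IS_EX")                 # step 1: wants every source
    out.append(iface.forwards("224.1.1.1", "10.11.1.2"))         # True
    iface.report("host1", "224.1.1.1", "TO_IN", ["10.11.1.1"])   # step 2: only 10.11.1.1
    out.append(iface.forwards("224.1.1.1", "10.11.1.1"))         # True
    out.append(iface.forwards("224.1.1.1", "10.11.1.2"))         # False
    iface.report("host1", "224.1.1.1", "TO_IN", [])              # leave: include filter no longer needed
    out.append(iface.forwards("224.1.1.1", "10.11.1.1"))         # False
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The merge rule matters with more than one host on the subnet: a second host that excludes 10.11.1.3 does not stop that source while another host explicitly includes it, because the router must serve the least restrictive combination.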
● Adjusting Timers
● Preventing a Host from Joining a Group
● Enabling IGMP Immediate-Leave
● IGMP Snooping
● Fast Convergence after MSTP Topology Changes
● Designating a Multicast Router Interface
Viewing IGMP Enabled Interfaces
Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command.
● View IGMP-enabled interfaces.
Viewing IGMP Groups
To view both learned and statically configured IGMP groups, use the following command.
● View both learned and statically configured IGMP groups.
EXEC Privilege mode
show ip igmp groups
Dell(conf-if-te-1/0)#do sho ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address   Interface                Uptime     Expires    Last Reporter
224.1.1.1       TenGigabitEthernet 1/0   00:00:03   Never      CLI
224.1.2.1       TenGigabitEthernet 1/0   00:56:55   00:01:22   1.1.1.
Enabling IGMP Immediate-Leave If the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robustness value). Then, after no response, it removes the group from the outgoing interface for the subnet. IGMP immediate leave reduces leave latency by enabling a router to immediately delete the group membership on an interface after receiving a Leave message (it does not send any group-specific or group-and-source queries before deleting the entry).
● Configuring the Switch as Querier
Dell(conf)#ip igmp snooping enable
Dell(conf)#do show running-config igmp
ip igmp snooping enable
Dell(conf)#
Removing a Group-Port Association
To configure or view the remove group-port association feature, use the following commands.
● Configure the switch to remove a group-port association after receiving an IGMP Leave message.
INTERFACE VLAN mode
ip igmp fast-leave
● View the configuration.
Specifying a Port as Connected to a Multicast Router
To statically specify or view a port in a VLAN, use the following commands.
● Statically specify a port in a VLAN as connected to a multicast router.
INTERFACE VLAN mode
ip igmp snooping mrouter
● View the ports that are connected to multicast routers.
EXEC Privilege mode
show ip igmp snooping mrouter
Configuring the Switch as Querier
To configure the switch as a querier, use the following command.
Egress Interface Selection (EIS) for HTTP and IGMP Applications You can use the Egress Interface Selection (EIS) feature to isolate the management and front-end port domains for HTTP and IGMP traffic. Also, EIS enables you to configure the responses to switch-destined traffic by using the management port IP address as the source IP address. This information is sent out of the switch through the management port instead of the front-end port.
Table 33. Association Between Applications and Port Numbers (continued)
Application Name | Port Number | Client
TFTP | 69 | Supported
Radius | 1812,1813 | Supported
Tacacs | 49 | Supported
HTTP | 80 for httpd Server; 443 for secure httpd; 8008 HTTP server port for confd application; 8888 secure HTTP server port for confd application | Supported
If you configure a source interface for any EIS management application, EIS might not coexist with that interface, and the behavior is undefined in such a case.
● For all non-management applications, traffic exits through either a front-end data port or the management port, based on a route lookup in the default routing table.
● Ping and traceroute are always non-management applications, and the route lookup for these applications is done in the default routing table only.
● For ping and traceroute utilities that are initiated from the switch, if reachability needs to be tested through routes in the management EIS routing table, you must configure ICMP as a management application.
● If the route lookup in the EIS routing table fails or if the management port is down, the packets are dropped. The application-specific count of dropped packets is incremented and can be viewed using the show management application pkt-drop-cntr command. This counter is cleared using the clear management application pkt-drop-cntr command.
● Packets whose destination TCP/UDP port does not match a configured management application take the regular route lookup flow in the IP stack.
● A separate drop counter is incremented for this case. This counter is viewed using the netstat command, like all other IP layer counters.
Consider a scenario in which ip1 is an address assigned to the management port and ip2 is an address assigned to any of the front-panel ports of a switch. End users on the management and front-panel port networks are connected.
2. Non-Management Applications (applications that are not configured as management applications as defined by this feature): Non-management application traffic exits through either a front-end data port or the management port based on the routing table. If there is a default route on both the management port and a front-end data port, the default route for the data port is the preferred route.
EIS behavior for ICMP: ICMP packets do not have TCP/UDP ports. In this case, to perform an EIS route lookup for ICMP-based applications (ping and traceroute), you must configure ICMP as a management application. If the management port is down or the route lookup fails, the packets are dropped. If the source IP address does not match the management port IP address, the route lookup is done in the default routing table.
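The lookup order spelled out in the bullets above and in the ICMP paragraph is easy to get wrong when troubleshooting a management application that silently drops, so here it is as an added example (not Dell code) that models the decision for switch-originated traffic. The routing tables, interface names and addresses are constructed sample data (the management application ports are those from Table 33), and classifying a packet as a management application purely by its destination TCP/UDP port is a simplification of the application tracking the switch does; the per-application drop counter stands in for what show management application pkt-drop-cntr reports.

```python
"""Model of EIS egress selection for switch-originated traffic (added example, not Dell code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

Route = Tuple[str, str]   # (prefix, egress interface)


@dataclass
class EisState:
    mgmt_apps: Dict[str, Set[int]]   # applications configured as management applications -> ports
    mgmt_routes: List[Route]         # management EIS routing table
    default_routes: List[Route]      # default routing table
    mgmt_ip: str                     # address of the management port (ip1 in the guide's scenario)
    mgmt_port_up: bool = True
    icmp_is_mgmt: bool = False       # ICMP must be configured explicitly as a management application
    drop_counters: Dict[str, int] = field(default_factory=dict)   # per-application drop counter


def longest_match(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match; returns the egress interface or None when no route exists."""
    best: Optional[Tuple[int, str]] = None
    addr = ip_address(dst)
    for prefix, egress in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, egress)
    return None if best is None else best[1]


def classify(state: EisState, proto: str, dst_port: Optional[int]) -> Optional[str]:
    """Name of the management application the packet belongs to, or None."""
    if proto == "icmp":
        return "icmp" if state.icmp_is_mgmt else None
    for app, ports in state.mgmt_apps.items():
        if dst_port in ports:
            return app
    return None


def select_egress(state: EisState, proto: str, src_ip: str, dst_ip: str,
                  dst_port: Optional[int] = None) -> Optional[str]:
    """Return the egress interface, or None when the packet is dropped."""
    app = classify(state, proto, dst_port)
    # Non-management traffic (including ping/traceroute unless ICMP is configured as a
    # management application) takes the regular lookup in the default routing table only.
    if app is None:
        return longest_match(state.default_routes, dst_ip)
    # ICMP sourced from an address other than the management port IP also uses the default table.
    if proto == "icmp" and src_ip != state.mgmt_ip:
        return longest_match(state.default_routes, dst_ip)
    # Management application: EIS table only; a failed lookup or a down management
    # port drops the packet and bumps that application's drop counter.
    egress = longest_match(state.mgmt_routes, dst_ip) if state.mgmt_port_up else None
    if egress is None:
        state.drop_counters[app] = state.drop_counters.get(app, 0) + 1
    return egress


def sample_state() -> EisState:
    """Constructed sample: documentation prefixes only, no real deployment data."""
    return EisState(
        mgmt_apps={"tftp": {69}, "radius": {1812, 1813}, "tacacs": {49}},
        mgmt_routes=[("192.0.2.0/24", "ma0"), ("203.0.113.0/24", "ma0")],
        default_routes=[("198.51.100.0/24", "te0/1"), ("0.0.0.0/0", "te0/2")],
        mgmt_ip="192.0.2.10",
    )


if __name__ == "__main__":
    s = sample_state()
    print("tftp to 203.0.113.5 ->", select_egress(s, "udp", s.mgmt_ip, "203.0.113.5", 69))
    print("tftp to 8.8.8.8     ->", select_egress(s, "udp", s.mgmt_ip, "8.8.8.8", 69), s.drop_counters)
    print("ssh  to 8.8.8.8     ->", select_egress(s, "tcp", "198.51.100.1", "8.8.8.8", 22))
```

Note the asymmetry the model makes visible: a management application never falls back to the default table, so a TFTP transfer to a destination missing from the EIS table is dropped and counted even though the default table has a route to it, while the same destination is reachable for any non-management application.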
● Designate an interface as a multicast router interface.
24 Interfaces This chapter describes interface types, both physical and logical, and how to configure them with Dell EMC Networking Operating System (OS). The system supports 10 Gigabit Ethernet and 40 Gigabit Ethernet interfaces. NOTE: Only Dell-qualified optics are supported on these interfaces. Non-Dell 40G optics are set to error-disabled state.
• Bulk Configuration
• Defining Interface Range Macros
• Monitoring and Maintaining Interfaces
• Non Dell-Qualified Transceivers
• Splitting QSFP Ports to SFP+ Ports
• Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port
• Configuring wavelength for 10-Gigabit SFP+ optics
• Link Dampening
• Link Bundle Monitoring
• Using Ethernet Pause Frames for Flow Control
• Configure the MTU Size on an Interface
• Port-Pipes
• Auto-Negotiation on Ethernet Interfaces
• View Advanced Interface Information
• Configuri
The following example shows the configuration and status information for one interface.
DellEMC#show interfaces tengigabitethernet 1/1
TenGigabitEthernet 1/1 is up, line protocol is up
Hardware is Force10Eth, address is 00:01:e8:05:f3:6a
    Current address is 00:01:e8:05:f3:6a
Pluggable media present, XFP type is 10GBASE-LR.
    Medium is MultiRate, Wavelength is 1310nm
    XFP receive power reading is -3.7685
Interface index is 67436603
Internet address is 65.113.24.
interface TenGigabitEthernet 2/9
 no ip address
 shutdown
Resetting an Interface to its Factory Default State
You can reset the configuration applied on an interface to its factory default state. To reset the configuration, perform the following steps:
1. View the configuration applied on an interface.
INTERFACE mode
show config
DellEMC(conf-if-te-1/5)#show config
!
interface TenGigabitEthernet 1/5
 no ip address
 portmode hybrid
 switchport
 rate-interval 8
 mac learning-limit 10 no-station-move
 no shutdown
2.
View EEE Information
To view the details of Energy Efficient Ethernet (EEE), use the following show commands. You have several options for viewing the details of EEE on interfaces.
● List all the interfaces.
EXEC mode
EXEC PRIVILEGE mode
show interfaces
This command displays the status of each interface with various details, including whether EEE is enabled on the interface.
● List the status of EEE on all the interfaces, on a specified port, or on a range of ports.
     0 Multicasts, 0 Broadcasts, 0 Unicasts
     0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Time since last interface status change: 2d10h6m
The following example shows the status of EEE on a specific interface.
RX - Debug Counter 2
RX - Debug Counter 3
RX - Debug Counter 4
RX - Debug Counter 5
RX - Debug Counter 6
RX - Debug Counter 7
RX - Debug Counter 8
RX - EEE LPI Event Counter
RX - EEE LPI Duration Counter
TX - 64 Byte Frame Counter
TX - 65 to 127 Byte Frame Counter
TX - 128 to 255 Byte Frame Counter
TX - 256 to 511 Byte Frame Counter
TX - 512 to 1023 Byte Frame Counter
TX - 1024 to 1518 Byte Frame Counter
TX - 1519 to 1522 Byte Good VLAN Frame Counter
TX - 1519 to 2047 Byte Frame Counter
TX - 2048 to 4095 By
(RX and TX counter rows; the counter names continue as follows)
1024 to 1518 Byte Frame Counter
1519 to 1522 Byte Good VLAN Frame Counter
1519 to 2047 Byte Frame Counter
2048 to 4095 Byte Frame Counter
4096 to 9216 Byte Frame Counter
Good Packet Counter
Packet/Frame Counter
Unicast Frame Counter
Multicast Frame Counter
Broadcast Frame Counter
Byte Cou
TX - Debug Counter 0               0
TX - Debug Counter 1               0
TX - Debug Counter 2               0
TX - Debug Counter 3               0
TX - Debug Counter 4               0
TX - Debug Counter 5               0
TX - Debug Counter 6               0
TX - Debug Counter 7               0
TX - Debug Counter 8               0
TX - Debug Counter 9               0
TX - Debug Counter 10              0
TX - Debug Counter 11              0
TX - EEE LPI Event Counter         0
TX - EEE LPI Duration Counter      0
To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave INTERFACE mode, use the exit command or the end command. You cannot delete a physical interface.
Physical Interfaces
The Management Ethernet interface is a single RJ-45 Fast Ethernet port on a switch. The interface provides dedicated management access to the system. Stack-unit interfaces support Layer 2 and Layer 3 traffic over the 10-Gigabit and 40-Gigabit Ethernet interfaces.
Configuring Layer 2 (Data Link) Mode Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode. To set Layer 2 data transmissions through an individual interface, use the following command. ● Enable Layer 2 data transmissions through an individual interface.
To determine the configuration of an interface, use the show config command in INTERFACE mode or the various show interface commands in EXEC mode.
Configuring Layer 3 (Interface) Mode
To assign an IP address, use the following commands.
● Enable the interface.
INTERFACE mode
no shutdown
● Configure a primary IP address and mask on the interface.
INTERFACE mode
ip address ip-address mask [secondary]
The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx).
Configuring EIS
EIS is compatible with the following protocols: DNS, FTP, NTP, RADIUS, sFlow, SNMP, SSH, Syslog, TACACS, Telnet, and TFTP. To enable and configure EIS, use the following commands:
1. Enter EIS mode.
CONFIGURATION mode
management egress-interface-selection
2. Configure which applications use EIS.
Interface index is 302006472 Internet address is 10.16.130.
To display the configuration for a given port, use the show interface command in EXEC Privilege mode, as shown in the following example. To display the routing table, use the show ip route command in EXEC Privilege mode.
!
 ip ospf hello-interval 15
 no shutdown
Loopback Interfaces
A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Because this interface is not a physical interface, you can configure routing protocols on this interface to provide protocol stability. You can place Loopback interfaces in default Layer 3 mode. To configure, view, or delete a Loopback interface, use the following commands.
A port channel provides redundancy by aggregating physical interfaces into one logical interface. If one physical interface goes down in the port channel, another physical interface carries the traffic. Port Channel Benefits A port channel interface provides many benefits, including easy management, link redundancy, and sharing. Port channels are transparent to network configurations and can be modified and managed as one interface.
Configuration Tasks for Port Channel Interfaces To configure a port channel (LAG), use the commands similar to those found in physical interfaces. By default, no port channels are configured in the startup configuration.
INTERFACE PORT-CHANNEL mode
channel-member interface
The interface variable is the physical interface type and slot/port information.
2. Double check that the interface was added to the port channel.
INTERFACE PORT-CHANNEL mode
show config
To view the port channel's status and channel members in a tabular format, use the show interfaces port-channel brief command in EXEC Privilege mode, as shown in the following example.
DellEMC(conf-if)#ip address 10.56.4.4 /24
% Error: Port is part of a LAG Te 1/6.
DellEMC(conf-if)#
Reassigning an Interface to a New Port Channel
An interface can be a member of only one port channel. If the interface is a member of a port channel, remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, Dell EMC Networking OS recalculates the hash algorithm for the port channel.
Adding or Removing a Port Channel from a VLAN
As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command). To add or remove a VLAN port channel and to view VLAN port channel members, use the following commands.
● Add the port channel to the VLAN as a tagged interface.
INTERFACE VLAN mode
tagged port-channel id number
An interface with tagging enabled can belong to multiple VLANs.
Assigning an IP Address to a Port Channel
You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command.
● Configure an IP address and mask on the interface.
INTERFACE mode
ip address ip-address mask [secondary]
○ ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24).
○ secondary: the IP address is the interface's backup IP address.
For more information about algorithm choices, refer to the command details in the IP Routing chapter of the Dell EMC Networking OS Command Reference Guide.
● Change to another algorithm.
CONFIGURATION mode
DellEMC(conf)#hash-algorithm ecmp xor 26 lag crc 26 nh-ecmp checksum 26
DellEMC(conf)#
The hash-algorithm command is specific to the ECMP group. The default ECMP hash configuration is crc-lower. This command takes the lower 32 bits of the hash key to compute the egress port.
Bulk Configuration Examples
Use the interface range command for bulk configuration.
● Create a Single-Range
● Create a Multiple-Range
● Exclude Duplicate Entries
● Exclude a Smaller Port Range
● Overlap Port Ranges
● Commas
● Add Ranges
Create a Single-Range
The following is an example of a single range.
Overlap Port Ranges
The following is an example showing how the interface-range prompt extends a port range from the smallest start port number to the largest end port number when port ranges overlap.
The following example shows how to change to the interface-range configuration mode using the interface-range macro named "test."
DellEMC(config)# interface range macro test
DellEMC(config-if)#
Monitoring and Maintaining Interfaces
Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, and so on. To view the interface's statistics, use the following command.
Maintenance Using TDR The time domain reflectometer (TDR) is supported on all Dell EMC Networking switches. TDR is an assistance tool to resolve link issues that helps detect obvious open or short conditions within any of the four copper pairs. TDR sends a signal onto the physical cable and examines the reflection of the signal that returns. By examining the reflection, TDR is able to indicate whether there is a cable fault (when the cable is broken, becomes unterminated, or if a transceiver is unplugged).
NOTE: When you split a 40G port (such as fo 1/4) into four 10G ports, the 40G interface configuration is still available in the startup configuration when you save the running configuration by using the write memory command. When a reload of the system occurs, the 40G interface configuration is not applicable because the 40G ports are split into four 10G ports after the reload operation. While the reload is in progress, you might see error messages when the configuration file is being loaded.
● When you insert a QSA into a 40 Gigabit port, you can use only the first 10 Gigabit port in the fan-out mode to plug in SFP or SFP+ cables. The remaining three 10 Gigabit ports are reported in Link Down state and are unusable.
● You cannot use QSFP optical cables on the same port where a QSA is used.
● When you remove the QSA module alone from a 40 Gigabit port, without connecting any SFP or SFP+ cables, Dell Networking OS does not generate any event.
Dell#show interfaces tengigabitethernet 0/4 transceiver
SFP 0 Serial ID Base Fields
SFP 0 Id = 0x0d
SFP 0 Ext Id = 0x00
SFP 0 Connector = 0x23
SFP 0 Transceiver Code = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
SFP 0 Encoding = 0x00
………………
………………
SFP 0 Diagnostic Information
===================================
SFP 0 Rx Power measurement type = OMA
===================================
SFP 0 Temp High Alarm threshold = 0.000C
SFP 0 Voltage High Alarm threshold = 0.000V
SFP 0 Bias High Alarm threshold = 0.
QSFP 0 Serial ID Base Fields
QSFP 0 Id = 0x0d
QSFP 0 Ext Id = 0x00
QSFP 0 Connector = 0x23
QSFP 0 Transceiver Code = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
QSFP 0 Encoding = 0x00
………………
………………
QSFP 0 Diagnostic Information
===================================
QSFP 0 Rx Power measurement type = OMA
===================================
QSFP 0 Temp High Alarm threshold = 0.000C
QSFP 0 Voltage High Alarm threshold = 0.000V
QSFP 0 Bias High Alarm threshold = 0.
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP type is 1GBASE
……………………
LineSpeed 1000 Mbit
Dell#show interfaces tengigabitethernet 0/7
gigabitethernet 0/0 is up, line protocol is down
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP type is 1GBASE
……………………
LineSpeed 1000 Mbit
Dell#show interfaces tengigabitethernet 0/8
TenGigabitEthernet 0/0 is up, line protocol is up
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Curre
Link Dampening
Interface state changes occur when interfaces are administratively brought up or down or when the link state changes. Every time an interface changes state, or flaps, routing protocols are notified of the routes affected by the change and must re-converge, which is expensive. Flapping therefore puts the whole network at risk of transient loops and black holes.
Figure 50. Interface State Change
Consider an interface that flaps periodically as shown above. Every time the interface goes down, a penalty of 1024 is added. In the above example, the first flap (flap 1) sets the penalty to 1024. The accumulated penalty then decays exponentially according to the configured half-life, which is 10 seconds in the example. At the second flap (flap 2), another 1024 is added to whatever penalty remains.
Enabling Link Dampening
To enable link dampening, use the following command.
● Enable link dampening.
INTERFACE mode
dampening
To view the link dampening configuration on an interface, use the show config command.
R1(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
ip address 10.10.19.1/24
dampening 1 2 3 4
no shutdown
To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
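The penalty accumulation and decay described for Figure 50, replayed as an added example (this is not Dell EMC Networking OS code). It assumes the usual dampening semantics: a fixed penalty of 1024 per flap, halving every half-life, suppression above a suppress threshold, release below a reuse threshold, and a maximum suppress time enforced by capping the penalty. The four dampening arguments are assumed to be half-life, reuse-threshold, suppress-threshold and max-suppress-time, in that order; the threshold values in figure_scenario() are chosen for the illustration, not taken from the page.

```python
"""Exponential-decay model of the link dampening behaviour described above.

Added illustration, not Dell EMC Networking OS code.  Assumptions (standard
route/link dampening semantics, with the four `dampening` arguments taken in
the order half-life, reuse-threshold, suppress-threshold, max-suppress-time):
  * every down transition adds a fixed penalty of 1024;
  * the accumulated penalty halves every `half_life` seconds;
  * the interface is suppressed once the penalty reaches suppress_threshold
    and released once it decays below reuse_threshold;
  * max_suppress_time bounds the suppression, enforced here by capping the
    penalty at reuse_threshold * 2 ** (max_suppress_time / half_life).
"""

FLAP_PENALTY = 1024


def decayed(penalty, elapsed, half_life):
    """Penalty left after `elapsed` seconds of exponential decay."""
    return penalty * 0.5 ** (elapsed / half_life)


class Dampener:
    def __init__(self, half_life, reuse, suppress, max_suppress):
        if not 0 < reuse < suppress:
            raise ValueError("need 0 < reuse-threshold < suppress-threshold")
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        # Highest penalty that can still decay below `reuse` within
        # max_suppress seconds; anything above it is clamped.
        self.ceiling = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last = 0.0
        self.suppressed = False

    def _advance(self, now):
        """Decay the penalty to time `now`; release once below reuse."""
        self.penalty = decayed(self.penalty, now - self.last, self.half_life)
        self.last = now
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False

    def flap(self, now):
        """Record a down transition at `now` seconds; return suppression state."""
        self._advance(now)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.ceiling)
        if self.penalty >= self.suppress:
            self.suppressed = True
        return self.suppressed

    def penalty_at(self, now):
        self._advance(now)
        return self.penalty

    def is_suppressed(self, now):
        self._advance(now)
        return self.suppressed


def figure_scenario():
    """Replay Figure 50: half-life 10 s, flaps at t=0 and t=10.

    Thresholds (reuse 750, suppress 1500, max-suppress 30 s) are chosen for
    the illustration; they are not values from the page.
    """
    d = Dampener(half_life=10, reuse=750, suppress=1500, max_suppress=30)
    d.flap(0)                       # penalty 1024, below the suppress threshold
    after_decay = d.penalty_at(10)  # halved to 512 after one half-life
    d.flap(10)                      # 512 + 1024 = 1536 >= 1500: suppressed
    return after_decay, d.penalty_at(10), d.is_suppressed(10), d.is_suppressed(31)


if __name__ == "__main__":
    print(figure_scenario())
```

The ceiling is what keeps a persistently flapping link from being dampened forever: once the penalty is clamped, it takes at most max-suppress-time to decay below the reuse threshold after the last flap.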
Configure MTU Size on an Interface In Dell EMC Networking OS, Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload). The link MTU is the frame size of a packet, and the IP MTU size is used for IP fragmentation. If the system determines that the IP packet must be fragmented as it leaves the interface, Dell EMC Networking OS divides the packet into fragments no bigger than the size set in the ip mtu command.
An Ethernet interface starts to send pause frames to a sending device when the transmission rate of ingress traffic exceeds the egress port speed. The interface stops sending pause frames when the ingress rate falls to less than or equal to egress port speed. The globally assigned 48-bit Multicast address 01-80-C2-00-00-01 is used to send and receive pause frames.
The following table lists the various Layer 2 overheads found in the Dell EMC Networking OS and the number of bytes.
Table 39. Layer 2 Overhead
Layer 2 Overhead | Difference Between Link MTU and IP MTU
Ethernet (untagged) | 18 bytes
VLAN Tag | 22 bytes
Untagged Packet with VLAN-Stack Header | 22 bytes
Tagged Packet with VLAN-Stack Header | 26 bytes
Link MTU and IP MTU considerations for port channels and VLANs are as follows.
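The link MTU versus IP MTU arithmetic from the definition above and Table 39, as an added example (not Dell EMC Networking OS code): it computes the link MTU an ip mtu setting requires under each encapsulation, the headroom for a given pair of values, and how many IPv4 fragments a packet produces when it exceeds the IP MTU. The fragmentation helper assumes a 20-byte IPv4 header with no options, which the page does not state.

```python
"""Link MTU versus IP MTU arithmetic for the Layer 2 overheads in Table 39.

Added example, not Dell EMC Networking OS code.  The fragmentation helper
assumes plain IPv4 with a 20-byte header and no options, which the page
does not state.
"""

# Bytes between link MTU and IP MTU for each encapsulation (Table 39).
L2_OVERHEAD = {
    "untagged": 18,             # 14-byte Ethernet header + 4-byte FCS
    "tagged": 22,               # + 4-byte 802.1Q tag
    "untagged-vlan-stack": 22,  # + 4-byte outer (stack) tag only
    "tagged-vlan-stack": 26,    # + inner and outer tags
}
IPV4_HEADER = 20


def required_link_mtu(ip_mtu, encapsulation):
    """Smallest link MTU that carries `ip_mtu`-byte IP packets intact."""
    return ip_mtu + L2_OVERHEAD[encapsulation]


def max_ip_mtu(link_mtu, encapsulation):
    """Largest `ip mtu` value that still fits under a given link MTU."""
    return link_mtu - L2_OVERHEAD[encapsulation]


def headroom(link_mtu, ip_mtu, encapsulation):
    """Spare bytes on the wire; negative means packets at `ip_mtu` are
    oversized for this encapsulation and will be dropped or fragmented."""
    return link_mtu - required_link_mtu(ip_mtu, encapsulation)


def fragments(total_length, ip_mtu, df=False):
    """Number of IPv4 fragments an `ip mtu` setting produces for a packet of
    `total_length` bytes (header included); 0 when DF is set and it does
    not fit, in which case the packet is dropped."""
    if total_length <= ip_mtu:
        return 1
    if df:
        return 0
    # Every fragment but the last carries a payload that is a multiple of 8.
    per_fragment = (ip_mtu - IPV4_HEADER) // 8 * 8
    payload = total_length - IPV4_HEADER
    return -(-payload // per_fragment)       # ceiling division
```

A negative headroom is the usual cause of silent drops when a VLAN-stack header is added to a link whose MTU was sized for plain tagged frames; check it before enabling stacking on a port.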
EXEC Privilege mode
show interfaces [interface | stack-unit stack-unit-number] status
2. Determine the remote interface status.
EXEC mode or EXEC Privilege mode
[Use the command on the remote system that is equivalent to the first command.]
3. Access CONFIGURATION mode.
EXEC Privilege mode
config
4. Access the port.
CONFIGURATION mode
interface interface-type
5. Set the local port speed.
speed 100
duplex full
no shutdown
Set Auto-Negotiation Options
The negotiation auto command provides a mode option for configuring an individual port as forced-master or forced-slave once auto-negotiation is enabled.
CAUTION: Ensure that only one end of the link is configured as forced-master and the other end as forced-slave.
DellEMC#show ip interface configured
DellEMC#show ip interface stack-unit 1 configured
DellEMC#show ip interface tengigabitEthernet 1 configured
DellEMC#show ip interface br configured
DellEMC#show ip interface br stack-unit 1 configured
DellEMC#show ip interface br tengigabitEthernet 1 configured
DellEMC#show running-config interfaces configured
DellEMC#show running-config interface tengigabitEthernet 1 configured
In EXEC mode, the show interfaces switchport command displays only interfaces in Layer 2 mo
Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
0 CRC, 0 IP Checksum, 0 overrun, 0 discarded
0 packets output, 0 bytes, 0 underruns
Output 0 Multicasts, 0 Broadcasts, 0 Unicasts
0 IP Packets, 0 Vlans, 0 MPLS
0 throttles, 0 discarded
Rate info (interval 100 seconds):
Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Output 00.00 Mbits/sec, 0 packets/sec, 0.
DellEMC#show int po 20
Port-channel 20 is up, line protocol is up
Hardware address is 4c:76:25:f4:ab:02, Current address is 4c:76:25:f4:ab:02
Interface index is 1258301440
Minimum number of links to bring Port-channel up is 1
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :4c7625f4ab02
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 80000 Mbit
Members in this channel: Fo 1/1/7/1(U) Fo 1/1/8/1(U)
ARP type: ARPA, ARP Timeout 04:00:00
Queueing strategy: fifo
Input Statistics:
139
EXEC Privilege mode
clear counters [interface] [vrrp [vrid] | learning-limit]
(OPTIONAL) Enter the following interface keywords and slot/port or number information:
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
○ For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
25 Internet Protocol Security (IPSec)
Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. In Dell EMC Networking OS, IPSec protects management traffic such as Telnet and FTP sessions. It supports two operational modes: Transport and Tunnel.
● Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
3. Apply the crypto policy to management traffic.
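A parser and evaluator for the match rules listed above, as an added example (not Dell EMC Networking OS code). It assumes the field order is sequence, protocol, source prefix, source port, destination prefix, destination port, that a port of 0 means any port, and that the lowest matching sequence number wins; these are assumptions about the syntax, not statements from the page. Its purpose is to answer the question a reviewer asks of such a policy: which management flows does it actually cover, and which leave the switch in the clear.

```python
"""Parse and evaluate crypto-policy `match` rules of the form shown above.

Added example, not Dell EMC Networking OS code.  Assumed field layout:
  match <seq> <proto> <src-prefix> <src-port> <dst-prefix> <dst-port>
with port 0 meaning "any" and the lowest matching sequence number winning.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# The eight rules from the page: Telnet (23) and FTP control (21), both
# directions, for one IPv6 pair and one IPv4 pair.
POLICY_TEXT = """
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
"""


@dataclass(frozen=True)
class MatchRule:
    seq: int
    proto: str
    src: ipaddress.IPv4Network | ipaddress.IPv6Network
    sport: int
    dst: ipaddress.IPv4Network | ipaddress.IPv6Network
    dport: int

    def matches(self, proto, src, sport, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s.version != self.src.version or d.version != self.dst.version:
            return False            # an IPv4 flow never matches an IPv6 rule
        return (proto == self.proto
                and s in self.src and d in self.dst
                and self.sport in (0, sport)
                and self.dport in (0, dport))


def parse_policy(text):
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) != 9 or f[0] != "match":
            raise ValueError(f"unrecognised rule: {line!r}")
        rules.append(MatchRule(
            seq=int(f[1]), proto=f[2],
            src=ipaddress.ip_network(f[3] + f[4]), sport=int(f[5]),
            dst=ipaddress.ip_network(f[6] + f[7]), dport=int(f[8])))
    return sorted(rules, key=lambda r: r.seq)


def first_match(rules, proto, src, sport, dst, dport):
    """Sequence number of the first rule the 5-tuple hits, or None when the
    flow falls outside the policy and would travel unprotected."""
    for rule in rules:
        if rule.matches(proto, src, sport, dst, dport):
            return rule.seq
    return None


RULES = parse_policy(POLICY_TEXT)
```

Running first_match() over the flows you expect to see is a quick way to confirm that every management protocol in use is covered; with these eight rules, for example, a session to TCP port 22 on either host matches nothing.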
26 IPv4 Routing The Dell EMC Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell EMC Networking OS.
IP Addresses
Dell EMC Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which aggregates several networks under a single shorter prefix, is also supported. To subnet, you add a mask to the IP address to separate the network and host portions of the IP address.
INTERFACE mode
ip address ip-address mask [secondary]
● ip-address mask: the IP address must be in dotted decimal format (A.B.C.D). The mask must be in slash prefix-length format (/24).
● secondary: add the keyword secondary if the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses.
To view the configuration, use the show config command in INTERFACE mode or use the show ip interface command in EXEC privilege mode, as shown in the second example.
S 6.1.2.13/32 via 6.1.20.2, Te 5/1 1/0 00:02:30
S 6.1.2.14/32 via 6.1.20.2, Te 5/1 1/0 00:02:30
S 6.1.2.15/32 via 6.1.20.2, Te 5/1 1/0 00:02:30
S 6.1.2.16/32 via 6.1.20.2, Te 5/1 1/0 00:02:30
S 6.1.2.17/32 via 6.1.20.2, Te 5/1 1/0 00:02:30
S 11.1.1.0/24 Direct, Nu 0 0/0 00:02:30
Dell EMC Networking OS installs a next hop that is on the directly connected subnet of the current IP address on the interface.
supported on all the layer 3 VLAN interfaces. Because all of the Layer 3 interfaces are mapped to the VLAN ID of 4095 when VLAN sub-interfaces are configured on it, it is not possible to configure unique layer 3 MTU values for each of the layer 3 interfaces. If a VLAN interface contains both IPv4 and IPv6 addresses configured on it, both the IPv4 and IPv6 traffic are applied the same MTU size; you cannot specify different MTU values for IPv4 and IPv6 packets.
Enabling Directed Broadcast
By default, Dell EMC Networking OS drops directed broadcast packets destined for an interface. This default provides some protection against denial of service (DoS) attacks, because a directed broadcast lets a remote sender trigger a reply from every host on the target subnet, which is the amplification used by smurf-style attacks. Enable it only on interfaces that need it. To enable Dell EMC Networking OS to receive directed broadcasts, use the following command.
● Enable directed broadcast.
INTERFACE mode
ip directed-broadcast
To view the configuration, use the show config command in INTERFACE mode.
Specifying the Local System Domain and a List of Domains If you enter a partial domain, Dell EMC Networking OS can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. Dell EMC Networking OS searches the host table first to resolve the partial domain. The host table contains both statically configured and dynamically learnt host and IP addresses.
ARP
Dell EMC Networking OS uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network. Over time, Dell EMC Networking OS builds a table mapping IP addresses to their corresponding MAC addresses. This table is called the ARP cache; dynamically learned entries are removed after a defined period of time.
Enabling Proxy ARP
By default, Proxy ARP is enabled. To disable Proxy ARP, use the no proxy-arp command in INTERFACE mode. To re-enable Proxy ARP, use the following command.
● Re-enable Proxy ARP.
INTERFACE mode
ip proxy-arp
To view whether Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. Only non-default information is displayed in the show config output, so if Proxy ARP is not listed there, it is enabled (the default).
ARP Learning via ARP Request In Dell EMC Networking OS versions prior to 8.3.1.0, Dell EMC Networking OS learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped. If there is an existing entry for the requesting host, it is updated. Figure 51.
● Set the exponential timer for resending unresolved ARPs.
CONFIGURATION mode
arp backoff-time
The default is 30. The range is from 1 to 3600.
● Display all ARP entries learned via gratuitous ARP.
EXEC Privilege mode
show arp retries
ICMP
For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply).
Important Points to Remember
● The existing ip directed-broadcast command is rendered meaningless if you enable UDP helper on the same interface.
● The broadcast traffic rate should not exceed 200 packets per second when you enable UDP helper.
● You may specify a maximum of 16 UDP ports.
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:07:44
Queueing strategy: fifo
Input Statistics:
0 packets, 0 bytes
Time since last interface status change: 00:07:44
Configurations Using UDP Helper
When you enable UDP helper and the destination IP address of an incoming packet is a broadcast address, Dell EMC Networking OS may rewrite the destination address of the packet before forwarding it. The following sections describe the configurations in which UDP helper directs broadcasts.
UDP Helper with Subnet Broadcast Addresses When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to matching interface. In the following illustration, Packet 1 has the destination IP address 1.1.1.255, which matches the subnet broadcast address of VLAN 101.
UDP Helper with No Configured Broadcast Addresses
The following describes UDP helper with no broadcast addresses configured.
● If the incoming packet has a broadcast destination IP address, the unaltered packet is routed to all Layer 3 interfaces.
● If the incoming packet has a destination IP address that matches the subnet broadcast address of any interface, the unaltered packet is routed to the matching interfaces.
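The forwarding decision from the two UDP helper sections above, as an added example (not Dell EMC Networking OS code). It models the case where the destination matches an interface's subnet broadcast address (rewritten to that interface's configured broadcast address, or left unaltered when none is configured) and the limited broadcast with no configured addresses (unaltered copy to every other Layer 3 interface), and enforces the 16-port limit from the important points. Assumptions not stated on the page: helper ports are configured on the ingress interface, the rewrite target on the egress interface, only UDP packets to a helper port are relayed, a limited broadcast is never sent back out of the ingress interface, and a limited broadcast is forwarded unaltered even when some interfaces have a configured broadcast address. The topology is constructed; only the 1.1.1.255 match is taken from the page.

```python
"""Forwarding decision for UDP helper, covering the two cases the page
describes.  Added example, not Dell EMC Networking OS code.

Assumptions: helper ports (ip udp-helper udp-port) belong to the ingress
interface, the rewrite target (ip udp-broadcast-address) to the egress
interface, only UDP packets to a helper port are relayed, and a limited
broadcast is never sent back out of the ingress interface.  The case
"limited broadcast with a configured broadcast address" is not covered by
the page and is forwarded unaltered here.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

MAX_HELPER_PORTS = 16          # limit from "Important Points to Remember"
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


@dataclass
class L3Interface:
    name: str
    network: ipaddress.IPv4Network
    helper_ports: frozenset[int] = frozenset()
    broadcast_address: ipaddress.IPv4Address | None = None

    def __post_init__(self):
        if len(self.helper_ports) > MAX_HELPER_PORTS:
            raise ValueError(f"{self.name}: at most {MAX_HELPER_PORTS} UDP helper ports")


def make_interface(name, cidr, helper_ports=(), broadcast=None):
    return L3Interface(name, ipaddress.IPv4Network(cidr), frozenset(helper_ports),
                       ipaddress.IPv4Address(broadcast) if broadcast else None)


def relay(interfaces, ingress, dst, dport):
    """Return [(egress interface, destination address)] for one UDP packet."""
    if dport not in interfaces[ingress].helper_ports:
        return []                  # not a helped port: normal forwarding applies
    dst = ipaddress.IPv4Address(dst)
    if dst == LIMITED_BROADCAST:
        # No configured broadcast addresses: unaltered copy to all other L3 ports.
        return [(i.name, str(dst)) for i in interfaces.values() if i.name != ingress]
    out = []
    for i in interfaces.values():
        if dst == i.network.broadcast_address:
            out.append((i.name, str(i.broadcast_address or dst)))
    return out


def constructed_topology():
    """Made-up topology; Vlan101 reproduces the page's 1.1.1.255 match."""
    ifs = [
        make_interface("Vlan100", "10.0.0.0/24", helper_ports=(67, 69)),
        make_interface("Vlan101", "1.1.1.0/24", broadcast="3.3.3.255"),
        make_interface("Vlan102", "2.2.2.0/24"),
    ]
    return {i.name: i for i in ifs}
```

The relay() result is also the list to compare against what you intend: a helper port that reaches every Layer 3 interface via the limited broadcast is a broadcast amplifier, which is why the rate limit of 200 packets per second matters.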
27 IPv6 Routing Internet Protocol Version 6 (IPv6) is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
Dell Networking OS manipulation of IPv6 stateless autoconfiguration supports the router side only. Neighbor discovery (ND) messages are advertised so the neighbor can use this information to auto-configure its address. However, received ND messages are not used to create an IPv6 address. The router redirect functionality in the neighbor discovery protocol (NDP) is similar to IPv4 router redirect messages. NDP uses ICMPv6 redirect messages (Type 137) to inform nodes that a better router exists on the link.
Payload Length (16 bits)
The Payload Length field gives the length of the data following the IPv6 header; it does not include the header itself. A 16-bit field limits the payload to 65,535 bytes (64 KB). The Jumbo Payload option in a Hop-by-Hop extension header supports larger packets when required.
Next Header (8 bits)
The Next Header field identifies the next header’s type.
Source Address (128 bits)
The Source Address field contains the IPv6 address of the packet originator.
Destination Address (128 bits)
The Destination Address field contains the intended recipient’s IPv6 address. This can be either the ultimate destination or the address of the next-hop router.
Extension Header Fields
Extension headers are used only when necessary. Due to the streamlined nature of the IPv6 header, adding extension headers does not severely impact performance.
Addressing IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab is a valid IPv6 address. If one or more four-digit group(s) is 0000, the zeros may be omitted and replaced with two colons(::). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab can be shortened to 2001:0db8::1428:57ab. Only one set of double colons is supported in a single address.
Generally, ICMPv6 uses two message types: ● Error reporting messages indicate when the forwarding or delivery of the packet failed at the destination or intermediate node. These messages include Destination Unreachable, Packet Too Big, Time Exceeded and Parameter Problem messages. ● Informational messages provide diagnostic functions and additional host functions, such as Neighbor Discovery and Multicast Listener Discovery. These messages also include Echo Request and Echo Reply messages.
Figure 58. NDP Router Redirect
IPv6 Neighbor Discovery of MTU Packets
You can set the MTU advertised in RA packets to nodes on the link without altering the actual MTU setting of the interface. The ipv6 nd mtu command sets only the advertised value; it does not change the interface MTU. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets if that is what is set with the mtu command.
You must enter the ipv6acl allocation as a multiple of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd-numbered ranges. The default option sets the CAM profile as follows:
● L3 ACL (ipv4acl): 6
● L2 ACL (l2acl): 5
● IPv6 L3 ACL (ipv6acl): 0
● L3 QoS (ipv4qos): 1
● L2 QoS (l2qos): 1
To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start), then reload the system.
● Allocate space for IPv6 ACLs.
ipv6 route prefix type {slot/port} forwarding router tag
○ prefix: IPv6 route prefix
○ type {slot/port}: interface type and slot/port
○ forwarding router: forwarding router’s address
○ tag: route tag
Enter the keyword interface then the type of interface and slot/port information:
○ For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
show ipv6 ?
Dell#show ipv6 ?
accounting   IPv6 accounting information
cam          IPv6 CAM Entries
fib          IPv6 FIB Entries
interface    IPv6 interface information
mbgproutes   MBGP routing table
mld          MLD information
mroute       IPv6 multicast-routing table
neighbors    IPv6 neighbor information
ospf         OSPF information
pim          PIM V6 information
prefix-list  List IPv6 prefix lists
route        IPv6 routing information
rpf          RPF table
Dell#
Showing an IPv6 Interface
To view the IPv6 configuration for a specific interface, use the following command.
show ipv6 route type
The following keywords are available:
○ To display information about a network, enter the ipv6 address (X:X:X:X::X).
○ To display information about a host, enter the hostname.
○ To display all IPv6 routes (including non-active routes), enter all.
○ To display all connected IPv6 routes, enter connected.
○ To display a brief summary of all IPv6 routes, enter summary.
○ To display Border Gateway Protocol (BGP) routes, enter bgp.
Showing the Running-Configuration for an Interface
To view the configuration for any interface, use the following command.
● Show the currently running configuration for the specified interface.
EXEC mode
show running-config interface type {slot/port}
Enter the keyword interface then the type of interface and slot/port information:
○ For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
Configuring IPv6 RA Guard
IPv6 Router Advertisement (RA) guard lets you block or reject unwanted router advertisement messages that arrive at the switch, so that a rogue or misconfigured host cannot announce itself as the default router for the link. To configure IPv6 RA guard, perform the following steps:
1. Enter Global Configuration mode.
EXEC Privilege mode
configure terminal
2. Enable IPv6 RA guard.
CONFIGURATION mode
ipv6 nd ra-guard enable
3. Create the policy.
reachable-time value
The reachability time range is from 0 to 3,600,000 milliseconds.
14. Set the advertised retransmission time.
POLICY LIST CONFIGURATION mode
retrans-timer value
The retransmission time range is from 100 to 4,294,967,295 milliseconds.
15. Display the configurations applied in the RA guard policy mode.
EXEC Privilege mode
debug ipv6 nd ra-guard [interface slot/port | count value]
The count range is from 1 to 65534. The default is infinity.
For a complete listing of all commands related to IPv6 RA Guard, see the Dell EMC Networking OS Command Line Reference Guide.
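What an RA guard policy actually does to a frame, as an added example (not Dell EMC Networking OS code): it parses a raw IPv6/ICMPv6 frame, recognises Router Advertisements, and applies a per-port policy. The policy knobs used here (device role, minimum advertised hop limit, allowed router preference, managed-config flag) follow RFC 6105 rather than the exact Dell command set, the hop-limit-255 and link-local-source checks are the RA validity rules from RFC 4861, and the frames are constructed in build_ra() with the ICMPv6 checksum left at zero, which this filter does not verify. All of those are assumptions, not statements from the page.

```python
"""A minimal IPv6 RA guard filter: parse raw IPv6/ICMPv6 frames, keep only
Router Advertisements that satisfy the port's policy, and drop the rest.
Added example, not Dell EMC Networking OS code.

Assumptions: frames start at the IPv6 header with no extension headers,
ICMPv6 checksums are not verified here, and the policy knobs follow
RFC 6105 rather than the exact Dell command set.  The hop-limit-255 and
link-local-source checks are the RFC 4861 validity rules for RAs.
"""
import ipaddress
import struct
from dataclasses import dataclass

ICMPV6_RA = 134
IPV6_HDR = struct.Struct("!IHBB16s16s")     # 40 bytes
RA_HDR = struct.Struct("!BBHBBHII")         # 16 bytes, options not parsed
PREFERENCE = {1: "high", 0: "medium", 3: "low", 2: "reserved"}   # RFC 4191


@dataclass
class RouterAdvert:
    src: ipaddress.IPv6Address
    ipv6_hop_limit: int
    cur_hop_limit: int
    managed: bool
    other: bool
    preference: str
    router_lifetime: int
    reachable_ms: int
    retrans_ms: int


@dataclass
class RaGuardPolicy:
    device_role: str = "host"        # "host": no RA may enter; "router": check it
    min_hop_limit: int = 0
    allowed_preferences: tuple = ("high", "medium", "low")
    allow_managed_flag: bool = True


def build_ra(src, cur_hop_limit=64, flags=0, router_lifetime=1800,
             reachable_ms=0, retrans_ms=0, ipv6_hop_limit=255):
    """Constructed RA to ff02::1 (checksum left zero, see module docstring)."""
    icmp = RA_HDR.pack(ICMPV6_RA, 0, 0, cur_hop_limit, flags,
                       router_lifetime, reachable_ms, retrans_ms)
    hdr = IPV6_HDR.pack(0x60000000, len(icmp), 58, ipv6_hop_limit,
                        ipaddress.IPv6Address(src).packed,
                        ipaddress.IPv6Address("ff02::1").packed)
    return hdr + icmp


def parse_ra(frame):
    """Return a RouterAdvert, or None when the frame is not an ICMPv6 RA."""
    if len(frame) < IPV6_HDR.size + RA_HDR.size:
        return None
    ver_tc_fl, _plen, next_hdr, hop_limit, src, _dst = IPV6_HDR.unpack_from(frame)
    if ver_tc_fl >> 28 != 6 or next_hdr != 58:
        return None
    typ, _code, _csum, chl, flags, life, reach, retrans = RA_HDR.unpack_from(frame, IPV6_HDR.size)
    if typ != ICMPV6_RA:
        return None
    return RouterAdvert(ipaddress.IPv6Address(src), hop_limit, chl,
                        bool(flags & 0x80), bool(flags & 0x40),
                        PREFERENCE[(flags >> 3) & 3], life, reach, retrans)


def ra_guard(frame, policy):
    """Return ("forward" | "drop", reason) for one ingress frame."""
    ra = parse_ra(frame)
    if ra is None:
        return "forward", "not a router advertisement"
    if policy.device_role == "host":
        return "drop", "RA received on a host-facing port"
    if ra.ipv6_hop_limit != 255:
        return "drop", "IPv6 hop limit must be 255 (RFC 4861): RA did not originate on-link"
    if not ra.src.is_link_local:
        return "drop", "RA source must be a link-local address"
    if ra.cur_hop_limit < policy.min_hop_limit:
        return "drop", f"advertised hop limit {ra.cur_hop_limit} below policy minimum"
    if ra.preference not in policy.allowed_preferences:
        return "drop", f"router preference {ra.preference} not allowed"
    if ra.managed and not policy.allow_managed_flag:
        return "drop", "managed-config flag not allowed by policy"
    return "forward", "RA passed policy"
```

The default policy is the host role, which drops every RA: on access ports that is the setting to keep, and the router role with explicit checks belongs only on the uplinks where a legitimate router is expected.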
28 iSCSI Optimization
This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
Figure 59. Example of iSCSI Optimization Monitoring iSCSI Traffic Flows The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that trap iSCSI protocol packets to the CPU for examination. Devices that initiate iSCSI sessions usually use well-known TCP ports 3260 or 860 to contact targets. When you enable iSCSI optimization, by default the switch identifies IP packets to or from these ports as iSCSI traffic.
You can configure whether iSCSI frames are re-marked to contain the configured VLAN priority tag or IP DSCP when forwarded through the switch. NOTE: On a switch in which a large proportion of traffic is iSCSI, CoS queue assignments may interfere with other network control-plane traffic, such as ARP or LACP. Balance preferential treatment of iSCSI traffic against the needs of other critical data in the network.
Configuring Detection and Ports for Dell Compellent Arrays To configure a port connected to a Dell Compellent storage array, use the following command. ● Configure a port connected to a Dell Compellent storage array. INTERFACE Configuration mode iscsi profile-compellent The command configures a port for the best iSCSI traffic conditions.
Default iSCSI Optimization Values
The following table lists the default values for the iSCSI optimization feature.
Table 40. iSCSI Optimization Defaults
Parameter | Default Value
iSCSI Optimization global setting | Disabled
iSCSI CoS mode (802.1p priority queue mapping) | Enabled: dot1p priority 4 without the remark setting
iSCSI CoS Packet classification | VLAN classifies the iSCSI packets instead of by DSCP values.
[no] iscsi cos {enable | disable | dot1p vlan-priority-value [remark] | dscp dscp-value [remark]}
● enable: enables the application of preferential QoS treatment to iSCSI traffic so that iSCSI packets are scheduled in the switch with dot1p priority 4 regardless of the VLAN priority tag in the packet. The default is: iSCSI packets are handled with dot1p priority 4 without remark.
● disable: disables the application of preferential QoS treatment to iSCSI frames.
The following example shows the show iscsi command.
Dell#show iscsi
iSCSI is enabled
iSCSI session monitoring is disabled
iSCSI COS : dot1p is 4 no-remark
Session aging time: 10
Maximum number of connections is 256
------------------------------------------------
iSCSI Targets and TCP Ports:
------------------------------------------------
TCP Port Target IP Address
3260
860
The following example shows the show iscsi session command.
29 Intermediate System to Intermediate System
Intermediate System to Intermediate System (IS-IS) protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter.
The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.0001) are the area address. The system portion is 000c.000a.4321 and the last byte is always 0. Figure 60. ISO Address Format Multi-Topology IS-IS Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases.
neighbor within its LSPs. The local router does not form an adjacency if both routers do not have at least one common MT over the interface. Graceful Restart Graceful restart is supported on the S5000 platform for both Helper and Restart modes. Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets.
By default, Dell Networking OS supports dynamic host name exchange to assist with troubleshooting and configuration. By assigning a name to an IS-IS NET address, you can track IS-IS information on that address more easily. Dell Networking OS does not support ISO CLNS routing; however, the ISO NET format is supported for addressing. To support IPv6, the Dell Networking implementation of IS-IS performs the following tasks:
● Advertises IPv6 information in the PDUs.
Enabling IS-IS By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address. To exchange protocol information with neighbors, enable IS-IS on an interface, instead of on a network as with other routing protocols. In IS-IS, neighbors form adjacencies only when they are same IS type. For example, a Level 1 router never forms an adjacency with a Level 2 router.
If you configure a tag variable, it must be the same as the tag variable assigned in step 1. The default IS type is level-1-2. To change the IS type to Level 1 only or Level 2 only, use the is-type command in ROUTER ISIS mode.
To view the IS-IS configuration, enter the show isis protocol command in EXEC Privilege mode or the show config command in ROUTER ISIS mode.
Dell#show isis protocol
IS-IS Router:
System Id: EEEE.EEEE.EEEE IS-Type: level-1-2
Manual area address(es): 47.0004.004d.
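A parser for the NET you assign when enabling IS-IS, splitting it into the area address, system ID and NSEL exactly as the ISO address format figure describes, plus the adjacency rule that follows from it. This is an added example, not Dell EMC Networking OS code; the dotted formatting (AFI byte, then two-octet groups) copies the style the guide uses, and the NETs in the tests are constructed apart from the 47.0005.0001.000c.000a.4321.00 example from the figure.

```python
"""Parse an IS-IS NET into the area address, system ID and NSEL shown in
Figure 60, and apply the basic adjacency rule that Level 1 neighbours must
share an area.  Added example, not Dell EMC Networking OS code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Net:
    area: str        # e.g. "47.0005.0001" (1 to 13 octets)
    system_id: str   # e.g. "000c.000a.4321" (always 6 octets)
    nsel: int        # always 0 for a NET


def _dotted(octets, first_group=2):
    """Hex-encode octets as dot-separated groups; the first group may be one
    octet so that an AFI such as 47 stands on its own."""
    groups, i = [], 0
    while i < len(octets):
        n = first_group if not groups else 2
        groups.append(octets[i:i + n].hex())
        i += n
    return ".".join(groups)


def parse_net(net):
    digits = net.replace(".", "")
    if len(digits) % 2 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"{net!r}: NET must be dotted hexadecimal octets")
    octets = bytes.fromhex(digits)
    if not 8 <= len(octets) <= 20:
        raise ValueError(f"{net!r}: NET is 8 to 20 octets, got {len(octets)}")
    # Last octet is the NSEL, the six before it the system ID, the rest the area.
    area, system_id, nsel = octets[:-7], octets[-7:-1], octets[-1]
    if nsel != 0:
        raise ValueError(f"{net!r}: NSEL must be 00 for a NET, got {nsel:02x}")
    return Net(_dotted(area, first_group=1), _dotted(system_id), nsel)


def level1_adjacency_possible(net_a, net_b):
    """Two Level 1 routers adjoin only when their area addresses match and
    their system IDs differ (both must also run the same IS type)."""
    a, b = parse_net(net_a), parse_net(net_b)
    return a.area == b.area and a.system_id != b.system_id
```

A NET that fails parse_net() is the most common reason a freshly configured IS-IS process never forms an adjacency, so validating it before pasting it into router isis is worth the few lines.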
NOTE: When you do not enable Transition mode, you do not have IPv6 connectivity between routers operating in single-topology mode and routers operating in multi-topology mode.
2. Exclude this router from other routers’ SPF calculations.
ROUTER ISIS AF IPV6 mode
set-overload-bit
3. Set the minimum interval between SPF calculations.
● Configure graceful restart timer T3 to set the overall maximum time the restarting router waits for database synchronization to complete.
ROUTER-ISIS mode
graceful-restart t3 {adjacency | manual seconds}
○ adjacency: the restarting router takes the remaining time value from its peer and adjusts its T3 value accordingly.
○ manual: specify a fixed value for the restarting router to use. The range is from 50 to 120 seconds.
LSP Interval: 33
Restart Capable Neighbors: 2, In Start: 0, In Restart: 0
Dell#
Changing LSP Attributes
IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary. To change the defaults, use any or all of the following commands.
● Set the interval between LSP generation.
Dell Networking OS supports the following IS-IS metric styles.
Table 42. Metric Styles
Metric Style | Characteristics | Cost Range Supported on IS-IS Interfaces
narrow | Sends and accepts narrow or old TLVs (Type, Length, Value). | 0 to 63
wide | Sends and accepts wide or new TLVs. | 0 to 16777215
transition | Sends both wide (new) and narrow (old) TLVs. | 0 to 63
narrow transition | Sends narrow (old) TLVs and accepts both narrow (old) and wide (new) TLVs.
The default value is 10.
● Assign a metric for an IPv6 link or interface.
INTERFACE mode
isis ipv6 metric default-metric [level-1 | level-2]
○ default-metric: the range is from 0 to 63 for narrow and transition metric styles. The range is from 0 to 16777215 for wide metric styles. The default is 10.
The default level is level-1. For more information about this command, refer to Configuring the IS-IS Metric Style. The following table describes the correct value range for the isis metric command.
eljefe.00-00 * 0x00000009 0xF76A 1126 0/0/0
eljefe.01-00 * 0x00000001 0x68DF 1122 0/0/0
eljefe.02-00 * 0x00000001 0x2E7F 1113 0/0/0
Dell.00-00 0x00000002 0xD1A7 1102 0/0/0
IS-IS Level-2 Link State Database
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
B233.00-00 0x00000006 0xC38A 1124 0/0/0
eljefe.00-00 * 0x0000000D 0x51C6 1129 0/0/0
eljefe.01-00 * 0x00000001 0x68DF 1122 0/0/0
eljefe.02-00 * 0x00000001 0x2E7F 1113 0/0/0
Dell.
redistribute ospf process-id [level-1 | level-1-2 | level-2] [metric value] [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name]
Configure the following parameters:
○ process-id: the range is from 1 to 65535.
○ level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
○ metric value: the range is from 0 to 16777215. The default is 0.
○ match external: enter 1 or 2.
area-password [hmac-md5] password
Dell Networking OS supports HMAC-MD5 authentication. This password is inserted in Level 1 LSPs, Complete SNPs, and Partial SNPs. When you omit the hmac-md5 keyword, the password travels in the PDUs as cleartext (the simple-password authentication type), so use hmac-md5 wherever the peers support it.
● Set the authentication password for a routing domain.
ROUTER ISIS mode
domain-password [encryption-type | hmac-md5] password
Dell Networking OS supports both DES and HMAC-MD5 authentication methods. This password is inserted in Level 2 LSPs, Complete SNPs, and Partial SNPs.
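How the hmac-md5 option protects an LSP on the wire, as an added example (not Dell EMC Networking OS code): it implements the RFC 5304 Authentication TLV (type 10, authentication type 54) with HMAC-MD5 over the whole PDU, computed with the digest bytes zeroed and, for LSPs, with the Remaining Lifetime and Checksum fields zeroed as well because every hop changes them. The sample LSP is constructed here with a header layout following ISO 10589; the key is the configured password, which is an assumption about how the OS derives it.

```python
"""HMAC-MD5 authentication of an IS-IS PDU as specified in RFC 5304, the
mechanism behind the hmac-md5 option above.  Added example, not Dell EMC
Networking OS code.

The Authentication TLV (type 10) carries authentication type 54 followed
by a 16-byte HMAC-MD5 of the whole PDU, computed with the digest bytes set
to zero and, for LSPs, with the Remaining Lifetime and Checksum fields also
zeroed (they change in transit).  The sample LSP is constructed; its header
layout (8-byte common header, PDU length, Remaining Lifetime, LSP ID,
sequence number, checksum, flags) follows ISO 10589.
"""
import hashlib
import hmac
import struct

AUTH_TLV = 10
AUTH_TYPE_HMAC_MD5 = 54
DIGEST_LEN = 16
LSP_HEADER_LEN = 27


def _find_digest(pdu, header_len):
    """Offset of the 16 digest bytes inside the Authentication TLV, or None."""
    off = header_len
    while off + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[off], pdu[off + 1]
        if (tlv_type == AUTH_TLV and tlv_len == 1 + DIGEST_LEN
                and pdu[off + 2] == AUTH_TYPE_HMAC_MD5):
            return off + 3
        off += 2 + tlv_len
    return None


def _hmac_md5(pdu, key, digest_off, is_lsp):
    blank = bytearray(pdu)
    blank[digest_off:digest_off + DIGEST_LEN] = bytes(DIGEST_LEN)
    if is_lsp:
        blank[10:12] = b"\0\0"     # Remaining Lifetime, decremented by every hop
        blank[24:26] = b"\0\0"     # Checksum, recomputed by every hop
    return hmac.new(key, bytes(blank), hashlib.md5).digest()


def sign(pdu, key, header_len, is_lsp=False):
    """Fill in the digest of a PDU that already carries a zeroed auth TLV."""
    off = _find_digest(pdu, header_len)
    if off is None:
        raise ValueError("PDU has no HMAC-MD5 Authentication TLV")
    digest = _hmac_md5(pdu, key, off, is_lsp)
    return pdu[:off] + digest + pdu[off + DIGEST_LEN:]


def verify(pdu, key, header_len, is_lsp=False):
    """True when the PDU's digest matches `key`; constant-time comparison."""
    off = _find_digest(pdu, header_len)
    if off is None:
        return False
    expected = _hmac_md5(pdu, key, off, is_lsp)
    return hmac.compare_digest(expected, pdu[off:off + DIGEST_LEN])


def build_sample_lsp(seq=1, lifetime=1200):
    """Constructed Level 1 LSP (PDU type 18) with one Area Addresses TLV and
    an empty Authentication TLV, ready for sign()."""
    tlvs = bytes([1, 4, 3, 0x49, 0x00, 0x01])                 # area 49.0001
    tlvs += bytes([AUTH_TLV, 1 + DIGEST_LEN, AUTH_TYPE_HMAC_MD5]) + bytes(DIGEST_LEN)
    common = struct.pack("!8B", 0x83, LSP_HEADER_LEN, 1, 0, 18, 1, 0, 0)
    lsp_id = bytes.fromhex("000c000a4321") + b"\x00\x00"       # sysid.pseudonode-fragment
    fixed = struct.pack("!HH8sIHB", LSP_HEADER_LEN + len(tlvs), lifetime,
                        lsp_id, seq, 0, 0x01)
    return common + fixed + tlvs
```

The verify() calls in the test show the two properties that matter operationally: a router that ages the lifetime in transit does not break the signature, while a forged sequence number or a mismatched password does.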
To view specific information, enter the following optional parameter:
○ interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
● View information about IS-IS local update packets.
EXEC Privilege mode
debug isis local-updates [interface]
To view specific information, enter the following optional parameter:
○ interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
Metric Style | Correct Value Range for the isis metric Command
narrow | 0 to 63
wide transition | 0 to 16777215
narrow transition | 0 to 63
transition | 0 to 63
Maximum Values in the Routing Table
IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is from 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000.
Change the IS-IS Metric Style in One Level Only
By default, the IS-IS metric style is narrow.
Table 43. Metric Value When the Metric Style Changes (continued)
Beginning Metric Style | Final Metric Style | Resulting IS-IS Metric Value
narrow transition | transition | original value
wide transition | wide | original value
wide transition | narrow | default value (10) if the original value is greater than 63. A message is sent to the console.
wide transition | narrow transition | default value (10) if the original value is greater than 63. A message is sent to the console.
Table 45.
Figure 61. IPv6 IS-IS Sample Topography
The following is a sample configuration for enabling IPv6 IS-IS.
IS-IS Sample Configuration — Congruent Topology
Dell(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ip address 24.3.1.1/24
 ipv6 address 24:3::1/76
 ip router isis
 ipv6 router isis
 no shutdown
Dell(conf-if-te-3/17)#
Dell(conf-router_isis)#show config
!
router isis
 metric-style wide level-1
 metric-style wide level-2
 net 34.0000.0000.AAAA.
IS-IS Sample Configuration — Multi-topology Transition
Dell(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
Dell(conf-if-te-3/17)#
Dell(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
30 Link Aggregation Control Protocol (LACP)
A link aggregation group (LAG), referred to as a port channel by Dell Networking OS, provides both load-sharing and port redundancy across stack units. You can enable LAGs as static or dynamic.
LACP Modes
Dell Networking OS provides three modes for configuration of LACP — Off, Active, and Passive.
● Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state.
● Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state.
Creating a LAG
To create a dynamic port channel (LAG), use the following commands. First you define the LAG and then the LAG interfaces.
● Create a dynamic port channel (LAG).
CONFIGURATION mode
interface port-channel
● Create a dynamic port channel (LAG).
CONFIGURATION mode
switchport
Dell(conf)#interface port-channel 32
Dell(conf-if-po-32)#no shutdown
Dell(conf-if-po-32)#switchport
The LAG is in the default VLAN. To place the LAG into a nondefault VLAN, use the tagged command on the LAG.
NOTE: The 30-second timeout is available for dynamic LAG interfaces only. You can enter the lacp long-timeout command for static LAGs, but it has no effect.
To configure LACP long timeout, use the following command.
● Set the LACP timeout value to 30 seconds.
Figure 62. Shared LAG State Tracking
To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). Dell Networking OS brings LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group.
Configuring Shared LAG State Tracking
To configure shared LAG state tracking, you configure a failover group.
Figure 63. Configuring Shared LAG State Tracking
The following are shared LAG state tracking console messages:
● 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 1
● 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2
To view the status of a failover group member, use the show interface port-channel command.
LACP Basic Configuration Example
The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names.
Figure 64. LACP Basic Configuration Example
Configure a LAG on ALPHA
The following example creates a LAG on ALPHA.
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics
     136 packets, 16718 bytes, 0 underruns
     0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     136 Multicasts, 0 Broadcasts, 0 Unicasts
     0 Vlans, 0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec, 0 packets/sec, 0.
Figure 66.
Figure 67.
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int tengig 3/21
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-te-3/21)#port-channel-protocol lacp
Bravo(conf-if-te-3/21-lacp)#port-channel 10 mode active
Bravo(conf-if-te-3/21-lacp)#no shut
Bravo(conf-if-te-3/21)#end
!
interface TenGigabitEthernet 3/21
 no ip address
!
 port-ch
Figure 68.
Figure 69.
Figure 70. Inspecting the LAG Status Using the show lacp command
The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
31 Layer 2
Layer 2 features are supported on Dell Networking OS.
Topics:
• Manage the MAC Address Table
• MAC Learning Limit
• NIC Teaming
• Configure Redundant Pairs
• Far-End Failure Detection
Manage the MAC Address Table
Dell Networking OS provides the following management activities for the MAC address table.
Configuring a Static MAC Address
A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command.
● Create a static MAC address entry in the MAC address table.
CONFIGURATION mode
mac-address-table static
Displaying the MAC Address Table
To display the MAC address table, use the following command.
● Display the contents of the MAC address table.
mac learning-limit dynamic
The MAC address table is stored on the Layer 2 forwarding information base (FIB) region of the CAM. The Layer 2 FIB region allocates space for static MAC address entries and dynamic MAC address entries. When you enable MAC learning limit, entries created on this port are static by default. When you configure the dynamic option, learned MAC addresses are stored in the dynamic region and are subject to aging. Entries created before this option is set are not affected.
station-move-violation shutdown-original
● Shut down the second port that learned the MAC address.
INTERFACE mode
station-move-violation shutdown-offending
● Shut down both the first and the second port that learned the MAC address.
INTERFACE mode
station-move-violation shutdown-both
● Display a list of all of the interfaces configured with MAC learning limit or station move violation.
NIC Teaming
NIC teaming is a feature that allows multiple network interface cards in a server to be represented by one MAC address and one IP address in order to provide transparent redundancy, balancing, and to fully utilize network adapter resources. The following illustration shows a topology where two NICs have been teamed together. In this case, if the primary NIC fails, traffic switches to the secondary NIC because they are represented by the same set of addresses.
Figure 71.
Configure Redundant Pairs Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration). The redundant pairs feature allows you to create redundant links in networks that do not use STP by configuring backup interfaces for the interfaces on either side of the primary link.
Any combination of physical and port-channel interfaces is supported as the two interfaces in a redundant pair. For example, you can configure a static (without LACP) or dynamic (with LACP) port-channel interface as either the primary or backup link in a redundant pair with a physical interface.
Example of Configuring Redundant Pairs on a Port-Channel on the S5000
Dell#show interfaces port-channel brief
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
  1    L2    up      00:08:33  Te 0/0 (Up)
  2    L2    up      00:00:02  Te 0/1 (Up)
Dell#configure
Dell(conf)#interface port-channel 1
Dell(conf-if-po-1)#switchport backup interface port-channel 2
Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Po 2
Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface st
The report consists of several packets in SNAP format that are sent to the nearest known MAC address. In the event of a far-end failure, the device stops receiving frames and, after the specified time interval, assumes that the far-end is not available. The connecting line protocol is brought down so that upper layer protocols can detect the neighbor unavailability faster.
FEFD State Changes
FEFD has two operational modes, Normal and Aggressive.
Configuring FEFD
You can configure FEFD for all interfaces from CONFIGURATION mode, or on individual interfaces from INTERFACE mode. To enable FEFD globally on all interfaces, use the following command.
● Enable FEFD globally on all interfaces.
CONFIGURATION mode
fefd-global
To adjust the report interval frequency and the mode, use the following commands.
1. Set up two or more connected interfaces for Layer 2 or Layer 3.
INTERFACE mode
ip address ip-address, switchport
2.
1. Set up two or more connected interfaces for Layer 2 or Layer 3.
INTERFACE mode
ip address ip-address, switchport
2. Activate the necessary ports administratively.
INTERFACE mode
no shutdown
3. INTERFACE mode
fefd {disable | interval | mode}
DellEMC(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 no ip address
 switchport
 fefd mode normal
 no shutdown
DellEMC(conf-if-te-1/1)#do show fefd | grep 1/1
Te 1/1   Normal   3   Unknown
Debugging FEFD
To debug FEFD, use the first command.
An RPM Failover
In the event that an RPM failover occurs, FEFD becomes operationally down on all enabled ports for approximately 8-10 seconds before automatically becoming operational again.
02-05-2009 12:40:38 Local7.Debug 10.16.151.12 Feb 5 07:06:09: %RPM1-S:CP %RAM-6-FAILOVER_REQ: RPM failover request from active peer: User request.
02-05-2009 12:40:38 Local7.Debug 10.16.151.12 Feb 5 07:06:19: %RPM1-P:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 1/45
02-05-2009 12:40:38 Local7.Debug 10.16.
32 Link Layer Discovery Protocol (LLDP)
Link Layer Discovery Protocol (LLDP) — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Topics:
• 802.
TLVs are encapsulated in a frame called an LLDP data unit (LLDPDU) (shown in the following table), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements. There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs.
Figure 77. Organizationally Specific TLV
IEEE Organizationally Specific TLVs
The IEEE 802.1 and 802.3 working groups define eight TLV types as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs.
Table 48. Optional TLV Types
Type | TLV | Description
4 | Port description | A user-defined alphanumeric string that describes the port. Dell Networking OS does not currently support this TLV.
Table 48. Optional TLV Types (continued)
Type | TLV | Description
127 | Power via MDI | Dell Networking supports the LLDP-MED protocol, which recommends that Power via MDI TLV be not implemented, and therefore Dell Networking implements Extended Power via MDI TLV only.
127 | Link Aggregation | Indicates whether the link is capable of being aggregated, whether it is currently in a LAG, and the port identification of the LAG. Dell Networking OS does not currently support this TLV.
Table 49. TIA-1057 (LLDP-MED) Organizationally Specific TLVs (continued)
Type | SubType | TLV | Description
127 | 3 | Location Identification | Indicates the physical location of the device, expressed in one of three possible formats: ● Coordinate Based LCI ● Civic Address LCI ● Emergency Call Services ELIN
127 | 4 | Location Identification | Indicates power requirements, priority, and power status.
Inventory Management TLVs
Implementation of this set of TLVs is optional in LLDP-MED devices.
Figure 78. LLDP-MED Capabilities TLV
Table 50. Dell Networking OS LLDP-MED Capabilities
Bit Position | TLV | Dell Networking OS Support
0 | LLDP-MED Capabilities | Yes
1 | Network Policy | Yes
2 | Location Identification | Yes
3 | Extended Power via MDI-PSE | Yes
4 | Extended Power via MDI-PD | No
5 | Inventory | No
6–15 | reserved | No
Table 51.
Table 52. Network Policy Applications (continued)
Type | Application | Description
1 | Voice | Specify this application type for dedicated IP telephony handsets and other appliances supporting interactive voice services.
2 | Voice Signaling | Specify this application type only if voice control packets use a separate network policy from voice data.
Figure 80. Extended Power via MDI TLV
Configure LLDP
Configuring LLDP is a two-step process.
1. Enable LLDP globally.
2. Advertise TLVs out of an interface.
Related Configuration Tasks
● Viewing the LLDP Configuration
● Viewing Information Advertised by Adjacent LLDP Agents
● Configuring LLDPDU Intervals
● Configuring Transmit and Receive Mode
● Configuring a Time to Live
● Debugging LLDP
Important Points to Remember
● LLDP is enabled by default.
 multiplier   LLDP multiplier configuration
 no           Negate a command or set its defaults
 show         Show LLDP configuration
Dell(conf-lldp)#exit
Dell(conf)#interface tengigabitethernet 0/3
Dell(conf-if-te-0/3)#protocol lldp
Dell(conf-if-te-0/3-lldp)#?
 advertise    Advertise TLVs
 disable      Disable LLDP protocol on this interface
 end          Exit from configuration mode
 exit         Exit from LLDP configuration mode
 hello        LLDP hello configuration
 mode         LLDP mode configuration (default = rx and tx)
 multiplier   LLDP multiplier configuration
 no           N
Disabling and Undoing LLDP on Management Ports
To disable or undo LLDP on management ports, use the following command.
1. Enter Protocol LLDP mode.
CONFIGURATION mode
protocol lldp
2. Enter LLDP management-interface mode.
LLDP-MANAGEMENT-INTERFACE mode
management-interface
3. Enter the disable command.
LLDP-MANAGEMENT-INTERFACE mode
To undo an LLDP management port configuration, precede the relevant command with the keyword no.
Figure 81. Configuring LLDP
Storing and Viewing Unrecognized LLDP TLVs
Dell EMC Networking OS provides support to store unrecognized (reserved and organizationally specific) LLDP TLVs. Also, support is extended to retrieve the stored unrecognized TLVs using SNMP. When an incoming TLV from an LLDP neighbor is not recognized, the TLV is categorized as an unrecognized TLV. Unrecognized TLVs are categorized into two types:
1. Reserved unrecognized LLDP TLV
2.
The organizationally specific TLV list is limited to 256 entries per neighbor. If there are more than 256 TLV entries, the oldest entry (for that neighbor) in the list is replaced. A syslog message appears when the organizationally specific unrecognized TLV list exceeds 205 entries (80 percent of 256) so that you can take action.
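As an added example (not Dell code), the following Python models the TLV framing described above and the per-neighbor store for unrecognized TLVs, applying the 256-entry cap with oldest-entry replacement and the 205-entry warning threshold. The sample LLDPDU, the neighbor contents and the OUI aa-bb-cc are constructed for the demonstration; only the IEEE OUI 00-80-C2 and the 256/205 limits come from the guide.

```python
"""LLDPDU TLV parser and per-neighbor unrecognized-TLV store (added example)."""
import struct
from collections import deque

# IEEE 802.1AB basic TLV type codes; types 9-126 are reserved.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_ORG_SPECIFIC = 127
BASIC_TYPES = {0, 1, 2, 3, 4, 5, 6, 7, 8}
IEEE_8021_OUI = bytes.fromhex("0080c2")      # OUI quoted in the guide
CONSTRUCTED_OUI = bytes.fromhex("aabbcc")    # placeholder OUI for the demo

ORG_LIST_LIMIT = 256   # per-neighbor cap on unrecognized org-specific TLVs
ORG_LIST_WARN = 205    # 80 percent of 256: syslog threshold


def encode_tlv(ttype: int, value: bytes) -> bytes:
    """Build one TLV: 7-bit type and 9-bit length packed into 16 bits."""
    if not 0 <= ttype < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def parse_lldpdu(data: bytes) -> list:
    """Return [(type, value), ...] up to and including the End-of-LLDPDU TLV.

    A length running past the buffer, or a PDU with no End TLV, raises
    ValueError so a malformed frame is rejected instead of half-parsed.
    """
    tlvs, off = [], 0
    while off + 2 <= len(data):
        hdr = struct.unpack_from("!H", data, off)[0]
        ttype, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError(f"TLV type {ttype}: length {length} exceeds PDU")
        tlvs.append((ttype, data[off:off + length]))
        off += length
        if ttype == TLV_END:
            return tlvs
    raise ValueError("no End-of-LLDPDU TLV")


def has_mandatory_layout(tlvs: list) -> bool:
    """Chassis ID, Port ID and TTL must lead; End must close the PDU."""
    types = [t for t, _ in tlvs]
    return types[:3] == [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL] and types[-1] == TLV_END


class NeighborTlvStore:
    """Unrecognized TLVs from one neighbor, split into the two categories the
    guide names: reserved (types 9-126) and organizationally specific (type
    127 whose OUI/subtype this agent does not understand)."""

    def __init__(self, known_org: set):
        self.known_org = known_org                   # {(oui, subtype), ...}
        self.reserved = []
        self.org = deque(maxlen=ORG_LIST_LIMIT)      # oldest entry dropped at 257
        self.syslog = []

    def ingest(self, tlvs: list) -> None:
        for ttype, value in tlvs:
            if ttype == TLV_ORG_SPECIFIC:
                if len(value) < 4:
                    continue                         # no room for OUI + subtype
                key = (value[:3], value[3])
                if key not in self.known_org:
                    self.org.append((key, value[4:]))
                    if len(self.org) > ORG_LIST_WARN and not self.syslog:
                        self.syslog.append(
                            f"unrecognized org TLV list exceeds {ORG_LIST_WARN} entries")
            elif ttype not in BASIC_TYPES:
                self.reserved.append((ttype, value))


def sample_lldpdu() -> bytes:
    """Constructed LLDPDU: three mandatory TLVs, system name, one known dot1
    TLV (Port VLAN ID), one unknown org TLV, one reserved TLV, then End."""
    return b"".join([
        encode_tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("0001e806953e")),  # subtype 4 = MAC
        encode_tlv(TLV_PORT_ID, b"\x05" + b"TenGigabitEthernet 2/11"),      # subtype 5 = ifName
        encode_tlv(TLV_TTL, struct.pack("!H", 120)),
        encode_tlv(5, b"R2"),                                                 # system name
        encode_tlv(TLV_ORG_SPECIFIC, IEEE_8021_OUI + b"\x01" + struct.pack("!H", 100)),
        encode_tlv(TLV_ORG_SPECIFIC, CONSTRUCTED_OUI + b"\x07" + b"opaque"),
        encode_tlv(100, b"\x00\x01"),                                          # reserved type
        encode_tlv(TLV_END, b""),
    ])


def demo() -> dict:
    """Parse the sample, then flood the store with 260 unknown org TLVs to
    exercise the 256-entry cap and the 205-entry warning."""
    tlvs = parse_lldpdu(sample_lldpdu())
    store = NeighborTlvStore(known_org={(IEEE_8021_OUI, 1)})
    store.ingest(tlvs)
    flood = [(TLV_ORG_SPECIFIC, CONSTRUCTED_OUI + b"\x09" + bytes([i & 0xFF]))
             for i in range(260)]
    store.ingest(flood)
    return {"tlv_count": len(tlvs), "layout_ok": has_mandatory_layout(tlvs),
            "reserved": len(store.reserved), "org": len(store.org),
            "syslog": len(store.syslog)}


if __name__ == "__main__":
    print(demo())
```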
Example of Viewing Brief Information Advertised by Neighbors
R1(conf-if-te-1/31-lldp)#end
R1(conf-if-te-1/31)#do show lldp neighbors
Loc PortID   Rem Host Name   Rem Port Id               Rem Chassis Id
------------------------------------------------------------------------
Te 1/21                      TenGigabitEthernet 2/11   00:01:e8:06:95:3e
Te 1/31                      TenGigabitEthernet 3/11   00:01:e8:09:c2:4a
Example of Viewing Details Advertised by Neighbors
R1#show lldp neighbors detail
=========================================================
Local Interface
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 mode tx
 no disable
R1(conf-lldp)#no mode
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#
Configuring LLDP Notification Interval
This implementation has been introduced to ad
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 mode tx
 no disable
R1(conf-lldp)#no mode
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#
Configuring a Time to Live
The information received from a neighbor expires after
● View a readable version of the TLVs.
debug lldp brief
● View a readable version of the TLVs plus a hexadecimal version of the entire LLDPDU.
debug lldp detail
Figure 82. The debug lldp detail Command — LLDPDU Packet Dissection
Relevant Management Objects
Dell Networking OS supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with:
● received and transmitted TLVs
● the LLDP configuration on the local agent
● IEEE 802.
Table 53. LLDP Configuration MIB Objects (continued)
MIB Object Category | LLDP Variable | LLDP MIB Object | Description
Basic TLV Selection | mibBasicTLVsTxEnable | lldpPortConfigTLVsTxEnable | Indicates which management TLVs are enabled for system ports.
Basic TLV Selection | mibMgmtAddrInstanceTxEnable | lldpManAddrPortsTxEnable | The management addresses defined for the system and the ports through which they are enabled for transmission.
Table 54.
Table 56.
33 Microsoft Network Load Balancing
Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
Limitations of the NLB Feature
The following limitations apply to switches on which you configure NLB:
● The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN. When a large volume of traffic is processed, the clustering performance might be impacted in a small way. This limitation is applicable to switches that perform unicast flooding in the software.
● The ip vlan-flooding command applies globally across the system and for all VLANs.
There might be some ARP table entries that are resolved through ARP packets whose Ethernet MAC source address (SA) differs from the MAC information inside the ARP packet. This unicast data traffic flooding occurs only for those packets that use these ARP entries.
Enabling a Switch for Multicast NLB
To enable a switch for Multicast NLB mode, perform the following steps:
1.
34 Multicast Source Discovery Protocol (MSDP)
Multicast Source Discovery Protocol (MSDP) is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Protocol Overview
Each rendezvous point (RP) peers with every other RP via the transmission control protocol (TCP).
Figure 84.
Implementation Information
The Dell Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446.
Configure Multicast Source Discovery Protocol
Configuring MSDP is a four-step process.
1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures. The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 85.
Figure 86.
Figure 87.
Figure 88. Configuring MSDP
Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1. Enable MSDP.
CONFIGURATION mode
ip multicast-msdp
2. Peer PIM systems in different administrative domains.
CONFIGURATION mode
ip msdp peer connect-source
Dell(conf)#ip multicast-msdp
Dell(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
R3_E600#show ip msdp peer
Peer Addr: 192.168.0.1
  Local Addr: 192.168.0.
CONFIGURATION mode
clear ip msdp sa-cache [group-address | local | rejected-sa]
Enabling the Rejected Source-Active Cache
To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error.
● Cache rejected sources.
Figure 89.
Figure 90.
Figure 91.
Figure 92. MSDP Default Peer, Scenario 4
Specifying Source-Active Messages
To specify messages, use the following command.
● Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check.
CONFIGURATION mode
ip msdp default-peer ip-address list
If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
DellEMC(conf)#ip msdp peer 10.0.50.
DellEMC#ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime    GroupAddr    SourceAddr  RPAddr      LearnedFrom  Reason
00:33:18  229.0.50.64  24.0.50.64  200.0.1.50  10.0.50.2    Rpf-Fail
00:33:18  229.0.50.65  24.0.50.65  200.0.1.50  10.0.50.2    Rpf-Fail
00:33:18  229.0.50.66  24.0.50.66  200.0.1.50  10.0.50.2    Rpf-Fail
Limiting the Source-Active Messages from a Peer
To limit the source-active messages from a peer, use the following commands.
1.
Preventing MSDP from Caching a Remote Source
To prevent MSDP from caching a remote source, use the following commands.
1. OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
CONFIGURATION mode
ip msdp cache-rejected-sa
2. Prevent the system from caching remote sources learned from a specific peer based on source and group.
CONFIGURATION mode
ip msdp sa-filter list out peer list ext-acl
As shown in the following example, R1 is advertising source 10.11.4.2.
GroupAddr  SourceAddr  RPAddr       LearnedFrom  Expire  UpTime
239.0.0.1  10.11.4.2   192.168.0.1  local        70      00:27:20
R3_E600(conf)#do show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr  SourceAddr  RPAddr       LearnedFrom  Expire  UpTime
239.0.0.1  10.11.4.2   192.168.0.1  192.168.0.1  1       00:10:29
[Router 3]
R3_E600(conf)#do show ip msdp sa-cache
R3_E600(conf)#
To display the configured SA filters for a peer, use the show ip msdp peer command from EXEC Privilege mode.
clear ip msdp peer peer-address
R3_E600(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
  Local Addr: 192.168.0.3(639) Connect Source: Lo 0
  State: Established Up/Down Time: 00:04:26
  Timers: KeepAlive 30 sec, Hold time 75 sec
  SourceActive packet count (in/out): 5/0
  SAs learned from this peer: 0
  SA Filtering:
    Input (S,G) filter: myremotefilter
    Output (S,G) filter: none
R3_E600(conf)#do clear ip msdp peer 192.168.0.1
R3_E600(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
  Local Addr: 0.0.0.
interface loopback
4. Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source.
CONFIGURATION mode
ip msdp peer
5. Advertise the network of each of the unique Loopback addresses throughout the network.
ROUTER OSPF mode
network
Reducing Source-Active Message Flooding
RPs flood source-active messages to all of their peers away from the RP.
!
 network 192.168.0.11/32 area 0
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 1
ip msdp peer 192.168.0.22 connect-source Loopback 1
ip msdp mesh-group AS100 192.168.0.22
ip msdp originator-id Loopback 1
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
The following example shows an R2 configuration for MSDP with Anycast RP.
ip multicast-routing
!
interface TenGigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.22 remote-as 100
 neighbor 192.168.0.22 ebgp-multihop 255
 neighbor 192.168.0.22 update-source Loopback 0
 neighbor 192.168.0.22 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
MSDP Sample Configuration: R2 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface TenGigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.2 remote-as 100
 neighbor 192.168.0.2 ebgp-multihop 255
 neighbor 192.168.0.2 update-source Loopback 0
 neighbor 192.168.0.2 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.1 connect-source Loopback 0
!
ip route 192.168.0.2/32 10.11.0.23
MSDP Sample Configuration: R4 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 4/1
 ip pim sparse-mode
 ip address 10.11.5.
35 Multiple Spanning Tree Protocol (MSTP)
MSTP — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.
Protocol Overview
In contrast, PVST+ allows a spanning tree instance for each VLAN.
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations
Configure Multiple Spanning Tree Protocol
Configuring multiple spanning tree is a four-step process.
1. Configure interfaces for Layer 2.
2. Place the interfaces in VLANs.
3. Enable the multiple spanning tree protocol.
4. Create multiple spanning tree instances and map VLANs to them.
Related Configuration Tasks
The following are the related configuration tasks for MSTP.
Adding and Removing Interfaces
To add and remove interfaces, use the following commands.
To add an interface to the MSTP topology, configure it for Layer 2 and add it to a VLAN. If you previously disabled MSTP on the interface using the no spanning-tree 0 command, to enable MSTP, use the following command.
● spanning-tree 0
To remove an interface from the MSTP topology, use the no spanning-tree 0 command.
  Designated port id is 128.374, designated path cost 20000
  Number of transitions to forwarding state 1
  BPDU (MRecords): sent 93671, received 46843
  The port is not in the Edge port mode
Port 384 (TenGigabitEthernet 1/31) is alternate Discarding
  Port path cost 20000, Port priority 128, Port Identifier 128.384
  Designated root has priority 32768, address 0001.e806.953e
  Designated bridge has priority 32768, address 0001.e809.c24a
  Designated port id is 128.
Modifying Global Parameters
The root bridge sets the values for forward-delay, hello-time, max-age, and max-hops and overwrites the values set on other MSTP bridges.
● Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state.
● Hello-time — the time interval in which the bridge sends MSTP bridge protocol data units (BPDUs).
Modifying the Interface Parameters
You can adjust two interface parameters to increase or decrease the probability that a port becomes a forwarding port.
● Port cost is a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
● Port priority influences the likelihood that a port is selected to be a forwarding port when several ports have the same port cost.
The following lists the default values for port cost by interface.
○ When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware.
○ When you remove a physical port from a port channel in the Error Disable state, the error disabled state is cleared on this physical port (the physical port is enabled in the hardware).
○ You can clear the Error Disabled state with any of the following methods:
 ■ Use the shutdown command on the interface.
To view the enable status of this feature, use the show running-config spanning-tree mstp command from EXEC Privilege mode.
MSTP Sample Configurations
The running-configurations support the topology shown in the following illustration. The configurations are from SFTOS systems.
Figure 94. MSTP with Three VLANs Mapped to Two Spanning Tree Instances
Router 1 Running-Configuration
This example uses the following steps:
1.
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown
Router 2 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
 MSTI 2 VLAN 200,300
!
(Step 2)
interface TenGigabitEthernet 3/11
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
SFTOS Example Running-Configuration
This example uses the following steps:
1.
interface vlan 300
 tagged 1/0/31
 tagged 1/0/32
exit
Debugging and Verifying MSTP Configurations
To debug and verify MSTP configuration, use the following commands.
● Display BPDUs.
EXEC Privilege mode
debug spanning-tree mstp bpdu
● Display MSTP-triggered topology change messages.
debug spanning-tree mstp events
To ensure all the necessary parameters match (region name, region version, and VLAN to instance mapping), examine your individual routers.
  Brg/Port Prio: 32768/128, Rem Hops: 20
4w0d4h : MSTP: Received BPDU on Gi 2/21 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x78 (Indicates MSTP routers are in the [single] region.)
  CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0
  Regional Bridge Id: 32768:0001.e806.953e, CIST Port Id: 128:470
  Msg Age: 0, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96
  Name: Tahiti, Rev: 123 (MSTP region name and revision), Int Root Path Cost: 0
  Rem Hops: 19, Bridge Id: 32768:0001.e8d5.
36 Multicast Features
The Dell Networking operating system (OS) supports the following multicast protocols.
● Multicast is not supported on secondary IP addresses.
● Egress L3 ACL is not applied to multicast data traffic if you enable multicast routing.
First Packet Forwarding for Lossless Multicast
All initial multicast packets are forwarded to receivers to achieve lossless multicast. In previous versions, when the Dell Networking system is an RP, all initial packets are dropped until PIM creates an (S,G) entry.
The default is 15000.
NOTE: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit may be superseded by this hardware space limitation. The opposite is also true: the CAM partition might not be exhausted when the system-wide route limit set by the ip multicast-limit command is reached.
Figure 95. Preventing a Host from Joining a Group
Table 58. Preventing a Host from Joining a Group — Description
Location | Description
1/21
 ● Interface TenGigabitEthernet 1/21
 ● ip pim sparse-mode
 ● ip address 10.11.12.1/24
 ● no shutdown
1/31
 ● Interface TenGigabitEthernet 1/31
 ● ip pim sparse-mode
 ● ip address 10.11.13.1/24
 ● no shutdown
2/1
 ● Interface TenGigabitEthernet 2/1
 ● ip pim sparse-mode
 ● ip address 10.11.1.
Table 58. Preventing a Host from Joining a Group — Description (continued) Location Description ● ip address 10.11.12.2/24 ● no shutdown 2/31 ● ● ● ● Interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 ● ● ● ● Interface TenGigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.1/24 no shutdown 3/11 ● ● ● ● Interface TenGigabitEthernet 3/11 ip pim sparse-mode ip address 10.11.13.
Figure 96. Preventing a Source from Transmitting to a Group
Table 59. Preventing a Source from Transmitting to a Group — Description
Location: Description
1/21: interface GigabitEthernet 1/21; ip pim sparse-mode; ip address 10.11.12.1/24; no shutdown
1/31: interface GigabitEthernet 1/31; ip pim sparse-mode; ip address 10.11.13.1/24; no shutdown
2/1: interface GigabitEthernet 2/1; ip pim sparse-mode; ip address 10.11.1.
Table 59. Preventing a Source from Transmitting to a Group — Description (continued)
(continued entry): ip address 10.11.12.2/24; no shutdown
2/31: interface GigabitEthernet 2/31; ip pim sparse-mode; ip address 10.11.23.1/24; no shutdown
3/1: interface GigabitEthernet 3/1; ip pim sparse-mode; ip address 10.11.5.1/24; no shutdown
3/11: interface GigabitEthernet 3/11; ip pim sparse-mode; ip address 10.11.13.
NOTE: If the system initiating the mtrace is itself the last-hop router, no Query message is sent. Instead, the router sends a Request message directly to its upstream (previous-hop) router. In the general case, the last-hop router converts the received Query packet into a Request packet by adding a response data block, which contains the last-hop router's interface address.
mtrace multicast-source-address multicast-receiver-address multicast-group-address
From source (?) to destination (?)
|Hop| OIF IP | Proto | Forwarding Code | Source Network/Mask |
0 "destination ip (to)" --> Destination
-1 "Outgoing intf addr" "Proto" "Err/fwd code if present" "Src Mask"
-2 "Outgoing intf addr" "Proto" "Err/fwd code if prese
Table 60. mtrace Command Output — Explained (continued)
Command Output: Description
● (1.1.1.1): Outgoing interface address at that node for the source and group.
● (PIM): Multicast protocol used at the node to retrieve the information.
● (Reached RP/Core): Forwarding code in mtrace denoting that the RP node has been reached.
● (103.103.103.0/24): Source network and mask. If the (*,G) shared tree is used, this field shows "(shared tree)" instead.
Table 62. Mtrace Scenarios Scenario When you want to trace a route with the multicast tree for a source, group, and destination, you can specify all the parameters in the command. Mtrace will trace the complete path from source to destination by using the multicast tables for that group. You can issue the mtrace command specifying the source multicast tree and multicast group without specifying the destination. Mtrace traces the complete path traversing through the multicast group to reach the source.
Table 62. Mtrace Scenarios (continued) Scenario Output ----------------------------------------------------------------* - Any PIM enabled interface on this node R1>mtrace 103.103.103.3 1.1.1.1 Type Ctrl-C to abort. Querying reverse path for source 103.103.103.3 to destination 1.1.1.
Table 62. Mtrace Scenarios (continued) Scenario Output -2 20.20.20.2 PIM 6.6.6.0/24 -3 10.10.10.1 PIM No route default ----------------------------------------------------------------- If you invoke a weak mtrace query (without the multicast group details) and the RPF neighbor on one of the nodes to the source is not PIM enabled, the output of the command displays a NO ROUTE error code in the Forwarding Code column.
Table 62. Mtrace Scenarios (continued) Scenario Output -1 5.5.5.4 PIM Wrong Last-Hop 6.6.6.0/24 -2 20.20.20.2 PIM 6.6.6.0/24 -3 10.10.10.1 PIM 6.6.6.0/24 -4 6.6.6.6 --> Source ----------------------------------------------------------------- If a router in the network does not process mtrace and drops the packet resulting in no response, the system performs an expanding-hop search to trace the path to the router that has dropped mtrace.
Table 62. Mtrace Scenarios (continued) Scenario destination as the last IP address from the output of the previous trace query. Output ---------------------------------------------------------------|Hop| OIF IP |Proto| Forwarding Code |Source Network/Mask| ---------------------------------------------------------------0 1.1.1.1 --> Destination -1 1.1.1.1 PIM 99.99.0.0/16 -2 101.101.101.102 PIM 99.99.0.0/16 -3 2.2.2.1 PIM 99.99.0.0/16 . . . -146 17.17.17.17 PIM No space in packet 99.99.0.
37 NPIV Proxy Gateway The N-port identifier virtualization (NPIV) proxy gateway (NPG) provides FCoE-FC bridging capability on the S5000 switch. This chapter describes how to configure and use an NPIV proxy gateway on an S5000 switch in a storage area network (SAN).
Figure 97. NPIV Proxy Gateway Example An S5000 FC port is configured as an N (node) port that logs in to an F (fabric) port on the upstream FC core switch and creates a channel for N-port identifier virtualization. NPIV allows multiple N-port fabric logins at the same time on a single, physical Fibre Channel link. Converged Network Adapter (CNA) ports on servers connect to S5000 Ten-Gigabit Ethernet ports and log in to an upstream FC core switch through the S5000 N port.
NPIV Proxy Gateway: Protocol Services An S5000 NPG provides the following protocol services. ● Fibre Channel service to create N ports and log in to an upstream FC switch. ● FCoE service to perform: ○ Virtualization of FC N ports on an NPG so that they appear as FCoE FCFs to downstream servers. ○ NPIV service to perform the association and aggregation of FCoE servers to upstream F ports on core switches (through N ports on the NPG).
Table 63. S5000 NPIV Proxy Gateway: Terms and Definitions (continued) Term Description MAC address (FPMA). The FPMA is required to send FCoE packets from a server to a SAN fabric. FCoE map Template used to configure FCoE and FC parameters on Ethernet and FC ports in a converged fabric. FCoE VLAN VLAN dedicated to carrying only FCoE traffic between server CNA ports and a SAN fabric. (FCoE traffic must travel in a VLAN.) When you apply an FCoE map on a port, FCoE is enabled on the port.
port on the FCoE VLAN. The FIP advertisement also contains a keepalive message to maintain connectivity between a SAN fabric and downstream servers. Configure an NPIV Proxy Gateway You can connect an NPIV proxy gateway to a server either directly or through a FIP snooping bridge. If you connect the S5000 and a FIP snooping bridge using a port channel, configure the port channel on both devices (the interface port-channel command on the S5000). NOTE: DCB is enabled by default.
priority-group 2 bandwidth 20 pfc on priority-group 4 strict-priority pfc off 3. Specify the priority group ID number to handle VLAN traffic for each dot1p class-of-service: from 0 through 7. DCB MAP mode priority-pgid dot1p0_group_num dot1p1_group_num dot1p2_group_num dot1p3_group_num dot1p4_group_num dot1p5_group_num dot1p6_group_num dot1p7_group_num Leave a space between each priority group number. For example: priority-pgid 0 0 0 1 2 4 4 4.
Creating an FCoE VLAN Create a dedicated VLAN to send and receive Fibre Channel traffic over FCoE links between servers and a fabric over an NPG. The NPG receives FCoE traffic and forwards de-capsulated FC frames over FC links to SAN switches in a specified fabric. Create the dedicated VLAN for FCoE traffic. CONFIGURATION mode interface vlan vlan-id NOTE: VLAN 1002 is commonly used to transmit FCoE traffic.
For example:
Dell(conf)# interface tengigabitEthernet 0/0
Dell(conf-if-te-0/0)# fcoe-map SAN_FABRIC_A
Dell(conf)# interface port-channel 3
Dell(conf-if-po-3)# fcoe-map SAN_FABRIC_A
Dell(conf)# interface fortygigabitEthernet 0/48
Dell(conf-if-fo-0/48)# fcoe-map SAN_FABRIC_A
3. Enable the port for FCoE transmission using the map settings.
Dell(conf-dcbx-name)# priority-group 2 bandwidth 20 pfc on
Dell(conf-dcbx-name)# priority-group 4 strict-priority pfc off
Dell(conf-dcbx-name)# priority-pgid 0 0 0 1 2 4 4 4
Apply the DCB Map on a Downstream (Server-Facing) Ethernet Port
Dell(conf)# interface tengigabitethernet 1/0
Dell(conf-if-te-1/0)# dcb-map SAN_DCB_MAP
Create the Dedicated VLAN Used for FCoE Traffic
Dell(conf)# interface vlan 1002
Configure an FCoE map Applied on the Downstream (Server-Facing) Ethernet and Upstream (Core-Facing) F
Command Description show fcoe-map [brief | mapname] Displays the Fibre Channel and FCoE configuration parameters in FCoE maps. Enter the brief keyword to display an overview of currently configured FCoE maps. Enter the name of an FCoE map to display the FC and FCoE parameters configured in the map to apply on the Ethernet (FCoE) and FC ports. show qos dcbmap map-name Displays configuration parameters in a specified DCB map.
Field Description VLAN VLAN IDs of the VLANs in which the port is a member.
The following lists the show qos dcb-map command example field descriptions. Term heading Description heading State ● Complete: All mandatory DCB parameters are correctly configured. ● In progress: The DCB map configuration is not complete. Some mandatory parameters are not configured. PFC Mode PFC configuration in the DCB map: On (enabled) or Off. PG Priority group configured in the DCB map. TSA Transmission scheduling algorithm used in the DCB map: Enhanced Transmission Selection (ETS).
ENode Intf : Te 0/13
FCF MAC : 5c:f9:dd:ef:10:c9
Fabric Intf : Fc 0/0
FCoE Vlan : 1003
Fabric Map : fid_1003
ENode WWPN : 10:00:00:00:c9:d9:9c:cb
ENode WWNN : 10:00:00:00:c9:d9:9c:cd
FCoE MAC : 0e:fc:03:01:02:02
FC-ID : 01:02:01
LoginMethod : FDISC
Secs : 5593
Status : LOGGED_IN
The following lists the show npiv devices command example field descriptions.
Field: Description
ENode [number]: Server CNA that has successfully logged in to a fabric over an Ethernet port in ENode mode.
NUM Status Description Fabric Q Ports
* 1 10 11 20 Active Inactive Inactive Inactive FABRIC_NAME1 U Po10(Te 1/2-33) FABRIC_NAME10 -
The following lists the show vlan command example field descriptions.
Field: Description
Num: VLAN ID number.
Status: Operational state of the VLAN: Active (transmitting traffic) or Inactive (not transmitting traffic).
Description: Text description of the VLAN.
Fabric: SAN fabric to which Fibre Channel traffic is sent.
38 Object Tracking IPv4 or IPv6 object tracking is available on Dell EMC Networking OS. Object tracking allows the Dell EMC Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell EMC Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 98. Object Tracking Example When you configure a tracked object, such as an IPv4/IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify: ● UP and DOWN thresholds used to report changes in a route metric. ● A time delay before changes in a tracked object's state are reported to a client. Track Layer 2 Interfaces You can create an object to track the line-protocol state of a Layer 2 interface.
A tracked route matches a route in the routing table only if the exact address and prefix length match an entry in the routing table. For example, when configured as a tracked route, 10.0.0.0/24 does not match the routing table entry 10.0.0.0/8. If no route-table entry has the exact address and prefix length, the tracked route is considered to be DOWN.
VRRP Object Tracking As a client, VRRP can track up to 20 objects (including route entries, and Layer 2 and Layer 3 interfaces) in addition to the 12 tracked interfaces supported for each VRRP group. You can assign a unique priority-cost value from 1 to 254 to each tracked VRRP object or group interface. The priority cost is subtracted from the VRRP group priority if a tracked VRRP object is in a DOWN state.
show track object-id
DellEMC(conf)#track 100 interface tengigabitethernet 1/1 line-protocol
DellEMC(conf-track-100)#delay up 20
DellEMC(conf-track-100)#description San Jose data center
DellEMC(conf-track-100)#end
DellEMC#show track 100
Track 100
Interface TenGigabitEthernet 1/1 line-protocol
Description: San Jose data center
Tracking a Layer 3 Interface You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface.
DellEMC(conf-track-101)#description NYC metro
DellEMC(conf-track-101)#end
DellEMC#show track 101
Track 101
Interface TenGigabitEthernet 7/2 ip routing
Description: NYC metro
The following is an example of configuring object tracking for an IPv6 interface:
DellEMC(conf)#track 103 interface tengigabitethernet 1/11 ipv6 routing
DellEMC(conf-track-103)#description Austin access point
DellEMC(conf-track-103)#end
DellEMC#show track 103
Track 103
Interface TenGigabitEthernet 7/11 ipv6 routing
Description: Austin a
○ The resolution value used to scale RIP routes is not configurable. The RIP hop count is automatically multiplied by 16. For example, a RIP metric of 16 (unreachable) scales to 256, which places the route in the DOWN state. Tracking Route Reachability Use the following commands to configure object tracking on the reachability of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command. 1. Configure object tracking on the reachability of an IPv4 or IPv6 route.
Reachability is Down (route not in route table) 2 changes, last change 00:03:03 Tracking a Metric Threshold Use the following commands to configure object tracking on the metric threshold of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command. 1. (Optional) Reconfigure the default resolution value used by the specified protocol to scale the metric for IPv4 or IPv6 routes.
Example of IPv4 and IPv6 Tracking Metric Thresholds
The following example configures object tracking on the metric threshold of an IPv6 route:
DellEMC(conf)#track 8 ipv6 route 2::/64 metric threshold
DellEMC(conf-track-8)#threshold metric up 30
DellEMC(conf-track-8)#threshold metric down 40
Displaying Tracked Objects To display the currently configured objects used to track Layer 2 and Layer 3 interfaces, and IPv4 and IPv6 routes, use the following show commands.
Example of the show track resolution Command
DellEMC#show track resolution
IP Route Resolution
ISIS 1
OSPF 1
IPv6 Route Resolution
ISIS 1
Example of the show track vrf Command
DellEMC#show track vrf red
Track 5
IP route 192.168.0.0/24 reachability, Vrf: red
Reachability is Up (CONNECTED)
3 changes, last change 00:02:39
First-hop interface is TenGigabitEthernet 1/4
Example of Viewing Object Tracking Configuration
DellEMC#show running-config track
track 1 ip route 23.0.0.
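The chapter states three rules that are easy to get wrong when planning VRRP failover: a tracked route matches only on exact address and prefix length, RIP metrics are scaled by a fixed factor of 16 onto the threshold scale, and the priority cost of every DOWN object is subtracted from the VRRP group priority. The following added example (not part of the Dell guide) models those rules in Python so the resulting VRRP priority can be predicted before the configuration is applied. The routing table, tracked objects and costs are constructed; the hysteresis reading of the UP/DOWN thresholds (UP at or below the UP threshold, DOWN at or above the DOWN threshold, otherwise unchanged), the 254/255 defaults, and clamping the priority at 1 are assumptions of the example.

```python
import ipaddress

# RIP hop count is always multiplied by 16 (not configurable); for the other
# protocols the guide's "resolution" value is a configurable multiplier.
RIP_RESOLUTION = 16
DEFAULT_UP_THRESHOLD = 254     # assumed defaults: UP at <= 254, DOWN at >= 255
DEFAULT_DOWN_THRESHOLD = 255


def route_reachable(routing_table, tracked_prefix):
    """Exact-match lookup: address and prefix length must both match an entry."""
    tracked = ipaddress.ip_network(tracked_prefix, strict=True)
    return any(ipaddress.ip_network(p, strict=True) == tracked for p in routing_table)


def scaled_metric(protocol, metric, resolution=1):
    """Scale a protocol metric onto the 0..255 threshold scale."""
    if protocol.lower() == "rip":
        return metric * RIP_RESOLUTION
    return metric * resolution


def threshold_state(scaled, previous, up=DEFAULT_UP_THRESHOLD, down=DEFAULT_DOWN_THRESHOLD):
    """UP when at or below the UP threshold, DOWN when at or above the DOWN
    threshold; between the two the previous state is kept (assumed hysteresis)."""
    if up >= down:
        raise ValueError("UP threshold must be below DOWN threshold")
    if scaled <= up:
        return "UP"
    if scaled >= down:
        return "DOWN"
    return previous


def vrrp_effective_priority(base_priority, tracked_objects):
    """Subtract the priority cost of every tracked object that is DOWN.
    tracked_objects: iterable of (object_id, state, priority_cost).
    Clamping at 1 is an assumption; VRRP priorities are 1..254."""
    if not 1 <= base_priority <= 254:
        raise ValueError("VRRP priority must be 1..254")
    if len(tracked_objects) > 20:
        raise ValueError("VRRP can track at most 20 objects")
    for _, _, cost in tracked_objects:
        if not 1 <= cost <= 254:
            raise ValueError("priority cost must be 1..254")
    cost = sum(c for _, state, c in tracked_objects if state == "DOWN")
    return max(1, base_priority - cost)


def demo():
    """Constructed routing table and tracked objects for one VRRP group."""
    table = {"10.0.0.0/8": 1, "192.168.0.0/24": 2}
    states = [
        ("track 100", "UP" if route_reachable(table, "10.0.0.0/24") else "DOWN", 20),
        ("track 101", "UP" if route_reachable(table, "192.168.0.0/24") else "DOWN", 30),
        ("track 8", threshold_state(scaled_metric("ospf", 35), "UP", up=30, down=40), 10),
    ]
    return {
        "exact_match_10/24": route_reachable(table, "10.0.0.0/24"),
        "rip_16_hops": threshold_state(scaled_metric("rip", 16), "UP"),
        "states": states,
        "vrrp_priority": vrrp_effective_priority(100, states),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Track 100 goes DOWN even though 10.0.0.0/8 is in the table, because 10.0.0.0/24 is not an exact match, so a VRRP group with priority 100 drops to 80; track 8 stays UP because a scaled metric of 35 lies between the configured thresholds of 30 and 40.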
39 Open Shortest Path First (OSPFv2) Open Shortest Path First (OSPFv2) is supported on Dell Networking OS. OSPF protocol standards are listed in the Standards Compliance chapter.
Figure 99. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers. The backbone is the only area with a default area number. All other areas can have their Area ID assigned in the configuration.
Router Types Router types are attributes of the OSPF process. A given physical router may be a part of one or more OSPF processes. For example, a router that connects to more than one area and also receives routes from a border gateway protocol (BGP) process connected to another AS acts as both an area border router (ABR) and an autonomous system boundary router (ASBR). Each router has a unique ID, written in dotted-decimal format (A.B.C.D). You do not have to associate the router ID with a valid IP address.
Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database. An ABR takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to. An ABR can connect to many areas in an AS, and is considered a member of each area it connects to.
● Type 7: External LSA — Routers in an NSSA do not receive external LSAs from ABRs, but are allowed to send external routing information for redistribution. They use Type 7 LSAs to tell the ABRs about these external routes, which the ABR then translates to Type 5 external LSAs and floods as normal to the rest of the OSPF network. ● Type 9: Link Local LSA (OSPFv2) — For OSPFv2, this is a link-local "opaque" LSA as defined by RFC2370. For all LSA types, there are 20-byte LSA headers.
Figure 101. Priority and Cost Examples Implementing OSPF with Dell Networking OS Dell Networking OS supports up to 10,000 OSPF routes. Within that 10,000, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. The S5000 supports up to 16 processes simultaneously.
Multi-Process OSPFv2 (IPv4 only) Multi-Process OSPF is supported on the S5000 switch for OSPFv2 with IPv4 only. Multi-process OSPF allows multiple OSPFv2 processes on a single router. Multiple OSPFv2 processes allow you to isolate routing domains, support multiple route policies and priorities in different domains, and create smaller domains for easier management. The S5000 supports up to 16 OSPFv2 processes. Each OSPFv2 process has a unique process ID and must have an associated router ID.
Number of area in this router is 1, normal 0 stub 0 nssa 1 --More-- OSPF ACK Packing The OSPF ACK packing feature bundles multiple LS acknowledgements in a single packet, significantly reducing the number of ACK packets transmitted when the number of LSAs increases. This feature also enhances network utilization and reduces the number of small ACK packets sent to a neighboring router. OSPF ACK packing is enabled by default and non-configurable.
Configuration Task List for OSPFv2 (OSPF for IPv4) The following configuration tasks include two mandatory tasks and several optional tasks.
Assigning an OSPFv2 Area After you enable OSPFv2, assign the interface to an OSPF area. Set up OSPF areas and enable OSPFv2 on an interface with the network command. You must have at least one area: Area 0, the backbone area. If your OSPF network contains more than one area, configure a backbone area (Area ID 0.0.0.0). Any area besides Area 0 can be assigned any area ID. The OSPFv2 process evaluates the network commands in the order they are configured.
TenGigabitEthernet 12/17 is up, line protocol is up
Internet Address 10.2.2.1/24, Area 0.0.0.0
Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 11.1.2.1, Interface address 10.2.2.1
Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
no ipv6 router ospf process-id vrf {vrf-name} ● Reset the OSPFv3 process. EXEC Privilege mode clear ipv6 ospf [vrf vrf-name] process Configuring Stub Areas OSPF supports different types of LSAs to help reduce the amount of router processing within the areas. Type 5 LSAs are not flooded into stub areas; the ABR advertises a default route into the stub area to which it is attached. Stub area routers use the default route to reach external destinations.
● hold-interval: set the next interval to send the same LSA. This interval is the time between sending the same LSA after the start-interval has been attempted. The range is from 1 to 600,000 milliseconds. ● max-interval: set the maximum amount of time the system waits before sending the LSA. The range is from 1 to 600,000 milliseconds. 2. Specify the interval for LSA acceptance.
Loopback 45 is up, line protocol is up
Internet Address 10.1.1.23/24, Area 2.2.2.2
Process ID 34, Router ID 10.1.2.100, Network Type LOOPBACK, Cost: 1
Enabling Fast-Convergence The fast-convergence CLI sets the minimum origination and arrival LSA parameters to zero (0), allowing rapid route calculation. When you disable fast-convergence, origination and arrival LSA parameters are set to 5 seconds and 1 second, respectively.
● Change the cost associated with OSPF traffic on the interface. CONFIG-INTERFACE mode ip ospf cost ○ cost: The range is from 1 to 65535 (the default depends on the interface speed). ● Change the time interval the router waits before declaring a neighbor dead. CONFIG-INTERFACE mode ip ospf dead-interval seconds ○ seconds: the range is from 1 to 65535 (the default is 40 seconds). By convention the dead interval is four times the hello interval. The dead interval must be the same on all routers that share a network segment, or they do not form an adjacency.
Dell(conf-if)#end
Dell#show ip ospf 34 interface
TenGigabitEthernet 0/0 is up, line protocol is up
Internet Address 10.1.2.100/24, Area 2.2.2.2
Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 45
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 10.1.2.100, Interface address 10.1.2.100
Backup Designated Router (ID) 10.1.2.100, Interface address 0.0.0.
○ transmit delay seconds: the range is from 1 to 3600 (the default is 1).
○ dead interval seconds: the range is from 1 to 8192 (the default is 40).
○ authentication key: eight characters.
○ message digest key keyid: the range is from 1 to 255.
○ md5 key: 16 characters.
If you do not enter other parameters, the defaults are used. Only the area ID and router ID require configuration to create a virtual link. Use EITHER the Authentication Key or the Message Digest (MD5) key. Note that the eight-character authentication key (OSPF simple password authentication) is carried in cleartext in every OSPF packet, so anyone who can capture traffic on the path of the virtual link can read it; the MD5 key is never transmitted, only a digest computed with it, so prefer the MD5 key.
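To make the difference between the two authentication options concrete, the following added example (not taken from the Dell guide) builds a minimal OSPFv2 Hello packet and applies both OSPFv2 authentication types as RFC 2328 defines them: AuType 1 places the 8-octet password verbatim in the packet header, while AuType 2 appends an MD5 digest of the packet and the 16-octet key. The router ID and area are borrowed from the show output above; the password, the MD5 key and the key ID are constructed values, and hashlib is used for the digest.

```python
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HDR_LEN = 24


def inet_checksum(data):
    """One's-complement checksum used in the OSPFv2 header (AuType 0 and 1 only)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, mask, hello=10, dead=40):
    """Unauthenticated OSPFv2 Hello: 24-byte header plus 20-byte Hello body."""
    body = (ipaddress.IPv4Address(mask).packed
            + struct.pack("!HBBI", hello, 0x02, 1, dead)   # options E, priority 1
            + b"\x00" * 8)                                 # DR and BDR = 0.0.0.0
    header = struct.pack("!BBH4s4sHH8s", OSPF_VERSION, OSPF_HELLO, HDR_LEN + len(body),
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed,
                         0, AUTH_NULL, b"\x00" * 8)
    return header + body


def sign_simple(packet, password):
    """AuType 1: the password is copied into the 64-bit authentication field as-is."""
    if not 1 <= len(password) <= 8:
        raise ValueError("simple password is 1..8 octets")
    pkt = bytearray(packet)
    pkt[14:16] = struct.pack("!H", AUTH_SIMPLE)
    pkt[12:14] = b"\x00\x00"
    pkt[16:24] = b"\x00" * 8                  # checksum excludes the auth field
    pkt[12:14] = struct.pack("!H", inet_checksum(bytes(pkt)))
    pkt[16:24] = password.ljust(8, b"\x00")
    return bytes(pkt)


def sign_md5(packet, key_id, seq, key):
    """AuType 2 (RFC 2328 Appendix D): MD5(packet || key padded to 16) is appended."""
    if not 1 <= len(key) <= 16:
        raise ValueError("MD5 key is 1..16 octets")
    pkt = bytearray(packet)
    pkt[12:14] = b"\x00\x00"                  # checksum field is not used with AuType 2
    pkt[14:16] = struct.pack("!H", AUTH_MD5)
    pkt[16:24] = struct.pack("!HBBI", 0, key_id, 16, seq)
    digest = hashlib.md5(bytes(pkt) + key.ljust(16, b"\x00")).digest()
    return bytes(pkt) + digest


def verify_md5(frame, keys):
    """Recompute the trailing digest with the key selected by the Key ID field."""
    length = struct.unpack("!H", frame[2:4])[0]
    if struct.unpack("!H", frame[14:16])[0] != AUTH_MD5 or len(frame) != length + 16:
        return False
    key_id, auth_len = frame[18], frame[19]
    if auth_len != 16 or key_id not in keys:
        return False
    expected = hashlib.md5(frame[:length] + keys[key_id].ljust(16, b"\x00")).digest()
    return hmac.compare_digest(expected, frame[length:])


def demo():
    pkt = build_hello("10.1.2.100", "2.2.2.2", "255.255.255.0")
    simple = sign_simple(pkt, b"s3cret!!")                  # constructed password
    key = b"0123456789abcdef"                               # constructed 16-char key
    signed = sign_md5(pkt, key_id=1, seq=1, key=key)
    tampered = signed[:7] + bytes([signed[7] ^ 0x01]) + signed[8:]  # flip a router-ID bit
    return {
        "password_on_wire": b"s3cret!!" in simple,
        "key_on_wire": key in signed,
        "md5_ok": verify_md5(signed, {1: key}),
        "md5_tampered_ok": verify_md5(tampered, {1: key}),
    }


if __name__ == "__main__":
    print(demo())
```

Searching the two frames for the secret shows the asymmetry: the simple password is present byte for byte, the MD5 key is not, and a single flipped bit in the signed packet makes verification fail. The sequence number in the AuType 2 header is what gives replay protection, so a real implementation must keep it increasing per neighbour.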
○ route-map map-name: enter a name of a configured route map. ○ tag tag-value: the range is from 0 to 4294967295. To view the current OSPF configuration, use the show running-config ospf command in EXEC mode or the show config command in ROUTER OSPF mode.
Dell(conf-router_ospf)#show config
!
router ospf 34
 network 10.1.2.32 0.0.0.255 area 2.2.2.2
 network 10.1.3.24 0.0.0.255 area 3.3.3.
If you do not enter a process ID, the command applies to the first OSPF process. To view debug messages for a specific operation, enter one of the optional keywords:
○ event: view OSPF event messages.
○ packet: view OSPF packet information.
○ spf: view SPF information.
○ database-timers rate-limit: view the LSAs currently in the queue.
Dell#show run ospf
!
router ospf 3
!
router ospf 4
 router-id 4.4.4.4
 network 4.4.4.
Figure 102. Basic Topology and CLI Commands for OSPFv2
OSPF Area 0 — Gl 1/1 and 1/2
router ospf 11111
 network 10.0.11.0/24 area 0
 network 10.0.12.0/24 area 0
 network 192.168.100.0/24 area 0
!
interface TenGigabitEthernet 1/1
 ip address 10.1.11.1/24
 no shutdown
!
interface TenGigabitEthernet 1/2
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown
OSPF Area 0 — Gl 3/1 and 3/2
router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.
OSPF Area 0 — Gl 2/1 and 2/2
router ospf 22222
 network 192.168.100.0/24 area 0
 network 10.2.21.0/24 area 0
 network 10.2.22.0/24 area 0
!
interface Loopback 20
 ip address 192.168.100.20/24
 no shutdown
!
interface TenGigabitEthernet 2/1
 ip address 10.2.21.2/24
 no shutdown
!
interface TenGigabitEthernet 2/2
 ip address 10.2.22.2/24
 no shutdown
OSPFv3 NSSA An NSSA (Not-So-Stubby Area) is a stub area that does not accept Type-5 LSAs but uses Type-7 LSAs to carry external routes.
Enable OSPFv3 for IPv6 by specifying an OSPF process ID and an area in INTERFACE mode. If you have not created an OSPFv3 process, it is created automatically. All IPv6 addresses configured on the interface are included in the specified OSPF process. NOTE: IPv6 and OSPFv3 do not support Multi-Process OSPF. You can only enable a single OSPFv3 process. To create multiple OSPF processes you need to have multiple VRFs on a switch.
ipv6 ospf process-id area area-id ○ process-id: the process ID number assigned. ○ area-id: the area ID for this interface. Assigning OSPFv3 Process ID and Router ID Globally To assign, disable, or reset OSPFv3 globally, use the following commands. ● Enable the OSPFv3 process globally and enter OSPFv3 mode. CONFIGURATION mode ipv6 router ospf {process ID} The range is from 0 to 65535. ● Assign the router ID for this OSPFv3 process. CONF-IPV6-ROUTER-OSPF mode router-id {number} ○ number: the IPv4 address.
Configuring Stub Areas To configure IPv6 stub areas, use the following command. ● Configure the area as a stub area. CONF-IPV6-ROUTER-OSPF mode area area-id stub [no-summary] ○ no-summary: use this keyword to prevent summary LSAs from being flooded into the area. ○ area-id: the number or IP address assigned when the area was created. You can enter the area ID either as a number from 0 to 65535 or in dotted-decimal (IP address) format.
default-information originate [always [metric metric-value] [metric-type type-value]] [route-map map-name] Configure the following required and optional parameters: ○ always: indicate that default route information is always advertised. ○ metric metric-value: The range is from 0 to 4294967295. ○ metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2. ○ route-map map-name: enter a name of a configured route map.
When you configure a graceful restart on an OSPFv2 router, the show run ospf command displays information similar to the following. DellEMC#show run ospf ! router ospf 1 graceful-restart grace-period 300 graceful-restart role helper-only graceful-restart mode unplanned-only graceful-restart helper-reject 10.1.1.1 graceful-restart helper-reject 20.1.1.1 network 10.0.2.
Brd Rtr Count : 2
AS Bdr Rtr Count : 2
LSA count : 12010
Summary LSAs : 1
Rtr LSA Count : 4
Net LSA Count : 3
Inter Area Pfx LSA Count : 12000
Inter Area Rtr LSA Count : 0
Group Mem LSA Count : 0
The following example shows the show ipv6 ospf database grace-lsa command.
DellEMC#show ipv6 ospf database grace-lsa
!
Type-11 Grace LSA (Area 0)
LS Age : 10
Link State ID : 6.16.192.66
Advertising Router : 100.1.1.
LS Seq Number :
Checksum :
Length :
Associated Interface :
Restart Interval :
Restart Reason :
OSPFv3 Authentication Using IPsec: Configuration Notes OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552. ● To use IPsec, configure an authentication (using AH) or encryption (using ESP) security policy on an interface or in an OSPFv3 area. Each security policy consists of a security policy index (SPI) and the key used to validate OSPFv3 packets. After IPsec is configured for OSPFv3, IPsec operation is invisible to the user.
○ key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share the same key to exchange information. For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted). For SHA-1 authentication, the key must be 40 hex digits (non-encrypted) or 80 hex digits (encrypted). ● Remove an IPsec authentication policy from an interface.
Configuring IPSec Authentication for an OSPFv3 Area To configure, remove, or display IPSec authentication for an OSPFv3 area, use the following commands. Prerequisite: Before you enable IPsec authentication on an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)). The security policy index (SPI) value must be unique to one IPSec security policy (authentication or encryption) on the router.
○ key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information. The required lengths of a non-encrypted or encrypted key are: 3DES - 48 or 96 hex digits; DES - 16 or 32 hex digits; AES-CBC - 32 or 64 hex digits for AES-128 and 48 or 96 hex digits for AES-192. ○ key-encryption-type: (optional) specifies if the key is encrypted. Valid values: 0 (key is not encrypted) or 7 (key is encrypted).
Transform set : ah-md5-hmac
Crypto IPSec client security policy data
Policy name : OSPFv3-0-501
Policy refcount : 1
Inbound ESP SPI : 501 (0x1F5)
Outbound ESP SPI : 501 (0x1F5)
Inbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5
Outbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5
Inbound ESP Cipher Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba10345a1039ba8f8a
Outbound ESP Cipher Key : bbdd96e6
Troubleshooting OSPFv3 The system provides several tools to troubleshoot OSPFv3 operation on the switch. This section describes typical OSPFv3 troubleshooting scenarios. NOTE: The following troubleshooting section is not meant to be a comprehensive list, but only to provide some examples of typical troubleshooting checks.
The OSPFv3 ipv6 ospf area command enables OSPFv3 on the interface and places the interface in an area. With OSPFv2, two commands are required to accomplish the same tasks — the router ospf command to create the OSPF process, then the network area command to enable OSPF on an interface. NOTE: The OSPFv2 network area command enables OSPF on multiple interfaces with the single command. Use the OSPFv3 ipv6 ospf area command on each interface that runs OSPFv3.
Assigning IPv6 Addresses on an Interface To assign IPv6 addresses to an interface, use the following commands. 1. Assign an IPv6 address to the interface. CONF-INT-type slot/port mode ipv6 address ipv6 address IPv6 addresses are normally written as eight groups of four hexadecimal digits; separate each group by a colon (:). The format is A:B:C::F/128. 2. Bring up the interface.
Assigning OSPFv3 Process ID and Router ID to a VRF To assign, disable, or reset OSPFv3 on a non-default VRF, use the following commands. ● Enable the OSPFv3 process on a non-default VRF and enter OSPFv3 mode. CONFIGURATION mode ipv6 router ospf {process ID} vrf {vrf-name} The process ID range is from 0 to 65535. ● Assign the router ID for this OSPFv3 process. CONF-IPV6-ROUTER-OSPF mode router-id {number} ○ number: the IPv4 address. The format is A.B.C.D.
Redistributing Routes You can add routes from other routing instances or protocols to the OSPFv3 process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process. Route redistribution is also supported between OSPF Routing process IDs. To add redistributing routes, use the following command. ● Specify which routes are redistributed into the OSPF process.
The valid values are from 40 to 1800 seconds. ● Configure an OSPFv3 interface to not act on the Grace LSAs that it receives from a restarting OSPFv3 neighbor. INTERFACE mode ipv6 ospf graceful-restart helper-reject ● Specify the operating mode and type of events that trigger a graceful restart. CONF-IPV6-ROUTER-OSPF mode graceful-restart mode [planned-only | unplanned-only] ○ Planned-only: the OSPFv3 router supports graceful restart only for planned restarts.
AS Scope LSA Count : 0
AS Scope LSA Cksum sum : 0
Originate New LSAS : 73
Rx New LSAS : 114085
Ext LSA Count : 0
Rte Max Eq Cost Paths : 5
GR grace-period : 180
GR mode : planned and unplanned
Area 0 database summary
Type : Count/Status
Brd Rtr Count : 2
AS Bdr Rtr Count : 2
LSA count : 12010
Summary LSAs : 1
Rtr LSA Count : 4
Net LSA Count : 3
Inter Area Pfx LSA Count : 12000
Inter Area Rtr LSA Count : 0
Group Mem LSA Count : 0
The following example shows the show ipv6 ospf database grace-lsa command.
In OSPFv3 communication, IPsec provides security services between a pair of communicating hosts or security gateways using either AH or ESP. In an authentication policy on an interface or in an OSPF area, AH and ESP are used alone; in an encryption policy, AH and ESP may be used together. The difference between the two mechanisms is the extent of the coverage. ESP only protects IP header fields if they are encapsulated by ESP.
ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} [key-encryption-type] key}
○ null: causes an authentication policy configured for the area to not be inherited on the interface.
○ ipsec spi number: the security policy index (SPI) value. The range is from 256 to 4294967295.
○ MD5 | SHA1: specifies the authentication type: Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1).
○ key-encryption-type: (optional) specifies if the key is encrypted.
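The following added example (not Dell EMC Networking OS code) shows what the spi, MD5/SHA1 and key parameters of the command above mean on the wire: both neighbors must hold the same SPI, algorithm and key, and a mismatch on either side makes every received OSPFv3 packet fail its integrity check. It assumes a non-encrypted key is written as 32 (MD5) or 40 (SHA1) hex digits and that the ICV is the 96-bit truncation of HMAC-MD5 / HMAC-SHA1 defined for IPsec AH (RFC 2403 / RFC 2404); keys and the hello payload are constructed.

```python
import hashlib
import hmac
import struct

# Added example (not Dell EMC Networking OS code): the AH integrity check that the
# `ipv6 ospf authentication ipsec spi <n> {MD5|SHA1} <key>` parameters configure.
# Assumptions: non-encrypted keys are 32 (MD5) or 40 (SHA1) hex digits; the ICV is
# the 96-bit truncation of HMAC-MD5 / HMAC-SHA1 (RFC 2403 / RFC 2404).

ALGORITHMS = {"MD5": (hashlib.md5, 32), "SHA1": (hashlib.sha1, 40)}
ICV_LEN = 12                 # 96-bit truncated ICV
AH_FIXED = 12                # next header, payload len, reserved, SPI, sequence
NEXT_HEADER_OSPF = 89
AH_HEADER = "!BBHII"


def parse_key(algorithm, key_hex):
    """Validate the configured key string and return the raw key bytes."""
    _digest, hex_len = ALGORITHMS[algorithm]
    if len(key_hex) != hex_len:
        raise ValueError(f"{algorithm} key must be {hex_len} hex digits, got {len(key_hex)}")
    return bytes.fromhex(key_hex)


def _icv(algorithm, key_hex, header, payload):
    """HMAC over the AH header (ICV field zeroed) plus the OSPFv3 payload, truncated."""
    digest, _ = ALGORITHMS[algorithm]
    key = parse_key(algorithm, key_hex)
    mac = hmac.new(key, header + bytes(ICV_LEN) + payload, digest).digest()
    return mac[:ICV_LEN]


def build_ah_packet(algorithm, key_hex, spi, seq, ospf_payload):
    """Sender side: AH header + ICV + OSPFv3 payload for the given SPI."""
    if not 256 <= spi <= 4294967295:
        raise ValueError("SPI must be in the range 256..4294967295")
    # AH 'payload length' is the AH length in 32-bit words minus 2.
    payload_len = (AH_FIXED + ICV_LEN) // 4 - 2
    header = struct.pack(AH_HEADER, NEXT_HEADER_OSPF, payload_len, 0, spi, seq)
    return header + _icv(algorithm, key_hex, header, ospf_payload) + ospf_payload


def verify_ah_packet(algorithm, key_hex, packet):
    """Receiver side: recompute the ICV with the local key; False means key mismatch or tampering."""
    header = packet[:AH_FIXED]
    icv = packet[AH_FIXED:AH_FIXED + ICV_LEN]
    payload = packet[AH_FIXED + ICV_LEN:]
    return hmac.compare_digest(icv, _icv(algorithm, key_hex, header, payload))


def ah_spi(packet):
    """Extract the SPI a receiver uses to select its policy (OSPFv3-<area>-<spi> in show output)."""
    return struct.unpack(AH_HEADER, packet[:AH_FIXED])[3]


# Constructed demonstration keys and payload (not from any real device).
KEY_MD5_A = "00112233445566778899aabbccddeeff"
KEY_MD5_B = "ffeeddccbbaa99887766554433221100"
KEY_SHA1 = "0123456789abcdef0123456789abcdef01234567"
HELLO = b"\x03\x01\x00\x10" + b"constructed OSPFv3 hello"

if __name__ == "__main__":
    pkt = build_ah_packet("MD5", KEY_MD5_A, 500, 1, HELLO)
    print("same key on both neighbors :", verify_ah_packet("MD5", KEY_MD5_A, pkt))
    print("different key on neighbor  :", verify_ah_packet("MD5", KEY_MD5_B, pkt))
```

A neighbor adjacency that stays in INIT or never forms after an authentication change is usually this failure: the SPI selects the policy, but the ICV only verifies if the algorithm and key also match exactly on both ends.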
● Display the configuration of IPsec encryption policies on the router.
  show crypto ipsec policy
● Display the security associations set up for OSPFv3 interfaces in encryption policies.
  show crypto ipsec sa ipv6
Configuring IPSec Authentication for an OSPFv3 Area
To configure, remove, or display IPSec authentication for an OSPFv3 area, use the following commands.
○ area area-id: specifies the area for which OSPFv3 traffic is to be encrypted. For area-id, enter a number or an IPv6 prefix.
○ spi number: the security policy index (SPI) value. The range is from 256 to 4294967295.
○ esp encryption-algorithm: specifies the encryption algorithm used with ESP. The valid values are 3DES, DES, AES-CBC, and NULL. For AES-CBC, only the AES-128 and AES-192 ciphers are supported.
○ key: specifies the text string used in the encryption.
Policy name          : OSPFv3-1-500
Policy refcount      : 2
Inbound AH SPI       : 500 (0x1F4)
Outbound AH SPI      : 500 (0x1F4)
Inbound AH Key       : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Outbound AH Key      : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Transform set        : ah-md5-hmac

Crypto IPSec client security policy data
Policy name          : OSPFv3-0-501
Policy refcount      : 1
Inbound ESP SPI      : 501 (0x1F5)
Outbound ESP SPI     : 501 (0x1F5)
Inbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759
Troubleshooting OSPFv3
The system provides several tools to troubleshoot OSPFv3 operation on the switch. This section describes typical OSPFv3 troubleshooting scenarios.
NOTE: The following troubleshooting section is not meant to be a comprehensive list, but only to provide some examples of typical troubleshooting checks.
40 Policy-based Routing (PBR)
Policy-based routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
Topics:
• Overview
• Implementing PBR
• Configuration Task List for Policy-based Routing
• Sample Configuration
Overview
When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table.
● Destination IP address and mask
● Source port
● Destination port
● TCP Flags
After you apply a redirect-list to an interface, all traffic passing through it is subjected to the rules defined in the redirect-list. Traffic is forwarded based on the following:
● Next-hop addresses are verified.
● If the specified next hop is reachable, traffic is forwarded to the specified next-hop.
● If the specified next-hops are not reachable, the normal routing table is used to forward the traffic.
PBR Exceptions (Permit)
To create an exception to a redirect list, use the permit command. Exceptions are used when a forwarding decision should be based on the routing table rather than a routing policy. The Dell EMC Networking OS assigns the first available sequence number to a rule configured without a sequence number and inserts the rule into the PBR CAM region next to the existing entries. Because the order of rules is important, ensure that you configure any necessary sequence numbers.
● source ip-address or any or host ip-address is the Source's IP address
  FORMAT: A.B.C.D/NN, or ANY or HOST IP address
● destination ip-address or any or host ip-address is the Destination's IP address
  FORMAT: A.B.C.D/NN, or ANY or HOST IP address
To delete a rule, use the no redirect command.
multiple seq redirect commands with the same source and destination address and specify a different next-hop IP address. In this way, the recursive routes are used as different forwarding routes for dynamic failover. If the primary path goes down and the recursive route is removed from the routing table, the seq redirect command is ignored and the next command in the list with a different route is used.
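The following added example (not Dell EMC Networking OS code) models the redirect-list evaluation described in the preceding paragraphs: rules are walked in sequence-number order, a matching redirect rule is used only while its next hop is reachable (otherwise it is skipped so a later rule with a different next hop can take over), and a matching permit rule, or no usable rule, sends the packet to the normal routing table. The rule text, the set of reachable next hops and the routing-table stub are constructed; auto-assigned sequence numbers counting up in steps of 5 are an assumption.

```python
import ipaddress

# Added example, not Dell EMC Networking OS code: redirect-list evaluation with
# permit exceptions and next-hop failover. All data below is constructed.

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_address(tokens):
    """Consume one source/destination spec: any | host A.B.C.D | A.B.C.D/NN."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)


def parse_redirect_list(lines):
    """Parse '[seq N] redirect <next-hop> ip <src> <dst>' and '[seq N] permit ip <src> <dst>' lines."""
    rules = []
    for line in lines:
        tokens = line.split()
        seq = None
        if tokens[0] == "seq":
            seq = int(tokens[1])
            tokens = tokens[2:]
        action = tokens.pop(0)
        if action not in ("redirect", "permit"):
            raise ValueError(f"unknown action {action!r}")
        next_hop = tokens.pop(0) if action == "redirect" else None
        proto = tokens.pop(0)
        src = _parse_address(tokens)
        dst = _parse_address(tokens)
        if seq is None:
            # "first available sequence number": highest existing + 5 (assumption)
            seq = max((r["seq"] for r in rules), default=0) + 5
        if any(r["seq"] == seq for r in rules):
            raise ValueError(f"duplicate sequence number {seq}")
        rules.append({"seq": seq, "action": action, "next_hop": next_hop,
                      "proto": proto, "src": src, "dst": dst})
    return sorted(rules, key=lambda r: r["seq"])


def forward(rules, src_ip, dst_ip, reachable_next_hops, rib_lookup):
    """Return (decision, next_hop); decision is 'redirect' or 'routing-table'."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src not in rule["src"] or dst not in rule["dst"]:
            continue
        if rule["action"] == "permit":
            return ("routing-table", rib_lookup(dst_ip))   # exception: normal routing
        if rule["next_hop"] in reachable_next_hops:
            return ("redirect", rule["next_hop"])
        # next hop is down: skip this rule, the next one with a different route may apply
    return ("routing-table", rib_lookup(dst_ip))


def rib_lookup(dst_ip):
    """Stand-in for the normal routing table (constructed)."""
    return "10.0.0.1"


# Constructed list: two redirect rules for the same prefix with different next hops
# (dynamic failover), a permit exception for one host, and a rule for a second prefix.
GOLD = parse_redirect_list([
    "redirect 10.99.99.254 ip 192.168.1.0/24 any",
    "redirect 10.99.99.253 ip 192.168.1.0/24 any",
    "seq 15 permit ip host 192.168.2.10 any",
    "redirect 10.99.99.254 ip 192.168.2.0/24 any",
])
```

Running forward() for a 192.168.1.0/24 source with only 10.99.99.253 reachable returns the second rule's next hop, which is the failover behaviour the text describes; with neither next hop reachable the packet goes to the routing table.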
In addition to supporting multiple redirect-lists in a redirect-group, multiple redirect-groups are supported on a single interface. Dell EMC Networking OS has the capability to support multiple groups on an interface for backup purposes.
Show Redirect List Configuration
To view the redirect list configuration, use the following commands.
1. View the redirect list configuration and the associated interfaces.
   EXEC mode
   show ip redirect-list redirect-list-name
2.
Example: Showing CAM PBR Configuration
DellEMC#show cam pbr stack-unit 1 port-set 0
TCP Flag: Bit 5 - URG, Bit 4 - ACK, Bit 3 - PSH, Bit 2 - RST, Bit 1 - SYN, Bit 0 - FIN
Cam    Port  VlanID  Proto  Tcp   Src   Dst   SrcIp                            DstIp                            Next-hop  Egress
Index                       Flag  Port  Port                                                                    MAC       Port
---------------------------------------------------------------------------------------------------------------
06080  0     N/A     IP     0x0   0     0     200.200.200.200 200.200.200.200  199.199.199.199 199.199.199.199  N/A       NA
06081  0     N/A     TCP    0x10  0     40    234.234.234.
Create the Redirect-List GOLD
EDGE_ROUTER(conf-if-Te-2/23)#ip redirect-list GOLD
EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD.
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.1.0/24 any
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any
EDGE_ROUTER(conf-redirect-list)# seq 15 permit ip any any
EDGE_ROUTER(conf-redirect-list)#show config
!
ip redirect-list GOLD
 description Route GOLD traffic to ISP_GOLD.
 seq 5 redirect 10.99.99.254 ip 192.
144.144.144.144
DellEMC(conf-redirect-list)#end
Verify the Status of the Track Objects (Up/Down):
DellEMC#show track brief
ResId  Resource                 Parameter
1      Interface ip routing     Tunnel 1
2      Interface ipv6 routing   Tunnel 2
3      IP Host reachability     42.1.1.2/32
4      IP Host reachability     43.1.1.
Create Track Objects to track the Tunnel Interfaces:
DellEMC#configure terminal
DellEMC(conf)#track 1 interface tunnel 1 ip routing
DellEMC(conf-track-1)#exit
DellEMC(conf)#track 2 interface tunnel 2 ipv6 routing
DellEMC(conf-track-2)#end
Verify the Status of the Track Objects (Up/Down):
DellEMC#show track brief
ResId  Resource                 Parameter   State  LastChange
1      Interface ip routing     Tunnel 1    Up     00:00:00
2      Interface ipv6 routing   Tunnel 2    Up     00:00:00
DellEMC#
Create a Redirect-list with Track Objects pertaining
41 PIM Sparse-Mode (PIM-SM) PIM-sparse mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop.
the interface on which the message was received is added to the outgoing interface list associated with the (*,G) entry, and the message is not (and does not need to be) forwarded towards the RP. Refuse Multicast Traffic A host requesting to leave a multicast group sends an IGMP Leave message to the last-hop DR. If the host is the only remaining receiver for that group on the subnet, the last-hop DR is responsible for sending a PIM Prune message up the RPT to prune its branch to the RP. 1.
ip pim sparse-mode
To display which interfaces are enabled with PIM-SM, use the show ip pim interface command from EXEC Privilege mode.
Dell#show ip pim interface
Address       Interface  VIFindex  Ver/Mode  Nbr Count  Query Intvl  DR Prio  DR
189.87.5.6    Te 4/11    0x2       v2/S      1          30           1        127.87.5.6
189.87.3.2    Te 4/12    0x3       v2/S      1          30           1        127.87.3.5
189.87.31.6   Te 7/11    0x0       v2/S      0          30           1        127.87.31.6
189.87.50.6   Te 7/13    0x4       v2/S      1          30           1        127.87.50.
Dell#
CONFIGURATION mode
ip access-list extended access-list-name
3. Specify the source and group to which the timer is applied using extended ACLs with permit rules only.
   CONFIG-EXT-NACL mode
   [seq sequence-number] permit ip {source-address/mask | any | host source-address} {destination-address/mask | any | host destination-address}
4. Set the expiry time for a specific (S,G) entry (as shown in the following example).
ip pim rp-address
To display the assigned RP for a group, use the show ip pim rp command from EXEC privilege mode.
Dell#show ip pim rp
Group        RP
225.0.1.40   165.87.50.5
226.1.1.1    165.87.50.5
To display the assigned RP for a group range (group-to-RP mapping), use the show ip pim rp mapping command in EXEC privilege mode.
Dell#show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static
RP: 165.87.50.
42 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Related Configuration Tasks
● Use PIM-SSM with IGMP Version 2 Hosts
Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1. Create an ACL that uses permit rules to specify what range of addresses should use SSM.
   CONFIGURATION mode
   ip access-list standard name
2. Enter the ip pim ssm-range command and specify the ACL you created.
   CONFIGURATION mode
   ip pim ssm-range acl-name
To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.
Configuring PIM-SSM with IGMPv2
R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4
ip pim ssm-range ssm
R1(conf)#do show run acl
!
ip access-list standard map
 seq 5 permit host 239.0.0.2
!
ip access-list standard ssm
 seq 5 permit host 239.0.0.2
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address   Interface   Mode   Uptime   Expires
239.0.0.
Group Address   Interface   Mode            Uptime
239.0.0.2       Vlan 300    IGMPv2-Compat   00:00:36
Member Ports: Te 1/1
R1(conf)#do show ip igmp ssm-map 239.0.0.2
SSM Map Information
Group     : 239.0.0.2
Source(s) : 10.11.5.2
R1(conf)#do show ip igmp groups detail
Interface            Vlan 300
Group                239.0.0.2
Uptime               00:00:01
Expires              Never
Router mode          IGMPv2-Compat
Last reporter        10.11.3.
Last reporter mode
Last report
Group source
  Source address     10.11.5.2
  Uptime             00:00:01
  Expires            Never
  Last Reporter      10.11.3.2
Enabling RP to Server Specific Multicast Groups When you configure an RP candidate, its advertisement is sent to the entire multicast address range and the group-to-RP mapping is advertised for the entire range of multicast address. Starting with Dell EMC Networking OS 9.11.0.0, you can configure an RP candidate for a specified range of multicast group address. The Configured multicast group ranges are used by the BSR protocol to advertise the candidate RPs in the bootstrap messages.
43 Port Monitoring
Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. Mirroring can be applied to ingress traffic, egress traffic, or both on a specific port or ports; the mirrored traffic is sent to a port where a network sniffer can connect and monitor the traffic.
You can configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session. The platform supports multiple source-destination statements in a single monitor session. The maximum number of destination ports that can be supported depends on the port mirroring directions as follows:
● 4 per port pipe, if the four destination ports mirror in one direction, either rx or tx.
SessID  Source   Destination  Dir  Mode       Source IP  Dest IP  DSCP  TTL  Drop  Rate  Gre-Protocol  FcMonitor
------  -------  -----------  ---  ---------  ---------  -------  ----  ---  ----  ----  ------------  ---------
0       Te 1/13  Te 1/1       rx   interface  0.0.0.0    0.0.0.0  0     0    No    N/A   N/A           yes
10      Te 1/14  Te 1/1       rx   interface  0.0.0.0    0.0.0.0  0     0    No    N/A   N/A           yes
20      Te 1/15  Te 1/1       rx   interface  0.0.0.0    0.0.0.0  0     0    No    N/A   N/A           yes
30      Te 1/16  Te 1/1       rx   interface  0.0.0.0    0.0.0.0  0     0    No    N/A   N/A           yes
300     Te 1/17  Te 1/1       rx   interface  0.0.0.0    0.0.0.         0    No    N/A   N/A           yes
DellEMC#
Configuring Port Monitoring
To configure port monitoring, use the following commands.
1. Verify that the intended monitoring port has no configuration other than no shutdown, as shown in the following example.
   EXEC Privilege mode
   show interface
2. Create a monitoring session using the command monitor session from CONFIGURATION mode, as shown in the following example.
   CONFIGURATION mode
   monitor session
   monitor session type rpm/erpm (type is an optional keyword, required only for rpm and erpm)
3.
NOTE: Using a VLAN as the source is achieved with flow-based mirroring. Refer to the section Enabling Flow-Based Monitoring.
In the following example, the host and server are exchanging traffic which passes through the uplink interface 1/1. Port 1/1 is the monitored port and port 1/42 is the destination port, which is configured to only monitor traffic received on tengigabitethernet 1/1 (host-originated traffic).
Figure 104.
cam-acl l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number vman-qos number ipv4mirracl number
6. Apply the ACL to the monitored port.
   MONITOR SESSION mode
   ip access-group access-list-name
To view an access-list that you applied to an interface, use the show ip accounting access-list command from EXEC Privilege mode.
The reserved VLANs transport the mirrored traffic in sessions (blue pipes) to the destination analyzers in the local network. Two destination sessions are shown: one for the reserved VLAN that transports orange-circle traffic; one for the reserved VLAN that transports green-circle traffic. Figure 105.
● To associate with a source session, the reserved VLAN can have a maximum of only 4 member ports.
● To associate with a destination session, the reserved VLAN can have multiple member ports.
● A reserved VLAN cannot have untagged ports.
In the reserved L2 VLAN used for remote port mirroring:
● MAC address learning in the reserved VLAN is automatically disabled.
● The reserved VLAN for remote port mirroring can be automatically configured in intermediate switches by using GVRP.
source fortyGigE 1/52 destination remote-vlan 300 direction rx
source Port-channel 10 destination remote-vlan 300 direction rx
no disable
To display the currently configured source and destination sessions for remote port mirroring on a switch, enter the show monitor session command in EXEC Privilege mode.
DellEMC(conf-if-vl-10)#exit
DellEMC(conf)#monitor session 1 type rpm
DellEMC(conf-mon-sess-1)#source te 1/5 destination remote-vlan 10 dir rx
DellEMC(conf-mon-sess-1)#no disable
DellEMC(conf-mon-sess-1)#exit
DellEMC(conf)#inte vlan 100
DellEMC(conf-if-vl-100)#tagged te 1/7
DellEMC(conf-if-vl-100)#exit
DellEMC(conf)#interface vlan 20
DellEMC(conf-if-vl-20)#mode remote-port-mirroring
DellEMC(conf-if-vl-20)#tagged te 1/6
DellEMC(conf-if-vl-20)#exit
DellEMC(conf)#monitor session 2 type rpm
DellEMC(conf-mon-sess
DellEMC(conf)#interface te 1/3
DellEMC(conf-if-te-1/3)#switchport
DellEMC(conf-if-te-1/3)#no shutdown
DellEMC(conf-if-te-1/3)#exit
DellEMC(conf)#inte vlan 10
DellEMC(conf-if-vl-10)#mode remote-port-mirroring
DellEMC(conf-if-vl-10)#tagged te 1/1
DellEMC(conf-if-vl-10)#exit
DellEMC(conf)#inte vlan 20
DellEMC(conf-if-vl-20)#mode remote-port-mirroring
DellEMC(conf-if-vl-20)#tagged te 1/2
DellEMC(conf-if-vl-20)#exit
DellEMC(conf)#interface vlan 30
DellEMC(conf-if-vl-30)#mode remote-port-mirroring
DellEMC(conf-if
4. Create the source RPM session as follows (port-channel 1 and port-channel 2 are LACP).
DellEMC(conf)#monitor session 1 type rpm
DellEMC(conf-mon-sess-1)#source port-channel 1 destination remote-vlan 10 dir rx
DellEMC(conf-mon-sess-1)#no disable
5. Show the output for the LACP.
Table 65. Configuration steps for ERPM (continued)
3. source {interface | range} direction {rx | tx | both}
   Specify the source port or range of ports. Specify the ingress (rx), egress (tx), or both ingress and egress traffic to be monitored. You can enter multiple source statements in an ERPM monitoring session.
4. erpm source-ip dest-ip gre-protocol
   Specify the source IP address, destination IP address, and GRE-protocol type value to which encapsulated mirrored traffic is sent.
ERPM Behavior on a typical Dell EMC Networking OS
Dell EMC Networking OS is designed to support only encapsulation of the data received or transmitted at the specified source port (Port A). An ERPM destination session, that is, decapsulation of the ERPM packets at the destination switch, is not supported.
Figure 106.
○ Either use the IP address of a Linux server's Ethernet port as the ERPM destination IP, or connect the ingress interface of the server to the ERPM MirrorToPort. The analyzer should listen on the forward/egress interface. If there is only one interface, you can use the same interface as both the ingress and forward interface and listen in the tx direction of that interface.
○ Download or write a small script (for example, erpm.py) that strips the given ERPM packet starting from the bit where the GRE header ends.
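The following added example (not Dell EMC Networking OS code, and not the erpm.py script mentioned above) shows the decapsulation step that the analyzer host has to do itself, since the switch only encapsulates: it walks the outer IPv4 header, then the GRE header (whose length depends on the C/K/S flag bits), and returns the mirrored Ethernet frame that follows. The packet it parses is constructed in the file; the GRE protocol value 0x88BE is an assumed session setting, not one the page prescribes.

```python
import ipaddress
import struct

# Added example (not Dell EMC Networking OS code): strip outer IPv4 + GRE from an
# ERPM packet. All packet data is constructed here; 0x88BE is an assumed
# gre-protocol value for the session.

IPPROTO_GRE = 47
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000
ASSUMED_GRE_PROTOCOL = 0x88BE


def gre_header_length(flags):
    """Base 4-byte GRE header plus 4 bytes for each of checksum, key and sequence."""
    length = 4
    if flags & GRE_FLAG_CHECKSUM:
        length += 4   # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        length += 4
    if flags & GRE_FLAG_SEQ:
        length += 4
    return length


def strip_erpm(packet, expected_protocol=None):
    """Return (gre_protocol, inner_frame) for an outer-IPv4 + GRE ERPM packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_GRE:
        raise ValueError(f"outer protocol {packet[9]} is not GRE")
    gre = packet[ihl:total_length]           # drop any Ethernet padding after the IP datagram
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", gre[:4])
    if expected_protocol is not None and protocol != expected_protocol:
        raise ValueError(f"GRE protocol 0x{protocol:04x} does not match the session")
    return protocol, gre[gre_header_length(flags):]


def build_erpm_packet(inner_frame, src_ip, dst_ip, protocol=ASSUMED_GRE_PROTOCOL, seq=None):
    """Constructed encoder, used only to produce input for strip_erpm."""
    flags = GRE_FLAG_SEQ if seq is not None else 0
    gre = struct.pack("!HH", flags, protocol)
    if seq is not None:
        gre += struct.pack("!I", seq)
    total = 20 + len(gre) + len(inner_frame)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_GRE, 0,
                        ipaddress.ip_address(src_ip).packed,
                        ipaddress.ip_address(dst_ip).packed)
    return outer + gre + inner_frame


# Constructed mirrored frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + b"\x08\x00" + b"mirrored payload")
```

Because the switch sends the GRE protocol value you configured in the session, passing it as expected_protocol lets the analyzer discard stray GRE traffic that is not part of the mirror session before handing the inner frame to a decoder.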
VLT device to take over. At the time of failover, the mirrored packets are dropped for some time. This time period is equivalent to the gracious VLT failover recovery time. RPM over VLT Scenarios This section describes the restrictions that apply when you configure RPM in a VLT set up. Consider a simple VLT setup where two VLT peers are connected using VLTi and a top-of-rack switch is connected to both the VLT peers using VLT LAGs in a ring topology.
Table 66. RPM over VLT Scenarios (continued)
Scenario: peer through the ICL LAG. The packet analyzer is connected to the secondary VLT peer.
RPM Restriction: LAG destination remote vlan direction rx/tx/both. The following example shows the configuration on the secondary VLT device: source remote vlan destination orphan port.
44 Private VLANs (PVLAN) Private VLANs (PVLANs) extend the Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN). For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell Networking OS Command Line Reference Guide. A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair.
● Host port — in the context of a private VLAN, is a port in a secondary VLAN:
  ○ The port must first be assigned that role in INTERFACE mode.
  ○ A port assigned the host role cannot be added to a regular VLAN.
● Isolated port — a port that, in Layer 2, can only communicate with promiscuous ports that are in the same PVLAN.
● Promiscuous port — a port that is allowed to communicate with any other port type in the PVLAN:
  ○ A promiscuous port can be part of more than one primary VLAN.
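The following added example (not Dell Networking OS code) is a reference model of the Layer 2 reachability rules listed above, so that a planned PVLAN layout can be checked for unintended host-to-host paths before it is configured. Port names and VLAN IDs are constructed; the community-port rule (community ports reach each other and promiscuous ports) follows the standard PVLAN definition, since this page's list covers only host, isolated and promiscuous ports.

```python
# Added example, not Dell Networking OS code: which port pairs in a PVLAN can
# exchange Layer 2 traffic. All names and VLAN IDs below are constructed.

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


class PrivateVlan:
    def __init__(self, primary):
        self.primary = primary
        self.secondaries = {}   # secondary VLAN ID -> ISOLATED or COMMUNITY
        self.ports = {}         # port name -> (role, VLAN ID)

    def map_secondary(self, vlan_id, kind):
        if kind not in (ISOLATED, COMMUNITY):
            raise ValueError("secondary VLAN must be isolated or community")
        if vlan_id == self.primary:
            raise ValueError("a VLAN cannot be both primary and secondary")
        self.secondaries[vlan_id] = kind

    def add_promiscuous(self, port):
        self.ports[port] = (PROMISCUOUS, self.primary)

    def add_host(self, port, secondary_vlan):
        """Host ports live in a secondary VLAN and take that VLAN's kind as their role."""
        if secondary_vlan not in self.secondaries:
            raise ValueError(f"VLAN {secondary_vlan} is not a mapped secondary VLAN")
        self.ports[port] = (self.secondaries[secondary_vlan], secondary_vlan)

    def can_communicate(self, a, b):
        role_a, vlan_a = self.ports[a]
        role_b, vlan_b = self.ports[b]
        if PROMISCUOUS in (role_a, role_b):
            return True                      # promiscuous ports talk to every port type
        if role_a == COMMUNITY and role_b == COMMUNITY:
            return vlan_a == vlan_b          # same community VLAN only
        return False                         # isolated ports reach promiscuous ports only

    def reachable_pairs(self):
        """All unordered port pairs that can exchange traffic; useful as an audit list."""
        names = sorted(self.ports)
        return {(a, b) for i, a in enumerate(names)
                for b in names[i + 1:] if self.can_communicate(a, b)}


def build_sample():
    """Constructed layout loosely following the page's example: primary 4000, isolated 4003."""
    pv = PrivateVlan(primary=4000)
    pv.map_secondary(4003, ISOLATED)
    pv.map_secondary(4001, COMMUNITY)   # assumed community VLAN, not in the page's example
    pv.add_promiscuous("Te 0/0")
    pv.add_host("Te 0/24", 4003)
    pv.add_host("Te 0/47", 4003)
    pv.add_host("Te 0/30", 4001)
    pv.add_host("Te 0/31", 4001)
    return pv
```

reachable_pairs() gives the complete list of Layer 2 paths the design allows; any pair of host ports that should be isolated but appears in it is a configuration error to catch before deployment.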
Configuration Task List
The following sections contain the procedures that configure a private VLAN.
● Creating PVLAN Ports
● Creating a Primary VLAN
● Creating a Community VLAN
● Creating an Isolated VLAN
Creating PVLAN Ports
PVLAN ports are ports that will be assigned to the PVLAN.
1. Access INTERFACE mode for the port that you want to assign to a PVLAN.
   CONFIGURATION mode
   interface interface
2. Enable the port.
   INTERFACE mode
   no shutdown
3. Set the port in Layer 2 mode.
   INTERFACE mode
   switchport
4.
CONFIGURATION mode
interface vlan vlan-id
2. Enable the VLAN.
   INTERFACE VLAN mode
   no shutdown
3. Set the PVLAN mode of the selected VLAN to primary.
   INTERFACE VLAN mode
   private-vlan mode primary
4. Map secondary VLANs to the selected primary VLAN.
   INTERFACE VLAN mode
   private-vlan mapping secondary-vlan vlan-list
   The list of secondary VLANs can be:
   ● Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
   ● Specified with this command even before they have been created.
You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add host (isolated) ports to the VLAN.
Creating an Isolated VLAN
An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN.
1. Access INTERFACE VLAN mode for the VLAN that you want to make an isolated VLAN.
   CONFIGURATION mode
   interface vlan vlan-id
2. Enable the VLAN.
Private VLAN Configuration Example
The following example shows a private VLAN topology.
Figure 107. Sample Private VLAN Topology
The following configuration is based on the example diagram for the S5000–1:
● TenGig 0/0 and TenGig 23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000.
● TenGig 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
● TenGig 0/24 and TenGig 0/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
● Display the specific interface configuration.
  INTERFACE mode and INTERFACE VLAN mode
  show config
● Inspect the running-config, and, with the grep pipe option, display a specific part of the running-config.
  show running-config | grep string
The following example shows the PVLAN parts of the running-config from the S5000–2 switch in the topology diagram previously shown.
● Display the type and status of the configured PVLAN interfaces.
*   1       Inactive
    100 P   Inactive   primary VLAN in PVLAN       T  Te 0/19-20
    200 I   Inactive   isolated VLAN in VLAN 200   T  Te 0/21
    201     Inactive
The following example shows the running-config command output of the PVLAN configuration from S5000–2.
45 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of Spanning Tree — developed by a third party — that allows you to configure a separate Spanning Tree instance for each VLAN. For more information about Spanning Tree, refer to Spanning Tree Protocol (STP).
Protocol Overview
Figure 108. Per-VLAN Spanning Tree
The Dell Networking OS supports three other variations of spanning tree, as shown in the following table.
Table 67. Spanning Tree Variations Dell Networking OS Supports
Dell Networking Term                      IEEE Specification
Spanning Tree Protocol (STP)              802.1d
Rapid Spanning Tree Protocol (RSTP)       802.1w
Multiple Spanning Tree Protocol (MSTP)    802.
Configure Per-VLAN Spanning Tree Plus
Configuring PVST+ is a four-step process.
1. Configure interfaces for Layer 2.
2. Place the interfaces in VLANs.
3. Enable PVST+.
4. Optionally, for load balancing, select a nondefault bridge-priority for a VLAN.
Influencing PVST+ Root Selection As shown in the previous per-VLAN spanning tree illustration, all VLANs use the same forwarding topology because R2 is elected the root, and all Ten-GigabitEthernet ports have the same cost. The following per-VLAN spanning tree illustration changes the bridge priority of each bridge so that a different forwarding topology is generated for each VLAN. This behavior demonstrates how you can use PVST+ to achieve load balancing. Figure 109.
We are the root of VLAN 100
Current root has priority 4096, Address 0001.e80d.b6d6
Number of topology changes 5, last change occurred 00:34:37 ago on Gi 1/32
Port 375 (TenGigabitEthernet 1/22) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.375
Designated root has priority 4096, address 0001.e80d.b6:d6
Designated bridge has priority 4096, address 0001.e80d.b6:d6
Designated port id is 128.
Modifying Interface PVST+ Parameters You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port. ● Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port. ● Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
To enable EdgePort on an interface, use the following command.
● Enable EdgePort on an interface.
  INTERFACE mode
  spanning-tree pvst edge-port [bpduguard | shutdown-on-violation]
The EdgePort status of each interface is given in the output of the show spanning-tree pvst command, as previously shown.
Dell Networking OS Behavior: Regarding the bpduguard shutdown-on-violation command behavior:
● If the interface to be shut down is a port channel, all the member ports are disabled in the hardware.
PROTOCOL PVST mode
extend system-id
Dell(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
Executing IEEE compatible Spanning Tree Protocol
Root ID    Priority 32773, Address 0001.e832.73f7
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID  Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 2/12,32
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 2/12,32
 no shutdown
Example of PVST+ Configuration (R3)
protocol spanning-tree pvst
 no disable
 vlan 300 bridge-priority 4096
interface TenGigabitEthernet 3/12
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 3/22
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 3/12,22
 no shutdown
!
interface Vlan 200
n
46 Quality of Service (QoS)
This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues.
Table 69.
Table 69. Dell EMC Networking Operating System (OS) Support for Port-Based, Policy-Based Features (continued)
Feature                                 Direction
Create Output Policy Maps               Egress
Specify an Aggregate QoS Policy         Egress
Create Output Policy Maps               Egress
Enabling QoS Rate Adjustment
Enabling Strict-Priority Queueing
Weighted Random Early Detection         Egress
Create WRED Profiles                    Egress
Figure 111.
• Guidelines for Configuring ECN for Classifying and Color-Marking Packets
• Applying Layer 2 Match Criteria on a Layer 3 Interface
• Applying DSCP and VLAN Match Criteria on a Service Queue
• Classifying Incoming Packets Using ECN and Color-Marking
• Guidelines for Configuring ECN for Classifying and Color-Marking Packets
• Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class
• Sample configuration to mark non-ecn packets as “yellow” with single traffic class
• Enabling Buf
NOTE: You cannot configure service-policy input and service-class dynamic dot1p on the same interface.
● Honor dot1p priorities on ingress traffic.
  INTERFACE mode
  service-class dynamic dot1p
DellEMC#configure terminal
DellEMC(conf)#interface tengigabitethernet 1/1
DellEMC(conf-if-te-1/1)#service-class dynamic dot1p
DellEMC(conf-if-te-1/1)#end
Priority-Tagged Frames on the Default VLAN
Priority-tagged frames are 802.1Q tagged frames with VLAN ID 0.
Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted. If any stream exceeds the configured bandwidth on a continuous basis, it can consume all of the buffer space that is allocated to the port.
● Apply rate shaping to outgoing traffic on a port.
  INTERFACE mode
  rate shape
● Apply rate shaping to a queue.
Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell EMC Networking OS matches packets against match criteria in the order that you configure them. Creating a Layer 3 Class Map A Layer 3 class map differentiates ingress packets based on the DSCP value or IP precedence, and characteristics defined in an IP ACL.
The following example matches the IPv4 and IPv6 traffic with a precedence value of 3:
DellEMC(conf)# class-map match-any test1
DellEMC(conf-class-map)#match ip-any precedence 3
Creating a Layer 2 Class Map
All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command. A Layer 2 class map differentiates traffic according to 802.1p value and/or VLAN and/or characteristics defined in a MAC ACL.
EXEC Privilege mode show qos class-map The following example shows incorrect traffic classifications.
Create a QoS Policy There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. ● Layer 3 — QoS input policies allow you to rate police and set a DSCP or dot1p value. In addition, you can configure a drop precedence for incoming packets based on their DSCP value by using a DSCP color map. For more information, see DSCP Color Maps.
Scheduler Strict — Policy-based strict-priority queueing is configured through scheduler strict, which is applied to a QoS output policy (qos-policy-output). When scheduler strict is applied to multiple queues, the higher queue number takes precedence.
Allocating Bandwidth to Queue
Specifying WRED Drop Precedence
Configuring Policy-Based Rate Shaping
To configure policy-based rate shaping, use the following command.
● Configure rate shaping for egress traffic.
Create Policy Maps
There are two types of policy maps: input and output.
Creating Input Policy Maps
There are two types of input policy-maps: Layer 3 and Layer 2.
1. Create a Layer 3 input policy map.
   CONFIGURATION mode
   policy-map-input
   Create a Layer 2 input policy map by specifying the keyword layer2 with the policy-map-input command.
2.
Table 71. Default DSCP to Queue Mapping (continued)
DSCP/CP hex range (XXX)xxx   DSCP Definition    Traditional IP Precedence   Internal Queue ID   DSCP/CP decimal
010XXX                       AF2                Immediate                   1                   16–31
001XXX                       AF1                Priority                    0                   0–15
000XXX                       BE (Best Effort)   Best Effort                 0                   0–15
● Enable the trust DSCP feature.
  POLICY-MAP-IN mode
  trust diffserv
Honoring dot1p Values on Ingress Packets
Dell EMC Networking OS honors dot1p values on ingress packets with the Trust dot1p feature.
Guaranteeing Bandwidth to dot1p-Based Service Queues
To guarantee bandwidth to dot1p-based service queues, use the following command. Apply this command in the same way as the bandwidth-percentage command in an output QoS policy (refer to Allocating Bandwidth to Queue). The bandwidth-percentage command in QOS-POLICY-OUT mode supersedes the service-class bandwidth-percentage command.
● Guarantee a minimum bandwidth to queues globally.
Applying an Output Policy Map to an Interface
To apply an output policy map to an interface, use the following command.
● Apply an output policy map to an interface.
  INTERFACE mode
  service-policy output
You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it.
DSCP Color Maps
This section describes how to configure color maps and how to display the color map and color map configuration.
Create the DSCP color map profile, bat-enclave-map, with a yellow drop precedence, and set the DSCP values to 9,10,11,13,15,16.
DellEMC(conf)# qos dscp-color-map bat-enclave-map
DellEMC(conf-dscp-color-map)# dscp yellow 9,10,11,13,15,16
DellEMC(conf-dscp-color-map)# exit
Assign the color map, bat-enclave-map, to the interface.
Enabling QoS Rate Adjustment By default while rate limiting, policing, and shaping, Dell EMC Networking OS does not include the Preamble, SFD, or the IFG fields. These fields are overhead; only the fields from MAC destination address to the CRC are used for forwarding and are included in these rate metering calculations.
Figure 113. Packet Drop Rate for WRED
You can create a custom WRED profile or use one of the five pre-defined profiles.
Creating WRED Profiles
To create WRED profiles, use the following commands.
1. Create a WRED profile.
   CONFIGURATION mode
   wred-profile
2. Specify the minimum and maximum threshold values.
   WRED mode
   threshold
Applying a WRED Profile to Traffic
After you create a WRED profile, you must specify to which traffic Dell EMC Networking OS should apply the profile.
show qos wred-profile
Displaying WRED Drop Statistics
To display WRED drop statistics, use the following command.
● Display the number of packets the WRED profile drops.
Pre-Calculating Available QoS CAM Space Before Dell EMC Networking OS version 7.3.1, there was no way to measure the number of CAM entries a policy-map would consume (the number of CAM entries that a rule uses is not predictable; from 1 to 16 entries might be used per rule depending upon its complexity). Therefore, it was possible to apply to an interface a policy-map that requires more entries than are available.
exceeded. If you configure ECN for WRED, devices employ ECN to mark the packets and reduce the rate of sending packets in a congested network. In a best-effort network topology, data packets are transmitted in a manner in which latency or throughput is not maintained to be at an effective level. Packets are dropped when the network experiences a large traffic load.
Table 73. Scenarios of WRED and ECN Configuration (continued) Queue Configuration Service-Pool Configuration WRED Threshold Relationship Expected Functionality Q threshold = Q-T, Service pool threshold = SP-T 1 0 0 X X 1 X Q-T < SP-T SP-T < Q-T Queue based WRED, No ECN marking SP based WRED, No ECN marking 1 1 0 X X Queue-based ECN marking above queue threshold. 1 X Q-T < SP-T ECN marking to shared buffer limits of the service-pool and then packets are tail dropped.
Guidelines for Configuring ECN for Classifying and Color-Marking Packets Keep the following points in mind while configuring the marking and mapping of incoming packets using ECN fields in IPv4 headers: ● Currently Dell EMC Networking OS supports matching only the following TCP flags: ○ ACK ○ FIN ○ SYN ○ PSH ○ RST ○ URG In the existing software, ECE/CWR TCP flag qualifiers are not supported.
Classifying Incoming Packets Using ECN and Color-Marking Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded. If you configure ECN for WRED, devices employ this functionality of ECN to mark the packets and reduce the rate of sending packets in a congested, heavily-loaded network.
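The WRED and ECN behaviour described above (drop probability rising between the minimum and maximum thresholds, ECN-capable packets marked instead of dropped), as an added illustration that is not Dell EMC Networking OS code. The linear ramp between the two thresholds and the "mark instead of drop" rule are assumptions that follow the text; the queue-depth trace is constructed.

```python
"""WRED drop / ECN mark decision for a single packet.

Added illustration; it is not Dell EMC Networking OS code. The linear ramp
between the two thresholds and the "mark instead of drop" rule for
ECN-capable packets are assumptions that follow the text above.
"""
import random

# IPv4/IPv6 ECN field codepoints (RFC 3168)
NOT_ECT, ECT1, ECT0, CE = 0, 1, 2, 3


def wred_drop_probability(queue_depth, min_threshold, max_threshold, max_prob=1.0):
    """Linear WRED ramp: 0 below min, max_prob at max, 1 above max."""
    if max_threshold <= min_threshold:
        raise ValueError("max threshold must exceed min threshold")
    if queue_depth < min_threshold:
        return 0.0
    if queue_depth >= max_threshold:
        return 1.0
    return max_prob * (queue_depth - min_threshold) / (max_threshold - min_threshold)


def wred_decision(queue_depth, ecn_field, min_threshold, max_threshold,
                  ecn_enabled=True, rnd=None):
    """Return (action, ecn_field_out).

    action is 'forward', 'mark' (ECN CE set instead of dropping) or 'drop'.
    rnd lets a caller supply the random draw for deterministic tests.
    """
    p = wred_drop_probability(queue_depth, min_threshold, max_threshold)
    if p == 0.0:
        return "forward", ecn_field
    if rnd is None:
        rnd = random.random()
    if rnd >= p:
        return "forward", ecn_field
    # WRED selected this packet. ECN-capable packets (ECT0/ECT1, or already CE)
    # are marked rather than dropped when ECN is enabled on the profile.
    if ecn_enabled and ecn_field in (ECT0, ECT1, CE):
        return "mark", CE
    return "drop", ecn_field


def simulate(depths, ecn_field, min_threshold, max_threshold, ecn_enabled=True, seed=1):
    """Run a constructed sequence of queue depths and count the actions."""
    rng = random.Random(seed)
    counts = {"forward": 0, "mark": 0, "drop": 0}
    for depth in depths:
        action, _ = wred_decision(depth, ecn_field, min_threshold, max_threshold,
                                  ecn_enabled, rnd=rng.random())
        counts[action] += 1
    return counts


if __name__ == "__main__":
    # Constructed queue-depth trace climbing through the WRED thresholds (min 10, max 40 cells).
    trace = list(range(0, 60, 2))
    print("non-ECN flow :", simulate(trace, NOT_ECT, 10, 40))
    print("ECN flow     :", simulate(trace, ECT0, 10, 40))
```

Running the same trace for a non-ECN flow and an ECN-capable flow shows the practical difference: the non-ECN flow loses packets once the queue passes the minimum threshold, while the ECN flow keeps every packet and only carries CE marks back to the sender.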
You can now use the ‘ecn’ match qualifier along with the above TCP flag for classification.
policy-map-input pmap_dscp_40_50 service-queue 2 class-map class_dscp_40 service-queue 3 class-map class_dscp_50 Approach with explicit ECN match qualifiers for ECN packets: ! ip access-list standard dscp_50_ecn seq 5 permit any dscp 50 ecn 1 seq 10 permit any dscp 50 ecn 2 seq 15 permit any dscp 50 ecn 3 ! ip access-list standard dscp_40_ecn seq 5 permit any dscp 40 ecn 1 seq 10 permit any dscp 40 ecn 2 seq 15 permit any dscp 40 ecn 3 ! ip access-list standard dscp_50_non_ecn seq 5 permit any dscp 50 ecn 0
Applying DSCP and VLAN Match Criteria on a Service Queue You can configure Layer 3 class maps which contain both a Layer 3 Differentiated Services Code Point (DSCP) and IP VLAN IDs as match criteria to filter incoming packets on a service queue on the switch. To configure a Layer 3 class map to classify traffic according to both an IP VLAN ID and DSCP value, use the match ip vlan vlan-id command in class-map input configuration mode.
In such a condition, the switch must be able to take differentiated actions for ECN and non-ECN packets. After classifying packets as ECN or non-ECN, the ECN and non-ECN packets are marked with different colors. Policy-based ingress QoS involves the following three steps: 1. Classify incoming traffic. 2. Specify the differentiated actions for each traffic class. 3. Attach the policy-map to the interface.
The following combinations of marking actions can be specified on a match sequence of the class-map command: ● set a new DSCP for the packet ● set the packet color to ‘yellow’ ● set the packet color to ‘yellow’ and set a new DSCP for the packet. The marking action that sets the color of the packet is allowed only with the ‘match-any’ logical operator of the class-map.
Sample configuration to mark non-ECN packets as “yellow” with multiple traffic classes Consider the example where there are no distinct traffic classes; that is, all packets egress on the default ‘queue0’. Dell EMC Networking OS can be configured as below to mark the non-ECN packets yellow.
! ip access-list standard dscp_40_ecn seq 5 permit any dscp 40 ecn 1 seq 10 permit any dscp 40 ecn 2 seq 15 permit any dscp 40 ecn 3 ! ip access-list standard dscp_50_non_ecn seq 5 permit any dscp 50 ecn 0 ! ip access-list standard dscp_40_non_ecn seq 5 permit any dscp 40 ecn 0 ! class-map match-any class_dscp_40 match ip access-group dscp_40_non_ecn set-color yellow match ip access-group dscp_40_ecn ! class-map match-any class_dscp_50 match ip access-group dscp_50_non_ecn set-color yellow match ip access-g
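The classification the ACLs and class-maps above express (DSCP plus ECN codepoint, non-ECN packets colored yellow, each class steered to a service queue), as an added example that is not Dell EMC Networking OS code. The ACL names, class-map names and queue numbers mirror the configuration on the page; the default color "green" for packets that match no class is an assumption.

```python
"""Classify IPv4 packets by DSCP and ECN and assign a drop-precedence color.

Added example, not Dell EMC Networking OS code. The ACL names, class-map names
and queue numbers mirror the configuration shown above; the default color
"green" for packets that match no class is an assumption.
"""


def split_tos(tos):
    """Split the IPv4 TOS / Traffic Class byte into (dscp, ecn)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS byte out of range")
    return tos >> 2, tos & 0x3


# "ip access-list standard <name>" bodies from the page: (dscp, permitted ecn values)
ACLS = {
    "dscp_40_ecn":     (40, {1, 2, 3}),
    "dscp_40_non_ecn": (40, {0}),
    "dscp_50_ecn":     (50, {1, 2, 3}),
    "dscp_50_non_ecn": (50, {0}),
}

# "class-map match-any <name>": ordered (access-group, set-color) pairs.
# None means the match line carries no set-color action.
CLASS_MAPS = {
    "class_dscp_40": [("dscp_40_non_ecn", "yellow"), ("dscp_40_ecn", None)],
    "class_dscp_50": [("dscp_50_non_ecn", "yellow"), ("dscp_50_ecn", None)],
}

# "policy-map-input pmap_dscp_40_50": service-queue per class-map
QUEUE_FOR_CLASS = {"class_dscp_40": 2, "class_dscp_50": 3}
DEFAULT_QUEUE = 0
DEFAULT_COLOR = "green"  # assumption: unmatched / unmarked packets stay green


def acl_matches(acl_name, dscp, ecn):
    want_dscp, want_ecn = ACLS[acl_name]
    return dscp == want_dscp and ecn in want_ecn


def classify(tos):
    """Return the classification of one packet given its TOS byte."""
    dscp, ecn = split_tos(tos)
    for class_name, matches in CLASS_MAPS.items():
        for acl_name, color in matches:       # match-any: first hit wins
            if acl_matches(acl_name, dscp, ecn):
                return {"dscp": dscp, "ecn": ecn, "class_map": class_name,
                        "acl": acl_name, "queue": QUEUE_FOR_CLASS[class_name],
                        "color": color or DEFAULT_COLOR}
    return {"dscp": dscp, "ecn": ecn, "class_map": None, "acl": None,
            "queue": DEFAULT_QUEUE, "color": DEFAULT_COLOR}


if __name__ == "__main__":
    # Constructed sample TOS bytes: DSCP 40/50 with ECN 0..3, plus best-effort traffic.
    for tos in [0xA0, 0xA1, 0xA2, 0xA3, 0xC8, 0xCB, 0x00]:
        print(hex(tos), classify(tos))
```

The point worth checking against your own configuration is the ordering inside each match-any class-map: the non-ECN access-group with set-color must precede the ECN access-group, otherwise a packet with ECN 0 still lands in the right queue but is never colored yellow.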
MCAST     3    0
Unit 1 unit: 3 port: 9 (interface Fo 1/152)
--------------------------------------
Q# TYPE   Q#   TOTAL BUFFERED CELLS
--------------------------------------
MCAST     3    0
Unit 1 unit: 3 port: 13 (interface Fo 1/156)
--------------------------------------
Q# TYPE   Q#   TOTAL BUFFERED CELLS
--------------------------------------
MCAST     3    0
Unit 1 unit: 3 port: 17 (interface Fo 1/160)
--------------------------------------
Q# TYPE   Q#   TOTAL BUFFERED CELLS
--------------------------------------
MCAST     3    0
Unit 1 unit
Q# TYPE   Q#   TOTAL BUFFERED CELLS
UCAST     11   0
MCAST     0    0
MCAST     1    0
MCAST     2    0
MCAST     3    0
MCAST     4    0
MCAST     5    0
MCAST     6    0
MCAST     7    0
MCAST     8    0
47 Routing Information Protocol (RIP)
RIP is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Topics:
• Protocol Overview
• Implementation Information
• Configuration Information
• RIP Configuration Example
Protocol Overview
RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2).
Table 74. RIP Defaults
Feature                  Default
Interfaces running RIP   ● Listen to RIPv1 and RIPv2
                         ● Transmit RIPv1
RIP timers               ● update timer = 30 seconds
                         ● invalid timer = 180 seconds
                         ● holddown timer = 180 seconds
                         ● flush timer = 240 seconds
Auto summarization       Enabled
ECMP paths supported     16
Configuration Information
By default, RIP is disabled in Dell Networking OS. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
To view the global RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode. Dell(conf-router_rip)#show config ! router rip network 10.0.0.0 Dell(conf-router_rip)# When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes. Dell#show ip rip database Total number of routes in RIP database: 978 160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 0/0 160.160.0.0/16 auto-summary 2.0.0.
● Define a specific router to exchange RIP information between it and the Dell Networking system. ROUTER RIP mode neighbor ip-address You can use this command multiple times to exchange RIP information with as many RIP networks as you want. ● Disable a specific interface from sending or receiving RIP routing information. ROUTER RIP mode passive-interface interface Setting the Send and Receive Version To change the RIP version globally or on an interface in Dell Networking OS, use the following command.
To configure an interface to receive or send both versions of RIP, include 1 and 2 in the command syntax. The command syntax for sending both RIPv1 and RIPv2 and receiving only RIPv2 is shown in the following example. Dell(conf-if)#ip rip send version 1 2 Dell(conf-if)#ip rip receive version 2 The following example of the show ip protocols command confirms that both versions are sent out that interface.
Controlling Route Metrics As a distance-vector protocol, RIP uses hop counts to determine the best route, but sometimes the shortest hop count is a route over the lowest-speed link. To manipulate RIP routes so that the routing protocol prefers a different route, manipulate the route by using the offset command. Exercise caution when applying an offset command to routers on a broadcast network, as the router using the offset command is modifying RIP advertisements before sending out those advertisements.
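How an offset changes which RIP next hop wins, as an added example that is not Dell EMC Networking OS code. It applies the generic RIP rule (installed metric = advertised hop count + 1, 16 = unreachable) and treats an inbound offset as a value added to updates received from one neighbor, which is the effect the paragraph describes; the neighbor names and prefixes are constructed.

```python
"""Next-hop selection for RIP routes with inbound offsets.

Added example, not Dell EMC Networking OS code. Metric = advertised + 1
(plus any inbound offset), 16 means unreachable; neighbors are constructed.
"""

RIP_INFINITY = 16


def rip_metric(advertised_metric, offset=0):
    """Metric the receiver installs: one more than advertised, plus any offset."""
    if not 0 <= advertised_metric <= RIP_INFINITY:
        raise ValueError("RIP metric must be 0..16")
    return min(advertised_metric + 1 + offset, RIP_INFINITY)


def select_routes(advertisements, offsets=None):
    """Pick the lowest-metric next hop(s) per prefix.

    advertisements: list of (neighbor, prefix, advertised_metric)
    offsets: {neighbor: offset} applied to updates received from that neighbor
    Returns {prefix: (metric, [neighbors])}; equal-cost neighbors are kept for ECMP.
    """
    offsets = offsets or {}
    best = {}
    for neighbor, prefix, advertised in advertisements:
        metric = rip_metric(advertised, offsets.get(neighbor, 0))
        if metric >= RIP_INFINITY:
            continue  # unreachable, never installed
        if prefix not in best or metric < best[prefix][0]:
            best[prefix] = (metric, [neighbor])
        elif metric == best[prefix][0]:
            best[prefix][1].append(neighbor)
    return best


# Constructed topology: 192.168.2.0/24 is one hop away over a slow link (via R1)
# and two hops away over fast links (via R2); 10.9.0.0/16 is advertised at 15 by R1.
ADVERTS = [
    ("R1", "192.168.2.0/24", 1),
    ("R2", "192.168.2.0/24", 2),
    ("R1", "10.9.0.0/16", 15),
]

if __name__ == "__main__":
    print("no offset :", select_routes(ADVERTS))
    print("offset R1 :", select_routes(ADVERTS, {"R1": 3}))
```

With no offset the one-hop slow path through R1 wins; an offset of 3 on updates from R1 makes the two-hop path through R2 preferable. The same run also shows the caution from the text: a route advertised at 15 becomes 16 on receipt and is discarded, so a large offset can silently make prefixes unreachable.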
● Core 2 RIP Output
● RIP Configuration on Core3
● Core 3 RIP Output
● RIP Configuration Summary
Figure 114. Example of a RIP Topology
RIP Configuration on Core2
The following example shows how to configure RIPv2 on a host named Core2. Core2(conf-if-te-2/31)# Core2(conf-if-te-2/31)#router rip Core2(conf-router_rip)#ver 2 Core2(conf-router_rip)#network 10.200.10.0 Core2(conf-router_rip)#network 10.300.10.0 Core2(conf-router_rip)#network 10.11.10.0 Core2(conf-router_rip)#network 10.11.20.
[120/1] via 10.11.20.1, 00:00:03, TenGigabitEthernet 2/31 192.168.1.0/24 auto-summary 192.168.2.0/24 [120/1] via 10.11.20.1, 00:00:03, TenGigabitEthernet 2/31 192.168.2.0/24 auto-summary Core2# The following example shows the show ip route command to show the RIP setup on Core 2.
RIP Configuration on Core3 The following example shows how to configure RIPv2 on a host named Core3. Core3(conf-if-te-3/21)#router rip Core3(conf-router_rip)#version 2 Core3(conf-router_rip)#network 192.168.1.0 Core3(conf-router_rip)#network 192.168.2.0 Core3(conf-router_rip)#network 10.11.30.0 Core3(conf-router_rip)#network 10.11.20.0 Core3(conf-router_rip)#show config ! router rip network 10.0.0.0 network 192.168.1.0 network 192.168.2.
C 192.168.2.0/24 Direct, Te Core3# 3/44 0/0 00:06:26 The following example shows the show ip protocols command to show the RIP configuration activity on Core 3.
! interface TenGigabitEthernet 3/21 ip address 10.11.20.1/24 no shutdown ! interface TenGigabitEthernet 3/43 ip address 192.168.1.1/24 no shutdown ! interface TenGigabitEthernet 3/44 ip address 192.168.2.1/24 no shutdown ! router rip version 2 network 10.11.20.0 network 10.11.30.0 network 192.168.1.0 network 192.168.2.
48 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facilities and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
OR [no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string] Configure the alarm using the following optional parameters: ○ number: alarm number, an integer from 1 to 65,535, the value must be unique in the RMON Alarm Table. ○ variable: the MIB object to monitor — the variable must be in SNMP OID format; for example, 1.3.6.1.2.1.1.3.
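The rising/falling threshold behaviour an RMON alarm implements, as an added example that is not Dell EMC Networking OS code. It follows the RMON alarm semantics of RFC 2819 (after a rising event no further rising event fires until the falling threshold is crossed, and vice versa) for both absolute and delta sampling; the counter samples are constructed.

```python
"""RMON alarm hysteresis (rising/falling thresholds, delta or absolute sampling).

Added example, not Dell EMC Networking OS code. Follows RFC 2819 alarm
semantics; the sample values fed in below are constructed.
"""


class RmonAlarm:
    def __init__(self, number, rising_threshold, falling_threshold,
                 sample_type="absolute", rising_event=1, falling_event=2,
                 startup="risingOrFalling"):
        if falling_threshold > rising_threshold:
            raise ValueError("falling threshold must not exceed rising threshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        self.number = number
        self.rising = rising_threshold
        self.falling = falling_threshold
        self.sample_type = sample_type
        self.rising_event = rising_event
        self.falling_event = falling_event
        self.startup = startup
        self.last_raw = None      # previous raw value for delta sampling
        self.first_sample = True  # first evaluated sample obeys the startup rule
        self.armed_rising = True
        self.armed_falling = True

    def sample(self, raw_value):
        """Feed one MIB sample; return the event number triggered, or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw_value
                return None       # two samples are needed before a delta exists
            value = raw_value - self.last_raw
            self.last_raw = raw_value
        else:
            value = raw_value

        event = None
        if value >= self.rising and self.armed_rising:
            if not self.first_sample or self.startup in ("rising", "risingOrFalling"):
                event = self.rising_event
            self.armed_rising, self.armed_falling = False, True
        elif value <= self.falling and self.armed_falling:
            if not self.first_sample or self.startup in ("falling", "risingOrFalling"):
                event = self.falling_event
            self.armed_falling, self.armed_rising = False, True
        self.first_sample = False
        return event


def run_alarm(alarm, samples):
    """Return the list of events (or None) produced by a sequence of samples."""
    return [alarm.sample(v) for v in samples]


if __name__ == "__main__":
    # ifOutErrors-style counter (constructed), delta-sampled once per interval:
    # one event per burst, not one per interval while the counter stays high.
    alarm = RmonAlarm(1, rising_threshold=50, falling_threshold=20,
                      sample_type="delta", startup="rising")
    print(run_alarm(alarm, [100, 100, 180, 190, 260]))
```

The hysteresis is what keeps an alarm from generating a trap on every interval while a counter hovers above the rising threshold; choose the falling threshold so that a genuine recovery, not noise, re-arms the rising event.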
this command. This configuration also generates an SNMP trap when the event is triggered using the SNMP community string “eventtrap”. Dell(conf)#rmon event 1 log trap eventtrap description “High ifOutErrors” owner nms1 Configuring RMON Collection Statistics To enable RMON MIB statistics collection on an interface, use the RMON collection statistics command in INTERFACE CONFIGURATION mode. ● Enable RMON MIB statistics collection.
49 Rapid Spanning Tree Protocol (RSTP)
Rapid spanning tree protocol (RSTP) is supported on Dell Networking OS.
Topics:
• Protocol Overview
• Configuring Rapid Spanning Tree
• Configuring Interfaces for Layer 2 Mode
• Enabling Rapid Spanning Tree Protocol Globally
Protocol Overview
RSTP is a Layer 2 protocol — specified by IEEE 802.
● All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology. ● Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task; avoid using the range command. When using the range command, Dell Networking recommends limiting the range to five ports and 40 VLANs. RSTP and VLT Virtual link trunking (VLT) provides loop-free redundant topologies and does not require RSTP.
Figure 115. Example of Configuring Interfaces for Layer 2 Mode 1. If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2. Place the interface in Layer 2 mode. INTERFACE mode switchport 3. Enable the interface. INTERFACE mode no shutdown To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. The bold lines indicate that the interface is in Layer 2 mode.
Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. ● Only one path from any bridge to any other bridge is enabled. ● Bridges block a redundant path by disabling one of the link ports. To enable RSTP globally for all Layer 2 interfaces, use the following commands. 1.
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. Dell#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.
Te 3/4 R3# Altr 128.684 128 20000 BLK 20000 P2P No Adding and Removing Interfaces To add and remove interfaces, use the following commands. To add an interface to the Rapid Spanning Tree topology, configure it for Layer 2 and it is automatically added. If you previously disabled RSTP on the interface using the command no spanning-tree 0 command, re-enable it using the spanning-tree 0 command. ● Remove an interface from the Rapid Spanning Tree topology.
NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time. The range is from 1 to 10. The default is 2 seconds. ● Change the max-age parameter. PROTOCOL SPANNING TREE RSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode.
● The reset stack-unit command does not clear the error disabled state of the port or the hardware disabled state. The interface continues to be disabled in the hardware. ● You can clear the Error Disabled state with any of the following methods: ○ Perform a shutdown command on the interface. ○ Disable the shutdown-on-violation command on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command).
50 Software-Defined Networking (SDN) The Dell EMC Networking OS supports software-defined networking (SDN). For more information, see the SDN Deployment Guide.
51 Security This chapter describes several ways to provide security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Line Reference Guide.
CONFIGURATION mode aaa accounting {commands | exec | suppress | system level} {default | name} {start-stop | wait-start | stop-only} {tacacs+} The variables are: ○ system: sends accounting information of any other AAA configuration. ○ exec: sends accounting information when a user has logged in to EXEC mode. ○ command level: sends accounting of commands executed at the specified privilege level. ○ suppress: Do not generate accounting records for a specific type of user.
Monitoring AAA Accounting Dell Networking OS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command. ● Step through all active sessions and print all the accounting records for the actively accounted functions.
Configuring AAA Authentication Login Methods To configure an authentication method and method list, use the following commands. Dell Networking OS Behavior: If you use a method list on the console port in which RADIUS or TACACS is the last authentication method, and the server is not reachable, Dell Networking OS allows access even though the username and password credentials cannot be verified.
CONFIGURATION mode aaa authentication enable default radius tacacs 2. Establish a host address and password. CONFIGURATION mode radius-server host x.x.x.x key some-password 3. Establish a host address and password. CONFIGURATION mode tacacs-server host x.x.x.x key some-password To get enable authentication from the RADIUS server and use TACACS as a backup, issue the following commands. The following example shows enabling authentication from the RADIUS server.
Example: DellEMC(config)#aaa authentication login vty_auth_list radius Force all logged-in users to re-authenticate (y/n)? 3. You are prompted to force the users to re-authenticate whenever there is a change in the RADIUS server list. CONFIGURATION mode radius-server host IP Address Example: DellEMC(config)#radius-server host 192.100.0.12 Force all logged-in users to re-authenticate (y/n)? DellEMC(config)#no radius-server host 192.100.0.
● Privilege level 1 — is the default level for EXEC mode. At this level, you can interact with the router, for example, view some show commands and Telnet and ping to test connectivity, but you cannot configure the router. This level is often called the “user” level. One of the commands available in Privilege level 1 is the enable command, which you can use to enter a specific privilege level. ● Privilege level 0 — contains only the end, enable, and disable commands.
Configuring the Enable Password Command To configure Dell Networking OS, use the enable command to enter EXEC Privilege level 15. After entering the command, Dell Networking OS requests that you enter a password. Privilege levels are not assigned to passwords, rather passwords are assigned to a privilege level. You can always change a password for any privilege level. To change to a different privilege level, enter the enable command, then the privilege level.
CONFIGURATION mode privilege mode {level level command | reset command} Configure the following required and optional parameters: ● mode: enter a keyword for the modes (exec, configure, interface, line, route-map, or router) ● level level: the range is from 0 to 15. Levels 0, 1, and 15 are pre-configured. Levels 2 to 14 are available for custom configuration. ● command: a Dell Networking OS CLI keyword (up to five keywords allowed). ● reset: return the command to its default privilege mode.
snmp-server Dell(conf)# Modify SNMP parameters Specifying LINE Mode Password and Privilege You can specify a password authentication of all users on different terminal lines. The user’s privilege level is the same as the privilege level assigned to the terminal line, unless a more specific privilege level is assigned to the user. To specify a password for the terminal line, use the following commands. ● Configure a custom privilege level for the terminal lines.
RADIUS Authentication and Authorization Dell Networking OS supports RADIUS for user authentication (text password) at login and can be specified as one of the login authentication methods in the aaa authentication login command. When configuring AAA authorization, you can configure to limit the attributes of services available to a user. When authorization is enabled, the network access server uses configuration information from the user profile to issue the user's session.
Configuration Task List for RADIUS To authenticate users using RADIUS, specify at least one RADIUS server so that the system can communicate with and configure RADIUS as one of your authentication methods. The following list includes the configuration tasks for RADIUS.
Specifying a RADIUS Server Host When configuring a RADIUS server host, you can set different communication parameters, such as the UDP port, the key password, the number of retries, and the timeout. To specify a RADIUS server host and configure its communication parameters, use the following command. ● Enter the host name or IP address of the RADIUS server host.
To view the configuration of RADIUS communication parameters, use the show running-config command in EXEC Privilege mode. Monitoring RADIUS To view information on RADIUS transactions, use the following command. ● View RADIUS transactions to troubleshoot problems. EXEC Privilege mode debug radius Microsoft Challenge-Handshake Authentication Protocol Support for RADIUS Authentication Dell EMC Networking OS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAPv2) with RADIUS authentication.
TACACS+ Dell Networking OS supports a terminal access controller access control system (TACACS+) client, including support for login authentication. Configuration Task List for TACACS+ The following list includes the configuration tasks for TACACS+ functions. ● Choosing TACACS+ as the Authentication Method ● Monitoring TACACS+ ● TACACS+ Remote Authentication For a complete listing of all commands related to TACACS+, refer to the Security chapter in the Dell Networking OS Command Line Reference Guide.
aaa authentication login LOCAL local tacacs+ aaa authorization exec default tacacs+ none aaa authorization commands 1 default tacacs+ none aaa authorization commands 15 default tacacs+ none aaa accounting exec default start-stop tacacs+ aaa accounting commands 1 default start-stop tacacs+ aaa accounting commands 15 default start-stop tacacs+ Dell(conf)# Dell(conf)#do show run tacacs+ ! tacacs-server key 7 d05206c308f4d35b tacacs-server host 10.10.10.
Command Authorization The AAA command authorization feature configures Dell Networking OS to send each configuration command to a TACACS server for authorization before it is added to the running configuration. By default, the AAA authorization commands configure the system to check both EXEC mode and CONFIGURATION mode commands. To enable only EXEC mode command checking, use the no aaa authorization config-commands command.
The following example uses the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting. Dell(conf)#ip ssh server version 2 Dell(conf)#do show ip ssh SSH server : disabled. SSH server version : v2. Password Authentication : enabled. Hostbased Authentication : disabled. RSA Authentication : disabled. To disable SSH server functions, use the no ip ssh server enable command.
Secure Shell Authentication Secure Shell (SSH) is disabled by default. Enable SSH using the ip ssh server enable command. SSH supports three methods of authentication: ● Enabling SSH Authentication by Password ● Using RSA Authentication of SSH ● Configuring Host-Based SSH Authentication ● Using Client-Based SSH Authentication Important Points to Remember ● If you enable more than one method, the order in which the methods are preferred is based on the ssh_config file on the Unix machine.
ip ssh rsa-authentication my-authorized-keys flash://public_key admin@Unix_client#ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/admin/.ssh/id_rsa): /home/admin/.ssh/id_rsa already exists. Overwrite (y/n)? y Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/admin/.ssh/id_rsa. Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The following example shows creating rhosts. admin@Unix_client# ls id_rsa id_rsa.pub rhosts shosts admin@Unix_client# cat rhosts 10.16.127.201 admin Using Client-Based SSH Authentication To SSH from the chassis to the SSH client, use the following command. This method uses SSH version 1 or version 2. If the SSH port is a nondefault value, use the ip ssh server port number command to change the default port number. You may only change the port number when SSH is disabled.
hmac-algorithm: Enter a space-delimited list of keyed-hash message authentication code (HMAC) algorithms supported by the SSH server. The following HMAC algorithms are available:
● hmac-md5
● hmac-md5-96
● hmac-sha1
● hmac-sha1-96
● hmac-sha2-256
The default list of HMAC algorithms is in the following order:
● hmac-sha2-256
● hmac-sha1
● hmac-sha1-96
● hmac-md5
● hmac-md5-96
When FIPS is enabled, the default HMAC algorithm list is hmac-sha2-256, hmac-sha1, hmac-sha1-96.
cipher-list: Enter a space-delimited list of ciphers the SSH Client supports. The following ciphers are available:
● 3des-cbc
● aes128-cbc
● aes192-cbc
● aes256-cbc
● aes128-ctr
● aes192-ctr
● aes256-ctr
The default cipher list is in the given order: aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc.
Example of Configuring a Cipher List
The following example shows you how to configure a cipher list.
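Deriving a hardened cipher and HMAC list from the algorithms listed above, as an added example that is not Dell EMC Networking OS code. The available and default lists are copied from the text; which algorithms count as weak (CBC modes and 3DES for ciphers, MD5 and 96-bit truncated MACs for HMACs) is this example's own policy, and the space-delimited output is the form the text says the list arguments take.

```python
"""Build hardened SSH cipher and HMAC lists from the algorithms the page lists.

Added example, not Dell EMC Networking OS code. The weak-algorithm policy is
this example's own; available and default orders come from the text above.
"""

AVAILABLE_CIPHERS = ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                     "aes128-ctr", "aes192-ctr", "aes256-ctr"]
DEFAULT_CIPHER_ORDER = ["aes256-ctr", "aes256-cbc", "aes192-ctr", "aes192-cbc",
                        "aes128-ctr", "aes128-cbc", "3des-cbc"]

AVAILABLE_HMACS = ["hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96", "hmac-sha2-256"]
DEFAULT_HMAC_ORDER = ["hmac-sha2-256", "hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"]


def is_weak_cipher(name):
    # CBC modes (padding-oracle history) and 64-bit-block 3DES are dropped.
    return name.endswith("-cbc") or name.startswith("3des")


def is_weak_hmac(name):
    # MD5-based MACs and truncated (-96) tags are dropped; SHA-1 is kept for
    # client compatibility since the switch offers nothing between it and SHA-2.
    return "md5" in name or name.endswith("-96")


def validate_list(requested, available):
    """Reject names the server does not offer and duplicates (typos would otherwise be silent)."""
    unknown = [n for n in requested if n not in available]
    if unknown:
        raise ValueError("unsupported algorithm(s): " + ", ".join(unknown))
    if len(set(requested)) != len(requested):
        raise ValueError("duplicate entries in list")
    return list(requested)


def harden(ordered, is_weak, available):
    """Keep the original preference order but drop weak entries."""
    kept = [n for n in validate_list(ordered, available) if not is_weak(n)]
    if not kept:
        raise ValueError("hardening removed every algorithm")
    return kept


def hardened_ciphers():
    return harden(DEFAULT_CIPHER_ORDER, is_weak_cipher, AVAILABLE_CIPHERS)


def hardened_hmacs():
    return harden(DEFAULT_HMAC_ORDER, is_weak_hmac, AVAILABLE_HMACS)


def cli_argument(names):
    """Space-delimited form the switch expects for a cipher or HMAC list."""
    return " ".join(names)


if __name__ == "__main__":
    print("cipher list:", cli_argument(hardened_ciphers()))
    print("hmac list  :", cli_argument(hardened_hmacs()))
```

Before applying a trimmed list, confirm that every management client (jump hosts, automation tooling) still negotiates one of the remaining algorithms; the default order above keeps the strong entries first, so clients that already support them are unaffected.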
Table 77. VTY Access (continued)
Authentication Method   VTY access-class support?   Username access-class support?   Remote authorization support?
Local                   NO                          YES                              NO
TACACS+                 YES                         NO                               YES (with Dell Networking OS version 5.2.1.0 and later)
RADIUS                  YES                         NO                               YES (with Dell Networking OS version 6.1.1.
Example of Configuring VTY Authorization Based on Access Class Retrieved from the Line (Per Network Address) Dell(conf)#ip access-list standard deny10 Dell(conf-ext-nacl)#permit 10.0.0.0/8 Dell(conf-ext-nacl)#deny any Dell(conf)# Dell(conf)#aaa authentication login tacacsmethod tacacs+ Dell(conf)#tacacs-server host 256.1.1.
sent to the user’s e-mail ID or mobile. If the OTP is valid, the RADIUS server authenticates the 2FA user and sends an Access-Accept response to NAS. ● Access-Reject—NAS validates the OTP and if the OTP is invalid, the RADIUS server does not authenticate the user and sends an Access-Reject response to NAS. Configuring Challenge Response Authentication for SSHv2 To configure challenge response authentication for SSHv2, perform the following steps: 1. Enable challenge response authentication for SSHv2.
Table 78. Suppressed ICMP message types
ICMPv4 message types
● Echo reply (0)
● All sub types of destination unreachable (3)
● Source quench (4)
● Redirect (5)
● Router advertisement (9)
● Router solicitation (10)
● Time exceeded (11)
● IP header bad (12)
● Timestamp request (13)
● Timestamp reply (14)
● Information request (15)
● Information reply (16)
● Address mask request (17)
● Address mask reply (18)
NOTE: The Dell EMC Networking OS does not suppress the ICMP message type echo request (8).
Table 79.
● Router solicitation (133)
● Router advertisement (134)
● Neighbor solicitation (135)
● Neighbor advertisement (136)
● Redirect (137)
● Router renumbering (138)
● MLD v2 listener report (143)
● Duplicate Address Request (157)
● Duplicate Address Confirmation (158)
Dell EMC Networking OS Security Hardening
The security of a network consists of multiple factors. Apart from access to the device, best practices, and implementing various security features, security also lies with the integrity of the device.
copy running-configuration startup-configuration After enabling and configuring OS image hash verification, the device verifies the hash checksum of the OS boot image during every reload. DellEMC# verified boot hash system-image A: 619A8C1B7A2BC9692A221E2151B9DA9E Image Verification for Subsequent OS Upgrades After enabling OS image hash verification, for subsequent Dell EMC Networking OS upgrades, you must enter the hash checksum of the new OS image file.
generate hash {md5 | sha1 | sha256} {flash://filename | startup-config} 3. Verify the hash checksum of the current startup configuration on the local file system. EXEC Privilege verified boot hash startup—config hash-value NOTE: The verified boot hash command is only applicable for the startup configuration file in the local file system. After enabling and configuring startup configuration verification, the device verifies the hash checksum of the startup configuration during every reload.
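The check the switch performs at reload (hash the boot image or startup configuration with md5, sha1 or sha256 and compare it with the recorded value), reproduced off-box as an added example that is not Dell EMC Networking OS code. This is the same computation you would run on the image file before entering its hash on the switch; the sample image written here is constructed, and the comparison is constant-time and case-insensitive since the page's example shows the digest in uppercase.

```python
"""Compute and check the hash of an OS image or startup-config file.

Added example, not Dell EMC Networking OS code. The sample image is constructed.
"""
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def file_hash(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file, streamed so large images do not sit in memory."""
    try:
        h = ALGORITHMS[algorithm]()
    except KeyError:
        raise ValueError("algorithm must be one of md5, sha1, sha256")
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_hex, algorithm="sha256"):
    """True if the file's hash equals expected_hex (case-insensitive, constant-time compare)."""
    actual = file_hash(path, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def write_sample_image(directory=None):
    """Write a constructed image file and return its path."""
    fd, path = tempfile.mkstemp(prefix="sample-image-", suffix=".bin", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(b"CONSTRUCTED-OS-IMAGE\n" * 4096)
    return path


def tampered_copy(path):
    """Copy the file with one byte flipped, as a corrupted or modified image would be."""
    with open(path, "rb") as f:
        data = bytearray(f.read())
    data[len(data) // 2] ^= 0x01
    out = path + ".tampered"
    with open(out, "wb") as f:
        f.write(data)
    return out


if __name__ == "__main__":
    image = write_sample_image()
    for alg in ALGORITHMS:
        print(alg, file_hash(image, alg))
    print("verifies:", verify_image(image, file_hash(image)))
    print("tampered verifies:", verify_image(tampered_copy(image), file_hash(image)))
```

Prefer sha256 where the command accepts it: a 32-hex-character value like the one in the page's example is an MD5 digest, which still catches accidental corruption but is not collision-resistant against a deliberately crafted image.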
52 Service Provider Bridging
Service provider bridging is supported on Dell Networking OS.
Topics:
• VLAN Stacking
• Configure VLAN Stacking
• VLAN Stacking Packet Drop Precedence
• Dynamic Mode CoS for VLAN Stacking
• Layer 2 Protocol Tunneling
• Provider Backbone Bridging
VLAN Stacking
VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which are an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 117. VLAN Stacking in a Service Provider Network Important Points to Remember ● Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN. ● Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN. ● You cannot ping across a trunk port link if one or both of the systems is an S5000.
Related Configuration Tasks
● Configuring the Protocol Type Value for the Outer VLAN Tag
● Dell Networking OS Options for Trunk Ports
● Debugging VLAN Stacking
● VLAN Stacking in Multi-Vendor Networks
Creating Access and Trunk Ports
To create access and trunk ports, use the following commands. ● Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged NUM Status Description Q Ports * 1 Active U Te 0/0-2 1002 Active T Te 0/0-2 Dell# Configuring the Protocol Type Value for the Outer VLAN Tag The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command. ● Select a value for the S-Tag TPID. CONFIGURATION mode vlan-stack protocol-type The default is 9100.
NUM * 1 100 101 103 Status Description Inactive Inactive Inactive Inactive Q Ports U Te 0/1 T Te 0/1 M Te 0/1 Debugging VLAN Stacking To debug VLAN stacking, use the following command. ● Debug the internal state and membership of a VLAN and its ports. debug member The port notations are as follows: ● MT — stacked trunk ● MU — stacked access port ● T — 802.1Q trunk port ● U — 802.
Therefore, a mismatched TPID results in the port not differentiating between tagged and untagged traffic. Figure 118.
Figure 119.
Figure 120. Single and Double-Tag TPID Mismatch The following table details the outcome of matched and mismatched TPIDs in a VLAN-stacking network. Table 80. Behaviors for Mismatched TPID Network Position Incoming Packet TPID System TPID Match Type 9.1(1.
Table 80. Behaviors for Mismatched TPID (continued) Network Position Incoming Packet TPID System TPID Match Type 9.1(1.
You may enter the command once for 0 and once for 1. Packets with an unmapped DEI value are colored green. To display the DEI-honoring configuration, use the show interface dei-honor [interface slot/port | linecard number port-set number] in EXEC Privilege mode.
Figure 121. Statically and Dynamically Assigned dot1p for VLAN Stacking When configuring Dynamic Mode CoS, you have two options: ● Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. In this case, you must have other dot1p QoS configurations; this option is classic dot1p marking. ● Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p.
interface TenGigabitEthernet 1/21 no ip address switchport vlan-stack access vlan-stack dot1p-mapping c-tag-dot1p 0-3 sp-tag-dot1p 7 service-policy input in layer2 no shutdown Mapping C-Tag to S-Tag dot1p Values To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly, use the following commands. 1. Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
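The TPID-mismatch behaviour from the table above, the C-Tag-to-S-Tag dot1p mapping of the vlan-stack dot1p-mapping configuration, and the DEI color lookup, shown together in an added example that is not Dell EMC Networking OS code. A frame whose outer TPID is neither the system's S-Tag TPID nor 0x8100 is parsed as untagged, which is why a mismatched TPID makes the port stop distinguishing tagged from untagged traffic. The frames and MAC addresses are constructed, and the S-Tag dot1p used when a C-Tag value is unmapped is an assumption (0 here).

```python
"""Parse and build VLAN-stacked (Q-in-Q) frames with a configurable S-Tag TPID.

Added example, not Dell EMC Networking OS code. Frames and MACs are constructed;
the fallback S-Tag dot1p for an unmapped C-Tag value is an assumption.
"""
import struct

C_TPID = 0x8100          # 802.1Q customer tag
DEFAULT_S_TPID = 0x9100  # page: "The default is 9100"


def build_tag(tpid, pcp, dei, vid):
    if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("bad tag fields")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)


def build_frame(dst, src, tags, ethertype, payload):
    """tags: list of (tpid, pcp, dei, vid), outermost first."""
    return dst + src + b"".join(build_tag(*t) for t in tags) + struct.pack("!H", ethertype) + payload


def parse_frame(frame, system_s_tpid=DEFAULT_S_TPID):
    """Return the tags the switch recognises given its configured S-Tag TPID."""
    dst, src, off = frame[:6], frame[6:12], 12
    tags = []
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if not tags and tpid == system_s_tpid:
            kind = "S"                  # outer tag with the configured TPID
        elif tpid == C_TPID:
            kind = "C"
        else:
            break                       # anything else is the payload EtherType
        tags.append((kind, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return {"dst": dst, "src": src, "tags": tags, "ethertype": ethertype,
            "payload": frame[off + 2:]}


def s_tag_pcp_for(c_pcp, mapping, default_pcp=0):
    """vlan-stack dot1p-mapping: C-Tag dot1p -> S-Tag dot1p (default_pcp is an assumption)."""
    return mapping.get(c_pcp, default_pcp)


def add_s_tag(frame, s_vid, mapping, s_tpid=DEFAULT_S_TPID, default_pcp=0):
    """Push an S-Tag onto a customer frame as a VLAN-Stack access port would."""
    parsed = parse_frame(frame, system_s_tpid=None)   # only C-Tags recognised here
    c_pcp = parsed["tags"][0][1] if parsed["tags"] else 0
    s_pcp = s_tag_pcp_for(c_pcp, mapping, default_pcp)
    return frame[:12] + build_tag(s_tpid, s_pcp, 0, s_vid) + frame[12:]


def dei_color(dei, dei_map):
    """dei-honor: packets with an unmapped DEI value are colored green (page)."""
    return dei_map.get(dei, "green")


# Constructed sample frames and addresses
DST = bytes.fromhex("0011aabbcc01")
SRC = bytes.fromhex("0011aabbcc02")
IPV4 = 0x0800
PAYLOAD = b"\x45" + b"\x00" * 19
CUSTOMER_FRAME = build_frame(DST, SRC, [(C_TPID, 2, 0, 100)], IPV4, PAYLOAD)
STACKED_FRAME = build_frame(DST, SRC, [(0x9100, 7, 0, 1002), (C_TPID, 2, 0, 100)], IPV4, PAYLOAD)
# "vlan-stack dot1p-mapping c-tag-dot1p 0-3 sp-tag-dot1p 7" from the page
DOT1P_MAP = {c: 7 for c in range(4)}

if __name__ == "__main__":
    print("matching TPID  :", parse_frame(STACKED_FRAME, 0x9100)["tags"])
    print("mismatched TPID:", parse_frame(STACKED_FRAME, 0x88A8)["tags"])
    print("access port    :", parse_frame(add_s_tag(CUSTOMER_FRAME, 1002, DOT1P_MAP))["tags"])
```

The second print is the failure mode to look for when a multi-vendor trunk "loses" VLAN membership: the frame is intact, but the receiving side sees an EtherType of 0x9100 (or 0x88a8) rather than a tag.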
Figure 122. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 123. VLAN Stacking with L2PT Implementation Information ● L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. ● No protocol packets are tunneled when you enable VLAN stacking. ● L2PT requires the default CAM profile. Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT. EXEC Privilege mode show cam-profile 2.
INTERFACE VLAN mode protocol-tunnel stp Specifying a Destination MAC Address for BPDUs By default, Dell Networking OS uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command. ● Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
originally specified in 802.1Q. Only bridges in the service provider network use this destination MAC address so these bridges treat BPDUs originating from the customer network as normal data frames, rather than consuming them. The same is true for GARP VLAN registration protocol (GVRP). 802.
53 sFlow
The Dell Networking Operating System (OS) supports sFlow version 5.
Topics:
• Overview
• Implementation Information
• Enabling and Disabling sFlow
• Enabling and Disabling sFlow on an Interface
• Enabling sFlow Max-Header Size Extended
• sFlow Show Commands
• Configuring Specify Collectors
• Changing the Polling Intervals
• Back-Off Mechanism
• sFlow on LAG ports
Overview
sFlow is a standards-based sampling technology embedded within switches and routers which is used to monitor network traffic.
Figure 124. sFlow Traffic Monitoring System
Implementation Information
Dell Networking sFlow is designed so that the hardware sampling rate is per line card port-pipe and is decided based on all the ports in that port-pipe. If you do not enable sFlow on any port specifically, the global sampling rate is downloaded to that port and is used to calculate the port-pipe's lowest sampling rate. This design supports the possibility that sFlow might be configured on that port in the future.
● Up to 700 packets are sampled and processed per second. Enabling and Disabling sFlow By default, sFlow is disabled globally on the system. Use the following command to enable sFlow globally. ● Enable sFlow globally. CONFIGURATION mode [no] sflow enable Enabling and Disabling sFlow on an Interface By default, sFlow is disabled on all interfaces. This CLI is supported on physical ports and link aggregation group (LAG) ports. To enable sFlow on a specific interface, use the following command.
Example of viewing the sflow max-header-size extended on an Interface Mode
DellEMC#show sflow interface tengigabitethernet 1/1
Te 1/1
sFlow type               :Ingress
Configured sampling rate :16384
Actual sampling rate     :16384
Counter polling interval :20
Extended max header size :256
Samples rcvd from h/w    :0
Example of the show running-config sflow Command
DellEMC#show running-config sflow
!
sflow collector 100.1.1.12 agent-addr 100.1.1.
show sflow interface interface-name
The following example shows the show sflow interface command.
Dell#show sflow interface tengigabitethernet 1/16
Te 1/16
Configured sampling rate         :8192
Actual sampling rate             :8192
Sub-sampling rate                :2
Counter polling interval         :15
Samples rcvd from h/w            :33
Samples dropped for sub-sampling :6
The following example shows the show running-config interface command.
○ interval value: in seconds. The range is from 15 to 86400 seconds. The default is 20 seconds.
Back-Off Mechanism
If the sampling rate for an interface is set to a very low value (that is, a high proportion of packets is sampled), the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism is triggered, which doubles the sampling rate (halving the number of samples per second) for all interfaces. The back-off mechanism continues to double the sampling rate until the CPU condition clears. Because the back-off applies to all interfaces, one aggressively sampled interface under load reduces sample fidelity on every other interface; while it is in effect, the actual sampling rate reported by show sflow interface differs from the configured rate.
54 Simple Network Management Protocol (SNMP) NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
Implementation Information The following describes SNMP implementation information. ● Dell Networking OS supports SNMP version 1 as defined by RFC 1155, 1157, and 1212, SNMP version 2c as defined by RFC 1901, and SNMP version 3 as defined by RFC 2571. ● Dell Networking OS supports up to 16 trap receivers. ● Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via SNMP sets.
Creating a Community
For SNMPv1 and SNMPv2, create a community to enable the community-based security in Dell Networking OS. The management station generates requests to either retrieve or alter the value of a management object and is called the SNMP manager. A network element that processes SNMP requests is called an SNMP agent. An SNMP community is a group of SNMP agents and managers that are allowed to interact. The community string is the only credential in SNMPv1 and SNMPv2c, and it is carried in cleartext in every packet; a read-write community therefore exposes every Set operation described in this chapter (including the copy-config MIB) to anyone who can capture or guess the string. For write access, use SNMPv3 with authentication and privacy, as described later in this chapter.
CONFIGURATION mode snmp-server view view-name 3 noauth {included | excluded} NOTE: To give a user read and write privileges, repeat this step for each privilege type. ● Configure an SNMP group (with password or privacy privileges). CONFIGURATION mode snmp-server group group-name {oid-tree} priv read name write name ● Configure the user with a secure authorization password and privacy password.
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (32920954) 3 days, 19:26:49.54 SNMPv2-MIB::sysContact.0 = STRING: Writing Managed Object Values You may only alter (write) a managed object value if your management station is a member of the same community as the SNMP agent, and the object is writable. Use the following command to write or write-over the value of a managed object. ● To write or write-over the value of a managed object. snmpset -v version -c community agent-ip {identifier.
Subscribing to Managed Object Value Updates using SNMP
By default, the Dell Networking system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system. Dell Networking OS supports the following three sets of traps:
● RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighborLoss.
CARD_DOWN: %sLine card %d down - %s LINECARDUP: %sLine card %d is up CARD_MISMATCH: Mismatch: line card %d is type %s - type %s required.
customer1 at Level 7 VLAN 1000 %ECFM-5-ECFM_RDI_ALARM: RDI Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000 entity Enable entity change traps Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1487406) 4:07:54.06, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 4 Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1488564) 4:08:05.64, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.
"NOT_REACHABLE: Syslog server 10.11.226.121 (port: 9140) is not reachable" SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 2 Following is the sample audit log message that other syslog servers that are reachable receive: Oct 21 00:46:13: dv-fedgov-s4810-6: %EVL-6-NOT_REACHABLE:Syslog server 10.11.226.121 (port: 9140) is not reachable Following example shows the SNMP trap that is sent when connectivity to the syslog server is resumed: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10230) 0:01:42.
Table 83. MIB Objects for Copying Configuration Files via SNMP (continued) MIB Object OID Object Values Description ● If copySourceFileType is set to runningconfig or startup-config, copySrcFileName is not required. copyDestFileType .1.3.6.1.4.1.6027.3.5.1.1.1.1.5 1 = Dell Networking OS file 2 = running-config 3 = startup-config copyDestFileLocation .1.3.6.1.4.1.6027.3.5.1.1.1.1.6 1 = flash 2 = slot0 3 = tftp 4 = ftp 5 = scp Specifies the type of file to copy to.
3. On the server, use the snmpset command as shown in the following example.
snmpset -v snmp-version -c community-name -m mib_path/f10-copy-config.mib force10system-ip-address mib-object.index {i | a | s} object-value...
● Every specified object must have an object value, and the value must be preceded by its type keyword: i for an INTEGER, a for an IP address, s for a string. Refer to the previous table.
● index must be unique to all previously executed snmpset commands. If an index value has been used previously, a message like the following appears.
The following example shows how to copy configuration files from a UNIX machine using the object name. > snmpset -c public -v 2c -m ./f10-copy-config.mib 10.11.131.162 copySrcFileType.7 i 3 copyDestFileType.7 i 2 FTOS-COPY-CONFIG-MIB::copySrcFileType.7 = INTEGER: runningConfig(3) FTOS-COPY-CONFIG-MIB::copyDestFileType.7 = INTEGER: startupConfig(2) The following example shows how to copy configuration files from a UNIX machine using OID. >snmpset -c public -v 2c 10.11.131.162 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.
snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address
  copySrcFileType.index i 1
  copySrcFileLocation.index i 4
  copySrcFileName.index s filepath/filename
  copyDestFileType.index i 3
  copyServerAddress.index a server-ip-address
  copyUserName.index s server-login-id
  copyUserPassword.index s server-login-password

> snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.10 i 1 copySrcFileLocation.10 i 4 copyDestFileType.10 i 3 copySrcFileName.
● you are using SNMP version 2c ● the community name is public ● the file f10-copy-config.mib is in the current directory NOTE: In UNIX, enter the snmpset command for help using this command. The following examples show the command syntax using MIB object names and the same command using the object OIDs. In both cases, the same index number used in the snmpset command follows the object. The following command shows how to get a MIB object value using the object name. > snmpget -v 2c -c private -m .
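Every Set in this procedure is authorized by the community string alone, and in SNMPv1/v2c that string travels in cleartext with each packet. For the copy-config MIB that is enough for an outsider to have the switch push its running configuration to a TFTP, FTP or SCP server of their choosing (copyDestFileLocation values 3, 4 and 5 in Table 83), and the copyUserName/copyUserPassword values ride in the same cleartext packet. The Python below is added here as an illustration; it is not taken from this guide or from Dell's software. It encodes the same SetRequest that the snmpset example above puts on the wire (request-id 1 is an arbitrary choice and all values are INTEGERs, which covers the copy-config object types shown) and then parses it the way a passive monitor would, so a SOC can alert on any write into the copy-config subtree.

```python
"""Hand-built SNMPv2c SetRequest for the Dell copy-config MIB, plus a detector.

Added example, not from the Dell guide and not Dell code.  Encodes the
SetRequest that `snmpset -c public -v 2c <host> copySrcFileType.7 i 3
copyDestFileType.7 i 2` sends, then parses it as a monitor would and flags
writes under the copy-config subtree (OIDs from Table 83).  Assumptions:
request-id 1, INTEGER-typed values only.
"""

COPY_CONFIG_SUBTREE = "1.3.6.1.4.1.6027.3.5.1.1.1.1"  # Table 83
COPY_SRC_FILE_TYPE = COPY_CONFIG_SUBTREE + ".2"       # copySrcFileType
COPY_DEST_FILE_TYPE = COPY_CONFIG_SUBTREE + ".5"      # copyDestFileType


def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_int(value: int) -> bytes:
    """INTEGER in minimal two's-complement length."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        septets = []
        while True:
            septets.append(arc & 0x7F)
            arc >>= 7
            if arc == 0:
                break
        septets.reverse()
        out.extend(s | 0x80 for s in septets[:-1])  # continuation bit on all but last
        out.append(septets[-1])
    return tlv(0x06, bytes(out))


def build_set_request(community: str, bindings, request_id: int = 1) -> bytes:
    """bindings: (oid, integer) pairs.  Version field 1 means SNMPv2c."""
    varbinds = b"".join(tlv(0x30, encode_oid(o) + encode_int(v)) for o, v in bindings)
    pdu = tlv(0xA3, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbinds))
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(payload: bytes) -> str:
    arcs, value = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def set_request_oids(msg: bytes):
    """(community, [oids]) for a v1/v2c SetRequest; None for any other PDU."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        return None
    _, _, pos = _read_tlv(body, 0)              # version
    _, community, pos = _read_tlv(body, pos)    # community string, cleartext
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    if pdu_tag != 0xA3:                         # 0xA3 = SetRequest-PDU
        return None
    pos = 0
    for _ in range(3):                          # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vblist, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vblist):
        _, vb, pos = _read_tlv(vblist, pos)
        _, oid_bytes, _ = _read_tlv(vb, 0)      # OID is the first VarBind element
        oids.append(decode_oid(oid_bytes))
    return community.decode(errors="replace"), oids


def touches_copy_config(msg: bytes) -> bool:
    """True when a SetRequest writes any object under the copy-config subtree."""
    parsed = set_request_oids(msg)
    if parsed is None:
        return False
    return any(o.startswith(COPY_CONFIG_SUBTREE + ".") for o in parsed[1])


if __name__ == "__main__":
    req = build_set_request("public", [(COPY_SRC_FILE_TYPE + ".7", 3),
                                       (COPY_DEST_FILE_TYPE + ".7", 2)])
    print(req.hex())
    print(set_request_oids(req), touches_copy_config(req))
```

The detector only understands v1/v2c; an SNMPv3 message carries a different header and, with the priv security level, an encrypted scoped PDU, which is exactly why write access belongs on SNMPv3.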
average input power and average input-power start time. These statistics can also be obtained by using the CLI command: show environment . The following table lists the related MIB objects, OID and description for the same: Table 86. MIB Objects to Display the Information for Power Monitoring MIB Object OID Description envMonSupplyCurrentPower 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.5 Displays per PSU input power (current configuration). envMonSupplyAveragePower 1.3.6.1.4.1.674.10895.3000.1.2.110.
MIB Support to Display the Software Core Files Generated by the System Dell EMC Networking provides MIB objects to display the software core files generated by the system. The chSysSwCoresTable contains the list of software core files generated by the system. The following table lists the related MIB objects. Table 88. MIB Objects for Displaying the Software Core Files Generated by the System MIB Object OID Description chSysSwCoresTable 1.3.6.1.4.1.6027.3.10.1.2.
MIB Support to Display the Available Partitions on Flash Dell EMC Networking provides MIB objects to display the information of various partitions such as /flash, /tmp, /usr/ pkg, and /f10/ConfD. The dellNetFlashStorageTable table contains the list of all partitions on disk. The following table lists the related MIB objects: Table 89. MIB Objects to Display the Available Partitions on Flash MIB Object OID Description dellNetFlashPartitionNumber 1.3.6.1.4.1.6027.3.26.1.4.8.1.1 Index for the table.
.1.3.6.1.4.1.6027.3.26.1.4.8.1.4.2 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.3 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.4 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.5 .1.3.6.1.4.1.6027.3.26.1.4.8.1.5.1 .1.3.6.1.4.1.6027.3.26.1.4.8.1.5.2 .1.3.6.1.4.1.6027.3.26.1.4.8.1.5.3 .1.3.6.1.4.1.6027.3.26.1.4.8.1.5.4 .1.3.6.1.4.1.6027.3.26.1.4.8.1.5.5 .1.3.6.1.4.1.6027.3.26.1.4.8.1.6.1 .1.3.6.1.4.1.6027.3.26.1.4.8.1.6.2 .1.3.6.1.4.1.6027.3.26.1.4.8.1.6.3 .1.3.6.1.4.1.6027.3.26.1.4.8.1.6.4 .1.3.6.1.4.1.6027.3.26.1.4.8.1.6.
SNMPv2SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.10.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.20.1.1.0.24.0.0.0.0 = INTEGER: 1258296320 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.20.1.1.1.32.1.4.20.1.1.1.1.4.20.1.1.1 = INTEGER: 1258296320 SNMPv2SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.20.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.30.1.1.0.24.0.0.0.0 = INTEGER: 1275078656 SNMPv2-SMI::enterprises.6027.
SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.80.80.80.0.24.1.4.10.1.1.1.1.4.10.1.1.1 = HexSTRING: 4C 76 25 F4 AB 02 SNMPv2SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.80.80.80.0.24.1.4.20.1.1.1.1.4.20.1.1.1 = HexSTRING: 4C 76 25 F4 AB 02 SNMPv2SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.80.80.80.0.24.1.4.30.1.1.1.1.4.30.1.1.1 = HexSTRING: 4C 76 25 F4 AB 02 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.90.90.90.0.24.0.0.0.0 = "" SNMPv2SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.90.90.90.1.32.1.4.127.0.0.1.1.4.127.0.0.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.10.1.1.0.24.0.0.0.0 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.10.1.1.1.32.1.4.10.1.1.1.1.4.10.1.1.1 = Gauge32: 0 SNMPv2SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.10.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.20.1.1.0.24.0.0.0.0 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.20.1.1.1.32.1.4.20.1.1.1.1.4.20.1.1.1 = Gauge32: 0 SNMPv2SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.20.1.
Table 92. MIB Objects for entAliasMappingTable (continued) MIB Object OID Description entAliasMappingEntry 1.3.6.1.2.1.47.1.3.2.1 Contains information about a particular logical entity. entAliasLogicalIndexOrZero 1.3.6.1.2.1.47.1.3.2.1.1 Contains a non–zero value and identifies the logical entity named by the same value of entLogicalIndex. entAliasMappingIdentifier 1.3.6.1.2.1.47.1.3.2.1.
Table 93. MIB Objects for LAG (continued) MIB Object OID Description dot3adAggActorSystemPriority 1.2.840.10006.300.43.1.1.1.1.2 Contains a two octet read–write value indicating the priority value associated with the Actor’s system ID. dot3adAggActorSystemID 1.2.840.10006.300.43.1.1.1.1.3 Contains a six octet read–write MAC address value used as a unique identifier for the system that contains the Aggregator. dot3adAggAggregateOrIndividual 1.2.840.10006.300.43.1.1.1.1.
iso.2.840.10006.300.43.1.1.1.1.3.1258356224 iso.2.840.10006.300.43.1.1.1.1.3.1258356736 iso.2.840.10006.300.43.1.1.1.1.4.1258356224 iso.2.840.10006.300.43.1.1.1.1.4.1258356736 iso.2.840.10006.300.43.1.1.1.1.5.1258356224 iso.2.840.10006.300.43.1.1.1.1.5.
MIB Support to Display Organizational Specific Unrecognized LLDP TLVs The lldpRemOrgDefInfoTable contains organizationally defined information that is not recognized by the local neighbor. The following table lists the related MIB objects: Table 95. MIB Objects for Displaying Organizational Specific Unrecognized LLDP TLVs MIB Object OID Description lldpRemOrgDefInfoTable 1.0.8802.1.1.2.1.4.4 This table contains organizationally defined information that is not recognized by the local neighbor.
Manage VLANs using SNMP
The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allow you to use SNMP to manage VLANs.
Creating a VLAN
To create a VLAN, use the dot1qVlanStaticRowStatus object. The snmpset operation shown in the following example creates VLAN 10 by specifying a value of 4 (createAndGo in the RowStatus textual convention) for instance 10 of the dot1qVlanStaticRowStatus object.
> snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4
SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 The table that the Dell Networking system sends in response to the snmpget request is a table that contains hexadecimal (hex) pairs, each pair representing a group of eight ports. ● On the S5000, 7 hex pairs represent a stack unit. Seven pairs accommodate the greatest number of ports available–64 ports. On the S5000, the last stack unit begins on the 66th bit.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.1107787786 = Hex-STRING: 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SNMPv2-SMI::mib-2.17.7.1.4.3.1.4.
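The Hex-STRING above is a PortList as RFC 2674 defines it: each octet holds eight ports, and within an octet the most significant bit is the lowest-numbered port. A snmpset on dot1qVlanStaticEgressPorts replaces the whole bitmap, so adding one port to a VLAN means reading the current value, setting one more bit and writing the entire string back; writing a string with only the new bit set removes every other member. The Python below is added here as an illustration and is not taken from this guide or from Dell's software. It decodes and rebuilds such strings; the positions it reports are 1-based PortList bits, and mapping them onto the stack-unit/port layout the guide describes is left to the reader. The sample string is constructed, not captured from a switch.

```python
"""Decode/encode the Q-BRIDGE-MIB PortList (RFC 2674) behind
dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts.

Added example, not from the Dell guide.  Octet i covers ports 8i+1..8i+8,
MSB first.  add_ports()/remove_ports() do the read-modify-write that a
snmpset on the whole bitmap requires.  SAMPLE_EGRESS is constructed.
"""


def decode_portlist(hex_string: str) -> list:
    """1-based bit positions that are set, in ascending order."""
    octets = bytes.fromhex(hex_string.replace(" ", ""))
    bits = []
    for i, octet in enumerate(octets):
        for bit in range(8):
            if octet & (0x80 >> bit):      # MSB is the lowest-numbered port
                bits.append(8 * i + bit + 1)
    return bits


def encode_portlist(bits, width_octets: int) -> str:
    """Hex-STRING of the given width with the given 1-based bits set."""
    octets = bytearray(width_octets)
    for b in bits:
        if not 1 <= b <= 8 * width_octets:
            raise ValueError(f"bit {b} does not fit in {width_octets} octets")
        octets[(b - 1) // 8] |= 0x80 >> ((b - 1) % 8)
    return " ".join(f"{o:02X}" for o in octets)


def _width(hex_string: str) -> int:
    return len(hex_string.replace(" ", "")) // 2


def add_ports(current_hex: str, new_bits) -> str:
    """Read-modify-write: keep existing members, add new_bits, same width."""
    merged = sorted(set(decode_portlist(current_hex)) | set(new_bits))
    return encode_portlist(merged, _width(current_hex))


def remove_ports(current_hex: str, bits) -> str:
    """Read-modify-write: drop the given bits, keep everything else."""
    remaining = sorted(set(decode_portlist(current_hex)) - set(bits))
    return encode_portlist(remaining, _width(current_hex))


# Constructed sample: a single member at bit 2, like the leading 0x40 above
SAMPLE_EGRESS = "40 00 00 00 00 00 00 00"

if __name__ == "__main__":
    print(decode_portlist(SAMPLE_EGRESS))
    print(add_ports(SAMPLE_EGRESS, [3, 24]))
```

The string add_ports() returns is what you hand to snmpset with the x (hex string) type keyword for the VLAN's dot1qVlanStaticEgressPorts instance, after fetching the current value with snmpget so that the width and the existing members are preserved.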
Enabling and Disabling a Port using SNMP
To enable and disable a port using SNMP, use the following commands.
1. Create an SNMP community on the Dell system. The community must have write access for the Set operation to succeed; any host that knows a read-write community can then change the admin status of any port, so prefer SNMPv3 for write operations.
CONFIGURATION mode
snmp-server community
2. From the Dell Networking system, identify the interface index of the port for which you want to change the admin status.
EXEC Privilege mode
show interface
Or, from the management system, use the snmpwalk command to identify the interface index.
3.
Example of Fetching MAC Addresses Learned on the Default VLAN Using SNMP
----------------MAC Addresses on Dell System-----------------
R1_E600#show mac-address-table
VlanId  Mac Address        Type     Interface  State
1       00:01:e8:06:95:ac  Dynamic  Te 1/21    Active
----------------Query from Management Station-----------------
>snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.2.1.17.4.3.1
SNMPv2-SMI::mib-2.17.4.3.1.1.0.1.232.6.149.
show interface To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object or, to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object. Table 97. MIB Objects for Viewing the System Image on Flash Partitions MIB Object OID Description MIB chSysSwInPartitionAImgVers 1.3.6.1.4.1.6027.3.10.1.2.8.1.11 List the version string of the system image in Flash Partition A. Chassis MIB chSysSwInPartitionBImgVers 1.3.6.1.4.1.6027.3.10.1.2.8.1.
● snmp-server community public ro ● snmp-server community VRF1 ro ● snmp-server community VRF2 ro ● snmp-server context cx1 ● snmp-server context cx2 ● snmp-server group admingroup 3 auth read readview write writeview ● snmp-server group admingroup 3 auth read readview context cx1 ● snmp-server group admingroup 3 auth read readview context cx2 ● snmp-server user admin admingroup 3 auth md5 helloworld ● snmp mib community-map VRF1 context cx1 ● snmp mib community-map VRF2 context cx2 ● snmp-server view readv
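The SNMPv3 lines above create the user with auth md5 helloworld on a group defined with 3 auth, which is the authNoPriv security level: requests are authenticated but not encrypted, so add a privacy password (the priv form shown earlier in this chapter) wherever management traffic crosses a network you do not trust. What the agent ends up using is not the password itself but a key derived from it and bound to the agent's own snmpEngineID. The Python below is added here as an illustration and is not taken from this guide or from Dell's software; it carries out that derivation as RFC 3414 defines it. The engine ID is the test value from the RFC 3414 appendix, not a Dell engine ID, and the function names are this example's own.

```python
"""SNMPv3 USM password-to-key and key localization (RFC 3414, section 2.6).

Added example, not from the Dell guide and not Dell code.  Ku is the hash
of the password repeated to exactly 1 MiB; Kul = H(Ku || engineID || Ku)
binds it to one agent.  The engine ID used in __main__ is the RFC 3414
appendix test value.
"""
import hashlib

MEGABYTE = 1_048_576


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: digest of the password repeated cyclically to 1,048,576 bytes."""
    if not password:
        raise ValueError("empty password")
    stretched = (password * (MEGABYTE // len(password) + 1))[:MEGABYTE]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): different for every agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_auth_key(password: str, engine_id: bytes,
                       hash_name: str = "md5") -> bytes:
    """The key the agent stores for `snmp-server user ... auth <hash> <password>`."""
    return localize_key(password_to_key(password.encode(), hash_name),
                        engine_id, hash_name)


if __name__ == "__main__":
    rfc_engine = bytes.fromhex("000000000000000000000002")   # RFC 3414 test value
    for alg in ("md5", "sha1"):
        print(alg, localized_auth_key("maplesyrup", rfc_engine, alg).hex())
    # the password from the page, localized to the same test engine ID
    print("md5", localized_auth_key("helloworld", rfc_engine).hex())
```

Two consequences follow from the derivation. A localized key recovered from one agent does not give the password or the key for any other agent, because engineID is mixed into the hash. On the other hand the stretch is a single 1 MiB hash, so a weak password protected only by authNoPriv can be tested offline against one captured authenticated message; the privacy key is derived the same way, which is why a strong password matters at both levels.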
Monitor Port-Channels To check the status of a Layer 2 port-channel, use f10LinkAggMib (.1.3.6.1.4.1.6027.3.2). In the following example, Po 1 is a switchport and Po 2 is in Layer 3 mode. Example of SNMP Trap for Monitored Port-Channels [senthilnathan@lithium ~]$ snmpwalk -v 2c -c public 10.11.1.1 .1.3.6.1.4.1.6027.3.2.1.1 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.1 = INTEGER: 1 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.2 = INTEGER: 2 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.2.
IF-MIB::linkUp IF-MIB::ifIndex.1107755009 = INTEGER: 1107755009 SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Po 1" Troubleshooting SNMP Operation When you use SNMP to retrieve management data from an SNMP agent on a Dell Networking router, take into account the following behavior. ● When you query an IPv4 icmpMsgStatsInPkts object in the ICMP table by using the snmpwalk command, the output for echo replies may be incorrectly displayed.
Table 98. SNMP OIDs for Transceiver Monitoring (continued) Field (OID) Description SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.4 Optics Type SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.5 Vendor Name SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.6 Part Number SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.7 Serial Number SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.8 Transmit Power Lane1 SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.9 Transmit Power Lane2 SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.
55 Stacking
Stacking provides a single point of management and network interface controller (NIC) teaming for high availability and higher throughput. Stacking is supported on the 10 GbE data ports of the Ethernet module. Stacking is not supported on Fibre Channel/Ethernet Universal Port Modules. You can connect up to six S5000 switches in a single stack using port cables; no special cabling is required.
Figure 125. Four Stacked S5000 Switches Stack Management Roles The stack elects the management units for the stack management. ● Stack master — primary management unit, also called the master unit. ● Standby — secondary management unit. The master holds the control plane and the other units maintain a local copy of the forwarding databases. From the stack master you can configure: ● System-level features that apply to all stack members. ● Interface-level features for each stack member.
NOTE: The units with the highest MAC addresses become master and standby only if you do not configure priorities. The MAC address of the master unit is refreshed only when the stack is reloaded and a different unit becomes the stack manager. To view which switch is the stack master, enter the show system command. The following example shows sample output from an established stack.
A change in the stack master occurs when:
● You power down the stack master or bring the master switch offline.
MAC Addressing
All port interfaces in the stack use the MAC address of the management interface on the master switch. The chassis MAC address of the master switch is used as the stack MAC address. The stack continues to use the master's chassis MAC address even after a failover. The MAC address is not refreshed until the stack is reloaded and a different unit becomes the stack master.
Last failover type: None
-- Last Data Block Sync Record: --
Stack Unit Config:  succeeded Mar 24 2013 20:35:14
Start-up Config:    failed    Mar 24 2013 20:35:14
Runtime Event Log:  succeeded Mar 24 2013 20:35:14
Running Config:     succeeded Mar 24 2013 20:35:14
ACL Mgr:            succeeded Mar 24 2013 20:35:14
LACP:               no block sync done
STP:                no block sync done
SPAN:               no block sync done
Management Access on Stacks
You can access the stack via the console port or VTY line.
Create a Stack Stacking is enabled on the device using the front end ports. Stack Group/Port Numbers By default, each unit in Standalone mode is numbered stack-unit 0. A maximum of eight 10G stack links or two 40G stack links can be made between two units in a stack. The front end ports are divided into 16 stack groups, each with 40G of bandwidth. Stack groups 0 through 11 correspond to 10G stack groups with four ports each. Stack groups 12 to 15 are one 40G port each.
Enabling Front End Port Stacking To enable the front ports on a unit for stacking, use the following commands. NOTE: After a port has been allocated for stacking, you can only use it for stacking. If stack-group 0 is allocated for stacking, you can use ports 0, 1, 2, and 3 for stacking but not for Ethernet anymore. If only port 0 is used for stacking, ports 1, 2, and 3 are spare; they cannot be used for Ethernet. NOTE: You can stack a maximum of eight 10G stack ports. 1. Assign a stack group for each unit.
EXEC Privilege mode show system brief Start with the management unit, then the standby, then each of the members in order of their assigned stack number (or the position in the stack you want each unit to take). Allow each unit to completely boot, and verify that the stack manager detects the unit, then power the next unit. In the above example, stack unit 1 is the master management unit, stack unit 2 is the standby unit. The cables are connected to each unit.
CONFIGURATION mode
stack-unit stack-unit-number priority priority-number
4. Assign a stack group to each unit.
CONFIGURATION mode
stack-unit stack-unit-number stack-group stack-group-number
5. Connect the new unit to the stack using stacking cables.
The following example shows adding a stack unit with a conflicting stack number (before).
The following example shows adding a stack unit with a conflicting stack number (after).
Merge Two Stacks
You may merge two stacks while they are powered and online. To merge two stacks, connect one stack to the other with port cables between the front-end ports that are configured for stacking.
● Dell EMC Networking OS selects a master stack manager from the two existing managers based on the priority of the stack.
● Dell EMC Networking OS resets all the units in the losing stack; they all become stack members.
Stack Group   Ports
7             28 to 31
8             32 to 35
9             36 to 39
10            40 to 43
11            44 to 47
12            48
13            52
14            56
15            60
For example, to configure 10-Gigabit Ethernet ports 16 to 19 on stack unit 0 for stacking, enter the stack-unit 0 stack-group 4 command in Global Configuration mode.
Figure 127. S5000 Stack-Group Assignments
Supported Stacking Topologies
The S5000 supports stacking up to six units in a ring or a daisy chain topology.
Figure 128. S5000 Supported Stacking Topologies
Configuring an S5000 Switch Stack
To configure and bring up a switch stack, follow these steps.
1. Power down the switches in the stack and attach port cables to connect the ports between pairs of switches. Connect ports with the same speed on each pair of stacked switches.
2. Power up each stack unit.
3. Configure the stacking ports on each switch, including unit number and priority.
4.
● All stacked S5000 switches must run the same Dell Networking OS version. The minimum Dell Networking OS version required is 9.1(1.0). To check the Dell Networking OS version that a switch is running, power on the switch and enter the show version command. To download a Dell Networking OS version, go to http://support.dell.com. ● Stacking is not supported on switches enabled for virtual link trunking (VLT). To convert a stack unit to VLT operation, refer to Reconfiguring Stacked Switches as VLT.
NOTE: If you reconfigure the priorities of stacked switches in an existing S5000 stack, reload the stack so that a new master and standby election takes place.
Renumbering a Stack Unit
By default, each stack unit is assigned the unit-number 0. When you renumber a stacked switch in an existing stack:
● If you renumber the master switch, you are prompted to reload the entire stack.
CONFIGURATION mode stack-unit unit-number stack-group group-number ● stack-unit unit-number is the stack-unit number. ● stack-group group-number is group of four 10 GbE ports or one 40 GbE port. The valid values are from 0 to 15. 8. Save the stacking configuration to the startup configuration. EXEC Privilege mode write memory 9. Repeat Steps 7 and 8 on each stack unit to configure the stack ports on the master, standby, and member units. 10.
! Feb 8 17:10:10: %STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startupconfig in flash by default Proceed with reload [confirm yes/no]: yes Feb 8 17:11:47: %STKUNIT1-M:CP %CHMGR-5-RELOAD: User request to reload the chassis The following example shows viewing the two-switch stack configuration.
-- Module 1 --
Status        : online
Module Type   : S5000-MOD-12xETH10-F - 12-port 10GE SFP+ (SH)
Num Ports     : 12
Hot Pluggable : no
-- Module 2 --
Status        : online
Module Type   : S5000-MOD-12xETH10-F - 12-port 10GE SFP+ (SH)
Num Ports     : 12
Hot Pluggable : no
-- Module 3 --
Status        : online
Module Type   : S5000-MOD-12xETH10-F - 12-port 10GE SFP+ (SH)
Num Ports     : 12
Hot Pluggable : no
-- Power Supplies --
Unit  Bay  Status  Type  FanStatus
----------------------------------------------------------------
0     0    up      AC    up
0     1    up
Status        : not present
Required Type :
-- Unit 10 --
Unit Type     : Member Unit
Status        : not present
Required Type :
-- Unit 11 --
Unit Type     : Member Unit
Status        : not present
Required Type :
Dell#
Provisioning a Stack Unit
You can logically provision a stack-unit number to accept only an S5000 switch. Provisioning is a type of pre-configuration that is stored on the master switch and applied when a stacked unit is assigned the unit number.
1. Create a virtual stack unit by logically provisioning a switch.
To display the stack-unit number, use the show system brief command. Removing a Stack Group from Stacking Mode To remove a stack group of four 10 GbE ports or one 40 GbE port from the stack, use the no form of the stack-unit unit-number stack-group number command. After entering the command, save the configuration and if necessary, re-attach the cables to ports in a different stack group that has been enabled for stacking. Then reload the stack for the change to take effect. 1.
Adding a Standalone Switch to a Stack The following steps describe adding a standalone switch to a stack with no configured stack groups (steps from 1 to 6) and with configured stack groups (steps 7 and 8). To add a standalone switch with no stack groups configured to a stack, follow these steps. 1. Attach port cables to connect ports on the switch to one or more switches in the stack. 2. Power on the switch. 3. Log on to the CLI and enter Global Configuration mode.
● The new stack master uses its own startup and running configurations to synchronize the configurations on the new stack members. NOTE: Adding a new unit that is powered on and has stack groups configured is the same as merging two stacks (refer to Adding a Stack Unit). If the new unit is configured with a higher priority than the current stack master, it becomes the new stack master and the stack reloads.
Verify a Stack Configuration
The following lists the status of a stacked switch (master, standby master, or member unit) according to the color of the System Status LED on its front panel.
● Green: The switch is online and operating as a master, standby, or member unit in a stack or as a standalone unit.
● Blinking Green: The switch is booting up.
● Amber: A failure condition in switch operation has occurred.
11   0/44,45,46,47
12   0/48
13   0/52
14   0/56
15   0/60
The following example shows the show system stack-ports (ring) command.
Interface  Connection  Link Speed (Gb/s)  Admin Status  Link Status
3/10       2/18        10                 up            up
3/11       2/19        10                 up            up
3/12       4/4         10                 up            up
3/13       4/5         10                 up            up
3/14       4/6         10                 up            up
3/15       4/7         10                 up            up
3/16       4/8         10                 up            up
3/17       4/9         10                 up            up
3/18       4/10        10                 up            up
3/19       4/11        10                 up            up
4/4        3/12        10                 up            up
4/5        3/13        10                 up            up
4/6        3/14        10                 up            up
4/7        3/15        10                 up            up
4/8        3/16        10                 up            up
4/9        3/17        10                 up            up
4/10       3/18        10                 up            up
4/11       3/19        10                 up            up
The following example shows the show system stack-ports topology command.
Command Output unit-number stack-port port-number clear hardware stack-unit unit-number counters Clears statistics on the specified stack unit. The valid stack-unit numbers are from 0 to 11.
Last failover type: None
-- Last Data Block Sync Record: --
Stack Unit Config:  succeeded Feb 13 2013 15:13:52
Start-up Config:    succeeded Feb 13 2013 15:13:52
Runtime Event Log:  succeeded Feb 13 2013 15:13:52
Running Config:     succeeded Feb 13 2013 15:13:52
ACL Mgr:            succeeded Feb 13 2013 15:13:52
LACP:               no block sync done
STP:                no block sync done
SPAN:               no block sync done
Example of the show hardware stack-unit stack port Command
Dell# show hardware stack-unit 1 stac
Unplugged Stacking Cable Problem: A stacking cable is unplugged from a member switch. The stack loses half of its bandwidth from the disconnected switch. Resolution: Intra-stack traffic is re-routed on another link using the redundant stacking port on the switch. A recalculation of control plane and data plane connections is performed. Master Switch Fails Problem: The master switch fails due to a hardware fault, software crash, or power loss. Resolution: A failover procedure begins: 1.
To verify that the problem has been resolved and the stacked switch is back online, use the show system brief command.
Specify the system partition on the master switch into which you want to copy the Dell Networking OS image. The valid values are a: and b:. The system prompts you to upgrade all member units with the new Dell Networking OS version. 3. Reboot all stack units to load the Dell Networking OS image from the same partition on all switches in the stack. CONFIGURATION mode boot system stack-unit all primary system partition 4. Save the configuration. EXEC Privilege mode write memory 5.
4. Reset the stack unit to activate the new Dell Networking OS version. EXEC Privilege power-cycle stack-unit unit-number The following example shows how to upgrade an individual stack unit.
56 Storm Control The storm control feature allows you to limit unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces. The lowest rate that storm control can limit to is two packets per second (PPS). Dell Networking Operating System (OS) Behavior: Dell Networking OS supports broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic.
● Limit the rate of multicast traffic allowed on an S-Series interface (ingress only), in packets per second. INTERFACE mode storm-control multicast packets_per_second in ● Shut down the port if it receives PFC/LLFC packets at more than the configured rate. INTERFACE mode storm-control pfc-llfc pps in shutdown NOTE: An interface with PFC/LLFC storm control enabled is shut down if it receives a continuous stream of PFC/LLFC packets above the configured rate.
57 Spanning Tree Protocol (STP) Spanning tree protocol (STP) is a Layer 2 protocol, specified by IEEE 802.1D, that eliminates loops in a bridged topology by enabling only a single path through the network.
Related Configuration Tasks
● Adding an Interface to the Spanning Tree Group
● Modifying Global Parameters
● Modifying Interface STP Parameters
● Enabling PortFast
● Prevent Network Disruptions with BPDU Guard
● STP Root Guard
● Enabling SNMP Traps for Root Elections and Topology Changes
● Configuring Spanning Trees as Hitless
Important Points to Remember
● STP is disabled by default.
● The Dell Networking OS supports only one spanning tree instance (0).
Configuring Interfaces for Layer 2 Mode All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled. Figure 129. Example of Configuring Interfaces for Layer 2 Mode To configure and enable the interfaces for Layer 2, use the following commands. 1. If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2. Place the interface in Layer 2 mode. INTERFACE mode switchport 3. Enable the interface.
no shutdown Dell(conf-if-te-1/1)# Enabling Spanning Tree Protocol Globally Enable the spanning tree protocol globally; it is not enabled by default. When you enable STP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the Spanning Tree topology. ● Only one path from any bridge to any other bridge participating in STP is enabled. ● Bridges block a redundant path by disabling one of the link ports. Figure 130.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
R2#show spanning-tree 0
Executing IEEE compatible Spanning Tree Protocol
Bridge Identifier has priority 32768, address 0001.e826.ddb7
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32768, address 0001.e80d.
● Disable spanning tree on a Layer 2 interface. INTERFACE mode no spanning-tree 0 Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP. NOTE: Dell Networking recommends that only experienced network administrators change the spanning tree parameters.
Modifying Interface STP Parameters You can set the port cost and port priority values of interfaces in Layer 2 mode. ● Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port. ● Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost. The default values are listed in Modifying Global Parameters.
Prevent Network Disruptions with BPDU Guard Configure the PortFast (and EdgePort, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with PortFast/EdgePort do not expect to receive BPDUs. If an EdgePort does receive a BPDU, it likely means that it is connected to another part of the network (or to an unauthorized switch), which can negatively affect the STP topology.
Figure 131. Enabling BPDU Guard Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but they are two separate features. BPDU guard: ● is used on EdgePorts and blocks all traffic on the EdgePort if it receives a BPDU. ● drops the BPDU after it reaches the RPM and generates a console message.
Global BPDU Filtering By default, when you enable BPDU filtering globally, it stops transmitting BPDUs on the operational portfast-enabled ports. When the port receives BPDUs, it automatically participates in the spanning tree. By default, global BPDU filtering is disabled. Figure 132. BPDU Filtering Enabled Globally Interface BPDU Filtering When you enable BPDU filtering on an interface, it stops sending and receiving BPDUs on the portfast-enabled ports.
Selecting STP Root STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command. ● Assign a number as the bridge priority or designate it as the root or secondary root.
Figure 134. STP Root Guard Prevents Bridging Loops Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: ● Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in a global configuration mode. Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps individually or collectively, use the following commands. ● Enable SNMP traps for spanning tree state changes. snmp-server enable traps stp ● Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
As soon as a BPDU is received on an STP port in a Loop-Inconsistent state, the port returns to a blocking state. If you disable STP loop guard on a port in a Loop-Inconsistent state, the port transitions to an STP blocking state and restarts the max-age timer. Figure 135. STP Loop Guard Prevents Forwarding Loops Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis.
○ If a BPDU is received from a remote device, BPDU guard places the port in an Err-Disabled Blocking state and no traffic is forwarded on the port. ○ If no BPDU is received from a remote device, loop guard places the port in a Loop-Inconsistent Blocking state and no traffic is forwarded on the port. ● When used in a PVST+ network, STP loop guard is performed per-port or per-port channel at a VLAN level.
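The two guard behaviours above differ in what they treat as the fault (a BPDU that arrives on an edge port versus BPDUs that stop arriving on a non-edge port) and in the state they leave the port in. The following Python model is an added illustration, not code from this guide or from Dell Networking OS: it encodes the port transitions the text describes so the two guards can be exercised side by side. The port names, the event sequence, and the behaviour of a plain PortFast port without a guard (it reverts to normal STP on receiving a BPDU) are assumptions.

```python
"""State model for STP BPDU guard and loop guard on one Layer 2 port.

Added illustration, not code from the Dell guide: it encodes the port
behaviour the text describes so the two guards can be exercised side by
side. Port names, the event sequence and the state labels are constructed.
"""
from dataclasses import dataclass, field
from typing import List

ERR_DISABLED = "Err-Disabled Blocking"             # BPDU guard violation
LOOP_INCONSISTENT = "Loop-Inconsistent Blocking"   # loop guard, BPDUs stopped
BLOCKING = "Blocking"
FORWARDING = "Forwarding"


@dataclass
class Port:
    name: str
    portfast: bool = False     # EdgePort/PortFast: expects no BPDUs
    bpdu_guard: bool = False   # only meaningful together with portfast
    loop_guard: bool = False   # per-port STP loop guard
    state: str = FORWARDING
    max_age_restarted: bool = False
    log: List[str] = field(default_factory=list)

    def _note(self, msg: str) -> None:
        self.log.append(f"{self.name}: {msg}")

    def on_bpdu(self) -> str:
        """A BPDU arrives from a remote device."""
        if self.portfast and self.bpdu_guard:
            # BPDU guard: the port is err-disabled and forwards nothing.
            self.state = ERR_DISABLED
            self._note("BPDU received on EdgePort, port placed in Err-Disabled Blocking")
        elif self.state == LOOP_INCONSISTENT:
            # Loop guard: BPDUs resumed, so the port returns to blocking.
            self.state = BLOCKING
            self._note("BPDU received, leaving Loop-Inconsistent state")
        elif self.portfast:
            # Plain PortFast with no guard: the port stops being an edge port
            # and runs normal STP (assumed behaviour, not stated in the text).
            self.portfast = False
            self.state = BLOCKING
            self._note("BPDU received, PortFast cleared, running normal STP")
        # A normal STP port simply refreshes its timers on each BPDU.
        return self.state

    def on_max_age_expired(self) -> str:
        """No BPDU was received for max-age on a port that expected them."""
        if self.loop_guard and self.state in (BLOCKING, FORWARDING):
            # Loop guard: silence is treated as a fault, not as permission
            # to forward, so the port is held in a blocking state.
            self.state = LOOP_INCONSISTENT
            self._note("BPDUs stopped, port placed in Loop-Inconsistent Blocking")
        elif self.state == BLOCKING:
            # Without loop guard a blocked port that stops hearing its
            # designated bridge transitions to forwarding: this is the
            # unidirectional-link failure that creates a forwarding loop.
            self.state = FORWARDING
            self._note("BPDUs stopped, blocked port now forwarding (loop risk)")
        return self.state

    def disable_loop_guard(self) -> str:
        """Operator removes loop guard while the port is loop-inconsistent."""
        self.loop_guard = False
        if self.state == LOOP_INCONSISTENT:
            self.state = BLOCKING
            self.max_age_restarted = True
            self._note("loop guard removed, port blocking, max-age timer restarted")
        return self.state


def run_scenario() -> dict:
    """Drive three constructed ports through the same events."""
    edge = Port("Te 0/1", portfast=True, bpdu_guard=True)
    guarded = Port("Te 0/2", loop_guard=True, state=BLOCKING)
    unguarded = Port("Te 0/3", state=BLOCKING)

    edge.on_bpdu()                 # an unexpected switch on an edge port
    guarded.on_max_age_expired()   # upstream stops sending BPDUs
    unguarded.on_max_age_expired()
    guarded.on_bpdu()              # BPDUs resume
    return {p.name: p.state for p in (edge, guarded, unguarded)}


if __name__ == "__main__":
    for name, state in run_scenario().items():
        print(f"{name:8} -> {state}")
```

The unguarded port in the scenario is the case loop guard exists for: once its designated bridge goes silent, ordinary STP lets it forward, and a unidirectional link becomes a loop.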
58 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell EMC Networking device. For more information on SmartScripts, see Dell EMC Networking Open Automation guide. Figure 136.
Enable the SupportAssist service. CONFIGURATION mode support-assist activate DellEMC(conf)#support-assist activate This command guides you through steps to configure SupportAssist. Configuring SupportAssist Manually To manually configure SupportAssist service, use the following commands. 1. Accept the end-user license agreement (EULA). CONFIGURATION mode eula-consent {support-assist} {accept | reject} NOTE: Once accepted, you do not have to accept the EULA again.
support-assist DellEMC(conf)#support-assist DellEMC(conf-supportassist)# 3. (Optional) Configure the contact information for the company. SUPPORTASSIST mode contact-company name {company-name}[company-next-name] ... [company-next-name] DellEMC(conf)#support-assist DellEMC(conf-supportassist)#contact-company name test DellEMC(conf-supportassist-cmpy-test)# 4. (Optional) Configure the contact name for an individual.
[no] activity {full-transfer|core-transfer|event-transfer} DellEMC(conf-supportassist)#activity full-transfer DellEMC(conf-supportassist-act-full-transfer)# DellEMC(conf-supportassist)#activity core-transfer DellEMC(conf-supportassist-act-core-transfer)# DellEMC(conf-supportassist)#activity event-transfer DellEMC(conf-supportassist-act-event-transfer)# 2. Copy an action-manifest file for an activity to the system.
SUPPORTASSIST ACTIVITY mode [no] enable DellEMC(conf-supportassist-act-full-transfer)#enable DellEMC(conf-supportassist-act-full-transfer)# DellEMC(conf-supportassist-act-core-transfer)#enable DellEMC(conf-supportassist-act-core-transfer)# DellEMC(conf-supportassist-act-event-transfer)#enable DellEMC(conf-supportassist-act-event-transfer)# Configuring SupportAssist Company SupportAssist Company mode allows you to configure name, address and territory information of the company.
[no] contact-person [first ] last DellEMC(conf-supportassist)#contact-person first john last doe DellEMC(conf-supportassist-pers-john_doe)# 2. Configure the email addresses to reach the contact person. SUPPORTASSIST PERSON mode [no] email-address primary email-address [alternate email-address] DellEMC(conf-supportassist-pers-john_doe)#email-address primary jdoe@mycompany.com DellEMC(conf-supportassist-pers-john_doe)# 3. Configure phone numbers of the contact person.
[no] enable DellEMC(conf-supportassist-serv-default)#enable DellEMC(conf-supportassist-serv-default)# 4. Configure the URL to reach the SupportAssist remote server. Use an https:// URL so that the collected troubleshooting data is sent over TLS rather than in clear text. SUPPORTASSIST SERVER mode [no] url uniform-resource-locator DellEMC(conf-supportassist-serv-default)#url https://192.168.1.1/index.htm DellEMC(conf-supportassist-serv-default)# Viewing SupportAssist Configuration To view the SupportAssist configurations, use the following commands: 1.
! server Dell enable url http://1.1.1.1:1337 DellEMC# 3. Display the EULA for the feature. EXEC Privilege mode show eula-consent {support-assist | other feature} DellEMC#show eula-consent support-assist SupportAssist EULA has been: Accepted Additional information about the SupportAssist EULA is as follows: By installing SupportAssist, you allow Dell to save your contact information (e.g.
59 System Time and Date System time and date settings and the network time protocol (NTP) are supported on Dell EMC Networking OS. You can set the system time and date manually and maintain them through NTP. They are also set through the Dell EMC Networking Operating System (OS) command line interface (CLI) and hardware settings. The Dell EMC Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Protocol Overview The NTP client sends messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode.
R6_E300(conf)#do show ntp status
Clock is synchronized, stratum 2, reference is 192.168.1.1
frequency is -369.623 ppm, stability is 53.319 ppm, precision is 4294967279
reference time is CD63BCC2.0CBBD000 (16:54:26.049 UTC Thu Mar 12 2009)
clock offset is 997.529984 msec, root delay is 0.00098 sec
root dispersion is 10.04271 sec, peer dispersion is 10032.
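Log timestamps, certificate validity checks and replay windows all depend on this clock, so the fields in show ntp status are worth checking mechanically rather than by eye. The following Python check is an added example, not code from this guide or from Dell Networking OS: it parses the output format shown above, converts the hexadecimal NTP reference timestamp to a calendar date (which should agree with the parenthesized value), and flags a clock whose offset or root dispersion is too large to trust. The sample text is constructed from the figures above; the peer dispersion value, the thresholds and the field names are assumptions.

```python
"""Parse 'show ntp status' and flag clocks too far off to trust.

Added example, not part of the Dell guide. The sample text is constructed
from the figures in the output above; the peer dispersion value, the
thresholds and the field names are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

SAMPLE_STATUS = """\
Clock is synchronized, stratum 2, reference is 192.168.1.1
frequency is -369.623 ppm, stability is 53.319 ppm, precision is 4294967279
reference time is CD63BCC2.0CBBD000 (16:54:26.049 UTC Thu Mar 12 2009)
clock offset is 997.529984 msec, root delay is 0.00098 sec
root dispersion is 10.04271 sec, peer dispersion is 10032.000 msec
"""


def ntp_timestamp_to_datetime(hex_ts: str) -> datetime:
    """Convert a 64-bit NTP timestamp written as SECONDS.FRACTION in hex."""
    secs_hex, frac_hex = hex_ts.split(".")
    seconds = int(secs_hex, 16) + int(frac_hex, 16) / 2**32
    return NTP_EPOCH + timedelta(seconds=seconds)


def parse_ntp_status(text: str) -> dict:
    """Pull the fields a monitoring check cares about out of the output."""
    def grab(pattern, conv=float):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else None

    ref_hex = grab(r"reference time is ([0-9A-Fa-f]+\.[0-9A-Fa-f]+)", str)
    return {
        "synchronized": text.lstrip().startswith("Clock is synchronized"),
        "stratum": grab(r"stratum (\d+)", int),
        "reference": grab(r"reference is (\S+)", str),
        "reference_time": ntp_timestamp_to_datetime(ref_hex) if ref_hex else None,
        "offset_ms": grab(r"clock offset is (-?[\d.]+) msec"),
        "root_delay_s": grab(r"root delay is (-?[\d.]+) sec"),
        "root_dispersion_s": grab(r"root dispersion is (-?[\d.]+) sec"),
    }


def assess(status: dict, max_offset_ms: float = 128.0,
           max_stratum: int = 4, max_root_dispersion_s: float = 1.0) -> list:
    """Return human-readable findings; an empty list means the clock is usable."""
    findings = []
    if not status["synchronized"]:
        findings.append("clock is not synchronized to any NTP source")
    if status["stratum"] is not None and status["stratum"] > max_stratum:
        findings.append(f"stratum {status['stratum']} exceeds {max_stratum}")
    if status["offset_ms"] is not None and abs(status["offset_ms"]) > max_offset_ms:
        findings.append(f"clock offset {status['offset_ms']:.1f} ms exceeds "
                        f"{max_offset_ms} ms")
    if (status["root_dispersion_s"] is not None
            and status["root_dispersion_s"] > max_root_dispersion_s):
        findings.append(f"root dispersion {status['root_dispersion_s']:.2f} s "
                        f"exceeds {max_root_dispersion_s} s")
    return findings


if __name__ == "__main__":
    parsed = parse_ntp_status(SAMPLE_STATUS)
    print("reference time:", parsed["reference_time"].isoformat())
    for finding in assess(parsed) or ["clock OK"]:
        print("-", finding)
```

On the sample above the clock reports synchronized at stratum 2, yet the offset is close to a second and the root dispersion ten seconds, so the check still reports two findings; "synchronized" alone is not a guarantee of usable time.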
○ For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
○ For the Management interface, enter the keyword ManagementEthernet then the slot/port information.
○ For a port channel interface, enter the keywords port-channel then a number.
○ For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
To view the configuration, use the show running-config ntp command in EXEC privilege mode (refer to the example in Configuring NTP Authentication).
ntp master To configure the switch as an NTP server, use the ntp master command. The stratum number identifies the NTP server's position in the hierarchy. The following example shows configuring an NTP server.
R6_E300(conf)#1w6d23h : NTP: xmit packet to 192.168.1.1: leap 0, mode 3, version 3, stratum 2, ppoll 1024
rtdel 0219 (8.193970), rtdsp AF928 (10973.266602), refid C0A80101 (192.168.1.1)
ref CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009)
org CD7F4F63.68000000 (14:51:15.
● Receive Timestamp — the arrival time on the client of the last NTP message from the server. If the server becomes unreachable, the value is set to zero. ● Transmit Timestamp — the departure time on the server of the current NTP message from the sender. ● Filter dispersion — the error in calculating the minimum delay from a set of sample data from a peer. To view the NTP configuration, use the show running-config ntp command in EXEC privilege mode.
○ time: enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format; for example, 17:15:00 is 5:15 pm. ○ month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year. ○ day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year. ○ year: enter a four-digit number as the year.
○ end-month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year. ○ end-day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year. ○ end-year: enter a four-digit number as the year. The range is from 1993 to 2035. ○ end-time: enter the time in hours:minutes.
pacific Sat Nov 7 2009" NOTE: If you press Enter (<CR>) after entering the recurring command parameter, and you have already set a one-time daylight saving time/date, the system uses that time and date as the recurring setting. The following example shows the clock summer-time recurring parameters.
60 Tunneling Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, path MTU discovery, and fragmented packets are not supported.
The following sample configuration shows a tunnel configured in IPv6 mode (IPv6 tunnel carries IPv4 and IPv6 traffic):
DellEMC(conf)#interface tunnel 3
DellEMC(conf-if-tu-3)#tunnel source 5::5
DellEMC(conf-if-tu-3)#tunnel destination 8::9
DellEMC(conf-if-tu-3)#tunnel mode ipv6
DellEMC(conf-if-tu-3)#ip address 3.1.1.1/24
DellEMC(conf-if-tu-3)#ipv6 address 3::1/64
DellEMC(conf-if-tu-3)#no shutdown
DellEMC(conf-if-tu-3)#show config
!
interface Tunnel 3
 ip address 3.1.1.
 no shutdown
DellEMC(conf)#interface tunnel 1
DellEMC(conf-if-tu-1)#ip unnumbered tengigabitethernet 1/1
DellEMC(conf-if-tu-1)#ipv6 unnumbered tengigabitethernet 1/1
DellEMC(conf-if-tu-1)#tunnel source 40.1.1.1
DellEMC(conf-if-tu-1)#tunnel mode ipip decapsulate-any
DellEMC(conf-if-tu-1)#no shutdown
DellEMC(conf-if-tu-1)#show config
!
interface Tunnel 1
 ip unnumbered TenGigabitEthernet 1/1
 ipv6 unnumbered TenGigabitEthernet 1/1
 tunnel source 40.1.1.
 no shutdown
61 Uplink Failure Detection (UFD) Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with NIC teaming, automatic recovery from a failed link.
Figure 138. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 139. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number by using the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group. This calculation ensures that there are no traffic drops due to insufficient bandwidth on the upstream links to the routers/switches.
● If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with an UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
downstream auto-recover By default, auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command. 5. (Optional) Enter a text description of the uplink-state group. UPLINK-STATE-GROUP mode description text The maximum length is 80 alphanumeric characters. 6. (Optional) Disable upstream-link tracking without deleting the uplink-state group.
02:38:31 : UFD: Group:3, UplinkState: UP
02:38:31: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Changed uplink state group state to up: Group 3
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error-disabled: Fo 13/0
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error-disabled: Fo 13/1
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error-disabled: Fo 13/3
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error-disabled: Fo 13/5
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error-disabled: Fo 13/6
Uplink State Group : 1
Upstream Interfaces   :
Downstream Interfaces :
Status: Enabled, Up
Uplink State Group : 3   Status: Enabled, Up
Upstream Interfaces   : Te 0/46(Up) Te 0/47(Up)
Downstream Interfaces : Te 13/0(Up) Te 13/1(Up) Te 13/3(Up) Te 13/5(Up) Te 13/6(Up)
Uplink State Group : 5   Status: Enabled, Down
Upstream Interfaces   : Te 0/0(Dwn) Te 0/3(Dwn) Te 0/5(Dwn)
Downstream Interfaces : Te 13/2(Dis) Te 13/4(Dis) Te 13/11(Dis) Te 13/12(Dis) Te 13/13(Dis) Te 13/14(Dis) Te 13/15(Dis)
Uplink State Group : 6 Up
downstream TenGigabitEthernet 0/1, 3, 5, 7-10
upstream TengigabitEthernet 0/56, 60
Dell(conf-uplink-state-group-16)# show configuration
!
uplink-state-group 16
 no enable
 description test
 downstream disable links all
 downstream TenGigabitEthernet 0/40
 upstream TenGigabitEthernet 0/41
 upstream Port-channel 8
Sample Configuration: Uplink Failure Detection The following example shows a sample configuration of UFD on a switch/router in which you configure as follows.
● Configure uplink-state group 3.
(Up): Interface up  (Dwn): Interface down  (Dis): Interface disabled
Uplink State Group : 3   Status: Enabled, Up
Upstream Interfaces   : Te 0/3(Up) Te 0/4(Dwn)
Downstream Interfaces : Te 0/1(Dis) Te 0/2(Dwn) Te 0/5(Dwn) Te 0/9(Dwn) Te 0/11(Dwn) Te 0/12(Dwn)
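The show uplink-state-group output above is what an operator reads to confirm that UFD did what the rules in How Uplink Failure Detection Works say it should: disable every downstream port when all uplinks are down, otherwise the configured number of links starting from the lowest-numbered port, and re-enable them when the uplinks return. The following Python audit is an added example, not code from this guide or from Dell Networking OS: it parses that output format, recomputes the expected set of UFD-disabled downstream ports per group, and reports any port whose state disagrees, such as one left disabled after the uplinks recovered with auto-recovery turned off. The sample output, the third group and the per-group downstream disable links values are constructed.

```python
"""Audit 'show uplink-state-group' output against the UFD rules.

Added example, not part of the Dell guide. The sample output and the
per-group 'downstream disable links' values are constructed.
"""
import re

SAMPLE_OUTPUT = """\
(Up): Interface up   (Dwn): Interface down   (Dis): Interface disabled

Uplink State Group  : 3   Status: Enabled, Up
Upstream Interfaces   : Te 0/3(Up) Te 0/4(Dwn)
Downstream Interfaces : Te 0/1(Dis) Te 0/2(Dwn) Te 0/5(Dwn) Te 0/9(Dwn) Te 0/11(Dwn) Te 0/12(Dwn)

Uplink State Group  : 5   Status: Enabled, Down
Upstream Interfaces   : Te 0/0(Dwn) Te 0/3(Dwn) Te 0/5(Dwn)
Downstream Interfaces : Te 13/2(Dis) Te 13/4(Dis) Te 13/11(Dis)

Uplink State Group  : 6   Status: Enabled, Up
Upstream Interfaces   : Te 0/46(Up) Te 0/47(Up)
Downstream Interfaces : Te 13/7(Dis) Te 13/8(Up)
"""

GROUP_RE = re.compile(r"Uplink State Group\s*:\s*(\d+)\s+Status:\s*(\w+),\s*(\w+)")
IFACE_RE = re.compile(r"([A-Za-z]+ \d+/\d+)\((Up|Dwn|Dis)\)")


def port_key(name: str):
    """Sort key so 'Te 0/2' orders before 'Te 0/11' (numeric, not lexical)."""
    prefix, slot_port = name.split()
    slot, port = slot_port.split("/")
    return (prefix, int(slot), int(port))


def parse_uplink_state_groups(text: str) -> list:
    """Return one dict per group: id, enabled, up, upstream, downstream."""
    groups = []
    for block in re.split(r"\n\s*\n", text):
        header = GROUP_RE.search(block)
        if not header:
            continue                      # legend line or noise
        gid, admin, oper = header.groups()
        ups, downs = {}, {}
        for line in block.splitlines():
            ifaces = dict(IFACE_RE.findall(line))
            if line.startswith("Upstream"):
                ups = ifaces
            elif line.startswith("Downstream"):
                downs = ifaces
        groups.append({"id": int(gid), "enabled": admin == "Enabled",
                       "up": oper == "Up", "upstream": ups, "downstream": downs})
    return groups


def expected_disabled(group: dict, links) -> set:
    """Downstream ports UFD should hold down, per the rules in the text."""
    n_up_down = sum(state == "Dwn" for state in group["upstream"].values())
    if not group["enabled"] or n_up_down == 0:
        return set()
    downs = sorted(group["downstream"], key=port_key)
    if links == "all" or n_up_down == len(group["upstream"]):
        return set(downs)
    return set(downs[:int(links)])        # lowest-numbered ports first


def audit(groups: list, links_by_group: dict) -> list:
    """Compare what UFD actually disabled with what the rules predict."""
    findings = []
    for g in groups:
        want = expected_disabled(g, links_by_group.get(g["id"], "all"))
        have = {p for p, s in g["downstream"].items() if s == "Dis"}
        for port in sorted(have - want, key=port_key):
            findings.append(f"group {g['id']}: {port} is UFD-disabled but the "
                            "uplinks do not require it (auto-recover off or stale state?)")
        for port in sorted(want - have, key=port_key):
            findings.append(f"group {g['id']}: {port} should be UFD-disabled")
    return findings


if __name__ == "__main__":
    parsed = parse_uplink_state_groups(SAMPLE_OUTPUT)
    for finding in audit(parsed, {3: 1}) or ["no discrepancies"]:
        print("-", finding)
```

Run against the constructed sample, groups 3 and 5 match the rules and only the stale Te 13/7 in group 6 is reported; a port stuck in the Dis state while both uplinks are up is exactly what no downstream auto-recover leaves behind until someone clears it.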
62 Upgrade Procedures To find the upgrade procedures, go to the Dell Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell Networking OS version. To upgrade your system type, follow the procedures in the Dell Networking OS Release Notes. Get Help with Upgrades Direct any questions or concerns about the Dell Networking OS upgrade procedures to the Dell Technical Support Center. You can reach Technical Support: ● On the web: http://dell.
63 Virtual LANs (VLANs) VLANs are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The Dell Networking operating system (OS) supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
● Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN. Alternatively, use the no switchport command, and Dell Networking OS removes the interface from the Default VLAN. ● A tagged interface requires an additional step to remove it from Layer 2 mode. Because tagged interfaces can belong to multiple VLANs, remove the tagged interface from all VLANs using the no tagged interface command.
● Tag control information (TCI) is 2 bytes and carries the 12-bit VLAN ID. The VLAN ID field can take 4,096 values, but two of them (0 and 4095) are reserved. NOTE: The insertion of the 4-byte tag header into the Ethernet frame increases the size of a maximum-length frame beyond the 1,518 bytes specified in the IEEE 802.3 standard. Some devices that are not compliant with IEEE 802.3 may not support the larger frame size.
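To make the tag layout above concrete, the following Python code is an added example, not code from this guide or from Dell Networking OS: it parses the 802.1Q header of a raw Ethernet frame (TPID 0x8100 followed by the 2-byte TCI holding PCP, DEI and the 12-bit VLAN ID), inserts or strips a tag the way a tagged or untagged member port would, rejects the reserved VLAN IDs, and shows that tagging a maximum-size 802.3 frame pushes it past 1,518 bytes. The sample frame is constructed; its source MAC is borrowed from the spanning-tree output earlier in this guide and its FCS is a placeholder, not a real CRC.

```python
"""Parse and insert IEEE 802.1Q tags on a raw Ethernet frame.

Added example, not part of the Dell guide. The sample frame is
constructed; the FCS is a 4-byte placeholder.
"""
import struct

TPID_8021Q = 0x8100
MAX_8023_FRAME = 1518          # 14-byte header + 1500 payload + 4-byte FCS
RESERVED_VIDS = {0, 4095}      # 0 = priority-tagged, 4095 = reserved


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into header fields; handles one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst, "src": src, "tagged": False,
            "pcp": None, "dei": None, "vid": None}
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=inner_type, payload=frame[18:])
    else:
        info.update(ethertype=ethertype, payload=frame[14:])
    return info


def insert_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a single 802.1Q tag after the source MAC (as a tagged port does)."""
    if not 0 <= vid <= 4095 or vid in RESERVED_VIDS:
        raise ValueError(f"VLAN ID {vid} is out of range or reserved")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0-7 and DEI 0 or 1")
    if parse_frame(frame)["tagged"]:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the outer 802.1Q tag (what an untagged member port transmits)."""
    if not parse_frame(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]


def exceeds_8023_max(frame: bytes) -> bool:
    """True when a frame is larger than the 1,518-byte 802.3 maximum."""
    return len(frame) > MAX_8023_FRAME


def build_sample_frame() -> bytes:
    """Constructed maximum-size untagged IPv4 frame (1,518 bytes with FCS)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0001e826ddb7")      # MAC borrowed from the STP output
    payload = bytes(1500)                    # maximum 802.3 payload
    fcs = b"\x00\x00\x00\x00"                # placeholder, not a real CRC
    return dst + src + struct.pack("!H", 0x0800) + payload + fcs


if __name__ == "__main__":
    untagged = build_sample_frame()
    tagged = insert_tag(untagged, vid=100, pcp=5)
    fields = parse_frame(tagged)
    print(f"VID={fields['vid']} PCP={fields['pcp']} DEI={fields['dei']}")
    print(f"{len(untagged)} -> {len(tagged)} bytes, "
          f"oversize for plain 802.3: {exceeds_8023_max(tagged)}")
```

The insert_tag check for an already tagged frame matters in practice: a second tag is how QinQ is built, and a port that blindly adds one to a frame it did not expect to be tagged can move traffic into a VLAN the sender never requested.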
Assigning Interfaces to a VLAN You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command. You can further designate these Layer 2 interfaces as tagged or untagged. For more information, refer to the Interfaces chapter and Configuring Layer 2 (Data Link) Mode.
4 Active T Po1(So 0/0-1)
Dell#
When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN. If the tagged interface is removed from the only VLAN to which it belongs, the interface is placed in the Default VLAN as an untagged interface. Moving Untagged Interfaces To move untagged interfaces from the Default VLAN to another VLAN, use the following commands. 1.
Assigning an IP Address to a VLAN VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, assign an IP address to the VLANs to route traffic between the two interfaces. The shutdown command in INTERFACE mode does not affect Layer 2 traffic on the interface; the shutdown command only prevents Layer 3 traffic from traversing over the interface. NOTE: You cannot assign an IP address to the Default VLAN (VLAN 1).
2. Configure the interface for Hybrid mode. INTERFACE mode portmode hybrid 3. Configure the interface for Switchport mode. INTERFACE mode switchport 4. Add the interface to a tagged or untagged VLAN.
64 VLT Proxy Gateway The virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration. For more information, see the Command Line Reference Guide.
Figure 141. Sample Configuration for a VLT Proxy Gateway Guidelines for Enabling the VLT Proxy Gateway Keep the following points in mind when you enable a VLT proxy gateway: ● Proxy gateway is supported only for VLT; for example, across a VLT domain. ● You must enable the VLT peer-routing command for the VLT proxy gateway to function.
● Private VLANs (PVLANs) are not supported. ● When a Virtual Machine (VM) moves from one VLT domain to another VLT domain, the VM host sends a gratuitous ARP (GARP), which in turn triggers a MAC movement from the previous VLT domain to the new VLT domain. ● After a station move, if the host sends a TTL 1 packet destined to its gateway (for example, a previous VLT node), the packet can be dropped.
● You cannot have interface–level LLDP disable commands on the interfaces configured for proxy gateway and you must enable both transmission and reception. ● You must connect both units of the remote VLT domain by the port channel member. ● If you connect more than one port to a unit of the remote VLT domain, the connection must be completed by the time you enable the proxy gateway LLDP. ● You cannot have other conflicting configurations (for example, you cannot have a static proxy gateway configuration).
For VLT Proxy Gateway to work in this scenario you must configure the VLT-peer-mac transmit command under VLT Domain Proxy Gateway LLDP mode, in both C and D (VLT domain 1) and C1 and D1 (VLT domain 2). This behavior is applicable only in the LLDP configuration and not required in the static configuration.
Sample Static Configuration on C switch or C1 switch Switch_C#conf Switch_C(conf)#vlt domain 1 Switch_C(conf-vlt-domain1)#proxy-gateway static Switch_C(conf-vlt-domain1-pxy-gw-static)#remote-mac-address ....
65 Virtual Link Trunking (VLT) Virtual link trunking (VLT) allows physical links between two chassis to appear as a single virtual link to the network core or other switches such as Edge, Access or ToR. VLT reduces the role of Spanning Tree protocols by allowing LAG terminations on two separate distribution or core switches, and by supporting a loop free topology. (A Spanning Tree protocol is still needed to prevent the initial loop that may occur prior to VLT being established.
The following illustration shows VLT deployed on S5000 switches. The switches appear as a single virtual switch from the point of view of the switch or server supporting LACP. Figure 143. Virtual Link Trunking on S5000 Switches VLT on Core Switches You can also deploy VLT on core switches. Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing.
Figure 144. VLT on Core Switches Multiple VLT A multiple VLT (mVLT) configuration allows two different VLT domains connected by a standard LACP LAG to form a loop-free Layer 2 topology in the aggregation layer. This configuration supports a maximum of four (4) units, increasing the number of available ports and allowing for dual redundancy of the VLT. The following illustration shows how the core/aggregation port density in the Layer 2 topology is increased using mVLT.
VLT Terminology The following are key VLT terms. ● Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. ● VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches. ● VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches. Both ends must be on 10 GbE or 40 GbE interfaces.
Configuration Notes When you configure VLT, the following conditions apply. ● VLT domain ○ A VLT domain supports two chassis members, which appear as a single logical device to network access devices connected to VLT ports through a port channel. ○ A VLT domain consists of the two core chassis, the interconnect trunk, backup link, and the LAG members connected to attached devices. ○ Each VLT domain has a unique MAC address that you create or VLT creates automatically.
○ If the link between VLT peer switches is established, any change to the VLT system MAC address or unit-id fails if the changes made create a mismatch by causing the VLT unit-ID to be the same on both peers and/or the VLT system MAC address does not match on both peers. ○ If you replace a VLT peer node, preconfigure the switch with the VLT system MAC address, unit-id, and other VLT parameters before connecting it to the existing VLT peer switch using the VLTi connection.
○ In a VLT domain, VRRP interoperates with virtual link trunks that carry traffic to and from access devices (refer to Overview). The VLT peers belong to the same VRRP group and are assigned master and backup roles. Each peer actively forwards L3 traffic, reducing the traffic flow over the VLT interconnect. ○ VRRP elects the router with the highest priority as the master in the VRRP group.
VLT Bandwidth Monitoring When bandwidth usage of the VLTi (ICL) exceeds 80%, a syslog error message (shown in the following message) and an SNMP trap are generated. %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 ) When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (shown in the following message) and an SNMP trap.
Figure 146. Example of PIM-Sparse Mode on VLT On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This allows multicast traffic that originates from the source that is connected to the VLT ports to reach the PIM router which has downstream neighbors.
RSTP Configuration RSTP is supported in a VLT domain. Before you configure VLT on peer switches, configure RSTP in the network. RSTP is required for initial loop prevention during the VLT startup phase. You may also use RSTP for loop prevention in the network outside of the VLT port channel. For information about how to configure RSTP, refer to Rapid Spanning Tree Protocol (RSTP). Run RSTP on both VLT peer switches.
Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 2) Dell_VLTpeer2(conf)#protocol spanning-tree rstp Dell_VLTpeer2(conf-rstp)#no disable Dell_VLTpeer2(conf-rstp)#bridge-priority 0 Configuring VLT To configure VLT, use the following procedure. Prerequisites: Before you begin, make sure that both VLT peer switches are running the same Dell Networking OS version and are configured for RSTP as described in RSTP Configuration.
Enabling VLT and Creating a VLT Domain To enable VLT and create a VLT domain, use the following steps. 1. Enable VLT on a switch, then configure a VLT domain and enter VLT-Domain Configuration mode. CONFIGURATION mode vlt domain domain-id The domain ID range is from 1 to 1000. Configure the same domain ID on the peer switch to allow for common peering. VLT uses the domain ID to automatically create a VLT MAC address for the domain.
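The Configuration Notes earlier in this chapter and the step above together give a short list of things that must agree before the VLTi is connected: the same domain ID on both peers, a VLT system MAC that matches, a unit-id that differs, and a backup destination that each peer can actually reach on the other. The following Python pre-flight check is an added example, not code from this guide or from Dell Networking OS: it parses show running-config vlt style text from both switches and reports any mismatch. The two sample stanzas, the management addresses (taken from the sample later in this chapter) and the system-mac mac-address and unit-id keyword spellings are assumptions.

```python
"""Pre-flight check that two VLT peers' 'vlt domain' stanzas agree.

Added example, not code from the Dell guide. The sample stanzas,
management addresses and the 'system-mac mac-address' / 'unit-id'
keyword spellings are assumptions.
"""
import re

PEER1_VLT = """\
!
vlt domain 5
 peer-link port-channel 1
 back-up destination 10.11.206.43
 system-mac mac-address 02:01:e8:00:00:05
 unit-id 0
"""
PEER2_VLT = """\
!
vlt domain 5
 peer-link port-channel 1
 back-up destination 10.11.206.58
 system-mac mac-address 02:01:e8:00:00:05
 unit-id 1
"""
# Management addresses each peer uses for the backup (heartbeat) link.
PEER1_MGMT = "10.11.206.58"
PEER2_MGMT = "10.11.206.43"

FIELDS = {
    "domain": r"^vlt domain (\d+)",
    "peer_link": r"^\s*peer-link port-channel (\d+)",
    "backup_dest": r"^\s*back-up destination (\S+)",
    "system_mac": r"^\s*system-mac mac-address (\S+)",
    "unit_id": r"^\s*unit-id (\d)",
}


def parse_vlt(config: str) -> dict:
    """Extract the VLT domain parameters; missing lines become None."""
    found = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, config, re.MULTILINE)
        found[key] = m.group(1).lower() if m else None
    return found


def check_peers(p1: dict, p1_mgmt: str, p2: dict, p2_mgmt: str) -> list:
    """Return mismatches that would stop the peers from forming a VLT domain."""
    problems = []
    if p1["domain"] != p2["domain"]:
        problems.append(f"domain ID differs: {p1['domain']} vs {p2['domain']}")
    if p1["system_mac"] and p2["system_mac"] and p1["system_mac"] != p2["system_mac"]:
        problems.append("VLT system MAC differs between peers")
    if (p1["system_mac"] is None) != (p2["system_mac"] is None):
        problems.append("system MAC is set on only one peer (auto vs. static)")
    if p1["unit_id"] is not None and p1["unit_id"] == p2["unit_id"]:
        problems.append(f"both peers use unit-id {p1['unit_id']}")
    if p1["backup_dest"] != p2_mgmt:
        problems.append(f"peer 1 backup destination {p1['backup_dest']} "
                        f"is not peer 2's address {p2_mgmt}")
    if p2["backup_dest"] != p1_mgmt:
        problems.append(f"peer 2 backup destination {p2['backup_dest']} "
                        f"is not peer 1's address {p1_mgmt}")
    for label, p in (("peer 1", p1), ("peer 2", p2)):
        if p["peer_link"] is None:
            problems.append(f"{label} has no peer-link port-channel configured")
    return problems


def run_check() -> list:
    """Check the two constructed peers above."""
    return check_peers(parse_vlt(PEER1_VLT), PEER1_MGMT,
                       parse_vlt(PEER2_VLT), PEER2_MGMT)


if __name__ == "__main__":
    for line in run_check() or ["peers are consistent"]:
        print("-", line)
```

Running this before a peer replacement catches the case the Configuration Notes warn about: a new switch brought up with the default unit-id or an auto-generated system MAC that does not match the surviving peer.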
Configuring a VLT Port Delay Period To configure a VLT port delay period, use the following commands. 1. Enter VLT-Domain Configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 2. Enter an amount of time, in seconds, to delay the restoration of the VLT ports after the system is rebooted. VLT DOMAIN CONFIGURATION mode delay-restore delay-restore-time The range is from 1 to 1200. The default is 90 seconds.
Connecting a VLT Domain to an Attached Access Device (Switch or Server) To connect a VLT domain to an attached access device, use the following commands. On a VLT peer switch: To connect to an attached device, configure the same port channel ID number on each peer switch in the VLT domain. 1. Configure the same port channel to use to connect to an attached device and enter Interface Configuration mode. CONFIGURATION mode interface port-channel id-number 2. Remove an IP address from the interface.
VLT DOMAIN CONFIGURATION mode peer-down-vlan vlan interface number The range is from 1 to 4094. Configuring Enhanced VLT (Optional) To configure enhanced VLT (eVLT) between two VLT domains on your network, use the following procedure. For a sample configuration, refer to eVLT Configuration Example. To set up the VLT domain, use the following commands. 1. Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
CONFIGURATION mode
interface port-channel id-number
Enter the same port-channel number configured with the peer-link port-channel command in Enabling VLT and Creating a VLT Domain.
9. Place the interface in Layer 2 mode.
INTERFACE PORT-CHANNEL mode
switchport
10. Associate the port channel with the corresponding port channel in the VLT peer for the VLT connection to an attached device.
INTERFACE PORT-CHANNEL mode
vlt-peer-lag port-channel id-number
11. Ensure that the port channel is active.
Sample PVST+ Configuration
The following examples show the PVST+ configuration that you must perform on each peer switch to prevent forwarding loops.
5. Configure the backup link between the VLT peer units (shown in the following example).
6. Configure the peer 2 management ip/interface ip for which connectivity is present in VLT peer 1.
EXEC Privilege mode
show running-config vlt
7. Configure the peer 1 management ip/interface ip for which connectivity is present in VLT peer 1.
EXEC mode or EXEC Privilege mode
show interfaces interface
8.
!
vlt domain 5
 peer-link port-channel 1
 back-up destination 10.11.206.43
S5000-4#
S5000-4#show running-config interface managementethernet 0/0
 ip address 10.11.206.58/16
 no shutdown
Configure the VLT links between VLT peer 1 and VLT peer 2 to the top of rack unit. In the following example, port Te 0/40 in VLT peer 1 is connected to Te 0/48 of the TOR and port Te 0/18 in VLT peer 2 is connected to Te 0/50 of the TOR.
1.
LAG    Mode  Status  Uptime    Ports
L 100  L2    up      03:33:48  Te 0/48 (Up)
                               Te 0/50 (Up)
s60-1#
Verify that VLT is up. Verify that the VLTi (ICL) link, backup link connectivity (heartbeat status) and VLT peer link (peer chassis) are all up.
Figure 147. eVLT Configuration Example

eVLT Configuration Step Examples
In Domain 1, configure the VLT domain and VLTi on Peer 1.
Domain_1_Peer1#configure
Domain_1_Peer1(conf)#interface port-channel 1
Domain_1_Peer1(conf-if-po-1)# channel-member TenGigabitEthernet 1/8-9
Domain_1_Peer1(conf)#vlt domain 1000
Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1
Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.
Configure eVLT on Peer 2.
Domain_1_Peer2(conf)#interface port-channel 100
Domain_1_Peer2(conf-if-po-100)# switchport
Domain_1_Peer2(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_1_Peer2(conf-if-po-100)# no shutdown
Add links to the eVLT port-channel on Peer 2.
PIM-Sparse Mode Configuration Example
The following sample configuration shows how to configure the PIM Sparse mode designated router functionality on the VLT domain with two VLT port-channels that are members of VLAN 4001. For more information, refer to PIM-Sparse Mode Support on VLT.

Examples of Configuring PIM-Sparse Mode
The following example shows how to enable PIM multicast routing on the VLT node globally.
show vlt role
● Display the current configuration of all VLT domains or a specified group on the switch.
EXEC mode
show running-config vlt
● Display statistics on VLT operation.
EXEC mode
show vlt statistics
● Display the RSTP configuration on a VLT peer switch, including the status of port channels used in the VLT interconnect trunk and to connect to access devices.
EXEC mode
show spanning-tree rstp
● Display the current status of a port or port-channel interface used in the VLT domain.
VLT Domain Brief
-----------------
Domain ID:                     1000
Role:                          Primary
Role Priority:                 32768
ICL Link Status:               Up
HeartBeat Status:              Up
VLT Peer Status:               Up
Local Unit Id:                 1
Version:                       5(1)
Local System MAC address:      00:01:e8:8a:e7:e7
Remote System MAC address:     00:01:e8:8a:e9:70
Configured System MAC address: 00:0a:0a:01:01:0a
Remote system version:         5(1)
Delay-Restore timer:           90 seconds
The following example shows the show vlt detail command.
The following example shows the show vlt statistics command.
Dell_VLTpeer1# show vlt statistics
VLT Statistics
---------------
HeartBeat Messages Sent:     987
HeartBeat Messages Received: 986
ICL Hello's Sent:            148
ICL Hello's Received:        98

Dell_VLTpeer2# show vlt statistics
VLT Statistics
---------------
HeartBeat Messages Sent:     994
HeartBeat Messages Received: 978
ICL Hello's Sent:            89
ICL Hello's Received:        89
The following example shows the show spanning-tree rstp command.
Additional VLT Sample Configurations
To configure VLT, configure a backup link and interconnect trunk, create a VLT domain, and connect the peer switches in the VLT domain to an attached access device (switch or server). Review the following examples of VLT configurations.

Configuring Virtual Link Trunking (VLT Peer 1)
Enable VLT and create a VLT domain with a backup link and interconnect trunk (VLTi).
Configure the backup link.
Dell_VLTpeer2(conf)#interface ManagementEthernet 0/0
Dell_VLTpeer2(conf-if-ma-0/0)#ip address 10.11.206.35/
Dell_VLTpeer2(conf-if-ma-0/0)#no shutdown
Dell_VLTpeer2(conf-if-ma-0/0)#exit
Configure the VLT interconnect (VLTi).
Table 101. Troubleshooting VLT (continued)
Description | Behavior at Peer Up | Behavior During Run Time | Action to Take
(row continued from the previous page) ... usage goes above the 80% threshold and when it drops below 80%. | ... the VLTi bandwidth usage goes above its threshold.
Domain ID mismatch | The VLT peer does not boot up. The VLTi is forced to a down state. | The VLT peer does not boot up. The VLTi is forced to a down state. | Verify the domain ID matches on both VLT peers.
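The show vlt brief fields and the domain ID mismatch row above lend themselves to an automated consistency check across both peers. The following is an added example, not code from the Dell guide: it parses constructed show vlt brief text (field names follow the guide's output; the peer-2 block and its mismatched values are invented for the example) and reports the conditions the troubleshooting table calls out.

```python
"""Consistency check over `show vlt brief` output collected from two VLT peers.

Added example, not from the Dell guide. Assumes each line of the command
output is laid out as "Label: value", which is how the guide renders it.
"""
import re
from typing import Dict, List

# Constructed sample: VLT peer 1, values taken from the guide's example output.
PEER1_BRIEF = """\
VLT Domain Brief
-----------------
Domain ID: 1000
Role: Primary
Role Priority: 32768
ICL Link Status: Up
HeartBeat Status: Up
VLT Peer Status: Up
Local Unit Id: 1
Version: 5(1)
Local System MAC address: 00:01:e8:8a:e7:e7
Remote System MAC address: 00:01:e8:8a:e9:70
Configured System MAC address: 00:0a:0a:01:01:0a
Remote system version: 5(1)
Delay-Restore timer: 90 seconds
"""

# Constructed sample: VLT peer 2, with a deliberately mismatched domain ID,
# the condition Table 101 says forces the VLTi into a down state.
PEER2_BRIEF = """\
VLT Domain Brief
-----------------
Domain ID: 1001
Role: Secondary
Role Priority: 32768
ICL Link Status: Down
HeartBeat Status: Up
VLT Peer Status: Down
Local Unit Id: 0
Version: 5(1)
Local System MAC address: 00:01:e8:8a:e9:70
Remote System MAC address: 00:01:e8:8a:e7:e7
Configured System MAC address: 00:0a:0a:01:01:0a
Remote system version: 5(1)
Delay-Restore timer: 90 seconds
"""

# Label is letters, spaces and hyphens only, so the first ':' ends the label
# even when the value itself contains colons (MAC addresses).
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):\s*(.*?)\s*$")

STATUS_FIELDS = ("ICL Link Status", "HeartBeat Status", "VLT Peer Status")


def parse_vlt_brief(text: str) -> Dict[str, str]:
    """Turn 'Label: value' lines into a dict; title and separator lines are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def check_vlt_peers(p1: Dict[str, str], p2: Dict[str, str]) -> List[str]:
    """Return findings for a pair of peers; an empty list means the domain looks healthy."""
    findings: List[str] = []
    # Both peers must be configured with the same VLT domain ID (Table 101).
    if p1.get("Domain ID") != p2.get("Domain ID"):
        findings.append(f"domain ID mismatch: {p1.get('Domain ID')} vs {p2.get('Domain ID')}")
    # The configured (shared) system MAC has to be identical on both peers.
    if p1.get("Configured System MAC address") != p2.get("Configured System MAC address"):
        findings.append("configured system MAC differs between peers")
    # Each peer's remote MAC should be the other peer's local MAC.
    if p1.get("Remote System MAC address") != p2.get("Local System MAC address"):
        findings.append("peer 1 does not report peer 2's system MAC as remote")
    if p2.get("Remote System MAC address") != p1.get("Local System MAC address"):
        findings.append("peer 2 does not report peer 1's system MAC as remote")
    # Exactly one Primary and one Secondary are expected.
    if {p1.get("Role"), p2.get("Role")} != {"Primary", "Secondary"}:
        findings.append(f"unexpected role pair: {p1.get('Role')} / {p2.get('Role')}")
    # Both peers should run the same VLT version and see the same version remotely.
    if p1.get("Version") != p2.get("Version"):
        findings.append("VLT version differs between peers")
    if p1.get("Remote system version") != p2.get("Version"):
        findings.append("peer 1's view of the remote version does not match peer 2")
    # ICL, heartbeat and peer status must all be Up on each peer.
    for name, peer in (("peer1", p1), ("peer2", p2)):
        for key in STATUS_FIELDS:
            if peer.get(key) != "Up":
                findings.append(f"{name}: {key} is {peer.get(key)}")
    return findings


if __name__ == "__main__":
    for finding in check_vlt_peers(parse_vlt_brief(PEER1_BRIEF), parse_vlt_brief(PEER2_BRIEF)):
        print(finding)
```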
Reconfiguring Stacked Switches as VLT
To convert switches that have been stacked to VLT peers, use the following procedure.
1. Remove the current configuration from the switches. You need to split the configuration up for each switch.
2. Copy the files to the flash memory of the appropriate switch.
3. Copy the files on the flash drive to the startup-config.
4. Reset the stacking ports to user ports for both switches.
5. Reload the stack and confirm that the new configurations have been applied.
6.
Association of VLTi as a Member of a PVLAN
If a VLAN is configured as a non-VLT VLAN on both the peers, the VLTi link is made a member of that VLAN if the VLTi link is configured as a PVLAN or normal VLAN on both the peers. If a PVLAN is configured as a VLT VLAN on one peer and a non-VLT VLAN on another peer, the VLTi is added as a member of that VLAN by verifying the PVLAN parity on both the peers.
● Layer 3 communication between secondary VLANs in a private VLAN is enabled by using the ip local-proxy-arp command in INTERFACE VLAN configuration mode.
● The ARP request is not received on the ICL.
Under such conditions, the IP stack performs the following operations:
● The ARP reply is sent with the MAC address of the primary VLAN.
● The ARP request packet originates on the primary VLAN for the intended destination IP address.
Table 102.
● For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
4. Ensure that the port channel is active.
INTERFACE PORT-CHANNEL mode
no shutdown
5. To configure the VLT interconnect, repeat Steps 1–4 on the VLT peer switch.
6. Enter VLT-domain configuration mode for a specified VLT domain.
CONFIGURATION mode
vlt domain domain-id
The range of domain IDs is from 1 to 1000.
7. Enter the port-channel number that acts as the interconnect trunk.
● Specified with this command even before they have been created.
● Amended by specifying the new secondary VLAN to be added to the list.

Proxy ARP Capability on VLT Peer Nodes
The proxy ARP functionality is supported on VLT peer nodes. A proxy ARP-enabled device answers the ARP requests that are destined for the other router in a VLT domain. The local host forwards the traffic to the proxy ARP-enabled device, which in turn transmits the packets to the destination. By default, proxy ARP is enabled.
When you remove the VLT domain on one of the VLT nodes, the peer is notified that the peer routing configuration has been removed. In this case, the VLT peer node disables proxy ARP. When you remove the ICL link on one of the VLT nodes using the no peer-link command, the ICL down event is triggered on the other VLT node, which in turn starts the proxy ARP application.
show running-config

Sample configuration of VLAN-stack over VLT (Peer 1)
Configure the VLT domain
DellEMC(conf)#vlt domain 1
DellEMC(conf-vlt-domain)#peer-link port-channel 1
DellEMC(conf-vlt-domain)#back-up destination 10.16.151.116
DellEMC(conf-vlt-domain)#primary-priority 100
DellEMC(conf-vlt-domain)#system-mac mac-address 00:00:00:11:11:11
DellEMC(conf-vlt-domain)#unit-id 0
DellEMC(conf-vlt-domain)#
DellEMC#show running-config vlt
!
vlt domain 1
 peer-link port-channel 1
 back-up destination 10.16.151.
 shutdown
DellEMC#
Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN
DellEMC#show vlan id 50
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
       O - Openflow
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   o - OpenFlow untagged, O - OpenFlow tagged
   G - GVRP tagged, M - Vlan-stack
   i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged
NUM  Status  Description
50   Active
 no shutdown
DellEMC#
Configure the VLAN as a VLAN-Stack VLAN and add the VLT LAG as members to the VLAN
DellEMC(conf)#interface vlan 50
DellEMC(conf-if-vl-50)#vlan-stack compatible
DellEMC(conf-if-vl-50-stack)#member port-channel 10
DellEMC(conf-if-vl-50-stack)#member port-channel 20
DellEMC(conf-if-vl-50-stack)#
DellEMC#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdown
DellEMC#
Verify that the Port Channels used in the VLT Domain are Assigned
IPv6 Peer Routing
When you enable peer routing on VLT nodes, the MAC address of the peer VLT node is stored in the ternary content addressable memory (TCAM) space table of a station. If data traffic destined for a VLT node, node1, reaches the other VLT node, node2, owing to LAG-level hashing in the ToR switch, node2 routes it instead of forwarding the packet to node1. This processing occurs because of the match or hit for the entry in the TCAM of VLT node2.
control information present in the tunneled NA packet is processed in such a way that the ingress port is marked as the link from Node B to Unit 2 rather than pointing to the ICL link through which the tunneled NA arrived.
Figure 148. Sample Configuration of IPv6 Peer Routing in a VLT Domain

Sample Configuration of IPv6 Peer Routing in a VLT Domain
Consider a sample scenario as shown in the following figure in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link.
Neighbor Solicitation from VLT Hosts
Consider a case in which an NS for the VLT node1 IP reaches VLT node1 on the VLT interface, and an NS for the VLT node1 IP reaches VLT node2 due to LAG-level hashing in the ToR. When VLT node1 receives the NS from the VLT VLAN interface, it unicasts the NA packet on the VLT interface. When the NS reaches VLT node2, it is flooded on all interfaces including the ICL. When VLT node1 receives the NS on the ICL, it floods the NA packet on the VLAN.
When a VLT node receives traffic from a non-VLT host intended for a VLT host, it routes the traffic to the VLT interface. If the VLT interface is not operationally up, the VLT node routes the traffic over the ICL.
Non-VLT host to North Bound traffic flow
When a VLT node receives traffic from a non-VLT host intended for the north bound with a DMAC equal to its own MAC, it routes the traffic to the next hop.
66 Virtual Routing and Forwarding (VRF)
Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. VRF allows multiple instances of a routing table to co-exist within the same router at the same time.
Figure 150. VRF Network Example

VRF Configuration Notes
Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM.
VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
NOTE: To configure a router ID in a non-default VRF, configure at least one IP address in both the default as well as the non-default VRF.
Table 103. Software Features Supported on VRF
Feature/Capability | Support Status for Default VRF | Support Status for Non-default VRF
802.
DHCP
DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance.

VRF Configuration
The VRF configuration tasks are:
1. Enabling VRF in Configuration Mode
2. Creating a Non-Default VRF
3. Assign an Interface to a VRF
You can also:
● View VRF Instance Information
● Connect an OSPF Process to a VRF Instance
● Configure VRRP on a VRF

Loading VRF CAM
● Load CAM memory for the VRF feature.
2. Assign the interface to the management VRF.
INTERFACE CONFIGURATION
ip vrf forwarding management
Before assigning a front-end port to a management VRF, ensure that no IP address is configured on the interface.
3. Assign an IPv4 address to the interface.
INTERFACE CONFIGURATION
ip address 10.1.1.1/24
Before assigning a front-end port to a management VRF, ensure that no IP address is configured on the interface.
4. Assign an IPv6 address to the interface.
Table 104. Configuring VRRP on a VRF (continued)
Task | Command Syntax | Command Mode
Assign an IP address to the interface | ip address 10.1.1.1/24; no shutdown |
Configure the VRRP group and virtual IP address | vrrp-group 10; virtual-address 10.1.1.100 |
View VRRP command output for the VRF vrf1 | show config |
Output of show config:
----------------------------
!
interface TenGigabitEthernet 1/13
 ip vrf forwarding vrf1
 ip address 10.1.1.1/24
 !
 vrrp-group 10
  virtual-address 10.1.1.
● ipv6 nd reachable-time — Set advertised reachability time
● ipv6 nd retrans-timer — Set NS retransmit interval used and advertised in RA
● ipv6 nd suppress-ra — Suppress IPv6 Router Advertisements
● ipv6 ad — IPv6 Address Detection
● ipv6 ad autoconfig — IPv6 stateless auto-configuration
● ipv6 address — Configure IPv6 address on an interface
NOTE: The command line help still displays relevant details corresponding to each of these commands.
Figure 152. Setup VRF Interfaces
The following example relates to the configuration shown in the above illustrations.
Router 1
ip vrf blue 1
!
ip vrf orange 2
!
ip vrf green 3
!
interface TenGigabitEthernet
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding orange
 ip address 20.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding green
 ip address 30.0.0.
 ip vrf forwarding blue
 ip address 1.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.1
 network 1.0.0.0/24 area 0
 network 10.0.0.0/24 area 0
!
router ospf 2 vrf orange
 router-id 2.0.0.1
 network 2.0.0.0/24 area 0
 network 20.0.0.
!
router ospf 1 vrf blue
 router-id 1.0.0.2
 network 11.0.0.0/24 area 0
 network 1.0.0.0/24 area 0
 passive-interface TenGigabitEthernet 2/1
!
router ospf 2 vrf orange
 router-id 2.0.0.2
 network 21.0.0.0/24 area 0
 network 2.0.0.0/24 area 0
 passive-interface TenGigabitEthernet 2/2
!
ip route vrf green 30.0.0.0/24 3.0.0.1
!
The following shows the output of the show commands on Router 1.
Destination     Gateway          Dist/Metric   Change
-----------     -------          -----------   ------
C 2.0.0.0/24    Direct, Vl 192
C 20.0.0.0/24   Direct, Te 1/2
O 21.0.0.0/24   via 2.0.0.                     00:10:41
C 11.0.0.
Dynamic Route Leaking enables a source VRF to share both its connected routes as well as dynamically learnt routes from various protocols, such as ISIS, OSPF, BGP, and so on, with other default or non-default VRFs. You can also leak global routes to be made available to VRFs. As the global RTM usually contains a large pool of routes, when the destination VRF imports global routes, these routes will be duplicated into the VRF's RTM.
interface-type slot/port
ip vrf forwarding VRF-blue
ip address ip-address mask
A non-default VRF named VRF-blue is created and the interface 1/12 is assigned to it.
7. Configure the import target in VRF-blue.
ip route-import 1:1
8. Configure the export target in VRF-blue.
ip route-import 3:3
9. Configure VRF-green.
ip vrf vrf-green
interface-type slot/port
ip vrf forwarding VRF-green
ip address ip-address mask
A non-default VRF named VRF-green is created and the interface is assigned to it.
10.
Show routing tables of VRFs (after route-export and route-import tags are configured).
DellEMC# show ip route vrf VRF-Red
O  11.1.1.1/32     via 111.1.1.1                  110/0   00:00:10
C  111.1.1.0/24    Direct, Te 1/11                0/0     22:39:59
O  44.4.4.4/32     via VRF-shared:144.4.4.4       0/0     00:32:36
C  144.4.4.0/24    Direct, VRF-shared:Te 1/4      0/0     00:32:36

DellEMC# show ip route vrf VRF-Blue
O  22.2.2.2/32     via 122.2.2.2                  110/0   00:00:11
C  122.2.2.0/24    Direct, Te 1/12                0/0     22:39:61
O  44.4.4.4/32     via vrf-shared:144.4.4.
C  144.4.4.0/24
Consider a scenario where you have created two VRF tables VRF-red and VRF-blue. VRF-red exports routes with the export_ospfbgp_protocol route-map to VRF-blue. VRF-blue imports these routes into its RTM. For leaking these routes from VRF-red to VRF-blue, you can use the ip route-export route-map command on VRF-red (source VRF, that is exporting the routes); you must also specify a match criteria for these routes using the match source-protocol command.
ip route-export 2:2
ip route-import 1:1 import_ospf_protocol
! this action accepts only OSPF routes from VRF-red even though both OSPF as well as BGP routes are shared
The show VRF commands display the following output:
DellEMC# show ip route vrf VRF-Blue
C  122.2.2.0/24   Direct, Te 1/22           0/0
O  22.2.2.2/32    via 122.2.2.2             110/0   00:00:11
O  44.4.4.4/32    via vrf-red:144.4.4.              22:39:61
67 Virtual Router Redundancy Protocol (VRRP)
Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network.
Topics:
• VRRP Overview
• VRRP Benefits
• VRRP Implementation
• VRRP Configuration
• Sample Configurations

VRRP Overview
VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 153. Basic VRRP Configuration

VRRP Benefits
With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and are not dependent on interior gateway protocol (IGP) protocols to converge or update routing tables.

VRRP Implementation
The S5000 supports a total of 255 VRRP groups on a switch. Within a single VRRP group, up to 12 virtual IP addresses are supported.
Table 105. Recommended VRRP Advertise Intervals on the S5000
Groups/Interface | Recommended Advertise Interval (S5000) | Total VRRP Groups (S5000)
Less than 250 | 1 second | 512
Between 250 and 450 | 2–3 seconds | 512
Between 450 and 600 | 3–4 seconds | 512
Between 600 and 800 | 4 seconds | 512
Between 800 and 1000 | 5 seconds | 512
Between 1000 and 1200 | 7 seconds | 512
Between 1200 and 1500 | 8 seconds | 512

VRRP Configuration
By default, VRRP is not configured.
The following example shows how to verify the VRRP configuration.
Dell(conf-if-Te-1/1)#show conf
!
interface TenGigabitEthernet 1/1
 ip address 10.10.10.1/24
 !
 vrrp-group 111
 no shutdown
Dell(conf-if-Te-1/1)#

Configuring a Virtual IP Address
To configure a virtual IP address, use the following commands.
1. Configure a VRRP group.
INTERFACE mode
vrrp-group vrrp-id
The VRID range is from 1 to 255.
2. Configure virtual IP addresses for this VRID.
INTERFACE-VRID mode
virtual-address ip-address1 [...
State: Master, Priority: 100, Master: 10.10.2.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 27, Gratuitous ARP sent: 2
Virtual MAC address:
 00:00:5e:00:01:6f
Virtual IP address:
 10.10.2.2 10.10.2.3
Authentication:
When the VRRP process completes its initialization, the State field contains either Master or Backup.
NOTE: You must configure all virtual routers in the VRRP group the same and enable authentication with the same password, or authentication is disabled.
To configure simple authentication, use the following command.
● Configure a simple text password.
INTERFACE-VRID mode
authentication-type simple [encryption-type] password
Parameters:
○ encryption-type: 0 indicates unencrypted; 7 indicates encrypted.
○ password: plain text.
The bold section shows the encryption type (encrypted) and the password.
  virtual-address 10.10.10.3
  virtual-address 10.10.10.10
Dell(conf-if-te-1/1-vrid-111)#

Changing the Advertisement Interval
By default, the MASTER router transmits a VRRP advertisement to all members of the VRRP group every one second, indicating it is operational and is the MASTER router. If the VRRP group misses three consecutive advertisements, the election process begins and the BACKUP virtual router with the highest priority transitions to MASTER.
● VLAN: enter vlan vlan-id. The valid VLAN IDs are from 1 to 4094.
For a virtual group, you can also track the status of a configured object (the track object-id command) by entering its object number.
NOTE: You can configure a tracked object for a VRRP group (using the track object-id command in INTERFACE-VRID mode) before you actually create the tracked object (using a track object-id command in CONFIGURATION mode).
Track 2
  IPv6 route 2040::/64 metric threshold
  Metric threshold is Up (STATIC/0/0)
  5 changes, last change 00:02:16
  Metric threshold down 255 up 254
  First-hop interface is TenGigabitEthernet 13/2
  Tracked by:
    VRRP GigabitEthernet 7/30 IPv6 VRID 1
Track 3
  IPv6 route 2050::/64 reachability
  Reachability is Up (STATIC)
  5 changes, last change 00:02:16
  First-hop interface is TenGigabitEthernet 13/2
  Tracked by:
    VRRP TenGigabitEthernet 7/30 IPv6 VRID 1
The following example shows verifying the VRRP status.
INTERFACE mode
vrrp delay minimum seconds
This time is the gap between an interface coming up and being operational, and VRRP enabling. The seconds range is from 0 to 900. The default is 0.
● Set the delay time for VRRP initialization on all the interfaces in the system configured for VRRP.
INTERFACE mode
vrrp delay reload seconds
This time is the gap between system boot-up completion and VRRP enabling. The seconds range is from 0 to 900. The default is 0.
Figure 154. VRRP for IPv4 Topology

Examples of Configuring VRRP for IPv4 and IPv6
The following example shows configuring VRRP for IPv4 on Router 2.
R2(conf)#int te 2/31
R2(conf-if-te-2/31)#ip address 10.1.1.1/24
R2(conf-if-te-2/31)#vrrp-group 99
R2(conf-if-te-2/31-vrid-99)#priority 200
R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-te-2/31-vrid-99)#no shut
R2(conf-if-te-2/31)#show conf
!
interface TenGigabitEthernet 2/31
 ip address 10.1.1.1/24
 !
 vrrp-group 99
  priority 200
  virtual-address 10.1.1.
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address:
 00:00:5e:00:01:63
Virtual IP address:
 10.1.1.3
Authentication: (none)
R2#
Router 3
R3(conf)#int te 3/21
R3(conf-if-te-3/21)#ip address 10.1.1.2/24
R3(conf-if-te-3/21)#vrrp-group 99
R3(conf-if-te-3/21-vrid-99)#virtual 10.1.1.
Figure 155. Example of VRRP for an IPv6 Configuration
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with MASTER status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.
The following example shows configuring VRRP for IPv6 on Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
------------------
TenGigabitEthernet 0/0, IPv6 VRID: 10, Version: 3, Net: fe80::201:e8ff:fe6a:c59f
VRF: 0 default-vrf
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135
Virtual MAC address:
 00:00:5e:00:02:0a
Virtual IP address:
 1::10 fe80::10
Router 3
R3(conf)#interface tengigabitethernet 1/0
R3(conf-if-te-1/0)#no ipv6 address
R3(conf-if-te
There is no requirement for the virtual IP and node IP addresses to be the same in VRF-1 and VRF-2; similarly, there is no requirement for the IP addresses to be different. In VRF-3, the node IP addresses and subnet are unique. Figure 156.
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S1(conf-if-te-12/3-vrid-105)#priority 255
S1(conf-if-te-12/3-vrid-105)#virtual-address 20.1.1.5
S1(conf-if-te-12/3)#no shutdown

Example of Configuring VRRP in a VRF on Switch-2 (Non-VLAN Configuration)
Switch-2
S2(conf)#ip vrf default-vrf 0
!
S2(conf)#ip vrf VRF-1 1
!
S2(conf)#ip vrf VRF-2 2
!
S2(conf)#ip vrf VRF-3 3
!
S2(conf)#interface GigabitEthernet 12/1
S2(conf-if-gi-12/1)#ip vrf forwarding VRF-1
S2(conf-if-gi-12/1)#ip address 10.10.1.
S1(conf-if-te-12/4)#interface vlan 100
S1(conf-if-vl-100)#ip vrf forwarding VRF-1
S1(conf-if-vl-100)#ip address 10.10.1.5/24
S1(conf-if-vl-100)#tagged tengigabitethernet 12/4
S1(conf-if-vl-100)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S1(conf-if-vl-100-vrid-101)#priority 100
S1(conf-if-vl-100-vrid-101)#virtual-address 10.10.1.
S2(conf-if-vl-300-vrid-101)#virtual-address 20.1.1.5
S2(conf-if-vl-300)#no shutdown

VRRP for IPv6 Configuration
This section shows a VRRP for IPv6 topology with CLI configurations. Consider an example VRRP for IPv6 configuration in which the IPv6 VRRP group consists of two routers.
Figure 157. VRRP for IPv6 Topology
NOTE: This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI.
R2(conf-if-te-1/1)#ipv6 address 1::1/64
R2(conf-if-te-1/1)#vrrp-group 10
NOTE: You must configure a virtual link local (fe80) address for each VRRPv3 group created for an interface. The VRRPv3 group becomes active as soon as you configure the link local address. Afterwards, you can configure the group's virtual IPv6 address.
R2(conf-if-te-1/1-vrid-10)#virtual-address fe80::10
NOTE: The virtual IPv6 address you configure should be in the same IPv6 subnet to which the interface belongs.
Virtual IP address:
 1::10 fe80::10
DellEMC#show vrrp tengigabitethernet 0/0
TenGigabitEthernet 0/0, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76
VRF: 0 default
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 214, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address:
 00:00:5e:00:02:ff
Virtual IP address:
 10:1:1::255 fe80::255
DellEMC#show vrrp tengigabitethernet 2/8
Ten
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 548, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address:
 00:00:5e:00:02:ff
Virtual IP address:
 10:1:1::255 fe80::255

Displaying VRRP in a VRF Configuration
To display information on a VRRP group that is configured on an interface that belongs to a VRF instance, use the following commands.
● Display information on a VRRP group that is configured on an interface that belongs to a VRF instance.
68 S5000 Debugging and Diagnostics
Topics:
• Offline Diagnostics
• Trace Logs
• Hardware Watchdog Timer
• Using the Show Hardware Commands
• Enabling Environmental Monitoring
• Buffer Tuning
• Troubleshooting Packet Loss
• Enabling Application Core Dumps
• Mini Core Dumps
• Enabling TCP Dumps

Offline Diagnostics
The diagnostics tests are grouped into three levels:
● Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications.
NOTE: The system reboots when the offline diagnostics complete. This is an automatic process. The following warning message appears when you implement the offline stack-unit command:
Warning - Diagnostic execution will cause stack-unit to reboot after completion of diags.
Proceed with Offline-Diags [confirm yes/no]:y
After the system goes offline, you must reload or execute the online stack-unit command for normal operation.
2. Confirm the offline status.
EXEC Privilege mode
show system brief
3.
0     0    up    DC    up
0     1    up    DC    up
-- Fan Status --
Unit  Bay  TrayStatus      Fan0  Speed  Fan1  Speed  Fan2  Speed  Fan3  Speed
------------------------------------------------------------------------------
0     0    absent or down
0     1    up              up    4800   up    4800   up    4800   up    4800
0     2    up              up    4800   up    4800   up    4800   up    4800
0     3    absent or down
Dell#
As shown in the following two examples, log messages differ somewhat when diagnostics are done on a standalone unit and on a stack member.
**********************************S-Series Diagnostics********************
Stack Unit Board Serial Number : DL267160098
CPU Version : MPC8541, Version: 1.1
PLD Version : 5
Diag image based on build : E_MAIN4.7.7.206
Stack Unit Board Voltage levels - 3.300000 V, 2.500000 V, 1.800000 V, 1.250000 V, 1.200000 V, 2.
Hardware Watchdog Timer
The hardware watchdog command automatically reboots a Dell Networking OS switch/router with a single RPM that is unresponsive. This is a last-resort mechanism intended to prevent a manual power cycle.

Using the Show Hardware Commands
These commands display information from a hardware sub-component and from hardware-based feature tables. The following lists the show hardware commands available as of the latest Dell Networking OS version.
show hardware stack-unit {0-11} unit {0-0} details
● Execute a specified bShell command from the CLI without going into the bShell.
EXEC Privilege mode
show hardware stack-unit {0-11} unit {0-0} execute-shell-cmd {command}
● View the Multicast IPMC replication table from the bShell.
EXEC Privilege mode
show hardware stack-unit {0-11} unit {0-0} ipmc-replication
● View the internal statistics for each port-pipe (unit) on a per-port basis.
SFP+ 1 Bias Low Alarm threshold = 4.000mA
SFP+ 1 TX Power Low Alarm threshold = 0.251mW
SFP+ 1 RX Power Low Alarm threshold = 0.010mW
===================================
SFP+ 1 Temp High Warning threshold = 73.000C
SFP+ 1 Voltage High Warning threshold = 3.600V
Dell#

Recognize an Overtemperature Condition
An overtemperature condition occurs for one of two reasons: the card genuinely is too hot or a sensor has malfunctioned. Inspect cards adjacent to the one reporting the condition to discover the cause.
Troubleshoot an Under-Voltage Condition
To troubleshoot an under-voltage condition, check that the correct number of power supplies are installed and their Status light emitting diodes (LEDs) are lit.
The following table lists information for SNMP traps and OIDs on S-Series environmental monitoring hardware and hardware components.
Table 106. SNMP Traps and OIDs
OID String | OID Name | Description
| chSysPortXfpRecvPower | OID displays the receiving power of the connected optics.
If you have already applied a custom buffer profile on an interface, the buffer-profile global command fails and a message similar to the following displays:
% Error: User-defined buffer profile already applied. Failed to apply global pre-defined buffer profile. Please remove all user-defined buffer profiles.
Similarly, when you configure buffer-profile global, you cannot apply a buffer profile on any single interface.
Total Egress Drops: 0
Dell#show hard stack-unit 0 drops unit 0
User Port  Port Number  Ingress Drops  IngMac Drops  Total Mmu Drops  EgMac Drops  Egress Drops
0          1            0              0             0                0            0
1          2            0              0             0                0            0
2          3            0              0             0                0            0
3          4            0              0             0                0            0
!--------------- output truncated --------------!
Example of show hardware drops interface interface
Dell#show hardware drops interface tengigabitethernet 2/1
Drops in Interface Te 2/1:
--- Ingress Drops ---
Ingress Drops
IBP CBP Full Drops
PortSTPnotFwd Drops
IPv4 L3 Discards
Policy Discards
Packets d
Dataplane Statistics
The show hardware stack-unit cpu data-plane statistics command provides insight into the packet types coming to the CPU. The show hardware stack-unit cpu party-bus statistics command displays input and output statistics on the party bus, which carries inter-process communication traffic between CPUs. The command output in the following example has been augmented, providing detailed RX/TX packet statistics on a per-queue basis.
Display Stack Port Statistics The show hardware stack-unit stack-port command displays input and output statistics for a stack-port interface.
CONFIGURATION mode
logging coredump server
To undo this command, use the no logging coredump server command.

Mini Core Dumps
Dell Networking OS supports mini core dumps on application and kernel crashes. The mini core dump applies to Master, Standby, and Member units. Application and kernel mini core dumps are always enabled. The mini core dumps contain the stack space and some other minimal information that you can use to debug a crash.
Enabling TCP Dumps
A TCP dump captures CPU-bound control-plane traffic to improve troubleshooting and system manageability. When you enable TCP dump, it captures all the packets on the local CPU, as specified in the CLI. You can save the traffic capture files to flash, FTP, SCP, or TFTP. The files saved on the flash are located in the flash://TCP_DUMP_DIR/Tcpdump_/ directory and labeled tcpdump_*.pcap. There can be up to 20 Tcpdump_ directories. Because the captures contain the payloads of whatever management and routing protocols reach the CPU, treat them as sensitive: FTP and TFTP transfer them in the clear, so prefer SCP when copying them off the switch.
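As an added example that is not part of the Dell guide, the following standard-library Python script reads a tcpdump_*.pcap file copied off the switch and counts frames by protocol and well-known port, which tells you at a glance what is reaching the CPU (SSH, SNMP, BGP, ARP and so on). The capture bytes embedded in the script are constructed for the demonstration; the script handles classic pcap with Ethernet and IPv4 only, not pcapng or IPv6.

```python
"""Summarize a CPU-bound control-plane capture (classic libpcap format), standard library only.

Added example for the TCP dump feature; not Dell code. It answers "what is hitting the CPU?"
by counting frames per protocol / well-known port. Only Ethernet + IPv4 (TCP, UDP, ICMP) and ARP
are decoded; pcapng files are rejected rather than misread.
"""
import struct
from collections import Counter

ETH_HDR = 14
DLT_EN10MB = 1


def parse_pcap(data: bytes):
    """Yield link-layer frames from classic pcap bytes, honouring the file's byte order."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # file ends mid-record; keep what was parsed so far
        off += incl_len
        yield frame


def classify(frame: bytes) -> str:
    """Coarse label for one Ethernet frame: arp, icmp, tcp/<port>, udp/<port>, ..."""
    if len(frame) < ETH_HDR:
        return "runt"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:
        return "arp"
    if ethertype != 0x0800:
        return f"ethertype-0x{ethertype:04x}"
    ip = frame[ETH_HDR:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return "ipv4-malformed"
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    l4 = ip[ihl:]
    if proto == 1:
        return "icmp"
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        # The lower port is normally the service side (22 SSH, 161 SNMP, 179 BGP).
        return f"{'tcp' if proto == 6 else 'udp'}/{min(sport, dport)}"
    return f"ipv4-proto-{proto}"


def summarize(pcap_bytes: bytes) -> Counter:
    return Counter(classify(f) for f in parse_pcap(pcap_bytes))


def summarize_file(path: str) -> Counter:
    """Run on a file copied off the switch, e.g. tcpdump_*.pcap from flash://TCP_DUMP_DIR."""
    with open(path, "rb") as fh:
        return summarize(fh.read())


# --- constructed sample capture (not a real switch capture) -------------------------------
def _ipv4_frame(proto: int, sport: int, dport: int) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16  # ports plus padding; enough for classify()
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


def _record(frame: bytes) -> bytes:
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    + _record(_ipv4_frame(6, 51000, 22))      # SSH to the switch
    + _record(_ipv4_frame(6, 22, 51000))      # SSH reply
    + _record(_ipv4_frame(17, 49000, 161))    # SNMP poll
    + _record(_ipv4_frame(6, 179, 40000))     # BGP session
    + _record(bytes.fromhex("ffffffffffff") + bytes.fromhex("66778899aabb") + b"\x08\x06" + b"\x00" * 28)
)

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_PCAP).most_common():
        print(f"{count:6d}  {label}")
```

Point summarize_file() at a capture pulled from the switch; an unexpectedly large count for a protocol you do not run on the box is the first thing to chase.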
69 Standards Compliance
This chapter describes standards compliance for Dell Networking products.
NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking Operating System (OS), Dell Networking OS also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance
Dell Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell Networking OS first supports the standard.

General Internet Protocols
The following table lists the Dell Networking OS support per platform for general internet protocols.

Table 107. General Internet Protocols
RFC# | Full Name | Dell Networking OS 9.1(1.
Table 108. General IPv4 Protocols (continued)
RFC# | Full Name | Dell Networking OS 9.1(1.
Table 109. General IPv6 Protocols (continued)
RFC# | Full Name | Dell Networking OS 9.1(1.0)
5175 | IPv6 Router Advertisement Flags Option | √

Border Gateway Protocol (BGP)
The following table lists the Dell Networking OS support per platform for BGP protocols.
Table 110.
Intermediate System to Intermediate System (IS-IS)
The following table lists the Dell Networking OS support per platform for the IS-IS protocol.

Table 112. Intermediate System to Intermediate System (IS-IS)
RFC# | Full Name | Dell Networking OS 9.1(1.
Table 114. Multicast (continued)
RFC# | Full Name | Dell Networking OS 9.1(1.
Table 115. Dell Networking OS support per platform for network management protocol (continued)
RFC# | Full Name | Dell Networking OS 9.1(1.
Table 115. Dell Networking OS support per platform for network management protocol (continued)
RFC# | Full Name | Dell Networking OS 9.1(1.0)
IEEE 802.1AB | Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components. | √
IEEE 802.1AB | The LLDP Management Information Base extension module for IEEE 802.1 organizationally defined discovery information (LLDP DOT1 MIB and LLDP DOT3 MIB). | √
IEEE 802.
Table 115. Dell Networking OS support per platform for network management protocol (continued)
RFC# | Full Name | Dell Networking OS 9.1(1.0)
FORCE10-TRAP-ALARM-MIB | Dell Networking Trap Alarm MIB | √

MIB Location
You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport:
https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.aspx
You also can obtain a list of selected MIBs and their OIDs at the following URL:
https://www.force10networks.
70 X.509v3
Dell EMC Networking OS supports X.509v3 standards.
Topics:
• Introduction to X.509v3 certification
• X.509v3 support in Dell EMC Networking OS
• Information about installing CA certificates
• Information about Creating Certificate Signing Requests (CSR)
• Information about installing trusted certificates
• Transport layer security (TLS)
• Online Certificate Status Protocol (OCSP)
• Verifying certificates
• Event logging

Introduction to X.509v3 certification
X.
Advantages of X.509v3 certificates Public key authentication is preferred over password-based authentication, although both may be used in conjunction, for various reasons. Public-key authentication provides the following advantages over normal password-based authentication: ● Public-key authentication avoids the human problems of low-entropy password selection and provides more resistance to brute-force attacks than password-based authentication.
The other hosts on the network, such as the SUT switch, syslog server, and OCSP server, generate private keys and create Certificate Signing Requests (CSRs). The hosts then upload the CSRs to the Intermediate CA or make the CSRs available for the Intermediate CA to download. The system generates a CSR using the crypto cert generate request command. The hosts on the network (SUT, syslog, OCSP…) also download and install the CA certificates from the Root and Intermediate CAs.
After the CA certificate is installed, the system can secure communications with TLS servers by verifying certificates that are signed by the CA.

Installing CA certificate
To install a CA certificate, enter the crypto ca-cert install {path} command in Global Configuration mode.

Information about Creating Certificate Signing Requests (CSR)
A Certificate Signing Request (CSR) enables a device to get an X.509v3 certificate from a CA. In order for a device to get an X.
● Common Name
● Email address
● Validity Length
● Alternate Name
NOTE: The command contains multiple options, with the Common Name being a required field and blanks being filled in for unspecified fields.

Information about installing trusted certificates
Dell EMC Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS.
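The Root CA, Intermediate CA and device-CSR flow described above, as an added example that is not Dell code: it uses the Python cryptography package to act as both CAs and as the device that would run crypto cert generate request, then verifies the issued certificate the way a TLS peer that has installed only the Root CA certificate would. The CSR carries the Common Name, Email address and Alternate Name fields listed above; the CA applies the Validity Length when it signs. The host name sut.example.net, the e-mail address and the CA names are assumptions.

```python
"""Root CA -> Intermediate CA -> device certificate, following the PKI layout described above.
Added example, not Dell code; needs the `cryptography` package. All names are assumptions."""
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc

def _name(cn, email=None):
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, cn)]
    if email:
        attrs.append(x509.NameAttribute(NameOID.EMAIL_ADDRESS, email))
    return x509.Name(attrs)

def _builder(subject, issuer, pubkey, days):
    """Shared certificate fields; validity starts 5 minutes ago to absorb clock skew."""
    now = dt.datetime.now(UTC)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=5))
            .not_valid_after(now + dt.timedelta(days=days)))

def make_ca(cn, issuer=None, days=3650):
    """CA key and certificate: self-signed root when issuer is None, else issuer=(key, cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    signer, issuer_name = (key, _name(cn)) if issuer is None else (issuer[0], issuer[1].subject)
    cert = (_builder(_name(cn), issuer_name, key.public_key(), days)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))
    return key, cert

def device_csr(common_name, email, alt_names):
    """Device side of `crypto cert generate request`: new key plus a CSR with CN, e-mail and SANs."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (x509.CertificateSigningRequestBuilder().subject_name(_name(common_name, email))
           .add_extension(x509.SubjectAlternativeName([x509.DNSName(n) for n in alt_names]), critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr

def sign_csr(csr, ca_key, ca_cert, days):
    """CA side: the CSR's self-signature proves possession of the key; copy its SAN into the leaf."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify; request is corrupt or tampered")
    builder = (_builder(csr.subject, ca_cert.subject, csr.public_key(), days)
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True))
    try:
        builder = builder.add_extension(
            csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value, critical=False)
    except x509.ExtensionNotFound:
        pass
    return builder.sign(ca_key, hashes.SHA256())

def _signed_by(cert, issuer):
    """Issuer name matches and the issuer's EC key verifies the signature (RSA would need PKCS1v15)."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def _valid_now(cert, now):
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=UTC)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=UTC)
    return nb <= now <= na

def verify_chain(leaf, intermediates, trusted_roots, hostname=None):
    """Build leaf -> intermediates -> trusted root, checking signatures, validity, CA flag and SAN.
    Minimal on purpose: no name constraints and no revocation (revocation is what OCSP adds)."""
    now = dt.datetime.now(UTC)
    chain, current, pool = [leaf], leaf, list(intermediates)
    for _ in range(len(pool) + 1):
        if not _valid_now(current, now):
            raise ValueError(f"{current.subject.rfc4514_string()} is outside its validity period")
        root = next((r for r in trusted_roots if _signed_by(current, r) and _valid_now(r, now)), None)
        if root is not None:
            chain.append(root)
            break
        nxt = next((c for c in pool if _signed_by(current, c)), None)
        if nxt is None or not nxt.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            raise ValueError(f"no trusted issuer for {current.subject.rfc4514_string()}")
        pool.remove(nxt)
        chain.append(nxt)
        current = nxt
    else:
        raise ValueError("chain does not end at a trusted root")
    if hostname is not None:
        names = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        if hostname not in names.get_values_for_type(x509.DNSName):
            raise ValueError(f"{hostname} is not in the certificate's SubjectAltName")
    return chain

def build_demo_pki():
    """Root and intermediate CA plus a device certificate issued from a CSR, valid 365 days."""
    root_key, root = make_ca("Example Root CA")
    int_key, inter = make_ca("Example Intermediate CA", issuer=(root_key, root), days=1825)
    _device_key, csr = device_csr("sut.example.net", "netops@example.net", ["sut.example.net"])
    return root, inter, sign_csr(csr, int_key, inter, days=365)
```

Verifying against the root alone, with the intermediate supplied alongside the leaf, mirrors the deployment described above: peers install the Root CA certificate with crypto ca-cert install and the device must present its intermediate during the handshake. The negative cases a practitioner should test are a chain rooted in a CA that was never installed, a missing intermediate, and a host name that is not in the SAN.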
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA
TLS compression is disabled by default. TLS session resumption is also supported to reduce processor and traffic overhead due to public key cryptographic operations and handshake traffic.
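The suite names above encode the key exchange, the bulk cipher and the MAC. As an added example that is not from the Dell guide, the following standard-library Python script parses IANA suite names and reports the properties an operator cares about: of the suites listed, only the DHE and ECDHE ones provide forward secrecy, the static DH_RSA and ECDH_RSA suites do not, and the 3DES suites use a 64-bit block. The GCM suite in the script is included for contrast only and is an assumption, not a suite the page lists; the guide does not say whether the offered suites can be changed.

```python
"""Audit TLS cipher-suite names (IANA form) for the properties that matter operationally.

Added example; not Dell code. The guide lists the suites below but says nothing about
tuning them, so this is a read-only assessment of what each name implies.
"""
from dataclasses import dataclass

# Suites as printed in the guide (the page's own list is truncated before these).
GUIDE_SUITES = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
]
# Constructed for contrast only; the guide does not say the switch offers it.
AEAD_CONTRAST_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

FORWARD_SECRET_KX = {"DHE", "ECDHE"}  # ephemeral key exchange
BLOCK_BITS = {"AES": 128, "CAMELLIA": 128, "ARIA": 128, "SEED": 128, "3DES": 64, "DES": 64, "IDEA": 64}
BROKEN_CIPHERS = {"NULL", "RC4_128", "RC4_40", "DES_CBC", "DES40_CBC"}


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str      # key exchange: RSA, DH, DHE, ECDH, ECDHE, PSK, ...
    auth: str    # authentication: RSA, ECDSA, DSS, anon, ...
    cipher: str  # bulk cipher, e.g. AES_128_CBC, 3DES_EDE_CBC, AES_128_GCM
    hash: str    # HMAC hash for CBC suites; PRF hash for AEAD suites


def parse_suite(name: str) -> Suite:
    """Split TLS_<kx>_<auth>_WITH_<cipher>_<hash> into its fields."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not an IANA TLS 1.2-style suite name: {name}")
    kx_auth, rest = name[4:].split("_WITH_", 1)
    cipher, hash_ = rest.rsplit("_", 1)
    kx, _, auth = kx_auth.partition("_")
    return Suite(name, kx, auth or kx, cipher, hash_)  # TLS_RSA_WITH_...: RSA does both jobs


def audit_suite(suite: Suite) -> list:
    """Human-readable findings; an empty list means nothing about the name was flagged."""
    findings = []
    if suite.kx not in FORWARD_SECRET_KX:
        findings.append("no forward secrecy: a leaked server key decrypts recorded sessions")
    if suite.auth == "anon":
        findings.append("anonymous key exchange: the server is not authenticated")
    algo = suite.cipher.split("_")[0]
    if suite.cipher in BROKEN_CIPHERS or algo in {"RC4", "NULL"}:
        findings.append("cipher provides no usable confidentiality")
    elif BLOCK_BITS.get(algo) == 64:
        findings.append("64-bit block cipher: block collisions expected after ~2^32 blocks (32 GiB) under one key")
    if "_CBC" in suite.cipher:
        findings.append("CBC mode with HMAC (MAC-then-encrypt, non-AEAD)")
    return findings


def audit(names) -> dict:
    """Map each suite name to its findings."""
    return {n: audit_suite(parse_suite(n)) for n in names}


def forward_secret(names) -> list:
    """The subset an operator would prefer clients to negotiate."""
    return [n for n in names if parse_suite(n).kx in FORWARD_SECRET_KX]


if __name__ == "__main__":
    for name, findings in audit(GUIDE_SUITES + [AEAD_CONTRAST_SUITE]).items():
        print(name, "->", "; ".join(findings) or "no findings")
```

Because the page does not describe a cipher-suite knob, the practical use is on the client side: configure syslog, RADIUS and browser clients that talk to the switch to prefer the forward-secret suites from this list.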
Configuring OCSP behavior
You can configure whether OCSP requests carry a nonce and whether they are signed when the CA or the device contacts the OCSP responders. To configure this behavior, follow this step:
In CONFIGURATION mode, enter the following command:
crypto x509 ocsp {[nonce] [sign-request]}
Both the nonce and sign-request parameters are optional. The default behavior is to use neither option. The nonce binds each response to the request that produced it, so a previously recorded "good" response cannot be replayed for a certificate that has since been revoked; enable it when your responders support it.
Verifying Client Certificates
Verifying client certificates is optional in the TLS protocol and is not explicitly required by Common Criteria. However, TLS-protected Syslog and RADIUS protocols mandate that certificate-based mutual authentication be performed.

Event logging
The system logs the following events:
● A CA certificate is installed or deleted.
● A self-signed certificate and private key are generated.
● An existing host certificate, a private key, or both are deleted.