Dell EMC Networking OS Configuration Guide for the Z9100-ON System 9.14.2.2 July 2019 Rev.
Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2018 - 2019 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents
Chapter 1: About this Guide  32
Audience  32
Conventions
Removing a Command from EXEC Mode  57
Moving a Command from EXEC Privilege Mode to EXEC Mode  57
Allowing Access to CONFIGURATION Mode Commands  57
Allowing Access to Different Modes
Enabling 802.1X  85
Configuring dot1x Profile  86
Configuring the Static MAB and MAB Profile
Counting ACL Hits  119
Configure Ingress ACLs  120
Configure Egress ACLs
Enabling four-byte autonomous system numbers  180
Changing a BGP router ID  180
Configuring AS4 Number Representations  181
Configuring a BGP peer
Configuring UFT Modes  233
IPv6 CAM ACL Region  234
Important Points to Remember
Applying DCB Policies in a Switch Stack  266
Configure a DCBx Operation  266
DCBx Operation  266
DCBx Port Roles
Viewing the Number of SAV Dropped Packets  304
Clearing the Number of SAV Dropped Packets  305
Chapter 14: Equal Cost Multi-Path (ECMP)  306
ECMP for Flow-Based Affinity
Implementing FRRP  333
FRRP Configuration  334
Creating the FRRP Group
Configuring Layer 2 (Data Link) Mode  368
Configuring Layer 2 (Interface) Mode  368
Configuring Layer 3 (Network) Mode  368
Configuring Layer 3 (Interface) Mode
Syslog Warning Upon Connecting SFP28 Optics with QSA  394
FEC Configuration  395
View interface information with FEC type  396
View Advanced Interface Information
Chapter 22: IPv6 Routing  422
Protocol Overview  422
Extended Address Space  422
Stateless Autoconfiguration
Multi-Topology IS-IS  448
Transition Mode  448
Interface Support
Chapter 27: Layer 2  485
Manage the MAC Address Table  485
Clearing the MAC Address Table  485
Setting the Aging Time for Dynamic Entries
Relevant Management Objects  515
Chapter 29: Microsoft Network Load Balancing  520
Configuring a Switch for NLB  521
Enabling a Switch for Multicast NLB
MSTP Sample Configurations  553
Debugging and Verifying MSTP Configurations  557
Chapter 32: Multicast Features  559
Enabling IP Multicast
Router Types  597
Designated and Backup Designated Routers  598
Link-State Advertisements (LSAs)  598
Router Priority and Cost
Related Configuration Tasks  643
Enable PIM-SM  643
Configuring S,G Expiry Timers
Enabling PVST+  687
Disabling PVST+  687
Influencing PVST+ Root Selection
RIPv1  724
RIPv2  724
Implementation Information
TACACS+ Remote Authentication  779
Command Authorization  780
Protection from TCP Tiny and Overlapping Fragment Attacks  780
Enabling SCP and SSH
Honoring the Incoming DEI Value  815
Marking Egress Packets with a DEI Value  815
Dynamic Mode CoS for VLAN Stacking  816
Mapping C-Tag to S-Tag dot1p Values
Copy a Binary File to the Startup-Configuration  843
Additional MIB Objects to View Copy Statistics  844
Obtaining a Value for MIB Objects  844
MIB Support to Display Reason for Last System Reboot
Monitor Port-Channels  877
Troubleshooting SNMP Operation  878
Transceiver Monitoring
Configuring NTP Broadcasts  908
Disabling NTP on an Interface  908
Configuring a Source IP Address for NTP Packets  908
Configuring NTP Authentication
VLT Terminology  937
Layer-2 Traffic in VLT Domains  938
Interspersed VLANs
Configuring an LLDP VLT Proxy Gateway  1005
VLT Proxy Gateway Sample Topology  1006
VLT Domain Configuration  1006
Dell-1 VLT Configuration
Sample VRF Configuration  1046
Route Leaking VRFs  1050
Dynamic Route Leaking
Multicast  1101
Network Management  1101
MIB Location
1 About this Guide This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system. The Z9100-ON platform is available with Dell EMC Networking OS version 9.8(1.0) and beyond. Though this guide contains information about protocols, it is not intended to be a complete reference.
2 Configuration Fundamentals The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
● EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information. ● EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted.
GRUB
ROUTE-MAP
ROUTER BGP
BGP ADDRESS-FAMILY
ROUTER ISIS
ISIS ADDRESS-FAMILY
ROUTER OSPF
ROUTER OSPFV3
ROUTER RIP
SPANNING TREE
TRACE-LIST
VLT DOMAIN
VRRP
UPLINK STATE GROUP
Navigating CLI Modes
The Dell EMC Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode.
Table 1.
-- Stack Info --
Unit  UnitType    Status  ReqTyp    CurTyp    Version  Ports
------------------------------------------------------------------
1     Management  online  Z9100-ON  Z9100-ON  9.8(1.
● Enter ? after a partial keyword lists all of the keywords that begin with the specified letters.
DellEMC(conf)#cl?
class-map clock
DellEMC(conf)#cl
● Enter [space]? after a keyword lists all of the keywords that can follow the specified keyword.
DellEMC(conf)#clock ?
summer-time  Configure summer (daylight savings) time
timezone     Configure time zone
DellEMC(conf)#clock
Entering and Editing Commands
Notes for entering commands.
● The CLI is not case-sensitive.
● You can enter partial CLI keywords.
Command History The Dell EMC Networking OS maintains a history of previously-entered commands for each mode. For example: ● When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands. ● When you are in CONFIGURATION mode, the UP or DOWN arrows keys recall the previously-entered CONFIGURATION mode commands.
The no-more command displays the output all at once rather than one screen at a time. This is similar to the terminal length command except that the no-more option affects the output of the specified command only. The save command copies the output to a file for future reference. NOTE: You can filter a single command output multiple times. The save option must be the last option entered.
EXEC Privilege mode
DellEMC#show alias
----------------------------------------------------------------
Alias Name   Definition
----------------------------------------------------------------
showipbr10   show ip interface brief | ….
showipbr40   show ip interface brief | ….
shboot       show bootvar…
cr-vlan      interface vlan $1 ..
3 Getting Started This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
Accessing the Console Port
To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.
3.
1. Power on the PC.
2. Connect the USB-A end of the cable into an available USB port on the PC.
3. Connect the micro USB-B end of the cable into the micro USB-B console port on the system.
4. Power on the system.
5. Install the necessary USB device drivers. (To download the drivers, go to https://www.dell.com/support.) For assistance, contact Dell EMC Networking Technical Support.
6. Open your terminal emulation software to access the system.
7.
2. Assign an IP address to the interface.
INTERFACE mode
ip address ip-address/mask
● ip-address: an address in dotted-decimal format (A.B.C.D).
● mask: a subnet mask in /prefix-length format (/xx).
3. Enable the interface.
INTERFACE mode
no shutdown
Configure a Management Route
Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port.
Dell EMC Networking OS encrypts a type 5 secret and a type 7 password using the dynamic-salt option, so that two users configured with the same password get different encrypted values. NOTE: The dynamic-salt option is shown only with the secret and password options. With dynamic-salt configured, a type 5 secret and a type 7 password are 32 and 16 characters longer, respectively, than without it.
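The following script, added here as an example and not taken from the Dell guide, audits a saved configuration for the credential-storage weaknesses this section and the FTP server section touch on: cleartext (type 0) entries, reversible type 7 passwords, and secret hashes that are identical across accounts, which the dynamic-salt behaviour described above should make impossible for independently configured users. The sample configuration, its hash and type 7 strings, and the type-digit meanings it relies on (0 cleartext, 7 reversible obfuscation, 5 salted MD5-crypt secret) are this example's assumptions about FTOS conventions, not statements from the guide.

```python
"""Audit a Dell EMC Networking OS configuration for weakly stored credentials.

Added example, not code from the Dell guide. Assumes the usual FTOS type
digits: 0 = cleartext, 7 = reversible obfuscated password, 5 = salted
MD5-crypt secret. The config below is constructed for the example; the
hash and the type 7 strings were not taken from a real switch.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_CONFIG = """\
!
username admin privilege 15 secret 5 $1$kV3x9Qd7$Pq4y8ZfLk2mN0s1Tg6WbH/
username ops privilege 1 password 7 0822455d0a16
username netops privilege 15 password 0 NetOps2019!
username backup privilege 1 password 0 NetOps2019!
username auditor privilege 1 secret 5 $1$kV3x9Qd7$Pq4y8ZfLk2mN0s1Tg6WbH/
ftp-server enable
ftp-server username nairobi password 0 zanzibar
enable password 7 121A0C041104
!
"""

# "username NAME ..." or "ftp-server username NAME ..."; other lines (e.g. "enable
# password ...") are named after their first keyword.
ACCOUNT_RE = re.compile(r"^(?:ftp-server\s+)?username\s+(?P<name>\S+)")
CRED_RE = re.compile(r"\b(?P<kind>secret|password)\s+(?P<type>\d+)\s+(?P<value>\S+)")


@dataclass
class Finding:
    line: int        # 0 for findings that span several lines
    account: str     # one account, or a comma-joined sorted list for "reused"
    code: str        # "cleartext", "reversible", "unknown", "reused"
    detail: str


def audit_config(text: str) -> list:
    findings = []
    same_value = defaultdict(list)   # (kind, type, value) -> account names
    for lineno, raw in enumerate(text.splitlines(), 1):
        cred = CRED_RE.search(raw)
        if not cred:
            continue
        acct = ACCOUNT_RE.match(raw)
        account = acct.group("name") if acct else raw.split()[0]
        kind, ptype, value = cred.group("kind"), cred.group("type"), cred.group("value")
        same_value[(kind, ptype, value)].append(account)
        if ptype == "0":
            findings.append(Finding(lineno, account, "cleartext",
                                    f"{kind} stored in cleartext; anyone who can read the config has it"))
        elif kind == "password" and ptype == "7":
            findings.append(Finding(lineno, account, "reversible",
                                    "type 7 is reversible obfuscation, not a hash; prefer 'secret 5'"))
        elif not (kind == "secret" and ptype == "5"):
            findings.append(Finding(lineno, account, "unknown", f"unexpected {kind} type {ptype}"))
    for (kind, ptype, value), accounts in same_value.items():
        if len(accounts) > 1:
            names = ",".join(sorted(accounts))
            if ptype == "5":
                why = ("identical secret hashes: same password and same salt, so dynamic-salt "
                       "is not in effect or the line was pasted between accounts")
            else:
                why = "same credential value reused across accounts"
            findings.append(Finding(0, names, "reused", f"{kind} type {ptype}: {why}"))
    return findings


def summarize(findings) -> dict:
    """Count findings per code, e.g. {'cleartext': 3, 'reversible': 2, 'reused': 2}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.code] += 1
    return dict(counts)


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for f in report:
        print(f"line {f.line:>2}  {f.account:<16} {f.code:<10} {f.detail}")
    print(summarize(report))
```

Run it against the text of show running-config saved to a file by replacing SAMPLE_CONFIG with that text. The signal worth acting on is a reused finding on two secret 5 lines: with dynamic-salt in effect, two users given the same password get different hashes, so identical hashes mean a line was pasted between accounts or the salt is fixed.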
Table 3.
Table 5. Forming a copy Command
Location / source-file-url Syntax / destination-file-url Syntax
For a remote file location:
copy nfsmount://{}/filepath/filename} username:password
tftp://{hostip | hostname}/filepath/filename
NFS File System
Important Points to Remember
● You cannot copy a file from one remote system to another.
● You cannot copy a file from one location to the same location.
Save the Running-Configuration The running-configuration contains the current system configuration. Dell EMC Networking recommends copying your running-configuration to the startup-configuration. The commands in this section follow the same format as those in the Copy Files to and from the System section but use the filenames startup-configuration and running-configuration. These commands assume that the current directory is the internal flash, which is the system default.
6   drwx  4096      Aug 09 2015 06:56:32 +00:00  CONFD_LOG_DIR
7   drwx  4096      Aug 09 2015 06:56:32 +00:00  CORE_DUMP_DIR
8   drwx  4096      Aug 09 2015 06:56:32 +00:00  RUNTIME_PATCH_DIR
9   -rwx  53285     Sep 01 2015 18:08:54 +00:00  TestReport-SU-1.txt
10  -rwx  630       Sep 02 2015 17:53:14 +00:00  TestReportIndividual-SU-1.txt
11  -rwx  2760      Sep 04 2015 18:51:26 +00:00  startup-config
12  -rwx  294418    Sep 04 2015 18:51:36 +00:00  confd_cdb.tar.gz
13  -rwx  54238335  Sep 06 2015 13:04:58 +00:00  FTOS-Z9100-ON-9.8.1.0.
View Command History The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer. The system generates a trace message for each executed command. No password information is saved to the file. NOTE: The timestamp display format of the show command-history output changes based on the service timestamps log datetime configuration. The time format can be uptime, local time zone time, or UTC time.
[1d0h24m]: CMD-(CLI):[no shutdown]by default from console
[1d0h25m]: CMD-(CLI):[end]by default from console
[1d0h25m]: CMD-(CLI):[write memory]by default from console - Repeated 1 time.
However, these changes are backward-compatible and do not affect existing behavior; that is, you can still use the ip http source-interface command to communicate through a particular interface even if no VRF is configured on that interface. NOTE: If the HTTP service is not VRF-aware, it uses the global routing table to perform the lookup. To enable an HTTP client to look up the VRF table corresponding to either the management VRF or any nondefault VRF, use the ip http vrf command in CONFIGURATION mode.
MD5
DellEMC# verify md5 flash://file-name
275ceb73a4f3118e1d6bcf7d75753459
SHA256
DellEMC# verify sha256 flash://file-name
e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
4 Management This chapter describes the different protocols or services used to manage the Dell EMC Networking system.
A user can access all commands at his privilege level and below. Removing a Command from EXEC Mode To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.
privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword} ● Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command. CONFIGURATION mode privilege {configure |interface | line | route-map | router} level level {command ||...
username username privilege level
NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is hostname#, rather than hostname>.
Configuring Logging
The Dell EMC Networking OS tracks changes in the system using event and error messages. By default, Dell EMC Networking OS logs these messages on:
● the internal buffer
● console and terminal lines
● any configured syslog servers
To disable logging, use the following commands.
The security log contains security events and information. RBAC restricts access to audit and security logs based on the CLI sessions’ user roles. The types of information in this log consist of the following: ● Establishment of secure traffic flows, such as SSH. ● Violations on secure flows or certificate issues. ● Adding and deleting of users.
Configuring Logging Format To display syslog messages in a RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
1. On the switch, enable the SSH server.
DellEMC(conf)#ip ssh server enable
2. On the syslog server, create a reverse SSH tunnel from the syslog server to the Dell OS switch, using the following syntax (the three colon-separated fields are the standard ssh -R form):
ssh -R port:host:hostport user@remote_host -nNf
Here port is the port the switch listens on, host:hostport is the syslog server's listening address and port, and remote_host is the switch. In the following example the syslog server IP address is 10.156.166.48 and its listening port is 5141; the switch IP address is 10.16.131.141 and its listening port is 5140.
ssh -R 5140:10.156.166.48:5141 admin@10.16.131.
Sending System Messages to a Syslog Server To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424, The Syslog Protocol (R. Gerhards, Adiscon GmbH, March 2009), which obsoletes RFC 3164; and RFC 5426, Transmission of Syslog Messages over UDP. ● Specify the server to which you want to send system messages. You can configure up to eight syslog servers.
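As an added example (not code from the Dell guide), the parser below accepts messages in either framing that logging version selects, RFC 3164 for version 0 and RFC 5424 for version 1, and runs a small failed-login counter over them. The four sample messages are constructed to look like what a switch named DellEMC could emit; the message text and the sec/LOGIN_FAIL identifiers are invented for the example, and the facility names follow the RFC 5424 table rather than the Dell facility names.

```python
"""Parse syslog messages in RFC 3164 (logging version 0) or RFC 5424
(logging version 1) framing and count failed logins per source address.

Added example, not code from the Dell guide. The sample messages are
constructed; the only assumption about the switch is standard framing.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# RFC 5424 facility names, index = PRI >> 3; severities, index = PRI & 7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
# RFC 3164: "Mmm dd hh:mm:ss HOST MSG" (no year, no time zone).
RFC3164_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S)
# RFC 5424: "1 TIMESTAMP HOST APP PROCID MSGID SD [MSG]" (SD is "-" or [..] blocks).
RFC5424_RE = re.compile(
    r"^1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)


@dataclass
class SyslogMessage:
    version: int          # 0 = RFC 3164, 1 = RFC 5424
    facility: str
    severity: str
    timestamp: str
    host: str
    app: Optional[str]    # APP-NAME, only present in RFC 5424
    msg: str


def parse_syslog(raw: str) -> SyslogMessage:
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI>")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = FACILITIES[pri >> 3], SEVERITIES[pri & 7]
    rest = m.group("rest")
    m5 = RFC5424_RE.match(rest)      # version field "1 " makes 5424 unambiguous
    if m5:
        return SyslogMessage(1, facility, severity, m5.group("ts"), m5.group("host"),
                             m5.group("app"), m5.group("msg") or "")
    m3 = RFC3164_RE.match(rest)
    if m3:
        return SyslogMessage(0, facility, severity, m3.group("ts"), m3.group("host"),
                             None, m3.group("msg"))
    raise ValueError("unrecognised syslog framing")


# Message-body pattern is the example's own; adapt it to the switch's real text.
FAILED_LOGIN_RE = re.compile(r"Login failed for user (?P<user>\S+) .*?\(\s*(?P<ip>[\d.]+)\s*\)")


def failed_login_sources(raw_messages) -> dict:
    """Count failed logins per source IP across messages in either framing."""
    counts = Counter()
    for raw in raw_messages:
        hit = FAILED_LOGIN_RE.search(parse_syslog(raw).msg)
        if hit:
            counts[hit.group("ip")] += 1
    return dict(counts)


# Constructed sample: two RFC 3164 lines and two RFC 5424 lines, PRI 13 = user.notice.
SAMPLE_MESSAGES = [
    "<13>May 17 15:53:10 DellEMC Login failed for user admin on line vty0 ( 10.14.1.97 )",
    "<13>May 17 15:53:14 DellEMC Login failed for user admin on line vty0 ( 10.14.1.97 )",
    "<13>1 2019-05-17T15:53:19.246+05:30 DellEMC sec - LOGIN_FAIL - "
    "Login failed for user admin on line vty0 ( 10.14.1.97 )",
    "<13>1 2019-05-17T15:53:30.001+05:30 DellEMC sec - LOGIN_OK - "
    "Login successful for user admin on line vty0 ( 10.14.1.97 )",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(parse_syslog(raw))
    print(failed_login_sources(SAMPLE_MESSAGES))
```

The RFC 3164 timestamp carries neither year nor time zone, so correlating version 0 messages across devices depends on consistent service timestamps and NTP settings; version 1 includes both. The UDP transport of RFC 5426 authenticates nothing and can be spoofed on the management network, which is what the reverse SSH tunnel procedure above addresses.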
The following example enables login activity tracking. The system stores the login activity details for the last 30 days. DellEMC(config)#login statistics enable The following example enables login activity tracking and configures the system to store the login activity details for 12 days. DellEMC(config)#login statistics enable DellEMC(config)#login statistics time-period 12 Display Login Statistics To view the login statistics, use the show login statistics command.
Unsuccessful login attempt(s) in last 30 day(s): 3 Successful login attempt(s) in last 30 day(s): 2 Example of the show login statistics user user-id command The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or the custom defined time period.
Configuring Concurrent Session Limit To configure concurrent session limit, follow this procedure: ● Limit the number of concurrent sessions for each user. CONFIGURATION mode login concurrent-session limit number-of-sessions The following example limits the permitted number of concurrent login sessions to 4.
Line Location
2 vty 0 10.14.1.97
3 vty 1 10.14.1.97
4 vty 2 10.14.1.97
5 vty 3 10.14.1.97
Kill existing session? [line number/Enter to cancel]:
Enabling Secured CLI Mode
The secured CLI mode prevents users from raising their permissions or escalating their privilege levels.
● Enter the following command to enable the secured CLI mode:
CONFIGURATION Mode
secure-cli enable
After entering the command, save the running-configuration. Once you save the running-configuration, the secured CLI mode is enabled.
To view the logging configuration, use the show running-config logging command in privilege mode, as shown in the example for Configure a UNIX Logging Facility Level. Display the Logging Buffer and the Logging Configuration To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles.
○ sys12 (system use)
○ sys13 (system use)
○ sys14 (system use)
○ syslog (for syslog messages)
○ user (for user programs)
○ uucp (UNIX to UNIX copy protocol)
To view nondefault settings, use the show running-config logging command in EXEC mode.
DellEMC#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.
○ datetime: To view the timestamp in system local time that includes the local time zone.
○ localtime: You can add the keyword localtime to view the timestamp in system local time that includes the local time zone.
○ show-timezone: Enter the keyword to include the time zone information in the timestamp.
○ msec: Enter the keyword msec to include milliseconds in the timestamp.
○ uptime: To view time since last boot.
○ utc: Enter the keyword utc to view the timestamp in UTC time that excludes the local time zone.
[May 17 10:17:30]: CMD-(CLI):[interface tengigabitethernet 1/2/2]by default from console
[May 17 10:17:32]: CMD-(CLI):[shutdown]by default from console
[May 17 10:17:34]: CMD-(CLI):[no shutdown]by default from console
[May 17 10:17:40]: CMD-(CLI):[write memory]by default from console - Repeated 1 time.
DellEMC(conf)#no service timestamps log
DellEMC#show clock
15:55:12.246 IST Fri May 17 2019
DellEMC# show command-history
[May 17 15:53:10]: CMD-(CLI):[no service timestamps log]by default from console
[May 17 15:53:16]: CMD-(CLI):[write memory]by default from console - Repeated 3 times.
[May 17 15:53:22]: CMD-(CLI):[show logging]by default from console - Repeated 1 time.
[May 17 15:53:36]: CMD-(CLI):[write memory]by default from console - Repeated 5 times.
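The parser below is an added example, not code from the Dell guide. It reads show command-history output in both timestamp forms the examples above use (uptime such as [1d0h24m] and local-clock such as [May 17 15:53:10]), turns the "Repeated N times." compression into a count, and flags commands that weaken auditing or change authentication, such as the no service timestamps log command just shown. The sample lines follow the shapes in this section, but the username backdoor entry and the vty0 source are invented, the watch list is this example's own, and the year supplied for clock timestamps is an assumption because the log omits it.

```python
"""Parse 'show command-history' output and flag audit- or auth-affecting commands.

Added example, not code from the Dell guide. Sample lines are constructed
from the shapes the guide shows; the watch list is the example's own.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Tuple

# "[TS]: CMD-(SRC):[COMMAND]by USER from LINE [- Repeated N time(s).]"
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]:\s*CMD-\((?P<src>[^)]*)\):\[(?P<cmd>[^\]]*)\]\s*"
    r"by (?P<user>\S+) from (?P<line>.*?)"
    r"(?:\s+-)?(?:\s+Repeated (?P<n>\d+) times?\.)?$"
)
UPTIME_RE = re.compile(r"^(\d+)d(\d+)h(\d+)m$")
CLOCK_RE = re.compile(r"^[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d$")

# Commands that reduce audit visibility or alter who can log in (example's own list).
SENSITIVE = [
    re.compile(r"^no service timestamps"),
    re.compile(r"^no logging\b"),
    re.compile(r"^no login statistics"),
    re.compile(r"^no secure-cli"),
    re.compile(r"^(no )?username\b"),
    re.compile(r"^(no )?privilege\b"),
    re.compile(r"^(no )?enable (password|secret)\b"),
    re.compile(r"^no aaa\b"),
]


@dataclass
class HistoryEntry:
    when: Tuple[str, object]   # ("uptime", seconds since boot) or ("clock", datetime)
    source: str
    command: str
    user: str
    line: str
    repeats: int               # extra occurrences reported by "Repeated N times."


def parse_timestamp(ts: str, year: int):
    m = UPTIME_RE.match(ts)
    if m:
        d, h, mi = (int(x) for x in m.groups())
        return ("uptime", d * 86400 + h * 3600 + mi * 60)
    if CLOCK_RE.match(ts):
        # The log omits the year; the caller supplies it (assumed, see lead-in).
        return ("clock", datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y"))
    raise ValueError(f"unrecognised timestamp {ts!r}")


def parse_history(text: str, year: int = 2019) -> list:
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            raise ValueError(f"unparsed line: {raw!r}")
        entries.append(HistoryEntry(
            when=parse_timestamp(m.group("ts"), year),
            source=m.group("src"), command=m.group("cmd"), user=m.group("user"),
            line=m.group("line"), repeats=int(m.group("n") or 0)))
    return entries


def flag_sensitive(entries) -> list:
    """Entries whose command matches the SENSITIVE watch list, in log order."""
    return [e for e in entries if any(p.match(e.command) for p in SENSITIVE)]


# Constructed sample; the last line (and its admin/vty0 source) is invented.
SAMPLE_HISTORY = """\
[1d0h24m]: CMD-(CLI):[no shutdown]by default from console
[1d0h25m]: CMD-(CLI):[end]by default from console
[1d0h25m]: CMD-(CLI):[write memory]by default from console - Repeated 1 time.
[May 17 15:53:10]: CMD-(CLI):[no service timestamps log]by default from console
[May 17 15:53:16]: CMD-(CLI):[write memory]by default from console - Repeated 3 times.
[May 17 15:53:22]: CMD-(CLI):[show logging]by default from console - Repeated 1 time.
[May 17 15:53:36]: CMD-(CLI):[username backdoor privilege 15 secret 0 Sp00ky!]by admin from vty0
"""

if __name__ == "__main__":
    for e in flag_sensitive(parse_history(SAMPLE_HISTORY)):
        print(f"{e.when[0]} {e.when[1]}  {e.user}@{e.line}: {e.command}")
```

Because the buffer stores command text only, the watch list works on the command string; the value of parsing both timestamp forms is that an operator who runs no service timestamps log switches later entries to uptime form, and a monitor that only understood one form would stop reporting at exactly that point.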
Enabling the FTP Server
To enable the system as an FTP server, use the following command. To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.
● Enable FTP on the system.
CONFIGURATION mode
ftp-server enable
DellEMC#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
DellEMC#
FTP carries credentials and file contents in cleartext, and the password 0 form shown here also stores the FTP account password in cleartext in the running-configuration; prefer SCP (see Enabling SCP and SSH) where the transfer crosses an untrusted network.
Configuring FTP Server Parameters
After you enable the FTP server on the system, you can configure different parameters.
ip ftp password password ● Enter a username to use on the FTP client. CONFIGURATION mode ip ftp username name To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enable FTP Server. Terminal Lines You can access the system remotely and restrict access to the system by creating user profiles. Terminal lines on the system provide different means of accessing the system.
!
ipv6 access-list testv6deny
 seq 10 deny ipv6 3001::/64 any
 seq 15 permit ipv6 any any
!
DellEMC(conf)#
DellEMC(conf)#line vty 0 0
DellEMC(config-line-vty)#access-class testv6deny ipv6
DellEMC(config-line-vty)#access-class testvpermit ipv4
DellEMC(config-line-vty)#show c
line vty 0
 exec-timeout 0 0
 access-class testpermit ipv4
 access-class testv6deny ipv6
!
Configuring Login Authentication for Terminal Lines
You can use any combination of up to six authentication methods to authenticate a user on a termin
login authentication myvtymethodlist
DellEMC(config-line-vty)#
Setting Timeout for EXEC Privilege Mode
EXEC timeout is a basic security feature that returns Dell EMC Networking OS to EXEC mode after a period of inactivity on the terminal lines. To set the timeout, use the following commands.
● Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC timeout by setting the timeout period to 0. A timeout of 0 on VTY lines (exec-timeout 0 0, as in the access-class example above) leaves idle remote privileged sessions open indefinitely and is suitable only for lab use.
Lock CONFIGURATION Mode Dell EMC Networking OS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). You can set two types of locks: auto and manual. ● Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access.
NOTE: This is true even if the unit is the master (in an HA chassis environment – as in the case of RPM) or a Stack master or standby (as in case of S3048-ON). LBQA (LPC Bus Quality Analyzer) Failure Detection mode The following functions are performed as a part of this mode: 1. The LBQA will be started as part of FTOS application init (typically as a poller in sysd). 2. The LBQA will run as a fast poller (typically 1 sec) in failure detection mode. 3.
The following example shows how to reload the system into ONIE prompt and enter the install mode directly: DellEMC#reload onie install Proceed with reload [confirm yes/no]: yes Restoring the Factory Default Settings Restoring the factory-default settings deletes the existing NVRAM settings, startup configuration, and all configured settings such as, stacking or fanout.
contains a valid image, then the primary boot line value is set to the partition that is configured to be used to boot the device in a network failure scenario. The secondary and default boot line values are set to a Null string. Important Points to Remember ● The Chassis remains in boot prompt if none of the partitions contain valid images. ● To enable TFTP boot after restoring factory default settings, you must stop the boot process in BLI.
5 802.1X 802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example). 802.
● The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. ● The device with which the supplicant communicates is the authenticator. The authenticator is the gatekeeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant.
Figure 5. EAP Port-Authentication EAP over RADIUS 802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79. Figure 6. EAP Over RADIUS RADIUS Attributes for 802.1X Support Dell EMC Networking systems include the following RADIUS attributes in all 802.
Configuring 802.1X Configuring 802.1X on a port is a one-step process. For more information, refer to Enabling 802.1X. Related Configuration Tasks
● Configuring Request Identity Re-Transmissions
● Forcibly Authorizing or Unauthorizing a Port
● Re-Authenticating a Port
● Configuring Timeouts
● Configuring a Guest VLAN
● Configuring an Authentication-Fail VLAN
Important Points to Remember ● Dell EMC Networking OS supports 802.
Enabling 802.1X Enable 802.1X globally. Figure 7. 802.1X Enabled 1. Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2. Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3. Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
no ip address dot1x authentication no shutdown ! DellEMC# To view 802.1X configuration information for an interface, use the show dot1x interface command. In the following example, the bold lines show that 802.1X is enabled on all ports unauthorized by default. DellEMC#show dot1x interface TenGigabitEthernet 2/1/1 802.
Configuring the Static MAB and MAB Profile Enable MAB (mac-auth-bypass) before using the dot1x static-mab command to enable static MAB. To enable static MAB and configure a static MAB profile, use the following commands. ● Configure static MAB and a static MAB profile on a dot1x interface. INTERFACE mode dot1x static-mab profile profile-name Enter a name to configure the static MAB profile name. The profile name length is limited to a maximum of 32 characters.
! interface TenGigabitEthernet 2/1 switchport dot1x critical-vlan 300 no shutdown DellEMC#show dot1x interface tengigabitethernet 2/1 802.
NOTE: There are several reasons why the supplicant might fail to respond; for example, the supplicant might have been booting when the request arrived or there might be a physical layer problem. To configure re-transmissions, use the following commands. ● Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame. INTERFACE mode dot1x tx-period number The range is from 1 to 65535 (1 year). The default is 30.
Auth PAE State: Initialize
Backend State: Initialize
Forcibly Authorizing or Unauthorizing a Port The 802.1X ports can be placed into any of the three states: ● ForceAuthorized — an authorized state. A device connected to a port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port. ● ForceUnauthorized — an unauthorized state.
The range is from 1 to 31536000. The default is 3600. ● Configure the maximum number of times the supplicant can be re-authenticated. INTERFACE mode dot1x reauth-max number The range is from 1 to 10. The default is 2. The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period.
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Figure 8. Dynamic VLAN Assignment 1. Configure 802.1X globally (refer to Enabling 802.1X) along with the relevant RADIUS server configurations (refer to the illustration in Dynamic VLAN Assignment with Port Authentication). 2. Make the interface a switchport so that it can be assigned to a VLAN. 3. Create the VLAN to which the interface will be assigned. 4. Connect the supplicant to the port configured for 802.1X. 5.
● If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins. Configuring a Guest VLAN If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN. NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.
Example of Viewing Configured Authentication 802.
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) This section describes the access control list (ACL) virtual local area network (VLAN) group, and content addressable memory (CAM) enhancements.
The ACL manager does not notify the ACL agent in the following cases: ● The ACL VLAN group is created. ● The ACL VLAN group is deleted and it does not contain VLAN members. ● The ACL is applied or removed from a group and the ACL group does not contain a VLAN member. ● The description of the ACL group is added or removed.
2. Add a description to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode description description 3. Apply an egress IP ACL to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode ip access-group {group name} out implicit-permit 4. Add VLAN member(s) to an ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode member vlan {VLAN-range} 5. Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
Viewing CAM Usage View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL subpartitions) using the show cam-usage command in EXEC Privilege mode. Display Layer 2, Layer 3, ACL, or all CAM usage statistics. EXEC Privilege mode show cam-usage [acl | router | switch] The following output shows CAM block usage for Layer 2 and Layer 3 ACLs and other processes that use CAM space: Starting from OS 9.11(2.
| | IN-L3 ECMP GRP | Codes: * - cam usage is above 90%.
● Filtering noninitial fragments of a datagram
If your ACL rules contain the following keywords, the system accepts the configuration, shows a message stating that these features are not supported, and ignores the configuration.
● ttl
● fragments
● no-drop
● dscp
● ecn
Optimizing ACL for More Number of IPv4 ACL Rules To optimize the ACL for a larger number of IPv4 ACL rules, follow these steps: 1. Carve the vlanaclopt CAM region. CONFIGURATION mode cam-acl-vlan vlanopenflow 0 vlaniscsi 0 vlanaclopt 2 2.
7 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
• Assign an IP ACL to an Interface
• Applying an IP ACL
• Configure Ingress ACLs
• Configure Egress ACLs
• Configuring UDF ACL
• IP Prefix Lists
• ACL Remarks
• ACL Resequencing
• Route Maps
IP Access Control Lists (ACLs) In Dell EMC Networking switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address of the packet.
CAM Optimization When you enable this command, if a policy map containing classification rules (ACL and/or dscp/ ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only one FP entry is used). When you disable this command, the system behaves as described in this chapter. Test CAM Usage This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs.
9.13(0.0), the system installs your ACL rules until all the allocated CAM memory is used. If there is no implicit permit in your rule, the Dell EMC Networking OS ensures that an implicit deny is installed at the end of your rule. This behavior is applicable for IPv4 and IPv6 ingress and egress ACLs. NOTE: System access lists (system-flow entries) are pre-programmed in the system for lifting the control-plane packets destined for the local device which the CPU needs to process.
Configure ACL Range Profiles Dell EMC Networking OS allows L3 ACLs to configure a range of L4 source and destination ports using the operators and range of ports. This results in multiple ACL entries that use more space in the forwarding table. Starting from Dell EMC Networking OS 9.11(0.0), you can configure the range of L4 source and destination ports as part of L3 ACLs, which results in only one ACL entry. To configure the range profiles, use the following commands.
● If no match is found in a route-map sequence, the process moves to the next route-map sequence until a match is found, or there are no more sequences. ● When a match is found, the packet is forwarded and no more route-map sequences are processed. ○ If a continue clause is included in the route-map sequence, the next or a specified route-map sequence is processed after a match is found.
To delete all instances of that route map, use the no route-map map-name command. To delete just one instance, add the sequence number to the command syntax. DellEMC(conf)#no route-map zakho 10 DellEMC(conf)#end DellEMC#show route-map route-map zakho, permit, sequence 20 Match clauses: interface TenGigabitEthernet 1/1/1 Set clauses: tag 35 level stub-area DellEMC# The following example shows a route map with multiple instances.
Example of the match Command to Permit and Deny Routes DellEMC(conf)#route-map force permit 10 DellEMC(config-route-map)#match tag 1000 DellEMC(conf)#route-map force deny 20 DellEMC(config-route-map)#match tag 1000 DellEMC(conf)#route-map force deny 30 DellEMC(config-route-map)#match tag 1000 Configuring Match Routes To configure match criterion for a route map, use the following commands. ● Match routes with the same AS-PATH numbers.
match metric metric-value ● Match BGP routes based on the ORIGIN attribute. CONFIG-ROUTE-MAP mode match origin {egp | igp | incomplete} ● Match routes specified as internal or external to OSPF, ISIS level-1, ISIS level-2, or locally generated. CONFIG-ROUTE-MAP mode match route-type {external [type-1 | type-2] | internal | level-1 | level-2 | local } ● Match routes with a specific tag. CONFIG-ROUTE-MAP mode match tag tag-value
To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low. Set commands do not require a corresponding match command. Configure a Route Map for Route Redistribution Route maps on their own cannot affect traffic and must be included in different commands to affect routing traffic.
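The sequence-by-sequence processing of a route map described above (first match wins, a matching sequence applies its set clauses, and a continue clause hands processing on to the next or a named sequence) is easy to get wrong when several sequences overlap. The following Python model is an added example written for this guide, not Dell EMC Networking OS code; the Sequence class, the apply_route_map function, the encoding of "continue with no target" as 0, the rule that a matching deny stops processing, and the sample route map are all constructed for illustration, and match clauses within one sequence are ANDed as in standard route-map semantics.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Route = Dict[str, object]


@dataclass
class Sequence:
    """One route-map sequence (constructed model, not the OS's data structure)."""
    seq: int
    action: str                                   # "permit" or "deny"
    match: Route = field(default_factory=dict)    # all clauses must match; empty = match all
    set_: Route = field(default_factory=dict)     # attributes written on a match
    continue_to: Optional[int] = None             # None: stop after match; 0: continue with the
                                                  # next sequence; N: continue at sequence N


def _matches(s: Sequence, route: Route) -> bool:
    return all(route.get(k) == v for k, v in s.match.items())


def apply_route_map(rm: List[Sequence], route: Route) -> Tuple[str, Route, List[int]]:
    """Return (final action, modified route attributes, sequences that matched)."""
    seqs = sorted(rm, key=lambda s: s.seq)
    route = dict(route)
    visited: List[int] = []
    action = "deny"                 # implicit deny when no sequence matches
    i = 0
    while i < len(seqs):
        s = seqs[i]
        if not _matches(s, route):
            i += 1                  # no match: fall through to the next sequence
            continue
        visited.append(s.seq)
        action = s.action
        if action == "deny":
            break                   # a matching deny ends processing (assumption)
        route.update(s.set_)        # set clauses apply before any continue
        if s.continue_to is None:
            break                   # match without continue: done
        if s.continue_to == 0:
            i += 1
        else:
            # jump to the named sequence; a non-existent target ends processing
            i = next((j for j, t in enumerate(seqs) if t.seq == s.continue_to), len(seqs))
    return action, route, visited


# Constructed sample route map: tag 1000 gets metric 50 and then jumps over
# sequence 20 straight to 30, which stamps tag 35 on everything it sees.
ROUTE_MAP = [
    Sequence(5, "deny", match={"tag": 666}),
    Sequence(10, "permit", match={"tag": 1000}, set_={"metric": 50}, continue_to=30),
    Sequence(20, "permit", match={"tag": 2000}, set_={"metric": 60}, continue_to=0),
    Sequence(30, "permit", set_={"tag": 35}),
]

if __name__ == "__main__":
    for tag in (1000, 2000, 666, 3000):
        print(tag, "->", apply_route_map(ROUTE_MAP, {"prefix": "10.0.0.0/8", "tag": tag}))
```

Note that a route matched by sequence 10 is never tested against sequence 20, because the continue names sequence 30 explicitly; a route matched by sequence 20 does reach sequence 30, because its continue has no target and so the next sequence is processed.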
NOTE: If you configure the continue clause without specifying a module, the next sequential module is processed. Example of Using the continue Clause in a Route Map ! route-map test permit 10 match commu comm-list1 set community 1:1 1:2 1:3 set as-path prepend 1 2 3 4 5 continue 30! IP Fragment Handling Dell EMC Networking OS supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent packets.
● If a packet's FO > 0, the packet is permitted. ● If a packet's FO = 0, the next ACL entry is processed. Deny ACL line with L3 information only, and the fragments keyword is present: If a packet's L3 information does match the L3 information in the ACL line, the packet's FO is checked. ● If a packet's FO > 0, the packet is denied. ● If a packet's FO = 0, the next ACL line is processed. In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted.
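The fragment-offset rules above are worth tracing with concrete packets, because a non-initial fragment carries no TCP/UDP header and therefore can never satisfy a line that tests an L4 port. The following Python evaluator is an added example, not code from the guide or from Dell EMC Networking OS: the AclLine and Packet classes, the evaluate function and the sample ACL are constructed for illustration. It implements the page's rules for lines with the fragments keyword, plus two assumptions that follow standard ACL semantics: an L3-only line without fragments matches regardless of fragment offset, and a line with an L4 qualifier is only tested against packets with FO = 0.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class AclLine:
    """One line of an extended IP ACL (simplified model, constructed for this example)."""
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: str                     # "any", or a network such as "10.1.1.1/32"
    dst: str
    dport: Optional[int] = None  # L4 destination port qualifier (eq), if any
    fragments: bool = False      # the 'fragments' keyword


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    fo: int = 0                  # IP fragment offset; 0 for unfragmented or initial fragments
    dport: Optional[int] = None  # only present when fo == 0 (the L4 header is in the first fragment)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _l3_match(line: AclLine, pkt: Packet) -> bool:
    proto_ok = line.proto == "ip" or line.proto == pkt.proto
    return proto_ok and _addr_match(line.src, pkt.src) and _addr_match(line.dst, pkt.dst)


def evaluate(acl: List[AclLine], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq of the matching line). Lines are processed in sequence
    order; falling off the end is the implicit deny."""
    for line in sorted(acl, key=lambda l: l.seq):
        if not _l3_match(line, pkt):
            continue
        if line.fragments:
            # Page rule: L3 match plus 'fragments' acts only when FO > 0;
            # an initial fragment (FO = 0) falls through to the next line.
            if pkt.fo > 0:
                return line.action, line.seq
            continue
        if line.dport is not None:
            # Assumption (standard ACL semantics): an L4 qualifier can only be
            # checked on the packet that carries the L4 header, i.e. FO = 0.
            if pkt.fo == 0 and pkt.dport == line.dport:
                return line.action, line.seq
            continue
        # Assumption: an L3-only line without 'fragments' matches any fragment offset.
        return line.action, line.seq
    return "deny", None


# Constructed ACL in the spirit of the guide's first example: TCP from 10.1.1.1 to
# port 24 is permitted, non-initial fragments are explicitly dropped, the rest passes.
ACL = [
    AclLine(5, "permit", "tcp", "10.1.1.1/32", "any", dport=24),
    AclLine(10, "deny", "ip", "any", "any", fragments=True),
    AclLine(15, "permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    for p in (Packet("10.1.1.1", "10.2.2.2", "tcp", fo=0, dport=24),
              Packet("10.1.1.1", "10.2.2.2", "tcp", fo=185),
              Packet("10.9.9.9", "10.2.2.2", "udp", fo=0, dport=53)):
        print(p, "->", evaluate(ACL, p))
```

The second packet is the instructive one: it comes from the permitted host and belongs to a TCP flow, but as a non-initial fragment it cannot prove its destination port, so sequence 5 does not apply and sequence 10 drops it. Without the explicit fragments line it would have been passed by the catch-all permit.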
To view the rules of a particular ACL configured on a particular interface, use the show ip accounting access-list ACL-name interface interface command in EXEC Privilege mode. The following is an example of viewing the rules of a specific ACL on an interface. DellEMC#show ip accounting access-list ToOspf interface gig 1/6 Standard IP access list ToOspf seq 5 deny any seq 10 deny 10.2.0.0 /16 seq 15 deny 10.3.0.0 /16 seq 20 deny 10.4.0.0 /16 seq 25 deny 10.5.0.0 /16 seq 30 deny 10.6.0.0 /16 seq 35 deny 10.7.
The following example shows how to view a standard ACL filter sequence for an interface. DellEMC#show ip accounting access example interface gig 4/12 Extended IP access list example seq 15 deny udp any any eq 111 seq 20 deny udp any any eq 2049 seq 25 deny udp any any eq 31337 seq 30 deny tcp any any range 12345 12346 seq 35 permit udp host 10.21.126.225 10.4.5.0 /28 monitor 300 seq 40 permit udp host 10.21.126.226 10.4.5.0 /28 seq 45 permit udp 10.8.0.0 /16 10.50.188.
Configure Filters, ICMP Packets To create a filter for ICMP packets with a specified sequence number, use the following commands. 1. Create either an extended IPv4 or IPv6 ACL and assign it a unique name. CONFIGURATION mode ip access-list extended access-list-name ipv6 access-list extended access-list-name 2. Configure an extended IP ACL filter for ICMP packets.
seq 15 permit icmp any any nd-ns count (30 packets)
seq 20 permit icmp any any nd-na count (56 packets)
seq 25 permit icmp any any packet-too-big count (25 packets)
seq 30 permit icmp any any parameter-problem count (34 packets)
seq 35 permit icmp any any time-exceeded count (56 packets)
seq 40 permit icmp any any dest-unreachable count (43 packets)
seq 45 permit icmp any any port-unreachable count (25 packets)
Configure Filters, TCP Packets To create a filter for TCP packets with a specified sequenc
{deny | permit} {source mask | any | host ip-address} [count [byte]] [order] [monitor [session-id]] [fragments] ● Configure a deny or permit filter to examine TCP packets. CONFIG-EXT-NACL mode {deny | permit} tcp {source mask | any | host ip-address} [count [byte]] [order] [monitor [session-id]] [fragments] ● Configure a deny or permit filter to examine UDP packets.
Assign an IP ACL to an Interface To pass traffic through a configured IP ACL, assign that ACL to a physical interface, a port channel interface, or a VLAN. The IP ACL is applied to all traffic entering a physical or port channel interface and the traffic is either forwarded or dropped depending on the criteria and actions specified in the ACL. The same ACL may be applied to different interfaces and that changes its functionality.
Configure Ingress ACLs Ingress ACLs are applied to interfaces and to traffic entering the system. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieve the same results. By localizing target traffic, it is a simpler implementation. To create an ingress ACL, use the ip access-group command in EXEC Privilege mode. The example shows applying the ACL, adding rules to the newly created access group, and viewing the access list.
DellEMC(config-ext-nacl)#permit tcp any any DellEMC(config-ext-nacl)#deny icmp any any DellEMC(config-ext-nacl)#permit 1.1.1.2 DellEMC(config-ext-nacl)#end DellEMC#show ip accounting access-list ! Extended Ingress IP access list abcd on gigethernet 0/0 seq 5 permit tcp any any seq 10 deny icmp any any seq 15 permit 1.1.1.
cam-acl {default | l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number [vman-qos | vman-dual-qos number] ecfmacl number [nlbclusteracl number] ipv4pbr number }openflow number | fcoe number} [ipv4udfenable] [vrfv4acl number] DellEMC(conf)#cam-acl l2acl 1 ipv4acl 8 ipv6acl 2 ipv4qos 0 l2qos 2 l2pt 0 ipmacacl 0 vman-qos 0 ecfmacl 0 ipv4udfenable 3. View the currently configured CAM allocation.
key description udf-id id packetbase PacketBase offset bytes length bytes DellEMC(conf-udf-tcam)#key innerL3header udf-id 6 packetbase innerL3Header offset 0 length 2 6. View the UDF TCAM configuration. CONFIGURATION-UDF TCAM mode show config DellEMC(conf-udf-tcam)#show config ! udf-tcam ipnip seq 1 key innerL3header udf-id 6 packetbase innerL3Header offset 0 length 2 DellEMC(conf-udf-tcam)# 7. Configure the match criteria for the packet type in which UDF offset bytes are parsed.
ip access-list extended aa seq 5 permit ip any any udf-pkt-format ipnip udf-qualifier-value ipnip_val1 DellEMC(config-ext-nacl)# IP Prefix Lists IP prefix lists control routing policy. An IP prefix list is a series of sequential filters that contain a matching criterion (examine IP route prefix) and an action (permit or deny) to process routes. The filters are processed in sequence so that if a route prefix does not match the criterion in the first filter, the second filter (if configured) is applied.
2. Create a prefix list with a sequence number and a deny or permit action. CONFIG-NPREFIXL mode seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length] The optional parameters are: ● ge min-prefix-length: the minimum prefix length to match (from 0 to 32). ● le max-prefix-length: the maximum prefix length to match (from 0 to 32). If you want to forward all routes that do not match the prefix list criteria, configure a prefix list filter to permit all routes (permit 0.0.0.
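The ge and le qualifiers are where prefix lists differ from ACLs: an entry matches a route only if the route lies inside the entry's prefix and its mask length falls in the window the qualifiers define. The following Python evaluator is an added example, not code from the guide or from Dell EMC Networking OS; the PrefixEntry class, the two functions and the sample list are constructed for illustration. The length window it implements is the standard one: no qualifier means an exact length match, ge alone means ge up to the address width, le alone means the entry's own length up to le, and both together give the closed range ge..le.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass
class PrefixEntry:
    """One 'seq N {permit|deny} prefix [ge min] [le max]' filter (constructed model)."""
    seq: int
    action: str
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None


def entry_matches(entry: PrefixEntry, route: str) -> bool:
    net = ip_network(entry.prefix, strict=False)
    rt = ip_network(route, strict=False)
    if rt.version != net.version or not rt.subnet_of(net):
        return False
    # Lower bound: ge if given, else the entry's own length.
    lo = entry.ge if entry.ge is not None else net.prefixlen
    # Upper bound: le if given; ge alone opens the window to /32 (or /128);
    # neither qualifier means the route length must equal the entry length.
    if entry.le is not None:
        hi = entry.le
    elif entry.ge is not None:
        hi = net.max_prefixlen
    else:
        hi = net.prefixlen
    return lo <= rt.prefixlen <= hi


def evaluate_prefix_list(entries: List[PrefixEntry], route: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match is the implicit deny at the end of the list."""
    for e in sorted(entries, key=lambda e: e.seq):
        if entry_matches(e, route):
            return e.action, e.seq
    return "deny", None


# Constructed sample: drop long prefixes out of 10/8, accept its aggregates,
# and end with the guide's catch-all so every other route is forwarded.
PREFIX_LIST = [
    PrefixEntry(5, "deny", "10.0.0.0/8", ge=24),
    PrefixEntry(10, "permit", "10.0.0.0/8", le=16),
    PrefixEntry(15, "permit", "0.0.0.0/0", le=32),
]

if __name__ == "__main__":
    for r in ("10.1.1.0/24", "10.1.0.0/16", "10.1.0.0/20", "192.168.1.0/24", "2001:db8::/32"):
        print(r, "->", evaluate_prefix_list(PREFIX_LIST, r))
```

A route such as 10.1.0.0/20 slips between the two 10/8 entries (too short for the deny, too long for the permit) and is only accepted by the catch-all; leaving out the catch-all would silently drop it, which is the failure mode the guide's "permit 0.0.0.0/0 le 32" advice guards against.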
To delete a filter, enter the show config command in PREFIX LIST mode and locate the sequence number of the filter you want to delete, then use the no seq sequence-number command in PREFIX LIST mode. Viewing Prefix Lists To view all configured prefix lists, use the following commands. ● Show detailed information about configured prefix lists. EXEC Privilege mode show ip prefix-list detail [prefix-name] ● Show a table of summarized information about configured Prefix lists.
To view the configuration, use the show config command in ROUTER RIP mode, or the show running-config rip command in EXEC mode. DellEMC(conf-router_rip)#show config ! router rip distribute-list prefix juba out network 10.0.0.0 DellEMC(conf-router_rip)#router ospf 34 Applying a Filter to a Prefix List (OSPF) To apply a filter to routes in open shortest path first (OSPF), use the following commands. ● Enter OSPF mode. CONFIGURATION mode router ospf ● Apply a configured prefix list to incoming routes.
ipv6 access-list {extended | standard} access-list-name 2. Define the ACL rule. CONFIG-EXT-NACL mode or CONFIG-STD-NACL seq sequence-number {permit | deny} options 3. Write a remark. CONFIG-EXT-NACL mode or CONFIG-STD-NACL remark [remark-number] remark-text The remark number is optional.
NOTE: ACL resequencing does not affect the rules, remarks, or order in which they are applied. Resequencing merely renumbers the rules so that you can place new rules within the list as needed. Table 7. ACL Resequencing Rules
Rules Before Resequencing:
seq 5 permit any host 1.1.1.1
seq 6 permit any host 1.1.1.2
seq 7 permit any host 1.1.1.3
seq 10 permit any host 1.1.1.4
Rules After Resequencing:
seq 5 permit any host 1.1.1.1
seq 10 permit any host 1.1.1.2
seq 15 permit any host 1.1.1.
Remarks that do not have a corresponding rule are incremented as a rule. These two mechanisms allow remarks to retain their original position in the list. The following example shows remark 10 corresponding to rule 10 and as such, they have the same number before and after the command is entered. Remark 4 is incremented as a rule, and all rules have retained their original positions.
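The two remark rules above (a remark numbered like a rule follows that rule; an orphan remark takes a number of its own) decide whether a renumbering keeps comments next to the rules they describe. The following Python function is an added example, not code from the guide or from Dell EMC Networking OS; the Entry class, the resequence and render helpers and the sample list are constructed for illustration and reproduce the mechanism the text describes.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Entry:
    seq: int
    kind: str      # "rule" or "remark"
    text: str


def resequence(entries: List[Entry], start: int, step: int) -> List[Entry]:
    """Renumber from 'start' in increments of 'step'. A remark whose number equals
    a rule's number takes that rule's new number; a remark with no corresponding
    rule consumes a number of its own, exactly as a rule would."""
    rule_seqs = {e.seq for e in entries if e.kind == "rule"}
    # Preserve the applied order: by number, with remarks ahead of the rule they annotate.
    ordered = sorted(entries, key=lambda e: (e.seq, 0 if e.kind == "remark" else 1))
    out: List[Entry] = []
    nxt = start
    for e in ordered:
        out.append(Entry(nxt, e.kind, e.text))
        if not (e.kind == "remark" and e.seq in rule_seqs):
            nxt += step          # rules and orphan remarks advance the counter
    return out


def render(entries: List[Entry]) -> List[str]:
    """Print entries in the show-config style used by the guide."""
    return [f"{'remark' if e.kind == 'remark' else 'seq'} {e.seq} {e.text}" for e in entries]


# Constructed list: the guide's four rules plus an orphan remark (4) and a remark
# that corresponds to rule 10.
BEFORE = [
    Entry(4, "remark", "XYZ"),
    Entry(5, "rule", "permit any host 1.1.1.1"),
    Entry(6, "rule", "permit any host 1.1.1.2"),
    Entry(7, "rule", "permit any host 1.1.1.3"),
    Entry(10, "remark", "this remark corresponds to permit any host 1.1.1.4"),
    Entry(10, "rule", "permit any host 1.1.1.4"),
]

if __name__ == "__main__":
    print("\n".join(render(resequence(BEFORE, 5, 5))))
```

With start 5 and step 5 the orphan remark becomes 5 and pushes every rule one slot down (10, 15, 20, 25), while the remark that belonged to rule 10 ends up as 25, the same number as its rule, so the pairing survives the renumbering.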
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 9. BFD in IPv4 Packet Format Field Description Diagnostic Code The reason that the last session failed. State The current local session state. Refer to BFD Sessions. Flag A bit that indicates packet function.
Field Description Your Discriminator A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface. Desired Min TX Interval The minimum rate at which the local system would like to send control packets to the remote system.
State Description Init The local system is communicating. Up Both systems are exchanging control packets. The session is declared down if: ● A control packet is not received within the detection time. ● Sufficient echo packets are lost. ● Demand mode is active and a control packet is not received in response to a poll packet. BFD Three-Way Handshake A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 11.
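The state changes described here (the session is driven by the State field of each received control packet, and drops to Down when no packet arrives within the detection time) can be exercised without two routers. The following Python model is an added example, not code from the guide or from Dell EMC Networking OS; the BfdSession class, the three_way_handshake helper and the timer values are constructed for illustration. The transition table is the one from RFC 5880 section 6.8.6, which is consistent with the page's description (a Down session that receives Down moves to Init), and the detection time is computed as the remote multiplier times the interval the peer actually transmits at.

```python
from dataclasses import dataclass
from typing import List, Tuple

# (local state, State field of the received packet) -> new local state
_TRANSITIONS = {
    ("Down", "Down"): "Init", ("Down", "Init"): "Up", ("Down", "Up"): "Down",
    ("Init", "Down"): "Init", ("Init", "Init"): "Up", ("Init", "Up"): "Up",
    ("Up", "Down"): "Down",   ("Up", "Init"): "Up",   ("Up", "Up"): "Up",
}


@dataclass
class BfdSession:
    name: str
    desired_min_tx_ms: int = 100      # Desired Min TX Interval we advertise
    required_min_rx_ms: int = 100     # Required Min RX Interval we advertise
    multiplier: int = 3               # Detection Multiplier we advertise
    state: str = "Down"
    # Peer timers learned from its packets (RFC defaults until the first packet).
    remote_desired_min_tx_ms: int = 1000
    remote_multiplier: int = 3

    def control_packet(self) -> dict:
        """The fields of an outgoing control packet that matter for this model."""
        return {"state": self.state, "desired_min_tx": self.desired_min_tx_ms,
                "required_min_rx": self.required_min_rx_ms, "multiplier": self.multiplier}

    def receive(self, pkt: dict) -> str:
        self.remote_desired_min_tx_ms = pkt["desired_min_tx"]
        self.remote_multiplier = pkt["multiplier"]
        self.state = _TRANSITIONS[(self.state, pkt["state"])]
        return self.state

    def detection_time_ms(self) -> int:
        # The peer sends no faster than the larger of its Desired Min TX and our
        # Required Min RX; missing 'remote multiplier' such packets declares the session down.
        return self.remote_multiplier * max(self.remote_desired_min_tx_ms, self.required_min_rx_ms)

    def detection_timeout(self) -> str:
        """No control packet within the detection time: the session is declared down."""
        self.state = "Down"
        return self.state


def three_way_handshake(a: BfdSession, b: BfdSession) -> List[Tuple[str, str, str, str]]:
    """Alternate control packets between a and b until both are Up.
    Returns (sender, advertised state, receiver, receiver's new state) per packet."""
    trace = []
    sender, receiver = a, b
    for _ in range(6):                       # bound the loop; 3 packets suffice
        if a.state == "Up" and b.state == "Up":
            break
        pkt = sender.control_packet()
        new_state = receiver.receive(pkt)
        trace.append((sender.name, pkt["state"], receiver.name, new_state))
        sender, receiver = receiver, sender
    return trace


if __name__ == "__main__":
    r1, r2 = BfdSession("R1"), BfdSession("R2")
    for step in three_way_handshake(r1, r2):
        print(step)
    print("R1 detection time (ms):", r1.detection_time_ms())
```

Three packets carry the session from Down to Up on both sides (Down, then Init, then Up). Once R1 times out and falls back to Down, its next packet also takes R2 to Down, and the handshake has to run again; with both sides at 100 ms and a multiplier of 3 the detection time is 300 ms, which is the figure the Rx-int/Tx-int/Mult columns of show bfd neighbors let you verify.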
● Configure BFD for OSPFv3
● Configure BFD for IS-IS
● Configure BFD for BGP
● Configure BFD for VRRP
● Configuring Protocol Liveness
Configure BFD for Physical Ports Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
Remote Addr: 2.2.2.
Establishing Sessions for Static Routes for Default VRF Sessions are established for all neighbors that are the next hop of a static route on the default VRF. Figure 12. Establishing Sessions for Static Routes To establish a BFD session, use the following command. ● Establish BFD sessions for all neighbors that are the next hop of a static route.
Example Configuration and Verification The following example contains static routes for both default and nondefault VRFs. Dell#sh run | grep bfd bfd enable ip route bfd prefix-list p4_le ip route bfd vrf vrf1 ip route bfd vrf vrf2 ip route bfd vrf vrf1 prefix-list p4_le The following example shows that sessions are created for static routes for the default VRF.
Prefix lists are used in route maps and route filtering operations. You can use prefix lists as an alternative to existing access lists (ACLs). A prefix is a portion of the IP address. Prefix lists constitute any number of bits in an IP address starting from the far left bit of the far left octet. By specifying the exact number of bits in an IP address that belong to a prefix list, the prefix list can be used to aggregate addresses and perform some functions; for example, redistribution.
no ip route bfd [prefix-list prefix-list-name] [interval interval min_rx min_rx multiplier value role {active | passive}] Configure BFD for IPv6 Static Routes BFD offers systems a link state detection mechanism for static routes. With BFD, systems are notified to remove static routes from the routing table as soon as the link state change occurs, rather than waiting until packets fail to reach their next hop. Configuring BFD for IPv6 static routes is a three-step process: 1. Enable BFD globally. 2.
ipv6 route bfd vrf vrf-name [prefix-list prefix-list-name] [interval interval min_rx min_rx multiplier value role {active | passive}] Example Configuration and Verification The following example contains static routes for both default and nondefault VRFs. Dell#show run | grep bfd bfd enable ipv6 route bfd prefix-list p6_le ipv6 route bfd vrf vrf1 ipv6 route bfd vrf vrf2 ipv6 route bfd vrf vrf1 prefix-list p6_le The following example shows that sessions are created for static routes for the default VRF.
Changing IPv6 Static Route Session Parameters BFD sessions are configured with default intervals and a default role. The parameters you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all static routes. If you change a parameter, the change affects all sessions for static routes. To change parameters for static route sessions, use the following command. ● Change parameters for all static route sessions.
Establishing Sessions with OSPF Neighbors for the Default VRF BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 13. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. ● Enable BFD globally.
The bold line shows the OSPF BFD sessions.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2 2.2.2.1 Te 2/1/1 Up 100 100 3 O
* 2.2.3.1 2.2.3.2 Te 2/2/1 Up 100 100 3 O
Establishing Sessions with OSPF Neighbors for nondefault VRFs To configure BFD in a nondefault VRF, follow this procedure: ● Enable BFD globally.
* 6.1.1.1 6.1.1.2 Vl 30 Up 200 200 3 O
* 7.1.1.1 7.1.1.2 Te 1/21/1 Up 200 200 3 O
The following example shows the show bfd vrf neighbors command output showing the nondefault VRF.
show bfd vrf VRF_blue neighbors
* - Active session role
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
O3 - OSPFv3
R - Static Route (RTM)
M - MPLS
V - VRRP
VT - Vxlan Tunnel
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult VRF Clients
* 5.1.1.1 5.1.1.2 Po 30 Up 200 200 3 255 O
* 6.1.1.1 6.1.1.
Role: Active Delete session on Down: True VRF: VRF_blue Client Registered: OSPF Uptime: 00:00:15 Statistics: Number of packets received from neighbor: 78 Number of packets sent to neighbor: 78 Number of state changes: 1 Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 4 Session Discriminator: 6 Neighbor Discriminator: 1 Local Addr: 7.1.1.1 Local MAC Addr: 00:a0:c9:00:00:02 Remote Addr: 7.1.1.
To disable BFD sessions, use the following commands. ● Disable BFD sessions with all OSPF neighbors. ROUTER-OSPF mode no bfd all-neighbors ● Disable BFD sessions with all OSPF neighbors on an interface. INTERFACE mode ip ospf bfd all-neighbors disable Configure BFD for OSPFv3 BFD for OSPFv3 provides support for IPv6. Configuring BFD for OSPFv3 is a two-step process: 1. Enable BFD globally. 2. Establish sessions with OSPFv3 neighbors.
* fe80::2a0:c9ff:fe00:2 fe80::3617:98ff:fe34:12 Vl 2 Up 200 200 3 O3
DellEMC#
Establishing BFD Sessions with OSPFv3 Neighbors for nondefault VRFs To configure BFD in a nondefault VRF, use the following procedure: ● Enable BFD globally. CONFIGURATION mode bfd enable ● Establish sessions with all OSPFv3 neighbors in a specific VRF. ROUTER-OSPFv3 mode bfd all-neighbors ● Establish sessions with the OSPFv3 neighbors on a single interface in a specific VRF.
* fe80::2a0:c9ff:fe00:2 fe80::3617:98ff:fe34:12 Vl 100 Up 150 150 3 511 O3
* fe80::2a0:c9ff:fe00:2 fe80::3617:98ff:fe34:12 Vl 101 Up 150 150 3 511 O3
* fe80::2a0:c9ff:fe00:2 fe80::3617:98ff:fe34:12 Vl 102 Up 150 150 3 511 O3
* fe80::2a0:c9ff:fe00:2 fe80::3617:98ff:fe34:12 Vl 103 Up 150 150 3 511 O3
DellEMC#
Changing OSPFv3 Session Parameters Configure BFD sessions with default intervals and a default role.
Related Configuration Tasks ● Changing IS-IS Session Parameters ● Disabling BFD for IS-IS Establishing Sessions with IS-IS Neighbors BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface. Figure 14. Establishing Sessions with IS-IS Neighbors To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands. ● Establish sessions with all IS-IS neighbors.
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2 2.2.2.1 Te 2/1/1 Up 100 100 3 I
Changing IS-IS Session Parameters BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface.
Figure 15. Establishing Sessions with BGP Neighbors The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor: ● By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command). ● By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command) BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
bfd enable
2. Specify the AS number and enter ROUTER BGP configuration mode.
CONFIGURATION mode
router bgp as-number
3. Add a BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP mode
neighbor {ip-address | peer-group name} remote-as as-number
4. Enable the BGP neighbor.
CONFIG-ROUTERBGP mode
neighbor {ip-address | peer-group-name} no shutdown
5. Add a BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP mode
neighbor {ipv6-address | peer-group name} remote-as as-number
6.
2. Specify the AS number and enter ROUTER BGP configuration mode.
CONFIGURATION mode
router bgp as-number
3. Specify the address family as IPv4.
CONFIG-ROUTERBGP mode
address-family ipv4 vrf vrf-name
4. Add an IPv4 BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP_ADDRESSFAMILY mode
neighbor {ip-address | peer-group name} remote-as as-number
5. Enable the BGP neighbor.
CONFIG-ROUTERBGP_ADDRESSFAMILY mode
neighbor {ip-address | peer-group-name} no shutdown
6.
Disabling BFD for BGP
You can disable BFD for BGP. To disable a BFD for BGP session with a specified neighbor, use the first command. To remove the disabled state of a BFD for BGP session with a specified neighbor, use the second command. The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.
● Disable a BFD for BGP session with a specified neighbor.
V - VRRP
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 1.1.1.3 1.1.1.2 Te 1/1/1 Up 200 200 3 B
* 2.2.2.3 2.2.2.2 Te 1/2/1 Up 200 200 3 B
* 3.3.3.3 3.3.3.2 Te 1/3/1 Up 200 200 3 B
The following example shows viewing BFD neighbors with full detail. The bold lines show the BFD session parameters: TX (packet transmission), RX (packet reception), and multiplier (maximum number of missed packets).
3 neighbor(s) using 24168 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 1.1.1.2 2.2.2.2 3.3.3.2 0 0 0 1 1 1 282 273 282 281 273 281 0 0 0 0 0 0 0 (0) 0 00:38:12 04:32:26 00:38:12 The following example shows viewing BFD information for a specified neighbor.
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
...
Neighbor is using BGP peer-group mode BFD configuration
Peer active in peer-group outbound optimization
...
Configure BFD for VRRP
When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the route processor module (RPM). BFD sessions are established with all neighboring interfaces participating in VRRP.
vrrp bfd all-neighbors
Establishing VRRP Sessions on VRRP Neighbors
The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. VRRP BFD sessions on the backup router cannot change to the UP state. Configure the master router to establish an individual VRRP session with the backup router. To establish a session with a particular VRRP neighbor, use the following command.
● Establish a session with a particular VRRP neighbor.
INTERFACE mode
vrrp bfd neighbor ip-address interval milliseconds min_rx milliseconds multiplier value role [active | passive]
To view session parameters, use the show bfd neighbors detail command.
Disabling BFD for VRRP
If you disable any or all VRRP sessions, the sessions are torn down. A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to the Down state.
9 Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP) is an interdomain routing protocol that manages routing between edge routers. BGP uses an algorithm to exchange routing information between switches enabled with BGP. BGP determines a path to reach a particular destination using certain attributes while avoiding routing loops. BGP selects a single path as the best path to a destination network or host. You can also influence BGP to select a different path by altering some of the BGP attributes.
the knowledge to reach routers external to the AS. EBGP routers exchange information with other EBGP routers as well as IBGP routers to maintain connectivity and accessibility.
Figure 17. BGP Topology with autonomous systems (AS)
BGP version 4 (BGPv4) supports classless interdomain routing (CIDR), aggregate routes, and AS paths. BGP is a path vector protocol: BGP maintains the path that updated information takes as it diffuses through the network.
Figure 18. BGP Routers in Full Mesh
The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible.
AS4 Number Representation
Dell EMC Networking OS supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot.
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported.
● All AS numbers between 0 and 65535 are represented as a decimal number, both when entered in the CLI and when displayed in the show command outputs.
● AS numbers larger than 65535 are represented using ASDOT notation. For example, AS 65546 is represented as 1.10.
ASDOT representation combines the ASPLAIN and ASDOT+ representations.
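As an added example (not code from the Dell EMC guide), the following Python converts a 4-byte AS number between the three notations described above and checks what a router without 4-byte AS support accepts. It assumes the dotted forms are <high 16 bits>.<low 16 bits>, which matches the page's example of 65546 written as 1.10.

```python
# Added example: AS number notation conversions for the asplain, asdot+ and
# asdot representations described above. Not Dell EMC code.
# Assumption: the dotted forms are <high 16 bits>.<low 16 bits>; the page
# only gives the example 65546 -> 1.10, which this matches.

MAX_2BYTE_AS = 65535
MAX_4BYTE_AS = 4294967295


def _check_range(asn: int) -> None:
    if not 0 <= asn <= MAX_4BYTE_AS:
        raise ValueError(f"AS number out of 32-bit range: {asn}")


def to_asplain(asn: int) -> str:
    """Plain decimal, the only representation without 4-byte AS support."""
    _check_range(asn)
    return str(asn)


def to_asdot_plus(asn: int) -> str:
    """Always dotted: high 16 bits, a dot, low 16 bits (so 65535 -> 0.65535)."""
    _check_range(asn)
    high, low = divmod(asn, 65536)
    return f"{high}.{low}"


def to_asdot(asn: int) -> str:
    """asplain for 0..65535, dotted for anything larger (65546 -> 1.10)."""
    _check_range(asn)
    return to_asplain(asn) if asn <= MAX_2BYTE_AS else to_asdot_plus(asn)


def parse_as_number(text: str) -> int:
    """Parse any of the three notations back to an integer.

    A dotted value is read as high.low; a bare decimal is asplain.
    """
    text = text.strip()
    if "." in text:
        high_text, low_text = text.split(".", 1)
        high, low = int(high_text), int(low_text)
        if not (0 <= high <= MAX_2BYTE_AS and 0 <= low <= MAX_2BYTE_AS):
            raise ValueError(f"dotted AS number out of range: {text}")
        return high * 65536 + low
    asn = int(text)
    _check_range(asn)
    return asn


def accepted_without_4byte_support(text: str) -> bool:
    """True if a configured value is usable when the 4-byte AS feature is off:
    per the note above only asplain is understood then, and the value must
    fit in 2 bytes."""
    if "." in text:
        return False
    try:
        return parse_as_number(text) <= MAX_2BYTE_AS
    except ValueError:
        return False


if __name__ == "__main__":
    for asn in (64512, 65535, 65546, 4294967295):
        print(f"{asn:>10}  asplain={to_asplain(asn):<11} "
              f"asdot+={to_asdot_plus(asn):<12} asdot={to_asdot(asn)}")
```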
DellEMC(conf-router_bgp)#do sho ip bgp
BGP table version is 28093, local router ID is 172.30.1.57
AS4 SUPPORT DISABLED
DellEMC(conf-router_bgp)#no bgp four-octet-as-support
DellEMC(conf-router_bgp)#sho conf
!
router bgp 100
neighbor 172.30.1.250 local-as 65057
DellEMC(conf-router_bgp)#do show ip bgp
BGP table version is 28093, local router ID is 172.30.1.57
Four-Byte AS Numbers
You can use the 4-Byte (32-bit) format when configuring autonomous system numbers (ASNs).
State: Description
Idle: BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer.
Connect: In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active: The router resets the ConnectRetry timer to zero and returns to the Connect state.
Best Path Selection Criteria
Paths for active routes are grouped in ascending order according to their neighboring external AS number (BGP best path selection is deterministic by default, which means the bgp non-deterministic-med command is NOT applied). The best path in each group is selected based on specific criteria. Only one “best path” is selected at a time. If any of the criteria results in more than one path, BGP moves on to the next option in the list.
a. This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs are compared only if the first AS in the AS_SEQUENCE is the same for both paths.
b. If you entered the bgp always-compare-med command, MEDs are compared for all paths.
c. Paths with no MED are treated as “worst” and assigned a MED of 4294967295.
Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths.
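The following Python is an added example, not the Dell EMC implementation: a simplified best-path selector that groups paths by neighboring AS as described above, applies MED rules (a), (b) and (c), and then prefers EBGP over IBGP. It assumes the criteria that come before MED (local preference, AS_PATH length, origin) run in the standard RFC 4271 order, and it leaves out the later tie-breakers.

```python
# Added example (not Dell EMC code): deterministic BGP best-path selection
# with the MED rules from the list above. Assumption: local preference,
# AS_PATH length and origin are checked before MED, in RFC 4271 order;
# later tie-breakers (IGP metric, router ID, ...) are deliberately omitted.
from dataclasses import dataclass
from typing import Dict, List, Optional

MISSING_MED = 4294967295          # rule (c): an absent MED counts as worst
ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}   # lower is preferred


@dataclass
class Path:
    next_hop: str
    as_path: List[int]
    origin: str = "IGP"
    local_pref: int = 100          # page: default local preference is 100
    med: Optional[int] = None      # None means the attribute is absent
    ebgp: bool = True              # False: learned from an IBGP peer

    @property
    def neighboring_as(self) -> Optional[int]:
        """First AS in AS_SEQUENCE; None for a locally originated path."""
        return self.as_path[0] if self.as_path else None

    @property
    def effective_med(self) -> int:
        return MISSING_MED if self.med is None else self.med


def prefer(a: Path, b: Path, always_compare_med: bool = False) -> Optional[Path]:
    """Return the preferred of two paths, or None if they are still tied."""
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # Rules (a) and (b): MED is comparable only when the first AS matches,
    # unless bgp always-compare-med is configured.
    if always_compare_med or a.neighboring_as == b.neighboring_as:
        if a.effective_med != b.effective_med:
            return a if a.effective_med < b.effective_med else b
    # Prefer external (EBGP) to internal (IBGP) paths.
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b
    return None


def _reduce(paths: List[Path], always_compare_med: bool) -> Path:
    best = paths[0]
    for candidate in paths[1:]:
        winner = prefer(best, candidate, always_compare_med)
        if winner is not None:
            best = winner
    return best


def best_path(paths: List[Path], always_compare_med: bool = False) -> Path:
    """Deterministic selection: group by neighboring AS (ascending), pick the
    best of each group, then compare the group winners."""
    if not paths:
        raise ValueError("no paths to choose from")
    groups: Dict[Optional[int], List[Path]] = {}
    for p in paths:
        groups.setdefault(p.neighboring_as, []).append(p)
    ordered = sorted(groups, key=lambda k: (k is None, k if k is not None else 0))
    winners = [_reduce(groups[k], always_compare_med) for k in ordered]
    return _reduce(winners, always_compare_med)


if __name__ == "__main__":
    # Constructed sample: three EBGP paths to the same prefix.
    sample = [Path("192.0.2.1", [200, 300], med=50),
              Path("192.0.2.2", [200, 400]),           # no MED: worst in AS 200
              Path("192.0.2.3", [500, 300], med=10)]   # different first AS
    print("default:", best_path(sample).next_hop)                   # 192.0.2.1
    print("always-compare-med:", best_path(sample, True).next_hop)  # 192.0.2.3
```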
Figure 20. BGP Local Preference
Multi-Exit Discriminators (MEDs)
If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 21. Multi-Exit Discriminators
NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites IGP MED.
Origin
The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
IPv4 and IPv6 address family
The IPv4 address family configuration in Dell EMC Networking OS is used for identifying routing sessions for protocols that use IPv4 addresses. You can specify multicast within the IPv4 address family. The default address family configuration is IPv4 unicast. You can configure VRF instances for the IPv4 address family configuration. The IPv6 address family configuration is used for identifying routing sessions for protocols that use IPv6 addresses.
Table 8. BGP Default Values (continued)
Item: Default
Graceful Restart feature: Disabled
Local preference: 100
MED: 0
Route Flap Damping Parameters: half-life = 15 minutes; reuse = 750; suppress = 2000; max-suppress-time = 60 minutes
Distance: external distance = 20; internal distance = 200; local distance = 200
Timers: keepalive = 60 seconds; holdtime = 180 seconds
Add-path: Disabled
Implement BGP with Dell EMC Networking OS
The following sections describe how to implement BGP on Dell EMC Networking OS.
Table 9.
If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH. If an inbound route-map is used to prepend the as-path to the update from the peer, the Local-AS is added first. For example, consider the topology described in the previous illustration.
● To return all values on an snmpwalk for the f10BgpM2Peer sub-OID, use the -C c option, such as snmpwalk -v 2c -C c -c public.
● An SNMP walk may terminate prematurely if the index does not increment lexicographically. Dell EMC Networking recommends using options to ignore such errors.
● Multiple BGP process instances are not supported. Thus, the f10BgpM2PeerInstance field in various tables is not used to locate a peer.
Restrictions
Dell EMC Networking OS supports only one BGP routing configuration and autonomous system (AS), but supports multiple address family configurations.
Enabling BGP
By default, BGP is disabled on the system. Dell EMC Networking OS supports one autonomous system (AS) and assigns the AS number (ASN). To enable the BGP process and begin exchanging information, assign an AS number and use commands in ROUTER BGP mode to configure a BGP neighbor.
DellEMC(conf-router_bgp)# neighbor 20.20.20.1 remote-as 20
DellEMC(conf-router_bgp)# neighbor 20.20.20.1 no shutdown
DellEMC(conf-router_bgp)#exit
DellEMC(conf)#
The following example shows verifying the BGP configuration using the show running-config bgp command.
DellEMC#show running-config bgp
!
router bgp 65535
neighbor 20.20.20.1 remote-as 20
neighbor 20.20.20.1 no shutdown
DellEMC#
Examples of the show ip bgp Commands
The following example shows the show ip bgp summary command output.
Connections established 0; dropped 0
Last reset never
No active TCP connection
Enabling four-byte autonomous system numbers
You can enable 4-byte support for configuring autonomous system numbers (ASNs). To enable 4-byte support for the BGP process, use the following command.
NOTE: When creating BGP confederations, all the routers in the confederation must be either 4-byte identified routers or 2-byte identified routers. You cannot mix them.
● Enable 4-byte support for the BGP process.
Peering sessions are reset when you change the router ID of a BGP router. Upon changing the router ID, the system automatically restarts the BGP instance for the configuration to take effect.
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf-router_bgp)# bgp router-id 1.1.1.1
The following is sample output of the show ip bgp ipv4 multicast summary command.
DellEMC# show ip bgp summary
BGP router identifier 1.1.1.
neighbor 172.30.1.250 route-map rmap1 in
neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
neighbor 172.30.1.250 no shutdown
5332332 9911991 65057 18508 12182 7018 46164 i
The following example shows the bgp asnotation asdot command output.
DellEMC(conf-router_bgp)#bgp asnotation asdot
DellEMC(conf-router_bgp)#sho conf
!
router bgp 100
bgp asnotation asdot
bgp four-octet-as-support
neighbor 172.30.1.250 remote-as 18508
neighbor 172.30.1.250 local-as 65057
neighbor 172.30.1.
neighbor {ip-address | ipv6-address | peer-group-name} activate
NOTE: Neighbors have to be activated using the neighbor activate command in the respective address family. To exchange other address prefix types (IPv4 multicast or IPv6 unicast), the neighbors must be activated under the respective address family configuration, such as address-family ipv4 multicast (for IPv4 multicast) and address-family ipv6 unicast (for IPv6).
DellEMC(conf)# router bgp 10
DellEMC(conf-router_bgp)# neighbor 20.20.20.
The following is an example of enabling the BGP configuration on Router B.
RouterB# configure terminal
RouterB(conf)# router bgp 45000
RouterB(conf-router_bgp)# bgp router-id 172.17.1.99
RouterB(conf-router_bgp)# timers bgp 70 120
RouterB(conf-router_bgp)# neighbor 192.168.1.2 remote-as 40000
RouterB(conf-router_bgp)# exit
RouterB(conf)#
The show ip bgp summary command displays the BGP configuration. The following is sample output of the show ip bgp summary command for Router A.
After you create a peer group, you can configure route policies for it. For information about configuring route policies for a peer group, refer to Filtering BGP Routes. See Example-Configuring BGP peer groups for configuring multiple BGP neighbors and enabling peer groups.
Configuring Peer Groups
To configure a peer group, use the following commands.
1. Enter the router configuration mode and the AS number.
CONFIG mode
router bgp as-number
2. Create a peer group by assigning a name to it.
A neighbor may keep its configuration after it was added to a peer group if the neighbor’s configuration is more specific than the peer group’s and if the neighbor’s configuration does not affect outgoing updates. NOTE: When you configure a new set of BGP policies for a peer group, always reset the peer group by entering the clear ip bgp peer-group peer-group-name command in EXEC Privilege mode. To view the configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
Example of Enabling BGP (Router 1)
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/32
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
ip address 192.168.128.1/24
no shutdown
R1(conf-if-lo-0)#int te 1/21/1
R1(conf-if-te-1/21/1)#ip address 10.0.1.21/24
R1(conf-if-te-1/21/1)#no shutdown
R1(conf-if-te-1/21/1)#show config
!
interface TengigabitEthernet 1/21
ip address 10.0.1.
router bgp 99
network 192.168.128.0/24
neighbor 192.168.128.2 remote-as 99
neighbor 192.168.128.2 update-source Loopback 0
neighbor 10.0.3.33 no shutdown
neighbor 10.0.3.33 remote-as 100
Example of Enabling BGP (Router 2)
R2# conf
R2(conf)#int loop 0
R2(conf-if-lo-0)#ip address 192.168.128.2/32
R2(conf-if-lo-0)#no shutdown
R2(conf-if-lo-0)#show config
!
interface Loopback 0
ip address 192.168.128.2/24
no shutdown
R2(conf-if-lo-0)#int te 2/11/1
R2(conf-if-te-2/11/1)#ip address 10.0.1.
R3(conf-if-te-3/21/1)#router bgp 100
R3(conf-router_bgp)#show config
!
router bgp 100
R3(conf-router_bgp)#neighbor 10.0.3.31 remote 99
R3(conf-router_bgp)#neighbor 10.0.3.31 no shut
R3(conf-router_bgp)#neighbor 10.0.2.2 remote 99
R3(conf-router_bgp)#neighbor 10.0.2.2 no shut
R3(conf-router_bgp)#show config
!
router bgp 100
neighbor 10.0.3.31 remote 99
neighbor 10.0.3.31 no shut
neighbor 10.0.2.2 remote 99
neighbor 10.0.2.
network 192.168.128.0/24
neighbor AAA peer-group
neighbor AAA no shutdown
neighbor BBB peer-group
neighbor BBB no shutdown
neighbor 192.168.128.1 remote-as 99
neighbor 192.168.128.1 peer-group CCC
neighbor 192.168.128.1 update-source Loopback 0
neighbor 192.168.128.1 no shutdown
neighbor 192.168.128.3 remote-as 100
neighbor 192.168.128.3 peer-group BBB
neighbor 192.168.128.3 update-source Loopback 0
neighbor 192.168.128.
BGP soft-reconfiguration clears the policies without resetting the TCP connection. To reset a BGP connection using BGP soft-reconfiguration, use the clear ip bgp command in EXEC Privilege mode at the system prompt. When you change the BGP inbound policy locally, you need to process the updates received from a peer. The route-refresh capability allows the local peer to reset inbound information dynamically by exchanging route-refresh requests to supporting peers.
If the neighbor soft-reconfiguration inbound command has never been configured on the router, a soft reset is enough for the route-refresh updates to be sent.
Route-refresh updates for IPv4 and IPv6 prefixes
This section explains the route-refresh functionality in the different combinations of IPv4 or IPv6 prefixes configured with IPv4 or IPv6 neighbors. By default, IPv4 prefixes are sent to all neighbors, regardless of whether the IPv4 address family is enabled or disabled.
DellEMC(conf-router_bgp)#do clear ip bgp 20::2 soft in
May 8 15:40:08 : BGP: 20::2 sending ROUTE_REFRESH AFI/SAFI (1/1)
May 8 15:40:08 : BGP: 20::2 sending ROUTE_REFRESH AFI/SAFI (2/1)
May 8 15:40:08 : BGP: 20::2 UPDATE rcvd packet len 56
May 8 15:40:08 : BGP: 20::2 rcvd UPDATE w/ attr: origin ?, path metric 0, 200, nexthop 20.1.1.2,
Controlling route-refresh updates
You can control route-refresh updates for IPv4 and IPv6 prefixes.
aggregate-address address-mask
Use the aggregate-address command without any keywords to create an aggregate entry if any specific BGP routes are available in the specified range.
DellEMC# configure terminal
DellEMC(conf)# router bgp 100
DellEMC(conf-router_bgp)# aggregate-address 10.1.1.0/24
DellEMC(conf-router_bgp)# exit
DellEMC(conf)#
The following is sample output of the show ip bgp command.
DellEMC# show ip bgp
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
BGP local router ID is 30.30.30.
Filtering BGP
The following section describes the methods used to filter the updates received from BGP neighbors. The following are the filtering methods for BGP updates:
● Filtering using IP prefix lists
● Filtering using route maps
● Filtering using AS-PATH information
● Filtering using community lists
Regular Expressions as Filters
Regular expressions are used to filter AS paths or community lists.
neighbor AAA no shutdown
neighbor 10.155.15.2 remote-as 32
neighbor 10.155.15.2 shutdown
DellEMC(conf-router_bgp)#neigh 10.155.15.2 filter-list 1 in
DellEMC(conf-router_bgp)#ex
DellEMC(conf)#ip as-path access-list Eagle
DellEMC(config-as-path)#deny 32$
DellEMC(config-as-path)#ex
DellEMC(conf)#router bgp 99
DellEMC(conf-router_bgp)#neighbor AAA filter-list Eagle in
DellEMC(conf-router_bgp)#show conf
!
router bgp 99
neighbor AAA peer-group
neighbor AAA filter-list Eagle in
neighbor AAA no shutdown
neighbor 10.
CONFIGURATION mode
ip prefix-list prefix-name
2. Create multiple prefix list filters with a deny or permit action.
CONFIG-PREFIX LIST mode
seq sequence-number {deny | permit} {any | ip-prefix [ge | le] }
● ge: minimum prefix length to be matched.
● le: maximum prefix length to be matched.
For information about configuring prefix lists, refer to Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
CONFIG-PREFIX LIST mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5.
{match | set}
For information about configuring route maps, see Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Filter routes based on the criteria in the configured route map.
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Use a configured AS-PATH ACL for route filtering and manipulation.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} filter-list as-path-name {in | out}
If you assign a non-existent or empty AS-PATH ACL, the software allows all routes. To view all BGP path attributes in the BGP database, use the show ip bgp paths command in EXEC Privilege mode.
neighbor {ip-address | ipv6-address | peer-group-name} route-map map-name {in | out}
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf-router_bgp)# neighbor 10.10.10.1 remote-as 500
DellEMC(conf-router_bgp)# neighbor 10.10.10.
Received 6 updates, Sent 0 updates
Route refresh request: received 0, sent 0
Minimum time between advertisement runs is 5 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
fall-over enabled
Update source set to Loopback 0
Peer active in peer-group outbound optimization
When a BGP neighbor connection with authentication configured is rejected by a passive peer-group, Dell EMC Networking OS does not allow another passive peer-group on the same subnet to connect with the BGP neighbor. To work around this, change the BGP configuration or change the order of the peer group configuration. You can constrain the number of passive sessions accepted by the neighbor. The limit keyword allows you to set the total number of sessions the neighbor will accept, between 2 and 265.
bgp graceful-restart
● Set maximum restart time, in seconds, to restart and bring up all the peers.
CONFIG-ROUTER-BGP mode
bgp graceful-restart [restart-time time-in-seconds]
The default is 120 seconds.
● Set maximum time, in seconds, to retain the restarting peer’s stale paths.
CONFIG-ROUTER-BGP mode
bgp graceful-restart [stale-path-time time-in-seconds]
The default is 360 seconds.
● Enable the local router to support graceful restart as a receiver only.
○ metric-type: external or internal.
○ route-map map-name: Specify the name of a configured route map to be consulted before adding the OSPF route.
DellEMC# configure terminal
DellEMC(conf)# ip route 10.0.0.0 255.0.0.0 null 0
DellEMC(conf)# router bgp 400
DellEMC(conf-router_bgp_af)# redistribute static
DellEMC(conf-router_bgp_af)# exit
The above configuration example shows how to create a static route and redistribute the static routes into the BGP routing table.
list. After you create an IP community list, you can apply routing decisions to all routers meeting the criteria in the IP community list. IETF RFC 1997 defines the COMMUNITY attribute and the predefined communities of INTERNET, NO_EXPORT_SUBCONFED, NO_ADVERTISE, and NO_EXPORT. All BGP routes belong to the INTERNET community.
CONFIGURATION mode
ip extcommunity-list extcommunity-list-name
2. Two types of extended communities are supported.
CONFIG-COMMUNITY-LIST mode
{permit | deny} {{rt | soo} {ASN:NN | IPADDR:N} | regex REGEX-LINE}
Filter routes based on the type of extended communities they carry using one of the following keywords:
● rt: route target.
● soo: route origin or site-of-origin.
Matching extended communities against a regular expression is also supported.
○ confed: Chooses the bestpath MED comparison of paths learned from BGP confederations.
○ missing-as-best: Treats a path without a MED value as the most preferred one.
To view the non-default values, use the show config command in CONFIGURATION ROUTER BGP mode.
Manipulating the COMMUNITY Attribute
A COMMUNITY attribute indicates that all the routes with that attribute belong to the same community grouping.
To view BGP routes matching a certain community number or a pre-defined BGP community, use the show ip bgp community command in EXEC Privilege mode.
DellEMC>show ip bgp community
BGP table version is 3762622, local router ID is 10.114.8.48
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network
* i 3.0.0.0/8
*>i 4.2.49.12/30
* i 4.21.132.0/23
*>i 4.24.118.16/30
*>i 4.24.145.0/30
*>i 4.24.187.12/30
*>i 4.24.202.0/30
*>i 4.25.88.
CONFIG-ROUTE-MAP mode
set local-preference value
3. Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Apply the route-map to the neighbor or peer group’s incoming or outgoing routes.
weight: the range is from 0 to 65535. The default is 0.
● Sets weight for the route.
CONFIG-ROUTE-MAP mode
set weight weight
weight: the range is from 0 to 65535.
NOTE: The weight assigned using the set weight command under route map configuration overrides the weight assigned using the neighbor weight command.
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf-router_bgp)# neighbor 10.10.10.1 remote-as 500
DellEMC(conf-router_bgp)# neighbor 10.10.10.
To illustrate how these rules affect routing, refer to the following illustration and the following steps. Routers B, C, D, E, and G are members of the same AS (AS100). These routers are also in the same Route Reflection Cluster, where Router D is the Route Reflector. Routers E and H are client peers of Router D; Routers B and C are nonclient peers of Router D.
Figure 25. BGP Router Rules
1. Router B receives an advertisement from Router A through eBGP.
Enabling Route Flap Dampening
When EBGP routes become unavailable, they “flap” and the router issues both WITHDRAWN and UPDATE notices. A flap is when a route:
● is withdrawn
● is readvertised after being withdrawn
● has an attribute change
The constant router reaction to the WITHDRAWN and UPDATE notices causes instability in the BGP process. To minimize this instability, you may configure penalties (a numeric value) for routes that flap.
● View all flap statistics or for specific routes meeting the following criteria.
EXEC or EXEC Privilege mode
show ip bgp [vrf vrf-name] flap-statistics [ip-address [mask]] [filter-list as-path-name] [regexp regular-expression]
○ ip-address [mask]: enter the IP address and mask.
○ filter-list as-path-name: enter the name of an AS-PATH ACL.
○ regexp regular-expression: enter a regular expression to match on.
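The following Python is an added example (not Dell EMC code) that simulates the route flap dampening model behind the penalties described above, using the defaults from the BGP default values table (half-life 15 minutes, reuse 750, suppress 2000, max-suppress-time 60 minutes). It assumes each flap adds a fixed penalty of 1000, the conventional value; the page does not state the per-flap penalty.

```python
# Added example (not Dell EMC code): route flap dampening penalty simulation
# with the page's default parameters. Assumption: every flap adds a fixed
# penalty of 1000 units; the page does not give the per-flap penalty.
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000.0   # assumption, see above


@dataclass
class DampeningParams:
    half_life_min: float = 15.0      # penalty halves every 15 minutes
    reuse: float = 750.0             # readvertise once penalty drops below
    suppress: float = 2000.0         # suppress once penalty reaches this
    max_suppress_min: float = 60.0   # never suppress longer than this

    @property
    def max_penalty(self) -> float:
        """Ceiling that bounds suppression to max-suppress-time:
        reuse * 2 ** (max-suppress-time / half-life), 12000 for the defaults."""
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


@dataclass
class DampenedRoute:
    params: DampeningParams
    penalty: float = 0.0
    suppressed: bool = False
    last_seen_min: float = 0.0

    def decay_to(self, now_min: float) -> None:
        """Apply exponential decay: the penalty halves every half-life."""
        elapsed = now_min - self.last_seen_min
        if elapsed < 0:
            raise ValueError("time must not move backwards")
        self.penalty *= 0.5 ** (elapsed / self.params.half_life_min)
        self.last_seen_min = now_min
        if self.suppressed and self.penalty < self.params.reuse:
            self.suppressed = False      # route is readvertised

    def flap(self, now_min: float) -> bool:
        """Record a withdraw, readvertise or attribute change; return the
        suppression state afterwards."""
        self.decay_to(now_min)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.params.max_penalty)
        if self.penalty >= self.params.suppress:
            self.suppressed = True
        return self.suppressed

    def is_suppressed(self, now_min: float) -> bool:
        self.decay_to(now_min)
        return self.suppressed

    def minutes_until_reuse(self, now_min: float) -> float:
        """Minutes until the penalty decays below reuse (0 if not suppressed)."""
        self.decay_to(now_min)
        if not self.suppressed:
            return 0.0
        return self.params.half_life_min * math.log2(self.penalty / self.params.reuse)


if __name__ == "__main__":
    route = DampenedRoute(DampeningParams())
    for t in (0.0, 1.0, 2.0):                     # three flaps a minute apart
        suppressed = route.flap(t)
        print(f"t={t:4.1f} min penalty={route.penalty:7.1f} suppressed={suppressed}")
    print(f"reuse in about {route.minutes_until_reuse(2.0):.1f} min")
```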
Changing BGP keepalive and hold timers
BGP uses timers to control the activity of sending keepalive messages to its neighbors or peers. You can also adjust how long the device waits for a keepalive message from a neighbor before declaring the peer dead. To configure BGP timers, use either or both of the following commands. To change the BGP timers for all neighbors, use the timers bgp command.
idle-holdtime: the range is from 1 to 32767. Time interval, in seconds, during which the peer remains in idle state. The default is 15 seconds.
● Configure idle-holdtime values for all BGP neighbors.
CONFIG-ROUTER-BGP mode
timers bgp extended idle holdtime
idle-holdtime: the range is from 1 to 32767. Time interval, in seconds, during which the peer remains in idle state. The default is 15 seconds.
ROUTER-BGP Mode
shutdown address-family-ipv6-unicast
When you configure BGP, you must explicitly enable the BGP neighbors using the following commands:
neighbor {ip-address | peer-group name} remote-as as-number
neighbor {ip-address | peer-group-name} no shutdown
For more information on enabling BGP, see Enabling BGP.
Configuring BGP Confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, BGP confederations are recommended only for IBGP peering involving many IBGP peering sessions per router. Basically, when you configure BGP confederations, you break the AS into smaller sub-AS, and to those outside your network, the confederations appear as one AS.
The following are the sample steps performed to configure a VRF, and VRF address families for IPv4 (unicast and multicast) and IPv6.
DellEMC(conf)# ip vrf vrf1
DellEMC(conf-vrf)# exit
DellEMC(conf)# router bgp 100
DellEMC(conf-router_bgp)# address-family ipv4 vrf vrf1
DellEMC(conf-router_bgp_af)# neighbor 50.0.0.2 remote-as 200
DellEMC(conf-router_bgp_af)# neighbor 50.0.0.2 maximum-prefix 10000 warning-only
DellEMC(conf-router_bgp_af)# neighbor 50.0.0.
Format: IPv4 Address: A.B.C.D and IPv6 address: X:X:X:X::X. You must configure peer groups (refer to Configuring Peer Groups) before assigning one to an AS. This feature is not supported on passive peer groups.
The first line in bold shows the actual AS number. The second two lines in bold show the local AS number (6500) maintained during migration. To disable this feature, use the no neighbor local-as command in CONFIGURATION ROUTER BGP mode.
R2(conf-router_bgp)#show conf
!
router bgp 65123
bgp router-id 192.168.10.2
network 10.10.21.
neighbor 100.10.92.9 local-as 6500
neighbor 100.10.92.9 no shutdown
neighbor 192.168.10.1 remote-as 65123
neighbor 192.168.10.1 update-source Loopback 0
neighbor 192.168.10.1 no shutdown
neighbor 192.168.12.2 remote-as 65123
neighbor 192.168.12.2 allowas-in 9
neighbor 192.168.12.2 update-source Loopback 0
neighbor 192.168.12.2 no shutdown
R2(conf-router_bgp)#
Enabling MBGP Configurations
Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes.
CONFIG-ROUTER-BGP mode
address-family ipv6 [unicast | vrf vrf-name]
unicast: Specifies the IPv6 unicast address family. The default address-family is IPv6 unicast.
vrf vrf-name: Specifies the name of the VRF instance associated with the IPv6 address-family configuration.
● Enable the neighbor to exchange prefixes for the IPv6 unicast address family.
address family. If you want the neighbor (30.30.30.1) to exchange IPv4 multicast and/or IPv6 unicast prefixes, you have to explicitly activate the neighbor using the neighbor activate command. If you do not want a neighbor to exchange IPv4 unicast prefixes, you have to manually deactivate the peer with the no neighbor activate command under the CONFIGURATION-ROUTER-BGP mode.
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
2 neighbor(s) using 40960 bytes of memory
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx
20.20.20.1 10 10 20 0 0 0 00:06:11 0
2001::1 10 40 45 0 0 0 00:03:14 0
The following is sample output of the show ip bgp ipv4 multicast summary command.
R2# show ip bgp ipv4 multicast summary
BGP router identifier 2.2.2.
The following example configuration demonstrates how to configure BGP to automatically pick an IPv6 address for IPv6 prefixes advertised over an IPv4 neighbor.
Example configuration performed on R1
DellEMC# configure terminal
DellEMC(conf)# router bgp 655
DellEMC(conf-router_bgp)# neighbor 10.1.1.2 remote-as 20
DellEMC(conf-router_bgp)# neighbor 10.1.1.2 auto-local-address
DellEMC(conf-router_bgp)# neighbor 10.1.1.2 no shutdown
DellEMC(conf-router_bgp)# bgp router-id 1.1.1.
*> *> 4001::/64 5001::/64 3001::1 3001::1 0 0 0 655 ? 0 655 ?
BGP Regular Expression Optimization
Dell EMC Networking OS optimizes processing time when using regular expressions by caching and re-using regular expression evaluated results, at the expense of some memory in the RP1 processor. BGP policies that contain regular expressions to match against as-paths and communities might take a lot of CPU processing time, thus affecting BGP routing convergence.
Storing Last and Bad PDUs
Dell EMC Networking OS stores the last notification sent/received and the last bad protocol data unit (PDU) received on a per-peer basis. The last bad PDU is the one that causes a notification to be issued. In the following example, the last seven lines shown in bold are the last PDUs.
Example of the show ip bgp neighbor Command to View Last and Bad PDUs
DellEMC(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2
BGP neighbor is 1.1.1.
10 Content Addressable Memory (CAM)
CAM is a type of memory that stores information in the form of a lookup table. On Dell EMC Networking systems, CAM stores Layer 2 (L2) and Layer 3 (L3) forwarding information, access-lists (ACLs), flows, and routing policies.
Table 11. Default Cam Allocation Settings (continued)
CAM Allocation Setting
fedgovacl 0
nlbclusteracl 0
NOTE: When you reconfigure CAM allocation, use the nlbclusteracl number command to change the number of NLB ARP entries. The range is from 0 to 2. The default value is 0. At the default value of 0, eight NLB ARP entries are available for use. This platform supports up to 512 CAM entries. Select 1 to configure 256 entries. Select 2 to configure 1024 entries.
EXEC Privilege mode
 show cam-acl
4. Reload the system.
EXEC Privilege mode
 reload
Test CAM Usage
To determine whether sufficient CAM space is available to enable a service-policy, use the test cam-usage command. To verify the actual CAM space required, create a class map with all required ACL rules, then run the test cam-usage command in EXEC Privilege mode. The Status column in the command output indicates whether or not you can enable the policy.
nlbclusteracl:   0   0
DellEMC#
NOTE: If you change the cam-acl setting from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
(CAM regions listed in the output: IN-L3-MIRR ACL, OUT-L2 ACL, OUT-L3 ACL, OUT-V6 ACL, IN-L3 QOS, IN-L3 FIB)
Codes: * - cam usage is above 90%.
● Add or delete an ACL rule
Example of Syslog message on CAM usage
The following table shows a few possible scenarios in which the syslog message appears after you reconfigure the CAM usage threshold value. Consider a case where the last CAM threshold was set to 90 percent and you now reconfigure the CAM threshold to 80. If the current CAM usage is 85 percent, the system displays the syslog message saying that the CAM usage is above the configured CAM threshold value.
Table 13.
Dell EMC Networking OS supports the ability to view the actual CAM usage before applying a service-policy. The test cam-usage service-policy command provides this test framework. For more information, refer to Pre-Calculating Available QoS CAM Space.
Syslog Error When the Table is Full
In Dell EMC Networking OS, the table-full condition was previously displayed as CAM full only for LPM. The LPM table is now split into two tables, so two distinct syslog errors are displayed:
1. /65 to /128 Table full.
2.
Hardware forwarding-table mode is changed. Save the configuration and reload to take effect.
DellEMC(conf)#end
DellEMC#write memory
!
Apr 26 14:37:16: %STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by admin
DellEMC#
2. Display the hardware forwarding table mode in the current boot and in the next boot.
2. Configure the cam-acl so that the IPv6 ACL value is a multiple of 2.
 cam-acl l2acl 0 ipv4acl 0 ipv6acl 8 ipv4qos 0 l2qos 0 l2pt 0 ipmacacl 1 vman-qos 0
3. Save the running-configuration.
EXEC Privilege mode
 copy running-config startup-config
4. Reload the system.
EXEC Privilege mode
 reload
If the ipv6acl value of the cam-acl command is not a multiple of two, the system does not allow the reload.
11 Control Plane Policing (CoPP)
Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system's control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane, and rate-limits the remaining traffic to an acceptable level.
Figure 28. CoPP Implemented Versus CoPP Not Implemented
Topics:
• Configure Control Plane Policing
Configure Control Plane Policing
The system can process a maximum of 8500 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic, even though per-protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
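To make the queue-sharing failure mode concrete, the following Python model is added here; it is not part of the guide and uses no Dell EMC Networking OS code. The protocol and queue names follow the default IPv6 queue mapping shown later in this chapter, where BGP and OSPFv3 both use Q9; the rate limits and offered loads are constructed for the illustration. Because the queue policer runs before the per-protocol policer, an OSPFv3 flood consumes the shared queue budget and BGP packets are dropped even though BGP never reaches its own limit. Moving BGP to its own queue restores its full rate.

```python
from fractions import Fraction

# Constructed scenario, not from the guide: two control protocols that the
# default mapping places in the same CPU queue (Q9), plus one in Q10.
SHARED_QUEUE_MAP = {"BGP": "Q9", "OSPFV3": "Q9", "VRRPV6": "Q10"}
SEPARATE_QUEUE_MAP = {"BGP": "Q8", "OSPFV3": "Q9", "VRRPV6": "Q10"}

# Hypothetical rate limits in packets per second for the illustration.
QUEUE_LIMITS = {"Q8": 1000, "Q9": 1000, "Q10": 1000}
PROTO_LIMITS = {"BGP": 500, "OSPFV3": 500, "VRRPV6": 500}

# Offered load: BGP at a modest 100 pps, OSPFv3 flooding at 10000 pps.
OFFERED = {"BGP": 100, "OSPFV3": 10000, "VRRPV6": 50}


def arrivals_for_one_second(offered_pps):
    """Spread each protocol's packets evenly over one second, time-ordered.

    Fractions keep the timestamps exact so the ordering is deterministic."""
    arrivals = []
    for proto, rate in offered_pps.items():
        arrivals.extend((Fraction(i, rate), proto) for i in range(rate))
    arrivals.sort()
    return arrivals


def simulate(offered_pps, queue_of, queue_limits, proto_limits):
    """Return {protocol: packets delivered to the CPU} for one second.

    The queue policer is evaluated first, as the guide states, so a flood
    from one protocol uses up the shared queue budget before the
    per-protocol policer of a well-behaved neighbour ever sees its packets."""
    queue_budget = dict(queue_limits)
    proto_budget = dict(proto_limits)
    delivered = {proto: 0 for proto in offered_pps}
    for _, proto in arrivals_for_one_second(offered_pps):
        queue = queue_of[proto]
        if queue_budget[queue] == 0:
            continue            # dropped by the queue-based rate limit
        queue_budget[queue] -= 1
        if proto_budget[proto] == 0:
            continue            # dropped by the per-protocol rate limit
        proto_budget[proto] -= 1
        delivered[proto] += 1
    return delivered


def starvation_report(queue_of):
    """Fraction of each protocol's offered load that reached the CPU."""
    delivered = simulate(OFFERED, queue_of, QUEUE_LIMITS, PROTO_LIMITS)
    return {p: Fraction(delivered[p], OFFERED[p]) for p in OFFERED}


if __name__ == "__main__":
    for name, qmap in (("shared queue", SHARED_QUEUE_MAP),
                       ("separate queues", SEPARATE_QUEUE_MAP)):
        report = starvation_report(qmap)
        print(name, {p: f"{float(r):.0%}" for p, r in report.items()})
```

With the shared queue only 10 of the 100 BGP packets per second reach the CPU, which is the kind of loss that makes a BGP session flap; the same offered load with BGP in its own queue delivers all 100. The practical check on a real switch is the show ipv6 protocol-queue-mapping output in this chapter: protocols that share a queue share a fate under flood.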
Configuring CoPP for Protocols
This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffic according to the ACL.
DellEMC(conf)#mac access-list extended lacp cpu-qos
DellEMC(conf-mac-acl-cpuqos)#permit lacp
DellEMC(conf-mac-acl-cpuqos)#exit
DellEMC(conf)#ipv6 access-list ipv6-icmp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit icmp
DellEMC(conf-ipv6-acl-cpuqos)#exit
DellEMC(conf)#ipv6 access-list ipv6-vrrp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit vrrp
DellEMC(conf-ipv6-acl-cpuqos)#exit
The following example shows creating the QoS input policy.
1. Create a QoS input policy for the router and assign the policing.
CONFIGURATION mode
 qos-policy-input name cpu-qos
2. Create an input policy-map to assign the QoS policy to the desired service queues.
CONFIGURATION mode
 policy-map-input name cpu-qos
 service-queue queue-number qos-policy name
3. Enter Control Plane mode.
CONFIGURATION mode
 control-plane-cpuqos
4. Assign a CPU queue-based service policy on the control plane in cpu-qos mode.
Table 15.
Displaying CoPP Configuration
The CLI provides show commands to display the protocol traffic assigned to each control-plane queue and the current rate-limit applied to each queue. Other show commands display statistical information for troubleshooting CoPP operation. To view the rates for each queue, use the show cpu-queue rate cp command.
Example of Viewing Queue Mapping for IPv6 Protocols
DellEMC#show ipv6 protocol-queue-mapping
Protocol       Src-Port   Dst-Port   TcpFlag   Queue   EgPort   Rate (kbps)
-------------  ---------  ---------  -------   -----   ------   -----------
TCP (BGP)      any/179    179/any    _         Q9      _        _
UDP (DHCPV6)   546/547    546/547    _         Q10     _        _
ICMPV6 NA      any        any        _         Q6      _        _
ICMPV6 RA      any        any        _         Q6      _        _
ICMPV6 NS      any        any        _         Q5      _        _
ICMPV6 RS      any        any        _         Q5      _        _
ICMPV6         any        any        _         Q6      _        _
VRRPV6         any        any        _         Q10     _        _
OSPFV3         any        any        _         Q9      _        _
DellEMC#
12 Data Center Bridging (DCB) Data center bridging (DCB) refers to a set of enhancements to Ethernet local area networks used in data center environments, particularly with clustering and storage area networks.
A CNA is a computer input/output device that combines the functionality of a host bus adapter (HBA) with a network interface controller (NIC). Multiple adapters on different devices for several traffic types are no longer required.
Figure 29. Illustration of Traffic Congestion
The system supports loading two DCB_Config files:
● FCoE converged traffic with priority 3.
In Dell EMC Networking OS, PFC is implemented as follows:
● PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface. However, only one lossless queue is supported on an interface: one for Fibre Channel over Ethernet (FCoE) converged traffic. Configure the same lossless queues on all ports.
The following figure shows how ETS allows you to allocate bandwidth when different traffic types are classed according to 802.1p priority and mapped to priority groups.
Figure 30. Enhanced Transmission Selection
The following table lists the traffic groupings ETS uses to select multiprotocol traffic for transmission.
Table 16. ETS Traffic Groupings
Traffic Groupings   Description
Group ID            A 4-bit identifier assigned to each priority group. The range is from 0 to 7 (configurable); 8 to 14 are reserved; and 15.
Data Center Bridging in a Traffic Flow
The following figure shows how DCB handles a traffic flow on an interface.
Figure 31. DCB PFC and ETS Traffic Handling
Buffer Organization
This section describes the buffer organization on the platform. A single-chip architecture can allocate or share all its resources across all the ports. However, the system runs on a different 2x2 chip design. In this design, all ports are assigned to four port-sets.
 PP       (KB)   (KB)   (KB)   (KB)   (KB)
 ------------------------------------------------
 1  0.0   3399   2656   1040   1040   576
 1  0.1   3399   2656   1040   1040   576
 1  0.2   3399   2656   1040   1040   576
 1  0.3   3399   2656   1040   1040   576
DellEMC#
The default DCB buffer configuration supports 64 PFC lossless queues of 10G interface speed on each of the XPEs. The following table shows the PFC buffer required for one lossless queue on various supported interface speeds:
Table 17.
Table 18. XPE Numbering on Dell EMC Networking OS
XPE                      Numbering
XPE A of MMU Slice R     0.0
XPE A of MMU Slice S     0.1
XPE B of MMU Slice R     0.2
XPE B of MMU Slice S     0.3
Enabling Data Center Bridging
DCB is automatically configured when you configure FCoE. Data center bridging supports converged enhanced Ethernet (CEE) in a data center network. DCB is disabled by default. It must be enabled to support CEE.
Important Points to Remember
● If you remove a dot1p priority-to-priority group mapping from a DCB map (no priority-pgid command), the PFC and ETS parameters revert to their default values on the interfaces on which the DCB map is applied. By default, PFC is not applied on specific 802.1p priorities; ETS assigns equal bandwidth to each 802.1p priority. As a result, PFC and lossless port queues are disabled on 802.
Committed and peak bandwidth are in megabits per second. The range is from 0 to 40000. Committed and peak burst size are in kilobytes. The default is 50. The range is from 0 to 40000. The pfc on command enables priority-based flow control.
3. Specify the dot1p priority-to-priority group mapping for each priority.
 priority-pgid dot1p0_group_num dot1p1_group_num ... dot1p7_group_num
The priority group range is from 0 to 7. All priorities that map to the same queue must be in the same priority group.
The default: No lossless queues are configured. 3. Configure to drop the unknown unicast packets flooding on lossless priorities. CONFIGURATION mode pfc-nodrop-priority l2-dlf drop 4. View the packets drop count corresponding to the priority.
not receiving any traffic, interfaces with PFC settings that receive appropriate PFC-enabled traffic (unicast, mixed-frame-size traffic) display incremental values in the CRC and discards counters. (These ingress interfaces receiving pfc-enabled traffic have an egress interface that has a compatible PFC configuration). NOTE: DCB maps are supported only on physical Ethernet interfaces.
Table 19. DCB Map to an Ethernet Port (continued)
Step   Task   Command   Command Mode
2      Apply the DCB map on the Ethernet port to configure it with the PFC and ETS settings in the map; for example:
       DellEMC(conf)# interface tengigabitEthernet 1/1/1
       DellEMC(conf-if-te-1/1/1)# dcb-map SAN_A_dcb_map1
       dcb-map name   INTERFACE
Repeat Steps 1 and 2 to apply a DCB map to more than one port.
Table 21. Configuring PFC Asymmetric (continued)
Step   Task   Command
2      Enable PFC asymmetric on the interface.
The default pause threshold size is 9 KB for all interfaces. This default behavior is impacted if you modify the total buffer available for PFC or assign static buffer configurations to the individual PFC queues. Shared headroom for lossless or PFC packets In switches that require lossless frame delivery, some fixed buffer is set aside to absorb any bursty traffic that arrives after flow control is configured (PFC in this case). This extra buffer space is called the PG headroom.
Table 22. Buffer usage statistics when shared headroom is not used (continued)
Parameter   Description
reduces the time to trigger PFC, thereby reducing the effectiveness of PFC.
In the shared headroom feature, the main assumption is that not every PG uses the headroom buffer at the same time. This approach enables the system to save the headroom buffer space that is reserved for every PG to guarantee lossless delivery during traffic bursts. For each PG, you can assign a lower value for the headroom buffer.
Enter the following show command:
EXEC Privilege mode
 show hardware buffer headroom-pool [detail] buffer-info
NOTE: The detail option displays the current headroom pool usage in each of the pipelines in the device.
Configuration Example for DSCP and PFC Priorities
Consider a scenario in which the following DSCP and PFC priorities are necessary:
DSCP            Expected PFC Priority
0-5, 10-15      1
20-25, 30-35    2
To configure the aforementioned DSCP and PFC priority values, perform the following tasks:
1. Create class-maps to group the DSCP subsets.
class-map match-any dscp-pfc-1
 match ip dscp 0-5,10-15
!
class-map match-any dscp-pfc-2
 match ip dscp 20-25,30-35
2.
a value of 1 if the mode of allocation is Dynamic. This table lists the stack-unit number, port number, and priority group number.
dellNetPfcPerPrioTable   This table fetches the number of PFC frames transmitted (PFC Requests) and the number of PFC frames received (PFC Indications) per priority on a per-port basis. This table lists the stack-unit index, port number, and priority.
Performing PFC Using DSCP Bits Instead of 802.
PFC and ETS Configuration Examples
This section contains examples of how to configure and apply DCB policies on an interface.
Using PFC to Manage Converged Ethernet Traffic
To use PFC for managing converged Ethernet traffic, use the following command:
 dcb-map stack-unit all dcb-map-name
Operations on Untagged Packets
The following example enables PFC for priority 2 for tagged packets. Priority (packet dot1p) 2 is mapped to PG6 in the PRIO2PG setting.
l2pt 0 ipmacacl 0 vman-qos 0 fcoeacl 2 etsacl 1 iscsi 2 command to allocate the appropriate CAM region for ETS.
1. Configure a DCB map.
CONFIGURATION mode
 dcb-map dcb-map-name
The dcb-map-name variable can have a maximum of 32 characters.
2. Create an ETS priority group.
CONFIGURATION mode
 priority-group group-num {bandwidth bandwidth | strict-priority} pfc off
The range for the priority group is from 0 to 7. Set the bandwidth as a percentage. The range is from 1 to 100% in units of 1%.
● If there is a hardware limitation or TLV error: ○ DCBx operation on an ETS port goes down. ○ New ETS configurations are ignored and existing ETS configurations are reset to the default ETS settings. ● ETS operates with legacy DCBx versions as follows: ○ In the CEE version, the priority group/traffic class group (TCG) ID 15 represents a non-ETS priority group. Any priority group configured with a scheduler type is treated as a strict-priority group and is given the priority-group (TCG) ID 15.
● ETS bandwidth allocation and strict-priority queuing do not support weighted random early detection (WRED), explicit congestion notification (ECN), rate shaping, or rate limiting, because these parameters are not negotiated by DCBx with peer devices. Therefore, the WRED or rate shaping configuration in the QoS output policy must take into account the bandwidth allocation or queue scheduler configured in the DCB map.
Applying DCB Policies in a Switch Stack You can apply DCB policies with PFC and ETS configurations to all stacked ports in a switch stack or on a stacked switch. To apply DCB policies in a switch stack, follow this step. ● Apply the specified DCB policy on all ports of the switch stack or a single stacked switch.
is generated. The network administrator must then reconfigure the peer device so that it advertises a compatible DCB configuration. ○ The configuration received from a DCBx peer or from an internally propagated configuration is not stored in the switch’s running configuration. ○ On a DCBx port in an auto-upstream role, the PFC and application priority TLVs are enabled. ETS recommend TLVs are disabled and ETS configuration TLVs are enabled.
DCB Configuration Exchange
The DCBx protocol supports the exchange and propagation of configuration information for the enhanced transmission selection (ETS) and priority-based flow control (PFC) DCB features. DCBx uses the following methods to exchange DCB configuration parameters:
Asymmetric: DCB parameters are exchanged between a DCBx-enabled port and a peer port without requiring that a peer port and the local port use the same configured values for the configurations to be compatible.
Auto-Detection and Manual Configuration of the DCBx Version When operating in Auto-Detection mode (the DCBx version auto command), a DCBx port automatically detects the DCBx version on a peer port. Legacy CEE versions are supported in addition to the standard IEEE version 2.5 DCBx. A DCBx port detects a peer version after receiving a valid frame for that version.
Configuring DCBx
To configure DCBx, follow these steps. For DCBx, to advertise DCBx TLVs to peers, enable LLDP. For more information, refer to .
1. Configure ToR- and FCF-facing interfaces as auto-upstream ports.
2. Configure server-facing interfaces as auto-downstream ports.
3. Configure a port to operate in a configuration-source role.
4. Configure ports to operate in a manual role.
1. Enter INTERFACE Configuration mode.
CONFIGURATION mode
 interface type slot/port
2.
NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-appln-tlv.
To verify the DCBx configuration on a port, use the show interface DCBx detail command.
Configuring DCBx Globally on the Switch
To globally configure the DCBx operation on a switch, follow these steps.
1. Enter Global Configuration mode.
EXEC PRIVILEGE mode
 configure
2. Enter LLDP Configuration mode to enable DCBx operation.
CONFIGURATION mode
 [no] protocol lldp
3.
DCBx Error Messages
The following syslog messages appear when an error in DCBx operation occurs.
LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface.
LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface.
DSM_DCBx_PEER_VERSION_CONFLICT: A local port expected to receive the IEEE or CEE version in a DCBx TLV from a remote peer but received a different, conflicting DCBx version.
Table 25. Displaying DCB Configurations (continued) Command Output show interface port-type pfc {summary | detail} Displays the PFC configuration applied to ingress traffic on an interface, including priorities and link delay. To clear PFC TLV counters, use the clear pfc counters interface port-type slot/port command. show interface port-type pfc statistics Displays counters for the PFC frames received and transmitted (by dot1p priority class) on an interface.
Local FCOE PriorityMap is 0x8
Remote FCOE PriorityMap is 0x8
DellEMC# show interfaces tengigabitethernet 1/1/4 pfc detail
Interface TenGigabitEthernet 1/1/4
 Admin mode is on
 Admin is enabled
 Remote is enabled
 Remote Willing Status is enabled
 Local is enabled
 Oper status is recommended
 PFC DCBx Oper status is Up
 State Machine Type is Feature
 TLV Tx Status is enabled
 PFC Link Delay 45556 pause quanta
 Application Priority TLV Parameters :
 --------------------------------------
 FCOE TLV Tx Status is disabled
 Loca
Table 26. show interface pfc summary Command Description (continued) Fields Description Application Priority TLV: FCOE TLV Tx Status Status of FCoE advertisements in application priority TLVs from local DCBx port: enabled or disabled. Application Priority TLV: Local FCOE Priority Map Priority bitmap used by local DCBx port in FCoE advertisements in application priority TLVs.
-----------------
Local is enabled
PG-grp   Priority#      BW-%   BW-COMMITTED             BW-PEAK                  TSA
                               Rate(Mbps)  Burst(KB)    Rate(Mbps)  Burst(KB)
---------------------------------------------------------------------------------
0        3              25                                                       ETS
1        4              25                                                       ETS
2        0,1,2,5,6,7    50                                                       ETS
3
4
5
6
7
Oper status is init
ETS DCBX Oper status is Down Reason: Port Shutdown
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled
The following example shows the show interface ets detail command.
4   12%   ETS
5   12%   ETS
6   12%   ETS
7   12%   ETS
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts
The following table describes the show interface ets detail command fields.
Table 27. show interface ets detail Command Description
Field       Description
Interface   Interface type with slot and port number.
P-PFC Configuration TLV enabled             p-PFC Configuration TLV disabled
F-Application priority for FCOE enabled     f-Application Priority for FCOE disabled
I-Application priority for iSCSI enabled    i-Application Priority for iSCSI disabled
-----------------------------------------------------------------------------------------
Interface TenGigabitEthernet 1/12/1
 Remote Mac Address 00:01:e8:8a:df:a0
 Port Role is Manual
 DCBx Operational Status is Enabled
 Is Configuration Source? FALSE
 Local DCBx Compatibility mode is IEE
Table 28. show interface DCBx detail Command Description (continued) Field Description DCBx Operational Status Operational status (enabled or disabled) used to elect a configuration source and internally propagate a DCB configuration. The DCBx operational status is the combination of PFC and ETS operational status. Configuration Source Specifies whether the port serves as the DCBx configuration source on the switch: true (yes) or false (no).
Layer 2 class maps
You can use dot1p priorities to classify traffic in a class map and apply a service policy to an ingress port to map traffic to egress queues.
NOTE: Dell EMC Networking does not recommend mapping all ingress traffic to a single queue when using PFC and ETS. Dell EMC Networking does recommend classifying ingress traffic with the service-class dynamic dot1p command (honor dot1p) on all DCB-enabled interfaces.
Sample DCB Configuration The following shows examples of using PFC and ETS to manage your data center traffic. In the following example: ● Incoming SAN traffic is configured for priority-based flow control. ● Outbound LAN, IPC, and SAN traffic is mapped into three ETS priority groups and configured for enhanced traffic selection (bandwidth allocation and scheduling). ● One lossless queue is used. Figure 33.
dot1p Value in the Incoming Frame   Priority Group Assignment
2                                   LAN
3                                   SAN
4                                   IPC
5                                   LAN
6                                   LAN
7                                   LAN
The following describes the priority group-bandwidth assignment.
Priority Group   Bandwidth Assignment
IPC              5%
SAN              50%
LAN              45%
PFC and ETS Configuration Command Examples
The following examples show PFC and ETS configuration commands to manage your data center traffic.
1. Enabling DCB
DellEMC(conf)#dcb enable
2.
13 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option                Number and Description
Subnet Mask           Option 1. Specifies the client's subnet mask.
Router                Option 3. Specifies the router IP addresses that may serve as the client's default gateway.
Domain Name Server    Option 6. Specifies the domain name servers (DNSs) that are available to the client.
Domain Name           Option 15. Specifies the domain name that clients should use when resolving hostnames via DNS.
1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters. 2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters. Multiple servers might respond to a single DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer.
● All platforms support Dynamic ARP Inspection on 16 VLANs per system. For more information, refer to Dynamic ARP Inspection. NOTE: If the DHCP server is on the top of rack (ToR) and the VLTi (ICL) is down due to a failed link, when a VLT node is rebooted in BMP (Bare Metal Provisioning) mode, it is not able to reach the DHCP server, resulting in BMP failure.
DHCP mode
 show config
After an IP address is leased to a client, only that client may release the address. Dell EMC Networking OS performs an IP+MAC source address check to ensure that no client can release another client's address. This check is a default behavior and is separate from the configurable IP+MAC source address validation feature.
Configure a Method of Hostname Resolution
Dell systems are capable of providing DHCP clients with parameters for two methods of hostname resolution: using DNS or NetBIOS WINS.
Using DNS for Address Resolution
A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses.
1. Create a domain.
DHCP mode
 domain-name name
2. Specify in order of preference the DNS servers that are available to a DHCP client.
Debugging the DHCP Server
To debug the DHCP server, use the following command.
● Display debug information for the DHCP server.
EXEC Privilege mode
 debug ip dhcp server [events | packets]
Using DHCP Clear Commands
To clear DHCP binding entries, address conflicts, and server counters, use the following commands.
● Clear DHCP binding entries for the entire binding table.
EXEC Privilege mode
 clear ip dhcp binding
● Clear a DHCP binding entry for an individual IP address.
EXEC Privilege mode.
address, use the shutdown command on the interface. To display the dynamic IP address and show DHCP as the mode of IP address assignment, use the show interface type slot/port[/subport] command. To unconfigure the IP address, use the no shutdown command after the lease timer for the dynamic IP address has expired. The interface then acquires a new dynamic IP address from the DHCP server. To configure a secondary (backup) IP address on an interface, use the ip address command at the INTERFACE configuration level.
DHCP Client on a Management Interface These conditions apply when you enable a management interface to operate as a DHCP client. ● The management default route is added with the gateway as the router IP address received in the DHCP ACK packet. It is required to send and receive traffic to and from other subnets on the external network. The route is added irrespective when the DHCP client and server are in the same or different subnets.
● An entry in the DHCP snooping table is not added for a DHCP client interface.
DHCP Server
A switch can operate as a DHCP client and a DHCP server. DHCP client interfaces cannot acquire a dynamic IP address from the DHCP server running on the same switch; acquire a dynamic IP address from another DHCP server.
Virtual Router Redundancy Protocol (VRRP)
Do not enable the DHCP client on an interface and set the priority to 255 or assign the same DHCP interface IP address to a VRRP virtual group.
Route Leaking for Complete Routing Table
!
ip vrf VRF_1
 ip route-import 1:1
 ip route-export 2:2
!
ip vrf VRF_2
 ip route-import 2:2
 ip route-export 1:1
Route Leaking for Selective Routes
!
ip vrf VRF_1
 ip route-import 1:1 map1
 ip route-export 2:2 map2
!
ip vrf VRF_2
 ip route-import 2:2
 ip route-export 1:1
!
!
route-map map1 permit 10
 match ip address ip1
!
route-map map2 permit 20
 match ip address ip2
!
ip prefix-list ip1
 seq 5 permit 20.0.0.0/24    <----- This is needed for data forwarding
 seq 10 permit 20.0.
Global DHCP relay source IPv4 or IPv6 configuration
You can configure the global DHCP relay source IPv4 or IPv6 address using the {ip | ipv6} dhcp-relay source-interface interface command in CONFIGURATION mode. DHCP relay uses the IPv4 or IPv6 global source address of the configured interface for relaying packets to the DHCP server.
Dell(conf-if-lo-1)# ipv6 address 3::3/128
Dell(conf-if-lo-1)# no shutdown
2. Creating L3 interfaces with the DHCP helper configuration.
The following steps configure IPv4 or IPv6 interfaces with the DHCP helper configuration. The example shows two VLAN interfaces (Vlan 2 and 4), DHCP helpers (100.0.0.1 and 100::1) for the respective VLANs, the DHCP relay source IPv4 and IPv6 configuration, and two different loopback interfaces (loopback 2 and 3).
● Default Agent Circuit ID is constructed in the format VLANID:LagID:SlotID:PortStr. When the port is fanned out, the PortStr is represented as mainPort:subPort (all in ASCII format).
● Default Agent Remote ID is the system MAC address (in binary format).
The following example shows the format of the Circuit ID - 723:0:1:1.
Table 30. Circuit ID Format
VLAN ID   LAG ID   Slot ID   Port Str
723       0        1         1
The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server.
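The following Python example is added here to show what the relay inserts and how a server or collector should parse it; it is not code from the guide or from Dell EMC Networking OS. The Circuit ID string follows the VLANID:LagID:SlotID:PortStr format above and the Remote ID is the 6-byte binary MAC, as the guide states. The sub-option codes 1 (Agent Circuit ID) and 2 (Agent Remote ID) and the code/length TLV framing are the RFC 3046 definitions; the guide does not show the exact bytes the switch emits, so the framing is a standards-based reconstruction, and the MAC address used is constructed.

```python
# Added example (not from the guide): build and strictly parse the DHCP
# relay agent information option (Option 82). The Circuit ID format
# VLANID:LagID:SlotID:PortStr in ASCII and the binary MAC Remote ID follow
# the guide; sub-option codes and TLV framing follow RFC 3046.

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def build_circuit_id(vlan_id, lag_id, slot_id, port, subport=None):
    """VLANID:LagID:SlotID:PortStr; PortStr is mainPort:subPort when fanned out."""
    port_str = f"{port}:{subport}" if subport is not None else str(port)
    return f"{vlan_id}:{lag_id}:{slot_id}:{port_str}".encode("ascii")


def mac_to_bytes(mac):
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return raw


def build_option82(circuit_id, system_mac):
    """Return the full option: code, length, then the two sub-option TLVs."""
    remote_id = mac_to_bytes(system_mac)
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(body) > 255:
        raise ValueError("option 82 payload exceeds one-octet length")
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def parse_option82(option):
    """Strictly parse Option 82 into {sub-option code: value}.

    Every length is checked against the bytes actually present, so a
    truncated or overlong option from an untrusted source is rejected
    instead of being read past its end."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not a relay agent information option")
    if len(option) != option[1] + 2:
        raise ValueError("option length does not match payload")
    subs = {}
    pos = 2
    while pos < len(option):
        if pos + 2 > len(option):
            raise ValueError("truncated sub-option header")
        code, length = option[pos], option[pos + 1]
        value = option[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length exceeds option")
        if code in subs:
            raise ValueError(f"duplicate sub-option {code}")
        subs[code] = value
        pos += 2 + length
    return subs


def parse_circuit_id(raw):
    """Decode the ASCII Circuit ID back into its numeric fields."""
    fields = raw.decode("ascii").split(":")
    if len(fields) not in (4, 5) or not all(f.isdigit() for f in fields):
        raise ValueError(f"unexpected circuit id {raw!r}")
    vlan_id, lag_id, slot_id, port = (int(f) for f in fields[:4])
    subport = int(fields[4]) if len(fields) == 5 else None
    return {"vlan_id": vlan_id, "lag_id": lag_id, "slot_id": slot_id,
            "port": port, "subport": subport}


if __name__ == "__main__":
    # Constructed values: VLAN 723, no LAG, slot 1, port 1, constructed system MAC.
    opt = build_option82(build_circuit_id(723, 0, 1, 1), "00:01:e8:8a:df:a0")
    print(opt.hex())
    print(parse_circuit_id(parse_option82(opt)[SUBOPT_CIRCUIT_ID]))
```

The parser is deliberately strict because Option 82 arrives from the network: a server or log collector that trusts the length octets blindly can be made to read past the option, and a Circuit ID that does not match the documented format should be logged rather than silently used to select an address pool.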
When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages — containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.
 ip dhcp snooping vlan name
Enabling IPv6 DHCP Snooping
To enable IPv6 DHCP snooping, use the following commands.
1. Enable IPv6 DHCP snooping globally.
CONFIGURATION mode
 ipv6 dhcp snooping
2. Specify ports connected to IPv6 DHCP servers as trusted.
INTERFACE mode
 ipv6 dhcp snooping trust
3. Enable IPv6 DHCP snooping on a VLAN or range of VLANs.
Displaying the Contents of the Binding Table
To display the contents of the binding table, use the following command.
● Display the DHCP snooping information.
EXEC Privilege mode
 show ip dhcp snooping
● Display the contents of the binding table.
EXEC Privilege mode
 show ip dhcp snooping binding
View the DHCP snooping statistics with the show ip dhcp snooping command.
10.1.1.11   00:00:a0:00:00:00   39736   S   Vl 200   Po 10
10.1.1.25   00:00:a0:00:00:00   162     D   Vl 200   Po 10
The following example shows a sample output of the show ip dhcp snooping binding command for a device connected to one of the VLT peers only (orphaned). The physical interface is the one that is directly connected to the VLT peer.
Drop DHCP Packets on Snooped VLANs Only Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE. Line cards maintain a list of snooped VLANs. When the binding table fills, DHCP packets are dropped only on snooped VLANs, while such packets are forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made. However, DHCP release and decline packets are allowed so that the DHCP snooping table can decrease in size.
 arp inspection
To view entries in the ARP database, use the show arp inspection database command.
DellEMC#show arp inspection database
Protocol   Address       Age(min)   Hardware Address     Interface   VLAN    CPU
---------------------------------------------------------------------------------
Internet   10.1.1.251               00:00:4d:57:f2:50    Te 1/2/1    Vl 10   CP
Internet   10.1.1.252               00:00:4d:57:e6:f6    Te 1/1/1    Vl 10   CP
Internet   10.1.1.253               00:00:4d:57:f8:e8    Te 1/3/1    Vl 10   CP
Internet   10.1.1.
 arp inspection-trust
Dynamic ARP inspection is supported on Layer 2 and Layer 3.
Source Address Validation
Using the DHCP binding table, Dell EMC Networking OS can perform three types of source address validation (SAV).
Table 31. Three Types of Source Address Validation
Source Address Validation      Description
IP Source Address Validation   Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
● Enable DHCP MAC SAV. CONFIGURATION mode ip dhcp snooping verify mac-address Enabling IP+MAC Source Address Validation IP source address validation (SAV) validates the IP source address of an incoming packet and optionally the VLAN ID of the client against the DHCP snooping binding table. IP+MAC SAV ensures that the IP source address and MAC source address are a legitimate pair, rather than validating each attribute individually. You cannot configure IP+MAC SAV with IP SAV. 1.
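The following Python model is added to show how the binding table described in this chapter is built and how the IP SAV, IP+MAC SAV and dynamic ARP inspection checks consult it; it is not code from the guide or from Dell EMC Networking OS, and the message fields, port names, lease values and capacity limit are constructed for the illustration. It follows the rules stated on these pages: only a DHCPACK on a trusted port creates an entry, server messages on untrusted ports are dropped, only the client holding the lease (matching IP and MAC) may release it, a full table refuses new bindings but still honours RELEASE, and IP+MAC SAV validates the pair rather than each field on its own.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Added example (not from the guide): a model of the DHCP snooping binding
# table and of the IP, IP+MAC and ARP checks performed against it. All
# inputs below are constructed; the real table lives in the switch.

DYNAMIC, STATIC = "D", "S"


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    expires_at: float      # absolute time; float('inf') for static entries
    kind: str              # DYNAMIC or STATIC


class SnoopingTable:
    def __init__(self, capacity=4):
        self.capacity = capacity          # constructed size limit
        self._by_ip: Dict[str, Binding] = {}

    def on_server_message(self, msg_type, port_trusted, now, **fields):
        """Handle a DHCP server-to-client message seen on a snooped VLAN.

        Server messages on untrusted ports are dropped (rogue server).
        Only a DHCPACK on a trusted port creates a binding, and a full
        table refuses new bindings so that RELEASE can still shrink it."""
        if not port_trusted:
            return "drop"
        if msg_type != "DHCPACK":
            return "forward"
        ip = fields["yiaddr"]
        if len(self._by_ip) >= self.capacity and ip not in self._by_ip:
            return "drop"
        self._by_ip[ip] = Binding(ip, fields["chaddr"].lower(), fields["vlan"],
                                  fields["port"], now + fields["lease"], DYNAMIC)
        return "forward"

    def add_static(self, ip, mac, vlan, port):
        self._by_ip[ip] = Binding(ip, mac.lower(), vlan, port, float("inf"), STATIC)

    def on_release(self, ciaddr, chaddr):
        """Only the client holding the lease (IP and MAC match) may release it."""
        b = self._by_ip.get(ciaddr)
        if b is None or b.mac != chaddr.lower():
            return False
        del self._by_ip[ciaddr]
        return True

    def expire(self, now):
        for ip in [ip for ip, b in self._by_ip.items() if b.expires_at <= now]:
            del self._by_ip[ip]

    def lookup(self, ip) -> Optional[Binding]:
        return self._by_ip.get(ip)

    def ip_sav(self, src_ip, vlan=None):
        """IP source address validation, optionally also matching the VLAN."""
        b = self.lookup(src_ip)
        return b is not None and (vlan is None or b.vlan == vlan)

    def ip_mac_sav(self, src_ip, src_mac, vlan=None):
        """IP+MAC SAV: the pair must match one binding, not each separately."""
        b = self.lookup(src_ip)
        return (b is not None and b.mac == src_mac.lower()
                and (vlan is None or b.vlan == vlan))

    def arp_inspection(self, sender_ip, sender_mac, vlan, port_trusted=False):
        """Dynamic ARP inspection: trusted ports bypass, others must match."""
        return port_trusted or self.ip_mac_sav(sender_ip, sender_mac, vlan)


if __name__ == "__main__":
    table = SnoopingTable(capacity=2)
    table.on_server_message("DHCPACK", True, now=0, yiaddr="10.1.1.11",
                            chaddr="00:00:a0:00:00:01", vlan=200,
                            port="Te 1/1/1", lease=3600)
    print(table.ip_mac_sav("10.1.1.11", "00:00:a0:00:00:01"))   # legitimate pair
    print(table.arp_inspection("10.1.1.11", "00:00:a0:00:00:02", 200))  # spoofed ARP
```

Two points the model makes visible: an IP-only check accepts a host that has stolen a neighbour's address as long as the address is in the table, which is why the guide offers IP+MAC SAV as the stronger mode, and the release check is what stops a client on the same VLAN from issuing DHCPRELEASE for someone else's lease.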
Clearing the Number of SAV Dropped Packets
To clear the number of SAV dropped packets, use the clear ip dhcp snooping source-address-validation discard-counters command.
DellEMC>clear ip dhcp snooping source-address-validation discard-counters
To clear the number of SAV dropped packets on a particular interface, use the clear ip dhcp snooping source-address-validation discard-counters interface interface command.
14 Equal Cost Multi-Path (ECMP)
This chapter describes configuring ECMP.
Topics:
• ECMP for Flow-Based Affinity
• Link Bundle Monitoring
ECMP for Flow-Based Affinity
ECMP for flow-based affinity includes link bundle monitoring.
Configuring the Hash Algorithm
TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features.
Configuring the Hash Algorithm Seed Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order. However, the hash algorithm uses as a seed the lower 12 bits of the chassis MAC, which yields a different hash result for every chassis. This behavior means that for a given flow, even though the prefixes are sorted, two unrelated chassis can select different hops.
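The seed effect described above, as an added Python example that is not Dell EMC Networking OS code: next hops are sorted (deterministic ECMP) and a seeded hash picks one; when each chassis seeds from the lower 12 bits of its own MAC the same flow can land on different hops, while a common configured seed makes both chassis agree. A keyed SHA-256 stands in for the switch's CRC-based hash, and all names and sample addresses are assumptions.

```python
import hashlib
import ipaddress
import struct


def seed_from_chassis_mac(mac: str) -> int:
    """Default seed: the lower 12 bits of the chassis MAC address."""
    return int(mac.replace(":", ""), 16) & 0xFFF


def flow_key(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int) -> bytes:
    """Pack the 5-tuple of a flow into the bytes the hash runs over."""
    return (ipaddress.ip_address(src_ip).packed
            + ipaddress.ip_address(dst_ip).packed
            + struct.pack("!BHH", proto, sport, dport))


def ecmp_hash(key: bytes, seed: int) -> int:
    """Seeded hash of the flow key (stand-in for the hardware CRC).
    Returns the lower 32 bits, like the crc-lower default."""
    digest = hashlib.sha256(struct.pack("!H", seed) + key).digest()
    return int.from_bytes(digest[-4:], "big")


def select_next_hop(next_hops, key: bytes, seed: int) -> str:
    """Deterministic ECMP: sort the paths first so the order in which the
    RTM hands them over does not matter, then index by the seeded hash."""
    paths = sorted(next_hops, key=ipaddress.ip_address)
    return paths[ecmp_hash(key, seed) % len(paths)]


def count_disagreements(flows, next_hops, seed_a: int, seed_b: int) -> int:
    """Number of flows for which two chassis using the given seeds pick different hops."""
    return sum(1 for f in flows
               if select_next_hop(next_hops, f, seed_a) != select_next_hop(next_hops, f, seed_b))


if __name__ == "__main__":
    # Constructed ECMP group (deliberately unsorted) and 32 constructed flows.
    hops = ["10.0.0.2", "10.0.0.1", "10.0.0.4", "10.0.0.3"]
    flows = [flow_key("192.0.2.10", "198.51.100.20", 6, 40000 + i, 443) for i in range(32)]
    chassis_a, chassis_b = "00:01:e8:8b:12:34", "00:01:e8:8b:56:78"  # constructed MACs
    # Default behaviour: each chassis derives its own seed from its MAC.
    seed_a, seed_b = seed_from_chassis_mac(chassis_a), seed_from_chassis_mac(chassis_b)
    print("MAC-derived seeds:", count_disagreements(flows, hops, seed_a, seed_b), "flows differ")
    # With the same seed configured on both chassis every flow lands on the same hop.
    print("common seed 7:    ", count_disagreements(flows, hops, 7, 7), "flows differ")
```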
Managing ECMP Group Paths
To avoid path degeneration, configure the maximum number of paths for an ECMP route that the L3 CAM can hold. When you do not configure the maximum number of routes, the CAM can hold a maximum ECMP per route. To configure the maximum number of paths, use the following command.
NOTE: For the new settings to take effect, save the new ECMP settings to the startup-config (write-mem) then reload the system.
● Configure the maximum number of paths per ECMP group.
  CONFIGURATION mode.
NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indices are generated in even numbers (0, 2, 4, 6... 1022) and are for information only. You can configure ecmp-group with id 2 for link bundle monitoring. This ecmp-group is different from the ecmp-group index 2 that is created by configuring routes and is automatically generated.
15 FIP Snooping
The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.
NOTE: FIP snooping is not supported on Fibre Channel interfaces or in a switch stack.
Table 32. FIP Functions
FIP Function        Description
FIP VLAN discovery  FCoE devices (ENodes) discover the FCoE VLANs on which to transmit and receive FIP and FCoE traffic.
FIP discovery       FCoE end-devices and FCFs are automatically discovered.
Initialization      FCoE devices learn ENodes from the FLOGI and FDISC to allow immediate login and create a virtual link with an FCoE switch.
Maintenance         A valid virtual link between an FCoE device and an FCoE switch is maintained and the LOGO functions properly.
Port-based ACLs These ACLs are applied on all three port modes: on ports directly connected to an FCF, server-facing ENode ports, and bridge-to-bridge links. Port-based ACLs take precedence over global ACLs. FCoE-generated ACLs These take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames. The following illustration shows a switch used as a FIP snooping bridge in a converged Ethernet network.
● Process FIP VLAN discovery requests and responses, advertisements, solicitations, FLOGI/FDISC requests and responses, FLOGO requests and responses, keep-alive packets, and clear virtual-link messages.

Using FIP Snooping
There are four steps to configure FCoE transit.
1. Enable the FCoE transit feature on a switch.
2. Enable FIP snooping globally on all Virtual Local Area Networks (VLANs) or individual VLANs on a FIP snooping bridge.
3.
Ipv4Acl      : 0
Ipv6Acl      : 0
Ipv4Qos      : 2
L2Qos        : 0
L2PT         : 0
IpMacAcl     : 0
VmanQos      : 0
EtsAcl       : 1
FcoeAcl      : 2
iscsiOptAcl  : 2
ipv4pbr      : 0
vrfv4Acl     : 0
Openflow     : 0
fedgovacl    : 0
nlbclusteracl: 0
-- stack-unit 1 --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl        : 2
Ipv4Acl      : 0
Ipv6Acl      : 0
Ipv4Qos      : 2
L2Qos        : 0
L2PT         : 0
IpMacAcl     : 0
VmanQos      : 0
EtsAcl       : 1
FcoeAcl      : 2
iscsiOptAcl  : 2
ipv4pbr      : 0
vrfv4Acl     : 0
Openflow     : 0
fedgovacl    : 0
nlbclusteracl: 0
DellEMC(conf)#

Enabling the FCoE Transit Feature
Th
Configure the FC-MAP Value You can configure the FC-MAP value to be applied globally by the switch on all or individual FCoE VLANs to authorize FCoE traffic. The configured FC-MAP value is used to check the FC-MAP value for the MAC address assigned to ENodes in incoming FCoE frames. If the FC-MAP value does not match, FCoE frames are dropped. A session between an ENode and an FCF is established by the switch-bridge only when the FC-MAP value on the FCF matches the FC-MAP value on the FIP snooping bridge.
FIP Snooping Restrictions
The following restrictions apply when you configure FIP snooping.
● The maximum number of FCoE VLANs supported on the switch is eight.
● The maximum number of FIP snooping sessions supported per ENode server is 32. To increase the maximum number of sessions to 64, use the fip-snooping max-sessions-per-enodemac command.
● The maximum number of FCFs supported per FIP snooping-enabled VLAN is twelve.
Table 34. Displaying FIP Snooping Information (continued)
Command                                                                                                                          Output
show fip-snooping statistics [interface vlan vlan-id | interface port-type port/slot | interface port-channel port-channel-number]  Displays statistics on the FIP packets snooped on all interfaces, including VLANs, physical ports, and port channels.
---100 ------TRUE -------0X0EFC00

The following example shows the show fip-snooping enode command.
DellEMC# show fip-snooping enode
Enode MAC          Enode Interface  FCF MAC            VLAN  FC-ID
-----------------  ---------------  -----------------  ----  --------
d4:ae:52:1b:e3:cd  Te 1/11/1        54:7f:ee:37:34:40  100   62:00:11

The following table describes the show fip-snooping enode command fields.
Table 36. show fip-snooping enode Command Description
Field      Description
ENode MAC  MAC address of the ENode.
Number of FLOGI Rejects                            :0
Number of FDISC Accepts                            :16
Number of FDISC Rejects                            :0
Number of FLOGO Accepts                            :0
Number of FLOGO Rejects                            :0
Number of CVL                                      :0
Number of FCF Discovery Timeouts                   :0
Number of VN Port Session Timeouts                 :0
Number of Session failures due to Hardware Config  :0
DellEMC(conf)#

DellEMC# show fip-snooping statistics int tengigabitethernet 1/11/1
Number of Vlan Requests                 :1
Number of Vlan Notifications            :0
Number of Multicast Discovery Solicits  :1
Number of Unicast Discovery Solicits    :0
Number
Table 38. show fip-snooping statistics Command Descriptions (continued)
Field                                   Description
Number of Multicast Discovery Solicits  Number of FIP-snooped multicast discovery solicit frames received on the interface.
Number of Unicast Discovery Solicits    Number of FIP-snooped unicast discovery solicit frames received on the interface.
Number of FLOGI                         Number of FIP-snooped FLOGI request frames received on the interface.
Number of FDISC                         Number of FIP-snooped FDISC request frames received on the interface.
VLAN  FC-MAP    FCFs  Enodes  Sessions
----  ------    ----  ------  --------
*1
100   0X0EFC00  1     2       17

FCoE Transit Configuration Example
The following illustration shows a switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway.
Figure 38. Configuration Example: FIP Snooping on a Switch
In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
Example of Enabling an FC-MAP Value on a VLAN
DellEMC(conf-if-vl-10)# fip-snooping fc-map 0x0EFC01
NOTE: Configuring an FC-MAP value is only required if you do not use the default FC-MAP value (0x0EFC00).
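The FC-MAP check that the "Configure the FC-MAP Value" section and the VLAN example above describe, as an added Python model (not Dell EMC Networking OS code): a fabric provided MAC address (FPMA) is the 24-bit FC-MAP followed by the 24-bit FC-ID, so the bridge compares the upper three octets of an FCoE frame's source MAC with the FC-MAP configured for its VLAN (the per-VLAN value, else the global one) and drops the frame on mismatch. The class and function names are assumptions; the FC-ID 62:00:11 and VLANs 100 and 10 are taken from the outputs above.

```python
from collections import Counter

DEFAULT_FC_MAP = 0x0EFC00  # default FC-MAP value stated in the guide


def mac_to_int(mac: str) -> int:
    octets = mac.split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC address: {mac}")
    return int("".join(octets), 16)


def int_to_mac(value: int) -> str:
    return ":".join(f"{b:02x}" for b in value.to_bytes(6, "big"))


def fc_map_of(mac: str) -> int:
    """The upper 24 bits of an FPMA carry the FC-MAP."""
    return mac_to_int(mac) >> 24


def fc_id_of(mac: str) -> int:
    """The lower 24 bits of an FPMA carry the FC-ID assigned at FLOGI/FDISC."""
    return mac_to_int(mac) & 0xFFFFFF


def fpma(fc_map: int, fc_id: int) -> str:
    """Build the FPMA an FCF assigns to an ENode: FC-MAP || FC-ID."""
    if not 0 <= fc_map <= 0xFFFFFF or not 0 <= fc_id <= 0xFFFFFF:
        raise ValueError("FC-MAP and FC-ID are 24-bit values")
    return int_to_mac((fc_map << 24) | fc_id)


class FipSnoopingBridge:
    """FC-MAP enforcement of a FIP snooping bridge (illustrative model)."""

    def __init__(self, global_fc_map: int = DEFAULT_FC_MAP):
        self.global_fc_map = global_fc_map
        self.vlan_fc_map = {}      # per-VLAN values (fip-snooping fc-map under interface vlan)
        self.dropped = Counter()   # dropped FCoE frames per VLAN

    def set_vlan_fc_map(self, vlan: int, fc_map: int) -> None:
        self.vlan_fc_map[vlan] = fc_map

    def expected_fc_map(self, vlan: int) -> int:
        return self.vlan_fc_map.get(vlan, self.global_fc_map)

    def accept_fcoe_frame(self, vlan: int, src_mac: str) -> bool:
        """Forward an FCoE frame only if its source MAC carries the VLAN's FC-MAP."""
        if fc_map_of(src_mac) != self.expected_fc_map(vlan):
            self.dropped[vlan] += 1
            return False
        return True

    def session_allowed(self, vlan: int, fcf_fc_map: int) -> bool:
        """An ENode/FCF session is set up only when the FCF's FC-MAP matches the bridge's."""
        return fcf_fc_map == self.expected_fc_map(vlan)


if __name__ == "__main__":
    bridge = FipSnoopingBridge()
    bridge.set_vlan_fc_map(10, 0x0EFC01)          # the VLAN 10 example above
    enode_mac = fpma(DEFAULT_FC_MAP, 0x620011)    # FC-ID from the show fip-snooping enode output
    print("ENode FPMA on VLAN 100:", enode_mac, "accepted:", bridge.accept_fcoe_frame(100, enode_mac))
    print("same FPMA on VLAN 10:  ", "accepted:", bridge.accept_fcoe_frame(10, enode_mac))
    print("dropped per VLAN:", dict(bridge.dropped))
```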
16 Flex Hash and Optimized Boot-Up
This chapter describes the Flex Hash and fast-boot enhancements.
Topics:
• Flex Hash Capability Overview
• Configuring the Flex Hash Mechanism
• Configuring Fast Boot and LACP Fast Switchover
• Optimizing the Boot Time
• Interoperation of Applications with Fast Boot and System States
• RDMA Over Converged Ethernet (RoCE) Overview
• Preserving 802.
Flex hash APIs do not mask out unwanted byte values after extraction of the data from the Layer 4 headers for the offset value. 2. Use the load-balance flexhash command to specify whether IPv4 or IPv6 packets must be subjected to the flex hash functionality, a unique protocol number, the offset of hash fields from the start of the L4 header to be used for hash calculation, and a meaningful description to associate the protocol number with the name.
unexpected shutdown) from an older release of Dell EMC Networking OS to Release 9.3(0.0) or later. Dell EMC recommends that you do not downgrade your system from Release 9.3(0.0) to an earlier release that does not support the fast boot functionality because the system behavior is unexpected and undefined. ● Fast boot uses the Symmetric Multiprocessing (SMP) utility that is enabled on the Intel CPU on the device to enhance the speed of the system startup. SMP is supported on the device.
A file is generated to indicate that the system is undergoing a fast boot, which is used after the system comes up. After the Dell EMC Networking OS image is loaded and activated, and the appropriate software components come up, the following additional actions are performed: ● If a database of dynamic ARP entries is present on the flash drive, that information is read and the ARP entries are restored; the entries are installed on the switch as soon as possible.
Unexpected Reload of the System When an unexpected or unplanned reload occurs, such as a reset caused by the software, the system performs the regular boot sequence even if it is configured for fast boot. When the system comes up, dynamic ARP or ND database entries are not present or required to be restored. The system boot up mode will not be fast boot and actions specific to this mode will not be performed.
RDMA Over Converged Ethernet (RoCE) Overview This functionality is supported on the platform. RDMA is a technology that a virtual machine (VM) uses to directly transfer information to the memory of another VM, thus enabling VMs to be connected to storage networks. With RoCE, RDMA enables data to be forwarded without passing through the CPU and the main memory path of TCP/IP.
except the Layer 2 and Layer 3 control frames. It is not required for a VLAN ID to be preserved (in the hardware or the OS application) when a VLAN ID, used for encapsulation, is associated with a physical/Port-channel interface. Normal VLANs and VLAN encapsulation can exist simultaneously and any non-unicast traffic received on a normal VLAN is not flooded using lite subinterfaces whose encapsulation VLAN ID matches with that of the normal VLAN ID.
17 Force10 Resilient Ring Protocol (FRRP) FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
Figure 39. Example of Multiple Rings Connected by Single Switch

Important FRRP Points
FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring.
● The Master node transmits ring status check frames at specified intervals.
● You can run multiple physical rings on the same switch.
Important FRRP Concepts
The following table lists some important FRRP concepts.
Concept       Explanation
Ring ID       Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202, as shown in the illustration in Member VLAN Spanning Two Rings Connected by One Switch).
Control VLAN  Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose.
● If multiple rings share one or more member VLANs, they cannot share any links between them.
● Member VLANs across multiple rings are not supported in Master nodes.
● Each ring has only one Master node; all others are transit nodes.

FRRP Configuration
These are the tasks to configure FRRP.
● For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the slot/port/subport information.
● For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port/subport information.
● For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the slot/port/subport information.
● For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the slot/port information.
3.
interface primary interface secondary interface control-vlan vlan id
Interface:
● For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
● For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the slot/port/subport information.
● For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port/subport information.
Viewing the FRRP Information
To view general FRRP information, use one of the following commands.
● Show the information for the identified FRRP group.
  EXEC or EXEC Privilege mode.
  show frrp ring-id
  Ring ID: the range is from 1 to 255.
● Show the state of all FRRP groups.
  EXEC or EXEC Privilege mode.
  show frrp summary
  Ring ID: the range is from 1 to 255.

Troubleshooting FRRP
To troubleshoot FRRP, use the following information.
Configuration Checks
● Each Control Ring must use a unique VLAN ID.
mode master
no disable

Example of R2 TRANSIT
interface TenGigabitEthernet 1/14/1
no ip address
switchport
no shutdown
!
interface TenGigabitEthernet 1/11/1
no ip address
switchport
no shutdown
!
interface Vlan 101
no ip address
tagged TenGigabitEthernet 1/14/1,11/1
no shutdown
!
interface Vlan 201
no ip address
tagged TenGigabitEthernet 1/14/1,11/1
no shutdown
!
protocol frrp 101
interface primary TenGigabitEthernet 1/14/1 secondary TenGigabitEthernet 1/11/1 control-vlan 101
member-vlan 201
mode transit
no
You can configure a simple FRRP ring that connects a VLT device in one data center to VLT devices in two or more data centers.
NOTE: This configuration connects VLT devices across data centers using FRRP; however, the VLTi may or may not participate as a ring interface of any FRRP ring.
The following figure shows a simple FRRP ring interconnecting VLT devices:
Figure 40.
configured (for example, M11 through Mn) that carry the data traffic across the FRRP rings. The secondary port P1 is tagged to the control VLAN (V1). VLTi is implicitly tagged to the member VLANs when these VLANs are configured in the VLT peer. As a result of the VLT Node1 configuration on R2, the FRRP ring R2 becomes active. The primary interface VLTi and the secondary interface P1 act as forwarding ports for the member VLANs (M11 to Mn). VLT Node2 is the master node.
18 GARP VLAN Registration Protocol (GVRP) The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other.
Configure GVRP
To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports.
Figure 42. Global GVRP Configuration Example
Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2.
gvrp enable
DellEMC(conf)#protocol gvrp
DellEMC(config-gvrp)#no disable
DellEMC(config-gvrp)#show config
!
protocol gvrp
no disable
DellEMC(config-gvrp)#
To inspect the global configuration, use the show gvrp brief command.

Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
● Enable GVRP on a Layer 2 interface.
no shutdown
DellEMC(conf-if-te-1/21/1)#

Configure a GARP Timer
Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings.
● Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The Dell EMC Networking OS default is 200ms.
19 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 43. IGMP Messages in IP Packets Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. Responding to an IGMP Query The following describes how a host can join a multicast group. 1. One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet. 2.
IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences. ● Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers. ● To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Joining and Filtering Groups and Sources
The following illustration shows how multicast routers maintain the group and source information from unsolicited reports.
1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1. Include messages prevent traffic from all other sources in the group from reaching the subnet.
Leaving and Staying in Groups
The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries.
1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filter for 10.11.1.1 and 10.11.1.2 is no longer necessary.
2.
● Adjusting Timers
● Preventing a Host from Joining a Group
● Enabling IGMP Immediate-Leave
● IGMP Snooping
● Fast Convergence after MSTP Topology Changes
● Designating a Multicast Router Interface

Viewing IGMP Enabled Interfaces
Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command.
● View IGMP-enabled IPv4 interfaces.
  EXEC Privilege mode
  show ip igmp interface
● View IGMP-enabled IPv6 interfaces.
GigabitEthernet 1/13/1 is up, line protocol is down
  Inbound IGMP access group is not set
  Interface IGMP group join rate limit is not set
  Internet address is 1.1.1.1/24
  IGMP is enabled on interface
  IGMP query interval is 60 seconds
  IGMP querier timeout is 125 seconds
  IGMP max query response time is 10 seconds
  IGMP last member query response interval is 1000 ms
  IGMP immediate-leave is disabled
  IGMP activity: 0 joins, 0 leaves, 0 channel joins, 0 channel leaves
  IGMP querying router is 1.1.1.
When the querier receives a leave message from a host, it sends a group-specific query to the subnet. If no response is received, it sends another. The amount of time that the querier waits to receive a response to the initial query before sending a second one is the last member query interval (LMQI). The switch waits one LMQI after the second query before removing the group from the state table. ● Adjust the period between queries.
IGMP Snooping Implementation Information
● IGMP snooping on Dell EMC Networking OS uses IP multicast addresses, not MAC addresses.
● IGMP snooping reacts to spanning tree protocol (STP) and multiple spanning tree protocol (MSTP) topology changes by sending a general query on the interface that transitions to the forwarding state.
● If IGMP snooping is enabled on a PIM-enabled VLAN interface, data packets using the router as a Layer 2 hop may be dropped.
Disabling Multicast Flooding
If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. When you configure the no ip igmp snooping flood command, the system drops the packets immediately. The system does not forward the frames on mrouter ports, even if they are present. Disable Layer 3 multicast (no ip multicast-routing) in order to disable multicast flooding.
Fast Convergence after MSTP Topology Changes When a port transitions to the Forwarding state as a result of an STP or MSTP topology change, Dell EMC Networking OS sends a general query out of all ports except the multicast router ports. The host sends a response to the general query and the forwarding database is updated without having to wait for the query interval to expire.
Table 39.
front-panel port IP on the peer box is initiated via management port only, if the management port is UP and management route is available.
● TFTP is an exception to the preceding logic. ● For TFTP, data transfer is initiated on port 69, but the data transfer ports are chosen independently by the sender and receiver during initialization of the connection. The ports are chosen at random according to the parameters of the networking stack, typically from the range of temporary ports. ● If route lookup in EIS routing table succeeds, the application-specific packet count is incremented.
Handling of Transit Traffic (Traffic Separation)
This is forwarded traffic where the destination IP is not an IP address configured in the switch.
● Packets received on the management port with a destination on the front-end port are dropped.
● Packets received on the front-end port with a destination on the management port are dropped.
● A separate drop counter is incremented for this case. This counter is viewed using the netstat command, like all other IP layer counters.
This phenomenon occurs where traffic is originating from the switch. 1. Management Applications (Applications that are configured as management applications): The management port is an egress port for management applications. If the management port is down or the destination is not reachable through the management port (next hop ARP is not resolved, and so on), and if the destination is reachable through a data port, then the management application traffic is sent out through the front-end data port.
EIS Behavior: If source TCP or UDP port matches an EIS management or a non-EIS management application and source IP address is management port IP address, management port is the preferred egress port selected based on route lookup in EIS table. If the management port is down or the route lookup fails, packets are dropped. If the source TCP/UDP port or source IP address does not match the management port IP address, a route lookup is done in the default routing table.
Designating a Multicast Router Interface
To designate an interface as a multicast router interface, use the following command. Dell EMC Networking OS can also listen to incoming IGMP general queries and designate those interfaces as multicast router interfaces when the frames have a non-zero IP source address. All IGMP control packets and IP multicast data traffic originating from receivers are forwarded to multicast router interfaces.
20 Interfaces
This chapter describes interface types, both physical and logical, and how to configure them with Dell EMC Networking Operating System (OS). The system supports 10-Gigabit, 25-Gigabit, 40-Gigabit, 50-Gigabit, and 100-Gigabit QSFP28 interfaces.
NOTE: Only Dell-qualified optics are supported on these interfaces. Non-Dell optics for 40-Gigabit, 25-Gigabit, 50-Gigabit, and 100-Gigabit are set to the error-disabled state.
• Non Dell-Qualified Transceivers
• Splitting 100G Ports
• Link Dampening
• Link Bundle Monitoring
• Using Ethernet Pause Frames for Flow Control
• Configure the MTU Size on an Interface
• Configuring wavelength for 10-Gigabit SFP+ optics
• Port-Pipes
• CR4 Auto-Negotiation
• Setting the Speed of Ethernet Interfaces
• Syslog Warning Upon Connecting SFP28 Optics with QSA
• FEC Configuration
• View interface information with FEC type
• View Advanced Interface Information
• Configuring the Traffic Sam
NOTE: The CLI output may be incorrectly displayed as 0 (zero) for the Rx/Tx power values. To obtain the correct power information, perform a simple network management protocol (SNMP) query. The following example shows the configuration and status information for one interface.
!
interface hundredGigE 1/3
no ip address
shutdown
!
interface hundredGigE 1/4
no ip address
shutdown

Resetting an Interface to its Factory Default State
You can reset the configurations applied on an interface to its factory default state. To reset the configuration, perform the following steps:
1. View the configurations applied on an interface.
● For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the slot/port information.
2. Enable the interface.
  INTERFACE mode
  no shutdown
To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave INTERFACE mode, use the exit command or end command. You cannot delete a physical interface.

Physical Interfaces
The Management Ethernet interface is a single RJ-45 Fast Ethernet port on a switch.
Table 44. Layer Modes (continued)
Type of Interface  Possible Modes  Requires Creation  Default State
                                                      Shutdown (disabled for Layer 3)

Configuring Layer 2 (Data Link) Mode
Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode. To set Layer 2 data transmissions through an individual interface, use the following command.
● Enable Layer 2 data transmissions through an individual interface.
If an interface is in the incorrect layer mode for a given command, an error message is displayed (shown in bold). In the following example, the ip address command triggered an error message because the interface is in Layer 2 mode and the ip address command is a Layer 3 command only.
DellEMC(conf-if)#show config
!
interface TenGigabitEthernet 1/2/1
no ip address
switchport
no shutdown
DellEMC(conf-if)#ip address 10.10.1.1 /24
% Error: Port is in Layer 2 mode Te 1/2/1.
● MAC learning limit
● ARP inspection
Based on the automatic recovery configuration, when the interface is changed to the Err-disabled state, Dell EMC Networking OS starts a timer for the configured time-out interval. When the timer expires, the interface is moved to the operationally up state if the encountered error has been fixed; if not, the interface is moved to the Err-disabled state again.
Egress Interface Selection (EIS) EIS allows you to isolate the management and front-end port domains by preventing switch-initiated traffic routing between the two domains. This feature provides additional security by preventing flooding attacks on front-end ports. The following protocols support EIS: DNS, FTP, NTP, RADIUS, sFlow, SNMP, SSH, Syslog, TACACS, Telnet, and TFTP. This feature does not support sFlow on stacked units.
The port range is 1.
● Configure an IP address and mask on a Management interface.
  INTERFACE mode
  ip address ip-address mask
  ○ ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in /prefix format (/x).

Configuring a Management Interface on an Ethernet Port
You can manage the system through any port using remote access such as Telnet. To configure an IP address for the port, use the following commands.
NOTE: You cannot simultaneously use egress rate shaping and ingress rate policing on the same VLAN. Dell EMC Networking OS supports Inter-VLAN routing (Layer 3 routing in VLANs). You can add IP addresses to VLANs and use them in routing protocols in the same manner that physical interfaces are used. For more information about configuring different routing protocols, refer to the chapters on the specific protocol.
● Enter INTERFACE mode of the Null interface.
  CONFIGURATION mode
  interface null 0
The only configurable command in INTERFACE mode of the Null interface is the ip unreachable command.

Port Channel Interfaces
Port channel interfaces support link aggregation, as described in IEEE Standard 802.3ad.
in the port channel is a Tengigabit Ethernet interface, all interfaces at 10000 Mbps are kept up, and all other interfaces that are not set to 10G speed or auto negotiate are disabled. Interfaces in Port Channels When interfaces are added to a port channel, the interfaces must share a common speed. When interfaces have a configured speed different from the port channel speed, the software disables those interfaces. The common speed is determined when the port channel is first enabled.
Adding a Physical Interface to a Port Channel The physical interfaces in a port channel can be on any line card in the chassis, but must be the same physical type. NOTE: Port channels can contain a mix of Ethernet interfaces, but Dell EMC Networking OS disables the interfaces that are not the same speed of the first channel member in the port channel (refer to 10/100/1000 Mbps Interfaces in Port Channels). You can add any physical interface to a port channel if the interface configuration is minimal.
Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
         42 CRC, 0 IP Checksum, 0 overrun, 0 discarded
2456590833 packets output, 203958235255 bytes, 0 underruns
  Output 1640 Multicasts, 56612 Broadcasts, 2456532581 Unicasts
         2456590654 IP Packets, 0 Vlans, 0 MPLS
         0 throttles, 0 discarded
Rate info (interval 5 minutes):
  Input 00.01Mbits/sec, 2 packets/sec
  Output 81.
interface Port-channel 3
no ip address
channel-member TenGigabitEthernet 1/8/1
shutdown
DellEMC(conf-if-po-3)#

Configuring the Minimum Oper Up Links in a Port Channel
You can configure the minimum links in a port channel (LAG) that must be in “oper up” status to consider the port channel to be in “oper up” status. To set the “oper up” status of your links, use the following command.
● Enter the number of links in a LAG that must be in “oper up” status.
  INTERFACE mode
  minimum-links number
  The default is 1.
INTERFACE mode
DellEMC(conf-if)#switchport
3. Verify the manually configured VLAN membership (show interfaces switchport interface command).
Dell EMC Networking OS allows you to modify the hashing algorithms used for flows and for fragments. The load-balance and hash-algorithm commands are available for modifying the distribution algorithms. Load-Balancing Method By default, LAG hashing uses the source IP, destination IP, source transmission control protocol (TCP)/user datagram protocol (UDP) port, and destination TCP/UDP port for hash computation.
● Change to another algorithm.
  CONFIGURATION mode
  hash-algorithm [ecmp {crc16|crc16cc|crc32LSB|crc32MSB|crc-upper|dest-ip|lsb|xor1|xor2|xor4|xor8|xor16}]
DellEMC(conf)#hash-algorithm ecmp xor 26 lag crc 26 nh-ecmp checksum 26
DellEMC(conf)#
The hash-algorithm command is specific to the ECMP group. The default ECMP hash configuration is crc-lower. This command takes the lower 32 bits of the hash key to compute the egress port.
Bulk Configuration Examples
Use the interface range command for bulk configuration.
● Create a Single-Range
● Create a Multiple-Range
● Exclude Duplicate Entries
● Exclude a Smaller Port Range
● Overlap Port Ranges
● Commas
● Add Ranges

Create a Single-Range
The following is an example of a single range.
Overlap Port Ranges
The following is an example showing how the interface-range prompt extends a port range from the smallest start port number to the largest end port number when port ranges overlap.
Choosing an Interface-Range Macro To use an interface-range macro, use the following command. ● Selects the interfaces range to be configured using the values saved in a named interface-range macro. CONFIGURATION mode interface range macro name The following example shows how to change to the interface-range configuration mode using the interface-range macro named “test.
Input IP checksum:   0    0 pps
Input overrun:       0    0 pps
Output underruns:    0    0 pps
Output throttles:    0    0 pps

m - Change mode                  c - Clear screen
l - Page up                      a - Page down
T - Increase refresh interval    t - Decrease refresh interval
q - Quit
q
DellEMC#

Maintenance Using TDR
The time domain reflectometer (TDR) is supported on all Dell EMC Networking switches. TDR is an assistance tool for resolving link issues; it detects obvious open or short conditions within any of the four copper pairs.
MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 40000 Mbit
Link Dampening
Interface state changes occur when interfaces are administratively brought up or down or when the link state of an interface changes. Every time an interface changes state or flaps, routing protocols are notified of the routes affected by the change and must re-converge. Frequent flapping therefore puts the entire network at risk of transient loops and black holes.

Figure 48. Interface State Change
Consider an interface that flaps periodically, as shown above. Every time the interface goes down, a penalty of 1024 is added. In the example, the first flap (flap 1) sets the penalty to 1024. The accumulated penalty then decays exponentially according to the configured half-life, which is 10 seconds in the example. At the second flap (flap 2), another 1024 is added to whatever penalty remains.
Enabling Link Dampening To enable link dampening, use the following command. ● Enable link dampening. INTERFACE mode dampening To view the link dampening configuration on an interface, use the show config command. R1(conf-if-te-1/1/1)#show config ! interface TenGigabitEthernet 1/1/1 ip address 10.10.19.1/24 dampening 1 2 3 4 no shutdown To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
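The following is an added example, not code from the Dell EMC guide, that replays the penalty model described above: 1024 per flap, exponential decay with a half-life, suppression once the penalty exceeds a suppress threshold and reuse once it decays below a reuse threshold. The parameter names (half-life, reuse, suppress) follow the classic route-dampening model; how they map onto the four values in the `dampening 1 2 3 4` configuration is not documented on this page and is not assumed here. The flap times are constructed sample data.

```python
import math

FLAP_PENALTY = 1024          # the page: each time the interface goes down, 1024 is added


def decayed(penalty, elapsed, half_life):
    """Exponential decay: the penalty halves every half_life seconds."""
    return penalty * math.pow(0.5, elapsed / half_life)


def dampening_state(flap_times, at, half_life, reuse, suppress):
    """Replay flaps up to time `at` and return (penalty, suppressed).

    The interface is suppressed once the accumulated penalty exceeds
    `suppress`; it is reused again once decay brings the penalty below `reuse`.
    """
    penalty, last, suppressed = 0.0, 0.0, False
    for t in sorted(x for x in flap_times if x <= at):
        penalty = decayed(penalty, t - last, half_life)
        last = t
        if suppressed and penalty < reuse:       # decayed below reuse before this flap
            suppressed = False
        penalty += FLAP_PENALTY
        if penalty > suppress:
            suppressed = True
    penalty = decayed(penalty, at - last, half_life)
    if suppressed and penalty < reuse:
        suppressed = False
    return penalty, suppressed


def reuse_time(penalty, half_life, reuse):
    """Seconds until `penalty` decays below `reuse` (0 if it is already below)."""
    if penalty <= reuse:
        return 0.0
    return half_life * math.log2(penalty / reuse)


if __name__ == "__main__":
    flaps = [0, 5, 10]                   # constructed: three flaps in ten seconds
    for when in (10, 20, 30):
        p, s = dampening_state(flaps, when, half_life=10, reuse=750, suppress=2000)
        print(f"t={when:>3}s penalty={p:7.1f} suppressed={s}")
```

The replay shows the operational trade-off: a short half-life forgives a flapping link quickly, while a long one keeps a bad link out of the routing tables for longer at the cost of slower recovery after a one-off event.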
Configure MTU Size on an Interface
In Dell EMC Networking OS, Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload). The following table lists the range for each transmission media.

Transmission Media    MTU Range (in bytes)
Ethernet              594-12000 = link MTU
                      576-9234 = IP MTU

Link Bundle Monitoring
Monitoring linked LAG bundles allows traffic distribution amounts in a link to be monitored for unfair distribution at any given time.
The PAUSE frame is defined by IEEE 802.3x and uses MAC Control frames to carry the PAUSE commands. Ethernet pause frames are supported on full duplex only. If a port is over-subscribed, Ethernet Pause Frame flow control does not ensure no-loss behavior. Restriction: Ethernet Pause Frame flow control is not supported if PFC is enabled on an interface. Control how the system responds to and generates 802.3x pause frames on Ethernet interfaces. The default is rx off tx off. INTERFACE mode.
Table 45. Layer 2 Overhead
Layer 2 Overhead                          Difference Between Link MTU and IP MTU
Ethernet (untagged)                       18 bytes
VLAN Tag                                  22 bytes
Untagged Packet with VLAN-Stack Header    22 bytes
Tagged Packet with VLAN-Stack Header      26 bytes

Link MTU and IP MTU considerations for port channels and VLANs are as follows.
Port Channels:
● All members must have the same link MTU value and the same IP MTU value.
Port-Pipes A port pipe is a Dell EMC Networking-specific term for the hardware packet-processing elements that handle network traffic to and from a set of front-end I/O ports. The physical, front-end I/O ports are referred to as a port-set. In the command-line interface, a port pipe is entered as port-set port-pipe-number. CR4 Auto-Negotiation You can configure interface type as CR4 with auto-negotiation enabled. Many DAC cable link issues are resolved by setting the interface type as CR4.
speed {10 | 100 | 1000 | 10000 | auto} NOTE: If you use an active optical cable (AOC), you can convert the QSFP+ port to a 10 Gigabit SFP+ port or 1 Gigabit SFP port. You can use the speed command to enable the required speed. 6. Optionally, set full- or half-duplex. INTERFACE mode duplex {half | full} 7. Disable auto-negotiation on the port. INTERFACE mode no negotiation auto If the speed was set to 1000, do not disable auto-negotiation. 8. Verify configuration changes.
For non-Dell-qualified SFP28 optics:
Aug 8 20:31:56 %Z9100-ON:1 %IFAGT-5-UNSUP_OPTICS: Non-qualified optics in slot 1 port 7/1. Wrong QSA in use. Please utilize QSA28, not lower speed QSA to guarantee support and performance for 25G Optics and cables

FEC Configuration
FEC configuration is available on 100-Gigabit, 50-Gigabit, and 25-Gigabit Ethernet interfaces. To configure FEC, use the following commands.
● Enable FEC.
MTU 9416 bytes, IP MTU 9398 bytes
LineSpeed 100000 Mbit
Flowcontrol rx off tx off
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:31:23
Queueing strategy: fifo
Input Statistics:
     32992398774 packets, 2243483116632 bytes
     0 64-byte pkts, 32992398774 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     0 Multicasts, 0 Broadcasts, 32992398774 Unicasts
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
     669 FEC bit er
Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 1 Multicasts, 0 Broadcasts, 0 Unicasts 0 throttles, 0 discarded, 0 collisions, 0 wreddrops Rate info (interval 299 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.
The following example shows how to configure the rate interval when changing the default value. To configure the number of seconds of traffic statistics to display in the show interfaces output, use the following command.
● Configure the number of seconds of traffic statistics to display in the show interfaces output.
INTERFACE mode
rate-interval
The bold lines show the default value of 299 seconds, the rate-interval command changing it to 100, and the new rate interval of 100 in effect.

The following example shows how to configure the rate interval globally when changing the default value. To configure the number of seconds of traffic statistics to display in the show interfaces output, use the following command.
● Configure the number of seconds of traffic statistics to display in the show interfaces output.
CONFIGURATION mode
rate-interval
The bold lines show the default value of 299 seconds, the rate-interval command changing it to 100, and the new rate interval of 100 in effect.
13908 packets, 1114396 bytes, 0 underruns 5555 64-byte pkts, 8213 over 64-byte pkts, 140 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 13727 Multicasts, 5 Broadcasts, 176 Unicasts 0 throttles, 0 discarded, 0 collisions, 0 wreddrops Rate info (interval 150 seconds): Input 300.00 Mbits/sec, 1534517 packets/sec, 30.00% of line-rate Output 100.00 Mbits/sec, 4636111 packets/sec, 10.
When you enter this command, confirm that you want Dell EMC Networking OS to clear the interface counters for that interface. DellEMC#clear counters te 1/1/1 Clear counters on TenGigabitEthernet 1/1/1 [confirm] DellEMC# Enhanced Validation of Interface Ranges You can avoid specifying spaces between the range of interfaces, separated by commas, that you configure by using the interface range command.
Table 46. Standard and Compressed Configurations

Uncompressed:
interface TenGigabitEthernet 1/4/1
 no ip address
 shutdown
!
interface TenGigabitEthernet 1/10/1
 no ip address
 shutdown
!
interface TenGigabitEthernet 1/34/1
 ip address 2.1.1.1/16
 shutdown
!

Compressed:
!
interface group Vlan 2 , Vlan 100
 no ip address
 no shutdown
!
interface group Vlan 3 - 5
 tagged te 1/1/1
 no ip address
 shutdown
!
interface Vlan 1000
 ip address 1.1.1.

The write memory compressed command writes the running configuration to the startup-config file in compressed form. In a stacking scenario, it also synchronizes the compressed file to all standby and member units.
21 IPv4 Routing The Dell EMC Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell EMC Networking OS.
IP Addresses
Dell EMC Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which aggregates several contiguous networks into a single larger prefix, is also supported. To subnet, you add a mask to the IP address to separate the network and host portions of the IP address.

2. Enable the interface.
INTERFACE mode
no shutdown
3. Configure a primary IP address and mask on the interface.
INTERFACE mode
ip address ip-address mask [secondary]
● ip-address mask: the IP address must be in dotted decimal format (A.B.C.D). The mask must be in slash prefix-length format (for example, /24).
● secondary: add the keyword secondary if the IP address is the interface's backup IP address. You can configure up to eight secondary IP addresses.
S    6.1.2.5/32      via 6.1.20.2
S    6.1.2.6/32      via 6.1.20.2
S    6.1.2.7/32      via 6.1.20.2
S    6.1.2.8/32      via 6.1.20.2
S    6.1.2.9/32      via 6.1.20.2
S    6.1.2.10/32     via 6.1.20.2
S    6.1.2.11/32     via 6.1.20.2
S    6.1.2.12/32     via 6.1.20.2
S    6.1.2.13/32     via 6.1.20.2
S    6.1.2.14/32     via 6.1.20.2
S    6.1.2.15/32     via 6.1.20.2
S    6.1.2.16/32     via 6.1.20.2
S    6.1.2.17/32     via 6.1.20.
S    11.1.1.0/24     Direct, Lo 0
--More--
Configure Static Routes for the Management Interface When an IP address that a protocol uses and a static management route exists for the same prefix, the protocol route takes precedence over the static management route. To configure a static route for the management port, use the following command. ● Assign a static route to point to the management interface or forwarding router.
Using the Configured Source IP Address in ICMP Messages ICMP error or unreachable messages are now sent with the configured IP address of the source interface instead of the front-end port IP address as the source IP address. Enable the generation of ICMP unreachable messages through the ip unreachable command in Interface mode. When a ping or traceroute packet from an endpoint or a device arrives at the null 0 interface configured with a static route, it is discarded.
INTERFACE mode ip directed-broadcast To view the configuration, use the show config command in INTERFACE mode. Resolution of Host Names Domain name service (DNS) maps host names to IP addresses. This feature simplifies commands such as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless you enable the feature, the system resolves only host names entered into the host table with the ip host command.
Specifying the Local System Domain and a List of Domains
If you enter a partial domain, Dell EMC Networking OS can search different domains to complete, or fully qualify, that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period (dot). Dell EMC Networking OS searches the host table first to resolve the partial domain. The host table contains both statically configured and dynamically learned host names and IP addresses.

ARP
Dell EMC Networking OS uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables end stations to learn the MAC addresses of neighbors on an IP network. Over time, Dell EMC Networking OS builds a forwarding table that maps MAC addresses to their corresponding IP addresses. This table is called the ARP cache; dynamically learned entries are removed after a defined period of time.
Enabling Proxy ARP By default, Proxy ARP is enabled. To disable Proxy ARP, use the no proxy-arp command in the interface mode. To re-enable Proxy ARP, use the following command. ● Re-enable Proxy ARP. INTERFACE mode ip proxy-arp To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output.
ARP Learning via ARP Request In Dell EMC Networking OS versions prior to 8.3.1.0, Dell EMC Networking OS learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped. If there is an existing entry for the requesting host, it is updated. Figure 49.
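The following is an added example, not code from the Dell EMC guide, modelling the learn-on-request rule described above for releases before 8.3.1.0: a sender is learned from an ARP request only when the request targets the receiving interface's own address, while a sender already in the cache is refreshed either way (that reading of "if there is an existing entry for the requesting host, it is updated" is this model's interpretation). The ageing timeout default and the sample MAC/IP values are constructed.

```python
class ArpCache:
    """Minimal ARP cache with the pre-8.3.1.0 learn-on-request rule and ageing."""

    def __init__(self, timeout=14400):
        self.timeout = timeout       # seconds; constructed default, not the switch's
        self.entries = {}            # ip -> (mac, last_seen)

    def expire(self, now):
        """Drop entries older than the timeout and return the IPs removed."""
        stale = [ip for ip, (_, seen) in self.entries.items()
                 if now - seen >= self.timeout]
        for ip in stale:
            del self.entries[ip]
        return stale

    def on_arp_request(self, sender_ip, sender_mac, target_ip, interface_ip, now):
        """Apply the learning rule to one received ARP request.

        Returns 'learned' (new entry), 'updated' (existing entry refreshed)
        or 'dropped' (request for another target from an unknown sender).
        """
        self.expire(now)
        known = sender_ip in self.entries
        if target_ip != interface_ip and not known:
            return "dropped"         # not for us and no existing entry: learn nothing
        self.entries[sender_ip] = (sender_mac, now)
        return "updated" if known else "learned"

    def lookup(self, ip, now):
        """Resolve an IP to a MAC if a non-expired entry exists."""
        self.expire(now)
        entry = self.entries.get(ip)
        return entry[0] if entry else None


# Constructed sample traffic on an interface addressed 10.10.19.1.
IFACE_IP = "10.10.19.1"

def sample_run():
    cache = ArpCache(timeout=300)
    results = [
        # request for some other host: unknown sender, nothing learned
        cache.on_arp_request("10.10.19.50", "00:11:22:33:44:55", "10.10.19.7", IFACE_IP, 0),
        # request for our own address: learned
        cache.on_arp_request("10.10.19.50", "00:11:22:33:44:55", IFACE_IP, IFACE_IP, 1),
        # later request for another target from a known sender: entry refreshed
        cache.on_arp_request("10.10.19.50", "00:11:22:33:44:66", "10.10.19.7", IFACE_IP, 100),
    ]
    return results, cache.lookup("10.10.19.50", 101), cache.lookup("10.10.19.50", 500)
```

The gate on the target address limits how much a spoofed broadcast request can plant in the cache: it cannot create entries for hosts the switch never resolved. It does not protect entries that already exist, which is where classic ARP spoofing lands, so it is no substitute for dynamic ARP inspection where the page's other chapters provide it.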
● Set the exponential timer for resending unresolved ARPs. CONFIGURATION mode arp backoff-time The default is 30. The range is from 1 to 3600. ● Display all ARP entries learned via gratuitous ARP. EXEC Privilege mode show arp retries ICMP For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply).
Figure 51. ICMP Redirect Host H is connected to the same Ethernet segment as SW1 and SW2. SW1 and SW2 are multi-layer switches which can route packets. The default gateway of Host H is configured as SW1. Although the best route to the remote branch office host may be through SW2, Host H sends a packet destined for Host R to its default gateway — SW1.
○ UDP broadcast traffic with destination port 67 or 68 is unicast to the dynamic host configuration protocol (DHCP) server per the ip helper-address configuration, whether or not the UDP port list contains those ports.
○ If the UDP port list contains ports 67 or 68, UDP broadcast traffic is also forwarded on those ports.
Enabling UDP Helper
To enable UDP helper, use the following command.
● Enable UDP helper.
● UDP Helper with Configured Broadcast Addresses ● UDP Helper with No Configured Broadcast Addresses UDP Helper with Broadcast-All Addresses When the destination IP address of an incoming packet is the IP broadcast address, Dell EMC Networking OS rewrites the address to match the configured broadcast address. In the following illustration: 1. Packet 1 is dropped at ingress if you did not configure UDP helper address. 2.
Figure 53. UDP Helper with Subnet Broadcast Addresses UDP Helper with Configured Broadcast Addresses Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces. In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast address of VLAN 100 and 101.
Troubleshooting UDP Helper To display debugging information for troubleshooting, use the debug ip udp-helper command. Example of the debug ip udp-helper Command DellEMC(conf)# debug ip udp-helper 01:20:22: Pkt rcvd on Te 5/1/1 with IP DA (0xffffffff) will be sent on Te 5/1/2 Te 5/1/3 Vlan 3 01:44:54: Pkt rcvd on Te 7/1/1 is handed over for DHCP processing. When using the IP helper and UDP helper on the same interface, use the debug ip dhcp command. Example Output from the debug ip dhcp Command Packet 0.0.0.
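The following is an added example, not code from the Dell EMC guide, that models the UDP helper forwarding rules stated in this section: DHCP ports 67/68 are relayed to the ip helper-address targets regardless of the UDP port list, a broadcast-all destination is rewritten to the configured broadcast address of each egress interface, a subnet-broadcast destination is forwarded only to interfaces whose configured broadcast matches, and a packet arriving where UDP helper is not configured is dropped. Excluding the ingress interface from forwarding and the per-interface "configured broadcast" attribute are this model's assumptions; the interface names, networks and helper addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field

BROADCAST_ALL = ipaddress.IPv4Address("255.255.255.255")
DHCP_PORTS = (67, 68)


@dataclass
class Interface:
    name: str
    network: str                                   # e.g. "10.100.0.0/24"
    configured_broadcast: str = None               # overrides the subnet broadcast
    helper_addresses: list = field(default_factory=list)  # ip helper-address targets

    @property
    def broadcast(self):
        if self.configured_broadcast:
            return ipaddress.IPv4Address(self.configured_broadcast)
        return ipaddress.IPv4Network(self.network).broadcast_address


def udp_helper_decision(dst_ip, dst_port, ingress, interfaces, udp_port_list, helper_enabled):
    """Return the actions for one UDP broadcast received on `ingress`:
    ('unicast', helper_ip), ('forward', iface, rewritten_dst) or ('drop', reason)."""
    dst = ipaddress.IPv4Address(dst_ip)
    actions = []

    # DHCP is relayed per ip helper-address whether or not 67/68 is in the port list.
    if dst_port in DHCP_PORTS and ingress.helper_addresses:
        actions += [("unicast", h) for h in ingress.helper_addresses]

    if dst_port not in udp_port_list:
        return actions or [("drop", "port not in udp-port list")]
    if not helper_enabled:
        return actions or [("drop", "udp-helper not configured on ingress")]

    if dst == BROADCAST_ALL:
        # Broadcast-all: rewrite to each egress interface's configured broadcast.
        for iface in interfaces:
            if iface.name != ingress.name:
                actions.append(("forward", iface.name, str(iface.broadcast)))
    else:
        # Subnet broadcast: only interfaces whose configured broadcast matches.
        for iface in interfaces:
            if iface.name != ingress.name and iface.broadcast == dst:
                actions.append(("forward", iface.name, str(dst)))
    return actions or [("drop", "no interface with a matching broadcast address")]


# Constructed topology: one access port with a DHCP relay target, two VLANs that
# share a configured broadcast address (as in the VLAN 100/101 illustration).
TE1 = Interface("Te 5/1/1", "192.168.5.0/24", helper_addresses=["10.9.9.9"])
TE2 = Interface("Te 5/1/2", "192.168.6.0/24")
VLAN100 = Interface("Vlan 100", "10.100.0.0/24", configured_broadcast="10.1.255.255")
VLAN101 = Interface("Vlan 101", "10.101.0.0/24", configured_broadcast="10.1.255.255")
ALL = [TE1, TE2, VLAN100, VLAN101]
PORT_LIST = {37, 137, 138}
```

Checking a proposed udp-port list against this model before deploying it is a cheap way to see which broadcast domains a given port will start leaking into; every port added to the list widens the set of interfaces that receive rewritten broadcasts.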
22 IPv6 Routing
Internet protocol version 6 (IPv6) is the successor to IPv4. Because of the rapid growth in internet users and connected devices, the IPv4 address space is close to exhaustion, and IPv6 is expected to replace IPv4 over time to allow for continued expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and of the Dell EMC Networking support for IPv6. This chapter is not intended to be a comprehensive description of IPv6.

● Prefix Renumbering — useful for transparently renumbering hosts in the network when an organization changes its service provider.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses from dynamic host configuration protocol (DHCP) servers through stateful autoconfiguration.
NOTE: Dell EMC Networking OS lets you add prefixes to Router Advertisements (RA) sent in response to Router Solicitations (RS).

● A command has been introduced to partition the LPM table to support provisioning of IPv6 /65 to /128 route prefixes. To support /65 to /128 IPv6 route prefix entries, Dell EMC Networking OS must be programmed with /65 to /128 IPv6 support, and the number of entries must be explicitly programmed, in 1K, 2K, or 3K granularity. On the system, IPv6 /65 to /128 prefixes consume the same storage banks that the L3_DEFIP table uses.
Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities. Routers understand the priority settings and handle them appropriately during conditions of congestion.
Hop Limit (8 bits)
The Hop Limit field shows the number of hops remaining for packet processing. In IPv4, this is known as the Time to Live (TTL) field, which is nominally defined in seconds rather than hops although in practice routers decrement it per hop. Each time the packet moves through a forwarding router, the Hop Limit decrements by 1. If a router receives a packet with a Hop Limit of 1, it decrements it to 0 (zero), discards the packet, and sends an ICMPv6 message back to the source indicating that the Hop Limit was exceeded in transit.

11    Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet's Source IP Address only if the Destination IP Address is not a multicast address.
The second byte contains the Option Data Length. The third-highest bit of the Option Type specifies whether the option data can change en route to the destination. The value is 1 if it can change; the value is 0 if it cannot change.
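The following is an added example, not code from the Dell EMC guide, that implements the two forwarding decisions described above: the Hop Limit check, and the handling of an unrecognized option based on the two high-order bits of the Option Type. The page shows only the "11" row of the option-type table; this example covers all four values as defined in RFC 8200 section 4.2, walks a Hop-by-Hop/Destination options block as TLVs (Pad1 has no length byte), and treats a truncated TLV as malformed. The option bytes and addresses are constructed sample input.

```python
import ipaddress

PAD1, PADN = 0, 1


def unknown_option_action(option_type, dst_ip):
    """RFC 8200 s4.2: what a node does with an option type it does not recognize.
    Returns (action, send_parameter_problem)."""
    action = option_type >> 6                      # two high-order bits
    multicast = ipaddress.IPv6Address(dst_ip).is_multicast
    if action == 0b00:
        return "skip", False                        # skip the option, keep processing
    if action == 0b01:
        return "discard", False                     # discard silently
    if action == 0b10:
        return "discard", True                      # Parameter Problem code 2, always
    return "discard", not multicast                 # 0b11: only for non-multicast dst


def option_may_change(option_type):
    """Third-highest bit: 1 if the option data may change en route (excluded from AH)."""
    return bool(option_type & 0x20)


def process_options(options, dst_ip, known=frozenset({PAD1, PADN})):
    """Walk an options block. Returns ('deliver', False, None) or
    ('discard', send_icmp, pointer) where pointer is the offending byte offset."""
    offset = 0
    while offset < len(options):
        opt_type = options[offset]
        if opt_type == PAD1:                        # single byte, no length field
            offset += 1
            continue
        if offset + 1 >= len(options):              # length byte missing: malformed
            return "discard", True, offset
        length = options[offset + 1]
        if offset + 2 + length > len(options):      # data runs past the block: malformed
            return "discard", True, offset
        if opt_type not in known:
            action, send_icmp = unknown_option_action(opt_type, dst_ip)
            if action == "discard":
                return "discard", send_icmp, offset
        offset += 2 + length
    return "deliver", False, None


def forward_hop_limit(hop_limit):
    """Return (forward, new_hop_limit, send_time_exceeded) for a transit packet."""
    if hop_limit <= 1:
        return False, 0, True
    return True, hop_limit - 1, False


if __name__ == "__main__":
    # Constructed: PadN(2) followed by unknown type 0xC2 (action bits 11) with 1 data byte.
    blob = bytes([PADN, 2, 0, 0, 0xC2, 1, 0])
    print(process_options(blob, "2001:db8::1"), process_options(blob, "ff02::1"))
```

The "send only to non-multicast destinations" rule is a deliberate amplification control: without it, one malformed multicast packet would draw an ICMPv6 error from every receiver. The same concern applies when you decide whether an edge device should generate Parameter Problem messages at all.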
Implementing IPv6 with Dell EMC Networking OS Dell EMC Networking OS supports both IPv4 and IPv6 and both may be used simultaneously in your system. ICMPv6 ICMP for IPv6 combines the roles of ICMP, IGMP and ARP in IPv4. Like IPv4, it provides functions for reporting delivery and forwarding errors, and provides a simple echo service for troubleshooting. The Dell EMC Networking OS implementation of ICMPv6 is based on RFC 4443.
IPv6 Neighbor Discovery The IPv6 neighbor discovery protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In place of address resolution protocol (ARP), NDP uses “Neighbor Solicitation” and “Neighbor Advertisement” ICMPv6 messages for determining relationships between neighboring nodes. Using these messages, an IPv6 device learns the link-layer addresses for neighbors known to reside on attached links, quickly purging cached values that become invalid.
The DNS server address must not be any of the following:
● link-local addresses
● loopback addresses
● prefix addresses
● multicast addresses
● invalid host addresses
If you specify one of these in the IPv6 RDNSS configuration, a DNS error is displayed.
Example for Configuring an IPv6 Recursive DNS Server
The following example configures an RDNSS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
Displaying IPv6 RDNSS Information To display IPv6 interface information, including IPv6 RDNSS information, use the show ipv6 interface command in EXEC or EXEC Privilege mode. Examples of Displaying IPv6 RDNSS Information The following example displays IPv6 RDNSS information. The output in the last 3 lines indicates that the IPv6 RDNSS was correctly configured on interface te 1/1/1.
Configuration Tasks for IPv6
The following are configuration tasks for the IPv6 protocol.
● Adjusting Your CAM-Profile
● Assigning an IPv6 Address to an Interface
● Assigning a Static IPv6 Route
● Configuring Telnet with IPv6
● SNMP over IPv6
● Showing IPv6 Information
● Clearing IPv6 Routes
Adjusting Your CAM-Profile
Although adjusting your CAM-profile is not a mandatory step, if you plan to implement IPv6 ACLs, adjust your CAM settings. The CAM space is allotted in FP blocks.
You can configure up to two IPv6 addresses on management interfaces, allowing required default router support on the management port that is acting as host, per RFC 4861. Data ports support more than two IPv6 addresses. When you configure IPv6 addresses on multiple interfaces (the ipv6 address command) and verify the configuration (the show ipv6 interfaces command), the same link local (fe80) address is displayed for each IPv6 interface. ● Enter the IPv6 Address for the device.
○ mask: prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing. SNMP over IPv6 You can configure SNMP over IPv6 transport so that an IPv6 host can perform SNMP queries and receive SNMP notifications from a device running Dell EMC Networking OS IPv6. The Dell EMC Networking OS SNMP-server commands for IPv6 have been extended to support IPv6.
○ For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. ○ For a port channel interface, enter the keywords port-channel then a number. ○ For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
connected 5 0 static 0 0 Total 5 0 The following example shows the show ipv6 route command.
Clearing IPv6 Routes To clear routes from the IPv6 routing table, use the following command. ● Clear (refresh) all or a specific route from the IPv6 routing table. EXEC mode clear ipv6 route {* | ipv6 address prefix-length} ○ *: all routes. ○ ipv6 address: the format is x:x:x:x::x. ○ mask: the prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:).
POLICY LIST CONFIGURATION mode
router-preference maximum {high | low | medium}
10. Set the router lifetime.
POLICY LIST CONFIGURATION mode
router-lifetime value
The router lifetime range is from 0 to 9,000 seconds.
11. Apply the policy to trusted ports.
POLICY LIST CONFIGURATION mode
trusted-port
12. Set the maximum transmission unit (MTU) value.
POLICY LIST CONFIGURATION mode
mtu value
13. Set the advertised reachability time.
23 iSCSI Optimization
This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.

message. This does not mean that the maximum number of supported iSCSI sessions has been reached. Also, the number of iSCSI sessions displayed on the system may be any number equal to or less than the maximum. The following illustration shows iSCSI optimization between servers and a storage array in which a stack of three switches connects installed servers (iSCSI initiators) to a storage array (iSCSI targets) in a SAN network.
Application of Quality of Service to iSCSI Traffic Flows You can configure iSCSI CoS mode. This mode controls whether CoS (dot1p priority) queue assignment and/or packet marking is performed on iSCSI traffic. When you enable iSCSI CoS mode, the CoS policy is applied to iSCSI traffic. When you disable iSCSI CoS mode, iSCSI sessions and connections are still detected and displayed in the status tables, but no CoS policy is applied to iSCSI traffic.
Detection and Auto-Configuration for Dell EqualLogic Arrays The iSCSI optimization feature includes auto-provisioning support with the ability to detect directly connected Dell EqualLogic storage arrays and automatically reconfigure the switch to enhance storage traffic flows. The switch uses the link layer discovery protocol (LLDP) to discover Dell EqualLogic devices on the network. LLDP is enabled by default. For more information about LLDP, refer to Link Layer Discovery Protocol (LLDP).
● Additional updates to connections (including aging updates) that are learned on VLT LAG members are synced to the peer.
● When an iSCSI login request is received on a non-VLT interface and the response arrives on a VLT interface, the session is not synced, because it was initially learned on a non-VLT interface from the request packet.
● The peer, which sees the login response packet, generates a new connection log of its own.
Table 47. iSCSI Optimization Defaults (continued) Parameter Default Value iSCSI optimization target ports iSCSI well-known ports 3260 and 860 are configured as default (with no IP address or name) but can be removed as any other configured target. iSCSI session monitoring Disabled. The CAM allocation for iSCSI is set to zero (0). iSCSI Optimization Prerequisites The following are iSCSI optimization prerequisites. ● iSCSI optimization requires LLDP on the switch.
To delete a specific IP address from the TCP port, use the no iscsi target port tcp-port-n ip-address address command to specify the address to be deleted. ● ip-address specifies the IP address of the iSCSI target. When you enter the no form of the command, and the TCP port you want to delete is one bound to a specific IP address, include the IP address value in the command.
● Display detailed information on active iSCSI sessions on the switch . To display detailed information on specified iSCSI session, enter the session’s iSCSI ID. show iscsi sessions detailed [session isid] ● Display all globally configured non-default iSCSI settings in the current Dell EMC Networking OS session. show run iscsi The following example shows the show iscsi command.
24 Intermediate System to Intermediate System
The intermediate system to intermediate system (IS-IS) protocol is a link-state routing protocol that uses a shortest-path-first algorithm. Dell EMC Networking supports both IPv4 and IPv6 versions of IS-IS.

Figure 59. ISO Address Format
Multi-Topology IS-IS
Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases. Use this feature to divide a single physical topology into logical routing domains, each of which can support different routing and security policies. All routers on a LAN or point-to-point link must have at least one common supported topology when operating in Multi-Topology IS-IS mode.
Graceful Restart Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change. Normally, when an IS-IS router is restarted, temporary disruption of routing occurs due to events in both the restarting router and the neighbors of the restarting router.
● Computes routes to IPv6 destinations. ● Downloads IPv6 routes to the RTM for installing in the FIB. ● Accepts external IPv6 information and advertises this information in the PDUs. The following table lists the default IS-IS values. Table 48.
In IS-IS, neighbors form adjacencies only when they are same IS type. For example, a Level 1 router never forms an adjacency with a Level 2 router. A Level 1-2 router forms Level 1 adjacencies with a neighboring Level 1 router and forms Level 2 adjacencies with a neighboring Level 2 router. NOTE: Even though you enable IS-IS globally, enable the IS-IS process on an interface for the IS-IS process to exchange protocol information and form adjacencies. To configure IS-IS globally, use the following commands.
The default IS type is level-1-2. To change the IS type to Level 1 only or Level 2 only, use the is-type command in ROUTER ISIS mode. To view the IS-IS configuration, enter the show isis protocol command in EXEC Privilege mode or the show config command in ROUTER ISIS mode. DellEMC#show isis protocol IS-IS Router: System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.3233 47.0004.004d.
NOTE: When you do not enable transition mode, you do not have IPv6 connectivity between routers operating in single-topology mode and routers operating in multi-topology mode. 2. Exclude this router from other router’s SPF calculations. ROUTER ISIS AF IPV6 mode set-overload-bit 3. Set the minimum interval between SPF calculations.
● Configure graceful restart timer T3 to set the overall maximum time the restarting router waits for database synchronization to complete.
ROUTER-ISIS mode
graceful-restart t3 {adjacency | manual seconds}
○ adjacency: the restarting router receives the remaining time value from its peer and adjusts its T3 value accordingly.
○ manual: allows you to specify a fixed value that the restarting router should use. The range is from 50 to 120 seconds.
LSP Interval: 33 Next IS-IS LAN Level-1 Hello in 4 seconds Next IS-IS LAN Level-2 Hello in 6 seconds LSP Interval: 33 Restart Capable Neighbors: 2, In Start: 0, In Restart: 0 DellEMC# Changing LSP Attributes IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary.
example, if you configure the metric as narrow, and a link state PDU (LSP) with wide metrics is received, the route is not installed. Dell EMC Networking OS supports the following IS-IS metric styles.
Table 49. Metric Styles
Metric Style    Characteristics                                                   Cost Range Supported on IS-IS Interfaces
narrow          Sends and accepts narrow or old TLVs (Type, Length, Value).      0 to 63
wide            Sends and accepts wide or new TLVs.                               0 to 16777215
transition      Sends both wide (new) and narrow (old) TLVs.
○ default-metric: the range is from 0 to 63 if the metric-style is narrow, narrow-transition, or transition. The range is from 0 to 16777215 if the metric style is wide or wide transition. ● Assign a metric for an IPv6 link or interface. INTERFACE mode isis ipv6 metric default-metric [level-1 | level-2] ○ default-metric: the range is from 0 to 63 for narrow and transition metric styles. The range is from 0 to 16777215 for wide metric styles. The default is 10. The default level is level-1.
LSPID            LSP Seq Num   LSP Checksum
B233.00-00       0x00000003    0x07BF
eljefe.00-00   * 0x00000009    0xF76A
eljefe.01-00   * 0x00000001    0x68DF
eljefe.02-00   * 0x00000001    0x2E7F
Force10.00-00    0x00000002    0xD1A7
IS-IS Level-2 Link State Database
LSPID            LSP Seq Num   LSP Checksum
B233.00-00       0x00000006    0xC38A
eljefe.00-00   * 0x0000000D    0x51C6
eljefe.01-00   * 0x00000001    0x68DF
eljefe.02-00   * 0x00000001    0x2E7F
Force10.
○ For a port channel interface, enter the keywords port-channel then a number. ○ For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. ● Apply a configured prefix list to all outgoing IPv4 IS-IS routes. ROUTER ISIS mode distribute-list prefix-list-name out [bgp as-number | connected | ospf process-id | rip | static] You can configure one of the optional parameters: ○ connected: for directly connected routes. ○ ospf process-id: for OSPF routes only. ○ rip: for RIP routes only.
Redistributing IPv4 Routes In addition to filtering routes, you can add routes from other routing instances or protocols to the IS-IS process. With the redistribute command syntax, you can include BGP, OSPF, RIP, static, or directly connected routes in the IS-IS process. NOTE: Do not route iBGP routes to IS-IS unless there are route-maps associated with the IS-IS redistribution. To add routes from other routing instances or protocols, use the following commands.
○ process-id: the range is from 1 to 65535.
○ level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
○ metric value: the range is from 0 to 16777215. The default is 0.
○ metric value: the range is from 0 to 16777215. The default is 0.
○ match external: the range is 1 or 2.
○ match internal
○ metric-type: external or internal.
○ map-name: name of a configured route map.
When the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2.
DellEMC#show isis database
IS-IS Level-1 Link State Database
LSPID            LSP Seq Num  LSP Checksum
B233.00-00       0x00000003   0x07BF
eljefe.00-00   * 0x0000000A   0xF963
eljefe.01-00   * 0x00000001   0x68DF
eljefe.02-00   * 0x00000001   0x2E7F
Force10.
To disable a specific debug command, enter the keyword no then the debug command. For example, to disable debugging of IS-IS updates, use the no debug isis updates-packets command. To disable all IS-IS debugging, use the no debug isis command. To disable all debugging, use the undebug all command.
IS-IS Metric Styles
The following sections provide additional information about the IS-IS metric styles.
Table 50. Metric Value When the Metric Style Changes (continued)
Beginning Metric Style | Final Metric Style | Resulting IS-IS Metric Value
show config and show running-config commands and is used if you change back to transition metric style.
NOTE: A truncated value is a value that is higher than 63, but set back to 63 because the higher value is not supported.
wide narrow transition default value (10) if the original value is greater than 63. A message is sent to the console.
Table 51. Metric Value when the Metric Style Changes Multiple Times (continued)
Beginning Metric Style | Next Metric Style | Resulting Metric Value | Next Metric Style | Final Metric Value
wide | transition | truncated value | narrow | default value (10). A message is sent to the logging buffer
wide transition | transition | truncated value | narrow transition | default value (10).
NOTE: Whenever you make IS-IS configuration changes, clear (restart) the IS-IS process using the clear isis command. The clear isis command must include the tag for the ISIS process. The following example shows the response from the router:
DellEMC#clear isis *
% ISIS not enabled.
DellEMC#clear isis 9999 *
You can configure IPv6 IS-IS routes in one of the following three different methods:
● Congruent Topology — You must configure both IPv4 and IPv6 addresses on the interface.
IS-IS Sample Configuration — Multi-topology
DellEMC(conf-if-te-3/17/1)#show config
!
interface TenGigabitEthernet 3/17/1
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
DellEMC(conf-if-te-3/17/1)#
DellEMC(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
25 In-Service Software Upgrade
This chapter deals with In-Service Software Upgrade (ISSU) and its dependencies.
Topics:
• ISSU Introduction
• Fastboot 2.0 (Zero Loss Upgrade)
• L2 ISSU
• L3 ISSU
• CoPP
• Mirroring flow control packets
• PFC
• QoS
• Tunnel Configuration
ISSU Introduction
In-service software upgrades (ISSU), also known as warmboot or fastboot 2.0, allow Dell EMC Networking to address software bugs and add new features to switches and routers without interrupting network availability.
L2 ISSU
This section deals with L2 ISSU related information. The following changes are required by ISSU for L2:
LACP Long Timeout
If the LACP protocol is running on an interface, the user needs to have the LACP long timeout configured; if the LACP short timeout is configured, ISSU will not take place.
Spanning Tree
When spanning tree is enabled, the user needs to have BPDU guard configured on the interfaces.
The user will need to configure the boot-type to warmboot under the reload-type configuration mode. Warmboot is a system reload technique in which the NPU is not restarted. Only the CPU is restarted to bring up the upgraded software. Software upgrade (ISSU) is the typical use case for warmboot. Since the BCM chip is already up and running while the software is restarted, there should not be any traffic outage during warmboot.
26 Link Aggregation Control Protocol (LACP)
A link aggregation group (LAG), referred to as a port channel by the Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic.
● You can configure link dampening on individual members of a LAG.
LACP Modes
Dell EMC Networking OS provides three modes for configuration of LACP — Off, Active, and Passive.
● Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state.
● Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state.
Creating a LAG
To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces.
● Create a dynamic port channel (LAG).
CONFIGURATION mode
interface port-channel
● Create a dynamic port channel (LAG).
CONFIGURATION mode
switchport
DellEMC(conf)#interface port-channel 32
DellEMC(conf-if-po-32)#no shutdown
DellEMC(conf-if-po-32)#switchport
The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command on the LAG.
NOTE: The 30-second timeout is available for dynamic LAG interfaces only. You can enter the lacp long-timeout command for static LAGs, but it has no effect.
To configure LACP long timeout, use the following command.
● Set the LACP timeout value to 30 seconds.
Figure 61. Shared LAG State Tracking To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). Dell EMC Networking OS has the ability to bring LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group.
Figure 62. Configuring Shared LAG State Tracking
The following are shared LAG state tracking console messages:
● 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 1
● 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2
To view the status of a failover group member, use the show interface port-channel command.
LACP Basic Configuration Example
The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names.
Figure 63. LACP Basic Configuration Example
Configure a LAG on ALPHA
The following example creates a LAG on ALPHA.
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics
     136 packets, 16718 bytes, 0 underruns
     0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     136 Multicasts, 0 Broadcasts, 0 Unicasts
     0 Vlans, 0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
     Input 00.00 Mbits/sec,0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec,0 packets/sec, 0.
Figure 65.
Figure 66.
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int tengig 3/21/1
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-te-3/21/1)#port-channel-protocol lacp
Bravo(conf-if-te-3/21/1-lacp)#port-channel 10 mode active
Bravo(conf-if-te-3/21/1-lacp)#no shut
Bravo(conf-if-te-3/21/1)#end
!
interface TenGigabitEthernet 3/21/1
 no ip addre
Figure 67.
Figure 68.
Figure 69. Inspecting the LAG Status Using the show lacp command
The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
27 Layer 2
This chapter describes the Layer 2 features supported on the device.
Topics:
• Manage the MAC Address Table
• MAC Learning Limit
• Disabling MAC Address Learning on the System
• Enabling port security
• NIC Teaming
• Configure Redundant Pairs
• Far-End Failure Detection
Manage the MAC Address Table
You can perform the following management tasks in the MAC address table.
The range is from 10 to 1000000.
Configuring a Static MAC Address
A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command.
● Create a static MAC address entry in the MAC address table.
CONFIGURATION mode
mac-address-table static
Displaying the MAC Address Table
To display the MAC address table, use the following command.
● Display the contents of the MAC address table.
Setting the MAC Learning Limit
To set a MAC learning limit on an interface, use the following command.
● Specify the number of MAC addresses that the system can learn off a Layer 2 interface.
INTERFACE mode
mac learning-limit address_limit
Three options are available with the mac learning-limit command:
○ dynamic
○ no-station-move
○ station-move
NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations.
mac learning-limit no-station-move
The no-station-move option, also known as “sticky MAC,” provides additional port security by preventing a station move. When you configure this option, the first entry in the table is maintained instead of creating an entry on the new interface. no-station-move is the default behavior. Entries created before you set this option are not affected.
To display a list of all interfaces with a MAC learning limit, use the following command.
● Display a list of all of the interfaces configured with MAC learning limit or station move violation.
CONFIGURATION mode
show mac learning-limit violate-action
NOTE: When the MAC learning limit (MLL) is configured as no-station-move, the MLL is processed as static entries internally. For static entries, the MAC address is installed in all port-pipes, irrespective of the VLAN membership.
mac port-security
NIC Teaming
NIC teaming is a feature that allows multiple network interface cards in a server to be represented by one MAC address and one IP address in order to provide transparent redundancy, balancing, and to fully utilize network adapter resources. The following illustration shows a topology where two NICs have been teamed together. In this case, if the primary NIC fails, traffic switches to the secondary NIC because they are represented by the same set of addresses.
Figure 70.
Figure 71. Configuring the mac-address-table station-move refresh-arp Command
Configure Redundant Pairs
Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 72. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
02:28:04: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 1/12/1
02:28:04: %RPM0-P:CP %IFMGR-5-STATE_ACT_STBY: Changed interface state to standby: te 1/13/1
Example of Configuring Redundant Layer 2 Pairs
DellEMC(conf-if-range-te-1/11/1-1/11/2)#switchport backup interface TenGigabitEthernet 1/11/1
DellEMC(conf-if-range-te-1/11/1-1/11/2)#show config
!
interface TenGigabitEthernet 1/11/1
 no ip address
 switchport
 switchport backup interface TenGigabitEthernet 1/11/2
 no shutdown
!
interface Te
Far-End Failure Detection
Far-end failure detection (FEFD) is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis. Disabling the global FEFD configuration does not disable the interface configuration.
Figure 73.
5. If the FEFD system has been set to Aggressive mode and neighboring echoes are not received after three intervals, the state changes to Err-disabled. You must manually reset all interfaces in the Err-disabled state using the fefd reset [interface] command in EXEC privilege mode (it can be done globally or one interface at a time) before the FEFD enabled system can become operational again. Table 53.
To display information about the state of each interface, use the show fefd command in EXEC privilege mode.
DellEMC#show fefd
FEFD is globally 'ON', interval is 3 seconds, mode is 'Normal'.
Debugging FEFD
To debug FEFD, use the first command. To provide output for each packet transmission over the FEFD enabled connection, use the second command.
● Display output whenever events occur that initiate or disrupt an FEFD enabled connection.
EXEC Privilege mode
debug fefd events
● Provide output for each packet transmission over the FEFD enabled connection.
28 Link Layer Discovery Protocol (LLDP)
This chapter describes how to configure and use the link layer discovery protocol (LLDP).
Topics:
• 802.
Figure 74. Type, Length, Value (TLV) Segment TLVs are encapsulated in a frame called an LLDP data unit (LLDPDU) (shown in the following table), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements. There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs.
Optional TLVs
The Dell EMC Networking OS supports these optional TLVs: management TLVs, IEEE 802.1 and 802.3 organizationally specific TLVs, and TIA-1057 organizationally specific TLVs.
Management TLVs
A management TLV is an optional TLV sub-type. This kind of TLV contains essential management information about the sender.
Organizationally Specific TLVs
A professional organization or a vendor can define organizationally specific TLVs.
Table 55. Optional TLV Types (continued)
Type | TLV | Description
port belongs (and the untagged VLAN to which a port belongs if the port is in Hybrid mode).
127 | Protocol Identity | Indicates the protocols that the port can process. Dell EMC Networking OS does not currently support this TLV.
127 | MAC/PHY Configuration/Status | Indicates the capability and current setting of the duplex status and bit rate, and whether the current settings are the result of auto-negotiation.
Table 56. TIA-1057 (LLDP-MED) Organizationally Specific TLVs
Type | SubType | TLV | Description
127 | 1 | LLDP-MED Capabilities | Indicates:
● whether the transmitting device supports LLDP-MED
● what LLDP-MED TLVs it supports
● LLDP device class
127 | 2 | Network Policy | Indicates the application type, VLAN ID, Layer 2 Priority, and DSCP value.
LLDP-MED Capabilities TLV
The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
● The value of the LLDP-MED capabilities field in the TLV is a 2–octet bitmap, each bit represents an LLDP-MED capability (as shown in the following table).
● The possible values of the LLDP-MED device type are shown in the following.
An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED network policy TLV is generated for each application type that you specify with the Dell EMC Networking OS CLI (Advertising TLVs).
● Viewing Information Advertised by Adjacent LLDP Agents
● Configuring LLDPDU Intervals
● Configuring Transmit and Receive Mode
● Configuring a Time to Live
● Debugging LLDP
Important Points to Remember
● LLDP is enabled by default.
● Dell EMC Networking systems support up to eight neighbors per interface.
● Dell EMC Networking systems support a maximum of 8000 total neighbors per system. If the number of interfaces multiplied by eight exceeds the maximum, the system does not configure more than 8000.
Enabling LLDP
LLDP is enabled by default. Enable and disable LLDP globally or per interface. If you enable LLDP globally, all UP interfaces send periodic LLDPDUs. To enable LLDP, use the following command.
1. Enter Protocol LLDP mode.
CONFIGURATION or INTERFACE mode
protocol lldp
2. Enable LLDP.
PROTOCOL LLDP mode
no disable
Disabling and Undoing LLDP
To disable or undo LLDP, use the following command.
● Disable LLDP globally or for an interface.
Advertising TLVs
You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces.
● If you configure the system globally, all interfaces send LLDPDUs with the specified TLVs.
● If you configure an interface, only the interface sends LLDPDUs with the specified TLVs.
● If you configure LLDP both globally and at interface level, the interface level configuration overrides the global configuration.
To advertise TLVs, use the following commands.
1. Enter LLDP mode.
Storing and Viewing Unrecognized LLDP TLVs
Dell EMC Networking OS provides support to store unrecognized (reserved and organizationally specific) LLDP TLVs. Support is also extended to retrieve the stored unrecognized TLVs using SNMP. When an incoming TLV from an LLDP neighbor is not recognized, the TLV is categorized as an unrecognized TLV. Unrecognized TLVs are categorized into two types:
1. Reserved unrecognized LLDP TLV
2.
CONFIGURATION or INTERFACE mode
show config
The following example shows viewing an LLDP global configuration.
Remote Chassis ID Subtype: Mac address (4)
Remote Chassis ID: d8:9e:f3:b2:61:20
Remote Port Subtype: Interface name (5)
Remote Port ID: ethernet1/1/23
Remote Port Description: ethernet1/1/23
Local Port ID: ManagementEthernet 1/1
Locally assigned remote Neighbor Index: 2
Remote TTL: 120
Information valid for next 94 seconds
Time since last information change of this neighbor: 5d5h9m
Remote MTU: 1532
Remote System Name: swlab2-maa-tor-C4
Remote Management Address (IPv4): 100.104.70.
Remote Chassis ID Subtype: Mac address (4)
Remote Chassis ID: 00:00:00:00:00:01
Remote Port Subtype: Interface name (5)
Remote Port ID: TenGigabitEthernEt 1/40
Local Port ID: FortyGigE 1/1/1
Locally assigned remote Neighbor Index: 1
Remote TTL: 120
Information valid for next 44 seconds
Time since last information change of this neighbor: 00:01:16
UnknownTLVList: ( 9, 4) ( 10, 4) ( 11, 4) ( 12, 4) ( 13, 4) ( 14, 4) ( 15, 4) ( 19, 4) ( 20, 4) ( 21, 4) ( 22, 4) ( 23, 4) ( 24, 4) ( 25, 4) ( 29, 4) ( 30, 4) ( 31
OrgUnknownTLVList: ((00-01-66),127, 4) ((00-01-66),126, 4) ((00-01-66),125, 4) ((00-01-66),124, 4) ((00-01-66),123, 4) ((00-01-66),122, 4) ((00-01-66),121, 4) ((00-01-66),120, 4) ((00-01-66),119, 4) ((00-01-66),118, 4)
---------------------------------------------------------------------------
Remote Chassis ID Subtype: Mac address (4)
Remote Chassis ID: 4c:76:25:f4:ab:03
Remote Port Subtype: Interface name (5)
Remote Port ID: fortyGigE 1/2/8/1
Local Port ID: FortyGigE 1/1/2
Locally assigned
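As an added example (not Dell EMC Networking OS code), the following Python parser walks the TLVs of an LLDPDU and sorts them into the same buckets the output above lists: the basic types by name, reserved types 9 to 126 as (type, length) pairs, and type 127 entries as (OUI, subtype, length). The frame it parses is constructed, not a capture; a TLV whose declared length overruns the frame is flagged rather than trusted, since an LLDP neighbor cannot be authenticated.

```python
"""Classify the TLVs of an LLDPDU the way the neighbor output on this page
lists them. Header layout per IEEE 802.1AB: 7-bit type, 9-bit length, value."""
import struct

BASIC_TLV_NAMES = {
    0: "End of LLDPDU",
    1: "Chassis ID",
    2: "Port ID",
    3: "Time To Live",
    4: "Port Description",
    5: "System Name",
    6: "System Description",
    7: "System Capabilities",
    8: "Management Address",
}
ORG_SPECIFIC = 127  # organizationally specific TLV: value = OUI(3) + subtype(1) + data


def tlv(tlv_type, value):
    """Build one TLV: 7-bit type and 9-bit length packed big-endian."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data):
    """Walk the TLV list and return the known / unknown / org_unknown buckets.

    Stops at the End-of-LLDPDU TLV. A TLV whose declared length runs past the
    end of the frame, a type-127 TLV too short to hold OUI and subtype, or a
    trailing partial header is reported under 'malformed' instead of being
    accepted, because the sender is an unauthenticated neighbor.
    """
    result = {"known": [], "unknown": [], "org_unknown": [], "malformed": []}
    offset = 0
    while offset + 2 <= len(data):
        header, = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):
            result["malformed"].append((tlv_type, length))
            break
        value = data[offset:offset + length]
        offset += length
        if tlv_type == 0:
            break  # End of LLDPDU
        if tlv_type in BASIC_TLV_NAMES:
            result["known"].append((BASIC_TLV_NAMES[tlv_type], value))
        elif tlv_type == ORG_SPECIFIC:
            if length < 4:  # OUI (3 octets) + subtype (1 octet) are mandatory
                result["malformed"].append((tlv_type, length))
                continue
            oui = "-".join(f"{b:02x}" for b in value[:3])
            result["org_unknown"].append((oui, value[3], length))
        else:
            # reserved type 9-126: kept as (type, length) like UnknownTLVList
            result["unknown"].append((tlv_type, length))
    else:
        if offset != len(data):
            result["malformed"].append(("trailing bytes", len(data) - offset))
    return result


def sample_lldpdu():
    """Constructed LLDPDU (not a capture): the mandatory TLVs, one reserved
    TLV of type 9 and one OUI 00-01-66 TLV, as in the output on this page."""
    return b"".join([
        tlv(1, b"\x04" + bytes.fromhex("000000000001")),  # Chassis ID, MAC subtype 4
        tlv(2, b"\x05" + b"TenGigabitEthernet 1/40"),     # Port ID, interface name subtype 5
        tlv(3, struct.pack("!H", 120)),                    # TTL 120 seconds
        tlv(9, b"\xde\xad\xbe\xef"),                       # reserved type 9, length 4
        tlv(127, bytes.fromhex("000166") + b"\x7f"),       # OUI 00-01-66, subtype 127, length 4
        tlv(0, b""),                                       # End of LLDPDU
    ])


def format_unknown_lists(parsed):
    """Render the unrecognized TLVs in the shape of the page's output."""
    unknown = " ".join(f"( {t}, {l})" for t, l in parsed["unknown"])
    org = " ".join(f"(({oui}),{sub}, {l})" for oui, sub, l in parsed["org_unknown"])
    return f"UnknownTLVList: {unknown}\nOrgUnknownTLVList: {org}"


if __name__ == "__main__":
    print(format_unknown_lists(parse_lldpdu(sample_lldpdu())))
```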
Before implementation of this feature, notification messages were not throttled. After implementation, the system throttles the LLDP notification messages by 5 seconds (default) or as configured by the user. lldpNotificationInterval can be configured through three methods:
● CLI — Through the snmp-notification-interval CLI.
○ Example: snmp-notification-interval [5–3600]
● SNMP — Through the snmpset command.
○ Example: snmpset -c public -v2c 10.16.127.10 LLDP-MIB::lldpNotificationInterval.
Configuring the Time to Live Value
The information received from a neighbor expires after a specific amount of time (measured in seconds) called a time to live (TTL). The TTL is the product of the LLDPDU transmit interval (hello) and an integer called a multiplier. The default multiplier is 4, which results in a default TTL of 120 seconds.
● Adjust the TTL value.
CONFIGURATION mode or INTERFACE mode.
multiplier
● Return to the default multiplier value.
CONFIGURATION mode or INTERFACE mode.
Figure 80. The debug lldp detail Command — LLDPDU Packet Dissection
Example of debug lldp Command Output with Unrecognized Reserved and Organizational Specific LLDP TLVs
The following is an example of an LLDPDU with both (Reserved and Organizational specific) unrecognized TLVs.
Table 60. LLDP Configuration MIB Objects
MIB Object Category | LLDP Variable | LLDP MIB Object | Description
LLDP Configuration | adminStatus | lldpPortConfigAdminStatus | Whether you enable the local LLDP agent for transmit, receive, or both.
 | msgTxHold | lldpMessageTxHoldMultiplier | Multiplier value.
 | msgTxInterval | lldpMessageTxInterval | Transmit Interval value.
 | rxInfoTTL | lldpRxInfoTTL | Time to live for received TLVs.
 | txInfoTTL | lldpTxInfoTTL | Time to live for transmitted TLVs.
Table 61.
Table 62. LLDP 802.1 Organizationally specific TLV MIB Objects (continued)
TLV Type | TLV Name | TLV Variable | System | LLDP MIB Object
 | | VLAN name length | Local | lldpXdot1LocVlanName
 | | | Remote | lldpXdot1RemVlanName
 | | VLAN name | Local | lldpXdot1LocVlanName
 | | | Remote | lldpXdot1RemVlanName
Table 63.
29 Microsoft Network Load Balancing
Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
Limitations of the NLB Feature
The following limitations apply to switches on which you configure NLB:
● The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN. When a large volume of traffic is processed, the clustering performance might be impacted in a small way. This limitation is applicable to switches that perform unicast flooding in the software.
● The ip vlan-flooding command applies globally across the system and for all VLANs.
There might be some ARP table entries that are resolved through ARP packets, which had the Ethernet MAC SA different from the MAC information inside the ARP packet. This unicast data traffic flooding occurs only for those packets that use these ARP entries.
Enabling a Switch for Multicast NLB
To enable a switch for Multicast NLB mode, perform the following steps:
1.
30 Multicast Source Discovery Protocol (MSDP)
Multicast source discovery protocol (MSDP) is supported on Dell EMC Networking OS.
Protocol Overview
MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 82.
Implementation Information
The Dell EMC Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446.
Configure Multicast Source Discovery Protocol
Configuring MSDP is a four-step process.
1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures. The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 83.
Figure 84.
Figure 85.
Figure 86. Configuring MSDP
Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1. Enable MSDP.
CONFIGURATION mode
ip multicast-msdp
2. Peer PIM systems in different administrative domains.
CONFIGURATION mode
ip msdp peer connect-source
R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
R3#show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.
CONFIGURATION mode
clear ip msdp sa-cache [group-address | local | rejected-sa]
Enabling the Rejected Source-Active Cache
To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error.
● Cache rejected sources.
Figure 87.
Figure 88.
Figure 89. MSDP Default Peer, Scenario 4
Specifying Source-Active Messages
To specify messages, use the following command.
● Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check.
CONFIGURATION mode
ip msdp default-peer ip-address list
If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
DellEMC(conf)#ip msdp peer 10.0.50.
DellEMC#ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime    GroupAddr    SourceAddr   RPAddr      LearnedFrom  Reason
00:33:18  229.0.50.64  24.0.50.64   200.0.1.50  10.0.50.2    Rpf-Fail
00:33:18  229.0.50.65  24.0.50.65   200.0.1.50  10.0.50.2    Rpf-Fail
00:33:18  229.0.50.66  24.0.50.66   200.0.1.50  10.0.50.2    Rpf-Fail
Limiting the Source-Active Messages from a Peer
To limit the source-active messages from a peer, use the following commands.
1.
Preventing MSDP from Caching a Remote Source
To prevent MSDP from caching a remote source, use the following commands.
1. OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
CONFIGURATION mode
ip msdp cache-rejected-sa
2. Prevent the system from caching remote sources learned from a specific peer based on source and group.
CONFIGURATION mode
ip msdp sa-filter list out peer list ext-acl
As shown in the following example, R1 is advertising source 10.11.4.2.
GroupAddr  SourceAddr  RPAddr       LearnedFrom  Expire  UpTime
239.0.0.1  10.11.4.2   192.168.0.1  local        70      00:27:20
R3(conf)#do show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr  SourceAddr  RPAddr       LearnedFrom  Expire  UpTime
239.0.0.1  10.11.4.2   192.168.0.1  192.168.0.1  1       00:10:29
[Router 3]
R3(conf)#do show ip msdp sa-cache
R3(conf)#
To display the configured SA filters for a peer, use the show ip msdp peer command from EXEC Privilege mode.
clear ip msdp peer peer-address
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.3(639) Connect Source: Lo 0
State: Established Up/Down Time: 00:04:26
Timers: KeepAlive 30 sec, Hold time 75 sec
SourceActive packet count (in/out): 5/0
SAs learned from this peer: 0
SA Filtering:
Input (S,G) filter: myremotefilter
Output (S,G) filter: none
R3(conf)#do clear ip msdp peer 192.168.0.1
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 0.0.0.
1. All the RPs serving a given group are configured with an identical anycast address.
2. Sources then register with the topologically closest RP.
3. RPs use MSDP to peer with each other using a unique address.
Figure 90. MSDP with Anycast RP
Configuring Anycast RP
To configure anycast RP, use the following commands.
1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address.
CONFIGURATION mode
interface loopback
2.
ip msdp peer
5. Advertise the network of each of the unique Loopback addresses throughout the network.
ROUTER OSPF mode
network
Reducing Source-Active Message Flooding
RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RPF rule. You can prevent this unnecessary flooding by creating a mesh-group.
 ip msdp peer 192.168.0.22 connect-source Loopback 1
 ip msdp mesh-group AS100 192.168.0.22
 ip msdp originator-id Loopback 1
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
The following example shows an R2 configuration for MSDP with Anycast RP.
ip multicast-routing
!
interface TenGigabitEthernet 2/1/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface TenGigabitEthernet 2/11/1
 ip pim sparse-mode
 ip address 10.11.1.
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.22 remote-as 100
 neighbor 192.168.0.22 ebgp-multihop 255
 neighbor 192.168.0.22 update-source Loopback 0
 neighbor 192.168.0.22 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.11 connect-source Loopback 0
ip msdp peer 192.168.0.
MSDP Sample Configuration: R2 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 1/1/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface TenGigabitEthernet 1/11/1
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface TenGigabitEthernet 1/31/1
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.2 remote-as 100
 neighbor 192.168.0.2 ebgp-multihop 255
 neighbor 192.168.0.2 update-source Loopback 0
 neighbor 192.168.0.2 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.1 connect-source Loopback 0
!
ip route 192.168.0.2/32 10.11.0.23
MSDP Sample Configuration: R4 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 1/1/1
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
!
interface TenGigabitEthernet 1/22/1
 ip address 10.10.42.
31 Multiple Spanning Tree Protocol (MSTP)
Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.
Protocol Overview
MSTP — specified in IEEE 802.
• Modifying Global Parameters
• Modifying the Interface Parameters
• Setting STP path cost as constant
• Configuring an EdgePort
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations
Spanning Tree Variations
The Dell EMC Networking OS supports four variations of spanning tree, as shown in the following table.
Table 64. Spanning Tree Variations
Dell EMC Networking Term | IEEE Specification
Spanning Tree Protocol (STP) | 802.
● Enabling SNMP Traps for Root Elections and Topology Changes
● Configuring Spanning Trees as Hitless
Enable Multiple Spanning Tree Globally
MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0.
● Within an MSTI, only one path from any bridge to any other bridge is enabled.
MSTI 1 VLAN 100
MSTI 2 VLAN 200-300
All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
Designated port id is 128.384, designated path cost 20000
Number of transitions to forwarding state 1
BPDU (MRecords): sent 39291, received 7547
The port is not in the Edge port mode
Influencing MSTP Root Selection
MSTP determines the root bridge, but you can assign one bridge a lower bridge-priority value (the lowest value wins) to increase the probability that it becomes the root bridge. To change the bridge priority, use the following command.
● Assign a number as the bridge priority.
PROTOCOL MSTP mode
revision number
To view the current region name and revision, use the show spanning-tree mst configuration command from EXEC Privilege mode.
DellEMC(conf-mstp)#name my-mstp-region
DellEMC(conf-mstp)#exit
DellEMC(conf)#do show spanning-tree mst config
MST region name: my-mstp-region
Revision: 0
MSTI VID
 1   100
 2   200-300
Modifying Global Parameters
The root bridge sets the values for forward-delay, hello-time, max-age, and max-hops and overwrites the values set on other MSTP bridges.
To view the current values for MSTP parameters, use the show running-config spanning-tree mstp command from EXEC privilege mode.
The range is from 0 to 240, in increments of 16. The default is 128. To view the current values for these interface parameters, use the show config command from INTERFACE mode.
Setting STP path cost as constant
You can set the path cost of a port-channel to a constant value, regardless of the operational status of the port-channel member ports. To set the STP path cost, use the port-channel path-cost custom command from PROTOCOL SPANNING-TREE mode.
 switchport
 spanning-tree mstp edge-port
 spanning-tree MSTI 1 priority 144
 no shutdown
DellEMC(conf-if-te-1/1/1)#
Flush MAC Addresses after a Topology Change
Dell EMC Networking OS has an optimized MAC address flush mechanism for RSTP, MSTP, and PVST+ that flushes addresses only when necessary, which allows for faster convergence during topology changes. However, you may activate the flushing mechanism defined by 802.
(Step 2)
interface TenGigabitEthernet 1/21/1
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 1/31/1
 no ip address
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 1/21/1,31/1
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 1/21/1,31/1
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 1/21/1,31/1
 no shutdown
Router 2 Running-Configuration
This example uses the following steps:
1.
 tagged TenGigabitEthernet 1/1/3/1,1/1/4/1
 no shutdown
(Step 1)
protocol spanning-tree mstp
 no disable
 name Tahiti
 revision 123
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
!
(Step 2)
interface TenGigabitEthernet 2/11/1
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 2/31/1
 no ip address
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 2/11/1,31/1
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 2/11/1,31/1
 no shutdown
!
interface
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 1/1/5/1,1/1/5/2
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 1/1/5/1,1/1/5/2
 no shutdown
(Step 1)
protocol spanning-tree mstp
 no disable
 name Tahiti
 revision 123
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
!
(Step 2)
interface TenGigabitEthernet 3/11/1
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 3/21/1
 no ip address
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged Ten
 switchport protected 0
 exit
interface 1/0/32
 no shutdown
 spanning-tree port mode enable
 switchport protected 0
 exit
(Step 3)
interface vlan 100
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 200
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 300
 tagged 1/0/31
 tagged 1/0/32
 exit
Debugging and Verifying MSTP Configurations
To debug and verify MSTP configurations, use the following commands.
● Display BPDUs.
  EXEC Privilege mode
  debug spanning-tree mstp bpdu
● Display MSTP-triggered topology change messages.
 revision 123
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
The following example shows viewing the debug log of a successful MSTP configuration.
DellEMC#debug spanning-tree mstp bpdu
MSTP debug bpdu is ON
DellEMC#
4w0d4h : MSTP: Sending BPDU on Te 2/21/1 :
ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x6e
CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0
Regional Bridge Id: 32768:0001.e806.
32 Multicast Features NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6. NOTE: Multicast routing is supported across default and non-default virtual routing and forwarding (VRFs).
Protocol | Ethernet Address
RIP      | 01:00:5e:00:00:09
NTP      | 01:00:5e:00:01:01
VRRP     | 01:00:5e:00:00:12
PIM-SM   | 01:00:5e:00:00:0d
● The Dell EMC Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm.
● Multicast is not supported on secondary IP addresses.
● If you enable multicast routing, egress Layer 3 ACLs are not applied to multicast data traffic, so an egress ACL cannot be relied on to filter multicast.
● Multicast traffic can be forwarded to a maximum of 15 VLANs with the same outgoing interface.
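The addresses in the table follow from the RFC 1112 mapping rule, and that rule carries a caveat worth keeping in mind when reading Layer 2 forwarding or snooping tables: only the low-order 23 bits of the group address reach the MAC, so 32 IPv4 groups share each destination MAC and any decision made purely at Layer 2 cannot tell them apart. The following Python script is an added example, not Dell code. It derives the MAC for a group, lists the groups that collide with it, and, going beyond the table, applies the analogous 33:33 rule for IPv6 (RFC 2464) that the MLD chapter later depends on. The group list in the main block is constructed from the table above.

```python
import ipaddress


def ipv4_multicast_mac(group):
    """RFC 1112 section 6.4: 01:00:5e followed by the low-order 23 bits of the group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def ipv4_colliding_groups(group):
    """All 32 IPv4 groups that map to the same MAC as `group`.

    A class D address is the fixed prefix 1110 plus 28 bits; only 23 of those
    reach the MAC, so the 5 bits at positions 23..27 are lost in the mapping.
    """
    base = int(ipaddress.IPv4Address(group)) & 0xE07FFFFF  # keep 1110 + low 23 bits
    return [str(ipaddress.IPv4Address(base | (i << 23))) for i in range(32)]


def ipv6_multicast_mac(group):
    """RFC 2464 section 7: 33:33 followed by the low-order 32 bits of the group."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = int(addr) & 0xFFFFFFFF
    return "33:33:%02x:%02x:%02x:%02x" % (
        low32 >> 24, (low32 >> 16) & 0xFF, (low32 >> 8) & 0xFF, low32 & 0xFF)


def mac_table(groups):
    """Group -> MAC for a list of IPv4 groups, reproducing the table above."""
    return {g: ipv4_multicast_mac(g) for g in groups}


if __name__ == "__main__":
    # Constructed list of the well-known groups behind the table above.
    for g, mac in mac_table(["224.0.0.9", "224.0.1.1", "224.0.0.18", "224.0.0.13"]).items():
        print(f"{g:<14} {mac}")
    print("groups sharing the PIM-SM MAC:", ", ".join(ipv4_colliding_groups("224.0.0.13")[:4]), "...")
    print("ff02::1 ->", ipv6_multicast_mac("ff02::1"))
```

A practical consequence: a host that joins 239.128.0.13 is programmed with the same MAC filter as the PIM-SM control group 224.0.0.13, and a switch snooping only on MAC addresses forwards both streams to it. Filtering that has to distinguish groups must happen at Layer 3.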
● Limit the total number of multicast routes on the system.
  CONFIGURATION mode
  ip multicast-limit
  The range is from 1 to . The default is 4000.
NOTE: The IN-L3-McastFib CAM partition stores multicast routes and is a separate hardware limit that exists per port-pipe. The two limits are independent: the configured limit can be reached while the CAM partition still has free entries, and the CAM partition can be exhausted before the system-wide limit set with the ip multicast-limit command is reached.
Figure 93. Preventing a Host from Joining a Group
The following table lists the location and description shown in the previous illustration.
Table 66. Preventing a Host from Joining a Group — Description
Location: 1/21/1
  Interface TenGigabitEthernet 1/21/1
  ip pim sparse-mode
  ip address 10.11.12.1/24
  no shutdown
Location: 1/31/1
  Interface TenGigabitEthernet 1/31/1
  ip pim sparse-mode
  ip address 10.11.13.
Table 66. Preventing a Host from Joining a Group — Description (continued)
Location: 2/11/1
  Interface TenGigabitEthernet 2/11/1
  ip pim sparse-mode
  ip address 10.11.12.2/24
  no shutdown
Location: 2/31/1
  Interface TenGigabitEthernet 2/31/1
  ip pim sparse-mode
  ip address 10.11.23.1/24
  no shutdown
Location: 3/1/1
  Interface TenGigabitEthernet 3/1/1
  ip pim sparse-mode
  ip address 10.11.5.1/24
  no shutdown
Location: 3/11/1
  Interface TenGigabitEthernet 3/11/1
  ip pim sparse-mode
  ip address 10.
multicast traffic flows only from the RP to the receivers. Once a receiver receives traffic from the RP, PIM-SM switches to the SPT to forward multicast traffic, which connects the receiver directly to the source. You can configure PIM to switch over to the SPT when the router receives multicast packets at or beyond a specified rate.
Table 67.
Figure 94. Preventing a Source from Transmitting to a Group
The following table lists the location and description shown in the previous illustration.
Table 68. Preventing a Source from Transmitting to a Group — Description
Location: 1/21/1
  Interface TenGigabitEthernet 1/21/1
  ip pim sparse-mode
  ip address 10.11.12.1/24
  no shutdown
Location: 1/31/1
  Interface TenGigabitEthernet 1/31/1
  ip pim sparse-mode
  ip address 10.11.13.
Table 68. Preventing a Source from Transmitting to a Group — Description (continued)
Location: 2/11/1
  Interface TenGigabitEthernet 2/11/1
  ip pim sparse-mode
  ip address 10.11.12.2/24
  no shutdown
Location: 2/31/1
  Interface TenGigabitEthernet 2/31/1
  ip pim sparse-mode
  ip address 10.11.23.1/24
  no shutdown
Location: 3/1/1
  Interface TenGigabitEthernet 3/1/1
  ip pim sparse-mode
  ip address 10.11.5.
Understanding Multicast Traceroute (mtrace)
Multicast Traceroute (mtrace) is a multicast diagnostic facility used for tracing multicast paths. Mtrace enables you to trace the path that a multicast packet takes from its source to the destination. When you initiate mtrace from a source to a destination, an mtrace Query packet with IGMP type 0x1F is sent to the last-hop multicast router for the given destination. The mtrace query packet is forwarded hop-by-hop until it reaches the last-hop router.
● MTRACE Transit — when a Dell EMC Networking system is an intermediate router between the source and destination in an MTRACE query, Dell EMC Networking OS computes the RPF neighbor for the source, fills in the request, and forwards the request to the RPF neighbor. When a Dell EMC Networking system is the last hop to the destination, Dell EMC Networking OS sends a response to the query. To print the network path, use the following command.
Table 69. mtrace Command Output — Explained (continued)
Command Output | Description
From source (?) to destination (?) | If the provided source or destination IP address can be resolved to a hostname, the corresponding name is displayed. Where the IP address cannot be resolved, (?) is displayed.
0 1.1.1.1 --> Destination | The first row in the table corresponds to the destination provided by the user.
-1 1.1.1.1 PIM Reached RP/Core 103.103.103.
Table 70. Supported Error Codes (continued) Error Code Error Name Description 0x81 NO_SPACE There is not enough room to insert another response data block in the packet. mtrace Scenarios This section describes various scenarios that may result when an mtrace command is issued. The following table describes various scenarios when the mtrace command is issued: Table 71.
Table 71. Mtrace Scenarios (continued)
Scenario: You invoke a weak mtrace request by specifying only the source, without the multicast tree or multicast group information for that source. Mtrace traces a path towards the source by using the RPF neighbor at each node.
Output:
R1>mtrace 103.103.103.3
Type Ctrl-C to abort.
Querying reverse path for source 103.103.103.
Table 71. Mtrace Scenarios (continued)
Scenario: When you issue the mtrace command with the source and multicast group information and a multicast route is not present on a particular node, the NO ROUTE error code is displayed for that node. In this scenario, the Source Network/Mask column for that node displays the value default.
Table 71. Mtrace Scenarios (continued) Scenario Output ----------------------------------------------------------------- If the destination provided in the command is not a valid receiver for the multicast group, the last hop router for the destination provides the WRONG LAST HOP error code. If the last-hop router contains a path to the source, the path is traced irrespective of the incorrect destination.
Table 71. Mtrace Scenarios (continued) Scenario Output 0 1.1.1.1 --> Destination -1 * * * * ----------------------------------------------------------------Timed out receiving responses Perhaps no local router has a route for source, the receiver is not a member of the multicast group or the multicast ttl is too low. While traversing the path from source to destination, if the mtrace packet exhausts the maximum buffer size of the packet, then NO SPACE error is displayed in the output.
Table 71. Mtrace Scenarios (continued) Scenario Output Querying reverse path for source 6.6.6.6 to destination 4.4.4.5 via RPF From source (?) to destination (?) ---------------------------------------------------------------|Hop| OIF IP |Proto| Forwarding Code |Source Network/Mask| ---------------------------------------------------------------0 4.4.4.5 --> Destination -1 4.4.4.4 PIM 6.6.6.0/24 -2 20.20.20.2 PIM 6.6.6.0/24 -3 10.10.10.1 PIM RPF Interface 6.6.6.
33 Multicast Listener Discovery Protocol
Dell Networking OS supports the Multicast Listener Discovery (MLD) protocol. Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
Joining a Multicast Group The Querier periodically sends a General Query to the all-nodes multicast address FF02::1. A host that wants to join a multicast group responds to the general query with a report that contains the group address; the report is also addressed to the group (in the IPv6 Destination Address field). To avoid duplicate reporting, any host that hears a report from another host for the same group in which it itself is interested cancels its report for that group.
[Figure: MLDv2 Multicast Address Record layout, Source Address [1] through Source Address [N], each a 128-bit field]
Version 2 multicast listener reports are sent by IP nodes to report (to neighboring routers) the current multicast listening state, or changes in the multicast listening state, of their interfaces.
[Figure: MLDv2 Multicast Address Record layout (continued), Source Address [1] through Source Address [N] followed by the variable-length Auxiliary Data field]
a report when the timer expires. Increasing this value spreads host responses over a greater period of time, and so reduces response burstiness. To adjust the query response time, use the following command: INTERFACE Mode ipv6 mld query-max-resp-time Configuring MLD Version To configure MLD version on the system, follow this procedure: Select the MLD version INTERFACE Mode ipv6 mld version {1 | 2} If you do not configure the MLD version, the system defaults to version 2.
retransmissions. Lowering the Last Listener Query Interval reduces the time to detect that there are no remaining receivers for a group, and so can reduce the amount of unnecessarily forwarded traffic. To adjust the last-member query interval, use the following command: INTERFACE Mode ipv6 mld last-member-query-interval Displaying MLD groups table Display MLD groups. Group information can be filtered.
Enable MLD Snooping
MLD is automatically enabled when you enable IPv6 PIM, but MLD snooping must be explicitly enabled. To enable MLD snooping, use the following command:
CONFIGURATION Mode
ipv6 mld snooping enable
Disable MLD Snooping
When MLD snooping is enabled globally, it is by default enabled on all VLANs.
EXEC Privilege
show ipv6 mld snooping groups explicit
Display the MLD Snooping Table
1. To display the MLD snooping table, use the following command:
EXEC Privilege
show ipv6 mroute snooping vlan
2.
34 Object Tracking IPv4 or IPv6 object tracking is available on Dell EMC Networking OS. Object tracking allows the Dell EMC Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell EMC Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 95. Object Tracking Example
When you configure a tracked object, such as an IPv4 or IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
● UP and DOWN thresholds used to report changes in a route metric.
● A time delay before changes in a tracked object's state are reported to a client.
Track Layer 2 Interfaces
You can create an object to track the line-protocol state of a Layer 2 interface.
A tracked route matches a route in the routing table only if the exact address and prefix length match an entry in the routing table. For example, when configured as a tracked route, 10.0.0.0/24 does not match the routing table entry 10.0.0.0/8. If no route-table entry has the exact address and prefix length, the tracked route is considered to be DOWN.
VRRP Object Tracking As a client, VRRP can track up to 20 objects (including route entries, and Layer 2 and Layer 3 interfaces) in addition to the 12 tracked interfaces supported for each VRRP group. You can assign a unique priority-cost value from 1 to 254 to each tracked VRRP object or group interface. The priority cost is subtracted from the VRRP group priority if a tracked VRRP object is in a DOWN state.
show track object-id
DellEMC(conf)#track 100 interface tengigabitethernet 1/1/1 line-protocol
DellEMC(conf-track-100)#delay up 20
DellEMC(conf-track-100)#description San Jose data center
DellEMC(conf-track-100)#end
DellEMC#show track 100
Track 100
 Interface TenGigabitEthernet 1/1/1 line-protocol
 Description: San Jose data center
Tracking a Layer 3 Interface
You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface.
The following is an example of configuring object tracking for an IPv4 interface:
DellEMC(conf)#track 101 interface tengigabitethernet 1/2/1 ip routing
DellEMC(conf-track-101)#delay up 20
DellEMC(conf-track-101)#description NYC metro
DellEMC(conf-track-101)#end
DellEMC#show track 101
Track 101
 Interface TenGigabitEthernet 1/2/1 ip routing
 Description: NYC metro
The following is an example of configuring object tracking for an IPv6 interface:
DellEMC(conf)#track 103 interface tengigabitethernet 1/11/1 ipv6 r
○ For ISIS, you can set the resolution in the range from 1 to 1000, where the default is 10. ○ For OSPF, you can set the resolution in the range from 1 to 1592, where the default is 1. ○ The resolution value used to map static routes is not configurable. By default, Dell EMC Networking OS assigns a metric of 0 to static routes. ○ The resolution value used to map RIP routes is not configurable. The RIP hop-count is automatically multiplied by 16 to scale it.
Track 105
 IPv6 route 1234::/64 reachability
 Description: Headquarters
 Reachability is Down (route not in route table)
 2 changes, last change 00:03:03
Configuring track reachability refresh interval
For a route tracked for reachability, if there is no ARP entry for the next-hop address, or the next-hop entry in the ARP cache ages out, the system waits for a refresh interval and then checks again whether the next-hop address has appeared in the ARP cache before declaring the object DOWN.
Valid delay times are from 0 to 180 seconds. The default is 0. 4. (Optional) Identify the tracked object with a text description. OBJECT TRACKING mode description text The text string can be up to 80 characters. 5. (Optional) Configure the metric threshold for the UP and/or DOWN routing status to be tracked for the specified route. OBJECT TRACKING mode threshold metric {[up number] [down number]} The default UP threshold is 254.
 2 changes, last change 00:16:08
 Tracked by:
Track 2
 IPv6 route 2040::/64 metric threshold
 Metric threshold is Up (STATIC/0/0)
 5 changes, last change 00:02:16
 Metric threshold down 255 up 254
 First-hop interface is TenGigabitEthernet 1/2/1
 Tracked by:
  VRRP TenGigabitEthernet 2/30/1 IPv6 VRID 1
Track 3
 IPv6 route 2050::/64 reachability
 Reachability is Up (STATIC)
 5 changes, last change 00:02:16
 First-hop interface is TenGigabitEthernet 1/2/1
 Tracked by:
  VRRP TenGigabitEthernet 2/30/1 IPv6 VRID 1
Track 4 Inter
track 5 ip route 192.168.0.
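Taken together, the rules in this chapter (exact address-and-length matching for tracked routes, metric scaling by the per-protocol resolution, the UP and DOWN metric thresholds, and the per-object priority cost that VRRP subtracts) describe a small state machine, and it is easier to reason about failover behaviour by running it than by reading the rules one at a time. The following Python model is an added example, not Dell code. It evaluates tracked interface, reachability, and metric-threshold objects against a constructed interface table and route table and computes the effective VRRP priority. Two details are assumptions of this model rather than statements from the guide: a metric that falls strictly between the UP and DOWN thresholds leaves the object's state unchanged, and the resulting VRRP priority is floored at 1.

```python
from dataclasses import dataclass
from typing import Optional

UNREACHABLE = 255  # metric assumed when the exact prefix is absent from the table

# Default resolution per route source as given in the chapter.
DEFAULT_RESOLUTION = {"isis": 10, "ospf": 1}


def scaled_metric(source, metric, resolution=None):
    """Map a routing-protocol metric onto the 0..255 tracking scale."""
    if source == "static":
        return 0                              # static routes carry metric 0
    if source == "rip":
        return min(metric * 16, UNREACHABLE)  # hop count x16, not configurable
    res = resolution if resolution is not None else DEFAULT_RESOLUTION[source]
    return min(metric // res, UNREACHABLE)


class RouteTable:
    def __init__(self, routes):
        self.routes = routes  # {"10.0.0.0/24": ("ospf", 30)}, constructed input

    def lookup(self, prefix):
        """Exact address and prefix length only: 10.0.0.0/24 never matches 10.0.0.0/8."""
        return self.routes.get(prefix)


@dataclass
class TrackedObject:
    object_id: int
    kind: str                   # "interface", "reachability" or "metric"
    target: str                 # interface name or route prefix
    up: int = 254               # default UP threshold from the chapter
    down: int = 255             # default DOWN threshold from the chapter
    resolution: Optional[int] = None
    state: str = "DOWN"

    def evaluate(self, interfaces, table):
        if self.kind == "interface":
            self.state = "UP" if interfaces.get(self.target) else "DOWN"
        elif self.kind == "reachability":
            self.state = "UP" if table.lookup(self.target) else "DOWN"
        elif self.kind == "metric":
            entry = table.lookup(self.target)
            m = scaled_metric(entry[0], entry[1], self.resolution) if entry else UNREACHABLE
            if m <= self.up:
                self.state = "UP"
            elif m >= self.down:
                self.state = "DOWN"
            # Between the thresholds the state is left unchanged (assumed hysteresis).
        else:
            raise ValueError(f"unknown object kind {self.kind}")
        return self.state


def vrrp_effective_priority(base_priority, tracked):
    """tracked: list of (TrackedObject, priority_cost); each DOWN object subtracts its cost."""
    if len(tracked) > 20:
        raise ValueError("VRRP can track at most 20 objects")
    penalty = 0
    for obj, cost in tracked:
        if not 1 <= cost <= 254:
            raise ValueError(f"priority cost {cost} is outside 1..254")
        if obj.state == "DOWN":
            penalty += cost
    return max(base_priority - penalty, 1)  # floor of 1 is an assumption of this model


if __name__ == "__main__":
    # Constructed interface states and routes, not taken from the guide.
    interfaces = {"TenGigabitEthernet 1/1/1": True, "TenGigabitEthernet 1/2/1": False}
    table = RouteTable({"10.0.0.0/24": ("ospf", 30), "192.168.0.0/24": ("isis", 2600)})
    objs = [
        TrackedObject(100, "interface", "TenGigabitEthernet 1/1/1"),
        TrackedObject(101, "interface", "TenGigabitEthernet 1/2/1"),
        TrackedObject(2, "reachability", "10.0.0.0/8"),  # only the /24 exists: DOWN
        TrackedObject(3, "metric", "192.168.0.0/24"),    # 2600 // 10 = 260, capped 255: DOWN
        TrackedObject(4, "metric", "10.0.0.0/24"),       # 30 <= 254: UP
    ]
    for o in objs:
        print(f"track {o.object_id}: {o.evaluate(interfaces, table)}")
    costs = list(zip(objs, (10, 20, 5, 15, 30)))
    print("effective VRRP priority:", vrrp_effective_priority(100, costs))
```

The reachability object for 10.0.0.0/8 going DOWN while 10.0.0.0/24 is present is the behaviour the chapter warns about; a summary route and the specific route it covers must be tracked as separate objects.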
35 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell EMC Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell EMC Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 96. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers. NOTE: If you configure two non-backbone areas, then you must enable the B bit in OSPF.
Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
● Type 3: Summary LSA (OSPFv2), Inter-Area-Prefix LSA (OSPFv3) — An ABR takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to. The link-state ID of the Type 3 LSA is the destination network number. ● Type 4: AS Border Router Summary LSA (OSPFv2), Inter-Area-Router LSA (OSPFv3) — In some cases, Type 5 External LSAs are flooded to areas where the detailed next-hop information may not be available.
Figure 98. Priority and Cost Examples OSPF with Dell EMC Networking OS The Dell EMC Networking OS supports up to 128,000 OSPF routes for OSPFv2. Dell EMC Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell EMC Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell EMC Networking OS supports only one OSPFv3 process per VRF. OSPFv2 and OSPFv3 can co-exist but you must configure them individually.
does not necessarily have to interrupt the forwarding of data packets. This behavior is supported because the forwarding tables previously computed by an active RPM have been downloaded into the forwarding information base (FIB) on the line cards (the data plane) and are still resident.
Multi-Process OSPFv2 with VRF Multi-process OSPF with VRF is supported on the Dell EMC Networking OS. Only one OSPFv2 process per VRF is supported. Multi-process OSPF allows multiple OSPFv2 processes on a single router. Multiple OSPFv2 processes allow for isolating routing domains, supporting multiple route policies and priorities in different domains, and creating smaller domains for easier management. Each OSPFv2 process has a unique process ID and must have an associated router ID.
RFC 2328 is supported by default on Dell EMC Networking OS and it is indicated in the show ip ospf command output. DellEMC#show ip ospf Routing Process ospf 1 with ID 2.2.2.
Configuration Information
The interfaces must be in Layer 3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode.
NOTE: Loopback routes are not installed in the Route Table Manager (RTM) as non-active routes.
Enabling OSPFv2 To enable Layer 3 routing, assign an IP address to an interface (physical or Loopback). By default, OSPF, similar to all routing protocols, is disabled. You must configure at least one interface for Layer 3 before enabling OSPFv2 globally. If implementing multi-process OSPF, create an equal number of Layer 3 enabled interfaces and OSPF process IDs. For example, if you create four OSPFv2 process IDs, you must have four interfaces with Layer 3 enabled. 1. Assign an IP address to an interface.
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Number of area in this router is 0, normal 0 stub 0 nssa 0 DellEMC# Assigning an OSPFv2 Area After you enable OSPFv2, assign the interface to an OSPF area. Set up OSPF areas and enable OSPFv2 on an interface with the network command. You must have at least one AS area: Area 0. This is the backbone area. If your OSPF network contains more than one area, configure a backbone area (Area ID 0.0.0.0).
Example of Viewing Active Interfaces and Assigned Areas
DellEMC>show ip ospf 1 interface
TenGigabitEthernet 1/17/1 is up, line protocol is up
 Internet Address 10.2.2.1/24, Area 0.0.0.0
 Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1
 Transmit Delay is 1 sec, State DR, Priority 1
 Designated Router (ID) 11.1.2.1, Interface address 10.2.2.1
 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
3. Enter ROUTER OSPF mode. CONFIGURATION mode router ospf process-id [vrf] Process ID is the ID assigned when configuring OSPFv2 globally. 4. Configure the area as a stub area. CONFIG-ROUTER-OSPF-id mode area area-id stub [no-summary] Use the keywords no-summary to prevent transmission into the area of summary ASBR LSAs. Area ID is the number or IP address assigned when creating the area.
 Designated Router (ID) 10.1.2.100, Interface address 0.0.0.0
 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.0
 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
 Hello due in 13:39:46
 Neighbor Count is 0, Adjacent neighbor count is 0
TenGigabitEthernet 2/1/1 is up, line protocol is down
 Internet Address 10.1.3.100/24, Area 2.2.2.2
 Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 10
 Transmit Delay is 1 sec, State DR, Priority 1
 Designated Router (ID) 10.1.2.
Convergence Level 0 Min LSA origination 5 secs, Min LSA arrival 1 secs Number of area in this router is 0, normal 0 stub 0 nssa 0 DellEMC# Changing OSPFv2 Parameters on Interfaces In Dell EMC Networking OS, you can modify the OSPF settings on the interfaces. Some interface parameter values must be consistent across all interfaces to avoid routing errors. For example, set the same time interval for the hello packets on all routers in the OSPF network to prevent misconfiguration of OSPF neighbors.
Keep the transmit delay consistent on all routers in the OSPF network; unlike the hello and dead intervals, it is not checked when adjacencies form, but mismatched values distort LSA age calculations. To view interface configurations, use the show config command in CONFIGURATION INTERFACE mode. To view interface status in the OSPF process, use the show ip ospf interface command in EXEC mode.
The ip ospf cost line in the example shows the change on the interface. The change is reflected in the OSPF configuration.
DellEMC(conf-if)#ip ospf cost 45
DellEMC(conf-if)#show config
!
interface TenGigabitEthernet 1/1/1
 ip address 10.1.2.100 255.255.
To enable and configure OSPFv2 graceful restart, use the following commands.
1. Enable OSPFv2 graceful restart globally and set the grace period.
   CONFIG-ROUTER-OSPF-id mode
   graceful-restart grace-period seconds
   The seconds range is from 40 to 3000. This setting is the time for which an OSPFv2 router's neighbors advertise it as fully adjacent, regardless of the synchronization state, during a graceful restart. OSPFv2 terminates the process when the grace period ends.
2.
ip prefix-list prefix-name
You are in PREFIX LIST mode.
● Create a prefix list entry with a sequence number and a deny or permit action.
  CONFIG-PREFIX LIST mode
  seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
  The optional parameters are:
  ○ ge min-prefix-length: the minimum prefix length to match (from 0 to 32).
  ○ le max-prefix-length: the maximum prefix length to match (from 0 to 32).
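Because ge and le are easy to misread, and a filter applied to redistribution that matches more or less than intended leaks or drops routes silently, here is an added Python evaluator for the prefix-list syntax above. It is not Dell code and does not talk to the switch. Entries are tried in ascending sequence order; a prefix matches an entry when it lies inside ip-prefix and its length falls in the ge..le window, where an entry with neither keyword matches only the exact length, ge alone means ge up to the address family maximum, and le alone means the entry's own length up to le. A list with no matching entry returns deny, which models the implicit deny such filters usually end with; that final deny is an assumption of this example, so confirm it on the platform. The sample entries and prefixes are constructed.

```python
import ipaddress


def parse_prefix_list(lines):
    """Parse 'seq N {permit|deny} PREFIX [ge MIN] [le MAX]' entries (the syntax above)."""
    entries = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] != "seq":
            continue  # blank lines and unrelated config lines are ignored
        seq, action = int(tok[1]), tok[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"seq {seq}: action must be permit or deny")
        net = ipaddress.ip_network(tok[3], strict=False)
        ge = le = None
        for key, val in zip(tok[4::2], tok[5::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
            else:
                raise ValueError(f"seq {seq}: unexpected keyword {key}")
        lo = ge if ge is not None else net.prefixlen
        if le is not None:
            hi = le
        elif ge is not None:
            hi = net.max_prefixlen   # ge without le: up to a host route
        else:
            hi = net.prefixlen       # neither keyword: exact length only
        if not net.prefixlen <= lo <= hi <= net.max_prefixlen:
            raise ValueError(f"seq {seq}: need prefix-length <= ge <= le <= {net.max_prefixlen}")
        entries.append((seq, action, net, lo, hi))
    return sorted(entries, key=lambda e: e[0])


def evaluate(entries, prefix):
    """Return (action, seq) of the first matching entry, or ('deny', None) when
    nothing matches (the assumed implicit deny at the end of the list)."""
    p = ipaddress.ip_network(prefix, strict=False)
    for seq, action, net, lo, hi in entries:
        if p.version == net.version and p.subnet_of(net) and lo <= p.prefixlen <= hi:
            return action, seq
    return "deny", None


if __name__ == "__main__":
    # Constructed list: refuse anything longer than /24 out of 10/8, allow exactly the /24s,
    # and allow the loopback block used in the OSPF samples in this chapter.
    plist = parse_prefix_list([
        "seq 5 deny 10.0.0.0/8 ge 25",
        "seq 10 permit 10.0.0.0/8 ge 24 le 24",
        "seq 15 permit 192.168.100.0/24",
    ])
    for test in ("10.1.13.0/24", "10.1.13.0/25", "10.0.0.0/8", "192.168.100.0/24", "172.16.0.0/16"):
        print(f"{test:<18} -> {evaluate(plist, test)}")
```

The third sample prefix, 10.0.0.0/8 itself, is denied by the implicit deny even though it is the address in every 10/8 entry, which is exactly the surprise ge and le produce when the entry's own length is excluded from the window.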
Troubleshooting OSPFv2
Use the information in this section to troubleshoot OSPFv2 operation on the switch. Be sure to check the following, as these questions represent typical issues that interrupt an OSPFv2 process.
NOTE: The following tasks are not comprehensive; they provide some examples of typical troubleshooting checks.
default-information originate always router-id 10.10.10.10 DellEMC# Sample Configurations for OSPFv2 The following configurations are examples for enabling OSPFv2. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
 network 10.0.13.0/24 area 0
 network 10.0.23.0/24 area 0
!
interface Loopback 30
 ip address 192.168.100.100/24
 no shutdown
!
interface TenGigabitEthernet 3/1/1
 ip address 10.1.13.3/24
 no shutdown
!
interface TenGigabitEthernet 3/2/1
 ip address 10.2.13.3/24
 no shutdown
OSPF Area 0 — Te 2/1 and 2/2
router ospf 22222
 network 192.168.100.0/24 area 0
 network 10.2.21.0/24 area 0
 network 10.2.22.0/24 area 0
!
interface Loopback 20
 ip address 192.168.100.
Configuration Task List for OSPFv3 (OSPF for IPv6) This section describes the configuration tasks for Open Shortest Path First version 3 (OSPF for IPv6) on the switch. The configuration options of OSPFv3 are the same as those options for OSPFv2, but you may configure OSPFv3 with differently labeled commands. Specify process IDs and areas and include interfaces and addresses in the process. Define areas as stub or totally stubby.
2. Bring up the interface. CONF-INT-type slot/port mode no shutdown Assigning Area ID on an Interface To assign the OSPFv3 process to an interface, use the following command. The ipv6 ospf area command enables OSPFv3 on an interface and places the interface in the specified area. Additionally, the command creates the OSPFv3 process with ID on the router.
router-id {number} ○ number: the IPv4 address. The format is A.B.C.D. NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address. ● Disable OSPF. CONFIGURATION mode no ipv6 router ospf process-id vrf {vrf-name} ● Reset the OSPFv3 process. EXEC Privilege mode clear ipv6 ospf [vrf vrf-name] process Configuring Stub Areas To configure IPv6 stub areas, use the following command. ● Configure the area as a stub area.
redistribute {bgp | connected | static} [metric metric-value | metric-type type-value] [route-map map-name] [tag tag-value] Configure the following required and optional parameters: ○ bgp | connected | static: enter one of the keywords to redistribute those routes. ○ metric metric-value: The range is from 0 to 4294967295. ○ metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2. ○ route-map map-name: enter a name of a configured route map.
When you enable the helper-reject role on an interface using the ipv6 ospf graceful-restart helper-reject command, you reconfigure OSPFv3 graceful restart to function in a restarting-only role: OSPFv3 does not participate in the graceful restart of a neighbor on that interface.
NOTE: Enter the ipv6 ospf graceful-restart helper-reject command in Interface configuration mode.
NOTE: For the graceful-restart configuration to work, you must configure a grace period. Use the graceful-restart grace-period command to configure it.
 log-adjacency-changes
 graceful-restart grace-period 180
The following example shows the show ipv6 ospf database database-summary command.
DellEMC#show ipv6 ospf database database-summary
!
OSPFv3 Router with ID (200.1.1.
To ensure integrity, data origin authentication, detection and rejection of replays, and confidentiality of the packet, RFC 4302 and RFC 4303 define two security protocols: authentication header (AH) and encapsulating security payload (ESP). RFC 4552 specifies how OSPFv3 uses them: in transport mode, with manually configured keys and SPIs rather than IKE, which is why the keys and SPIs in the commands below must be identical on all neighbors. For OSPFv3, these two IPsec protocols provide interoperable, high-quality cryptographically-based security.
Configuring IPsec Authentication on an Interface To configure, remove, or display IPsec authentication on an interface, use the following commands. Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
○ authentication-algorithm: specifies the authentication algorithm to use. The valid values are MD5 or SHA1.
○ key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share the key to exchange information. For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted). For SHA-1 authentication, the key must be 40 hex digits (non-encrypted) or 80 hex digits (encrypted).
NOTE: When you configure encryption using the area encryption command, you enable both IPsec encryption and authentication. However, when you enable authentication on an area using the area authentication command, you do not enable encryption at the same time. If you have enabled IPsec authentication in an OSPFv3 area using the area authentication command, you cannot use the area encryption command in the area at the same time.
In the first example, the keys are not encrypted (shown in bold). In the second and third examples, the keys are encrypted (shown in bold). The following example shows the show crypto ipsec policy command.
Link Local address: fe80::201:e8ff:fe40:4d11
IPSecv6 policy name: OSPFv3-1-600
inbound ah sas
outbound ah sas
inbound esp sas
  spi : 600 (0x258)
  transform : esp-des esp-sha1-hmac
  in use settings : {Transport, }
  replay detection support : N
  STATUS : ACTIVE
outbound esp sas
  spi : 600 (0x258)
  transform : esp-des esp-sha1-hmac
  in use settings : {Transport, }
  replay detection support : N
  STATUS : ACTIVE
Troubleshooting OSPFv3
The system provides several tools to troubleshoot OSPFv3 operation on the switch.
○ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
○ For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the slot/port/subport information.
○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port/subport information.
○ For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the slot/port/subport information.
SNMPv2-SMI::mib-2.191.1.1.18.0 = INTEGER: 1
SNMPv2-SMI::mib-2.191.1.1.19.0 = Gauge32: 0
SNMPv2-SMI::mib-2.191.1.1.20.0 = INTEGER: 1
MIB Support for OSPFv3
SNMPv3 context name support implements MIB views on multiple OSPFv3 instances.
Table 73. MIB Objects for OSPFv3
MIB Object    OID    Description
ospfv3GeneralGroup    1.3.6.1.2.1.191.1.1    Contains a 32-bit unsigned integer uniquely identifying the router in the autonomous system.
ospfv3AreaEntry    1.3.6.1.2.1.191.1.2.
36 Policy-based Routing (PBR)
Policy-based routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
Topics:
• Overview
• Implementing PBR
• Configuration Task List for Policy-based Routing
• Sample Configuration
Overview
When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table.
● Destination IP address and mask
● Source port
● Destination port
● TCP Flags
After you apply a redirect-list to an interface, all traffic passing through it is subjected to the rules defined in the redirect-list. Traffic is forwarded based on the following:
● Next-hop addresses are verified.
● If the specified next hop is reachable, traffic is forwarded to the specified next-hop.
● If the specified next-hops are not reachable, the normal routing table is used to forward the traffic.
PBR Exceptions (Permit)
To create an exception to a redirect list, use the permit command. Exceptions are used when a forwarding decision should be based on the routing table rather than a routing policy. The Dell EMC Networking OS assigns the first available sequence number to a rule configured without a sequence number and inserts the rule into the PBR CAM region next to the existing entries. Because the order of rules is important, ensure that you configure any necessary sequence numbers.
● source ip-address or any or host ip-address is the source's IP address.
  FORMAT: A.B.C.D/NN, or ANY or HOST IP address
● destination ip-address or any or host ip-address is the destination's IP address.
  FORMAT: A.B.C.D/NN, or ANY or HOST IP address
To delete a rule, use the no redirect command.
multiple seq redirect commands with the same source and destination address and specify a different next-hop IP address. In this way, the recursive routes are used as different forwarding routes for dynamic failover. If the primary path goes down and the recursive route is removed from the routing table, the seq redirect command is ignored and the next command in the list with a different route is used.
EXEC mode
show ip redirect-list redirect-list-name
2. View the redirect list entries programmed in the CAM.
EXEC mode
show cam pbr
show cam-usage
List the redirect list configuration using the show ip redirect-list redirect-list-name command. A noncontiguous mask displays in dotted format (x.x.x.x); a contiguous mask displays in /x format.
DellEMC#show ip redirect-list explicit_tunnel
IP redirect-list explicit_tunnel:
Defined as:
seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.
00002 Fi 1/21/1 N/A 19 0x0 0 0 155.55.0.0/16 222.22.2.0/24 00:00:00:00:00:04 Te 1/1/4
00003 Fi 1/21/1 N/A UDP 0x0 0 0 155.55.0.0/16 222.22.2.0/24 00:00:00:00:00:04 Te 1/1/4
Sample Configuration
You can use the following example configuration to set up PBR. These are not comprehensive directions but are intended to give you guidance with typical configurations. You can copy and paste from these examples to your CLI.
seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any
seq 15 permit ip any any
Assign Redirect-List GOLD to Interface 2/11
EDGE_ROUTER(conf)#int Te 2/11/1
EDGE_ROUTER(conf-if-Te-2/11/1)#ip add 192.168.3.
3 IP Host reachability 42.1.1.2/32 Up 00:00:59
4 IP Host reachability 43.1.1.2/32 Up 00:00:59
Apply the Redirect Rule to an Interface:
DellEMC#
DellEMC(conf)#int TenGigabitEthernet 2/28
DellEMC(conf-if-te-2/28)#ip redirect-group redirect_list_with_track
DellEMC(conf-if-te-2/28)#end
Verify the Applied Redirect Rules:
DellEMC#show ip redirect-list redirect_list_with_track
IP redirect-list redirect_list_with_track
Defined as:
seq 5 redirect 42.1.1.2 track 3 tcp 155.55.2.0/24 222.22.2.
2 Interface ipv6 routing Tunnel 2 Up 00:00:00
DellEMC#
Create a Redirect-list with Track Objects pertaining to Tunnel Interfaces:
DellEMC#configure terminal
DellEMC(conf)#ip redirect-list explicit_tunnel
DellEMC(conf-redirect-list)#redirect tunnel 1 track
DellEMC(conf-redirect-list)#redirect tunnel 1 track
DellEMC(conf-redirect-list)#redirect tunnel 1 track 144.144.144.
37 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop.
2. The last-hop DR sends a PIM Join message to the RP. All routers along the way, including the RP, create an (*,G) entry in their multicast routing table, and the interface on which the message was received becomes the outgoing interface associated with the (*,G) entry. This process constructs an RPT branch to the RP.
3. If a host on the same subnet as another multicast receiver sends an IGMP report for the same multicast group, the gateway takes no action.
3. Enable PIM-SM on an interface.
Enable multicast routing.
CONFIGURATION mode
{ip | ipv6} multicast-routing [vrf vrf-name]
Related Configuration Tasks
The following are related PIM-SM configuration tasks.
● Configuring S,G Expiry Timers
● Configuring a Static Rendezvous Point
● Configuring a Designated Router
● Creating Multicast Boundaries and Domains
Enable PIM-SM
You must enable PIM-SM on each participating interface.
1. Enable IPv4 or IPv6 multicast routing on the system.
Following is an example of show ip pim neighbor command output:
DellEMC#show
Neighbor Address
127.87.5.5
127.87.3.5
127.87.50.
Configuring S,G Expiry Timers
You can configure a global expiry time (for all [S,G] entries). By default, [S,G] entries expire in 210 seconds. When you create, delete, or update an expiry time, the changes are applied when the keepalive timer refreshes. To configure a global expiry time, use the following command.
Enable the global expiry timer for S,G entries.
CONFIGURATION mode
{ip | ipv6} pim sparse-mode sg-expiry-timer seconds
The range is from 211 to 86,400 seconds. The default is 210.
Overriding Bootstrap Router Updates PIM-SM routers must know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group. If you do not use the override option with the following command, the RPs advertised in the BSR updates take precedence over any statically configured RPs.
INTERFACE mode
{ip | ipv6} pim query-interval seconds
● Display the current value of these parameters.
Creating Multicast Boundaries and Domains A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet. Create multicast boundaries and domains by filtering inbound and outbound bootstrap router (BSR) messages per interface. The following command is applied to the subsequent inbound and outbound updates.
show ip pim bsr-router
Example:
DellEMC# show ip pim bsr-router
PIMv2 Bootstrap information
This system is the Bootstrap Router (v2)
BSR address: 7.7.7.7 (?)
BSR Priority: 0, Hash mask length: 30
Next bootstrap message in 00:00:08
This system is a candidate BSR
Candidate BSR address: 7.7.7.
38 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Related Configuration Tasks
● Use PIM-SSM with IGMP Version 2 Hosts
Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1. Create an ACL that uses permit rules to specify what range of addresses should use SSM.
CONFIGURATION mode
ip access-list standard name
2. Enter the ip pim ssm-range command and specify the ACL you created.
CONFIGURATION mode
ip pim ssm-range acl-name
To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.
Configuring PIM-SSM with IGMPv2
R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4
ip pim ssm-range ssm
R1(conf)#do show run acl
!
ip access-list standard map
seq 5 permit host 239.0.0.2
!
ip access-list standard ssm
seq 5 permit host 239.0.0.2
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address    Interface    Mode    Uptime    Expires
239.0.0.
1. C-BSRs flood their candidacy throughout the domain in a BSM. Each message contains a BSR priority value, and the C-BSR with the highest priority value becomes the BSR.
2. Each C-RP unicasts periodic Candidate-RP-Advertisements to the BSR. Each message contains an RP priority value and the group ranges for which it is a C-RP.
3. The BSR collects the most efficient group-to-RP mappings and periodically distributes them to all PIM routers in the network.
4.
Enabling RP to Serve Specific Multicast Groups
When you configure an RP candidate, its advertisement is sent for the entire multicast address range, and the group-to-RP mapping is advertised for the entire range of multicast addresses. Starting with Dell EMC Networking OS 9.11.0.0, you can configure an RP candidate for a specified range of multicast group addresses. The configured multicast group ranges are used by the BSR protocol to advertise the candidate RPs in the bootstrap messages.
39 Port Monitoring
Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. Mirroring is used for monitoring ingress, egress, or both ingress and egress traffic on specific ports. This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
Port Monitoring Port monitoring is supported on both physical and logical interfaces, such as VLAN and port-channel interfaces. The source port (MD) with monitored traffic and the destination ports (MG) to which an analyzer can be attached must be on the same switch. You can configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session. The platform supports multiple source-destination statements in a single monitor session.
Similarly, if BPDUs are transmitted, the MG port receives them tagged with the VLAN ID 4095. This behavior might result in a difference between the number of egress packets on the MD port and monitored packets on the MG port.
Dell EMC Networking OS Behavior: The platform continues to mirror outgoing traffic even after an MD participating in spanning tree protocol (STP) transitions from the forwarding state to the blocking state.
Configuring Port Monitoring
To configure port monitoring, use the following commands.
1.
N/A N/A 0 1 Po 10 N/A Vl 40 N/A Te 1/2/1 No Te 1/3/1 No rx Port 0.0.0.0 0.0.0.0 0 0 No rx Flow 0.0.0.0 0.0.0.0 0 0 No
NOTE: Source as VLAN is achieved via flow-based mirroring. Refer to the section Enabling Flow-Based Monitoring.
In the following example, the host and server are exchanging traffic which passes through the uplink interface 1/1/1.
Flow-Based Monitoring
Flow-based monitoring conserves bandwidth by monitoring only the specified traffic instead of all traffic on the interface. It is available for Layer 3 ingress traffic. You can specify the traffic that needs to be monitored using standard or extended access-lists. The flow-based monitoring mechanism copies packets that match the ACL rules applied on the port and forwards (mirrors) them to another port.
---- ------ -------------- --------
1 Te 1/2/1 remote-ip rx Port 0 No N/A N/A yes 0.0.0.0 0.0.0.0 0
DellEMC#
The show config command has been modified to display the monitoring configuration in a particular session.
ip access-group access-list-name
To view an access-list that you applied to an interface, use the show ip accounting access-list command from EXEC Privilege mode.
DellEMC(conf)#monitor session 0
DellEMC(conf-mon-sess-0)#flow-based enable
DellEMC(conf)#ip access-list ext testflow
DellEMC(config-ext-nacl)#seq 5 permit icmp any any count bytes monitor
DellEMC(config-ext-nacl)#seq 10 permit ip 102.1.1.
Configuring IPv6 Flow-Based Mirroring
This section describes how to configure IPv6 flow-based mirroring in a monitor session. You can configure IPv6 flow-based mirroring under a monitor session. IPv6 flow-based mirroring is supported in SPAN, RSPAN, and ERSPAN monitor sessions. By default, all mirror ACLs are treated as implicit permit. The Dell EMC Networking OS creates a separate logical group out of a physical CAM region for IPv6 mirroring.
DellEMC(config-ext-nacl)#exit
DellEMC(conf)#interface fortyGigE 1/1/1
DellEMC(conf-if-fo-1/1/1)#ipv6 access-group testflow in
The following is a sample running-configuration of IPv6 flow-based mirroring with ACLs applied to monitor sessions.
Remote port mirroring helps network administrators monitor and analyze traffic to troubleshoot network problems in a timesaving and efficient way. In a remote-port mirroring session, monitored traffic is tagged with a VLAN ID and switched on a user-defined, non-routable L2 VLAN. The VLAN is reserved in the network to carry only mirrored traffic, which is forwarded on all egress ports of the VLAN.
● You can configure any switch in the network with source ports and destination ports, and allow it to function in an intermediate transport session for a reserved VLAN at the same time for multiple remote-port mirroring sessions. You can enable and disable individual mirroring sessions.
● BPDU monitoring is not required to use remote port mirroring.
Restrictions
When you configure remote port mirroring, the following restrictions apply:
● You can configure the same source port to be used in multiple source sessions.
● You cannot configure a source port channel or source VLAN in a source session if the port channel or VLAN has a member port that is configured as a destination port in a remote-port mirroring session.
3. A destination session that consists of multiple destination ports associated with the dedicated VLAN and located on different destination switches
Configuring an RSPAN VLAN for RPM
Following are the steps for configuring an RSPAN VLAN for RPM. You must repeat the following steps on the source, intermediate, and destination switches.
1. Enter global configuration mode.
EXEC mode
configure terminal
2. Create a VLAN to transport mirrored traffic in RPM.
CONFIGURATION mode
interface vlan vlan-id
3.
MONITOR SESSION mode
source remote-vlan vlan-id destination interface direction {rx | tx | both}
3. (Optional) Configure destination ports so that the VLAN tag is added to the monitored traffic.
MONITOR SESSION mode
tagged destination interface
To configure destination ports as untagged ports, enter the untagged destination command.
Following is a sample configuration of RPM on an intermediate switch.
DellEMC(conf)#interface vlan 10
DellEMC(conf-if-vl-10)#mode remote-port-mirroring
DellEMC(conf-if-vl-10)#tagged tengigabitethernet 1/4/1
DellEMC(conf-if-vl-10)#tagged tengigabitethernet 1/5/1
DellEMC(conf-if-vl-10)#exit
Configuring Remote Port Mirroring on a destination switch
Following is a sample configuration of RPM on a destination switch.
Dell(conf-if-te-1/1/7)#exit
Dell(conf)#interface vlan 20
Dell(conf-if-vl-20)#mode remote-port-mirroring
Dell(conf-if-vl-20)#tagged tengigabitethernet 1/1/7
Dell(conf-if-vl-20)#exit
Dell(conf)#monitor session 2 type rpm
Dell(conf-mon-sess-2)#source remote-vlan 20 destination tengigabitethernet 1/1/8
Dell(conf-mon-sess-2)#tagged destination tengigabitethernet 1/1/8
Dell(conf-mon-sess-2)#exit
Configuration Example of RPM for port-channel
This example provides a sample configuration of remote port mirroring fo
Encapsulated Remote Port Monitoring
Encapsulated Remote Port Monitoring (ERPM) copies traffic from source ports/port-channels or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination IP address specified in the session.
NOTE: When configuring ERPM, follow these guidelines:
● The Dell EMC Networking OS supports ERPM source sessions only. Encapsulated packets terminate at the destination IP address or at the analyzer.
The following example shows an ERPM configuration:
DellEMC(conf)#monitor session 0 type erpm
DellEMC(conf-mon-sess-0)#source tengigabitethernet 1/9/1 direction rx
DellEMC(conf-mon-sess-0)#source port-channel 1 direction tx
DellEMC(conf-mon-sess-0)#erpm source-ip 1.1.1.1 dest-ip 7.1.1.2 gre-protocol 111
DellEMC(conf-mon-sess-0)#no disable
DellEMC(conf)#monitor session 1 type erpm
DellEMC(conf-mon-sess-1)#source vlan 11 direction rx
DellEMC(conf-mon-sess-1)#erpm source-ip 5.1.1.1 dest-ip 3.1.1.
ERPM Behavior on a typical Dell EMC Networking OS The Dell EMC Networking OS is designed to support only the Encapsulation of the data received / transmitted at the specified source port (Port A). An ERPM destination session / decapsulation of the ERPM packets at the destination Switch are not supported. Figure 103.
○ Either use a Linux server's Ethernet port IP as the ERPM destination IP, or connect the ingress interface of the server to the ERPM MirrorToPort. The analyzer should listen on the forward/egress interface. If there is only one interface, you can choose the ingress and forward interface to be the same and listen in the tx direction of that interface.
○ Download/write a small script (for example, erpm.py) that strips the given ERPM packet starting from the bit where the GRE header ends.
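The decapsulation step that such an analyzer-side script performs, as an added Python example (not Dell's erpm.py and not code from this guide): it strips the outer Ethernet, IPv4 and GRE headers of an ERPM packet, checks the GRE protocol type against the session's configured gre-protocol value, and rejects truncated or mismatched packets rather than mis-parsing them. It assumes a standard RFC 2784/2890 GRE header whose payload is the mirrored Ethernet frame unchanged, and that the configured gre-protocol value (111 in the example above) is what appears in the GRE protocol type field; the sample packet is constructed inline using the source-ip/dest-ip from that example.

```python
"""Decapsulate ERPM mirrored frames (outer Ethernet/IPv4/GRE) for offline analysis.

Added example for the analyzer side of an ERPM session; not Dell's erpm.py.
Assumptions: outer packet is Ethernet II / IPv4 / GRE (RFC 2784/2890), the GRE
protocol type field carries the session's configured gre-protocol value, and
the GRE payload is the mirrored Ethernet frame. The outer IPv4 checksum is not
verified here.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
ERPM_GRE_PROTOCOL = 111   # gre-protocol value from the configuration example


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_gre(buf):
    """Parse a GRE header; return (protocol_type, options, payload).

    Handles the optional checksum (C), key (K) and sequence (S) fields so a
    session that sets them still decapsulates correctly.
    """
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto = struct.unpack("!HH", buf[:4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags_ver & 0x7))
    has_c, has_k, has_s = flags_ver & 0x8000, flags_ver & 0x2000, flags_ver & 0x1000
    need = 4 + (4 if has_c else 0) + (4 if has_k else 0) + (4 if has_s else 0)
    if len(buf) < need:
        raise ValueError("truncated GRE optional fields")
    opts, off = {}, 4
    if has_c:                        # 16-bit checksum followed by 16 reserved bits
        opts["checksum"] = struct.unpack("!H", buf[off:off + 2])[0]
        off += 4
    if has_k:
        opts["key"] = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if has_s:
        opts["sequence"] = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    return proto, opts, buf[off:]


def decapsulate_erpm(frame, gre_protocol=ERPM_GRE_PROTOCOL):
    """Strip the outer headers of an ERPM packet; return (outer_info, inner_frame).

    Raises ValueError for anything that is not a well-formed ERPM packet of this
    session, so a capture can be filtered instead of silently mis-parsed.
    """
    if len(frame) < 14:
        raise ValueError("truncated outer Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated outer IPv4 header")
    ver_ihl, _tos, total_len = struct.unpack("!BBH", ip[:4])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("outer packet is not a valid IPv4 header")
    if ip[9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 protocol %d is not GRE" % ip[9])
    if total_len < ihl or len(ip) < total_len:
        raise ValueError("IPv4 total length does not fit the captured bytes")
    outer = {
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
    }
    proto, opts, inner = parse_gre(ip[ihl:total_len])
    if proto != gre_protocol:
        raise ValueError("GRE protocol 0x%04x is not the session value 0x%04x"
                         % (proto, gre_protocol))
    if len(inner) < 14:
        raise ValueError("mirrored payload is shorter than an Ethernet header")
    outer["gre"] = opts
    return outer, inner


def summarize_ethernet(frame):
    """Header fields of the recovered (mirrored) Ethernet frame."""
    return {
        "dst_mac": mac_str(frame[0:6]),
        "src_mac": mac_str(frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "payload_len": len(frame) - 14,
    }


def build_sample_erpm_frame():
    """Constructed sample (not a real capture): an ARP broadcast mirrored over ERPM.

    Outer addresses are the erpm source-ip/dest-ip from the page's example.
    """
    inner = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0001e8404d11")
             + struct.pack("!H", 0x0806) + bytes(28))        # zeroed ARP body
    gre = struct.pack("!HH", 0x0000, ERPM_GRE_PROTOCOL)       # no C/K/S fields
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner),
                     0x1234, 0x4000, 64, IPPROTO_GRE, 0,
                     bytes([1, 1, 1, 1]), bytes([7, 1, 1, 2]))
    outer_eth = (bytes.fromhex("0001e8aaaaaa") + bytes.fromhex("0001e8bbbbbb")
                 + struct.pack("!H", ETHERTYPE_IPV4))
    return outer_eth + ip + gre + inner, inner


if __name__ == "__main__":
    packet, expected = build_sample_erpm_frame()
    outer, mirrored = decapsulate_erpm(packet)
    print(outer, summarize_ethernet(mirrored), mirrored == expected)
```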
VLT Fail-over Scenario
Consider a scenario where port monitoring is configured to mirror traffic on the source port or LAG of a VLT device to a destination port on another device on the network. A fail-over occurs when the primary VLT device fails, causing the secondary VLT device to take over. At the time of failover, the mirrored packets are dropped for some time. This time period is equivalent to the gracious VLT failover recovery time.
Table 75. RPM over VLT Scenarios (continued)
Scenario    RPM Restriction    Recommended Solution
VLT device: source remote VLAN, destination orphan port.
Mirroring VLT LAG across VLT Peers — In this scenario, the VLT LAG on the primary VLT peer is mirrored to an orphan port on the secondary VLT peer through the ICL LAG. The packet analyzer is connected to the secondary VLT peer.    No restrictions apply to the RPM session.
40 Private VLANs (PVLAN) The private VLAN (PVLAN) feature is supported on Dell EMC Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell EMC Networking OS Command Line Reference Guide. Private VLANs extend the Dell EMC Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
● Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports.
● Host port — in the context of a private VLAN, is a port in a secondary VLAN:
  ○ The port must first be assigned that role in INTERFACE mode.
  ○ A port assigned the host role cannot be added to a regular VLAN.
● Isolated port — a port that, in Layer 2, can only communicate with promiscuous ports that are in the same PVLAN.
Configuration Task List
The following sections contain the procedures that configure a private VLAN.
● Creating PVLAN Ports
● Creating a Primary VLAN
● Creating a Community VLAN
● Creating an Isolated VLAN
Creating PVLAN ports
PVLAN ports are ports that will be assigned to the PVLAN.
1. Access INTERFACE mode for the port that you want to assign to a PVLAN.
CONFIGURATION mode
interface interface
2. Enable the port.
INTERFACE mode
no shutdown
3. Set the port in Layer 2 mode.
INTERFACE mode
switchport
4.
interface vlan vlan-id
2. Enable the VLAN.
INTERFACE VLAN mode
no shutdown
3. Set the PVLAN mode of the selected VLAN to primary.
INTERFACE VLAN mode
private-vlan mode primary
4. Map secondary VLANs to the selected primary VLAN.
INTERFACE VLAN mode
private-vlan mapping secondary-vlan vlan-list
The list of secondary VLANs can be:
● Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
● Specified with this command even before they have been created.
You can only add host (isolated) ports to the VLAN.
Creating an Isolated VLAN
An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN.
1. Access INTERFACE VLAN mode for the VLAN that you want to make an isolated VLAN.
CONFIGURATION mode
interface vlan vlan-id
2. Enable the VLAN.
INTERFACE VLAN mode
no shutdown
3. Set the PVLAN mode of the selected VLAN to isolated.
INTERFACE VLAN mode
private-vlan mode isolated
4.
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 104. Sample Private VLAN Topology The following configuration is based on the example diagram for the Z9500: ● Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. ● Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. ● Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
● The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500.
● For transmission between switches, tagged packets originating from host PVLAN ports in one secondary VLAN and destined for host PVLAN ports in the other switch travel through the promiscuous ports in the local VLAN 4000 and then through the trunk ports (1/25 in each switch).
Inspecting the Private VLAN Configuration
The standard methods of inspecting configurations also apply in PVLANs.
G - GVRP tagged, M - Vlan-stack NUM * 1 100 P 200 I 201 Status Inactive Inactive Inactive Inactive Description Q Ports primary VLAN in PVLAN T Te 1/19/1-2 isolated VLAN in VLAN 200 T Te 1/21/1 The following example shows viewing a private VLAN configuration.
41 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Figure 105. Per-VLAN Spanning Tree
The Dell EMC Networking OS supports three other variations of spanning tree, as shown in the following table.
Table 76. Spanning Tree Variations Dell EMC Networking OS Supports
Dell EMC Networking Term    IEEE Specification
Spanning Tree Protocol (STP)    802.1d
Rapid Spanning Tree Protocol (RSTP)    802.1w
Multiple Spanning Tree Protocol (MSTP)    802.
Configure Per-VLAN Spanning Tree Plus
Configuring PVST+ is a four-step process.
1. Configure interfaces for Layer 2.
2. Place the interfaces in VLANs.
3. Enable PVST+.
4. Optionally, for load balancing, select a nondefault bridge priority for a VLAN.
Influencing PVST+ Root Selection As shown in the previous per-VLAN spanning tree illustration, all VLANs use the same forwarding topology because R2 is elected the root, and all TenGigabitEthernet ports have the same cost. The following per-VLAN spanning tree illustration changes the bridge priority of each bridge so that a different forwarding topology is generated for each VLAN. This behavior demonstrates how you can use PVST+ to achieve load balancing. Figure 106.
Current root has priority 4096, Address 0001.e80d.b6d6
Number of topology changes 5, last change occurred 00:34:37 ago on Te 1/32/1
Port 375 (TenGigabitEthernet 1/22/1) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.375
Designated root has priority 4096, address 0001.e80d.b6:d6
Designated bridge has priority 4096, address 0001.e80d.b6:d6
Designated port id is 128.
● Port priority — influences the likelihood that a port is selected to be a forwarding port when several ports have the same port cost.
The following table lists the default values for port cost by interface.
Table 77.
CAUTION: Configure EdgePort only on links connecting to an end station. EdgePort can cause loops if you enable it on an interface connected to a network.
To enable EdgePort on an interface, use the following command.
● Enable EdgePort on an interface.
INTERFACE mode
spanning-tree pvst edge-port [bpduguard | shutdown-on-violation]
The EdgePort status of each interface is given in the output of the show spanning-tree pvst command, as previously shown.
Figure 107. PVST+ with Extend System ID
● Augment the bridge ID with the VLAN ID.
PROTOCOL PVST mode
extend system-id
DellEMC(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32773, Address 0001.e832.73f7
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
no shutdown
!
interface Vlan 300
no ip address
tagged TenGigabitEthernet 1/22,32/1
no shutdown
!
protocol spanning-tree pvst
no disable
vlan 100 bridge-priority 4096
Example of PVST+ Configuration (R2)
interface TenGigabitEthernet 2/12/1
no ip address
switchport
no shutdown
!
interface TenGigabitEthernet 2/32/1
no ip address
switchport
no shutdown
!
interface Vlan 100
no ip address
tagged TenGigabitEthernet 2/12,32/1
no shutdown
!
interface Vlan 200
no ip address
tagged TenGigabitEthernet 2/12,32/1
no shutd
42 Quality of Service (QoS)
This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues.
Table 78.
Table 78. Dell EMC Networking Operating System (OS) Support for Port-Based, Policy-Based Features (continued)
Feature    Direction
Create Output Policy Maps    Egress
Specify an Aggregate QoS Policy    Egress
Create Output Policy Maps    Egress
Enabling QoS Rate Adjustment
Enabling Strict-Priority Queueing
Weighted Random Early Detection    Egress
Create WRED Profiles    Egress
Figure 108.
• Configuring Policy-Based Rate Shaping
• Configuring Weights and ECN for WRED
• Configuring WRED and ECN Attributes
• Guidelines for Configuring ECN for Classifying and Color-Marking Packets
• Applying Layer 2 Match Criteria on a Layer 3 Interface
• Enabling Buffer Statistics Tracking
Implementation Information
The Dell EMC Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
DellEMC(conf-if-te-1/1/1)#switchport
DellEMC(conf-if-te-1/1/1)#dot1p-priority 1
DellEMC(conf-if-te-1/1/1)#end
Honoring dot1p Priorities on Ingress Traffic
By default, Dell EMC Networking OS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces.
Dell EMC Networking OS Behavior: Rate shaping is effectively rate limiting because of its smaller buffer size. Rate shaping on tagged ports is slightly greater than the configured rate and rate shaping on untagged ports is slightly less than configured rate. Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted. If any stream exceeds the configured bandwidth on a continuous basis, it can consume all of the buffer space that is allocated to the port.
Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell EMC Networking OS matches packets against match criteria in the order that you configure them. Creating a Layer 3 Class Map A Layer 3 class map differentiates ingress packets based on the DSCP value or IP precedence, and characteristics defined in an IP ACL.
The following example matches the IPv4 and IPv6 traffic with a precedence value of 3:
DellEMC(conf)# class-map match-any test1
DellEMC(conf-class-map)#match ip-any precedence 3
Creating a Layer 2 Class Map
All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command. A Layer 2 class map differentiates traffic according to 802.1p value and/or VLAN and/or characteristics defined in a MAC ACL.
EXEC Privilege mode show qos class-map The following example shows incorrect traffic classifications.
○ SYN
○ PSH
○ RST
○ URG
In the existing software, ECE/CWR TCP flag qualifiers are not supported.
● Because this functionality forcibly marks all the packets matching the specific match criteria as ‘yellow’, Dell EMC Networking OS does not support policer-based coloring and this feature concurrently.
Configuring Policy-Based Rate Policing
To configure policy-based rate policing, use the following command.
● Configure rate policing for ingress traffic.
QOS-POLICY-IN mode
rate-police
Setting a dot1p Value for Egress Packets
To set a dot1p value for egress packets, use the following command.
● Set a dscp or dot1p value for egress packets.
Table 80. Default Bandwidth Weights (continued)
Queue    Default Bandwidth Percentage for 4-Queue System    Default Bandwidth Percentage for 8-Queue System
2    26.67%    3%
3    53.33%    4%
4    -    5%
5    -    10%
6    -    25%
7    -    50%
NOTE: The system supports 8 data queues. When you assign a percentage to one queue, note that this change also affects the amount of bandwidth that is allocated to other queues.
● Each color map can only have one list of DSCP values for each color; any DSCP values previously listed for that color that are not in the new DSCP list are colored green. ● If you configured a DSCP color map on an interface that does not exist or you delete a DSCP color map that is configured on an interface, that interface uses an all green color policy. To create a DSCP color map: 1. Create the color-aware map QoS DSCP color map. CONFIGURATION mode qos dscp-color-map color-map-name 2.
Displaying a DSCP Color Policy Configuration To display the DSCP color policy configuration for one or all interfaces, use the show qos dscp-color-policy {summary [interface] | detail {interface}} command in EXEC mode. summary: Displays summary information about a color policy on one or more interfaces. detail: Displays detailed color policy information on an interface interface : Enter the name of the interface that has the color policy configured.
Applying an Input QoS Policy to an Input Policy Map
To apply an input QoS policy to an input policy map, use the following command.
● Apply an input QoS policy to an input policy map.
POLICY-MAP-IN mode
policy-service-queue qos-policy
Honoring DSCP Values on Ingress Packets
Dell EMC Networking OS provides the ability to honor DSCP values on ingress packets using the Trust DSCP feature.
Table 82. Default dot1p to Queue Mapping (continued)
dot1p   Queue ID
7       7
The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN.
● Enable the trust dot1p feature.
POLICY-MAP-IN mode
trust dot1p
Mapping dot1p Values to Service Queues
All traffic is by default mapped to the same queue, Queue 0.
Applying an Output QoS Policy to a Queue Specifying an Aggregate QoS Policy Applying an Output Policy Map to an Interface 3. Apply the policy map to an interface. Applying an Output QoS Policy to a Queue To apply an output QoS policy to a queue, use the following command. ● Apply an output QoS policy to queues. INTERFACE mode service-queue Specifying an Aggregate QoS Policy To specify an aggregate QoS policy, use the following command. ● Specify an aggregate QoS policy.
Enabling Strict-Priority Queueing
In strict-priority queuing, the system de-queues all packets from the assigned queue before servicing any other queues. You can assign strict priority to one unicast queue, using the strict-priority command.
● Policy-based per-queue rate shaping is not supported on the queue configured for strict-priority queuing. To use queue-based rate shaping together with strict-priority queuing on the same queue, use the Scheduler Strict feature as described in Scheduler Strict.
Consider two switches, A and B, connected back to back via a tagged interface, and untagged packets arriving on switch A. To generate PFC for priority 2 for the DSCP range 0-7, you must first match the traffic of interest with a class map. Then create a Layer 3 input QoS policy that marks the VLAN dot1p value as 2, and associate both the Layer 3 class map and the Layer 3 input QoS policy with queue 1 using the policy map.
You can create a custom WRED profile or use one of the five pre-defined profiles. Enabling and Disabling WRED Globally By default, WRED is enabled on the system. You can disable or reenable WRED manually using a single command. Follow these steps to disable or enable WRED in Dell EMC Networking OS. ● Enable WRED CONFIGURATION mode wred enable ● Disable WRED CONFIGURATION mode no wred enable NOTE: If you disable WRED globally, the system accepts any WRED profile you apply to traffic.
EXEC Privilege mode
show qos statistics wred-profile

DellEMC#show qos statistics wred-profile
Interface Te 1/1/1
Drop-statistic        Dropped Pkts
Green                 51623
Yellow                51300
Out of Profile        0
DellEMC#

Displaying egress-queue Statistics
To display the number of transmitted and dropped packets and their rate on the egress queues of an interface, use the following command:
● Display the number of packets and number of bytes on the egress-queue profile.
available. In this case, the system writes as many entries as possible, and then generates a CAM-full error message (shown in the following example). A policy map that is only partially programmed in the CAM might cause unintended system behavior: traffic that the remaining entries were meant to classify is handled as if those entries did not exist, so check for the error after applying a large policy map and remove or reduce the policy rather than leaving it partially installed.
In releases of Dell EMC Networking OS earlier than Release 9.3(0.0), you can configure only the maximum shaping attributes, such as the peak rate and the peak burst settings. You can now specify the committed or minimum burst and committed rate attributes. The committed burst and committed rate values can be defined either in bytes or pps. You can use the rate-shape pps peak-rate burst-packets command in the QoS Policy Out Configuration mode to configure the peak rate and burst size as a measure of pps.
Using ECN, the packets are marked for transmission at a later time after the network recovers from the heavy traffic state to an optimal load. In this manner, enhanced performance and throughput are achieved. Also, the devices can respond to congestion before a queue overflows and packets are dropped, enabling improved queue management. When a packet reaches the device with ECN enabled for WRED, the average queue size is computed. To measure the average queue size, a weight factor is used.
Table 83. Scenarios of WRED and ECN Configuration (continued)
(Q threshold = Q-T, Service pool threshold = SP-T)

Queue Configuration | Service-Pool Configuration | WRED Threshold Relationship | Expected Functionality
1 1                 | 0 X                        | X                           | Queue-based ECN marking above queue threshold.
                    | 1 X                        | Q-T < SP-T                  | ECN marking to shared buffer limits of the service-pool and then packets are tail dropped.
                    |                            | SP-T < Q-T                  | Same as above but ECN marking starts above SP-T.
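The averaging and marking decision described above, as an added example that is not part of the Dell EMC guide: a software model of one egress queue running WRED with ECN. The average depth is the weighted moving average the text refers to, the mark/drop probability ramps between a minimum and maximum threshold, and a packet is marked (CE) rather than dropped only when ECN is enabled on the queue and the sender set an ECT codepoint. The thresholds, the weight factor, the service rate and the random source are assumptions of the model, not values read from the switch.

```python
import random
from dataclasses import dataclass

# ECN codepoints in the low two bits of the IPv4 TOS / IPv6 Traffic Class byte (RFC 3168)
NOT_ECT, ECT1, ECT0, CE = 0b00, 0b01, 0b10, 0b11


@dataclass
class WredProfile:
    min_threshold: int       # average depth (packets) at which marking/dropping starts
    max_threshold: int       # average depth at which every packet is marked/dropped
    max_probability: float   # mark/drop probability reached at max_threshold
    weight: float = 1 / 16   # EWMA weight factor; smaller values react more slowly


@dataclass
class Queue:
    profile: WredProfile
    ecn_enabled: bool
    depth: int = 0
    avg_depth: float = 0.0

    def update_average(self) -> float:
        """Weighted moving average of the instantaneous depth (classic RED)."""
        w = self.profile.weight
        self.avg_depth = (1.0 - w) * self.avg_depth + w * self.depth
        return self.avg_depth

    def congestion_probability(self) -> float:
        p = self.profile
        if self.avg_depth < p.min_threshold:
            return 0.0
        if self.avg_depth >= p.max_threshold:
            return 1.0
        return p.max_probability * (self.avg_depth - p.min_threshold) / (p.max_threshold - p.min_threshold)

    def admit(self, ecn_bits: int, rnd: float) -> str:
        """Decide one arriving packet: 'forward', 'mark' (CE set, still queued) or 'drop'.
        rnd is a uniform sample in [0, 1) supplied by the caller."""
        self.update_average()
        if rnd >= self.congestion_probability():
            self.depth += 1
            return "forward"
        # Congestion signalled. Mark instead of drop only when ECN is enabled on the
        # queue and the sender declared an ECN-capable transport (ECT(0) or ECT(1)).
        if self.ecn_enabled and ecn_bits in (ECT0, ECT1):
            self.depth += 1
            return "mark"
        return "drop"

    def dequeue(self) -> None:
        if self.depth > 0:
            self.depth -= 1


def simulate(queue: Queue, ecn_bits: int, packets: int, service_every: int = 2, seed: int = 1) -> dict:
    """Offer `packets` arrivals faster than the queue drains (one dequeue every
    `service_every` arrivals) so the average depth climbs through the thresholds.
    Returns the count of each decision."""
    rng = random.Random(seed)
    counts = {"forward": 0, "mark": 0, "drop": 0}
    for i in range(1, packets + 1):
        counts[queue.admit(ecn_bits, rng.random())] += 1
        if i % service_every == 0:
            queue.dequeue()
    return counts


if __name__ == "__main__":
    profile = WredProfile(min_threshold=10, max_threshold=40, max_probability=0.5, weight=0.25)
    for ecn_on, bits, label in ((True, ECT0, "ECN queue, ECT(0) sender"),
                               (True, NOT_ECT, "ECN queue, non-ECT sender"),
                               (False, ECT0, "WRED only, ECT(0) sender")):
        print(label, simulate(Queue(profile, ecn_on), bits, 400))
```

Running the three scenarios shows the point of the table: with ECN on the queue and an ECT sender nothing is dropped, the congestion signal is carried by marks; a non-ECT sender on the same queue, or an ECT sender on a queue without ECN, gets drops instead.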
○ FIN
○ SYN
○ PSH
○ RST
○ URG
In the existing software, the ECE/CWR TCP flag qualifiers are not supported.
● Because this functionality forcibly marks all the packets matching the specific match criteria as 'yellow', Dell EMC Networking OS does not support policer-based coloring and this feature concurrently.
Policy-based ingress QoS involves the following three steps:
1. Classify the incoming traffic.
2. Specify the differentiated actions for each traffic class.
3. Attach the policy map to the interface.
Dell EMC Networking OS supports different types of match qualifiers to classify the incoming traffic. Match qualifiers can be configured directly in the class-map command, or specified through one or more ACLs, each of which defines a combination of match qualifiers.
● set the packet color as 'yellow'
● set the packet color as 'yellow' and set a new DSCP for the packet
This marking action to set the color of the packet is allowed only on the 'match-any' logical operator of the class-map.
 seq 5 permit any dscp 50 ecn 0
!
ip access-list standard dscp_40_non_ecn
 seq 5 permit any dscp 40 ecn 0
!
class-map match-any class_dscp_40
 match ip access-group dscp_40_non_ecn set-color yellow
 match ip access-group dscp_40_ecn
!
class-map match-any class_dscp_50
 match ip access-group dscp_50_non_ecn set-color yellow
 match ip access-group dscp_50_ecn
!
policy-map-input pmap_dscp_40_50
 service-queue 2 class-map class_dscp_40
 service-queue 3 class-map class_dscp_50

Applying Layer 2 Match Criteria on a Layer
important in deployments that experience congestion frequently. The receive buffer must be large enough to save all data that is received when the system processes a PFC PAUSE frame. You can use the service-class buffer shared-threshold-weight queue0 ... queue7 number command in Interface Configuration mode to specify the threshold weight for the shared buffer for each of the queues per port. 1. Create a 10-Gigabit Ethernet interface. DellEMC(conf)#interface TenGigabitEthernet 1/1/1 2.
43 Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Table 84. RIP Defaults

Feature                   Default
Interfaces running RIP    Listen to RIPv1 and RIPv2; transmit RIPv1
RIP timers                update timer = 30 seconds
                          invalid timer = 180 seconds
                          holddown timer = 180 seconds
                          flush timer = 240 seconds
Auto summarization        Enabled
ECMP paths supported      16

Configuration Information
By default, RIP is disabled in Dell EMC Networking OS. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
To view the global RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
DellEMC(conf-router_rip)#show config
!
router rip
 network 10.0.0.0
DellEMC(conf-router_rip)#
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
DellEMC#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 1/4
160.160.0.0/16 auto-summary
2.0.0.
31.0.0.0/8 auto-summary
192.162.2.0/24 [120/1] via 29.10.10.12, 00:01:21, Fa 1/49
192.162.2.0/24 auto-summary
192.161.1.0/24 [120/1] via 29.10.10.12, 00:00:27, Fa 1/49
192.161.1.0/24 auto-summary
192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 1/49
192.162.3.0/24 auto-summary
To disable RIP globally, use the no router rip command in CONFIGURATION mode.
Configure RIP on Interfaces
When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes.
Adding RIP Routes from Other Instances In addition to filtering routes, you can add routes from other routing instances or protocols to the RIP process. With the redistribute command, you can include open shortest path first (OSPF), static, or directly connected routes in the RIP process. To add routes from other routing instances or protocols, use the following commands. ● Include directly connected or user-configured (static) routes in RIP.
The following example of the show ip protocols command confirms that both versions are sent out that interface. This interface no longer sends and receives the same RIP versions as Dell EMC Networking OS does globally (shown in bold).
Controlling Route Metrics As a distance-vector protocol, RIP uses hop counts to determine the best route, but sometimes the shortest hop count is a route over the lowest-speed link. To manipulate RIP routes so that the routing protocol prefers a different route, manipulate the route by using the offset command. Exercise caution when applying an offset command to routers on a broadcast network, as the router using the offset command is modifying RIP advertisements before sending out those advertisements.
● RIP Configuration on Core 3
● Core 3 RIP Output
● RIP Configuration Summary
Figure 111. RIP Topology Example
RIP Configuration on Core2
The following example shows how to configure RIPv2 on a host named Core2.
Core2(conf-if-te-1/1/2)#
Core2(conf-if-te-1/1/2)#router rip
Core2(conf-router_rip)#ver 2
Core2(conf-router_rip)#network 10.200.10.0
Core2(conf-router_rip)#network 10.300.10.0
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.
The following example shows the show ip route command to show the RIP setup on Core 2.
!
router rip
 network 10.0.0.0
 network 192.168.1.0
 network 192.168.2.0
 version 2
Core3(conf-router_rip)#
Core 3 RIP Output
The examples in this section show the Core 3 RIP output.
● To display the Core 3 RIP database, use the show ip rip database command.
● To display the Core 3 RIP setup, use the show ip route command.
● To display the Core 3 RIP activity, use the show ip protocols command.
The following example shows the show ip rip database command to view the learned RIP routes on Core 3.
Incoming filter for all interfaces is
Default redistribution metric is 1
Default version control: receive version 2, send version 2
  Interface                  Recv  Send
  TenGigabitEthernet 3/21/1  2     2
  TenGigabitEthernet 3/11/1  2     2
  TenGigabitEthernet 3/24/1  2     2
  TenGigabitEthernet 3/23/1  2     2
Routing for Networks:
  10.11.20.0
  10.11.30.0
  192.168.2.0
  192.168.1.0
Routing Information Sources:
  Gateway      Distance   Last Update
  10.11.20.
!
router rip
 version 2
 network 10.11.20.0
 network 10.11.30.0
 network 192.168.1.0
 network 192.168.2.
44 Remote Monitoring (RMON)
RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facilities and long-term statistics collection on Dell EMC Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
[no] rmon alarm number variable interval {delta | absolute} rising-threshold [value event-number] falling-threshold value event-number [owner string]
OR
[no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string]
Configure the alarm using the following optional parameters:
○ number: alarm number, an integer from 1 to 65,535; the value must be unique in the RMON Alarm Table.
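The rising/falling threshold behaviour behind the rmon alarm command, as an added example that is not part of the Dell EMC guide: a model of an RFC 2819 alarm entry fed with polled counter values. It shows the two sample types (delta and absolute) and the hysteresis that matters for alerting: once a rising event fires, no further rising event is generated until the value has come back down to the falling threshold, so a counter that hovers around a threshold does not produce a trap storm. The sample values and the thresholds are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RmonAlarm:
    """One row of the RFC 2819 alarmTable."""
    number: int
    sample_type: str            # "delta" or "absolute", as in the rmon alarm command
    rising_threshold: int
    falling_threshold: int
    rising_event: int           # event-number fired on a rising crossing
    falling_event: int          # event-number fired on a falling crossing
    startup: str = "risingOrFalling"   # alarmStartupAlarm: rising | falling | risingOrFalling
    _last_raw: Optional[int] = field(default=None, init=False, repr=False)
    _rising_armed: bool = field(default=True, init=False, repr=False)
    _falling_armed: bool = field(default=True, init=False, repr=False)
    _first: bool = field(default=True, init=False, repr=False)

    def sample(self, raw: int) -> Optional[tuple]:
        """Feed one polled value of the monitored variable. Returns
        (kind, value, event_number) when an event fires, otherwise None."""
        if self.sample_type == "delta":
            if self._last_raw is None:          # a delta needs two samples
                self._last_raw = raw
                return None
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw
        if self._first:
            # alarmStartupAlarm limits which direction may fire on the first valid sample
            self._first = False
            may_rise = self.startup in ("rising", "risingOrFalling")
            may_fall = self.startup in ("falling", "risingOrFalling")
        else:
            may_rise, may_fall = self._rising_armed, self._falling_armed
        if may_rise and value >= self.rising_threshold:
            # disarm rising until the value has dropped to the falling threshold
            self._rising_armed, self._falling_armed = False, True
            return ("rising", value, self.rising_event)
        if may_fall and value <= self.falling_threshold:
            self._rising_armed, self._falling_armed = True, False
            return ("falling", value, self.falling_event)
        return None


def run_alarm(alarm: RmonAlarm, samples: list) -> list:
    """Poll the variable once per interval; collect (sample_index, kind, value, event)."""
    events = []
    for i, raw in enumerate(samples):
        hit = alarm.sample(raw)
        if hit:
            events.append((i, *hit))
    return events


# Constructed sample: an interface error counter polled once per interval (not device data).
SAMPLE_IF_ERRORS = [0, 12, 30, 60, 61, 62, 10, 0, 70]

if __name__ == "__main__":
    # Roughly what "rmon alarm 1 <counter OID> 30 delta rising-threshold 20 1 falling-threshold 5 2" asks for
    alarm = RmonAlarm(1, "delta", 20, 5, rising_event=1, falling_event=2)
    for idx, kind, value, event in run_alarm(alarm, SAMPLE_IF_ERRORS):
        print(f"sample {idx}: {kind} alarm, delta={value}, fire event {event}")
```

With the delta alarm the deltas 30, 1 and 70 fire rising, falling and rising events; the deltas 1 and 1 that follow the first falling crossing fire nothing, which is the hysteresis at work.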
this command. This configuration also generates an SNMP trap when the event is triggered using the SNMP community string "eventtrap".
DellEMC(conf)#rmon event 1 log trap eventtrap description "High ifOutErrors" owner nms1
Configuring RMON Collection Statistics
To enable RMON MIB statistics collection on an interface, use the rmon collection statistics command in INTERFACE CONFIGURATION mode.
● Enable RMON MIB statistics collection.
45 Rapid Spanning Tree Protocol (RSTP) The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP).
● Prevent Network Disruptions with BPDU Guard
● Influencing RSTP Root Selection
● Configuring Spanning Trees as Hitless
● Enabling SNMP Traps for Root Elections and Topology Changes
● Configuring Fast Hellos for Link State Detection
● Flush MAC Addresses after a Topology Change
Important Points to Remember
● RSTP is disabled by default.
● Dell EMC Networking OS supports only one Rapid Spanning Tree (RST) instance.
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. The bold lines indicate that the interface is in Layer 2 mode.
DellEMC(conf-if-te-1/1/1)#show config
!
interface TenGigabitEthernet 1/1/1
 no ip address
 switchport
 no shutdown
DellEMC(conf-if-te-1/1/1)#
Enabling Rapid Spanning Tree Protocol Globally
Enable RSTP globally on all participating bridges; it is not enabled by default.
Figure 112. Rapid Spanning Tree Enabled Globally
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
DellEMC#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
Bridge Identifier has priority 32768, Address 0001.e801.
The port is not in the Edge port mode
Port 380 (TenGigabitEthernet 2/4/1) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.380
Designated root has priority 32768, address 0001.e801.cbb4
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.
Table 86.
Modifying Interface Parameters On interfaces in Layer 2 mode, you can set the port cost and port priority values. ● Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port. ● Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states. The bpduguard shutdown-on-violation option causes the interface hardware to be shut down when it receives a BPDU.
The range is from 50 to 950 milliseconds.
DellEMC(conf-rstp)#do show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
  Root ID    Priority 0, Address 0001.e811.2233
  Root Bridge hello time 50 ms, max age 20, forward delay 15
  Bridge ID  Priority 0, Address 0001.e811.2233
  We are the root
  Configured hello time 50 ms, max age 20, forward delay 15
NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second.
46 Software-Defined Networking (SDN) The Dell EMC Networking OS supports software-defined networking (SDN). For more information, see the SDN Deployment Guide.
47 Security This chapter describes several ways to provide security to the Dell EMC Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide.
● Enable AAA accounting and create a record for monitoring the accounting function.
CONFIGURATION mode
aaa accounting {commands level | dot1x | exec | rest | suppress | system} {default | name} {start-stop | wait-start | stop-only} {radius | tacacs+}
The variables are:
○ system: sends accounting information for any other AAA configuration.
○ exec: sends accounting information when a user has logged in to EXEC mode.
○ dot1x: sends accounting information when a dot1x user has logged in to EXEC mode.
accounting commands 15 com15
accounting exec execAcct
DellEMC(config-line-vty)# accounting commands 15 com15
DellEMC(config-line-vty)# accounting exec execAcct
Monitoring AAA Accounting
Dell EMC Networking OS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting.
Sample dot1x accounting records The following lists the sample EAP and MAB accounting records EAP START accounting record: Fri May 10 12:20:43 2019 NAS-IP-Address = 10.16.133.
NAS-Port = 1010
NAS-Port-Id = "GigabitEthernet 1/11"
Service-Type = Call-Check
Acct-Session-Time = 21
Acct-Session-Id = "00-11-22-33-44-55-4"
Acct-Multi-Session-Id = "00-11-22-33-44-55-00-11-33-44-77-88-5e-50-d6-5cc"
Acct-Link-Count = 1
Acct-Terminate-Cause = Lost-Carrier
Acct-Status-Type = Stop
Event-Timestamp = "May 10 2019 23:30:42 CDT"
Tmp-String-9 = "ai:"
Acct-Unique-Session-Id = "5a761462ef63b815707de5fa1c5ef348"
Timestamp = 1557549042
RADIUS Accounting attributes
The following tables describe the va
Table 88. RADIUS Accounting Stop Record Attributes for CLI user (continued)
RADIUS Attribute code   RADIUS Attribute       Description
46                      Acct-Session-Time      Time the user has received the service.
49                      Acct-Terminate-Cause   Reason for session termination.
61                      NAS-Port-Type          ASYNC for a console session; VIRTUAL for a telnet/SSH session.
Table 89.
Table 91. RADIUS Accounting Stop Record Attributes for dot1x supplicant (continued)
RADIUS Attribute code   RADIUS Attribute    Description
4                       NAS-IP-Address      IPv4 address of the NAS.
95                      NAS-IPv6-Address    IPv6 address of the NAS.
Session Identification Attributes
1                       User-Name           User name, or the supplicant MAC address for MAB.
5                       NAS-Port            Port on which the session is terminated.
6                       Service-Type        Framed (2) for EAP; Call-Check (10) for MAB.
8                       Framed-IP-Address   IPv4 address of the supplicant.
Table 92. Use cases for dot1x supplicant to trigger RADIUS Accounting Start/Stop records (continued)
dot1x event                                               Accounting type   Attributes
Configure Port control to force unauth                    Stop              Stop record attributes with termination cause port-reinitialized (21).
Interface Host mode change (single/multihost/multiauth)   Stop              Stop record attributes with termination cause port-reinitialized (21).
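The accounting records and attribute tables above are what a NAS emits; consuming them is the other half. As an added example that is not part of the Dell EMC guide, the following parses records in the detail-file layout shown for the EAP/MAB accounting records (a timestamp line followed by indented "Attribute = Value" lines, one blank line between records), pairs Start and Stop records by Acct-Session-Id, and reports what an analyst wants from them: sessions still open, Stop records with no matching Start, and the termination cause of every closed session. The three records are constructed for the example and reuse only the attribute names shown above.

```python
import re

# Constructed records in the detail-file layout shown above (not real device output):
# a MAB Start/Stop pair for one supplicant and a Stop whose Start was never seen.
SAMPLE_DETAIL = """\
Fri May 10 12:20:43 2019
\tNAS-IP-Address = 10.16.133.20
\tNAS-Port = 1010
\tNAS-Port-Id = "GigabitEthernet 1/11"
\tUser-Name = "00-11-22-33-44-55"
\tService-Type = Call-Check
\tAcct-Status-Type = Start
\tAcct-Session-Id = "00-11-22-33-44-55-4"
\tEvent-Timestamp = "May 10 2019 12:20:43 CDT"

Fri May 10 12:21:04 2019
\tNAS-IP-Address = 10.16.133.20
\tNAS-Port = 1010
\tNAS-Port-Id = "GigabitEthernet 1/11"
\tUser-Name = "00-11-22-33-44-55"
\tService-Type = Call-Check
\tAcct-Session-Time = 21
\tAcct-Session-Id = "00-11-22-33-44-55-4"
\tAcct-Terminate-Cause = Lost-Carrier
\tAcct-Status-Type = Stop
\tEvent-Timestamp = "May 10 2019 12:21:04 CDT"

Fri May 10 12:25:10 2019
\tNAS-IP-Address = 10.16.133.20
\tNAS-Port = 1012
\tNAS-Port-Id = "GigabitEthernet 1/13"
\tUser-Name = "aa-bb-cc-dd-ee-ff"
\tService-Type = Call-Check
\tAcct-Session-Time = 3
\tAcct-Session-Id = "aa-bb-cc-dd-ee-ff-9"
\tAcct-Terminate-Cause = Admin-Reset
\tAcct-Status-Type = Stop
"""

ATTR_LINE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_detail(text: str) -> list:
    """Split a detail file into records. Each record starts with an unindented
    timestamp line and holds "Attribute = Value" lines; quoted values lose their quotes."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line = record timestamp
            current = {"_timestamp": line.strip()}
            records.append(current)
            continue
        m = ATTR_LINE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return records


def audit_sessions(records: list) -> dict:
    """Pair Start/Stop by Acct-Session-Id. A Stop without a Start means the Start was
    lost or never sent (the accounting trail for that session is incomplete); a Start
    without a Stop is a session the server still believes is open."""
    starts, closed, unmatched = {}, [], []
    for rec in records:
        sid, status = rec.get("Acct-Session-Id"), rec.get("Acct-Status-Type")
        if status == "Start":
            starts[sid] = rec
        elif status == "Stop":
            if sid in starts:
                del starts[sid]
            else:
                unmatched.append(sid)
            closed.append((sid, rec.get("User-Name"), rec.get("NAS-Port-Id"),
                           rec.get("Acct-Terminate-Cause", "unknown"),
                           int(rec.get("Acct-Session-Time", "0"))))
    return {"open": sorted(starts), "unmatched_stops": unmatched, "closed": closed}


if __name__ == "__main__":
    report = audit_sessions(parse_detail(SAMPLE_DETAIL))
    for sid, user, port, cause, secs in report["closed"]:
        print(f"{sid}: {user} on {port} closed after {secs}s, cause {cause}")
    print("open:", report["open"], "stop without start:", report["unmatched_stops"])
```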
Configuring AAA Authentication Login Methods
To configure an authentication method and method list, use the following commands.
Dell EMC Networking OS Behavior: If you use a method list on the console port in which RADIUS or TACACS+ is the last authentication method, and the server is not reachable, Dell EMC Networking OS allows access even though the username and password credentials cannot be verified. This is fail-open behavior for the console: while the servers are unreachable, anyone with physical console access can log in. It applies only when a server-based method is last in the list; a list that ends in a different method falls through to that method instead. Treat console access as a protected resource when choosing the console method list.
CONFIGURATION mode
aaa authentication enable default radius tacacs
2. Establish a host address and password for the RADIUS server.
CONFIGURATION mode
radius-server host x.x.x.x key some-password
3. Establish a host address and password for the TACACS+ server.
CONFIGURATION mode
tacacs-server host x.x.x.x key some-password
To get enable authentication from the RADIUS server and use TACACS+ as a backup, issue the following commands. The following example shows enabling authentication from the RADIUS server.
Example:
DellEMC(config)#aaa authentication login vty_auth_list radius
Force all logged-in users to re-authenticate (y/n)?
3. You are prompted to force the users to re-authenticate whenever there is a change in the RADIUS server list.
CONFIGURATION mode
radius-server host IP Address
Example:
DellEMC(config)#radius-server host 192.100.0.12
Force all logged-in users to re-authenticate (y/n)?
DellEMC(config)#no radius-server host 192.100.0.
● Privilege level 1 — is the default level for EXEC mode. At this level, you can interact with the router, for example, view some show commands and Telnet and ping to test connectivity, but you cannot configure the router. This level is often called the “user” level. One of the commands available in Privilege level 1 is the enable command, which you can use to enter a specific privilege level. ● Privilege level 0 — contains only the end, enable, and disable commands.
Configuring the Enable Password Command To configure Dell EMC Networking OS, use the enable command to enter EXEC Privilege level 15. After entering the command, Dell EMC Networking OS requests that you enter a password. Privilege levels are not assigned to passwords, rather passwords are assigned to a privilege level. You can always change a password for any privilege level. To change to a different privilege level, enter the enable command, then the privilege level.
3. Configure the level and commands for a mode, or reset a command's level.
CONFIGURATION mode
privilege mode {level level command | reset command}
Configure the following required and optional parameters:
● mode: enter a keyword for the mode (exec, configure, interface, line, route-map, or router)
● level level: the range is from 0 to 15. Levels 0, 1, and 15 are pre-configured. Levels 2 to 14 are available for custom configuration.
● command: a Dell EMC Networking OS CLI keyword (up to five keywords allowed).
snmp-server Modify SNMP parameters DellEMC(conf)# Specifying LINE Mode Password and Privilege You can specify a password authentication of all users on different terminal lines. The user’s privilege level is the same as the privilege level assigned to the terminal line, unless a more specific privilege level is assigned to the user. To specify a password for the terminal line, use the following commands. ● Configure a custom privilege level for the terminal lines.
RADIUS Authentication Dell EMC Networking OS supports RADIUS for user authentication (text password) at login and can be specified as one of the login authentication methods in the aaa authentication login command. When configuring AAA authorization, you can configure to limit the attributes of services available to a user. When you enable authorization, the network access server uses configuration information from the user profile to issue the user's session.
Configuration Task List for RADIUS
To authenticate users using RADIUS, you must specify at least one RADIUS server for the system to communicate with, and configure RADIUS as one of your authentication methods. The following list includes the configuration tasks for RADIUS.
Specifying a RADIUS Server Host When configuring a RADIUS server host, you can set different communication parameters, such as the UDP port, the key password, the number of retries, and the timeout. To specify a RADIUS server host and configure its communication parameters, use the following command. ● Enter the host name or IP address of the RADIUS server host.
To view the configuration of RADIUS communication parameters, use the show running-config command in EXEC Privilege mode. Monitoring RADIUS To view information on RADIUS transactions, use the following command. ● View RADIUS transactions to troubleshoot problems. EXEC Privilege mode debug radius Microsoft Challenge-Handshake Authentication Protocol Support for RADIUS Authentication Dell EMC Networking OS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAPv2) with RADIUS authentication.
Alternatively, if the user's authorization level changes, that change may require authorization attributes to be added to or deleted from the user session. To overcome these limitations, Dell EMC Networking OS provides RADIUS extension commands that enable unsolicited messages to be sent to the NAS. These extension commands provide support for Disconnect Messages (DMs) and Change-of-Authorization (CoA) packets.
Table 96.
Table 99. CoA EAP/MAB Disable Port (continued)
Radius Attribute code   Radius Attribute   Description                                                                                           Mandatory
Authorization Attributes
26                      Vendor-Specific    t=26(vendor-specific);l=length;vendor-identification-attribute;Length=value; Data="cmd=bounce-host-port"   Yes

Table 100. CoA EAP/MAB Bounce Port
Radius Attribute code   Radius Attribute   Description                 Mandatory
NAS Identification Attributes
4                       NAS-IP-Address     IPv4 address of the NAS.    No
95                      NAS-IPv6-Address   IPv6 address of the NAS.
Table 102. DM AAA Session(s) disconnect (continued)
Radius Attribute code   Radius Attribute   Description                                                                                          Mandatory
5                       NAS-Port           Port on which the session is terminated.                                                             No
Authorization Attributes
26                      Vendor-Specific    t=26(vendor-specific);l=length;vendor-identification-attribute;Length=value; Data="cmd=disconnect-user"   Yes

Error-cause Values
It is possible that a Dynamic Authorization Server cannot honor Disconnect Message request or CoA request packets for some reason.
The Invalid Attribute Value Error-Cause applies to the following scenarios:
○ the CoA request contains an incorrect Vendor-Specific attribute value.
○ the CoA request contains incorrect NAS-Port or Calling-Station-Id values.
● rejects a CoA-Request containing a NAS-IP-Address or NAS-IPv6-Address attribute that does not match the NAS with a CoA-NAK; the Error-Cause value is "NAS Identification Mismatch" (403).
● responds to a disconnect message containing one or more incorrect attribute values with a Disconnect-NAK; the Error-Cause value is "Invalid Attribute Value" (407).
● responds to a disconnect message containing unsupported attributes with a Disconnect-NAK; the Error-Cause value is "Unsupported Attributes" (401).
NOTE: Unsupported attributes are those that are not mentioned in RFC 5176 but are present in the disconnect message received by the NAS.
1. Enter the following command to configure the dynamic authorization feature:
radius dynamic-auth
2. Enter the following command to terminate the 802.1x user session:
disconnect-user
NAS disconnects the administrative users who are connected through an AAA interface.
Dell(conf)#radius dynamic-auth
Dell(conf-dynamic-auth)#disconnect-user
NAS takes the following actions:
● validates the DM request and the session identification attributes.
To initiate 802.1x session re-authentication, the DAC sends a standard CoA request that contains one or more session identification attributes. NAS uses the calling-station-id or the NAS-port attributes to identify a 802.1x user session. In case of the EAP or MAB users, the MAC address is the calling-station-id of the supplicant and the NAS-port is the interface identifier. If both these attributes are present in the CoA request, NAS retrieves the supplicant connected to the interface.
● discards the packet if simultaneous requests are received for the same NAS-Port or Calling-Station-Id, or both.
Disabling an 802.1x enabled port
Dell EMC Networking OS provides RADIUS extension commands that enable you to disable 802.1x enabled ports. This command administratively shuts down the port, terminating the dot1x user session. It is useful when a port is known to cause issues in the network and needs to be disabled. Before disabling the 802.
Stack failover scenario This section describes the stack failover scenario. ● The NAS stacking module processes the RADIUS dynamic authorization messages only if the role of module is master. ● The NAS standby stacking module processes the retransmitted CoA or DM messages without requiring a chassis reboot, if the master module fails and the standby module becomes the master. Configuring replay protection NAS enables you to configure the replay protection window period.
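The validation steps listed above for a Disconnect Message, as an added example that is not part of the Dell EMC guide: a minimal model of the RFC 5176 exchange between a Dynamic Authorization Client (DAC) and the NAS. The DAC builds a Disconnect-Request whose Request Authenticator is MD5 over Code, Identifier, Length, 16 zero octets, the attributes and the shared secret; the NAS verifies that authenticator, applies the replay-protection window to Event-Timestamp, checks that NAS-IP-Address names this NAS, looks the session up by Calling-Station-Id and NAS-Port, and answers Disconnect-ACK or Disconnect-NAK carrying the Error-Cause values quoted above. The shared secret, the session table, the window length and the choice to silently discard an out-of-window request (rather than NAK it) are assumptions of the example; the NAS address and supplicant MAC are the ones in the sample accounting record.

```python
import hashlib
import hmac
import ipaddress
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
NAS_IP_ADDRESS, NAS_PORT, CALLING_STATION_ID, EVENT_TIMESTAMP, ERROR_CAUSE = 4, 5, 31, 55, 101
ERR_UNSUPPORTED_ATTRIBUTE, ERR_NAS_IDENTIFICATION_MISMATCH, ERR_SESSION_CONTEXT_NOT_FOUND = 401, 403, 503
SUPPORTED = {NAS_IP_ADDRESS, NAS_PORT, CALLING_STATION_ID, EVENT_TIMESTAMP}


def attr(atype: int, value: bytes) -> bytes:
    """RADIUS TLV: Type (1 octet), Length (1 octet, includes the 2-octet header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out


def encode(code: int, ident: int, attrs: bytes, secret: bytes, req_auth: bytes = bytes(16)) -> bytes:
    """Request Authenticator (RFC 5176 section 2.3): MD5(Code+Identifier+Length+16 zero
    octets+Attributes+Secret). A response uses the request's authenticator in place of
    the zero octets, which ties the answer to that one request."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify(packet: bytes, secret: bytes, req_auth: bytes = bytes(16)) -> bool:
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)   # constant-time comparison


def dac_disconnect_request(ident: int, nas_ip: str, mac: str, port: int, now: int, secret: bytes) -> bytes:
    """DAC side: identify the NAS, the session (Calling-Station-Id = supplicant MAC,
    NAS-Port = interface) and the time of the request."""
    attrs = (attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + attr(CALLING_STATION_ID, mac.encode())
             + attr(NAS_PORT, struct.pack("!I", port))
             + attr(EVENT_TIMESTAMP, struct.pack("!I", now)))
    return encode(DISCONNECT_REQUEST, ident, attrs, secret)


def nas_handle(packet: bytes, secret: bytes, nas_ip: str, sessions: dict, now: int, window: int = 300):
    """NAS side. Returns (action, response). A packet that fails authentication, is
    not a Disconnect-Request, or falls outside the replay window is silently discarded."""
    if not verify(packet, secret) or packet[0] != DISCONNECT_REQUEST:
        return "discard", None
    ident, req_auth = packet[1], packet[4:20]
    attrs = parse_attrs(packet[20:])

    def nak(cause: int):
        return "nak", encode(DISCONNECT_NAK, ident, attr(ERROR_CAUSE, struct.pack("!I", cause)), secret, req_auth)

    ts = attrs.get(EVENT_TIMESTAMP)
    if ts is not None and (len(ts) != 4 or abs(struct.unpack("!I", ts)[0] - now) > window):
        return "discard", None                        # assumed replay-protection action
    if set(attrs) - SUPPORTED:
        return nak(ERR_UNSUPPORTED_ATTRIBUTE)
    if NAS_IP_ADDRESS in attrs and attrs[NAS_IP_ADDRESS] != ipaddress.IPv4Address(nas_ip).packed:
        return nak(ERR_NAS_IDENTIFICATION_MISMATCH)
    mac = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
    port = struct.unpack("!I", attrs[NAS_PORT])[0] if NAS_PORT in attrs else None
    if mac not in sessions or (port is not None and sessions[mac] != port):
        return nak(ERR_SESSION_CONTEXT_NOT_FOUND)
    del sessions[mac]                                 # tear the 802.1x session down
    return "ack", encode(DISCONNECT_ACK, ident, b"", secret, req_auth)


def error_cause(response: bytes) -> int:
    return struct.unpack("!I", parse_attrs(response[20:])[ERROR_CAUSE])[0]


if __name__ == "__main__":
    secret, mac, t0 = b"s3cret", "00-11-22-33-44-55", 1557549042   # assumed values
    sessions = {mac: 1010}
    req = dac_disconnect_request(7, "10.16.133.20", mac, 1010, t0, secret)
    print(nas_handle(req, secret, "10.16.133.20", sessions, t0 + 5)[0], sessions)
    print(nas_handle(req, secret, "10.16.133.20", {mac: 1010}, t0 + 3600)[0])  # replayed later
```

The order of the checks is deliberate: the authenticator is verified before anything is parsed, so a forged or tampered request never reaches the attribute logic, and a stale Event-Timestamp is dropped before the NAS reveals, via a NAK, whether the session exists.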
● TACACS+ Remote Authentication
● Specifying a TACACS+ Server Host
For a complete listing of all commands related to TACACS+, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide.
Choosing TACACS+ as the Authentication Method
One of the login authentication methods available is TACACS+; the user's name and password are sent for authentication to the TACACS+ hosts specified.
tacacs-server host 10.10.10.10 timeout 1
DellEMC(conf)#tacacs-server key angeline
DellEMC(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on vty0 (10.11.9.209)
%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0 ( 10.11.9.209 )
%RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0 (10.11.9.
To specify multiple TACACS+ server hosts, configure the tacacs-server host command multiple times. If you configure multiple TACACS+ server hosts, Dell EMC Networking OS attempts to connect with them in the order in which they were configured. To view the TACACS+ configuration, use the show running-config tacacs+ command in EXEC Privilege mode. To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command.
ssh {hostname} [-l username | -p port-number | -v 2 | -c encryption-cipher | -m HMAC-algorithm]
hostname is the IP address or host name of the remote device. Enter an IPv4 address in dotted decimal format (A.B.C.D) or an IPv6 address.
● SSH V2 is enabled by default on all the modes.
● Display SSH connection information.
EXEC Privilege mode
show ip ssh
The following example uses the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting.
● ip ssh connection-rate-limit: configure the maximum number of incoming SSH connections per minute.
● ip ssh hostbased-authentication enable: enable host-based authentication for the SSHv2 server.
● ip ssh password-authentication enable: enable password authentication for the SSH server.
● ip ssh pub-key-file: specify the file the host-based authentication uses.
● ip ssh rhostsfile: specify the rhost file the host-based authorization uses.
key-exchange-algorithm: Enter a space-delimited list of key exchange algorithms that the SSH server uses. The following key exchange algorithms are available:
● diffie-hellman-group-exchange-sha1
● diffie-hellman-group1-sha1
● diffie-hellman-group14-sha1
The default key exchange algorithms are the following:
● diffie-hellman-group-exchange-sha1
● diffie-hellman-group1-sha1
● diffie-hellman-group14-sha1
When FIPS is enabled, the default is diffie-hellman-group14-sha1.
NOTE: diffie-hellman-group1-sha1 uses a 1024-bit group (Oakley Group 2), below the 2048-bit minimum recommended in RFC 8270. Unless a legacy client requires it, restrict the list as the FIPS default does.
hmac-algorithm: Enter a space-delimited list of keyed-hash message authentication code (HMAC) algorithms the SSH server supports. The following HMAC algorithms are available:
● hmac-md5
● hmac-md5-96
● hmac-sha1
● hmac-sha1-96
● hmac-sha2-256
The default list of HMAC algorithms, in order, is:
● hmac-sha2-256
● hmac-sha1
● hmac-sha1-96
● hmac-md5
● hmac-md5-96
When FIPS is enabled, the default HMAC algorithms are hmac-sha2-256, hmac-sha1, and hmac-sha1-96. Outside FIPS mode the MD5-based MACs are still offered, and a client that prefers one of them will negotiate it; remove hmac-md5 and hmac-md5-96 (and hmac-sha1-96 if no client needs it) so that only full-length SHA MACs can be selected.
cipher-list: Enter a space-delimited list of ciphers the SSH client supports. The following ciphers are available:
● 3des-cbc
● aes128-cbc
● aes192-cbc
● aes256-cbc
● aes128-ctr
● aes192-ctr
● aes256-ctr
The default cipher list, in order, is: aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc. 3des-cbc has a 64-bit block, and the CBC modes are weaker than the CTR modes in SSH; restricting the list to aes256-ctr, aes192-ctr, and aes128-ctr is the usual hardening step.
Example of Configuring a Cipher List
The following example shows you how to configure a cipher list.
To view your SSH configuration, use the show ip ssh command from EXEC Privilege mode.
DellEMC(conf)#ip ssh server enable
DellEMC(conf)#ip ssh password-authentication enable
DellEMC# show ip ssh
SSH server : enabled.
SSH server version : v2.
SSH server vrf : default.
SSH server ciphers : 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr.
SSH server macs : hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96.
Refer to the first example.
3. Create a list of IP addresses and usernames that are permitted to SSH in a file called rhosts. Refer to the second example.
4. Copy the files shosts and rhosts to the Dell EMC Networking system.
5. Disable password authentication and RSA authentication, if configured.
CONFIGURATION mode or EXEC Privilege mode
no ip ssh password-authentication or no ip ssh rsa-authentication
6. Enable host-based authentication.
CONFIGURATION mode
ip ssh hostbased-authentication enable
7.
Troubleshooting SSH
To troubleshoot SSH, use the following information.
You cannot bind id_rsa.pub to RSA authentication while logged in via the console. In this case, this message displays:
%Error: No username set for this term.
Enable host-based authentication on both the server (the Dell EMC Networking system) and the client (the Unix machine). The following message appears if you attempt to log in via SSH and host-based authentication is disabled on the client.
3. Assign an access class.
4. Enter a privilege level.
You can assign line authentication on a per-VTY basis; it is a simple password authentication, using an access-class as authorization.
Configure local authentication globally and configure access classes on a per-user basis. Dell EMC Networking OS can assign different access classes to different users by username. Until users attempt to log in, Dell EMC Networking OS does not know if they will be assigned a VTY line.
Example of Configuring VTY Authorization Based on MAC ACL for the Line (Per MAC Address)
DellEMC(conf)#mac access-list standard sourcemac
DellEMC(config-std-mac)#permit 00:00:5e:00:01:01
DellEMC(config-std-mac)#deny any
DellEMC(conf)#
DellEMC(conf)#line vty 0 9
DellEMC(config-line-vty)#access-class sourcemac
DellEMC(config-line-vty)#end
A source MAC address is only meaningful on the directly attached segment and is trivial to spoof, so a MAC access class limits which hosts reach the login prompt; it is not an authentication control and does not replace AAA.
Role-Based Access Control
With Role-Based Access Control (RBAC), access and authorization is controlled based on a user's role.
A constrained RBAC model provides for separation of duty and, as a result, provides greater security than the hierarchical RBAC model. Essentially, a constrained model puts some limitations around each role's permissions so that you can partition tasks between roles. However, some inheritance is possible. Default command permissions are based on CLI mode (such as configure, interface, router), any specific command settings, and the permissions allowed by the privilege and role commands.
line console 0
 login authentication test
 authorization exec test
 exec-timeout 0 0
line vty 0
 login authentication test
 authorization exec test
line vty 1
 login authentication test
 authorization exec test
To enable role-based only AAA authorization, enter the following command in CONFIGURATION mode:
DellEMC(conf)#aaa authorization role-only
System-Defined RBAC User Roles
By default, the Dell EMC Networking OS provides 4 system-defined user roles. You can create up to 8 additional user roles.
Important Points to Remember
Consider the following when creating a user role:
● Only the system administrator and user-defined roles inherited from the system administrator can create roles and user names.
● Only the system administrator, security administrator, and roles inherited from these can use the role command to modify command permissions.
● The security administrator and roles inherited from the security administrator can only modify permissions for commands they already have access to.
line: Line Configuration mode
route-map: Route map configuration mode
router: Router configuration mode
Examples: Deny Network Administrator from Using the show users Command
The following example denies the netadmin role from using the show users command and then verifies that netadmin cannot access the show users command in EXEC mode. Note that the netadmin role is not listed in "Role access: secadmin,sysadmin", which means the netadmin cannot access the show users command.
DellEMC(conf)#do show role mode configure line
Role access:sysadmin
Example: Grant and Remove Security Administrator Access to Configure Protocols
By default, the system-defined role secadmin is not allowed to configure protocols. The following example first grants the secadmin role permission to configure protocols and then removes that permission.
Configure AAA Authentication for Roles Authentication services verify the user ID and password combination. Users with defined roles and users with privileges are authenticated with the same mechanism. There are six methods available for authentication: radius, tacacs+, local, enable, line, and none. When role-based only AAA authorization is enabled, the enable, line, and none methods are not available.
NOTE: The methods were not applied to the console, so the default methods (if configured) apply there.
The following section shows you how to create an AV pair so that a user logging in from a network access server has access to commands based on the user's role. The format of the AV pair for a user role is Force10-avpair="shell:role=user-role", where user-role is a user-defined or system-defined role. In the following example, you create an AV pair for a system-defined role, sysadmin.
Force10-avpair="shell:role=sysadmin"
In the following example, you create an AV pair for a user-defined role.
Task ID 1, EXEC Accounting record, 00:00:30 Elapsed, service=shell
Active accounted actions on tty3, User admin Priv 15 Role sysadmin
Task ID 2, EXEC Accounting record, 00:00:26 Elapsed, service=shell
Display Information About User Roles
This section describes how to display information about user roles and consists of the following topics:
● Displaying User Roles
● Displaying Information About Roles Logged into the Switch
● Displaying Active Accounting Sessions for Roles
Displaying User Roles
To display
Displaying Information About Users Logged into the Switch
To display information on all users logged into the switch, use the show users command in EXEC Privilege mode. The output displays the privilege level and/or user role. The mode is displayed at the start of the output, and both the privilege and the role of every user are displayed. If the role is not defined, the system displays "unassigned".
show ip ssh
DellEMC# show ip ssh
SSH server : enabled.
SSH server version : v2.
SSH server vrf : default.
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
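The default lists in this output still offer CBC ciphers, MD5-based MACs and a 1024-bit Diffie-Hellman group. The following Python script is an added example (it is not part of the Dell guide or its software) that parses this show ip ssh output, reports the entries a reviewer would remove and prints restricted lists. It assumes the output layout shown above; the remediation commands it prints use the assumed syntax ip ssh server cipher, ip ssh server mac and ip ssh server kex, corresponding to the cipher-list, hmac-algorithm and key-exchange-algorithm arguments described earlier, so check them against the CLI reference for your release before pasting them.

```python
"""Audit the algorithm lists reported by `show ip ssh` on a Dell EMC Networking OS
switch and propose hardened lists. Added example, not part of the Dell guide.
Assumptions: the show ip ssh output layout shown in the guide, and the command
syntax 'ip ssh server {cipher|mac|kex} <list>' for the remediation lines
(confirm against the CLI reference for your release)."""
import re

# Algorithms a reviewer would remove, with the reason reported for each.
WEAK = {
    "3des-cbc": "64-bit block cipher (Sweet32) in CBC mode",
    "aes128-cbc": "CBC mode; SSH CBC modes have known plaintext-recovery weaknesses",
    "aes192-cbc": "CBC mode",
    "aes256-cbc": "CBC mode",
    "hmac-md5": "MD5-based MAC",
    "hmac-md5-96": "MD5-based, truncated MAC",
    "hmac-sha1-96": "truncated SHA-1 MAC",
    "hmac-sha2-256-96": "truncated MAC",
    "diffie-hellman-group1-sha1": "1024-bit DH group (Logjam-class precomputation)",
    "diffie-hellman-group-exchange-sha1": "SHA-1 group exchange; may negotiate small groups",
}

# Section name in the output -> keyword of the (assumed) server command.
FIELDS = {"ciphers": "cipher", "macs": "mac", "kex algorithms": "kex"}

# Constructed sample: the show ip ssh listing reproduced from the guide.
SAMPLE = """\
SSH server : enabled.
SSH server version : v2.
SSH server vrf : default.
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
"""


def parse_show_ip_ssh(text):
    """Return the algorithm lists (in server preference order) and the auth flags."""
    parsed = {}
    for line in text.splitlines():
        m = re.match(r"SSH server (ciphers|macs|kex algorithms)\s*:\s*(.*?)\.?\s*$", line)
        if m:
            parsed[m.group(1)] = [a.strip() for a in m.group(2).split(",") if a.strip()]
            continue
        m = re.match(r"(Password|Hostbased|RSA) Authentication\s*:\s*(enabled|disabled)", line)
        if m:
            parsed[m.group(1).lower() + "_auth"] = m.group(2) == "enabled"
    return parsed


def audit(parsed):
    """Return (findings, surviving lists). Order of the surviving lists is preserved."""
    findings, keep = [], {}
    for field in FIELDS:
        algos = parsed.get(field, [])
        keep[field] = [a for a in algos if a not in WEAK]
        findings += [f"{field}: {a} ({WEAK[a]})" for a in algos if a in WEAK]
        if algos and not keep[field]:
            findings.append(f"{field}: nothing acceptable would remain; do not apply blindly")
    if parsed.get("password_auth") and not (parsed.get("rsa_auth") or parsed.get("hostbased_auth")):
        findings.append("password authentication is the only enabled method; enable RSA or host-based")
    return findings, keep


def remediation(keep):
    """CLI lines restricting the server to the surviving algorithms (syntax assumed)."""
    return [f"ip ssh server {FIELDS[f]} {' '.join(keep[f])}" for f in FIELDS if keep[f]]


if __name__ == "__main__":
    findings, keep = audit(parse_show_ip_ssh(SAMPLE))
    print("\n".join(findings + remediation(keep)))
```

Run it against a saved show ip ssh capture; the findings list is empty when nothing in WEAK is offered, and the remediation lines are only printed for lists that still have an acceptable algorithm left.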
Table 105. Suppressed ICMP message types (continued)
ICMPv4 message types:
● Time exceeded (11)
● IP header bad (12)
● Timestamp request (13)
● Timestamp reply (14)
● Information request (15)
● Information reply (16)
● Address mask request (17)
● Address mask reply (18)
NOTE: The Dell EMC Networking OS does not suppress the ICMP message type echo request (8).
Table 106.
SSH Lockout Settings
The system has an SSH protection mechanism which, by default, allows 10 login attempts (success or failure) per minute. After the 10th attempt, the system blocks further logins until one minute has elapsed since the first attempt, then allows the next set of login attempts. From Dell EMC Networking OS version 9.11(0.0), the mechanism allows 60 login attempts (success or failure) per minute. Treat this as a throttle on the control plane rather than a brute-force defense: 60 attempts per minute still permits thousands of password guesses per hour, so combine it with an access-class on the VTY lines and with RSA or host-based authentication in place of passwords.
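To see what the limit above does and does not buy you, the following Python model is added here as an example (it is not part of the Dell guide). It implements the stated behaviour, a fixed one-minute window counted from the first attempt with N attempts allowed, and then computes the online guessing budget the limit leaves an attacker. The window semantics are an interpretation of the two sentences in the text, and the attempt timestamps are constructed.

```python
"""Model of the SSH login-rate protection described above: N attempts (success
or failure) per minute, counted from the first attempt in the window; once N is
reached, later attempts are refused until a minute has passed since that first
attempt, and a new window then starts. Added example, not part of the Dell
guide; it is an interpretation of the text, used only to reason about what the
limit does and does not buy you."""


class SshAttemptLimiter:
    def __init__(self, max_attempts=10, window_seconds=60):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.window_start = None   # time of the first attempt in the current window
        self.count = 0

    def attempt(self, now):
        """Record an attempt at time `now` (seconds). True if the login prompt is
        offered, False if the attempt is blocked by the lockout."""
        if self.window_start is None or now - self.window_start >= self.window_seconds:
            self.window_start, self.count = now, 0
        if self.count >= self.max_attempts:
            return False
        self.count += 1
        return True


def simulate(attempt_times, max_attempts=10):
    """Replay a list of attempt timestamps; returns one bool per attempt."""
    limiter = SshAttemptLimiter(max_attempts)
    return [limiter.attempt(t) for t in attempt_times]


def guesses_per_hour(max_attempts):
    """Upper bound on online password guesses under the limit (one guess per attempt)."""
    return max_attempts * 60


def hours_to_exhaust(keyspace, max_attempts):
    """Worst-case hours for an attacker to try every one of `keyspace` candidates."""
    return keyspace / guesses_per_hour(max_attempts)


if __name__ == "__main__":
    # Constructed scenario: one attempt every 5 seconds for a minute and a half.
    outcome = simulate([5 * i for i in range(18)])
    print("accepted:", outcome.count(True), "blocked:", outcome.count(False))
    for limit in (10, 60):
        print(f"{limit}/min -> {guesses_per_hour(limit)} guesses/hour; "
              f"a 4-digit PIN space falls in {hours_to_exhaust(10_000, limit):.1f} h")
```

At one attempt every five seconds the model accepts ten, blocks the two that fall inside the first minute, and accepts again from the sixtieth second; at 60 per minute a four-digit PIN space is exhausted in under three hours, which is why the limiter needs an access-class and key-based authentication beside it.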
copy running-configuration startup-configuration
After enabling and configuring OS image hash verification, the device verifies the hash checksum of the OS boot image during every reload.
DellEMC# verified boot hash system-image A: 619A8C1B7A2BC9692A221E2151B9DA9E
The 32-hex-digit value in this example is an MD5 hash. The generate hash command also produces SHA-1 and SHA-256 values; MD5 collisions are practical, so record a SHA-256 value for each image wherever your release accepts one, and obtain the expected value from the vendor download page rather than from the device you are about to verify.
Image Verification for Subsequent OS Upgrades
After enabling OS image hash verification, for subsequent Dell EMC Networking OS upgrades, you must enter the hash checksum of the new OS image file.
generate hash {md5 | sha1 | sha256} {flash://filename | startup-config}
3. Verify the hash checksum of the current startup configuration on the local file system.
EXEC Privilege mode
verified boot hash startup-config hash-value
NOTE: The verified boot hash command is only applicable for the startup configuration file in the local file system.
After enabling and configuring startup configuration verification, the device verifies the hash checksum of the startup configuration during every reload.
○ 7 directs the system to store the password with a dynamic salt.
When you configure the root access password, ensure that your password meets the following criteria:
○ A minimum of eight characters in length
○ A minimum of one lower case letter (a to z)
○ A minimum of one upper case letter (A to Z)
○ A minimum of one numeric character (0 to 9)
○ A minimum of one special character, including a space (" !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~")
If you enable the boot access password, the system prompts for a pa
48 Service Provider Bridging
Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell EMC Networking OS.
Topics:
• VLAN Stacking
• VLAN Stacking Packet Drop Precedence
• Dynamic Mode CoS for VLAN Stacking
• Layer 2 Protocol Tunneling
• Provider Backbone Bridging
VLAN Stacking
VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.
Figure 113. VLAN Stacking in a Service Provider Network
Important Points to Remember
● Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN.
● Dell EMC Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
Related Configuration Tasks
● Configuring the Protocol Type Value for the Outer VLAN Tag
● Configuring Dell EMC Networking OS Options for Trunk Ports
● Debugging VLAN Stacking
● VLAN Stacking in Multi-Vendor Networks
Creating Access and Trunk Ports
To create access and trunk ports, use the following commands.
● Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
2   Inactive
3   Inactive
4   Inactive
5   Inactive
6   Active      M Po1(Te 1/2/1-1/3/3)
                M Te 3/13/1
DellEMC#
Configuring the Protocol Type Value for the Outer VLAN Tag
The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command.
● Select a value for the S-Tag TPID.
CONFIGURATION mode
vlan-stack protocol-type
The default is 9100 (that is, 0x9100). IEEE 802.1ad specifies 0x88a8 for the S-Tag, and every provider port on a path must agree on the value, so set it explicitly when you interconnect with other vendors' equipment.
To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC privilege mode.
NUM    Status    Description  Q  Ports
* 1    Inactive               U  Te 1/1/1
  100  Inactive               T  Te 1/1/1
  101  Inactive               M  Te 1/1/1
  103  Inactive
Debugging VLAN Stacking
To debug VLAN stacking, use the following command.
● Debug the internal state and membership of a VLAN and its ports.
debug member
The port notations are as follows:
● MT — stacked trunk
● MU — stacked access port
● T — 802.1Q trunk port
● U — 802.
Therefore, a mismatched TPID results in the port not differentiating between tagged and untagged traffic. Figure 114.
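The following Python example, added here and not part of the Dell guide, builds a double-tagged frame and parses it as a provider port would with a given S-Tag TPID, so the mismatch can be seen in code: a frame tagged with 0x88a8 arriving at a port left at the Dell default of 0x9100 parses as untagged, with the S-Tag and C-Tag treated as payload. It also extracts the DEI (CFI) bit from the S-Tag, which the drop-precedence section below relies on. The MAC addresses and VLAN IDs in it are constructed.

```python
"""Build and parse 802.1ad (Q-in-Q) frames to show what a TPID mismatch between
two provider ports does. Added example, not part of the Dell guide. TPID values:
0x9100 is the Dell EMC Networking OS default stated above, 0x88a8 is the IEEE
802.1ad value, 0x8100 is the 802.1Q C-Tag. Only the standard library is used."""
import struct

TPID_CTAG = 0x8100
TPID_STAG_DELL_DEFAULT = 0x9100
TPID_STAG_8021AD = 0x88A8


def tci(vid, pcp=0, dei=0):
    """Tag Control Information: 3-bit PCP, 1-bit DEI (CFI), 12-bit VLAN ID."""
    return ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)


def build_qinq(dst, src, s_vid, c_vid, s_tpid=TPID_STAG_DELL_DEFAULT,
               s_pcp=0, s_dei=0, ethertype=0x0800, payload=b""):
    """Frame as a provider trunk port would emit it: S-Tag outer, C-Tag inner."""
    return (dst + src
            + struct.pack("!HH", s_tpid, tci(s_vid, s_pcp, s_dei))
            + struct.pack("!HH", TPID_CTAG, tci(c_vid))
            + struct.pack("!H", ethertype) + payload)


def parse_frame(frame, s_tpid):
    """Parse as a receiving provider port that treats `s_tpid` as the S-Tag TPID and
    0x8100 as the C-Tag TPID. Any other value in the type field is taken as the
    payload EtherType, which is exactly what happens to a mismatched S-Tag."""
    result = {"s_vlan": None, "s_dei": None, "c_vlan": None, "ethertype": None}
    off = 12                                   # skip destination and source MAC
    while off + 2 <= len(frame):
        et = struct.unpack("!H", frame[off:off + 2])[0]
        if et == s_tpid and result["s_vlan"] is None and off + 4 <= len(frame):
            t = struct.unpack("!H", frame[off + 2:off + 4])[0]
            result["s_vlan"], result["s_dei"] = t & 0xFFF, (t >> 12) & 1
        elif et == TPID_CTAG and result["c_vlan"] is None and off + 4 <= len(frame):
            t = struct.unpack("!H", frame[off + 2:off + 4])[0]
            result["c_vlan"] = t & 0xFFF
        else:
            result["ethertype"] = et           # not a tag this port recognises
            break
        off += 4
    result["stacked"] = result["s_vlan"] is not None
    return result


if __name__ == "__main__":
    # Constructed MAC addresses and VLAN IDs.
    dst, src = bytes.fromhex("00005e000101"), bytes.fromhex("00005e000102")
    frame = build_qinq(dst, src, s_vid=100, c_vid=10, s_tpid=TPID_STAG_8021AD, s_dei=1)
    print("peer expects 0x88a8:", parse_frame(frame, TPID_STAG_8021AD))
    print("peer left at 0x9100:", parse_frame(frame, TPID_STAG_DELL_DEFAULT))
```

The second print shows the failure mode the text describes: the receiving port reports no S-VLAN, no C-VLAN and an EtherType of 0x88a8, so the frame is forwarded as untagged and the customer separation the S-Tag was meant to provide is lost on that hop.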
Figure 115.
Figure 116. Single and Double-Tag TPID Mismatch
VLAN Stacking Packet Drop Precedence
VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested.
Enabling Drop Eligibility
Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
Table 107. Drop Eligibility Behavior (continued)
Ingress       Egress       DEI Disabled                                     DEI Enabled
Trunk Port    Trunk Port   Retain inner tag CFI. Retain outer tag CFI.      Retain inner tag CFI. Set outer tag CFI to 0.
Access Port   Trunk Port   Retain inner tag CFI. Set outer tag CFI to 0.    Retain inner tag CFI. Set outer tag CFI to 0.
To enable drop eligibility globally, use the following command.
● Make packets eligible for dropping based on their DEI value.
To display the DEI-marking configuration, use the show interface dei-mark [interface slot/port/subport] command in EXEC Privilege mode.
DellEMC#show interface dei-mark
Default CFI/DEI Marking: 0
Interface   Drop precedence   CFI/DEI
--------------------------------------
Te 1/1/1    Green             0
Te 1/1/1    Yellow            1
Te 2/9/1    Yellow            0
Te 2/10/1   Yellow            0
Dynamic Mode CoS for VLAN Stacking
One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.
Examples of QoS Interface Configuration and Rate Policing
policy-map-input in layer2
 service-queue 3 class-map a qos-policy 3
!
class-map match-any a layer2
 match mac access-group a
!
mac access-list standard a
 seq 5 permit any
!
qos-policy-input 3 layer2
 rate-police 40
Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3.
NOTE: Because dot1p-mapping marks and queues packets, the only remaining applicable QoS configuration is rate metering. You may use Rate Shaping or Rate Policing. Layer 2 Protocol Tunneling Spanning tree bridge protocol data units (BPDUs) use a reserved destination MAC address called the bridge group address, which is 01-80-C2-00-00-00. Only spanning-tree bridges on the local area network (LAN) recognize this address and process the BPDU.
Dell EMC Networking OS Behavior: In Dell EMC Networking OS versions prior to 8.2.1.0, the MAC address that Dell EMC Networking systems use to overwrite the Bridge Group Address on ingress was non-configurable. The value of the L2PT MAC address was the Dell EMC Networking-unique MAC address, 01-01-e8-00-00-00.
show cam-profile
2. Enable protocol tunneling globally on the system.
CONFIGURATION mode
protocol-tunnel enable
3. Tunnel BPDUs on the VLAN.
INTERFACE VLAN mode
protocol-tunnel stp
Specifying a Destination MAC Address for BPDUs
By default, Dell EMC Networking OS uses a Dell EMC Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. 802.
49 sFlow sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
To avoid the back-off, either increase the global sampling rate or configure all the line card ports with the desired sampling rate even if some ports have no sFlow configured.
Important Points to Remember
● The Dell EMC Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset. Because of this, a write community string is enough to enable sampling and point the sampled packet headers at a collector address of the caller's choosing; restrict SNMP write access accordingly.
● By default, sFlow collection is supported only on data ports.
If you did not enable any extended information, the show output displays the following (shown in bold).
Enabling and Disabling sFlow on an Interface By default, sFlow is disabled on all interfaces. This CLI is supported on physical ports and link aggregation group (LAG) ports. To enable sFlow on a specific interface, use the following command. ● Enable sFlow on an interface. INTERFACE mode [no] sflow ingress-enable To disable sFlow on an interface, use the no version of this command.
sflow collector 100.1.1.1 agent-addr 1.1.1.2
sflow enable
sflow max-header-size extended
sFlow Show Commands
Dell EMC Networking OS includes the following sFlow display commands.
● Displaying Show sFlow Globally
● Displaying Show sFlow on an Interface
● Displaying Show sFlow on a Line Card
Displaying Show sFlow Global
To view sFlow statistics, use the following command.
● Display sFlow configuration information and statistics.
EXEC mode
show sflow
The first bold line indicates sFlow is globally enabled.
show sflow interface interface-name
The following example shows the show sflow interface command.
DellEMC#show sflow interface tengigabitethernet 1/1/1
Te 1/1/1
sFlow type                :Ingress
Configured sampling rate  :16384
Actual sampling rate      :16384
Counter polling interval  :20
Extended max header size  :128
Samples rcvd from h/w     :0
The following example shows the show running-config interface command.
● Change the global default counter polling interval.
CONFIGURATION mode or INTERFACE mode
sflow polling-interval interval-value
○ interval-value: in seconds. The range is from 15 to 86400 seconds. The default is 20 seconds.
Back-Off Mechanism
If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions.
50 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell EMC Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
• Monitor Port-Channels
• Troubleshooting SNMP Operation
• Transceiver Monitoring
• Configuring SNMP context name
Protocol Overview
Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB).
In this example, for a specified user and a group, the AES128-CFB algorithm, the authentication password to enable the server to receive packets from the host, and the privacy password to encode the message contents are configured. SHA authentication needs to be used with the AES-CFB128 privacy algorithm only when FIPS is enabled because SHA is then the only available authentication level.
Set up SNMP
As previously stated, Dell EMC Networking OS supports SNMP version 1 and version 2, which are community-based security models. The primary difference between the two versions is that version 2 supports two additional protocol operations (the inform operation and the getbulk query) and one additional object (the counter64 object). SNMP version 3 (SNMPv3) is a user-based security model that provides password authentication for user security and encryption for data security and privacy. In versions 1 and 2c the community string is the only access control and it crosses the network in cleartext, so use SNMPv3 with authentication and privacy for any write access and wherever the management network is not fully trusted.
● Configure an SNMPv3 view.
CONFIGURATION mode
snmp-server view view-name oid-tree {included | excluded}
NOTE: To give a user read and write view privileges, repeat this step for each privilege type.
● Configure the user with an authentication password (password privileges only, that is, authentication without privacy).
CONFIGURATION mode
snmp-server user name group-name 3 auth md5 auth-password
Prefer sha over md5 where your release allows it, and add a privacy password if the polling traffic crosses a network you do not fully trust.
● Configure an SNMP group (password privileges only).
There are several UNIX SNMP commands that read data.
● Read the value of a single managed object.
snmpget -v version -c community agent-ip {identifier.instance | descriptor.instance}
● Read the value of the managed object directly below the specified object.
snmpgetnext -v version -c community agent-ip {identifier.instance | descriptor.instance}
● Read the value of many objects at once.
snmpwalk -v version -c community agent-ip {identifier.instance | descriptor.
You may use up to 55 characters. The default is None.
● (From a Dell EMC Networking system) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1).
CONFIGURATION mode
snmp-server location text
You may use up to 55 characters. The default is None.
● (From a management station) Identify the system manager along with this person's contact information (for example, an email address or phone number).
snmp-server trap-source
The following example lists the RFC-defined SNMP traps and the command used to enable each. The coldStart and warmStart traps are enabled using a single command.
snmp authentication: SNMP_AUTH_FAIL: SNMP Authentication failed. Request with invalid community string.
snmp coldstart: SNMP_COLD_START: Agent Initialized - SNMP COLD_START. SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
snmp linkdown
snmp linkup
temperature is within threshold of %dC)
envmon fan:
  FAN_TRAY_BAD: Major alarm: fantray %d is missing or down
  FAN_TRAY_OK: Major alarm cleared: fan tray %d present
  FAN_BAD: Minor alarm: some fans in fan tray %d are down
  FAN_OK: Minor alarm cleared: all fans in fan tray %d are good
vlt: Enable VLT traps.
vrrp: Enable VRRP state change traps.
xstp: %SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority 32768, Address 0001.e801.fc35.
SFM_DISCOVERY: Found SFM 1
SFM_REMOVE: Removed SFM 1
MAJOR_SFM: Major alarm: Switch fabric down
MAJOR_SFM_CLR: Major alarm cleared: Switch fabric up
MINOR_SFM: Minor alarm: No working standby SFM
MINOR_SFM_CLR: Minor alarm cleared: Working standby SFM present
TASK SUSPENDED: SUSPENDED - svce:%d - inst:%d - task:%s
RPM0-P:CP %CHMGR-2-CARD_PARITY_ERR
ABNORMAL_TASK_TERMINATION: CRASH - task:%s %s
CPU_THRESHOLD: Cpu %s usage above threshold.
SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 4
Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1488564) 4:08:05.64, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 5
Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1489064) 4:08:10.64, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 6
Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1489568) 4:08:15.68, SNMPv2-MIB::snmpTrapOID.
Following is the sample audit log message that other syslog servers that are reachable receive:
Oct 21 00:46:13: dv-fedgov-s4810-6: %EVL-6-NOT_REACHABLE:Syslog server 10.11.226.121 (port: 9140) is not reachable
The following example shows the SNMP trap that is sent when connectivity to the syslog server is resumed:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10230) 0:01:42.30
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.6027.3.30.1.1.2
SNMPv2-SMI::enterprises.6027.3.30.1.
Table 111. MIB Objects for Copying Configuration Files via SNMP (continued)
MIB Object: copyDestFileType
OID: .1.3.6.1.4.1.6027.3.5.1.1.1.1.5
Object Values: 1 = Dell EMC Networking OS file; 2 = running-config; 3 = startup-config
Description: Specifies the type of file to copy to.
● If copySourceFileType is running-config or startup-config, the default copyDestFileLocation is flash.
● If copyDestFileType is a binary, you must specify copyDestFileLocation and copyDestFileName.
MIB Object: copyDestFileLocation
OID: .1.3.6.
● index must be unique to all previously executed snmpset commands. If an index value has been used previously, a message like the following appears. In this case, increment the index value and enter the command again.
Error in packet.
Reason: notWritable (that object does not support modification)
Failed object: FTOS-COPY-CONFIG-MIB::copySrcFileType.101
● To complete the command, use as many MIB objects in the command as required by the MIB object descriptions shown in the previous table.
Anyone who holds the write community string, or an SNMPv3 user with write access to this MIB, can use these objects to pull a configuration from a server of their choosing into the running or startup configuration. Restrict write access to the management stations that need it and use SNMPv3 with privacy for it.
FTOS-COPY-CONFIG-MIB::copySrcFileType.7 = INTEGER: runningConfig(3)
FTOS-COPY-CONFIG-MIB::copyDestFileType.7 = INTEGER: startupConfig(2)
The following example shows how to copy configuration files from a UNIX machine using OIDs.
>snmpset -c public -v 2c 10.11.131.162 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.8 i 3 .1.3.6.1.4.1.6027.3.5.1.1.1.1.5.8 i 2
SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.2.8 = INTEGER: 3
SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.5.
> snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.10 i 1 copySrcFileLocation.10 i 4 copyDestFileType.10 i 3 copySrcFileName.10 s /home/myfilename copyServerAddress.10 a 172.16.1.56 copyUserName.10 s mylogin copyUserPassword.10 s mypass
With SNMPv2c the community string and the server login carried in copyUserName and copyUserPassword cross the network in cleartext; use an SNMPv3 user with privacy for this operation, and give the transfer account no rights beyond the file being copied.
Additional MIB Objects to View Copy Statistics
Dell EMC Networking provides more MIB objects to view copy statistics, as shown in the following table.
Table 112.
NOTE: In UNIX, enter the snmpset command for help using this command.
The following examples show the command syntax using MIB object names and the same command using the object OIDs. In both cases, the same index number used in the snmpset command follows the object.
The following command shows how to get a MIB object value using the object name.
> snmpget -v 2c -c private -m ./f10-copy-config.mib 10.11.131.140 copyTimeCompleted.110
FTOS-COPY-CONFIG-MIB::copyTimeCompleted.
Table 114. MIB Objects to Display the Information for Power Monitoring
MIB Object                  OID                                          Description
envMonSupplyCurrentPower    1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.5   Displays per PSU input power (current configuration).
envMonSupplyAveragePower    1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.6   Displays average input power.
envMonSupplyAvgStartTime    1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.7   Displays average input-power start time.
SNMP Walk Example Output
snmpwalk -v 2c -c public 10.16.131.156 1.3.6.1.
Table 115. MIB Objects to Display support for 25G, 40G, 50G, 100G Optical Transceiver or DAC cable IDPROM user info (continued)
MIB Object                          OID                                 Description
dellNetIfTransTransmitPowerLane4    1.3.6.1.4.1.6027.3.11.1.3.1.1.11    Specifies Lane 4 Tx power value in dBm
dellNetIfTransReceivePowerLane1     1.3.6.1.4.1.6027.3.11.1.3.1.1.12    Specifies Lane 1 Rx power value in dBm
dellNetIfTransReceivePowerLane2     1.3.6.1.4.1.6027.3.11.1.3.1.1.
● To view flash memory usage using SNMP, use the following command.
snmpget -v2c -c public 192.168.60.120 .1.3.6.1.4.1.6027.3.26.1.4.4.1.7
enterprises.6027.3.26.1.4.4.1.7 = Gauge32: 24
The output above shows that 24% of the flash memory is used.
MIB Support to Display the Software Core Files Generated by the System
Dell EMC Networking provides MIB objects to display the software core files generated by the system.
enterprises.6027.3.10.1.2.10.1.5.1.1 = "flashmntr"
enterprises.6027.3.10.1.2.10.1.5.1.2 = "l2mgr"
enterprises.6027.3.10.1.2.10.1.5.1.3 = "vrrp" Hex: 76 72 72 70
enterprises.6027.3.10.1.2.10.1.5.2.1 = "sysd" Hex: 73 79 73 64
The output above lists the software core files generated by the system.
MIB Support for PFC Storm Control
Dell EMC Networking provides MIB objects to display the information for PFC Storm Control. The OIDs specific to PFC Storm Control are appended to the dellNetFpStatsMib.
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.1.2097669.5
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.1.2097669.6
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.1.2097925.5
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.1.2097925.6
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.2.2097157.5
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.2.2097157.6
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.2.2097413.5
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.2.2097413.6
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.2.2097669.
MIB Support for PFC no-drop-priority L2Dlf Drop Dell EMC Networking provides MIB objects to display the information for PFC no-drop-priority L2Dlf Drop which can be used to access counter information. The OIDs specific to PFC no-drop-priority L2Dlf Drop are appended to the dellNetFpStatsMib. These statistics can also be obtained by using the CLI command: show hardware pfc-nodrop-priority l2-dlf drops stackunit <> port-set <> .
SNMP Walk Output
snmpwalk -v 2c -c public 10.16.210.86 1.3.6.1.4.1.6027.3.27.1.23.1
SNMPv2-SMI::enterprises.6027.3.27.1.23.1.2.1.1.1 = Counter32: 2910
SNMPv2-SMI::enterprises.6027.3.27.1.23.1.2.1.1.2 = Counter32: 2910
SNMPv2-SMI::enterprises.6027.3.27.1.23.1.2.1.1.3 = Counter32: 2910
SNMPv2-SMI::enterprises.6027.3.27.1.23.1.2.1.1.4 = Counter32: 2910
SNMPv2-SMI::enterprises.6027.3.27.1.23.1.3.1.1.1 = Counter32: 0
SNMPv2-SMI::enterprises.6027.3.27.1.23.1.3.1.1.2 = Counter32: 0
SNMPv2-SMI::enterprises.6027.3.
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.28.2107012 = STRING: "0.0E0"
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.29.2107012 = Counter64: 33997973
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.30.2107012 = Counter64: 329629607
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.31.2107012 = Counter64: 31997973
In the above example:
● 33997973 is the count of green packet-drops (Green Drops).
● 329629607 is the count of yellow packet-drops (Yellow Drops).
● 31997973 is the count of red packet-drops (Out of Profile Drops).
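Walks like the ones in this chapter are easier to compare across time when parsed into typed values. The following Python parser is an added example (not part of the Dell guide or its MIBs) that handles the value types that appear in these listings, including enumerations such as runningConfig(3), Timeticks, and lines with no type label, and then summarises the green, yellow and out-of-profile drop counters per ifIndex. The sample input is constructed from lines printed in this chapter; the column-to-meaning mapping (29, 30, 31) is taken from the example above and should be verified against the dellNetFpStatsMib file for your release.

```python
"""Parse net-snmp `snmpwalk`/`snmpget` output such as the listings in this
chapter into typed Python values, and summarise the per-interface drop counters
of dellNetFpStatsMib (columns 29, 30 and 31 under enterprises.6027.3.27.1.3.1
are the green, yellow and out-of-profile drops, as in the example above).
Added example, not part of the Dell guide. The sample lines are constructed from
values printed in the guide; the column numbers come from the same listing and
should be checked against the MIB file for your release."""
import re

# "<oid> = <TYPE>: <value>"; the TYPE label is absent on some listings (see the
# core-file output earlier in the chapter), so it is optional.
LINE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?:(?P<type>[A-Za-z0-9-]+):\s*)?(?P<val>.*)$")
NUMERIC = ("Counter32", "Counter64", "Gauge32", "INTEGER", "Timeticks")


def parse_value(typ, raw):
    raw = raw.strip()
    if typ in NUMERIC:
        # plain "33997973", enumerations like "runningConfig(3)", or Timeticks
        # "(1488564) 4:08:05.64": take the leading or the parenthesised integer.
        m = re.match(r"-?\d+", raw) or re.search(r"\((\d+)\)", raw)
        return int(m.group(m.lastindex or 0)) if m else raw
    if typ == "Hex-STRING":
        return bytes.fromhex(raw.replace(" ", ""))
    if typ == "STRING" or (typ is None and raw.startswith('"')):
        return raw.strip('"')
    return raw                      # OID, IpAddress, and anything unrecognised


def parse_snmpwalk(text):
    """Map each OID (as printed, symbolic or numeric) to its typed value."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out[m.group("oid")] = parse_value(m.group("type"), m.group("val"))
    return out


DROP_TABLE = "SNMPv2-SMI::enterprises.6027.3.27.1.3.1"
DROP_COLUMNS = {29: "green_drops", 30: "yellow_drops", 31: "red_drops"}


def drop_counters(parsed):
    """{ifIndex: {'green_drops': n, 'yellow_drops': n, 'red_drops': n}}."""
    stats = {}
    for oid, val in parsed.items():
        if not oid.startswith(DROP_TABLE + "."):
            continue
        column, ifindex = oid[len(DROP_TABLE) + 1:].split(".", 1)
        name = DROP_COLUMNS.get(int(column))
        if name is not None:
            stats.setdefault(int(ifindex), {})[name] = val
    return stats


# Constructed sample assembled from lines shown in this chapter.
SAMPLE = """\
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.28.2107012 = STRING: "0.0E0"
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.29.2107012 = Counter64: 33997973
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.30.2107012 = Counter64: 329629607
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.31.2107012 = Counter64: 31997973
SNMPv2-SMI::enterprises.6027.3.27.1.23.1.2.1.1.1 = Counter32: 2910
enterprises.6027.3.26.1.4.4.1.7 = Gauge32: 24
FTOS-COPY-CONFIG-MIB::copySrcFileType.7 = INTEGER: runningConfig(3)
SNMPv2-MIB::sysUpTime.0 = Timeticks: (1488564) 4:08:05.64
enterprises.6027.3.10.1.2.10.1.5.1.1 = "flashmntr"
.1.3.6.1.2.1.47.1.3.2.1.2.5.0 = OID: .1.3.6.1.2.1.2.2.1.1.2097157
"""

if __name__ == "__main__":
    parsed = parse_snmpwalk(SAMPLE)
    print(drop_counters(parsed))
```

Feed it the saved output of two walks taken some minutes apart and subtract the per-ifIndex dictionaries to get the drop rate; a growing red_drops count on a customer-facing port is the signal that its policer is discarding out-of-profile traffic.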
● If Smart Script is installed on the system, the log also shows the phone home partition.
snmpwalk -v 2c -c public -On 10.16.151.161 1.3.6.1.4.1.6027.3.26.1.4.8
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.1 = STRING: "/dev/ld0g"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.2 = STRING: "mfs:332"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.3 = STRING: "mfs:398"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.4 = STRING: "/dev/ld0h"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.5 = STRING: "tmpfs"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.3.1 = INTEGER: 4624894
.1.3.6.1.4.1.6027.
Table 124. MIB Objects to display egress queue statistics (continued)
MIB Object                      OID                               Description
dellNetFpEgrQDroppedBytesRate   1.3.6.1.4.1.6027.3.27.1.20.1.9    Rate of bytes dropped per unicast/multicast egress queue.
MIB Support to ECMP Group Count
Dell EMC Networking OS provides MIB objects to display the ECMP group count information. The following table lists the related MIB objects:
Table 125.
INTEGER: 1275078656
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.90.90.90.0.24.0.0.0.0 = INTEGER: 2097157
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.90.90.90.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.90.90.90.2.32.1.4.90.90.90.2.1.4.90.90.90.2 = INTEGER: 2097157
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.100.100.100.0.24.1.4.10.1.1.1.1.4.10.1.1.1 = INTEGER: 2098693
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.100.100.100.0.24.1.4.20.1.1.1.1.4.20.1.
SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.20.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.0.24.0.0.0.0 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.1.32.1.4.30.1.1.1.1.4.30.1.1.1 = STRING: "Po 20"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.70.70.70.0.24.0.0.0.0 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.
Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.90.90.90.0.24.0.0.0.0 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.90.90.90.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.90.90.90.2.32.1.4.90.90.90.2.1.4.90.90.90.2 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.100.100.100.0.24.1.4.10.1.1.1.1.4.10.1.1.1 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.100.100.100.0.24.1.4.20.1.1.1.1.4.20.1.1.
Table 126. MIB Objects for Displaying the Details of FEC BER (continued)
MIB Object | OID | Description
dellNetFpMMUTxPurgeCellErr | 1.3.6.1.4.1.6027.3.27.1.3.1.13 | Tx Purge Cell Error.
dellNetFpMMUAgedDrops | 1.3.6.1.4.1.6027.3.27.1.3.1.14 | Aged Drops.
dellNetFpEgressFCSDrops | 1.3.6.1.4.1.6027.3.27.1.3.1.15 | Egress FCS Drops.
dellNetFpEgIPv4L3UCAgedDrops | 1.3.6.1.4.1.6027.3.27.1.3.1.16 | IPv4 L3 UC Aged and Drops.
dellNetFpEgTTLThresholdDrops | 1.3.6.1.4.1.6027.3.27.1.3.1.17 | TTL Threshold Drops.
● To view the entAliasMappingTable generated by the system, use the following command.
snmpwalk -v 2c -c public -On 10.16.150.97 1.3.6.1.2.1.47.1.3.2.1
.1.3.6.1.2.1.47.1.3.2.1.2.5.0 = OID: .1.3.6.1.2.1.2.2.1.1.2097157
.1.3.6.1.2.1.47.1.3.2.1.2.9.0 = OID: .1.3.6.1.2.1.2.2.1.1.2097669
.1.3.6.1.2.1.47.1.3.2.1.2.13.0 = OID: .1.3.6.1.2.1.2.2.1.1.2098181
.1.3.6.1.2.1.47.1.3.2.1.2.17.0 = OID: .1.3.6.1.2.1.2.2.1.1.2098693
.1.3.6.1.2.1.47.1.3.2.1.2.21.0 = OID: .1.3.6.1.2.1.2.2.1.1.2099205
.1.3.6.1.2.1.47.1.3.2.1.2.
Table 128. MIB Objects for LAG (continued)
MIB Object | OID | Description
identifier for the current Protocol partner of the Aggregator.
dot3adAggPartnerSystemPriority | 1.2.840.10006.300.43.1.1.1.1.8 | Contains a two octet read-only value that indicates the priority value associated with the Partner's system ID.
dot3adAggPartnerOperKey | 1.2.840.10006.300.43.1.1.1.1.9 | Contains the current operational value of the key for the Aggregator's current protocol partner.
dot3adAggCollectorMaxDelay | 1.2.840.10006.
MIB Support to Display Unrecognized LLDP TLVs
This section describes the MIB objects that display information about reserved and organizationally specific LLDP TLVs that the local neighbor does not recognize.
MIB Support to Display Reserved Unrecognized LLDP TLVs
The lldpRemUnknownTLVTable contains information about incoming reserved LLDP TLVs that are not recognized by the local neighbor. The following table lists the related MIB objects:
Table 129.
MIB Support to Display Organizational Specific Unrecognized LLDP TLVs
The lldpRemOrgDefInfoTable contains organizationally defined information that is not recognized by the local neighbor. The following table lists the related MIB objects:
Table 130. MIB Objects for Displaying Organizational Specific Unrecognized LLDP TLVs
MIB Object | OID | Description
lldpRemOrgDefInfoTable | 1.0.8802.1.1.2.1.4.4 | This table contains organizationally defined information that is not recognized by the local neighbor.
Global MIB objects for port security
This section describes the scalar MIB objects of the global MIB dellNetPortSecGlobalObjects. The following table shows the scalar global MIB objects for port security.
Table 131. Global MIB Objects for Port Security
MIB Object | OID | Access or Permission | Description
dellNetGlobalPortSecurityMode | 1.3.6.1.4.1.6027.3.31.1.1.1 | read-write | Enables or disables the port security feature globally on the device.
dellNetGlobalTotalSecureAddr | 1.3.6.1.4.1.6027.3.31.1.1.
Table 132. Interface level MIB Objects for Port Security (continued)
MIB Object | OID | Access or Permission | Description
dellNetPortSecIfStickyEnable | 1.3.6.1.4.1.6027.3.31.1.2.1.1.8 | read-write | Enables or disables the sticky port security feature on this interface.
dellNetPortSecIfClearSecureMacAddresses | 1.3.6.1.4.1.6027.3.31.1.2.1.1.9 | read-write | Deletes secure MAC addresses based on the specified type.
dellNetPortSecIfResetViolationStatus | 1.3.6.1.4.1.6027.3.31.1.2.1.1.
Table 133. MIB Objects for configuring MAC addresses
MIB Object | OID | Access or Permission | Description
dellNetPortSecSecureStaticMacAddrTable.
Enabling and viewing SNMP for static MAC addresses
You can enable and view SNMP for static MAC addresses using the snmpset and snmpget commands. The following example shows how to enable and view the static MAC addresses. To configure a static MAC address (00:00:00:00:11:11) on a VLAN (100) on the interface whose ifIndex is 2101252, use the following command.
MIB Support for CAM
Dell EMC Networking provides a method to retrieve the CAM usage information. The following table lists the related MIB objects:
Table 135. MIB Objects for CAM
MIB Object | OID | Description
camUsageL2PipeLine | 1.3.6.1.4.1.6027.3.7.1.1.2.1.11 | Contains information about the pipeline number of the chip on the Layer 2 switch where the CAM is located.
camUsageL3Pi | 1.3.6.1.4.1.6027.3.7.1.1.3.1.
MIB support for MAC notification traps
Dell EMC Networking OS provides MIB support to generate SNMP trap messages on learning or station move of a new or existing MAC address in the system, with mac-address, vlan-id, and port details. The following table lists the related MIB objects, their OIDs, and descriptions:
Table 136. MIB Objects for MAC notification traps
MIB Object | OID | Description
dellNetMacNotifMib | 1.3.6.1.4.1.6027.3.28.1 | Contains the MAC notification groups.
Manage VLANs using SNMP
The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allow you to use SNMP to manage VLANs.
Creating a VLAN
To create a VLAN, use the dot1qVlanStaticRowStatus object. The snmpset operation shown in the following example creates VLAN 10 by specifying a value of 4 for instance 10 of the dot1qVlanStaticRowStatus object.
> snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4
SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" .1.3.6.1.2.1.17.7.1.4.3.1.4.1107787786 x "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.
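As an added example that is not part of the Dell guide, the following Python helpers build the dot1qVlanStaticTable OIDs and snmpset arguments used in the VLAN example above, and encode or decode the RFC 2674 PortList hex strings like the one in the snmpset output. The host, community, VLAN and port numbers are constructed sample values.

```python
"""Added example, not from the Dell guide: helpers for the Q-BRIDGE-MIB objects
used above (dot1qVlanStaticTable, RFC 2674). RowStatus codes come from RFC 2579;
the PortList encoding (bit 8 of octet 1 = port 1, bit 7 = port 2, ...) from RFC 2674.
Host, community and port numbers below are constructed sample values."""

DOT1Q_VLAN_STATIC_ENTRY = ".1.3.6.1.2.1.17.7.1.4.3.1"

# Column numbers of dot1qVlanStaticEntry (RFC 2674).
COLUMNS = {
    "dot1qVlanStaticName": 1,
    "dot1qVlanStaticEgressPorts": 2,
    "dot1qVlanForbiddenEgressPorts": 3,
    "dot1qVlanStaticUntaggedPorts": 4,
    "dot1qVlanStaticRowStatus": 5,
}

# RowStatus textual convention (RFC 2579): 4 = createAndGo is what the snmpset above sends.
ROW_STATUS = {
    "active": 1, "notInService": 2, "notReady": 3,
    "createAndGo": 4, "createAndWait": 5, "destroy": 6,
}


def column_oid(column: str, vlan_id: int) -> str:
    """OID of one cell of dot1qVlanStaticTable; the VLAN ID is the row instance."""
    if not 1 <= vlan_id <= 4094:          # 0 and 4095 are the two reserved VLAN IDs
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return f"{DOT1Q_VLAN_STATIC_ENTRY}.{COLUMNS[column]}.{vlan_id}"


def snmpset_row_status(host: str, community: str, vlan_id: int, status: str) -> list:
    """argv for the snmpset shown above (createAndGo creates, destroy deletes a VLAN)."""
    oid = column_oid("dot1qVlanStaticRowStatus", vlan_id)
    return ["snmpset", "-v2c", "-c", community, host, oid, "i", str(ROW_STATUS[status])]


def portlist_decode(hex_octets: str) -> list:
    """'40 00 00' -> [2]: each set bit names a bridge port, most significant bit first."""
    ports = []
    for i, octet in enumerate(bytes.fromhex(hex_octets.replace(" ", ""))):
        for bit in range(8):
            if octet & (0x80 >> bit):
                ports.append(i * 8 + bit + 1)
    return ports


def portlist_encode(ports, length: int) -> str:
    """Inverse of portlist_decode, padded to `length` octets (the agent fixes the length)."""
    octets = bytearray(length)
    for port in ports:
        if not 1 <= port <= length * 8:
            raise ValueError(f"port {port} does not fit in {length} octets")
        octets[(port - 1) // 8] |= 0x80 >> ((port - 1) % 8)
    return " ".join(f"{b:02X}" for b in octets)


def snmpset_portlist(host, community, column, vlan_id, ports, length) -> list:
    """argv for writing an egress/untagged PortList column with the 'x' (hex string) type."""
    oid = column_oid(column, vlan_id)
    return ["snmpset", "-v2c", "-c", community, host, oid, "x", portlist_encode(ports, length)]


if __name__ == "__main__":
    # Constructed sample: the same create operation as the guide's snmpset line.
    print(" ".join(snmpset_row_status("123.45.6.78", "mycommunity", 10, "createAndGo")))
    print(portlist_decode("40 00 00 00"))
```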
To set the time to wait until BGP sessions are up, set 1.3.6.1.4.1.6027.3.18.1.3 and 1.3.6.1.4.1.6027.3.18.1.6.
Enabling and Disabling a Port using SNMP
To enable and disable a port using SNMP, use the following commands.
1. Create an SNMP community on the Dell system.
CONFIGURATION mode
snmp-server community
2. From the Dell EMC Networking system, identify the interface index of the port for which you want to change the admin status.
The value of dot1dTpFdbPort is the number of the port on which the system learned the MAC address. In this case, for TenGigabitEthernet 1/21/1, the manager returns the integer 118.
MIB Objects for Viewing the System Image on Flash Partitions
To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object or, to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object.
Table 138. MIB Objects for Viewing the System Image on Flash Partitions
MIB Object | OID | Description | MIB
chSysSwInPartitionAImgVers | 1.3.6.1.4.1.6027.3.10.1.2.8.1.11 | List the version string of the system image in Flash Partition A.
● snmp-server context cx2
● snmp-server group admingroup 3 auth read readview write writeview
● snmp-server group admingroup 3 auth read readview context cx1
● snmp-server group admingroup 3 auth read readview context cx2
● snmp-server user admin admingroup 3 auth md5 helloworld
● snmp mib community-map VRF1 context cx1
● snmp mib community-map VRF2 context cx2
● snmp-server view readview .1 included
● snmp-server view writeview .1 included
2. Configure snmp context under the VRF instances.
Monitor Port-Channels
To check the status of a Layer 2 port-channel, use f10LinkAggMib (.1.3.6.1.4.1.6027.3.2). In the following example, Po 1 is a switchport and Po 2 is in Layer 3 mode.
Example of SNMP Trap for Monitored Port-Channels
[senthilnathan@lithium ~]$ snmpwalk -v 2c -c public 10.11.1.1 .1.3.6.1.4.1.6027.3.2.1.1
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.1 = INTEGER: 1
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.2 = INTEGER: 2
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.2.
IF-MIB::linkUp
IF-MIB::ifIndex.1107755009 = INTEGER: 1107755009
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Po 1"
Troubleshooting SNMP Operation
When you use SNMP to retrieve management data from an SNMP agent on a Dell EMC Networking router, take into account the following behavior.
● When you query an IPv4 icmpMsgStatsInPkts object in the ICMP table by using the snmpwalk command, the output for echo replies may be incorrectly displayed.
Table 139. SNMP OIDs for Transceiver Monitoring (continued)
Field (OID) | Description
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.4 | Optics Type
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.5 | Vendor Name
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.6 | Part Number
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.7 | Serial Number
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.8 | Transmit Power Lane1
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.9 | Transmit Power Lane2
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.
51 Storm Control
Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell EMC Networking Operating System (OS) Behavior: Dell EMC Networking OS supports unknown-unicast, multicast, and broadcast control for Layer 2 and Layer 3 traffic.
To view the storm control broadcast configuration, use the show storm-control broadcast | multicast | unknown-unicast | pfc-llfc [interface] command.
INTERFACE mode
storm-control multicast packets_per_second in
● Shut down the port if it receives PFC/LLFC packets at more than the configured rate.
INTERFACE mode
storm-control pfc-llfc pps in shutdown
NOTE: An interface with PFC/LLFC storm control enabled is disabled if it receives continuous PFC/LLFC packets. This can be the result of a faulty NIC or switch that sends spurious PFC/LLFC packets.
● Use the xoff-state threshold polling-count {number of polling-interval} command to set the number of times the polling should be done. If the traffic and the egress counter remain the same after the subsequent polling, a PFC storm is detected on the corresponding port or priority.
● Once a PFC storm is detected on an interface, you can use the storm-control pfc in queue-drop command on the interface to drop the ingress packets.
52 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is supported on Dell EMC Networking OS.
Related Configuration Tasks
● Adding an Interface to the Spanning Tree Group
● Modifying Global Parameters
● Modifying Interface STP Parameters
● Enabling PortFast
● Prevent Network Disruptions with BPDU Guard
● STP Root Guard
● Enabling SNMP Traps for Root Elections and Topology Changes
● Configuring Spanning Trees as Hitless
Important Points to Remember
● STP is disabled by default.
● The Dell EMC Networking OS supports only one spanning tree instance (0).
Configuring Interfaces for Layer 2 Mode
All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled.
Figure 120. Example of Configuring Interfaces for Layer 2 Mode
To configure and enable the interfaces for Layer 2, use the following commands.
1. If the interface has been assigned an IP address, remove it.
INTERFACE mode
no ip address
2. Place the interface in Layer 2 mode.
INTERFACE mode
switchport
3. Enable the interface.
no shutdown
DellEMC(conf-if-te-1/1/1)#
Enabling Spanning Tree Protocol Globally
Enable the spanning tree protocol globally; it is not enabled by default. When you enable STP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the Spanning Tree topology.
● Only one path from any bridge to any other bridge participating in STP is enabled.
● Bridges block a redundant path by disabling one of the link ports.
Figure 121.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
R2#show spanning-tree 0
Executing IEEE compatible Spanning Tree Protocol
Bridge Identifier has priority 32768, address 0001.e826.ddb7
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32768, address 0001.e80d.
Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP. NOTE: Dell EMC Networking recommends that only experienced network administrators change the spanning tree parameters. Poorly planned modification of the spanning tree parameters can negatively affect network performance. The following table displays the default values for STP. Table 141.
To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally. Modifying Interface STP Parameters You can set the port cost and port priority values of interfaces in Layer 2 mode. ● Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
Prevent Network Disruptions with BPDU Guard
Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/Edgeport (edgeports) do not expect to receive BPDUs. If an edgeport does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
Figure 122. Enabling BPDU Guard
Dell EMC Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features.
BPDU guard:
● is used on edgeports and blocks all traffic on the edgeport if it receives a BPDU.
● drops the BPDU after it reaches the RP and generates a console message.
Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command. ● Assign a number as the bridge priority or designate it as the root or secondary root.
Figure 123. STP Root Guard Prevents Bridging Loops Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell EMC Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: ● Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in global configuration mode.
Enabling SNMP Traps for Root Elections and Topology Changes
To enable SNMP traps individually or collectively, use the following commands.
● Enable SNMP traps for spanning tree state changes.
snmp-server enable traps stp
● Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
Figure 124. STP Loop Guard Prevents Forwarding Loops Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis. The following conditions apply to a port enabled with loop guard: ● Loop guard is supported on any STP-enabled port or port-channel interface.
● When used in a PVST+ network, STP loop guard is performed per-port or per-port channel at a VLAN level. If no BPDUs are received on a VLAN interface, the port or port-channel transitions to a Loop-Inconsistent (Blocking) state only for this VLAN. To enable a loop guard on an STP-enabled port or port-channel interface, use the following command. ● Enable loop guard on a port or port-channel interface.
53 SupportAssist
SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell EMC Networking device. For more information on SmartScripts, see the Dell EMC Networking Open Automation guide.
Figure 125.
Enable the SupportAssist service.
CONFIGURATION mode
support-assist activate
DellEMC(conf)#support-assist activate
This command guides you through the steps to configure SupportAssist.
Configuring SupportAssist Manually
To manually configure the SupportAssist service, use the following commands.
1. Accept the end-user license agreement (EULA).
CONFIGURATION mode
eula-consent {support-assist} {accept | reject}
NOTE: Once accepted, you do not have to accept the EULA again.
support-assist
DellEMC(conf)#support-assist
DellEMC(conf-supportassist)#
3. (Optional) Configure the contact information for the company.
SUPPORTASSIST mode
contact-company name {company-name} [company-next-name] ... [company-next-name]
DellEMC(conf)#support-assist
DellEMC(conf-supportassist)#contact-company name test
DellEMC(conf-supportassist-cmpy-test)#
4. (Optional) Configure the contact name for an individual.
[no] activity {full-transfer | core-transfer | event-transfer}
DellEMC(conf-supportassist)#activity full-transfer
DellEMC(conf-supportassist-act-full-transfer)#
DellEMC(conf-supportassist)#activity core-transfer
DellEMC(conf-supportassist-act-core-transfer)#
DellEMC(conf-supportassist)#activity event-transfer
DellEMC(conf-supportassist-act-event-transfer)#
2. Copy an action-manifest file for an activity to the system.
SUPPORTASSIST ACTIVITY mode
[no] enable
DellEMC(conf-supportassist-act-full-transfer)#enable
DellEMC(conf-supportassist-act-full-transfer)#
DellEMC(conf-supportassist-act-core-transfer)#enable
DellEMC(conf-supportassist-act-core-transfer)#
DellEMC(conf-supportassist-act-event-transfer)#enable
DellEMC(conf-supportassist-act-event-transfer)#
Configuring SupportAssist Company
SupportAssist Company mode allows you to configure the name, address, and territory information of the company.
[no] contact-person [first ] last
DellEMC(conf-supportassist)#contact-person first john last doe
DellEMC(conf-supportassist-pers-john_doe)#
2. Configure the email addresses to reach the contact person.
SUPPORTASSIST PERSON mode
[no] email-address primary email-address [alternate email-address]
DellEMC(conf-supportassist-pers-john_doe)#email-address primary jdoe@mycompany.com
DellEMC(conf-supportassist-pers-john_doe)#
3. Configure the phone numbers of the contact person.
[no] enable
DellEMC(conf-supportassist-serv-default)#enable
DellEMC(conf-supportassist-serv-default)#
4. Configure the URL to reach the SupportAssist remote server.
SUPPORTASSIST SERVER mode
[no] url uniform-resource-locator
DellEMC(conf-supportassist-serv-default)#url https://192.168.1.1/index.htm
DellEMC(conf-supportassist-serv-default)#
Viewing SupportAssist Configuration
To view the SupportAssist configuration, use the following commands:
1.
!
server Dell
enable
url http://1.1.1.1:1337
DellEMC#
3. Display the EULA for the feature.
EXEC Privilege mode
show eula-consent {support-assist | other feature}
DellEMC#show eula-consent support-assist
SupportAssist EULA has been: Accepted
Additional information about the SupportAssist EULA is as follows:
By installing SupportAssist, you allow Dell to save your contact information (e.g.
54 System Time and Date
System time and date settings and the network time protocol (NTP) are supported on Dell EMC Networking OS. You can set the system time and date manually and maintain them through NTP. They are also set through the Dell EMC Networking Operating System (OS) command line interfaces (CLIs) and hardware settings. The Dell EMC Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Protocol Overview
The NTP client sends messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode.
DellEMC#show ntp status
Clock is synchronized, stratum 4, reference is 10.16.151.117, vrf-id is 0
frequency is -44.862 ppm, stability is 0.050 ppm, precision is -18
reference time deeef7ef.85eeaa10 Tue, Jul 10 2018 9:16:31.523 UTC
clock offset is -0.167449 msec, root delay is 149.194 msec
root dispersion is 54.557 msec, peer dispersion is 0.
○ For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the slot/port/subport information.
○ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port/subport information.
○ For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the slot/port/subport information.
○ For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the slot/port information.
○ version number: Enter a number as the NTP version. The range is from 1 to 4.
○ minpoll polling-interval: Enter the minpoll value. The range is from 4 to 16.
○ maxpoll polling-interval: Enter the maxpoll value. The range is from 4 to 16.
5. Configure the switch as NTP master.
CONFIGURATION mode
ntp master
To configure the switch as an NTP server, use the ntp master command. The stratum number identifies the NTP server's hierarchy. The following example shows how to configure an NTP server.
● Originate Timestamp: the departure time on the server of its last NTP message. If the server becomes unreachable, the value is set to zero.
● Receive Timestamp: the arrival time on the client of the last NTP message from the server. If the server becomes unreachable, the value is set to zero.
● Transmit Timestamp: the departure time on the server of the current NTP message from the sender.
● Filter dispersion: the error in calculating the minimum delay from a set of sample data from a peer.
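As an added example that is not part of the Dell guide, the following Python decodes the 64-bit NTP timestamp printed as reference time in the show ntp status output above, extracts the synchronisation fields a monitor would check from that output, and computes the clock offset and round-trip delay from the four NTP timestamps described in this list. The sample status text is copied from the guide's output; the four timestamps passed to ntp_offset_delay are constructed values.

```python
"""Added example, not from the Dell guide: decode the 64-bit NTP timestamp shown as
'reference time deeef7ef.85eeaa10' in the show ntp status output, pull the
synchronisation fields out of that output, and compute clock offset and round-trip
delay from the four NTP timestamps (RFC 5905 on-wire arithmetic)."""
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Copied from the guide's show ntp status output (not captured from a live device).
SAMPLE_STATUS = """\
Clock is synchronized, stratum 4, reference is 10.16.151.117, vrf-id is 0
frequency is -44.862 ppm, stability is 0.050 ppm, precision is -18
reference time deeef7ef.85eeaa10 Tue, Jul 10 2018 9:16:31.523 UTC
clock offset is -0.167449 msec, root delay is 149.194 msec
root dispersion is 54.557 msec, peer dispersion is 0.
"""


def ntp_timestamp_to_datetime(hex_ts: str) -> datetime:
    """'deeef7ef.85eeaa10' -> UTC datetime: 32-bit seconds since 1900 + 32-bit fraction."""
    sec_hex, frac_hex = hex_ts.split(".")
    seconds = int(sec_hex, 16)
    micros = round(int(frac_hex, 16) * 1_000_000 / 2**32)
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def parse_ntp_status(text: str) -> dict:
    """Extract the fields a monitor would alert on from 'show ntp status' output."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None

    return {
        "synchronized": "Clock is synchronized" in text,
        "stratum": grab(r"stratum (\d+)", int),
        "reference": grab(r"reference is (\S+?),"),
        "reference_time": grab(r"reference time ([0-9a-f]{8}\.[0-9a-f]{8})"),
        "offset_ms": grab(r"clock offset is (-?[\d.]+) msec", float),
        "root_delay_ms": grab(r"root delay is (-?[\d.]+) msec", float),
    }


def ntp_offset_delay(t1: float, t2: float, t3: float, t4: float):
    """RFC 5905: t1 = client transmit (originate), t2 = server receive,
    t3 = server transmit, t4 = client receive. Returns (offset, delay) in seconds."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    if delay < 0:
        # Impossible for a consistent exchange; such a sample must be discarded.
        raise ValueError("negative round-trip delay: inconsistent timestamps")
    return offset, delay


if __name__ == "__main__":
    status = parse_ntp_status(SAMPLE_STATUS)
    print(status)
    print(ntp_timestamp_to_datetime(status["reference_time"]))
    # Constructed sample exchange (seconds): 5 ms offset, 110 ms round trip.
    print(ntp_offset_delay(100.0, 100.06, 100.07, 100.12))
```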
● Setting Daylight Saving Time Once
● Setting Recurring Daylight Saving Time
Setting the Time and Date for the Switch Software Clock
You can change the order of the month and day parameters to enter the time and date as time day month year. You cannot delete the software clock. The software clock runs only when the software is up. The clock restarts, based on the hardware clock, when the switch reboots. To set the software clock, use the following command.
Set Daylight Saving Time Dell EMC Networking OS supports setting the system to daylight saving time once or on a recurring basis every year. Setting Daylight Saving Time Once Set a date (and time zone) on which to convert the switch to daylight saving time on a one-time basis. To set the clock for daylight savings time once, use the following command. ● Set the clock to the appropriate timezone and daylight saving time.
○ start-day: Enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year.
○ start-year: Enter a four-digit number as the year. The range is from 1993 to 2035.
○ start-time: Enter the time in hours:minutes. For the hour variable, use the 24-hour format; for example, 17:15 is 5:15 pm.
55 Tunneling
Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, PATH MTU transmission, and fragmented packets are not supported.
tunnel mode ipv6ip
no shutdown
The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic):
DellEMC(conf)#interface tunnel 3
DellEMC(conf-if-tu-3)#tunnel source 5::5
DellEMC(conf-if-tu-3)#tunnel destination 8::9
DellEMC(conf-if-tu-3)#tunnel mode ipv6
DellEMC(conf-if-tu-3)#ip address 3.1.1.1/24
DellEMC(conf-if-tu-3)#ipv6 address 3::1/64
DellEMC(conf-if-tu-3)#no shutdown
DellEMC(conf-if-tu-3)#show config
!
interface Tunnel 3
ip address 3.1.1.
The following sample configuration shows how to use the interface tunnel configuration commands.
DellEMC(conf-if-te-1/1/1)#show config
!
interface TenGigabitEthernet 1/1/1
ip address 20.1.1.1/24
ipv6 address 20:1::1/64
no shutdown
DellEMC(conf)#interface tunnel 1
DellEMC(conf-if-tu-1)#ip unnumbered tengigabitethernet 1/1/1
DellEMC(conf-if-tu-1)#ipv6 unnumbered tengigabitethernet 1/1/1
DellEMC(conf-if-tu-1)#tunnel source 40.1.1.
DellEMC(conf-if-tu-1)#no shutdown
DellEMC(conf-if-tu-1)#show config
!
interface Tunnel 1
ip address 1.1.1.1/24
ipv6 address 1abd::1/64
tunnel source anylocal
tunnel allow-remote 40.1.1.2
tunnel mode ipip decapsulate-any
no shutdown
Guidelines for Configuring Multipoint Receive-Only Tunnels
● You can configure up to eight remote end-points for a multipoint receive-only tunnel.
56 Uplink Failure Detection (UFD) Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link.
Figure 127. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 128. Uplink Failure Detection Example
If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number, which is calculated by the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
● If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with a UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
UPLINK-STATE-GROUP mode
downstream auto-recover
By default, auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command.
5. (Optional) Enter a text description of the uplink-state group.
UPLINK-STATE-GROUP mode
description text
The maximum length is 80 alphanumeric characters.
6. (Optional) Disable upstream-link tracking without deleting the uplink-state group.
02:37:29 : UFD: Group:3, UplinkState: DOWN
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed uplink state group state to down: Group 3
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Downstream interface set to UFD error-disabled: Fo 3/7/1
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 3/7/1
02:38:31 : UFD: Group:3, UplinkState: UP
02:38:31: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Changed uplink state group state to up: Group 3
02:38:53: Fo 3/4/1
02:38:53: Fo 3/5/1
02:38:53: Fo 3/6/1
02:38:53:
LineSpeed 1000 Mbit, Mode auto
Flowcontrol rx off tx off
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:25:46
Queueing strategy: fifo
Input Statistics:
0 packets, 0 bytes
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
0 Multicasts, 0 Broadcasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output Statistics:
0 packets, 0 bytes, 0 underruns
0 64-byte pkts, 0 over 64-byte pkts, 0 ove
00:10:00: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Downstream interface set to UFD error-disabled: Te 1/1/1
DellEMC#
00:10:00: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 1/1/1
DellEMC(conf-uplink-state-group-3)# description Testing UFD feature
DellEMC(conf-uplink-state-group-3)# show config
!
uplink-state-group 3
description Testing UFD feature
downstream disable links 2
downstream TenGigabitEthernet 1/1-2,5,9,11-12/1
upstream TenGigabitEthernet 1/3-4/1
DellEMC(conf-uplink-state-group-3
57 Upgrade Procedures To find the upgrade procedures, go to the Dell EMC Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell EMC Networking OS version. To upgrade your system type, follow the procedures in the Dell EMC Networking OS Release Notes. You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.
58 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN. ● Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN.
● The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes).
● Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved.
NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes as specified in the IEEE 802.3 standard. Some devices that are not compliant with IEEE 802.3 may not support the larger frame size.
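As an added example that is not part of the Dell guide, the following Python inserts, parses and strips the 4-byte 802.1Q tag header described above (2-byte protocol identifier plus 2-byte TCI carrying the 12-bit VLAN ID), and shows the maximum-size frame growing past 1,518 bytes. The MAC addresses, payload and FCS placeholder are constructed sample data.

```python
"""Added example, not from the Dell guide: insert, parse and strip the 4-byte IEEE 802.1Q
tag header (2-byte TPID 0x8100 + 2-byte TCI with a 12-bit VLAN ID).
The frame bytes below are constructed sample data with a zeroed FCS placeholder."""
import struct

TPID_8021Q = 0x8100
RESERVED_VIDS = {0, 4095}      # the two reserved values of the 4,096-value VLAN ID field


def build_tci(vid: int, pcp: int = 0, dei: int = 0) -> int:
    """TCI = 3-bit priority (PCP), 1-bit drop-eligible (DEI), 12-bit VLAN ID."""
    if not 0 <= vid <= 4095 or vid in RESERVED_VIDS:
        raise ValueError(f"VLAN ID {vid} is reserved or out of range")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI 0 or 1")
    return (pcp << 13) | (dei << 12) | vid


def insert_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the tag after the 12-byte destination/source MAC pair; grows the frame by 4."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, build_tci(vid, pcp, dei)) + frame[12:]


def parse_tag(frame: bytes):
    """Return {'pcp', 'dei', 'vid', 'ethertype'} for a tagged frame, or None if untagged."""
    if len(frame) < 18:
        return None
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return None
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF, "ethertype": ethertype}


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag if present (what an untagged member port does on egress)."""
    return frame[:12] + frame[16:] if parse_tag(frame) else frame


def sample_frame(payload_len: int = 1500) -> bytes:
    """Constructed maximum-size untagged frame: 6+6+2 header, payload, 4-byte FCS = 1518."""
    dst = bytes.fromhex("ffffffffffff")          # constructed broadcast destination
    src = bytes.fromhex("020000000001")          # constructed locally administered source
    return dst + src + struct.pack("!H", 0x0800) + bytes(payload_len) + bytes(4)


if __name__ == "__main__":
    untagged = sample_frame()
    tagged = insert_tag(untagged, vid=100, pcp=5)
    print(len(untagged), len(tagged), parse_tag(tagged))
```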
Assigning Interfaces to a VLAN You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command. You can further designate these Layer 2 interfaces as tagged or untagged. For more information, see the Interfaces chapter and Configuring Layer 2 (Data Link) Mode.
When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN. If the tagged interface is removed from the only VLAN to which it belongs, the interface is placed in the Default VLAN as an untagged interface. Moving Untagged Interfaces To move untagged interfaces from the Default VLAN to another VLAN, use the following commands. 1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
Assigning an IP Address to a VLAN

VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces. The shutdown command in INTERFACE mode does not affect Layer 2 traffic on the interface; the shutdown command only prevents Layer 3 traffic from traversing over the interface.
NOTE: You cannot assign an IP address to the Default VLAN (VLAN 1).
Enabling Null VLAN as the Default VLAN

In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured. This presents a vulnerability because both interfaces are initially placed in the native VLAN, VLAN 1, and for that period customers are able to access each other's networks.
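As an added example (not code from the guide), the following Python script audits an OS9-style running-config for Layer 2 switchports that are tagged or untagged in no VLAN and therefore sit in the Default VLAN together, the exposure described above. The configuration text, interface names and descriptions are constructed; interface ranges such as 1/1/1-2 inside tagged/untagged lines are not expanded.

```python
"""Find switchports that fall into the Default VLAN (VLAN 1) on an OS9 switch.

Added example, not from the Dell EMC guide. Assumes OS9 syntax: 'switchport'
puts a physical interface in Layer 2 mode, and VLAN membership is declared
inside 'interface Vlan N' blocks with 'tagged' / 'untagged' lines. A
switchport that appears in no VLAN block is untagged in VLAN 1 by default.
"""
import re

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
!
interface TenGigabitEthernet 1/1/1
 description customer-A
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 1/1/2
 description customer-B
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 1/1/3
 description uplink
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 1/1/4
 description router-link
 ip address 10.0.0.1/30
 no shutdown
!
interface Vlan 100
 description customer-A
 untagged TenGigabitEthernet 1/1/1
 tagged TenGigabitEthernet 1/1/3
 no shutdown
!
"""


def parse_blocks(config):
    """Split the config into (header, [indented lines]) for every 'interface ...' block."""
    blocks = []
    header, body = None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            if header is not None:
                blocks.append((header, body))
            header, body = line[len("interface "):].strip(), []
        elif header is not None and line.startswith(" "):
            body.append(line.strip())
        elif header is not None:  # '!' or any non-indented line ends the block
            blocks.append((header, body))
            header, body = None, []
    if header is not None:
        blocks.append((header, body))
    return blocks


def normalize(name):
    """Collapse spacing and case so 'TenGigabitEthernet 1/1/1' matches its references."""
    return re.sub(r"\s+", " ", name.strip()).lower()


def default_vlan_ports(config):
    """Return (sorted) switchports that are members of no VLAN, i.e. untagged in VLAN 1."""
    switchports, members = set(), set()
    for header, body in parse_blocks(config):
        if header.lower().startswith("vlan"):
            for line in body:
                m = re.match(r"(tagged|untagged)\s+(.+)$", line)
                if not m:
                    continue
                parts = m.group(2).split(" ", 1)  # e.g. 'TenGigabitEthernet 1/1/1,1/1/3'
                if len(parts) != 2:
                    continue
                for port in parts[1].split(","):  # comma lists are split, ranges are not expanded
                    members.add(normalize(f"{parts[0]} {port}"))
        elif "switchport" in body:
            switchports.add(normalize(header))
    return sorted(switchports - members)


if __name__ == "__main__":
    for port in default_vlan_ports(SAMPLE_CONFIG):
        print("untagged in Default VLAN:", port)
```

Ports reported here share one broadcast domain with every other unassigned switchport until they are placed in a dedicated VLAN.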
59 Virtual Link Trunking (VLT)

Virtual link trunking (VLT) is a Dell EMC technology that provides two Dell EMC switches the ability to function as a single switch. VLT allows physical links between two Dell EMC switches to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). As a result, the two physical switches appear as a single switch to the connected devices.
VLT not only overcomes this caveat, but also provides a multipath to the connected devices. In the example shown below, the two physical VLT peers appear as a single logical device to the connected devices. As the connected devices consider the VLT peers as a single switch, VLT eliminates STP-blocked ports. However, the two VLT devices are independent Layer2/Layer3 (L2/L3) switches for devices in the upstream network.
Figure 131.
Figure 132. Example of VLT Deployment

VLT offers the following benefits:
● Allows a single device to use a LAG across two upstream devices.
● Eliminates STP-blocked ports.
● Provides a loop-free topology.
● Uses all available uplink bandwidth.
● Provides fast convergence if either the link or a device fails.
● Optimized forwarding with virtual router redundancy protocol (VRRP).
● Provides link-level resiliency.
● Assures high availability.
● Active-Active load sharing with VRRP.
● VLT backup link — The backup link monitors the connectivity between the VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches.
● VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches. Both ends must be on 10G, 25G, 40G, 50G, or 100G interfaces.
● VLT domain — This domain includes both the VLT peer devices, VLT interconnect, and all of the port channels in the VLT connected to the attached devices.
Viewing the MAC Synchronization Between VLT Peers

You can use the following commands to verify the MAC synchronization between VLT peers:
VLT-10-PEER-1#show mac-address-table count
MAC Entries for all vlans :
Dynamic Address Count : 1007
Static Address (User-defined) Count : 1
Sticky Address Count : 0
Total Synced Mac from Peer(N): 503
Total MAC Addresses in Use: 1008
VLT-10-PEER-1#show vlt counter mac
Total MAC VLT counters
---------------------
L2 Total MAC-Address Count: 1007
VLT-10-PEER-1#show mac-addr
such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode. This example provides the highest form of resiliency, scaling, and load balancing in data center switching networks. The following example shows stacking at the access, VLT in aggregation, and Layer 3 at the core.
Figure 134. VLT on Core Switches
The aggregation layer is mostly in the L2/L3 switching/routing layer.
Figure 135. Enhanced VLT

Configure Virtual Link Trunking

VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches.

Important Points to Remember
● You cannot enable stacking simultaneously with VLT. If you enable both at the same time, unexpected behavior can occur.
● VLT port channel interfaces must be switch ports.
● If you include RSTP on the system, configure it before VLT.
● To disable this feature on VLT and port channels, use the no lacp ungroup member-independent {vlt | portchannel} command under the configuration mode.
● When you enable IGMP snooping on the VLT peers, ensure the value of the delay-restore command is not less than the query interval.
○ VLT peer switches operate as separate chassis with independent control and data planes for devices attached on non-VLT ports.
○ One device in the VLT domain is assigned a primary role; the other device takes the secondary role. The primary and secondary roles are required for scenarios when connectivity between the chassis is lost. VLT assigns the primary chassis role according to the lowest MAC address. You can configure the primary role manually.
○ In order that the chassis backup link does not share the same physical path as the interconnect trunk, Dell EMC Networking recommends using the management ports on the chassis and traversing an out-of-band management network. The backup link can use user ports, but not the same ports the interconnect trunk uses.
○ The chassis backup link does not carry control plane information or data traffic. Its use is restricted to health checks only.
○ In a VLT domain, VRRP interoperates with virtual link trunks that carry traffic to and from access devices (see Overview). The VLT peers belong to the same VRRP group and are assigned master and backup roles. Each peer actively forwards L3 traffic, reducing the traffic flow over the VLT interconnect.
○ VRRP elects the router with the highest priority as the master in the VRRP group.
● Configure any ports at the edge of the spanning tree’s operating domain as edge ports, which are directly connected to end stations or server racks. Disable RSTP on ports connected directly to Layer 3-only routers not running STP or configure them as edge ports.
● Ensure that the primary VLT node is the root bridge and the secondary VLT peer node has the second-best bridge ID in the network.
VLT Port Delayed Restoration

When a VLT node boots up, if the VLT ports have been previously saved in the start-up configuration, they are not immediately enabled. To ensure MAC and ARP entries from the VLT peer node are downloaded to the newly enabled VLT node, the system allows time for the VLT ports on the new node to be enabled and begin receiving traffic. The delay-restore feature waits for all saved configurations to be applied, then starts a configurable timer.
Figure 136. PIM-Sparse Mode Support on VLT
On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
If the VLT node elected as the designated router fails and you enable VLT Multicast Routing, multicast routes are synced to the other peer for traffic forwarding to ensure minimal traffic loss. If you did not enable VLT Multicast Routing, traffic loss occurs until the other VLT peer is selected as the DR.

VLT Routing

VLT Routing refers to the ability to run a dynamic routing protocol within a single VLT domain or between VLT domains (mVLT).
If you enable peer routing, a VLT node acts as a proxy gateway for its connected VLT peer as shown in the image below. Even though the gateway address of the packet is different, Peer-1 routes the packet to its destination on behalf of Peer-2 to avoid sub-optimal routing.
Figure 138. Packets with peer routing enabled

Benefits of Peer Routing
● Avoids sub-optimal routing
● Reduces latency by avoiding another hop in the traffic path.
Configuring VLT Unicast

To enable and configure VLT unicast, follow these steps.
1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
   CONFIGURATION mode
   vlt domain domain-id
2. Enable peer-routing.
   VLT DOMAIN mode
   peer-routing
3. Configure the peer-routing timeout.
   VLT DOMAIN mode
   peer-routing-timeout value
   value: Specify a value (in seconds) from 1 to 65535. The default value is infinity (without configuring the timeout).
3. Configure the multicast peer-routing timeout.
   VLT DOMAIN mode
   multicast peer-routing-timeout value
   value: Specify a value (in seconds) from 1 to 1200.
   NOTE: Reduce the multicast peer-routing-timeout value to 10 seconds to clear the (S,G) entry in mroute in the primary VLT peer. Also, the MLD leave packet must be sent after the unicast route convergence.
4. Configure a PIM-SM compatible VLT node as a designated router (DR). For more information, refer to Configuring a Designated Router.
5.
Sample RSTP configuration

The following is a sample of an RSTP configuration:
Using the example shown in the Overview section as a sample VLT topology, the primary VLT switch sends BPDUs to an access device (switch or server) with its own RSTP bridge ID. BPDUs generated by an RSTP-enabled access device are only processed by the primary VLT switch. The secondary VLT switch tunnels the BPDUs that it receives to the primary VLT switch over the VLT interconnect.
Configuring a VLT Interconnect

To configure a VLT interconnect, follow these steps.
1. Configure the port channel for the VLT interconnect on a VLT switch and enter interface configuration mode.
   CONFIGURATION mode
   interface port-channel id-number
   Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain.
   NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned).
2.
   VLT DOMAIN CONFIGURATION mode
   peer-link port-channel id-number
4. Enable peer routing.
   VLT DOMAIN CONFIGURATION mode
   peer-routing
   If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
5. (Optional) After you configure a VLT domain on each peer switch and connect (cable) the two VLT peers on each side of the VLT interconnect, the system elects a primary and secondary VLT peer device (see Primary and Secondary VLT Peers).
   The range of domain IDs is from 1 to 1000.
2. Enter an amount of time, in seconds, to delay the restoration of the VLT ports after the system is rebooted.
   CONFIGURATION mode
   delay-restore delay-restore-time
   The range is from 1 to 1200. The default is 90 seconds.

Reconfiguring the Default VLT Settings (Optional)

To reconfigure the default VLT settings, use the following commands.
1. Enter VLT-domain configuration mode for a specified VLT domain.
   INTERFACE PORT-CHANNEL mode
   switchport
4. Add one or more port interfaces to the port channel.
   INTERFACE PORT-CHANNEL mode
   channel-member interface
   interface: specify one of the following interface types:
   ● For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
   ● For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the slot/port/subport information.
   channel-member interface
   interface: specify one of the following interface types:
   ● For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
   ● For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the slot/port/subport information.
   ● For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port/subport information.
12. Add links to the eVLT port. Configure a range of interfaces to bulk configure.
   CONFIGURATION mode
   interface range {port-channel id}
13. Enable LACP on the LAN port.
   INTERFACE mode
   port-channel-protocol lacp
14. Configure the LACP port channel mode.
   INTERFACE mode
   port-channel number mode [active]
15. Ensure that the interface is active.
   MANAGEMENT INTERFACE mode
   no shutdown
16. Enable peer routing.
   EXEC mode or EXEC Privilege mode
   show interfaces interface
11. In the top of rack unit, configure LACP in the physical ports.
   EXEC Privilege mode
   show running-config entity
12. Verify that VLT is running.
   EXEC mode
   show vlt brief or show vlt detail
13. Verify that the VLT LAG is running in both VLT peer units.
   EXEC mode or EXEC Privilege mode
   show interfaces interface
In the following sample VLT configuration steps, VLT peer 1 is Dell-2, VLT peer 2 is Dell-4, and the ToR is S60-1.
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
L 2    L2L3  up      03:33:14  Te 1/4/1 (Up)
In the ToR unit, configure LACP on the physical ports.
Dell-4#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
L 2    L2L3  up      03:33:31  Te 1/18/1 (Up)

PVST+ Configuration

PVST+ is supported in a VLT domain. Before you configure VLT on peer switches, configure PVST+ in the network. PVST+ is required for initial loop prevention during the VLT startup phase. You may also use PVST+ for loop prevention in the network outside of the VLT port channel. Run PVST+ on both VLT peer switches.
Te 1/10/1  Desg  128.230  128  2000  FWD  0  P2P  Yes
Te 1/10/3  Desg  128.233  128  2000  FWD  0  P2P  No
DellEMC#

Peer Routing Configuration Example

This section provides a detailed explanation of how to configure peer routing in a VLT domain. In the following example, devices are configured as follows:
● Access switch A1 is connected to two VLT peers (Dell-1 and Dell-2).
● The two VLT peers are connected to an upstream switch R1.
● OSPF is configured in Dell-1, Dell-2, and R1 switches.
Dell-1 Switch Configuration

In the following output, RSTP is enabled with a bridge priority of 0. This ensures that Dell-1 becomes the root bridge.
DellEMC#1#show run | find protocol
protocol spanning-tree pvst
 no disable
 vlan 1,20,800,900 bridge-priority 0
The following output shows the existing VLANs.
 description To_CR1_fa0/13
 no ip address
 port-channel-protocol LACP
  port-channel 1 mode active
 no shutdown
Port channel 1 connects the uplink switch R1.
DellEMC#1#sh run int po1
interface Port-channel 1
 description port-channel_to_R1
 no ip address
 switchport
 vlt-peer-lag port-channel 1
 no shutdown
Port channel 2 connects the access switch A1.
Version: 6(3)
Local System MAC address: 90:b1:1c:f4:2c:bb
Remote System MAC address: 90:b1:1c:f4:29:f1
Configured System MAC address: 90:b1:1c:f4:01:01
Remote system version: 6(3)
Delay-Restore timer: 90 seconds
Peer routing : Enabled
Peer routing-Timeout timer: 0 seconds
Multicast peer routing timeout: 150 seconds
Verify that the heartbeat mechanism is operational
DellEMC#1#sh vlt backup-link
VLT Backup Link
----------------
Destination:
Peer HeartBeat status:
Destination VRF:
HeartBeat Timer Interval:
He
The following output displays the MAC address of all interfaces in the system. All interfaces, physical and virtual, have the same MAC address. This is the address used for peer routing.
 no shutdown
!
DellEMC#1#sh run int te0/1
interface TenGigabitEthernet 0/1
 description VLTi LINK
 no ip address
 no shutdown
The following example shows that te 0/0 and te 0/1 are included in port channel 10. Also note that the configuration on the VLTi links does not contain the switchport command.
Dell-2#sh run int po10
interface Port-channel 10
 description VLTi Port-Channel
 no ip address
 channel-member TenGigabitEthernet 0/0-1
 no shutdown
Te 0/4 connects to the access switch A1.
interface Vlan 800
 description Client-VLAN
 ip address 192.168.8.2/24
 tagged Port-channel 2
 no shutdown
The following output shows Dell-2 is configured with VLT domain 1. The peer-link port-channel command makes port channel 10 the VLTi link. The peer-routing command enables peer routing between VLT peers in VLT domain 1. The IP address configured with the backup-destination command is the management IP address of the VLT peer (Dell-1). A priority value of 55000 makes Dell-2 the secondary VLT peer.
 router-id 172.17.1.2
 network 192.168.8.0/24 area 0
 network 192.168.9.0/24 area 0
 network 172.16.1.0/24 area 0
 network 192.168.20.0/29 area 0
 passive-interface default
 no passive-interface vlan 20
While the passive-interface default command prevents all interfaces from establishing an OSPF neighborship, the no passive-interface vlan 20 command allows the interface for VLAN 20, the OSPF peering VLAN, to establish OSPF adjacencies. The following output displays that Dell-1 forms neighborship with Dell-2 and R1.
interface Loopback3
 ip address 3.3.3.2 255.255.255.0
!
interface Loopback4
 ip address 4.4.4.2 255.255.255.0
R1#show run int port-channel 1
interface Port-channel1
 switchport
 ip address 192.168.20.3 255.255.255.248
R1#show run | find router
router ospf 1
 router-id 172.15.1.1
 passive-interface default
 no passive-interface Port-channel1
 network 2.2.2.0 0.0.0.255 area 0
 network 3.3.3.0 0.0.0.255 area 0
 network 4.4.4.0 0.0.0.255 area 0
(The above subnets correspond to loopback interfaces lo2, lo3 and lo4.
This default route is configured for testing purposes, as described in the next section. The access switch (A1) is used to generate ICMP test PINGs to a loopback interface on CR1. This default route points to DellEMC#2’s VLAN 800 SVI interface. It’s in place to ensure that routed test traffic has DellEMC#2’s MAC address as the destination address in the Ethernet frame’s header. When A1 sends a packet to R1, the VLT peers act as the default gateway for each other.
Add links to the eVLT port-channel on Peer 1.
Domain_1_Peer1(conf)#interface range tengigabitethernet 1/16/1 - 1/16/2
Domain_1_Peer1(conf-if-range-te-1/16/1-2)# port-channel-protocol LACP
Domain_1_Peer1(conf-if-range-te-1/16/1-2)# port-channel 100 mode active
Domain_1_Peer1(conf-if-range-te-1/16/1-2)# no shutdown
Next, configure the VLT domain and VLTi on Peer 2.
Domain_2_Peer4(conf-vlt-domain)# peer-link port-channel 1
Domain_2_Peer4(conf-vlt-domain)# back-up destination 10.18.130.12
Domain_2_Peer4(conf-vlt-domain)# system-mac mac-address 00:0b:00:0b:00:0b
Domain_2_Peer4(conf-vlt-domain)# peer-routing
Domain_2_Peer4(conf-vlt-domain)# unit-id 1
Configure eVLT on Peer 4.
Verifying a VLT Configuration

To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches.
● Display information on backup link operation.
  EXEC mode
  show vlt backup-link
● Display general status information about VLT domains currently configured on the switch.
----------------
Destination: 10.11.200.20
Peer HeartBeat status: Up
HeartBeat Timer Interval: 1
HeartBeat Timeout: 3
UDP Port: 34998
HeartBeat Messages Sent: 1030
HeartBeat Messages Received: 1014
The following example shows the show vlt brief command.
The following example shows the show running-config vlt command.
Dell_VLTpeer1# show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.18
Dell_VLTpeer2# show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.20
The following example shows the show vlt statistics command.
Po 3    128.4    128  200000  DIS        0  0  0001.e88a.dff8  128.4
Po 4    128.5    128  200000  DIS        0  0  0001.e88a.dff8  128.5
Po 100  128.101  128  800     FWD(VLTi)  0  0  0001.e88a.dff8  128.101
Po 110  128.111  128  00      FWD(vlt)   0  0  0001.e88a.dff8  128.111
Po 111  128.112  128  200000  DIS(vlt)   0  0  0001.e88a.dff8  128.112
Po 120  128.121  128  2000    FWD(vlt)   0  0  0001.e88a.dff8  128.
Dell_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.23
Dell_VLTpeer2(conf-vlt-domain)#exit
Configure the backup link.
Dell_VLTpeer2(conf)#interface ManagementEthernet 1/1
Dell_VLTpeer2(conf-if-ma-1/1)#ip address 10.11.206.35/
Dell_VLTpeer2(conf-if-ma-1/1)#no shutdown
Dell_VLTpeer2(conf-if-ma-1/1)#exit
Configure the VLT interconnect (VLTi).
Table 142. Troubleshooting VLT (continued)

Description | Behavior at Peer Up | Behavior During Run Time | Action to Take
(row continued from the previous page) | | ... threshold and when it drops below 80%. |
Domain ID mismatch | The VLT peer does not boot up. The VLTi is forced to a down state. A syslog error message and an SNMP trap are generated. | A syslog error message and an SNMP trap are generated. | Verify the domain ID matches on both VLT peers.
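The mismatches listed under Important Points to Remember and in the troubleshooting table can be caught before the peers are cabled. The following Python script is an added example (not code from the guide) that parses the show running-config vlt text of both peers, modelled on the output shown above, and reports a domain ID mismatch, a missing VLTi or backup destination, a backup destination that does not point at the other peer's management IP, differing system MACs, or duplicate unit IDs. The sample outputs and the management IPs are constructed.

```python
"""Cross-check two VLT peers' 'show running-config vlt' output for the
mismatches this chapter warns about. Added example, not from the Dell EMC
guide; OS9 command syntax as shown on this page."""
import re

# Constructed sample outputs, modelled on the show running-config vlt example
# on this page (domain 30, peer-link port-channel 60).
PEER1_VLT = """\
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.18
 system-mac mac-address 00:0b:00:0b:00:0b
 unit-id 0
"""
PEER2_VLT = """\
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.20
 system-mac mac-address 00:0b:00:0b:00:0b
 unit-id 1
"""
# Constructed management IPs; in practice read from each peer's ManagementEthernet interface.
PEER1_MGMT_IP = "10.11.200.20"
PEER2_MGMT_IP = "10.11.200.18"


def parse_vlt(text):
    """Return the settings of the 'vlt domain' block as a dict of simple values."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"vlt domain (\d+)$", line)
        if m:
            cfg["domain"] = int(m.group(1))
        elif line.startswith("peer-link port-channel "):
            cfg["peer_link"] = int(line.split()[-1])
        elif line.startswith("back-up destination "):
            cfg["backup_dest"] = line.split()[-1]
        elif line.startswith("system-mac mac-address "):
            cfg["system_mac"] = line.split()[-1].lower()
        elif line.startswith("unit-id "):
            cfg["unit_id"] = int(line.split()[-1])
    return cfg


def check_vlt_pair(peer1_text, peer1_mgmt_ip, peer2_text, peer2_mgmt_ip):
    """Return a list of problems found; an empty list means the pair is consistent."""
    a, b = parse_vlt(peer1_text), parse_vlt(peer2_text)
    problems = []
    # Domain ID mismatch: the VLTi is forced down and the peer never comes up (Table 142).
    if a.get("domain") != b.get("domain"):
        problems.append(f"domain ID mismatch: {a.get('domain')} vs {b.get('domain')}")
    for name, cfg in (("peer1", a), ("peer2", b)):
        if "peer_link" not in cfg:
            problems.append(f"{name}: no peer-link port-channel (VLTi) configured")
        if "backup_dest" not in cfg:
            problems.append(f"{name}: no back-up destination (heartbeat) configured")
    # The backup link must target the other peer's management address.
    if a.get("backup_dest") != peer2_mgmt_ip:
        problems.append(f"peer1 back-up destination {a.get('backup_dest')} "
                        f"is not peer2's management IP {peer2_mgmt_ip}")
    if b.get("backup_dest") != peer1_mgmt_ip:
        problems.append(f"peer2 back-up destination {b.get('backup_dest')} "
                        f"is not peer1's management IP {peer1_mgmt_ip}")
    # Both peers must present the same system MAC to attached devices.
    if a.get("system_mac") != b.get("system_mac"):
        problems.append(f"system-mac differs: {a.get('system_mac')} vs {b.get('system_mac')}")
    # unit-id (0 or 1) must be unique within the domain.
    if "unit_id" in a and "unit_id" in b and a["unit_id"] == b["unit_id"]:
        problems.append(f"both peers use unit-id {a['unit_id']}")
    return problems


if __name__ == "__main__":
    for line in check_vlt_pair(PEER1_VLT, PEER1_MGMT_IP, PEER2_VLT, PEER2_MGMT_IP) or ["VLT pair consistent"]:
        print(line)
```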
Reconfiguring Stacked Switches as VLT

To convert switches that have been stacked to VLT peers, use the following procedure.
1. Remove the current configuration from the switches. You will need to split the configuration up for each switch.
2. Copy the files to the flash memory of the appropriate switch.
3. Copy the files on the flash drive to the startup-config.
4. Reset the stacking ports to user ports for both switches.
5. Reload the stack and confirm the new configurations have been applied.
6.
Association of VLTi as a Member of a PVLAN

If a VLAN is configured as a non-VLT VLAN on both the peers, the VLTi link is made a member of that VLAN if the VLTi link is configured as a PVLAN or normal VLAN on both the peers. If a PVLAN is configured as a VLT VLAN on one peer and a non-VLT VLAN on another peer, the VLTi is added as a member of that VLAN by verifying the PVLAN parity on both the peers.
● Layer 3 communication between secondary VLANs in a private VLAN is enabled by using the ip local-proxy-arp command in INTERFACE VLAN configuration mode.
● The ARP request is not received on the ICL.
Under such conditions, the IP stack performs the following operations:
● The ARP reply is sent with the MAC address of the primary VLAN.
● The ARP request packet originates on the primary VLAN for the intended destination IP address.
Table 143.
   ● For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the slot/port/subport information.
   ● For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port/subport information.
   ● For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the slot/port/subport information.
   ● For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the slot/port information.
4. Ensure that the port channel is active.
   private-vlan mapping secondary-vlan vlan-list
   The list of secondary VLANs can be:
   ● Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
   ● Specified with this command even before they have been created.
   ● Amended by specifying the new secondary VLAN to be added to the list.

Proxy ARP Capability on VLT Peer Nodes

The proxy ARP functionality is supported on VLT peer nodes.
Proxy ARP is enabled only if you enable peer routing on both the VLT peers. If you disable peer routing by using the no peer-routing command in VLT DOMAIN mode, a notification is sent to the VLT peer to disable the proxy ARP. If you disable peer routing when the ICL link is down, a notification is not sent to the VLT peer and in such a case, the VLT peer does not disable the proxy ARP operation.
   member port-channel port-channel ID
4. Verify the VLAN-stack configurations.
   EXEC Privilege
   show running-config

Sample configuration of VLAN-stack over VLT (Peer 1)

Configure the VLT domain
DellEMC(conf)#vlt domain 1
DellEMC(conf-vlt-domain)#peer-link port-channel 1
DellEMC(conf-vlt-domain)#back-up destination 10.16.151.
DellEMC#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdown
DellEMC#
Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN
DellEMC#show vlan id 50
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
       O - Openflow
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   o - OpenFlow untagged, O - OpenFlow tagged
   G - GVRP tagged, M - Vlan-stack
interface Port-channel 20
 no ip address
 switchport
 vlan-stack trunk
 vlt-peer-lag port-channel 20
 no shutdown
DellEMC#
Configure the VLAN as a VLAN-Stack VLAN and add the VLT LAG as members to the VLAN
DellEMC(conf)#interface vlan 50
DellEMC(conf-if-vl-50)#vlan-stack compatible
DellEMC(conf-if-vl-50-stack)#member port-channel 10
DellEMC(conf-if-vl-50-stack)#member port-channel 20
DellEMC(conf-if-vl-50-stack)#
DellEMC#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-
The neighbor entries are typically learned by a node using neighbor solicitation (NS) and ND messages. These NS or neighbor advertisement (NA) messages can be either destined to the VLT node or to any nodes on the same network as the VLT interface. These learned neighbor entries are propagated to another VLT node so that the peer does not need to relearn the entries.
Consider a sample scenario in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link. To the south of the VLT domain, Unit1 and Unit2 are connected to a ToR switch named Node B. Also, Unit1 is connected to another node, Node A, and Unit2 is linked to a node, Node C. When an NS traverses from Unit2 to Node B(ToR) and a corresponding NA reaches Unit1 because of LAG hashing, this NA is tunneled to Unit 2 along with some control information.
Figure 142. Sample Configuration of IPv6 Peer Routing in a VLT Domain

Neighbor Solicitation from VLT Hosts

Consider a case in which NS for VLT node1 IP reaches VLT node1 on the VLT interface and NS for VLT node1 IP reaches VLT node2 due to LAG level hashing in the ToR. When VLT node1 receives NS from VLT VLAN interface, it unicasts the NA packet on the VLT interface. When NS reaches VLT node2, it is flooded on all interfaces including ICL.
Traffic Destined to VLT Nodes

Hosts can send traffic to one of the VLT nodes using a global IP or Link-Local address. When the host communicates with the VLT node using LLA and traffic reaches the wrong peer due to LAG level hashing in the ToR, the wrong peer routes the packet to the correct VLT node even though the destination IP is LLA.
Configure BFD in VLT Domain

Dell EMC Networking OS supports Bidirectional Forwarding Detection (BFD) to detect communication failures on an interface that is a part of a VLT link aggregation group (LAG). In a VLT domain, BFD provides a high-availability path when there are communication failures in any one of the VLT LAG links. The VLT nodes and top of rack (ToR) use the VLT LAG links to carry the BFD packets.
TOR(conf-if-po-111)# switchport
TOR(conf-if-po-111)# no shutdown
4. Configure a VLAN.
TOR(conf)#interface vlan 100
TOR(conf-if-vl-100)#ip address 100.1.1.3/24
TOR(conf-if-vl-100)#tagged port-channel 10
TOR(conf-if-vl-100)#arp timeout 1
TOR(conf-if-vl-100)#no shutdown
TOR(conf-if-vl-100)#exit
5. Enable BFD over OSPF.
TOR(conf)# router ospf 1
TOR(conf-router_ospf)# network 100.1.1.0/24 area 0
TOR(conf-router_ospf)# bfd all-neighbors

VLT Primary
1. Enable BFD globally.
VLT_Primary(conf)# bfd enable
2.
6. Enable BFD over OSPF.
VLT_Primary(conf)# router ospf 1
VLT_Primary(conf-router_ospf)# network 100.1.1.0/24 area 0
VLT_Primary(conf-router_ospf)# bfd all-neighbors

VLT Secondary
1. Enable BFD globally.
VLT_Secondary(conf)# bfd enable
2. Configure the port channel which is used as the VLTi link.
VLT_Secondary(conf)# interface port-channel 100
VLT_Secondary(conf-if-po-100)# no ip address
VLT_Secondary(conf-if-po-100)# channel-member tengigabitethernet 1/1/1, 1/1/2
VLT_Secondary(conf-if-po-100)# no shutdown
3.
● To verify the VLTi (ICL) link is up in the VLT primary peer, use show vlt brief command.
Static VXLAN Configuration in a VLT setup

Configuration steps are covered below:
1. Both Gateway VTEPs need VLT configured.
   ● ICL port configuration
     interface Port-channel 1
      no ip address
      channel-member TenGigabitEthernet 0/4-5
      no shutdown
   ● VLT Domain Configuration
     vlt domain 100
      peer-link port-channel 1
      back-up destination 10.11.70.14   (this is the IP address of the peer node)
   ● VXLAN Instance Configuration
     vxlan-instance 1 static
      local-vtep-ip 14.14.14.
      vni-profile test
       vnid 200
      remote-vtep-ip 3.3.3.3 vni-profile test
   ● VLT Access port configuration
     interface TengigabitEthernet 0/12
      port-channel-protocol lacp
       port-channel 30 mode active
     interface Port-channel 30
      no ip address
      vxlan-instance 1
      switchport
      vlt-peer-lag port-channel 30
      no shutdown
2. Configure loopback interface and VXLAN instances on both the peers.
   ● Configure the loopback interface IP address on both peers with the same IP address.
     interface Loopback 1
      ip address 14.14.14.14/32
      no shutdown
3.
60 VLT Proxy Gateway

The virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration. For more information, see the Command Line Reference Guide.
Figure 143. Sample Configuration for a VLT Proxy Gateway

Guidelines for Enabling the VLT Proxy Gateway

Keep the following points in mind when you enable a VLT proxy gateway:
● Proxy gateway is supported only for VLT; for example, across a VLT domain.
● You must enable the VLT peer-routing command for the VLT proxy gateway to function.
● Private VLANs (PVLANs) are not supported.
● When a Virtual Machine (VM) moves from one VLT domain to another VLT domain, the VM host sends a gratuitous ARP (GARP), which in turn triggers a MAC movement from the previous VLT domain to the newer VLT domain.
● After a station move, if the host sends a TTL1 packet destined to its gateway; for example, a previous VLT node, the packet can be dropped.
● You cannot have interface-level LLDP disable commands on the interfaces configured for proxy gateway and you must enable both transmission and reception.
● You must connect both units of the remote VLT domain by the port channel member.
● If you connect more than one port to a unit of the remote VLT domain, the connection must be completed by the time you enable the proxy gateway LLDP.
● You cannot have other conflicting configurations (for example, you cannot have a static proxy gateway configuration).
For VLT Proxy Gateway to work in this scenario you must configure the VLT-peer-mac transmit command under VLT Domain Proxy Gateway LLDP mode, in both C and D (VLT domain 1) and C1 and D1 (VLT domain 2). This behavior is applicable only in the LLDP configuration and not required in the static configuration.
Sample Dynamic Proxy Configuration on C switch or C1 switch
Switch_C#conf
Switch_C(conf)#vlt domain 1
Switch_C(conf-vlt-domain1)#proxy-gateway lldp
Switch_C(conf-vlt-domain1-pxy-gw-lldp)#peer-domain-link port-channel 1....

VLT Proxy Gateway Sample Topology

VLT proxy gateway enables one VLT domain to act as proxy gateway for another VLT domain when a host or virtual machine is moved from one VLT domain to the other VLT domain.
interface TenGigabitEthernet 0/9
 description "To DELL-3 10Gb"
 no ip address
!
 port-channel-protocol LACP
  port-channel 50 mode active
 no shutdown
interface Port-channel 50
 description "mVLT port channel to DELL-3"
 no ip address
 switchport
 no spanning-tree
 vlt-peer-lag port-channel 50
 no shutdown
Note that on the inter-domain link, the switchport command is enabled. On a VLTi link between VLT peers in a VLT domain, the switchport command is not used.
The MAC addresses, configured using the remote-mac-address command, belong to Dell-3 and Dell-4.
interface Vlan 100
 description OSPF peering VLAN to Dell-1
 ip address 10.10.100.2/30
 ip ospf network point-to-point
 no shutdown
The following is the OSPF configuration on Dell-2.
router ospf 1
 router-id 2.2.2.2
 network 10.10.100.0/30 area 0
The following output shows that Dell-1 forms OSPF neighborship with Dell-2.
Dell-2#sh ip ospf nei
Neighbor ID  Pri  State  Dead Time  Address  Interface  Area
4.4.4.
 ip ospf network point-to-point
 no shutdown
The following is the OSPF configuration on Dell-3.
router ospf 1
 router-id 3.3.3.3
 network 10.10.101.0/30 area 0
 network 10.10.102.0/30 area 0
The following output shows that Dell-4 and VLT domain 120 form OSPF neighborship with Dell-3.
Dell-3#sh ip ospf nei
!
Neighbor ID  Pri  State    Dead Time  Address      Interface  Area
4.4.4.4      1    FULL/ -  00:00:33   10.10.101.1  Vl 101     0
1.1.1.1      1    FULL/ -  00:00:34   10.10.102.
61 Virtual Extensible LAN (VXLAN)
Virtual Extensible LAN (VXLAN) is supported on Dell EMC Networking OS.
Overview
The switch acts as the VXLAN gateway and performs the VXLAN Tunnel End Point (VTEP) functionality. VXLAN is a technology wherein the data traffic from the virtualized servers is transparently transported over an existing legacy network.
Figure 146. VXLAN Gateway
NOTE: In a stack setup, the Dell EMC Networking OS does not support VXLAN.
• NSX Controller-based VXLAN for VLT
Components of VXLAN network
VXLAN provides a mechanism to extend an L2 network over an L3 network. In short, VXLAN is an L2 overlay scheme over an L3 network, and this overlay is termed a VXLAN segment.
Functional Overview of VXLAN Gateway
The following section is the functional overview of VXLAN Gateway:
1. Provides connectivity between a Virtual server infrastructure and a Physical server infrastructure.
2. Provides the functions performed by a VTEP in a virtual server infrastructure. The functions of a VTEP are:
● VTEP is responsible for creating one or more logical networks.
● VTEP is responsible for identifying and binding a Port and VLAN to a logical network.
● VTEP maintains MAC bindings to a VTEP.
● Ethertype: It is set to 0x0800 because the payload packet is an IPv4 packet. The initial VXLAN draft does not include an IPv6 implementation, but it is planned for the next draft.
Outer IP Header: The Outer IP Header consists of the following components:
● Protocol: It is set to 0x11 to indicate that the frame contains a UDP packet.
● Source IP: It is the IP address of the originating VTEP.
● Destination IP: It is the IP address of the target VTEP.
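The outer headers described above, built and then validated field by field in an added example that is not part of this guide or of Dell EMC Networking OS. It assumes the IANA VXLAN UDP port 4789, and the outer MACs, the remote VTEP address and the inner ARP frame are constructed; the local VTEP 101.101.101.101 and VNI 5000 are the values shown later in this chapter.

```python
"""Build and parse a VXLAN-encapsulated frame: Ethernet / IPv4 / UDP / VXLAN / inner frame."""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN port (assumption; not stated in the text)
ETHERTYPE_IPV4 = 0x0800      # outer Ethertype, as described in the text
IPPROTO_UDP = 0x11           # outer IP protocol, as described in the text
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field is valid
VXLAN_HDR_LEN = 8


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vxlan_frame(src_vtep: str, dst_vtep: str, vni: int, inner_frame: bytes) -> bytes:
    """Encapsulate an Ethernet frame the way an originating VTEP would."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # VXLAN header: flags, 3 reserved bytes, 24-bit VNI followed by 1 reserved byte
    vxlan_hdr = struct.pack("!BBHI", VXLAN_FLAG_I, 0, 0, vni << 8)
    udp_len = 8 + VXLAN_HDR_LEN + len(inner_frame)
    # UDP checksum is optional over IPv4; VTEPs commonly send zero
    udp_hdr = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip_fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + udp_len, 0, 0x4000, 64, IPPROTO_UDP, 0,
        ipaddress.IPv4Address(src_vtep).packed, ipaddress.IPv4Address(dst_vtep).packed)
    ip_hdr = ip_fields[:10] + struct.pack("!H", ipv4_checksum(ip_fields)) + ip_fields[12:]
    # Constructed outer MACs standing in for the next-hop router and the local VTEP
    eth_hdr = bytes.fromhex("0200000000b1") + bytes.fromhex("0200000000a1") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def parse_vxlan_frame(frame: bytes) -> dict:
    """Decapsulate, rejecting anything whose outer headers do not match the text's description."""
    if len(frame) < 14 + 20 + 8 + VXLAN_HDR_LEN:
        raise ValueError("frame too short for Eth/IPv4/UDP/VXLAN")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer Ethertype 0x%04x is not IPv4" % ethertype)
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    if ip_hdr[9] != IPPROTO_UDP:
        raise ValueError("outer IP protocol 0x%02x is not UDP" % ip_hdr[9])
    udp_off = 14 + ihl
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port %d is not VXLAN" % dst_port)
    vx_off = udp_off + 8
    flags, _, _, vni_field = struct.unpack("!BBHI", frame[vx_off:vx_off + VXLAN_HDR_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI field is not valid")
    return {
        "src_vtep": str(ipaddress.IPv4Address(ip_hdr[12:16])),
        "dst_vtep": str(ipaddress.IPv4Address(ip_hdr[16:20])),
        "vni": vni_field >> 8,
        "inner_frame": frame[vx_off + VXLAN_HDR_LEN:udp_off + udp_len],
    }


# Constructed sample inner frame: a broadcast ARP request (Ethertype 0x0806) from an
# access-side host, padded to the 60-byte minimum Ethernet payload size.
SAMPLE_INNER_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
                      + struct.pack("!H", 0x0806) + b"\x00" * 46)


def roundtrip_demo() -> dict:
    """Encapsulate from local VTEP 101.101.101.101 to a constructed remote VTEP with VNI 5000, then decapsulate."""
    frame = build_vxlan_frame("101.101.101.101", "10.10.10.1", 5000, SAMPLE_INNER_FRAME)
    return parse_vxlan_frame(frame)


if __name__ == "__main__":
    result = roundtrip_demo()
    print("VNI %d from %s to %s, inner frame %d bytes"
          % (result["vni"], result["src_vtep"], result["dst_vtep"], len(result["inner_frame"])))
```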
Configuring and Controlling VXLAN from the NSX Controller GUI
You can configure and control VXLAN from the NSX controller GUI, by adding a hardware device to NSX and authenticating the device.
1. Generate a certificate in your system and add it to the NSX before adding a hardware device for authentication. To generate a certificate, use the following command:
● crypto cert generate self-signed cert-file flash://vtep-cert.pem key-file flash://vtep-privkey.
Figure 148. Create VXLAN Gateway
To create a VXLAN L2 Gateway, the IP address of the Gateway is required. After connectivity is established between the VTEP and NSX controller, the management IP address and the connectivity status are populated as shown in the following image.
Figure 149. Hardware Devices
3. Add a service node or replicator. Under Home > Networking and Security > Service Definition > Hardware Devices > Replication Cluster, click the Edit button.
Figure 150. Add Service Node or Replicator
NOTE: Ensure L3 reachability between the VTEP and the replicator.
4. Create Logical Switch. You can create a logical network by creating a logical switch. The logical network acts as the forwarding domain for workloads on the physical as well as virtual infrastructure. Click Home > Networking and Security > Logical Switches and click Add. The New Logical Switch window opens. Enter a name and select Unicast as the replication mode and click OK.
Figure 151.
In the Manage Hardware Bindings window, expand a VTEP and click Add. The Manage Hardware Bindings window opens. Click the Select link and the Specify Hardware Port window opens. Click the hardware port and click OK.
Figure 152. Specify Hardware Port
In the Manage Hardware Bindings window, under the VLAN column, enter the VLAN ID and press OK.
Figure 153. Create Logical Switch Port
6. (Optional) Enable or disable BFD globally. Go to Hardware Devices tab > BFD Configuration, and click the Edit button.
Figure 154. Edit VXLAN BFD Configuration
NOTE: For more details about NSX controller configuration, refer to the NSX user guide from VMware.
Configuring and Controlling VXLAN from Nuage Controller GUI
The Dell EMC Networking OS supports Nuage controller for VXLAN. You can configure and control VXLAN from the Nuage controller GUI, by adding a hardware device to the Nuage controller and authenticating the device.
1. Under the Infrastructure tab, add a datacenter gateway.
Figure 155.
Figure 156. Port-to-VLAN mappings
3. Under the Networks tab, create an L2 domain. Under the L2 domain, create a logical network (VNI) and add access ports of the VTEP in the logical network.
Figure 157. Access ports of the VTEP
Configuring VxLAN Gateway
To configure the VxLAN gateway on the switch, follow these steps:
1. Connecting to NVP controller
2. Advertising VXLAN access ports to controller
Connecting to an NVP Controller
To connect to an NVP controller, use the following commands.
1.
3. Define how the device connects to the controller.
VxLAN INSTANCE mode
controller controller-ID ip address port port-number TCP | SSL
The port number range is from 1 to 6632. The default connection type is SSL. TCP, PTCP, and PSSL are supported with NSX controller only.
4. Enter the gateway IP.
VxLAN INSTANCE mode
gateway-ip IP-address
5. Enter the maximum backoff time (Optional).
VxLAN INSTANCE mode
max_backoff time
The range is from 1000 to 180000. The default value is 30000 milliseconds.
6.
The following example shows the show vxlan vxlan-instance logical-network command.
show vxlan vxlan-instance 1 logical-network
Instance : 1
Total LN count : 1024
* - No VLAN mapping exists and yet to be installed
Name                                   VNID
1ba08465-8774-3383-ba51-8b7e642ff632   6427
02f063c2-36c7-3ef6-a324-b432b748d15d   6218
36ab6265-5fa8-3ce8-b35c-e7cfdaf7c9e8   6368
The following example shows the show vxlan vxlan-instance statistics interface command.
Static Virtual Extensible LAN (VXLAN)
When you create a Virtual Extensible LAN (VXLAN), you need a Network Virtualization Platform (NVP) Controller to configure and control the VXLAN. When you create a VXLAN instance in static mode, you can configure the VXLAN using CLIs instead of using the Controller. Once you create a VXLAN instance in static mode, you can create a VNI profile, associate a VNID to the VNI profile, associate a remote VTEP to the VNID, and associate the VNID to a VLAN using the CLIs.
Displaying Static VXLAN Configurations
To display the static VXLAN configurations, use the following commands.
The following example displays the basic configuration details.
DellEMC# show vxlan vxlan-instance 1
Instance : 1
Mode : Static
Admin State : Up
Local vtep ip : 101.101.101.101
Port List : Fo 1/49
The following example displays VTEP to VNI mapping for a specific remote VTEP.
DellEMC# show vxlan vxlan-instance 1 vtep-vni-map
Remote Vtep IP : 10.10.10.
VXLAN Scenario
The VXLAN tunnel stays down even if the remote VTEP IP is reachable through a recursive route. The following section explains the scenario through an example configuration. The following illustration depicts the topology in which the VTEPs are connected.
Figure 158. VXLAN Scenario
In the above illustration, R1 and R2 are the VTEPs that are trying to form the VXLAN tunnel. R3, the route reflector, exchanges the routes across two IBGP peers (R1 and R2).
In this RIOT scheme, whenever R1 tries to reach R2, the packet gets to P1 on VTEP 1 with VLAN 10 and gets routed out of P2 on VLAN 20. VTEP 1 sends an ARP request for R2 (10.1.2.1) through P2. This request gets VXLAN encapsulated at P3 and is sent out of P4. Eventually, the native ARP request reaches R2. R2 sends an ARP response that is VXLAN encapsulated at VTEP 2. This response reaches VTEP 1 on P4 with a VXLAN encapsulation. At this point, the ARP response is de-capsulated at P4.
● When you ping 10.1.2.1 (Vlan 20's IP on R2) from R1, the packet gets to P1 on VTEP 1 with Vlan 10, and tries to get routed out of P2 on Vlan 20.
● VTEP 1 sends an ARP request for 10.1.2.1 out of P2. This gets VXLAN encapsulated at P2, and gets sent out of P3.
● The VXLAN encapsulated ARP request lands on VTEP 2, where it is decapsulated and sent out of P5 and P6.
● Packets looped back to P5 will not be forwarded again to either P4 or P6 because of the added ACL rule 4.4.3.
In order for this configuration to work, the physical loopback ports are required to be in port-channels. There are two types of physical loopback interfaces: VXLAN Loopback Port and Non-VXLAN Loopback Port. These two port-channels are implicitly made no spanning tree, so that they do not go into a blocked state if xSTP is enabled. Internal Loopback To configure internal loopback port-channels, add free ports in the device as members of a port-channel, say 10, then configure vxlan-instance 1 loopback.
For VLT, in addition to the masks specified earlier, the VLT-specific mask that disallows frames ingressing on an ICL from going out of a VLT port channel is permanently in place. These masks are not removed for the loopback ports even if the VLT peer LAG goes down (this is a deviation from standard VLT behavior when these loopbacks are provisioned as VLT port-channels).
NSX Controller-based VXLAN for VLT
Apart from static VXLAN for VLT, you can also use an NSX controller for VXLAN in a VLT setup.
Important Points to Remember
● The VLT peer port channel number must be the same on both VLT peers.
● Before configuring controller-based VXLAN with VLT, remove any existing standalone VXLAN configuration.
● BFD tunnels come up only after the NSX controller sends tunnel details. The details come after the remote MAC addresses are downloaded from the NSX controller.
Configure NSX Controller-based VxLAN in VLT Setup
You can configure NSX controller-based VxLAN in a VLT setup.
controller controller-ID ip address port port-number TCP | SSL
The port number range is from 1 to 6632. The default connection type is SSL.
4. Enter the VxLAN gateway IP address.
VxLAN INSTANCE mode
gateway-ip gateway-IP-address
5. Enter the IP address of the peer OVSDB server.
peer-ovsdbserver-ip ovsdb-IP-address
The peer OVSDB server is the peer VLT device.
6. Enter the fail mode.
VxLAN INSTANCE mode
fail-mode secure
7. Enable the VxLAN instance.
VLT configuration:
DellEMC#show runn vlt
!
vlt domain 100
 peer-link port-channel 1
 back-up destination 38.0.0.
          : 10.16.140.183:6640 ssl (connected)
Fail Mode : secure
Port List : Te 1/21 Po 10 Po 11 Po 30
DellEMC#
DellEMC#
DellEMC#sh vxlan vxlan-instance 1 logical-network
Instance : 1
Total LN count : 1
* - No VLAN mapping exists and yet to be installed
Name                                   VNID
a35fe7f7-fe82-37b4-b69a-0af4244d1fca   5000
DellEMC#$nstance 1 logical-network name a35fe7f7-fe82-37b4-b69a-0af4244d1fca
Name        : a35fe7f7-fe82-37b4-b69a-0af4244d1fca
Description :
Type        : ELAN
Tunnel Key  : 5000
VFI         : 28674
Unknown Multicast MAC Tunnels: 6.6.
DellEMC#
DellEMC#show vxlan vxlan-instance 1 unicast-mac-remote
Total Remote Mac Count: 1
VNI    MAC                TUNNEL
5000   00:00:bb:00:00:00  4.3.3.
Total LN count : 1
* - No VLAN mapping exists and yet to be installed
Name                                   VNID
a35fe7f7-fe82-37b4-b69a-0af4244d1fca   5000
DellEMC#$nstance 1 logical-network name a35fe7f7-fe82-37b4-b69a-0af4244d1fca
Name        : a35fe7f7-fe82-37b4-b69a-0af4244d1fca
Description :
Type        : ELAN
Tunnel Key  : 5000
VFI         : 28674
Unknown Multicast MAC Tunnels: 6.6.6.
Configuring and Controlling VXLAN from the NSX Controller GUI
You can configure and control VXLAN from the NSX controller GUI, by adding a hardware device to NSX and authenticating the device.
1. Generate a certificate in your system and add it to the NSX before adding a hardware device for authentication. To generate a certificate, use the following command:
● crypto cert generate self-signed cert-file flash://vtep-cert.pem key-file flash://vtep-privkey.
Figure 160. Create VXLAN Gateway
To create a VXLAN L2 Gateway, the IP address of the Gateway is required. After connectivity is established between the VTEP and NSX controller, the management IP address and the connectivity status are populated as shown in the following image.
Figure 161. Hardware Devices
3. Add a service node or replicator. Under Home > Networking and Security > Service Definition > Hardware Devices > Replication Cluster, click the Edit button.
Figure 162. Add Service Node or Replicator
NOTE: Ensure L3 reachability between the VTEP and the replicator.
4. Create Logical Switch. You can create a logical network by creating a logical switch. The logical network acts as the forwarding domain for workloads on the physical as well as virtual infrastructure. Click Home > Networking and Security > Logical Switches and click Add. The New Logical Switch window opens. Enter a name and select Unicast as the replication mode and click OK.
Figure 163.
In the Manage Hardware Bindings window, expand a VTEP and click Add. The Manage Hardware Bindings window opens. Click the Select link and the Specify Hardware Port window opens. Click the hardware port and click OK.
Figure 164. Specify Hardware Port
In the Manage Hardware Bindings window, under the VLAN column, enter the VLAN ID and press OK.
Figure 165. Create Logical Switch Port
6. (Optional) Enable or disable BFD globally. Go to Hardware Devices tab > BFD Configuration, and click the Edit button.
Figure 166. Edit VXLAN BFD Configuration
NOTE: For more details about NSX controller configuration, refer to the NSX user guide from VMware.
62 Virtual Routing and Forwarding (VRF)
Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time.
Figure 167. VRF Network Example VRF Configuration Notes Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
NOTE: To configure a router ID in a non-default VRF, configure at least one IP address in both the default as well as the non-default VRF.
Table 144. Software Features Supported on VRF
Feature/Capability | Support Status for Default VRF | Support Status for Non-default VRF
802.
DHCP
DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance.
VRF Configuration
The VRF configuration tasks are:
1. Enabling VRF in Configuration Mode
2. Creating a Non-Default VRF
3. Assign an Interface to a VRF
You can also:
● View VRF Instance Information
● Connect an OSPF Process to a VRF Instance
● Configure VRRP on a VRF
Loading VRF CAM
● Load CAM memory for the VRF feature.
2. Assign the interface to management VRF.
INTERFACE CONFIGURATION
ip vrf forwarding management
Before assigning a front-end port to a management VRF, ensure that no IP address is configured on the interface.
3. Assign an IPv4 address to the interface.
INTERFACE CONFIGURATION
ip address 10.1.1.1/24
4. Assign an IPv6 address to the interface.
Table 145. Configuring VRRP on a VRF (continued)
Task | Command Syntax | Command Mode
Assign an IP address to the interface | ip address 10.1.1.1/24; no shutdown |
Configure the VRRP group and virtual IP address | vrrp-group 10; virtual-address 10.1.1.100 |
View VRRP command output for the VRF vrf1 | show config |
----------------------------
!
interface TenGigabitEthernet 1/13/1
 ip vrf forwarding vrf1
 ip address 10.1.1.1/24
 !
 vrrp-group 10
  virtual-address 10.1.1.
● ipv6 nd reachable-time — Set advertised reachability time
● ipv6 nd retrans-timer — Set NS retransmit interval used and advertised in RA
● ipv6 nd suppress-ra — Suppress IPv6 Router Advertisements
● ipv6 ad — IPv6 Address Detection
● ipv6 ad autoconfig — IPv6 stateless auto-configuration
● ipv6 address — Configure IPv6 address on an interface
NOTE: The command line help still displays relevant details corresponding to each of these commands.
Figure 169. Setup VRF Interfaces
The following example relates to the configuration shown in the above illustrations.
Router 1
ip vrf blue 1
!
ip vrf orange 2
!
ip vrf green 3
!
interface TenGigabitEthernet
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding orange
 ip address 20.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding green
 ip address 30.0.0.
 ip vrf forwarding blue
 ip address 1.0.0.1/24
 tagged TenGigabitEthernet 3/1/1
 no shutdown
!
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.1/24
 tagged TenGigabitEthernet 3/1/1
 no shutdown
!
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.1/24
 tagged TenGigabitEthernet 3/1/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.1
 network 1.0.0.0/24 area 0
 network 10.0.0.0/24 area 0
!
router ospf 2 vrf orange
 router-id 2.0.0.1
 network 2.0.0.0/24 area 0
 network 20.0.0.
!
router ospf 1 vrf blue
 router-id 1.0.0.2
 network 11.0.0.0/24 area 0
 network 1.0.0.0/24 area 0
 passive-interface TenGigabitEthernet 2/1/1
!
router ospf 2 vrf orange
 router-id 2.0.0.2
 network 21.0.0.0/24 area 0
 network 2.0.0.0/24 area 0
 passive-interface TenGigabitEthernet 2/2/1
!
ip route vrf green 30.0.0.0/24 3.0.0.1
!
The following shows the output of the show commands on Router 1.
                                                                Change
--------------------  -------------------  -------  -----------
C  2.0.0.0/24          Direct, Vl 192
C  20.0.0.0/24         Direct, Te 1/2/1              00:10:05
O  21.0.0.0/24         via 2.0.0.                    00:10:41
Dynamic Route Leaking enables a source VRF to share both its connected routes as well as dynamically learnt routes from various protocols, such as ISIS, OSPF, BGP, and so on, with other default or non-default VRFs. You can also leak global routes to be made available to VRFs. As the global RTM usually contains a large pool of routes, when the destination VRF imports global routes, these routes will be duplicated into the VRF's RTM.
interface-type slot/port[/subport]
ip vrf forwarding VRF-blue
ip address ip-address mask
A non-default VRF named VRF-blue is created and the interface 1/12 is assigned to it.
7. Configure the import target in VRF-blue.
ip route-import 1:1
8. Configure the export target in VRF-blue.
ip route-export 3:3
9. Configure VRF-green.
Show routing tables of VRFs (after route-export and route-import tags are configured).
DellEMC# show ip route vrf VRF-Red
O  11.1.1.1/32     via 111.1.1.1                    110/0  00:00:10
C  111.1.1.0/24    Direct, Te 1/11/1                0/0    22:39:59
O  44.4.4.4/32     via VRF-shared:144.4.4.4         0/0    00:32:36
C  144.4.4.0/24    Direct, VRF-shared:Te 1/4/1      0/0    00:32:36
DellEMC# show ip route vrf VRF-Blue
O  22.2.2.2/32     via 122.2.2.2                    110/0  00:00:11
C  122.2.2.0/24    Direct, Te 1/12/1                0/0    22:39:61
O  44.4.4.4/32     via vrf-shared:144.4.4.
C  144.4.4.0/24
Consider a scenario where you have created two VRF tables VRF-red and VRF-blue. VRF-red exports routes with the export_ospfbgp_protocol route-map to VRF-blue. VRF-blue imports these routes into its RTM. For leaking these routes from VRF-red to VRF-blue, you can use the ip route-export route-map command on VRF-red (source VRF, that is exporting the routes); you must also specify a match criteria for these routes using the match source-protocol command.
ip route-export 2:2
ip route-import 1:1 import_ospf_protocol
! this action accepts only OSPF routes from VRF-red even though both OSPF as well as BGP routes are shared
The show ip route vrf command displays the following output:
DellEMC# show ip route vrf VRF-Blue
C  122.2.2.0/24    Direct, Te 1/22/1       0/0    22:39:61
O  22.2.2.2/32     via 122.2.2.2           110/0  00:00:11
O  44.4.4.4/32     via vrf-red:144.4.4.
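The export-tag / import-tag / route-map behaviour described in the two route-leaking scenarios above, as an added model that is not Dell EMC Networking OS code. The VRF names, tags and the OSPF route 44.4.4.4/32 follow the text; the BGP route 55.5.5.5/32, the interface names and the rule that a leaked route is never re-exported are this model's own constructed assumptions.

```python
"""Model of VRF route leaking: routes flow from a VRF whose route-export tag matches
another VRF's route-import tag, filtered by route-maps that match on source protocol."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Administrative distance per protocol, used only to render the "dist/metric" column
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ospf": 110, "bgp": 200}
ROUTE_CODE = {"connected": "C", "static": "S", "ospf": "O", "bgp": "B"}


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str                      # source protocol: connected, static, ospf, bgp
    next_hop: str                      # gateway address, or the interface for connected routes
    source_vrf: Optional[str] = None   # set once the route has been leaked in from another VRF


@dataclass
class Vrf:
    name: str
    rtm: List[Route] = field(default_factory=list)
    export_tag: Optional[str] = None
    export_protocols: Optional[Set[str]] = None   # route-map on ip route-export (match source-protocol)
    import_tag: Optional[str] = None
    import_protocols: Optional[Set[str]] = None   # route-map on ip route-import (match source-protocol)


def _permitted(route_map: Optional[Set[str]], route: Route) -> bool:
    """No route-map attached (None) permits every route; otherwise match on source protocol."""
    return route_map is None or route.protocol in route_map


def leak_routes(vrfs: Dict[str, Vrf]) -> Dict[str, Vrf]:
    """Install into each importing VRF the routes of every VRF whose export tag matches
    its import tag, after both the export and the import route-map permit the route.
    Routes that were themselves leaked in are never re-exported (assumption: prevents loops)."""
    for dst in vrfs.values():
        if dst.import_tag is None:
            continue
        for src in vrfs.values():
            if src is dst or src.export_tag != dst.import_tag:
                continue
            for route in src.rtm:
                if route.source_vrf is not None:
                    continue
                if not (_permitted(src.export_protocols, route) and _permitted(dst.import_protocols, route)):
                    continue
                leaked = Route(route.prefix, route.protocol,
                               "%s:%s" % (src.name, route.next_hop), source_vrf=src.name)
                if leaked not in dst.rtm:
                    dst.rtm.append(leaked)
    return vrfs


def show_ip_route(vrf: Vrf) -> List[str]:
    """Render rows in the shape of the guide's show ip route vrf output."""
    rows = []
    for r in sorted(vrf.rtm, key=lambda x: x.prefix):
        via = ("Direct, " if r.protocol == "connected" else "via ") + r.next_hop
        rows.append("%s %s %s %d/0" % (ROUTE_CODE[r.protocol], r.prefix, via, ADMIN_DISTANCE[r.protocol]))
    return rows


def leaked_prefixes(vrf: Vrf) -> List[str]:
    return sorted(r.prefix for r in vrf.rtm if r.source_vrf is not None)


def build_scenario(import_route_map: Optional[Set[str]]) -> Dict[str, Vrf]:
    """VRF-red exports tag 1:1; VRF-blue imports 1:1, optionally through a route-map
    that accepts only OSPF (the import_ospf_protocol case in the text)."""
    red = Vrf("VRF-red", export_tag="1:1", rtm=[
        Route("144.4.4.0/24", "connected", "Te 1/4/1"),
        Route("44.4.4.4/32", "ospf", "144.4.4.4"),
        Route("55.5.5.5/32", "bgp", "144.4.4.4"),      # constructed BGP route, not in the text
    ])
    blue = Vrf("VRF-blue", export_tag="2:2", import_tag="1:1", import_protocols=import_route_map, rtm=[
        Route("122.2.2.0/24", "connected", "Te 1/22/1"),
        Route("22.2.2.2/32", "ospf", "122.2.2.2"),
    ])
    return leak_routes({"VRF-red": red, "VRF-blue": blue})


if __name__ == "__main__":
    for label, rmap in (("with import_ospf_protocol", {"ospf"}), ("without route-map", None)):
        print("VRF-blue %s:" % label)
        for row in show_ip_route(build_scenario(rmap)["VRF-blue"]):
            print("  " + row)
```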
63 Virtual Router Redundancy Protocol (VRRP)
Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network.
Topics:
• VRRP Overview
• VRRP Benefits
• VRRP Implementation
• VRRP Configuration
• Sample Configurations
• Proxy Gateway with VRRP
VRRP Overview
VRRP is designed to eliminate a single point of failure in a statically routed network.
Figure 170. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. In conjunction with Virtual Link Trunking (VLT), you can configure optimized forwarding with virtual router redundancy protocol (VRRP).
NOTE: In a VLT environment, the VRRP configuration acts as active-active, and if a route is not present in any of the VRRP nodes, the packet to the destination is dropped on that VRRP node.
Table 146.
The following example shows how to configure VRRP.
DellEMC(conf)#interface tengigabitethernet 1/1/1
DellEMC(conf-if-te-1/1/1)#vrrp-group 111
DellEMC(conf-if-te-1/1/1-vrid-111)#
The following example shows how to verify the VRRP configuration.
DellEMC(conf-if-te-1/1/1)#show conf
!
interface TenGigabitEthernet 1/1/1
 ip address 10.10.10.
3. Set the backup switches to version 3.
Dell_backup_switch1(conf-if-te-1/1/1-vrid-100)#version 3
Dell_backup_switch2(conf-if-te-1/2/1-vrid-100)#version 3
Assign Virtual IP addresses
Virtual routers contain virtual IP addresses configured for that VRRP group (VRID). A VRRP group does not transmit VRRP packets until you assign the Virtual IP address to the VRRP group.
  virtual-address 10.10.10.2
  virtual-address 10.10.10.3
 !
 vrrp-group 222
  no shutdown
The following example shows the same VRRP group (VRID 111) configured on multiple interfaces on different subnets.
DellEMC#show vrrp
-----------------
TenGigabitEthernet 1/1/1, VRID: 111, Version: 2, Net: 10.10.10.1
VRF: 0 default
State: Master, Priority: 255, Master: 10.10.10.
 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
-----------------
TenGigabitEthernet 1/2/1, VRID: 111, Net: 10.10.2.1
VRF: 0 default
State: Master, Priority: 125, Master: 10.10.2.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 601, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address:
 10.10.2.2 10.10.2.
INTERFACE-VRID mode
no preempt
Re-enable preempt by entering the preempt command. When you enable preempt, it does not display in the show commands, because it is a default setting.
The following example shows how to disable preempt using the no preempt command.
DellEMC(conf-if-te-1/1/1)#vrrp-group 111
DellEMC(conf-if-te-1/1/1-vrid-111)#no preempt
DellEMC(conf-if-te-1/1/1-vrid-111)#
The following example shows how to verify preempt is disabled using the show conf command.
The following example shows how to verify the advertise interval change using the show conf command.
DellEMC(conf-if-te-1/1/1-vrid-111)#show conf
!
vrrp-group 111
 advertise-interval 10
 authentication-type simple 7 387a7f2df5969da4
 no preempt
 priority 255
 virtual-address 10.10.10.1
 virtual-address 10.10.10.2
 virtual-address 10.10.10.3
 virtual-address 10.10.10.10
Track an Interface or Object
You can set Dell EMC Networking OS to monitor the state of any interface according to the virtual group.
EXEC mode or EXEC Privilege mode
show track
● (Optional) Display the configuration and the UP or DOWN state of tracked interfaces and objects in VRRP groups, including the time since the last change in an object's state.
EXEC mode or EXEC Privilege mode
show vrrp
● (Optional) Display the configuration of tracked objects in VRRP groups on a specified interface.
2 - Up IPv6 route, 2040::/64, priority-cost 20, 00:02:11
3 - Up IPv6 route, 2050::/64, priority-cost 30, 00:02:11
The following example shows verifying the VRRP configuration on an interface.
Sample Configurations Before you set up VRRP, review the following sample configurations. VRRP for an IPv4 Configuration The following configuration shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
R2(conf-if-te-2/31/1-vrid-99)#virtual 10.1.1.3
R2(conf-if-te-2/31/1-vrid-99)#no shut
R2(conf-if-te-2/31/1)#show conf
!
interface TenGigabitEthernet 2/31/1
 ip address 10.1.1.1/24
 !
 vrrp-group 99
  priority 200
  virtual-address 10.1.1.3
 no shutdown
R2(conf-if-te-2/31/1)#end
R2#show vrrp
-----------------
TenGigabitEthernet 2/31/1, VRID: 99, Net: 10.1.1.1
VRF: 0 default
State: Master, Priority: 200, Master: 10.1.1.
Figure 172. VRRP for an IPv6 Configuration
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.
The following example shows configuring VRRP for IPv6 on Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
 vrrp-group 10
  priority 100
  virtual-address fe80::10
  virtual-address 1::10
 no shutdown
R2(conf-if-te-1/1/1)#end
R2#show vrrp
-----------------
TenGigabitEthernet 1/1/1, IPv6 VRID: 10, Version: 3, Net: fe80::201:e8ff:fe6a:c59f
VRF: 0 default
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP a
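The virtual MAC addresses in the show vrrp outputs of this chapter, together with the master-election rule in the note above, as an added example that is not Dell EMC Networking OS code. The MAC layout and the address tie-break follow RFC 5798; the router names, addresses and priorities are constructed, and the owner-always-preempts rule is an RFC assumption not stated in the text.

```python
"""VRRP virtual MAC derivation and a model of the master-election rules."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def vrrp_virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """RFC 5798 virtual MAC: 00:00:5e:00:01:<VRID> for IPv4 and 00:00:5e:00:02:<VRID> for IPv6."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00:00:5e:00:%02x:%02x" % (2 if ipv6 else 1, vrid)


@dataclass
class VrrpRouter:
    name: str
    address: str          # interface address carried in the VRRP advertisements
    priority: int         # 1..254 for backups; 255 marks the virtual-address owner
    preempt: bool = True  # preempt is the default setting (see the no preempt section)
    state: str = "Backup"

    def ip(self):
        return ipaddress.ip_address(self.address)


def elect_master(routers: List[VrrpRouter], current_master: Optional[VrrpRouter] = None) -> VrrpRouter:
    """Decide which router holds the Master role.

    With no Master yet, the highest priority wins and an equal priority is broken
    by the higher address (RFC 5798). With a Master already running, it keeps the
    role unless a router with strictly higher priority and preempt enabled (or the
    address owner, priority 255) is present; equal priority never displaces it,
    whatever the addresses, which is the behaviour the note in the text describes."""
    if current_master is None:
        winner = max(routers, key=lambda r: (r.priority, r.ip()))
    else:
        challengers = [r for r in routers
                       if (r.preempt or r.priority == 255) and r.priority > current_master.priority]
        winner = max(challengers, key=lambda r: (r.priority, r.ip())) if challengers else current_master
    for r in routers:
        r.state = "Master" if r is winner else "Backup"
    return winner


def election_demo() -> dict:
    """Two constructed IPv6 routers, both at priority 100, with R3 holding the higher address."""
    r2 = VrrpRouter("R2", "fe80::201:e8ff:fe6a:c59f", 100)
    r3 = VrrpRouter("R3", "fe80::201:e8ff:fe8a:fd76", 100)
    out = {}
    out["cold_start"] = elect_master([r2, r3]).name                                   # tie -> higher address
    out["running_master_keeps_role"] = elect_master([r2, r3], current_master=r2).name  # note in the text
    r3.priority = 110
    out["higher_priority_preempts"] = elect_master([r2, r3], current_master=r2).name
    r3.preempt = False
    out["no_preempt_waits"] = elect_master([r2, r3], current_master=r2).name
    return out


if __name__ == "__main__":
    print("VRID 111 IPv4 ->", vrrp_virtual_mac(111))
    print("VRID 10 IPv6  ->", vrrp_virtual_mac(10, ipv6=True))
    for case, master in election_demo().items():
        print("%-28s Master = %s" % (case, master))
```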
VRRP groups on each VRF instance in order that there is one MASTER and one backup router for each VRF. In VRF-1 and VRF-2, Switch-2 serves as owner-master of the VRRP group and Switch-1 serves as the backup. On VRF-3, Switch-1 is the owner-master and Switch-2 is the backup. In VRF-1 and VRF-2 on Switch-2, the virtual IP and node IP address, subnet, and VRRP group are the same.
S1(conf-if-te-1/2/1)#no shutdown
!
S1(conf)#interface TenGigabitEthernet 1/3/1
S1(conf-if-te-1/3/1)#ip vrf forwarding VRF-3
S1(conf-if-te-1/3/1)#ip address 20.1.1.5/24
S1(conf-if-te-1/3/1)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S1(conf-if-te-1/3/1-vrid-105)#priority 255
S1(conf-if-te-1/3/1-vrid-105)#virtual-address 20.1.1.
This VLAN scenario often occurs in a service-provider network in which you configure VLAN tags for traffic from multiple customers on customer-premises equipment (CPE), and separate VRF instances associated with each VLAN are configured on the provider edge (PE) router in the point-of-presence (POP).
 10.1.1.100
Authentication: (none)
VRRP in VRF: Switch-2 VLAN Configuration
Switch-2
S2(conf)#ip vrf VRF-1 1
!
S2(conf)#ip vrf VRF-2 2
!
S2(conf)#ip vrf VRF-3 3
!
S2(conf)#interface TenGigabitEthernet 1/1/1
S2(conf-if-te-1/1/1)#no ip address
S2(conf-if-te-1/1/1)#switchport
S2(conf-if-te-1/1/1)#no shutdown
!
S2(conf-if-te-1/1/1)#interface vlan 100
S2(conf-if-vl-100)#ip vrf forwarding VRF-1
S2(conf-if-vl-100)#ip address 10.10.1.
Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1
VRF: 2 vrf2
State: Master, Priority: 100, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address:
 10.1.1.100
Authentication: (none)
VRRP for IPv6 Configuration
This section shows VRRP IPv6 topology with CLI configurations.
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be master even if one of the two routers has a higher IP or IPv6 address.
Router 2
R2(conf)#interface tengigabitethernet 1/1/1
R2(conf-if-te-1/1/1)#no ip address
R2(conf-if-te-1/1/1)#ipv6 address 1::1/64
R2(conf-if-te-1/1/1)#vrrp-group 10
NOTE: You must configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
State: Backup, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 11, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address:
 1::10 fe80::10
DellEMC#show vrrp tengigabitethernet 1/1/1
TenGigabitEthernet 1/1/1, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76
VRF: 0 default
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down: 0 centise
VRF: 2 vrf2
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 548, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:ff
Virtual IP address:
 10:1:1::255 fe80::255
Proxy Gateway with VRRP
VLT proxy gateway solves the inefficient traffic trombone problem when VLANs are extended between data centers and when VMs are migrated between the two DCs.
● The core routers C1 and D1 in the local VLT domain are connected to the core routers C2 and D2 in the remote VLT Domain using VLT links.
● The core routers C1 and D1 in the local VLT Domain along with C2 and D2 in the remote VLT Domain are part of a Layer 3 cloud.
● The core routers C1, D1, C2, D2 are in a VRRP group with the same vrrp-group ID.
When a virtual machine running in Server Rack 1 migrates to Server Rack 2, L3 packets for that VM are routed through the default gateway.
 unit-id 1
 peer-routing
interface port-channel 128
 channel member ten 1/1/1
 channel member ten 1/1/2
 no shutdown
int ten 1/5/1
 port-channel-protocol lacp
  port-channel 10 mode active
 no shut
int ten 1/4/1
 port-channel-protocol lacp
  port-channel 20 mode active
 no shut
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.3/24
 tagged port-channel 10
 vrrp-group 10
  advertise-interval 60
  virtual-ip 100.1.1.254
  priority 100
 no shutdown
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.0/24 area 0
Sample configuration of D2:
vlt domain 10
 peer-link port-channel 128
 back-up destination 10.16.140.
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.
64 Debugging and Diagnostics
This chapter describes debugging and diagnostics for the device.
Topics:
• Offline Diagnostics
• Trace Logs
• Auto Save on Crash or Rollover
• Hardware Watchdog Timer
• Enabling Environmental Monitoring
• Buffer Tuning
• Troubleshooting Packet Loss
• Enabling Application Core Dumps
• Mini Core Dumps
• Enabling TCP Dumps
Offline Diagnostics
The offline diagnostics test suite is useful for isolating faults and debugging hardware.
execution will cause stack-unit to reboot after completion of diags.
Proceed with Offline-Diags [confirm yes/no]:y
After the system goes offline, you must reload or run the online stack-unit stack-unit-number command for normal operation.
2. Confirm the offline status.
EXEC Privilege mode
show system brief
3. Start diagnostics on the unit.
diag stack-unit stack-unit-number
When the tests are complete, the system displays the following message and automatically reboots the unit.
Enabling Environmental Monitoring The device components use environmental monitoring hardware to detect transmit power readings, receive power readings, and temperature updates. To receive periodic power updates, you must enable the following command. ● Enable environmental monitoring.
Troubleshoot an Over-temperature Condition
To troubleshoot an over-temperature condition, use the following information.
1. Use the show environment commands to monitor the temperature levels.
2. Check air flow through the system. Ensure that the air ducts are clean and that all fans are working correctly.
3. After the software has determined that the temperature levels are within normal limits, you can re-power the card safely. To bring the line card back online, use the power-on command in EXEC mode.
Table 147. SNMP Traps and OIDs (continued)
OID String | OID Name | Description
.1.3.6.1.4.1.6027.3.27.1.6 | dellNetFpStatsPerCOSTable | View the forwarding plane statistics containing the packet buffer statistics per COS per port.
Buffer Tuning
Buffer Tuning allows you to modify the way your switch allocates buffers from its available memory and helps prevent packet drops during a temporary burst of traffic.
● show hardware buffer interface interface {priority-group {id | all} | queue {id | all} | detail} buffer-info
● show hardware buffer-stats-snapshot resource interface interface {priority-group {id | all} | queue {ucast {id | all} | mcast {id | all} | all}}
● show hardware drops interface interface
● clear hardware stack-unit stack-unit-number counters
● clear hardware stack-unit stack-unit-number unit 0-1 counters
● clear hardware stack-unit stack-unit-number cpu data-plane statistics
● clear hardware stack
   INVALID VLAN CNTR Drops : 0
   L2MC Drops : 0
   PKT Drops of ANY Conditions : 0
   Hg MacUnderflow : 0
   TX Err PKT Counter : 0
   --- Error counters ---
   Internal Mac Transmit Errors : 0
   Unknown Opcodes : 0
   Internal Mac Receive Errors : 0
   --- FEC Counters ---
   Ingress FEC uncorrected code words: 172
   --- Error Ratio Counters ---
   Ingress preFEC Bit Error Ratio: 3.727463E-11
   Ingress FCS Drops Error Ratio : 0.
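A single counter dump such as the one above only tells you the totals since the last clear. What usually matters when chasing packet loss is which drop or error counter is still growing between two readings. The script below is an added example and is not part of the Dell EMC guide: it takes two saved copies of the "name : value" counter output and prints every counter whose value increased. The two snapshots are constructed from the counter names shown above; the values in the "after" snapshot are invented so that a few counters grow. Only awk and a POSIX shell are assumed.

```shell
# Added example (not from the Dell EMC guide): diff two saved copies of the
# "show hardware stack-unit N ... counters" output and report counters that grew.
set -u

# write_snapshots DIR -- writes two constructed snapshots, before.txt and after.txt.
# Values are invented for the demonstration; only the counter names come from the guide.
write_snapshots() {
  cat > "$1/before.txt" <<'EOF'
INVALID VLAN CNTR Drops : 0
L2MC Drops : 0
PKT Drops of ANY Conditions : 0
Hg MacUnderflow : 0
TX Err PKT Counter : 0
--- Error counters ---
Internal Mac Transmit Errors : 0
Unknown Opcodes : 0
Internal Mac Receive Errors : 0
--- FEC Counters ---
Ingress FEC uncorrected code words: 172
--- Error Ratio Counters ---
Ingress preFEC Bit Error Ratio: 3.727463E-11
EOF
  cat > "$1/after.txt" <<'EOF'
INVALID VLAN CNTR Drops : 0
L2MC Drops : 3
PKT Drops of ANY Conditions : 3
Hg MacUnderflow : 0
TX Err PKT Counter : 0
--- Error counters ---
Internal Mac Transmit Errors : 0
Unknown Opcodes : 0
Internal Mac Receive Errors : 0
--- FEC Counters ---
Ingress FEC uncorrected code words: 180
--- Error Ratio Counters ---
Ingress preFEC Bit Error Ratio: 3.727463E-11
EOF
}

# counter_delta BEFORE AFTER
# Prints "<counter>: +<increase>" for every "name : value" line whose value is
# larger in AFTER than in BEFORE. Section separators (no colon) are ignored, and
# values are compared numerically so "3.727463E-11" and "172" both work.
counter_delta() {
  awk -F':' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    NR == FNR { if (NF == 2) before[trim($1)] = $2 + 0; next }
    NF == 2 {
      name = trim($1); now = $2 + 0
      if (now > before[name]) printf "%s: +%g\n", name, now - before[name]
    }
  ' "$1" "$2"
}

# counters_stable BEFORE AFTER -- exit 0 when no counter grew, 1 otherwise.
# Usable as a pass/fail step after a maintenance window or a soak test.
counters_stable() {
  [ -z "$(counter_delta "$1" "$2")" ]
}

# Usage: save the CLI output twice, a few minutes apart, then
#   counter_delta before.txt after.txt
```

Clear the counters with clear hardware stack-unit stack-unit-number counters before taking the first snapshot if you want the delta to start from zero; otherwise the script still works, since it only reports growth between the two readings.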
   txPkt(COS9 ) :0
   txPkt(COS10) :0
   txPkt(COS11) :0
   txPkt(UNIT0) :0
Example of Viewing Party Bus Statistics
   DellEMC#sh hardware stack-unit 1 cpu party-bus statistics
   Input Statistics:
     27550 packets, 2559298 bytes
     0 dropped, 0 errors
   Output Statistics:
     1649566 packets, 1935316203 bytes
     0 errors
Display Stack Member Counters
You can use the show hardware command to display internal receive and transmit statistics, based on the selected command option.
The output lists RX and TX counters, including: Byte Counter, Control Frame Counter, Pause Control Frame Counter, Oversized Frame Counter, Jabber Frame Counter, VLAN Tag Frame Counter, Double VLAN Tag Frame Counter, RUNT Frame Counter, Fragment Counter, VLAN Tagged Packets, Ingress Dropped Packet, MTU Check Error Frame Counter, PFC Frame Priority
Enabling Application Core Dumps
Application core dumps are disabled by default. A core dump file can be very large. Due to memory requirements the file can only be sent directly to an FTP server; it is not stored on the local flash.
To enable full kernel core dumps, use the following command.
● Enable stack unit kernel full core dumps.
  CONFIGURATION mode
  logging coredump server
  To undo this command, use the no logging coredump server command.
Example of a Mini Core Text File
   VALID MAGIC
   -----------------PANIC STRING-----------------
   panic string is :
   ---------------STACK TRACE START--------------
   0035d60c :
   00274f8c :
   0024e2b0 :
   0024dee8 :
   0024d9c4 :
   002522b0 :
   0026a8d0 :
   0026a00c :
   ----------------STACK TRACE END---------------
   -----------------FREE MEMORY------------------
   uvmexp.
65 Standards Compliance This chapter describes standards compliance for Dell EMC Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell EMC Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance Dell EMC Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell EMC Networking OS first supports the standard. General Internet Protocols The following table lists the Dell EMC Networking OS support per platform for general internet protocols. Table 148.
Table 148. General Internet Protocols (continued)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
…60 | … Transfer Protocol | | | | | |
2474 | Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers | 7.7.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2615 | PPP over SONET/SDH | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2698 | | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
 | | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.
Table 149. General IPv4 Protocols (continued)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1035 | DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (client) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1042 | A Standard for the Transmission of IP Datagrams over IEEE 802 Networks | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1191 | Path MTU Discovery | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.
Table 150. General IPv6 Protocols (continued)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
2462 (Partial) | IPv6 Stateless Address Autoconfiguration | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2464 | Transmission of IPv6 Packets over Ethernet Networks | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2675 | IPv6 Jumbograms | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2711 | IPv6 Router Alert Option | 8.3.12.0 | 9.8(0.
Table 151. Border Gateway Protocol (BGP) (continued)
RFC# | Full Name | S-Series/Z-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
2842 | Capabilities Advertisement with BGP-4 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2858 | Multiprotocol Extensions for BGP-4 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2918 | Route Refresh Capability for BGP-4 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
3065 | Autonomous System Confederations for BGP | 7.8.1 | 9.
Intermediate System to Intermediate System (IS-IS)
The following table lists the Dell EMC Networking OS support per platform for the IS-IS protocol.
Table 153. Intermediate System to Intermediate System (IS-IS)
RFC# | Full Name | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1142 | OSI IS-IS Intra-Domain Routing Protocol (ISO DP 10589) | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1195 | Use of OSI IS-IS for Routing in TCP/IP and Dual Environments | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.
Routing Information Protocol (RIP)
The following table lists the Dell EMC Networking OS support per platform for the RIP protocol.
Table 154. Routing Information Protocol (RIP)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1058 | Routing Information Protocol | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2453 | RIP Version 2 | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
4191 | Default Router Preferences and More-Specific Routes | 8.3.12.0 | 9.8(0.
Table 156. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1156 | Management Information Base for Network Management of TCP/IP-based internets | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
1157 | A Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
1212 | Concise MIB Definitions | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.
Table 156. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
2575 | View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
2576 | Coexistence Between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.
Table 156. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
 | … Network Management Protocol (SNMP) | | | | | |
3418 | Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
3434 | Remote Monitoring MIB Extensions for High Capacity Alarms, High-Capacity Alarm Table (64 bits) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
3580 | IEEE 802.
Table 156. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
IEEE 802.1AB | Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components. | 7.7.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
IEEE 802.1AB | The LLDP Management Information Base extension module for IEEE 802.1 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB) | 7.7.1 | 9.8(0.0P2) | 9.8(0.
Table 156. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
FORCE10-IF-EXTENSION-MIB | Force10 Enterprise IF Extension MIB (extends the Interfaces portion of the MIB-2 (RFC 1213) by providing proprietary SNMP OIDs for other counters displayed in the "show interfaces" output) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
FORCE10-LINKAGG-MIB | Force10 Enterprise Link Aggregation MIB | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.
Table 156. Network Management (continued)
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
ALARM-MIB | | | | | | |
MIB Location
You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.aspx
You also can obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/CSPortal20/Main/Login.aspx
Some pages of iSupport require a login.
66 X.509v3
Dell EMC Networking OS supports X.509v3 standards.
Topics:
• Introduction to X.509v3 certificates
• X.509v3 support in Dell EMC Networking OS
• Information about installing CA certificates
• Information about Creating Certificate Signing Requests (CSR)
• Information about installing trusted certificates
• Transport layer security (TLS)
• Online Certificate Status Protocol (OCSP)
• Verifying certificates
• Event logging
Introduction to X.509v3 certificates
X.
Advantages of X.509v3 certificates Public key authentication is preferred over password-based authentication, although both may be used in conjunction, for various reasons. Public-key authentication provides the following advantages over normal password-based authentication: ● Public-key authentication avoids the human problems of low-entropy password selection and provides more resistance to brute-force attacks than password-based authentication.
The other hosts on the network, such as the SUT switch, syslog server, and OCSP server, generate private keys and create Certificate Signing Requests (CSRs). The hosts then upload the CSRs to the Intermediate CA or make the CSRs available for the Intermediate CA to download. Dell EMC Networking OS generates a CSR using the crypto cert generate request command. The hosts on the network (SUT, syslog, OCSP…) also download and install the CA certificates from the Root and Intermediate CAs. The private key never leaves the host that generated it; only the CSR, which carries the public key, is sent to the CA.
After the CA certificate is installed, the system can secure communications with TLS servers by verifying certificates that are signed by the CA.
Installing CA certificate
To install a CA certificate, enter the crypto ca-cert install {path} command in Global Configuration mode.
Information about Creating Certificate Signing Requests (CSR)
A Certificate Signing Request (CSR) enables a device to get an X.509v3 certificate from a CA. In order for a device to get a X.
● Common Name
● Email address
● Validity Length
● Alternate Name
NOTE: The command contains multiple options, with the Common Name being a required field and blanks being filled in for unspecified fields.
Information about installing trusted certificates
Dell EMC Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS.
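The Root CA, Intermediate CA, host CSR and CA-certificate installation steps described above are easiest to understand with a lab PKI you can build and break yourself. The script below is an added example, not code from the Dell EMC guide or from the switch: it uses the openssl command-line tool (assumed to be installed) to create a self-signed Root CA, an Intermediate CA signed by the root, and a host key plus CSR carrying the CSR fields the guide lists (Common Name, email address, alternate name), then signs the host CSR with the Intermediate CA and bundles the CA certificates into the file a peer would install as its trust store (the counterpart of crypto ca-cert install on the switch). A verification function shows the check a peer must perform, and a deliberately rogue self-signed certificate with the same Common Name shows why a chain check is needed. All host names, addresses and file names are invented for the example.

```shell
# Added example (not from the Dell EMC guide): a constructed lab PKI that follows
# the Root CA -> Intermediate CA -> host CSR flow described in the guide.
# Requires the openssl command-line tool. Names and addresses are invented.
set -u

# build_lab_pki DIR -- creates root.crt, inter.crt, host.crt (with keys) and ca-chain.crt in DIR
build_lab_pki() {
  pki="$1"
  # Root CA: self-signed, long-lived, kept offline in a real deployment.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
      -keyout "$pki/root.key" -out "$pki/root.crt" \
      -subj "/CN=Lab Root CA" >/dev/null 2>&1
  # Intermediate CA: its own key and CSR, signed by the root with CA extensions
  # so it may sign host certificates but not further CAs (pathlen:0).
  openssl req -newkey rsa:2048 -nodes \
      -keyout "$pki/inter.key" -out "$pki/inter.csr" \
      -subj "/CN=Lab Intermediate CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$pki/inter.ext"
  openssl x509 -req -days 1825 -in "$pki/inter.csr" \
      -CA "$pki/root.crt" -CAkey "$pki/root.key" -CAcreateserial \
      -extfile "$pki/inter.ext" -out "$pki/inter.crt" >/dev/null 2>&1
  # Host (switch, syslog server, ...): the counterpart of "crypto cert generate
  # request". The private key stays on the host; only the CSR goes to the CA.
  # Subject carries Common Name and email; the alternate name goes in the SAN.
  openssl req -newkey rsa:2048 -nodes \
      -keyout "$pki/host.key" -out "$pki/host.csr" \
      -subj "/CN=switch1.lab.example/emailAddress=netops@lab.example" >/dev/null 2>&1
  printf 'subjectAltName=DNS:switch1.lab.example,IP:192.0.2.10\nextendedKeyUsage=serverAuth,clientAuth\n' \
      > "$pki/host.ext"
  openssl x509 -req -days 365 -in "$pki/host.csr" \
      -CA "$pki/inter.crt" -CAkey "$pki/inter.key" -CAcreateserial \
      -extfile "$pki/host.ext" -out "$pki/host.crt" >/dev/null 2>&1
  # What a peer installs as its trust store (crypto ca-cert install on the switch):
  # the CA certificates only, never a host key.
  cat "$pki/inter.crt" "$pki/root.crt" > "$pki/ca-chain.crt"
}

# verify_peer_cert TRUST_ROOT UNTRUSTED_CHAIN CERT HOSTNAME
# Returns 0 only when CERT chains to TRUST_ROOT through UNTRUSTED_CHAIN *and*
# carries HOSTNAME as a DNS subjectAltName. The chain check alone is not enough:
# every certificate the CA ever issued would pass it.
verify_peer_cert() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 || return 1
  openssl x509 -in "$3" -noout -text \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
    | grep -qxF "DNS:$4"
}

# make_rogue_cert DIR -- a self-signed certificate with the same Common Name, which is
# all an attacker who does not hold the CA key can produce.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout "$1/rogue.key" -out "$1/rogue.crt" \
      -subj "/CN=switch1.lab.example" >/dev/null 2>&1
}

# Usage:
#   d=$(mktemp -d); build_lab_pki "$d"
#   verify_peer_cert "$d/root.crt" "$d/inter.crt" "$d/host.crt" switch1.lab.example && echo ok
```

The same openssl verify call is a useful pre-flight check before loading anything on the switch: run it against the certificate the CA returned and the CA bundle you intend to install, and fix any chain or name problem on the workstation rather than on a device whose only feedback is a failed TLS session.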
● TLS_DHE_RSA_WITH_AES_128_CBC_SHA
● TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
● TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
● TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
● TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
● TLS_DH_RSA_WITH_AES_256_CBC_SHA
● TLS_DH_RSA_WITH_AES_128_CBC_SHA
TLS compression is disabled by default. TLS session resumption is also supported to reduce processor and traffic overhead due to public key cryptographic operations and handshake traffic.
Configuring OCSP behavior
You can configure how the OCSP requests and responses are signed when the CA or the device contacts the OCSP responders. To configure this behavior, follow this step:
In CONFIGURATION mode, enter the following command:
crypto x509 ocsp {[nonce] [sign-request]}
Both the nonce and sign-request parameters are optional. The default behavior is to not use these two options. The nonce option adds a random value to each OCSP request that the responder must echo in its response, so that a captured response for the same certificate cannot be replayed later; the sign-request option signs the outgoing OCSP request.
Verifying Client Certificates Verifying client certificates is optional in the TLS protocol and is not explicitly required by Common Criteria. However, TLS-protected Syslog and RADIUS protocols mandate that certificate-based mutual authentication be performed. Event logging The system logs the following events: ● A CA certificate is installed or deleted. ● A self-signed certificate and private key are generated. ● An existing host certificate, a private key, or both are deleted.